From fda2332e894ff14f932d74d70e9201d1d91511c4 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Tue, 23 Sep 2025 12:26:39 +0000
Subject: [PATCH] import UBI nodejs22-22.19.0-2.el10_0
---
 .gitignore | 2 +-
 0001-fips-disable-options.patch | 84 +++++++++++++++++++++++++++++++++
 nodejs22.spec | 74 ++++++++++++++++++++---------
 sources | 2 +-
 4 files changed, 137 insertions(+), 25 deletions(-)
 create mode 100644 0001-fips-disable-options.patch
diff --git a/.gitignore b/.gitignore
index 06d9c76..6c99e26 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 icu4c-77_1-data-bin-b.zip
 icu4c-77_1-data-bin-l.zip
-node-v22.16.0-stripped.tar.gz
+node-v22.19.0-stripped.tar.gz
diff --git a/0001-fips-disable-options.patch b/0001-fips-disable-options.patch
new file mode 100644
index 0000000..56482a2
--- /dev/null
+++ b/0001-fips-disable-options.patch
@@ -0,0 +1,84 @@
+From 98738d27288bd9ca634e29181ef665e812e7bbd3 Mon Sep 17 00:00:00 2001
+From: Michael Dawson
+Date: Fri, 23 Feb 2024 13:43:56 +0100
+Subject: [PATCH] Disable FIPS options
+
+On RHEL, FIPS should be configured only on system level.
+Additionally, the related options may cause segfault when used on RHEL.
+
+This patch causes the option processing to end sooner
+than the problematic code gets executed.
+Additionally, the JS-level options to mess with FIPS settings
+are similarly disabled.
+
+Upstream report: https://github.com/nodejs/node/pull/48950
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726
+---
+ lib/crypto.js | 10 ++++++++++
+ lib/internal/errors.js | 6 ++++++
+ src/crypto/crypto_util.cc | 2 ++
+ 3 files changed, 18 insertions(+)
+
+diff --git a/lib/crypto.js b/lib/crypto.js
+index 41adecc..b2627ac 100644
+--- a/lib/crypto.js
++++ b/lib/crypto.js
+@@ -36,7 +36,10 @@ const {
+ assertCrypto();
+
+ const {
++ // RHEL specific error
++ ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED,
++
+ ERR_CRYPTO_FIPS_FORCED,
+ ERR_WORKER_UNSUPPORTED_OPERATION,
+ } = require('internal/errors').codes;
+ const constants = internalBinding('constants').crypto;
+@@ -251,6 +254,13 @@ function getFips() {
+ }
+
+ function setFips(val) {
++ // in RHEL FIPS enable/disable should only be done at system level
++ if (getFips() != val) {
++ throw new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED();
++ } else {
++ return;
++ }
++
+ if (getOptionValue('--force-fips')) {
+ if (val) return;
+ throw new ERR_CRYPTO_FIPS_FORCED();
+diff --git a/lib/internal/errors.js b/lib/internal/errors.js
+index a722360..04d8a53 100644
+--- a/lib/internal/errors.js
++++ b/lib/internal/errors.js
+@@ -1111,6 +1111,12 @@ module.exports = {
+ //
+ // Note: Node.js specific errors must begin with the prefix ERR_
+
++// insert RHEL specific erro
++E('ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED',
++ 'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. See' +
++ 'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n',
++ Error);
++
+ E('ERR_ACCESS_DENIED',
+ function(msg, permission = '', resource = '') {
+ this.permission = permission;
+diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
+index 5734d8f..ef9d1b1 100644
+--- a/src/crypto/crypto_util.cc
++++ b/src/crypto/crypto_util.cc
+@@ -121,6 +121,8 @@ bool ProcessFipsOptions() {
+ /* Override FIPS settings in configuration file, if needed. */
+ if (per_process::cli_options->enable_fips_crypto ||
+ per_process::cli_options->force_fips_crypto) {
++ fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n");
++ return false;
+ #if OPENSSL_VERSION_MAJOR >= 3
+ OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
+ if (fips_provider == nullptr)
+--
+2.43.2
+
+
diff --git a/nodejs22.spec b/nodejs22.spec
index 0f78168..b39e7e0 100644
--- a/nodejs22.spec
+++ b/nodejs22.spec
@@ -2,7 +2,7 @@
 ## (rpmautospec version 0.6.5)
 ## RPMAUTOSPEC: autorelease, autochangelog
 %define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
- release_number = 1;
+ release_number = 2;
 base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
 print(release_number + base_release_number - 1);
 }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@@ -62,7 +62,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 22
-%global nodejs_minor 16
+%global nodejs_minor 19
 %global nodejs_patch 0
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 127
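Review bot: In 0001-fips-disable-options.patch, the new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED message concatenates `'... at system level. See'` and `'https://access.redhat.com/...'` with no space, so users get "Seehttps://…"; the first literal should end in `See ` (and the comment above it reads `erro`). In `setFips`, `getFips() != val` relies on loose equality, while the untouched `if (val) return;` below treats `val` as a truthy flag, so a truthy argument that is not equal to what `getFips()` returns (its body is outside the hunk) would throw even with FIPS already on; `if (Boolean(getFips()) !== Boolean(val))` states the intent. Everything after the new `if`/`else` in `setFips`, and the rest of the branch after `return false;` in `ProcessFipsOptions`, is now unreachable, which deserves a one-line comment so a later rebase does not revive it by accident. Both messages point at the RHEL 9 guide although this build is tagged el10, and the stderr text says "not recommended" for options that the next line rejects by returning false.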
@@ -93,10 +93,10 @@ %global c_ares_version 1.34.5 # llhttp - from deps/llhttp/include/llhttp.h -%global llhttp_version 9.2.1 +%global llhttp_version 9.3.0 # libuv - from deps/uv/include/uv/version.h -%global libuv_version 1.49.2 +%global libuv_version 1.51.0 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h %global nghttp2_version 1.64.0 @@ -130,7 +130,7 @@ # npm - from deps/npm/package.json %global npm_epoch 1 -%global npm_version 10.9.2 +%global npm_version 10.9.3 # In order to avoid needing to keep incrementing the release version for the # main package forever, we will just construct one for npm that is guaranteed @@ -147,7 +147,7 @@ %global histogram_version 0.11.8 # sqlite – from deps/sqlite/sqlite3.h -%global sqlite_version 3.49.1 +%global sqlite_version 3.50.4 Name: nodejs%{nodejs_pkg_major} @@ -181,6 +181,7 @@ Source300: test-runner.sh Source301: test-should-pass.txt Patch: 0001-Remove-unused-OpenSSL-config.patch +Patch: 0001-fips-disable-options.patch %if 0%{?nodejs_default} %global pkgname nodejs @@ -413,8 +414,10 @@ Provides: nodejs-devel = %{nodejs_envr} %endif %unversioned_obsoletes_of_nodejsXX_if_default devel -Provides: nodejs-devel-pkg = %{nodejs_envr} +Provides: alternative-for(nodejs-devel) = %{nodejs_envr} +Conflicts: alternative-for(nodejs-devel) Conflicts: nodejs-devel-pkg + # previously VP used for the same reason as alternative-for() above %description -n %{pkgname}-devel @@ -604,6 +607,7 @@ export PATH="${cwd}/.bin:$PATH" --ninja \ --enable-lto \ --prefix=%{_prefix} \ + --use-prefix-to-find-headers \ --shared \ --libdir=%{_lib} \ %{ssl_configure} \ 
@@ -655,12 +659,16 @@ chrpath --delete %{buildroot}%{_bindir}/node # Rename the node binary mv %{buildroot}%{_bindir}/node %{buildroot}%{_bindir}/node-%{nodejs_pkg_major} -# Adjust the npm binaries -# 1. Replace all hasbangs with versioned ones -grep --extended-regexp --files-with-matches --recursive \ - '^#!/usr/bin/(env )?node($|[[:space:]])+' '%{buildroot}%{nodejs_private_sitelib}/npm/bin' \ -| xargs sed --in-place --regexp-extended \ - 's;^#!/usr/bin/(env )?node($|[[:space:]])+;#!/usr/bin/node-%{nodejs_pkg_major};' +# Adjust npm binaries +# 1. Replace all hashbangs with versioned ones +readonly NPM_DIR="%{buildroot}%{nodejs_private_sitelib}/npm" +readonly SHEBANG_ERE='^#!/usr/bin/(env\s+)?node\b' +readonly SHEBANG_FIX='#!%{_bindir}/node-%{nodejs_pkg_major}' +readonly -a npm_bin_dirs=("${NPM_DIR}/bin" "${NPM_DIR}/node_modules") + +find "${npm_bin_dirs[@]}" -type f \ +| xargs grep --extended-regexp --files-with-matches "${SHEBANG_ERE}" \ +| xargs sed --regexp-extended --in-place "s;${SHEBANG_ERE};${SHEBANG_FIX};" # 2. Replace original links with the adjusted ones for bin in npm npx; do @@ -681,6 +689,13 @@ ln -srf %{buildroot}%{_bindir}/npx-%{nodejs_pkg_major} \ %{buildroot}%{_bindir}/npx %endif +# Fix shell scripts that call 'node' as command +readonly -a known_shell_scripts=( + "${NPM_DIR}/bin/node-gyp-bin/node-gyp" + "${NPM_DIR}/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp" +) +sed --regexp-extended --in-place 's;\bnode(\s);%{_bindir}/node-%{nodejs_pkg_major}\1;' "${known_shell_scripts[@]}" + # Install library symlink ln -srf %{buildroot}%{_libdir}/libnode.so.%{nodejs_soversion} \ %{buildroot}%{_libdir}/libnode.so 
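Review bot: `SHEBANG_ERE` now ends in `\b`, which also matches before `-` or `.`, so a shebang such as `#!/usr/bin/env node-foo` would be rewritten to an interpreter path that does not exist, whereas the removed pattern required end of line or whitespace after `node`. Keeping that anchor is a two-line change: `readonly SHEBANG_ERE='^#!/usr/bin/(env\s+)?node($|\s)'` and `"s;${SHEBANG_ERE};${SHEBANG_FIX}\2;"` in the sed call. Because the scan now covers the whole `node_modules` tree, the `find | xargs grep | xargs sed` pipeline should also be null-delimited so paths with whitespace are not split: `find "${npm_bin_dirs[@]}" -type f -print0 | xargs --null grep --extended-regexp --files-with-matches --null "${SHEBANG_ERE}" | xargs --null --no-run-if-empty sed …`. The %install section this belongs to starts and ends outside the hunk.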
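Review bot: The `sed` over `known_shell_scripts` exits successfully even when `\bnode(\s)` matches nothing, so if upstream reshapes either script the package would ship a wrapper that still resolves `node` through PATH instead of `%{_bindir}/node-%{nodejs_pkg_major}`. A check right after the substitution that fails the build when a listed script lacks the versioned path would make that visible, for example `grep --quiet --fixed-strings '%{_bindir}/node-%{nodejs_pkg_major}' "$script"` inside a loop over the array. The expression also has no `g` flag, so only the first `node` on a line is rewritten; if that is intended, a short comment saying so would help. `NPM_DIR` comes from the previous hunk, and the section continues outside this one.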
@@ -774,11 +789,6 @@ find %{buildroot}%{nodejs_private_sitelib}/npm \ chmod 0755 %{buildroot}%{nodejs_private_sitelib}/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp chmod 0755 %{buildroot}%{nodejs_private_sitelib}/npm/node_modules/node-gyp/bin/node-gyp.js -# Set the hashbang to use the matching Node.js interpreter -sed --in-place --regexp-extended \ - 's;^#!/usr/bin/env node($|\ |\t)+;#!/usr/bin/node-%{nodejs_pkg_major};g' \ - %{buildroot}%{nodejs_private_sitelib}/npm/node_modules/node-gyp/bin/node-gyp.js - # Drop the NPM builtin configuration in place sed -e 's#@SYSCONFDIR@#%{_sysconfdir}#g' \ %{SOURCE201} > %{buildroot}%{nodejs_private_sitelib}/npm/npmrc @@ -962,19 +972,37 @@ end %changelog ## START: Generated by rpmautospec -* Tue May 27 2025 Andrei Radchenko - 1:22.16.0-1 +* Wed Sep 03 2025 Andrei Radchenko - 1:22.19.0-2 +- spec: devel packages explicitly conflicts + +* Wed Sep 03 2025 Andrei Radchenko - 1:22.19.0-1 +- Update to version 22.19.0 + +* Fri Aug 29 2025 tjuhasz - 1:22.16.0-5 +- Add patch to prevent fips usage segfault + +* Mon Aug 25 2025 Andrei Radchenko - 1:22.16.0-4 +- configure.py: use local headers for building native addons when available + +* Mon Aug 25 2025 Andrei Radchenko - 1:22.16.0-3 +- spec: fix node binary calls to use versioned binary + +* Wed Aug 20 2025 Andrei Radchenko - 1:22.16.0-2 +- Test plan adjustments + +* Wed May 28 2025 Andrei Radchenko - 1:22.16.0-1 - Update to version 22.16.0 -* Tue May 20 2025 tjuhasz - 1:22.15.0-3 +* Wed May 21 2025 tjuhasz - 1:22.15.0-3 - Make grep Source stricter in nodejs-tarball -* Tue May 20 2025 tjuhasz - 1:22.15.0-2 +* Wed May 21 2025 tjuhasz - 1:22.15.0-2 - Add unit-test during build for nodejs22 -* Thu Apr 24 2025 tjuhasz - 1:22.15.0-1 +* Tue Apr 29 2025 tjuhasz - 1:22.15.0-1 - Update to version 22.15.0 -* Tue Apr 22 2025 tjuhasz - 1:22.13.1-6 +* Tue Apr 15 2025 tjuhasz - 1:22.13.1-6 - Update c-ares with fix for CVE-2025-31498 * Thu Mar 06 2025 Jan Staněk - 1:22.13.1-5 
diff --git a/sources b/sources
index f929ed3..e1c54a7 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 SHA512 (icu4c-77_1-data-bin-b.zip) = 93b4c8228a059546e7c3e337f1f837db255c0046c15f50a31a7bd20daf361174edab05b01faaac1dd4f515ca3c1f1d7fb0f61e4177eb5631833ad1450e252c4e
 SHA512 (icu4c-77_1-data-bin-l.zip) = 3de15bb5925956b8e51dc6724c2114a1009ec471a2241b09ae09127f1760f44d02cc29cfbeed6cbaac6ee880553ac8395c61c6043c00ddba3277233e19e6490e
-SHA512 (node-v22.16.0-stripped.tar.gz) = 63f9ccf38a9c3384ba07d5792cde18517b0c3fbfb612f13cce6b98381a8c951008550a5950bec7078b88e7f7f69e714a82f586cf2433659295db64d8013df784
+SHA512 (node-v22.19.0-stripped.tar.gz) = cbf43bfc0edce8e80e3c29b6f391ea97f2a531eb1c271e9d48b1d26e5a9d8198052b873e37739bddb4de696eb3f1f1bc53503d2145cfc16efbe1bef0a54cfd56