From 1c9387e267037f1605d23808af69e582db56b67a Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 28 2023 12:17:05 +0000 Subject: import nodejs-14.21.1-2.module+el8.7.0+17528+a329cd47 --- diff --git a/.gitignore b/.gitignore index 751ebb7..c9ee73e 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,4 @@ +SOURCES/cjs-module-lexer-1.2.2.tar.gz SOURCES/icu4c-70_1-src.tgz -SOURCES/node-v14.20.0-stripped.tar.gz +SOURCES/node-v14.21.1-stripped.tar.gz +SOURCES/wasi-sdk-wasi-sdk-11.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index d868ff8..d20d8cd 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,2 +1,4 @@ +6976e77068429bd0b47b573793289e065ceb6b27 SOURCES/cjs-module-lexer-1.2.2.tar.gz f7c1363edee6be7de8b624ffbb801892b3417d4e SOURCES/icu4c-70_1-src.tgz -66dc4b75e2e416d064f12be3450fc7953d72b21b SOURCES/node-v14.20.0-stripped.tar.gz +2812a06625a63430d5f36ce9019cc2df321956e6 SOURCES/node-v14.21.1-stripped.tar.gz +8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz diff --git a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch index 361ea08..1a12d5f 100644 --- a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch +++ b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch @@ -1,19 +1,18 @@ -From b0b4d1ddbc720db73fb8ab13cdbbf1ce6524eebd Mon Sep 17 00:00:00 2001 +From 0daef8b47290ffa866f321173a0a45f7c131f172 Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Fri, 17 Apr 2020 12:59:44 +0200 -Subject: [PATCH 1/2] Disable running gyp on shared deps +Subject: [PATCH] Disable running gyp on shared deps +Signed-off-by: rpm-build --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e9676f176 100644 +index 82281b5..9e65fc4 100644 --- a/Makefile 
+++ b/Makefile -@@ -136,11 +136,11 @@ endif - .PHONY: test-code-cache - with-code-cache test-code-cache: +@@ -143,7 +143,7 @@ with-code-cache test-code-cache: $(warning '$@' target is a noop) out/Makefile: config.gypi common.gypi node.gyp \ @@ -22,8 +21,6 @@ index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp $(PYTHON) tools/gyp_node.py -f make - - # node_version.h is listed because the N-API version is taken from there -- -2.29.2 +2.38.1 diff --git a/SOURCES/0001-deps-ansi-regex-fix-potential-ReDoS.patch b/SOURCES/0001-deps-ansi-regex-fix-potential-ReDoS.patch deleted file mode 100644 index 3287b6c..0000000 --- a/SOURCES/0001-deps-ansi-regex-fix-potential-ReDoS.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From e12dad58e7c749d65d51e2dd49dece4102ddfa18 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Thu, 9 Dec 2021 15:48:46 +0100 -Subject: [PATCH] deps(ansi-regex): fix potential ReDoS - -This is the upstream fix [1] applied to all applicable bundled deps. - -[1]: https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9 - -Fixes: CVE-2021-3807 -Signed-off-by: rpm-build ---- - .../node_modules/string-width/node_modules/ansi-regex/index.js | 2 +- - deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js -index c4aaecf..7d32201 100644 ---- a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js -+++ b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js -@@ -2,7 +2,7 @@ - - module.exports = () => { - const pattern = [ -- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[a-zA-Z\\d]*)*)?\\u0007)', -+ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', - '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~]))' - ].join('|'); - -diff --git a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js -index c254480..9e37ec3 100644 ---- a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js -+++ b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js -@@ -6,7 +6,7 @@ module.exports = options => { - }, options); - - const pattern = [ -- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', -+ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', - '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))' - ].join('|'); - 
--- -2.36.1 - - diff --git a/SOURCES/0002-deps-ansi-regex-fix-potential-ReDoS.patch b/SOURCES/0002-deps-ansi-regex-fix-potential-ReDoS.patch new file mode 100644 index 0000000..e486e3e --- /dev/null +++ b/SOURCES/0002-deps-ansi-regex-fix-potential-ReDoS.patch 
@@ -0,0 +1,45 @@ +From 8fc20d21cd7861ecc4f034ae82234a05227c2c12 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Thu, 9 Dec 2021 15:48:46 +0100 +Subject: [PATCH] deps(ansi-regex): fix potential ReDoS + +This is the upstream fix [1] applied to all applicable bundled deps. + +[1]: https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9 + +Fixes: CVE-2021-3807 +Signed-off-by: rpm-build +--- + .../node_modules/string-width/node_modules/ansi-regex/index.js | 2 +- + deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js +index c4aaecf..7d32201 100644 +--- a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js ++++ b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js +@@ -2,7 +2,7 @@ + + module.exports = () => { + const pattern = [ +- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[a-zA-Z\\d]*)*)?\\u0007)', ++ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', + '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~]))' + ].join('|'); + +diff --git a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js +index c254480..9e37ec3 100644 +--- a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js ++++ b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js +@@ -6,7 +6,7 @@ module.exports = options => { + }, options); + + const pattern = [ +- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', ++ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', + '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))' + ].join('|'); + 
+-- +2.38.1 + diff --git a/SOURCES/0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch b/SOURCES/0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch new file mode 100644 index 0000000..81064b3 --- /dev/null +++ b/SOURCES/0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch 
@@ -0,0 +1,98 @@ +From 00da0b65c4c6bd75be2b91fba196be520e8ccf00 Mon Sep 17 00:00:00 2001 +From: Jordan Harband +Date: Mon, 27 Dec 2021 19:15:57 -0800 +Subject: [PATCH] deps(qs/parse): ignore `__proto__` keys (CVE-2022-24999) + +Signed-off-by: rpm-build +--- + deps/npm/node_modules/qs/lib/parse.js | 2 +- + deps/npm/node_modules/qs/test/parse.js | 60 ++++++++++++++++++++++++++ + 2 files changed, 61 insertions(+), 1 deletion(-) + +diff --git a/deps/npm/node_modules/qs/lib/parse.js b/deps/npm/node_modules/qs/lib/parse.js +index 8c9872e..08e623a 100644 +--- a/deps/npm/node_modules/qs/lib/parse.js ++++ b/deps/npm/node_modules/qs/lib/parse.js +@@ -69,7 +69,7 @@ var parseObject = function (chain, val, options) { + ) { + obj = []; + obj[index] = leaf; +- } else { ++ } else if (cleanRoot !== '__proto__') { + obj[cleanRoot] = leaf; + } + } +diff --git a/deps/npm/node_modules/qs/test/parse.js b/deps/npm/node_modules/qs/test/parse.js +index 0f8fe45..3e93784 100644 +--- a/deps/npm/node_modules/qs/test/parse.js ++++ b/deps/npm/node_modules/qs/test/parse.js +@@ -515,6 +515,66 @@ test('parse()', function (t) { + st.end(); + }); + ++ t.test('dunder proto is ignored', function (st) { ++ var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42'; ++ var result = qs.parse(payload, { allowPrototypes: true }); ++ ++ st.deepEqual( ++ result, ++ { ++ categories: { ++ length: '42' ++ } ++ }, ++ 'silent [[Prototype]] payload' ++ ); ++ ++ var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true }); ++ ++ st.deepEqual( ++ plainResult, ++ { ++ __proto__: null, ++ categories: { ++ __proto__: null, ++ length: '42' ++ } ++ }, ++ 'silent [[Prototype]] payload: plain objects' ++ ); ++ ++ var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true }); ++ ++ st.notOk(Array.isArray(query.categories), 'is not an array'); ++ st.notOk(query.categories instanceof Array, 'is not 
instanceof an array');
++ st.deepEqual(query.categories, { some: { json: 'toInject' } });
++ st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array');
++
++ st.deepEqual(
++ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }),
++ {
++ foo: {
++ bar: 'stuffs'
++ }
++ },
++ 'hidden values'
++ );
++
++ st.deepEqual(
++ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }),
++ {
++ __proto__: null,
++ foo: {
++ __proto__: null,
++ bar: 'stuffs'
++ }
++ },
++ 'hidden values: plain objects'
++ );
++
++ st.end();
++ });
++
+ t.test('can return null objects', { skip: !Object.create }, function (st) {
+ var expected = Object.create(null);
+ expected.a = Object.create(null);
+--
+2.38.1
+
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index 77e76c5..81b8048 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -41,8 +41,8 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 14
-%global nodejs_minor 20
-%global nodejs_patch 0
+%global nodejs_minor 21
+%global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
 %global nodejs_release %{baserelease}
@@ -72,7 +72,7 @@
 # llhttp - from deps/llhttp/include/llhttp.h
 %global llhttp_major 2
 %global llhttp_minor 1
-%global llhttp_patch 5
+%global llhttp_patch 6
 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
 
 # libuv - from deps/uv/include/uv/version.h
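Review bot: The new 0003 patch guards only one vendored copy of qs — its diffstat lists `deps/npm/node_modules/qs/lib/parse.js` plus its test — so the CVE-2022-24999 fix is complete only if that is the sole copy of qs under deps/npm; npm as bundled with Node 14 is likely to vendor qs more than once (e.g. beneath `request`), so I would confirm with `find deps/npm -path '*/qs/lib/parse.js'` and record the result in the patch description before the changelog claims the CVE resolved. The guard itself, `} else if (cleanRoot !== '__proto__') {`, matches the upstream qs change, but the enclosing parseObject function starts and ends outside the hunk, so the earlier `obj = []` branch and any other key-normalisation are not reviewable here.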
@@ -168,10 +168,23 @@ Source100: %{name}-tarball.sh
 # nodejs-packaging SRPM.
 Source7: nodejs_native.attr
 
+# These are full sources for dependencies included as WASM blobs in the source of Node itself.
+# Note: These sources would also include pre-compiled WASM blobs… so they are adjusted not to.
+# Recipes for creating these blobs are included in the sources.
+
+# Version: jq '.version' deps/cjs-module-lexer/package.json
+# Original: https://github.com/nodejs/cjs-module-lexer/archive/refs/tags/1.2.2.tar.gz
+# Adjustments: rm -f cjs-module-lexer-1.2.2/lib/lexer.wasm
+Source101: cjs-module-lexer-1.2.2.tar.gz
+# The WASM blob was made using wasi-sdk v11; compiler libraries are linked in.
+# Version source: Makefile
+Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz
+
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
-
-Patch4: 0001-deps-ansi-regex-fix-potential-ReDoS.patch
+# Dependency vulnerabilities
+Patch2: 0002-deps-ansi-regex-fix-potential-ReDoS.patch
+Patch3: 0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch
 
 BuildRequires: make
 BuildRequires: python3-devel
@@ -352,6 +365,21 @@ The API documentation for the Node.js JavaScript runtime.
 rm -rf deps/zlib
 rm -rf deps/brotli
 
+# check for correct versions of dependencies we are bundling
+check_wasm_dep() {
+ local -r name="$1" source="$2" packagejson="$3"
+ local -r expected_version="$(jq -r '.version' "${packagejson}")"
+
+ if ls "${source}"|grep -q --fixed-strings "${expected_version}"; then
+ printf '%s version matches\n' "${name}" >&2
+ else
+ printf '%s version MISMATCH: %s !~ %s\n' "${name}" "${expected_version}" "${source}" >&2
+ return 1
+ fi
+}
+
+check_wasm_dep cjs-module-lexer '%{SOURCE101}' deps/cjs-module-lexer/package.json
+
 # Replace any instances of unversioned python' with python3
 %if %{with python3_fixup}
 pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js")
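Review bot: Patch4 is renumbered to Patch2 and a new Patch3 is added in the Source/Patch hunk, but nothing in this hunk shows how patches are applied; if %prep uses explicit `%patch4 -p1`-style calls rather than `%autosetup`/`%autopatch`, that call site (outside the hunk) needs the same renumbering or the build fails. Source102 is a full wasi-sdk source tarball whose comment names only the version origin; for consistency with Source101 I would state in its comment whether any adjustments were made, e.g. `# Adjustments: none`, so a reviewer can tell the recorded checksum in .nodejs.metadata corresponds to the pristine upstream archive.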
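Review bot: check_wasm_dep in the %prep hunk accepts the tarball whenever the package.json version is a substring of its path (`ls "${source}"|grep -q --fixed-strings "${expected_version}"`), so `1.2.2` would also match `cjs-module-lexer-1.2.20.tar.gz` or any directory component containing those digits; anchoring on the basename, `[[ "${source##*/}" == *"-${expected_version}.tar.gz" ]]`, makes the version check exact and removes the `ls` pipeline. The helper also needs `jq` at build time and the hunk adds no `BuildRequires: jq`, so confirm it is declared elsewhere in the spec (not visible here). A one-line comment above the function stating what is compared, e.g. `# Fail the build unless the bundled source tarball name carries the version found in the given package.json`, would make the intent clearer than "correct versions".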
@@ -668,26 +696,35 @@ end %changelog -* Tue Aug 02 2022 Zuzana Svetlikova - 1:14.21.1-2 +- Apply upstream fix for CVE-2022-24999 + Resolves: CVE-2022-24999 +- Record CVEs fixed by current or previous upstream releases + Resolves: CVE-2021-44906 + +* Wed Nov 16 2022 Jan Staněk - 1:14.21.1-1 +- Rebase to version 14.21.1 + Resolves: rhbz#2129805 CVE-2022-43548 CVE-2022-3517 + +* Fri Oct 07 2022 Jan Staněk - 1:14.20.1-2 +- Record issues fixed in the current version + Resolves: CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824 + +* Thu Sep 29 2022 Jan Staněk - 1:14.20.1-1 +- Rebase to version 14.20.1 + Resolves: CVE-2022-35256 + +* Mon Aug 22 2022 Zuzana Svetlikova - 1:14.20.0-1 +- Rebase to latest release +- Resolves: #2106281, #2108056, #2108061, #2108066, #2108071, #2108139 +- Remove libs patch +- Build without corepack + +* Wed May 25 2022 Jan Staněk - 1:14.18.2-2 - Replace with_* macros with RPM confitionals - Unify configure calls into single command - Refactor bootstrap-related parts - Decouple dependency bundling from bootstrapping -- Resolves: RHBZ#2111417 - -* Mon Jul 25 2022 Zuzana Svetlikova - 1:14.20.0-1 -- Rebase to latest version -- Resolves: RHBZ#2106367 -- CVE fixes for CVE-2022-32212/3/4/5 -- Resolves: #2109576, #2109579, #2109582, #2109585 - -* Tue Jan 11 2022 Zuzana Svetlikova - 1:14.18.2-3 -- Resolves: RHBZ#2029519 -- Add missing BZ to changelog - -* Mon Dec 13 2021 Zuzana Svetlikova - 1:14.18.2-2 -- Add missing fixes -- Resolves: RHBZ#2027641, RHBZ#2027634 * Wed Dec 01 2021 Zuzana Svetlikova - 1:14.18.2-1 - Resolves: RHBZ#2026325