From ce9c58d4ba4915741ca41996c075a7d71c03d060 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Apr 05 2023 14:13:38 +0000
Subject: import nodejs-14.21.3-1.module+el8.7.0+18531+81d21ca6


---

diff --git a/.gitignore b/.gitignore
index c9ee73e..63419b7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 SOURCES/icu4c-70_1-src.tgz
-SOURCES/node-v14.21.1-stripped.tar.gz
+SOURCES/node-v14.21.3-stripped.tar.gz
 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
diff --git a/.nodejs.metadata b/.nodejs.metadata
index d20d8cd..99cafef 100644
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@@ -1,4 +1,4 @@
 6976e77068429bd0b47b573793289e065ceb6b27 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 f7c1363edee6be7de8b624ffbb801892b3417d4e SOURCES/icu4c-70_1-src.tgz
-2812a06625a63430d5f36ce9019cc2df321956e6 SOURCES/node-v14.21.1-stripped.tar.gz
+9929bfc056f9689ee30a088e923a81db640e39be SOURCES/node-v14.21.3-stripped.tar.gz
 8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
diff --git a/SOURCES/0003-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch b/SOURCES/0003-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
new file mode 100644
index 0000000..9fa4284
--- /dev/null
+++ b/SOURCES/0003-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
@@ -0,0 +1,49 @@
+From 201c8b23df7bf986276e62b03f8276e18ef49728 Mon Sep 17 00:00:00 2001
+From: Kornel <kornel@geekhood.net>
+Date: Fri, 27 Jan 2023 01:20:38 +0000
+Subject: [PATCH] deps(http-cache-semantics): Don't use regex to trim
+ whitespace
+
+upstream-patch: https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/npm/node_modules/http-cache-semantics/node4/index.js | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/deps/npm/node_modules/http-cache-semantics/node4/index.js b/deps/npm/node_modules/http-cache-semantics/node4/index.js
+index bcdaebe..e427106 100644
+--- a/deps/npm/node_modules/http-cache-semantics/node4/index.js
++++ b/deps/npm/node_modules/http-cache-semantics/node4/index.js
+@@ -21,7 +21,7 @@ function parseCacheControl(header) {
+ 
+     // TODO: When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives),
+     // the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale
+-    var parts = header.trim().split(/\s*,\s*/); // TODO: lame parsing
++    var parts = header.trim().split(/,/);
+     for (var _iterator = parts, _isArray = Array.isArray(_iterator), _i = 0, _iterator = _isArray ? _iterator : _iterator[Symbol.iterator]();;) {
+         var _ref;
+ 
+@@ -36,11 +36,11 @@ function parseCacheControl(header) {
+ 
+         var part = _ref;
+ 
+-        var _part$split = part.split(/\s*=\s*/, 2),
++        var _part$split = part.split(/=/, 2),
+             k = _part$split[0],
+             v = _part$split[1];
+ 
+-        cc[k] = v === undefined ? true : v.replace(/^"|"$/g, ''); // TODO: lame unquoting
++        cc[k.trim()] = v === undefined ? true : v.trim().replace(/^"|"$/g, '');
+     }
+ 
+     return cc;
+@@ -556,4 +556,4 @@ module.exports = function () {
+     };
+ 
+     return CachePolicy;
+-}();
+\ No newline at end of file
++}();
+-- 
+2.39.2
+
diff --git a/SOURCES/0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch b/SOURCES/0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch
deleted file mode 100644
index 81064b3..0000000
--- a/SOURCES/0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From 00da0b65c4c6bd75be2b91fba196be520e8ccf00 Mon Sep 17 00:00:00 2001
-From: Jordan Harband <ljharb@gmail.com>
-Date: Mon, 27 Dec 2021 19:15:57 -0800
-Subject: [PATCH] deps(qs/parse): ignore `__proto__` keys (CVE-2022-24999)
-
-Signed-off-by: rpm-build <rpm-build>
----
- deps/npm/node_modules/qs/lib/parse.js  |  2 +-
- deps/npm/node_modules/qs/test/parse.js | 60 ++++++++++++++++++++++++++
- 2 files changed, 61 insertions(+), 1 deletion(-)
-
-diff --git a/deps/npm/node_modules/qs/lib/parse.js b/deps/npm/node_modules/qs/lib/parse.js
-index 8c9872e..08e623a 100644
---- a/deps/npm/node_modules/qs/lib/parse.js
-+++ b/deps/npm/node_modules/qs/lib/parse.js
-@@ -69,7 +69,7 @@ var parseObject = function (chain, val, options) {
-             ) {
-                 obj = [];
-                 obj[index] = leaf;
--            } else {
-+            } else if (cleanRoot !== '__proto__') {
-                 obj[cleanRoot] = leaf;
-             }
-         }
-diff --git a/deps/npm/node_modules/qs/test/parse.js b/deps/npm/node_modules/qs/test/parse.js
-index 0f8fe45..3e93784 100644
---- a/deps/npm/node_modules/qs/test/parse.js
-+++ b/deps/npm/node_modules/qs/test/parse.js
-@@ -515,6 +515,66 @@ test('parse()', function (t) {
-         st.end();
-     });
- 
-+    t.test('dunder proto is ignored', function (st) {
-+        var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42';
-+        var result = qs.parse(payload, { allowPrototypes: true });
-+
-+        st.deepEqual(
-+            result,
-+            {
-+                categories: {
-+                    length: '42'
-+                }
-+            },
-+            'silent [[Prototype]] payload'
-+        );
-+
-+        var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true });
-+
-+        st.deepEqual(
-+            plainResult,
-+            {
-+                __proto__: null,
-+                categories: {
-+                    __proto__: null,
-+                    length: '42'
-+                }
-+            },
-+            'silent [[Prototype]] payload: plain objects'
-+        );
-+
-+        var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true });
-+
-+        st.notOk(Array.isArray(query.categories), 'is not an array');
-+        st.notOk(query.categories instanceof Array, 'is not instanceof an array');
-+        st.deepEqual(query.categories, { some: { json: 'toInject' } });
-+        st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array');
-+
-+        st.deepEqual(
-+            qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }),
-+            {
-+                foo: {
-+                    bar: 'stuffs'
-+                }
-+            },
-+            'hidden values'
-+        );
-+
-+        st.deepEqual(
-+            qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }),
-+            {
-+                __proto__: null,
-+                foo: {
-+                    __proto__: null,
-+                    bar: 'stuffs'
-+                }
-+            },
-+            'hidden values: plain objects'
-+        );
-+
-+        st.end();
-+    });
-+
-     t.test('can return null objects', { skip: !Object.create }, function (st) {
-         var expected = Object.create(null);
-         expected.a = Object.create(null);
--- 
-2.38.1
-
diff --git a/SOURCES/0004-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch b/SOURCES/0004-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
new file mode 100644
index 0000000..c81988f
--- /dev/null
+++ b/SOURCES/0004-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
@@ -0,0 +1,52 @@
+From 58725d71e4306c83a474d6c3035e72580d0c4592 Mon Sep 17 00:00:00 2001
+From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
+Date: Wed, 18 Jan 2023 22:14:26 +0800
+Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid
+ stack overflow (#497)
+
+In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
+the input str and initialize a sortlist configuration.
+
+However, ares_set_sortlist has not any checks about the validity of the input str.
+It is very easy to create an arbitrary length stack overflow with the unchecked
+`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
+statements in the config_sortlist call, which could potentially cause severe
+security impact in practical programs.
+
+This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
+potential stack overflows.
+
+fixes #496
+
+Fix By: @hopper-vul
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/cares/src/lib/ares_init.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c
+index de5d86c..d5858f6 100644
+--- a/deps/cares/src/lib/ares_init.c
++++ b/deps/cares/src/lib/ares_init.c
+@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+       q = str;
+       while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
+         q++;
++      if (q-str >= 16)
++        return ARES_EBADSTR;
+       memcpy(ipbuf, str, q-str);
+       ipbuf[q-str] = '\0';
+       /* Find the prefix */
+@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+           const char *str2 = q+1;
+           while (*q && *q != ';' && !ISSPACE(*q))
+             q++;
++          if (q-str >= 32)
++            return ARES_EBADSTR;
+           memcpy(ipbufpfx, str, q-str);
+           ipbufpfx[q-str] = '\0';
+           str = str2;
+-- 
+2.39.2
+
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index 81b8048..da638c6 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -30,7 +30,7 @@
 # This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 2
+%global baserelease 1
 
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
 
@@ -42,7 +42,7 @@
 %global nodejs_epoch 1
 %global nodejs_major 14
 %global nodejs_minor 21
-%global nodejs_patch 1
+%global nodejs_patch 3
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
 %global nodejs_release %{baserelease}
@@ -121,7 +121,7 @@
 %global npm_epoch 1
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 17
+%global npm_patch 18
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 
 # uvwasi - from deps/uvwasi/include/uvwasi.h
@@ -184,7 +184,8 @@ Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
 # Dependency vulnerabilities
 Patch2: 0002-deps-ansi-regex-fix-potential-ReDoS.patch
-Patch3: 0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch
+Patch3: 0003-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
+Patch4: 0004-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
 
 BuildRequires: make
 BuildRequires: python3-devel
@@ -679,7 +680,6 @@ end
 %doc %{_mandir}/man5/shrinkwrap-json.5*
 %doc %{_mandir}/man7/config.7*
 %doc %{_mandir}/man7/developers.7*
-%doc %{_mandir}/man7/disputes.7*
 %doc %{_mandir}/man7/orgs.7*
 %doc %{_mandir}/man7/registry.7*
 %doc %{_mandir}/man7/removal.7*
@@ -696,6 +696,12 @@ end
 
 
 %changelog
+* Mon Mar 06 2023 Jan Staněk <jstanek@redhat.com> - 1:14.21.3-1
+- Rebase to 14.21.3
+  Resolves: rhbz#2153712
+  Resolves: CVE-2022-25881 CVE-2023-23918 CVE-2023-23920 CVE-2022-38900
+  Resolves: CVE-2022-4904
+
 * Thu Dec 08 2022 Jan Staněk <jstanek@redhat.com> - 1:14.21.1-2
 - Apply upstream fix for CVE-2022-24999
   Resolves: CVE-2022-24999
@@ -704,7 +710,7 @@ end
 
 * Wed Nov 16 2022 Jan Staněk <jstanek@redhat.com> - 1:14.21.1-1
 - Rebase to version 14.21.1
-  Resolves: rhbz#2129805 CVE-2022-43548 CVE-2022-3517
+  Resolves: rhbz#2129805 CVE-2022-43548
 
 * Fri Oct 07 2022 Jan Staněk <jstanek@redhat.com> - 1:14.20.1-2
 - Record issues fixed in the current version