From d5a80804c66400edaa78db9c65dd175c962a7fd5 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Apr 02 2020 07:24:01 +0000
Subject: import nodejs-12.16.1-2.module+el8.1.0+6117+b25a342c
---
diff --git a/SOURCES/0004-ICU-20958-Prevent-SEGV_MAPERR-in-append.patch b/SOURCES/0004-ICU-20958-Prevent-SEGV_MAPERR-in-append.patch
new file mode 100644
index 0000000..8f86a30
--- /dev/null
+++ b/SOURCES/0004-ICU-20958-Prevent-SEGV_MAPERR-in-append.patch
@@ -0,0 +1,17 @@
+diff --git a/deps/icu-small/source/common/unistr.cpp b/deps/icu-small/source/common/unistr.cpp
+index eeb0c3a..1c59de9 100644
+--- a/deps/icu-small/source/common/unistr.cpp
++++ b/deps/icu-small/source/common/unistr.cpp
+@@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
+ }
+
+ int32_t oldLength = length();
+- int32_t newLength = oldLength + srcLength;
++ int32_t newLength;
++ if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
++ setToBogus();
++ return *this;
++ }
+
+ // Check for append onto ourself
+ const UChar* oldArray = getArrayStart();
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index d052f29..d33e00f 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -29,7 +29,7 @@ %global nodejs_soversion 72 %endif %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch} -%global nodejs_release 1 +%global nodejs_release 2 # == Bundled Dependency Versions == # v8 - from deps/v8/include/v8-version.h
@@ -152,6 +152,8 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch Patch3: 0003-Install-both-binaries-and-use-libdir.patch %endif +Patch4: 0004-ICU-20958-Prevent-SEGV_MAPERR-in-append.patch + BuildRequires: python2-devel BuildRequires: python3-devel BuildRequires: zlib-devel
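Review bot: The new patch file starts directly at `diff --git` with no header, so the only record of what it fixes is the `ICU-20958` in the filename and the changelog entry. I would add a short header above the diff naming the upstream ticket, the upstream commit reference and `CVE-2020-10531`, and a matching comment above the `Patch4:` line in the `SPECS/nodejs.spec` hunk at `-152,6 +152,8`, for example `# CVE-2020-10531 (ICU-20958): int32 overflow in UnicodeString::doAppend; drop once the bundled ICU carries the fix`. The guard itself depends on `uprv_add32_overflow` being declared for the bundled ICU's unistr.cpp, presumably through an include that is outside the hunk, so a build log should confirm it. The body of `doAppend` starts and ends outside the hunk.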
@@ -359,6 +361,8 @@ rm -rf deps/zlib %patch3 -p1 %endif +%patch4 -p1 + # Replace any instances of unversioned python' with python2 pathfix.py -i %{__python2} -pn $(find -type f ! -name "*.js") find . -type f -exec sed -i "s~/usr\/bin\/env python~/usr/bin/python2~" {} \;
@@ -384,12 +388,12 @@ export CXX='g++' # build with debugging symbols and add defines from libuv (#892601) # Node's v8 breaks with GCC 6 because of incorrect usage of methods on # NULL objects. We need to pass -fno-delete-null-pointer-checks -export CFLAGS='%{optflags} \ +export CFLAGS='%{optflags} -g \ -D_LARGEFILE_SOURCE \ -D_FILE_OFFSET_BITS=64 \ -DZLIB_CONST \ -fno-delete-null-pointer-checks' -export CXXFLAGS='%{optflags} \ +export CXXFLAGS='%{optflags} -g \ -D_LARGEFILE_SOURCE \ -D_FILE_OFFSET_BITS=64 \ -DZLIB_CONST \
@@ -739,6 +743,9 @@ end %changelog +* Tue Mar 17 2020 Zuzana Svetlikova - 1:12.16.1-2 +- Fix CVE-2020-10531 + * Thu Feb 20 2020 Zuzana Svetlikova - 1:12.16.1-1 - Resolves: RHBZ#1800393, RHBZ#1800394, RHBZ#1800380 - Rebase to 12.16.1
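Review bot: The `-g` added to `CFLAGS` and `CXXFLAGS` in the `-384,12 +388,12` hunk is not recorded in the changelog, whose only entry for this release is `- Fix CVE-2020-10531`. A build-flag change shipped inside a security update should be traceable on its own, so either add a changelog line such as `- Pass -g explicitly in CFLAGS/CXXFLAGS` or move the change to a separate release. On RHEL-family builds `%{optflags}` normally already contains `-g`, so the addition may be redundant; the expanded flags in a build log would settle that.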