diff --git a/SOURCES/0001-deps-ansi-regex-fix-potential-ReDoS.patch b/SOURCES/0001-deps-ansi-regex-fix-potential-ReDoS.patch new file mode 100644 index 0000000..b23946b --- /dev/null +++ b/SOURCES/0001-deps-ansi-regex-fix-potential-ReDoS.patch 
@@ -0,0 +1,74 @@ +From e040864f2797b9c705bac5862581d5f190510e04 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Thu, 9 Dec 2021 15:48:46 +0100 +Subject: [PATCH] deps(ansi-regex): fix potential ReDoS + +This is the upstream fix [1] applied to all applicable bundled deps. + +[1]: https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9 + +Fixes: CVE-2021-3807 +Signed-off-by: rpm-build +--- + deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js | 2 +- + .../node_modules/string-width/node_modules/ansi-regex/index.js | 2 +- + .../npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js | 2 +- + deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js b/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js +index c254480..9e37ec3 100644 +--- a/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js ++++ b/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js +@@ -6,7 +6,7 @@ module.exports = options => { + }, options); + + const pattern = [ +- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', ++ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', + '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))' + ].join('|'); + +diff --git a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js +index c4aaecf..7d32201 100644 +--- a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js ++++ b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js +@@ -2,7 +2,7 @@ + + module.exports = () => { + const pattern = [ +- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[a-zA-Z\\d]*)*)?\\u0007)', ++ 
'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', + '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~]))' + ].join('|'); + +diff --git a/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js b/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js +index c254480..9e37ec3 100644 +--- a/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js ++++ b/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js +@@ -6,7 +6,7 @@ module.exports = options => { + }, options); + + const pattern = [ +- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', ++ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', + '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))' + ].join('|'); + +diff --git a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js +index c254480..9e37ec3 100644 +--- a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js ++++ b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js +@@ -6,7 +6,7 @@ module.exports = options => { + }, options); + + const pattern = [ +- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', ++ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', + '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))' + ].join('|'); + +-- +2.33.1 + + diff --git a/SOURCES/0002-deps-json-schema-protect-against-prototype-pollution.patch b/SOURCES/0002-deps-json-schema-protect-against-prototype-pollution.patch new file mode 100644 index 0000000..2f0a58b --- /dev/null +++ b/SOURCES/0002-deps-json-schema-protect-against-prototype-pollution.patch 
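Review bot: The string-width copy of ansi-regex gets a replacement pattern whose `;`-separated parameter class is `[-a-zA-Z\\d\\/#&.:=?%@~_]`, while the line it removes used the narrower `[a-zA-Z\\d]` there, so that copy's match set is widened beyond what the ReDoS fix alone requires (the cliui, wrap-ansi and yargs copies already used the wider class). This matches the referenced upstream commit, so it is probably intended, but the commit message only claims a ReDoS fix; I would state the side effect, e.g. `The string-width copy also picks up the wider OSC parameter class from upstream ansi-regex.` Unlike the json-schema patch in this series, no regression test accompanies the change; a test bounding the match time of the new pattern on a long unterminated escape sequence would pin the fix in place. If npm also bundles a top-level `deps/npm/node_modules/ansi-regex`, it is absent from the diffstat, which is worth confirming against the tarball.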
@@ -0,0 +1,73 @@ +From 25661e4fc0e7c6a3d47bc189f886af76b1ecafa1 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Thu, 9 Dec 2021 13:01:08 +0100 +Subject: [PATCH] deps(json-schema): protect against prototype pollution + +Amalgamation of the following upstream patches: +https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 +https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a +https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa + +Fixes: CVE-2021-3918 +Signed-off-by: rpm-build +--- + .../node_modules/json-schema/lib/validate.js | 4 +-- + .../node_modules/json-schema/test/tests.js | 28 ++++++++++++++++++- + 2 files changed, 29 insertions(+), 3 deletions(-) + +diff --git a/deps/npm/node_modules/json-schema/lib/validate.js b/deps/npm/node_modules/json-schema/lib/validate.js +index 4b61088..d05ee86 100644 +--- a/deps/npm/node_modules/json-schema/lib/validate.js ++++ b/deps/npm/node_modules/json-schema/lib/validate.js +@@ -209,8 +209,8 @@ var validate = exports._validate = function(/*Any*/instance,/*Object*/schema,/*O + } + + for(var i in objTypeDef){ +- if(objTypeDef.hasOwnProperty(i)){ +- var value = instance[i]; ++ if(objTypeDef.hasOwnProperty(i) && i != '__proto__' && i != 'constructor'){ ++ var value = instance.hasOwnProperty(i) ? 
instance[i] : undefined; + // skip _not_ specified properties + if (value === undefined && options.existingOnly) continue; + var propDef = objTypeDef[i]; +diff --git a/deps/npm/node_modules/json-schema/test/tests.js b/deps/npm/node_modules/json-schema/test/tests.js +index 40eeda5..70f515a 100644 +--- a/deps/npm/node_modules/json-schema/test/tests.js ++++ b/deps/npm/node_modules/json-schema/test/tests.js +@@ -91,5 +91,31 @@ var suite = vows.describe('JSON Schema').addBatch({ + + 'Json-Ref self-validates': assertSelfValidates('json-ref'), + 'Json-Ref/Hyper': assertValidates('json-ref', 'hyper-schema'), +- 'Json-Ref/Core': assertValidates('json-ref', 'schema') ++ 'Json-Ref/Core': assertValidates('json-ref', 'schema'), ++ prototypePollution: function() { ++ console.log('testing') ++ const instance = JSON.parse(` ++ { ++ "$schema":{ ++ "type": "object", ++ "properties":{ ++ "__proto__": { ++ "type": "object", ++ ++ "properties":{ ++ "polluted": { ++ "type": "string", ++ "default": "polluted" ++ } ++ } ++ } ++ }, ++ "__proto__": {} ++ } ++ }`); ++ ++ const a = {}; ++ validate(instance); ++ assert.equal(a.polluted, undefined); ++ } + }).export(module); +-- +2.33.1 + + diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index 972efc3..7acefba 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -15,7 +15,7 @@ # This is used by both the nodejs package and the npm subpackage thar # has a separate version - the name is special so that rpmdev-bumpspec # will bump this rather than adding .1 to the end. -%global baserelease 1 +%global baserelease 2 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} 
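Review bot: In lib/validate.js the new line `var value = instance.hasOwnProperty(i) ? instance[i] : undefined;` calls `hasOwnProperty` as a method of the validated instance, so an instance created with `Object.create(null)` throws and one carrying its own `hasOwnProperty` key shadows the check; `var value = Object.prototype.hasOwnProperty.call(instance, i) ? instance[i] : undefined;` answers the ownership question without trusting the object being validated. Whether `instance` is guaranteed to be a non-null object at this point depends on code before the hunk (the enclosing `validate` function starts outside it), so that needs confirming. The same caution applies to the pre-existing `objTypeDef.hasOwnProperty(i)` call on the line above. In test/tests.js the added `console.log('testing')` is leftover debug output and can be dropped.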
@@ -169,6 +169,9 @@ Patch2: 0002-Install-both-binaries-and-use-libdir.patch # https://github.com/nodejs/node/issues/34903 Patch3: 0004-always-available-fips-options.patch +Patch4: 0001-deps-ansi-regex-fix-potential-ReDoS.patch +Patch5: 0002-deps-json-schema-protect-against-prototype-pollution.patch + BuildRequires: make BuildRequires: python3-devel BuildRequires: zlib-devel @@ -826,6 +829,10 @@ end %changelog +* Mon Dec 13 2021 Zuzana Svetlikova - 1:14.18.2-2 +- Add missing fixes +- Resolves: RHBZ#2027642, RHBZ#2027635 + * Wed Dec 01 2021 Zuzana Svetlikova - 1:14.18.2-1 - Resolves: RHBZ#2027609 - Resolves: RHBZ#2027649, RHBZ#2027646, RHBZ#2027642, RHBZ#2027635
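Review bot: The spec gains `Patch4:` and `Patch5:` declarations but no change to `%prep` is visible in this diff, and a `Patch` tag alone applies nothing unless the build uses `%autosetup`/`%autopatch`; if `%prep` applies patches explicitly, it needs `%patch4 -p1` and `%patch5 -p1` beside wherever Patch3 is applied (the `%prep` section lies outside this hunk, so confirm against the full spec). The numbering also drifts: Patch3 is `0004-always-available-fips-options.patch` while the new Patch4 and Patch5 files are prefixed `0001-` and `0002-`, so the file prefixes no longer track the Patch index; renaming them to `0005-`/`0006-` or noting the convention in a comment would avoid confusion. Since each patch fixes a named CVE, a `# CVE-2021-3807` and `# CVE-2021-3918` comment above the respective Patch line would keep the audit trail in the spec itself rather than only in the patch headers.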