diff --git a/.gitignore b/.gitignore index 5529c49..09a0bd2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ SOURCES/icu4c-67_1-src.tgz -SOURCES/node-v12.18.2-stripped.tar.gz +SOURCES/node-v12.18.4-stripped.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index b816f66..76a9a3f 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,2 +1,2 @@ 6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz -b8955ce8e33b4c1cfdd4c5be22f70f3419ce63df SOURCES/node-v12.18.2-stripped.tar.gz +31bb163dc0d11a30767ce9b71f1283d9b8d93903 SOURCES/node-v12.18.4-stripped.tar.gz diff --git a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch index 79dc997..4d59d71 100644 --- a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch +++ b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch @@ -1,25 +1,26 @@ -From 4509b10cbe5d22216a7880cc7fb6bd5f92b18018 Mon Sep 17 00:00:00 2001 +From 641730c7d1322dacd8e1020ec0753795d01200f0 Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Thu, 27 Apr 2017 14:25:42 +0200 -Subject: [PATCH 1/5] Disable running gyp on shared deps +Subject: [PATCH] Disable running gyp on shared deps +Signed-off-by: rpm-build --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index 56f5358..f289f25 100644 +index 32a8a6c..f44f88a 100644 --- a/Makefile +++ b/Makefile @@ -141,7 +141,7 @@ test-code-cache: with-code-cache echo "'test-code-cache' target is a noop" - + out/Makefile: config.gypi common.gypi node.gyp \ - deps/uv/uv.gyp deps/http_parser/http_parser.gyp deps/zlib/zlib.gyp \ + deps/http_parser/http_parser.gyp \ tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp $(PYTHON) tools/gyp_node.py -f make --- -2.24.1 +-- +2.26.2 diff --git a/SOURCES/0003-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch b/SOURCES/0003-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch new file mode 100644 index 0000000..b078f92 --- /dev/null +++ b/SOURCES/0003-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch @@ -0,0 +1,106 @@ +From 9473adba9cba6767e8e506f8f19e0ff8f66920be Mon Sep 17 00:00:00 2001 +From: Marco Carini +Date: Mon, 3 Aug 2020 17:16:07 -0500 +Subject: [PATCH] dot-prop: patch 4.2.0 with fixes for CVE-2020-8116 + +Adjusted from +https://github.com/sindresorhus/dot-prop/commit/c914124f418f55edea27928e89c94d931babe587.patch + +Signed-off-by: rpm-build +--- + deps/npm/node_modules/dot-prop/index.js | 18 ++++++++++++++++++ + deps/npm/node_modules/dot-prop/package.json | 6 +++--- + deps/npm/node_modules/dot-prop/readme.md | 2 ++ + 3 files changed, 23 insertions(+), 3 deletions(-) + +diff --git a/deps/npm/node_modules/dot-prop/index.js b/deps/npm/node_modules/dot-prop/index.js +index 15282bb..189831c 100644 +--- a/deps/npm/node_modules/dot-prop/index.js ++++ b/deps/npm/node_modules/dot-prop/index.js +@@ -1,6 +1,14 @@ + 'use strict'; + const isObj = require('is-obj'); + ++const disallowedKeys = [ ++ '__proto__', ++ 'prototype', ++ 'constructor' ++]; ++ ++const isValidPath = pathSegments => !pathSegments.some(segment => disallowedKeys.includes(segment)); ++ + function getPathSegments(path) { + const pathArr = path.split('.'); + const parts = []; +@@ -16,6 +24,10 @@ function getPathSegments(path) { + parts.push(p); + } + ++ if (!isValidPath(parts)) { ++ return []; ++ } ++ + return parts; + } + +@@ -26,6 +38,9 @@ module.exports = { + } + + const pathArr = getPathSegments(path); ++ if (pathArr.length === 0) { ++ return; ++ } + + for (let i = 0; i < pathArr.length; i++) { + if (!Object.prototype.propertyIsEnumerable.call(obj, pathArr[i])) { +@@ -58,6 +73,9 @@ module.exports = { + + const root = obj; + const pathArr = getPathSegments(path); ++ if (pathArr.length === 0) { ++ return; ++ } + + for (let i = 0; i < pathArr.length; i++) { + const p = pathArr[i]; +diff --git a/deps/npm/node_modules/dot-prop/package.json b/deps/npm/node_modules/dot-prop/package.json +index 40fefa3..93daf7d 100644 +--- a/deps/npm/node_modules/dot-prop/package.json ++++ b/deps/npm/node_modules/dot-prop/package.json +@@ -37,9 +37,9 @@ + "deprecated": false, + "description": "Get, set, or delete a property from a nested object using a dot path", + "devDependencies": { +- "ava": "*", ++ "ava": "1.4.1", + "matcha": "^0.7.0", +- "xo": "*" ++ "xo": "0.24.0" + }, + "engines": { + "node": ">=4" +@@ -73,7 +73,7 @@ + "bench": "matcha bench.js", + "test": "xo && ava" + }, +- "version": "4.2.0", ++ "version": "4.2.1", + "xo": { + "esnext": true + } +diff --git a/deps/npm/node_modules/dot-prop/readme.md b/deps/npm/node_modules/dot-prop/readme.md +index fab3b7a..0e18f78 100644 +--- a/deps/npm/node_modules/dot-prop/readme.md ++++ b/deps/npm/node_modules/dot-prop/readme.md +@@ -85,6 +85,8 @@ Path of the property in the object, using `.` to separate each nested key. + + Use `\\.` if you have a `.` in the key. + ++The following path components are invalid and results in `undefined` being returned: `__proto__`, `prototype`, `constructor`. ++ + #### value + + Type: `any` +-- +2.26.2 + diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index 6901062..1602d84 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -26,7 +26,7 @@ %global nodejs_epoch 1 %global nodejs_major 12 %global nodejs_minor 18 -%global nodejs_patch 2 +%global nodejs_patch 4 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %if %{?with_libs} == 1 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h @@ -65,8 +65,8 @@ # llhttp - from deps/llhttp/include/llhttp.h %global llhttp_major 2 -%global llhttp_minor 0 -%global llhttp_patch 4 +%global llhttp_minor 1 +%global llhttp_patch 2 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch} # libuv - from deps/uv/include/uv/version.h @@ -102,7 +102,7 @@ %global npm_epoch 1 %global npm_major 6 %global npm_minor 14 -%global npm_patch 5 +%global npm_patch 6 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # uvwasi - from deps/uvwasi/include/uvwasi.h @@ -157,6 +157,9 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch Patch2: 0002-Install-both-binaries-and-use-libdir.patch %endif +# Fix for CVE-2020-8116 +Patch3: 0003-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch + BuildRequires: python2-devel BuildRequires: python3-devel BuildRequires: zlib-devel @@ -817,6 +820,9 @@ end %changelog +* Tue Sep 22 2020 Jan Staněk - 12.18.4-1 +- Rebase to 12.18.4 + * Tue Jun 30 2020 Jan Staněk - 12.18.2-1 - Rebase to 12.18.2