diff --git a/SOURCES/0001-fix-redirect-help.patch b/SOURCES/0001-fix-redirect-help.patch
index b0a9e67..89cfc0a 100644
--- a/SOURCES/0001-fix-redirect-help.patch
+++ b/SOURCES/0001-fix-redirect-help.patch
@@ -1,4 +1,4 @@
-From cccb59dd0029243d816cd1a07ffa1f4b3ed25313 Mon Sep 17 00:00:00 2001
+From 190d081bdbc703d34124aba06f3903c27e4f7c11 Mon Sep 17 00:00:00 2001
 From: Remy Sharp
 Date: Wed, 6 Jan 2021 10:38:53 +0000
 Subject: [PATCH] fix: redirect help
diff --git a/SOURCES/0002-Fix-ReDoS-for-data-URLs.patch b/SOURCES/0002-Fix-ReDoS-for-data-URLs.patch
index 83004a4..c16dd66 100644
--- a/SOURCES/0002-Fix-ReDoS-for-data-URLs.patch
+++ b/SOURCES/0002-Fix-ReDoS-for-data-URLs.patch
@@ -1,4 +1,4 @@
-From f3fa3bb4248f851be3cb6adc1beaf68711848ff3 Mon Sep 17 00:00:00 2001
+From 099828b738527c3a1e9fcba8ed9b0b1a5103526f Mon Sep 17 00:00:00 2001
 From: rpm-build
 Date: Fri, 2 Jul 2021 16:30:14 +0200
 Subject: [PATCH] Fix ReDoS for data URLs
diff --git a/SOURCES/0003-fix-eliminate-ReDoS-36.patch b/SOURCES/0003-fix-eliminate-ReDoS-36.patch
new file mode 100644
index 0000000..a8a208b
--- /dev/null
+++ b/SOURCES/0003-fix-eliminate-ReDoS-36.patch
@@ -0,0 +1,31 @@
+From 77d803b877935e51c42e8bd66510d41f3e76460c Mon Sep 17 00:00:00 2001
+From: Rich Trott
+Date: Sat, 6 Mar 2021 13:16:16 -0800
+Subject: [PATCH] fix: eliminate ReDoS (#36)
+
+This change fixes a regular expression denial of service
+vulnerability.
+
+Refs: https://github.com/gulpjs/glob-parent/issues/32
+Refs: https://app.snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
+Signed-off-by: rpm-build
+---
+ node_modules/glob-parent/index.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/node_modules/glob-parent/index.js b/node_modules/glob-parent/index.js
+index 2ded6ea..c7b3bd3 100644
+--- a/node_modules/glob-parent/index.js
++++ b/node_modules/glob-parent/index.js
+@@ -6,7 +6,7 @@ var isWin32 = require('os').platform() === 'win32';
+ 
+ var slash = '/';
+ var backslash = /\\/g;
+-var enclosure = /[\{\[].*[\/]*.*[\}\]]$/;
++var enclosure = /[\{\[].*[\}\]]$/;
+ var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
+ var escaped = /\\([\*\?\|\[\]\(\)\{\}])/g;
+ 
+--
+2.31.1
+
diff --git a/SOURCES/0004-do-not-allow-invalid-hazardous-string-as-section-nam.patch b/SOURCES/0004-do-not-allow-invalid-hazardous-string-as-section-nam.patch
new file mode 100644
index 0000000..85f2ba4
--- /dev/null
+++ b/SOURCES/0004-do-not-allow-invalid-hazardous-string-as-section-nam.patch
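Review bot: The backported glob-parent change at `+@@ -6,7 +6,7 @@` replaces the `enclosure` expression with one that holds a single `.*`, so matching is bounded, but unlike 0004 this patch carries no regression test, and nothing in the build would notice the pre-patch expression reappearing on a future rebase. A short test in the style of 0004's `test/proto.js`, asserting that `globParent()` returns promptly on a long bracketed path of the shape described in the linked issue, would pin the fix. The spec's changelog ties this patch to CVE-2020-28469; recording that identifier in the patch subject or a leading comment would keep the provenance with the patch itself.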
@@ -0,0 +1,99 @@
+From 26bf6f9b5118302d41cc702587e5bb9c5ac51350 Mon Sep 17 00:00:00 2001
+From: isaacs
+Date: Tue, 8 Dec 2020 14:21:50 -0800
+Subject: [PATCH] do not allow invalid hazardous string as section name
+
+Signed-off-by: rpm-build
+---
+ node_modules/ini/ini.js | 8 ++++++
+ node_modules/ini/test/proto.js | 45 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 53 insertions(+)
+ create mode 100644 node_modules/ini/test/proto.js
+
+diff --git a/node_modules/ini/ini.js b/node_modules/ini/ini.js
+index 590195d..0401258 100644
+--- a/node_modules/ini/ini.js
++++ b/node_modules/ini/ini.js
+@@ -80,6 +80,12 @@ function decode (str) {
+ if (!match) return
+ if (match[1] !== undefined) {
+ section = unsafe(match[1])
++ if (section === '__proto__') {
++ // not allowed
++ // keep parsing the section, but don't attach it.
++ p = {}
++ return
++ }
+ p = out[section] = out[section] || {}
+ return
+ }
+@@ -94,6 +100,7 @@ function decode (str) {
+ // Convert keys with '[]' suffix to an array
+ if (key.length > 2 && key.slice(-2) === '[]') {
+ key = key.substring(0, key.length - 2)
++ if (key === '__proto__') return
+ if (!p[key]) {
+ p[key] = []
+ } else if (!Array.isArray(p[key])) {
+@@ -125,6 +132,7 @@ function decode (str) {
+ var l = parts.pop()
+ var nl = l.replace(/\\\./g, '.')
+ parts.forEach(function (part, _, __) {
++ if (part === '__proto__') return
+ if (!p[part] || typeof p[part] !== 'object') p[part] = {}
+ p = p[part]
+ })
+diff --git a/node_modules/ini/test/proto.js b/node_modules/ini/test/proto.js
+new file mode 100644
+index 0000000..ab35533
+--- /dev/null
++++ b/node_modules/ini/test/proto.js
+@@ -0,0 +1,45 @@
++var ini = require('../')
++var t = require('tap')
++
++var data = `
++__proto__ = quux
++foo = baz
++[__proto__]
++foo = bar
++[other]
++foo = asdf
++[kid.__proto__.foo]
++foo = kid
++[arrproto]
++hello = snyk
++__proto__[] = you did a good job
++__proto__[] = so you deserve arrays
++thanks = true
++`
++var res = ini.parse(data)
++t.deepEqual(res, {
++ foo: 'baz',
++ other: {
++ foo: 'asdf',
++ },
++ kid: {
++ foo: {
++ foo: 'kid',
++ },
++ },
++ arrproto: {
++ hello: 'snyk',
++ thanks: true,
++ },
++})
++t.equal(res.__proto__, Object.prototype)
++t.equal(res.kid.__proto__, Object.prototype)
++t.equal(res.kid.foo.__proto__, Object.prototype)
++t.equal(res.arrproto.__proto__, Object.prototype)
++t.equal(Object.prototype.foo, undefined)
++t.equal(Object.prototype[0], undefined)
++t.equal(Object.prototype['0'], undefined)
++t.equal(Object.prototype[1], undefined)
++t.equal(Object.prototype['1'], undefined)
++t.equal(Array.prototype[0], undefined)
++t.equal(Array.prototype[1], undefined)
+--
+2.31.1
+
diff --git a/SPECS/nodejs-nodemon.spec b/SPECS/nodejs-nodemon.spec
index 9852458..e0bc2ed 100644
--- a/SPECS/nodejs-nodemon.spec
+++ b/SPECS/nodejs-nodemon.spec
@@ -9,7 +9,7 @@ Name: %{?scl_prefix}nodejs-%{npm_name}
 Version: 2.0.3
-Release: 2%{?dist}
+Release: 5%{?dist}
 Summary: Simple monitor script for use during development of a node.js app
 License: MIT
 URL: https://github.com/remy/nodemon
@@ -17,6 +17,8 @@ Source0: %{npm_name}-v%{version}-bundled.tar.gz
 Patch0: 0001-fix-redirect-help.patch
 Patch1: 0002-Fix-ReDoS-for-data-URLs.patch
+Patch2: 0003-fix-eliminate-ReDoS-36.patch
+Patch4: 0004-do-not-allow-invalid-hazardous-string-as-section-nam.patch
 BuildRequires: %{?scl_prefix}nodejs-devel
 BuildRequires: %{?scl_prefix}npm
@@ -83,6 +85,18 @@ npm run test
 %{_bindir}/nodemon
 
 %changelog
+* Tue Aug 17 2021 Jan Staněk - 2.0.3-5
+- Rebuild with the previous fix correctly applied
+  Related: rhbz#1991323
+
+* Mon Aug 16 2021 Jan Staněk - 2.0.3-4
+- Backport fix for CVE-2020-7788 in bundled(nodejs-ini)
+  Resolves: rhbz#1991324
+
+* Thu Aug 05 2021 Jan Staněk - 2.0.3-3
+- Backport fix for CVE-2020-28469 in bundled(nodejs-glob-parent)
+  Resolves: rhbz#1948026
+
 * Fri Jul 02 2021 Jan Staněk - 2.0.3-2
 - Allow --help option text to be redirected to file
 - Backport CVE-2021-33502 fix
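Review bot: The dotted-path guard at `+@@ -125,6 +132,7 @@` (`if (part === '__proto__') return`) skips only the hazardous segment and keeps descending, so `[kid.__proto__.foo]` collapses onto `kid.foo` instead of being discarded the way a bare `[__proto__]` section is via `p = {}`; the new `test/proto.js` pins exactly that with `kid: { foo: { foo: 'kid' } }`. That asymmetry is deliberate upstream but not evident from the code, so the section branch's `// keep parsing the section, but don't attach it.` deserves a counterpart on the path guard, e.g. `// drop the hazardous segment; the remaining path lands on its parent`. The `[]`-suffix guard at `+@@ -94,6 +100,7 @@` would benefit from the same one-line comment. The enclosing `decode` function starts and ends outside these hunks.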
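Review bot: The patch list in `@@ -17,6 +17,8 @@` jumps from `Patch2` to `Patch4` with no `Patch3`, and whether both new patches actually reach the source tree depends on `%prep`, which is outside this diff: with `%autosetup -p1` the gap is harmless, but with an explicit `%patch2 -p1` / `%patch4 -p1` sequence a stale number silently leaves a fix unapplied, which is presumably what the 2.0.3-5 entry `Rebuild with the previous fix correctly applied` had to correct. Renumbering to `Patch3: 0004-do-not-allow-invalid-hazardous-string-as-section-nam.patch` keeps the list contiguous and makes such a mismatch visible at a glance. The changelog ties the patches to CVE-2020-28469 and CVE-2020-7788 in bundled(nodejs-glob-parent) and bundled(nodejs-ini); if the spec carries versioned `Provides: bundled(...)` tags for those modules they should reflect the patched state, which cannot be confirmed from these hunks.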