From 89a831a87068f1194d00d5481960f25bfa5705f0 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Feb 11 2021 13:10:16 +0000 Subject: import rh-nodejs12-nodejs-12.20.1-1.el7 --- diff --git a/.gitignore b/.gitignore index e1f0b9c..49a89a8 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ SOURCES/node-ssl-shim-6fc0b05.tar.gz -SOURCES/node-v12.19.1-stripped.tar.gz +SOURCES/node-v12.20.1-stripped.tar.gz diff --git a/.rh-nodejs12-nodejs.metadata b/.rh-nodejs12-nodejs.metadata index 7f0c8fc..e3ac9b6 100644 --- a/.rh-nodejs12-nodejs.metadata +++ b/.rh-nodejs12-nodejs.metadata @@ -1,2 +1,2 @@ 9fe6761bd237af8be0e4d26184c5a01e01d7967d SOURCES/node-ssl-shim-6fc0b05.tar.gz -52b6a7856356c8cd8c5ddae0550c4d65238ea33a SOURCES/node-v12.19.1-stripped.tar.gz +81c75a3ddae01fb409cdbb3c9ef98989f2914cbf SOURCES/node-v12.20.1-stripped.tar.gz diff --git a/SOURCES/deps-ajv-ignore-proto-properties.patch b/SOURCES/deps-ajv-ignore-proto-properties.patch deleted file mode 100644 index d10b9c8..0000000 --- a/SOURCES/deps-ajv-ignore-proto-properties.patch +++ /dev/null @@ -1,26 +0,0 @@ -From d06e33cc159627e45205b99fdedb9df22d51f0ee Mon Sep 17 00:00:00 2001 -From: Evgeny Poberezkin <2769109+epoberezkin@users.noreply.github.com> -Date: Wed, 1 Jul 2020 11:56:05 +0100 -Subject: [PATCH] deps(ajv): ignore proto properties - -Fixes: CVE-2020-15366 -Signed-off-by: rpm-build ---- - deps/npm/node_modules/ajv/lib/dot/dependencies.jst | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/deps/npm/node_modules/ajv/lib/dot/dependencies.jst b/deps/npm/node_modules/ajv/lib/dot/dependencies.jst -index c41f334..7403105 100644 ---- a/deps/npm/node_modules/ajv/lib/dot/dependencies.jst -+++ b/deps/npm/node_modules/ajv/lib/dot/dependencies.jst -@@ -19,6 +19,7 @@ - , $ownProperties = it.opts.ownProperties; - - for ($property in $schema) { -+ if ($property == '__proto__') continue; - var $sch = $schema[$property]; - var $deps = Array.isArray($sch) ? $propertyDeps : $schemaDeps; - $deps[$property] = $sch; --- -2.28.0 - diff --git a/SOURCES/deps-ini-do-not-allow-invalid-hazardous-string-as-section-name.patch b/SOURCES/deps-ini-do-not-allow-invalid-hazardous-string-as-section-name.patch new file mode 100644 index 0000000..b7270a0 --- /dev/null +++ b/SOURCES/deps-ini-do-not-allow-invalid-hazardous-string-as-section-name.patch @@ -0,0 +1,99 @@ +From cdd56e89bf13b495e5b97cc4416f61638617d7f4 Mon Sep 17 00:00:00 2001 +From: isaacs +Date: Tue, 8 Dec 2020 14:21:50 -0800 +Subject: [PATCH] do not allow invalid hazardous string as section name + +Signed-off-by: rpm-build +--- + deps/npm/node_modules/ini/ini.js | 8 +++++ + deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++ + 2 files changed, 53 insertions(+) + create mode 100644 deps/npm/node_modules/ini/test/proto.js + +diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js +index 590195d..0401258 100644 +--- a/deps/npm/node_modules/ini/ini.js ++++ b/deps/npm/node_modules/ini/ini.js +@@ -80,6 +80,12 @@ function decode (str) { + if (!match) return + if (match[1] !== undefined) { + section = unsafe(match[1]) ++ if (section === '__proto__') { ++ // not allowed ++ // keep parsing the section, but don't attach it. ++ p = {} ++ return ++ } + p = out[section] = out[section] || {} + return + } +@@ -94,6 +100,7 @@ function decode (str) { + // Convert keys with '[]' suffix to an array + if (key.length > 2 && key.slice(-2) === '[]') { + key = key.substring(0, key.length - 2) ++ if (key === '__proto__') return + if (!p[key]) { + p[key] = [] + } else if (!Array.isArray(p[key])) { +@@ -125,6 +132,7 @@ function decode (str) { + var l = parts.pop() + var nl = l.replace(/\\\./g, '.') + parts.forEach(function (part, _, __) { ++ if (part === '__proto__') return + if (!p[part] || typeof p[part] !== 'object') p[part] = {} + p = p[part] + }) +diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js +new file mode 100644 +index 0000000..ab35533 +--- /dev/null ++++ b/deps/npm/node_modules/ini/test/proto.js +@@ -0,0 +1,45 @@ ++var ini = require('../') ++var t = require('tap') ++ ++var data = ` ++__proto__ = quux ++foo = baz ++[__proto__] ++foo = bar ++[other] ++foo = asdf ++[kid.__proto__.foo] ++foo = kid ++[arrproto] ++hello = snyk ++__proto__[] = you did a good job ++__proto__[] = so you deserve arrays ++thanks = true ++` ++var res = ini.parse(data) ++t.deepEqual(res, { ++ foo: 'baz', ++ other: { ++ foo: 'asdf', ++ }, ++ kid: { ++ foo: { ++ foo: 'kid', ++ }, ++ }, ++ arrproto: { ++ hello: 'snyk', ++ thanks: true, ++ }, ++}) ++t.equal(res.__proto__, Object.prototype) ++t.equal(res.kid.__proto__, Object.prototype) ++t.equal(res.kid.foo.__proto__, Object.prototype) ++t.equal(res.arrproto.__proto__, Object.prototype) ++t.equal(Object.prototype.foo, undefined) ++t.equal(Object.prototype[0], undefined) ++t.equal(Object.prototype['0'], undefined) ++t.equal(Object.prototype[1], undefined) ++t.equal(Object.prototype['1'], undefined) ++t.equal(Array.prototype[0], undefined) ++t.equal(Array.prototype[1], undefined) +-- +2.29.2 + diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index 66ba952..c4953f0 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -22,11 +22,11 @@ # feature releases that are only supported for nine months, which is shorter # than a Fedora release lifecycle. %global nodejs_major 12 -%global nodejs_minor 19 +%global nodejs_minor 20 %global nodejs_patch 1 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch} -%global nodejs_release 2 +%global nodejs_release 1 # == Bundled Dependency Versions == # v8 - from deps/v8/include/v8-version.h @@ -41,24 +41,24 @@ # c-ares - from deps/cares/include/ares_version.h %global c_ares_major 1 %global c_ares_minor 16 -%global c_ares_patch 0 +%global c_ares_patch 1 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch} # http-parser - from deps/http_parser/http_parser.h %global http_parser_major 2 %global http_parser_minor 9 -%global http_parser_patch 3 +%global http_parser_patch 4 %global http_parser_version %{http_parser_major}.%{http_parser_minor}.%{http_parser_patch} # llhttp - from deps/llhttp/include/llhttp.h %global llhttp_major 2 %global llhttp_minor 1 -%global llhttp_patch 2 +%global llhttp_patch 3 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch} # libuv - from deps/uv/include/uv/version.h %global libuv_major 1 -%global libuv_minor 39 +%global libuv_minor 40 %global libuv_patch 0 %global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch} @@ -80,13 +80,13 @@ # npm - from deps/npm/package.json %global npm_major 6 %global npm_minor 14 -%global npm_patch 8 +%global npm_patch 10 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # uvwasi - from deps/uvwasi/include/uvwasi.h %global uvwasi_major 0 %global uvwasi_minor 0 -%global uvwasi_patch 10 +%global uvwasi_patch 11 %global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch} # zlib version - from deps/zlib/zlib.h @@ -150,8 +150,8 @@ Patch10: deps-Remove-statx-from-libuv.patch Patch11: tools-test-Replace-malformed-input-from-tests.patch # Backport upstream fixes -Patch20: deps-ajv-ignore-proto-properties.patch -Patch21: deps-y18n-address-prototype-pollution-issue.patch +Patch20: deps-y18n-address-prototype-pollution-issue.patch +Patch21: deps-ini-do-not-allow-invalid-hazardous-string-as-section-name.patch %{?scl:Requires: %{scl}-runtime} @@ -412,6 +412,28 @@ set -ex # Ensure we have npm and that the version matches NODE_PATH=%{buildroot}%{nodejs_sitelib} %{buildroot}/%{_bindir}/node -e "require('assert').equal(require('npm').version, '%{npm_version}')" +# Some tests fail only on specific architectures; disable only when needed +DISABLE_ARCH_TESTS=( +%ifarch ppc64le + # rhbz#1916184 + sequential/test-cpu-prof-default + sequential/test-cpu-prof-dir-absolute + sequential/test-cpu-prof-dir-and-name + sequential/test-cpu-prof-dir-relative + sequential/test-cpu-prof-dir-worker + sequential/test-cpu-prof-drained + sequential/test-cpu-prof-exit + sequential/test-cpu-prof-invalid-options + sequential/test-cpu-prof-kill + sequential/test-cpu-prof-name + sequential/test-cpu-prof-worker-argv + sequential/test-diagnostic-dir-cpu-prof +%endif +) +for testcase in "${DISABLE_ARCH_TESTS[@]}" +do mv -t test/known_issues/ "test/${testcase}.js" +done + # Only run suites that we are expected to pass RUN_SUITES=( abort @@ -482,6 +504,10 @@ python2 tools/test.py "${RUN_SUITES[@]}" %changelog +* Fri Jan 08 2021 Jan Staněk - 12.20.1-1.fc33~bootstrap +- Rebase to 12.20.1 +- Resolves: CVE-2020-8265 CVE-2020-8287 + * Tue Nov 24 2020 Jan Staněk - 12.19.1-2 - Backport patches for CVE-2020-15366 and CVE-2020-7774