From d3c1de8536f02673d7d8c9f0b85b609733b6ad7c Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 26 2021 09:52:30 +0000
Subject: import rh-nodejs12-nodejs-12.22.5-1.el7
---
diff --git a/.gitignore b/.gitignore
index 08162fc..b402021 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/node-ssl-shim-70e39fd.tar.gz
-SOURCES/node-v12.22.2-stripped.tar.gz
+SOURCES/node-v12.22.5-stripped.tar.gz
diff --git a/.rh-nodejs12-nodejs.metadata b/.rh-nodejs12-nodejs.metadata
index 6a195dd..774efbb 100644
--- a/.rh-nodejs12-nodejs.metadata
+++ b/.rh-nodejs12-nodejs.metadata
@@ -1,2 +1,2 @@
 a49b02166a7bdba54fb45cba26a18fa48928ca0e SOURCES/node-ssl-shim-70e39fd.tar.gz
-b8b3a8cee7a4fa4f99818c8a1eb86a9ba474b839 SOURCES/node-v12.22.2-stripped.tar.gz
+6233f9c47c1bc9677e2b50de01b0455cbec2e303 SOURCES/node-v12.22.5-stripped.tar.gz
diff --git a/SOURCES/0001-Temporarily-disable-test-dgram-udp6-link-local-addre.patch b/SOURCES/0001-Temporarily-disable-test-dgram-udp6-link-local-addre.patch
new file mode 100644
index 0000000..ff0d5f4
--- /dev/null
+++ b/SOURCES/0001-Temporarily-disable-test-dgram-udp6-link-local-addre.patch
@@ -0,0 +1,23 @@
+From 4f56b53aa29f34822ab6a3fb8eacb98a158a359b Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Fri, 6 Aug 2021 13:06:22 +0200
+Subject: [PATCH] Temporarily disable test-dgram-udp6-link-local-address
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Review on next rebase – this seems like temporary issue
+
+Signed-off-by: rpm-build
+---
+ .../test-dgram-udp6-link-local-address.js | 0
+ 1 file changed, 0 insertions(+), 0 deletions(-)
+ rename test/{parallel => known_issues}/test-dgram-udp6-link-local-address.js (100%)
+
+diff --git a/test/parallel/test-dgram-udp6-link-local-address.js b/test/known_issues/test-dgram-udp6-link-local-address.js
+similarity index 100%
+rename from test/parallel/test-dgram-udp6-link-local-address.js
+rename to test/known_issues/test-dgram-udp6-link-local-address.js
+--
+2.31.1
+
diff --git a/SOURCES/CVE-2021-23343-nodejs-path-parse.patch b/SOURCES/CVE-2021-23343-nodejs-path-parse.patch
new file mode 100644
index 0000000..201721d
--- /dev/null
+++ b/SOURCES/CVE-2021-23343-nodejs-path-parse.patch
@@ -0,0 +1,180 @@
+https://github.com/jbgutierrez/path-parse/pull/10
+
+From 72c38e3a36b8ed2ec03960ac659aa114cbe6a420 Mon Sep 17 00:00:00 2001
+From: Jeffrey Pinyan
+Date: Thu, 13 May 2021 10:53:50 -0400
+Subject: [PATCH 1/2] fixed regexes to avoid ReDoS attacks
+
+Signed-off-by: rpm-build
+---
+ deps/npm/node_modules/path-parse/index.js | 6 +++---
+ deps/npm/node_modules/path-parse/redos.js | 20 ++++++++++++++++++++
+ 2 files changed, 23 insertions(+), 3 deletions(-)
+ create mode 100644 deps/npm/node_modules/path-parse/redos.js
+
+diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js
+index 3b7601f..e6b2af1 100644
+--- a/deps/npm/node_modules/path-parse/index.js
++++ b/deps/npm/node_modules/path-parse/index.js
+@@ -5,11 +5,11 @@ var isWindows = process.platform === 'win32';
+ // Regex to split a windows path into three parts: [*, device, slash,
+ // tail] windows-only
+ var splitDeviceRe =
+- /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?([\s\S]*?)$/;
++ /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s;
+ 
+ // Regex to split the tail part of the above into [*, dir, basename, ext]
+ var splitTailRe =
+- /^([\s\S]*?)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
++ /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
+ 
+ var win32 = {};
+ 
+@@ -51,7 +51,7 @@ win32.parse = function(pathString) {
+ // Split a filename into [root, dir, basename, ext], unix version
+ // 'root' is just a slash, or nothing.
+ var splitPathRe =
+- /^(\/?|)([\s\S]*?)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
++ /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
+ var posix = {};
+ 
+ 
+diff --git a/deps/npm/node_modules/path-parse/redos.js b/deps/npm/node_modules/path-parse/redos.js
+new file mode 100644
+index 0000000..261947f
+--- /dev/null
++++ b/deps/npm/node_modules/path-parse/redos.js
+@@ -0,0 +1,20 @@
++var pathParse = require('.');
++
++function build_attack(n) {
++ var ret = ""
++ for (var i = 0; i < n; i++) {
++ ret += "/"
++ }
++ return ret + "◎";
++}
++
++for(var i = 1; i <= 5000000; i++) {
++ if (i % 10000 == 0) {
++ var time = Date.now();
++ var attack_str = build_attack(i)
++ pathParse.posix(attack_str);
++ pathParse.win32(attack_str);
++ var time_cost = Date.now() - time;
++ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
++ }
++}
+--
+2.31.1
+
+
+From 44d1c9cd047988bb819707c726d9640f8aabe04d Mon Sep 17 00:00:00 2001
+From: Jeffrey Pinyan
+Date: Thu, 13 May 2021 11:51:45 -0400
+Subject: [PATCH 2/2] streamlined regexes, simplified parse() returns
+
+Signed-off-by: rpm-build
+---
+ deps/npm/node_modules/path-parse/index.js | 52 ++++++++---------------
+ 1 file changed, 17 insertions(+), 35 deletions(-)
+
+diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js
+index e6b2af1..f062d0a 100644
+--- a/deps/npm/node_modules/path-parse/index.js
++++ b/deps/npm/node_modules/path-parse/index.js
+@@ -2,29 +2,14 @@
+ 
+ var isWindows = process.platform === 'win32';
+ 
+-// Regex to split a windows path into three parts: [*, device, slash,
+-// tail] windows-only
+-var splitDeviceRe =
+- /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s;
+-
+-// Regex to split the tail part of the above into [*, dir, basename, ext]
+-var splitTailRe =
+- /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
++// Regex to split a windows path into into [dir, root, basename, name, ext]
++var splitWindowsRe =
++ /^(((?:[a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?[\\\/]?)(?:[^\\\/]*[\\\/])*)((\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))[\\\/]*$/;
+ 
+ var win32 = {};
+ 
+-// Function to split a filename into [root, dir, basename, ext]
+ function win32SplitPath(filename) {
+- // Separate device+slash from tail
+- var result = splitDeviceRe.exec(filename),
+- device = (result[1] || '') + (result[2] || ''),
+- tail = result[3] || '';
+- // Split the tail into dir, basename and extension
+- var result2 = splitTailRe.exec(tail),
+- dir = result2[1],
+- basename = result2[2],
+- ext = result2[3];
+- return [device, dir, basename, ext];
++ return splitWindowsRe.exec(filename).slice(1);
+ }
+ 
+ win32.parse = function(pathString) {
+@@ -34,24 +19,24 @@ win32.parse = function(pathString) {
+ );
+ }
+ var allParts = win32SplitPath(pathString);
+- if (!allParts || allParts.length !== 4) {
++ if (!allParts || allParts.length !== 5) {
+ throw new TypeError("Invalid path '" + pathString + "'");
+ }
+ return {
+- root: allParts[0],
+- dir: allParts[0] + allParts[1].slice(0, -1),
++ root: allParts[1],
++ dir: allParts[0] === allParts[1] ? allParts[0] : allParts[0].slice(0, -1),
+ base: allParts[2],
+- ext: allParts[3],
+- name: allParts[2].slice(0, allParts[2].length - allParts[3].length)
++ ext: allParts[4],
++ name: allParts[3]
+ };
+ };
+ 
+ 
+ 
+-// Split a filename into [root, dir, basename, ext], unix version
++// Split a filename into [dir, root, basename, name, ext], unix version
+ // 'root' is just a slash, or nothing.
+ var splitPathRe =
+- /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
++ /^((\/?)(?:[^\/]*\/)*)((\.{1,2}|[^\/]+?|)(\.[^.\/]*|))[\/]*$/;
+ var posix = {};
+ 
+ 
+@@ -67,19 +52,16 @@ posix.parse = function(pathString) {
+ );
+ }
+ var allParts = posixSplitPath(pathString);
+- if (!allParts || allParts.length !== 4) {
++ if (!allParts || allParts.length !== 5) {
+ throw new TypeError("Invalid path '" + pathString + "'");
+ }
+- allParts[1] = allParts[1] || '';
+- allParts[2] = allParts[2] || '';
+- allParts[3] = allParts[3] || '';
+-
++
+ return {
+- root: allParts[0],
+- dir: allParts[0] + allParts[1].slice(0, -1),
++ root: allParts[1],
++ dir: allParts[0].slice(0, -1),
+ base: allParts[2],
+- ext: allParts[3],
+- name: allParts[2].slice(0, allParts[2].length - allParts[3].length)
++ ext: allParts[4],
++ name: allParts[3],
+ };
+ };
+ 
+--
+2.31.1
+
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index bdf2bd8..899a786 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -23,7 +23,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_major 12
 %global nodejs_minor 22
-%global nodejs_patch 2
+%global nodejs_patch 5
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
 %global nodejs_release 1
@@ -40,8 +40,8 @@
 
 # c-ares - from deps/cares/include/ares_version.h
 %global c_ares_major 1
-%global c_ares_minor 16
-%global c_ares_patch 1
+%global c_ares_minor 17
+%global c_ares_patch 2
 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
 
 # http-parser - from deps/http_parser/http_parser.h
@@ -80,7 +80,7 @@
 # npm - from deps/npm/package.json
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 13
+%global npm_patch 14
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 
 # uvwasi - from deps/uvwasi/include/uvwasi.h
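Review bot: The backported [PATCH 1/2] creates `deps/npm/node_modules/path-parse/redos.js`, a stress script (a loop to 5,000,000 that builds ever-longer slash strings and times `pathParse.posix`/`pathParse.win32`), inside the module directory that is packaged with the bundled npm, so it will be installed on end systems unless %install or %files prunes it, which is not visible here. The ReDoS fix itself lives entirely in the `index.js` hunks; consider dropping the `redos.js` file section from the backport, or removing the file in %prep after Patch14 is applied, so only library code ships. Separately, in [PATCH 2/2] `win32SplitPath` now returns `splitWindowsRe.exec(filename).slice(1)`; every group of `splitWindowsRe` admits the empty string and the trailing `[\\\/]*$` absorbs the remainder, so a string input appears never to fail to match, which leaves the retained `if (!allParts || allParts.length !== 5)` guard in `win32.parse` effectively dead. If the backport is kept verbatim from upstream that is fine, but a one-line comment above the guard such as `// exec() cannot return null for string input; kept as a belt-and-braces check` would stop the next reader from looking for the code path that produces a null match.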
@@ -149,6 +149,11 @@ Patch11: tools-test-Replace-malformed-input-from-tests.patch
 
 # Always defer to OS when it comes to FIPS
 Patch12: always-available-fips-options.patch
+Patch14: CVE-2021-23343-nodejs-path-parse.patch
+
+# Temporarily disabled tests; review on next rebase
+Patch99: 0001-Temporarily-disable-test-dgram-udp6-link-local-addre.patch
+
 
 %{?scl:Requires: %{scl}-runtime}
 %{?scl:BuildRequires: %{scl}-runtime}
@@ -499,8 +504,19 @@ python2 tools/test.py "${RUN_SUITES[@]}"
 
 
 %changelog
+* Mon Aug 16 2021 Jan Staněk - 12.22.5-1
+- Rebase to 12.22.5
+ Resolves: CVE-2021-22931 CVE-2021-22939 CVE-2021-22940
+
+* Thu Aug 05 2021 Jan Staněk - 12.22.4-1
+- Rebase to 12.22.4 with additional fixes (http2-update-handling-of-streams-on-rst_stream-frames.patch)
+ Resolves: CVE-2021-22930
+- Backport fix for CVE-2021-23343 in bundled(nodejs-path-parse)
+ Resolves: rhbz#1986744
+
 * Thu Jul 08 2021 Jan Staněk - 12.22.2-1
 - Rebase to 12.22.2
+ Resolves: CVE-2021-22918, CVE-2021-23362, CVE-2021-27290, CVE-2021-33502
 - Drop upstreamed deps-y18n-address-prototype-pollution-issue.patch
 
 * Tue Feb 23 2021 Jan Staněk - 12.21.0-1
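Review bot: `Patch99` moves `test-dgram-udp6-link-local-address` out of the parallel suite with only `review on next rebase` as the follow-up; neither this comment nor the description inside the new `SOURCES/0001-Temporarily-disable-test-dgram-udp6-link-local-addre.patch` records what fails or a tracking id, so the next rebaser has nothing to verify against before re-enabling it. Suggest widening the comment to `# Temporarily disabled tests; review on next rebase (tracked in <BUG-ID placeholder>)` and recording the observed failure in the patch description.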
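Review bot: The new 12.22.4-1 changelog entry says the rebase added `http2-update-handling-of-streams-on-rst_stream-frames.patch`, yet no `PatchN:` line for it appears anywhere in this import and the patch list in the earlier hunk jumps from Patch12 to Patch14, so the 12.22.5-1 entry appears to drop that patch without saying so; since this import squashes 12.22.4-1 and 12.22.5-1, its addition and removal would both be invisible in the diff, which is consistent with it having been upstreamed in 12.22.5. If that is the case, add a bullet under 12.22.5-1 such as `- Drop upstreamed http2-update-handling-of-streams-on-rst_stream-frames.patch`, matching how the 12.22.2-1 entry records the y18n patch drop.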