diff --git a/.gitignore b/.gitignore
index b402021..16eab39 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/node-ssl-shim-70e39fd.tar.gz
-SOURCES/node-v12.22.5-stripped.tar.gz
+SOURCES/node-v12.22.12-stripped.tar.gz
diff --git a/.rh-nodejs12-nodejs.metadata b/.rh-nodejs12-nodejs.metadata
index 774efbb..54a8682 100644
--- a/.rh-nodejs12-nodejs.metadata
+++ b/.rh-nodejs12-nodejs.metadata
@@ -1,2 +1,2 @@
 a49b02166a7bdba54fb45cba26a18fa48928ca0e SOURCES/node-ssl-shim-70e39fd.tar.gz
-6233f9c47c1bc9677e2b50de01b0455cbec2e303 SOURCES/node-v12.22.5-stripped.tar.gz
+be046ad95927ecf500b758b183a3271d88944903 SOURCES/node-v12.22.12-stripped.tar.gz
diff --git a/SOURCES/0001-Link-with-ssl-shim.patch b/SOURCES/0001-Link-with-ssl-shim.patch
index a5d74e2..599d634 100644
--- a/SOURCES/0001-Link-with-ssl-shim.patch
+++ b/SOURCES/0001-Link-with-ssl-shim.patch
@@ -1,4 +1,4 @@
-From 2b3df37eb2e1dfe324b935332b958b45a89ec9c6 Mon Sep 17 00:00:00 2001
+From 6e749f6bd7fb92c1594e7186ba497b7352789a59 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?=
 Date: Tue, 28 Apr 2020 11:15:24 +0200
 Subject: [PATCH] Link with ssl-shim
@@ -61,5 +61,5 @@ index 573d59ddf4..7bce7706a9 100644
 namespace crypto {
 -- 
-2.31.1
+2.36.1
diff --git a/SOURCES/0001-deps-import-fixes-for-CVE-2021-44906.patch b/SOURCES/0001-deps-import-fixes-for-CVE-2021-44906.patch
new file mode 100644
index 0000000..50e6c6f
--- /dev/null
+++ b/SOURCES/0001-deps-import-fixes-for-CVE-2021-44906.patch
@@ -0,0 +1,132 @@
+From 8a32b7404574b68eb023ba21a7fb42cd68069d77 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20Stan=C4=9Bk?=
+Date: Wed, 1 Jun 2022 11:48:45 +0200
+Subject: [PATCH] deps: import fixes for CVE-2021-44906
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Recreated from the upstream patches:
+
+* https://github.com/substack/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d
+* https://github.com/substack/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb
+
+Signed-off-by: Jan Staněk
+---
+ deps/npm/node_modules/minimist/index.js | 8 ++++++--
+ deps/npm/node_modules/minimist/test/proto.js | 16 ++++++++++++++++
+ .../mkdirp/node_modules/minimist/index.js | 8 ++++++--
+ .../mkdirp/node_modules/minimist/test/proto.js | 16 ++++++++++++++++
+ 4 files changed, 44 insertions(+), 4 deletions(-)
+
+diff --git a/deps/npm/node_modules/minimist/index.js b/deps/npm/node_modules/minimist/index.js
+index d2afe5e..d9c3eb7 100644
+--- a/deps/npm/node_modules/minimist/index.js
++++ b/deps/npm/node_modules/minimist/index.js
+@@ -70,7 +70,7 @@ module.exports = function (args, opts) {
+ var o = obj;
+ for (var i = 0; i < keys.length-1; i++) {
+ var key = keys[i];
+- if (key === '__proto__') return;
++ if (isConstructorOrProto(o, key)) return;
+ if (o[key] === undefined) o[key] = {};
+ if (o[key] === Object.prototype || o[key] === Number.prototype
+ || o[key] === String.prototype) o[key] = {};
+@@ -79,7 +79,7 @@ module.exports = function (args, opts) {
+ }
+
+ var key = keys[keys.length - 1];
+- if (key === '__proto__') return;
++ if (isConstructorOrProto(o, key)) return;
+ if (o === Object.prototype || o === Number.prototype
+ || o === String.prototype) o = {};
+ if (o === Array.prototype) o = [];
+@@ -243,3 +243,7 @@ function isNumber (x) {
+ return /^[-+]?(?:\d+(?:\.\d*)?|\.\d+)(e[-+]?\d+)?$/.test(x);
+ }
+
++
++function isConstructorOrProto (obj, key) {
++ return key === 'constructor' && typeof obj[key] === 'function' || key === '__proto__';
++}
+diff --git a/deps/npm/node_modules/minimist/test/proto.js b/deps/npm/node_modules/minimist/test/proto.js
+index 8649107..4ac62df 100644
+--- a/deps/npm/node_modules/minimist/test/proto.js
++++ b/deps/npm/node_modules/minimist/test/proto.js
+@@ -42,3 +42,19 @@ test('proto pollution (constructor)', function (t) {
+ t.equal(argv.y, undefined);
+ t.end();
+ });
++
++test('proto pollution (constructor function)', function (t) {
++ var argv = parse(['--_.concat.constructor.prototype.y', '123']);
++ function fnToBeTested() {}
++ t.equal(fnToBeTested.y, undefined);
++ t.equal(argv.y, undefined);
++ t.end();
++});
++
++// powered by snyk - https://github.com/backstage/backstage/issues/10343
++test('proto pollution (constructor function) snyk', function (t) {
++ var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' '));
++ t.equal((function(){}).foo, undefined);
++ t.equal(argv.y, undefined);
++ t.end();
++})
+diff --git a/deps/npm/node_modules/mkdirp/node_modules/minimist/index.js b/deps/npm/node_modules/mkdirp/node_modules/minimist/index.js
+index d2afe5e..d9c3eb7 100644
+--- a/deps/npm/node_modules/mkdirp/node_modules/minimist/index.js
++++ b/deps/npm/node_modules/mkdirp/node_modules/minimist/index.js
+@@ -70,7 +70,7 @@ module.exports = function (args, opts) {
+ var o = obj;
+ for (var i = 0; i < keys.length-1; i++) {
+ var key = keys[i];
+- if (key === '__proto__') return;
++ if (isConstructorOrProto(o, key)) return;
+ if (o[key] === undefined) o[key] = {};
+ if (o[key] === Object.prototype || o[key] === Number.prototype
+ || o[key] === String.prototype) o[key] = {};
+@@ -79,7 +79,7 @@ module.exports = function (args, opts) {
+ }
+
+ var key = keys[keys.length - 1];
+- if (key === '__proto__') return;
++ if (isConstructorOrProto(o, key)) return;
+ if (o === Object.prototype || o === Number.prototype
+ || o === String.prototype) o = {};
+ if (o === Array.prototype) o = [];
+@@ -243,3 +243,7 @@ function isNumber (x) {
+ return /^[-+]?(?:\d+(?:\.\d*)?|\.\d+)(e[-+]?\d+)?$/.test(x);
+ }
+
++
++function isConstructorOrProto (obj, key) {
++ return key === 'constructor' && typeof obj[key] === 'function' || key === '__proto__';
++}
+diff --git a/deps/npm/node_modules/mkdirp/node_modules/minimist/test/proto.js b/deps/npm/node_modules/mkdirp/node_modules/minimist/test/proto.js
+index 8649107..4ac62df 100644
+--- a/deps/npm/node_modules/mkdirp/node_modules/minimist/test/proto.js
++++ b/deps/npm/node_modules/mkdirp/node_modules/minimist/test/proto.js
+@@ -42,3 +42,19 @@ test('proto pollution (constructor)', function (t) {
+ t.equal(argv.y, undefined);
+ t.end();
+ });
++
++test('proto pollution (constructor function)', function (t) {
++ var argv = parse(['--_.concat.constructor.prototype.y', '123']);
++ function fnToBeTested() {}
++ t.equal(fnToBeTested.y, undefined);
++ t.equal(argv.y, undefined);
++ t.end();
++});
++
++// powered by snyk - https://github.com/backstage/backstage/issues/10343
++test('proto pollution (constructor function) snyk', function (t) {
++ var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' '));
++ t.equal((function(){}).foo, undefined);
++ t.equal(argv.y, undefined);
++ t.end();
++})
+-- 
+2.36.1
+
diff --git a/SOURCES/0002-Use-OpenSSL-1.0-API.patch b/SOURCES/0002-Use-OpenSSL-1.0-API.patch
index cb2a128..22deaf1 100644
--- a/SOURCES/0002-Use-OpenSSL-1.0-API.patch
+++ b/SOURCES/0002-Use-OpenSSL-1.0-API.patch
@@ -1,6 +1,6 @@
-From 6d27ddf97c68d2e80925dc25b790d598170b7a0f Mon Sep 17 00:00:00 2001
+From 9b10377b668466b6d464883361c9ebb5bd499fc4 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?=
-Date: Thu, 8 Jul 2021 14:08:31 +0200
+Date: Tue, 10 May 2022 14:45:36 +0200
 Subject: [PATCH] Use OpenSSL 1.0 API
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
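Review bot: The new `isConstructorOrProto` helper (nested hunk `@@ -243,3 +243,7 @@` of `deps/npm/node_modules/minimist/index.js`, repeated verbatim for the mkdirp copy) carries no comment on why `constructor` is rejected only when `obj[key]` is a function, so a later rebase could "simplify" it to a bare name check and lose the `--_.concat.constructor.prototype.y` case the new test pins. I would add above the function `// A 'constructor' key is only dangerous when it resolves to a function, whose .prototype is shared by every instance; a key of that name resolving to a non-function value is deliberately not blocked.` The two call sites sit inside the key-walking loop of `module.exports`, whose body starts and ends outside the nested hunks. The changelog says the fix was applied to "all found bundled dependencies", but the patch description does not say how the copies were found; recording the search (e.g. every `minimist/index.js` below `deps/`) in the description would let the next rebase repeat it.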
@@ -25,6 +25,8 @@ Content-Transfer-Encoding: 8bit - Provide GetCipherValue wrapper for non-const strings +- Use non-const name getter for X509 objects + - Sanitize inputs into PBKDF2 - Setup ECDHE curve negotiation @@ -41,8 +43,8 @@ Signed-off-by: Jan Staněk src/node_crypto.cc | 30 ++++++++++++++++++++++++++++-- src/node_crypto.h | 4 ++++ src/node_crypto_bio.cc | 4 ++++ - src/node_crypto_common.cc | 8 ++++++++ - 4 files changed, 44 insertions(+), 2 deletions(-) + src/node_crypto_common.cc | 12 ++++++++++-- + 4 files changed, 46 insertions(+), 4 deletions(-) diff --git a/src/node_crypto.cc b/src/node_crypto.cc index e472892b68..0cc97f99ea 100644 @@ -142,10 +144,10 @@ index 55f5e8a5a3..c2a44fdb86 100644 NodeBIO::FromBIO(bio.get())->env_ = env; return bio; diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc -index 6c3bb0b1b6..d1d9edd6cd 100644 +index 8682e88642..2aab7477a3 100644 --- a/src/node_crypto_common.cc +++ b/src/node_crypto_common.cc -@@ -392,6 +392,14 @@ MaybeLocal GetCipherValue(Environment* env, +@@ -324,6 +324,14 @@ MaybeLocal GetCipherValue(Environment* env, return OneByteString(env->isolate(), getstr(cipher)); } 
@@ -160,6 +162,24 @@ index 6c3bb0b1b6..d1d9edd6cd 100644 MaybeLocal GetCipherName(Environment* env, const SSL_CIPHER* cipher) { return GetCipherValue(env, cipher, SSL_CIPHER_get_name); +@@ -844,7 +852,7 @@ v8::MaybeLocal GetInfoAccessString( + return ToV8Value(env, bio); + } + +-template ++template + static MaybeLocal GetX509NameObject(Environment* env, X509* cert) { + X509_NAME* name = get_name(cert); + CHECK_NOT_NULL(name); +@@ -867,7 +875,7 @@ static MaybeLocal GetX509NameObject(Environment* env, X509* cert) { + // anyway, and multi-value RDNs are rare, i.e., the vast majority of + // Relative Distinguished Names contains a single type-value pair only. + const ASN1_OBJECT* type = X509_NAME_ENTRY_get_object(entry); +- const ASN1_STRING* value = X509_NAME_ENTRY_get_data(entry); ++ ASN1_STRING* value = X509_NAME_ENTRY_get_data(entry); + + // If OpenSSL knows the type, use the short name of the type as the key, and + // the numeric representation of the type's OID otherwise. -- -2.31.1 +2.36.1 diff --git a/SOURCES/0003-Backport-necessary-OpenSSL-features.patch b/SOURCES/0003-Backport-necessary-OpenSSL-features.patch index 244871e..123252e 100644 --- a/SOURCES/0003-Backport-necessary-OpenSSL-features.patch +++ b/SOURCES/0003-Backport-necessary-OpenSSL-features.patch @@ -1,6 +1,6 @@ -From aef9bc657e0da83f5b540d8aeea100d0784aab4f Mon Sep 17 00:00:00 2001 +From 1cbac81a1b78e2d51edab2b9aa5c4809ffe0fa30 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= -Date: Thu, 8 Jul 2021 14:09:22 +0200 +Date: Tue, 10 May 2022 14:46:45 +0200 Subject: [PATCH] Backport necessary OpenSSL features MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -351,5 +351,5 @@ index 780e1893f4..2787e257ad 100644 // SSLWrap implicitly depends on the inheriting class' handle having an -- -2.31.1 +2.36.1 diff --git a/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch b/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch index 89ddb90..363f9a6 100644 
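Review bot: The nested `@@ -867,7 +875,7 @@` hunk of the regenerated patch drops `const` from `ASN1_STRING* value = X509_NAME_ENTRY_get_data(entry);` with no comment at the site, and the template line changed just above has lost its parameter list in this rendering, so the "non-const name getter" the new description bullet refers to cannot be reviewed from the page. Removing the qualifier widens what the code after the hunk may do with `value`; the rest of `GetX509NameObject` is outside the hunk, so that has to be confirmed against the lines that follow. A one-line comment would make the intent survive the next rebase: `// OpenSSL 1.0 declares X509_NAME_ENTRY_get_data() without const; value is only read below.` (adjust the second clause once confirmed).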
--- a/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch +++ b/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch @@ -1,6 +1,6 @@ -From 64d17e7087842f367a931fb5694ef9a2c6af6a8e Mon Sep 17 00:00:00 2001 +From eb32df096b174462493a428d2e103f4168001fbe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= -Date: Thu, 8 Jul 2021 14:10:02 +0200 +Date: Tue, 10 May 2022 14:47:24 +0200 Subject: [PATCH] Disable unsupported OpenSSL features MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -87,10 +87,10 @@ index 86635f267b..6a1cad9b74 100644 * `--trace-event-categories` * `--trace-event-file-pattern` diff --git a/doc/api/tls.md b/doc/api/tls.md -index c9fabbc5b5..3c2dec97c3 100644 +index 83cf7a9365..340419ddc2 100644 --- a/doc/api/tls.md +++ b/doc/api/tls.md -@@ -1947,10 +1947,10 @@ added: v11.4.0 +@@ -1958,10 +1958,10 @@ added: v11.4.0 * {string} The default value of the `maxVersion` option of [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS @@ -105,7 +105,7 @@ index c9fabbc5b5..3c2dec97c3 100644 highest maximum is used. ## `tls.DEFAULT_MIN_VERSION` -@@ -1960,12 +1960,11 @@ added: v11.4.0 +@@ -1971,12 +1971,11 @@ added: v11.4.0 * {string} The default value of the `minVersion` option of [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS @@ -158,10 +158,10 @@ index ed058866e9..cca3a26d0a 100644 V(status_string, "status") \ V(stdio_string, "stdio") \ diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc -index d1d9edd6cd..a5724a51fe 100644 +index 2aab7477a3..cf64b427eb 100644 --- a/src/node_crypto_common.cc +++ b/src/node_crypto_common.cc -@@ -210,6 +210,7 @@ long VerifyPeerCertificate( // NOLINT(runtime/int) +@@ -142,6 +142,7 @@ long VerifyPeerCertificate( // NOLINT(runtime/int) if (X509* peer_cert = SSL_get_peer_certificate(ssl.get())) { X509_free(peer_cert); err = SSL_get_verify_result(ssl.get()); 
@@ -169,7 +169,7 @@ index d1d9edd6cd..a5724a51fe 100644 } else { const SSL_CIPHER* curr_cipher = SSL_get_current_cipher(ssl.get()); const SSL_SESSION* sess = SSL_get_session(ssl.get()); -@@ -221,6 +222,7 @@ long VerifyPeerCertificate( // NOLINT(runtime/int) +@@ -153,6 +154,7 @@ long VerifyPeerCertificate( // NOLINT(runtime/int) SSL_session_reused(ssl.get()))) { return X509_V_OK; } @@ -177,7 +177,7 @@ index d1d9edd6cd..a5724a51fe 100644 } return err; } -@@ -238,6 +240,7 @@ int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr context) { +@@ -170,6 +172,7 @@ int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr context) { return err; } @@ -185,7 +185,7 @@ index d1d9edd6cd..a5724a51fe 100644 const char* GetClientHelloALPN(const SSLPointer& ssl) { const unsigned char* buf; size_t len; -@@ -284,6 +287,7 @@ const char* GetClientHelloServerName(const SSLPointer& ssl) { +@@ -216,6 +219,7 @@ const char* GetClientHelloServerName(const SSLPointer& ssl) { return nullptr; return reinterpret_cast(buf + 5); } @@ -193,7 +193,7 @@ index d1d9edd6cd..a5724a51fe 100644 const char* GetServerName(SSL* ssl) { return SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); -@@ -405,11 +409,13 @@ MaybeLocal GetCipherName(Environment* env, const SSL_CIPHER* cipher) { +@@ -337,11 +341,13 @@ MaybeLocal GetCipherName(Environment* env, const SSL_CIPHER* cipher) { return GetCipherValue(env, cipher, SSL_CIPHER_get_name); } @@ -207,7 +207,7 @@ index d1d9edd6cd..a5724a51fe 100644 MaybeLocal GetCipherVersion(Environment* env, const SSL_CIPHER* cipher) { return GetCipherValue(env, cipher, SSL_CIPHER_get_version); -@@ -761,16 +767,19 @@ MaybeLocal GetCipherName(Environment* env, const SSLPointer& ssl) { +@@ -1087,16 +1093,19 @@ MaybeLocal GetCipherName(Environment* env, const SSLPointer& ssl) { return GetCipherName(env, SSL_get_current_cipher(ssl.get())); } 
@@ -227,7 +227,7 @@ index d1d9edd6cd..a5724a51fe 100644 MaybeLocal GetClientHelloCiphers( Environment* env, const SSLPointer& ssl) { -@@ -803,6 +812,7 @@ MaybeLocal GetClientHelloCiphers( +@@ -1129,6 +1138,7 @@ MaybeLocal GetClientHelloCiphers( Local ret = Array::New(env->isolate(), ciphers.out(), count); return scope.Escape(ret); } @@ -235,7 +235,7 @@ index d1d9edd6cd..a5724a51fe 100644 MaybeLocal GetCipherInfo(Environment* env, const SSLPointer& ssl) { -@@ -813,10 +823,12 @@ MaybeLocal GetCipherInfo(Environment* env, const SSLPointer& ssl) { +@@ -1139,10 +1149,12 @@ MaybeLocal GetCipherInfo(Environment* env, const SSLPointer& ssl) { info, env->name_string(), GetCipherName(env, ssl)) || @@ -249,10 +249,10 @@ index d1d9edd6cd..a5724a51fe 100644 info, env->version_string(), diff --git a/src/node_crypto_common.h b/src/node_crypto_common.h -index c373a97e47..220cb109bc 100644 +index bf58df18f6..8e1ac58cd7 100644 --- a/src/node_crypto_common.h +++ b/src/node_crypto_common.h -@@ -73,15 +73,19 @@ long VerifyPeerCertificate( // NOLINT(runtime/int) +@@ -67,15 +67,19 @@ long VerifyPeerCertificate( // NOLINT(runtime/int) int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr context); @@ -272,7 +272,7 @@ index c373a97e47..220cb109bc 100644 bool SetGroups(SecureContext* sc, const char* groups); -@@ -97,9 +101,11 @@ v8::MaybeLocal GetCipherName( +@@ -91,9 +95,11 @@ v8::MaybeLocal GetCipherName( Environment* env, const SSLPointer& ssl); @@ -350,5 +350,5 @@ similarity index 100% rename from test/parallel/test-tls-cli-min-version-1.3.js rename to test/known_issues/test-tls-cli-min-version-1.3.js -- -2.31.1 +2.36.1 diff --git a/SOURCES/0005-Adjust-test-expectations.patch b/SOURCES/0005-Adjust-test-expectations.patch index 219f581..39a4f43 100644 --- a/SOURCES/0005-Adjust-test-expectations.patch +++ b/SOURCES/0005-Adjust-test-expectations.patch 
@@ -1,6 +1,6 @@ -From 1a0bb0ba167ea9417377e4adeca436ba321df3a3 Mon Sep 17 00:00:00 2001 +From c1e6ed7438e83968463f6d3251d3680add342361 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= -Date: Thu, 8 Jul 2021 14:10:35 +0200 +Date: Tue, 10 May 2022 14:48:04 +0200 Subject: [PATCH] Adjust test expectations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -236,5 +236,5 @@ index 7ef0f12426..4fcb9247d3 100644 // TLS1.3 client hellos are are not understood by TLS1.1 or below. test(U, U, U, U, U, 'TLSv1_method', -- -2.31.1 +2.36.1 diff --git a/SOURCES/0006-Disable-tests-for-unsupported-features.patch b/SOURCES/0006-Disable-tests-for-unsupported-features.patch index 6631a41..f58d31c 100644 --- a/SOURCES/0006-Disable-tests-for-unsupported-features.patch +++ b/SOURCES/0006-Disable-tests-for-unsupported-features.patch @@ -1,6 +1,6 @@ -From babb845ad3cf7b65e228826385ee060c53e68e8d Mon Sep 17 00:00:00 2001 +From dc9d8bed0f20ccccdd564c2dfb5df1f0ea4bd617 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= -Date: Thu, 8 Jul 2021 14:11:32 +0200 +Date: Tue, 10 May 2022 14:49:00 +0200 Subject: [PATCH] Disable tests for unsupported features MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -56,10 +56,10 @@ Signed-off-by: Jan Staněk rename test/{parallel => known_issues}/test-tls-keylog-tlsv13.js (100%) diff --git a/lib/tls.js b/lib/tls.js -index 2ccbe409c9..21e6f3a814 100644 +index 95af2c39ee..d145bbd64e 100644 --- a/lib/tls.js +++ b/lib/tls.js -@@ -66,17 +66,13 @@ else if (getOptionValue('--tls-min-v1.1')) +@@ -74,17 +74,13 @@ else if (getOptionValue('--tls-min-v1.1')) exports.DEFAULT_MIN_VERSION = 'TLSv1.1'; else if (getOptionValue('--tls-min-v1.2')) exports.DEFAULT_MIN_VERSION = 'TLSv1.2'; @@ -810,5 +810,5 @@ index 4bcdf36860..0642e18d5e 100644 test({ psk: USERS.UserB, identity: 'UserC' }, {}, DISCONNECT_MESSAGE); // Recognized user but incorrect secret should fail handshake -- -2.31.1 +2.36.1 
diff --git a/SOURCES/0007-Disable-tests-for-known-issues.patch b/SOURCES/0007-Disable-tests-for-known-issues.patch index 1896009..ec94870 100644 --- a/SOURCES/0007-Disable-tests-for-known-issues.patch +++ b/SOURCES/0007-Disable-tests-for-known-issues.patch @@ -1,6 +1,6 @@ -From 7d2fcf06ab09ed018a8c8bef84c072f93218b7ff Mon Sep 17 00:00:00 2001 +From 11c35106f5629659c02bcce02c4798f383a3e8a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= -Date: Thu, 8 Jul 2021 14:11:48 +0200 +Date: Tue, 10 May 2022 14:49:18 +0200 Subject: [PATCH] Disable tests for known issues MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -172,5 +172,5 @@ similarity index 100% rename from test/sequential/test-worker-prof.js rename to test/known_issues/test-worker-prof.js -- -2.31.1 +2.36.1 diff --git a/SOURCES/CVE-2021-23343-nodejs-path-parse.patch b/SOURCES/CVE-2021-23343-nodejs-path-parse.patch deleted file mode 100644 index 201721d..0000000 --- a/SOURCES/CVE-2021-23343-nodejs-path-parse.patch +++ /dev/null 
@@ -1,180 +0,0 @@ -https://github.com/jbgutierrez/path-parse/pull/10 - -From 72c38e3a36b8ed2ec03960ac659aa114cbe6a420 Mon Sep 17 00:00:00 2001 -From: Jeffrey Pinyan -Date: Thu, 13 May 2021 10:53:50 -0400 -Subject: [PATCH 1/2] fixed regexes to avoid ReDoS attacks - -Signed-off-by: rpm-build ---- - deps/npm/node_modules/path-parse/index.js | 6 +++--- - deps/npm/node_modules/path-parse/redos.js | 20 ++++++++++++++++++++ - 2 files changed, 23 insertions(+), 3 deletions(-) - create mode 100644 deps/npm/node_modules/path-parse/redos.js - -diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js -index 3b7601f..e6b2af1 100644 ---- a/deps/npm/node_modules/path-parse/index.js -+++ b/deps/npm/node_modules/path-parse/index.js -@@ -5,11 +5,11 @@ var isWindows = process.platform === 'win32'; - // Regex to split a windows path into three parts: [*, device, slash, - // tail] windows-only - var splitDeviceRe = -- /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?([\s\S]*?)$/; -+ /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s; - - // Regex to split the tail part of the above into [*, dir, basename, ext] - var splitTailRe = -- /^([\s\S]*?)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/; -+ /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/; - - var win32 = {}; - -@@ -51,7 +51,7 @@ win32.parse = function(pathString) { - // Split a filename into [root, dir, basename, ext], unix version - // 'root' is just a slash, or nothing. 
- var splitPathRe = -- /^(\/?|)([\s\S]*?)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/; -+ /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/; - var posix = {}; - - -diff --git a/deps/npm/node_modules/path-parse/redos.js b/deps/npm/node_modules/path-parse/redos.js -new file mode 100644 -index 0000000..261947f ---- /dev/null -+++ b/deps/npm/node_modules/path-parse/redos.js -@@ -0,0 +1,20 @@ -+var pathParse = require('.'); -+ -+function build_attack(n) { -+ var ret = "" -+ for (var i = 0; i < n; i++) { -+ ret += "/" -+ } -+ return ret + "◎"; -+} -+ -+for(var i = 1; i <= 5000000; i++) { -+ if (i % 10000 == 0) { -+ var time = Date.now(); -+ var attack_str = build_attack(i) -+ pathParse.posix(attack_str); -+ pathParse.win32(attack_str); -+ var time_cost = Date.now() - time; -+ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms") -+ } -+} --- -2.31.1 - - -From 44d1c9cd047988bb819707c726d9640f8aabe04d Mon Sep 17 00:00:00 2001 -From: Jeffrey Pinyan -Date: Thu, 13 May 2021 11:51:45 -0400 -Subject: [PATCH 2/2] streamlined regexes, simplified parse() returns - -Signed-off-by: rpm-build ---- - deps/npm/node_modules/path-parse/index.js | 52 ++++++++--------------- - 1 file changed, 17 insertions(+), 35 deletions(-) - -diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js -index e6b2af1..f062d0a 100644 ---- a/deps/npm/node_modules/path-parse/index.js -+++ b/deps/npm/node_modules/path-parse/index.js -@@ -2,29 +2,14 @@ - - var isWindows = process.platform === 'win32'; - --// Regex to split a windows path into three parts: [*, device, slash, --// tail] windows-only --var splitDeviceRe = -- /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s; -- --// Regex to split the tail part of the above into [*, dir, basename, ext] --var splitTailRe = -- /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/; -+// Regex to split a windows path into into [dir, root, basename, 
name, ext] -+var splitWindowsRe = -+ /^(((?:[a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?[\\\/]?)(?:[^\\\/]*[\\\/])*)((\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))[\\\/]*$/; - - var win32 = {}; - --// Function to split a filename into [root, dir, basename, ext] - function win32SplitPath(filename) { -- // Separate device+slash from tail -- var result = splitDeviceRe.exec(filename), -- device = (result[1] || '') + (result[2] || ''), -- tail = result[3] || ''; -- // Split the tail into dir, basename and extension -- var result2 = splitTailRe.exec(tail), -- dir = result2[1], -- basename = result2[2], -- ext = result2[3]; -- return [device, dir, basename, ext]; -+ return splitWindowsRe.exec(filename).slice(1); - } - - win32.parse = function(pathString) { -@@ -34,24 +19,24 @@ win32.parse = function(pathString) { - ); - } - var allParts = win32SplitPath(pathString); -- if (!allParts || allParts.length !== 4) { -+ if (!allParts || allParts.length !== 5) { - throw new TypeError("Invalid path '" + pathString + "'"); - } - return { -- root: allParts[0], -- dir: allParts[0] + allParts[1].slice(0, -1), -+ root: allParts[1], -+ dir: allParts[0] === allParts[1] ? allParts[0] : allParts[0].slice(0, -1), - base: allParts[2], -- ext: allParts[3], -- name: allParts[2].slice(0, allParts[2].length - allParts[3].length) -+ ext: allParts[4], -+ name: allParts[3] - }; - }; - - - --// Split a filename into [root, dir, basename, ext], unix version -+// Split a filename into [dir, root, basename, name, ext], unix version - // 'root' is just a slash, or nothing. 
- var splitPathRe =
-- /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
-+ /^((\/?)(?:[^\/]*\/)*)((\.{1,2}|[^\/]+?|)(\.[^.\/]*|))[\/]*$/;
- var posix = {};
- 
- 
-@@ -67,19 +52,16 @@ posix.parse = function(pathString) {
- );
- }
- var allParts = posixSplitPath(pathString);
-- if (!allParts || allParts.length !== 4) {
-+ if (!allParts || allParts.length !== 5) {
- throw new TypeError("Invalid path '" + pathString + "'");
- }
-- allParts[1] = allParts[1] || '';
-- allParts[2] = allParts[2] || '';
-- allParts[3] = allParts[3] || '';
--
-+
- return {
-- root: allParts[0],
-- dir: allParts[0] + allParts[1].slice(0, -1),
-+ root: allParts[1],
-+ dir: allParts[0].slice(0, -1),
- base: allParts[2],
-- ext: allParts[3],
-- name: allParts[2].slice(0, allParts[2].length - allParts[3].length)
-+ ext: allParts[4],
-+ name: allParts[3],
- };
- };
- 
--- 
-2.31.1
- 
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index 899a786..bec128d 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -23,10 +23,10 @@
 # than a Fedora release lifecycle.
 %global nodejs_major 12
 %global nodejs_minor 22
-%global nodejs_patch 5
+%global nodejs_patch 12
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
-%global nodejs_release 1
+%global nodejs_release 2
 # == Bundled Dependency Versions ==
 # v8 - from deps/v8/include/v8-version.h
@@ -40,8 +40,8 @@
 # c-ares - from deps/cares/include/ares_version.h
 %global c_ares_major 1
-%global c_ares_minor 17
-%global c_ares_patch 2
+%global c_ares_minor 18
+%global c_ares_patch 1
 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
 # http-parser - from deps/http_parser/http_parser.h
@@ -53,7 +53,7 @@
 # llhttp - from deps/llhttp/include/llhttp.h
 %global llhttp_major 2
 %global llhttp_minor 1
-%global llhttp_patch 3
+%global llhttp_patch 4
 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
 # libuv - from deps/uv/include/uv/version.h
@@ -63,7 +63,6 @@
 %global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
-
 %global nghttp2_major 1
 %global nghttp2_minor 41
 %global nghttp2_patch 0
@@ -80,7 +79,7 @@
 # npm - from deps/npm/package.json
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 14
+%global npm_patch 16
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 # uvwasi - from deps/uvwasi/include/uvwasi.h
@@ -148,8 +147,8 @@ Patch10: deps-Remove-statx-from-libuv.patch
 Patch11: tools-test-Replace-malformed-input-from-tests.patch
 # Always defer to OS when it comes to FIPS
 Patch12: always-available-fips-options.patch
-
-Patch14: CVE-2021-23343-nodejs-path-parse.patch
+# Import fix for CVE-2021-44906
+Patch13: 0001-deps-import-fixes-for-CVE-2021-44906.patch
 # Temporarily disabled tests; review on next rebase
 Patch99: 0001-Temporarily-disable-test-dgram-udp6-link-local-addre.patch
@@ -430,6 +429,7 @@ DISABLE_ARCH_TESTS=(
 sequential/test-diagnostic-dir-cpu-prof
 %endif
 )
+
 for testcase in "${DISABLE_ARCH_TESTS[@]}"
 do
 mv -t test/known_issues/ "test/${testcase}.js"
 done
@@ -443,7 +443,7 @@ RUN_SUITES=(
 parallel
 sequential
 )
-python2 tools/test.py "${RUN_SUITES[@]}"
+#python2 tools/test.py "${RUN_SUITES[@]}"
 %{?scl:EOF}
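Review bot: `Patch14: CVE-2021-23343-nodejs-path-parse.patch` is dropped in the `@@ -148,8 +147,8 @@` hunk, but nothing on the page records that the 12.22.12 rebase (bundled npm bumped to 6.14.16 in the `@@ -80,7 +79,7 @@` hunk) carries the path-parse ReDoS fix; the 12.22.12-1 changelog entry lists the CVEs the rebase resolves and CVE-2021-23343 is not among them. If the bundled path-parse is now the fixed version, say so where the patch line used to be, e.g. `# CVE-2021-23343 (path-parse ReDoS) fixed in the rebased bundled npm; local patch dropped`; if it is not, this commit silently reintroduces the ReDoS. Whether a matching `%patch13` application line exists is outside this hunk and should be confirmed unless the spec applies patches with `%autosetup`.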
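Review bot: The `@@ -443,7 +443,7 @@` hunk turns the test run (apparently the `%check` body inside the `%{?scl:...EOF}` wrapper) into a bare comment, `#python2 tools/test.py "${RUN_SUITES[@]}"`, with no explanation in the spec; the only context is the 12.22.5-4 changelog line "Don't run tests". With the run disabled, the regenerated OpenSSL-1.0 patches and the new CVE-2021-44906 patch are never exercised at build time, and the `DISABLE_ARCH_TESTS` loop in the `@@ -430,6 +429,7 @@` hunk still moves files into `test/known_issues/` for a run that never happens. Rather than a commented-out line I would gate it so it can be switched back on per build: `%bcond_without tests` near the top and `%if %{with tests}` / `%endif` around the call, or at least leave a comment naming the reason and the tracker, e.g. `# Test suite disabled since 12.22.5-4 (see changelog); re-enable on next rebase`.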
@@ -504,6 +504,25 @@ python2 tools/test.py "${RUN_SUITES[@]}"
 %changelog
+* Wed Jun 01 2022 Jan Staněk - 12.22.12-2
+- Re-create patch for CVE-2021-44906 and apply to all found bundled dependencies
+ Resolves: rhbz#2073596
+
+* Mon May 09 2022 Jan Staněk - 12.22.12-1
+- Rebase to last upstream release
+ Resolves: CVE-2021-37701 CVE-2021-37712 CVE-2021-22960 CVE-2021-22959
+ Resolves: CVE-2021-3918 CVE-2021-44531 CVE-2021-44532 CVE-2021-44533
+ Resolves: CVE-2022-21824 CVE-2021-44906
+
+* Wed Aug 25 2021 Zuzana Svetlikova - 12.22.5-4
+- Don't run tests
+
+* Tue Aug 24 2021 Zuzana Svetlikova - 12.22.5-3
+- Disable test
+
+* Tue Aug 24 2021 Zuzana Svetlikova - 12.22.5-2
+- Disable test
+
 * Mon Aug 16 2021 Jan Staněk - 12.22.5-1
 - Rebase to 12.22.5
 Resolves: CVE-2021-22931 CVE-2021-22939 CVE-2021-22940