From 3de537a377448d067e28ff21b7e4dd036f96abfe Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jan 06 2022 18:29:01 +0000
Subject: import rh-nodejs14-nodejs-nodemon-2.0.3-6.el7
---
diff --git a/SOURCES/0005-dep-ansi-regex-fix-potential-ReDoS.patch b/SOURCES/0005-dep-ansi-regex-fix-potential-ReDoS.patch
new file mode 100644
index 0000000..a3b9795
--- /dev/null
+++ b/SOURCES/0005-dep-ansi-regex-fix-potential-ReDoS.patch
@@ -0,0 +1,59 @@
+From 03704852379d943e3252f6bfa5978d5485b8b10b Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Mon, 13 Dec 2021 12:18:27 +0100
+Subject: [PATCH] dep(ansi-regex): fix potential ReDoS
+
+This is application of upstream patch [1] to all bundled deps.
+
+[1]: https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9
+
+Fixes: CVE-2021-3807
+Signed-off-by: rpm-build
+---
+ node_modules/ansi-align/node_modules/ansi-regex/index.js | 2 +-
+ node_modules/boxen/node_modules/ansi-regex/index.js | 2 +-
+ node_modules/widest-line/node_modules/ansi-regex/index.js | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/node_modules/ansi-align/node_modules/ansi-regex/index.js b/node_modules/ansi-align/node_modules/ansi-regex/index.js
+index c254480..f4d035c 100644
+--- a/node_modules/ansi-align/node_modules/ansi-regex/index.js
++++ b/node_modules/ansi-align/node_modules/ansi-regex/index.js
+@@ -6,7 +6,7 @@ module.exports = options => {
+ }, options);
+ 
+ const pattern = [
+- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
++ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+ '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
+ ].join('|');
+ 
+diff --git a/node_modules/boxen/node_modules/ansi-regex/index.js b/node_modules/boxen/node_modules/ansi-regex/index.js
+index 35054aa..624d38b 100644
+--- a/node_modules/boxen/node_modules/ansi-regex/index.js
++++ b/node_modules/boxen/node_modules/ansi-regex/index.js
+@@ -2,7 +2,7 @@
+ 
+ module.exports = ({onlyFirst = false} = {}) => {
+ const pattern = [
+- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
++ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+ '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
+ ].join('|');
+ 
+diff --git a/node_modules/widest-line/node_modules/ansi-regex/index.js b/node_modules/widest-line/node_modules/ansi-regex/index.js
+index 35054aa..624d38b 100644
+--- a/node_modules/widest-line/node_modules/ansi-regex/index.js
++++ b/node_modules/widest-line/node_modules/ansi-regex/index.js
+@@ -2,7 +2,7 @@
+ 
+ module.exports = ({onlyFirst = false} = {}) => {
+ const pattern = [
+- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)*)?\\u0007)',
++ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+ '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
+ ].join('|');
+ 
+-- 
+2.33.1
+
diff --git a/SPECS/nodejs-nodemon.spec b/SPECS/nodejs-nodemon.spec
index 5972f6c..e051a8e 100644
--- a/SPECS/nodejs-nodemon.spec
+++ b/SPECS/nodejs-nodemon.spec
@@ -9,7 +9,7 @@ Name: %{?scl_prefix}nodejs-%{npm_name}
 Version: 2.0.3
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: Simple monitor script for use during development of a node.js app
 License: MIT
 URL: https://github.com/remy/nodemon
@@ -19,6 +19,7 @@ Patch0: 0001-fix-redirect-help.patch
 Patch1: 0002-Fix-ReDoS-for-data-URLs.patch
 Patch2: 0003-fix-eliminate-ReDoS-36.patch
 Patch4: 0004-do-not-allow-invalid-hazardous-string-as-section-nam.patch
+Patch5: 0005-dep-ansi-regex-fix-potential-ReDoS.patch
 BuildRequires: %{?scl_prefix}nodejs-devel
 BuildRequires: %{?scl_prefix}npm
@@ -81,6 +82,10 @@ npm run test
 %{_bindir}/nodemon
 %changelog
+* Mon Dec 13 2021 Jan Staněk - 2.0.3-6
+- Address potential ReDoS in ansi-regex (CVE-2021-3807)
+ Resolves: rhbz#2013833
+
 * Tue Aug 17 2021 Jan Staněk - 2.0.3-5
 - Rebuild with the previous fix correctly applied
 Related: rhbz#1991323
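Review bot: The patch hard-codes three bundled copies of ansi-regex (ansi-align, boxen and widest-line, per its diffstat), but nothing in the commit verifies that these are the only copies in the bundled node_modules tree, so any further nested copy still carrying the pre-fix `[a-zA-Z\\d]*(?:;…)*` pattern would ship unpatched. The bundle tarball is not visible here, so I can't confirm the set is complete; a cheap build-time guard in `%check` is `! grep -rlF '[a-zA-Z\\d]*(?:;' --include=index.js node_modules`, which fails the build as soon as a copy with the vulnerable fragment reappears after a rebase. Note also that the three files are different ansi-regex releases (the first takes `options`, the other two destructure `{onlyFirst = false}`), so the same replacement line should be re-validated against each copy's version rather than carried forward blindly.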
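Review bot: `Patch5:` is declared in the second hunk, but whether it is actually applied depends on the `%prep` section, which is outside this diff (either an explicit `%patch5 -p1` or an `%autosetup -p1`), and the existing 2.0.3-5 changelog entry `Rebuild with the previous fix correctly applied` shows this package has already shipped a declared-but-unapplied fix once. Worth confirming that `%prep` applies Patch5 in this import, and adding `%patch5 -p1` if the spec lists patches individually. A small `%check` regression test that exercises the patched ansi-regex pattern on the kind of pathological input CVE-2021-3807 describes, under a timeout, would catch a silently-unapplied patch on future rebuilds.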