diff --git a/.gitignore b/.gitignore
index 08911b0..5023da7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/nodemon-v2.0.19-bundled.tar.gz
+SOURCES/nodemon-v2.0.20-bundled.tar.gz
diff --git a/.rh-nodejs14-nodejs-nodemon.metadata b/.rh-nodejs14-nodejs-nodemon.metadata
index ebea1f0..2b8c5db 100644
--- a/.rh-nodejs14-nodejs-nodemon.metadata
+++ b/.rh-nodejs14-nodejs-nodemon.metadata
@@ -1 +1 @@
-eb0c6a31054c1739d10bd491295394686429d75c SOURCES/nodemon-v2.0.19-bundled.tar.gz
+c7b270296bf6f24f7611d0c41b3a3381f972abc8 SOURCES/nodemon-v2.0.20-bundled.tar.gz
diff --git a/SOURCES/0001-fix-Resolve-ReDoS-vulnerability-from-CVE-2021-35065-.patch b/SOURCES/0001-fix-Resolve-ReDoS-vulnerability-from-CVE-2021-35065-.patch
new file mode 100644
index 0000000..2594192
--- /dev/null
+++ b/SOURCES/0001-fix-Resolve-ReDoS-vulnerability-from-CVE-2021-35065-.patch
@@ -0,0 +1,62 @@
+From 3bfdb3d4a33d950ae1c2438a83bb69ef48671e54 Mon Sep 17 00:00:00 2001
+From: Takayuki Sato
+Date: Tue, 20 Jul 2021 14:46:33 +0900
+Subject: [PATCH] fix: Resolve ReDoS vulnerability from CVE-2021-35065 (#49)
+
+Signed-off-by: rpm-build
+---
+ node_modules/glob-parent/index.js | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/node_modules/glob-parent/index.js b/node_modules/glob-parent/index.js
+index 09e257e..b182190 100644
+--- a/node_modules/glob-parent/index.js
++++ b/node_modules/glob-parent/index.js
+@@ -6,7 +6,6 @@ var isWin32 = require('os').platform() === 'win32';
+ 
+ var slash = '/';
+ var backslash = /\\/g;
+-var enclosure = /[\{\[].*[\}\]]$/;
+ var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
+ var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g;
+ 
+@@ -25,7 +24,7 @@ module.exports = function globParent(str, opts) {
+ }
+ 
+ // special case for strings ending in enclosure containing path separator
+- if (enclosure.test(str)) {
++ if (isEnclosure(str)) {
+ str += slash;
+ }
+ 
+@@ -40,3 +39,27 @@ module.exports = function globParent(str, opts) {
+ // remove escape chars and return result
+ return str.replace(escaped, '$1');
+ };
++
++
++function isEnclosure(str) {
++ var lastChar = str.slice(-1)
++
++ var enclosureStart;
++ switch (lastChar) {
++ case '}':
++ enclosureStart = '{';
++ break;
++ case ']':
++ enclosureStart = '[';
++ break;
++ default:
++ return false;
++ }
++
++ var foundIndex = str.indexOf(enclosureStart);
++ if (foundIndex < 0) {
++ return false;
++ }
++
++ return str.slice(foundIndex + 1, -1).includes(slash);
++}
+-- 
+2.39.0
+
diff --git a/SPECS/nodejs-nodemon.spec b/SPECS/nodejs-nodemon.spec
index 23fcdcd..c64c81d 100644
--- a/SPECS/nodejs-nodemon.spec
+++ b/SPECS/nodejs-nodemon.spec
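Review bot: The patch header records only the upstream commit hash `3bfdb3d4a33d950ae1c2438a83bb69ef48671e54` and the PR number `(#49)`, and the `From:` line has lost its e-mail address, so the provenance of this security backport is hard to audit at the next rebase; add a header line such as `Upstream: <upstream repository URL and commit>` (placeholder) above `Signed-off-by: rpm-build`. The fix replaces the backtracking-prone `enclosure` regex with a linear scan (`slice`/`indexOf`/`includes`), which is what removes the ReDoS, but it also changes behaviour: the new `isEnclosure` requires the closing bracket to match the type of the first opening one and a `/` between them, whereas the old regex `/[\{\[].*[\}\]]$/` accepted any `{`/`[` … `}`/`]` pair with anything in between, so a build-time test of globParent on such inputs would catch regressions in callers. `var lastChar = str.slice(-1)` lacks a semicolon; keep it verbatim so the patch stays byte-identical to upstream rather than fixing it here. The patch path `node_modules/glob-parent/index.js` assumes that directory sits at the root of the unpacked bundle and is the only copy of glob-parent in the tarball; a nested copy under another dependency's `node_modules` would remain unpatched, which is worth verifying against the bundle contents.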
@@ -8,13 +8,15 @@ %bcond_with tests
 Name: %{?scl_prefix}nodejs-%{npm_name}
-Version: 2.0.19
-Release: 1%{?dist}
+Version: 2.0.20
+Release: 2%{?dist}
 Summary: Simple monitor script for use during development of a node.js app
 License: MIT
 URL: https://github.com/remy/nodemon
 Source0: %{npm_name}-v%{version}-bundled.tar.gz
+Patch1: 0001-fix-Resolve-ReDoS-vulnerability-from-CVE-2021-35065-.patch
+
 BuildRequires: %{?scl_prefix}nodejs-devel
 BuildRequires: %{?scl_prefix}npm
@@ -76,6 +78,14 @@ npm run test
 %{_bindir}/nodemon
 %changelog
+* Thu Jan 19 2023 Jan Staněk - 2.0.20-2
+- Backport patches for additional CVEs
+ Resolves: CVE-2021-44906 CVE-2021-35065
+
+* Fri Nov 18 2022 Jan Staněk - 2.0.20-1
+- Rebase to 2.0.20
+ Resolves: CVE-2022-3517
+
 * Tue Jul 19 2022 Jan Staněk - 2.0.19-1
 - Rebase to version 2.0.19
  Resolves: CVE-2022-33987
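Review bot: `Patch1:` is declared but no matching change to `%prep` appears in this diff, and `%prep` lies outside the hunk; unless it already uses `%autosetup -p1`, a `%patch1 -p1` line is needed, because rpmbuild does not fail on a declared-but-unapplied patch (rpmlint only warns with patch-not-applied) and the built package would still ship the vulnerable regex. The 2.0.20-2 changelog entry claims to resolve both CVE-2021-44906 and CVE-2021-35065, yet the commit adds only the CVE-2021-35065 patch, so either a second patch is missing from this commit or the entry overstates the fix; if the 2.0.20 bundle already carries the fix for the other CVE, the entry should say so. Consider recording the patch's origin in a comment above the tag, e.g. `# Backport of upstream glob-parent commit 3bfdb3d4a33d950ae1c2438a83bb69ef48671e54 (CVE-2021-35065)`, so the next rebase can decide whether to drop it.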