From da7774ac08b0ed17cd194d2d69f1b6d427d0417f Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Apr 12 2023 14:51:24 +0000
Subject: import rh-nodejs14-nodejs-14.21.3-2.el7
---
diff --git a/.gitignore b/.gitignore
index 4b97fd1..aa2738c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,5 @@
 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 SOURCES/icu4c-70_1-src.tgz
 SOURCES/node-ssl-shim-70e39fd.tar.gz
-SOURCES/node-v14.21.1-stripped.tar.gz
+SOURCES/node-v14.21.3-stripped.tar.gz
 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
diff --git a/.rh-nodejs14-nodejs.metadata b/.rh-nodejs14-nodejs.metadata
index 6b296f9..b370ec4 100644
--- a/.rh-nodejs14-nodejs.metadata
+++ b/.rh-nodejs14-nodejs.metadata
@@ -1,5 +1,5 @@
 6976e77068429bd0b47b573793289e065ceb6b27 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 f7c1363edee6be7de8b624ffbb801892b3417d4e SOURCES/icu4c-70_1-src.tgz
 a49b02166a7bdba54fb45cba26a18fa48928ca0e SOURCES/node-ssl-shim-70e39fd.tar.gz
-2812a06625a63430d5f36ce9019cc2df321956e6 SOURCES/node-v14.21.1-stripped.tar.gz
+c01e6a3dbb6a9a6a117a4c9cda31f8c925170400 SOURCES/node-v14.21.3-stripped.tar.gz
 8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
diff --git a/SOURCES/deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch b/SOURCES/deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
new file mode 100644
index 0000000..c81988f
--- /dev/null
+++ b/SOURCES/deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
@@ -0,0 +1,52 @@
+From 58725d71e4306c83a474d6c3035e72580d0c4592 Mon Sep 17 00:00:00 2001
+From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
+Date: Wed, 18 Jan 2023 22:14:26 +0800
+Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid
+ stack overflow (#497)
+
+In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
+the input str and initialize a sortlist configuration.
+
+However, ares_set_sortlist has not any checks about the validity of the input str.
+It is very easy to create an arbitrary length stack overflow with the unchecked
+`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
+statements in the config_sortlist call, which could potentially cause severe
+security impact in practical programs.
+
+This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
+potential stack overflows.
+
+fixes #496
+
+Fix By: @hopper-vul
+
+Signed-off-by: rpm-build
+---
+ deps/cares/src/lib/ares_init.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c
+index de5d86c..d5858f6 100644
+--- a/deps/cares/src/lib/ares_init.c
++++ b/deps/cares/src/lib/ares_init.c
+@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+ q = str;
+ while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
+ q++;
++ if (q-str >= 16)
++ return ARES_EBADSTR;
+ memcpy(ipbuf, str, q-str);
+ ipbuf[q-str] = '\0';
+ /* Find the prefix */
+@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+ const char *str2 = q+1;
+ while (*q && *q != ';' && !ISSPACE(*q))
+ q++;
++ if (q-str >= 32)
++ return ARES_EBADSTR;
+ memcpy(ipbufpfx, str, q-str);
+ ipbufpfx[q-str] = '\0';
+ str = str2;
+--
+2.39.2
+
diff --git a/SOURCES/deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch b/SOURCES/deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
new file mode 100644
index 0000000..9fa4284
--- /dev/null
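Review bot: The two new guards in config_sortlist hard-code the limits 16 and 32 even though the buffers they protect, ipbuf and ipbufpfx, are declared outside this hunk, so nothing in the patch ties the bound to the real array size and a later resize of either buffer would silently reopen the overflow the patch is closing. Assuming both are fixed-size local arrays (the commit message calls them stack buffers), derive the bound from the buffer itself: `if (q-str >= (ptrdiff_t)sizeof ipbuf) return ARES_EBADSTR;` and `if (q-str >= (ptrdiff_t)sizeof ipbufpfx) return ARES_EBADSTR;`, the cast keeping the comparison of a pointer difference against a size_t free of signed/unsigned surprises. A one-line comment such as `/* leave room for the terminating '\0' written below */` would also explain why the check is `>=` rather than `>`. The rest of config_sortlist, including both buffer declarations, begins and ends outside the hunk, so the exact sizes could not be confirmed here.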
+++ b/SOURCES/deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch 
@@ -0,0 +1,49 @@
+From 201c8b23df7bf986276e62b03f8276e18ef49728 Mon Sep 17 00:00:00 2001
+From: Kornel
+Date: Fri, 27 Jan 2023 01:20:38 +0000
+Subject: [PATCH] deps(http-cache-semantics): Don't use regex to trim
+ whitespace
+
+upstream-patch: https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74
+Signed-off-by: rpm-build
+---
+ deps/npm/node_modules/http-cache-semantics/node4/index.js | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/deps/npm/node_modules/http-cache-semantics/node4/index.js b/deps/npm/node_modules/http-cache-semantics/node4/index.js
+index bcdaebe..e427106 100644
+--- a/deps/npm/node_modules/http-cache-semantics/node4/index.js
++++ b/deps/npm/node_modules/http-cache-semantics/node4/index.js
+@@ -21,7 +21,7 @@ function parseCacheControl(header) {
+
+ // TODO: When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives),
+ // the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale
+- var parts = header.trim().split(/\s*,\s*/); // TODO: lame parsing
++ var parts = header.trim().split(/,/);
+ for (var _iterator = parts, _isArray = Array.isArray(_iterator), _i = 0, _iterator = _isArray ? _iterator : _iterator[Symbol.iterator]();;) {
+ var _ref;
+
+@@ -36,11 +36,11 @@ function parseCacheControl(header) {
+
+ var part = _ref;
+
+- var _part$split = part.split(/\s*=\s*/, 2),
++ var _part$split = part.split(/=/, 2),
+ k = _part$split[0],
+ v = _part$split[1];
+
+- cc[k] = v === undefined ? true : v.replace(/^"|"$/g, ''); // TODO: lame unquoting
++ cc[k.trim()] = v === undefined ? true : v.trim().replace(/^"|"$/g, '');
+ }
+
+ return cc;
+@@ -556,4 +556,4 @@ module.exports = function () {
+ };
+
+ return CachePolicy;
+-}();
+\ No newline at end of file
++}();
+--
+2.39.2
+
diff --git a/SOURCES/deps-minimist-improve-redos-protection.patch b/SOURCES/deps-minimist-improve-redos-protection.patch
deleted file mode 100644
index 8d56f8e..0000000
--- a/SOURCES/deps-minimist-improve-redos-protection.patch
+++ /dev/null
@@ -1,298 +0,0 @@
-From fb18c98b6ac91740165fd7c2a6f4449e880375a8 Mon Sep 17 00:00:00 2001
-From: isaacs
-Date: Sun, 6 Feb 2022 12:26:10 -0800
-Subject: [PATCH] Improve redos protection, add many tests
-
-100% line coverage, not quite 100% total though.
-
-Signed-off-by: rpm-build
----
- deps/npm/node_modules/minimatch/minimatch.js | 119 ++++++++++++-------
- 1 file changed, 74 insertions(+), 45 deletions(-)
-
-diff --git a/deps/npm/node_modules/minimatch/minimatch.js b/deps/npm/node_modules/minimatch/minimatch.js
-index 5b5f8cf..0499a73 100644
---- a/deps/npm/node_modules/minimatch/minimatch.js
-+++ b/deps/npm/node_modules/minimatch/minimatch.js
-@@ -1,15 +1,15 @@
- module.exports = minimatch
- minimatch.Minimatch = Minimatch
-
--var path = { sep: '/' }
--try {
-- path = require('path')
--} catch (er) {}
-+const path = (() => { try { return require('path') } catch (e) {}})() || {
-+ sep: '/'
-+}
-+minimatch.sep = path.sep
-
--var GLOBSTAR = minimatch.GLOBSTAR = Minimatch.GLOBSTAR = {}
--var expand = require('brace-expansion')
-+const GLOBSTAR = minimatch.GLOBSTAR = Minimatch.GLOBSTAR = {}
-+const expand = require('brace-expansion')
-
--var plTypes = {
-+const plTypes = {
- '!': { open: '(?:(?!(?:', close: '))[^/]*?)'},
- '?': { open: '(?:', close: ')?' },
- '+': { open: '(?:', close: ')+' },
-@@ -19,22 +19,22 @@ var plTypes = {
-
- // any single thing other than /
- // don't need to escape / when using new RegExp()
--var qmark = '[^/]'
-+const qmark = '[^/]'
-
- // * => any number of characters
--var star = qmark + '*?'
-+const star = qmark + '*?'
-
- // ** when dots are allowed. Anything goes, except .. and .
- // not (^ or / followed by one or two dots followed by $ or /),
- // followed by anything, any number of times.
--var twoStarDot = '(?:(?!(?:\\\/|^)(?:\\.{1,2})($|\\\/)).)*?'
-+const twoStarDot = '(?:(?!(?:\\\/|^)(?:\\.{1,2})($|\\\/)).)*?'
-
- // not a ^ or / followed by a dot,
- // followed by anything, any number of times.
--var twoStarNoDot = '(?:(?!(?:\\\/|^)\\.).)*?'
-+const twoStarNoDot = '(?:(?!(?:\\\/|^)\\.).)*?'
-
- // characters that need to be escaped in RegExp.
--var reSpecials = charSet('().*{}+?[]^$\\!')
-+const reSpecials = charSet('().*{}+?[]^$\\!')
-
- // "abc" -> { a:true, b:true, c:true }
- function charSet (s) {
-@@ -45,7 +45,7 @@ function charSet (s) {
- }
-
- // normalizes slashes.
--var slashSplit = /\/+/
-+const slashSplit = /\/+/
-
- minimatch.filter = filter
- function filter (pattern, options) {
-@@ -58,41 +58,63 @@ function filter (pattern, options) {
- function ext (a, b) {
- a = a || {}
- b = b || {}
-- var t = {}
-- Object.keys(b).forEach(function (k) {
-- t[k] = b[k]
-- })
-+ const t = {}
- Object.keys(a).forEach(function (k) {
- t[k] = a[k]
- })
-+ Object.keys(b).forEach(function (k) {
-+ t[k] = b[k]
-+ })
- return t
- }
-
- minimatch.defaults = function (def) {
-- if (!def || !Object.keys(def).length) return minimatch
-+ if (!def || typeof def !== 'object' || !Object.keys(def).length) {
-+ return minimatch
-+ }
-
-- var orig = minimatch
-+ const orig = minimatch
-
-- var m = function minimatch (p, pattern, options) {
-- return orig.minimatch(p, pattern, ext(def, options))
-+ const m = function minimatch (p, pattern, options) {
-+ return orig(p, pattern, ext(def, options))
- }
-
- m.Minimatch = function Minimatch (pattern, options) {
- return new orig.Minimatch(pattern, ext(def, options))
- }
-+ m.Minimatch.defaults = options => {
-+ return orig.defaults(ext(def, options)).Minimatch
-+ }
-+
-+ m.filter = function filter (pattern, options) {
-+ return orig.filter(pattern, ext(def, options))
-+ }
-+
-+ m.defaults = function defaults (options) {
-+ return orig.defaults(ext(def, options))
-+ }
-+
-+ m.makeRe = function makeRe (pattern, options) {
-+ return orig.makeRe(pattern, ext(def, options))
-+ }
-+
-+ m.braceExpand = function braceExpand (pattern, options) {
-+ return orig.braceExpand(pattern, ext(def, options))
-+ }
-+
-+ m.match = function (list, pattern, options) {
-+ return orig.match(list, pattern, ext(def, options))
-+ }
-
- return m
- }
-
- Minimatch.defaults = function (def) {
-- if (!def || !Object.keys(def).length) return Minimatch
- return minimatch.defaults(def).Minimatch
- }
-
- function minimatch (p, pattern, options) {
-- if (typeof pattern !== 'string') {
-- throw new TypeError('glob pattern string required')
-- }
-+ assertValidPattern(pattern)
-
- if (!options) options = {}
-
-@@ -112,9 +134,7 @@ function Minimatch (pattern, options) {
- return new Minimatch(pattern, options)
- }
-
-- if (typeof pattern !== 'string') {
-- throw new TypeError('glob pattern string required')
-- }
-+ assertValidPattern(pattern)
-
- if (!options) options = {}
- pattern = pattern.trim()
-@@ -242,12 +262,9 @@ function braceExpand (pattern, options) {
- pattern = typeof pattern === 'undefined'
- ? this.pattern : pattern
-
-- if (typeof pattern === 'undefined') {
-- throw new TypeError('undefined pattern')
-- }
-+ assertValidPattern(pattern)
-
-- if (options.nobrace ||
-- !pattern.match(/\{.*\}/)) {
-+ if (options.nobrace || !/\{(?:(?!\{).)*\}/.test(pattern)) {
- // shortcut. no need to expand.
- return [pattern]
- }
-@@ -255,6 +272,17 @@ function braceExpand (pattern, options) {
- return expand(pattern)
- }
-
-+const MAX_PATTERN_LENGTH = 1024 * 64
-+const assertValidPattern = pattern => {
-+ if (typeof pattern !== 'string') {
-+ throw new TypeError('invalid pattern')
-+ }
-+
-+ if (pattern.length > MAX_PATTERN_LENGTH) {
-+ throw new TypeError('pattern is too long')
-+ }
-+}
-+
- // parse a component of the expanded set.
- // At this point, no pattern may contain "/" in it
- // so we're going to return a 2d array, where each entry is the full
-@@ -267,11 +295,9 @@ function braceExpand (pattern, options) {
- // of * is equivalent to a single *. Globstar behavior is enabled by
- // default, and can be disabled by setting options.noglobstar.
- Minimatch.prototype.parse = parse
--var SUBPARSE = {}
-+const SUBPARSE = {}
- function parse (pattern, isSub) {
-- if (pattern.length > 1024 * 64) {
-- throw new TypeError('pattern is too long')
-- }
-+ assertValidPattern(pattern)
-
- var options = this.options
-
-@@ -280,7 +306,7 @@ function parse (pattern, isSub) {
- if (pattern === '') return ''
-
- var re = ''
-- var hasMagic = !!options.nocase
-+ var hasMagic = false
- var escaping = false
- // ? => one single character
- var patternListStack = []
-@@ -332,10 +358,11 @@ function parse (pattern, isSub) {
- }
-
- switch (c) {
-- case '/':
-+ case '/': /* istanbul ignore next */ {
- // completely not allowed, even escaped.
- // Should already be path-split by now.
- return false
-+ }
-
- case '\\':
- clearStateChar()
-@@ -620,7 +647,7 @@ function parse (pattern, isSub) {
- var flags = options.nocase ? 'i' : ''
- try {
- var regExp = new RegExp('^' + re + '$', flags)
-- } catch (er) {
-+ } catch (er) /* istanbul ignore next - should be impossible */ {
- // If it was an invalid regular expression, then it can't match
- // anything. This trick looks for a character after the end of
- // the string, which is of course impossible, except in multi-line
-@@ -678,7 +705,7 @@ function makeRe () {
-
- try {
- this.regexp = new RegExp(re, flags)
-- } catch (ex) {
-+ } catch (ex) /* istanbul ignore next - should be impossible */ {
- this.regexp = false
- }
- return this.regexp
-@@ -686,7 +713,7 @@ function makeRe () {
-
- minimatch.match = function (list, pattern, options) {
- options = options || {}
-- var mm = new Minimatch(pattern, options)
-+ const mm = new Minimatch(pattern, options)
- list = list.filter(function (f) {
- return mm.match(f)
- })
-@@ -779,6 +806,7 @@ Minimatch.prototype.matchOne = function (file, pattern, partial) {
-
- // should be impossible.
- // some invalid regexp stuff in the set.
-+ /* istanbul ignore if */
- if (p === false) return false
-
- if (p === GLOBSTAR) {
-@@ -852,6 +880,7 @@ Minimatch.prototype.matchOne = function (file, pattern, partial) {
- // no match was found.
- // However, in partial mode, we can't say this is necessarily over.
- // If there's more *pattern* left, then
-+ /* istanbul ignore if */
- if (partial) {
- // ran out of file
- this.debug('\n>>> no match, partial?', file, fr, pattern, pr)
-@@ -900,16 +929,16 @@ Minimatch.prototype.matchOne = function (file, pattern, partial) {
- // this is ok if we're doing the match as part of
- // a glob fs traversal.
- return partial
-- } else if (pi === pl) {
-+ } else /* istanbul ignore else */ if (pi === pl) {
- // ran out of pattern, still have file left.
- // this is only acceptable if we're on the very last
- // empty segment of a file with a trailing slash.
- // a/* should match a/b/
-- var emptyFileEnd = (fi === fl - 1) && (file[fi] === '')
-- return emptyFileEnd
-+ return (fi === fl - 1) && (file[fi] === '')
- }
-
- // should be unreachable.
-+ /* istanbul ignore next */
- throw new Error('wtf?')
- }
-
---
-2.39.1
-
diff --git a/SOURCES/deps-qs-parse-ignore-__proto__-keys.patch b/SOURCES/deps-qs-parse-ignore-__proto__-keys.patch
deleted file mode 100644
index 9155957..0000000
--- a/SOURCES/deps-qs-parse-ignore-__proto__-keys.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From f0ee81ba69c78dfb9d827eda45fd957b758ca9f2 Mon Sep 17 00:00:00 2001
-From: Jordan Harband
-Date: Mon, 27 Dec 2021 19:15:57 -0800
-Subject: [PATCH] `parse`: ignore `__proto__` keys (#428)
-
-Signed-off-by: rpm-build
----
- deps/npm/node_modules/qs/lib/parse.js | 2 +-
- deps/npm/node_modules/qs/test/parse.js | 60 ++++++++++++++++++++++++++
- 2 files changed, 61 insertions(+), 1 deletion(-)
-
-diff --git a/deps/npm/node_modules/qs/lib/parse.js b/deps/npm/node_modules/qs/lib/parse.js
-index 8c9872e..08e623a 100644
---- a/deps/npm/node_modules/qs/lib/parse.js
-+++ b/deps/npm/node_modules/qs/lib/parse.js
-@@ -69,7 +69,7 @@ var parseObject = function (chain, val, options) {
- ) {
- obj = [];
- obj[index] = leaf;
-- } else {
-+ } else if (cleanRoot !== '__proto__') {
- obj[cleanRoot] = leaf;
- }
- }
-diff --git a/deps/npm/node_modules/qs/test/parse.js b/deps/npm/node_modules/qs/test/parse.js
-index 0f8fe45..3e93784 100644
---- a/deps/npm/node_modules/qs/test/parse.js
-+++ b/deps/npm/node_modules/qs/test/parse.js
-@@ -515,6 +515,66 @@ test('parse()', function (t) {
- st.end();
- });
-
-+ t.test('dunder proto is ignored', function (st) {
-+ var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42';
-+ var result = qs.parse(payload, { allowPrototypes: true });
-+
-+ st.deepEqual(
-+ result,
-+ {
-+ categories: {
-+ length: '42'
-+ }
-+ },
-+ 'silent [[Prototype]] payload'
-+ );
-+
-+ var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true });
-+
-+ st.deepEqual(
-+ plainResult,
-+ {
-+ __proto__: null,
-+ categories: {
-+ __proto__: null,
-+ length: '42'
-+ }
-+ },
-+ 'silent [[Prototype]] payload: plain objects'
-+ );
-+
-+ var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true });
-+
-+ st.notOk(Array.isArray(query.categories), 'is not an array');
-+ st.notOk(query.categories instanceof Array, 'is not instanceof an array');
-+ st.deepEqual(query.categories, { some: { json: 'toInject' } });
-+ st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array');
-+
-+ st.deepEqual(
-+ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }),
-+ {
-+ foo: {
-+ bar: 'stuffs'
-+ }
-+ },
-+ 'hidden values'
-+ );
-+
-+ st.deepEqual(
-+ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }),
-+ {
-+ __proto__: null,
-+ foo: {
-+ __proto__: null,
-+ bar: 'stuffs'
-+ }
-+ },
-+ 'hidden values: plain objects'
-+ );
-+
-+ st.end();
-+ });
-+
- t.test('can return null objects', { skip: !Object.create }, function (st) {
- var expected = Object.create(null);
- expected.a = Object.create(null);
---
-2.39.0
-
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index e2b47f0..9577eae 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -23,10 +23,10 @@
 # than a Fedora release lifecycle.
 %global nodejs_major 14
 %global nodejs_minor 21
-%global nodejs_patch 1
+%global nodejs_patch 3
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
-%global nodejs_release 3
+%global nodejs_release 2
 %global nodejs_datadir %{_datarootdir}/nodejs
@@ -92,7 +92,7 @@
 # npm - from deps/npm/package.json
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 17
+%global npm_patch 18
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 # uvwasi - from deps/uvwasi/include/uvwasi.h
@@ -176,8 +176,8 @@ Patch11: Make-icutrim.py-Python-2-compatible.patch
 # Address various CVEs in bundled deps
 Patch21: deps-ansi-regex-fix-potential-ReDoS.patch
 Patch22: deps-node-fetch-npm-backport-CVE-2022-0235-fix.patch
-Patch23: deps-qs-parse-ignore-__proto__-keys.patch
-Patch24: deps-minimist-improve-redos-protection.patch
+Patch23: deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
+Patch24: deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
 %{?scl:Requires: %{scl}-runtime}
@@ -543,7 +543,6 @@ python2 tools/test.py "${RUN_SUITES[@]}" || : # FIXME – disable all failing t
 %doc %{_mandir}/man5/shrinkwrap-json.5*
 %doc %{_mandir}/man7/config.7*
 %doc %{_mandir}/man7/developers.7*
-%doc %{_mandir}/man7/disputes.7*
 %doc %{_mandir}/man7/orgs.7*
 %doc %{_mandir}/man7/registry.7*
 %doc %{_mandir}/man7/removal.7*
@@ -559,6 +558,16 @@ python2 tools/test.py "${RUN_SUITES[@]}" || : # FIXME – disable all failing t
 %changelog
+* Thu Mar 16 2023 Jan Staněk - 14.21.3-2
+- Rebuilt with updated provides generator
+ Related: rhbz#2153715
+
+* Tue Mar 07 2023 Jan Staněk - 14.21.3-1
+- Rebase to 14.21.3
+ Resolves: rhbz#2153715
+ Resolves: CVE-2022-25881 CVE-2023-23918 CVE-2023-23920 CVE-2022-38900
+ Resolves: CVE-2022-4904
+
 * Thu Jan 26 2023 Jan Staněk - 14.21.1-3
 - Properly apply upstream patch for CVE-2022-3517
 Resolves: CVE-2022-3517