diff --git a/.gitignore b/.gitignore index e673228..a69187d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ SOURCES/node-ssl-shim-6fc0b05.tar.gz -SOURCES/node-v14.15.4-stripped.tar.gz +SOURCES/node-v14.16.0-stripped.tar.gz diff --git a/.rh-nodejs14-nodejs.metadata b/.rh-nodejs14-nodejs.metadata index e2cb57f..3380149 100644 --- a/.rh-nodejs14-nodejs.metadata +++ b/.rh-nodejs14-nodejs.metadata @@ -1,2 +1,2 @@ 9fe6761bd237af8be0e4d26184c5a01e01d7967d SOURCES/node-ssl-shim-6fc0b05.tar.gz -80e7c92657b6c19357ac8f41872bf30a7379d07e SOURCES/node-v14.15.4-stripped.tar.gz +f29df6df94e384907adc5c6353eeb6261ad4833e SOURCES/node-v14.16.0-stripped.tar.gz diff --git a/SOURCES/deps-npm-ini-do-not-allow-invalid-hazardous-string-as-section-name.patch b/SOURCES/deps-npm-ini-do-not-allow-invalid-hazardous-string-as-section-name.patch deleted file mode 100644 index 59de1e7..0000000 --- a/SOURCES/deps-npm-ini-do-not-allow-invalid-hazardous-string-as-section-name.patch +++ /dev/null @@ -1,99 +0,0 @@ -From b91d5c56210c8d7728c77d0f6a640a13b220fc3e Mon Sep 17 00:00:00 2001 -From: isaacs -Date: Tue, 8 Dec 2020 14:21:50 -0800 -Subject: [PATCH] do not allow invalid hazardous string as section name - -Signed-off-by: rpm-build ---- - deps/npm/node_modules/ini/ini.js | 8 +++++ - deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++ - 2 files changed, 53 insertions(+) - create mode 100644 deps/npm/node_modules/ini/test/proto.js - -diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js -index 590195d..0401258 100644 ---- a/deps/npm/node_modules/ini/ini.js -+++ b/deps/npm/node_modules/ini/ini.js -@@ -80,6 +80,12 @@ function decode (str) { - if (!match) return - if (match[1] !== undefined) { - section = unsafe(match[1]) -+ if (section === '__proto__') { -+ // not allowed -+ // keep parsing the section, but don't attach it. -+ p = {} -+ return -+ } - p = out[section] = out[section] || {} - return - } -@@ -94,6 +100,7 @@ function decode (str) { - // Convert keys with '[]' suffix to an array - if (key.length > 2 && key.slice(-2) === '[]') { - key = key.substring(0, key.length - 2) -+ if (key === '__proto__') return - if (!p[key]) { - p[key] = [] - } else if (!Array.isArray(p[key])) { -@@ -125,6 +132,7 @@ function decode (str) { - var l = parts.pop() - var nl = l.replace(/\\\./g, '.') - parts.forEach(function (part, _, __) { -+ if (part === '__proto__') return - if (!p[part] || typeof p[part] !== 'object') p[part] = {} - p = p[part] - }) -diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js -new file mode 100644 -index 0000000..ab35533 ---- /dev/null -+++ b/deps/npm/node_modules/ini/test/proto.js -@@ -0,0 +1,45 @@ -+var ini = require('../') -+var t = require('tap') -+ -+var data = ` -+__proto__ = quux -+foo = baz -+[__proto__] -+foo = bar -+[other] -+foo = asdf -+[kid.__proto__.foo] -+foo = kid -+[arrproto] -+hello = snyk -+__proto__[] = you did a good job -+__proto__[] = so you deserve arrays -+thanks = true -+` -+var res = ini.parse(data) -+t.deepEqual(res, { -+ foo: 'baz', -+ other: { -+ foo: 'asdf', -+ }, -+ kid: { -+ foo: { -+ foo: 'kid', -+ }, -+ }, -+ arrproto: { -+ hello: 'snyk', -+ thanks: true, -+ }, -+}) -+t.equal(res.__proto__, Object.prototype) -+t.equal(res.kid.__proto__, Object.prototype) -+t.equal(res.kid.foo.__proto__, Object.prototype) -+t.equal(res.arrproto.__proto__, Object.prototype) -+t.equal(Object.prototype.foo, undefined) -+t.equal(Object.prototype[0], undefined) -+t.equal(Object.prototype['0'], undefined) -+t.equal(Object.prototype[1], undefined) -+t.equal(Object.prototype['1'], undefined) -+t.equal(Array.prototype[0], undefined) -+t.equal(Array.prototype[1], undefined) --- -2.29.2 - diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index 7ca52b9..8d7d4cf 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -22,11 +22,11 @@ # feature releases that are only supported for nine months, which is shorter # than a Fedora release lifecycle. %global nodejs_major 14 -%global nodejs_minor 15 -%global nodejs_patch 4 +%global nodejs_minor 16 +%global nodejs_patch 0 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch} -%global nodejs_release 2 +%global nodejs_release 1 # == Bundled Dependency Versions == # v8 - from deps/v8/include/v8-version.h @@ -72,7 +72,7 @@ # npm - from deps/npm/package.json %global npm_major 6 %global npm_minor 14 -%global npm_patch 10 +%global npm_patch 11 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # uvwasi - from deps/uvwasi/include/uvwasi.h @@ -138,9 +138,7 @@ Patch10: deps-Remove-statx-from-libuv.patch # Make icutrim work with python 2 Patch11: Make-icutrim.py-Python-2-compatible.patch -# CVE-2020-7788 -Patch12: deps-npm-ini-do-not-allow-invalid-hazardous-string-as-section-name.patch -Patch13: deps-y18n-CVE-2020-7774.patch +Patch12: deps-y18n-CVE-2020-7774.patch %{?scl:Requires: %{scl}-runtime} @@ -313,8 +311,7 @@ export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cfl --with-dtrace --with-intl=small-icu \ --shared-openssl --openssl-use-def-ca-store --openssl-is-fips \ %{!?el7:--shared-zlib} \ - %{!?with_bootstrap:--shared-http-parser} \ - --debug-nghttp2 + %{!?with_bootstrap:--shared-http-parser} %make_build %{!?with_parallel_build:-j1} @@ -469,6 +466,10 @@ python2 tools/test.py "${RUN_SUITES[@]}" || : # FIXME – disable all failing t %changelog +* Tue Feb 23 2021 Jan Staněk - 14.16.0-1 +- Rebase to 14.16.0 +- Resolves: CVE-2021-22883 CVE-2021-22884 + * Wed Jan 27 2021 Jan Staněk - 14.15.4-2 - Patch bundled y18n for CVE-2020-7774 - Resolves: CVE-2020-7774