diff --git a/.gitignore b/.gitignore index 1e77ba2..1b97368 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ SOURCES/node-ssl-shim-70e39fd.tar.gz -SOURCES/node-v14.17.2-stripped.tar.gz +SOURCES/node-v14.17.5-stripped.tar.gz diff --git a/.rh-nodejs14-nodejs.metadata b/.rh-nodejs14-nodejs.metadata index 92f4234..3b3af77 100644 --- a/.rh-nodejs14-nodejs.metadata +++ b/.rh-nodejs14-nodejs.metadata @@ -1,2 +1,2 @@ a49b02166a7bdba54fb45cba26a18fa48928ca0e SOURCES/node-ssl-shim-70e39fd.tar.gz -2153195b43725df008e9edf540c5acb3405c00ae SOURCES/node-v14.17.2-stripped.tar.gz +a1399887c30332381bbcbcaac21035c0b301619f SOURCES/node-v14.17.5-stripped.tar.gz diff --git a/SOURCES/CVE-2021-23343-path-parse-redos.patch b/SOURCES/CVE-2021-23343-path-parse-redos.patch new file mode 100644 index 0000000..d5bffc9 --- /dev/null +++ b/SOURCES/CVE-2021-23343-path-parse-redos.patch @@ -0,0 +1,180 @@ +https://github.com/jbgutierrez/path-parse/pull/10 + +From 75e6a130a111dc6c72d9f55ec5540dd6350f1e77 Mon Sep 17 00:00:00 2001 +From: Jeffrey Pinyan +Date: Thu, 13 May 2021 10:53:50 -0400 +Subject: [PATCH] fixed regexes to avoid ReDoS attacks + +Signed-off-by: rpm-build +--- + deps/npm/node_modules/path-parse/index.js | 6 +++--- + deps/npm/node_modules/path-parse/redos.js | 20 ++++++++++++++++++++ + 2 files changed, 23 insertions(+), 3 deletions(-) + create mode 100644 deps/npm/node_modules/path-parse/redos.js + +diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js +index 3b7601f..e6b2af1 100644 +--- a/deps/npm/node_modules/path-parse/index.js ++++ b/deps/npm/node_modules/path-parse/index.js +@@ -5,11 +5,11 @@ var isWindows = process.platform === 'win32'; + // Regex to split a windows path into three parts: [*, device, slash, + // tail] windows-only + var splitDeviceRe = +- /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?([\s\S]*?)$/; ++ /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s; + + // Regex to split the tail part of the above into [*, dir, basename, ext] + var splitTailRe = +- /^([\s\S]*?)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/; ++ /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/; + + var win32 = {}; + +@@ -51,7 +51,7 @@ win32.parse = function(pathString) { + // Split a filename into [root, dir, basename, ext], unix version + // 'root' is just a slash, or nothing. + var splitPathRe = +- /^(\/?|)([\s\S]*?)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/; ++ /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/; + var posix = {}; + + +diff --git a/deps/npm/node_modules/path-parse/redos.js b/deps/npm/node_modules/path-parse/redos.js +new file mode 100644 +index 0000000..261947f +--- /dev/null ++++ b/deps/npm/node_modules/path-parse/redos.js +@@ -0,0 +1,20 @@ ++var pathParse = require('.'); ++ ++function build_attack(n) { ++ var ret = "" ++ for (var i = 0; i < n; i++) { ++ ret += "/" ++ } ++ return ret + "◎"; ++} ++ ++for(var i = 1; i <= 5000000; i++) { ++ if (i % 10000 == 0) { ++ var time = Date.now(); ++ var attack_str = build_attack(i) ++ pathParse.posix(attack_str); ++ pathParse.win32(attack_str); ++ var time_cost = Date.now() - time; ++ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms") ++ } ++} +-- +2.31.1 + + +From ad13f8003dfa6c15ecad2b5aadf2faad3fae1435 Mon Sep 17 00:00:00 2001 +From: Jeffrey Pinyan +Date: Thu, 13 May 2021 11:51:45 -0400 +Subject: [PATCH] streamlined regexes, simplified parse() returns + +Signed-off-by: rpm-build +--- + deps/npm/node_modules/path-parse/index.js | 52 ++++++++--------------- + 1 file changed, 17 insertions(+), 35 deletions(-) + +diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js +index e6b2af1..f062d0a 100644 +--- a/deps/npm/node_modules/path-parse/index.js ++++ b/deps/npm/node_modules/path-parse/index.js +@@ -2,29 +2,14 @@ + + var isWindows = process.platform === 'win32'; + +-// Regex to split a windows path into three parts: [*, device, slash, +-// tail] windows-only +-var splitDeviceRe = +- /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s; +- +-// Regex to split the tail part of the above into [*, dir, basename, ext] +-var splitTailRe = +- /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/; ++// Regex to split a windows path into into [dir, root, basename, name, ext] ++var splitWindowsRe = ++ /^(((?:[a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?[\\\/]?)(?:[^\\\/]*[\\\/])*)((\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))[\\\/]*$/; + + var win32 = {}; + +-// Function to split a filename into [root, dir, basename, ext] + function win32SplitPath(filename) { +- // Separate device+slash from tail +- var result = splitDeviceRe.exec(filename), +- device = (result[1] || '') + (result[2] || ''), +- tail = result[3] || ''; +- // Split the tail into dir, basename and extension +- var result2 = splitTailRe.exec(tail), +- dir = result2[1], +- basename = result2[2], +- ext = result2[3]; +- return [device, dir, basename, ext]; ++ return splitWindowsRe.exec(filename).slice(1); + } + + win32.parse = function(pathString) { +@@ -34,24 +19,24 @@ win32.parse = function(pathString) { + ); + } + var allParts = win32SplitPath(pathString); +- if (!allParts || allParts.length !== 4) { ++ if (!allParts || allParts.length !== 5) { + throw new TypeError("Invalid path '" + pathString + "'"); + } + return { +- root: allParts[0], +- dir: allParts[0] + allParts[1].slice(0, -1), ++ root: allParts[1], ++ dir: allParts[0] === allParts[1] ? allParts[0] : allParts[0].slice(0, -1), + base: allParts[2], +- ext: allParts[3], +- name: allParts[2].slice(0, allParts[2].length - allParts[3].length) ++ ext: allParts[4], ++ name: allParts[3] + }; + }; + + + +-// Split a filename into [root, dir, basename, ext], unix version ++// Split a filename into [dir, root, basename, name, ext], unix version + // 'root' is just a slash, or nothing. + var splitPathRe = +- /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/; ++ /^((\/?)(?:[^\/]*\/)*)((\.{1,2}|[^\/]+?|)(\.[^.\/]*|))[\/]*$/; + var posix = {}; + + +@@ -67,19 +52,16 @@ posix.parse = function(pathString) { + ); + } + var allParts = posixSplitPath(pathString); +- if (!allParts || allParts.length !== 4) { ++ if (!allParts || allParts.length !== 5) { + throw new TypeError("Invalid path '" + pathString + "'"); + } +- allParts[1] = allParts[1] || ''; +- allParts[2] = allParts[2] || ''; +- allParts[3] = allParts[3] || ''; +- ++ + return { +- root: allParts[0], +- dir: allParts[0] + allParts[1].slice(0, -1), ++ root: allParts[1], ++ dir: allParts[0].slice(0, -1), + base: allParts[2], +- ext: allParts[3], +- name: allParts[2].slice(0, allParts[2].length - allParts[3].length) ++ ext: allParts[4], ++ name: allParts[3], + }; + }; + +-- +2.31.1 + diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index 46cd366..db0a589 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -23,7 +23,7 @@ # than a Fedora release lifecycle. %global nodejs_major 14 %global nodejs_minor 17 -%global nodejs_patch 2 +%global nodejs_patch 5 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch} %global nodejs_release 1 @@ -41,7 +41,7 @@ # c-ares - from deps/cares/include/ares_version.h %global c_ares_major 1 %global c_ares_minor 17 -%global c_ares_patch 1 +%global c_ares_patch 2 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch} # llhttp - from deps/llhttp/include/llhttp.h @@ -71,7 +71,7 @@ # npm - from deps/npm/package.json %global npm_major 6 %global npm_minor 14 -%global npm_patch 13 +%global npm_patch 14 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # uvwasi - from deps/uvwasi/include/uvwasi.h @@ -140,6 +140,8 @@ Patch11: Make-icutrim.py-Python-2-compatible.patch # Always defer to OS when it comes to FIPS Patch13: always-available-fips-options.patch +Patch15: CVE-2021-23343-path-parse-redos.patch + %{?scl:Requires: %{scl}-runtime} %{?scl:BuildRequires: %{scl}-runtime} @@ -466,8 +468,19 @@ python2 tools/test.py "${RUN_SUITES[@]}" || : # FIXME – disable all failing t %changelog +* Thu Aug 12 2021 Jan Staněk - 14.17.5-1 +- Rebase to 14.17.5 + Resolves: CVE-2021-22931 CVE-2021-22939 CVE-2021-22940 + +* Thu Aug 05 2021 Jan Staněk - 14.17.4-1 +- Rebase to 14.17.4 with additional fixes (update-handling-on-rst_stream-frames.patch) + Resolves: CVE-2021-22930 +- Patch bundled(nodejs-path-parse) for CVE-2021-23343 + Resolves: rhbz#1986745 + * Wed Jul 07 2021 Jan Staněk - 14.17.2-1 - Rebase to 14.17.2 + Resolves: CVE-2021-22918, CVE-2021-23362, CVE-2021-27290, CVE-2021-33502 - Remove upstreamed deps-y18n-CVE-2020-7774.patch * Tue Feb 23 2021 Jan Staněk - 14.16.0-1