diff --git a/.gitignore b/.gitignore index d99edf1..e673228 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ SOURCES/node-ssl-shim-6fc0b05.tar.gz -SOURCES/node-v14.15.0-stripped.tar.gz +SOURCES/node-v14.15.4-stripped.tar.gz diff --git a/.rh-nodejs14-nodejs.metadata b/.rh-nodejs14-nodejs.metadata index 250715c..e2cb57f 100644 --- a/.rh-nodejs14-nodejs.metadata +++ b/.rh-nodejs14-nodejs.metadata @@ -1,2 +1,2 @@ 9fe6761bd237af8be0e4d26184c5a01e01d7967d SOURCES/node-ssl-shim-6fc0b05.tar.gz -fdc54e8dbaec8f3a477e9708a3299a40e995eb91 SOURCES/node-v14.15.0-stripped.tar.gz +80e7c92657b6c19357ac8f41872bf30a7379d07e SOURCES/node-v14.15.4-stripped.tar.gz diff --git a/SOURCES/0001-Link-with-ssl-shim.patch b/SOURCES/0001-Link-with-ssl-shim.patch index 87c7f13..44aeb62 100644 --- a/SOURCES/0001-Link-with-ssl-shim.patch +++ b/SOURCES/0001-Link-with-ssl-shim.patch @@ -1,4 +1,4 @@ -From 75268fbb6bbe32db695595e2b30f4600732767ad Mon Sep 17 00:00:00 2001 +From 464d38829f78ac9858ce691af34ae04623865aeb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= Date: Tue, 28 Apr 2020 11:15:24 +0200 Subject: [PATCH] Link with ssl-shim @@ -61,5 +61,5 @@ index bef98b3e24..d46730c9ba 100644 namespace crypto { -- -2.26.2 +2.29.2 diff --git a/SOURCES/0002-Use-OpenSSL-1.0-API.patch b/SOURCES/0002-Use-OpenSSL-1.0-API.patch index d5e7561..33535c7 100644 --- a/SOURCES/0002-Use-OpenSSL-1.0-API.patch +++ b/SOURCES/0002-Use-OpenSSL-1.0-API.patch @@ -1,6 +1,6 @@ -From 779cd3cc604a0efdeba1e0e2bcacab27880675c4 Mon Sep 17 00:00:00 2001 +From 79ea1491a221b2c87384f47f125df1544b11c97a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= -Date: Wed, 16 Sep 2020 12:46:38 +0200 +Date: Tue, 5 Jan 2021 11:33:47 +0100 Subject: [PATCH] Use OpenSSL 1.0 API MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -143,5 +143,5 @@ index 6473b652ac..da1033fdef 100644 StackOfX509 CloneSSLCerts(X509Pointer&& cert, -- -2.26.2 +2.29.2 
diff --git a/SOURCES/0003-Backport-necessary-OpenSSL-features.patch b/SOURCES/0003-Backport-necessary-OpenSSL-features.patch index 48a8c4f..f505435 100644 --- a/SOURCES/0003-Backport-necessary-OpenSSL-features.patch +++ b/SOURCES/0003-Backport-necessary-OpenSSL-features.patch @@ -1,6 +1,6 @@ -From afdb783c2b6c97e4e8c4a8b69bff4187a1cb4bd2 Mon Sep 17 00:00:00 2001 +From 4f4ff18447ce5a4114d328d2e6175aae0b35b0fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= -Date: Wed, 16 Sep 2020 12:47:35 +0200 +Date: Tue, 5 Jan 2021 11:35:07 +0100 Subject: [PATCH] Backport necessary OpenSSL features MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -353,5 +353,5 @@ index dbc46fbec8..d27125042b 100644 // SSLWrap implicitly depends on the inheriting class' handle having an -- -2.26.2 +2.29.2 diff --git a/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch b/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch index 7319353..749dc53 100644 --- a/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch +++ b/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch @@ -1,6 +1,6 @@ -From 86227ed377d723a157bcd95ffb39bc14900a8576 Mon Sep 17 00:00:00 2001 +From f572d6ca73ec03c232fe0d4273ba5dc2e4329bd7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= -Date: Wed, 16 Sep 2020 12:49:21 +0200 +Date: Tue, 5 Jan 2021 11:35:51 +0100 Subject: [PATCH] Disable unsupported OpenSSL features MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -41,7 +41,7 @@ Signed-off-by: Jan Staněk rename test/{parallel => known_issues}/test-tls-cli-min-version-1.3.js (100%) diff --git a/doc/api/cli.md b/doc/api/cli.md -index 0112319a3a..eb39adfd16 100644 +index 3c39689c62..a337ce69a1 100644 --- a/doc/api/cli.md +++ b/doc/api/cli.md @@ -806,14 +806,6 @@ added: @@ -87,7 +87,7 @@ index 0112319a3a..eb39adfd16 100644 * `--trace-deprecation` * `--trace-event-categories` 
diff --git a/doc/api/tls.md b/doc/api/tls.md -index a55847ec3c..16ed16ea09 100644 +index 9a7ea7ee04..10aa912ab3 100644 --- a/doc/api/tls.md +++ b/doc/api/tls.md @@ -1966,10 +1966,10 @@ added: v11.4.0 @@ -285,7 +285,7 @@ index c373a97e47..220cb109bc 100644 v8::MaybeLocal GetCipherVersion( Environment* env, diff --git a/src/node_options.cc b/src/node_options.cc -index 87f547da1d..da4a8cd56f 100644 +index e7dc220f5c..c708597a0c 100644 --- a/src/node_options.cc +++ b/src/node_options.cc @@ -9,6 +9,8 @@ @@ -310,7 +310,7 @@ index 87f547da1d..da4a8cd56f 100644 #if HAVE_INSPECTOR if (!cpu_prof) { -@@ -523,14 +527,17 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() { +@@ -526,14 +530,17 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() { "set default TLS minimum to TLSv1.2 (default: TLSv1.2)", &EnvironmentOptions::tls_min_v1_2, kAllowedInEnvironment); @@ -329,7 +329,7 @@ index 87f547da1d..da4a8cd56f 100644 // Current plan is: // - 11.x and below: TLS1.3 is opt-in with --tls-max-v1.3 // - 12.x: TLS1.3 is opt-out with --tls-max-v1.2 -@@ -539,6 +546,7 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() { +@@ -542,6 +549,7 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() { "set default TLS maximum to TLSv1.3 (default: TLSv1.3)", &EnvironmentOptions::tls_max_v1_3, kAllowedInEnvironment); @@ -350,5 +350,5 @@ similarity index 100% rename from test/parallel/test-tls-cli-min-version-1.3.js rename to test/known_issues/test-tls-cli-min-version-1.3.js -- -2.26.2 +2.29.2 diff --git a/SOURCES/0005-Adjust-tests-expectations.patch b/SOURCES/0005-Adjust-tests-expectations.patch index 10fccfd..dc09d73 100644 --- a/SOURCES/0005-Adjust-tests-expectations.patch +++ b/SOURCES/0005-Adjust-tests-expectations.patch @@ -1,6 +1,6 @@ -From 6d75bbca77dead5af864e3ace591f882745eeb9e Mon Sep 17 00:00:00 2001 +From d262e378ca48cf6a893a9dbc5ed5ec83b1adacbc Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= -Date: Wed, 16 Sep 2020 12:49:56 +0200 +Date: Tue, 5 Jan 2021 11:36:29 +0100 Subject: [PATCH] Adjust tests expectations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -239,7 +239,7 @@ index 7ef0f12426..4fcb9247d3 100644 // TLS1.3 client hellos are are not understood by TLS1.1 or below. test(U, U, U, U, U, 'TLSv1_method', diff --git a/test/parallel/test-util-inspect.js b/test/parallel/test-util-inspect.js -index ffdf121dd5..6a2543e26a 100644 +index 9187af18da..53e0840f5c 100644 --- a/test/parallel/test-util-inspect.js +++ b/test/parallel/test-util-inspect.js @@ -148,7 +148,7 @@ assert.strictEqual( @@ -252,5 +252,5 @@ index ffdf121dd5..6a2543e26a 100644 { const regexp = /regexp/; -- -2.26.2 +2.29.2 diff --git a/SOURCES/0006-Disable-tests-for-unsupported-features.patch b/SOURCES/0006-Disable-tests-for-unsupported-features.patch index ab86965..34f5131 100644 --- a/SOURCES/0006-Disable-tests-for-unsupported-features.patch +++ b/SOURCES/0006-Disable-tests-for-unsupported-features.patch @@ -1,6 +1,6 @@ -From b1994d6afd0c14ea5f06fb11a250f3d405c98724 Mon Sep 17 00:00:00 2001 +From fdb39348a2f6c55fbdcaf8f88eaf3262ee8106a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= -Date: Wed, 16 Sep 2020 12:50:55 +0200 +Date: Tue, 5 Jan 2021 11:38:28 +0100 Subject: [PATCH] Disable tests for unsupported features MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -33,7 +33,7 @@ Signed-off-by: Jan Staněk test/parallel/test-crypto-dh-stateless.js | 17 -- test/parallel/test-crypto-hash.js | 63 -------- test/parallel/test-crypto-key-objects.js | 151 ------------------ - test/parallel/test-crypto-keygen.js | 51 ------ + test/parallel/test-crypto-keygen.js | 49 ------ test/parallel/test-crypto-sign-verify.js | 108 ------------- test/parallel/test-tls-cli-min-version-1.0.js | 2 +- test/parallel/test-tls-cli-min-version-1.1.js | 2 +- @@ -42,7 +42,7 @@ 
Signed-off-by: Jan Staněk test/parallel/test-tls-getcipher.js | 22 --- test/parallel/test-tls-min-max-version.js | 19 +-- test/parallel/test-tls-psk-circuit.js | 4 +- - 26 files changed, 33 insertions(+), 441 deletions(-) + 26 files changed, 33 insertions(+), 439 deletions(-) rename test/{parallel => known_issues}/test-crypto-certificate.js (100%) rename test/{parallel => known_issues}/test-crypto-des3-wrap.js (100%) rename test/{parallel => known_issues}/test-crypto-hash-stream-pipe.js (100%) @@ -479,10 +479,10 @@ index d3011db79d..644a52a1c7 100644 // Exporting an encrypted private key requires a cipher const privateKey = createPrivateKey(privatePem); diff --git a/test/parallel/test-crypto-keygen.js b/test/parallel/test-crypto-keygen.js -index 384f4fa68a..38432254f0 100644 +index 5da5715bcb..2f4b1ab407 100644 --- a/test/parallel/test-crypto-keygen.js +++ b/test/parallel/test-crypto-keygen.js -@@ -265,42 +265,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher); +@@ -257,41 +257,6 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher); })); } @@ -493,15 +493,13 @@ index 384f4fa68a..38432254f0 100644 - saltLength: 16, - hash: 'sha256', - mgf1Hash: 'sha256' -- }, common.mustCall((err, publicKey, privateKey) => { -- assert.ifError(err); -- +- }, common.mustSucceed((publicKey, privateKey) => { - assert.strictEqual(publicKey.type, 'public'); - assert.strictEqual(publicKey.asymmetricKeyType, 'rsa-pss'); - - assert.strictEqual(privateKey.type, 'private'); - assert.strictEqual(privateKey.asymmetricKeyType, 'rsa-pss'); - +- - // Unlike RSA, RSA-PSS does not allow encryption. - assert.throws(() => { - testEncryptDecrypt(publicKey, privateKey); 
@@ -522,10 +520,11 @@ index 384f4fa68a..38432254f0 100644 - testSignVerify(publicKey, privateKey); - })); -} - +- { const privateKeyEncoding = { -@@ -975,22 +940,6 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher); + type: 'pkcs8', +@@ -945,20 +910,6 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher); })); } @@ -533,9 +532,7 @@ index 384f4fa68a..38432254f0 100644 -{ - if (!/^1\.1\.0/.test(process.versions.openssl)) { - ['ed25519', 'ed448', 'x25519', 'x448'].forEach((keyType) => { -- generateKeyPair(keyType, common.mustCall((err, publicKey, privateKey) => { -- assert.ifError(err); -- +- generateKeyPair(keyType, common.mustSucceed((publicKey, privateKey) => { - assert.strictEqual(publicKey.type, 'public'); - assert.strictEqual(publicKey.asymmetricKeyType, keyType); - @@ -810,5 +807,5 @@ index 4bcdf36860..0642e18d5e 100644 test({ psk: USERS.UserB, identity: 'UserC' }, {}, DISCONNECT_MESSAGE); // Recognized user but incorrect secret should fail handshake -- -2.26.2 +2.29.2 diff --git a/SOURCES/0007-Disable-tests-for-known-issues.patch b/SOURCES/0007-Disable-tests-for-known-issues.patch index 929f62c..ae7a16e 100644 --- a/SOURCES/0007-Disable-tests-for-known-issues.patch +++ b/SOURCES/0007-Disable-tests-for-known-issues.patch @@ -1,6 +1,6 @@ -From 6c61519df159341a552e058acf8bc5755d5a6b46 Mon Sep 17 00:00:00 2001 +From 4276326db77bc9012d8e73ed90f0c3e4c502b57a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= -Date: Wed, 16 Sep 2020 12:51:20 +0200 +Date: Tue, 5 Jan 2021 11:38:49 +0100 Subject: [PATCH] Disable tests for known issues MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -216,5 +216,5 @@ index 8fb15d3ba5..2fc22ca477 100644 expect(opt, want, command, wantsError, false); } -- -2.26.2 +2.29.2 
diff --git a/SOURCES/deps-npm-ini-do-not-allow-invalid-hazardous-string-as-section-name.patch b/SOURCES/deps-npm-ini-do-not-allow-invalid-hazardous-string-as-section-name.patch
new file mode 100644
index 0000000..59de1e7
--- /dev/null
+++ b/SOURCES/deps-npm-ini-do-not-allow-invalid-hazardous-string-as-section-name.patch
@@ -0,0 +1,99 @@ +From b91d5c56210c8d7728c77d0f6a640a13b220fc3e Mon Sep 17 00:00:00 2001 +From: isaacs +Date: Tue, 8 Dec 2020 14:21:50 -0800 +Subject: [PATCH] do not allow invalid hazardous string as section name + +Signed-off-by: rpm-build +--- + deps/npm/node_modules/ini/ini.js | 8 +++++ + deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++ + 2 files changed, 53 insertions(+) + create mode 100644 deps/npm/node_modules/ini/test/proto.js + +diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js +index 590195d..0401258 100644 +--- a/deps/npm/node_modules/ini/ini.js ++++ b/deps/npm/node_modules/ini/ini.js +@@ -80,6 +80,12 @@ function decode (str) { + if (!match) return + if (match[1] !== undefined) { + section = unsafe(match[1]) ++ if (section === '__proto__') { ++ // not allowed ++ // keep parsing the section, but don't attach it. ++ p = {} ++ return ++ } + p = out[section] = out[section] || {} + return + } +@@ -94,6 +100,7 @@ function decode (str) { + // Convert keys with '[]' suffix to an array + if (key.length > 2 && key.slice(-2) === '[]') { + key = key.substring(0, key.length - 2) ++ if (key === '__proto__') return + if (!p[key]) { + p[key] = [] + } else if (!Array.isArray(p[key])) { +@@ -125,6 +132,7 @@ function decode (str) { + var l = parts.pop() + var nl = l.replace(/\\\./g, '.') + parts.forEach(function (part, _, __) { ++ if (part === '__proto__') return + if (!p[part] || typeof p[part] !== 'object') p[part] = {} + p = p[part] + }) +diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js +new file mode 100644 +index 0000000..ab35533 +--- /dev/null ++++ b/deps/npm/node_modules/ini/test/proto.js +@@ -0,0 +1,45 @@ ++var ini = require('../') ++var t = require('tap') ++ ++var data = ` ++__proto__ = quux ++foo = baz ++[__proto__] ++foo = bar ++[other] ++foo = asdf ++[kid.__proto__.foo] ++foo = kid ++[arrproto] ++hello = snyk ++__proto__[] = you did a good job ++__proto__[] = so 
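Review bot: The new `__proto__` guards in `decode` cover the `[section]` header, the `key[]` array form and each segment of a dotted `a.b.c` section path, but the plain `key = value` assignment that ends the loop body is outside this hunk and, as far as the visible context shows, still stores through `p[key]` unguarded. A string value such as the test's `__proto__ = quux` is ignored by the `__proto__` setter, which is why the test passes, but if the value switch above the hunk turns the literal `null` into `null` as upstream ini does, a `__proto__ = null` line would detach the prototype of the section object and make later `res.hasOwnProperty(...)`-style calls throw. One guard placed right after the value switch, `if (key === '__proto__') return`, would cover all three key paths in a single place instead of three. Note also that the `return` inside `parts.forEach` only skips that one segment, so `[kid.__proto__.foo]` is silently rewritten to `kid.foo` — the test pins this, so it is intentional, but a comment like `// drop the hazardous segment; the remaining path is still attached` would save the next reader a trace. `decode` starts and ends outside the hunk.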
you deserve arrays ++thanks = true ++` ++var res = ini.parse(data) ++t.deepEqual(res, { ++ foo: 'baz', ++ other: { ++ foo: 'asdf', ++ }, ++ kid: { ++ foo: { ++ foo: 'kid', ++ }, ++ }, ++ arrproto: { ++ hello: 'snyk', ++ thanks: true, ++ }, ++}) ++t.equal(res.__proto__, Object.prototype) ++t.equal(res.kid.__proto__, Object.prototype) ++t.equal(res.kid.foo.__proto__, Object.prototype) ++t.equal(res.arrproto.__proto__, Object.prototype) ++t.equal(Object.prototype.foo, undefined) ++t.equal(Object.prototype[0], undefined) ++t.equal(Object.prototype['0'], undefined) ++t.equal(Object.prototype[1], undefined) ++t.equal(Object.prototype['1'], undefined) ++t.equal(Array.prototype[0], undefined) ++t.equal(Array.prototype[1], undefined) +-- +2.29.2 + diff --git a/SOURCES/deps-y18n-CVE-2020-7774.patch b/SOURCES/deps-y18n-CVE-2020-7774.patch new file mode 100644 index 0000000..88a9d75 --- /dev/null +++ b/SOURCES/deps-y18n-CVE-2020-7774.patch @@ -0,0 +1,13 @@ +diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js +index d720681628..727362aac0 100644 +--- a/deps/npm/node_modules/y18n/index.js ++++ b/deps/npm/node_modules/y18n/index.js +@@ -11,7 +11,7 @@ function Y18N (opts) { + this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true + + // internal stuff. +- this.cache = {} ++ this.cache = Object.create(null) + this.writeQueue = [] + } + diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index ff054ea..7ca52b9 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -23,10 +23,10 @@ # than a Fedora release lifecycle. %global nodejs_major 14 %global nodejs_minor 15 -%global nodejs_patch 0 +%global nodejs_patch 4 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch} -%global nodejs_release 1 +%global nodejs_release 2 # == Bundled Dependency Versions == # v8 - from deps/v8/include/v8-version.h 
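Review bot: The y18n change only swaps the constructor's `this.cache = {}` for a null-prototype object, while the writes that CVE-2020-7774 actually exercises — presumably `this.cache[this.locale] = …` when a locale file is read and the per-string writes on lookup — are outside this hunk and are protected only indirectly, because a `__proto__` locale now becomes an ordinary own key of the cache. That is a sound fix for the outer cache level, but unlike the ini patch beside it, this one ships with no regression test; a small test that constructs `Y18N` with `locale: '__proto__'`, performs a lookup, and asserts `Object.prototype` gained no key would pin the behaviour the same way `test/proto.js` does for ini. The patch also carries no `From:`/`Subject:` header pointing at the upstream y18n commit, which every other `SOURCES/*.patch` in this diff has — worth adding for traceability of what was backported. Finally, confirm there is no second vendored copy of y18n under a nested `node_modules` inside `deps/npm` that needs the same change. The `Y18N` constructor starts before this hunk.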
@@ -72,7 +72,7 @@ # npm - from deps/npm/package.json %global npm_major 6 %global npm_minor 14 -%global npm_patch 8 +%global npm_patch 10 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # uvwasi - from deps/uvwasi/include/uvwasi.h @@ -138,6 +138,10 @@ Patch10: deps-Remove-statx-from-libuv.patch # Make icutrim work with python 2 Patch11: Make-icutrim.py-Python-2-compatible.patch +# CVE-2020-7788 +Patch12: deps-npm-ini-do-not-allow-invalid-hazardous-string-as-section-name.patch +Patch13: deps-y18n-CVE-2020-7774.patch + %{?scl:Requires: %{scl}-runtime} %{?scl:BuildRequires: %{scl}-runtime} @@ -465,6 +469,14 @@ python2 tools/test.py "${RUN_SUITES[@]}" || : # FIXME – disable all failing t %changelog +* Wed Jan 27 2021 Jan Staněk - 14.15.4-2 +- Patch bundled y18n for CVE-2020-7774 +- Resolves: CVE-2020-7774 + +* Tue Jan 05 2021 Jan Staněk - 14.15.4-1 +- Rebase to 14.15.4 +- Resolves: CVE-2020-8265 CVE-2020-8287 + * Thu Oct 29 2020 Jan Staněk - 14.15.0-1 - Rebase to 14.15.0
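Review bot: The `# CVE-2020-7788` comment added above `Patch12` reads as if it also covers `Patch13`, but that patch fixes CVE-2020-7774 in y18n, and the new 14.15.4-2 `%changelog` entry lists only the y18n fix, so the ini patch ends up with no changelog line and no `Resolves:` entry at all. Suggest splitting the comments into `# CVE-2020-7788 (bundled npm/ini)` and `# CVE-2020-7774 (bundled npm/y18n)`, and adding `- Patch bundled ini for CVE-2020-7788` plus the matching `Resolves:` entry to the release that actually carries it. The `%prep` lines that apply `%patch12`/`%patch13` are not in this diff, so confirm both patches are applied — a `Patch12:` tag alone does nothing without `%autosetup` — and, since `npm_patch` moves to 10 with the rebase, confirm the npm bundled in 14.15.4 does not already ship a fixed ini, in which case Patch12 would fail to apply rather than silently no-op. The `%changelog` section continues past the end of the hunk.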