diff --git a/0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch b/0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
new file mode 100644
index 0000000000000000000000000000000000000000..278ba062c95e49650ad104d5881c84175a3fc33a
--- /dev/null
+++ b/0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
@@ -0,0 +1,45 @@
+From df574e2999dc6c2c38138bd0c3ec61dfafe9c929 Mon Sep 17 00:00:00 2001
+From: Kornel
+Date: Fri, 27 Jan 2023 01:20:38 +0000
+Subject: [PATCH] deps(http-cache-semantics): Don't use regex to trim
+ whitespace
+
+Signed-off-by: rpm-build
+---
+ deps/npm/node_modules/http-cache-semantics/index.js | 6 +++---
+ deps/npm/node_modules/http-cache-semantics/package.json | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/deps/npm/node_modules/http-cache-semantics/index.js b/deps/npm/node_modules/http-cache-semantics/index.js
+index 4f6c2f3..39d58a7 100644
+--- a/deps/npm/node_modules/http-cache-semantics/index.js
++++ b/deps/npm/node_modules/http-cache-semantics/index.js
+@@ -79,10 +79,10 @@ function parseCacheControl(header) {
+ 
+ // TODO: When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives),
+ // the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale
+- const parts = header.trim().split(/\s*,\s*/); // TODO: lame parsing
++ const parts = header.trim().split(/,/);
+ for (const part of parts) {
+- const [k, v] = part.split(/\s*=\s*/, 2);
+- cc[k] = v === undefined ? true : v.replace(/^"|"$/g, ''); // TODO: lame unquoting
++ const [k, v] = part.split(/=/, 2);
++ cc[k.trim()] = v === undefined ? true : v.trim().replace(/^"|"$/g, '');
+ }
+ 
+ return cc;
+diff --git a/deps/npm/node_modules/http-cache-semantics/package.json b/deps/npm/node_modules/http-cache-semantics/package.json
+index 897798d..79c020a 100644
+--- a/deps/npm/node_modules/http-cache-semantics/package.json
++++ b/deps/npm/node_modules/http-cache-semantics/package.json
+@@ -1,6 +1,6 @@
+ {
+ "name": "http-cache-semantics",
+- "version": "4.1.0",
++ "version": "4.1.1",
+ "description": "Parses Cache-Control and other headers.
Helps building correct HTTP caches and proxies",
+ "repository": "https://github.com/kornelski/http-cache-semantics.git",
+ "main": "index.js",
+--
+2.39.2
+
diff --git a/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch b/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
new file mode 100644
index 0000000000000000000000000000000000000000..69763ba790d6e6f8ed0c3be1cde1895acefbabdc
--- /dev/null
+++ b/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
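Review bot: The 0002 patch header records no CVE reference for the change it backports, while the sibling 0003 patch carries `Resolves: CVE-2022-4904` and nodejs.spec labels this patch `# CVE-2022-25881`; add a `Resolves: CVE-2022-25881` trailer next to `Signed-off-by: rpm-build` so the patch file documents why it exists without consulting the spec. In the index.js hunk the new code replaces the `\s*,\s*` and `\s*=\s*` split patterns with literal `,` and `=` separators plus `trim()`, so the only regex still applied to header-derived text is the anchored `/^"|"$/g`, which has no backtracking path. One behaviour worth a comment rather than a fix: an empty element (for example a trailing comma) still yields `cc[''] = true`, exactly as before the change. The enclosing `parseCacheControl` function starts and ends outside the hunk.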
@@ -0,0 +1,53 @@
+From 2c06dc63aa864be8648758e71fa70e3d3f47e06f Mon Sep 17 00:00:00 2001
+From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
+Date: Wed, 18 Jan 2023 22:14:26 +0800
+Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid
+ stack overflow (#497)
+
+In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
+the input str and initialize a sortlist configuration.
+
+However, ares_set_sortlist has not any checks about the validity of the input str.
+It is very easy to create an arbitrary length stack overflow with the unchecked
+`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
+statements in the config_sortlist call, which could potentially cause severe
+security impact in practical programs.
+
+This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
+potential stack overflows.
+
+fixes #496
+
+Fix By: @hopper-vul
+Resolves: CVE-2022-4904
+
+Signed-off-by: rpm-build
+---
+ deps/cares/src/lib/ares_init.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c
+index de5d86c..d5858f6 100644
+--- a/deps/cares/src/lib/ares_init.c
++++ b/deps/cares/src/lib/ares_init.c
+@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+ q = str;
+ while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
+ q++;
++ if (q-str >= 16)
++ return ARES_EBADSTR;
+ memcpy(ipbuf, str, q-str);
+ ipbuf[q-str] = '\0';
+ /* Find the prefix */
+@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+ const char *str2 = q+1;
+ while (*q && *q != ';' && !ISSPACE(*q))
+ q++;
++ if (q-str >= 32)
++ return ARES_EBADSTR;
+ memcpy(ipbufpfx, str, q-str);
+ ipbufpfx[q-str] = '\0';
+ str = str2;
+--
+2.39.2
+
diff --git a/download b/download
index 35540d4fffd5303a78832e6a923b6d8e27d909c8..230a5e8b4f4f578dc5f8bdee22cb4b6d4e4e5243 100644
--- a/download
+++ b/download
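Review bot: The new bounds in both inner hunks are the literals 16 and 32, which duplicate the sizes of `ipbuf` and `ipbufpfx` declared outside the hunk; if those are fixed-size arrays local to `config_sortlist`, derive the limit from the declaration instead, e.g. `if ((size_t)(q-str) >= sizeof(ipbuf)) return ARES_EBADSTR;` and the same with `sizeof(ipbufpfx)` at the second site, with a comment that `>=` is deliberate because the `'\0'` store on the following line needs one byte beyond the copied token. As written the two checks do close the overflow the message describes, since `memcpy` and the terminator store are now reached only with `q-str` strictly below the buffer size. The 16-byte cap bounds the bare address token; if `ipbuf` is later also passed to an IPv6 parser (not visible here), full-length IPv6 sortlist entries would now fail with `ARES_EBADSTR`, which is worth confirming against the rest of the function. `config_sortlist` begins and ends outside both hunks.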
@@ -1,5 +1,5 @@
 202bcb573b72c91238010bec571db597 cjs-module-lexer-1.2.2.tar.gz
-358bee3c8aa39057f762c648a88c6f5b node-v16.17.1-stripped.tar.gz
-67b88b13c3de906255b06cb95366218e undici-5.8.0.tar.gz
+b71238e546340b236c7395eb2124b969 node-v16.19.1-stripped.tar.gz
+64f3cb63e29c3a054d3084265d8fa090 undici-5.19.1.tar.gz
 7b6ec4e1c3e39397bdd09087e2437bfd wasi-sdk-wasi-sdk-11.tar.gz
 4dfce15eff429925893eb9102b9b8b2e wasi-sdk-wasi-sdk-14.tar.gz
diff --git a/nodejs.spec b/nodejs.spec
index c8f26071ab8f0dca17c85c0c48e567940ed0ea38..f139933134d58a75aee4fc4702671d6f2d154395 100644
--- a/nodejs.spec
+++ b/nodejs.spec
@@ -46,7 +46,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 16
-%global nodejs_minor 17
+%global nodejs_minor 19
 %global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@@ -79,7 +79,7 @@
 # llhttp - from deps/llhttp/include/llhttp.h
 %global llhttp_major 6
 %global llhttp_minor 0
-%global llhttp_patch 9
+%global llhttp_patch 10
 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
 
 # libuv - from deps/uv/include/uv/version.h
@@ -96,14 +96,14 @@
 
 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
 %global nghttp3_major 0
-%global nghttp3_minor 1
-%global nghttp3_patch 0-DEV
+%global nghttp3_minor 7
+%global nghttp3_patch 0
 %global nghttp3_version %{nghttp3_major}.%{nghttp3_minor}.%{nghttp3_patch}
 
 # ngtcp2 from deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h
 %global ngtcp2_major 0
-%global ngtcp2_minor 1
-%global ngtcp2_patch 0-DEV
+%global ngtcp2_minor 8
+%global ngtcp2_patch 1
 %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch}
 
 # ICU - from tools/icu/current_ver.dep
@@ -139,20 +139,20 @@
 # npm - from deps/npm/package.json
 %global npm_epoch 1
 %global npm_major 8
-%global npm_minor 15
-%global npm_patch 0
+%global npm_minor 19
+%global npm_patch 3
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 
 # uvwasi - from deps/uvwasi/include/uvwasi.h
 %global uvwasi_major 0
 %global uvwasi_minor 0
-%global uvwasi_patch 12
+%global uvwasi_patch 13
 %global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
 
 # histogram_c - assumed from timestamps
 %global histogram_major 0
-%global histogram_minor 9
-%global histogram_patch 7
+%global histogram_minor 11
+%global histogram_patch 2
 %global histogram_version %{histogram_major}.%{histogram_minor}.%{histogram_patch}
 
 # In order to avoid needing to keep incrementing the release version for the
@@ -200,15 +200,19 @@ Source101: cjs-module-lexer-1.2.2.tar.gz
 Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz
 
 # Version: jq '.version' deps/undici/src/package.json
-# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.8.0.tar.gz
-# Adjustments: rm -f undici-5.8.0/lib/llhttp/llhttp*.wasm*
-Source111: undici-5.8.0.tar.gz
+# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.19.1.tar.gz
+# Adjustments: rm -f undici-5.19.1/lib/llhttp/llhttp*.wasm*
+Source111: undici-5.19.1.tar.gz
 # The WASM blob was made using wasi-sdk v14; compiler libraries are linked in.
 # Version source: build/Dockerfile
 Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-wasi-sdk-14.tar.gz
 
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
+# CVE-2022-25881
+Patch2: 0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
+# CVE-2022-4904
+Patch3: 0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
 
 BuildRequires: make
 BuildRequires: python3-devel
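Review bot: `Patch2` and `Patch3` are declared in the `@@ -200` hunk but nothing in it applies them, and whether they are applied depends on the `%prep` section outside the hunk; if `%prep` uses individual `%patch` lines rather than `%autosetup -p1`, both files are silently skipped and the CVE-2022-25881 / CVE-2022-4904 fixes the changelog claims never reach the build, so confirm `%prep` picks them up. To make the linkage visible at the declaration, extend each comment, e.g. `# CVE-2022-25881, applied by %%autosetup in %%prep` (or the matching `%patch` number). The other lines here and the whole `@@ -139` hunk are version bumps.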
@@ -394,6 +398,22 @@ rm -rf deps/brotli
 rm -rf deps/v8/third_party/jinja2
 rm -rf tools/inspector_protocol/jinja2
 
+# check for correct versions of dependencies we are bundling
+check_wasm_dep() {
+ local -r name="$1" source="$2" packagejson="$3"
+ local -r expected_version="$(jq -r '.version' "${packagejson}")"
+
+ if ls "${source}"|grep -q --fixed-strings "${expected_version}"; then
+ printf '%s version matches\n' "${name}" >&2
+ else
+ printf '%s version MISMATCH: %s !~ %s\n' "${name}" "${expected_version}" "${source}" >&2
+ return 1
+ fi
+}
+
+check_wasm_dep cjs-module-lexer '%{SOURCE101}' deps/cjs-module-lexer/package.json
+check_wasm_dep undici '%{SOURCE111}' deps/undici/src/package.json
+
 # Replace any instances of unversioned python' with python3
 %if %{with python3_fixup}
 pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js")
@@ -686,11 +706,14 @@ end
 %doc %{_mandir}/man1/npx.1*
 %doc %{_mandir}/man5/folders.5*
 %doc %{_mandir}/man5/install.5*
+%doc %{_mandir}/man5/npm-global.5*
+%doc %{_mandir}/man5/npm-json.5*
+%doc %{_mandir}/man5/npm-shrinkwrap-json.5*
 %doc %{_mandir}/man5/npmrc.5*
 %doc %{_mandir}/man5/package-json.5*
 %doc %{_mandir}/man5/package-lock-json.5*
-%doc %{_mandir}/man5/npm-shrinkwrap-json.5*
 %doc %{_mandir}/man7/config.7*
+%doc %{_mandir}/man7/dependency-selectors.7*
 %doc %{_mandir}/man7/developers.7*
 %doc %{_mandir}/man7/logging.7*
 %doc %{_mandir}/man7/orgs.7*
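Review bot: In `check_wasm_dep` an empty `expected_version` makes the check pass vacuously: `grep -q --fixed-strings ""` matches every line, and because the value is assigned inside `local -r ... "$(jq ...)"` the exit status of `jq` is masked, so a missing `jq`, an unreadable `package.json` or an absent `.version` (jq prints `null`) is reported as `version matches` for whatever tarball is present. Replace the assignment line with `local expected_version`, `expected_version="$(jq -r '.version' "${packagejson}")" || return 1` and `[ -n "${expected_version}" ] && [ "${expected_version}" != null ] || return 1`. The comparison is also an unanchored substring of the `ls` output path, so `5.19.1` accepts `undici-5.19.10.tar.gz` as well; matching the basename against `*-${expected_version}.tar.gz` would be exact. The `@@ -686` hunk only adds and reorders `%doc` man-page entries.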
@@ -710,30 +733,47 @@ end
 %changelog
+* Mon Feb 27 2023 Jan Staněk - 1:16.19.1-1
+- Rebase to 16.19.1
+ Resolves: rhbz#2153713
+ Resolves: CVE-2023-23918 CVE-2023-23919 CVE-2023-23936 CVE-2023-24807 CVE-2023-23920
+ Resolves: CVE-2022-25881 CVE-2022-4904
+
+* Wed Dec 07 2022 Jan Staněk - 1:16.18.1-3
+- Update sources of undici WASM blobs
+ Resolves: rhbz#2151546
+
+* Fri Dec 02 2022 Jan Staněk - 1:16.18.1-2
+- Record CVE references already addressed in this or previous upstream versions
+ Resolves: CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824
+
+* Wed Nov 16 2022 Zuzana Svetlikova - 1:16.18.1-1
+- Rebase + CVE fixes
+- Resolves: #2142806
+- Resolves: #2142837, #2142851
+
 * Fri Oct 07 2022 Zuzana Svetlikova - 1:16.17.1-1
 - Rebase to version 16.17.1
 - Resolves: CVE-2022-35255 CVE-2022-35256
-- Resolves: #2132004, #2130552
+- Resolves: #2130553
+- Resolves #2132003
 - Resolves #2121095
 
-* Fri Aug 05 2022 Zuzana Svetlikova - 1:16.16.0-3
-- Fix build
-- Resolves: RHBZ#2111416
-
-* Fri Aug 05 2022 Zuzana Svetlikova - 1:16.16.0-2
-- Refactor spec
-- Resolves: RHBZ#2111416
+* Tue Aug 23 2022 Zuzana Svetlikova - 1:16.16.0-1
+- Resolves: #2104754, #2108057, #2108062, #2108067, #2108072
+- Resolves CVE-2022-29244, CVE-2022-32212/3/4/5
+- Resolves: #2106285
+- Rebase to latest release
 
-* Tue Jul 26 2022 Zuzana Svetlikova - 1:16.16.0-1
-- Rebase to latest version
-- Resolves: RHBZ#2106369
-- CVE fixes for CVE-2022-32212/3/4/5
-- Resolves: #2109578, #2109581, #2109584, #2109588
+* Mon Apr 25 2022 Jan Staněk - 1:16.14.0-5
+- Unify configure calls into single command
+- Refactor bootstrap-related parts
+- Decouple dependency bundling from bootstrapping
 
 * Mon Apr 11 2022 Zuzana Svetlikova - 1:16.14.0-4
 - Apply lock file validation fixes
-- Resolves CVE-2021-43616
-- Resolves: RHBZ#2070012
+- Resolves: CVE-2021-43616
+- Resolves: RHBZ#2070013
 
 * Mon Dec 06 2021 Zuzana Svetlikova - 1:16.13.1-3
 - Resolves: RHBZ#2026329