diff --git a/0001-Disable-running-gyp-on-shared-deps.patch b/0001-Disable-running-gyp-on-shared-deps.patch index fc528b5770d8207bab6e887f789384a7803a1d54..bfc20b4b19ec0a68ffacac3c245ca2edd7caf3fc 100644 --- a/0001-Disable-running-gyp-on-shared-deps.patch +++ b/0001-Disable-running-gyp-on-shared-deps.patch @@ -1,19 +1,18 @@ -From b0b4d1ddbc720db73fb8ab13cdbbf1ce6524eebd Mon Sep 17 00:00:00 2001 -From: Zuzana Svetlikova -Date: Fri, 17 Apr 2020 12:59:44 +0200 -Subject: [PATCH 1/2] Disable running gyp on shared deps +From 8a45f34d9d74d59879973210cf06f4383b9832b8 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Tue, 30 May 2023 13:12:35 +0200 +Subject: [PATCH] Disable running gyp on shared deps +Signed-off-by: rpm-build --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e9676f176 100644 +index 6d6f2e4..88e1a11 100644 --- a/Makefile +++ b/Makefile -@@ -136,11 +136,11 @@ endif - .PHONY: test-code-cache - with-code-cache test-code-cache: +@@ -148,7 +148,7 @@ with-code-cache test-code-cache: $(warning '$@' target is a noop) out/Makefile: config.gypi common.gypi node.gyp \ @@ -22,8 +21,6 @@ index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp $(PYTHON) tools/gyp_node.py -f make - - # node_version.h is listed because the N-API version is taken from there -- -2.29.2 +2.40.1 diff --git a/0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch b/0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch deleted file mode 100644 index 278ba062c95e49650ad104d5881c84175a3fc33a..0000000000000000000000000000000000000000 --- a/0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From df574e2999dc6c2c38138bd0c3ec61dfafe9c929 Mon Sep 17 00:00:00 2001 -From: Kornel -Date: Fri, 27 Jan 2023 01:20:38 +0000 -Subject: [PATCH] deps(http-cache-semantics): Don't use regex to trim - whitespace - -Signed-off-by: rpm-build ---- - deps/npm/node_modules/http-cache-semantics/index.js | 6 +++--- - deps/npm/node_modules/http-cache-semantics/package.json | 2 +- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/deps/npm/node_modules/http-cache-semantics/index.js b/deps/npm/node_modules/http-cache-semantics/index.js -index 4f6c2f3..39d58a7 100644 ---- a/deps/npm/node_modules/http-cache-semantics/index.js -+++ b/deps/npm/node_modules/http-cache-semantics/index.js -@@ -79,10 +79,10 @@ function parseCacheControl(header) { - - // TODO: When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives), - // the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale -- const parts = header.trim().split(/\s*,\s*/); // TODO: lame parsing -+ const parts = header.trim().split(/,/); - for (const part of parts) { -- const [k, v] = part.split(/\s*=\s*/, 2); -- cc[k] = v === undefined ? true : v.replace(/^"|"$/g, ''); // TODO: lame unquoting -+ const [k, v] = part.split(/=/, 2); -+ cc[k.trim()] = v === undefined ? true : v.trim().replace(/^"|"$/g, ''); - } - - return cc; -diff --git a/deps/npm/node_modules/http-cache-semantics/package.json b/deps/npm/node_modules/http-cache-semantics/package.json -index 897798d..79c020a 100644 ---- a/deps/npm/node_modules/http-cache-semantics/package.json -+++ b/deps/npm/node_modules/http-cache-semantics/package.json -@@ -1,6 +1,6 @@ - { - "name": "http-cache-semantics", -- "version": "4.1.0", -+ "version": "4.1.1", - "description": "Parses Cache-Control and other headers. 
Helps building correct HTTP caches and proxies", - "repository": "https://github.com/kornelski/http-cache-semantics.git", - "main": "index.js", --- -2.39.2 - diff --git a/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch b/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch deleted file mode 100644 index 69763ba790d6e6f8ed0c3be1cde1895acefbabdc..0000000000000000000000000000000000000000 --- a/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 2c06dc63aa864be8648758e71fa70e3d3f47e06f Mon Sep 17 00:00:00 2001 -From: hopper-vul <118949689+hopper-vul@users.noreply.github.com> -Date: Wed, 18 Jan 2023 22:14:26 +0800 -Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid - stack overflow (#497) - -In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse -the input str and initialize a sortlist configuration. - -However, ares_set_sortlist has not any checks about the validity of the input str. -It is very easy to create an arbitrary length stack overflow with the unchecked -`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);` -statements in the config_sortlist call, which could potentially cause severe -security impact in practical programs. - -This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the -potential stack overflows. - -fixes #496 - -Fix By: @hopper-vul -Resolves: CVE-2022-4904 - -Signed-off-by: rpm-build ---- - deps/cares/src/lib/ares_init.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c -index de5d86c..d5858f6 100644 ---- a/deps/cares/src/lib/ares_init.c -+++ b/deps/cares/src/lib/ares_init.c -@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, - q = str; - while (*q && *q != '/' && *q != ';' && !ISSPACE(*q)) - q++; -+ if (q-str >= 16) -+ return ARES_EBADSTR; - memcpy(ipbuf, str, q-str); - ipbuf[q-str] = '\0'; - /* Find the prefix */ -@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, - const char *str2 = q+1; - while (*q && *q != ';' && !ISSPACE(*q)) - q++; -+ if (q-str >= 32) -+ return ARES_EBADSTR; - memcpy(ipbufpfx, str, q-str); - ipbufpfx[q-str] = '\0'; - str = str2; --- -2.39.2 - 
diff --git a/c-ares-cares-1_19_1.zip b/c-ares-cares-1_19_1.zip
deleted file mode 100644
index fe5627281f397242b7731da5873c4305f2ccd2ef..0000000000000000000000000000000000000000
Binary files a/c-ares-cares-1_19_1.zip and /dev/null differ
diff --git a/cares-update-version-and-release-procedure.patch b/cares-update-version-and-release-procedure.patch
deleted file mode 100644
index a925ef76f6c948cdf735aed240f8ac289ac59b27..0000000000000000000000000000000000000000
--- a/cares-update-version-and-release-procedure.patch
+++ /dev/null
@@ -1,56 +0,0 @@ -From b81b93235fd3311636af110c107228a309fd3b47 Mon Sep 17 00:00:00 2001 -From: bradh352 -Date: Tue, 23 May 2023 09:54:08 -0400 -Subject: [PATCH] update version and release procedure - ---- - RELEASE-PROCEDURE.md | 5 +++-- - include/ares_version.h | 6 +++--- - 2 files changed, 6 insertions(+), 5 deletions(-) - -diff --git a/RELEASE-PROCEDURE.md b/RELEASE-PROCEDURE.md -index c16770788..1abc9a382 100644 ---- a/RELEASE-PROCEDURE.md -+++ b/RELEASE-PROCEDURE.md -@@ -10,6 +10,9 @@ in the source code repo - `CARES_LIB_VERSIONINFO` set to the same value to denote the current shared - object versioning. - -+- edit `include/ares_version.h` and set `ARES_VERSION_*` definitions to reflect -+ the current version. -+ - - make sure all relevant changes are committed on the master branch - - - tag the git repo in this style: `git tag -a cares-1_14_0` -a annotates the -@@ -26,8 +29,6 @@ in the source code repo - - - upload the resulting files to https://c-ares.org/download/ - --- update `ares_version.h` for the next version -- - in the c-ares-www repo - ---------------------- - -diff --git a/include/ares_version.h b/include/ares_version.h -index 4d8d62fd1..9db836ecc 100644 ---- a/include/ares_version.h -+++ b/include/ares_version.h -@@ -3,15 +3,15 @@ - #define ARES__VERSION_H - - /* This is the global package copyright */ --#define ARES_COPYRIGHT "2004 - 2021 Daniel Stenberg, ." -+#define ARES_COPYRIGHT "2004 - 2023 Daniel Stenberg, ." - - #define ARES_VERSION_MAJOR 1 - #define ARES_VERSION_MINOR 19 --#define ARES_VERSION_PATCH 0 -+#define ARES_VERSION_PATCH 1 - #define ARES_VERSION ((ARES_VERSION_MAJOR<<16)|\ - (ARES_VERSION_MINOR<<8)|\ - (ARES_VERSION_PATCH)) --#define ARES_VERSION_STR "1.19.0" -+#define ARES_VERSION_STR "1.19.1" - - #if (ARES_VERSION >= 0x010700) - # define CARES_HAVE_ARES_LIBRARY_INIT 1 diff --git a/download b/download index 230a5e8b4f4f578dc5f8bdee22cb4b6d4e4e5243..68045f65a88990f332c9179c81df9d15c6effcb0 100644 --- a/download +++ b/download 
@@ -1,5 +1,5 @@
 202bcb573b72c91238010bec571db597 cjs-module-lexer-1.2.2.tar.gz
-b71238e546340b236c7395eb2124b969 node-v16.19.1-stripped.tar.gz
-64f3cb63e29c3a054d3084265d8fa090 undici-5.19.1.tar.gz
+82a6c59e10584844df611efb22488003 node-v16.20.1-stripped.tar.gz
+3bc72ad8621dc81e0d6e67f2588219de undici-5.20.0.tar.gz
 7b6ec4e1c3e39397bdd09087e2437bfd wasi-sdk-wasi-sdk-11.tar.gz
 4dfce15eff429925893eb9102b9b8b2e wasi-sdk-wasi-sdk-14.tar.gz
diff --git a/fix-build-with-cares-1.19.1.patch b/fix-build-with-cares-1.19.1.patch
deleted file mode 100644
index 36a04c18f8478087123b18b2fb0ef4527e301d98..0000000000000000000000000000000000000000
--- a/fix-build-with-cares-1.19.1.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/deps/cares/cares.gyp b/deps/cares/cares.gyp
-index 74f0e78..e6b8e96 100644
---- a/deps/cares/cares.gyp
-+++ b/deps/cares/cares.gyp
-@@ -88,6 +88,7 @@
- 'src/lib/ares_private.h',
- 'src/lib/ares_process.c',
- 'src/lib/ares_query.c',
-+ 'src/lib/ares_rand.c',
- 'src/lib/ares__read_line.c',
- 'src/lib/ares__readaddrinfo.c',
- 'src/lib/ares_search.c',
diff --git a/nodejs.spec b/nodejs.spec
index d56e47b969a01522af90e75a0379a01daba06d8b..8722a5e34a9216e8863d1c64f8f33279ef0fdf7b 100644
--- a/nodejs.spec
+++ b/nodejs.spec
@@ -1,4 +1,4 @@
-%define anolis_release .0.2
+%define anolis_release .0.1
 %bcond_with debug
 # PowerPC, s390x and aarch64 segfault during Debug builds
@@ -36,7 +36,7 @@
 # This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 2
+%global baserelease 1
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
@@ -47,7 +47,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 16
-%global nodejs_minor 19
+%global nodejs_minor 20
 %global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@@ -72,16 +72,10 @@
 # c-ares - from deps/cares/include/ares_version.h
 # https://github.com/nodejs/node/pull/9332
-%global c_ares_major 1
-%global c_ares_minor 19
-%global c_ares_patch 1
-%global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
+%global c_ares_version 1.19.1
 # llhttp - from deps/llhttp/include/llhttp.h
-%global llhttp_major 6
-%global llhttp_minor 0
-%global llhttp_patch 10
-%global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
+%global llhttp_version 6.0.11
 # libuv - from deps/uv/include/uv/version.h
 %global libuv_major 1
@@ -139,10 +133,13 @@
 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_major 8
-%global npm_minor 19
-%global npm_patch 3
-%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
+%global npm_version 8.19.4
+
+# In order to avoid needing to keep incrementing the release version for the
+# main package forever, we will just construct one for npm that is guaranteed
+# to increment safely. Changing this can only be done during an update when the
+# base npm version number is increasing.
+%global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
 # uvwasi - from deps/uvwasi/include/uvwasi.h
 %global uvwasi_major 0
@@ -156,12 +153,6 @@
 %global histogram_patch 2
 %global histogram_version %{histogram_major}.%{histogram_minor}.%{histogram_patch}
-# In order to avoid needing to keep incrementing the release version for the
-# main package forever, we will just construct one for npm that is guaranteed
-# to increment safely. Changing this can only be done during an update when the
-# base npm version number is increasing.
-%global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
-
 Name: nodejs
 Epoch: %{nodejs_epoch}
@@ -182,8 +173,6 @@ Source0: node-v%{nodejs_version}-stripped.tar.gz
 Source1: npmrc
 Source2: btest402.js
 Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-src.tgz
-Source4: c-ares-cares-%{c_ares_major}_%{c_ares_minor}_%{c_ares_patch}.zip
-Source5: cares-update-version-and-release-procedure.patch
 Source100: %{name}-tarball.sh
 # The native module Requires generator remains in the nodejs SRPM, so it knows
@@ -191,6 +180,9 @@ Source100: %{name}-tarball.sh
 # nodejs-packaging SRPM.
 Source7: nodejs_native.attr
+# Configure npm to look into /etc for configuration
+Source8: npmrc.builtin.in
+
 # These are full sources for dependencies included as WASM blobs in the source of Node itself.
 # Note: These sources would also include pre-compiled WASM blobs… so they are adjusted not to.
 # Recipes for creating these blobs are included in the sources.
@@ -204,21 +196,15 @@ Source101: cjs-module-lexer-1.2.2.tar.gz
 Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz
 # Version: jq '.version' deps/undici/src/package.json
-# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.19.1.tar.gz
-# Adjustments: rm -f undici-5.19.1/lib/llhttp/llhttp*.wasm*
-Source111: undici-5.19.1.tar.gz
+# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.20.0.tar.gz
+# Adjustments: rm -f undici-5.20.0/lib/llhttp/llhttp*.wasm*
+Source111: undici-5.20.0.tar.gz
 # The WASM blob was made using wasi-sdk v14; compiler libraries are linked in.
 # Version source: build/Dockerfile
 Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-wasi-sdk-14.tar.gz
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
-# CVE-2022-25881
-Patch2: 0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
-# CVE-2022-4904
-Patch3: 0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
-
-Patch1000: fix-build-with-cares-1.19.1.patch
 BuildRequires: make
 BuildRequires: python3-devel
@@ -430,16 +416,6 @@ sed -i "s~usr\/bin\/python.*$~usr\/bin\/python3~" ./deps/v8/tools/mb/mb_unittest
 find . -type f -exec sed -i "s~python -c~python3 -c~" {} \;
 %endif
-pushd deps/
-# extract cares
-unzip -d cares %SOURCE4
-cp -r cares/c-ares-cares-%{c_ares_major}_%{c_ares_minor}_%{c_ares_patch}/* cares/
-rm -rf cares/test cares/c-ares-cares-%{c_ares_major}_%{c_ares_minor}_%{c_ares_patch}
-pushd cares
-patch -p1 < %SOURCE5
-popd
-popd
-
 %build
 %ifarch s390 s390x %{arm} %ix86
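Review bot: Patch2 (CVE-2022-25881) and Patch3 (CVE-2022-4904) are removed from the Patch list with nothing on the new side recording where those fixes now come from; the only trace left is the bundled-version macros elsewhere in the spec (`npm_version 8.19.4`, `c_ares_version 1.19.1`), and the deleted patch 0002 shows the http-cache-semantics fix is the 4.1.1 release. Presumably the 16.20.1 tarball carries both fixes, but a later rebase onto a tarball that lacks one of them would go unnoticed because the spec no longer asserts anything. I would keep a one-line record next to `Patch1`, e.g. `# CVE-2022-25881 (http-cache-semantics >= 4.1.1) and CVE-2022-4904 (c-ares >= 1.19.1) are fixed in the bundled deps as of 16.20.1`, and consider a `%prep` guard that fails the build if the version in `deps/npm/node_modules/http-cache-semantics/package.json` is below 4.1.1. The `%prep` section whose cares-extraction block is dropped in the second hunk continues outside the hunk.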
@@ -586,15 +562,14 @@ find %{buildroot}%{_prefix}/lib/node_modules/npm \
 chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp
 chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js
+# Drop the NPM builtin configuration in place
+sed -e 's#@SYSCONFDIR@#%{_sysconfdir}#g' \
+ %{SOURCE8} > %{buildroot}%{_prefix}/lib/node_modules/npm/npmrc
+
 # Drop the NPM default configuration in place
 mkdir -p %{buildroot}%{_sysconfdir}
 cp %{SOURCE1} %{buildroot}%{_sysconfdir}/npmrc
-# NPM upstream expects it to be in /usr/etc/npmrc, so we'll put a symlink here
-# This is done in the interests of keeping /usr read-only.
-mkdir -p %{buildroot}%{_prefix}/etc
-ln -s %{_sysconfdir}/npmrc %{buildroot}%{_prefix}/etc/npmrc
-
 # Install the full-icu data files
 install -Dpm0644 -t %{buildroot}%{icudatadir} deps/icu/source/converted/*
@@ -716,7 +691,6 @@ end
 %{_bindir}/npx
 %{_prefix}/lib/node_modules/npm
 %config(noreplace) %{_sysconfdir}/npmrc
-%{_prefix}/etc/npmrc
 %ghost %{_sysconfdir}/npmignore
 %doc %{_mandir}/man1/npm*.1*
 %doc %{_mandir}/man1/npx.1*
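Review bot: The added `sed … > %{buildroot}%{_prefix}/lib/node_modules/npm/npmrc` creates the builtin npmrc with whatever mode the build user's umask produces, and since that file is shipped through the blanket `%{_prefix}/lib/node_modules/npm` entry in `%files` (second hunk) with no `%attr`, a permissive umask in the build environment would be carried into the package for a file npm reads on every invocation. Pin the mode the way the neighbouring `install -Dpm0644` does, e.g. `sed -e 's#@SYSCONFDIR@#%{_sysconfdir}#g' %{SOURCE8} > npmrc.builtin` followed by `install -pm0644 npmrc.builtin %{buildroot}%{_prefix}/lib/node_modules/npm/npmrc`. The symlink removal and the matching `%files` deletion of `%{_prefix}/etc/npmrc` are consistent with each other; the `%install` section continues outside the hunk.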
@@ -749,15 +723,20 @@ end
 %changelog
-* Thu Jul 13 2023 Liwei Ge - 1:16.19.1-2.0.2
-- update cares to 1.19.1
-- fix CVE-2023-31124 CVE-2023-31130 CVE-2023-31147 CVE-2023-32067
-
-* Thu Apr 13 2023 Zhao Hang - 1:16.19.1-1.0.2
+* Wed Aug 09 2023 Zhao Hang - 1:16.20.1-1.0.1
+- Remove loongarch64 arch
 - Update requires and recommands
-* Tue Apr 11 2023 Zhao Hang - 1:16.19.1-1.0.1
+* Thu Jul 13 2023 Jan Staněk - 1:16.20.1-1
-- Remove loongarch64 arch
+- Rebase to 16.20.1
+ Resolves: rhbz#2188289
+ Resolves: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
+- Replace /usr/etc/npmrc symlink with builtin configuration
+ Resolves: rhbz#2222288
+
+* Wed May 31 2023 Jan Staněk - 1:16.19.1-2
+- Update bundled c-ares to 1.19.1
+ Resolves: CVE-2023-31124 CVE-2023-31130 CVE-2023-31147 CVE-2023-32067
 * Mon Feb 27 2023 Jan Staněk - 1:16.19.1-1
 - Rebase to 16.19.1
@@ -775,15 +754,12 @@ end
 * Wed Nov 16 2022 Zuzana Svetlikova - 1:16.18.1-1
 - Rebase + CVE fixes
-- Resolves: #2142806
-- Resolves: #2142837, #2142851
+- Resolves: #2121024
+- Resolves: #2135490, #2140926
 * Fri Oct 07 2022 Zuzana Svetlikova - 1:16.17.1-1
 - Rebase to version 16.17.1
 - Resolves: CVE-2022-35255 CVE-2022-35256
-- Resolves: #2130553
-- Resolves #2132003
-- Resolves #2121095
 * Tue Aug 23 2022 Zuzana Svetlikova - 1:16.16.0-1
 - Resolves: #2104754, #2108057, #2108062, #2108067, #2108072
diff --git a/npmrc.builtin.in b/npmrc.builtin.in
new file mode 100644
index 0000000000000000000000000000000000000000..739a57d4a2ba25fb6a76206be9840f4906fa6a10
--- /dev/null
+++ b/npmrc.builtin.in
@@ -0,0 +1,5 @@
+# This is the distibution-level configuration file for npm.
+# To configure NPM on a system level, use the globalconfig below (defaults to @SYSCONFDIR@/npmrc).
+# vim:set filetype=dosini:
+
+globalconfig=@SYSCONFDIR@/npmrc
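Review bot: The first comment line of npmrc.builtin.in misspells "distribution" as `distibution`; change it to `# This is the distribution-level configuration file for npm.`. Since this file lands under the npm install tree rather than in /etc, the header should also say that it is npm's builtin config shipped by the package and is not meant to be edited in place, so that the `globalconfig` pointer to @SYSCONFDIR@/npmrc is understood as the intended place for site changes. Whether npm 8.19.4 honours `globalconfig` when it is set from the builtin file rather than the command line is something to confirm against the bundled npm's config docs before relying on it.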