diff --git a/CVE-2022-25883.patch b/CVE-2022-25883.patch deleted file mode 100644 index cde302b3a4fb6387ad003672268f21d05f1db386..0000000000000000000000000000000000000000 --- a/CVE-2022-25883.patch +++ /dev/null 
@@ -1,260 +0,0 @@ -From ac529638de1c057b86b17d526e57751a8e838cd6 Mon Sep 17 00:00:00 2001 -From: Luke Karrys -Date: Thu, 15 Jun 2023 12:21:14 -0700 -Subject: [PATCH] fix: better handling of whitespace (#564) - -commit 717534ee353682f3bcf33e60a8af4292626d4441 upstream. - ---- - .../node_modules/semver/classes/comparator.js | 3 +- - deps/npm/node_modules/semver/classes/range.js | 64 +++++++++++-------- - .../npm/node_modules/semver/classes/semver.js | 2 +- - .../node_modules/semver/functions/coerce.js | 2 +- - deps/npm/node_modules/semver/internal/re.js | 11 ++++ - deps/npm/node_modules/semver/package.json | 2 +- - 6 files changed, 53 insertions(+), 31 deletions(-) - -diff --git a/deps/npm/node_modules/semver/classes/comparator.js b/deps/npm/node_modules/semver/classes/comparator.js -index 62cd204d..c909446d 100644 ---- a/deps/npm/node_modules/semver/classes/comparator.js -+++ b/deps/npm/node_modules/semver/classes/comparator.js -@@ -16,6 +16,7 @@ class Comparator { - } - } - -+ comp = comp.trim().split(/\s+/).join(' ') - debug('comparator', comp, options) - this.options = options - this.loose = !!options.loose -@@ -129,7 +130,7 @@ class Comparator { - module.exports = Comparator - - const parseOptions = require('../internal/parse-options') --const { re, t } = require('../internal/re') -+const { safeRe: re, t } = require('../internal/re') - const cmp = require('../functions/cmp') - const debug = require('../internal/debug') - const SemVer = require('./semver') -diff --git a/deps/npm/node_modules/semver/classes/range.js b/deps/npm/node_modules/semver/classes/range.js -index a791d912..a8c9d591 100644 ---- a/deps/npm/node_modules/semver/classes/range.js -+++ b/deps/npm/node_modules/semver/classes/range.js -@@ -26,19 +26,26 @@ class Range { - this.loose = !!options.loose - this.includePrerelease = !!options.includePrerelease - -- // First, split based on boolean or || -+ // First reduce all whitespace as much as possible so we do not have to rely -+ // on potentially 
slow regexes like \s*. This is then stored and used for -+ // future error messages as well. - this.raw = range -- this.set = range -+ .trim() -+ .split(/\s+/) -+ .join(' ') -+ -+ // First, split on || -+ this.set = this.raw - .split('||') - // map the range to a 2d array of comparators -- .map(r => this.parseRange(r.trim())) -+ .map(r => this.parseRange(r)) - // throw out any comparator lists that are empty - // this generally means that it was not a valid range, which is allowed - // in loose mode, but will still throw if the WHOLE range is invalid. - .filter(c => c.length) - - if (!this.set.length) { -- throw new TypeError(`Invalid SemVer Range: ${range}`) -+ throw new TypeError(`Invalid SemVer Range: ${this.raw}`) - } - - // if we have any that are not the null set, throw out null sets. -@@ -64,9 +71,7 @@ class Range { - - format () { - this.range = this.set -- .map((comps) => { -- return comps.join(' ').trim() -- }) -+ .map((comps) => comps.join(' ').trim()) - .join('||') - .trim() - return this.range -@@ -77,8 +82,6 @@ class Range { - } - - parseRange (range) { -- range = range.trim() -- - // memoize range parsing for performance. - // this is a very hot path, and fully deterministic. - const memoOpts = Object.keys(this.options).join(',') -@@ -103,9 +106,6 @@ class Range { - // `^ 1.2.3` => `^1.2.3` - range = range.replace(re[t.CARETTRIM], caretTrimReplace) - -- // normalize spaces -- range = range.split(/\s+/).join(' ') -- - // At this point, the range is completely trimmed and - // ready to be split into comparators. 
- -@@ -200,7 +200,7 @@ const Comparator = require('./comparator') - const debug = require('../internal/debug') - const SemVer = require('./semver') - const { -- re, -+ safeRe: re, - t, - comparatorTrimReplace, - tildeTrimReplace, -@@ -253,10 +253,13 @@ const isX = id => !id || id.toLowerCase() === 'x' || id === '*' - // ~1.2.3, ~>1.2.3 --> >=1.2.3 <1.3.0-0 - // ~1.2.0, ~>1.2.0 --> >=1.2.0 <1.3.0-0 - // ~0.0.1 --> >=0.0.1 <0.1.0-0 --const replaceTildes = (comp, options) => -- comp.trim().split(/\s+/).map((c) => { -- return replaceTilde(c, options) -- }).join(' ') -+const replaceTildes = (comp, options) => { -+ return comp -+ .trim() -+ .split(/\s+/) -+ .map((c) => replaceTilde(c, options)) -+ .join(' ') -+} - - const replaceTilde = (comp, options) => { - const r = options.loose ? re[t.TILDELOOSE] : re[t.TILDE] -@@ -294,10 +297,13 @@ const replaceTilde = (comp, options) => { - // ^1.2.0 --> >=1.2.0 <2.0.0-0 - // ^0.0.1 --> >=0.0.1 <0.0.2-0 - // ^0.1.0 --> >=0.1.0 <0.2.0-0 --const replaceCarets = (comp, options) => -- comp.trim().split(/\s+/).map((c) => { -- return replaceCaret(c, options) -- }).join(' ') -+const replaceCarets = (comp, options) => { -+ return comp -+ .trim() -+ .split(/\s+/) -+ .map((c) => replaceCaret(c, options)) -+ .join(' ') -+} - - const replaceCaret = (comp, options) => { - debug('caret', comp, options) -@@ -354,9 +360,10 @@ const replaceCaret = (comp, options) => { - - const replaceXRanges = (comp, options) => { - debug('replaceXRanges', comp, options) -- return comp.split(/\s+/).map((c) => { -- return replaceXRange(c, options) -- }).join(' ') -+ return comp -+ .split(/\s+/) -+ .map((c) => replaceXRange(c, options)) -+ .join(' ') - } - - const replaceXRange = (comp, options) => { -@@ -439,12 +446,15 @@ const replaceXRange = (comp, options) => { - const replaceStars = (comp, options) => { - debug('replaceStars', comp, options) - // Looseness is ignored here. star is always as loose as it gets! 
-- return comp.trim().replace(re[t.STAR], '') -+ return comp -+ .trim() -+ .replace(re[t.STAR], '') - } - - const replaceGTE0 = (comp, options) => { - debug('replaceGTE0', comp, options) -- return comp.trim() -+ return comp -+ .trim() - .replace(re[options.includePrerelease ? t.GTE0PRE : t.GTE0], '') - } - -@@ -482,7 +492,7 @@ const hyphenReplace = incPr => ($0, - to = `<=${to}` - } - -- return (`${from} ${to}`).trim() -+ return `${from} ${to}`.trim() - } - - const testSet = (set, version, options) => { -diff --git a/deps/npm/node_modules/semver/classes/semver.js b/deps/npm/node_modules/semver/classes/semver.js -index af629551..ad4e8775 100644 ---- a/deps/npm/node_modules/semver/classes/semver.js -+++ b/deps/npm/node_modules/semver/classes/semver.js -@@ -1,6 +1,6 @@ - const debug = require('../internal/debug') - const { MAX_LENGTH, MAX_SAFE_INTEGER } = require('../internal/constants') --const { re, t } = require('../internal/re') -+const { safeRe: re, t } = require('../internal/re') - - const parseOptions = require('../internal/parse-options') - const { compareIdentifiers } = require('../internal/identifiers') -diff --git a/deps/npm/node_modules/semver/functions/coerce.js b/deps/npm/node_modules/semver/functions/coerce.js -index 2e01452f..febbff9c 100644 ---- a/deps/npm/node_modules/semver/functions/coerce.js -+++ b/deps/npm/node_modules/semver/functions/coerce.js -@@ -1,6 +1,6 @@ - const SemVer = require('../classes/semver') - const parse = require('./parse') --const { re, t } = require('../internal/re') -+const { safeRe: re, t } = require('../internal/re') - - const coerce = (version, options) => { - if (version instanceof SemVer) { -diff --git a/deps/npm/node_modules/semver/internal/re.js b/deps/npm/node_modules/semver/internal/re.js -index ed88398a..f73ef1aa 100644 ---- a/deps/npm/node_modules/semver/internal/re.js -+++ b/deps/npm/node_modules/semver/internal/re.js -@@ -4,16 +4,27 @@ exports = module.exports = {} - - // The actual regexps go on exports.re - 
const re = exports.re = [] -+const safeRe = exports.safeRe = [] - const src = exports.src = [] - const t = exports.t = {} - let R = 0 - - const createToken = (name, value, isGlobal) => { -+ // Replace all greedy whitespace to prevent regex dos issues. These regex are -+ // used internally via the safeRe object since all inputs in this library get -+ // normalized first to trim and collapse all extra whitespace. The original -+ // regexes are exported for userland consumption and lower level usage. A -+ // future breaking change could export the safer regex only with a note that -+ // all input should have extra whitespace removed. -+ const safe = value -+ .split('\\s*').join('\\s{0,1}') -+ .split('\\s+').join('\\s') - const index = R++ - debug(name, index, value) - t[name] = index - src[index] = value - re[index] = new RegExp(value, isGlobal ? 'g' : undefined) -+ safeRe[index] = new RegExp(safe, isGlobal ? 'g' : undefined) - } - - // The following Regular Expressions can be used for tokenizing, -diff --git a/deps/npm/node_modules/semver/package.json b/deps/npm/node_modules/semver/package.json -index 72d3f66e..48949225 100644 ---- a/deps/npm/node_modules/semver/package.json -+++ b/deps/npm/node_modules/semver/package.json -@@ -37,7 +37,7 @@ - "range.bnf" - ], - "tap": { -- "check-coverage": true, -+ "timeout": 30, - "coverage-map": "map.js", - "nyc-arg": [ - "--exclude", --- -2.31.1 - diff --git a/download b/download index 343098377031d110818827e77dfa036b220ebec8..e3fa3b71b5565c07272a996fbffa89ab484039fb 100644 --- a/download +++ b/download 
@@ -1,5 +1,4 @@ -8d30ae61833be02b1a9baa0f4c485fd2 cjs-module-lexer-1.2.2.tar.gz -d8449da68056820378959287aa29a52a node-v18.16.1-stripped.tar.gz -78ca83cccbec1698bf272d063510ee68 undici-5.21.0.tar.gz -7b6ec4e1c3e39397bdd09087e2437bfd wasi-sdk-wasi-sdk-11.tar.gz -4dfce15eff429925893eb9102b9b8b2e wasi-sdk-wasi-sdk-14.tar.gz +202bcb573b72c91238010bec571db597 cjs-module-lexer-1.2.2.tar.gz +fd8dbfdf21cd14b7b6ddc0eaf044623a node-v18.17.1-stripped.tar.gz +2874a2ccbe36eee688bd9cea51cb1ed3 undici-5.22.1.tar.gz +d80d3731d039b0944b405044dabd5f93 wasi-sdk-11.0-linux.tar.gz diff --git a/icu4c-72_1-src.tgz b/icu4c-73_1-src.zip similarity index 69% rename from icu4c-72_1-src.tgz rename to icu4c-73_1-src.zip index 60190dfb689190b962f917ab7bfb1f2d9f592d99..8b78b922843f9c79ca09940136f0de3d6c0f7130 100644 Binary files a/icu4c-72_1-src.tgz and b/icu4c-73_1-src.zip differ diff --git a/nodejs-tarball.sh b/nodejs-tarball.sh index f59d5c2823177ee29f2bef4c8ff9a331de201acf..6a94b29db54b160948dcbea9fd41b75e2f410d2c 100755 --- a/nodejs-tarball.sh +++ b/nodejs-tarball.sh @@ -120,10 +120,10 @@ rm -rf node-v${version}/deps/openssl tar -zcf node-v${version}-stripped.tar.gz node-v${version} # Download the matching version of ICU -rm -f icu4c*-src.tgz icu.md5 +rm -f icu4c*-src.zip icu.md5 ICUMD5=$(cat node-v${version}/tools/icu/current_ver.dep |jq -r '.[0].md5') wget $(cat node-v${version}/tools/icu/current_ver.dep |jq -r '.[0].url') -ICUTARBALL=$(ls -1 icu4c*-src.tgz) +ICUTARBALL=$(ls -1 icu4c*-src.zip) echo "$ICUMD5 $ICUTARBALL" > icu.md5 md5sum -c icu.md5 rm -f icu.md5 SHASUMS256.txt diff --git a/nodejs.spec b/nodejs.spec index 415b5eac3b4043124ab82858fe34b64d2da41479..a6c75646cd7ae8a16db88a2733d708fd56adca97 100644 --- a/nodejs.spec +++ b/nodejs.spec 
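Review bot: A failure of `md5sum -c icu.md5` is not acted on in this hunk — the very next line is `rm -f icu.md5 SHASUMS256.txt` and the script carries on — so unless `set -e` is enabled above the hunk (not visible here), a corrupted or substituted ICU zip would be packaged silently. That md5 (taken from the node tree's `current_ver.dep`) is the only integrity anchor for the ICU source, so the mismatch should be fatal: `md5sum -c icu.md5 || { echo "ICU checksum mismatch for $ICUTARBALL" >&2; exit 1; }`. MD5 only guards against accidental corruption, not a deliberate substitute, which is worth a one-line comment since upstream publishes nothing stronger in that file. The `ls -1 icu4c*-src.zip` glob also assumes exactly one zip is present after `wget`; if the download is named differently the script fails at the md5 step rather than at the download, which a check on the wget exit status would make clearer.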
@@ -30,7 +30,7 @@ # This is used by both the nodejs package and the npm subpackage that # has a separate version - the name is special so that rpmdev-bumpspec # will bump this rather than adding .1 to the end. -%global baserelease 2 +%global baserelease 1 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -41,7 +41,7 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 18 -%global nodejs_minor 16 +%global nodejs_minor 17 %global nodejs_patch 1 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h @@ -93,7 +93,7 @@ %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch} # ICU - from tools/icu/current_ver.dep -%global icu_major 72 +%global icu_major 73 %global icu_minor 1 %global icu_version %{icu_major}.%{icu_minor} @@ -114,11 +114,11 @@ # simduft from deps/simdutf/simdutf.h %global simduft_major 3 %global simduft_minor 2 -%global simduft_patch 2 +%global simduft_patch 12 %global simduft_version %{simduft_major}.%{simduft_minor}.%{simduft_patch} # ada from deps/ada/ada.h -%global ada_version 1.0.4 +%global ada_version 2.5.0 # OpenSSL minimum version %global openssl_minimum 1:1.1.1 @@ -133,7 +133,7 @@ # npm - from deps/npm/package.json %global npm_epoch 1 -%global npm_version 9.5.1 +%global npm_version 9.6.7 # In order to avoid needing to keep incrementing the release version for the # main package forever, we will just construct one for npm that is guaranteed @@ -145,7 +145,7 @@ %global corepack_version 0.10.0 # uvwasi - from deps/uvwasi/include/uvwasi.h -%global uvwasi_version 0.0.15 +%global uvwasi_version 0.0.18 # histogram_c - assumed from timestamps %global histogram_version 0.11.2 
@@ -167,7 +167,7 @@ ExclusiveArch: %{nodejs_arches} Source0: node-v%{nodejs_version}-stripped.tar.gz Source1: npmrc Source2: btest402.js -Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-src.tgz +Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-src.zip Source100: %{name}-tarball.sh # The native module Requires generator remains in the nodejs SRPM, so it knows @@ -188,20 +188,16 @@ Source8: npmrc.builtin.in Source101: cjs-module-lexer-1.2.2.tar.gz # The WASM blob was made using wasi-sdk v11; compiler libraries are linked in. # Version source: Makefile -Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz +Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz # Version: jq '.version' deps/undici/src/package.json -# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.21.0.tar.gz -# Adjustments: rm -f undici-5.21.0/lib/llhttp/llhttp*.wasm* -Source111: undici-5.21.0.tar.gz -# The WASM blob was made using wasi-sdk v14; compiler libraries are linked in. -# Version source: build/Dockerfile -Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-wasi-sdk-14.tar.gz +# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.22.1.tar.gz +# Adjustments: rm -f undici-5.22.1/lib/llhttp/llhttp*.wasm +# Build uses alpine image, see alpine for sources for wasi-sdk +Source111: undici-5.22.1.tar.gz # Disable running gyp on bundled deps we don't use Patch1: 0001-Disable-running-gyp-on-shared-deps.patch -# https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441 -Patch2: CVE-2022-25883.patch BuildRequires: make BuildRequires: python3-devel 
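Review bot: `Patch2: CVE-2022-25883.patch` is dropped here (and the patch file deleted), but nothing in the commit records that the semver bundled with npm 9.6.7 in node 18.17.1 already contains the upstream fix (semver 7.5.2, commit 717534ee); the changelog names CVE-2023-32002/32006/32559 but is silent on this one. Before merging, confirm that `deps/npm/node_modules/semver/package.json` in the new tarball reports 7.5.2 or later and leave a comment where the Patch2 line was, e.g. `# CVE-2022-25883: fixed in the semver bundled with this npm (>= 7.5.2); patch no longer carried`, or re-carry the patch if it does not. Separately, the new `Source102` URL combines a GitHub `archive/` path, which serves a source tarball regardless of the file name requested, with the file name of a binary release asset (`wasi-sdk-11.0-linux.tar.gz`); one of the two looks wrong, and the md5 recorded in `download` should be checked against whichever artifact was actually intended.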
@@ -446,7 +442,7 @@ export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cfl export LDFLAGS="%{build_ldflags}" %{__python3} configure.py --prefix=%{_prefix} --verbose \ - --shared-openssl \ + --shared-openssl --openssl-conf-name=openssl_conf \ --shared-zlib \ --shared-brotli \ %{!?with_bundled:--shared-libuv} \ @@ -466,7 +462,7 @@ make BUILDTYPE=Release %{?_smp_mflags} # Extract the ICU data and convert it to the appropriate endianness pushd deps/ -tar xfz %SOURCE3 +unzip -a %{SOURCE3} pushd icu/source @@ -736,8 +732,11 @@ end %changelog -* Thu Sep 28 2023 Bo Liu -1:18.16.1-2 -- Fixes CVE-2022-25883 +* Wed Aug 23 2023 Jan Staněk - 1:18.17.1-1 +- Rebase to version 18.17.1 + Resolves: rhbz#2228939 + Resolves: CVE-2023-32002 CVE-2023-32006 CVE-2023-32559 +- Specify proper OpenSSL configuration section build * Wed Jul 12 2023 Jan Staněk - 1:18.16.1-1 - Rebase to 18.16.1
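Review bot: The `-a` in `unzip -a %{SOURCE3}` is undocumented and alters the extracted content: unzip rewrites the line endings of members it classifies as text, which is presumably needed because the `-src.zip` (unlike the previous `.tgz`) ships CRLF files, but a maintainer reading the spec cannot tell whether that is intended or accidental. Add a comment above the line, e.g. `# -a: the ICU -src.zip ships CRLF text files; let unzip convert them so the unix build scripts run`, and consider `-q` so the build log is not flooded with the member list. The `--openssl-conf-name=openssl_conf` change is explained only in the changelog; a short comment on the configure call stating that this names the section of the system openssl.cnf that node will read would keep that knowledge next to the code.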