From d86772aa3aeea4fda97696bcf1ca53a7e25db623 Mon Sep 17 00:00:00 2001 From: Zhao Hang Date: Tue, 2 Apr 2024 15:18:22 +0800 Subject: [PATCH 1/4] update to nodejs-16.20.2-4.src.rpm Signed-off-by: Zhao Hang --- 0001-Disable-running-gyp-on-shared-deps.patch | 6 +- nodejs-CVE-2024-22019.patch | 539 ++++++++++++++++++ nodejs.spec | 35 +- 3 files changed, 558 insertions(+), 22 deletions(-) create mode 100644 nodejs-CVE-2024-22019.patch diff --git a/0001-Disable-running-gyp-on-shared-deps.patch b/0001-Disable-running-gyp-on-shared-deps.patch index bfc20b4..33c2db1 100644 --- a/0001-Disable-running-gyp-on-shared-deps.patch +++ b/0001-Disable-running-gyp-on-shared-deps.patch @@ -1,4 +1,4 @@ -From 8a45f34d9d74d59879973210cf06f4383b9832b8 Mon Sep 17 00:00:00 2001 +From 39f761838b5fc10af995642bd44e6bb4c79085f1 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Tue, 30 May 2023 13:12:35 +0200 Subject: [PATCH] Disable running gyp on shared deps @@ -9,7 +9,7 @@ Signed-off-by: rpm-build 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index 6d6f2e4..88e1a11 100644 +index ef3eda2..8b52a4f 100644 --- a/Makefile +++ b/Makefile @@ -148,7 +148,7 @@ with-code-cache test-code-cache: @@ -22,5 +22,5 @@ index 6d6f2e4..88e1a11 100644 tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp $(PYTHON) tools/gyp_node.py -f make -- -2.40.1 +2.41.0 diff --git a/nodejs-CVE-2024-22019.patch b/nodejs-CVE-2024-22019.patch new file mode 100644 index 0000000..dfe8e86 --- /dev/null +++ b/nodejs-CVE-2024-22019.patch @@ -0,0 +1,539 @@ +diff --git a/deps/llhttp/.gitignore b/deps/llhttp/.gitignore +new file mode 100644 +index 0000000000..98438a2cd3 +--- /dev/null ++++ b/deps/llhttp/.gitignore +@@ -0,0 +1 @@ ++libllhttp.pc +diff --git a/deps/llhttp/CMakeLists.txt b/deps/llhttp/CMakeLists.txt +index d0382038b9..747564a76f 100644 +--- a/deps/llhttp/CMakeLists.txt ++++ b/deps/llhttp/CMakeLists.txt +@@ -1,7 +1,7 @@ + cmake_minimum_required(VERSION 3.5.1) + cmake_policy(SET CMP0069 NEW) + +-project(llhttp VERSION 6.0.11) ++project(llhttp VERSION 6.1.0) + include(GNUInstallDirs) + + set(CMAKE_C_STANDARD 99) +diff --git a/deps/llhttp/include/llhttp.h b/deps/llhttp/include/llhttp.h +index 2da66f15e6..78f27abc03 100644 +--- a/deps/llhttp/include/llhttp.h ++++ b/deps/llhttp/include/llhttp.h +@@ -2,8 +2,8 @@ + #define INCLUDE_LLHTTP_H_ + + #define LLHTTP_VERSION_MAJOR 6 +-#define LLHTTP_VERSION_MINOR 0 +-#define LLHTTP_VERSION_PATCH 11 ++#define LLHTTP_VERSION_MINOR 1 ++#define LLHTTP_VERSION_PATCH 0 + + #ifndef LLHTTP_STRICT_MODE + # define LLHTTP_STRICT_MODE 0 +@@ -348,6 +348,9 @@ struct llhttp_settings_s { + */ + llhttp_cb on_headers_complete; + ++ /* Possible return values 0, -1, HPE_USER */ ++ llhttp_data_cb on_chunk_parameters; ++ + /* Possible return values 0, -1, HPE_USER */ + llhttp_data_cb on_body; + +diff --git a/deps/llhttp/src/api.c b/deps/llhttp/src/api.c +index c4ce197c58..d3065b3664 100644 +--- a/deps/llhttp/src/api.c ++++ b/deps/llhttp/src/api.c +@@ -355,6 +355,13 @@ int llhttp__on_chunk_header(llhttp_t* s, const char* p, const char* endp) { + } + + ++int llhttp__on_chunk_parameters(llhttp_t* s, const char* p, const char* endp) { ++ int err; ++ SPAN_CALLBACK_MAYBE(s, on_chunk_parameters, p, endp - p); ++ return err; ++} ++ ++ + int llhttp__on_chunk_complete(llhttp_t* s, const char* p, const char* endp) { + int err; + CALLBACK_MAYBE(s, on_chunk_complete); +diff --git a/deps/llhttp/src/llhttp.c b/deps/llhttp/src/llhttp.c +index 5e7c5d1093..e6db6e3188 100644 +--- a/deps/llhttp/src/llhttp.c ++++ b/deps/llhttp/src/llhttp.c +@@ -340,6 +340,8 @@ enum llparse_state_e { + s_n_llhttp__internal__n_invoke_is_equal_content_length, + s_n_llhttp__internal__n_chunk_size_almost_done, + s_n_llhttp__internal__n_chunk_parameters, ++ s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters, ++ s_n_llhttp__internal__n_chunk_parameters_ows, + s_n_llhttp__internal__n_chunk_size_otherwise, + s_n_llhttp__internal__n_chunk_size, + s_n_llhttp__internal__n_chunk_size_digit, +@@ -539,6 +541,10 @@ int llhttp__on_body( + llhttp__internal_t* s, const unsigned char* p, + const unsigned char* endp); + ++int llhttp__on_chunk_parameters( ++ llhttp__internal_t* s, const unsigned char* p, ++ const unsigned char* endp); ++ + int llhttp__on_status( + llhttp__internal_t* s, const unsigned char* p, + const unsigned char* endp); +@@ -1226,8 +1232,7 @@ static llparse_state_t llhttp__internal__run( + goto s_n_llhttp__internal__n_chunk_parameters; + } + case 2: { +- p++; +- goto s_n_llhttp__internal__n_chunk_size_almost_done; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters; + } + default: { + goto s_n_llhttp__internal__n_error_10; +@@ -1236,6 +1241,34 @@ static llparse_state_t llhttp__internal__run( + /* UNREACHABLE */; + abort(); + } ++ case s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters: ++ s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters: { ++ if (p == endp) { ++ return s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters; ++ } ++ state->_span_pos0 = (void*) p; ++ state->_span_cb0 = llhttp__on_chunk_parameters; ++ goto s_n_llhttp__internal__n_chunk_parameters; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ case s_n_llhttp__internal__n_chunk_parameters_ows: ++ s_n_llhttp__internal__n_chunk_parameters_ows: { ++ if (p == endp) { ++ return s_n_llhttp__internal__n_chunk_parameters_ows; ++ } ++ switch (*p) { ++ case ' ': { ++ p++; ++ goto s_n_llhttp__internal__n_chunk_parameters_ows; ++ } ++ default: { ++ goto s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters; ++ } ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } + case s_n_llhttp__internal__n_chunk_size_otherwise: + s_n_llhttp__internal__n_chunk_size_otherwise: { + if (p == endp) { +@@ -1246,13 +1279,9 @@ static llparse_state_t llhttp__internal__run( + p++; + goto s_n_llhttp__internal__n_chunk_size_almost_done; + } +- case ' ': { +- p++; +- goto s_n_llhttp__internal__n_chunk_parameters; +- } + case ';': { + p++; +- goto s_n_llhttp__internal__n_chunk_parameters; ++ goto s_n_llhttp__internal__n_chunk_parameters_ows; + } + default: { + goto s_n_llhttp__internal__n_error_11; +@@ -6074,6 +6103,24 @@ static llparse_state_t llhttp__internal__run( + /* UNREACHABLE */; + abort(); + } ++ s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters: { ++ const unsigned char* start; ++ int err; ++ ++ start = state->_span_pos0; ++ state->_span_pos0 = NULL; ++ err = llhttp__on_chunk_parameters(state, start, p); ++ if (err != 0) { ++ state->error = err; ++ state->error_pos = (const char*) (p + 1); ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_chunk_size_almost_done; ++ return s_error; ++ } ++ p++; ++ goto s_n_llhttp__internal__n_chunk_size_almost_done; ++ /* UNREACHABLE */; ++ abort(); ++ } + s_n_llhttp__internal__n_error_10: { + state->error = 0x2; + state->reason = "Invalid character in chunk parameters"; +@@ -8441,6 +8488,8 @@ enum llparse_state_e { + s_n_llhttp__internal__n_invoke_is_equal_content_length, + s_n_llhttp__internal__n_chunk_size_almost_done, + s_n_llhttp__internal__n_chunk_parameters, ++ s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters, ++ s_n_llhttp__internal__n_chunk_parameters_ows, + s_n_llhttp__internal__n_chunk_size_otherwise, + s_n_llhttp__internal__n_chunk_size, + s_n_llhttp__internal__n_chunk_size_digit, +@@ -8635,6 +8684,10 @@ int llhttp__on_body( + llhttp__internal_t* s, const unsigned char* p, + const unsigned char* endp); + ++int llhttp__on_chunk_parameters( ++ llhttp__internal_t* s, const unsigned char* p, ++ const unsigned char* endp); ++ + int llhttp__on_status( + llhttp__internal_t* s, const unsigned char* p, + const unsigned char* endp); +@@ -9299,8 +9352,7 @@ static llparse_state_t llhttp__internal__run( + goto s_n_llhttp__internal__n_chunk_parameters; + } + case 2: { +- p++; +- goto s_n_llhttp__internal__n_chunk_size_almost_done; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters; + } + default: { + goto s_n_llhttp__internal__n_error_6; +@@ -9309,6 +9361,34 @@ static llparse_state_t llhttp__internal__run( + /* UNREACHABLE */; + abort(); + } ++ case s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters: ++ s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters: { ++ if (p == endp) { ++ return s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters; ++ } ++ state->_span_pos0 = (void*) p; ++ state->_span_cb0 = llhttp__on_chunk_parameters; ++ goto s_n_llhttp__internal__n_chunk_parameters; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ case s_n_llhttp__internal__n_chunk_parameters_ows: ++ s_n_llhttp__internal__n_chunk_parameters_ows: { ++ if (p == endp) { ++ return s_n_llhttp__internal__n_chunk_parameters_ows; ++ } ++ switch (*p) { ++ case ' ': { ++ p++; ++ goto s_n_llhttp__internal__n_chunk_parameters_ows; ++ } ++ default: { ++ goto s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters; ++ } ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } + case s_n_llhttp__internal__n_chunk_size_otherwise: + s_n_llhttp__internal__n_chunk_size_otherwise: { + if (p == endp) { +@@ -9319,13 +9399,9 @@ static llparse_state_t llhttp__internal__run( + p++; + goto s_n_llhttp__internal__n_chunk_size_almost_done; + } +- case ' ': { +- p++; +- goto s_n_llhttp__internal__n_chunk_parameters; +- } + case ';': { + p++; +- goto s_n_llhttp__internal__n_chunk_parameters; ++ goto s_n_llhttp__internal__n_chunk_parameters_ows; + } + default: { + goto s_n_llhttp__internal__n_error_7; +@@ -13951,6 +14027,24 @@ static llparse_state_t llhttp__internal__run( + /* UNREACHABLE */; + abort(); + } ++ s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters: { ++ const unsigned char* start; ++ int err; ++ ++ start = state->_span_pos0; ++ state->_span_pos0 = NULL; ++ err = llhttp__on_chunk_parameters(state, start, p); ++ if (err != 0) { ++ state->error = err; ++ state->error_pos = (const char*) (p + 1); ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_chunk_size_almost_done; ++ return s_error; ++ } ++ p++; ++ goto s_n_llhttp__internal__n_chunk_size_almost_done; ++ /* UNREACHABLE */; ++ abort(); ++ } + s_n_llhttp__internal__n_error_6: { + state->error = 0x2; + state->reason = "Invalid character in chunk parameters"; +diff --git a/doc/api/errors.md b/doc/api/errors.md +index dcf8744d8b..a76bfe528d 100644 +--- a/doc/api/errors.md ++++ b/doc/api/errors.md +@@ -3043,6 +3043,18 @@ malconfigured clients, if more than 8 KiB of HTTP header data is received then + HTTP parsing will abort without a request or response object being created, and + an `Error` with this code will be emitted. + ++ ++ ++### `HPE_CHUNK_EXTENSIONS_OVERFLOW` ++ ++ ++ ++Too much data was received for a chunk extensions. In order to protect against ++malicious or malconfigured clients, if more than 16 KiB of data is received ++then an `Error` with this code will be emitted. ++ + + + ### `HPE_UNEXPECTED_CONTENT_LENGTH` +diff --git a/lib/_http_server.js b/lib/_http_server.js +index 4e23266f63..325bce6f54 100644 +--- a/lib/_http_server.js ++++ b/lib/_http_server.js +@@ -706,6 +706,12 @@ const requestHeaderFieldsTooLargeResponse = Buffer.from( + `HTTP/1.1 431 ${STATUS_CODES[431]}\r\n` + + 'Connection: close\r\n\r\n', 'ascii' + ); ++ ++const requestChunkExtensionsTooLargeResponse = Buffer.from( ++ `HTTP/1.1 413 ${STATUS_CODES[413]}\r\n` + ++ 'Connection: close\r\n\r\n', 'ascii', ++); ++ + function socketOnError(e) { + // Ignore further errors + this.removeListener('error', socketOnError); +@@ -719,6 +725,9 @@ function socketOnError(e) { + case 'HPE_HEADER_OVERFLOW': + response = requestHeaderFieldsTooLargeResponse; + break; ++ case 'HPE_CHUNK_EXTENSIONS_OVERFLOW': ++ response = requestChunkExtensionsTooLargeResponse; ++ break; + case 'ERR_HTTP_REQUEST_TIMEOUT': + response = requestTimeoutResponse; + break; +diff --git a/src/node_http_parser.cc b/src/node_http_parser.cc +index 74f32480b9..b92e8486ae 100644 +--- a/src/node_http_parser.cc ++++ b/src/node_http_parser.cc +@@ -79,6 +79,8 @@ const uint32_t kOnExecute = 5; + const uint32_t kOnTimeout = 6; + // Any more fields than this will be flushed into JS + const size_t kMaxHeaderFieldsCount = 32; ++// Maximum size of chunk extensions ++const size_t kMaxChunkExtensionsSize = 16384; + + const uint32_t kLenientNone = 0; + const uint32_t kLenientHeaders = 1 << 0; +@@ -206,6 +208,7 @@ class Parser : public AsyncWrap, public StreamListener { + + int on_message_begin() { + num_fields_ = num_values_ = 0; ++ chunk_extensions_nread_ = 0; + url_.Reset(); + status_message_.Reset(); + header_parsing_start_time_ = uv_hrtime(); +@@ -443,9 +446,22 @@ class Parser : public AsyncWrap, public StreamListener { + return 0; + } + +- // Reset nread for the next chunk ++ int on_chunk_extension(const char* at, size_t length) { ++ chunk_extensions_nread_ += length; ++ ++ if (chunk_extensions_nread_ > kMaxChunkExtensionsSize) { ++ llhttp_set_error_reason(&parser_, ++ "HPE_CHUNK_EXTENSIONS_OVERFLOW:Chunk extensions overflow"); ++ return HPE_USER; ++ } ++ ++ return 0; ++ } ++ ++ // Reset nread for the next chunk and also reset the extensions counter + int on_chunk_header() { + header_nread_ = 0; ++ chunk_extensions_nread_ = 0; + return 0; + } + +@@ -887,6 +903,7 @@ class Parser : public AsyncWrap, public StreamListener { + const char* current_buffer_data_; + bool pending_pause_ = false; + uint64_t header_nread_ = 0; ++ uint64_t chunk_extensions_nread_ = 0; + uint64_t max_http_header_size_; + uint64_t headers_timeout_; + uint64_t header_parsing_start_time_ = 0; +@@ -921,6 +938,7 @@ const llhttp_settings_t Parser::settings = { + Proxy::Raw, + Proxy::Raw, + Proxy::Raw, ++ Proxy::Raw, + Proxy::Raw, + Proxy::Raw, + Proxy::Raw, +diff --git a/test/parallel/test-http-chunk-extensions-limit.js b/test/parallel/test-http-chunk-extensions-limit.js +new file mode 100644 +index 0000000000..6868b3da6c +--- /dev/null ++++ b/test/parallel/test-http-chunk-extensions-limit.js +@@ -0,0 +1,131 @@ ++'use strict'; ++ ++const common = require('../common'); ++const http = require('http'); ++const net = require('net'); ++const assert = require('assert'); ++ ++// Verify that chunk extensions are limited in size when sent all together. ++{ ++ const server = http.createServer((req, res) => { ++ req.on('end', () => { ++ res.writeHead(200, { 'Content-Type': 'text/plain' }); ++ res.end('bye'); ++ }); ++ ++ req.resume(); ++ }); ++ ++ server.listen(0, () => { ++ const sock = net.connect(server.address().port); ++ let data = ''; ++ ++ sock.on('data', (chunk) => data += chunk.toString('utf-8')); ++ ++ sock.on('end', common.mustCall(function() { ++ assert.strictEqual(data, 'HTTP/1.1 413 Payload Too Large\r\nConnection: close\r\n\r\n'); ++ server.close(); ++ })); ++ ++ sock.end('' + ++ 'GET / HTTP/1.1\r\n' + ++ 'Host: localhost:8080\r\n' + ++ 'Transfer-Encoding: chunked\r\n\r\n' + ++ '2;' + 'A'.repeat(20000) + '=bar\r\nAA\r\n' + ++ '0\r\n\r\n' ++ ); ++ }); ++} ++ ++// Verify that chunk extensions are limited in size when sent in intervals. ++{ ++ const server = http.createServer((req, res) => { ++ req.on('end', () => { ++ res.writeHead(200, { 'Content-Type': 'text/plain' }); ++ res.end('bye'); ++ }); ++ ++ req.resume(); ++ }); ++ ++ server.listen(0, () => { ++ const sock = net.connect(server.address().port); ++ let remaining = 20000; ++ let data = ''; ++ ++ const interval = setInterval( ++ () => { ++ if (remaining > 0) { ++ sock.write('A'.repeat(1000)); ++ } else { ++ sock.write('=bar\r\nAA\r\n0\r\n\r\n'); ++ clearInterval(interval); ++ } ++ ++ remaining -= 1000; ++ }, ++ common.platformTimeout(20), ++ ).unref(); ++ ++ sock.on('data', (chunk) => data += chunk.toString('utf-8')); ++ ++ sock.on('end', common.mustCall(function() { ++ assert.strictEqual(data, 'HTTP/1.1 413 Payload Too Large\r\nConnection: close\r\n\r\n'); ++ server.close(); ++ })); ++ ++ sock.write('' + ++ 'GET / HTTP/1.1\r\n' + ++ 'Host: localhost:8080\r\n' + ++ 'Transfer-Encoding: chunked\r\n\r\n' + ++ '2;' ++ ); ++ }); ++} ++ ++// Verify the chunk extensions is correctly reset after a chunk ++{ ++ const server = http.createServer((req, res) => { ++ req.on('end', () => { ++ res.writeHead(200, { 'content-type': 'text/plain', 'connection': 'close', 'date': 'now' }); ++ res.end('bye'); ++ }); ++ ++ req.resume(); ++ }); ++ ++ server.listen(0, () => { ++ const sock = net.connect(server.address().port); ++ let data = ''; ++ ++ sock.on('data', (chunk) => data += chunk.toString('utf-8')); ++ ++ sock.on('end', common.mustCall(function() { ++ assert.strictEqual( ++ data, ++ 'HTTP/1.1 200 OK\r\n' + ++ 'content-type: text/plain\r\n' + ++ 'connection: close\r\n' + ++ 'date: now\r\n' + ++ 'Transfer-Encoding: chunked\r\n' + ++ '\r\n' + ++ '3\r\n' + ++ 'bye\r\n' + ++ '0\r\n' + ++ '\r\n', ++ ); ++ ++ server.close(); ++ })); ++ ++ sock.end('' + ++ 'GET / HTTP/1.1\r\n' + ++ 'Host: localhost:8080\r\n' + ++ 'Transfer-Encoding: chunked\r\n\r\n' + ++ '2;' + 'A'.repeat(10000) + '=bar\r\nAA\r\n' + ++ '2;' + 'A'.repeat(10000) + '=bar\r\nAA\r\n' + ++ '2;' + 'A'.repeat(10000) + '=bar\r\nAA\r\n' + ++ '0\r\n\r\n' ++ ); ++ }); ++} +diff --git a/tools/update-llhttp.sh b/tools/update-llhttp.sh +index 12e2f465d7..a95eef1237 100755 +--- a/tools/update-llhttp.sh ++++ b/tools/update-llhttp.sh +@@ -59,5 +59,5 @@ echo "" + echo "Please git add llhttp, commit the new version:" + echo "" + echo "$ git add -A deps/llhttp" +-echo "$ git commit -m \"deps: update nghttp2 to $LLHTTP_VERSION\"" ++echo "$ git commit -m \"deps: update llhttp to $LLHTTP_VERSION\"" + echo "" +-- +2.41.0 + diff --git a/nodejs.spec b/nodejs.spec index e1a8201..75216a5 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.2 %bcond_with debug # PowerPC, s390x and aarch64 segfault during Debug builds @@ -36,7 +35,7 @@ # This is used by both the nodejs package and the npm subpackage that # has a separate version - the name is special so that rpmdev-bumpspec # will bump this rather than adding .1 to the end. -%global baserelease 3 +%global baserelease 4 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -85,7 +84,7 @@ # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h %global nghttp2_major 1 -%global nghttp2_minor 47 +%global nghttp2_minor 57 %global nghttp2_patch 0 %global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch} @@ -157,14 +156,13 @@ Name: nodejs Epoch: %{nodejs_epoch} Version: %{nodejs_version} -Release: %{nodejs_release}%{anolis_release}%{?dist} +Release: %{nodejs_release}%{?dist} Summary: JavaScript runtime License: MIT and ASL 2.0 and ISC and BSD Group: Development/Languages URL: http://nodejs.org/ ExclusiveArch: %{nodejs_arches} -Excludearch: loongarch64 # nodejs bundles openssl, but we use the system version in Fedora # because openssl contains prohibited code, we remove openssl completely from @@ -206,6 +204,7 @@ Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk- # Disable running gyp on bundled deps we don't use Patch1: 0001-Disable-running-gyp-on-shared-deps.patch Patch3: 0003-deps-nghttp2-update-to-1.57.0.patch +Patch4: nodejs-CVE-2024-22019.patch BuildRequires: make BuildRequires: python3-devel @@ -319,7 +318,7 @@ real-time applications that run across distributed devices. %package devel Summary: JavaScript runtime - development headers Group: Development/Languages -Requires: %{name}%{?_isa} = %{epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist} +Requires: %{name}%{?_isa} = %{epoch}:%{nodejs_version}-%{nodejs_release}%{?dist} Requires: openssl-devel%{?_isa} Requires: zlib-devel%{?_isa} Requires: brotli-devel%{?_isa} @@ -335,7 +334,7 @@ Development headers for the Node.js JavaScript runtime. %package full-i18n Summary: Non-English locale data for Node.js -Requires: %{name}%{?_isa} = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist} +Requires: %{name}%{?_isa} = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist} %description full-i18n Optional data files to provide full-icu support for Node.js. Remove this @@ -346,16 +345,16 @@ package to save space if non-English locales are not needed. Summary: Node.js Package Manager Epoch: %{npm_epoch} Version: %{npm_version} -Release: %{npm_release}%{anolis_release}%{?dist} +Release: %{npm_release}%{?dist} # We used to ship npm separately, but it is so tightly integrated with Node.js # (and expected to be present on all Node.js systems) that we ship it bundled # now. Obsoletes: npm < 0:3.5.4-6 Provides: npm = %{npm_epoch}:%{npm_version} -Requires: nodejs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist} +Requires: nodejs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist} %if 0%{?fedora} || 0%{?rhel} >= 8 -Recommends: nodejs-docs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist} +Recommends: nodejs-docs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist} %endif # Do not add epoch to the virtual NPM provides or it will break @@ -375,8 +374,8 @@ BuildArch: noarch # We don't require that the main package be installed to # use the docs, but if it is installed, make sure the # version always matches -Conflicts: %{name} > %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist} -Conflicts: %{name} < %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist} +Conflicts: %{name} > %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist} +Conflicts: %{name} < %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist} %description docs The API documentation for the Node.js JavaScript runtime. @@ -724,17 +723,15 @@ end %changelog -* Tue Oct 24 2023 Kaiqiang Wang 1:16.20.1-3.0.2 -- deps nghttp2 update to 1.57.0 (CVE-2023-44487) +* Tue Mar 05 2024 Honza Horak - 1:16.20.2-4 +- Fix CVE-2024-22019 -* Fri Sep 29 2023 Zhao Hang - 1:16.20.1-2.0.2 -- Remove loongarch64 arch -- Update requires and recommands -- Fixes CVE-2022-25883 (liubo03@inspur.com) +* Thu Oct 12 2023 Jan Staněk - 1:16.20.2-3 +- Update bundled nghttp2 to 1.57.0 (CVE-2023-44487) * Wed Sep 06 2023 Masahiro Matsuya - 1:16.20.2-2 - Bump Release. Need to rebuild with the updated nodejs-packaging - Resolves: rhbz#2237394 + Resolves: rhbz#2237393 * Fri Aug 18 2023 Dominik Rehák - 1:16.20.2-1 - Rebase to 16.20.2 -- Gitee From 6459888e4d1d8d1d1b40e0c8b027f4b3f498b519 Mon Sep 17 00:00:00 2001 From: Zhao Hang Date: Tue, 11 Apr 2023 15:18:12 +0800 Subject: [PATCH 2/4] spec: remove loongarch64 arch Signed-off-by: Zhao Hang --- nodejs.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/nodejs.spec b/nodejs.spec index 75216a5..d84082e 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 %bcond_with debug # PowerPC, s390x and aarch64 segfault during Debug builds @@ -156,13 +157,14 @@ Name: nodejs Epoch: %{nodejs_epoch} Version: %{nodejs_version} -Release: %{nodejs_release}%{?dist} +Release: %{nodejs_release}%{anolis_release}%{?dist} Summary: JavaScript runtime License: MIT and ASL 2.0 and ISC and BSD Group: Development/Languages URL: http://nodejs.org/ ExclusiveArch: %{nodejs_arches} +Excludearch: loongarch64 # nodejs bundles openssl, but we use the system version in Fedora # because openssl contains prohibited code, we remove openssl completely from @@ -723,6 +725,9 @@ end %changelog +* Tue Apr 02 2024 Zhao Hang - 1:16.20.1-4.0.1 +- Remove loongarch64 arch + * Tue Mar 05 2024 Honza Horak - 1:16.20.2-4 - Fix CVE-2024-22019 -- Gitee From 08884f901566093da1f6a7cb9cea9d6e24870550 Mon Sep 17 00:00:00 2001 From: Zhao Hang Date: Thu, 13 Apr 2023 15:48:45 +0800 Subject: [PATCH 3/4] spec: update requires and recommands Signed-off-by: Zhao Hang --- nodejs.spec | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/nodejs.spec b/nodejs.spec index d84082e..c8fb13d 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -320,7 +320,7 @@ real-time applications that run across distributed devices. %package devel Summary: JavaScript runtime - development headers Group: Development/Languages -Requires: %{name}%{?_isa} = %{epoch}:%{nodejs_version}-%{nodejs_release}%{?dist} +Requires: %{name}%{?_isa} = %{epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist} Requires: openssl-devel%{?_isa} Requires: zlib-devel%{?_isa} Requires: brotli-devel%{?_isa} @@ -336,7 +336,7 @@ Development headers for the Node.js JavaScript runtime. %package full-i18n Summary: Non-English locale data for Node.js -Requires: %{name}%{?_isa} = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist} +Requires: %{name}%{?_isa} = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist} %description full-i18n Optional data files to provide full-icu support for Node.js. Remove this @@ -347,16 +347,16 @@ package to save space if non-English locales are not needed. Summary: Node.js Package Manager Epoch: %{npm_epoch} Version: %{npm_version} -Release: %{npm_release}%{?dist} +Release: %{npm_release}%{anolis_release}%{?dist} # We used to ship npm separately, but it is so tightly integrated with Node.js # (and expected to be present on all Node.js systems) that we ship it bundled # now. Obsoletes: npm < 0:3.5.4-6 Provides: npm = %{npm_epoch}:%{npm_version} -Requires: nodejs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist} +Requires: nodejs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist} %if 0%{?fedora} || 0%{?rhel} >= 8 -Recommends: nodejs-docs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist} +Recommends: nodejs-docs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist} %endif # Do not add epoch to the virtual NPM provides or it will break @@ -376,8 +376,8 @@ BuildArch: noarch # We don't require that the main package be installed to # use the docs, but if it is installed, make sure the # version always matches -Conflicts: %{name} > %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist} -Conflicts: %{name} < %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist} +Conflicts: %{name} > %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist} +Conflicts: %{name} < %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist} %description docs The API documentation for the Node.js JavaScript runtime. @@ -727,6 +727,7 @@ end %changelog * Tue Apr 02 2024 Zhao Hang - 1:16.20.1-4.0.1 - Remove loongarch64 arch +- Update requires and recommands * Tue Mar 05 2024 Honza Horak - 1:16.20.2-4 - Fix CVE-2024-22019 -- Gitee From 817321305647e57dd20bf40f97dbc628e3cf1777 Mon Sep 17 00:00:00 2001 From: Renbo Date: Fri, 29 Sep 2023 12:13:47 +0800 Subject: [PATCH 4/4] spec: add changelog Signed-off-by: Renbo --- nodejs.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nodejs.spec b/nodejs.spec index c8fb13d..749f082 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -728,6 +728,8 @@ end * Tue Apr 02 2024 Zhao Hang - 1:16.20.1-4.0.1 - Remove loongarch64 arch - Update requires and recommands +- Fixes CVE-2022-25883 (liubo03@inspur.com) +- deps nghttp2 update to 1.57.0 (CVE-2023-44487)(wangkaiqiang@inspur.com) * Tue Mar 05 2024 Honza Horak - 1:16.20.2-4 - Fix CVE-2024-22019 -- Gitee