import nodejs-18.20.2-1.module+el8.9.0+21767+537f34ee

c8-stream-18 imports/c8-stream-18/nodejs-18.20.2-1.module+el8.9.0+21767+537f34ee
MSVSphere Packaging Team 6 months ago
parent e0bc6125e7
commit 4291cccca9

6
.gitignore vendored

@ -1,5 +1,5 @@
SOURCES/cjs-module-lexer-1.2.2.tar.gz
SOURCES/icu4c-73_2-src.tgz
SOURCES/node-v18.19.1-stripped.tar.gz
SOURCES/undici-5.28.3.tar.gz
SOURCES/icu4c-74_2-src.tgz
SOURCES/node-v18.20.2-stripped.tar.gz
SOURCES/undici-5.28.4.tar.gz
SOURCES/wasi-sdk-11.0-linux.tar.gz

@ -1,5 +1,5 @@
164f7f39841415284b0280a648c43bd7ea1615ac SOURCES/cjs-module-lexer-1.2.2.tar.gz
3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz
7962d96e7c1517cf7b34395fc582b32b8acebe3a SOURCES/node-v18.19.1-stripped.tar.gz
b598f79f4706fe75c31ff2a214e50acc04c4725a SOURCES/undici-5.28.3.tar.gz
43a8d688a3a6bc8f0f8c5e699d0ef7a905d24314 SOURCES/icu4c-74_2-src.tgz
d3c7f3b4d4aa55e38b0e221ed4f5fdfcf48d1e4c SOURCES/node-v18.20.2-stripped.tar.gz
d38d72bec82e3c41a4de73d6ee56d9c9eff5f403 SOURCES/undici-5.28.4.tar.gz
ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz

@ -0,0 +1,157 @@
Backport from upstream commits.
https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0
https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9
diff -ur node-v18.19.1_orig/deps/nghttp2/lib/includes/nghttp2/nghttp2.h node-v18.19.1/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
--- node-v18.19.1_orig/deps/nghttp2/lib/includes/nghttp2/nghttp2.h 2024-04-15 14:38:00.000000000 +0200
+++ node-v18.19.1/deps/nghttp2/lib/includes/nghttp2/nghttp2.h 2024-04-15 14:43:36.000000000 +0200
@@ -440,7 +440,12 @@
* exhaustion on server side to send these frames forever and does
* not read network.
*/
- NGHTTP2_ERR_FLOODED = -904
+ NGHTTP2_ERR_FLOODED = -904,
+ /**
+ * When a local endpoint receives too many CONTINUATION frames
+ * following a HEADER frame.
+ */
+ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
} nghttp2_error;
/**
@@ -2775,6 +2780,17 @@
/**
* @function
+ *
+ * This function sets the maximum number of CONTINUATION frames
+ * following an incoming HEADER frame. If more than those frames are
+ * received, the remote endpoint is considered to be misbehaving and
+ * session will be closed. The default value is 8.
+ */
+NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
+ size_t val);
+
+/**
+ * @function
*
* Initializes |*session_ptr| for client use. The all members of
* |callbacks| are copied to |*session_ptr|. Therefore |*session_ptr|
Only in node-v18.19.1/deps/nghttp2/lib/includes/nghttp2: nghttp2.h.orig
diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_helper.c node-v18.19.1/deps/nghttp2/lib/nghttp2_helper.c
--- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_helper.c 2024-04-15 14:38:00.000000000 +0200
+++ node-v18.19.1/deps/nghttp2/lib/nghttp2_helper.c 2024-04-15 14:41:10.000000000 +0200
@@ -336,6 +336,8 @@
"closed";
case NGHTTP2_ERR_TOO_MANY_SETTINGS:
return "SETTINGS frame contained more than the maximum allowed entries";
+ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
+ return "Too many CONTINUATION frames following a HEADER frame";
default:
return "Unknown error code";
}
diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.c node-v18.19.1/deps/nghttp2/lib/nghttp2_option.c
--- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.c 2024-04-15 14:38:00.000000000 +0200
+++ node-v18.19.1/deps/nghttp2/lib/nghttp2_option.c 2024-04-15 14:43:36.000000000 +0200
@@ -150,3 +150,8 @@
option->stream_reset_burst = burst;
option->stream_reset_rate = rate;
}
+
+void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
+ option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
+ option->max_continuations = val;
+}
diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.h node-v18.19.1/deps/nghttp2/lib/nghttp2_option.h
--- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.h 2024-04-15 14:38:00.000000000 +0200
+++ node-v18.19.1/deps/nghttp2/lib/nghttp2_option.h 2024-04-15 14:43:36.000000000 +0200
@@ -71,6 +71,7 @@
NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13,
NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14,
NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
+ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
} nghttp2_option_flag;
/**
@@ -99,6 +100,10 @@
*/
size_t max_settings;
/**
+ * NGHTTP2_OPT_MAX_CONTINUATIONS
+ */
+ size_t max_continuations;
+ /**
* Bitwise OR of nghttp2_option_flag to determine that which fields
* are specified.
*/
diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.c node-v18.19.1/deps/nghttp2/lib/nghttp2_session.c
--- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.c 2024-04-15 14:38:00.000000000 +0200
+++ node-v18.19.1/deps/nghttp2/lib/nghttp2_session.c 2024-04-15 14:43:36.000000000 +0200
@@ -496,6 +496,7 @@
(*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
(*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
(*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
+ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
if (option) {
if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
@@ -584,6 +585,10 @@
option->stream_reset_burst,
option->stream_reset_rate);
}
+
+ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
+ (*session_ptr)->max_continuations = option->max_continuations;
+ }
}
rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
@@ -6778,6 +6783,8 @@
}
}
session_inbound_frame_reset(session);
+
+ session->num_continuations = 0;
}
break;
}
@@ -6899,6 +6906,10 @@
}
#endif /* DEBUGBUILD */
+ if (++session->num_continuations > session->max_continuations) {
+ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
+ }
+
readlen = inbound_frame_buf_read(iframe, in, last);
in += readlen;
Only in node-v18.19.1/deps/nghttp2/lib: nghttp2_session.c.orig
diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.h node-v18.19.1/deps/nghttp2/lib/nghttp2_session.h
--- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.h 2024-04-15 14:38:00.000000000 +0200
+++ node-v18.19.1/deps/nghttp2/lib/nghttp2_session.h 2024-04-15 14:41:10.000000000 +0200
@@ -110,6 +110,10 @@
#define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
#define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
+/* The default max number of CONTINUATION frames following an incoming
+ HEADER frame. */
+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
+
/* Internal state when receiving incoming frame */
typedef enum {
/* Receiving frame header */
@@ -290,6 +294,12 @@
size_t max_send_header_block_length;
/* The maximum number of settings accepted per SETTINGS frame. */
size_t max_settings;
+ /* The maximum number of CONTINUATION frames following an incoming
+ HEADER frame. */
+ size_t max_continuations;
+ /* The number of CONTINUATION frames following an incoming HEADER
+ frame. This variable is reset when END_HEADERS flag is seen. */
+ size_t num_continuations;
/* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
uint32_t next_stream_id;
/* The last stream ID this session initiated. For client session,

@ -41,8 +41,8 @@
# than a Fedora release lifecycle.
%global nodejs_epoch 1
%global nodejs_major 18
%global nodejs_minor 19
%global nodejs_patch 1
%global nodejs_minor 20
%global nodejs_patch 2
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
%global nodejs_soversion 108
@ -65,10 +65,10 @@
%global v8_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
# c-ares - from deps/cares/include/ares_version.h
%global c_ares_version 1.20.1
%global c_ares_version 1.27.0
# llhttp - from deps/llhttp/include/llhttp.h
%global llhttp_version 6.1.0
%global llhttp_version 6.1.1
# libuv - from deps/uv/include/uv/version.h
%global libuv_major 1
@ -92,7 +92,7 @@
%global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch}
# ICU - from tools/icu/current_ver.dep
%global icu_major 73
%global icu_major 74
%global icu_minor 2
%global icu_version %{icu_major}.%{icu_minor}
@ -111,13 +111,13 @@
%endif
# simduft from deps/simdutf/simdutf.h
%global simduft_major 3
%global simduft_minor 2
%global simduft_patch 18
%global simduft_major 4
%global simduft_minor 0
%global simduft_patch 8
%global simduft_version %{simduft_major}.%{simduft_minor}.%{simduft_patch}
# ada from deps/ada/ada.h
%global ada_version 2.7.2
%global ada_version 2.7.6
# OpenSSL minimum version
%global openssl_minimum 1:1.1.1
@ -132,7 +132,7 @@
# npm - from deps/npm/package.json
%global npm_epoch 1
%global npm_version 10.2.4
%global npm_version 10.5.0
# In order to avoid needing to keep incrementing the release version for the
# main package forever, we will just construct one for npm that is guaranteed
@ -193,11 +193,12 @@ Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-
# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.28.3.tar.gz
# Adjustments: rm -f undici-5.28.3/lib/llhttp/llhttp*.wasm
# Build uses alpine image, see alpine for sources for wasi-sdk
Source111: undici-5.28.3.tar.gz
Source111: undici-5.28.4.tar.gz
# Disable running gyp on bundled deps we don't use
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
Patch3: nodejs-fips-disable-options.patch
Patch2: nodejs-fips-disable-options.patch
Patch3: CVE-2024-28182.patch
BuildRequires: make
BuildRequires: python3-devel
@ -557,6 +558,11 @@ find %{buildroot}%{_prefix}/lib/node_modules/npm \
-executable -type f \
-exec chmod -x {} \;
# NPM bundle dep contain powershell files
# These files are not useful for linux
# systems and create /usr/bin/pwsh requirement, so the files are deleted
find %{buildroot}%{_prefix}/lib/node_modules/npm/bin/*.ps1 -executable -type f -exec rm {} \;
# The above command is a little overzealous. Add a few permissions back.
chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp
chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js
@ -564,7 +570,8 @@ chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/node-gyp/bin
# Corepack contains a number of executable"shims", including some for Windows
# PowerShell. Drop the executable bit for those so we don't pick up an
# automatic dependency on /usr/bin/pwsh that we cannot satisfy.
chmod -x %{buildroot}%{_prefix}/lib/node_modules/corepack/shims/*.ps1
find %{buildroot}%{_prefix}/lib/node_modules/corepack/shims/*.ps1 -executable -type f -exec rm {} \;
find %{buildroot}%{_prefix}/lib/node_modules/corepack/shims/nodewin/*.ps1 -executable -type f -exec rm {} \;
# Drop the NPM builtin configuration in place
sed -e 's#@SYSCONFDIR@#%{_sysconfdir}#g' \
@ -732,6 +739,11 @@ end
%changelog
* Wed Apr 24 2024 Filip Janus <fjanus@redhat.com> - 1:18.20.2-1
- Removes .ps1 files
- Rebase to 18.20.2
- Fixes: CVE-2024-27983, CVE-2024-28182, CVE-2024-27982, CVE-2024-25629
* Wed Feb 21 2024 Lukas Javorsky <ljavorsk@redhat.com> - 1:18.19.1-1
- Rebase to version 18.19.1
- Fix FIPS handling of the cmd-line options (RHBZ#2226726)

Loading…
Cancel
Save