import nodejs-18.19.1-1.module+el9.3.0+21388+22892fb9

6 months ago · e4f0d7dc0b
parent 6936d7822c
commit e4f0d7dc0b
4 changed files with 84 additions and 17 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,5 @@
 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 SOURCES/icu4c-73_2-src.tgz
-SOURCES/node-v18.19.0-stripped.tar.gz
-SOURCES/undici-5.26.4.tar.gz
+SOURCES/node-v18.19.1-stripped.tar.gz
+SOURCES/undici-5.28.3.tar.gz
 SOURCES/wasi-sdk-11.0-linux.tar.gz
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@ -1,5 +1,5 @@
 b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz
-86902e7f408e3689e3048ae7ec047fb658be6a6e SOURCES/node-v18.19.0-stripped.tar.gz
-d1dde2c4db1554f1f152d98f5fed64ea606be946 SOURCES/undici-5.26.4.tar.gz
+7962d96e7c1517cf7b34395fc582b32b8acebe3a SOURCES/node-v18.19.1-stripped.tar.gz
+b598f79f4706fe75c31ff2a214e50acc04c4725a SOURCES/undici-5.28.3.tar.gz
 ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz
--- a/SOURCES/nodejs-fips-disable-options.patch
+++ b/SOURCES/nodejs-fips-disable-options.patch
@ -1,15 +1,75 @@
-FIPS related options cause a segfault, let's end sooner
+From 98738d27288bd9ca634e29181ef665e812e7bbd3 Mon Sep 17 00:00:00 2001
+From: Michael Dawson <midawson@redhat.com>
+Date: Fri, 23 Feb 2024 13:43:56 +0100
+Subject: [PATCH] Disable FIPS options
+
+On RHEL, FIPS should be configured only on system level.
+Additionally, the related options may cause segfault when used on RHEL.
+
+This patch causes the option processing to end sooner
+than the problematic code gets executed.
+Additionally, the JS-level options to mess with FIPS settings
+are similarly disabled.

 Upstream report: https://github.com/nodejs/node/pull/48950
 RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726
+Customer case: https://access.redhat.com/support/cases/#/case/03711488
+---
+ lib/crypto.js             | 10 ++++++++++
+ lib/internal/errors.js    |  6 ++++++
+ src/crypto/crypto_util.cc |  2 ++
+ 3 files changed, 18 insertions(+)
+
+diff --git a/lib/crypto.js b/lib/crypto.js
+index 41adecc..b2627ac 100644
+--- a/lib/crypto.js
+++ b/lib/crypto.js
+@@ -36,6 +36,9 @@ const {
+ assertCrypto();
+
+ const {
+  // RHEL specific error
+  ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED,
+
+   ERR_CRYPTO_FIPS_FORCED,
+ } = require('internal/errors').codes;
+ const constants = internalBinding('constants').crypto;
+@@ -251,6 +254,13 @@ function getFips() {
+ }
 
-This patch makes the part of the code that processes cmd-line options for
-FIPS to end sooner before the code gets to the problematic part of the code.
+ function setFips(val) {
+  // in RHEL FIPS enable/disable should only be done at system level
+  if (getFips() != val) {
+    throw new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED();
+  } else {
+    return;
+  }
+
+   if (getOptionValue('--force-fips')) {
+     if (val) return;
+     throw new ERR_CRYPTO_FIPS_FORCED();
+diff --git a/lib/internal/errors.js b/lib/internal/errors.js
+index a722360..04d8a53 100644
+--- a/lib/internal/errors.js
+++ b/lib/internal/errors.js
+@@ -1060,6 +1060,12 @@ module.exports = {
+ //
+ // Note: Node.js specific errors must begin with the prefix ERR_
 
-diff -up node-v18.16.1/src/crypto/crypto_util.cc.origfips node-v18.16.1/src/crypto/crypto_util.cc
--- node-v18.16.1/src/crypto/crypto_util.cc.origfips	2023-07-31 12:09:46.603683081 +0200
-+++ node-v18.16.1/src/crypto/crypto_util.cc	2023-07-31 12:16:16.906617914 +0200
-@@ -111,6 +111,8 @@ bool ProcessFipsOptions() {
+// insert RHEL specific erro
+E('ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED',
+  'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. See' +
+  'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n',
+  Error);
+
+ E('ERR_ACCESS_DENIED',
+   'Access to this API has been restricted. Permission: %s',
+   Error);
+diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
+index 5734d8f..ef9d1b1 100644
+--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
+@@ -121,6 +121,8 @@ bool ProcessFipsOptions() {
   /* Override FIPS settings in configuration file, if needed. */
   if (per_process::cli_options->enable_fips_crypto ||
       per_process::cli_options->force_fips_crypto) {
@ -18,3 +78,5 @@ diff -up node-v18.16.1/src/crypto/crypto_util.cc.origfips node-v18.16.1/src/cryp
 #if OPENSSL_VERSION_MAJOR >= 3
     OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
     if (fips_provider == nullptr)
+-- 
+2.43.2
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@ -41,7 +41,7 @@
 %global nodejs_epoch 1
 %global nodejs_major 18
 %global nodejs_minor 19
-%global nodejs_patch 0
+%global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 108
@ -68,7 +68,7 @@
 %global c_ares_version 1.20.1

 # llhttp - from deps/llhttp/include/llhttp.h
-%global llhttp_version 6.0.11
+%global llhttp_version 6.1.0

 # libuv - from deps/uv/include/uv/version.h
 %global libuv_version 1.44.2
@ -126,7 +126,7 @@

 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_version 10.2.3
+%global npm_version 10.2.4

 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@ -181,10 +181,10 @@ Source101: cjs-module-lexer-1.2.2.tar.gz
 Source111: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz

 # Version: jq '.version' deps/undici/src/package.json
-# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.26.4.tar.gz
-# Adjustments: rm -f undici-5.26.4/lib/llhttp/llhttp*.wasm
+# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.28.3.tar.gz
+# Adjustments: rm -f undici-5.28.3/lib/llhttp/llhttp*.wasm
 # Build uses alpine image, see alpine for sources for wasi-sdk
-Source102: undici-5.26.4.tar.gz
+Source102: undici-5.28.3.tar.gz

 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
@ -628,6 +628,11 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod


 %changelog
+* Thu Feb 29 2024 Lukas Javorsky <ljavorsk@redhat.com> - 1:18.19.1-1
+- Rebase to version 18.19.1
+- Fix FIPS handling of the cmd-line options (RHBZ#2226726)
+- Resolves: RHEL-26695 RHEL-26009 RHEL-26690
+
 * Thu Jan 18 2024 Jan Staněk <jstanek@redhat.com> - 1:18.19.0-1
 - Rebase to version 18.19.0
  Resolves: RHEL-21438