Skip to content

Commit

Permalink
Fix CVE-2024-21538 in nodejs (#11177)
Browse files Browse the repository at this point in the history
Co-authored-by: jslobodzian <[email protected]>
(cherry picked from commit 5e6e2a2)
  • Loading branch information
0xba1a authored and CBL-Mariner-Bot committed Nov 22, 2024
1 parent 0a9ea87 commit efbaa90
Show file tree
Hide file tree
Showing 3 changed files with 47 additions and 2 deletions.
36 changes: 36 additions & 0 deletions SPECS/nodejs/CVE-2024-21538.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
From ea1368b332cebba727436bf4dddebb0c5d7a9d5b Mon Sep 17 00:00:00 2001
From: bala <[email protected]>
Date: Tue, 19 Nov 2024 12:03:43 +0000
Subject: [PATCH] Vendor patch applied to fix CVE-2024-21538

---
deps/npm/node_modules/cross-spawn/lib/util/escape.js | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/deps/npm/node_modules/cross-spawn/lib/util/escape.js b/deps/npm/node_modules/cross-spawn/lib/util/escape.js
index b0bb84c..e4804b9 100644
--- a/deps/npm/node_modules/cross-spawn/lib/util/escape.js
+++ b/deps/npm/node_modules/cross-spawn/lib/util/escape.js
@@ -15,15 +15,17 @@ function escapeArgument(arg, doubleEscapeMetaChars) {
arg = `${arg}`;

// Algorithm below is based on https://qntm.org/cmd
+ // It's slightly altered to disable JS backtracking to avoid hanging on specially crafted input
+ // Please see https://github.com/moxystudio/node-cross-spawn/pull/160 for more information

// Sequence of backslashes followed by a double quote:
// double up all the backslashes and escape the double quote
- arg = arg.replace(/(\\*)"/g, '$1$1\\"');
+ arg = arg.replace(/(?=\\*?)"/g, '$1$1\\"');

// Sequence of backslashes followed by the end of the string
// (which will become a double quote later):
// double up all the backslashes
- arg = arg.replace(/(\\*)$/, '$1$1');
+ arg = arg.replace(/(?=\\*?)$/, '$1$1');

// All other backslashes occur literally

--
2.39.4

6 changes: 5 additions & 1 deletion SPECS/nodejs/nodejs18.spec
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ Name: nodejs18
# WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
# The version of NPM can be found inside the sources under 'deps/npm/package.json'.
Version: 18.20.3
Release: 1%{?dist}
Release: 2%{?dist}
License: BSD and MIT and Public Domain and NAIST-2003 and Artistic-2.0
Group: Applications/System
Vendor: Microsoft Corporation
Expand All @@ -17,6 +17,7 @@ URL: https://github.com/nodejs/node
# !!! => use clean-source-tarball.sh script to create a clean and reproducible source tarball.
Source0: https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz
Patch0: CVE-2023-21100.patch
Patch1: CVE-2024-21538.patch
BuildRequires: brotli-devel
BuildRequires: coreutils >= 8.22
BuildRequires: gcc
Expand Down Expand Up @@ -117,6 +118,9 @@ make cctest
%{_datadir}/systemtap/tapset/node.stp

%changelog
* Tue Nov 19 2024 Bala <[email protected]> - 18.20.3-2
- Patch CVE-2024-21538

* Thu Jun 13 2024 Nick Samson <[email protected]> - 18.20.3-1
- Upgrade to 18.20.3-1 to fix CVE-2024-28863

Expand Down
7 changes: 6 additions & 1 deletion SPECS/python-tensorboard/python-tensorboard.spec
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ TensorBoard is a suite of web applications for inspecting and understanding your
Summary: TensorBoard is a suite of web applications for inspecting and understanding your TensorFlow runs and graphs
Name: python-%{pypi_name}
Version: 2.11.0
Release: 2%{?dist}
Release: 3%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
Expand Down Expand Up @@ -56,6 +56,7 @@ Summary: %{summary}

%prep
%autosetup -p1 -n tensorboard-%{version}
rm -rf tensorboard-%{version}/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm

%build
tar -xf %{SOURCE1} -C /root/
Expand Down Expand Up @@ -102,6 +103,10 @@ mv %{pypi_name}-%{version}-*.whl pyproject-wheeldir/
%{python3_sitelib}/tensorboard_data_server*

%changelog
* Tue Nov 19 2024 Bala <[email protected]> - 2.11.0-3
- Remove npm directory before building to make sure no nodejs vulnerability is getting through
- It is done while fixing CVE-2024-21538

* Tue Aug 01 2023 Riken Maharjan <[email protected]> - 2.11.0-2
- Remove bazel version.

Expand Down

0 comments on commit efbaa90

Please sign in to comment.