-
Notifications
You must be signed in to change notification settings - Fork 549
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix CVE-2024-21538 in nodejs (#11177)
Co-authored-by: jslobodzian <[email protected]> (cherry picked from commit 5e6e2a2)
- Loading branch information
1 parent
0a9ea87
commit efbaa90
Showing
3 changed files
with
47 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
From ea1368b332cebba727436bf4dddebb0c5d7a9d5b Mon Sep 17 00:00:00 2001 | ||
From: bala <[email protected]> | ||
Date: Tue, 19 Nov 2024 12:03:43 +0000 | ||
Subject: [PATCH] Vendor patch applied to fix CVE-2024-21538 | ||
|
||
--- | ||
deps/npm/node_modules/cross-spawn/lib/util/escape.js | 6 ++++-- | ||
1 file changed, 4 insertions(+), 2 deletions(-) | ||
|
||
diff --git a/deps/npm/node_modules/cross-spawn/lib/util/escape.js b/deps/npm/node_modules/cross-spawn/lib/util/escape.js | ||
index b0bb84c..e4804b9 100644 | ||
--- a/deps/npm/node_modules/cross-spawn/lib/util/escape.js | ||
+++ b/deps/npm/node_modules/cross-spawn/lib/util/escape.js | ||
@@ -15,15 +15,17 @@ function escapeArgument(arg, doubleEscapeMetaChars) { | ||
arg = `${arg}`; | ||
|
||
// Algorithm below is based on https://qntm.org/cmd | ||
+ // It's slightly altered to disable JS backtracking to avoid hanging on specially crafted input | ||
+ // Please see https://github.com/moxystudio/node-cross-spawn/pull/160 for more information | ||
|
||
// Sequence of backslashes followed by a double quote: | ||
// double up all the backslashes and escape the double quote | ||
- arg = arg.replace(/(\\*)"/g, '$1$1\\"'); | ||
+ arg = arg.replace(/(?=\\*?)"/g, '$1$1\\"'); | ||
|
||
// Sequence of backslashes followed by the end of the string | ||
// (which will become a double quote later): | ||
// double up all the backslashes | ||
- arg = arg.replace(/(\\*)$/, '$1$1'); | ||
+ arg = arg.replace(/(?=\\*?)$/, '$1$1'); | ||
|
||
// All other backslashes occur literally | ||
|
||
-- | ||
2.39.4 | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -6,7 +6,7 @@ Name: nodejs18 | |
# WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package. | ||
# The version of NPM can be found inside the sources under 'deps/npm/package.json'. | ||
Version: 18.20.3 | ||
Release: 1%{?dist} | ||
Release: 2%{?dist} | ||
License: BSD and MIT and Public Domain and NAIST-2003 and Artistic-2.0 | ||
Group: Applications/System | ||
Vendor: Microsoft Corporation | ||
|
@@ -17,6 +17,7 @@ URL: https://github.com/nodejs/node | |
# !!! => use clean-source-tarball.sh script to create a clean and reproducible source tarball. | ||
Source0: https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz | ||
Patch0: CVE-2023-21100.patch | ||
Patch1: CVE-2024-21538.patch | ||
BuildRequires: brotli-devel | ||
BuildRequires: coreutils >= 8.22 | ||
BuildRequires: gcc | ||
|
@@ -117,6 +118,9 @@ make cctest | |
%{_datadir}/systemtap/tapset/node.stp | ||
|
||
%changelog | ||
* Tue Nov 19 2024 Bala <[email protected]> - 18.20.3-2 | ||
- Patch CVE-2024-21538 | ||
|
||
* Thu Jun 13 2024 Nick Samson <[email protected]> - 18.20.3-1 | ||
- Upgrade to 18.20.3-1 to fix CVE-2024-28863 | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -7,7 +7,7 @@ TensorBoard is a suite of web applications for inspecting and understanding your | |
Summary: TensorBoard is a suite of web applications for inspecting and understanding your TensorFlow runs and graphs | ||
Name: python-%{pypi_name} | ||
Version: 2.11.0 | ||
Release: 2%{?dist} | ||
Release: 3%{?dist} | ||
License: ASL 2.0 | ||
Vendor: Microsoft Corporation | ||
Distribution: Mariner | ||
|
@@ -56,6 +56,7 @@ Summary: %{summary} | |
|
||
%prep | ||
%autosetup -p1 -n tensorboard-%{version} | ||
rm -rf tensorboard-%{version}/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm | ||
|
||
%build | ||
tar -xf %{SOURCE1} -C /root/ | ||
|
@@ -102,6 +103,10 @@ mv %{pypi_name}-%{version}-*.whl pyproject-wheeldir/ | |
%{python3_sitelib}/tensorboard_data_server* | ||
|
||
%changelog | ||
* Tue Nov 19 2024 Bala <[email protected]> - 2.11.0-3 | ||
- Remove npm directory before building to make sure no nodejs vulnerability is getting through | ||
- It is done while fixing CVE-2024-21538 | ||
|
||
* Tue Aug 01 2023 Riken Maharjan <[email protected]> - 2.11.0-2 | ||
- Remove bazel version. | ||
|
||
|