From 078db84bb3745621a4502c160ca6ec701ad79dbb Mon Sep 17 00:00:00 2001
From: Renbo
Date: Mon, 1 Apr 2024 14:01:12 +0800
Subject: [PATCH 1/3] update to nodejs-18.19.1-1.src.rpm

Signed-off-by: Renbo
---
 download | 6 +--
 nodejs-fips-disable-options.patch | 83 +++++++++++++++++++++++++++++++
 nodejs.spec | 43 ++++++++--------
 3 files changed, 108 insertions(+), 24 deletions(-)
 create mode 100644 nodejs-fips-disable-options.patch

diff --git a/download b/download
index 407af3e..3050f2f 100644
--- a/download
+++ b/download
@@ -1,4 +1,4 @@
-08535247571b2a04e00dc1c8bfdc5606 cjs-module-lexer-1.2.2.tar.gz
-c430fc52d7930fe5fa2ff73a087d0a90 node-v18.19.0-stripped.tar.gz
-7c8cec0063a7a8a04aaf5c0ebf5d9f0c undici-5.26.4.tar.gz
+5808c204e2942e7bf56d6d7971d4f5d4 cjs-module-lexer-1.2.2.tar.gz
+e0c8c46dc6505116bf5db18454a11777 node-v18.19.1-stripped.tar.gz
+aae05b8ad7bdb6d6813924709bbc34a0 undici-5.28.3.tar.gz
 d80d3731d039b0944b405044dabd5f93 wasi-sdk-11.0-linux.tar.gz
diff --git a/nodejs-fips-disable-options.patch b/nodejs-fips-disable-options.patch
new file mode 100644
index 0000000..07f8d92
--- /dev/null
+++ b/nodejs-fips-disable-options.patch
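Review bot: The md5 for `cjs-module-lexer-1.2.2.tar.gz` changes from `08535247571b2a04e00dc1c8bfdc5606` to `5808c204e2942e7bf56d6d7971d4f5d4` while the file name and version stay the same, so the archive's contents changed with nothing in the commit explaining why; a re-packed tarball under an unchanged name is exactly what a supply-chain review needs to see justified, so the commit message (or a comment next to the spec's `Source101` line) should record where the new archive was obtained and how it was produced. The node and undici hashes accompany real version bumps (18.19.0 → 18.19.1, 5.26.4 → 5.28.3) and are expected. Because `download` only carries md5 sums, which are not collision-resistant, recording a sha256 (or the upstream URL and signature) alongside them would turn this file into an integrity check rather than a transfer check, if the packaging tooling permits it.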
@@ -0,0 +1,83 @@ +From 98738d27288bd9ca634e29181ef665e812e7bbd3 Mon Sep 17 00:00:00 2001 +From: Michael Dawson +Date: Fri, 23 Feb 2024 13:43:56 +0100 +Subject: [PATCH] Disable FIPS options + +On RHEL, FIPS should be configured only on system level. +Additionally, the related options may cause segfault when used on RHEL. + +This patch causes the option processing to end sooner +than the problematic code gets executed. +Additionally, the JS-level options to mess with FIPS settings +are similarly disabled. + +Upstream report: https://github.com/nodejs/node/pull/48950 +RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726 +Customer case: https://access.redhat.com/support/cases/#/case/03711488 +--- + lib/crypto.js | 10 ++++++++++ + lib/internal/errors.js | 6 ++++++ + src/crypto/crypto_util.cc | 2 ++ + 3 files changed, 18 insertions(+) + +diff --git a/lib/crypto.js b/lib/crypto.js +index 41adecc..b2627ac 100644 +--- a/lib/crypto.js ++++ b/lib/crypto.js +@@ -36,6 +36,9 @@ const { + assertCrypto(); + + const { ++ // RHEL specific error ++ ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED, ++ + ERR_CRYPTO_FIPS_FORCED, + } = require('internal/errors').codes; + const constants = internalBinding('constants').crypto; +@@ -251,6 +254,13 @@ function getFips() { + } + + function setFips(val) { ++ // in RHEL FIPS enable/disable should only be done at system level ++ if (getFips() != val) { ++ throw new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED(); ++ } else { ++ return; ++ } ++ + if (getOptionValue('--force-fips')) { + if (val) return; + throw new ERR_CRYPTO_FIPS_FORCED(); +diff --git a/lib/internal/errors.js b/lib/internal/errors.js +index a722360..04d8a53 100644 +--- a/lib/internal/errors.js ++++ b/lib/internal/errors.js +@@ -1060,6 +1060,12 @@ module.exports = { + // + // Note: Node.js specific errors must begin with the prefix ERR_ + ++// insert RHEL specific erro ++E('ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED', ++ 'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. 
See' + ++ 'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n', ++ Error); ++ + E('ERR_ACCESS_DENIED', + 'Access to this API has been restricted. Permission: %s', + Error); +diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc +index 5734d8f..ef9d1b1 100644 +--- a/src/crypto/crypto_util.cc ++++ b/src/crypto/crypto_util.cc +@@ -121,6 +121,8 @@ bool ProcessFipsOptions() { + /* Override FIPS settings in configuration file, if needed. */ + if (per_process::cli_options->enable_fips_crypto || + per_process::cli_options->force_fips_crypto) { ++ fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n"); ++ return false; + #if OPENSSL_VERSION_MAJOR >= 3 + OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips"); + if (fips_provider == nullptr) +-- +2.43.2 + diff --git a/nodejs.spec b/nodejs.spec index ec382d2..6776fe7 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.1 %global with_debug 0 # PowerPC, s390x and aarch64 segfault during Debug builds @@ -43,7 +42,7 @@ %global nodejs_epoch 1 %global nodejs_major 18 %global nodejs_minor 19 -%global nodejs_patch 0 +%global nodejs_patch 1 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 108 @@ -69,7 +68,7 @@ %global c_ares_version 1.20.1 # llhttp - from deps/llhttp/include/llhttp.h -%global llhttp_version 6.0.11 +%global llhttp_version 6.1.0 # libuv - from deps/uv/include/uv/version.h %global libuv_major 1 
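Review bot: In the `lib/internal/errors.js` hunk of the embedded patch, the message for `ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED` is two literals joined with `+` and no separator, so users see `...at system level. Seehttps://access.redhat.com/...`; end the first literal with a space: `'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. See ' +`. The comment above it, `// insert RHEL specific erro`, is also missing its last letter. In the `lib/crypto.js` hunk the inserted `if (getFips() != val) { throw … } else { return; }` exits on every path, so the original `--force-fips` body that follows in `setFips` is now dead code and the `else { return; }` is redundant; delete the unreachable lines (or say why they are kept) and put a comment on the guard stating that loose `!=` is deliberate if `getFips()` and `val` can differ in type, so nobody later "fixes" it to `!==` and breaks the check. The same unreachable-code shape appears in `src/crypto/crypto_util.cc`, where the added `return false;` precedes the `#if OPENSSL_VERSION_MAJOR >= 3` provider-loading block that can no longer run; compilers will likely warn on it, and a short comment such as `// RHEL: FIPS is configured system-wide; reject the CLI switches before the provider is touched` would make the intent explicit. `setFips` and `ProcessFipsOptions` both continue outside the quoted hunks.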
@@ -133,7 +132,7 @@
 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_version 10.2.3
+%global npm_version 10.2.4
 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@@ -142,7 +141,7 @@
 %global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
 # Node.js 16.9.1 and later comes with an experimental package management tool
-%global corepack_version 0.10.0
+%global corepack_version 0.22.0
 # uvwasi - from deps/uvwasi/include/uvwasi.h
 %global uvwasi_version 0.0.19
@@ -153,7 +152,7 @@ Name: nodejs
 Epoch: %{nodejs_epoch}
 Version: %{nodejs_version}
-Release: %{nodejs_release}%{anolis_release}%{?dist}
+Release: %{nodejs_release}%{?dist}
 Summary: JavaScript runtime
 License: MIT and ASL 2.0 and ISC and BSD
 Group: Development/Languages
@@ -191,13 +190,14 @@ Source101: cjs-module-lexer-1.2.2.tar.gz
 Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz
 # Version: jq '.version' deps/undici/src/package.json
-# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.26.4.tar.gz
-# Adjustments: rm -f undici-5.26.4/lib/llhttp/llhttp*.wasm
+# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.28.3.tar.gz
+# Adjustments: rm -f undici-5.28.3/lib/llhttp/llhttp*.wasm
 # Build uses alpine image, see alpine for sources for wasi-sdk
-Source111: undici-5.26.4.tar.gz
+Source111: undici-5.28.3.tar.gz
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
+Patch3: nodejs-fips-disable-options.patch
 BuildRequires: make
 BuildRequires: python3-devel
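Review bot: `Patch3: nodejs-fips-disable-options.patch` is declared here, but nothing in this hunk applies it; unless `%prep` uses `%autosetup`/`%autopatch` (not visible in this diff), an explicit `%patch3 -p1` matching how Patch1 is applied is needed, otherwise the FIPS hardening the changelog advertises never reaches the build. The numbering also jumps from Patch1 to Patch3; if that is meant to track the upstream RHEL spec, a comment saying so will stop a later cleanup from renumbering it. Patch1 carries a one-line purpose comment and this one should too, e.g. `# RHBZ#2226726: refuse FIPS enable/disable from CLI options and crypto.setFips(); FIPS is configured at system level`. The `%prep` section is outside this hunk.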
@@ -303,9 +303,9 @@ Provides: bundled(ada) = %{ada_version}
 # Make sure we keep NPM up to date when we update Node.js
 %if 0%{?rhel} < 8
 # EPEL doesn't support Recommends, so make it strict
-Requires: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{anolis_release}%{?dist}
+Requires: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
 %else
-Recommends: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{anolis_release}%{?dist}
+Recommends: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
 %endif
 %description
@@ -319,7 +319,7 @@ real-time applications that run across distributed devices.
 %package devel
 Summary: JavaScript runtime - development headers
 Group: Development/Languages
-Requires: %{name}%{?_isa} = %{epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist}
+Requires: %{name}%{?_isa} = %{epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
 Requires: openssl-devel%{?_isa}
 Requires: zlib-devel%{?_isa}
 Requires: brotli-devel%{?_isa}
@@ -335,7 +335,7 @@ Development headers for the Node.js JavaScript runtime.
 %package full-i18n
 Summary: Non-English locale data for Node.js
-Requires: %{name}%{?_isa} = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist}
+Requires: %{name}%{?_isa} = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
 %description full-i18n
 Optional data files to provide full-icu support for Node.js. Remove this
@@ -346,16 +346,16 @@ package to save space if non-English locales are not needed.
 Summary: Node.js Package Manager
 Epoch: %{npm_epoch}
 Version: %{npm_version}
-Release: %{npm_release}%{anolis_release}%{?dist}
+Release: %{npm_release}%{?dist}
 # We used to ship npm separately, but it is so tightly integrated with Node.js
 # (and expected to be present on all Node.js systems) that we ship it bundled
 # now.
 Obsoletes: npm < 0:3.5.4-6
 Provides: npm = %{npm_epoch}:%{npm_version}
-Requires: nodejs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist}
+Requires: nodejs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
 %if 0%{?fedora} || 0%{?rhel} >= 8
-Recommends: nodejs-docs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist}
+Recommends: nodejs-docs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
 %endif
 # Do not add epoch to the virtual NPM provides or it will break
@@ -375,8 +375,8 @@ BuildArch: noarch
 # We don't require that the main package be installed to
 # use the docs, but if it is installed, make sure the
 # version always matches
-Conflicts: %{name} > %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist}
-Conflicts: %{name} < %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist}
+Conflicts: %{name} > %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
+Conflicts: %{name} < %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
 %description docs
 The API documentation for the Node.js JavaScript runtime.
@@ -732,9 +732,10 @@ end
 %changelog
-* Wed Feb 21 2024 Bo Liu - 1:18.19.0-1.0.1
-- Fixes CVE-2022-25883
-- update requires and recommands (wb-zh951434@alibaba-inc.com)
+* Wed Feb 21 2024 Lukas Javorsky - 1:18.19.1-1
+- Rebase to version 18.19.1
+- Fix FIPS handling of the cmd-line options (RHBZ#2226726)
+- Resolves: RHEL-26691 RHEL-26016 RHEL-26648
 * Fri Jan 19 2024 Lukas Javorsky - 1:18.19.0-1
 - Rebase to version 18.19.0
-- 
Gitee
From bf27083de0c65e1c6b8a74517ac06471f34d5516 Mon Sep 17 00:00:00 2001
From: Bo Liu
Date: Thu, 28 Sep 2023 11:20:51 +0800
Subject: [PATCH 2/3] Fixes CVE-2022-25883

Signed-off-by: Bo Liu
---
 nodejs.spec | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/nodejs.spec b/nodejs.spec
index 6776fe7..a9db32d 100644
--- a/nodejs.spec
+++ b/nodejs.spec
@@ -1,3 +1,4 @@
+%define anolis_release .0.1
 %global with_debug 0
 # PowerPC, s390x and aarch64 segfault during Debug builds
@@ -152,7 +153,7 @@ Name: nodejs
 Epoch: %{nodejs_epoch}
 Version: %{nodejs_version}
-Release: %{nodejs_release}%{?dist}
+Release: %{nodejs_release}%{anolis_release}%{?dist}
 Summary: JavaScript runtime
 License: MIT and ASL 2.0 and ISC and BSD
 Group: Development/Languages
@@ -732,6 +733,9 @@ end
 %changelog
+* Mon Apr 01 2024 Bo Liu - 1:18.19.1-1.0.1
+- Fixes CVE-2022-25883
+
 * Wed Feb 21 2024 Lukas Javorsky - 1:18.19.1-1
 - Rebase to version 18.19.1
 - Fix FIPS handling of the cmd-line options (RHBZ#2226726)
-- 
Gitee

From 1b74f33ffc58ca4c7af0fd8217eb62deb70b5b5c Mon Sep 17 00:00:00 2001
From: Zhao Hang
Date: Sat, 7 Oct 2023 16:47:43 +0800
Subject: [PATCH 3/3] spec: update requires and recommands

Signed-off-by: Zhao Hang
---
 nodejs.spec | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/nodejs.spec b/nodejs.spec
index a9db32d..2cca09c 100644
--- a/nodejs.spec
+++ b/nodejs.spec
@@ -304,9 +304,9 @@ Provides: bundled(ada) = %{ada_version}
 # Make sure we keep NPM up to date when we update Node.js
 %if 0%{?rhel} < 8
 # EPEL doesn't support Recommends, so make it strict
-Requires: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
+Requires: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{anolis_release}%{?dist}
 %else
-Recommends: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
+Recommends: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{anolis_release}%{?dist}
 %endif
 %description
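Review bot: Restoring `%{anolis_release}` in the main `Release:` line in the `@@ -152,7 +153,7 @@` hunk, without the matching subpackage updates, leaves the tree after this commit with an `npm` subpackage whose `Requires: nodejs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}` (and the `devel`, `full-i18n` and `docs` constraints) name a NEVR that is no longer built, so that intermediate state is uninstallable; the repair only lands in the next commit, "spec: update requires and recommands". Either squash the two or move the `Requires`/`Recommends`/`Conflicts` edits into this commit so every commit in the series builds an installable set. The subject claims "Fixes CVE-2022-25883", yet the hunks touch only the release suffix and the changelog; if the fix actually arrives with the rebased 18.19.1 sources, the changelog line should say so explicitly (e.g. `- Fixes CVE-2022-25883 (via rebase to 18.19.1)`), since nothing in this diff changes any source or patch. The `@@ -1,3 +1,4 @@` hunk on the same line re-adds the `%define anolis_release .0.1` that the first commit of this series removed, which is further evidence the series should be reordered or squashed.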
@@ -320,7 +320,7 @@ real-time applications that run across distributed devices.
 %package devel
 Summary: JavaScript runtime - development headers
 Group: Development/Languages
-Requires: %{name}%{?_isa} = %{epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
+Requires: %{name}%{?_isa} = %{epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist}
 Requires: openssl-devel%{?_isa}
 Requires: zlib-devel%{?_isa}
 Requires: brotli-devel%{?_isa}
@@ -336,7 +336,7 @@ Development headers for the Node.js JavaScript runtime.
 %package full-i18n
 Summary: Non-English locale data for Node.js
-Requires: %{name}%{?_isa} = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
+Requires: %{name}%{?_isa} = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist}
 %description full-i18n
 Optional data files to provide full-icu support for Node.js. Remove this
@@ -347,16 +347,16 @@ package to save space if non-English locales are not needed.
 Summary: Node.js Package Manager
 Epoch: %{npm_epoch}
 Version: %{npm_version}
-Release: %{npm_release}%{?dist}
+Release: %{npm_release}%{anolis_release}%{?dist}
 # We used to ship npm separately, but it is so tightly integrated with Node.js
 # (and expected to be present on all Node.js systems) that we ship it bundled
 # now.
 Obsoletes: npm < 0:3.5.4-6
 Provides: npm = %{npm_epoch}:%{npm_version}
-Requires: nodejs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
+Requires: nodejs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist}
 %if 0%{?fedora} || 0%{?rhel} >= 8
-Recommends: nodejs-docs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
+Recommends: nodejs-docs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist}
 %endif
 # Do not add epoch to the virtual NPM provides or it will break
@@ -376,8 +376,8 @@ BuildArch: noarch
 # We don't require that the main package be installed to
 # use the docs, but if it is installed, make sure the
 # version always matches
-Conflicts: %{name} > %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
-Conflicts: %{name} < %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
+Conflicts: %{name} > %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist}
+Conflicts: %{name} < %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{anolis_release}%{?dist}
 %description docs
 The API documentation for the Node.js JavaScript runtime.
@@ -735,6 +735,7 @@ end
 %changelog
 * Mon Apr 01 2024 Bo Liu - 1:18.19.1-1.0.1
 - Fixes CVE-2022-25883
+- update requires and recommands (wb-zh951434@alibaba-inc.com)
 * Wed Feb 21 2024 Lukas Javorsky - 1:18.19.1-1
 - Rebase to version 18.19.1
-- 
Gitee