From 7058008749c8b8186ea22d94c0fdaab295f84531 Mon Sep 17 00:00:00 2001
From: wangdi
Date: Thu, 20 Mar 2025 18:38:19 +0800
Subject: [PATCH] update path-to-regexp to 1.9.0 to resolve CVE-2024-45296
---
 cockpit-ovirt.spec | 8 ++++-
 path-to-regexp-1-9-0-update-patch | 55 +++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 path-to-regexp-1-9-0-update-patch
diff --git a/cockpit-ovirt.spec b/cockpit-ovirt.spec
index e5ab161..1e64f3f 100644
--- a/cockpit-ovirt.spec
+++ b/cockpit-ovirt.spec
@@ -11,11 +11,12 @@ Name: cockpit-ovirt
 Version: 0.15.0
-Release: 4
+Release: 5
 Summary: Dashboard for Cockpit based on %{product}
 License: ASL 2.0
 URL: https://gerrit.ovirt.org/gitweb?p=cockpit-ovirt.git;a=summary
 Source0: http://resources.ovirt.org/pub/src/%{name}/%{source_basename}.tar.gz
+Source1: path-to-regexp-1-9-0-update-patch
@@ -55,6 +56,8 @@ This package provides a Cockpit dashboard for use with %{product}.
 pushd dashboard
 source %{_datadir}/ovirt-engine-nodejs-modules/setup-env.sh
 popd
+# apply patch to update path-to-regexp to 1.9.0 to resolve CVE-2024-45296
+patch -p1 dashboard/node_modules/path-to-regexp/index.js < %{SOURCE1}
 %endif
 %build
@@ -92,6 +95,9 @@ install -dm 700 %{buildroot}%{_sharedstatedir}/ovirt-hosted-engine-setup/cockpit
 %dir %attr(700, root, root) %{_sharedstatedir}/ovirt-hosted-engine-setup/cockpit
 %changelog
+* Thu Mar 20 2025 wangdi - 0.15.0-5
+- update path-to-regexp to 1.9.0 to resolve CVE-2024-45296
+
 * Mon Apr 01 2024 yanjianqing - 0.15.0-4
 - Remove cockpit conf file
diff --git a/path-to-regexp-1-9-0-update-patch b/path-to-regexp-1-9-0-update-patch
new file mode 100644
index 0000000..cff9ade
--- /dev/null
+++ b/path-to-regexp-1-9-0-update-patch
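Review bot: The `patch -p1 dashboard/node_modules/path-to-regexp/index.js < %{SOURCE1}` line in the %build hunk rewrites index.js in place but, as far as the hunk shows, leaves that module's package.json version untouched, so dependency scanners that key on the declared version will presumably keep reporting CVE-2024-45296 even though the backtracking fix is present, and the Subject plus the %changelog entry "update path-to-regexp to 1.9.0" overstate what the build does. Consider either bumping the `version` field of that package.json in the same step or rewording the changelog to `- backport upstream fix for CVE-2024-45296 into path-to-regexp` so the installed tree, the SBOM and the changelog agree. With an explicit target file, `patch` ignores the paths in the diff header, so `-p1` is harmless but inert here. A comment such as `# applied after setup-env.sh populates node_modules, hence a Source rather than a Patch` would explain the unconventional placement to the next maintainer.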
@@ -0,0 +1,55 @@
+From 9a77cb23c729295ae34e68bbb6c99dc5576422e4 Mon Sep 17 00:00:00 2001
+From: Blake Embrey
+Date: Tue, 10 Sep 2024 13:40:51 -0700
+Subject: [PATCH] Add backtrack protection to 1.x release
+
+---
+ index.js | 13 +-
+ package-lock.json | 4226 ++++++++++++++++++++++++++++++++++++++++++++
+ package.json | 10 +-
+ test.ts => test.js | 28 +-
+ typings.json | 9 -
+ 5 files changed, 4250 insertions(+), 36 deletions(-)
+ create mode 100644 package-lock.json
+ rename test.ts => test.js (98%)
+ delete mode 100644 typings.json
+
+diff --git a/index.js b/index.js
+index e485afe..73cd8b5 100644
+--- a/index.js
++++ b/index.js
+@@ -72,8 +72,9 @@ function parse (str, options) {
+ var partial = prefix != null && next != null && next !== prefix
+ var repeat = modifier === '+' || modifier === '*'
+ var optional = modifier === '?' || modifier === '*'
+- var delimiter = res[2] || defaultDelimiter
++ var delimiter = prefix || defaultDelimiter
+ var pattern = capture || group
++ var prevText = prefix || (typeof tokens[tokens.length - 1] === 'string' ? tokens[tokens.length - 1] : '')
+
+ tokens.push({
+ name: name || key++,
+@@ -83,7 +84,7 @@ function parse (str, options) {
+ repeat: repeat,
+ partial: partial,
+ asterisk: !!asterisk,
+- pattern: pattern ? escapeGroup(pattern) : (asterisk ? '.*' : '[^' + escapeString(delimiter) + ']+?')
++ pattern: pattern ? escapeGroup(pattern) : (asterisk ? '.*' : restrictBacktrack(delimiter, prevText))
+ })
+ }
+
+@@ -100,6 +101,14 @@ function parse (str, options) {
+ return tokens
+ }
+
++function restrictBacktrack(delimiter, prevText) {
++ if (!prevText || prevText.indexOf(delimiter) > -1) {
++ return '[^' + escapeString(delimiter) + ']+?'
++ }
++
++ return escapeString(prevText) + '|(?:(?!' + escapeString(prevText) + ')[^' + escapeString(delimiter) + '])+?'
++}
++
+ /**
+ * Compile a string to a template function for the path.
+ *
-- Gitee
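Review bot: The diffstat inside the embedded patch (`package-lock.json | 4226 ...`, `5 files changed, 4250 insertions(+), 36 deletions(-)`, the rename and delete lines) describes the whole upstream commit while only the index.js hunks follow, so anyone checking the header against the body will conclude the file was truncated; trim the stat block to `index.js | 13 +-` and `1 file changed, 11 insertions(+), 2 deletions(-)`, or add a line above `From` stating that this carries only the index.js part of upstream 9a77cb23 (`patch` skips leading text). It is worth recording in that same header that `restrictBacktrack` is conditional: when `prevText` is empty or already contains the delimiter it returns the pre-fix `[^delim]+?` pattern and only otherwise emits the negative-lookahead form, so the ReDoS hardening applies to parameters that follow literal text not containing the delimiter, which is presumably the scope upstream intended. The enclosing `parse` function starts and ends outside these hunks.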