diff --git a/backport-CVE-2018-16487-CVE-2018-3721-CVE-2019-10744-CVE-2020-8203.patch b/backport-CVE-2018-16487-CVE-2018-3721-CVE-2019-10744-CVE-2020-8203.patch
new file mode 100644
index 0000000000000000000000000000000000000000..09290c54927e8719925971f0b9df8f69ca439529
--- /dev/null
+++ b/backport-CVE-2018-16487-CVE-2018-3721-CVE-2019-10744-CVE-2020-8203.patch
@@ -0,0 +1,89 @@
+From 4cc82eb7d49f511f97174a389aa318c5d33ab691 Mon Sep 17 00:00:00 2001
+From: root
+Date: Tue, 13 Jun 2023 20:15:35 +0800
+Subject: [PATCH] CVE-2018-16487-CVE-2018-3721-CVE-2019-10744-CVE-2020-8203
+
+---
+ lodash.src.js | 32 ++++++++++++++++++++++++++++----
+ 1 file changed, 28 insertions(+), 4 deletions(-)
+
+diff --git a/lodash.src.js b/lodash.src.js
+index 1855c28..6df3879 100644
+--- a/lodash.src.js
++++ b/lodash.src.js
+@@ -2494,7 +2494,7 @@
+ arrayEach(props || source, function(srcValue, key) {
+ if (props) {
+ key = srcValue;
+- srcValue = source[key];
++ srcValue = safeGet(source, key);
+ }
+ if (isObjectLike(srcValue)) {
+ stackA || (stackA = []);
+@@ -2502,7 +2502,7 @@
+ baseMergeDeep(object, source, key, baseMerge, customizer, stackA, stackB);
+ }
+ else {
+- var value = object[key],
++ var value = safeGet(object, key),
+ result = customizer ? customizer(value, srcValue, key, object, source) : undefined,
+ isCommon = result === undefined;
+
+@@ -2535,7 +2535,7 @@
+ */
+ function baseMergeDeep(object, source, key, mergeFunc, customizer, stackA, stackB) {
+ var length = stackA.length,
+- srcValue = source[key];
++ srcValue = safeGet(source, key);
+
+ while (length--) {
+ if (stackA[length] == srcValue) {
+@@ -2543,7 +2543,7 @@
+ return;
+ }
+ }
+- var value = object[key],
++ var value = safeGet(object, key),
+ result = customizer ? customizer(value, srcValue, key, object, source) : undefined,
+ isCommon = result === undefined;
+
+@@ -4466,6 +4466,25 @@
+ return array;
+ }
+
++ /* Gets the value at `key`, unless `key` is "__proto__" or "constructor".
++ *
++ * @private
++ * @param {Object} object The object to query.
++ * @param {string} key The key of the property to get.
++ * @returns {*} Returns the property value.
++ */
++ function safeGet(object, key) {
++ if (key === 'constructor' && typeof object[key] === 'function') {
++ return;
++ }
++
++ if (key == '__proto__') {
++ return;
++ }
++ return object[key];
++ }
++
++
+ /**
+ * Sets metadata for `func`.
+ *
+@@ -10166,6 +10185,11 @@
+
+ while (nested != null && ++index < length) {
+ var key = path[index];
++
++ if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
++ return object;
++ }
++
+ if (isObject(nested)) {
+ if (index == lastIndex) {
+ nested[key] = value;
+--
+2.33.0
\ No newline at end of file
diff --git a/lodash.spec b/lodash.spec
index b21792b37d867f8f10fd927d972ad702bb717733..4d11143334202a58e32c6bb94e622543cfdeba35 100644
--- a/lodash.spec
+++ b/lodash.spec
@@ -1,7 +1,7 @@
 %{?nodejs_find_provides_and_requires}
 Name: lodash
 Version: 3.10.1
-Release: 1
+Release: 2
 Summary: A JavaScript utility library
 License: MIT
 URL: https://lodash.com/
@@ -12,6 +12,7 @@ Source3: https://raw.githubusercontent.com/lodash/lodash-compat/%{ve
 Source4: https://raw.githubusercontent.com/lodash/lodash-node/%{version}/package.json#/%{name}-node-package.json
 Source5: %{name}-modules.txt
 Source6: %{name}-modules-2.txt
+Patch6000: backport-CVE-2018-16487-CVE-2018-3721-CVE-2019-10744-CVE-2020-8203.patch
 BuildArch: noarch
 BuildRequires: nodejs-packaging >= 7-5 web-assets-devel
 BuildRequires: npm(closure-compiler) npm(glob) npm(uglify-js) >= 2.4.13 npm(semver)
@@ -113,6 +114,7 @@ end}
 %prep
 %setup -q -T -b 0 -a 1
+%patch6000 -p1
 rm -rf lodash.js lodash.min.js node_modules vendor
 pushd %{name}-cli-%{version}
 %nodejs_fixdep closure-compiler "^0.2.6"
@@ -207,5 +209,8 @@ popd
 %{_bindir}/lodash
 %changelog
+* Thu Dec 28 2023 chenbo - 3.10.1-2
+- Fix CVE-2018-16487C,VE-2018-3721,CVE-2019-10744,CVE-2020-8203
+
 * Fri Aug 21 2020 Jeffery.Gao - 3.10.1-1
 - Package init
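Review bot: The doc comment added for `safeGet` in the `@@ -4466,6 +4466,25 @@` hunk opens with `/*` rather than `/**`, unlike the `/**` header of the "Sets metadata for func" block directly below it, so it is not a JSDoc block like the rest of the file; change `/* Gets the value at ...` to `/** Gets the value at ...`. Inside the same function the `'__proto__'` test uses loose equality while the `'constructor'` test two lines above uses strict equality; `if (key === '__proto__') {` makes the two guards consistent, and since the keys reaching these call sites appear to be property-name strings this should not change behaviour. The patch itself is authored as `From: root` with a Subject that is only a list of CVE ids and no pointer to the upstream lodash commits it backports, so a maintainer cannot easily verify the backport against upstream; a body line of the form `Reference: <upstream commit URL>` under the Subject would fix that. The guarded `while` loop in the `@@ -10166,6 +10185,11 @@` hunk belongs to a function whose start and end lie outside the hunk, so whether every deep-set path in 3.10.1 passes through this check cannot be confirmed from the patch alone.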
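Review bot: The new %changelog entry garbles the first two CVE identifiers: in `- Fix CVE-2018-16487C,VE-2018-3721,CVE-2019-10744,CVE-2020-8203` the comma is shifted one character to the right, so neither `CVE-2018-16487` nor `CVE-2018-3721` appears as a well-formed id, and anything that matches CVE ids in the changelog (advisory tooling, update notes) would miss them. Change the line to `- Fix CVE-2018-16487,CVE-2018-3721,CVE-2019-10744,CVE-2020-8203`.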