From e4ea0fd5713bbc7130d681f5decd62767ebe8a5f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E7=BF=BC?=
Date: Fri, 15 Aug 2025 13:57:10 +0800
Subject: [PATCH] fix CVE-2025-47279

---
 CVE-2025-47279.patch | 39 +++++++++++++++++++++++++++++++++++++++
 nodejs.spec | 9 ++++++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-47279.patch

diff --git a/CVE-2025-47279.patch b/CVE-2025-47279.patch
new file mode 100644
index 0000000..36fbb2f
--- /dev/null
+++ b/CVE-2025-47279.patch
@@ -0,0 +1,39 @@
+From f317618ec28753a4218beccea048bcf89c36db25 Mon Sep 17 00:00:00 2001
+From: Matteo Collina
+Date: Wed, 12 Mar 2025 17:07:10 +0100
+Subject: [PATCH] Removed clients with unrecoverable errors from the Pool
+ (#4088)
+
+---
+ lib/dispatcher/pool.js | 14 ++
+ test/pool-connection-error-memory-leak.js | 158 ++++++++++++++++
+ test/tls-cert-leak.js | 209 ++++++++++++++++++++++
+ 3 files changed, 381 insertions(+)
+ create mode 100644 test/pool-connection-error-memory-leak.js
+ create mode 100644 test/tls-cert-leak.js
+
+diff --git a/deps/undici/src/lib/dispatcher/pool.js b/deps/undici/src/lib/dispatcher/pool.js
+index d80cf1274f9..14175cf4a18 100644
+--- a/deps/undici/src/lib/dispatcher/pool.js
++++ b/deps/undici/src/lib/dispatcher/pool.js
+@@ -70,6 +70,20 @@ class Pool extends PoolBase {
+ ? { ...options.interceptors }
+ : undefined
+ this[kFactory] = factory
++
++ this.on('connectionError', (origin, targets, error) => {
++ // If a connection error occurs, we remove the client from the pool,
++ // and emit a connectionError event. They will not be re-used.
++ // Fixes https://github.com/nodejs/undici/issues/3895
++ for (const target of targets) {
++ // Do not use kRemoveClient here, as it will close the client,
++ // but the client cannot be closed in this state.
++ const idx = this[kClients].indexOf(target)
++ if (idx !== -1) {
++ this[kClients].splice(idx, 1)
++ }
++ }
++ })
+ }
+
+ [kGetDispatcher] () {
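Review bot: The backported patch rewrites only `deps/undici/src/lib/dispatcher/pool.js`; as far as I know Node's tree also carries a prebuilt undici bundle next to `deps/undici/src`, and it is that bundle, not `src`, that the build embeds into the binary, so unless this build regenerates the bundle from `src` the `connectionError` handler added in the hunk never reaches the shipped `node` and the CVE-2025-47279 fix is a no-op at runtime. This is worth confirming before release, for example by checking the undici file that ends up under the built `lib/internal` tree for the `this.on('connectionError'` string. Separately, the embedded upstream header still says `3 files changed, 381 insertions(+)` and lists two `create mode` test files, but the body carries only the 14-line pool.js hunk, so the upstream regression tests were dropped and the header is stale; either trim the header to match the body or carry the tests so the leak fix is exercised. The enclosing Pool constructor starts and ends outside the hunk.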
diff --git a/nodejs.spec b/nodejs.spec
index d4fd235..a1be537 100644
--- a/nodejs.spec
+++ b/nodejs.spec
@@ -1,4 +1,4 @@
-%global baserelease 4
+%global baserelease 5
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
 %global nodejs_epoch 1
 %global nodejs_major 20
@@ -81,6 +81,9 @@ Patch5: CVE-2025-23165.patch
 Patch6: CVE-2025-23166.patch
 Patch7: add-sw64-support-20.18.2.patch
+# Reference:https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25
+Patch8: CVE-2025-47279.patch
+
 
 BuildRequires: python3-devel python3-setuptools make
 BuildRequires: zlib-devel python3-jinja2
 BuildRequires: brotli-devel python3-unversioned-command
@@ -217,6 +220,7 @@ The API documentation for the Node.js JavaScript runtime.
 %ifarch sw_64
 %patch -P7 -p1
 %endif
+%patch -P8 -p1
 
 rm -rf deps/zlib
 rm -rf deps/brotli
@@ -421,6 +425,9 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
 %{_pkgdocdir}/npm/docs
 
 %changelog
+* Fri Aug 15 2025 Zhang Yi - 1:20.18.2-5
+- fix CVE-2025-47279
+
 * Tue Jul 22 2025 swcompiler - 1:20.18.2-4
 - add sw64 support of node-v20.18.2 in openEuler-24.03-LTS-SP2
 
-- 
Gitee
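Review bot: Nothing in the spec verifies that the source file patched by `%patch -P8 -p1` is what the build actually ships, so a patch that lands in the undici source tree but not in the bundle Node embeds would build cleanly and still leave the CVE open; a one-line presence check in `%check` for the added `connectionError` handler in the installed undici file, or at least a comment on `Patch8` stating which file must carry the fix, would turn that silent no-op into a build failure. The placement itself is right: `%patch -P8 -p1` sits after the `%endif` of the sw_64-only Patch7 and so applies on every architecture. Style: the reference comment is missing a space after the colon, `# Reference: https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25`.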