From 7e97572d76de57ae172ea6f99c099965574384b8 Mon Sep 17 00:00:00 2001
From: wangxiao65 <287608437@qq.com>
Date: Tue, 15 Dec 2020 14:10:29 +0800
Subject: [PATCH] fix CVE-2020-8252

---
 CVE-2020-8252.patch | 45 +++++++++++++++++++++++++++++++++++++++++++++
 nodejs.spec         |  6 +++++-
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-8252.patch

diff --git a/CVE-2020-8252.patch b/CVE-2020-8252.patch
new file mode 100644
index 0000000..de3ca91
--- /dev/null
+++ b/CVE-2020-8252.patch
@@ -0,0 +1,45 @@
+From 0e6e8620496dff0eb285589ef1e37a7f407f3ddd Mon Sep 17 00:00:00 2001
+From: Ben Noordhuis <info@bnoordhuis.nl>
+Date: Mon, 24 Aug 2020 11:42:27 +0200
+Subject: [PATCH] unix: don't use _POSIX_PATH_MAX
+
+Libuv was using _POSIX_PATH_MAX wrong. Bug introduced in commit b56d279b
+("unix: do not require PATH_MAX to be defined") from September 2018.
+
+_POSIX_PATH_MAX is the minimum max path size guaranteed by POSIX, not
+the actual max path size of the system libuv runs on. _POSIX_PATH_MAX
+is always 256, the real max is often much bigger.
+
+This commit fixes buffer overruns when processing very long paths in
+uv_fs_readlink() and uv_fs_realpath() because libuv was not allocating
+enough memory to store the result.
+
+Fixes: https://github.com/libuv/libuv/issues/2965
+PR-URL: https://github.com/libuv/libuv/pull/2966
+Reviewed-By: Richard Lau <riclau@uk.ibm.com>
+Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
+Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
+Reviewed-By: Jameson Nash <vtjnash@gmail.com>
+---
+
+ deps/uv/src/unix/internal.h | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/deps/uv/src/unix/internal.h b/deps/uv/src/unix/internal.h
+index 47f2200..82f7bc9 100644
+--- a/deps/uv/src/unix/internal.h
++++ b/deps/uv/src/unix/internal.h
+@@ -61,9 +61,7 @@
+ # include <AvailabilityMacros.h>
+ #endif
+ 
+-#if defined(_POSIX_PATH_MAX)
+-# define UV__PATH_MAX _POSIX_PATH_MAX
+-#elif defined(PATH_MAX)
++#if defined(PATH_MAX)
+ # define UV__PATH_MAX PATH_MAX
+ #else
+ # define UV__PATH_MAX 8192
+-- 
+2.23.0
+
diff --git a/nodejs.spec b/nodejs.spec
index f311c71..8978428 100644
--- a/nodejs.spec
+++ b/nodejs.spec
@@ -1,5 +1,5 @@
 %bcond_with bootstrap
-%global baserelease 1
+%global baserelease 2
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
 %global nodejs_epoch 1
 %global nodejs_major 12
@@ -84,6 +84,7 @@ Patch0002: 0002-Install-both-binaries-and-use-libdir.patch
 %ifarch aarch64
 Patch0003: 0003-Modify-openEuler-aarch64-v8_os_page_size-to-64.patch
 %endif
+Patch0004: CVE-2020-8252.patch
 
 BuildRequires: python3-devel
 BuildRequires: zlib-devel
@@ -486,6 +487,9 @@ end
 %{_pkgdocdir}/npm/docs
 
 %changelog
+* Tue Dec 15 2020 wangxiao <wangxiao65@huawei.com> - 1:12.18.4-2
+- fix CVE-2020-8252
+
 * Wed Nov 18 2020 lingsheng <lingsheng@huawei.com> - 1:12.18.4-1
 - Update to 12.18.4
 
-- 
Gitee