From 203c69a39ce96159c39516d4b8a4fc49774de9a7 Mon Sep 17 00:00:00 2001
From: wang--ge
Date: Mon, 6 Jan 2025 17:03:16 +0800
Subject: [PATCH] fix CVE in third-party plugin
(cherry picked from commit a02f2c7418c296b221ff15127ad2afffaab540e4)
---
 CVE-2023-45853.patch | 36 +++++++++++++++
 CVE-2024-5274.patch | 38 ++++++++++++++++
 CVE-2024-5535.patch | 94 ++++++++++++++++++++++++++++++++++++++++
 CVE-2024-7971.patch | 101 +++++++++++++++++++++++++++++++++++++++++++
 nodejs.spec | 12 ++++-
 5 files changed, 280 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-45853.patch
 create mode 100644 CVE-2024-5274.patch
 create mode 100644 CVE-2024-5535.patch
 create mode 100644 CVE-2024-7971.patch
diff --git a/CVE-2023-45853.patch b/CVE-2023-45853.patch
new file mode 100644
index 0000000..676c1cb
--- /dev/null
+++ b/CVE-2023-45853.patch
@@ -0,0 +1,36 @@
+From 73331a6a0481067628f065ffe87bb1d8f787d10c Mon Sep 17 00:00:00 2001
+From: Hans Wennborg
+Date: Fri, 18 Aug 2023 11:05:33 +0200
+Subject: [PATCH] Reject overflows of zip header fields in minizip.
+
+This checks the lengths of the file name, extra field, and comment
+that would be put in the zip headers, and rejects them if they are
+too long. They are each limited to 65535 bytes in length by the zip
+format. This also avoids possible buffer overflows if the provided
+fields are too long.
+---
+ deps/v8/third_party/zlib/contrib/minizip/zip.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/deps/v8/third_party/zlib/contrib/minizip/zip.c b/deps/v8/third_party/zlib/contrib/minizip/zip.c
+index 3d3d4cadd..0446109b2 100644
+--- a/deps/v8/third_party/zlib/contrib/minizip/zip.c
++++ b/deps/v8/third_party/zlib/contrib/minizip/zip.c
+@@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename, c
+ return ZIP_PARAMERROR;
+ #endif
+ 
++ // The filename and comment length must fit in 16 bits.
++ if ((filename!=NULL) && (strlen(filename)>0xffff))
++ return ZIP_PARAMERROR;
++ if ((comment!=NULL) && (strlen(comment)>0xffff))
++ return ZIP_PARAMERROR;
++ // The extra field length must fit in 16 bits. If the member also requires
++ // a Zip64 extra block, that will also need to fit within that 16-bit
++ // length, but that will be checked for later.
++ if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff))
++ return ZIP_PARAMERROR;
++ 
+ zi = (zip64_internal*)file;
+ 
+ if (zi->in_opened_file_inzip == 1)
diff --git a/CVE-2024-5274.patch b/CVE-2024-5274.patch
new file mode 100644
index 0000000..17eb19a
--- /dev/null
+++ b/CVE-2024-5274.patch
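Review bot: The guard is added to `deps/v8/third_party/zlib/contrib/minizip/zip.c`, but Patch0 in nodejs.spec is `0001-Use-system-uv-zlib.patch`, which suggests the package links the system zlib; if V8's vendored minizip is not compiled into this build, the patch applies cleanly yet changes nothing in the shipped binary, and whether CVE-2023-45853 is fixed then depends on the system zlib package instead. Worth confirming which zlib copy is actually built before the changelog records the CVE as fixed here. The checks themselves read correctly: `strlen()` is evaluated only after the `NULL` tests, and both extra-field sizes are bounded before any header is written. The enclosing `zipOpenNewFileInZip4_64` starts and ends outside the hunk.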
@@ -0,0 +1,38 @@
+From f79f2d4458557b78e390276cd39f88941ea2d6a9 Mon Sep 17 00:00:00 2001
+From: Shu-yu Guo
+Date: Fri, 3 Jan 2025 17:32:00 +0800
+Subject: [PATCH] [parser] Using FunctionParsingScope for parsing class static
+
+---
+ deps/v8/src/ast/scopes.cc | 2 +-
+ deps/v8/src/parsing/parser-base.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/deps/v8/src/ast/scopes.cc b/deps/v8/src/ast/scopes.cc
+index cd8be1ca..1cbeaaca 100644
+--- a/deps/v8/src/ast/scopes.cc
++++ b/deps/v8/src/ast/scopes.cc
+@@ -2420,7 +2420,7 @@ bool Scope::MustAllocate(Variable* var) {
+ var->set_is_used();
+ if (inner_scope_calls_eval_ && !var->is_this()) var->SetMaybeAssigned();
+ }
+- DCHECK(!var->has_forced_context_allocation() || var->is_used());
++ CHECK(!var->has_forced_context_allocation() || var->is_used());
+ // Global variables do not need to be allocated.
+ return !var->IsGlobalObjectProperty() && var->is_used();
+ }
+diff --git a/deps/v8/src/parsing/parser-base.h b/deps/v8/src/parsing/parser-base.h
+index cfba92d7..efefb37f 100644
+--- a/deps/v8/src/parsing/parser-base.h
++++ b/deps/v8/src/parsing/parser-base.h
+@@ -2611,6 +2611,7 @@ typename ParserBase::BlockT ParserBase::ParseClassStaticBlock(
+ }
+ 
+ FunctionState initializer_state(&function_state_, &scope_, initializer_scope);
++ FunctionParsingScope body_parsing_scope(impl());
+ AcceptINScope accept_in(this, true);
+ 
+ // Each static block has its own var and lexical scope, so make a new var
+-- 
+2.43.0
+
diff --git a/CVE-2024-5535.patch b/CVE-2024-5535.patch
new file mode 100644
index 0000000..138abc7
--- /dev/null
+++ b/CVE-2024-5535.patch
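Review bot: The patch carries no description and no upstream reference — the body between `Subject:` and `---` is empty and the `From:`/`Date:` header shows the backport date (3 Jan 2025), so a reader cannot tell which V8 change this is or why the `DCHECK` in `Scope::MustAllocate` becomes a `CHECK`. The same gap exists in CVE-2024-5535.patch and CVE-2024-7971.patch. Suggest a short body after the Subject line along the lines of `Backport of the upstream V8 fix for CVE-2024-5274 (upstream commit: <UPSTREAM-COMMIT-PLACEHOLDER>). The DCHECK->CHECK change makes the forced-context-allocation invariant abort in release builds instead of being silently skipped.` Stating that explicitly matters because `CHECK` terminates the process in release builds; that is presumably the intended defence in depth, but without a note it reads like a stray debug change.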
@@ -0,0 +1,94 @@
+From 177b1485da2fc0130dc549abb227320b4463797c Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Fri, 3 Jan 2025 16:37:37 +0800
+Subject: [PATCH] Fix SSL_select_next_proto
+
+---
+ deps/openssl/openssl/ssl/ssl_lib.c | 63 +++++++++++++++++++-----------
+ 1 file changed, 40 insertions(+), 23 deletions(-)
+
+diff --git a/deps/openssl/openssl/ssl/ssl_lib.c b/deps/openssl/openssl/ssl/ssl_lib.c
+index 20ddf8d2..4f69117b 100644
+--- a/deps/openssl/openssl/ssl/ssl_lib.c
++++ b/deps/openssl/openssl/ssl/ssl_lib.c
+@@ -3037,37 +3037,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
+ unsigned int server_len,
+ const unsigned char *client, unsigned int client_len)
+ {
+- unsigned int i, j;
+- const unsigned char *result;
+- int status = OPENSSL_NPN_UNSUPPORTED;
++ PACKET cpkt, csubpkt, spkt, ssubpkt;
++ 
++ if (!PACKET_buf_init(&cpkt, client, client_len)
++ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
++ || PACKET_remaining(&csubpkt) == 0) {
++ *out = NULL;
++ *outlen = 0;
++ return OPENSSL_NPN_NO_OVERLAP;
++ }
++ 
++ /*
++ * Set the default opportunistic protocol. Will be overwritten if we find
++ * a match.
++ */
++ *out = (unsigned char *)PACKET_data(&csubpkt);
++ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
+ 
+ /*
+ * For each protocol in server preference order, see if we support it. 
+ */
+- for (i = 0; i < server_len;) {
+- for (j = 0; j < client_len;) {
+- if (server[i] == client[j] &&
+- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
+- /* We found a match */
+- result = &server[i];
+- status = OPENSSL_NPN_NEGOTIATED;
+- goto found;
++ if (PACKET_buf_init(&spkt, server, server_len)) {
++ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
++ if (PACKET_remaining(&ssubpkt) == 0)
++ continue; /* Invalid - ignore it */
++ if (PACKET_buf_init(&cpkt, client, client_len)) {
++ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
++ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
++ PACKET_remaining(&ssubpkt))) {
++ /* We found a match */
++ *out = (unsigned char *)PACKET_data(&ssubpkt);
++ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
++ return OPENSSL_NPN_NEGOTIATED;
++ }
++ }
++ /* Ignore spurious trailing bytes in the client list */
++ } else {
++ /* This should never happen */
++ return OPENSSL_NPN_NO_OVERLAP;
+ }
+- j += client[j];
+- j++;
+ }
+- i += server[i];
+- i++;
++ /* Ignore spurious trailing bytes in the server list */
+ }
+ 
+- /* There's no overlap between our protocols and the server's list. */
+- result = client;
+- status = OPENSSL_NPN_NO_OVERLAP;
+-
+- found:
+- *out = (unsigned char *)result + 1;
+- *outlen = result[0];
+- return status;
++ /*
++ * There's no overlap between our protocols and the server's list. We use
++ * the default opportunistic protocol selected earlier
++ */
++ return OPENSSL_NPN_NO_OVERLAP;
+ }
+ 
+ #ifndef OPENSSL_NO_NEXTPROTONEG
+-- 
+2.43.0
+
diff --git a/CVE-2024-7971.patch b/CVE-2024-7971.patch
new file mode 100644
index 0000000..cc0b8df
--- /dev/null
+++ b/CVE-2024-7971.patch
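Review bot: The rewritten `SSL_select_next_proto` can now return `OPENSSL_NPN_NO_OVERLAP` with `*out = NULL` and `*outlen = 0` (the early exit when the client list is empty or malformed), which the old code never did, so every in-tree caller that copies `*outlen` bytes from `*out` on the NO_OVERLAP path — the NPN client-side handling in particular — must tolerate a zero-length selection. Upstream addressed this CVE with the ssl_lib.c rewrite plus follow-up commits adjusting the NPN/ALPN callers for a zero-length result; only the ssl_lib.c part is carried here, so confirm the bundled OpenSSL's callers do not need those follow-ups. The new code also depends on the `PACKET_*` helpers and the hunk adds no include, so `ssl_lib.c` in this tree must already include `internal/packet.h`; a build will tell. Re-running `PACKET_buf_init(&cpkt, ...)` for every server entry is what keeps the inner scan correct after the previous iteration exhausted `cpkt`, and deserves a one-line comment, e.g. `/* Re-initialise the client packet for each server candidate */`.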
@@ -0,0 +1,101 @@
+From b03d043bdc5abb867ef3d937f116dcb576e774e0 Mon Sep 17 00:00:00 2001
+From: Clemens Backes
+Date: Fri, 3 Jan 2025 16:13:32 +0800
+Subject: [PATCH] [wasm] Spill all loop inputs before entering loop
+
+---
+ .../v8/src/wasm/baseline/liftoff-assembler.cc | 35 +++++-------------
+ deps/v8/src/wasm/baseline/liftoff-assembler.h | 6 ++--
+ deps/v8/src/wasm/baseline/liftoff-compiler.cc | 2 +-
+ 3 files changed, 12 insertions(+), 31 deletions(-)
+
+diff --git a/deps/v8/src/wasm/baseline/liftoff-assembler.cc b/deps/v8/src/wasm/baseline/liftoff-assembler.cc
+index 29120dd0..29ab4714 100644
+--- a/deps/v8/src/wasm/baseline/liftoff-assembler.cc
++++ b/deps/v8/src/wasm/baseline/liftoff-assembler.cc
+@@ -764,29 +764,10 @@ void LiftoffAssembler::DropExceptionValueAtOffset(int offset) {
+ cache_state_.stack_state.pop_back();
+ }
+ 
+-void LiftoffAssembler::PrepareLoopArgs(int num) {
+- for (int i = 0; i < num; ++i) {
+- VarState& slot = cache_state_.stack_state.end()[-1 - i];
+- if (slot.is_stack()) continue;
+- RegClass rc = reg_class_for(slot.kind());
+- if (slot.is_reg()) {
+- if (cache_state_.get_use_count(slot.reg()) > 1) {
+- // If the register is used more than once, we cannot use it for the
+- // merge. Move it to an unused register instead. 
+- LiftoffRegList pinned;
+- pinned.set(slot.reg());
+- LiftoffRegister dst_reg = GetUnusedRegister(rc, pinned);
+- Move(dst_reg, slot.reg(), slot.kind());
+- cache_state_.dec_used(slot.reg());
+- cache_state_.inc_used(dst_reg);
+- slot.MakeRegister(dst_reg);
+- }
+- continue;
+- }
+- LiftoffRegister reg = GetUnusedRegister(rc, {});
+- LoadConstant(reg, slot.constant());
+- slot.MakeRegister(reg);
+- cache_state_.inc_used(reg);
++void LiftoffAssembler::SpillLoopArgs(int num) {
++ for (VarState& slot :
++ base::VectorOf(cache_state_.stack_state.end() - num, num)) {
++ Spill(&slot);
+ }
+ }
+ 
+@@ -978,14 +959,14 @@ void LiftoffAssembler::Spill(VarState* slot) {
+ }
+ 
+ void LiftoffAssembler::SpillLocals() {
+- for (uint32_t i = 0; i < num_locals_; ++i) {
+- Spill(&cache_state_.stack_state[i]);
++ for (VarState& local_slot :
++ base::VectorOf(cache_state_.stack_state.data(), num_locals_)) {
++ Spill(&local_slot);
+ }
+ }
+ 
+ void LiftoffAssembler::SpillAllRegisters() {
+- for (uint32_t i = 0, e = cache_state_.stack_height(); i < e; ++i) {
+- auto& slot = cache_state_.stack_state[i];
++ for (VarState& slot : cache_state_.stack_state) {
+ if (!slot.is_reg()) continue;
+ Spill(slot.offset(), slot.reg(), slot.kind());
+ slot.MakeStack();
+diff --git a/deps/v8/src/wasm/baseline/liftoff-assembler.h b/deps/v8/src/wasm/baseline/liftoff-assembler.h
+index aef63c64..d5c3b056 100644
+--- a/deps/v8/src/wasm/baseline/liftoff-assembler.h
++++ b/deps/v8/src/wasm/baseline/liftoff-assembler.h
+@@ -549,9 +549,9 @@ class LiftoffAssembler : public MacroAssembler {
+ // the bottom of the stack.
+ void DropExceptionValueAtOffset(int offset);
+ 
+- // Ensure that the loop inputs are either in a register or spilled to the
+- // stack, so that we can merge different values on the back-edge.
+- void PrepareLoopArgs(int num);
++ // Spill all loop inputs to the stack to free registers and to ensure that we
++ // can merge different values on the back-edge. 
++ void SpillLoopArgs(int num);
+ 
+ V8_INLINE static int NextSpillOffset(ValueKind kind, int top_spill_offset) {
+ int offset = top_spill_offset + SlotSizeForType(kind);
+diff --git a/deps/v8/src/wasm/baseline/liftoff-compiler.cc b/deps/v8/src/wasm/baseline/liftoff-compiler.cc
+index f0887de7..9aed6ddd 100644
+--- a/deps/v8/src/wasm/baseline/liftoff-compiler.cc
++++ b/deps/v8/src/wasm/baseline/liftoff-compiler.cc
+@@ -1262,7 +1262,7 @@ class LiftoffCompiler {
+ // pre-analysis of the function.
+ __ SpillLocals();
+ 
+- __ PrepareLoopArgs(loop->start_merge.arity);
++ __ SpillLoopArgs(loop->start_merge.arity);
+ 
+ // Loop labels bind at the beginning of the block.
+ __ bind(loop->label.get());
+-- 
+2.43.0
+
diff --git a/nodejs.spec b/nodejs.spec
index ff3bbd7..f262156 100644
--- a/nodejs.spec
+++ b/nodejs.spec
@@ -1,4 +1,4 @@
-%global baserelease 2
+%global baserelease 3
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
 %global nodejs_epoch 1
 %global nodejs_major 20
@@ -80,6 +80,10 @@ Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_majo
 Source4: nodejs_native.attr
 Patch0: 0001-Use-system-uv-zlib.patch
+Patch1: CVE-2023-45853.patch
+Patch2: CVE-2024-5274.patch
+Patch3: CVE-2024-5535.patch
+Patch4: CVE-2024-7971.patch
 BuildRequires: python3-devel python3-setuptools make
 BuildRequires: zlib-devel python3-jinja2
@@ -409,6 +413,12 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
 %{_pkgdocdir}/npm/docs
 %changelog
+* Mon Jan 06 2025 Ge Wang - 1:20.12.1-3
+- CVE-2023-45853 - Reject overflows of zip header fields in minizip
+- CVE-2024-5274 - Using FunctionParsingScope for parsing class static
+- CVE-2024-5535 - Fix SSL_select_next_proto
+- CVE-2024-7971 - Spill all loop inputs before entering loop
+
 * Fri Nov 29 2024 jchzhou - 1:20.12.1-2
 - fix building w/ clang: only apply '-fno-ipa-icf' for gcc && disable LTO for clang + ld.bfd
 - improve the handling of trilling whitespaces in C/CXXFLAGS
-- 
Gitee
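Review bot: `SpillLoopArgs` calls `Spill(&slot)` on every loop input regardless of where it currently lives, whereas the removed `PrepareLoopArgs` skipped slots with `slot.is_stack()`; this is only correct if `Spill(VarState*)` is itself a no-op for slots already on the stack, and that function's body is outside the hunk (only its closing brace at `@@ -978,14 +959,14 @@` is visible). `SpillLocals` already relies on the same property, so it is most likely fine, but a one-line comment on `SpillLoopArgs` such as `// Spill() leaves slots that are already on the stack untouched.` would make the dependency explicit. `SpillAllRegisters` also switches from iterating `0..stack_height()` to ranging over all of `cache_state_.stack_state`; that is equivalent only if `stack_height()` always equals `stack_state.size()`, which cannot be verified from the hunk. The `.h` comment and the `liftoff-compiler.cc` call site are updated consistently with the rename.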
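Review bot: `Patch1:`–`Patch4:` are declared, but the `%prep` section is outside this diff, so it is not visible whether patches are applied with `%autosetup -p1` (which picks up new `PatchN:` tags automatically) or with explicit per-patch lines that would need four additions; in the latter case the new patches are listed and recorded in the changelog without ever being applied. Please confirm `%prep` applies them — the build log should show each `CVE-*.patch` name — before the changelog entry is taken as meaning the CVEs are fixed in this build. The `baserelease` bump to 3 and the `1:20.12.1-3` changelog entry are consistent with each other.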