Accepting request 1118117 from home:dziobian:gulgul-ultron:19

- Add backported security patches: * CVE-2023-38552 bsc#1216272 CVE-2023-38552-node-integrity-checks-according-to-policies.patch * CVE-2023-39333 bsc#1216273 CVE-2023-39333-node-create_dynamic_module-code-injection.patch * CVE-2023-45143 bsc#1216205 CVE-2023-45143-undici-cookie-leakage.patch - Build against Wayland 21 also on Leap 15.4 now that it's available * drop wayland-WL-SINCE-VERSION.patch * drop wayland_data_drag_controller-WL_SURFACE_OFFSET_SINCE_VERSION.patch OBS-URL: https://build.opensuse.org/request/show/1118117 OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs-electron?expand=0&rev=102
2023-10-16 22:04:02 +00:00
parent 2a74265430
commit cef1ee1e83
8 changed files with 292 additions and 382 deletions
--- a/CVE-2023-39333-node-create_dynamic_module-code-injection.patch
+++ b/CVE-2023-39333-node-create_dynamic_module-code-injection.patch
@@ -0,0 +1,61 @@
+From eaf9083cf1e43bd897ac8244dcc0f4e3500150ca Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= <tniessen@tnie.de>
+Date: Sun, 6 Aug 2023 10:41:33 +0000
+Subject: [PATCH] module: fix code injection through export names
+
+createDynamicModule() properly escapes import names, but not export
+names. In WebAssembly, any string is a valid export name. Importing a
+WebAssembly module that uses a non-identifier export name leads to
+either a syntax error in createDynamicModule() or to code injection,
+that is, to the evaluation of almost arbitrary JavaScript code outside
+of the WebAssembly module.
+
+To address this issue, adopt the same mechanism in createExport() that
+createImport() already uses. Add tests for both exports and imports.
+
+PR-URL: https://github.com/nodejs-private/node-private/pull/461
+Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/490
+Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
+CVE-ID: CVE-2023-39333
+---
+ .../modules/esm/create_dynamic_module.js      |  14 ++---
+ test/es-module/test-esm-wasm.mjs              |  50 ++++++++++++++++++
+ .../export-name-code-injection.wasm           | Bin 0 -> 98 bytes
+ .../es-modules/export-name-code-injection.wat |   8 +++
+ .../es-modules/export-name-syntax-error.wasm  | Bin 0 -> 37 bytes
+ .../es-modules/export-name-syntax-error.wat   |   6 +++
+ test/fixtures/es-modules/import-name.wasm     | Bin 0 -> 237 bytes
+ test/fixtures/es-modules/import-name.wat      |  10 ++++
+ 8 files changed, 81 insertions(+), 7 deletions(-)
+ create mode 100644 test/fixtures/es-modules/export-name-code-injection.wasm
+ create mode 100644 test/fixtures/es-modules/export-name-code-injection.wat
+ create mode 100644 test/fixtures/es-modules/export-name-syntax-error.wasm
+ create mode 100644 test/fixtures/es-modules/export-name-syntax-error.wat
+ create mode 100644 test/fixtures/es-modules/import-name.wasm
+ create mode 100644 test/fixtures/es-modules/import-name.wat
+
+diff --git a/lib/internal/modules/esm/create_dynamic_module.js b/lib/internal/modules/esm/create_dynamic_module.js
+index f7c20083b6c91..c99da19d5c827 100644
+--- a/third_party/electron_node/lib/internal/modules/esm/create_dynamic_module.js
+++ b/third_party/electron_node/lib/internal/modules/esm/create_dynamic_module.js
+@@ -18,13 +18,13 @@ function createImport(impt, index) {
+ import.meta.imports[${imptPath}] = $import_${index};`;
+ }
+ 
+-function createExport(expt) {
+-  const name = `${expt}`;
+-  return `let $${name};
+-export { $${name} as ${name} };
+-import.meta.exports.${name} = {
+-  get: () => $${name},
+-  set: (v) => $${name} = v,
+function createExport(expt, index) {
+  const nameStringLit = JSONStringify(expt);
+  return `let $export_${index};
+export { $export_${index} as ${nameStringLit} };
+import.meta.exports[${nameStringLit}] = {
+  get: () => $export_${index},
+  set: (v) => $export_${index} = v,
+ };`;
+ }
+