forked from pool/nodejs20
nodejs20/CVE-2024-21538.patch
Adam Majer 6eba4bd4ca - Update to 20.18.1
* Experimental Network Inspection Support in Node.js
  * Exposes X509_V_FLAG_PARTIAL_CHAIN to tls.createSecureContext
  * New option for vm.createContext() to create a context with a
    freezable globalThis
  * buffer: optimize createFromString
- Changes in 20.17.0:
  * module: support require()ing synchronous ESM graphs
  * path: add matchesGlob method
  * stream: expose DuplexPair API
- Changes in 20.16.0:
  * process: add process.getBuiltinModule(id)
  * inspector: fix disable async hooks on Debugger.setAsyncCallStackDepth
  * buffer: add .bytes() method to Blob
- CVE-2024-21538.patch: fixes regular expression denial of service
  (bsc#1233856, CVE-2024-21538)
- linker_lto_jobs.patch, fix_ci_tests.patch: refreshed

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs20?expand=0&rev=85
2024-12-04 16:58:37 +00:00

47 lines
1.8 KiB

Applied following patches,
From 5ff3a07d9add449021d806e45c4168203aa833ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Cruz?= <andremiguelcruz@msn.com>
Date: Wed, 6 Nov 2024 22:02:49 +0000
Subject: [PATCH] fix: disable regexp backtracking (#160)
---
lib/util/escape.js | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
From 640d391fde65388548601d95abedccc12943374f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Cruz?= <andre.cruz@uphold.com>
Date: Thu, 7 Nov 2024 12:50:38 +0000
Subject: [PATCH] fix: fix escaping bug introduced by backtracking
---
lib/util/escape.js | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Index: node-v18.20.5/deps/npm/node_modules/cross-spawn/lib/util/escape.js
===================================================================
--- node-v18.20.5.orig/deps/npm/node_modules/cross-spawn/lib/util/escape.js
+++ node-v18.20.5/deps/npm/node_modules/cross-spawn/lib/util/escape.js
@@ -15,15 +15,17 @@ function escapeArgument(arg, doubleEscap
arg = `${arg}`;
// Algorithm below is based on https://qntm.org/cmd
+ // It's slightly altered to disable JS backtracking to avoid hanging on specially crafted input
+ // Please see https://github.com/moxystudio/node-cross-spawn/pull/160 for more information
// Sequence of backslashes followed by a double quote:
// double up all the backslashes and escape the double quote
- arg = arg.replace(/(\\*)"/g, '$1$1\\"');
+ arg = arg.replace(/(?=(\\+?)?)\1"/g, '$1$1\\"');
// Sequence of backslashes followed by the end of the string
// (which will become a double quote later):
// double up all the backslashes
- arg = arg.replace(/(\\*)$/, '$1$1');
+ arg = arg.replace(/(?=(\\+?)?)\1$/, '$1$1');
// All other backslashes occur literally
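Review bot: In both rewritten patterns the lazy `\\+?` is the last thing inside the lookahead, so group 1 captures at most one backslash, and since JavaScript does not backtrack into a lookahead, `\1"` and `\1$` can only match the single backslash directly in front of the quote or the end of the string. The unchanged comments above each call still say "double up all the backslashes", which the removed `(\\*)` did for a run of any length; for an argument with two or more consecutive backslashes before a `"` or at the end, the new output is not the same as the old one. Please add a test with such a run (for example two backslashes followed by a double quote, and two trailing backslashes) to confirm the result still follows the qntm.org/cmd algorithm the comment cites, or update the comments if the narrower match is intended. Separately, the Index and ---/+++ paths name node-v18.20.5 although this package is nodejs20 at 20.18.1; refreshing the header against the 20.x tree would avoid confusion.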