Patch nodejs18 to address CVE-2023-21100 (#9250)

SPECS/nodejs/CVE-2023-21100.patch

@@ -0,0 +1,50 @@
+From 901960817a6dc7b40c68c47bcd77037d5fc5d1ea Mon Sep 17 00:00:00 2001
+From: Mitch Zhu <mitchzhu@microsoft.com>
+Date: Wed, 29 May 2024 19:11:14 +0000
+Subject: [PATCH] Address CVE-2023-21100
+
+If the extra field was larger than the space the user provided with
+inflateGetHeader(), and if multiple calls of inflate() delivered
+the extra header data, then there could be a buffer overflow of the
+provided space. This commit assures that provided space is not
+exceeded.
+---
+ deps/v8/third_party/zlib/contrib/optimizations/inflate.c | 5 +++--
+ deps/v8/third_party/zlib/inflate.c                       | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/deps/v8/third_party/zlib/contrib/optimizations/inflate.c b/deps/v8/third_party/zlib/contrib/optimizations/inflate.c
+index 4841cd96..1007f062 100644
+--- a/deps/v8/third_party/zlib/contrib/optimizations/inflate.c
++++ b/deps/v8/third_party/zlib/contrib/optimizations/inflate.c
+@@ -772,8 +772,9 @@ int flush;
+                 if (copy > have) copy = have;
+                 if (copy) {
+                     if (state->head != Z_NULL &&
+-                        state->head->extra != Z_NULL) {
+-                        len = state->head->extra_len - state->length;
++                        state->head->extra != Z_NULL &&
+++                        (len = state->head->extra_len - state->length) <
+++                            state->head->extra_max) {
+                         zmemcpy(state->head->extra + len, next,
+                                 len + copy > state->head->extra_max ?
+                                 state->head->extra_max - len : copy);
+diff --git a/deps/v8/third_party/zlib/inflate.c b/deps/v8/third_party/zlib/inflate.c
+index 7543c33d..384af93f 100644
+--- a/deps/v8/third_party/zlib/inflate.c
++++ b/deps/v8/third_party/zlib/inflate.c
+@@ -761,8 +761,9 @@ int flush;
+                 if (copy > have) copy = have;
+                 if (copy) {
+                     if (state->head != Z_NULL &&
+-                        state->head->extra != Z_NULL) {
+-                        len = state->head->extra_len - state->length;
++                        state->head->extra != Z_NULL &&
+++                        (len = state->head->extra_len - state->length) <
+++                            state->head->extra_max) {
+                         zmemcpy(state->head->extra + len, next,
+                                 len + copy > state->head->extra_max ?
+                                 state->head->extra_max - len : copy);
+-- 
+2.34.1
+

SPECS/nodejs/CVE-2023-42282.patch

@@ -1,111 +0,0 @@
-From 32f468f1245574785ec080705737a579be1223aa Mon Sep 17 00:00:00 2001
-From: Luke McFarlane <luke@innoware.com.au>
-Date: Mon, 12 Feb 2024 13:22:18 +1100
-Subject: [PATCH] lib: fixed CVE-2023-42282 and added unit test
-
-Unit test code is not applicable for NodeJS sources hence not included.
-
-diff --git a/deps/npm/node_modules/ip/lib/ip.js b/deps/npm/node_modules/ip/lib/ip.js
-index 4b2adb5add..9022443ae5 100644
---- a/deps/npm/node_modules/ip/lib/ip.js
-+++ b/deps/npm/node_modules/ip/lib/ip.js
-@@ -306,12 +306,26 @@ ip.isEqual = function (a, b) {
- };
- 
- ip.isPrivate = function (addr) {
--  return /^(::f{4}:)?10\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i
--    .test(addr)
-+  // check loopback addresses first
-+  if (ip.isLoopback(addr)) {
-+    return true;
-+  }
-+
-+  // ensure the ipv4 address is valid
-+  if (!ip.isV6Format(addr)) {
-+    const ipl = ip.normalizeToLong(addr);
-+    if (ipl < 0) {
-+      throw new Error('invalid ipv4 address');
-+    }
-+    // normalize the address for the private range checks that follow
-+    addr = ip.fromLong(ipl);
-+  }
-+
-+  // check private ranges
-+  return /^(::f{4}:)?10\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr)
-     || /^(::f{4}:)?192\.168\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr)
-     || /^(::f{4}:)?172\.(1[6-9]|2\d|30|31)\.([0-9]{1,3})\.([0-9]{1,3})$/i
-       .test(addr)
--    || /^(::f{4}:)?127\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr)
-     || /^(::f{4}:)?169\.254\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr)
-     || /^f[cd][0-9a-f]{2}:/i.test(addr)
-     || /^fe80:/i.test(addr)
-@@ -324,9 +338,16 @@ ip.isPublic = function (addr) {
- };
- 
- ip.isLoopback = function (addr) {
-+  // If addr is an IPv4 address in long integer form (no dots and no colons), convert it
-+  if (!/\./.test(addr) && !/:/.test(addr)) {
-+    addr = ip.fromLong(Number(addr));
-+  }
-+
-   return /^(::f{4}:)?127\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/
-     .test(addr)
--    || /^fe80::1$/.test(addr)
-+    || /^0177\./.test(addr)
-+    || /^0x7f\./i.test(addr)
-+    || /^fe80::1$/i.test(addr)
-     || /^::1$/.test(addr)
-     || /^::$/.test(addr);
- };
-@@ -420,3 +441,51 @@ ip.fromLong = function (ipl) {
-     ipl >> 8 & 255}.${
-     ipl & 255}`);
- };
-+
-+ip.normalizeToLong = function (addr) {
-+  const parts = addr.split('.').map(part => {
-+    // Handle hexadecimal format
-+    if (part.startsWith('0x') || part.startsWith('0X')) {
-+      return parseInt(part, 16);
-+    }
-+    // Handle octal format (strictly digits 0-7 after a leading zero)
-+    else if (part.startsWith('0') && part !== '0' && /^[0-7]+$/.test(part)) {
-+      return parseInt(part, 8);
-+    }
-+    // Handle decimal format, reject invalid leading zeros
-+    else if (/^[1-9]\d*$/.test(part) || part === '0') {
-+      return parseInt(part, 10);
-+    }
-+    // Return NaN for invalid formats to indicate parsing failure
-+    else {
-+      return NaN;
-+    }
-+  });
-+
-+  if (parts.some(isNaN)) return -1; // Indicate error with -1
-+
-+  let val = 0;
-+  const n = parts.length;
-+
-+  switch (n) {
-+  case 1:
-+    val = parts[0];
-+    break;
-+  case 2:
-+    if (parts[0] > 0xff || parts[1] > 0xffffff) return -1;
-+    val = (parts[0] << 24) | (parts[1] & 0xffffff);
-+    break;
-+  case 3:
-+    if (parts[0] > 0xff || parts[1] > 0xff || parts[2] > 0xffff) return -1;
-+    val = (parts[0] << 24) | (parts[1] << 16) | (parts[2] & 0xffff);
-+    break;
-+  case 4:
-+    if (parts.some(part => part > 0xff)) return -1;
-+    val = (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3];
-+    break;
-+  default:
-+    return -1; // Error case
-+  }
-+
-+  return val >>> 0;
-+};

SPECS/nodejs/CVE-2024-24806.patch

@@ -1,31 +0,0 @@
-From 9c2cf90e5b3952a202a0fb8435470eaa527d3f63 Mon Sep 17 00:00:00 2001
-From: Suresh Thelkar <sthelkar@microsoft.com>
-Date: Tue, 27 Feb 2024 10:24:03 +0530
-Subject: [PATCH] Patch CVE-2024-24806
-
-Upstream patch details are given below.
-https://github.com/libuv/libuv/commit/0f2d7e784a256b54b2385043438848047bc2a629
----
- deps/uv/src/idna.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/deps/uv/src/idna.c b/deps/uv/src/idna.c
-index 93d982ca..197650af 100644
---- a/deps/uv/src/idna.c
-+++ b/deps/uv/src/idna.c
-@@ -308,8 +308,10 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {
-       return rc;
-   }
- 
--  if (d < de)
--    *d++ = '\0';
-+  if (d >= de)
-+    return UV_EINVAL;
-+
-+  *d++ = '\0';
- 
-   return d - ds;  /* Number of bytes written. */
- }
--- 
-2.34.1
-

SPECS/nodejs/CVE-2024-27983.patch

@@ -1,34 +0,0 @@
-From 0fb816dbccde955cd24acc1b16497a91fab507c8 Mon Sep 17 00:00:00 2001
-From: RafaelGSS <rafael.nunu@hotmail.com>
-Date: Tue, 26 Mar 2024 15:55:13 -0300
-Subject: [PATCH] src: ensure to close stream when destroying session
-
-Co-Authored-By: Anna Henningsen <anna@addaleax.net>
-PR-URL: https://github.com/nodejs-private/node-private/pull/561
-Fixes: https://hackerone.com/reports/2319584
-Reviewed-By: Michael Dawson <midawson@redhat.com>
-Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
-Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
-Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
-CVE-ID: CVE-2024-27983
----
- src/node_http2.cc | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/node_http2.cc b/src/node_http2.cc
-index 528bf3aa58b322..eb3506ff5e609b 100644
---- a/src/node_http2.cc
-+++ b/src/node_http2.cc
-@@ -528,6 +528,12 @@ Http2Session::Http2Session(Http2State* http2_state,
- Http2Session::~Http2Session() {
-   CHECK(!is_in_scope());
-   Debug(this, "freeing nghttp2 session");
-+  // Ensure that all `Http2Stream` instances and the memory they hold
-+  // on to are destroyed before the nghttp2 session is.
-+  for (const auto& [id, stream] : streams_) {
-+    stream->Detach();
-+  }
-+  streams_.clear();
-   // Explicitly reset session_ so the subsequent
-   // current_nghttp2_memory_ check passes.
-   session_.reset();

SPECS/nodejs/disable-tlsv1-tlsv1-1.patch

@@ -1,42 +0,0 @@
-diff -ru node-v16.14.0-orig/src/crypto/crypto_context.cc node-v16.14.0/src/crypto/crypto_context.cc
---- node-v16.14.0-orig/src/crypto/crypto_context.cc	2022-02-08 04:37:50.000000000 -0800
-+++ node-v16.14.0/src/crypto/crypto_context.cc	2022-02-25 09:17:21.964960342 -0800
-@@ -467,28 +467,16 @@
-       min_version = 0;
-       max_version = kMaxSupportedVersion;
-       method = TLS_client_method();
--    } else if (sslmethod == "TLSv1_method") {
--      min_version = TLS1_VERSION;
--      max_version = TLS1_VERSION;
--    } else if (sslmethod == "TLSv1_server_method") {
--      min_version = TLS1_VERSION;
--      max_version = TLS1_VERSION;
--      method = TLS_server_method();
--    } else if (sslmethod == "TLSv1_client_method") {
--      min_version = TLS1_VERSION;
--      max_version = TLS1_VERSION;
--      method = TLS_client_method();
--    } else if (sslmethod == "TLSv1_1_method") {
--      min_version = TLS1_1_VERSION;
--      max_version = TLS1_1_VERSION;
--    } else if (sslmethod == "TLSv1_1_server_method") {
--      min_version = TLS1_1_VERSION;
--      max_version = TLS1_1_VERSION;
--      method = TLS_server_method();
--    } else if (sslmethod == "TLSv1_1_client_method") {
--      min_version = TLS1_1_VERSION;
--      max_version = TLS1_1_VERSION;
--      method = TLS_client_method();
-+    } else if (sslmethod == "TLSv1_method" ||
-+               sslmethod == "TLSv1_server_method" ||
-+               sslmethod == "TLSv1_client_method") {
-+      THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "TLSv1 methods disabled");
-+      return;
-+    } else if (sslmethod == "TLSv1_1_method" ||
-+               sslmethod == "TLSv1_1_server_method" ||
-+               sslmethod == "TLSv1_1_client_method") {
-+      THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "TLSv1_1 methods disabled");
-+      return;
-     } else if (sslmethod == "TLSv1_2_method") {
-       min_version = TLS1_2_VERSION;
-       max_version = TLS1_2_VERSION;

SPECS/nodejs/nodejs18.spec

@@ -6,7 +6,7 @@ Name:           nodejs18
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version:        18.20.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD and MIT and Public Domain and NAIST-2003 and Artistic-2.0
 Group:          Applications/System
 Vendor:         Microsoft Corporation
@@ -16,6 +16,7 @@ URL:            https://github.com/nodejs/node
 # !!!! because it contains patented algorithms.
 # !!!  => use clean-source-tarball.sh script to create a clean and reproducible source tarball.
 Source0:        https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz
+Patch0:         CVE-2023-21100.patch
 BuildRequires:  brotli-devel
 BuildRequires:  coreutils >= 8.22
 BuildRequires:  gcc
@@ -116,6 +117,10 @@ make cctest
 %{_datadir}/systemtap/tapset/node.stp
 
 %changelog
+* Wed May 29 2024 Mitch Zhu <mitchzhu@microsoft.com> - 18.20.2-2
+- Patch CVE-2023-21100.
+- Remove unused patches.
+
 * Fri Apr 26 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 18.20.2-1
 - Auto-upgrade to 18.20.2 - address multiple CVEs.
 - Remove patches as the upgrade already has these changes.