From a8386f0c9f1adf6b592d9b767652b5647f82a9f9 Mon Sep 17 00:00:00 2001
From: suresh-thelkar <suresh.thelkar@yahoo.com>
Date: Thu, 29 Feb 2024 03:58:03 +0530
Subject: [PATCH 1/2] Patch CVE-2024-24806 in nodejs18 (#8110)

Co-authored-by: Suresh Thelkar <sthelkar@microsoft.com>
(cherry picked from commit ae70b926bf50d9bbefb2e2d9e524108e54b1d2f7)
---
 SPECS/nodejs/CVE-2024-24806.patch | 31 +++++++++++++++++++++++++++++++
 SPECS/nodejs/nodejs18.spec        | 19 +++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 SPECS/nodejs/CVE-2024-24806.patch

diff --git a/SPECS/nodejs/CVE-2024-24806.patch b/SPECS/nodejs/CVE-2024-24806.patch
new file mode 100644
index 00000000000..f183ff3f72b
--- /dev/null
+++ b/SPECS/nodejs/CVE-2024-24806.patch
@@ -0,0 +1,31 @@
+From 9c2cf90e5b3952a202a0fb8435470eaa527d3f63 Mon Sep 17 00:00:00 2001
+From: Suresh Thelkar <sthelkar@microsoft.com>
+Date: Tue, 27 Feb 2024 10:24:03 +0530
+Subject: [PATCH] Patch CVE-2024-24806
+
+Upstream patch details are given below.
+https://github.com/libuv/libuv/commit/0f2d7e784a256b54b2385043438848047bc2a629
+---
+ deps/uv/src/idna.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/deps/uv/src/idna.c b/deps/uv/src/idna.c
+index 93d982ca..197650af 100644
+--- a/deps/uv/src/idna.c
++++ b/deps/uv/src/idna.c
+@@ -308,8 +308,10 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {
+       return rc;
+   }
+ 
+-  if (d < de)
+-    *d++ = '\0';
++  if (d >= de)
++    return UV_EINVAL;
++
++  *d++ = '\0';
+ 
+   return d - ds;  /* Number of bytes written. */
+ }
+-- 
+2.34.1
+
diff --git a/SPECS/nodejs/nodejs18.spec b/SPECS/nodejs/nodejs18.spec
index 4fafb0f54aa..e204d24f84b 100644
--- a/SPECS/nodejs/nodejs18.spec
+++ b/SPECS/nodejs/nodejs18.spec
@@ -6,7 +6,11 @@ Name:           nodejs18
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version:        18.18.2
+<<<<<<< HEAD
 Release:        2%{?dist}
+=======
+Release:        4%{?dist}
+>>>>>>> ae70b926b (Patch CVE-2024-24806 in nodejs18 (#8110))
 License:        BSD and MIT and Public Domain and NAIST-2003 and Artistic-2.0
 Group:          Applications/System
 Vendor:         Microsoft Corporation
@@ -17,7 +21,12 @@ URL:            https://github.com/nodejs/node
 # !!!  => use clean-source-tarball.sh script to create a clean and reproducible source tarball.
 Source0:        https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz
 Patch0:         disable-tlsv1-tlsv1-1.patch
+<<<<<<< HEAD
 
+=======
+Patch1:         CVE-2023-42282.patch
+Patch2:         CVE-2024-24806.patch
+>>>>>>> ae70b926b (Patch CVE-2024-24806 in nodejs18 (#8110))
 BuildRequires:  brotli-devel
 BuildRequires:  coreutils >= 8.22
 BuildRequires:  gcc
@@ -116,6 +125,16 @@ make cctest
 %{_datadir}/systemtap/tapset/node.stp
 
 %changelog
+<<<<<<< HEAD
+=======
+* Tue Feb 27 2024 Suresh Thelkar <sthelkar@ieee.org> - 18.18.2-4
+- Patch CVE-2024-24806
+
+* Mon Feb 26 2024 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 18.18.2-3
+- Patch CVE-2023-42282
+- Unit test code is not applicable for this NodeJS version sources
+
+>>>>>>> ae70b926b (Patch CVE-2024-24806 in nodejs18 (#8110))
 * Thu Oct 19 2023 Dan Streetman <ddstreet@ieee.org> - 18.18.2-2
 - Re-enable building debuginfo. We can just ignore the dirs conflict failure in the pipelines! :)
 

From 193e9ed11d00b38c09966301feffdf42e37b9ded Mon Sep 17 00:00:00 2001
From: Pawel Winogrodzki <pawelwi@microsoft.com>
Date: Wed, 28 Feb 2024 14:47:06 -0800
Subject: [PATCH 2/2] Resolving merge conflict.

---
 SPECS/nodejs/nodejs18.spec | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/SPECS/nodejs/nodejs18.spec b/SPECS/nodejs/nodejs18.spec
index e204d24f84b..f1b7c2eb028 100644
--- a/SPECS/nodejs/nodejs18.spec
+++ b/SPECS/nodejs/nodejs18.spec
@@ -6,11 +6,7 @@ Name:           nodejs18
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version:        18.18.2
-<<<<<<< HEAD
-Release:        2%{?dist}
-=======
 Release:        4%{?dist}
->>>>>>> ae70b926b (Patch CVE-2024-24806 in nodejs18 (#8110))
 License:        BSD and MIT and Public Domain and NAIST-2003 and Artistic-2.0
 Group:          Applications/System
 Vendor:         Microsoft Corporation
@@ -21,12 +17,8 @@ URL:            https://github.com/nodejs/node
 # !!!  => use clean-source-tarball.sh script to create a clean and reproducible source tarball.
 Source0:        https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz
 Patch0:         disable-tlsv1-tlsv1-1.patch
-<<<<<<< HEAD
-
-=======
 Patch1:         CVE-2023-42282.patch
 Patch2:         CVE-2024-24806.patch
->>>>>>> ae70b926b (Patch CVE-2024-24806 in nodejs18 (#8110))
 BuildRequires:  brotli-devel
 BuildRequires:  coreutils >= 8.22
 BuildRequires:  gcc
@@ -125,8 +117,6 @@ make cctest
 %{_datadir}/systemtap/tapset/node.stp
 
 %changelog
-<<<<<<< HEAD
-=======
 * Tue Feb 27 2024 Suresh Thelkar <sthelkar@ieee.org> - 18.18.2-4
 - Patch CVE-2024-24806
 
@@ -134,7 +124,6 @@ make cctest
 - Patch CVE-2023-42282
 - Unit test code is not applicable for this NodeJS version sources
 
->>>>>>> ae70b926b (Patch CVE-2024-24806 in nodejs18 (#8110))
 * Thu Oct 19 2023 Dan Streetman <ddstreet@ieee.org> - 18.18.2-2
 - Re-enable building debuginfo. We can just ignore the dirs conflict failure in the pipelines! :)