[AUTO-CHERRYPICK] Patch CVE-2024-24806 in nodejs18 - branch main #8164

Merged 3 commits on Feb 28, 2024
31 changes: 31 additions & 0 deletions SPECS/nodejs/CVE-2024-24806.patch
@@ -0,0 +1,31 @@
From 9c2cf90e5b3952a202a0fb8435470eaa527d3f63 Mon Sep 17 00:00:00 2001
From: Suresh Thelkar <sthelkar@microsoft.com>
Date: Tue, 27 Feb 2024 10:24:03 +0530
Subject: [PATCH] Patch CVE-2024-24806

Upstream patch details are given below.
https://github.com/libuv/libuv/commit/0f2d7e784a256b54b2385043438848047bc2a629
---
deps/uv/src/idna.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/deps/uv/src/idna.c b/deps/uv/src/idna.c
index 93d982ca..197650af 100644
--- a/deps/uv/src/idna.c
+++ b/deps/uv/src/idna.c
@@ -308,8 +308,10 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {
return rc;
}

- if (d < de)
- *d++ = '\0';
+ if (d >= de)
+ return UV_EINVAL;
+
+ *d++ = '\0';

return d - ds; /* Number of bytes written. */
}
--
2.34.1

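Review bot: The idna.c hunk changes the contract of uv__idna_toascii rather than just adding a check, and the patch description should say so: before, a destination buffer with no room left (d == de) silently got no NUL terminator and the function still returned a byte count, so callers could treat an unterminated buffer as a valid string; after, that case returns UV_EINVAL and the `*d++ = '\0';` write is unconditional, so every successful return is now NUL-terminated. Please note in the description that callers must treat a negative return as an error rather than a length, and state whether the upstream libuv commit linked above contains anything beyond this one idna.c hunk that was intentionally left out of the backport.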
6 changes: 5 additions & 1 deletion SPECS/nodejs/nodejs18.spec
@@ -6,7 +6,7 @@ Name: nodejs18
# WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
# The version of NPM can be found inside the sources under 'deps/npm/package.json'.
Version: 18.18.2
Release: 3%{?dist}
Release: 4%{?dist}
License: BSD and MIT and Public Domain and NAIST-2003 and Artistic-2.0
Group: Applications/System
Vendor: Microsoft Corporation
@@ -18,6 +18,7 @@ URL: https://github.com/nodejs/node
Source0: https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz
Patch0: disable-tlsv1-tlsv1-1.patch
Patch1: CVE-2023-42282.patch
Patch2: CVE-2024-24806.patch
BuildRequires: brotli-devel
BuildRequires: coreutils >= 8.22
BuildRequires: gcc
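Review bot: This hunk declares `Patch2: CVE-2024-24806.patch` but no corresponding application step is visible in the diff. If %prep already uses `%autosetup -p1` (or equivalent) the new patch is picked up automatically; otherwise a `%patch2 -p1` line is needed, and the build would succeed without the fix being applied. Please confirm which case applies, ideally by checking that the patched idna.c change is present in the build tree.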
@@ -116,6 +117,9 @@ make cctest
%{_datadir}/systemtap/tapset/node.stp

%changelog
* Tue Feb 27 2024 Suresh Thelkar <sthelkar@ieee.org> - 18.18.2-4
- Patch CVE-2024-24806

* Mon Feb 26 2024 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 18.18.2-3
- Patch CVE-2023-42282
- Unit test code is not applicable for this NodeJS version sources
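Review bot: The changelog author email (sthelkar@ieee.org) differs from the one in the patch header (sthelkar@microsoft.com); these should match so the fix is attributable to one identity. The entry `- Patch CVE-2024-24806` would also be more useful with the upstream libuv commit reference already given in the patch file, so the changelog alone tells a reader where the fix came from.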