From 2bfea2a53decc77e93649e3595430d268a4ee457 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Wed, 28 Feb 2024 16:13:53 +0800
Subject: [PATCH] Fix CVE-2024-27088
---
CVE-2024-27088-1.patch | 41 ++++++++++++++++++
CVE-2024-27088-2.patch | 95 ++++++++++++++++++++++++++++++++++++++++++
nodejs-es5-ext.spec | 12 ++++--
3 files changed, 145 insertions(+), 3 deletions(-)
create mode 100644 CVE-2024-27088-1.patch
create mode 100644 CVE-2024-27088-2.patch
diff --git a/CVE-2024-27088-1.patch b/CVE-2024-27088-1.patch
new file mode 100644
index 0000000..d5a3ced
--- /dev/null
+++ b/CVE-2024-27088-1.patch
@@ -0,0 +1,41 @@
+From 3551cdd7b2db08b1632841f819d008757d28e8e2 Mon Sep 17 00:00:00 2001
+From: Mariusz Nowak
+Date: Mon, 19 Feb 2024 17:38:29 +0100
+Subject: [PATCH] fix: Do not rely on problematic regex
+
+Addresses #201
+---
+ function/#/copy.js | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/function/#/copy.js b/function/#/copy.js
+index 81ae7838..897207bb 100644
+--- a/function/#/copy.js
++++ b/function/#/copy.js
+@@ -1,19 +1,20 @@
+ "use strict";
+
+ var mixin = require("../../object/mixin")
+- , validFunction = require("../valid-function")
+- , re = /^\s*function\s*([\0-')-\uffff]+)*\s*\(([\0-(*-\uffff]*)\)\s*\{/;
++ , validFunction = require("../valid-function");
+
+ module.exports = function () {
+- var match = String(validFunction(this)).match(re), fn;
++ validFunction(this);
+
++ var args = [];
++ for (var i = 0; i < this.length; ++i) args.push("arg" + (i + 1));
+ // eslint-disable-next-line no-new-func
+- fn = new Function(
++ var fn = new Function(
+ "fn",
+ "return function " +
+- match[1].trim() +
++ (this.name || "") +
+ "(" +
+- match[2] +
++ args.join(", ") +
+ ") { return fn.apply(this, arguments); };"
+ )(this);
+ try { mixin(fn, this); }
diff --git a/CVE-2024-27088-2.patch b/CVE-2024-27088-2.patch
new file mode 100644
index 0000000..db46321
--- /dev/null
+++ b/CVE-2024-27088-2.patch
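Review bot: In the new `copy.js` body carried by CVE-2024-27088-1.patch, `(this.name || "")` is concatenated straight into the source string handed to `new Function`, and a function's `name` is not guaranteed to be a plain identifier: it is a configurable property, and bound functions, accessors and functions named after string or symbol keys report names containing spaces or brackets. Such a name would at best make the copy throw a SyntaxError, and if the name is ever influenced by untrusted data it would be compiled as code. I would validate it before interpolation, e.g. `var name = /^[$A-Z_a-z][$\w]*$/.test(this.name) ? this.name : "";`, and use `name` in the concatenation; reserved words such as `default` would still need separate handling. The exported function continues past the end of the hunk (the `try { mixin(fn, this); }` block is cut off), so this is based on the visible lines only.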
@@ -0,0 +1,95 @@
+From a52e95736690ad1d465ebcd9791d54570e294602 Mon Sep 17 00:00:00 2001
+From: Mariusz Nowak
+Date: Wed, 21 Feb 2024 16:33:49 +0100
+Subject: [PATCH] fix: Support ES2015+ function definitions in
+ `function#toStringTokens()`
+
+Additionally revert from problematic regex based implementation. Addresses #021
+---
+ function/#/to-string-tokens.js | 57 +++++++++++++++++++++++++++-------
+ package.json | 1 +
+ 2 files changed, 47 insertions(+), 11 deletions(-)
+
+diff --git a/function/#/to-string-tokens.js b/function/#/to-string-tokens.js
+index 4ce026a..b35f51d 100644
+--- a/function/#/to-string-tokens.js
++++ b/function/#/to-string-tokens.js
+@@ -1,17 +1,52 @@
+ "use strict";
+
+-var validFunction = require("../valid-function");
++var isValue = require("../../object/is-value")
++ , esniff = require("esniff")
++ , validFunction = require("../valid-function");
+
+-var re1 = /^\s*function[\0-')-\uffff]*\(([\0-(*-\uffff]*)\)\s*\{([\0-\uffff]*)\}\s*$/
+- , re2 = /^\s*\(?([\0-'*-\uffff]*)\)?\s*=>\s*(\{?[\0-\uffff]*\}?)\s*$/;
++var classRe = /^\s*class[\s{/}]/;
+
+ module.exports = function () {
+- var str = String(validFunction(this)), data = str.match(re1);
+- if (!data) {
+- data = str.match(re2);
+- if (!data) throw new Error("Unrecognized string format");
+- data[1] = data[1].trim();
+- if (data[2][0] === "{") data[2] = data[2].trim().slice(1, -1);
+- }
+- return { args: data[1], body: data[2] };
++ var str = String(validFunction(this));
++ if (classRe.test(str)) throw new Error("Class methods are not supported");
++
++ var argsStartIndex
++ , argsEndIndex
++ , bodyStartIndex
++ , bodyEndReverseIndex = -1
++ , shouldTrimArgs = false;
++
++ esniff(str, function (emitter, accessor) {
++ emitter.once("trigger:(", function () { argsStartIndex = accessor.index + 1; });
++ emitter.once("trigger:=", function () {
++ if (isValue(argsStartIndex)) return;
++ argsStartIndex = 0;
++ argsEndIndex = accessor.index;
++ shouldTrimArgs = true;
++ if (!accessor.skipCodePart("=>")) {
++ throw new Error("Unexpected function string: " + str);
++ }
++ accessor.skipWhitespace();
++ if (!accessor.skipCodePart("{")) bodyEndReverseIndex = Infinity;
++ bodyStartIndex = accessor.index;
++ });
++ emitter.on("trigger:)", function () {
++ if (accessor.scopeDepth) return;
++ argsEndIndex = accessor.index;
++ accessor.skipCodePart(")");
++ accessor.skipWhitespace();
++ if (accessor.skipCodePart("=>")) {
++ accessor.skipWhitespace();
++ if (!accessor.skipCodePart("{")) bodyEndReverseIndex = Infinity;
++ } else if (!accessor.skipCodePart("{")) {
++ throw new Error("Unexpected function string: " + str);
++ }
++ bodyStartIndex = accessor.index;
++ accessor.stop();
++ });
++ });
++
++ var argsString = str.slice(argsStartIndex, argsEndIndex);
++ if (shouldTrimArgs) argsString = argsString.trim();
++ return { args: argsString, body: str.slice(bodyStartIndex, bodyEndReverseIndex) };
+ };
+diff --git a/package.json b/package.json
+index c659815..1762c15 100644
+--- a/package.json
++++ b/package.json
+@@ -25,6 +25,7 @@
+ "dependencies": {
+ "es6-iterator": "^2.0.3",
+ "es6-symbol": "^3.1.3",
++ "esniff": "^2.0.1",
+ "next-tick": "^1.1.0"
+ },
+ "devDependencies": {
+--
+2.33.0
+
diff --git a/nodejs-es5-ext.spec b/nodejs-es5-ext.spec
index 06be9f6..84b93dd 100644
--- a/nodejs-es5-ext.spec
+++ b/nodejs-es5-ext.spec
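Review bot: In the rewritten `to-string-tokens.js`, the `trigger:=` handler never calls `accessor.stop()` while the `trigger:)` handler does, so for a paren-less arrow such as `x => f(x)` the scan presumably continues into the body, where the still-armed `trigger:(` and `trigger:)` handlers could overwrite `argsStartIndex` and `argsEndIndex`. Whether that happens depends on esniff's behaviour, which the hunk does not show, so a test for that shape would settle it; if confirmed, adding `accessor.stop();` after `bodyStartIndex = accessor.index;` in that handler mirrors the other branch. There is also no final check that the indices were set: the old code threw `Unrecognized string format` when nothing matched, whereas `str.slice(undefined, …)` now returns most of the source silently, and `if (!isValue(bodyStartIndex)) throw new Error("Unrecognized string format");` before the two `slice` calls would keep the fail-closed behaviour. Both `Unexpected function string` errors embed the whole of `str`, so a large function source ends up in the message and in any log that records it.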
@@ -3,12 +3,16 @@ %global enable_tests 0 Name: nodejs-es5-ext Version: 0.10.56 -Release: 2 +Release: 3 Summary: ECMAScript 5 extensions and ES6 shims License: MIT URL: https://github.com/medikoo/es5-ext.git Source0: https://registry.npmjs.org/%{packagename}/-/%{packagename}-%{version}.tgz Patch0: 0001-Revert-Give-Peace-a-Chance.patch +# https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2 +Patch1: CVE-2024-27088-1.patch +# https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602 +Patch2: CVE-2024-27088-2.patch BuildArch: noarch ExclusiveArch: %{nodejs_arches} noarch ExclusiveArch: %{ix86} x86_64 %{arm} noarch @@ -21,8 +25,7 @@ Requires: nodejs ECMAScript 5 extensions and ES6 shims %prep -%setup -q -n package -%patch0 -p1 +%autosetup -n package -p1 %nodejs_fixdep es6-symbol ^3.1.1 %build @@ -50,6 +53,9 @@ echo "Tests are disabled..." %{nodejs_sitelib}/%{packagename} %changelog +* Wed Feb 28 2024 yaoxin - 0.10.56-3 +- Fix CVE-2024-27088 + * Fri Mar 10 2023 Ge Wang - 0.10.56-2 - Revert Give Peace a Chance -- Gitee
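Review bot: CVE-2024-27088-2.patch introduces a new runtime dependency (`"esniff": "^2.0.1"` in package.json, loaded via `require("esniff")`), but none of the visible spec hunks account for it; the only dependency handling shown is `%nodejs_fixdep es6-symbol ^3.1.1`. If an automatic npm dependency generator is in use, this becomes a hard requirement on an esniff package that must exist in the repository at a compatible version; if not, `function/#/to-string-tokens.js` will fail at load time. With `%global enable_tests 0`, nothing in the build would catch either case. Please confirm a matching esniff package is available and consider stating the dependency explicitly next to `Requires: nodejs`. The spec is only partly visible here, so this may already be handled outside the hunks.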