From d24573239f5ea95a5c5a268198a379cdc6e1618d Mon Sep 17 00:00:00 2001
From: hanguanqiang
Date: Wed, 2 Apr 2025 16:02:47 +0800
Subject: [PATCH] 1.According to the description above error line in node_http2.cc,this should be checking whether frame->hd.type is NGHTTP2_GOAWAY,and the value of NGHTTP2_GOAWAY is 0x07,however,it is written as 0x03 here,which i think it is an error;2.correct the error of http2 header frame content based on http2 related protocal so that make UT script exited successfully (cherry picked from commit 9040d72f2571cb0374bdcb592d327bf5f1b0b417)
---
...ome-errors-related-to-CVE-2025-23085.patch | 51 +++++++++++++++++++
nodejs.spec | 6 ++-
2 files changed, 56 insertions(+), 1 deletion(-)
create mode 100644 0001-correct-some-errors-related-to-CVE-2025-23085.patch
diff --git a/0001-correct-some-errors-related-to-CVE-2025-23085.patch b/0001-correct-some-errors-related-to-CVE-2025-23085.patch
new file mode 100644
index 0000000..7bc00c4
--- /dev/null
+++ b/0001-correct-some-errors-related-to-CVE-2025-23085.patch
@@ -0,0 +1,51 @@
+From 888d300c1ae7f1ef4d0eda26df9335b02b62e7b0 Mon Sep 17 00:00:00 2001
+From: hanguanqiang
+Date: Wed, 2 Apr 2025 14:42:23 +0800
+Subject: [PATCH] correct some errors related to CVE-2025-23085
+
+---
+ src/node_http2.cc | 2 +-
+ test/parallel/test-http2-premature-close.js | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/node_http2.cc b/src/node_http2.cc
+index 1569149b..5a24f99e 100644
+--- a/src/node_http2.cc
++++ b/src/node_http2.cc
+@@ -1193,7 +1193,7 @@ int Http2Session::OnFrameNotSent(nghttp2_session* handle,
+ // closed but the Http2Session will still be up causing a memory leak.
+ // Therefore, if the GOAWAY frame couldn't be send due to
+ // ERR_SESSION_CLOSING we should force close from our side.
+- if (frame->hd.type != 0x03) {
++ if (frame->hd.type != NGHTTP2_GOAWAY) {
+ return 0;
+ }
+ }
+diff --git a/test/parallel/test-http2-premature-close.js b/test/parallel/test-http2-premature-close.js
+index a9b08f55..df30c429 100644
+--- a/test/parallel/test-http2-premature-close.js
++++ b/test/parallel/test-http2-premature-close.js
+@@ -29,9 +29,9 @@ async function requestAndClose(server) {
+ // Send a valid HEADERS frame
+ const headersFrame = Buffer.concat([
+ Buffer.from([
+- 0x00, 0x00, 0x0c, // Length: 12 bytes
++ 0x00, 0x00, 0x0e, // Length: 14 bytes
+ 0x01, // Type: HEADERS
+- 0x05, // Flags: END_HEADERS + END_STREAM
++ 0x04, // Flags: END_HEADERS
+ (streamId >> 24) & 0xFF, // Stream ID: high byte
+ (streamId >> 16) & 0xFF,
+ (streamId >> 8) & 0xFF,
+@@ -41,7 +41,7 @@ async function requestAndClose(server) {
+ 0x82, // Indexed Header Field Representation (Predefined ":method: GET")
+ 0x84, // Indexed Header Field Representation (Predefined ":path: /")
+ 0x86, // Indexed Header Field Representation (Predefined ":scheme: http")
+- 0x44, 0x0a, // Custom ":authority: localhost"
++ 0x41, 0x09, // ":authority: localhost" Length: 9 bytes
+ 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74,
+ ]),
+ ]);
+-- 
+2.43.0 + diff --git a/nodejs.spec b/nodejs.spec index 48a8ee2..cf209b3 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -1,4 +1,4 @@ -%global baserelease 1 +%global baserelease 2 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} %global nodejs_epoch 1 %global nodejs_major 20 @@ -76,6 +76,7 @@ Patch0: 0001-Use-system-uv-zlib.patch Patch1: CVE-2023-45853.patch Patch2: CVE-2024-5274.patch Patch3: CVE-2024-7971.patch +Patch4: 0001-correct-some-errors-related-to-CVE-2025-23085.patch BuildRequires: python3-devel python3-setuptools make BuildRequires: zlib-devel python3-jinja2 @@ -406,6 +407,9 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod %{_pkgdocdir}/npm/docs %changelog +* Wed Apr 02 2025 hanguanqiang - 1:20.18.2-2 +- correct error related to CVE-2025-23085 + * Thu Jan 23 2025 wangkai <13474090681@163.com> - 1:20.18.2-1 - Update to 20.18.2 - Fix CVE-2025-23083 CVE-2025-23085 CVE-2025-23084 CVE-2024-36137 -- Gitee
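Review bot: The corrected comparison in the `OnFrameNotSent` hunk would benefit from a one-line comment naming the frame type that is allowed through, because the literal it replaces, `0x03`, is RST_STREAM in the HTTP/2 frame-type registry, so an unsent GOAWAY (0x07) took the `return 0` path and presumably never reached the forced close that the surrounding comment describes. Something like `// Only an unsent GOAWAY continues to the forced close; every other frame type returns here.` above the `if` makes it harder for the named constant to be swapped back for a number. In the test hunks the new bytes are self-consistent (three indexed fields, `0x41 0x09`, nine bytes of `localhost` = 14), but the length is still counted by hand, which is how the old `0x0c`/`0x0a` mismatch arose; deriving it from the payload buffer would avoid a repeat. It is also worth confirming that the test fails against the old constant, so that it is known to cover this branch. `OnFrameNotSent` and `requestAndClose` both start and end outside the hunks.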
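Review bot: `Patch4:` is only declared in this hunk, and the diffstat for nodejs.spec (5 insertions, 1 deletion) leaves no room for a `%prep` change, so the new patch is applied only if `%prep` already uses `%autosetup` or `%autopatch`. If `%prep` lists its patches one by one, it needs a matching line such as `%patch4 -p1`, otherwise release 2 would still build `node_http2.cc` with the `0x03` comparison while the changelog says the CVE-2025-23085 error is corrected. The `%prep` section is outside the hunks shown, so this should be checked there or in the build log.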