From cbbd2976d95c8660beff486484c771d4a044d603 Mon Sep 17 00:00:00 2001
From: Balakumaran Kannan
Date: Tue, 19 Nov 2024 11:36:34 +0000
Subject: [PATCH 1/4] Fix CVE-2024-21538 by patching vendor packages
---
SPECS/nodejs/CVE-2024-21538.patch | 61 +++++++++++++++++++
SPECS/nodejs/nodejs18.spec | 4 ++
SPECS/python-tensorboard/CVE-2024-21538.patch | 61 +++++++++++++++++++
3 files changed, 126 insertions(+)
create mode 100644 SPECS/nodejs/CVE-2024-21538.patch
create mode 100644 SPECS/python-tensorboard/CVE-2024-21538.patch
diff --git a/SPECS/nodejs/CVE-2024-21538.patch b/SPECS/nodejs/CVE-2024-21538.patch
new file mode 100644
index 00000000000..5e23eaac709
--- /dev/null
+++ b/SPECS/nodejs/CVE-2024-21538.patch
@@ -0,0 +1,61 @@ +From 25a768556d7e7fcf29bc1e0f93bbfda698de5795 Mon Sep 17 00:00:00 2001 +From: bala +Date: Tue, 19 Nov 2024 11:19:13 +0000 +Subject: [PATCH] Vendor patch applied to fix CVE-2024-21538 + +--- + .../npm/_/node_modules/cross-spawn/lib/util/escape.js | 6 ++++-- + .../node_modules/cross-spawn/lib/util/escape.js | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/cross-spawn/lib/util/escape.js b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/cross-spawn/lib/util/escape.js +index b0bb84c..e4804b9 100644 +--- a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/cross-spawn/lib/util/escape.js ++++ b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/cross-spawn/lib/util/escape.js +@@ -15,15 +15,17 @@ function escapeArgument(arg, doubleEscapeMetaChars) { + arg = `${arg}`; + + // Algorithm below is based on https://qntm.org/cmd ++ // It's slightly altered to disable JS backtracking to avoid hanging on specially crafted input ++ // Please see https://github.com/moxystudio/node-cross-spawn/pull/160 for more information + + // Sequence of backslashes followed by a double quote: + // double up all the backslashes and escape the double quote +- arg = arg.replace(/(\\*)"/g, '$1$1\\"'); ++ arg = arg.replace(/(?=\\*?)"/g, '$1$1\\"'); + + // Sequence of backslashes followed by the end of the string + // (which will become a double quote later): + // double up all the backslashes +- arg = arg.replace(/(\\*)$/, '$1$1'); ++ arg = arg.replace(/(?=\\*?)$/, '$1$1'); + + // All other backslashes occur literally + +diff --git a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/patch-package/node_modules/cross-spawn/lib/util/escape.js b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/patch-package/node_modules/cross-spawn/lib/util/escape.js +index b0bb84c..e4804b9 100644 +--- 
a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/patch-package/node_modules/cross-spawn/lib/util/escape.js ++++ b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/patch-package/node_modules/cross-spawn/lib/util/escape.js +@@ -15,15 +15,17 @@ function escapeArgument(arg, doubleEscapeMetaChars) { + arg = `${arg}`; + + // Algorithm below is based on https://qntm.org/cmd ++ // It's slightly altered to disable JS backtracking to avoid hanging on specially crafted input ++ // Please see https://github.com/moxystudio/node-cross-spawn/pull/160 for more information + + // Sequence of backslashes followed by a double quote: + // double up all the backslashes and escape the double quote +- arg = arg.replace(/(\\*)"/g, '$1$1\\"'); ++ arg = arg.replace(/(?=\\*?)"/g, '$1$1\\"'); + + // Sequence of backslashes followed by the end of the string + // (which will become a double quote later): + // double up all the backslashes +- arg = arg.replace(/(\\*)$/, '$1$1'); ++ arg = arg.replace(/(?=\\*?)$/, '$1$1'); + + // All other backslashes occur literally + +-- +2.39.4 + diff --git a/SPECS/nodejs/nodejs18.spec b/SPECS/nodejs/nodejs18.spec index 59de8fbdf55..9d8e94bd57a 100644 --- a/SPECS/nodejs/nodejs18.spec +++ b/SPECS/nodejs/nodejs18.spec @@ -17,6 +17,7 @@ URL: https://github.com/nodejs/node # !!! => use clean-source-tarball.sh script to create a clean and reproducible source tarball. Source0: https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz Patch0: CVE-2023-21100.patch +Patch1: CVE-2024-21538.patch BuildRequires: brotli-devel BuildRequires: coreutils >= 8.22 BuildRequires: gcc @@ -117,6 +118,9 @@ make cctest %{_datadir}/systemtap/tapset/node.stp %changelog +* Tue Nov 19 2024 Bala - 20.14.0-3 +- Patch CVE-2024-21538 + * Thu Jun 13 2024 Nick Samson - 18.20.3-1 - Upgrade to 18.20.3-1 to fix CVE-2024-28863 
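Review bot: Both rewritten `replace` calls in the vendored `escape.js` patch keep `'$1$1\\"'` and `'$1$1'` as the replacement, but the new patterns `/(?=\\*?)"/g` and `/(?=\\*?)$/` contain no capturing group, so `$1` is no longer a backreference and JavaScript emits it as the literal text `$1`. The lookahead can also succeed on the empty string, so backslashes in front of a quote or at the end of the argument are no longer doubled, which changes how arguments are quoted for cmd rather than only removing the backtracking. A form that keeps group 1 and scans each backslash run once would be `arg.replace(/(?<!\\)(\\*)"/g, '$1$1\\"')` and `arg.replace(/(?<!\\)(\\*)$/, '$1$1')`; it is also worth checking whether upstream has since corrected this expression and carrying that change instead. The same two lines appear in every copy of this hunk in the series (the patch-package copy and SPECS/python-tensorboard/CVE-2024-21538.patch). escapeArgument's body continues outside the hunk.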
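Review bot: `Patch1: CVE-2024-21538.patch` only declares the patch; the `%prep` section is outside this hunk, so it is not visible whether the spec applies patches through `%autosetup` or through explicit `%patch0`-style lines. If it is the explicit form, a matching `%patch1 -p1` is needed, otherwise the package builds and ships without the fix while the changelog says it is patched. A build-time grep of the unpacked tree for the comment the patch adds to `escape.js` would make a silently skipped patch fail the build.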
diff --git a/SPECS/python-tensorboard/CVE-2024-21538.patch b/SPECS/python-tensorboard/CVE-2024-21538.patch
new file mode 100644
index 00000000000..f90f77e901c
--- /dev/null
+++ b/SPECS/python-tensorboard/CVE-2024-21538.patch
@@ -0,0 +1,61 @@ +From b1fc6aa3d09e6a29e5cb7bad252ccceaf86f2b35 Mon Sep 17 00:00:00 2001 +From: bala +Date: Tue, 19 Nov 2024 10:42:19 +0000 +Subject: [PATCH] Fix CVE-2024-21538 by patching + +--- + .../npm/_/node_modules/cross-spawn/lib/util/escape.js | 6 ++++-- + .../node_modules/cross-spawn/lib/util/escape.js | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/cross-spawn/lib/util/escape.js b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/cross-spawn/lib/util/escape.js +index b0bb84c3a..e4804b997 100644 +--- a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/cross-spawn/lib/util/escape.js ++++ b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/cross-spawn/lib/util/escape.js +@@ -15,15 +15,17 @@ function escapeArgument(arg, doubleEscapeMetaChars) { + arg = `${arg}`; + + // Algorithm below is based on https://qntm.org/cmd ++ // It's slightly altered to disable JS backtracking to avoid hanging on specially crafted input ++ // Please see https://github.com/moxystudio/node-cross-spawn/pull/160 for more information + + // Sequence of backslashes followed by a double quote: + // double up all the backslashes and escape the double quote +- arg = arg.replace(/(\\*)"/g, '$1$1\\"'); ++ arg = arg.replace(/(?=\\*?)"/g, '$1$1\\"'); + + // Sequence of backslashes followed by the end of the string + // (which will become a double quote later): + // double up all the backslashes +- arg = arg.replace(/(\\*)$/, '$1$1'); ++ arg = arg.replace(/(?=\\*?)$/, '$1$1'); + + // All other backslashes occur literally + +diff --git a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/patch-package/node_modules/cross-spawn/lib/util/escape.js b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/patch-package/node_modules/cross-spawn/lib/util/escape.js +index b0bb84c3a..e4804b997 100644 +--- 
a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/patch-package/node_modules/cross-spawn/lib/util/escape.js ++++ b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/patch-package/node_modules/cross-spawn/lib/util/escape.js +@@ -15,15 +15,17 @@ function escapeArgument(arg, doubleEscapeMetaChars) { + arg = `${arg}`; + + // Algorithm below is based on https://qntm.org/cmd ++ // It's slightly altered to disable JS backtracking to avoid hanging on specially crafted input ++ // Please see https://github.com/moxystudio/node-cross-spawn/pull/160 for more information + + // Sequence of backslashes followed by a double quote: + // double up all the backslashes and escape the double quote +- arg = arg.replace(/(\\*)"/g, '$1$1\\"'); ++ arg = arg.replace(/(?=\\*?)"/g, '$1$1\\"'); + + // Sequence of backslashes followed by the end of the string + // (which will become a double quote later): + // double up all the backslashes +- arg = arg.replace(/(\\*)$/, '$1$1'); ++ arg = arg.replace(/(?=\\*?)$/, '$1$1'); + + // All other backslashes occur literally + +-- +2.39.4 + From 249e18b72aa5553c7d577dcd728e7cb85802f785 Mon Sep 17 00:00:00 2001 From: Balakumaran Kannan Date: Tue, 19 Nov 2024 12:08:35 +0000 Subject: [PATCH 2/4] Create patch agains correct module file --- SPECS/nodejs/CVE-2024-21538.patch | 39 ++++++------------------------- 1 file changed, 7 insertions(+), 32 deletions(-) diff --git a/SPECS/nodejs/CVE-2024-21538.patch b/SPECS/nodejs/CVE-2024-21538.patch index 5e23eaac709..7620a62ff46 100644 --- a/SPECS/nodejs/CVE-2024-21538.patch +++ b/SPECS/nodejs/CVE-2024-21538.patch @@ -1,41 +1,16 @@ -From 25a768556d7e7fcf29bc1e0f93bbfda698de5795 Mon Sep 17 00:00:00 2001 +From ea1368b332cebba727436bf4dddebb0c5d7a9d5b Mon Sep 17 00:00:00 2001 
From: bala -Date: Tue, 19 Nov 2024 11:19:13 +0000 +Date: Tue, 19 Nov 2024 12:03:43 +0000 Subject: [PATCH] Vendor patch applied to fix CVE-2024-21538 --- - .../npm/_/node_modules/cross-spawn/lib/util/escape.js | 6 ++++-- - .../node_modules/cross-spawn/lib/util/escape.js | 6 ++++-- - 2 files changed, 8 insertions(+), 4 deletions(-) + deps/npm/node_modules/cross-spawn/lib/util/escape.js | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) -diff --git a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/cross-spawn/lib/util/escape.js b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/cross-spawn/lib/util/escape.js +diff --git a/deps/npm/node_modules/cross-spawn/lib/util/escape.js b/deps/npm/node_modules/cross-spawn/lib/util/escape.js index b0bb84c..e4804b9 100644 ---- a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/cross-spawn/lib/util/escape.js -+++ b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/cross-spawn/lib/util/escape.js -@@ -15,15 +15,17 @@ function escapeArgument(arg, doubleEscapeMetaChars) { - arg = `${arg}`; - - // Algorithm below is based on https://qntm.org/cmd -+ // It's slightly altered to disable JS backtracking to avoid hanging on specially crafted input -+ // Please see https://github.com/moxystudio/node-cross-spawn/pull/160 for more information - - // Sequence of backslashes followed by a double quote: - // double up all the backslashes and escape the double quote -- arg = arg.replace(/(\\*)"/g, '$1$1\\"'); -+ arg = arg.replace(/(?=\\*?)"/g, '$1$1\\"'); - - // Sequence of backslashes followed by the end of the string - // (which will become a double quote later): - // double up all the backslashes -- arg = arg.replace(/(\\*)$/, '$1$1'); -+ arg = arg.replace(/(?=\\*?)$/, '$1$1'); - - // All other backslashes occur literally - -diff --git a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/patch-package/node_modules/cross-spawn/lib/util/escape.js 
b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/patch-package/node_modules/cross-spawn/lib/util/escape.js -index b0bb84c..e4804b9 100644 ---- a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/patch-package/node_modules/cross-spawn/lib/util/escape.js -+++ b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/patch-package/node_modules/cross-spawn/lib/util/escape.js +--- a/deps/npm/node_modules/cross-spawn/lib/util/escape.js ++++ b/deps/npm/node_modules/cross-spawn/lib/util/escape.js @@ -15,15 +15,17 @@ function escapeArgument(arg, doubleEscapeMetaChars) { arg = `${arg}`; From caab9f9cb95d9fd632acb3f7bf53fac012f53271 Mon Sep 17 00:00:00 2001 From: Balakumaran Kannan Date: Thu, 21 Nov 2024 09:20:13 +0000 Subject: [PATCH 3/4] Remove patch from python-tensorboard --- SPECS/python-tensorboard/CVE-2024-21538.patch | 61 ------------------- .../python-tensorboard.spec | 5 ++ 2 files changed, 5 insertions(+), 61 deletions(-) delete mode 100644 SPECS/python-tensorboard/CVE-2024-21538.patch diff --git a/SPECS/python-tensorboard/CVE-2024-21538.patch b/SPECS/python-tensorboard/CVE-2024-21538.patch deleted file mode 100644 index f90f77e901c..00000000000 --- a/SPECS/python-tensorboard/CVE-2024-21538.patch +++ /dev/null 
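Review bot: The retargeted patch covers only `deps/npm/node_modules/cross-spawn/lib/util/escape.js`, and nothing in the series shows that this is the sole copy of cross-spawn in the Node.js source tarball. Other bundled tool trees may carry their own copy, so it would help to list every `cross-spawn/lib/util/escape.js` in the unpacked source during review and either patch each one or record why it is not shipped. A short comment in the patch header naming the vendored package and the path it was generated against would also make the next rebase easier to verify.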
@@ -1,61 +0,0 @@ -From b1fc6aa3d09e6a29e5cb7bad252ccceaf86f2b35 Mon Sep 17 00:00:00 2001 -From: bala -Date: Tue, 19 Nov 2024 10:42:19 +0000 -Subject: [PATCH] Fix CVE-2024-21538 by patching - ---- - .../npm/_/node_modules/cross-spawn/lib/util/escape.js | 6 ++++-- - .../node_modules/cross-spawn/lib/util/escape.js | 6 ++++-- - 2 files changed, 8 insertions(+), 4 deletions(-) - -diff --git a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/cross-spawn/lib/util/escape.js b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/cross-spawn/lib/util/escape.js -index b0bb84c3a..e4804b997 100644 ---- a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/cross-spawn/lib/util/escape.js -+++ b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/cross-spawn/lib/util/escape.js -@@ -15,15 +15,17 @@ function escapeArgument(arg, doubleEscapeMetaChars) { - arg = `${arg}`; - - // Algorithm below is based on https://qntm.org/cmd -+ // It's slightly altered to disable JS backtracking to avoid hanging on specially crafted input -+ // Please see https://github.com/moxystudio/node-cross-spawn/pull/160 for more information - - // Sequence of backslashes followed by a double quote: - // double up all the backslashes and escape the double quote -- arg = arg.replace(/(\\*)"/g, '$1$1\\"'); -+ arg = arg.replace(/(?=\\*?)"/g, '$1$1\\"'); - - // Sequence of backslashes followed by the end of the string - // (which will become a double quote later): - // double up all the backslashes -- arg = arg.replace(/(\\*)$/, '$1$1'); -+ arg = arg.replace(/(?=\\*?)$/, '$1$1'); - - // All other backslashes occur literally - -diff --git a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/patch-package/node_modules/cross-spawn/lib/util/escape.js b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/patch-package/node_modules/cross-spawn/lib/util/escape.js -index b0bb84c3a..e4804b997 100644 ---- 
a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/patch-package/node_modules/cross-spawn/lib/util/escape.js -+++ b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/patch-package/node_modules/cross-spawn/lib/util/escape.js -@@ -15,15 +15,17 @@ function escapeArgument(arg, doubleEscapeMetaChars) { - arg = `${arg}`; - - // Algorithm below is based on https://qntm.org/cmd -+ // It's slightly altered to disable JS backtracking to avoid hanging on specially crafted input -+ // Please see https://github.com/moxystudio/node-cross-spawn/pull/160 for more information - - // Sequence of backslashes followed by a double quote: - // double up all the backslashes and escape the double quote -- arg = arg.replace(/(\\*)"/g, '$1$1\\"'); -+ arg = arg.replace(/(?=\\*?)"/g, '$1$1\\"'); - - // Sequence of backslashes followed by the end of the string - // (which will become a double quote later): - // double up all the backslashes -- arg = arg.replace(/(\\*)$/, '$1$1'); -+ arg = arg.replace(/(?=\\*?)$/, '$1$1'); - - // All other backslashes occur literally - --- -2.39.4 - diff --git a/SPECS/python-tensorboard/python-tensorboard.spec b/SPECS/python-tensorboard/python-tensorboard.spec index a53425ed1a3..11ea9e84604 100644 --- a/SPECS/python-tensorboard/python-tensorboard.spec +++ b/SPECS/python-tensorboard/python-tensorboard.spec @@ -56,6 +56,7 @@ Summary: %{summary} %prep %autosetup -p1 -n tensorboard-%{version} +rm -rf tensorboard-%{version}/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm %build tar -xf %{SOURCE1} -C /root/ @@ -102,6 +103,10 @@ mv %{pypi_name}-%{version}-*.whl pyproject-wheeldir/ %{python3_sitelib}/tensorboard_data_server* %changelog +* Tue Nov 19 2024 Bala - 2.16.2-6 +- Remove npm directory before building to make sure as no nodejs vulnerability is getting through +- It is done while fixing CVE-2024-21538 + * Tue Aug 01 2023 Riken Maharjan - 2.11.0-2 - Remove bazel version. 
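Review bot: The added `rm -rf tensorboard-%{version}/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm` runs right after `%autosetup -p1 -n tensorboard-%{version}`, which normally leaves the shell inside `tensorboard-%{version}`, so the path is resolved one level too deep and `rm -rf` exits successfully even when nothing matches. The hashed `tb_tmp` prefix also looks like a build-time output directory, and `%build` unpacks `%{SOURCE1}` into `/root/` afterwards, so the npm tree may not exist yet at `%prep` time; both points are inferred from the hunk and need confirming against a real build. If the directory is in the source root, the line should read `rm -rf tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm`. Using `rm -r` without `-f` would turn a wrong path or wrong ordering into a build failure instead of a silent no-op that leaves the vulnerable files in place.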
From 32ba264c0e63c53dde591e21b7ed6b50390c3825 Mon Sep 17 00:00:00 2001 From: Balakumaran Kannan Date: Thu, 21 Nov 2024 10:24:51 +0000 Subject: [PATCH 4/4] Fix changelog and version number --- SPECS/nodejs/nodejs18.spec | 4 ++-- SPECS/python-tensorboard/python-tensorboard.spec | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/SPECS/nodejs/nodejs18.spec b/SPECS/nodejs/nodejs18.spec index 9d8e94bd57a..fb9b9f05b02 100644 --- a/SPECS/nodejs/nodejs18.spec +++ b/SPECS/nodejs/nodejs18.spec @@ -6,7 +6,7 @@ Name: nodejs18 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package. # The version of NPM can be found inside the sources under 'deps/npm/package.json'. Version: 18.20.3 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD and MIT and Public Domain and NAIST-2003 and Artistic-2.0 Group: Applications/System Vendor: Microsoft Corporation @@ -118,7 +118,7 @@ make cctest %{_datadir}/systemtap/tapset/node.stp %changelog -* Tue Nov 19 2024 Bala - 20.14.0-3 +* Tue Nov 19 2024 Bala - 18.20.3-2 - Patch CVE-2024-21538 * Thu Jun 13 2024 Nick Samson - 18.20.3-1 diff --git a/SPECS/python-tensorboard/python-tensorboard.spec b/SPECS/python-tensorboard/python-tensorboard.spec index 11ea9e84604..e62fefa9f02 100644 --- a/SPECS/python-tensorboard/python-tensorboard.spec +++ b/SPECS/python-tensorboard/python-tensorboard.spec @@ -7,7 +7,7 @@ TensorBoard is a suite of web applications for inspecting and understanding your Summary: TensorBoard is a suite of web applications for inspecting and understanding your TensorFlow runs and graphs Name: python-%{pypi_name} Version: 2.11.0 -Release: 2%{?dist} +Release: 3%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner 
@@ -103,8 +103,8 @@ mv %{pypi_name}-%{version}-*.whl pyproject-wheeldir/ %{python3_sitelib}/tensorboard_data_server* %changelog -* Tue Nov 19 2024 Bala - 2.16.2-6 -- Remove npm directory before building to make sure as no nodejs vulnerability is getting through +* Tue Nov 19 2024 Bala - 2.11.0-3 +- Remove npm directory before building to make sure no nodejs vulnerability is getting through - It is done while fixing CVE-2024-21538 * Tue Aug 01 2023 Riken Maharjan - 2.11.0-2