summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGyorgy Sarvari <skandigraun@gmail.com>2026-01-02 12:28:57 +0100
committerGyorgy Sarvari <skandigraun@gmail.com>2026-01-08 22:03:03 +0100
commitf9ed3b8197d024b291fb100205fcfd371275f0db (patch)
tree89289d822bae4d448759a044e439afa9968a0e3d
parent04f577d527d9d7beb6fcde973f5e61704bfe1ba8 (diff)
downloadmeta-openembedded-f9ed3b8197d024b291fb100205fcfd371275f0db.tar.gz
nodejs: patch CVE-2023-39333
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39333 Backport the patch that mentions this CVE ID explicitly in its commit message. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
-rw-r--r--meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch57
-rw-r--r--meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb1
2 files changed, 58 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch
new file mode 100644
index 0000000000..a6c7f1091b
--- /dev/null
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch
@@ -0,0 +1,57 @@
1From 217a3dba7b2bfc94534c19e48a35bb9282367be2 Mon Sep 17 00:00:00 2001
2From: Gyorgy Sarvari <skandigraun@gmail.com>
3Date: Sun, 6 Aug 2023 10:41:33 +0000
4Subject: [PATCH] module: fix code injection through export names
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9From: Tobias Nießen <tniessen@tnie.de>
10
11createDynamicModule() properly escapes import names, but not export
12names. In WebAssembly, any string is a valid export name. Importing a
13WebAssembly module that uses a non-identifier export name leads to
14either a syntax error in createDynamicModule() or to code injection,
15that is, to the evaluation of almost arbitrary JavaScript code outside
16of the WebAssembly module.
17
18To address this issue, adopt the same mechanism in createExport() that
19createImport() already uses. Add tests for both exports and imports.
20
21PR-URL: https://github.com/nodejs-private/node-private/pull/461
22Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/489
23Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
24CVE-ID: CVE-2023-39333
25
26CVE: CVE-2023-39333
27Upstream-Status: Backport [https://github.com/nodejs/node/commit/f5c90b2951ca8ce8e47136ef073a1778edcad15d]
28Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
29---
30 lib/internal/modules/esm/create_dynamic_module.js | 14 +++++++-------
31 1 file changed, 7 insertions(+), 7 deletions(-)
32
33diff --git a/lib/internal/modules/esm/create_dynamic_module.js b/lib/internal/modules/esm/create_dynamic_module.js
34index f7c2008..c99da19 100644
35--- a/lib/internal/modules/esm/create_dynamic_module.js
36+++ b/lib/internal/modules/esm/create_dynamic_module.js
37@@ -18,13 +18,13 @@ function createImport(impt, index) {
38 import.meta.imports[${imptPath}] = $import_${index};`;
39 }
40
41-function createExport(expt) {
42- const name = `${expt}`;
43- return `let $${name};
44-export { $${name} as ${name} };
45-import.meta.exports.${name} = {
46- get: () => $${name},
47- set: (v) => $${name} = v,
48+function createExport(expt, index) {
49+ const nameStringLit = JSONStringify(expt);
50+ return `let $export_${index};
51+export { $export_${index} as ${nameStringLit} };
52+import.meta.exports[${nameStringLit}] = {
53+ get: () => $export_${index},
54+ set: (v) => $export_${index} = v,
55 };`;
56 }
57
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
index b2872bfd98..2feec12f21 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
30 file://CVE-2024-22019.patch \ 30 file://CVE-2024-22019.patch \
31 file://CVE-2024-22025.patch \ 31 file://CVE-2024-22025.patch \
32 file://CVE-2023-46809.patch \ 32 file://CVE-2023-46809.patch \
33 file://CVE-2023-39333.patch \
33 " 34 "
34SRC_URI:append:class-target = " \ 35SRC_URI:append:class-target = " \
35 file://0001-Using-native-binaries.patch \ 36 file://0001-Using-native-binaries.patch \