diff options
| -rw-r--r-- | meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch | 57 | ||||
| -rw-r--r-- | meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb | 1 |
2 files changed, 58 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch new file mode 100644 index 0000000000..a6c7f1091b --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch | |||
| @@ -0,0 +1,57 @@ | |||
| 1 | From 217a3dba7b2bfc94534c19e48a35bb9282367be2 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 3 | Date: Sun, 6 Aug 2023 10:41:33 +0000 | ||
| 4 | Subject: [PATCH] module: fix code injection through export names | ||
| 5 | MIME-Version: 1.0 | ||
| 6 | Content-Type: text/plain; charset=UTF-8 | ||
| 7 | Content-Transfer-Encoding: 8bit | ||
| 8 | |||
| 9 | From: Tobias Nießen <tniessen@tnie.de> | ||
| 10 | |||
| 11 | createDynamicModule() properly escapes import names, but not export | ||
| 12 | names. In WebAssembly, any string is a valid export name. Importing a | ||
| 13 | WebAssembly module that uses a non-identifier export name leads to | ||
| 14 | either a syntax error in createDynamicModule() or to code injection, | ||
| 15 | that is, to the evaluation of almost arbitrary JavaScript code outside | ||
| 16 | of the WebAssembly module. | ||
| 17 | |||
| 18 | To address this issue, adopt the same mechanism in createExport() that | ||
| 19 | createImport() already uses. Add tests for both exports and imports. | ||
| 20 | |||
| 21 | PR-URL: https://github.com/nodejs-private/node-private/pull/461 | ||
| 22 | Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/489 | ||
| 23 | Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> | ||
| 24 | CVE-ID: CVE-2023-39333 | ||
| 25 | |||
| 26 | CVE: CVE-2023-39333 | ||
| 27 | Upstream-Status: Backport [https://github.com/nodejs/node/commit/f5c90b2951ca8ce8e47136ef073a1778edcad15d] | ||
| 28 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 29 | --- | ||
| 30 | lib/internal/modules/esm/create_dynamic_module.js | 14 +++++++------- | ||
| 31 | 1 file changed, 7 insertions(+), 7 deletions(-) | ||
| 32 | |||
| 33 | diff --git a/lib/internal/modules/esm/create_dynamic_module.js b/lib/internal/modules/esm/create_dynamic_module.js | ||
| 34 | index f7c2008..c99da19 100644 | ||
| 35 | --- a/lib/internal/modules/esm/create_dynamic_module.js | ||
| 36 | +++ b/lib/internal/modules/esm/create_dynamic_module.js | ||
| 37 | @@ -18,13 +18,13 @@ function createImport(impt, index) { | ||
| 38 | import.meta.imports[${imptPath}] = $import_${index};`; | ||
| 39 | } | ||
| 40 | |||
| 41 | -function createExport(expt) { | ||
| 42 | - const name = `${expt}`; | ||
| 43 | - return `let $${name}; | ||
| 44 | -export { $${name} as ${name} }; | ||
| 45 | -import.meta.exports.${name} = { | ||
| 46 | - get: () => $${name}, | ||
| 47 | - set: (v) => $${name} = v, | ||
| 48 | +function createExport(expt, index) { | ||
| 49 | + const nameStringLit = JSONStringify(expt); | ||
| 50 | + return `let $export_${index}; | ||
| 51 | +export { $export_${index} as ${nameStringLit} }; | ||
| 52 | +import.meta.exports[${nameStringLit}] = { | ||
| 53 | + get: () => $export_${index}, | ||
| 54 | + set: (v) => $export_${index} = v, | ||
| 55 | };`; | ||
| 56 | } | ||
| 57 | |||
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb index b2872bfd98..2feec12f21 100644 --- a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb +++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb | |||
| @@ -30,6 +30,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \ | |||
| 30 | file://CVE-2024-22019.patch \ | 30 | file://CVE-2024-22019.patch \ |
| 31 | file://CVE-2024-22025.patch \ | 31 | file://CVE-2024-22025.patch \ |
| 32 | file://CVE-2023-46809.patch \ | 32 | file://CVE-2023-46809.patch \ |
| 33 | file://CVE-2023-39333.patch \ | ||
| 33 | " | 34 | " |
| 34 | SRC_URI:append:class-target = " \ | 35 | SRC_URI:append:class-target = " \ |
| 35 | file://0001-Using-native-binaries.patch \ | 36 | file://0001-Using-native-binaries.patch \ |
