summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch57
-rw-r--r--meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb1
2 files changed, 58 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch
new file mode 100644
index 0000000000..a6c7f1091b
--- /dev/null
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch
@@ -0,0 +1,57 @@
1From 217a3dba7b2bfc94534c19e48a35bb9282367be2 Mon Sep 17 00:00:00 2001
2From: Gyorgy Sarvari <skandigraun@gmail.com>
3Date: Sun, 6 Aug 2023 10:41:33 +0000
4Subject: [PATCH] module: fix code injection through export names
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9From: Tobias Nießen <tniessen@tnie.de>
10
11createDynamicModule() properly escapes import names, but not export
12names. In WebAssembly, any string is a valid export name. Importing a
13WebAssembly module that uses a non-identifier export name leads to
14either a syntax error in createDynamicModule() or to code injection,
15that is, to the evaluation of almost arbitrary JavaScript code outside
16of the WebAssembly module.
17
18To address this issue, adopt the same mechanism in createExport() that
19createImport() already uses. Add tests for both exports and imports.
20
21PR-URL: https://github.com/nodejs-private/node-private/pull/461
22Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/489
23Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
24CVE-ID: CVE-2023-39333
25
26CVE: CVE-2023-39333
27Upstream-Status: Backport [https://github.com/nodejs/node/commit/f5c90b2951ca8ce8e47136ef073a1778edcad15d]
28Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
29---
30 lib/internal/modules/esm/create_dynamic_module.js | 14 +++++++-------
31 1 file changed, 7 insertions(+), 7 deletions(-)
32
33diff --git a/lib/internal/modules/esm/create_dynamic_module.js b/lib/internal/modules/esm/create_dynamic_module.js
34index f7c2008..c99da19 100644
35--- a/lib/internal/modules/esm/create_dynamic_module.js
36+++ b/lib/internal/modules/esm/create_dynamic_module.js
37@@ -18,13 +18,13 @@ function createImport(impt, index) {
38 import.meta.imports[${imptPath}] = $import_${index};`;
39 }
40
41-function createExport(expt) {
42- const name = `${expt}`;
43- return `let $${name};
44-export { $${name} as ${name} };
45-import.meta.exports.${name} = {
46- get: () => $${name},
47- set: (v) => $${name} = v,
48+function createExport(expt, index) {
49+ const nameStringLit = JSONStringify(expt);
50+ return `let $export_${index};
51+export { $export_${index} as ${nameStringLit} };
52+import.meta.exports[${nameStringLit}] = {
53+ get: () => $export_${index},
54+ set: (v) => $export_${index} = v,
55 };`;
56 }
57
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
index b2872bfd98..2feec12f21 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
30 file://CVE-2024-22019.patch \ 30 file://CVE-2024-22019.patch \
31 file://CVE-2024-22025.patch \ 31 file://CVE-2024-22025.patch \
32 file://CVE-2023-46809.patch \ 32 file://CVE-2023-46809.patch \
33 file://CVE-2023-39333.patch \
33 " 34 "
34SRC_URI:append:class-target = " \ 35SRC_URI:append:class-target = " \
35 file://0001-Using-native-binaries.patch \ 36 file://0001-Using-native-binaries.patch \