Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package nodejs-electron for openSUSE:Factory checked in at 2022-12-07 17:35:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/nodejs-electron (Old) and /work/SRC/openSUSE:Factory/.nodejs-electron.new.1835 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nodejs-electron" Wed Dec 7 17:35:40 2022 rev:47 rq:1040905 version:21.3.2 Changes: -------- --- /work/SRC/openSUSE:Factory/nodejs-electron/nodejs-electron.changes 2022-12-04 14:59:32.744682095 +0100 +++ /work/SRC/openSUSE:Factory/.nodejs-electron.new.1835/nodejs-electron.changes 2022-12-07 17:37:24.381341188 +0100 @@ -1,0 +2,7 @@ +Tue Dec 6 17:20:10 UTC 2022 - Bruno Pitrus <brunopit...@hotmail.com> +- Add backported CVE-2022-43548.patch + * inspector: DNS rebinding in --inspect via invalid octal IP + (bsc#1205119, CVE-2022-43548) +- Fix vaapi build error in the arm port and reenable vaapi. + +------------------------------------------------------------------- New: ---- CVE-2022-43548.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nodejs-electron.spec ++++++ --- /var/tmp/diff_new_pack.aKXpH9/_old 2022-12-07 17:37:28.233362280 +0100 +++ /var/tmp/diff_new_pack.aKXpH9/_new 2022-12-07 17:37:28.241362324 +0100 @@ -44,6 +44,7 @@ %bcond_without pipewire +%bcond_without swiftshader %ifarch %ix86 x86_64 %arm #Use subzero as swiftshader backend instead of LLVM %bcond_without subzero @@ -51,13 +52,10 @@ %bcond_with subzero %endif +#the QT ui is currently borderline unusable (too small fonts in menu and wrong colors) +%bcond_with qt - -%ifarch x86_64 %ix86 aarch64 %bcond_without vaapi -%else -%bcond_with vaapi -%endif %if %{with vaapi} #vaapi still requires bundled libvpx @@ -168,6 +166,7 @@ + %if 0%{?fedora} %bcond_without system_llhttp @@ -361,6 +360,7 @@ Patch3092: webgl_image_conversion-Wstrict-aliasing.patch Patch3093: xr_cube_map-Wstrict-aliasing.patch Patch3094: static_constructors-Wstrict-aliasing.patch +Patch3095: CVE-2022-43548.patch %if %{with clang} BuildRequires: clang @@ -419,7 +419,7 @@ %if %{with lld} BuildRequires: lld %endif -%if %{without subzero} +%if %{with swiftshader} && %{without subzero} BuildRequires: llvm-devel %endif BuildRequires: memory-constraints 
@@ -580,6 +580,10 @@ BuildRequires: pkgconfig(nss) >= 3.26 BuildRequires: pkgconfig(opus) >= 1.3.1 BuildRequires: pkgconfig(pangocairo) +%if %{with qt} +BuildRequires: pkgconfig(Qt5Core) +BuildRequires: pkgconfig(Qt5Widgets) +%endif BuildRequires: pkgconfig(re2) %if %{with system_spirv} %if 0%{?suse_version} @@ -1045,11 +1049,16 @@ myconf_gn+=" is_debug=false" myconf_gn+=" dcheck_always_on=false" myconf_gn+=" enable_nacl=false" +%if %{with swiftshader} +myconf_gn+=" enable_swiftshader=true" %if %{with subzero} myconf_gn+=" use_swiftshader_with_subzero=true" %else myconf_gn+=" use_swiftshader_with_subzero=false" %endif +%else +myconf_gn+=" enable_swiftshader=false" +%endif myconf_gn+=" is_component_ffmpeg=true" myconf_gn+=" use_cups=true" myconf_gn+=" use_aura=true" @@ -1152,6 +1161,7 @@ myconf_gn+=" enable_vulkan=true" myconf_gn+=" icu_use_data_file=false" myconf_gn+=" media_use_openh264=false" +myconf_gn+=" use_libgav1_parser=true" myconf_gn+=" rtc_use_h264=false" myconf_gn+=" use_v8_context_snapshot=true" myconf_gn+=" v8_use_external_startup_data=true" @@ -1223,8 +1233,9 @@ myconf_gn+=" rtc_use_pipewire=true rtc_link_pipewire=true" %endif - - +%if %{with qt} +myconf_gn+=" use_qt=true" +%endif # Do not build WebGPU support. It is huge and not used by ANY known apps (we would know if it was â it's hidden behind an experimental flag). myconf_gn+=" use_dawn=false" 
@@ -1276,8 +1287,9 @@ install -pm 0755 chrome_crashpad_handler -t %{buildroot}%{_libdir}/electron/ install -pm 0755 libEGL.so -t %{buildroot}%{_libdir}/electron/ install -pm 0755 libGLESv2.so -t %{buildroot}%{_libdir}/electron/ -install -pm 0755 libvk_swiftshader.so -t %{buildroot}%{_libdir}/electron/ -install -pm 0644 vk_swiftshader_icd.json -t %{buildroot}%{_libdir}/electron/ +install -pm 0755 libqt5_shim.so -t %{buildroot}%{_libdir}/electron/ ||true +install -pm 0755 libvk_swiftshader.so -t %{buildroot}%{_libdir}/electron/ ||true +install -pm 0644 vk_swiftshader_icd.json -t %{buildroot}%{_libdir}/electron/ ||true install -pm 0644 version -t %{buildroot}%{_libdir}/electron/ popd ++++++ CVE-2022-43548.patch ++++++ >From 165342beac61a5573c8eb422cb5bc7001adbf0c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= <tnies...@tnie.de> Date: Sun, 25 Sep 2022 12:34:05 +0000 Subject: [PATCH] inspector: harden IP address validation again Use inet_pton() to parse IP addresses, which restricts IP addresses to a small number of well-defined formats. In particular, octal and hexadecimal number formats are not allowed, and neither are leading zeros. Also explicitly reject 0.0.0.0/8 and ::/128 as non-routable. Refs: https://hackerone.com/reports/1710652 CVE-ID: CVE-2022-43548 PR-URL: https://github.com/nodejs-private/node-private/pull/354 Reviewed-by: Michael Dawson <midaw...@redhat.com> Reviewed-by: Rafael Gonzaga <rafael.n...@hotmail.com> Reviewed-by: Rich Trott <rtr...@gmail.com> --- src/inspector_socket.cc | 77 ++++++++++++++++++++------ test/cctest/test_inspector_socket.cc | 80 ++++++++++++++++++++++++++++ 2 files changed, 141 insertions(+), 16 deletions(-) diff --git a/src/inspector_socket.cc b/src/inspector_socket.cc index ab1cdf1fa5bd..8001d893e1fd 100644 --- a/third_party/electron_node/src/inspector_socket.cc +++ b/third_party/electron_node/src/inspector_socket.cc 
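Review bot: The `||true` appended to the three `install` lines for `libqt5_shim.so`, `libvk_swiftshader.so` and `vk_swiftshader_icd.json` hides a failed install in every configuration, including builds where the file is expected to exist. The spec already defines the `qt` and `swiftshader` build conditionals, so each line can be guarded instead: wrap the two swiftshader installs in `%if %{with swiftshader}` … `%endif` and the shim in `%if %{with qt}` … `%endif`, and drop the `||true`. A build that enables the feature but fails to produce the library then stops in the install step rather than producing a package without it. Whether the file list would catch a missing file is not visible in this hunk.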
@@ -162,24 +162,70 @@ static std::string TrimPort(const std::string& host) {
 }
 static bool IsIPAddress(const std::string& host) {
- if (host.length() >= 4 && host.front() == '[' && host.back() == ']')
- return true;
- uint_fast16_t accum = 0;
- uint_fast8_t quads = 0;
- bool empty = true;
- auto endOctet = [&accum, &quads, &empty](bool final = false) {
- return !empty && accum <= 0xff && ++quads <= 4 && final == (quads == 4) &&
- (empty = true) && !(accum = 0);
- };
- for (char c : host) {
- if (isdigit(c)) {
- if ((accum = (accum * 10) + (c - '0')) > 0xff) return false;
- empty = false;
- } else if (c != '.' || !endOctet()) {
+ // TODO(tniessen): add CVEs to the following bullet points
+ // To avoid DNS rebinding attacks, we are aware of the following requirements:
+ // * the host name must be an IP address,
+ // * the IP address must be routable, and
+ // * the IP address must be formatted unambiguously.
+
+ // The logic below assumes that the string is null-terminated, so ensure that
+ // we did not somehow end up with null characters within the string.
+ if (host.find('\0') != std::string::npos) return false;
+
+ // All IPv6 addresses must be enclosed in square brackets, and anything
+ // enclosed in square brackets must be an IPv6 address.
+ if (host.length() >= 4 && host.front() == '[' && host.back() == ']') {
+ // INET6_ADDRSTRLEN is the maximum length of the dual format (including the
+ // terminating null character), which is the longest possible representation
+ // of an IPv6 address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:ddd.ddd.ddd.ddd
+ if (host.length() - 2 >= INET6_ADDRSTRLEN) return false;
+
+ // Annoyingly, libuv's implementation of inet_pton() deviates from other
+ // implementations of the function in that it allows '%' in IPv6 addresses.
+ if (host.find('%') != std::string::npos) return false;
+
+ // Parse the IPv6 address to ensure it is syntactically valid.
+ char ipv6_str[INET6_ADDRSTRLEN];
+ std::copy(host.begin() + 1, host.end() - 1, ipv6_str);
+ ipv6_str[host.length()] = '\0';
+ unsigned char ipv6[sizeof(struct in6_addr)];
+ if (uv_inet_pton(AF_INET6, ipv6_str, ipv6) != 0) return false;
+
+ // The only non-routable IPv6 address is ::/128. It should not be necessary
+ // to explicitly reject it because it will still be enclosed in square
+ // brackets and not even macOS should make DNS requests in that case, but
+ // history has taught us that we cannot be careful enough.
+ // Note that RFC 4291 defines both "IPv4-Compatible IPv6 Addresses" and
+ // "IPv4-Mapped IPv6 Addresses", which means that there are IPv6 addresses
+ // (other than ::/128) that represent non-routable IPv4 addresses. However,
+ // this translation assumes that the host is interpreted as an IPv6 address
+ // in the first place, at which point DNS rebinding should not be an issue.
+ if (std::all_of(ipv6, ipv6 + sizeof(ipv6), [](auto b) { return b == 0; })) {
 return false;
 }
+
+ // It is a syntactically valid and routable IPv6 address enclosed in square
+ // brackets. No client should be able to misinterpret this.
+ return true;
 }
- return endOctet(true);
+
+ // Anything not enclosed in square brackets must be an IPv4 address. It is
+ // important here that inet_pton() accepts only the so-called dotted-decimal
+ // notation, which is a strict subset of the so-called numbers-and-dots
+ // notation that is allowed by inet_aton() and inet_addr(). This subset does
+ // not allow hexadecimal or octal number formats.
+ unsigned char ipv4[sizeof(struct in_addr)];
+ if (uv_inet_pton(AF_INET, host.c_str(), ipv4) != 0) return false;
+
+ // The only strictly non-routable IPv4 address is 0.0.0.0, and macOS will make
+ // DNS requests for this IP address, so we need to explicitly reject it. In
+ // fact, we can safely reject all of 0.0.0.0/8 (see Section 3.2 of RFC 791 and
+ // Section 3.2.1.3 of RFC 1122).
+ // Note that inet_pton() stores the IPv4 address in network byte order.
+ if (ipv4[0] == 0) return false;
+
+ // It is a routable IPv4 address in dotted-decimal notation.
+ return true;
 }
 // Constants for hybi-10 frame format.
++++++ fpic.patch ++++++
--- /var/tmp/diff_new_pack.aKXpH9/_old 2022-12-07 17:37:28.469363572 +0100
+++ /var/tmp/diff_new_pack.aKXpH9/_new 2022-12-07 17:37:28.473363594 +0100
@@ -85,4 +85,24 @@ sources = [ "compression_utils_portable.cc", "compression_utils_portable.h",
+--- src/ui/qt/BUILD.gn.old 2022-12-02 23:49:17.792117400 +0100
++++ src/ui/qt/BUILD.gn 2022-12-04 14:32:48.407196100 +0100
+@@ -43,6 +43,8 @@
+ # target instead.
+ public = [ "qt_interface.h" ]
+ sources = [ "qt_interface.cc" ]
++ cflags = ["-fpic", "-fno-semantic-interposition"]
++ asmflags = ["-fpic", "-fno-semantic-interposition"]
+ }
+
+ shared_library("qt5_shim") {
+@@ -76,6 +78,8 @@
+ # 3. Manually add copyright header.
+ "qt_shim_moc.cc",
+ ]
++ cflags = ["-fpic", "-fno-semantic-interposition"]
++ asmflags = ["-fpic", "-fno-semantic-interposition"]
+ }
+
+ component("qt") {
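Review bot: In the bracketed-IPv6 branch of `IsIPAddress` (the `inspector_socket.cc` hunk), the terminator for `ipv6_str` is written at index `host.length()`, although `std::copy` only fills `host.length() - 2` bytes. The two bytes between the copied text and the terminator are left uninitialized and are then read by `uv_inet_pton()`. The length guard above admits hosts of up to `INET6_ADDRSTRLEN + 1` characters, so the store can also land up to two bytes past the end of the `INET6_ADDRSTRLEN`-sized array. The line should read `ipv6_str[host.length() - 2] = '\0';`. The cctest file named in the patch's diffstat is not included in this packaged patch, so a test with a maximum-length bracketed host would need to be checked separately.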