Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package nodejs-electron for openSUSE:Factory 
checked in at 2022-12-07 17:35:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/nodejs-electron (Old)
 and      /work/SRC/openSUSE:Factory/.nodejs-electron.new.1835 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "nodejs-electron"

Wed Dec  7 17:35:40 2022 rev:47 rq:1040905 version:21.3.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/nodejs-electron/nodejs-electron.changes  
2022-12-04 14:59:32.744682095 +0100
+++ 
/work/SRC/openSUSE:Factory/.nodejs-electron.new.1835/nodejs-electron.changes    
    2022-12-07 17:37:24.381341188 +0100
@@ -1,0 +2,7 @@
+Tue Dec  6 17:20:10 UTC 2022 - Bruno Pitrus <brunopit...@hotmail.com>
+- Add backported CVE-2022-43548.patch
+  * inspector: DNS rebinding in --inspect via invalid octal IP
+    (bsc#1205119, CVE-2022-43548)
+- Fix vaapi build error in the arm port and reenable vaapi.
+
+-------------------------------------------------------------------

New:
----
  CVE-2022-43548.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ nodejs-electron.spec ++++++
--- /var/tmp/diff_new_pack.aKXpH9/_old  2022-12-07 17:37:28.233362280 +0100
+++ /var/tmp/diff_new_pack.aKXpH9/_new  2022-12-07 17:37:28.241362324 +0100
@@ -44,6 +44,7 @@
 
 %bcond_without pipewire
 
+%bcond_without swiftshader
 %ifarch %ix86 x86_64 %arm
 #Use subzero as swiftshader backend instead of LLVM
 %bcond_without subzero
@@ -51,13 +52,10 @@
 %bcond_with subzero
 %endif
 
+#the QT ui is currently borderline unusable (too small fonts in menu and wrong colors)
+%bcond_with qt
 
-
-%ifarch x86_64 %ix86 aarch64
 %bcond_without vaapi
-%else
-%bcond_with vaapi
-%endif
 
 %if %{with vaapi}
 #vaapi still requires bundled libvpx
@@ -168,6 +166,7 @@
 
 
 
+
 %if 0%{?fedora}
 
 %bcond_without system_llhttp
@@ -361,6 +360,7 @@
 Patch3092:      webgl_image_conversion-Wstrict-aliasing.patch
 Patch3093:      xr_cube_map-Wstrict-aliasing.patch
 Patch3094:      static_constructors-Wstrict-aliasing.patch
+Patch3095:      CVE-2022-43548.patch
 
 %if %{with clang}
 BuildRequires:  clang
@@ -419,7 +419,7 @@
 %if %{with lld}
 BuildRequires:  lld
 %endif
-%if %{without subzero}
+%if %{with swiftshader} && %{without subzero}
 BuildRequires:  llvm-devel
 %endif
 BuildRequires:  memory-constraints
@@ -580,6 +580,10 @@
 BuildRequires:  pkgconfig(nss) >= 3.26
 BuildRequires:  pkgconfig(opus) >= 1.3.1
 BuildRequires:  pkgconfig(pangocairo)
+%if %{with qt}
+BuildRequires:  pkgconfig(Qt5Core)
+BuildRequires:  pkgconfig(Qt5Widgets)
+%endif
 BuildRequires:  pkgconfig(re2)
 %if %{with system_spirv}
 %if 0%{?suse_version}
@@ -1045,11 +1049,16 @@
 myconf_gn+=" is_debug=false"
 myconf_gn+=" dcheck_always_on=false"
 myconf_gn+=" enable_nacl=false"
+%if %{with swiftshader}
+myconf_gn+=" enable_swiftshader=true"
 %if %{with subzero}
 myconf_gn+=" use_swiftshader_with_subzero=true"
 %else
 myconf_gn+=" use_swiftshader_with_subzero=false"
 %endif
+%else
+myconf_gn+=" enable_swiftshader=false"
+%endif
 myconf_gn+=" is_component_ffmpeg=true"
 myconf_gn+=" use_cups=true"
 myconf_gn+=" use_aura=true"
@@ -1152,6 +1161,7 @@
 myconf_gn+=" enable_vulkan=true"
 myconf_gn+=" icu_use_data_file=false"
 myconf_gn+=" media_use_openh264=false"
+myconf_gn+=" use_libgav1_parser=true"
 myconf_gn+=" rtc_use_h264=false"
 myconf_gn+=" use_v8_context_snapshot=true"
 myconf_gn+=" v8_use_external_startup_data=true"
@@ -1223,8 +1233,9 @@
 myconf_gn+=" rtc_use_pipewire=true rtc_link_pipewire=true"
 %endif
 
-
-
+%if %{with qt}
+myconf_gn+=" use_qt=true"
+%endif
 
 # Do not build WebGPU support. It is huge and not used by ANY known apps (we would know if it was — it's hidden behind an experimental flag).
 myconf_gn+=" use_dawn=false"
@@ -1276,8 +1287,9 @@
 install -pm 0755 chrome_crashpad_handler -t %{buildroot}%{_libdir}/electron/
 install -pm 0755 libEGL.so               -t %{buildroot}%{_libdir}/electron/
 install -pm 0755 libGLESv2.so            -t %{buildroot}%{_libdir}/electron/
-install -pm 0755 libvk_swiftshader.so    -t %{buildroot}%{_libdir}/electron/
-install -pm 0644 vk_swiftshader_icd.json -t %{buildroot}%{_libdir}/electron/
+install -pm 0755 libqt5_shim.so          -t %{buildroot}%{_libdir}/electron/ ||true
+install -pm 0755 libvk_swiftshader.so    -t %{buildroot}%{_libdir}/electron/ ||true
+install -pm 0644 vk_swiftshader_icd.json -t %{buildroot}%{_libdir}/electron/ ||true
 install -pm 0644 version                 -t %{buildroot}%{_libdir}/electron/
 popd
 
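Review bot: The `||true` appended to the three `install` lines hides every failure, not only the case where the file was intentionally not built. With swiftshader enabled, a missing `libvk_swiftshader.so` or `vk_swiftshader_icd.json` would now pass the build silently and ship a package without them. Gating the lines on the `%{with qt}` and `%{with swiftshader}` conditionals this commit already introduces keeps the build failing when an expected artifact is absent. The %files list is outside this hunk and presumably needs the same conditionals.

```spec
# … unchanged: install of chrome_crashpad_handler, libEGL.so, libGLESv2.so …
%if %{with qt}
install -pm 0755 libqt5_shim.so          -t %{buildroot}%{_libdir}/electron/
%endif
%if %{with swiftshader}
install -pm 0755 libvk_swiftshader.so    -t %{buildroot}%{_libdir}/electron/
install -pm 0644 vk_swiftshader_icd.json -t %{buildroot}%{_libdir}/electron/
%endif
# … unchanged: install of version, popd …
```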

++++++ CVE-2022-43548.patch ++++++
>From 165342beac61a5573c8eb422cb5bc7001adbf0c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= <tnies...@tnie.de>
Date: Sun, 25 Sep 2022 12:34:05 +0000
Subject: [PATCH] inspector: harden IP address validation again

Use inet_pton() to parse IP addresses, which restricts IP addresses
to a small number of well-defined formats. In particular, octal and
hexadecimal number formats are not allowed, and neither are leading
zeros. Also explicitly reject 0.0.0.0/8 and ::/128 as non-routable.

Refs: https://hackerone.com/reports/1710652
CVE-ID: CVE-2022-43548
PR-URL: https://github.com/nodejs-private/node-private/pull/354
Reviewed-by: Michael Dawson <midaw...@redhat.com>
Reviewed-by: Rafael Gonzaga <rafael.n...@hotmail.com>
Reviewed-by: Rich Trott <rtr...@gmail.com>
---
 src/inspector_socket.cc              | 77 ++++++++++++++++++++------
 test/cctest/test_inspector_socket.cc | 80 ++++++++++++++++++++++++++++
 2 files changed, 141 insertions(+), 16 deletions(-)

diff --git a/src/inspector_socket.cc b/src/inspector_socket.cc
index ab1cdf1fa5bd..8001d893e1fd 100644
--- a/third_party/electron_node/src/inspector_socket.cc
+++ b/third_party/electron_node/src/inspector_socket.cc
@@ -162,24 +162,70 @@ static std::string TrimPort(const std::string& host) {
 }
 
 static bool IsIPAddress(const std::string& host) {
-  if (host.length() >= 4 && host.front() == '[' && host.back() == ']')
-    return true;
-  uint_fast16_t accum = 0;
-  uint_fast8_t quads = 0;
-  bool empty = true;
-  auto endOctet = [&accum, &quads, &empty](bool final = false) {
-    return !empty && accum <= 0xff && ++quads <= 4 && final == (quads == 4) &&
-           (empty = true) && !(accum = 0);
-  };
-  for (char c : host) {
-    if (isdigit(c)) {
-      if ((accum = (accum * 10) + (c - '0')) > 0xff) return false;
-      empty = false;
-    } else if (c != '.' || !endOctet()) {
+  // TODO(tniessen): add CVEs to the following bullet points
+  // To avoid DNS rebinding attacks, we are aware of the following requirements:
+  // * the host name must be an IP address,
+  // * the IP address must be routable, and
+  // * the IP address must be formatted unambiguously.
+
+  // The logic below assumes that the string is null-terminated, so ensure that
+  // we did not somehow end up with null characters within the string.
+  if (host.find('\0') != std::string::npos) return false;
+
+  // All IPv6 addresses must be enclosed in square brackets, and anything
+  // enclosed in square brackets must be an IPv6 address.
+  if (host.length() >= 4 && host.front() == '[' && host.back() == ']') {
+    // INET6_ADDRSTRLEN is the maximum length of the dual format (including the
+    // terminating null character), which is the longest possible representation
+    // of an IPv6 address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:ddd.ddd.ddd.ddd
+    if (host.length() - 2 >= INET6_ADDRSTRLEN) return false;
+
+    // Annoyingly, libuv's implementation of inet_pton() deviates from other
+    // implementations of the function in that it allows '%' in IPv6 addresses.
+    if (host.find('%') != std::string::npos) return false;
+
+    // Parse the IPv6 address to ensure it is syntactically valid.
+    char ipv6_str[INET6_ADDRSTRLEN];
+    std::copy(host.begin() + 1, host.end() - 1, ipv6_str);
+    ipv6_str[host.length()] = '\0';
+    unsigned char ipv6[sizeof(struct in6_addr)];
+    if (uv_inet_pton(AF_INET6, ipv6_str, ipv6) != 0) return false;
+
+    // The only non-routable IPv6 address is ::/128. It should not be necessary
+    // to explicitly reject it because it will still be enclosed in square
+    // brackets and not even macOS should make DNS requests in that case, but
+    // history has taught us that we cannot be careful enough.
+    // Note that RFC 4291 defines both "IPv4-Compatible IPv6 Addresses" and
+    // "IPv4-Mapped IPv6 Addresses", which means that there are IPv6 addresses
+    // (other than ::/128) that represent non-routable IPv4 addresses. However,
+    // this translation assumes that the host is interpreted as an IPv6 address
+    // in the first place, at which point DNS rebinding should not be an issue.
+    if (std::all_of(ipv6, ipv6 + sizeof(ipv6), [](auto b) { return b == 0; })) {
       return false;
     }
+
+    // It is a syntactically valid and routable IPv6 address enclosed in square
+    // brackets. No client should be able to misinterpret this.
+    return true;
   }
-  return endOctet(true);
+
+  // Anything not enclosed in square brackets must be an IPv4 address. It is
+  // important here that inet_pton() accepts only the so-called dotted-decimal
+  // notation, which is a strict subset of the so-called numbers-and-dots
+  // notation that is allowed by inet_aton() and inet_addr(). This subset does
+  // not allow hexadecimal or octal number formats.
+  unsigned char ipv4[sizeof(struct in_addr)];
+  if (uv_inet_pton(AF_INET, host.c_str(), ipv4) != 0) return false;
+
+  // The only strictly non-routable IPv4 address is 0.0.0.0, and macOS will make
+  // DNS requests for this IP address, so we need to explicitly reject it. In
+  // fact, we can safely reject all of 0.0.0.0/8 (see Section 3.2 of RFC 791 and
+  // Section 3.2.1.3 of RFC 1122).
+  // Note that inet_pton() stores the IPv4 address in network byte order.
+  if (ipv4[0] == 0) return false;
+
+  // It is a routable IPv4 address in dotted-decimal notation.
+  return true;
 }
 
 // Constants for hybi-10 frame format.
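Review bot: In the bracketed IPv6 branch, `ipv6_str[host.length()] = '\0';` places the terminator two bytes past the copied text, because `std::copy` writes only `host.length() - 2` characters. That leaves two uninitialized bytes for `uv_inet_pton()` to read, and since the length guard admits `host.length()` up to `INET6_ADDRSTRLEN + 1`, the store can land outside the `INET6_ADDRSTRLEN`-byte array. The terminator should go directly after the copied characters: `ipv6_str[host.length() - 2] = '\0';`. The diffstat lists test/cctest/test_inspector_socket.cc, but that file is not in the patch as shown here, so a test with a maximum-length bracketed host would be worth adding alongside the fix.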


++++++ fpic.patch ++++++
--- /var/tmp/diff_new_pack.aKXpH9/_old  2022-12-07 17:37:28.469363572 +0100
+++ /var/tmp/diff_new_pack.aKXpH9/_new  2022-12-07 17:37:28.473363594 +0100
@@ -85,4 +85,24 @@
    sources = [
      "compression_utils_portable.cc",
      "compression_utils_portable.h",
+--- src/ui/qt/BUILD.gn.old     2022-12-02 23:49:17.792117400 +0100
++++ src/ui/qt/BUILD.gn 2022-12-04 14:32:48.407196100 +0100
+@@ -43,6 +43,8 @@
+   # target instead.
+   public = [ "qt_interface.h" ]
+   sources = [ "qt_interface.cc" ]
++  cflags = ["-fpic", "-fno-semantic-interposition"]
++  asmflags = ["-fpic", "-fno-semantic-interposition"]
+ }
+ 
+ shared_library("qt5_shim") {
+@@ -76,6 +78,8 @@
+     # 3. Manually add copyright header.
+     "qt_shim_moc.cc",
+   ]
++  cflags = ["-fpic", "-fno-semantic-interposition"]
++  asmflags = ["-fpic", "-fno-semantic-interposition"]
+ }
+ 
+ component("qt") {
 
