Hello community, here is the log from the commit of package nodejs8 for openSUSE:Factory checked in at 2019-08-06 15:11:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/nodejs8 (Old) and /work/SRC/openSUSE:Factory/.nodejs8.new.4126 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nodejs8"
Tue Aug 6 15:11:03 2019 rev:25 rq:721007 version:8.15.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/nodejs8/nodejs8.changes 2019-05-07 23:20:34.641137098 +0200
+++ /work/SRC/openSUSE:Factory/.nodejs8.new.4126/nodejs8.changes 2019-08-06 15:11:05.139754885 +0200
@@ -1,0 +2,6 @@
+Mon Jul 29 09:01:29 UTC 2019 - Adam Majer <adam.ma...@suse.de>
+
+- CVE-2019-13173.patch: fix potential file overwrite via hardlink
+ in fstream.DirWriter() function (bsc#1140290, CVE-2019-13173)
+
+-------------------------------------------------------------------
New:
----
CVE-2019-13173.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ nodejs8.spec ++++++
--- /var/tmp/diff_new_pack.gngNYe/_old 2019-08-06 15:11:06.295754350 +0200
+++ /var/tmp/diff_new_pack.gngNYe/_new 2019-08-06 15:11:06.299754348 +0200
@@ -121,6 +121,8 @@
 Patch7: manual_configure.patch
 Patch12: openssl_1_1_1.patch
+Patch31: CVE-2019-13173.patch
+
 ## Patches specific to SUSE and openSUSE
 # PATCH-FIX-OPENSUSE -- set correct path for dtrace if it is built
 Patch101: nodejs-libpath.patch
@@ -319,6 +321,7 @@
 %if 0%{with valgrind_tests}
 %endif
 %patch12 -p1
+%patch31 -p1
 %patch101 -p1
 %patch102 -p1
 # Add check_output to configure script (not part of Python 2.6 in SLE11).
@@ -364,7 +367,7 @@
 # percent-configure pulls in something that confuses node's configure
 # script, so we'll do it thus:
 export CFLAGS="%{optflags}"
-export CXXFLAGS="%{optflags}"
+export CXXFLAGS="%{optflags} -Wno-class-memaccess"
 %if 0%{?cc_exec:1}
 export CC=%{?cc_exec}
@@ -376,6 +379,9 @@
 ./configure \
 --prefix=%{_prefix} \
+%if %{node_version_number} >= 12
+ --enable-lto \
+%endif
 %if ! 0%{with intree_openssl}
 --shared-openssl \
 %endif
++++++ CVE-2019-13173.patch ++++++
CVE-2019-13173 Backported from https://github.com/npm/fstream/commit/6a77d2fa6e1462693cf8e46f930da96ec1b0bb22
>From 6a77d2fa6e1462693cf8e46f930da96ec1b0bb22 Mon Sep 17 00:00:00 2001
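Review bot: The `-Wno-class-memaccess` added to `CXXFLAGS` in the `@@ -364,7 +367,7 @@` hunk of nodejs8.spec carries no comment, and the changelog entry in this commit lists only CVE-2019-13173.patch. A warning switched off for the whole C++ build as part of a security update should state its reason next to the flag, e.g. `# -Wclass-memaccess is noisy on the bundled sources with newer GCC; silenced, not fixed`, if that is indeed the reason. The same goes for the `--enable-lto` block in the `@@ -376,6 +379,9 @@` hunk: it is guarded by `%{node_version_number} >= 12`, so it presumably stays inactive for this nodejs8 package, and a one-line comment that the spec is shared across Node versions would make that explicit.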
From: isaacs <i...@izs.me>
Date: Tue, 14 May 2019 17:37:57 -0700
Subject: [PATCH] Clobber a Link if it's in the way of a File
Fixes https://github.com/npm/node-tar/issues/212
---
 lib/writer.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/writer.js b/lib/writer.js
index 140e449..3f10547 100644
--- a/deps/npm/node_modules/fstream/lib/writer.js
+++ b/deps/npm/node_modules/fstream/lib/writer.js
@@ -147,7 +147,7 @@ Writer.prototype._stat = function (current) {
 // if it's a type change, then we need to clobber or error.
 // if it's not a type change, then let the impl take care of it.
- if (currentType !== self.type) {
+ if (currentType !== self.type || self.type === 'File' && current.nlink > 1) {
 return rimraf(self._path, function (er) {
 if (er) return self.error(er)
 self._old = null
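Review bot: The new condition in `Writer.prototype._stat` mixes `||` and `&&` without parentheses, and the two comment lines above it still describe only the type-change case. It evaluates as intended because `&&` binds tighter, but in a security fix the grouping should be explicit: `if (currentType !== self.type || (self.type === 'File' && current.nlink > 1)) {`. I would also add a comment such as `// a File with nlink > 1 is a hardlink: remove it first so the write cannot land on the link's other name (CVE-2019-13173)`. The decision is taken from the `current` stat passed into `_stat`, whose body starts and ends outside the hunk, so whether the path can change between that stat and the later write cannot be judged from here.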