Hello community,

here is the log from the commit of package nodejs8 for openSUSE:Factory checked 
in at 2019-08-06 15:11:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/nodejs8 (Old)
 and      /work/SRC/openSUSE:Factory/.nodejs8.new.4126 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "nodejs8"

Tue Aug  6 15:11:03 2019 rev:25 rq:721007 version:8.15.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/nodejs8/nodejs8.changes  2019-05-07 23:20:34.641137098 +0200
+++ /work/SRC/openSUSE:Factory/.nodejs8.new.4126/nodejs8.changes        2019-08-06 15:11:05.139754885 +0200
@@ -1,0 +2,6 @@
+Mon Jul 29 09:01:29 UTC 2019 - Adam Majer <adam.ma...@suse.de>
+
+- CVE-2019-13173.patch: fix potential file overwrite via hardlink
+  in fstream.DirWriter() function (bsc#1140290, CVE-2019-13173)
+
+-------------------------------------------------------------------

New:
----
  CVE-2019-13173.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ nodejs8.spec ++++++
--- /var/tmp/diff_new_pack.gngNYe/_old  2019-08-06 15:11:06.295754350 +0200
+++ /var/tmp/diff_new_pack.gngNYe/_new  2019-08-06 15:11:06.299754348 +0200
@@ -121,6 +121,8 @@
 Patch7:         manual_configure.patch
 Patch12:        openssl_1_1_1.patch
 
+Patch31:        CVE-2019-13173.patch
+
 ## Patches specific to SUSE and openSUSE
 # PATCH-FIX-OPENSUSE -- set correct path for dtrace if it is built
 Patch101:       nodejs-libpath.patch
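Review bot: `Patch31` is added without the patch-tag comment that the SUSE-specific patches below carry (`# PATCH-FIX-OPENSUSE -- ...` above `Patch101`), so the spec itself does not say what this patch fixes or where it comes from. I would add `# PATCH-FIX-UPSTREAM CVE-2019-13173.patch bsc#1140290 -- fstream: clobber a hardlink that is in the way of a File` directly above it. The patch only touches `deps/npm/node_modules/fstream/lib/writer.js`; whether the source tree bundles another copy of fstream is not visible here and is worth checking before the CVE is treated as closed.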
@@ -319,6 +321,7 @@
 %if 0%{with valgrind_tests}
 %endif
 %patch12 -p1
+%patch31 -p1
 %patch101 -p1
 %patch102 -p1
 # Add check_output to configure script (not part of Python 2.6 in SLE11).
@@ -364,7 +367,7 @@
 # percent-configure pulls in something that confuses node's configure
 # script, so we'll do it thus:
 export CFLAGS="%{optflags}"
-export CXXFLAGS="%{optflags}"
+export CXXFLAGS="%{optflags} -Wno-class-memaccess"
 
 %if 0%{?cc_exec:1}
 export CC=%{?cc_exec}
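Review bot: The added `-Wno-class-memaccess` is not mentioned in the nodejs8.changes entry, which records only the CVE patch, and nothing in the spec says why it is needed. The flag silences GCC's warning about raw `memset`/`memcpy`-style writes over non-trivial class types for every C++ file built with these flags, a diagnostic that is useful to keep visible in bundled native code. A comment above the export, for example `# gcc8+: -Wclass-memaccess is noisy in the bundled sources; revisit when upstream is clean` (reason to be confirmed by the packager), plus a changelog line would make the suppression auditable.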
@@ -376,6 +379,9 @@
 
 ./configure \
     --prefix=%{_prefix} \
+%if %{node_version_number} >= 12
+    --enable-lto \
+%endif
 %if ! 0%{with intree_openssl}
     --shared-openssl \
 %endif
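Review bot: `%if %{node_version_number} >= 12` uses the macro unguarded, while the other conditionals visible in this spec use the `0%{...}` form (`%if 0%{?cc_exec:1}`, `%if 0%{with valgrind_tests}`); if `node_version_number` were ever undefined, the expression would no longer parse. `%if 0%{?node_version_number} >= 12` is the defensive spelling. The macro's definition is outside the hunk, so this may already be guaranteed. For this package (version 8.15.1 per the commit header) the branch is presumably never taken, and the change is also absent from the changelog entry.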

++++++ CVE-2019-13173.patch ++++++
CVE-2019-13173

Backported from
https://github.com/npm/fstream/commit/6a77d2fa6e1462693cf8e46f930da96ec1b0bb22

>From 6a77d2fa6e1462693cf8e46f930da96ec1b0bb22 Mon Sep 17 00:00:00 2001
From: isaacs <i...@izs.me>
Date: Tue, 14 May 2019 17:37:57 -0700
Subject: [PATCH] Clobber a Link if it's in the way of a File

Fixes https://github.com/npm/node-tar/issues/212
---
 lib/writer.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/writer.js b/lib/writer.js
index 140e449..3f10547 100644
--- a/deps/npm/node_modules/fstream/lib/writer.js
+++ b/deps/npm/node_modules/fstream/lib/writer.js
@@ -147,7 +147,7 @@ Writer.prototype._stat = function (current) {
 
     // if it's a type change, then we need to clobber or error.
     // if it's not a type change, then let the impl take care of it.
-    if (currentType !== self.type) {
+    if (currentType !== self.type || self.type === 'File' && current.nlink > 1) {
       return rimraf(self._path, function (er) {
         if (er) return self.error(er)
         self._old = null
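Review bot: The comment above the changed condition still says the clobber happens only on a type change, but the new test also removes an existing regular file whose link count is above one, which is the actual security fix and is left unexplained. I would extend the comment with `// a File with nlink > 1 is a hardlink; writing through it would modify the other path, so remove it first`, and parenthesise the mixed operators for readers: `if (currentType !== self.type || (self.type === 'File' && current.nlink > 1)) {`. Precedence already gives that grouping, so behaviour is unchanged. `Writer.prototype._stat` starts before and continues after this hunk, so how `current` is obtained, and whether it is re-checked before the write, cannot be judged from here.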


