mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-15 16:07:26 +00:00
nodejs: patch CVE-2023-39333
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39333 Backport the patch that mentions this CVE ID explicitly in its commit message. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
@@ -0,0 +1,57 @@
|
|||||||
|
From 217a3dba7b2bfc94534c19e48a35bb9282367be2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gyorgy Sarvari <skandigraun@gmail.com>
|
||||||
|
Date: Sun, 6 Aug 2023 10:41:33 +0000
|
||||||
|
Subject: [PATCH] module: fix code injection through export names
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
From: Tobias Nießen <tniessen@tnie.de>
|
||||||
|
|
||||||
|
createDynamicModule() properly escapes import names, but not export
|
||||||
|
names. In WebAssembly, any string is a valid export name. Importing a
|
||||||
|
WebAssembly module that uses a non-identifier export name leads to
|
||||||
|
either a syntax error in createDynamicModule() or to code injection,
|
||||||
|
that is, to the evaluation of almost arbitrary JavaScript code outside
|
||||||
|
of the WebAssembly module.
|
||||||
|
|
||||||
|
To address this issue, adopt the same mechanism in createExport() that
|
||||||
|
createImport() already uses. Add tests for both exports and imports.
|
||||||
|
|
||||||
|
PR-URL: https://github.com/nodejs-private/node-private/pull/461
|
||||||
|
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/489
|
||||||
|
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
|
||||||
|
CVE-ID: CVE-2023-39333
|
||||||
|
|
||||||
|
CVE: CVE-2023-39333
|
||||||
|
Upstream-Status: Backport [https://github.com/nodejs/node/commit/f5c90b2951ca8ce8e47136ef073a1778edcad15d]
|
||||||
|
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
|
||||||
|
---
|
||||||
|
lib/internal/modules/esm/create_dynamic_module.js | 14 +++++++-------
|
||||||
|
1 file changed, 7 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/internal/modules/esm/create_dynamic_module.js b/lib/internal/modules/esm/create_dynamic_module.js
|
||||||
|
index f7c2008..c99da19 100644
|
||||||
|
--- a/lib/internal/modules/esm/create_dynamic_module.js
|
||||||
|
+++ b/lib/internal/modules/esm/create_dynamic_module.js
|
||||||
|
@@ -18,13 +18,13 @@ function createImport(impt, index) {
|
||||||
|
import.meta.imports[${imptPath}] = $import_${index};`;
|
||||||
|
}
|
||||||
|
|
||||||
|
-function createExport(expt) {
|
||||||
|
- const name = `${expt}`;
|
||||||
|
- return `let $${name};
|
||||||
|
-export { $${name} as ${name} };
|
||||||
|
-import.meta.exports.${name} = {
|
||||||
|
- get: () => $${name},
|
||||||
|
- set: (v) => $${name} = v,
|
||||||
|
+function createExport(expt, index) {
|
||||||
|
+ const nameStringLit = JSONStringify(expt);
|
||||||
|
+ return `let $export_${index};
|
||||||
|
+export { $export_${index} as ${nameStringLit} };
|
||||||
|
+import.meta.exports[${nameStringLit}] = {
|
||||||
|
+ get: () => $export_${index},
|
||||||
|
+ set: (v) => $export_${index} = v,
|
||||||
|
};`;
|
||||||
|
}
|
||||||
|
|
||||||
@@ -30,6 +30,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
|
|||||||
file://CVE-2024-22019.patch \
|
file://CVE-2024-22019.patch \
|
||||||
file://CVE-2024-22025.patch \
|
file://CVE-2024-22025.patch \
|
||||||
file://CVE-2023-46809.patch \
|
file://CVE-2023-46809.patch \
|
||||||
|
file://CVE-2023-39333.patch \
|
||||||
"
|
"
|
||||||
SRC_URI:append:class-target = " \
|
SRC_URI:append:class-target = " \
|
||||||
file://0001-Using-native-binaries.patch \
|
file://0001-Using-native-binaries.patch \
|
||||||
|
|||||||
Reference in New Issue
Block a user