commit nodejs-electron for openSUSE:Factory

Thu, 11 Apr 2024 10:41:24 -0700 

Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package nodejs-electron for openSUSE:Factory 
checked in at 2024-04-11 19:41:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/nodejs-electron (Old)
 and      /work/SRC/openSUSE:Factory/.nodejs-electron.new.29460 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "nodejs-electron"

Thu Apr 11 19:41:00 2024 rev:111 rq:1166706 version:28.2.10

Changes:
--------
--- /work/SRC/openSUSE:Factory/nodejs-electron/nodejs-electron.changes  
2024-04-10 17:50:07.995905851 +0200
+++ 
/work/SRC/openSUSE:Factory/.nodejs-electron.new.29460/nodejs-electron.changes   
    2024-04-11 19:41:04.893601769 +0200
@@ -1,0 +2,5 @@
+Wed Apr 10 18:21:32 UTC 2024 - Bruno Pitrus <[email protected]>
+
+- Add CVE-2024-30261-undici-fetch-integrity.patch (fixes CVE-2024-30261 
bsc#1222603)
+
+-------------------------------------------------------------------

New:
----
  CVE-2024-30261-undici-fetch-integrity.patch

BETA DEBUG BEGIN:
  New:
- Add CVE-2024-30261-undici-fetch-integrity.patch (fixes CVE-2024-30261 
bsc#1222603)
BETA DEBUG END:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ nodejs-electron.spec ++++++
--- /var/tmp/diff_new_pack.yvSzH7/_old  2024-04-11 19:41:08.573737910 +0200
+++ /var/tmp/diff_new_pack.yvSzH7/_new  2024-04-11 19:41:08.573737910 +0200
@@ -355,6 +355,7 @@
 Patch3134:      swiftshader-llvm18-LLVMJIT-Host.patch
 Patch3135:      swiftshader-llvm18-LLVMJIT-CodeGenOptLevel.patch
 Patch3136:      CVE-2024-30260-undici-clear-proxy-authorization.patch
+Patch3137:      CVE-2024-30261-undici-fetch-integrity.patch
 
 BuildRequires:  brotli
 %if %{with system_cares}

++++++ CVE-2024-30261-undici-fetch-integrity.patch ++++++
Port https://github.com/nodejs/undici/commit/d542b8c to apply to amalgamated 
undici code in nodejs (the original copy in deps/undici/src is not used and i'm 
not bothering with patching it)

These chunks were manually cherry-picked from upstream nodejs commit 
https://github.com/nodejs/node/commit/60d24938 to match the undici changes.


--- a/third_party/electron_node/deps/undici/undici.js
+++ b/third_party/electron_node/deps/undici/undici.js
@@ -992,9 +992,12 @@ var require_util2 = __commonJS({
     var { isBlobLike, toUSVString, ReadableStreamFrom } = require_util();
     var assert = require("assert");
     var { isUint8Array } = require("util/types");
+    var supportedHashes = [];
     var crypto;
     try {
       crypto = require("crypto");
+      const possibleRelevantHashes = ["sha256", "sha384", "sha512"];
+      supportedHashes = crypto.getHashes().filter((hash) => 
possibleRelevantHashes.includes(hash));
     } catch {
     }
     function responseURL(response) {
@@ -1277,46 +1280,38 @@ var require_util2 = __commonJS({
       if (parsedMetadata.length === 0) {
         return true;
       }
-      const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo));
-      const strongest = list[0].algo;
-      const metadata = list.filter((item) => item.algo === strongest);
+      const strongest = getStrongestMetadata(parsedMetadata);
+      const metadata = filterMetadataListByAlgorithm(parsedMetadata, 
strongest);
       for (const item of metadata) {
         const algorithm = item.algo;
-        let expectedValue = item.hash;
-        if (expectedValue.endsWith("==")) {
-          expectedValue = expectedValue.slice(0, -2);
-        }
+        const expectedValue = item.hash;
         let actualValue = 
crypto.createHash(algorithm).update(bytes).digest("base64");
-        if (actualValue.endsWith("==")) {
-          actualValue = actualValue.slice(0, -2);
-        }
-        if (actualValue === expectedValue) {
-          return true;
-        }
-        let actualBase64URL = 
crypto.createHash(algorithm).update(bytes).digest("base64url");
-        if (actualBase64URL.endsWith("==")) {
-          actualBase64URL = actualBase64URL.slice(0, -2);
+        if (actualValue[actualValue.length - 1] === "=") {
+          if (actualValue[actualValue.length - 2] === "=") {
+            actualValue = actualValue.slice(0, -2);
+          } else {
+            actualValue = actualValue.slice(0, -1);
+          }
         }
-        if (actualBase64URL === expectedValue) {
+        if (compareBase64Mixed(actualValue, expectedValue)) {
           return true;
         }
       }
       return false;
     }
     __name(bytesMatch, "bytesMatch");
-    var parseHashWithOptions = 
/((?<algo>sha256|sha384|sha512)-(?<hash>[A-z0-9+/]{1}.*={0,2}))( 
+[\x21-\x7e]?)?/i;
+    var parseHashWithOptions = 
/(?<algo>sha256|sha384|sha512)-((?<hash>[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)(
 +[!-~]*)?)?/i;
     function parseMetadata(metadata) {
       const result = [];
       let empty = true;
-      const supportedHashes = crypto.getHashes();
       for (const token of metadata.split(" ")) {
         empty = false;
         const parsedToken = parseHashWithOptions.exec(token);
-        if (parsedToken === null || parsedToken.groups === void 0) {
+        if (parsedToken === null || parsedToken.groups === void 0 || 
parsedToken.groups.algo === void 0) {
           continue;
         }
-        const algorithm = parsedToken.groups.algo;
-        if (supportedHashes.includes(algorithm.toLowerCase())) {
+        const algorithm = parsedToken.groups.algo.toLowerCase();
+        if (supportedHashes.includes(algorithm)) {
           result.push(parsedToken.groups);
         }
       }
@@ -1326,6 +1321,54 @@ var require_util2 = __commonJS({
       return result;
     }
     __name(parseMetadata, "parseMetadata");
+    function getStrongestMetadata(metadataList) {
+      let algorithm = metadataList[0].algo;
+      if (algorithm[3] === "5") {
+        return algorithm;
+      }
+      for (let i = 1; i < metadataList.length; ++i) {
+        const metadata = metadataList[i];
+        if (metadata.algo[3] === "5") {
+          algorithm = "sha512";
+          break;
+        } else if (algorithm[3] === "3") {
+          continue;
+        } else if (metadata.algo[3] === "3") {
+          algorithm = "sha384";
+        }
+      }
+      return algorithm;
+    }
+    __name(getStrongestMetadata, "getStrongestMetadata");
+    function filterMetadataListByAlgorithm(metadataList, algorithm) {
+      if (metadataList.length === 1) {
+        return metadataList;
+      }
+      let pos = 0;
+      for (let i = 0; i < metadataList.length; ++i) {
+        if (metadataList[i].algo === algorithm) {
+          metadataList[pos++] = metadataList[i];
+        }
+      }
+      metadataList.length = pos;
+      return metadataList;
+    }
+    __name(filterMetadataListByAlgorithm, "filterMetadataListByAlgorithm");
+    function compareBase64Mixed(actualValue, expectedValue) {
+      if (actualValue.length !== expectedValue.length) {
+        return false;
+      }
+      for (let i = 0; i < actualValue.length; ++i) {
+        if (actualValue[i] !== expectedValue[i]) {
+          if (actualValue[i] === "+" && expectedValue[i] === "-" || 
actualValue[i] === "/" && expectedValue[i] === "_") {
+            continue;
+          }
+          return false;
+        }
+      }
+      return true;
+    }
+    __name(compareBase64Mixed, "compareBase64Mixed");
     function tryUpgradeRequestToAPotentiallyTrustworthyURL(request) {
     }
     __name(tryUpgradeRequestToAPotentiallyTrustworthyURL, 
"tryUpgradeRequestToAPotentiallyTrustworthyURL");

Reply via email to