Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39333
Backport the patch that mentions this CVE ID explicitly in its commit message.
Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../nodejs/nodejs/CVE-2023-39333.patch | 57 +++++++++++++++++++
 .../recipes-devtools/nodejs/nodejs_16.20.2.bb | 1 +
 2 files changed, 58 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch
new file mode 100644
index 0000000000..3cea4e1c23
--- /dev/null
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch
@@ -0,0 +1,57 @@
+From 217a3dba7b2bfc94534c19e48a35bb9282367be2 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <[email protected]>
+Date: Sun, 6 Aug 2023 10:41:33 +0000
+Subject: [PATCH] module: fix code injection through export names
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tobias Nießen <[email protected]>
+
+createDynamicModule() properly escapes import names, but not export
+names. In WebAssembly, any string is a valid export name. Importing a
+WebAssembly module that uses a non-identifier export name leads to
+either a syntax error in createDynamicModule() or to code injection,
+that is, to the evaluation of almost arbitrary JavaScript code outside
+of the WebAssembly module.
+
+To address this issue, adopt the same mechanism in createExport() that
+createImport() already uses. Add tests for both exports and imports.
+
+PR-URL: https://github.com/nodejs-private/node-private/pull/461
+Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/489
+Reviewed-By: Rafael Gonzaga <[email protected]>
+CVE-ID: CVE-2023-39333
+
+CVE: CVE-2023-39333
+Upstream-Status: Backport [https://github.com/nodejs/node/commit/f5c90b2951ca8ce8e47136ef073a1778edcad15d]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ lib/internal/modules/esm/create_dynamic_module.js | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/lib/internal/modules/esm/create_dynamic_module.js b/lib/internal/modules/esm/create_dynamic_module.js
+index f7c2008..c99da19 100644
+--- a/lib/internal/modules/esm/create_dynamic_module.js
++++ b/lib/internal/modules/esm/create_dynamic_module.js
+@@ -18,13 +18,13 @@ function createImport(impt, index) {
+ import.meta.imports[${imptPath}] = $import_${index};`;
+ }
+
+-function createExport(expt) {
+- const name = `${expt}`;
+- return `let $${name};
+-export { $${name} as ${name} };
+-import.meta.exports.${name} = {
+- get: () => $${name},
+- set: (v) => $${name} = v,
++function createExport(expt, index) {
++ const nameStringLit = JSONStringify(expt);
++ return `let $export_${index};
++export { $export_${index} as ${nameStringLit} };
++import.meta.exports[${nameStringLit}] = {
++ get: () => $export_${index},
++ set: (v) => $export_${index} = v,
+ };`;
+ }
+
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
index b2872bfd98..2feec12f21 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
 file://CVE-2024-22019.patch \
 file://CVE-2024-22025.patch \
 file://CVE-2023-46809.patch \
+ file://CVE-2023-39333.patch \
 "
 SRC_URI:append:class-target = " \
 file://0001-Using-native-binaries.patch \
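Review bot: The rewritten `createExport(expt, index)` depends on a second argument that this patch never shows being passed. The inner diffstat covers only this function (7 insertions, 7 deletions in create_dynamic_module.js), so the call site is outside the hunk. Please confirm that the 16.20.2 source calls it as a map-style callback that supplies the array index, and that `JSONStringify` is already in scope there; otherwise every export would collapse onto a single `$export_undefined` binding. The retained upstream message also says "Add tests for both exports and imports", but no test file is part of this backport, so the patch header should say the tests were dropped, or the export-name test should be carried along. Since this function is the injection boundary, I would add a comment above it such as `// Export names are untrusted (any string is valid in WebAssembly): emit them only via JSONStringify, never as bare identifiers.`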
