Patch nodejs18 to address CVE-2023-21100 (#9250)

Author: miz060

SPECS/nodejs/CVE-2023-21100.patch

@@ -0,0 +1,50 @@
+From 901960817a6dc7b40c68c47bcd77037d5fc5d1ea Mon Sep 17 00:00:00 2001
+From: Mitch Zhu <mitchzhu@microsoft.com>
+Date: Wed, 29 May 2024 19:11:14 +0000
+Subject: [PATCH] Address CVE-2023-21100
+
+If the extra field was larger than the space the user provided with
+inflateGetHeader(), and if multiple calls of inflate() delivered
+the extra header data, then there could be a buffer overflow of the
+provided space. This commit assures that provided space is not
+exceeded.
+---
+ deps/v8/third_party/zlib/contrib/optimizations/inflate.c | 5 +++--
+ deps/v8/third_party/zlib/inflate.c                       | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/deps/v8/third_party/zlib/contrib/optimizations/inflate.c b/deps/v8/third_party/zlib/contrib/optimizations/inflate.c
+index 4841cd96..1007f062 100644
+--- a/deps/v8/third_party/zlib/contrib/optimizations/inflate.c
++++ b/deps/v8/third_party/zlib/contrib/optimizations/inflate.c
+@@ -772,8 +772,9 @@ int flush;
+                 if (copy > have) copy = have;
+                 if (copy) {
+                     if (state->head != Z_NULL &&
+-                        state->head->extra != Z_NULL) {
+-                        len = state->head->extra_len - state->length;
++                        state->head->extra != Z_NULL &&
+++                        (len = state->head->extra_len - state->length) <
+++                            state->head->extra_max) {
+                         zmemcpy(state->head->extra + len, next,
+                                 len + copy > state->head->extra_max ?
+                                 state->head->extra_max - len : copy);
+diff --git a/deps/v8/third_party/zlib/inflate.c b/deps/v8/third_party/zlib/inflate.c
+index 7543c33d..384af93f 100644
+--- a/deps/v8/third_party/zlib/inflate.c
++++ b/deps/v8/third_party/zlib/inflate.c
+@@ -761,8 +761,9 @@ int flush;
+                 if (copy > have) copy = have;
+                 if (copy) {
+                     if (state->head != Z_NULL &&
+-                        state->head->extra != Z_NULL) {
+-                        len = state->head->extra_len - state->length;
++                        state->head->extra != Z_NULL &&
+++                        (len = state->head->extra_len - state->length) <
+++                            state->head->extra_max) {
+                         zmemcpy(state->head->extra + len, next,
+                                 len + copy > state->head->extra_max ?
+                                 state->head->extra_max - len : copy);
+-- 
+2.34.1
+

SPECS/nodejs/CVE-2023-42282.patch

@@ -6,7 +6,7 @@ Name:           nodejs18
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version:        18.20.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD and MIT and Public Domain and NAIST-2003 and Artistic-2.0
 Group:          Applications/System
 Vendor:         Microsoft Corporation
@@ -16,6 +16,7 @@ URL:            https://github.com/nodejs/node
 # !!!! because it contains patented algorithms.
 # !!!  => use clean-source-tarball.sh script to create a clean and reproducible source tarball.
 Source0:        https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz
+Patch0:         CVE-2023-21100.patch
 BuildRequires:  brotli-devel
 BuildRequires:  coreutils >= 8.22
 BuildRequires:  gcc
@@ -116,6 +117,10 @@ make cctest
 %{_datadir}/systemtap/tapset/node.stp
 
 %changelog
+* Wed May 29 2024 Mitch Zhu <mitchzhu@microsoft.com> - 18.20.2-2
+- Patch CVE-2023-21100.
+- Remove unused patches.
+
 * Fri Apr 26 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 18.20.2-1
 - Auto-upgrade to 18.20.2 - address multiple CVEs.
 - Remove patches as the upgrade already has these changes.