[AUTO-CHERRYPICK] Patch CVE-2024-24806 in nodejs18 - branch main (#8164)

CBL-Mariner-Bot · suresh-thelkar · PawelWMS · web-flow · commit 351ccbc8f1f0 · 2024-02-28T14:52:19.000-08:00
Co-authored-by: suresh-thelkar &lt;suresh.thelkar@yahoo.com&gt;
Co-authored-by: Pawel Winogrodzki &lt;pawelwi@microsoft.com&gt;
diff --git a/SPECS/nodejs/CVE-2024-24806.patch b/SPECS/nodejs/CVE-2024-24806.patch
@@ -0,0 +1,31 @@
+From 9c2cf90e5b3952a202a0fb8435470eaa527d3f63 Mon Sep 17 00:00:00 2001
+From: Suresh Thelkar <sthelkar@microsoft.com>
+Date: Tue, 27 Feb 2024 10:24:03 +0530
+Subject: [PATCH] Patch CVE-2024-24806
+
+Upstream patch details are given below.
+https://github.com/libuv/libuv/commit/0f2d7e784a256b54b2385043438848047bc2a629
+---
+ deps/uv/src/idna.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/deps/uv/src/idna.c b/deps/uv/src/idna.c
+index 93d982ca..197650af 100644
+--- a/deps/uv/src/idna.c
++++ b/deps/uv/src/idna.c
+@@ -308,8 +308,10 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {
+       return rc;
+   }
+ 
+-  if (d < de)
+-    *d++ = '\0';
++  if (d >= de)
++    return UV_EINVAL;
++
++  *d++ = '\0';
+ 
+   return d - ds;  /* Number of bytes written. */
+ }
+-- 
+2.34.1
+
diff --git a/SPECS/nodejs/nodejs18.spec b/SPECS/nodejs/nodejs18.spec
@@ -6,7 +6,7 @@ Name:           nodejs18
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version:        18.18.2
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        BSD and MIT and Public Domain and NAIST-2003 and Artistic-2.0
 Group:          Applications/System
 Vendor:         Microsoft Corporation
@@ -18,6 +18,7 @@ URL:            https://github.com/nodejs/node
 Source0:        https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz
 Patch0:         disable-tlsv1-tlsv1-1.patch
 Patch1:         CVE-2023-42282.patch
+Patch2:         CVE-2024-24806.patch
 BuildRequires:  brotli-devel
 BuildRequires:  coreutils >= 8.22
 BuildRequires:  gcc
@@ -116,6 +117,9 @@ make cctest
 %{_datadir}/systemtap/tapset/node.stp
 
 %changelog
+* Tue Feb 27 2024 Suresh Thelkar <sthelkar@ieee.org> - 18.18.2-4
+- Patch CVE-2024-24806
+
 * Mon Feb 26 2024 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 18.18.2-3
 - Patch CVE-2023-42282
 - Unit test code is not applicable for this NodeJS version sources
