[LOW] Patch nodejs18 for CVE-2025-5889 (#14065)

aninda-al · web-flow · commit 76c1706d470e · 2025-08-22T11:39:22.000+05:30
diff --git a/SPECS/nodejs/CVE-2025-5889.patch b/SPECS/nodejs/CVE-2025-5889.patch
@@ -0,0 +1,25 @@
+From 5ac97cd987e7dcc2d5ccd0803eb184a7954b2176 Mon Sep 17 00:00:00 2001
+From: Aninda <v-anipradhan@microsoft.com>
+Date: Sat, 21 Jun 2025 07:40:51 -0400
+Subject: [PATCH] Address CVE-2025-5889
+Upstream Patch Reference: https://github.com/juliangruber/brace-expansion/pull/65/commits/a5b98a4f30d7813266b221435e1eaaf25a1b0ac5
+---
+ deps/minimatch/src/node_modules/brace-expansion/index.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/deps/minimatch/src/node_modules/brace-expansion/index.js b/deps/minimatch/src/node_modules/brace-expansion/index.js
+index 4af9ddee..a27f81ce 100644
+--- a/deps/minimatch/src/node_modules/brace-expansion/index.js
++++ b/deps/minimatch/src/node_modules/brace-expansion/index.js
+@@ -116,7 +116,7 @@ function expand(str, isTop) {
+     var isOptions = m.body.indexOf(',') >= 0;
+     if (!isSequence && !isOptions) {
+       // {a},b}
+-      if (m.post.match(/,.*\}/)) {
++      if (m.post.match(/,(?!,).*\}/)) {
+         str = m.pre + '{' + m.body + escClose + m.post;
+         return expand(str);
+       }
+-- 
+2.34.1
+
diff --git a/SPECS/nodejs/nodejs18.spec b/SPECS/nodejs/nodejs18.spec
@@ -6,7 +6,7 @@ Name:           nodejs18
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version:        18.20.3
-Release:        8%{?dist}
+Release:        9%{?dist}
 License:        BSD and MIT and Public Domain and NAIST-2003 and Artistic-2.0
 Group:          Applications/System
 Vendor:         Microsoft Corporation
@@ -27,7 +27,7 @@ Patch7:         CVE-2025-27516.patch
 Patch8:         CVE-2025-47279.patch
 Patch9:         CVE-2025-23166.patch
 Patch10:        CVE-2025-7656.patch
-
+Patch11:        CVE-2025-5889.patch
 BuildRequires:  brotli-devel
 BuildRequires:  coreutils >= 8.22
 BuildRequires:  gcc
@@ -128,6 +128,9 @@ make cctest
 %{_datadir}/systemtap/tapset/node.stp
 
 %changelog
+* Mon Aug 04 2025 Aninda Pradhan <v-anipradhan@microsoft.com> - 18.20.3-9
+- Patch CVE-2025-5889
+
 * Mon Jul 21 2025 Kevin Lockwood <v-klockwood@microsoft.com> - 18.20.3-8
 - Patch CVE-2025-7656
 
