[AUTO-CHERRYPICK] nodejs and python-tensorboard: patched vendor tarball to fix CVE-2024-21538 - branch 3.0-dev (#11195)

Co-authored-by: Bala <kumaran.4353@gmail.com>

Author: CBL-Mariner-Bot

SPECS/nodejs/CVE-2024-21538.patch

@@ -0,0 +1,36 @@
+From ea1368b332cebba727436bf4dddebb0c5d7a9d5b Mon Sep 17 00:00:00 2001
+From: bala <balakumaran.kannan@microsoft.com>
+Date: Tue, 19 Nov 2024 12:03:43 +0000
+Subject: [PATCH] Vendor patch applied to fix CVE-2024-21538
+
+---
+ deps/npm/node_modules/cross-spawn/lib/util/escape.js | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/deps/npm/node_modules/cross-spawn/lib/util/escape.js b/deps/npm/node_modules/cross-spawn/lib/util/escape.js
+index b0bb84c..e4804b9 100644
+--- a/deps/npm/node_modules/cross-spawn/lib/util/escape.js
++++ b/deps/npm/node_modules/cross-spawn/lib/util/escape.js
+@@ -15,15 +15,17 @@ function escapeArgument(arg, doubleEscapeMetaChars) {
+     arg = `${arg}`;
+ 
+     // Algorithm below is based on https://qntm.org/cmd
++    // It's slightly altered to disable JS backtracking to avoid hanging on specially crafted input
++    // Please see https://github.com/moxystudio/node-cross-spawn/pull/160 for more information
+ 
+     // Sequence of backslashes followed by a double quote:
+     // double up all the backslashes and escape the double quote
+-    arg = arg.replace(/(\\*)"/g, '$1$1\\"');
++    arg = arg.replace(/(?=\\*?)"/g, '$1$1\\"');
+ 
+     // Sequence of backslashes followed by the end of the string
+     // (which will become a double quote later):
+     // double up all the backslashes
+-    arg = arg.replace(/(\\*)$/, '$1$1');
++    arg = arg.replace(/(?=\\*?)$/, '$1$1');
+ 
+     // All other backslashes occur literally
+ 
+-- 
+2.39.4
+

SPECS/nodejs/nodejs.spec

@@ -5,7 +5,7 @@ Name:           nodejs
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version:        20.14.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        BSD AND MIT AND Public Domain AND NAIST-2003 AND Artistic-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -17,6 +17,7 @@ URL:            https://github.com/nodejs/node
 Source0:        https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz
 Patch0:         disable-tlsv1-tlsv1-1.patch
 Patch1:         CVE-2019-10906.patch
+Patch2:         CVE-2024-21538.patch
 BuildRequires:  brotli-devel
 BuildRequires:  c-ares-devel
 BuildRequires:  coreutils >= 8.22
@@ -128,6 +129,9 @@ make cctest
 %{_prefix}/lib/node_modules/*
 
 %changelog
+* Tue Nov 19 2024 Bala <balakumaran.kannan@microsoft.com> - 20.14.0-3
+- Patch CVE-2024-21538
+
 * Thu Sep 19 2024 Suresh Thelkar <sthelkar@microsoft.com> - 20.14.0-2
 - Patch CVE-2019-10906
 

SPECS/python-tensorboard/python-tensorboard.spec

@@ -7,7 +7,7 @@ TensorBoard is a suite of web applications for inspecting and understanding your
 Summary:        TensorBoard is a suite of web applications for inspecting and understanding your TensorFlow runs and graphs
 Name:           python-%{pypi_name}
 Version:        2.16.2
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -64,6 +64,7 @@ Summary:        %{summary}
 
 %prep
 %autosetup -p1 -n tensorboard-%{version}
+rm -rf tensorboard-%{version}/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm
 
 %build
 
@@ -97,6 +98,10 @@ mv %{pypi_name}-*.whl pyproject-wheeldir/
 %{python3_sitelib}/tensorboard_data_server*
 
 %changelog
+* Tue Nov 19 2024 Bala <balakumaran.kannan@microsoft.com> - 2.16.2-6
+- Remove npm directory before building to make sure as no nodejs vulnerability is getting through
+- It is done while fixing CVE-2024-21538
+
 * Thu Sep 26 09 2024 Rohit Rawat <rohitrawat@microsoft.com> - 2.16.2-5
 - Patch to fix CVE-2024-45590