[AUTO-CHERRYPICK] Fix CVE-2024-21538 in nodejs - branch main (#11189)

Co-authored-by: Bala <kumaran.4353@gmail.com>

Author: CBL-Mariner-Bot

SPECS/nodejs/CVE-2024-21538.patch

@@ -0,0 +1,36 @@
+From ea1368b332cebba727436bf4dddebb0c5d7a9d5b Mon Sep 17 00:00:00 2001
+From: bala <balakumaran.kannan@microsoft.com>
+Date: Tue, 19 Nov 2024 12:03:43 +0000
+Subject: [PATCH] Vendor patch applied to fix CVE-2024-21538
+
+---
+ deps/npm/node_modules/cross-spawn/lib/util/escape.js | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/deps/npm/node_modules/cross-spawn/lib/util/escape.js b/deps/npm/node_modules/cross-spawn/lib/util/escape.js
+index b0bb84c..e4804b9 100644
+--- a/deps/npm/node_modules/cross-spawn/lib/util/escape.js
++++ b/deps/npm/node_modules/cross-spawn/lib/util/escape.js
+@@ -15,15 +15,17 @@ function escapeArgument(arg, doubleEscapeMetaChars) {
+     arg = `${arg}`;
+ 
+     // Algorithm below is based on https://qntm.org/cmd
++    // It's slightly altered to disable JS backtracking to avoid hanging on specially crafted input
++    // Please see https://github.com/moxystudio/node-cross-spawn/pull/160 for more information
+ 
+     // Sequence of backslashes followed by a double quote:
+     // double up all the backslashes and escape the double quote
+-    arg = arg.replace(/(\\*)"/g, '$1$1\\"');
++    arg = arg.replace(/(?=\\*?)"/g, '$1$1\\"');
+ 
+     // Sequence of backslashes followed by the end of the string
+     // (which will become a double quote later):
+     // double up all the backslashes
+-    arg = arg.replace(/(\\*)$/, '$1$1');
++    arg = arg.replace(/(?=\\*?)$/, '$1$1');
+ 
+     // All other backslashes occur literally
+ 
+-- 
+2.39.4
+

SPECS/nodejs/nodejs18.spec

@@ -6,7 +6,7 @@ Name:           nodejs18
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version:        18.20.3
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD and MIT and Public Domain and NAIST-2003 and Artistic-2.0
 Group:          Applications/System
 Vendor:         Microsoft Corporation
@@ -17,6 +17,7 @@ URL:            https://github.com/nodejs/node
 # !!!  => use clean-source-tarball.sh script to create a clean and reproducible source tarball.
 Source0:        https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz
 Patch0:         CVE-2023-21100.patch
+Patch1:         CVE-2024-21538.patch
 BuildRequires:  brotli-devel
 BuildRequires:  coreutils >= 8.22
 BuildRequires:  gcc
@@ -117,6 +118,9 @@ make cctest
 %{_datadir}/systemtap/tapset/node.stp
 
 %changelog
+* Tue Nov 19 2024 Bala <balakumaran.kannan@microsoft.com> - 18.20.3-2
+- Patch CVE-2024-21538
+
 * Thu Jun 13 2024 Nick Samson <nisamson@microsoft.com> - 18.20.3-1
 - Upgrade to 18.20.3-1 to fix CVE-2024-28863
 

SPECS/python-tensorboard/python-tensorboard.spec

@@ -7,7 +7,7 @@ TensorBoard is a suite of web applications for inspecting and understanding your
 Summary:        TensorBoard is a suite of web applications for inspecting and understanding your TensorFlow runs and graphs
 Name:           python-%{pypi_name}
 Version:        2.11.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -56,6 +56,7 @@ Summary:        %{summary}
 
 %prep
 %autosetup -p1 -n tensorboard-%{version}
+rm -rf tensorboard-%{version}/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm
 
 %build
 tar -xf %{SOURCE1} -C /root/
@@ -102,6 +103,10 @@ mv %{pypi_name}-%{version}-*.whl pyproject-wheeldir/
 %{python3_sitelib}/tensorboard_data_server*
 
 %changelog
+* Tue Nov 19 2024 Bala <balakumaran.kannan@microsoft.com> - 2.11.0-3
+- Remove npm directory before building to make sure no nodejs vulnerability is getting through
+- It is done while fixing CVE-2024-21538
+
 * Tue Aug 01 2023 Riken Maharjan <rmaharjan@microsoft.com> - 2.11.0-2
 - Remove bazel version.