[AUTO-CHERRYPICK] Fixed CVE-2023-42282 in nodejs. - branch main (#8159)

CBL-Mariner-Bot · chalamalasetty · web-flow · commit e65e9f194bc2 · 2024-02-28T14:40:53.000-08:00
Co-authored-by: chalamalasetty &lt;42326515+chalamalasetty@users.noreply.github.com&gt;
diff --git a/SPECS/nodejs/CVE-2023-42282.patch b/SPECS/nodejs/CVE-2023-42282.patch
@@ -0,0 +1,111 @@
+From 32f468f1245574785ec080705737a579be1223aa Mon Sep 17 00:00:00 2001
+From: Luke McFarlane <luke@innoware.com.au>
+Date: Mon, 12 Feb 2024 13:22:18 +1100
+Subject: [PATCH] lib: fixed CVE-2023-42282 and added unit test
+
+Unit test code is not applicable for NodeJS sources hence not included.
+
+diff --git a/deps/npm/node_modules/ip/lib/ip.js b/deps/npm/node_modules/ip/lib/ip.js
+index 4b2adb5add..9022443ae5 100644
+--- a/deps/npm/node_modules/ip/lib/ip.js
++++ b/deps/npm/node_modules/ip/lib/ip.js
+@@ -306,12 +306,26 @@ ip.isEqual = function (a, b) {
+ };
+ 
+ ip.isPrivate = function (addr) {
+-  return /^(::f{4}:)?10\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i
+-    .test(addr)
++  // check loopback addresses first
++  if (ip.isLoopback(addr)) {
++    return true;
++  }
++
++  // ensure the ipv4 address is valid
++  if (!ip.isV6Format(addr)) {
++    const ipl = ip.normalizeToLong(addr);
++    if (ipl < 0) {
++      throw new Error('invalid ipv4 address');
++    }
++    // normalize the address for the private range checks that follow
++    addr = ip.fromLong(ipl);
++  }
++
++  // check private ranges
++  return /^(::f{4}:)?10\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr)
+     || /^(::f{4}:)?192\.168\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr)
+     || /^(::f{4}:)?172\.(1[6-9]|2\d|30|31)\.([0-9]{1,3})\.([0-9]{1,3})$/i
+       .test(addr)
+-    || /^(::f{4}:)?127\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr)
+     || /^(::f{4}:)?169\.254\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr)
+     || /^f[cd][0-9a-f]{2}:/i.test(addr)
+     || /^fe80:/i.test(addr)
+@@ -324,9 +338,16 @@ ip.isPublic = function (addr) {
+ };
+ 
+ ip.isLoopback = function (addr) {
++  // If addr is an IPv4 address in long integer form (no dots and no colons), convert it
++  if (!/\./.test(addr) && !/:/.test(addr)) {
++    addr = ip.fromLong(Number(addr));
++  }
++
+   return /^(::f{4}:)?127\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/
+     .test(addr)
+-    || /^fe80::1$/.test(addr)
++    || /^0177\./.test(addr)
++    || /^0x7f\./i.test(addr)
++    || /^fe80::1$/i.test(addr)
+     || /^::1$/.test(addr)
+     || /^::$/.test(addr);
+ };
+@@ -420,3 +441,51 @@ ip.fromLong = function (ipl) {
+     ipl >> 8 & 255}.${
+     ipl & 255}`);
+ };
++
++ip.normalizeToLong = function (addr) {
++  const parts = addr.split('.').map(part => {
++    // Handle hexadecimal format
++    if (part.startsWith('0x') || part.startsWith('0X')) {
++      return parseInt(part, 16);
++    }
++    // Handle octal format (strictly digits 0-7 after a leading zero)
++    else if (part.startsWith('0') && part !== '0' && /^[0-7]+$/.test(part)) {
++      return parseInt(part, 8);
++    }
++    // Handle decimal format, reject invalid leading zeros
++    else if (/^[1-9]\d*$/.test(part) || part === '0') {
++      return parseInt(part, 10);
++    }
++    // Return NaN for invalid formats to indicate parsing failure
++    else {
++      return NaN;
++    }
++  });
++
++  if (parts.some(isNaN)) return -1; // Indicate error with -1
++
++  let val = 0;
++  const n = parts.length;
++
++  switch (n) {
++  case 1:
++    val = parts[0];
++    break;
++  case 2:
++    if (parts[0] > 0xff || parts[1] > 0xffffff) return -1;
++    val = (parts[0] << 24) | (parts[1] & 0xffffff);
++    break;
++  case 3:
++    if (parts[0] > 0xff || parts[1] > 0xff || parts[2] > 0xffff) return -1;
++    val = (parts[0] << 24) | (parts[1] << 16) | (parts[2] & 0xffff);
++    break;
++  case 4:
++    if (parts.some(part => part > 0xff)) return -1;
++    val = (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3];
++    break;
++  default:
++    return -1; // Error case
++  }
++
++  return val >>> 0;
++};
diff --git a/SPECS/nodejs/nodejs.spec b/SPECS/nodejs/nodejs.spec
@@ -5,7 +5,7 @@ Name:           nodejs
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version:        16.20.2
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        BSD AND MIT AND Public Domain AND NAIST-2003 AND Artistic-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -18,6 +18,7 @@ Source0:        https://nodejs.org/download/release/v%{version}/node-v%{version}
 Patch0:         disable-tlsv1-tlsv1-1.patch
 Patch1:         CVE-2022-25883.patch
 Patch2:         CVE-2023-35945.patch
+Patch3:         CVE-2023-42282.patch
 BuildRequires:  brotli-devel
 BuildRequires:  c-ares-devel
 BuildRequires:  coreutils >= 8.22
@@ -115,6 +116,10 @@ make cctest
 %{_datadir}/systemtap/tapset/node.stp
 
 %changelog
+* Mon Feb 26 2024 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 16.20.2-3
+- Patch CVE-2023-42282
+- Unit test code is not applicable for this NodeJS version sources
+
 * Wed Sep 06 2023 Brian Fjeldstad <bfjelds@microsoft.com> - 16.20.2-2
 - Patch CVE-2023-35945
 
diff --git a/SPECS/nodejs/nodejs18.spec b/SPECS/nodejs/nodejs18.spec
@@ -6,7 +6,7 @@ Name:           nodejs18
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version:        18.18.2
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        BSD and MIT and Public Domain and NAIST-2003 and Artistic-2.0
 Group:          Applications/System
 Vendor:         Microsoft Corporation
@@ -17,7 +17,7 @@ URL:            https://github.com/nodejs/node
 # !!!  => use clean-source-tarball.sh script to create a clean and reproducible source tarball.
 Source0:        https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz
 Patch0:         disable-tlsv1-tlsv1-1.patch
-
+Patch1:         CVE-2023-42282.patch
 BuildRequires:  brotli-devel
 BuildRequires:  coreutils >= 8.22
 BuildRequires:  gcc
@@ -116,6 +116,10 @@ make cctest
 %{_datadir}/systemtap/tapset/node.stp
 
 %changelog
+* Mon Feb 26 2024 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 18.18.2-3
+- Patch CVE-2023-42282
+- Unit test code is not applicable for this NodeJS version sources
+
 * Thu Oct 19 2023 Dan Streetman <ddstreet@ieee.org> - 18.18.2-2
 - Re-enable building debuginfo. We can just ignore the dirs conflict failure in the pipelines! :)
 
