Commit
…`. (#9729)
Showing
6 changed files
with
269 additions
and
63 deletions.
@@ -0,0 +1,117 @@ | ||
From: Pawel Winogrodzki <[email protected]> | ||
Date: Tue, 9 Jul 2024 21:55:46 +0000 | ||
Subject: Patching CVE-2023-42282. | ||
|
||
Backported upstream patch: | ||
https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894?diff=split&w=0 | ||
--- | ||
lib/ip.js | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++--- | ||
1 file changed, 73 insertions(+), 4 deletions(-) | ||
|
||
diff --git a/tmp_local/n/versions/node/14.18.0/lib/node_modules/npm/node_modules/ip/lib/ip.js b/tmp_local/n/versions/node/14.18.0/lib/node_modules/npm/node_modules/ip/lib/ip.js | ||
index c1799a8..a0c920f 100644 | ||
--- a/tmp_local/n/versions/node/14.18.0/lib/node_modules/npm/node_modules/ip/lib/ip.js | ||
+++ b/tmp_local/n/versions/node/14.18.0/lib/node_modules/npm/node_modules/ip/lib/ip.js | ||
@@ -300,12 +300,26 @@ ip.isEqual = function(a, b) { | ||
}; | ||
|
||
ip.isPrivate = function(addr) { | ||
- return /^(::f{4}:)?10\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i | ||
- .test(addr) || | ||
+ // check loopback addresses first | ||
+ if (ip.isLoopback(addr)) { | ||
+ return true; | ||
+ } | ||
+ | ||
+ // ensure the ipv4 address is valid | ||
+ if (!ip.isV6Format(addr)) { | ||
+ const ipl = ip.normalizeToLong(addr); | ||
+ if (ipl < 0) { | ||
+ throw new Error('invalid ipv4 address'); | ||
+ } | ||
+ // normalize the address for the private range checks that follow | ||
+ addr = ip.fromLong(ipl); | ||
+ } | ||
+ | ||
+ // check private ranges | ||
+ return /^(::f{4}:)?10\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr) || | ||
/^(::f{4}:)?192\.168\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr) || | ||
/^(::f{4}:)?172\.(1[6-9]|2\d|30|31)\.([0-9]{1,3})\.([0-9]{1,3})$/i | ||
.test(addr) || | ||
- /^(::f{4}:)?127\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr) || | ||
/^(::f{4}:)?169\.254\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr) || | ||
/^f[cd][0-9a-f]{2}:/i.test(addr) || | ||
/^fe80:/i.test(addr) || | ||
@@ -318,9 +332,16 @@ ip.isPublic = function(addr) { | ||
}; | ||
|
||
ip.isLoopback = function(addr) { | ||
+ // If addr is an IPv4 address in long integer form (no dots and no colons), convert it | ||
+ if (!/\./.test(addr) && !/:/.test(addr)) { | ||
+ addr = ip.fromLong(Number(addr)); | ||
+ } | ||
+ | ||
return /^(::f{4}:)?127\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/ | ||
.test(addr) || | ||
- /^fe80::1$/.test(addr) || | ||
+ /^0177\./.test(addr) || | ||
+ /^0x7f\./i.test(addr) || | ||
+ /^fe80::1$/i.test(addr) || | ||
/^::1$/.test(addr) || | ||
/^::$/.test(addr); | ||
}; | ||
@@ -414,3 +435,51 @@ ip.fromLong = function(ipl) { | ||
(ipl >> 8 & 255) + '.' + | ||
(ipl & 255) ); | ||
}; | ||
+ | ||
+ip.normalizeToLong = function (addr) { | ||
+ const parts = addr.split('.').map(part => { | ||
+ // Handle hexadecimal format | ||
+ if (part.startsWith('0x') || part.startsWith('0X')) { | ||
+ return parseInt(part, 16); | ||
+ } | ||
+ // Handle octal format (strictly digits 0-7 after a leading zero) | ||
+ else if (part.startsWith('0') && part !== '0' && /^[0-7]+$/.test(part)) { | ||
+ return parseInt(part, 8); | ||
+ } | ||
+ // Handle decimal format, reject invalid leading zeros | ||
+ else if (/^[1-9]\d*$/.test(part) || part === '0') { | ||
+ return parseInt(part, 10); | ||
+ } | ||
+ // Return NaN for invalid formats to indicate parsing failure | ||
+ else { | ||
+ return NaN; | ||
+ } | ||
+ }); | ||
+ | ||
+ if (parts.some(isNaN)) return -1; // Indicate error with -1 | ||
+ | ||
+ let val = 0; | ||
+ const n = parts.length; | ||
+ | ||
+ switch (n) { | ||
+ case 1: | ||
+ val = parts[0]; | ||
+ break; | ||
+ case 2: | ||
+ if (parts[0] > 0xff || parts[1] > 0xffffff) return -1; | ||
+ val = (parts[0] << 24) | (parts[1] & 0xffffff); | ||
+ break; | ||
+ case 3: | ||
+ if (parts[0] > 0xff || parts[1] > 0xff || parts[2] > 0xffff) return -1; | ||
+ val = (parts[0] << 24) | (parts[1] << 16) | (parts[2] & 0xffff); | ||
+ break; | ||
+ case 4: | ||
+ if (parts.some(part => part > 0xff)) return -1; | ||
+ val = (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]; | ||
+ break; | ||
+ default: | ||
+ return -1; // Error case | ||
+ } | ||
+ | ||
+ return val >>> 0; | ||
+}; | ||
-- | ||
2.39.4 | ||
|
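Review bot: In the backported `ip.isPrivate` the loopback test runs on the raw input before the IPv4 normalization that follows it, and the `127.` pattern is dropped from the range list, so an abbreviated loopback such as `127.1` is not caught by `ip.isLoopback` (its regex needs three dots), is then normalized by `ip.normalizeToLong` (case 2) to `127.0.0.1`, and falls through the remaining regex chain as "not private" — presumably "public" for `ip.isPublic`, whose body is outside the hunk. Either move the normalization block above the loopback check or re-check after it with `if (ip.isLoopback(addr)) { return true; }` placed right after `addr = ip.fromLong(ipl);`; the body of `isPrivate` continues past the end of the hunk. Separately, `case 1` of `ip.normalizeToLong` has no upper bound like the other cases, so a single part above `0xffffffff` is silently wrapped by `val >>> 0` instead of being rejected; `if (parts[0] > 0xffffffff) return -1;` before the assignment keeps it consistent with cases 2–4. Whether `ip.isV6Format` rejects `127.1` (so that normalization is reached at all) is not visible in this patch and should be confirmed against the bundled ip.js.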
@@ -0,0 +1,34 @@ | ||
From 355a396ccce875ea012a4ea8e6ab283bb575ba5b Mon Sep 17 00:00:00 2001 | ||
From: ABC <abc> | ||
Date: Tue, 9 Jul 2024 16:48:16 +0000 | ||
Subject: [PATCH] Patching CVE-2024-37890. | ||
|
||
Applying the patch for the 6.x versions from: | ||
https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63 | ||
--- | ||
src/ui/node_modules/ws/lib/websocket-server.js | 4 +++- | ||
1 file changed, 3 insertions(+), 1 deletion(-) | ||
|
||
diff --git a/src/ui/node_modules/ws/lib/websocket-server.js b/src/ui/node_modules/ws/lib/websocket-server.js | ||
index db02f4d0..b74eb1cf 100644 | ||
--- a/src/ui/node_modules/ws/lib/websocket-server.js | ||
+++ b/src/ui/node_modules/ws/lib/websocket-server.js | ||
@@ -186,12 +186,14 @@ class WebSocketServer extends EventEmitter { | ||
req.headers['sec-websocket-key'] !== undefined | ||
? req.headers['sec-websocket-key'].trim() | ||
: false; | ||
+ const upgrade = req.headers.upgrade; | ||
const version = +req.headers['sec-websocket-version']; | ||
const extensions = {}; | ||
|
||
if ( | ||
req.method !== 'GET' || | ||
- req.headers.upgrade.toLowerCase() !== 'websocket' || | ||
+ upgrade === undefined || | ||
+ upgrade.toLowerCase() !== 'websocket' || | ||
!key || | ||
!keyRegex.test(key) || | ||
(version !== 8 && version !== 13) || | ||
-- | ||
2.39.4 | ||
|
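Review bot: The `From: ABC <abc>` header is a placeholder author identity, so the provenance of this backport rests solely on the URL in the description, unlike the sibling CVE-2023-42282.patch which names its author; the `From 355a396…` line above it suggests the file was produced by `git format-patch` with an unconfigured git identity. Regenerating the patch with a real `From:` line (or adding the upstream commit id to the Subject) would let a later maintainer verify where the change came from. The JavaScript change itself reads correctly: `upgrade === undefined ||` short-circuits before `upgrade.toLowerCase()` is evaluated; the enclosing condition and method start and end outside the hunk.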
@@ -1,12 +1,10 @@ | ||
{ | ||
"Signatures": { | ||
"cassandra-reaper-3.1.1.tar.gz": "6efe52195ad4a3c3b7a6f928bafa60d3df011709d9bc918e717033bf86d724d8", | ||
"reaper-bower-cache-3.1.1.tar.gz": "a8532fe1d28f6d2c99a5e0d08b17b85465617931d49c7d27450ed328e59c0b08", | ||
"reaper-bower-components-3.1.1-1.tar.gz": "51f5b03b3f56966f5fbfe28a13e0a74003cf33372ff4ba13fd82c6fe79092033", | ||
"reaper-local-lib-node-modules-3.1.1.tar.gz": "8daf9a8726a85ca31b024a5bab60a357fe927f670908955cdd9b106bf9c6bd60", | ||
"reaper-local-n-3.1.1-1.tar.gz": "e60ecf1c982c8cd44b35da02aec6de5b1f8f0df562f290f9bb905d03f9eefa68", | ||
"reaper-m2-cache-3.1.1.tar.gz": "14103df496c6bfd1bf2690b45e6082e3411872f7332f03a68cf5d8e28fc6b27f", | ||
"reaper-npm-cache-3.1.1.tar.gz": "1fd8fd9438ef682cccceaaf49d0e65ec50eb7145c20f27253a3521c731e79585", | ||
"reaper-srcui-node-modules-3.1.1-1.tar.gz": "edd67243e97838657e09513f639a8e7c81fbb813353a19eba3949f79fb9e3e9e" | ||
} | ||
} |
|
@@ -3,48 +3,45 @@ | |
%define local_n_release 1 | ||
%define local_srcui_release 1 | ||
|
||
%define srcdir cassandra-%{name}-%{version} | ||
%define bower_components reaper-bower-components-%{version}-%{local_srcui_release}.tar.gz | ||
%define srcui_node_modules reaper-srcui-node-modules-%{version}-%{local_srcui_release}.tar.gz | ||
%define bower_cache reaper-bower-cache-%{version}.tar.gz | ||
%define maven_cache reaper-m2-cache-%{version}.tar.gz | ||
%define npm_cache reaper-npm-cache-%{version}.tar.gz | ||
%define local_lib_node_modules reaper-local-lib-node-modules-%{version}.tar.gz | ||
%define local_n reaper-local-n-%{version}-%{local_n_release}.tar.gz | ||
|
||
Summary: Reaper for cassandra is a tool for running Apache Cassandra repairs against single or multi-site clusters. | ||
Name: reaper | ||
Version: 3.1.1 | ||
Release: 9%{?dist} | ||
Release: 10%{?dist} | ||
License: ASL 2.0 | ||
Vendor: Microsoft Corporation | ||
Distribution: Mariner | ||
Group: Applications/System | ||
URL: https://cassandra-reaper.io/ | ||
Source0: https://github.com/thelastpickle/cassandra-reaper/archive/refs/tags/%{version}.tar.gz#/cassandra-reaper-%{version}.tar.gz | ||
# Building reaper from sources downloads artifacts related to maven/node/etc. These artifacts need to be downloaded as caches in order to build reaper using maven in offline mode. | ||
# Building reaper from sources downloads artifacts related to maven/node/etc. | ||
# These artifacts need to be downloaded as caches in order to build reaper using maven in offline mode. | ||
# Below is the list of cached sources. | ||
# bower-components downloaded under src/ui | ||
# NOTE: USE "reaper_build_caches.sh" TO RE-GENERATE BUILD CACHES. | ||
Source1: %{bower_components} | ||
Source1: reaper-bower-components-%{version}-%{local_srcui_release}.tar.gz | ||
# node_modules downloaded under src/ui | ||
Source2: %{srcui_node_modules} | ||
# bower cache | ||
Source3: %{bower_cache} | ||
Source2: reaper-srcui-node-modules-%{version}-%{local_srcui_release}.tar.gz | ||
# m2 cache | ||
Source4: %{maven_cache} | ||
# npm cache | ||
Source5: %{npm_cache} | ||
Source4: reaper-m2-cache-%{version}.tar.gz | ||
# node_modules downloaded to /usr/local/lib | ||
Source6: %{local_lib_node_modules} | ||
Source6: reaper-local-lib-node-modules-%{version}.tar.gz | ||
# v14.18.0 node binary under /usr/local | ||
Source7: %{local_n} | ||
Source7: reaper-local-n-%{version}-%{local_n_release}.tar.gz | ||
# Patches the src/ui/node_modules/ws/lib/websocket-server.js file, which comes | ||
# from the "reaper-srcui-node-modules*" tarball. | ||
# The src/ui/node_modules/ws/package.json file suggest we're on the | ||
# 6.x version of "ws". Patch for this version taken from here: | ||
# https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63 | ||
Patch0: CVE-2024-37890.patch | ||
Patch1: CVE-2023-42282.patch | ||
Patch2: CVE-2017-18214.patch | ||
BuildRequires: git | ||
BuildRequires: javapackages-tools | ||
BuildRequires: maven | ||
BuildRequires: msopenjdk-11 | ||
BuildRequires: nodejs | ||
BuildRequires: python3 | ||
BuildRequires: rsync | ||
BuildRequires: systemd-rpm-macros | ||
BuildRequires: openssl-devel | ||
Requires: msopenjdk-11 | ||
|
@@ -58,22 +55,15 @@ ExclusiveArch: x86_64 | |
Cassandra reaper is an open source tool that aims to schedule and orchestrate repairs of Apache Cassandra clusters. | ||
|
||
%prep | ||
%setup -q -n %{srcdir} | ||
|
||
%build | ||
export JAVA_HOME="%{_libdir}/jvm/msopenjdk-11" | ||
export LD_LIBRARY_PATH="%{_libdir}/jvm/msopenjdk-11/lib/jli" | ||
|
||
pushd "$HOME" | ||
echo "Installing bower cache." | ||
tar xf %{SOURCE3} | ||
%autosetup -N -n cassandra-%{name}-%{version} | ||
|
||
echo "Installing m2 cache." | ||
tar xf %{SOURCE4} | ||
echo "Installing bower_components and npm_modules caches." | ||
for source in "%{SOURCE1}" "%{SOURCE2}"; do | ||
tar -C src/ui -xf "$source" | ||
done | ||
|
||
echo "Installing npm cache" | ||
tar xf %{SOURCE5} | ||
popd | ||
echo "Installing the m2 cache." | ||
tar -C "$HOME" -xf "%{SOURCE4}" | ||
|
||
# Reaper build fails when trying to install [email protected]/[email protected] and build node native addons using mariner default [email protected]/[email protected]. | ||
# ERROR: | ||
|
@@ -82,33 +72,35 @@ popd | |
# There is no way to remove node-sass dependency from builds, hence we need to install local node/npm and caches to be able to build reaper. | ||
# NOTE: This issue was also faced on Fedora Fc37 when trying to build reaper. | ||
# NOTE: node-sass seems to be deprecated, the spec and build process will be modified once reaper removes its dependencies as well. | ||
pushd %{_prefix}/local | ||
|
||
# Extracting to intermediate folder to apply patch. | ||
tmp_local_dir=tmp_local | ||
mkdir -p $tmp_local_dir/{bin,lib} | ||
pushd $tmp_local_dir | ||
echo "Installing node_modules" | ||
tar xf %{SOURCE6} -C ./lib/ | ||
tar -C ./lib/ -xf %{SOURCE6} | ||
|
||
echo "Installing n version 14.18.0" | ||
tar xf %{SOURCE7} | ||
tar -xf %{SOURCE7} | ||
|
||
echo "Creating symlinks under local/bin" | ||
cd ./bin | ||
ln -sf ../lib/node_modules/bower/bin/bower bower | ||
ln -sf ../lib/node_modules/npm/bin/npm-cli.js npm | ||
ln -sf ../lib/node_modules/npm/bin/npx-cli.js npx | ||
ln -sf ../lib/node_modules/bower/bin/bower bin/bower | ||
ln -sf ../lib/node_modules/npm/bin/npm-cli.js bin/npm | ||
ln -sf ../lib/node_modules/npm/bin/npx-cli.js bin/npx | ||
|
||
cp ../n/versions/node/14.18.0/bin/node . | ||
cp n/versions/node/14.18.0/bin/node bin | ||
|
||
ls -al | ||
popd | ||
|
||
cd %{_builddir}/%{srcdir} | ||
echo "Installing src caches" | ||
pushd ./src/ui | ||
echo "Installing bower_components" | ||
tar xf %{SOURCE1} | ||
%autopatch -p1 | ||
|
||
echo "Installing npm_modules" | ||
tar fx %{SOURCE2} | ||
popd | ||
rsync -azvhr $tmp_local_dir/ "%{_prefix}/local" | ||
rm -rf $tmp_local_dir | ||
|
||
%build | ||
export JAVA_HOME="%{_libdir}/jvm/msopenjdk-11" | ||
export LD_LIBRARY_PATH="%{_libdir}/jvm/msopenjdk-11/lib/jli" | ||
|
||
# Building using maven in offline mode. | ||
mvn -DskipTests package -o | ||
|
@@ -122,7 +114,8 @@ mkdir -p %{buildroot}%{_sysconfdir}/cassandra-%{name}/configs | |
mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d | ||
mkdir -p %{buildroot}%{_unitdir} | ||
mkdir -p %{buildroot}%{_datadir}/licenses/%{name} | ||
cd %{_builddir}/%{srcdir}/src/packaging | ||
|
||
pushd src/packaging | ||
|
||
cp resource/cassandra-reaper.yaml %{buildroot}%{_sysconfdir}/cassandra-%{name}/ | ||
cp resource/cassandra-reaper*.yaml %{buildroot}%{_sysconfdir}/cassandra-%{name}/configs | ||
|
@@ -139,7 +132,7 @@ cp debian/cassandra-%{name}.new.service %{buildroot}/%{_unitdir}/cassandra-%{nam | |
chmod 0644 %{buildroot}/%{_unitdir}/cassandra-%{name}.service | ||
chmod 7555 %{buildroot}%{_sysconfdir}/init.d/cassandra-%{name} | ||
|
||
cp %{_builddir}/%{srcdir}/LICENSE.txt %{buildroot}%{_datadir}/licenses/%{name} | ||
popd | ||
|
||
%pre | ||
getent group reaper > /dev/null || groupadd -r reaper | ||
|
@@ -178,6 +171,9 @@ fi | |
%{_unitdir}/cassandra-%{name}.service | ||
|
||
%changelog | ||
* Tue Jul 09 2024 Pawel Winogrodzki <[email protected]> - 3.1.1-10 | ||
- Patching CVE-2024-37890, CVE-2023-42282, and CVE-2017-18214. | ||
|
||
* Thu May 23 2024 Archana Choudhary <[email protected]> - 3.1.1-9 | ||
- Repackage and update src/ui node modules and bower components to 3.1.1-1 | ||
- Address CVE-2024-4068 by upgrading the version of the npm module "braces" to 3.0.3 | ||
|
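Review bot: `Patch1: CVE-2023-42282.patch` and `Patch2: CVE-2017-18214.patch` are added without the explanatory comment that Patch0 carries, although Patch1 rewrites a file buried inside the Source7 node tarball (`tmp_local/n/versions/node/14.18.0/lib/node_modules/npm/node_modules/ip/lib/ip.js`) and only applies because `%autopatch -p1` now runs after that tarball is unpacked into `tmp_local`. Suggest a comment above Patch1 such as `# Patches the "ip" module bundled with npm inside the node tarball (Source7); backport of the upstream node-ip fix, see the patch header.` and a similar line above Patch2 naming the file it touches, since that patch is not rendered on this page. The `%prep` ordering that makes this work (extract Source6/Source7 into `tmp_local`, then `%autopatch -p1`, then rsync into `%{_prefix}/local`) is in a later hunk and deserves a one-line comment there as well, because moving the `%autopatch` call above the extraction would make Patch1 fail to apply.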