js-jquery: Patch CVE-2019-20149 in kind-of (#10086)

Co-authored-by: Mykhailo Bykhovtsev <108374904+mbykhovtsev-ms@users.noreply.github.com>
2024-08-09 16:12:09 -07:00 · 2024-08-09 16:12:09 -07:00 · 06b9340c14
parent 4308a0c426
commit 06b9340c14
2 changed files with 37 additions and 3 deletions
--- a/SPECS-EXTENDED/js-jquery/CVE-2019-20149.patch
+++ b/SPECS-EXTENDED/js-jquery/CVE-2019-20149.patch
@ -0,0 +1,27 @@
+From 638d1c5d1c33b4383a4e307f5bcb8b366dd36071 Mon Sep 17 00:00:00 2001
+From: Amrita Kohli <amritakohli@microsoft.com>
+Date: Fri, 9 Aug 2024 16:19:34 +0000
+Subject: [PATCH] Modified upstream patch from PR https://github.com/jonschlinkert/kind-of/pull/31 with commit id
+ 975c13a7cfaf25d811475823824af3a9c04b0ba8 for CVE-2019-20149. Modified by:
+ Amrita Kohli <amritakohli@microsoft.com>
+
+---
+ node_modules/kind-of/index.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/node_modules/kind-of/index.js b/node_modules/kind-of/index.js
+index dfa799b7..bdcfdc85 100644
+--- a/node_modules/kind-of/index.js
+++ b/node_modules/kind-of/index.js
+@@ -66,7 +66,7 @@ module.exports = function kindOf(val) {
+ };
+ 
+ function ctorName(val) {
+-  return typeof val.constructor === 'function' ? val.constructor.name : null;
+  return val.constructor && typeof val.constructor === 'function' ? val.constructor.name : null;
+ }
+ 
+ function isArray(val) {
+-- 
+2.34.1
+
--- a/SPECS-EXTENDED/js-jquery/js-jquery.spec
+++ b/SPECS-EXTENDED/js-jquery/js-jquery.spec
@ -2,7 +2,7 @@ Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Name:           js-jquery
 Version:        3.5.0
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        JavaScript DOM manipulation, event handling, and AJAX library
 BuildArch:      noarch

@ -18,6 +18,8 @@ Source1:        jquery_%{version}_node_modules.tar.gz

 # disable gzip-js during build
 Patch1:         %{name}-disable-gzip-js.patch
+# Patch for CVE-2019-20149 in kind-of package https://github.com/jonschlinkert/kind-of/pull/31
+Patch2:         CVE-2019-20149.patch


 BuildRequires:  web-assets-devel
@ -45,14 +47,15 @@ browsers. With a combination of versatility and extensibility, jQuery has
 changed the way that millions of people write JavaScript.

 %prep
-%autosetup -n jquery-%{version} -v -p1
+%setup -n jquery-%{version}
+%patch1 -p1

 #remove precompiled stuff
 rm -rf dist/*

 # Install the cached node modules
 tar xf %{SOURCE1}
-
+%patch2 -p1

 %build
 ./node_modules/grunt-cli/bin/grunt -v 'build:*:*' uglify
@ -83,6 +86,10 @@ ln -s %{version} %{installdir}/%{ver_x}.%{ver_y}


 %changelog
+* Fri Aug 9 2024 Amrita Kohli <amritakohli@microsoft.com> - 3.5.0-4
+- Patch CVE-2019-20149 in kind-of package.
+- License verified
+
 * Mon Jun 14 2021 Thomas Crain <thcrain@microsoft.com> - 3.5.0-3
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 - Add explicit build-time dependency on nodejs-devel