From 06b9340c14bc453f06aabe1baf013570b16adbce Mon Sep 17 00:00:00 2001
From: amritakohli <56371098+amritakohli@users.noreply.github.com>
Date: Fri, 9 Aug 2024 16:12:09 -0700
Subject: [PATCH] js-jquery: Patch CVE-2019-20149 in kind-of (#10086)

Co-authored-by: Mykhailo Bykhovtsev <108374904+mbykhovtsev-ms@users.noreply.github.com>
---
 SPECS-EXTENDED/js-jquery/CVE-2019-20149.patch | 27 +++++++++++++++++++
 SPECS-EXTENDED/js-jquery/js-jquery.spec | 13 ++++++---
 2 files changed, 37 insertions(+), 3 deletions(-)
 create mode 100644 SPECS-EXTENDED/js-jquery/CVE-2019-20149.patch

diff --git a/SPECS-EXTENDED/js-jquery/CVE-2019-20149.patch b/SPECS-EXTENDED/js-jquery/CVE-2019-20149.patch
new file mode 100644
index 0000000000..b12c6187a8
--- /dev/null
+++ b/SPECS-EXTENDED/js-jquery/CVE-2019-20149.patch
@@ -0,0 +1,27 @@
+From 638d1c5d1c33b4383a4e307f5bcb8b366dd36071 Mon Sep 17 00:00:00 2001
+From: Amrita Kohli
+Date: Fri, 9 Aug 2024 16:19:34 +0000
+Subject: [PATCH] Modified upstream patch from PR https://github.com/jonschlinkert/kind-of/pull/31 with commit id
+ 975c13a7cfaf25d811475823824af3a9c04b0ba8 for CVE-2019-20149. Modified by:
+ Amrita Kohli
+
+---
+ node_modules/kind-of/index.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/node_modules/kind-of/index.js b/node_modules/kind-of/index.js
+index dfa799b7..bdcfdc85 100644
+--- a/node_modules/kind-of/index.js
++++ b/node_modules/kind-of/index.js
+@@ -66,7 +66,7 @@ module.exports = function kindOf(val) {
+ };
+
+ function ctorName(val) {
+- return typeof val.constructor === 'function' ? val.constructor.name : null;
++ return val.constructor && typeof val.constructor === 'function' ? val.constructor.name : null;
+ }
+
+ function isArray(val) {
+--
+2.34.1
+
diff --git a/SPECS-EXTENDED/js-jquery/js-jquery.spec b/SPECS-EXTENDED/js-jquery/js-jquery.spec
index 478f4de422..76fa57a13b 100644
--- a/SPECS-EXTENDED/js-jquery/js-jquery.spec
+++ b/SPECS-EXTENDED/js-jquery/js-jquery.spec
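Review bot: The added `val.constructor &&` conjunct in `ctorName` is a no-op: whenever `val.constructor` is falsy, `typeof val.constructor === 'function'` is already false, so the `-` and `+` lines return the same value for every input and the vendored kind-of behaves exactly as it did before this patch. The upstream change referenced in the Subject (jonschlinkert/kind-of PR 31) appears, as far as I recall it, to be the replacement of a bare truthiness test on `val.constructor` with this `typeof … === 'function'` test, which the `-` line shows the vendored copy already carries; if that is right, the bundled kind-of is not vulnerable to CVE-2019-20149 and this patch fixes nothing, yet the changelog entry in js-jquery.spec states that it does. Suggest checking the version recorded in `node_modules/kind-of/package.json` inside Source1 and either dropping Patch2 and rewording the changelog to "vendored kind-of already contains the upstream fix for CVE-2019-20149", or, if the copy really does carry the old truthiness check, porting the upstream hunk verbatim instead of this redundant guard. The `kindOf` function named in the hunk header and the rest of the module lie outside the hunk.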
@@ -2,7 +2,7 @@ Vendor: Microsoft Corporation
 Distribution: Mariner
 Name: js-jquery
 Version: 3.5.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: JavaScript DOM manipulation, event handling, and AJAX library
 BuildArch: noarch
@@ -18,6 +18,8 @@ Source1: jquery_%{version}_node_modules.tar.gz
 # disable gzip-js during build
 Patch1: %{name}-disable-gzip-js.patch
+# Patch for CVE-2019-20149 in kind-of package https://github.com/jonschlinkert/kind-of/pull/31
+Patch2: CVE-2019-20149.patch
 BuildRequires: web-assets-devel
@@ -45,14 +47,15 @@ browsers. With a combination of versatility and extensibility, jQuery has
 changed the way that millions of people write JavaScript.
 %prep
-%autosetup -n jquery-%{version} -v -p1
+%setup -n jquery-%{version}
+%patch1 -p1
 #remove precompiled stuff
 rm -rf dist/*
 # Install the cached node modules
 tar xf %{SOURCE1}
-
+%patch2 -p1
 %build
 ./node_modules/grunt-cli/bin/grunt -v 'build:*:*' uglify
@@ -83,6 +86,10 @@ ln -s %{version} %{installdir}/%{ver_x}.%{ver_y}
 %changelog
+* Fri Aug 9 2024 Amrita Kohli - 3.5.0-4
+- Patch CVE-2019-20149 in kind-of package.
+- License verified
+
 * Mon Jun 14 2021 Thomas Crain - 3.5.0-3
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 - Add explicit build-time dependency on nodejs-devel
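Review bot: The ordering constraint that forced the `%autosetup` → `%setup` + `%patch1 -p1` split in `%prep` is not recorded anywhere: Patch2 rewrites `node_modules/kind-of/index.js`, a path that only exists after `tar xf %{SOURCE1}`, which is why `%patch2 -p1` has to sit after the tar line rather than in the patch loop. A one-line comment above it, `# Patch2 targets node_modules, which only exists once Source1 is unpacked`, would stop the next maintainer from folding it back into %autosetup. The `+%patch2 -p1` line also replaced the blank line that separated `%prep` from `%build`, so the two sections now run together; restoring the blank line after `%patch2 -p1` keeps the section break visible. If the target rpm is recent, note that the `%patchN` spelling is deprecated there in favour of `%patch -P 1 -p1` / `%patch -P 2 -p1`, so the build may start warning; I have not checked which rpm this distribution ships.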