From 32547e5c45ae5bd03fc1b4cbce11758ff6f43f6f Mon Sep 17 00:00:00 2001 From: Miro Hrončok Date: Jul 13 2022 09:47:50 +0000 Subject: Fix CVE-2022-24785 and CVE-2022-31129 in bundled moment --- diff --git a/0001-Fix-CVE-2022-24785-and-CVE-2022-31129.patch b/0001-Fix-CVE-2022-24785-and-CVE-2022-31129.patch new file mode 100644 index 0000000..573b5aa --- /dev/null +++ b/0001-Fix-CVE-2022-24785-and-CVE-2022-31129.patch @@ -0,0 +1,388 @@ +From 5e9e2efcc75ecd5843a6de2f09bfaa3df05eac42 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 13 Jul 2022 10:47:09 +0200 +Subject: [PATCH] Fix CVE-2022-24785 and CVE-2022-31129 + +https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5 +https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3 + +Patches applied to: + + notebook/static/components/moment/moment.js + notebook/static/components/moment/min/moment-with-locales.js + +Manually updated: + + notebook/static/components/moment/min/moment.min.js + notebook/static/components/moment/min/moment-with-locales.min.js + +For easier review: + + $ diff -u <(fold -s -w 80 moment.min.js) <(fold -s -w 80 moment.min.js_patched) + --- /dev/fd/63 2022-07-13 11:45:08.437165199 +0200 + +++ /dev/fd/62 2022-07-13 11:45:08.434165181 +0200 + 
@@ -127,10 +127,11 @@ + this.hours()%12||12}function ne(e,t){P(e,0,0,function(){return + this.localeData().meridiem(this.hours(),this.minutes(),t)})}function + se(e,t){return t._meridiemParse}function ie(e){return + -e?e.toLowerCase().replace("_","-"):e}function re(e){var + +e?e.toLowerCase().replace("_","-"):e}function isLocaleNameSane(name){return + +name.match("^[^/\\\\]*$")!=null}function re(e){var + t=null;if(!Xt[e]&&"undefined"!=typeof + -module&&module&&module.exports)try{t=Jt._abbr;require("./locale/"+e),ae(t)}catch + -(e){}return Xt[e]}function ae(e,t){var n;return + +module&&module&&module.exports&&isLocaleNameSane(e))try{t=Jt._abbr;require("./lo + +cale/"+e),ae(t)}catch(e){}return Xt[e]}function ae(e,t){var n;return + e&&(n=s(t)?ue(e):oe(e,t))&&(Jt=n),Jt._abbr}function oe(e,t){if(null!==t){var + n=Qt;if(t.abbr=e,null!=Xt[e])M("defineLocaleOverride","use + moment.updateLocale(localeName, config) to change an existing locale. + @@ -187,7 +188,7 @@ + t=parseInt(e,10);{if(t<=49)return 2e3+t;if(t<=999)return 1900+t}return + t}(e),Vt.indexOf(t),parseInt(n,10),parseInt(s,10),parseInt(i,10)];return + r&&a.push(parseInt(r,10)),a}function me(e){var t=on.exec(function(e){return + -e.replace(/\([^)]*\)|[\n\t]/g," ").replace(/(\s\s+)/g," + +e.replace(/\([^()]*\)|[\n\t]/g," ").replace(/(\s\s+)/g," + ").trim()}(e._i));if(t){var + n=fe(t[4],t[3],t[2],t[5],t[6],t[7]);if(!function(e,t,n){if(e&&At.indexOf(e)!==ne + w Date(t[0],t[1],t[2]).getDay())return + + $ diff -u <(fold -s -w 80 moment-with-locales.min.js) <(fold -s -w 80 moment-with-locales.min.js_patched) + --- /dev/fd/63 2022-07-13 11:45:23.280254917 +0200 + +++ /dev/fd/62 2022-07-13 11:45:23.281254922 +0200 + 
@@ -127,10 +127,12 @@ + this.hours()%12||12}function te(e,a){j(e,0,0,function(){return + this.localeData().meridiem(this.hours(),this.minutes(),a)})}function + se(e,a){return a._meridiemParse}function ne(e){return + -e?e.toLowerCase().replace("_","-"):e}function re(e){var + +e?e.toLowerCase().replace("_","-"):e}function isLocaleNameSane(name){return + +name.match("^[^/\\\\]*$")!=null}function re(e){var + a=null;if(!At[e]&&"undefined"!=typeof + -module&&module&&module.exports)try{a=Ot._abbr;require("./locale/"+e),de(a)}catch + -(e){}return At[e]}function de(e,a){var t;return + +module&&module&&module.exports&&isLocaleNameSane(e))try{a=Ot._abbr;require("./lo + +cale/"+e),de(a)}catch(e){}return At[e]} + +function de(e,a){var t;return + e&&(t=s(a)?ie(e):_e(e,a))&&(Ot=t),Ot._abbr}function _e(e,a){if(null!==a){var + t=Et;if(a.abbr=e,null!=At[e])k("defineLocaleOverride","use + moment.updateLocale(localeName, config) to change an existing locale. + 
@@ -187,7 +189,7 @@ + a=parseInt(e,10);{if(a<=49)return 2e3+a;if(a<=999)return 1900+a}return + a}(e),gt.indexOf(a),parseInt(t,10),parseInt(s,10),parseInt(n,10)];return + r&&d.push(parseInt(r,10)),d}function he(e){var a=Gt.exec(function(e){return + -e.replace(/\([^)]*\)|[\n\t]/g," ").replace(/(\s\s+)/g," + +e.replace(/\([^()]*\)|[\n\t]/g," ").replace(/(\s\s+)/g," + ").trim()}(e._i));if(a){var + t=Me(a[4],a[3],a[2],a[5],a[6],a[7]);if(!function(e,a,t){if(e&&Ht.indexOf(e)!==ne + w Date(a[0],a[1],a[2]).getDay())return + +Run: + + $ npm install + $ python3 setup.py js --force + +Added .gitattributes to force treating files with extremely long lines +as if they were binary. +That way, the patch is not readable by a human, +but at least does not contain two full copies of everything. +--- + .gitattributes | 3 +++ + .../moment/min/moment-with-locales.js | 9 +++++++-- + .../moment/min/moment-with-locales.min.js | Bin 307839 -> 307933 bytes + .../components/moment/min/moment.min.js | Bin 51190 -> 51283 bytes + notebook/static/components/moment/moment.js | 9 +++++++-- + notebook/static/edit/js/main.min.js | 9 +++++++-- + notebook/static/edit/js/main.min.js.map | Bin 1740150 -> 1740372 bytes + notebook/static/notebook/js/main.min.js | 9 +++++++-- + notebook/static/notebook/js/main.min.js.map | Bin 3457416 -> 3457643 bytes + notebook/static/terminal/js/main.min.js | 9 +++++++-- + notebook/static/terminal/js/main.min.js.map | Bin 1510544 -> 1510766 bytes + notebook/static/tree/js/main.min.js | 9 +++++++-- + notebook/static/tree/js/main.min.js.map | Bin 1495621 -> 1495843 bytes + 13 files changed, 45 insertions(+), 12 deletions(-) + create mode 100644 .gitattributes + +diff --git a/.gitattributes b/.gitattributes +new file mode 100644 +index 0000000..68fdeb6 +--- /dev/null ++++ b/.gitattributes +@@ -0,0 +1,3 @@ ++moment.min.js binary ++moment-with-locales.min.js binary ++*.js.map binary +diff --git a/notebook/static/components/moment/min/moment-with-locales.js 
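Review bot: Marking `moment.min.js`, `moment-with-locales.min.js` and `*.js.map` as `binary` means every future change to these served bundles shows up in `git diff`/`git log -p` only as "Binary files differ", and per the header above these two minified files are exactly the ones that were edited by hand rather than regenerated from source. That makes the security-relevant bytes the hardest ones to review. At minimum the commit should record how a reviewer can reproduce them (re-minify the patched `moment.js` with the same tool and `cmp` the result) or their checksums, so the hand edit can be confirmed to match the source change. If the goal is only to keep the unreadable diff out of the history, the narrower `-diff` attribute would do that without also switching off text and merge handling the way the `binary` macro does.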
b/notebook/static/components/moment/min/moment-with-locales.js +index 574b770..bbcf913 100644 +--- a/notebook/static/components/moment/min/moment-with-locales.js ++++ b/notebook/static/components/moment/min/moment-with-locales.js +@@ -1828,11 +1828,16 @@ function chooseLocale(names) { + return null; + } + ++function isLocaleNameSane(name) { ++ // Prevent names that look like filesystem paths, i.e contain '/' or '\' ++ return name.match('^[^/\\\\]*$') != null; ++} ++ + function loadLocale(name) { + var oldLocale = null; + // TODO: Find a better way to register and load all the locales in Node + if (!locales[name] && (typeof module !== 'undefined') && +- module && module.exports) { ++ module && module.exports && isLocaleNameSane(name)) { + try { + oldLocale = globalLocale._abbr; + var aliasedRequire = require; +@@ -2269,7 +2274,7 @@ function untruncateYear(yearStr) { + + function preprocessRFC2822(s) { + // Remove comments and folding whitespace and replace multiple-spaces with a single space +- return s.replace(/\([^)]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim(); ++ return s.replace(/\([^()]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim(); + } + + function checkWeekday(weekdayStr, parsedInput, config) { +diff --git a/notebook/static/components/moment/min/moment-with-locales.min.js b/notebook/static/components/moment/min/moment-with-locales.min.js +index fef7c85fd429dc88f3c7195dd890bba655c400a7..9cb3030a8c459eafb769271e00349936b318bfc9 100644 +GIT binary patch +delta 131 +zcmezWMCk5Qp$&HxY%_~}@{<#DQvDKhQ-c%pQZ@2`49)7I)RNMoJOvO(FE_CyIYUD! 
+zE;>#>1_)xcRFpIoZSzWVawcC^h!9m%!!RRNbF#Lg3nSO&e8nCS3o*?dN^hp#!(pgq!n5r~<9n0b4o0ZU600H{L{;s5{u + +diff --git a/notebook/static/components/moment/min/moment.min.js b/notebook/static/components/moment/min/moment.min.js +index a049687679c3d43895039554cfe5f477cd92a51d..a9231146c9e8912bb1ce3700c7db33d3b346c4bf 100644 +GIT binary patch +delta 109 +zcmey?&wP0T^M<<$wwc8~`N@enseXyMslkbPsTz4ehGun9YDsBPo&t!Ymz!9UoS~r< +u7agY`0|c>JDoUD)wt1yFIg>9dM2M=XVVIGsxmjEB0w1Hs=HL3irvm`%tti6) + +delta 23 +fcmcaSf%#iM^M<<$lT{S`Hn%HY;M*Kw@OwG{f}aY= + +diff --git a/notebook/static/components/moment/moment.js b/notebook/static/components/moment/moment.js +index f10d709..b71107c 100644 +--- a/notebook/static/components/moment/moment.js ++++ b/notebook/static/components/moment/moment.js +@@ -1834,11 +1834,16 @@ function chooseLocale(names) { + return null; + } + ++function isLocaleNameSane(name) { ++ // Prevent names that look like filesystem paths, i.e contain '/' or '\' ++ return name.match('^[^/\\\\]*$') != null; ++} ++ + function loadLocale(name) { + var oldLocale = null; + // TODO: Find a better way to register and load all the locales in Node + if (!locales[name] && (typeof module !== 'undefined') && +- module && module.exports) { ++ module && module.exports && isLocaleNameSane(name)) { + try { + oldLocale = globalLocale._abbr; + var aliasedRequire = require; +@@ -2275,7 +2280,7 @@ function untruncateYear(yearStr) { + + function preprocessRFC2822(s) { + // Remove comments and folding whitespace and replace multiple-spaces with a single space +- return s.replace(/\([^)]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim(); ++ return s.replace(/\([^()]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim(); + } + + function checkWeekday(weekdayStr, parsedInput, config) { +diff --git a/notebook/static/edit/js/main.min.js b/notebook/static/edit/js/main.min.js +index cdad0e6..62b32c2 100644 +--- a/notebook/static/edit/js/main.min.js ++++ b/notebook/static/edit/js/main.min.js +@@ -11694,11 +11694,16 @@ 
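Review bot: `isLocaleNameSane` is a deny-list that rejects only `/` and `\`, so a name such as `..` still passes and the `require('./locale/' + name)` call below the hunk resolves `./locale/..`; from what is visible that lands on moment's own package directory rather than escaping it, but an allow-list is easier to reason about and rules out other resolver special cases. Given the lower-casing and `_`→`-` normalization visible in the minified excerpt above, something like `return /^[\w-]+$/.test(name);` should cover the bundled locale file names — confirm against the `locale/` directory before tightening, since I cannot see it here. Independently, the check compiles a regex from a string on every call; a literal, `return /^[^/\\]*$/.test(name);`, says the same thing without the doubled escaping. The comment should also name what it defends: `// Guard the require('./locale/' + name) below: reject anything containing a path separator (CVE-2022-24785)`. `loadLocale`'s body, including the require call, continues past the end of the hunk.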
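Review bot: The switch from `[^)]*` to `[^()]*` in `preprocessRFC2822` is the whole CVE-2022-31129 fix, yet the comment above it still only says it strips comments, so nothing stops a later maintainer from "restoring" the old character class. I would extend the comment: `// [^()] rather than [^)]: keeps comment stripping linear-time on pathological input (CVE-2022-31129); nested RFC 2822 comments are therefore left in place and will not match the strict RFC 2822 regex`. Whether such input then falls through to a looser fallback parser is decided in the caller below the hunk, which is not visible here.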
function chooseLocale(names) { + return null; + } + ++function isLocaleNameSane(name) { ++ // Prevent names that look like filesystem paths, i.e contain '/' or '\' ++ return name.match('^[^/\\\\]*$') != null; ++} ++ + function loadLocale(name) { + var oldLocale = null; + // TODO: Find a better way to register and load all the locales in Node + if (!locales[name] && (typeof module !== 'undefined') && +- module && module.exports) { ++ module && module.exports && isLocaleNameSane(name)) { + try { + oldLocale = globalLocale._abbr; + var aliasedRequire = require; +@@ -12135,7 +12140,7 @@ function untruncateYear(yearStr) { + + function preprocessRFC2822(s) { + // Remove comments and folding whitespace and replace multiple-spaces with a single space +- return s.replace(/\([^)]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim(); ++ return s.replace(/\([^()]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim(); + } + + function checkWeekday(weekdayStr, parsedInput, config) { +diff --git a/notebook/static/edit/js/main.min.js.map b/notebook/static/edit/js/main.min.js.map +index c8db4623ffdd0fab25734cbcb698316981809128..0878441624f812ffbd9fb608019206541464b14d 100644 +GIT binary patch +delta 331 +zcmex1E9=UftcER&sy8Mluu8J&I651aBu$>kD&OvPgAs_CfS4JGS%8=oh}nRc9f&!A +zm~*?=4X%xC)9=0FX0K26OUz9TPRvWy$OAGo6{=(M6o5cqUm>6rm#UDQpI4HYnWvzxuda|^q@W%X +zqYg2yD7B=tC=YCuUT$JZa)yR_Ty&g%OblNP7{qF+sB0=H+D;Et;uf3!JC6IFtb&@F +zLT0f~esW?Cnj3+RoGwtsCB6N7JU5#qqelDR8Qeh31H`;Q%m>8$Kr8^nfq*~EC$5lKrFHS?+nSxF8~|ffYks1 + +delta 146 +zcmcaIC+pj+tcER&syEnl9G#0wk|s}Nm2XeJ!3e}mK+FupEI`Z(#B4y!4#XTl%(*@J +z2G_>6>HFfj?=fpCR8L=^A|<{3N&+{VW&7=!+(66&#JoVv2gLk9EC9rUKr95r!aytn +U#G*hf2E^h(EV2FeOv%bG0KJYx2mk;8 + +diff --git a/notebook/static/notebook/js/main.min.js b/notebook/static/notebook/js/main.min.js +index 2f9601e..057ac22 100644 +--- a/notebook/static/notebook/js/main.min.js ++++ b/notebook/static/notebook/js/main.min.js +@@ -11700,11 +11700,16 @@ function chooseLocale(names) { + return null; + } + ++function 
isLocaleNameSane(name) { ++ // Prevent names that look like filesystem paths, i.e contain '/' or '\' ++ return name.match('^[^/\\\\]*$') != null; ++} ++ + function loadLocale(name) { + var oldLocale = null; + // TODO: Find a better way to register and load all the locales in Node + if (!locales[name] && (typeof module !== 'undefined') && +- module && module.exports) { ++ module && module.exports && isLocaleNameSane(name)) { + try { + oldLocale = globalLocale._abbr; + var aliasedRequire = require; +@@ -12141,7 +12146,7 @@ function untruncateYear(yearStr) { + + function preprocessRFC2822(s) { + // Remove comments and folding whitespace and replace multiple-spaces with a single space +- return s.replace(/\([^)]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim(); ++ return s.replace(/\([^()]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim(); + } + + function checkWeekday(weekdayStr, parsedInput, config) { +diff --git a/notebook/static/notebook/js/main.min.js.map b/notebook/static/notebook/js/main.min.js.map +index 1030ec0328a1ce041f56519ce10df7759df8260e..48f9d8a2e6a245b9f4891ce18348f49dac68fcf6 100644 +GIT binary patch +delta 488 +zcmZY3OG^S_6b4|Xi&>g!X=c}>nWJS+c3Bj(h#(>(qFMxv(r8~eq%+}s716?=!gdiY +z=3fL+_vD#e-Ta}gpaoyr`>0X&dtYp`u;hv +z)=)}R1gL|0sNRiWfhMp*GqivW?BztIb?LgO8q0b{$*~nB&(;-^*zd|dyIC~95ap$&hoUc@T?IfHO45TYg|z^5+#xJ0*SIL{=6$N +zeo)YAuVQ(HXR=|BnA%E7^6w;vgJOjIvu2SyK0Oo)(Z718@alJ)+fO}h-8&DTPF4;SL|Pi&W}_TxKnjFo@~UhLloKLXHjh$93Ma*fsTWUP9& +zzI59kdiKe&XF9?#aDr2uA%duD&tlJW(N}}1Ce^o7^_Q_99%t`f2%uNkW%uChC12Qxfs$=pLfIwegA)qL=EH$r00VH0m +zP?C{YqL7oHpRJISnVqVTmYI`UTv=R_nyXNdSdvk!qmZeWs*s$YSCW{Sr=YH{u8?1( +zpdJ&W4l%AMwWPEt4{VfPZemGthK8tmTy&g%3>3s_siE*48hjrI*j+(66&#JoVv2gLk9EC9rUKr95r!aytn#G>0b7>PZ&2>=Nr +Bc31!a + +delta 130 +zcmaDiD`vvXn1(Hk6E3sqI64=VBu!q(B;S7SG9wT(0WmWWvj8zG5VHX>I}mdKG3WMk +zm$`nbOfUS&b#J=NP9cTuoxiwPEZh5xxq+Amh`4=Ie-8F + +diff --git a/notebook/static/tree/js/main.min.js b/notebook/static/tree/js/main.min.js +index ee25657..9bca71e 100644 +--- 
a/notebook/static/tree/js/main.min.js ++++ b/notebook/static/tree/js/main.min.js +@@ -13330,11 +13330,16 @@ function chooseLocale(names) { + return null; + } + ++function isLocaleNameSane(name) { ++ // Prevent names that look like filesystem paths, i.e contain '/' or '\' ++ return name.match('^[^/\\\\]*$') != null; ++} ++ + function loadLocale(name) { + var oldLocale = null; + // TODO: Find a better way to register and load all the locales in Node + if (!locales[name] && (typeof module !== 'undefined') && +- module && module.exports) { ++ module && module.exports && isLocaleNameSane(name)) { + try { + oldLocale = globalLocale._abbr; + var aliasedRequire = require; +@@ -13771,7 +13776,7 @@ function untruncateYear(yearStr) { + + function preprocessRFC2822(s) { + // Remove comments and folding whitespace and replace multiple-spaces with a single space +- return s.replace(/\([^)]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim(); ++ return s.replace(/\([^()]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim(); + } + + function checkWeekday(weekdayStr, parsedInput, config) { +diff --git a/notebook/static/tree/js/main.min.js.map b/notebook/static/tree/js/main.min.js.map +index ad77c09f3b9e4e73fbb6cc285134cb1112602746..4051397d97e63d775028630ad2873c9542dce9fc 100644 +GIT binary patch +delta 322 +zcmX@QBzp0(=!Pwf8^29rkz~_xbT%wWn*5MizWv%aMj&PaVrC#_0b*7lW&>h&Am#vK +zP9Wyme(f8#^Q8LBVxRov#GF*W#N5>2#Jp6EJRn0;p*ki{0SNT<6#|M<%Tn`76hPv| +z3MCndB?>wD`Pm9Nnc1ldX_+~x#g)Y+sksUTi6t4uItrP3sS3&Yc_oRNc?#I(Tq +z3hFU2>Ja0KQcFsU^1w#vmWsNjf}-v8d>5`p1_v97S +z)D*D05$wq6jDjN4+r_(hSS%Se+NBTk05LBR^8qnG5DNgYAP@@yu`m#e0I}$H>BC}L +F`~YDycVhqm + +delta 135 +zcmZ3yEc)n@=!Pwf8^5vXI64=VBu#$EEZ_eA8zT@i0WmWWvj8zG5VHX>I}mdKF((jn +zZGZob+j-LTJDoiDrq7P&=AJ%nIk)KcFI_w=mhC?e^8hg~5c2^sKM)H5u^ - 6.4.11-3 +- Fix CVE-2022-24785 and CVE-2022-31129 in bundled moment +- Fixes: rhbz#2075263 + * Thu Jun 16 2022 Python Maint - 6.4.11-2 - Rebuilt for Python 3.11