diff --git a/CVE-2021-23383.patch b/CVE-2021-23383.patch
new file mode 100644
index 0000000..1da2919
--- /dev/null
+++ b/CVE-2021-23383.patch
@@ -0,0 +1,30 @@
+From 4f844f2b439aa94d88dae0567401c4880e53bfac Mon Sep 17 00:00:00 2001
+From: jackie_wu
+Date: Thu, 20 May 2021 16:21:57 +0800
+Subject: [PATCH] add2
+
+---
+ lib/handlebars/compiler/javascript-compiler.js | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/handlebars/compiler/javascript-compiler.js b/lib/handlebars/compiler/javascript-compiler.js
+index ff98ad9..757b594 100644
+--- a/lib/handlebars/compiler/javascript-compiler.js
++++ b/lib/handlebars/compiler/javascript-compiler.js
+@@ -23,7 +23,12 @@ JavaScriptCompiler.prototype = {
+ }
+ },
+ depthedLookup: function(name) {
+- return [this.aliasable('container.lookup'), '(depths, "', name, '")'];
++ return [
++ this.aliasable('container.lookup'),
++ '(depths, ',
++ JSON.stringify(name),
++ ')'
++ ];
+ },
+
+ compilerInfo: function() {
+--
+2.23.0
+
diff --git a/nodejs-handlebars.spec b/nodejs-handlebars.spec
index 509f55e..6926e25 100644
--- a/nodejs-handlebars.spec
+++ b/nodejs-handlebars.spec
@@ -3,11 +3,12 @@
 %global npm_name handlebars
 Name: nodejs-%{npm_name}
 Version: 4.0.13
-Release: 1
+Release: 2
 Summary: Mustache extension for Node.js
 License: MIT
 URL: http://handlebarsjs.com/
 Source0: https://registry.npmjs.org/handlebars/-/handlebars-%{version}.tgz
+Patch0: CVE-2021-23383.patch
 Requires: npm(uglify-js) npm(optimist)
 BuildRequires: npm(uglify-js) npm(optimist) nodejs-devel nodejs-packaging
 BuildArch: noarch
@@ -25,6 +26,7 @@ rm -rf node_modules
 %nodejs_fixdep optimist '0.x'
 %nodejs_fixdep source-map '^0.5.2'
 %nodejs_fixdep async
+%patch0 -p1
 %build
@@ -52,5 +54,8 @@ grunt
 %{_bindir}/handlebars
 %changelog
+* Fri May 21 2021 wutao - 4.0.13-2
+- fix CVE-2021-23383
+
 * Thu Aug 20 2020 Anan Fu - 4.0.13-1
 - package init
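Review bot: The embedded patch header (`Subject: [PATCH] add2`) names neither the CVE nor the upstream change it backports, so a later auditor cannot check this backport against the upstream fix. I would change it to something like `Subject: [PATCH] Escape property names in compat-mode depthedLookup (CVE-2021-23383)` and add a line giving the upstream commit (`<upstream-commit-url>`). Replacing the hand-built quoting with `JSON.stringify(name)` is the right fix at this site, because `name` is emitted into generated JavaScript as a string literal. The patch touches only `depthedLookup`, and the rest of `JavaScriptCompiler.prototype` is outside the hunk, so it is worth confirming against the advisory that 4.0.13 has no other emitter that interpolates a template-supplied name unescaped.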
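Review bot: In the `%prep` hunk, `%patch0 -p1` uses the numbered-macro spelling that newer RPM releases deprecate; `%patch -P 0 -p1` does the same and is accepted by older RPM too. A comment above `Patch0:` recording where the fix came from, for example `# Backport of upstream fix for CVE-2021-23383: <upstream-commit-url>`, would keep the provenance visible in the spec as well as in the changelog. The `%prep` section starts outside the hunk, so the `-p1` strip level is presumed to match the unpacked source root.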