Fix CVE-2020-8178

2022-02-23 11:34:32 +08:00 · 2022-02-23 11:34:32 +08:00 · ebc5a5e04b
commit ebc5a5e04b
parent f4d0fc7015
2 changed files with 60 additions and 2 deletions
--- a/CVE-2020-8178.patch
+++ b/CVE-2020-8178.patch
@ -0,0 +1,54 @@
+From 64c18e3e654b55e3414894295127337705217139 Mon Sep 17 00:00:00 2001
+From: toufik-airane <toufik.airane@gmail.com>
+Date: Fri, 12 Jun 2020 21:06:44 +0200
+Subject: [PATCH] Fix OS Command Injection on Jison
+
+Fix OS Command Injection on Jison for huntr.dev.
+https://www.huntr.dev/app/bounties/open/1-npm-jison
+---
+ ports/csharp/Jison/Jison/csharp.js | 4 ++--
+ ports/php/php.js                   | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/ports/csharp/Jison/Jison/csharp.js b/ports/csharp/Jison/Jison/csharp.js
+index 76c5d8ad..fdcd7b48 100644
+--- a/ports/csharp/Jison/Jison/csharp.js
+++ b/ports/csharp/Jison/Jison/csharp.js
+@@ -1,6 +1,6 @@
+ var fs = require('fs'),
+     util = require('util'),
+-    exec = require('child_process').exec,
+    execFile = require('child_process').execFile,
+     path = require('path');
+ 
+ GLOBAL.convertToSyntax = function (types, body) {
+@@ -16,7 +16,7 @@ function puts(error, stdout, stderr) {
+ 
+ console.log("Executing: " + "jison " + process.argv[2]);
+ 
+-exec("jison " + process.argv[2], function (error) {
+execFile("jison ", [process.argv[2]], function (error) {
+     if (error) {
+         console.log(error);
+         return;
+diff --git a/ports/php/php.js b/ports/php/php.js
+index 5e9f8425..e9b48499 100644
+--- a/ports/php/php.js
+++ b/ports/php/php.js
+@@ -1,6 +1,6 @@
+ var fs = require('fs'),
+     util = require('util'),
+-    exec = require('child_process').exec,
+    execFile = require('child_process').execFile,
+     path = require('path');
+ 
+ GLOBAL.convertToSyntax = function (types, body) {
+@@ -16,7 +16,7 @@ function puts(error, stdout, stderr) {
+ 
+ console.log("Executing: " + "jison " + process.argv[2]);
+ 
+-exec("jison " + process.argv[2], function (error) {
+execFile("jison ", [process.argv[2]], function (error) {
+     if (error) {
+         console.log(error);
+         return;
--- a/nodejs-jison.spec
+++ b/nodejs-jison.spec
@ -5,11 +5,12 @@
 %global shortcommit %(c=%{commit}; echo ${c:0:7})
 Name:                nodejs-jison
 Version:             0.4.18
-Release:             1
+Release:             2
 Summary:             A parser generator with Bison's API
 License:             MIT
 URL:                 https://github.com/zaach/jison
 Source0:             https://github.com/zaach/jison/archive/%{commit}/jison-%{shortcommit}.tar.gz
+Patch0:		     CVE-2020-8178.patch
 BuildArch:           noarch
 ExclusiveArch:       %{nodejs_arches} noarch
 BuildRequires:       nodejs-packaging npm(cjson) npm(ebnf-parser) npm(escodegen) npm(esprima)
@ -21,7 +22,7 @@ BuildRequires:       npm(test)
 %{summary}.

 %prep
-%autosetup -n jison-%{commit}
+%autosetup -n jison-%{commit} -p1
 chmod -x lib/jison.js
 rm -rf node_modules
 %nodejs_fixdep cjson
@ -56,5 +57,8 @@ ln -s %{nodejs_sitelib}/jison/lib/cli.js \
 %{_bindir}/jison

 %changelog
+* Wed Feb 23 2022 houyingchao <houyingchao@huawei.com> - 0.4.18-2
+- Fix CVE-2020-8178
+
 * Thu Aug 20 2020 yaokai <yaokai13@huawei.com> - 0.4.18-1
 - Package init