!12 [sync] PR-11: prevent exploit of CVE-2021-30483

From: @openeuler-sync-bot Reviewed-by: @jxy_git Signed-off-by: @jxy_git
prevent exploit of CVE-2021-30483
2025-03-20 05:50:52 +00:00 · 2025-03-20 10:02:30 +08:00 · 2024-11-19 05:45:17 +00:00 · 2024-11-19 10:54:32 +08:00 · 2023-03-03 13:32:57 +00:00 · 2023-03-03 15:10:28 +08:00
6 changed files with 110 additions and 11 deletions
--- a/0001-Update-leading-zero-use-case-for-date-formatting.patch
+++ b/0001-Update-leading-zero-use-case-for-date-formatting.patch
@ -0,0 +1,34 @@
+From c3099f1dbf0dd83bdca443dab55b310ea8efc040 Mon Sep 17 00:00:00 2001
+From: jxy_git <jiangxinyu@kylinos.cn>
+Date: Mon, 18 Nov 2024 17:21:12 +0800
+Subject: [PATCH] Update leading zero use case for date formatting
+
+---
+ src/utils/intl-test.js | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/utils/intl-test.js b/src/utils/intl-test.js
+index 40d422f..520a771 100644
+--- a/src/utils/intl-test.js
+++ b/src/utils/intl-test.js
+@@ -180,7 +180,7 @@ describe('DateTime Formatters', function () {
+         expect(currentTimeZone()).toBe('UTC')
+ 
+         expect(formatDate(new Date(Date.UTC(1999, 11, 31)))).toBe('31/12/1999')
+-        expect(formatDate(new Date(Date.UTC(2020, 6, 4)))).toBe('4/7/2020')
+        expect(formatDate(new Date(Date.UTC(2020, 6, 4)))).toBe('04/07/2020')
+       })
+       it('format datetime', function () {
+         initLocale('it-IT')
+@@ -188,7 +188,7 @@ describe('DateTime Formatters', function () {
+         const utcTzName = extractUtcTimezoneName(currentLocale())
+ 
+         expect(formatDateTime(new Date(Date.UTC(1999, 11, 31, 16, 35, 42)))).toBe(`31/12/1999, 16:35:42 ${utcTzName}`)
+-        expect(formatDateTime(new Date(Date.UTC(2020, 6, 4, 11, 12, 13)))).toBe(`4/7/2020, 11:12:13 ${utcTzName}`)
+        expect(formatDateTime(new Date(Date.UTC(2020, 6, 4, 11, 12, 13)))).toBe(`04/07/2020, 11:12:13 ${utcTzName}`)
+       })
+     })
+   }
+-- 
+2.43.0
+
--- a/0002-prevent-exploit-of-CVE-2021-30483.patch
+++ b/0002-prevent-exploit-of-CVE-2021-30483.patch
@ -0,0 +1,37 @@
+From f9d72006dcc6033297729c3b0b4a86e43d1925ba Mon Sep 17 00:00:00 2001
+From: wangdi <wangdi@kylinos.cn>
+Date: Wed, 19 Mar 2025 18:09:32 +0800
+Subject: [PATCH] prevent exploit of CVE-2021-30483
+
+---
+ webpack.common.js | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/webpack.common.js b/webpack.common.js
+index 43c25ee..20f175e 100644
+--- a/webpack.common.js
+++ b/webpack.common.js
+@@ -9,7 +9,8 @@ const InlineManifestWebpackPlugin = require('inline-manifest-webpack-plugin')
+ const env = process.env.NODE_ENV || 'development'
+ const useFakeData = process.env.FAKE_DATA === 'true'
+ const packageInfo = require('./package.json')
+-const fetchGitInfo = require('./webpack.gitinfo.js')
+// disable git info fetch to prevent exploit of CVE-2021-30483
+// const fetchGitInfo = require('./webpack.gitinfo.js')
+ 
+ // common modules required by all entry points
+ const commonModules = ['core-js/stable']
+@@ -17,7 +18,9 @@ const commonModules = ['core-js/stable']
+ // common webpack configuration applicable to all environments
+ // @see: https://github.com/patternfly/patternfly-react-seed/blob/master/webpack.common.js
+ async function common () {
+-  const gitInfo = await fetchGitInfo()
+  // disable git info fetch to prevent exploit of CVE-2021-30483
+  // const gitInfo = await fetchGitInfo()
+  const gitInfo = null
+   const rpmInfo = process.env.RPM_PACKAGE_NAME && {
+     packageName: process.env.RPM_PACKAGE_NAME,
+     packageVersion: process.env.RPM_PACKAGE_VERSION,
+-- 
+2.48.1
+
--- a/ovirt-engine-ui-extensions-1.0.10.tar.gz
+++ b/ovirt-engine-ui-extensions-1.0.10.tar.gz
--- a/ovirt-engine-ui-extensions-1.2.6.tar.gz
+++ b/ovirt-engine-ui-extensions-1.2.6.tar.gz
--- a/ovirt-engine-ui-extensions.spec
+++ b/ovirt-engine-ui-extensions.spec
@ -1,19 +1,20 @@
 Name: ovirt-engine-ui-extensions
 Summary: oVirt UI Extensions
-Version: 1.0.10
-Release: 1%{?dist}
-License: ASL 2.0
+Version: 1.2.6
+Release: 4
+License: Apache-2.0
 URL: http://www.ovirt.org/
-Source: ovirt-engine-ui-extensions-1.0.10.tar.gz
+Source: ovirt-engine-ui-extensions-1.2.6.tar.gz
+Patch0: 0001-Update-leading-zero-use-case-for-date-formatting.patch
+Patch1: 0002-prevent-exploit-of-CVE-2021-30483.patch

 BuildArch: noarch

-BuildRequires: ovirt-engine-nodejs
-BuildRequires: ovirt-engine-nodejs-modules
-BuildRequires: ovirt-engine-yarn
+# nodejs-modules embeds yarn and requires nodejs
+BuildRequires: ovirt-engine-nodejs-modules >= 2.0.44-1

 Requires: ovirt-engine-webadmin-portal >= 4.3
-Requires: ovirt-ansible-cluster-upgrade >= 1.1.12
+Requires: ovirt-ansible-collection >= 1.2.0

 Obsoletes: ovirt-engine-dashboard < 1.3
 Provides: ovirt-engine-dashboard = 1.3
@ -24,16 +25,27 @@ UI plugin that provides various extensions to oVirt administration UI.
 Extensions include:
  - dashboard
  - VM migrate dialog
+  - VM export dialog
+  - VM manage GPU dialog
  - Cluster upgrade wizard

 %prep

 # Unpack the source:
 %setup -q -n %{name}-%{version}
+%patch 0 -p1
+%patch 1 -p1

 # Set up Node.js environment with dependencies linked to ./node_modules:
 source %{_datadir}/ovirt-engine-nodejs-modules/setup-env.sh

+# Change hardcoded deafult hash algorithm from legacy md4 to sha512
+sed -i 's/md4/sha512/g' node_modules/webpack/lib/*.js
+sed -i 's/md4/sha512/g' node_modules/webpack/lib/optimize/*.js
+sed -i 's/md4/sha512/g' node_modules/copy-webpack-plugin/dist/*.js
+sed -i 's/md4/sha512/g' node_modules/terser-webpack-plugin/dist/*.js
+sed -i 's/md4/sha512/g' node_modules/babel-loader/lib/*.js
+
 # Build the application:
 yarn build

@ -52,19 +64,31 @@ ln -s "%{_datadir}/%{name}/ui-extensions.json" "%{buildroot}%{_datadir}/ovirt-en
 ln -s "%{_datadir}/%{name}/ui-extensions-resources" "%{buildroot}%{_datadir}/ovirt-engine/ui-plugins"

 # Ensure the Engine playbooks directory exists:
-mkdir -p %{buildroot}%{_datadir}/ovirt-engine/playbooks
+mkdir -p %{buildroot}%{_datadir}/ovirt-engine/ansible-runner-service-project/project

 # Link plugin playbooks to Engine playbooks directory:
-ln -s "%{_datadir}/%{name}/ansible-playbooks/ovirt-cluster-upgrade.yml" "%{buildroot}%{_datadir}/ovirt-engine/playbooks"
+ln -s "%{_datadir}/%{name}/ansible-playbooks/ovirt-cluster-upgrade.yml" "%{buildroot}%{_datadir}/ovirt-engine/ansible-runner-service-project/project"

 %files
 %{_datadir}/%{name}
 %{_datadir}/ovirt-engine/ui-plugins/ui-extensions.json
 %{_datadir}/ovirt-engine/ui-plugins/ui-extensions-resources
-%{_datadir}/ovirt-engine/playbooks/ovirt-cluster-upgrade.yml
+%{_datadir}/ovirt-engine/ansible-runner-service-project/project/ovirt-cluster-upgrade.yml
 %doc README.adoc
 %license LICENSE

 %changelog
+* Wed Mar 19 2025 wangdi <wangdi@kylinos.cn> - 1.2.6-4
+- Prevent exploit of CVE-2021-30483
+
+* Mon Nov 18 2024 jiangxinyu <jiangxinyu@kylinos.cn> - 1.2.6-3
+- Fix leading zero issue with date formatting
+
+* Fri Mar 3 2023 yanjianqing <yanjianqing@kylinos.cn> - 1.2.6-2
+- Change hardcoded deafult hash algorithm from legacy md4 to sha512
+
+* Tue Jul 6 2021 kymayl <mayilin@kylinos.cn> - 1.2.6-1
+- upgrade package
+
 * Thu Mar 05 2020 huihui.fu <huihui.fu@cs2c.com.cn> - 1.0.10-1
 - Package initialization
--- a/ovirt-engine-ui-extensions.yaml
+++ b/ovirt-engine-ui-extensions.yaml
@ -0,0 +1,4 @@
+version_control: github
+src_repo: oVirt/ovirt-engine-ui-extensions
+tag_prefix: "^ovirt-engine-ui-extensions-"
+seperator: "."
Author	SHA1	Message	Date
openeuler-ci-bot	1d9e59ae99	!12 [sync] PR-11: prevent exploit of CVE-2021-30483 From: @openeuler-sync-bot Reviewed-by: @jxy_git Signed-off-by: @jxy_git	2025-03-20 05:50:52 +00:00
wangdi	cb1791b364	prevent exploit of CVE-2021-30483 (cherry picked from commit 8fdd3cda27164799aa7e69f2d7bbdf87411f064d)	2025-03-20 10:02:30 +08:00
openeuler-ci-bot	ec16efcbfa	!9 [sync] PR-7: Fix leading zero issue with date formatting From: @openeuler-sync-bot Reviewed-by: @jxy_git Signed-off-by: @jxy_git	2024-11-19 05:45:17 +00:00
jxy_git	fd1cbca535	Fix leading zero issue with date formatting (cherry picked from commit 2d59c5b259638bd57e5ec6bb41349273ad0123df)	2024-11-19 10:54:32 +08:00
openeuler-ci-bot	24b39f6198	!5 编译时修改所有node模块依赖中硬编码的默认哈希算法为sha512，不使用md4 From: @moonyan Reviewed-by: @jxy_git Signed-off-by: @jxy_git	2023-03-03 13:32:57 +00:00
yanjianqing	3d656b0b4e	Change hardcoded deafult hash algorithm from legacy md4 to sha512	2023-03-03 15:10:28 +08:00
openeuler-ci-bot	7b1dc78489	!4 add yaml file From: @kymayl Reviewed-by: @crrs666 Signed-off-by: @crrs666	2021-07-06 09:58:28 +00:00
kymayl	47a8b5c68f	add yaml file	2021-07-06 16:39:19 +08:00
openeuler-ci-bot	46fc7fce66	!3 package upgrade From: @kymayl Reviewed-by: @crrs666 Signed-off-by: @crrs666	2021-07-06 08:32:16 +00:00
kymayl	34c37ae852	upgrade package	2021-07-06 16:03:37 +08:00