
[meta-oe,kirkstone,3/5] nodejs: patch CVE-2023-39333

Message ID 20260102112900.1800006-3-skandigraun@gmail.com
State New
Series [meta-oe,kirkstone,1/5] fio: ignore CVE-2025-10824 | expand

Commit Message

Gyorgy Sarvari Jan. 2, 2026, 11:28 a.m. UTC
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39333

Backport the patch that mentions this CVE ID explicitly in its
commit message. 

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../nodejs/nodejs/CVE-2023-39333.patch        | 57 +++++++++++++++++++
 .../recipes-devtools/nodejs/nodejs_16.20.2.bb |  1 +
 2 files changed, 58 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch

Patch

diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch
new file mode 100644
index 0000000000..3cea4e1c23
--- /dev/null
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch
@@ -0,0 +1,57 @@ 
+From 217a3dba7b2bfc94534c19e48a35bb9282367be2 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Sun, 6 Aug 2023 10:41:33 +0000
+Subject: [PATCH] module: fix code injection through export names
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tobias Nießen <tniessen@tnie.de>
+
+createDynamicModule() properly escapes import names, but not export
+names. In WebAssembly, any string is a valid export name. Importing a
+WebAssembly module that uses a non-identifier export name leads to
+either a syntax error in createDynamicModule() or to code injection,
+that is, to the evaluation of almost arbitrary JavaScript code outside
+of the WebAssembly module.
+
+To address this issue, adopt the same mechanism in createExport() that
+createImport() already uses. Add tests for both exports and imports.
+
+PR-URL: https://github.com/nodejs-private/node-private/pull/461
+Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/489
+Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
+CVE-ID: CVE-2023-39333
+
+CVE: CVE-2023-39333
+Upstream-Status: Backport [https://github.com/nodejs/node/commit/f5c90b2951ca8ce8e47136ef073a1778edcad15d]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ lib/internal/modules/esm/create_dynamic_module.js | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/lib/internal/modules/esm/create_dynamic_module.js b/lib/internal/modules/esm/create_dynamic_module.js
+index f7c2008..c99da19 100644
+--- a/lib/internal/modules/esm/create_dynamic_module.js
++++ b/lib/internal/modules/esm/create_dynamic_module.js
+@@ -18,13 +18,13 @@ function createImport(impt, index) {
+ import.meta.imports[${imptPath}] = $import_${index};`;
+ }
+ 
+-function createExport(expt) {
+-  const name = `${expt}`;
+-  return `let $${name};
+-export { $${name} as ${name} };
+-import.meta.exports.${name} = {
+-  get: () => $${name},
+-  set: (v) => $${name} = v,
++function createExport(expt, index) {
++  const nameStringLit = JSONStringify(expt);
++  return `let $export_${index};
++export { $export_${index} as ${nameStringLit} };
++import.meta.exports[${nameStringLit}] = {
++  get: () => $export_${index},
++  set: (v) => $export_${index} = v,
+ };`;
+ }
+ 
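Review bot: The embedded patch header still says "Add tests for both exports and imports", but its diffstat lists only `lib/internal/modules/esm/create_dynamic_module.js`, so the backport appears to drop the upstream tests and nothing here exercises the fix on 16.20.2. Either carry the tests or record the omission in the patch header, for example `Tests from the upstream commit are omitted in this backport.` Separately, `createExport(expt, index)` now relies on its caller supplying `index`; the call site is outside this hunk, so confirm it is invoked through a map-style callback that passes the index, since otherwise every binding would be named `$export_undefined`. The `export { $export_N as "name" }` form also assumes the engine shipped with this Node version accepts string-literal export names, which is worth confirming by importing a WebAssembly module with a non-identifier export name on the target build.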
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
index b2872bfd98..2feec12f21 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
@@ -30,6 +30,7 @@  SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
            file://CVE-2024-22019.patch \
            file://CVE-2024-22025.patch \
            file://CVE-2023-46809.patch \
+           file://CVE-2023-39333.patch \
            "
 SRC_URI:append:class-target = " \
            file://0001-Using-native-binaries.patch \