nodejs: patch CVE-2023-39333

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39333 Backport the patch that mentions this CVE ID explicitly in its commit message. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-05-19 02:04:09 +00:00 · 2026-01-02 12:28:57 +01:00 · 2026-01-02 12:28:57 +01:00 · f9ed3b8197
commit f9ed3b8197
parent 04f577d527
2 changed files with 58 additions and 0 deletions
--- a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch
@ -0,0 +1,57 @@
+From 217a3dba7b2bfc94534c19e48a35bb9282367be2 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Sun, 6 Aug 2023 10:41:33 +0000
+Subject: [PATCH] module: fix code injection through export names
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tobias NieÃŸen <tniessen@tnie.de>
+
+createDynamicModule() properly escapes import names, but not export
+names. In WebAssembly, any string is a valid export name. Importing a
+WebAssembly module that uses a non-identifier export name leads to
+either a syntax error in createDynamicModule() or to code injection,
+that is, to the evaluation of almost arbitrary JavaScript code outside
+of the WebAssembly module.
+
+To address this issue, adopt the same mechanism in createExport() that
+createImport() already uses. Add tests for both exports and imports.
+
+PR-URL: https://github.com/nodejs-private/node-private/pull/461
+Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/489
+Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
+CVE-ID: CVE-2023-39333
+
+CVE: CVE-2023-39333
+Upstream-Status: Backport [https://github.com/nodejs/node/commit/f5c90b2951ca8ce8e47136ef073a1778edcad15d]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ lib/internal/modules/esm/create_dynamic_module.js | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/lib/internal/modules/esm/create_dynamic_module.js b/lib/internal/modules/esm/create_dynamic_module.js
+index f7c2008..c99da19 100644
+--- a/lib/internal/modules/esm/create_dynamic_module.js
+++ b/lib/internal/modules/esm/create_dynamic_module.js
+@@ -18,13 +18,13 @@ function createImport(impt, index) {
+ import.meta.imports[${imptPath}] = $import_${index};`;
+ }
+ 
+-function createExport(expt) {
+-  const name = `${expt}`;
+-  return `let $${name};
+-export { $${name} as ${name} };
+-import.meta.exports.${name} = {
+-  get: () => $${name},
+-  set: (v) => $${name} = v,
+function createExport(expt, index) {
+  const nameStringLit = JSONStringify(expt);
+  return `let $export_${index};
+export { $export_${index} as ${nameStringLit} };
+import.meta.exports[${nameStringLit}] = {
+  get: () => $export_${index},
+  set: (v) => $export_${index} = v,
+ };`;
+ }
+ 
--- a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
@ -30,6 +30,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
           file://CVE-2024-22019.patch \
           file://CVE-2024-22025.patch \
           file://CVE-2023-46809.patch \
+           file://CVE-2023-39333.patch \
           "
 SRC_URI:append:class-target = " \
           file://0001-Using-native-binaries.patch \