[Medium] Patch nodejs24 for CVE-2026-40170

SPECS/nodejs24/CVE-2026-40170.patch

@@ -0,0 +1,29 @@
+From 708a7640c1f48fb8ffb540c4b8ea5b4c1dfb8ee5 Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
+Date: Fri, 10 Apr 2026 00:07:34 +0900
+Subject: [PATCH] Fix qlog parameters_set stack buffer overflow
+
+---
+ deps/ngtcp2/ngtcp2/lib/ngtcp2_qlog.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/deps/ngtcp2/ngtcp2/lib/ngtcp2_qlog.c b/deps/ngtcp2/ngtcp2/lib/ngtcp2_qlog.c
+index c0f92074..45a88b98 100644
+--- a/deps/ngtcp2/ngtcp2/lib/ngtcp2_qlog.c
++++ b/deps/ngtcp2/ngtcp2/lib/ngtcp2_qlog.c
+@@ -932,10 +932,10 @@ void ngtcp2_qlog_pkt_sent_end(ngtcp2_qlog *qlog, const ngtcp2_pkt_hd *hd,
+   qlog_pkt_write_end(qlog, hd, pktlen);
+ }
+
+-void ngtcp2_qlog_parameters_set_transport_params(
++void ngtcp2_parameters_set_transport_params(
+   ngtcp2_qlog *qlog, const ngtcp2_transport_params *params, int server,
+   ngtcp2_qlog_side side) {
+-  uint8_t buf[1024];
++  uint8_t buf[2048]
+   uint8_t *p = buf;
+   const ngtcp2_preferred_addr *paddr;
+   const ngtcp2_sockaddr_in *sa_in;
+-- 
+2.45.4
+

SPECS/nodejs24/nodejs24.spec

@@ -16,7 +16,7 @@ Name:           nodejs24
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version:        24.14.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        BSD AND MIT AND Public Domain AND NAIST-2003 AND Artistic-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -37,6 +37,7 @@ Patch4:         CVE-2024-34064.patch
 Patch5:         CVE-2025-27516.patch
 Patch6:         CVE-2026-33671.patch
 Patch7:         CVE-2026-33672.patch
+Patch8:         CVE-2026-40170.patch
 BuildRequires:  brotli-devel
 BuildRequires:  c-ares-devel
 BuildRequires:  coreutils >= 8.22