From 27f006aeeebbaa72bf2774070d46ef1a5f472477 Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Wed, 28 Jun 2017 11:00:13 +0200 Subject: [PATCH] Update to v8.1.2, npm@5.0.3, remove gcc7 patch --- .gitignore | 1 + ...e-running-gyp-files-for-bundled-deps.patch | 26 +++++++------ ...es-NAPTR-parser-out-of-bounds-access.patch | 36 ++++++++++++++++++ nodejs.spec | 38 ++++++++++++------- sources | 2 +- 5 files changed, 77 insertions(+), 26 deletions(-) create mode 100644 0003-c-ares-NAPTR-parser-out-of-bounds-access.patch diff --git a/.gitignore b/.gitignore index 863b931..2dac779 100644 --- a/.gitignore +++ b/.gitignore @@ -68,3 +68,4 @@ /node-v6.10.2-stripped.tar.gz /node-v6.10.3-stripped.tar.gz /node-v6.11.0-stripped.tar.gz +/node-v8.1.2-stripped.tar.gz diff --git a/0001-Disable-running-gyp-files-for-bundled-deps.patch b/0001-Disable-running-gyp-files-for-bundled-deps.patch index fe9f854..324a468 100644 --- a/0001-Disable-running-gyp-files-for-bundled-deps.patch +++ b/0001-Disable-running-gyp-files-for-bundled-deps.patch @@ -1,25 +1,29 @@ -From 54cb96f338bd162dcf1301b7d7a46eea2a56befb Mon Sep 17 00:00:00 2001 +From c2aff16cc196a61f4ab1cdae4a91c7926123c239 Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova -Date: Wed, 22 Mar 2017 19:13:10 +0100 -Subject: [PATCH] Disable running gyp files for bundled deps +Date: Thu, 27 Apr 2017 14:25:42 +0200 +Subject: [PATCH] Disable running gyp on shared deps --- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) + Makefile | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile -index a2b64e63b4..7b0847d1d5 100644 +index 0a217bd893..e1229ad07f 100644 --- a/Makefile +++ b/Makefile -@@ -77,7 +77,7 @@ $(NODE_G_EXE): config.gypi out/Makefile +@@ -79,10 +79,9 @@ $(NODE_G_EXE): config.gypi out/Makefile $(MAKE) -C out BUILDTYPE=Debug V=$(V) if [ ! -r $@ -o ! -L $@ ]; then ln -fs out/Debug/$(NODE_EXE) $@; fi --out/Makefile: common.gypi deps/uv/uv.gyp deps/http_parser/http_parser.gyp deps/zlib/zlib.gyp deps/v8/build/toolchain.gypi deps/v8/build/features.gypi deps/v8/tools/gyp/v8.gyp node.gyp config.gypi -+out/Makefile: common.gypi deps/v8/build/toolchain.gypi deps/v8/build/features.gypi deps/v8/tools/gyp/v8.gyp node.gyp config.gypi +-out/Makefile: common.gypi deps/uv/uv.gyp deps/http_parser/http_parser.gyp \ +- deps/zlib/zlib.gyp deps/v8/gypfiles/toolchain.gypi \ +- deps/v8/gypfiles/features.gypi deps/v8/src/v8.gyp node.gyp \ +- config.gypi ++out/Makefile: common.gypi deps/http_parser/http_parser.gyp \ ++ deps/v8/gypfiles/toolchain.gypi deps/v8/gypfiles/features.gypi \ ++ deps/v8/src/v8.gyp node.gyp config.gypi $(PYTHON) tools/gyp_node.py -f make config.gypi: configure -- -2.12.0 - +2.12.2 diff --git a/0003-c-ares-NAPTR-parser-out-of-bounds-access.patch b/0003-c-ares-NAPTR-parser-out-of-bounds-access.patch new file mode 100644 index 0000000..1a011bb --- /dev/null +++ b/0003-c-ares-NAPTR-parser-out-of-bounds-access.patch @@ -0,0 +1,36 @@ +From 15dfe22be278cb1f0194de0b0ab790ba9dc4fc33 Mon Sep 17 00:00:00 2001 +From: Zuzana Svetlikova +Date: Fri, 23 Jun 2017 23:11:28 +0200 +Subject: [PATCH] c-ares NAPTR parser out of bounds access + +CVE: CVE-2017-1000381 +Upstream bug: https://c-ares.haxx.se/adv_20170620.html +--- + deps/cares/src/ares_parse_naptr_reply.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/deps/cares/src/ares_parse_naptr_reply.c b/deps/cares/src/ares_parse_naptr_reply.c +index 11634df984..717d355778 100644 +--- a/deps/cares/src/ares_parse_naptr_reply.c ++++ b/deps/cares/src/ares_parse_naptr_reply.c +@@ -110,6 +110,12 @@ ares_parse_naptr_reply (const unsigned char *abuf, int alen, + status = ARES_EBADRESP; + break; + } ++ /* RR must contain at least 7 bytes = 2 x int16 + 3 x name */ ++ if (rr_len < 7) ++ { ++ status = ARES_EBADRESP; ++ break; ++ } + + /* Check if we are really looking at a NAPTR record */ + if (rr_class == C_IN && rr_type == T_NAPTR) +@@ -185,4 +191,3 @@ ares_parse_naptr_reply (const unsigned char *abuf, int alen, + + return ARES_SUCCESS; + } +- +-- +2.13.1 + diff --git a/nodejs.spec b/nodejs.spec index aa28b3f..9167903 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -16,9 +16,9 @@ # feature releases that are only supported for nine months, which is shorter # than a Fedora release lifecycle. %global nodejs_epoch 1 -%global nodejs_major 6 -%global nodejs_minor 11 -%global nodejs_patch 0 +%global nodejs_major 8 +%global nodejs_minor 1 +%global nodejs_patch 2 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch} %global nodejs_release 1 @@ -26,14 +26,15 @@ # == Bundled Dependency Versions == # v8 - from deps/v8/include/v8-version.h %global v8_major 5 -%global v8_minor 1 -%global v8_build 281 -%global v8_patch 102 +%global v8_minor 8 +%global v8_build 283 +%global v8_patch 41 # V8 presently breaks ABI at least every x.y release while never bumping SONAME %global v8_abi %{v8_major}.%{v8_minor} %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch} # c-ares - from deps/cares/include/ares_version.h +# https://github.com/nodejs/node/pull/9332 %global c_ares_major 1 %global c_ares_minor 10 %global c_ares_patch 1 @@ -55,9 +56,9 @@ # npm - from deps/npm/package.json %global npm_epoch 1 -%global npm_major 3 -%global npm_minor 10 -%global npm_patch 10 +%global npm_major 5 +%global npm_minor 0 +%global npm_patch 3 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # In order to avoid needing to keep incrementing the release version for the @@ -99,9 +100,8 @@ Patch1: 0001-Disable-running-gyp-files-for-bundled-deps.patch # EPEL only has OpenSSL 1.0.1, so we need to carry a patch on that platform Patch2: 0002-Use-openssl-1.0.1.patch -# Backported upstream patch to allow building with GCC 7 from -# https://github.com/nodejs/node/commit/2bbee49e6f170a5d6628444a7c9a2235fe0dd929 -Patch4: 0004-Fix-compatibility-with-GCC-7.patch +# Patch CVE-2017-1000381 until upstream updates to new version/merges patch +Patch3: 0003-c-ares-NAPTR-parser-out-of-bounds-access.patch # RHEL 7 still uses OpenSSL 1.0.1 for now, and it segfaults on SSL # Revert this upstream patch until RHEL 7 upgrades to 1.0.2 @@ -118,6 +118,7 @@ BuildRequires: gcc-c++ >= 4.8.0 %if ! 0%{?bootstrap} BuildRequires: systemtap-sdt-devel BuildRequires: http-parser-devel >= 2.7.0 +Requires: http-parser >= 2.7.0 %else Provides: bundled(http-parser) = %{http_parser_version} %endif @@ -200,6 +201,10 @@ Requires: openssl-devel%{?_isa} Requires: zlib-devel%{?_isa} Requires: nodejs-packaging +%if ! 0%{?bootstrap} +BuildRequires: http-parser-devel%{?_isa} +%endif + %description devel Development headers for the Node.js JavaScript runtime. @@ -248,8 +253,8 @@ rm -rf deps/icu-small \ deps/uv \ deps/zlib -# Fix GCC7 build -%patch4 -p1 +# Patch CVE in c-ares +%patch3 -p1 %if 0%{?epel} %patch2 -p1 @@ -429,6 +434,7 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node - %ghost %{_sysconfdir}/npmignore %doc %{_mandir}/man*/npm* %doc %{_mandir}/man5/package.json.5* +%doc %{_mandir}/man5/package-lock.json.5* %doc %{_mandir}/man7/removing-npm.7* %doc %{_mandir}/man7/semver.7* @@ -440,6 +446,10 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node - %{_pkgdocdir}/npm/doc %changelog +* Wed Jun 28 2017 Zuzana Svetlikova - 1:8.1.2-1 +- Update to v8.1.2 +- remove GCC 7 patch, as it is now fixed in node >= 6.12 + * Fri Jun 09 2017 Zuzana Svetlikova - 1:6.11.0-1 - Update to 6.11.0 - remove system CA patch since it was merged upstream diff --git a/sources b/sources index 77400eb..5f9691c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (node-v6.11.0-stripped.tar.gz) = a23e0d8461dcf87048555d2e4e62c0bacecf6d2a6a8d6d27ed08f6f0911ec31f9a7abc48ab45478eaf3ba6af593714e628a194340168581f2f9c3c8dbf0c7a1d +SHA512 (node-v8.1.2-stripped.tar.gz) = ccfa858837236185d8e1118335d83a4a75cbfcff0029ccbdbda920f71920c8a18b122bbf5e5eed6e9549ae0e0fc79e50406ac508aedbfc3812469921036f3168