Update to v8.1.2, npm@5.0.3, remove gcc7 patch

.gitignore

@@ -68,3 +68,4 @@
 /node-v6.10.2-stripped.tar.gz
 /node-v6.10.3-stripped.tar.gz
 /node-v6.11.0-stripped.tar.gz
+/node-v8.1.2-stripped.tar.gz

0001-Disable-running-gyp-files-for-bundled-deps.patch

@@ -1,25 +1,29 @@
-From 54cb96f338bd162dcf1301b7d7a46eea2a56befb Mon Sep 17 00:00:00 2001
+From c2aff16cc196a61f4ab1cdae4a91c7926123c239 Mon Sep 17 00:00:00 2001
 From: Zuzana Svetlikova <zsvetlik@redhat.com>
-Date: Wed, 22 Mar 2017 19:13:10 +0100
+Date: Thu, 27 Apr 2017 14:25:42 +0200
-Subject: [PATCH] Disable running gyp files for bundled deps
+Subject: [PATCH] Disable running gyp on shared deps
 
 ---
- Makefile | 2 +-
+ Makefile | 7 +++----
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ 1 file changed, 3 insertions(+), 4 deletions(-)
 
 diff --git a/Makefile b/Makefile
-index a2b64e63b4..7b0847d1d5 100644
+index 0a217bd893..e1229ad07f 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -77,7 +77,7 @@ $(NODE_G_EXE): config.gypi out/Makefile
+@@ -79,10 +79,9 @@ $(NODE_G_EXE): config.gypi out/Makefile
  	$(MAKE) -C out BUILDTYPE=Debug V=$(V)
  	if [ ! -r $@ -o ! -L $@ ]; then ln -fs out/Debug/$(NODE_EXE) $@; fi
  
--out/Makefile: common.gypi deps/uv/uv.gyp deps/http_parser/http_parser.gyp deps/zlib/zlib.gyp deps/v8/build/toolchain.gypi deps/v8/build/features.gypi deps/v8/tools/gyp/v8.gyp node.gyp config.gypi
+-out/Makefile: common.gypi deps/uv/uv.gyp deps/http_parser/http_parser.gyp \
-+out/Makefile: common.gypi deps/v8/build/toolchain.gypi deps/v8/build/features.gypi deps/v8/tools/gyp/v8.gyp node.gyp config.gypi
+-              deps/zlib/zlib.gyp deps/v8/gypfiles/toolchain.gypi \
+-              deps/v8/gypfiles/features.gypi deps/v8/src/v8.gyp node.gyp \
+-              config.gypi
++out/Makefile: common.gypi deps/http_parser/http_parser.gyp \
++              deps/v8/gypfiles/toolchain.gypi deps/v8/gypfiles/features.gypi \
++			  deps/v8/src/v8.gyp node.gyp config.gypi
  	$(PYTHON) tools/gyp_node.py -f make
  
  config.gypi: configure
 -- 
-2.12.0
+2.12.2
-

0003-c-ares-NAPTR-parser-out-of-bounds-access.patch

@@ -0,0 +1,36 @@
+From 15dfe22be278cb1f0194de0b0ab790ba9dc4fc33 Mon Sep 17 00:00:00 2001
+From: Zuzana Svetlikova <zsvetlik@redhat.com>
+Date: Fri, 23 Jun 2017 23:11:28 +0200
+Subject: [PATCH] c-ares NAPTR parser out of bounds access
+
+CVE: CVE-2017-1000381
+Upstream bug: https://c-ares.haxx.se/adv_20170620.html
+---
+ deps/cares/src/ares_parse_naptr_reply.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/deps/cares/src/ares_parse_naptr_reply.c b/deps/cares/src/ares_parse_naptr_reply.c
+index 11634df984..717d355778 100644
+--- a/deps/cares/src/ares_parse_naptr_reply.c
++++ b/deps/cares/src/ares_parse_naptr_reply.c
+@@ -110,6 +110,12 @@ ares_parse_naptr_reply (const unsigned char *abuf, int alen,
+           status = ARES_EBADRESP;
+           break;
+         }
++      /* RR must contain at least 7 bytes = 2 x int16 + 3 x name */
++      if (rr_len < 7)
++        {
++          status = ARES_EBADRESP;
++          break;
++        }
+ 
+       /* Check if we are really looking at a NAPTR record */
+       if (rr_class == C_IN && rr_type == T_NAPTR)
+@@ -185,4 +191,3 @@ ares_parse_naptr_reply (const unsigned char *abuf, int alen,
+ 
+   return ARES_SUCCESS;
+ }
+-
+-- 
+2.13.1
+

nodejs.spec

@@ -16,9 +16,9 @@
 # feature releases that are only supported for nine months, which is shorter
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
-%global nodejs_major 6
+%global nodejs_major 8
-%global nodejs_minor 11
+%global nodejs_minor 1
-%global nodejs_patch 0
+%global nodejs_patch 2
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
 %global nodejs_release 1
@@ -26,14 +26,15 @@
 # == Bundled Dependency Versions ==
 # v8 - from deps/v8/include/v8-version.h
 %global v8_major 5
-%global v8_minor 1
+%global v8_minor 8
-%global v8_build 281
+%global v8_build 283
-%global v8_patch 102
+%global v8_patch 41
 # V8 presently breaks ABI at least every x.y release while never bumping SONAME
 %global v8_abi %{v8_major}.%{v8_minor}
 %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
 
 # c-ares - from deps/cares/include/ares_version.h
+# https://github.com/nodejs/node/pull/9332
 %global c_ares_major 1
 %global c_ares_minor 10
 %global c_ares_patch 1
@@ -55,9 +56,9 @@
 
 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_major 3
+%global npm_major 5
-%global npm_minor 10
+%global npm_minor 0
-%global npm_patch 10
+%global npm_patch 3
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 
 # In order to avoid needing to keep incrementing the release version for the
@@ -99,9 +100,8 @@ Patch1: 0001-Disable-running-gyp-files-for-bundled-deps.patch
 # EPEL only has OpenSSL 1.0.1, so we need to carry a patch on that platform
 Patch2: 0002-Use-openssl-1.0.1.patch
 
-# Backported upstream patch to allow building with GCC 7 from
+# Patch CVE-2017-1000381 until upstream updates to new version/merges patch
-# https://github.com/nodejs/node/commit/2bbee49e6f170a5d6628444a7c9a2235fe0dd929
+Patch3: 0003-c-ares-NAPTR-parser-out-of-bounds-access.patch
-Patch4: 0004-Fix-compatibility-with-GCC-7.patch
 
 # RHEL 7 still uses OpenSSL 1.0.1 for now, and it segfaults on SSL
 # Revert this upstream patch until RHEL 7 upgrades to 1.0.2
@@ -118,6 +118,7 @@ BuildRequires: gcc-c++ >= 4.8.0
 %if ! 0%{?bootstrap}
 BuildRequires: systemtap-sdt-devel
 BuildRequires: http-parser-devel >= 2.7.0
+Requires: http-parser >= 2.7.0
 %else
 Provides: bundled(http-parser) = %{http_parser_version}
 %endif
@@ -200,6 +201,10 @@ Requires: openssl-devel%{?_isa}
 Requires: zlib-devel%{?_isa}
 Requires: nodejs-packaging
 
+%if ! 0%{?bootstrap}
+BuildRequires: http-parser-devel%{?_isa}
+%endif
+
 %description devel
 Development headers for the Node.js JavaScript runtime.
 
@@ -248,8 +253,8 @@ rm -rf deps/icu-small \
        deps/uv \
        deps/zlib
 
-# Fix GCC7 build
+# Patch CVE in c-ares
-%patch4 -p1
+%patch3 -p1
 
 %if 0%{?epel}
 %patch2 -p1
@@ -429,6 +434,7 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node -
 %ghost %{_sysconfdir}/npmignore
 %doc %{_mandir}/man*/npm*
 %doc %{_mandir}/man5/package.json.5*
+%doc %{_mandir}/man5/package-lock.json.5*
 %doc %{_mandir}/man7/removing-npm.7*
 %doc %{_mandir}/man7/semver.7*
 
@@ -440,6 +446,10 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node -
 %{_pkgdocdir}/npm/doc
 
 %changelog
+* Wed Jun 28 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:8.1.2-1
+- Update to v8.1.2
+- remove GCC 7 patch, as it is now fixed in node >= 6.12
+
 * Fri Jun 09 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:6.11.0-1
 - Update to 6.11.0
 - remove system CA patch since it was merged upstream

sources

@@ -1 +1 @@
-SHA512 (node-v6.11.0-stripped.tar.gz) = a23e0d8461dcf87048555d2e4e62c0bacecf6d2a6a8d6d27ed08f6f0911ec31f9a7abc48ab45478eaf3ba6af593714e628a194340168581f2f9c3c8dbf0c7a1d
+SHA512 (node-v8.1.2-stripped.tar.gz) = ccfa858837236185d8e1118335d83a4a75cbfcff0029ccbdbda920f71920c8a18b122bbf5e5eed6e9549ae0e0fc79e50406ac508aedbfc3812469921036f3168