From 32edd143c20830bf393c7563daa1a2ca024b0eb2 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 20 Apr 2021 09:35:18 -0400 Subject: [PATCH] Disable stack execution Resolves: rhbz#1950528 Signed-off-by: Stephen Gallagher --- 0001-Disable-running-gyp-on-shared-deps.patch | 6 +-- ...Install-both-binaries-and-use-libdir.patch | 6 +-- 0003-src-add-.note.GNU-stack-section.patch | 45 +++++++++++++++++++ nodejs.spec | 9 +++- 4 files changed, 59 insertions(+), 7 deletions(-) create mode 100644 0003-src-add-.note.GNU-stack-section.patch diff --git a/0001-Disable-running-gyp-on-shared-deps.patch b/0001-Disable-running-gyp-on-shared-deps.patch index 361ea08..1b5cf73 100644 --- a/0001-Disable-running-gyp-on-shared-deps.patch +++ b/0001-Disable-running-gyp-on-shared-deps.patch @@ -1,7 +1,7 @@ -From b0b4d1ddbc720db73fb8ab13cdbbf1ce6524eebd Mon Sep 17 00:00:00 2001 +From 0a889af5ee18290d833f7f63742d5b714bdb1a40 Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Fri, 17 Apr 2020 12:59:44 +0200 -Subject: [PATCH 1/2] Disable running gyp on shared deps +Subject: [PATCH 1/3] Disable running gyp on shared deps --- Makefile | 2 +- @@ -25,5 +25,5 @@ index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e # node_version.h is listed because the N-API version is taken from there -- -2.29.2 +2.31.1 diff --git a/0002-Install-both-binaries-and-use-libdir.patch b/0002-Install-both-binaries-and-use-libdir.patch index 1dc8b12..9679f8b 100644 --- a/0002-Install-both-binaries-and-use-libdir.patch +++ b/0002-Install-both-binaries-and-use-libdir.patch @@ -1,7 +1,7 @@ -From 45a9bca165f6ed76c4e43cc2cc3fdf596814bc77 Mon Sep 17 00:00:00 2001 +From 4012d5b9ae521f36c8b0155f591a38383e84407b Mon Sep 17 00:00:00 2001 
From: Elliott Sales de Andrade Date: Tue, 19 Mar 2019 23:22:40 -0400 -Subject: [PATCH 2/2] Install both binaries and use libdir. +Subject: [PATCH 2/3] Install both binaries and use libdir. This allows us to build with a shared library for other users while still providing the normal executable. @@ -86,5 +86,5 @@ index 729b416fc47d3ff3317ae3671dee977c719a8841..9bfc6234edb7732f9b90f063c2ee4a27 # behave similarly for systemtap -- -2.29.2 +2.31.1 diff --git a/0003-src-add-.note.GNU-stack-section.patch b/0003-src-add-.note.GNU-stack-section.patch new file mode 100644 index 0000000..74fd28f --- /dev/null +++ b/0003-src-add-.note.GNU-stack-section.patch 
@@ -0,0 +1,45 @@
+From 6aa11a8cf48463432c0b5c6bfca5c2a5b18b1cc7 Mon Sep 17 00:00:00 2001
+From: James Addison
+Date: Tue, 9 Mar 2021 13:08:47 +0000
+Subject: [PATCH 3/3] src: add .note.GNU-stack section
+
+This indicates to GNU binutils that it can unset the executable stack
+flag on the binary that it is building.
+
+PR-URL: https://github.com/nodejs/node/pull/37688
+Refs: https://github.com/nodejs/node/issues/17933
+Reviewed-By: Daniel Bevenius
+
+src: Use %progbits instead of @progbits
+
+While @progbits is preferred for most architectures, there are some
+(notably 32-bit ARM) for which it does not. %progbits is effective
+everywhere.
+
+See https://bugzilla.redhat.com/show_bug.cgi?id=1950528 for more
+details.
+
+Related: https://github.com/nodejs/node/issues/17933
+Related: https://github.com/nodejs/node/pull/37688
+
+Signed-off-by: Stephen Gallagher
+---
+ src/large_pages/node_text_start.S | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/large_pages/node_text_start.S b/src/large_pages/node_text_start.S
+index 1609b254f0495a32f8896ba96d96bad03f6f2321..d27dd39cc236f0e6be4e68113bfff7b531a37455 100644
+--- a/src/large_pages/node_text_start.S
++++ b/src/large_pages/node_text_start.S
+@@ -1,5 +1,8 @@
++#if defined(__ELF__)
++.section .note.GNU-stack,"",%progbits
++#endif
+ .text
+ .align 0x2000
+ .global __node_text_start
+ .hidden __node_text_start
+ __node_text_start:
+--
+2.31.1
+
diff --git a/nodejs.spec b/nodejs.spec
index a4eb5e2..e807c09 100644
--- a/nodejs.spec
+++ b/nodejs.spec
@@ -8,7 +8,7 @@ # This is used by both the nodejs package and the npm subpackage thar # has a separate version - the name is special so that rpmdev-bumpspec # will bump this rather than adding .1 to the end. -%global baserelease 1 +%global baserelease 2 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
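Review bot: The three lines this patch adds at the top of `src/large_pages/node_text_start.S` have no in-source comment, so the reason for the `__ELF__` guard and for `%progbits` is recorded only in the patch description. A later cleanup could switch the directive back to the more common `@progbits` and break the 32-bit ARM build again, where `@` starts a comment in the assembler. I would add a comment above the directive, for example `/* Mark this object as not needing an executable stack. Use %progbits, not @progbits, so the directive also assembles on 32-bit ARM. */`. Since half of this patch is still only proposed upstream, the comment is best added to the upstream proposal as well, so the downstream copy can be dropped cleanly later.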
@@ -145,6 +145,10 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch # Patch to install both node and libnode.so, using the correct libdir Patch2: 0002-Install-both-binaries-and-use-libdir.patch +# Patch to disable stack execution. Merged from one upstream patch and +# one upstream proposed patch +Patch3: 0003-src-add-.note.GNU-stack-section.patch + BuildRequires: make BuildRequires: python3-devel BuildRequires: python3-setuptools @@ -665,6 +669,9 @@ end %changelog +* Tue Apr 20 2021 Stephen Gallagher - 1:14.16.1-2 +- Disable stack execution (bz#1950528) + * Thu Apr 08 2021 Stephen Gallagher - 1:14.16.1-1 - Update to 14.16.1
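Review bot: Nothing in the spec changes shown here verifies that the built binaries end up with a non-executable stack, so the fix carried by `Patch3` can regress silently. A single assembly object without a `.note.GNU-stack` section is enough for the linker to mark the whole output as requiring an executable stack. Consider a `%check` step that inspects the `GNU_STACK` program header of the installed `node` binary and `libnode.so` (for example with `readelf -lW`) and fails the build if the flags include `E`. The comment above `Patch3:` could also name the upstream pull request (https://github.com/nodejs/node/pull/37688), so a later rebase knows when the patch can be dropped. The `%check` section is outside this diff, so an existing check may already cover this.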