diff --git a/.rh-nodejs4-nodejs.metadata b/.rh-nodejs4-nodejs.metadata
index 5445c9e..d4ff84e 100644
--- a/.rh-nodejs4-nodejs.metadata
+++ b/.rh-nodejs4-nodejs.metadata
@@ -1 +1 @@
-915ec41d17a65ab4acd30201caf9af09287171a8 SOURCES/node-v4.6.2-stripped.tar.gz
+c0154a42a96870a749aa7e203a574860a3810129 SOURCES/node-v4.6.2-stripped.tar.gz
diff --git a/SOURCES/0003-c-ares-NAPTR-parser-out-of-bounds-access.patch b/SOURCES/0003-c-ares-NAPTR-parser-out-of-bounds-access.patch
new file mode 100644
index 0000000..1a011bb
--- /dev/null
+++ b/SOURCES/0003-c-ares-NAPTR-parser-out-of-bounds-access.patch
@@ -0,0 +1,36 @@
+From 15dfe22be278cb1f0194de0b0ab790ba9dc4fc33 Mon Sep 17 00:00:00 2001
+From: Zuzana Svetlikova
+Date: Fri, 23 Jun 2017 23:11:28 +0200
+Subject: [PATCH] c-ares NAPTR parser out of bounds access
+
+CVE: CVE-2017-1000381
+Upstream bug: https://c-ares.haxx.se/adv_20170620.html
+---
+ deps/cares/src/ares_parse_naptr_reply.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/deps/cares/src/ares_parse_naptr_reply.c b/deps/cares/src/ares_parse_naptr_reply.c
+index 11634df984..717d355778 100644
+--- a/deps/cares/src/ares_parse_naptr_reply.c
++++ b/deps/cares/src/ares_parse_naptr_reply.c
+@@ -110,6 +110,12 @@ ares_parse_naptr_reply (const unsigned char *abuf, int alen,
+ status = ARES_EBADRESP;
+ break;
+ }
++ /* RR must contain at least 7 bytes = 2 x int16 + 3 x name */
++ if (rr_len < 7)
++ {
++ status = ARES_EBADRESP;
++ break;
++ }
+
+ /* Check if we are really looking at a NAPTR record */
+ if (rr_class == C_IN && rr_type == T_NAPTR)
+@@ -185,4 +191,3 @@ ares_parse_naptr_reply (const unsigned char *abuf, int alen,
+
+ return ARES_SUCCESS;
+ }
+-
+--
+2.13.1
+
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index 8e01ea3..1936ca3 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
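Review bot: The digest recorded for `SOURCES/node-v4.6.2-stripped.tar.gz` changes while the file name and version stay the same, and nothing visible here says how the replacement tarball was produced. A reader therefore cannot tell a regenerated stripped archive from a substituted one. I would record the provenance next to the change, for example a changelog line such as `- regenerate stripped tarball from upstream node-v4.6.2 (stripping script: <PLACEHOLDER>)`, so the new digest can be reproduced from the upstream release and its published checksums. The 40-hex value has the length of a SHA-1 digest; if the lookaside format allows a stronger hash, that is worth using for new entries.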
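Review bot: The new `rr_len < 7` guard sits above the `rr_class == C_IN && rr_type == T_NAPTR` test, so it applies to every resource record that reaches this point, not only to NAPTR records. If the reply can carry other record types alongside NAPTR (a CNAME, for instance, whose compressed RDATA may be shorter than 7 bytes), the whole parse would fail with ARES_EBADRESP; this is inferred, because the loop and the code that skips non-NAPTR records are outside the hunk. Consider making the check the first statement inside the NAPTR branch, `if (rr_len < 7) { status = ARES_EBADRESP; break; }`, which presumably still runs before the fixed-width fields are read. The comment would also read better spelled out, e.g. `/* NAPTR RDATA: order (2) + preference (2) + one length byte each for flags, services, regexp */`.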
@@ -11,8 +11,9 @@ %endif Name: %{?scl_prefix}nodejs +Epoch: 1 Version: 4.6.2 -Release: 4%{?dist} +Release: 6%{?dist} Summary: JavaScript runtime License: MIT and ASL 2.0 and ISC and BSD Group: Development/Languages @@ -48,26 +49,26 @@ Patch5: 0001-Disable-brew-tests.patch Patch6: 0001-Disable-net-tests.patch -# V8 presently breaks ABI at least every x.y release while never bumping SONAME -%global v8_abi 4.5 +# fix c-ares vulnerability +Patch7: 0003-c-ares-NAPTR-parser-out-of-bounds-access.patch BuildRequires: python-devel BuildRequires: %{?scl_prefix}libuv-devel >= 1.7.5 BuildRequires: %{?scl_prefix}http-parser-devel >= 2.6.1 +BuildRequires: gcc gcc-c++ BuildRequires: zlib-devel BuildRequires: openssl-devel -# one of the tests need pc command +# one of the tests need ps command BuildRequires: procps-ng Requires: %{?scl_prefix}libuv >= 1.7.5 Requires: %{?scl_prefix}http-parser >= 2.6.1 Requires: openssl -# Node.js requires some features from openssl 1.0.1 for SPDY support -#BuildRequires: openssl-devel >= 1:1.0.2 - # we need the system certificate store when Patch2 is applied Requires: ca-certificates +# V8 presently breaks ABI at least every x.y release while never bumping SONAME +%global v8_abi 4.5 #we need ABI virtual provides where SONAMEs aren't enough/not present so deps #break when binary compatibility is broken %global nodejs_abi 4.6 
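Review bot: The comment above `Patch7` says only `# fix c-ares vulnerability`, and the changelog entry in the last hunk says `fix c-ares`, so neither names the CVE that the patch header itself records. Administrators and scanners commonly confirm a backport through `rpm -q --changelog`, and without the identifier this build cannot be matched to the advisory. I would write the comment as `# CVE-2017-1000381: c-ares NAPTR parser out-of-bounds access` and the changelog line as `- fix c-ares NAPTR parser out of bounds access (CVE-2017-1000381)`.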
@@ -95,18 +96,14 @@ Provides: %{?scl_prefix}npm(punycode) = 1.3.2 # Node.js has forked c-ares from upstream in an incompatible way, so we need # to carry the bundled version internally. # See https://github.com/nodejs/node/commit/766d063e0578c0f7758c3a965c971763f43fec85 -Provides: %{?scl_prefix}bundled(c-ares) = 1.10.1 +Provides: bundled(%{?scl_prefix}c-ares) = 1.10.1 # Node.js is closely tied to the version of v8 that is used with it. It makes # sense to use the bundled version because upstream consistently breaks ABI # even in point releases. Node.js upstream has now removed the ability to build # against a shared system version entirely. # See https://github.com/nodejs/node/commit/d726a177ed59c37cf5306983ed00ecd858cfbbef -Provides: %{?scl_prefix}bundled(v8) = 4.5.103.42 - -# Node.js and http-parser share an upstream. The http-parser upstream does not -# do releases often and is almost always far behind the bundled version -#Provides: %%{?scl_prefix}bundled(http-parser) = 2.5.1 +Provides: bundled(%{?scl_prefix}v8) = 4.5.103.42 %description Node.js is a platform built on Chrome's JavaScript runtime @@ -118,7 +115,7 @@ real-time applications that run across distributed devices. %package devel Summary: JavaScript runtime - development headers Group: Development/Languages -Requires: %{?scl_prefix}%{pkg_name}%{?_isa} == %{version}-%{release} +Requires: %{?scl_prefix}%{pkg_name}%{?_isa} == %{epoch}:%{version}-%{release} Requires: %{?scl_prefix}libuv-devel%{?_isa} %{?scl_prefix}http-parser-devel%{?_isa} Requires: openssl-devel%{?_isa} zlib-devel%{?_isa} Requires: %{?scl_prefix}runtime 
@@ -141,18 +138,24 @@ The API documentation for the Node.js JavaScript runtime. %patch1 -p1 rm -rf deps/npm \ deps/uv \ - deps/http-parser \ + deps/http_parser \ deps/zlib -# remove bundled CA certificates +# no need to remove bundled CA certificates anymore %patch2 -p1 rm -f src/node_root_certs.h +# Disable OpenSSL %patch3 -p1 + +# Disable tests %patch4 -p1 %patch5 -p1 %patch6 -p1 +# Fix c-ares +%patch7 -p1 + %build # build with debugging symbols and add defines from libuv (#892601) # Node's v8 breaks with GCC 8 because of incorrect usage of methods on @@ -169,20 +172,20 @@ export LDFLAGS='%{optflags} -L%{_libdir}' --shared-libuv \ --shared-openssl \ --without-npm \ - --without-dtrace + --without-dtrace \ + --without-snapshot +%{?scl:scl enable %{scl} - << \EOF} %if %{?with_debug} == 1 # Setting BUILDTYPE=Debug builds both release and debug binaries -%{?scl:scl enable %{scl} - << \EOF} make BUILDTYPE=Debug %{?_smp_mflags} -%{?scl:EOF} %else -%{?scl:scl enable %{scl} - << \EOF} make BUILDTYPE=Release %{?_smp_mflags} -%{?scl:EOF} %endif +%{?scl:EOF} + %install rm -rf %{buildroot} @@ -258,7 +261,26 @@ python tools/test.py --mode=release parallel -J %{_pkgdocdir}/html %changelog -* Mon Nov 28 2016 Zuzana Svetlikova - 4.6.2-4 +* Wed Oct 18 2017 Zuzana Svetlikova - 1:4.6.2-6 +- Resolves: RHBZ#1476314 +- disable snaphots +- fix c-ares +- bump spec, revert back to 4.6.2 + +* Thu Oct 05 2017 Zuzana Svetlikova - 4.8.4-2 +- Resolves: RHBZ#1476314 +- backport https://github.com/nodejs/node/commit/e3ef382f357d2bd12e7429711936aa79cc1d7699 +- fix segfaulting npm + +* Tue Sep 12 2017 Zuzana Svetlikova - 4.8.4-1 +- Resolves: RHBZ#1476314 +- update to 4.8.4 +- clean up/refactor patches + +* Wed Apr 19 2017 Zuzana Svetlikova - 4.6.2-5 +- Resolves: RHBZ#1399557 #c4 + +* Tue Nov 15 2016 Zuzana Svetlikova - 4.6.2-3 - Resolves: #1392914 - Update to 4.6.2 - Modified/fixed/refactored patches
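Review bot: The rewritten comment `# no need to remove bundled CA certificates anymore` contradicts the two lines under it, which still apply `%patch2` and run `rm -f src/node_root_certs.h`. An earlier comment in the spec says the system certificate store is needed when Patch2 is applied, so the trust source is a deliberate choice and the comment should describe what the code does, e.g. `# use the system CA store (Patch2) and drop the bundled root list`. The new `# Disable OpenSSL` above `%patch3` is also worth checking against the patch's actual purpose, because the configure call in the next hunk still passes `--shared-openssl`.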