diff --git a/.rh-nodejs6-nodejs.metadata b/.rh-nodejs6-nodejs.metadata
index d12d13f..d81dd06 100644
--- a/.rh-nodejs6-nodejs.metadata
+++ b/.rh-nodejs6-nodejs.metadata
@@ -1 +1 @@
-631608b680b369b73727eacfa2ddbeaed731f303 SOURCES/node-v6.11.3-stripped.tar.gz
+e6dbabb4242727435ca2ad025d42722439a661d0 SOURCES/node-v6.11.3-stripped.tar.gz
diff --git a/SOURCES/0001-https-segfault.patch b/SOURCES/0001-https-segfault.patch
new file mode 100644
index 0000000..2ba2ba5
--- /dev/null
+++ b/SOURCES/0001-https-segfault.patch
@@ -0,0 +1,57 @@
+diff --git a/src/node_crypto.cc b/src/node_crypto.cc
+index aa2dafe..a327b23 100644
+--- a/src/node_crypto.cc
++++ b/src/node_crypto.cc
+@@ -120,13 +120,13 @@ static X509_NAME *cnnic_ev_name =
+
+ static Mutex* mutexes;
+
+-static const char* const root_certs[] = {
++const char* const root_certs[] = {
+ #include "node_root_certs.h" // NOLINT(build/include_order)
+ };
+
+-static std::string extra_root_certs_file; // NOLINT(runtime/string)
++std::string extra_root_certs_file; // NOLINT(runtime/string)
+
+-static X509_STORE* root_cert_store;
++X509_STORE* root_cert_store;
+
+ // Just to generate static methods
+ template class SSLWrap;
+@@ -865,8 +865,6 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo& args) {
+ }
+ }
+
+- // Increment reference count so global store is not deleted along with CTX.
+- X509_STORE_up_ref(root_cert_store);
+ SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
+ }
+
+diff --git a/src/node_crypto.h b/src/node_crypto.h
+index 746c954..06a9017 100644
+--- a/src/node_crypto.h
++++ b/src/node_crypto.h
+@@ -63,6 +63,8 @@ enum CheckResult {
+
+ extern int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx);
+
++extern X509_STORE* root_cert_store;
++
+ extern void UseExtraCaCerts(const std::string& file);
+
+ // Forward declaration
+@@ -143,6 +145,13 @@ class SecureContext : public BaseObject {
+ }
+
+ env()->isolate()->AdjustAmountOfExternalAllocatedMemory(-kExternalSize);
++ if (ctx_->cert_store == root_cert_store) {
++ // SSL_CTX_free() will attempt to free the cert_store as well.
++ // Since we want our root_cert_store to stay around forever
++ // we just clear the field. Hopefully OpenSSL will not modify this
++ // struct in future versions.
++ ctx_->cert_store = nullptr;
++ }
+ SSL_CTX_free(ctx_);
+ if (cert_ != nullptr)
+ X509_free(cert_);
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index 469bfc4..d1aeb58 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
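Review bot: With `X509_STORE_up_ref(root_cert_store)` removed from `SecureContext::AddRootCerts`, the process-wide trust store is passed to `SSL_CTX_set_cert_store()` without a reference of its own, so its lifetime rests entirely on the `ctx_->cert_store == root_cert_store` guard added in node_crypto.h. Any other path that releases an `SSL_CTX` carrying this store would free the shared store, and any `SSL` object still holding the context after the field is cleared would continue with a null one; neither path is visible in these hunks, so this needs checking against the rest of node_crypto.cc. I would replace the deleted ownership comment rather than drop it, e.g. `// root_cert_store is shared and not ref-counted; the SecureContext cleanup detaches it before SSL_CTX_free().`, and note beside the guard that it writes into `SSL_CTX` directly and so depends on the OpenSSL 1.0.x struct layout. `root_certs` and `extra_root_certs_file` also lose `static`, although only `root_cert_store` gets an `extern` declaration here; they could stay file-local. Both enclosing functions start and end outside the hunks.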
@@ -12,7 +12,7 @@ Name: %{?scl_prefix}nodejs Version: 6.11.3 -Release: 2%{?dist} +Release: 4%{?dist} Summary: JavaScript runtime License: MIT and ASL 2.0 and ISC and BSD URL: http://nodejs.org/ @@ -40,6 +40,10 @@ Patch3: 0001-Use-openssl-1.0.1.patch Patch4: 0001-Disable-crypto-tests.patch Patch5: 0001-Disable-failing-tests.patch +# patch openssl segfaults (RHBZ#1508986) +# revert 5900ebe and 4849d03145 +Patch6: 0001-https-segfault.patch + BuildRequires: %{?scl_prefix}gyp BuildRequires: %{?scl_prefix}scldevel BuildRequires: %{?scl_prefix}libuv-devel >= 1.9.1 @@ -56,7 +60,6 @@ Requires: openssl Requires: ca-certificates # V8 presently breaks ABI at least every x.y release while never bumping SONAME -#%global v8_version 5.1.281.84 %global v8_abi 5.1 #we need ABI virtual provides where SONAMEs aren't enough/not present so deps #break when binary compatibility is broken @@ -140,6 +143,9 @@ rm -rf deps/npm \ %patch4 -p1 %patch5 -p1 +# fix segafulting https +%patch6 -p1 + %build # build with debugging symbols and add defines from libuv (#892601) # Node's v8 breaks with GCC 8 because of incorrect usage of methods on @@ -260,8 +266,12 @@ python tools/test.py --mode=release parallel -J %{_pkgdocdir}/html %changelog +* Thu Nov 09 2017 Zuzana Svetlikova - 6.11.3-4 +- Resolves: RHBZ#1508986 +- revert some upstream commits to fix https+openssl-1.0.1 segfaults + * Thu Sep 07 2017 Zuzana Svetlikova - 6.11.3-2 -- Resolves: RHBZ#1476317 +- Resolves: RHBZ#1476316 - turn off lots of tests (mainly https and tls) - update to latest v6.x version (fixes c-ares CVE), rebase patches - remove bundled-ca patch (merged upstream as configure option)
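Review bot: The `Patch6` comment `# revert 5900ebe and 4849d03145` gives two abbreviated hashes without naming the repository, what they changed, or when the patch can be dropped. Since the patch changes how the shared root certificate store is kept alive, I would spell that out, e.g. `# Reverts upstream commits 5900ebe and 4849d03145 (root_cert_store ref-counting); re-evaluate when no longer building against openssl 1.0.1`. The `%patch6` comment has a typo (`segafulting`). The changelog hunk also changes the bug number in the older 6.11.3-2 entry from RHBZ#1476317 to RHBZ#1476316 without saying so in the new entry.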