!83 Update to 12.22.11, fix some cves.

From: @wk333 
Reviewed-by: @solarhu 
Signed-off-by: @solarhu
openeuler-ci-bot 2022-04-08 00:53:05 +00:00 committed by Gitee
commit 27e977fde7
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
20 changed files with 201 additions and 1317 deletions


@ -1,30 +1,25 @@
From 7a6257be1d0276ff22d2d92ea89c5bca6c633802 Mon Sep 17 00:00:00 2001
From 0da4decd64a9cbfcf75b2697c722cd6fc82a164d Mon Sep 17 00:00:00 2001
From: Zuzana Svetlikova <zsvetlik@redhat.com>
Date: Thu, 27 Apr 2017 14:25:42 +0200
Subject: [PATCH 1/3] Disable running gyp on shared deps
Date: Fri, 17 Apr 2020 12:59:44 +0200
Subject: [PATCH] 0001
---
Makefile | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 316410e3f81e39cdddecf91d5b717c884a9c51b3..62c8ebb5b95a68e44d4c2ab3beee70d63c3175c7 100644
index 88166da2a8..f0637b6c78 100644
--- a/Makefile
+++ b/Makefile
@@ -123,10 +123,9 @@ with-code-cache:
test-code-cache: with-code-cache
$(PYTHON) tools/test.py $(PARALLEL_ARGS) --mode=$(BUILDTYPE_LOWER) code-cache
@@ -141,7 +141,7 @@ test-code-cache: with-code-cache
echo "'test-code-cache' target is a noop"
-out/Makefile: common.gypi deps/uv/uv.gyp deps/http_parser/http_parser.gyp \
- deps/zlib/zlib.gyp deps/v8/gypfiles/toolchain.gypi \
- deps/v8/gypfiles/features.gypi deps/v8/gypfiles/v8.gyp node.gyp \
- config.gypi
+out/Makefile: common.gypi deps/http_parser/http_parser.gyp \
+ deps/v8/gypfiles/toolchain.gypi deps/v8/gypfiles/features.gypi \
+ deps/v8/gypfiles/v8.gyp node.gyp config.gypi
out/Makefile: config.gypi common.gypi node.gyp \
- deps/uv/uv.gyp deps/http_parser/http_parser.gyp deps/zlib/zlib.gyp \
+ deps/http_parser/http_parser.gyp \
tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
$(PYTHON) tools/gyp_node.py -f make
config.gypi: configure configure.py
--
2.24.1
2.25.2
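Review bot: The refreshed patch header appears to replace the descriptive subject `Disable running gyp on shared deps` with the placeholder `0001`; the page prints old and new header lines together without markers, so which line is the new one is inferred from their order. The body now drops `deps/uv/uv.gyp` and `deps/zlib/zlib.gyp` from the `out/Makefile` prerequisites, and with the subject gone nothing in the patch says that this is intentional. I would keep the original wording, `Subject: [PATCH] Disable running gyp on shared deps`, and add one sentence to the message naming the dependencies that are no longer tracked by the rule.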


@ -1,7 +1,7 @@
From 8828c8fdc98f310a718a65ebc47d8a163e41b0cb Mon Sep 17 00:00:00 2001
From 11512edeb046b64be4daca76f061a3a918251ee0 Mon Sep 17 00:00:00 2001
From: Elliott Sales de Andrade <quantum.analyst@gmail.com>
Date: Tue, 19 Mar 2019 23:22:40 -0400
Subject: [PATCH 2/3] Install both binaries and use libdir.
Subject: [PATCH 2/2] Install both binaries and use libdir.
This allows us to build with a shared library for other users while
still providing the normal executable.
@ -13,10 +13,10 @@ Signed-off-by: Elliott Sales de Andrade <quantum.analyst@gmail.com>
2 files changed, 20 insertions(+), 16 deletions(-)
diff --git a/configure.py b/configure.py
index 22861a10eeac54cae69fc1be4b9aef7ed5106a35..48389fbdcb57cbf8d9c11d4921c65f34a1937cc7 100755
index 6537a62d3954d83927c698db3fb80c9fc05faba7..b9a894bec9e5fd954004bcb423822ca984066dc5 100755
--- a/configure.py
+++ b/configure.py
@@ -552,6 +552,12 @@ parser.add_option('--shared',
@@ -571,6 +571,12 @@ parser.add_option('--shared',
help='compile shared library for embedding node in another project. ' +
'(This mode is not officially supported for regular applications)')
@ -29,19 +29,19 @@ index 22861a10eeac54cae69fc1be4b9aef7ed5106a35..48389fbdcb57cbf8d9c11d4921c65f34
parser.add_option('--without-v8-platform',
action='store_true',
dest='without_v8_platform',
@@ -1095,6 +1101,7 @@ def configure_node(o):
if options.code_cache_path:
o['variables']['node_code_cache_path'] = options.code_cache_path
@@ -1105,6 +1111,7 @@ def configure_node(o):
o['variables']['node_no_browser_globals'] = b(options.no_browser_globals)
o['variables']['node_shared'] = b(options.shared)
+ o['variables']['libdir'] = options.libdir
node_module_version = getmoduleversion.get_version()
if sys.platform == 'darwin':
if options.dest_os == 'android':
diff --git a/tools/install.py b/tools/install.py
index 028c32ecbbdf9625238dfcc2baef66df9408b539..bf443c4d15a3b3ebf1e10a5dd802e9c5999691e5 100755
index 655802980a6ea94d1d4ca1dc63c8c8e905fbb83a..fe4723bf15012c8aacacb0393dc8294c049b0503 100755
--- a/tools/install.py
+++ b/tools/install.py
@@ -117,26 +117,23 @@ def subdir_files(path, dest, action):
@@ -121,26 +121,23 @@ def subdir_files(path, dest, action):
def files(action):
is_windows = sys.platform == 'win32'


@ -1,122 +0,0 @@
From 9ca4d4aeccf50e6c036e5536ef070a09c1776817 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Fri, 6 Dec 2019 16:40:25 -0500
Subject: [PATCH 3/3] build: auto-load ICU data from
--with-icu-default-data-dir
When compiled with `--with-intl=small` and
`--with-icu-default-data-dir=PATH`, Node.js will use PATH as a
fallback location for the ICU data.
We will first perform an access check using fopen(PATH, 'r') to
ensure that the file is readable. If it is, we'll set the
icu_data_directory and proceed. There's a slight overhead for the
fopen() check, but it should be barely measurable.
This will be useful for Linux distribution packagers who want to
be able to ship a minimal node binary in a container image but
also be able to add on the full i18n support where needed. With
this patch, it becomes possible to ship the interpreter as
/usr/bin/node in one package for the distribution and to ship the
data files in another package (without a strict dependency
between the two). This means that users of the distribution will
not need to explicitly direct Node.js to locate the ICU data. It
also means that in environments where full internationalization is
not required, they do not need to carry the extra content (with
the associated storage costs).
Refs: https://github.com/nodejs/node/issues/3460
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
configure.py | 9 +++++++++
node.gypi | 7 +++++++
src/node.cc | 20 ++++++++++++++++++++
3 files changed, 36 insertions(+)
diff --git a/configure.py b/configure.py
index 48389fbdcb57cbf8d9c11d4921c65f34a1937cc7..063e8748b954a7fed4fe084399e61371c061edab 100755
--- a/configure.py
+++ b/configure.py
@@ -433,6 +433,14 @@ intl_optgroup.add_option('--with-icu-source',
'the icu4c source archive. '
'v%d.x or later recommended.' % icu_versions['minimum_icu'])
+intl_optgroup.add_option('--with-icu-default-data-dir',
+ action='store',
+ dest='with_icu_default_data_dir',
+ help='Path to the icuXXdt{lb}.dat file. If unspecified, ICU data will '
+ 'only be read if the NODE_ICU_DATA environment variable or the '
+ '--icu-data-dir runtime argument is used. This option has effect '
+ 'only when Node.js is built with --with-intl=small-icu.')
+
parser.add_option('--with-ltcg',
action='store_true',
dest='with_ltcg',
@@ -1360,6 +1368,7 @@ def configure_intl(o):
locs.add('root') # must have root
o['variables']['icu_locales'] = string.join(locs,',')
# We will check a bit later if we can use the canned deps/icu-small
+ o['variables']['icu_default_data'] = options.with_icu_default_data_dir or ''
elif with_intl == 'full-icu':
# full ICU
o['variables']['v8_enable_i18n_support'] = 1
diff --git a/node.gypi b/node.gypi
index 466a1746811cfac1a8ce4ef604ef1152c6229ff1..65b97d6466a14f4343a948a5fc36f8a2580badfb 100644
--- a/node.gypi
+++ b/node.gypi
@@ -113,6 +113,13 @@
'conditions': [
[ 'icu_small=="true"', {
'defines': [ 'NODE_HAVE_SMALL_ICU=1' ],
+ 'conditions': [
+ [ 'icu_default_data!=""', {
+ 'defines': [
+ 'NODE_ICU_DEFAULT_DATA_DIR="<(icu_default_data)"',
+ ],
+ }],
+ ],
}]],
}],
[ 'node_use_bundled_v8=="true" and \
diff --git a/src/node.cc b/src/node.cc
index 7c0118758dfd9449283b900209b2ba8df7ddd129..c9840e3e367ca47176a17a7940a1e08eb1f56f78 100644
--- a/src/node.cc
+++ b/src/node.cc
@@ -92,6 +92,7 @@
#if defined(NODE_HAVE_I18N_SUPPORT)
#include <unicode/uvernum.h>
+#include <unicode/utypes.h>
#endif
#if defined(LEAK_SANITIZER)
@@ -2643,6 +2644,25 @@ void Init(std::vector<std::string>* argv,
// If the parameter isn't given, use the env variable.
if (per_process_opts->icu_data_dir.empty())
SafeGetenv("NODE_ICU_DATA", &per_process_opts->icu_data_dir);
+
+#ifdef NODE_ICU_DEFAULT_DATA_DIR
+ // If neither the CLI option nor the environment variable was specified,
+ // fall back to the configured default
+ if (per_process_opts->icu_data_dir.empty()) {
+ // Check whether the NODE_ICU_DEFAULT_DATA_DIR contains the right data
+ // file and can be read.
+ static const char full_path[] =
+ NODE_ICU_DEFAULT_DATA_DIR "/" U_ICUDATA_NAME ".dat";
+
+ FILE* f = fopen(full_path, "rb");
+
+ if (f != nullptr) {
+ fclose(f);
+ per_process_opts->icu_data_dir = NODE_ICU_DEFAULT_DATA_DIR;
+ }
+ }
+#endif // NODE_ICU_DEFAULT_DATA_DIR
+
// Initialize ICU.
// If icu_data_dir is empty here, it will load the 'minimal' data.
if (!i18n::InitializeICUDirectory(per_process_opts->icu_data_dir)) {
--
2.24.1


@ -0,0 +1,25 @@
From 8a189060f6e5f969fc331f4531f31c319d654639 Mon Sep 17 00:00:00 2001
From: hht8 <huanghaitao12138@163.com>
Date: Mon, 4 Jan 2021 09:14:35 +0800
Subject: [PATCH] Make AARCH64 compile on 64KB physical pages
---
deps/v8/src/base/build_config.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deps/v8/src/base/build_config.h b/deps/v8/src/base/build_config.h
index f430082..098e36f 100644
--- a/deps/v8/src/base/build_config.h
+++ b/deps/v8/src/base/build_config.h
@@ -202,7 +202,7 @@
#endif
// Number of bits to represent the page size for paged spaces.
-#if defined(V8_TARGET_ARCH_PPC) || defined(V8_TARGET_ARCH_PPC64)
+#if defined(V8_TARGET_ARCH_PPC) || defined(V8_TARGET_ARCH_PPC64) || defined(V8_TARGET_ARCH_ARM64)
// PPC has large (64KB) physical pages.
const int kPageSizeBits = 19;
#else
--
2.23.0
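Review bot: The comment directly under the changed `#if` still reads `// PPC has large (64KB) physical pages.` although the condition now also selects `V8_TARGET_ARCH_ARM64`, so a reader cannot tell why ARM64 gets `kPageSizeBits = 19`. I would change it to `// PPC and ARM64 may run with large (64KB) physical pages.` The patch message has no description or upstream reference, so it is not visible whether the larger V8 page size was also checked on arm64 systems that use 4KB pages; a sentence in the message stating that would help whoever rebases this patch next. The `#if`/`#else` block continues outside the hunk.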


@ -1,79 +0,0 @@
From 4cb8fa4aa5dea72bc66ea950e3fc193385bb7175 Mon Sep 17 00:00:00 2001
From: gaozhekang <gaozhekang@huawei.com>
Date: Wed, 4 Nov 2020 11:12:53 +0800
Subject: [PATCH] src: avoid OOB read in URL parser
This is not a big concern, because right now, all (non-test) inputs
to the parser are `'\0'`-terminated, but we should be future-proof
here and not perform these OOB reads.
---
src/node_url.cc | 6 +++---
test/cctest/test_url.cc | 20 ++++++++++++++++++++
2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/src/node_url.cc b/src/node_url.cc
index 7bfcde5..41492b1 100644
--- a/src/node_url.cc
+++ b/src/node_url.cc
@@ -1487,7 +1487,7 @@ void URL::Parse(const char* input,
state = kSpecialRelativeOrAuthority;
} else if (special) {
state = kSpecialAuthoritySlashes;
- } else if (p[1] == '/') {
+ } else if (p + 1 < end && p[1] == '/') {
state = kPathOrAuthority;
p++;
} else {
@@ -1547,7 +1547,7 @@ void URL::Parse(const char* input,
}
break;
case kSpecialRelativeOrAuthority:
- if (ch == '/' && p[1] == '/') {
+ if (ch == '/' && p + 1 < end && p[1] == '/') {
state = kSpecialAuthorityIgnoreSlashes;
p++;
} else {
@@ -1695,7 +1695,7 @@ void URL::Parse(const char* input,
break;
case kSpecialAuthoritySlashes:
state = kSpecialAuthorityIgnoreSlashes;
- if (ch == '/' && p[1] == '/') {
+ if (ch == '/' && p + 1 < end && p[1] == '/') {
p++;
} else {
continue;
diff --git a/test/cctest/test_url.cc b/test/cctest/test_url.cc
index ddef534..810cbc2 100644
--- a/test/cctest/test_url.cc
+++ b/test/cctest/test_url.cc
@@ -80,6 +80,26 @@ TEST_F(URLTest, Base3) {
EXPECT_EQ(simple.path(), "/baz");
}
+TEST_F(URLTest, TruncatedAfterProtocol) {
+ char input[2] = { 'q', ':' };
+ URL simple(input, sizeof(input));
+
+ EXPECT_FALSE(simple.flags() & URL_FLAGS_FAILED);
+ EXPECT_EQ(simple.protocol(), "q:");
+ EXPECT_EQ(simple.host(), "");
+ EXPECT_EQ(simple.path(), "/");
+}
+
+TEST_F(URLTest, TruncatedAfterProtocol2) {
+ char input[6] = { 'h', 't', 't', 'p', ':', '/' };
+ URL simple(input, sizeof(input));
+
+ EXPECT_TRUE(simple.flags() & URL_FLAGS_FAILED);
+ EXPECT_EQ(simple.protocol(), "http:");
+ EXPECT_EQ(simple.host(), "");
+ EXPECT_EQ(simple.path(), "");
+}
+
TEST_F(URLTest, ToFilePath) {
#define T(url, path) EXPECT_EQ(path, URL(url).ToFilePath())
T("http://example.org/foo/bar", "");
--
2.23.0


@ -0,0 +1,60 @@
From 7232c2a1604d241ce0455d919ba9b0b8e9959f81 Mon Sep 17 00:00:00 2001
From: Daniel Bevenius <daniel.bevenius@gmail.com>
Date: Tue, 2 Jun 2020 05:33:25 +0200
Subject: [PATCH] src: use getauxval in node_main.cc
This commit suggests using getauxval in node_main.cc.
The motivation for this is that getauxval was introduced in glibc 2.16
and looking at BUILDING.md, in the 'Platform list' section, it looks
like we now support glibc >= 2.17 and perhaps this change would be
alright now.
PR-URL: https://github.com/nodejs/node/pull/33693
Refs: https://github.com/nodejs/node/pull/12548
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
---
src/node_main.cc | 18 ++----------------
1 file changed, 2 insertions(+), 16 deletions(-)
diff --git a/src/node_main.cc b/src/node_main.cc
index 9f4ea22d12c6..6bac10759325 100644
--- a/src/node_main.cc
+++ b/src/node_main.cc
@@ -89,13 +89,7 @@ int wmain(int argc, wchar_t* wargv[]) {
#else
// UNIX
#ifdef __linux__
-#include <elf.h>
-#ifdef __LP64__
-#define Elf_auxv_t Elf64_auxv_t
-#else
-#define Elf_auxv_t Elf32_auxv_t
-#endif // __LP64__
-extern char** environ;
+#include <sys/auxv.h>
#endif // __linux__
#if defined(__POSIX__) && defined(NODE_SHARED_MODE)
#include <string.h>
@@ -124,15 +118,7 @@ int main(int argc, char* argv[]) {
#endif
#if defined(__linux__)
- char** envp = environ;
- while (*envp++ != nullptr) {}
- Elf_auxv_t* auxv = reinterpret_cast<Elf_auxv_t*>(envp);
- for (; auxv->a_type != AT_NULL; auxv++) {
- if (auxv->a_type == AT_SECURE) {
- node::per_process::linux_at_secure = auxv->a_un.a_val;
- break;
- }
- }
+ node::per_process::linux_at_secure = getauxval(AT_SECURE);
#endif
// Disable stdio buffering, it interacts poorly with printf()
// calls elsewhere in the program (e.g., any logging from V8.)
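Review bot: The new `node::per_process::linux_at_secure = getauxval(AT_SECURE);` line in `main()` has no comment, and the removed loop was the only place in this hunk that showed the value comes from the auxiliary vector. `getauxval()` returns 0 both when `AT_SECURE` is 0 and when the entry is absent, so an absent entry is treated as a non-elevated process; the removed loop behaved the same way by leaving the flag untouched, but the new one-liner no longer makes that visible. I would add `// AT_SECURE is nonzero for setuid/setgid-style elevated execution; getauxval() yields 0 if the entry is absent.` above the assignment. `main()` continues past the end of the hunk.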


@ -1,45 +0,0 @@
From 0e6e8620496dff0eb285589ef1e37a7f407f3ddd Mon Sep 17 00:00:00 2001
From: Ben Noordhuis <info@bnoordhuis.nl>
Date: Mon, 24 Aug 2020 11:42:27 +0200
Subject: [PATCH] unix: don't use _POSIX_PATH_MAX
Libuv was using _POSIX_PATH_MAX wrong. Bug introduced in commit b56d279b
("unix: do not require PATH_MAX to be defined") from September 2018.
_POSIX_PATH_MAX is the minimum max path size guaranteed by POSIX, not
the actual max path size of the system libuv runs on. _POSIX_PATH_MAX
is always 256, the real max is often much bigger.
This commit fixes buffer overruns when processing very long paths in
uv_fs_readlink() and uv_fs_realpath() because libuv was not allocating
enough memory to store the result.
Fixes: https://github.com/libuv/libuv/issues/2965
PR-URL: https://github.com/libuv/libuv/pull/2966
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Jameson Nash <vtjnash@gmail.com>
---
deps/uv/src/unix/internal.h | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/deps/uv/src/unix/internal.h b/deps/uv/src/unix/internal.h
index 47f2200..82f7bc9 100644
--- a/deps/uv/src/unix/internal.h
+++ b/deps/uv/src/unix/internal.h
@@ -61,9 +61,7 @@
# include <AvailabilityMacros.h>
#endif
-#if defined(_POSIX_PATH_MAX)
-# define UV__PATH_MAX _POSIX_PATH_MAX
-#elif defined(PATH_MAX)
+#if defined(PATH_MAX)
# define UV__PATH_MAX PATH_MAX
#else
# define UV__PATH_MAX 8192
--
2.23.0


@ -1,281 +0,0 @@
From 7f178663ebffc82c9f8a5a1b6bf2da0c263a30ed Mon Sep 17 00:00:00 2001
From: Daniel Bevenius <daniel.bevenius@gmail.com>
Date: Wed, 2 Dec 2020 18:21:41 +0100
Subject: [PATCH] src: use unique_ptr for WriteWrap
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This commit attempts to avoid a use-after-free error by using unqiue_ptr
and passing a reference to it.
CVE-ID: CVE-2020-8265
Fixes: https://github.com/nodejs-private/node-private/issues/227
PR-URL: https://github.com/nodejs-private/node-private/pull/238
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reference: https://github.com/nodejs/node/commit/7f178663ebffc82c9f8a5a1b6bf2da0c263a30ed
---
src/js_stream.cc | 4 ++--
src/js_stream.h | 2 +-
src/node_file.h | 2 +-
src/node_http2.cc | 4 ++--
src/node_http2.h | 2 +-
src/stream_base-inl.h | 8 ++++----
src/stream_base.h | 9 +++++----
src/stream_wrap.cc | 4 ++--
src/stream_wrap.h | 2 +-
src/tls_wrap.cc | 13 +++++++------
src/tls_wrap.h | 4 ++--
11 files changed, 28 insertions(+), 26 deletions(-)
diff --git a/src/js_stream.cc b/src/js_stream.cc
index e3d734c..4054e90 100644
--- a/src/js_stream.cc
+++ b/src/js_stream.cc
@@ -105,7 +105,7 @@ int JSStream::DoShutdown(ShutdownWrap* req_wrap) {
}
-int JSStream::DoWrite(WriteWrap* w,
+int JSStream::DoWrite(std::unique_ptr<WriteWrap>& w,
uv_buf_t* bufs,
size_t count,
uv_stream_t* send_handle) {
@@ -122,7 +122,7 @@ int JSStream::DoWrite(WriteWrap* w,
}
Local<Value> argv[] = {
- w->object(),
+ w.get()->object(),
bufs_arr
};
diff --git a/src/js_stream.h b/src/js_stream.h
index 6612e55..bf0d15d 100644
--- a/src/js_stream.h
+++ b/src/js_stream.h
@@ -22,7 +22,7 @@ class JSStream : public AsyncWrap, public StreamBase {
int ReadStop() override;
int DoShutdown(ShutdownWrap* req_wrap) override;
- int DoWrite(WriteWrap* w,
+ int DoWrite(std::unique_ptr<WriteWrap>& w,
uv_buf_t* bufs,
size_t count,
uv_stream_t* send_handle) override;
diff --git a/src/node_file.h b/src/node_file.h
index cbbb8b0..b440c14 100644
--- a/src/node_file.h
+++ b/src/node_file.h
@@ -287,7 +287,7 @@ class FileHandle : public AsyncWrap, public StreamBase {
ShutdownWrap* CreateShutdownWrap(v8::Local<v8::Object> object) override;
int DoShutdown(ShutdownWrap* req_wrap) override;
- int DoWrite(WriteWrap* w,
+ int DoWrite(std::unique_ptr<WriteWrap>& w,
uv_buf_t* bufs,
size_t count,
uv_stream_t* send_handle) override {
diff --git a/src/node_http2.cc b/src/node_http2.cc
index 9bde444..2a523a4 100644
--- a/src/node_http2.cc
+++ b/src/node_http2.cc
@@ -2314,7 +2314,7 @@ int Http2Stream::ReadStop() {
// chunks of data have been flushed to the underlying nghttp2_session.
// Note that this does *not* mean that the data has been flushed
// to the socket yet.
-int Http2Stream::DoWrite(WriteWrap* req_wrap,
+int Http2Stream::DoWrite(std::unique_ptr<WriteWrap>& req_wrap,
uv_buf_t* bufs,
size_t nbufs,
uv_stream_t* send_handle) {
@@ -2329,7 +2329,7 @@ int Http2Stream::DoWrite(WriteWrap* req_wrap,
// Store the req_wrap on the last write info in the queue, so that it is
// only marked as finished once all buffers associated with it are finished.
queue_.emplace(nghttp2_stream_write {
- i == nbufs - 1 ? req_wrap : nullptr,
+ i == nbufs - 1 ? req_wrap.get() : nullptr,
bufs[i]
});
IncrementAvailableOutboundLength(bufs[i].len);
diff --git a/src/node_http2.h b/src/node_http2.h
index 1526e0b..d1d523e 100644
--- a/src/node_http2.h
+++ b/src/node_http2.h
@@ -568,7 +568,7 @@ class Http2Stream : public AsyncWrap,
AsyncWrap* GetAsyncWrap() override { return this; }
- int DoWrite(WriteWrap* w, uv_buf_t* bufs, size_t count,
+ int DoWrite(std::unique_ptr<WriteWrap>& w, uv_buf_t* bufs, size_t count,
uv_stream_t* send_handle) override;
void MemoryInfo(MemoryTracker* tracker) const override {
diff --git a/src/stream_base-inl.h b/src/stream_base-inl.h
index 027b938..dca02ac 100644
--- a/src/stream_base-inl.h
+++ b/src/stream_base-inl.h
@@ -216,14 +216,14 @@ inline StreamWriteResult StreamBase::Write(
}
AsyncHooks::DefaultTriggerAsyncIdScope trigger_scope(GetAsyncWrap());
- WriteWrap* req_wrap = CreateWriteWrap(req_wrap_obj);
+ std::unique_ptr<WriteWrap> req_wrap{CreateWriteWrap(req_wrap_obj)};
err = DoWrite(req_wrap, bufs, count, send_handle);
bool async = err == 0;
- if (!async) {
+ if (!async && req_wrap != nullptr) {
req_wrap->Dispose();
- req_wrap = nullptr;
+ req_wrap.release();
}
const char* msg = Error();
@@ -232,7 +232,7 @@ inline StreamWriteResult StreamBase::Write(
ClearError();
}
- return StreamWriteResult { async, err, req_wrap, total_bytes };
+ return StreamWriteResult { async, err, req_wrap.release(), total_bytes };
}
template <typename OtherBase>
diff --git a/src/stream_base.h b/src/stream_base.h
index 65abd4d..3e922a4 100644
--- a/src/stream_base.h
+++ b/src/stream_base.h
@@ -215,10 +215,11 @@ class StreamResource {
virtual int DoTryWrite(uv_buf_t** bufs, size_t* count);
// Perform a write of data, and either call req_wrap->Done() when finished
// and return 0, or return a libuv error code for synchronous failures.
- virtual int DoWrite(WriteWrap* w,
- uv_buf_t* bufs,
- size_t count,
- uv_stream_t* send_handle) = 0;
+ virtual int DoWrite(
+ /* NOLINT (runtime/references) */ std::unique_ptr<WriteWrap>& w,
+ uv_buf_t* bufs,
+ size_t count,
+ uv_stream_t* send_handle) = 0;
// Returns true if the stream supports the `OnStreamWantsWrite()` interface.
virtual bool HasWantsWrite() const { return false; }
diff --git a/src/stream_wrap.cc b/src/stream_wrap.cc
index 10444fe..bd512e3 100644
--- a/src/stream_wrap.cc
+++ b/src/stream_wrap.cc
@@ -351,11 +351,11 @@ int LibuvStreamWrap::DoTryWrite(uv_buf_t** bufs, size_t* count) {
}
-int LibuvStreamWrap::DoWrite(WriteWrap* req_wrap,
+int LibuvStreamWrap::DoWrite(std::unique_ptr<WriteWrap>& req_wrap,
uv_buf_t* bufs,
size_t count,
uv_stream_t* send_handle) {
- LibuvWriteWrap* w = static_cast<LibuvWriteWrap*>(req_wrap);
+ LibuvWriteWrap* w = static_cast<LibuvWriteWrap*>(req_wrap.get());
int r;
if (send_handle == nullptr) {
r = w->Dispatch(uv_write, stream(), bufs, count, AfterUvWrite);
diff --git a/src/stream_wrap.h b/src/stream_wrap.h
index 98f0ca4..3c00d33 100644
--- a/src/stream_wrap.h
+++ b/src/stream_wrap.h
@@ -51,7 +51,7 @@ class LibuvStreamWrap : public HandleWrap, public StreamBase {
// Resource implementation
int DoShutdown(ShutdownWrap* req_wrap) override;
int DoTryWrite(uv_buf_t** bufs, size_t* count) override;
- int DoWrite(WriteWrap* w,
+ int DoWrite(std::unique_ptr<WriteWrap>& w,
uv_buf_t* bufs,
size_t count,
uv_stream_t* send_handle) override;
diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc
index ce46e21..65ea884 100644
--- a/src/tls_wrap.cc
+++ b/src/tls_wrap.cc
@@ -91,8 +91,7 @@ bool TLSWrap::InvokeQueued(int status, const char* error_str) {
return false;
if (current_write_ != nullptr) {
- WriteWrap* w = current_write_;
- current_write_ = nullptr;
+ WriteWrap* w = current_write_.release();
w->Done(status, error_str);
}
@@ -617,7 +616,7 @@ void TLSWrap::ClearError() {
// Called by StreamBase::Write() to request async write of clear text into SSL.
-int TLSWrap::DoWrite(WriteWrap* w,
+int TLSWrap::DoWrite(std::unique_ptr<WriteWrap>& w,
uv_buf_t* bufs,
size_t count,
uv_stream_t* send_handle) {
@@ -651,7 +650,7 @@ int TLSWrap::DoWrite(WriteWrap* w,
if (BIO_pending(enc_out_) == 0) {
Debug(this, "No pending encrypted output, writing to underlying stream");
CHECK_NULL(current_empty_write_);
- current_empty_write_ = w;
+ current_empty_write_ = w.get();
StreamWriteResult res =
underlying_stream()->Write(bufs, count, send_handle);
if (!res.async) {
@@ -666,7 +665,7 @@ int TLSWrap::DoWrite(WriteWrap* w,
// Store the current write wrap
CHECK_NULL(current_write_);
- current_write_ = w;
+ current_write_ = std::move(w);
// Write encrypted data to underlying stream and call Done().
if (length == 0) {
@@ -705,7 +704,7 @@ int TLSWrap::DoWrite(WriteWrap* w,
// If we stopped writing because of an error, it's fatal, discard the data.
if (!arg.IsEmpty()) {
Debug(this, "Got SSL error (%d), returning UV_EPROTO", err);
- current_write_ = nullptr;
+ current_write_.release();
return UV_EPROTO;
}
@@ -718,6 +717,8 @@ int TLSWrap::DoWrite(WriteWrap* w,
// Write any encrypted/handshake output that may be ready.
EncOut();
+ w.reset(current_write_.get());
+
return 0;
}
diff --git a/src/tls_wrap.h b/src/tls_wrap.h
index bfcf07b..e2e748b 100644
--- a/src/tls_wrap.h
+++ b/src/tls_wrap.h
@@ -67,7 +67,7 @@ class TLSWrap : public AsyncWrap,
ShutdownWrap* CreateShutdownWrap(
v8::Local<v8::Object> req_wrap_object) override;
int DoShutdown(ShutdownWrap* req_wrap) override;
- int DoWrite(WriteWrap* w,
+ int DoWrite(std::unique_ptr<WriteWrap>& w,
uv_buf_t* bufs,
size_t count,
uv_stream_t* send_handle) override;
@@ -170,7 +170,7 @@ class TLSWrap : public AsyncWrap,
// Waiting for ClearIn() to pass to SSL_write().
std::vector<char> pending_cleartext_input_;
size_t write_size_ = 0;
- WriteWrap* current_write_ = nullptr;
+ std::unique_ptr<WriteWrap> current_write_ = nullptr;
WriteWrap* current_empty_write_ = nullptr;
bool write_callback_scheduled_ = false;
bool started_ = false;
--
2.23.0


@ -1,78 +0,0 @@
From fc70ce08f5818a286fb5899a1bc3aff5965a745e Mon Sep 17 00:00:00 2001
From: Fedor Indutny <fedor@indutny.com>
Date: Wed, 18 Nov 2020 20:50:21 -0800
Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding`
Duplicate `Transfer-Encoding` header should be a treated as a single,
but with original header values concatenated with a comma separator. In
the light of this, even if the past `Transfer-Encoding` ended with
`chunked`, we should be not let the `F_CHUNKED` to leak into the next
header, because mere presence of another header indicates that `chunked`
is not the last transfer-encoding token.
CVE-ID: CVE-2020-8287
PR-URL: https://github.com/nodejs-private/node-private/pull/235
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reference: https://github.com/nodejs/node/commit/fc70ce08f5818a286fb5899a1bc3aff5965a745e
---
deps/http_parser/http_parser.c | 7 +++++++
deps/http_parser/test.c | 26 ++++++++++++++++++++++++++
2 files changed, 33 insertions(+)
diff --git a/deps/http_parser/http_parser.c b/deps/http_parser/http_parser.c
index 0f76b6a..5cc951a 100644
--- a/deps/http_parser/http_parser.c
+++ b/deps/http_parser/http_parser.c
@@ -1339,6 +1339,13 @@ reexecute:
} else if (parser->index == sizeof(TRANSFER_ENCODING)-2) {
parser->header_state = h_transfer_encoding;
parser->flags |= F_TRANSFER_ENCODING;
+
+ /* Multiple `Transfer-Encoding` headers should be treated as
+ * one, but with values separate by a comma.
+ *
+ * See: https://tools.ietf.org/html/rfc7230#section-3.2.2
+ */
+ parser->flags &= ~F_CHUNKED;
}
break;
diff --git a/deps/http_parser/test.c b/deps/http_parser/test.c
index c979467..f185c56 100644
--- a/deps/http_parser/test.c
+++ b/deps/http_parser/test.c
@@ -2045,6 +2045,32 @@ const struct message responses[] =
,.body= "2\r\nOK\r\n0\r\n\r\n"
,.num_chunks_complete= 0
}
+#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30
+, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding"
+ ,.type= HTTP_RESPONSE
+ ,.raw= "HTTP/1.1 200 OK\r\n"
+ "Transfer-Encoding: chunked\r\n"
+ "Transfer-Encoding: identity\r\n"
+ "\r\n"
+ "2\r\n"
+ "OK\r\n"
+ "0\r\n"
+ "\r\n"
+ ,.should_keep_alive= FALSE
+ ,.message_complete_on_eof= TRUE
+ ,.http_major= 1
+ ,.http_minor= 1
+ ,.status_code= 200
+ ,.response_status= "OK"
+ ,.content_length= -1
+ ,.num_headers= 2
+ ,.headers=
+ { { "Transfer-Encoding", "chunked" }
+ , { "Transfer-Encoding", "identity" }
+ }
+ ,.body= "2\r\nOK\r\n0\r\n\r\n"
+ ,.num_chunks_complete= 0
+ }
};
/* strnlen() is a POSIX.2008 addition. Can't rely on it being available so
--
2.23.0


@ -1,229 +0,0 @@
From 3f2e9dc40c9964965b075c00719829f9bb17e65f Mon Sep 17 00:00:00 2001
From: Daniel Bevenius <daniel.bevenius@gmail.com>
Date: Fri, 22 Jan 2021 12:34:21 +0100
Subject: [PATCH] http2: add unknownProtocol timeout
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This commit add a configuration options named unknownProtocolTimeout
which can be specified to set a value for the timeout in milliseconds
that a server should wait when an unknowProtocol is sent to it. When
this happens a timer will be started and the if the socket has not been
destroyed during that time the timer callback will destoy it.
CVE-ID: CVE-2021-22883
Refs: https://hackerone.com/reports/1043360
PR-URL: https://github.com/nodejs/node/pull/246
Backport PR-URL: https://github.com/nodejs/node/pull/248
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reference: https://github.com/nodejs/node/commit/3f2e9dc40c9964965b075c00719829f9bb17e65f
---
doc/api/http2.md | 25 +++++++++++++-
lib/internal/http2/core.js | 32 +++++++++++++++---
.../test-http2-server-unknown-protocol.js | 33 +++++++++++++++++++
3 files changed, 85 insertions(+), 5 deletions(-)
create mode 100644 test/parallel/test-http2-server-unknown-protocol.js
diff --git a/doc/api/http2.md b/doc/api/http2.md
index bb0ac52..9d0c258 100644
--- a/doc/api/http2.md
+++ b/doc/api/http2.md
@@ -1864,7 +1864,9 @@ added: v8.4.0
The `'unknownProtocol'` event is emitted when a connecting client fails to
negotiate an allowed protocol (i.e. HTTP/2 or HTTP/1.1). The event handler
receives the socket for handling. If no listener is registered for this event,
-the connection is terminated. See the [Compatibility API][].
+the connection is terminated. A timeout may be specified using the
+`'unknownProtocolTimeout'` option passed to [`http2.createSecureServer()`][].
+See the [Compatibility API][].
#### server.close([callback])
<!-- YAML
@@ -1900,6 +1902,9 @@ error will be thrown.
<!-- YAML
added: v8.4.0
changes:
+ - version: REPLACEME
+ pr-url: https://github.com/nodejs-private/node-private/pull/248
+ description: Added `unknownProtocolTimeout` option with a default of 10000.
- version: v10.21.0
pr-url: https://github.com/nodejs-private/node-private/pull/204
description: Added `maxSettings` option with a default of 32.
@@ -1980,6 +1985,10 @@ changes:
`Http2ServerResponse` class to use.
Useful for extending the original `Http2ServerResponse`.
**Default:** `Http2ServerResponse`.
+ * `unknownProtocolTimeout` {number} Specifies a timeout in milliseconds that
+ a server should wait when an [`'unknownProtocol'`][] is emitted. If the
+ socket has not been destroyed by that time the server will destroy it.
+ **Default:** `10000`.
* `onRequestHandler` {Function} See [Compatibility API][]
* Returns: {Http2Server}
@@ -2015,6 +2024,9 @@ server.listen(80);
<!-- YAML
added: v8.4.0
changes:
+ - version: REPLACEME
+ pr-url: https://github.com/nodejs-private/node-private/pull/248
+ description: Added `unknownProtocolTimeout` option with a default of 10000.
- version: v10.21.0
pr-url: https://github.com/nodejs-private/node-private/pull/204
description: Added `maxSettings` option with a default of 32.
@@ -2089,6 +2101,10 @@ changes:
servers, the identity options (`pfx` or `key`/`cert`) are usually required.
* `origins` {string[]} An array of origin strings to send within an `ORIGIN`
frame immediately following creation of a new server `Http2Session`.
+ * `unknownProtocolTimeout` {number} Specifies a timeout in milliseconds that
+ a server should wait when an [`'unknownProtocol'`][] event is emitted. If
+ the socket has not been destroyed by that time the server will destroy it.
+ **Default:** `10000`.
* `onRequestHandler` {Function} See [Compatibility API][]
* Returns: {Http2SecureServer}
@@ -2122,6 +2138,9 @@ server.listen(80);
<!-- YAML
added: v8.4.0
changes:
+ - version: REPLACEME
+ pr-url: https://github.com/nodejs-private/node-private/pull/248
+ description: Added `unknownProtocolTimeout` option with a default of 10000.
- version: v10.21.0
pr-url: https://github.com/nodejs-private/node-private/pull/204
description: Added `maxSettings` option with a default of 32.
@@ -2193,6 +2212,10 @@ changes:
instance passed to `connect` and the `options` object, and returns any
[`Duplex`][] stream that is to be used as the connection for this session.
* ...: Any [`net.connect()`][] or [`tls.connect()`][] options can be provided.
+ * `unknownProtocolTimeout` {number} Specifies a timeout in milliseconds that
+ a server should wait when an [`'unknownProtocol'`][] event is emitted. If
+ the socket has not been destroyed by that time the server will destroy it.
+ **Default:** `10000`.
* `listener` {Function}
* Returns: {ClientHttp2Session}
diff --git a/lib/internal/http2/core.js b/lib/internal/http2/core.js
index bb9e43c..9c5d737 100644
--- a/lib/internal/http2/core.js
+++ b/lib/internal/http2/core.js
@@ -19,6 +19,7 @@ const { Duplex } = require('stream');
const tls = require('tls');
const { URL } = require('url');
const util = require('util');
+const { setImmediate, setTimeout, clearTimeout } = require('timers');
const { kIncomingMessage } = require('_http_common');
const { kServerResponse } = require('_http_server');
@@ -78,7 +79,7 @@ const {
ERR_SOCKET_CLOSED
}
} = require('internal/errors');
-const { validateNumber } = require('internal/validators');
+const { validateNumber, validateUint32 } = require('internal/validators');
const { utcDate } = require('internal/http');
const { onServerStream,
Http2ServerRequest,
@@ -2676,7 +2677,7 @@ function handleHeaderContinue(headers) {
this.emit('continue');
}
-const setTimeout = {
+const setTimeoutValue = {
configurable: true,
enumerable: true,
writable: true,
@@ -2710,8 +2711,8 @@ const setTimeout = {
return this;
}
};
-Object.defineProperty(Http2Stream.prototype, 'setTimeout', setTimeout);
-Object.defineProperty(Http2Session.prototype, 'setTimeout', setTimeout);
+Object.defineProperty(Http2Stream.prototype, 'setTimeout', setTimeoutValue);
+Object.defineProperty(Http2Session.prototype, 'setTimeout', setTimeoutValue);
// When the socket emits an error, destroy the associated Http2Session and
@@ -2771,6 +2772,22 @@ function connectionListener(socket) {
debug('Unknown protocol from %s:%s',
socket.remoteAddress, socket.remotePort);
if (!this.emit('unknownProtocol', socket)) {
+ debug('Unknown protocol timeout: %s', options.unknownProtocolTimeout);
+ // Install a timeout if the socket was not successfully closed, then
+ // destroy the socket to ensure that the underlying resources are
+ // released.
+ const timer = setTimeout(() => {
+ if (!socket.destroyed) {
+ debug('UnknownProtocol socket timeout, destroy socket');
+ socket.destroy();
+ }
+ }, options.unknownProtocolTimeout);
+ // Un-reference the timer to avoid blocking of application shutdown and
+ // clear the timeout if the socket was successfully closed.
+ timer.unref();
+
+ socket.once('close', () => clearTimeout(timer));
+
// We don't know what to do, so let's just tell the other side what's
// going on in a format that they *might* understand.
socket.end('HTTP/1.0 403 Forbidden\r\n' +
@@ -2810,6 +2827,13 @@ function initializeOptions(options) {
assertIsObject(options.settings, 'options.settings');
options.settings = Object.assign({}, options.settings);
+ if (options.unknownProtocolTimeout !== undefined)
+ validateUint32(options.unknownProtocolTimeout, 'unknownProtocolTimeout');
+ else
+ // TODO(danbev): is this a good default value?
+ options.unknownProtocolTimeout = 10000;
+
+
// Used only with allowHTTP1
options.Http1IncomingMessage = options.Http1IncomingMessage ||
http.IncomingMessage;
diff --git a/test/parallel/test-http2-server-unknown-protocol.js b/test/parallel/test-http2-server-unknown-protocol.js
new file mode 100644
index 0000000..2c7aea5
--- /dev/null
+++ b/test/parallel/test-http2-server-unknown-protocol.js
@@ -0,0 +1,33 @@
+'use strict';
+const common = require('../common');
+const fixtures = require('../common/fixtures');
+
+// This test verifies that when a server receives an unknownProtocol it will
+// not leave the socket open if the client does not close it.
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const h2 = require('http2');
+const tls = require('tls');
+
+const server = h2.createSecureServer({
+ key: fixtures.readKey('agent2-key.pem'),
+ cert: fixtures.readKey('agent2-cert.pem'),
+ unknownProtocolTimeout: 500,
+ allowHalfOpen: true
+});
+
+server.on('connection', (socket) => {
+ socket.on('close', common.mustCall(() => {
+ server.close();
+ }));
+});
+
+server.listen(0, function() {
+ tls.connect({
+ port: server.address().port,
+ rejectUnauthorized: false,
+ ALPNProtocols: ['bogus']
+ });
+});
--
2.23.0


@ -1,39 +0,0 @@
From d1cf6a9b0f74d587dea1d0f194d922ff94eddd06 Mon Sep 17 00:00:00 2001
From: Matteo Collina <hello@matteocollina.com>
Date: Thu, 14 Jan 2021 16:04:44 +0100
Subject: [PATCH] src: drop localhost6 as allowed host for inspector
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-ID: CVE-2021-22884
Refs: https://hackerone.com/bugs?report_id=1069487
PR-URL: https://github.com/nodejs/node/pull/244
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Mary Marchini <oss@mmarchini.me>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reference: https://github.com/nodejs/node/commit/d1cf6a9b0f74d587dea1d0f194d922ff94eddd06
---
src/inspector_socket.cc | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/inspector_socket.cc b/src/inspector_socket.cc
index dc36359..38b9ed4 100644
--- a/src/inspector_socket.cc
+++ b/src/inspector_socket.cc
@@ -576,8 +576,7 @@ class HttpHandler : public ProtocolHandler {
bool IsAllowedHost(const std::string& host_with_port) const {
std::string host = TrimPort(host_with_port);
return host.empty() || IsIPAddress(host)
- || node::StringEqualNoCase(host.data(), "localhost")
- || node::StringEqualNoCase(host.data(), "localhost6");
+ || node::StringEqualNoCase(host.data(), "localhost");
}
bool parsing_value_;
--
2.23.0


@ -1,177 +0,0 @@
From d33aead28bcec32a2a450f884907a6d971631829 Mon Sep 17 00:00:00 2001
From: Ben Noordhuis <info@bnoordhuis.nl>
Date: Fri, 21 May 2021 11:23:36 +0200
Subject: [PATCH] deps: uv: cherry-pick 99c29c9c2c9b
Original commit message:
idna: fix OOB read in punycode decoder
Reported by Eric Sesterhenn in collaboration with
Cure53 and ExpressVPN.
Deleted unintroduced test files.
Reported-By: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
PR-URL: https://github.com/libuv/libuv-private/pull/1
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
CVE-ID: CVE-2021-22918
Refs: https://hackerone.com/reports/1209681
PR-URL: https://github.com/nodejs-private/node-private/pull/267
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
---
deps/uv/src/idna.c | 49 ++++++++++++++++++++++++++++++++++------------
1 file changed, 36 insertions(+), 13 deletions(-)
diff --git a/deps/uv/src/idna.c b/deps/uv/src/idna.c
index 13ffac6..b44cb16 100644
--- a/deps/uv/src/idna.c
+++ b/deps/uv/src/idna.c
@@ -19,6 +19,7 @@
#include "uv.h"
#include "idna.h"
+#include <assert.h>
#include <string.h>
static unsigned uv__utf8_decode1_slow(const char** p,
@@ -32,7 +33,7 @@ static unsigned uv__utf8_decode1_slow(const char** p,
if (a > 0xF7)
return -1;
- switch (*p - pe) {
+ switch (pe - *p) {
default:
if (a > 0xEF) {
min = 0x10000;
@@ -62,6 +63,8 @@ static unsigned uv__utf8_decode1_slow(const char** p,
a = 0;
break;
}
+ /* Fall through. */
+ case 0:
return -1; /* Invalid continuation byte. */
}
@@ -88,6 +91,8 @@ static unsigned uv__utf8_decode1_slow(const char** p,
unsigned uv__utf8_decode1(const char** p, const char* pe) {
unsigned a;
+ assert(*p < pe);
+
a = (unsigned char) *(*p)++;
if (a < 128)
@@ -96,9 +101,6 @@ unsigned uv__utf8_decode1(const char** p, const char* pe) {
return uv__utf8_decode1_slow(p, pe, a);
}
-#define foreach_codepoint(c, p, pe) \
- for (; (void) (*p <= pe && (c = uv__utf8_decode1(p, pe))), *p <= pe;)
-
static int uv__idna_toascii_label(const char* s, const char* se,
char** d, char* de) {
static const char alphabet[] = "abcdefghijklmnopqrstuvwxyz0123456789";
@@ -121,15 +123,22 @@ static int uv__idna_toascii_label(const char* s, const char* se,
ss = s;
todo = 0;
- foreach_codepoint(c, &s, se) {
+ /* Note: after this loop we've visited all UTF-8 characters and know
+ * they're legal so we no longer need to check for decode errors.
+ */
+ while (s < se) {
+ c = uv__utf8_decode1(&s, se);
+
+ if (c == -1u)
+ return UV_EINVAL;
+
if (c < 128)
h++;
- else if (c == (unsigned) -1)
- return UV_EINVAL;
else
todo++;
}
+ /* Only write "xn--" when there are non-ASCII characters. */
if (todo > 0) {
if (*d < de) *(*d)++ = 'x';
if (*d < de) *(*d)++ = 'n';
@@ -137,9 +146,13 @@ static int uv__idna_toascii_label(const char* s, const char* se,
if (*d < de) *(*d)++ = '-';
}
+ /* Write ASCII characters. */
x = 0;
s = ss;
- foreach_codepoint(c, &s, se) {
+ while (s < se) {
+ c = uv__utf8_decode1(&s, se);
+ assert(c != -1u);
+
if (c > 127)
continue;
@@ -166,10 +179,15 @@ static int uv__idna_toascii_label(const char* s, const char* se,
while (todo > 0) {
m = -1;
s = ss;
- foreach_codepoint(c, &s, se)
+
+ while (s < se) {
+ c = uv__utf8_decode1(&s, se);
+ assert(c != -1u);
+
if (c >= n)
if (c < m)
m = c;
+ }
x = m - n;
y = h + 1;
@@ -181,7 +199,10 @@ static int uv__idna_toascii_label(const char* s, const char* se,
n = m;
s = ss;
- foreach_codepoint(c, &s, se) {
+ while (s < se) {
+ c = uv__utf8_decode1(&s, se);
+ assert(c != -1u);
+
if (c < n)
if (++delta == 0)
return UV_E2BIG; /* Overflow. */
@@ -245,8 +266,6 @@ static int uv__idna_toascii_label(const char* s, const char* se,
return 0;
}
-#undef foreach_codepoint
-
long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {
const char* si;
const char* st;
@@ -256,10 +275,14 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {
ds = d;
- for (si = s; si < se; /* empty */) {
+ si = s;
+ while (si < se) {
st = si;
c = uv__utf8_decode1(&si, se);
+ if (c == -1u)
+ return UV_EINVAL;
+
if (c != '.')
if (c != 0x3002) /* 。 */
if (c != 0xFF0E) /* */
--
2.27.0


@ -1,71 +0,0 @@
From b263f2585ab53f56e0e22b46cf1f8519a8af8a05 Mon Sep 17 00:00:00 2001
From: Akshay K <iit.akshay@gmail.com>
Date: Mon, 26 Jul 2021 08:21:51 -0400
Subject: [PATCH] http2: on receiving rst_stream with cancel code add it to
pending list
PR-URL: https://github.com/nodejs/node/pull/39423
Backport-PR-URL: https://github.com/nodejs/node/pull/39527
Fixes: https://github.com/nodejs/node/issues/38964
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
---
src/node_http2.cc | 17 +++++++++++++++++
src/node_http2.h | 16 ++++++++++++++++
2 files changed, 33 insertions(+)
diff --git a/src/node_http2.cc b/src/node_http2.cc
index dec6d7dab9ee..cc21373521e4 100644
--- a/src/node_http2.cc
+++ b/src/node_http2.cc
@@ -2135,6 +2135,23 @@ int Http2Stream::SubmitPriority(nghttp2_priority_spec* prispec,
void Http2Stream::SubmitRstStream(const uint32_t code) {
CHECK(!this->IsDestroyed());
code_ = code;
+
+ // If RST_STREAM frame is received and stream is not writable
+ // because it is busy reading data, don't try force purging it.
+ // Instead add the stream to pending stream list and process
+ // the pending data when it is safe to do so. This is to avoid
+ // double free error due to unwanted behavior of nghttp2.
+ // Ref:https://github.com/nodejs/node/issues/38964
+
+ // Add stream to the pending list if it is received with scope
+ // below in the stack. The pending list may not get processed
+ // if RST_STREAM received is not in scope and added to the list
+ // causing endpoint to hang.
+ if (session_->is_in_scope() && IsReading()) {
+ session_->AddPendingRstStream(id_);
+ return;
+ }
+
// If possible, force a purge of any currently pending data here to make sure
// it is sent before closing the stream. If it returns non-zero then we need
// to wait until the current write finishes and try again to avoid nghttp2
diff --git a/src/node_http2.h b/src/node_http2.h
index 045bdfd716da..a59de18f920a 100644
--- a/src/node_http2.h
+++ b/src/node_http2.h
@@ -764,6 +764,22 @@ class Http2Session : public AsyncWrap,
return (flags_ & SESSION_STATE_CLOSED) || session_ == nullptr;
}
+
+ // The changes are backported and exposes APIs to check the
+ // status flag of `Http2Session`
+#define IS_FLAG(name, flag) \
+ bool is_##name() const { return flags_ & flag; }
+
+ IS_FLAG(in_scope, SESSION_STATE_HAS_SCOPE)
+ IS_FLAG(write_scheduled, SESSION_STATE_WRITE_SCHEDULED)
+ IS_FLAG(closing, SESSION_STATE_CLOSING)
+ IS_FLAG(sending, SESSION_STATE_SENDING)
+ IS_FLAG(write_in_progress, SESSION_STATE_WRITE_IN_PROGRESS)
+ IS_FLAG(reading_stopped, SESSION_STATE_READING_STOPPED)
+ IS_FLAG(receive_paused, SESSION_STATE_NGHTTP2_RECV_PAUSED)
+
+#undef IS_FLAG
+
// Schedule a write if nghttp2 indicates it wants to write to the socket.
void MaybeScheduleWrite();


@ -1,46 +0,0 @@
From 1b61414ccdd0e1b5969219ba3ec7664d1f3ab495 Mon Sep 17 00:00:00 2001
From: Akshay K <iit.akshay@gmail.com>
Date: Fri, 30 Jul 2021 18:46:45 -0400
Subject: [PATCH] http2: update handling of rst_stream with error code
NGHTTP2_CANCEL
---
src/node_http2.cc | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/src/node_http2.cc b/src/node_http2.cc
index edbf531..6027318 100644
--- a/src/node_http2.cc
+++ b/src/node_http2.cc
@@ -2136,18 +2136,19 @@ void Http2Stream::SubmitRstStream(const uint32_t code) {
CHECK(!this->IsDestroyed());
code_ = code;
- // If RST_STREAM frame is received and stream is not writable
- // because it is busy reading data, don't try force purging it.
- // Instead add the stream to pending stream list and process
- // the pending data when it is safe to do so. This is to avoid
- // double free error due to unwanted behavior of nghttp2.
- // Ref:https://github.com/nodejs/node/issues/38964
-
- // Add stream to the pending list if it is received with scope
+ auto is_stream_cancel = [](const uint32_t code) {
+ return code == NGHTTP2_CANCEL;
+ };
+
+ // If RST_STREAM frame is received with error code NGHTTP2_CANCEL,
+ // add it to the pending list and don't force purge the data. It is
+ // to avoids the double free error due to unwanted behavior of nghttp2.
+
+ // Add stream to the pending list only if it is received with scope
// below in the stack. The pending list may not get processed
// if RST_STREAM received is not in scope and added to the list
// causing endpoint to hang.
- if (session_->is_in_scope() && IsReading()) {
+ if (session_->is_in_scope() && is_stream_cancel(code)) {
session_->AddPendingRstStream(id_);
return;
}
--
2.27.0


@ -1,53 +0,0 @@
From 9b39a6b0c5e41a67c0fd180c884dca1b38e16b7b Mon Sep 17 00:00:00 2001
From: Akshay K <iit.akshay@gmail.com>
Date: Thu, 5 Aug 2021 03:01:43 -0400
Subject: [PATCH] http2: add tests for cancel event while client is paused
reading
---
.../test-http2-cancel-while-client-reading.js | 36 +++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 test/parallel/test-http2-cancel-while-client-reading.js
diff --git a/test/parallel/test-http2-cancel-while-client-reading.js b/test/parallel/test-http2-cancel-while-client-reading.js
new file mode 100644
index 000000000000..0605a02e1166
--- /dev/null
+++ b/test/parallel/test-http2-cancel-while-client-reading.js
@@ -0,0 +1,36 @@
+'use strict';
+const common = require('../common');
+const fixtures = require('../common/fixtures');
+if (!common.hasCrypto) {
+ common.skip('missing crypto');
+}
+
+const http2 = require('http2');
+const key = fixtures.readKey('agent1-key.pem', 'binary');
+const cert = fixtures.readKey('agent1-cert.pem', 'binary');
+
+const server = http2.createSecureServer({ key, cert });
+
+let client_stream;
+
+server.on('stream', common.mustCall(function(stream) {
+ stream.resume();
+ stream.on('data', function(chunk) {
+ stream.write(chunk);
+ client_stream.pause();
+ client_stream.close(http2.constants.NGHTTP2_CANCEL);
+ });
+}));
+
+server.listen(0, function() {
+ const client = http2.connect(`https://localhost:${server.address().port}`,
+ { rejectUnauthorized: false }
+ );
+ client_stream = client.request({ ':method': 'POST' });
+ client_stream.on('close', common.mustCall(() => {
+ client.close();
+ server.close();
+ }));
+ client_stream.resume();
+ client_stream.write(Buffer.alloc(1024 * 1024));
+});


@ -1,44 +1,50 @@
%bcond_with bootstrap
%global baserelease 8
%global baserelease 1
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
%global nodejs_epoch 1
%global nodejs_major 10
%global nodejs_minor 21
%global nodejs_patch 0
%global nodejs_major 12
%global nodejs_minor 22
%global nodejs_patch 11
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
%global nodejs_soversion 64
%global nodejs_soversion 72
%global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
%global nodejs_release %{baserelease}
%global nodejs_datadir %{_datarootdir}/nodejs
%global v8_epoch 1
%global v8_major 6
%global v8_epoch 2
%global v8_major 7
%global v8_minor 8
%global v8_build 275
%global v8_patch 32
%global v8_build 279
%global v8_patch 23
%global v8_abi %{v8_major}.%{v8_minor}
%global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
%global v8_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
%global c_ares_major 1
%global c_ares_minor 15
%global c_ares_patch 0
%global c_ares_minor 18
%global c_ares_patch 1
%global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
%global http_parser_major 2
%global http_parser_minor 9
%global http_parser_patch 3
%global http_parser_patch 4
%global http_parser_version %{http_parser_major}.%{http_parser_minor}.%{http_parser_patch}
%global llhttp_major 2
%global llhttp_minor 1
%global llhttp_patch 4
%global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
%global libuv_major 1
%global libuv_minor 34
%global libuv_patch 2
%global libuv_minor 40
%global libuv_patch 0
%global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
%global nghttp2_major 1
%global nghttp2_minor 41
%global nghttp2_patch 0
%global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch}
%global icu_major 64
%global icu_minor 2
%global icu_major 67
%global icu_minor 1
%global icu_version %{icu_major}.%{icu_minor}
%global icudatadir %{nodejs_datadir}/icudata
%{!?little_endian: %global little_endian %(%{__python3} -c "import sys;print (0 if sys.byteorder=='big' else 1)")}
# " this line just fixes syntax highlighting for vim that is confused by the above and continues literal
%global openssl_minimum 1:1.1.1
%global punycode_major 2
%global punycode_minor 1
%global punycode_patch 0
@ -46,13 +52,17 @@
%global npm_epoch 1
%global npm_major 6
%global npm_minor 14
%global npm_patch 4
%global npm_patch 16
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
%global uvwasi_major 0
%global uvwasi_minor 0
%global uvwasi_patch 11
%global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
%global histogram_major 0
%global histogram_minor 9
%global histogram_patch 7
%global histogram_version %{histogram_major}.%{histogram_minor}.%{histogram_patch}
%global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
%global brotli_major 1
%global brotli_minor 0
%global brotli_patch 7
%global brotli_version %{brotli_major}.%{brotli_minor}.%{brotli_patch}
Name: nodejs
Epoch: %{nodejs_epoch}
@ -69,22 +79,19 @@ Source2: btest402.js
Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-src.tgz
Source7: nodejs_native.attr
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
Patch2: 0002-Install-both-binaries-and-use-libdir.patch
Patch3: 0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch
Patch4: 0004-src-avoid-OOB-read-in-URL-parser.patch
Patch5: CVE-2020-8252.patch
Patch6: CVE-2020-8265.patch
Patch7: CVE-2020-8287.patch
Patch8: CVE-2021-22883.patch
Patch9: CVE-2021-22884.patch
Patch10: CVE-2021-22918.patch
Patch11: CVE-2021-22930-1.patch
Patch12: CVE-2021-22930-2.patch
Patch13: CVE-2021-22930-3.patch
Patch0001: 0001-Disable-running-gyp-on-shared-deps.patch
Patch0002: 0002-Install-both-binaries-and-use-libdir.patch
Patch0003: 0004-Make-AARCH64-compile-on-64KB-physical-pages.patch
Patch00010: 0005-use-getauxval-in-node_main_cc.patch
BuildRequires: python2-devel python3-devel zlib-devel gcc >= 6.3.0
BuildRequires: gcc-c++ >= 6.3.0 nodejs-packaging chrpath libatomic
BuildRequires: python3-devel
BuildRequires: zlib-devel
BuildRequires: brotli-devel
BuildRequires: gcc >= 6.3.0
BuildRequires: gcc-c++ >= 6.3.0
BuildRequires: nodejs-packaging
BuildRequires: chrpath
BuildRequires: libatomic
%if %{with bootstrap}
Provides: bundled(http-parser) = %{http_parser_version}
@ -96,11 +103,12 @@ BuildRequires: libuv-devel >= 1:%{libuv_version}
Requires: libuv >= 1:%{libuv_version}
BuildRequires: libnghttp2-devel >= %{nghttp2_version}
Requires: libnghttp2 >= %{nghttp2_version}
BuildRequires: http-parser-devel >= %{http_parser_version}
Requires: http-parser >= %{http_parser_version}
Provides: bundled(http-parser) = %{http_parser_version}
Provides: bundled(llhttp) = %{llhttp_version}
%endif
BuildRequires: openssl-devel
BuildRequires: openssl-devel >= %{openssl_minimum}
Requires: openssl >= %{openssl_minimum}
Requires: ca-certificates
Requires: nodejs-libs%{?_isa} = %{nodejs_epoch}:%{version}-%{release}
Recommends: nodejs-full-i18n%{?_isa} = %{nodejs_epoch}:%{version}-%{release}
@ -115,11 +123,10 @@ Provides: npm(punycode) = %{punycode_version}
Provides: bundled(c-ares) = %{c_ares_version}
Provides: bundled(v8) = %{v8_version}
Provides: bundled(icu) = %{icu_version}
Provides: bundled(uvwasi) = %{uvwasi_version}
Provides: bundled(histogram) = %{histogram_version}
Requires: (nodejs-packaging if rpm-build)
Recommends: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
Provides: bundled(brotli) = %{brotli_version}
Provides: %{name}-help = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
Obsoletes: %{name}-help < %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
%description
Node.js is a platform built on Chrome's JavaScript runtime
@ -139,7 +146,6 @@ Requires: nodejs-packaging
%if %{with bootstrap}
%else
Requires: http-parser-devel%{?_isa}
Requires: libuv-devel%{?_isa}
%endif
@ -178,7 +184,7 @@ package to save space if non-English locales are not needed.
Summary: v8 - development headers
Epoch: %{v8_epoch}
Version: %{v8_version}
Release: %{v8_release}%{?dist}
Release: %{v8_release}
Requires: %{name}-devel%{?_isa} = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
%description -n v8-devel
@ -188,7 +194,7 @@ Development headers for the v8 runtime.
Summary: Node.js Package Manager
Epoch: %{npm_epoch}
Version: %{npm_version}
Release: %{npm_release}%{?dist}
Release: %{npm_release}
Obsoletes: npm < 0:3.5.4-6
Provides: npm = %{npm_epoch}:%{npm_version}
@ -205,8 +211,6 @@ Summary: Node.js API documentation
Group: Documentation
BuildArch: noarch
Provides: %{name}-help = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
Obsoletes: %{name}-help < %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
Conflicts: %{name} > %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
Conflicts: %{name} < %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
@ -216,15 +220,15 @@ The API documentation for the Node.js JavaScript runtime.
%prep
%autosetup -p1 -n node-v%{nodejs_version}
rm -rf deps/zlib
rm -rf deps/brotli
rm -rf deps/openssl
pathfix.py -i %{__python2} -pn $(find -type f ! -name "*.js")
find . -type f -exec sed -i "s~/usr\/bin\/env python~/usr/bin/python2~" {} \;
find . -type f -exec sed -i "s~/usr\/bin\/python\W~/usr/bin/python2~" {} \;
sed -i "s~python~python2~" $(find . -type f | grep "gyp$")
pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js")
find . -type f -exec sed -i "s~/usr\/bin\/env python~/usr/bin/python3~" {} \;
find . -type f -exec sed -i "s~/usr\/bin\/python\W~/usr/bin/python3~" {} \;
sed -i "s~python~python3~" $(find . -type f | grep "gyp$")
sed -i "s~usr\/bin\/python2~usr\/bin\/python3~" ./deps/v8/tools/gen-inlining-tests.py
sed -i "s~usr\/bin\/python.*$~usr\/bin\/python2~" ./deps/v8/tools/mb/mb_unittest.py
find . -type f -exec sed -i "s~python -c~python2 -c~" {} \;
sed -i "s~which('python')~which('python2')~" configure
sed -i "s~usr\/bin\/python.*$~usr\/bin\/python3~" ./deps/v8/tools/mb/mb_unittest.py
find . -type f -exec sed -i "s~python -c~python3 -c~" {} \;
%build
%define _lto_cflags %{nil}
@ -251,23 +255,24 @@ export CXXFLAGS="$(echo ${CXXFLAGS} | tr '\n\\' ' ')"
export LDFLAGS="%{build_ldflags}"
%if %{with bootstrap}
./configure --prefix=%{_prefix} \
%{__python3} configure.py --prefix=%{_prefix} \
--shared \
--libdir=%{_lib} \
--shared-openssl \
--shared-zlib \
--shared-brotli \
--without-dtrace \
--with-intl=small-icu \
--debug-nghttp2 \
--openssl-use-def-ca-store
%else
./configure --prefix=%{_prefix} \
%{__python3} configure.py --prefix=%{_prefix} \
--shared \
--libdir=%{_lib} \
--shared-openssl \
--shared-zlib \
--shared-brotli \
--shared-libuv \
--shared-http-parser \
--shared-nghttp2 \
--with-dtrace \
--with-intl=small-icu \
@ -277,8 +282,10 @@ export LDFLAGS="%{build_ldflags}"
%endif
make BUILDTYPE=Release %{?_smp_mflags}
pushd deps/
tar xfz %SOURCE3
pushd icu/source
mkdir -p converted
%if 0%{?little_endian}
@ -292,15 +299,18 @@ LD_LIBRARY_PATH=./lib ./bin/icupkg -tb data/in/icudt%{icu_major}l.dat \
converted/icudt%{icu_major}b.dat
%endif
popd # icu/source
popd # deps
popd
popd
%install
rm -rf %{buildroot}
./tools/install.py install %{buildroot} %{_prefix}
chmod 0755 %{buildroot}/%{_bindir}/node
chrpath --delete %{buildroot}%{_bindir}/node
ln -s libnode.so.%{nodejs_soversion} %{buildroot}%{_libdir}/libnode.so
for header in %{buildroot}%{_includedir}/node/libplatform %{buildroot}%{_includedir}/node/v8*.h; do
header=$(basename ${header})
ln -s %{_includedir}/node/${header} %{buildroot}%{_includedir}/${header}
@ -309,7 +319,9 @@ for soname in libv8 libv8_libbase libv8_libplatform; do
ln -s libnode.so.%{nodejs_soversion} %{buildroot}%{_libdir}/${soname}.so
ln -s libnode.so.%{nodejs_soversion} %{buildroot}%{_libdir}/${soname}.so.%{v8_major}
done
mkdir -p %{buildroot}%{_prefix}/lib/node_modules
install -Dpm0644 %{SOURCE7} %{buildroot}%{_rpmconfigdir}/fileattrs/nodejs_native.attr
cat << EOF > %{buildroot}%{_rpmconfigdir}/nodejs_native.req
#!/bin/sh
@ -317,49 +329,56 @@ echo 'nodejs(abi%{nodejs_major}) >= %nodejs_abi'
echo 'nodejs(v8-abi%{v8_major}) >= %v8_abi'
EOF
chmod 0755 %{buildroot}%{_rpmconfigdir}/nodejs_native.req
mkdir -p %{buildroot}%{_pkgdocdir}/html
cp -pr doc/* %{buildroot}%{_pkgdocdir}/html
rm -f %{buildroot}%{_pkgdocdir}/html/nodejs.1
mkdir -p %{buildroot}%{_datadir}/node
cp -p common.gypi %{buildroot}%{_datadir}/node
mv %{buildroot}/%{_datadir}/doc/node/gdbinit %{buildroot}/%{_pkgdocdir}/gdbinit
mkdir -p %{buildroot}%{_mandir} \
%{buildroot}%{_pkgdocdir}/npm
cp -pr deps/npm/man/* %{buildroot}%{_mandir}/
rm -rf %{buildroot}%{_prefix}/lib/node_modules/npm/man
ln -sf %{_mandir} %{buildroot}%{_prefix}/lib/node_modules/npm/man
cp -pr deps/npm/docs %{buildroot}%{_pkgdocdir}/npm/
rm -rf %{buildroot}%{_prefix}/lib/node_modules/npm/docs
ln -sf %{_pkgdocdir}/npm %{buildroot}%{_prefix}/lib/node_modules/npm/docs
rm -f %{buildroot}/%{_defaultdocdir}/node/lldb_commands.py \
%{buildroot}/%{_defaultdocdir}/node/lldbinit
find %{buildroot}%{_prefix}/lib/node_modules/npm \
-not -path "%{buildroot}%{_prefix}/lib/node_modules/npm/bin/*" \
-executable -type f \
-exec chmod -x {} \;
chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/npm-lifecycle/node-gyp-bin/node-gyp
chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js
mkdir -p %{buildroot}%{_sysconfdir}
cp %{SOURCE1} %{buildroot}%{_sysconfdir}/npmrc
mkdir -p %{buildroot}%{_prefix}/etc
ln -s %{_sysconfdir}/npmrc %{buildroot}%{_prefix}/etc/npmrc
install -Dpm0644 -t %{buildroot}%{icudatadir} deps/icu/source/converted/*
%check
LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.node, '%{nodejs_version}')"
LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.v8.replace(/-node\.\d+$/, ''), '%{v8_version}')"
LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.ares.replace(/-DEV$/, ''), '%{c_ares_version}')"
LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"punycode\").version, '%{punycode_version}')"
NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"npm\").version, '%{npm_version}')"
NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node --icu-data-dir=%{buildroot}%{icudatadir} %{SOURCE2}
%pretrans -n npm -p <lua>
-- Replace the npm man directory with a symlink
-- Drop this scriptlet when F31 is EOL
path = "%{_prefix}/lib/node_modules/npm/man"
st = posix.stat(path)
if st and st.type == "directory" then
@ -375,8 +394,6 @@ if st and st.type == "directory" then
end
%pretrans -n v8-devel -p <lua>
-- Replace the v8 libplatform include directory with a symlink
-- Drop this scriptlet when F30 is EOL
path = "%{_includedir}/libplatform"
st = posix.stat(path)
if st and st.type == "directory" then
@ -407,7 +424,7 @@ end
%{_rpmconfigdir}/fileattrs/nodejs_native.attr
%{_rpmconfigdir}/nodejs_native.req
%doc AUTHORS CHANGELOG.md COLLABORATOR_GUIDE.md GOVERNANCE.md README.md
%doc AUTHORS CHANGELOG.md onboarding.md GOVERNANCE.md README.md
%doc %{_mandir}/man1/node.1*
%files devel
@ -467,8 +484,10 @@ end
%{_pkgdocdir}/html
%{_pkgdocdir}/npm/docs
%changelog
* Mon Mar 28 2022 wangkai <wangkai385@huawei.com> 1:12.22.11-1
- Update to 12.22.11, fix some cves.
* Thu Oct 21 2021 yaoxin <yaoxin30@huawei.com> 1:10.21.0-8
- fix CVE-2021-22930
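Review bot: The `%changelog` entry `- Update to 12.22.11, fix some cves.` does not say which CVEs are covered, while this same section drops `Patch5` through `Patch13` (CVE-2020-8252, CVE-2020-8265, CVE-2020-8287, CVE-2021-22883, CVE-2021-22884, CVE-2021-22918, CVE-2021-22930-1/-2/-3) from the patch list. Presumably each of those fixes is already contained in the 12.22.11 source, but nothing on the page records that, so a later audit or scanner triage cannot tell from the package history whether the fixes were rebased away or lost. I would name them in the entry, e.g. `- Update to 12.22.11; drop CVE-2020-8252, CVE-2020-8265, CVE-2020-8287, CVE-2021-22883, CVE-2021-22884, CVE-2021-22918 and CVE-2021-22930 patches, fixed upstream`, and list any newly fixed CVE ids the same way once they are confirmed against the upstream release notes.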

4
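--- a/nodejs.yaml
+++ b/nodejs.yaml
@@ -0,0 +1,4 @@
+version_control: github
+src_repo: nodejs/node
+tag_prefix: "^v"
+separator: "."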

1
npmrc

@ -1 +1,2 @@
prefix=/usr/local
python=/usr/bin/python3