authorJakub Jirutka <jakub@jirutka.cz>2017-07-14 23:21:42 +0200
committerJakub Jirutka <jakub@jirutka.cz>2017-07-14 23:33:43 +0200
commit755a80bda3cf98d2441417a8cf797f4e4ae1b34e (patch)
tree5359ecfe85097e22b3a86e710e2694d613265b28 /main/nodejs
parentffeb170fa8847058fb107cde8acb2a6fd9c3e1dd (diff)
main/nodejs: fix CVE-2017-1000381 and Constant Hashtable Seeds
See: https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
Diffstat (limited to 'main/nodejs')
-rw-r--r--main/nodejs/APKBUILD17
-rw-r--r--main/nodejs/CVE-2017-1000381.patch54
-rw-r--r--main/nodejs/disable-v8-snapshots.patch53
-rw-r--r--main/nodejs/s390-debug-code-requires-bigger-buffer.patch45
4 files changed, 166 insertions, 3 deletions
diff --git a/main/nodejs/APKBUILD b/main/nodejs/APKBUILD
index db2f0af2a8..edf0e7dcd4 100644
--- a/main/nodejs/APKBUILD
+++ b/main/nodejs/APKBUILD
@@ -4,11 +4,16 @@
# Contributor: Dave Esaias <dave@containership.io>
# Contributor: Tadahisa Kamijo <kamijin@live.jp>
# Maintainer: Eivind Uggedal <eivind@uggedal.com>
+#
+# secfixes:
+# 6.10.3-r1:
+# - CVE-2017-1000381
+#
pkgname=nodejs
# Note: Update only to even-numbered versions (e.g. 6.y.z, 8.y.z)!
# Odd-numbered versions are supported only for 9 months by upstream.
pkgver=6.10.3
-pkgrel=0
+pkgrel=1
pkgdesc="JavaScript runtime built on V8 engine - LTS version"
url="http://nodejs.org/"
arch="all"
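Review bot: The new `secfixes` block records only CVE-2017-1000381, although the commit title says this release also fixes the constant hashtable seeds issue. Tools that read `secfixes` to decide whether 6.10.3-r1 is patched will not see that second fix. If no identifier is assigned yet, a plain comment above the `# secfixes:` line, e.g. `# 6.10.3-r1 also disables V8 snapshots (constant hashtable seeds), no CVE id yet`, keeps the record complete until an entry can be added.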
@@ -24,7 +29,10 @@ replaces="nodejs-current nodejs-lts" # nodejs-lts for backward compatibility
source="https://nodejs.org/dist/v$pkgver/node-v$pkgver.tar.gz
use-system-ca-certs.patch
dont-run-gyp-files-for-bundled-deps.patch
- ppc-fix-musl-mcontext.patch"
+ ppc-fix-musl-mcontext.patch
+ disable-v8-snapshots.patch
+ s390-debug-code-requires-bigger-buffer.patch
+ CVE-2017-1000381.patch"
builddir="$srcdir/node-v$pkgver"
prepare() {
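Review bot: Nothing in the APKBUILD says which of the three added patches are security backports, or that `s390-debug-code-requires-bigger-buffer.patch` is carried only because `disable-v8-snapshots.patch` turns snapshots off (that link is stated only inside the s390 patch's commit message). A short comment above `source=`, such as `# disable-v8-snapshots, s390-debug-code and CVE-2017-1000381 are backports from the July 2017 security release; drop them together once pkgver includes them`, would keep a later version bump from dropping one and keeping the other. prepare() continues outside the hunk.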
@@ -101,4 +109,7 @@ npm() {
sha512sums="1aa4b2984893375c9fad675f629a1a1131e1e06778abe92a99ebd472f681e372432c7ff08dfe282848bf2b324cb5cc757dde42523016a16a527360083499c718 node-v6.10.3.tar.gz
316a09f697e244c48d4dcf26ca2bb7e2441fc01ed61ad6b987e24741f93cfcf29f2e6de736ab9e4c014355cd14dd63ae7de1f8c28b5274e3225b1b3412db11d4 use-system-ca-certs.patch
a8be538158b7c96341a407acba30450ddc5c3ad764e7efe728d1ceff64efc3067b177855b9ef91b54400be6a02600d83da4c21a07ae9d7dc0774f92b2006ea8b dont-run-gyp-files-for-bundled-deps.patch
-54a96cdc103bdffa9ba5283f59c64a35774e272f3a944d6475e3f669f95f7d75bcca6db3b12b9af76ea463f531763105aeabb302872652ced6a2bcb66f1eace0 ppc-fix-musl-mcontext.patch"
+54a96cdc103bdffa9ba5283f59c64a35774e272f3a944d6475e3f669f95f7d75bcca6db3b12b9af76ea463f531763105aeabb302872652ced6a2bcb66f1eace0 ppc-fix-musl-mcontext.patch
+adb75d68c350640a96c536baa46d18b566cc00796db1ea6e5ee00d60b6ab8316212dd4aa6fb00e58ef9a40a1f68b1c6c52aaffedaad6c4c91d650a946bcaeba2 disable-v8-snapshots.patch
+7e03abce16050ca6abedf9c2f167e75f6e8d9c92bbab3dacf4be4f0b490829666d60a764d5bfc496a1fce7f5cad757073200c8c07c5df8f531c65ee2099f4540 s390-debug-code-requires-bigger-buffer.patch
+57738244c3b0484f24a0082cf3f1d582dead809a3962e89a692c288829c4a4e5dd60695dbe6a76081db1dbc92bf6f9dcfaff892b99f9985aff5d4231d9a13145 CVE-2017-1000381.patch"
diff --git a/main/nodejs/CVE-2017-1000381.patch b/main/nodejs/CVE-2017-1000381.patch
new file mode 100644
index 0000000000..ae8212226c
--- /dev/null
+++ b/main/nodejs/CVE-2017-1000381.patch
@@ -0,0 +1,54 @@
+From 75bc33d16fbc46f026cf913a08dff80167c370d1 Mon Sep 17 00:00:00 2001
+From: David Drysdale <drysdale@google.com>
+Date: Mon, 22 May 2017 10:54:10 +0100
+Subject: [PATCH] deps: cherry-pick 9478908a49 from cares upstream
+
+Original commit message:
+
+ ares_parse_naptr_reply: check sufficient data
+
+ Check that there is enough data for the required elements
+ of an NAPTR record (2 int16, 3 bytes for string lengths)
+ before processing a record.
+
+This patch fixes CVE-2017-1000381
+
+The c-ares function ares_parse_naptr_reply(), which is used for
+parsing NAPTR responses, could be triggered to read memory outside
+of the given input buffer if the passed in DNS response packet was
+crafted in a particular way.
+
+Refs: https://c-ares.haxx.se/adv_20170620.html
+Refs: https://c-ares.haxx.se/CVE-2017-1000381.patch
+PR-URL: https://github.com/nodejs/node-private/pull/88
+Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
+Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
+
+Patch-Source: https://github.com/nodejs/node/commit/75bc33d16f
+See: https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
+---
+ deps/cares/src/ares_parse_naptr_reply.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/deps/cares/src/ares_parse_naptr_reply.c b/deps/cares/src/ares_parse_naptr_reply.c
+index 11634df984..717d355778 100644
+--- a/deps/cares/src/ares_parse_naptr_reply.c
++++ b/deps/cares/src/ares_parse_naptr_reply.c
+@@ -110,6 +110,12 @@ ares_parse_naptr_reply (const unsigned char *abuf, int alen,
+ status = ARES_EBADRESP;
+ break;
+ }
++ /* RR must contain at least 7 bytes = 2 x int16 + 3 x name */
++ if (rr_len < 7)
++ {
++ status = ARES_EBADRESP;
++ break;
++ }
+
+ /* Check if we are really looking at a NAPTR record */
+ if (rr_class == C_IN && rr_type == T_NAPTR)
+@@ -185,4 +191,3 @@ ares_parse_naptr_reply (const unsigned char *abuf, int alen,
+
+ return ARES_SUCCESS;
+ }
+-
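Review bot: The comment on the added guard, `2 x int16 + 3 x name`, is imprecise about what the 7 covers: going by the commit message it is the two 16-bit fields plus one length byte for each of three strings, not the strings themselves. The check therefore guarantees only the fixed part of the record; the string bodies are read later in ares_parse_naptr_reply, outside this hunk, and presumably depend on the expand helpers doing their own bounds checks against abuf/alen, which is worth confirming while carrying the patch. A wording such as `/* RDATA must hold at least 7 bytes: 2 x uint16 + 3 string length octets */` states that exactly, ideally proposed upstream so the carried patch stays identical to the c-ares fix. A regression test that feeds a NAPTR record with a short RDATA and expects ARES_EBADRESP would pin the behaviour.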
diff --git a/main/nodejs/disable-v8-snapshots.patch b/main/nodejs/disable-v8-snapshots.patch
new file mode 100644
index 0000000000..2cbcc2e517
--- /dev/null
+++ b/main/nodejs/disable-v8-snapshots.patch
@@ -0,0 +1,53 @@
+From 86c0eae5244ff8c9f1d500882c3197a3ab55b076 Mon Sep 17 00:00:00 2001
+From: Ali Ijaz Sheikh <ofrobots@google.com>
+Date: Thu, 1 Jun 2017 17:55:42 -0700
+Subject: [PATCH] build: disable V8 snapshots
+
+PR-URL: https://github.com/nodejs/node-private/pull/84
+Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
+Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
+Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
+
+Patch-Source: https://github.com/nodejs/node/commit/86c0eae524
+See: https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
+---
+ configure | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/configure b/configure
+index 97b41ae368..5232ccefdb 100755
+--- a/configure
++++ b/configure
+@@ -419,12 +419,12 @@ parser.add_option('--without-perfctr',
+ # Dummy option for backwards compatibility
+ parser.add_option('--with-snapshot',
+ action='store_true',
+- dest='unused_with_snapshot',
++ dest='with_snapshot',
+ help=optparse.SUPPRESS_HELP)
+
+ parser.add_option('--without-snapshot',
+ action='store_true',
+- dest='without_snapshot',
++ dest='unused_without_snapshot',
+ help=optparse.SUPPRESS_HELP)
+
+ parser.add_option('--without-ssl',
+@@ -802,7 +802,7 @@ def configure_node(o):
+ cross_compiling = (options.cross_compiling
+ if options.cross_compiling is not None
+ else target_arch != host_arch)
+- want_snapshots = not options.without_snapshot
++ want_snapshots = 1 if options.with_snapshot else 0
+ o['variables']['want_separate_host_toolset'] = int(
+ cross_compiling and want_snapshots)
+
+@@ -946,7 +946,7 @@ def configure_v8(o):
+ o['variables']['v8_no_strict_aliasing'] = 1 # Work around compiler bugs.
+ o['variables']['v8_optimized_debug'] = 0 # Compile with -O0 in debug builds.
+ o['variables']['v8_random_seed'] = 0 # Use a random seed for hash tables.
+- o['variables']['v8_use_snapshot'] = 'false' if options.without_snapshot else 'true'
++ o['variables']['v8_use_snapshot'] = b(options.with_snapshot)
+ o['variables']['node_use_v8_platform'] = b(not options.without_v8_platform)
+ o['variables']['node_use_bundled_v8'] = b(not options.without_bundled_v8)
+ o['variables']['force_dynamic_crt'] = 1 if options.shared else 0
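Review bot: After the `dest` swap the comment `# Dummy option for backwards compatibility` still sits above `--with-snapshot`, which is now the live switch, while `--without-snapshot` has become the ignored one (`unused_without_snapshot`). Move that comment to the `--without-snapshot` option and give `--with-snapshot` its own, e.g. `# Snapshots are off by default; see the July 2017 security release before opting in`. Because both options keep `help=optparse.SUPPRESS_HELP`, a builder who passes `--with-snapshot` gets no hint that it undoes what this patch is for; a warning printed from configure_node when `options.with_snapshot` is set would make that visible. configure_node and configure_v8 continue outside the hunks.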
diff --git a/main/nodejs/s390-debug-code-requires-bigger-buffer.patch b/main/nodejs/s390-debug-code-requires-bigger-buffer.patch
new file mode 100644
index 0000000000..f29d971b86
--- /dev/null
+++ b/main/nodejs/s390-debug-code-requires-bigger-buffer.patch
@@ -0,0 +1,45 @@
+From a92d4ca460f76b22ee7d68d50a9a99ee7c8f6f5c Mon Sep 17 00:00:00 2001
+From: Michael Dawson <mdawson@devrus.com>
+Date: Mon, 10 Jul 2017 15:17:58 -0400
+Subject: [PATCH] deps: Debug code requires bigger buffer on s390
+
+s390 requires a bigger buffer for debug code
+when snapshots are not enabled.
+
+PR-URL: https://github.com/nodejs/node-private/pull/93
+Reviewed-By: Myles Borins <Myles.Borins@gmail.com>
+
+Patch-Source: https://github.com/nodejs/node/commit/a92d4ca460
+---
+ deps/v8/include/v8-version.h | 2 +-
+ deps/v8/src/builtins.cc | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
+index 2162538fda..55d32cc899 100644
+--- a/deps/v8/include/v8-version.h
++++ b/deps/v8/include/v8-version.h
+@@ -11,7 +11,7 @@
+ #define V8_MAJOR_VERSION 5
+ #define V8_MINOR_VERSION 1
+ #define V8_BUILD_NUMBER 281
+-#define V8_PATCH_LEVEL 101
++#define V8_PATCH_LEVEL 102
+
+ // Use 1 for candidates and 0 otherwise.
+ // (Boolean macro values are not supported by all preprocessors.)
+diff --git a/deps/v8/src/builtins.cc b/deps/v8/src/builtins.cc
+index 01f103101c..4d399b2ca0 100644
+--- a/deps/v8/src/builtins.cc
++++ b/deps/v8/src/builtins.cc
+@@ -4720,8 +4720,8 @@ Handle<Code> MacroAssemblerBuilder(Isolate* isolate,
+ #ifdef DEBUG
+ // We can generate a lot of debug code on Arm64.
+ const size_t buffer_size = 32 * KB;
+-#elif V8_TARGET_ARCH_PPC64
+- // 8 KB is insufficient on PPC64 when FLAG_debug_code is on.
++#elif V8_TARGET_ARCH_PPC64 || V8_TARGET_ARCH_S390X
++ // 8 KB is insufficient on PPC64 and S390X when FLAG_debug_code is on.
+ const size_t buffer_size = 10 * KB;
+ #else
+ const size_t buffer_size = 8 * KB;
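Review bot: The subject and file name say s390, but the new guard tests only `V8_TARGET_ARCH_S390X`, so a 31-bit s390 build would still get the 8 KB buffer. If that target matters, `#elif V8_TARGET_ARCH_PPC64 || V8_TARGET_ARCH_S390` would cover both, assuming V8 also defines the S390 macro for the 64-bit port; if only s390x is built, saying S390X in the subject removes the ambiguity. The in-code comment ties the larger buffer to FLAG_debug_code while the commit message ties it to snapshots being disabled, so a line such as `// also hit when building without snapshots` would record why this patch travels with disable-v8-snapshots.patch. MacroAssemblerBuilder continues outside the hunk.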