Fixes the following security issues (12.15.0):
- CVE-2019-15606: HTTP header values do not have trailing OWS trimmed
- CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding
header
- CVE-2019-15604: Remotely trigger an assertion on a TLS server with a
malformed certificate string
For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
On top of this, 12.16.0 brings a number of changes and bugfixes.
Update the license hash for an addition of the (MIT) licensing terms for the
uvwsai module:
+
+- uvwasi, located at deps/uvwasi, is licensed as follows:
+ """
+ MIT License
+
+ Copyright (c) 2019 Colin Ihrig and Contributors
+
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+ in the Software without restriction, including without limitation the rights
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+
+ The above copyright notice and this permission notice shall be included in all
+ copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ SOFTWARE.
+ """
While we are at it, adjust the white space in the .hash function to match
the new agreements.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security vulnerabilities (in npm):
- CVE-2019-16775: Versions of the npm CLI prior to 6.13.3 are vulnerable to
an Arbitrary File Write. It is possible for packages to create symlinks
to files outside of thenode_modules folder through the bin field upon
installation
https://www.npmjs.com/advisories/1436
- CVE-2019-16776: Versions of the npm CLI prior to 6.13.3 are vulnerable to
an Arbitrary File Write. It fails to prevent access to folders outside of
the intended node_modules folder through the bin field
https://www.npmjs.com/advisories/1434
- CVE-2019-16777: Versions of the npm CLI prior to 6.13.4 are vulnerable to
an Arbitrary File Overwrite. It fails to prevent existing
globally-installed binaries to be overwritten by other package
installations
https://www.npmjs.com/advisories/1437
For further details, see the upstream announcements:
https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-clihttps://nodejs.org/en/blog/vulnerability/december-2019-security-releases/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
After building host tools, we currently run a pass of patchelf to add
the proper RPATH to these tools so that they are able to find the
libraries they depend on.
Unfortunately, the "torque" host tool is used during the build itself,
before we have a chance to run "patchelf" on it. Since it is linked
against libcrypto.so available in $(HOST_DIR)/lib, the build aborts
because the RPATH is not set.
To fix this, we make sure that $(HOST_LDFLAGS) are properly taken into
account: since they contain the -Wl,-rpath option, the host tools will
have the correct RPATH. This both fixes the build failure, and makes
the patchelf hack no longer necessary.
Fixes:
https://bugs.busybox.net/show_bug.cgi?id=12211http://autobuild.buildroot.net/results/a1f5e336ddaf386ba08eb5a7a299a48e2bdfe2d9/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
nodejs can use some FPU instructions on ARM, but it needs to know that
thanks to the --with-arm-fpu option. Without this, it may use the
wrong FPU setting, such as use VFPv3 even if only a VFPv3-D16 is
available. This has been reported as bug #12166, where the compiled
node binary had some floating point instructions using floating point
registers above 16 on a VFPv3-D16 system.
This commit makes sure we pass the appropriate --with-arm-fpu value
when it makes sense. Note that NodeJS only has explicit support for a
subset of the FPUs, for the ones that are not explicitly supported, we
simply pass no --with-arm-fpu value.
Fixes:
https://bugs.busybox.net/show_bug.cgi?id=12166
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When commit 0064132ba0 introduced ARM64
support in nodejs.mk, it incorrectly kept the NODEJS_ARM_FP
definition. This variable is used to pass --with-arm-float-abi, which
in NodeJS's configure.py script is only used when --dest-cpu=arm, and
not when --dest-cpu=arm64.
So we are passing --with-arm-float-abi=<something> for ARM64, which
has no effect, and we are no longer passing it on ARM.
This commit fixes that by putting the NODEJS_ARM_FP definition back at
the right location.
Fixes:
0064132ba0
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
package/nodejs/nodejs.mk:73: expected indent with tabs
package/nodejs/nodejs.mk:74: expected indent with tabs
package/nodejs/nodejs.mk:75: expected indent with tabs
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Removed libhttpparser dependency as nodejs now uses built in llhttp.
Installed additional build tools to host that are required for target build.
License file change is due to 3rd party dependency changes and date updates.
Dependencies still appear to have Apache and BSD family licenses.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security vulnerabilities:
- CVE-2019-9511 "Data Dribble": The attacker requests a large amount of data
from a specified resource over multiple streams. They manipulate window
size and stream priority to force the server to queue the data in 1-byte
chunks. Depending on how efficiently this data is queued, this can
consume excess CPU, memory, or both, potentially leading to a denial of
service.
- CVE-2019-9512 "Ping Flood": The attacker sends continual pings to an
HTTP/2 peer, causing the peer to build an internal queue of responses.
Depending on how efficiently this data is queued, this can consume excess
CPU, memory, or both, potentially leading to a denial of service.
- CVE-2019-9513 "Resource Loop": The attacker creates multiple request
streams and continually shuffles the priority of the streams in a way that
causes substantial churn to the priority tree. This can consume excess
CPU, potentially leading to a denial of service.
- CVE-2019-9514 "Reset Flood": The attacker opens a number of streams and
sends an invalid request over each stream that should solicit a stream of
RST_STREAM frames from the peer. Depending on how the peer queues the
RST_STREAM frames, this can consume excess memory, CPU, or both,
potentially leading to a denial of service.
- CVE-2019-9515 "Settings Flood": The attacker sends a stream of SETTINGS
frames to the peer. Since the RFC requires that the peer reply with one
acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost
equivalent in behavior to a ping. Depending on how efficiently this data
is queued, this can consume excess CPU, memory, or both, potentially
leading to a denial of service.
- CVE-2019-9516 "0-Length Headers Leak": The attacker sends a stream of
headers with a 0-length header name and 0-length header value, optionally
Huffman encoded into 1-byte or greater headers. Some implementations
allocate memory for these headers and keep the allocation alive until the
session dies. This can consume excess memory, potentially leading to a
denial of service.
- CVE-2019-9517 "Internal Data Buffering": The attacker opens the HTTP/2
window so the peer can send without constraint; however, they leave the
TCP window closed so the peer cannot actually write (many of) the bytes on
the wire. The attacker then sends a stream of requests for a large
response object. Depending on how the servers queue the responses, this
can consume excess memory, CPU, or both, potentially leading to a denial
of service.
- CVE-2019-9518 "Empty Frames Flood": The attacker sends a stream of frames
with an empty payload and without the end-of-stream flag. These frames
can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends
time processing each frame disproportionate to attack bandwidth. This can
consume excess CPU, potentially leading to a denial of service.
(Discovered by Piotr Sikora of Google)
Notice that this version bump requires nghttp2 1.39.2. It also includes an
(unconditional) embedded copy of brotli.
Update the license hash because of copyright year changes and the addition
of the MIT-style license text for large_pages and brotli.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
See https://nodejs.org/en/blog/release/v10.15.3/
The host tool "torque" is unfortunately not built by complying to our
LDFLAGS, so it is not built with the proper RPATH. We fix that using
patchelf, and install it to $(HOST_DIR) to make it available during
the build of the target nodejs.
Signed-off-by: Martin Bark <martin@barkynet.com>
[Thomas:
- add explanation in the commit log about torque
- install torque in $(HOST_DIR)/bin and not $(HOST_DIR)/usr/bin]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
BUILDING.md lists gcc 4.9.4 or newer as build prerequisite. This is
needed for full C++11 support.
d13a65ad68
Cc: Daniel Price <daniel.price@gmail.com>
Reported-by: Boris-Ben Shapiro <erectcrested@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes regressions introduced by the v8.14.0 security release. From the
announcement:
The 8.14.0 security release introduced some unexpected breakages on the 8.x
release line. This is a special release to fix a regression in the HTTP
binary upgrade response body and add a missing CLI flag to adjust the max
header size of the http parser.
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V8.md#8.15.0
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
- Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
- Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
- Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
- Node.js: HTTP request splitting (CVE-2018-12116)
- OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
- OpenSSL: Microarchitecture timing vulnerability in ECC scalar
multiplication (CVE-2018-5407)
For more details, see the announcement:
https://nodejs.org/en/blog/release/v8.14.0/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When two Buildroot builds run in parallel, and they both happen to call
npm at roughly the same time, the two npm instances may conflict when
accessing the npm cache, which is by default ~/.npm
Although npm is supposed to lock access to the cache, it seems it does
sometimes fail to do so properly, bailling out in error, when it would
never ever crash at all when not running in parallel. We suspect that
the sequence leading to such failures are something like:
npm-1 npm-2
lock(retry=few, sleep=short) .
does-stuff() .
. lock(retry=few, sleep=short)
. # can't lock local cache
. download-module()
. # can't download
. exit(1)
unlock()
As per the docs [0], few = 10, short = 10. So if the first npm (npm-1)
takes more than 100s (which can happen behind slow links and/or big
modules that contain native code that is compiled), then the second npm
(npm-2) will bail out (the download would fail if there is no network
access, for example, and only local modules are used).
Point npm to use a per-build cache directory, so they no longer compete
across builds.
That would still need some care when we do top-level parallel builds,
though.
Note also that the conflicts are not totally eliminated: two or more npm
instances may still compete for some other resource that has not yet
been identified.
But, at least, the conflict window has been drastically shortened now,
to the point where it now seldom occurs.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The BR2_GCC_TARGET_* configuration variables are copied to
corresponding GCC_TARGET_* variables which may then be optionally
modified or overwritten by architecture specific makefiles.
All makefiles must use the new GCC_TARGET_* variables instead
of the BR2_GCC_TARGET_* versions.
Signed-off-by: Mark Corbin <mark.corbin@embecosm.com>
[Thomas: simplify include of arch/arch.mk]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
host-nodejs is configured to build openssl by using its included openssl
source code which is based on openssl 1.0.2. If host-libopenssl was
already built its header files are being picked up during host-nodejs
build, this was verified by adding debug code to
$(HOST_DIR)/include/openssl/opensslv.h.
This situation was not a problem as long as host-libopenssl was the
same version than the openssl code included in nodejs.
Some code in host-nodejs-8.11.4/src/node_crypto.cc is guarded by
#if OPENSSL_VERSION_NUMBER < 0x10100000L
to be used only with openssl 1.0.x.
This leads to problems if host-libopenssl 1.1.x was built before. Due
to the usage of its header files some code in node_crypto.cc is not
built leading to many linking errors later on, for example:
node_crypto.cc:(.text+0x1a1): undefined reference to `DH_get0_pqg'
When the nodejs package originally was added to buildroot back in
March 2013:
https://git.buildroot.net/buildroot/commit/?id=b31bc7d4387095091a109eb879464d54d37a5eab
We did not have a host-libopenssl package back then, it was added one
month later:
https://git.buildroot.net/buildroot/commit/?id=7842789cb539b6b64d61b03f5c8dbe6813f01da7
To fix the problem we use host-libopenssl for host-nodejs.
By using host-libopenssl the build time of nodejs is reduced by ~15s.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Release notes:
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/
Fixes CVE-2018-12115, also CVEs were fixed in included OpenSSL code
which do not use for the target build.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- (CVE-2018-7167): Fixes Denial of Service vulnerability where calling
Buffer.fill() could hang
- (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the
http2 implementation to not crash under certain circumstances during
cleanup
- (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading
nghttp2 to 1.32.0
See https://nodejs.org/en/blog/release/v8.11.3/ for more details
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
- Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious
website could use a DNS rebinding attack to trick a web browser to bypass
same-origin-policy checks and allow HTTP connections to localhost or to
hosts on the local network, potentially to an open inspector port as a
debugger, therefore gaining full code execution access. The inspector now
only allows connections that have a browser Host value of localhost or
localhost6.
- Fix for 'path' module regular expression denial of service
(CVE-2018-7158): A regular expression used for parsing POSIX paths could
be used to cause a denial of service if an attacker were able to have a
specially crafted path string passed through one of the impacted 'path'
module functions.
- Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The
Node.js HTTP parser allowed for spaces inside Content-Length header
values. Such values now lead to rejected connections in the same way as
non-numeric values.
While we are at it, also add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
See https://nodejs.org/en/blog/release/v8.9.3/
[Peter: mention that this fixes security issues]
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit fixes the warnings reported by check-package on the help
text of all package Config.in files, related to the formatting of the
help text: should start with a tab, then 2 spaces, then at most 62
characters.
The vast majority of warnings fixed were caused by too long lines. A
few warnings were related to spaces being used instead of a tab to
indent the help text.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes a regression introduced in 8.8.0.
See https://nodejs.org/en/blog/release/v8.8.1/
Peter: apply on top of 8.8.0, mention that it fixes regression]
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an
error to be raised when a raw deflate stream is initialized with windowBits
set to 8. On some versions this crashes Node and you cannot recover from
it, while on some versions it throws an exception. Node.js will now
gracefully set windowBits to 9 replicating the legacy behavior to avoid a
DOS vector.
For more details, see the announcement:
https://nodejs.org/en/blog/vulnerability/oct-2017-dos/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <<a href="mailto:peter@korsgaard.com">peter@korsgaard.com</a>><br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
See https://nodejs.org/en/blog/release/v8.4.0/
An update to v8 6.0.286 has removed the need for mkpeephole and
0002-add-missing-stdarg-includes.patch
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
nodejs requires libuv and by default will use an internal copy
bundled with the release. Change to using a shared libuv library.
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
nodejs requires libhttpparser and by default will use an internal copy
bundled with the release. Change to using a shared libhttpparser library.
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
nodejs requires c-ares and by default will use an internal copy
bundled with the release. Change to using a shared c-ares library.
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(), which
is used for parsing NAPTR responses, could be triggered to read memory
outside of the given input buffer if the passed in DNS response packet was
crafted in a particular way. This patch checks that there is enough data
for the required elements of an NAPTR record (2 int16, 3 bytes for string
lengths) before processing a record.
See https://nodejs.org/en/blog/release/v8.1.4/
[Peter: add CVE info]
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since things are no longer installed in $(HOST_DIR)/usr, the callers
should also not refer to it.
This is a mechanical change with
git grep -l '$(HOST_DIR)/usr/bin' | xargs sed -i 's%$(HOST_DIR)/usr/bin%$(HOST_DIR)/bin%g'
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Remove the redundant usr/ component of the HOST_DIR paths. Since a
previous commit added a symlink from $(HOST_DIR)/usr to $(HOST_DIR),
everything keeps on working.
This is a mechanical change with
git grep -l '\$(HOST_DIR)/usr' | xargs sed -i 's%\(prefix\|PREFIX\)=\("\?\)\$(HOST_DIR)/usr%\1=\2$(HOST_DIR)%g'
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
