From 06410b655878fe8825f10da90b9cc34a5e05ccf9 Mon Sep 17 00:00:00 2001 From: Morgan Thomas Date: Sun, 25 Apr 2021 09:25:46 -0700 Subject: [PATCH 1/4] nodejs: use system libuv See https://github.com/void-linux/void-packages/issues/29034. `shared-uv.patch` has been in the repo for a while but was slightly broken. --- srcpkgs/nodejs/{ => patches}/shared-uv.patch | 2 +- srcpkgs/nodejs/template | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) rename srcpkgs/nodejs/{ => patches}/shared-uv.patch (97%) diff --git a/srcpkgs/nodejs/shared-uv.patch b/srcpkgs/nodejs/patches/shared-uv.patch similarity index 97% rename from srcpkgs/nodejs/shared-uv.patch rename to srcpkgs/nodejs/patches/shared-uv.patch index 128e3a5ce06e..3e609a6c49a5 100644 --- a/srcpkgs/nodejs/shared-uv.patch +++ b/srcpkgs/nodejs/patches/shared-uv.patch @@ -16,7 +16,7 @@ }], + [ 'node_shared_libuv=="false"', { + 'dependencies': [ '../uv/uv.gyp:libuv' ], -+ }] ++ }], + [ 'node_shared_libuv=="true"', { + 'libraries': [ '-luv' ], + }] diff --git a/srcpkgs/nodejs/template b/srcpkgs/nodejs/template index 450b59bbc7d0..bcfaaa73ac4c 100644 --- a/srcpkgs/nodejs/template +++ b/srcpkgs/nodejs/template @@ -1,7 +1,7 @@ # Template file for 'nodejs' pkgname=nodejs version=14.16.0 -revision=1 +revision=2 wrksrc="node-v${version}" # Need these for host v8 for torque, see https://github.com/nodejs/node/pull/21079 hostmakedepends="which pkg-config python3 libatomic-devel zlib-devel From 222b25551a493a75b589f5c1dfc055fa8beb4c39 Mon Sep 17 00:00:00 2001 From: Morgan Thomas Date: Sun, 25 Apr 2021 09:59:58 -0700 Subject: [PATCH 2/4] nodejs-lts: use system libuv See 06410b655878fe8825f10da90b9cc34a5e05ccf9 and https://github.com/void-linux/void-packages/issues/29034. --- srcpkgs/nodejs-lts/patches/shared-uv.patch | 25 ++++++++++++++++++++++ srcpkgs/nodejs-lts/template | 2 +- 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 srcpkgs/nodejs-lts/patches/shared-uv.patch diff --git a/srcpkgs/nodejs-lts/patches/shared-uv.patch b/srcpkgs/nodejs-lts/patches/shared-uv.patch new file mode 100644 index 000000000000..3e609a6c49a5 --- /dev/null +++ b/srcpkgs/nodejs-lts/patches/shared-uv.patch @@ -0,0 +1,25 @@ +--- deps/uvwasi/uvwasi.gyp.orig ++++ deps/uvwasi/uvwasi.gyp +@@ -18,9 +18,6 @@ + 'src/wasi_rights.c', + 'src/wasi_serdes.c', + ], +- 'dependencies': [ +- '../uv/uv.gyp:libuv', +- ], + 'direct_dependent_settings': { + 'include_dirs': ['include'] + }, +@@ -31,6 +28,12 @@ + '_POSIX_C_SOURCE=200112', + ], + }], ++ [ 'node_shared_libuv=="false"', { ++ 'dependencies': [ '../uv/uv.gyp:libuv' ], ++ }], ++ [ 'node_shared_libuv=="true"', { ++ 'libraries': [ '-luv' ], ++ }] + ], + } + ] diff --git a/srcpkgs/nodejs-lts/template b/srcpkgs/nodejs-lts/template index f9326d337555..d3912ae2cf05 100644 --- a/srcpkgs/nodejs-lts/template +++ b/srcpkgs/nodejs-lts/template @@ -1,7 +1,7 @@ # Template file for 'nodejs-lts' pkgname=nodejs-lts version=12.21.0 -revision=1 +revision=2 wrksrc="node-v${version}" # Need these for host v8 for torque, see https://github.com/nodejs/node/pull/21079 hostmakedepends="pkg-config python libatomic-devel zlib-devel which From ba2d9af447cb8a686424dd33d67d138fdedd54c7 Mon Sep 17 00:00:00 2001 From: Morgan Thomas Date: Mon, 26 Apr 2021 06:31:01 -0700 Subject: [PATCH 3/4] nodejs-lts-10: fix build for targets without native atomic8 patches/ppc32.patch used "host_arch" instead of "target_arch" to check whether to link against -latomic, and didn't include 32-bit ARM in the list of targets that might need it. This addresses build failures on armv6l as well as some lesser-used architectures. Additionally, libatomic-devel is now included in makedepends for all architectures (not just when `XBPS_TARGET_NO_ATOMIC8` is set) because the build system can't tell the difference between armv6l and armv7l. This matches how it's done for `nodejs{,-lts}` and doesn't cause the armv7l build to actually depend on libatomic at runtime. --- srcpkgs/nodejs-lts-10/patches/atomic8.patch | 14 ++++++++++++++ srcpkgs/nodejs-lts-10/patches/ppc32.patch | 14 -------------- srcpkgs/nodejs-lts-10/template | 21 ++++++++------------- 3 files changed, 22 insertions(+), 27 deletions(-) create mode 100644 srcpkgs/nodejs-lts-10/patches/atomic8.patch diff --git a/srcpkgs/nodejs-lts-10/patches/atomic8.patch b/srcpkgs/nodejs-lts-10/patches/atomic8.patch new file mode 100644 index 000000000000..023cfad01239 --- /dev/null +++ b/srcpkgs/nodejs-lts-10/patches/atomic8.patch @@ -0,0 +1,14 @@ +--- node.gyp ++++ node.gyp +@@ -479,6 +479,11 @@ + 'msvs_disabled_warnings!': [4244], + + 'conditions': [ ++ [ 'target_arch=="mips" or target_arch=="mipsel" or target_arch=="ppc" or target_arch=="arm"', { ++ 'link_settings': { ++ 'libraries': [ '-latomic' ], ++ }, ++ }], + [ 'node_code_cache_path!=""', { + 'sources': [ '<(node_code_cache_path)' ] + }, { diff --git a/srcpkgs/nodejs-lts-10/patches/ppc32.patch b/srcpkgs/nodejs-lts-10/patches/ppc32.patch index 343eff585123..4650b285c363 100644 --- a/srcpkgs/nodejs-lts-10/patches/ppc32.patch +++ b/srcpkgs/nodejs-lts-10/patches/ppc32.patch @@ -9,20 +9,6 @@ '__x86_64__' : 'x64', '__s390__' : 's390', '__s390x__' : 's390x', ---- node.gyp -+++ node.gyp -@@ -479,6 +479,11 @@ - 'msvs_disabled_warnings!': [4244], - - 'conditions': [ -+ [ 'host_arch=="mips" or host_arch=="mipsel" or host_arch=="ppc"', { -+ 'link_settings': { -+ 'libraries': [ '-latomic' ], -+ }, -+ }], - [ 'node_code_cache_path!=""', { - 'sources': [ '<(node_code_cache_path)' ] - }, { --- deps/v8/src/libsampler/sampler.cc +++ deps/v8/src/libsampler/sampler.cc @@ -418,9 +418,15 @@ void SignalHandler::FillRegisterState(void* context, RegisterState* state) { diff --git a/srcpkgs/nodejs-lts-10/template b/srcpkgs/nodejs-lts-10/template index 3944d359c673..e9be94fcd393 100644 --- a/srcpkgs/nodejs-lts-10/template +++ b/srcpkgs/nodejs-lts-10/template @@ -1,14 +1,16 @@ # Template file for 'nodejs-lts-10' pkgname=nodejs-lts-10 version=10.24.0 -revision=1 +revision=2 wrksrc="node-v${version}" -hostmakedepends="pkg-config python zlib-devel which $(vopt_if icu icu-devel) - $(vopt_if ssl openssl-devel) $(vopt_if libuv libuv-devel) +# libatomic-devel moved into here for #29034 - atomic8.patch will pull in -latomic +# even for some architectures not covered by XBPS_TARGET_NO_ATOMIC8. +hostmakedepends="libatomic-devel pkg-config python zlib-devel which + $(vopt_if icu icu-devel) $(vopt_if ssl openssl-devel) $(vopt_if libuv libuv-devel) $(vopt_if http_parser http-parser-devel) $(vopt_if nghttp2 nghttp2-devel) $(vopt_if cares c-ares-devel)" -makedepends="zlib-devel python-devel $(vopt_if icu icu-devel) - $(vopt_if ssl openssl-devel) $(vopt_if libuv libuv-devel) +makedepends="libatomic-devel zlib-devel python-devel + $(vopt_if icu icu-devel) $(vopt_if ssl openssl-devel) $(vopt_if libuv libuv-devel) $(vopt_if http_parser http-parser-devel) $(vopt_if nghttp2 nghttp2-devel) $(vopt_if cares c-ares-devel)" checkdepends="procps-ng" @@ -18,7 +20,7 @@ license="MIT" homepage="https://nodejs.org/" distfiles="${homepage}/download/release/v${version}/node-v${version}.tar.xz" checksum=158273af66f891b2fca90aec7336c42f7574f467affad02c14e80ca163cb3acc -python_version=2 #unverified +python_version=3 build_options="ssl libuv http_parser icu nghttp2 cares" desc_option_ssl="Enable shared openssl" @@ -37,13 +39,6 @@ if [ "$XBPS_WORDSIZE" -ne "$XBPS_TARGET_WORDSIZE" ]; then nocross="host and target must have the same pointer size" fi -if [ "$XBPS_TARGET_NO_ATOMIC8" ]; then - makedepends+=" libatomic-devel" -fi -if [ "$XBPS_NO_ATOMIC8" ]; then - hostmakedepends+=" libatomic-devel" -fi - CFLAGS="-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64" CXXFLAGS="-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64" From 8243734099c1acaaddcc7fd3d8b1e99657c4eb79 Mon Sep 17 00:00:00 2001 From: Morgan Thomas Date: Tue, 27 Apr 2021 09:03:00 -0700 Subject: [PATCH 4/4] http-parser: update to 2.9.4.20201223 This is a pseudo-version to integrate upstream changes that haven't been given a version number, as well as a patch from nodejs to fix CVE-2020-8287. --- .../http-parser/patches/cve_2020_8287.patch | 52 +++++++++++++++++++ srcpkgs/http-parser/template | 12 +++-- 2 files changed, 60 insertions(+), 4 deletions(-) create mode 100644 srcpkgs/http-parser/patches/cve_2020_8287.patch diff --git a/srcpkgs/http-parser/patches/cve_2020_8287.patch b/srcpkgs/http-parser/patches/cve_2020_8287.patch new file mode 100644 index 000000000000..09b6b5f6ee47 --- /dev/null +++ b/srcpkgs/http-parser/patches/cve_2020_8287.patch @@ -0,0 +1,52 @@ +--- http_parser.c ++++ http_parser.c +@@ -1344,6 +1344,13 @@ size_t http_parser_execute (http_parser *parser, + } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) { + parser->header_state = h_transfer_encoding; + parser->uses_transfer_encoding = 1; ++ ++ /* Multiple `Transfer-Encoding` headers should be treated as ++ * one, but with values separate by a comma. ++ * ++ * See: https://tools.ietf.org/html/rfc7230#section-3.2.2 ++ */ ++ parser->flags &= ~F_CHUNKED; + } + break; + +--- test.c ++++ test.c +@@ -2154,6 +2154,32 @@ const struct message responses[] = + ,.body= "2\r\nOK\r\n0\r\n\r\n" + ,.num_chunks_complete= 0 + } ++#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30 ++, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding" ++ ,.type= HTTP_RESPONSE ++ ,.raw= "HTTP/1.1 200 OK\r\n" ++ "Transfer-Encoding: chunked\r\n" ++ "Transfer-Encoding: identity\r\n" ++ "\r\n" ++ "2\r\n" ++ "OK\r\n" ++ "0\r\n" ++ "\r\n" ++ ,.should_keep_alive= FALSE ++ ,.message_complete_on_eof= TRUE ++ ,.http_major= 1 ++ ,.http_minor= 1 ++ ,.status_code= 200 ++ ,.response_status= "OK" ++ ,.content_length= -1 ++ ,.num_headers= 2 ++ ,.headers= ++ { { "Transfer-Encoding", "chunked" } ++ , { "Transfer-Encoding", "identity" } ++ } ++ ,.body= "2\r\nOK\r\n0\r\n\r\n" ++ ,.num_chunks_complete= 0 ++ } + }; + + /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so + diff --git a/srcpkgs/http-parser/template b/srcpkgs/http-parser/template index 9a9e4a626dd2..e8402ce55525 100644 --- a/srcpkgs/http-parser/template +++ b/srcpkgs/http-parser/template @@ -1,15 +1,19 @@ # Template file for 'http-parser' pkgname=http-parser -version=2.9.4 +# 2.9.4, plus upstream commits through ec8b5ee, plus fc70ce0 from nodejs/node +# needed to fix CVE-2020-8287 and fix a test in nodejs-lts-10 +version=2.9.4.20201223 revision=1 +_githash=ec8b5ee63f0e51191ea43bb0c6eac7bfbff3141d +wrksrc="${pkgname}-${_githash}" build_style=gnu-makefile make_build_target=library short_desc="HTTP request/response parser for c" maintainer="Enno Boland " license="MIT" -homepage="https://github.com/joyent/http-parser" -distfiles="${homepage}/archive/v${version}.tar.gz" -checksum=467b9e30fd0979ee301065e70f637d525c28193449e1b13fbcb1b1fab3ad224f +homepage="https://github.com/nodejs/http-parser" +distfiles="${homepage}/archive/${_githash}.tar.gz" +checksum=765a21444322ea2476ca1e3cfeb74d280eeb37f4713cf52d2bf398dabf6e4128 pre_install() { vmkdir usr/lib/pkgconfig