[PATCH] gnu: node: Update to 10.23.3. [security fixes]

Jelle Licht wrote on 19 Feb 2021 12:02
(address . guix-patches@gnu.org)
86czww5nhl.fsf@fsfe.org
Hey Guix,

The attached two patches together should address CVE-2020-8287 (in
Node). I am kind of fuzzy on the details, but to me it seems that the
vulnerability is actually in http-parser (and llhttp), not node. I
informed upstream about my findings, but in the meantime we should
probably apply these.

The node package subsequently has a regression test to demonstrate that
the applied fix works. Nonetheless, http-parser has quite some
dependents, and I only verified everything to still work with node.

- Jelle
From 44f5b6f6ee7ffbec1c38d52ac8356b3f5a252e61 Mon Sep 17 00:00:00 2001
From: Jelle Licht <jlicht@fsfe.org>
Date: Wed, 17 Feb 2021 00:06:04 +0100
Subject: [PATCH] gnu: node: Update to 10.23.3.

* gnu/packages/node.scm (node): Update to 10.23.3.
---
gnu/packages/node.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/node.scm b/gnu/packages/node.scm
index 77c47ec71f..051c4c3b41 100644
--- a/gnu/packages/node.scm
+++ b/gnu/packages/node.scm
@@ -50,14 +50,14 @@
(define-public node
(package
(name "node")
- (version "10.22.1")
+ (version "10.23.3")
(source (origin
(method url-fetch)
(uri (string-append "https://nodejs.org/dist/v" version
"/node-v" version ".tar.xz"))
(sha256
(base32
- "0pr569qiabr4m7k38s7rwi3iyzrc5jmx19z2z0k7n4xfvhjlfzzl"))
+ "13za06bz17k71gcxyrx41l2j8al1kr3j627b8m7kqrf3l7rdfnsi"))
(modules '((guix build utils)))
(snippet
`(begin
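Review bot: the changelog entry for this hunk only says "Update to 10.23.3", while the cover letter states the update is part of the fix for CVE-2020-8287; the commit message should name the CVE so the security motivation survives in the history, e.g. "* gnu/packages/node.scm (node): Update to 10.23.3 [fixes CVE-2020-8287]." Nothing in this hunk adds the regression test the cover letter mentions, so it presumably lives in the companion http-parser patch, which the message could also reference. Since the only substantive change besides the version is the replacement of the base32 hash, confirming the new hash against the upstream release checksums (for instance via `guix download` of the stated URL) before pushing would close the loop on the source integrity check.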
--
2.30.1
Jonathan Brielmaier wrote on 23 Feb 2021 20:29
9a584e1f-4f43-57f6-61ae-4de39c8e8015@web.de
On 19.02.21 12:02, Jelle Licht wrote:
> Hey Guix,
>
> The attached two patches together should address CVE-2020-8287 (in
> Node). I am kind of fuzzy on the details, but to me it seems that the
> vulnerability is actually in http-parser (and llhttp), not node. I
> informed upstream about my findings, but in the meantime we should
> probably apply these.
>
> The node package subsequently has a regression test to demonstrate that
> the applied fix works. Nonetheless, http-parser has quite some
> dependents, and I only verified everything to still work with node.
>
> - Jelle

Impressive work. Looks nice! node-10.23 is required for Firefox >= 86.0,
and thus also for the next ESR branch of icecat and icedove...
Jelle Licht wrote on 24 Feb 2021 10:38
86v9ahkdph.fsf@fsfe.org
Jonathan Brielmaier <jonathan.brielmaier@web.de> writes:

> On 19.02.21 12:02, Jelle Licht wrote:
>> Hey Guix,
>>
>> The attached two patches together should address CVE-2020-8287 (in
>> Node). I am kind of fuzzy on the details, but to me it seems that the
>> vulnerability is actually in http-parser (and llhttp), not node. I
>> informed upstream about my findings, but in the meantime we should
>> probably apply these.
>>
>> The node package subsequently has a regression test to demonstrate that
>> the applied fix works. Nonetheless, http-parser has quite some
>> dependents, and I only verified everything to still work with node.
>>
>> - Jelle
>
> Impressive work. Looks nice! node-10.23 is required for Firefox >= 86.0
> so as well for the next ESR branch of icecat and icedove...

Good to know; I wouldn't want to block any other ongoing packaging efforts:

I pushed the patches to master, with the security fix at 66fa2d318a.
- Jelle