From: Jörg Krause Date: Thu, 18 Feb 2016 08:05:06 +0000 (+0100) Subject: package/nodejs: security bump for 0.10.x to version 0.10.42 X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=f4c366f005c8294efecfbef895ae85d4a1c4e74f;p=buildroot.git package/nodejs: security bump for 0.10.x to version 0.10.42 Fixes security vulnerabilites [1]: - CVE-2016-2086 - CVE-2016-2216 Also switch to the xz compressed tar file now available for v0.10 builds from v0.10.42 onward. [1] https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/ Signed-off-by: Jörg Krause Signed-off-by: Peter Korsgaard --- diff --git a/package/nodejs/0.10.41/0001-remove-python-bz2-dependency.patch b/package/nodejs/0.10.41/0001-remove-python-bz2-dependency.patch deleted file mode 100644 index 75fe437502..0000000000 --- a/package/nodejs/0.10.41/0001-remove-python-bz2-dependency.patch +++ /dev/null @@ -1,27 +0,0 @@ -Remove dependency on Python bz2 module - -The Python bz2 module is only needed in certain cases, so only import -it when needed. In the normal nodejs build, this allows to remove the -dependency on this module. - -Signed-off-by: Thomas Petazzoni -Index: b/deps/v8/tools/js2c.py -=================================================================== ---- a/deps/v8/tools/js2c.py -+++ b/deps/v8/tools/js2c.py -@@ -33,7 +33,6 @@ - - import os, re, sys, string - import jsmin --import bz2 - - - def ToCAsciiArray(lines): -@@ -344,6 +343,7 @@ - else: - raw_sources_declaration = RAW_SOURCES_COMPRESSION_DECLARATION - if env['COMPRESSION'] == 'bz2': -+ import bz2 - all_sources = bz2.compress("".join(all_sources)) - total_length = len(all_sources) - sources_data = ToCArray(all_sources) diff --git a/package/nodejs/0.10.41/0002-gyp-force-link-command-to-use-CXX.patch b/package/nodejs/0.10.41/0002-gyp-force-link-command-to-use-CXX.patch deleted file mode 100644 index a2f02abf34..0000000000 --- a/package/nodejs/0.10.41/0002-gyp-force-link-command-to-use-CXX.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From 00d809e9305241f8636a2d75e22c493293e6971a Mon Sep 17 00:00:00 2001 -From: Samuel Martin -Date: Sun, 20 Apr 2014 15:03:01 +0200 -Subject: [PATCH] gyp: force link command to use CXX - -Signed-off-by: Samuel Martin ---- - tools/gyp/pylib/gyp/generator/make.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/gyp/pylib/gyp/generator/make.py b/tools/gyp/pylib/gyp/generator/make.py -index 0de510e..54e4c96 100644 ---- a/tools/gyp/pylib/gyp/generator/make.py -+++ b/tools/gyp/pylib/gyp/generator/make.py -@@ -134,7 +134,7 @@ cmd_alink_thin = rm -f $@ && $(AR.$(TOOLSET)) crsT $@ $(filter %.o,$^) - # special "figure out circular dependencies" flags around the entire - # input list during linking. - quiet_cmd_link = LINK($(TOOLSET)) $@ --cmd_link = $(LINK.$(TOOLSET)) $(GYP_LDFLAGS) $(LDFLAGS.$(TOOLSET)) -o $@ -Wl,--start-group $(LD_INPUTS) -Wl,--end-group $(LIBS) -+cmd_link = $(CXX.$(TOOLSET)) $(GYP_LDFLAGS) $(LDFLAGS.$(TOOLSET)) -o $@ -Wl,--start-group $(LD_INPUTS) -Wl,--end-group $(LIBS) - - # We support two kinds of shared objects (.so): - # 1) shared_library, which is just bundling together many dependent libraries --- -1.9.2 - diff --git a/package/nodejs/0.10.41/0003-use-python-variable.patch b/package/nodejs/0.10.41/0003-use-python-variable.patch deleted file mode 100644 index f231f4c2f2..0000000000 --- a/package/nodejs/0.10.41/0003-use-python-variable.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -Use a python variable instead of hardcoding Python - -The nodejs build system uses python in a number of locations. However, -there are some locations where it hardcodes 'python' as the Python -interpreter. However, this causes problems when we need to use python2 -instead of just python. - -This patch fixes that by using the python variable already in place in -the nodejs build system. - -Signed-off-by: Thomas Petazzoni - -Index: b/deps/v8/tools/gyp/v8.gyp -=================================================================== ---- a/deps/v8/tools/gyp/v8.gyp -+++ b/deps/v8/tools/gyp/v8.gyp -@@ -792,7 +792,7 @@ - '<(SHARED_INTERMEDIATE_DIR)/libraries.cc', - ], - 'action': [ -- 'python', -+ '<(python)', - '../../tools/js2c.py', - '<@(_outputs)', - 'CORE', -@@ -810,7 +810,7 @@ - '<(SHARED_INTERMEDIATE_DIR)/experimental-libraries.cc', - ], - 'action': [ -- 'python', -+ '<(python)', - '../../tools/js2c.py', - '<@(_outputs)', - 'EXPERIMENTAL', -@@ -840,7 +840,7 @@ - '<(SHARED_INTERMEDIATE_DIR)/debug-support.cc', - ], - 'action': [ -- 'python', -+ '<(python)', - '../../tools/gen-postmortem-metadata.py', - '<@(_outputs)', - '<@(heapobject_files)' diff --git a/package/nodejs/0.10.41/0004-fix-musl-USE-MISC-build-issue.patch b/package/nodejs/0.10.41/0004-fix-musl-USE-MISC-build-issue.patch deleted file mode 100644 index 128058df29..0000000000 --- a/package/nodejs/0.10.41/0004-fix-musl-USE-MISC-build-issue.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 0bc482abeb814573251ecafb5a1e045c885b13a2 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?J=C3=B6rg=20Krause?= -Date: Mon, 25 May 2015 16:22:57 +0200 -Subject: [PATCH 1/1] Fix musl __USE_MISC issue -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The musl C library does not define __USE_MISC and so libuv (built-in dependency) -does not use the correct struct stat definition for musl. - -The feature test macro __USE_MISC is defined by glibc if _BSD_SOURCE or -_SVID_SOURCE is defined. - -The libuv build system enables the feature test macro _GNU_SOURCE for linux -builds. - -Since glibc 2.19, defining _GNU_SOURCE also has the effect of implicitly -defining _DEFAULT_SOURCE - the replacement for _BSD_SOURCE and _SVID_SOURCE. - -In glibc versions before 2.20, defining _GNU_SOURCE also had the effect of -implicitly defining _BSD_SOURCE and _SVID_SOURCE. This is also true for uClibc. - -Alltogether, we can safely replace __USE_MISC by _GNU_SOURCE to support building -nodejs 0.10.x with the musl C library. - -Signed-off-by: Jörg Krause ---- - deps/uv/src/fs-poll.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/deps/uv/src/fs-poll.c b/deps/uv/src/fs-poll.c -index ad27f18..094447e 100644 ---- a/deps/uv/src/fs-poll.c -+++ b/deps/uv/src/fs-poll.c -@@ -198,7 +198,7 @@ static int statbuf_eq(const uv_statbuf_t* a, const uv_statbuf_t* b) { - - /* Jump through a few hoops to get sub-second granularity on Linux. */ - # if defined(__linux__) --# if defined(__USE_MISC) /* _BSD_SOURCE || _SVID_SOURCE */ -+# if defined(_GNU_SOURCE) /* _BSD_SOURCE || _SVID_SOURCE */ - if (a->st_ctim.tv_nsec != b->st_ctim.tv_nsec) return 0; - if (a->st_mtim.tv_nsec != b->st_mtim.tv_nsec) return 0; - # else --- -2.4.1 - diff --git a/package/nodejs/0.10.41/0005-Fix-support-for-uClibc-ng.patch b/package/nodejs/0.10.41/0005-Fix-support-for-uClibc-ng.patch deleted file mode 100644 index 59b9d5044c..0000000000 
--- a/package/nodejs/0.10.41/0005-Fix-support-for-uClibc-ng.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 1cc08f6ceacbb0e5ba1f4638ca3a97ac002d7792 Mon Sep 17 00:00:00 2001 -From: "Bark, Martin" -Date: Mon, 14 Dec 2015 13:26:10 +0000 -Subject: [PATCH 2/2] Fix support for uClibc-ng - -uClibc-ng is currently at v1.0.9. The patch corrects the uClibc -version test so that HAVE_IFADDRS_H is defined for uClibc versions -after v0.9.32. - -Submitted upstream to libuv and accepted, see -https://github.com/libuv/libuv/pull/653 and -https://github.com/libuv/libuv/commit/c861972 - -Signed-off-by: Bark, Martin ---- - deps/uv/src/unix/linux-core.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/deps/uv/src/unix/linux-core.c b/deps/uv/src/unix/linux-core.c -index e6e6828..6cbbb71 100644 ---- a/deps/uv/src/unix/linux-core.c -+++ b/deps/uv/src/unix/linux-core.c -@@ -39,7 +39,7 @@ - #define HAVE_IFADDRS_H 1 - - #ifdef __UCLIBC__ --# if __UCLIBC_MAJOR__ < 0 || __UCLIBC_MINOR__ < 9 || __UCLIBC_SUBLEVEL__ < 32 -+# if __UCLIBC_MAJOR__ < 0 && __UCLIBC_MINOR__ < 9 && __UCLIBC_SUBLEVEL__ < 32 - # undef HAVE_IFADDRS_H - # endif - #endif --- -2.6.2 diff --git a/package/nodejs/0.10.42/0001-remove-python-bz2-dependency.patch b/package/nodejs/0.10.42/0001-remove-python-bz2-dependency.patch new file mode 100644 index 0000000000..75fe437502 --- /dev/null +++ b/package/nodejs/0.10.42/0001-remove-python-bz2-dependency.patch 
@@ -0,0 +1,27 @@ +Remove dependency on Python bz2 module + +The Python bz2 module is only needed in certain cases, so only import +it when needed. In the normal nodejs build, this allows to remove the +dependency on this module. + +Signed-off-by: Thomas Petazzoni +Index: b/deps/v8/tools/js2c.py +=================================================================== +--- a/deps/v8/tools/js2c.py ++++ b/deps/v8/tools/js2c.py +@@ -33,7 +33,6 @@ + + import os, re, sys, string + import jsmin +-import bz2 + + + def ToCAsciiArray(lines): +@@ -344,6 +343,7 @@ + else: + raw_sources_declaration = RAW_SOURCES_COMPRESSION_DECLARATION + if env['COMPRESSION'] == 'bz2': ++ import bz2 + all_sources = bz2.compress("".join(all_sources)) + total_length = len(all_sources) + sources_data = ToCArray(all_sources) diff --git a/package/nodejs/0.10.42/0002-gyp-force-link-command-to-use-CXX.patch b/package/nodejs/0.10.42/0002-gyp-force-link-command-to-use-CXX.patch new file mode 100644 index 0000000000..a2f02abf34 --- /dev/null +++ b/package/nodejs/0.10.42/0002-gyp-force-link-command-to-use-CXX.patch 
@@ -0,0 +1,26 @@ +From 00d809e9305241f8636a2d75e22c493293e6971a Mon Sep 17 00:00:00 2001 +From: Samuel Martin +Date: Sun, 20 Apr 2014 15:03:01 +0200 +Subject: [PATCH] gyp: force link command to use CXX + +Signed-off-by: Samuel Martin +--- + tools/gyp/pylib/gyp/generator/make.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/gyp/pylib/gyp/generator/make.py b/tools/gyp/pylib/gyp/generator/make.py +index 0de510e..54e4c96 100644 +--- a/tools/gyp/pylib/gyp/generator/make.py ++++ b/tools/gyp/pylib/gyp/generator/make.py +@@ -134,7 +134,7 @@ cmd_alink_thin = rm -f $@ && $(AR.$(TOOLSET)) crsT $@ $(filter %.o,$^) + # special "figure out circular dependencies" flags around the entire + # input list during linking. + quiet_cmd_link = LINK($(TOOLSET)) $@ +-cmd_link = $(LINK.$(TOOLSET)) $(GYP_LDFLAGS) $(LDFLAGS.$(TOOLSET)) -o $@ -Wl,--start-group $(LD_INPUTS) -Wl,--end-group $(LIBS) ++cmd_link = $(CXX.$(TOOLSET)) $(GYP_LDFLAGS) $(LDFLAGS.$(TOOLSET)) -o $@ -Wl,--start-group $(LD_INPUTS) -Wl,--end-group $(LIBS) + + # We support two kinds of shared objects (.so): + # 1) shared_library, which is just bundling together many dependent libraries +-- +1.9.2 + diff --git a/package/nodejs/0.10.42/0003-use-python-variable.patch b/package/nodejs/0.10.42/0003-use-python-variable.patch new file mode 100644 index 0000000000..f231f4c2f2 --- /dev/null +++ b/package/nodejs/0.10.42/0003-use-python-variable.patch 
@@ -0,0 +1,43 @@ +Use a python variable instead of hardcoding Python + +The nodejs build system uses python in a number of locations. However, +there are some locations where it hardcodes 'python' as the Python +interpreter. However, this causes problems when we need to use python2 +instead of just python. + +This patch fixes that by using the python variable already in place in +the nodejs build system. + +Signed-off-by: Thomas Petazzoni + +Index: b/deps/v8/tools/gyp/v8.gyp +=================================================================== +--- a/deps/v8/tools/gyp/v8.gyp ++++ b/deps/v8/tools/gyp/v8.gyp +@@ -792,7 +792,7 @@ + '<(SHARED_INTERMEDIATE_DIR)/libraries.cc', + ], + 'action': [ +- 'python', ++ '<(python)', + '../../tools/js2c.py', + '<@(_outputs)', + 'CORE', +@@ -810,7 +810,7 @@ + '<(SHARED_INTERMEDIATE_DIR)/experimental-libraries.cc', + ], + 'action': [ +- 'python', ++ '<(python)', + '../../tools/js2c.py', + '<@(_outputs)', + 'EXPERIMENTAL', +@@ -840,7 +840,7 @@ + '<(SHARED_INTERMEDIATE_DIR)/debug-support.cc', + ], + 'action': [ +- 'python', ++ '<(python)', + '../../tools/gen-postmortem-metadata.py', + '<@(_outputs)', + '<@(heapobject_files)' diff --git a/package/nodejs/0.10.42/0004-fix-musl-USE-MISC-build-issue.patch b/package/nodejs/0.10.42/0004-fix-musl-USE-MISC-build-issue.patch new file mode 100644 index 0000000000..128058df29 --- /dev/null +++ b/package/nodejs/0.10.42/0004-fix-musl-USE-MISC-build-issue.patch 
@@ -0,0 +1,47 @@ +From 0bc482abeb814573251ecafb5a1e045c885b13a2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=B6rg=20Krause?= +Date: Mon, 25 May 2015 16:22:57 +0200 +Subject: [PATCH 1/1] Fix musl __USE_MISC issue +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The musl C library does not define __USE_MISC and so libuv (built-in dependency) +does not use the correct struct stat definition for musl. + +The feature test macro __USE_MISC is defined by glibc if _BSD_SOURCE or +_SVID_SOURCE is defined. + +The libuv build system enables the feature test macro _GNU_SOURCE for linux +builds. + +Since glibc 2.19, defining _GNU_SOURCE also has the effect of implicitly +defining _DEFAULT_SOURCE - the replacement for _BSD_SOURCE and _SVID_SOURCE. + +In glibc versions before 2.20, defining _GNU_SOURCE also had the effect of +implicitly defining _BSD_SOURCE and _SVID_SOURCE. This is also true for uClibc. + +Alltogether, we can safely replace __USE_MISC by _GNU_SOURCE to support building +nodejs 0.10.x with the musl C library. + +Signed-off-by: Jörg Krause +--- + deps/uv/src/fs-poll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/deps/uv/src/fs-poll.c b/deps/uv/src/fs-poll.c +index ad27f18..094447e 100644 +--- a/deps/uv/src/fs-poll.c ++++ b/deps/uv/src/fs-poll.c +@@ -198,7 +198,7 @@ static int statbuf_eq(const uv_statbuf_t* a, const uv_statbuf_t* b) { + + /* Jump through a few hoops to get sub-second granularity on Linux. */ + # if defined(__linux__) +-# if defined(__USE_MISC) /* _BSD_SOURCE || _SVID_SOURCE */ ++# if defined(_GNU_SOURCE) /* _BSD_SOURCE || _SVID_SOURCE */ + if (a->st_ctim.tv_nsec != b->st_ctim.tv_nsec) return 0; + if (a->st_mtim.tv_nsec != b->st_mtim.tv_nsec) return 0; + # else +-- +2.4.1 + diff --git a/package/nodejs/0.10.42/0005-Fix-support-for-uClibc-ng.patch b/package/nodejs/0.10.42/0005-Fix-support-for-uClibc-ng.patch new file mode 100644 index 0000000000..59b9d5044c --- /dev/null 
+++ b/package/nodejs/0.10.42/0005-Fix-support-for-uClibc-ng.patch @@ -0,0 +1,33 @@ +From 1cc08f6ceacbb0e5ba1f4638ca3a97ac002d7792 Mon Sep 17 00:00:00 2001 +From: "Bark, Martin" +Date: Mon, 14 Dec 2015 13:26:10 +0000 +Subject: [PATCH 2/2] Fix support for uClibc-ng + +uClibc-ng is currently at v1.0.9. The patch corrects the uClibc +version test so that HAVE_IFADDRS_H is defined for uClibc versions +after v0.9.32. + +Submitted upstream to libuv and accepted, see +https://github.com/libuv/libuv/pull/653 and +https://github.com/libuv/libuv/commit/c861972 + +Signed-off-by: Bark, Martin +--- + deps/uv/src/unix/linux-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/deps/uv/src/unix/linux-core.c b/deps/uv/src/unix/linux-core.c +index e6e6828..6cbbb71 100644 +--- a/deps/uv/src/unix/linux-core.c ++++ b/deps/uv/src/unix/linux-core.c +@@ -39,7 +39,7 @@ + #define HAVE_IFADDRS_H 1 + + #ifdef __UCLIBC__ +-# if __UCLIBC_MAJOR__ < 0 || __UCLIBC_MINOR__ < 9 || __UCLIBC_SUBLEVEL__ < 32 ++# if __UCLIBC_MAJOR__ < 0 && __UCLIBC_MINOR__ < 9 && __UCLIBC_SUBLEVEL__ < 32 + # undef HAVE_IFADDRS_H + # endif + #endif +-- +2.6.2 diff --git a/package/nodejs/Config.in b/package/nodejs/Config.in index cdf770552d..7324f6d7f4 100644 --- a/package/nodejs/Config.in +++ b/package/nodejs/Config.in @@ -44,7 +44,7 @@ config BR2_PACKAGE_NODEJS_V8_ARCH_SUPPORTS config BR2_PACKAGE_NODEJS_VERSION_STRING string default "5.5.0" if BR2_PACKAGE_NODEJS_V8_ARCH_SUPPORTS - default "0.10.41" + default "0.10.42" menu "Module Selection" diff --git a/package/nodejs/nodejs.hash b/package/nodejs/nodejs.hash index e65f14ada0..a3faa5a455 100644 --- a/package/nodejs/nodejs.hash +++ b/package/nodejs/nodejs.hash 
@@ -1,5 +1,5 @@ -# From upstream URL: http://nodejs.org/dist/v0.10.41/SHASUMS256.txt -sha256 79f694e2a5c42543b75d0c69f6860499d7593136d0f6b59e7163b9e66fb2c995 node-v0.10.41.tar.gz +# From upstream URL: http://nodejs.org/dist/v0.10.42/SHASUMS256.txt +sha256 9b4cc1b5bc397d80dfe217625b04bb6212a3b5a8b1e0eb36000a30d7ae567b8a node-v0.10.42.tar.xz # From upstream URL: http://nodejs.org/dist/v5.5.0/SHASUMS256.txt sha256 9c46b4dc9548e43826f71f6571f56e39783c456b9516045b496ea73321731e22 node-v5.5.0.tar.xz diff --git a/package/nodejs/nodejs.mk b/package/nodejs/nodejs.mk index 37de331f12..63ae4631fd 100644 --- a/package/nodejs/nodejs.mk +++ b/package/nodejs/nodejs.mk @@ -5,11 +5,7 @@ ################################################################################ NODEJS_VERSION = $(call qstrip,$(BR2_PACKAGE_NODEJS_VERSION_STRING)) -ifeq ($(findstring 0.10.,$(NODEJS_VERSION)),) NODEJS_SOURCE = node-v$(NODEJS_VERSION).tar.xz -else -NODEJS_SOURCE = node-v$(NODEJS_VERSION).tar.gz -endif NODEJS_SITE = http://nodejs.org/dist/v$(NODEJS_VERSION) NODEJS_DEPENDENCIES = host-python host-nodejs zlib \ $(call qstrip,$(BR2_PACKAGE_NODEJS_MODULES_ADDITIONAL_DEPS))
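Review bot: The new sha256 for `node-v0.10.42.tar.xz` in nodejs.hash is recorded as coming from `http://nodejs.org/dist/v0.10.42/SHASUMS256.txt`, a plain-HTTP URL, so the pinned value is only as trustworthy as that unauthenticated fetch. The pin protects later tarball downloads, but the hash itself should be taken over HTTPS and, if upstream publishes a signed `SHASUMS256.txt.asc` for this release, checked against it. Once that is done the comment could read `# From upstream URL: https://nodejs.org/dist/v0.10.42/SHASUMS256.txt (checked against SHASUMS256.txt.asc)`. The same applies to the unchanged v5.5.0 entry and to the `NODEJS_SITE = http://nodejs.org/dist/v$(NODEJS_VERSION)` context line in the nodejs.mk hunk, which this commit leaves as is.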
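Review bot: With the `ifeq ($(findstring 0.10.,$(NODEJS_VERSION)),)` branch removed in nodejs.mk, `NODEJS_SOURCE` is `.tar.xz` for every version, and nothing in the file records why. Per the commit message, that archive exists for 0.10.x only from v0.10.42 onward. A one-line comment above the assignment, e.g. `# 0.10.x tarballs are published as .tar.xz from v0.10.42 onward`, would explain a download failure if the 0.10 default is ever moved to an older release. The rest of nodejs.mk is outside this hunk.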