Package: guix
Reported by: "Dr. Arne Babenhauserheide" <arne_bab <at> web.de>
Date: Tue, 14 Mar 2023 06:07:01 UTC
Severity: normal
Tags: patch
Done: Nicolas Goaziou <mail <at> nicolasgoaziou.fr>
Bug is archived. No further changes may be made.
From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: "Dr. Arne Babenhauserheide" <arne_bab <at> web.de>
Subject: bug#62177: closed (Re: [PATCH] [WIP] update node to version 16)
Date: Sat, 01 Mar 2025 10:49:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#62177: [PATCH] [WIP] update node to version 16

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 62177 <at> debbugs.gnu.org.

--
62177: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=62177
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Nicolas Goaziou <mail <at> nicolasgoaziou.fr>
To: 62177-done <at> debbugs.gnu.org
Subject: Re: [PATCH] [WIP] update node to version 16
Date: Sat, 01 Mar 2025 11:48:05 +0100

Closing as node is currently at a higher version.
[Message part 3 (message/rfc822, inline)]
From: "Dr. Arne Babenhauserheide" <arne_bab <at> web.de>
To: bug-guix <at> gnu.org
Subject: [PATCH] [WIP] update node to version 16
Date: Tue, 14 Mar 2023 07:02:14 +0100

[Message part 4 (text/plain, inline)]

Hi,

this is an initial stab at getting node to version 16. It is far from perfect, but I hope it gives someone a good starting point to move forward.

The llhttp bootstrap fixes are currently commented out — I’m not sure what these should be doing and how they interact with node — so this cannot be merged as is.

[0001-WIP-try-to-update-node-to-16.19.0.patch (text/x-patch, inline)]

From 14d58ab181c9087420a5f955d28d72cb086884fc Mon Sep 17 00:00:00 2001 From: Arne Babenhauserheide <arne_bab <at> web.de> Date: Sat, 28 Jan 2023 20:45:16 +0100 Subject: [PATCH] WIP try to update node to 16.19.0 --- gnu/packages/node.scm | 40 +++++++++++++++++++++------------------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/gnu/packages/node.scm b/gnu/packages/node.scm index be39f3b25a..34d13d849c 100644 --- a/gnu/packages/node.scm +++ b/gnu/packages/node.scm @@ -668,7 +668,7 @@ (define-public node-llparse-bootstrap (define-public llhttp-bootstrap (package (name "llhttp") - (version "2.1.4") + (version "8.1.0") (source (origin (method git-fetch) (uri (git-reference @@ -677,7 +677,7 @@ (define-public llhttp-bootstrap (file-name (git-file-name name version)) (sha256 (base32 - "115mwyds9655p76lhglxg2blc1ksgrix6zhigaxnc2q6syy3pa6x")) + "1cq3q3jybibppjhhiymdfmnqgbvn77j7b4ks7lil0lrc3vnnp87f")) (patches (search-patches "llhttp-bootstrap-CVE-2020-8287.patch")) (modules '((guix build utils))) (snippet
@@ -738,14 +738,14 @@ (define-public llhttp-bootstrap (define-public node-lts (package (inherit node) - (version "14.19.3") + (version "16.19.0") (source (origin (method url-fetch) (uri (string-append "https://nodejs.org/dist/v" version "/node-v" version ".tar.xz")) (sha256 (base32 - "15691j5zhiikyamiwwd7f282g6d9acfhq91nrwx54xya38gmpx2w")) + "01k72p0hp4lhlpz1syd9cbkm2gpfww0hn10xdpmzd4i3x8dfq7sg")) (modules '((guix build utils))) (snippet `(begin @@ -808,9 +808,12 @@ (define-public node-lts ;; FIXME: These tests fail in the build container, but they don't ;; seem to be indicative of real problems in practice. (for-each delete-file - '("test/parallel/test-cluster-master-error.js" - "test/parallel/test-cluster-master-kill.js")) + '("test/parallel/test-cluster-primary-error.js" + "test/parallel/test-cluster-primary-kill.js")) + ;; requires /bin/sh + (delete-file "test/parallel/test-stdin-from-file-spawn.js") + ;; These require a DNS resolver. (for-each delete-file '("test/parallel/test-dns.js" @@ -818,8 +821,7 @@ (define-public node-lts ;; These tests require networking. (for-each delete-file - '("test/parallel/test-https-agent-unref-socket.js" - "test/parallel/test-corepack-yarn-install.js")) + '("test/parallel/test-https-agent-unref-socket.js")) ;; This test is timing-sensitive, and fails sporadically on ;; slow, busy, or even very fast machines. 
@@ -847,21 +849,21 @@ (define-public node-lts ;; TLS certificates that are bundled with the source. We want this ;; package to be reproducible forever, so remove those. ;; TODO: Regenerate certs instead. - (for-each delete-file + (for-each (λ(x)(display x)(delete-file x)) '("test/parallel/test-tls-passphrase.js" "test/parallel/test-tls-server-verify.js")))) (add-after 'delete-problematic-tests 'replace-llhttp-sources - (lambda* (#:key inputs #:allow-other-keys) + (lambda* (#:key inputs #:allow-other-keys) #f)))))) ;; Replace pre-generated llhttp sources - (let ((llhttp (assoc-ref inputs "llhttp"))) - (copy-file (string-append llhttp "/src/llhttp.c") - "deps/llhttp/src/llhttp.c") - (copy-file (string-append llhttp "/src/api.c") - "deps/llhttp/src/api.c") - (copy-file (string-append llhttp "/src/http.c") - "deps/llhttp/src/http.c") - (copy-file (string-append llhttp "/include/llhttp.h") - "deps/llhttp/include/llhttp.h")))))))) + ;;(let ((llhttp (assoc-ref inputs "llhttp"))) + ;; (copy-file (string-append llhttp "/src/llhttp.c") + ;; "deps/llhttp/src/llhttp.c") + ;; (copy-file (string-append llhttp "/src/api.c") + ;; "deps/llhttp/src/api.c") + ;; (copy-file (string-append llhttp "/src/http.c") + ;; "deps/llhttp/src/http.c") + ;; (copy-file (string-append llhttp "/include/llhttp.h") + ;; "deps/llhttp/include/llhttp.h")))))))) (native-inputs (list ;; Runtime dependencies for binaries used as a bootstrap. c-ares-for-node -- 2.39.2

[Message part 6 (text/plain, inline)]

Updating llhttp also needs the CVE-2020-8287 patch to be removed (it is fixed upstream).

[0001-gnu-do-not-patch-llhttp-bootstrap-CVE-2020-8287-is-f.patch (text/x-patch, inline)]

From 4e9e7905a9a8792b164e96aa31e0dcf3945283d2 Mon Sep 17 00:00:00 2001
From: Arne Babenhauserheide <arne_bab <at> web.de> Date: Tue, 14 Mar 2023 06:48:38 +0100 Subject: [PATCH] gnu: do not patch llhttp-bootstrap: CVE-2020-8287 is fixed in node 16 upstream. --- gnu/local.mk | 1 - gnu/packages/node.scm | 1 - .../llhttp-bootstrap-CVE-2020-8287.patch | 100 ------------------ 3 files changed, 102 deletions(-) delete mode 100644 gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch diff --git a/gnu/local.mk b/gnu/local.mk index 403c5f483e..0efa292322 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1492,7 +1492,6 @@ dist_patch_DATA = \ %D%/packages/patches/linuxdcpp-openssl-1.1.patch \ %D%/packages/patches/lirc-localstatedir.patch \ %D%/packages/patches/lirc-reproducible-build.patch \ - %D%/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch \ %D%/packages/patches/llvm-3.5-fix-clang-build-with-gcc5.patch \ %D%/packages/patches/llvm-3.6-fix-build-with-gcc-10.patch \ %D%/packages/patches/llvm-3.x.1-fix-build-with-gcc.patch \ diff --git a/gnu/packages/node.scm b/gnu/packages/node.scm index 34d13d849c..774c0b3ae8 100644 --- a/gnu/packages/node.scm +++ b/gnu/packages/node.scm @@ -678,7 +678,6 @@ (define-public llhttp-bootstrap (sha256 (base32 "1cq3q3jybibppjhhiymdfmnqgbvn77j7b4ks7lil0lrc3vnnp87f")) - (patches (search-patches "llhttp-bootstrap-CVE-2020-8287.patch")) (modules '((guix build utils))) (snippet '(begin diff --git a/gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch b/gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch deleted file mode 100644 index 215c920e53..0000000000 --- a/gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -This patch comes from upstream. It corresponds to a patch applied to -the generated C source code for llhttp included in Node.js 14.16.0 -(see commit 641f786bb1a1f6eb1ff8750782ed939780f2b31a). That commit -fixes CVE-2020-8287. With this patch, the output of our -llhttp-bootstrap package matches the files included in Node.js 14.16.0 -exactly. - -commit e9b36ea64709c35ca66094d5cf3787f444029601 -Author: Fedor Indutny <fedor <at> indutny.com> -Date: Sat Oct 10 19:56:01 2020 -0700 - - http: unset `F_CHUNKED` on new `Transfer-Encoding` - - Duplicate `Transfer-Encoding` header should be a treated as a single, - but with original header values concatenated with a comma separator. In - the light of this, even if the past `Transfer-Encoding` ended with - `chunked`, we should be not let the `F_CHUNKED` to leak into the next - header, because mere presence of another header indicates that `chunked` - is not the last transfer-encoding token. - -diff --git a/src/llhttp/http.ts b/src/llhttp/http.ts -index f4f1a6e..0a0c365 100644 ---- a/src/llhttp/http.ts -+++ b/src/llhttp/http.ts -@@ -460,11 +460,19 @@ export class HTTP { - .match([ ' ', '\t' ], n('header_value_discard_ws')) - .otherwise(checkContentLengthEmptiness); - -+ // Multiple `Transfer-Encoding` headers should be treated as one, but with -+ // values separate by a comma. 
-+ // -+ // See: https://tools.ietf.org/html/rfc7230#section-3.2.2 -+ const toTransferEncoding = this.unsetFlag( -+ FLAGS.CHUNKED, -+ 'header_value_te_chunked'); -+ - n('header_value_start') - .otherwise(this.load('header_state', { - [HEADER_STATE.UPGRADE]: this.setFlag(FLAGS.UPGRADE, fallback), - [HEADER_STATE.TRANSFER_ENCODING]: this.setFlag( -- FLAGS.TRANSFER_ENCODING, 'header_value_te_chunked'), -+ FLAGS.TRANSFER_ENCODING, toTransferEncoding), - [HEADER_STATE.CONTENT_LENGTH]: n('header_value_content_length_once'), - [HEADER_STATE.CONNECTION]: n('header_value_connection'), - }, 'header_value')); -@@ -847,6 +855,11 @@ export class HTTP { - return span.start(span.end(this.node(next))); - } - -+ private unsetFlag(flag: FLAGS, next: string | Node): Node { -+ const p = this.llparse; -+ return p.invoke(p.code.and('flags', ~flag), this.node(next)); -+ } -+ - private setFlag(flag: FLAGS, next: string | Node): Node { - const p = this.llparse; - return p.invoke(p.code.or('flags', flag), this.node(next)); -diff --git a/test/request/transfer-encoding.md b/test/request/transfer-encoding.md -index a7d1681..b0891d6 100644 ---- a/test/request/transfer-encoding.md -+++ b/test/request/transfer-encoding.md -@@ -353,6 +353,38 @@ off=106 headers complete method=3 v=1/1 flags=200 content_length=0 - off=106 error code=15 reason="Request has invalid `Transfer-Encoding`" - ``` - -+## POST with `chunked` and duplicate transfer-encoding -+ -+<!-- meta={"type": "request", "noScan": true} --> -+```http -+POST /post_identity_body_world?q=search#hey HTTP/1.1 -+Accept: */* -+Transfer-Encoding: chunked -+Transfer-Encoding: deflate -+ -+World -+``` -+ -+```log -+off=0 message begin -+off=5 len=38 span[url]="/post_identity_body_world?q=search#hey" -+off=44 url complete -+off=54 len=6 span[header_field]="Accept" -+off=61 header_field complete -+off=62 len=3 span[header_value]="*/*" -+off=67 header_value complete -+off=67 len=17 span[header_field]="Transfer-Encoding" -+off=85 header_field complete 
-+off=86 len=7 span[header_value]="chunked" -+off=95 header_value complete -+off=95 len=17 span[header_field]="Transfer-Encoding" -+off=113 header_field complete -+off=114 len=7 span[header_value]="deflate" -+off=123 header_value complete -+off=125 headers complete method=3 v=1/1 flags=200 content_length=0 -+off=125 error code=15 reason="Request has invalid `Transfer-Encoding`" -+``` -+ - ## POST with `chunked` before other transfer-coding (lenient) - - TODO(indutny): should we allow it even in lenient mode? (Consider disabling -- 2.39.2

[Message part 8 (text/plain, inline)]

Best wishes,
Arne
--
Being unpolitical means being political without noticing it.
draketo.de

[signature.asc (application/pgp-signature, inline)]
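Review bot: in the first patch's `@@ -677,7 +677,7 @@` hunk, the unchanged context line `(patches (search-patches "llhttp-bootstrap-CVE-2020-8287.patch"))` means this commit still applies the old patch to the 8.1.0 checkout, although the patch's own header says it was written to match the llhttp files included in Node.js 14.16.0. The removal currently lives in the second patch; folding it into this commit would keep every commit in the series buildable on its own.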
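Review bot: the new comment `;; requires /bin/sh` in the first patch's `@@ -808,9 +808,12 @@` hunk does not match the neighbouring comments, which are full sentences ("These require a DNS resolver."), and it does not say why the test is deleted rather than fixed. Suggest `;; This test requires /bin/sh.`, and consider whether substituting the store's `sh` into test/parallel/test-stdin-from-file-spawn.js would let the test stay enabled.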
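Review bot: the first patch's `@@ -818,8 +821,7 @@` hunk drops "test/parallel/test-corepack-yarn-install.js" from the list headed `;; These tests require networking.` without any explanation. If the file no longer exists in the 16.19.0 tarball, say so in the commit message; if it does exist, it will run in the build container without network access and should stay in the list.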
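Review bot: in the first patch's `@@ -847,21 +849,21 @@` hunk the `replace-llhttp-sources` phase is reduced to `(lambda* (#:key inputs #:allow-other-keys) #f)` with its body commented out, so node is built from the pre-generated deps/llhttp files shipped in the tarball and the "llhttp" input is no longer copied in. Either restore the four copy-file calls against the layout of the new llhttp output, or drop the phase explicitly and explain why; as posted, the replacement of pre-generated sources silently disappears while the phase name still claims it happens. The `(λ(x)(display x)(delete-file x))` substitution for `delete-file` in the same hunk looks like debugging output and should be reverted before merge.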
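Review bot: the second patch's `@@ -678,7 +678,6 @@` hunk in gnu/packages/node.scm removes the CVE-2020-8287 patch from llhttp-bootstrap, but the commit subject justifies this with "fixed in node 16 upstream" while the source left unpatched is llhttp 8.1.0. The deleted patch header names upstream llhttp commit e9b36ea64709c35ca66094d5cf3787f444029601 (the `unsetFlag(FLAGS.CHUNKED, ...)` change in src/llhttp/http.ts); the commit message should state that the 8.1.0 source contains that change, ideally after checking that the "POST with `chunked` and duplicate transfer-encoding" case is present in its test/request/transfer-encoding.md. The message would also be easier to review in the usual `gnu: llhttp-bootstrap: ...` form with per-file entries for gnu/local.mk and the deleted patch file.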