File CVE-2018-12120.patch of Package nodejs4
Date: Tue Jan 8 13:44:29 CET 2019 Ported from, From a9791c9090927b41a8bbfad254a2279204508059 Mon Sep 17 00:00:00 2001 From: Ben Noordhuis <info@bnoordhuis.nl> Date: Mon, 15 Aug 2016 11:23:34 +0200 Subject: [PATCH] src: make debugger listen on 127.0.0.1 by default CVE-2018-12120 Backport of 8e7cbe2 to v6.x Prepared by Sam Roberts <vieuxtech@gmail.com> Original commit: Commit 2272052 ("net: bind to `::` TCP address by default") from April 2014 seems to have accidentally changed the default listen address from 127.0.0.1 to 0.0.0.0, a.k.a. the "any" address. From a security viewpoint it's undesirable to accept debug agent connections from anywhere so let's change that back. Users can override the default with the `--debug=<host>:<port>` switch. Fixes: https://github.com/nodejs/node/issues/8081 PR-URL: https://github.com/nodejs/node/pull/8106 Reviewed-By: James M Snell <jasnell@gmail.com> PR-URL: https://github.com/nodejs-private/node-private/pull/148 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> Index: node-v4.9.1/src/debug-agent.cc =================================================================== --- node-v4.9.1.orig/src/debug-agent.cc +++ node-v4.9.1/src/debug-agent.cc @@ -70,7 +70,7 @@ Agent::~Agent() { } -bool Agent::Start(const std::string& host, int port, bool wait) { +bool Agent::Start(const char* host, int port, bool wait) { int err; if (state_ == kRunning) Index: node-v4.9.1/src/debug-agent.h =================================================================== --- node-v4.9.1.orig/src/debug-agent.h +++ node-v4.9.1/src/debug-agent.h 
@@ -74,7 +74,7 @@ class Agent { typedef void (*DispatchHandler)(node::Environment* env); // Start the debugger agent thread - bool Start(const std::string& host, int port, bool wait); + bool Start(const char* host, int port, bool wait); // Listen for debug events void Enable(); // Stop the debugger agent Index: node-v4.9.1/src/node.cc =================================================================== --- node-v4.9.1.orig/src/node.cc +++ node-v4.9.1/src/node.cc @@ -143,7 +143,7 @@ static unsigned int preload_module_count static const char** preload_modules = nullptr; static bool use_debug_agent = false; static bool debug_wait_connect = false; -static std::string debug_host; // NOLINT(runtime/string) +static std::string* debug_host; // coverity[leaked_storage] static int debug_port = 5858; static bool prof_process = false; static bool v8_is_profiling = false; @@ -3346,7 +3346,7 @@ static bool ParseDebugOpt(const char* ar return true; } - std::string* const the_host = &debug_host; + std::string** const the_host = &debug_host; int* const the_port = &debug_port; // FIXME(bnoordhuis) Move IPv6 address parsing logic to lib/net.js. @@ -3354,7 +3354,7 @@ static bool ParseDebugOpt(const char* ar // in net.Server#listen() and net.Socket#connect(). const size_t port_len = strlen(port); if (port[0] == '[' && port[port_len - 1] == ']') { - the_host->assign(port + 1, port_len - 2); + *the_host = new std::string(port + 1, port_len - 2); return true; } @@ -3364,13 +3364,13 @@ static bool ParseDebugOpt(const char* ar // if it's not all decimal digits, it's a host name. for (size_t n = 0; port[n] != '\0'; n += 1) { if (port[n] < '0' || port[n] > '9') { - *the_host = port; + *the_host = new std::string(port); return true; } } } else { const bool skip = (colon > port && port[0] == '[' && colon[-1] == ']'); - the_host->assign(port + skip, colon - skip); + *the_host = new std::string(port + skip, colon - skip); } char* endptr; 
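Review bot: The comment above `Start` in debug-agent.h does not state the contract for the new `const char* host` parameter, and unlike the old `const std::string&` a null pointer now compiles. Suggest extending it to something like `// Start the debugger agent thread. |host| must be a non-null, NUL-terminated address or host name.` Whether the agent copies the string or keeps the pointer is not visible in these hunks, so the lifetime requirement should be added by someone who can see the body of `Agent::Start` in debug-agent.cc.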
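Review bot: Each of the three `*the_host = new std::string(...)` assignments in ParseDebugOpt (the hunks at -3354 and -3364) overwrites the previous pointer without releasing it, so a command line carrying more than one debug option with a host part leaks the earlier strings. The `coverity[leaked_storage]` annotation on the declaration suggests the final value is leaked on purpose, but the intermediate ones serve no purpose; a `delete *the_host;` before each assignment would release them, and deleting a null pointer is a no-op. ParseDebugOpt starts and ends outside these hunks, so that it runs once per matching argument is an assumption.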
@@ -3622,11 +3622,12 @@ static void StartDebug(Environment* env, env->debugger_agent()->set_dispatch_handler( DispatchMessagesDebugAgentCallback); + const char* host = debug_host ? debug_host->c_str() : "127.0.0.1"; debugger_running = - env->debugger_agent()->Start(debug_host, debug_port, wait); + env->debugger_agent()->Start(host, debug_port, wait); if (debugger_running == false) { fprintf(stderr, "Starting debugger on %s:%d failed\n", - debug_host.c_str(), debug_port); + host, debug_port); fflush(stderr); return; } Index: node-v4.9.1/test/sequential/test-debug-host-port.js =================================================================== --- node-v4.9.1.orig/test/sequential/test-debug-host-port.js +++ node-v4.9.1/test/sequential/test-debug-host-port.js @@ -5,7 +5,7 @@ const assert = require('assert'); const spawn = require('child_process').spawn; let run = () => {}; -function test(args, re) { +function test(args, needle) { const next = run; run = () => { const options = {encoding: 'utf8'}; 
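Review bot: The loopback default in `const char* host = debug_host ? debug_host->c_str() : "127.0.0.1";` applies only when no host string was allocated, not when the parsed host is empty. The ParseDebugOpt hunks allocate a string even for an empty host part (an option value of `[]` yields `std::string(port + 1, 0)`, and a value starting with a colon yields an empty range), so `host` becomes `""` instead of `127.0.0.1`. How `Agent::Start` treats an empty host is not visible here; if it falls back to the wildcard address, the exposure this patch is meant to close stays reachable through such a value. Treating empty as unset avoids the question: `const char* host = (debug_host && !debug_host->empty()) ? debug_host->c_str() : "127.0.0.1";`. StartDebug's body starts and ends outside the hunk.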
@@ -14,34 +14,32 @@ function test(args, re) { proc.stderr.setEncoding('utf8'); proc.stderr.on('data', (data) => { stderr += data; - if (re.test(stderr)) proc.kill(); + if (stderr.includes(needle)) proc.kill(); }); proc.on('exit', common.mustCall(() => { - assert(re.test(stderr)); + assert(stderr.includes(needle)); next(); })); }; } -test(['--debug-brk'], /Debugger listening on (\[::\]|0\.0\.0\.0):5858/); -test(['--debug-brk=1234'], /Debugger listening on (\[::\]|0\.0\.0\.0):1234/); -test(['--debug-brk=127.0.0.1'], /Debugger listening on 127\.0\.0\.1:5858/); -test(['--debug-brk=127.0.0.1:1234'], /Debugger listening on 127\.0\.0\.1:1234/); -test(['--debug-brk=localhost'], - /Debugger listening on (\[::\]|127\.0\.0\.1):5858/); -test(['--debug-brk=localhost:1234'], - /Debugger listening on (\[::\]|127\.0\.0\.1):1234/); +test(['--debug-brk'], 'Debugger listening on 127.0.0.1:5858'); +test(['--debug-brk=1234'], 'Debugger listening on 127.0.0.1:1234'); +test(['--debug-brk=0.0.0.0'], 'Debugger listening on 0.0.0.0:5858'); +test(['--debug-brk=0.0.0.0:1234'], 'Debugger listening on 0.0.0.0:1234'); +test(['--debug-brk=localhost'], 'Debugger listening on 127.0.0.1:5858'); +test(['--debug-brk=localhost:1234'], 'Debugger listening on 127.0.0.1:1234'); if (common.hasIPv6) { - test(['--debug-brk=::'], /Debug port must be in range 1024 to 65535/); - test(['--debug-brk=::0'], /Debug port must be in range 1024 to 65535/); - test(['--debug-brk=::1'], /Debug port must be in range 1024 to 65535/); - test(['--debug-brk=[::]'], /Debugger listening on \[::\]:5858/); - test(['--debug-brk=[::0]'], /Debugger listening on \[::\]:5858/); - test(['--debug-brk=[::]:1234'], /Debugger listening on \[::\]:1234/); - test(['--debug-brk=[::0]:1234'], /Debugger listening on \[::\]:1234/); + test(['--debug-brk=::'], 'Debug port must be in range 1024 to 65535'); + test(['--debug-brk=::0'], 'Debug port must be in range 1024 to 65535'); + test(['--debug-brk=::1'], 'Debug port must be in range 1024 to 
65535'); + test(['--debug-brk=[::]'], 'Debugger listening on [::]:5858'); + test(['--debug-brk=[::0]'], 'Debugger listening on [::]:5858'); + test(['--debug-brk=[::]:1234'], 'Debugger listening on [::]:1234'); + test(['--debug-brk=[::0]:1234'], 'Debugger listening on [::]:1234'); test(['--debug-brk=[::ffff:127.0.0.1]:1234'], - /Debugger listening on \[::ffff:127\.0\.0\.1\]:1234/); + 'Debugger listening on [::ffff:127.0.0.1]:1234'); } run(); // Runs tests in reverse order. Index: node-v4.9.1/test/parallel/test-debug-port-cluster.js =================================================================== --- node-v4.9.1.orig/test/parallel/test-debug-port-cluster.js +++ node-v4.9.1/test/parallel/test-debug-port-cluster.js @@ -16,8 +16,7 @@ child.stderr.setEncoding('utf8'); const checkMessages = common.mustCall(() => { for (let port = PORT_MIN; port <= PORT_MAX; port += 1) { - const re = RegExp(`Debugger listening on (\\[::\\]|0\\.0\\.0\\.0):${port}`); - assert(re.test(stderr)); + const re = stderr.includes(`Debugger listening on 127.0.0.1:${port}`); } }); Index: node-v4.9.1/test/parallel/test-debug-port-from-cmdline.js =================================================================== --- node-v4.9.1.orig/test/parallel/test-debug-port-from-cmdline.js +++ node-v4.9.1/test/parallel/test-debug-port-from-cmdline.js 
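Review bot: In test-debug-port-cluster.js the new line `const re = stderr.includes(...)` stores the result in an unused variable, and the `assert(re.test(stderr))` it replaces is gone, so `checkMessages` no longer fails when a worker reports a different listen address. Since this test is supposed to pin the 127.0.0.1 default introduced for CVE-2018-12120, the result should be asserted: ``assert(stderr.includes(`Debugger listening on 127.0.0.1:${port}`));``.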
@@ -39,10 +39,10 @@ function processStderrLine(line) { function assertOutputLines() { var expectedLines = [ 'Starting debugger agent.', - 'Debugger listening on (\\[::\\]|0\\.0\\.0\\.0):' + debugPort, + 'Debugger listening on 127.0.0.1:' + debugPort, ]; assert.strictEqual(outputLines.length, expectedLines.length); for (var i = 0; i < expectedLines.length; i++) - assert(RegExp(expectedLines[i]).test(outputLines[i])); + assert(expectedLines[i].includes(outputLines[i])); } Index: node-v4.9.1/test/parallel/test-debug-port-numbers.js =================================================================== --- node-v4.9.1.orig/test/parallel/test-debug-port-numbers.js +++ node-v4.9.1/test/parallel/test-debug-port-numbers.js @@ -52,10 +52,7 @@ function kill(child) { process.on('exit', function() { for (const child of children) { - const port = child.test.port; - const one = RegExp(`Debugger listening on (\\[::\\]|0\.0\.0\.0):${port}`); - const two = RegExp(`connecting to 127.0.0.1:${port}`); - assert(one.test(child.test.stdout)); - assert(two.test(child.test.stdout)); + assert(child.test.stdout.includes(`Debugger listening on 127.0.0.1:${child.test.port}`)); + assert(child.test.stdout.includes(`connecting to 127.0.0.1:${child.test.port}`)); } }); Index: node-v4.9.1/test/parallel/test-debug-signal-cluster.js =================================================================== --- node-v4.9.1.orig/test/parallel/test-debug-signal-cluster.js +++ node-v4.9.1/test/parallel/test-debug-signal-cluster.js 
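Review bot: `assert(expectedLines[i].includes(outputLines[i]))` in assertOutputLines has its operands the wrong way round: it passes whenever the captured line is any substring of the expected text, including an empty line, and it fails if the child prints anything around the message. The same line is added in the second hunk of test-debug-signal-cluster.js. Suggest `assert(outputLines[i].includes(expectedLines[i]));` in both places, so that the check requires the expected listen address to appear in the output.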
@@ -61,11 +61,11 @@ process.on('exit', function onExit() { const expectedLines = [ 'Starting debugger agent.', - 'Debugger listening on (\\[::\\]|0\\.0\\.0\\.0):' + (port + 0), + 'Debugger listening on 127.0.0.1:' + (port + 0), 'Starting debugger agent.', - 'Debugger listening on (\\[::\\]|0\\.0\\.0\\.0):' + (port + 1), + 'Debugger listening on 127.0.0.1:' + (port + 1), 'Starting debugger agent.', - 'Debugger listening on (\\[::\\]|0\\.0\\.0\\.0):' + (port + 2), + 'Debugger listening on 127.0.0.1:' + (port + 2), ]; function assertOutputLines() { @@ -77,5 +77,5 @@ function assertOutputLines() { assert.equal(outputLines.length, expectedLines.length); for (var i = 0; i < expectedLines.length; i++) - assert(RegExp(expectedLines[i]).test(outputLines[i])); + assert(expectedLines[i].includes(outputLines[i])); }