Hello,
We added upstream patch provided from [1] during Debian BSP in Paris.

Package build went well, even if we face an error during tests.
This error is referenced and has been commented in bug #766484 and is
related to libssl-dev version.

Please find patch attached.

Regards,
Jean Baptiste

[1] http://blog.nodejs.org/2014/07/31/v8-memory-corruption-stack-overflow/
diff -Nru nodejs-0.10.29~dfsg/debian/changelog nodejs-0.10.29~dfsg/debian/changelog
--- nodejs-0.10.29~dfsg/debian/changelog	2014-06-13 23:58:23.000000000 +0200
+++ nodejs-0.10.29~dfsg/debian/changelog	2014-11-15 13:00:42.000000000 +0100
@@ -1,3 +1,10 @@
+nodejs (0.10.29~dfsg-1.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Add patch for CVE-2014-5256 (Closes: #760385)
+
+ -- Jean Baptiste Favre <deb...@jbfavre.org>  Sat, 15 Nov 2014 13:00:13 +0100
+
 nodejs (0.10.29~dfsg-1) unstable; urgency=medium
 
   * Upstream update.
diff -Nru nodejs-0.10.29~dfsg/debian/patches/fix_CVE-2014-5256.patch nodejs-0.10.29~dfsg/debian/patches/fix_CVE-2014-5256.patch
--- nodejs-0.10.29~dfsg/debian/patches/fix_CVE-2014-5256.patch	1970-01-01 01:00:00.000000000 +0100
+++ nodejs-0.10.29~dfsg/debian/patches/fix_CVE-2014-5256.patch	2014-11-15 13:10:33.000000000 +0100
@@ -0,0 +1,27 @@
+Description: Fix for CVE-2014-5256
+Bug-Node: https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356
+Author: Fedor Indutny <fe...@indutny.com>
+Acked-by: Jean Baptiste Favre <deb...@jbfavre.org>
+Last-Update: 2014-11-15
+Applied-Upstream: https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356
+Index: nodejs-0.10.29~dfsg/deps/v8/src/isolate.h
+===================================================================
+--- nodejs-0.10.29~dfsg.orig/deps/v8/src/isolate.h	2014-11-15 10:45:49.962023622 +0100
++++ nodejs-0.10.29~dfsg/deps/v8/src/isolate.h	2014-11-15 10:45:49.962023622 +0100
+@@ -1392,14 +1392,9 @@
+  public:
+   explicit StackLimitCheck(Isolate* isolate) : isolate_(isolate) { }
+ 
+-  bool HasOverflowed() const {
++  inline bool HasOverflowed() const {
+     StackGuard* stack_guard = isolate_->stack_guard();
+-    // Stack has overflowed in C++ code only if stack pointer exceeds the C++
+-    // stack guard and the limits are not set to interrupt values.
+-    // TODO(214): Stack overflows are ignored if a interrupt is pending. This
+-    // code should probably always use the initial C++ limit.
+-    return (reinterpret_cast<uintptr_t>(this) < stack_guard->climit()) &&
+-           stack_guard->IsStackOverflow();
++    return reinterpret_cast<uintptr_t>(this) < stack_guard->real_climit();
+   }
+  private:
+   Isolate* isolate_;
diff -Nru nodejs-0.10.29~dfsg/debian/patches/series nodejs-0.10.29~dfsg/debian/patches/series
--- nodejs-0.10.29~dfsg/debian/patches/series	2014-06-13 23:36:52.000000000 +0200
+++ nodejs-0.10.29~dfsg/debian/patches/series	2014-11-15 13:00:11.000000000 +0100
@@ -13,3 +13,4 @@
 2014_donotinclude_root_certs.patch
 1006_relax_timeouts_in_tests.patch
 1007_revert_invalid_utf8_fix.patch
+fix_CVE-2014-5256.patch

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel

Reply via email to