zlib: gracefully set windowBits from 8 to 9#16511
Merged
Uh oh!
There was an error while loading. Please reload this page.
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
addaleax added lts-watch-v4.x zlib 
lpinca approved these changes Oct 26, 2017
doc/api/zlib.md Outdated
doc/api/zlib.md Outdated
Contributor
There was a problem hiding this comment.
not a big deal, but behavior (without the u) is used in the previous sentence 😄
jasnell approved these changes Oct 26, 2017
cjihrig approved these changes Oct 26, 2017
Contributor
MylesBorins commented Oct 26, 2017
After your research did you determine that we did not want to modify inflate stream |
MemberAuthor
addaleax commented Oct 26, 2017
At least for now that seems like a sensible course of action. |
refack approved these changes Oct 26, 2017
4 tasks
Member
jasnell commented Oct 29, 2017
This needs needs a rebase and will need to land before noon pacific time today to make it in to 9.0.0 |
On 4 April 2017, Node.js versions v4.8.2 and v6.10.2 were released. These versions bumped the vendored zlib library from v1.2.8 to v1.2.11 in response to what it describes as low-severity CVEs. In zlib v1.2.9, a change was made that causes an error to be raised when a raw deflate stream is initialised with windowBits set to 8. In zlib v1.2.9, 8 become an invalid value for this parameter, and Node's zlib module will crash if you call this: ``` zlib.createDeflateRaw({windowBits: 8}) ``` On some versions this crashes Node and you cannot recover from it, while on some versions it throws an exception. The permessage-deflate library up to version v0.1.5 does make such a call with no try/catch This commit reverts to the original behavior of zlib by gracefully changed windowBits: 8 to windowBits: 9 for raw deflate streams. Original-PR-URL: nodejs-private/node-private#95 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Evan Lucas <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Sam Roberts <[email protected]> PR-URL: nodejs#16511 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Refael Ackermann <[email protected]>Fixes: nodejs#14847 PR-URL: nodejs#16511 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Refael Ackermann <[email protected]>
addaleaxforce-pushed the zlib-windowsbits-8 branch from 74d69ab to 25ef9d2CompareMemberAuthor
addaleax commented Oct 29, 2017
Member
gibfahn commented Oct 30, 2017
Should this be backported to |
Member
lpinca commented Oct 30, 2017
@gibfahn no it's already there. |
Member
25ef9d2 could be backported. |
MemberAuthor
addaleax commented Oct 30, 2017
@lpinca Yup, that’s why I’m doing now :) |
addaleax added a commit to addaleax/node that referenced this pull request Oct 30, 2017
Fixes: nodejs#14847 Original-PR-URL: nodejs#16511 Original-Reviewed-By: Luigi Pinca <[email protected]> Original-Reviewed-By: James M Snell <[email protected]> Original-Reviewed-By: Colin Ihrig <[email protected]> Original-Reviewed-By: Michael Dawson <[email protected]> Original-Reviewed-By: Refael Ackermann <[email protected]>
gibfahn pushed a commit to gibfahn/node that referenced this pull request Oct 30, 2017
Fixes: nodejs#14847 PR-URL: nodejs#16511 Backport-PR-URL: nodejs#16623 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Refael Ackermann <[email protected]>
gibfahn pushed a commit that referenced this pull request Oct 30, 2017
Fixes: #14847 PR-URL: #16511 Backport-PR-URL: #16623 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Refael Ackermann <[email protected]>
gibfahn pushed a commit that referenced this pull request Oct 30, 2017
Fixes: #14847 PR-URL: #16511 Backport-PR-URL: #16623 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Refael Ackermann <[email protected]>
gibfahn pushed a commit that referenced this pull request Oct 31, 2017
Fixes: #14847 PR-URL: #16511 Backport-PR-URL: #16623 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Refael Ackermann <[email protected]>
Merged
Qard pushed a commit to ayojs/ayo that referenced this pull request Nov 2, 2017
On 4 April 2017, Node.js versions v4.8.2 and v6.10.2 were released. These versions bumped the vendored zlib library from v1.2.8 to v1.2.11 in response to what it describes as low-severity CVEs. In zlib v1.2.9, a change was made that causes an error to be raised when a raw deflate stream is initialised with windowBits set to 8. In zlib v1.2.9, 8 become an invalid value for this parameter, and Node's zlib module will crash if you call this: ``` zlib.createDeflateRaw({windowBits: 8}) ``` On some versions this crashes Node and you cannot recover from it, while on some versions it throws an exception. The permessage-deflate library up to version v0.1.5 does make such a call with no try/catch This commit reverts to the original behavior of zlib by gracefully changed windowBits: 8 to windowBits: 9 for raw deflate streams. Original-PR-URL: https://github.com/nodejs-private/node-private/pull/95 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Evan Lucas <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Sam Roberts <[email protected]> PR-URL: nodejs/node#16511 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Refael Ackermann <[email protected]>Qard pushed a commit to ayojs/ayo that referenced this pull request Nov 2, 2017
Fixes: nodejs/node#14847 PR-URL: nodejs/node#16511 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Refael Ackermann <[email protected]>
Qard pushed a commit to ayojs/ayo that referenced this pull request Nov 2, 2017
On 4 April 2017, Node.js versions v4.8.2 and v6.10.2 were released. These versions bumped the vendored zlib library from v1.2.8 to v1.2.11 in response to what it describes as low-severity CVEs. In zlib v1.2.9, a change was made that causes an error to be raised when a raw deflate stream is initialised with windowBits set to 8. In zlib v1.2.9, 8 become an invalid value for this parameter, and Node's zlib module will crash if you call this: ``` zlib.createDeflateRaw({windowBits: 8}) ``` On some versions this crashes Node and you cannot recover from it, while on some versions it throws an exception. The permessage-deflate library up to version v0.1.5 does make such a call with no try/catch This commit reverts to the original behavior of zlib by gracefully changed windowBits: 8 to windowBits: 9 for raw deflate streams. Original-PR-URL: https://github.com/nodejs-private/node-private/pull/95 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Evan Lucas <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Sam Roberts <[email protected]> PR-URL: nodejs/node#16511 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Refael Ackermann <[email protected]>Qard pushed a commit to ayojs/ayo that referenced this pull request Nov 2, 2017
Fixes: nodejs/node#14847 PR-URL: nodejs/node#16511 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Refael Ackermann <[email protected]>
Contributor
MylesBorins commented Nov 16, 2017
@addaleax do you want to backport the updated documentation to v6.x? |
MemberAuthor
addaleax commented Nov 16, 2017
@MylesBorins yes, and the variant that landed in v8.x (a6b3cd8) should apply cleanly |
Contributor
Done! |
MylesBorins pushed a commit that referenced this pull request Nov 16, 2017
Fixes: #14847 PR-URL: #16511 Backport-PR-URL: #16623 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Refael Ackermann <[email protected]>
Merged
MylesBorins pushed a commit that referenced this pull request Nov 21, 2017
Fixes: #14847 PR-URL: #16511 Backport-PR-URL: #16623 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Refael Ackermann <[email protected]>
MylesBorins pushed a commit that referenced this pull request Nov 28, 2017
Fixes: #14847 PR-URL: #16511 Backport-PR-URL: #16623 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Refael Ackermann <[email protected]>
addaleax pushed a commit to ayojs/ayo that referenced this pull request Dec 7, 2017
On 4 April 2017, Node.js versions v4.8.2 and v6.10.2 were released. These versions bumped the vendored zlib library from v1.2.8 to v1.2.11 in response to what it describes as low-severity CVEs. In zlib v1.2.9, a change was made that causes an error to be raised when a raw deflate stream is initialised with windowBits set to 8. In zlib v1.2.9, 8 become an invalid value for this parameter, and Node's zlib module will crash if you call this: ``` zlib.createDeflateRaw({windowBits: 8}) ``` On some versions this crashes Node and you cannot recover from it, while on some versions it throws an exception. The permessage-deflate library up to version v0.1.5 does make such a call with no try/catch This commit reverts to the original behavior of zlib by gracefully changed windowBits: 8 to windowBits: 9 for raw deflate streams. Original-PR-URL: nodejs-private/node-private#95 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Evan Lucas <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Sam Roberts <[email protected]> PR-URL: nodejs/node#16511 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Refael Ackermann <[email protected]>addaleax added a commit to ayojs/ayo that referenced this pull request Dec 7, 2017
Fixes: nodejs/node#14847 PR-URL: nodejs/node#16511 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Refael Ackermann <[email protected]>
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment
11 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
After looking into the details of the
zlibbehaviour when asked for 8-/9-bit windows more closely, this patch makes sense. I’ve updated the documentation & the test commentary to account for that.(Addling lts-watch labels for the test/doc updates.)
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passesAffected core subsystem(s)
zlib