diff --git a/ChangeLog b/ChangeLog index a8ff0965eeb278..c063af8db0f218 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,17 @@ +2016-10-18, Version 0.10.48 (Maintenance), @rvagg + +This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/ for details on patched vulnerabilities. + +Notable changes: + +* c-ares: fix for single-byte buffer overwrite, CVE-2016-5180, more information at https://c-ares.haxx.se/adv_20160929.html (Rod Vagg) + +Commits: + +* [a14a6a3a11] - deps: c-ares, avoid single-byte buffer overwrite (Rod Vagg) https://github.com/nodejs/node/pull/9108 +* [b798f598af] - tls: fix minor jslint failure (Rod Vagg) https://github.com/nodejs/node/pull/9107 +* [92b232ba01] - win,build: try multiple timeservers when signing (Rod Vagg) https://github.com/nodejs/node/pull/9155 + 2016-09-27, Version 0.10.47 (Maintenance), @rvagg This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/ for details on patched vulnerabilities. diff --git a/deps/cares/src/ares_mkquery.c b/deps/cares/src/ares_mkquery.c index e33f13ff223216..eabd7ef531b9b5 100644 --- a/deps/cares/src/ares_mkquery.c +++ b/deps/cares/src/ares_mkquery.c @@ -86,56 +86,29 @@ */ int ares_mkquery(const char *name, int dnsclass, int type, unsigned short id, - int rd, unsigned char **buf, int *buflen) + int rd, unsigned char **bufp, int *buflenp) { - int len; + size_t len; unsigned char *q; const char *p; + size_t buflen; + unsigned char *buf; /* Set our results early, in case we bail out early with an error. */ - *buflen = 0; - *buf = NULL; + *buflenp = 0; + *bufp = NULL; - /* Compute the length of the encoded name so we can check buflen. - * Start counting at 1 for the zero-length label at the end. */ - len = 1; - for (p = name; *p; p++) - { - if (*p == '\\' && *(p + 1) != 0) - p++; - len++; - } - /* If there are n periods in the name, there are n + 1 labels, and - * thus n + 1 length fields, unless the name is empty or ends with a - * period. So add 1 unless name is empty or ends with a period. - */ - if (*name && *(p - 1) != '.') - len++; - - /* Immediately reject names that are longer than the maximum of 255 - * bytes that's specified in RFC 1035 ("To simplify implementations, - * the total length of a domain name (i.e., label octets and label - * length octets) is restricted to 255 octets or less."). We aren't - * doing this just to be a stickler about RFCs. For names that are - * too long, 'dnscache' closes its TCP connection to us immediately - * (when using TCP) and ignores the request when using UDP, and - * BIND's named returns ServFail (TCP or UDP). Sending a request - * that we know will cause 'dnscache' to close the TCP connection is - * painful, since that makes any other outstanding requests on that - * connection fail. And sending a UDP request that we know - * 'dnscache' will ignore is bad because resources will be tied up - * until we time-out the request. + /* Allocate a memory area for the maximum size this packet might need. +2 + * is for the length byte and zero termination if no dots or ecscaping is + * used. */ - if (len > MAXCDNAME) - return ARES_EBADNAME; - - *buflen = len + HFIXEDSZ + QFIXEDSZ; - *buf = malloc(*buflen); - if (!*buf) - return ARES_ENOMEM; + len = strlen(name) + 2 + HFIXEDSZ + QFIXEDSZ; + buf = malloc(len); + if (!buf) + return ARES_ENOMEM; /* Set up the header. */ - q = *buf; + q = buf; memset(q, 0, HFIXEDSZ); DNS_HEADER_SET_QID(q, id); DNS_HEADER_SET_OPCODE(q, QUERY); @@ -155,8 +128,10 @@ int ares_mkquery(const char *name, int dnsclass, int type, unsigned short id, q += HFIXEDSZ; while (*name) { - if (*name == '.') + if (*name == '.') { + free (buf); return ARES_EBADNAME; + } /* Count the number of bytes in this label. */ len = 0; @@ -166,8 +141,10 @@ int ares_mkquery(const char *name, int dnsclass, int type, unsigned short id, p++; len++; } - if (len > MAXLABEL) + if (len > MAXLABEL) { + free (buf); return ARES_EBADNAME; + } /* Encode the length and copy the data. */ *q++ = (unsigned char)len; @@ -191,5 +168,22 @@ int ares_mkquery(const char *name, int dnsclass, int type, unsigned short id, DNS_QUESTION_SET_TYPE(q, type); DNS_QUESTION_SET_CLASS(q, dnsclass); + q += QFIXEDSZ; + + buflen = (q - buf); + + /* Reject names that are longer than the maximum of 255 bytes that's + * specified in RFC 1035 ("To simplify implementations, the total length of + * a domain name (i.e., label octets and label length octets) is restricted + * to 255 octets or less."). */ + if (buflen > (MAXCDNAME + HFIXEDSZ + QFIXEDSZ)) { + free (buf); + return ARES_EBADNAME; + } + + /* we know this fits in an int at this point */ + *buflenp = (int) buflen; + *bufp = buf; + return ARES_SUCCESS; } diff --git a/lib/tls.js b/lib/tls.js index 588dce3139e378..3e7bcc2d5522d0 100644 --- a/lib/tls.js +++ b/lib/tls.js @@ -135,9 +135,10 @@ function check(hostParts, pattern, wildcards) { return false; // Check host parts from right to left first. - for (var i = hostParts.length - 1; i > 0; i -= 1) + for (var i = hostParts.length - 1; i > 0; i -= 1) { if (hostParts[i] !== patternParts[i]) return false; + } var hostSubdomain = hostParts[0]; var patternSubdomain = patternParts[0]; diff --git a/src/node_version.h b/src/node_version.h index cb2f19c221b256..c03cc8bb9ac322 100644 --- a/src/node_version.h +++ b/src/node_version.h @@ -26,7 +26,7 @@ #define NODE_MINOR_VERSION 10 #define NODE_PATCH_VERSION 48 -#define NODE_VERSION_IS_RELEASE 0 +#define NODE_VERSION_IS_RELEASE 1 #ifndef NODE_STRINGIFY #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n) diff --git a/tools/sign.bat b/tools/sign.bat new file mode 100644 index 00000000000000..aa003bca681eaa --- /dev/null +++ b/tools/sign.bat @@ -0,0 +1,15 @@ +@echo off + +set timeservers=(http://timestamp.globalsign.com/scripts/timestamp.dll http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timestamp.dll http://tsa.starfieldtech.com) + +for %%s in %timeservers% do ( + signtool sign /a /d "node" /t %%s %1 + if not ERRORLEVEL 1 ( + echo Successfully signed %1 using timeserver %%s + exit /b 0 + ) + echo Signing %1 failed using %%s +) + +echo Could not sign %1 using any available timeserver +exit /b 1 diff --git a/vcbuild.bat b/vcbuild.bat index adf54eb659568b..b9f386740fdcdc 100644 --- a/vcbuild.bat +++ b/vcbuild.bat @@ -196,7 +196,7 @@ if errorlevel 1 goto exit @rem Skip signing if the `nosign` option was specified. if defined nosign goto licensertf -signtool sign /a /d "node" /t http://timestamp.globalsign.com/scripts/timestamp.dll Release\node.exe +call tools\sign.bat Release\node.exe if errorlevel 1 echo Failed to sign exe&goto exit :licensertf @@ -216,7 +216,7 @@ msbuild "%~dp0tools\msvs\msi\nodemsi.sln" /m /t:Clean,Build /p:PlatformToolset=% if errorlevel 1 goto exit if defined nosign goto upload -signtool sign /a /d "node" /t http://timestamp.globalsign.com/scripts/timestamp.dll node-v%FULLVERSION%-%target_arch%.msi +call tools\sign.bat node-v%FULLVERSION%-%target_arch%.msi if errorlevel 1 echo Failed to sign msi&goto exit :upload