-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
zlib: gracefully set windowBits from 8 to 9 #16511
Conversation
doc/api/zlib.md
Outdated
*Note*: An upgrade of zlib from 1.2.8 to 1.2.11 changed behavior when windowBits | ||
is set to 8 for raw deflate streams. zlib would automatically set windowBits | ||
to 9 if was initially set to 8. Newer versions of zlib will throw an exception, | ||
so Node restored the original behaviour of upgrading a value of 8 to 9, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: Node.js
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
doc/api/zlib.md
Outdated
*Note*: An upgrade of zlib from 1.2.8 to 1.2.11 changed behavior when windowBits | ||
is set to 8 for raw deflate streams. zlib would automatically set windowBits | ||
to 9 if was initially set to 8. Newer versions of zlib will throw an exception, | ||
so Node.js restored the original behaviour of upgrading a value of 8 to 9, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not a big deal, but behavior
(without the u) is used in the previous sentence 😄
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
After your research did you determine that we did not want to modify inflate stream |
At least for now that seems like a sensible course of action. |
This needs needs a rebase and will need to land before noon pacific time today to make it in to 9.0.0 |
On 4 April 2017, Node.js versions v4.8.2 and v6.10.2 were released. These versions bumped the vendored zlib library from v1.2.8 to v1.2.11 in response to what it describes as low-severity CVEs. In zlib v1.2.9, a change was made that causes an error to be raised when a raw deflate stream is initialised with windowBits set to 8. In zlib v1.2.9, 8 become an invalid value for this parameter, and Node's zlib module will crash if you call this: ``` zlib.createDeflateRaw({windowBits: 8}) ``` On some versions this crashes Node and you cannot recover from it, while on some versions it throws an exception. The permessage-deflate library up to version v0.1.5 does make such a call with no try/catch This commit reverts to the original behavior of zlib by gracefully changed windowBits: 8 to windowBits: 9 for raw deflate streams. Original-PR-URL: nodejs-private/node-private#95 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Evan Lucas <evanlucas@me.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> PR-URL: nodejs#16511 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Refael Ackermann <refack@gmail.com>
Fixes: nodejs#14847 PR-URL: nodejs#16511 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Refael Ackermann <refack@gmail.com>
74d69ab
to
25ef9d2
Compare
Should this be backported to |
@gibfahn no it's already there. |
25ef9d2 could be backported. |
@lpinca Yup, that’s why I’m doing now :) |
Fixes: nodejs#14847 Original-PR-URL: nodejs#16511 Original-Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Original-Reviewed-By: James M Snell <jasnell@gmail.com> Original-Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Original-Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Original-Reviewed-By: Refael Ackermann <refack@gmail.com>
Fixes: nodejs#14847 PR-URL: nodejs#16511 Backport-PR-URL: nodejs#16623 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Refael Ackermann <refack@gmail.com>
On 4 April 2017, Node.js versions v4.8.2 and v6.10.2 were released. These versions bumped the vendored zlib library from v1.2.8 to v1.2.11 in response to what it describes as low-severity CVEs. In zlib v1.2.9, a change was made that causes an error to be raised when a raw deflate stream is initialised with windowBits set to 8. In zlib v1.2.9, 8 become an invalid value for this parameter, and Node's zlib module will crash if you call this: ``` zlib.createDeflateRaw({windowBits: 8}) ``` On some versions this crashes Node and you cannot recover from it, while on some versions it throws an exception. The permessage-deflate library up to version v0.1.5 does make such a call with no try/catch This commit reverts to the original behavior of zlib by gracefully changed windowBits: 8 to windowBits: 9 for raw deflate streams. Original-PR-URL: https://github.com/nodejs-private/node-private/pull/95 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Evan Lucas <evanlucas@me.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> PR-URL: nodejs/node#16511 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Refael Ackermann <refack@gmail.com>
Fixes: nodejs/node#14847 PR-URL: nodejs/node#16511 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Refael Ackermann <refack@gmail.com>
On 4 April 2017, Node.js versions v4.8.2 and v6.10.2 were released. These versions bumped the vendored zlib library from v1.2.8 to v1.2.11 in response to what it describes as low-severity CVEs. In zlib v1.2.9, a change was made that causes an error to be raised when a raw deflate stream is initialised with windowBits set to 8. In zlib v1.2.9, 8 become an invalid value for this parameter, and Node's zlib module will crash if you call this: ``` zlib.createDeflateRaw({windowBits: 8}) ``` On some versions this crashes Node and you cannot recover from it, while on some versions it throws an exception. The permessage-deflate library up to version v0.1.5 does make such a call with no try/catch This commit reverts to the original behavior of zlib by gracefully changed windowBits: 8 to windowBits: 9 for raw deflate streams. Original-PR-URL: https://github.com/nodejs-private/node-private/pull/95 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Evan Lucas <evanlucas@me.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> PR-URL: nodejs/node#16511 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Refael Ackermann <refack@gmail.com>
Fixes: nodejs/node#14847 PR-URL: nodejs/node#16511 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Refael Ackermann <refack@gmail.com>
@addaleax do you want to backport the updated documentation to v6.x? |
@MylesBorins yes, and the variant that landed in v8.x (a6b3cd8) should apply cleanly |
Done! |
On 4 April 2017, Node.js versions v4.8.2 and v6.10.2 were released. These versions bumped the vendored zlib library from v1.2.8 to v1.2.11 in response to what it describes as low-severity CVEs. In zlib v1.2.9, a change was made that causes an error to be raised when a raw deflate stream is initialised with windowBits set to 8. In zlib v1.2.9, 8 become an invalid value for this parameter, and Node's zlib module will crash if you call this: ``` zlib.createDeflateRaw({windowBits: 8}) ``` On some versions this crashes Node and you cannot recover from it, while on some versions it throws an exception. The permessage-deflate library up to version v0.1.5 does make such a call with no try/catch This commit reverts to the original behavior of zlib by gracefully changed windowBits: 8 to windowBits: 9 for raw deflate streams. Original-PR-URL: nodejs-private/node-private#95 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Evan Lucas <evanlucas@me.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> PR-URL: nodejs/node#16511 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Refael Ackermann <refack@gmail.com>
Fixes: nodejs/node#14847 PR-URL: nodejs/node#16511 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Refael Ackermann <refack@gmail.com>
After looking into the details of the
zlib
behaviour when asked for 8-/9-bit windows more closely, this patch makes sense. I’ve updated the documentation & the test commentary to account for that.(Addling lts-watch labels for the test/doc updates.)
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passesAffected core subsystem(s)
zlib