zlib: gracefully set windowBits from 8 to 9 #16511
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
addaleax
added
lts-watch-v4.x
zlib
lpinca
approved these changes
Oct 26, 2017
doc/api/zlib.md
Outdated
| *Note*: An upgrade of zlib from 1.2.8 to 1.2.11 changed behavior when windowBits | ||
| is set to 8 for raw deflate streams. zlib would automatically set windowBits | ||
| to 9 if was initially set to 8. Newer versions of zlib will throw an exception, | ||
| so Node restored the original behaviour of upgrading a value of 8 to 9, |
maclover7
reviewed
Oct 26, 2017
doc/api/zlib.md
Outdated
| *Note*: An upgrade of zlib from 1.2.8 to 1.2.11 changed behavior when windowBits | ||
| is set to 8 for raw deflate streams. zlib would automatically set windowBits | ||
| to 9 if was initially set to 8. Newer versions of zlib will throw an exception, | ||
| so Node.js restored the original behaviour of upgrading a value of 8 to 9, |
There was a problem hiding this comment.
not a big deal, but behavior (without the u) is used in the previous sentence 😄
jasnell
approved these changes
Oct 26, 2017
cjihrig
approved these changes
Oct 26, 2017
|
After your research did you determine that we did not want to modify inflate stream |
At least for now that seems like a sensible course of action. |
refack
approved these changes
Oct 26, 2017
4 tasks
|
This needs needs a rebase and will need to land before noon pacific time today to make it in to 9.0.0 |
On 4 April 2017, Node.js versions v4.8.2 and v6.10.2 were
released. These versions bumped the vendored zlib library from
v1.2.8 to v1.2.11 in response to what it describes as low-severity
CVEs. In zlib v1.2.9, a change was made that causes an error to be
raised when a raw deflate stream is initialised with windowBits set
to 8.
In zlib v1.2.9, 8 become an invalid value for this parameter, and Node's zlib
module will crash if you call this:
```
zlib.createDeflateRaw({windowBits: 8})
```
On some versions this crashes Node and you cannot recover from it, while on some
versions it throws an exception. The permessage-deflate library up to
version v0.1.5 does make such a call with no try/catch
This commit reverts to the original behavior of zlib by gracefully changed
windowBits: 8 to windowBits: 9 for raw deflate streams.
Original-PR-URL: nodejs-private/node-private#95
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
PR-URL: nodejs#16511
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Fixes: nodejs#14847 PR-URL: nodejs#16511 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Refael Ackermann <refack@gmail.com>
addaleax
force-pushed
the
zlib-windowsbits-8
branch
from
74d69ab
to
25ef9d2
Compare
|
Should this be backported to |
|
@gibfahn no it's already there. |
|
25ef9d2 could be backported. |
|
@lpinca Yup, that’s why I’m doing now :) |
addaleax
added a commit
to addaleax/node
that referenced
this pull request
Oct 30, 2017
Fixes: nodejs#14847 Original-PR-URL: nodejs#16511 Original-Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Original-Reviewed-By: James M Snell <jasnell@gmail.com> Original-Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Original-Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Original-Reviewed-By: Refael Ackermann <refack@gmail.com>
gibfahn
pushed a commit
to gibfahn/node
that referenced
this pull request
Oct 30, 2017
Fixes: nodejs#14847 PR-URL: nodejs#16511 Backport-PR-URL: nodejs#16623 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Refael Ackermann <refack@gmail.com>
Merged
Qard
pushed a commit
to ayojs/ayo
that referenced
this pull request
Nov 2, 2017
On 4 April 2017, Node.js versions v4.8.2 and v6.10.2 were
released. These versions bumped the vendored zlib library from
v1.2.8 to v1.2.11 in response to what it describes as low-severity
CVEs. In zlib v1.2.9, a change was made that causes an error to be
raised when a raw deflate stream is initialised with windowBits set
to 8.
In zlib v1.2.9, 8 become an invalid value for this parameter, and Node's zlib
module will crash if you call this:
```
zlib.createDeflateRaw({windowBits: 8})
```
On some versions this crashes Node and you cannot recover from it, while on some
versions it throws an exception. The permessage-deflate library up to
version v0.1.5 does make such a call with no try/catch
This commit reverts to the original behavior of zlib by gracefully changed
windowBits: 8 to windowBits: 9 for raw deflate streams.
Original-PR-URL: https://github.com/nodejs-private/node-private/pull/95
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
PR-URL: nodejs/node#16511
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Qard
pushed a commit
to ayojs/ayo
that referenced
this pull request
Nov 2, 2017
Fixes: nodejs/node#14847 PR-URL: nodejs/node#16511 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Refael Ackermann <refack@gmail.com>
Qard
pushed a commit
to ayojs/ayo
that referenced
this pull request
Nov 2, 2017
On 4 April 2017, Node.js versions v4.8.2 and v6.10.2 were
released. These versions bumped the vendored zlib library from
v1.2.8 to v1.2.11 in response to what it describes as low-severity
CVEs. In zlib v1.2.9, a change was made that causes an error to be
raised when a raw deflate stream is initialised with windowBits set
to 8.
In zlib v1.2.9, 8 become an invalid value for this parameter, and Node's zlib
module will crash if you call this:
```
zlib.createDeflateRaw({windowBits: 8})
```
On some versions this crashes Node and you cannot recover from it, while on some
versions it throws an exception. The permessage-deflate library up to
version v0.1.5 does make such a call with no try/catch
This commit reverts to the original behavior of zlib by gracefully changed
windowBits: 8 to windowBits: 9 for raw deflate streams.
Original-PR-URL: https://github.com/nodejs-private/node-private/pull/95
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
PR-URL: nodejs/node#16511
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Qard
pushed a commit
to ayojs/ayo
that referenced
this pull request
Nov 2, 2017
Fixes: nodejs/node#14847 PR-URL: nodejs/node#16511 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Refael Ackermann <refack@gmail.com>
|
@addaleax do you want to backport the updated documentation to v6.x? |
|
@MylesBorins yes, and the variant that landed in v8.x (a6b3cd8) should apply cleanly |
|
Done! |
Merged
addaleax
pushed a commit
to ayojs/ayo
that referenced
this pull request
Dec 7, 2017
On 4 April 2017, Node.js versions v4.8.2 and v6.10.2 were
released. These versions bumped the vendored zlib library from
v1.2.8 to v1.2.11 in response to what it describes as low-severity
CVEs. In zlib v1.2.9, a change was made that causes an error to be
raised when a raw deflate stream is initialised with windowBits set
to 8.
In zlib v1.2.9, 8 become an invalid value for this parameter, and Node's zlib
module will crash if you call this:
```
zlib.createDeflateRaw({windowBits: 8})
```
On some versions this crashes Node and you cannot recover from it, while on some
versions it throws an exception. The permessage-deflate library up to
version v0.1.5 does make such a call with no try/catch
This commit reverts to the original behavior of zlib by gracefully changed
windowBits: 8 to windowBits: 9 for raw deflate streams.
Original-PR-URL: nodejs-private/node-private#95
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
PR-URL: nodejs/node#16511
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
addaleax
added a commit
to ayojs/ayo
that referenced
this pull request
Dec 7, 2017
Fixes: nodejs/node#14847 PR-URL: nodejs/node#16511 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Refael Ackermann <refack@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
After looking into the details of the
zlibbehaviour when asked for 8-/9-bit windows more closely, this patch makes sense. I’ve updated the documentation & the test commentary to account for that.(Addling lts-watch labels for the test/doc updates.)
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passesAffected core subsystem(s)
zlib