diff --git a/CHANGELOG.md b/CHANGELOG.md
index 39dd5c8b801..1a1268f6cf3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Node.js ChangeLog
+## 2016-06-22, Version 4.4.6 'Argon' (LTS), @thealphanerd
+
+This is an important security release. All Node.js users should consult the security release summary at nodejs.org for details on patched vulnerabilities.
+
+This release is specifically related to a Buffer overflow vulnerability discovered in v8, more details can be found [in the CVE](https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1669)
+
+### Commits
+
+* [[`134c3b3977`](https://github.com/nodejs/node/commit/134c3b3977)] - **deps**: backport 3a9bfec from v8 upstream (Ben Noordhuis) [nodejs/node-private#38](https://github.com/nodejs/node-private/pull/38)
+
 ## 2016-05-24, Version 4.4.5 'Argon' (LTS), @thealphanerd
 ### Notable Changes
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index 98dca238c85..4a4a51238e6 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 4
 #define V8_MINOR_VERSION 5
 #define V8_BUILD_NUMBER 103
-#define V8_PATCH_LEVEL 35
+#define V8_PATCH_LEVEL 36
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/zone.cc b/deps/v8/src/zone.cc
index 9dcebba2dc1..1f722f2f608 100644
--- a/deps/v8/src/zone.cc
+++ b/deps/v8/src/zone.cc
@@ -105,7 +105,10 @@ void* Zone::New(size_t size) {
 Address result = position_;
 const size_t size_with_redzone = size + kASanRedzoneBytes;
- if (limit_ < position_ + size_with_redzone) {
+ const uintptr_t limit = reinterpret_cast(limit_);
+ const uintptr_t position = reinterpret_cast(position_);
+ // position_ > limit_ can be true after the alignment correction above.
+ if (limit < position || size_with_redzone > limit - position) {
 result = NewExpand(size_with_redzone);
 } else {
 position_ += size_with_redzone;
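Review bot: In `Zone::New`, the sum on the context line `const size_t size_with_redzone = size + kASanRedzoneBytes;` is still unchecked, so the new comparison guards against wrap-around in the pointer arithmetic but not in the size computation that feeds it. If a caller can pass a `size` near the top of the `size_t` range (the alignment rounding above the hunk presumably has the same property), the wrapped value would reach `size_with_redzone > limit - position` as a small request and be accepted. A guard ahead of the comparison, such as `CHECK(size_with_redzone >= size);`, would make the function fail closed in release builds as well. The function body starts and ends outside this hunk, so an equivalent check may already exist there.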
@@ -222,7 +225,10 @@ Address Zone::NewExpand(size_t size) {
 // Make sure the requested size is already properly aligned and that
 // there isn't enough room in the Zone to satisfy the request.
 DCHECK_EQ(size, RoundDown(size, kAlignment));
- DCHECK_LT(limit_, position_ + size);
+ DCHECK(limit_ < position_ ||
+ reinterpret_cast(limit_) -
+ reinterpret_cast(position_) <
+ size);
 // Compute the new segment size. We use a 'high water mark'
 // strategy, where we increase the segment size every time we expand
diff --git a/src/node_version.h b/src/node_version.h
index 85afe22f25d..001bba78a47 100644
--- a/src/node_version.h
+++ b/src/node_version.h
@@ -8,7 +8,7 @@
 #define NODE_VERSION_IS_LTS 1
 #define NODE_VERSION_LTS_CODENAME "Argon"
-#define NODE_VERSION_IS_RELEASE 0
+#define NODE_VERSION_IS_RELEASE 1
 #ifndef NODE_STRINGIFY
 #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)
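Review bot: In `Zone::NewExpand` (deps/v8/src/zone.cc), the rewritten `DCHECK` restates the capacity test from `Zone::New` with its own inline casts and a mixed pointer/integer comparison, so the two copies of the condition can drift apart on a later edit. Naming the operands as `Zone::New` does (`limit`, `position`) would make the two checks visibly identical. Because `DCHECK` is compiled out of release builds, this line documents the precondition rather than enforcing it, and a comment should say so, e.g. `// Debug-only: mirrors the overflow-safe capacity check in Zone::New.` The body of `NewExpand` continues past the end of this hunk.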