| Summary: | package needs upgrade, as the uglify-js security update requires version >= 1.5.0 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Thomas Spuhler <thomas> |
| Component: | RPM Packages | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED MOVED | QA Contact: | |
| Severity: | major | ||
| Priority: | Normal | CC: | lewyssmith, shlomif, thomas |
| Version: | 5 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | nodejs-async | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 18232 | ||
| Attachments: | The node.js testcase. | ||
|
Description
Thomas Spuhler
2016-04-22 17:02:01 CEST
This bug is now fixed. It must be pushed before testing Bug 18232 - uglify-js new security issue CVE-2015-8858. The following packages are now in updates_testing: nodejs-async-1.5.0-1.mga5.src.rpm nodejs-async-1.5.0-1.mga5.noarch.rpm Status:
NEW =>
ASSIGNED
claire robinson
2016-04-22 17:16:34 CEST
Blocks:
(none) =>
18232 On an x86-64 mgav5 VBox VM, I got the following typescript before and after the update:
Script started on Thu 28 Apr 2016 11:11:42 PM IDT
[shlomif@localhost ~]$ ls
Desktop/ Downloads/ Pictures/ test.js tmp/ Videos/
Documents/ Music/ Templates/ test.js~ typescript
[shlomif@localhost ~]$ cat test.js
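// Test case for the nodejs-async package: stat several paths with async.map
// and print the collected stat results.
// require("async") only resolves when a node_modules directory holding the
// package is on Node's lookup path for this script (or NODE_PATH points to it).
// `var` keeps the script runnable on the old Node runtime used in this report
// while no longer creating implicit globals.
var async = require("async");
var fs = require("fs");

// Relative paths are resolved against the current working directory.
async.map(['Desktop', '.bashrc', '/var/tmp'], fs.stat, function (err, results) {
    // Report a failed fs.stat explicitly instead of printing partial results.
    if (err) {
        console.error(err);
        return;
    }
    // results is now an array of stats for each file
    console.log(results);
});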
[shlomif@localhost ~]$ node test.js
module.js:340
throw err;
^
Error: Cannot find module 'async'
at Function.Module._resolveFilename (module.js:338:15)
at Function.Module._load (module.js:280:25)
at Module.require (module.js:364:17)
at require (module.js:380:17)
at Object.<anonymous> (/home/shlomif/test.js:1:71)
at Module._compile (module.js:456:26)
at Object.Module._extensions..js (module.js:474:10)
at Module.load (module.js:356:32)
at Function.Module._load (module.js:312:12)
at Function.Module.runMain (module.js:497:10)
]0;shlomif@localhost:~[shlomif@localhost ~]$ ln -s /usr/lib/noe[Kde_modules/[K no[K[K
]0;shlomif@localhost:~[shlomif@localhost ~]$ ln -s /usr/lib/node_modules
[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[16Pnode test.js
[ { dev: 2049,
mode: 16877,
nlink: 2,
uid: 1000,
gid: 1000,
rdev: 0,
blksize: 4096,
ino: 538148,
size: 4096,
blocks: 8,
atime: Tue Apr 19 2016 13:43:42 GMT+0300 (IDT),
mtime: Wed Jul 15 2015 16:03:33 GMT+0300 (IDT),
ctime: Wed Jul 15 2015 16:03:33 GMT+0300 (IDT) },
{ dev: 2049,
mode: 33188,
nlink: 1,
uid: 1000,
gid: 1000,
rdev: 0,
blksize: 4096,
ino: 538115,
size: 124,
blocks: 8,
atime: Thu Apr 28 2016 23:04:42 GMT+0300 (IDT),
mtime: Tue Jan 27 2015 19:20:42 GMT+0200 (IST),
ctime: Wed Jul 15 2015 16:01:39 GMT+0300 (IDT) },
{ dev: 2049,
mode: 17407,
nlink: 5,
uid: 0,
gid: 0,
rdev: 0,
blksize: 4096,
ino: 784898,
size: 4096,
blocks: 8,
atime: Tue Apr 19 2016 13:29:59 GMT+0300 (IDT),
mtime: Thu Apr 28 2016 23:04:58 GMT+0300 (IDT),
ctime: Thu Apr 28 2016 23:04:58 GMT+0300 (IDT) } ]
[shlomif@localhost ~]$ exit
exit
Script done on Thu 28 Apr 2016 11:12:20 PM IDT
-----------
So it seems to be working fine after I create a symlink, but not beforehand.
I'll attach the test script I used soon. CC:
(none) =>
shlomif Created attachment 7707 [details]
The node.js testcase.
This is the test case I used.
And I'm getting the exact same results with the test case and the symbolic link on an i586 mgav5 VBox VM. (In reply to Shlomi Fish from comment #2) > On an x86-64 mgav5 VBox VM , I got the following typescript before and after > the update: > > Script started on Thu 28 Apr 2016 11:11:42 PM IDT > [36l>]0;shlomif@localhost:~[shlomif@localhost ~]$ ls > [0m[01;34mDesktop[0m/ [01;34mDownloads[0m/ [01;34mPictures[0m/ test.js > [01;34mtmp[0m/ [01;34mVideos[0m/ > [01;34mDocuments[0m/ [01;34mMusic[0m/ [01;34mTemplates[0m/ > [47;30mtest.js~[0m typescript > ]0;shlomif@localhost:~[shlomif@localhost ~]$ cat test.js > async = require("async"); > fs = require("fs"); > > async.map(['Desktop', '.bashrc', '/var/tmp'], fs.stat, function(err, > results){ > // results is now an array of stats for each file > console.log (results); > }); > ]0;shlomif@localhost:~[shlomif@localhost ~]$ node test.js > > module.js:340 > throw err; > ^ > Error: Cannot find module 'async' > at Function.Module._resolveFilename (module.js:338:15) > at Function.Module._load (module.js:280:25) > at Module.require (module.js:364:17) > at require (module.js:380:17) > at Object.<anonymous> (/home/shlomif/test.js:1:71) > at Module._compile (module.js:456:26) > at Object.Module._extensions..js (module.js:474:10) > at Module.load (module.js:356:32) > at Function.Module._load (module.js:312:12) > at Function.Module.runMain (module.js:497:10) > ]0;shlomif@localhost:~[shlomif@localhost ~]$ ln -s > /usr/lib/noe[Kde_modules/[K no[K[K > ]0;shlomif@localhost:~[shlomif@localhost ~]$ ln -s /usr/lib/node_modules > [C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[16Pnode test.js > [ { dev: 2049, > mode: 16877, > nlink: 2, > uid: 1000, > gid: 1000, > rdev: 0, > blksize: 4096, > ino: 538148, > size: 4096, > blocks: 8, > atime: Tue Apr 19 2016 13:43:42 GMT+0300 (IDT), > mtime: Wed Jul 15 2015 16:03:33 GMT+0300 (IDT), > ctime: Wed Jul 15 2015 16:03:33 GMT+0300 (IDT) }, > { dev: 2049, > mode: 33188, > nlink: 1, > uid: 1000, > gid: 1000, 
> rdev: 0, > blksize: 4096, > ino: 538115, > size: 124, > blocks: 8, > atime: Thu Apr 28 2016 23:04:42 GMT+0300 (IDT), > mtime: Tue Jan 27 2015 19:20:42 GMT+0200 (IST), > ctime: Wed Jul 15 2015 16:01:39 GMT+0300 (IDT) }, > { dev: 2049, > mode: 17407, > nlink: 5, > uid: 0, > gid: 0, > rdev: 0, > blksize: 4096, > ino: 784898, > size: 4096, > blocks: 8, > atime: Tue Apr 19 2016 13:29:59 GMT+0300 (IDT), > mtime: Thu Apr 28 2016 23:04:58 GMT+0300 (IDT), > ctime: Thu Apr 28 2016 23:04:58 GMT+0300 (IDT) } ] > ]0;shlomif@localhost:~[shlomif@localhost ~]$ ext[Kit > exit > > Script done on Thu 28 Apr 2016 11:12:20 PM IDT > > > ----------- > > So it seems to be working fine after I create a symlink, but not beforehand. > > I'll attach the test script I used soon. Thanks for testing. Which symlink did you add and where? Thomas > Thanks for testing.
> Which symlink did you add and where?
> Thomas
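I did "ln -s /usr/lib/node_modules" while in the $HOME directory. That creates ~/node_modules as a link to the system-wide module directory, which is where Node looks when test.js in $HOME calls require("async").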
Trying x64. Thanks Shlomi for your efforts. BEFORE the update, same result as Shlomi Comment 2 with $ node test.js module.js:340 throw err; ^ Error: Cannot find module 'async' etc etc. AFTER the update (which pulled in both uglify-js & js-uglify), the same erroneous result. The symlinks as shown in Comment 2 are unclear. If they make the test case here work, should they not be part of the update? Do I take it that the latter part of the Comment 2 output is the *correct* result (after the symlinks)? As it is, either we can accept this update as merely providing a certain version advance (ignoring that it does not work; but neither did it before); or should we enhance the update? CC:
(none) =>
lewyssmith |