Bug 18243

Summary: package needs upgrade as uglify-js security upgrade needs version >= 1.5.0
Product: Mageia
Reporter: Thomas Spuhler <thomas>
Component: RPM Packages
Assignee: QA Team <qa-bugs>
Status: RESOLVED MOVED
QA Contact:
Severity: major
Priority: Normal
CC: lewyssmith, shlomif, thomas
Version: 5
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: nodejs-async
CVE:
Status comment:
Bug Depends on:
Bug Blocks: 18232
Attachments: The node.js testcase.

Description Thomas Spuhler 2016-04-22 17:02:01 CEST
Description of problem:
package needs upgrade as uglify-js security upgrade needs version >= 1.5.0
Bug 18232 - uglify-js new security issue CVE-2015-8858
Comment 1 Thomas Spuhler 2016-04-22 17:06:14 CEST
This bug is now fixed. It must be pushed before testing Bug 18232 - uglify-js new security issue CVE-2015-8858

The following packages are now in updates_testing:
nodejs-async-1.5.0-1.mga5.src.rpm
nodejs-async-1.5.0-1.mga5.noarch.rpm

Status: NEW => ASSIGNED
CC: (none) => thomas
Assignee: bugsquad => qa-bugs

claire robinson 2016-04-22 17:16:34 CEST

Blocks: (none) => 18232

Comment 2 Shlomi Fish 2016-04-28 22:25:34 CEST
On an x86-64 mgav5 VBox VM, I got the following typescript before and after the update:

Script started on Thu 28 Apr 2016 11:11:42 PM IDT
[shlomif@localhost ~]$ ls
Desktop/    Downloads/  Pictures/   test.js   tmp/        Videos/
Documents/  Music/      Templates/  test.js~  typescript
[shlomif@localhost ~]$ cat test.js
// declare the module handles instead of leaking them as implicit globals
var async = require("async");
var fs = require("fs");

async.map(['Desktop', '.bashrc', '/var/tmp'], fs.stat, function(err, results){
    if (err) throw err;
    // results is now an array of stats for each file
    console.log(results);
});
[shlomif@localhost ~]$ node test.js

module.js:340
    throw err;
          ^
Error: Cannot find module 'async'
    at Function.Module._resolveFilename (module.js:338:15)
    at Function.Module._load (module.js:280:25)
    at Module.require (module.js:364:17)
    at require (module.js:380:17)
    at Object.<anonymous> (/home/shlomif/test.js:1:71)
    at Module._compile (module.js:456:26)
    at Object.Module._extensions..js (module.js:474:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Function.Module.runMain (module.js:497:10)
[shlomif@localhost ~]$ ln -s /usr/lib/node_modules
[shlomif@localhost ~]$ node test.js
[ { dev: 2049,
    mode: 16877,
    nlink: 2,
    uid: 1000,
    gid: 1000,
    rdev: 0,
    blksize: 4096,
    ino: 538148,
    size: 4096,
    blocks: 8,
    atime: Tue Apr 19 2016 13:43:42 GMT+0300 (IDT),
    mtime: Wed Jul 15 2015 16:03:33 GMT+0300 (IDT),
    ctime: Wed Jul 15 2015 16:03:33 GMT+0300 (IDT) },
  { dev: 2049,
    mode: 33188,
    nlink: 1,
    uid: 1000,
    gid: 1000,
    rdev: 0,
    blksize: 4096,
    ino: 538115,
    size: 124,
    blocks: 8,
    atime: Thu Apr 28 2016 23:04:42 GMT+0300 (IDT),
    mtime: Tue Jan 27 2015 19:20:42 GMT+0200 (IST),
    ctime: Wed Jul 15 2015 16:01:39 GMT+0300 (IDT) },
  { dev: 2049,
    mode: 17407,
    nlink: 5,
    uid: 0,
    gid: 0,
    rdev: 0,
    blksize: 4096,
    ino: 784898,
    size: 4096,
    blocks: 8,
    atime: Tue Apr 19 2016 13:29:59 GMT+0300 (IDT),
    mtime: Thu Apr 28 2016 23:04:58 GMT+0300 (IDT),
    ctime: Thu Apr 28 2016 23:04:58 GMT+0300 (IDT) } ]
[shlomif@localhost ~]$ exit
exit

Script done on Thu 28 Apr 2016 11:12:20 PM IDT


-----------

So it seems to be working fine after I create a symlink, but not beforehand.

I'll attach the test script I used soon.

CC: (none) => shlomif

Comment 3 Shlomi Fish 2016-04-28 22:26:39 CEST
Created attachment 7707 [details]
The node.js testcase.

This is the test case I used.
Comment 4 Shlomi Fish 2016-04-28 22:29:57 CEST
And I'm getting the exact same results with the test case and the symbolic link on an i586 mgav5 VBox VM.
Comment 5 Thomas Spuhler 2016-04-28 23:12:33 CEST
(In reply to Shlomi Fish from comment #2)
> On an x86-64 mgav5 VBox VM, I got the following typescript before and after
> the update:
> 
> Script started on Thu 28 Apr 2016 11:11:42 PM IDT
> [shlomif@localhost ~]$ ls
> Desktop/    Downloads/  Pictures/   test.js   tmp/        Videos/
> Documents/  Music/      Templates/  test.js~  typescript
> [shlomif@localhost ~]$ cat test.js
> // declare the module handles instead of leaking them as implicit globals
> var async = require("async");
> var fs = require("fs");
> 
> async.map(['Desktop', '.bashrc', '/var/tmp'], fs.stat, function(err, results){
>     if (err) throw err;
>     // results is now an array of stats for each file
>     console.log(results);
> });
> [shlomif@localhost ~]$ node test.js
> 
> module.js:340
>     throw err;
>           ^
> Error: Cannot find module 'async'
>     at Function.Module._resolveFilename (module.js:338:15)
>     at Function.Module._load (module.js:280:25)
>     at Module.require (module.js:364:17)
>     at require (module.js:380:17)
>     at Object.<anonymous> (/home/shlomif/test.js:1:71)
>     at Module._compile (module.js:456:26)
>     at Object.Module._extensions..js (module.js:474:10)
>     at Module.load (module.js:356:32)
>     at Function.Module._load (module.js:312:12)
>     at Function.Module.runMain (module.js:497:10)
> [shlomif@localhost ~]$ ln -s /usr/lib/node_modules
> [shlomif@localhost ~]$ node test.js
> [ { dev: 2049,
>     mode: 16877,
>     nlink: 2,
>     uid: 1000,
>     gid: 1000,
>     rdev: 0,
>     blksize: 4096,
>     ino: 538148,
>     size: 4096,
>     blocks: 8,
>     atime: Tue Apr 19 2016 13:43:42 GMT+0300 (IDT),
>     mtime: Wed Jul 15 2015 16:03:33 GMT+0300 (IDT),
>     ctime: Wed Jul 15 2015 16:03:33 GMT+0300 (IDT) },
>   { dev: 2049,
>     mode: 33188,
>     nlink: 1,
>     uid: 1000,
>     gid: 1000,
>     rdev: 0,
>     blksize: 4096,
>     ino: 538115,
>     size: 124,
>     blocks: 8,
>     atime: Thu Apr 28 2016 23:04:42 GMT+0300 (IDT),
>     mtime: Tue Jan 27 2015 19:20:42 GMT+0200 (IST),
>     ctime: Wed Jul 15 2015 16:01:39 GMT+0300 (IDT) },
>   { dev: 2049,
>     mode: 17407,
>     nlink: 5,
>     uid: 0,
>     gid: 0,
>     rdev: 0,
>     blksize: 4096,
>     ino: 784898,
>     size: 4096,
>     blocks: 8,
>     atime: Tue Apr 19 2016 13:29:59 GMT+0300 (IDT),
>     mtime: Thu Apr 28 2016 23:04:58 GMT+0300 (IDT),
>     ctime: Thu Apr 28 2016 23:04:58 GMT+0300 (IDT) } ]
> [shlomif@localhost ~]$ exit
> exit
> 
> Script done on Thu 28 Apr 2016 11:12:20 PM IDT
> 
> 
> -----------
> 
> So it seems to be working fine after I create a symlink, but not beforehand.
> 
> I'll attach the test script I used soon.
Thanks for testing.
Which symlink did you add and where?
Thomas
Comment 6 Shlomi Fish 2016-04-28 23:47:47 CEST
> Thanks for testing.
> Which symlink did you add and where?
> Thomas

I did "ln -s /usr/lib/node_modules" while at the $HOME directory.
Comment 7 Lewis Smith 2016-05-10 20:34:12 CEST
Trying x64. Thanks Shlomi for your efforts.

BEFORE the update, same result as Shlomi Comment 2 with
 $ node test.js 
module.js:340
    throw err;
          ^
Error: Cannot find module 'async'
etc etc.

AFTER the update (which pulled in both uglify-js & js-uglify), the same erroneous result.

The symlinks as shown in Comment 2 are unclear. If they make the test case here work, should they not be part of the update? Do I take it that the latter part of the Comment 2 output is the *correct* result (after the symlinks)?
As it is, either we can accept this update as merely providing a certain version advance (ignoring that it does not work; but neither did it before); or should we enhance the update?

CC: (none) => lewyssmith

Comment 8 claire robinson 2016-05-12 11:50:38 CEST
Closing: This forms part of the uglify-js update in bug 18232 so will be handled there for clarity.

Status: ASSIGNED => RESOLVED
Resolution: (none) => MOVED