Bug 16643 - uglify-js new security issue fixed upstream in 2.4.24 (CVE-2015-8857)
Summary: uglify-js new security issue fixed upstream in 2.4.24 (CVE-2015-8857)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/665242/
Whiteboard: MGA5-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-08-24 20:33 CEST by David Walser
Modified: 2016-04-21 15:58 CEST (History)
8 users

See Also:
Source RPM: uglify-js-2.4.13-4.mga5.src.rpm
CVE:
Status comment:


Attachments
HTML page to run test javaScripts (488 bytes, text/html)
2015-11-13 21:29 CET, Lewis Smith
Test normally formatted javaScript to put through uglifyjs (383 bytes, application/javascript)
2015-11-13 21:37 CET, Lewis Smith

Description David Walser 2015-08-24 20:33:39 CEST
A CVE has been requested for a security issue in uglify-js:
http://openwall.com/lists/oss-security/2015/08/24/5

The upstream commit to fix the issue is linked in the message above.  The issue has also been fixed in version 2.4.24.

Mageia 5 is also affected.

David Walser 2015-08-24 20:33:58 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Thomas Spuhler 2015-10-19 17:50:54 CEST
fixed by upgrading to vers. 2.5.0 in cauldron and
vers. 2.4.24 in mga5
The following packages are now in mga5 updates_testing:
uglify-js-2.4.24-1.mga5.src.rpm
uglify-js/RPMS/noarch/uglify-js-2.4.24-1.mga5.noarch.rpm
uglify-js/RPMS/noarch/js-uglify-2.4.24-1.mga5.noarch.rpm

Assigning to QA

CC: (none) => thomas
Hardware: i586 => All
Assignee: joequant => qa-bugs
Status: NEW => ASSIGNED

Comment 2 David Walser 2015-10-19 18:13:22 CEST
Thanks Thomas!

Advisory:
========================

The UglifyJS node module has a problem where the combination of De Morgan's Law
and non-boolean values can lead to a case where code is incorrectly minified,
which can lead to possibly malicious minified JS code.

References:
http://openwall.com/lists/oss-security/2015/08/24/5

Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

Comment 3 William Kenney 2015-10-20 17:48:37 CEST
Anybody got a simple command line for POC?
It's a compressor or so it says it is.

CC: (none) => wilcal.int

Comment 4 David Walser 2015-10-20 18:05:34 CEST
There's discussion about reproducing on the upstream bug:
https://github.com/mishoo/UglifyJS2/issues/751
Comment 5 William Kenney 2015-10-20 19:15:01 CEST
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
uglify-js js-uglify

default install of uglify-js & js-uglify

[root@localhost wilcal]# urpmi uglify-js
Package uglify-js-2.4.13-4.mga5.noarch is already installed
[root@localhost wilcal]# urpmi js-uglify
Package js-uglify-2.4.13-4.mga5.noarch is already installed

uglify-js & js-uglify install without error.

install uglify-js & js-uglify from updates_testing

[root@localhost wilcal]# urpmi uglify-js
A requested package cannot be installed:
uglify-js-2.4.24-1.mga5.noarch (due to unsatisfied npm(yargs)[>= 3.5.4])
Continue installation anyway? (Y/n) y
While some packages may have been installed, there were failures.
A requested package cannot be installed:
uglify-js-2.4.24-1.mga5.noarch (due to unsatisfied npm(yargs)[>= 3.5.4])
Continue installation anyway?
[root@localhost wilcal]# urpmi js-uglify
Package js-uglify-2.4.24-1.mga5.noarch is already installed

I'm not sure what all this means.
Comment 6 William Kenney 2015-10-20 19:15:40 CEST
(In reply to David Walser from comment #4)

> There's discussion about reproducing on the upstream bug:
> https://github.com/mishoo/UglifyJS2/issues/751

Tried, unsuccessfully, to reproduce all this.
Comment 7 Thomas Spuhler 2015-10-20 19:27:55 CEST
added the maintainer cc
the package uglify-js-2.4.24 needs npm(yargs)[>= 3.5.4], which is not packaged, and it doesn't build on our BS for some strange reason.

CC: (none) => joequant

David Walser 2015-10-21 20:15:24 CEST

Whiteboard: (none) => feedback

Comment 8 Sander Lepik 2015-10-25 13:33:10 CET
If no progress in one week, I'll continue to drop it from cauldron.

CC: (none) => mageia

Comment 9 Thomas Spuhler 2015-10-29 22:52:53 CET
the two dependencies, nodejs-yargs and nodejs-minimist (dep for yargs), were imported into mga5/updates_testing (copied from cauldron)
uglify-js has been rebuilt with the yargs version patch and the following packages are now in update_testing: 

uglify-js-2.4.24-2.mga5.src.rpm
uglify-js-2.4.24-2.mga5.noarch.rpm
js-uglify-2.4.24-2.mga5.noarch.rpm

Whiteboard: feedback => (none)

Comment 10 Thomas Spuhler 2015-10-30 00:54:21 CET
(In reply to Thomas Spuhler from comment #9)
> the two dependencies, nodejs-yargs and nodejs-minimist (dep for yargs)
> were imported into mga5/updates_testing (copied from cauldron)
> uglify-js has been rebuilt with the yargs version patch and the following
> packages are now in update_testing: 
> 
> uglify-js-2.4.24-2.mga5.src.rpm
> uglify-js-2.4.24-2.mga5.noarch.rpm
> js-uglify-2.4.24-2.mga5.noarch.rpm

hold off with testing, there are more hidden deps.
Comment 11 claire robinson 2015-10-30 11:32:22 CET
Can you list any added rpms/srpms too please, Thomas, so they can be pushed together.

Thanks
claire robinson 2015-10-30 11:32:31 CET

Whiteboard: (none) => feedback

Comment 12 Thomas Spuhler 2015-10-31 17:27:52 CET
I will. I am importing the missing deps in cauldron first and testing them for hidden deps. (openSUSE updated them all about 10 days ago.)
I will then copy (svn) them over to mga5/updates and build them for mga5 updates_testing.
Comment 13 Thomas Spuhler 2015-11-05 16:41:13 CET
OK, this bug is now fixed in cauldron. uglify-js in cauldron finds and installs all deps fine.
I will now work on mga5. I will let you know when it's complete

Whiteboard: feedback => fixed in cauldron

Comment 14 claire robinson 2015-11-05 16:46:12 CET
Ok

Whiteboard: fixed in cauldron => feedback

Comment 15 Thomas Spuhler 2015-11-06 19:11:40 CET
This bug is now fixed and all deps have been added to mga5 updates_testing.
I installed it on a mga5 VM by doing a urpmi uglify-js

The following packages are now in updates_testing:
uglify-js-2.4.24-3.mga5.noarch.rpm 
js-uglify-2.4.24-3.mga5.noarch.rpm 
uglify-js-2.4.24-3.mga5.src.rpm 

nodejs-align-text-0.1.3-1.mga5.noarch.rpm
nodejs-ansi-regex-2.0.0-1.mga5.noarch.rpm
nodejs-camelcase-1.2.1-1.mga5.noarch.rpm
nodejs-center-align-0.1.1-1.mga5.noarch.rpm
nodejs-cliui-3.0.3-1.mga5.noarch.rpm
nodejs-code-point-at-1.0.0-1.mga5.noarch.rpm
nodejs-decamelize-1.0.0-1.mga5.noarch.rpm
nodejs-invert-kv-1.0.0-1.mga5.noarch.rpm
nodejs-is-buffer-1.1.0-1.mga5.noarch.rpm
nodejs-is-fullwidth-code-point-1.0.0-1.mga5.noarch.rpm
nodejs-kind-of-2.0.1-1.mga5.noarch.rpm 
nodejs-lcid-1.0.0-1.mga5.noarch.rpm 
nodejs-longest-1.0.1-1.mga5.noarch.rpm
nodejs-minimist-1.2.0-1.mga5.noarch.rpm 
nodejs-number-is-nan-1.0.0-1.mga5.noarch.rpm 
nodejs-os-locale-1.4.0-1.mga5.noarch.rpm
nodejs-repeat-string-1.5.2-1.mga5.noarch.rpm 
nodejs-right-align-0.1.3-1.mga5.noarch.rpm
nodejs-source-map-0.5.1-1.mga5.noarch.rpm
nodejs-string-width-1.0.1-6.mga5.noarch.rpm
nodejs-strip-ansi-3.0.0-1.mga5.noarch.rpm
nodejs-window-size-0.1.2-1.mga5.noarch.rpm
nodejs-wrap-ansi-1.0.0-1.mga5.noarch.rpm
nodejs-y18n-3.2.0-1.mga5.noarch.rpm
nodejs-yargs-3.28.0-2.mga5.noarch.rpm  

nodejs-align-text-0.1.3-1.mga5.src.rpm
nodejs-ansi-regex-2.0.0-1.mga5.src.rpm
nodejs-camelcase-1.2.1-1.mga5.src.rpm
nodejs-center-align-0.1.1-1.mga5.src.rpm
nodejs-cliui-3.0.3-1.mga5.src.rpm
nodejs-code-point-at-1.0.0-1.mga5.src.rpm
nodejs-decamelize-1.0.0-1.mga5.src.rpm
nodejs-invert-kv-1.0.0-1.mga5.src.rpm
nodejs-is-buffer-1.1.0-1.mga5.src.rpm
nodejs-is-fullwidth-code-point-1.0.0-1.mga5.src.rpm
nodejs-kind-of-2.0.1-1.mga5.src.rpm 
nodejs-lcid-1.0.0-1.mga5.src.rpm 
nodejs-longest-1.0.1-1.mga5.src.rpm 
nodejs-minimist-1.2.0-1.mga5.src.rpm 
nodejs-number-is-nan-1.0.0-1.mga5.src.rpm
nodejs-os-locale-1.4.0-1.mga5.src.rpm
nodejs-repeat-string-1.5.2-1.mga5.src.rpm
nodejs-right-align-0.1.3-1.mga5.src.rpm
nodejs-source-map-0.5.1-1.mga5.src.rpm
nodejs-string-width-1.0.1-6.mga5.src.rpm
nodejs-strip-ansi-3.0.0-1.mga5.src.rpm 
nodejs-window-size-0.1.2-1.mga5.src.rpm
nodejs-wrap-ansi-1.0.0-1.mga5.src.rpm
nodejs-y18n-3.2.0-1.mga5.src.rpm
nodejs-yargs-3.28.0-2.mga5.src.rpm

Whiteboard: feedback => (none)

Comment 16 Lewis Smith 2015-11-08 21:45:36 CET
Preparing to test M5 x64, but some preambles:

- In the test case page https://github.com/mishoo/UglifyJS2/issues/751 there is the helpful comment:
"The simplest test case appears to be:

match = !x &&
    (!z || c) &&
    (!k || d) &&
    the_stuff();

compresses to:

match = !(x || z && !c || k && !d || !the_stuff());

which obviously loses the value returned from the_stuff()".
[although I cannot see the logic of this assertion].

- There must be a way of running JavaScript directly (without embedding it in a web page). Can anyone say how? Then it should be easy enough to write a mini-script to try the simple test case.

CC: (none) => lewyssmith

Comment 17 Lewis Smith 2015-11-09 12:27:39 CET
While I have the info to hand, which might help...

Nodejs is a way of running javascripts: $ node <script>

http://lisperator.net/uglifyjs/
Home site. The 'Open Demo' button enables real-time playing with source & compressed code. It does not show the uglifyjs version. Close that window to return to the home page.

http://marijnhaverbeke.nl/uglifyjs
A dedicated real-time play area. Version 2.4.24 (the update).

Interestingly, using the formatted source in Comment 16, the first (version ?) demo above gives a result like that in the comment:
 match=!(x||z&&!c||k&&!d||!the_stuff())
while the second (2.4.24) yields:
 match=!x&&(!z||c)&&(!k||d)&&the_stuff();
Remains to discover the difference in execution, whether the first is flawed and the second corrected.

There is no uglifyjs man page (should there be?); find it here:
 https://github.com/mishoo/UglifyJS2#readme
Comment 18 Lewis Smith 2015-11-10 22:09:43 CET
Testing M5 x64

Forget my previous note about using 'node' to run JavaScript independently. It does not (or I could not see how to) show output (alert, document.write) on the console. You need a browser for that; alas.

I ended up writing a simple HTML page referencing little JavaScripts (hooray having the books!) in separate files; it has to be thus to try the effect of uglifyjs on the given formatted code snippet. This implies giving values to all its variables, and writing a little function the_stuff() to return either true or false.

PRE-update (with nodejs also installed)
 uglify-js-2.4.13-4.mga5
 js-uglify-2.4.13-4.mga5

The HTML page showed the ultimate true|false result of the formatted code snippet, *and* that returned by the same JavaScript passed through uglifyjs with different flags. I tried three variants of uglifying:
- no additional qualifiers. Produced for the test fragment:
 match=!x&&(!z||c)&&(!k||d)&&the_stuff();   [like the second result in Comment 17]
- just -c compress flag, which produced:
 match=!(x||z&&!c||k&&!d||!the_stuff()),    [like the first Comment 17 result]
- both -c compress & -m mangle [?, see uglifyjs -h], which yielded
 match=!(x||z&&!c||k&&!d||!the_stuff()),    [as previous]

The page ran all 4 external scripts & displayed their final result, also noting whether the function the_stuff() was called, since the note in Comment 16 suggests that this gets overlooked. It never was when it needed to be called after all previous logic tests were 'false'. I varied the variables in the formatted source code between 0 & 1, true & false for the_stuff(), then uglified that in the 3 ways described, and displayed the final result of all 4 scripts.

The results were always consistent both between the 4 JavaScript variants, and manual verification of what the result *should* be. Sigh: no reproducible error to test the resolution thereof by the update.

[continued below]
Comment 19 Lewis Smith 2015-11-10 22:20:33 CET
M5 x64 continued.

AFTER update to:
js-uglify-2.4.24-3.mga5
uglify-js-2.4.24-3.mga5
nodejs-0.10.38-1.mga5
nodejs-amdefine-0.0.4-2.mga5
nodejs-ansi-regex-2.0.0-1.mga5
nodejs-async-0.2.10-3.mga5
nodejs-camelcase-1.2.1-1.mga5
nodejs-cliui-3.0.3-1.mga5
nodejs-code-point-at-1.0.0-1.mga5
nodejs-decamelize-1.0.0-1.mga5
nodejs-invert-kv-1.0.0-1.mga5
nodejs-is-fullwidth-code-point-1.0.0-1.mga5
nodejs-lcid-1.0.0-1.mga5
nodejs-minimist-1.2.0-1.mga5
nodejs-number-is-nan-1.0.0-1.mga5
nodejs-optimist-0.4.0-2.mga5
nodejs-os-locale-1.4.0-1.mga5
nodejs-source-map-0.5.1-1.mga5
nodejs-string-width-1.0.1-6.mga5
nodejs-strip-ansi-3.0.0-1.mga5
nodejs-uglify-to-browserify-1.0.2-4.mga5
nodejs-window-size-0.1.2-1.mga5
nodejs-wordwrap-0.0.2-2.mga5
nodejs-wrap-ansi-1.0.0-1.mga5
nodejs-y18n-3.2.0-1.mga5
nodejs-yargs-3.28.0-2.mga5

Re-running the same uglifyjs commands as before the update [testsrc is the formatted JavaScript file]:
$ uglifyjs testsrc.js -o testobj1.js

module.js:340
    throw err;
          ^
Error: Cannot find module 'source-map'
    at Function.Module._resolveFilename (module.js:338:15)
    at Function.Module._load (module.js:280:25)
    at Module.require (module.js:364:17)
    at require (module.js:380:17)
    at Object.<anonymous> (/usr/lib/node_modules/uglify-js@2/tools/node.js:9:21)
    at Module._compile (module.js:456:26)
    at Object.Module._extensions..js (module.js:474:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Module.require (module.js:364:17)

Similarly for
$ uglifyjs testsrc.js -c -o testobj2.js
$ uglifyjs testsrc.js -c -m -o testobj3.js

Which looks like a step backwards. So what next, please? Marking 'feedback'.

Whiteboard: (none) => feedback

Comment 20 Thomas Spuhler 2015-11-10 22:28:15 CET
Maybe source-map needs to be updated. Maintainer, what do you think?
Comment 21 Thomas Spuhler 2015-11-12 18:10:31 CET
would you mind if this works in cauldron?
Comment 22 claire robinson 2015-11-13 12:15:33 CET
Are you asking whether it can be left without an update? We won't intentionally push an update to 5 which causes regression/breakage. Beyond that it's really between yourself, David & maintainer to decide how to proceed. Can it not be patched?

Hopefully Cauldron will work too though, yes :)
Comment 23 Thomas Spuhler 2015-11-13 18:47:29 CET
Unfortunately, the maintainer has abandoned (or almost) all updates and bug fixes.
Comment 24 Thomas Spuhler 2015-11-13 18:52:39 CET
(In reply to Thomas Spuhler from comment #21)
> would you mind if this works in cauldron?

Ooops, would you mind checking whether this works in cauldron,
or
provide the code you are using to test.
Comment 25 Thomas Spuhler 2015-11-13 19:25:03 CET
Lewis, I found the script you were running and it fails in cauldron too. I am suspecting the new nodejs-source-map. It's missing some files. I am looking for a packaging problem.
Comment 26 Lewis Smith 2015-11-13 21:29:41 CET
Created attachment 7201 [details]
HTML page to run test javaScripts

The formatted javaScript testsrc.js follows as another attachment. You need to run
$ uglifyjs testsrc.js -o testobj1.js
$ uglifyjs testsrc.js -c -o testobj2.js
$ uglifyjs testsrc.js -c -m -o testobj3.js
to create the compressed scripts to run from this page.
Comment 27 Lewis Smith 2015-11-13 21:37:50 CET
Created attachment 7202 [details]
Test normally formatted javaScript to put through uglifyjs

This includes the code fragment given to test the alleged error in the output from uglifyjs. See Comment 16, Comment 18. The script needs to be:
$ uglifyjs testsrc.js -o testobj1.js
$ uglifyjs testsrc.js -c -o testobj2.js
$ uglifyjs testsrc.js -c -m -o testobj3.js
to create the compressed variants run by the HTML page, previous attachment.
Comment 28 Lewis Smith 2015-11-13 21:43:26 CET
Correction to my Comment 18:
the_stuff only gets run when all previous boolean tests were *true*, because they are all and'd. The first false (unless or'd to a true) will break out false overall.
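The following is an added example, not code from the bug report, the Mageia packages or UglifyJS itself. It evaluates the Comment 16 test case in both its formatted form and the form the pre-2.4.24 compressor produced, directly in JavaScript, so no browser page is needed. It goes one step beyond the Comment 18 harness, which only compared the two outcomes as TRUE/FALSE: here the results are compared with strict equality, and the inputs include non-boolean values, which is the case the advisory text describes. The function names (original, compressed, findDivergences, makeCase, buildCases) and all input values are constructed for this example.

```javascript
// Added example: not from the bug report, the Mageia packages or UglifyJS.
// Both forms of the Comment 16 expression are evaluated side by side on
// constructed inputs, and the cases whose results differ are collected.

// Formatted expression from the upstream test case (Comment 16).
function original(x, z, c, k, d, the_stuff) {
  return !x && (!z || c) && (!k || d) && the_stuff();
}

// What the -c compressor produced before 2.4.24: De Morgan's law applied
// as though every operand were a boolean.
function compressed(x, z, c, k, d, the_stuff) {
  return !(x || z && !c || k && !d || !the_stuff());
}

// Run both forms on each case and keep those whose results are not
// identical (===). De Morgan's law does hold for truthiness, so the two
// always agree as TRUE/FALSE; what the compressed form loses is the actual
// value that && passes through, e.g. the return value of the_stuff().
function findDivergences(cases) {
  const divergent = [];
  for (const tc of cases) {
    const a = original(tc.x, tc.z, tc.c, tc.k, tc.d, tc.the_stuff);
    const b = compressed(tc.x, tc.z, tc.c, tc.k, tc.d, tc.the_stuff);
    if (a !== b) {
      divergent.push({ name: tc.name, original: a, compressed: b });
    }
  }
  return divergent;
}

// Builds one constructed test case; `called` counts how often the_stuff()
// ran across both forms, mirroring the check made in Comment 18.
function makeCase(name, x, z, c, k, d, stuffValue) {
  const tc = { name, x, z, c, k, d, called: 0 };
  tc.the_stuff = () => { tc.called += 1; return stuffValue; };
  return tc;
}

// Constructed inputs (not from the page); a fresh set on every call.
function buildCases() {
  return [
    // All operands boolean: both forms agree, as Comment 18 observed.
    makeCase('all-boolean', false, false, false, false, false, true),
    // x truthy: both forms short-circuit to false and never call the_stuff().
    makeCase('x-truthy', 1, false, false, false, false, true),
    // the_stuff() returns a number: original yields 42, compressed yields true.
    makeCase('stuff-returns-number', false, false, false, false, false, 42),
    // the_stuff() returns 0: original yields 0, compressed yields false.
    makeCase('stuff-returns-zero', false, false, false, false, false, 0),
    // z truthy and c a string: (!z || c) passes 'config' through, the chain
    // reaches the_stuff(), and its object result collapses to true.
    makeCase('c-is-string', false, true, 'config', false, false, { user: 'alice' }),
  ];
}

// Stand-alone run: list the cases where the minified code changed the value.
for (const d of findDivergences(buildCases())) {
  console.log(`${d.name}: original=${JSON.stringify(d.original)} compressed=${d.compressed}`);
}
```

The point for a tester is that a harness which displays only TRUE or FALSE, as the Comment 18 page did, cannot distinguish the two forms; the defect only shows when the value of `match` is used as a value (a number, a string, an object) rather than as a condition.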
Comment 29 Thomas Spuhler 2015-11-13 21:48:05 CET
Lewis: Hold off right now. source-map.js is missing in nodejs-source-map after upgrading the package and that may be the problem. I just rebuilt it in cauldron.
I am not sure if it's at the right path, so I am checking.
After it works in cauldron, I will update it in mga5 update_testing
Comment 30 Thomas Spuhler 2015-11-14 00:18:25 CET
source-map solved in cauldron. I will fix it in mga5 tomorrow morning.
Comment 31 Thomas Spuhler 2015-11-14 17:18:41 CET
it's now fixed in mga5. The following packages are in updates_testing

nodejs-source-map-0.5.1-1.1.mga5.src.rpm
nodejs-source-map-0.5.1-1.1.mga5.noarch.rpm
replacing those w/o subrel 1
Comment 32 Lewis Smith 2015-11-14 18:33:55 CET
(In reply to Thomas Spuhler from comment #31)
> it's now fixed in mga5. The following packages are in updates_testing
> 
> nodejs-source-map-0.5.1-1.1.mga5.src.rpm
> nodejs-source-map-0.5.1-1.1.mga5.noarch.rpm
> replacing those w/o subrel 1
Thanks Thomas.
My Mageia system is currently out of action, but when I get it back I will return to this.
claire robinson 2015-11-16 09:49:16 CET

Whiteboard: feedback => (none)

Comment 33 Herman Viaene 2015-11-17 14:39:01 CET
MGA-5-32 on Acer D620 Xfce
No installation issues.
After downloading the html and script files in the attachments, copying these into http document root, running the uglify commands as per Comment 27, I could run the html test page and get the results:

The formatted JavaScript result
3 previous conditions true, the_stuff() was called to return true

Final result TRUE
The UNcompressed JavaScript result
3 previous conditions true, the_stuff() was called to return true

Final result TRUE
The compressed JavaScript result
3 previous conditions true, the_stuff() was called to return true

Final result TRUE
The compressed and mangled JavaScript result
3 previous conditions true, the_stuff() was called to return true

Final result TRUE 

which to my understanding is OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 34 claire robinson 2015-11-19 16:47:34 CET
Well done all. Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2015-11-19 17:34:10 CET

CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 35 Mageia Robot 2015-11-19 23:09:26 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0454.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-11-20 18:12:18 CET

URL: (none) => http://lwn.net/Vulnerabilities/665242/

Comment 36 David Walser 2016-04-21 15:58:59 CEST
CVE-2015-8857:
https://nodesecurity.io/advisories/39

Summary: uglify-js new security issue fixed upstream in 2.4.24 => uglify-js new security issue fixed upstream in 2.4.24 (CVE-2015-8857)

