A CVE has been requested for a security issue in uglify-js:
http://openwall.com/lists/oss-security/2015/08/24/5

The upstream commit to fix the issue is linked in the message above. The issue has also been fixed in version 2.4.24.

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Fixed by upgrading to vers. 2.5.0 in cauldron and vers. 2.4.24 in mga5.

The following packages are now in mga5 updates_testing:
uglify-js-2.4.24-1.mga5.src.rpm
uglify-js/RPMS/noarch/uglify-js-2.4.24-1.mga5.noarch.rpm
uglify-js/RPMS/noarch/js-uglify-2.4.24-1.mga5.noarch.rpm

Assigning to QA
CC: (none) => thomas
Hardware: i586 => All
Assignee: joequant => qa-bugs
Status: NEW => ASSIGNED
Thanks Thomas!

Advisory:
========================

The UglifyJS node module has a problem where the combination of De Morgan's Law and non-boolean values can lead to a case where code is incorrectly minified, which can lead to possibly malicious minified JS code.

References:
http://openwall.com/lists/oss-security/2015/08/24/5
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
Anybody got a simple command line for POC? It's a compressor or so it says it is.
CC: (none) => wilcal.int
There's discussion about reproducing on the upstream bug: https://github.com/mishoo/UglifyJS2/issues/751
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: uglify-js js-uglify

default install of uglify-js & js-uglify

[root@localhost wilcal]# urpmi uglify-js
Package uglify-js-2.4.13-4.mga5.noarch is already installed
[root@localhost wilcal]# urpmi js-uglify
Package js-uglify-2.4.13-4.mga5.noarch is already installed

uglify-js & js-uglify install without error.

install uglify-js & js-uglify from updates_testing

[root@localhost wilcal]# urpmi uglify-js
A requested package cannot be installed:
uglify-js-2.4.24-1.mga5.noarch (due to unsatisfied npm(yargs)[>= 3.5.4])
Continue installation anyway? (Y/n) y
While some packages may have been installed, there were failures.
A requested package cannot be installed:
uglify-js-2.4.24-1.mga5.noarch (due to unsatisfied npm(yargs)[>= 3.5.4])
Continue installation anyway?
[root@localhost wilcal]# urpmi js-uglify
Package js-uglify-2.4.24-1.mga5.noarch is already installed

I'm not sure what all this means.
(In reply to David Walser from comment #4)
> There's discussion about reproducing on the upstream bug:
> https://github.com/mishoo/UglifyJS2/issues/751

Tried, unsuccessfully, to reproduce all this.
Added the maintainer to CC. The package uglify-js-2.4.24 needs npm(yargs)[>= 3.5.4], which is not packaged, and it doesn't build on our BS for some strange reason.
CC: (none) => joequant
Whiteboard: (none) => feedback
If no progress in one week, I'll continue to drop it from cauldron.
CC: (none) => mageia
The two dependencies, nodejs-yargs and nodejs-minimist (dep for yargs), were imported into mga5/updates_testing (copied from cauldron).
uglify-js has been rebuilt with the yargs version patch and the following packages are now in update_testing:

uglify-js-2.4.24-2.mga5.src.rpm
uglify-js-2.4.24-2.mga5.noarch.rpm
js-uglify-2.4.24-2.mga5.noarch.rpm
Whiteboard: feedback => (none)
(In reply to Thomas Spuhler from comment #9)
> the two dependencies, nodejs-yargs and nodejs-minimist (dep for yargs)
> were imported into mga5/updates_testing (copid from cauldron)
> uglify-js has been rebuilt with the yargs version patch and the following
> packages are now in update_testing:
>
> uglify-js-2.4.24-2.mga5.src.rpm
> uglify-js-2.4.24-2.mga5.noarch.rpm
> js-uglify-2.4.24-2.mga5.noarch.rpm

Hold off with testing, there are more hidden deps.
Can you list any added rpms/srpms too please Thomas so they can be pushed together. Thanks
I will. I am importing the missing deps in cauldron first and test them for hidden deps. (opensuse has updated them all about 10 days ago) I then will copy (svn) them over to mga5/updates and build them for mga5 updates_testing.
OK, this bug is now fixed in cauldron. uglify-js in cauldron finds and installs all deps fine. I will now work on mga5. I will let you know when it's complete
Whiteboard: feedback => fixed in cauldron
Ok
Whiteboard: fixed in cauldron => feedback
This bug is now fixed and all deps have been added to mga5 updates_testing. I installed it on a mga5 VM by doing a urpmi uglify-js

The following packages are now in updates_testing:

uglify-js-2.4.24-3.mga5.noarch.rpm
js-uglify-2.4.24-3.mga5.noarch.rpm
uglify-js-2.4.24-3.mga5.src.rpm
nodejs-align-text-0.1.3-1.mga5.noarch.rpm
nodejs-ansi-regex-2.0.0-1.mga5.noarch.rpm
nodejs-camelcase-1.2.1-1.mga5.noarch.rpm
nodejs-center-align-0.1.1-1.mga5.noarch.rpm
nodejs-cliui-3.0.3-1.mga5.noarch.rpm
nodejs-code-point-at-1.0.0-1.mga5.noarch.rpm
nodejs-decamelize-1.0.0-1.mga5.noarch.rpm
nodejs-invert-kv-1.0.0-1.mga5.noarch.rpm
nodejs-is-buffer-1.1.0-1.mga5.noarch.rpm
nodejs-is-fullwidth-code-point-1.0.0-1.mga5.noarch.rpm
nodejs-kind-of-2.0.1-1.mga5.noarch.rpm
nodejs-lcid-1.0.0-1.mga5.noarch.rpm
nodejs-longest-1.0.1-1.mga5.noarch.rpm
nodejs-minimist-1.2.0-1.mga5.noarch.rpm
nodejs-number-is-nan-1.0.0-1.mga5.noarch.rpm
nodejs-os-locale-1.4.0-1.mga5.noarch.rpm
nodejs-repeat-string-1.5.2-1.mga5.noarch.rpm
nodejs-right-align-0.1.3-1.mga5.noarch.rpm
nodejs-source-map-0.5.1-1.mga5.noarch.rpm
nodejs-string-width-1.0.1-6.mga5.noarch.rpm
nodejs-strip-ansi-3.0.0-1.mga5.noarch.rpm
nodejs-window-size-0.1.2-1.mga5.noarch.rpm
nodejs-wrap-ansi-1.0.0-1.mga5.noarch.rpm
nodejs-y18n-3.2.0-1.mga5.noarch.rpm
nodejs-yargs-3.28.0-2.mga5.noarch.rpm
nodejs-align-text-0.1.3-1.mga5.src.rpm
nodejs-ansi-regex-2.0.0-1.mga5.src.rpm
nodejs-camelcase-1.2.1-1.mga5.src.rpm
nodejs-center-align-0.1.1-1.mga5.src.rpm
nodejs-cliui-3.0.3-1.mga5.src.rpm
nodejs-code-point-at-1.0.0-1.mga5.src.rpm
nodejs-decamelize-1.0.0-1.mga5.src.rpm
nodejs-invert-kv-1.0.0-1.mga5.src.rpm
nodejs-is-buffer-1.1.0-1.mga5.src.rpm
nodejs-is-fullwidth-code-point-1.0.0-1.mga5.src.rpm
nodejs-kind-of-2.0.1-1.mga5.src.rpm
nodejs-lcid-1.0.0-1.mga5.src.rpm
nodejs-longest-1.0.1-1.mga5.src.rpm
nodejs-minimist-1.2.0-1.mga5.src.rpm
nodejs-number-is-nan-1.0.0-1.mga5.src.rpm
nodejs-os-locale-1.4.0-1.mga5.src.rpm
nodejs-repeat-string-1.5.2-1.mga5.src.rpm
nodejs-right-align-0.1.3-1.mga5.src.rpm
nodejs-source-map-0.5.1-1.mga5.src.rpm
nodejs-string-width-1.0.1-6.mga5.src.rpm
nodejs-strip-ansi-3.0.0-1.mga5.src.rpm
nodejs-window-size-0.1.2-1.mga5.src.rpm
nodejs-wrap-ansi-1.0.0-1.mga5.src.rpm
nodejs-y18n-3.2.0-1.mga5.src.rpm
nodejs-yargs-3.28.0-2.mga5.src.rpm
Preparing to test M5 x64, but some pre-ambles:

- In the test case page https://github.com/mishoo/UglifyJS2/issues/751 there is the helpful comment:
  "The simplest test case appears to be:
  match = !x && (!z || c) && (!k || d) && the_stuff();
  compresses to:
  match = !(x || z && !c || k && !d || !the_stuff());
  which obviously loses the value returned from the_stuff()".
  [although I cannot see the logic of this assertion]

- There must be a way of running JavaScript directly (without embedding it in a web page). Can anyone say how? Then it should be easy enough to write a mini-script to try the simple test case.
CC: (none) => lewyssmith
While I have the info to hand, which might help...

Nodejs is a way of running javascripts:
$ node <script>

http://lisperator.net/uglifyjs/
Home site. The 'Open Demo' button enables real-time playing with source & compressed code. It does not show the uglifyjs version. Close that window to return to the home page.

http://marijnhaverbeke.nl/uglifyjs
A dedicated real-time play area. Version 2.4.24 (the update).

Interestingly, using the formatted source in Comment 16, the first (version ?) demo above gives a result like that in the comment:
match=!(x||z&&!c||k&&!d||!the_stuff())
while the second (2.4.24) yields:
match=!x&&(!z||c)&&(!k||d)&&the_stuff();

Remains to discover the difference in execution, whether the first is flawed and the second corrected.

There is no uglifyjs man page (should there be?); find it here:
https://github.com/mishoo/UglifyJS2#readme
Testing M5 x64

Forget my previous note about using 'node' to run JavaScript independently. It does not (or I could not see how to) show output (alert, document.write) on the console. You need a browser for that; alas.

I ended up writing a simple HTML page referencing little JavaScripts (hooray having the books!) in separate files; it has to be thus to try the effect of uglifyjs on the given formatted code snippet. This implies giving values to all its variables, and writing a little function the_stuff() to return either true or false.

PRE-update (with nodejs also installed)
uglify-js-2.4.13-4.mga5
js-uglify-2.4.13-4.mga5

The HTML page showed the ultimate true|false result of the formatted code snippet, *and* that returned by the same JavaScript passed through uglifyjs with different flags. I tried three variants of uglifying:
- no additional qualifiers. Produced for the test fragment:
  match=!x&&(!z||c)&&(!k||d)&&the_stuff();
  [like the second result in Comment 17]
- just -c compress flag, which produced:
  match=!(x||z&&!c||k&&!d||!the_stuff()),
  [like the first Comment 17 result]
- both -c compress & -m mangle [?, see uglifyjs -h], which yielded
  match=!(x||z&&!c||k&&!d||!the_stuff()),
  [as previous]

The page ran all 4 external scripts & displayed their final result, also noting whether the function the_stuff() was called, since the note in Comment 16 suggests that this gets overlooked. It never was when it needed to be called after all previous logic tests were 'false'.

I varied the variables in the formatted source code between 0 & 1, true & false for the_stuff(), then uglified that in the 3 ways described, and displayed the final result of all 4 scripts. The results were always consistent both between the 4 JavaScript variants, and manual verification of what the result *should* be.

Sigh: no reproducible error to test the resolution thereof by the update.

[continued below]
M5 x64 continued.

AFTER update to:
js-uglify-2.4.24-3.mga5
uglify-js-2.4.24-3.mga5
nodejs-0.10.38-1.mga5
nodejs-amdefine-0.0.4-2.mga5
nodejs-ansi-regex-2.0.0-1.mga5
nodejs-async-0.2.10-3.mga5
nodejs-camelcase-1.2.1-1.mga5
nodejs-cliui-3.0.3-1.mga5
nodejs-code-point-at-1.0.0-1.mga5
nodejs-decamelize-1.0.0-1.mga5
nodejs-invert-kv-1.0.0-1.mga5
nodejs-is-fullwidth-code-point-1.0.0-1.mga5
nodejs-lcid-1.0.0-1.mga5
nodejs-minimist-1.2.0-1.mga5
nodejs-number-is-nan-1.0.0-1.mga5
nodejs-optimist-0.4.0-2.mga5
nodejs-os-locale-1.4.0-1.mga5
nodejs-source-map-0.5.1-1.mga5
nodejs-string-width-1.0.1-6.mga5
nodejs-strip-ansi-3.0.0-1.mga5
nodejs-uglify-to-browserify-1.0.2-4.mga5
nodejs-window-size-0.1.2-1.mga5
nodejs-wordwrap-0.0.2-2.mga5
nodejs-wrap-ansi-1.0.0-1.mga5
nodejs-y18n-3.2.0-1.mga5
nodejs-yargs-3.28.0-2.mga5

Re-running the same uglifyjs commands as before the update [testsrc is the formatted JavaScript file]:

$ uglifyjs testsrc.js -o testobj1.js
module.js:340
    throw err;
          ^
Error: Cannot find module 'source-map'
    at Function.Module._resolveFilename (module.js:338:15)
    at Function.Module._load (module.js:280:25)
    at Module.require (module.js:364:17)
    at require (module.js:380:17)
    at Object.<anonymous> (/usr/lib/node_modules/uglify-js@2/tools/node.js:9:21)
    at Module._compile (module.js:456:26)
    at Object.Module._extensions..js (module.js:474:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Module.require (module.js:364:17)

Similarly for
$ uglifyjs testsrc.js -c -o testobj2.js
$ uglifyjs testsrc.js -c -m -o testobj3.js

Which looks like a step backwards. So what next, please? Marking 'feedback'.
Maybe source-map needs to be updated. Maintainer, what do you think?
would you mind if this works in cauldron?
Are you asking whether it can be left without an update? We won't intentionally push an update to 5 which causes regression/breakage. Beyond that it's really between yourself, David & maintainer to decide how to proceed. Can it not be patched? Hopefully Cauldron will work too though, yes :)
Unfortunately, the maintainer has abandoned (or almost) all updates and bug fixes.
(In reply to Thomas Spuhler from comment #21)
> would you mind if this works in cauldron?

Ooops, would you mind to check if this works in cauldron or provide the code you are using to test.
Lewis, I found the script you were running and it fails in cauldron too. I am suspecting the new nodejs-source-map. It's missing some files. I am looking for a packaging problem.
Created attachment 7201 [details]
HTML page to run test JavaScripts

The formatted JavaScript testsrc.js follows as another attachment. You need to run
$ uglifyjs testsrc.js -o testobj1.js
$ uglifyjs testsrc.js -c -o testobj2.js
$ uglifyjs testsrc.js -c -m -o testobj3.js
to create the compressed scripts to run from this page.
Created attachment 7202 [details]
Test normally formatted JavaScript to put through uglifyjs

This includes the code fragment given to test the alleged error in the output from uglifyjs. See Comment 16, Comment 18. The script needs to be:
$ uglifyjs testsrc.js -o testobj1.js
$ uglifyjs testsrc.js -c -o testobj2.js
$ uglifyjs testsrc.js -c -m -o testobj3.js
to create the compressed variants run by the HTML page, previous attachment.
Correction to my Comment 18: the_stuff only gets run when all previous boolean tests were *true*, because they are all and'd. The first false (unless or'd to a true) will break out false overall.
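The two forms of the test fragment from the upstream issue, as an added example that is not part of this bug report or of UglifyJS: both are written as functions so they can be compared on the same inputs, including the non-boolean values that a 0/1 sweep never exercises. the_stuff and the sample object it returns are constructed for the example.

```javascript
// Added example (not from the bug report or UglifyJS): the upstream test
// fragment as written by the developer, and the De Morgan-rewritten form
// that the faulty compressor produced (uglifyjs -c before 2.4.24).

// Original, as written by the developer.
function original(x, z, c, k, d, the_stuff) {
  return !x && (!z || c) && (!k || d) && the_stuff();
}

// The rewritten form from the upstream issue.
function miscompressed(x, z, c, k, d, the_stuff) {
  return !(x || z && !c || k && !d || !the_stuff());
}

// Compare both forms on one input with ===, so a result that is merely
// truthy-equal (true vs. an object) still counts as a difference.
function sameResult(x, z, c, k, d, the_stuff) {
  return original(x, z, c, k, d, the_stuff) ===
         miscompressed(x, z, c, k, d, the_stuff);
}

// Exhaustive check over boolean inputs: with only true/false the rewrite
// is sound, which is why a test that only varies 0/1 and true/false
// never shows a difference.
function booleanInputsAgree() {
  const bools = [true, false];
  for (const x of bools) for (const z of bools) for (const c of bools)
    for (const k of bools) for (const d of bools) for (const s of bools) {
      if (!sameResult(x, z, c, k, d, () => s)) return false;
    }
  return true;
}

// Non-boolean input: && yields its last evaluated operand, so the original
// hands back whatever the_stuff() returned; the negated form coerces that
// value to a plain boolean, and the returned object is lost.
function nonBooleanExample() {
  const the_stuff = () => ({ role: "admin" }); // constructed sample value
  return {
    original: original(false, false, true, false, true, the_stuff),
    compressed: miscompressed(false, false, true, false, true, the_stuff),
  };
}
```

Any later code that reads a property of match (match.role) behaves differently on the two outputs, which is the difference a true/false-only harness cannot see.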
Lewis: Hold off right now. source-map.js is missing in nodejs-source-map after upgrading the package and that may be the problem. I just rebuilt it in cauldron. I am not sure if it's at the right path, so I am checking. After it works in cauldron, I will update it in mga5 update_testing
source-map solved in cauldron. I will fix it in mga5 tomorrow morning.
It's now fixed in mga5. The following packages are in updates_testing:

nodejs-source-map-0.5.1-1.1.mga5.src.rpm
nodejs-source-map-0.5.1-1.1.mga5.noarch.rpm

replacing those w/o subrel 1
(In reply to Thomas Spuhler from comment #31)
> it's now fixed in mga5. The follwoing packages are in updates_testing
>
> nodejs-source-map-0.5.1-1.1.mga5.src.rpm
> nodejs-source-map-0.5.1-1.1.mga5.noarch.rpm
> replacing those w/o subrel 1

Thanks Thomas. My Mageia system is currently out of action, but when I get it back I will return to this.
MGA-5-32 on Acer D620 Xfce

No installation issues.

After downloading the html and script files in the attachments, copying these into http document root, running the uglify commands as per Comment 27, I could run the html test page and get the results:

The formatted JavaScript result
3 previous conditions true, the_stuff() was called to return true
Final result TRUE

The UNcompressed JavaScript result
3 previous conditions true, the_stuff() was called to return true
Final result TRUE

The compressed JavaScript result
3 previous conditions true, the_stuff() was called to return true
Final result TRUE

The compressed and mangled JavaScript result
3 previous conditions true, the_stuff() was called to return true
Final result TRUE

which to my understanding is OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
Well done all. Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0454.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/665242/
CVE-2015-8857: https://nodesecurity.io/advisories/39
Summary: uglify-js new security issue fixed upstream in 2.4.24 => uglify-js new security issue fixed upstream in 2.4.24 (CVE-2015-8857)