18243 – package need upgrade as uglify-js security upgrade needs vers. >= 1.5.0

Bug 18243 - package need upgrade as uglify-js security upgrade needs vers. >= 1.5.0

Summary: package need upgrade as uglify-js security upgrade needs vers. >= 1.5.0

Status:	RESOLVED MOVED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	RPM Packages (show other bugs)
Version:	5
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	18232
	Show dependency tree / graph

Reported:	2016-04-22 17:02 CEST by Thomas Spuhler
Modified:	2016-05-12 11:50 CEST (History)
CC List:	3 users (show)

See Also:
Source RPM:	nodejs-async
CVE:
Status comment:

Attachments
The node.js testcase. (211 bytes, text/plain) 2016-04-28 22:26 CEST, Shlomi Fish	Details
View All Add an attachment (proposed patch, testcase, etc.)

Description Thomas Spuhler 2016-04-22 17:02:01 CEST

Description of problem:
package need upgrade as uglify-js security upgrade needs vers. >= 1.5.0
Bug 18232 - uglify-js new security issue CVE-2015-8858

Comment 1 Thomas Spuhler 2016-04-22 17:06:14 CEST

This bug is now fixed. it must be pushed before testing Bug 18232 - uglify-js new security issue CVE-2015-8858

The following pacakges are now in updates_testing:
nodejs-async-1.5.0-1.mga5.src.rpm
nodejs-async-1.5.0-1.mga5.noarch.rpm

Status: NEW => ASSIGNED
CC: (none) => thomas
Assignee: bugsquad => qa-bugs

claire robinson 2016-04-22 17:16:34 CEST

Blocks: (none) => 18232

Comment 2 Shlomi Fish 2016-04-28 22:25:34 CEST

On an x86-64 mgav5 VBox VM , I got the following typescript before and after the update:

Script started on Thu 28 Apr 2016 11:11:42 PM IDT
[36l>]0;shlomif@localhost:~[shlomif@localhost ~]$ ls
[0m[01;34mDesktop[0m/    [01;34mDownloads[0m/  [01;34mPictures[0m/   test.js   [01;34mtmp[0m/        [01;34mVideos[0m/
[01;34mDocuments[0m/  [01;34mMusic[0m/      [01;34mTemplates[0m/  [47;30mtest.js~[0m  typescript
]0;shlomif@localhost:~[shlomif@localhost ~]$ cat test.js
async = require("async");
fs = require("fs");

async.map(['Desktop', '.bashrc', '/var/tmp'], fs.stat, function(err, results){
    // results is now an array of stats for each file
    console.log (results);
});
]0;shlomif@localhost:~[shlomif@localhost ~]$ node test.js

module.js:340
    throw err;
          ^
Error: Cannot find module 'async'
    at Function.Module._resolveFilename (module.js:338:15)
    at Function.Module._load (module.js:280:25)
    at Module.require (module.js:364:17)
    at require (module.js:380:17)
    at Object.<anonymous> (/home/shlomif/test.js:1:71)
    at Module._compile (module.js:456:26)
    at Object.Module._extensions..js (module.js:474:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Function.Module.runMain (module.js:497:10)
]0;shlomif@localhost:~[shlomif@localhost ~]$ ln -s /usr/lib/noe[Kde_modules/[K no[K[K
]0;shlomif@localhost:~[shlomif@localhost ~]$ ln -s /usr/lib/node_modules 
[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[16Pnode test.js
[ { dev: 2049,
    mode: 16877,
    nlink: 2,
    uid: 1000,
    gid: 1000,
    rdev: 0,
    blksize: 4096,
    ino: 538148,
    size: 4096,
    blocks: 8,
    atime: Tue Apr 19 2016 13:43:42 GMT+0300 (IDT),
    mtime: Wed Jul 15 2015 16:03:33 GMT+0300 (IDT),
    ctime: Wed Jul 15 2015 16:03:33 GMT+0300 (IDT) },
  { dev: 2049,
    mode: 33188,
    nlink: 1,
    uid: 1000,
    gid: 1000,
    rdev: 0,
    blksize: 4096,
    ino: 538115,
    size: 124,
    blocks: 8,
    atime: Thu Apr 28 2016 23:04:42 GMT+0300 (IDT),
    mtime: Tue Jan 27 2015 19:20:42 GMT+0200 (IST),
    ctime: Wed Jul 15 2015 16:01:39 GMT+0300 (IDT) },
  { dev: 2049,
    mode: 17407,
    nlink: 5,
    uid: 0,
    gid: 0,
    rdev: 0,
    blksize: 4096,
    ino: 784898,
    size: 4096,
    blocks: 8,
    atime: Tue Apr 19 2016 13:29:59 GMT+0300 (IDT),
    mtime: Thu Apr 28 2016 23:04:58 GMT+0300 (IDT),
    ctime: Thu Apr 28 2016 23:04:58 GMT+0300 (IDT) } ]
]0;shlomif@localhost:~[shlomif@localhost ~]$ ext[Kit
exit

Script done on Thu 28 Apr 2016 11:12:20 PM IDT


-----------

So it seems to be working fine after I create a symlink, but not beforehand.

I'll attach the test script I used soon.

CC: (none) => shlomif

Comment 3 Shlomi Fish 2016-04-28 22:26:39 CEST

Created attachment 7707 [details]
The node.js testcase.

This is the test case I used.

Comment 4 Shlomi Fish 2016-04-28 22:29:57 CEST

And I'm getting the exact same results with the test case and the symbolic link on an i586 mgav5 VBox VM.

Comment 5 Thomas Spuhler 2016-04-28 23:12:33 CEST

(In reply to Shlomi Fish from comment #2)
> On an x86-64 mgav5 VBox VM , I got the following typescript before and after
> the update:
> 
> Script started on Thu 28 Apr 2016 11:11:42 PM IDT
> [36l>]0;shlomif@localhost:~[shlomif@localhost ~]$ ls
> [0m[01;34mDesktop[0m/    [01;34mDownloads[0m/  [01;34mPictures[0m/   test.js
> [01;34mtmp[0m/        [01;34mVideos[0m/
> [01;34mDocuments[0m/  [01;34mMusic[0m/      [01;34mTemplates[0m/ 
> [47;30mtest.js~[0m  typescript
> ]0;shlomif@localhost:~[shlomif@localhost ~]$ cat test.js
> async = require("async");
> fs = require("fs");
> 
> async.map(['Desktop', '.bashrc', '/var/tmp'], fs.stat, function(err,
> results){
>     // results is now an array of stats for each file
>     console.log (results);
> });
> ]0;shlomif@localhost:~[shlomif@localhost ~]$ node test.js
> 
> module.js:340
>     throw err;
>           ^
> Error: Cannot find module 'async'
>     at Function.Module._resolveFilename (module.js:338:15)
>     at Function.Module._load (module.js:280:25)
>     at Module.require (module.js:364:17)
>     at require (module.js:380:17)
>     at Object.<anonymous> (/home/shlomif/test.js:1:71)
>     at Module._compile (module.js:456:26)
>     at Object.Module._extensions..js (module.js:474:10)
>     at Module.load (module.js:356:32)
>     at Function.Module._load (module.js:312:12)
>     at Function.Module.runMain (module.js:497:10)
> ]0;shlomif@localhost:~[shlomif@localhost ~]$ ln -s
> /usr/lib/noe[Kde_modules/[K no[K[K
> ]0;shlomif@localhost:~[shlomif@localhost ~]$ ln -s /usr/lib/node_modules 
> [C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[16Pnode test.js
> [ { dev: 2049,
>     mode: 16877,
>     nlink: 2,
>     uid: 1000,
>     gid: 1000,
>     rdev: 0,
>     blksize: 4096,
>     ino: 538148,
>     size: 4096,
>     blocks: 8,
>     atime: Tue Apr 19 2016 13:43:42 GMT+0300 (IDT),
>     mtime: Wed Jul 15 2015 16:03:33 GMT+0300 (IDT),
>     ctime: Wed Jul 15 2015 16:03:33 GMT+0300 (IDT) },
>   { dev: 2049,
>     mode: 33188,
>     nlink: 1,
>     uid: 1000,
>     gid: 1000,
>     rdev: 0,
>     blksize: 4096,
>     ino: 538115,
>     size: 124,
>     blocks: 8,
>     atime: Thu Apr 28 2016 23:04:42 GMT+0300 (IDT),
>     mtime: Tue Jan 27 2015 19:20:42 GMT+0200 (IST),
>     ctime: Wed Jul 15 2015 16:01:39 GMT+0300 (IDT) },
>   { dev: 2049,
>     mode: 17407,
>     nlink: 5,
>     uid: 0,
>     gid: 0,
>     rdev: 0,
>     blksize: 4096,
>     ino: 784898,
>     size: 4096,
>     blocks: 8,
>     atime: Tue Apr 19 2016 13:29:59 GMT+0300 (IDT),
>     mtime: Thu Apr 28 2016 23:04:58 GMT+0300 (IDT),
>     ctime: Thu Apr 28 2016 23:04:58 GMT+0300 (IDT) } ]
> ]0;shlomif@localhost:~[shlomif@localhost ~]$ ext[Kit
> exit
> 
> Script done on Thu 28 Apr 2016 11:12:20 PM IDT
> 
> 
> -----------
> 
> So it seems to be working fine after I create a symlink, but not beforehand.
> 
> I'll attach the test script I used soon.
Thanks for testing.
Which symlink did you add and where?
Thomas

Comment 6 Shlomi Fish 2016-04-28 23:47:47 CEST

> Thanks for testing.
> Which symlink did you add and where?
> Thomas

I did "ln -s /usr/lib/node_modules" while at the $HOME directory.

Comment 7 Lewis Smith 2016-05-10 20:34:12 CEST

Trying x64. Thanks Shlomi for your efforts.

BEFORE the update, same result as Shlomi Comment 2 with
 $ node test.js 
module.js:340
    throw err;
          ^
Error: Cannot find module 'async'
etc etc.

AFTER the update (which pulled in both uglify-js & js-uglify), the same erroneous result.

The symlinks as shown in Comment 2 are unclear. If they make the test case here work, should they not be part of the update? Do I take it that the latter part of the Comment 2 output is the *correct* result (after the symlinks)?
As it is, either we can accept this update as merely providing a certain version advance (ignoring that it does not work; but neither did it before); or should we enhance the update?

CC: (none) => lewyssmith

Comment 8 claire robinson 2016-05-12 11:50:38 CEST

Closing: This forms part of the uglify-js update in bug 18232 so will be handled there for clarity.

Status: ASSIGNED => RESOLVED
Resolution: (none) => MOVED

Note You need to log in before you can comment on or make changes to this bug.