Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 24 Aug 2015 11:26:15 -0700
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com, 
	Assign a CVE Identifier <cve-assign@...re.org>
Subject: CVE request: uglify-js node.js module <2.4.24 incorrectly handles
 non-boolean comparisons during minification

As seen on Hacker News -- https://zyan.scripts.mit.edu/blog/backdooring-js/

Blog post has all the details, but basically the UglifyJS node module has a
problem where the combination of De Morgan’s Law and non-boolean values can
lead to a case where code is incorrectly minified, which can lead to
possibly malicious minified JS code.

UglifyJS is a "JavaScript parser / mangler / compressor / beautifier
toolkit" for Node.js.

Node.js module: uglify-js (https://www.npmjs.com/package/uglify-js)
Affects: 2.4.23 and earlier
Fixed in: 2.4.24
Reported via https://github.com/mishoo/UglifyJS2/issues/751
Fixed by
https://github.com/mishoo/UglifyJS2/commit/905b6011784ca60d41919ac1a499962b7c1d4b02

Can a CVE be assigned?

Thanks,
~reed

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ