Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Mon, 24 Aug 2015 12:44:13 -0700
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com, Assign a CVE Identifier <cve-assign@...re.org>
Subject: Re: CVE request: uglify-js node.js module <2.4.24 incorrectly handles non-boolean comparisons during minification

This also affects the uglifier ruby gem as well, which is a "Ruby wrapper
for UglifyJS JavaScript compressor."

https://github.com/lautis/uglifier

No fixed version released yet, but I submitted a PR to fix in
https://github.com/lautis/uglifier/pull/86.

~reed

On Mon, Aug 24, 2015 at 11:26 AM, Reed Loden <reed@...dloden.com> wrote:

> As seen on Hacker News --
> https://zyan.scripts.mit.edu/blog/backdooring-js/
>
> Blog post has all the details, but basically the UglifyJS node module has
> a problem where the combination of De Morgan’s Law and non-boolean values
> can lead to a case where code is incorrectly minified, which can lead to
> possibly malicious minified JS code.
>
> UglifyJS is a "JavaScript parser / mangler / compressor / beautifier
> toolkit" for Node.js.
>
> Node.js module: uglify-js (https://www.npmjs.com/package/uglify-js)
> Affects: 2.4.23 and earlier
> Fixed in: 2.4.24
> Reported via https://github.com/mishoo/UglifyJS2/issues/751
> Fixed by
> https://github.com/mishoo/UglifyJS2/commit/905b6011784ca60d41919ac1a499962b7c1d4b02
>
> Can a CVE be assigned?
>
> Thanks,
> ~reed
>

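The quoted report describes the bug class only in outline: a boolean-algebra rewrite that is sound when the operands are booleans but miscompiles code whose operands are arbitrary JavaScript values. The following is an added example written for this page; it is not code from the thread, the blog post, UglifyJS or the uglifier gem. The De Morgan pair is shown because it is sound for every value, and the negation-stripping pair (`!a == !b` rewritten to `a == b`) is assumed here as a representative unsound rewrite of the kind the thread refers to; the exact transformation that was changed is in the linked issue and commit. The differential check at the end is the kind of test a build pipeline can run against a minifier's output to catch such a miscompilation.

```javascript
// Added example (not from the oss-security thread or UglifyJS itself): a sound
// rewrite, an unsound rewrite, and a differential check that tells them apart.

// Constructed sample values of mixed types. The interesting cases are distinct
// non-boolean values that collapse to the same boolean under `!`.
const SAMPLE_VALUES = [true, false, 0, 1, 2, "", "a", "b", null, undefined, NaN, [], {}];

// De Morgan on truthiness is sound for every JS value: `&&`, `||` and `!` all
// coerce through ToBoolean consistently, so the two forms agree everywhere.
function deMorganOriginal(a, b) { return !a && !b; }
function deMorganRewritten(a, b) { return !(a || b); }

// Stripping `!` from both sides of an equality is NOT sound in general:
// `!a == !b` compares two booleans, `a == b` compares the raw values.
// (Assumed illustration of the bug class, not a quote of the minifier source.)
function negatedCompareOriginal(a, b) { return !a == !b; }
function negatedCompareRewritten(a, b) { return a == b; }

// Differential check: evaluate two predicates over the cartesian product of the
// sample values and collect the inputs on which they disagree. An empty result
// means the rewrite is sound on that value set.
function findMismatches(original, rewritten, values = SAMPLE_VALUES) {
  const mismatches = [];
  for (const a of values) {
    for (const b of values) {
      if (original(a, b) !== rewritten(a, b)) {
        mismatches.push([a, b]);
      }
    }
  }
  return mismatches;
}

// Report a rewrite as "safe for booleans only" when it is sound on {true, false}
// but has mismatches on the wider value set. That is the distinction a compressor
// must make before applying such a rewrite.
function classifyRewrite(original, rewritten) {
  const onBooleans = findMismatches(original, rewritten, [true, false]).length;
  const onAnyValue = findMismatches(original, rewritten).length;
  if (onBooleans > 0) return "unsound";
  return onAnyValue > 0 ? "sound for booleans only" : "sound";
}

// Stand-alone run: prints the classification and a few offending inputs.
console.log("De Morgan:", classifyRewrite(deMorganOriginal, deMorganRewritten));
console.log("strip-negation:", classifyRewrite(negatedCompareOriginal, negatedCompareRewritten));
for (const [a, b] of findMismatches(negatedCompareOriginal, negatedCompareRewritten).slice(0, 5)) {
  console.log(`  !${String(a)} == !${String(b)} -> ${negatedCompareOriginal(a, b)}, but ${String(a)} == ${String(b)} -> ${negatedCompareRewritten(a, b)}`);
}
```

Run it with `node` on any supported version; the mismatch list is the evidence a reviewer would want before trusting a minified bundle, since the source and the compressed output disagree on inputs such as `1` and `2` even though both are "valid" in the boolean-only reading the rewrite assumed.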