oss-sec mailing list archives

CVE request: uglify-js node.js module <2.4.24 incorrectly handles non-boolean comparisons during minification

From: Reed Loden <reed () reedloden com>
Date: Mon, 24 Aug 2015 11:26:15 -0700

As seen on Hacker News -- https://zyan.scripts.mit.edu/blog/backdooring-js/

Blog post has all the details, but basically the UglifyJS node module has a
problem where the combination of De Morgan’s Law and non-boolean values can
lead to a case where code is incorrectly minified, which can lead to
possibly malicious minified JS code.

UglifyJS is a "JavaScript parser / mangler / compressor / beautifier
toolkit" for Node.js.

Node.js module: uglify-js (https://www.npmjs.com/package/uglify-js)
Affects: 2.4.23 and earlier
Fixed in: 2.4.24
Reported via https://github.com/mishoo/UglifyJS2/issues/751
Fixed by
https://github.com/mishoo/UglifyJS2/commit/905b6011784ca60d41919ac1a499962b7c1d4b02

Can a CVE be assigned?

Thanks,
~reed

Current thread:

CVE request: uglify-js node.js module <2.4.24 incorrectly handles non-boolean comparisons during minification Reed Loden (Aug 24)
- Re: CVE request: uglify-js node.js module <2.4.24 incorrectly handles non-boolean comparisons during minification Reed Loden (Aug 24)
- Re: CVE request: uglify-js node.js module <2.4.24 incorrectly handles non-boolean comparisons during minification Florian Weimer (Aug 24)
  - Re: CVE request: uglify-js node.js module <2.4.24 incorrectly handles non-boolean comparisons during minification Reed Loden (Aug 24)