oss-sec mailing list archives
Re: CVE request: uglify-js node.js module <2.4.24 incorrectly handles non-boolean comparisons during minification
From: Reed Loden <reed () reedloden com>
Date: Mon, 24 Aug 2015 12:44:13 -0700
This also affects the uglifier ruby gem, which is a "Ruby wrapper for UglifyJS JavaScript compressor." https://github.com/lautis/uglifier

No fixed version released yet, but I submitted a PR to fix in https://github.com/lautis/uglifier/pull/86.

~reed

On Mon, Aug 24, 2015 at 11:26 AM, Reed Loden <reed () reedloden com> wrote:
> As seen on Hacker News -- https://zyan.scripts.mit.edu/blog/backdooring-js/
>
> Blog post has all the details, but basically the UglifyJS node module has a problem where the combination of De Morgan's Law and non-boolean values can lead to a case where code is incorrectly minified, which can lead to possibly malicious minified JS code.
>
> UglifyJS is a "JavaScript parser / mangler / compressor / beautifier toolkit" for Node.js.
>
> Node.js module: uglify-js (https://www.npmjs.com/package/uglify-js)
> Affects: 2.4.23 and earlier
> Fixed in: 2.4.24
>
> Reported via https://github.com/mishoo/UglifyJS2/issues/751
> Fixed by https://github.com/mishoo/UglifyJS2/commit/905b6011784ca60d41919ac1a499962b7c1d4b02
>
> Can a CVE be assigned?
>
> Thanks,
> ~reed
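The class of miscompilation the thread describes, as an added example that is not from this thread or from UglifyJS: a hypothetical optimizer rewrite that applies De Morgan's law and then folds `!!b` to `b`, which preserves truthiness (so it passes in an `if` condition) but not the actual value when `b` is not a boolean, together with a differential check over non-boolean inputs that a maintainer could use to catch such rewrites. The exact transform in the affected versions is not reproduced here; the `original`/`rewritten` pair and the sample inputs are constructed for illustration.

```javascript
// Added example (not from the advisory or the UglifyJS project): a
// differential check for the bug class described in the thread. A naive
// "boolean" simplifier applies De Morgan's law and folds !!x to x, which
// keeps truthiness but not the returned value when x is not a boolean.

// Original expression as written by the developer: !(a && !b)
function original(a, b) {
  return !(a && !b);
}

// A rewrite a buggy optimizer could emit: push the negation inward
// (De Morgan gives !a || !!b), then fold !!b to b. Fine inside an if()
// condition, wrong whenever the result is used as a value (returned,
// assigned, or compared with ===).
function rewritten(a, b) {
  return !a || b;
}

// Constructed inputs: booleans plus non-boolean truthy and falsy values.
const SAMPLES = [true, false, 0, 1, 2, "", "x", null, undefined, NaN, [], {}];

// Compare f and g over every pair of inputs. Returns the pairs where the
// results differ (Object.is so NaN and -0 are compared correctly). An
// empty list means the rewrite is safe in value context for these inputs.
function findDivergences(f, g, samples = SAMPLES) {
  const bad = [];
  for (const a of samples) {
    for (const b of samples) {
      const x = f(a, b);
      const y = g(a, b);
      if (!Object.is(x, y)) bad.push({ a, b, expected: x, got: y });
    }
  }
  return bad;
}

// The same check restricted to truthiness. This one passes, which is why
// boolean-only test suites miss the bug.
function truthinessDivergences(f, g, samples = SAMPLES) {
  return findDivergences((a, b) => !!f(a, b), (a, b) => !!g(a, b), samples);
}

if (typeof require !== "undefined" && require.main === module) {
  const d = findDivergences(original, rewritten);
  console.log(`${d.length} value-context divergences, first:`, d[0]);
  console.log(`${truthinessDivergences(original, rewritten).length} truthiness divergences`);
}
```

With the sample set above, every truthy `a` paired with a non-boolean `b` diverges (for example `original(true, 2)` is `true` while `rewritten(true, 2)` is `2`), while no pair diverges under truthiness.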