Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CALPTtNXiS0jqswCaH2z59oAAsOmAWZBaKcGEtOc8cGGUM9yd=Q@mail.gmail.com>
Date: Mon, 24 Aug 2015 11:26:15 -0700
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com, 
	Assign a CVE Identifier <cve-assign@...re.org>
Subject: CVE request: uglify-js node.js module <2.4.24 incorrectly handles
 non-boolean comparisons during minification

As seen on Hacker News -- https://zyan.scripts.mit.edu/blog/backdooring-js/

Blog post has all the details, but basically the UglifyJS node module has a
problem where the combination of De Morgan’s Law and non-boolean values can
lead to a case where code is incorrectly minified, which can lead to
possibly malicious minified JS code.

UglifyJS is a "JavaScript parser / mangler / compressor / beautifier
toolkit" for Node.js.

Node.js module: uglify-js (https://www.npmjs.com/package/uglify-js)
Affects: 2.4.23 and earlier
Fixed in: 2.4.24
Reported via https://github.com/mishoo/UglifyJS2/issues/751
Fixed by
https://github.com/mishoo/UglifyJS2/commit/905b6011784ca60d41919ac1a499962b7c1d4b02

Can a CVE be assigned?

Thanks,
~reed

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.