uglify -c changes behavior of mdast code #751

Closed
tmcw opened this Issue Jul 21, 2015 · 8 comments


@tmcw
tmcw commented Jul 21, 2015

I've created a repo to reproduce this bug: https://github.com/tmcw/mdast-uglify-bug

For the mdast markdown library, the source succeeds when not uglified, and then, passed through uglify -c, its behavior changes and it breaks.

I'm trying to dig through the source, passed through uglify -c and then uglify -b, in order to track down the cause. It's quite a doozy.

@tmcw tmcw referenced this issue in wooorm/remark Jul 21, 2015
Closed

uglify breaks mdast #41

@wooorm
wooorm commented Jul 22, 2015

I fixed this in mdast (syntax-tree/mdast@1a4fc46), but I’m not sure that this was really my error.

It was basically a long list of logical AND-operators, followed by an expression which I needed the value of (rules[name].exec(value)). For some reason I did not get that value, but true.

@mishoo
Owner
mishoo commented Jul 22, 2015

This looks like a bug. Thanks for the test repo, it helped isolate the problem. The simplest test case appears to be:

```js
match = !x &&
    (!z || c) &&
    (!k || d) &&
    the_stuff();
```

compresses to:

```js
match = !(x || z && !c || k && !d || !the_stuff());
```

which obviously loses the value returned from the_stuff(). Will investigate as soon as I can.
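The two forms quoted above differ only when every guard passes and `the_stuff()` returns something other than a boolean: the original yields that value, the compressed rewrite yields `!!value`. The script below is an added example, not code from the issue or from UglifyJS; it transcribes both expressions into functions and runs a differential check over every guard combination and a few constructed return values, which is the kind of semantic-equivalence test a build pipeline can run on minified output. The `the_stuff` stand-ins and the sample return values are assumptions made for the example.

```javascript
// Added example: differential check of the reduced test case from this issue.
// Neither function is UglifyJS code; they are the input and output expressions
// quoted in the issue, wrapped so both can be evaluated on the same inputs.

// The expression as written in the source.
function original(x, z, c, k, d, the_stuff) {
  return !x && (!z || c) && (!k || d) && the_stuff();
}

// What `uglify -c` produced for it before the fix (as quoted in the issue).
// The outer `!(...)` forces a boolean result, so the value of the_stuff() is lost.
function compressed(x, z, c, k, d, the_stuff) {
  return !(x || z && !c || k && !d || !the_stuff());
}

// Enumerate every combination of the boolean guards and several constructed
// return values for the_stuff(), and record each input where the two forms
// do not produce the identical value.
function findDivergences() {
  const bools = [false, true];
  // Constructed sample return values: a regex-style matcher would return a
  // match array or null, and callers may read properties off the result.
  const returns = [null, 0, 1, "match", ["hello", "h"]];
  const divergences = [];
  for (const x of bools)
    for (const z of bools)
      for (const c of bools)
        for (const k of bools)
          for (const d of bools)
            for (const r of returns) {
              const a = original(x, z, c, k, d, () => r);
              const b = compressed(x, z, c, k, d, () => r);
              if (!Object.is(a, b)) divergences.push({ x, z, c, k, d, r, a, b });
            }
  return divergences;
}

// True when every divergence still agrees on truthiness. That is exactly why
// a test that only does `if (match)` would pass while `match[1]` breaks.
function truthinessPreserved(divergences) {
  return divergences.every((v) => Boolean(v.a) === Boolean(v.b));
}

// Usage: node check.js
const report = findDivergences();
console.log(`${report.length} input combinations change value after compression`);
console.log(`truthiness preserved in all of them: ${truthinessPreserved(report)}`);
```

The check reports 45 diverging inputs: the nine guard combinations that reach `the_stuff()` times the five sample return values. In every one of them the compressed form returns a boolean while the original returns the callee's value, and the truthiness always agrees, which is why the breakage only surfaces once code indexes into the supposed match result, as mdast's `rules[name].exec(value)` did.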

@mishoo mishoo closed this in 905b601 Jul 22, 2015
@mishoo
Owner
mishoo commented Jul 22, 2015

Fix pushed.

@tmcw
tmcw commented Jul 22, 2015

👍 awesome, thank you!

@mishoo
Owner
mishoo commented Jul 22, 2015

I also published v2.4.24 to npm, since the issue appears to be pretty serious.

@reedloden reedloden referenced this issue in webpack/webpack Aug 24, 2015
Merged

Update uglify-js dependency to v2.4.24 #1388

@reedloden

Requested a CVE assignment in http://seclists.org/oss-sec/2015/q3/351

@diracdeltas

I'm the author of the blog post @reedloden linked above - just wanted to clarify a couple things:

  1. I haven't found exploits in the wild for this bug.
  2. The PoCs described in the blog post don't work with the current release of UglifyJS2. (Excellent job getting things fixed quickly, @mishoo!)
  3. I suspect that it's not uncommon for minifiers, transpilers, and other js processors to accidentally change return values, which of course can lead to security problems.

@reedloden reedloden added a commit to reedloden/jquery that referenced this issue Aug 24, 2015
@reedloden reedloden Build: Update grunt-contrib-uglify for security issue in uglify-js
Update grunt-contrib-uglify dependency to v0.9.2 in order to
fix security issue fixed in uglify-js v2.4.24.

mishoo/UglifyJS2#751
https://zyan.scripts.mit.edu/blog/backdooring-js/
7b1ae0c
@reedloden reedloden added a commit to reedloden/jquery that referenced this issue Aug 24, 2015
@reedloden reedloden Build: Update grunt-contrib-uglify for security issue in uglify-js
Update grunt-contrib-uglify dependency to v0.9.2 in order to
fix security issue fixed in uglify-js v2.4.24.

mishoo/UglifyJS2#751
https://zyan.scripts.mit.edu/blog/backdooring-js/
63c32d3
@reedloden reedloden referenced this issue in lautis/uglifier Aug 24, 2015
Merged

Update UglifyJS to 2.4.24 #86

@rvanvelzen
Collaborator

> I suspect that it's not uncommon

Definitely. Most of the stuff that can bite you is behind --unsafe, but there's probably more to be found.

@graysonwright graysonwright added a commit to thoughtbot/administrate that referenced this issue Aug 27, 2015
@graysonwright graysonwright Update `uglifier` to improve security
Based on the recommendations of [bundler-audit]:

```
ruby-advisory-db: 227 advisories
Name: uglifier
Version: 2.7.0
Advisory: OSVDB-126747
Criticality: Unknown
URL: mishoo/UglifyJS2#751
Title: uglifier incorrectly handles non-boolean comparisons during
minification
Solution: upgrade to >= 2.7.2

Unpatched versions found!
```

[bundler-audit]: https://rubygems.org/gems/bundler-audit
12b65c8
@elliotcm elliotcm added a commit to alphagov/trade-tariff-frontend that referenced this issue Sep 2, 2015
@elliotcm elliotcm Upgrade uglifier.
Resolves advisory 126747
mishoo/UglifyJS2#751
7b015ba
@mgol mgol added a commit to jquery/jquery that referenced this issue Sep 7, 2015
@reedloden @mgol reedloden + mgol Build: Update grunt-contrib-uglify because of a security issue in uglify
Update grunt-contrib-uglify dependency to v0.9.2 in order to
avoid a security issue fixed in uglify-js v2.4.24.

mishoo/UglifyJS2#751
https://zyan.scripts.mit.edu/blog/backdooring-js/

Closes gh-2556
835e921
@mgol mgol added a commit to jquery/jquery that referenced this issue Sep 7, 2015
@reedloden @mgol reedloden + mgol Build: Update grunt-contrib-uglify because of a security issue in uglify
Update grunt-contrib-uglify dependency to v0.9.2 in order to
avoid a security issue fixed in uglify-js v2.4.24.

mishoo/UglifyJS2#751
https://zyan.scripts.mit.edu/blog/backdooring-js/

(cherry-picked from 835e921)

Closes gh-2556
2da0cca
@akestner akestner added a commit to projecthire/pyrite that referenced this issue Sep 8, 2015
@akestner akestner updated uglifier to version 2.7.2 in response to:
```
Name: uglifier
Version: 2.7.1
Advisory: 126747
Criticality: Unknown
URL: mishoo/UglifyJS2#751
Title: uglifier incorrectly handles non-boolean comparisons during minification
Solution: upgrade to >= 2.7.2
```
f61426a
@graysonwright graysonwright added a commit to sfbrigade/sf-openreferral that referenced this issue Sep 10, 2015
@graysonwright graysonwright Update Uglifier for security patch
Problem:

[bundler-audit] returned this security warning:

```
Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
 Already up-to-date.
 ruby-advisory-db: 230 advisories
 Name: uglifier
 Version: 2.7.1
 Advisory: OSVDB-126747
 Criticality: Unknown
 URL: mishoo/UglifyJS2#751
 Title: uglifier incorrectly handles non-boolean comparisons during
 minification
 Solution: upgrade to >= 2.7.2

 Unpatched versions found!
```

[bundler-audit]: https://github.com/rubysec/bundler-audit

Solution: Upgrade `bundle update uglifier`
05f0429
@dylangrafmyre dylangrafmyre added a commit to shakacode/react_on_rails that referenced this issue Sep 15, 2015
@dylangrafmyre dylangrafmyre Address security alert for gem uglifier 0972af7
@dylangrafmyre dylangrafmyre referenced this issue in shakacode/react_on_rails Sep 15, 2015
Merged

Address security alert for gem uglifier #25

@supertinou supertinou added a commit to supertinou/livequiz that referenced this issue Sep 16, 2015
@supertinou supertinou Update to uglifier 2.7.1 to prevent mishoo/UglifyJS2#751 11dc4ee
@boffbowsh boffbowsh added a commit to alphagov/trade-tariff-admin that referenced this issue Sep 29, 2015
@boffbowsh boffbowsh Security bump for uglifier 1772b5c
@boffbowsh boffbowsh added a commit to alphagov/publisher that referenced this issue Sep 29, 2015
@boffbowsh boffbowsh Security update to uglifier 5618e24
@randx randx added a commit to gitlabhq/gitlabhq that referenced this issue Oct 15, 2015
@randx randx Merge branch 'rs-update-uglifier' into 'master'
Update uglifier to ~> 2.7.2

Fixes a security vulnerability:

- lautis/uglifier#86
- mishoo/UglifyJS2#751
- https://zyan.scripts.mit.edu/blog/backdooring-js/

See merge request !1590
fb77856
@JuanitoFatas JuanitoFatas added a commit to JuanitoFatas/hound that referenced this issue Oct 21, 2015
@JuanitoFatas JuanitoFatas Upgrade Rubygems according to bundler-audit
$ bundle-audit
Insecure Source URI found: git://github.com/octokit/octokit.rb.git
Name: jquery-rails
Version: 3.1.1
Advisory: CVE-2015-1840
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
Title: CSRF Vulnerability in jquery-rails
Solution: upgrade to >= 4.0.4, ~> 3.1.3

Name: rest-client
Version: 1.7.2
Advisory: CVE-2015-1820
Criticality: Unknown
URL: rest-client/rest-client#369
Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses
Solution: upgrade to >= 1.8.0

Name: rest-client
Version: 1.7.2
Advisory: CVE-2015-3448
Criticality: Unknown
URL: http://www.osvdb.org/show/osvdb/117461
Title: Rest-Client Gem for Ruby logs password information in plaintext
Solution: upgrade to >= 1.7.3

Name: sentry-raven
Version: 0.9.4
Advisory: CVE-2014-9490
Criticality: Medium
URL: http://osvdb.org/show/osvdb/115654
Title: sentry-raven Gem for Ruby contains a flaw that can result in a denial of service
Solution: upgrade to >= 0.12.2

Name: uglifier
Version: 2.5.3
Advisory: 126747
Criticality: Unknown
URL: mishoo/UglifyJS2#751
Title: uglifier incorrectly handles non-boolean comparisons during minification
Solution: upgrade to >= 2.7.2

Vulnerabilities found!
14f8947
@AdrianCann AdrianCann added a commit to sophomoric/secret that referenced this issue Nov 1, 2015
@AdrianCann AdrianCann Update uglifier
Travis build bundle audit alerted me to this issue:
mishoo/UglifyJS2#751
1ac0255
@AdrianCann AdrianCann added a commit to sophomoric/secret that referenced this issue Nov 1, 2015
@AdrianCann AdrianCann Use Travis CI and github integration
- Free for public repositories
- Need to set secret key base (copy travis specific file)
- Also copying a database.yml file so that local credentials can be
  different
- Needed to Update uglifier
  * Travis build bundle audit alerted me to this issue:
  * mishoo/UglifyJS2#751
- Could leave off the rvm ruby version and let it use the
  `.ruby-version` file, but this is a beta feature (warning printed)
2531412
@sgerrand sgerrand added a commit to sgerrand/boxen-web that referenced this issue Nov 21, 2015
@sgerrand sgerrand Update uglifier gem and dependencies to v2.7.2
Uglifier prior to version 2.7.2 has a known vulnerability:

> There's a vulnerability which allows a specially crafted Javascript file to
> have altered functionality after minification. This bug was demonstrated to
> allow potentially malicious code to be hidden within secure code, activated by
> minification. Affected versions erroneously minify boolean expressions.

Sources:
* lautis/uglifier#86
* https://zyan.scripts.mit.edu/blog/backdooring-js/
* https://nodesecurity.io/advisories/uglifyjs_incorrectly_handles_non-boolean_comparisons
* mishoo/UglifyJS2#751
9878ef6
@sgerrand sgerrand added a commit to sgerrand/boxen-web that referenced this issue Nov 21, 2015
@sgerrand sgerrand Update uglifier gem and dependencies to v2.7.2
Uglifier prior to version 2.7.2 has a known vulnerability:

> There's a vulnerability which allows a specially crafted Javascript file to
> have altered functionality after minification. This bug was demonstrated to
> allow potentially malicious code to be hidden within secure code, activated by
> minification. Affected versions erroneously minify boolean expressions.

Sources:
* lautis/uglifier#86
* https://zyan.scripts.mit.edu/blog/backdooring-js/
* https://nodesecurity.io/advisories/uglifyjs_incorrectly_handles_non-boolean_comparisons
* mishoo/UglifyJS2#751
f94d099
@awsmsrc awsmsrc referenced this issue in awsmsrc/sample_app_rails_4 Dec 7, 2015
Closed

Fixie: Security issues found in your Gemfile #4

@awsmsrc awsmsrc referenced this issue in awsmsrc/sample_app_rails_4 Dec 7, 2015
Closed

Fixie: Security issues found in your Gemfile #5

@awsmsrc awsmsrc referenced this issue in awsmsrc/sample_app_rails_4 Dec 7, 2015
Closed

Fixie: Security issues found in your Gemfile #6

@awsmsrc awsmsrc referenced this issue in awsmsrc/sample_app_rails_4 Dec 7, 2015
Closed

Fixie: Security issues found in your Gemfile #7

@awsmsrc awsmsrc referenced this issue in awsmsrc/sample_app_rails_4 Dec 7, 2015
Closed

Fixie: Security issues found in your Gemfile #8

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Dec 16, 2015
Closed

11 security vulnerabilties #9

@pushbit-bot pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Dec 16, 2015
Closed

11 security vulnerabilties #10

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Dec 16, 2015
Closed

12 security vulnerabilties #15

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Dec 17, 2015
Closed

9 security vulnerabilties #19

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Dec 17, 2015
Closed

9 security vulnerabilties #25

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Dec 17, 2015
Closed

9 security vulnerabilties #28

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Dec 17, 2015
Closed

9 security vulnerabilties #31

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Dec 18, 2015
Closed

9 security vulnerabilties #34

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Dec 18, 2015
Closed

9 security vulnerabilties #35

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Dec 18, 2015
Closed

9 security vulnerabilties #36

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Dec 18, 2015
Closed

9 security vulnerabilties #38

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Dec 18, 2015
Closed

9 security vulnerabilties #44

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Dec 20, 2015
Closed

10 security vulnerabilties #49

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Dec 20, 2015
Closed

10 security vulnerabilties #50

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Dec 20, 2015
Closed

10 security vulnerabilties #53

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Dec 30, 2015
Closed

10 security vulnerabilties #54

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Dec 30, 2015
Closed

10 security vulnerabilties #55

@pushbit-bot pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Jan 2, 2016
Closed

10 security vulnerabilties #56

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Jan 3, 2016
Closed

9 security vulnerabilties #57

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Jan 5, 2016
Closed

9 security vulnerabilties #58

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Jan 5, 2016
Closed

9 security vulnerabilties #62

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Jan 5, 2016
Open

9 security vulnerabilties #63

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Jan 5, 2016
Open

9 security vulnerabilties #64

@dev-pushbit-bot dev-pushbit-bot referenced this issue in awsmsrc/sample_app_rails_4 Jan 5, 2016
Open

9 security vulnerabilties #66

@MatMoore MatMoore added a commit to alphagov/search-admin that referenced this issue Jan 26, 2016
@MatMoore MatMoore Update rails/uglifier versions for security fixes
Rails:

- CVE-2015-7576
- CVE-2015-7577
- CVE-2015-7578
- CVE-2015-7579
- CVE-2015-7581
- CVE-2016-0751
- CVE-2016-0752
- CVE-2016-0753

Uglifier:

    Name: uglifier
    Version: 2.7.1
    Advisory: 126747
    Criticality: Unknown
    URL: mishoo/UglifyJS2#751
    Title: uglifier incorrectly handles non-boolean comparisons during minification
    Solution: upgrade to >= 2.7.2
6af9da6
@MatMoore MatMoore added a commit to alphagov/search-admin that referenced this issue Jan 26, 2016
@MatMoore MatMoore Update rails/uglifier versions for security fixes
Rails:

- CVE-2015-7576
- CVE-2015-7577
- CVE-2015-7578
- CVE-2015-7579
- CVE-2015-7581
- CVE-2016-0751
- CVE-2016-0752
- CVE-2016-0753

Uglifier:

    Name: uglifier
    Version: 2.7.1
    Advisory: 126747
    Criticality: Unknown
    URL: mishoo/UglifyJS2#751
    Title: uglifier incorrectly handles non-boolean comparisons during minification
    Solution: upgrade to >= 2.7.2
5719cba
@MatMoore MatMoore added a commit to alphagov/search-admin that referenced this issue Jan 26, 2016
@MatMoore MatMoore Update rails/uglifier versions for security fixes
Rails:

- CVE-2015-7576
- CVE-2015-7577
- CVE-2015-7578
- CVE-2015-7579
- CVE-2015-7581
- CVE-2016-0751
- CVE-2016-0752
- CVE-2016-0753

Uglifier:

    Name: uglifier
    Version: 2.7.1
    Advisory: 126747
    Criticality: Unknown
    URL: mishoo/UglifyJS2#751
    Title: uglifier incorrectly handles non-boolean comparisons during minification
    Solution: upgrade to >= 2.7.2
9b748fb
@CloCkWeRX CloCkWeRX added a commit to CloCkWeRX/growstuff that referenced this issue Mar 28, 2016
@CloCkWeRX CloCkWeRX Name: uglifier
Version: 2.5.3
Advisory: 126747
Criticality: Unknown
URL: mishoo/UglifyJS2#751
Title: uglifier incorrectly handles non-boolean comparisons during minification
Solution: upgrade to >= 2.7.2
03ae327
@CloCkWeRX CloCkWeRX added a commit to CloCkWeRX/growstuff that referenced this issue Mar 28, 2016
@CloCkWeRX CloCkWeRX Name: uglifier
Version: 2.5.3
Advisory: 126747
Criticality: Unknown
URL: mishoo/UglifyJS2#751
Title: uglifier incorrectly handles non-boolean comparisons during minification
Solution: upgrade to >= 2.7.2
3748f95
@CloCkWeRX CloCkWeRX added a commit to CloCkWeRX/planningalerts-app that referenced this issue Apr 2, 2016
@CloCkWeRX CloCkWeRX Upgrade uglifier
Name: uglifier
Version: 1.3.0
Advisory: 126747
Criticality: Unknown
URL: mishoo/UglifyJS2#751
Title: uglifier incorrectly handles non-boolean comparisons during minification
Solution: upgrade to >= 2.7.2
72d8bd6
@SuriyaaKudoIsc SuriyaaKudoIsc referenced this issue in bunto/bunto-assets Apr 9, 2016
Closed

OSVDB-126747 in uglifier #2

@sophiedeziel sophiedeziel added a commit to railsbridge-montreal/railsbridge-montreal-website that referenced this issue Jul 29, 2016
@steakunderscore @sophiedeziel steakunderscore + sophiedeziel Security updates (#108)
* Upgrade jquery-rails gem for security patch

> Name: jquery-rails
> Version: 3.1.1
> Advisory: CVE-2015-1840
> Criticality: Medium
> URL:
> https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
> Title: CSRF Vulnerability in jquery-rails
> Solution: upgrade to >= 4.0.4, ~> 3.1.3

* Upgrade sass-rails & sprockets gems for security patches

> Name: sprockets
> Version: 2.11.0
> Advisory: CVE-2014-7819
> Criticality: Medium
> URL:
> https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY
> Title: Arbitrary file existence disclosure in Sprockets
> Solution: upgrade to ~> 2.0.5, ~> 2.1.4, ~> 2.2.3, ~> 2.3.3, ~> 2.4.6,
>   ~> 2.5.1, ~> 2.7.1, ~> 2.8.3, ~> 2.9.4, ~> 2.10.2, ~> 2.11.3, ~>
>   2.12.3, >= 3.0.0.beta.3

* Upgrade uglifier gem for security patch

> Name: uglifier
> Version: 2.5.1
> Advisory: 126747
> Criticality: Unknown
> URL: mishoo/UglifyJS2#751
> Title: uglifier incorrectly handles non-boolean comparisons during
> minification
> Solution: upgrade to >= 2.7.2
a7e4a52
@CloCkWeRX CloCkWeRX added a commit to CloCkWeRX/OpenFarm that referenced this issue Sep 14, 2016
@CloCkWeRX CloCkWeRX Name: uglifier
Version: 2.7.0
Advisory: 126747
Criticality: Unknown
URL: mishoo/UglifyJS2#751
Title: uglifier incorrectly handles non-boolean comparisons during minification
Solution: upgrade to >= 2.7.2
bf4b636
@TanSA05 TanSA05 added a commit to TanSA05/OpenFarm that referenced this issue Sep 29, 2016
@CloCkWeRX @TanSA05 CloCkWeRX + TanSA05 Name: uglifier
Version: 2.7.0
Advisory: 126747
Criticality: Unknown
URL: mishoo/UglifyJS2#751
Title: uglifier incorrectly handles non-boolean comparisons during minification
Solution: upgrade to >= 2.7.2
4a0fef2