
Bug#850214: jessie-pu: package jq/1.4-2.2



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

In order to fix two CVEs deemed not important enough for DSAs, I have prepared
a new version of jq (1.4-2.2) for p-u.  The debdiff against the version in stable is
attached.

I can upload to s-p-u if the debdiff looks good to you.

diff -Nru jq-1.4/debian/changelog jq-1.4/debian/changelog
--- jq-1.4/debian/changelog	2014-07-21 02:53:57.000000000 -0400
+++ jq-1.4/debian/changelog	2017-01-05 00:26:08.000000000 -0500
@@ -1,3 +1,11 @@
+jq (1.4-2.2) jessie; urgency=high
+
+  * Non-maintainer upload.
+  * Add patch to fix CVE-2015-8863. (Closes: #802231)
+  * Add patch to fix CVE-2016-4074. (Closes: #822456)
+
+ -- Harlan Lieberman-Berg <hlieberman@debian.org>  Thu, 05 Jan 2017 00:26:08 -0500
+
 jq (1.4-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru jq-1.4/debian/patches/heap-buffer-overflow.patch jq-1.4/debian/patches/heap-buffer-overflow.patch
--- jq-1.4/debian/patches/heap-buffer-overflow.patch	1969-12-31 19:00:00.000000000 -0500
+++ jq-1.4/debian/patches/heap-buffer-overflow.patch	2017-01-05 00:26:08.000000000 -0500
@@ -0,0 +1,32 @@
+From 8eb1367ca44e772963e704a700ef72ae2e12babd Mon Sep 17 00:00:00 2001
+From: Nicolas Williams <nico@cryptonector.com>
+Date: Sat, 24 Oct 2015 17:24:57 -0500
+Subject: [PATCH] Heap buffer overflow in tokenadd() (fix #105)
+
+This was an off-by one: the NUL terminator byte was not allocated on
+resize.  This was triggered by JSON-encoded numbers longer than 256
+bytes.
+---
+ src/jv_parse.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/jv_parse.c
++++ b/jv_parse.c
+@@ -172,7 +172,7 @@
+ 
+ static void tokenadd(struct jv_parser* p, char c) {
+   assert(p->tokenpos <= p->tokenlen);
+-  if (p->tokenpos == p->tokenlen) {
++  if (p->tokenpos >= (p->tokenlen - 1)) {
+     p->tokenlen = p->tokenlen*2 + 256;
+     p->tokenbuf = jv_mem_realloc(p->tokenbuf, p->tokenlen);
+   }
+@@ -271,7 +271,7 @@
+     TRY(value(p, v));
+   } else {
+     // FIXME: better parser
+-    p->tokenbuf[p->tokenpos] = 0; // FIXME: invalid
++    p->tokenbuf[p->tokenpos] = 0;
+     char* end = 0;
+     double d = jvp_strtod(&p->dtoa, p->tokenbuf, &end);
+     if (end == 0 || *end != 0)
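Review bot: The new guard `if (p->tokenpos >= (p->tokenlen - 1))` reserves the one byte that the second hunk then writes with `p->tokenbuf[p->tokenpos] = 0;`, but nothing in the code records that invariant, so a later edit could restore `==` and reintroduce the overflow; a comment above the check such as `// keep one slot free: the number path NUL-terminates tokenbuf in place` would pin it. The guard also depends on `p->tokenlen - 1` evaluating to -1 on the very first call (`tokenlen == 0`, `tokenbuf` not yet allocated), which presumably holds only if `tokenlen` is a signed type — the struct definition is outside this hunk, so that is worth confirming. The growth expression `p->tokenlen*2 + 256` remains unchecked for integer overflow, as it was before the patch; it is unchanged behaviour rather than a regression, but a bound on token length would close it. tokenadd() and the enclosing number-parsing function both continue outside the hunk.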
diff -Nru jq-1.4/debian/patches/series jq-1.4/debian/patches/series
--- jq-1.4/debian/patches/series	2014-07-21 02:34:21.000000000 -0400
+++ jq-1.4/debian/patches/series	2017-01-05 00:26:08.000000000 -0500
@@ -4,3 +4,5 @@
 patch-version-into-build.patch
 disable-shared-lib.patch
 big-endian-fix.patch
+stack-exhaustion.patch
+heap-buffer-overflow.patch
diff -Nru jq-1.4/debian/patches/stack-exhaustion.patch jq-1.4/debian/patches/stack-exhaustion.patch
--- jq-1.4/debian/patches/stack-exhaustion.patch	1969-12-31 19:00:00.000000000 -0500
+++ jq-1.4/debian/patches/stack-exhaustion.patch	2017-01-05 00:26:08.000000000 -0500
@@ -0,0 +1,62 @@
+From 2d38a12d686a5156d4e7afb1fed7851805590582 Mon Sep 17 00:00:00 2001
+From: W-Mark Kubacki <wmark@hurrikane.de>
+Date: Fri, 19 Aug 2016 19:50:39 +0200
+Subject: [PATCH] Skip printing at MAX_DEPTH and deeper
+
+This addresses #1136, and mitigates a stack exhaustion when printing
+a very deeply nested term.
+
+Updated by hlieberman@debian.org for security backport to 1.4.
+---
+ src/jv_print.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+--- a/jv_print.c
++++ b/jv_print.c
+@@ -7,13 +7,17 @@
+ #include "jv_dtoa.h"
+ #include "jv_unicode.h"
+ 
++#ifndef MAX_DEPTH
++#define MAX_DEPTH 256
++#endif
++
+ #define ESC "\033"
+ #define COL(c) (ESC "[" c "m")
+ #define COLRESET (ESC "[0m")
+ 
+ // Colour table. See http://en.wikipedia.org/wiki/ANSI_escape_code#Colors
+ // for how to choose these.
+-static const jv_kind colour_kinds[] = 
++static const jv_kind colour_kinds[] =
+   {JV_KIND_NULL,   JV_KIND_FALSE, JV_KIND_TRUE, JV_KIND_NUMBER,
+    JV_KIND_STRING, JV_KIND_ARRAY, JV_KIND_OBJECT};
+ static const char* const colours[] =
+@@ -99,7 +103,7 @@
+         sprintf(buf, "\\u%04x", c);
+       } else {
+         c -= 0x10000;
+-        sprintf(buf, "\\u%04x\\u%04x", 
++        sprintf(buf, "\\u%04x\\u%04x",
+                 0xD800 | ((c & 0xffc00) >> 10),
+                 0xDC00 | (c & 0x003ff));
+       }
+@@ -124,7 +128,9 @@
+       }
+     }
+   }
+-  switch (jv_get_kind(x)) {
++  if (indent > MAX_DEPTH) {
++    put_str("<stripped: exceeds max depth>", F, S);
++  } else switch (jv_get_kind(x)) {
+   default:
+   case JV_KIND_INVALID:
+     assert(0 && "Invalid value");
+@@ -242,7 +248,7 @@
+       if (colour) put_str(colour, F, S);
+       put_str((flags & JV_PRINT_PRETTY) ? ": " : ":", F, S);
+       if (colour) put_str(COLRESET, F, S);
+-      
++
+       jv_dump_term(C, value, flags, indent + INDENT, F, S);
+       if (colour) put_str(colour, F, S);
+     }
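Review bot: The limit at `if (indent > MAX_DEPTH)` is compared against the indentation column, which the recursive call `jv_dump_term(C, value, flags, indent + INDENT, F, S);` advances by INDENT per nesting level, so the effective nesting bound is MAX_DEPTH/INDENT rather than the 256 levels the macro name suggests; INDENT is defined outside this hunk, so its value should be confirmed before relying on the figure. A comment above the check would make the unit explicit, e.g. `// indent advances by INDENT per level, so this bounds nesting at MAX_DEPTH/INDENT; deeper values are replaced by a marker instead of recursing`. The emitted marker `<stripped: exceeds max depth>` is not valid JSON, so consumers of jq output will see an unparseable document rather than a truncated one past the limit — acceptable as a crash mitigation, but worth a sentence in the patch header. The three whitespace-only changes (trailing blanks after `colour_kinds[] =`, after the `sprintf` format string, and the blank line before the recursive call) are unrelated to the fix and could be dropped to keep the stable backport minimal; jv_dump_term() itself starts and ends outside the hunk.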
-- 
Harlan Lieberman-Berg
~hlieberman
