Bug#850214: jessie-pu: package jq/1.4-2.2
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
In order to fix two CVEs deemed not important enough for DSAs, I have prepared
a new version of jq (1.4-2.2) for p-u. Debdiff from version in stable is
attached.
Can upload to s-p-u if the debdiff looks good to you.
diff -Nru jq-1.4/debian/changelog jq-1.4/debian/changelog
--- jq-1.4/debian/changelog 2014-07-21 02:53:57.000000000 -0400
+++ jq-1.4/debian/changelog 2017-01-05 00:26:08.000000000 -0500
@@ -1,3 +1,11 @@
+jq (1.4-2.2) jessie; urgency=high
+
+ * Non-maintainer upload.
+ * Add patch to fix CVE-2015-8863. (Closes: #802231)
+ * Add patch to fix CVE-2016-4074. (Closes: #822456)
+
+ -- Harlan Lieberman-Berg <hlieberman@debian.org> Thu, 05 Jan 2017 00:26:08 -0500
+
jq (1.4-2.1) unstable; urgency=medium
* Non-maintainer upload.
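Review bot: The two changelog entries describe only "Add patch to fix CVE-…", but the CVE-2016-4074 fix is a behaviour change users of stable will notice (values nested deeper than MAX_DEPTH are no longer printed and are replaced by a "<stripped: exceeds max depth>" marker); stable-update changelogs should say so, e.g. "Add stack-exhaustion.patch to fix CVE-2016-4074: stop printing terms nested deeper than MAX_DEPTH (Closes: #822456)", and likewise name heap-buffer-overflow.patch for CVE-2015-8863, so the entry points at the file that carries the fix.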
diff -Nru jq-1.4/debian/patches/heap-buffer-overflow.patch jq-1.4/debian/patches/heap-buffer-overflow.patch
--- jq-1.4/debian/patches/heap-buffer-overflow.patch 1969-12-31 19:00:00.000000000 -0500
+++ jq-1.4/debian/patches/heap-buffer-overflow.patch 2017-01-05 00:26:08.000000000 -0500
@@ -0,0 +1,32 @@
+From 8eb1367ca44e772963e704a700ef72ae2e12babd Mon Sep 17 00:00:00 2001
+From: Nicolas Williams <nico@cryptonector.com>
+Date: Sat, 24 Oct 2015 17:24:57 -0500
+Subject: [PATCH] Heap buffer overflow in tokenadd() (fix #105)
+
+This was an off-by one: the NUL terminator byte was not allocated on
+resize. This was triggered by JSON-encoded numbers longer than 256
+bytes.
+---
+ src/jv_parse.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/jv_parse.c
++++ b/jv_parse.c
+@@ -172,7 +172,7 @@
+
+ static void tokenadd(struct jv_parser* p, char c) {
+ assert(p->tokenpos <= p->tokenlen);
+- if (p->tokenpos == p->tokenlen) {
++ if (p->tokenpos >= (p->tokenlen - 1)) {
+ p->tokenlen = p->tokenlen*2 + 256;
+ p->tokenbuf = jv_mem_realloc(p->tokenbuf, p->tokenlen);
+ }
+@@ -271,7 +271,7 @@
+ TRY(value(p, v));
+ } else {
+ // FIXME: better parser
+- p->tokenbuf[p->tokenpos] = 0; // FIXME: invalid
++ p->tokenbuf[p->tokenpos] = 0;
+ char* end = 0;
+ double d = jvp_strtod(&p->dtoa, p->tokenbuf, &end);
+ if (end == 0 || *end != 0)
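Review bot: The new growth condition `if (p->tokenpos >= (p->tokenlen - 1))` only works for an initially empty buffer if `tokenlen` is a signed type (0 >= -1 triggers the first resize); if the field is unsigned in jq 1.4's struct jv_parser, `tokenlen - 1` wraps, the resize is skipped and the first `tokenadd()` writes into an unallocated buffer, so please confirm the field type in the 1.4 header before upload. Two smaller points: the diffstat says `src/jv_parse.c` while the diff headers say `a/jv_parse.c`, so either adjust the diffstat or add a "backported to 1.4" line as the other patch does, and consider adding DEP-3 `Origin:` (the upstream commit 8eb1367) and `Bug-Debian: https://bugs.debian.org/802231` headers so the provenance is machine-readable.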
diff -Nru jq-1.4/debian/patches/series jq-1.4/debian/patches/series
--- jq-1.4/debian/patches/series 2014-07-21 02:34:21.000000000 -0400
+++ jq-1.4/debian/patches/series 2017-01-05 00:26:08.000000000 -0500
@@ -4,3 +4,5 @@
patch-version-into-build.patch
disable-shared-lib.patch
big-endian-fix.patch
+stack-exhaustion.patch
+heap-buffer-overflow.patch
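Review bot: The series lists stack-exhaustion.patch before heap-buffer-overflow.patch while the changelog lists the CVEs in the opposite order; the two patches touch different files (jv_print.c and jv_parse.c), so the order is harmless, but keeping the two lists in the same order (or naming the files after their CVEs) makes it easier to match each entry to its patch during review.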
diff -Nru jq-1.4/debian/patches/stack-exhaustion.patch jq-1.4/debian/patches/stack-exhaustion.patch
--- jq-1.4/debian/patches/stack-exhaustion.patch 1969-12-31 19:00:00.000000000 -0500
+++ jq-1.4/debian/patches/stack-exhaustion.patch 2017-01-05 00:26:08.000000000 -0500
@@ -0,0 +1,62 @@
+From 2d38a12d686a5156d4e7afb1fed7851805590582 Mon Sep 17 00:00:00 2001
+From: W-Mark Kubacki <wmark@hurrikane.de>
+Date: Fri, 19 Aug 2016 19:50:39 +0200
+Subject: [PATCH] Skip printing at MAX_DEPTH and deeper
+
+This addresses #1136, and mitigates a stack exhaustion when printing
+a very deeply nested term.
+
+Updated by hlieberman@debian.org for security backport to 1.4.
+---
+ src/jv_print.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+--- a/jv_print.c
++++ b/jv_print.c
+@@ -7,13 +7,17 @@
+ #include "jv_dtoa.h"
+ #include "jv_unicode.h"
+
++#ifndef MAX_DEPTH
++#define MAX_DEPTH 256
++#endif
++
+ #define ESC "\033"
+ #define COL(c) (ESC "[" c "m")
+ #define COLRESET (ESC "[0m")
+
+ // Colour table. See http://en.wikipedia.org/wiki/ANSI_escape_code#Colors
+ // for how to choose these.
+-static const jv_kind colour_kinds[] =
++static const jv_kind colour_kinds[] =
+ {JV_KIND_NULL, JV_KIND_FALSE, JV_KIND_TRUE, JV_KIND_NUMBER,
+ JV_KIND_STRING, JV_KIND_ARRAY, JV_KIND_OBJECT};
+ static const char* const colours[] =
+@@ -99,7 +103,7 @@
+ sprintf(buf, "\\u%04x", c);
+ } else {
+ c -= 0x10000;
+- sprintf(buf, "\\u%04x\\u%04x",
++ sprintf(buf, "\\u%04x\\u%04x",
+ 0xD800 | ((c & 0xffc00) >> 10),
+ 0xDC00 | (c & 0x003ff));
+ }
+@@ -124,7 +128,9 @@
+ }
+ }
+ }
+- switch (jv_get_kind(x)) {
++ if (indent > MAX_DEPTH) {
++ put_str("<stripped: exceeds max depth>", F, S);
++ } else switch (jv_get_kind(x)) {
+ default:
+ case JV_KIND_INVALID:
+ assert(0 && "Invalid value");
+@@ -242,7 +248,7 @@
+ if (colour) put_str(colour, F, S);
+ put_str((flags & JV_PRINT_PRETTY) ? ": " : ":", F, S);
+ if (colour) put_str(COLRESET, F, S);
+-
++
+ jv_dump_term(C, value, flags, indent + INDENT, F, S);
+ if (colour) put_str(colour, F, S);
+ }
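Review bot: The depth check `if (indent > MAX_DEPTH)` compares the indentation column, not the nesting level: each recursion passes `indent + INDENT` (see the `jv_dump_term(C, value, flags, indent + INDENT, F, S);` line), so the real cut-off is MAX_DEPTH/INDENT levels, and the macro name, the default of 256 and the "<stripped: exceeds max depth>" message all suggest a level count; either track a separate depth counter or document the effective limit in the patch description. Note also that `put_str("<stripped: exceeds max depth>", F, S)` emits the marker unquoted, so jq output for a deep value is no longer parseable JSON, which downstream scripts in stable may not expect; emitting a quoted string would keep the output well-formed. Finally, the three whitespace-only changes (the `colour_kinds[]` line, the `sprintf` line and the blank line after `COLRESET`) are unrelated to the fix and should be dropped to keep the stable backport minimal.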
--
Harlan Lieberman-Berg
~hlieberman