[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1106459: unblock: jq/1.7.1-5

Control: tags -1 moreinfo

On 2025-05-25 03:34:19 +0800, ChangZhuo Chen (陳昌倬) wrote:
> Package: release.debian.org
> Severity: normal
> X-Debbugs-Cc: jq@packages.debian.org
> Control: affects -1 + src:jq
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package jq

-6 hasn't been uploaded yet. Please remove the moreinfo tag once the
package is available in unstable.

Cheers

> 
> [ Reason ]
> 
> Cherry-pick upstream commit for CVE-2024-23337.
> 
> [ Impact ]
> 
> Security vulnerability remains in jq if unblock is not granted.
> 
> [ Tests ]
> 
> Upstream unit test has been performed and passed.
> 
> [ Risks ]
> 
> [ Checklist ]
> 
>   [v] all changes are documented in the d/changelog
>   [v] I reviewed all changes and I approve them
>   [v] attach debdiff against the package in testing
> 
> [ Other info ]
> 
> unblock jq/1.7.1-5
> 
> -- 
> ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
> Key fingerprint = BA04 346D C2E1 FE63 C790  8793 CC65 B0CD EC27 5D5B

> diff -Nru jq-1.7.1/debian/changelog jq-1.7.1/debian/changelog
> --- jq-1.7.1/debian/changelog	2025-04-12 16:09:04.000000000 +0800
> +++ jq-1.7.1/debian/changelog	2025-05-25 03:15:28.000000000 +0800
> @@ -1,3 +1,9 @@
> +jq (1.7.1-6) unstable; urgency=medium
> +
> +  * Cherry-pick upstream commit for CVE-2024-23337 (Closes: #1106289)
> +
> + -- ChangZhuo Chen (陳昌倬) <czchen@debian.org>  Sun, 25 May 2025 03:15:28 +0800
> +
>  jq (1.7.1-5) unstable; urgency=medium
>  
>    * Cherry-pick upstream commit for CVE-2024-53427 (Closes: #1102679)
> diff -Nru jq-1.7.1/debian/patches/CVE-2024-23337.patch jq-1.7.1/debian/patches/CVE-2024-23337.patch
> --- jq-1.7.1/debian/patches/CVE-2024-23337.patch	1970-01-01 08:00:00.000000000 +0800
> +++ jq-1.7.1/debian/patches/CVE-2024-23337.patch	2025-05-25 03:11:23.000000000 +0800
> @@ -0,0 +1,208 @@
> +From: =?utf-8?b?IkNoYW5nWmh1byBDaGVuICjpmbPmmIzlgKwpIg==?=
> + <czchen@debian.org>
> +Date: Sun, 25 May 2025 03:08:51 +0800
> +Subject: Fix signed integer overflow in jvp_array_write and jvp_object_rehash
> +
> +---
> + src/jv.c      | 45 ++++++++++++++++++++++++++++++++++++---------
> + src/jv_aux.c  |  9 +++++----
> + tests/jq.test |  4 ++++
> + 3 files changed, 45 insertions(+), 13 deletions(-)
> +
> +diff --git a/src/jv.c b/src/jv.c
> +index 7f798d8..a8fbe48 100644
> +--- a/src/jv.c
> ++++ b/src/jv.c
> +@@ -997,6 +997,11 @@ jv jv_array_set(jv j, int idx, jv val) {
> +     jv_free(val);
> +     return jv_invalid_with_msg(jv_string("Out of bounds negative array index"));
> +   }
> ++  if (idx > (INT_MAX >> 2) - jvp_array_offset(j)) {
> ++    jv_free(j);
> ++    jv_free(val);
> ++    return jv_invalid_with_msg(jv_string("Array index too large"));
> ++  }
> +   // copy/free of val,j coalesced
> +   jv* slot = jvp_array_write(&j, idx);
> +   jv_free(*slot);
> +@@ -1016,6 +1021,7 @@ jv jv_array_concat(jv a, jv b) {
> +   // FIXME: could be faster
> +   jv_array_foreach(b, i, elem) {
> +     a = jv_array_append(a, elem);
> ++    if (!jv_is_valid(a)) break;
> +   }
> +   jv_free(b);
> +   return a;
> +@@ -1288,6 +1294,7 @@ jv jv_string_indexes(jv j, jv k) {
> +     p = jstr;
> +     while ((p = _jq_memmem(p, (jstr + jlen) - p, idxstr, idxlen)) != NULL) {
> +       a = jv_array_append(a, jv_number(p - jstr));
> ++      if (!jv_is_valid(a)) break;
> +       p++;
> +     }
> +   }
> +@@ -1310,14 +1317,17 @@ jv jv_string_split(jv j, jv sep) {
> + 
> +   if (seplen == 0) {
> +     int c;
> +-    while ((jstr = jvp_utf8_next(jstr, jend, &c)))
> ++    while ((jstr = jvp_utf8_next(jstr, jend, &c))) {
> +       a = jv_array_append(a, jv_string_append_codepoint(jv_string(""), c));
> ++      if (!jv_is_valid(a)) break;
> ++    }
> +   } else {
> +     for (p = jstr; p < jend; p = s + seplen) {
> +       s = _jq_memmem(p, jend - p, sepstr, seplen);
> +       if (s == NULL)
> +         s = jend;
> +       a = jv_array_append(a, jv_string_sized(p, s - p));
> ++      if (!jv_is_valid(a)) break;
> +       // Add an empty string to denote that j ends on a sep
> +       if (s + seplen == jend && seplen != 0)
> +         a = jv_array_append(a, jv_string(""));
> +@@ -1335,8 +1345,10 @@ jv jv_string_explode(jv j) {
> +   const char* end = i + len;
> +   jv a = jv_array_sized(len);
> +   int c;
> +-  while ((i = jvp_utf8_next(i, end, &c)))
> ++  while ((i = jvp_utf8_next(i, end, &c))) {
> +     a = jv_array_append(a, jv_number(c));
> ++    if (!jv_is_valid(a)) break;
> ++  }
> +   jv_free(j);
> +   return a;
> + }
> +@@ -1610,10 +1622,13 @@ static void jvp_object_free(jv o) {
> +   }
> + }
> + 
> +-static jv jvp_object_rehash(jv object) {
> ++static int jvp_object_rehash(jv *objectp) {
> ++  jv object = *objectp;
> +   assert(JVP_HAS_KIND(object, JV_KIND_OBJECT));
> +   assert(jvp_refcnt_unshared(object.u.ptr));
> +   int size = jvp_object_size(object);
> ++  if (size > INT_MAX >> 2)
> ++    return 0;
> +   jv new_object = jvp_object_new(size * 2);
> +   for (int i=0; i<size; i++) {
> +     struct object_slot* slot = jvp_object_get_slot(object, i);
> +@@ -1626,7 +1641,8 @@ static jv jvp_object_rehash(jv object) {
> +   }
> +   // references are transported, just drop the old table
> +   jv_mem_free(jvp_object_ptr(object));
> +-  return new_object;
> ++  *objectp = new_object;
> ++  return 1;
> + }
> + 
> + static jv jvp_object_unshare(jv object) {
> +@@ -1655,27 +1671,32 @@ static jv jvp_object_unshare(jv object) {
> +   return new_object;
> + }
> + 
> +-static jv* jvp_object_write(jv* object, jv key) {
> ++static int jvp_object_write(jv* object, jv key, jv **valpp) {
> +   *object = jvp_object_unshare(*object);
> +   int* bucket = jvp_object_find_bucket(*object, key);
> +   struct object_slot* slot = jvp_object_find_slot(*object, key, bucket);
> +   if (slot) {
> +     // already has the key
> +     jvp_string_free(key);
> +-    return &slot->value;
> ++    *valpp = &slot->value;
> ++    return 1;
> +   }
> +   slot = jvp_object_add_slot(*object, key, bucket);
> +   if (slot) {
> +     slot->value = jv_invalid();
> +   } else {
> +-    *object = jvp_object_rehash(*object);
> ++    if (!jvp_object_rehash(object)) {
> ++      *valpp = NULL;
> ++      return 0;
> ++    }
> +     bucket = jvp_object_find_bucket(*object, key);
> +     assert(!jvp_object_find_slot(*object, key, bucket));
> +     slot = jvp_object_add_slot(*object, key, bucket);
> +     assert(slot);
> +     slot->value = jv_invalid();
> +   }
> +-  return &slot->value;
> ++  *valpp = &slot->value;
> ++  return 1;
> + }
> + 
> + static int jvp_object_delete(jv* object, jv key) {
> +@@ -1775,7 +1796,11 @@ jv jv_object_set(jv object, jv key, jv value) {
> +   assert(JVP_HAS_KIND(object, JV_KIND_OBJECT));
> +   assert(JVP_HAS_KIND(key, JV_KIND_STRING));
> +   // copy/free of object, key, value coalesced
> +-  jv* slot = jvp_object_write(&object, key);
> ++  jv* slot;
> ++  if (!jvp_object_write(&object, key, &slot)) {
> ++    jv_free(object);
> ++    return jv_invalid_with_msg(jv_string("Object too big"));
> ++  }
> +   jv_free(*slot);
> +   *slot = value;
> +   return object;
> +@@ -1800,6 +1825,7 @@ jv jv_object_merge(jv a, jv b) {
> +   assert(JVP_HAS_KIND(a, JV_KIND_OBJECT));
> +   jv_object_foreach(b, k, v) {
> +     a = jv_object_set(a, k, v);
> ++    if (!jv_is_valid(a)) break;
> +   }
> +   jv_free(b);
> +   return a;
> +@@ -1819,6 +1845,7 @@ jv jv_object_merge_recursive(jv a, jv b) {
> +       jv_free(elem);
> +       a = jv_object_set(a, k, v);
> +     }
> ++    if (!jv_is_valid(a)) break;
> +   }
> +   jv_free(b);
> +   return a;
> +diff --git a/src/jv_aux.c b/src/jv_aux.c
> +index 6004799..bbe1c0d 100644
> +--- a/src/jv_aux.c
> ++++ b/src/jv_aux.c
> +@@ -193,18 +193,19 @@ jv jv_set(jv t, jv k, jv v) {
> +         if (slice_len < insert_len) {
> +           // array is growing
> +           int shift = insert_len - slice_len;
> +-          for (int i = array_len - 1; i >= end; i--) {
> ++          for (int i = array_len - 1; i >= end && jv_is_valid(t); i--) {
> +             t = jv_array_set(t, i + shift, jv_array_get(jv_copy(t), i));
> +           }
> +         } else if (slice_len > insert_len) {
> +           // array is shrinking
> +           int shift = slice_len - insert_len;
> +-          for (int i = end; i < array_len; i++) {
> ++          for (int i = end; i < array_len && jv_is_valid(t); i++) {
> +             t = jv_array_set(t, i - shift, jv_array_get(jv_copy(t), i));
> +           }
> +-          t = jv_array_slice(t, 0, array_len - shift);
> ++          if (jv_is_valid(t))
> ++            t = jv_array_slice(t, 0, array_len - shift);
> +         }
> +-        for (int i=0; i < insert_len; i++) {
> ++        for (int i = 0; i < insert_len && jv_is_valid(t); i++) {
> +           t = jv_array_set(t, start + i, jv_array_get(jv_copy(v), i));
> +         }
> +         jv_free(v);
> +diff --git a/tests/jq.test b/tests/jq.test
> +index 7036df2..944f9da 100644
> +--- a/tests/jq.test
> ++++ b/tests/jq.test
> +@@ -198,6 +198,10 @@ null
> + [0,1,2]
> + [0,5,2]
> + 
> ++try (.[999999999] = 0) catch .
> ++null
> ++"Array index too large"
> ++
> + #
> + # Multiple outputs, iteration
> + #
> diff -Nru jq-1.7.1/debian/patches/series jq-1.7.1/debian/patches/series
> --- jq-1.7.1/debian/patches/series	2025-04-12 16:00:54.000000000 +0800
> +++ jq-1.7.1/debian/patches/series	2025-05-25 03:11:23.000000000 +0800
> @@ -5,3 +5,4 @@
>  0006-Do-not-use-pipenv-to-build-docs.patch
>  libtool.patch
>  CVE-2024-53427.patch
> +CVE-2024-23337.patch




-- 
Sebastian Ramacher
Reply to: