Control: retitle -1 unblock: jq/1.7.1-6+deb13u1
On Mon, Jul 07, 2025 at 11:24:21PM +0800, ChangZhuo Chen (陳昌倬) wrote:
> On Sun, Jul 06, 2025 at 09:18:00PM +0200, Sebastian Ramacher wrote:
> > I think a targeted fix on top of 1.7.1 would be more appropriate. I
> > don't expect all of " 190 files changed, 30175 insertions(+), 24688
> > deletions(-)" is needed to fix CVE-2025-49104.
>
> I agree with Sebastian. Let's aim for a targeted fix on top of 1.7.1.
I have prepared jq 1.7.1-6+deb13u1 for CVE-2025-49104; please see the
attachment for the debdiff.
--
ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B
diff -Nru jq-1.7.1/debian/changelog jq-1.7.1/debian/changelog
--- jq-1.7.1/debian/changelog 2025-05-25 03:15:28.000000000 +0800
+++ jq-1.7.1/debian/changelog 2025-07-08 00:16:39.000000000 +0800
@@ -1,3 +1,9 @@
+jq (1.7.1-6+deb13u1) trixie; urgency=medium
+
+ * Cherry-pick upstream commit for CVE-2025-48060.
+
+ -- ChangZhuo Chen (陳昌倬) <czchen@debian.org> Tue, 08 Jul 2025 00:16:39 +0800
+
jq (1.7.1-6) unstable; urgency=medium
* Cherry-pick upstream commit for CVE-2024-23337 (Closes: #1106289)
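Review bot: the new 1.7.1-6+deb13u1 changelog entry names CVE-2025-48060, while the cover mail and the quoted discussion both refer to CVE-2025-49104; the patch file name and the series entry also use CVE-2025-48060. Confirm which identifier this upload addresses and make the mail and the changelog agree before the unblock is processed. Unlike the 1.7.1-6 entry directly below it, this entry carries no "(Closes: #...)" reference; add one if a bug tracks this issue.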
diff -Nru jq-1.7.1/debian/patches/CVE-2025-48060.patch jq-1.7.1/debian/patches/CVE-2025-48060.patch
--- jq-1.7.1/debian/patches/CVE-2025-48060.patch 1970-01-01 08:00:00.000000000 +0800
+++ jq-1.7.1/debian/patches/CVE-2025-48060.patch 2025-07-08 00:16:25.000000000 +0800
@@ -0,0 +1,37 @@
+From: =?utf-8?b?IkNoYW5nWmh1byBDaGVuICjpmbPmmIzlgKwpIg==?=
+ <czchen@debian.org>
+Date: Tue, 8 Jul 2025 00:09:51 +0800
+Subject: Fix heap buffer overflow when formatting an empty string
+
+---
+ src/jv.c | 1 +
+ tests/jq.test | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/src/jv.c b/src/jv.c
+index a8fbe48..c8e0c51 100644
+--- a/src/jv.c
++++ b/src/jv.c
+@@ -1121,6 +1121,7 @@ static jv jvp_string_empty_new(uint32_t length) {
+ jvp_string* s = jvp_string_alloc(length);
+ s->length_hashed = 0;
+ memset(s->data, 0, length);
++ s->data[length] = 0;
+ jv r = {JVP_FLAGS_STRING, 0, 0, 0, {&s->refcnt}};
+ return r;
+ }
+diff --git a/tests/jq.test b/tests/jq.test
+index 944f9da..b36e591 100644
+--- a/tests/jq.test
++++ b/tests/jq.test
+@@ -2024,6 +2024,10 @@ map(try implode catch .)
+ [123,["a"],[nan]]
+ ["implode input must be an array","string (\"a\") can't be imploded, unicode codepoint needs to be numeric","number (null) can't be imploded, unicode codepoint needs to be numeric"]
+
++try 0[implode] catch .
++[]
++"Cannot index number with string \"\""
++
+ # walk
+ walk(.)
+ {"x":0}
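Review bot: in jvp_string_empty_new, the added `s->data[length] = 0;` writes one byte past the `length` bytes that the preceding memset clears, so it is only safe if jvp_string_alloc(length) reserves at least length + 1 bytes, which this hunk does not show; confirm that against the 1.7.1 source. If it does, `memset(s->data, 0, length + 1);` would cover both in one call, though keeping the line identical to upstream is reasonable for a cherry-pick. The patch header has no Origin or upstream commit reference even though the changelog calls this a cherry-pick, and its From line names the packager; recording the upstream commit id there would make the backport auditable. The added `try 0[implode] catch .` case in tests/jq.test exercises the empty-string path, which is the right regression test to carry along.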
diff -Nru jq-1.7.1/debian/patches/series jq-1.7.1/debian/patches/series
--- jq-1.7.1/debian/patches/series 2025-05-25 03:11:23.000000000 +0800
+++ jq-1.7.1/debian/patches/series 2025-07-08 00:16:25.000000000 +0800
@@ -6,3 +6,4 @@
libtool.patch
CVE-2024-53427.patch
CVE-2024-23337.patch
+CVE-2025-48060.patch