
Bug#1108863: [discussion] unblock: jq/1.8.0-1



Control: tags -1 confirmed moreinfo

On 2025-07-08 00:41:37 +0800, ChangZhuo Chen (陳昌倬) wrote:
> Control: retitle -1 unblock: jq/1.7.1-6+deb13u1
> 
> On Mon, Jul 07, 2025 at 11:24:21PM +0800, ChangZhuo Chen (陳昌倬) wrote:
> > On Sun, Jul 06, 2025 at 09:18:00PM +0200, Sebastian Ramacher wrote:
> > > I think a targeted fix on top of 1.7.1 would be more appropriate. I
> > > don't expect all of " 190 files changed, 30175 insertions(+), 24688
> > > deletions(-)" is needed to fix CVE-2025-49104.
> > 
> > I agree with Sebastian. Let's aim for a targeted fix on top of 1.7.1.
> 
> I have prepared jq 1.7.1-6+deb13u1 for CVE-2025-49104, please see
> attachment for debdiff.

Please go ahead with this upload. Please remove the moreinfo tag after
the upload.

Cheers

> 
> 
> -- 
> ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
> Key fingerprint = BA04 346D C2E1 FE63 C790  8793 CC65 B0CD EC27 5D5B

> diff -Nru jq-1.7.1/debian/changelog jq-1.7.1/debian/changelog
> --- jq-1.7.1/debian/changelog	2025-05-25 03:15:28.000000000 +0800
> +++ jq-1.7.1/debian/changelog	2025-07-08 00:16:39.000000000 +0800
> @@ -1,3 +1,9 @@
> +jq (1.7.1-6+deb13u1) trixie; urgency=medium
> +
> +  * Cherry-pick upstream commit for CVE-2025-48060.
> +
> + -- ChangZhuo Chen (陳昌倬) <czchen@debian.org>  Tue, 08 Jul 2025 00:16:39 +0800
> +
>  jq (1.7.1-6) unstable; urgency=medium
>  
>    * Cherry-pick upstream commit for CVE-2024-23337 (Closes: #1106289)
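
Review bot: the new 1.7.1-6+deb13u1 changelog entry names CVE-2025-48060, but the unblock discussion quoted above asks for a fix for CVE-2025-49104. One of the two identifiers needs correcting, or the entry should say how they relate, so that the release team and anyone tracking the CVE are looking at the same issue. The entry also carries no bug reference, unlike the 1.7.1-6 entry below it, which has "(Closes: #1106289)".
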
> diff -Nru jq-1.7.1/debian/patches/CVE-2025-48060.patch jq-1.7.1/debian/patches/CVE-2025-48060.patch
> --- jq-1.7.1/debian/patches/CVE-2025-48060.patch	1970-01-01 08:00:00.000000000 +0800
> +++ jq-1.7.1/debian/patches/CVE-2025-48060.patch	2025-07-08 00:16:25.000000000 +0800
> @@ -0,0 +1,37 @@
> +From: =?utf-8?b?IkNoYW5nWmh1byBDaGVuICjpmbPmmIzlgKwpIg==?=
> + <czchen@debian.org>
> +Date: Tue, 8 Jul 2025 00:09:51 +0800
> +Subject: Fix heap buffer overflow when formatting an empty string
> +
> +---
> + src/jv.c      | 1 +
> + tests/jq.test | 4 ++++
> + 2 files changed, 5 insertions(+)
> +
> +diff --git a/src/jv.c b/src/jv.c
> +index a8fbe48..c8e0c51 100644
> +--- a/src/jv.c
> ++++ b/src/jv.c
> +@@ -1121,6 +1121,7 @@ static jv jvp_string_empty_new(uint32_t length) {
> +   jvp_string* s = jvp_string_alloc(length);
> +   s->length_hashed = 0;
> +   memset(s->data, 0, length);
> ++  s->data[length] = 0;
> +   jv r = {JVP_FLAGS_STRING, 0, 0, 0, {&s->refcnt}};
> +   return r;
> + }
> +diff --git a/tests/jq.test b/tests/jq.test
> +index 944f9da..b36e591 100644
> +--- a/tests/jq.test
> ++++ b/tests/jq.test
> +@@ -2024,6 +2024,10 @@ map(try implode catch .)
> + [123,["a"],[nan]]
> + ["implode input must be an array","string (\"a\") can't be imploded, unicode codepoint needs to be numeric","number (null) can't be imploded, unicode codepoint needs to be numeric"]
> + 
> ++try 0[implode] catch .
> ++[]
> ++"Cannot index number with string \"\""
> ++
> + # walk
> + walk(.)
> + {"x":0}
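
Review bot: in the src/jv.c part, the added "s->data[length] = 0;" writes at index length, one byte past the range that the preceding "memset(s->data, 0, length);" clears, so it is in bounds only if jvp_string_alloc(length) reserves at least length + 1 bytes, which these lines do not show; that should be confirmed against the allocator in the 1.7.1 tree before upload. The patch header also has no Origin: field or upstream commit id, although the changelog describes this as a cherry-pick of an upstream commit; adding one would let a reviewer compare the patch against upstream.
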
> diff -Nru jq-1.7.1/debian/patches/series jq-1.7.1/debian/patches/series
> --- jq-1.7.1/debian/patches/series	2025-05-25 03:11:23.000000000 +0800
> +++ jq-1.7.1/debian/patches/series	2025-07-08 00:16:25.000000000 +0800
> @@ -6,3 +6,4 @@
>  libtool.patch
>  CVE-2024-53427.patch
>  CVE-2024-23337.patch
> +CVE-2025-48060.patch




-- 
Sebastian Ramacher

