Bug#1108863: [discussion] unblock: jq/1.8.0-1
Control: tags -1 confirmed moreinfo
On 2025-07-08 00:41:37 +0800, ChangZhuo Chen (陳昌倬) wrote:
> Control: retitle -1 unblock: jq/1.7.1-6+deb13u1
>
> On Mon, Jul 07, 2025 at 11:24:21PM +0800, ChangZhuo Chen (陳昌倬) wrote:
> > On Sun, Jul 06, 2025 at 09:18:00PM +0200, Sebastian Ramacher wrote:
> > > I think a targeted fix on top of 1.7.1 would be more appropriate. I
> > > don't expect all of " 190 files changed, 30175 insertions(+), 24688
> > > deletions(-)" is needed to fix CVE-2025-49104.
> >
> > I agree with Sebastian. Let's aim for a targeted fix on top of 1.7.1.
>
> I have prepared jq 1.7.1-6+deb13u1 for CVE-2025-49104, please see
> attachment for debdiff.
Please go ahead with this upload. Please remove the moreinfo tag after
the upload.
Cheers
>
>
> --
> ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
> Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B
> diff -Nru jq-1.7.1/debian/changelog jq-1.7.1/debian/changelog
> --- jq-1.7.1/debian/changelog 2025-05-25 03:15:28.000000000 +0800
> +++ jq-1.7.1/debian/changelog 2025-07-08 00:16:39.000000000 +0800
> @@ -1,3 +1,9 @@
> +jq (1.7.1-6+deb13u1) trixie; urgency=medium
> +
> + * Cherry-pick upstream commit for CVE-2025-48060.
> +
> + -- ChangZhuo Chen (陳昌倬) <czchen@debian.org> Tue, 08 Jul 2025 00:16:39 +0800
> +
> jq (1.7.1-6) unstable; urgency=medium
>
> * Cherry-pick upstream commit for CVE-2024-23337 (Closes: #1106289)
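Review bot: The new changelog entry names CVE-2025-48060, while the unblock discussion above refers to CVE-2025-49104 for this upload; the entry should state the identifier that actually applies (or both, if they describe the same issue) so that the request and the changelog agree. Unlike the 1.7.1-6 entry below it, the new entry also carries no "(Closes: #...)" reference; add one if a bug is filed for this CVE.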
> diff -Nru jq-1.7.1/debian/patches/CVE-2025-48060.patch jq-1.7.1/debian/patches/CVE-2025-48060.patch
> --- jq-1.7.1/debian/patches/CVE-2025-48060.patch 1970-01-01 08:00:00.000000000 +0800
> +++ jq-1.7.1/debian/patches/CVE-2025-48060.patch 2025-07-08 00:16:25.000000000 +0800
> @@ -0,0 +1,37 @@
> +From: =?utf-8?b?IkNoYW5nWmh1byBDaGVuICjpmbPmmIzlgKwpIg==?=
> + <czchen@debian.org>
> +Date: Tue, 8 Jul 2025 00:09:51 +0800
> +Subject: Fix heap buffer overflow when formatting an empty string
> +
> +---
> + src/jv.c | 1 +
> + tests/jq.test | 4 ++++
> + 2 files changed, 5 insertions(+)
> +
> +diff --git a/src/jv.c b/src/jv.c
> +index a8fbe48..c8e0c51 100644
> +--- a/src/jv.c
> ++++ b/src/jv.c
> +@@ -1121,6 +1121,7 @@ static jv jvp_string_empty_new(uint32_t length) {
> + jvp_string* s = jvp_string_alloc(length);
> + s->length_hashed = 0;
> + memset(s->data, 0, length);
> ++ s->data[length] = 0;
> + jv r = {JVP_FLAGS_STRING, 0, 0, 0, {&s->refcnt}};
> + return r;
> + }
> +diff --git a/tests/jq.test b/tests/jq.test
> +index 944f9da..b36e591 100644
> +--- a/tests/jq.test
> ++++ b/tests/jq.test
> +@@ -2024,6 +2024,10 @@ map(try implode catch .)
> + [123,["a"],[nan]]
> + ["implode input must be an array","string (\"a\") can't be imploded, unicode codepoint needs to be numeric","number (null) can't be imploded, unicode codepoint needs to be numeric"]
> +
> ++try 0[implode] catch .
> ++[]
> ++"Cannot index number with string \"\""
> ++
> + # walk
> + walk(.)
> + {"x":0}
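Review bot: In the src/jv.c hunk, the added "s->data[length] = 0;" writes at index length, one byte past the length bytes that the preceding memset clears, so it is only in bounds if jvp_string_alloc(length) reserves length + 1 bytes, which the visible context does not show. Please confirm that against the allocator, and consider a one-line comment stating that the allocation includes room for the terminator. The embedded patch header also has no Origin: line or upstream commit id, although the changelog describes the change as a cherry-pick of an upstream commit; adding that reference would make the backport traceable.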
> diff -Nru jq-1.7.1/debian/patches/series jq-1.7.1/debian/patches/series
> --- jq-1.7.1/debian/patches/series 2025-05-25 03:11:23.000000000 +0800
> +++ jq-1.7.1/debian/patches/series 2025-07-08 00:16:25.000000000 +0800
> @@ -6,3 +6,4 @@
> libtool.patch
> CVE-2024-53427.patch
> CVE-2024-23337.patch
> +CVE-2025-48060.patch
--
Sebastian Ramacher