Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: jq@packages.debian.org, team@security.debian.org
Control: affects -1 + src:jq
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Cherry-pick to fix CVE-2025-48060.

[ Impact ]
Users will be affected by CVE-2025-48060.

[ Tests ]
No test is done since the change is trivial.

[ Risks ]
The change is trivial.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Set 0 at the end of the buffer.

[ Other info ]

--
ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B
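The one-line change this request cherry-picks is easier to assess with a model of the buffer layout it relies on. The following C program is an added example written for this report, not jq's code: `demo_string`, `demo_alloc`, the `demo_empty_new_*` functions and the 0xFF "dirty heap" fill are all assumptions made for the demonstration. It places the unfixed allocation (only `length` bytes cleared) beside the fixed one (the reserved byte at `data[length]` explicitly zeroed, mirroring `s->data[length] = 0;` in the patch) and exposes a check a reviewer can run: the byte just past the payload must be NUL so that any C-string consumer stops at or before `alloc_length`.

```c
// Added example (not jq's code): a minimal model of the string buffer
// behind the CVE-2025-48060 fix, with the before/after variants side by
// side. Struct, function names and the 0xFF fill are assumptions.
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef struct {
  uint32_t alloc_length;   /* bytes usable for payload; terminator is extra */
  char data[];             /* payload followed by one reserved terminator byte */
} demo_string;

/* Allocate payload + 1 byte, the invariant the fix depends on. The 0xFF
 * fill stands in for whatever a recycled heap block might contain; it is
 * a constructed worst case, not something malloc() guarantees. */
static demo_string *demo_alloc(uint32_t length) {
  size_t total = sizeof(demo_string) + (size_t)length + 1;
  demo_string *s = malloc(total);
  if (!s) abort();
  memset(s, 0xFF, total);
  s->alloc_length = length;
  return s;
}

/* Before the fix: only `length` bytes are cleared; data[length] keeps
 * whatever the allocator left there. */
demo_string *demo_empty_new_unfixed(uint32_t length) {
  demo_string *s = demo_alloc(length);
  memset(s->data, 0, length);
  return s;
}

/* After the fix: the reserved terminator byte is zeroed as well. */
demo_string *demo_empty_new_fixed(uint32_t length) {
  demo_string *s = demo_alloc(length);
  memset(s->data, 0, length);
  s->data[length] = 0;
  return s;
}

/* Review invariant: the byte just past the payload is NUL, so strlen()
 * on data can never exceed alloc_length. Returns 1 if it holds. */
int demo_is_terminated(const demo_string *s) {
  return s->data[s->alloc_length] == 0;
}

/* Allocate with or without the fix, read back the terminator slot, free,
 * and return the byte value found there (0x00 is the only acceptable one). */
unsigned demo_probe_terminator(int apply_fix, uint32_t length) {
  demo_string *s = apply_fix ? demo_empty_new_fixed(length)
                             : demo_empty_new_unfixed(length);
  unsigned byte = (unsigned char)s->data[s->alloc_length];
  free(s);
  return byte;
}

/* Same as above but reports whether the invariant holds. */
int demo_probe_is_terminated(int apply_fix, uint32_t length) {
  demo_string *s = apply_fix ? demo_empty_new_fixed(length)
                             : demo_empty_new_unfixed(length);
  int ok = demo_is_terminated(s);
  free(s);
  return ok;
}

int main(void) {
  printf("unfixed: terminator byte 0x%02x, terminated=%d\n",
         demo_probe_terminator(0, 8), demo_probe_is_terminated(0, 8));
  printf("fixed:   terminator byte 0x%02x, terminated=%d\n",
         demo_probe_terminator(1, 8), demo_probe_is_terminated(1, 8));
  return 0;
}
```

On a real heap the stale byte is not reliably non-zero, which is exactly why the defect is easy to miss in casual testing; the constructed 0xFF fill makes the missing terminator visible every run. The zero-length case is included in the check because the fix must also hold when the payload is empty and the terminator is `data[0]`.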
diff -Nru jq-1.6/debian/changelog jq-1.6/debian/changelog --- jq-1.6/debian/changelog 2020-12-10 16:24:21.000000000 +0800 +++ jq-1.6/debian/changelog 2025-07-09 22:23:15.000000000 +0800 @@ -1,3 +1,10 @@ +jq (1.6-2.1+deb12u1) bookworm; urgency=medium + + * Cherry-pick upstream commit c6e041699d8cd31b97375a2596217aff2cfca85b to + fix CVE-2025-48060. + + -- ChangZhuo Chen (陳昌倬) <czchen@debian.org> Wed, 09 Jul 2025 22:23:15 +0800 + jq (1.6-2.1) unstable; urgency=medium [ Paul Gevers ] diff -Nru jq-1.6/debian/patches/CVE-2025-48060.patch jq-1.6/debian/patches/CVE-2025-48060.patch --- jq-1.6/debian/patches/CVE-2025-48060.patch 1970-01-01 08:00:00.000000000 +0800 +++ jq-1.6/debian/patches/CVE-2025-48060.patch 2025-07-09 22:21:20.000000000 +0800 @@ -0,0 +1,22 @@ +From: =?utf-8?b?IkNoYW5nWmh1byBDaGVuICjpmbPmmIzlgKwpIg==?= + <czchen@debian.org> +Date: Wed, 9 Jul 2025 22:19:33 +0800 +Subject: Cherry-pick upstream commit c6e041699d8cd31b97375a2596217aff2cfca85b + to fix CVE-2025-48060 + +--- + src/jv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/jv.c b/src/jv.c +index 979d188..6936f59 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -492,6 +492,7 @@ static jv jvp_string_empty_new(uint32_t length) { + jvp_string* s = jvp_string_alloc(length); + s->length_hashed = 0; + memset(s->data, 0, length); ++ s->data[length] = 0; + jv r = {JV_KIND_STRING, 0, 0, 0, {&s->refcnt}}; + return r; + } diff -Nru jq-1.6/debian/patches/series jq-1.6/debian/patches/series --- jq-1.6/debian/patches/series 2020-12-10 16:24:21.000000000 +0800 +++ jq-1.6/debian/patches/series 2025-07-09 22:22:06.000000000 +0800 @@ -8,3 +8,4 @@ 0008-Do-not-use-venderized-oniguruma.patch 0009-Hardcode-version-to-1.6.patch 0010-initialized-variables.patch +CVE-2025-48060.patch
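Review bot: in the new `debian/patches/CVE-2025-48060.patch`, the added `s->data[length] = 0;` writes one byte beyond the `length` bytes that the preceding `memset(s->data, 0, length);` clears, so the hunk is only safe if `jvp_string_alloc(length)` reserves `length + 1` bytes for `data`; that allocation is outside the visible context, so the patch header should state that `data` is always allocated with one extra terminator byte so the change can be reviewed on its own. The header also carries only From/Date/Subject; an `Origin:` line naming the upstream commit c6e041699d8cd31b97375a2596217aff2cfca85b (DEP-3) would make the provenance machine-readable instead of living only in the Subject.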
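Review bot: the `debian/changelog` entry names the CVE id and the upstream commit hash but not what the defect is; a short description such as "NUL-terminate the string buffer in jvp_string_empty_new" next to the CVE id would let stable users and the security tracker see what changed without opening the patch.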
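Review bot: in `debian/patches/series`, `CVE-2025-48060.patch` departs from the numbered `00NN-` naming the rest of the series uses (it follows `0010-initialized-variables.patch`); not a blocker, since the order in `series` is what counts, but `0011-CVE-2025-48060.patch` would keep the listing consistent.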
Attachment:
signature.asc
Description: PGP signature