CVE-2025-48060

Resolves: RHEL-92993
2025-06-19 13:07:18 +02:00 · 2025-06-19 13:07:18 +02:00 · 0925f71764
commit 0925f71764
parent 2d0e06ab66
2 changed files with 143 additions and 1 deletions
--- a/0007-CVE-2025-48060.patch
+++ b/0007-CVE-2025-48060.patch
@ -0,0 +1,137 @@
+Patch based on:
+
+commit dc849e9bb74a7a164a3ea52f661cc712b1ffbd43
+Author: itchyny <itchyny@cybozu.co.jp>
+Date:   Tue Mar 4 22:13:55 2025 +0900
+
+    Improve performance of repeating strings (#3272)
+
+    This commit improves the performance of repeating strings, by copying
+    the result string instead of the string being repeated. Also it adds
+    an error message when the result string is too long.
+
+and
+
+commit c6e041699d8cd31b97375a2596217aff2cfca85b
+Author: itchyny <itchyny@cybozu.co.jp>
+Date:   Sat May 31 11:46:40 2025 +0900
+
+    Fix heap buffer overflow when formatting an empty string
+
+    The `jv_string_empty` did not properly null-terminate the string data,
+    which could lead to a heap buffer overflow. The test case of
+    GHSA-p7rr-28xf-3m5w (`0[""*0]`) was fixed by the commit dc849e9bb74a,
+    but another case (`0[[]|implode]`) was still vulnerable. This commit
+    ensures string data is properly null-terminated, and fixes CVE-2025-48060.
+
+diff -up jq-1.6/src/builtin.c.orig jq-1.6/src/builtin.c
+--- jq-1.6/src/builtin.c.orig	2025-06-18 16:41:04.634258088 +0200
+++ jq-1.6/src/builtin.c	2025-06-18 17:07:00.384104796 +0200
+@@ -317,19 +317,10 @@ static jv f_multiply(jq_state *jq, jv in
+       str = b;
+       num = a;
+     }
+-    int n;
+-    size_t alen = jv_string_length_bytes(jv_copy(str));
+-    jv res = str;
+-
+-    for (n = jv_number_value(num) - 1; n > 0; n--)
+-      res = jv_string_append_buf(res, jv_string_value(str), alen);
+-
+    double d = jv_number_value(num);
+     jv_free(num);
+-    if (n < 0) {
+-      jv_free(str);
+-      return jv_null();
+-    }
+-    return res;
+    return jv_string_repeat(str,
+        d < 0 || isnan(d) ? -1 : d > INT_MAX ? INT_MAX : (int)d);
+   } else if (ak == JV_KIND_OBJECT && bk == JV_KIND_OBJECT) {
+     return jv_object_merge_recursive(a, b);
+   } else {
+diff -up jq-1.6/src/jv.c.orig jq-1.6/src/jv.c
+--- jq-1.6/src/jv.c.orig	2025-06-19 12:37:15.745792964 +0200
+++ jq-1.6/src/jv.c	2025-06-19 12:18:05.812121053 +0200
+@@ -828,6 +828,7 @@ static jv jvp_string_empty_new(uint32_t
+   jvp_string* s = jvp_string_alloc(length);
+   s->length_hashed = 0;
+   memset(s->data, 0, length);
+  s->data[length] = 0;
+   jv r = {JVP_FLAGS_STRING, 0, 0, 0, {&s->refcnt}};
+   return r;
+ }
+@@ -1006,6 +1007,32 @@ jv jv_string_indexes(jv j, jv k) {
+   return a;
+ }
+ 
+jv jv_string_repeat(jv j, int n) {
+  assert(JVP_HAS_KIND(j, JV_KIND_STRING));
+  if (n < 0) {
+    jv_free(j);
+    return jv_null();
+  }
+  int len = jv_string_length_bytes(jv_copy(j));
+  int64_t res_len = (int64_t)len * n;
+  if (res_len >= INT_MAX) {
+    jv_free(j);
+    return jv_invalid_with_msg(jv_string("Repeat string result too long"));
+  }
+  if (res_len == 0) {
+    jv_free(j);
+    return jv_string("");
+  }
+  jv res = jv_string_empty(res_len);
+  res = jvp_string_append(res, jv_string_value(j), len);
+  for (int curr = len, grow; curr < res_len; curr += grow) {
+    grow = MIN(res_len - curr, curr);
+    res = jvp_string_append(res, jv_string_value(res), grow);
+  }
+  jv_free(j);
+  return res;
+}
+
+ jv jv_string_split(jv j, jv sep) {
+   assert(JVP_HAS_KIND(j, JV_KIND_STRING));
+   assert(JVP_HAS_KIND(sep, JV_KIND_STRING));
+diff -up jq-1.6/src/jv.h.orig jq-1.6/src/jv.h
+--- jq-1.6/src/jv.h.orig	2025-06-18 16:36:33.079921073 +0200
+++ jq-1.6/src/jv.h	2025-06-18 16:41:04.635205790 +0200
+@@ -120,6 +120,7 @@ jv jv_string_fmt(const char*, ...) JV_PR
+ jv jv_string_append_codepoint(jv a, uint32_t c);
+ jv jv_string_append_buf(jv a, const char* buf, int len);
+ jv jv_string_append_str(jv a, const char* str);
+jv jv_string_repeat(jv j, int n);
+ jv jv_string_split(jv j, jv sep);
+ jv jv_string_explode(jv j);
+ jv jv_string_implode(jv j);
+diff -up jq-1.6/tests/jq.test.orig jq-1.6/tests/jq.test
+--- jq-1.6/tests/jq.test.orig	2025-06-19 12:34:53.179089126 +0200
+++ jq-1.6/tests/jq.test	2025-06-19 12:20:34.666161956 +0200
+@@ -1169,6 +1169,18 @@ indices(", ")
+ ["a", "ab", "abc"]
+ ["aaa", "ababab", "abcabcabc"]
+ 
+. * 100000 | [.[:10],.[-10:]]
+"abc"
+["abcabcabca","cabcabcabc"]
+
+. * 1000000000
+""
+""
+
+try (. * 1000000000) catch .
+"abc"
+"Repeat string result too long"
+
+ [.[] / ","]
+ ["a, bc, def, ghij, jklmn, a,b, c,d, e,f", "a,b,c,d, e,f,g,h"]
+ [["a"," bc"," def"," ghij"," jklmn"," a","b"," c","d"," e","f"],["a","b","c","d"," e","f","g","h"]]
+@@ -1560,3 +1572,7 @@ false
+ .x - 10
+ {"x":13911860366432393}
+ 13911860366432382
+
+try 0[implode] catch .
+[]
+"Cannot index number with string \"\""
--- a/jq.spec
+++ b/jq.spec
@ -1,6 +1,6 @@
 Name:           jq
 Version:        1.6
-Release:        18%{?dist}
+Release:        19%{?dist}
 Summary:        Command-line JSON processor

 License:        MIT and ASL 2.0 and CC-BY and GPLv3
@ -14,6 +14,7 @@ Patch3:         0003-fix-pthread-segfault.patch
 Patch4:         0004-make-jq-fast.patch
 Patch5:         0005-sast.patch
 Patch6:         0006-CVE-2024-23337.patch
+Patch7:         0007-CVE-2025-48060.patch

 BuildRequires:  gcc
 BuildRequires:  flex
@ -104,6 +105,10 @@ make check


 %changelog
+* Thu Jun 19 2025 Tomas Halman <thalman@redhat.com> - 1.6-19
+- Fix CVE-2025-48060
+- Resolves: RHEL-92993
+
 * Tue Jun 3 2025  Tomas Halman <thalman@redhat.com> - 1.6-18
 - Fix CVE-2024-23337
 - Resolves: RHEL-92975