From 0925f7176491103faa8fe84aecc663e8f6d6e73d Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Thu, 19 Jun 2025 13:07:18 +0200
Subject: [PATCH] CVE-2025-48060

Resolves: RHEL-92993
---
 0007-CVE-2025-48060.patch | 137 ++++++++++++++++++++++++++++++++++++++
 jq.spec                   |   7 +-
 2 files changed, 143 insertions(+), 1 deletion(-)
 create mode 100644 0007-CVE-2025-48060.patch

diff --git a/0007-CVE-2025-48060.patch b/0007-CVE-2025-48060.patch
new file mode 100644
index 0000000..85f6352
--- /dev/null
+++ b/0007-CVE-2025-48060.patch
@@ -0,0 +1,137 @@
+Patch based on:
+
+commit dc849e9bb74a7a164a3ea52f661cc712b1ffbd43
+Author: itchyny <itchyny@cybozu.co.jp>
+Date:   Tue Mar 4 22:13:55 2025 +0900
+
+    Improve performance of repeating strings (#3272)
+
+    This commit improves the performance of repeating strings, by copying
+    the result string instead of the string being repeated. Also it adds
+    an error message when the result string is too long.
+
+and
+
+commit c6e041699d8cd31b97375a2596217aff2cfca85b
+Author: itchyny <itchyny@cybozu.co.jp>
+Date:   Sat May 31 11:46:40 2025 +0900
+
+    Fix heap buffer overflow when formatting an empty string
+
+    The `jv_string_empty` did not properly null-terminate the string data,
+    which could lead to a heap buffer overflow. The test case of
+    GHSA-p7rr-28xf-3m5w (`0[""*0]`) was fixed by the commit dc849e9bb74a,
+    but another case (`0[[]|implode]`) was still vulnerable. This commit
+    ensures string data is properly null-terminated, and fixes CVE-2025-48060.
+
+diff -up jq-1.6/src/builtin.c.orig jq-1.6/src/builtin.c
+--- jq-1.6/src/builtin.c.orig	2025-06-18 16:41:04.634258088 +0200
++++ jq-1.6/src/builtin.c	2025-06-18 17:07:00.384104796 +0200
+@@ -317,19 +317,10 @@ static jv f_multiply(jq_state *jq, jv in
+       str = b;
+       num = a;
+     }
+-    int n;
+-    size_t alen = jv_string_length_bytes(jv_copy(str));
+-    jv res = str;
+-
+-    for (n = jv_number_value(num) - 1; n > 0; n--)
+-      res = jv_string_append_buf(res, jv_string_value(str), alen);
+-
++    double d = jv_number_value(num);
+     jv_free(num);
+-    if (n < 0) {
+-      jv_free(str);
+-      return jv_null();
+-    }
+-    return res;
++    return jv_string_repeat(str,
++        d < 0 || isnan(d) ? -1 : d > INT_MAX ? INT_MAX : (int)d);
+   } else if (ak == JV_KIND_OBJECT && bk == JV_KIND_OBJECT) {
+     return jv_object_merge_recursive(a, b);
+   } else {
+diff -up jq-1.6/src/jv.c.orig jq-1.6/src/jv.c
+--- jq-1.6/src/jv.c.orig	2025-06-19 12:37:15.745792964 +0200
++++ jq-1.6/src/jv.c	2025-06-19 12:18:05.812121053 +0200
+@@ -828,6 +828,7 @@ static jv jvp_string_empty_new(uint32_t
+   jvp_string* s = jvp_string_alloc(length);
+   s->length_hashed = 0;
+   memset(s->data, 0, length);
++  s->data[length] = 0;
+   jv r = {JVP_FLAGS_STRING, 0, 0, 0, {&s->refcnt}};
+   return r;
+ }
+@@ -1006,6 +1007,32 @@ jv jv_string_indexes(jv j, jv k) {
+   return a;
+ }
+ 
++jv jv_string_repeat(jv j, int n) {
++  assert(JVP_HAS_KIND(j, JV_KIND_STRING));
++  if (n < 0) {
++    jv_free(j);
++    return jv_null();
++  }
++  int len = jv_string_length_bytes(jv_copy(j));
++  int64_t res_len = (int64_t)len * n;
++  if (res_len >= INT_MAX) {
++    jv_free(j);
++    return jv_invalid_with_msg(jv_string("Repeat string result too long"));
++  }
++  if (res_len == 0) {
++    jv_free(j);
++    return jv_string("");
++  }
++  jv res = jv_string_empty(res_len);
++  res = jvp_string_append(res, jv_string_value(j), len);
++  for (int curr = len, grow; curr < res_len; curr += grow) {
++    grow = MIN(res_len - curr, curr);
++    res = jvp_string_append(res, jv_string_value(res), grow);
++  }
++  jv_free(j);
++  return res;
++}
++
+ jv jv_string_split(jv j, jv sep) {
+   assert(JVP_HAS_KIND(j, JV_KIND_STRING));
+   assert(JVP_HAS_KIND(sep, JV_KIND_STRING));
+diff -up jq-1.6/src/jv.h.orig jq-1.6/src/jv.h
+--- jq-1.6/src/jv.h.orig	2025-06-18 16:36:33.079921073 +0200
++++ jq-1.6/src/jv.h	2025-06-18 16:41:04.635205790 +0200
+@@ -120,6 +120,7 @@ jv jv_string_fmt(const char*, ...) JV_PR
+ jv jv_string_append_codepoint(jv a, uint32_t c);
+ jv jv_string_append_buf(jv a, const char* buf, int len);
+ jv jv_string_append_str(jv a, const char* str);
++jv jv_string_repeat(jv j, int n);
+ jv jv_string_split(jv j, jv sep);
+ jv jv_string_explode(jv j);
+ jv jv_string_implode(jv j);
+diff -up jq-1.6/tests/jq.test.orig jq-1.6/tests/jq.test
+--- jq-1.6/tests/jq.test.orig	2025-06-19 12:34:53.179089126 +0200
++++ jq-1.6/tests/jq.test	2025-06-19 12:20:34.666161956 +0200
+@@ -1169,6 +1169,18 @@ indices(", ")
+ ["a", "ab", "abc"]
+ ["aaa", "ababab", "abcabcabc"]
+ 
++. * 100000 | [.[:10],.[-10:]]
++"abc"
++["abcabcabca","cabcabcabc"]
++
++. * 1000000000
++""
++""
++
++try (. * 1000000000) catch .
++"abc"
++"Repeat string result too long"
++
+ [.[] / ","]
+ ["a, bc, def, ghij, jklmn, a,b, c,d, e,f", "a,b,c,d, e,f,g,h"]
+ [["a"," bc"," def"," ghij"," jklmn"," a","b"," c","d"," e","f"],["a","b","c","d"," e","f","g","h"]]
+@@ -1560,3 +1572,7 @@ false
+ .x - 10
+ {"x":13911860366432393}
+ 13911860366432382
++
++try 0[implode] catch .
++[]
++"Cannot index number with string \"\""
diff --git a/jq.spec b/jq.spec
index ca5bc90..69a9eff 100644
--- a/jq.spec
+++ b/jq.spec
@@ -1,6 +1,6 @@
 Name:           jq
 Version:        1.6
-Release:        18%{?dist}
+Release:        19%{?dist}
 Summary:        Command-line JSON processor
 
 License:        MIT and ASL 2.0 and CC-BY and GPLv3
@@ -14,6 +14,7 @@ Patch3:         0003-fix-pthread-segfault.patch
 Patch4:         0004-make-jq-fast.patch
 Patch5:         0005-sast.patch
 Patch6:         0006-CVE-2024-23337.patch
+Patch7:         0007-CVE-2025-48060.patch
 
 BuildRequires:  gcc
 BuildRequires:  flex
@@ -104,6 +105,10 @@ make check
 
 
 %changelog
+* Thu Jun 19 2025 Tomas Halman <thalman@redhat.com> - 1.6-19
+- Fix CVE-2025-48060
+- Resolves: RHEL-92993
+
 * Tue Jun 3 2025  Tomas Halman <thalman@redhat.com> - 1.6-18
 - Fix CVE-2024-23337
 - Resolves: RHEL-92975