import OL jq-1.6-17.el9_6.2

This commit is contained in:
eabdullin 2025-07-10 06:26:25 +00:00
parent 6e8093eae8
commit 2f4021df44
4 changed files with 399 additions and 1 deletions

52
SOURCES/0005-sast.patch Normal file
View File

@ -0,0 +1,52 @@
diff -up jq-1.6/src/jq_test.c.orig jq-1.6/src/jq_test.c
--- jq-1.6/src/jq_test.c.orig 2024-05-03 11:47:47.403617188 +0200
+++ jq-1.6/src/jq_test.c 2024-05-03 11:48:46.569675199 +0200
@@ -16,6 +16,7 @@ static void run_jq_pthread_tests();
int jq_testsuite(jv libdirs, int verbose, int argc, char* argv[]) {
FILE *testdata = stdin;
+ const char *testdata_filename = NULL;
int skip = -1;
int take = -1;
jv_test();
@@ -28,18 +29,24 @@ int jq_testsuite(jv libdirs, int verbose
take = atoi(argv[i+1]);
i++;
} else {
- testdata = fopen(argv[i], "r");
- if (!testdata) {
- perror("fopen");
- exit(1);
- }
+ testdata_filename = argv[i];
}
}
}
+ if (testdata_filename) {
+ testdata = fopen(testdata_filename, "r");
+ if (!testdata) {
+ perror("fopen");
+ exit(1);
+ }
+ }
run_jq_tests(libdirs, verbose, testdata, skip, take);
#ifdef HAVE_PTHREAD
run_jq_pthread_tests();
#endif
+ if (testdata_filename) {
+ fclose(testdata);
+ }
return 0;
}
diff -up jq-1.6/src/locfile.c.orig jq-1.6/src/locfile.c
--- jq-1.6/src/locfile.c.orig 2018-11-02 02:49:29.000000000 +0100
+++ jq-1.6/src/locfile.c 2024-05-03 11:15:46.562476303 +0200
@@ -72,6 +72,7 @@ void locfile_locate(struct locfile* l, l
}
jv m1 = jv_string_vfmt(fmt, fmtargs);
+ va_end(fmtargs);
if (!jv_is_valid(m1)) {
jq_report_error(l->jq, m1);
return;

View File

@ -0,0 +1,194 @@
diff -up jq-1.6/src/jv_aux.c.orig jq-1.6/src/jv_aux.c
--- jq-1.6/src/jv_aux.c.orig 2025-06-02 17:24:14.789647070 +0200
+++ jq-1.6/src/jv_aux.c 2025-06-02 17:29:13.339864069 +0200
@@ -162,18 +162,19 @@ jv jv_set(jv t, jv k, jv v) {
if (slice_len < insert_len) {
// array is growing
int shift = insert_len - slice_len;
- for (int i = array_len - 1; i >= end; i--) {
+ for (int i = array_len - 1; i >= end && jv_is_valid(t); i--) {
t = jv_array_set(t, i + shift, jv_array_get(jv_copy(t), i));
}
} else if (slice_len > insert_len) {
// array is shrinking
int shift = slice_len - insert_len;
- for (int i = end; i < array_len; i++) {
+ for (int i = end; i < array_len && jv_is_valid(t); i++) {
t = jv_array_set(t, i - shift, jv_array_get(jv_copy(t), i));
}
- t = jv_array_slice(t, 0, array_len - shift);
+ if (jv_is_valid(t))
+ t = jv_array_slice(t, 0, array_len - shift);
}
- for (int i=0; i < insert_len; i++) {
+ for (int i = 0; i < insert_len && jv_is_valid(t); i++) {
t = jv_array_set(t, start + i, jv_array_get(jv_copy(v), i));
}
jv_free(v);
diff -up jq-1.6/src/jv.c.orig jq-1.6/src/jv.c
--- jq-1.6/src/jv.c.orig 2025-06-02 17:24:14.800158498 +0200
+++ jq-1.6/src/jv.c 2025-06-02 17:33:17.395419062 +0200
@@ -703,6 +703,11 @@ jv jv_array_set(jv j, int idx, jv val) {
jv_free(val);
return jv_invalid_with_msg(jv_string("Out of bounds negative array index"));
}
+ if (idx > (INT_MAX >> 2) - jvp_array_offset(j)) {
+ jv_free(j);
+ jv_free(val);
+ return jv_invalid_with_msg(jv_string("Array index too large"));
+ }
// copy/free of val,j coalesced
jv* slot = jvp_array_write(&j, idx);
jv_free(*slot);
@@ -722,6 +727,7 @@ jv jv_array_concat(jv a, jv b) {
// FIXME: could be faster
jv_array_foreach(b, i, elem) {
a = jv_array_append(a, elem);
+ if (!jv_is_valid(a)) break;
}
jv_free(b);
return a;
@@ -992,6 +998,7 @@ jv jv_string_indexes(jv j, jv k) {
p = jstr;
while ((p = _jq_memmem(p, (jstr + jlen) - p, idxstr, idxlen)) != NULL) {
a = jv_array_append(a, jv_number(p - jstr));
+ if (!jv_is_valid(a)) break;
p += idxlen;
}
jv_free(j);
@@ -1013,14 +1020,17 @@ jv jv_string_split(jv j, jv sep) {
if (seplen == 0) {
int c;
- while ((jstr = jvp_utf8_next(jstr, jend, &c)))
+ while ((jstr = jvp_utf8_next(jstr, jend, &c))) {
a = jv_array_append(a, jv_string_append_codepoint(jv_string(""), c));
+ if (!jv_is_valid(a)) break;
+ }
} else {
for (p = jstr; p < jend; p = s + seplen) {
s = _jq_memmem(p, jend - p, sepstr, seplen);
if (s == NULL)
s = jend;
a = jv_array_append(a, jv_string_sized(p, s - p));
+ if (!jv_is_valid(a)) break;
// Add an empty string to denote that j ends on a sep
if (s + seplen == jend && seplen != 0)
a = jv_array_append(a, jv_string(""));
@@ -1038,8 +1048,10 @@ jv jv_string_explode(jv j) {
const char* end = i + len;
jv a = jv_array_sized(len);
int c;
- while ((i = jvp_utf8_next(i, end, &c)))
+ while ((i = jvp_utf8_next(i, end, &c))) {
a = jv_array_append(a, jv_number(c));
+ if (!jv_is_valid(a)) break;
+ }
jv_free(j);
return a;
}
@@ -1312,10 +1324,13 @@ static void jvp_object_free(jv o) {
}
}
-static jv jvp_object_rehash(jv object) {
+static int jvp_object_rehash(jv *objectp) {
+ jv object = *objectp;
assert(JVP_HAS_KIND(object, JV_KIND_OBJECT));
assert(jvp_refcnt_unshared(object.u.ptr));
int size = jvp_object_size(object);
+ if (size > INT_MAX >> 2)
+ return 0;
jv new_object = jvp_object_new(size * 2);
for (int i=0; i<size; i++) {
struct object_slot* slot = jvp_object_get_slot(object, i);
@@ -1328,7 +1343,8 @@ static jv jvp_object_rehash(jv object) {
}
// references are transported, just drop the old table
jv_mem_free(jvp_object_ptr(object));
- return new_object;
+ *objectp = new_object;
+ return 1;
}
static jv jvp_object_unshare(jv object) {
@@ -1357,27 +1373,32 @@ static jv jvp_object_unshare(jv object)
return new_object;
}
-static jv* jvp_object_write(jv* object, jv key) {
+static int jvp_object_write(jv* object, jv key, jv **valpp) {
*object = jvp_object_unshare(*object);
int* bucket = jvp_object_find_bucket(*object, key);
struct object_slot* slot = jvp_object_find_slot(*object, key, bucket);
if (slot) {
// already has the key
jvp_string_free(key);
- return &slot->value;
+ *valpp = &slot->value;
+ return 1;
}
slot = jvp_object_add_slot(*object, key, bucket);
if (slot) {
slot->value = jv_invalid();
} else {
- *object = jvp_object_rehash(*object);
+ if (!jvp_object_rehash(object)) {
+ *valpp = NULL;
+ return 0;
+ }
bucket = jvp_object_find_bucket(*object, key);
assert(!jvp_object_find_slot(*object, key, bucket));
slot = jvp_object_add_slot(*object, key, bucket);
assert(slot);
slot->value = jv_invalid();
}
- return &slot->value;
+ *valpp = &slot->value;
+ return 1;
}
static int jvp_object_delete(jv* object, jv key) {
@@ -1478,7 +1499,11 @@ jv jv_object_set(jv object, jv key, jv v
assert(JVP_HAS_KIND(object, JV_KIND_OBJECT));
assert(JVP_HAS_KIND(key, JV_KIND_STRING));
// copy/free of object, key, value coalesced
- jv* slot = jvp_object_write(&object, key);
+ jv* slot;
+ if (!jvp_object_write(&object, key, &slot)) {
+ jv_free(object);
+ return jv_invalid_with_msg(jv_string("Object too big"));
+ }
jv_free(*slot);
*slot = value;
return object;
@@ -1503,6 +1528,7 @@ jv jv_object_merge(jv a, jv b) {
assert(JVP_HAS_KIND(a, JV_KIND_OBJECT));
jv_object_foreach(b, k, v) {
a = jv_object_set(a, k, v);
+ if (!jv_is_valid(a)) break;
}
jv_free(b);
return a;
@@ -1522,6 +1548,7 @@ jv jv_object_merge_recursive(jv a, jv b)
jv_free(elem);
a = jv_object_set(a, k, v);
}
+ if (!jv_is_valid(a)) break;
}
jv_free(b);
return a;
diff -up jq-1.6/tests/jq.test.orig jq-1.6/tests/jq.test
--- jq-1.6/tests/jq.test.orig 2025-06-02 17:24:14.792756100 +0200
+++ jq-1.6/tests/jq.test 2025-06-02 17:29:13.339960811 +0200
@@ -186,6 +186,10 @@ null
[0,1,2]
[0,5,2]
+try (.[999999999] = 0) catch .
+null
+"Array index too large"
+
#
# Multiple outputs, iteration
#

View File

@ -0,0 +1,137 @@
Patch based on:
commit dc849e9bb74a7a164a3ea52f661cc712b1ffbd43
Author: itchyny <itchyny@cybozu.co.jp>
Date: Tue Mar 4 22:13:55 2025 +0900
Improve performance of repeating strings (#3272)
This commit improves the performance of repeating strings, by copying
the result string instead of the string being repeated. Also it adds
an error message when the result string is too long.
and
commit c6e041699d8cd31b97375a2596217aff2cfca85b
Author: itchyny <itchyny@cybozu.co.jp>
Date: Sat May 31 11:46:40 2025 +0900
Fix heap buffer overflow when formatting an empty string
The `jv_string_empty` did not properly null-terminate the string data,
which could lead to a heap buffer overflow. The test case of
GHSA-p7rr-28xf-3m5w (`0[""*0]`) was fixed by the commit dc849e9bb74a,
but another case (`0[[]|implode]`) was still vulnerable. This commit
ensures string data is properly null-terminated, and fixes CVE-2025-48060.
diff -up jq-1.6/src/builtin.c.orig jq-1.6/src/builtin.c
--- jq-1.6/src/builtin.c.orig 2025-06-18 16:41:04.634258088 +0200
+++ jq-1.6/src/builtin.c 2025-06-18 17:07:00.384104796 +0200
@@ -317,19 +317,10 @@ static jv f_multiply(jq_state *jq, jv in
str = b;
num = a;
}
- int n;
- size_t alen = jv_string_length_bytes(jv_copy(str));
- jv res = str;
-
- for (n = jv_number_value(num) - 1; n > 0; n--)
- res = jv_string_append_buf(res, jv_string_value(str), alen);
-
+ double d = jv_number_value(num);
jv_free(num);
- if (n < 0) {
- jv_free(str);
- return jv_null();
- }
- return res;
+ return jv_string_repeat(str,
+ d < 0 || isnan(d) ? -1 : d > INT_MAX ? INT_MAX : (int)d);
} else if (ak == JV_KIND_OBJECT && bk == JV_KIND_OBJECT) {
return jv_object_merge_recursive(a, b);
} else {
diff -up jq-1.6/src/jv.c.orig jq-1.6/src/jv.c
--- jq-1.6/src/jv.c.orig 2025-06-19 12:37:15.745792964 +0200
+++ jq-1.6/src/jv.c 2025-06-19 12:18:05.812121053 +0200
@@ -828,6 +828,7 @@ static jv jvp_string_empty_new(uint32_t
jvp_string* s = jvp_string_alloc(length);
s->length_hashed = 0;
memset(s->data, 0, length);
+ s->data[length] = 0;
jv r = {JVP_FLAGS_STRING, 0, 0, 0, {&s->refcnt}};
return r;
}
@@ -1006,6 +1007,32 @@ jv jv_string_indexes(jv j, jv k) {
return a;
}
+jv jv_string_repeat(jv j, int n) {
+ assert(JVP_HAS_KIND(j, JV_KIND_STRING));
+ if (n < 0) {
+ jv_free(j);
+ return jv_null();
+ }
+ int len = jv_string_length_bytes(jv_copy(j));
+ int64_t res_len = (int64_t)len * n;
+ if (res_len >= INT_MAX) {
+ jv_free(j);
+ return jv_invalid_with_msg(jv_string("Repeat string result too long"));
+ }
+ if (res_len == 0) {
+ jv_free(j);
+ return jv_string("");
+ }
+ jv res = jv_string_empty(res_len);
+ res = jvp_string_append(res, jv_string_value(j), len);
+ for (int curr = len, grow; curr < res_len; curr += grow) {
+ grow = MIN(res_len - curr, curr);
+ res = jvp_string_append(res, jv_string_value(res), grow);
+ }
+ jv_free(j);
+ return res;
+}
+
jv jv_string_split(jv j, jv sep) {
assert(JVP_HAS_KIND(j, JV_KIND_STRING));
assert(JVP_HAS_KIND(sep, JV_KIND_STRING));
diff -up jq-1.6/src/jv.h.orig jq-1.6/src/jv.h
--- jq-1.6/src/jv.h.orig 2025-06-18 16:36:33.079921073 +0200
+++ jq-1.6/src/jv.h 2025-06-18 16:41:04.635205790 +0200
@@ -120,6 +120,7 @@ jv jv_string_fmt(const char*, ...) JV_PR
jv jv_string_append_codepoint(jv a, uint32_t c);
jv jv_string_append_buf(jv a, const char* buf, int len);
jv jv_string_append_str(jv a, const char* str);
+jv jv_string_repeat(jv j, int n);
jv jv_string_split(jv j, jv sep);
jv jv_string_explode(jv j);
jv jv_string_implode(jv j);
diff -up jq-1.6/tests/jq.test.orig jq-1.6/tests/jq.test
--- jq-1.6/tests/jq.test.orig 2025-06-19 12:34:53.179089126 +0200
+++ jq-1.6/tests/jq.test 2025-06-19 12:20:34.666161956 +0200
@@ -1169,6 +1169,18 @@ indices(", ")
["a", "ab", "abc"]
["aaa", "ababab", "abcabcabc"]
+. * 100000 | [.[:10],.[-10:]]
+"abc"
+["abcabcabca","cabcabcabc"]
+
+. * 1000000000
+""
+""
+
+try (. * 1000000000) catch .
+"abc"
+"Repeat string result too long"
+
[.[] / ","]
["a, bc, def, ghij, jklmn, a,b, c,d, e,f", "a,b,c,d, e,f,g,h"]
[["a"," bc"," def"," ghij"," jklmn"," a","b"," c","d"," e","f"],["a","b","c","d"," e","f","g","h"]]
@@ -1560,3 +1572,7 @@ false
.x - 10
{"x":13911860366432393}
13911860366432382
+
+try 0[implode] catch .
+[]
+"Cannot index number with string \"\""

View File

@ -1,6 +1,6 @@
Name: jq
Version: 1.6
Release: 16%{?dist}
Release: 17%{?dist}.2
Summary: Command-line JSON processor
License: MIT and ASL 2.0 and CC-BY and GPLv3
@ -12,6 +12,9 @@ Patch1: 0001-iterration-problem-for-non-decimal-string.patch
Patch2: 0002-add-mantest.patch
Patch3: 0003-fix-pthread-segfault.patch
Patch4: 0004-make-jq-fast.patch
Patch5: 0005-sast.patch
Patch6: 0006-CVE-2024-23337.patch
Patch7: 0007-CVE-2025-48060.patch
BuildRequires: gcc
BuildRequires: flex
@ -102,6 +105,18 @@ make check
%changelog
* Thu Jun 19 2025 Tomas Halman <thalman@redhat.com> - 1.6-17.el9.2
- Fix CVE-2025-48060
- Resolves: RHEL-92990
* Tue Jun 3 2025 Tomas Halman <thalman@redhat.com> - 1.6-17.el9.1
- Fix CVE-2024-23337
- Resolves: RHEL-92972
* Fri May 3 2024 Tomas Halman <thalman@redhat.com> - 1.6-17
- Fix SAST findings in jq 1.6
- Resolves: RHEL-28653
* Fri Oct 13 2023 Tomas Halman <thalman@redhat.com> - 1.6-16
- Make jq 1.6 fast
- Resolves: RHEL-13431