From 2f4021df44524d658c8578882cc5b6e704e3cfcc Mon Sep 17 00:00:00 2001 From: eabdullin Date: Thu, 10 Jul 2025 06:26:25 +0000 Subject: [PATCH] import OL jq-1.6-17.el9_6.2 --- SOURCES/0005-sast.patch | 52 ++++++++ SOURCES/0006-CVE-2024-23337.patch | 194 ++++++++++++++++++++++++++++++ SOURCES/0007-CVE-2025-48060.patch | 137 +++++++++++++++++++++ SPECS/jq.spec | 17 ++- 4 files changed, 399 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0005-sast.patch create mode 100644 SOURCES/0006-CVE-2024-23337.patch create mode 100644 SOURCES/0007-CVE-2025-48060.patch diff --git a/SOURCES/0005-sast.patch b/SOURCES/0005-sast.patch new file mode 100644 index 0000000..5284d60 --- /dev/null +++ b/SOURCES/0005-sast.patch @@ -0,0 +1,52 @@ +diff -up jq-1.6/src/jq_test.c.orig jq-1.6/src/jq_test.c +--- jq-1.6/src/jq_test.c.orig 2024-05-03 11:47:47.403617188 +0200 ++++ jq-1.6/src/jq_test.c 2024-05-03 11:48:46.569675199 +0200 +@@ -16,6 +16,7 @@ static void run_jq_pthread_tests(); + + int jq_testsuite(jv libdirs, int verbose, int argc, char* argv[]) { + FILE *testdata = stdin; ++ const char *testdata_filename = NULL; + int skip = -1; + int take = -1; + jv_test(); +@@ -28,18 +29,24 @@ int jq_testsuite(jv libdirs, int verbose + take = atoi(argv[i+1]); + i++; + } else { +- testdata = fopen(argv[i], "r"); +- if (!testdata) { +- perror("fopen"); +- exit(1); +- } ++ testdata_filename = argv[i]; + } + } + } ++ if (testdata_filename) { ++ testdata = fopen(testdata_filename, "r"); ++ if (!testdata) { ++ perror("fopen"); ++ exit(1); ++ } ++ } + run_jq_tests(libdirs, verbose, testdata, skip, take); + #ifdef HAVE_PTHREAD + run_jq_pthread_tests(); + #endif ++ if (testdata_filename) { ++ fclose(testdata); ++ } + return 0; + } + +diff -up jq-1.6/src/locfile.c.orig jq-1.6/src/locfile.c +--- jq-1.6/src/locfile.c.orig 2018-11-02 02:49:29.000000000 +0100 ++++ jq-1.6/src/locfile.c 2024-05-03 11:15:46.562476303 +0200 +@@ -72,6 +72,7 @@ void locfile_locate(struct locfile* l, l + } + + jv m1 = jv_string_vfmt(fmt, fmtargs); ++ va_end(fmtargs); + if (!jv_is_valid(m1)) { + jq_report_error(l->jq, m1); + return; diff --git a/SOURCES/0006-CVE-2024-23337.patch b/SOURCES/0006-CVE-2024-23337.patch new file mode 100644 index 0000000..425c3f9 --- /dev/null +++ b/SOURCES/0006-CVE-2024-23337.patch @@ -0,0 +1,194 @@ +diff -up jq-1.6/src/jv_aux.c.orig jq-1.6/src/jv_aux.c +--- jq-1.6/src/jv_aux.c.orig 2025-06-02 17:24:14.789647070 +0200 ++++ jq-1.6/src/jv_aux.c 2025-06-02 17:29:13.339864069 +0200 +@@ -162,18 +162,19 @@ jv jv_set(jv t, jv k, jv v) { + if (slice_len < insert_len) { + // array is growing + int shift = insert_len - slice_len; +- for (int i = array_len - 1; i >= end; i--) { ++ for (int i = array_len - 1; i >= end && jv_is_valid(t); i--) { + t = jv_array_set(t, i + shift, jv_array_get(jv_copy(t), i)); + } + } else if (slice_len > insert_len) { + // array is shrinking + int shift = slice_len - insert_len; +- for (int i = end; i < array_len; i++) { ++ for (int i = end; i < array_len && jv_is_valid(t); i++) { + t = jv_array_set(t, i - shift, jv_array_get(jv_copy(t), i)); + } +- t = jv_array_slice(t, 0, array_len - shift); ++ if (jv_is_valid(t)) ++ t = jv_array_slice(t, 0, array_len - shift); + } +- for (int i=0; i < insert_len; i++) { ++ for (int i = 0; i < insert_len && jv_is_valid(t); i++) { + t = jv_array_set(t, start + i, jv_array_get(jv_copy(v), i)); + } + jv_free(v); +diff -up jq-1.6/src/jv.c.orig jq-1.6/src/jv.c +--- jq-1.6/src/jv.c.orig 2025-06-02 17:24:14.800158498 +0200 ++++ jq-1.6/src/jv.c 2025-06-02 17:33:17.395419062 +0200 +@@ -703,6 +703,11 @@ jv jv_array_set(jv j, int idx, jv val) { + jv_free(val); + return jv_invalid_with_msg(jv_string("Out of bounds negative array index")); + } ++ if (idx > (INT_MAX >> 2) - jvp_array_offset(j)) { ++ jv_free(j); ++ jv_free(val); ++ return jv_invalid_with_msg(jv_string("Array index too large")); ++ } + // copy/free of val,j coalesced + jv* slot = jvp_array_write(&j, idx); + jv_free(*slot); +@@ -722,6 +727,7 @@ jv jv_array_concat(jv a, jv b) { + // FIXME: could be faster + jv_array_foreach(b, i, elem) { + a = jv_array_append(a, elem); ++ if (!jv_is_valid(a)) break; + } + jv_free(b); + return a; +@@ -992,6 +998,7 @@ jv jv_string_indexes(jv j, jv k) { + p = jstr; + while ((p = _jq_memmem(p, (jstr + jlen) - p, idxstr, idxlen)) != NULL) { + a = jv_array_append(a, jv_number(p - jstr)); ++ if (!jv_is_valid(a)) break; + p += idxlen; + } + jv_free(j); +@@ -1013,14 +1020,17 @@ jv jv_string_split(jv j, jv sep) { + + if (seplen == 0) { + int c; +- while ((jstr = jvp_utf8_next(jstr, jend, &c))) ++ while ((jstr = jvp_utf8_next(jstr, jend, &c))) { + a = jv_array_append(a, jv_string_append_codepoint(jv_string(""), c)); ++ if (!jv_is_valid(a)) break; ++ } + } else { + for (p = jstr; p < jend; p = s + seplen) { + s = _jq_memmem(p, jend - p, sepstr, seplen); + if (s == NULL) + s = jend; + a = jv_array_append(a, jv_string_sized(p, s - p)); ++ if (!jv_is_valid(a)) break; + // Add an empty string to denote that j ends on a sep + if (s + seplen == jend && seplen != 0) + a = jv_array_append(a, jv_string("")); +@@ -1038,8 +1048,10 @@ jv jv_string_explode(jv j) { + const char* end = i + len; + jv a = jv_array_sized(len); + int c; +- while ((i = jvp_utf8_next(i, end, &c))) ++ while ((i = jvp_utf8_next(i, end, &c))) { + a = jv_array_append(a, jv_number(c)); ++ if (!jv_is_valid(a)) break; ++ } + jv_free(j); + return a; + } +@@ -1312,10 +1324,13 @@ static void jvp_object_free(jv o) { + } + } + +-static jv jvp_object_rehash(jv object) { ++static int jvp_object_rehash(jv *objectp) { ++ jv object = *objectp; + assert(JVP_HAS_KIND(object, JV_KIND_OBJECT)); + assert(jvp_refcnt_unshared(object.u.ptr)); + int size = jvp_object_size(object); ++ if (size > INT_MAX >> 2) ++ return 0; + jv new_object = jvp_object_new(size * 2); + for (int i=0; ivalue; ++ *valpp = &slot->value; ++ return 1; + } + slot = jvp_object_add_slot(*object, key, bucket); + if (slot) { + slot->value = jv_invalid(); + } else { +- *object = jvp_object_rehash(*object); ++ if (!jvp_object_rehash(object)) { ++ *valpp = NULL; ++ return 0; ++ } + bucket = jvp_object_find_bucket(*object, key); + assert(!jvp_object_find_slot(*object, key, bucket)); + slot = jvp_object_add_slot(*object, key, bucket); + assert(slot); + slot->value = jv_invalid(); + } +- return &slot->value; ++ *valpp = &slot->value; ++ return 1; + } + + static int jvp_object_delete(jv* object, jv key) { +@@ -1478,7 +1499,11 @@ jv jv_object_set(jv object, jv key, jv v + assert(JVP_HAS_KIND(object, JV_KIND_OBJECT)); + assert(JVP_HAS_KIND(key, JV_KIND_STRING)); + // copy/free of object, key, value coalesced +- jv* slot = jvp_object_write(&object, key); ++ jv* slot; ++ if (!jvp_object_write(&object, key, &slot)) { ++ jv_free(object); ++ return jv_invalid_with_msg(jv_string("Object too big")); ++ } + jv_free(*slot); + *slot = value; + return object; +@@ -1503,6 +1528,7 @@ jv jv_object_merge(jv a, jv b) { + assert(JVP_HAS_KIND(a, JV_KIND_OBJECT)); + jv_object_foreach(b, k, v) { + a = jv_object_set(a, k, v); ++ if (!jv_is_valid(a)) break; + } + jv_free(b); + return a; +@@ -1522,6 +1548,7 @@ jv jv_object_merge_recursive(jv a, jv b) + jv_free(elem); + a = jv_object_set(a, k, v); + } ++ if (!jv_is_valid(a)) break; + } + jv_free(b); + return a; +diff -up jq-1.6/tests/jq.test.orig jq-1.6/tests/jq.test +--- jq-1.6/tests/jq.test.orig 2025-06-02 17:24:14.792756100 +0200 ++++ jq-1.6/tests/jq.test 2025-06-02 17:29:13.339960811 +0200 +@@ -186,6 +186,10 @@ null + [0,1,2] + [0,5,2] + ++try (.[999999999] = 0) catch . ++null ++"Array index too large" ++ + # + # Multiple outputs, iteration + # diff --git a/SOURCES/0007-CVE-2025-48060.patch b/SOURCES/0007-CVE-2025-48060.patch new file mode 100644 index 0000000..85f6352 --- /dev/null +++ b/SOURCES/0007-CVE-2025-48060.patch @@ -0,0 +1,137 @@ +Patch based on: + +commit dc849e9bb74a7a164a3ea52f661cc712b1ffbd43 +Author: itchyny +Date: Tue Mar 4 22:13:55 2025 +0900 + + Improve performance of repeating strings (#3272) + + This commit improves the performance of repeating strings, by copying + the result string instead of the string being repeated. Also it adds + an error message when the result string is too long. + +and + +commit c6e041699d8cd31b97375a2596217aff2cfca85b +Author: itchyny +Date: Sat May 31 11:46:40 2025 +0900 + + Fix heap buffer overflow when formatting an empty string + + The `jv_string_empty` did not properly null-terminate the string data, + which could lead to a heap buffer overflow. The test case of + GHSA-p7rr-28xf-3m5w (`0[""*0]`) was fixed by the commit dc849e9bb74a, + but another case (`0[[]|implode]`) was still vulnerable. This commit + ensures string data is properly null-terminated, and fixes CVE-2025-48060. + +diff -up jq-1.6/src/builtin.c.orig jq-1.6/src/builtin.c +--- jq-1.6/src/builtin.c.orig 2025-06-18 16:41:04.634258088 +0200 ++++ jq-1.6/src/builtin.c 2025-06-18 17:07:00.384104796 +0200 +@@ -317,19 +317,10 @@ static jv f_multiply(jq_state *jq, jv in + str = b; + num = a; + } +- int n; +- size_t alen = jv_string_length_bytes(jv_copy(str)); +- jv res = str; +- +- for (n = jv_number_value(num) - 1; n > 0; n--) +- res = jv_string_append_buf(res, jv_string_value(str), alen); +- ++ double d = jv_number_value(num); + jv_free(num); +- if (n < 0) { +- jv_free(str); +- return jv_null(); +- } +- return res; ++ return jv_string_repeat(str, ++ d < 0 || isnan(d) ? -1 : d > INT_MAX ? INT_MAX : (int)d); + } else if (ak == JV_KIND_OBJECT && bk == JV_KIND_OBJECT) { + return jv_object_merge_recursive(a, b); + } else { +diff -up jq-1.6/src/jv.c.orig jq-1.6/src/jv.c +--- jq-1.6/src/jv.c.orig 2025-06-19 12:37:15.745792964 +0200 ++++ jq-1.6/src/jv.c 2025-06-19 12:18:05.812121053 +0200 +@@ -828,6 +828,7 @@ static jv jvp_string_empty_new(uint32_t + jvp_string* s = jvp_string_alloc(length); + s->length_hashed = 0; + memset(s->data, 0, length); ++ s->data[length] = 0; + jv r = {JVP_FLAGS_STRING, 0, 0, 0, {&s->refcnt}}; + return r; + } +@@ -1006,6 +1007,32 @@ jv jv_string_indexes(jv j, jv k) { + return a; + } + ++jv jv_string_repeat(jv j, int n) { ++ assert(JVP_HAS_KIND(j, JV_KIND_STRING)); ++ if (n < 0) { ++ jv_free(j); ++ return jv_null(); ++ } ++ int len = jv_string_length_bytes(jv_copy(j)); ++ int64_t res_len = (int64_t)len * n; ++ if (res_len >= INT_MAX) { ++ jv_free(j); ++ return jv_invalid_with_msg(jv_string("Repeat string result too long")); ++ } ++ if (res_len == 0) { ++ jv_free(j); ++ return jv_string(""); ++ } ++ jv res = jv_string_empty(res_len); ++ res = jvp_string_append(res, jv_string_value(j), len); ++ for (int curr = len, grow; curr < res_len; curr += grow) { ++ grow = MIN(res_len - curr, curr); ++ res = jvp_string_append(res, jv_string_value(res), grow); ++ } ++ jv_free(j); ++ return res; ++} ++ + jv jv_string_split(jv j, jv sep) { + assert(JVP_HAS_KIND(j, JV_KIND_STRING)); + assert(JVP_HAS_KIND(sep, JV_KIND_STRING)); +diff -up jq-1.6/src/jv.h.orig jq-1.6/src/jv.h +--- jq-1.6/src/jv.h.orig 2025-06-18 16:36:33.079921073 +0200 ++++ jq-1.6/src/jv.h 2025-06-18 16:41:04.635205790 +0200 +@@ -120,6 +120,7 @@ jv jv_string_fmt(const char*, ...) JV_PR + jv jv_string_append_codepoint(jv a, uint32_t c); + jv jv_string_append_buf(jv a, const char* buf, int len); + jv jv_string_append_str(jv a, const char* str); ++jv jv_string_repeat(jv j, int n); + jv jv_string_split(jv j, jv sep); + jv jv_string_explode(jv j); + jv jv_string_implode(jv j); +diff -up jq-1.6/tests/jq.test.orig jq-1.6/tests/jq.test +--- jq-1.6/tests/jq.test.orig 2025-06-19 12:34:53.179089126 +0200 ++++ jq-1.6/tests/jq.test 2025-06-19 12:20:34.666161956 +0200 +@@ -1169,6 +1169,18 @@ indices(", ") + ["a", "ab", "abc"] + ["aaa", "ababab", "abcabcabc"] + ++. * 100000 | [.[:10],.[-10:]] ++"abc" ++["abcabcabca","cabcabcabc"] ++ ++. * 1000000000 ++"" ++"" ++ ++try (. * 1000000000) catch . ++"abc" ++"Repeat string result too long" ++ + [.[] / ","] + ["a, bc, def, ghij, jklmn, a,b, c,d, e,f", "a,b,c,d, e,f,g,h"] + [["a"," bc"," def"," ghij"," jklmn"," a","b"," c","d"," e","f"],["a","b","c","d"," e","f","g","h"]] +@@ -1560,3 +1572,7 @@ false + .x - 10 + {"x":13911860366432393} + 13911860366432382 ++ ++try 0[implode] catch . ++[] ++"Cannot index number with string \"\"" diff --git a/SPECS/jq.spec b/SPECS/jq.spec index 909825f..34b1222 100644 --- a/SPECS/jq.spec +++ b/SPECS/jq.spec @@ -1,6 +1,6 @@ Name: jq Version: 1.6 -Release: 16%{?dist} +Release: 17%{?dist}.2 Summary: Command-line JSON processor License: MIT and ASL 2.0 and CC-BY and GPLv3 @@ -12,6 +12,9 @@ Patch1: 0001-iterration-problem-for-non-decimal-string.patch Patch2: 0002-add-mantest.patch Patch3: 0003-fix-pthread-segfault.patch Patch4: 0004-make-jq-fast.patch +Patch5: 0005-sast.patch +Patch6: 0006-CVE-2024-23337.patch +Patch7: 0007-CVE-2025-48060.patch BuildRequires: gcc BuildRequires: flex @@ -102,6 +105,18 @@ make check %changelog +* Thu Jun 19 2025 Tomas Halman - 1.6-17.el9.2 +- Fix CVE-2025-48060 +- Resolves: RHEL-92990 + +* Tue Jun 3 2025 Tomas Halman - 1.6-17.el9.1 +- Fix CVE-2024-23337 +- Resolves: RHEL-92972 + +* Fri May 3 2024 Tomas Halman - 1.6-17 +- Fix SAST findings in jq 1.6 +- Resolves: RHEL-28653 + * Fri Oct 13 2023 Tomas Halman - 1.6-16 - Make jq 1.6 fast - Resolves: RHEL-13431