diff --git a/SOURCES/0006-CVE-2024-23337.patch b/SOURCES/0006-CVE-2024-23337.patch new file mode 100644 index 0000000..41daa44 --- /dev/null +++ b/SOURCES/0006-CVE-2024-23337.patch @@ -0,0 +1,238 @@ +diff -up jq-1.6/src/jv_aux.c.orig jq-1.6/src/jv_aux.c +--- jq-1.6/src/jv_aux.c.orig 2025-06-30 18:14:49.211823479 +0200 ++++ jq-1.6/src/jv_aux.c 2025-06-30 18:15:20.270512946 +0200 +@@ -162,18 +162,19 @@ jv jv_set(jv t, jv k, jv v) { + if (slice_len < insert_len) { + // array is growing + int shift = insert_len - slice_len; +- for (int i = array_len - 1; i >= end; i--) { ++ for (int i = array_len - 1; i >= end && jv_is_valid(t); i--) { + t = jv_array_set(t, i + shift, jv_array_get(jv_copy(t), i)); + } + } else if (slice_len > insert_len) { + // array is shrinking + int shift = slice_len - insert_len; +- for (int i = end; i < array_len; i++) { ++ for (int i = end; i < array_len && jv_is_valid(t); i++) { + t = jv_array_set(t, i - shift, jv_array_get(jv_copy(t), i)); + } +- t = jv_array_slice(t, 0, array_len - shift); ++ if (jv_is_valid(t)) ++ t = jv_array_slice(t, 0, array_len - shift); + } +- for (int i=0; i < insert_len; i++) { ++ for (int i = 0; i < insert_len && jv_is_valid(t); i++) { + t = jv_array_set(t, start + i, jv_array_get(jv_copy(v), i)); + } + jv_free(v); +diff -up jq-1.6/src/jv.c.orig jq-1.6/src/jv.c +--- jq-1.6/src/jv.c.orig 2025-06-30 18:14:49.221499541 +0200 ++++ jq-1.6/src/jv.c 2025-06-30 18:17:11.071456789 +0200 +@@ -326,10 +326,10 @@ static double jvp_literal_number_to_doub + + decNumber *p_dec_number = jvp_dec_number_ptr(j); + decNumberDoublePrecision dec_double; +- char literal[BIN64_DEC_PRECISION + DEC_NUMBER_STRING_GUARD + 1]; ++ char literal[BIN64_DEC_PRECISION + DEC_NUMBER_STRING_GUARD + 1]; + + // reduce the number to the shortest possible form +- // while also making sure than no more than BIN64_DEC_PRECISION ++ // while also making sure than no more than BIN64_DEC_PRECISION + // digits are used (dec_context_to_double) + decNumberReduce(&dec_double.number, p_dec_number, DEC_CONTEXT_TO_DOUBLE()); + +@@ -368,7 +368,7 @@ static const char* jvp_literal_number_li + + // Preserve the actual precision as we have parsed it + // don't do decNumberTrim(pdec); +- ++ + decNumberToString(pdec, plit->literal_data); + } + +@@ -459,9 +459,9 @@ int jvp_number_cmp(jv a, jv b) { + assert(JVP_HAS_KIND(b, JV_KIND_NUMBER)); + + if(JVP_HAS_FLAGS(a, JVP_FLAGS_NUMBER_LITERAL) && JVP_HAS_FLAGS(b, JVP_FLAGS_NUMBER_LITERAL)) { +- decNumberSingle res; +- decNumberCompare(&res.number, +- jvp_dec_number_ptr(a), ++ decNumberSingle res; ++ decNumberCompare(&res.number, ++ jvp_dec_number_ptr(a), + jvp_dec_number_ptr(b), + DEC_CONTEXT() + ); +@@ -703,6 +703,11 @@ jv jv_array_set(jv j, int idx, jv val) { + jv_free(val); + return jv_invalid_with_msg(jv_string("Out of bounds negative array index")); + } ++ if (idx > (INT_MAX >> 2) - jvp_array_offset(j)) { ++ jv_free(j); ++ jv_free(val); ++ return jv_invalid_with_msg(jv_string("Array index too large")); ++ } + // copy/free of val,j coalesced + jv* slot = jvp_array_write(&j, idx); + jv_free(*slot); +@@ -722,6 +727,7 @@ jv jv_array_concat(jv a, jv b) { + // FIXME: could be faster + jv_array_foreach(b, i, elem) { + a = jv_array_append(a, elem); ++ if (!jv_is_valid(a)) break; + } + jv_free(b); + return a; +@@ -992,6 +998,7 @@ jv jv_string_indexes(jv j, jv k) { + p = jstr; + while ((p = _jq_memmem(p, (jstr + jlen) - p, idxstr, idxlen)) != NULL) { + a = jv_array_append(a, jv_number(p - jstr)); ++ if (!jv_is_valid(a)) break; + p += idxlen; + } + jv_free(j); +@@ -1013,14 +1020,17 @@ jv jv_string_split(jv j, jv sep) { + + if (seplen == 0) { + int c; +- while ((jstr = jvp_utf8_next(jstr, jend, &c))) ++ while ((jstr = jvp_utf8_next(jstr, jend, &c))) { + a = jv_array_append(a, jv_string_append_codepoint(jv_string(""), c)); ++ if (!jv_is_valid(a)) break; ++ } + } else { + for (p = jstr; p < jend; p = s + seplen) { + s = _jq_memmem(p, jend - p, sepstr, seplen); + if (s == NULL) + s = jend; + a = jv_array_append(a, jv_string_sized(p, s - p)); ++ if (!jv_is_valid(a)) break; + // Add an empty string to denote that j ends on a sep + if (s + seplen == jend && seplen != 0) + a = jv_array_append(a, jv_string("")); +@@ -1038,8 +1048,10 @@ jv jv_string_explode(jv j) { + const char* end = i + len; + jv a = jv_array_sized(len); + int c; +- while ((i = jvp_utf8_next(i, end, &c))) ++ while ((i = jvp_utf8_next(i, end, &c))) { + a = jv_array_append(a, jv_number(c)); ++ if (!jv_is_valid(a)) break; ++ } + jv_free(j); + return a; + } +@@ -1312,10 +1324,13 @@ static void jvp_object_free(jv o) { + } + } + +-static jv jvp_object_rehash(jv object) { ++static int jvp_object_rehash(jv *objectp) { ++ jv object = *objectp; + assert(JVP_HAS_KIND(object, JV_KIND_OBJECT)); + assert(jvp_refcnt_unshared(object.u.ptr)); + int size = jvp_object_size(object); ++ if (size > INT_MAX >> 2) ++ return 0; + jv new_object = jvp_object_new(size * 2); + for (int i=0; ivalue; ++ *valpp = &slot->value; ++ return 1; + } + slot = jvp_object_add_slot(*object, key, bucket); + if (slot) { + slot->value = jv_invalid(); + } else { +- *object = jvp_object_rehash(*object); ++ if (!jvp_object_rehash(object)) { ++ *valpp = NULL; ++ return 0; ++ } + bucket = jvp_object_find_bucket(*object, key); + assert(!jvp_object_find_slot(*object, key, bucket)); + slot = jvp_object_add_slot(*object, key, bucket); + assert(slot); + slot->value = jv_invalid(); + } +- return &slot->value; ++ *valpp = &slot->value; ++ return 1; + } + + static int jvp_object_delete(jv* object, jv key) { +@@ -1478,7 +1499,11 @@ jv jv_object_set(jv object, jv key, jv v + assert(JVP_HAS_KIND(object, JV_KIND_OBJECT)); + assert(JVP_HAS_KIND(key, JV_KIND_STRING)); + // copy/free of object, key, value coalesced +- jv* slot = jvp_object_write(&object, key); ++ jv* slot; ++ if (!jvp_object_write(&object, key, &slot)) { ++ jv_free(object); ++ return jv_invalid_with_msg(jv_string("Object too big")); ++ } + jv_free(*slot); + *slot = value; + return object; +@@ -1503,6 +1528,7 @@ jv jv_object_merge(jv a, jv b) { + assert(JVP_HAS_KIND(a, JV_KIND_OBJECT)); + jv_object_foreach(b, k, v) { + a = jv_object_set(a, k, v); ++ if (!jv_is_valid(a)) break; + } + jv_free(b); + return a; +@@ -1522,6 +1548,7 @@ jv jv_object_merge_recursive(jv a, jv b) + jv_free(elem); + a = jv_object_set(a, k, v); + } ++ if (!jv_is_valid(a)) break; + } + jv_free(b); + return a; +@@ -1671,7 +1698,7 @@ int jv_contains(jv a, jv b) { + r = jvp_array_contains(a, b); + } else if (JVP_HAS_KIND(a, JV_KIND_STRING)) { + int b_len = jv_string_length_bytes(jv_copy(b)); +- if (b_len != 0) { ++ if (b_len != 0) { + r = _jq_memmem(jv_string_value(a), jv_string_length_bytes(jv_copy(a)), + jv_string_value(b), b_len) != 0; + } else { +diff -up jq-1.6/tests/jq.test.orig jq-1.6/tests/jq.test +--- jq-1.6/tests/jq.test.orig 2025-06-30 18:14:49.214961567 +0200 ++++ jq-1.6/tests/jq.test 2025-06-30 18:15:20.271792714 +0200 +@@ -186,6 +186,10 @@ null + [0,1,2] + [0,5,2] + ++try (.[999999999] = 0) catch . ++null ++"Array index too large" ++ + # + # Multiple outputs, iteration + # diff --git a/SOURCES/0007-CVE-2025-48060.patch b/SOURCES/0007-CVE-2025-48060.patch new file mode 100644 index 0000000..cb5ef5d --- /dev/null +++ b/SOURCES/0007-CVE-2025-48060.patch @@ -0,0 +1,111 @@ +diff -up jq-1.6/src/builtin.c.orig jq-1.6/src/builtin.c +--- jq-1.6/src/builtin.c.orig 2025-06-30 19:07:06.250825334 +0200 ++++ jq-1.6/src/builtin.c 2025-06-30 19:08:51.635668449 +0200 +@@ -317,19 +317,10 @@ static jv f_multiply(jq_state *jq, jv in + str = b; + num = a; + } +- int n; +- size_t alen = jv_string_length_bytes(jv_copy(str)); +- jv res = str; +- +- for (n = jv_number_value(num) - 1; n > 0; n--) +- res = jv_string_append_buf(res, jv_string_value(str), alen); +- ++ double d = jv_number_value(num); + jv_free(num); +- if (n < 0) { +- jv_free(str); +- return jv_null(); +- } +- return res; ++ return jv_string_repeat(str, ++ d < 0 || isnan(d) ? -1 : d > INT_MAX ? INT_MAX : (int)d); + } else if (ak == JV_KIND_OBJECT && bk == JV_KIND_OBJECT) { + return jv_object_merge_recursive(a, b); + } else { +diff -up jq-1.6/src/jv.c.orig jq-1.6/src/jv.c +--- jq-1.6/src/jv.c.orig 2025-06-30 19:06:08.660648842 +0200 ++++ jq-1.6/src/jv.c 2025-06-30 19:07:06.251424952 +0200 +@@ -828,6 +828,7 @@ static jv jvp_string_empty_new(uint32_t + jvp_string* s = jvp_string_alloc(length); + s->length_hashed = 0; + memset(s->data, 0, length); ++ s->data[length] = 0; + jv r = {JVP_FLAGS_STRING, 0, 0, 0, {&s->refcnt}}; + return r; + } +@@ -1006,6 +1007,32 @@ jv jv_string_indexes(jv j, jv k) { + return a; + } + ++jv jv_string_repeat(jv j, int n) { ++ assert(JVP_HAS_KIND(j, JV_KIND_STRING)); ++ if (n < 0) { ++ jv_free(j); ++ return jv_null(); ++ } ++ int len = jv_string_length_bytes(jv_copy(j)); ++ int64_t res_len = (int64_t)len * n; ++ if (res_len >= INT_MAX) { ++ jv_free(j); ++ return jv_invalid_with_msg(jv_string("Repeat string result too long")); ++ } ++ if (res_len == 0) { ++ jv_free(j); ++ return jv_string(""); ++ } ++ jv res = jv_string_empty(res_len); ++ res = jvp_string_append(res, jv_string_value(j), len); ++ for (int curr = len, grow; curr < res_len; curr += grow) { ++ grow = MIN(res_len - curr, curr); ++ res = jvp_string_append(res, jv_string_value(res), grow); ++ } ++ jv_free(j); ++ return res; ++} ++ + jv jv_string_split(jv j, jv sep) { + assert(JVP_HAS_KIND(j, JV_KIND_STRING)); + assert(JVP_HAS_KIND(sep, JV_KIND_STRING)); +diff -up jq-1.6/src/jv.h.orig jq-1.6/src/jv.h +--- jq-1.6/src/jv.h.orig 2025-06-30 19:06:08.614632776 +0200 ++++ jq-1.6/src/jv.h 2025-06-30 19:07:06.251840524 +0200 +@@ -120,6 +120,7 @@ jv jv_string_fmt(const char*, ...) JV_PR + jv jv_string_append_codepoint(jv a, uint32_t c); + jv jv_string_append_buf(jv a, const char* buf, int len); + jv jv_string_append_str(jv a, const char* str); ++jv jv_string_repeat(jv j, int n); + jv jv_string_split(jv j, jv sep); + jv jv_string_explode(jv j); + jv jv_string_implode(jv j); +diff -up jq-1.6/tests/jq.test.orig jq-1.6/tests/jq.test +--- jq-1.6/tests/jq.test.orig 2025-06-30 19:06:08.661007480 +0200 ++++ jq-1.6/tests/jq.test 2025-06-30 19:09:33.221816670 +0200 +@@ -1169,6 +1169,18 @@ indices(", ") + ["a", "ab", "abc"] + ["aaa", "ababab", "abcabcabc"] + ++. * 100000 | [.[:10],.[-10:]] ++"abc" ++["abcabcabca","cabcabcabc"] ++ ++. * 1000000000 ++"" ++"" ++ ++try (. * 1000000000) catch . ++"abc" ++"Repeat string result too long" ++ + [.[] / ","] + ["a, bc, def, ghij, jklmn, a,b, c,d, e,f", "a,b,c,d, e,f,g,h"] + [["a"," bc"," def"," ghij"," jklmn"," a","b"," c","d"," e","f"],["a","b","c","d"," e","f","g","h"]] +@@ -1560,3 +1572,7 @@ false + .x - 10 + {"x":13911860366432393} + 13911860366432382 ++ ++try 0[implode] catch . ++[] ++"Cannot index number with string \"\"" diff --git a/SPECS/jq.spec b/SPECS/jq.spec index 788379b..41c71e0 100644 --- a/SPECS/jq.spec +++ b/SPECS/jq.spec @@ -1,6 +1,6 @@ Name: jq Version: 1.6 -Release: 9%{?dist} +Release: 11%{?dist} Summary: Command-line JSON processor License: MIT and ASL 2.0 and CC-BY and GPLv3 @@ -12,6 +12,8 @@ Patch2: 0002-add-mantest.patch Patch3: 0003-fix-pthread-segfault.patch Patch4: 0004-make-jq-fast.patch Patch5: 0005-sast.patch +Patch6: 0006-CVE-2024-23337.patch +Patch7: 0007-CVE-2025-48060.patch BuildRequires: flex BuildRequires: bison @@ -100,6 +102,14 @@ make check %changelog +* Mon Jun 30 2025 Tomas Halman - 1.6-11 +- Fix CVE-2025-48060 AddressSanitizer: stack-buffer-overflow in jq_fuzz_execute (jv_string_vfmt) +- Resolves: RHEL-92987 + +* Mon Jun 30 2025 Tomas Halman - 1.6-10 +- Fix CVE-2024-23337 jq has signed integer overflow in jv.c:jvp_array_write +- Resolves: RHEL-92968 + * Fri May 3 2024 Tomas Halman - 1.6-9 - Fix SAST findings in jq 1.6 - Resolves: RHEL-37827