From d4bc2a481322cabc4efa0f37def4c10e1d6e4000 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Wed, 16 Dec 2020 11:38:26 +0000 Subject: [PATCH] import jq-1.5-12.el8 --- .gitignore | 1 + .jq.metadata | 1 + SOURCES/CVE-2015-8863.patch | 37 +++++++++ SPECS/jq.spec | 146 ++++++++++++++++++++++++++++++++++++ 4 files changed, 185 insertions(+) create mode 100644 .gitignore create mode 100644 .jq.metadata create mode 100644 SOURCES/CVE-2015-8863.patch create mode 100644 SPECS/jq.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..3fbf437 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/jq-1.5.tar.gz diff --git a/.jq.metadata b/.jq.metadata new file mode 100644 index 0000000..0c9c074 --- /dev/null +++ b/.jq.metadata @@ -0,0 +1 @@ +6eef3705ac0a322e8aa0521c57ce339671838277 SOURCES/jq-1.5.tar.gz diff --git a/SOURCES/CVE-2015-8863.patch b/SOURCES/CVE-2015-8863.patch new file mode 100644 index 0000000..f4046cd --- /dev/null +++ b/SOURCES/CVE-2015-8863.patch @@ -0,0 +1,37 @@ +From 8eb1367ca44e772963e704a700ef72ae2e12babd Mon Sep 17 00:00:00 2001 +From: Nicolas Williams +Date: Sat, 24 Oct 2015 17:24:57 -0500 +Subject: [PATCH] Heap buffer overflow in tokenadd() (fix #105) + +This was an off-by one: the NUL terminator byte was not allocated on +resize. This was triggered by JSON-encoded numbers longer than 256 +bytes. +--- + src/jv_parse.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/jv_parse.c b/src/jv_parse.c +index 3102ed4..84245b8 100644 +--- a/src/jv_parse.c ++++ b/src/jv_parse.c +@@ -383,7 +383,7 @@ static pfunc stream_token(struct jv_parser* p, char ch) { + + static void tokenadd(struct jv_parser* p, char c) { + assert(p->tokenpos <= p->tokenlen); +- if (p->tokenpos == p->tokenlen) { ++ if (p->tokenpos >= (p->tokenlen - 1)) { + p->tokenlen = p->tokenlen*2 + 256; + p->tokenbuf = jv_mem_realloc(p->tokenbuf, p->tokenlen); + } +@@ -485,7 +485,7 @@ static pfunc check_literal(struct jv_parser* p) { + TRY(value(p, v)); + } else { + // FIXME: better parser +- p->tokenbuf[p->tokenpos] = 0; // FIXME: invalid ++ p->tokenbuf[p->tokenpos] = 0; + char* end = 0; + double d = jvp_strtod(&p->dtoa, p->tokenbuf, &end); + if (end == 0 || *end != 0) +-- +2.14.3 + diff --git a/SPECS/jq.spec b/SPECS/jq.spec new file mode 100644 index 0000000..d7dafc7 --- /dev/null +++ b/SPECS/jq.spec @@ -0,0 +1,146 @@ +Name: jq +Version: 1.5 +Release: 12%{?dist} +Summary: Command-line JSON processor + +License: MIT and ASL 2.0 and CC-BY and GPLv3 +URL: http://stedolan.github.io/jq/ +Source0: https://github.com/stedolan/jq/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz +Patch0: CVE-2015-8863.patch + +BuildRequires: flex +BuildRequires: bison +BuildRequires: oniguruma-devel + +%ifnarch s390x +BuildRequires: valgrind +%endif + + +%description +lightweight and flexible command-line JSON processor + + jq is like sed for JSON data – you can use it to slice + and filter and map and transform structured data with + the same ease that sed, awk, grep and friends let you + play with text. + + It is written in portable C, and it has zero runtime + dependencies. + + jq can mangle the data format that you have into the + one that you want with very little effort, and the + program to do so is often shorter and simpler than + you'd expect. + +%package devel +Summary: Development files for %{name} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description devel +Development files for %{name} + + +%prep +%setup -qn %{name}-%{version} +%patch0 -p2 -b .cve-2015-8863 + +%build +%configure --disable-static +make %{?_smp_mflags} +# Docs already shipped in jq's tarball. +# In order to build the manual page, it +# is necessary to install rake, rubygem-ronn +# and do the following steps: +# +# # yum install rake rubygem-ronn +# $ cd docs/ +# $ curl -L https://get.rvm.io | bash -s stable --ruby=1.9.3 +# $ source $HOME/.rvm/scripts/rvm +# $ bundle install +# $ cd .. +# $ ./configure +# $ make real_docs + +%install +make DESTDIR=%{buildroot} install +find %{buildroot} -name '*.la' -exec rm -f {} ';' + +%check +# Valgrind used, so restrict architectures for check +%ifarch %{ix86} x86_64 +make check +%endif + +%ldconfig_scriptlets + +%files +%{_bindir}/%{name} +%{_libdir}/libjq.so.* +%{_datadir}/man/man1/jq.1.gz +%{_datadir}/doc/jq/AUTHORS +%{_datadir}/doc/jq/COPYING +%{_datadir}/doc/jq/README +%{_datadir}/doc/jq/README.md + +%files devel +%{_includedir}/jq.h +%{_includedir}/jv.h +%{_libdir}/libjq.so + + +%changelog +* Sat Aug 11 2018 Troy Dawson +- Fix typo: s390 -> s390x +- Related: bug#1614611 + +* Sun Apr 01 2018 Mamoru TASAKA - 1.5-12 +- Rebuild against oniguruma 6.8.1 + +* Wed Feb 07 2018 Fedora Release Engineering - 1.5-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Feb 07 2018 Lon Hohberger - 1.5-10 +- Fix CVE 2015-8863 + +* Fri Feb 02 2018 Igor Gnatenko - 1.5-9 +- Switch to %%ldconfig_scriptlets + +* Thu Aug 03 2017 Fedora Release Engineering - 1.5-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 1.5-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Feb 10 2017 Fedora Release Engineering - 1.5-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Sun Oct 30 2016 Mamoru TASAKA - 1.5-5 +- Rebuild for oniguruma 6.1.1 + +* Mon Jul 18 2016 Mamoru TASAKA - 1.5-4 +- Rebuild for oniguruma 6 + +* Sun Mar 13 2016 Peter Robinson 1.5-3 +- valgrind on all but s390 + +* Thu Feb 04 2016 Fedora Release Engineering - 1.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Aug 25 2015 Haïkel Guémar - 1.5-1 +- Upstream 1.5.0 + +* Wed Jun 17 2015 Fedora Release Engineering - 1.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sat Aug 16 2014 Fedora Release Engineering - 1.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sun Jun 08 2014 Fedora Release Engineering - 1.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu Oct 24 2013 Flavio Percoco - 1.3-2 +- Added check, manpage + +* Fri Oct 18 2013 Flavio Percoco - 1.3-1 +- Initial package release.