From d58da5b4b5c276eaacaf7615a6ab0a260ee3b936 Mon Sep 17 00:00:00 2001 From: Tomas Halman Date: Fri, 3 May 2024 13:37:37 +0200 Subject: [PATCH] Fix SAST findings in jq 1.6 Resolves: RHEL-28653 --- 0005-sast.patch | 52 +++++++++++++++++++++++++++++++++++++++++++++++++ jq.spec | 7 ++++++- 2 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 0005-sast.patch diff --git a/0005-sast.patch b/0005-sast.patch new file mode 100644 index 0000000..5284d60 --- /dev/null +++ b/0005-sast.patch @@ -0,0 +1,52 @@ +diff -up jq-1.6/src/jq_test.c.orig jq-1.6/src/jq_test.c +--- jq-1.6/src/jq_test.c.orig 2024-05-03 11:47:47.403617188 +0200 ++++ jq-1.6/src/jq_test.c 2024-05-03 11:48:46.569675199 +0200 +@@ -16,6 +16,7 @@ static void run_jq_pthread_tests(); + + int jq_testsuite(jv libdirs, int verbose, int argc, char* argv[]) { + FILE *testdata = stdin; ++ const char *testdata_filename = NULL; + int skip = -1; + int take = -1; + jv_test(); +@@ -28,18 +29,24 @@ int jq_testsuite(jv libdirs, int verbose + take = atoi(argv[i+1]); + i++; + } else { +- testdata = fopen(argv[i], "r"); +- if (!testdata) { +- perror("fopen"); +- exit(1); +- } ++ testdata_filename = argv[i]; + } + } + } ++ if (testdata_filename) { ++ testdata = fopen(testdata_filename, "r"); ++ if (!testdata) { ++ perror("fopen"); ++ exit(1); ++ } ++ } + run_jq_tests(libdirs, verbose, testdata, skip, take); + #ifdef HAVE_PTHREAD + run_jq_pthread_tests(); + #endif ++ if (testdata_filename) { ++ fclose(testdata); ++ } + return 0; + } + +diff -up jq-1.6/src/locfile.c.orig jq-1.6/src/locfile.c +--- jq-1.6/src/locfile.c.orig 2018-11-02 02:49:29.000000000 +0100 ++++ jq-1.6/src/locfile.c 2024-05-03 11:15:46.562476303 +0200 +@@ -72,6 +72,7 @@ void locfile_locate(struct locfile* l, l + } + + jv m1 = jv_string_vfmt(fmt, fmtargs); ++ va_end(fmtargs); + if (!jv_is_valid(m1)) { + jq_report_error(l->jq, m1); + return; diff --git a/jq.spec b/jq.spec index 909825f..13b682d 100644 --- a/jq.spec +++ b/jq.spec @@ -1,6 +1,6 @@ Name: jq Version: 1.6 -Release: 16%{?dist} +Release: 17%{?dist} Summary: Command-line JSON processor License: MIT and ASL 2.0 and CC-BY and GPLv3 @@ -12,6 +12,7 @@ Patch1: 0001-iterration-problem-for-non-decimal-string.patch Patch2: 0002-add-mantest.patch Patch3: 0003-fix-pthread-segfault.patch Patch4: 0004-make-jq-fast.patch +Patch5: 0005-sast.patch BuildRequires: gcc BuildRequires: flex @@ -102,6 +103,10 @@ make check %changelog +* Fri May 3 2024 Tomas Halman - 1.6-17 +- Fix SAST findings in jq 1.6 +- Resolves: RHEL-28653 + * Fri Oct 13 2023 Tomas Halman - 1.6-16 - Make jq 1.6 fast - Resolves: RHEL-13431