import UBI jq-1.7.1-8.el10_0.1

2025-08-05 06:43:43 +00:00 · 2025-08-05 06:43:43 +00:00 · eb87df2276
commit eb87df2276
parent 349fdd5996
3 changed files with 319 additions and 7 deletions
--- a/0001-CVE-2024-23337.patch
+++ b/0001-CVE-2024-23337.patch
@ -0,0 +1,194 @@
+diff -up jq-jq-1.7.1/src/jv_aux.c.orig jq-jq-1.7.1/src/jv_aux.c
+--- jq-jq-1.7.1/src/jv_aux.c.orig	2023-12-13 20:20:22.000000000 +0100
+++ jq-jq-1.7.1/src/jv_aux.c	2025-06-27 11:11:20.223266818 +0200
+@@ -193,18 +193,19 @@ jv jv_set(jv t, jv k, jv v) {
+         if (slice_len < insert_len) {
+           // array is growing
+           int shift = insert_len - slice_len;
+-          for (int i = array_len - 1; i >= end; i--) {
+          for (int i = array_len - 1; i >= end && jv_is_valid(t); i--) {
+             t = jv_array_set(t, i + shift, jv_array_get(jv_copy(t), i));
+           }
+         } else if (slice_len > insert_len) {
+           // array is shrinking
+           int shift = slice_len - insert_len;
+-          for (int i = end; i < array_len; i++) {
+          for (int i = end; i < array_len && jv_is_valid(t); i++) {
+             t = jv_array_set(t, i - shift, jv_array_get(jv_copy(t), i));
+           }
+-          t = jv_array_slice(t, 0, array_len - shift);
+          if (jv_is_valid(t))
+            t = jv_array_slice(t, 0, array_len - shift);
+         }
+-        for (int i=0; i < insert_len; i++) {
+        for (int i = 0; i < insert_len && jv_is_valid(t); i++) {
+           t = jv_array_set(t, start + i, jv_array_get(jv_copy(v), i));
+         }
+         jv_free(v);
+diff -up jq-jq-1.7.1/src/jv.c.orig jq-jq-1.7.1/src/jv.c
+--- jq-jq-1.7.1/src/jv.c.orig	2023-12-13 20:20:22.000000000 +0100
+++ jq-jq-1.7.1/src/jv.c	2025-06-27 11:11:20.223554791 +0200
+@@ -992,6 +992,11 @@ jv jv_array_set(jv j, int idx, jv val) {
+     jv_free(val);
+     return jv_invalid_with_msg(jv_string("Out of bounds negative array index"));
+   }
+  if (idx > (INT_MAX >> 2) - jvp_array_offset(j)) {
+    jv_free(j);
+    jv_free(val);
+    return jv_invalid_with_msg(jv_string("Array index too large"));
+  }
+   // copy/free of val,j coalesced
+   jv* slot = jvp_array_write(&j, idx);
+   jv_free(*slot);
+@@ -1011,6 +1016,7 @@ jv jv_array_concat(jv a, jv b) {
+   // FIXME: could be faster
+   jv_array_foreach(b, i, elem) {
+     a = jv_array_append(a, elem);
+    if (!jv_is_valid(a)) break;
+   }
+   jv_free(b);
+   return a;
+@@ -1283,6 +1289,7 @@ jv jv_string_indexes(jv j, jv k) {
+     p = jstr;
+     while ((p = _jq_memmem(p, (jstr + jlen) - p, idxstr, idxlen)) != NULL) {
+       a = jv_array_append(a, jv_number(p - jstr));
+      if (!jv_is_valid(a)) break;
+       p++;
+     }
+   }
+@@ -1305,14 +1312,17 @@ jv jv_string_split(jv j, jv sep) {
+ 
+   if (seplen == 0) {
+     int c;
+-    while ((jstr = jvp_utf8_next(jstr, jend, &c)))
+    while ((jstr = jvp_utf8_next(jstr, jend, &c))) {
+       a = jv_array_append(a, jv_string_append_codepoint(jv_string(""), c));
+      if (!jv_is_valid(a)) break;
+    }
+   } else {
+     for (p = jstr; p < jend; p = s + seplen) {
+       s = _jq_memmem(p, jend - p, sepstr, seplen);
+       if (s == NULL)
+         s = jend;
+       a = jv_array_append(a, jv_string_sized(p, s - p));
+      if (!jv_is_valid(a)) break;
+       // Add an empty string to denote that j ends on a sep
+       if (s + seplen == jend && seplen != 0)
+         a = jv_array_append(a, jv_string(""));
+@@ -1330,8 +1340,10 @@ jv jv_string_explode(jv j) {
+   const char* end = i + len;
+   jv a = jv_array_sized(len);
+   int c;
+-  while ((i = jvp_utf8_next(i, end, &c)))
+  while ((i = jvp_utf8_next(i, end, &c))) {
+     a = jv_array_append(a, jv_number(c));
+    if (!jv_is_valid(a)) break;
+  }
+   jv_free(j);
+   return a;
+ }
+@@ -1605,10 +1617,13 @@ static void jvp_object_free(jv o) {
+   }
+ }
+ 
+-static jv jvp_object_rehash(jv object) {
+static int jvp_object_rehash(jv *objectp) {
+  jv object = *objectp;
+   assert(JVP_HAS_KIND(object, JV_KIND_OBJECT));
+   assert(jvp_refcnt_unshared(object.u.ptr));
+   int size = jvp_object_size(object);
+  if (size > INT_MAX >> 2)
+    return 0;
+   jv new_object = jvp_object_new(size * 2);
+   for (int i=0; i<size; i++) {
+     struct object_slot* slot = jvp_object_get_slot(object, i);
+@@ -1621,7 +1636,8 @@ static jv jvp_object_rehash(jv object) {
+   }
+   // references are transported, just drop the old table
+   jv_mem_free(jvp_object_ptr(object));
+-  return new_object;
+  *objectp = new_object;
+  return 1;
+ }
+ 
+ static jv jvp_object_unshare(jv object) {
+@@ -1650,27 +1666,32 @@ static jv jvp_object_unshare(jv object)
+   return new_object;
+ }
+ 
+-static jv* jvp_object_write(jv* object, jv key) {
+static int jvp_object_write(jv* object, jv key, jv **valpp) {
+   *object = jvp_object_unshare(*object);
+   int* bucket = jvp_object_find_bucket(*object, key);
+   struct object_slot* slot = jvp_object_find_slot(*object, key, bucket);
+   if (slot) {
+     // already has the key
+     jvp_string_free(key);
+-    return &slot->value;
+    *valpp = &slot->value;
+    return 1;
+   }
+   slot = jvp_object_add_slot(*object, key, bucket);
+   if (slot) {
+     slot->value = jv_invalid();
+   } else {
+-    *object = jvp_object_rehash(*object);
+    if (!jvp_object_rehash(object)) {
+      *valpp = NULL;
+      return 0;
+    }
+     bucket = jvp_object_find_bucket(*object, key);
+     assert(!jvp_object_find_slot(*object, key, bucket));
+     slot = jvp_object_add_slot(*object, key, bucket);
+     assert(slot);
+     slot->value = jv_invalid();
+   }
+-  return &slot->value;
+  *valpp = &slot->value;
+  return 1;
+ }
+ 
+ static int jvp_object_delete(jv* object, jv key) {
+@@ -1770,7 +1791,11 @@ jv jv_object_set(jv object, jv key, jv v
+   assert(JVP_HAS_KIND(object, JV_KIND_OBJECT));
+   assert(JVP_HAS_KIND(key, JV_KIND_STRING));
+   // copy/free of object, key, value coalesced
+-  jv* slot = jvp_object_write(&object, key);
+  jv* slot;
+  if (!jvp_object_write(&object, key, &slot)) {
+    jv_free(object);
+    return jv_invalid_with_msg(jv_string("Object too big"));
+  }
+   jv_free(*slot);
+   *slot = value;
+   return object;
+@@ -1795,6 +1820,7 @@ jv jv_object_merge(jv a, jv b) {
+   assert(JVP_HAS_KIND(a, JV_KIND_OBJECT));
+   jv_object_foreach(b, k, v) {
+     a = jv_object_set(a, k, v);
+    if (!jv_is_valid(a)) break;
+   }
+   jv_free(b);
+   return a;
+@@ -1814,6 +1840,7 @@ jv jv_object_merge_recursive(jv a, jv b)
+       jv_free(elem);
+       a = jv_object_set(a, k, v);
+     }
+    if (!jv_is_valid(a)) break;
+   }
+   jv_free(b);
+   return a;
+diff -up jq-jq-1.7.1/tests/jq.test.orig jq-jq-1.7.1/tests/jq.test
+--- jq-jq-1.7.1/tests/jq.test.orig	2023-12-13 20:20:22.000000000 +0100
+++ jq-jq-1.7.1/tests/jq.test	2025-06-27 11:11:20.224554796 +0200
+@@ -198,6 +198,10 @@ null
+ [0,1,2]
+ [0,5,2]
+ 
+try (.[999999999] = 0) catch .
+null
+"Array index too large"
+
+ #
+ # Multiple outputs, iteration
+ #
--- a/0002-CVE-2025-48060.patch
+++ b/0002-CVE-2025-48060.patch
@ -0,0 +1,115 @@
+diff -up jq-jq-1.7.1/src/builtin.c.orig jq-jq-1.7.1/src/builtin.c
+--- jq-jq-1.7.1/src/builtin.c.orig	2023-12-13 20:20:22.000000000 +0100
+++ jq-jq-1.7.1/src/builtin.c	2025-06-27 11:14:40.786222806 +0200
+@@ -369,21 +369,10 @@ jv binop_multiply(jv a, jv b) {
+       str = b;
+       num = a;
+     }
+-    jv res;
+     double d = jv_number_value(num);
+-    if (d < 0 || isnan(d)) {
+-      res = jv_null();
+-    } else {
+-      int n = d;
+-      size_t alen = jv_string_length_bytes(jv_copy(str));
+-      res = jv_string_empty(alen * n);
+-      for (; n > 0; n--) {
+-        res = jv_string_append_buf(res, jv_string_value(str), alen);
+-      }
+-    }
+-    jv_free(str);
+     jv_free(num);
+-    return res;
+    return jv_string_repeat(str,
+        d < 0 || isnan(d) ? -1 : d > INT_MAX ? INT_MAX : (int)d);
+   } else if (ak == JV_KIND_OBJECT && bk == JV_KIND_OBJECT) {
+     return jv_object_merge_recursive(a, b);
+   } else {
+diff -up jq-jq-1.7.1/src/jv.c.orig jq-jq-1.7.1/src/jv.c
+--- jq-jq-1.7.1/src/jv.c.orig	2025-06-27 11:14:19.893953149 +0200
+++ jq-jq-1.7.1/src/jv.c	2025-06-27 11:14:40.787046668 +0200
+@@ -1116,6 +1116,7 @@ static jv jvp_string_empty_new(uint32_t
+   jvp_string* s = jvp_string_alloc(length);
+   s->length_hashed = 0;
+   memset(s->data, 0, length);
+  s->data[length] = 0;
+   jv r = {JVP_FLAGS_STRING, 0, 0, 0, {&s->refcnt}};
+   return r;
+ }
+@@ -1298,6 +1299,32 @@ jv jv_string_indexes(jv j, jv k) {
+   return a;
+ }
+ 
+jv jv_string_repeat(jv j, int n) {
+  assert(JVP_HAS_KIND(j, JV_KIND_STRING));
+  if (n < 0) {
+    jv_free(j);
+    return jv_null();
+  }
+  int len = jv_string_length_bytes(jv_copy(j));
+  int64_t res_len = (int64_t)len * n;
+  if (res_len >= INT_MAX) {
+    jv_free(j);
+    return jv_invalid_with_msg(jv_string("Repeat string result too long"));
+  }
+  if (res_len == 0) {
+    jv_free(j);
+    return jv_string("");
+  }
+  jv res = jv_string_empty(res_len);
+  res = jvp_string_append(res, jv_string_value(j), len);
+  for (int curr = len, grow; curr < res_len; curr += grow) {
+    grow = MIN(res_len - curr, curr);
+    res = jvp_string_append(res, jv_string_value(res), grow);
+  }
+  jv_free(j);
+  return res;
+}
+
+ jv jv_string_split(jv j, jv sep) {
+   assert(JVP_HAS_KIND(j, JV_KIND_STRING));
+   assert(JVP_HAS_KIND(sep, JV_KIND_STRING));
+diff -up jq-jq-1.7.1/src/jv.h.orig jq-jq-1.7.1/src/jv.h
+--- jq-jq-1.7.1/src/jv.h.orig	2023-12-13 20:20:22.000000000 +0100
+++ jq-jq-1.7.1/src/jv.h	2025-06-27 11:14:40.787594155 +0200
+@@ -131,6 +131,7 @@ jv jv_string_fmt(const char*, ...) JV_PR
+ jv jv_string_append_codepoint(jv a, uint32_t c);
+ jv jv_string_append_buf(jv a, const char* buf, int len);
+ jv jv_string_append_str(jv a, const char* str);
+jv jv_string_repeat(jv j, int n);
+ jv jv_string_split(jv j, jv sep);
+ jv jv_string_explode(jv j);
+ jv jv_string_implode(jv j);
+diff -up jq-jq-1.7.1/tests/jq.test.orig jq-jq-1.7.1/tests/jq.test
+--- jq-jq-1.7.1/tests/jq.test.orig	2025-06-27 11:14:19.894378376 +0200
+++ jq-jq-1.7.1/tests/jq.test	2025-06-27 11:14:40.788086263 +0200
+@@ -1369,6 +1369,18 @@ indices(", ")
+ "abc"
+ [null,null]
+ 
+. * 100000 | [.[:10],.[-10:]]
+"abc"
+["abcabcabca","cabcabcabc"]
+
+. * 1000000000
+""
+""
+
+try (. * 1000000000) catch .
+"abc"
+"Repeat string result too long"
+
+ [.[] / ","]
+ ["a, bc, def, ghij, jklmn, a,b, c,d, e,f", "a,b,c,d, e,f,g,h"]
+ [["a"," bc"," def"," ghij"," jklmn"," a","b"," c","d"," e","f"],["a","b","c","d"," e","f","g","h"]]
+@@ -2024,6 +2036,10 @@ map(try implode catch .)
+ [123,["a"],[nan]]
+ ["implode input must be an array","string (\"a\") can't be imploded, unicode codepoint needs to be numeric","number (null) can't be imploded, unicode codepoint needs to be numeric"]
+ 
+try 0[implode] catch .
+[]
+"Cannot index number with string \"\""
+
+ # walk
+ walk(.)
+ {"x":0}
--- a/jq.spec
+++ b/jq.spec
@ -1,11 +1,6 @@
 ## START: Set by rpmautospec
 ## (rpmautospec version 0.6.5)
-## RPMAUTOSPEC: autorelease, autochangelog
-%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
-    release_number = 8;
-    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
-    print(release_number + base_release_number - 1);
-}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
+## RPMAUTOSPEC: autochangelog
 ## END: Set by rpmautospec

 # valgrind cannot cope with GCC 13+ SSE4.1 optimizations of strcmp
@ -14,12 +9,14 @@

 Name:           jq
 Version:        1.7.1
-Release:        %autorelease
+Release:        8%{?dist}.1
 Summary:        Command-line JSON processor

 License:        MIT and ASL 2.0 and CC-BY and GPLv3
 URL:            https://jqlang.github.io/jq/
 Source0:        https://github.com/jqlang/jq/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
+Patch1:         0001-CVE-2024-23337.patch
+Patch2:         0002-CVE-2025-48060.patch

 BuildRequires:  gcc
 BuildRequires:  flex
@ -112,6 +109,12 @@ make check

 %changelog
 ## START: Generated by rpmautospec
+* Mon Jun 30 2025 Tomas Halman <thalman@redhat.com> - 1.7.1-10
+- AddressSanitizer: stack-buffer-overflow in jq_fuzz_execute
+
+* Mon Jun 30 2025 Tomas Halman <thalman@redhat.com> - 1.7.1-9
+- Fix signed integer overflow in jvp_array_write
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.7.1-8
 - Bump release for October 2024 mass rebuild: