Fix CVE-2015-8863: Heap overflow in tokenadd

8eb1367ca4 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8863 Signed-off-by: Lon Hohberger <lhh@redhat.com>
2018-02-07 09:04:12 -05:00 · 2018-02-07 09:04:12 -05:00 · f7e334cc31
commit f7e334cc31
parent 9d7555ec18
2 changed files with 43 additions and 1 deletions
--- a/CVE-2015-8863.patch
+++ b/CVE-2015-8863.patch
@ -0,0 +1,37 @@
+From 8eb1367ca44e772963e704a700ef72ae2e12babd Mon Sep 17 00:00:00 2001
+From: Nicolas Williams <nico@cryptonector.com>
+Date: Sat, 24 Oct 2015 17:24:57 -0500
+Subject: [PATCH] Heap buffer overflow in tokenadd() (fix #105)
+
+This was an off-by one: the NUL terminator byte was not allocated on
+resize.  This was triggered by JSON-encoded numbers longer than 256
+bytes.
+---
+ src/jv_parse.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/jv_parse.c b/src/jv_parse.c
+index 3102ed4..84245b8 100644
+--- a/src/jv_parse.c
+++ b/src/jv_parse.c
+@@ -383,7 +383,7 @@ static pfunc stream_token(struct jv_parser* p, char ch) {
+ 
+ static void tokenadd(struct jv_parser* p, char c) {
+   assert(p->tokenpos <= p->tokenlen);
+-  if (p->tokenpos == p->tokenlen) {
+  if (p->tokenpos >= (p->tokenlen - 1)) {
+     p->tokenlen = p->tokenlen*2 + 256;
+     p->tokenbuf = jv_mem_realloc(p->tokenbuf, p->tokenlen);
+   }
+@@ -485,7 +485,7 @@ static pfunc check_literal(struct jv_parser* p) {
+     TRY(value(p, v));
+   } else {
+     // FIXME: better parser
+-    p->tokenbuf[p->tokenpos] = 0; // FIXME: invalid
+    p->tokenbuf[p->tokenpos] = 0;
+     char* end = 0;
+     double d = jvp_strtod(&p->dtoa, p->tokenbuf, &end);
+     if (end == 0 || *end != 0)
+-- 
+2.14.3
+
--- a/jq.spec
+++ b/jq.spec
@ -1,11 +1,12 @@
 Name:           jq
 Version:        1.5
-Release:        9%{?dist}
+Release:        10%{?dist}
 Summary:        Command-line JSON processor

 License:        MIT and ASL 2.0 and CC-BY and GPLv3
 URL:            http://stedolan.github.io/jq/
 Source0:        https://github.com/stedolan/jq/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
+Patch0:         CVE-2015-8863.patch

 BuildRequires:  flex
 BuildRequires:  bison
@ -42,6 +43,7 @@ Development files for %{name}

 %prep
 %setup -qn %{name}-%{version}
+%patch0 -p2 -b .cve-2015-8863

 %build
 %configure --disable-static
@ -88,6 +90,9 @@ make check


 %changelog
+* Wed Feb 07 2018 Lon Hohberger <lon@fedoraproject.org> - 1.5-10
+- Fix CVE 2015-8863
+
 * Fri Feb 02 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.5-9
 - Switch to %%ldconfig_scriptlets