- Add CVE-2016-4074.patch to prevent a stack exhaustion

CVE-2016-4074 bsc#1014176 OBS-URL: https://build.opensuse.org/package/show/utilities/jq?expand=0&rev=17
2017-02-03 09:28:44 +00:00 · 2017-02-03 09:28:44 +00:00 · 5a15dfb3c6
commit 5a15dfb3c6
parent 19c14242f5
3 changed files with 84 additions and 0 deletions
--- a/CVE-2016-4074.patch
+++ b/CVE-2016-4074.patch
@ -0,0 +1,76 @@
+From 83e2cf607f3599d208b6b3129092fa7deb2e5292 Mon Sep 17 00:00:00 2001
+From: W-Mark Kubacki <wmark@hurrikane.de>
+Date: Fri, 19 Aug 2016 19:50:39 +0200
+Subject: [PATCH] Skip printing what's below a MAX_PRINT_DEPTH
+
+This addresses #1136, and mitigates a stack exhaustion when printing
+a very deeply nested term.
+---
+ src/jv_print.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/jv_print.c b/src/jv_print.c
+index 5f4f234..ce4a59a 100644
+--- a/src/jv_print.c
+++ b/src/jv_print.c
+@@ -13,6 +13,10 @@
+ #include "jv_dtoa.h"
+ #include "jv_unicode.h"
+ 
+#ifndef MAX_PRINT_DEPTH
+#define MAX_PRINT_DEPTH (256)
+#endif
+
+ #define ESC "\033"
+ #define COL(c) (ESC "[" c "m")
+ #define COLRESET (ESC "[0m")
+@@ -150,7 +154,9 @@ static void jv_dump_term(struct dtoa_context* C, jv x, int flags, int indent, FI
+       }
+     }
+   }
+-  switch (jv_get_kind(x)) {
+  if (indent > MAX_PRINT_DEPTH) {
+    put_str("<skipped: too deep>", F, S, flags & JV_PRINT_ISATTY);
+  } else switch (jv_get_kind(x)) {
+   default:
+   case JV_KIND_INVALID:
+     if (flags & JV_PRINT_INVALID) {
+From fd4ae8304e23007672af9a37855c7a76de7c78cf Mon Sep 17 00:00:00 2001
+From: W-Mark Kubacki <wmark@hurrikane.de>
+Date: Fri, 19 Aug 2016 20:10:21 +0200
+Subject: [PATCH] Parse no deeper than MAX_PARSING_DEPTH
+
+    while true; do printf '{"deeper": '; done | jq .
+---
+ src/jv_parse.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/jv_parse.c b/src/jv_parse.c
+index 84245b8..51ad9f0 100644
+--- a/src/jv_parse.c
+++ b/src/jv_parse.c
+@@ -10,6 +10,10 @@
+ 
+ typedef const char* presult;
+ 
+#ifndef MAX_PARSING_DEPTH
+#define MAX_PARSING_DEPTH (256)
+#endif
+
+ #define TRY(x) do {presult msg__ = (x); if (msg__) return msg__; } while(0)
+ #ifdef __GNUC__
+ #define pfunc __attribute__((warn_unused_result)) presult
+@@ -147,11 +151,13 @@ static void push(struct jv_parser* p, jv v) {
+ static pfunc parse_token(struct jv_parser* p, char ch) {
+   switch (ch) {
+   case '[':
+    if (p->stackpos >= MAX_PARSING_DEPTH) return "Exceeds depth limit for parsing";
+     if (jv_is_valid(p->next)) return "Expected separator between values";
+     push(p, jv_array());
+     break;
+ 
+   case '{':
+    if (p->stackpos >= MAX_PARSING_DEPTH) return "Exceeds depth limit for parsing";
+     if (jv_is_valid(p->next)) return "Expected separator between values";
+     push(p, jv_object());
+     break;
--- a/jq.changes
+++ b/jq.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Feb  3 09:26:17 UTC 2017 - idonmez@suse.com
+
+- Add CVE-2016-4074.patch to prevent a stack exhaustion
+  CVE-2016-4074 bsc#1014176
+
 -------------------------------------------------------------------
 Mon Jan  2 08:47:00 UTC 2017 - mpluskal@suse.com

--- a/jq.spec
+++ b/jq.spec
@ -25,6 +25,7 @@ Group:          Productivity/Text/Utilities
 Url:            http://stedolan.github.io/jq/
 Source:         https://github.com/stedolan/jq/releases/download/jq-%{version}/jq-%{version}.tar.gz
 Patch1:         CVE-2015-8863.patch
+Patch2:         CVE-2016-4074.patch
 BuildRequires:  chrpath
 BuildRequires:  flex
 BuildRequires:  oniguruma-devel
@ -55,6 +56,7 @@ Development files (headers and libraries for jq).
 %prep
 %setup -q
 %patch1 -p2
+%patch2 -p2

 %build
 %configure \