From 5a15dfb3c605eefd854955d1412f149043066fd1bcce99892a0bc142b9898adf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= Date: Fri, 3 Feb 2017 09:28:44 +0000 Subject: [PATCH] - Add CVE-2016-4074.patch to prevent a stack exhaustion CVE-2016-4074 bsc#1014176 OBS-URL: https://build.opensuse.org/package/show/utilities/jq?expand=0&rev=17 --- CVE-2016-4074.patch | 76 +++++++++++++++++++++++++++++++++++++++++++++ jq.changes | 6 ++++ jq.spec | 2 ++ 3 files changed, 84 insertions(+) create mode 100644 CVE-2016-4074.patch diff --git a/CVE-2016-4074.patch b/CVE-2016-4074.patch new file mode 100644 index 0000000..293456a --- /dev/null +++ b/CVE-2016-4074.patch @@ -0,0 +1,76 @@ +From 83e2cf607f3599d208b6b3129092fa7deb2e5292 Mon Sep 17 00:00:00 2001 +From: W-Mark Kubacki +Date: Fri, 19 Aug 2016 19:50:39 +0200 +Subject: [PATCH] Skip printing what's below a MAX_PRINT_DEPTH + +This addresses #1136, and mitigates a stack exhaustion when printing +a very deeply nested term. +--- + src/jv_print.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/jv_print.c b/src/jv_print.c +index 5f4f234..ce4a59a 100644 +--- a/src/jv_print.c ++++ b/src/jv_print.c +@@ -13,6 +13,10 @@ + #include "jv_dtoa.h" + #include "jv_unicode.h" + ++#ifndef MAX_PRINT_DEPTH ++#define MAX_PRINT_DEPTH (256) ++#endif ++ + #define ESC "\033" + #define COL(c) (ESC "[" c "m") + #define COLRESET (ESC "[0m") +@@ -150,7 +154,9 @@ static void jv_dump_term(struct dtoa_context* C, jv x, int flags, int indent, FI + } + } + } +- switch (jv_get_kind(x)) { ++ if (indent > MAX_PRINT_DEPTH) { ++ put_str("", F, S, flags & JV_PRINT_ISATTY); ++ } else switch (jv_get_kind(x)) { + default: + case JV_KIND_INVALID: + if (flags & JV_PRINT_INVALID) { +From fd4ae8304e23007672af9a37855c7a76de7c78cf Mon Sep 17 00:00:00 2001 +From: W-Mark Kubacki +Date: Fri, 19 Aug 2016 20:10:21 +0200 +Subject: [PATCH] Parse no deeper than MAX_PARSING_DEPTH + + while true; do printf '{"deeper": '; done | jq . +--- + src/jv_parse.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/jv_parse.c b/src/jv_parse.c +index 84245b8..51ad9f0 100644 +--- a/src/jv_parse.c ++++ b/src/jv_parse.c +@@ -10,6 +10,10 @@ + + typedef const char* presult; + ++#ifndef MAX_PARSING_DEPTH ++#define MAX_PARSING_DEPTH (256) ++#endif ++ + #define TRY(x) do {presult msg__ = (x); if (msg__) return msg__; } while(0) + #ifdef __GNUC__ + #define pfunc __attribute__((warn_unused_result)) presult +@@ -147,11 +151,13 @@ static void push(struct jv_parser* p, jv v) { + static pfunc parse_token(struct jv_parser* p, char ch) { + switch (ch) { + case '[': ++ if (p->stackpos >= MAX_PARSING_DEPTH) return "Exceeds depth limit for parsing"; + if (jv_is_valid(p->next)) return "Expected separator between values"; + push(p, jv_array()); + break; + + case '{': ++ if (p->stackpos >= MAX_PARSING_DEPTH) return "Exceeds depth limit for parsing"; + if (jv_is_valid(p->next)) return "Expected separator between values"; + push(p, jv_object()); + break; diff --git a/jq.changes b/jq.changes index cdaede8..2d050a2 100644 --- a/jq.changes +++ b/jq.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Feb 3 09:26:17 UTC 2017 - idonmez@suse.com + +- Add CVE-2016-4074.patch to prevent a stack exhaustion + CVE-2016-4074 bsc#1014176 + ------------------------------------------------------------------- Mon Jan 2 08:47:00 UTC 2017 - mpluskal@suse.com diff --git a/jq.spec b/jq.spec index 2c82173..9d0d623 100644 --- a/jq.spec +++ b/jq.spec @@ -25,6 +25,7 @@ Group: Productivity/Text/Utilities Url: http://stedolan.github.io/jq/ Source: https://github.com/stedolan/jq/releases/download/jq-%{version}/jq-%{version}.tar.gz Patch1: CVE-2015-8863.patch +Patch2: CVE-2016-4074.patch BuildRequires: chrpath BuildRequires: flex BuildRequires: oniguruma-devel @@ -55,6 +56,7 @@ Development files (headers and libraries for jq). %prep %setup -q %patch1 -p2 +%patch2 -p2 %build %configure \