Accepting request 1133610 from home:AndreasStieger:branches:utilities

jq 1.7.1 CVE-2023-50246 (boo#1218034) CVE-2023-50268 (boo#1218038) OBS-URL: https://build.opensuse.org/request/show/1133610 OBS-URL: https://build.opensuse.org/package/show/utilities/jq?expand=0&rev=32
2023-12-19 09:44:30 +00:00 · 2023-12-19 09:44:30 +00:00 · ea85872191
commit ea85872191
parent b29b559748
4 changed files with 43 additions and 4 deletions
--- a/jq-1.7.1.tar.gz
+++ b/jq-1.7.1.tar.gz
--- a/jq-1.7.tar.gz
+++ b/jq-1.7.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:402a0d6975d946e6f4e484d1a84320414a0ff8eb6cf49d2c11d144d4d344db62
-size 1905863
--- a/jq.changes
+++ b/jq.changes
@ -1,3 +1,42 @@
+-------------------------------------------------------------------
+Wed Dec 13 20:28:23 UTC 2023 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 1.7.1
+  Security
+  * Fix CVE-2023-50246 (boo#1218034)
+    + Fix heap buffer overflow in jvp_literal_number_literal.
+  * Fix CVE-2023-50268 (boo#1218038)
+      fix stack-buffer-overflow if comparing nan with payload.
+  CLI changes
+  * Make the default background color more suitable for bright
+    backgrounds.
+  * Allow passing the inline jq script after --.
+  * Fix possible uninitialised value dereference if jq_init() fails
+  Language changes
+  * Simplify paths/0 and paths/1.
+  * Reject U+001F in string literals.
+  * Remove unused nref accumulator in block_bind_library.
+  * Remove a bunch of unused variables, and useless assignments.
+  * main.c: Remove unused EXIT_STATUS_EXACT option.
+  * Actually use the number correctly casted from double to int as
+    index.
+  * src/builtin.c: remove unnecessary jv_copy-s in
+    type_error/type_error2.
+  * Remove undefined behavior caught by LLVM 10 UBSAN.
+  * Convert decnum to binary64 (double) instead of decimal64.
+    This makes jq behave like the JSON specification suggests and
+    more similar to other languages.
+  * Fix memory leaks on invalid input for ltrimstr/1 and
+    rtrimstr/1.
+  * Fix memory leak on failed get for setpath/2.
+  * Fix nan from json parsing also for nans with payload that 
+    start with 'n'.
+  * Allow carriage return characters in comments.
+  Documentation changes
+  * Generate links in the man page.
+  libjq
+  * Add extern C for C++.
+
 -------------------------------------------------------------------
 Wed Nov 15 10:26:07 UTC 2023 - Dirk Müller <dmueller@suse.com>

--- a/jq.spec
+++ b/jq.spec
@ -18,7 +18,7 @@

 %define jq_sover 1
 Name:           jq
-Version:        1.7
+Version:        1.7.1
 Release:        0
 Summary:        A lightweight and flexible command-line JSON processor
 License:        CC-BY-3.0 AND MIT