Accepting request 646096 from home:avindra:branches:utilities

- Update to version 1.6 * Destructuring Alternation * many new builtins (see docs) * Add support for ASAN and UBSAN * Make it easier to use jq with shebangs * Add $ENV builtin variable to access environment * Add JQ_COLORS env var for configuring the output colors * change: Calling jq without a program argument now always assumes "." for the program, regardless of stdin/stdout * fix: Make sorting stable regardless of qsort. - cleanup with spec-cleaner - drop CVE-2015-8863.patch (upstreamed in 8eb1367ca44e772963e704a700ef72ae2e12babd) - drop CVE-2016-4074.patch (upstreamed in fd4ae8304e23007672af9a37855c7a76de7c78cf) OBS-URL: https://build.opensuse.org/request/show/646096 OBS-URL: https://build.opensuse.org/package/show/utilities/jq?expand=0&rev=19
2018-11-03 08:58:11 +00:00 · 2018-11-03 08:58:11 +00:00 · f604510b4e
commit f604510b4e
parent 5a15dfb3c6
6 changed files with 28 additions and 128 deletions
--- a/CVE-2015-8863.patch
+++ b/CVE-2015-8863.patch
@ -1,34 +0,0 @@
-From 8eb1367ca44e772963e704a700ef72ae2e12babd Mon Sep 17 00:00:00 2001
-From: Nicolas Williams <nico@cryptonector.com>
-Date: Sat, 24 Oct 2015 17:24:57 -0500
-Subject: [PATCH] Heap buffer overflow in tokenadd() (fix #105)
-
-This was an off-by one: the NUL terminator byte was not allocated on
-resize.  This was triggered by JSON-encoded numbers longer than 256
-bytes.
---
- src/jv_parse.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/jv_parse.c b/src/jv_parse.c
-index 3102ed4..84245b8 100644
--- a/src/jv_parse.c
-+++ b/src/jv_parse.c
-@@ -383,7 +383,7 @@ static pfunc stream_token(struct jv_parser* p, char ch) {
- 
- static void tokenadd(struct jv_parser* p, char c) {
-   assert(p->tokenpos <= p->tokenlen);
-  if (p->tokenpos == p->tokenlen) {
-+  if (p->tokenpos >= (p->tokenlen - 1)) {
-     p->tokenlen = p->tokenlen*2 + 256;
-     p->tokenbuf = jv_mem_realloc(p->tokenbuf, p->tokenlen);
-   }
-@@ -485,7 +485,7 @@ static pfunc check_literal(struct jv_parser* p) {
-     TRY(value(p, v));
-   } else {
-     // FIXME: better parser
-    p->tokenbuf[p->tokenpos] = 0; // FIXME: invalid
-+    p->tokenbuf[p->tokenpos] = 0;
-     char* end = 0;
-     double d = jvp_strtod(&p->dtoa, p->tokenbuf, &end);
-     if (end == 0 || *end != 0)
--- a/CVE-2016-4074.patch
+++ b/CVE-2016-4074.patch
@ -1,76 +0,0 @@
-From 83e2cf607f3599d208b6b3129092fa7deb2e5292 Mon Sep 17 00:00:00 2001
-From: W-Mark Kubacki <wmark@hurrikane.de>
-Date: Fri, 19 Aug 2016 19:50:39 +0200
-Subject: [PATCH] Skip printing what's below a MAX_PRINT_DEPTH
-
-This addresses #1136, and mitigates a stack exhaustion when printing
-a very deeply nested term.
---
- src/jv_print.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/jv_print.c b/src/jv_print.c
-index 5f4f234..ce4a59a 100644
--- a/src/jv_print.c
-+++ b/src/jv_print.c
-@@ -13,6 +13,10 @@
- #include "jv_dtoa.h"
- #include "jv_unicode.h"
- 
-+#ifndef MAX_PRINT_DEPTH
-+#define MAX_PRINT_DEPTH (256)
-+#endif
-+
- #define ESC "\033"
- #define COL(c) (ESC "[" c "m")
- #define COLRESET (ESC "[0m")
-@@ -150,7 +154,9 @@ static void jv_dump_term(struct dtoa_context* C, jv x, int flags, int indent, FI
-       }
-     }
-   }
-  switch (jv_get_kind(x)) {
-+  if (indent > MAX_PRINT_DEPTH) {
-+    put_str("<skipped: too deep>", F, S, flags & JV_PRINT_ISATTY);
-+  } else switch (jv_get_kind(x)) {
-   default:
-   case JV_KIND_INVALID:
-     if (flags & JV_PRINT_INVALID) {
-From fd4ae8304e23007672af9a37855c7a76de7c78cf Mon Sep 17 00:00:00 2001
-From: W-Mark Kubacki <wmark@hurrikane.de>
-Date: Fri, 19 Aug 2016 20:10:21 +0200
-Subject: [PATCH] Parse no deeper than MAX_PARSING_DEPTH
-
-    while true; do printf '{"deeper": '; done | jq .
---
- src/jv_parse.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/jv_parse.c b/src/jv_parse.c
-index 84245b8..51ad9f0 100644
--- a/src/jv_parse.c
-+++ b/src/jv_parse.c
-@@ -10,6 +10,10 @@
- 
- typedef const char* presult;
- 
-+#ifndef MAX_PARSING_DEPTH
-+#define MAX_PARSING_DEPTH (256)
-+#endif
-+
- #define TRY(x) do {presult msg__ = (x); if (msg__) return msg__; } while(0)
- #ifdef __GNUC__
- #define pfunc __attribute__((warn_unused_result)) presult
-@@ -147,11 +151,13 @@ static void push(struct jv_parser* p, jv v) {
- static pfunc parse_token(struct jv_parser* p, char ch) {
-   switch (ch) {
-   case '[':
-+    if (p->stackpos >= MAX_PARSING_DEPTH) return "Exceeds depth limit for parsing";
-     if (jv_is_valid(p->next)) return "Expected separator between values";
-     push(p, jv_array());
-     break;
- 
-   case '{':
-+    if (p->stackpos >= MAX_PARSING_DEPTH) return "Exceeds depth limit for parsing";
-     if (jv_is_valid(p->next)) return "Expected separator between values";
-     push(p, jv_object());
-     break;
--- a/jq-1.5.tar.gz
+++ b/jq-1.5.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c4d2bfec6436341113419debf479d833692cc5cdab7eb0326b5a4d4fbe9f493c
-size 739309
--- a/jq-1.6.tar.gz
+++ b/jq-1.6.tar.gz
--- a/jq.changes
+++ b/jq.changes
@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Fri Nov  2 12:35:25 UTC 2018 - Avindra Goolcharan <aavindraa@gmail.com>
+
+- Update to version 1.6
+  * Destructuring Alternation
+  * many new builtins (see docs)
+  * Add support for ASAN and UBSAN
+  * Make it easier to use jq with shebangs
+  * Add $ENV builtin variable to access environment
+  * Add JQ_COLORS env var for configuring the output colors
+  * change: Calling jq without a program argument now always assumes
+    "." for the program, regardless of stdin/stdout
+  * fix: Make sorting stable regardless of qsort.
+- cleanup with spec-cleaner
+- drop CVE-2015-8863.patch (upstreamed in 8eb1367ca44e772963e704a700ef72ae2e12babd)
+- drop CVE-2016-4074.patch (upstreamed in fd4ae8304e23007672af9a37855c7a76de7c78cf)
+
 -------------------------------------------------------------------
 Fri Feb  3 09:26:17 UTC 2017 - idonmez@suse.com

--- a/jq.spec
+++ b/jq.spec
@ -1,7 +1,7 @@
 #
 # spec file for package jq
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -12,25 +12,22 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.

-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #


 Name:           jq
-Version:        1.5
+Version:        1.6
 Release:        0
 Summary:        A lightweight and flexible command-line JSON processor
-License:        MIT and CC-BY-3.0
+License:        MIT AND CC-BY-3.0
 Group:          Productivity/Text/Utilities
-Url:            http://stedolan.github.io/jq/
+URL:            http://stedolan.github.io/jq/
 Source:         https://github.com/stedolan/jq/releases/download/jq-%{version}/jq-%{version}.tar.gz
-Patch1:         CVE-2015-8863.patch
-Patch2:         CVE-2016-4074.patch
 BuildRequires:  chrpath
 BuildRequires:  flex
 BuildRequires:  oniguruma-devel
 BuildRequires:  valgrind
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
 A lightweight and flexible command-line JSON processor. jq is like sed for
@ -55,8 +52,6 @@ Development files (headers and libraries for jq).

 %prep
 %setup -q
-%patch1 -p2
-%patch2 -p2

 %build
 %configure \
@ -85,17 +80,15 @@ make %{?_smp_mflags} check
 %postun -n libjq1 -p /sbin/ldconfig

 %files
-%defattr(-,root,root)
-%doc AUTHORS ChangeLog COPYING NEWS README.md
+%license COPYING
+%doc AUTHORS ChangeLog NEWS README.md
 %{_bindir}/%{name}
-%{_mandir}/man1/%{name}.1%{ext_man}
+%{_mandir}/man1/%{name}.1%{?ext_man}

 %files -n libjq1
-%defattr(-,root,root)
 %{_libdir}/libjq.so.1*

 %files -n libjq-devel
-%defattr(-,root,root)
 %{_includedir}/jq.h
 %{_includedir}/jv.h
 %{_libdir}/libjq.so