pool/jq
SHA256
17
0
Fork 2
Code Issues Pull Requests Activity

Compare commits

merge into: pool:factory
Branches Tags
pool:factory pool:slfo-1.2 pool:slfo-main
...
pull from: pool:slfo-1.2
Branches Tags
pool:factory pool:slfo-1.2 pool:slfo-main

1 Commits
factory ... slfo-1.2

Author SHA256 Message Date
Adrian Schröter
c7bdab54cd Sync changes to SLFO-1.2 branch 2025-08-20 18:43:27 +02:00
6 changed files with 323 additions and 101 deletions
Expand all files Collapse all files

212
CVE-2024-23337.patch Normal file
View File

@@ -0,0 +1,212 @@
From de21386681c0df0104a99d9d09db23a9b2a78b1e Mon Sep 17 00:00:00 2001
From: itchyny <itchyny@cybozu.co.jp>
Date: Wed, 21 May 2025 07:45:00 +0900
Subject: [PATCH] Fix signed integer overflow in jvp_array_write and
jvp_object_rehash
This commit fixes signed integer overflow and SEGV issues on growing
arrays and objects. The size of arrays and objects is now limited to
`536870912` (`0x20000000`). This fixes CVE-2024-23337 and fixes #3262.
---
src/jv.c | 45 ++++++++++++++++++++++++++++++++++++---------
src/jv_aux.c | 9 +++++----
tests/jq.test | 4 ++++
3 files changed, 45 insertions(+), 13 deletions(-)
Index: jq-1.7.1/src/jv.c
===================================================================
--- jq-1.7.1.orig/src/jv.c
+++ jq-1.7.1/src/jv.c
@@ -992,6 +992,11 @@ jv jv_array_set(jv j, int idx, jv val) {
jv_free(val);
return jv_invalid_with_msg(jv_string("Out of bounds negative array index"));
}
+ if (idx > (INT_MAX >> 2) - jvp_array_offset(j)) {
+ jv_free(j);
+ jv_free(val);
+ return jv_invalid_with_msg(jv_string("Array index too large"));
+ }
// copy/free of val,j coalesced
jv* slot = jvp_array_write(&j, idx);
jv_free(*slot);
@@ -1011,6 +1016,7 @@ jv jv_array_concat(jv a, jv b) {
// FIXME: could be faster
jv_array_foreach(b, i, elem) {
a = jv_array_append(a, elem);
+ if (!jv_is_valid(a)) break;
}
jv_free(b);
return a;
@@ -1283,6 +1289,7 @@ jv jv_string_indexes(jv j, jv k) {
p = jstr;
while ((p = _jq_memmem(p, (jstr + jlen) - p, idxstr, idxlen)) != NULL) {
a = jv_array_append(a, jv_number(p - jstr));
+ if (!jv_is_valid(a)) break;
p++;
}
}
@@ -1305,14 +1312,17 @@ jv jv_string_split(jv j, jv sep) {
if (seplen == 0) {
int c;
- while ((jstr = jvp_utf8_next(jstr, jend, &c)))
+ while ((jstr = jvp_utf8_next(jstr, jend, &c))) {
a = jv_array_append(a, jv_string_append_codepoint(jv_string(""), c));
+ if (!jv_is_valid(a)) break;
+ }
} else {
for (p = jstr; p < jend; p = s + seplen) {
s = _jq_memmem(p, jend - p, sepstr, seplen);
if (s == NULL)
s = jend;
a = jv_array_append(a, jv_string_sized(p, s - p));
+ if (!jv_is_valid(a)) break;
// Add an empty string to denote that j ends on a sep
if (s + seplen == jend && seplen != 0)
a = jv_array_append(a, jv_string(""));
@@ -1330,8 +1340,10 @@ jv jv_string_explode(jv j) {
const char* end = i + len;
jv a = jv_array_sized(len);
int c;
- while ((i = jvp_utf8_next(i, end, &c)))
+ while ((i = jvp_utf8_next(i, end, &c))) {
a = jv_array_append(a, jv_number(c));
+ if (!jv_is_valid(a)) break;
+ }
jv_free(j);
return a;
}
@@ -1605,10 +1617,13 @@ static void jvp_object_free(jv o) {
}
}
-static jv jvp_object_rehash(jv object) {
+static int jvp_object_rehash(jv *objectp) {
+ jv object = *objectp;
assert(JVP_HAS_KIND(object, JV_KIND_OBJECT));
assert(jvp_refcnt_unshared(object.u.ptr));
int size = jvp_object_size(object);
+ if (size > INT_MAX >> 2)
+ return 0;
jv new_object = jvp_object_new(size * 2);
for (int i=0; i<size; i++) {
struct object_slot* slot = jvp_object_get_slot(object, i);
@@ -1621,7 +1636,8 @@ static jv jvp_object_rehash(jv object) {
}
// references are transported, just drop the old table
jv_mem_free(jvp_object_ptr(object));
- return new_object;
+ *objectp = new_object;
+ return 1;
}
static jv jvp_object_unshare(jv object) {
@@ -1650,27 +1666,32 @@ static jv jvp_object_unshare(jv object)
return new_object;
}
-static jv* jvp_object_write(jv* object, jv key) {
+static int jvp_object_write(jv* object, jv key, jv **valpp) {
*object = jvp_object_unshare(*object);
int* bucket = jvp_object_find_bucket(*object, key);
struct object_slot* slot = jvp_object_find_slot(*object, key, bucket);
if (slot) {
// already has the key
jvp_string_free(key);
- return &slot->value;
+ *valpp = &slot->value;
+ return 1;
}
slot = jvp_object_add_slot(*object, key, bucket);
if (slot) {
slot->value = jv_invalid();
} else {
- *object = jvp_object_rehash(*object);
+ if (!jvp_object_rehash(object)) {
+ *valpp = NULL;
+ return 0;
+ }
bucket = jvp_object_find_bucket(*object, key);
assert(!jvp_object_find_slot(*object, key, bucket));
slot = jvp_object_add_slot(*object, key, bucket);
assert(slot);
slot->value = jv_invalid();
}
- return &slot->value;
+ *valpp = &slot->value;
+ return 1;
}
static int jvp_object_delete(jv* object, jv key) {
@@ -1770,7 +1791,11 @@ jv jv_object_set(jv object, jv key, jv v
assert(JVP_HAS_KIND(object, JV_KIND_OBJECT));
assert(JVP_HAS_KIND(key, JV_KIND_STRING));
// copy/free of object, key, value coalesced
- jv* slot = jvp_object_write(&object, key);
+ jv* slot;
+ if (!jvp_object_write(&object, key, &slot)) {
+ jv_free(object);
+ return jv_invalid_with_msg(jv_string("Object too big"));
+ }
jv_free(*slot);
*slot = value;
return object;
@@ -1795,6 +1820,7 @@ jv jv_object_merge(jv a, jv b) {
assert(JVP_HAS_KIND(a, JV_KIND_OBJECT));
jv_object_foreach(b, k, v) {
a = jv_object_set(a, k, v);
+ if (!jv_is_valid(a)) break;
}
jv_free(b);
return a;
@@ -1814,6 +1840,7 @@ jv jv_object_merge_recursive(jv a, jv b)
jv_free(elem);
a = jv_object_set(a, k, v);
}
+ if (!jv_is_valid(a)) break;
}
jv_free(b);
return a;
Index: jq-1.7.1/src/jv_aux.c
===================================================================
--- jq-1.7.1.orig/src/jv_aux.c
+++ jq-1.7.1/src/jv_aux.c
@@ -193,18 +193,19 @@ jv jv_set(jv t, jv k, jv v) {
if (slice_len < insert_len) {
// array is growing
int shift = insert_len - slice_len;
- for (int i = array_len - 1; i >= end; i--) {
+ for (int i = array_len - 1; i >= end && jv_is_valid(t); i--) {
t = jv_array_set(t, i + shift, jv_array_get(jv_copy(t), i));
}
} else if (slice_len > insert_len) {
// array is shrinking
int shift = slice_len - insert_len;
- for (int i = end; i < array_len; i++) {
+ for (int i = end; i < array_len && jv_is_valid(t); i++) {
t = jv_array_set(t, i - shift, jv_array_get(jv_copy(t), i));
}
- t = jv_array_slice(t, 0, array_len - shift);
+ if (jv_is_valid(t))
+ t = jv_array_slice(t, 0, array_len - shift);
}
- for (int i=0; i < insert_len; i++) {
+ for (int i = 0; i < insert_len && jv_is_valid(t); i++) {
t = jv_array_set(t, start + i, jv_array_get(jv_copy(v), i));
}
jv_free(v);
Index: jq-1.7.1/tests/jq.test
===================================================================
--- jq-1.7.1.orig/tests/jq.test
+++ jq-1.7.1/tests/jq.test
@@ -198,6 +198,10 @@ null
[0,1,2]
[0,5,2]
+try (.[999999999] = 0) catch .
+null
+"Array index too large"
+
#
# Multiple outputs, iteration
#

103
CVE-2024-53427.patch Normal file
View File

@@ -0,0 +1,103 @@
This is a combined patch consisting of upstream patches:
https://github.com/jqlang/jq/commit/b86ff49f46a4a37e5a8e75a140cb5fd6e1331384
https://github.com/jqlang/jq/commit/a09a4dfd55e6c24d04b35062ccfe4509748b1dd3
which have been slightly tweaked so they apply to the jq 1.7.1 release.
The purpose of the patch is to fix CVE-2024-53427.
Index: jq-1.7.1/src/jv.c
===================================================================
--- jq-1.7.1.orig/src/jv.c
+++ jq-1.7.1/src/jv.c
@@ -206,9 +206,6 @@ enum {
JVP_NUMBER_DECIMAL = 1
};
-#define JV_NUMBER_SIZE_INIT (0)
-#define JV_NUMBER_SIZE_CONVERTED (1)
-
#define JVP_FLAGS_NUMBER_NATIVE JVP_MAKE_FLAGS(JV_KIND_NUMBER, JVP_MAKE_PFLAGS(JVP_NUMBER_NATIVE, 0))
#define JVP_FLAGS_NUMBER_LITERAL JVP_MAKE_FLAGS(JV_KIND_NUMBER, JVP_MAKE_PFLAGS(JVP_NUMBER_DECIMAL, 1))
@@ -589,8 +586,17 @@ static jv jvp_literal_number_new(const c
jv_mem_free(n);
return JV_INVALID;
}
+ if (decNumberIsNaN(&n->num_decimal)) {
+ // Reject NaN with payload.
+ if (n->num_decimal.digits > 1 || *n->num_decimal.lsu != 0) {
+ jv_mem_free(n);
+ return JV_INVALID;
+ }
+ jv_mem_free(n);
+ return jv_number(NAN);
+ }
- jv r = {JVP_FLAGS_NUMBER_LITERAL, 0, 0, JV_NUMBER_SIZE_INIT, {&n->refcnt}};
+ jv r = {JVP_FLAGS_NUMBER_LITERAL, 0, 0, 0, {&n->refcnt}};
return r;
}
@@ -698,9 +704,8 @@ double jv_number_value(jv j) {
if (JVP_HAS_FLAGS(j, JVP_FLAGS_NUMBER_LITERAL)) {
jvp_literal_number* n = jvp_literal_number_ptr(j);
- if (j.size != JV_NUMBER_SIZE_CONVERTED) {
+ if (isnan(n->num_double)) {
n->num_double = jvp_literal_number_to_double(j);
- j.size = JV_NUMBER_SIZE_CONVERTED;
}
return n->num_double;
@@ -731,7 +736,7 @@ int jvp_number_is_nan(jv n) {
return decNumberIsNaN(pdec);
}
#endif
- return n.u.number != n.u.number;
+ return isnan(n.u.number);
}
int jvp_number_cmp(jv a, jv b) {
Index: jq-1.7.1/tests/jq.test
===================================================================
--- jq-1.7.1.orig/tests/jq.test
+++ jq-1.7.1/tests/jq.test
@@ -1942,11 +1942,17 @@ tojson | fromjson
{"a":nan}
{"a":null}
-# also "nan with payload" #2985
-fromjson | isnan
-"nan1234"
+# NaN with payload is not parsed
+.[] | try (fromjson | isnan) catch .
+["NaN","-NaN","NaN1","NaN10","NaN100","NaN1000","NaN10000","NaN100000"]
true
-
+true
+"Invalid numeric literal at EOF at line 1, column 4 (while parsing 'NaN1')"
+"Invalid numeric literal at EOF at line 1, column 5 (while parsing 'NaN10')"
+"Invalid numeric literal at EOF at line 1, column 6 (while parsing 'NaN100')"
+"Invalid numeric literal at EOF at line 1, column 7 (while parsing 'NaN1000')"
+"Invalid numeric literal at EOF at line 1, column 8 (while parsing 'NaN10000')"
+"Invalid numeric literal at EOF at line 1, column 9 (while parsing 'NaN100000')"
# calling input/0, or debug/0 in a test doesn't crash jq
Index: jq-1.7.1/tests/shtest
===================================================================
--- jq-1.7.1.orig/tests/shtest
+++ jq-1.7.1/tests/shtest
@@ -594,11 +594,6 @@ if ! x=$($JQ -n "1 # foo$cr + 2") || [ "
exit 1
fi
-# CVE-2023-50268: No stack overflow comparing a nan with a large payload
-$VALGRIND $Q $JQ '1 != .' <<\EOF >/dev/null
-Nan4000
-EOF
-
# Allow passing the inline jq script before -- #2919
if ! r=$($JQ --args -rn -- '$ARGS.positional[0]' bar) || [ "$r" != bar ]; then
echo "passing the inline script after -- didn't work"

BIN
jq-1.7.1.tar.gz LFS Normal file
View File

Binary file not shown.

3
jq-1.8.1.tar.gz
View File

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2be64e7129cecb11d5906290eba10af694fb9e3e7f9fc208a311dc33ca837eb0
size 2026798

97
jq.changes
View File

@@ -1,108 +1,13 @@
-------------------------------------------------------------------
Tue Jul 1 15:18:11 UTC 2025 - Martin Hauke <mardnh@gmx.de>
- Update to version 1.8.1
Security fixes
* CVE-2025-49014: Fix heap use after free in f_strftime,
f_strflocaltime.
* GHSA-f946-j5j2-4w5m: Fix stack overflow in node_min_byte_len
of oniguruma.
CLI changes
* Fix assertion failure when syntax error happens at the end of
the query.
Language changes
* Revert the change of reduce/foreach state variable in 1.8.0.
* This change was reverted due to serious performance regression.
-------------------------------------------------------------------
Wed Jun 18 13:33:37 UTC 2025 - Martin Hauke <mardnh@gmx.de>
- Update to version 1.8.0
Security fixes
* CVE-2024-23337: Fix signed integer overflow in jvp_array_write
and jvp_object_rehash.
* CVE-2024-53427: Reject NaN with payload while parsing JSON.
* CVE-2025-48060: Fix heap buffer overflow in jv_string_vfmt.
* Fix use of uninitialized value in check_literal.
* Fix segmentation fault on strftime/1, strflocaltime/1.
* Fix unhandled overflow in @base64d.
CLI changes
* Fix --indent 0 implicitly enabling --compact-output.
* Improve error messages to show problematic position in the
filter.
* Include column number in parser and compiler error messages.
* Fix error message for string literal beginning with single
quote.
* Improve JQ_COLORS environment variable to support larger
escapes like truecolor.
* Add --library-path long option for -L.
* Fix --slurp --stream when input has no trailing newline
character.
* Fix --indent option to error for malformed values.
* Fix option parsing of --binary on non-Windows platforms.
* Fix issue with ~/.jq on Windows where $HOME is not set.
* Increase the maximum parsing depth for JSON to 10000.
* Parse short options in order given.
* Consistently reset color formatting.
New functions
* Add trim/0, ltrim/0 and rtrim/0 to trim leading and trailing
white spaces.
* Add trimstr/1 to trim string from both ends.
* Add add/1. Generator variant of add/0.
* Add skip/2 as the counterpart to limit/2.
* Add toboolean/0 to convert strings to booleans.
* Add @urid format. Reverse of @uri.
Changes to existing functions
* Use code point index for indices/1, index/1 and rindex/1.
* Improve tonumber/0 performance and rejects numbers with
leading or trailing white spaces.
* Populate timezone data when formatting time.
* Preserve numerical precision on unary negation, abs/0, length/0
* Make last(empty) yield no output values like first(empty).
* Make ltrimstr/1 and rtrimstr/1 error for non-string inputs.
* Make limit/2 error for negative count.
* Fix mktime/0 overflow and allow fewer elements in date-time
representation array.
* Fix non-matched optional capture group.
* Provide strptime/1 on all systems.
* Improve bsearch/1 performance by implementing in C.
* Improve unique/0 and unique_by/1 performance.
* Fix error messages including long string literal not to break
Unicode characters.
* Remove pow10/0 as it has been deprecated in glibc 2.27.
Use exp10/0 instead.
* Remove private (and undocumented) _nwise filter.
Language changes
* Fix precedence of binding syntax against unary and binary
operators.
* Support Tcl-style multiline comments.
* Fix foreach not to break init backtracking with DUPN.
* Fix reduce/foreach state variable should not be reset each
iteration.
* Support CRLF line breaks in filters.
* Improve performance of repeating strings.
- Drop not longer needed patches (fixed by upstream):
* CVE-2024-23337.patch
* CVE-2024-53427.patch
- Remove not longer needed hardcoded compiler option "-std-gnu17"
gh#3206
-------------------------------------------------------------------
Thu Jun 12 16:24:57 UTC 2025 - Nathan Cutler <ncutler@suse.com>
- Add patch CVE-2024-23337.patch (CVE-2024-23337, bsc#1243450)
-------------------------------------------------------------------
Tue May 20 17:19:29 UTC 2025 - Nathan Cutler <ncutler@suse.com>
Tue May 20 17:12:31 UTC 2025 - Nathan Cutler <ncutler@suse.com>
- Add patch CVE-2024-53427.patch (CVE-2024-53427, bsc#1238078)
-------------------------------------------------------------------
Tue May 6 20:43:03 UTC 2025 - Martin Jambor <mjambor@suse.com>
- Build with compiler option -std=gnu17 to avoid issues with code
which is not valid in C23. [boo#1241922]
-------------------------------------------------------------------
Wed Dec 13 20:28:23 UTC 2023 - Martin Hauke <mardnh@gmx.de>

6
jq.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package jq
#
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,13 +18,15 @@
%define jq_sover 1
Name: jq
Version: 1.8.1
Version: 1.7.1
Release: 0
Summary: A lightweight and flexible command-line JSON processor
License: CC-BY-3.0 AND MIT
Group: Productivity/Text/Utilities
URL: https://github.com/jqlang
Source: https://github.com/jqlang/jq/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
Patch0: CVE-2024-23337.patch
Patch1: CVE-2024-53427.patch
BuildRequires: chrpath
BuildRequires: pkgconfig
BuildRequires: pkgconfig(oniguruma)