jq: *actually* fix CVE-2025-48060 (#412590)

authored by Leona Maroni and committed by GitHub 68f92917 3a906e97

+54 -4
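--- a/pkgs/by-name/jq/jq/0001-Improve-performance-of-repeating-strings-3272.patch
+++ b/pkgs/by-name/jq/jq/0001-Improve-performance-of-repeating-strings-3272.patch
@@ -1,7 +1,7 @@
 From c15fc903e00fdd3b460e64d5a6a540f944e1eca6 Mon Sep 17 00:00:00 2001
 From: itchyny <itchyny@cybozu.co.jp>
 Date: Tue, 4 Mar 2025 22:13:55 +0900
-Subject: [PATCH 1/4] Improve performance of repeating strings (#3272)
+Subject: [PATCH 1/5] Improve performance of repeating strings (#3272)
 
 This commit improves the performance of repeating strings, by copying
 the result string instead of the string being repeated. Also it adds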
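--- a/pkgs/by-name/jq/jq/0002-fix-jv_number_value-should-cache-the-double-value-of.patch
+++ b/pkgs/by-name/jq/jq/0002-fix-jv_number_value-should-cache-the-double-value-of.patch
@@ -1,7 +1,7 @@
 From df0ddb83feb656230157f5bc9b7f34caef1f82be Mon Sep 17 00:00:00 2001
 From: itchyny <itchyny@cybozu.co.jp>
 Date: Sun, 16 Feb 2025 22:08:36 +0900
-Subject: [PATCH 2/4] fix: `jv_number_value` should cache the double value of
+Subject: [PATCH 2/5] fix: `jv_number_value` should cache the double value of
 literal numbers (#3245)
 
 The code of `jv_number_value` is intended to cache the double value of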
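--- a/pkgs/by-name/jq/jq/0003-Reject-NaN-with-payload-while-parsing-JSON.patch
+++ b/pkgs/by-name/jq/jq/0003-Reject-NaN-with-payload-while-parsing-JSON.patch
@@ -1,7 +1,7 @@
 From dfd25612454deacb6df47329787844795bf59821 Mon Sep 17 00:00:00 2001
 From: itchyny <itchyny@cybozu.co.jp>
 Date: Wed, 5 Mar 2025 07:43:54 +0900
-Subject: [PATCH 3/4] Reject NaN with payload while parsing JSON
+Subject: [PATCH 3/5] Reject NaN with payload while parsing JSON
 
 This commit drops support for parsing NaN with payload in JSON like
 `NaN123` and fixes CVE-2024-53427. Other JSON extensions like `NaN` and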
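--- a/pkgs/by-name/jq/jq/0004-Fix-signed-integer-overflow-in-jvp_array_write-and-j.patch
+++ b/pkgs/by-name/jq/jq/0004-Fix-signed-integer-overflow-in-jvp_array_write-and-j.patch
@@ -1,7 +1,7 @@
 From dc65d5af447f266d8a4037551e028785aab31e04 Mon Sep 17 00:00:00 2001
 From: itchyny <itchyny@cybozu.co.jp>
 Date: Wed, 21 May 2025 07:45:00 +0900
-Subject: [PATCH 4/4] Fix signed integer overflow in jvp_array_write and
+Subject: [PATCH 4/5] Fix signed integer overflow in jvp_array_write and
 jvp_object_rehash
 
 This commit fixes signed integer overflow and SEGV issues on growing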
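--- a/pkgs/by-name/jq/jq/0005-Fix-heap-buffer-overflow-when-formatting-an-empty-st.patch
+++ b/pkgs/by-name/jq/jq/0005-Fix-heap-buffer-overflow-when-formatting-an-empty-st.patch
@@ -0,0 +1,45 @@
+From d73a79035e1d24011a3363d52bf36b4eaea67aa6 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Sat, 31 May 2025 11:46:40 +0900
+Subject: [PATCH 5/5] Fix heap buffer overflow when formatting an empty string
+
+The `jv_string_empty` did not properly null-terminate the string data,
+which could lead to a heap buffer overflow. The test case of
+GHSA-p7rr-28xf-3m5w (`0[""*0]`) was fixed by the commit dc849e9bb74a,
+but another case (`0[[]|implode]`) was still vulnerable. This commit
+ensures string data is properly null-terminated, and fixes CVE-2025-48060.
+---
+src/jv.c | 1 +
+tests/jq.test | 4 ++++
+2 files changed, 5 insertions(+)
+
+diff --git a/src/jv.c b/src/jv.c
+index 6e8cdd3..3303286 100644
+--- a/src/jv.c
++++ b/src/jv.c
+@@ -1121,6 +1121,7 @@ static jv jvp_string_empty_new(uint32_t length) {
+jvp_string* s = jvp_string_alloc(length);
+s->length_hashed = 0;
+memset(s->data, 0, length);
++ s->data[length] = 0;
+jv r = {JVP_FLAGS_STRING, 0, 0, 0, {&s->refcnt}};
+return r;
+}
+diff --git a/tests/jq.test b/tests/jq.test
+index 10b20e3..680706b 100644
+--- a/tests/jq.test
++++ b/tests/jq.test
+@@ -2042,6 +2042,10 @@ map(try implode catch .)
+[123,["a"],[nan]]
+["implode input must be an array","string (\"a\") can't be imploded, unicode codepoint needs to be numeric","number (null) can't be imploded, unicode codepoint needs to be numeric"]
+
++try 0[implode] catch .
++[]
++"Cannot index number with string \"\""
++
+# walk
+walk(.)
+{"x":0}
+--
+2.49.0
+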
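--- a/pkgs/by-name/jq/jq/package.nix
+++ b/pkgs/by-name/jq/jq/package.nix
@@ -44,6 +44,11 @@
 # CVE-2024-23337
 # https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e
 ./0004-Fix-signed-integer-overflow-in-jvp_array_write-and-j.patch
+
+# CVE-2025-48060, part two
+# Improve-performance-of-repeating-strings is only a partial fix
+# https://github.com/jqlang/jq/commit/c6e041699d8cd31b97375a2596217aff2cfca85b
+./0005-Fix-heap-buffer-overflow-when-formatting-an-empty-st.patch
 ];
 
 # https://github.com/jqlang/jq/issues/2871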
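Review bot: The three comment lines added before the new patch entry name the earlier partial fix only loosely ("Improve-performance-of-repeating-strings") and omit the advisory id that the vendored patch itself cites, which makes the entry harder to audit than the CVE-id / commit-URL / patch-file pattern of the 0004 entry directly above it. Consider `# CVE-2025-48060 / GHSA-p7rr-28xf-3m5w, part two` and `# 0001-Improve-performance-of-repeating-strings-3272.patch is only a partial fix` so the reference resolves to a file in this directory. The linked upstream commit c6e041699d8c… also differs from the `From d73a79035e1d…` header inside 0005-*.patch; the same pattern holds for the existing 0004 entry (de21386… linked, dc65d5af… in the patch), so this is presumably the upstream id versus a rebased export rather than a wrong link, but a one-line note on that convention would spare the next reviewer the cross-check.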