diff --git a/0001-CVE-2024-23337.patch b/0001-CVE-2024-23337.patch new file mode 100644 index 0000000000000000000000000000000000000000..205d85cbf42f929cd577f66b843d3e4a62738197 --- /dev/null +++ b/0001-CVE-2024-23337.patch @@ -0,0 +1,206 @@ +Based on: + +commit de21386681c0df0104a99d9d09db23a9b2a78b1e +Author: itchyny +Date: Wed May 21 07:45:00 2025 +0900 + + Fix signed integer overflow in jvp_array_write and jvp_object_rehash + + This commit fixes signed integer overflow and SEGV issues on growing + arrays and objects. The size of arrays and objects is now limited to + `536870912` (`0x20000000`). This fixes CVE-2024-23337 and fixes #3262. + +diff -up jq-jq-1.7.1/src/jv_aux.c.orig jq-jq-1.7.1/src/jv_aux.c +--- jq-jq-1.7.1/src/jv_aux.c.orig 2023-12-13 20:20:22.000000000 +0100 ++++ jq-jq-1.7.1/src/jv_aux.c 2025-06-25 10:10:45.542441628 +0200 +@@ -193,18 +193,19 @@ jv jv_set(jv t, jv k, jv v) { + if (slice_len < insert_len) { + // array is growing + int shift = insert_len - slice_len; +- for (int i = array_len - 1; i >= end; i--) { ++ for (int i = array_len - 1; i >= end && jv_is_valid(t); i--) { + t = jv_array_set(t, i + shift, jv_array_get(jv_copy(t), i)); + } + } else if (slice_len > insert_len) { + // array is shrinking + int shift = slice_len - insert_len; +- for (int i = end; i < array_len; i++) { ++ for (int i = end; i < array_len && jv_is_valid(t); i++) { + t = jv_array_set(t, i - shift, jv_array_get(jv_copy(t), i)); + } +- t = jv_array_slice(t, 0, array_len - shift); ++ if (jv_is_valid(t)) ++ t = jv_array_slice(t, 0, array_len - shift); + } +- for (int i=0; i < insert_len; i++) { ++ for (int i = 0; i < insert_len && jv_is_valid(t); i++) { + t = jv_array_set(t, start + i, jv_array_get(jv_copy(v), i)); + } + jv_free(v); +diff -up jq-jq-1.7.1/src/jv.c.orig jq-jq-1.7.1/src/jv.c +--- jq-jq-1.7.1/src/jv.c.orig 2025-06-25 10:07:24.630147714 +0200 ++++ jq-jq-1.7.1/src/jv.c 2025-06-25 10:12:28.591914084 +0200 +@@ -1001,6 +1001,11 @@ jv jv_array_set(jv j, int idx, jv val) { + jv_free(val); + return jv_invalid_with_msg(jv_string("Out of bounds negative array index")); + } ++ if (idx > (INT_MAX >> 2) - jvp_array_offset(j)) { ++ jv_free(j); ++ jv_free(val); ++ return jv_invalid_with_msg(jv_string("Array index too large")); ++ } + // copy/free of val,j coalesced + jv* slot = jvp_array_write(&j, idx); + jv_free(*slot); +@@ -1020,6 +1025,7 @@ jv jv_array_concat(jv a, jv b) { + // FIXME: could be faster + jv_array_foreach(b, i, elem) { + a = jv_array_append(a, elem); ++ if (!jv_is_valid(a)) break; + } + jv_free(b); + return a; +@@ -1292,6 +1298,7 @@ jv jv_string_indexes(jv j, jv k) { + p = jstr; + while ((p = _jq_memmem(p, (jstr + jlen) - p, idxstr, idxlen)) != NULL) { + a = jv_array_append(a, jv_number(p - jstr)); ++ if (!jv_is_valid(a)) break; + p++; + } + } +@@ -1314,14 +1321,17 @@ jv jv_string_split(jv j, jv sep) { + + if (seplen == 0) { + int c; +- while ((jstr = jvp_utf8_next(jstr, jend, &c))) ++ while ((jstr = jvp_utf8_next(jstr, jend, &c))) { + a = jv_array_append(a, jv_string_append_codepoint(jv_string(""), c)); ++ if (!jv_is_valid(a)) break; ++ } + } else { + for (p = jstr; p < jend; p = s + seplen) { + s = _jq_memmem(p, jend - p, sepstr, seplen); + if (s == NULL) + s = jend; + a = jv_array_append(a, jv_string_sized(p, s - p)); ++ if (!jv_is_valid(a)) break; + // Add an empty string to denote that j ends on a sep + if (s + seplen == jend && seplen != 0) + a = jv_array_append(a, jv_string("")); +@@ -1339,8 +1349,10 @@ jv jv_string_explode(jv j) { + const char* end = i + len; + jv a = jv_array_sized(len); + int c; +- while ((i = jvp_utf8_next(i, end, &c))) ++ while ((i = jvp_utf8_next(i, end, &c))) { + a = jv_array_append(a, jv_number(c)); ++ if (!jv_is_valid(a)) break; ++ } + jv_free(j); + return a; + } +@@ -1614,10 +1626,13 @@ static void jvp_object_free(jv o) { + } + } + +-static jv jvp_object_rehash(jv object) { ++static int jvp_object_rehash(jv *objectp) { ++ jv object = *objectp; + assert(JVP_HAS_KIND(object, JV_KIND_OBJECT)); + assert(jvp_refcnt_unshared(object.u.ptr)); + int size = jvp_object_size(object); ++ if (size > INT_MAX >> 2) ++ return 0; + jv new_object = jvp_object_new(size * 2); + for (int i=0; ivalue; ++ *valpp = &slot->value; ++ return 1; + } + slot = jvp_object_add_slot(*object, key, bucket); + if (slot) { + slot->value = jv_invalid(); + } else { +- *object = jvp_object_rehash(*object); ++ if (!jvp_object_rehash(object)) { ++ *valpp = NULL; ++ return 0; ++ } + bucket = jvp_object_find_bucket(*object, key); + assert(!jvp_object_find_slot(*object, key, bucket)); + slot = jvp_object_add_slot(*object, key, bucket); + assert(slot); + slot->value = jv_invalid(); + } +- return &slot->value; ++ *valpp = &slot->value; ++ return 1; + } + + static int jvp_object_delete(jv* object, jv key) { +@@ -1779,7 +1800,11 @@ jv jv_object_set(jv object, jv key, jv v + assert(JVP_HAS_KIND(object, JV_KIND_OBJECT)); + assert(JVP_HAS_KIND(key, JV_KIND_STRING)); + // copy/free of object, key, value coalesced +- jv* slot = jvp_object_write(&object, key); ++ jv* slot; ++ if (!jvp_object_write(&object, key, &slot)) { ++ jv_free(object); ++ return jv_invalid_with_msg(jv_string("Object too big")); ++ } + jv_free(*slot); + *slot = value; + return object; +@@ -1804,6 +1829,7 @@ jv jv_object_merge(jv a, jv b) { + assert(JVP_HAS_KIND(a, JV_KIND_OBJECT)); + jv_object_foreach(b, k, v) { + a = jv_object_set(a, k, v); ++ if (!jv_is_valid(a)) break; + } + jv_free(b); + return a; +@@ -1823,6 +1849,7 @@ jv jv_object_merge_recursive(jv a, jv b) + jv_free(elem); + a = jv_object_set(a, k, v); + } ++ if (!jv_is_valid(a)) break; + } + jv_free(b); + return a; +diff -up jq-jq-1.7.1/tests/jq.test.orig jq-jq-1.7.1/tests/jq.test +--- jq-jq-1.7.1/tests/jq.test.orig 2025-06-25 10:07:24.630712938 +0200 ++++ jq-jq-1.7.1/tests/jq.test 2025-06-25 10:10:45.542877328 +0200 +@@ -198,6 +198,10 @@ null + [0,1,2] + [0,5,2] + ++try (.[999999999] = 0) catch . ++null ++"Array index too large" ++ + # + # Multiple outputs, iteration + # diff --git a/0002-CVE-2025-48060.patch b/0002-CVE-2025-48060.patch new file mode 100644 index 0000000000000000000000000000000000000000..f017b679d466e04a2cbc5856afd50462d5504b44 --- /dev/null +++ b/0002-CVE-2025-48060.patch @@ -0,0 +1,141 @@ +CVE-2025-48060 fix based on: + +commit dc849e9bb74a7a164a3ea52f661cc712b1ffbd43 +Author: itchyny +Date: Tue Mar 4 22:13:55 2025 +0900 + + Improve performance of repeating strings (#3272) + + This commit improves the performance of repeating strings, by copying + the result string instead of the string being repeated. Also it adds + an error message when the result string is too long. + +and + +commit c6e041699d8cd31b97375a2596217aff2cfca85b +Author: itchyny +Date: Sat May 31 11:46:40 2025 +0900 + + Fix heap buffer overflow when formatting an empty string + + The `jv_string_empty` did not properly null-terminate the string data, + which could lead to a heap buffer overflow. The test case of + GHSA-p7rr-28xf-3m5w (`0[""*0]`) was fixed by the commit dc849e9bb74a, + but another case (`0[[]|implode]`) was still vulnerable. This commit + ensures string data is properly null-terminated, and fixes CVE-2025-48060. + +diff -up jq-jq-1.7.1/src/builtin.c.orig jq-jq-1.7.1/src/builtin.c +--- jq-jq-1.7.1/src/builtin.c.orig 2023-12-13 20:20:22.000000000 +0100 ++++ jq-jq-1.7.1/src/builtin.c 2025-06-25 10:44:54.924284670 +0200 +@@ -369,21 +369,10 @@ jv binop_multiply(jv a, jv b) { + str = b; + num = a; + } +- jv res; + double d = jv_number_value(num); +- if (d < 0 || isnan(d)) { +- res = jv_null(); +- } else { +- int n = d; +- size_t alen = jv_string_length_bytes(jv_copy(str)); +- res = jv_string_empty(alen * n); +- for (; n > 0; n--) { +- res = jv_string_append_buf(res, jv_string_value(str), alen); +- } +- } +- jv_free(str); + jv_free(num); +- return res; ++ return jv_string_repeat(str, ++ d < 0 || isnan(d) ? -1 : d > INT_MAX ? INT_MAX : (int)d); + } else if (ak == JV_KIND_OBJECT && bk == JV_KIND_OBJECT) { + return jv_object_merge_recursive(a, b); + } else { +diff -up jq-jq-1.7.1/src/jv.c.orig jq-jq-1.7.1/src/jv.c +--- jq-jq-1.7.1/src/jv.c.orig 2025-06-25 10:53:50.314332900 +0200 ++++ jq-jq-1.7.1/src/jv.c 2025-06-25 10:51:23.208740329 +0200 +@@ -1125,6 +1125,7 @@ static jv jvp_string_empty_new(uint32_t + jvp_string* s = jvp_string_alloc(length); + s->length_hashed = 0; + memset(s->data, 0, length); ++ s->data[length] = 0; + jv r = {JVP_FLAGS_STRING, 0, 0, 0, {&s->refcnt}}; + return r; + } +@@ -1307,6 +1308,32 @@ jv jv_string_indexes(jv j, jv k) { + return a; + } + ++jv jv_string_repeat(jv j, int n) { ++ assert(JVP_HAS_KIND(j, JV_KIND_STRING)); ++ if (n < 0) { ++ jv_free(j); ++ return jv_null(); ++ } ++ int len = jv_string_length_bytes(jv_copy(j)); ++ int64_t res_len = (int64_t)len * n; ++ if (res_len >= INT_MAX) { ++ jv_free(j); ++ return jv_invalid_with_msg(jv_string("Repeat string result too long")); ++ } ++ if (res_len == 0) { ++ jv_free(j); ++ return jv_string(""); ++ } ++ jv res = jv_string_empty(res_len); ++ res = jvp_string_append(res, jv_string_value(j), len); ++ for (int curr = len, grow; curr < res_len; curr += grow) { ++ grow = MIN(res_len - curr, curr); ++ res = jvp_string_append(res, jv_string_value(res), grow); ++ } ++ jv_free(j); ++ return res; ++} ++ + jv jv_string_split(jv j, jv sep) { + assert(JVP_HAS_KIND(j, JV_KIND_STRING)); + assert(JVP_HAS_KIND(sep, JV_KIND_STRING)); +diff -up jq-jq-1.7.1/src/jv.h.orig jq-jq-1.7.1/src/jv.h +--- jq-jq-1.7.1/src/jv.h.orig 2023-12-13 20:20:22.000000000 +0100 ++++ jq-jq-1.7.1/src/jv.h 2025-06-25 10:44:54.925242109 +0200 +@@ -131,6 +131,7 @@ jv jv_string_fmt(const char*, ...) JV_PR + jv jv_string_append_codepoint(jv a, uint32_t c); + jv jv_string_append_buf(jv a, const char* buf, int len); + jv jv_string_append_str(jv a, const char* str); ++jv jv_string_repeat(jv j, int n); + jv jv_string_split(jv j, jv sep); + jv jv_string_explode(jv j); + jv jv_string_implode(jv j); +diff -up jq-jq-1.7.1/tests/jq.test.orig jq-jq-1.7.1/tests/jq.test +--- jq-jq-1.7.1/tests/jq.test.orig 2025-06-25 10:53:02.390073835 +0200 ++++ jq-jq-1.7.1/tests/jq.test 2025-06-25 10:51:23.209350316 +0200 +@@ -1369,6 +1369,18 @@ indices(", ") + "abc" + [null,null] + ++. * 100000 | [.[:10],.[-10:]] ++"abc" ++["abcabcabca","cabcabcabc"] ++ ++. * 1000000000 ++"" ++"" ++ ++try (. * 1000000000) catch . ++"abc" ++"Repeat string result too long" ++ + [.[] / ","] + ["a, bc, def, ghij, jklmn, a,b, c,d, e,f", "a,b,c,d, e,f,g,h"] + [["a"," bc"," def"," ghij"," jklmn"," a","b"," c","d"," e","f"],["a","b","c","d"," e","f","g","h"]] +@@ -2030,6 +2042,10 @@ map(try implode catch .) + [123,["a"],[nan]] + ["implode input must be an array","string (\"a\") can't be imploded, unicode codepoint needs to be numeric","number (null) can't be imploded, unicode codepoint needs to be numeric"] + ++try 0[implode] catch . ++[] ++"Cannot index number with string \"\"" ++ + # walk + walk(.) + {"x":0} diff --git a/Fix-CVE-2024-53427.patch b/Fix-CVE-2024-53427.patch deleted file mode 100644 index 7210825917f3b005207db9694f5999c27cd53674..0000000000000000000000000000000000000000 --- a/Fix-CVE-2024-53427.patch +++ /dev/null @@ -1,138 +0,0 @@ -From ed19fa4a16c2e446bc2ad9746714b7a8aec7c4e8 Mon Sep 17 00:00:00 2001 - From: itchyny - Date: Sun, 16 Feb 2025 22:08:36 +0900 - Subject: [PATCH 1/2] fix: `jv_number_value` should cache the double value of - literal numbers (#3245) - - The code of `jv_number_value` is intended to cache the double value of - literal numbers, but it does not work because it accepts the `jv` struct - by value. This patch fixes the behavior by checking if the double value - is `NaN`, which indicates the unconverted value. This patch improves the - performance of major use cases; e.g. `range(1000000)` runs 25% faster. - --- - src/jv.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - - diff --git a/src/jv.c b/src/jv.c - index e23d8ec..9329eae 100644 - --- a/src/jv.c - +++ b/src/jv.c - @@ -206,9 +206,6 @@ enum { - JVP_NUMBER_DECIMAL = 1 - }; - - -#define JV_NUMBER_SIZE_INIT (0) - -#define JV_NUMBER_SIZE_CONVERTED (1) - - - #define JVP_FLAGS_NUMBER_NATIVE JVP_MAKE_FLAGS(JV_KIND_NUMBER, JVP_MAKE_PFLAGS(JVP_NUMBER_NATIVE, 0)) - #define JVP_FLAGS_NUMBER_LITERAL JVP_MAKE_FLAGS(JV_KIND_NUMBER, JVP_MAKE_PFLAGS(JVP_NUMBER_DECIMAL, 1)) - - @@ -589,8 +586,12 @@ static jv jvp_literal_number_new(const char * literal) { - jv_mem_free(n); - return JV_INVALID; - } - + if (decNumberIsNaN(&n->num_decimal)) { - + jv_mem_free(n); - + return jv_number(NAN); - + } - - - jv r = {JVP_FLAGS_NUMBER_LITERAL, 0, 0, JV_NUMBER_SIZE_INIT, {&n->refcnt}}; - + jv r = {JVP_FLAGS_NUMBER_LITERAL, 0, 0, 0, {&n->refcnt}}; - return r; - } - - @@ -698,9 +699,8 @@ double jv_number_value(jv j) { - if (JVP_HAS_FLAGS(j, JVP_FLAGS_NUMBER_LITERAL)) { - jvp_literal_number* n = jvp_literal_number_ptr(j); - - - if (j.size != JV_NUMBER_SIZE_CONVERTED) { - + if (isnan(n->num_double)) { - n->num_double = jvp_literal_number_to_double(j); - - j.size = JV_NUMBER_SIZE_CONVERTED; - } - - return n->num_double; - @@ -731,7 +731,7 @@ int jvp_number_is_nan(jv n) { - return decNumberIsNaN(pdec); - } - #endif - - return n.u.number != n.u.number; - + return isnan(n.u.number); - } - - int jvp_number_cmp(jv a, jv b) { - -- - 2.43.0 - -From a09a4dfd55e6c24d04b35062ccfe4509748b1dd3 Mon Sep 17 00:00:00 2001 -From: itchyny -Date: Wed, 5 Mar 2025 07:43:54 +0900 -Subject: [PATCH] Reject NaN with payload while parsing JSON - -This commit drops support for parsing NaN with payload in JSON like -`NaN123` and fixes CVE-2024-53427. Other JSON extensions like `NaN` and -`Infinity` are still supported. Fixes #3023, fixes #3196, fixes #3246. ---- - src/jv.c | 5 +++++ - tests/jq.test | 14 ++++++++++---- - tests/shtest | 7 ------- - 3 files changed, 15 insertions(+), 11 deletions(-) - -diff --git a/src/jv.c b/src/jv.c -index fd6cfcabc3..0fbdcfaa7e 100644 ---- a/src/jv.c -+++ b/src/jv.c -@@ -585,6 +585,11 @@ static jv jvp_literal_number_new(const char * literal) { - return JV_INVALID; - } - if (decNumberIsNaN(&n->num_decimal)) { -+ // Reject NaN with payload. -+ if (n->num_decimal.digits > 1 || *n->num_decimal.lsu != 0) { -+ jv_mem_free(n); -+ return JV_INVALID; -+ } - jv_mem_free(n); - return jv_number(NAN); - } -diff --git a/tests/jq.test b/tests/jq.test -index 2e3c1e8bd7..f5a57b1823 100644 ---- a/tests/jq.test -+++ b/tests/jq.test -@@ -1938,11 +1938,17 @@ tojson | fromjson - {"a":nan} - {"a":null} - --# also "nan with payload" #2985 --fromjson | isnan --"nan1234" -+# NaN with payload is not parsed -+.[] | try (fromjson | isnan) catch . -+["NaN","-NaN","NaN1","NaN10","NaN100","NaN1000","NaN10000","NaN100000"] - true -- -+true -+"Invalid numeric literal at EOF at line 1, column 4 (while parsing 'NaN1')" -+"Invalid numeric literal at EOF at line 1, column 5 (while parsing 'NaN10')" -+"Invalid numeric literal at EOF at line 1, column 6 (while parsing 'NaN100')" -+"Invalid numeric literal at EOF at line 1, column 7 (while parsing 'NaN1000')" -+"Invalid numeric literal at EOF at line 1, column 8 (while parsing 'NaN10000')" -+"Invalid numeric literal at EOF at line 1, column 9 (while parsing 'NaN100000')" - - # calling input/0, or debug/0 in a test doesn't crash jq - -diff --git a/tests/shtest b/tests/shtest -index 86e759ba69..72ffc086fd 100755 ---- a/tests/shtest -+++ b/tests/shtest -@@ -594,11 +594,6 @@ - exit 1 - fi - --# CVE-2023-50268: No stack overflow comparing a nan with a large payload --$VALGRIND $Q $JQ '1 != .' <<\EOF >/dev/null --Nan4000 --EOF -- - # Allow passing the inline jq script before -- #2919 - if ! r=$($JQ --args -rn -- '$ARGS.positional[0]' bar) || [ "$r" != bar ]; then - echo "passing the inline script after -- didn't work" diff --git a/jq.spec b/jq.spec index b83426fe1dda532240fee33d595e704f7c6a38be..0bfd287dd26a99a9bd8ddc6f87dcbae2d6956974 100644 --- a/jq.spec +++ b/jq.spec @@ -1,4 +1,20 @@ -%define anolis_release 2 +ExclusiveArch: x86_64 aarch64 +## START: Set by rpmautospec +## (rpmautospec version 0.6.5) +## RPMAUTOSPEC: autorelease, autochangelog +%define autorelease(e:s:pb:n) %{?-p:0.}%{lua: + release_number = 12; + base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); + print(release_number + base_release_number - 1); +}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} +## END: Set by rpmautospec + +# valgrind cannot cope with GCC 13+ SSE4.1 optimizations of strcmp +# https://bugzilla.redhat.com/show_bug.cgi?id=2257546 +%bcond check %[!(0%{?rhel} >= 10)] + +%global anolis_release 1 + Name: jq Version: 1.7.1 Release: %{anolis_release}%{?dist} @@ -7,9 +23,8 @@ Summary: Command-line JSON processor License: MIT and ASL 2.0 and CC-BY and GPLv3 URL: https://jqlang.github.io/jq/ Source0: https://github.com/jqlang/jq/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz - -# https://github.com/jqlang/jq/commit/a09a4dfd55e6c24d04b35062ccfe4509748b1dd3 -Patch0: Fix-CVE-2024-53427.patch +Patch1: 0001-CVE-2024-23337.patch +Patch3: 0002-CVE-2025-48060.patch BuildRequires: gcc BuildRequires: flex @@ -99,6 +114,10 @@ make check %{_libdir}/pkgconfig/libjq.pc %changelog +* Fri Feb 13 2026 wency_cn - 1.7.1-3 +- Apply security patches for CVE-2024-23337 and CVE-2025-48060 +- Fix integer overflow and heap buffer overflow vulnerabilities + * Fri Mar 28 2025 mgb01105731 - 1.7.1-2 - Add patch to fix CVE-2024-53427