diff --git a/CVE-2015-8863.patch b/CVE-2015-8863.patch deleted file mode 100644 index f4046cd6759e68d85f90c79463a06f6271569ffa..0000000000000000000000000000000000000000 --- a/CVE-2015-8863.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 8eb1367ca44e772963e704a700ef72ae2e12babd Mon Sep 17 00:00:00 2001 -From: Nicolas Williams -Date: Sat, 24 Oct 2015 17:24:57 -0500 -Subject: [PATCH] Heap buffer overflow in tokenadd() (fix #105) - -This was an off-by one: the NUL terminator byte was not allocated on -resize. This was triggered by JSON-encoded numbers longer than 256 -bytes. ---- - src/jv_parse.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/jv_parse.c b/src/jv_parse.c -index 3102ed4..84245b8 100644 ---- a/src/jv_parse.c -+++ b/src/jv_parse.c -@@ -383,7 +383,7 @@ static pfunc stream_token(struct jv_parser* p, char ch) { - - static void tokenadd(struct jv_parser* p, char c) { - assert(p->tokenpos <= p->tokenlen); -- if (p->tokenpos == p->tokenlen) { -+ if (p->tokenpos >= (p->tokenlen - 1)) { - p->tokenlen = p->tokenlen*2 + 256; - p->tokenbuf = jv_mem_realloc(p->tokenbuf, p->tokenlen); - } -@@ -485,7 +485,7 @@ static pfunc check_literal(struct jv_parser* p) { - TRY(value(p, v)); - } else { - // FIXME: better parser -- p->tokenbuf[p->tokenpos] = 0; // FIXME: invalid -+ p->tokenbuf[p->tokenpos] = 0; - char* end = 0; - double d = jvp_strtod(&p->dtoa, p->tokenbuf, &end); - if (end == 0 || *end != 0) --- -2.14.3 - diff --git a/CVE-2016-4074.patch b/CVE-2016-4074.patch deleted file mode 100644 index d7369540491aa031b1e2884f61eeb038dedae493..0000000000000000000000000000000000000000 --- a/CVE-2016-4074.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 83e2cf607f3599d208b6b3129092fa7deb2e5292 Mon Sep 17 00:00:00 2001 -From: W-Mark Kubacki -Date: Fri, 19 Aug 2016 19:50:39 +0200 -Subject: [PATCH] Skip printing what's below a MAX_PRINT_DEPTH - -This addresses #1136, and mitigates a stack exhaustion when printing -a very deeply nested term. ---- - src/jv_print.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/jv_print.c b/src/jv_print.c -index 5f4f234..ce4a59a 100644 ---- a/src/jv_print.c -+++ b/src/jv_print.c -@@ -13,6 +13,10 @@ - #include "jv_dtoa.h" - #include "jv_unicode.h" - -+#ifndef MAX_PRINT_DEPTH -+#define MAX_PRINT_DEPTH (256) -+#endif -+ - #define ESC "\033" - #define COL(c) (ESC "[" c "m") - #define COLRESET (ESC "[0m") -@@ -150,7 +154,9 @@ static void jv_dump_term(struct dtoa_context* C, jv x, int flags, int indent, FI - } - } - } -- switch (jv_get_kind(x)) { -+ if (indent > MAX_PRINT_DEPTH) { -+ put_str("", F, S, flags & JV_PRINT_ISATTY); -+ } else switch (jv_get_kind(x)) { - default: - case JV_KIND_INVALID: - if (flags & JV_PRINT_INVALID) { --- -1.8.3.1 - diff --git a/jq-1.5.tar.gz b/jq-1.5.tar.gz deleted file mode 100644 index d034ef9459e2a8ca010cf080f1a01a28ef3283ab..0000000000000000000000000000000000000000 Binary files a/jq-1.5.tar.gz and /dev/null differ diff --git a/jq-1.8.0.tar.gz b/jq-1.8.0.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..1e270e4f85bb780d879c7d3f43c82aec749fae2d Binary files /dev/null and b/jq-1.8.0.tar.gz differ diff --git a/jq.spec b/jq.spec index f5ce4bfa290422d915ef9b00b3e9d9bcb0d391d7..92b03b5ad36337951fe5ac22c60647b3f9aff950 100644 --- a/jq.spec +++ b/jq.spec @@ -1,14 +1,14 @@ Name: jq -Version: 1.5 -Release: 19 +Version: 1.8.0 +Release: 1 Summary: A lightweight and flexible command-line JSON processor -License: MIT and ASL 2.0 and CC-BY and GPLv3 -URL: http://stedolan.github.io/jq/ -Source0: https://github.com/stedolan/jq/releases/download/jq-%{version}/jq-%{version}.tar.gz -Patch0: CVE-2015-8863.patch -Patch1: CVE-2016-4074.patch -BuildRequires: make flex bison valgrind chrpath -Requires: %{name}-help = %{version}-%{release} +License: MIT AND ICU AND CC-BY-3.0 +URL: https://jqlang.github.io/jq/ +Source0: https://github.com/jqlang/jq/releases/download/jq-%{version}/jq-%{version}.tar.gz +BuildRequires: make flex bison gcc chrpath oniguruma-devel +%ifarch %{valgrind_arches} +BuildRequires: valgrind +%endif %description jq is a lightweight and flexible command-line JSON processor. @@ -31,7 +31,7 @@ BuildArch: noarch Documentation for jq package. %prep -%autosetup -n jq-%{version} +%autosetup -n jq-%{version} -p1 %build %configure --disable-static @@ -39,8 +39,9 @@ Documentation for jq package. %install %make_install -%delete_la -chrpath -d %{buildroot}/%{_bindir}/jq +%delete_la_and_a +rm -fr %{buildroot}%{_docdir} +chrpath -d %{buildroot}%{_bindir}/%{name} %check %if %{?_with_check:1}%{!?_with_check:0} @@ -57,27 +58,38 @@ make check %files +%license COPYING +%doc AUTHORS %{_bindir}/jq %{_libdir}/libjq.so.* -%{_datadir}/doc/jq/COPYING -%{_datadir}/doc/jq/AUTHORS %files devel %{_includedir}/*.h %{_libdir}/libjq.so +%{_libdir}/pkgconfig/libjq.pc %files help -%{_datadir}/man/man1/jq.1.gz -%{_datadir}/doc/jq/README -%{_datadir}/doc/jq/README.md - +%doc NEWS.md README.md +%{_mandir}/man1/jq.1.gz %changelog -* Tue Nov 21 2023 Ge Wang -1.5-19 -- Remove rpath +* Tue Jun 17 2025 yaoxin <1024769339@qq.com> - 1.8.0-1 +- Update to 1.8.0 for fix CVE-2024-23337 and CVE-2025-48060 + +* Sun Apr 28 2024 yinsist - 1.6-4 +- Valgrind does not support certain architectures like RISC-V, Before depending on Valgrind, first check if Valgrind supports the architecture + +* Mon May 30 2022 Chenyx - 1.6-3 +- License compliance rectification + +* Mon Aug 30 2021 lingsheng - 1.6-2 +- Support binary strings preserve UTF-8 and UTF-16 errors + +* Wed Aug 25 2021 wangyue - 1.6-1 +- Upgrade to 1.6 -* Fri Nov 06 2020 leiju -1.5-18 -- Add Requires jq-help into jq +* Thu Jun 03 2021 wulei - 1.5-18 +- fixes failed: no acceptable C compiler found in $PATH * Sat Mar 21 2020 yanglijin -1.5-17 - close check diff --git a/jq.yaml b/jq.yaml new file mode 100644 index 0000000000000000000000000000000000000000..4f22ed01b99d5373018bb66cbac2a2ccd503604e --- /dev/null +++ b/jq.yaml @@ -0,0 +1,4 @@ +version_control: github +src_repo: stedolan/jq +tag_prefix: jq- +seperator: .