From 96b4774ff6756c89c5c8eeeab5f47c396a831117 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Wed, 25 Jun 2025 10:50:27 +0800
Subject: [PATCH] Fix CVE-2025-49014
(cherry picked from commit dd16f116aae9d31c00812e7478ad83d1347a6a8e)
---
CVE-2025-49014.patch | 62 ++++++++++++++++++++++++++++++++++++++++++++
jq.spec | 6 ++++-
2 files changed, 67 insertions(+), 1 deletion(-)
create mode 100644 CVE-2025-49014.patch
diff --git a/CVE-2025-49014.patch b/CVE-2025-49014.patch
new file mode 100644
index 0000000..a2c9cf3
--- /dev/null
+++ b/CVE-2025-49014.patch
@@ -0,0 +1,62 @@
+From 499c91bca9d4d027833bc62787d1bb075c03680e Mon Sep 17 00:00:00 2001
+From: Mattias Wadman
+Date: Thu, 19 Jun 2025 00:11:01 +0200
+Subject: [PATCH] Fixes CVE-2025-49014 which was introduced in 1.8.0
+
+---
+ src/builtin.c | 6 ++++--
+ tests/jq.test | 8 ++++++++
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/src/builtin.c b/src/builtin.c
+index 5787ca852a..52fe77c4f6 100644
+--- a/src/builtin.c
++++ b/src/builtin.c
+@@ -1764,6 +1764,7 @@ static jv f_strftime(jq_state *jq, jv a, jv b) {
+ return ret_error(b, jv_string("strftime/1 requires parsed datetime inputs"));
+
+ const char *fmt = jv_string_value(b);
++ int fmt_not_empty = *fmt != '\0';
+ size_t max_size = strlen(fmt) + 100;
+ char *buf = jv_mem_alloc(max_size);
+ #ifdef __APPLE__
+@@ -1784,7 +1785,7 @@ static jv f_strftime(jq_state *jq, jv a, jv b) {
+ #endif
+ jv_free(b);
+ /* POSIX doesn't provide errno values for strftime() failures; weird */
+- if ((n == 0 && *fmt) || n > max_size) {
++ if ((n == 0 && fmt_not_empty) || n > max_size) {
+ free(buf);
+ return jv_invalid_with_msg(jv_string("strftime/1: unknown system failure"));
+ }
+@@ -1813,12 +1814,13 @@ static jv f_strflocaltime(jq_state *jq, jv a, jv b) {
+ if (!jv2tm(a, &tm, 1))
+ return ret_error(b, jv_string("strflocaltime/1 requires parsed datetime inputs"));
+ const char *fmt = jv_string_value(b);
++ int fmt_not_empty = *fmt != '\0';
+ size_t max_size = strlen(fmt) + 100;
+ char *buf = jv_mem_alloc(max_size);
+ size_t n = strftime(buf, max_size, fmt, &tm);
+ jv_free(b);
+ /* POSIX doesn't provide errno values for strftime() failures; weird */
+- if ((n == 0 && *fmt) || n > max_size) {
++ if ((n == 0 && fmt_not_empty) || n > max_size) {
+ free(buf);
+ return jv_invalid_with_msg(jv_string("strflocaltime/1: unknown system failure"));
+ }
+diff --git a/tests/jq.test b/tests/jq.test
+index 55ae09b7e9..4ecf72ffdc 100644
+--- a/tests/jq.test
++++ b/tests/jq.test
+@@ -2499,3 +2499,11 @@ foreach .[] as $x (0, 1; . + $x)
+ 3
+ 2
+ 4
++
++# regression test for CVE-2025-49014 (use of fmt after free)
++# tests with both empty string literal and empty string created by function
++# as they seems to behave referecne wise differently.
++strflocaltime("" | ., @uri)
++0
++""
++""
diff --git a/jq.spec b/jq.spec
index 92b03b5..3ad0c52 100644
--- a/jq.spec
+++ b/jq.spec
@@ -1,10 +1,11 @@
Name: jq
Version: 1.8.0
-Release: 1
+Release: 2
Summary: A lightweight and flexible command-line JSON processor
License: MIT AND ICU AND CC-BY-3.0
URL: https://jqlang.github.io/jq/
Source0: https://github.com/jqlang/jq/releases/download/jq-%{version}/jq-%{version}.tar.gz
+Patch0: CVE-2025-49014.patch
BuildRequires: make flex bison gcc chrpath oniguruma-devel
%ifarch %{valgrind_arches}
BuildRequires: valgrind
@@ -73,6 +74,9 @@ make check
%{_mandir}/man1/jq.1.gz
%changelog
+* Wed Jun 25 2025 yaoxin <1024769339@qq.com> - 1.8.0-2
+- Fix CVE-2025-49014
+
* Tue Jun 17 2025 yaoxin <1024769339@qq.com> - 1.8.0-1
- Update to 1.8.0 for fix CVE-2024-23337 and CVE-2025-48060
--
Gitee
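Review bot: The new `int fmt_not_empty = *fmt != '\0';` lines in both f_strftime and f_strflocaltime carry no comment explaining why the emptiness test is hoisted, and `fmt` stays in scope as a dangling pointer after `jv_free(b)`, so a later cleanup can reintroduce exactly the use-after-free this patch removes. I would annotate the new line, `int fmt_not_empty = *fmt != '\0'; /* fmt points into b's storage, which jv_free(b) below releases */`, and, if nothing after the hunk reads it, add `fmt = NULL;` immediately after `jv_free(b);` so a regressed read faults instead of reading freed memory. Both functions start before and end after these hunks, so I cannot confirm from here whether later code still uses `fmt`. The regression test added to tests/jq.test exercises only `strflocaltime`; a matching `strftime("" | ., @uri)` case would cover the second function fixed by this patch.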
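Review bot: The added `Patch0: CVE-2025-49014.patch` line only declares the patch; nothing in this diff applies it, and `%prep` is outside the visible hunks, so confirm it contains `%autosetup -p1` (or an explicit `%patch0 -p1` / `%autopatch`), otherwise release 1.8.0-2 ships the same vulnerable strftime code while the changelog claims the CVE is fixed. The `make check` context in the second hunk shows the test suite runs at build time, but a one-byte read of freed memory is not guaranteed to fault, so a green build does not by itself prove the patch was applied.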