diff --git a/CVE-2015-8863.patch b/CVE-2015-8863.patch deleted file mode 100644 index f4046cd6759e68d85f90c79463a06f6271569ffa..0000000000000000000000000000000000000000 --- a/CVE-2015-8863.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 8eb1367ca44e772963e704a700ef72ae2e12babd Mon Sep 17 00:00:00 2001 -From: Nicolas Williams -Date: Sat, 24 Oct 2015 17:24:57 -0500 -Subject: [PATCH] Heap buffer overflow in tokenadd() (fix #105) - -This was an off-by one: the NUL terminator byte was not allocated on -resize. This was triggered by JSON-encoded numbers longer than 256 -bytes. ---- - src/jv_parse.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/jv_parse.c b/src/jv_parse.c -index 3102ed4..84245b8 100644 ---- a/src/jv_parse.c -+++ b/src/jv_parse.c -@@ -383,7 +383,7 @@ static pfunc stream_token(struct jv_parser* p, char ch) { - - static void tokenadd(struct jv_parser* p, char c) { - assert(p->tokenpos <= p->tokenlen); -- if (p->tokenpos == p->tokenlen) { -+ if (p->tokenpos >= (p->tokenlen - 1)) { - p->tokenlen = p->tokenlen*2 + 256; - p->tokenbuf = jv_mem_realloc(p->tokenbuf, p->tokenlen); - } -@@ -485,7 +485,7 @@ static pfunc check_literal(struct jv_parser* p) { - TRY(value(p, v)); - } else { - // FIXME: better parser -- p->tokenbuf[p->tokenpos] = 0; // FIXME: invalid -+ p->tokenbuf[p->tokenpos] = 0; - char* end = 0; - double d = jvp_strtod(&p->dtoa, p->tokenbuf, &end); - if (end == 0 || *end != 0) --- -2.14.3 - diff --git a/CVE-2016-4074.patch b/CVE-2016-4074.patch deleted file mode 100644 index d7369540491aa031b1e2884f61eeb038dedae493..0000000000000000000000000000000000000000 --- a/CVE-2016-4074.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 83e2cf607f3599d208b6b3129092fa7deb2e5292 Mon Sep 17 00:00:00 2001 -From: W-Mark Kubacki -Date: Fri, 19 Aug 2016 19:50:39 +0200 -Subject: [PATCH] Skip printing what's below a MAX_PRINT_DEPTH - -This addresses #1136, and mitigates a stack exhaustion when printing -a very deeply nested term. ---- - src/jv_print.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/jv_print.c b/src/jv_print.c -index 5f4f234..ce4a59a 100644 ---- a/src/jv_print.c -+++ b/src/jv_print.c -@@ -13,6 +13,10 @@ - #include "jv_dtoa.h" - #include "jv_unicode.h" - -+#ifndef MAX_PRINT_DEPTH -+#define MAX_PRINT_DEPTH (256) -+#endif -+ - #define ESC "\033" - #define COL(c) (ESC "[" c "m") - #define COLRESET (ESC "[0m") -@@ -150,7 +154,9 @@ static void jv_dump_term(struct dtoa_context* C, jv x, int flags, int indent, FI - } - } - } -- switch (jv_get_kind(x)) { -+ if (indent > MAX_PRINT_DEPTH) { -+ put_str("", F, S, flags & JV_PRINT_ISATTY); -+ } else switch (jv_get_kind(x)) { - default: - case JV_KIND_INVALID: - if (flags & JV_PRINT_INVALID) { --- -1.8.3.1 - diff --git a/jq-1.5.tar.gz b/jq-1.5.tar.gz deleted file mode 100644 index d034ef9459e2a8ca010cf080f1a01a28ef3283ab..0000000000000000000000000000000000000000 Binary files a/jq-1.5.tar.gz and /dev/null differ diff --git a/jq-1.6.tar.gz b/jq-1.6.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..dbd18fb91dca5da01c9f4b90aa1260313725a535 Binary files /dev/null and b/jq-1.6.tar.gz differ diff --git a/jq.spec b/jq.spec index c9d57a6fd826653f3a7eb5ae8a49a914c2aa1618..d546e387e19a3eb9bb7278a95dbd0791b6131e58 100644 --- a/jq.spec +++ b/jq.spec @@ -1,13 +1,11 @@ Name: jq -Version: 1.5 -Release: 18 +Version: 1.6 +Release: 1 Summary: A lightweight and flexible command-line JSON processor License: MIT and ASL 2.0 and CC-BY and GPLv3 URL: http://stedolan.github.io/jq/ Source0: https://github.com/stedolan/jq/releases/download/jq-%{version}/jq-%{version}.tar.gz -Patch0: CVE-2015-8863.patch -Patch1: CVE-2016-4074.patch -BuildRequires: make flex bison valgrind gcc +BuildRequires: make flex bison valgrind gcc chrpath oniguruma-devel %description jq is a lightweight and flexible command-line JSON processor. @@ -39,6 +37,7 @@ Documentation for jq package. %install %make_install %delete_la +chrpath -d %{buildroot}%{_bindir}/%{name} %check %if %{?_with_check:1}%{!?_with_check:0} @@ -71,6 +70,9 @@ make check %changelog +* Wed Aug 25 2021 wangyue - 1.6-1 +- Upgrade to 1.6 + * Thu Jun 03 2021 wulei - 1.5-18 - fixes failed: no acceptable C compiler found in $PATH