
package/jq: security patch for CVE-2025-48060

The security patch has been fetched from Nixpkgs [1].

Fixes the following CVE:
- CVE-2025-48060: jq is a command-line JSON processor. In versions up to
  and including 1.7.1, a heap-buffer-overflow is present in function
  in the jq_fuzz_execute harness from oss-fuzz. This crash happens on
  file jv.c, line 1456. As of time of publication, no patched versions
  are available.

For more information, see:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-48060

[1] https://github.com/LordGrimmauld/nixpkgs/blob/df21c79bfbb4d5ea50a49231bb8f91ab7afa051d/pkgs/by-name/jq/jq/0005-Fix-heap-buffer-overflow-when-formatting-an-empty-st.patch

Signed-off-by: Yuce Kurum <yuce.kurum@mind.be>
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Author: Yuce Kurum, 1 month ago
Commit: a9fd428c61
2 files changed, 52 insertions(+), 0 deletions(-)
  1. package/jq/0003-CVE-2025-48060.patch (+49, -0)
  2. package/jq/jq.mk (+3, -0)

+ 49 - 0
package/jq/0003-CVE-2025-48060.patch

@@ -0,0 +1,49 @@
+From d73a79035e1d24011a3363d52bf36b4eaea67aa6 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Sat, 31 May 2025 11:46:40 +0900
+Subject: [PATCH] Fix heap buffer overflow when formatting an empty string
+
+The `jv_string_empty` did not properly null-terminate the string data,
+which could lead to a heap buffer overflow. The test case of
+GHSA-p7rr-28xf-3m5w (`0[""*0]`) was fixed by the commit dc849e9bb74a,
+but another case (`0[[]|implode]`) was still vulnerable. This commit
+ensures string data is properly null-terminated, and fixes CVE-2025-48060.
+
+CVE: CVE-2025-48060
+Upstream: https://github.com/LordGrimmauld/nixpkgs/blob/df21c79bfbb4d5ea50a49231bb8f91ab7afa051d/pkgs/by-name/jq/jq/0005-Fix-heap-buffer-overflow-when-formatting-an-empty-st.patch
+Signed-off-by: Yuce Kurum <yuce.kurum@mind.be>
+---
+ src/jv.c      | 1 +
+ tests/jq.test | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/src/jv.c b/src/jv.c
+index 6e8cdd3..3303286 100644
+--- a/src/jv.c
++++ b/src/jv.c
+@@ -1121,6 +1121,7 @@ static jv jvp_string_empty_new(uint32_t length) {
+   jvp_string* s = jvp_string_alloc(length);
+   s->length_hashed = 0;
+   memset(s->data, 0, length);
++  s->data[length] = 0;
+   jv r = {JVP_FLAGS_STRING, 0, 0, 0, {&s->refcnt}};
+   return r;
+ }
+diff --git a/tests/jq.test b/tests/jq.test
+index 10b20e3..680706b 100644
+--- a/tests/jq.test
++++ b/tests/jq.test
+@@ -2042,6 +2042,10 @@ map(try implode catch .)
+ [123,["a"],[nan]]
+ ["implode input must be an array","string (\"a\") can't be imploded, unicode codepoint needs to be numeric","number (null) can't be imploded, unicode codepoint needs to be numeric"]
+ 
++try 0[implode] catch .
++[]
++"Cannot index number with string \"\""
++
+ # walk
+ walk(.)
+ {"x":0}
+-- 
+2.49.0
+
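Review bot: the `Upstream:` tag in the patch header should point at the upstream jq commit (d73a79035e1d24011a3363d52bf36b4eaea67aa6, as named in the `From` line) rather than at a copy of the patch in a Nixpkgs fork, so the backport can be verified against jq's own repository; the Nixpkgs link is already given as reference [1] in the Buildroot commit message, which is where it belongs. The fix itself (`+  s->data[length] = 0;` after the `memset`) writes one byte past `length`, so it is only correct if `jvp_string_alloc(length)` reserves `length + 1` bytes; that allocator is outside the hunk, so it is worth confirming in the jq version Buildroot packages, particularly since the `index 6e8cdd3..3303286` line and the `@@ -1121` offset come from the upstream tree rather than from the 1.7.1 tarball, and the NVD text quoted in the commit message places the crash at jv.c line 1456. The added test (`try 0[implode] catch .` on input `[]`) covers the `0[[]|implode]` case the description names; no test for the earlier `0[""*0]` case (fixed by dc849e9bb74a, per the message) is added by this patch.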

+ 3 - 0
package/jq/jq.mk

@@ -17,6 +17,9 @@ JQ_IGNORE_CVES += CVE-2024-23337
 # 0002-CVE-2024-53427.patch
 JQ_IGNORE_CVES += CVE-2024-53427
 
+# 0003-CVE-2025-48060.patch
+JQ_IGNORE_CVES += CVE-2025-48060
+
 # uses c99 specific features
 JQ_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -std=c99"
 HOST_JQ_CONF_ENV += CFLAGS="$(HOST_CFLAGS) -std=c99"
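Review bot: the new `JQ_IGNORE_CVES += CVE-2025-48060` entry follows the existing convention in this file (a comment naming the patch file directly above the ignore line, as for `0002-CVE-2024-53427.patch`), so nothing to change here; note only that the entry is accurate solely while `package/jq/0003-CVE-2025-48060.patch` is carried, so the patch and this ignore line should be dropped together when jq is bumped to a release that contains upstream commit d73a79035e1d24011a3363d52bf36b4eaea67aa6.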