• Bug#1108062: jq: CVE-2025-49014: Heap use after free in f_strflocaltime

    From Salvatore Bonaccorso@21:1/5 to All on Thu Jun 19 23:30:01 2025
    Source: jq
    Version: 1.8.0-1
    Severity: grave
    Tags: security upstream
    Justification: user security hole
    X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

    Hi,

    The following vulnerability was published for jq.

    CVE-2025-49014[0]:
    | jq is a command-line JSON processor. In version 1.8.0 a heap use
    | after free vulnerability exists within the function f_strflocaltime
    | of /src/builtin.c. This issue has been patched in commit 499c91b, no
    | known fix version exists at time of publication.

    Note, while the severity as RC is disputable to some extent, this
    issue is introduced in the new upstream version uploaded recently, so
    1.8.0-1 should ideally not migrate to trixie in this form.

    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-49014
    https://www.cve.org/CVERecord?id=CVE-2025-49014
    [1] https://github.com/jqlang/jq/security/advisories/GHSA-rmjp-cr27-wpg2
    [2] https://github.com/jqlang/jq/commit/499c91bca9d4d027833bc62787d1bb075c03680e

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Debian Bug Tracking System@21:1/5 to All on Mon Jul 7 18:30:02 2025
    Processing control commands:

    fixed -1 1.8.1-1
    Bug #1108062 [src:jq] jq: CVE-2025-49014: Heap use after free in f_strflocaltime
    The source 'jq' and version '1.8.1-1' do not appear to match any binary packages
    Marked as fixed in versions jq/1.8.1-1.

    --
    1108062: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108062
    Debian Bug Tracking System
    Contact [email protected] with problems

  • From Debian Bug Tracking System@21:1/5 to All on Wed Jul 9 12:40:01 2025

    Your message dated Tue, 8 Jul 2025 00:22:03 +0800
    with message-id <[email protected]>
    and subject line Re: Bug#1108062: jq: CVE-2025-49014: Heap use after free in f_strflocaltime
    has caused the Debian Bug report #1108062,
    regarding jq: CVE-2025-49014: Heap use after free in f_strflocaltime
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact [email protected]
    immediately.)
