• Bug#1108863: [discussion] unblock: jq/1.8.0-1

    From Salvatore Bonaccorso@21:1/5 to All on Sun Jul 6 15:30:01 2025
    XPost: linux.debian.devel.release


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Sebastian Ramacher@21:1/5 to Salvatore Bonaccorso on Sun Jul 6 21:20:01 2025
    XPost: linux.debian.devel.release

    On 2025-07-06 15:28:25 +0200, Salvatore Bonaccorso wrote:
    > Package: release.debian.org
    > Severity: normal
    > X-Debbugs-Cc: [email protected], [email protected], ChangZhuo Chen (陳昌倬) <[email protected]>, [email protected]
    > Control: affects -1 + src:jq
    > User: [email protected]
    > Usertags: unblock
    >
    > Hi ChangZhuo Chen, hi release team
    >
    > This is not actually a proper unblock request. There is in unstable a
    > new jq version which fixes CVE-2025-48060 (the other mentioned CVEs
    > were already fixed earlier afaics).
    >
    > But there is now a problem.
    >
    > 1. the new upstream version fails to build on i386.
    >
    > 2. the new upstream version 1.8.0 itself introduces a new security
    > issue, CVE-2025-49014.
    >
    > ChangZhuo Chen, what is your take here? I see possibly two ways:
    >
    > Convince release team that a version based on 1.8.0 + including the
    > security fix for CVE-2025-49014 and the FTBFS for i386 is fine, or
    > actually revert back to 1.7.1-6, and apply the fix for CVE-2025-48060
    > on top.

    I think a targeted fix on top of 1.7.1 would be more appropriate. I
    don't expect all of " 190 files changed, 30175 insertions(+), 24688 deletions(-)" is needed to fix CVE-2025-49104.

    Cheers

    > Regards,
    > Salvatore

    --
    Sebastian Ramacher

  • From ChangZhuo Chen (陳昌倬)@21:1/5 to Sebastian Ramacher on Mon Jul 7 17:30:01 2025
    XPost: linux.debian.devel.release

    On Sun, Jul 06, 2025 at 09:18:00PM +0200, Sebastian Ramacher wrote:
    > On 2025-07-06 15:28:25 +0200, Salvatore Bonaccorso wrote:
    > > ChangZhuo Chen, what is your take here? I see possibly two ways:
    > >
    > > Convince release team that a version based on 1.8.0 + including the
    > > security fix for CVE-2025-49014 and the FTBFS for i386 is fine, or
    > > actually revert back to 1.7.1-6, and apply the fix for CVE-2025-48060
    > > on top.
    >
    > I think a targeted fix on top of 1.7.1 would be more appropriate. I
    > don't expect all of " 190 files changed, 30175 insertions(+), 24688 deletions(-)" is needed to fix CVE-2025-49104.

    I agree with Sebastian. Let's aim for a targeted fix on top of 1.7.1.


    --
    ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
    Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B

  • From ChangZhuo Chen (陳昌倬)@21:1/5 to All on Mon Jul 7 18:50:01 2025
    XPost: linux.debian.devel.release


    Control: retitle -1 unblock: jq/1.7.1-6+deb13u1

    On Mon, Jul 07, 2025 at 11:24:21PM +0800, ChangZhuo Chen (陳昌倬) wrote:
    > On Sun, Jul 06, 2025 at 09:18:00PM +0200, Sebastian Ramacher wrote:
    > > I think a targeted fix on top of 1.7.1 would be more appropriate. I
    > > don't expect all of " 190 files changed, 30175 insertions(+), 24688 deletions(-)" is needed to fix CVE-2025-49104.
    >
    > I agree with Sebastian. Let's aim for a targeted fix on top of 1.7.1.

    I have prepared jq 1.7.1-6+deb13u1 for CVE-2025-49104, please see
    attachment for debdiff.


    --
    ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
    Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B

    Attachment: jq.debdiff

    diff -Nru jq-1.7.1/debian/changelog jq-1.7.1/debian/changelog
    --- jq-1.7.1/debian/changelog 2025-05-25 03:15:28.000000000 +0800
    +++ jq-1.7.1/debian/changelog 2025-07-08 00:16:39.000000000 +0800
    @@ -1,3 +1,9 @@
    +jq (1.7.1-6+deb13u1) trixie; urgency=medium
    +
    + * Cherry-pick upstream commit for CVE-2025-48060.
    +
    + -- ChangZhuo Chen (陳昌倬) <[email protected]> Tue, 08 Jul 2025 00:16:39 +0800
    +
    jq (1.7.1-6) unstable; urgency=medium

    * Cherry-pick upstream commit for CVE-2024-23337 (Closes: #1106289)
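
    Review bot: the new 1.7.1-6+deb13u1 stanza has no bug reference, while the 1.7.1-6 entry right below it carries "(Closes: #1106289)"; if a Debian bug tracks CVE-2025-48060, add its Closes: to the bullet. The bullet also does not say which upstream commit was cherry-picked, so a reader of the changelog cannot trace the backport; naming the commit, or at least debian/patches/CVE-2025-48060.patch, would help. The cover message speaks of CVE-2025-49104, whereas this entry and the patch file name say CVE-2025-48060, the CVE the original request asked to be fixed on top of 1.7.1-6.
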
    diff -Nru jq-1.7.1/debian/patches/CVE-2025-48060.patch jq-1.7.1/debian/patches/CVE-2025-48060.patch
    --- jq-1.7.1/debian/patches/CVE-2025-48060.patch 1970-01-01 08:00:00.000000000 +0800
    +++ jq-1.7.1/debi
  • From [email protected]@21:1/5 to All on Mon Jul 7 19:00:01 2025
    XPost: linux.debian.devel.release

    which [email protected]

    --
    karcio



    7 Jul 2025 at 17:43 by [email protected]:

    > Control: retitle -1 unblock: jq/1.7.1-6+deb13u1
    >
    > On Mon, Jul 07, 2025 at 11:24:21PM +0800, ChangZhuo Chen (陳昌倬) wrote:
    >
    > > On Sun, Jul 06, 2025 at 09:18:00PM +0200, Sebastian Ramacher wrote:
    > > > I think a targeted fix on top of 1.7.1 would be more appropriate. I
    > > > don't expect all of " 190 files changed, 30175 insertions(+), 24688
    > > > deletions(-)" is needed to fix CVE-2025-49104.
    > >
    > > I agree with Sebastian. Let's aim for a targeted fix on top of 1.7.1.
    >
    > I have prepared jq 1.7.1-6+deb13u1 for CVE-2025-49104, please see
    > attachment for debdiff.
    >
    > --
    > ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
    > Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B


  • From Sebastian Ramacher@21:1/5 to All on Tue Jul 8 08:00:01 2025
    XPost: linux.debian.devel.release

    Control: tags -1 confirmed moreinfo

    On 2025-07-08 00:41:37 +0800, ChangZhuo Chen (陳昌倬) wrote:
    > Control: retitle -1 unblock: jq/1.7.1-6+deb13u1
    >
    > On Mon, Jul 07, 2025 at 11:24:21PM +0800, ChangZhuo Chen (陳昌倬) wrote:
    > > On Sun, Jul 06, 2025 at 09:18:00PM +0200, Sebastian Ramacher wrote:
    > > > I think a targeted fix on top of 1.7.1 would be more appropriate. I
    > > > don't expect all of " 190 files changed, 30175 insertions(+), 24688 deletions(-)" is needed to fix CVE-2025-49104.
    > >
    > > I agree with Sebastian. Let's aim for a targeted fix on top of 1.7.1.
    >
    > I have prepared jq 1.7.1-6+deb13u1 for CVE-2025-49104, please see
    > attachment for debdiff.

    Please go ahead with this upload. Please remove the moreinfo tag after
    the upload.

    Cheers

    > --
    > ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
    > Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B

    diff -Nru jq-1.7.1/debian/changelog jq-1.7.1/debian/changelog
    --- jq-1.7.1/debian/changelog 2025-05-25 03:15:28.000000000 +0800
    +++ jq-1.7.1/debian/changelog 2025-07-08 00:16:39.000000000 +0800
    @@ -1,3 +1,9 @@
    +jq (1.7.1-6+deb13u1) trixie; urgency=medium
    +
    + * Cherry-pick upstream commit for CVE-2025-48060.
    +
    + -- ChangZhuo Chen (陳昌倬) <[email protected]> Tue, 08 Jul 2025 00:16:39 +0800
    +
    jq (1.7.1-6) unstable; urgency=medium

    * Cherry-pick upstream commit for CVE-2024-23337 (Closes: #1106289)
    diff -Nru jq-1.7.1/debian/patches/CVE-2025-48060.patch jq-1.7.1/debian/patches/CVE-2025-48060.patch
    --- jq-1.7.1/debian/patches/CVE-2025-48060.patch 1970-01-01 08:00:00.000000000 +0800
    +++ jq-1.7.1/debian/patches/CVE-2025-48060.patch 2025-07-08 00:16:25.000000000 +0800
    @@ -0,0 +1,37 @@
    +From: =?utf-8?b?IkNoYW5nWmh1byBDaGVuICjpmbPmmIzlgKwpIg==?=
    + <[email protected]>
    +Date: Tue, 8 Jul 2025 00:09:51 +0800
    +Subject: Fix heap buffer overflow when formatting an empty string
    +
    +---
    + src/jv.c | 1 +
    + tests/jq.test | 4 ++++
    + 2 files changed, 5 insertions(+)
    +
    +diff --git a/src/jv.c b/src/jv.c
    +index a8fbe48..c8e0c51 100644
    +--- a/src/jv.c
    ++++ b/src/jv.c
    +@@ -1121,6 +1121,7 @@ static jv jvp_string_empty_new(uint32_t length) {
    + jvp_string* s = jvp_string_alloc(length);
    + s->length_hashed = 0;
    + memset(s->data, 0, length);
    ++ s->data[length] = 0;
    + jv r = {JVP_FLAGS_STRING, 0, 0, 0, {&s->refcnt}};
    + return r;
    + }
    +diff --git a/tests/jq.test b/tests/jq.test
    +index 944f9da..b36e591 100644
    +--- a/tests/jq.test
    ++++ b/tests/jq.test
    +@@ -2024,6 +2024,10 @@ map(try implode catch .)
    + [123,["a"],[nan]]
    + ["implode input must be an array","string (\"a\") can't be imploded, unicode codepoint needs to be numeric","number (null) can't be imploded, unicode codepoint needs to be numeric"]
    +
    ++try 0[implode] catch .
    ++[]
    ++"Cannot index number with string \"\""
    ++
    + # walk
    + walk(.)
    + {"x":0}
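
    Review bot: in the src/jv.c part, the added `s->data[length] = 0;` writes one byte past the `length` bytes cleared by the `memset` above it, so it is in bounds only if `jvp_string_alloc(length)` reserves at least `length + 1` bytes, which the visible context does not show; confirm that against the allocator in 1.7.1 before upload. The patch header carries only From, Date and Subject, although the changelog calls this a cherry-pick of an upstream commit: an `Origin:` line naming that commit would make the backport traceable. The added tests/jq.test case `try 0[implode] catch .` exercises the empty-string path named in the Subject, which is good to have in the backport.
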
    diff -Nru jq-1.7.1/debian/patches/series jq-1.7.1/debian/patches/series
    --- jq-1.7.1/debian/patches/series 2025-05-25 03:11:23.000000000 +0800
    +++ jq-1.7.1/debian/patches/series 2025-07-08 00:16:25.000000000 +0800
    @@ -6,3 +6,4 @@
    libtool.patch
    CVE-2024-53427.patch
    CVE-2024-23337.patch
    +CVE-2025-48060.patch




    --
    Sebastian Ramacher

  • From ChangZhuo Chen (陳昌倬)@21:1/5 to Sebastian Ramacher on Tue Jul 8 09:10:01 2025
    XPost: linux.debian.devel.release

    Control: tags -1 - moreinfo

    On Tue, Jul 08, 2025 at 07:53:52AM +0200, Sebastian Ramacher wrote:
    > Please go ahead with this upload. Please remove the moreinfo tag after
    > the upload.

    I have uploaded the package.


    --
    ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
    Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B
