oss-sec mailing list archives

jq 1.7.1 fixes CVE-2023-50246 & CVE-2023-50268


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 15 Dec 2023 14:44:43 -0800

https://github.com/jqlang/jq/releases/tag/jq-1.7.1 lists these two fixes
among the changes in this week's release of jq 1.7.1:

    CVE-2023-50246: Fix heap buffer overflow in jvp_literal_number_literal
    CVE-2023-50268: fix stack-buffer-overflow if comparing nan with payload

They've also published advisories on GitHub for each:

[oss-fuzz] Issue 64771: jq:jq_fuzz_execute: Stack-buffer-overflow in decNaNs
https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j

heap-buffer-overflow exists in the function decToString in decNumber.c
https://github.com/jqlang/jq/security/advisories/GHSA-686w-5m7m-54vc

The fixes appear to be in:
https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b
https://github.com/jqlang/jq/commit/71c2ab509a8628dbbad4bc7b3f98a64aa90d3297

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris