oss-sec mailing list archives
jq 1.7.1 fixes CVE-2023-50246 & CVE-2023-50268
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 15 Dec 2023 14:44:43 -0800
https://github.com/jqlang/jq/releases/tag/jq-1.7.1 lists these two fixes among the changes in this week's release of jq 1.7.1:

CVE-2023-50246: Fix heap buffer overflow in jvp_literal_number_literal
CVE-2023-50268: fix stack-buffer-overflow if comparing nan with payload

They've also published advisories on github for each:

[oss-fuzz] Issue 64771: jq:jq_fuzz_execute: Stack-buffer-overflow in decNaNs
https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j

heap-buffer-overflow exists in the function decToString in decNumber.c
https://github.com/jqlang/jq/security/advisories/GHSA-686w-5m7m-54vc

The fixes appear to be in:
https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b
https://github.com/jqlang/jq/commit/71c2ab509a8628dbbad4bc7b3f98a64aa90d3297

--
-Alan Coopersmith- alan.coopersmith () oracle com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris