Your message dated Mon, 26 May 2025 14:34:00 +0000
with message-id <e1ujyts-009pnq...@fasolo.debian.org>
and subject line Bug#1106289: fixed in jq 1.7.1-6
has caused the Debian Bug report #1106289,
regarding jq: CVE-2024-23337
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1106289: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106289
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jq
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for jq.

CVE-2024-23337[0]:
| jq is a command-line JSON processor. In versions up to and including
| 1.7.1, an integer overflow arises when assigning value using an
| index of 2147483647, the signed integer limit. This causes a denial
| of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains
| a patch for the issue.

https://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46
https://github.com/jqlang/jq/issues/3262
https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-23337
    https://www.cve.org/CVERecord?id=CVE-2024-23337

Please adjust the affected versions in the BTS as needed.

--- End Message ---
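
The overflow class named in the CVE text above, as an added C illustration that is not jq's source and not the upstream patch. The function names, the 1.5x growth factor and the sample indices are assumptions made for the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative growable-array sizing (hypothetical, not jq's source):
 * writing element `idx` needs idx + 1 slots; growth reserves 1.5x that. */

/* What a 32-bit signed `idx + 1` yields on two's-complement hardware.
 * Computed in 64-bit math so this demo itself has no undefined behaviour. */
int32_t slots_needed_unchecked(int32_t idx) {
    int64_t wide = (int64_t)idx + 1;
    if (wide > INT32_MAX)
        wide -= (int64_t)1 << 32;   /* wrap: INT32_MAX + 1 -> INT32_MIN */
    return (int32_t)wide;
}

/* Hardened sizing: reject negative or oversized indices before any
 * allocation size is derived. Returns 0 and sets *cap, or -1 on error. */
int capacity_checked(int32_t idx, int32_t *cap) {
    if (idx < 0)
        return -1;
    int64_t need = (int64_t)idx + 1;    /* widened, cannot overflow */
    int64_t grown = need + need / 2;    /* 1.5x growth factor (assumed) */
    if (grown > INT32_MAX)
        return -1;                      /* would not fit the length type */
    *cap = (int32_t)grown;
    return 0;
}

int main(void) {
    int32_t samples[] = {9, 1000000, INT32_MAX};   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t cap = 0;
        int rc = capacity_checked(samples[i], &cap);
        printf("idx=%d unchecked_slots=%d checked_rc=%d cap=%d\n",
               (int)samples[i], (int)slots_needed_unchecked(samples[i]),
               rc, (int)cap);
    }
    return 0;
}
```

With the index at the signed limit, the unchecked slot count becomes negative, while the checked path refuses the request before any size is computed from it.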
--- Begin Message ---
Source: jq
Source-Version: 1.7.1-6
Done: ChangZhuo Chen (陳昌倬) <czc...@debian.org>

We believe that the bug you reported is fixed in the latest version of
jq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1106...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
ChangZhuo Chen (陳昌倬) <czc...@debian.org> (supplier of updated jq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 25 May 2025 03:15:28 +0800
Source: jq
Architecture: source
Version: 1.7.1-6
Distribution: unstable
Urgency: medium
Maintainer: ChangZhuo Chen (陳昌倬) <czc...@debian.org>
Changed-By: ChangZhuo Chen (陳昌倬) <czc...@debian.org>
Closes: 1106289
Changes:
 jq (1.7.1-6) unstable; urgency=medium
 .
   * Cherry-pick upstream commit for CVE-2024-23337 (Closes: #1106289)



--- End Message ---
