Your message dated Mon, 09 Jun 2025 02:21:31 +0000
with message-id <e1uos8h-0083da...@fasolo.debian.org>
and subject line Bug#1106288: fixed in jq 1.8.0-1
has caused the Debian Bug report #1106288,
regarding jq: CVE-2025-48060
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1106288: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106288
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jq
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for jq.
CVE-2025-48060[0]:
| jq is a command-line JSON processor. In versions up to and including
| 1.7.1, a heap-buffer-overflow is present in function
| `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This
| crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of
| time of publication, no patched versions are available.
https://github.com/jqlang/jq/security/advisories/GHSA-p7rr-28xf-3m5w
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-48060
https://www.cve.org/CVERecord?id=CVE-2025-48060
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: jq
Source-Version: 1.8.0-1
Done: ChangZhuo Chen (陳昌倬) <czc...@debian.org>
We believe that the bug you reported is fixed in the latest version of
jq, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1106...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
ChangZhuo Chen (陳昌倬) <czc...@debian.org> (supplier of updated jq package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 09 Jun 2025 09:40:21 +0800
Source: jq
Architecture: source
Version: 1.8.0-1
Distribution: unstable
Urgency: medium
Maintainer: ChangZhuo Chen (陳昌倬) <czc...@debian.org>
Changed-By: ChangZhuo Chen (陳昌倬) <czc...@debian.org>
Closes: 1106288
Changes:
jq (1.8.0-1) unstable; urgency=medium
.
* New upstream release. (Closes: #1106288)
* Fix CVE-2024-23337, CVE-2024-53427, CVE-2025-48060.
* d/copyright: Update copyright.
* d/symbols: Update symbols.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---