Source: jq Version: 1.7.1-3 Severity: important Tags: security upstream Forwarded: https://github.com/jqlang/jq/issues/3196 X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Control: found -1 1.7.1-4
Hi, The following vulnerability was published for jq. CVE-2024-53427[0]: | decNumberCopy in decNumber.c in jq through 1.7.1 does not properly | consider that NaN is interpreted as numeric, which has a resultant | stack-based buffer overflow and out-of-bounds write, as demonstrated | by use of --slurp with subtraction, such as a filter of .-. when the | input has a certain form of digit string with NaN (e.g., "1 NaN123" | immediately followed by many more digits). If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-53427 https://www.cve.org/CVERecord?id=CVE-2024-53427 [1] https://github.com/jqlang/jq/issues/3196 [2] https://github.com/jqlang/jq/security/advisories/GHSA-x6c3-qv5r-7q22 [3] https://github.com/jqlang/jq/commit/b86ff49f46a4a37e5a8e75a140cb5fd6e1331384 [4] https://github.com/jqlang/jq/commit/a09a4dfd55e6c24d04b35062ccfe4509748b1dd3 Regards, Salvatore
