Control: tags -1 moreinfo
On 2025-05-25 03:34:19 +0800, ChangZhuo Chen (陳昌倬) wrote:
> Package: release.debian.org
> Severity: normal
> X-Debbugs-Cc: j...@packages.debian.org
> Control: affects -1 + src:jq
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> Please unblock package jq
-6 hasn't been uploaded yet. Please remove the moreinfo tag once the
package is available in unstable.
Cheers
>
> [ Reason ]
>
> Cherry-pick upstream commit for CVE-2024-23337.
>
> [ Impact ]
>
> Security vulnerability remains in jq if unblock is not granted.
>
> [ Tests ]
>
> Upstream unit test has been performed and passed.
>
> [ Risks ]
>
> [ Checklist ]
>
> [v] all changes are documented in the d/changelog
> [v] I reviewed all changes and I approve them
> [v] attach debdiff against the package in testing
>
> [ Other info ]
>
> unblock jq/1.7.1-5
>
> --
> ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
> Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B
> diff -Nru jq-1.7.1/debian/changelog jq-1.7.1/debian/changelog
> --- jq-1.7.1/debian/changelog 2025-04-12 16:09:04.000000000 +0800
> +++ jq-1.7.1/debian/changelog 2025-05-25 03:15:28.000000000 +0800
> @@ -1,3 +1,9 @@
> +jq (1.7.1-6) unstable; urgency=medium
> +
> + * Cherry-pick upstream commit for CVE-2024-23337 (Closes: #1106289)
> +
> + -- ChangZhuo Chen (陳昌倬) <czc...@debian.org> Sun, 25 May 2025 03:15:28 +0800
> +
> jq (1.7.1-5) unstable; urgency=medium
>
> * Cherry-pick upstream commit for CVE-2024-53427 (Closes: #1102679)
> diff -Nru jq-1.7.1/debian/patches/CVE-2024-23337.patch
> jq-1.7.1/debian/patches/CVE-2024-23337.patch
> --- jq-1.7.1/debian/patches/CVE-2024-23337.patch 1970-01-01
> 08:00:00.000000000 +0800
> +++ jq-1.7.1/debian/patches/CVE-2024-23337.patch 2025-05-25
> 03:11:23.000000000 +0800
> @@ -0,0 +1,208 @@
> +From: =?utf-8?b?IkNoYW5nWmh1byBDaGVuICjpmbPmmIzlgKwpIg==?=
> + <czc...@debian.org>
> +Date: Sun, 25 May 2025 03:08:51 +0800
> +Subject: Fix signed integer overflow in jvp_array_write and jvp_object_rehash
> +
> +---
> + src/jv.c | 45 ++++++++++++++++++++++++++++++++++++---------
> + src/jv_aux.c | 9 +++++----
> + tests/jq.test | 4 ++++
> + 3 files changed, 45 insertions(+), 13 deletions(-)
> +
> +diff --git a/src/jv.c b/src/jv.c
> +index 7f798d8..a8fbe48 100644
> +--- a/src/jv.c
> ++++ b/src/jv.c
> +@@ -997,6 +997,11 @@ jv jv_array_set(jv j, int idx, jv val) {
> + jv_free(val);
> + return jv_invalid_with_msg(jv_string("Out of bounds negative array
> index"));
> + }
> ++ if (idx > (INT_MAX >> 2) - jvp_array_offset(j)) {
> ++ jv_free(j);
> ++ jv_free(val);
> ++ return jv_invalid_with_msg(jv_string("Array index too large"));
> ++ }
> + // copy/free of val,j coalesced
> + jv* slot = jvp_array_write(&j, idx);
> + jv_free(*slot);
> +@@ -1016,6 +1021,7 @@ jv jv_array_concat(jv a, jv b) {
> + // FIXME: could be faster
> + jv_array_foreach(b, i, elem) {
> + a = jv_array_append(a, elem);
> ++ if (!jv_is_valid(a)) break;
> + }
> + jv_free(b);
> + return a;
> +@@ -1288,6 +1294,7 @@ jv jv_string_indexes(jv j, jv k) {
> + p = jstr;
> + while ((p = _jq_memmem(p, (jstr + jlen) - p, idxstr, idxlen)) != NULL) {
> + a = jv_array_append(a, jv_number(p - jstr));
> ++ if (!jv_is_valid(a)) break;
> + p++;
> + }
> + }
> +@@ -1310,14 +1317,17 @@ jv jv_string_split(jv j, jv sep) {
> +
> + if (seplen == 0) {
> + int c;
> +- while ((jstr = jvp_utf8_next(jstr, jend, &c)))
> ++ while ((jstr = jvp_utf8_next(jstr, jend, &c))) {
> + a = jv_array_append(a, jv_string_append_codepoint(jv_string(""), c));
> ++ if (!jv_is_valid(a)) break;
> ++ }
> + } else {
> + for (p = jstr; p < jend; p = s + seplen) {
> + s = _jq_memmem(p, jend - p, sepstr, seplen);
> + if (s == NULL)
> + s = jend;
> + a = jv_array_append(a, jv_string_sized(p, s - p));
> ++ if (!jv_is_valid(a)) break;
> + // Add an empty string to denote that j ends on a sep
> + if (s + seplen == jend && seplen != 0)
> + a = jv_array_append(a, jv_string(""));
> +@@ -1335,8 +1345,10 @@ jv jv_string_explode(jv j) {
> + const char* end = i + len;
> + jv a = jv_array_sized(len);
> + int c;
> +- while ((i = jvp_utf8_next(i, end, &c)))
> ++ while ((i = jvp_utf8_next(i, end, &c))) {
> + a = jv_array_append(a, jv_number(c));
> ++ if (!jv_is_valid(a)) break;
> ++ }
> + jv_free(j);
> + return a;
> + }
> +@@ -1610,10 +1622,13 @@ static void jvp_object_free(jv o) {
> + }
> + }
> +
> +-static jv jvp_object_rehash(jv object) {
> ++static int jvp_object_rehash(jv *objectp) {
> ++ jv object = *objectp;
> + assert(JVP_HAS_KIND(object, JV_KIND_OBJECT));
> + assert(jvp_refcnt_unshared(object.u.ptr));
> + int size = jvp_object_size(object);
> ++ if (size > INT_MAX >> 2)
> ++ return 0;
> + jv new_object = jvp_object_new(size * 2);
> + for (int i=0; i<size; i++) {
> + struct object_slot* slot = jvp_object_get_slot(object, i);
> +@@ -1626,7 +1641,8 @@ static jv jvp_object_rehash(jv object) {
> + }
> + // references are transported, just drop the old table
> + jv_mem_free(jvp_object_ptr(object));
> +- return new_object;
> ++ *objectp = new_object;
> ++ return 1;
> + }
> +
> + static jv jvp_object_unshare(jv object) {
> +@@ -1655,27 +1671,32 @@ static jv jvp_object_unshare(jv object) {
> + return new_object;
> + }
> +
> +-static jv* jvp_object_write(jv* object, jv key) {
> ++static int jvp_object_write(jv* object, jv key, jv **valpp) {
> + *object = jvp_object_unshare(*object);
> + int* bucket = jvp_object_find_bucket(*object, key);
> + struct object_slot* slot = jvp_object_find_slot(*object, key, bucket);
> + if (slot) {
> + // already has the key
> + jvp_string_free(key);
> +- return &slot->value;
> ++ *valpp = &slot->value;
> ++ return 1;
> + }
> + slot = jvp_object_add_slot(*object, key, bucket);
> + if (slot) {
> + slot->value = jv_invalid();
> + } else {
> +- *object = jvp_object_rehash(*object);
> ++ if (!jvp_object_rehash(object)) {
> ++ *valpp = NULL;
> ++ return 0;
> ++ }
> + bucket = jvp_object_find_bucket(*object, key);
> + assert(!jvp_object_find_slot(*object, key, bucket));
> + slot = jvp_object_add_slot(*object, key, bucket);
> + assert(slot);
> + slot->value = jv_invalid();
> + }
> +- return &slot->value;
> ++ *valpp = &slot->value;
> ++ return 1;
> + }
> +
> + static int jvp_object_delete(jv* object, jv key) {
> +@@ -1775,7 +1796,11 @@ jv jv_object_set(jv object, jv key, jv value) {
> + assert(JVP_HAS_KIND(object, JV_KIND_OBJECT));
> + assert(JVP_HAS_KIND(key, JV_KIND_STRING));
> + // copy/free of object, key, value coalesced
> +- jv* slot = jvp_object_write(&object, key);
> ++ jv* slot;
> ++ if (!jvp_object_write(&object, key, &slot)) {
> ++ jv_free(object);
> ++ return jv_invalid_with_msg(jv_string("Object too big"));
> ++ }
> + jv_free(*slot);
> + *slot = value;
> + return object;
> +@@ -1800,6 +1825,7 @@ jv jv_object_merge(jv a, jv b) {
> + assert(JVP_HAS_KIND(a, JV_KIND_OBJECT));
> + jv_object_foreach(b, k, v) {
> + a = jv_object_set(a, k, v);
> ++ if (!jv_is_valid(a)) break;
> + }
> + jv_free(b);
> + return a;
> +@@ -1819,6 +1845,7 @@ jv jv_object_merge_recursive(jv a, jv b) {
> + jv_free(elem);
> + a = jv_object_set(a, k, v);
> + }
> ++ if (!jv_is_valid(a)) break;
> + }
> + jv_free(b);
> + return a;
> +diff --git a/src/jv_aux.c b/src/jv_aux.c
> +index 6004799..bbe1c0d 100644
> +--- a/src/jv_aux.c
> ++++ b/src/jv_aux.c
> +@@ -193,18 +193,19 @@ jv jv_set(jv t, jv k, jv v) {
> + if (slice_len < insert_len) {
> + // array is growing
> + int shift = insert_len - slice_len;
> +- for (int i = array_len - 1; i >= end; i--) {
> ++ for (int i = array_len - 1; i >= end && jv_is_valid(t); i--) {
> + t = jv_array_set(t, i + shift, jv_array_get(jv_copy(t), i));
> + }
> + } else if (slice_len > insert_len) {
> + // array is shrinking
> + int shift = slice_len - insert_len;
> +- for (int i = end; i < array_len; i++) {
> ++ for (int i = end; i < array_len && jv_is_valid(t); i++) {
> + t = jv_array_set(t, i - shift, jv_array_get(jv_copy(t), i));
> + }
> +- t = jv_array_slice(t, 0, array_len - shift);
> ++ if (jv_is_valid(t))
> ++ t = jv_array_slice(t, 0, array_len - shift);
> + }
> +- for (int i=0; i < insert_len; i++) {
> ++ for (int i = 0; i < insert_len && jv_is_valid(t); i++) {
> + t = jv_array_set(t, start + i, jv_array_get(jv_copy(v), i));
> + }
> + jv_free(v);
> +diff --git a/tests/jq.test b/tests/jq.test
> +index 7036df2..944f9da 100644
> +--- a/tests/jq.test
> ++++ b/tests/jq.test
> +@@ -198,6 +198,10 @@ null
> + [0,1,2]
> + [0,5,2]
> +
> ++try (.[999999999] = 0) catch .
> ++null
> ++"Array index too large"
> ++
> + #
> + # Multiple outputs, iteration
> + #
> diff -Nru jq-1.7.1/debian/patches/series jq-1.7.1/debian/patches/series
> --- jq-1.7.1/debian/patches/series 2025-04-12 16:00:54.000000000 +0800
> +++ jq-1.7.1/debian/patches/series 2025-05-25 03:11:23.000000000 +0800
> @@ -5,3 +5,4 @@
> 0006-Do-not-use-pipenv-to-build-docs.patch
> libtool.patch
> CVE-2024-53427.patch
> +CVE-2024-23337.patch
--
Sebastian Ramacher
