Your message dated Tue, 8 Jul 2025 00:22:03 +0800
with message-id <agv0k4xsqocep...@gmail.com>
and subject line Re: Bug#1108062: jq: CVE-2025-49014: Heap use after free in f_strflocaltime
has caused the Debian Bug report #1108062,
regarding jq: CVE-2025-49014: Heap use after free in f_strflocaltime
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1108062: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108062
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jq
Version: 1.8.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for jq.
CVE-2025-49014[0]:
| jq is a command-line JSON processor. In version 1.8.0 a heap use
| after free vulnerability exists within the function f_strflocaltime
| of /src/builtin.c. This issue has been patched in commit 499c91b, no
| known fix version exists at time of publication.
Note, while the severity as RC is disputable to some extent, this
issue is introduced in the new upstream version uploaded recently, so
1.8.0-1 should not migrate to trixie in this form ideally.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-49014
https://www.cve.org/CVERecord?id=CVE-2025-49014
[1] https://github.com/jqlang/jq/security/advisories/GHSA-rmjp-cr27-wpg2
[2] https://github.com/jqlang/jq/commit/499c91bca9d4d027833bc62787d1bb075c03680e
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Control: fixed -1 1.8.1-1
--
ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B
--- End Message ---