Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package jq for openSUSE:Factory checked in 
at 2025-05-26 18:32:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/jq (Old)
 and      /work/SRC/openSUSE:Factory/.jq.new.2732 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "jq"

Mon May 26 18:32:06 2025 rev:17 rq:1279507 version:1.7.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/jq/jq.changes    2025-05-09 18:39:11.894608417 
+0200
+++ /work/SRC/openSUSE:Factory/.jq.new.2732/jq.changes  2025-05-26 
18:33:19.741855468 +0200
@@ -1,0 +2,5 @@
+Tue May 20 17:19:29 UTC 2025 - Nathan Cutler <ncut...@suse.com>
+
+- Add patch CVE-2024-53427.patch (CVE-2024-53427, bsc#1238078)
+
+-------------------------------------------------------------------

New:
----
  CVE-2024-53427.patch

BETA DEBUG BEGIN:
  New:
- Add patch CVE-2024-53427.patch (CVE-2024-53427, bsc#1238078)
BETA DEBUG END:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ jq.spec ++++++
--- /var/tmp/diff_new_pack.0ryvDs/_old  2025-05-26 18:33:20.325879955 +0200
+++ /var/tmp/diff_new_pack.0ryvDs/_new  2025-05-26 18:33:20.325879955 +0200
@@ -25,6 +25,7 @@
 Group:          Productivity/Text/Utilities
 URL:            https://github.com/jqlang
 Source:         
https://github.com/jqlang/jq/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
+Patch0:         CVE-2024-53427.patch
 BuildRequires:  chrpath
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(oniguruma)
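Review bot: `Patch0: CVE-2024-53427.patch` only declares the patch; whether it is actually applied is decided in %prep, which is outside this hunk. Please confirm that %prep uses `%autosetup -p1` or an explicit `%patch -P 0 -p1`, since the patch paths have the `jq-1.7.1/src/jv.c` form and need one leading component stripped. If the patch is declared but never applied, the package builds from unpatched source while the changelog records CVE-2024-53427 as fixed.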

++++++ CVE-2024-53427.patch ++++++
This is a combined patch consisting of upstream patches:

https://github.com/jqlang/jq/commit/b86ff49f46a4a37e5a8e75a140cb5fd6e1331384
https://github.com/jqlang/jq/commit/a09a4dfd55e6c24d04b35062ccfe4509748b1dd3

which have been slightly tweaked so they apply to the jq 1.7.1 release.

The purpose of the patch is to fix CVE-2024-53427.
Index: jq-1.7.1/src/jv.c
===================================================================
--- jq-1.7.1.orig/src/jv.c
+++ jq-1.7.1/src/jv.c
@@ -206,9 +206,6 @@ enum {
   JVP_NUMBER_DECIMAL = 1
 };
 
-#define JV_NUMBER_SIZE_INIT      (0)
-#define JV_NUMBER_SIZE_CONVERTED (1)
-
 #define JVP_FLAGS_NUMBER_NATIVE       JVP_MAKE_FLAGS(JV_KIND_NUMBER, 
JVP_MAKE_PFLAGS(JVP_NUMBER_NATIVE, 0))
 #define JVP_FLAGS_NUMBER_LITERAL      JVP_MAKE_FLAGS(JV_KIND_NUMBER, 
JVP_MAKE_PFLAGS(JVP_NUMBER_DECIMAL, 1))
 
@@ -589,8 +586,17 @@ static jv jvp_literal_number_new(const c
     jv_mem_free(n);
     return JV_INVALID;
   }
+  if (decNumberIsNaN(&n->num_decimal)) {
+    // Reject NaN with payload.
+    if (n->num_decimal.digits > 1 || *n->num_decimal.lsu != 0) {
+      jv_mem_free(n);
+      return JV_INVALID;
+    }
+    jv_mem_free(n);
+    return jv_number(NAN);
+  }
 
-  jv r = {JVP_FLAGS_NUMBER_LITERAL, 0, 0, JV_NUMBER_SIZE_INIT, {&n->refcnt}};
+  jv r = {JVP_FLAGS_NUMBER_LITERAL, 0, 0, 0, {&n->refcnt}};
   return r;
 }
 
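Review bot: The payload test `n->num_decimal.digits > 1 || *n->num_decimal.lsu != 0` in the new NaN branch depends on how decNumber stores a NaN's diagnostic digits, and the comment `// Reject NaN with payload.` does not say why rejection is needed. As this is the input-validation step of the CVE-2024-53427 fix, I would expand it to something like `// A payload-free NaN has at most one digit and lsu[0] == 0; reject anything else so payload digits never reach the literal-number code (CVE-2024-53427).` The two `jv_mem_free(n)` calls could also be folded by computing the payload flag first, e.g. `int payload = ...; jv_mem_free(n); return payload ? JV_INVALID : jv_number(NAN);`, which leaves a single free and makes it harder for a later edit to read `n` after it. jvp_literal_number_new starts above the hunk, so the allocation and parse that precede this check are not visible here.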
@@ -698,9 +704,8 @@ double jv_number_value(jv j) {
   if (JVP_HAS_FLAGS(j, JVP_FLAGS_NUMBER_LITERAL)) {
     jvp_literal_number* n = jvp_literal_number_ptr(j);
 
-    if (j.size != JV_NUMBER_SIZE_CONVERTED) {
+    if (isnan(n->num_double)) {
       n->num_double = jvp_literal_number_to_double(j);
-      j.size = JV_NUMBER_SIZE_CONVERTED;
     }
 
     return n->num_double;
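Review bot: `isnan(n->num_double)` now doubles as the "not converted yet" marker, which is only sound if every literal is allocated with `num_double` set to NaN and no literal can legitimately convert to NaN; neither is visible in this hunk. The second condition appears to be covered by the NaN branch this patch adds to jvp_literal_number_new, which returns a native `jv_number(NAN)` instead of a literal, so a short comment would keep the two in step: `// num_double stays NaN until the first conversion; NaN literals are never stored as literals.` The removed `j.size = JV_NUMBER_SIZE_CONVERTED;` wrote to the by-value parameter `j`, so dropping it loses nothing. jv_number_value continues past the end of the hunk.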
@@ -731,7 +736,7 @@ int jvp_number_is_nan(jv n) {
     return decNumberIsNaN(pdec);
   }
 #endif
-  return n.u.number != n.u.number;
+  return isnan(n.u.number);
 }
 
 int jvp_number_cmp(jv a, jv b) {
Index: jq-1.7.1/tests/jq.test
===================================================================
--- jq-1.7.1.orig/tests/jq.test
+++ jq-1.7.1/tests/jq.test
@@ -1938,11 +1938,17 @@ tojson | fromjson
 {"a":nan}
 {"a":null}
 
-# also "nan with payload" #2985
-fromjson | isnan
-"nan1234"
+# NaN with payload is not parsed
+.[] | try (fromjson | isnan) catch .
+["NaN","-NaN","NaN1","NaN10","NaN100","NaN1000","NaN10000","NaN100000"]
 true
-
+true
+"Invalid numeric literal at EOF at line 1, column 4 (while parsing 'NaN1')"
+"Invalid numeric literal at EOF at line 1, column 5 (while parsing 'NaN10')"
+"Invalid numeric literal at EOF at line 1, column 6 (while parsing 'NaN100')"
+"Invalid numeric literal at EOF at line 1, column 7 (while parsing 'NaN1000')"
+"Invalid numeric literal at EOF at line 1, column 8 (while parsing 'NaN10000')"
+"Invalid numeric literal at EOF at line 1, column 9 (while parsing 
'NaN100000')"
 
 # calling input/0, or debug/0 in a test doesn't crash jq
 
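Review bot: The new cases stop at a six-digit payload (`NaN100000`) and all use the `NaN` spelling, while this patch also deletes the tests/shtest check that ran `Nan4000` under `$VALGRIND` for CVE-2023-50268. That leaves no regression case for a long payload, and none for a differently cased spelling if the parser accepts one, as the deleted input suggests. I would add one long-payload entry and one mixed-case entry to the input array with their matching `Invalid numeric literal` expectations, or keep the shtest case and change it to expect a parse failure, so the memory-checked run still covers this input shape.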
Index: jq-1.7.1/tests/shtest
===================================================================
--- jq-1.7.1.orig/tests/shtest
+++ jq-1.7.1/tests/shtest
@@ -594,11 +594,6 @@ if ! x=$($JQ -n "1 # foo$cr + 2") || [ "
   exit 1
 fi
 
-# CVE-2023-50268: No stack overflow comparing a nan with a large payload
-$VALGRIND $Q $JQ '1 != .' <<\EOF >/dev/null
-Nan4000
-EOF
-
 # Allow passing the inline jq script before -- #2919
 if ! r=$($JQ --args -rn -- '$ARGS.positional[0]' bar) || [ "$r" != bar ]; then
     echo "passing the inline script after -- didn't work"
