Hello community,

here is the log from the commit of package jq for openSUSE:Factory checked in 
at 2025-06-14 16:16:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/jq (Old)
 and      /work/SRC/openSUSE:Factory/.jq.new.19631 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "jq"

Sat Jun 14 16:16:59 2025 rev:18 rq:1285208 version:1.7.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/jq/jq.changes    2025-05-26 18:33:19.741855468 
+0200
+++ /work/SRC/openSUSE:Factory/.jq.new.19631/jq.changes 2025-06-14 
16:17:00.520483573 +0200
@@ -1,0 +2,5 @@
+Thu Jun 12 16:24:57 UTC 2025 - Nathan Cutler <ncut...@suse.com>
+
+- Add patch CVE-2024-23337.patch (CVE-2024-23337, bsc#1243450)
+
+-------------------------------------------------------------------

New:
----
  CVE-2024-23337.patch


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ jq.spec ++++++
--- /var/tmp/diff_new_pack.nc4qkX/_old  2025-06-14 16:17:00.996503213 +0200
+++ /var/tmp/diff_new_pack.nc4qkX/_new  2025-06-14 16:17:00.996503213 +0200
@@ -25,7 +25,8 @@
 Group:          Productivity/Text/Utilities
 URL:            https://github.com/jqlang
 Source:         
https://github.com/jqlang/jq/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
-Patch0:         CVE-2024-53427.patch
+Patch0:         CVE-2024-23337.patch
+Patch1:         CVE-2024-53427.patch
 BuildRequires:  chrpath
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(oniguruma)

++++++ CVE-2024-23337.patch ++++++
>From de21386681c0df0104a99d9d09db23a9b2a78b1e Mon Sep 17 00:00:00 2001
From: itchyny <itch...@cybozu.co.jp>
Date: Wed, 21 May 2025 07:45:00 +0900
Subject: [PATCH] Fix signed integer overflow in jvp_array_write and
 jvp_object_rehash

This commit fixes signed integer overflow and SEGV issues on growing
arrays and objects. The size of arrays and objects is now limited to
`536870912` (`0x20000000`). This fixes CVE-2024-23337 and fixes #3262.
---
 src/jv.c      | 45 ++++++++++++++++++++++++++++++++++++---------
 src/jv_aux.c  |  9 +++++----
 tests/jq.test |  4 ++++
 3 files changed, 45 insertions(+), 13 deletions(-)

Index: jq-1.7.1/src/jv.c
===================================================================
--- jq-1.7.1.orig/src/jv.c
+++ jq-1.7.1/src/jv.c
@@ -992,6 +992,11 @@ jv jv_array_set(jv j, int idx, jv val) {
     jv_free(val);
     return jv_invalid_with_msg(jv_string("Out of bounds negative array 
index"));
   }
+  if (idx > (INT_MAX >> 2) - jvp_array_offset(j)) {
+    jv_free(j);
+    jv_free(val);
+    return jv_invalid_with_msg(jv_string("Array index too large"));
+  }
   // copy/free of val,j coalesced
   jv* slot = jvp_array_write(&j, idx);
   jv_free(*slot);
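Review bot: The bound `INT_MAX >> 2` in the new check is an unnamed magic expression, and the same value recurs later in this patch in jvp_object_rehash (`size > INT_MAX >> 2`); since the commit message presents it as the documented size limit, a single named constant such as `#define JV_MAX_SIZE (INT_MAX >> 2)` (name constructed) used in both places would keep the array and object limits from drifting apart. The subtraction of `jvp_array_offset(j)` only tightens the bound, and idx is already known to be non-negative because the branch just above rejects negative indexes, so the comparison itself looks sound assuming the offset is non-negative. jv_array_set begins before this hunk and continues after it.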
@@ -1011,6 +1016,7 @@ jv jv_array_concat(jv a, jv b) {
   // FIXME: could be faster
   jv_array_foreach(b, i, elem) {
     a = jv_array_append(a, elem);
+    if (!jv_is_valid(a)) break;
   }
   jv_free(b);
   return a;
@@ -1283,6 +1289,7 @@ jv jv_string_indexes(jv j, jv k) {
     p = jstr;
     while ((p = _jq_memmem(p, (jstr + jlen) - p, idxstr, idxlen)) != NULL) {
       a = jv_array_append(a, jv_number(p - jstr));
+      if (!jv_is_valid(a)) break;
       p++;
     }
   }
@@ -1305,14 +1312,17 @@ jv jv_string_split(jv j, jv sep) {
 
   if (seplen == 0) {
     int c;
-    while ((jstr = jvp_utf8_next(jstr, jend, &c)))
+    while ((jstr = jvp_utf8_next(jstr, jend, &c))) {
       a = jv_array_append(a, jv_string_append_codepoint(jv_string(""), c));
+      if (!jv_is_valid(a)) break;
+    }
   } else {
     for (p = jstr; p < jend; p = s + seplen) {
       s = _jq_memmem(p, jend - p, sepstr, seplen);
       if (s == NULL)
         s = jend;
       a = jv_array_append(a, jv_string_sized(p, s - p));
+      if (!jv_is_valid(a)) break;
       // Add an empty string to denote that j ends on a sep
       if (s + seplen == jend && seplen != 0)
         a = jv_array_append(a, jv_string(""));
@@ -1330,8 +1340,10 @@ jv jv_string_explode(jv j) {
   const char* end = i + len;
   jv a = jv_array_sized(len);
   int c;
-  while ((i = jvp_utf8_next(i, end, &c)))
+  while ((i = jvp_utf8_next(i, end, &c))) {
     a = jv_array_append(a, jv_number(c));
+    if (!jv_is_valid(a)) break;
+  }
   jv_free(j);
   return a;
 }
@@ -1605,10 +1617,13 @@ static void jvp_object_free(jv o) {
   }
 }
 
-static jv jvp_object_rehash(jv object) {
+static int jvp_object_rehash(jv *objectp) {
+  jv object = *objectp;
   assert(JVP_HAS_KIND(object, JV_KIND_OBJECT));
   assert(jvp_refcnt_unshared(object.u.ptr));
   int size = jvp_object_size(object);
+  if (size > INT_MAX >> 2)
+    return 0;
   jv new_object = jvp_object_new(size * 2);
   for (int i=0; i<size; i++) {
     struct object_slot* slot = jvp_object_get_slot(object, i);
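Review bot: The new guard `if (size > INT_MAX >> 2)` relies on `>>` binding tighter than `>`, which is correct but reads differently from the parenthesised `(INT_MAX >> 2)` used in the jv_array_set hunk of this same patch; writing it as `if (size > (INT_MAX >> 2))` keeps the two consistent. This guard is what makes the following `size * 2` free of signed overflow, and returning 0 before any write leaves `*objectp` untouched, which the caller depends on, so the changed contract deserves a comment on the function, e.g. `// Doubles the table behind *objectp; returns 1 on success, 0 (with *objectp unchanged) when the object already holds INT_MAX >> 2 slots.` jvp_object_rehash continues in the next hunk.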
@@ -1621,7 +1636,8 @@ static jv jvp_object_rehash(jv object) {
   }
   // references are transported, just drop the old table
   jv_mem_free(jvp_object_ptr(object));
-  return new_object;
+  *objectp = new_object;
+  return 1;
 }
 
 static jv jvp_object_unshare(jv object) {
@@ -1650,27 +1666,32 @@ static jv jvp_object_unshare(jv object)
   return new_object;
 }
 
-static jv* jvp_object_write(jv* object, jv key) {
+static int jvp_object_write(jv* object, jv key, jv **valpp) {
   *object = jvp_object_unshare(*object);
   int* bucket = jvp_object_find_bucket(*object, key);
   struct object_slot* slot = jvp_object_find_slot(*object, key, bucket);
   if (slot) {
     // already has the key
     jvp_string_free(key);
-    return &slot->value;
+    *valpp = &slot->value;
+    return 1;
   }
   slot = jvp_object_add_slot(*object, key, bucket);
   if (slot) {
     slot->value = jv_invalid();
   } else {
-    *object = jvp_object_rehash(*object);
+    if (!jvp_object_rehash(object)) {
+      *valpp = NULL;
+      return 0;
+    }
     bucket = jvp_object_find_bucket(*object, key);
     assert(!jvp_object_find_slot(*object, key, bucket));
     slot = jvp_object_add_slot(*object, key, bucket);
     assert(slot);
     slot->value = jv_invalid();
   }
-  return &slot->value;
+  *valpp = &slot->value;
+  return 1;
 }
 
 static int jvp_object_delete(jv* object, jv key) {
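Review bot: On the new failure path `if (!jvp_object_rehash(object)) { *valpp = NULL; return 0; }` the `key` argument is neither stored nor released: the only `jvp_string_free(key)` is in the key-already-present branch, and the same `key` is handed to `jvp_object_add_slot` again after a successful rehash, which suggests the failed first call did not take ownership of it. If that is so, the early return leaks the key string; add `jvp_string_free(key);` before `*valpp = NULL;`. The function's new int-plus-out-parameter convention should also be documented above it, noting that on a 0 return `*object` has already been unshared on the first line and must still be freed by the caller.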
@@ -1770,7 +1791,11 @@ jv jv_object_set(jv object, jv key, jv v
   assert(JVP_HAS_KIND(object, JV_KIND_OBJECT));
   assert(JVP_HAS_KIND(key, JV_KIND_STRING));
   // copy/free of object, key, value coalesced
-  jv* slot = jvp_object_write(&object, key);
+  jv* slot;
+  if (!jvp_object_write(&object, key, &slot)) {
+    jv_free(object);
+    return jv_invalid_with_msg(jv_string("Object too big"));
+  }
   jv_free(*slot);
   *slot = value;
   return object;
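Review bot: The new failure branch in jv_object_set frees `object` but not `value`, although the comment just above says the function consumes object, key and value, and the analogous branch added to jv_array_set in this patch frees both `j` and `val`. Add `jv_free(value);` beside `jv_free(object);` so the rejected value is not leaked on the "Object too big" path. Whether `key` is released on this path depends on jvp_object_write and cannot be fixed from this branch alone.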
@@ -1795,6 +1820,7 @@ jv jv_object_merge(jv a, jv b) {
   assert(JVP_HAS_KIND(a, JV_KIND_OBJECT));
   jv_object_foreach(b, k, v) {
     a = jv_object_set(a, k, v);
+    if (!jv_is_valid(a)) break;
   }
   jv_free(b);
   return a;
@@ -1814,6 +1840,7 @@ jv jv_object_merge_recursive(jv a, jv b)
       jv_free(elem);
       a = jv_object_set(a, k, v);
     }
+    if (!jv_is_valid(a)) break;
   }
   jv_free(b);
   return a;
Index: jq-1.7.1/src/jv_aux.c
===================================================================
--- jq-1.7.1.orig/src/jv_aux.c
+++ jq-1.7.1/src/jv_aux.c
@@ -193,18 +193,19 @@ jv jv_set(jv t, jv k, jv v) {
         if (slice_len < insert_len) {
           // array is growing
           int shift = insert_len - slice_len;
-          for (int i = array_len - 1; i >= end; i--) {
+          for (int i = array_len - 1; i >= end && jv_is_valid(t); i--) {
             t = jv_array_set(t, i + shift, jv_array_get(jv_copy(t), i));
           }
         } else if (slice_len > insert_len) {
           // array is shrinking
           int shift = slice_len - insert_len;
-          for (int i = end; i < array_len; i++) {
+          for (int i = end; i < array_len && jv_is_valid(t); i++) {
             t = jv_array_set(t, i - shift, jv_array_get(jv_copy(t), i));
           }
-          t = jv_array_slice(t, 0, array_len - shift);
+          if (jv_is_valid(t))
+            t = jv_array_slice(t, 0, array_len - shift);
         }
-        for (int i=0; i < insert_len; i++) {
+        for (int i = 0; i < insert_len && jv_is_valid(t); i++) {
           t = jv_array_set(t, start + i, jv_array_get(jv_copy(v), i));
         }
         jv_free(v);
Index: jq-1.7.1/tests/jq.test
===================================================================
--- jq-1.7.1.orig/tests/jq.test
+++ jq-1.7.1/tests/jq.test
@@ -198,6 +198,10 @@ null
 [0,1,2]
 [0,5,2]
 
+try (.[999999999] = 0) catch .
+null
+"Array index too large"
+
 #
 # Multiple outputs, iteration
 #

++++++ CVE-2024-53427.patch ++++++
--- /var/tmp/diff_new_pack.nc4qkX/_old  2025-06-14 16:17:01.032504698 +0200
+++ /var/tmp/diff_new_pack.nc4qkX/_new  2025-06-14 16:17:01.032504698 +0200
@@ -63,7 +63,7 @@
 ===================================================================
 --- jq-1.7.1.orig/tests/jq.test
 +++ jq-1.7.1/tests/jq.test
-@@ -1938,11 +1938,17 @@ tojson | fromjson
+@@ -1942,11 +1942,17 @@ tojson | fromjson
  {"a":nan}
  {"a":null}
  
