Package: jq
Version: 1.6-2.1
Severity: important
Consider this JSON file:
{
"\u0041PIModule": "/test2.dll",
"APIModule": "/test.dll"
}
On running jq .APIModule < test.json, the output is "/test.dll". The
expected output is "/test2.dll", "/test.dll", or alternately an error
message as this input file is in fact malformed. The order of the two
input lines does not matter: reversing the order in input does not
change the output.
This bug is security class, and was discovered by looking for a solution
to a security problem we uncovered in new development; however this is
not a security bug for everybody. Most people don't try to determine if
JSON input is trustworthy this way.
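One defensive check for the key collision described above, as an added example that is not part of this bug report or of jq: a Python loader that refuses any object whose keys compare equal once escapes like \u0041 are decoded, beside the default loader that silently lets one value win. The sample documents are constructed from the report's input.

```python
import json
from typing import Any

# Constructed sample input modelled on the report: both keys decode to the
# string "APIModule" once the \u0041 escape is resolved.
ESCAPED_FIRST = '{"\\u0041PIModule": "/test2.dll", "APIModule": "/test.dll"}'
PLAIN_FIRST = '{"APIModule": "/test.dll", "\\u0041PIModule": "/test2.dll"}'


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a key after escape decoding."""


def _reject_duplicates(pairs: list[tuple[str, Any]]) -> dict[str, Any]:
    # object_pairs_hook receives keys already decoded, so "\u0041PIModule"
    # and "APIModule" compare equal here even though their raw text differs.
    # The hook runs for every object, so nested objects are checked too.
    seen: dict[str, Any] = {}
    for key, value in pairs:
        if key in seen:
            raise DuplicateKeyError(f"duplicate key after decoding: {key!r}")
        seen[key] = value
    return seen


def strict_loads(text: str) -> Any:
    """Parse JSON, refusing any object whose decoded keys collide."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def lenient_loads(text: str) -> Any:
    """Python's default: the last occurrence of a key wins, so the value
    you get depends on key order and the collision goes unnoticed."""
    return json.loads(text)


def check(text: str) -> str:
    """Return 'rejected' if strict parsing refuses the document, else 'ok'."""
    try:
        strict_loads(text)
    except DuplicateKeyError:
        return "rejected"
    return "ok"


if __name__ == "__main__":
    for doc in (ESCAPED_FIRST, PLAIN_FIRST):
        print(check(doc), "lenient ->", lenient_loads(doc)["APIModule"])
```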
-- System Information:
Debian Release: 12.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-18-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages jq depends on:
ii libc6 2.36-9+deb12u4
ii libjq1 1.6-2.1
jq recommends no packages.
jq suggests no packages.
-- no debconf information