Your message dated Sat, 12 Apr 2025 09:34:17 +0000
with message-id <[email protected]>
and subject line Bug#1102679: fixed in jq 1.7.1-5
has caused the Debian Bug report #1102679,
regarding jq: CVE-2024-53427
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1102679: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102679
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jq
Version: 1.7.1-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/jqlang/jq/issues/3196
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.7.1-4

Hi,

The following vulnerability was published for jq.

CVE-2024-53427[0]:
| decNumberCopy in decNumber.c in jq through 1.7.1 does not properly
| consider that NaN is interpreted as numeric, which has a resultant
| stack-based buffer overflow and out-of-bounds write, as demonstrated
| by use of --slurp with subtraction, such as a filter of .-. when the
| input has a certain form of digit string with NaN (e.g., "1 NaN123"
| immediately followed by many more digits).


If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-53427
    https://www.cve.org/CVERecord?id=CVE-2024-53427
[1] https://github.com/jqlang/jq/issues/3196
[2] https://github.com/jqlang/jq/security/advisories/GHSA-x6c3-qv5r-7q22
[3] https://github.com/jqlang/jq/commit/b86ff49f46a4a37e5a8e75a140cb5fd6e1331384
[4] https://github.com/jqlang/jq/commit/a09a4dfd55e6c24d04b35062ccfe4509748b1dd3

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: jq
Source-Version: 1.7.1-5
Done: ChangZhuo Chen (陳昌倬) <[email protected]>

We believe that the bug you reported is fixed in the latest version of
jq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
ChangZhuo Chen (陳昌倬) <[email protected]> (supplier of updated jq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 12 Apr 2025 16:09:04 +0800
Source: jq
Architecture: source
Version: 1.7.1-5
Distribution: unstable
Urgency: medium
Maintainer: ChangZhuo Chen (陳昌倬) <[email protected]>
Changed-By: ChangZhuo Chen (陳昌倬) <[email protected]>
Closes: 1102679
Changes:
 jq (1.7.1-5) unstable; urgency=medium
 .
   * Cherry-pick upstream commit for CVE-2024-53427 (Closes: #1102679)
   * d/copyright: Update copyright year.


--- End Message ---