Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: [email protected], [email protected] Control: affects -1 + src:jq User: [email protected] Usertags: pu
[ Reason ]
Cherry-pick to fix CVE-2025-48060.
[ Impact ]
Users will be affected by CVE-2025-48060.
[ Tests ]
No tests were done, since the change is trivial.
[ Risks ]
The change is trivial.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Write a 0 to the end of the buffer.
[ Other info ]
--
ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B
diff -Nru jq-1.6/debian/changelog jq-1.6/debian/changelog --- jq-1.6/debian/changelog 2020-12-10 16:24:21.000000000 +0800 +++ jq-1.6/debian/changelog 2025-07-09 22:23:15.000000000 +0800 @@ -1,3 +1,10 @@ +jq (1.6-2.1+deb12u1) bookworm; urgency=medium + + * Cherry-pick upstream commit c6e041699d8cd31b97375a2596217aff2cfca85b to + fix CVE-2025-48060. + + -- ChangZhuo Chen (陳昌倬) <[email protected]> Wed, 09 Jul 2025 22:23:15 +0800 + jq (1.6-2.1) unstable; urgency=medium [ Paul Gevers ] diff -Nru jq-1.6/debian/patches/CVE-2025-48060.patch jq-1.6/debian/patches/CVE-2025-48060.patch --- jq-1.6/debian/patches/CVE-2025-48060.patch 1970-01-01 08:00:00.000000000 +0800 +++ jq-1.6/debian/patches/CVE-2025-48060.patch 2025-07-09 22:21:20.000000000 +0800 @@ -0,0 +1,22 @@ +From: =?utf-8?b?IkNoYW5nWmh1byBDaGVuICjpmbPmmIzlgKwpIg==?= + <[email protected]> +Date: Wed, 9 Jul 2025 22:19:33 +0800 +Subject: Cherry-pick upstream commit c6e041699d8cd31b97375a2596217aff2cfca85b + to fix CVE-2025-48060 + +--- + src/jv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/jv.c b/src/jv.c +index 979d188..6936f59 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -492,6 +492,7 @@ static jv jvp_string_empty_new(uint32_t length) { + jvp_string* s = jvp_string_alloc(length); + s->length_hashed = 0; + memset(s->data, 0, length); ++ s->data[length] = 0; + jv r = {JV_KIND_STRING, 0, 0, 0, {&s->refcnt}}; + return r; + } diff -Nru jq-1.6/debian/patches/series jq-1.6/debian/patches/series --- jq-1.6/debian/patches/series 2020-12-10 16:24:21.000000000 +0800 +++ jq-1.6/debian/patches/series 2025-07-09 22:22:06.000000000 +0800 @@ -8,3 +8,4 @@ 0008-Do-not-use-venderized-oniguruma.patch 0009-Hardcode-version-to-1.6.patch 0010-initialized-variables.patch +CVE-2025-48060.patch
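Review bot: the added `s->data[length] = 0;` in jvp_string_empty_new() is only correct if jvp_string_alloc(length) reserves length + 1 bytes for the terminator; the allocator is outside this hunk, so please confirm that in the bookworm source before upload, since otherwise the new line is itself a one-byte write past the end (the report states no test was run). If the allocation does include the extra byte, consider collapsing the two writes into `memset(s->data, 0, length + 1);` so the terminator intent is visible at a glance. Separately, the new debian/patches/CVE-2025-48060.patch has only From/Date/Subject headers; a DEP-3 `Origin: upstream, commit c6e041699d8cd31b97375a2596217aff2cfca85b` line would record the provenance that the changelog entry already claims.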
signature.asc
Description: PGP signature

