Hello community, here is the log from the commit of package jq for openSUSE:Factory checked in at 2017-02-06 14:35:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/jq (Old) and /work/SRC/openSUSE:Factory/.jq.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jq"
Changes:
--------
--- /work/SRC/openSUSE:Factory/jq/jq.changes 2017-01-09 10:32:32.380823751 +0100
+++ /work/SRC/openSUSE:Factory/.jq.new/jq.changes 2017-02-06 14:35:45.528540252 +0100
@@ -1,0 +2,6 @@
+Fri Feb 3 09:26:17 UTC 2017 - [email protected]
+
+- Add CVE-2016-4074.patch to prevent a stack exhaustion
+ CVE-2016-4074 bsc#1014176
+
+-------------------------------------------------------------------
New:
----
CVE-2016-4074.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ jq.spec ++++++
--- /var/tmp/diff_new_pack.fXc6dr/_old 2017-02-06 14:35:46.048465204 +0100
+++ /var/tmp/diff_new_pack.fXc6dr/_new 2017-02-06 14:35:46.052464627 +0100
@@ -25,6 +25,7 @@
 Url: http://stedolan.github.io/jq/
 Source: https://github.com/stedolan/jq/releases/download/jq-%{version}/jq-%{version}.tar.gz
 Patch1: CVE-2015-8863.patch
+Patch2: CVE-2016-4074.patch
 BuildRequires: chrpath
 BuildRequires: flex
 BuildRequires: oniguruma-devel
@@ -55,6 +56,7 @@
 %prep
 %setup -q
 %patch1 -p2
+%patch2 -p2
 %build
 %configure \
++++++ CVE-2016-4074.patch ++++++
>From 83e2cf607f3599d208b6b3129092fa7deb2e5292 Mon Sep 17 00:00:00 2001
From: W-Mark Kubacki <[email protected]>
Date: Fri, 19 Aug 2016 19:50:39 +0200
Subject: [PATCH] Skip printing what's below a MAX_PRINT_DEPTH
This addresses #1136, and mitigates a stack exhaustion when printing a very deeply nested term.
---
 src/jv_print.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/jv_print.c b/src/jv_print.c
index 5f4f234..ce4a59a 100644
--- a/src/jv_print.c
+++ b/src/jv_print.c
@@ -13,6 +13,10 @@
 #include "jv_dtoa.h"
 #include "jv_unicode.h"
+#ifndef MAX_PRINT_DEPTH
+#define MAX_PRINT_DEPTH (256)
+#endif
+
 #define ESC "\033"
 #define COL(c) (ESC "[" c "m")
 #define COLRESET (ESC "[0m")
@@ -150,7 +154,9 @@ static void jv_dump_term(struct dtoa_context* C, jv x, int flags, int indent, FI
 }
 }
 }
- switch (jv_get_kind(x)) {
+ if (indent > MAX_PRINT_DEPTH) {
+ put_str("<skipped: too deep>", F, S, flags & JV_PRINT_ISATTY);
+ } else switch (jv_get_kind(x)) {
 default:
 case JV_KIND_INVALID:
 if (flags & JV_PRINT_INVALID) {
>From fd4ae8304e23007672af9a37855c7a76de7c78cf Mon Sep 17 00:00:00 2001
From: W-Mark Kubacki <[email protected]>
Date: Fri, 19 Aug 2016 20:10:21 +0200
Subject: [PATCH] Parse no deeper than MAX_PARSING_DEPTH
while true; do printf '{"deeper": '; done | jq .
---
 src/jv_parse.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/jv_parse.c b/src/jv_parse.c
index 84245b8..51ad9f0 100644
--- a/src/jv_parse.c
+++ b/src/jv_parse.c
@@ -10,6 +10,10 @@
 typedef const char* presult;
+#ifndef MAX_PARSING_DEPTH
+#define MAX_PARSING_DEPTH (256)
+#endif
+
 #define TRY(x) do {presult msg__ = (x); if (msg__) return msg__; } while(0)
 #ifdef __GNUC__
 #define pfunc __attribute__((warn_unused_result)) presult
@@ -147,11 +151,13 @@ static void push(struct jv_parser* p, jv v) {
 static pfunc parse_token(struct jv_parser* p, char ch) {
 switch (ch) {
 case '[':
+ if (p->stackpos >= MAX_PARSING_DEPTH) return "Exceeds depth limit for parsing";
 if (jv_is_valid(p->next)) return "Expected separator between values";
 push(p, jv_array());
 break;
 case '{':
+ if (p->stackpos >= MAX_PARSING_DEPTH) return "Exceeds depth limit for parsing";
 if (jv_is_valid(p->next)) return "Expected separator between values";
 push(p, jv_object());
 break;
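Review bot: The guard `if (indent > MAX_PRINT_DEPTH)` only bounds the recursion if every recursive jv_dump_term call increments `indent`, including when JV_PRINT_PRETTY is not set; those call sites are outside this hunk, so confirm that `indent` is a nesting counter in compact mode too (`jq -c`), otherwise the stack exhaustion is only mitigated for pretty-printed output. When the limit is hit the function writes `<skipped: too deep>` and carries on with no error path and no exit-status signal visible here, so a downstream consumer only discovers the truncation when its own JSON parser rejects the unquoted marker; I would state that intent above the check, e.g. `/* Depth cap against stack exhaustion (CVE-2016-4074): deliberately emits a non-JSON marker so truncated output cannot be mistaken for the real value. */`. Note also that the printer still descends at depth 256 (`>`) while the parser hunk below rejects at 256 (`>=`); aligning the comparisons, or deriving both limits from one shared constant, would remove that off-by-one between what jq will read and what it will write. jv_dump_term begins before and ends after this hunk.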
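Review bot: The new check `if (p->stackpos >= MAX_PARSING_DEPTH)` bounds the parser's explicit value stack rather than JSON nesting depth as such: if, as I recall from jq's parser but cannot see in this hunk, `push()` is also used for the pending key when `:` is handled, then every object level consumes two slots and the effective object nesting limit is roughly half of MAX_PARSING_DEPTH. Either way the relationship deserves a comment at the first check, e.g. `/* stackpos counts every pushed frame (open containers and any pending object keys), so this is an upper bound on nesting depth, not an exact count. */`. The identical condition and error string are duplicated for `[` and `{`; hoisting them into a `static pfunc check_depth(struct jv_parser* p)` helper, or at least a macro, keeps the two branches from drifting the way the `>=` here and the `>` in jv_print.c already have. parse_token continues past the end of the hunk.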
