Package: jq
Version: 1.6-2.1
Severity: important

Consider this JSON file:

{
"\u0041PIModule": "/test2.dll",
"APIModule": "/test.dll"
}

On running jq .APIModule < test.json, the output is "/test.dll".

The expected output is "/test2.dll", "/test.dll", or alternately an error message as this input file is in fact malformed.

The order of the two input lines does not matter: reversing the order in input does not change the output.

This bug is security class, and was discovered by looking for a solution to a security problem we uncovered in new development; however this is not a security bug for everybody. Most people don't try to determine if JSON input is trustworthy this way.

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-18-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages jq depends on:
ii  libc6   2.36-9+deb12u4
ii  libjq1  1.6-2.1

jq recommends no packages.

jq suggests no packages.

-- no debconf information
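
Added example, not part of the original report and not jq code: one way for a consumer that treats this input as untrusted to get the error-message outcome the report lists as acceptable is to reject any object whose keys repeat once escapes are decoded. It uses Python's standard json module; the names strict_loads, duplicate_keys and DuplicateKeyError are hypothetical.

```python
import json


class DuplicateKeyError(ValueError):
    """Raised when an object repeats a key after escape decoding."""


def _reject_duplicates(pairs):
    # The json module has already decoded escapes at this point, so
    # "\u0041PIModule" and "APIModule" both arrive as "APIModule".
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise DuplicateKeyError(f"duplicate key after decoding: {key!r}")
        seen[key] = value
    return seen


def strict_loads(text):
    """Parse JSON, refusing any object (at any depth) with repeated keys."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def duplicate_keys(text):
    """Return the keys that repeat, for logging, without raising."""
    found = []

    def collect(pairs):
        seen = {}
        for key, value in pairs:
            if key in seen:
                found.append(key)
            seen[key] = value
        return seen

    json.loads(text, object_pairs_hook=collect)
    return found


# Constructed sample: the input file from the report (raw string keeps \u0041).
REPORT_INPUT = r'''{
"\u0041PIModule": "/test2.dll",
"APIModule": "/test.dll"
}'''

if __name__ == "__main__":
    print(duplicate_keys(REPORT_INPUT))
```

Running the check before handing the file to jq, or to any other parser, means the decision never depends on which of the two values a given parser happens to keep.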