commit jq for openSUSE:Factory
Hello community, here is the log from the commit of package jq for openSUSE:Factory checked in at 2019-08-24 18:42:09 Comparing /work/SRC/openSUSE:Factory/jq (Old) and /work/SRC/openSUSE:Factory/.jq.new.7948 (New) Package is "jq" Sat Aug 24 18:42:09 2019 rev:10 rq:724965 version:1.6 Changes: --- /work/SRC/openSUSE:Factory/jq/jq.changes2018-11-12 09:48:38.408535569 +0100 +++ /work/SRC/openSUSE:Factory/.jq.new.7948/jq.changes 2019-08-24 18:42:10.377781775 +0200 @@ -1,0 +2,6 @@ +Thu Jul 4 17:27:13 UTC 2019 - m...@suse.com + +- Make jq depend on libjq1, so upgrading jq upgrades both + See: https://github.com/stedolan/jq/issues/1904 + +--- Other differences: -- ++ jq.spec ++ --- /var/tmp/diff_new_pack.IUKcgH/_old 2019-08-24 18:42:10.889781726 +0200 +++ /var/tmp/diff_new_pack.IUKcgH/_new 2019-08-24 18:42:10.893781725 +0200 @@ -1,7 +1,7 @@ # # spec file for package jq # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# Please submit bugfixes or comments via http://bugs.opensuse.org/ # @@ -28,6 +28,7 @@ BuildRequires: flex BuildRequires: oniguruma-devel BuildRequires: valgrind +Requires: libjq1 = %{version} %description A lightweight and flexible command-line JSON processor. jq is like sed for
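Review bot: the jq.spec header hunk at @@ -12,7 +12,7 @@ switches the bug tracker link from https://bugs.opensuse.org/ back to http://bugs.opensuse.org/, which has nothing to do with the libjq1 dependency and undoes the https form introduced in rev:9. Drop that hunk from this submission or keep the https URL.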
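Review bot: "Requires: libjq1 = %{version}" in the jq.spec hunk at @@ -28,6 +28,7 @@ pins only the upstream version, so a libjq1 rebuild that differs only in its release (for example one carrying a backported fix as a patch) still satisfies the dependency and jq and libjq1 can drift apart. Since the changelog says the goal is that upgrading jq upgrades both, consider "Requires: libjq1 = %{version}-%{release}".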
commit jq for openSUSE:Factory
Hello community, here is the log from the commit of package jq for openSUSE:Factory checked in at 2018-11-12 09:48:36 Comparing /work/SRC/openSUSE:Factory/jq (Old) and /work/SRC/openSUSE:Factory/.jq.new (New) Package is "jq" Mon Nov 12 09:48:36 2018 rev:9 rq:646178 version:1.6 Changes: --- /work/SRC/openSUSE:Factory/jq/jq.changes2017-02-06 14:35:45.528540252 +0100 +++ /work/SRC/openSUSE:Factory/.jq.new/jq.changes 2018-11-12 09:48:38.408535569 +0100 @@ -1,0 +2,17 @@ +Fri Nov 2 12:35:25 UTC 2018 - Avindra Goolcharan + +- Update to version 1.6 + * Destructuring Alternation + * many new builtins (see docs) + * Add support for ASAN and UBSAN + * Make it easier to use jq with shebangs + * Add $ENV builtin variable to access environment + * Add JQ_COLORS env var for configuring the output colors + * change: Calling jq without a program argument now always assumes +"." for the program, regardless of stdin/stdout + * fix: Make sorting stable regardless of qsort. +- cleanup with spec-cleaner +- drop CVE-2015-8863.patch (upstreamed in 8eb1367ca44e772963e704a700ef72ae2e12babd) +- drop CVE-2016-4074.patch (upstreamed in fd4ae8304e23007672af9a37855c7a76de7c78cf) + +--- Old: CVE-2015-8863.patch CVE-2016-4074.patch jq-1.5.tar.gz New: jq-1.6.tar.gz Other differences: -- ++ jq.spec ++ --- /var/tmp/diff_new_pack.RTRntq/_old 2018-11-12 09:48:39.264534278 +0100 +++ /var/tmp/diff_new_pack.RTRntq/_new 2018-11-12 09:48:39.264534278 +0100 @@ -1,7 +1,7 @@ # # spec file for package jq # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -12,25 +12,22 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: jq -Version:1.5 +Version:1.6 Release:0 Summary:A lightweight and flexible command-line JSON processor -License:MIT and CC-BY-3.0 +License:MIT AND CC-BY-3.0 Group: Productivity/Text/Utilities -Url:http://stedolan.github.io/jq/ +URL:http://stedolan.github.io/jq/ Source: https://github.com/stedolan/jq/releases/download/jq-%{version}/jq-%{version}.tar.gz -Patch1: CVE-2015-8863.patch -Patch2: CVE-2016-4074.patch BuildRequires: chrpath BuildRequires: flex BuildRequires: oniguruma-devel BuildRequires: valgrind -BuildRoot: %{_tmppath}/%{name}-%{version}-build %description A lightweight and flexible command-line JSON processor. jq is like sed for @@ -55,8 +52,6 @@ %prep %setup -q -%patch1 -p2 -%patch2 -p2 %build %configure \ @@ -85,17 +80,15 @@ %postun -n libjq1 -p /sbin/ldconfig %files -%defattr(-,root,root) -%doc AUTHORS ChangeLog COPYING NEWS README.md +%license COPYING +%doc AUTHORS ChangeLog NEWS README.md %{_bindir}/%{name} -%{_mandir}/man1/%{name}.1%{ext_man} +%{_mandir}/man1/%{name}.1%{?ext_man} %files -n libjq1 -%defattr(-,root,root) %{_libdir}/libjq.so.1* %files -n libjq-devel -%defattr(-,root,root) %{_includedir}/jq.h %{_includedir}/jv.h %{_libdir}/libjq.so ++ jq-1.5.tar.gz -> jq-1.6.tar.gz ++ 176411 lines of diff (skipped)
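Review bot: the removal of Patch2 and "%patch2 -p2" in the jq.spec hunks is justified in jq.changes by a single upstream commit, fd4ae8304e23007672af9a37855c7a76de7c78cf, but CVE-2016-4074.patch as it was added to this package bundled two commits: the parser limit (fd4ae830...) and the print depth limit in src/jv_print.c (83e2cf607f3599d208b6b3129092fa7deb2e5292). Please confirm that the jv_print.c change is also part of jq-1.6.tar.gz and cite both hashes in the changelog entry, since the tarball diff itself (176411 lines) is skipped and cannot be checked from this mail.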
commit jq for openSUSE:Factory
Hello community, here is the log from the commit of package jq for openSUSE:Factory checked in at 2017-02-06 14:35:44 Comparing /work/SRC/openSUSE:Factory/jq (Old) and /work/SRC/openSUSE:Factory/.jq.new (New) Package is "jq" Changes: --- /work/SRC/openSUSE:Factory/jq/jq.changes2017-01-09 10:32:32.380823751 +0100 +++ /work/SRC/openSUSE:Factory/.jq.new/jq.changes 2017-02-06 14:35:45.528540252 +0100 @@ -1,0 +2,6 @@ +Fri Feb 3 09:26:17 UTC 2017 - idon...@suse.com + +- Add CVE-2016-4074.patch to prevent a stack exhaustion + CVE-2016-4074 bsc#1014176 + +--- New: CVE-2016-4074.patch Other differences: -- ++ jq.spec ++ --- /var/tmp/diff_new_pack.fXc6dr/_old 2017-02-06 14:35:46.048465204 +0100 +++ /var/tmp/diff_new_pack.fXc6dr/_new 2017-02-06 14:35:46.052464627 +0100 @@ -25,6 +25,7 @@ Url:http://stedolan.github.io/jq/ Source: https://github.com/stedolan/jq/releases/download/jq-%{version}/jq-%{version}.tar.gz Patch1: CVE-2015-8863.patch +Patch2: CVE-2016-4074.patch BuildRequires: chrpath BuildRequires: flex BuildRequires: oniguruma-devel @@ -55,6 +56,7 @@ %prep %setup -q %patch1 -p2 +%patch2 -p2 %build %configure \ ++ CVE-2016-4074.patch ++ >From 83e2cf607f3599d208b6b3129092fa7deb2e5292 Mon Sep 17 00:00:00 2001 From: W-Mark Kubacki Date: Fri, 19 Aug 2016 19:50:39 +0200 Subject: [PATCH] Skip printing what's below a MAX_PRINT_DEPTH This addresses #1136, and mitigates a stack exhaustion when printing a very deeply nested term. --- src/jv_print.c | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/jv_print.c b/src/jv_print.c index 5f4f234..ce4a59a 100644 --- a/src/jv_print.c +++ b/src/jv_print.c @@ -13,6 +13,10 @@ #include "jv_dtoa.h" #include "jv_unicode.h" +#ifndef MAX_PRINT_DEPTH +#define MAX_PRINT_DEPTH (256) +#endif + #define ESC "\033" #define COL(c) (ESC "[" c "m") #define COLRESET (ESC "[0m") 
@@ -150,7 +154,9 @@ static void jv_dump_term(struct dtoa_context* C, jv x, int flags, int indent, FI } } } - switch (jv_get_kind(x)) { + if (indent > MAX_PRINT_DEPTH) { +put_str("", F, S, flags & JV_PRINT_ISATTY); + } else switch (jv_get_kind(x)) { default: case JV_KIND_INVALID: if (flags & JV_PRINT_INVALID) { >From fd4ae8304e23007672af9a37855c7a76de7c78cf Mon Sep 17 00:00:00 2001 From: W-Mark Kubacki Date: Fri, 19 Aug 2016 20:10:21 +0200 Subject: [PATCH] Parse no deeper than MAX_PARSING_DEPTH while true; do printf '{"deeper": '; done | jq . --- src/jv_parse.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/jv_parse.c b/src/jv_parse.c index 84245b8..51ad9f0 100644 --- a/src/jv_parse.c +++ b/src/jv_parse.c @@ -10,6 +10,10 @@ typedef const char* presult; +#ifndef MAX_PARSING_DEPTH +#define MAX_PARSING_DEPTH (256) +#endif + #define TRY(x) do {presult msg__ = (x); if (msg__) return msg__; } while(0) #ifdef __GNUC__ #define pfunc __attribute__((warn_unused_result)) presult @@ -147,11 +151,13 @@ static void push(struct jv_parser* p, jv v) { static pfunc parse_token(struct jv_parser* p, char ch) { switch (ch) { case '[': +if (p->stackpos >= MAX_PARSING_DEPTH) return "Exceeds depth limit for parsing"; if (jv_is_valid(p->next)) return "Expected separator between values"; push(p, jv_array()); break; case '{': +if (p->stackpos >= MAX_PARSING_DEPTH) return "Exceeds depth limit for parsing"; if (jv_is_valid(p->next)) return "Expected separator between values"; push(p, jv_object()); break;
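Review bot: in the src/jv_print.c hunk at @@ -150,7 +154,9 @@ the guard compares the indent argument with MAX_PRINT_DEPTH, so it only works as a nesting limit if every recursive call of jv_dump_term passes indent + 1 regardless of the pretty-printing flags; those call sites are outside the hunk and should be checked. When the limit is hit the function writes a replacement string for the subtree and carries on, and as the line reads here that string is empty, so the consumer receives shortened output with nothing in it that marks the cut. Consider a visible marker plus a message on stderr or a non-zero exit status.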
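Review bot: the two checks added to parse_token() in the src/jv_parse.c hunk at @@ -147,11 +151,13 @@ test "p->stackpos >= MAX_PARSING_DEPTH" while the printer tests "indent > MAX_PRINT_DEPTH", so the deepest accepted level need not be the same on the parsing and the printing side even though both macros default to 256. Align the two comparisons or state in a comment which level is the last one accepted. Valid documents nested deeper than the limit now fail with "Exceeds depth limit for parsing"; that behaviour change belongs in jq.changes, and a test with input just below and just above the limit would pin it down.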
commit jq for openSUSE:Factory
Hello community, here is the log from the commit of package jq for openSUSE:Factory checked in at 2016-07-20 09:18:05 Comparing /work/SRC/openSUSE:Factory/jq (Old) and /work/SRC/openSUSE:Factory/.jq.new (New) Package is "jq" Changes: --- /work/SRC/openSUSE:Factory/jq/jq.changes2016-04-30 23:29:39.0 +0200 +++ /work/SRC/openSUSE:Factory/.jq.new/jq.changes 2016-07-20 09:18:10.0 +0200 @@ -1,0 +2,6 @@ +Sat Jul 16 10:14:33 UTC 2016 - mplus...@suse.com + +- Make building more verbose +- Run tests + +--- Other differences: -- ++ jq.spec ++ --- /var/tmp/diff_new_pack.sbLIKF/_old 2016-07-20 09:18:11.0 +0200 +++ /var/tmp/diff_new_pack.sbLIKF/_new 2016-07-20 09:18:11.0 +0200 @@ -25,10 +25,7 @@ Url:http://stedolan.github.io/jq/ Source: https://github.com/stedolan/jq/releases/download/jq-%{version}/jq-%{version}.tar.gz Patch1: CVE-2015-8863.patch -BuildRequires: autoconf BuildRequires: chrpath -BuildRequires: coreutils -BuildRequires: make BuildRequires: oniguruma-devel BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -58,7 +55,9 @@ %patch1 -p2 %build -%configure --disable-static +%configure \ + --disable-static \ + --disable-silent-rules make %{?_smp_mflags} %install @@ -73,15 +72,17 @@ # we install the documentation in a separate location using the doc macro rm -rf %{buildroot}%{_datadir}/doc/%{name} -%post -n libjq1 -p /sbin/ldconfig +%check +make check +%post -n libjq1 -p /sbin/ldconfig %postun -n libjq1 -p /sbin/ldconfig %files %defattr(-,root,root) -%doc AUTHORS ChangeLog COPYING NEWS README README.md +%doc AUTHORS ChangeLog COPYING NEWS README.md %{_bindir}/%{name} -%{_mandir}/man1/%{name}.1.gz +%{_mandir}/man1/%{name}.1%{ext_man} %files -n libjq1 %defattr(-,root,root)
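Review bot: the jq.changes entry names only "Make building more verbose" and "Run tests", but the jq.spec hunks at @@ -25,10 +25,7 @@ and @@ -73,15 +72,17 @@ also drop the autoconf, coreutils and make BuildRequires, remove README from %doc and replace the hard-coded .1.gz man page suffix with %{ext_man}. List those in the changelog so the entry matches the diff; the new %check section is also a good place to say which test suite "make check" runs, since the package carries CVE-2015-8863.patch on top of the upstream sources.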
commit jq for openSUSE:Factory
Hello community, here is the log from the commit of package jq for openSUSE:Factory checked in at 2016-04-30 23:29:38 Comparing /work/SRC/openSUSE:Factory/jq (Old) and /work/SRC/openSUSE:Factory/.jq.new (New) Package is "jq" Changes: --- /work/SRC/openSUSE:Factory/jq/jq.changes2015-08-23 17:41:07.0 +0200 +++ /work/SRC/openSUSE:Factory/.jq.new/jq.changes 2016-04-30 23:29:39.0 +0200 @@ -1,0 +2,5 @@ +Mon Apr 25 11:48:27 UTC 2016 - idon...@suse.com + +- Add CVE-2015-8863.patch to fix a heap overflow bsc#976992 + +--- New: CVE-2015-8863.patch Other differences: -- ++ jq.spec ++ --- /var/tmp/diff_new_pack.BgyXlK/_old 2016-04-30 23:29:40.0 +0200 +++ /var/tmp/diff_new_pack.BgyXlK/_new 2016-04-30 23:29:40.0 +0200 @@ -1,7 +1,7 @@ # # spec file for package jq # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,6 +24,7 @@ Group: Productivity/Text/Utilities Url:http://stedolan.github.io/jq/ Source: https://github.com/stedolan/jq/releases/download/jq-%{version}/jq-%{version}.tar.gz +Patch1: CVE-2015-8863.patch BuildRequires: autoconf BuildRequires: chrpath BuildRequires: coreutils @@ -54,6 +55,7 @@ %prep %setup -q +%patch1 -p2 %build %configure --disable-static ++ CVE-2015-8863.patch ++ >From 8eb1367ca44e772963e704a700ef72ae2e12babd Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Sat, 24 Oct 2015 17:24:57 -0500 Subject: [PATCH] Heap buffer overflow in tokenadd() (fix #105) This was an off-by one: the NUL terminator byte was not allocated on resize. This was triggered by JSON-encoded numbers longer than 256 bytes. --- src/jv_parse.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/jv_parse.c b/src/jv_parse.c index 3102ed4..84245b8 100644 --- a/src/jv_parse.c +++ b/src/jv_parse.c 
@@ -383,7 +383,7 @@ static pfunc stream_token(struct jv_parser* p, char ch) { static void tokenadd(struct jv_parser* p, char c) { assert(p->tokenpos <= p->tokenlen); - if (p->tokenpos == p->tokenlen) { + if (p->tokenpos >= (p->tokenlen - 1)) { p->tokenlen = p->tokenlen*2 + 256; p->tokenbuf = jv_mem_realloc(p->tokenbuf, p->tokenlen); } @@ -485,7 +485,7 @@ static pfunc check_literal(struct jv_parser* p) { TRY(value(p, v)); } else { // FIXME: better parser -p->tokenbuf[p->tokenpos] = 0; // FIXME: invalid +p->tokenbuf[p->tokenpos] = 0; char* end = 0; double d = jvp_strtod(&p->dtoa, p->tokenbuf, &end); if (end == 0 || *end != 0)
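Review bot: the new condition "p->tokenpos >= (p->tokenlen - 1)" in the tokenadd() hunk at @@ -383,7 +383,7 @@ depends on the type of tokenlen, which is not visible in the hunk: if it is unsigned and starts at 0, tokenlen - 1 wraps around and the first call skips the realloc. Writing the test as "p->tokenpos + 1 >= p->tokenlen" avoids the subtraction. The assert above it still allows tokenpos == tokenlen and disappears under NDEBUG, so it does not protect the spare byte this fix introduces.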
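Review bot: the check_literal() hunk at @@ -485,7 +485,7 @@ only deletes the "FIXME: invalid" comment, so the store "p->tokenbuf[p->tokenpos] = 0" is now correct solely because tokenadd() keeps one byte in reserve. Put an assert(p->tokenpos < p->tokenlen) or a short comment at the store so that dependency survives later changes to tokenadd(). The patch touches src/jv_parse.c only; a regression test with a number literal longer than 256 bytes, the trigger named in the commit message, would keep the fix covered.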
commit jq for openSUSE:Factory
Hello community, here is the log from the commit of package jq for openSUSE:Factory checked in at 2015-08-23 15:43:54 Comparing /work/SRC/openSUSE:Factory/jq (Old) and /work/SRC/openSUSE:Factory/.jq.new (New) Package is "jq" Changes: --- /work/SRC/openSUSE:Factory/jq/jq.changes2014-06-30 21:50:27.0 +0200 +++ /work/SRC/openSUSE:Factory/.jq.new/jq.changes 2015-08-23 17:41:07.0 +0200 @@ -1,0 +2,16 @@ +Tue Aug 18 09:12:21 UTC 2015 - idon...@suse.com + +- Update to version 1.5 + * Regexp support + * A proper module system + * Destructuring syntax + * Math functions + * An online streaming parser + * Minimal I/O builtins (inputs, debug) + * try/catch for catching and handling errors + * Tail call optimization + * Datetime functions + * Performance enhancements +- Add oniguruma-devel BuildRequires for regexp support + +--- Old: jq-1.4.tar.gz New: jq-1.5.tar.gz Other differences: -- ++ jq.spec ++ --- /var/tmp/diff_new_pack.lyBaiz/_old 2015-08-23 17:41:08.0 +0200 +++ /var/tmp/diff_new_pack.lyBaiz/_new 2015-08-23 17:41:08.0 +0200 @@ -1,7 +1,7 @@ # # spec file for package jq # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,17 +17,18 @@ Name: jq -Version:1.4 +Version:1.5 Release:0 Summary:A lightweight and flexible command-line JSON processor License:MIT and CC-BY-3.0 Group: Productivity/Text/Utilities Url:http://stedolan.github.io/jq/ -Source: http://stedolan.github.io/jq/download/source/%{name}-%{version}.tar.gz +Source: https://github.com/stedolan/jq/releases/download/jq-%{version}/jq-%{version}.tar.gz BuildRequires: autoconf BuildRequires: chrpath BuildRequires: coreutils BuildRequires: make +BuildRequires: oniguruma-devel BuildRoot: %{_tmppath}/%{name}-%{version}-build %description 
@@ -76,7 +77,7 @@ %files %defattr(-,root,root) -%doc README README.md COPYING AUTHORS +%doc AUTHORS ChangeLog COPYING NEWS README README.md %{_bindir}/%{name} %{_mandir}/man1/%{name}.1.gz ++ jq-1.4.tar.gz -> jq-1.5.tar.gz ++ 36082 lines of diff (skipped)
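Review bot: the Source line changed in the jq.spec hunk at @@ -17,17 +17,18 @@ now fetches the tarball over https from the GitHub release page, but it is followed directly by the BuildRequires block, so there is no additional Source entry for a detached signature or keyring and nothing in the build verifies jq-1.5.tar.gz. The tarball diff (36082 lines) is skipped in this mail, which leaves the download as the only trust anchor. If upstream publishes a signature for the release, add it together with the keyring as further Source entries.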
commit jq for openSUSE:Factory
Hello community, here is the log from the commit of package jq for openSUSE:Factory checked in at 2014-06-30 21:45:23 Comparing /work/SRC/openSUSE:Factory/jq (Old) and /work/SRC/openSUSE:Factory/.jq.new (New) Package is "jq" Changes: --- /work/SRC/openSUSE:Factory/jq/jq.changes2013-11-21 15:25:30.0 +0100 +++ /work/SRC/openSUSE:Factory/.jq.new/jq.changes 2014-06-30 21:45:52.0 +0200 @@ -1,0 +2,42 @@ +Fri Jun 27 09:55:52 UTC 2014 - idon...@suse.com + +- Don't package static libs +- Fix rpath on the main binary + +--- +Sun Jun 15 20:52:42 UTC 2014 - prus...@opensuse.org + +- Updated to 1.4 + + New command line arguments + * jq --arg-file variable file + * jq --unbuffered + * jq -e / --exit-status (set exit status based on outputs) + * jq -S / --sort-keys (now jq no longer sorts object keys by + default + + Syntax changes + * .. -> like // in XPath (recursive traversal) + * question mark (e.g., .a?) to suppress errors + * ."foo" syntax (equivalent to .["foo"]) + * better error handling for .foo + * added % operator (modulo) + * allow negation without requiring extra parenthesis + * more function arguments (up to six) + + New filters + * any, all + * iterables, arrays, objects, scalars, nulls, booleans, + numbers, strings, values + + New string built-ins + * split + * join (join an array of strings with a given separator string) + * ltrimstr, rtrimstr + * startswith, endswith + * explode, implode + * fromjson, tojson + * index, rindex, indices + + New math functions + * floor, sqrt, cbrt, etc. + + Addition of libjq, a C API interface to jq's JSON representation + and for running jq programs from C applications. + + +--- Old: jq-1.3.tar.gz New: jq-1.4.tar.gz Other differences: -- ++ jq.spec ++ --- /var/tmp/diff_new_pack.mdbJ4h/_old 2014-06-30 21:45:53.0 +0200 +++ /var/tmp/diff_new_pack.mdbJ4h/_new 2014-06-30 21:45:53.0 +0200 
@@ -1,7 +1,7 @@ # # spec file for package jq # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -15,38 +15,64 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # + Name: jq -Version:1.3 -Release:0.0 -License:MIT and CC-BY-3.0 +Version:1.4 +Release:0 Summary:A lightweight and flexible command-line JSON processor -Url:http://stedolan.github.io/jq/ +License:MIT and CC-BY-3.0 Group: Productivity/Text/Utilities -Source: http://stedolan.github.io/jq/download/source/jq-1.3.tar.gz +Url:http://stedolan.github.io/jq/ +Source: http://stedolan.github.io/jq/download/source/%{name}-%{version}.tar.gz BuildRequires: autoconf +BuildRequires: chrpath BuildRequires: coreutils BuildRequires: make BuildRoot: %{_tmppath}/%{name}-%{version}-build %description - A lightweight and flexible command-line JSON processor. jq is like sed for JSON data – you can use it to slice and filter and map and transform structured data with the same ease that sed, awk, grep and friends let you play with text. +%package -n libjq1 +Summary:Library for a lightweight and flexible command-line JSON processor +Group: System/Libraries + +%description -n libjq1 +Library for a lightweight and flexible command-line JSON processor. + +%package -n libjq-devel +Summary:Development files for jq +Group: Development/Languages/C and C++ +Requires: libjq1 = %{version} + +%description -n libjq-devel +Development files (headers and libraries for jq). + %prep %setup -q %build -%configure +%configure --disable-static make %{?_smp_mflags} %install %make_install +# RPATH contains the builddir yucks! +chrpath -d %{buildroot}%{_bindir}/jq + +# No static stuff +rm %{buildroot}%{_libdir}/libjq.la + # we install the documentation in a separate location using the doc macro -%{__rm} -rf %{buildroot}/usr/share/doc/%{name} +rm -rf %{buildroot}%{_datadir}/doc/%{name} + +%post -n libjq1 -p /sbin/ldconfig + +%postun -n libjq1 -p /sbin/ldconfig %files %defattr(-,root,root) 
@@ -54,4 +80,14 @@ %{_bindir}/%{name} %{_mandir}/man1/%{name}.1.gz +%files -n libjq1 +%defattr(-,root,root) +%{_libdir}/libjq.so.1* + +%files -n libjq-devel +%defattr(-,root,root
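Review bot: in the jq.spec hunk at @@ -15,38 +15,64 @@ only libjq-devel receives "Requires: libjq1 = %{version}"; the main jq package, built with --disable-static and therefore presumably linked against the shared libjq, gets no explicit versioned dependency on the new libjq1 subpackage, so the binary and the library can be updated independently. Add a versioned Requires to the main package as well, preferably "= %{version}-%{release}" so that rebuilds with the same upstream version stay in lockstep too. In the changelog hunk the line "(now jq no longer sorts object keys by default" is missing its closing parenthesis.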