diff options
| author | Leonardo Arena <rnalrd@alpinelinux.org> | 2018-04-30 15:41:19 +0000 |
|---|---|---|
| committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2018-04-30 15:41:19 +0000 |
| commit | 08fa87dac229e919eba54885a02dca0ae57c5f41 (patch) | |
| tree | ffcc03f6aff4920caad230413954cb93f3a4e184 | |
| parent | 73f6ed4311545e458f14db858c74d8d332f9c100 (diff) | |
main/jq: security fix (CVE-2016-4074). Fixes #8808
| -rw-r--r-- | main/jq/APKBUILD | 11 | ||||
| -rw-r--r-- | main/jq/CVE-2016-4074.patch | 37 |
2 files changed, 45 insertions, 3 deletions
diff --git a/main/jq/APKBUILD b/main/jq/APKBUILD index 2c6b01915c1..f7d19c54d64 100644 --- a/main/jq/APKBUILD +++ b/main/jq/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Johannes Matheis <jomat+alpinebuild@jmt.gr> pkgname=jq pkgver=1.5 -pkgrel=4 +pkgrel=5 pkgdesc="A lightweight and flexible command-line JSON processor" url="http://stedolan.github.io/jq/" arch="all" @@ -15,10 +15,14 @@ subpackages="$pkgname-doc $pkgname-dev" source="https://github.com/stedolan/jq/releases/download/${pkgname}-${pkgver}/${pkgname}-${pkgver}.tar.gz 0001-mktemp-needs-6-or-more-X-s-fix-1000.patch CVE-2015-8863.patch + CVE-2016-4074.patch " - builddir="${srcdir}/${pkgname}-${pkgver}" +# secfixes: +# 1.5-r5: +# - CVE-2016-4074 + build() { cd "$builddir" ./configure --prefix=/usr --disable-docs @@ -37,4 +41,5 @@ package() { sha512sums="4a0bb069ae875f47731d7d84ae6b82240703dc7a694cfb0aee4c7e9639defe7ba9af575d17dc32bda4426b80c186cc8dcd4505f3a6bcbe16b39e9b13097da238 jq-1.5.tar.gz c3508ad1692ebd7ad3486e376869f0f89230ad5869e00353c682cf86ff43cc15360ee2f45803ec113d7fd822d863856a9b93ff22b83b69d319786fe5bdce1edb 0001-mktemp-needs-6-or-more-X-s-fix-1000.patch -e7e7fdf346ccd6df725dd28029654a6bebaa45ed6f14119f51d7f898b555416595d004bfc8a51f612039c11e9573d0f6ea28c3c2ca6aca1d23f1ee0543bfe1e9 CVE-2015-8863.patch" +e7e7fdf346ccd6df725dd28029654a6bebaa45ed6f14119f51d7f898b555416595d004bfc8a51f612039c11e9573d0f6ea28c3c2ca6aca1d23f1ee0543bfe1e9 CVE-2015-8863.patch +d523ed92b5a5ca806007c6ff5efe0e11eb7c1e020de29f4b4003080cd9da92fa69a268a011c35e8cf07791bacf8a0e7c9df40698673027ac961725f7163f2150 CVE-2016-4074.patch" diff --git a/main/jq/CVE-2016-4074.patch b/main/jq/CVE-2016-4074.patch new file mode 100644 index 00000000000..fb61ac9dad4 --- /dev/null +++ b/main/jq/CVE-2016-4074.patch @@ -0,0 +1,37 @@ +From 904ee3bf26f863b7b31c4085f511e54c0307e537 Mon Sep 17 00:00:00 2001 +From: W-Mark Kubacki <wmark@hurrikane.de> +Date: Fri, 19 Aug 2016 19:50:39 +0200 +Subject: [PATCH] Skip printing what's below a MAX_PRINT_DEPTH + +This addresses #1136, and mitigates a stack exhaustion when printing +a very deeply nested term. +--- + jv_print.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/jv_print.c b/src/jv_print.c +index 5f4f234b..ce4a59af 100644 +--- a/jv_print.c ++++ b/jv_print.c +@@ -13,6 +13,10 @@ + #include "jv_dtoa.h" + #include "jv_unicode.h" + ++#ifndef MAX_PRINT_DEPTH ++#define MAX_PRINT_DEPTH (256) ++#endif ++ + #define ESC "\033" + #define COL(c) (ESC "[" c "m") + #define COLRESET (ESC "[0m") +@@ -150,7 +154,9 @@ static void jv_dump_term(struct dtoa_context* C, jv x, int flags, int indent, FI + } + } + } +- switch (jv_get_kind(x)) { ++ if (indent > MAX_PRINT_DEPTH) { ++ put_str("<skipped: too deep>", F, S, flags & JV_PRINT_ISATTY); ++ } else switch (jv_get_kind(x)) { + default: + case JV_KIND_INVALID: + if (flags & JV_PRINT_INVALID) { |