authorLeonardo Arena <rnalrd@alpinelinux.org>2018-04-30 15:41:19 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2018-04-30 18:49:51 +0000
commite10ec9bc1b1ba649892df0d8f7c116a1172e51a3 (patch)
tree7a7e4639feedb363eccab57a1668742ffd4604f4
parentf1dfff5f7f40aa56b73723d12ce463ed5a4f3503 (diff)
downloadaports-e10ec9bc1b1ba649892df0d8f7c116a1172e51a3.tar.bz2
aports-e10ec9bc1b1ba649892df0d8f7c116a1172e51a3.tar.xz
main/jq: security fix (CVE-2016-4074)
Fixes #8811
-rw-r--r--main/jq/APKBUILD17
-rw-r--r--main/jq/CVE-2016-4074.patch37
2 files changed, 44 insertions, 10 deletions
diff --git a/main/jq/APKBUILD b/main/jq/APKBUILD
index 3973d1964c..c06ae103df 100644
--- a/main/jq/APKBUILD
+++ b/main/jq/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Johannes Matheis <jomat+alpinebuild@jmt.gr>
pkgname=jq
pkgver=1.5
-pkgrel=1
+pkgrel=2
pkgdesc="A lightweight and flexible command-line JSON processor"
url="http://stedolan.github.io/jq/"
arch="all"
@@ -14,13 +14,13 @@ install=""
subpackages="$pkgname-doc $pkgname-dev"
source="https://github.com/stedolan/jq/releases/download/${pkgname}-${pkgver}/${pkgname}-${pkgver}.tar.gz
CVE-2015-8863.patch
+ CVE-2016-4074.patch
"
+builddir="${srcdir}/${pkgname}-${pkgver}"
# secfixes:
-# 1.5-r1:
-# - CVE-2015-8863
-
-builddir="${srcdir}/${pkgname}-${pkgver}"
+# 1.5-r2:
+# - CVE-2016-4074
build() {
cd "$builddir"
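Review bot: The `# secfixes:` block drops its `# 1.5-r1:` / `# - CVE-2015-8863` entry rather than gaining a new entry alongside it, even though `CVE-2015-8863.patch` is still listed in `source`. If this comment is read as the package's record of which release fixed which CVE (inferred from its format, not shown here), the earlier fix is no longer traceable from the APKBUILD. Keeping both entries would avoid that: `# 1.5-r2:` / `#   - CVE-2016-4074` followed by `# 1.5-r1:` / `#   - CVE-2015-8863`. build()'s body continues outside the hunk.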
@@ -33,9 +33,6 @@ package() {
make DESTDIR="$pkgdir" prefix=/usr install
}
-md5sums="0933532b086bd8b6a41c1b162b1731f9 jq-1.5.tar.gz
-bb9ef50162ebbba9a936a96bef607e1a CVE-2015-8863.patch"
-sha256sums="c4d2bfec6436341113419debf479d833692cc5cdab7eb0326b5a4d4fbe9f493c jq-1.5.tar.gz
-cbe2003ab7d65acae4e6249df75bddbe78b076126b4d1c332eee46df24cb09e0 CVE-2015-8863.patch"
sha512sums="4a0bb069ae875f47731d7d84ae6b82240703dc7a694cfb0aee4c7e9639defe7ba9af575d17dc32bda4426b80c186cc8dcd4505f3a6bcbe16b39e9b13097da238 jq-1.5.tar.gz
-e7e7fdf346ccd6df725dd28029654a6bebaa45ed6f14119f51d7f898b555416595d004bfc8a51f612039c11e9573d0f6ea28c3c2ca6aca1d23f1ee0543bfe1e9 CVE-2015-8863.patch"
+e7e7fdf346ccd6df725dd28029654a6bebaa45ed6f14119f51d7f898b555416595d004bfc8a51f612039c11e9573d0f6ea28c3c2ca6aca1d23f1ee0543bfe1e9 CVE-2015-8863.patch
+d523ed92b5a5ca806007c6ff5efe0e11eb7c1e020de29f4b4003080cd9da92fa69a268a011c35e8cf07791bacf8a0e7c9df40698673027ac961725f7163f2150 CVE-2016-4074.patch"
diff --git a/main/jq/CVE-2016-4074.patch b/main/jq/CVE-2016-4074.patch
new file mode 100644
index 0000000000..fb61ac9dad
--- /dev/null
+++ b/main/jq/CVE-2016-4074.patch
@@ -0,0 +1,37 @@
+From 904ee3bf26f863b7b31c4085f511e54c0307e537 Mon Sep 17 00:00:00 2001
+From: W-Mark Kubacki <wmark@hurrikane.de>
+Date: Fri, 19 Aug 2016 19:50:39 +0200
+Subject: [PATCH] Skip printing what's below a MAX_PRINT_DEPTH
+
+This addresses #1136, and mitigates a stack exhaustion when printing
+a very deeply nested term.
+---
+ jv_print.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/jv_print.c b/src/jv_print.c
+index 5f4f234b..ce4a59af 100644
+--- a/jv_print.c
++++ b/jv_print.c
+@@ -13,6 +13,10 @@
+ #include "jv_dtoa.h"
+ #include "jv_unicode.h"
+
++#ifndef MAX_PRINT_DEPTH
++#define MAX_PRINT_DEPTH (256)
++#endif
++
+ #define ESC "\033"
+ #define COL(c) (ESC "[" c "m")
+ #define COLRESET (ESC "[0m")
+@@ -150,7 +154,9 @@ static void jv_dump_term(struct dtoa_context* C, jv x, int flags, int indent, FI
+ }
+ }
+ }
+- switch (jv_get_kind(x)) {
++ if (indent > MAX_PRINT_DEPTH) {
++ put_str("<skipped: too deep>", F, S, flags & JV_PRINT_ISATTY);
++ } else switch (jv_get_kind(x)) {
+ default:
+ case JV_KIND_INVALID:
+ if (flags & JV_PRINT_INVALID) {
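Review bot: The placeholder emitted by `put_str("<skipped: too deep>", F, S, flags & JV_PRINT_ISATTY);` is not a JSON value, so once `indent` exceeds MAX_PRINT_DEPTH the output stops being parseable JSON, and nothing in this hunk reports the truncation to the caller. A consumer that trusts jq's output or exit status could act on silently incomplete data; whether an error is raised elsewhere is not visible here. The guard also assumes `indent` grows by one per nesting level on every recursive call, including non-pretty output, and those calls are outside the hunk, so that should be confirmed. A comment on the new define would record the intent, e.g. `/* Nesting depth at which jv_dump_term stops recursing, to bound stack use (CVE-2016-4074). */`. jv_dump_term's body starts and ends outside the hunk.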