main/jq: security fix for CVE-2015-8863

fixes #5632

2 files changed, 47 insertions, 8 deletions

diff --git a/main/jq/APKBUILD b/main/jq/APKBUILD
index 0c70cb30a5..06cff23fa7 100644
--- a/main/jq/APKBUILD
+++ b/main/jq/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Johannes Matheis <jomat+alpinebuild@jmt.gr>
 pkgname=jq
 pkgver=1.5
-pkgrel=0
+pkgrel=1
 pkgdesc="A lightweight and flexible command-line JSON processor"
 url="http://stedolan.github.io/jq/"
 arch="all"
@@ -12,21 +12,26 @@ depends_dev=""
 makedepends="$depends_dev"
 install=""
 subpackages="$pkgname-doc $pkgname-dev"
-source="https://github.com/stedolan/jq/releases/download/${pkgname}-${pkgver}/${pkgname}-${pkgver}.tar.gz"
+source="https://github.com/stedolan/jq/releases/download/${pkgname}-${pkgver}/${pkgname}-${pkgver}.tar.gz
+	CVE-2015-8863.patch
+	"
 
-_builddir="${srcdir}/${pkgname}-${pkgver}"
+builddir="${srcdir}/${pkgname}-${pkgver}"
 
 build() {
-	cd "$_builddir"
+	cd "$builddir"
 	./configure --prefix=/usr --disable-docs
 	make
 }
 
 package() {
-	cd "$_builddir"
+	cd "$builddir"
 	make DESTDIR="$pkgdir" prefix=/usr install
 }
 
-md5sums="0933532b086bd8b6a41c1b162b1731f9  jq-1.5.tar.gz"
-sha256sums="c4d2bfec6436341113419debf479d833692cc5cdab7eb0326b5a4d4fbe9f493c  jq-1.5.tar.gz"
-sha512sums="4a0bb069ae875f47731d7d84ae6b82240703dc7a694cfb0aee4c7e9639defe7ba9af575d17dc32bda4426b80c186cc8dcd4505f3a6bcbe16b39e9b13097da238  jq-1.5.tar.gz"
+md5sums="0933532b086bd8b6a41c1b162b1731f9  jq-1.5.tar.gz
+bb9ef50162ebbba9a936a96bef607e1a  CVE-2015-8863.patch"
+sha256sums="c4d2bfec6436341113419debf479d833692cc5cdab7eb0326b5a4d4fbe9f493c  jq-1.5.tar.gz
+cbe2003ab7d65acae4e6249df75bddbe78b076126b4d1c332eee46df24cb09e0  CVE-2015-8863.patch"
+sha512sums="4a0bb069ae875f47731d7d84ae6b82240703dc7a694cfb0aee4c7e9639defe7ba9af575d17dc32bda4426b80c186cc8dcd4505f3a6bcbe16b39e9b13097da238  jq-1.5.tar.gz
+e7e7fdf346ccd6df725dd28029654a6bebaa45ed6f14119f51d7f898b555416595d004bfc8a51f612039c11e9573d0f6ea28c3c2ca6aca1d23f1ee0543bfe1e9  CVE-2015-8863.patch"
diff --git a/main/jq/CVE-2015-8863.patch b/main/jq/CVE-2015-8863.patch
new file mode 100644
index 0000000000..c146cadd56
--- /dev/null
+++ b/main/jq/CVE-2015-8863.patch
@@ -0,0 +1,34 @@
+From 8eb1367ca44e772963e704a700ef72ae2e12babd Mon Sep 17 00:00:00 2001
+From: Nicolas Williams <nico@cryptonector.com>
+Date: Sat, 24 Oct 2015 17:24:57 -0500
+Subject: [PATCH] Heap buffer overflow in tokenadd() (fix #105)
+
+This was an off-by one: the NUL terminator byte was not allocated on
+resize.  This was triggered by JSON-encoded numbers longer than 256
+bytes.
+---
+ src/jv_parse.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/jv_parse.c b/src/jv_parse.c
+index 3102ed4..84245b8 100644
+--- a/src/jv_parse.c
++++ b/jv_parse.c
+@@ -383,7 +383,7 @@ static pfunc stream_token(struct jv_parser* p, char ch) {
+ 
+ static void tokenadd(struct jv_parser* p, char c) {
+   assert(p->tokenpos <= p->tokenlen);
+-  if (p->tokenpos == p->tokenlen) {
++  if (p->tokenpos >= (p->tokenlen - 1)) {
+     p->tokenlen = p->tokenlen*2 + 256;
+     p->tokenbuf = jv_mem_realloc(p->tokenbuf, p->tokenlen);
+   }
+@@ -485,7 +485,7 @@ static pfunc check_literal(struct jv_parser* p) {
+     TRY(value(p, v));
+   } else {
+     // FIXME: better parser
+-    p->tokenbuf[p->tokenpos] = 0; // FIXME: invalid
++    p->tokenbuf[p->tokenpos] = 0;
+     char* end = 0;
+     double d = jvp_strtod(&p->dtoa, p->tokenbuf, &end);
+     if (end == 0 || *end != 0)