jq: CVE-2016-4074: Stack exhaustion parsing a JSON file

Related Vulnerabilities: CVE-2016-4074, CVE-2015-8863

Debian Bug report logs - #822456

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 24 Apr 2016 17:27:02 UTC

Severity: normal

Tags: security, upstream

Found in version jq/1.4-2.1

Fixed in version jq/1.5+dfsg-1.1

Done: Harlan Lieberman-Berg <hlieberman@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Simon Elsbrock <simon@iodev.org>:
Bug#822456; Package src:jq. (Sun, 24 Apr 2016 17:27:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Simon Elsbrock <simon@iodev.org>. (Sun, 24 Apr 2016 17:27:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jq: CVE-2016-4074: Stack exhaustion parsing a JSON file
Date: Sun, 24 Apr 2016 19:25:01 +0200
Source: jq
Version: 1.4-2.1
Severity: normal
Tags: security upstream

Hi,

the following vulnerability was published for jq.

CVE-2016-4074[0]:
Stack exhaustion parsing a JSON file

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-4074
[1] https://github.com/stedolan/jq/issues/1136

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Simon Elsbrock <simon@iodev.org>:
Bug#822456; Package src:jq. (Mon, 03 Oct 2016 17:51:05 GMT)


Acknowledgement sent to Nicholas Luedtke <nicholas.luedtke@hpe.com>:
Extra info received and forwarded to list. Copy sent to Simon Elsbrock <simon@iodev.org>. (Mon, 03 Oct 2016 17:51:05 GMT)


Message #10 received at 822456@bugs.debian.org:

From: Nicholas Luedtke <nicholas.luedtke@hpe.com>
To: 822456@bugs.debian.org
Subject: jq: CVE-2016-4074: Stack exhaustion parsing a JSON file
Date: Mon, 3 Oct 2016 11:47:43 -0600
Maintainer,

Upstream hasn't had a release in over a year, any thoughts on applying a
patch for this CVE? Thanks.

-- 
Nicholas Luedtke
HPE Linux Security, Hewlett-Packard Enterprise


Information forwarded to debian-bugs-dist@lists.debian.org, Simon Elsbrock <simon@iodev.org>:
Bug#822456; Package src:jq. (Mon, 03 Oct 2016 18:57:04 GMT)


Acknowledgement sent to Nicholas Luedtke <nicholas.luedtke@hpe.com>:
Extra info received and forwarded to list. Copy sent to Simon Elsbrock <simon@iodev.org>. (Mon, 03 Oct 2016 18:57:04 GMT)


Message #15 received at 822456@bugs.debian.org:

From: Nicholas Luedtke <nicholas.luedtke@hpe.com>
To: <822456@bugs.debian.org>
Subject: jq: CVE-2016-4074: Stack exhaustion parsing a JSON file
Date: Mon, 3 Oct 2016 11:18:51 -0600
Maintainer,

Upstream hasn't had a release in over a year, any thoughts on applying a
patch for this CVE? Thanks.

-- 
Nicholas Luedtke
HPE Linux, Hewlett-Packard Enterprise


Reply sent to Harlan Lieberman-Berg <hlieberman@debian.org>:
You have taken responsibility. (Wed, 16 Nov 2016 01:42:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 16 Nov 2016 01:42:06 GMT)


Message #20 received at 822456-close@bugs.debian.org:

From: Harlan Lieberman-Berg <hlieberman@debian.org>
To: 822456-close@bugs.debian.org
Subject: Bug#822456: fixed in jq 1.5+dfsg-1.1
Date: Wed, 16 Nov 2016 01:38:21 +0000
Source: jq
Source-Version: 1.5+dfsg-1.1

We believe that the bug you reported is fixed in the latest version of
jq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 822456@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Harlan Lieberman-Berg <hlieberman@debian.org> (supplier of updated jq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 13 Nov 2016 19:48:02 -0500
Source: jq
Binary: jq
Architecture: source amd64
Version: 1.5+dfsg-1.1
Distribution: unstable
Urgency: medium
Maintainer: Simon Elsbrock <simon@iodev.org>
Changed-By: Harlan Lieberman-Berg <hlieberman@debian.org>
Description:
 jq         - lightweight and flexible command-line JSON processor
Closes: 802231 822456
Changes:
 jq (1.5+dfsg-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Apply patch to fix CVE-2016-4074 (Closes: #822456)
   * Apply patch to fix CVE-2015-8863 (Closes: #802231)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Dec 2016 08:49:22 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:16:46 2019; Machine Name: buxtehude