jq: CVE-2015-8863: Heap buffer overflow in tokenadd()

Related Vulnerabilities: CVE-2015-8863   CVE-2016-4074  

Debian Bug report logs - #802231

Package: jq; Maintainer for jq is ChangZhuo Chen (陳昌倬) <czchen@debian.org>; Source for jq is src:jq (PTS, buildd, popcon).

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Sun, 18 Oct 2015 16:06:02 UTC

Severity: normal

Tags: fixed-upstream, security, upstream

Found in versions jq/1.5+dfsg-1, jq/1.4-2.1

Fixed in version jq/1.5+dfsg-1.1

Done: Harlan Lieberman-Berg <hlieberman@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/stedolan/jq/issues/995


Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Simon Elsbrock <simon@iodev.org>:
Bug#802231; Package jq. (Sun, 18 Oct 2015 16:06:06 GMT) (full text, mbox, link).


Message #3 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jq: buffer overflow in check_literal()
Date: Sun, 18 Oct 2015 18:02:56 +0200
Package: jq
Version: 1.5+dfsg-1
Usertags: afl

There's a heap-based buffer overflow in check_literal():

$ valgrind jq . overflow.json
==2609== Memcheck, a memory error detector
==2609== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==2609== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==2609== Command: jq . overflow.json
==2609==
==2609== Invalid write of size 1
==2609==    at 0x12D76B: check_literal (jv_parse.c:488)
==2609==    by 0x12E930: jv_parser_next (jv_parse.c:782)
==2609==    by 0x14072C: jq_util_input_next_input (util.c:444)
==2609==    by 0x10D3C9: main (main.c:527)
==2609==  Address 0x4b7c5e8 is 0 bytes after a block of size 256 alloc'd
==2609==    at 0x482A1DC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2609==    by 0x482C3D0: realloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2609==    by 0x13B375: jv_mem_realloc (jv_alloc.c:162)
==2609==    by 0x12D238: tokenadd (jv_parse.c:388)
==2609==    by 0x12E058: scan (jv_parse.c:626)
==2609==    by 0x12E641: jv_parser_next (jv_parse.c:743)
==2609==    by 0x14072C: jq_util_input_next_input (util.c:444)
==2609==    by 0x10D3C9: main (main.c:527)
...

(Note that I rebuilt the package with noopt to make the backtrace more 
useful.)

This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/


-- System Information:
Debian Release: stretch/sid
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 4.2.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages jq depends on:
ii  libc6     2.19-22
ii  libonig2  5.9.6-1

-- 
Jakub Wilk
[overflow.json (application/json, attachment)]
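Added illustration, not jq's own code: a model of the bug shape the Memcheck trace above points at (a one-byte write landing 0 bytes past a 256-byte block that realloc last grew in tokenadd(), performed from check_literal() when the token is terminated in place). The token-buffer struct and the two growth policies are assumptions made for illustration; the hardened policy keeps one byte of slack so the in-place terminator always has room, and the code only checks bounds rather than performing the bad write.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical token buffer: bytes are appended one at a time, storage
 * grows by realloc (256 bytes, then doubling) and the token is later
 * NUL-terminated in place at buf[pos]. */
struct tokbuf { char *buf; size_t pos; size_t cap; };

/* Vulnerable shape (assumed): grow only when the buffer is exactly full.
 * After 256 appends pos == cap == 256, so a terminator write at buf[pos]
 * would land 0 bytes past the block, matching the Memcheck report. */
static bool grow_when_full(size_t pos, size_t cap) { return pos == cap; }

/* Hardened shape: grow while fewer than two bytes of slack remain, so
 * buf[pos] is always inside the allocation after any append. */
static bool grow_keep_slack(size_t pos, size_t cap) {
  return cap == 0 || pos >= cap - 1;
}

/* Append one byte under the given growth policy; false on allocation failure. */
static bool tok_add(struct tokbuf *t, char c, bool (*need_grow)(size_t, size_t)) {
  if (need_grow(t->pos, t->cap)) {
    size_t ncap = t->cap == 0 ? 256 : t->cap * 2;
    char *n = realloc(t->buf, ncap);
    if (!n) return false;
    t->buf = n;
    t->cap = ncap;
  }
  t->buf[t->pos++] = c;
  return true;
}

/* The bounds check an in-place terminator write needs: is buf[pos] inside
 * the block? A sound growth policy must make this true after every append. */
static bool tok_terminate_fits(const struct tokbuf *t) { return t->pos < t->cap; }

/* Append n digit bytes (a constructed numeric literal) from an empty buffer
 * and report whether the terminator write would stay in bounds. */
static bool simulate(size_t n, bool (*need_grow)(size_t, size_t)) {
  struct tokbuf t = {0};
  for (size_t i = 0; i < n; i++) {
    if (!tok_add(&t, '1', need_grow)) { free(t.buf); return false; }
  }
  bool ok = tok_terminate_fits(&t);
  free(t.buf);
  return ok;
}

bool vulnerable_policy_fits(size_t n) { return simulate(n, grow_when_full); }
bool hardened_policy_fits(size_t n)   { return simulate(n, grow_keep_slack); }
```

A 256-byte literal is the first length at which the grow-when-full policy leaves no room for the terminator, which is why ASan or Memcheck builds of a fuzz harness catch this class of off-by-one as soon as the input crosses the initial allocation size.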

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#802231; Package jq. (Sun, 18 Oct 2015 17:09:12 GMT) (full text, mbox, link).


Acknowledgement sent to Simon Elsbrock <simon@iodev.org>:
Extra info received and forwarded to list. (Sun, 18 Oct 2015 17:09:12 GMT) (full text, mbox, link).


Message #8 received at submit@bugs.debian.org (full text, mbox, reply):

From: Simon Elsbrock <simon@iodev.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#802231: jq: buffer overflow in check_literal()
Date: Sun, 18 Oct 2015 19:07:33 +0200
forwarded 802231 https://github.com/stedolan/jq/issues/995
thanks



Set Bug forwarded-to-address to 'https://github.com/stedolan/jq/issues/995'. Request was from Simon Elsbrock <simon@iodev.org> to control@bugs.debian.org. (Sun, 18 Oct 2015 17:15:04 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 26 Oct 2015 16:51:14 GMT) (full text, mbox, link).


Added tag(s) security and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 20 Apr 2016 06:39:03 GMT) (full text, mbox, link).


Marked as found in versions jq/1.4-2.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 23 Apr 2016 06:33:04 GMT) (full text, mbox, link).


Changed Bug title to 'jq: CVE-2015-8863: Heap buffer overflow in tokenadd()' from 'jq: buffer overflow in check_literal()'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 23 Apr 2016 14:24:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Simon Elsbrock <simon@iodev.org>:
Bug#802231; Package jq. (Tue, 02 Aug 2016 02:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Harlan Lieberman-Berg <hlieberman@debian.org>:
Extra info received and forwarded to list. Copy sent to Simon Elsbrock <simon@iodev.org>. (Tue, 02 Aug 2016 02:39:03 GMT) (full text, mbox, link).


Message #23 received at 802231@bugs.debian.org (full text, mbox, reply):

From: Harlan Lieberman-Berg <hlieberman@debian.org>
To: 802231@bugs.debian.org
Subject: jq: CVE-2015-8863
Date: Mon, 01 Aug 2016 22:35:56 -0400
Hello Simon,

Is there any possibility of shipping the patch for CVE-2015-8863 out of
a release cycle?  Upstream seems to be going through a period of
idleness, but I'd really like to see the fix in.

Thanks!
-- 
Harlan Lieberman-Berg
~hlieberman



Information forwarded to debian-bugs-dist@lists.debian.org, Simon Elsbrock <simon@iodev.org>:
Bug#802231; Package jq. (Mon, 03 Oct 2016 17:54:02 GMT) (full text, mbox, link).


Acknowledgement sent to Nicholas Luedtke <nicholas.luedtke@hpe.com>:
Extra info received and forwarded to list. Copy sent to Simon Elsbrock <simon@iodev.org>. (Mon, 03 Oct 2016 17:54:02 GMT) (full text, mbox, link).


Message #28 received at 802231@bugs.debian.org (full text, mbox, reply):

From: Nicholas Luedtke <nicholas.luedtke@hpe.com>
To: 802231@bugs.debian.org
Subject: jq: CVE-2015-8863: Heap buffer overflow in tokenadd()
Date: Mon, 3 Oct 2016 11:46:52 -0600
Maintainer,

Upstream hasn't had a release in over a year, any thoughts to applying a
patch for this CVE? Thanks.

-- 
Nicholas Luedtke
HPE Linux Security, Hewlett-Packard Enterprise

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Simon Elsbrock <simon@iodev.org>:
Bug#802231; Package jq. (Mon, 03 Oct 2016 17:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Nicholas Luedtke <nicholas.luedtke@hpe.com>:
Extra info received and forwarded to list. Copy sent to Simon Elsbrock <simon@iodev.org>. (Mon, 03 Oct 2016 17:57:03 GMT) (full text, mbox, link).


Message #33 received at 802231@bugs.debian.org (full text, mbox, reply):

From: Nicholas Luedtke <nicholas.luedtke@hpe.com>
To: <802231@bugs.debian.org>
Subject: jq: CVE-2015-8863: Heap buffer overflow in tokenadd()
Date: Mon, 3 Oct 2016 11:21:05 -0600
Maintainer,

Upstream hasn't had a release in over a year, any thoughts to applying a
patch for this CVE? Thanks.

-- 
Nicholas Luedtke
HPE Linux, Hewlett-Packard Enterprise


[signature.asc (application/pgp-signature, attachment)]

Reply sent to Harlan Lieberman-Berg <hlieberman@debian.org>:
You have taken responsibility. (Wed, 16 Nov 2016 01:42:03 GMT) (full text, mbox, link).


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Wed, 16 Nov 2016 01:42:03 GMT) (full text, mbox, link).


Message #38 received at 802231-close@bugs.debian.org (full text, mbox, reply):

From: Harlan Lieberman-Berg <hlieberman@debian.org>
To: 802231-close@bugs.debian.org
Subject: Bug#802231: fixed in jq 1.5+dfsg-1.1
Date: Wed, 16 Nov 2016 01:38:21 +0000
Source: jq
Source-Version: 1.5+dfsg-1.1

We believe that the bug you reported is fixed in the latest version of
jq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 802231@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Harlan Lieberman-Berg <hlieberman@debian.org> (supplier of updated jq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 13 Nov 2016 19:48:02 -0500
Source: jq
Binary: jq
Architecture: source amd64
Version: 1.5+dfsg-1.1
Distribution: unstable
Urgency: medium
Maintainer: Simon Elsbrock <simon@iodev.org>
Changed-By: Harlan Lieberman-Berg <hlieberman@debian.org>
Description:
 jq         - lightweight and flexible command-line JSON processor
Closes: 802231 822456
Changes:
 jq (1.5+dfsg-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Apply patch to fix CVE-2016-4074 (Closes: #822456)
   * Apply patch to fix CVE-2015-8863 (Closes: #802231)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Dec 2016 08:09:18 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:11:35 2019; Machine Name: buxtehude
