jq: CVE-2023-50246 CVE-2023-50268

Debian Bug report logs - #1058763
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 15 Dec 2023 19:57:01 UTC

Severity: important

Tags: security, upstream

Found in version jq/1.7-1

Fixed in version jq/1.7.1-1

Done: ChangZhuo Chen (陳昌倬) <czchen@debian.org>

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, ChangZhuo Chen (陳昌倬) <czchen@debian.org>:
Bug#1058763; Package src:jq. (Fri, 15 Dec 2023 19:57:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, ChangZhuo Chen (陳昌倬) <czchen@debian.org>. (Fri, 15 Dec 2023 19:57:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jq: CVE-2023-50246 CVE-2023-50268
Date: Fri, 15 Dec 2023 20:53:01 +0100
Source: jq
Version: 1.7-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for jq.

CVE-2023-50246[0]:
| jq is a command-line JSON processor. Version 1.7 is vulnerable to
| heap-based buffer overflow. Version 1.7.1 contains a patch for this
| issue.


CVE-2023-50268[1]:
| jq is a command-line JSON processor. Version 1.7 is vulnerable to
| stack-based buffer overflow in builds using decNumber. Version 1.7.1
| contains a patch for this issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-50246
    https://www.cve.org/CVERecord?id=CVE-2023-50246
    https://github.com/jqlang/jq/security/advisories/GHSA-686w-5m7m-54vc
[1] https://security-tracker.debian.org/tracker/CVE-2023-50268
    https://www.cve.org/CVERecord?id=CVE-2023-50268
    https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j

Regards,
Salvatore
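
As an added check that is not part of the bug report or of jq's or Debian's own tooling: the two CVE descriptions above say that jq 1.7 is affected and that 1.7.1 carries the fixes, so a fleet audit only needs to classify the version string each host reports. The POSIX sh below does that for the output of `jq --version` (which prints its version as `jq-1.7.1`) and for a Debian package version such as `1.7.1-1`. Two assumptions are made: the `jq-` prefix and any `-<revision>` suffix are stripped before comparing, and releases older than 1.7 are reported as "unknown" rather than "vulnerable", since the advisory text only speaks to 1.7 and 1.7.1.

```shell
#!/bin/sh
# Added example, not from the bug report: classify a jq version string against
# the advisory quoted above. 1.7 is affected by CVE-2023-50246 and
# CVE-2023-50268; 1.7.1 contains the fixes. Other releases are outside what
# the advisory states and are reported as "unknown" (an assumption here).
set -eu

# Strip the "jq-" prefix printed by `jq --version` and any Debian revision
# ("1.7.1-1" -> "1.7.1"). Both forms are assumptions about the input format.
normalize_jq_version() {
    printf '%s\n' "$1" | sed -e 's/^jq-//' -e 's/-.*$//'
}

# Compare two dotted versions component by component. Missing components
# count as 0, so "1.7" equals "1.7.0". Prints -1, 0 or 1.
compare_versions() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in pa) ? pa[i] + 0 : 0
            y = (i in pb) ? pb[i] + 0 : 0
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        print "0"
    }'
}

# fixed:      1.7.1 or newer
# vulnerable: exactly the 1.7 release named in the CVE descriptions
# unknown:    anything older, which the advisory does not cover
classify_jq_version() {
    v=$(normalize_jq_version "$1")
    if [ "$(compare_versions "$v" 1.7.1)" -ge 0 ]; then
        echo fixed
    elif [ "$(compare_versions "$v" 1.7)" -eq 0 ]; then
        echo vulnerable
    else
        echo unknown
    fi
}

# Report on the jq binary found on PATH, if any.
check_installed_jq() {
    if ! command -v jq >/dev/null 2>&1; then
        echo "jq not installed"
        return 0
    fi
    ver=$(jq --version 2>/dev/null) || ver=""
    printf '%s: %s\n' "${ver:-unknown}" "$(classify_jq_version "$ver")"
}

check_installed_jq
```

On a Debian host the package version is the better input, since it also reflects a backported fix that the upstream version string would not show: `classify_jq_version "$(dpkg-query -W -f='${Version}' jq)"`.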



Reply sent to ChangZhuo Chen (陳昌倬) <czchen@debian.org>:
You have taken responsibility. (Fri, 15 Dec 2023 21:09:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 15 Dec 2023 21:09:06 GMT)


Message #10 received at 1058763-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1058763-close@bugs.debian.org
Subject: Bug#1058763: fixed in jq 1.7.1-1
Date: Fri, 15 Dec 2023 21:05:14 +0000
Source: jq
Source-Version: 1.7.1-1
Done: ChangZhuo Chen (陳昌倬) <czchen@debian.org>

We believe that the bug you reported is fixed in the latest version of
jq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1058763@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
ChangZhuo Chen (陳昌倬) <czchen@debian.org> (supplier of updated jq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 16 Dec 2023 04:35:42 +0800
Source: jq
Architecture: source
Version: 1.7.1-1
Distribution: unstable
Urgency: high
Maintainer: ChangZhuo Chen (陳昌倬) <czchen@debian.org>
Changed-By: ChangZhuo Chen (陳昌倬) <czchen@debian.org>
Closes: 1058763
Changes:
 jq (1.7.1-1) unstable; urgency=high
 .
   * New upstream release. (Closes: #1058763)
     * Fix CVE-2023-50246, CVE-2023-50268.
   * Remove unused patch.
Checksums-Sha1:
 ee1ad84ee0ca383940f2d77bf9d7135b01ac0fba 2009 jq_1.7.1-1.dsc
 b84066c8abfda37b1eff2d4f9bc2187951e281e2 1323338 jq_1.7.1.orig.tar.gz
 c12fec78ce6b665ee9a7172405411603a5ce67b1 13792 jq_1.7.1-1.debian.tar.xz
 5c7cb5eebcad58022c970aac6275283884adabb9 7717 jq_1.7.1-1_amd64.buildinfo
Checksums-Sha256:
 8bffbcc9ccae2fe405ce05b4efe4607422f7b748cc50dd2fc2a0ca984af23f09 2009 jq_1.7.1-1.dsc
 fc75b1824aba7a954ef0886371d951c3bf4b6e0a921d1aefc553f309702d6ed1 1323338 jq_1.7.1.orig.tar.gz
 d4b0c7cce9463e7511fb89846e28c98c164289fe5e12765f40a58574bf27b300 13792 jq_1.7.1-1.debian.tar.xz
 5949328fefe5b50db4748ebeff5e83addfeac80610c99ddde2b40a40283ca47c 7717 jq_1.7.1-1_amd64.buildinfo
Files:
 55f854ad0023edd16d8f76daa6bbafb8 2009 utils optional jq_1.7.1-1.dsc
 6298967cd176a8e9f3e83b98f42295b6 1323338 utils optional jq_1.7.1.orig.tar.gz
 d85e4e71ed9250f05db7d8f780f7e39a 13792 utils optional jq_1.7.1-1.debian.tar.xz
 75cee463f0f36e25591e9e95af4119b0 7717 utils optional jq_1.7.1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
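
The Checksums-Sha256 stanza in the .changes above is what a downstream consumer compares its copies of jq_1.7.1-1.dsc, jq_1.7.1.orig.tar.gz and jq_1.7.1-1.debian.tar.xz against. The POSIX sh below is an added example, not part of the bug report or of Debian's own tooling: it parses that stanza out of a .changes file and checks the size and SHA-256 of every listed file found in a directory, reporting missing or altered files. The .changes text and the files it runs on are constructed inline for the demonstration (the demo_* names are hypothetical); the hashes of the real jq 1.7.1-1 upload are the ones printed in the message above.

```shell
#!/bin/sh
# Added example, not from the bug report: verify local files against the
# Checksums-Sha256 stanza of a Debian .changes file. The data at the bottom
# is constructed for the demo and is not the real jq upload.
set -eu

# Print "<sha256> <size> <name>" for each entry of the Checksums-Sha256
# stanza. Stanza lines are indented by one space; the next unindented
# field header (e.g. "Files:") ends the stanza.
extract_sha256_stanza() {
    awk '
        /^Checksums-Sha256:/ { inside = 1; next }
        inside && /^ /       { print $1, $2, $3; next }
        inside               { exit }
    ' "$1"
}

# SHA-256 of a file, using GNU coreutils or the Perl shasum fallback.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Byte size of a file (tr strips the padding BSD wc prints).
size_of() {
    wc -c < "$1" | tr -d ' '
}

# verify_changes <changes-file> <directory>
# One line per listed file: OK, MISSING, SIZE-MISMATCH or HASH-MISMATCH.
# Returns 0 only when every listed file is present and matches. The loop
# reads from a here-document so that the failure counter survives it.
verify_changes() {
    changes=$1; dir=$2; failures=0
    while read -r want_hash want_size name; do
        [ -n "$name" ] || continue
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            printf '%-14s %s\n' MISSING "$name"; failures=$((failures + 1))
        elif [ "$(size_of "$path")" != "$want_size" ]; then
            printf '%-14s %s\n' SIZE-MISMATCH "$name"; failures=$((failures + 1))
        elif [ "$(sha256_of "$path")" != "$want_hash" ]; then
            printf '%-14s %s\n' HASH-MISMATCH "$name"; failures=$((failures + 1))
        else
            printf '%-14s %s\n' OK "$name"
        fi
    done <<EOF
$(extract_sha256_stanza "$changes")
EOF
    [ "$failures" -eq 0 ]
}

# Demo on constructed data: a correct entry for the first file, a deliberately
# wrong hash for the second, and a third file that is listed but absent.
demo() {
    d=$(mktemp -d)
    printf 'not the real tarball\n' > "$d/demo_1.0.orig.tar.gz"
    printf 'debian dir\n' > "$d/demo_1.0-1.debian.tar.xz"
    cat > "$d/demo.changes" <<EOF
Format: 1.8
Source: demo
Checksums-Sha256:
 $(sha256_of "$d/demo_1.0.orig.tar.gz") $(size_of "$d/demo_1.0.orig.tar.gz") demo_1.0.orig.tar.gz
 0000000000000000000000000000000000000000000000000000000000000000 11 demo_1.0-1.debian.tar.xz
 0000000000000000000000000000000000000000000000000000000000000000 2009 demo_1.0-1.dsc
Files:
 00000000000000000000000000000000 21 utils optional demo_1.0.orig.tar.gz
EOF
    verify_changes "$d/demo.changes" "$d" || echo "verification FAILED"
    rm -rf "$d"
}

demo
```

Matching checksums show that the files are the ones the uploader described, not that the description itself is genuine: that assurance comes from the PGP signature wrapped around the .changes (its body is not preserved in this copy of the report). `dscverify` from devscripts checks that signature against the Debian keyrings and then compares the same checksums, so the script above is only the second half of what it does.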




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Dec 16 08:18:20 2023; Machine Name: buxtehude
