diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000000000000000000000000000000000000..c9a618551d7d788cde5f4326178966a3917277e9 --- /dev/null +++ b/.gitattributes @@ -0,0 +1 @@ +*.gz filter=lfs diff=lfs merge=lfs -text diff --git a/.lfsconfig b/.lfsconfig new file mode 100644 index 0000000000000000000000000000000000000000..33ffb855c160651b7eb490542cf00774a914c1c0 --- /dev/null +++ b/.lfsconfig @@ -0,0 +1,2 @@ +[lfs] + url = https://artlfs.openeuler.openatom.cn/src-openEuler/jq diff --git a/CVE-2025-49014.patch b/CVE-2025-49014.patch deleted file mode 100644 index a2c9cf35fc7c3ff2f0f9e3e67c13b3f7d6332f47..0000000000000000000000000000000000000000 --- a/CVE-2025-49014.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 499c91bca9d4d027833bc62787d1bb075c03680e Mon Sep 17 00:00:00 2001 -From: Mattias Wadman -Date: Thu, 19 Jun 2025 00:11:01 +0200 -Subject: [PATCH] Fixes CVE-2025-49014 which was introduced in 1.8.0 - ---- - src/builtin.c | 6 ++++-- - tests/jq.test | 8 ++++++++ - 2 files changed, 12 insertions(+), 2 deletions(-) - -diff --git a/src/builtin.c b/src/builtin.c -index 5787ca852a..52fe77c4f6 100644 ---- a/src/builtin.c -+++ b/src/builtin.c -@@ -1764,6 +1764,7 @@ static jv f_strftime(jq_state *jq, jv a, jv b) { - return ret_error(b, jv_string("strftime/1 requires parsed datetime inputs")); - - const char *fmt = jv_string_value(b); -+ int fmt_not_empty = *fmt != '\0'; - size_t max_size = strlen(fmt) + 100; - char *buf = jv_mem_alloc(max_size); - #ifdef __APPLE__ -@@ -1784,7 +1785,7 @@ static jv f_strftime(jq_state *jq, jv a, jv b) { - #endif - jv_free(b); - /* POSIX doesn't provide errno values for strftime() failures; weird */ -- if ((n == 0 && *fmt) || n > max_size) { -+ if ((n == 0 && fmt_not_empty) || n > max_size) { - free(buf); - return jv_invalid_with_msg(jv_string("strftime/1: unknown system failure")); - } -@@ -1813,12 +1814,13 @@ static jv f_strflocaltime(jq_state *jq, jv a, jv b) { - if (!jv2tm(a, &tm, 1)) - return ret_error(b, jv_string("strflocaltime/1 requires parsed datetime inputs")); - const char *fmt = jv_string_value(b); -+ int fmt_not_empty = *fmt != '\0'; - size_t max_size = strlen(fmt) + 100; - char *buf = jv_mem_alloc(max_size); - size_t n = strftime(buf, max_size, fmt, &tm); - jv_free(b); - /* POSIX doesn't provide errno values for strftime() failures; weird */ -- if ((n == 0 && *fmt) || n > max_size) { -+ if ((n == 0 && fmt_not_empty) || n > max_size) { - free(buf); - return jv_invalid_with_msg(jv_string("strflocaltime/1: unknown system failure")); - } -diff --git a/tests/jq.test b/tests/jq.test -index 55ae09b7e9..4ecf72ffdc 100644 ---- a/tests/jq.test -+++ b/tests/jq.test -@@ -2499,3 +2499,11 @@ foreach .[] as $x (0, 1; . + $x) - 3 - 2 - 4 -+ -+# regression test for CVE-2025-49014 (use of fmt after free) -+# tests with both empty string literal and empty string created by function -+# as they seems to behave referecne wise differently. -+strflocaltime("" | ., @uri) -+0 -+"" -+"" diff --git a/jq-1.8.0.tar.gz b/jq-1.8.0.tar.gz deleted file mode 100644 index 1e270e4f85bb780d879c7d3f43c82aec749fae2d..0000000000000000000000000000000000000000 Binary files a/jq-1.8.0.tar.gz and /dev/null differ diff --git a/jq-1.8.1.tar.gz b/jq-1.8.1.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..271be9c04e7605e0232e81d424954233063230d6 --- /dev/null +++ b/jq-1.8.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2be64e7129cecb11d5906290eba10af694fb9e3e7f9fc208a311dc33ca837eb0 +size 2026798 diff --git a/jq.spec b/jq.spec index 9de7921ed046534524f50bc10038b7f406a240f1..d8da9eae3d97d9da16d0e71ca8dceb25cc5f8f02 100644 --- a/jq.spec +++ b/jq.spec @@ -1,11 +1,10 @@ Name: jq -Version: 1.8.0 -Release: 2 +Version: 1.8.1 +Release: 1 Summary: A lightweight and flexible command-line JSON processor License: MIT AND ICU AND CC-BY-3.0 URL: https://jqlang.org/ Source0: https://github.com/jqlang/jq/releases/download/jq-%{version}/jq-%{version}.tar.gz -Patch0: CVE-2025-49014.patch BuildRequires: make flex bison gcc chrpath oniguruma-devel %ifarch %{valgrind_arches} BuildRequires: valgrind @@ -64,6 +63,9 @@ make check %{_mandir}/man1/jq.1* %changelog +* Wed Jul 02 2025 Funda Wang - 1.8.1-1 +- update to 1.8.1 + * Wed Jun 25 2025 yaoxin <1024769339@qq.com> - 1.8.0-2 - Fix CVE-2025-49014