diff --git a/Fix-CVE-2024-53427.patch b/Fix-CVE-2024-53427.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7210825917f3b005207db9694f5999c27cd53674
--- /dev/null
+++ b/Fix-CVE-2024-53427.patch
@@ -0,0 +1,138 @@
+From ed19fa4a16c2e446bc2ad9746714b7a8aec7c4e8 Mon Sep 17 00:00:00 2001
+ From: itchyny
+ Date: Sun, 16 Feb 2025 22:08:36 +0900
+ Subject: [PATCH 1/2] fix: `jv_number_value` should cache the double value of
+ literal numbers (#3245)
+
+ The code of `jv_number_value` is intended to cache the double value of
+ literal numbers, but it does not work because it accepts the `jv` struct
+ by value. This patch fixes the behavior by checking if the double value
+ is `NaN`, which indicates the unconverted value. This patch improves the
+ performance of major use cases; e.g. `range(1000000)` runs 25% faster.
+ ---
+ src/jv.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+ diff --git a/src/jv.c b/src/jv.c
+ index e23d8ec..9329eae 100644
+ --- a/src/jv.c
+ +++ b/src/jv.c
+ @@ -206,9 +206,6 @@ enum {
+ JVP_NUMBER_DECIMAL = 1
+ };
+
+ -#define JV_NUMBER_SIZE_INIT (0)
+ -#define JV_NUMBER_SIZE_CONVERTED (1)
+ -
+ #define JVP_FLAGS_NUMBER_NATIVE JVP_MAKE_FLAGS(JV_KIND_NUMBER, JVP_MAKE_PFLAGS(JVP_NUMBER_NATIVE, 0))
+ #define JVP_FLAGS_NUMBER_LITERAL JVP_MAKE_FLAGS(JV_KIND_NUMBER, JVP_MAKE_PFLAGS(JVP_NUMBER_DECIMAL, 1))
+
+ @@ -589,8 +586,12 @@ static jv jvp_literal_number_new(const char * literal) {
+ jv_mem_free(n);
+ return JV_INVALID;
+ }
+ + if (decNumberIsNaN(&n->num_decimal)) {
+ + jv_mem_free(n);
+ + return jv_number(NAN);
+ + }
+
+ - jv r = {JVP_FLAGS_NUMBER_LITERAL, 0, 0, JV_NUMBER_SIZE_INIT, {&n->refcnt}};
+ + jv r = {JVP_FLAGS_NUMBER_LITERAL, 0, 0, 0, {&n->refcnt}};
+ return r;
+ }
+
@@ -698,9 +699,8 @@ double jv_number_value(jv j) {
+ if (JVP_HAS_FLAGS(j, JVP_FLAGS_NUMBER_LITERAL)) {
+ jvp_literal_number* n = jvp_literal_number_ptr(j);
+
+ - if (j.size != JV_NUMBER_SIZE_CONVERTED) {
+ + if (isnan(n->num_double)) {
+ n->num_double = jvp_literal_number_to_double(j);
+ - j.size = JV_NUMBER_SIZE_CONVERTED;
+ }
+
+ return n->num_double;
+
@@ -731,7 +731,7 @@ int jvp_number_is_nan(jv n) {
+ return decNumberIsNaN(pdec);
+ }
+ #endif
+ - return n.u.number != n.u.number;
+ + return isnan(n.u.number);
+ }
+
+ int jvp_number_cmp(jv a, jv b) {
+ --
+ 2.43.0
+
+From a09a4dfd55e6c24d04b35062ccfe4509748b1dd3 Mon Sep 17 00:00:00 2001
+From: itchyny
+Date: Wed, 5 Mar 2025 07:43:54 +0900
+Subject: [PATCH] Reject NaN with payload while parsing JSON
+
+This commit drops support for parsing NaN with payload in JSON like
+`NaN123` and fixes CVE-2024-53427. Other JSON extensions like `NaN` and
+`Infinity` are still supported. Fixes #3023, fixes #3196, fixes #3246.
+---
+ src/jv.c | 5 +++++
+ tests/jq.test | 14 ++++++++++----
+ tests/shtest | 7 -------
+ 3 files changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/src/jv.c b/src/jv.c
+index fd6cfcabc3..0fbdcfaa7e 100644
+--- a/src/jv.c
++++ b/src/jv.c
+@@ -585,6 +585,11 @@ static jv jvp_literal_number_new(const char * literal) {
+ return JV_INVALID;
+ }
+ if (decNumberIsNaN(&n->num_decimal)) {
++ // Reject NaN with payload.
++ if (n->num_decimal.digits > 1 || *n->num_decimal.lsu != 0) {
++ jv_mem_free(n);
++ return JV_INVALID;
++ }
+ jv_mem_free(n);
+ return jv_number(NAN);
+ }
+diff --git a/tests/jq.test b/tests/jq.test
+index 2e3c1e8bd7..f5a57b1823 100644
+--- a/tests/jq.test
++++ b/tests/jq.test
+@@ -1938,11 +1938,17 @@ tojson | fromjson
+ {"a":nan}
+ {"a":null}
+
+-# also "nan with payload" #2985
+-fromjson | isnan
+-"nan1234"
++# NaN with payload is not parsed
++.[] | try (fromjson | isnan) catch .
++["NaN","-NaN","NaN1","NaN10","NaN100","NaN1000","NaN10000","NaN100000"]
+ true
+-
++true
++"Invalid numeric literal at EOF at line 1, column 4 (while parsing 'NaN1')"
++"Invalid numeric literal at EOF at line 1, column 5 (while parsing 'NaN10')"
++"Invalid numeric literal at EOF at line 1, column 6 (while parsing 'NaN100')"
++"Invalid numeric literal at EOF at line 1, column 7 (while parsing 'NaN1000')"
++"Invalid numeric literal at EOF at line 1, column 8 (while parsing 'NaN10000')"
++"Invalid numeric literal at EOF at line 1, column 9 (while parsing 'NaN100000')"
+
+ # calling input/0, or debug/0 in a test doesn't crash jq
+
+diff --git a/tests/shtest b/tests/shtest
+index 86e759ba69..72ffc086fd 100755
+--- a/tests/shtest
++++ b/tests/shtest
+@@ -594,11 +594,6 @@
+ exit 1
+ fi
+
+-# CVE-2023-50268: No stack overflow comparing a nan with a large payload
+-$VALGRIND $Q $JQ '1 != .' <<\EOF >/dev/null
+-Nan4000
+-EOF
+-
+ # Allow passing the inline jq script before -- #2919
+ if ! r=$($JQ --args -rn -- '$ARGS.positional[0]' bar) || [ "$r" != bar ]; then
+ echo "passing the inline script after -- didn't work"
diff --git a/jq-1.7.1.tar.gz b/jq-1.7.1.tar.gz
index 158d8d01d8f596f90174659b8ec35b7e03939a55..40718ba6f7ac1e08c8ed93862b4fb0926b446f9b 100644
Binary files a/jq-1.7.1.tar.gz and b/jq-1.7.1.tar.gz differ
diff --git a/jq.spec b/jq.spec
index 16dae8d9f4f8ba8e417c289d213bc07a4fc60a6c..b83426fe1dda532240fee33d595e704f7c6a38be 100644
--- a/jq.spec
+++ b/jq.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 Name: jq
 Version: 1.7.1
 Release: %{anolis_release}%{?dist}
@@ -8,6 +8,9 @@ License: MIT and ASL 2.0 and CC-BY and GPLv3
 URL: https://jqlang.github.io/jq/
 Source0: https://github.com/jqlang/jq/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
+# https://github.com/jqlang/jq/commit/a09a4dfd55e6c24d04b35062ccfe4509748b1dd3
+Patch0: Fix-CVE-2024-53427.patch
+
 BuildRequires: gcc
 BuildRequires: flex
 BuildRequires: bison
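Review bot: Every line of the first embedded commit (ed19fa4a, `[PATCH 1/2]`) appears to carry one extra leading space — `+ From: itchyny`, `+ diff --git a/src/jv.c b/src/jv.c`, `+ --- a/src/jv.c`, `+ @@ -206,9 +206,6 @@` — whereas the second commit's lines (`+From: itchyny`, `+diff --git a/src/jv.c b/src/jv.c`, `+@@ -585,6 +585,11 @@`) do not. If that whitespace is really in the file, `patch`/`git apply` will not recognise the first commit's file and hunk headers and will skip it as preamble, and the second commit's leading context (`if (decNumberIsNaN(&n->num_decimal)) {` … `return jv_number(NAN);`) is exactly the block the first commit adds, so it presumably cannot match the unpatched source and `%autosetup` would fail. Regenerating the file with `git format-patch` for both commits, or stripping the leading space from the first commit's lines, and doing a dry-run apply against the tarball before merging would settle it.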
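Review bot: The comment above `Patch0:` cites only commit a09a4dfd, but `Fix-CVE-2024-53427.patch` also carries commit ed19fa4a (the `jv_number_value` caching change that introduces the `decNumberIsNaN` block in `jvp_literal_number_new`), and the a09a4dfd hunk applies into the context that ed19fa4a adds. Listing both upstream commits keeps the provenance of the backport reviewable, e.g. a second line `# prerequisite: https://github.com/jqlang/jq/commit/ed19fa4a16c2e446bc2ad9746714b7a8aec7c4e8` above the existing URL comment.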
@@ -57,7 +60,7 @@ Doc pages for %{name}
 %prep
-%autosetup -p1 -n %{name}-%{name}-%{version}
+%autosetup -p1 -n %{name}-%{version}
 %build
 autoreconf -fi
@@ -96,6 +99,9 @@ make check
 %{_libdir}/pkgconfig/libjq.pc
 %changelog
+* Fri Mar 28 2025 mgb01105731 - 1.7.1-2
+- Add patch to fix CVE-2024-53427
+
 * Fri Feb 21 2025 Xiaoping Liu - 1.7.1-1
 - update to 1.7.1 from 1.6
 - Remove patches because the changes already exist upstream
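Review bot: The `%autosetup -n` directory changes from `%{name}-%{name}-%{version}` to `%{name}-%{version}` while `jq-1.7.1.tar.gz` is replaced in the same commit (index 158d8d01… → 40718ba6…), which suggests the previously committed tarball was a GitHub tag archive and has been swapped for the release asset named in `Source0`; neither this hunk nor the `%changelog` entry records that substitution or how the new tarball was verified. A source swap bundled into a CVE fix deserves its own audit trail: the new file's checksum should be compared against the upstream release before merging, and the replacement stated explicitly, e.g. an extra changelog line `- Replace source tarball with the upstream release asset` (or an entry in the repository's sources manifest, if one is kept).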