Mail archive
alpine-devel

[alpine-devel] Patching CVE-2016-4074 in jq

From: Ariel Zelivansky <ariel_at_twistlock.com>
Date: Tue, 17 Apr 2018 16:07:23 +0300

Hi,

It has been brought to my attention that the current jq package in alpine
is vulnerable to CVE-2016-4074
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4074>.

The fix for this issue was released a while back on their master branch but
no one packaged it into release. On the project website
<https://stedolan.github.io/jq/> the latest jq release is 1.5, which was
released more than two years ago. It is vulnerable to this CVE.

It is worth mentioning someone on the project GitHub someone released
1.6rc1 last year and it includes the fix for this issue. You might want to
consider packaging this release but I am not very familiar with the jq
release process or found any documentation of it.

The alpine jq package
<https://git.alpinelinux.org/cgit/aports/tree/main/jq/APKBUILD> patches
CVE-2015-8863 so I think it should also patch this issue for the meanwhile.
You can see the correspondence on this issue
<https://github.com/stedolan/jq/issues/1136> and the fix
<https://github.com/stedolan/jq/commit/83e2cf607f3599d208b6b3129092fa7deb2e5292#diff-6bc4fa2c743f03adaf36dcc09acaaba2>
.

Also relevant (from the jq side): https://github.com/stedolan/jq/issues/1406

LMK if there is anything I can do by myself

Thank you,

Ariel Zelivansky
Twistlock Security Researcher



---
Unsubscribe:  alpine-devel+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-devel+help_at_lists.alpinelinux.org
---
Received on Tue Apr 17 2018 - 16:07:23 GMT