Re: [alpine-devel] Patching CVE-2016-4074 in jq

From: Leonardo Arena <rnalrd_at_gmail.com>
Date: Tue, 17 Apr 2018 17:01:44 +0200

Hi,

On Tue, Apr 17, 2018 at 3:07 PM, Ariel Zelivansky <ariel_at_twistlock.com>
wrote:

> Hi,
>
> It has been brought to my attention that the current jq package in alpine
> is vulnerable to CVE-2016-4074
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4074>.
>


Thank you for bringing this to our attention. This has now been fixed in
edge. I'll see if it can be backported to stable branches too.


>
> The fix for this issue was released a while back on their master branch
> but no one packaged it into release. On the project website
> <https://stedolan.github.io/jq/> the latest jq release is 1.5, which was
> released more than two years ago. It is vulnerable to this CVE.
>
> It is worth mentioning that someone on the project's GitHub released
> 1.6rc1 last year, and it includes the fix for this issue. You might want to
> consider packaging this release, but I am not very familiar with the jq
> release process, nor have I found any documentation of it.
>
> The alpine jq package
> <https://git.alpinelinux.org/cgit/aports/tree/main/jq/APKBUILD> patches
> CVE-2015-8863, so I think it should also patch this issue in the meantime.
> You can see the correspondence on this issue
> <https://github.com/stedolan/jq/issues/1136> and the fix
> <https://github.com/stedolan/jq/commit/83e2cf607f3599d208b6b3129092fa7deb2e5292#diff-6bc4fa2c743f03adaf36dcc09acaaba2>
> .
>
>
This was fixed in 1.5-r1 package.

Best regards,

/eo
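The practical takeaway from the thread is a version threshold: on Alpine the patched package is jq 1.5-r1, and upstream 1.6rc1 (packaged as 1.6_rc1) also carries the fix. The following is an added example, not code from the thread or from the jq or Alpine projects. It scans constructed `apk info -v` style output (one `name-version` per line) and flags jq packages that sort below the fixed version. The version ordering is a deliberately simplified model of apk's rules (numeric components, one optional `_rc`/`_p` style suffix, then the `-rN` package release) and is an assumption of this example, not apk-tools' own comparison code; the sample package list is constructed, not captured from a real system.

```python
import re

# Pre-release suffixes sort before the bare version, post-release ones after.
# Simplified ranking assumed for this example; apk-tools has its own rules.
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1,
                "cvs": 1, "svn": 1, "git": 1, "hg": 1, "p": 1}

_VERSION_RE = re.compile(
    r"(?P<num>[0-9]+(?:\.[0-9]+)*)"      # 1.5, 1.6, 1.6.0
    r"(?P<suffix>_[a-z]+[0-9]*)?"        # _rc1, _p3 (first suffix only)
    r"(?:-r(?P<rel>[0-9]+))?$"           # Alpine package release, e.g. -r1
)


def parse_apk_version(version):
    """Turn '1.6_rc1-r0' into a tuple that compares in version order.

    Assumption: numeric components, then one optional suffix, then pkgrel.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable apk version: {version!r}")
    numbers = tuple(int(x) for x in m.group("num").split("."))
    rank, suffix_no = 0, 0
    if m.group("suffix"):
        name, digits = re.match(r"_([a-z]+)([0-9]*)", m.group("suffix")).groups()
        if name not in _SUFFIX_RANK:
            raise ValueError(f"unknown version suffix {name!r} in {version!r}")
        rank, suffix_no = _SUFFIX_RANK[name], int(digits or 0)
    pkgrel = int(m.group("rel") or 0)
    return (numbers, rank, suffix_no, pkgrel)


def compare_apk_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    pa, pb = parse_apk_version(a), parse_apk_version(b)
    return (pa > pb) - (pa < pb)


FIXED_JQ_VERSION = "1.5-r1"   # the patched Alpine package named in the thread


def vulnerable_jq_packages(apk_info_output, fixed=FIXED_JQ_VERSION):
    """Scan 'apk info -v' style lines and return the jq packages whose
    version sorts below the fixed one, as (name, version) pairs."""
    found = []
    for line in apk_info_output.splitlines():
        line = line.strip()
        if not line:
            continue
        # The version starts at the first '-' followed by a digit; package
        # names themselves may contain dashes (e.g. py3-something).
        m = re.match(r"(?P<name>.+?)-(?P<ver>[0-9].*)$", line)
        if not m:
            continue
        name, ver = m.group("name"), m.group("ver")
        if name == "jq" and compare_apk_versions(ver, fixed) < 0:
            found.append((name, ver))
    return found


# Constructed sample output, not captured from a real system.
SAMPLE_APK_INFO = """\
musl-1.1.19-r10
jq-1.5-r0
busybox-1.28.2-r0
"""

if __name__ == "__main__":
    for name, ver in vulnerable_jq_packages(SAMPLE_APK_INFO):
        print(f"{name}-{ver} predates {FIXED_JQ_VERSION}: run 'apk upgrade jq'")
```

On a real Alpine host the same threshold can be checked with the tool itself, `apk version -t "$(apk info -v jq | sed 's/^jq-//')" 1.5-r1`, which prints `<` when the installed package is older; the script above is for auditing package lists collected from images offline. Note that 1.5-r1 is the Alpine package release that carries the patch; the same upstream jq 1.5 shipped by another distribution is not covered by that number.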



Received on Tue Apr 17 2018 - 17:01:44 GMT