From: Leonardo Arena
Date: Tue, 17 Apr 2018 17:01:44 +0200
Subject: Re: [alpine-devel] Patching CVE-2016-4074 in jq
To: Ariel Zelivansky <ariel@twistlock.com>
Cc: Alpine-devel <alpine-devel@lists.alpinelinux.org>

Hi,

On Tue, Apr 17, 2018 at 3:07 PM, Ariel Zelivansky <ariel@twistlock.com> wrote:
> Hi,
>
> It has been brought to my attention that the current jq package in alpine
> is vulnerable to CVE-2016-4074.

Thank you for bringing this to our attention. This has now been fixed in edge. I'll see if it can be backported to stable branches too.

> The fix for this issue was released a while back on their master branch
> but no one packaged it into release. On the project website
> the latest jq release is 1.5, which was
> released more than two years ago. It is vulnerable to this CVE.
>
> It is worth mentioning someone on the project GitHub released
> 1.6rc1 last year and it includes the fix for this issue. You might want to
> consider packaging this release but I am not very familiar with the jq
> release process or found any documentation of it.
>
> The alpine jq package
> patches
> CVE-2015-8863 so I think it should also patch this issue for the meanwhile.
> You can see the correspondence on this issue
> and the fix.

This was fixed in the 1.5-r1 package.

Best regards,
/eo