[alpine-devel] Patching CVE-2016-4074 in jq

Ariel Zelivansky
Message ID: <CAMgJUL2X6tTPDJZSnciPOgL9g4p1ix1FxeqPsWniVytO9ctnow@mail.gmail.com>
Sender timestamp: 1523970443
DKIM signature: missing

Hi,

It has been brought to my attention that the current jq package in Alpine
is vulnerable to CVE-2016-4074
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4074>.

The fix for this issue was released a while back on their master branch but
no one packaged it into a release. On the project website
<https://stedolan.github.io/jq/> the latest jq release is 1.5, which was
released more than two years ago. It is vulnerable to this CVE.

It is worth mentioning that someone on the project GitHub released
1.6rc1 last year and it includes the fix for this issue. You might want to
consider packaging this release but I am not very familiar with the jq
release process, nor have I found any documentation of it.

The Alpine jq package
<https://git.alpinelinux.org/cgit/aports/tree/main/jq/APKBUILD> patches
CVE-2015-8863 so I think it should also patch this issue in the meantime.
You can see the correspondence on this issue
<https://github.com/stedolan/jq/issues/1136> and the fix
<https://github.com/stedolan/jq/commit/83e2cf607f3599d208b6b3129092fa7deb2e5292#diff-6bc4fa2c743f03adaf36dcc09acaaba2>.

Also relevant (from the jq side): https://github.com/stedolan/jq/issues/1406

LMK if there is anything I can do by myself

Thank you,

Ariel Zelivansky
Twistlock Security Researcher

Leonardo Arena
Message ID: <CAGG_d8BsZQ1O5A2-ARmX4VjZGiMBVGMH2-475+rz_7YnXoAeuQ@mail.gmail.com>
In-Reply-To: <CAMgJUL2X6tTPDJZSnciPOgL9g4p1ix1FxeqPsWniVytO9ctnow@mail.gmail.com>
Sender timestamp: 1523977304
DKIM signature: missing

Hi,

On Tue, Apr 17, 2018 at 3:07 PM, Ariel Zelivansky <ariel@twistlock.com>
wrote:

> Hi,
>
> It has been brought to my attention that the current jq package in Alpine
> is vulnerable to CVE-2016-4074
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4074>.
>


Thank you for bringing this to our attention. This has now been fixed in
edge. I'll see if it can be backported to stable branches too.


>
> The fix for this issue was released a while back on their master branch
> but no one packaged it into a release. On the project website
> <https://stedolan.github.io/jq/> the latest jq release is 1.5, which was
> released more than two years ago. It is vulnerable to this CVE.
>
> It is worth mentioning that someone on the project GitHub released
> 1.6rc1 last year and it includes the fix for this issue. You might want to
> consider packaging this release but I am not very familiar with the jq
> release process, nor have I found any documentation of it.
>
> The Alpine jq package
> <https://git.alpinelinux.org/cgit/aports/tree/main/jq/APKBUILD> patches
> CVE-2015-8863 so I think it should also patch this issue in the meantime.
> You can see the correspondence on this issue
> <https://github.com/stedolan/jq/issues/1136> and the fix
> <https://github.com/stedolan/jq/commit/83e2cf607f3599d208b6b3129092fa7deb2e5292#diff-6bc4fa2c743f03adaf36dcc09acaaba2>.
>
>
This was fixed in the 1.5-r1 package.

Best regards,

/eo