X-Original-To: alpine-devel@lists.alpinelinux.org
Received: from mail-it0-f47.google.com (mail-it0-f47.google.com [209.85.214.47])
	by lists.alpinelinux.org (Postfix) with ESMTP id AC6085C5EA5
	for <alpine-devel@lists.alpinelinux.org>; Tue, 17 Apr 2018 13:07:24 +0000 (GMT)
Received: by mail-it0-f47.google.com with SMTP id u62-v6so16062554ita.5
        for <alpine-devel@lists.alpinelinux.org>; Tue, 17 Apr 2018 06:07:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=twistlock.com; s=google;
        h=mime-version:from:date:message-id:subject:to;
        bh=G1fz46JmCrCchsUPPxNR2HL6EGKmViTrSa+oOSWmkT8=;
        b=XoTSP0nb98MNXkZ53hh5/hXllmpSj6zcllXP58lnmzBWAVrFwMNIc/BsAr910i6Gkj
         0CvRZh+yG6svr9OVKHgN0xNPJnppHPvEPaOTJ8UuDpmEswO0auMM0RCoIAb8533da0+W
         eIRZC6mHChexcCt11f+2MqGG4LTLOSApp8Q34=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=G1fz46JmCrCchsUPPxNR2HL6EGKmViTrSa+oOSWmkT8=;
        b=BTYLPYSQmJWfEK0Hzc4DlxzUFwjjT2JQ/muG5oOtkDggpGIcNAxddCSVmF/H79HBN2
         dxkFSONznLUD/Kd8drYqCTJbunSqdKg4SpCqnJDtBcfWXf+Ko1Z/cy7tB7Zcf1ApKt97
         XmdeJIxWhmtMWGlBAMGAwhyDuWpoMcY0eUSTbLoiasRZ1Xge8yEQCmCk48Wavra1+dWP
         2H7uvmt13bE7El1HRNQGtzh2xpZUTROldjD+NvA4NaNIJhCUGz+C18VhrXAFOODkHez0
         3PTVbJHcfVQwf1kODfSfAKA67OW4Hh3Dfk0vpF1slJpyLIOl0J5GGvrqKf55BFQfaEGX
         F9hw==
X-Gm-Message-State: ALQs6tB2EJ79GQ+tuklp87Vd4gLUF1ZLY0lucBNtGb5oDYcnCtuUAZtJ
	+JKrA/dL8HQjHvcrRLhZAhkvC/quvA6I+4etEx/bH6CcLA4=
X-Google-Smtp-Source: AIpwx4912XkMFroMkjpbE6ryc7QGROOHgipy/Kich3iqmiyp+1TSmiKKUzNzBBlyUJO18z7gjyNnAGRv5ZWERIxJyLw=
X-Received: by 2002:a24:468a:: with SMTP id j132-v6mr1039075itb.23.1523970443865;
 Tue, 17 Apr 2018 06:07:23 -0700 (PDT)
X-Mailinglist: alpine-devel
Precedence: list
List-Id: Alpine Development <alpine-devel.lists.alpinelinux.org>
List-Unsubscribe: 
	<mailto:alpine-devel+unsubscribe@lists.alpinelinux.org?subject=unsubscribe>
List-Post: <mailto:alpine-devel@lists.alpinelinux.org>
List-Help: <mailto:alpine-devel+help@lists.alpinelinux.org?subject=help>
List-Subscribe: 
	<mailto:alpine-devel+subscribe@lists.alpinelinux.org?subject=subscribe>
MIME-Version: 1.0
Received: by 2002:a4f:90c3:0:0:0:0:0 with HTTP; Tue, 17 Apr 2018 06:07:23
 -0700 (PDT)
From: Ariel Zelivansky <ariel@twistlock.com>
Date: Tue, 17 Apr 2018 16:07:23 +0300
Message-ID: <CAMgJUL2X6tTPDJZSnciPOgL9g4p1ix1FxeqPsWniVytO9ctnow@mail.gmail.com>
Subject: [alpine-devel] Patching CVE-2016-4074 in jq
To: alpine-devel@lists.alpinelinux.org
Content-Type: multipart/alternative; boundary="000000000000f48b51056a0b04c4"

--000000000000f48b51056a0b04c4
Content-Type: text/plain; charset="UTF-8"

Hi,

It has been brought to my attention that the current jq package in alpine
is vulnerable to CVE-2016-4074
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4074>.

The fix for this issue was released a while back on their master branch but
no one packaged it into release. On the project website
<https://stedolan.github.io/jq/> the latest jq release is 1.5, which was
released more than two years ago. It is vulnerable to this CVE.

It is worth mentioning someone on the project GitHub someone released
1.6rc1 last year and it includes the fix for this issue. You might want to
consider packaging this release but I am not very familiar with the jq
release process or found any documentation of it.

The alpine jq package
<https://git.alpinelinux.org/cgit/aports/tree/main/jq/APKBUILD> patches
CVE-2015-8863 so I think it should also patch this issue for the meanwhile.
You can see the correspondence on this issue
<https://github.com/stedolan/jq/issues/1136> and the fix
<https://github.com/stedolan/jq/commit/83e2cf607f3599d208b6b3129092fa7deb2e5292#diff-6bc4fa2c743f03adaf36dcc09acaaba2>
.

Also relevant (from the jq side): https://github.com/stedolan/jq/issues/1406

LMK if there is anything I can do by myself

Thank you,

Ariel Zelivansky
Twistlock Security Researcher

--000000000000f48b51056a0b04c4
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi,<div><br></div><div>It has been brought to my attention=
 that the current jq package in alpine is vulnerable to=C2=A0<a href=3D"htt=
ps://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-4074">CVE-2016-4074<=
/a>.</div><div><br></div><div>The fix for this issue was released a while b=
ack on their master branch but no one packaged it into release. On the <a h=
ref=3D"https://stedolan.github.io/jq/">project website</a>=C2=A0the latest =
jq release is 1.5, which was released more than two years ago. It is vulner=
able to this CVE.</div><div><br></div><div>It is worth mentioning someone o=
n the project GitHub someone released 1.6rc1 last year and it includes the =
fix for this issue. You might want to consider packaging this release but I=
 am not very familiar with the jq release process or found any documentatio=
n of it.</div><div><br></div><div>The alpine <a href=3D"https://git.alpinel=
inux.org/cgit/aports/tree/main/jq/APKBUILD">jq package</a>=C2=A0patches CVE=
-2015-8863 so I think it should also patch this issue for the meanwhile. Yo=
u can see the=C2=A0<a href=3D"https://github.com/stedolan/jq/issues/1136">c=
orrespondence on this issue</a> and <a href=3D"https://github.com/stedolan/=
jq/commit/83e2cf607f3599d208b6b3129092fa7deb2e5292#diff-6bc4fa2c743f03adaf3=
6dcc09acaaba2">the fix</a>.</div><div><br></div><div>Also relevant (from th=
e jq side):=C2=A0<a href=3D"https://github.com/stedolan/jq/issues/1406">htt=
ps://github.com/stedolan/jq/issues/1406</a></div><div><br></div><div>LMK if=
 there is anything I can do by myself</div><div><br></div><div>Thank you,</=
div><div><br></div><div>Ariel Zelivansky</div><div>Twistlock Security Resea=
rcher</div></div>

--000000000000f48b51056a0b04c4--


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---