Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 636382 (CVE-2016-4074) - app-misc/jq: Denial of Service vulnerability (CVE-2016-4074)
Summary: app-misc/jq: Denial of Service vulnerability (CVE-2016-4074)
Status: RESOLVED FIXED
Alias: CVE-2016-4074
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-03 14:38 UTC by GLSAMaker/CVETool Bot
Modified: 2020-04-16 06:40 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-11-03 14:38:34 UTC 
CVE-2016-4074 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4074):
  The jv_dump_term function in jq 1.5 allows remote attackers to cause a
  denial of service (stack consumption and application crash) via a crafted
  JSON file.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-03 14:39:23 UTC 
@Maintainer please confirm if we are affected by this vulnerability.

Thank you
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-16 02:22:22 UTC 
Bug: https://github.com/stedolan/jq/issues/1136

Patch: https://github.com/stedolan/jq/commit/83e2cf607f3599d208b6b3129092fa7deb2e5292

@maintainer(s), please drop the old affected version.
Comment 3 Larry the Git Cow gentoo-dev 2020-03-17 18:13:35 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa9d3e38d6d0763bbfe1bd2f2af686410d8ab83d

commit aa9d3e38d6d0763bbfe1bd2f2af686410d8ab83d
Author:     Patrick McLean <patrick.mclean@sony.com>
AuthorDate: 2020-03-17 18:13:10 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-03-17 18:13:10 +0000

    app-misc/jq: remove vunlerable version (bug #636382)
    
    Bug: https://bugs.gentoo.org/636382
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 app-misc/jq/Manifest         |  1 -
 app-misc/jq/jq-1.5-r3.ebuild | 60 --------------------------------------------
 2 files changed, 61 deletions(-)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-28 21:11:22 UTC 
@maintainer(s): thanks for cleaning up. Tree is clean.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2020-04-16 06:40:34 UTC 
GLSA Vote: No
Thank you all for you work. 
Closing as [noglsa].