Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 636382 (CVE-2016-4074)

Summary: app-misc/jq: Denial of Service vulnerability (CVE-2016-4074)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: chutzpah, radhermit, vpayno+gentoo
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2017-11-03 14:38:34 UTC 
CVE-2016-4074 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4074):
  The jv_dump_term function in jq 1.5 allows remote attackers to cause a
  denial of service (stack consumption and application crash) via a crafted
  JSON file.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-03 14:39:23 UTC 
@Maintainer please confirm if we are affected by this vulnerability.

Thank you
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-16 02:22:22 UTC 
Bug: https://github.com/stedolan/jq/issues/1136

Patch: https://github.com/stedolan/jq/commit/83e2cf607f3599d208b6b3129092fa7deb2e5292

@maintainer(s), please drop the old affected version.
Comment 3 Larry the Git Cow gentoo-dev 2020-03-17 18:13:35 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa9d3e38d6d0763bbfe1bd2f2af686410d8ab83d

commit aa9d3e38d6d0763bbfe1bd2f2af686410d8ab83d
Author:     Patrick McLean <patrick.mclean@sony.com>
AuthorDate: 2020-03-17 18:13:10 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-03-17 18:13:10 +0000

    app-misc/jq: remove vunlerable version (bug #636382)
    
    Bug: https://bugs.gentoo.org/636382
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 app-misc/jq/Manifest         |  1 -
 app-misc/jq/jq-1.5-r3.ebuild | 60 --------------------------------------------
 2 files changed, 61 deletions(-)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-28 21:11:22 UTC 
@maintainer(s): thanks for cleaning up. Tree is clean.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2020-04-16 06:40:34 UTC 
GLSA Vote: No
Thank you all for you work. 
Closing as [noglsa].