[pkgsrc/trunk]: pkgsrc/devel/jq CVE-2016-4074 denial-of-service (via upstream)

[ginsbach <ginsbach%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/41470835ba65
branches:  trunk
changeset: 308730:41470835ba65
user:      ginsbach <ginsbach%pkgsrc.org@localhost>
date:      Wed May 30 16:03:48 2018 +0000

description:
CVE-2016-4074 denial-of-service (via upstream)

Fix present in jq-1.6rc1 (https://github.com/stedolan/jq/commit/83e2cf6).
The fix prevents 'infinite' recursion preventing stack exhaustion.

diffstat:

 devel/jq/Makefile                      |   4 +-
 devel/jq/distinfo                      |   3 +-
 devel/jq/patches/patch-src_jv__print.c |  41 ++++++++++++++++++++++++++++++++++
 3 files changed, 45 insertions(+), 3 deletions(-)

diffs (72 lines):

diff -r 809440374e2f -r 41470835ba65 devel/jq/Makefile
--- a/devel/jq/Makefile Wed May 30 14:59:00 2018 +0000
+++ b/devel/jq/Makefile Wed May 30 16:03:48 2018 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.14 2018/03/22 08:14:52 adam Exp $
+# $NetBSD: Makefile,v 1.15 2018/05/30 16:03:48 ginsbach Exp $
 
 DISTNAME=      jq-1.5
-PKGREVISION=   3
+PKGREVISION=   4
 CATEGORIES=    devel
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=stedolan/}
 
diff -r 809440374e2f -r 41470835ba65 devel/jq/distinfo
--- a/devel/jq/distinfo Wed May 30 14:59:00 2018 +0000
+++ b/devel/jq/distinfo Wed May 30 16:03:48 2018 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.8 2018/01/15 08:51:55 adam Exp $
+$NetBSD: distinfo,v 1.9 2018/05/30 16:03:48 ginsbach Exp $
 
 SHA1 (jq-1.5.tar.gz) = 664638b560d9e734178e8cafb21d98817af5b5f3
 RMD160 (jq-1.5.tar.gz) = 33ac77ac93e0539f6d66d29cd717013cdab8cf61
@@ -6,3 +6,4 @@
 Size (jq-1.5.tar.gz) = 1118086 bytes
 SHA1 (patch-Makefile.in) = 446be0fa3517fb6fc1e2f5761d1f8fb28339c79c
 SHA1 (patch-src_jv__parse.c) = efca86e70daf27291a01bf538487b745b7bd600c
+SHA1 (patch-src_jv__print.c) = 4d53dc1a1f0bb1cc827dd1adb62ecef2b7393970
diff -r 809440374e2f -r 41470835ba65 devel/jq/patches/patch-src_jv__print.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/devel/jq/patches/patch-src_jv__print.c    Wed May 30 16:03:48 2018 +0000
@@ -0,0 +1,41 @@
+$NetBSD: patch-src_jv__print.c,v 1.1 2018/05/30 16:03:48 ginsbach Exp $
+
+CVE-2016-4074
+
+From 83e2cf607f3599d208b6b3129092fa7deb2e5292 Mon Sep 17 00:00:00 2001
+From: W-Mark Kubacki <wmark%hurrikane.de@localhost>
+Date: Fri, 19 Aug 2016 19:50:39 +0200
+Subject: [PATCH] Skip printing what's below a MAX_PRINT_DEPTH
+
+This addresses #1136, and mitigates a stack exhaustion when printing
+a very deeply nested term.
+---
+ src/jv_print.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/jv_print.c b/src/jv_print.c
+index 5f4f234b..ce4a59af 100644
+--- jv_print.c
++++ jv_print.c
+@@ -13,6 +13,10 @@
+ #include "jv_dtoa.h"
+ #include "jv_unicode.h"
+ 
++#ifndef MAX_PRINT_DEPTH
++#define MAX_PRINT_DEPTH (256)
++#endif
++
+ #define ESC "\033"
+ #define COL(c) (ESC "[" c "m")
+ #define COLRESET (ESC "[0m")
+@@ -150,7 +154,9 @@ static void jv_dump_term(struct dtoa_context* C, jv x, int flags, int indent, FI
+       }
+     }
+   }
+-  switch (jv_get_kind(x)) {
++  if (indent > MAX_PRINT_DEPTH) {
++    put_str("<skipped: too deep>", F, S, flags & JV_PRINT_ISATTY);
++  } else switch (jv_get_kind(x)) {
+   default:
+   case JV_KIND_INVALID:
+     if (flags & JV_PRINT_INVALID) {