pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2018Q1]: pkgsrc/devel/jq Pullup ticket #5766 - requested by bs...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/a6ed077bc5d1
branches:  pkgsrc-2018Q1
changeset: 309414:a6ed077bc5d1
user:      spz <spz%pkgsrc.org@localhost>
date:      Sun Jun 17 12:43:56 2018 +0000

description:
Pullup ticket #5766 - requested by bsiegert
devel/jq: security patch

Revisions pulled up:
- devel/jq/Makefile                                             1.15
- devel/jq/distinfo                                             1.9
- devel/jq/patches/patch-src_jv__print.c                        1.1

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ginsbach
   Date:           Wed May 30 16:03:48 UTC 2018

   Modified Files:
           pkgsrc/devel/jq: Makefile distinfo
   Added Files:
           pkgsrc/devel/jq/patches: patch-src_jv__print.c

   Log Message:
   CVE-2016-4074 denial-of-service (via upstream)

   Fix present in jq-1.6rc1 (https://github.com/stedolan/jq/commit/83e2cf6).
   The fix prevents 'infinite' recursion preventing stack exhaustion.


   To generate a diff of this commit:
   cvs rdiff -u -r1.14 -r1.15 pkgsrc/devel/jq/Makefile
   cvs rdiff -u -r1.8 -r1.9 pkgsrc/devel/jq/distinfo
   cvs rdiff -u -r0 -r1.1 pkgsrc/devel/jq/patches/patch-src_jv__print.c

diffstat:

 devel/jq/Makefile                      |   4 +-
 devel/jq/distinfo                      |   3 +-
 devel/jq/patches/patch-src_jv__print.c |  41 ++++++++++++++++++++++++++++++++++
 3 files changed, 45 insertions(+), 3 deletions(-)

diffs (72 lines):

diff -r a1c87fb993a5 -r a6ed077bc5d1 devel/jq/Makefile
--- a/devel/jq/Makefile Sun Jun 17 11:40:03 2018 +0000
+++ b/devel/jq/Makefile Sun Jun 17 12:43:56 2018 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.14 2018/03/22 08:14:52 adam Exp $
+# $NetBSD: Makefile,v 1.14.2.1 2018/06/17 12:43:56 spz Exp $
 
 DISTNAME=      jq-1.5
-PKGREVISION=   3
+PKGREVISION=   4
 CATEGORIES=    devel
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=stedolan/}
 
diff -r a1c87fb993a5 -r a6ed077bc5d1 devel/jq/distinfo
--- a/devel/jq/distinfo Sun Jun 17 11:40:03 2018 +0000
+++ b/devel/jq/distinfo Sun Jun 17 12:43:56 2018 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.8 2018/01/15 08:51:55 adam Exp $
+$NetBSD: distinfo,v 1.8.2.1 2018/06/17 12:43:56 spz Exp $
 
 SHA1 (jq-1.5.tar.gz) = 664638b560d9e734178e8cafb21d98817af5b5f3
 RMD160 (jq-1.5.tar.gz) = 33ac77ac93e0539f6d66d29cd717013cdab8cf61
@@ -6,3 +6,4 @@
 Size (jq-1.5.tar.gz) = 1118086 bytes
 SHA1 (patch-Makefile.in) = 446be0fa3517fb6fc1e2f5761d1f8fb28339c79c
 SHA1 (patch-src_jv__parse.c) = efca86e70daf27291a01bf538487b745b7bd600c
+SHA1 (patch-src_jv__print.c) = 4d53dc1a1f0bb1cc827dd1adb62ecef2b7393970
diff -r a1c87fb993a5 -r a6ed077bc5d1 devel/jq/patches/patch-src_jv__print.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/devel/jq/patches/patch-src_jv__print.c    Sun Jun 17 12:43:56 2018 +0000
@@ -0,0 +1,41 @@
+$NetBSD: patch-src_jv__print.c,v 1.1.2.2 2018/06/17 12:43:56 spz Exp $
+
+CVE-2016-4074
+
+From 83e2cf607f3599d208b6b3129092fa7deb2e5292 Mon Sep 17 00:00:00 2001
+From: W-Mark Kubacki <wmark%hurrikane.de@localhost>
+Date: Fri, 19 Aug 2016 19:50:39 +0200
+Subject: [PATCH] Skip printing what's below a MAX_PRINT_DEPTH
+
+This addresses #1136, and mitigates a stack exhaustion when printing
+a very deeply nested term.
+---
+ src/jv_print.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/jv_print.c b/src/jv_print.c
+index 5f4f234b..ce4a59af 100644
+--- jv_print.c
++++ jv_print.c
+@@ -13,6 +13,10 @@
+ #include "jv_dtoa.h"
+ #include "jv_unicode.h"
+ 
++#ifndef MAX_PRINT_DEPTH
++#define MAX_PRINT_DEPTH (256)
++#endif
++
+ #define ESC "\033"
+ #define COL(c) (ESC "[" c "m")
+ #define COLRESET (ESC "[0m")
+@@ -150,7 +154,9 @@ static void jv_dump_term(struct dtoa_context* C, jv x, int flags, int indent, FI
+       }
+     }
+   }
+-  switch (jv_get_kind(x)) {
++  if (indent > MAX_PRINT_DEPTH) {
++    put_str("<skipped: too deep>", F, S, flags & JV_PRINT_ISATTY);
++  } else switch (jv_get_kind(x)) {
+   default:
+   case JV_KIND_INVALID:
+     if (flags & JV_PRINT_INVALID) {
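
Review bot: In the second hunk of the embedded jv_print.c patch, the `indent > MAX_PRINT_DEPTH` branch writes the literal `<skipped: too deep>` into the output, which is not valid JSON, and nothing in the visible lines reports the truncation to the caller, so a downstream consumer gets either a parse error or incomplete data with no signal. A short comment at the top of the patch file stating that behaviour, and that the 256 limit can be overridden at build time through the `#ifndef MAX_PRINT_DEPTH` guard, would help whoever next touches this package. The guard also relies on `indent` tracking nesting depth; the hunk does not show how `indent` is advanced on recursive calls, so it is worth confirming that it increases in every print mode and not only when pretty-printing. Separately, the `---`/`+++` lines name `jv_print.c` without the `src/` prefix that the `diff --git` line and the patch file name carry; check that the patch applies from the work directory.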


