CVS commit: pkgsrc/devel/jq
Module Name: pkgsrc
Committed By: kim
Date: Sun Jun 22 06:16:20 UTC 2025
Modified Files:
pkgsrc/devel/jq: Makefile distinfo
Added Files:
pkgsrc/devel/jq/patches: patch-src_builtin.c patch-tests_jq.test
Log Message:
jq: Apply upstream patch for CVE-2025-49014
To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 pkgsrc/devel/jq/Makefile
cvs rdiff -u -r1.20 -r1.21 pkgsrc/devel/jq/distinfo
cvs rdiff -u -r0 -r1.3 pkgsrc/devel/jq/patches/patch-src_builtin.c
cvs rdiff -u -r0 -r1.1 pkgsrc/devel/jq/patches/patch-tests_jq.test
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/devel/jq/Makefile
diff -u pkgsrc/devel/jq/Makefile:1.22 pkgsrc/devel/jq/Makefile:1.23
--- pkgsrc/devel/jq/Makefile:1.22 Sun Jun 1 18:43:09 2025
+++ pkgsrc/devel/jq/Makefile Sun Jun 22 06:16:19 2025
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.22 2025/06/01 18:43:09 leot Exp $
+# $NetBSD: Makefile,v 1.23 2025/06/22 06:16:19 kim Exp $
DISTNAME= jq-1.8.0
+PKGREVISION= 1
CATEGORIES= devel
MASTER_SITES= ${MASTER_SITE_GITHUB:=jqlang/}
GITHUB_RELEASE= ${DISTNAME}
Index: pkgsrc/devel/jq/distinfo
diff -u pkgsrc/devel/jq/distinfo:1.20 pkgsrc/devel/jq/distinfo:1.21
--- pkgsrc/devel/jq/distinfo:1.20 Mon Jun 2 08:07:34 2025
+++ pkgsrc/devel/jq/distinfo Sun Jun 22 06:16:19 2025
@@ -1,7 +1,9 @@
-$NetBSD: distinfo,v 1.20 2025/06/02 08:07:34 wiz Exp $
+$NetBSD: distinfo,v 1.21 2025/06/22 06:16:19 kim Exp $
BLAKE2s (jq-1.8.0.tar.gz) = 5c80da8304630ba309ff79275656dbc765e2786a15247aea838eef012fa5e366
SHA512 (jq-1.8.0.tar.gz) = eaa991e43d3fc716dd57f6722a42d4119dcd8ba272eb2fcab882f83efb0b11c10a35c3dc8ad2067f30440dad988d34b5955601499eae1bb9e43db53db02bc4cf
Size (jq-1.8.0.tar.gz) = 1908285 bytes
SHA1 (patch-Makefile.am) = 01886c0d7ea547367228a4d35c79c384682cf800
SHA1 (patch-Makefile.in) = aef7aeb2ba4868dbd50b659221530d6c0beba110
+SHA1 (patch-src_builtin.c) = 67646aa711268436bbcc2a4b744a0d88e6ec738f
+SHA1 (patch-tests_jq.test) = 82b34ba522320bac9ac7e3f0597d5f2f699e1b2a
Added files:
Index: pkgsrc/devel/jq/patches/patch-src_builtin.c
diff -u /dev/null pkgsrc/devel/jq/patches/patch-src_builtin.c:1.3
--- /dev/null Sun Jun 22 06:16:20 2025
+++ pkgsrc/devel/jq/patches/patch-src_builtin.c Sun Jun 22 06:16:19 2025
@@ -0,0 +1,39 @@
+$NetBSD: patch-src_builtin.c,v 1.3 2025/06/22 06:16:19 kim Exp $
+
+Fixes CVE-2025-49014 which was introduced in 1.8.0
+https://github.com/jqlang/jq/commit/499c91bca9d4d027833bc62787d1bb075c03680e.patch
+
+--- src/builtin.c.orig 2025-06-01 05:58:31.000000000 +0000
++++ src/builtin.c 2025-06-22 06:08:48.067551402 +0000
+@@ -1769,6 +1769,7 @@
+ return ret_error(b, jv_string("strftime/1 requires parsed datetime inputs"));
+
+ const char *fmt = jv_string_value(b);
++ int fmt_not_empty = *fmt != '\0';
+ size_t max_size = strlen(fmt) + 100;
+ char *buf = jv_mem_alloc(max_size);
+ #ifdef __APPLE__
+@@ -1789,7 +1790,7 @@
+ #endif
+ jv_free(b);
+ /* POSIX doesn't provide errno values for strftime() failures; weird */
+- if ((n == 0 && *fmt) || n > max_size) {
++ if ((n == 0 && fmt_not_empty) || n > max_size) {
+ free(buf);
+ return jv_invalid_with_msg(jv_string("strftime/1: unknown system failure"));
+ }
+@@ -1818,12 +1819,13 @@
+ if (!jv2tm(a, &tm, 1))
+ return ret_error(b, jv_string("strflocaltime/1 requires parsed datetime inputs"));
+ const char *fmt = jv_string_value(b);
++ int fmt_not_empty = *fmt != '\0';
+ size_t max_size = strlen(fmt) + 100;
+ char *buf = jv_mem_alloc(max_size);
+ size_t n = strftime(buf, max_size, fmt, &tm);
+ jv_free(b);
+ /* POSIX doesn't provide errno values for strftime() failures; weird */
+- if ((n == 0 && *fmt) || n > max_size) {
++ if ((n == 0 && fmt_not_empty) || n > max_size) {
+ free(buf);
+ return jv_invalid_with_msg(jv_string("strflocaltime/1: unknown system failure"));
+ }
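Review bot: After `jv_free(b);` the pointer `fmt` (obtained from `jv_string_value(b)` a few lines earlier) still dangles, and the new `fmt_not_empty` flag fixes the one visible dereference without documenting that invariant; the same applies to the strflocaltime hunk at `@@ -1818,12 +1819,13 @@`. A one-line comment on the free would stop the next edit from reintroducing the read, e.g. `jv_free(b); /* fmt borrows b's storage: do not dereference it below this point (CVE-2025-49014) */`, with `int fmt_not_empty = *fmt != '\0'; /* sampled before b is freed */` on the new declaration. Note also that `n > max_size` in the retained condition cannot be true as far as the visible lines show, since strftime() returns 0 or a count smaller than the buffer size, so the cached flag is the only guard that matters. Both enclosing functions (the strftime/1 and strflocaltime/1 builtins) start and end outside the hunk.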
Index: pkgsrc/devel/jq/patches/patch-tests_jq.test
diff -u /dev/null pkgsrc/devel/jq/patches/patch-tests_jq.test:1.1
--- /dev/null Sun Jun 22 06:16:20 2025
+++ pkgsrc/devel/jq/patches/patch-tests_jq.test Sun Jun 22 06:16:19 2025
@@ -0,0 +1,19 @@
+$NetBSD: patch-tests_jq.test,v 1.1 2025/06/22 06:16:19 kim Exp $
+
+Fixes CVE-2025-49014 which was introduced in 1.8.0
+https://github.com/jqlang/jq/commit/499c91bca9d4d027833bc62787d1bb075c03680e.patch
+
+--- tests/jq.test.orig 2025-06-01 05:58:31.000000000 +0000
++++ tests/jq.test 2025-06-22 06:08:48.077032552 +0000
+@@ -2495,3 +2495,11 @@
+ 3
+ 2
+ 4
++
++# regression test for CVE-2025-49014 (use of fmt after free)
++# tests with both empty string literal and empty string created by function
++# as they seems to behave referecne wise differently.
++strflocaltime("" | ., @uri)
++0
++""
++""