| Summary: | jq new security issues CVE-2015-8863 and CVE-2016-4074 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | olav, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | jq-1.5-2.mga7.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Ruby snippet which uses the json gem to generate json data files; JSON data file for tutorial tests; JSON data file 2; JSON data file 3 | ||
Description
David Walser
2017-10-23 16:32:46 CEST
David Walser
2017-10-23 16:32:53 CEST
Whiteboard: (none) => MGA6TOO
CC: (none) => olav

Olav imported a package with an unfixed security issue; we additionally have CVE-2015-8863:
https://bugzilla.suse.com/show_bug.cgi?id=976992

It looks like the package is unmaintained in Fedora and should have been dropped there. I'm not sure why Olav imported it.

Advisory:
========================

Updated jq packages fix security vulnerabilities:

A heap-based buffer overflow flaw was found in jq's tokenadd() function. By tricking a victim into processing a specially crafted JSON file, an attacker could use this flaw to crash jq or, potentially, execute arbitrary code on the victim's system (CVE-2015-8863).

Stack exhaustion could affect availability when parsing untrusted input (CVE-2016-4074).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8863
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4074
https://lists.opensuse.org/opensuse-updates/2017-10/msg00083.html
========================

Updated packages in core/updates_testing:
========================
jq-1.5-1.1.mga6
libjq1-1.5-1.1.mga6
libjq-devel-1.5-1.1.mga6

from jq-1.5-1.1.mga6.src.rpm
David Walser
2017-11-10 22:07:43 CET
Summary: jq new security issue CVE-2016-4074 => jq new security issue2 CVE-2015-8863 and CVE-2016-4074
David Walser
2017-11-10 22:07:54 CET
Summary: jq new security issue2 CVE-2015-8863 and CVE-2016-4074 => jq new security issues CVE-2015-8863 and CVE-2016-4074

Created attachment 9785 [details]
Ruby snippet which uses the json gem to generate json data files.
If you have ruby installed
$ sudo gem install json
$ ruby makejson.rb
This generates the files
names.json
dog.json
inventory.json

CC: (none) => tarazed25

Testing on Mageia 6, x86_64

jq is a commandline JSON processor. https://shapeshed.com/jq-json/

These bugs are all about using specially crafted JSON files to cause stack exhaustion.

CVE-2015-8863
POC referenced at https://github.com/stedolan/jq/issues/1136
$ jq . qcufnzxcnp.json.4167733746247029131
Running this in a terminal causes an endless series of [ to be posted to the screen separated by large numbers of spaces. Has to be interrupted with Ctrl-C. Reset and clear terminal after that.

CVE-2016-4074
Looks like this can be reproduced with the same POC test so it is difficult to see how we could distinguish the faults.
$ jq length qcufnzxcnp.json.4167733746247029131
31

The test can be forced to run out of stack space faster by doing
$ ulimit -s 256
$ jq . qcufnzxcnp.json.4167733746247029131
Then the test finishes quickly and shows:
Segmentation fault (core dumped)

Updated the packages from Core Updates Testing.
# rpm -qa | grep jq
lib64jq-devel-1.5-1.1.mga6
jq-1.5-1.1.mga6
lib64jq1-1.5-1.1.mga6

Tried the POC.
$ jq . qcufnzxcnp.json.4167733746247029131
parse error: Exceeds depth limit for parsing at line 7, column 257
This is the expected result, so the patch is good.

Tutorial example:
Create a specimen JSON file:
$ echo [{"id": 1, "name": "Arthur", "age": "21"},{"id": 2, "name": "Richard", "age": "32"}] > names.json
Use jq to prettyprint this and you end up in trouble.

There are ways to generate JSON data online, in a browser interface, but those are not very convenient. My solution was to use ruby and the json gem, since they were at hand. The attached script generates the files {names,dog,inventory}.json as illustrated in the tutorial.

These examples all work fine.
$ jq '.' names.json
[
  {
    "id": 1,
    "name": "Arthur",
    "age": "21"
  },
  {
    "id": 2,
    "name": "Richard",
    "age": "32"
  }
]
$ cat dog.json | jq '.name'
"Buster"
$ cat dog.json | jq '.breed,.age'
"Golden Retriever"
"4"
$ cat dog.json | jq '.owner.name'
"Sally"
$ cat dog.json | jq '.likes[2]'
"dog biscuits"
$ jq '.[] | .name' names.json
"Arthur"
"Richard"
$ jq '.eggs + 1' inventory.json
6

This should be enough to show that the packages are in working order.

Created attachment 9786 [details]
JSON data file for tutorial tests
The contents can in fact be checked with cat.
Created attachment 9787 [details]
JSON data file 2
Created attachment 9788 [details]
JSON data file 3
Len Lawrence
2017-11-13 19:33:27 CET
Whiteboard: (none) => MGA6-64-OK
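The two behaviours reproduced in the test report above (the pre-fix binary that recurses until the stack is gone, and the fixed binary that stops with "Exceeds depth limit for parsing") in miniature. This is an added example written for this page; it is not jq's code and not part of the bug report. It is a toy recursive-descent parser for JSON arrays in Python, once without any bound on nesting and once with an explicit depth counter, the same shape of fix jq received for CVE-2016-4074. The function names are invented, `make_nested()` builds a constructed stand-in for the upstream PoC file, and the limit of 256 is an assumption chosen to match the "column 257" in the quoted error. Python reports stack exhaustion as `RecursionError` where the C binary segfaulted; the heap overflow in `tokenadd()` (CVE-2015-8863) is a separate C-level bug this toy does not model.

```python
"""Toy demonstration of the nesting-depth bug class behind CVE-2016-4074.

Constructed example, not jq's code.  parse_naive() mirrors the pre-fix
behaviour (recursion depth follows input nesting); parse_limited() mirrors
the fixed behaviour (explicit depth counter, clean parse error).
"""
import sys

# Assumption: the nesting limit the fixed parser enforces, chosen to match
# the "column 257" in the parse error quoted in the test report above.
MAX_PARSING_DEPTH = 256


class DepthLimitExceeded(ValueError):
    """Raised by the hardened parser instead of letting recursion run away."""


def make_nested(depth):
    """Constructed PoC input: `depth` nested empty arrays, e.g. '[[[]]]'.

    Stands in for the deeply nested test file referenced from jq issue 1136.
    """
    return "[" * depth + "]" * depth


def _parse(text, max_depth):
    """Minimal recursive-descent parser for JSON arrays, integers and plain
    (escape-free) strings.  max_depth=None means no bound on nesting."""
    pos = 0
    n = len(text)

    def skip_ws():
        nonlocal pos
        while pos < n and text[pos] in " \t\r\n":
            pos += 1

    def value(depth):
        nonlocal pos
        skip_ws()
        if pos >= n:
            raise ValueError("unexpected end of input")
        c = text[pos]
        if c == "[":
            # The whole fix: count nesting and refuse to go deeper than
            # max_depth instead of recursing until the stack is exhausted.
            if max_depth is not None and depth + 1 > max_depth:
                raise DepthLimitExceeded(
                    f"Exceeds depth limit for parsing at offset {pos}")
            pos += 1
            items = []
            skip_ws()
            if pos < n and text[pos] == "]":
                pos += 1
                return items
            while True:
                items.append(value(depth + 1))   # one frame per nesting level
                skip_ws()
                if pos < n and text[pos] == ",":
                    pos += 1
                elif pos < n and text[pos] == "]":
                    pos += 1
                    return items
                else:
                    raise ValueError(f"expected ',' or ']' at offset {pos}")
        if c == '"':
            end = text.find('"', pos + 1)
            if end < 0:
                raise ValueError("unterminated string")
            s = text[pos + 1:end]
            pos = end + 1
            return s
        if c == "-" or c.isdigit():
            start = pos
            pos += 1
            while pos < n and text[pos].isdigit():
                pos += 1
            return int(text[start:pos])
        raise ValueError(f"unexpected character {c!r} at offset {pos}")

    result = value(0)
    skip_ws()
    if pos != n:
        raise ValueError(f"trailing data at offset {pos}")
    return result


def parse_naive(text):
    """Pre-fix behaviour: nothing bounds the recursion, so a crafted file
    exhausts the stack.  Python reports that as RecursionError; the C binary
    in the report above segfaulted once 'ulimit -s' was lowered."""
    return _parse(text, max_depth=None)


def parse_limited(text, max_depth=MAX_PARSING_DEPTH):
    """Fixed behaviour: nesting beyond max_depth is rejected up front."""
    return _parse(text, max_depth)


def outcome(parser, text):
    """Classify what a parser does with an input, for side-by-side comparison."""
    try:
        parser(text)
        return "ok"
    except DepthLimitExceeded:
        return "depth-limit"
    except RecursionError:
        return "stack-exhausted"


if __name__ == "__main__":
    poc = make_nested(5000)   # far deeper than Python's default recursion limit
    print("pre-fix parser  :", outcome(parse_naive, poc))
    print("fixed parser    :", outcome(parse_limited, poc))
    print("fixed, at limit :", outcome(parse_limited, make_nested(MAX_PARSING_DEPTH)))
    print("recursion limit :", sys.getrecursionlimit())
```

Run it directly to see the three outcomes side by side. The point is that the hardened parser fails closed with a bounded, reportable error before the stack is at risk, which is what the "Exceeds depth limit for parsing" line shows jq-1.5-1.1.mga6 doing, while the unbounded parser's failure mode depends entirely on how much stack the process happens to have (hence the `ulimit -s 256` trick in the report to make it crash quickly).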
Lewis Smith
2017-11-18 21:19:24 CET
Keywords: (none) => advisory, validated_update
Status: NEW => RESOLVED

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0415.html