Bug 21923 - jq new security issues CVE-2015-8863 and CVE-2016-4074
Summary: jq new security issues CVE-2015-8863 and CVE-2016-4074
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2017-10-23 16:32 CEST by David Walser
Modified: 2017-11-19 11:24 CET (History)
3 users (show)

See Also:
Source RPM: jq-1.5-2.mga7.src.rpm
Status comment:

Ruby snippet which uses the json gem to generate json data files. (605 bytes, application/x-ruby)
2017-11-13 19:27 CET, Len Lawrence
JSON data file for tutorial tests (75 bytes, application/octet-stream)
2017-11-13 19:31 CET, Len Lawrence
JSON data file 2 (121 bytes, application/octet-stream)
2017-11-13 19:32 CET, Len Lawrence
JSON data file 3 (31 bytes, application/octet-stream)
2017-11-13 19:33 CET, Len Lawrence

Description David Walser 2017-10-23 16:32:46 CEST
openSUSE has issued an advisory today (October 23):

Mageia 6 is also affected.
David Walser 2017-10-23 16:32:53 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2017-11-10 22:07:26 CET
Olav imported a package with an unfixed security issue; we additionally have CVE-2015-8863:

It looks like the package is unmaintained in Fedora and should have been dropped there.  I'm not sure why Olav imported it.


Updated jq packages fix security vulnerabilities:

A heap-based buffer overflow flaw was found in jq's tokenadd() function. By
tricking a victim into processing a specially crafted JSON file, an attacker
could use this flaw to crash jq or, potentially, execute arbitrary code on the
victim's system (CVE-2015-8863).

Stack exhaustion could affect availability when parsing untrusted input


Updated packages in core/updates_testing:

from jq-1.5-1.1.mga6.src.rpm

CC: (none) => olav
Severity: normal => major
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: olav => qa-bugs

David Walser 2017-11-10 22:07:43 CET

Summary: jq new security issue CVE-2016-4074 => jq new security issue2 CVE-2015-8863 and CVE-2016-4074

David Walser 2017-11-10 22:07:54 CET

Summary: jq new security issue2 CVE-2015-8863 and CVE-2016-4074 => jq new security issues CVE-2015-8863 and CVE-2016-4074

Comment 2 Len Lawrence 2017-11-13 19:27:33 CET
Created attachment 9785 [details]
Ruby snippet which uses the json gem to generate json data files.

If you have ruby installed
$ sudo gem install json
$ ruby makejson.rb

This generates the files

CC: (none) => tarazed25

Comment 3 Len Lawrence 2017-11-13 19:29:08 CET
Testing on Mageia 6, x86_64

jq is a commandline JSON processor.

These bugs are all about using specially crafted JSON files to cause stack exhaustion.
POC referenced at https://github.com/stedolan/jq/issues/1136
$ jq . qcufnzxcnp.json.4167733746247029131
Running this in a terminal causes and endless series of [ to be posted to the screen separated by large numbers of spaces.  Has to be interrupted with Ctrl-C.  Reset and clear terminal after that.

Looks like this can be reproduced with the same POC test so it is difficult to see how we could distinguish the faults.
$ jq length qcufnzxcnp.json.4167733746247029131
The test can be forced to run out of stack space faster by doing
$ ulimit -s 256
$ jq . qcufnzxcnp.json.4167733746247029131
Then the test finishes quickly and shows:
                                                                Segmentation fault (core dumped)

Updated the packages from Core Updates Testing.
# rpm -qa | grep jq

Tried the POC.
$ jq . qcufnzxcnp.json.4167733746247029131
parse error: Exceeds depth limit for parsing at line 7, column 257

This is the expected result, so the patch is good.

Tutorial example:
Creat a specimen JSON file:
$ echo [{"id": 1, "name": "Arthur", "age": "21"},{"id": 2, "name": "Richard", "age": "32"}] > names.json
Use jq to prettyprint this and you end up in trouble.  There are ways to generate JSON data online, in a browser interface but those are not very convenient.
My solution was to use ruby and the json gem, since they were at hand.  The attached script generates the files {names,dog,inventory}.json as illustrated in the tutorial.  These examples all work fine.

$ jq '.' names.json
    "id": 1,
    "name": "Arthur",
    "age": "21"
    "id": 2,
    "name": "Richard",
    "age": "32"
$ cat dog.json | jq '.name' 
$ cat dog.json | jq '.breed,.age'
"Golden Retriever"
$ cat dog.json | jq '.owner.name'
$ cat dog.json | jq '.likes[2]'
"dog biscuits"
$ jq '.[] | .name' names.json
$ jq '.eggs + 1' inventory.json

This should be enough to show that the packages are in working order.
Comment 4 Len Lawrence 2017-11-13 19:31:48 CET
Created attachment 9786 [details]
JSON data file for tutorial tests

The contents can in fact be checked with cat.
Comment 5 Len Lawrence 2017-11-13 19:32:35 CET
Created attachment 9787 [details]
JSON data file 2
Comment 6 Len Lawrence 2017-11-13 19:33:09 CET
Created attachment 9788 [details]
JSON data file 3
Len Lawrence 2017-11-13 19:33:27 CET

Whiteboard: (none) => MGA6-64-OK

Lewis Smith 2017-11-18 21:19:24 CET

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2017-11-19 11:24:28 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.