openSUSE has issued an advisory today (October 23): https://lists.opensuse.org/opensuse-updates/2017-10/msg00083.html Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Olav imported a package with an unfixed security issue; we additionally have CVE-2015-8863: https://bugzilla.suse.com/show_bug.cgi?id=976992

It looks like the package is unmaintained in Fedora and should have been dropped there. I'm not sure why Olav imported it.

Advisory:
========================

Updated jq packages fix security vulnerabilities:

A heap-based buffer overflow flaw was found in jq's tokenadd() function. By tricking a victim into processing a specially crafted JSON file, an attacker could use this flaw to crash jq or, potentially, execute arbitrary code on the victim's system (CVE-2015-8863).

Stack exhaustion could affect availability when parsing untrusted input (CVE-2016-4074).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8863
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4074
https://lists.opensuse.org/opensuse-updates/2017-10/msg00083.html
========================

Updated packages in core/updates_testing:
========================
jq-1.5-1.1.mga6
libjq1-1.5-1.1.mga6
libjq-devel-1.5-1.1.mga6

from jq-1.5-1.1.mga6.src.rpm
CC: (none) => olav
Severity: normal => major
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: olav => qa-bugs
Summary: jq new security issue CVE-2016-4074 => jq new security issue2 CVE-2015-8863 and CVE-2016-4074
Summary: jq new security issue2 CVE-2015-8863 and CVE-2016-4074 => jq new security issues CVE-2015-8863 and CVE-2016-4074
Created attachment 9785 [details]
Ruby snippet which uses the json gem to generate json data files.

If you have ruby installed:
$ sudo gem install json
$ ruby makejson.rb

This generates the files names.json dog.json inventory.json
CC: (none) => tarazed25
Testing on Mageia 6, x86_64

jq is a commandline JSON processor. https://shapeshed.com/jq-json/

These bugs are all about using specially crafted JSON files to cause stack exhaustion.

CVE-2015-8863
POC referenced at https://github.com/stedolan/jq/issues/1136

$ jq . qcufnzxcnp.json.4167733746247029131

Running this in a terminal causes an endless series of [ to be posted to the screen separated by large numbers of spaces. Has to be interrupted with Ctrl-C. Reset and clear terminal after that.

CVE-2016-4074
Looks like this can be reproduced with the same POC test so it is difficult to see how we could distinguish the faults.

$ jq length qcufnzxcnp.json.4167733746247029131
31

The test can be forced to run out of stack space faster by doing
$ ulimit -s 256
$ jq . qcufnzxcnp.json.4167733746247029131

Then the test finishes quickly and shows:
Segmentation fault (core dumped)

Updated the packages from Core Updates Testing.

# rpm -qa | grep jq
lib64jq-devel-1.5-1.1.mga6
jq-1.5-1.1.mga6
lib64jq1-1.5-1.1.mga6

Tried the POC.
$ jq . qcufnzxcnp.json.4167733746247029131
parse error: Exceeds depth limit for parsing at line 7, column 257

This is the expected result, so the patch is good.

Tutorial example:
Create a specimen JSON file:
$ echo [{"id": 1, "name": "Arthur", "age": "21"},{"id": 2, "name": "Richard", "age": "32"}] > names.json

Use jq to prettyprint this and you end up in trouble. There are ways to generate JSON data online, in a browser interface but those are not very convenient. My solution was to use ruby and the json gem, since they were at hand. The attached script generates the files {names,dog,inventory}.json as illustrated in the tutorial. These examples all work fine.

$ jq '.' names.json
[
  {
    "id": 1,
    "name": "Arthur",
    "age": "21"
  },
  {
    "id": 2,
    "name": "Richard",
    "age": "32"
  }
]
$ cat dog.json | jq '.name'
"Buster"
$ cat dog.json | jq '.breed,.age'
"Golden Retriever"
"4"
$ cat dog.json | jq '.owner.name'
"Sally"
$ cat dog.json | jq '.likes[2]'
"dog biscuits"
$ jq '.[] | .name' names.json
"Arthur"
"Richard"
$ jq '.eggs + 1' inventory.json
6

This should be enough to show that the packages are in working order.
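The check described in the comment above, as an added example that is not part of the bug report or the attached Ruby script: it writes constructed sample files matching the tutorial queries (the first two "likes" entries and the eggs count are assumptions chosen to reproduce the expected outputs), generates a deeply nested document, and classifies how the installed jq handles it, so a patched build is recognised by the "Exceeds depth limit" parse error rather than a crash. It assumes a `jq` binary on PATH.

```python
import json
import os
import shutil
import subprocess

DEPTH_LIMIT_MSG = "Exceeds depth limit for parsing"  # error text of the patched parser

# Constructed sample data reproducing the tutorial queries; the first two
# "likes" items and the eggs value are assumptions chosen to match them.
TUTORIAL_FILES = {
    "names.json": [{"id": 1, "name": "Arthur", "age": "21"},
                   {"id": 2, "name": "Richard", "age": "32"}],
    "dog.json": {"name": "Buster", "breed": "Golden Retriever", "age": "4",
                 "owner": {"name": "Sally"},
                 "likes": ["walks", "fetch", "dog biscuits"]},
    "inventory.json": {"eggs": 5},
}


def write_tutorial_files(dirpath):
    """Write the sample files (stands in for the Ruby/json-gem generator)."""
    for name, data in TUTORIAL_FILES.items():
        with open(os.path.join(dirpath, name), "w") as fh:
            json.dump(data, fh)


def nested_array(depth):
    """Return a JSON array nested `depth` levels deep, e.g. depth 3 -> [[[]]]."""
    return "[" * depth + "]" * depth


def classify(returncode, stderr):
    """Map the outcome of `jq . deep.json` to a verdict on the fix."""
    if DEPTH_LIMIT_MSG in stderr:
        return "rejected"   # patched jq refuses the input cleanly
    if returncode < 0 or returncode >= 128:
        return "crashed"    # killed by a signal (e.g. SIGSEGV after stack exhaustion)
    return "accepted" if returncode == 0 else "error"


def check_depth_limit(dirpath, depth=10000, timeout=20):
    """Verdict for a deeply nested document; None if jq is not installed."""
    if shutil.which("jq") is None:
        return None
    path = os.path.join(dirpath, "deep.json")
    with open(path, "w") as fh:
        fh.write(nested_array(depth))
    try:  # a wall-clock limit keeps an unpatched jq from hanging the check
        proc = subprocess.run(["jq", ".", path], capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify(proc.returncode, proc.stderr)
```

Run `write_tutorial_files` and `check_depth_limit` on a scratch directory; "rejected" is the result expected from the updated packages.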
Created attachment 9786 [details]
JSON data file for tutorial tests

The contents can in fact be checked with cat.
Created attachment 9787 [details]
JSON data file 2
Created attachment 9788 [details]
JSON data file 3
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0415.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED