Bug 32640 - jq new security issues CVE-2023-50246 and CVE-2023-50268
Summary: jq new security issues CVE-2023-50246 and CVE-2023-50268
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: David GEIGER
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-12-20 11:19 CET by Nicolas Salguero
Modified: 2024-01-26 15:31 CET

See Also:
Source RPM: jq-1.7-1.mga10.src.rpm
CVE: CVE-2023-50246, CVE-2023-50268
Status comment:



Description Nicolas Salguero 2023-12-20 11:19:18 CET
Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2023/12/15/10

They are fixed in version 1.7.1 and with these commits:
https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b
https://github.com/jqlang/jq/commit/71c2ab509a8628dbbad4bc7b3f98a64aa90d3297

Mageia 9 is also affected.
Nicolas Salguero 2023-12-20 11:20:18 CET

Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 1.7.1
Source RPM: (none) => jq-1.7-1.mga10.src.rpm

Comment 1 Lewis Smith 2023-12-23 21:25:46 CET
Assigning to you, David, as you put up v1.7 - very recently, in fact.

Assignee: bugsquad => geiger.david68210

Comment 2 Nicolas Salguero 2024-01-26 15:31:22 CET
In fact, it only affected Cauldron.

Status comment: Fixed upstream in 1.7.1 => (none)
Status: NEW => RESOLVED
CVE: (none) => CVE-2023-50246, CVE-2023-50268
Resolution: (none) => FIXED
Whiteboard: MGA9TOO => (none)

