Forum: >>> Magnum BBS <<<

Bug#1102679: jq: CVE-2024-53427

From Salvatore Bonaccorso@21:1/5 to All on Fri Apr 11 22:30:01 2025

Source: jq
Version: 1.7.1-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/jqlang/jq/issues/3196
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1.7.1-4

Hi,

The following vulnerability was published for jq.

CVE-2024-53427[0]:
| decNumberCopy in decNumber.c in jq through 1.7.1 does not properly
| consider that NaN is interpreted as numeric, which has a resultant
| stack-based buffer overflow and out-of-bounds write, as demonstrated
| by use of --slurp with subtraction, such as a filter of .-. when the
| input has a certain form of digit string with NaN (e.g., "1 NaN123"
| immediately followed by many more digits).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-53427
https://www.cve.org/CVERecord?id=CVE-2024-53427
[1] https://github.com/jqlang/jq/issues/3196
[2] https://github.com/jqlang/jq/security/advisories/GHSA-x6c3-qv5r-7q22
[3] https://github.com/jqlang/jq/commit/b86ff49f46a4a37e5a8e75a140cb5fd6e1331384
[4] https://github.com/jqlang/jq/commit/a09a4dfd55e6c24d04b35062ccfe4509748b1dd3

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	491
Nodes:	16 (2 / 14)
Uptime:	137:05:12
Calls:	9,693
Calls today:	3
Files:	13,728
Messages:	6,177,971