Bug 2254467 (CVE-2023-50246)

Summary: CVE-2023-50246 jq: heap buffer overflow in function decToString() in decNumber.c
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: amctagga, aoconnor, bniver, caswilli, dfreiber, drow, fjansen, flucifre, gmeno, hkataria, jburrell, kaycoth, kshier, mbenjamin, mhackett, sostapov, sthirugn, vereddy, vkrizan, vkumar, vmugicag
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: jq 1.7.1
Doc Type: If docs needed, set a value
Doc Text:
A heap-based buffer overflow vulnerability was found in the decToString() function in decNumber.c in the jq project. This issue occurs when submitting malicious input to the application, leading to an application crash and causing a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2254488, 2254489
Bug Blocks: 2254521

Description TEJ RATHI 2023-12-14 05:32:11 UTC
jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64574
https://github.com/jqlang/jq/commit/71c2ab509a8628dbbad4bc7b3f98a64aa90d3297
https://github.com/jqlang/jq/security/advisories/GHSA-686w-5m7m-54vc

Comment 1 TEJ RATHI 2023-12-14 08:05:08 UTC
Created jq tracking bugs for this issue:

Affects: epel-all [bug 2254489]
Affects: fedora-all [bug 2254488]