2254468 – (CVE-2023-50268) CVE-2023-50268 jq: stack-based buffer overflow in builds using decNumber

Bug 2254468 (CVE-2023-50268) - CVE-2023-50268 jq: stack-based buffer overflow in builds using decNumber

Summary: CVE-2023-50268 jq: stack-based buffer overflow in builds using decNumber

Keywords:
Status:	NEW
Alias:	CVE-2023-50268
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2254486 2254487
Blocks:	2254521
TreeView+	depends on / blocked

Reported:	2023-12-14 05:32 UTC by TEJ RATHI
Modified:	2024-02-28 06:19 UTC (History)
CC List:	22 users (show)
Fixed In Version:	jq 1.7.1
Doc Type:	If docs needed, set a value
Doc Text:	A stack-based buffer overflow vulnerability was found in the Jq project. This issue occurs when submitting malicious input to the application, leading to an application crash and causing a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description TEJ RATHI 2023-12-14 05:32:14 UTC

jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64771
https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b
https://github.com/jqlang/jq/pull/2804
https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j

Comment 1 TEJ RATHI 2023-12-14 08:04:43 UTC

Created jq tracking bugs for this issue:

Affects: epel-all [bug 2254487]
Affects: fedora-all [bug 2254486]

Note You need to log in before you can comment on or make changes to this bug.

amctagga
aoconnor
bniver
caswilli
dfreiber
dhalasz
drow
fjansen
flucifre
gmeno
hkataria
jburrell
kaycoth
kshier
mbenjamin
mhackett
sostapov
sthirugn
vereddy
vkrizan
vkumar
vmugicag