[AUTO-CHERRYPICK] Patch jq for CVE-2024-53427 [High] - branch 3.0-dev (#12965)

CBL-Mariner-Bot · Kanishk-Bansal · web-flow · commit 2ac1c5c6756f · 2025-03-19T15:45:35.000-04:00
Co-authored-by: Kanishk Bansal &lt;103916909+Kanishk-Bansal@users.noreply.github.com&gt;
diff --git a/SPECS/jq/CVE-2024-53427.patch b/SPECS/jq/CVE-2024-53427.patch
@@ -0,0 +1,75 @@
+From 1e18e567de7b23797679817ba02a1f67995fe386 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Wed, 5 Mar 2025 08:19:33 +0000
+Subject: [PATCH] CVE-2024-53427
+Upstream Reference: https://github.com/jqlang/jq/commit/a09a4dfd55e6c24d04b35062ccfe4509748b1dd3
+---
+ src/jv.c      |  9 +++++++++
+ tests/jq.test | 13 ++++++++++---
+ tests/shtest  |  5 -----
+ 3 files changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/src/jv.c b/src/jv.c
+index e23d8ec..34573b8 100644
+--- a/src/jv.c
++++ b/src/jv.c
+@@ -589,6 +589,15 @@ static jv jvp_literal_number_new(const char * literal) {
+     jv_mem_free(n);
+     return JV_INVALID;
+   }
++  if (decNumberIsNaN(&n->num_decimal)) {
++    // Reject NaN with payload.
++    if (n->num_decimal.digits > 1 || *n->num_decimal.lsu != 0) {
++      jv_mem_free(n);
++      return JV_INVALID;
++    }
++    jv_mem_free(n);
++    return jv_number(NAN);
++  }
+ 
+   jv r = {JVP_FLAGS_NUMBER_LITERAL, 0, 0, JV_NUMBER_SIZE_INIT, {&n->refcnt}};
+   return r;
+diff --git a/tests/jq.test b/tests/jq.test
+index 7036df2..7011cf9 100644
+--- a/tests/jq.test
++++ b/tests/jq.test
+@@ -1938,10 +1938,17 @@ tojson | fromjson
+ {"a":nan}
+ {"a":null}
+ 
+-# also "nan with payload" #2985
+-fromjson | isnan
+-"nan1234"
++# NaN with payload is not parsed
++.[] | try (fromjson | isnan) catch .
++["NaN","-NaN","NaN1","NaN10","NaN100","NaN1000","NaN10000","NaN100000"]
++true
+ true
++"Invalid numeric literal at EOF at line 1, column 4 (while parsing 'NaN1')"
++"Invalid numeric literal at EOF at line 1, column 5 (while parsing 'NaN10')"
++"Invalid numeric literal at EOF at line 1, column 6 (while parsing 'NaN100')"
++"Invalid numeric literal at EOF at line 1, column 7 (while parsing 'NaN1000')"
++"Invalid numeric literal at EOF at line 1, column 8 (while parsing 'NaN10000')"
++"Invalid numeric literal at EOF at line 1, column 9 (while parsing 'NaN100000')"
+ 
+ 
+ # calling input/0, or debug/0 in a test doesn't crash jq
+diff --git a/tests/shtest b/tests/shtest
+index 14aafbf..a471889 100755
+--- a/tests/shtest
++++ b/tests/shtest
+@@ -594,11 +594,6 @@ if ! x=$($JQ -n "1 # foo$cr + 2") || [ "$x" != 1 ]; then
+   exit 1
+ fi
+ 
+-# CVE-2023-50268: No stack overflow comparing a nan with a large payload
+-$VALGRIND $Q $JQ '1 != .' <<\EOF >/dev/null
+-Nan4000
+-EOF
+-
+ # Allow passing the inline jq script before -- #2919
+ if ! r=$($JQ --args -rn -- '$ARGS.positional[0]' bar) || [ "$r" != bar ]; then
+     echo "passing the inline script after -- didn't work"
+-- 
+2.45.2
+
diff --git a/SPECS/jq/jq.spec b/SPECS/jq/jq.spec
@@ -1,12 +1,13 @@
 Summary:        jq is a lightweight and flexible command-line JSON processor.
 Name:           jq
 Version:        1.7.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 Group:          Applications/System
 Vendor:         Microsoft Corporation
 License:        MIT
 URL:            https://jqlang.github.io/jq/
 Source0:        https://github.com/jqlang/jq/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
+Patch0:         CVE-2024-53427.patch
 Distribution:   Azure Linux
 BuildRequires:  bison
 BuildRequires:  chrpath
@@ -29,7 +30,7 @@ Requires:   %{name} = %{version}-%{release}
 Development files for jq
 
 %prep
-%autosetup
+%autosetup -p1
 
 %build
 %configure \
@@ -59,6 +60,9 @@ make check
 %{_includedir}/*
 
 %changelog
+* Wed Mar 05 2025 Kanishk Bansal <kanbansal@microsoft.com> - 1.7.1-2
+- Patch CVE-2024-53427
+
 * Fri Feb 02 2024 Thien Trung Vuong <tvuong@microsoft.com> - 1.7.1-1
 - Upgrade to version 1.7.1
 
