
Commit bdd91d4

[AutoPR- Security] Patch jq for CVE-2025-9403 [MEDIUM] (#14952)
1 parent 9cbce1b commit bdd91d4

2 files changed

+52
-1
lines changed


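--- /dev/null
+++ b/SPECS/jq/CVE-2025-9403.patch
@@ -0,0 +1,47 @@
+From b5403362c386b80e4726f52897c5fe5d3705a9a6 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Wed, 29 Oct 2025 05:38:18 +0000
+Subject: [PATCH] Fix expected value assertion for NaN value (fix #3393): -
+Include math.h for isnan - Skip reparsing/roundtrip assertion when expected
+is NaN under USE_DECNUM
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/jqlang/jq/commit/304a0f7e0ec376bf0ecabf9f96b2ab3432548819.patch
+---
+src/jq_test.c | 13 ++++++++-----
+1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/jq_test.c b/src/jq_test.c
+index 7a396b9..0172a76 100644
+--- a/src/jq_test.c
++++ b/src/jq_test.c
+@@ -2,6 +2,7 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
++#include <math.h>
+#include "jv.h"
+#include "jq.h"
+
+@@ -157,11 +158,13 @@ static void run_jq_tests(jv lib_dirs, int verbose, FILE *testdata) {
+printf(" for test at line number %u: %s\n", lineno, prog);
+pass = 0;
+}
+- jv as_string = jv_dump_string(jv_copy(expected), rand() & ~(JV_PRINT_COLOR|JV_PRINT_REFCOUNT));
+- jv reparsed = jv_parse_sized(jv_string_value(as_string), jv_string_length_bytes(jv_copy(as_string)));
+- assert(jv_equal(jv_copy(expected), jv_copy(reparsed)));
+- jv_free(as_string);
+- jv_free(reparsed);
++ if (!(jv_get_kind(expected) == JV_KIND_NUMBER && isnan(jv_number_value(expected)))) {
++ jv as_string = jv_dump_string(jv_copy(expected), rand() & ~(JV_PRINT_COLOR|JV_PRINT_REFCOUNT));
++ jv reparsed = jv_parse_sized(jv_string_value(as_string), jv_string_length_bytes(jv_copy(as_string)));
++ assert(jv_equal(jv_copy(expected), jv_copy(reparsed)));
++ jv_free(as_string);
++ jv_free(reparsed);
++ }
+jv_free(expected);
+jv_free(actual);
+}
+--
+2.45.4
+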
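Review bot: Patch2 changes no shipped code: the only file it modifies is src/jq_test.c, the test harness, so the jq binary and libjq built from this spec are identical before and after the backport; if CVE-2025-9403 describes a runtime defect in jq, this patch does not mitigate it, and the CVE mapping should be confirmed against the advisory before the changelog claims a fix. The subject says the reparse assertion is skipped "under USE_DECNUM", but the added `if` is unconditional — there is no `#ifdef USE_DECNUM` around it — and jq 1.6 has no decNumber build, so on this branch the round-trip check is silently dropped for every NaN expected value and a future regression in how NaN is dumped or reparsed would no longer be caught by `make check`. A comment above the new `if` would keep that trade-off visible, e.g. `/* skip the dump/reparse round-trip for NaN: presumably jv_equal never reports NaN equal to itself, so the assert below cannot hold (upstream #3393) */`. run_jq_tests begins before the hunk and its loop continues after it.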
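--- a/SPECS/jq/jq.spec
+++ b/SPECS/jq/jq.spec
@@ -1,7 +1,7 @@
 Summary: jq is a lightweight and flexible command-line JSON processor.
 Name: jq
 Version: 1.6
-Release: 4%{?dist}
+Release: 5%{?dist}
 Group: Applications/System
 Vendor: Microsoft Corporation
 License: MIT
@@ -10,6 +10,7 @@ Source0: https://github.com/stedolan/jq/releases/download/%{name}-%{versi
 Distribution: Mariner
 Patch0: CVE-2024-23337.patch
 Patch1: CVE-2025-48060.patch
+Patch2: CVE-2025-9403.patch
 BuildRequires: bison
 BuildRequires: chrpath
 BuildRequires: flex
@@ -60,6 +61,9 @@ make check
 %{_includedir}/*
 
 %changelog
+* Wed Oct 29 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.6-5
+- Patch for CVE-2025-9403
+
 * Thu Jul 24 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.6-4
 - Patch for CVE-2025-48060
 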
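Review bot: Patch2 is declared in the second hunk but nothing visible applies it; the %prep section lies outside these hunks, so confirm it uses `%autosetup -p1` (or gains an explicit `%patch2 -p1`), otherwise the package rebuilds with the patch silently unused while the changelog claims the fix. The changelog line would also carry its provenance if it named the upstream commit, e.g. `- Patch for CVE-2025-9403 (backport of jqlang/jq 304a0f7e)`.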