Advisories » MGASA-2017-0415

Updated jq packages fix security vulnerabilities

Publication date: 19 Nov 2017
Modification date: 19 Nov 2017
Type: security
Affected Mageia releases: 6
CVE: CVE-2015-8863, CVE-2016-4074

Description

A heap-based buffer overflow flaw was found in jq's tokenadd() function.
By tricking a victim into processing a specially crafted JSON file, an
attacker could use this flaw to crash jq or, potentially, execute
arbitrary code on the victim's system (CVE-2015-8863).

Stack exhaustion could affect availability when parsing untrusted input
(CVE-2016-4074).
                

References

SRPMS

6/core