Bug 1014176 (CVE-2016-4074)

Summary: VUL-1: CVE-2016-4074: jq: stack exhaustion using jv_dump_term() function
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Stieger <astieger>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: ismail, jsegitz, meissner, ncutler, security-team, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
URL: https://github.com/stedolan/jq/pull/1214
Whiteboard: CVSSv2:SUSE:CVE-2016-4074:2.6:(AV:N/AC:H/Au:N/C:N/I:N/A:P)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Andreas Stieger 2016-12-07 09:50:51 UTC
This is 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) on NVD; the vector is untrusted JSON input.
Comment 2 Ismail Dönmez 2016-12-07 09:51:21 UTC
First of all, I don't really see the security aspect; is any code execution possible here? Also, I only see a patch in an unofficial fork: https://github.com/wmark/jq/commit/2d38a12d686a5156d4e7afb1fed7851805590582. Is that what you meant by "fix available"?
Comment 4 Andreas Stieger 2016-12-07 10:02:51 UTC
(In reply to Ismail Donmez from comment #2)
> First of all I don't really see the security aspect, is any code execution
> possible here?

The affected security goal for this issue is availability.

> Also, I only see a patch in an unofficial fork:
> https://github.com/wmark/jq/commit/2d38a12d686a5156d4e7afb1fed7851805590582
> is that what you meant as fix available?

Yes, I was referring to this proposed fix; to be investigated.
Comment 5 Nathan Cutler 2016-12-07 11:02:36 UTC
Upstream PR is https://github.com/stedolan/jq/pull/1214 and is still open.
Comment 9 Swamp Workflow Management 2016-12-07 23:01:20 UTC
bugbot adjusting priority
Comment 11 Andreas Stieger 2016-12-09 15:45:06 UTC
On SUSE products and the openSUSE distribution, this issue is considered to have very low impact. The CVE was assigned for the scenario of an unattended process accepting untrusted input over the network. This issue may be fixed in a future update.
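The scenario in the comment above, an unattended process fed untrusted JSON over the network, is easiest to reason about with the triggering input in hand. The following POSIX shell script is an added example, not code from the bug report, the SUSE packages or the jq project: it builds the deeply nested document that drives the recursion, classifies what a given jq binary does with it, and shows a string-aware nesting-depth pre-filter that can sit in front of an unpatched jq. The depth 100000, the function names and the classification labels are this example's own choices, not values from the report; the script assumes a POSIX sh with awk, and a `jq` on PATH only for the classification step.

```shell
#!/bin/sh
# Added example (not from the bug report or the jq sources): reproduce the
# deep-nesting input behind CVE-2016-4074 and classify how the local jq
# handles it. Assumptions: a `jq` binary on PATH (any version), and an
# arbitrary nesting depth of 100000 chosen here, not taken from the report.

# Emit a JSON document of DEPTH nested empty arrays: [[[...]]]
make_nested_json() {
  awk -v n="$1" 'BEGIN {
    for (i = 0; i < n; i++) printf "["
    for (i = 0; i < n; i++) printf "]"
    print ""
  }'
}

# Print the maximum bracket/brace nesting depth of the JSON on stdin,
# skipping over string literals (with backslash escapes) so that "[[" inside
# a string value is not counted. This is the pre-filter to put in front of
# an unpatched jq when the input comes from an untrusted peer.
json_max_depth() {
  awk '
    {
      n = length($0)
      for (i = 1; i <= n; i++) {
        ch = substr($0, i, 1)
        if (instr) {
          if (esc) esc = 0
          else if (ch == "\\") esc = 1
          else if (ch == "\"") instr = 0
          continue
        }
        if (ch == "\"") instr = 1
        else if (ch == "[" || ch == "{") { d++; if (d > max) max = d }
        else if (ch == "]" || ch == "}") d--
      }
    }
    END { print max + 0 }
  '
}

# Succeed only if the JSON on stdin nests no deeper than LIMIT.
within_depth_limit() {
  [ "$(json_max_depth)" -le "$1" ]
}

# Feed DEPTH nested arrays to jq and classify the outcome:
#   ok     - jq printed the value and exited 0
#   error  - jq rejected the input with a clean non-zero exit (what a
#            depth-limited parser should do)
#   crash  - jq died on a signal (exit status 128+N, e.g. 139 for SIGSEGV),
#            i.e. the stack exhaustion this bug is about
#   no-jq  - no jq binary on PATH
classify_jq() {
  command -v jq >/dev/null 2>&1 || { echo no-jq; return 0; }
  # The && / || form keeps a failing pipeline from aborting under `set -e`.
  make_nested_json "$1" | jq . >/dev/null 2>&1 && status=0 || status=$?
  if [ "$status" -eq 0 ]; then echo ok
  elif [ "$status" -ge 128 ]; then echo crash
  else echo error
  fi
}

# Usage: depth 3 is fine for any jq; depth 100000 separates a fixed jq
# ("error") from a vulnerable one ("crash").
classify_jq 3
classify_jq 100000
```

A fixed jq should refuse the 100000-deep document with a clean non-zero exit (`error`); a vulnerable build dies by signal (`crash`), which is the availability impact discussed above. The pre-filter counts only brackets outside string literals, so a document carrying `[[[` inside a string is not over-counted; it reads its whole input once, so for a network stream spool the document to a file before running both the check and jq on it.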
Comment 13 Nathan Cutler 2017-01-27 16:31:02 UTC
The upstream PR (see URL field) was just merged.
Comment 14 Bernhard Wiedemann 2017-02-03 11:02:37 UTC
This is an autogenerated message for OBS integration:
This bug (1014176) was mentioned in
https://build.opensuse.org/request/show/454381 Factory / jq
Comment 15 Ismail Dönmez 2017-02-06 13:45:29 UTC
Factory fixed, leaving open for Nathan to fix for Storage_4 product.
Comment 16 Nathan Cutler 2017-02-10 12:48:37 UTC
MR is open https://build.suse.de/request/show/127987

Re-assigning to security team.
Comment 17 Swamp Workflow Management 2017-10-23 13:08:55 UTC
openSUSE-SU-2017:2833-1: An update that solves one vulnerability and has one errata is now available.

Category: security (low)
Bug References: 1014176,1017157
CVE References: CVE-2016-4074
Sources used:
openSUSE Leap 42.2 (src):    jq-1.5-8.3.1
Comment 18 Swamp Workflow Management 2017-10-23 13:09:23 UTC
openSUSE-SU-2017:2834-1: An update that solves one vulnerability and has one errata is now available.

Category: security (low)
Bug References: 1014176,1017157
CVE References: CVE-2016-4074
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    jq-1.5-5.1
Comment 19 Swamp Workflow Management 2017-11-08 11:19:44 UTC
SUSE-SU-2017:2950-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1014176,1017157
CVE References: CVE-2016-4074
Sources used:
SUSE Enterprise Storage 4 (src):    jq-1.5-3.5.7
Comment 20 Marcus Meissner 2017-12-27 20:26:30 UTC
released