Bug 976992 (CVE-2015-8863) - VUL-1: CVE-2015-8863: jq: heap buffer overflow in tokenadd() function
Summary: VUL-1: CVE-2015-8863: jq: heap buffer overflow in tokenadd() function
Status: RESOLVED FIXED
Alias: CVE-2015-8863
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 42.1
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Ismail Dönmez
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/168253/
Whiteboard: CVSSv2:SUSE:CVE-2016-4074:2.6:(AV:N/A...
Reported: 2016-04-25 08:18 UTC by Johannes Segitz
Modified: 2022-02-13 11:08 UTC
Found By: Security Response Team


Comment 1 Ismail Dönmez 2016-04-25 10:54:41 UTC
As noted in the links, CVE-2016-4074 doesn't really seem to be a security bug. Also has no fix upstream. What do the security people think?
Comment 2 Johannes Segitz 2016-04-25 11:36:11 UTC
(In reply to Ismail Donmez from comment #1)
Well, it received a CVE so we'll have to handle it anyway. Please submit the fix for the other issue, we'll handle CVE-2016-4074 as VUL-1 and fix it once/if upstream provides a fix.
Comment 3 Bernhard Wiedemann 2016-04-25 12:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (976992) was mentioned in
https://build.opensuse.org/request/show/391548 Factory / jq
https://build.opensuse.org/request/show/391551 13.2 / jq
Comment 4 Bernhard Wiedemann 2016-04-25 13:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (976992) was mentioned in
https://build.opensuse.org/request/show/391552 42.1 / jq
Comment 5 Swamp Workflow Management 2016-04-25 22:00:25 UTC
bugbot adjusting priority
Comment 6 Johannes Segitz 2016-04-26 06:44:33 UTC
CVE-2015-8863 handled in openSUSE:Maintenance:5008 and openSUSE:Maintenance:5009, will set to VUL-1 for remaining issue
Comment 7 Swamp Workflow Management 2016-05-04 14:08:26 UTC
openSUSE-SU-2016:1212-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 976992
CVE References: CVE-2015-8863
Sources used:
openSUSE 13.2 (src):    jq-1.4-2.3.1
Comment 8 Swamp Workflow Management 2016-05-04 14:08:56 UTC
openSUSE-SU-2016:1214-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 976992
CVE References: CVE-2015-8863
Sources used:
openSUSE Leap 42.1 (src):    jq-1.5-7.1
Comment 9 Andreas Stieger 2016-12-07 09:36:32 UTC
CVE-2016-4074 is bug 1014176