Bug 1014176 (CVE-2016-4074) - VUL-1: CVE-2016-4074: jq: stack exhaustion using jv_dump_term() function
Summary: VUL-1: CVE-2016-4074: jq: stack exhaustion using jv_dump_term() function
Status: RESOLVED FIXED
Alias: CVE-2016-4074
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other All
: P3 - Medium : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://github.com/stedolan/jq/pull/1214
Whiteboard: CVSSv2:SUSE:CVE-2016-4074:2.6:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-07 09:36 UTC by Andreas Stieger
Modified: 2022-02-13 11:15 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Andreas Stieger 2016-12-07 09:50:51 UTC 
This is 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) on NVD, vector is untrusted JSON input
Comment 2 Ismail Dönmez 2016-12-07 09:51:21 UTC 
First of all I don't really see the security aspect, is any code execution possible here? Also, I only see a patch in an unofficial fork: https://github.com/wmark/jq/commit/2d38a12d686a5156d4e7afb1fed7851805590582 is that what you meant as fix available?
Comment 4 Andreas Stieger 2016-12-07 10:02:51 UTC 
(In reply to Ismail Donmez from comment #2)
> First of all I don't really see the security aspect, is any code execution
> possible here?

The affected security goal for this issue is availability.

> Also, I only see a patch in an unofficial fork:
> https://github.com/wmark/jq/commit/2d38a12d686a5156d4e7afb1fed7851805590582
> is that what you meant as fix available?

Yes I was referring this proposed fix, to be investigated.
Comment 5 Nathan Cutler 2016-12-07 11:02:36 UTC 
Upstream PR is https://github.com/stedolan/jq/pull/1214 and is still open.
Comment 9 Swamp Workflow Management 2016-12-07 23:01:20 UTC 
bugbot adjusting priority
Comment 11 Andreas Stieger 2016-12-09 15:45:06 UTC 
On SUSE products and the openSUSE distribution, this issue is considered to have very low impact. The CVE was assigned for the scenario of an unattended process accepting untrusted input over the network. This issue may be fixed in a future update.
Comment 13 Nathan Cutler 2017-01-27 16:31:02 UTC 
The upstream PR (see URL field) was just merged.
Comment 14 Bernhard Wiedemann 2017-02-03 11:02:37 UTC 
This is an autogenerated message for OBS integration:
This bug (1014176) was mentioned in
https://build.opensuse.org/request/show/454381 Factory / jq
Comment 15 Ismail Dönmez 2017-02-06 13:45:29 UTC 
Factory fixed, leaving open for Nathan to fix for Storage_4 product.
Comment 16 Nathan Cutler 2017-02-10 12:48:37 UTC 
MR is open https://build.suse.de/request/show/127987

Re-assigning to security team.
Comment 17 Swamp Workflow Management 2017-10-23 13:08:55 UTC 
openSUSE-SU-2017:2833-1: An update that solves one vulnerability and has one errata is now available.

Category: security (low)
Bug References: 1014176,1017157
CVE References: CVE-2016-4074
Sources used:
openSUSE Leap 42.2 (src):    jq-1.5-8.3.1
Comment 18 Swamp Workflow Management 2017-10-23 13:09:23 UTC 
openSUSE-SU-2017:2834-1: An update that solves one vulnerability and has one errata is now available.

Category: security (low)
Bug References: 1014176,1017157
CVE References: CVE-2016-4074
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    jq-1.5-5.1
Comment 19 Swamp Workflow Management 2017-11-08 11:19:44 UTC 
SUSE-SU-2017:2950-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1014176,1017157
CVE References: CVE-2016-4074
Sources used:
SUSE Enterprise Storage 4 (src):    jq-1.5-3.5.7
Comment 20 Marcus Meissner 2017-12-27 20:26:30 UTC 
released