[AUTO-CHERRYPICK] [AutoPR- Security] Patch jq for CVE-2025-48060 [HIGH] - branch 3.0-dev (microsoft#14391)

CBL-Mariner-Bot · azurelinux-security · jykanase · web-flow · commit 1b72799101ab · 2025-07-28T15:19:53.000-04:00
Co-authored-by: Azure Linux Security Servicing Account &lt;azurelinux-security@microsoft.com&gt;
Co-authored-by: jykanase &lt;v-jykanase@microsoft.com&gt;
diff --git a/SPECS/jq/CVE-2025-48060.patch b/SPECS/jq/CVE-2025-48060.patch
@@ -0,0 +1,42 @@
+From b87793372b4a54b49fcb56b60e9b0f29795f521a Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <azurelinux-security@microsoft.com>
+Date: Wed, 23 Jul 2025 03:35:30 +0000
+Subject: [PATCH] Fix CVE CVE-2025-48060 in jq
+
+Upstream Patch Reference: https://github.com/jqlang/jq/commit/c6e041699d8cd31b97375a2596217aff2cfca85b.patch
+---
+ src/jv.c      | 1 +
+ tests/jq.test | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/src/jv.c b/src/jv.c
+index 15990f1..18dbb54 100644
+--- a/src/jv.c
++++ b/src/jv.c
+@@ -1125,6 +1125,7 @@ static jv jvp_string_empty_new(uint32_t length) {
+   jvp_string* s = jvp_string_alloc(length);
+   s->length_hashed = 0;
+   memset(s->data, 0, length);
++  s->data[length] = 0;
+   jv r = {JVP_FLAGS_STRING, 0, 0, 0, {&s->refcnt}};
+   return r;
+ }
+diff --git a/tests/jq.test b/tests/jq.test
+index cd650d4..500e741 100644
+--- a/tests/jq.test
++++ b/tests/jq.test
+@@ -2031,6 +2031,10 @@ map(try implode catch .)
+ [123,["a"],[nan]]
+ ["implode input must be an array","string (\"a\") can't be imploded, unicode codepoint needs to be numeric","number (null) can't be imploded, unicode codepoint needs to be numeric"]
+ 
++try 0[implode] catch .
++[]
++"Cannot index number with string \"\""
++
+ # walk
+ walk(.)
+ {"x":0}
+-- 
+2.45.2
+
diff --git a/SPECS/jq/jq.spec b/SPECS/jq/jq.spec
@@ -1,14 +1,15 @@
 Summary:        jq is a lightweight and flexible command-line JSON processor.
 Name:           jq
 Version:        1.7.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 Group:          Applications/System
 Vendor:         Microsoft Corporation
 License:        MIT
 URL:            https://jqlang.github.io/jq/
 Source0:        https://github.com/jqlang/jq/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
 Patch0:         CVE-2024-53427.patch
 Patch1:         CVE-2024-23337.patch
+Patch2:         CVE-2025-48060.patch
 Distribution:   Azure Linux
 BuildRequires:  bison
 BuildRequires:  chrpath
@@ -53,6 +54,7 @@ make check
 %license COPYING
 %{_bindir}/*
 %{_datadir}/*
+%exclude %{_datadir}/doc/jq/COPYING
 %{_libdir}/libjq.so.*
 %{_libdir}/pkgconfig/libjq.pc
 
@@ -61,6 +63,10 @@ make check
 %{_includedir}/*
 
 %changelog
+* Wed Jul 23 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.7.1-4
+- Patch for CVE-2025-48060
+- Updated files section to fix duplicated license files
+
 * Mon May 26 2025 Akhila Guruju <v-guakhila@microsoft.com> - 1.7.1-3
 - Patch CVE-2024-23337
 
