Patch jq for CVE-2025-48060

Author: azurelinux-security

SPECS/jq/CVE-2025-48060.patch

@@ -0,0 +1,26 @@
+From a2ff6dd13fd47ec5d74cb5dab2f152112de6a1c1 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <[email protected]>
+Date: Thu, 24 Jul 2025 10:20:29 +0000
+Subject: [PATCH] Fix CVE CVE-2025-48060 in jq
+
+[AI Backported] Upstream Patch Reference: https://github.com/jqlang/jq/commit/c6e041699d8cd31b97375a2596217aff2cfca85b
+---
+ src/jv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/jv.c b/src/jv.c
+index d3042e6..d7e3938 100644
+--- a/src/jv.c
++++ b/src/jv.c
+@@ -498,6 +498,7 @@ static jv jvp_string_empty_new(uint32_t length) {
+   jvp_string* s = jvp_string_alloc(length);
+   s->length_hashed = 0;
+   memset(s->data, 0, length);
++  s->data[length] = 0;
+   jv r = {JV_KIND_STRING, 0, 0, 0, {&s->refcnt}};
+   return r;
+ }
+-- 
+2.45.4
+

SPECS/jq/jq.spec

@@ -1,14 +1,15 @@
 Summary:        jq is a lightweight and flexible command-line JSON processor.
 Name:           jq
 Version:        1.6
-Release:        3%{?dist}
+Release:        4%{?dist}
 Group:          Applications/System
 Vendor:         Microsoft Corporation
 License:        MIT
 URL:            https://github.com/stedolan/jq
 Source0:        https://github.com/stedolan/jq/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
 Distribution:   Mariner
 Patch0:         CVE-2024-23337.patch
+Patch1:         CVE-2025-48060.patch
 BuildRequires:  bison
 BuildRequires:  chrpath
 BuildRequires:  flex
@@ -59,6 +60,9 @@ make check
 %{_includedir}/*
 
 %changelog
+* Thu Jul 24 2025 Azure Linux Security Servicing Account <[email protected]> - 1.6-4
+- Patch for CVE-2025-48060
+
 * Mon May 26 2025 Akhila Guruju <[email protected]> - 1.6-3
 - Patch CVE-2024-23337