[AutoPR- Security] Patch jq for CVE-2025-48060 [HIGH] (microsoft#14379)

azurelinux-security · jykanase · jslobodzian · web-flow · commit eb1469d56429 · 2025-07-25T11:47:32.000-04:00
Co-authored-by: jykanase &lt;v-jykanase@microsoft.com&gt;
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/jq/CVE-2025-48060.patch b/SPECS/jq/CVE-2025-48060.patch
@@ -0,0 +1,39 @@
+From e3a08a2f1d4925f3903adb501f1665b9f6c97a61 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <azurelinux-security@microsoft.com>
+Date: Thu, 24 Jul 2025 10:40:19 +0000
+Subject: [PATCH] Fix CVE CVE-2025-48060 in jq
+
+[AI Backported] Upstream Patch Reference: https://github.com/jqlang/jq/commit/c6e041699d8cd31b97375a2596217aff2cfca85b.patch
+---
+ src/jv.c      | 1 +
+ tests/jq.test | 3 +++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/src/jv.c b/src/jv.c
+index d3042e6..d7e3938 100644
+--- a/src/jv.c
++++ b/src/jv.c
+@@ -498,6 +498,7 @@ static jv jvp_string_empty_new(uint32_t length) {
+   jvp_string* s = jvp_string_alloc(length);
+   s->length_hashed = 0;
+   memset(s->data, 0, length);
++  s->data[length] = 0;
+   jv r = {JV_KIND_STRING, 0, 0, 0, {&s->refcnt}};
+   return r;
+ }
+diff --git a/tests/jq.test b/tests/jq.test
+index 2c58574..06c39f0 100644
+--- a/tests/jq.test
++++ b/tests/jq.test
+@@ -1520,4 +1520,7 @@ isempty(1,error("foo"))
+ null
+ false
+ 
++try 0[implode] catch .
++[]
++"Cannot index number with string \"\""
+ 
+-- 
+2.45.2
+
diff --git a/SPECS/jq/jq.spec b/SPECS/jq/jq.spec
@@ -1,14 +1,15 @@
 Summary:        jq is a lightweight and flexible command-line JSON processor.
 Name:           jq
 Version:        1.6
-Release:        3%{?dist}
+Release:        4%{?dist}
 Group:          Applications/System
 Vendor:         Microsoft Corporation
 License:        MIT
 URL:            https://github.com/stedolan/jq
 Source0:        https://github.com/stedolan/jq/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
 Distribution:   Mariner
 Patch0:         CVE-2024-23337.patch
+Patch1:         CVE-2025-48060.patch
 BuildRequires:  bison
 BuildRequires:  chrpath
 BuildRequires:  flex
@@ -59,6 +60,9 @@ make check
 %{_includedir}/*
 
 %changelog
+* Thu Jul 24 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.6-4
+- Patch for CVE-2025-48060
+
 * Mon May 26 2025 Akhila Guruju <v-guakhila@microsoft.com> - 1.6-3
 - Patch CVE-2024-23337
 
