diff --git a/SPECS/jq/CVE-2025-48060.patch b/SPECS/jq/CVE-2025-48060.patch
new file mode 100644
index 00000000000..8c84ed8683a
--- /dev/null
+++ b/SPECS/jq/CVE-2025-48060.patch
@@ -0,0 +1,26 @@
+From a2ff6dd13fd47ec5d74cb5dab2f152112de6a1c1 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+
+Date: Thu, 24 Jul 2025 10:20:29 +0000
+Subject: [PATCH] Fix CVE CVE-2025-48060 in jq
+
+[AI Backported] Upstream Patch Reference: https://github.com/jqlang/jq/commit/c6e041699d8cd31b97375a2596217aff2cfca85b
+---
+ src/jv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/jv.c b/src/jv.c
+index d3042e6..d7e3938 100644
+--- a/src/jv.c
++++ b/src/jv.c
+@@ -498,6 +498,7 @@ static jv jvp_string_empty_new(uint32_t length) {
+ jvp_string* s = jvp_string_alloc(length);
+ s->length_hashed = 0;
+ memset(s->data, 0, length);
++ s->data[length] = 0;
+ jv r = {JV_KIND_STRING, 0, 0, 0, {&s->refcnt}};
+ return r;
+ }
+--
+2.45.4
+
diff --git a/SPECS/jq/jq.spec b/SPECS/jq/jq.spec
index 8890f95ab13..f1ff88f9a13 100644
--- a/SPECS/jq/jq.spec
+++ b/SPECS/jq/jq.spec
@@ -1,7 +1,7 @@
 Summary: jq is a lightweight and flexible command-line JSON processor.
 Name: jq
 Version: 1.6
-Release: 3%{?dist}
+Release: 4%{?dist}
 Group: Applications/System
 Vendor: Microsoft Corporation
 License: MIT
@@ -9,6 +9,7 @@ URL: https://github.com/stedolan/jq
 Source0: https://github.com/stedolan/jq/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
 Distribution: Mariner
 Patch0: CVE-2024-23337.patch
+Patch1: CVE-2025-48060.patch
 BuildRequires: bison
 BuildRequires: chrpath
 BuildRequires: flex
@@ -59,6 +60,9 @@ make check
 %{_includedir}/*
 
 %changelog
+* Thu Jul 24 2025 Azure Linux Security Servicing Account - 1.6-4
+- Patch for CVE-2025-48060
+
 * Mon May 26 2025 Akhila Guruju - 1.6-3
 - Patch CVE-2024-23337
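Review bot: The added store `s->data[length] = 0;` in the embedded jv.c hunk is only in bounds if jvp_string_alloc reserves one byte past `length`, and that allocation is outside this hunk; the upstream jvp_string_alloc allocates `sizeof(jvp_string) + size + 1`, so the backport should confirm jq 1.6's copy does the same, otherwise the fix itself becomes a one-byte heap write past the allocation. The embedded commit message also never says what is being fixed; a sentence such as `jvp_string_empty_new() zeroed length bytes but left s->data without a trailing NUL, so code treating the buffer as a C string could presumably read past the allocation` would let a later reviewer check the backport against the upstream reference without re-deriving it. Minor: the Subject line repeats the prefix (`Fix CVE CVE-2025-48060`).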
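Review bot: `Patch1: CVE-2025-48060.patch` is declared in the `@@ -9,6 +9,7 @@` hunk, but no corresponding application of it is visible in the diff; if %prep (outside these hunks) applies patches with explicit `%patch0 -p1` style lines rather than `%autosetup`, the new patch is listed but never applied and the rebuilt package would still carry the unterminated jvp_string_empty_new. Please check %prep and, if it uses explicit patch lines, add `%patch1 -p1` after the existing `%patch0` line so the Release bump and changelog entry actually correspond to a patched build. The remaining spec hunks are a release bump and a changelog entry and need no further comment.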