* [Buildroot] [PATCH v2] package/jq: security bump to version 1.8.1
@ 2025-08-19 14:03 Angelo Compagnucci
  2025-08-19 14:37 ` Julien Olivain via buildroot
  0 siblings, 1 reply; 2+ messages in thread
From: Angelo Compagnucci @ 2025-08-19 14:03 UTC (permalink / raw)
  To: buildroot; +Cc: Angelo Compagnucci

Changelog:
https://github.com/jqlang/jq/releases/tag/jq-1.8.1

COPYING:
Add LICENSE notice of NetBSD's strptime() to COPYING

Fixes the following security issues:

- CVE-2025-49014
  Fix heap use after free in f_strftime, f_strflocaltime.

- GHSA-f946-j5j2-4w5m
  Fix stack overflow in node_min_byte_len of oniguruma.

Signed-off-by: Angelo Compagnucci <angelo.compagnucci@gmail.com>
---

v1->v2:
* Updated COPYING hash (Thomas P)

 package/jq/jq.hash | 4 ++--
 package/jq/jq.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/jq/jq.hash b/package/jq/jq.hash
index 344f73d463..4596134620 100644
--- a/package/jq/jq.hash
+++ b/package/jq/jq.hash
@@ -1,3 +1,3 @@
 # Locally calculated
-sha256  91811577f91d9a6195ff50c2bffec9b72c8429dc05ec3ea022fd95c06d2b319c  jq-1.8.0.tar.gz
-sha256  ea9e53f5974239869c51ace8bb6849c9751dee7c9d592180957987a1a133caff  COPYING
+sha256  2be64e7129cecb11d5906290eba10af694fb9e3e7f9fc208a311dc33ca837eb0  jq-1.8.1.tar.gz
+sha256  ad2b4a266b2268939c1446979759706077421cf906a203aa188c6f396e8cfd74  COPYING
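Review bot: both digests in this hunk are "Locally calculated", so nothing in the patch ties the new tarball value to anything upstream published for jq-1.8.1; before applying, recompute it from a fresh download of the URL that JQ_SITE expands to and compare it with whatever checksum upstream attaches to the release linked in the commit message, and say in the commit message where it was cross-checked. The COPYING digest change is expected, since the commit message says the file gained the NetBSD strptime() notice, but a changed license-file hash is exactly the signal that JQ_LICENSE in jq.mk needs a matching update, which this series does not include.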
diff --git a/package/jq/jq.mk b/package/jq/jq.mk
index f3f4704f37..3077a76b17 100644
--- a/package/jq/jq.mk
+++ b/package/jq/jq.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-JQ_VERSION = 1.8.0
+JQ_VERSION = 1.8.1
 JQ_SITE = https://github.com/jqlang/jq/releases/download/jq-$(JQ_VERSION)
 JQ_LICENSE = MIT (code), ICU (decNumber), CC-BY-3.0 (documentation)
 JQ_LICENSE_FILES = COPYING
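Review bot: JQ_LICENSE is left unchanged even though the commit message states that COPYING gained the NetBSD strptime() license notice and jq.hash updates the COPYING digest to match; the license list should be extended so that legal-info output agrees with the shipped license file, e.g. JQ_LICENSE = MIT (code), ICU (decNumber), CC-BY-3.0 (documentation), BSD-2-Clause (strptime). The version bump itself (1.8.0 to 1.8.1) and the unchanged JQ_SITE template are fine.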
-- 
2.34.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
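The jq.hash hunk above carries two "Locally calculated" sha256 digests. The POSIX sh checker below is an added example, not part of this patch and not Buildroot's own download or legal-info code: it parses a Buildroot-style .hash file (entry lines of the form `<algo>  <digest>  <file>`, comment lines starting with `#`) and verifies every listed file in a directory, failing on a missing file, an unsupported algorithm or a digest mismatch rather than silently skipping anything. The files written by `demo` are constructed stand-ins, so their digests are not the ones in the patch.

```shell
#!/bin/sh
# Check a Buildroot-style .hash file against downloaded artifacts.
# Each entry line is:  <algo>  <hex digest>  <file name>
# Lines beginning with '#' (such as "# Locally calculated") are comments.
# Only sha256 is handled here; any other algorithm is reported, not skipped.

# sha256_of FILE: print the hex digest using coreutils sha256sum,
# falling back to BSD shasum where coreutils is not installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# check_hash_file HASHFILE DIR
# Exit status 0 only if every listed file exists in DIR and matches.
# Every problem is reported on stderr and a single failure fails the
# whole check, which is what a download step should key off.
check_hash_file() {
    hashfile=$1
    dir=$2
    rc=0
    while read -r algo digest name; do
        case "$algo" in
            ''|'#'*) continue ;;            # blank or comment line
        esac
        if [ "$algo" != sha256 ]; then
            echo "UNSUPPORTED $algo for $name" >&2
            rc=1
            continue
        fi
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name" >&2
            rc=1
            continue
        fi
        actual=$(sha256_of "$dir/$name")
        if [ "$actual" = "$digest" ]; then
            echo "OK $name"
        else
            echo "MISMATCH $name expected=$digest actual=$actual" >&2
            rc=1
        fi
    done < "$hashfile"
    return $rc
}

# demo: build a constructed download directory (sample text, not the real
# jq-1.8.1 tarball or COPYING) and run the check before and after
# tampering with COPYING.  Returns 0 only if the intact set passes and
# the tampered set is rejected.
demo() {
    d=$(mktemp -d)
    printf 'constructed stand-in for the release tarball\n' > "$d/jq-1.8.1.tar.gz"
    printf 'constructed stand-in for COPYING\n' > "$d/COPYING"
    {
        echo '# Locally calculated'
        echo "sha256  $(sha256_of "$d/jq-1.8.1.tar.gz")  jq-1.8.1.tar.gz"
        echo "sha256  $(sha256_of "$d/COPYING")  COPYING"
    } > "$d/jq.hash"
    check_hash_file "$d/jq.hash" "$d" || { rm -rf "$d"; return 1; }
    echo 'trailing junk' >> "$d/COPYING"          # simulate a tampered file
    if check_hash_file "$d/jq.hash" "$d" 2>/dev/null; then
        rm -rf "$d"
        return 1                                 # tampering must be detected
    fi
    rm -rf "$d"
    return 0
}

demo
```

Point `check_hash_file` at a directory holding the downloaded tarball together with the COPYING extracted from it; Buildroot performs the equivalent checks itself during download and legal-info, the script only makes that check reproducible by hand when reviewing a bump like this one.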


* Re: [Buildroot] [PATCH v2] package/jq: security bump to version 1.8.1
  2025-08-19 14:03 [Buildroot] [PATCH v2] package/jq: security bump to version 1.8.1 Angelo Compagnucci
@ 2025-08-19 14:37 ` Julien Olivain via buildroot
  0 siblings, 0 replies; 2+ messages in thread
From: Julien Olivain via buildroot @ 2025-08-19 14:37 UTC (permalink / raw)
  To: Angelo Compagnucci; +Cc: buildroot

Hi Angelo,

Thanks for the patch!

I have a few comments, see below.

On 19/08/2025 16:03, Angelo Compagnucci wrote:
> Changelog:
> https://github.com/jqlang/jq/releases/tag/jq-1.8.1
> 
> COPYING:
> Add LICENSE notice of NetBSD's strptime() to COPYING

When there is a change in the license text, it is preferable to
provide a link of the upstream commit of the change, if available.
This makes reviews easier. In that case, it is:

https://github.com/jqlang/jq/commit/78045d8aa9d155ec0f82ab102aa752300c2349f1

Looking at this change, I see it is introducing a new BSD-2-Clause
paragraph for strptime(). So the JQ_LICENSE variable would also need
to be updated accordingly. See below.

> Fixes the following security issues:
> 
> - CVE-2025-49014
>   Fix heap use after free in f_strftime, f_strflocaltime.

To make review faster, could you add a direct link to the CVE, please?

     https://www.cve.org/CVERecord?id=CVE-2025-49014

> 
> - GHSA-f946-j5j2-4w5m
>   Fix stack overflow in node_min_byte_len of oniguruma.

Same comment here:

     https://github.com/jqlang/jq/security/advisories/GHSA-f946-j5j2-4w5m

> 
> Signed-off-by: Angelo Compagnucci <angelo.compagnucci@gmail.com>
> ---
> 
> v1->v2:
> * Updated COPYING hash (Thomas P)
> 
>  package/jq/jq.hash | 4 ++--
>  package/jq/jq.mk   | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/package/jq/jq.hash b/package/jq/jq.hash
> index 344f73d463..4596134620 100644
> --- a/package/jq/jq.hash
> +++ b/package/jq/jq.hash
> @@ -1,3 +1,3 @@
>  # Locally calculated
> -sha256  
> 91811577f91d9a6195ff50c2bffec9b72c8429dc05ec3ea022fd95c06d2b319c  
> jq-1.8.0.tar.gz
> -sha256  
> ea9e53f5974239869c51ace8bb6849c9751dee7c9d592180957987a1a133caff  
> COPYING
> +sha256  
> 2be64e7129cecb11d5906290eba10af694fb9e3e7f9fc208a311dc33ca837eb0  
> jq-1.8.1.tar.gz
> +sha256  
> ad2b4a266b2268939c1446979759706077421cf906a203aa188c6f396e8cfd74  
> COPYING
> diff --git a/package/jq/jq.mk b/package/jq/jq.mk
> index f3f4704f37..3077a76b17 100644
> --- a/package/jq/jq.mk
> +++ b/package/jq/jq.mk
> @@ -4,7 +4,7 @@
>  #
>  
> ################################################################################
> 
> -JQ_VERSION = 1.8.0
> +JQ_VERSION = 1.8.1
>  JQ_SITE = 
> https://github.com/jqlang/jq/releases/download/jq-$(JQ_VERSION)
>  JQ_LICENSE = MIT (code), ICU (decNumber), CC-BY-3.0 (documentation)

Here, we should update _LICENSE to include the new BSD-2-Clause:

JQ_LICENSE = MIT (code), ICU (decNumber), CC-BY-3.0 (documentation), BSD-2-Clause (strptime)

>  JQ_LICENSE_FILES = COPYING
> --
> 2.34.1

Could you send an updated patch, please?

Best regards,

Julien.
