* Re: [Buildroot] [PATCH v2] package/jq: security bump to version 1.8.1
2025-08-19 14:03 [Buildroot] [PATCH v2] package/jq: security bump to version 1.8.1 Angelo Compagnucci
From: Julien Olivain via buildroot @ 2025-08-19 14:37 UTC (permalink / raw)
To: Angelo Compagnucci; +Cc: buildroot
Hi Angelo,
Thanks for the patch!
I have a few comments, see below.
On 19/08/2025 16:03, Angelo Compagnucci wrote:
> Changelog:
> https://github.com/jqlang/jq/releases/tag/jq-1.8.1
>
> COPYING:
> Add LICENSE notice of NetBSD's strptime() to COPYING
When there is a change in the license text, it is preferable to
provide a link to the upstream commit for the change, if available.
This makes reviews easier. In that case, it is:
https://github.com/jqlang/jq/commit/78045d8aa9d155ec0f82ab102aa752300c2349f1
Looking at this change, I see it is introducing a new BSD-2-Clause
paragraph for strptime(). So the JQ_LICENSE variable would also need
to be updated accordingly. See below.
> Fixes the following security issues:
>
> - CVE-2025-49014
> Fix heap use after free in f_strftime, f_strflocaltime.
To make review faster, could you add a direct link to the CVE, please?
https://www.cve.org/CVERecord?id=CVE-2025-49014
>
> - GHSA-f946-j5j2-4w5m
> Fix stack overflow in node_min_byte_len of oniguruma.
Same comment here:
https://github.com/jqlang/jq/security/advisories/GHSA-f946-j5j2-4w5m
>
> Signed-off-by: Angelo Compagnucci <angelo.compagnucci@gmail.com>
> ---
>
> v1->v2:
> * Updated COPYING hash (Thomas P)
>
> package/jq/jq.hash | 4 ++--
> package/jq/jq.mk | 2 +-
> 2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/package/jq/jq.hash b/package/jq/jq.hash
> index 344f73d463..4596134620 100644
> --- a/package/jq/jq.hash
> +++ b/package/jq/jq.hash
> @@ -1,3 +1,3 @@
> # Locally calculated
> -sha256
> 91811577f91d9a6195ff50c2bffec9b72c8429dc05ec3ea022fd95c06d2b319c
> jq-1.8.0.tar.gz
> -sha256
> ea9e53f5974239869c51ace8bb6849c9751dee7c9d592180957987a1a133caff
> COPYING
> +sha256
> 2be64e7129cecb11d5906290eba10af694fb9e3e7f9fc208a311dc33ca837eb0
> jq-1.8.1.tar.gz
> +sha256
> ad2b4a266b2268939c1446979759706077421cf906a203aa188c6f396e8cfd74
> COPYING
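Review bot: each of the sha256 entries in this hunk is split across three lines (algorithm, digest and file name on separate lines), whereas jq.hash expects one `sha256 <digest> <file>` line per entry; this looks like mail-client wrapping rather than the actual patch content, but please confirm the patch applies cleanly with `git am` before resending. Since the file is marked "# Locally calculated", it would also help reviewers if the commit message stated how the new jq-1.8.1.tar.gz digest was verified against upstream.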
> diff --git a/package/jq/jq.mk b/package/jq/jq.mk
> index f3f4704f37..3077a76b17 100644
> --- a/package/jq/jq.mk
> +++ b/package/jq/jq.mk
> @@ -4,7 +4,7 @@
> #
>
> ################################################################################
>
> -JQ_VERSION = 1.8.0
> +JQ_VERSION = 1.8.1
> JQ_SITE =
> https://github.com/jqlang/jq/releases/download/jq-$(JQ_VERSION)
> JQ_LICENSE = MIT (code), ICU (decNumber), CC-BY-3.0 (documentation)
Here, we should update _LICENSE to include the new BSD-2-Clause:
JQ_LICENSE = MIT (code), ICU (decNumber), CC-BY-3.0 (documentation),
BSD-2-Clause (strptime)
> JQ_LICENSE_FILES = COPYING
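Review bot: the hunk bumps JQ_VERSION but leaves JQ_LICENSE unchanged, even though the commit message and the COPYING hash change in the previous hunk show that a BSD-2-Clause notice for strptime() was added to the license file; JQ_LICENSE should gain `BSD-2-Clause (strptime)` in the same patch so the license metadata matches the new COPYING. The `JQ_SITE =` line also appears wrapped onto two lines here, which points to the same mail-client wrapping seen in the hash hunk.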
> --
> 2.34.1
Could you send an updated patch, please?
Best regards,
Julien.