jq-1.6-17.el9_6.2

エラータID: AXSA:2025-10633:02

Release date: 
Tuesday, July 29, 2025 - 17:51
Subject: 
jq-1.6-17.el9_6.2
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

jq is a lightweight and flexible command-line JSON processor. jq is like sed for JSON data. You can use it to slice, filter, map, or transform structured data with the same ease that sed, awk, grep, or similar applications allow you to manipulate text.

Security Fix(es):

* jq: jq has signed integer overflow in jv.c:jvp_array_write (CVE-2024-23337)
* jq: AddressSanitizer: stack-buffer-overflow in jq_fuzz_execute (jv_string_vfmt) (CVE-2025-48060)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-23337
jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue.
CVE-2025-48060
jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available.

Solution: 

Update packages.

CVEs: 
CVE-2024-23337
jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue.
CVE-2025-48060
jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available.
Additional Info: 

N/A

Download: 

SRPMS
  1. jq-1.6-17.el9_6.2.src.rpm
    MD5: a4f017592b968f97bec3acfaaccc0aea
    SHA-256: a9cd877bdfd66c24ee9aea703f2ae10a7e93fedbf1a0baea8b4712b23ccc5490
    Size: 1.43 MB

Asianux Server 9 for x86_64
  1. jq-1.6-17.el9_6.2.i686.rpm
    MD5: ab3b666369e94a73424459464e6b04ae
    SHA-256: 21f9d8b72de6834ad46df842c32eb3cfec37c7dfbab380348a906a962d109183
    Size: 212.99 kB
  2. jq-1.6-17.el9_6.2.x86_64.rpm
    MD5: e76089b8ec0fb2a08461d00c6b58f44f
    SHA-256: c873d69d47896d8d9a34092e620937240300e4de50d3938f03dd287ef6e8eea9
    Size: 186.38 kB
  3. jq-devel-1.6-17.el9_6.2.i686.rpm
    MD5: 6b0129bceea9801522c368cee5c9de7d
    SHA-256: 2b87bd2e49e345c1f68f6de2934790c1ecdbc48250e58c8325b0bd3fa10649c0
    Size: 10.37 kB
  4. jq-devel-1.6-17.el9_6.2.x86_64.rpm
    MD5: 0f46872fbd6bde38f6b8013b2f282aaf
    SHA-256: 86e16734efabad10dd1e6078911c126ce955c6e38e6587c59b986572d7cb214c
    Size: 10.36 kB