[3.4] jq: heap-buffer-overflow in tokenadd() function (CVE-2015-8863)
Off-by-one error in the tokenadd function in jv_parse.c in jq allows
remote attackers to cause a denial of service (crash) via a long
JSON-encoded number,
which triggers a heap-based buffer overflow.
References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8863
http://www.openwall.com/lists/oss-security/2016/04/23/1
Patch:
https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd
(from redmine: issue id 5632, created on 2016-05-26, closed on 2016-06-23)
- Relations:
- parent #5631 (closed)
- Changesets:
- Revision 6d30e78f by Natanael Copa on 2016-05-26T15:31:15Z:
main/jq: security fix for CVE-2015-8863
fixes #5632