SB2018041714 - Buffer overflow in jq (Alpine package)
Published: April 17, 2018
Security Bulletin ID
SB2018041714
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Buffer overflow (CVE-ID: CVE-2016-4074)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted JSON file.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=cf67851f93c049ccf42e0811509aa517fec6ac59
- https://git.alpinelinux.org/aports/commit/?id=5f5f852407d176edf3596f5dcde0cd7aa21d446c
- https://git.alpinelinux.org/aports/commit/?id=1bfcfb905d961ba964207398fa61c21690f058f1
- https://git.alpinelinux.org/aports/commit/?id=e10ec9bc1b1ba649892df0d8f7c116a1172e51a3
- https://git.alpinelinux.org/aports/commit/?id=08fa87dac229e919eba54885a02dca0ae57c5f41
- https://git.alpinelinux.org/aports/commit/?id=37aee0002e98bcd41e35d010a63c7989589a10b5
- https://git.alpinelinux.org/aports/commit/?id=929b5faa3daa8490ac9e97720d28d0435c6936b7