head 1.2; access; symbols pkgsrc-2025Q2:1.1.0.2 pkgsrc-2025Q2-base:1.1; locks; strict; comment @# @; 1.2 date 2025.07.06.09.07.43; author wiz; state dead; branches; next 1.1; commitid xF8hwMv4Y6ZJjF1G; 1.1 date 2025.06.22.06.16.19; author kim; state Exp; branches; next ; commitid WmPMUffIEGIHOQZF; desc @@ 1.2 log @jq: update to 1.8.1. # 1.8.1 This is a patch release to fix security, performance, and build issues found in 1.8.0. Full commit log can be found at . ## Security fixes - CVE-2025-49014: Fix heap use after free in `f_strftime`, `f_strflocaltime`. @@wader 499c91bca9d4d027833bc62787d1bb075c03680e - GHSA-f946-j5j2-4w5m: Fix stack overflow in `node_min_byte_len` of oniguruma. @@wader 5e159b34b179417e3e0404108190a2ac7d65611c ## CLI changes - Fix assertion failure when syntax error happens at the end of the query. @@itchyny #3350 ## Changes to existing functions - Fix portability of `strptime/1` especially for Windows. @@itchyny #3342 ## Language changes - Revert the change of `reduce`/`foreach` state variable in 1.8.0 (#3205). This change was reverted due to serious performance regression. @@itchyny #3349 ## Documentation changes - Add LICENSE notice of NetBSD's `strptime()` to COPYING. @@itchyny #3344 ## Build improvements - Fix build on old Mac with old sed. @@qianbinbin #3336 @ text @$NetBSD: patch-tests_jq.test,v 1.1 2025/06/22 06:16:19 kim Exp $ Fixes CVE-2025-49014 which was introduced in 1.8.0 https://github.com/jqlang/jq/commit/499c91bca9d4d027833bc62787d1bb075c03680e.patch --- tests/jq.test.orig 2025-06-01 05:58:31.000000000 +0000 +++ tests/jq.test 2025-06-22 06:08:48.077032552 +0000 @@@@ -2495,3 +2495,11 @@@@ 3 2 4 + +# regression test for CVE-2025-49014 (use of fmt after free) +# tests with both empty string literal and empty string created by function +# as they seems to behave referecne wise differently. +strflocaltime("" | ., @@uri) +0 +"" +"" @ 1.1 log @jq: Apply upstream patch for CVE-2025-49014 @ text @d1 1 a1 1 $NetBSD$ @
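Review bot: the regression case added at the end of the tests/jq.test hunk exercises only `strflocaltime`, while the 1.8.1 log above lists the use after free in both `f_strftime` and `f_strflocaltime`. A matching case with the same empty-format inputs piped to `strftime` would cover the second entry point. The comment in the added lines has two typos ("as they seems" and "referecne wise"); suggest "as they seem to behave differently reference-wise". The patch header says "Fixes CVE-2025-49014", but this file changes only tests/jq.test, so "Regression test for CVE-2025-49014" would describe it more accurately, with the code fix documented in the patch that carries it.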