Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20160424165242.6CE3F332037@smtpvbsrv1.mitre.org>
Date: Sun, 24 Apr 2016 12:52:42 -0400 (EDT)
From: cve-assign@...re.org
To: gustavo.grieco@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: jq: stack exhaustion using jv_dump_term() function

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> A crash caused by stack exhaustion parsing a JSON was found. It affects, at
> least version 1.5 as well as the last git revision. Technical details and a
> reproducer are available here:
> 
> https://github.com/stedolan/jq/issues/1136

>> jq . qcufnzxcnp.json.4167733746247029131
>> 
>> Program received signal SIGSEGV, Segmentation fault.

>>> https://github.com/stedolan/jq/blob/master/README.md
>>> jq is a lightweight and flexible command-line JSON processor.

We do not feel that a stack-exhaustion attack against a command-line
program requires a CVE ID in all cases. A jq bug was discovered; the
question is whether it's a security bug. This depends on the existence
of a common use case in which an unattended process receives untrusted
JSON files, and (for example) the overall resource consumption is
substantially higher than what an attacker could achieve by submitting
a JSON file that is parsed without encountering any jq bugs.

Our understanding is that https://jqplay.org/ is an existence proof of
"unattended process receives untrusted JSON files." Also,
https://stedolan.github.io/jq/manual/ might imply that the . filter is
not expected to result in a lot of resource consumption (stack
exhaustion or anything else). So, a need for a CVE ID seems plausible;
however, we would like to have more information about security
relevance if anyone wants many CVE IDs for many different jq bugs
causing stack exhaustion.

Use CVE-2016-4074.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXHPkoAAoJEHb/MwWLVhi2klQP/0JXSWdl1OK3qZD/7Ze8TGyi
rbzXE7w0xk9/QPTjbvODOxDDIWOu1WKPbXLtk0Q3pMBbEIsSNB0gIF0uBpxA6jWa
i+faeokrPE2VH8cKd1Esvo7GJ0hbGxF2o2StNIkqoTPlV+Ycy13NEt9fgJ1KBf7K
kdmB9fd5yBLiP6Fbiob1jB7a/YSXIZ7QmtlrverLnrC2lNpKTIzMp2ena5wE5QBB
ebc0cvtW149ktlfz3axexPM/GVOAnIPLqCtDskDjgSD2BngPuFIfI4+isai+mPQS
6xRO4zJuZokKGLwIe2XuHCu3BSqHO5GXP2vgOy8JDEUaKejvUQlqdDpvqypa3CrN
pNAGz4BXrOrCuXQOIsVcHFjSjzauAIP5ttioSX6DEeGCSkhSGuLe7v62SvlEJCmP
clKRaXK0cTzYOneNiZncha8mUQpWpAe9q9DNutnQhIuA6d5Jx4wzXA8f8MmpUG5T
eO9df1RkNca7+PzNSgspBQTdqBKcDCVqJSY47/VIf9oZKPyzKUI0k2pDgyajwIDv
frelAoZ3CM2iPZdjJUY3EAn/CJV1rWMGFIUbCSDkyTshlP07V2cSbDj3KGySt0ZA
Tdtt3Pt2r4CbBn3rwLd1g5GOTW7Od54wxUTnSOaFikZo6oEVhmOyG3AGIBsdtbxM
mQMgvymwfziBQ5SeGM7D
=BV9n
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.