'[oss-security] Re: CVE Request: jq: stack exhaustion using jv_dump_term() function'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Re: CVE Request: jq: stack exhaustion using jv_dump_term() function
From:       cve-assign () mitre ! org
Date:       2016-04-24 16:52:42
Message-ID: 20160424165242.6CE3F332037 () smtpvbsrv1 ! mitre ! org
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> A crash caused by stack exhaustion parsing a JSON was found. It affects, at
> least version 1.5 as well as the last git revision. Technical details and a
> reproducer are available here:
> 
> https://github.com/stedolan/jq/issues/1136

>> jq . qcufnzxcnp.json.4167733746247029131
>> 
>> Program received signal SIGSEGV, Segmentation fault.

>>> https://github.com/stedolan/jq/blob/master/README.md
>>> jq is a lightweight and flexible command-line JSON processor.

We do not feel that a stack-exhaustion attack against a command-line
program requires a CVE ID in all cases. A jq bug was discovered; the
question is whether it's a security bug. This depends on the existence
of a common use case in which an unattended process receives untrusted
JSON files, and (for example) the overall resource consumption is
substantially higher than what an attacker could achieve by submitting
a JSON file that is parsed without encountering any jq bugs.

Our understanding is that https://jqplay.org/ is an existence proof of
"unattended process receives untrusted JSON files." Also,
https://stedolan.github.io/jq/manual/ might imply that the . filter is
not expected to result in a lot of resource consumption (stack
exhaustion or anything else). So, a need for a CVE ID seems plausible;
however, we would like to have more information about security
relevance if anyone wants many CVE IDs for many different jq bugs
causing stack exhaustion.

Use CVE-2016-4074.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXHPkoAAoJEHb/MwWLVhi2klQP/0JXSWdl1OK3qZD/7Ze8TGyi
rbzXE7w0xk9/QPTjbvODOxDDIWOu1WKPbXLtk0Q3pMBbEIsSNB0gIF0uBpxA6jWa
i+faeokrPE2VH8cKd1Esvo7GJ0hbGxF2o2StNIkqoTPlV+Ycy13NEt9fgJ1KBf7K
kdmB9fd5yBLiP6Fbiob1jB7a/YSXIZ7QmtlrverLnrC2lNpKTIzMp2ena5wE5QBB
ebc0cvtW149ktlfz3axexPM/GVOAnIPLqCtDskDjgSD2BngPuFIfI4+isai+mPQS
6xRO4zJuZokKGLwIe2XuHCu3BSqHO5GXP2vgOy8JDEUaKejvUQlqdDpvqypa3CrN
pNAGz4BXrOrCuXQOIsVcHFjSjzauAIP5ttioSX6DEeGCSkhSGuLe7v62SvlEJCmP
clKRaXK0cTzYOneNiZncha8mUQpWpAe9q9DNutnQhIuA6d5Jx4wzXA8f8MmpUG5T
eO9df1RkNca7+PzNSgspBQTdqBKcDCVqJSY47/VIf9oZKPyzKUI0k2pDgyajwIDv
frelAoZ3CM2iPZdjJUY3EAn/CJV1rWMGFIUbCSDkyTshlP07V2cSbDj3KGySt0ZA
Tdtt3Pt2r4CbBn3rwLd1g5GOTW7Od54wxUTnSOaFikZo6oEVhmOyG3AGIBsdtbxM
mQMgvymwfziBQ5SeGM7D
=BV9n
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic