Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 15 Dec 2023 14:44:43 -0800
From: Alan Coopersmith <>
Subject: jq 1.7.1 fixes CVE-2023-50246 & CVE-2023-50268 lists these two fixes
among the changes in this week's release of jq 1.7.1:

     CVE-2023-50246: Fix heap buffer overflow in jvp_literal_number_literal
     CVE-2023-50268: fix stack-buffer-overflow if comparing nan with payload

They've also published advisories on github for each:

[oss-fuzz] Issue 64771: jq:jq_fuzz_execute: Stack-buffer-overflow in decNaNs

heap-buffer-overflow exists in the function decToString in decNumber.c

The fixes appear to be in:

         -Alan Coopersmith-       
          Oracle Solaris Engineering -

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.