pkgsrc-Users archive


Re: pkgsrc is flagging a corrected vulnerability in "jq"



Hello Leo,

You are right, and "pkg_admin fetch-pkg-vulnerabilities" has removed the warning on 'jq'.

Now, I have another alert on the oniguruma lib, but that's another story...

Thanks for your help!

On Wed, 17 Jul 2019 at 09:35, Leonardo Taccari <leot%netbsd.org@localhost> wrote:
Hello Noryungi,

Noryungi writes:
> [...]
> Just installed pkgsrc-2019Q2, and I get the following message while trying
> to compile "jq" (/dev/jq):
>
> $ bmake && bmake install
> => Bootstrap dependency digest>=20010302: found digest-20160304
> ===> Checking for vulnerabilities in jq-1.6
> Package jq-1.6 has a denial-of-service vulnerability, see
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4074
> ERROR: Define ALLOW_VULNERABLE_PACKAGES in mk.conf or IGNORE_URL in
> pkg_install.conf(5) if this package is absolutely essential.
> *** Error code 1
> Stop.
>
> However, the CVE link provided:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4074
> points out that this denial-of-service is for jq 1.5, while distinfo (as
> well as the message above) indicate that jq is now version 1.6 in pkgsrc.
>
> Furthermore, reading the different references of the CVE link points to:
> https://github.com/stedolan/jq/issues/1136
>
> ... which itself indicates the issue has been fixed in a commit in
> mid-August 2016.
>
> I think we can safely assume jq 1.6 does not contain the vulnerability
> anymore. I believe the pkgsrc warning should be removed and/or modified to
> reflect these changes.
> [...]

Yes, jq-1.6 addressed that indeed.

However, checking the corresponding entry in pkg-vulnerabilities (the
file that stores this information and is used by pkg_admin(1) to report
vulnerable packages):

 jq<1.5nb4    denial-of-service    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4074

(and indeed the corresponding patch was backported in jq-1.5 in May
2018).

I think that this entry was still shown because the
pkg-vulnerabilities file was not updated.  Can you please (re)run
`pkg_admin fetch-pkg-vulnerabilities' to update it?


Thank you!
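The version matching discussed in this thread (the `jq<1.5nb4` entry versus the package being built, jq-1.6), as an added example that is not part of the original message and not pkg_install's own code: a simplified Python reimplementation of the dewey comparison that `pkg_admin audit` applies to each pkg-vulnerabilities line, including the pkgsrc `nb` revision suffix, run over a constructed excerpt of the file. The `examplepkg` entry and the example.invalid URL are constructed fixtures (not real entries), the keyword weights are a simplification of what pkg_install's dewey.c does, and glob-style patterns (`jq-[0-9]*`) are not handled.

```python
import re

# Constructed excerpt of pkg-vulnerabilities: "pattern  type  url" per line.
# The jq line is the entry quoted in the thread; the examplepkg line is a
# made-up fixture that exercises the two-sided ">=a<b" pattern form.
SAMPLE_VULNS = """\
#FORMAT 1.0.0
jq<1.5nb4    denial-of-service    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4074
examplepkg>=2.0<2.3    constructed-example    https://example.invalid/constructed-entry
"""

# Pre-release keywords sort below a plain release; "." and "pl" are neutral.
# (Simplified from pkg_install's dewey.c; "nb" is the pkgsrc revision and is
# compared only after every other component is equal.)
_KEYWORDS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0, ".": 0, "_": 0}


def dewey_parse(version):
    """'1.5nb4' -> ([1, 0, 5], 4); '2.0rc1' -> ([2, 0, 0, -1, 1], 0)."""
    comps, nb, i = [], 0, 0
    while i < len(version):
        c = version[i]
        if c.isdigit():
            j = i
            while j < len(version) and version[j].isdigit():
                j += 1
            comps.append(int(version[i:j]))
            i = j
        elif version.startswith("nb", i):
            j = i + 2
            while j < len(version) and version[j].isdigit():
                j += 1
            nb = int(version[i + 2:j] or "0")
            i = j
        else:
            for kw, val in _KEYWORDS.items():
                if version.startswith(kw, i):
                    comps.append(val)
                    i += len(kw)
                    break
            else:
                if not c.isalpha():
                    raise ValueError(f"unsupported character {c!r} in {version!r}")
                # A lone letter (1.5a) sorts just above the bare version.
                comps.extend((0, ord(c.lower()) - ord("a") + 1))
                i += 1
    return comps, nb


def dewey_cmp(v1, v2):
    """Return -1, 0 or 1 like strcmp; missing trailing components count as 0."""
    c1, nb1 = dewey_parse(v1)
    c2, nb2 = dewey_parse(v2)
    n = max(len(c1), len(c2))
    c1, c2 = c1 + [0] * (n - len(c1)), c2 + [0] * (n - len(c2))
    if c1 != c2:
        return -1 if c1 < c2 else 1
    return (nb1 > nb2) - (nb1 < nb2)


_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0,
        ">": lambda c: c > 0, ">=": lambda c: c >= 0}
_PATTERN_RE = re.compile(r"^([^<>]+?)(>=|<=|>|<)([^<>]+)(?:(<=|<)([^<>]+))?$")


def pattern_matches(pattern, pkgname):
    """Does 'jq-1.6' fall inside 'jq<1.5nb4' (or 'foo>=2.0<2.3')?"""
    m = _PATTERN_RE.match(pattern)
    if not m:
        raise ValueError(f"unsupported pattern {pattern!r}")
    name, op1, ver1, op2, ver2 = m.groups()
    base, _, version = pkgname.rpartition("-")   # 'py-foo-1.0' -> ('py-foo', '1.0')
    if base != name or not _OPS[op1](dewey_cmp(version, ver1)):
        return False
    return not op2 or _OPS[op2](dewey_cmp(version, ver2))


def audit(vuln_db_text, installed):
    """Return (pkgname, pattern, type, url) for every installed package an entry hits."""
    hits = []
    for line in vuln_db_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) != 3:
            continue   # comments, #FORMAT/#CHECKSUM trailer, malformed lines
        pattern, vtype, url = parts
        hits.extend((pkg, pattern, vtype, url)
                    for pkg in installed if pattern_matches(pattern, pkg))
    return hits


if __name__ == "__main__":
    for pkg, pattern, vtype, url in audit(SAMPLE_VULNS, ["jq-1.6", "jq-1.5nb3", "examplepkg-2.1"]):
        print(f"Package {pkg} has a {vtype} vulnerability ({pattern}), see {url}")
```

Run as written, this reports jq-1.5nb3 and examplepkg-2.1 but not jq-1.6, which is exactly why a stale pkg-vulnerabilities entry is the thing to check first: the pattern is what fires, not the CVE text it links to. The real `pkg_admin audit` additionally verifies the file's checksum (and signature, when configured) before trusting it.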

