CVE-2016-4074

Published: 06 May 2016

The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted JSON file.

From the Ubuntu security team

It was discovered that jq did not perform sufficient bounds checking, resulting in unbounded resource consumption. An attacker could use this vulnerability to cause a denial of service.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
jq
Launchpad, Ubuntu, Debian
Upstream
Released (1.5+dfsg-1.1)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable

Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable

Ubuntu 16.04 LTS (Xenial Xerus) Needed

Ubuntu 14.04 ESM (Trusty Tahr) Needed

Patches:
Upstream: https://github.com/stedolan/jq/commit/fd4ae8304e23007672af9a37855c7a76de7c78cf
Upstream: https://github.com/stedolan/jq/commit/83e2cf607f3599d208b6b3129092fa7deb2e5292