Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: rhel-8.10.z
Affects Version/s: rhel-8.0.0, CentOS Stream 8, CentOS Stream 9, rhel-9.0.0
Component/s: jq
Labels:
None

Fixed in Build:
jq-1.6-9.el8_10
Regression:
None
Severity:
Moderate

Pool Team:

rhel-sst-idm-sssd
Sub-System Group:

ssg_idm

Story Points:
0
ACKs Check:

QE ack, Dev ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None

Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/132331
Gating Tests:

Enabled
Test Coverage:

RegressionOnly

Experience:
Architecture:

All

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Few non-critical findings has been found in JQ code.

Error: VARARGS (CWE-237):
jq-1.6/src/locfile.c:65: va_init: Initializing va_list "fmtargs".
jq-1.6/src/locfile.c:77: missing_va_end: "va_end" was not called for "fmtargs".
#   75|     if (!jv_is_valid(m1)) {
#   76|       jq_report_error(l->jq, m1);
#   77|->     return;
#   78|     }
#   79|     if (loc.start == -1) {Error: VARARGS (CWE-237):

Error: VARARGS (CWE-237):
jq-1.6/src/locfile.c:65: va_init: Initializing va_list "fmtargs".
jq-1.6/src/locfile.c:90: missing_va_end: "va_end" was not called for "fmtargs".
#   88|     jv_free(m1);
#   89|     jq_report_error(l->jq, m2);
#   90|->   return;
#   91|   }

Error: RESOURCE_LEAK (CWE-772):
jq-1.6/src/jq_test.c:31: alloc_fn: Storage is returned from allocation function "fopen".
jq-1.6/src/jq_test.c:31: var_assign: Assigning: "testdata" = storage returned from "fopen(argv[i], "r")".
jq-1.6/src/jq_test.c:39: noescape: Resource "testdata" is not freed or pointed-to in "run_jq_tests".
jq-1.6/src/jq_test.c:43: leaked_storage: Variable "testdata" going out of scope leaks the storage it points to.
#   41|     run_jq_pthread_tests();
#   42|   #endif
#   43|->   return 0;
#   44|   }
#   45|   // code placeholder

Error: VARARGS (CWE-237):
jq-1.6/src/locfile.c:65: va_init: Initializing va_list "fmtargs".
jq-1.6/src/locfile.c:82: missing_va_end: "va_end" was not called for "fmtargs".
#   80|       jq_report_error(l->jq, jv_string_fmt("jq: error: %s\n<unknown location>", jv_string_value(m1)));
#   81|       jv_free(m1);
#   82|->     return;
#   83|     }
#   84|     jv m2 = jv_string_fmt("%s at %s, line %d:\n%.*s%*s", jv_string_value(m1),

Error: RESOURCE_LEAK (CWE-772):
jq-1.6/src/jq_test.c:31: alloc_fn: Storage is returned from allocation function "fopen".
jq-1.6/src/jq_test.c:31: var_assign: Assigning: "testdata" = storage returned from "fopen(argv[i], "r")".
jq-1.6/src/jq_test.c:31: overwrite_var: Overwriting "testdata" in "testdata = fopen(argv[i], "r")" leaks the storage that "testdata" points to.
#   29|           i++;
#   30|         } else {
#   31|->         testdata = fopen(argv[i], "r");
#   32|           if (!testdata) {
#   33|             perror("fopen");

clones

RHEL-28653 JQ findings from static application security testing

Closed

links to

RHBA-2024:132331 jq update

Assignee:: Tomas Halman

Reporter:: Tomas Halman

Developer:: Tomas Halman

QA Contact:: Scott Poore

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2024/05/22 12:17 PM

Updated:: 2024/09/23 3:49 PM

Resolved:: 2024/07/02 3:21 PM

Release Date:: 2024/07/02

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates