Arch Linux Security Advisory ASA-201608-10 ========================================== Severity: High Date : 2016-08-10 CVE-ID : CVE-2015-8863 Package : jq Type : arbitrary code execution Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package jq before version 1.5-4 is vulnerable to a heap-based buffer overflow leading to arbitrary code execution. Resolution ========== Upgrade to 1.5-4. # pacman -Syu "jq>=1.5-4" The problem has been fixed upstream but no release is available yet. Workaround ========== None. Description =========== A heap-based buffer overflow has been found in jq when parsing a JSON-encoded number longer than 256 bytes. The NULL-terminator byte was not allocated when the buffer was resized, causing a off-by-one write. Impact ====== A remote attacker can execute arbitrary code on the affected host by tricking a victim into processing a specially crafted JSON file. References ========== https://bugs.archlinux.org/task/50330 http://seclists.org/oss-sec/2016/q2/134 https://access.redhat.com/security/cve/CVE-2015-8863