jqlang / jq

Command-line JSON processor

Home Page: https://jqlang.github.io/jq/

CVE-2023-49355 status ?

z00z00z00 opened this issue · comments

commented

CVE-2023-49355
linzc21 published [1] a one-byte OOB write affecting jq 1.7-37-g88f01a7 (88f01a7).

[1] https://github.com/linzc21/bug-reports/blob/main/reports/jq/1.7-37-g88f01a7/heap-buffer-overflow/CVE-2023-49355.md

JQ status
The researcher did not provide any information about a potential report to you. I created this bug report to get some status. Do you confirm this issue? If so, is any patch available?

Thanks in advance.
z00

We call it CVE-2023-50246.
I told that user their report was a duplicate, but they already published it anyway even before reporting it to us. :(
We have had a patch ready for a while.
I am organising to get 1.7.1 released soon (maybe today?); we're currently waiting to get a CVE number for another vulnerability.

commented

OK, got it. Thanks, Emanuele.
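The practical question behind this thread is whether a given jq binary predates the release that carries the fix. The following is an added example, not code from the issue thread or from the jq project. It assumes, as the maintainer reply states, that the fix for CVE-2023-50246 (the bug linzc21 reported as CVE-2023-49355) ships in jq 1.7.1; it does not know which git commit contains the fix, so a git build such as jq-1.7-37-g88f01a7 (tag 1.7 plus 37 commits) is conservatively treated as unfixed. The function names (`parse_jq_version`, `assess`, `installed_jq_status`) and the sample version strings are constructed for this example.

```python
"""Classify `jq --version` output relative to the assumed fix release.

Added example (not part of the jq project). Assumption: the fix is first
contained in jq 1.7.1, as stated in the maintainer's reply. Releases
before 1.7 are reported as "unfixed" simply because they are below that
version; this script does not assess whether they contain the bug.
"""
import re
import subprocess

FIXED_IN = (1, 7, 1)  # assumption: first release containing the fix

# `jq --version` prints strings of these shapes (constructed samples):
#   jq-1.6                release tarball or distro build, exact tag
#   jq-1.7rc1             pre-release tag
#   jq-1.7-37-g88f01a7    git build: tag, commits since tag, short hash
_VERSION_RE = re.compile(
    r"^jq-(?P<tag>\d+(?:\.\d+)*)(?:rc(?P<rc>\d+))?"
    r"(?:-(?P<ahead>\d+)-g?(?P<hash>[0-9a-f]+))?"
    r"(?:-dirty)?$"
)


def parse_jq_version(output):
    """Split a `jq --version` line into (tag, commits_ahead, hash, rc).

    tag is a tuple of ints; commits_ahead is 0 and hash is None for an
    exact tag; rc is the release-candidate number or None.
    Raises ValueError for anything that does not look like jq's format.
    """
    m = _VERSION_RE.match(output.strip())
    if m is None:
        raise ValueError("unrecognised jq version string: %r" % output)
    tag = tuple(int(part) for part in m.group("tag").split("."))
    ahead = int(m.group("ahead")) if m.group("ahead") else 0
    rc = int(m.group("rc")) if m.group("rc") else None
    return tag, ahead, m.group("hash"), rc


def _pad(version, width):
    """Right-pad a version tuple with zeros so tuples compare element-wise."""
    return tuple(version) + (0,) * (width - len(version))


def assess(output):
    """Return 'fixed', 'unfixed' or 'unknown' for a `jq --version` line."""
    try:
        tag, _ahead, _hash, rc = parse_jq_version(output)
    except ValueError:
        return "unknown"
    width = max(3, len(tag))
    tag, fixed = _pad(tag, width), _pad(FIXED_IN, width)
    if tag > fixed:
        return "fixed"
    if tag == fixed and rc is None:
        # Exact fix release, or a git build on top of it (1.7.1-N-g...).
        return "fixed"
    # Below 1.7.1, a 1.7.1 release candidate, or a git build on a tag
    # below 1.7.1 (we cannot tell whether the fix commit is included).
    return "unfixed"


def installed_jq_status():
    """Run the jq on PATH and assess it; ('missing', None) if absent."""
    try:
        proc = subprocess.run(["jq", "--version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return "missing", None
    line = (proc.stdout or proc.stderr).strip()
    return assess(line), line


if __name__ == "__main__":
    status, line = installed_jq_status()
    print("%s -> %s" % (line, status))
```

`assess` deliberately errs on the side of "unfixed": a 1.7-based git build may or may not include the fix, and the version string alone cannot settle that, so the only safe reading is to upgrade to 1.7.1 or later.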