ArchLinux: 201608-10: jq: arbitrary code execution
Summary
A heap-based buffer overflow has been found in jq when parsing a JSON-encoded number longer than 256 bytes. The NULL-terminator byte was not allocated when the buffer was resized, causing a off-by-one write.
Resolution
Upgrade to 1.5-4.
# pacman -Syu "jq>=1.5-4"
The problem has been fixed upstream but no release is available yet.
References
https://bugs.archlinux.org/task/50330 https://seclists.org/oss-sec/2016/q2/134 https://access.redhat.com/security/cve/CVE-2015-8863
Workaround
None.