# jq-els-backport-cve-2025-48060
Backported the upstream fix for CVE-2025-48060 (heap buffer overflow in jv_string_empty) to jq 1.6.
Backport (CVE-2025-48060): upstream commit c6e0416 ("Fix heap buffer overflow when formatting an empty string") was backported from a newer jq version to jq-1.6. The fix was adapted to the internal string representation of jq 1.6 (`jv_string_empty`), a regression test (`0[implode]`) was added, and jq was rebuilt and the test suite run successfully.
# How to apply this patch
You can apply this backport on top of the official **jq-1.6** release either
from a tarball or from a git checkout.
## 1) Download and unpack jq-1.6
```
curl -LO https://github.com/jqlang/jq/releases/download/jq-1.6/jq-1.6.tar.gz
tar xf jq-1.6.tar.gz
cd jq-1.6
```
## 2) Copy the patch from this repo into the jq source directory
## 3) Apply the backport patch
```
patch -p1 < 0001-Fix-heap-buffer-overflow-when-formatting-an-empty-st.patch
```
## 4) Regenerate build system and build jq
```
autoreconf -i
./configure --with-oniguruma=builtin
make -j"$(nproc)"
```
## 5) Run the test suite
```
make check
```
In case you want to apply it from a git checkout:
## 1) Clone the jq repository
```
git clone https://github.com/jqlang/jq.git
cd jq
```
## 2) Switch to jq 1.6 tag
```
git checkout jq-1.6
```
## 3) Copy the patch from this repo into the jq source directory
## 4) Apply the patch with git am
```
git am 0001-Fix-heap-buffer-overflow-when-formatting-an-empty-st.patch
```
## 5) Compile and run the tests
```
git submodule update --init
autoreconf -i
./configure --with-oniguruma=builtin
make -j"$(nproc)"
make check
```
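An added example, not part of this repository: a pre-flight check for the patch step of either procedure above. It reports whether the patch is pending, already applied, or does not fit the source tree, and applies it only when pending. The function names are this example's own, and it assumes a `patch` that supports `--dry-run`.

```sh
#!/bin/sh
# Added example, not code from the backport repository.
# abs_path, patch_state and apply_once are names chosen for this example.

abs_path() { echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"; }

# Print "pending", "applied" or "mismatch" without modifying the tree.
# usage: patch_state <source-dir> <patch-file>
patch_state() (
  pfile=$(abs_path "$2")
  cd "$1" || exit 2
  # -f: never prompt and never guess that the patch is reversed.
  if patch -p1 --dry-run -f -s < "$pfile" >/dev/null 2>&1; then
    echo pending
  elif patch -p1 --dry-run -f -s -R < "$pfile" >/dev/null 2>&1; then
    echo applied
  else
    echo mismatch
  fi
)

# Apply the patch only when it is pending; refuse a tree it does not fit
# (for example a jq release other than the one the backport targets).
# usage: apply_once <source-dir> <patch-file>
apply_once() (
  pfile=$(abs_path "$2")
  case $(patch_state "$1" "$2") in
    pending) cd "$1" && patch -p1 -s < "$pfile" ;;
    applied) echo "already applied, nothing to do" >&2 ;;
    *)       echo "patch does not fit this tree" >&2; exit 1 ;;
  esac
)

# Run as: sh apply_once.sh <jq-1.6 source dir> <patch file>
if [ "$#" -eq 2 ]; then apply_once "$1" "$2"; fi
```

A `mismatch` result means neither the forward nor the reverse dry run succeeded, so the tree should be inspected rather than patched.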
```
[4.0K] /data/pocs/0fc489dd8f7179793d61776e1f3e0424a8eb23b0
├── [4.0K] docs
│   └── [ 44K] BACKPORTING-CVE-2025-48060.odt
├── [4.0K] patch
│   └── [1.3K] 0001-Fix-heap-buffer-overflow-when-formatting-an-empty-st.patch
└── [1.6K] README.md
3 directories, 3 files
```