jqlang jq
cpe:2.3:a:jqlang:jq:*:*:*:*:*:*:*
- 1.8.0
A heap use-after-free vulnerability has been identified in jq version 1.8.0, in the function f_strflocaltime in the file /src/builtin.c. The function uses a pointer to memory that has already been freed, which can lead to memory corruption and potentially arbitrary code execution.
Triggering this vulnerability causes a heap use-after-free condition, which can corrupt memory. Such conditions are often exploitable, allowing for arbitrary code execution or other malicious actions.
The vulnerability can be reproduced with jq version 1.8.0 by running the jq command-line tool with the -n flag and a script that calls the vulnerable function f_strflocaltime. AddressSanitizer (ASan) will then report the use-after-free error, confirming that the vulnerable code path was triggered.
Users are advised to update to the latest version of jq, as this vulnerability has been patched. The specific commit that addresses this issue can be found on the jq GitHub repository.