Version in base suite: 1.6-2.1 Base version: jq_1.6-2.1 Target version: jq_1.6-2.1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/j/jq/jq_1.6-2.1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/j/jq/jq_1.6-2.1+deb12u1.dsc changelog | 7 +++++++ patches/CVE-2025-48060.patch | 22 ++++++++++++++++++++++ patches/series | 1 + 3 files changed, 30 insertions(+) gpgv: Signature made Thu Dec 10 08:48:07 2020 UTC gpgv: using RSA key 58B66D48736BE93B052DE6729C5C99EB05BD750A gpgv: Can't check signature: No public key dpkg-source: warning: failed to verify signature on /srv/release.debian.org/tmp/tmpk0w7e80e/jq_1.6-2.1.dsc
diff -Nru jq-1.6/debian/changelog jq-1.6/debian/changelog
--- jq-1.6/debian/changelog 2020-12-10 08:24:21.000000000 +0000
+++ jq-1.6/debian/changelog 2025-07-09 14:23:15.000000000 +0000
@@ -1,3 +1,10 @@
+jq (1.6-2.1+deb12u1) bookworm; urgency=medium
+
+ * Cherry-pick upstream commit c6e041699d8cd31b97375a2596217aff2cfca85b to
+ fix CVE-2025-48060.
+
+ -- ChangZhuo Chen (陳昌倬) Wed, 09 Jul 2025 22:23:15 +0800
+
 jq (1.6-2.1) unstable; urgency=medium
 [ Paul Gevers ]
diff -Nru jq-1.6/debian/patches/CVE-2025-48060.patch jq-1.6/debian/patches/CVE-2025-48060.patch
--- jq-1.6/debian/patches/CVE-2025-48060.patch 1970-01-01 00:00:00.000000000 +0000
+++ jq-1.6/debian/patches/CVE-2025-48060.patch 2025-07-09 14:23:15.000000000 +0000
@@ -0,0 +1,22 @@
+From: =?utf-8?b?IkNoYW5nWmh1byBDaGVuICjpmbPmmIzlgKwpIg==?=
+
+Date: Wed, 9 Jul 2025 22:19:33 +0800
+Subject: Cherry-pick upstream commit c6e041699d8cd31b97375a2596217aff2cfca85b
+ to fix CVE-2025-48060
+
+---
+ src/jv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/jv.c b/src/jv.c
+index 979d188..6936f59 100644
+--- a/src/jv.c
++++ b/src/jv.c
+@@ -492,6 +492,7 @@ static jv jvp_string_empty_new(uint32_t length) {
+ jvp_string* s = jvp_string_alloc(length);
+ s->length_hashed = 0;
+ memset(s->data, 0, length);
++ s->data[length] = 0;
+ jv r = {JV_KIND_STRING, 0, 0, 0, {&s->refcnt}};
+ return r;
+ }
diff -Nru jq-1.6/debian/patches/series jq-1.6/debian/patches/series
--- jq-1.6/debian/patches/series 2020-12-10 08:24:21.000000000 +0000
+++ jq-1.6/debian/patches/series 2025-07-09 14:23:15.000000000 +0000
@@ -8,3 +8,4 @@
 0008-Do-not-use-venderized-oniguruma.patch
 0009-Hardcode-version-to-1.6.patch
 0010-initialized-variables.patch
+CVE-2025-48060.patch
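Review bot: The added `s->data[length] = 0;` in jvp_string_empty_new is only in bounds if jvp_string_alloc() sizes the data buffer at length + 1, and that allocator is outside this hunk, so nothing on the page lets a reader verify the write; a comment on the new line, `/* NUL-terminate: relies on jvp_string_alloc() reserving length + 1 data bytes */`, would pin the invariant the fix depends on (upstream's allocator appears to reserve the extra byte, but confirm against the vendored src/jv.c). Folding both writes into `memset(s->data, 0, length + 1);` would be tidier, but a stable-update cherry-pick should stay identical to upstream c6e041699d8cd31b97375a2596217aff2cfca85b, so the comment is the right vehicle. The patch header also carries no DEP-3 `Origin:` or `Bug:` field, only the Subject line; `Origin: upstream, c6e041699d8cd31b97375a2596217aff2cfca85b` would make the provenance machine-readable for the security tracker.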