diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3fbf437
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/jq-1.5.tar.gz
diff --git a/.jq.metadata b/.jq.metadata
new file mode 100644
index 0000000..0c9c074
--- /dev/null
+++ b/.jq.metadata
@@ -0,0 +1 @@
+6eef3705ac0a322e8aa0521c57ce339671838277 SOURCES/jq-1.5.tar.gz
diff --git a/SOURCES/CVE-2015-8863.patch b/SOURCES/CVE-2015-8863.patch
new file mode 100644
index 0000000..f4046cd
--- /dev/null
+++ b/SOURCES/CVE-2015-8863.patch
@@ -0,0 +1,37 @@
+From 8eb1367ca44e772963e704a700ef72ae2e12babd Mon Sep 17 00:00:00 2001
+From: Nicolas Williams <nico@cryptonector.com>
+Date: Sat, 24 Oct 2015 17:24:57 -0500
+Subject: [PATCH] Heap buffer overflow in tokenadd() (fix #105)
+
+This was an off-by one: the NUL terminator byte was not allocated on
+resize.  This was triggered by JSON-encoded numbers longer than 256
+bytes.
+---
+ src/jv_parse.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/jv_parse.c b/src/jv_parse.c
+index 3102ed4..84245b8 100644
+--- a/src/jv_parse.c
++++ b/src/jv_parse.c
+@@ -383,7 +383,7 @@ static pfunc stream_token(struct jv_parser* p, char ch) {
+ 
+ static void tokenadd(struct jv_parser* p, char c) {
+   assert(p->tokenpos <= p->tokenlen);
+-  if (p->tokenpos == p->tokenlen) {
++  if (p->tokenpos >= (p->tokenlen - 1)) {
+     p->tokenlen = p->tokenlen*2 + 256;
+     p->tokenbuf = jv_mem_realloc(p->tokenbuf, p->tokenlen);
+   }
+@@ -485,7 +485,7 @@ static pfunc check_literal(struct jv_parser* p) {
+     TRY(value(p, v));
+   } else {
+     // FIXME: better parser
+-    p->tokenbuf[p->tokenpos] = 0; // FIXME: invalid
++    p->tokenbuf[p->tokenpos] = 0;
+     char* end = 0;
+     double d = jvp_strtod(&p->dtoa, p->tokenbuf, &end);
+     if (end == 0 || *end != 0)
+-- 
+2.14.3
+
diff --git a/SPECS/jq.spec b/SPECS/jq.spec
new file mode 100644
index 0000000..d7dafc7
--- /dev/null
+++ b/SPECS/jq.spec
@@ -0,0 +1,146 @@
+Name:           jq
+Version:        1.5
+Release:        12%{?dist}
+Summary:        Command-line JSON processor
+
+License:        MIT and ASL 2.0 and CC-BY and GPLv3
+URL:            http://stedolan.github.io/jq/
+Source0:        https://github.com/stedolan/jq/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
+Patch0:         CVE-2015-8863.patch
+
+BuildRequires:  flex
+BuildRequires:  bison
+BuildRequires:  oniguruma-devel
+
+%ifnarch s390x
+BuildRequires:  valgrind
+%endif
+
+
+%description
+lightweight and flexible command-line JSON processor
+
+ jq is like sed for JSON data – you can use it to slice
+ and filter and map and transform structured data with
+ the same ease that sed, awk, grep and friends let you
+ play with text.
+
+ It is written in portable C, and it has zero runtime
+ dependencies.
+
+ jq can mangle the data format that you have into the
+ one that you want with very little effort, and the
+ program to do so is often shorter and simpler than
+ you'd expect.
+
+%package devel
+Summary:	Development files for %{name}
+Requires:	%{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+Development files for %{name}
+
+
+%prep
+%setup -qn %{name}-%{version}
+%patch0 -p2 -b .cve-2015-8863
+
+%build
+%configure --disable-static
+make %{?_smp_mflags}
+# Docs already shipped in jq's tarball.
+# In order to build the manual page, it
+# is necessary to install rake, rubygem-ronn
+# and do the following steps:
+#
+# # yum install rake rubygem-ronn
+# $ cd docs/
+# $ curl -L https://get.rvm.io | bash -s stable --ruby=1.9.3
+# $ source $HOME/.rvm/scripts/rvm
+# $ bundle install
+# $ cd ..
+# $ ./configure
+# $ make real_docs
+
+%install
+make DESTDIR=%{buildroot} install
+find %{buildroot} -name '*.la' -exec rm -f {} ';'
+
+%check
+# Valgrind used, so restrict architectures for check
+%ifarch %{ix86} x86_64
+make check
+%endif
+
+%ldconfig_scriptlets
+
+%files
+%{_bindir}/%{name}
+%{_libdir}/libjq.so.*
+%{_datadir}/man/man1/jq.1.gz
+%{_datadir}/doc/jq/AUTHORS
+%{_datadir}/doc/jq/COPYING
+%{_datadir}/doc/jq/README
+%{_datadir}/doc/jq/README.md
+
+%files devel
+%{_includedir}/jq.h
+%{_includedir}/jv.h
+%{_libdir}/libjq.so
+
+
+%changelog
+* Sat Aug 11 2018 Troy Dawson <tdawson@redhat.com>
+- Fix typo: s390 -> s390x
+- Related: bug#1614611
+
+* Sun Apr 01 2018 Mamoru TASAKA <mtasaka@fedoraproject.org> - 1.5-12
+- Rebuild against oniguruma 6.8.1
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.5-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Wed Feb 07 2018 Lon Hohberger <lon@fedoraproject.org> - 1.5-10
+- Fix CVE 2015-8863
+
+* Fri Feb 02 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.5-9
+- Switch to %%ldconfig_scriptlets
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.5-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.5-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.5-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Sun Oct 30 2016 Mamoru TASAKA <mtasaka@fedoraproject.org> - 1.5-5
+- Rebuild for oniguruma 6.1.1
+
+* Mon Jul 18 2016 Mamoru TASAKA <mtasaka@fedoraproject.org> - 1.5-4
+- Rebuild for oniguruma 6
+
+* Sun Mar 13 2016 Peter Robinson <pbrobinson@fedoraproject.org> 1.5-3
+- valgrind on all but s390
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Aug 25 2015 Haïkel Guémar <hguemar@fedoraproject.org> - 1.5-1
+- Upstream 1.5.0
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Thu Oct 24 2013 Flavio Percoco <flavio@redhat.com> - 1.3-2
+- Added check, manpage
+
+* Fri Oct 18 2013 Flavio Percoco <flavio@redhat.com> - 1.3-1
+- Initial package release.