jq: patch CVE-2026-39979

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-39979 Ptests passed: root@qemux86:~# ptest-runner jq START: ptest-runner 2026-04-26T11:09 BEGIN: /usr/lib/jq/ptest PASS: optionaltest PASS: mantest PASS: jqtest PASS: onigtest PASS: shtest PASS: utf8test PASS: base64test === Test Summary === TOTAL: 7 PASSED: 7 FAILED: 0 SKIPPED: 0 DURATION: 44 END: /usr/lib/jq/ptest 2026-04-26T11:10 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
author: Ankur Tyagi <ankur.tyagi85@gmail.com> 2026-04-27 01:03:46 +1200
committer: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-29 10:14:29 +0530
commit: 964065663cd424bfbbac5a17091a41f3c729eb3a (patch)
tree: 678d3d99e95dd1d032ea6390620b651c01c4b9fd
parent: 6cbaf81a019c8d995d67370251a755e6a14f6884 (diff)
download: meta-openembedded-964065663cd424bfbbac5a17091a41f3c729eb3a.tar.gz
2 files changed, 33 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-39979.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-39979.patch
new file mode 100644
index 0000000000..7ab7e6fcdf
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-39979.patch
@@ -0,0 +1,32 @@
+From 46fac767d5007849b9a63cae2e74c0fc7afaa093 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Mon, 13 Apr 2026 11:04:52 +0900
+Subject: [PATCH] Fix out-of-bounds read in jv_parse_sized()
+This fixes CVE-2026-39979.
+Co-authored-by: Mattias Wadman <mattias.wadman@gmail.com>
+(cherry picked from commit 2f09060afab23fe9390cce7cb860b10416e1bf5f)
+CVE: CVE-2026-39979
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/jv_parse.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/src/jv_parse.c b/src/jv_parse.c
+index 9755b8a..84a847f 100644
+--- a/src/jv_parse.c
+++ b/src/jv_parse.c
+@@ -890,8 +890,9 @@ jv jv_parse_sized_custom_flags(const char* string, int length, int flags) {
+ 
+   if (!jv_is_valid(value) && jv_invalid_has_msg(jv_copy(value))) {
+     jv msg = jv_invalid_get_msg(value);
+-    value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%s')",
+    value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%.*s')",
+                                               jv_string_value(msg),
+                                              length,
+                                               string));
+     jv_free(msg);
+   }
diff --git a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb
index ed1f36f6f1..4ef95bd824 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb
@@ -19,6 +19,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \
    file://CVE-2026-32316.patch \
    file://CVE-2026-33947.patch \
    file://CVE-2026-33948.patch \
+    file://CVE-2026-39979.patch \
    "
 SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
author	Ankur Tyagi <ankur.tyagi85@gmail.com>	2026-04-27 01:03:46 +1200
committer	Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-04-29 10:14:29 +0530
commit	964065663cd424bfbbac5a17091a41f3c729eb3a (patch)
tree	678d3d99e95dd1d032ea6390620b651c01c4b9fd
parent	6cbaf81a019c8d995d67370251a755e6a14f6884 (diff)
download	meta-openembedded-964065663cd424bfbbac5a17091a41f3c729eb3a.tar.gz

diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-39979.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-39979.patch new file mode 100644 index 0000000000..7ab7e6fcdf --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-39979.patch
@@ -0,0 +1,32 @@
		1	From 46fac767d5007849b9a63cae2e74c0fc7afaa093 Mon Sep 17 00:00:00 2001
		2	From: itchyny <itchyny@cybozu.co.jp>
		3	Date: Mon, 13 Apr 2026 11:04:52 +0900
		4	Subject: [PATCH] Fix out-of-bounds read in jv_parse_sized()
		5
		6	This fixes CVE-2026-39979.
		7
		8	Co-authored-by: Mattias Wadman <mattias.wadman@gmail.com>
		9	(cherry picked from commit 2f09060afab23fe9390cce7cb860b10416e1bf5f)
		10
		11	CVE: CVE-2026-39979
		12	Upstream-Status: Backport [https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f]
		13	Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
		14	---
		15	src/jv_parse.c \| 3 ++-
		16	1 file changed, 2 insertions(+), 1 deletion(-)
		17
		18	diff --git a/src/jv_parse.c b/src/jv_parse.c
		19	index 9755b8a..84a847f 100644
		20	--- a/src/jv_parse.c
		21	+++ b/src/jv_parse.c
		22	@@ -890,8 +890,9 @@ jv jv_parse_sized_custom_flags(const char* string, int length, int flags) {
		23
		24	if (!jv_is_valid(value) && jv_invalid_has_msg(jv_copy(value))) {
		25	jv msg = jv_invalid_get_msg(value);
		26	- value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%s')",
		27	+ value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%.*s')",
		28	jv_string_value(msg),
		29	+ length,
		30	string));
		31	jv_free(msg);
		32	}


diff --git a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb index ed1f36f6f1..4ef95bd824 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb
@@ -19,6 +19,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \
19	file://CVE-2026-32316.patch \	19	file://CVE-2026-32316.patch \
20	file://CVE-2026-33947.patch \	20	file://CVE-2026-33947.patch \
21	file://CVE-2026-33948.patch \	21	file://CVE-2026-33948.patch \
		22	file://CVE-2026-39979.patch \
22	"	23	"
23	SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"	24	SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
24		25