jq: patch CVE-2026-33947

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33947 Backport the patch that is referenced by the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com> (cherry picked from commit 525e18ce214213193d9a280de3bfd2deb847110e) Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2026-04-20 08:27:35 +0200
committer: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-24 21:13:20 +0530
commit: f251c270256ff57bd1621415b4445e5f4b178c34 (patch)
tree: 6f28bb3f78b40383b17047b43bd83e461b853422
parent: c5475650885213ef6e8be8de60ae536e7d360e07 (diff)
download: meta-openembedded-f251c270256ff57bd1621415b4445e5f4b178c34.tar.gz
2 files changed, 105 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch
new file mode 100644
index 0000000000..69a8381f06
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch
@@ -0,0 +1,104 @@
+From 5fd935884a6f5b3d8ecdcacfc5d3982140f3a478 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Mon, 13 Apr 2026 11:23:40 +0900
+Subject: [PATCH] Limit path depth to prevent stack overflow
+Deeply nested path arrays can cause unbounded recursion in
+`jv_setpath`, `jv_getpath`, and `jv_delpaths`, leading to
+stack overflow. Add a depth limit of 10000 to match the
+existing `tojson` depth limit. This fixes CVE-2026-33947.
+CVE: CVE-2026-33947
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/fb59f1491058d58bdc3e8dd28f1773d1ac690a1f]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/jv_aux.c  | 21 +++++++++++++++++++++
+ tests/jq.test | 25 +++++++++++++++++++++++++
+ 2 files changed, 46 insertions(+)
+diff --git a/src/jv_aux.c b/src/jv_aux.c
+index bc1405f..594a21f 100644
+--- a/src/jv_aux.c
+++ b/src/jv_aux.c
+@@ -375,6 +375,10 @@ static jv jv_dels(jv t, jv keys) {
+   return t;
+ }
+ 
+#ifndef MAX_PATH_DEPTH
+#define MAX_PATH_DEPTH (10000)
+#endif
+
+ jv jv_setpath(jv root, jv path, jv value) {
+   if (jv_get_kind(path) != JV_KIND_ARRAY) {
+     jv_free(value);
+@@ -382,6 +386,12 @@ jv jv_setpath(jv root, jv path, jv value) {
+     jv_free(path);
+     return jv_invalid_with_msg(jv_string("Path must be specified as an array"));
+   }
+  if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) {
+    jv_free(value);
+    jv_free(root);
+    jv_free(path);
+    return jv_invalid_with_msg(jv_string("Path too deep"));
+  }
+   if (!jv_is_valid(root)){
+     jv_free(value);
+     jv_free(path);
+@@ -434,6 +444,11 @@ jv jv_getpath(jv root, jv path) {
+     jv_free(path);
+     return jv_invalid_with_msg(jv_string("Path must be specified as an array"));
+   }
+  if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) {
+    jv_free(root);
+    jv_free(path);
+    return jv_invalid_with_msg(jv_string("Path too deep"));
+  }
+   if (!jv_is_valid(root)) {
+     jv_free(path);
+     return root;
+@@ -511,6 +526,12 @@ jv jv_delpaths(jv object, jv paths) {
+       jv_free(elem);
+       return err;
+     }
+    if (jv_array_length(jv_copy(elem)) > MAX_PATH_DEPTH) {
+      jv_free(object);
+      jv_free(paths);
+      jv_free(elem);
+      return jv_invalid_with_msg(jv_string("Path too deep"));
+    }
+     jv_free(elem);
+   }
+   if (jv_array_length(jv_copy(paths)) == 0) {
+diff --git a/tests/jq.test b/tests/jq.test
+index 4ecf72f..6186d8b 100644
+--- a/tests/jq.test
+++ b/tests/jq.test
+@@ -2507,3 +2507,28 @@ strflocaltime("" | ., @uri)
+ 0
+ ""
+ ""
+
+# regression test for CVE-2026-33947
+setpath([range(10000) | 0]; 0) | flatten
+null
+[0]
+
+try setpath([range(10001) | 0]; 0) catch .
+null
+"Path too deep"
+
+getpath([range(10000) | 0])
+null
+null
+
+try getpath([range(10001) | 0]) catch .
+null
+"Path too deep"
+
+delpaths([[range(10000) | 0]])
+null
+null
+
+try delpaths([[range(10001) | 0]]) catch .
+null
+"Path too deep"
diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
index 71d7387bf8..6df1d46f48 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
@@ -14,6 +14,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
           file://run-ptest \
           file://0001-Support-building-with-disable-maintainer-mode-and-so.patch \
           file://CVE-2026-32316.patch \
+           file://CVE-2026-33947.patch \
           "
 inherit autotools ptest
author	Gyorgy Sarvari <skandigraun@gmail.com>	2026-04-20 08:27:35 +0200
committer	Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-04-24 21:13:20 +0530
commit	f251c270256ff57bd1621415b4445e5f4b178c34 (patch)
tree	6f28bb3f78b40383b17047b43bd83e461b853422
parent	c5475650885213ef6e8be8de60ae536e7d360e07 (diff)
download	meta-openembedded-f251c270256ff57bd1621415b4445e5f4b178c34.tar.gz

diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch new file mode 100644 index 0000000000..69a8381f06 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch
@@ -0,0 +1,104 @@
		1	From 5fd935884a6f5b3d8ecdcacfc5d3982140f3a478 Mon Sep 17 00:00:00 2001
		2	From: itchyny <itchyny@cybozu.co.jp>
		3	Date: Mon, 13 Apr 2026 11:23:40 +0900
		4	Subject: [PATCH] Limit path depth to prevent stack overflow
		5
		6	Deeply nested path arrays can cause unbounded recursion in
		7	`jv_setpath`, `jv_getpath`, and `jv_delpaths`, leading to
		8	stack overflow. Add a depth limit of 10000 to match the
		9	existing `tojson` depth limit. This fixes CVE-2026-33947.
		10
		11	CVE: CVE-2026-33947
		12	Upstream-Status: Backport [https://github.com/jqlang/jq/commit/fb59f1491058d58bdc3e8dd28f1773d1ac690a1f]
		13	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		14	---
		15	src/jv_aux.c \| 21 +++++++++++++++++++++
		16	tests/jq.test \| 25 +++++++++++++++++++++++++
		17	2 files changed, 46 insertions(+)
		18
		19	diff --git a/src/jv_aux.c b/src/jv_aux.c
		20	index bc1405f..594a21f 100644
		21	--- a/src/jv_aux.c
		22	+++ b/src/jv_aux.c
		23	@@ -375,6 +375,10 @@ static jv jv_dels(jv t, jv keys) {
		24	return t;
		25	}
		26
		27	+#ifndef MAX_PATH_DEPTH
		28	+#define MAX_PATH_DEPTH (10000)
		29	+#endif
		30	+
		31	jv jv_setpath(jv root, jv path, jv value) {
		32	if (jv_get_kind(path) != JV_KIND_ARRAY) {
		33	jv_free(value);
		34	@@ -382,6 +386,12 @@ jv jv_setpath(jv root, jv path, jv value) {
		35	jv_free(path);
		36	return jv_invalid_with_msg(jv_string("Path must be specified as an array"));
		37	}
		38	+ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) {
		39	+ jv_free(value);
		40	+ jv_free(root);
		41	+ jv_free(path);
		42	+ return jv_invalid_with_msg(jv_string("Path too deep"));
		43	+ }
		44	if (!jv_is_valid(root)){
		45	jv_free(value);
		46	jv_free(path);
		47	@@ -434,6 +444,11 @@ jv jv_getpath(jv root, jv path) {
		48	jv_free(path);
		49	return jv_invalid_with_msg(jv_string("Path must be specified as an array"));
		50	}
		51	+ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) {
		52	+ jv_free(root);
		53	+ jv_free(path);
		54	+ return jv_invalid_with_msg(jv_string("Path too deep"));
		55	+ }
		56	if (!jv_is_valid(root)) {
		57	jv_free(path);
		58	return root;
		59	@@ -511,6 +526,12 @@ jv jv_delpaths(jv object, jv paths) {
		60	jv_free(elem);
		61	return err;
		62	}
		63	+ if (jv_array_length(jv_copy(elem)) > MAX_PATH_DEPTH) {
		64	+ jv_free(object);
		65	+ jv_free(paths);
		66	+ jv_free(elem);
		67	+ return jv_invalid_with_msg(jv_string("Path too deep"));
		68	+ }
		69	jv_free(elem);
		70	}
		71	if (jv_array_length(jv_copy(paths)) == 0) {
		72	diff --git a/tests/jq.test b/tests/jq.test
		73	index 4ecf72f..6186d8b 100644
		74	--- a/tests/jq.test
		75	+++ b/tests/jq.test
		76	@@ -2507,3 +2507,28 @@ strflocaltime("" \| ., @uri)
		77	0
		78	""
		79	""
		80	+
		81	+# regression test for CVE-2026-33947
		82	+setpath([range(10000) \| 0]; 0) \| flatten
		83	+null
		84	+[0]
		85	+
		86	+try setpath([range(10001) \| 0]; 0) catch .
		87	+null
		88	+"Path too deep"
		89	+
		90	+getpath([range(10000) \| 0])
		91	+null
		92	+null
		93	+
		94	+try getpath([range(10001) \| 0]) catch .
		95	+null
		96	+"Path too deep"
		97	+
		98	+delpaths([[range(10000) \| 0]])
		99	+null
		100	+null
		101	+
		102	+try delpaths([[range(10001) \| 0]]) catch .
		103	+null
		104	+"Path too deep"


diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 71d7387bf8..6df1d46f48 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
@@ -14,6 +14,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
14	file://run-ptest \	14	file://run-ptest \
15	file://0001-Support-building-with-disable-maintainer-mode-and-so.patch \	15	file://0001-Support-building-with-disable-maintainer-mode-and-so.patch \
16	file://CVE-2026-32316.patch \	16	file://CVE-2026-32316.patch \
		17	file://CVE-2026-33947.patch \
17	"	18	"
18		19
19	inherit autotools ptest	20	inherit autotools ptest