jq: patch CVE-2026-32316

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32316 Backport the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2026-04-20 08:27:34 +0200
committer: Khem Raj <khem.raj@oss.qualcomm.com> 2026-04-20 07:35:33 -0700
commit: e94ab85126f12d77253107084dc8463c79b3e776 (patch)
tree: 05a8eb10165cbb526d092b17cef124697c865a0b /meta-oe/recipes-devtools
parent: 6fb954e73697b0bcf5fc7f4641f7add0d5e619c1 (diff)
download: meta-openembedded-e94ab85126f12d77253107084dc8463c79b3e776.tar.gz
2 files changed, 58 insertions, 5 deletions
diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-32316.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-32316.patch
new file mode 100644
index 0000000000..1277b356d8
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-32316.patch
@@ -0,0 +1,53 @@
+From 321e62b356df2d4ed47aba4f3818e447ec4d77fc Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Thu, 12 Mar 2026 20:28:43 +0900
+Subject: [PATCH] Fix heap buffer overflow in `jvp_string_append` and
+ `jvp_string_copy_replace_bad`
+In `jvp_string_append`, the allocation size `(currlen + len) * 2` could
+overflow `uint32_t` when `currlen + len` exceeds `INT_MAX`, causing a small
+allocation followed by a large `memcpy`.
+In `jvp_string_copy_replace_bad`, the output buffer size calculation
+`length * 3 + 1` could overflow `uint32_t`, again resulting in a small
+allocation followed by a large write.
+Add overflow checks to both functions to return an error for strings
+that would exceed `INT_MAX` in length. Fixes CVE-2026-32316.
+CVE: CVE-2026-32316
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/e47e56d226519635768e6aab2f38f0ab037c09e5]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/jv.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+diff --git a/src/jv.c b/src/jv.c
+index e4529a4..74be05a 100644
+--- a/src/jv.c
+++ b/src/jv.c
+@@ -1114,7 +1114,12 @@ static jv jvp_string_copy_replace_bad(const char* data, uint32_t length) {
+   const char* end = data + length;
+   const char* i = data;
+ 
+-  uint32_t maxlength = length * 3 + 1; // worst case: all bad bytes, each becomes a 3-byte U+FFFD
+  // worst case: all bad bytes, each becomes a 3-byte U+FFFD
+  uint64_t maxlength = (uint64_t)length * 3 + 1;
+  if (maxlength >= INT_MAX) {
+    return jv_invalid_with_msg(jv_string("String too long"));
+  }
+
+   jvp_string* s = jvp_string_alloc(maxlength);
+   char* out = s->data;
+   int c = 0;
+@@ -1174,6 +1179,10 @@ static uint32_t jvp_string_remaining_space(jvp_string* s) {
+ static jv jvp_string_append(jv string, const char* data, uint32_t len) {
+   jvp_string* s = jvp_string_ptr(string);
+   uint32_t currlen = jvp_string_length(s);
+  if ((uint64_t)currlen + len >= INT_MAX) {
+    jv_free(string);
+    return jv_invalid_with_msg(jv_string("String too long"));
+  }
+ 
+   if (jvp_refcnt_unshared(string.u.ptr) &&
+       jvp_string_remaining_space(s) >= len) {
diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
index 6eaa2de6df..71d7387bf8 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
@@ -10,11 +10,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=cf7fcb0a1def4a7ad62c028f7d0dca47"
 SRCREV = "4467af7068b1bcd7f882defff6e7ea674c5357f4"
-SRC_URI = " \
+SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${PV} \
-    git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${PV} \
+           file://run-ptest \
-    file://run-ptest \
+           file://0001-Support-building-with-disable-maintainer-mode-and-so.patch \
-    file://0001-Support-building-with-disable-maintainer-mode-and-so.patch \
+           file://CVE-2026-32316.patch \
-"
+           "
 inherit autotools ptest
author	Gyorgy Sarvari <skandigraun@gmail.com>	2026-04-20 08:27:34 +0200
committer	Khem Raj <khem.raj@oss.qualcomm.com>	2026-04-20 07:35:33 -0700
commit	e94ab85126f12d77253107084dc8463c79b3e776 (patch)
tree	05a8eb10165cbb526d092b17cef124697c865a0b /meta-oe/recipes-devtools
parent	6fb954e73697b0bcf5fc7f4641f7add0d5e619c1 (diff)
download	meta-openembedded-e94ab85126f12d77253107084dc8463c79b3e776.tar.gz

diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-32316.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-32316.patch new file mode 100644 index 0000000000..1277b356d8 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-32316.patch
@@ -0,0 +1,53 @@
		1	From 321e62b356df2d4ed47aba4f3818e447ec4d77fc Mon Sep 17 00:00:00 2001
		2	From: itchyny <itchyny@cybozu.co.jp>
		3	Date: Thu, 12 Mar 2026 20:28:43 +0900
		4	Subject: [PATCH] Fix heap buffer overflow in `jvp_string_append` and
		5	`jvp_string_copy_replace_bad`
		6
		7	In `jvp_string_append`, the allocation size `(currlen + len) * 2` could
		8	overflow `uint32_t` when `currlen + len` exceeds `INT_MAX`, causing a small
		9	allocation followed by a large `memcpy`.
		10
		11	In `jvp_string_copy_replace_bad`, the output buffer size calculation
		12	`length * 3 + 1` could overflow `uint32_t`, again resulting in a small
		13	allocation followed by a large write.
		14
		15	Add overflow checks to both functions to return an error for strings
		16	that would exceed `INT_MAX` in length. Fixes CVE-2026-32316.
		17
		18	CVE: CVE-2026-32316
		19	Upstream-Status: Backport [https://github.com/jqlang/jq/commit/e47e56d226519635768e6aab2f38f0ab037c09e5]
		20	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		21	---
		22	src/jv.c \| 11 ++++++++++-
		23	1 file changed, 10 insertions(+), 1 deletion(-)
		24
		25	diff --git a/src/jv.c b/src/jv.c
		26	index e4529a4..74be05a 100644
		27	--- a/src/jv.c
		28	+++ b/src/jv.c
		29	@@ -1114,7 +1114,12 @@ static jv jvp_string_copy_replace_bad(const char* data, uint32_t length) {
		30	const char* end = data + length;
		31	const char* i = data;
		32
		33	- uint32_t maxlength = length * 3 + 1; // worst case: all bad bytes, each becomes a 3-byte U+FFFD
		34	+ // worst case: all bad bytes, each becomes a 3-byte U+FFFD
		35	+ uint64_t maxlength = (uint64_t)length * 3 + 1;
		36	+ if (maxlength >= INT_MAX) {
		37	+ return jv_invalid_with_msg(jv_string("String too long"));
		38	+ }
		39	+
		40	jvp_string* s = jvp_string_alloc(maxlength);
		41	char* out = s->data;
		42	int c = 0;
		43	@@ -1174,6 +1179,10 @@ static uint32_t jvp_string_remaining_space(jvp_string* s) {
		44	static jv jvp_string_append(jv string, const char* data, uint32_t len) {
		45	jvp_string* s = jvp_string_ptr(string);
		46	uint32_t currlen = jvp_string_length(s);
		47	+ if ((uint64_t)currlen + len >= INT_MAX) {
		48	+ jv_free(string);
		49	+ return jv_invalid_with_msg(jv_string("String too long"));
		50	+ }
		51
		52	if (jvp_refcnt_unshared(string.u.ptr) &&
		53	jvp_string_remaining_space(s) >= len) {


diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 6eaa2de6df..71d7387bf8 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
@@ -10,11 +10,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=cf7fcb0a1def4a7ad62c028f7d0dca47"
10		10
11	SRCREV = "4467af7068b1bcd7f882defff6e7ea674c5357f4"	11	SRCREV = "4467af7068b1bcd7f882defff6e7ea674c5357f4"
12		12
13	SRC_URI = " \	13	SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${PV} \
14	git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${PV} \	14	file://run-ptest \
15	file://run-ptest \	15	file://0001-Support-building-with-disable-maintainer-mode-and-so.patch \
16	file://0001-Support-building-with-disable-maintainer-mode-and-so.patch \	16	file://CVE-2026-32316.patch \
17	"	17	"
18		18
19	inherit autotools ptest	19	inherit autotools ptest
20		20