summaryrefslogtreecommitdiffstats
path: root/meta-oe/recipes-devtools
diff options
context:
space:
mode:
authorDivya Chellam <divya.chellam@windriver.com>2025-10-24 19:21:08 +0530
committerAnuj Mittal <anuj.mittal@intel.com>2025-10-30 15:11:47 +0800
commit62b9edf47be6b70d77ac6a662cedc9dbbb96e550 (patch)
treef5239494a3a0d44cd87f01f6ce599a5c838b3de5 /meta-oe/recipes-devtools
parent9fd485ca64a6e7a1ea7157c224ba6d8a336ce950 (diff)
downloadmeta-openembedded-62b9edf47be6b70d77ac6a662cedc9dbbb96e550.tar.gz
jq: fix CVE-2025-9403
A vulnerability was determined in jqlang jq up to 1.6. Impacted is the function run_jq_tests of the file jq_test.c of the component JSON Parser. Executing manipulation can lead to reachable assertion. The attack requires local access. The exploit has been publicly disclosed and may be utilized. Other versions might be affected as well. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-9403 Upstream-patch: https://github.com/jqlang/jq/commit/a4d9d540103ff9a262e304329c277ec89b27e5f9 Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Diffstat (limited to 'meta-oe/recipes-devtools')
-rw-r--r--meta-oe/recipes-devtools/jq/jq/CVE-2025-9403.patch49
-rw-r--r--meta-oe/recipes-devtools/jq/jq_1.7.1.bb1
2 files changed, 50 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2025-9403.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2025-9403.patch
new file mode 100644
index 0000000000..19d769a6f5
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2025-9403.patch
@@ -0,0 +1,49 @@
1From a4d9d540103ff9a262e304329c277ec89b27e5f9 Mon Sep 17 00:00:00 2001
2From: itchyny <itchyny@cybozu.co.jp>
3Date: Mon, 15 Sep 2025 07:47:51 +0900
4Subject: [PATCH] Fix expected value assertion for NaN value (fix #3393)
5 (#3408)
6
7CVE: CVE-2025-9403
8
9Upstream-Status: Backport [https://github.com/jqlang/jq/commit/a4d9d540103ff9a262e304329c277ec89b27e5f9]
10
11Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
12---
13 src/jq_test.c | 13 ++++++++-----
14 1 file changed, 8 insertions(+), 5 deletions(-)
15
16diff --git a/src/jq_test.c b/src/jq_test.c
17index 3945686..f42b05c 100644
18--- a/src/jq_test.c
19+++ b/src/jq_test.c
20@@ -2,6 +2,7 @@
21 #include <stdio.h>
22 #include <string.h>
23 #include <stdlib.h>
24+#include <math.h>
25 #ifdef HAVE_PTHREAD
26 #include <pthread.h>
27 #endif
28@@ -208,11 +209,13 @@ static void run_jq_tests(jv lib_dirs, int verbose, FILE *testdata, int skip, int
29 printf(" for test at line number %u: %s\n", lineno, prog);
30 pass = 0;
31 }
32- jv as_string = jv_dump_string(jv_copy(expected), rand() & ~(JV_PRINT_COLOR|JV_PRINT_REFCOUNT));
33- jv reparsed = jv_parse_sized(jv_string_value(as_string), jv_string_length_bytes(jv_copy(as_string)));
34- assert(jv_equal(jv_copy(expected), jv_copy(reparsed)));
35- jv_free(as_string);
36- jv_free(reparsed);
37+ if (!(jv_get_kind(expected) == JV_KIND_NUMBER && isnan(jv_number_value(expected)))) {
38+ jv as_string = jv_dump_string(jv_copy(expected), rand() & ~(JV_PRINT_COLOR|JV_PRINT_REFCOUNT));
39+ jv reparsed = jv_parse_sized(jv_string_value(as_string), jv_string_length_bytes(jv_copy(as_string)));
40+ assert(jv_equal(jv_copy(expected), jv_copy(reparsed)));
41+ jv_free(as_string);
42+ jv_free(reparsed);
43+ }
44 jv_free(expected);
45 jv_free(actual);
46 }
47--
482.40.0
49
diff --git a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb
index 9238474319..dfc8dda7ee 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb
@@ -14,6 +14,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \
14 file://CVE-2024-23337.patch \ 14 file://CVE-2024-23337.patch \
15 file://CVE-2024-53427.patch \ 15 file://CVE-2024-53427.patch \
16 file://CVE-2025-48060.patch \ 16 file://CVE-2025-48060.patch \
17 file://CVE-2025-9403.patch \
17 " 18 "
18SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2" 19SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
19 20