summaryrefslogtreecommitdiffstats
path: root/meta-oe
diff options
context:
space:
mode:
authorAnkur Tyagi <ankur.tyagi85@gmail.com>2026-04-27 01:03:44 +1200
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-04-29 10:14:29 +0530
commit18de8de0ef441e05deeccb319658696202b02ad8 (patch)
tree7a442dfc103c221e53f479d75021e9b5b6694f2b /meta-oe
parent9bdfbd20b270bbfd77cbd0dc2b8de37a118e6460 (diff)
downloadmeta-openembedded-18de8de0ef441e05deeccb319658696202b02ad8.tar.gz
jq: patch CVE-2026-33947
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33947 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-oe')
-rw-r--r--meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch107
-rw-r--r--meta-oe/recipes-devtools/jq/jq_1.7.1.bb1
2 files changed, 108 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch
new file mode 100644
index 0000000000..bf1a506311
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch
@@ -0,0 +1,107 @@
1From d6a36423898f756355c270c4acae335318ac357c Mon Sep 17 00:00:00 2001
2From: itchyny <itchyny@cybozu.co.jp>
3Date: Mon, 13 Apr 2026 11:23:40 +0900
4Subject: [PATCH] Limit path depth to prevent stack overflow
5
6Deeply nested path arrays can cause unbounded recursion in
7`jv_setpath`, `jv_getpath`, and `jv_delpaths`, leading to
8stack overflow. Add a depth limit of 10000 to match the
9existing `tojson` depth limit. This fixes CVE-2026-33947.
10
11(cherry picked from commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f)
12
13CVE: CVE-2026-33947
14Upstream-Status: Backport [https://github.com/jqlang/jq/commit/fb59f1491058d58bdc3e8dd28f1773d1ac690a1f]
15Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
16---
17 src/jv_aux.c | 21 +++++++++++++++++++++
18 tests/jq.test | 25 +++++++++++++++++++++++++
19 2 files changed, 46 insertions(+)
20
21diff --git a/src/jv_aux.c b/src/jv_aux.c
22index bbe1c0d..0855053 100644
23--- a/src/jv_aux.c
24+++ b/src/jv_aux.c
25@@ -376,6 +376,10 @@ static jv jv_dels(jv t, jv keys) {
26 return t;
27 }
28
29+#ifndef MAX_PATH_DEPTH
30+#define MAX_PATH_DEPTH (10000)
31+#endif
32+
33 jv jv_setpath(jv root, jv path, jv value) {
34 if (jv_get_kind(path) != JV_KIND_ARRAY) {
35 jv_free(value);
36@@ -383,6 +387,12 @@ jv jv_setpath(jv root, jv path, jv value) {
37 jv_free(path);
38 return jv_invalid_with_msg(jv_string("Path must be specified as an array"));
39 }
40+ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) {
41+ jv_free(value);
42+ jv_free(root);
43+ jv_free(path);
44+ return jv_invalid_with_msg(jv_string("Path too deep"));
45+ }
46 if (!jv_is_valid(root)){
47 jv_free(value);
48 jv_free(path);
49@@ -434,6 +444,11 @@ jv jv_getpath(jv root, jv path) {
50 jv_free(path);
51 return jv_invalid_with_msg(jv_string("Path must be specified as an array"));
52 }
53+ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) {
54+ jv_free(root);
55+ jv_free(path);
56+ return jv_invalid_with_msg(jv_string("Path too deep"));
57+ }
58 if (!jv_is_valid(root)) {
59 jv_free(path);
60 return root;
61@@ -511,6 +526,12 @@ jv jv_delpaths(jv object, jv paths) {
62 jv_free(elem);
63 return err;
64 }
65+ if (jv_array_length(jv_copy(elem)) > MAX_PATH_DEPTH) {
66+ jv_free(object);
67+ jv_free(paths);
68+ jv_free(elem);
69+ return jv_invalid_with_msg(jv_string("Path too deep"));
70+ }
71 jv_free(elem);
72 }
73 if (jv_array_length(jv_copy(paths)) == 0) {
74diff --git a/tests/jq.test b/tests/jq.test
75index ecb9116..4d57301 100644
76--- a/tests/jq.test
77+++ b/tests/jq.test
78@@ -2129,3 +2129,28 @@ try ltrimstr("x") catch "x", try rtrimstr("x") catch "x" | "ok"
79 {"hey":[]}
80 "ok"
81 "ok"
82+
83+# regression test for CVE-2026-33947
84+setpath([range(10000) | 0]; 0) | flatten
85+null
86+[0]
87+
88+try setpath([range(10001) | 0]; 0) catch .
89+null
90+"Path too deep"
91+
92+getpath([range(10000) | 0])
93+null
94+null
95+
96+try getpath([range(10001) | 0]) catch .
97+null
98+"Path too deep"
99+
100+delpaths([[range(10000) | 0]])
101+null
102+null
103+
104+try delpaths([[range(10001) | 0]]) catch .
105+null
106+"Path too deep"
107\ No newline at end of file
diff --git a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb
index c0211ca8bd..ce7748f22c 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb
@@ -17,6 +17,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \
17 file://CVE-2025-9403.patch \ 17 file://CVE-2025-9403.patch \
18 file://CVE-2026-40164.patch \ 18 file://CVE-2026-40164.patch \
19 file://CVE-2026-32316.patch \ 19 file://CVE-2026-32316.patch \
20 file://CVE-2026-33947.patch \
20 " 21 "
21SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2" 22SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
22 23