diff options
| author | Ankur Tyagi <ankur.tyagi85@gmail.com> | 2026-04-27 01:03:44 +1200 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2026-04-29 10:14:29 +0530 |
| commit | 18de8de0ef441e05deeccb319658696202b02ad8 (patch) | |
| tree | 7a442dfc103c221e53f479d75021e9b5b6694f2b /meta-oe | |
| parent | 9bdfbd20b270bbfd77cbd0dc2b8de37a118e6460 (diff) | |
| download | meta-openembedded-18de8de0ef441e05deeccb319658696202b02ad8.tar.gz | |
jq: patch CVE-2026-33947
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33947
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-oe')
| -rw-r--r-- | meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch | 107 | ||||
| -rw-r--r-- | meta-oe/recipes-devtools/jq/jq_1.7.1.bb | 1 |
2 files changed, 108 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch new file mode 100644 index 0000000000..bf1a506311 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch | |||
| @@ -0,0 +1,107 @@ | |||
| 1 | From d6a36423898f756355c270c4acae335318ac357c Mon Sep 17 00:00:00 2001 | ||
| 2 | From: itchyny <itchyny@cybozu.co.jp> | ||
| 3 | Date: Mon, 13 Apr 2026 11:23:40 +0900 | ||
| 4 | Subject: [PATCH] Limit path depth to prevent stack overflow | ||
| 5 | |||
| 6 | Deeply nested path arrays can cause unbounded recursion in | ||
| 7 | `jv_setpath`, `jv_getpath`, and `jv_delpaths`, leading to | ||
| 8 | stack overflow. Add a depth limit of 10000 to match the | ||
| 9 | existing `tojson` depth limit. This fixes CVE-2026-33947. | ||
| 10 | |||
| 11 | (cherry picked from commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f) | ||
| 12 | |||
| 13 | CVE: CVE-2026-33947 | ||
| 14 | Upstream-Status: Backport [https://github.com/jqlang/jq/commit/fb59f1491058d58bdc3e8dd28f1773d1ac690a1f] | ||
| 15 | Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> | ||
| 16 | --- | ||
| 17 | src/jv_aux.c | 21 +++++++++++++++++++++ | ||
| 18 | tests/jq.test | 25 +++++++++++++++++++++++++ | ||
| 19 | 2 files changed, 46 insertions(+) | ||
| 20 | |||
| 21 | diff --git a/src/jv_aux.c b/src/jv_aux.c | ||
| 22 | index bbe1c0d..0855053 100644 | ||
| 23 | --- a/src/jv_aux.c | ||
| 24 | +++ b/src/jv_aux.c | ||
| 25 | @@ -376,6 +376,10 @@ static jv jv_dels(jv t, jv keys) { | ||
| 26 | return t; | ||
| 27 | } | ||
| 28 | |||
| 29 | +#ifndef MAX_PATH_DEPTH | ||
| 30 | +#define MAX_PATH_DEPTH (10000) | ||
| 31 | +#endif | ||
| 32 | + | ||
| 33 | jv jv_setpath(jv root, jv path, jv value) { | ||
| 34 | if (jv_get_kind(path) != JV_KIND_ARRAY) { | ||
| 35 | jv_free(value); | ||
| 36 | @@ -383,6 +387,12 @@ jv jv_setpath(jv root, jv path, jv value) { | ||
| 37 | jv_free(path); | ||
| 38 | return jv_invalid_with_msg(jv_string("Path must be specified as an array")); | ||
| 39 | } | ||
| 40 | + if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) { | ||
| 41 | + jv_free(value); | ||
| 42 | + jv_free(root); | ||
| 43 | + jv_free(path); | ||
| 44 | + return jv_invalid_with_msg(jv_string("Path too deep")); | ||
| 45 | + } | ||
| 46 | if (!jv_is_valid(root)){ | ||
| 47 | jv_free(value); | ||
| 48 | jv_free(path); | ||
| 49 | @@ -434,6 +444,11 @@ jv jv_getpath(jv root, jv path) { | ||
| 50 | jv_free(path); | ||
| 51 | return jv_invalid_with_msg(jv_string("Path must be specified as an array")); | ||
| 52 | } | ||
| 53 | + if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) { | ||
| 54 | + jv_free(root); | ||
| 55 | + jv_free(path); | ||
| 56 | + return jv_invalid_with_msg(jv_string("Path too deep")); | ||
| 57 | + } | ||
| 58 | if (!jv_is_valid(root)) { | ||
| 59 | jv_free(path); | ||
| 60 | return root; | ||
| 61 | @@ -511,6 +526,12 @@ jv jv_delpaths(jv object, jv paths) { | ||
| 62 | jv_free(elem); | ||
| 63 | return err; | ||
| 64 | } | ||
| 65 | + if (jv_array_length(jv_copy(elem)) > MAX_PATH_DEPTH) { | ||
| 66 | + jv_free(object); | ||
| 67 | + jv_free(paths); | ||
| 68 | + jv_free(elem); | ||
| 69 | + return jv_invalid_with_msg(jv_string("Path too deep")); | ||
| 70 | + } | ||
| 71 | jv_free(elem); | ||
| 72 | } | ||
| 73 | if (jv_array_length(jv_copy(paths)) == 0) { | ||
| 74 | diff --git a/tests/jq.test b/tests/jq.test | ||
| 75 | index ecb9116..4d57301 100644 | ||
| 76 | --- a/tests/jq.test | ||
| 77 | +++ b/tests/jq.test | ||
| 78 | @@ -2129,3 +2129,28 @@ try ltrimstr("x") catch "x", try rtrimstr("x") catch "x" | "ok" | ||
| 79 | {"hey":[]} | ||
| 80 | "ok" | ||
| 81 | "ok" | ||
| 82 | + | ||
| 83 | +# regression test for CVE-2026-33947 | ||
| 84 | +setpath([range(10000) | 0]; 0) | flatten | ||
| 85 | +null | ||
| 86 | +[0] | ||
| 87 | + | ||
| 88 | +try setpath([range(10001) | 0]; 0) catch . | ||
| 89 | +null | ||
| 90 | +"Path too deep" | ||
| 91 | + | ||
| 92 | +getpath([range(10000) | 0]) | ||
| 93 | +null | ||
| 94 | +null | ||
| 95 | + | ||
| 96 | +try getpath([range(10001) | 0]) catch . | ||
| 97 | +null | ||
| 98 | +"Path too deep" | ||
| 99 | + | ||
| 100 | +delpaths([[range(10000) | 0]]) | ||
| 101 | +null | ||
| 102 | +null | ||
| 103 | + | ||
| 104 | +try delpaths([[range(10001) | 0]]) catch . | ||
| 105 | +null | ||
| 106 | +"Path too deep" | ||
| 107 | \ No newline at end of file | ||
diff --git a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb index c0211ca8bd..ce7748f22c 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb | |||
| @@ -17,6 +17,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \ | |||
| 17 | file://CVE-2025-9403.patch \ | 17 | file://CVE-2025-9403.patch \ |
| 18 | file://CVE-2026-40164.patch \ | 18 | file://CVE-2026-40164.patch \ |
| 19 | file://CVE-2026-32316.patch \ | 19 | file://CVE-2026-32316.patch \ |
| 20 | file://CVE-2026-33947.patch \ | ||
| 20 | " | 21 | " |
| 21 | SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2" | 22 | SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2" |
| 22 | 23 | ||
