jq: patch CVE-2026-33948

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33948 Backport the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2026-04-20 08:27:36 +0200
committer: Khem Raj <khem.raj@oss.qualcomm.com> 2026-04-20 07:35:33 -0700
commit: 8d399af3337b25d71f8cd4308b9788ac4e88b730 (patch)
tree: f7868f4661a7ec7b721dcd54daa40a704d77b6cc /meta-oe
parent: 525e18ce214213193d9a280de3bfd2deb847110e (diff)
download: meta-openembedded-8d399af3337b25d71f8cd4308b9788ac4e88b730.tar.gz
2 files changed, 50 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch
new file mode 100644
index 0000000000..8625429c74
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch
@@ -0,0 +1,49 @@
+From 19a792c4cdb6b91c056eac033ac3367af6e67755 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Mon, 13 Apr 2026 08:46:11 +0900
+Subject: [PATCH] Fix NUL truncation in the JSON parser
+This fixes CVE-2026-33948.
+CVE: CVE-2026-33948
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/util.c   | 8 +-------
+ tests/shtest | 6 ++++++
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+diff --git a/src/util.c b/src/util.c
+index bcb86da..60ec4d5 100644
+--- a/src/util.c
+++ b/src/util.c
+@@ -309,13 +309,7 @@ static int jq_util_input_read_more(jq_util_input_state *state) {
+       if (p != NULL)
+         state->current_line++;
+ 
+-      if (p == NULL && state->parser != NULL) {
+-        /*
+-         * There should be no NULs in JSON texts (but JSON text
+-         * sequences are another story).
+-         */
+-        state->buf_valid_len = strlen(state->buf);
+-      } else if (p == NULL && feof(state->current_input)) {
+      if (p == NULL && feof(state->current_input)) {
+         size_t i;
+ 
+         /*
+diff --git a/tests/shtest b/tests/shtest
+index 887a6bb..a046afe 100755
+--- a/tests/shtest
+++ b/tests/shtest
+@@ -842,4 +842,10 @@ if ! $msys && ! $mingw; then
+   fi
+ fi
+ 
+# CVE-2026-33948: No NUL truncation in the JSON parser
+if printf '{}\x00{}' | $JQ >/dev/null 2> /dev/null; then
+  printf 'Error expected but jq exited successfully\n' 1>&2
+  exit 1
+fi
+
+ exit 0
diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
index 6df1d46f48..acea1e4b27 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
           file://0001-Support-building-with-disable-maintainer-mode-and-so.patch \
           file://CVE-2026-32316.patch \
           file://CVE-2026-33947.patch \
+           file://CVE-2026-33948.patch \
           "
 inherit autotools ptest
author	Gyorgy Sarvari <skandigraun@gmail.com>	2026-04-20 08:27:36 +0200
committer	Khem Raj <khem.raj@oss.qualcomm.com>	2026-04-20 07:35:33 -0700
commit	8d399af3337b25d71f8cd4308b9788ac4e88b730 (patch)
tree	f7868f4661a7ec7b721dcd54daa40a704d77b6cc /meta-oe
parent	525e18ce214213193d9a280de3bfd2deb847110e (diff)
download	meta-openembedded-8d399af3337b25d71f8cd4308b9788ac4e88b730.tar.gz

diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch new file mode 100644 index 0000000000..8625429c74 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch
@@ -0,0 +1,49 @@
		1	From 19a792c4cdb6b91c056eac033ac3367af6e67755 Mon Sep 17 00:00:00 2001
		2	From: itchyny <itchyny@cybozu.co.jp>
		3	Date: Mon, 13 Apr 2026 08:46:11 +0900
		4	Subject: [PATCH] Fix NUL truncation in the JSON parser
		5
		6	This fixes CVE-2026-33948.
		7
		8	CVE: CVE-2026-33948
		9	Upstream-Status: Backport [https://github.com/jqlang/jq/commit/6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b]
		10	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		11	---
		12	src/util.c \| 8 +-------
		13	tests/shtest \| 6 ++++++
		14	2 files changed, 7 insertions(+), 7 deletions(-)
		15
		16	diff --git a/src/util.c b/src/util.c
		17	index bcb86da..60ec4d5 100644
		18	--- a/src/util.c
		19	+++ b/src/util.c
		20	@@ -309,13 +309,7 @@ static int jq_util_input_read_more(jq_util_input_state *state) {
		21	if (p != NULL)
		22	state->current_line++;
		23
		24	- if (p == NULL && state->parser != NULL) {
		25	- /*
		26	- * There should be no NULs in JSON texts (but JSON text
		27	- * sequences are another story).
		28	- */
		29	- state->buf_valid_len = strlen(state->buf);
		30	- } else if (p == NULL && feof(state->current_input)) {
		31	+ if (p == NULL && feof(state->current_input)) {
		32	size_t i;
		33
		34	/*
		35	diff --git a/tests/shtest b/tests/shtest
		36	index 887a6bb..a046afe 100755
		37	--- a/tests/shtest
		38	+++ b/tests/shtest
		39	@@ -842,4 +842,10 @@ if ! $msys && ! $mingw; then
		40	fi
		41	fi
		42
		43	+# CVE-2026-33948: No NUL truncation in the JSON parser
		44	+if printf '{}\x00{}' \| $JQ >/dev/null 2> /dev/null; then
		45	+ printf 'Error expected but jq exited successfully\n' 1>&2
		46	+ exit 1
		47	+fi
		48	+
		49	exit 0


diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 6df1d46f48..acea1e4b27 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
15	file://0001-Support-building-with-disable-maintainer-mode-and-so.patch \	15	file://0001-Support-building-with-disable-maintainer-mode-and-so.patch \
16	file://CVE-2026-32316.patch \	16	file://CVE-2026-32316.patch \
17	file://CVE-2026-33947.patch \	17	file://CVE-2026-33947.patch \
		18	file://CVE-2026-33948.patch \
18	"	19	"
19		20
20	inherit autotools ptest	21	inherit autotools ptest