summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta-oe/recipes-devtools/jq/jq/CVE-2026-40164.patch92
-rw-r--r--meta-oe/recipes-devtools/jq/jq_1.7.1.bb1
2 files changed, 93 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-40164.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40164.patch
new file mode 100644
index 0000000000..91b778a6b4
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40164.patch
@@ -0,0 +1,92 @@
1From 5077fc0780810ba556518ff3ae34df0832a469d4 Mon Sep 17 00:00:00 2001
2From: itchyny <itchyny@cybozu.co.jp>
3Date: Mon, 13 Apr 2026 08:53:26 +0900
4Subject: [PATCH] Randomize hash seed to mitigate hash collision DoS attacks
5
6The hash function used a fixed seed, allowing attackers to craft colliding keys
7and cause O(n^2) object parsing performance. Initialize the seed from a random
8source at process startup to prevent the attack. This fixes CVE-2026-40164.
9
10Co-authored-by: Asaf Meizner <asafmeizner@gmail.com>
11
12CVE: CVE-2026-40164
13Upstream-Status: Backport [https://github.com/jqlang/jq/commit/0c7d133c3c7e37c00b6d46b658a02244fdd3c784]
14
15Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
16---
17 configure.ac | 2 ++
18 src/jv.c | 34 ++++++++++++++++++++++++++++++++--
19 2 files changed, 34 insertions(+), 2 deletions(-)
20
21diff --git a/configure.ac b/configure.ac
22index 118e084..7f12b52 100644
23--- a/configure.ac
24+++ b/configure.ac
25@@ -149,6 +149,8 @@ AC_CHECK_MEMBER([struct tm.tm_gmtoff], [AC_DEFINE([HAVE_TM_TM_GMT_OFF],1,[Define
26 AC_CHECK_MEMBER([struct tm.__tm_gmtoff], [AC_DEFINE([HAVE_TM___TM_GMT_OFF],1,[Define to 1 if the system has the __tm_gmt_off field in struct tm])],
27 [], [[#include <time.h>]])
28 AC_FIND_FUNC([setlocale], [c], [#include <locale.h>], [0,0])
29+AC_FIND_FUNC([arc4random], [c], [#include <stdlib.h>], [])
30+AC_FIND_FUNC([getentropy], [c], [#include <unistd.h>], [0, 0])
31
32 dnl Figure out if we have the pthread functions we actually need
33 AC_FIND_FUNC_NO_LIBS([pthread_key_create], [], [#include <pthread.h>], [NULL, NULL])
34diff --git a/src/jv.c b/src/jv.c
35index 18dbb54..27cc2a4 100644
36--- a/src/jv.c
37+++ b/src/jv.c
38@@ -40,6 +40,10 @@
39 #include <limits.h>
40 #include <math.h>
41 #include <float.h>
42+#include <time.h>
43+#include <unistd.h>
44+#include <fcntl.h>
45+#include <pthread.h>
46
47 #include "jv_alloc.h"
48 #include "jv.h"
49@@ -1174,7 +1178,33 @@ static jv jvp_string_append(jv string, const char* data, uint32_t len) {
50 }
51 }
52
53-static const uint32_t HASH_SEED = 0x432A9843;
54+static uint32_t hash_seed;
55+static pthread_once_t hash_seed_once = PTHREAD_ONCE_INIT;
56+
57+static void jvp_hash_seed_init(void) {
58+ uint32_t seed;
59+#if defined(HAVE_ARC4RANDOM)
60+ seed = arc4random();
61+#elif defined(HAVE_GETENTROPY)
62+ if (getentropy(&seed, sizeof(seed)) != 0)
63+ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL);
64+#else
65+ int fd = open("/dev/urandom", O_RDONLY);
66+ if (fd >= 0) {
67+ if (read(fd, &seed, sizeof(seed)) != 4)
68+ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL);
69+ close(fd);
70+ } else {
71+ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL);
72+ }
73+#endif
74+ hash_seed = seed;
75+}
76+
77+static uint32_t jvp_hash_seed(void) {
78+ pthread_once(&hash_seed_once, jvp_hash_seed_init);
79+ return hash_seed;
80+}
81
82 static uint32_t rotl32 (uint32_t x, int8_t r){
83 return (x << r) | (x >> (32 - r));
84@@ -1193,7 +1223,7 @@ static uint32_t jvp_string_hash(jv jstr) {
85 int len = (int)jvp_string_length(str);
86 const int nblocks = len / 4;
87
88- uint32_t h1 = HASH_SEED;
89+ uint32_t h1 = jvp_hash_seed();
90
91 const uint32_t c1 = 0xcc9e2d51;
92 const uint32_t c2 = 0x1b873593;
diff --git a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb
index dfc8dda7ee..566e8017dc 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb
@@ -15,6 +15,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \
15 file://CVE-2024-53427.patch \ 15 file://CVE-2024-53427.patch \
16 file://CVE-2025-48060.patch \ 16 file://CVE-2025-48060.patch \
17 file://CVE-2025-9403.patch \ 17 file://CVE-2025-9403.patch \
18 file://CVE-2026-40164.patch \
18 " 19 "
19SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2" 20SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
20 21