diff options
| -rw-r--r-- | meta-oe/recipes-devtools/jq/jq/CVE-2026-40164.patch | 92 | ||||
| -rw-r--r-- | meta-oe/recipes-devtools/jq/jq_1.7.1.bb | 1 |
2 files changed, 93 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-40164.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40164.patch new file mode 100644 index 0000000000..91b778a6b4 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40164.patch | |||
| @@ -0,0 +1,92 @@ | |||
| 1 | From 5077fc0780810ba556518ff3ae34df0832a469d4 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: itchyny <itchyny@cybozu.co.jp> | ||
| 3 | Date: Mon, 13 Apr 2026 08:53:26 +0900 | ||
| 4 | Subject: [PATCH] Randomize hash seed to mitigate hash collision DoS attacks | ||
| 5 | |||
| 6 | The hash function used a fixed seed, allowing attackers to craft colliding keys | ||
| 7 | and cause O(n^2) object parsing performance. Initialize the seed from a random | ||
| 8 | source at process startup to prevent the attack. This fixes CVE-2026-40164. | ||
| 9 | |||
| 10 | Co-authored-by: Asaf Meizner <asafmeizner@gmail.com> | ||
| 11 | |||
| 12 | CVE: CVE-2026-40164 | ||
| 13 | Upstream-Status: Backport [https://github.com/jqlang/jq/commit/0c7d133c3c7e37c00b6d46b658a02244fdd3c784] | ||
| 14 | |||
| 15 | Signed-off-by: Daniel Turull <daniel.turull@ericsson.com> | ||
| 16 | --- | ||
| 17 | configure.ac | 2 ++ | ||
| 18 | src/jv.c | 34 ++++++++++++++++++++++++++++++++-- | ||
| 19 | 2 files changed, 34 insertions(+), 2 deletions(-) | ||
| 20 | |||
| 21 | diff --git a/configure.ac b/configure.ac | ||
| 22 | index 118e084..7f12b52 100644 | ||
| 23 | --- a/configure.ac | ||
| 24 | +++ b/configure.ac | ||
| 25 | @@ -149,6 +149,8 @@ AC_CHECK_MEMBER([struct tm.tm_gmtoff], [AC_DEFINE([HAVE_TM_TM_GMT_OFF],1,[Define | ||
| 26 | AC_CHECK_MEMBER([struct tm.__tm_gmtoff], [AC_DEFINE([HAVE_TM___TM_GMT_OFF],1,[Define to 1 if the system has the __tm_gmt_off field in struct tm])], | ||
| 27 | [], [[#include <time.h>]]) | ||
| 28 | AC_FIND_FUNC([setlocale], [c], [#include <locale.h>], [0,0]) | ||
| 29 | +AC_FIND_FUNC([arc4random], [c], [#include <stdlib.h>], []) | ||
| 30 | +AC_FIND_FUNC([getentropy], [c], [#include <unistd.h>], [0, 0]) | ||
| 31 | |||
| 32 | dnl Figure out if we have the pthread functions we actually need | ||
| 33 | AC_FIND_FUNC_NO_LIBS([pthread_key_create], [], [#include <pthread.h>], [NULL, NULL]) | ||
| 34 | diff --git a/src/jv.c b/src/jv.c | ||
| 35 | index 18dbb54..27cc2a4 100644 | ||
| 36 | --- a/src/jv.c | ||
| 37 | +++ b/src/jv.c | ||
| 38 | @@ -40,6 +40,10 @@ | ||
| 39 | #include <limits.h> | ||
| 40 | #include <math.h> | ||
| 41 | #include <float.h> | ||
| 42 | +#include <time.h> | ||
| 43 | +#include <unistd.h> | ||
| 44 | +#include <fcntl.h> | ||
| 45 | +#include <pthread.h> | ||
| 46 | |||
| 47 | #include "jv_alloc.h" | ||
| 48 | #include "jv.h" | ||
| 49 | @@ -1174,7 +1178,33 @@ static jv jvp_string_append(jv string, const char* data, uint32_t len) { | ||
| 50 | } | ||
| 51 | } | ||
| 52 | |||
| 53 | -static const uint32_t HASH_SEED = 0x432A9843; | ||
| 54 | +static uint32_t hash_seed; | ||
| 55 | +static pthread_once_t hash_seed_once = PTHREAD_ONCE_INIT; | ||
| 56 | + | ||
| 57 | +static void jvp_hash_seed_init(void) { | ||
| 58 | + uint32_t seed; | ||
| 59 | +#if defined(HAVE_ARC4RANDOM) | ||
| 60 | + seed = arc4random(); | ||
| 61 | +#elif defined(HAVE_GETENTROPY) | ||
| 62 | + if (getentropy(&seed, sizeof(seed)) != 0) | ||
| 63 | + seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); | ||
| 64 | +#else | ||
| 65 | + int fd = open("/dev/urandom", O_RDONLY); | ||
| 66 | + if (fd >= 0) { | ||
| 67 | + if (read(fd, &seed, sizeof(seed)) != 4) | ||
| 68 | + seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); | ||
| 69 | + close(fd); | ||
| 70 | + } else { | ||
| 71 | + seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); | ||
| 72 | + } | ||
| 73 | +#endif | ||
| 74 | + hash_seed = seed; | ||
| 75 | +} | ||
| 76 | + | ||
| 77 | +static uint32_t jvp_hash_seed(void) { | ||
| 78 | + pthread_once(&hash_seed_once, jvp_hash_seed_init); | ||
| 79 | + return hash_seed; | ||
| 80 | +} | ||
| 81 | |||
| 82 | static uint32_t rotl32 (uint32_t x, int8_t r){ | ||
| 83 | return (x << r) | (x >> (32 - r)); | ||
| 84 | @@ -1193,7 +1223,7 @@ static uint32_t jvp_string_hash(jv jstr) { | ||
| 85 | int len = (int)jvp_string_length(str); | ||
| 86 | const int nblocks = len / 4; | ||
| 87 | |||
| 88 | - uint32_t h1 = HASH_SEED; | ||
| 89 | + uint32_t h1 = jvp_hash_seed(); | ||
| 90 | |||
| 91 | const uint32_t c1 = 0xcc9e2d51; | ||
| 92 | const uint32_t c2 = 0x1b873593; | ||
diff --git a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb index dfc8dda7ee..566e8017dc 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb | |||
| @@ -15,6 +15,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \ | |||
| 15 | file://CVE-2024-53427.patch \ | 15 | file://CVE-2024-53427.patch \ |
| 16 | file://CVE-2025-48060.patch \ | 16 | file://CVE-2025-48060.patch \ |
| 17 | file://CVE-2025-9403.patch \ | 17 | file://CVE-2025-9403.patch \ |
| 18 | file://CVE-2026-40164.patch \ | ||
| 18 | " | 19 | " |
| 19 | SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2" | 20 | SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2" |
| 20 | 21 | ||
