[PATCHv2,1/8] jq: patch CVE-2026-49839

Message ID 20260616062754.748436-1-antonsk@axis.com
State New
Series [PATCHv2,1/8] jq: patch CVE-2026-49839

Commit Message

Anton Skorup June 16, 2026, 6:27 a.m. UTC
From: Anton Skorup <anton@skorup.se>

CVE details: https://vulert.com/vuln-db/--4743

Signed-off-by: Anton Skorup <anton.skorup@axis.com>
---
v2
 * Added patch to stack of jq CVEs
---
 .../jq/jq/CVE-2026-49389.patch                | 31 +++++++++++++++++++
 meta-oe/recipes-devtools/jq/jq_1.8.1.bb       |  1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch

Comments

Khem Raj June 17, 2026, 1:25 a.m. UTC | #1
Please rebase it on top of latest master-next and resend.

On Tue, Jun 16, 2026 at 12:11 AM Anton Skorup via lists.openembedded.org
<antonsk=axis.com@lists.openembedded.org> wrote:

> From: Anton Skorup <anton@skorup.se>
>
> CVE details: https://vulert.com/vuln-db/--4743
>
> Signed-off-by: Anton Skorup <anton.skorup@axis.com>
> ---
> v2
>  * Added patch to stack of jq CVEs
> ---
>  .../jq/jq/CVE-2026-49389.patch                | 31 +++++++++++++++++++
>  meta-oe/recipes-devtools/jq/jq_1.8.1.bb       |  1 +
>  2 files changed, 32 insertions(+)
>  create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch
>
> diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch
> b/meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch
> new file mode 100644
> index 0000000000..3189158b4a
> --- /dev/null
> +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch
> @@ -0,0 +1,31 @@
> +From e987df0d463d85fd70825e042a082427e8275b86 Mon Sep 17 00:00:00 2001
> +From: itchyny <itchyny@cybozu.co.jp>
> +Date: Mon, 8 Jun 2026 22:14:48 +0900
> +Subject: [PATCH] Fix heap-buffer-overflow in raw file loading
> +
> +When `jv_string_append_buf` overflows the string length limit,
> +it returns an invalid `jv`; `jv_load_file` then re-entered it
> +on the invalid value and overran the heap. Break out of the loop
> +once the value is invalid.
> +
> +Fixes CVE-2026-49839.
> +
> +Signed-off-by: Anton Skorup <anton.skorup@axis.com>
> +Upstream-Status: Backport [
> https://github.com/jqlang/jq/commit/e987df0d463d85fd70825e042a082427e8275b86
> ]
> +---
> + src/jv_file.c | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/src/jv_file.c b/src/jv_file.c
> +index 7706b0e06e..fbc1e4d653 100644
> +--- a/src/jv_file.c
> ++++ b/src/jv_file.c
> +@@ -57,6 +57,8 @@ jv jv_load_file(const char* filename, int raw) {
> +
> +     if (raw) {
> +       data = jv_string_append_buf(data, buf, n);
> ++      if (!jv_is_valid(data))
> ++        break;
> +     } else {
> +       jv_parser_set_buf(parser, buf, n, !feof(file));
> +       jv value;
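Review bot: the header of the embedded patch, from the `From e987df0d...` line down to `Upstream-Status`, carries no `CVE:` tag; the id appears only in the sentence `Fixes CVE-2026-49839.`. Add a `CVE: CVE-2026-49839` line next to `Upstream-Status` so the fix is attributed to the right id in the patch header itself, independently of the file name.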
> diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
> b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
> index 026f6bfa71..0419ccd46d 100644
> --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
> +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
> @@ -17,6 +17,7 @@ SRC_URI = "git://
> github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
> <http://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-$%7B>
>             file://CVE-2026-33947.patch \
>             file://CVE-2026-33948.patch \
>             file://CVE-2026-39979.patch \
> +           file://CVE-2026-49389.patch \
>             "
>
>  inherit autotools ptest
> --
> 2.43.0

Patch

diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch
new file mode 100644
index 0000000000..3189158b4a
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch
@@ -0,0 +1,31 @@ 
+From e987df0d463d85fd70825e042a082427e8275b86 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Mon, 8 Jun 2026 22:14:48 +0900
+Subject: [PATCH] Fix heap-buffer-overflow in raw file loading
+
+When `jv_string_append_buf` overflows the string length limit,
+it returns an invalid `jv`; `jv_load_file` then re-entered it
+on the invalid value and overran the heap. Break out of the loop
+once the value is invalid.
+
+Fixes CVE-2026-49839.
+
+Signed-off-by: Anton Skorup <anton.skorup@axis.com>
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/e987df0d463d85fd70825e042a082427e8275b86]
+---
+ src/jv_file.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/jv_file.c b/src/jv_file.c
+index 7706b0e06e..fbc1e4d653 100644
+--- a/src/jv_file.c
++++ b/src/jv_file.c
+@@ -57,6 +57,8 @@ jv jv_load_file(const char* filename, int raw) {
+ 
+     if (raw) {
+       data = jv_string_append_buf(data, buf, n);
++      if (!jv_is_valid(data))
++        break;
+     } else {
+       jv_parser_set_buf(parser, buf, n, !feof(file));
+       jv value;
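Review bot: the new file is named `CVE-2026-49389.patch`, but the subject of this mail and the `Fixes CVE-2026-49839.` line inside the patch both give CVE-2026-49839, so the digits 3 and 8 look transposed in the file name. Rename the file to `CVE-2026-49839.patch`. Yocto's CVE checking takes patched ids from patch file names and `CVE:` tags, and the embedded header has neither for the right id, so as posted the recipe would be recorded as patching CVE-2026-49389 while CVE-2026-49839 stays reported as open.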
diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
index 026f6bfa71..0419ccd46d 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
@@ -17,6 +17,7 @@  SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
            file://CVE-2026-33947.patch \
            file://CVE-2026-33948.patch \
            file://CVE-2026-39979.patch \
+           file://CVE-2026-49389.patch \
            "
 
 inherit autotools ptest
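Review bot: the added SRC_URI entry `file://CVE-2026-49389.patch \` repeats the transposed id from the new file's name and does not match the CVE-2026-49839 given in the subject. Change it to `file://CVE-2026-49839.patch \` in the same revision as the file rename so the recipe and the patch file stay in step.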