[meta-oe,scarthgap,v2,0/1] jq-1.7.1: Backport multiple CVE fixes

Message ID 20250708080158.50374-2-roland.kovacs@est.tech

Message

Roland Kovács July 8, 2025, 8:01 a.m. UTC
From: Roland Kovacs <roland.kovacs@est.tech>

I forgot to run patchtest before sending v1, so this version includes the missing
'Upstream-Status' and 'CVE' fields in the added patch files.

Roland Kovacs (1):
  jq-1.7.1: Backport multiple CVE fixes

 .../jq/jq/CVE-2024-23337.patch                | 236 ++++++++++++++++++
 .../jq/jq/CVE-2024-53427.patch                |  82 ++++++
 .../jq/jq/CVE-2025-48060.patch                |  48 ++++
 meta-oe/recipes-devtools/jq/jq_1.7.1.bb       |   3 +
 4 files changed, 369 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2024-23337.patch
 create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2024-53427.patch
 create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2025-48060.patch

Comments

Martin Jansa Aug. 1, 2025, 8:29 p.m. UTC | #1
Looks like v1 without Upstream-Status was merged to scarthgap, can you
please rebase this v2 and send follow-up patch adding the
Upstream-Status?

On Tue, Jul 8, 2025 at 10:02 AM roland.kovacs via
lists.openembedded.org <roland.kovacs=est.tech@lists.openembedded.org>
wrote:
>
> From: Roland Kovacs <roland.kovacs@est.tech>
>
> I forgot to run patchtest before sending v1, so this version includes the missing
> 'Upstream-Status' and 'CVE' fields in the added patch files.
>
> Roland Kovacs (1):
>   jq-1.7.1: Backport multiple CVE fixes
>
>  .../jq/jq/CVE-2024-23337.patch                | 236 ++++++++++++++++++
>  .../jq/jq/CVE-2024-53427.patch                |  82 ++++++
>  .../jq/jq/CVE-2025-48060.patch                |  48 ++++
>  meta-oe/recipes-devtools/jq/jq_1.7.1.bb       |   3 +
>  4 files changed, 369 insertions(+)
>  create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2024-23337.patch
>  create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2024-53427.patch
>  create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2025-48060.patch
>
Roland Kovács Aug. 14, 2025, 8:23 a.m. UTC | #2
On Fri, 2025-08-01 at 22:29 +0200, Martin Jansa via lists.openembedded.org wrote:
> Looks like v1 without Upstream-Status was merged to scarthgap, can you
> please rebase this v2 and send follow-up patch adding the
> Upstream-Status?
> 
> On Tue, Jul 8, 2025 at 10:02 AM roland.kovacs via
> lists.openembedded.org <roland.kovacs=est.tech@lists.openembedded.org>
> wrote:
> > 
> > From: Roland Kovacs <roland.kovacs@est.tech>
> > 
> > I forgot to run patchtest before sending v1, so this version includes the missing
> > 'Upstream-Status' and 'CVE' fields in the added patch files.
> > 
> > Roland Kovacs (1):
> >   jq-1.7.1: Backport multiple CVE fixes
> > 
> >  .../jq/jq/CVE-2024-23337.patch                | 236 ++++++++++++++++++
> >  .../jq/jq/CVE-2024-53427.patch                |  82 ++++++
> >  .../jq/jq/CVE-2025-48060.patch                |  48 ++++
> >  meta-oe/recipes-devtools/jq/jq_1.7.1.bb       |   3 +
> >  4 files changed, 369 insertions(+)
> >  create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2024-23337.patch
> >  create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2024-53427.patch
> >  create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2025-48060.patch
> > 
Hi Martin,

I see you already sent the fix out. Thanks for spotting this and sorry for not picking it up in
time.

Cheers,
	Roland