[meta-oe,04/17] jq: patch CVE-2026-33948

Message ID	20260420062750.3795917-4-skandigraun@gmail.com
State	Accepted
Headers	show Return-Path: <skandigraun@gmail.com> ip: 209.85.128.50, mailfrom: skandigraun@gmail.com) From: Gyorgy Sarvari <skandigraun@gmail.com> To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][PATCH 04/17] jq: patch CVE-2026-33948 Date: Mon, 20 Apr 2026 08:27:36 +0200 Message-ID: <20260420062750.3795917-4-skandigraun@gmail.com> In-Reply-To: <20260420062750.3795917-1-skandigraun@gmail.com> References: <20260420062750.3795917-1-skandigraun@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[meta-oe,01/17] fio: upgrade 3.41 -> 3.42 \| expand [meta-oe,01/17] fio: upgrade 3.41 -> 3.42 [meta-oe,02/17] jq: patch CVE-2026-32316 [meta-oe,03/17] jq: patch CVE-2026-33947 [meta-oe,04/17] jq: patch CVE-2026-33948 [meta-oe,05/17] jq: patch CVE-2026-39979 [meta-oe,06/17] lcms: patch CVE-2026-41254 [meta-networking,07/17] libcoap: upgrade 4.3.5a -> 4.3.5b [meta-oe,08/17] gphoto2: upgrade 2.5.28 -> 2.5.32 [meta-oe,09/17] libgphoto2: patch CVE-2026-40333 [meta-oe,10/17] libgphoto2: patch CVE-2026-40334 [meta-oe,11/17] libgphoto2: patch CVE-2026-40335 [meta-oe,12/17] libgphoto2: patch CVE-2026-40336 [meta-oe,13/17] libgphoto2: patch CVE-2026-40338 [meta-oe,14/17] libgphoto2: patch CVE-2026-40339 [meta-oe,15/17] libgphoto2: patch CVE-2026-40340 [meta-oe,16/17] libgphoto2: patch CVE-2026-40341 [meta-oe,17/17] libraw: mark CVE-2026-20911 and CVE-2026-21413 patched

Message ID

20260420062750.3795917-4-skandigraun@gmail.com

State

Accepted

Headers

From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][PATCH 04/17] jq: patch CVE-2026-33948
Date: Mon, 20 Apr 2026 08:27:36 +0200
Message-ID: <20260420062750.3795917-4-skandigraun@gmail.com>
In-Reply-To: <20260420062750.3795917-1-skandigraun@gmail.com>
References: <20260420062750.3795917-1-skandigraun@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[meta-oe,01/17] fio: upgrade 3.41 -> 3.42 | expand

Commit Message

Gyorgy Sarvari April 20, 2026, 6:27 a.m. UTC

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33948

Backport the patch that is referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../jq/jq/CVE-2026-33948.patch                | 49 +++++++++++++++++++
 meta-oe/recipes-devtools/jq/jq_1.8.1.bb       |  1 +
 2 files changed, 50 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch

diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch
new file mode 100644
index 0000000000..8625429c74
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch
@@ -0,0 +1,49 @@ 
+From 19a792c4cdb6b91c056eac033ac3367af6e67755 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Mon, 13 Apr 2026 08:46:11 +0900
+Subject: [PATCH] Fix NUL truncation in the JSON parser
+
+This fixes CVE-2026-33948.
+
+CVE: CVE-2026-33948
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/util.c   | 8 +-------
+ tests/shtest | 6 ++++++
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index bcb86da..60ec4d5 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -309,13 +309,7 @@ static int jq_util_input_read_more(jq_util_input_state *state) {
+       if (p != NULL)
+         state->current_line++;
+ 
+-      if (p == NULL && state->parser != NULL) {
+-        /*
+-         * There should be no NULs in JSON texts (but JSON text
+-         * sequences are another story).
+-         */
+-        state->buf_valid_len = strlen(state->buf);
+-      } else if (p == NULL && feof(state->current_input)) {
++      if (p == NULL && feof(state->current_input)) {
+         size_t i;
+ 
+         /*
+diff --git a/tests/shtest b/tests/shtest
+index 887a6bb..a046afe 100755
+--- a/tests/shtest
++++ b/tests/shtest
+@@ -842,4 +842,10 @@ if ! $msys && ! $mingw; then
+   fi
+ fi
+ 
++# CVE-2026-33948: No NUL truncation in the JSON parser
++if printf '{}\x00{}' | $JQ >/dev/null 2> /dev/null; then
++  printf 'Error expected but jq exited successfully\n' 1>&2
++  exit 1
++fi
++
+ exit 0
diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
index 6df1d46f48..acea1e4b27 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
@@ -15,6 +15,7 @@  SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
            file://0001-Support-building-with-disable-maintainer-mode-and-so.patch \
            file://CVE-2026-32316.patch \
            file://CVE-2026-33947.patch \
+           file://CVE-2026-33948.patch \
            "
 
 inherit autotools ptest

[meta-oe,04/17] jq: patch CVE-2026-33948

Commit Message

Patch