diff mbox series

[meta-oe,scarthgap,3/9] jq: patch CVE-2026-33948

Message ID 20260426130351.793052-3-ankur.tyagi85@gmail.com
State Under Review
Delegated to: Anuj Mittal
Headers show
Series [meta-oe,scarthgap,1/9] jq: patch CVE-2026-32316 | expand

Commit Message

Ankur Tyagi April 26, 2026, 1:03 p.m. UTC 
From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33948

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../jq/jq/CVE-2026-33948.patch                | 51 +++++++++++++++++++
 meta-oe/recipes-devtools/jq/jq_1.7.1.bb       |  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch
diff mbox series

Patch

diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch
new file mode 100644
index 0000000000..a2aabec059
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch
@@ -0,0 +1,51 @@ 
+From 4676c3e5675ba6e8422b021375acbd7c0ba450b0 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Mon, 13 Apr 2026 08:46:11 +0900
+Subject: [PATCH] Fix NUL truncation in the JSON parser
+
+This fixes CVE-2026-33948.
+
+(cherry picked from commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b)
+
+CVE: CVE-2026-33948
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/util.c   | 8 +-------
+ tests/shtest | 6 ++++++
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index de44fa6..422a8b8 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -311,13 +311,7 @@ static int jq_util_input_read_more(jq_util_input_state *state) {
+       if (p != NULL)
+         state->current_line++;
+ 
+-      if (p == NULL && state->parser != NULL) {
+-        /*
+-         * There should be no NULs in JSON texts (but JSON text
+-         * sequences are another story).
+-         */
+-        state->buf_valid_len = strlen(state->buf);
+-      } else if (p == NULL && feof(state->current_input)) {
++      if (p == NULL && feof(state->current_input)) {
+         size_t i;
+ 
+         /*
+diff --git a/tests/shtest b/tests/shtest
+index a471889..0397ca0 100755
+--- a/tests/shtest
++++ b/tests/shtest
+@@ -609,4 +609,10 @@ $VALGRIND $Q $JQ . <<\NUM
+ -10E-1000000001
+ NUM
+ 
++# CVE-2026-33948: No NUL truncation in the JSON parser
++if printf '{}\x00{}' | $JQ >/dev/null 2> /dev/null; then
++  printf 'Error expected but jq exited successfully\n' 1>&2
++  exit 1
++fi
++
+ exit 0
diff --git a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb
index 7b7910bc72..975d7d7007 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb
@@ -17,6 +17,7 @@  SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \
     file://CVE-2025-9403.patch \
     file://CVE-2026-32316.patch \
     file://CVE-2026-33947.patch \
+    file://CVE-2026-33948.patch \
     "
 SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"