[meta-oe,PATCHv2,6/8] jq: patch CVE-2026-40612

Message ID	20260617053040.990143-6-antonsk@axis.com
State	New
Headers	show Return-Path: <david.partain@est.tech> ip: 52.101.65.17, mailfrom: anton.skorup@axis.com) Received-SPF: Pass (protection.outlook.com: domain of axis.com designates 195.60.68.100 as permitted sender) receiver=protection.outlook.com; client-ip=195.60.68.100; helo=mail.axis.com; pr=C From: Anton Skorup <antonsk@axis.com> To: <openembedded-devel@lists.openembedded.org> CC: Anton Skorup <anton@skorup.se>, Anton Skorup <anton.skorup@axis.com> Subject: [meta-oe][PATCHv2 6/8] jq: patch CVE-2026-40612 Date: Wed, 17 Jun 2026 07:30:38 +0200 Message-ID: <20260617053040.990143-6-antonsk@axis.com> In-Reply-To: <20260617053040.990143-1-antonsk@axis.com> References: <20260617053040.990143-1-antonsk@axis.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain
Series	[meta-oe,PATCHv3,1/8] jq: patch CVE-2026-49839 \| expand [meta-oe,PATCHv3,1/8] jq: patch CVE-2026-49839 [meta-oe,PATCHv2,2/8] jq: patch CVE-2026-41256 [meta-oe,PATCHv2,3/8] jq: patch CVE-2026-44777 [meta-oe,PATCHv2,4/8] jq: patch CVE-2026-43896 [meta-oe,PATCHv2,5/8] jq: patch CVE-2026-41257 [meta-oe,PATCHv2,6/8] jq: patch CVE-2026-40612 [meta-oe,PATCHv2,7/8] jq: patch CVE-2026-43894 [meta-oe,8/8] jq: patch CVE-2026-43895

Message ID

20260617053040.990143-6-antonsk@axis.com

State

New

Headers

Received-SPF: Pass (protection.outlook.com: domain of axis.com designates
 195.60.68.100 as permitted sender) receiver=protection.outlook.com;
 client-ip=195.60.68.100; helo=mail.axis.com; pr=C
From: Anton Skorup <antonsk@axis.com>
To: <openembedded-devel@lists.openembedded.org>
CC: Anton Skorup <anton@skorup.se>, Anton Skorup <anton.skorup@axis.com>
Subject: [meta-oe][PATCHv2 6/8] jq: patch CVE-2026-40612
Date: Wed, 17 Jun 2026 07:30:38 +0200
Message-ID: <20260617053040.990143-6-antonsk@axis.com>
In-Reply-To: <20260617053040.990143-1-antonsk@axis.com>
References: <20260617053040.990143-1-antonsk@axis.com>
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
	w202XEZnqDziAtxdhBkM2VWyX92OPsOSzIH+/expJJB2eFnPSlm4fG78RNKQlU5EoXUz5kErkeTfOcywYeajkgZ0XM2EF4xcyCNaAjlrVlpxK5ceDaFUuXnsDASNcqvBVrGs/aKqo2FvvCqNjwSGrm8Hzr0V2k9J2Qc3LB4Mww0PY9odWI7zHeEOqfEAP/IQOVBvqEPlwji/lVaGw6Kp91iluBMKriB/5qKU6DaRuO3ZEAMve9rZRixvAnGlOUdmpV3yB5lZRpLszhCMBFHrXvzVX71iLWxlK/uQgSgfQ1b7HKyqumCrAcuu0oq62UuSVdutkaBYhpyyNiPEyVh3jkIaJ81FkMXBo4j0VD1uDx77rQuqMRdeYTan+ij4rPpzhGy9LstEXYI48UIxWAOp8+mJHC4cdkD6xhcEcyMNEiiASLhhz21SnzTlW03FrYNY
X-OriginatorOrg: axis.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Jun 2026 05:30:46.9049
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 ad29c753-776e-4adf-6309-08decc3195a9
X-MS-Exchange-CrossTenant-Id: 78703d3c-b907-432f-b066-88f7af9ca3af
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: 
 TenantId=78703d3c-b907-432f-b066-88f7af9ca3af;Ip=[195.60.68.100];Helo=[mail.axis.com]
X-MS-Exchange-CrossTenant-AuthSource: 
	AMS1EPF00000042.eurprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBBPR02MB10556
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Wed, 17 Jun 2026 06:14:28 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/127632

Series

[meta-oe,PATCHv3,1/8] jq: patch CVE-2026-49839 | expand

Commit Message

Anton Skorup June 17, 2026, 5:30 a.m. UTC

From: Anton Skorup <anton@skorup.se>

CVE details: https://www.cve.org/CVERecord?id=CVE-2026-40612

Signed-off-by: Anton Skorup <anton.skorup@axis.com>
---
 .../jq/jq/CVE-2026-40612.patch                | 136 ++++++++++++++++++
 meta-oe/recipes-devtools/jq/jq_1.8.1.bb       |   1 +
 2 files changed, 137 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch

diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch
new file mode 100644
index 0000000000..4078b8b10d
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch
@@ -0,0 +1,136 @@ 
+From d1a12569d91641135976a8536776a4a329c02cc2 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Fri, 24 Apr 2026 22:02:24 +0900
+Subject: [PATCH] Limit the containment check depth
+
+This fixes CVE-2026-40612.
+
+Signed-off-by: Anton Skorup
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/d1a12569d91641135976a8536776a4a329c02cc2]
+---
+ src/builtin.c |  5 ++++-
+ src/jv.c      | 40 +++++++++++++++++++++++++++-------------
+ tests/jq.test |  9 +++++++++
+ 3 files changed, 40 insertions(+), 14 deletions(-)
+
+diff --git a/src/builtin.c b/src/builtin.c
+index d33e9fb162..2b2a2d40da 100644
+--- a/src/builtin.c
++++ b/src/builtin.c
+@@ -421,7 +421,10 @@ jv binop_greatereq(jv a, jv b) {
+ 
+ static jv f_contains(jq_state *jq, jv a, jv b) {
+   if (jv_get_kind(a) == jv_get_kind(b)) {
+-    return jv_bool(jv_contains(a, b));
++    int r = jv_contains(a, b);
++    if (r < 0)
++      return jv_invalid_with_msg(jv_string("Containment check too deep"));
++    return jv_bool(r);
+   } else {
+     return type_error2(a, b, "cannot have their containment checked");
+   }
+diff --git a/src/jv.c b/src/jv.c
+index 607ac174f7..4b18c00cf6 100644
+--- a/src/jv.c
++++ b/src/jv.c
+@@ -938,19 +938,19 @@ static void jvp_clamp_slice_params(int len, int *pstart, int *pend)
+ }
+ 
+ 
+-static int jvp_array_contains(jv a, jv b) {
++static int jvp_contains(jv a, jv b, int depth);
++
++static int jvp_array_contains(jv a, jv b, int depth) {
+   int r = 1;
+   jv_array_foreach(b, bi, belem) {
+     int ri = 0;
+     jv_array_foreach(a, ai, aelem) {
+-      if (jv_contains(aelem, jv_copy(belem))) {
+-        ri = 1;
+-        break;
+-      }
++      ri = jvp_contains(aelem, jv_copy(belem), depth);
++      if (ri) break;
+     }
+     jv_free(belem);
+-    if (!ri) {
+-      r = 0;
++    if (ri <= 0) {
++      r = ri;
+       break;
+     }
+   }
+@@ -1844,7 +1844,7 @@ static int jvp_object_equal(jv o1, jv o2) {
+   return len1 == len2;
+ }
+ 
+-static int jvp_object_contains(jv a, jv b) {
++static int jvp_object_contains(jv a, jv b, int depth) {
+   assert(JVP_HAS_KIND(a, JV_KIND_OBJECT));
+   assert(JVP_HAS_KIND(b, JV_KIND_OBJECT));
+   int r = 1;
+@@ -1852,9 +1852,9 @@ static int jvp_object_contains(jv a, jv b) {
+   jv_object_foreach(b, key, b_val) {
+     jv a_val = jv_object_get(jv_copy(a), key);
+ 
+-    r = jv_contains(a_val, b_val);
++    r = jvp_contains(a_val, b_val, depth);
+ 
+-    if (!r) break;
++    if (r <= 0) break;
+   }
+   return r;
+ }
+@@ -2086,14 +2086,23 @@ int jv_identical(jv a, jv b) {
+   return r;
+ }
+ 
+-int jv_contains(jv a, jv b) {
++#ifndef MAX_CONTAINS_DEPTH
++#define MAX_CONTAINS_DEPTH (10000)
++#endif
++
++static int jvp_contains(jv a, jv b, int depth) {
++  if (depth > MAX_CONTAINS_DEPTH) {
++    jv_free(a);
++    jv_free(b);
++    return -1;
++  }
+   int r = 1;
+   if (jv_get_kind(a) != jv_get_kind(b)) {
+     r = 0;
+   } else if (JVP_HAS_KIND(a, JV_KIND_OBJECT)) {
+-    r = jvp_object_contains(a, b);
++    r = jvp_object_contains(a, b, depth + 1);
+   } else if (JVP_HAS_KIND(a, JV_KIND_ARRAY)) {
+-    r = jvp_array_contains(a, b);
++    r = jvp_array_contains(a, b, depth + 1);
+   } else if (JVP_HAS_KIND(a, JV_KIND_STRING)) {
+     int b_len = jv_string_length_bytes(jv_copy(b));
+     if (b_len != 0) {
+@@ -2109,3 +2118,8 @@ int jv_contains(jv a, jv b) {
+   jv_free(b);
+   return r;
+ }
++
++// Returns 1 (contained), 0 (not contained), or -1 (too deep)
++int jv_contains(jv a, jv b) {
++  return jvp_contains(a, b, 0);
++}
+diff --git a/tests/jq.test b/tests/jq.test
+index 0cd5198f8d..8094a5b6eb 100644
+--- a/tests/jq.test
++++ b/tests/jq.test
+@@ -2593,3 +2593,12 @@ null
+ try delpaths([[range(10001) | 0]]) catch .
+ null
+ "Path too deep"
++
++# regression test for CVE-2026-40612
++reduce range(10000) as $_ ([]; [.]) | contains([[]])
++null
++true
++
++try (reduce range(10001) as $_ ([]; [.]) as $x | $x | contains($x)) catch .
++null
++"Containment check too deep"
diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
index 9af7e00f3b..aff33589b9 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
@@ -17,6 +17,7 @@  SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
            file://CVE-2026-33947.patch \
            file://CVE-2026-33948.patch \
            file://CVE-2026-39979.patch \
+           file://CVE-2026-40612.patch \
            file://CVE-2026-41256.patch \
            file://CVE-2026-41257.patch \
            file://CVE-2026-43896.patch \

[meta-oe,PATCHv2,6/8] jq: patch CVE-2026-40612

Commit Message

Patch