diff mbox series

[meta-OE,wrynose,1/6] jq: Fix CVE-2026-40612

Message ID 20260706152022.873284-1-spushpka@cisco.com
State Under Review
Delegated to: Anuj Mittal
Headers show
Series [meta-OE,wrynose,1/6] jq: Fix CVE-2026-40612 | expand

Commit Message

From: Shubham Pushpkar <spushpka@cisco.com>

The upstream fix [3] is for a newer jq codebase. Debian has already
backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes
this CVE as tracked in Debian bug #1136445 [2].

[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-40612.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/d1a12569d91641135976a8536776a4a329c02cc2

Reference:
https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j

Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
---
 .../jq/jq/CVE-2026-40612.patch                | 127 ++++++++++++++++++
 meta-oe/recipes-devtools/jq/jq_1.8.1.bb       |   1 +
 2 files changed, 128 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch
diff mbox series

Patch

diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch
new file mode 100644
index 0000000000..f7cae01e21
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch
@@ -0,0 +1,127 @@ 
+From f1a72c7b5eb9c9e99576b2ca8e59ab1f36a2a4e3 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Fri, 24 Apr 2026 22:02:24 +0900
+Subject: [PATCH] Limit the containment check depth
+
+This fixes CVE-2026-40612.
+
+CVE: CVE-2026-40612
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/d1a12569d91641135976a8536776a4a329c02cc2]
+
+Backport Changes:
+- Dropped the duplicate tests/jq.test hunk because Wrynose already carries
+  the same regression coverage in existing CVE-2026-47770.patch.
+
+(cherry picked from commit d1a12569d91641135976a8536776a4a329c02cc2)
+Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
+---
+ src/builtin.c |  5 ++++-
+ src/jv.c      | 40 +++++++++++++++++++++++++++-------------
+ 2 files changed, 32 insertions(+), 13 deletions(-)
+
+diff --git a/src/builtin.c b/src/builtin.c
+index 902490d..378be02 100644
+--- a/src/builtin.c
++++ b/src/builtin.c
+@@ -471,7 +471,10 @@ jv binop_greatereq(jv a, jv b) {
+
+ static jv f_contains(jq_state *jq, jv a, jv b) {
+   if (jv_get_kind(a) == jv_get_kind(b)) {
+-    return jv_bool(jv_contains(a, b));
++    int r = jv_contains(a, b);
++    if (r < 0)
++      return jv_invalid_with_msg(jv_string("Containment check too deep"));
++    return jv_bool(r);
+   } else {
+     return type_error2(a, b, "cannot have their containment checked");
+   }
+diff --git a/src/jv.c b/src/jv.c
+index 08ded35..5a2c3a2 100644
+--- a/src/jv.c
++++ b/src/jv.c
+@@ -914,19 +914,19 @@ static void jvp_clamp_slice_params(int len, int *pstart, int *pend)
+ }
+
+
+-static int jvp_array_contains(jv a, jv b) {
++static int jvp_contains(jv a, jv b, int depth);
++
++static int jvp_array_contains(jv a, jv b, int depth) {
+   int r = 1;
+   jv_array_foreach(b, bi, belem) {
+     int ri = 0;
+     jv_array_foreach(a, ai, aelem) {
+-      if (jv_contains(aelem, jv_copy(belem))) {
+-        ri = 1;
+-        break;
+-      }
++      ri = jvp_contains(aelem, jv_copy(belem), depth);
++      if (ri) break;
+     }
+     jv_free(belem);
+-    if (!ri) {
+-      r = 0;
++    if (ri <= 0) {
++      r = ri;
+       break;
+     }
+   }
+@@ -1794,7 +1794,7 @@ static int jvp_object_equal(jv o1, jv o2) {
+   return len1 == len2;
+ }
+
+-static int jvp_object_contains(jv a, jv b) {
++static int jvp_object_contains(jv a, jv b, int depth) {
+   assert(JVP_HAS_KIND(a, JV_KIND_OBJECT));
+   assert(JVP_HAS_KIND(b, JV_KIND_OBJECT));
+   int r = 1;
+@@ -1802,9 +1802,9 @@ static int jvp_object_contains(jv a, jv b) {
+   jv_object_foreach(b, key, b_val) {
+     jv a_val = jv_object_get(jv_copy(a), key);
+
+-    r = jv_contains(a_val, b_val);
++    r = jvp_contains(a_val, b_val, depth);
+
+-    if (!r) break;
++    if (r <= 0) break;
+   }
+   return r;
+ }
+@@ -2035,14 +2035,23 @@ int jv_identical(jv a, jv b) {
+   return r;
+ }
+
+-int jv_contains(jv a, jv b) {
++#ifndef MAX_CONTAINS_DEPTH
++#define MAX_CONTAINS_DEPTH (10000)
++#endif
++
++static int jvp_contains(jv a, jv b, int depth) {
++  if (depth > MAX_CONTAINS_DEPTH) {
++    jv_free(a);
++    jv_free(b);
++    return -1;
++  }
+   int r = 1;
+   if (jv_get_kind(a) != jv_get_kind(b)) {
+     r = 0;
+   } else if (JVP_HAS_KIND(a, JV_KIND_OBJECT)) {
+-    r = jvp_object_contains(a, b);
++    r = jvp_object_contains(a, b, depth + 1);
+   } else if (JVP_HAS_KIND(a, JV_KIND_ARRAY)) {
+-    r = jvp_array_contains(a, b);
++    r = jvp_array_contains(a, b, depth + 1);
+   } else if (JVP_HAS_KIND(a, JV_KIND_STRING)) {
+     int b_len = jv_string_length_bytes(jv_copy(b));
+     if (b_len != 0) {
+@@ -2058,3 +2067,8 @@ int jv_contains(jv a, jv b) {
+   jv_free(b);
+   return r;
+ }
++
++// Returns 1 (contained), 0 (not contained), or -1 (too deep)
++int jv_contains(jv a, jv b) {
++  return jvp_contains(a, b, 0);
++}
+--
+2.44.4
diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
index 7665ba2511..9f0fcf8cb5 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
@@ -18,6 +18,7 @@  SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
            file://CVE-2026-33948.patch \
            file://CVE-2026-39979.patch \
            file://CVE-2026-47770.patch \
+           file://CVE-2026-40612.patch \
            "
 
 inherit autotools ptest