From patchwork Tue Jun 16 06:27:47 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anton Skorup X-Patchwork-Id: 90172 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A5D9FCD98DA for ; Tue, 16 Jun 2026 07:11:52 +0000 (UTC) Received: from DB3PR0202CU003.outbound.protection.outlook.com (DB3PR0202CU003.outbound.protection.outlook.com [52.101.84.11]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.148000.1781591286357168447 for ; Mon, 15 Jun 2026 23:28:06 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@axis.com header.s=selector1 header.b=AMAm6k8V; spf=pass (domain: axis.com, ip: 52.101.84.11, mailfrom: anton.skorup@axis.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=nS5dDD36YCp2zFwKfWctTP+KiUIJg2F08zaQWAFGv4Ujf4liGz0XCuFTJf8qQtnoXhjaYz9aKmsdH/0ooqE+47DPOhy2N8n4yj/g2IypCe6AvpcK3/H7XlsYRDuiXgYx8x3Siqjn2tGG68PHF8c5E0qpp6qQ9dyeJhTg98SXfER8jP4M8Owds7eFiVwkYkXXBQN2iN9EFJ41xf9aQETtBfO4BtDexa35z0y0zqSSoKYmzfDaMad7tnVffDT7wXNIJGqNR7HtxF8/v+LKtItPLEReUZJIXxhB9HqINqGeZDVDPEtGRWITebOhq8r0hA19ZoG06ChBvnnjGz1asuoeAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=81MyZJ35Bk9uu8QYVLLbGf9RBlyMbWTPrZSTa8wr1lQ=; b=jgcYzN/cd+y39N06c1ddmf8+8Fm9dO0mhQGjNLDQhxHSYtD0apA+z/l7hxHVl64sIvgoyvAH/8RgQZFIX4ZyEd5vWLObgwhhVJVlrURMy/qdlxIjNtStIlaXfQKqETEgBurQPoV5rf08c1DVs0BVHwy86uBQVQT+1xRBXLSQsY3ecdnN6+pMeF0ru9srOVNJJ9Aq3apvQyyLBt3zcX2iXFImsph3v6arrgBdaVXdVGdiiUX6ZOz5TbS7xVUfXNPPBK2ruxZVxzCVJlvAqZzisEqjn6T0OBiI2kNJA6giZ+VNNEDXsTheer8omocWJegZQpy+bEynyZXPXlY1c2K6ag== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 195.60.68.100) smtp.rcpttodomain=lists.openembedded.org smtp.mailfrom=axis.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=axis.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=axis.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=81MyZJ35Bk9uu8QYVLLbGf9RBlyMbWTPrZSTa8wr1lQ=; b=AMAm6k8VpIBOuQGHwRJhqZkZGrqycggOpAOLEfB4Mz9cJmyx8PYyDUVuTCOwdNN5s67exAUesaWNS8EA1WrQYlTcpo+dVss2vb1prtAPwoyEqc9R54ExFH3VB6GHdsshMcPAyHB+/ZzGyn3vcPRSG8pBImIZYPgQnpwIxSMTI4I= Received: from CWLP265CA0428.GBRP265.PROD.OUTLOOK.COM (2603:10a6:400:1d7::16) by MI3PR02MB12486.eurprd02.prod.outlook.com (2603:10a6:290:7e::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.113.16; Tue, 16 Jun 2026 06:28:00 +0000 Received: from AM2PEPF0001C715.eurprd05.prod.outlook.com (2603:10a6:400:1d7:cafe::a8) by CWLP265CA0428.outlook.office365.com (2603:10a6:400:1d7::16) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.113.18 via Frontend Transport; Tue, 16 Jun 2026 06:27:57 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 195.60.68.100) smtp.mailfrom=axis.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=axis.com; Received-SPF: Pass (protection.outlook.com: domain of axis.com designates 195.60.68.100 as permitted sender) receiver=protection.outlook.com; client-ip=195.60.68.100; helo=mail.axis.com; pr=C Received: from mail.axis.com (195.60.68.100) by AM2PEPF0001C715.mail.protection.outlook.com (10.167.16.185) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.139.8 via Frontend Transport; Tue, 16 Jun 2026 06:27:57 +0000 Received: from se-mail10w.axis.com (10.20.40.10) by se-mail10w.axis.com (10.20.40.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1748.39; Tue, 16 Jun 2026 08:27:56 +0200 Received: from se-intmail01x.se.axis.com (10.4.0.28) by se-mail10w.axis.com (10.20.40.10) with Microsoft SMTP Server id 15.2.1748.39 via Frontend Transport; Tue, 16 Jun 2026 08:27:56 +0200 Received: from pc62260-2523.se.axis.com (pc62260-2523.se.axis.com [10.92.71.7]) by se-intmail01x.se.axis.com (Postfix) with ESMTP id E870728FC; Tue, 16 Jun 2026 08:27:56 +0200 (CEST) Received: by pc62260-2523.se.axis.com (Postfix, from userid 19544) id E37538461E6; Tue, 16 Jun 2026 08:27:56 +0200 (CEST) From: Anton Skorup To: CC: Anton Skorup , Anton Skorup Subject: [PATCHv2 1/8] jq: patch CVE-2026-49839 Date: Tue, 16 Jun 2026 08:27:47 +0200 Message-ID: <20260616062754.748436-1-antonsk@axis.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AM2PEPF0001C715:EE_|MI3PR02MB12486:EE_ X-MS-Office365-Filtering-Correlation-Id: a4b33d25-054a-4cfc-70ed-08decb7067da X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|23010399003|82310400026|376014|36860700016|18002099003|11063799006|3023799007|56012099006|6133799003; X-Microsoft-Antispam-Message-Info: JAdpWCW3WmQPR1G2Abyun7DZDgRx2amqu0U+Yimw2eV/UW1pLtZL9JJetgEIwjsVCerYSi5Yv+vm3mFRDKUON+1Gnr6Br3qwL3EZln2LhtOo4TDJw5Jl5Ol34aVdBF9+SxpivW7yqfAGUI53zPuN4ZkrsWCa5ce1uT9+6qfOtwm/B398eJfFv79xigL4taMoS9Xn8oJagjq1GVWNMbjZwnD2Nl/Q2snnElY9mCzUVy+XAbwCJSdWI1fx89zmImp+0ehrKF4WbJZ/8bhSaKZhd6A8mV3OP0M3ZnsOgRfjGYnvasT6bgtAU+IRU/RxEcSm9BEk7mYcZTVKcH6PXmewUtvu5MOJC7g8X3TFyMRa3lJYR6O6K6zPCADlEWhNGNgpkJaRPAsyvq/VjFbBqxCiLZCbmx94zkzYBS99tiB2FJKQVowpsg7VsHuI9gHF3BNe9nqPF/whO7FjlU42SdOXGxsVVZsDC6+w8N/V0yvPMZZM3Wn+whPWWDVrxj4v24YtV3kOzF9TNVQtIDGjZXF8sLvbK/EjymmIHl2fEJJnfSNRzzRK/Q0vFMb+safbLCgnHFGbdb5mGbTfTGT8SJVfkxj9CAA7fS/7RcSGkBZGGm0KRsVLlMs89nAaN2I0bDjgJa8B0vsy+Atq81q83O9VKSdJuJl3pPn+5XI5bIqHT44/Bl3Qj3GE8y08vFVnyHBsgAqD/iFJ1qrTeJayaMqUfzU9WPvCbvExY/QebtbRENY= X-Forefront-Antispam-Report: CIP:195.60.68.100;CTRY:SE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.axis.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(1800799024)(23010399003)(82310400026)(376014)(36860700016)(18002099003)(11063799006)(3023799007)(56012099006)(6133799003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: cUpqpOublyS5WWQKNmJ+MhzeGudCjjHXoDqvklSuQ8qoELvbxBVlBA2LCO5/vTkAg/sTV12oJYYFQS8V8ja1IG+kpWUlsygISE8LTQm1Op8lt9i/p/Y0pP8yGcQKlrLCEIXwLaR+UKAoGE+aA8T5kdoniVQDqAIy7wXilUSOkkTZmrQc15O5kl4EZX0+1apdoBhTO5JRWE+xXBWns1j2KNPS/yUTNzbe9F822ZYokIhBdG8M+DzGfBEhhmQiA2v8ysBkkNgWDEqCnINsWVrj0WIx+Pk27uRsl+eaqptwgjax8a0jy/7o7FM04qj7fy3h1s8eQs2epjBJHwT5k8377AToNQtyuHEAcGmsqxXVfURaMxK/QUdXaa0hEE+USGGef4izYT/oA0c+3JvDjvlRUB8Jp8LpH7RMpfGHNC0EtnBqxYnBldKhRCpYuAGCSmgK X-OriginatorOrg: axis.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Jun 2026 06:27:57.1932 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: a4b33d25-054a-4cfc-70ed-08decb7067da X-MS-Exchange-CrossTenant-Id: 78703d3c-b907-432f-b066-88f7af9ca3af X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=78703d3c-b907-432f-b066-88f7af9ca3af;Ip=[195.60.68.100];Helo=[mail.axis.com] X-MS-Exchange-CrossTenant-AuthSource: AM2PEPF0001C715.eurprd05.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: MI3PR02MB12486 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 16 Jun 2026 07:11:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127606 From: Anton Skorup CVE details: https://vulert.com/vuln-db/--4743 Signed-off-by: Anton Skorup --- v2 * Added patch to stack of jq CVEs --- .../jq/jq/CVE-2026-49389.patch | 31 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 32 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch new file mode 100644 index 0000000000..3189158b4a --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch @@ -0,0 +1,31 @@ +From e987df0d463d85fd70825e042a082427e8275b86 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Mon, 8 Jun 2026 22:14:48 +0900 +Subject: [PATCH] Fix heap-buffer-overflow in raw file loading + +When `jv_string_append_buf` overflows the string length limit, +it returns an invalid `jv`; `jv_load_file` then re-entered it +on the invalid value and overran the heap. Break out of the loop +once the value is invalid. + +Fixes CVE-2026-49839. + +Signed-off-by: Anton Skorup +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/e987df0d463d85fd70825e042a082427e8275b86] +--- + src/jv_file.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/jv_file.c b/src/jv_file.c +index 7706b0e06e..fbc1e4d653 100644 +--- a/src/jv_file.c ++++ b/src/jv_file.c +@@ -57,6 +57,8 @@ jv jv_load_file(const char* filename, int raw) { + + if (raw) { + data = jv_string_append_buf(data, buf, n); ++ if (!jv_is_valid(data)) ++ break; + } else { + jv_parser_set_buf(parser, buf, n, !feof(file)); + jv value; diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 026f6bfa71..0419ccd46d 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-33947.patch \ file://CVE-2026-33948.patch \ file://CVE-2026-39979.patch \ + file://CVE-2026-49389.patch \ " inherit autotools ptest From patchwork Tue Jun 16 06:27:48 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anton Skorup X-Patchwork-Id: 90178 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8B290CD98DA for ; Tue, 16 Jun 2026 07:12:42 +0000 (UTC) Received: from GVXPR05CU001.outbound.protection.outlook.com (GVXPR05CU001.outbound.protection.outlook.com [52.101.83.41]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.148002.1781591288640343888 for ; Mon, 15 Jun 2026 23:28:09 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@axis.com header.s=selector1 header.b=k91+wnjh; spf=pass (domain: axis.com, ip: 52.101.83.41, mailfrom: anton.skorup@axis.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=Yq9kQWsMUmcAPQdbnx7vRjStpBrEw5ggyA3wwDIWXvmoSXQNnr9nPpg8sNtefrY9EUAW7B38NlNDJ9l80RtWREtsLCDIfsb4fngq7E/dSIlM4ySqlhudsX8oiw2PQLN3/e/uphLEPMa8wIV90q4K1WgXzszvvJ4LWujo+694ZwXVUUO3JZYqrtpvxs4ek2DVzgM5iGfXc+roby3UUQfU2TwszG4yjlGL3i1ZwP4Ddczl/Q0xoApWLDMjYlEaxkcAkdHlhzj/DSnrxE6ZOjjQ1pxOeycokUoeYDHiM32prfzSPXQIZdUOken0SZKA2d/3bI0Lh5sxjXTUlr1tyYsYKA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=AYbIQ42aq1enj7rMAdbjBpvoCgnenbQnA+ntIysZgLg=; b=VfvOXwin1W+BI+Ci+Rf9knWLF1pWhZsnFNdOipJiiLPLIKUJrybpw27te9WL4m3nbxi1lRmgEncLy5icqitycDAIYbOCVQHFHZvLTG5zu1jT13bMd9UWrC6YH6BJ4bwffNWGk77Tr2LmBsrLmyGwiHTGOvRUUYRcNyv0NtKOKmEBCmIxZKPIvAczP8wmsO8Br8yC4ffznZW3J/1eCvohM2PcFyIWVNCo8f5PXe2qJJW6Oj1mtzEwmgkqW9Kd0d/qAE0A6XPEQHYdUiEYH6Dwk2oWxfhose4gWllAx1HnmGWL0JQ1i9PcpP3ATfczxGhjDU0CAs3zJRef6shZRiE5ig== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 195.60.68.100) smtp.rcpttodomain=lists.openembedded.org smtp.mailfrom=axis.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=axis.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=axis.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=AYbIQ42aq1enj7rMAdbjBpvoCgnenbQnA+ntIysZgLg=; b=k91+wnjhVcv4kefzIyp+BuIFA/aBAXNMfjWASHitdLQeR8TPlkExLfFQscjSBPX4cpkVRFbzRd0eZ5fgdIqVsCLCmUdmo332Rh/EREM+RFtJ+jSZ0ldP0OGcN4Q9kugs2VHUDA6qLrqbm3e6sWlzpwfsUFe06jdhz9IVj6MB1No= Received: from CWLP265CA0430.GBRP265.PROD.OUTLOOK.COM (2603:10a6:400:1d7::12) by DU4PR02MB11050.eurprd02.prod.outlook.com (2603:10a6:10:582::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.113.18; Tue, 16 Jun 2026 06:28:00 +0000 Received: from AM2PEPF0001C715.eurprd05.prod.outlook.com (2603:10a6:400:1d7::4) by CWLP265CA0430.outlook.office365.com (2603:10a6:400:1d7::12) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.113.18 via Frontend Transport; Tue, 16 Jun 2026 06:28:00 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 195.60.68.100) smtp.mailfrom=axis.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=axis.com; Received-SPF: Pass (protection.outlook.com: domain of axis.com designates 195.60.68.100 as permitted sender) receiver=protection.outlook.com; client-ip=195.60.68.100; helo=mail.axis.com; pr=C Received: from mail.axis.com (195.60.68.100) by AM2PEPF0001C715.mail.protection.outlook.com (10.167.16.185) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.139.8 via Frontend Transport; Tue, 16 Jun 2026 06:28:00 +0000 Received: from se-mail11w.axis.com (10.20.40.11) by se-mail10w.axis.com (10.20.40.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1748.39; Tue, 16 Jun 2026 08:27:59 +0200 Received: from se-intmail02x.se.axis.com (10.4.0.28) by se-mail11w.axis.com (10.20.40.11) with Microsoft SMTP Server id 15.2.1748.39 via Frontend Transport; Tue, 16 Jun 2026 08:27:59 +0200 Received: from pc62260-2523.se.axis.com (pc62260-2523.se.axis.com [10.92.71.7]) by se-intmail02x.se.axis.com (Postfix) with ESMTP id D5C1D2423; Tue, 16 Jun 2026 08:27:59 +0200 (CEST) Received: by pc62260-2523.se.axis.com (Postfix, from userid 19544) id BD6B98461E6; Tue, 16 Jun 2026 08:27:59 +0200 (CEST) From: Anton Skorup To: CC: Anton Skorup , Anton Skorup Subject: [PATCH 2/8] jq: patch CVE-2026-41256 Date: Tue, 16 Jun 2026 08:27:48 +0200 Message-ID: <20260616062754.748436-2-antonsk@axis.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260616062754.748436-1-antonsk@axis.com> References: <20260616062754.748436-1-antonsk@axis.com> MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AM2PEPF0001C715:EE_|DU4PR02MB11050:EE_ X-MS-Office365-Filtering-Correlation-Id: d1c31afa-8593-4e32-eaf4-08decb7069c9 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|82310400026|23010399003|1800799024|36860700016|376014|22082099003|13003099007|18002099003|6133799003|56012099006|3023799007|11063799006; X-Microsoft-Antispam-Message-Info: xd9yNQER8pjvZOC4B6AM3cz46Hqf+DDKe/jkz140pUZq4PJhxTJxejAnypGZcIgkUrkBox23/Q6Y/OZnlb7r7E7kqnIkwS0N6p6FsSHhPV7JtSyImIY8AA97hwbPZ1gt2BHn7ApDQkc0DDXh6AB+P2QpR6boBmPZj6jva8Rduf3zDUSzuuINLg93b3/pWpYOM4Zmmbk7GwjtSeRZY2bcviDETiK/C/lDnjtlR5/tBiH+hbjaxm8YLt+sIULEM49x5Ae+6mOJY2oCrQEiWln46F/PEGKDbAwabiqIwDXQy1C2HCIQQAPtQWhrt+6f0X1kemTTUlAbRxPu/SfO9X4pv21KAHQtJtDDLTxTFtYn+nwt/Z+Pf8x7z3xEEHiRzfGnXU0oVsX+Gzl0ynIG8OZ4j3zPxoeWPz8kJ1T9HaoBWqLszJlJvz3bFHvZ5w7aaIBvaFPSrU1unjo8MUtTqzSwbNEc0mFi2t4OKdIEX7PY8dCduzKJCMRnOJ9O11rcHTdf+G9r1gCp1QBmE6yjUWicta1Ozm9x+jEIS5MWYtU8iFSQaNmJMRAJEahAPFFL5EzGx0YGR+kVV2L6X82HchhXas8ReEQlQfpuXnJ4tmgvMiwUAXaUQKz4aIAwjoPAOipMoFDOICxMCr4SGz5J+qsbd/pgKhc8jvQdqSGnTv8/faojIcXRK/s51S01vfEtXRDhOXV0gxuLI8aqquNETyqNDYrTVOa+3Z0ofvU9Sy5KQk4= X-Forefront-Antispam-Report: CIP:195.60.68.100;CTRY:SE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.axis.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(82310400026)(23010399003)(1800799024)(36860700016)(376014)(22082099003)(13003099007)(18002099003)(6133799003)(56012099006)(3023799007)(11063799006);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: T6SzIRoQWdP58rTE8FbhPN6Ikt3ZnyEMo/Wly+1EIE+FpimmcgzWifXJGmhxw4mdLl+RMArVbp/usIIi6uta61itXnY3tCztTkhq2OctmjB+4LywnqvUegoLJ8FC81QSz92XiTSjs6QGeaW9CAJ1bq5NtpNTRKe/7tHNjeTHJ+y8HLcbwX5Gdtkl2Iiv038rlRgsZQhNHsYnbca3yUL5Sq2ZICIr+hFJkcCPo4pT+nSInm5wNirmpZGGTcHyS5EnTHP/RX0ekcg7qtI/DSU82Lski0qVLwXZN/SwqPtDefvK1lh53BUZhOKlIHWdluLZ5rPuPy2FZ3pwlca+QZKR+bXNLfXpMQDSJGej1Lf6CFKleliPQ53cvKmeD9ONMtvsG79pGhVivIuTVZ/X9BVZZtvU7lZKdsOHzdcDkm/JSptFc3YkRXoAPTxy6SPRJ1rt X-OriginatorOrg: axis.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Jun 2026 06:28:00.4396 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: d1c31afa-8593-4e32-eaf4-08decb7069c9 X-MS-Exchange-CrossTenant-Id: 78703d3c-b907-432f-b066-88f7af9ca3af X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=78703d3c-b907-432f-b066-88f7af9ca3af;Ip=[195.60.68.100];Helo=[mail.axis.com] X-MS-Exchange-CrossTenant-AuthSource: AM2PEPF0001C715.eurprd05.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: DU4PR02MB11050 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 16 Jun 2026 07:12:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127610 From: Anton Skorup CVE details: https://www.cve.org/CVERecord?id=CVE-2026-41256 Signed-off-by: Anton Skorup --- .../jq/jq/CVE-2026-41256.patch | 49 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-41256.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-41256.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-41256.patch new file mode 100644 index 0000000000..738a359e6a --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-41256.patch @@ -0,0 +1,49 @@ +From 5a015deae35d19e3ebbc65db6c157a80e76df738 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Fri, 24 Apr 2026 22:15:08 +0900 +Subject: [PATCH] Fix NUL truncation in program files loaded with -f + +This fixes CVE-2026-41256. + +Signed-off-by: Anton Skorup +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/5a015deae35d19e3ebbc65db6c157a80e76df738] +--- + src/main.c | 8 ++++++++ + tests/shtest | 7 +++++++ + 2 files changed, 15 insertions(+) + +diff --git a/src/main.c b/src/main.c +index ce362607e2..fb5c7ab8e3 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -612,6 +612,14 @@ int main(int argc, char* argv[]) { + ret = JQ_ERROR_SYSTEM; + goto out; + } ++ int len = jv_string_length_bytes(jv_copy(data)); ++ if ((size_t)len != strlen(jv_string_value(data))) { ++ fprintf(stderr, "jq: program file contains NUL bytes\n"); ++ free(program_origin); ++ jv_free(data); ++ ret = JQ_ERROR_SYSTEM; ++ goto out; ++ } + jq_set_attr(jq, jv_string("PROGRAM_ORIGIN"), jq_realpath(jv_string(dirname(program_origin)))); + ARGS = JV_OBJECT(jv_string("positional"), ARGS, + jv_string("named"), jv_copy(program_arguments)); +diff --git a/tests/shtest b/tests/shtest +index 370f7b7c69..68705df255 100755 +--- a/tests/shtest ++++ b/tests/shtest +@@ -886,4 +886,11 @@ if printf '{}\x00{}' | $JQ >/dev/null 2> /dev/null; then + exit 1 + fi + ++# CVE-2026-41256: No NUL truncation in program files loaded with -f ++printf '.\x00invalid' > "$d/nul_prog.jq" ++if echo '42' | $JQ -f "$d/nul_prog.jq" >/dev/null 2>/dev/null; then ++ printf 'Error expected for program file with NUL bytes\n' 1>&2 ++ exit 1 ++fi ++ + exit 0 diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 0419ccd46d..34616e0af6 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-33947.patch \ file://CVE-2026-33948.patch \ file://CVE-2026-39979.patch \ + file://CVE-2026-41256.patch \ file://CVE-2026-49389.patch \ " From patchwork Tue Jun 16 06:27:49 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anton Skorup X-Patchwork-Id: 90176 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 86FC2CD98E4 for ; Tue, 16 Jun 2026 07:12:22 +0000 (UTC) Received: from OSPPR02CU001.outbound.protection.outlook.com (OSPPR02CU001.outbound.protection.outlook.com [40.107.159.70]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.148001.1781591287735457526 for ; Mon, 15 Jun 2026 23:28:08 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@axis.com header.s=selector1 header.b=OjfXCzkZ; spf=pass (domain: axis.com, ip: 40.107.159.70, mailfrom: anton.skorup@axis.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=q2ER02GFIbH03LDEqlfVsD1PwL+ZHAyBWQKzKTaSQPG4Pb1xrK/gd0i+uQ5i9nqvbGATGZiOQJeViLvMawFiTE/xdM6tCQIAv7qBw0AQUT/cznBy0BibgMg1QW1EFCGl6XwqnQ3t52X0lwwQITrRbfxHpo5v7yN4EthosPINQL9taew9RfamA/aA55WNLbM5x5vHLmzFp/ANcc1AQN7dyqMMlA7Z+ZLY+dTW0w4FQU4KIFwLUspPUHLaBf2+k0gGeVsjE36liv21SQQz7Z+SSq6Wek5CfrlZBpRx0wJkgZK6PTGZm6pHPIJ7zUHL0ODrcLbtdu0Q2ztV8lBR2yx0lA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=dSKxQ0rSKasW+6cFX+HoEiDaPzef0IGDtRAuj+ena/k=; b=g7RPhKYHXlxP/4iSnHqxqf2lF0huvEnTDbvo+UGIbdkfjH5yHreAbXE+2aS8IFppPKKQ4V2Hx+zeYBgqzre7H7uyvHVhyjNUnU5Y81LkI/0hMyooXGVMZidpWXTSXT8Z9nkslXjluK1odZVn9HrSxdh4h4yI1V2p8CR4I0jDHrH6CUFRe12IBu9LXzZfddgDaaaZXP0SC3MEx6awhOhmBJ1wAapPZPYqbdlh/VFFX2fuO/6/3Hn9/wlOi53SWny5lHG4qQeXyad9FdWbTET+ZmXh1odhds82XDE6Ox3ELOFAKkZQlAQJB1KV8DkdS4af2NTvaLHuJzClpfceKGNhUg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 195.60.68.100) smtp.rcpttodomain=lists.openembedded.org smtp.mailfrom=axis.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=axis.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=axis.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dSKxQ0rSKasW+6cFX+HoEiDaPzef0IGDtRAuj+ena/k=; b=OjfXCzkZxEHEGWzOQWgprerpNrwQxZs0QbzGYp5bAUw3lFxwXHl9AmFdrde3KqCQvTlplOKxIbQQvb74xb2MsPqyhHu8XwqpFWE/afnY9VAqP5YqsBqGtXeUysujz83V6fBeyT+nFCQGIbVpeYymLlc+bZ7PwoPYQ14RgyUYwJk= Received: from CWLP265CA0432.GBRP265.PROD.OUTLOOK.COM (2603:10a6:400:1d7::11) by PA4PR02MB8214.eurprd02.prod.outlook.com (2603:10a6:102:26b::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.92.18; Tue, 16 Jun 2026 06:28:01 +0000 Received: from AM2PEPF0001C715.eurprd05.prod.outlook.com (2603:10a6:400:1d7:cafe::8a) by CWLP265CA0432.outlook.office365.com (2603:10a6:400:1d7::11) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.113.18 via Frontend Transport; Tue, 16 Jun 2026 06:28:00 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 195.60.68.100) smtp.mailfrom=axis.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=axis.com; Received-SPF: Pass (protection.outlook.com: domain of axis.com designates 195.60.68.100 as permitted sender) receiver=protection.outlook.com; client-ip=195.60.68.100; helo=mail.axis.com; pr=C Received: from mail.axis.com (195.60.68.100) by AM2PEPF0001C715.mail.protection.outlook.com (10.167.16.185) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.139.8 via Frontend Transport; Tue, 16 Jun 2026 06:28:00 +0000 Received: from se-mail10w.axis.com (10.20.40.10) by se-mail10w.axis.com (10.20.40.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1748.39; Tue, 16 Jun 2026 08:28:00 +0200 Received: from se-intmail02x.se.axis.com (10.4.0.28) by se-mail10w.axis.com (10.20.40.10) with Microsoft SMTP Server id 15.2.1748.39 via Frontend Transport; Tue, 16 Jun 2026 08:28:00 +0200 Received: from pc62260-2523.se.axis.com (pc62260-2523.se.axis.com [10.92.71.7]) by se-intmail02x.se.axis.com (Postfix) with ESMTP id 6DA502423; Tue, 16 Jun 2026 08:28:00 +0200 (CEST) Received: by pc62260-2523.se.axis.com (Postfix, from userid 19544) id 55ACA8461E6; Tue, 16 Jun 2026 08:28:00 +0200 (CEST) From: Anton Skorup To: CC: Anton Skorup , Anton Skorup Subject: [PATCH 3/8] jq: patch CVE-2026-44777 Date: Tue, 16 Jun 2026 08:27:49 +0200 Message-ID: <20260616062754.748436-3-antonsk@axis.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260616062754.748436-1-antonsk@axis.com> References: <20260616062754.748436-1-antonsk@axis.com> MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AM2PEPF0001C715:EE_|PA4PR02MB8214:EE_ X-MS-Office365-Filtering-Correlation-Id: c5fbd5c6-68be-4374-e245-08decb706a0e X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|376014|36860700016|23010399003|82310400026|13003099007|18002099003|22082099003|3023799007|6133799003|11063799006|56012099006; X-Microsoft-Antispam-Message-Info: yDezxfj+OzshZPDn9AyUPdOg8sTlVmofD6Z/UQ/MIYCidAa1RgcAlnOoqQDNTcRnn/3O52tS7h/8mg8iVGIm4SDGM+QgDdrjHCkSHsLx12LpYR4p0ZYnGA/aiUJ/WLnVk2cF7cZa6XiW4IFNjb0fn3iBjfBRxIflEJgN5ygBBDbxHPv1F1CRFJ3ll1z5vuQi9gGUO/KubnC+7hSiD+BoM1O9Nf0+AWO0IN1vJzvbS66ITqACds+L/NBjDQxOCg61IhWKt8N02X823Oc/SBXL3zlSvMqPFBGb5At4E3xnlfTJp1+w1aXj8NT+svfMIkONohdNa4z94Q/sOlc9488mUZx1HgNs5Pr33fdjY6EIOMphY7cKzuxN2KoJD/b3OYNT4KxZycWEtT64QIr4xP2nB/aEuPuFGwdzDqq5rLAcdjbvka29JqYycEg/Xtm5aQLANjl/E1Lhc4ZX8E4oInnkx+eDs6j7lujSFKxnlMsTMjYPxkmqkqOojp/Rqa047XXEKdnye+tQGxWEskOKToPpwDiGjsfThZI0x1SA5gnSN1m3SHL98mljiBeTQnIzFNChnSGwg17sXu7Z072RymA2dTzc/+V4iEITVlpFHyMLivR8t7CKAvV7xbvii+glbOGCLjUeVQbzVcJbJJMVAYtoGI6jv4a6WrlOfLk6jmS5P1ZJgZu75wzamQSPn5akZRXLcKjeSz7AO3drd9igPAJtE/YZLXZXrMdGWjN11Kf4n64= X-Forefront-Antispam-Report: CIP:195.60.68.100;CTRY:SE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.axis.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(1800799024)(376014)(36860700016)(23010399003)(82310400026)(13003099007)(18002099003)(22082099003)(3023799007)(6133799003)(11063799006)(56012099006);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: M3QgmK/xmcQGnNYwBRK0gl3QGM+fyZEvEIGRbuX7Vkt1aLObcXkR+mjnw0RoSy5QbAIx0r2OziSG/gKToBBHfbRMGDZIYbOITOZ/B8j1Jn+1UAU0yZauRYK4x/uFos1AvLREP8lz3erhhav4pgD3L0O2wD0Td4r51tqBHAp8QLE1WpYvOnAt3aaFXXFtdS+Riucn1FT11ySad5ACQIza9PhVnrpR1fvGs7xnqnJKNBvRNRoSOuwNg5RsRR77kEqNgJV6gco0G/x2NOhxjBpFQUvv/opNkB3XPEwDXXLWw0e0qgfqIT9WjxCGgNHOPIaIiuzpYgblsn6UnzUCgn7enOQF8zBJ6fBJkm7rwGMQ730ZfEm2kOdJ/i7MmuaV6IEdfZXvkx35R5vaR4WzXreTDGWvFFUcBR7mps2Fq78BcfzIG84ufEAocurZG0iniivE X-OriginatorOrg: axis.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Jun 2026 06:28:00.8923 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: c5fbd5c6-68be-4374-e245-08decb706a0e X-MS-Exchange-CrossTenant-Id: 78703d3c-b907-432f-b066-88f7af9ca3af X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=78703d3c-b907-432f-b066-88f7af9ca3af;Ip=[195.60.68.100];Helo=[mail.axis.com] X-MS-Exchange-CrossTenant-AuthSource: AM2PEPF0001C715.eurprd05.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: PA4PR02MB8214 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 16 Jun 2026 07:12:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127609 From: Anton Skorup CVE details: https://www.cve.org/CVERecord?id=CVE-2026-44777 Signed-off-by: Anton Skorup --- .../jq/jq/CVE-2026-44777.patch | 233 ++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 234 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-44777.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-44777.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-44777.patch new file mode 100644 index 0000000000..f6bf926a0a --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-44777.patch @@ -0,0 +1,233 @@ +From f58787c41835d9b17795730cb04925fdba25c71c Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Mon, 11 May 2026 20:41:38 +0900 +Subject: [PATCH] Detect circular module imports to prevent stack overflow + +jq used to recurse without bound on mutual or self-referential +`import` declarations, exhausting the stack. Track each library's +load state with a `loading` flag set before its dependencies are +processed; a recursive reference to an in-progress library now +reports "circular import of X". + +Fixes CVE-2026-44777. + +Signed-off-by: Anton Skorup +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/f58787c41835d9b17795730cb04925fdba25c71c] +--- + Makefile.am | 2 ++ + src/linker.c | 59 ++++++++++++++++++++++++------------- + tests/modules/cycle_a.jq | 2 ++ + tests/modules/cycle_b.jq | 2 ++ + tests/modules/cycle_self.jq | 2 ++ + tests/shtest | 23 +++++++++++++++ + 6 files changed, 70 insertions(+), 20 deletions(-) + create mode 100644 tests/modules/cycle_a.jq + create mode 100644 tests/modules/cycle_b.jq + create mode 100644 tests/modules/cycle_self.jq + +diff --git a/Makefile.am b/Makefile.am +index acb94435f4..e2321bb196 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -232,6 +232,8 @@ EXTRA_DIST = $(DOC_FILES) $(man_MANS) $(TESTS) $(TEST_LOG_COMPILER) \ + tests/modules/test_bind_order0.jq \ + tests/modules/test_bind_order1.jq \ + tests/modules/test_bind_order2.jq \ ++ tests/modules/cycle_a.jq tests/modules/cycle_b.jq \ ++ tests/modules/cycle_self.jq \ + tests/onig.supp tests/local.supp \ + tests/setup tests/torture/input0.json \ + tests/optional.test tests/man.test tests/manonig.test \ +diff --git a/src/linker.c b/src/linker.c +index e9027004cc..03f46db05c 100644 +--- a/src/linker.c ++++ b/src/linker.c +@@ -20,9 +20,13 @@ + #include "compile.h" + #include "jv_alloc.h" + ++struct lib_entry { ++ char *name; ++ block def; ++ int loading; ++}; + struct lib_loading_state { +- char **names; +- block *defs; ++ struct lib_entry *entries; + uint64_t ct; + }; + static int load_library(jq_state *jq, jv lib_path, +@@ -303,14 +307,24 @@ static int process_dependencies(jq_state *jq, jv jq_origin, jv lib_origin, block + } else { + uint64_t state_idx = 0; + for (; state_idx < lib_state->ct; ++state_idx) { +- if (strcmp(lib_state->names[state_idx],jv_string_value(resolved)) == 0) ++ if (strcmp(lib_state->entries[state_idx].name, jv_string_value(resolved)) == 0) + break; + } + + if (state_idx < lib_state->ct) { // Found ++ if (lib_state->entries[state_idx].loading) { ++ jq_report_error(jq, jv_string_fmt("jq: error: circular import of %s\n", ++ jv_string_value(resolved))); ++ jv_free(resolved); ++ jv_free(as); ++ jv_free(deps); ++ jv_free(jq_origin); ++ jv_free(lib_origin); ++ return 1; ++ } + jv_free(resolved); + // Bind the library to the program +- bk = block_bind_library(lib_state->defs[state_idx], bk, OP_IS_CALL_PSEUDO, as_str); ++ bk = block_bind_library(lib_state->entries[state_idx].def, bk, OP_IS_CALL_PSEUDO, as_str); + } else { // Not found. Add it to the table before binding. + block dep_def_block = gen_noop(); + nerrors += load_library(jq, resolved, is_data, raw, optional, as_str, &dep_def_block, lib_state); +@@ -352,32 +366,38 @@ static int load_library(jq_state *jq, jv lib_path, int is_data, int raw, int opt + jq_report_error(jq, jv_string_fmt("jq: error loading data file %s: %s\n", jv_string_value(lib_path), jv_string_value(data))); + nerrors++; + } +- goto out; + } else if (is_data) { + // import "foo" as $bar; + program = gen_const_global(jv_copy(data), as); ++ state_idx = lib_state->ct++; ++ lib_state->entries = jv_mem_realloc(lib_state->entries, lib_state->ct * sizeof(struct lib_entry)); ++ lib_state->entries[state_idx].name = strdup(jv_string_value(lib_path)); ++ lib_state->entries[state_idx].def = program; ++ lib_state->entries[state_idx].loading = 0; + } else { + // import "foo" as bar; + src = locfile_init(jq, jv_string_value(lib_path), jv_string_value(data), jv_string_length_bytes(jv_copy(data))); + nerrors += jq_parse_library(src, &program); + locfile_free(src); + if (nerrors == 0) { ++ // Register the library before processing its dependencies so that ++ // circular imports can be detected. ++ state_idx = lib_state->ct++; ++ lib_state->entries = jv_mem_realloc(lib_state->entries, lib_state->ct * sizeof(struct lib_entry)); ++ lib_state->entries[state_idx].name = strdup(jv_string_value(lib_path)); ++ lib_state->entries[state_idx].def = gen_noop(); ++ lib_state->entries[state_idx].loading = 1; ++ + char *lib_origin = strdup(jv_string_value(lib_path)); + nerrors += process_dependencies(jq, jq_get_jq_origin(jq), + jv_string(dirname(lib_origin)), + &program, lib_state); + free(lib_origin); + program = block_bind_self(program, OP_IS_CALL_PSEUDO); ++ lib_state->entries[state_idx].def = program; ++ lib_state->entries[state_idx].loading = 0; + } + } +- if (nerrors == 0) { +- state_idx = lib_state->ct++; +- lib_state->names = jv_mem_realloc(lib_state->names, lib_state->ct * sizeof(const char *)); +- lib_state->defs = jv_mem_realloc(lib_state->defs, lib_state->ct * sizeof(block)); +- lib_state->names[state_idx] = strdup(jv_string_value(lib_path)); +- lib_state->defs[state_idx] = program; +- } +-out: + *out_block = program; + jv_free(lib_path); + jv_free(data); +@@ -415,7 +435,7 @@ jv load_module_meta(jq_state *jq, jv mod_relpath) { + int load_program(jq_state *jq, struct locfile* src, block *out_block) { + int nerrors = 0; + block program; +- struct lib_loading_state lib_state = {0,0,0}; ++ struct lib_loading_state lib_state = {0,0}; + nerrors = jq_parse(src, &program); + if (nerrors) + return nerrors; +@@ -441,14 +461,13 @@ int load_program(jq_state *jq, struct locfile* src, block *out_block) { + nerrors = process_dependencies(jq, jq_get_jq_origin(jq), jq_get_prog_origin(jq), &program, &lib_state); + block libs = gen_noop(); + for (uint64_t i = 0; i < lib_state.ct; ++i) { +- free(lib_state.names[i]); +- if (nerrors == 0 && !block_is_const(lib_state.defs[i])) +- libs = block_join(libs, lib_state.defs[i]); ++ free(lib_state.entries[i].name); ++ if (nerrors == 0 && !block_is_const(lib_state.entries[i].def)) ++ libs = block_join(libs, lib_state.entries[i].def); + else +- block_free(lib_state.defs[i]); ++ block_free(lib_state.entries[i].def); + } +- free(lib_state.names); +- free(lib_state.defs); ++ free(lib_state.entries); + if (nerrors) + block_free(program); + else +diff --git a/tests/modules/cycle_a.jq b/tests/modules/cycle_a.jq +new file mode 100644 +index 0000000000..30c1deaedf +--- /dev/null ++++ b/tests/modules/cycle_a.jq +@@ -0,0 +1,2 @@ ++import "cycle_b" as b; ++def f: null; +diff --git a/tests/modules/cycle_b.jq b/tests/modules/cycle_b.jq +new file mode 100644 +index 0000000000..3fdc360fcd +--- /dev/null ++++ b/tests/modules/cycle_b.jq +@@ -0,0 +1,2 @@ ++import "cycle_a" as a; ++def f: null; +diff --git a/tests/modules/cycle_self.jq b/tests/modules/cycle_self.jq +new file mode 100644 +index 0000000000..8365eab1a4 +--- /dev/null ++++ b/tests/modules/cycle_self.jq +@@ -0,0 +1,2 @@ ++import "cycle_self" as s; ++def f: null; +diff --git a/tests/shtest b/tests/shtest +index fa972de870..aca82790bc 100755 +--- a/tests/shtest ++++ b/tests/shtest +@@ -382,17 +382,40 @@ if ! HOME="$mods/home2" $VALGRIND $Q $JQ -n 'include "g"; empty'; then + exit 1 + fi + ++( + cd "$JQBASEDIR" # so that relative library paths are guaranteed correct + if ! $VALGRIND $Q $JQ -L ./tests/modules -ne 'import "test_bind_order" as check; check::check==true'; then + echo "Issue #817 regression?" 1>&2 + exit 1 + fi ++) + ++( + cd "$JQBASEDIR" + if ! $VALGRIND $Q $JQ -L tests/modules -ne 'import "test_bind_order" as check; check::check==true'; then + echo "Issue #817 regression?" 1>&2 + exit 1 + fi ++) ++ ++# CVE-2026-44777: Circular imports should be detected ++if $VALGRIND $JQ -L "$mods" -ne 'import "cycle_a" as a; null' 2> $d/out; then ++ echo "Mutual import should be rejected" 1>&2 ++ exit 1 ++fi ++if ! grep -q "circular import" $d/out; then ++ echo "Expected circular import error" 1>&2 ++ exit 1 ++fi ++ ++if $VALGRIND $JQ -L "$mods" -ne 'import "cycle_self" as s; null' 2> $d/out; then ++ echo "Self import should be rejected" 1>&2 ++ exit 1 ++fi ++if ! grep -q "circular import" $d/out; then ++ echo "Expected circular import error" 1>&2 ++ exit 1 ++fi + + ## Halt + diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 34616e0af6..2e6c3a3eea 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb @@ -18,6 +18,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-33948.patch \ file://CVE-2026-39979.patch \ file://CVE-2026-41256.patch \ + file://CVE-2026-44777.patch \ file://CVE-2026-49389.patch \ " From patchwork Tue Jun 16 06:27:50 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anton Skorup X-Patchwork-Id: 90173 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8701CCD98D2 for ; Tue, 16 Jun 2026 07:12:12 +0000 (UTC) Received: from AS8PR04CU009.outbound.protection.outlook.com (AS8PR04CU009.outbound.protection.outlook.com [52.101.70.23]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.148428.1781591287456937043 for ; Mon, 15 Jun 2026 23:28:07 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@axis.com header.s=selector1 header.b=o3sKzfWx; spf=pass (domain: axis.com, ip: 52.101.70.23, mailfrom: anton.skorup@axis.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=jGfuC8Mssc7u07vj/Ug4HfmFlzSeMvEiwKvyGwMt8saQj2i+DbELy3F12Ssgce2l2ZO/AJwJCPoFXm+5Q0WeLeCjNB6WYKs4uOCea2RyzvR46h1s+brr53bS0rBWPhxPPddQYB7OqyByGgs48TuIfJ58aQxAwBYOAlSn+9e5jj4j7J0N1EbbFViLJ5904tX+6uMlU+XmSVVgc6YBHmsY6otZRAofTxcd2dwq845rOmm4jkAzhSFXsfZYBjDv5OBi8z4pEPNmJ4HRo53XmDHzVuHccHxXrKDMm5wMEZo6WSjlfjWmlkn+l+auV53pptf0f3p8sJZ08cdP/Rlwr7BWNg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=mVjiq6kkqN+Ao9gZ84cwBJvksQrjhCjZkvF61hGkfAg=; b=neZAN81qaPvv78tO274GR4PCTE0hzRVZg4ruTZOLrKEYHE6gfwVdDzQyr0ZoQabEjmsrcXHo6WVFIszmT4UAsVjxZyHZDjxu/AQjIh8t38qfiJAyuNVbqCIjQLmlmbYCDDCB0TwiOggt8PEeIlicPhLGn4icaj/N6eqteoCJGzdRjLk4f7o7KflAKvfocf9y5ay9NyXaEejdrlYv7Uw41mZd9LSC/A/cx3PKFfi48a95LtsYyf0N4Edk81jb71PmzsCXA8CKc0eulVrq4cj/Uw+hFqVgtwrWyMc5loTwN8qEII+hEITdy/eqvx7ELwa1EuLWVSgbJfFHvXxY/f10Gg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 195.60.68.100) smtp.rcpttodomain=lists.openembedded.org smtp.mailfrom=axis.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=axis.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=axis.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mVjiq6kkqN+Ao9gZ84cwBJvksQrjhCjZkvF61hGkfAg=; b=o3sKzfWxpVbGFouONkBBAIx3x9TgzyFQEbqIe7uqYDBdWrQeagot2ao1kphpXeDEVII15RNfZJDaVEo9X+ZH1Ru/Csxmj57IB/Zyzs5MYg8l6/8ay8c5Dt+c+m4OMz+p3oPgI2p1VM0l3/lMSoZeEt9T4IqQIfKkMKCkhjwK7cg= Received: from CWLP265CA0431.GBRP265.PROD.OUTLOOK.COM (2603:10a6:400:1d7::7) by AS8PR02MB8613.eurprd02.prod.outlook.com (2603:10a6:20b:54b::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.113.18; Tue, 16 Jun 2026 06:28:01 +0000 Received: from AM2PEPF0001C715.eurprd05.prod.outlook.com (2603:10a6:400:1d7:cafe::97) by CWLP265CA0431.outlook.office365.com (2603:10a6:400:1d7::7) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.113.18 via Frontend Transport; Tue, 16 Jun 2026 06:28:01 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 195.60.68.100) smtp.mailfrom=axis.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=axis.com; Received-SPF: Pass (protection.outlook.com: domain of axis.com designates 195.60.68.100 as permitted sender) receiver=protection.outlook.com; client-ip=195.60.68.100; helo=mail.axis.com; pr=C Received: from mail.axis.com (195.60.68.100) by AM2PEPF0001C715.mail.protection.outlook.com (10.167.16.185) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.139.8 via Frontend Transport; Tue, 16 Jun 2026 06:28:01 +0000 Received: from se-mail10w.axis.com (10.20.40.10) by se-mail10w.axis.com (10.20.40.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1748.39; Tue, 16 Jun 2026 08:28:00 +0200 Received: from se-intmail01x.se.axis.com (10.4.0.28) by se-mail10w.axis.com (10.20.40.10) with Microsoft SMTP Server id 15.2.1748.39 via Frontend Transport; Tue, 16 Jun 2026 08:28:00 +0200 Received: from pc62260-2523.se.axis.com (pc62260-2523.se.axis.com [10.92.71.7]) by se-intmail01x.se.axis.com (Postfix) with ESMTP id B5CCE2480; Tue, 16 Jun 2026 08:28:00 +0200 (CEST) Received: by pc62260-2523.se.axis.com (Postfix, from userid 19544) id B2C878461E6; Tue, 16 Jun 2026 08:28:00 +0200 (CEST) From: Anton Skorup To: CC: Anton Skorup , Anton Skorup Subject: [PATCH 4/8] jq: patch CVE-2026-43896 Date: Tue, 16 Jun 2026 08:27:50 +0200 Message-ID: <20260616062754.748436-4-antonsk@axis.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260616062754.748436-1-antonsk@axis.com> References: <20260616062754.748436-1-antonsk@axis.com> MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AM2PEPF0001C715:EE_|AS8PR02MB8613:EE_ X-MS-Office365-Filtering-Correlation-Id: 9049bc78-4028-473c-edae-08decb706a50 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|36860700016|82310400026|1800799024|376014|23010399003|13003099007|22082099003|18002099003|11063799006|3023799007|6133799003|56012099006; X-Microsoft-Antispam-Message-Info: GTH3UYJZvgHZrgICRkGyTwIAA4N067m68clb1e2jJWyT6fthpbAX1gAbXPUzbUydlc2X9eLPFuXbEMkX4ty15vJUOZ14nOS077JxI4ZUFDyahj2urE1N7P1V+HUBl7nSge4wGFfXhdRdkZbHrLW1qZm0MOCaplDB+2bAT2BLRIrrWvu1Q+vfJrybquOeiPbrxRgLdZXIfkGRNKcOKJwIpB1WJaGesdSuEQoYyZg0LFDZI0/x6mx8ZWdxgySTfYn97LKuBTVJljrroSZpsK5FllgUaNooS9GEOHChHNa7LS4gg4+cw/vngQQW60H9Yaf3DpfYM7fETBqEkmNt5pZyd3FhpZNjOq2+TirXqRJxY/avxTnLrjJ4rdd0YbHSpmmtrr5eSfC68Qe8OX8c1s11YDbUY5tUMT2uXcMM3Q07OpmPqOC2eijVZgvYtjWcVq94mzp15LwX37UUNRmsaQvuglgmu874ERFPwBFsdOC/MAAVoNtPL0lpekVdF21AgkD8uXE8I2uPUMVETuIQUtdnhstLrx6Ow2eUCu9cvuGZffVpMXoSHoPRTfsORRSdaeTVn+X53VEq3F85r44MKwCPgWgXR9EtxIgZkDdHFbbRlH3gVlK+t8sP2uA96jNcGZuzrpWIqTHGaPNV+QXgxoyeCUMOest4XZuT/lDLSrv21ts/RBk1nEHgYbFSAJrd1XmJJ8RkfltDu5tTvpsoitqsZiw1QgDHKfBBGqQ8jr00M9w= X-Forefront-Antispam-Report: CIP:195.60.68.100;CTRY:SE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.axis.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(36860700016)(82310400026)(1800799024)(376014)(23010399003)(13003099007)(22082099003)(18002099003)(11063799006)(3023799007)(6133799003)(56012099006);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: 0AymU7UNQS01juJuaeyfMI8LNOZ6XZtSPne3tm3k1opE1jBcDEJjyAG1GVUyer8hgyJd/UyePX/mwGqaSPaNP1iFi+AsY9hR3GQ2LR62H/sDYDglA+DADhvWHfjX+GxERjisvRIOuhQNUtJ8Xm0ax2FxrOLtA1epX5Qh1PVPzalZ9X1LcUwQX+Xb64TMwTT65tIfg+ADjwtdzjOHRu21oKIDqbkFkVobLO4t6Nxe/H1a862rZVL799xkmW3xMugJt5HQIJA8AKIdz1+4Wf7BOG0KMbifyMmCta5lRbcZ8VfABohZ5Fn04Aousa/qkLlZREpzCsKazN9loK/7FNb7iY9Tht6W9mJ4AWV1tRMYJotjisii5pX5cwny4tuwZSoGczb1c10JM8bDeJhl50duK044kfRfYTYPMH3a2/F2eH6Ciy3QP9QCBLMiW3OGV2LF X-OriginatorOrg: axis.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Jun 2026 06:28:01.3244 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 9049bc78-4028-473c-edae-08decb706a50 X-MS-Exchange-CrossTenant-Id: 78703d3c-b907-432f-b066-88f7af9ca3af X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=78703d3c-b907-432f-b066-88f7af9ca3af;Ip=[195.60.68.100];Helo=[mail.axis.com] X-MS-Exchange-CrossTenant-AuthSource: AM2PEPF0001C715.eurprd05.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR02MB8613 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 16 Jun 2026 07:12:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127607 From: Anton Skorup CVE details: https://www.cve.org/CVERecord?id=CVE-2026-43896 Signed-off-by: Anton Skorup --- .../jq/jq/CVE-2026-43896.patch | 82 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 83 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch new file mode 100644 index 0000000000..318c86a121 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch @@ -0,0 +1,82 @@ +From 532ccea6080ed6758f39fe9f6208a44b665023d2 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Tue, 5 May 2026 22:44:02 +0900 +Subject: [PATCH] Limit recursive object merge depth to prevent stack overflow + +This fixes CVE-2026-43896. + +Signed-off-by: Anton Skorup +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/532ccea6080ed6758f39fe9f6208a44b665023d2] +--- + src/jv.c | 25 +++++++++++++++++++++++-- + tests/jq.test | 9 +++++++++ + 2 files changed, 32 insertions(+), 2 deletions(-) + +diff --git a/src/jv.c b/src/jv.c +index feb68d1a1c..84fafef666 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -1899,16 +1899,33 @@ jv jv_object_merge(jv a, jv b) { + return a; + } + +-jv jv_object_merge_recursive(jv a, jv b) { ++#ifndef MAX_OBJECT_MERGE_DEPTH ++#define MAX_OBJECT_MERGE_DEPTH (10000) ++#endif ++ ++static jv jvp_object_merge_recursive(jv a, jv b, int depth) { + assert(JVP_HAS_KIND(a, JV_KIND_OBJECT)); + assert(JVP_HAS_KIND(b, JV_KIND_OBJECT)); + ++ if (depth > MAX_OBJECT_MERGE_DEPTH) { ++ jv_free(a); ++ jv_free(b); ++ return jv_invalid_with_msg(jv_string("Object merge too deep")); ++ } ++ + jv_object_foreach(b, k, v) { + jv elem = jv_object_get(jv_copy(a), jv_copy(k)); + if (jv_is_valid(elem) && + JVP_HAS_KIND(elem, JV_KIND_OBJECT) && + JVP_HAS_KIND(v, JV_KIND_OBJECT)) { +- a = jv_object_set(a, k, jv_object_merge_recursive(elem, v)); ++ jv merged = jvp_object_merge_recursive(elem, v, depth + 1); ++ if (!jv_is_valid(merged)) { ++ jv_free(k); ++ jv_free(a); ++ jv_free(b); ++ return merged; ++ } ++ a = jv_object_set(a, k, merged); + } else { + jv_free(elem); + a = jv_object_set(a, k, v); +@@ -1919,6 +1936,10 @@ jv jv_object_merge_recursive(jv a, jv b) { + return a; + } + ++jv jv_object_merge_recursive(jv a, jv b) { ++ return jvp_object_merge_recursive(a, b, 0); ++} ++ + /* + * Object iteration (internal helpers) + */ +diff --git a/tests/jq.test b/tests/jq.test +index 8094a5b6eb..9a80341f52 100644 +--- a/tests/jq.test ++++ b/tests/jq.test +@@ -2602,3 +2602,12 @@ true + try (reduce range(10001) as $_ ([]; [.]) as $x | $x | contains($x)) catch . + null + "Containment check too deep" ++ ++# regression test for CVE-2026-43896 ++reduce range(10000) as $_ ({}; {a: .}) as $x | $x * $x | length ++null ++1 ++ ++try (reduce range(10001) as $_ ({}; {a: .}) as $x | $x * $x) catch . ++null ++"Object merge too deep" diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 2e6c3a3eea..082a827041 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb @@ -18,6 +18,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-33948.patch \ file://CVE-2026-39979.patch \ file://CVE-2026-41256.patch \ + file://CVE-2026-43896.patch \ file://CVE-2026-44777.patch \ file://CVE-2026-49389.patch \ " From patchwork Tue Jun 16 06:27:51 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anton Skorup X-Patchwork-Id: 90177 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 85F24CD98D2 for ; Tue, 16 Jun 2026 07:12:42 +0000 (UTC) Received: from PA4PR04CU001.outbound.protection.outlook.com (PA4PR04CU001.outbound.protection.outlook.com [40.107.162.42]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.148003.1781591289593908342 for ; Mon, 15 Jun 2026 23:28:09 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@axis.com header.s=selector1 header.b=qclLbNoc; spf=pass (domain: axis.com, ip: 40.107.162.42, mailfrom: anton.skorup@axis.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=vlzPuCK1pWROqnYkaFj2sq/grj1W2zHwKl/sCkbqtb41aRVh3sbZUPQ5tEakmu2AVxl8KVFZK2/XKEqElXRrMyCtt52UoaBV1UdwTGsfCh3iT2ZQDCrZLsAEjSL7iYS9gb8wl5HxqX97lIjt3UE4Dst1NRYztAexq+qwyzLPX0CSIfS5qqj3QuXGJ0haI2JOkHV7LOcGJTIUlAlYojakKfNTaO5VtR6Yi1VLbCE2+mhMEx8IsxDYqP06DQWvvc5bgd6qKha5LHVlxL/wPpWOqa/yID/XfWy4W2mTpAbePCHAO9ioxbDoinYtt9hV4Z4ZUaf/zrXAUg556+x8VazcbQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=/bysg2t3A8XalXcxXb1b+ENIYsIxI3F5r05pNGHdBFg=; b=V6TpxUDwyocyB+PDeVAdXFB14FUVAqv+yekdZYm2hcwxRVAzeFBQiVxm8AOWshhjWuCRkculGBnN0nttoqLvjdMkovyDFq5M6mJLiCIJuncyAPsmfMz9D6NPvqRlT2hmYuCMxhjgKoKZD2xJ5kBO35LPJOb8VpkP/uKe3WGvmjVtd2113JiWfSyvhVYy48Vgywi3QaOugifsc2sNWOGGIxJPiNDNu+aJ5c3pFaGxiHmeL++ot1wEGqn7tbxYHidFeWy/xnrQqnpNAKPx559VyMzVcSob2WbzlEIY3L7zfCFPIHDD2GxOC1YShbmP5HqjfF3u7KqPza7x/jqJcdt3DQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 195.60.68.100) smtp.rcpttodomain=lists.openembedded.org smtp.mailfrom=axis.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=axis.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=axis.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/bysg2t3A8XalXcxXb1b+ENIYsIxI3F5r05pNGHdBFg=; b=qclLbNocccrWhmklr77u29LbvXfITW+3gX3uXKpJMMnpBsQdC1T7dB3yvlYv0UHgEbf43I5AZJqMxCaBo9bxqP8lWv0YfMIqINUPbrSYWlPcBOxYCkSp5gBJdYawawlrWvFlLu37GAlQfCxAssbRx47iYrHVAorc4mJ/L9xWRAA= Received: from CWLP265CA0432.GBRP265.PROD.OUTLOOK.COM (2603:10a6:400:1d7::11) by AS4PR02MB8766.eurprd02.prod.outlook.com (2603:10a6:20b:58e::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.113.18; Tue, 16 Jun 2026 06:28:02 +0000 Received: from AM2PEPF0001C715.eurprd05.prod.outlook.com (2603:10a6:400:1d7:cafe::5b) by CWLP265CA0432.outlook.office365.com (2603:10a6:400:1d7::11) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.113.18 via Frontend Transport; Tue, 16 Jun 2026 06:28:01 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 195.60.68.100) smtp.mailfrom=axis.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=axis.com; Received-SPF: Pass (protection.outlook.com: domain of axis.com designates 195.60.68.100 as permitted sender) receiver=protection.outlook.com; client-ip=195.60.68.100; helo=mail.axis.com; pr=C Received: from mail.axis.com (195.60.68.100) by AM2PEPF0001C715.mail.protection.outlook.com (10.167.16.185) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.139.8 via Frontend Transport; Tue, 16 Jun 2026 06:28:01 +0000 Received: from se-mail11w.axis.com (10.20.40.11) by se-mail10w.axis.com (10.20.40.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1748.39; Tue, 16 Jun 2026 08:28:01 +0200 Received: from se-intmail01x.se.axis.com (10.4.0.28) by se-mail11w.axis.com (10.20.40.11) with Microsoft SMTP Server id 15.2.1748.39 via Frontend Transport; Tue, 16 Jun 2026 08:28:01 +0200 Received: from pc62260-2523.se.axis.com (pc62260-2523.se.axis.com [10.92.71.7]) by se-intmail01x.se.axis.com (Postfix) with ESMTP id 18BA42480; Tue, 16 Jun 2026 08:28:01 +0200 (CEST) Received: by pc62260-2523.se.axis.com (Postfix, from userid 19544) id 154B78461E6; Tue, 16 Jun 2026 08:28:01 +0200 (CEST) From: Anton Skorup To: CC: Anton Skorup , Anton Skorup Subject: [PATCH 5/8] jq: patch CVE-2026-41257 Date: Tue, 16 Jun 2026 08:27:51 +0200 Message-ID: <20260616062754.748436-5-antonsk@axis.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260616062754.748436-1-antonsk@axis.com> References: <20260616062754.748436-1-antonsk@axis.com> MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AM2PEPF0001C715:EE_|AS4PR02MB8766:EE_ X-MS-Office365-Filtering-Correlation-Id: 471096bb-d8bf-4875-7e46-08decb706a9f X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|36860700016|82310400026|376014|23010399003|13003099007|22082099003|18002099003|3023799007|11063799006|56012099006|6133799003; X-Microsoft-Antispam-Message-Info: PJWqUX1AWjsobPeXa8N+03xavxIvjXnUKIPdu1+WyjIm/kCuriZpqJWf7ATD9oHRYQjCLpjsL2LoM8g4qH+rsLqiYRFMoglkmLg5sKZqy25YO72R3/hjtt/gRY8VTJWzGMAlP4WPZnL1sqowiBBrIdYqN4Ij+7gq/OD1sjrYVAAPydEfKqHBAObadJdti+8XFQUSVcTeCwLL42Q8HpCknu/YbjAXC8kE1koi+gzT4MLi/Apo53HGXQUY8vJg9ct4Fl1AuYm6IzB/q1GRp7rSK10OzuHB3egc3CxkZw8tggQvj+zRFY7vNuNaomd+CFCsX1aO3oflhoPs6mSFjdSlQxmkVs0MPM5TStU5vWmbrgSYGFCeYQMmwgd+QW8r9ipDbnSomLmv6x1UqC2BdRegJAJMW7MjL9IgHV11gM3KEZBmdJICbVY/kJ3wv6Pw7QWHBLUtyr+ysgDeEx6aI9LCeYM5JGf5qhYYwBiGiVGmDtsC84rckWYpWTEMdorEgUm41P9nxhdKhOEzwb1c8sYlLNpHG7S3N528WP/fU2DuTcQs3LQoVoYf3Ui6gNSeTuHxWNj3q4N9YopHsi5rA6fCXANHw+WSNohgnfACPtdM3HH5I2/sL8DcbQDa/gh5rnpD2CbjZwYU6feb++xFuwXkf8LheDxchDkvGeCc4DHXq1f8r+bdlW8w0GHZrZ0kCc3oJide3qkf/OIHrS5BmqYsWn+m6btr/XFfE7LSzHOQwBI= X-Forefront-Antispam-Report: CIP:195.60.68.100;CTRY:SE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.axis.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(1800799024)(36860700016)(82310400026)(376014)(23010399003)(13003099007)(22082099003)(18002099003)(3023799007)(11063799006)(56012099006)(6133799003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: +EdtVqdgV2BJQ27LdqvIyyfELyWxEHVL1aEqkehRwv5jWoxO7IwUZRwppJ40kuhotil30j12bgPFRhP+kh2msyMb3e7h46D78RodDyoOYKXgsOcNRmeWHnOBI2Idm/NHG4uMYJIgnxp1aV4SmeMC8+TiJVnKRHeDKBFnMjWjam+ARQ7ir6wEwEs4iYNfOhxuPX2U+ZFl7IdJIqk1UZ4Sscq+MzTJ6trH0LqKqWHHPtgfR1YBKhmF6QtlgOKs/p4KdpoE1Hfswo4ZBkeuvh7laWBinI9PMCrVBRzAyP3tQJP2WLOPB2lhgFXpfukOk3GslHDIppjNBG/eg1CRSBKLSw7FgKsrkYFfNQaVFrUS6sAP+gLVPGwFJYCveQOZAYYEMR47eaPdSyww4i04egDA/x2vld+BNEdvxNVarbYNLaCEHE84cTBLCFoDjuL1CdV6 X-OriginatorOrg: axis.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Jun 2026 06:28:01.8375 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 471096bb-d8bf-4875-7e46-08decb706a9f X-MS-Exchange-CrossTenant-Id: 78703d3c-b907-432f-b066-88f7af9ca3af X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=78703d3c-b907-432f-b066-88f7af9ca3af;Ip=[195.60.68.100];Helo=[mail.axis.com] X-MS-Exchange-CrossTenant-AuthSource: AM2PEPF0001C715.eurprd05.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS4PR02MB8766 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 16 Jun 2026 07:12:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127611 From: Anton Skorup CVE details: https://www.cve.org/CVERecord?id=CVE-2026-41257 Signed-off-by: Anton Skorup --- .../jq/jq/CVE-2026-41257.patch | 52 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 53 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-41257.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-41257.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-41257.patch new file mode 100644 index 0000000000..8bf3ecd325 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-41257.patch @@ -0,0 +1,52 @@ +From 01b3cded76daacbfddb7f8763700b0803bcb5c6f Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Fri, 24 Apr 2026 22:09:44 +0900 +Subject: [PATCH] Fix signed-int overflow in `stack_reallocate` + +This fixes CVE-2026-41257. + +Signed-off-by: Anton Skorup +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/01b3cded76daacbfddb7f8763700b0803bcb5c6f] +--- + src/exec_stack.h | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/src/exec_stack.h b/src/exec_stack.h +index 2a063e8cf9..159c56e4fb 100644 +--- a/src/exec_stack.h ++++ b/src/exec_stack.h +@@ -2,8 +2,10 @@ + #define EXEC_STACK_H + #include + #include ++#include + #include + #include ++#include + #include "jv_alloc.h" + + /* +@@ -81,15 +83,19 @@ static stack_ptr* stack_block_next(struct stack* s, stack_ptr p) { + } + + static void stack_reallocate(struct stack* s, size_t sz) { +- int old_mem_length = -(s->bound) + ALIGNMENT; +- char* old_mem_start = (s->mem_end != NULL) ? (s->mem_end - old_mem_length) : NULL; ++ size_t old_mem_length = (size_t)(-(s->bound)) + ALIGNMENT; ++ char* old_mem_start = s->mem_end != NULL ? s->mem_end - old_mem_length : NULL; + +- int new_mem_length = align_round_up((old_mem_length + sz + 256) * 2); ++ size_t new_mem_length = align_round_up((old_mem_length + sz + 256) * 2); ++ if (new_mem_length > INT_MAX) { ++ fprintf(stderr, "jq: error: cannot allocate memory\n"); ++ abort(); ++ } + char* new_mem_start = jv_mem_realloc(old_mem_start, new_mem_length); + memmove(new_mem_start + (new_mem_length - old_mem_length), + new_mem_start, old_mem_length); + s->mem_end = new_mem_start + new_mem_length; +- s->bound = -(new_mem_length - ALIGNMENT); ++ s->bound = -(int)(new_mem_length - ALIGNMENT); + } + + static stack_ptr stack_push_block(struct stack* s, stack_ptr p, size_t sz) { diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 082a827041..bb4601b667 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb @@ -18,6 +18,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-33948.patch \ file://CVE-2026-39979.patch \ file://CVE-2026-41256.patch \ + file://CVE-2026-41257.patch \ file://CVE-2026-43896.patch \ file://CVE-2026-44777.patch \ file://CVE-2026-49389.patch \ From patchwork Tue Jun 16 06:27:52 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anton Skorup X-Patchwork-Id: 90174 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8C716CD98E4 for ; Tue, 16 Jun 2026 07:12:12 +0000 (UTC) Received: from OSPPR02CU001.outbound.protection.outlook.com (OSPPR02CU001.outbound.protection.outlook.com [40.107.159.68]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.148427.1781591286733951400 for ; Mon, 15 Jun 2026 23:28:07 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@axis.com header.s=selector1 header.b=kjZsLm4j; spf=pass (domain: axis.com, ip: 40.107.159.68, mailfrom: anton.skorup@axis.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=tztc4Qxu+4NbhnXjDUr6eazBpmqFYT3vmt4tmYs7pC1rNx1/DFxHgQHb7uYU2rHk+l/sYMeWg9SS02gNoJHcTtl+OTM1fymfuti83CxAjpC9nA/ZlHyiqH0cVSe6kX+BSnREdEt+Wh3J/LydtXYVhMWxgka/qAo017+fiHElqdz2Ujb+dwc74aoZ4Xygtr1pO7S/5eXakaG9ycobMlQXKgQMaQ334Gzycc/yLAgE2pox7ZzqoBXhmjNsk3SmQdY7CqWpIBpcT7Yt8Krmr9y6Do/uONk1b1eM0zb6gYJXdjEq8bPxvnmDB9nt/JRJSqnserd7XghYknFxDJa+9wxTbg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=tZLlbnjrG1X+KCjr1W8Y1OZBXQePgo4n1V9oVk69Wqs=; b=L+aWWzuI6UcsXlAsuSXXY2cWU36IbzTjrVIEMBtYEsDeWRfKEOBNK81jCl4VnqaTyu7nnmEuWkXnyYe2bWFtROLyLYGyktHw5sqmvDwQMZJgQMxzZi4TvYudHC96oyIGO4feiHO+ickJuv17T7FBPwKDsBsW7UpQmk1pTZBum106nnQcrzle2+whSAP4XChn/6CwNSydH6chA0WqP0ckHwF1hAIncKGTgW3cXDQGBr3UqnZLIgzJIoQ0IeQQtMHhXRyPS3xYbhhoQUiWcNjbIBfPSDP2RAcuV459aBSbvfgcStO+VzXwEoK8aA0mCY3cle870shbnBEOU/I30dxC8g== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 195.60.68.100) smtp.rcpttodomain=lists.openembedded.org smtp.mailfrom=axis.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=axis.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=axis.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tZLlbnjrG1X+KCjr1W8Y1OZBXQePgo4n1V9oVk69Wqs=; b=kjZsLm4jN7WhXAiS5COHi4A93iIygp8A/9GzBl2JbIAbFBx2apTqADp39qCwHSLQC4GCLoLIx/WQiO9KsVA2O7/ELrDv/850Xn6zv01rBrFD+WINiV8fySWnx6Qg/PeLgjnQD/KkXkX65zAZQNj3lXXxwx+Z41lQZOwhdY0RgQw= Received: from CWLP265CA0437.GBRP265.PROD.OUTLOOK.COM (2603:10a6:400:1d7::13) by PA1PR02MB11380.eurprd02.prod.outlook.com (2603:10a6:102:4f4::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.113.18; Tue, 16 Jun 2026 06:28:02 +0000 Received: from AM2PEPF0001C715.eurprd05.prod.outlook.com (2603:10a6:400:1d7:cafe::42) by CWLP265CA0437.outlook.office365.com (2603:10a6:400:1d7::13) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.113.18 via Frontend Transport; Tue, 16 Jun 2026 06:28:02 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 195.60.68.100) smtp.mailfrom=axis.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=axis.com; Received-SPF: Pass (protection.outlook.com: domain of axis.com designates 195.60.68.100 as permitted sender) receiver=protection.outlook.com; client-ip=195.60.68.100; helo=mail.axis.com; pr=C Received: from mail.axis.com (195.60.68.100) by AM2PEPF0001C715.mail.protection.outlook.com (10.167.16.185) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.139.8 via Frontend Transport; Tue, 16 Jun 2026 06:28:02 +0000 Received: from se-mail11w.axis.com (10.20.40.11) by se-mail10w.axis.com (10.20.40.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1748.39; Tue, 16 Jun 2026 08:28:01 +0200 Received: from se-intmail01x.se.axis.com (10.4.0.28) by se-mail11w.axis.com (10.20.40.11) with Microsoft SMTP Server id 15.2.1748.39 via Frontend Transport; Tue, 16 Jun 2026 08:28:01 +0200 Received: from pc62260-2523.se.axis.com (pc62260-2523.se.axis.com [10.92.71.7]) by se-intmail01x.se.axis.com (Postfix) with ESMTP id 6E6D62480; Tue, 16 Jun 2026 08:28:01 +0200 (CEST) Received: by pc62260-2523.se.axis.com (Postfix, from userid 19544) id 6B0F78461E6; Tue, 16 Jun 2026 08:28:01 +0200 (CEST) From: Anton Skorup To: CC: Anton Skorup , Anton Skorup Subject: [PATCH 6/8] jq: patch CVE-2026-40612 Date: Tue, 16 Jun 2026 08:27:52 +0200 Message-ID: <20260616062754.748436-6-antonsk@axis.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260616062754.748436-1-antonsk@axis.com> References: <20260616062754.748436-1-antonsk@axis.com> MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AM2PEPF0001C715:EE_|PA1PR02MB11380:EE_ X-MS-Office365-Filtering-Correlation-Id: 3498f16a-9caf-4934-9ea2-08decb706ada X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|36860700016|82310400026|376014|23010399003|13003099007|3023799007|22082099003|18002099003|56012099006|11063799006|6133799003; X-Microsoft-Antispam-Message-Info: 2AGkpA9lV2Zg7ji12GoUT/kx/eOO/fKug8ViNIcYwOlSmg7ogI5sLGWL6NwI4Znljfms+dCzimoWaDzzJZXOjrmDf0nikXCdsid6i4I3euI7BcU6Mq9ljOVmPJn3Sp/O29xgyX8pBLaVft1uQc1Q8nAGdKgFcA4OnM8hH3hfWrV8ZbZrXjUia3jjno5DGW/L/VIPF6kLYI/KO8dUM6mkd9612ren1hFgyoqsQAei44t7yRHII16R/rv8RjF0Y9QbNLSf6VtEVNF94rgdhdo5oPhorUnzVg6g0sbZDuolKpy+Pc+14RW+M4knDTHvPTR/bmTQmCNru4uoo3cXwXm266tN562BKfdJl6A8NzWlBtt4aeaUA8/5EyxluVC6i6PttKJi8P5G32ryWDKMam2NS3shlcMpJb3LER9ESFrVO+HUBRTA6woO1fegClakTxr0uMJnJamkIyIV9Z1TBjwQkrzjpo9oDZSVqhILgnIIi4g85ah4xyl+M+UJrQnCgNtuGUUfUFUFtK/YiFN3+ThygA57GtlDA1mUip7Ae8ig6bOJO1jROnjLRxrXKzrqojI6fi4147JABVQIukvsReL6iV1rmWR3qq0s7WK3heX6uvs7X7dh6gp+jny6zmMb8w8HSyWirKamIMp3YRme5m7DHAFsp63RQnKObarWEru5+8JhDeRIuHAF9f1BYLfUbbyLPjaHPdih66JxzQ+cVqD4BTk1zCjRqS1cAOhLL8EvDW4= X-Forefront-Antispam-Report: CIP:195.60.68.100;CTRY:SE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.axis.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(1800799024)(36860700016)(82310400026)(376014)(23010399003)(13003099007)(3023799007)(22082099003)(18002099003)(56012099006)(11063799006)(6133799003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: dxxNFyHQZhryZMt2KNCrJH+XzhIZiX9NIFRc6bj0ILsQn+0ppJ5cUDV7rpuemJDEVVboAxjiVD3EQuKXm6N7L2cR9B7u7rd1/rW5VyP4JCTBERKcJRP/PtvNzi1qBtlJ4Q00UmZzmk0dxf7MRjvwiZND/LKP2fuknNTiMOUT1d/LNdsYqK5pP9hKbinYbJHrTLsSL/mcudXV2bZ3tgKkwBcjjzh1o1bRLGjrhwl9XPwf4mFp9+PpxmiXV0aO4nzZR6etlLnSk9afekZC/58g0tyUFSkwKw/ToRFuUAHHmDzmZgXCowQXb0bROSXGBpbxSzdnwtUJui2syg0wSPS5idMtphuk8fPzxLM4hqD8iLwguf7tr5IIsX8lLF8/aBuzF5EYdGSKsINS1R/F8n2eYrrAB49fMTQH+4Xb9WCE3shSL/tuorGfS4XVT+UycmCt X-OriginatorOrg: axis.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Jun 2026 06:28:02.2274 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 3498f16a-9caf-4934-9ea2-08decb706ada X-MS-Exchange-CrossTenant-Id: 78703d3c-b907-432f-b066-88f7af9ca3af X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=78703d3c-b907-432f-b066-88f7af9ca3af;Ip=[195.60.68.100];Helo=[mail.axis.com] X-MS-Exchange-CrossTenant-AuthSource: AM2PEPF0001C715.eurprd05.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: PA1PR02MB11380 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 16 Jun 2026 07:12:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127608 From: Anton Skorup CVE details: https://www.cve.org/CVERecord?id=CVE-2026-40612 Signed-off-by: Anton Skorup --- .../jq/jq/CVE-2026-40612.patch | 136 ++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 137 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch new file mode 100644 index 0000000000..4078b8b10d --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch @@ -0,0 +1,136 @@ +From d1a12569d91641135976a8536776a4a329c02cc2 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Fri, 24 Apr 2026 22:02:24 +0900 +Subject: [PATCH] Limit the containment check depth + +This fixes CVE-2026-40612. + +Signed-off-by: Anton Skorup +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/d1a12569d91641135976a8536776a4a329c02cc2] +--- + src/builtin.c | 5 ++++- + src/jv.c | 40 +++++++++++++++++++++++++++------------- + tests/jq.test | 9 +++++++++ + 3 files changed, 40 insertions(+), 14 deletions(-) + +diff --git a/src/builtin.c b/src/builtin.c +index d33e9fb162..2b2a2d40da 100644 +--- a/src/builtin.c ++++ b/src/builtin.c +@@ -421,7 +421,10 @@ jv binop_greatereq(jv a, jv b) { + + static jv f_contains(jq_state *jq, jv a, jv b) { + if (jv_get_kind(a) == jv_get_kind(b)) { +- return jv_bool(jv_contains(a, b)); ++ int r = jv_contains(a, b); ++ if (r < 0) ++ return jv_invalid_with_msg(jv_string("Containment check too deep")); ++ return jv_bool(r); + } else { + return type_error2(a, b, "cannot have their containment checked"); + } +diff --git a/src/jv.c b/src/jv.c +index 607ac174f7..4b18c00cf6 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -938,19 +938,19 @@ static void jvp_clamp_slice_params(int len, int *pstart, int *pend) + } + + +-static int jvp_array_contains(jv a, jv b) { ++static int jvp_contains(jv a, jv b, int depth); ++ ++static int jvp_array_contains(jv a, jv b, int depth) { + int r = 1; + jv_array_foreach(b, bi, belem) { + int ri = 0; + jv_array_foreach(a, ai, aelem) { +- if (jv_contains(aelem, jv_copy(belem))) { +- ri = 1; +- break; +- } ++ ri = jvp_contains(aelem, jv_copy(belem), depth); ++ if (ri) break; + } + jv_free(belem); +- if (!ri) { +- r = 0; ++ if (ri <= 0) { ++ r = ri; + break; + } + } +@@ -1844,7 +1844,7 @@ static int jvp_object_equal(jv o1, jv o2) { + return len1 == len2; + } + +-static int jvp_object_contains(jv a, jv b) { ++static int jvp_object_contains(jv a, jv b, int depth) { + assert(JVP_HAS_KIND(a, JV_KIND_OBJECT)); + assert(JVP_HAS_KIND(b, JV_KIND_OBJECT)); + int r = 1; +@@ -1852,9 +1852,9 @@ static int jvp_object_contains(jv a, jv b) { + jv_object_foreach(b, key, b_val) { + jv a_val = jv_object_get(jv_copy(a), key); + +- r = jv_contains(a_val, b_val); ++ r = jvp_contains(a_val, b_val, depth); + +- if (!r) break; ++ if (r <= 0) break; + } + return r; + } +@@ -2086,14 +2086,23 @@ int jv_identical(jv a, jv b) { + return r; + } + +-int jv_contains(jv a, jv b) { ++#ifndef MAX_CONTAINS_DEPTH ++#define MAX_CONTAINS_DEPTH (10000) ++#endif ++ ++static int jvp_contains(jv a, jv b, int depth) { ++ if (depth > MAX_CONTAINS_DEPTH) { ++ jv_free(a); ++ jv_free(b); ++ return -1; ++ } + int r = 1; + if (jv_get_kind(a) != jv_get_kind(b)) { + r = 0; + } else if (JVP_HAS_KIND(a, JV_KIND_OBJECT)) { +- r = jvp_object_contains(a, b); ++ r = jvp_object_contains(a, b, depth + 1); + } else if (JVP_HAS_KIND(a, JV_KIND_ARRAY)) { +- r = jvp_array_contains(a, b); ++ r = jvp_array_contains(a, b, depth + 1); + } else if (JVP_HAS_KIND(a, JV_KIND_STRING)) { + int b_len = jv_string_length_bytes(jv_copy(b)); + if (b_len != 0) { +@@ -2109,3 +2118,8 @@ int jv_contains(jv a, jv b) { + jv_free(b); + return r; + } ++ ++// Returns 1 (contained), 0 (not contained), or -1 (too deep) ++int jv_contains(jv a, jv b) { ++ return jvp_contains(a, b, 0); ++} +diff --git a/tests/jq.test b/tests/jq.test +index 0cd5198f8d..8094a5b6eb 100644 +--- a/tests/jq.test ++++ b/tests/jq.test +@@ -2593,3 +2593,12 @@ null + try delpaths([[range(10001) | 0]]) catch . + null + "Path too deep" ++ ++# regression test for CVE-2026-40612 ++reduce range(10000) as $_ ([]; [.]) | contains([[]]) ++null ++true ++ ++try (reduce range(10001) as $_ ([]; [.]) as $x | $x | contains($x)) catch . ++null ++"Containment check too deep" diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index bb4601b667..0653dcd1f1 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-33947.patch \ file://CVE-2026-33948.patch \ file://CVE-2026-39979.patch \ + file://CVE-2026-40612.patch \ file://CVE-2026-41256.patch \ file://CVE-2026-41257.patch \ file://CVE-2026-43896.patch \ From patchwork Tue Jun 16 06:27:53 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anton Skorup X-Patchwork-Id: 90179 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 85A4DCD98DA for ; Tue, 16 Jun 2026 07:13:02 +0000 (UTC) Received: from OSPPR02CU001.outbound.protection.outlook.com (OSPPR02CU001.outbound.protection.outlook.com [40.107.159.41]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.148004.1781591289880416164 for ; Mon, 15 Jun 2026 23:28:10 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@axis.com header.s=selector1 header.b=WlYOxMaM; spf=pass (domain: axis.com, ip: 40.107.159.41, mailfrom: anton.skorup@axis.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=jAJCHLGjywJlt+BpAj/FVq88Wxz5Et+ben5V4uuCXpogXYs9TG4U6B24IktB6Mazva4bGIXBPv7bszTWAfBP6cKs9lx0Xkeavwb/vqProBahQtItrqBsBhuAC95ObykfAzeDrN+XQjC1tSWycdJI8+xv7bXVibzK0yJ6EByMuXxExhHHk1iJUkaUJd8LPQEJB2XrtIn9nqJj2dfhb3orbqJ9DxpETvAu7pTYpzjbkbgW+We3NRfQxiupsBM7nQsiny8JmKAdX4zW1GltzCnmqKyTYybuqZqK+6Ti04RQ0SiHoK1RQ+vUBeYJH26mTdnhvRRNZAcVNziyeFn095AwIw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=sHQF6r2ngJr8+W/ZByGxljkW8qZ7xgt1ddZrSWF/k04=; b=CMIL/jE4YJ6snfZcBLaql3bS3Kesh3gmfTVmMTSeTVwqLvY2PUGnDUfHnffqJS84l7m2qrb9wxcoM+zMRNInBEfdtLV57+hJnr5RdoVjMwW0X4oYqxMmErvf2QtSnESDlkopxEHCYI/+fziMfIPWSLctb9OmIzyrgKUFynVwqmrmumR4d0mRJyaCceMu4snL5DgKVKW2mLgM984gpIRdSZRIy/tkAkxFkUqfl34U0X26kJl0yFiQ4DV382yGq5blDYqn26iKc7fAfSPW/3qfC4L0RkBQx4LbnHVnYUv/pXTVeZghA9QFCBX3C5rC6xU+lfiCumeoMNSmZZ6K6hL24g== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 195.60.68.100) smtp.rcpttodomain=lists.openembedded.org smtp.mailfrom=axis.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=axis.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=axis.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=sHQF6r2ngJr8+W/ZByGxljkW8qZ7xgt1ddZrSWF/k04=; b=WlYOxMaMu3V9X6gLV9HHTX7azJ154zHlAziSmRObnk3Lqk+q1sQ9h04HoIz3wb8XDfbetLRmkJrDCRkeBCauRzoB1S8K2GjoOXiWN43HE5Gx8/uJ5oo+LelEqBmKOydgHyXunfNwt4f5myDlF0QLVrs3zGqilEgKjLrg8KDdTlM= Received: from CWLP265CA0431.GBRP265.PROD.OUTLOOK.COM (2603:10a6:400:1d7::7) by AS8PR02MB9529.eurprd02.prod.outlook.com (2603:10a6:20b:5a5::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.113.18; Tue, 16 Jun 2026 06:28:03 +0000 Received: from AM2PEPF0001C715.eurprd05.prod.outlook.com (2603:10a6:400:1d7:cafe::63) by CWLP265CA0431.outlook.office365.com (2603:10a6:400:1d7::7) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.113.18 via Frontend Transport; Tue, 16 Jun 2026 06:28:02 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 195.60.68.100) smtp.mailfrom=axis.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=axis.com; Received-SPF: Pass (protection.outlook.com: domain of axis.com designates 195.60.68.100 as permitted sender) receiver=protection.outlook.com; client-ip=195.60.68.100; helo=mail.axis.com; pr=C Received: from mail.axis.com (195.60.68.100) by AM2PEPF0001C715.mail.protection.outlook.com (10.167.16.185) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.139.8 via Frontend Transport; Tue, 16 Jun 2026 06:28:02 +0000 Received: from se-mail11w.axis.com (10.20.40.11) by se-mail10w.axis.com (10.20.40.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1748.39; Tue, 16 Jun 2026 08:28:01 +0200 Received: from se-intmail01x.se.axis.com (10.4.0.28) by se-mail11w.axis.com (10.20.40.11) with Microsoft SMTP Server id 15.2.1748.39 via Frontend Transport; Tue, 16 Jun 2026 08:28:01 +0200 Received: from pc62260-2523.se.axis.com (pc62260-2523.se.axis.com [10.92.71.7]) by se-intmail01x.se.axis.com (Postfix) with ESMTP id C2B572480; Tue, 16 Jun 2026 08:28:01 +0200 (CEST) Received: by pc62260-2523.se.axis.com (Postfix, from userid 19544) id BF1AD8461E6; Tue, 16 Jun 2026 08:28:01 +0200 (CEST) From: Anton Skorup To: CC: Anton Skorup , Anton Skorup Subject: [PATCH 7/8] jq: patch CVE-2026-43894 Date: Tue, 16 Jun 2026 08:27:53 +0200 Message-ID: <20260616062754.748436-7-antonsk@axis.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260616062754.748436-1-antonsk@axis.com> References: <20260616062754.748436-1-antonsk@axis.com> MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AM2PEPF0001C715:EE_|AS8PR02MB9529:EE_ X-MS-Office365-Filtering-Correlation-Id: d7528e62-4b80-4bde-8bb9-08decb706b19 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|376014|82310400026|23010399003|36860700016|13003099007|22082099003|18002099003|3023799007|6133799003|11063799006|56012099006; X-Microsoft-Antispam-Message-Info: jIQcjS6UriyuD32WopOmXT5w61UzjcFUrPApw/zzNp+g6kcdnJWCSUWq36+BefWcG0vapfr0ai7qG7yj83Jz6bErrwca+oDOUo52kmFSq+G4gngTH3SkfUZR+EdhQw3ZOMSm+2Drvb9X+mHa6flvqVXV6sSro9S0ktOEcW6gQtdr+E6bJXQTINr5SrDznfe9EtthwTWSnOlB5WsHLE71J9wJTUvwEZ0q15GvpgPYMBzI5nmxOuVlal92vHoOD0rHtmvJ4WZQ+/OWPYzgNy/uhAasB2qf2njQqX6CqWFAcT9qKXOAe+lg0yqgNo0xRIXXt/JCmSWxdU+bKCCJ75MREWjEjhAuoaXKoMKtAYDSguk/c4JqEXvhbqnhQpk0SH4Kg/9u+wkUgX2Ld95dQvFg+dTnPXUgadMpwLy0EBSa6RO6hdHWA9jmVi5+jQ5Wbh2X337/uIwJZJTxWyuWJpbatF3ygeQ3OQHeEaowYa/o+WCp8ombbHMsjaFLimEdAbmKBSyq/+/FiBZZz7QIgsteDHTrvYg5uqqPyUSdQSur36T7aauPeizWpmw3eRkH22qJeNjlbod8HiBKm4Td0EremYlRBUJtigywFzSPKKLHV9oBOPfQIGtlE/QIetzgxHM79WwYNkfuCMfoBQLF2pBv8fyb9EKDDkrNuQUtN79C/qCdbcNgo0EgzNCW82pv4THpFj9LeS5gdjyh0qhVWWMamXCXXR8ZHjZ1/k8IkgJ1Ep0= X-Forefront-Antispam-Report: CIP:195.60.68.100;CTRY:SE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.axis.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(1800799024)(376014)(82310400026)(23010399003)(36860700016)(13003099007)(22082099003)(18002099003)(3023799007)(6133799003)(11063799006)(56012099006);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: kVn5he7/v7TB4iTS6IH+aTYXCNWHswTRP08M3ETYSRKGLMG6/G5SNoZ1pdNsNLl/IReiNih5simWoJ71h2B4fryOoHmFs9QJHmChpO2cfJBiEdJiNPVEPx8SR6tMicRADjTyhPDNKV/vh3o/6ruqNNJssZ5LLWzIHXNJ2JECLaDgAPwuuMI8+okKN+0YeXafj1S3rqqYxH3iLf5fwFQroc13ewgYwLXZg3vXlSLuQh5zbgyDZF4u7rUbYVgz76nPt9siaBo9n7bjNcv85Xkmqx4v5Ya279hGRHCMpu0hVPyB54Ym6XVAF/V9i5TcDvqWpqbChPwuGuwB1gOpay/8Ao91A2xTSdSrUXNXUg9MavvOoYqXZJGRDK+2Gx7KNrsinx0Bxlg/DgGwdZE65+lPm5SxdIixxJJXuI5U/ZxV6AWDe53HFam0s0R4myWfrBuc X-OriginatorOrg: axis.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Jun 2026 06:28:02.6521 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: d7528e62-4b80-4bde-8bb9-08decb706b19 X-MS-Exchange-CrossTenant-Id: 78703d3c-b907-432f-b066-88f7af9ca3af X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=78703d3c-b907-432f-b066-88f7af9ca3af;Ip=[195.60.68.100];Helo=[mail.axis.com] X-MS-Exchange-CrossTenant-AuthSource: AM2PEPF0001C715.eurprd05.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR02MB9529 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 16 Jun 2026 07:13:02 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127612 From: Anton Skorup CVE details: https://www.cve.org/CVERecord?id=CVE-2026-43894 Signed-off-by: Anton Skorup --- .../jq/jq/CVE-2026-43894.patch | 52 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 53 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch new file mode 100644 index 0000000000..3b73647de0 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch @@ -0,0 +1,52 @@ +From 9761ceb7d6cc48c16b25f0ab1baaef0e701927e4 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Wed, 6 May 2026 19:45:24 +0900 +Subject: [PATCH] Reject numeric literals longer than DEC_MAX_DIGITS + (999999999) + +A signed-int overflow in decNumber's D2U macro lets huge literals +write attacker-controlled bytes past a stack buffer. Cap the length +before calling decNumberFromString, and pre-slice long strings in +jv_dump_string_trunc so the resulting error message doesn't itself +allocate a multi-GiB buffer. + +Fixes CVE-2026-43894. + +Signed-off-by: Anton Skorup +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/9761ceb7d6cc48c16b25f0ab1baaef0e701927e4] +--- + src/jv.c | 5 ++++- + src/jv_print.c | 4 ++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/jv.c b/src/jv.c +index 84fafef666..074ee310c5 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -570,7 +570,10 @@ static jvp_literal_number* jvp_literal_number_alloc(unsigned literal_length) { + } + + static jv jvp_literal_number_new(const char * literal) { +- jvp_literal_number* n = jvp_literal_number_alloc(strlen(literal)); ++ size_t len = strlen(literal); ++ if (len > DEC_MAX_DIGITS) ++ return JV_INVALID; ++ jvp_literal_number* n = jvp_literal_number_alloc(len); + + decContext *ctx = DEC_CONTEXT(); + decContextClearStatus(ctx, DEC_Conversion_syntax); +diff --git a/src/jv_print.c b/src/jv_print.c +index 5c86c5d97c..bc251070f7 100644 +--- a/src/jv_print.c ++++ b/src/jv_print.c +@@ -410,6 +410,10 @@ jv jv_dump_string(jv x, int flags) { + + char *jv_dump_string_trunc(jv x, char *outbuf, size_t bufsize) { + assert(bufsize > 0); ++ if (jv_get_kind(x) == JV_KIND_STRING && ++ (size_t)jv_string_length_bytes(jv_copy(x)) > bufsize) { ++ x = jv_string_slice(x, 0, bufsize); ++ } + x = jv_dump_string(x, 0); + const char *str = jv_string_value(x); + const size_t len = strlen(str); diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 0653dcd1f1..0e3e22c65b 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb @@ -20,6 +20,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-40612.patch \ file://CVE-2026-41256.patch \ file://CVE-2026-41257.patch \ + file://CVE-2026-43894.patch \ file://CVE-2026-43896.patch \ file://CVE-2026-44777.patch \ file://CVE-2026-49389.patch \ From patchwork Tue Jun 16 06:27:54 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anton Skorup X-Patchwork-Id: 90180 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8C975CD98DA for ; Tue, 16 Jun 2026 07:13:12 +0000 (UTC) Received: from AS8PR04CU009.outbound.protection.outlook.com (AS8PR04CU009.outbound.protection.outlook.com [52.101.70.20]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.148429.1781591292017518233 for ; Mon, 15 Jun 2026 23:28:12 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@axis.com header.s=selector1 header.b=FFoWd25L; spf=pass (domain: axis.com, ip: 52.101.70.20, mailfrom: anton.skorup@axis.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=r0R0wcLiBdceNVscBcPXjSF5MsmKxCDrGghBokJyQpzxqHM3aSaGth7pJr58bo4vcE7gnK1BfTQDMqqpaNspxcjRMii0/tnRDDjK0dkXHO7IkVB/hv6O6b6R/T+TDESSkkeO8GurcOgny8q8ULq1/+TObyCqIw/UEBhf8kJTMetkm8koHfx0r6sX/H78RzlawvBNS5U+ZsF/yFXnirhVi7Pn/K2yjDMj1DPJezTlqT7BJdk96Z+EPvcFalzsmlWeLZyU+0sgbzZ/WHwm7REp5m0wO9325u6KW+0PKDq01c1EI5Z28qkXSTbdblhCi5eWiFCi89BWOallR7/APFFUOw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=7kEfFyqu3GnATRpg+M0h1/20LtSGYN927fL+bq2pwUg=; b=WmJNTA23GOAc8ckpAvr0AsxmDbgFj8Pjz4Wc/mkEtykUmWgtLQgLGG2KzRpU2IxqOCOk/ZZNZwGBFrB7HroB8E3JwzfPkX+OprPwlXIf0YtlLzHLRaSMNwSedSD3hkebLSoPqWUNnskmF9Kg94/hqvE6mlSOIhQnC7mK5lAes5qVzX9/+1LQS/VrsGENzNOscYDs5bBth1GG5Hm6Ca1uOD11sPZbuDffXknsENvPNQgUMU+3ufdh8AE9H+BadsjbSZwdAuuQ+PsxQKBiZ/TIz0rLdXOdJvJxioYbatDOmOGXwJwtombZDyf+z1BTYETDq7e+AsNYhpKcQ3H1lm/tdQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 195.60.68.100) smtp.rcpttodomain=lists.openembedded.org smtp.mailfrom=axis.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=axis.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=axis.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7kEfFyqu3GnATRpg+M0h1/20LtSGYN927fL+bq2pwUg=; b=FFoWd25LyRFsOZhNcj3v6TQ0raCbouzEammqbcj9dXocZ+gcmU+48Zo/G5YcxJxKUrMSzOBmzqeSZwKcj7RPlwJ9s4CzIFGghhAX28qfq2nMZBTw2FUCGqZK3MOjtgI4ss7G1SN7pV2J/xvfasKJh2C36EwykyXTTWUlv+/mJm0= Received: from CWLP265CA0431.GBRP265.PROD.OUTLOOK.COM (2603:10a6:400:1d7::7) by BESPR02MB12391.eurprd02.prod.outlook.com (2603:10a6:b10:100::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.113.18; Tue, 16 Jun 2026 06:28:04 +0000 Received: from AM2PEPF0001C715.eurprd05.prod.outlook.com (2603:10a6:400:1d7:cafe::97) by CWLP265CA0431.outlook.office365.com (2603:10a6:400:1d7::7) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.113.18 via Frontend Transport; Tue, 16 Jun 2026 06:28:03 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 195.60.68.100) smtp.mailfrom=axis.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=axis.com; Received-SPF: Pass (protection.outlook.com: domain of axis.com designates 195.60.68.100 as permitted sender) receiver=protection.outlook.com; client-ip=195.60.68.100; helo=mail.axis.com; pr=C Received: from mail.axis.com (195.60.68.100) by AM2PEPF0001C715.mail.protection.outlook.com (10.167.16.185) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.139.8 via Frontend Transport; Tue, 16 Jun 2026 06:28:03 +0000 Received: from se-mail11w.axis.com (10.20.40.11) by se-mail10w.axis.com (10.20.40.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1748.39; Tue, 16 Jun 2026 08:28:02 +0200 Received: from se-intmail02x.se.axis.com (10.4.0.28) by se-mail11w.axis.com (10.20.40.11) with Microsoft SMTP Server id 15.2.1748.39 via Frontend Transport; Tue, 16 Jun 2026 08:28:02 +0200 Received: from pc62260-2523.se.axis.com (pc62260-2523.se.axis.com [10.92.71.7]) by se-intmail02x.se.axis.com (Postfix) with ESMTP id 3513D2423; Tue, 16 Jun 2026 08:28:02 +0200 (CEST) Received: by pc62260-2523.se.axis.com (Postfix, from userid 19544) id 1CF808461E6; Tue, 16 Jun 2026 08:28:02 +0200 (CEST) From: Anton Skorup To: CC: Anton Skorup , Anton Skorup Subject: [PATCH 8/8] jq: patch CVE-2026-43895 Date: Tue, 16 Jun 2026 08:27:54 +0200 Message-ID: <20260616062754.748436-8-antonsk@axis.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260616062754.748436-1-antonsk@axis.com> References: <20260616062754.748436-1-antonsk@axis.com> MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AM2PEPF0001C715:EE_|BESPR02MB12391:EE_ X-MS-Office365-Filtering-Correlation-Id: 42d26eea-8e67-4467-32f1-08decb706bd6 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|36860700016|82310400026|376014|23010399003|3023799007|22082099003|18002099003|11063799006|56012099006|6133799003; X-Microsoft-Antispam-Message-Info: W6hwXTl8cSliTCxZWECx+1xmQRqeOggoDAyztY4nzqjzMVPfLquxhOa0XDKR29kegGVkUeVbVLGYBs37Gq5igboakj8RL1I75ScGbRb0ndoBEKO5Y+iDw6xho/81coxaBK56891+hb1NpzLVN49GdUnHJwXo/DH9AyScTpy0dUS/9+JCJ+ADvdF6rYG/g9SO8LuhhlHTPmvPw6amYYEut3giSfOU22E6WBSlysJs9LzO+/LMFluh953rUuG4os1s8L/DZi9VRvgSluUSmg03zfsYWHQ5XL5FPkJsSJOtSnpUBsNLolo/3SF8S/OmXk2fWWn1GLTRSP+U40mPfZIQ83tBp0YyH2N0NvupMhkot/vo81eUmwh3HdaM9zTh2ZqCzmhx6xMyvmJfIZywDpVVtcwxjHCqreVR/bGd8QUki6+MxjIrnOJtdmw5YYVQx/qhnkihA0ExYCGUjoY9Pnlcm8vvfEvlHG9dDcIeqHVTWLBtzRgBPX37KcNZTQCio1H8PJmodUPnUxcYTITqxeM5sY4VYJ74qB/yA1xNgy2TxaHRPfAV/b5rLZxdGv33X3qO5bjF44wbcgmMVWWYHcbxK0iVY2lF3Kgs+8tL5dC4sXxrDIXSqkpaOgdb1MPBvQXnAguuh7RvuK2kAprEPDsATmwPjGT6UnRQXcOflYhmnpk37f5tZiDgv8h04hgY7e1gjB0FHw+9C1bK1daINIgSZpE/oB0IMkgkgE8SoxT9h/E= X-Forefront-Antispam-Report: CIP:195.60.68.100;CTRY:SE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.axis.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(1800799024)(36860700016)(82310400026)(376014)(23010399003)(3023799007)(22082099003)(18002099003)(11063799006)(56012099006)(6133799003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: mTNrfWIs41qfa16sFYNxUa4mxnWF8DwNKigzRfBEN0KtkB/i/MQEQxmRwUccQnRdltMMJv8wXhw59QMNgWWT02x0gFZ+WptSj2CPp/h85XzMoFM+8UkLuvF40H7NOw2qp6wzPE+X0Ww0KOWXOi/Y7AbVGQ9Z3BD+CyPQeV+3dSrIbGFMtdTmZrzYfq+U0j+yJF1Ynuys+JtMNrIUAbbdJHANZTMD1PXWKiE+QqUqA1jP8U6vP5t2U1osdLRpYmwAViYd77dwfdqYxvz+gEc/+vL4R3whFHTVoP+2yfCmccbwscfXzd2wOhwFlko6ZPcoM7rRz20mzrfTnH7GBCeaBekxYS+9OFNsup/IecQ9gQl9zJIQsMyTYPQeyinfomwTGK+IaRl4ToYTKljQPVpDpxHDdli/KOy8tmX7Wu3u4D+VQDIxwpc1pj4oxE+qKjtS X-OriginatorOrg: axis.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Jun 2026 06:28:03.8736 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 42d26eea-8e67-4467-32f1-08decb706bd6 X-MS-Exchange-CrossTenant-Id: 78703d3c-b907-432f-b066-88f7af9ca3af X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=78703d3c-b907-432f-b066-88f7af9ca3af;Ip=[195.60.68.100];Helo=[mail.axis.com] X-MS-Exchange-CrossTenant-AuthSource: AM2PEPF0001C715.eurprd05.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: BESPR02MB12391 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 16 Jun 2026 07:13:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127613 From: Anton Skorup CVE details: https://www.cve.org/CVERecord?id=CVE-2026-43895 Signed-off-by: Anton Skorup --- .../jq/jq/CVE-2026-43895.patch | 1537 +++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 1538 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-43895.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-43895.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43895.patch new file mode 100644 index 0000000000..8b58c8e95e --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43895.patch @@ -0,0 +1,1537 @@ +From 9d223f153c3632a207fa071caaa6292da33ae361 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Sat, 9 May 2026 17:08:43 +0900 +Subject: [PATCH] Reject embedded NUL bytes in module import paths + +jq accepts embedded NUL bytes at the language level but resolves +module import paths through NUL-terminated C strings, so the path +validated by policy or audit code could differ from the on-disk +path jq actually opens. Pass jv through gen_import so the AST +preserves the original bytes, and reject embedded NULs in +validate_relpath. + +Fixes CVE-2026-43895. + +Signed-off-by: Anton Skorup +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/9d223f153c3632a207fa071caaa6292da33ae361] +--- + src/compile.c | 12 +- + src/compile.h | 2 +- + src/linker.c | 6 +- + src/parser.c | 556 +++++++++++++++++++++++++------------------------- + src/parser.y | 16 +- + tests/shtest | 17 ++ + 6 files changed, 307 insertions(+), 302 deletions(-) + +diff --git a/src/compile.c b/src/compile.c +index 5e64946b3e..80b723c119 100644 +--- a/src/compile.c ++++ b/src/compile.c +@@ -525,13 +525,17 @@ jv block_module_meta(block b) { + return jv_null(); + } + +-block gen_import(const char* name, const char* as, int is_data) { ++block gen_import(jv name, jv as, int is_data) { ++ assert(jv_get_kind(name) == JV_KIND_STRING); ++ assert(!jv_is_valid(as) || jv_get_kind(as) == JV_KIND_STRING); + inst* i = inst_new(DEPS); + jv meta = jv_object(); +- if (as != NULL) +- meta = jv_object_set(meta, jv_string("as"), jv_string(as)); ++ if (jv_is_valid(as)) ++ meta = jv_object_set(meta, jv_string("as"), as); ++ else ++ jv_free(as); + meta = jv_object_set(meta, jv_string("is_data"), is_data ? jv_true() : jv_false()); +- meta = jv_object_set(meta, jv_string("relpath"), jv_string(name)); ++ meta = jv_object_set(meta, jv_string("relpath"), name); + i->imm.constant = meta; + return inst_block(i); + } +diff --git a/src/compile.h b/src/compile.h +index bef46328a7..d195e9e2e8 100644 +--- a/src/compile.h ++++ b/src/compile.h +@@ -33,7 +33,7 @@ block gen_op_pushk_under(jv constant); + + block gen_module(block metadata); + jv block_module_meta(block b); +-block gen_import(const char* name, const char *as, int is_data); ++block gen_import(jv name, jv as, int is_data); + block gen_import_meta(block import, block metadata); + block gen_function(const char* name, block formals, block body); + block gen_param_regular(const char* name); +diff --git a/src/linker.c b/src/linker.c +index cfd74d1d48..e9027004cc 100644 +--- a/src/linker.c ++++ b/src/linker.c +@@ -93,6 +93,10 @@ static jv build_lib_search_chain(jq_state *jq, jv search_path, jv jq_origin, jv + // in between). + static jv validate_relpath(jv name) { + const char *s = jv_string_value(name); ++ if (strlen(s) != (size_t)jv_string_length_bytes(jv_copy(name))) { ++ jv_free(name); ++ return jv_invalid_with_msg(jv_string("Module path contains a NUL byte")); ++ } + if (strchr(s, '\\')) { + jv res = jv_invalid_with_msg(jv_string_fmt("Modules must be named by relative paths using '/', not '\\' (%s)", s)); + jv_free(name); +@@ -425,7 +429,7 @@ int load_program(jq_state *jq, struct locfile* src, block *out_block) { + jv home = get_home(); + if (jv_is_valid(home)) { + /* Import ~/.jq as a library named "" found in $HOME or %USERPROFILE% */ +- block import = gen_import_meta(gen_import("", NULL, 0), ++ block import = gen_import_meta(gen_import(jv_string(""), jv_invalid(), 0), + gen_const(JV_OBJECT( + jv_string("optional"), jv_true(), + jv_string("search"), home))); +diff --git a/src/parser.c b/src/parser.c +index c90e313420..9c60173e27 100644 +--- a/src/parser.c ++++ b/src/parser.c +@@ -937,19 +937,19 @@ static const yytype_int16 yyrline[] = + 325, 328, 331, 337, 340, 343, 349, 352, 355, 358, + 361, 364, 367, 370, 373, 376, 379, 382, 385, 388, + 391, 394, 397, 400, 403, 406, 409, 412, 415, 421, +- 424, 441, 450, 457, 465, 476, 481, 487, 490, 495, +- 499, 506, 509, 515, 522, 525, 528, 534, 537, 540, +- 546, 549, 552, 560, 564, 567, 570, 573, 576, 579, +- 582, 585, 588, 592, 598, 601, 604, 607, 610, 613, +- 616, 619, 622, 625, 628, 631, 634, 637, 640, 643, +- 646, 649, 652, 655, 658, 661, 664, 671, 674, 677, +- 680, 683, 687, 690, 694, 712, 716, 720, 723, 735, +- 740, 741, 742, 743, 746, 749, 754, 759, 762, 767, +- 770, 775, 779, 782, 787, 790, 795, 798, 803, 806, +- 809, 812, 815, 818, 826, 832, 835, 838, 841, 844, +- 847, 850, 853, 856, 859, 862, 865, 868, 871, 874, +- 877, 880, 883, 889, 892, 895, 900, 903, 906, 909, +- 913, 918, 922, 926, 930, 934, 942, 948, 951 ++ 424, 441, 445, 449, 455, 466, 471, 477, 480, 485, ++ 489, 496, 499, 505, 512, 515, 518, 524, 527, 530, ++ 536, 539, 542, 550, 554, 557, 560, 563, 566, 569, ++ 572, 575, 578, 582, 588, 591, 594, 597, 600, 603, ++ 606, 609, 612, 615, 618, 621, 624, 627, 630, 633, ++ 636, 639, 642, 645, 648, 651, 654, 661, 664, 667, ++ 670, 673, 677, 680, 684, 702, 706, 710, 713, 725, ++ 730, 731, 732, 733, 736, 739, 744, 749, 752, 757, ++ 760, 765, 769, 772, 777, 780, 785, 788, 793, 796, ++ 799, 802, 805, 808, 816, 822, 825, 828, 831, 834, ++ 837, 840, 843, 846, 849, 852, 855, 858, 861, 864, ++ 867, 870, 873, 879, 882, 885, 890, 893, 896, 899, ++ 903, 908, 912, 916, 920, 924, 932, 938, 941 + }; + #endif + +@@ -2841,42 +2841,32 @@ YYLTYPE yylloc = yyloc_default; + case 41: /* ImportWhat: "import" ImportFrom "as" BINDING */ + #line 441 "src/parser.y" + { +- jv v = block_const((yyvsp[-2].blk)); +- // XXX Make gen_import take only blocks and the int is_data so we +- // don't have to free so much stuff here +- (yyval.blk) = gen_import(jv_string_value(v), jv_string_value((yyvsp[0].literal)), 1); ++ (yyval.blk) = gen_import(block_const((yyvsp[-2].blk)), (yyvsp[0].literal), 1); + block_free((yyvsp[-2].blk)); +- jv_free((yyvsp[0].literal)); +- jv_free(v); + } +-#line 2853 "src/parser.c" ++#line 2848 "src/parser.c" + break; + + case 42: /* ImportWhat: "import" ImportFrom "as" IDENT */ +-#line 450 "src/parser.y" ++#line 445 "src/parser.y" + { +- jv v = block_const((yyvsp[-2].blk)); +- (yyval.blk) = gen_import(jv_string_value(v), jv_string_value((yyvsp[0].literal)), 0); ++ (yyval.blk) = gen_import(block_const((yyvsp[-2].blk)), (yyvsp[0].literal), 0); + block_free((yyvsp[-2].blk)); +- jv_free((yyvsp[0].literal)); +- jv_free(v); + } +-#line 2865 "src/parser.c" ++#line 2857 "src/parser.c" + break; + + case 43: /* ImportWhat: "include" ImportFrom */ +-#line 457 "src/parser.y" ++#line 449 "src/parser.y" + { +- jv v = block_const((yyvsp[0].blk)); +- (yyval.blk) = gen_import(jv_string_value(v), NULL, 0); ++ (yyval.blk) = gen_import(block_const((yyvsp[0].blk)), jv_invalid(), 0); + block_free((yyvsp[0].blk)); +- jv_free(v); + } +-#line 2876 "src/parser.c" ++#line 2866 "src/parser.c" + break; + + case 44: /* ImportFrom: String */ +-#line 465 "src/parser.y" ++#line 455 "src/parser.y" + { + if (!block_is_const((yyvsp[0].blk))) { + FAIL((yylsp[0]), "Import path must be constant"); +@@ -2886,152 +2876,152 @@ YYLTYPE yylloc = yyloc_default; + (yyval.blk) = (yyvsp[0].blk); + } + } +-#line 2890 "src/parser.c" ++#line 2880 "src/parser.c" + break; + + case 45: /* FuncDef: "def" IDENT ':' Query ';' */ +-#line 476 "src/parser.y" ++#line 466 "src/parser.y" + { + (yyval.blk) = gen_function(jv_string_value((yyvsp[-3].literal)), gen_noop(), (yyvsp[-1].blk)); + jv_free((yyvsp[-3].literal)); + } +-#line 2899 "src/parser.c" ++#line 2889 "src/parser.c" + break; + + case 46: /* FuncDef: "def" IDENT '(' Params ')' ':' Query ';' */ +-#line 481 "src/parser.y" ++#line 471 "src/parser.y" + { + (yyval.blk) = gen_function(jv_string_value((yyvsp[-6].literal)), (yyvsp[-4].blk), (yyvsp[-1].blk)); + jv_free((yyvsp[-6].literal)); + } +-#line 2908 "src/parser.c" ++#line 2898 "src/parser.c" + break; + + case 47: /* Params: Param */ +-#line 487 "src/parser.y" ++#line 477 "src/parser.y" + { + (yyval.blk) = (yyvsp[0].blk); + } +-#line 2916 "src/parser.c" ++#line 2906 "src/parser.c" + break; + + case 48: /* Params: Params ';' Param */ +-#line 490 "src/parser.y" ++#line 480 "src/parser.y" + { + (yyval.blk) = BLOCK((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 2924 "src/parser.c" ++#line 2914 "src/parser.c" + break; + + case 49: /* Param: BINDING */ +-#line 495 "src/parser.y" ++#line 485 "src/parser.y" + { + (yyval.blk) = gen_param_regular(jv_string_value((yyvsp[0].literal))); + jv_free((yyvsp[0].literal)); + } +-#line 2933 "src/parser.c" ++#line 2923 "src/parser.c" + break; + + case 50: /* Param: IDENT */ +-#line 499 "src/parser.y" ++#line 489 "src/parser.y" + { + (yyval.blk) = gen_param(jv_string_value((yyvsp[0].literal))); + jv_free((yyvsp[0].literal)); + } +-#line 2942 "src/parser.c" ++#line 2932 "src/parser.c" + break; + + case 51: /* StringStart: FORMAT QQSTRING_START */ +-#line 506 "src/parser.y" ++#line 496 "src/parser.y" + { + (yyval.literal) = (yyvsp[-1].literal); + } +-#line 2950 "src/parser.c" ++#line 2940 "src/parser.c" + break; + + case 52: /* StringStart: QQSTRING_START */ +-#line 509 "src/parser.y" ++#line 499 "src/parser.y" + { + (yyval.literal) = jv_string("text"); + } +-#line 2958 "src/parser.c" ++#line 2948 "src/parser.c" + break; + + case 53: /* String: StringStart QQString QQSTRING_END */ +-#line 515 "src/parser.y" ++#line 505 "src/parser.y" + { + (yyval.blk) = (yyvsp[-1].blk); + jv_free((yyvsp[-2].literal)); + } +-#line 2967 "src/parser.c" ++#line 2957 "src/parser.c" + break; + + case 54: /* QQString: %empty */ +-#line 522 "src/parser.y" ++#line 512 "src/parser.y" + { + (yyval.blk) = gen_const(jv_string("")); + } +-#line 2975 "src/parser.c" ++#line 2965 "src/parser.c" + break; + + case 55: /* QQString: QQString QQSTRING_TEXT */ +-#line 525 "src/parser.y" ++#line 515 "src/parser.y" + { + (yyval.blk) = gen_binop((yyvsp[-1].blk), gen_const((yyvsp[0].literal)), '+'); + } +-#line 2983 "src/parser.c" ++#line 2973 "src/parser.c" + break; + + case 56: /* QQString: QQString QQSTRING_INTERP_START Query QQSTRING_INTERP_END */ +-#line 528 "src/parser.y" ++#line 518 "src/parser.y" + { + (yyval.blk) = gen_binop((yyvsp[-3].blk), gen_format((yyvsp[-1].blk), jv_copy((yyvsp[-4].literal))), '+'); + } +-#line 2991 "src/parser.c" ++#line 2981 "src/parser.c" + break; + + case 57: /* ElseBody: "elif" Query "then" Query ElseBody */ +-#line 534 "src/parser.y" ++#line 524 "src/parser.y" + { + (yyval.blk) = gen_cond((yyvsp[-3].blk), (yyvsp[-1].blk), (yyvsp[0].blk)); + } +-#line 2999 "src/parser.c" ++#line 2989 "src/parser.c" + break; + + case 58: /* ElseBody: "else" Query "end" */ +-#line 537 "src/parser.y" ++#line 527 "src/parser.y" + { + (yyval.blk) = (yyvsp[-1].blk); + } +-#line 3007 "src/parser.c" ++#line 2997 "src/parser.c" + break; + + case 59: /* ElseBody: "end" */ +-#line 540 "src/parser.y" ++#line 530 "src/parser.y" + { + (yyval.blk) = gen_noop(); + } +-#line 3015 "src/parser.c" ++#line 3005 "src/parser.c" + break; + + case 60: /* Term: '.' */ +-#line 546 "src/parser.y" ++#line 536 "src/parser.y" + { + (yyval.blk) = gen_noop(); + } +-#line 3023 "src/parser.c" ++#line 3013 "src/parser.c" + break; + + case 61: /* Term: ".." */ +-#line 549 "src/parser.y" ++#line 539 "src/parser.y" + { + (yyval.blk) = gen_call("recurse", gen_noop()); + } +-#line 3031 "src/parser.c" ++#line 3021 "src/parser.c" + break; + + case 62: /* Term: "break" BINDING */ +-#line 552 "src/parser.y" ++#line 542 "src/parser.y" + { + jv v = jv_string_fmt("*label-%s", jv_string_value((yyvsp[0].literal))); // impossible symbol + (yyval.blk) = gen_location((yyloc), locations, +@@ -3040,279 +3030,279 @@ YYLTYPE yylloc = yyloc_default; + jv_free(v); + jv_free((yyvsp[0].literal)); + } +-#line 3044 "src/parser.c" ++#line 3034 "src/parser.c" + break; + + case 63: /* Term: "break" error */ +-#line 560 "src/parser.y" ++#line 550 "src/parser.y" + { + FAIL((yyloc), "break requires a label to break to"); + (yyval.blk) = gen_noop(); + } +-#line 3053 "src/parser.c" ++#line 3043 "src/parser.c" + break; + + case 64: /* Term: Term FIELD '?' */ +-#line 564 "src/parser.y" ++#line 554 "src/parser.y" + { + (yyval.blk) = gen_index_opt((yyvsp[-2].blk), gen_const((yyvsp[-1].literal))); + } +-#line 3061 "src/parser.c" ++#line 3051 "src/parser.c" + break; + + case 65: /* Term: FIELD '?' */ +-#line 567 "src/parser.y" ++#line 557 "src/parser.y" + { + (yyval.blk) = gen_index_opt(gen_noop(), gen_const((yyvsp[-1].literal))); + } +-#line 3069 "src/parser.c" ++#line 3059 "src/parser.c" + break; + + case 66: /* Term: Term '.' String '?' */ +-#line 570 "src/parser.y" ++#line 560 "src/parser.y" + { + (yyval.blk) = gen_index_opt((yyvsp[-3].blk), (yyvsp[-1].blk)); + } +-#line 3077 "src/parser.c" ++#line 3067 "src/parser.c" + break; + + case 67: /* Term: '.' String '?' */ +-#line 573 "src/parser.y" ++#line 563 "src/parser.y" + { + (yyval.blk) = gen_index_opt(gen_noop(), (yyvsp[-1].blk)); + } +-#line 3085 "src/parser.c" ++#line 3075 "src/parser.c" + break; + + case 68: /* Term: Term FIELD */ +-#line 576 "src/parser.y" ++#line 566 "src/parser.y" + { + (yyval.blk) = gen_index((yyvsp[-1].blk), gen_const((yyvsp[0].literal))); + } +-#line 3093 "src/parser.c" ++#line 3083 "src/parser.c" + break; + + case 69: /* Term: FIELD */ +-#line 579 "src/parser.y" ++#line 569 "src/parser.y" + { + (yyval.blk) = gen_index(gen_noop(), gen_const((yyvsp[0].literal))); + } +-#line 3101 "src/parser.c" ++#line 3091 "src/parser.c" + break; + + case 70: /* Term: Term '.' String */ +-#line 582 "src/parser.y" ++#line 572 "src/parser.y" + { + (yyval.blk) = gen_index((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 3109 "src/parser.c" ++#line 3099 "src/parser.c" + break; + + case 71: /* Term: '.' String */ +-#line 585 "src/parser.y" ++#line 575 "src/parser.y" + { + (yyval.blk) = gen_index(gen_noop(), (yyvsp[0].blk)); + } +-#line 3117 "src/parser.c" ++#line 3107 "src/parser.c" + break; + + case 72: /* Term: '.' error */ +-#line 588 "src/parser.y" ++#line 578 "src/parser.y" + { + FAIL((yyloc), "try .[\"field\"] instead of .field for unusually named fields"); + (yyval.blk) = gen_noop(); + } +-#line 3126 "src/parser.c" ++#line 3116 "src/parser.c" + break; + + case 73: /* Term: '.' IDENT error */ +-#line 592 "src/parser.y" ++#line 582 "src/parser.y" + { + jv_free((yyvsp[-1].literal)); + FAIL((yyloc), "try .[\"field\"] instead of .field for unusually named fields"); + (yyval.blk) = gen_noop(); + } +-#line 3136 "src/parser.c" ++#line 3126 "src/parser.c" + break; + + case 74: /* Term: Term '[' Query ']' '?' */ +-#line 598 "src/parser.y" ++#line 588 "src/parser.y" + { + (yyval.blk) = gen_index_opt((yyvsp[-4].blk), (yyvsp[-2].blk)); + } +-#line 3144 "src/parser.c" ++#line 3134 "src/parser.c" + break; + + case 75: /* Term: Term '[' Query ']' */ +-#line 601 "src/parser.y" ++#line 591 "src/parser.y" + { + (yyval.blk) = gen_index((yyvsp[-3].blk), (yyvsp[-1].blk)); + } +-#line 3152 "src/parser.c" ++#line 3142 "src/parser.c" + break; + + case 76: /* Term: Term '.' '[' Query ']' '?' */ +-#line 604 "src/parser.y" ++#line 594 "src/parser.y" + { + (yyval.blk) = gen_index_opt((yyvsp[-5].blk), (yyvsp[-2].blk)); + } +-#line 3160 "src/parser.c" ++#line 3150 "src/parser.c" + break; + + case 77: /* Term: Term '.' '[' Query ']' */ +-#line 607 "src/parser.y" ++#line 597 "src/parser.y" + { + (yyval.blk) = gen_index((yyvsp[-4].blk), (yyvsp[-1].blk)); + } +-#line 3168 "src/parser.c" ++#line 3158 "src/parser.c" + break; + + case 78: /* Term: Term '[' ']' '?' */ +-#line 610 "src/parser.y" ++#line 600 "src/parser.y" + { + (yyval.blk) = block_join((yyvsp[-3].blk), gen_op_simple(EACH_OPT)); + } +-#line 3176 "src/parser.c" ++#line 3166 "src/parser.c" + break; + + case 79: /* Term: Term '[' ']' */ +-#line 613 "src/parser.y" ++#line 603 "src/parser.y" + { + (yyval.blk) = block_join((yyvsp[-2].blk), gen_op_simple(EACH)); + } +-#line 3184 "src/parser.c" ++#line 3174 "src/parser.c" + break; + + case 80: /* Term: Term '.' '[' ']' '?' */ +-#line 616 "src/parser.y" ++#line 606 "src/parser.y" + { + (yyval.blk) = block_join((yyvsp[-4].blk), gen_op_simple(EACH_OPT)); + } +-#line 3192 "src/parser.c" ++#line 3182 "src/parser.c" + break; + + case 81: /* Term: Term '.' '[' ']' */ +-#line 619 "src/parser.y" ++#line 609 "src/parser.y" + { + (yyval.blk) = block_join((yyvsp[-3].blk), gen_op_simple(EACH)); + } +-#line 3200 "src/parser.c" ++#line 3190 "src/parser.c" + break; + + case 82: /* Term: Term '[' Query ':' Query ']' '?' */ +-#line 622 "src/parser.y" ++#line 612 "src/parser.y" + { + (yyval.blk) = gen_slice_index((yyvsp[-6].blk), (yyvsp[-4].blk), (yyvsp[-2].blk), INDEX_OPT); + } +-#line 3208 "src/parser.c" ++#line 3198 "src/parser.c" + break; + + case 83: /* Term: Term '[' Query ':' ']' '?' */ +-#line 625 "src/parser.y" ++#line 615 "src/parser.y" + { + (yyval.blk) = gen_slice_index((yyvsp[-5].blk), (yyvsp[-3].blk), gen_const(jv_null()), INDEX_OPT); + } +-#line 3216 "src/parser.c" ++#line 3206 "src/parser.c" + break; + + case 84: /* Term: Term '[' ':' Query ']' '?' */ +-#line 628 "src/parser.y" ++#line 618 "src/parser.y" + { + (yyval.blk) = gen_slice_index((yyvsp[-5].blk), gen_const(jv_null()), (yyvsp[-2].blk), INDEX_OPT); + } +-#line 3224 "src/parser.c" ++#line 3214 "src/parser.c" + break; + + case 85: /* Term: Term '[' Query ':' Query ']' */ +-#line 631 "src/parser.y" ++#line 621 "src/parser.y" + { + (yyval.blk) = gen_slice_index((yyvsp[-5].blk), (yyvsp[-3].blk), (yyvsp[-1].blk), INDEX); + } +-#line 3232 "src/parser.c" ++#line 3222 "src/parser.c" + break; + + case 86: /* Term: Term '[' Query ':' ']' */ +-#line 634 "src/parser.y" ++#line 624 "src/parser.y" + { + (yyval.blk) = gen_slice_index((yyvsp[-4].blk), (yyvsp[-2].blk), gen_const(jv_null()), INDEX); + } +-#line 3240 "src/parser.c" ++#line 3230 "src/parser.c" + break; + + case 87: /* Term: Term '[' ':' Query ']' */ +-#line 637 "src/parser.y" ++#line 627 "src/parser.y" + { + (yyval.blk) = gen_slice_index((yyvsp[-4].blk), gen_const(jv_null()), (yyvsp[-1].blk), INDEX); + } +-#line 3248 "src/parser.c" ++#line 3238 "src/parser.c" + break; + + case 88: /* Term: Term '?' */ +-#line 640 "src/parser.y" ++#line 630 "src/parser.y" + { + (yyval.blk) = gen_try((yyvsp[-1].blk), gen_op_simple(BACKTRACK)); + } +-#line 3256 "src/parser.c" ++#line 3246 "src/parser.c" + break; + + case 89: /* Term: LITERAL */ +-#line 643 "src/parser.y" ++#line 633 "src/parser.y" + { + (yyval.blk) = gen_const((yyvsp[0].literal)); + } +-#line 3264 "src/parser.c" ++#line 3254 "src/parser.c" + break; + + case 90: /* Term: String */ +-#line 646 "src/parser.y" ++#line 636 "src/parser.y" + { + (yyval.blk) = (yyvsp[0].blk); + } +-#line 3272 "src/parser.c" ++#line 3262 "src/parser.c" + break; + + case 91: /* Term: FORMAT */ +-#line 649 "src/parser.y" ++#line 639 "src/parser.y" + { + (yyval.blk) = gen_format(gen_noop(), (yyvsp[0].literal)); + } +-#line 3280 "src/parser.c" ++#line 3270 "src/parser.c" + break; + + case 92: /* Term: '-' Term */ +-#line 652 "src/parser.y" ++#line 642 "src/parser.y" + { + (yyval.blk) = BLOCK((yyvsp[0].blk), gen_call("_negate", gen_noop())); + } +-#line 3288 "src/parser.c" ++#line 3278 "src/parser.c" + break; + + case 93: /* Term: '(' Query ')' */ +-#line 655 "src/parser.y" ++#line 645 "src/parser.y" + { + (yyval.blk) = (yyvsp[-1].blk); + } +-#line 3296 "src/parser.c" ++#line 3286 "src/parser.c" + break; + + case 94: /* Term: '[' Query ']' */ +-#line 658 "src/parser.y" ++#line 648 "src/parser.y" + { + (yyval.blk) = gen_collect((yyvsp[-1].blk)); + } +-#line 3304 "src/parser.c" ++#line 3294 "src/parser.c" + break; + + case 95: /* Term: '[' ']' */ +-#line 661 "src/parser.y" ++#line 651 "src/parser.y" + { + (yyval.blk) = gen_const(jv_array()); + } +-#line 3312 "src/parser.c" ++#line 3302 "src/parser.c" + break; + + case 96: /* Term: '{' DictPairs '}' */ +-#line 664 "src/parser.y" ++#line 654 "src/parser.y" + { + block o = gen_const_object((yyvsp[-1].blk)); + if (o.first != NULL) +@@ -3320,103 +3310,103 @@ YYLTYPE yylloc = yyloc_default; + else + (yyval.blk) = BLOCK(gen_subexp(gen_const(jv_object())), (yyvsp[-1].blk), gen_op_simple(POP)); + } +-#line 3324 "src/parser.c" ++#line 3314 "src/parser.c" + break; + + case 97: /* Term: "reduce" Expr "as" Patterns '(' Query ';' Query ')' */ +-#line 671 "src/parser.y" ++#line 661 "src/parser.y" + { + (yyval.blk) = gen_reduce((yyvsp[-7].blk), (yyvsp[-5].blk), (yyvsp[-3].blk), (yyvsp[-1].blk)); + } +-#line 3332 "src/parser.c" ++#line 3322 "src/parser.c" + break; + + case 98: /* Term: "foreach" Expr "as" Patterns '(' Query ';' Query ';' Query ')' */ +-#line 674 "src/parser.y" ++#line 664 "src/parser.y" + { + (yyval.blk) = gen_foreach((yyvsp[-9].blk), (yyvsp[-7].blk), (yyvsp[-5].blk), (yyvsp[-3].blk), (yyvsp[-1].blk)); + } +-#line 3340 "src/parser.c" ++#line 3330 "src/parser.c" + break; + + case 99: /* Term: "foreach" Expr "as" Patterns '(' Query ';' Query ')' */ +-#line 677 "src/parser.y" ++#line 667 "src/parser.y" + { + (yyval.blk) = gen_foreach((yyvsp[-7].blk), (yyvsp[-5].blk), (yyvsp[-3].blk), (yyvsp[-1].blk), gen_noop()); + } +-#line 3348 "src/parser.c" ++#line 3338 "src/parser.c" + break; + + case 100: /* Term: "if" Query "then" Query ElseBody */ +-#line 680 "src/parser.y" ++#line 670 "src/parser.y" + { + (yyval.blk) = gen_cond((yyvsp[-3].blk), (yyvsp[-1].blk), (yyvsp[0].blk)); + } +-#line 3356 "src/parser.c" ++#line 3346 "src/parser.c" + break; + + case 101: /* Term: "if" Query "then" error */ +-#line 683 "src/parser.y" ++#line 673 "src/parser.y" + { + FAIL((yyloc), "Possibly unterminated 'if' statement"); + (yyval.blk) = (yyvsp[-2].blk); + } +-#line 3365 "src/parser.c" ++#line 3355 "src/parser.c" + break; + + case 102: /* Term: "try" Expr "catch" Expr */ +-#line 687 "src/parser.y" ++#line 677 "src/parser.y" + { + (yyval.blk) = gen_try((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 3373 "src/parser.c" ++#line 3363 "src/parser.c" + break; + + case 103: /* Term: "try" Expr "catch" error */ +-#line 690 "src/parser.y" ++#line 680 "src/parser.y" + { + FAIL((yyloc), "Possibly unterminated 'try' statement"); + (yyval.blk) = (yyvsp[-2].blk); + } +-#line 3382 "src/parser.c" ++#line 3372 "src/parser.c" + break; + + case 104: /* Term: "try" Expr */ +-#line 694 "src/parser.y" ++#line 684 "src/parser.y" + { + (yyval.blk) = gen_try((yyvsp[0].blk), gen_op_simple(BACKTRACK)); + } +-#line 3390 "src/parser.c" ++#line 3380 "src/parser.c" + break; + + case 105: /* Term: '$' '$' '$' BINDING */ +-#line 712 "src/parser.y" ++#line 702 "src/parser.y" + { + (yyval.blk) = gen_location((yyloc), locations, gen_op_unbound(LOADVN, jv_string_value((yyvsp[0].literal)))); + jv_free((yyvsp[0].literal)); + } +-#line 3399 "src/parser.c" ++#line 3389 "src/parser.c" + break; + + case 106: /* Term: BINDING */ +-#line 716 "src/parser.y" ++#line 706 "src/parser.y" + { + (yyval.blk) = gen_location((yyloc), locations, gen_op_unbound(LOADV, jv_string_value((yyvsp[0].literal)))); + jv_free((yyvsp[0].literal)); + } +-#line 3408 "src/parser.c" ++#line 3398 "src/parser.c" + break; + + case 107: /* Term: "$__loc__" */ +-#line 720 "src/parser.y" ++#line 710 "src/parser.y" + { + (yyval.blk) = gen_loc_object(&(yyloc), locations); + } +-#line 3416 "src/parser.c" ++#line 3406 "src/parser.c" + break; + + case 108: /* Term: IDENT */ +-#line 723 "src/parser.y" ++#line 713 "src/parser.y" + { + const char *s = jv_string_value((yyvsp[0].literal)); + if (strcmp(s, "false") == 0) +@@ -3429,198 +3419,198 @@ YYLTYPE yylloc = yyloc_default; + (yyval.blk) = gen_location((yyloc), locations, gen_call(s, gen_noop())); + jv_free((yyvsp[0].literal)); + } +-#line 3433 "src/parser.c" ++#line 3423 "src/parser.c" + break; + + case 109: /* Term: IDENT '(' Args ')' */ +-#line 735 "src/parser.y" ++#line 725 "src/parser.y" + { + (yyval.blk) = gen_call(jv_string_value((yyvsp[-3].literal)), (yyvsp[-1].blk)); + (yyval.blk) = gen_location((yylsp[-3]), locations, (yyval.blk)); + jv_free((yyvsp[-3].literal)); + } +-#line 3443 "src/parser.c" ++#line 3433 "src/parser.c" + break; + + case 110: /* Term: '(' error ')' */ +-#line 740 "src/parser.y" ++#line 730 "src/parser.y" + { (yyval.blk) = gen_noop(); } +-#line 3449 "src/parser.c" ++#line 3439 "src/parser.c" + break; + + case 111: /* Term: '[' error ']' */ +-#line 741 "src/parser.y" ++#line 731 "src/parser.y" + { (yyval.blk) = gen_noop(); } +-#line 3455 "src/parser.c" ++#line 3445 "src/parser.c" + break; + + case 112: /* Term: Term '[' error ']' */ +-#line 742 "src/parser.y" ++#line 732 "src/parser.y" + { (yyval.blk) = (yyvsp[-3].blk); } +-#line 3461 "src/parser.c" ++#line 3451 "src/parser.c" + break; + + case 113: /* Term: '{' error '}' */ +-#line 743 "src/parser.y" ++#line 733 "src/parser.y" + { (yyval.blk) = gen_noop(); } +-#line 3467 "src/parser.c" ++#line 3457 "src/parser.c" + break; + + case 114: /* Args: Arg */ +-#line 746 "src/parser.y" ++#line 736 "src/parser.y" + { + (yyval.blk) = (yyvsp[0].blk); + } +-#line 3475 "src/parser.c" ++#line 3465 "src/parser.c" + break; + + case 115: /* Args: Args ';' Arg */ +-#line 749 "src/parser.y" ++#line 739 "src/parser.y" + { + (yyval.blk) = BLOCK((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 3483 "src/parser.c" ++#line 3473 "src/parser.c" + break; + + case 116: /* Arg: Query */ +-#line 754 "src/parser.y" ++#line 744 "src/parser.y" + { + (yyval.blk) = gen_lambda((yyvsp[0].blk)); + } +-#line 3491 "src/parser.c" ++#line 3481 "src/parser.c" + break; + + case 117: /* RepPatterns: RepPatterns "?//" Pattern */ +-#line 759 "src/parser.y" ++#line 749 "src/parser.y" + { + (yyval.blk) = BLOCK((yyvsp[-2].blk), gen_destructure_alt((yyvsp[0].blk))); + } +-#line 3499 "src/parser.c" ++#line 3489 "src/parser.c" + break; + + case 118: /* RepPatterns: Pattern */ +-#line 762 "src/parser.y" ++#line 752 "src/parser.y" + { + (yyval.blk) = gen_destructure_alt((yyvsp[0].blk)); + } +-#line 3507 "src/parser.c" ++#line 3497 "src/parser.c" + break; + + case 119: /* Patterns: RepPatterns "?//" Pattern */ +-#line 767 "src/parser.y" ++#line 757 "src/parser.y" + { + (yyval.blk) = BLOCK((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 3515 "src/parser.c" ++#line 3505 "src/parser.c" + break; + + case 120: /* Patterns: Pattern */ +-#line 770 "src/parser.y" ++#line 760 "src/parser.y" + { + (yyval.blk) = (yyvsp[0].blk); + } +-#line 3523 "src/parser.c" ++#line 3513 "src/parser.c" + break; + + case 121: /* Pattern: BINDING */ +-#line 775 "src/parser.y" ++#line 765 "src/parser.y" + { + (yyval.blk) = gen_op_unbound(STOREV, jv_string_value((yyvsp[0].literal))); + jv_free((yyvsp[0].literal)); + } +-#line 3532 "src/parser.c" ++#line 3522 "src/parser.c" + break; + + case 122: /* Pattern: '[' ArrayPats ']' */ +-#line 779 "src/parser.y" ++#line 769 "src/parser.y" + { + (yyval.blk) = BLOCK((yyvsp[-1].blk), gen_op_simple(POP)); + } +-#line 3540 "src/parser.c" ++#line 3530 "src/parser.c" + break; + + case 123: /* Pattern: '{' ObjPats '}' */ +-#line 782 "src/parser.y" ++#line 772 "src/parser.y" + { + (yyval.blk) = BLOCK((yyvsp[-1].blk), gen_op_simple(POP)); + } +-#line 3548 "src/parser.c" ++#line 3538 "src/parser.c" + break; + + case 124: /* ArrayPats: Pattern */ +-#line 787 "src/parser.y" ++#line 777 "src/parser.y" + { + (yyval.blk) = gen_array_matcher(gen_noop(), (yyvsp[0].blk)); + } +-#line 3556 "src/parser.c" ++#line 3546 "src/parser.c" + break; + + case 125: /* ArrayPats: ArrayPats ',' Pattern */ +-#line 790 "src/parser.y" ++#line 780 "src/parser.y" + { + (yyval.blk) = gen_array_matcher((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 3564 "src/parser.c" ++#line 3554 "src/parser.c" + break; + + case 126: /* ObjPats: ObjPat */ +-#line 795 "src/parser.y" ++#line 785 "src/parser.y" + { + (yyval.blk) = (yyvsp[0].blk); + } +-#line 3572 "src/parser.c" ++#line 3562 "src/parser.c" + break; + + case 127: /* ObjPats: ObjPats ',' ObjPat */ +-#line 798 "src/parser.y" ++#line 788 "src/parser.y" + { + (yyval.blk) = BLOCK((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 3580 "src/parser.c" ++#line 3570 "src/parser.c" + break; + + case 128: /* ObjPat: BINDING */ +-#line 803 "src/parser.y" ++#line 793 "src/parser.y" + { + (yyval.blk) = gen_object_matcher(gen_const((yyvsp[0].literal)), gen_op_unbound(STOREV, jv_string_value((yyvsp[0].literal)))); + } +-#line 3588 "src/parser.c" ++#line 3578 "src/parser.c" + break; + + case 129: /* ObjPat: BINDING ':' Pattern */ +-#line 806 "src/parser.y" ++#line 796 "src/parser.y" + { + (yyval.blk) = gen_object_matcher(gen_const((yyvsp[-2].literal)), BLOCK(gen_op_simple(DUP), gen_op_unbound(STOREV, jv_string_value((yyvsp[-2].literal))), (yyvsp[0].blk))); + } +-#line 3596 "src/parser.c" ++#line 3586 "src/parser.c" + break; + + case 130: /* ObjPat: IDENT ':' Pattern */ +-#line 809 "src/parser.y" ++#line 799 "src/parser.y" + { + (yyval.blk) = gen_object_matcher(gen_const((yyvsp[-2].literal)), (yyvsp[0].blk)); + } +-#line 3604 "src/parser.c" ++#line 3594 "src/parser.c" + break; + + case 131: /* ObjPat: Keyword ':' Pattern */ +-#line 812 "src/parser.y" ++#line 802 "src/parser.y" + { + (yyval.blk) = gen_object_matcher(gen_const((yyvsp[-2].literal)), (yyvsp[0].blk)); + } +-#line 3612 "src/parser.c" ++#line 3602 "src/parser.c" + break; + + case 132: /* ObjPat: String ':' Pattern */ +-#line 815 "src/parser.y" ++#line 805 "src/parser.y" + { + (yyval.blk) = gen_object_matcher((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 3620 "src/parser.c" ++#line 3610 "src/parser.c" + break; + + case 133: /* ObjPat: '(' Query ')' ':' Pattern */ +-#line 818 "src/parser.y" ++#line 808 "src/parser.y" + { + jv msg = check_object_key((yyvsp[-3].blk)); + if (jv_is_valid(msg)) { +@@ -3629,267 +3619,267 @@ YYLTYPE yylloc = yyloc_default; + jv_free(msg); + (yyval.blk) = gen_object_matcher((yyvsp[-3].blk), (yyvsp[0].blk)); + } +-#line 3633 "src/parser.c" ++#line 3623 "src/parser.c" + break; + + case 134: /* ObjPat: error ':' Pattern */ +-#line 826 "src/parser.y" ++#line 816 "src/parser.y" + { + FAIL((yyloc), "May need parentheses around object key expression"); + (yyval.blk) = (yyvsp[0].blk); + } +-#line 3642 "src/parser.c" ++#line 3632 "src/parser.c" + break; + + case 135: /* Keyword: "as" */ +-#line 832 "src/parser.y" ++#line 822 "src/parser.y" + { + (yyval.literal) = jv_string("as"); + } +-#line 3650 "src/parser.c" ++#line 3640 "src/parser.c" + break; + + case 136: /* Keyword: "def" */ +-#line 835 "src/parser.y" ++#line 825 "src/parser.y" + { + (yyval.literal) = jv_string("def"); + } +-#line 3658 "src/parser.c" ++#line 3648 "src/parser.c" + break; + + case 137: /* Keyword: "module" */ +-#line 838 "src/parser.y" ++#line 828 "src/parser.y" + { + (yyval.literal) = jv_string("module"); + } +-#line 3666 "src/parser.c" ++#line 3656 "src/parser.c" + break; + + case 138: /* Keyword: "import" */ +-#line 841 "src/parser.y" ++#line 831 "src/parser.y" + { + (yyval.literal) = jv_string("import"); + } +-#line 3674 "src/parser.c" ++#line 3664 "src/parser.c" + break; + + case 139: /* Keyword: "include" */ +-#line 844 "src/parser.y" ++#line 834 "src/parser.y" + { + (yyval.literal) = jv_string("include"); + } +-#line 3682 "src/parser.c" ++#line 3672 "src/parser.c" + break; + + case 140: /* Keyword: "if" */ +-#line 847 "src/parser.y" ++#line 837 "src/parser.y" + { + (yyval.literal) = jv_string("if"); + } +-#line 3690 "src/parser.c" ++#line 3680 "src/parser.c" + break; + + case 141: /* Keyword: "then" */ +-#line 850 "src/parser.y" ++#line 840 "src/parser.y" + { + (yyval.literal) = jv_string("then"); + } +-#line 3698 "src/parser.c" ++#line 3688 "src/parser.c" + break; + + case 142: /* Keyword: "else" */ +-#line 853 "src/parser.y" ++#line 843 "src/parser.y" + { + (yyval.literal) = jv_string("else"); + } +-#line 3706 "src/parser.c" ++#line 3696 "src/parser.c" + break; + + case 143: /* Keyword: "elif" */ +-#line 856 "src/parser.y" ++#line 846 "src/parser.y" + { + (yyval.literal) = jv_string("elif"); + } +-#line 3714 "src/parser.c" ++#line 3704 "src/parser.c" + break; + + case 144: /* Keyword: "reduce" */ +-#line 859 "src/parser.y" ++#line 849 "src/parser.y" + { + (yyval.literal) = jv_string("reduce"); + } +-#line 3722 "src/parser.c" ++#line 3712 "src/parser.c" + break; + + case 145: /* Keyword: "foreach" */ +-#line 862 "src/parser.y" ++#line 852 "src/parser.y" + { + (yyval.literal) = jv_string("foreach"); + } +-#line 3730 "src/parser.c" ++#line 3720 "src/parser.c" + break; + + case 146: /* Keyword: "end" */ +-#line 865 "src/parser.y" ++#line 855 "src/parser.y" + { + (yyval.literal) = jv_string("end"); + } +-#line 3738 "src/parser.c" ++#line 3728 "src/parser.c" + break; + + case 147: /* Keyword: "and" */ +-#line 868 "src/parser.y" ++#line 858 "src/parser.y" + { + (yyval.literal) = jv_string("and"); + } +-#line 3746 "src/parser.c" ++#line 3736 "src/parser.c" + break; + + case 148: /* Keyword: "or" */ +-#line 871 "src/parser.y" ++#line 861 "src/parser.y" + { + (yyval.literal) = jv_string("or"); + } +-#line 3754 "src/parser.c" ++#line 3744 "src/parser.c" + break; + + case 149: /* Keyword: "try" */ +-#line 874 "src/parser.y" ++#line 864 "src/parser.y" + { + (yyval.literal) = jv_string("try"); + } +-#line 3762 "src/parser.c" ++#line 3752 "src/parser.c" + break; + + case 150: /* Keyword: "catch" */ +-#line 877 "src/parser.y" ++#line 867 "src/parser.y" + { + (yyval.literal) = jv_string("catch"); + } +-#line 3770 "src/parser.c" ++#line 3760 "src/parser.c" + break; + + case 151: /* Keyword: "label" */ +-#line 880 "src/parser.y" ++#line 870 "src/parser.y" + { + (yyval.literal) = jv_string("label"); + } +-#line 3778 "src/parser.c" ++#line 3768 "src/parser.c" + break; + + case 152: /* Keyword: "break" */ +-#line 883 "src/parser.y" ++#line 873 "src/parser.y" + { + (yyval.literal) = jv_string("break"); + } +-#line 3786 "src/parser.c" ++#line 3776 "src/parser.c" + break; + + case 153: /* DictPairs: %empty */ +-#line 889 "src/parser.y" ++#line 879 "src/parser.y" + { + (yyval.blk) = gen_noop(); + } +-#line 3794 "src/parser.c" ++#line 3784 "src/parser.c" + break; + + case 154: /* DictPairs: DictPair */ +-#line 892 "src/parser.y" ++#line 882 "src/parser.y" + { + (yyval.blk) = (yyvsp[0].blk); + } +-#line 3802 "src/parser.c" ++#line 3792 "src/parser.c" + break; + + case 155: /* DictPairs: DictPair ',' DictPairs */ +-#line 895 "src/parser.y" ++#line 885 "src/parser.y" + { + (yyval.blk) = block_join((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 3810 "src/parser.c" ++#line 3800 "src/parser.c" + break; + + case 156: /* DictPair: IDENT ':' DictExpr */ +-#line 900 "src/parser.y" ++#line 890 "src/parser.y" + { + (yyval.blk) = gen_dictpair(gen_const((yyvsp[-2].literal)), (yyvsp[0].blk)); + } +-#line 3818 "src/parser.c" ++#line 3808 "src/parser.c" + break; + + case 157: /* DictPair: Keyword ':' DictExpr */ +-#line 903 "src/parser.y" ++#line 893 "src/parser.y" + { + (yyval.blk) = gen_dictpair(gen_const((yyvsp[-2].literal)), (yyvsp[0].blk)); + } +-#line 3826 "src/parser.c" ++#line 3816 "src/parser.c" + break; + + case 158: /* DictPair: String ':' DictExpr */ +-#line 906 "src/parser.y" ++#line 896 "src/parser.y" + { + (yyval.blk) = gen_dictpair((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 3834 "src/parser.c" ++#line 3824 "src/parser.c" + break; + + case 159: /* DictPair: String */ +-#line 909 "src/parser.y" ++#line 899 "src/parser.y" + { + (yyval.blk) = gen_dictpair((yyvsp[0].blk), BLOCK(gen_op_simple(POP), gen_op_simple(DUP2), + gen_op_simple(DUP2), gen_op_simple(INDEX))); + } +-#line 3843 "src/parser.c" ++#line 3833 "src/parser.c" + break; + + case 160: /* DictPair: BINDING ':' DictExpr */ +-#line 913 "src/parser.y" ++#line 903 "src/parser.y" + { + (yyval.blk) = gen_dictpair(gen_location((yyloc), locations, gen_op_unbound(LOADV, jv_string_value((yyvsp[-2].literal)))), + (yyvsp[0].blk)); + jv_free((yyvsp[-2].literal)); + } +-#line 3853 "src/parser.c" ++#line 3843 "src/parser.c" + break; + + case 161: /* DictPair: BINDING */ +-#line 918 "src/parser.y" ++#line 908 "src/parser.y" + { + (yyval.blk) = gen_dictpair(gen_const((yyvsp[0].literal)), + gen_location((yyloc), locations, gen_op_unbound(LOADV, jv_string_value((yyvsp[0].literal))))); + } +-#line 3862 "src/parser.c" ++#line 3852 "src/parser.c" + break; + + case 162: /* DictPair: IDENT */ +-#line 922 "src/parser.y" ++#line 912 "src/parser.y" + { + (yyval.blk) = gen_dictpair(gen_const(jv_copy((yyvsp[0].literal))), + gen_index(gen_noop(), gen_const((yyvsp[0].literal)))); + } +-#line 3871 "src/parser.c" ++#line 3861 "src/parser.c" + break; + + case 163: /* DictPair: "$__loc__" */ +-#line 926 "src/parser.y" ++#line 916 "src/parser.y" + { + (yyval.blk) = gen_dictpair(gen_const(jv_string("__loc__")), + gen_loc_object(&(yyloc), locations)); + } +-#line 3880 "src/parser.c" ++#line 3870 "src/parser.c" + break; + + case 164: /* DictPair: Keyword */ +-#line 930 "src/parser.y" ++#line 920 "src/parser.y" + { + (yyval.blk) = gen_dictpair(gen_const(jv_copy((yyvsp[0].literal))), + gen_index(gen_noop(), gen_const((yyvsp[0].literal)))); + } +-#line 3889 "src/parser.c" ++#line 3879 "src/parser.c" + break; + + case 165: /* DictPair: '(' Query ')' ':' DictExpr */ +-#line 934 "src/parser.y" ++#line 924 "src/parser.y" + { + jv msg = check_object_key((yyvsp[-3].blk)); + if (jv_is_valid(msg)) { +@@ -3898,36 +3888,36 @@ YYLTYPE yylloc = yyloc_default; + jv_free(msg); + (yyval.blk) = gen_dictpair((yyvsp[-3].blk), (yyvsp[0].blk)); + } +-#line 3902 "src/parser.c" ++#line 3892 "src/parser.c" + break; + + case 166: /* DictPair: error ':' DictExpr */ +-#line 942 "src/parser.y" ++#line 932 "src/parser.y" + { + FAIL((yylsp[-2]), "May need parentheses around object key expression"); + (yyval.blk) = (yyvsp[0].blk); + } +-#line 3911 "src/parser.c" ++#line 3901 "src/parser.c" + break; + + case 167: /* DictExpr: DictExpr '|' DictExpr */ +-#line 948 "src/parser.y" ++#line 938 "src/parser.y" + { + (yyval.blk) = block_join((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 3919 "src/parser.c" ++#line 3909 "src/parser.c" + break; + + case 168: /* DictExpr: Expr */ +-#line 951 "src/parser.y" ++#line 941 "src/parser.y" + { + (yyval.blk) = (yyvsp[0].blk); + } +-#line 3927 "src/parser.c" ++#line 3917 "src/parser.c" + break; + + +-#line 3931 "src/parser.c" ++#line 3921 "src/parser.c" + + default: break; + } +@@ -4156,7 +4146,7 @@ YYLTYPE yylloc = yyloc_default; + return yyresult; + } + +-#line 954 "src/parser.y" ++#line 944 "src/parser.y" + + + int jq_parse(struct locfile* locations, block* answer) { +diff --git a/src/parser.y b/src/parser.y +index 987a4ecaa3..ecd5796561 100644 +--- a/src/parser.y ++++ b/src/parser.y +@@ -439,26 +439,16 @@ ImportWhat Query ';' { + + ImportWhat: + "import" ImportFrom "as" BINDING { +- jv v = block_const($2); +- // XXX Make gen_import take only blocks and the int is_data so we +- // don't have to free so much stuff here +- $$ = gen_import(jv_string_value(v), jv_string_value($4), 1); ++ $$ = gen_import(block_const($2), $4, 1); + block_free($2); +- jv_free($4); +- jv_free(v); + } | + "import" ImportFrom "as" IDENT { +- jv v = block_const($2); +- $$ = gen_import(jv_string_value(v), jv_string_value($4), 0); ++ $$ = gen_import(block_const($2), $4, 0); + block_free($2); +- jv_free($4); +- jv_free(v); + } | + "include" ImportFrom { +- jv v = block_const($2); +- $$ = gen_import(jv_string_value(v), NULL, 0); ++ $$ = gen_import(block_const($2), jv_invalid(), 0); + block_free($2); +- jv_free(v); + } + + ImportFrom: +diff --git a/tests/shtest b/tests/shtest +index 68705df255..fa972de870 100755 +--- a/tests/shtest ++++ b/tests/shtest +@@ -893,4 +893,21 @@ if echo '42' | $JQ -f "$d/nul_prog.jq" >/dev/null 2>/dev/null; then + exit 1 + fi + ++# CVE-2026-43895: No NUL bytes in module/data import paths ++printf 'import "a\\u0000b" as $x; .' > "$d/nul_import.jq" ++if $JQ -nf "$d/nul_import.jq" >/dev/null 2>/dev/null; then ++ printf 'Error expected for import path with NUL bytes\n' 1>&2 ++ exit 1 ++fi ++printf 'include "a\\u0000b"; .' > "$d/nul_include.jq" ++if $JQ -nf "$d/nul_include.jq" >/dev/null 2>/dev/null; then ++ printf 'Error expected for include path with NUL bytes\n' 1>&2 ++ exit 1 ++fi ++printf '"a\\u0000b" | modulemeta' > "$d/nul_modulemeta.jq" ++if $JQ -nf "$d/nul_modulemeta.jq" >/dev/null 2>/dev/null; then ++ printf 'Error expected for modulemeta with NUL bytes\n' 1>&2 ++ exit 1 ++fi ++ + exit 0 diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 0e3e22c65b..c32efc5b88 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb @@ -21,6 +21,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-41256.patch \ file://CVE-2026-41257.patch \ file://CVE-2026-43894.patch \ + file://CVE-2026-43895.patch \ file://CVE-2026-43896.patch \ file://CVE-2026-44777.patch \ file://CVE-2026-49389.patch \