From patchwork Wed Jun 17 05:30:33 2026
X-Patchwork-Submitter: Anton Skorup
X-Patchwork-Id: 90291
From: Anton Skorup
Subject: [meta-oe][PATCHv3 1/8] jq: patch CVE-2026-49839
Date: Wed, 17 Jun 2026 07:30:33 +0200
Message-ID: <20260617053040.990143-1-antonsk@axis.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127628

From: Anton Skorup

CVE details: https://vulert.com/vuln-db/--4743

Signed-off-by: Anton Skorup
---
v3
* Rebased to master-next
v2
* Added patch to stack of jq CVEs
---
 .../jq/jq/CVE-2026-49389.patch | 31 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 32 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch new file mode 100644 index 0000000000..3189158b4a --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch
@@ -0,0 +1,31 @@ +From e987df0d463d85fd70825e042a082427e8275b86 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Mon, 8 Jun 2026 22:14:48 +0900 +Subject: [PATCH] Fix heap-buffer-overflow in raw file loading + +When `jv_string_append_buf` overflows the string length limit, +it returns an invalid `jv`; `jv_load_file` then re-entered it +on the invalid value and overran the heap. Break out of the loop +once the value is invalid. + +Fixes CVE-2026-49839. + +Signed-off-by: Anton Skorup +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/e987df0d463d85fd70825e042a082427e8275b86] +--- + src/jv_file.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/jv_file.c b/src/jv_file.c +index 7706b0e06e..fbc1e4d653 100644 +--- a/src/jv_file.c ++++ b/src/jv_file.c +@@ -57,6 +57,8 @@ jv jv_load_file(const char* filename, int raw) { + + if (raw) { + data = jv_string_append_buf(data, buf, n); ++ if (!jv_is_valid(data)) ++ break; + } else { + jv_parser_set_buf(parser, buf, n, !feof(file)); + jv value; diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 14e77c1bc6..e1791ad099 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb 
@@ -18,6 +18,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-33948.patch \ file://CVE-2026-39979.patch \ file://CVE-2026-47770.patch \ + file://CVE-2026-49389.patch \ file://CVE-2026-49839.patch \ "
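Review bot: The CVE ID is inconsistent in the new-file hunk: the file is created as CVE-2026-49389.patch, while the mail subject and the embedded commit message ("Fixes CVE-2026-49839.") both say CVE-2026-49839, so two digits look transposed in one of them. The embedded header also carries Signed-off-by and Upstream-Status but no "CVE:" tag line; OE's CVE patch tracking reads the ID from the patch filename or from that tag, so as posted the build would record CVE-2026-49389 as patched rather than the CVE the commit names. Settle on one ID for the subject, the filename and the commit message, and add the matching "CVE:" line next to Upstream-Status.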
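Review bot: In the jq_1.8.1.bb hunk the added line "file://CVE-2026-49389.patch \" sits directly above an unchanged context line "file://CVE-2026-49839.patch \", so SRC_URI already carries a patch under the ID this commit says it fixes. The commit message should state how the two relate: if the new file repeats the existing fix it should be dropped, and if it is a different upstream change the filename needs an ID that cannot be mistaken for the existing entry.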
From patchwork Wed Jun 17 05:30:34 2026
X-Patchwork-Submitter: Anton Skorup
X-Patchwork-Id: 90294
From: Anton Skorup
Subject: [meta-oe][PATCHv2 2/8] jq: patch CVE-2026-41256
Date: Wed, 17 Jun 2026 07:30:34 +0200
Message-ID: <20260617053040.990143-2-antonsk@axis.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260617053040.990143-1-antonsk@axis.com>
References: <20260617053040.990143-1-antonsk@axis.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127631

CVE details: https://www.cve.org/CVERecord?id=CVE-2026-41256

Signed-off-by: Anton Skorup
---
v2
* Rebased to master-next
---
 .../jq/jq/CVE-2026-41256.patch | 49 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-41256.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-41256.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-41256.patch new file mode 100644 index 0000000000..738a359e6a --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-41256.patch
@@ -0,0 +1,49 @@ +From 5a015deae35d19e3ebbc65db6c157a80e76df738 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Fri, 24 Apr 2026 22:15:08 +0900 +Subject: [PATCH] Fix NUL truncation in program files loaded with -f + +This fixes CVE-2026-41256. + +Signed-off-by: Anton Skorup +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/5a015deae35d19e3ebbc65db6c157a80e76df738] +--- + src/main.c | 8 ++++++++ + tests/shtest | 7 +++++++ + 2 files changed, 15 insertions(+) + +diff --git a/src/main.c b/src/main.c +index ce362607e2..fb5c7ab8e3 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -612,6 +612,14 @@ int main(int argc, char* argv[]) { + ret = JQ_ERROR_SYSTEM; + goto out; + } ++ int len = jv_string_length_bytes(jv_copy(data)); ++ if ((size_t)len != strlen(jv_string_value(data))) { ++ fprintf(stderr, "jq: program file contains NUL bytes\n"); ++ free(program_origin); ++ jv_free(data); ++ ret = JQ_ERROR_SYSTEM; ++ goto out; ++ } + jq_set_attr(jq, jv_string("PROGRAM_ORIGIN"), jq_realpath(jv_string(dirname(program_origin)))); + ARGS = JV_OBJECT(jv_string("positional"), ARGS, + jv_string("named"), jv_copy(program_arguments)); +diff --git a/tests/shtest b/tests/shtest +index 370f7b7c69..68705df255 100755 +--- a/tests/shtest ++++ b/tests/shtest +@@ -886,4 +886,11 @@ if printf '{}\x00{}' | $JQ >/dev/null 2> /dev/null; then + exit 1 + fi + ++# CVE-2026-41256: No NUL truncation in program files loaded with -f ++printf '.\x00invalid' > "$d/nul_prog.jq" ++if echo '42' | $JQ -f "$d/nul_prog.jq" >/dev/null 2>/dev/null; then ++ printf 'Error expected for program file with NUL bytes\n' 1>&2 ++ exit 1 ++fi ++ + exit 0 diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index e1791ad099..2092fe962a 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb 
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-33947.patch \ file://CVE-2026-33948.patch \ file://CVE-2026-39979.patch \ + file://CVE-2026-41256.patch \ file://CVE-2026-47770.patch \ file://CVE-2026-49389.patch \ file://CVE-2026-49839.patch \
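Review bot: The embedded patch header in the new-file hunk has Signed-off-by and Upstream-Status but no "CVE: CVE-2026-41256" tag line; the ID appears only in the free-text sentence "This fixes CVE-2026-41256.", so the tag should be added next to Upstream-Status. Worth knowing when relying on the backported tests/shtest case: it sends stdout and stderr of `$JQ -f "$d/nul_prog.jq"` to /dev/null and checks only for a non-zero exit, so it passes on any failure and does not confirm that the new "program file contains NUL bytes" path in src/main.c is the one that fired.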
From patchwork Wed Jun 17 05:30:35 2026
X-Patchwork-Submitter: Anton Skorup
X-Patchwork-Id: 90292
From: Anton Skorup
Subject: [meta-oe][PATCHv2 3/8] jq: patch CVE-2026-44777
Date: Wed, 17 Jun 2026 07:30:35 +0200
Message-ID: <20260617053040.990143-3-antonsk@axis.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260617053040.990143-1-antonsk@axis.com>
References: <20260617053040.990143-1-antonsk@axis.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127629

From: Anton Skorup

CVE details: https://www.cve.org/CVERecord?id=CVE-2026-44777

Signed-off-by: Anton Skorup
---
v2
* Rebased on master-next
---
 .../jq/jq/CVE-2026-44777.patch | 233 ++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 234 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-44777.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-44777.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-44777.patch new file mode 100644 index 0000000000..f6bf926a0a --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-44777.patch
@@ -0,0 +1,233 @@ +From f58787c41835d9b17795730cb04925fdba25c71c Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Mon, 11 May 2026 20:41:38 +0900 +Subject: [PATCH] Detect circular module imports to prevent stack overflow + +jq used to recurse without bound on mutual or self-referential +`import` declarations, exhausting the stack. Track each library's +load state with a `loading` flag set before its dependencies are +processed; a recursive reference to an in-progress library now +reports "circular import of X". + +Fixes CVE-2026-44777. + +Signed-off-by: Anton Skorup +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/f58787c41835d9b17795730cb04925fdba25c71c] +--- + Makefile.am | 2 ++ + src/linker.c | 59 ++++++++++++++++++++++++------------- + tests/modules/cycle_a.jq | 2 ++ + tests/modules/cycle_b.jq | 2 ++ + tests/modules/cycle_self.jq | 2 ++ + tests/shtest | 23 +++++++++++++++ + 6 files changed, 70 insertions(+), 20 deletions(-) + create mode 100644 tests/modules/cycle_a.jq + create mode 100644 tests/modules/cycle_b.jq + create mode 100644 tests/modules/cycle_self.jq + +diff --git a/Makefile.am b/Makefile.am +index acb94435f4..e2321bb196 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -232,6 +232,8 @@ EXTRA_DIST = $(DOC_FILES) $(man_MANS) $(TESTS) $(TEST_LOG_COMPILER) \ + tests/modules/test_bind_order0.jq \ + tests/modules/test_bind_order1.jq \ + tests/modules/test_bind_order2.jq \ ++ tests/modules/cycle_a.jq tests/modules/cycle_b.jq \ ++ tests/modules/cycle_self.jq \ + tests/onig.supp tests/local.supp \ + tests/setup tests/torture/input0.json \ + tests/optional.test tests/man.test tests/manonig.test \ +diff --git a/src/linker.c b/src/linker.c +index e9027004cc..03f46db05c 100644 +--- a/src/linker.c ++++ b/src/linker.c +@@ -20,9 +20,13 @@ + #include "compile.h" + #include "jv_alloc.h" + ++struct lib_entry { ++ char *name; ++ block def; ++ int loading; ++}; + struct lib_loading_state { +- char **names; +- block *defs; ++ struct lib_entry *entries; + 
uint64_t ct; + }; + static int load_library(jq_state *jq, jv lib_path, +@@ -303,14 +307,24 @@ static int process_dependencies(jq_state *jq, jv jq_origin, jv lib_origin, block + } else { + uint64_t state_idx = 0; + for (; state_idx < lib_state->ct; ++state_idx) { +- if (strcmp(lib_state->names[state_idx],jv_string_value(resolved)) == 0) ++ if (strcmp(lib_state->entries[state_idx].name, jv_string_value(resolved)) == 0) + break; + } + + if (state_idx < lib_state->ct) { // Found ++ if (lib_state->entries[state_idx].loading) { ++ jq_report_error(jq, jv_string_fmt("jq: error: circular import of %s\n", ++ jv_string_value(resolved))); ++ jv_free(resolved); ++ jv_free(as); ++ jv_free(deps); ++ jv_free(jq_origin); ++ jv_free(lib_origin); ++ return 1; ++ } + jv_free(resolved); + // Bind the library to the program +- bk = block_bind_library(lib_state->defs[state_idx], bk, OP_IS_CALL_PSEUDO, as_str); ++ bk = block_bind_library(lib_state->entries[state_idx].def, bk, OP_IS_CALL_PSEUDO, as_str); + } else { // Not found. Add it to the table before binding. 
+ block dep_def_block = gen_noop(); + nerrors += load_library(jq, resolved, is_data, raw, optional, as_str, &dep_def_block, lib_state); +@@ -352,32 +366,38 @@ static int load_library(jq_state *jq, jv lib_path, int is_data, int raw, int opt + jq_report_error(jq, jv_string_fmt("jq: error loading data file %s: %s\n", jv_string_value(lib_path), jv_string_value(data))); + nerrors++; + } +- goto out; + } else if (is_data) { + // import "foo" as $bar; + program = gen_const_global(jv_copy(data), as); ++ state_idx = lib_state->ct++; ++ lib_state->entries = jv_mem_realloc(lib_state->entries, lib_state->ct * sizeof(struct lib_entry)); ++ lib_state->entries[state_idx].name = strdup(jv_string_value(lib_path)); ++ lib_state->entries[state_idx].def = program; ++ lib_state->entries[state_idx].loading = 0; + } else { + // import "foo" as bar; + src = locfile_init(jq, jv_string_value(lib_path), jv_string_value(data), jv_string_length_bytes(jv_copy(data))); + nerrors += jq_parse_library(src, &program); + locfile_free(src); + if (nerrors == 0) { ++ // Register the library before processing its dependencies so that ++ // circular imports can be detected. 
++ state_idx = lib_state->ct++; ++ lib_state->entries = jv_mem_realloc(lib_state->entries, lib_state->ct * sizeof(struct lib_entry)); ++ lib_state->entries[state_idx].name = strdup(jv_string_value(lib_path)); ++ lib_state->entries[state_idx].def = gen_noop(); ++ lib_state->entries[state_idx].loading = 1; ++ + char *lib_origin = strdup(jv_string_value(lib_path)); + nerrors += process_dependencies(jq, jq_get_jq_origin(jq), + jv_string(dirname(lib_origin)), + &program, lib_state); + free(lib_origin); + program = block_bind_self(program, OP_IS_CALL_PSEUDO); ++ lib_state->entries[state_idx].def = program; ++ lib_state->entries[state_idx].loading = 0; + } + } +- if (nerrors == 0) { +- state_idx = lib_state->ct++; +- lib_state->names = jv_mem_realloc(lib_state->names, lib_state->ct * sizeof(const char *)); +- lib_state->defs = jv_mem_realloc(lib_state->defs, lib_state->ct * sizeof(block)); +- lib_state->names[state_idx] = strdup(jv_string_value(lib_path)); +- lib_state->defs[state_idx] = program; +- } +-out: + *out_block = program; + jv_free(lib_path); + jv_free(data); +@@ -415,7 +435,7 @@ jv load_module_meta(jq_state *jq, jv mod_relpath) { + int load_program(jq_state *jq, struct locfile* src, block *out_block) { + int nerrors = 0; + block program; +- struct lib_loading_state lib_state = {0,0,0}; ++ struct lib_loading_state lib_state = {0,0}; + nerrors = jq_parse(src, &program); + if (nerrors) + return nerrors; +@@ -441,14 +461,13 @@ int load_program(jq_state *jq, struct locfile* src, block *out_block) { + nerrors = process_dependencies(jq, jq_get_jq_origin(jq), jq_get_prog_origin(jq), &program, &lib_state); + block libs = gen_noop(); + for (uint64_t i = 0; i < lib_state.ct; ++i) { +- free(lib_state.names[i]); +- if (nerrors == 0 && !block_is_const(lib_state.defs[i])) +- libs = block_join(libs, lib_state.defs[i]); ++ free(lib_state.entries[i].name); ++ if (nerrors == 0 && !block_is_const(lib_state.entries[i].def)) ++ libs = block_join(libs, lib_state.entries[i].def); + 
else +- block_free(lib_state.defs[i]); ++ block_free(lib_state.entries[i].def); + } +- free(lib_state.names); +- free(lib_state.defs); ++ free(lib_state.entries); + if (nerrors) + block_free(program); + else +diff --git a/tests/modules/cycle_a.jq b/tests/modules/cycle_a.jq +new file mode 100644 +index 0000000000..30c1deaedf +--- /dev/null ++++ b/tests/modules/cycle_a.jq +@@ -0,0 +1,2 @@ ++import "cycle_b" as b; ++def f: null; +diff --git a/tests/modules/cycle_b.jq b/tests/modules/cycle_b.jq +new file mode 100644 +index 0000000000..3fdc360fcd +--- /dev/null ++++ b/tests/modules/cycle_b.jq +@@ -0,0 +1,2 @@ ++import "cycle_a" as a; ++def f: null; +diff --git a/tests/modules/cycle_self.jq b/tests/modules/cycle_self.jq +new file mode 100644 +index 0000000000..8365eab1a4 +--- /dev/null ++++ b/tests/modules/cycle_self.jq +@@ -0,0 +1,2 @@ ++import "cycle_self" as s; ++def f: null; +diff --git a/tests/shtest b/tests/shtest +index fa972de870..aca82790bc 100755 +--- a/tests/shtest ++++ b/tests/shtest +@@ -382,17 +382,40 @@ if ! HOME="$mods/home2" $VALGRIND $Q $JQ -n 'include "g"; empty'; then + exit 1 + fi + ++( + cd "$JQBASEDIR" # so that relative library paths are guaranteed correct + if ! $VALGRIND $Q $JQ -L ./tests/modules -ne 'import "test_bind_order" as check; check::check==true'; then + echo "Issue #817 regression?" 1>&2 + exit 1 + fi ++) + ++( + cd "$JQBASEDIR" + if ! $VALGRIND $Q $JQ -L tests/modules -ne 'import "test_bind_order" as check; check::check==true'; then + echo "Issue #817 regression?" 1>&2 + exit 1 + fi ++) ++ ++# CVE-2026-44777: Circular imports should be detected ++if $VALGRIND $JQ -L "$mods" -ne 'import "cycle_a" as a; null' 2> $d/out; then ++ echo "Mutual import should be rejected" 1>&2 ++ exit 1 ++fi ++if ! 
grep -q "circular import" $d/out; then ++ echo "Expected circular import error" 1>&2 ++ exit 1 ++fi ++ ++if $VALGRIND $JQ -L "$mods" -ne 'import "cycle_self" as s; null' 2> $d/out; then ++ echo "Self import should be rejected" 1>&2 ++ exit 1 ++fi ++if ! grep -q "circular import" $d/out; then ++ echo "Expected circular import error" 1>&2 ++ exit 1 ++fi + + ## Halt + diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 2092fe962a..2634fd52a2 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb 
@@ -19,6 +19,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-39979.patch \ file://CVE-2026-41256.patch \ file://CVE-2026-47770.patch \ + file://CVE-2026-44777.patch \ file://CVE-2026-49389.patch \ file://CVE-2026-49839.patch \ " 
From patchwork Wed Jun 17 05:30:36 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anton Skorup X-Patchwork-Id: 90297
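Review bot: in load_library() (src/linker.c, CVE-2026-44777 patch), the `import "foo" as bar;` branch now stores `program` in `lib_state->entries[state_idx].def` and clears `loading` even when process_dependencies() returned errors, whereas the removed block only added a library to the table when `nerrors == 0`. The same block still goes out through `*out_block`, and load_program() calls block_free() on every `entries[i].def` once `nerrors` is non-zero, so please state who owns the block of a failed dependency (a short comment next to the registration would do) and confirm that the caller of load_library() does not free or bind it as well.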
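Review bot: in the tests/shtest hunk, wrapping the two `cd "$JQBASEDIR"` checks in `( ... )` means their `exit 1` now only leaves the subshell, so the "Issue #817 regression?" failure reaches the script only if it runs under `set -e`, which this hunk does not show; appending `|| exit 1` after each closing `)` would make that explicit. The new circular-import checks also use `$d/out` unquoted, and `2> "$d/out"` together with `grep -q "circular import" "$d/out"` would be safer if the temporary directory path ever contains spaces.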
From: Anton Skorup
To:
CC: Anton Skorup , Anton Skorup
Subject: [meta-oe][PATCHv2 4/8] jq: patch CVE-2026-43896
Date: Wed, 17 Jun 2026 07:30:36 +0200
Message-ID: <20260617053040.990143-4-antonsk@axis.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260617053040.990143-1-antonsk@axis.com>
References: <20260617053040.990143-1-antonsk@axis.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127634

From: Anton Skorup

CVE details: https://www.cve.org/CVERecord?id=CVE-2026-43896

Signed-off-by: Anton Skorup
---
v2
* Rebased on master-next
---
.../jq/jq/CVE-2026-43896.patch | 82 +++++++++++++++++++
meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 +
2 files changed, 83 insertions(+)
create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch

diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch new file mode 100644 index 0000000000..318c86a121 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch 
@@ -0,0 +1,82 @@ +From 532ccea6080ed6758f39fe9f6208a44b665023d2 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Tue, 5 May 2026 22:44:02 +0900 +Subject: [PATCH] Limit recursive object merge depth to prevent stack overflow + +This fixes CVE-2026-43896. + +Signed-off-by: Anton Skorup +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/532ccea6080ed6758f39fe9f6208a44b665023d2] +--- + src/jv.c | 25 +++++++++++++++++++++++-- + tests/jq.test | 9 +++++++++ + 2 files changed, 32 insertions(+), 2 deletions(-) + +diff --git a/src/jv.c b/src/jv.c +index feb68d1a1c..84fafef666 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -1899,16 +1899,33 @@ jv jv_object_merge(jv a, jv b) { + return a; + } + +-jv jv_object_merge_recursive(jv a, jv b) { ++#ifndef MAX_OBJECT_MERGE_DEPTH ++#define MAX_OBJECT_MERGE_DEPTH (10000) ++#endif ++ ++static jv jvp_object_merge_recursive(jv a, jv b, int depth) { + assert(JVP_HAS_KIND(a, JV_KIND_OBJECT)); + assert(JVP_HAS_KIND(b, JV_KIND_OBJECT)); + ++ if (depth > MAX_OBJECT_MERGE_DEPTH) { ++ jv_free(a); ++ jv_free(b); ++ return jv_invalid_with_msg(jv_string("Object merge too deep")); ++ } ++ + jv_object_foreach(b, k, v) { + jv elem = jv_object_get(jv_copy(a), jv_copy(k)); + if (jv_is_valid(elem) && + JVP_HAS_KIND(elem, JV_KIND_OBJECT) && + JVP_HAS_KIND(v, JV_KIND_OBJECT)) { +- a = jv_object_set(a, k, jv_object_merge_recursive(elem, v)); ++ jv merged = jvp_object_merge_recursive(elem, v, depth + 1); ++ if (!jv_is_valid(merged)) { ++ jv_free(k); ++ jv_free(a); ++ jv_free(b); ++ return merged; ++ } ++ a = jv_object_set(a, k, merged); + } else { + jv_free(elem); + a = jv_object_set(a, k, v); +@@ -1919,6 +1936,10 @@ jv jv_object_merge_recursive(jv a, jv b) { + return a; + } + ++jv jv_object_merge_recursive(jv a, jv b) { ++ return jvp_object_merge_recursive(a, b, 0); ++} ++ + /* + * Object iteration (internal helpers) + */ +diff --git a/tests/jq.test b/tests/jq.test +index 8094a5b6eb..9a80341f52 100644 +--- a/tests/jq.test ++++ b/tests/jq.test +@@ 
-2602,3 +2602,12 @@ true + try (reduce range(10001) as $_ ([]; [.]) as $x | $x | contains($x)) catch . + null + "Containment check too deep" ++ ++# regression test for CVE-2026-43896 ++reduce range(10000) as $_ ({}; {a: .}) as $x | $x * $x | length ++null ++1 ++ ++try (reduce range(10001) as $_ ({}; {a: .}) as $x | $x * $x) catch . ++null ++"Object merge too deep" diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 2634fd52a2..b0779b389e 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb 
@@ -18,6 +18,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-33948.patch \ file://CVE-2026-39979.patch \ file://CVE-2026-41256.patch \ + file://CVE-2026-43896.patch \ file://CVE-2026-47770.patch \ file://CVE-2026-44777.patch \ file://CVE-2026-49389.patch \ 
From patchwork Wed Jun 17 05:30:37 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anton Skorup X-Patchwork-Id: 90293
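Review bot: in jvp_object_merge_recursive() (src/jv.c, CVE-2026-43896 patch), the bound is a compile-time constant (`MAX_OBJECT_MERGE_DEPTH`, 10000 unless predefined) and nothing in the patch says how much stack one level of recursion costs, so whether 10000 nested calls fit depends on the target's stack limit. Since the macro is wrapped in `#ifndef`, a comment at the definition saying that builds for small-stack targets can lower it through the compiler flags would help downstream users. The check is `depth > MAX_OBJECT_MERGE_DEPTH` with the public wrapper starting at 0, so 10000 nested levels still merge and 10001 fail, which matches the two tests added to tests/jq.test.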
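Review bot: the header of the embedded CVE-2026-43896.patch names the CVE only in the sentence "This fixes CVE-2026-43896."; adding a `CVE: CVE-2026-43896` tag line beside `Upstream-Status:` follows the usual OpenEmbedded patch-header convention, even though the file name already carries the ID. The headers of the CVE-2026-41257 and CVE-2026-40612 patches in this series have the same gap.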
From: Anton Skorup
To:
CC: Anton Skorup , Anton Skorup
Subject: [meta-oe][PATCHv2 5/8] jq: patch CVE-2026-41257
Date: Wed, 17 Jun 2026 07:30:37 +0200
Message-ID: <20260617053040.990143-5-antonsk@axis.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260617053040.990143-1-antonsk@axis.com>
References: <20260617053040.990143-1-antonsk@axis.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127630

From: Anton Skorup

CVE details: https://www.cve.org/CVERecord?id=CVE-2026-41257

Signed-off-by: Anton Skorup
---
.../jq/jq/CVE-2026-41257.patch | 52 +++++++++++++++++++
meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 +
2 files changed, 53 insertions(+)
create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-41257.patch

diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-41257.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-41257.patch new file mode 100644 index 0000000000..8bf3ecd325 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-41257.patch 
@@ -0,0 +1,52 @@ +From 01b3cded76daacbfddb7f8763700b0803bcb5c6f Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Fri, 24 Apr 2026 22:09:44 +0900 +Subject: [PATCH] Fix signed-int overflow in `stack_reallocate` + +This fixes CVE-2026-41257. + +Signed-off-by: Anton Skorup +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/01b3cded76daacbfddb7f8763700b0803bcb5c6f] +--- + src/exec_stack.h | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/src/exec_stack.h b/src/exec_stack.h +index 2a063e8cf9..159c56e4fb 100644 +--- a/src/exec_stack.h ++++ b/src/exec_stack.h +@@ -2,8 +2,10 @@ + #define EXEC_STACK_H + #include + #include ++#include + #include + #include ++#include + #include "jv_alloc.h" + + /* +@@ -81,15 +83,19 @@ static stack_ptr* stack_block_next(struct stack* s, stack_ptr p) { + } + + static void stack_reallocate(struct stack* s, size_t sz) { +- int old_mem_length = -(s->bound) + ALIGNMENT; +- char* old_mem_start = (s->mem_end != NULL) ? (s->mem_end - old_mem_length) : NULL; ++ size_t old_mem_length = (size_t)(-(s->bound)) + ALIGNMENT; ++ char* old_mem_start = s->mem_end != NULL ? s->mem_end - old_mem_length : NULL; + +- int new_mem_length = align_round_up((old_mem_length + sz + 256) * 2); ++ size_t new_mem_length = align_round_up((old_mem_length + sz + 256) * 2); ++ if (new_mem_length > INT_MAX) { ++ fprintf(stderr, "jq: error: cannot allocate memory\n"); ++ abort(); ++ } + char* new_mem_start = jv_mem_realloc(old_mem_start, new_mem_length); + memmove(new_mem_start + (new_mem_length - old_mem_length), + new_mem_start, old_mem_length); + s->mem_end = new_mem_start + new_mem_length; +- s->bound = -(new_mem_length - ALIGNMENT); ++ s->bound = -(int)(new_mem_length - ALIGNMENT); + } + + static stack_ptr stack_push_block(struct stack* s, stack_ptr p, size_t sz) { diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index b0779b389e..9af7e00f3b 100644 
--- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb 
@@ -18,6 +18,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-33948.patch \ file://CVE-2026-39979.patch \ file://CVE-2026-41256.patch \ + file://CVE-2026-41257.patch \ file://CVE-2026-43896.patch \ file://CVE-2026-47770.patch \ file://CVE-2026-44777.patch \ 
From patchwork Wed Jun 17 05:30:38 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anton Skorup X-Patchwork-Id: 90296
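Review bot: in stack_reallocate() (src/exec_stack.h, CVE-2026-41257 patch), the `new_mem_length > INT_MAX` test runs only after `(old_mem_length + sz + 256) * 2` has been evaluated in `size_t`, so the product can wrap to a small value and pass the test, most plausibly on targets where `size_t` is 32 bits. Checking the operands before the multiplication, that is, rejecting the request when `old_mem_length + sz + 256` exceeds `INT_MAX / 2`, would close that gap. The failure path is `abort()`, so an oversized stack still ends the process; that is worth saying in the patch description for anyone assessing the residual impact.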
From: Anton Skorup
To:
CC: Anton Skorup , Anton Skorup
Subject: [meta-oe][PATCHv2 6/8] jq: patch CVE-2026-40612
Date: Wed, 17 Jun 2026 07:30:38 +0200
Message-ID: <20260617053040.990143-6-antonsk@axis.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260617053040.990143-1-antonsk@axis.com>
References: <20260617053040.990143-1-antonsk@axis.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127632

From: Anton Skorup

CVE details: https://www.cve.org/CVERecord?id=CVE-2026-40612

Signed-off-by: Anton Skorup
---
.../jq/jq/CVE-2026-40612.patch | 136 ++++++++++++++++++
meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 +
2 files changed, 137 insertions(+)
create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch

diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch new file mode 100644 index 0000000000..4078b8b10d --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch 
@@ -0,0 +1,136 @@ +From d1a12569d91641135976a8536776a4a329c02cc2 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Fri, 24 Apr 2026 22:02:24 +0900 +Subject: [PATCH] Limit the containment check depth + +This fixes CVE-2026-40612. + +Signed-off-by: Anton Skorup +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/d1a12569d91641135976a8536776a4a329c02cc2] +--- + src/builtin.c | 5 ++++- + src/jv.c | 40 +++++++++++++++++++++++++++------------- + tests/jq.test | 9 +++++++++ + 3 files changed, 40 insertions(+), 14 deletions(-) + +diff --git a/src/builtin.c b/src/builtin.c +index d33e9fb162..2b2a2d40da 100644 +--- a/src/builtin.c ++++ b/src/builtin.c +@@ -421,7 +421,10 @@ jv binop_greatereq(jv a, jv b) { + + static jv f_contains(jq_state *jq, jv a, jv b) { + if (jv_get_kind(a) == jv_get_kind(b)) { +- return jv_bool(jv_contains(a, b)); ++ int r = jv_contains(a, b); ++ if (r < 0) ++ return jv_invalid_with_msg(jv_string("Containment check too deep")); ++ return jv_bool(r); + } else { + return type_error2(a, b, "cannot have their containment checked"); + } +diff --git a/src/jv.c b/src/jv.c +index 607ac174f7..4b18c00cf6 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -938,19 +938,19 @@ static void jvp_clamp_slice_params(int len, int *pstart, int *pend) + } + + +-static int jvp_array_contains(jv a, jv b) { ++static int jvp_contains(jv a, jv b, int depth); ++ ++static int jvp_array_contains(jv a, jv b, int depth) { + int r = 1; + jv_array_foreach(b, bi, belem) { + int ri = 0; + jv_array_foreach(a, ai, aelem) { +- if (jv_contains(aelem, jv_copy(belem))) { +- ri = 1; +- break; +- } ++ ri = jvp_contains(aelem, jv_copy(belem), depth); ++ if (ri) break; + } + jv_free(belem); +- if (!ri) { +- r = 0; ++ if (ri <= 0) { ++ r = ri; + break; + } + } +@@ -1844,7 +1844,7 @@ static int jvp_object_equal(jv o1, jv o2) { + return len1 == len2; + } + +-static int jvp_object_contains(jv a, jv b) { ++static int jvp_object_contains(jv a, jv b, int depth) { + assert(JVP_HAS_KIND(a, 
JV_KIND_OBJECT)); + assert(JVP_HAS_KIND(b, JV_KIND_OBJECT)); + int r = 1; +@@ -1852,9 +1852,9 @@ static int jvp_object_contains(jv a, jv b) { + jv_object_foreach(b, key, b_val) { + jv a_val = jv_object_get(jv_copy(a), key); + +- r = jv_contains(a_val, b_val); ++ r = jvp_contains(a_val, b_val, depth); + +- if (!r) break; ++ if (r <= 0) break; + } + return r; + } +@@ -2086,14 +2086,23 @@ int jv_identical(jv a, jv b) { + return r; + } + +-int jv_contains(jv a, jv b) { ++#ifndef MAX_CONTAINS_DEPTH ++#define MAX_CONTAINS_DEPTH (10000) ++#endif ++ ++static int jvp_contains(jv a, jv b, int depth) { ++ if (depth > MAX_CONTAINS_DEPTH) { ++ jv_free(a); ++ jv_free(b); ++ return -1; ++ } + int r = 1; + if (jv_get_kind(a) != jv_get_kind(b)) { + r = 0; + } else if (JVP_HAS_KIND(a, JV_KIND_OBJECT)) { +- r = jvp_object_contains(a, b); ++ r = jvp_object_contains(a, b, depth + 1); + } else if (JVP_HAS_KIND(a, JV_KIND_ARRAY)) { +- r = jvp_array_contains(a, b); ++ r = jvp_array_contains(a, b, depth + 1); + } else if (JVP_HAS_KIND(a, JV_KIND_STRING)) { + int b_len = jv_string_length_bytes(jv_copy(b)); + if (b_len != 0) { +@@ -2109,3 +2118,8 @@ int jv_contains(jv a, jv b) { + jv_free(b); + return r; + } ++ ++// Returns 1 (contained), 0 (not contained), or -1 (too deep) ++int jv_contains(jv a, jv b) { ++ return jvp_contains(a, b, 0); ++} +diff --git a/tests/jq.test b/tests/jq.test +index 0cd5198f8d..8094a5b6eb 100644 +--- a/tests/jq.test ++++ b/tests/jq.test +@@ -2593,3 +2593,12 @@ null + try delpaths([[range(10001) | 0]]) catch . + null + "Path too deep" ++ ++# regression test for CVE-2026-40612 ++reduce range(10000) as $_ ([]; [.]) | contains([[]]) ++null ++true ++ ++try (reduce range(10001) as $_ ([]; [.]) as $x | $x | contains($x)) catch . ++null ++"Containment check too deep" diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 9af7e00f3b..aff33589b9 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb 
+++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb 
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-33947.patch \ file://CVE-2026-33948.patch \ file://CVE-2026-39979.patch \ + file://CVE-2026-40612.patch \ file://CVE-2026-41256.patch \ file://CVE-2026-41257.patch \ file://CVE-2026-43896.patch \
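Review bot: jv_contains() now has a third return value, -1, but f_contains in src/builtin.c is the only caller this patch updates, and the contract is documented only in the comment above the new definition at the end of src/jv.c. Any other caller that tests the result as a boolean, as in `if (jv_contains(a, b))`, will read "too deep" as "contained". Please confirm that 1.8.1 has no other callers, and consider repeating the comment on the prototype in the header, which the diffstat shows is not touched.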
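Review bot: in jvp_array_contains, `if (ri) break;` leaves the inner loop on -1 as well as on 1, so whether contains returns true or raises "Containment check too deep" depends on whether a matching element of a comes before or after an over-deep one. If that ordering dependence is intended, a short comment on the inner loop should say so. jvp_object_contains does not have it, because it looks up a single key per value of b.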
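Review bot: the cap added in jvp_contains bounds the recursion, it does not remove it. With MAX_CONTAINS_DEPTH at 10000, each level still costs two native frames (jvp_contains plus jvp_array_contains or jvp_object_contains). For an embedded layer it is worth stating in the recipe commit message whether that depth fits the stack sizes of the supported targets. The `#ifndef MAX_CONTAINS_DEPTH` guard means a lower value can be passed at build time if it does not.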
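Review bot: the first case added to tests/jq.test, `reduce range(10000) as $_ ([]; [.]) | contains([[]])`, recurses only as deep as the right-hand operand `[[]]`, so it never gets near the limit. Only the 10001 case reaches it. A self-containment check at exactly 10000 levels, expected to return true, would pin down the boundary in `depth > MAX_CONTAINS_DEPTH` from the passing side as well.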

From: Anton Skorup
CC: Anton Skorup, Anton Skorup
Subject: [meta-oe][PATCHv2 7/8] jq: patch CVE-2026-43894
Date: Wed, 17 Jun 2026 07:30:39 +0200
Message-ID: <20260617053040.990143-7-antonsk@axis.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260617053040.990143-1-antonsk@axis.com>
References: <20260617053040.990143-1-antonsk@axis.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127633

From: Anton Skorup

CVE details: https://www.cve.org/CVERecord?id=CVE-2026-43894

Signed-off-by: Anton Skorup
--- .../jq/jq/CVE-2026-43894.patch | 52 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 53 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch new file mode 100644 index 0000000000..3b73647de0 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch 
@@ -0,0 +1,52 @@ +From 9761ceb7d6cc48c16b25f0ab1baaef0e701927e4 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Wed, 6 May 2026 19:45:24 +0900 +Subject: [PATCH] Reject numeric literals longer than DEC_MAX_DIGITS + (999999999) + +A signed-int overflow in decNumber's D2U macro lets huge literals +write attacker-controlled bytes past a stack buffer. Cap the length +before calling decNumberFromString, and pre-slice long strings in +jv_dump_string_trunc so the resulting error message doesn't itself +allocate a multi-GiB buffer. + +Fixes CVE-2026-43894. + +Signed-off-by: Anton Skorup +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/9761ceb7d6cc48c16b25f0ab1baaef0e701927e4] +--- + src/jv.c | 5 ++++- + src/jv_print.c | 4 ++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/jv.c b/src/jv.c +index 84fafef666..074ee310c5 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -570,7 +570,10 @@ static jvp_literal_number* jvp_literal_number_alloc(unsigned literal_length) { + } + + static jv jvp_literal_number_new(const char * literal) { +- jvp_literal_number* n = jvp_literal_number_alloc(strlen(literal)); ++ size_t len = strlen(literal); ++ if (len > DEC_MAX_DIGITS) ++ return JV_INVALID; ++ jvp_literal_number* n = jvp_literal_number_alloc(len); + + decContext *ctx = DEC_CONTEXT(); + decContextClearStatus(ctx, DEC_Conversion_syntax); +diff --git a/src/jv_print.c b/src/jv_print.c +index 5c86c5d97c..bc251070f7 100644 +--- a/src/jv_print.c ++++ b/src/jv_print.c +@@ -410,6 +410,10 @@ jv jv_dump_string(jv x, int flags) { + + char *jv_dump_string_trunc(jv x, char *outbuf, size_t bufsize) { + assert(bufsize > 0); ++ if (jv_get_kind(x) == JV_KIND_STRING && ++ (size_t)jv_string_length_bytes(jv_copy(x)) > bufsize) { ++ x = jv_string_slice(x, 0, bufsize); ++ } + x = jv_dump_string(x, 0); + const char *str = jv_string_value(x); + const size_t len = strlen(str); 
diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index aff33589b9..87917b7c32 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb 
@@ -20,6 +20,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-40612.patch \ file://CVE-2026-41256.patch \ file://CVE-2026-41257.patch \ + file://CVE-2026-43894.patch \ file://CVE-2026-43896.patch \ file://CVE-2026-47770.patch \ file://CVE-2026-44777.patch \
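Review bot: the length check added to jvp_literal_number_new in src/jv.c has no comment saying why DEC_MAX_DIGITS is the bound. The reason, a signed-int overflow in decNumber's D2U macro, is stated only in the commit message. A one-line comment above `if (len > DEC_MAX_DIGITS)` would keep the check from being dropped as redundant in a later cleanup. The same bound is what makes passing a size_t to jvp_literal_number_alloc(unsigned literal_length) safe, which is worth stating there too.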
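Review bot: in jv_dump_string_trunc (src/jv_print.c), the pre-slice passes bufsize, a size_t, straight through as the end argument of jv_string_slice. The length it is compared against comes from jv_string_length_bytes and needs a `(size_t)` cast, which suggests the jv string API works in int. Please check that a bufsize above INT_MAX cannot reach the slice call, or clamp it. Also confirm that the slice end is counted in the same unit as the byte length tested in the condition, and add a comment that the slice only bounds the allocation made by jv_dump_string.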

From: Anton Skorup
CC: Anton Skorup, Anton Skorup
Subject: [meta-oe][PATCH 8/8] jq: patch CVE-2026-43895
Date: Wed, 17 Jun 2026 07:30:40 +0200
Message-ID: <20260617053040.990143-8-antonsk@axis.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260617053040.990143-1-antonsk@axis.com>
References: <20260617053040.990143-1-antonsk@axis.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127635

From: Anton Skorup

CVE details: https://www.cve.org/CVERecord?id=CVE-2026-43895

Signed-off-by: Anton Skorup
--- .../jq/jq/CVE-2026-43895.patch | 1537 +++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 1538 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-43895.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-43895.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43895.patch new file mode 100644 index 0000000000..8b58c8e95e --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43895.patch 
@@ -0,0 +1,1537 @@ +From 9d223f153c3632a207fa071caaa6292da33ae361 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Sat, 9 May 2026 17:08:43 +0900 +Subject: [PATCH] Reject embedded NUL bytes in module import paths + +jq accepts embedded NUL bytes at the language level but resolves +module import paths through NUL-terminated C strings, so the path +validated by policy or audit code could differ from the on-disk +path jq actually opens. Pass jv through gen_import so the AST +preserves the original bytes, and reject embedded NULs in +validate_relpath. + +Fixes CVE-2026-43895. + +Signed-off-by: Anton Skorup +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/9d223f153c3632a207fa071caaa6292da33ae361] +--- + src/compile.c | 12 +- + src/compile.h | 2 +- + src/linker.c | 6 +- + src/parser.c | 556 +++++++++++++++++++++++++------------------------- + src/parser.y | 16 +- + tests/shtest | 17 ++ + 6 files changed, 307 insertions(+), 302 deletions(-) + +diff --git a/src/compile.c b/src/compile.c +index 5e64946b3e..80b723c119 100644 +--- a/src/compile.c ++++ b/src/compile.c +@@ -525,13 +525,17 @@ jv block_module_meta(block b) { + return jv_null(); + } + +-block gen_import(const char* name, const char* as, int is_data) { ++block gen_import(jv name, jv as, int is_data) { ++ assert(jv_get_kind(name) == JV_KIND_STRING); ++ assert(!jv_is_valid(as) || jv_get_kind(as) == JV_KIND_STRING); + inst* i = inst_new(DEPS); + jv meta = jv_object(); +- if (as != NULL) +- meta = jv_object_set(meta, jv_string("as"), jv_string(as)); ++ if (jv_is_valid(as)) ++ meta = jv_object_set(meta, jv_string("as"), as); ++ else ++ jv_free(as); + meta = jv_object_set(meta, jv_string("is_data"), is_data ? 
jv_true() : jv_false()); +- meta = jv_object_set(meta, jv_string("relpath"), jv_string(name)); ++ meta = jv_object_set(meta, jv_string("relpath"), name); + i->imm.constant = meta; + return inst_block(i); + } +diff --git a/src/compile.h b/src/compile.h +index bef46328a7..d195e9e2e8 100644 +--- a/src/compile.h ++++ b/src/compile.h +@@ -33,7 +33,7 @@ block gen_op_pushk_under(jv constant); + + block gen_module(block metadata); + jv block_module_meta(block b); +-block gen_import(const char* name, const char *as, int is_data); ++block gen_import(jv name, jv as, int is_data); + block gen_import_meta(block import, block metadata); + block gen_function(const char* name, block formals, block body); + block gen_param_regular(const char* name); +diff --git a/src/linker.c b/src/linker.c +index cfd74d1d48..e9027004cc 100644 +--- a/src/linker.c ++++ b/src/linker.c +@@ -93,6 +93,10 @@ static jv build_lib_search_chain(jq_state *jq, jv search_path, jv jq_origin, jv + // in between). + static jv validate_relpath(jv name) { + const char *s = jv_string_value(name); ++ if (strlen(s) != (size_t)jv_string_length_bytes(jv_copy(name))) { ++ jv_free(name); ++ return jv_invalid_with_msg(jv_string("Module path contains a NUL byte")); ++ } + if (strchr(s, '\\')) { + jv res = jv_invalid_with_msg(jv_string_fmt("Modules must be named by relative paths using '/', not '\\' (%s)", s)); + jv_free(name); +@@ -425,7 +429,7 @@ int load_program(jq_state *jq, struct locfile* src, block *out_block) { + jv home = get_home(); + if (jv_is_valid(home)) { + /* Import ~/.jq as a library named "" found in $HOME or %USERPROFILE% */ +- block import = gen_import_meta(gen_import("", NULL, 0), ++ block import = gen_import_meta(gen_import(jv_string(""), jv_invalid(), 0), + gen_const(JV_OBJECT( + jv_string("optional"), jv_true(), + jv_string("search"), home))); +diff --git a/src/parser.c b/src/parser.c +index c90e313420..9c60173e27 100644 +--- a/src/parser.c ++++ b/src/parser.c +@@ -937,19 +937,19 @@ static const 
yytype_int16 yyrline[] = + 325, 328, 331, 337, 340, 343, 349, 352, 355, 358, + 361, 364, 367, 370, 373, 376, 379, 382, 385, 388, + 391, 394, 397, 400, 403, 406, 409, 412, 415, 421, +- 424, 441, 450, 457, 465, 476, 481, 487, 490, 495, +- 499, 506, 509, 515, 522, 525, 528, 534, 537, 540, +- 546, 549, 552, 560, 564, 567, 570, 573, 576, 579, +- 582, 585, 588, 592, 598, 601, 604, 607, 610, 613, +- 616, 619, 622, 625, 628, 631, 634, 637, 640, 643, +- 646, 649, 652, 655, 658, 661, 664, 671, 674, 677, +- 680, 683, 687, 690, 694, 712, 716, 720, 723, 735, +- 740, 741, 742, 743, 746, 749, 754, 759, 762, 767, +- 770, 775, 779, 782, 787, 790, 795, 798, 803, 806, +- 809, 812, 815, 818, 826, 832, 835, 838, 841, 844, +- 847, 850, 853, 856, 859, 862, 865, 868, 871, 874, +- 877, 880, 883, 889, 892, 895, 900, 903, 906, 909, +- 913, 918, 922, 926, 930, 934, 942, 948, 951 ++ 424, 441, 445, 449, 455, 466, 471, 477, 480, 485, ++ 489, 496, 499, 505, 512, 515, 518, 524, 527, 530, ++ 536, 539, 542, 550, 554, 557, 560, 563, 566, 569, ++ 572, 575, 578, 582, 588, 591, 594, 597, 600, 603, ++ 606, 609, 612, 615, 618, 621, 624, 627, 630, 633, ++ 636, 639, 642, 645, 648, 651, 654, 661, 664, 667, ++ 670, 673, 677, 680, 684, 702, 706, 710, 713, 725, ++ 730, 731, 732, 733, 736, 739, 744, 749, 752, 757, ++ 760, 765, 769, 772, 777, 780, 785, 788, 793, 796, ++ 799, 802, 805, 808, 816, 822, 825, 828, 831, 834, ++ 837, 840, 843, 846, 849, 852, 855, 858, 861, 864, ++ 867, 870, 873, 879, 882, 885, 890, 893, 896, 899, ++ 903, 908, 912, 916, 920, 924, 932, 938, 941 + }; + #endif + +@@ -2841,42 +2841,32 @@ YYLTYPE yylloc = yyloc_default; + case 41: /* ImportWhat: "import" ImportFrom "as" BINDING */ + #line 441 "src/parser.y" + { +- jv v = block_const((yyvsp[-2].blk)); +- // XXX Make gen_import take only blocks and the int is_data so we +- // don't have to free so much stuff here +- (yyval.blk) = gen_import(jv_string_value(v), jv_string_value((yyvsp[0].literal)), 1); ++ (yyval.blk) = 
gen_import(block_const((yyvsp[-2].blk)), (yyvsp[0].literal), 1); + block_free((yyvsp[-2].blk)); +- jv_free((yyvsp[0].literal)); +- jv_free(v); + } +-#line 2853 "src/parser.c" ++#line 2848 "src/parser.c" + break; + + case 42: /* ImportWhat: "import" ImportFrom "as" IDENT */ +-#line 450 "src/parser.y" ++#line 445 "src/parser.y" + { +- jv v = block_const((yyvsp[-2].blk)); +- (yyval.blk) = gen_import(jv_string_value(v), jv_string_value((yyvsp[0].literal)), 0); ++ (yyval.blk) = gen_import(block_const((yyvsp[-2].blk)), (yyvsp[0].literal), 0); + block_free((yyvsp[-2].blk)); +- jv_free((yyvsp[0].literal)); +- jv_free(v); + } +-#line 2865 "src/parser.c" ++#line 2857 "src/parser.c" + break; + + case 43: /* ImportWhat: "include" ImportFrom */ +-#line 457 "src/parser.y" ++#line 449 "src/parser.y" + { +- jv v = block_const((yyvsp[0].blk)); +- (yyval.blk) = gen_import(jv_string_value(v), NULL, 0); ++ (yyval.blk) = gen_import(block_const((yyvsp[0].blk)), jv_invalid(), 0); + block_free((yyvsp[0].blk)); +- jv_free(v); + } +-#line 2876 "src/parser.c" ++#line 2866 "src/parser.c" + break; + + case 44: /* ImportFrom: String */ +-#line 465 "src/parser.y" ++#line 455 "src/parser.y" + { + if (!block_is_const((yyvsp[0].blk))) { + FAIL((yylsp[0]), "Import path must be constant"); +@@ -2886,152 +2876,152 @@ YYLTYPE yylloc = yyloc_default; + (yyval.blk) = (yyvsp[0].blk); + } + } +-#line 2890 "src/parser.c" ++#line 2880 "src/parser.c" + break; + + case 45: /* FuncDef: "def" IDENT ':' Query ';' */ +-#line 476 "src/parser.y" ++#line 466 "src/parser.y" + { + (yyval.blk) = gen_function(jv_string_value((yyvsp[-3].literal)), gen_noop(), (yyvsp[-1].blk)); + jv_free((yyvsp[-3].literal)); + } +-#line 2899 "src/parser.c" ++#line 2889 "src/parser.c" + break; + + case 46: /* FuncDef: "def" IDENT '(' Params ')' ':' Query ';' */ +-#line 481 "src/parser.y" ++#line 471 "src/parser.y" + { + (yyval.blk) = gen_function(jv_string_value((yyvsp[-6].literal)), (yyvsp[-4].blk), (yyvsp[-1].blk)); + 
jv_free((yyvsp[-6].literal)); + } +-#line 2908 "src/parser.c" ++#line 2898 "src/parser.c" + break; + + case 47: /* Params: Param */ +-#line 487 "src/parser.y" ++#line 477 "src/parser.y" + { + (yyval.blk) = (yyvsp[0].blk); + } +-#line 2916 "src/parser.c" ++#line 2906 "src/parser.c" + break; + + case 48: /* Params: Params ';' Param */ +-#line 490 "src/parser.y" ++#line 480 "src/parser.y" + { + (yyval.blk) = BLOCK((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 2924 "src/parser.c" ++#line 2914 "src/parser.c" + break; + + case 49: /* Param: BINDING */ +-#line 495 "src/parser.y" ++#line 485 "src/parser.y" + { + (yyval.blk) = gen_param_regular(jv_string_value((yyvsp[0].literal))); + jv_free((yyvsp[0].literal)); + } +-#line 2933 "src/parser.c" ++#line 2923 "src/parser.c" + break; + + case 50: /* Param: IDENT */ +-#line 499 "src/parser.y" ++#line 489 "src/parser.y" + { + (yyval.blk) = gen_param(jv_string_value((yyvsp[0].literal))); + jv_free((yyvsp[0].literal)); + } +-#line 2942 "src/parser.c" ++#line 2932 "src/parser.c" + break; + + case 51: /* StringStart: FORMAT QQSTRING_START */ +-#line 506 "src/parser.y" ++#line 496 "src/parser.y" + { + (yyval.literal) = (yyvsp[-1].literal); + } +-#line 2950 "src/parser.c" ++#line 2940 "src/parser.c" + break; + + case 52: /* StringStart: QQSTRING_START */ +-#line 509 "src/parser.y" ++#line 499 "src/parser.y" + { + (yyval.literal) = jv_string("text"); + } +-#line 2958 "src/parser.c" ++#line 2948 "src/parser.c" + break; + + case 53: /* String: StringStart QQString QQSTRING_END */ +-#line 515 "src/parser.y" ++#line 505 "src/parser.y" + { + (yyval.blk) = (yyvsp[-1].blk); + jv_free((yyvsp[-2].literal)); + } +-#line 2967 "src/parser.c" ++#line 2957 "src/parser.c" + break; + + case 54: /* QQString: %empty */ +-#line 522 "src/parser.y" ++#line 512 "src/parser.y" + { + (yyval.blk) = gen_const(jv_string("")); + } +-#line 2975 "src/parser.c" ++#line 2965 "src/parser.c" + break; + + case 55: /* QQString: QQString QQSTRING_TEXT */ +-#line 525 
"src/parser.y" ++#line 515 "src/parser.y" + { + (yyval.blk) = gen_binop((yyvsp[-1].blk), gen_const((yyvsp[0].literal)), '+'); + } +-#line 2983 "src/parser.c" ++#line 2973 "src/parser.c" + break; + + case 56: /* QQString: QQString QQSTRING_INTERP_START Query QQSTRING_INTERP_END */ +-#line 528 "src/parser.y" ++#line 518 "src/parser.y" + { + (yyval.blk) = gen_binop((yyvsp[-3].blk), gen_format((yyvsp[-1].blk), jv_copy((yyvsp[-4].literal))), '+'); + } +-#line 2991 "src/parser.c" ++#line 2981 "src/parser.c" + break; + + case 57: /* ElseBody: "elif" Query "then" Query ElseBody */ +-#line 534 "src/parser.y" ++#line 524 "src/parser.y" + { + (yyval.blk) = gen_cond((yyvsp[-3].blk), (yyvsp[-1].blk), (yyvsp[0].blk)); + } +-#line 2999 "src/parser.c" ++#line 2989 "src/parser.c" + break; + + case 58: /* ElseBody: "else" Query "end" */ +-#line 537 "src/parser.y" ++#line 527 "src/parser.y" + { + (yyval.blk) = (yyvsp[-1].blk); + } +-#line 3007 "src/parser.c" ++#line 2997 "src/parser.c" + break; + + case 59: /* ElseBody: "end" */ +-#line 540 "src/parser.y" ++#line 530 "src/parser.y" + { + (yyval.blk) = gen_noop(); + } +-#line 3015 "src/parser.c" ++#line 3005 "src/parser.c" + break; + + case 60: /* Term: '.' */ +-#line 546 "src/parser.y" ++#line 536 "src/parser.y" + { + (yyval.blk) = gen_noop(); + } +-#line 3023 "src/parser.c" ++#line 3013 "src/parser.c" + break; + + case 61: /* Term: ".." 
*/ +-#line 549 "src/parser.y" ++#line 539 "src/parser.y" + { + (yyval.blk) = gen_call("recurse", gen_noop()); + } +-#line 3031 "src/parser.c" ++#line 3021 "src/parser.c" + break; + + case 62: /* Term: "break" BINDING */ +-#line 552 "src/parser.y" ++#line 542 "src/parser.y" + { + jv v = jv_string_fmt("*label-%s", jv_string_value((yyvsp[0].literal))); // impossible symbol + (yyval.blk) = gen_location((yyloc), locations, +@@ -3040,279 +3030,279 @@ YYLTYPE yylloc = yyloc_default; + jv_free(v); + jv_free((yyvsp[0].literal)); + } +-#line 3044 "src/parser.c" ++#line 3034 "src/parser.c" + break; + + case 63: /* Term: "break" error */ +-#line 560 "src/parser.y" ++#line 550 "src/parser.y" + { + FAIL((yyloc), "break requires a label to break to"); + (yyval.blk) = gen_noop(); + } +-#line 3053 "src/parser.c" ++#line 3043 "src/parser.c" + break; + + case 64: /* Term: Term FIELD '?' */ +-#line 564 "src/parser.y" ++#line 554 "src/parser.y" + { + (yyval.blk) = gen_index_opt((yyvsp[-2].blk), gen_const((yyvsp[-1].literal))); + } +-#line 3061 "src/parser.c" ++#line 3051 "src/parser.c" + break; + + case 65: /* Term: FIELD '?' */ +-#line 567 "src/parser.y" ++#line 557 "src/parser.y" + { + (yyval.blk) = gen_index_opt(gen_noop(), gen_const((yyvsp[-1].literal))); + } +-#line 3069 "src/parser.c" ++#line 3059 "src/parser.c" + break; + + case 66: /* Term: Term '.' String '?' */ +-#line 570 "src/parser.y" ++#line 560 "src/parser.y" + { + (yyval.blk) = gen_index_opt((yyvsp[-3].blk), (yyvsp[-1].blk)); + } +-#line 3077 "src/parser.c" ++#line 3067 "src/parser.c" + break; + + case 67: /* Term: '.' String '?' 
*/ +-#line 573 "src/parser.y" ++#line 563 "src/parser.y" + { + (yyval.blk) = gen_index_opt(gen_noop(), (yyvsp[-1].blk)); + } +-#line 3085 "src/parser.c" ++#line 3075 "src/parser.c" + break; + + case 68: /* Term: Term FIELD */ +-#line 576 "src/parser.y" ++#line 566 "src/parser.y" + { + (yyval.blk) = gen_index((yyvsp[-1].blk), gen_const((yyvsp[0].literal))); + } +-#line 3093 "src/parser.c" ++#line 3083 "src/parser.c" + break; + + case 69: /* Term: FIELD */ +-#line 579 "src/parser.y" ++#line 569 "src/parser.y" + { + (yyval.blk) = gen_index(gen_noop(), gen_const((yyvsp[0].literal))); + } +-#line 3101 "src/parser.c" ++#line 3091 "src/parser.c" + break; + + case 70: /* Term: Term '.' String */ +-#line 582 "src/parser.y" ++#line 572 "src/parser.y" + { + (yyval.blk) = gen_index((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 3109 "src/parser.c" ++#line 3099 "src/parser.c" + break; + + case 71: /* Term: '.' String */ +-#line 585 "src/parser.y" ++#line 575 "src/parser.y" + { + (yyval.blk) = gen_index(gen_noop(), (yyvsp[0].blk)); + } +-#line 3117 "src/parser.c" ++#line 3107 "src/parser.c" + break; + + case 72: /* Term: '.' error */ +-#line 588 "src/parser.y" ++#line 578 "src/parser.y" + { + FAIL((yyloc), "try .[\"field\"] instead of .field for unusually named fields"); + (yyval.blk) = gen_noop(); + } +-#line 3126 "src/parser.c" ++#line 3116 "src/parser.c" + break; + + case 73: /* Term: '.' IDENT error */ +-#line 592 "src/parser.y" ++#line 582 "src/parser.y" + { + jv_free((yyvsp[-1].literal)); + FAIL((yyloc), "try .[\"field\"] instead of .field for unusually named fields"); + (yyval.blk) = gen_noop(); + } +-#line 3136 "src/parser.c" ++#line 3126 "src/parser.c" + break; + + case 74: /* Term: Term '[' Query ']' '?' 
*/ +-#line 598 "src/parser.y" ++#line 588 "src/parser.y" + { + (yyval.blk) = gen_index_opt((yyvsp[-4].blk), (yyvsp[-2].blk)); + } +-#line 3144 "src/parser.c" ++#line 3134 "src/parser.c" + break; + + case 75: /* Term: Term '[' Query ']' */ +-#line 601 "src/parser.y" ++#line 591 "src/parser.y" + { + (yyval.blk) = gen_index((yyvsp[-3].blk), (yyvsp[-1].blk)); + } +-#line 3152 "src/parser.c" ++#line 3142 "src/parser.c" + break; + + case 76: /* Term: Term '.' '[' Query ']' '?' */ +-#line 604 "src/parser.y" ++#line 594 "src/parser.y" + { + (yyval.blk) = gen_index_opt((yyvsp[-5].blk), (yyvsp[-2].blk)); + } +-#line 3160 "src/parser.c" ++#line 3150 "src/parser.c" + break; + + case 77: /* Term: Term '.' '[' Query ']' */ +-#line 607 "src/parser.y" ++#line 597 "src/parser.y" + { + (yyval.blk) = gen_index((yyvsp[-4].blk), (yyvsp[-1].blk)); + } +-#line 3168 "src/parser.c" ++#line 3158 "src/parser.c" + break; + + case 78: /* Term: Term '[' ']' '?' */ +-#line 610 "src/parser.y" ++#line 600 "src/parser.y" + { + (yyval.blk) = block_join((yyvsp[-3].blk), gen_op_simple(EACH_OPT)); + } +-#line 3176 "src/parser.c" ++#line 3166 "src/parser.c" + break; + + case 79: /* Term: Term '[' ']' */ +-#line 613 "src/parser.y" ++#line 603 "src/parser.y" + { + (yyval.blk) = block_join((yyvsp[-2].blk), gen_op_simple(EACH)); + } +-#line 3184 "src/parser.c" ++#line 3174 "src/parser.c" + break; + + case 80: /* Term: Term '.' '[' ']' '?' */ +-#line 616 "src/parser.y" ++#line 606 "src/parser.y" + { + (yyval.blk) = block_join((yyvsp[-4].blk), gen_op_simple(EACH_OPT)); + } +-#line 3192 "src/parser.c" ++#line 3182 "src/parser.c" + break; + + case 81: /* Term: Term '.' '[' ']' */ +-#line 619 "src/parser.y" ++#line 609 "src/parser.y" + { + (yyval.blk) = block_join((yyvsp[-3].blk), gen_op_simple(EACH)); + } +-#line 3200 "src/parser.c" ++#line 3190 "src/parser.c" + break; + + case 82: /* Term: Term '[' Query ':' Query ']' '?' 
*/ +-#line 622 "src/parser.y" ++#line 612 "src/parser.y" + { + (yyval.blk) = gen_slice_index((yyvsp[-6].blk), (yyvsp[-4].blk), (yyvsp[-2].blk), INDEX_OPT); + } +-#line 3208 "src/parser.c" ++#line 3198 "src/parser.c" + break; + + case 83: /* Term: Term '[' Query ':' ']' '?' */ +-#line 625 "src/parser.y" ++#line 615 "src/parser.y" + { + (yyval.blk) = gen_slice_index((yyvsp[-5].blk), (yyvsp[-3].blk), gen_const(jv_null()), INDEX_OPT); + } +-#line 3216 "src/parser.c" ++#line 3206 "src/parser.c" + break; + + case 84: /* Term: Term '[' ':' Query ']' '?' */ +-#line 628 "src/parser.y" ++#line 618 "src/parser.y" + { + (yyval.blk) = gen_slice_index((yyvsp[-5].blk), gen_const(jv_null()), (yyvsp[-2].blk), INDEX_OPT); + } +-#line 3224 "src/parser.c" ++#line 3214 "src/parser.c" + break; + + case 85: /* Term: Term '[' Query ':' Query ']' */ +-#line 631 "src/parser.y" ++#line 621 "src/parser.y" + { + (yyval.blk) = gen_slice_index((yyvsp[-5].blk), (yyvsp[-3].blk), (yyvsp[-1].blk), INDEX); + } +-#line 3232 "src/parser.c" ++#line 3222 "src/parser.c" + break; + + case 86: /* Term: Term '[' Query ':' ']' */ +-#line 634 "src/parser.y" ++#line 624 "src/parser.y" + { + (yyval.blk) = gen_slice_index((yyvsp[-4].blk), (yyvsp[-2].blk), gen_const(jv_null()), INDEX); + } +-#line 3240 "src/parser.c" ++#line 3230 "src/parser.c" + break; + + case 87: /* Term: Term '[' ':' Query ']' */ +-#line 637 "src/parser.y" ++#line 627 "src/parser.y" + { + (yyval.blk) = gen_slice_index((yyvsp[-4].blk), gen_const(jv_null()), (yyvsp[-1].blk), INDEX); + } +-#line 3248 "src/parser.c" ++#line 3238 "src/parser.c" + break; + + case 88: /* Term: Term '?' 
*/ +-#line 640 "src/parser.y" ++#line 630 "src/parser.y" + { + (yyval.blk) = gen_try((yyvsp[-1].blk), gen_op_simple(BACKTRACK)); + } +-#line 3256 "src/parser.c" ++#line 3246 "src/parser.c" + break; + + case 89: /* Term: LITERAL */ +-#line 643 "src/parser.y" ++#line 633 "src/parser.y" + { + (yyval.blk) = gen_const((yyvsp[0].literal)); + } +-#line 3264 "src/parser.c" ++#line 3254 "src/parser.c" + break; + + case 90: /* Term: String */ +-#line 646 "src/parser.y" ++#line 636 "src/parser.y" + { + (yyval.blk) = (yyvsp[0].blk); + } +-#line 3272 "src/parser.c" ++#line 3262 "src/parser.c" + break; + + case 91: /* Term: FORMAT */ +-#line 649 "src/parser.y" ++#line 639 "src/parser.y" + { + (yyval.blk) = gen_format(gen_noop(), (yyvsp[0].literal)); + } +-#line 3280 "src/parser.c" ++#line 3270 "src/parser.c" + break; + + case 92: /* Term: '-' Term */ +-#line 652 "src/parser.y" ++#line 642 "src/parser.y" + { + (yyval.blk) = BLOCK((yyvsp[0].blk), gen_call("_negate", gen_noop())); + } +-#line 3288 "src/parser.c" ++#line 3278 "src/parser.c" + break; + + case 93: /* Term: '(' Query ')' */ +-#line 655 "src/parser.y" ++#line 645 "src/parser.y" + { + (yyval.blk) = (yyvsp[-1].blk); + } +-#line 3296 "src/parser.c" ++#line 3286 "src/parser.c" + break; + + case 94: /* Term: '[' Query ']' */ +-#line 658 "src/parser.y" ++#line 648 "src/parser.y" + { + (yyval.blk) = gen_collect((yyvsp[-1].blk)); + } +-#line 3304 "src/parser.c" ++#line 3294 "src/parser.c" + break; + + case 95: /* Term: '[' ']' */ +-#line 661 "src/parser.y" ++#line 651 "src/parser.y" + { + (yyval.blk) = gen_const(jv_array()); + } +-#line 3312 "src/parser.c" ++#line 3302 "src/parser.c" + break; + + case 96: /* Term: '{' DictPairs '}' */ +-#line 664 "src/parser.y" ++#line 654 "src/parser.y" + { + block o = gen_const_object((yyvsp[-1].blk)); + if (o.first != NULL) +@@ -3320,103 +3310,103 @@ YYLTYPE yylloc = yyloc_default; + else + (yyval.blk) = BLOCK(gen_subexp(gen_const(jv_object())), (yyvsp[-1].blk), gen_op_simple(POP)); + } 
+-#line 3324 "src/parser.c" ++#line 3314 "src/parser.c" + break; + + case 97: /* Term: "reduce" Expr "as" Patterns '(' Query ';' Query ')' */ +-#line 671 "src/parser.y" ++#line 661 "src/parser.y" + { + (yyval.blk) = gen_reduce((yyvsp[-7].blk), (yyvsp[-5].blk), (yyvsp[-3].blk), (yyvsp[-1].blk)); + } +-#line 3332 "src/parser.c" ++#line 3322 "src/parser.c" + break; + + case 98: /* Term: "foreach" Expr "as" Patterns '(' Query ';' Query ';' Query ')' */ +-#line 674 "src/parser.y" ++#line 664 "src/parser.y" + { + (yyval.blk) = gen_foreach((yyvsp[-9].blk), (yyvsp[-7].blk), (yyvsp[-5].blk), (yyvsp[-3].blk), (yyvsp[-1].blk)); + } +-#line 3340 "src/parser.c" ++#line 3330 "src/parser.c" + break; + + case 99: /* Term: "foreach" Expr "as" Patterns '(' Query ';' Query ')' */ +-#line 677 "src/parser.y" ++#line 667 "src/parser.y" + { + (yyval.blk) = gen_foreach((yyvsp[-7].blk), (yyvsp[-5].blk), (yyvsp[-3].blk), (yyvsp[-1].blk), gen_noop()); + } +-#line 3348 "src/parser.c" ++#line 3338 "src/parser.c" + break; + + case 100: /* Term: "if" Query "then" Query ElseBody */ +-#line 680 "src/parser.y" ++#line 670 "src/parser.y" + { + (yyval.blk) = gen_cond((yyvsp[-3].blk), (yyvsp[-1].blk), (yyvsp[0].blk)); + } +-#line 3356 "src/parser.c" ++#line 3346 "src/parser.c" + break; + + case 101: /* Term: "if" Query "then" error */ +-#line 683 "src/parser.y" ++#line 673 "src/parser.y" + { + FAIL((yyloc), "Possibly unterminated 'if' statement"); + (yyval.blk) = (yyvsp[-2].blk); + } +-#line 3365 "src/parser.c" ++#line 3355 "src/parser.c" + break; + + case 102: /* Term: "try" Expr "catch" Expr */ +-#line 687 "src/parser.y" ++#line 677 "src/parser.y" + { + (yyval.blk) = gen_try((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 3373 "src/parser.c" ++#line 3363 "src/parser.c" + break; + + case 103: /* Term: "try" Expr "catch" error */ +-#line 690 "src/parser.y" ++#line 680 "src/parser.y" + { + FAIL((yyloc), "Possibly unterminated 'try' statement"); + (yyval.blk) = (yyvsp[-2].blk); + } +-#line 3382 
"src/parser.c" ++#line 3372 "src/parser.c" + break; + + case 104: /* Term: "try" Expr */ +-#line 694 "src/parser.y" ++#line 684 "src/parser.y" + { + (yyval.blk) = gen_try((yyvsp[0].blk), gen_op_simple(BACKTRACK)); + } +-#line 3390 "src/parser.c" ++#line 3380 "src/parser.c" + break; + + case 105: /* Term: '$' '$' '$' BINDING */ +-#line 712 "src/parser.y" ++#line 702 "src/parser.y" + { + (yyval.blk) = gen_location((yyloc), locations, gen_op_unbound(LOADVN, jv_string_value((yyvsp[0].literal)))); + jv_free((yyvsp[0].literal)); + } +-#line 3399 "src/parser.c" ++#line 3389 "src/parser.c" + break; + + case 106: /* Term: BINDING */ +-#line 716 "src/parser.y" ++#line 706 "src/parser.y" + { + (yyval.blk) = gen_location((yyloc), locations, gen_op_unbound(LOADV, jv_string_value((yyvsp[0].literal)))); + jv_free((yyvsp[0].literal)); + } +-#line 3408 "src/parser.c" ++#line 3398 "src/parser.c" + break; + + case 107: /* Term: "$__loc__" */ +-#line 720 "src/parser.y" ++#line 710 "src/parser.y" + { + (yyval.blk) = gen_loc_object(&(yyloc), locations); + } +-#line 3416 "src/parser.c" ++#line 3406 "src/parser.c" + break; + + case 108: /* Term: IDENT */ +-#line 723 "src/parser.y" ++#line 713 "src/parser.y" + { + const char *s = jv_string_value((yyvsp[0].literal)); + if (strcmp(s, "false") == 0) +@@ -3429,198 +3419,198 @@ YYLTYPE yylloc = yyloc_default; + (yyval.blk) = gen_location((yyloc), locations, gen_call(s, gen_noop())); + jv_free((yyvsp[0].literal)); + } +-#line 3433 "src/parser.c" ++#line 3423 "src/parser.c" + break; + + case 109: /* Term: IDENT '(' Args ')' */ +-#line 735 "src/parser.y" ++#line 725 "src/parser.y" + { + (yyval.blk) = gen_call(jv_string_value((yyvsp[-3].literal)), (yyvsp[-1].blk)); + (yyval.blk) = gen_location((yylsp[-3]), locations, (yyval.blk)); + jv_free((yyvsp[-3].literal)); + } +-#line 3443 "src/parser.c" ++#line 3433 "src/parser.c" + break; + + case 110: /* Term: '(' error ')' */ +-#line 740 "src/parser.y" ++#line 730 "src/parser.y" + { (yyval.blk) = 
gen_noop(); } +-#line 3449 "src/parser.c" ++#line 3439 "src/parser.c" + break; + + case 111: /* Term: '[' error ']' */ +-#line 741 "src/parser.y" ++#line 731 "src/parser.y" + { (yyval.blk) = gen_noop(); } +-#line 3455 "src/parser.c" ++#line 3445 "src/parser.c" + break; + + case 112: /* Term: Term '[' error ']' */ +-#line 742 "src/parser.y" ++#line 732 "src/parser.y" + { (yyval.blk) = (yyvsp[-3].blk); } +-#line 3461 "src/parser.c" ++#line 3451 "src/parser.c" + break; + + case 113: /* Term: '{' error '}' */ +-#line 743 "src/parser.y" ++#line 733 "src/parser.y" + { (yyval.blk) = gen_noop(); } +-#line 3467 "src/parser.c" ++#line 3457 "src/parser.c" + break; + + case 114: /* Args: Arg */ +-#line 746 "src/parser.y" ++#line 736 "src/parser.y" + { + (yyval.blk) = (yyvsp[0].blk); + } +-#line 3475 "src/parser.c" ++#line 3465 "src/parser.c" + break; + + case 115: /* Args: Args ';' Arg */ +-#line 749 "src/parser.y" ++#line 739 "src/parser.y" + { + (yyval.blk) = BLOCK((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 3483 "src/parser.c" ++#line 3473 "src/parser.c" + break; + + case 116: /* Arg: Query */ +-#line 754 "src/parser.y" ++#line 744 "src/parser.y" + { + (yyval.blk) = gen_lambda((yyvsp[0].blk)); + } +-#line 3491 "src/parser.c" ++#line 3481 "src/parser.c" + break; + + case 117: /* RepPatterns: RepPatterns "?//" Pattern */ +-#line 759 "src/parser.y" ++#line 749 "src/parser.y" + { + (yyval.blk) = BLOCK((yyvsp[-2].blk), gen_destructure_alt((yyvsp[0].blk))); + } +-#line 3499 "src/parser.c" ++#line 3489 "src/parser.c" + break; + + case 118: /* RepPatterns: Pattern */ +-#line 762 "src/parser.y" ++#line 752 "src/parser.y" + { + (yyval.blk) = gen_destructure_alt((yyvsp[0].blk)); + } +-#line 3507 "src/parser.c" ++#line 3497 "src/parser.c" + break; + + case 119: /* Patterns: RepPatterns "?//" Pattern */ +-#line 767 "src/parser.y" ++#line 757 "src/parser.y" + { + (yyval.blk) = BLOCK((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 3515 "src/parser.c" ++#line 3505 "src/parser.c" + break; + 
+ case 120: /* Patterns: Pattern */ +-#line 770 "src/parser.y" ++#line 760 "src/parser.y" + { + (yyval.blk) = (yyvsp[0].blk); + } +-#line 3523 "src/parser.c" ++#line 3513 "src/parser.c" + break; + + case 121: /* Pattern: BINDING */ +-#line 775 "src/parser.y" ++#line 765 "src/parser.y" + { + (yyval.blk) = gen_op_unbound(STOREV, jv_string_value((yyvsp[0].literal))); + jv_free((yyvsp[0].literal)); + } +-#line 3532 "src/parser.c" ++#line 3522 "src/parser.c" + break; + + case 122: /* Pattern: '[' ArrayPats ']' */ +-#line 779 "src/parser.y" ++#line 769 "src/parser.y" + { + (yyval.blk) = BLOCK((yyvsp[-1].blk), gen_op_simple(POP)); + } +-#line 3540 "src/parser.c" ++#line 3530 "src/parser.c" + break; + + case 123: /* Pattern: '{' ObjPats '}' */ +-#line 782 "src/parser.y" ++#line 772 "src/parser.y" + { + (yyval.blk) = BLOCK((yyvsp[-1].blk), gen_op_simple(POP)); + } +-#line 3548 "src/parser.c" ++#line 3538 "src/parser.c" + break; + + case 124: /* ArrayPats: Pattern */ +-#line 787 "src/parser.y" ++#line 777 "src/parser.y" + { + (yyval.blk) = gen_array_matcher(gen_noop(), (yyvsp[0].blk)); + } +-#line 3556 "src/parser.c" ++#line 3546 "src/parser.c" + break; + + case 125: /* ArrayPats: ArrayPats ',' Pattern */ +-#line 790 "src/parser.y" ++#line 780 "src/parser.y" + { + (yyval.blk) = gen_array_matcher((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 3564 "src/parser.c" ++#line 3554 "src/parser.c" + break; + + case 126: /* ObjPats: ObjPat */ +-#line 795 "src/parser.y" ++#line 785 "src/parser.y" + { + (yyval.blk) = (yyvsp[0].blk); + } +-#line 3572 "src/parser.c" ++#line 3562 "src/parser.c" + break; + + case 127: /* ObjPats: ObjPats ',' ObjPat */ +-#line 798 "src/parser.y" ++#line 788 "src/parser.y" + { + (yyval.blk) = BLOCK((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 3580 "src/parser.c" ++#line 3570 "src/parser.c" + break; + + case 128: /* ObjPat: BINDING */ +-#line 803 "src/parser.y" ++#line 793 "src/parser.y" + { + (yyval.blk) = gen_object_matcher(gen_const((yyvsp[0].literal)), 
gen_op_unbound(STOREV, jv_string_value((yyvsp[0].literal)))); + } +-#line 3588 "src/parser.c" ++#line 3578 "src/parser.c" + break; + + case 129: /* ObjPat: BINDING ':' Pattern */ +-#line 806 "src/parser.y" ++#line 796 "src/parser.y" + { + (yyval.blk) = gen_object_matcher(gen_const((yyvsp[-2].literal)), BLOCK(gen_op_simple(DUP), gen_op_unbound(STOREV, jv_string_value((yyvsp[-2].literal))), (yyvsp[0].blk))); + } +-#line 3596 "src/parser.c" ++#line 3586 "src/parser.c" + break; + + case 130: /* ObjPat: IDENT ':' Pattern */ +-#line 809 "src/parser.y" ++#line 799 "src/parser.y" + { + (yyval.blk) = gen_object_matcher(gen_const((yyvsp[-2].literal)), (yyvsp[0].blk)); + } +-#line 3604 "src/parser.c" ++#line 3594 "src/parser.c" + break; + + case 131: /* ObjPat: Keyword ':' Pattern */ +-#line 812 "src/parser.y" ++#line 802 "src/parser.y" + { + (yyval.blk) = gen_object_matcher(gen_const((yyvsp[-2].literal)), (yyvsp[0].blk)); + } +-#line 3612 "src/parser.c" ++#line 3602 "src/parser.c" + break; + + case 132: /* ObjPat: String ':' Pattern */ +-#line 815 "src/parser.y" ++#line 805 "src/parser.y" + { + (yyval.blk) = gen_object_matcher((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 3620 "src/parser.c" ++#line 3610 "src/parser.c" + break; + + case 133: /* ObjPat: '(' Query ')' ':' Pattern */ +-#line 818 "src/parser.y" ++#line 808 "src/parser.y" + { + jv msg = check_object_key((yyvsp[-3].blk)); + if (jv_is_valid(msg)) { +@@ -3629,267 +3619,267 @@ YYLTYPE yylloc = yyloc_default; + jv_free(msg); + (yyval.blk) = gen_object_matcher((yyvsp[-3].blk), (yyvsp[0].blk)); + } +-#line 3633 "src/parser.c" ++#line 3623 "src/parser.c" + break; + + case 134: /* ObjPat: error ':' Pattern */ +-#line 826 "src/parser.y" ++#line 816 "src/parser.y" + { + FAIL((yyloc), "May need parentheses around object key expression"); + (yyval.blk) = (yyvsp[0].blk); + } +-#line 3642 "src/parser.c" ++#line 3632 "src/parser.c" + break; + + case 135: /* Keyword: "as" */ +-#line 832 "src/parser.y" ++#line 822 "src/parser.y" + 
{ + (yyval.literal) = jv_string("as"); + } +-#line 3650 "src/parser.c" ++#line 3640 "src/parser.c" + break; + + case 136: /* Keyword: "def" */ +-#line 835 "src/parser.y" ++#line 825 "src/parser.y" + { + (yyval.literal) = jv_string("def"); + } +-#line 3658 "src/parser.c" ++#line 3648 "src/parser.c" + break; + + case 137: /* Keyword: "module" */ +-#line 838 "src/parser.y" ++#line 828 "src/parser.y" + { + (yyval.literal) = jv_string("module"); + } +-#line 3666 "src/parser.c" ++#line 3656 "src/parser.c" + break; + + case 138: /* Keyword: "import" */ +-#line 841 "src/parser.y" ++#line 831 "src/parser.y" + { + (yyval.literal) = jv_string("import"); + } +-#line 3674 "src/parser.c" ++#line 3664 "src/parser.c" + break; + + case 139: /* Keyword: "include" */ +-#line 844 "src/parser.y" ++#line 834 "src/parser.y" + { + (yyval.literal) = jv_string("include"); + } +-#line 3682 "src/parser.c" ++#line 3672 "src/parser.c" + break; + + case 140: /* Keyword: "if" */ +-#line 847 "src/parser.y" ++#line 837 "src/parser.y" + { + (yyval.literal) = jv_string("if"); + } +-#line 3690 "src/parser.c" ++#line 3680 "src/parser.c" + break; + + case 141: /* Keyword: "then" */ +-#line 850 "src/parser.y" ++#line 840 "src/parser.y" + { + (yyval.literal) = jv_string("then"); + } +-#line 3698 "src/parser.c" ++#line 3688 "src/parser.c" + break; + + case 142: /* Keyword: "else" */ +-#line 853 "src/parser.y" ++#line 843 "src/parser.y" + { + (yyval.literal) = jv_string("else"); + } +-#line 3706 "src/parser.c" ++#line 3696 "src/parser.c" + break; + + case 143: /* Keyword: "elif" */ +-#line 856 "src/parser.y" ++#line 846 "src/parser.y" + { + (yyval.literal) = jv_string("elif"); + } +-#line 3714 "src/parser.c" ++#line 3704 "src/parser.c" + break; + + case 144: /* Keyword: "reduce" */ +-#line 859 "src/parser.y" ++#line 849 "src/parser.y" + { + (yyval.literal) = jv_string("reduce"); + } +-#line 3722 "src/parser.c" ++#line 3712 "src/parser.c" + break; + + case 145: /* Keyword: "foreach" */ +-#line 862 
"src/parser.y" ++#line 852 "src/parser.y" + { + (yyval.literal) = jv_string("foreach"); + } +-#line 3730 "src/parser.c" ++#line 3720 "src/parser.c" + break; + + case 146: /* Keyword: "end" */ +-#line 865 "src/parser.y" ++#line 855 "src/parser.y" + { + (yyval.literal) = jv_string("end"); + } +-#line 3738 "src/parser.c" ++#line 3728 "src/parser.c" + break; + + case 147: /* Keyword: "and" */ +-#line 868 "src/parser.y" ++#line 858 "src/parser.y" + { + (yyval.literal) = jv_string("and"); + } +-#line 3746 "src/parser.c" ++#line 3736 "src/parser.c" + break; + + case 148: /* Keyword: "or" */ +-#line 871 "src/parser.y" ++#line 861 "src/parser.y" + { + (yyval.literal) = jv_string("or"); + } +-#line 3754 "src/parser.c" ++#line 3744 "src/parser.c" + break; + + case 149: /* Keyword: "try" */ +-#line 874 "src/parser.y" ++#line 864 "src/parser.y" + { + (yyval.literal) = jv_string("try"); + } +-#line 3762 "src/parser.c" ++#line 3752 "src/parser.c" + break; + + case 150: /* Keyword: "catch" */ +-#line 877 "src/parser.y" ++#line 867 "src/parser.y" + { + (yyval.literal) = jv_string("catch"); + } +-#line 3770 "src/parser.c" ++#line 3760 "src/parser.c" + break; + + case 151: /* Keyword: "label" */ +-#line 880 "src/parser.y" ++#line 870 "src/parser.y" + { + (yyval.literal) = jv_string("label"); + } +-#line 3778 "src/parser.c" ++#line 3768 "src/parser.c" + break; + + case 152: /* Keyword: "break" */ +-#line 883 "src/parser.y" ++#line 873 "src/parser.y" + { + (yyval.literal) = jv_string("break"); + } +-#line 3786 "src/parser.c" ++#line 3776 "src/parser.c" + break; + + case 153: /* DictPairs: %empty */ +-#line 889 "src/parser.y" ++#line 879 "src/parser.y" + { + (yyval.blk) = gen_noop(); + } +-#line 3794 "src/parser.c" ++#line 3784 "src/parser.c" + break; + + case 154: /* DictPairs: DictPair */ +-#line 892 "src/parser.y" ++#line 882 "src/parser.y" + { + (yyval.blk) = (yyvsp[0].blk); + } +-#line 3802 "src/parser.c" ++#line 3792 "src/parser.c" + break; + + case 155: /* DictPairs: DictPair ',' 
DictPairs */ +-#line 895 "src/parser.y" ++#line 885 "src/parser.y" + { + (yyval.blk) = block_join((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 3810 "src/parser.c" ++#line 3800 "src/parser.c" + break; + + case 156: /* DictPair: IDENT ':' DictExpr */ +-#line 900 "src/parser.y" ++#line 890 "src/parser.y" + { + (yyval.blk) = gen_dictpair(gen_const((yyvsp[-2].literal)), (yyvsp[0].blk)); + } +-#line 3818 "src/parser.c" ++#line 3808 "src/parser.c" + break; + + case 157: /* DictPair: Keyword ':' DictExpr */ +-#line 903 "src/parser.y" ++#line 893 "src/parser.y" + { + (yyval.blk) = gen_dictpair(gen_const((yyvsp[-2].literal)), (yyvsp[0].blk)); + } +-#line 3826 "src/parser.c" ++#line 3816 "src/parser.c" + break; + + case 158: /* DictPair: String ':' DictExpr */ +-#line 906 "src/parser.y" ++#line 896 "src/parser.y" + { + (yyval.blk) = gen_dictpair((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 3834 "src/parser.c" ++#line 3824 "src/parser.c" + break; + + case 159: /* DictPair: String */ +-#line 909 "src/parser.y" ++#line 899 "src/parser.y" + { + (yyval.blk) = gen_dictpair((yyvsp[0].blk), BLOCK(gen_op_simple(POP), gen_op_simple(DUP2), + gen_op_simple(DUP2), gen_op_simple(INDEX))); + } +-#line 3843 "src/parser.c" ++#line 3833 "src/parser.c" + break; + + case 160: /* DictPair: BINDING ':' DictExpr */ +-#line 913 "src/parser.y" ++#line 903 "src/parser.y" + { + (yyval.blk) = gen_dictpair(gen_location((yyloc), locations, gen_op_unbound(LOADV, jv_string_value((yyvsp[-2].literal)))), + (yyvsp[0].blk)); + jv_free((yyvsp[-2].literal)); + } +-#line 3853 "src/parser.c" ++#line 3843 "src/parser.c" + break; + + case 161: /* DictPair: BINDING */ +-#line 918 "src/parser.y" ++#line 908 "src/parser.y" + { + (yyval.blk) = gen_dictpair(gen_const((yyvsp[0].literal)), + gen_location((yyloc), locations, gen_op_unbound(LOADV, jv_string_value((yyvsp[0].literal))))); + } +-#line 3862 "src/parser.c" ++#line 3852 "src/parser.c" + break; + + case 162: /* DictPair: IDENT */ +-#line 922 "src/parser.y" ++#line 
912 "src/parser.y" + { + (yyval.blk) = gen_dictpair(gen_const(jv_copy((yyvsp[0].literal))), + gen_index(gen_noop(), gen_const((yyvsp[0].literal)))); + } +-#line 3871 "src/parser.c" ++#line 3861 "src/parser.c" + break; + + case 163: /* DictPair: "$__loc__" */ +-#line 926 "src/parser.y" ++#line 916 "src/parser.y" + { + (yyval.blk) = gen_dictpair(gen_const(jv_string("__loc__")), + gen_loc_object(&(yyloc), locations)); + } +-#line 3880 "src/parser.c" ++#line 3870 "src/parser.c" + break; + + case 164: /* DictPair: Keyword */ +-#line 930 "src/parser.y" ++#line 920 "src/parser.y" + { + (yyval.blk) = gen_dictpair(gen_const(jv_copy((yyvsp[0].literal))), + gen_index(gen_noop(), gen_const((yyvsp[0].literal)))); + } +-#line 3889 "src/parser.c" ++#line 3879 "src/parser.c" + break; + + case 165: /* DictPair: '(' Query ')' ':' DictExpr */ +-#line 934 "src/parser.y" ++#line 924 "src/parser.y" + { + jv msg = check_object_key((yyvsp[-3].blk)); + if (jv_is_valid(msg)) { +@@ -3898,36 +3888,36 @@ YYLTYPE yylloc = yyloc_default; + jv_free(msg); + (yyval.blk) = gen_dictpair((yyvsp[-3].blk), (yyvsp[0].blk)); + } +-#line 3902 "src/parser.c" ++#line 3892 "src/parser.c" + break; + + case 166: /* DictPair: error ':' DictExpr */ +-#line 942 "src/parser.y" ++#line 932 "src/parser.y" + { + FAIL((yylsp[-2]), "May need parentheses around object key expression"); + (yyval.blk) = (yyvsp[0].blk); + } +-#line 3911 "src/parser.c" ++#line 3901 "src/parser.c" + break; + + case 167: /* DictExpr: DictExpr '|' DictExpr */ +-#line 948 "src/parser.y" ++#line 938 "src/parser.y" + { + (yyval.blk) = block_join((yyvsp[-2].blk), (yyvsp[0].blk)); + } +-#line 3919 "src/parser.c" ++#line 3909 "src/parser.c" + break; + + case 168: /* DictExpr: Expr */ +-#line 951 "src/parser.y" ++#line 941 "src/parser.y" + { + (yyval.blk) = (yyvsp[0].blk); + } +-#line 3927 "src/parser.c" ++#line 3917 "src/parser.c" + break; + + +-#line 3931 "src/parser.c" ++#line 3921 "src/parser.c" + + default: break; + } +@@ -4156,7 +4146,7 @@ 
YYLTYPE yylloc = yyloc_default; + return yyresult; + } + +-#line 954 "src/parser.y" ++#line 944 "src/parser.y" + + + int jq_parse(struct locfile* locations, block* answer) { +diff --git a/src/parser.y b/src/parser.y +index 987a4ecaa3..ecd5796561 100644 +--- a/src/parser.y ++++ b/src/parser.y +@@ -439,26 +439,16 @@ ImportWhat Query ';' { + + ImportWhat: + "import" ImportFrom "as" BINDING { +- jv v = block_const($2); +- // XXX Make gen_import take only blocks and the int is_data so we +- // don't have to free so much stuff here +- $$ = gen_import(jv_string_value(v), jv_string_value($4), 1); ++ $$ = gen_import(block_const($2), $4, 1); + block_free($2); +- jv_free($4); +- jv_free(v); + } | + "import" ImportFrom "as" IDENT { +- jv v = block_const($2); +- $$ = gen_import(jv_string_value(v), jv_string_value($4), 0); ++ $$ = gen_import(block_const($2), $4, 0); + block_free($2); +- jv_free($4); +- jv_free(v); + } | + "include" ImportFrom { +- jv v = block_const($2); +- $$ = gen_import(jv_string_value(v), NULL, 0); ++ $$ = gen_import(block_const($2), jv_invalid(), 0); + block_free($2); +- jv_free(v); + } + + ImportFrom: +diff --git a/tests/shtest b/tests/shtest +index 68705df255..fa972de870 100755 +--- a/tests/shtest ++++ b/tests/shtest +@@ -893,4 +893,21 @@ if echo '42' | $JQ -f "$d/nul_prog.jq" >/dev/null 2>/dev/null; then + exit 1 + fi + ++# CVE-2026-43895: No NUL bytes in module/data import paths ++printf 'import "a\\u0000b" as $x; .' > "$d/nul_import.jq" ++if $JQ -nf "$d/nul_import.jq" >/dev/null 2>/dev/null; then ++ printf 'Error expected for import path with NUL bytes\n' 1>&2 ++ exit 1 ++fi ++printf 'include "a\\u0000b"; .' 
> "$d/nul_include.jq" ++if $JQ -nf "$d/nul_include.jq" >/dev/null 2>/dev/null; then ++ printf 'Error expected for include path with NUL bytes\n' 1>&2 ++ exit 1 ++fi ++printf '"a\\u0000b" | modulemeta' > "$d/nul_modulemeta.jq" ++if $JQ -nf "$d/nul_modulemeta.jq" >/dev/null 2>/dev/null; then ++ printf 'Error expected for modulemeta with NUL bytes\n' 1>&2 ++ exit 1 ++fi ++ + exit 0 diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 87917b7c32..3a7850c697 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb @@ -21,6 +21,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-41256.patch \ file://CVE-2026-41257.patch \ file://CVE-2026-43894.patch \ + file://CVE-2026-43895.patch \ file://CVE-2026-43896.patch \ file://CVE-2026-47770.patch \ file://CVE-2026-44777.patch \
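Review bot: in the src/parser.y ImportWhat hunk, all three actions now pass block_const($2) and $4 straight into gen_import and drop the matching jv_free calls, so gen_import has to release both jv arguments on every return path, including whichever early exit rejects a bad path. With the XXX comment removed, nothing at the call sites records that transfer of ownership. Please add a one-line ownership comment at gen_import's declaration. The "include" action also now passes jv_invalid() where it used to pass NULL, so the callee must test that argument with jv_is_valid() rather than a pointer comparison; worth confirming in the part of the patch that changes gen_import.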
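Review bot: in the tests/shtest hunk, each of the three new checks only asserts that $JQ exits non-zero, with stdout and stderr both sent to /dev/null, so any failure satisfies them. An import or include of "a\u0000b" whose path was cut at the NUL would resolve to a module named "a", which does not exist in the test directory, and that lookup failure would pass these tests without the fix applied. Suggest either capturing stderr and matching the expected NUL-byte error text, or creating a valid a.jq and a.json in "$d" and running with -L "$d", so that a truncated path would load successfully and make the test fail.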
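Review bot: in the jq_1.8.1.bb hunk, CVE-2026-43895.patch is inserted ahead of CVE-2026-43896.patch and the later entries, and the src/parser.c part of this patch is almost entirely #line and yyrline renumbering outside cases 41 to 43. That regenerated output shifts every following #line directive by ten, so any later patch in SRC_URI that carries src/parser.c context will only apply if it was generated on top of this one. Please confirm the whole series applies in SRC_URI order without fuzz, and state in the patch header that the src/parser.c changes are regenerated from src/parser.y rather than hand edits.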