From patchwork Mon Jul 6 15:20:15 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Shubham Pushpkar -X (spushpka - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 91811 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E3807C43458 for ; Mon, 6 Jul 2026 15:20:50 +0000 (UTC) Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.152657.1783351247339948657 for ; Mon, 06 Jul 2026 08:20:47 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=OPbKvnyn; spf=pass (domain: cisco.com, ip: 173.37.86.74, mailfrom: spushpka@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=5299; q=dns/txt; s=iport01; t=1783351247; x=1784560847; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=f3IJ5P4pplTvk+TcBZaissHlwTn84WkGbdL+943v9tw=; b=OPbKvnynUq6f1cxr5s0t3xydjD3MKq0cbNf7aoWcCKB8qAjh1aA6L+JM 6QRjddv4rD5CEut5p2GfNU8BKpqgDyVn7yAI/kcErKQzK1Lfxm+2pDXEu eH5sUESWHuonUzfrfg5sMepqHkqzm7q4ZllVZfVrh0RmMRbHKjxt7K8mZ GkT1dxMqe/jgu+PZL6lfI5GMNrNX8JirfPRSLQ1z+zGKcs+8QuW78BKKX rWAEV01GNBkbFrb6+iFg11jYjre+b/rF0FBAEyKpXEvJdqYuoUuQov6YA RaD9UKKUsZkM6gYoEvgos7fr0IrCZju5xJFYDwEw3Btxk6uAitZTdqSYl A==; X-CSE-ConnectionGUID: L3iDz5SZR4GxTPeIWWHKFw== X-CSE-MsgGUID: a86rYdAKREqL73UPU0p6Xg== X-IPAS-Result: A0BXAADCxktq/4z/Ja1aHQEBAQEJARIBBQUBgX4GAQsBglZ0X0JJA5ZIgRadCIF+DwEBAQ9EDQQBAYUGjU8CJjYHDgECBAMCAwEBAQEBAQEBAQEBCwEBBQEBAQIBBwWBDhOGTw2GWgECATUBGAEbEiwDAQJaIyGDAgGCcwIBEQa5RIIsgQGDKAE/AkNQ2ywBCxQBBYEzAYU+iB9bGAGEegInGxuBcoEVgnN2gQV3ZQICGIEehm0EgiKBDIFaHo8nSIEeA1ksAVUTDQoLBwWBZgM1EioVbjIdgSM+F4EMGwcFgR2Ba4EChHkjHwM5f4EwdUp5LYECARIeCoFSgSkDCxgNSBEsNxQbBD5uB4x7Fw+CPQGBDQErgiyTOAeSN6EPCiiDdYwhlToaM4VbpRELmH2LN4JTiQ+NQYRogW8FMIFZcBWDIglKGQ+OLQsLg2CFE8lHJDUCAQEHAy8BAQcCBw4DC4FokAGBfAEB IronPort-Data: A9a23:llRqiquMLMRvUvBtNlykCO7GFufnVAZfMUV32f8akzHdYApBsoF/q tZmKT3VPvaPYmqjKdhzb4zg8kNUu8OGnNc3SFZoriwwFngRgMeUXt7xwmUckM+xwmwvaGo9s q3yv/GZdJhcokf0/0nrav666yEgiclkf5KkYMbcICd9WAR4fykojBNnioYRj5Vh6TSDK1vlV eja/YuFZTdJ5xYuajhKs/3b9ks21BjPkGpwUmIWNKgjUGD2zxH5PLpHTYmtIn3xRJVjH+LSb 47r0LGj82rFyAwmA9Wjn6yTWhVirmn6ZFXmZtJ+AsBOszAazsAA+v9T2Mk0NS+7vw60c+VZk 72hg3AfpTABZcUgkMxFO/VR/roX0aduoNcrKlDn2SCfItGvn3bEm51T4E8K0YIw3r12LXMTz s4idB8dUiiOpt2J4JGVVbw57igjBJGD0II3oHpsy3TdSP0hW52GG/6M7t5D1zB2jcdLdRrcT 5NGMnw0M1KaPkAJYwtPYH49tL/Aan3XaCVFs1KNpqMf6GnIxws327/oWDbQUoHSGJUMzh/I/ goq+UzwUk8ABdC26gCo61bz3dL3oHvjBrIdQejQGvlCxQf7KnYoIBoOWF22pPO0hkKzV5dTJ lIZ/gIqrLMu7wqsVtT7UhiyrXKIsxJaXMBfe9DW8ymXwabSpgLcDW8eQ3sZM5ottdQ9Qnoh0 Vrhc87VOAGDeYa9ERq1nop4ZxvrUcTJBQfuvRM5cDY= IronPort-HdrOrdr: A9a23:ML7fX65xqewAOVKfjwPXwOTXdLJyesId70hD6qm+c3Nom6uj5q WTdZsgtCMc5Ax9ZJhCo6HjBEDjexPhHPdOiOF7V4tKNzOJhILHFu1fBKLZslnd8lXFh41g/J YlVbRiA9vtClU/p8P77A6kV+sE+rC8gceVbSO09QYVcemsAJsQiTtENg== X-Talos-CUID: 9a23:dJXLtWw6SIagTli0zur5BgUwQcEJYCDm/k2MDF+EMWtId4K1anGPrfY= X-Talos-MUID: 9a23:EDYgbATtMghfTYNeRXTl1G94BctBwJ6DEWRSyqg+hpGcaxx/bmI= X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,149,1779148800"; d="scan'208";a="505818180" Received: from rcdn-l-core-03.cisco.com ([173.37.255.140]) by rcdn-iport-3.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 06 Jul 2026 15:20:46 +0000 Received: from sjc-ads-8093.cisco.com (sjc-ads-8093.cisco.com [171.68.208.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-03.cisco.com (Postfix) with ESMTPS id 43CEA180001F3; Mon, 6 Jul 2026 15:20:46 +0000 (GMT) Received: by sjc-ads-8093.cisco.com (Postfix, from userid 1839047) id DE6DACBEF99; Mon, 6 Jul 2026 08:20:45 -0700 (PDT) From: "Shubham Pushpkar -X (spushpka - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-devel@lists.openembedded.org Cc: xe-linux-external@cisco.com, Shubham Pushpkar Subject: [meta-OE] [wrynose] [PATCH 1/6] jq: Fix CVE-2026-40612 Date: Mon, 6 Jul 2026 08:20:15 -0700 Message-ID: <20260706152022.873284-1-spushpka@cisco.com> X-Mailer: git-send-email 2.44.1 MIME-Version: 1.0 X-Auto-Response-Suppress: DR, OOF, AutoReply X-Outbound-Client-TLS: VERIFIED;sjc-ads-8093.cisco.com [171.68.208.131];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.68.208.131, sjc-ads-8093.cisco.com X-Outbound-Node: rcdn-l-core-03.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 Jul 2026 15:20:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/128045 From: Shubham Pushpkar The upstream fix [3] is for a newer jq codebase. Debian has already backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes this CVE as tracked in Debian bug #1136445 [2]. [1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-40612.patch [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445 [3] https://github.com/jqlang/jq/commit/d1a12569d91641135976a8536776a4a329c02cc2 Reference: https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j Signed-off-by: Shubham Pushpkar --- .../jq/jq/CVE-2026-40612.patch | 127 ++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 128 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch new file mode 100644 index 0000000000..f7cae01e21 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch @@ -0,0 +1,127 @@ +From f1a72c7b5eb9c9e99576b2ca8e59ab1f36a2a4e3 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Fri, 24 Apr 2026 22:02:24 +0900 +Subject: [PATCH] Limit the containment check depth + +This fixes CVE-2026-40612. + +CVE: CVE-2026-40612 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/d1a12569d91641135976a8536776a4a329c02cc2] + +Backport Changes: +- Dropped the duplicate tests/jq.test hunk because Wrynose already carries + the same regression coverage in existing CVE-2026-47770.patch. + +(cherry picked from commit d1a12569d91641135976a8536776a4a329c02cc2) +Signed-off-by: Shubham Pushpkar +--- + src/builtin.c | 5 ++++- + src/jv.c | 40 +++++++++++++++++++++++++++------------- + 2 files changed, 32 insertions(+), 13 deletions(-) + +diff --git a/src/builtin.c b/src/builtin.c +index 902490d..378be02 100644 +--- a/src/builtin.c ++++ b/src/builtin.c +@@ -471,7 +471,10 @@ jv binop_greatereq(jv a, jv b) { + + static jv f_contains(jq_state *jq, jv a, jv b) { + if (jv_get_kind(a) == jv_get_kind(b)) { +- return jv_bool(jv_contains(a, b)); ++ int r = jv_contains(a, b); ++ if (r < 0) ++ return jv_invalid_with_msg(jv_string("Containment check too deep")); ++ return jv_bool(r); + } else { + return type_error2(a, b, "cannot have their containment checked"); + } +diff --git a/src/jv.c b/src/jv.c +index 08ded35..5a2c3a2 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -914,19 +914,19 @@ static void jvp_clamp_slice_params(int len, int *pstart, int *pend) + } + + +-static int jvp_array_contains(jv a, jv b) { ++static int jvp_contains(jv a, jv b, int depth); ++ ++static int jvp_array_contains(jv a, jv b, int depth) { + int r = 1; + jv_array_foreach(b, bi, belem) { + int ri = 0; + jv_array_foreach(a, ai, aelem) { +- if (jv_contains(aelem, jv_copy(belem))) { +- ri = 1; +- break; +- } ++ ri = jvp_contains(aelem, jv_copy(belem), depth); ++ if (ri) break; + } + jv_free(belem); +- if (!ri) { +- r = 0; ++ if (ri <= 0) { ++ r = ri; + break; + } + } +@@ -1794,7 +1794,7 @@ static int jvp_object_equal(jv o1, jv o2) { + return len1 == len2; + } + +-static int jvp_object_contains(jv a, jv b) { ++static int jvp_object_contains(jv a, jv b, int depth) { + assert(JVP_HAS_KIND(a, JV_KIND_OBJECT)); + assert(JVP_HAS_KIND(b, JV_KIND_OBJECT)); + int r = 1; +@@ -1802,9 +1802,9 @@ static int jvp_object_contains(jv a, jv b) { + jv_object_foreach(b, key, b_val) { + jv a_val = jv_object_get(jv_copy(a), key); + +- r = jv_contains(a_val, b_val); ++ r = jvp_contains(a_val, b_val, depth); + +- if (!r) break; ++ if (r <= 0) break; + } + return r; + } +@@ -2035,14 +2035,23 @@ int jv_identical(jv a, jv b) { + return r; + } + +-int jv_contains(jv a, jv b) { ++#ifndef MAX_CONTAINS_DEPTH ++#define MAX_CONTAINS_DEPTH (10000) ++#endif ++ ++static int jvp_contains(jv a, jv b, int depth) { ++ if (depth > MAX_CONTAINS_DEPTH) { ++ jv_free(a); ++ jv_free(b); ++ return -1; ++ } + int r = 1; + if (jv_get_kind(a) != jv_get_kind(b)) { + r = 0; + } else if (JVP_HAS_KIND(a, JV_KIND_OBJECT)) { +- r = jvp_object_contains(a, b); ++ r = jvp_object_contains(a, b, depth + 1); + } else if (JVP_HAS_KIND(a, JV_KIND_ARRAY)) { +- r = jvp_array_contains(a, b); ++ r = jvp_array_contains(a, b, depth + 1); + } else if (JVP_HAS_KIND(a, JV_KIND_STRING)) { + int b_len = jv_string_length_bytes(jv_copy(b)); + if (b_len != 0) { +@@ -2058,3 +2067,8 @@ int jv_contains(jv a, jv b) { + jv_free(b); + return r; + } ++ ++// Returns 1 (contained), 0 (not contained), or -1 (too deep) ++int jv_contains(jv a, jv b) { ++ return jvp_contains(a, b, 0); ++} +-- +2.44.4 diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 7665ba2511..9f0fcf8cb5 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb @@ -18,6 +18,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-33948.patch \ file://CVE-2026-39979.patch \ file://CVE-2026-47770.patch \ + file://CVE-2026-40612.patch \ " inherit autotools ptest From patchwork Mon Jul 6 15:20:16 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Shubham Pushpkar -X (spushpka - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 91812 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C560EC43458 for ; Mon, 6 Jul 2026 15:21:00 +0000 (UTC) Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.153650.1783351259219945479 for ; Mon, 06 Jul 2026 08:20:59 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=OXOp7Gv9; spf=pass (domain: cisco.com, ip: 173.37.86.75, mailfrom: spushpka@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=3400; q=dns/txt; s=iport01; t=1783351259; x=1784560859; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=C4d94ttkm1WOvSglxGr8R6niloeGkV3dzqOQAWbYUCc=; b=OXOp7Gv9dHBZl6XeivLOl3QW5mzGY9DzrE8/Q7MgFKMdYdIPYSGdgZOg 0RhaWRu5EKX6iUqR9dRST47JFm7BYrwCpIhSh2hHztRsDsN3auuSylmlz pFh1PtlXYmYP6aSNWoTWsekJowAhKof6/2mDln+zqmKtjcnPE6Tn9gxZM xy3pxSh5F8aTISeHB/X22dpL9OiDtuzKnJd8fcJ/yZakWRo3C+x37NiDE v5ZdwkSWPK/XsV5trQpJrmOeJlmHm0/reXS+gC3yXSdDX2YfHecfEpxHE mSZ7w20fLQQ9mTNW+N0ADH2TYEDh7gJc7uLlgO1wzKY2UjFD82ePJdr+s w==; X-CSE-ConnectionGUID: yc++i7jmTdiP3IPqfNe5ag== X-CSE-MsgGUID: REf6WSFdTWiiGjck3vyjLQ== X-IPAS-Result: A0AaAADSxktq/4v/Ja1aHAEBAQEBAQcBARIBAQQEAQGBfAcBAQsBglZ0X0JJA4xwiVgDnhuBfg8BAQEPRA0EAQGFBgKNTQImNAkOAQIEAwIDAQEBAQEBAQEBAQELAQEFAQEBAgEHBYEOE4ZPDYZaAQIBAzIBGAEtEBwDAQIvKyMIGYMCAYJzAgERBrlXgiyBAYMoAT8CQ1DbLAELFAEFgTMBhT6IH1sYAYR6AicbG4FygRWDaYEFd2UCAhiICwSCIoEMgVoejydIgR4DWSwBVRMNCgsHBYFmAzUSKhVuMh2BIz4XgQwbBwWBHYFrgQKEeSMfAzl/gTB1SnktgQIBEh4KgVKBKQMLGA1IESw3FBsEPm4HjHsXD4I9exMBExiBUVuldqEPCiiDdYwhlToaM4VbpRELmH2LN4JTllCEaIFoPIFZcBWDIglKGQ+OKg4Lg2CFE8lHJDUCAQEHAy8BAQcCBw4DC4FokX0BAQ IronPort-Data: A9a23:ZceBRq4gN0BtfWkQr1OXJQxRtGvGchMFZxGqfqrLsTDasY5as4F+v mEWUGHUM/3eZWXzfosiO4rnpkMHsceGnNZjHANo/io1Zn8b8sCt6fZ1gavT04J+CuWZESqLO u1HMoGowPgcFyGa/lH2dOC98RGQ7InQLpLkEunIJyttcgFtTSYlmHpLlvUw6mJSqYDR7zil5 5Wo/qUzBHf/g2Qqaj1MtfrawP9SlK2aVA0w7wRWic9j5Dcyp1FNZLoDKKe4KWfPQ4U8NoaSW +bZwbilyXjS9hErB8nNuu6TnpoiG+O60aCm0xK6aoD66vRwjnVaPpUTaJLwXXxqZwChxLid/ jniWauYEm/FNoWU8AgUvoIx/ytWZcWq85efSZSzXFD6I0DuKxPRL/tS4E4eLIZbuecoA2Ry+ f0gcxE1dx6lir+/z+fuIgVsrpxLwMjDJogTvDRkiDreF/tjGcqFSKTR7tge1zA17ixMNa+BP IxCNnw1MUmGOkYeUrsUIMpWcOOAnWHiaD1Aq1u9rqss6G+Vxwt0uFToGIeNJ4fbHp8Nwy50o Er80mqnPSo0OOCgyDuq8Hmv3fHenwfCDdd6+LqQs6QCbEeo7msLBRsbUFG2rfW0hguyVsxSL 2QQ+zEytu417EGtQ9z3UhG0rXLCuQQTM+e8CMUg4w2Lj66R6AGDCy1cFHhKaccts4k9QjlCO kK1ou4FzAdH6NW9IU9xPJ/N8Vte5QB9wbc+WBI5 IronPort-HdrOrdr: A9a23:LZKF8KE9zF3J10qgpLqEMMeALOsnbusQ8zAXPo5KJiC9Ffbo8P xG88576faZslsssTQb6LK90cq7MBfhHPxOgbX5VI3KNGKNhILrFvAG0WKI+VPd8kPFmtK1/J 0QFZSWcOeAbmRSvILd/BSyFcomzZ2s9aClgvqb8lJWJDsaEp2JK2xCe32m+oocfng/OaYE X-Talos-CUID: 9a23:wj79+GBNB05XE9H6Ezhstw0VRcIgTnHc9CzxG1a2L2s0QbLAHA== X-Talos-MUID: 9a23:PNwWaw5NGnDHnlDxoQFXd5GPxoxSzqrwN3sjnak5usirNydzYCmMjhCOF9o= X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,149,1779148800"; d="scan'208";a="505393205" Received: from rcdn-l-core-02.cisco.com ([173.37.255.139]) by rcdn-iport-4.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 06 Jul 2026 15:20:57 +0000 Received: from sjc-ads-8093.cisco.com (sjc-ads-8093.cisco.com [171.68.208.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-02.cisco.com (Postfix) with ESMTPS id 57A3B180007D4; Mon, 6 Jul 2026 15:20:57 +0000 (GMT) Received: by sjc-ads-8093.cisco.com (Postfix, from userid 1839047) id 03959CBEF99; Mon, 6 Jul 2026 08:20:57 -0700 (PDT) From: "Shubham Pushpkar -X (spushpka - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-devel@lists.openembedded.org Cc: xe-linux-external@cisco.com, Shubham Pushpkar Subject: [meta-OE] [wrynose] [PATCH 2/6] jq: Fix CVE-2026-41256 Date: Mon, 6 Jul 2026 08:20:16 -0700 Message-ID: <20260706152022.873284-2-spushpka@cisco.com> X-Mailer: git-send-email 2.44.1 In-Reply-To: <20260706152022.873284-1-spushpka@cisco.com> References: <20260706152022.873284-1-spushpka@cisco.com> MIME-Version: 1.0 X-Auto-Response-Suppress: DR, OOF, AutoReply X-Outbound-Client-TLS: VERIFIED;sjc-ads-8093.cisco.com [171.68.208.131];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.68.208.131, sjc-ads-8093.cisco.com X-Outbound-Node: rcdn-l-core-02.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 Jul 2026 15:21:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/128046 From: Shubham Pushpkar The upstream fix [3] is for a newer jq codebase. Debian has already backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes this CVE as tracked in Debian bug #1136445 [2]. [1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-41256.patch [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445 [3] https://github.com/jqlang/jq/commit/5a015deae35d19e3ebbc65db6c157a80e76df738 Reference: https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fg Signed-off-by: Shubham Pushpkar --- .../jq/jq/CVE-2026-41256.patch | 54 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 55 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-41256.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-41256.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-41256.patch new file mode 100644 index 0000000000..224bb103da --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-41256.patch @@ -0,0 +1,54 @@ +From f4efca339cadef8ce7a5d5be98d0d2a8e0a77989 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Fri, 24 Apr 2026 22:15:08 +0900 +Subject: [PATCH] Fix NUL truncation in program files loaded with -f + +This fixes CVE-2026-41256. + +CVE: CVE-2026-41256 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/5a015deae35d19e3ebbc65db6c157a80e76df738] + +(cherry picked from commit 5a015deae35d19e3ebbc65db6c157a80e76df738) +Signed-off-by: Shubham Pushpkar +--- + src/main.c | 8 ++++++++ + tests/shtest | 7 +++++++ + 2 files changed, 15 insertions(+) + +diff --git a/src/main.c b/src/main.c +index 43586c4..f462e4d 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -677,6 +677,14 @@ int main(int argc, char* argv[]) { + ret = JQ_ERROR_SYSTEM; + goto out; + } ++ int len = jv_string_length_bytes(jv_copy(data)); ++ if ((size_t)len != strlen(jv_string_value(data))) { ++ fprintf(stderr, "jq: program file contains NUL bytes\n"); ++ free(program_origin); ++ jv_free(data); ++ ret = JQ_ERROR_SYSTEM; ++ goto out; ++ } + jq_set_attr(jq, jv_string("PROGRAM_ORIGIN"), jq_realpath(jv_string(dirname(program_origin)))); + ARGS = JV_OBJECT(jv_string("positional"), ARGS, + jv_string("named"), jv_copy(program_arguments)); +diff --git a/tests/shtest b/tests/shtest +index 0397ca0..505d45d 100755 +--- a/tests/shtest ++++ b/tests/shtest +@@ -615,4 +615,11 @@ if printf '{}\x00{}' | $JQ >/dev/null 2> /dev/null; then + exit 1 + fi + ++# CVE-2026-41256: No NUL truncation in program files loaded with -f ++printf '.\x00invalid' > "$d/nul_prog.jq" ++if echo '42' | $JQ -f "$d/nul_prog.jq" >/dev/null 2>/dev/null; then ++ printf 'Error expected for program file with NUL bytes\n' 1>&2 ++ exit 1 ++fi ++ + exit 0 +-- +2.44.4 diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 9f0fcf8cb5..3e83464f0b 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb @@ -19,6 +19,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-39979.patch \ file://CVE-2026-47770.patch \ file://CVE-2026-40612.patch \ + file://CVE-2026-41256.patch \ " inherit autotools ptest From patchwork Mon Jul 6 15:20:17 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Shubham Pushpkar -X (spushpka - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 91813 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C63B6C43602 for ; Mon, 6 Jul 2026 15:21:10 +0000 (UTC) Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.153652.1783351263394279974 for ; Mon, 06 Jul 2026 08:21:03 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=JsbCHawa; spf=pass (domain: cisco.com, ip: 173.37.86.76, mailfrom: spushpka@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=3596; q=dns/txt; s=iport01; t=1783351263; x=1784560863; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=75qGaASrlARYeIegzsRE5uBXucunh95KuhfW8tlYZZ0=; b=JsbCHawazel7wubV6rUsjbBUVSHqDhdO/yQ3kSo4DMSKWqQMiDUOBBzn idJAZgd0rawobarYOEOpYHB8o2kB3eQWoc2HdwcTxEYD8zxGd4cFbRiKa hFDnvERj8+5gTzmWbEw6s9iWJat++bOXK2QFaoavs0yLe2r/hSWUT3y88 OeHAXuTZvCt5XYR5Db90mdCJryxtQGC4M7bNz6EoQ25yCzKmKGwo9a1JG HDcAcvHUPrbGo5qrF7dXtcd+k9Kd4HwSyj1IWiFsOwKaqiuGlX/XsO3xd nq7qrqBdmdBP4cIDswHx8mEfK6AeNAOAIw0zJURFfWF39JtcORODSZqoN Q==; X-CSE-ConnectionGUID: vHR2agLPR2Wxr5q9SDzyqA== X-CSE-MsgGUID: ZpMaUO34Tu6KsK3NyQ+6SA== X-IPAS-Result: A0BHAgDSxktq/5H/Ja1aHgEBCxIMggULgld0X0JJlk6eG4F+DwEBAQ9EDQQBAYUGAo1NAiY0CQ4BAgQDAgMBAQEBAQEBAQEBAQsBAQUBAQECAQcFgQ4Thk8NhloBAgEDJwsBGAEtEBwDAQIvKyMIGYMCAYJzAgERBrlXgXkzgQGDKAE/AkNQ2ywBCxQBBYEzhT+IH1sYAYR6AicbG4FygRWDaYEFd2UCAhiICwSCIoEMgVoejydIgR4DWSwBVRMNCgsHBYFmAzUSKhVuMh2BIz4XgQwbBwWBHYFrgQKEeSMfAzl/gTB1SnktgQIBEh4KgVKBKQMLGA1IESw3FBsEPm4HjHsXD4I9exMBK6gioQ8KKIN1jCGVOhozhVulEQuYfYs3glOWUIRogWg8gVlwFYMiCUoZD44tCwuDYIUTyUckNQIBAQcyAQEHAgcOAwuBaJF9AQE IronPort-Data: A9a23:SLgAb6iRRyGZDeq9OLQl03xaX161MBEKZh0ujC45NGQN5FlHY01je htvUGCGb62JazDxKdx3aNm090gHvJaHztIyGldsqCg0RXhjpJueD7x1DKtf0wB+jyHnZBg6h ynLQoCYdKjYdleF+FH1dOOn9SUgvU2xbuKUIPbePSxsThNTRi4kiBZy88Y0mYcAbeKRW2thg vus5ZeCULOZ82QsaDxMtPrd8EoHUMna4Vv0gHRvPZing3eG/5UlJMp3Db28KXL+Xr5VEoaSL 87fzKu093/u5BwkDNWoiN7TKiXmlZaLYGBiIlIPM0STqkAqSh4ai87XB9JAAatjsAhlqvgqo Dl7WTNcfi9yVkHEsLx1vxC1iEiSN4UekFPMCSDXXcB+UyQqflO0q8iCAn3aMqUG2twtCG5qz cZCFyAXMwnSvM6k0auSH7wEasQLdKEHPasFsX1miDWcBvE8TNWbE+PB5MRT23E7gcUm8fT2P pVCL2EwKk6dPlsWZgp/5JEWxI9EglHkayBDqEqWrII84nPYy0p6172F3N/9J4TXGJgNxBbAz o7A11bhJxgnE4fD9Sfb0WmP3cnepGClY6tHQdVU8dYv2jV/3Fc7DwUbU1a+q/S1hkOyHt5SN UEQ0i4vtrQpskuzQ9/wWhe1rHKJslgbQdU4LgEhwBuGxqyR50OSAXIJC2YRLtcnr8QxAzct0 zdlgu/UONCmi5XNIVr1y1tehWra1fQ9RYPaWRI5cA== IronPort-HdrOrdr: A9a23:pp/vDKEh9R/kn5YlpLqEMMeALOsnbusQ8zAXPo5KJiC9Ffbo8P xG88576faZslsssTQb6LK90cq7MBfhHPxOgbX5VI3KNGKNhILrFvAG0WKI+VPd8kPFmtK1/J 0QFZSWcOeAbmRSvILd/BSyFcomzZ2s9aClgvqb8lJWJDsaEp2JK2xCe32m+oocfng/OaYE X-Talos-CUID: 9a23:TkIn4mvlOSgJcQfNbUiUUkZ/6Is7UkeHxXj0G3XiNnZzFaTEcnOC6bpNxp8= X-Talos-MUID: 9a23:NuYShQ64PkxLxhLHgU/DOZJgxoxa+4GnNWdWzakb5eqfFndWKg7e0g+eF9o= X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,149,1779148800"; d="scan'208";a="505550280" Received: from rcdn-l-core-08.cisco.com ([173.37.255.145]) by rcdn-iport-5.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 06 Jul 2026 15:21:02 +0000 Received: from sjc-ads-8093.cisco.com (sjc-ads-8093.cisco.com [171.68.208.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-08.cisco.com (Postfix) with ESMTPS id 75B93180005B3; Mon, 6 Jul 2026 15:21:02 +0000 (GMT) Received: by sjc-ads-8093.cisco.com (Postfix, from userid 1839047) id 23788CBEF99; Mon, 6 Jul 2026 08:21:02 -0700 (PDT) From: "Shubham Pushpkar -X (spushpka - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-devel@lists.openembedded.org Cc: xe-linux-external@cisco.com, Shubham Pushpkar Subject: [meta-OE] [wrynose] [PATCH 3/6] jq: Fix CVE-2026-41257 Date: Mon, 6 Jul 2026 08:20:17 -0700 Message-ID: <20260706152022.873284-3-spushpka@cisco.com> X-Mailer: git-send-email 2.44.1 In-Reply-To: <20260706152022.873284-1-spushpka@cisco.com> References: <20260706152022.873284-1-spushpka@cisco.com> MIME-Version: 1.0 X-Auto-Response-Suppress: DR, OOF, AutoReply X-Outbound-Client-TLS: VERIFIED;sjc-ads-8093.cisco.com [171.68.208.131];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.68.208.131, sjc-ads-8093.cisco.com X-Outbound-Node: rcdn-l-core-08.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 Jul 2026 15:21:10 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/128047 From: Shubham Pushpkar The upstream fix [3] is for a newer jq codebase. Debian has already backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes this CVE as tracked in Debian bug #1136445 [2]. [1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-41257.patch [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445 [3] https://github.com/jqlang/jq/commit/01b3cded76daacbfddb7f8763700b0803bcb5c6f Signed-off-by: Shubham Pushpkar --- .../jq/jq/CVE-2026-41257.patch | 57 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 58 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-41257.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-41257.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-41257.patch new file mode 100644 index 0000000000..9eb3ea2576 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-41257.patch @@ -0,0 +1,57 @@ +From a525b86330b4b8889e0329249b8d2e04f9640a2a Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Fri, 24 Apr 2026 22:09:44 +0900 +Subject: [PATCH] Fix signed-int overflow in `stack_reallocate` + +This fixes CVE-2026-41257. + +CVE: CVE-2026-41257 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/01b3cded76daacbfddb7f8763700b0803bcb5c6f] + +(cherry picked from commit 01b3cded76daacbfddb7f8763700b0803bcb5c6f) +Signed-off-by: Shubham Pushpkar +--- + src/exec_stack.h | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/src/exec_stack.h b/src/exec_stack.h +index 2a063e8..159c56e 100644 +--- a/src/exec_stack.h ++++ b/src/exec_stack.h +@@ -2,8 +2,10 @@ + #define EXEC_STACK_H + #include + #include ++#include + #include + #include ++#include + #include "jv_alloc.h" + + /* +@@ -81,15 +83,19 @@ static stack_ptr* stack_block_next(struct stack* s, stack_ptr p) { + } + + static void stack_reallocate(struct stack* s, size_t sz) { +- int old_mem_length = -(s->bound) + ALIGNMENT; +- char* old_mem_start = (s->mem_end != NULL) ? (s->mem_end - old_mem_length) : NULL; ++ size_t old_mem_length = (size_t)(-(s->bound)) + ALIGNMENT; ++ char* old_mem_start = s->mem_end != NULL ? s->mem_end - old_mem_length : NULL; + +- int new_mem_length = align_round_up((old_mem_length + sz + 256) * 2); ++ size_t new_mem_length = align_round_up((old_mem_length + sz + 256) * 2); ++ if (new_mem_length > INT_MAX) { ++ fprintf(stderr, "jq: error: cannot allocate memory\n"); ++ abort(); ++ } + char* new_mem_start = jv_mem_realloc(old_mem_start, new_mem_length); + memmove(new_mem_start + (new_mem_length - old_mem_length), + new_mem_start, old_mem_length); + s->mem_end = new_mem_start + new_mem_length; +- s->bound = -(new_mem_length - ALIGNMENT); ++ s->bound = -(int)(new_mem_length - ALIGNMENT); + } + + static stack_ptr stack_push_block(struct stack* s, stack_ptr p, size_t sz) { +-- +2.44.4 diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 3e83464f0b..d45d88951c 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb @@ -20,6 +20,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-47770.patch \ file://CVE-2026-40612.patch \ file://CVE-2026-41256.patch \ + file://CVE-2026-41257.patch \ " inherit autotools ptest From patchwork Mon Jul 6 15:20:18 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Shubham Pushpkar -X (spushpka - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 91815 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3AEDAC44500 for ; Mon, 6 Jul 2026 15:21:21 +0000 (UTC) Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.152672.1783351273578482615 for ; Mon, 06 Jul 2026 08:21:13 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=G9KLfjcW; spf=pass (domain: cisco.com, ip: 173.37.86.80, mailfrom: spushpka@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=3648; q=dns/txt; s=iport01; t=1783351273; x=1784560873; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=86j7EkND5fC/bK/P4UGwu0uN0yLplfDLSVF14Dap0VU=; b=G9KLfjcW7jutxvZRnNcGjp4rqlJC//LMPKHwTNciNVyKC9t6PJb7GaOi 3MncNmmuNHIb0lE+FX1SbgdUYcljeDe5B4g3xCuKeHEsFckOQUqXquiCc Z2mP57OUTwvDrHJI19TtJgQbnJrwaYc2K4BwrjKkS6s52ROO9Ukk8Spzq XrM84NMY6bNgfFJNhxKMTdSJGawt7p/j3+1DyvtoV7wzxoS4cuklccnYf fyxiMMvAl3j97QHfYSaZsqgkfYM1iCsGkaawwdQNBq587CrP3Bz9oOsmo EhUyVmfeU0amBkC3XNNgv0U8ZfZns2kgPzhCrewEOKyG33ANMrLKPjyBt A==; X-CSE-ConnectionGUID: NSnx/Fa1ROSiFRPMOMRD4g== X-CSE-MsgGUID: 81TarQSVTRWC/8/ewcBWsA== X-IPAS-Result: A0AaAABNx0tq/5H/Ja1aHAEBAQEBAQcBARIBAQQEAQGBfAcBAQsBglZ0X0JJA4xwiVgDnhuBfg8BAQEPRA0EAQGFBgKNTQImNAkOAQIEAwIDAQEBAQEBAQEBAQELAQEFAQEBAgEHBYEOE4ZPDYZaAQIBAzIBGAEtEBwDAQIvKyMIGYMCAYJzAgERBrlXgiyBAYMoAT8CQ1DbLAELFAEFgTMBhT6IH1sYAYR6AicbG4FygRWDaYEFd2UCAhiBDYZ+BIIigQyBWh6PJ0iBHgNZLAFVEw0KCwcFgWYDNRIqFW4yHYEjPheBDBsHBYEdgWuBAoR5Ix8DOX+BMHVKeS2BAgESHgqBUoEpAwsYDUgRLDcUGwQ+bgeMexcPgj17EwErgixOpSihDwoog3WMIZU6GjOFW6URC5h9izeCU5ZQhGiBaDyBWXAVgyIJShkPjioOC4NghRPJRyQ1AgEBBwMvAQEHAgcOAwuBaJAAgX0BAQ IronPort-Data: A9a23:RG5jjagInRyx0x3SwSvgL+7PX161MxEKZh0ujC45NGQN5FlHY01je htvXD+Hb6yCZWqmKIp2PY23pEMPupTRyNQ3GVc5qShmRC5jpJueD7x1DKtf0wB+jyHnZBg6h ynLQoCYdKjYdleF+FH1dOOn9SUgvU2xbuKUIPbePSxsThNTRi4kiBZy88Y0mYcAbeKRW2thg vus5ZeCULOZ82QsaDxMtPrd8EoHUMna4Vv0gHRvPZing3eG/5UlJMp3Db28KXL+Xr5VEoaSL 87fzKu093/u5BwkDNWoiN7TKiXmlZaLYGBiIlIPM0STqkAqSh4ai87XB9JAAatjsAhlqvgqo Dl7WTNcfi9yVkHEsLx1vxC1iEiSN4UekFPMCSDXXcB+UyQqflO0q8iCAn3aMqU+weBnRk9Hr MY/EzEjVCimoMeM7O60H7wEasQLdKEHPasFsX1miDWcBvE8TNWbE+PB5MRT23E7gcUm8fT2P pVCL2EwKk6dPlsWZgp/5JEWxI9EglHkayBDqEqWrII84nPYy0p6172F3N/9J4TWGZsEzh7Ez o7A1zSgPhgADeeh9QC62TX8weLQlgnEQ6tHQdVU8dYv2jV/3Fc7DwUbU1a+q/S1hkOyHt5SN UEQ0i4vtrQpskuzQ9/wWhe1rHKJslgbQdU4LgEhwBuGxqyR50OSAXIJC2YRLtcnr8QxAzct0 zdlgu/UONCmi5XNIVr1y1tehWriUcTJBQfuvRM5cDY= IronPort-HdrOrdr: A9a23:1OAfbaiJ3olnQs8zNS8LNQ3+iHBQXgIji2hC6mlwRA09TyVXra +TdZMgpHjJYVkqOU3I9ersBEDEewK/yXcX2/h0AV7BZmnbUQKTRekIh7cKgQeQfhEWndQy6U 4PScRD4fTLfD5HZL7BkWqFOudl5sWb+6a1guqb5XJsQQZ2L5xE1W5Ce3+m+okcfng8OXL/f6 DsnvZ6mw== X-Talos-CUID: 9a23:U7t0tGh78KsOZDQ2ZQNqO6Od7jJuVEbb3DD+KhaCLl1oZoetbHi1wo84nJ87 X-Talos-MUID: 9a23:BvRqtQ3ntY+49AQLqVfVM03DqDUjs/2SAVo0qqs6gfavcnw3NiiWpgusa9py X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,149,1779148800"; d="scan'208";a="504469804" Received: from rcdn-l-core-08.cisco.com ([173.37.255.145]) by rcdn-iport-9.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 06 Jul 2026 15:21:10 +0000 Received: from sjc-ads-8093.cisco.com (sjc-ads-8093.cisco.com [171.68.208.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-08.cisco.com (Postfix) with ESMTPS id 87C5C1800045E; Mon, 6 Jul 2026 15:21:10 +0000 (GMT) Received: by sjc-ads-8093.cisco.com (Postfix, from userid 1839047) id 35B6ECBEF99; Mon, 6 Jul 2026 08:21:10 -0700 (PDT) From: "Shubham Pushpkar -X (spushpka - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-devel@lists.openembedded.org Cc: xe-linux-external@cisco.com, Shubham Pushpkar Subject: [meta-OE] [wrynose] [PATCH 4/6] jq: Fix CVE-2026-43894 Date: Mon, 6 Jul 2026 08:20:18 -0700 Message-ID: <20260706152022.873284-4-spushpka@cisco.com> X-Mailer: git-send-email 2.44.1 In-Reply-To: <20260706152022.873284-1-spushpka@cisco.com> References: <20260706152022.873284-1-spushpka@cisco.com> MIME-Version: 1.0 X-Auto-Response-Suppress: DR, OOF, AutoReply X-Outbound-Client-TLS: VERIFIED;sjc-ads-8093.cisco.com [171.68.208.131];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.68.208.131, sjc-ads-8093.cisco.com X-Outbound-Node: rcdn-l-core-08.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 Jul 2026 15:21:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/128048 From: Shubham Pushpkar The upstream fix [3] is for a newer jq codebase. Debian has already backported this fix in jq 1.8.1-7. Use the Debian patch [1], which fixes this CVE as tracked in Debian bug #1136445 [2]. [1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-43894.patch [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445 [3] https://github.com/jqlang/jq/commit/9761ceb7d6cc48c16b25f0ab1baaef0e701927e4 Reference: https://github.com/jqlang/jq/security/advisories/GHSA-5v7p-2r57-2g4g Signed-off-by: Shubham Pushpkar --- .../jq/jq/CVE-2026-43894.patch | 56 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 57 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch new file mode 100644 index 0000000000..ea85c6b355 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch @@ -0,0 +1,56 @@ +From 9761ceb7d6cc48c16b25f0ab1baaef0e701927e4 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Wed, 13 May 2026 19:41:49 +0900 +Subject: [PATCH] Reject numeric literals longer than DEC_MAX_DIGITS + (999999999) + +A signed-int overflow in decNumber's D2U macro lets huge literals write +attacker-controlled bytes past a stack buffer. Cap the length before +calling decNumberFromString, and pre-slice long strings in +jv_dump_string_trunc so the resulting error message doesn't itself +allocate a multi-GiB buffer. Fixes CVE-2026-43894. + +CVE: CVE-2026-43894 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/9761ceb7d6cc48c16b25f0ab1baaef0e701927e4] + +(cherry picked from commit 9761ceb7d6cc48c16b25f0ab1baaef0e701927e4) +Signed-off-by: Shubham Pushpkar +--- + src/jv.c | 5 ++++- + src/jv_print.c | 4 ++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/jv.c b/src/jv.c +index e4529a4..dd10b8b 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -574,7 +574,11 @@ static jvp_literal_number* jvp_literal_number_alloc(unsigned literal_length) { + } + + static jv jvp_literal_number_new(const char * literal) { +- jvp_literal_number* n = jvp_literal_number_alloc(strlen(literal)); ++ size_t len = strlen(literal); ++ if (len > DEC_MAX_DIGITS) ++ return JV_INVALID; ++ ++ jvp_literal_number* n = jvp_literal_number_alloc(len); + + decContext *ctx = DEC_CONTEXT(); + decContextClearStatus(ctx, DEC_Conversion_syntax); +diff --git a/src/jv_print.c b/src/jv_print.c +index 791af17..c032d87 100644 +--- a/src/jv_print.c ++++ b/src/jv_print.c +@@ -408,6 +408,10 @@ jv jv_dump_string(jv x, int flags) { + } + + char *jv_dump_string_trunc(jv x, char *outbuf, size_t bufsize) { ++ if (jv_get_kind(x) == JV_KIND_STRING && ++ (size_t)jv_string_length_bytes(jv_copy(x)) > bufsize) { ++ x = jv_string_slice(x, 0, bufsize); ++ } + x = jv_dump_string(x, 0); + const char *str = jv_string_value(x); + const size_t len = strlen(str); +-- +2.44.4 diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index d45d88951c..62de3a4117 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb @@ -21,6 +21,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-40612.patch \ file://CVE-2026-41256.patch \ file://CVE-2026-41257.patch \ + file://CVE-2026-43894.patch \ " inherit autotools ptest From patchwork Mon Jul 6 15:20:19 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Shubham Pushpkar -X (spushpka - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 91814 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E1EBDC43458 for ; Mon, 6 Jul 2026 15:21:20 +0000 (UTC) Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.152673.1783351274179291127 for ; Mon, 06 Jul 2026 08:21:14 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=PsYEc8Vz; spf=pass (domain: cisco.com, ip: 173.37.86.76, mailfrom: spushpka@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=3796; q=dns/txt; s=iport01; t=1783351274; x=1784560874; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=BKxtySLc3Jh//rG2U3HJNO6USuM+2W9fC37G/QE2EKg=; b=PsYEc8Vz/h7Xg0l0QMRoaIiwQJkfC7VL5HTOwn6dtrPwG5MPkocfoilY TYJpch7uwIM0QrpnO8enki+akAHNcpBkB7wYFNqGC6jebM7TjjCp31344 L1m65Me1Xa0s7qkb583AymU3feHpMm+eof0WaaCBjBbE51PlUUlP2ky5f KKlRii2+hD5wYggMvGdnZnRAkRmgVTHlLnw659ksD91kx94rTBCTx1uj0 1p4OG6ve8APH0pXxDgMBUdgLzzEO17PvxDLpsIp7nQHnN4sqqggJ7SJIO o9P7t58hqmZpvtymVbEt9R15bQ8HUHJWs+icedbqkMsda0HgVHVR2FaYi w==; X-CSE-ConnectionGUID: tuhW/0TvRbKIABdaui6h+Q== X-CSE-MsgGUID: P7o+8/+sSyuA1IcwVEBdPg== X-IPAS-Result: A0BHAgDSxktq/43/Ja1aHgEBCxIMggULgld0X0JJA5ZLnhuBfg8BAQEPRA0EAQGFBgKNTQImNAkOAQIEAwIDAQEBAQEBAQEBAQELAQEFAQEBAgEHBYEOE4ZPDYZaAQIBAzIBGAEbEhAcAwECLysjCBmDAgGCcwIBEQa5V4IsgQGDKAE/AkNQ2ywBCxQBBYEzhT+IH1sYAYR6AicbG4FygRWDaYEFd2UCAhiBHoZtBIIigQyBWh6PJ0iBHgNZLAFVEw0KCwcFgWYDNRIqFW4yHYEjPheBDBsHBYEdgWuBAoR5Ix8DOX+BMHVKeS2BAgESHgqBUoEpAwsYDUgRLDcUGwQ+bgeMexcPgj2BDgErgUNppXahDwoog3WMIZU6GjOFW6URC5h9izeCU4kPjUGEaIFoPIFZcBWDIglKGQ+OOINrhRPJRyQ1AgEBBwMvAQEHAgcOAwuBaJABgXwBAQ IronPort-Data: A9a23:/w4EXK9ft+VyUukmrsRxDrUD0H+TJUtcMsCJ2f8bNWPcYEJGY0x3y 2pJCj/UOvzfZGf9L992bo+/pBkFvZHQz9A1SgBp+HhEQiMRo6IpJzg2wmQcns+2BpeeJK6yx 5xGMrEsFOhtEDmE4EzrauS9xZVF/fngbqLmD+LZMTxGSwZhSSMw4TpugOdRbrRA2bBVOCvT/ 4mvyyHjEAX9gWAsbTpKs/vrRC5H5ZwehhtJ5jTSWtgT1LPuvyF9JI4SI6i3M0z5TuF8dsamR /zOxa2O5WjQ+REgELuNyt4XpWVTH9Y+lSDX4pZnc/DKbipq/0Te4Y5nXBYoUnq7vh3S9zxHJ HqhgrTrIeshFvWkdO3wyHC0GQkmVUFN0OevzXRSLaV/wmWeG0YAzcmCA2kqII0nvb5LH1tE1 t0xAjwEcxHdh6GPlefTpulE3qzPLeHxN48Z/3UlxjbDALN+HdbIQr7B4plT2zJYasJmRKmFI ZFGL2AyMVKZP0Qn1lQ/UPrSmM+znmTkcyVboXqepLE85C7YywkZPL3FbYKIJ4HSHpgI9qqej lqZ+CepRVIBD82C4GOk+W2Sq8XDpSyuDer+E5X9rJaGmma7wXQeDhATX1a3rfS1z0KzRd9bA 0gV4TY1668q+UqmS9PwUxG1rDiDpBF0ZjZLO/cx5AfIzu/f5ByUQzBYCDVAc9ch8sQxQFTGy 2O0oj8gPhQ32JX9dJ5X3u78Qe+aUcTNEVI/WA== IronPort-HdrOrdr: A9a23:Hm+1v68hNGLgfJt6yrNuk+AAI+orL9Y04lQ7vn2ZhyY7TiX+rb HIoB11737JYVoqNU3I3OrwWpVoIkmskaKdg7NwAV7KZmCP0wGVxcNZnO7fKlbbdREWmNQw6U 5ISdkZNDSJNykYse/KpC+lDt0n3N6LtIqshevY0jNRaDsCUdAY0++8YTzraXGfg2J9dOIEKK Y= X-Talos-CUID: 9a23:Dci8Vm/PMzo9rCs3ER6Vv1IJGv9iKkHD9n3zAmaSBW90SeOVCmbFrQ== X-Talos-MUID: 9a23:nYJIEAleMjwYV7nzBoGsdnpaa8Ars+PtE3scjLxfmsKbCwFaNw+S2WE= X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,149,1779148800"; d="scan'208";a="505550355" Received: from rcdn-l-core-04.cisco.com ([173.37.255.141]) by rcdn-iport-5.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 06 Jul 2026 15:21:13 +0000 Received: from sjc-ads-8093.cisco.com (sjc-ads-8093.cisco.com [171.68.208.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-04.cisco.com (Postfix) with ESMTPS id 30346180005E5; Mon, 6 Jul 2026 15:21:13 +0000 (GMT) Received: by sjc-ads-8093.cisco.com (Postfix, from userid 1839047) id D2152CBEF99; Mon, 6 Jul 2026 08:21:12 -0700 (PDT) From: "Shubham Pushpkar -X (spushpka - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-devel@lists.openembedded.org Cc: xe-linux-external@cisco.com, Shubham Pushpkar Subject: [meta-OE] [wrynose] [PATCH 5/6] jq: Fix CVE-2026-43896 Date: Mon, 6 Jul 2026 08:20:19 -0700 Message-ID: <20260706152022.873284-5-spushpka@cisco.com> X-Mailer: git-send-email 2.44.1 In-Reply-To: <20260706152022.873284-1-spushpka@cisco.com> References: <20260706152022.873284-1-spushpka@cisco.com> MIME-Version: 1.0 X-Auto-Response-Suppress: DR, OOF, AutoReply X-Outbound-Client-TLS: VERIFIED;sjc-ads-8093.cisco.com [171.68.208.131];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.68.208.131, sjc-ads-8093.cisco.com X-Outbound-Node: rcdn-l-core-04.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 Jul 2026 15:21:20 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/128049 From: Shubham Pushpkar The upstream fix [3] is for a newer jq codebase. Debian has already backported this fix in jq 1.8.1-7. Use the Debian patch [1], which fixes this CVE as tracked in Debian bug #1136445 [2]. [1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-43896.patch [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445 [3] https://github.com/jqlang/jq/commit/532ccea6080ed6758f39fe9f6208a44b665023d2 Reference: https://github.com/jqlang/jq/security/advisories/GHSA-mg96-6h3q-g846 Signed-off-by: Shubham Pushpkar --- .../jq/jq/CVE-2026-43896.patch | 73 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 74 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch new file mode 100644 index 0000000000..4ff82cf05f --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch @@ -0,0 +1,73 @@ +From 532ccea6080ed6758f39fe9f6208a44b665023d2 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Tue, 5 May 2026 22:44:02 +0900 +Subject: [PATCH] Limit recursive object merge depth to prevent stack overflow + +This fixes CVE-2026-43896. + +CVE: CVE-2026-43896 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/532ccea6080ed6758f39fe9f6208a44b665023d2] + +Backport Changes: +- Dropped the duplicate tests/jq.test hunk because Wrynose already carries + the same regression coverage in existing CVE-2026-47770.patch. + +(cherry picked from commit 532ccea6080ed6758f39fe9f6208a44b665023d2) +Signed-off-by: Shubham Pushpkar +--- + src/jv.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +diff --git a/src/jv.c b/src/jv.c +index 34573b8..b112757 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -1884,16 +1884,33 @@ jv jv_object_merge(jv a, jv b) { + return a; + } + +-jv jv_object_merge_recursive(jv a, jv b) { ++#ifndef MAX_OBJECT_MERGE_DEPTH ++#define MAX_OBJECT_MERGE_DEPTH (10000) ++#endif ++ ++static jv jvp_object_merge_recursive(jv a, jv b, int depth) { + assert(JVP_HAS_KIND(a, JV_KIND_OBJECT)); + assert(JVP_HAS_KIND(b, JV_KIND_OBJECT)); + ++ if (depth > MAX_OBJECT_MERGE_DEPTH) { ++ jv_free(a); ++ jv_free(b); ++ return jv_invalid_with_msg(jv_string("Object merge too deep")); ++ } ++ + jv_object_foreach(b, k, v) { + jv elem = jv_object_get(jv_copy(a), jv_copy(k)); + if (jv_is_valid(elem) && + JVP_HAS_KIND(elem, JV_KIND_OBJECT) && + JVP_HAS_KIND(v, JV_KIND_OBJECT)) { +- a = jv_object_set(a, k, jv_object_merge_recursive(elem, v)); ++ jv merged = jvp_object_merge_recursive(elem, v, depth + 1); ++ if (!jv_is_valid(merged)) { ++ jv_free(k); ++ jv_free(a); ++ jv_free(b); ++ return merged; ++ } ++ a = jv_object_set(a, k, merged); + } else { + jv_free(elem); + a = jv_object_set(a, k, v); +@@ -1904,6 +1921,10 @@ jv jv_object_merge_recursive(jv a, jv b) { + return a; + } + ++jv jv_object_merge_recursive(jv a, jv b) { ++ return jvp_object_merge_recursive(a, b, 0); ++} ++ + /* + * Object iteration (internal helpers) + */ +-- +2.44.4 diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 62de3a4117..9d98fd81c3 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb @@ -22,6 +22,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-41256.patch \ file://CVE-2026-41257.patch \ file://CVE-2026-43894.patch \ + file://CVE-2026-43896.patch \ " inherit autotools ptest From patchwork Mon Jul 6 15:20:20 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Shubham Pushpkar -X (spushpka - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 91816 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 48086C44501 for ; Mon, 6 Jul 2026 15:21:21 +0000 (UTC) Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.152673.1783351274179291127 for ; Mon, 06 Jul 2026 08:21:15 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=jvE8lHyo; spf=pass (domain: cisco.com, ip: 173.37.86.76, mailfrom: spushpka@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=10480; q=dns/txt; s=iport01; t=1783351275; x=1784560875; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=MKtNSegBd9+uNCNvgM/kBlJ3jpDlG2unvX+mu75k/hs=; b=jvE8lHyoMuAjV2mn5DHazO8qNxb/7xBKfeIPgzc8223pJ7UI6sNoBCPD 2wDaKkVg7Em5L7xMYAzC0Gt0R0jygVNiHtlMoGOHj8ESPu7vKgrZNvG2F iJhOMe/GL/vK8oWuHb5+kGfVWXP/e53LL83iFoGwixUjRsZilcpi2hjHb 15CBuVGFbT3ZQhydbPIGzu1haSxNN2t0liso5ipTxcEgN2VR0kdvmLS0u Xhit3EiiW92J2NISGVm2S9NgphjTwbasTgLU4H8R3wRLdPVRFE6aRiMPs 0nHr9mK6ojSK5I3PwcqaJROUr8GVOiPfbgOqBikpadGmdL+o7uEC+Cwwj g==; X-CSE-ConnectionGUID: Fg6M6F9ORW+hazBQmiNWRA== X-CSE-MsgGUID: X1Ypoti+TqWGKmbGW3JnGA== X-IPAS-Result: A0BHAgDSxktq/4v/Ja1aHgEBCxIMggULgld0X0JJlksDnhuBfg8BAQEPRA0EAQGFBgKNTQImNAkOAQIEAwIDAQEBAQEBAQEBAQELAQEFAQEBAgEHBYEOE4ZPDYZaAQIBAycLARgBLRAcAwECLysjCBmDAgGCcwIBEQa5V4F5M4EBgygBPwJDUNssAQsUAQWBM4U/iB9bGAGEegInGxuBcoR+gQV3ZQICGIgLBIIigQyBWh6PJ0iBHgNZLAFVEw0KCwcFgWYDNRIqFW4yHYEjPheBDBsHBYEdgWuBAoR5Ix8DOX+BMHVKeS2BAgESHgqBUoEpAwsYDUgRLDcUGwQ+bgeMexcPgh0gAVIoEwEKCRgggSMOJ5NrCDGPZYIhgTWfWgoog3WMIZU6GjOFW6URC5h9izeCU5ZQhGiBaDyBWXAVgyIJShkPjjiCA4FohRPJRyQ1AgEBBzIBAQcCBw4DC4FokR1gAQE IronPort-Data: A9a23:kL1MXa9f9k9q9ko1nxUlDrUD0H+TJUtcMsCJ2f8bNWPcYEJGY0x3z WZOCzqCO6nYYTf0c9kgPIy08B4AvsfWndNnTQA/qSFEQiMRo6IpJzg2wmQcns+2BpeeJK6yx 5xGMrEsFOhtEDmE4EzrauS9xZVF/fngbqLmD+LZMTxGSwZhSSMw4TpugOdRbrRA2bBVOCvT/ 4mvyyHjEAX9gWAsbTpKs/vrRC5H5ZwehhtJ5jTSWtgT1LPuvyF9JI4SI6i3M0z5TuF8dsamR /zOxa2O5WjQ+REgELuNyt4XpWVTH9Y+lSDX4pZnc/DKbipq/0Te4Y5nXBYoUnq7vh3S9zxHJ HqhgrTrIeshFvWkdO3wyHC0GQkmVUFN0OevzXRSLaV/wmWeG0YAzcmCA2kYMtM9pMgmJltxt vwROho0axGluNiflefTpulE3qzPLeHxN48Z/3UlxjbDALN+G9bIQr7B4plT2zJYasJmRKmFI ZFGL2AyMVKZOEwn1lQ/UPrSmM+znmTkcyVboXqepLE85C7YywkZPL3FbYKIJ4HSHpsO9qqej lKfznz+HhBZCMWg5hmA+F2T3c3JsgquDer+E5X9rJaGmma7wXQeDhATX1a3rfS1z0KzRd9bA 0gV4TY1668q+UqmS9PwUxG1rDiDpBF0ZjZLO/cx5AfIzu/f5ByUQzBeCDVAc9ch8sQxQFTGy 2O0oj8gPhQ32JX9dJ5X3u78Qe+aUcTNEVI/WA== IronPort-HdrOrdr: A9a23:Rq9nkaGXVSgi8pa+pLqEMMeALOsnbusQ8zAXPo5KJiC9Ffbo8P xG88576faZslsssTQb6LK90cq7MBfhHPxOgbX5VI3KNGKNhILrFvAG0WKI+VPd8kPFmtK1/J 0QFZSWcOeAbmRSvILd/BSyFcomzZ2s9aClgvqb8lJWJDsaEp2JK2xCe32m+oocfng/OaYE X-Talos-CUID: 9a23:OH6mwGgFQfxIkDJLQVdmd/BWMjJuXHKD6Sn+cmiCNiVpQa+/cFqR3pxeup87 X-Talos-MUID: 9a23:+TrIdgspcnqCwFzB8c2ntGhTLMB04ueSEX8ispAMlPbfFypfEmLI X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,149,1779148800"; d="scan'208";a="505550363" Received: from rcdn-l-core-02.cisco.com ([173.37.255.139]) by rcdn-iport-5.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 06 Jul 2026 15:21:15 +0000 Received: from sjc-ads-8093.cisco.com (sjc-ads-8093.cisco.com [171.68.208.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-02.cisco.com (Postfix) with ESMTPS id 1A970180007D4; Mon, 6 Jul 2026 15:21:15 +0000 (GMT) Received: by sjc-ads-8093.cisco.com (Postfix, from userid 1839047) id BC86ECBEF99; Mon, 6 Jul 2026 08:21:14 -0700 (PDT) From: "Shubham Pushpkar -X (spushpka - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-devel@lists.openembedded.org Cc: xe-linux-external@cisco.com, Shubham Pushpkar Subject: [meta-OE] [wrynose] [PATCH 6/6] jq: Fix CVE-2026-44777 Date: Mon, 6 Jul 2026 08:20:20 -0700 Message-ID: <20260706152022.873284-6-spushpka@cisco.com> X-Mailer: git-send-email 2.44.1 In-Reply-To: <20260706152022.873284-1-spushpka@cisco.com> References: <20260706152022.873284-1-spushpka@cisco.com> MIME-Version: 1.0 X-Auto-Response-Suppress: DR, OOF, AutoReply X-Outbound-Client-TLS: VERIFIED;sjc-ads-8093.cisco.com [171.68.208.131];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.68.208.131, sjc-ads-8093.cisco.com X-Outbound-Node: rcdn-l-core-02.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 Jul 2026 15:21:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/128050 From: Shubham Pushpkar The upstream fix [3] is for a newer jq codebase. Debian has already backported this fix in jq 1.8.1-7. Use the Debian patch [1], which fixes this CVE as tracked in Debian bug #1136445 [2]. [1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-44777.patch [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445 [3] https://github.com/jqlang/jq/commit/f58787c41835d9b17795730cb04925fdba25c71c Signed-off-by: Shubham Pushpkar --- .../jq/jq/CVE-2026-44777.patch | 243 ++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 244 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-44777.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-44777.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-44777.patch new file mode 100644 index 0000000000..3fe1a9beb3 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-44777.patch @@ -0,0 +1,243 @@ +From f58787c41835d9b17795730cb04925fdba25c71c Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Mon, 11 May 2026 20:41:38 +0900 +Subject: [PATCH] Detect circular module imports to prevent stack overflow + +jq used to recurse without bound on mutual or self-referential +`import` declarations, exhausting the stack. Track each library's +load state with a `loading` flag set before its dependencies are +processed; a recursive reference to an in-progress library now +reports "circular import of X". + +Fixes CVE-2026-44777. + +CVE: CVE-2026-44777 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/f58787c41835d9b17795730cb04925fdba25c71c] + +Backport Changes: +- The upstream src/linker.c patch deletes an `if (nerrors == 0)` wrapper + around the old library registration block. Wrynose jq 1.8.1 does not + have that wrapper in the same form, so this backport has two fewer + deleted lines in src/linker.c while preserving the upstream + circular-import detection logic. + +(cherry picked from commit f58787c41835d9b17795730cb04925fdba25c71c) +Signed-off-by: Shubham Pushpkar +--- + Makefile.am | 2 ++ + src/linker.c | 57 +++++++++++++++++++++++++------------ + tests/modules/cycle_a.jq | 2 ++ + tests/modules/cycle_b.jq | 2 ++ + tests/modules/cycle_self.jq | 2 ++ + tests/shtest | 23 +++++++++++++++ + 6 files changed, 70 insertions(+), 18 deletions(-) + create mode 100644 tests/modules/cycle_a.jq + create mode 100644 tests/modules/cycle_b.jq + create mode 100644 tests/modules/cycle_self.jq + +diff --git a/Makefile.am b/Makefile.am +index 76e35df..6fcc013 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -223,6 +223,8 @@ EXTRA_DIST = $(DOC_FILES) $(man_MANS) $(TESTS) $(TEST_LOG_COMPILER) \ + tests/modules/test_bind_order0.jq \ + tests/modules/test_bind_order1.jq \ + tests/modules/test_bind_order2.jq \ ++ tests/modules/cycle_a.jq tests/modules/cycle_b.jq \ ++ tests/modules/cycle_self.jq \ + tests/onig.supp tests/local.supp \ + tests/setup tests/torture/input0.json \ + tests/optional.test tests/man.test tests/manonig.test \ +diff --git a/src/linker.c b/src/linker.c +index e7d1024..0c9c34b 100644 +--- a/src/linker.c ++++ b/src/linker.c +@@ -21,9 +21,13 @@ + #include "compile.h" + #include "jv_alloc.h" + ++struct lib_entry { ++ char *name; ++ block def; ++ int loading; ++}; + struct lib_loading_state { +- char **names; +- block *defs; ++ struct lib_entry *entries; + uint64_t ct; + }; + static int load_library(jq_state *jq, jv lib_path, +@@ -299,14 +303,24 @@ static int process_dependencies(jq_state *jq, jv jq_origin, jv lib_origin, block + } else { + uint64_t state_idx = 0; + for (; state_idx < lib_state->ct; ++state_idx) { +- if (strcmp(lib_state->names[state_idx],jv_string_value(resolved)) == 0) ++ if (strcmp(lib_state->entries[state_idx].name, jv_string_value(resolved)) == 0) + break; + } + + if (state_idx < lib_state->ct) { // Found ++ if (lib_state->entries[state_idx].loading) { ++ jq_report_error(jq, jv_string_fmt("jq: error: circular import of %s\n", ++ jv_string_value(resolved))); ++ jv_free(resolved); ++ jv_free(as); ++ jv_free(deps); ++ jv_free(jq_origin); ++ jv_free(lib_origin); ++ return 1; ++ } + jv_free(resolved); + // Bind the library to the program +- bk = block_bind_library(lib_state->defs[state_idx], bk, OP_IS_CALL_PSEUDO, as_str); ++ bk = block_bind_library(lib_state->entries[state_idx].def, bk, OP_IS_CALL_PSEUDO, as_str); + } else { // Not found. Add it to the table before binding. + block dep_def_block = gen_noop(); + nerrors += load_library(jq, resolved, is_data, raw, optional, as_str, &dep_def_block, lib_state); +@@ -348,30 +362,38 @@ static int load_library(jq_state *jq, jv lib_path, int is_data, int raw, int opt + jq_report_error(jq, jv_string_fmt("jq: error loading data file %s: %s\n", jv_string_value(lib_path), jv_string_value(data))); + nerrors++; + } +- goto out; + } else if (is_data) { + // import "foo" as $bar; + program = gen_const_global(jv_copy(data), as); ++ state_idx = lib_state->ct++; ++ lib_state->entries = jv_mem_realloc(lib_state->entries, lib_state->ct * sizeof(struct lib_entry)); ++ lib_state->entries[state_idx].name = strdup(jv_string_value(lib_path)); ++ lib_state->entries[state_idx].def = program; ++ lib_state->entries[state_idx].loading = 0; + } else { + // import "foo" as bar; + src = locfile_init(jq, jv_string_value(lib_path), jv_string_value(data), jv_string_length_bytes(jv_copy(data))); + nerrors += jq_parse_library(src, &program); + locfile_free(src); + if (nerrors == 0) { ++ // Register the library before processing its dependencies so that ++ // circular imports can be detected. ++ state_idx = lib_state->ct++; ++ lib_state->entries = jv_mem_realloc(lib_state->entries, lib_state->ct * sizeof(struct lib_entry)); ++ lib_state->entries[state_idx].name = strdup(jv_string_value(lib_path)); ++ lib_state->entries[state_idx].def = gen_noop(); ++ lib_state->entries[state_idx].loading = 1; ++ + char *lib_origin = strdup(jv_string_value(lib_path)); + nerrors += process_dependencies(jq, jq_get_jq_origin(jq), + jv_string(dirname(lib_origin)), + &program, lib_state); + free(lib_origin); + program = block_bind_self(program, OP_IS_CALL_PSEUDO); ++ lib_state->entries[state_idx].def = program; ++ lib_state->entries[state_idx].loading = 0; + } + } +- state_idx = lib_state->ct++; +- lib_state->names = jv_mem_realloc(lib_state->names, lib_state->ct * sizeof(const char *)); +- lib_state->defs = jv_mem_realloc(lib_state->defs, lib_state->ct * sizeof(block)); +- lib_state->names[state_idx] = strdup(jv_string_value(lib_path)); +- lib_state->defs[state_idx] = program; +-out: + *out_block = program; + jv_free(lib_path); + jv_free(data); +@@ -409,7 +431,7 @@ jv load_module_meta(jq_state *jq, jv mod_relpath) { + int load_program(jq_state *jq, struct locfile* src, block *out_block) { + int nerrors = 0; + block program; +- struct lib_loading_state lib_state = {0,0,0}; ++ struct lib_loading_state lib_state = {0,0}; + nerrors = jq_parse(src, &program); + if (nerrors) + return nerrors; +@@ -433,14 +455,13 @@ int load_program(jq_state *jq, struct locfile* src, block *out_block) { + nerrors = process_dependencies(jq, jq_get_jq_origin(jq), jq_get_prog_origin(jq), &program, &lib_state); + block libs = gen_noop(); + for (uint64_t i = 0; i < lib_state.ct; ++i) { +- free(lib_state.names[i]); +- if (nerrors == 0 && !block_is_const(lib_state.defs[i])) +- libs = block_join(libs, lib_state.defs[i]); ++ free(lib_state.entries[i].name); ++ if (nerrors == 0 && !block_is_const(lib_state.entries[i].def)) ++ libs = block_join(libs, lib_state.entries[i].def); + else +- block_free(lib_state.defs[i]); ++ block_free(lib_state.entries[i].def); + } +- free(lib_state.names); +- free(lib_state.defs); ++ free(lib_state.entries); + if (nerrors) + block_free(program); + else +diff --git a/tests/modules/cycle_a.jq b/tests/modules/cycle_a.jq +new file mode 100644 +index 0000000..30c1dea +--- /dev/null ++++ b/tests/modules/cycle_a.jq +@@ -0,0 +1,2 @@ ++import "cycle_b" as b; ++def f: null; +diff --git a/tests/modules/cycle_b.jq b/tests/modules/cycle_b.jq +new file mode 100644 +index 0000000..3fdc360 +--- /dev/null ++++ b/tests/modules/cycle_b.jq +@@ -0,0 +1,2 @@ ++import "cycle_a" as a; ++def f: null; +diff --git a/tests/modules/cycle_self.jq b/tests/modules/cycle_self.jq +new file mode 100644 +index 0000000..8365eab +--- /dev/null ++++ b/tests/modules/cycle_self.jq +@@ -0,0 +1,2 @@ ++import "cycle_self" as s; ++def f: null; +diff --git a/tests/shtest b/tests/shtest +index 505d45d..f5794fb 100755 +--- a/tests/shtest ++++ b/tests/shtest +@@ -369,17 +369,40 @@ if ! HOME="$mods/home2" $VALGRIND $Q $JQ -n 'include "g"; empty'; then + exit 1 + fi + ++( + cd "$JQBASEDIR" # so that relative library paths are guaranteed correct + if ! $VALGRIND $Q $JQ -L ./tests/modules -ne 'import "test_bind_order" as check; check::check==true'; then + echo "Issue #817 regression?" 1>&2 + exit 1 + fi ++) + ++( + cd "$JQBASEDIR" + if ! $VALGRIND $Q $JQ -L tests/modules -ne 'import "test_bind_order" as check; check::check==true'; then + echo "Issue #817 regression?" 1>&2 + exit 1 + fi ++) ++ ++# CVE-2026-44777: Circular imports should be detected ++if $VALGRIND $JQ -L "$mods" -ne 'import "cycle_a" as a; null' 2> $d/out; then ++ echo "Mutual import should be rejected" 1>&2 ++ exit 1 ++fi ++if ! grep -q "circular import" $d/out; then ++ echo "Expected circular import error" 1>&2 ++ exit 1 ++fi ++ ++if $VALGRIND $JQ -L "$mods" -ne 'import "cycle_self" as s; null' 2> $d/out; then ++ echo "Self import should be rejected" 1>&2 ++ exit 1 ++fi ++if ! grep -q "circular import" $d/out; then ++ echo "Expected circular import error" 1>&2 ++ exit 1 ++fi + + ## Halt + +-- +2.35.6 diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 9d98fd81c3..7585d0c5f9 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb @@ -23,6 +23,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-41257.patch \ file://CVE-2026-43894.patch \ file://CVE-2026-43896.patch \ + file://CVE-2026-44777.patch \ " inherit autotools ptest