From: Shubham Pushpkar <[email protected]> The upstream fix [3] is for a newer jq codebase. Debian has already backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes this CVE as tracked in Debian bug #1136445 [2].
[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-40612.patch [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445 [3] https://github.com/jqlang/jq/commit/d1a12569d91641135976a8536776a4a329c02cc2 Reference: https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j Signed-off-by: Shubham Pushpkar <[email protected]> --- .../jq/jq/CVE-2026-40612.patch | 153 ++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.7.1.bb | 1 + 2 files changed, 154 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch new file mode 100644 index 0000000000..bcd9f2dbc0 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch @@ -0,0 +1,153 @@ +From f1a72c7b5eb9c9e99576b2ca8e59ab1f36a2a4e3 Mon Sep 17 00:00:00 2001 +From: itchyny <[email protected]> +Date: Fri, 24 Apr 2026 22:02:24 +0900 +Subject: [PATCH] Limit the containment check depth + +This fixes CVE-2026-40612. + +CVE: CVE-2026-40612 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/d1a12569d91641135976a8536776a4a329c02cc2] + +Backport Changes: +- The upstream regression test used `reduce ... as $x` without wrapping + the `reduce` expression in parentheses. jq 1.7.1 parses that form as a + syntax error before the test can run. +- Wrapped the `reduce range(10001) ...` expression in an extra set of + parentheses so jq 1.7.1 first builds the nested array, then binds that + result to `$x` for the `contains($x)` depth-limit check. + +(cherry picked from commit d1a12569d91641135976a8536776a4a329c02cc2) +Signed-off-by: Shubham Pushpkar <[email protected]> +--- + src/builtin.c | 5 ++++- + src/jv.c | 40 +++++++++++++++++++++++++++------------- + tests/jq.test | 11 ++++++++++- + 3 files changed, 41 insertions(+), 15 deletions(-) + +diff --git a/src/builtin.c b/src/builtin.c +index 902490d..378be02 100644 +--- a/src/builtin.c ++++ b/src/builtin.c +@@ -471,7 +471,10 @@ jv binop_greatereq(jv a, jv b) { + + static jv f_contains(jq_state *jq, jv a, jv b) { + if (jv_get_kind(a) == jv_get_kind(b)) { +- return jv_bool(jv_contains(a, b)); ++ int r = jv_contains(a, b); ++ if (r < 0) ++ return jv_invalid_with_msg(jv_string("Containment check too deep")); ++ return jv_bool(r); + } else { + return type_error2(a, b, "cannot have their containment checked"); + } +diff --git a/src/jv.c b/src/jv.c +index 08ded35..5a2c3a2 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -914,19 +914,19 @@ static void jvp_clamp_slice_params(int len, int *pstart, int *pend) + } + + +-static int jvp_array_contains(jv a, jv b) { ++static int jvp_contains(jv a, jv b, int depth); ++ ++static int jvp_array_contains(jv a, jv b, int depth) { + int r = 1; + jv_array_foreach(b, bi, belem) { + int ri = 0; + jv_array_foreach(a, ai, aelem) { +- if (jv_contains(aelem, jv_copy(belem))) { +- ri = 1; +- break; +- } ++ ri = jvp_contains(aelem, jv_copy(belem), depth); ++ if (ri) break; + } + jv_free(belem); +- if (!ri) { +- r = 0; ++ if (ri <= 0) { ++ r = ri; + break; + } + } +@@ -1794,7 +1794,7 @@ static int jvp_object_equal(jv o1, jv o2) { + return len1 == len2; + } + +-static int jvp_object_contains(jv a, jv b) { ++static int jvp_object_contains(jv a, jv b, int depth) { + assert(JVP_HAS_KIND(a, JV_KIND_OBJECT)); + assert(JVP_HAS_KIND(b, JV_KIND_OBJECT)); + int r = 1; +@@ -1802,9 +1802,9 @@ static int jvp_object_contains(jv a, jv b) { + jv_object_foreach(b, key, b_val) { + jv a_val = jv_object_get(jv_copy(a), key); + +- r = jv_contains(a_val, b_val); ++ r = jvp_contains(a_val, b_val, depth); + +- if (!r) break; ++ if (r <= 0) break; + } + return r; + } +@@ -2035,14 +2035,23 @@ int jv_identical(jv a, jv b) { + return r; + } + +-int jv_contains(jv a, jv b) { ++#ifndef MAX_CONTAINS_DEPTH ++#define MAX_CONTAINS_DEPTH (10000) ++#endif ++ ++static int jvp_contains(jv a, jv b, int depth) { ++ if (depth > MAX_CONTAINS_DEPTH) { ++ jv_free(a); ++ jv_free(b); ++ return -1; ++ } + int r = 1; + if (jv_get_kind(a) != jv_get_kind(b)) { + r = 0; + } else if (JVP_HAS_KIND(a, JV_KIND_OBJECT)) { +- r = jvp_object_contains(a, b); ++ r = jvp_object_contains(a, b, depth + 1); + } else if (JVP_HAS_KIND(a, JV_KIND_ARRAY)) { +- r = jvp_array_contains(a, b); ++ r = jvp_array_contains(a, b, depth + 1); + } else if (JVP_HAS_KIND(a, JV_KIND_STRING)) { + int b_len = jv_string_length_bytes(jv_copy(b)); + if (b_len != 0) { +@@ -2058,3 +2067,8 @@ int jv_contains(jv a, jv b) { + jv_free(b); + return r; + } ++ ++// Returns 1 (contained), 0 (not contained), or -1 (too deep) ++int jv_contains(jv a, jv b) { ++ return jvp_contains(a, b, 0); ++} +diff --git a/tests/jq.test b/tests/jq.test +index 4d57301..40d14d6 100644 +--- a/tests/jq.test ++++ b/tests/jq.test +@@ -2153,4 +2153,13 @@ null + + try delpaths([[range(10001) | 0]]) catch . + null +-"Path too deep" +\ No newline at end of file ++"Path too deep" ++ ++# regression test for CVE-2026-40612 ++reduce range(10000) as $_ ([]; [.]) | contains([[]]) ++null ++true ++ ++try ((reduce range(10001) as $_ ([]; [.])) as $x | $x | contains($x)) catch . ++null ++"Containment check too deep" +-- +2.44.4 + diff --git a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb index 98f06af3b9..b35e5579b2 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb @@ -20,6 +20,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \ file://CVE-2026-33947.patch \ file://CVE-2026-33948.patch \ file://CVE-2026-39979.patch \ + file://CVE-2026-40612.patch \ " SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2" -- 2.35.6
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#127509): https://lists.openembedded.org/g/openembedded-devel/message/127509 Mute This Topic: https://lists.openembedded.org/mt/119736516/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
