From: Shubham Pushpkar <[email protected]> The upstream fix [3] is for a newer jq codebase. Debian has already backported this fix in jq 1.8.1-7. Use the Debian patch [1], which fixes this CVE as tracked in Debian bug #1136445 [2].
[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-43894.patch [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445 [3] https://github.com/jqlang/jq/commit/9761ceb7d6cc48c16b25f0ab1baaef0e701927e4 Reference: https://github.com/jqlang/jq/security/advisories/GHSA-5v7p-2r57-2g4g Signed-off-by: Shubham Pushpkar <[email protected]> --- .../jq/jq/CVE-2026-43894.patch | 56 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.7.1.bb | 1 + 2 files changed, 57 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch new file mode 100644 index 0000000000..0549128b7b --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch @@ -0,0 +1,56 @@ +From 9761ceb7d6cc48c16b25f0ab1baaef0e701927e4 Mon Sep 17 00:00:00 2001 +From: itchyny <[email protected]> +Date: Wed, 13 May 2026 19:41:49 +0900 +Subject: [PATCH] Reject numeric literals longer than DEC_MAX_DIGITS + (999999999) + +A signed-int overflow in decNumber's D2U macro lets huge literals write +attacker-controlled bytes past a stack buffer. Cap the length before +calling decNumberFromString, and pre-slice long strings in +jv_dump_string_trunc so the resulting error message doesn't itself +allocate a multi-GiB buffer. Fixes CVE-2026-43894. + +CVE: CVE-2026-43894 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/9761ceb7d6cc48c16b25f0ab1baaef0e701927e4] + +(cherry picked from commit 9761ceb7d6cc48c16b25f0ab1baaef0e701927e4) +Signed-off-by: Shubham Pushpkar <[email protected]> +--- + src/jv.c | 5 ++++- + src/jv_print.c | 4 ++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/jv.c b/src/jv.c +index 34573b8..26ccfc0 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -579,8 +579,11 @@ + } + + static jv jvp_literal_number_new(const char * literal) { ++ size_t len = strlen(literal); ++ if (len > DEC_MAX_DIGITS) ++ return JV_INVALID; + +- jvp_literal_number * n = jvp_literal_number_alloc(strlen(literal)); ++ jvp_literal_number * n = jvp_literal_number_alloc(len); + + n->refcnt = JV_REFCNT_INIT; + n->literal_data = NULL; +diff --git a/src/jv_print.c b/src/jv_print.c +index 7f1e312..25540c5 100644 +--- a/src/jv_print.c ++++ b/src/jv_print.c +@@ -387,6 +387,10 @@ + } + + char *jv_dump_string_trunc(jv x, char *outbuf, size_t bufsize) { ++ if (jv_get_kind(x) == JV_KIND_STRING && ++ (size_t)jv_string_length_bytes(jv_copy(x)) > bufsize) { ++ x = jv_string_slice(x, 0, bufsize); ++ } + x = jv_dump_string(x,0); + const char* p = jv_string_value(x); + const size_t len = strlen(p); +-- +2.44.4 diff --git a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb index 917196d7b5..54fa9f096d 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb @@ -23,6 +23,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \ file://CVE-2026-40612.patch \ file://CVE-2026-41256.patch \ file://CVE-2026-41257.patch \ + file://CVE-2026-43894.patch \ " SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2" -- 2.35.6
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#127512): https://lists.openembedded.org/g/openembedded-devel/message/127512 Mute This Topic: https://lists.openembedded.org/mt/119736519/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
