Please rebase it on top of latest master-next and resend.

On Tue, Jun 16, 2026 at 12:11 AM Anton Skorup via lists.openembedded.org
<[email protected]> wrote:

> From: Anton Skorup <[email protected]>
>
> CVE details: https://vulert.com/vuln-db/--4743
>
> Signed-off-by: Anton Skorup <[email protected]>
> ---
> v2
>  * Added patch to stack of jq CVEs
> ---
>  .../jq/jq/CVE-2026-49389.patch                | 31 +++++++++++++++++++
>  meta-oe/recipes-devtools/jq/jq_1.8.1.bb       |  1 +
>  2 files changed, 32 insertions(+)
>  create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch
>
> diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch
> b/meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch
> new file mode 100644
> index 0000000000..3189158b4a
> --- /dev/null
> +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch
> @@ -0,0 +1,31 @@
> +From e987df0d463d85fd70825e042a082427e8275b86 Mon Sep 17 00:00:00 2001
> +From: itchyny <[email protected]>
> +Date: Mon, 8 Jun 2026 22:14:48 +0900
> +Subject: [PATCH] Fix heap-buffer-overflow in raw file loading
> +
> +When `jv_string_append_buf` overflows the string length limit,
> +it returns an invalid `jv`; `jv_load_file` then re-entered it
> +on the invalid value and overran the heap. Break out of the loop
> +once the value is invalid.
> +
> +Fixes CVE-2026-49839.
> +
> +Signed-off-by: Anton Skorup <[email protected]>
> +Upstream-Status: Backport [
> https://github.com/jqlang/jq/commit/e987df0d463d85fd70825e042a082427e8275b86
> ]
> +---
> + src/jv_file.c | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/src/jv_file.c b/src/jv_file.c
> +index 7706b0e06e..fbc1e4d653 100644
> +--- a/src/jv_file.c
> ++++ b/src/jv_file.c
> +@@ -57,6 +57,8 @@ jv jv_load_file(const char* filename, int raw) {
> +
> +     if (raw) {
> +       data = jv_string_append_buf(data, buf, n);
> ++      if (!jv_is_valid(data))
> ++        break;
> +     } else {
> +       jv_parser_set_buf(parser, buf, n, !feof(file));
> +       jv value;
> diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
> b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
> index 026f6bfa71..0419ccd46d 100644
> --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
> +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
> @@ -17,6 +17,7 @@ SRC_URI = "git://
> github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
> <http://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-$%7B>
>             file://CVE-2026-33947.patch \
>             file://CVE-2026-33948.patch \
>             file://CVE-2026-39979.patch \
> +           file://CVE-2026-49389.patch \
>             "
>
>  inherit autotools ptest
> --
> 2.43.0
>
>
> 
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#127627): 
https://lists.openembedded.org/g/openembedded-devel/message/127627
Mute This Topic: https://lists.openembedded.org/mt/119829812/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to