From: Anton Skorup <[email protected]> CVE details: https://www.cve.org/CVERecord?id=CVE-2026-43896
Signed-off-by: Anton Skorup <[email protected]> --- v2 * Rebased on master-next --- .../jq/jq/CVE-2026-43896.patch | 82 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 83 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch new file mode 100644 index 0000000000..318c86a121 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch @@ -0,0 +1,82 @@ +From 532ccea6080ed6758f39fe9f6208a44b665023d2 Mon Sep 17 00:00:00 2001 +From: itchyny <[email protected]> +Date: Tue, 5 May 2026 22:44:02 +0900 +Subject: [PATCH] Limit recursive object merge depth to prevent stack overflow + +This fixes CVE-2026-43896. + +Signed-off-by: Anton Skorup <[email protected]> +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/532ccea6080ed6758f39fe9f6208a44b665023d2] +--- + src/jv.c | 25 +++++++++++++++++++++++-- + tests/jq.test | 9 +++++++++ + 2 files changed, 32 insertions(+), 2 deletions(-) + +diff --git a/src/jv.c b/src/jv.c +index feb68d1a1c..84fafef666 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -1899,16 +1899,33 @@ jv jv_object_merge(jv a, jv b) { + return a; + } + +-jv jv_object_merge_recursive(jv a, jv b) { ++#ifndef MAX_OBJECT_MERGE_DEPTH ++#define MAX_OBJECT_MERGE_DEPTH (10000) ++#endif ++ ++static jv jvp_object_merge_recursive(jv a, jv b, int depth) { + assert(JVP_HAS_KIND(a, JV_KIND_OBJECT)); + assert(JVP_HAS_KIND(b, JV_KIND_OBJECT)); + ++ if (depth > MAX_OBJECT_MERGE_DEPTH) { ++ jv_free(a); ++ jv_free(b); ++ return jv_invalid_with_msg(jv_string("Object merge too deep")); ++ } ++ + jv_object_foreach(b, k, v) { + jv elem = jv_object_get(jv_copy(a), jv_copy(k)); + if (jv_is_valid(elem) && + JVP_HAS_KIND(elem, JV_KIND_OBJECT) && + JVP_HAS_KIND(v, JV_KIND_OBJECT)) { +- a = jv_object_set(a, k, jv_object_merge_recursive(elem, v)); ++ jv merged = jvp_object_merge_recursive(elem, v, depth + 1); ++ if (!jv_is_valid(merged)) { ++ jv_free(k); ++ jv_free(a); ++ jv_free(b); ++ return merged; ++ } ++ a = jv_object_set(a, k, merged); + } else { + jv_free(elem); + a = jv_object_set(a, k, v); +@@ -1919,6 +1936,10 @@ jv jv_object_merge_recursive(jv a, jv b) { + return a; + } + ++jv jv_object_merge_recursive(jv a, jv b) { ++ return jvp_object_merge_recursive(a, b, 0); ++} ++ + /* + * Object iteration (internal helpers) + */ +diff --git a/tests/jq.test b/tests/jq.test +index 8094a5b6eb..9a80341f52 100644 +--- a/tests/jq.test ++++ b/tests/jq.test +@@ -2602,3 +2602,12 @@ true + try (reduce range(10001) as $_ ([]; [.]) as $x | $x | contains($x)) catch . + null + "Containment check too deep" ++ ++# regression test for CVE-2026-43896 ++reduce range(10000) as $_ ({}; {a: .}) as $x | $x * $x | length ++null ++1 ++ ++try (reduce range(10001) as $_ ({}; {a: .}) as $x | $x * $x) catch . ++null ++"Object merge too deep" diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 2634fd52a2..b0779b389e 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb @@ -18,6 +18,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-33948.patch \ file://CVE-2026-39979.patch \ file://CVE-2026-41256.patch \ + file://CVE-2026-43896.patch \ file://CVE-2026-47770.patch \ file://CVE-2026-44777.patch \ file://CVE-2026-49389.patch \ -- 2.43.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#127634): https://lists.openembedded.org/g/openembedded-devel/message/127634 Mute This Topic: https://lists.openembedded.org/mt/119846941/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
