mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
jq: patch CVE-2026-33947
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33947 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
@@ -0,0 +1,107 @@
|
|||||||
|
From d6a36423898f756355c270c4acae335318ac357c Mon Sep 17 00:00:00 2001
|
||||||
|
From: itchyny <itchyny@cybozu.co.jp>
|
||||||
|
Date: Mon, 13 Apr 2026 11:23:40 +0900
|
||||||
|
Subject: [PATCH] Limit path depth to prevent stack overflow
|
||||||
|
|
||||||
|
Deeply nested path arrays can cause unbounded recursion in
|
||||||
|
`jv_setpath`, `jv_getpath`, and `jv_delpaths`, leading to
|
||||||
|
stack overflow. Add a depth limit of 10000 to match the
|
||||||
|
existing `tojson` depth limit. This fixes CVE-2026-33947.
|
||||||
|
|
||||||
|
(cherry picked from commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f)
|
||||||
|
|
||||||
|
CVE: CVE-2026-33947
|
||||||
|
Upstream-Status: Backport [https://github.com/jqlang/jq/commit/fb59f1491058d58bdc3e8dd28f1773d1ac690a1f]
|
||||||
|
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
||||||
|
---
|
||||||
|
src/jv_aux.c | 21 +++++++++++++++++++++
|
||||||
|
tests/jq.test | 25 +++++++++++++++++++++++++
|
||||||
|
2 files changed, 46 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/jv_aux.c b/src/jv_aux.c
|
||||||
|
index bbe1c0d..0855053 100644
|
||||||
|
--- a/src/jv_aux.c
|
||||||
|
+++ b/src/jv_aux.c
|
||||||
|
@@ -376,6 +376,10 @@ static jv jv_dels(jv t, jv keys) {
|
||||||
|
return t;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef MAX_PATH_DEPTH
|
||||||
|
+#define MAX_PATH_DEPTH (10000)
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
jv jv_setpath(jv root, jv path, jv value) {
|
||||||
|
if (jv_get_kind(path) != JV_KIND_ARRAY) {
|
||||||
|
jv_free(value);
|
||||||
|
@@ -383,6 +387,12 @@ jv jv_setpath(jv root, jv path, jv value) {
|
||||||
|
jv_free(path);
|
||||||
|
return jv_invalid_with_msg(jv_string("Path must be specified as an array"));
|
||||||
|
}
|
||||||
|
+ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) {
|
||||||
|
+ jv_free(value);
|
||||||
|
+ jv_free(root);
|
||||||
|
+ jv_free(path);
|
||||||
|
+ return jv_invalid_with_msg(jv_string("Path too deep"));
|
||||||
|
+ }
|
||||||
|
if (!jv_is_valid(root)){
|
||||||
|
jv_free(value);
|
||||||
|
jv_free(path);
|
||||||
|
@@ -434,6 +444,11 @@ jv jv_getpath(jv root, jv path) {
|
||||||
|
jv_free(path);
|
||||||
|
return jv_invalid_with_msg(jv_string("Path must be specified as an array"));
|
||||||
|
}
|
||||||
|
+ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) {
|
||||||
|
+ jv_free(root);
|
||||||
|
+ jv_free(path);
|
||||||
|
+ return jv_invalid_with_msg(jv_string("Path too deep"));
|
||||||
|
+ }
|
||||||
|
if (!jv_is_valid(root)) {
|
||||||
|
jv_free(path);
|
||||||
|
return root;
|
||||||
|
@@ -511,6 +526,12 @@ jv jv_delpaths(jv object, jv paths) {
|
||||||
|
jv_free(elem);
|
||||||
|
return err;
|
||||||
|
}
|
||||||
|
+ if (jv_array_length(jv_copy(elem)) > MAX_PATH_DEPTH) {
|
||||||
|
+ jv_free(object);
|
||||||
|
+ jv_free(paths);
|
||||||
|
+ jv_free(elem);
|
||||||
|
+ return jv_invalid_with_msg(jv_string("Path too deep"));
|
||||||
|
+ }
|
||||||
|
jv_free(elem);
|
||||||
|
}
|
||||||
|
if (jv_array_length(jv_copy(paths)) == 0) {
|
||||||
|
diff --git a/tests/jq.test b/tests/jq.test
|
||||||
|
index ecb9116..4d57301 100644
|
||||||
|
--- a/tests/jq.test
|
||||||
|
+++ b/tests/jq.test
|
||||||
|
@@ -2129,3 +2129,28 @@ try ltrimstr("x") catch "x", try rtrimstr("x") catch "x" | "ok"
|
||||||
|
{"hey":[]}
|
||||||
|
"ok"
|
||||||
|
"ok"
|
||||||
|
+
|
||||||
|
+# regression test for CVE-2026-33947
|
||||||
|
+setpath([range(10000) | 0]; 0) | flatten
|
||||||
|
+null
|
||||||
|
+[0]
|
||||||
|
+
|
||||||
|
+try setpath([range(10001) | 0]; 0) catch .
|
||||||
|
+null
|
||||||
|
+"Path too deep"
|
||||||
|
+
|
||||||
|
+getpath([range(10000) | 0])
|
||||||
|
+null
|
||||||
|
+null
|
||||||
|
+
|
||||||
|
+try getpath([range(10001) | 0]) catch .
|
||||||
|
+null
|
||||||
|
+"Path too deep"
|
||||||
|
+
|
||||||
|
+delpaths([[range(10000) | 0]])
|
||||||
|
+null
|
||||||
|
+null
|
||||||
|
+
|
||||||
|
+try delpaths([[range(10001) | 0]]) catch .
|
||||||
|
+null
|
||||||
|
+"Path too deep"
|
||||||
|
\ No newline at end of file
|
||||||
@@ -17,6 +17,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \
|
|||||||
file://CVE-2025-9403.patch \
|
file://CVE-2025-9403.patch \
|
||||||
file://CVE-2026-40164.patch \
|
file://CVE-2026-40164.patch \
|
||||||
file://CVE-2026-32316.patch \
|
file://CVE-2026-32316.patch \
|
||||||
|
file://CVE-2026-33947.patch \
|
||||||
"
|
"
|
||||||
SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
|
SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user