mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 16:27:27 +00:00
jq: Fix CVE-2026-43896
The upstream fix [3] is for a newer jq codebase. Debian has already backported this fix in jq 1.8.1-7. Use the Debian patch [1], which fixes this CVE as tracked in Debian bug #1136445 [2]. [1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-43896.patch [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445 [3] https://github.com/jqlang/jq/commit/532ccea6080ed6758f39fe9f6208a44b665023d2 Reference: https://github.com/jqlang/jq/security/advisories/GHSA-mg96-6h3q-g846 Signed-off-by: Shubham Pushpkar <spushpka@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
committed by
Anuj Mittal
parent
ed1d6f1e0a
commit
1d301aca63
@@ -0,0 +1,97 @@
|
|||||||
|
From 532ccea6080ed6758f39fe9f6208a44b665023d2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: itchyny <itchyny@cybozu.co.jp>
|
||||||
|
Date: Tue, 5 May 2026 22:44:02 +0900
|
||||||
|
Subject: [PATCH] Limit recursive object merge depth to prevent stack overflow
|
||||||
|
|
||||||
|
This fixes CVE-2026-43896.
|
||||||
|
|
||||||
|
CVE: CVE-2026-43896
|
||||||
|
Upstream-Status: Backport [https://github.com/jqlang/jq/commit/532ccea6080ed6758f39fe9f6208a44b665023d2]
|
||||||
|
|
||||||
|
Backport Changes:
|
||||||
|
- Adapted the tests/jq.test hunk context to apply after the existing
|
||||||
|
jq 1.7.1 CVE regression tests in the scarthgap patch stack.
|
||||||
|
- The upstream regression test used `reduce ... as $x` without wrapping
|
||||||
|
the `reduce` expression in parentheses. jq 1.7.1 parses that form as a
|
||||||
|
syntax error before the test can run.
|
||||||
|
- Wrapped the `reduce range(...) ...` expression in an extra set of
|
||||||
|
parentheses so jq 1.7.1 first builds the nested object, then binds that
|
||||||
|
result to `$x` for the object merge depth-limit check.
|
||||||
|
|
||||||
|
(cherry picked from commit 532ccea6080ed6758f39fe9f6208a44b665023d2)
|
||||||
|
Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
|
||||||
|
---
|
||||||
|
src/jv.c | 25 +++++++++++++++++++++++--
|
||||||
|
tests/jq.test | 9 +++++++++
|
||||||
|
2 files changed, 32 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/jv.c b/src/jv.c
|
||||||
|
index 34573b8..b112757 100644
|
||||||
|
--- a/src/jv.c
|
||||||
|
+++ b/src/jv.c
|
||||||
|
@@ -1884,16 +1884,33 @@ jv jv_object_merge(jv a, jv b) {
|
||||||
|
return a;
|
||||||
|
}
|
||||||
|
|
||||||
|
-jv jv_object_merge_recursive(jv a, jv b) {
|
||||||
|
+#ifndef MAX_OBJECT_MERGE_DEPTH
|
||||||
|
+#define MAX_OBJECT_MERGE_DEPTH (10000)
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+static jv jvp_object_merge_recursive(jv a, jv b, int depth) {
|
||||||
|
assert(JVP_HAS_KIND(a, JV_KIND_OBJECT));
|
||||||
|
assert(JVP_HAS_KIND(b, JV_KIND_OBJECT));
|
||||||
|
|
||||||
|
+ if (depth > MAX_OBJECT_MERGE_DEPTH) {
|
||||||
|
+ jv_free(a);
|
||||||
|
+ jv_free(b);
|
||||||
|
+ return jv_invalid_with_msg(jv_string("Object merge too deep"));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
jv_object_foreach(b, k, v) {
|
||||||
|
jv elem = jv_object_get(jv_copy(a), jv_copy(k));
|
||||||
|
if (jv_is_valid(elem) &&
|
||||||
|
JVP_HAS_KIND(elem, JV_KIND_OBJECT) &&
|
||||||
|
JVP_HAS_KIND(v, JV_KIND_OBJECT)) {
|
||||||
|
- a = jv_object_set(a, k, jv_object_merge_recursive(elem, v));
|
||||||
|
+ jv merged = jvp_object_merge_recursive(elem, v, depth + 1);
|
||||||
|
+ if (!jv_is_valid(merged)) {
|
||||||
|
+ jv_free(k);
|
||||||
|
+ jv_free(a);
|
||||||
|
+ jv_free(b);
|
||||||
|
+ return merged;
|
||||||
|
+ }
|
||||||
|
+ a = jv_object_set(a, k, merged);
|
||||||
|
} else {
|
||||||
|
jv_free(elem);
|
||||||
|
a = jv_object_set(a, k, v);
|
||||||
|
@@ -1904,6 +1921,10 @@ jv jv_object_merge_recursive(jv a, jv b) {
|
||||||
|
return a;
|
||||||
|
}
|
||||||
|
|
||||||
|
+jv jv_object_merge_recursive(jv a, jv b) {
|
||||||
|
+ return jvp_object_merge_recursive(a, b, 0);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Object iteration (internal helpers)
|
||||||
|
*/
|
||||||
|
diff --git a/tests/jq.test b/tests/jq.test
|
||||||
|
index 86bfc56..a258c11 100644
|
||||||
|
--- a/tests/jq.test
|
||||||
|
+++ b/tests/jq.test
|
||||||
|
@@ -2633,3 +2633,12 @@ true
|
||||||
|
try ((reduce range(10001) as $_ ([]; [.])) as $x | $x | contains($x)) catch .
|
||||||
|
null
|
||||||
|
"Containment check too deep"
|
||||||
|
+
|
||||||
|
+# regression test for CVE-2026-43896
|
||||||
|
+(reduce range(10000) as $_ ({}; {a: .})) as $x | $x * $x | length
|
||||||
|
+null
|
||||||
|
+1
|
||||||
|
+
|
||||||
|
+try ((reduce range(10001) as $_ ({}; {a: .})) as $x | $x * $x) catch .
|
||||||
|
+null
|
||||||
|
+"Object merge too deep"
|
||||||
|
--
|
||||||
|
2.44.4
|
||||||
@@ -24,6 +24,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \
|
|||||||
file://CVE-2026-41256.patch \
|
file://CVE-2026-41256.patch \
|
||||||
file://CVE-2026-41257.patch \
|
file://CVE-2026-41257.patch \
|
||||||
file://CVE-2026-43894.patch \
|
file://CVE-2026-43894.patch \
|
||||||
|
file://CVE-2026-43896.patch \
|
||||||
"
|
"
|
||||||
SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
|
SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user