From 383ff869536417d6a562fda8b1e268b27483ae1b Mon Sep 17 00:00:00 2001 From: Daniel Turull Date: Fri, 24 Apr 2026 13:53:11 +0200 Subject: [PATCH] jq: fix CVE-2026-40164 Backport patch to fix CVE-2026-40164. Signed-off-by: Daniel Turull Signed-off-by: Anuj Mittal --- .../jq/jq/CVE-2026-40164.patch | 92 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.7.1.bb | 1 + 2 files changed, 93 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-40164.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-40164.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40164.patch new file mode 100644 index 0000000000..91b778a6b4 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40164.patch @@ -0,0 +1,92 @@ +From 5077fc0780810ba556518ff3ae34df0832a469d4 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Mon, 13 Apr 2026 08:53:26 +0900 +Subject: [PATCH] Randomize hash seed to mitigate hash collision DoS attacks + +The hash function used a fixed seed, allowing attackers to craft colliding keys +and cause O(n^2) object parsing performance. Initialize the seed from a random +source at process startup to prevent the attack. This fixes CVE-2026-40164. + +Co-authored-by: Asaf Meizner + +CVE: CVE-2026-40164 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/0c7d133c3c7e37c00b6d46b658a02244fdd3c784] + +Signed-off-by: Daniel Turull +--- + configure.ac | 2 ++ + src/jv.c | 34 ++++++++++++++++++++++++++++++++-- + 2 files changed, 34 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 118e084..7f12b52 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -149,6 +149,8 @@ AC_CHECK_MEMBER([struct tm.tm_gmtoff], [AC_DEFINE([HAVE_TM_TM_GMT_OFF],1,[Define + AC_CHECK_MEMBER([struct tm.__tm_gmtoff], [AC_DEFINE([HAVE_TM___TM_GMT_OFF],1,[Define to 1 if the system has the __tm_gmt_off field in struct tm])], + [], [[#include ]]) + AC_FIND_FUNC([setlocale], [c], [#include ], [0,0]) ++AC_FIND_FUNC([arc4random], [c], [#include ], []) ++AC_FIND_FUNC([getentropy], [c], [#include ], [0, 0]) + + dnl Figure out if we have the pthread functions we actually need + AC_FIND_FUNC_NO_LIBS([pthread_key_create], [], [#include ], [NULL, NULL]) +diff --git a/src/jv.c b/src/jv.c +index 18dbb54..27cc2a4 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -40,6 +40,10 @@ + #include + #include + #include ++#include ++#include ++#include ++#include + + #include "jv_alloc.h" + #include "jv.h" +@@ -1174,7 +1178,33 @@ static jv jvp_string_append(jv string, const char* data, uint32_t len) { + } + } + +-static const uint32_t HASH_SEED = 0x432A9843; ++static uint32_t hash_seed; ++static pthread_once_t hash_seed_once = PTHREAD_ONCE_INIT; ++ ++static void jvp_hash_seed_init(void) { ++ uint32_t seed; ++#if defined(HAVE_ARC4RANDOM) ++ seed = arc4random(); ++#elif defined(HAVE_GETENTROPY) ++ if (getentropy(&seed, sizeof(seed)) != 0) ++ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); ++#else ++ int fd = open("/dev/urandom", O_RDONLY); ++ if (fd >= 0) { ++ if (read(fd, &seed, sizeof(seed)) != 4) ++ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); ++ close(fd); ++ } else { ++ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); ++ } ++#endif ++ hash_seed = seed; ++} ++ ++static uint32_t jvp_hash_seed(void) { ++ pthread_once(&hash_seed_once, jvp_hash_seed_init); ++ return hash_seed; ++} + + static uint32_t rotl32 (uint32_t x, int8_t r){ + return (x << r) | (x >> (32 - r)); +@@ -1193,7 +1223,7 @@ static uint32_t jvp_string_hash(jv jstr) { + int len = (int)jvp_string_length(str); + const int nblocks = len / 4; + +- uint32_t h1 = HASH_SEED; ++ uint32_t h1 = jvp_hash_seed(); + + const uint32_t c1 = 0xcc9e2d51; + const uint32_t c2 = 0x1b873593; diff --git a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb index dfc8dda7ee..566e8017dc 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb @@ -15,6 +15,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \ file://CVE-2024-53427.patch \ file://CVE-2025-48060.patch \ file://CVE-2025-9403.patch \ + file://CVE-2026-40164.patch \ " SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"