jq: fix CVE-2025-9403

A vulnerability was determined in jqlang jq up to 1.6. Impacted is the function run_jq_tests of the file jq_test.c of the component JSON Parser. Executing manipulation can lead to reachable assertion. The attack requires local access. The exploit has been publicly disclosed and may be utilized. Other versions might be affected as well. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-9403 Upstream-patch: https://github.com/jqlang/jq/commit/a4d9d540103ff9a262e304329c277ec89b27e5f9 Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-06-13 17:39:57 +00:00 · 2025-10-24 17:56:23 +05:30
parent 63bb7a478e
commit 6306bae883
2 changed files with 50 additions and 0 deletions
@@ -0,0 +1,49 @@
+From a4d9d540103ff9a262e304329c277ec89b27e5f9 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Mon, 15 Sep 2025 07:47:51 +0900
+Subject: [PATCH] Fix expected value assertion for NaN value (fix #3393)
+ (#3408)
+
+CVE: CVE-2025-9403
+
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/a4d9d540103ff9a262e304329c277ec89b27e5f9]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ src/jq_test.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/jq_test.c b/src/jq_test.c
+index eed633f..40a1d23 100644
+--- a/src/jq_test.c
+++ b/src/jq_test.c
+@@ -2,6 +2,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
+#include <math.h>
+ #include "jv.h"
+ #include "jq.h"
+ 
+@@ -200,11 +201,13 @@ static void run_jq_tests(jv lib_dirs, int verbose, FILE *testdata, int skip, int
+         printf(" for test at line number %u: %s\n", lineno, prog);
+         pass = 0;
+       }
+-      jv as_string = jv_dump_string(jv_copy(expected), rand() & ~(JV_PRINT_COLOR|JV_PRINT_REFCOUNT));
+-      jv reparsed = jv_parse_sized(jv_string_value(as_string), jv_string_length_bytes(jv_copy(as_string)));
+-      assert(jv_equal(jv_copy(expected), jv_copy(reparsed)));
+-      jv_free(as_string);
+-      jv_free(reparsed);
+      if (!(jv_get_kind(expected) == JV_KIND_NUMBER && isnan(jv_number_value(expected)))) {
+        jv as_string = jv_dump_string(jv_copy(expected), rand() & ~(JV_PRINT_COLOR|JV_PRINT_REFCOUNT));
+        jv reparsed = jv_parse_sized(jv_string_value(as_string), jv_string_length_bytes(jv_copy(as_string)));
+        assert(jv_equal(jv_copy(expected), jv_copy(reparsed)));
+        jv_free(as_string);
+        jv_free(reparsed);
+      }
+       jv_free(expected);
+       jv_free(actual);
+     }
+-- 
+2.40.0
+
@@ -15,6 +15,7 @@ SRC_URI = " \
    file://CVE-2025-48060.patch \
    file://CVE-2024-53427-01.patch \
    file://CVE-2024-53427-02.patch \
+    file://CVE-2025-9403.patch \
    "
 SRCREV = "a9f97e9e61a910a374a5d768244e8ad63f407d3e"
 S = "${WORKDIR}/git"