mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
jq: Fix CVE-2026-41257
The upstream fix [3] is for a newer jq codebase. Debian has already backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes this CVE as tracked in Debian bug #1136445 [2]. [1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-41257.patch [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445 [3] https://github.com/jqlang/jq/commit/01b3cded76daacbfddb7f8763700b0803bcb5c6f Signed-off-by: Shubham Pushpkar <spushpka@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
committed by
Anuj Mittal
parent
d2c778bb20
commit
69716b15d8
@@ -0,0 +1,57 @@
|
|||||||
|
From a525b86330b4b8889e0329249b8d2e04f9640a2a Mon Sep 17 00:00:00 2001
|
||||||
|
From: itchyny <itchyny@cybozu.co.jp>
|
||||||
|
Date: Fri, 24 Apr 2026 22:09:44 +0900
|
||||||
|
Subject: [PATCH] Fix signed-int overflow in `stack_reallocate`
|
||||||
|
|
||||||
|
This fixes CVE-2026-41257.
|
||||||
|
|
||||||
|
CVE: CVE-2026-41257
|
||||||
|
Upstream-Status: Backport [https://github.com/jqlang/jq/commit/01b3cded76daacbfddb7f8763700b0803bcb5c6f]
|
||||||
|
|
||||||
|
(cherry picked from commit 01b3cded76daacbfddb7f8763700b0803bcb5c6f)
|
||||||
|
Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
|
||||||
|
---
|
||||||
|
src/exec_stack.h | 14 ++++++++++----
|
||||||
|
1 file changed, 10 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/exec_stack.h b/src/exec_stack.h
|
||||||
|
index 2a063e8..159c56e 100644
|
||||||
|
--- a/src/exec_stack.h
|
||||||
|
+++ b/src/exec_stack.h
|
||||||
|
@@ -2,8 +2,10 @@
|
||||||
|
#define EXEC_STACK_H
|
||||||
|
#include <stddef.h>
|
||||||
|
#include <stdint.h>
|
||||||
|
+#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
+#include <limits.h>
|
||||||
|
#include "jv_alloc.h"
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -81,15 +83,19 @@ static stack_ptr* stack_block_next(struct stack* s, stack_ptr p) {
|
||||||
|
}
|
||||||
|
|
||||||
|
static void stack_reallocate(struct stack* s, size_t sz) {
|
||||||
|
- int old_mem_length = -(s->bound) + ALIGNMENT;
|
||||||
|
- char* old_mem_start = (s->mem_end != NULL) ? (s->mem_end - old_mem_length) : NULL;
|
||||||
|
+ size_t old_mem_length = (size_t)(-(s->bound)) + ALIGNMENT;
|
||||||
|
+ char* old_mem_start = s->mem_end != NULL ? s->mem_end - old_mem_length : NULL;
|
||||||
|
|
||||||
|
- int new_mem_length = align_round_up((old_mem_length + sz + 256) * 2);
|
||||||
|
+ size_t new_mem_length = align_round_up((old_mem_length + sz + 256) * 2);
|
||||||
|
+ if (new_mem_length > INT_MAX) {
|
||||||
|
+ fprintf(stderr, "jq: error: cannot allocate memory\n");
|
||||||
|
+ abort();
|
||||||
|
+ }
|
||||||
|
char* new_mem_start = jv_mem_realloc(old_mem_start, new_mem_length);
|
||||||
|
memmove(new_mem_start + (new_mem_length - old_mem_length),
|
||||||
|
new_mem_start, old_mem_length);
|
||||||
|
s->mem_end = new_mem_start + new_mem_length;
|
||||||
|
- s->bound = -(new_mem_length - ALIGNMENT);
|
||||||
|
+ s->bound = -(int)(new_mem_length - ALIGNMENT);
|
||||||
|
}
|
||||||
|
|
||||||
|
static stack_ptr stack_push_block(struct stack* s, stack_ptr p, size_t sz) {
|
||||||
|
--
|
||||||
|
2.44.4
|
||||||
@@ -22,6 +22,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \
|
|||||||
file://CVE-2026-39979.patch \
|
file://CVE-2026-39979.patch \
|
||||||
file://CVE-2026-40612.patch \
|
file://CVE-2026-40612.patch \
|
||||||
file://CVE-2026-41256.patch \
|
file://CVE-2026-41256.patch \
|
||||||
|
file://CVE-2026-41257.patch \
|
||||||
"
|
"
|
||||||
SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
|
SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user