mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-05-08 17:39:24 +00:00
Code Issues Projects Releases Wiki Activity

jq: patch CVE-2026-33948

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33948

Backport the patch that is referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
This commit is contained in:
Gyorgy Sarvari
2026-04-20 08:27:36 +02:00
committed by Khem Raj
parent 525e18ce21
commit 8d399af333
2 changed files with 50 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch
+49
View File
@@ -0,0 +1,49 @@
From 19a792c4cdb6b91c056eac033ac3367af6e67755 Mon Sep 17 00:00:00 2001
From: itchyny <itchyny@cybozu.co.jp>
Date: Mon, 13 Apr 2026 08:46:11 +0900
Subject: [PATCH] Fix NUL truncation in the JSON parser
This fixes CVE-2026-33948.
CVE: CVE-2026-33948
Upstream-Status: Backport [https://github.com/jqlang/jq/commit/6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
src/util.c | 8 +-------
tests/shtest | 6 ++++++
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/util.c b/src/util.c
index bcb86da..60ec4d5 100644
--- a/src/util.c
+++ b/src/util.c
@@ -309,13 +309,7 @@ static int jq_util_input_read_more(jq_util_input_state *state) {
if (p != NULL)
state->current_line++;
- if (p == NULL && state->parser != NULL) {
- /*
- * There should be no NULs in JSON texts (but JSON text
- * sequences are another story).
- */
- state->buf_valid_len = strlen(state->buf);
- } else if (p == NULL && feof(state->current_input)) {
+ if (p == NULL && feof(state->current_input)) {
size_t i;
/*
diff --git a/tests/shtest b/tests/shtest
index 887a6bb..a046afe 100755
--- a/tests/shtest
+++ b/tests/shtest
@@ -842,4 +842,10 @@ if ! $msys && ! $mingw; then
fi
fi
+# CVE-2026-33948: No NUL truncation in the JSON parser
+if printf '{}\x00{}' | $JQ >/dev/null 2> /dev/null; then
+ printf 'Error expected but jq exited successfully\n' 1>&2
+ exit 1
+fi
+
exit 0
meta-oe/recipes-devtools/jq/jq_1.8.1.bb
+1
View File
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
file://0001-Support-building-with-disable-maintainer-mode-and-so.patch \ file://0001-Support-building-with-disable-maintainer-mode-and-so.patch \
file://CVE-2026-32316.patch \ file://CVE-2026-32316.patch \
file://CVE-2026-33947.patch \ file://CVE-2026-33947.patch \
file://CVE-2026-33948.patch \
" "
inherit autotools ptest inherit autotools ptest