mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
jq: Fix CVE-2026-40612
The upstream fix [3] is for a newer jq codebase. Debian has already backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes this CVE as tracked in Debian bug #1136445 [2]. [1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-40612.patch [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445 [3] https://github.com/jqlang/jq/commit/d1a12569d91641135976a8536776a4a329c02cc2 Reference: https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j Signed-off-by: Shubham Pushpkar <spushpka@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
committed by
Anuj Mittal
parent
9f47f2e912
commit
92546d9ec0
@@ -0,0 +1,153 @@
|
|||||||
|
From f1a72c7b5eb9c9e99576b2ca8e59ab1f36a2a4e3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: itchyny <itchyny@cybozu.co.jp>
|
||||||
|
Date: Fri, 24 Apr 2026 22:02:24 +0900
|
||||||
|
Subject: [PATCH] Limit the containment check depth
|
||||||
|
|
||||||
|
This fixes CVE-2026-40612.
|
||||||
|
|
||||||
|
CVE: CVE-2026-40612
|
||||||
|
Upstream-Status: Backport [https://github.com/jqlang/jq/commit/d1a12569d91641135976a8536776a4a329c02cc2]
|
||||||
|
|
||||||
|
Backport Changes:
|
||||||
|
- The upstream regression test used `reduce ... as $x` without wrapping
|
||||||
|
the `reduce` expression in parentheses. jq 1.7.1 parses that form as a
|
||||||
|
syntax error before the test can run.
|
||||||
|
- Wrapped the `reduce range(10001) ...` expression in an extra set of
|
||||||
|
parentheses so jq 1.7.1 first builds the nested array, then binds that
|
||||||
|
result to `$x` for the `contains($x)` depth-limit check.
|
||||||
|
|
||||||
|
(cherry picked from commit d1a12569d91641135976a8536776a4a329c02cc2)
|
||||||
|
Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
|
||||||
|
---
|
||||||
|
src/builtin.c | 5 ++++-
|
||||||
|
src/jv.c | 40 +++++++++++++++++++++++++++-------------
|
||||||
|
tests/jq.test | 11 ++++++++++-
|
||||||
|
3 files changed, 41 insertions(+), 15 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/builtin.c b/src/builtin.c
|
||||||
|
index 902490d..378be02 100644
|
||||||
|
--- a/src/builtin.c
|
||||||
|
+++ b/src/builtin.c
|
||||||
|
@@ -471,7 +471,10 @@ jv binop_greatereq(jv a, jv b) {
|
||||||
|
|
||||||
|
static jv f_contains(jq_state *jq, jv a, jv b) {
|
||||||
|
if (jv_get_kind(a) == jv_get_kind(b)) {
|
||||||
|
- return jv_bool(jv_contains(a, b));
|
||||||
|
+ int r = jv_contains(a, b);
|
||||||
|
+ if (r < 0)
|
||||||
|
+ return jv_invalid_with_msg(jv_string("Containment check too deep"));
|
||||||
|
+ return jv_bool(r);
|
||||||
|
} else {
|
||||||
|
return type_error2(a, b, "cannot have their containment checked");
|
||||||
|
}
|
||||||
|
diff --git a/src/jv.c b/src/jv.c
|
||||||
|
index 08ded35..5a2c3a2 100644
|
||||||
|
--- a/src/jv.c
|
||||||
|
+++ b/src/jv.c
|
||||||
|
@@ -914,19 +914,19 @@ static void jvp_clamp_slice_params(int len, int *pstart, int *pend)
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
-static int jvp_array_contains(jv a, jv b) {
|
||||||
|
+static int jvp_contains(jv a, jv b, int depth);
|
||||||
|
+
|
||||||
|
+static int jvp_array_contains(jv a, jv b, int depth) {
|
||||||
|
int r = 1;
|
||||||
|
jv_array_foreach(b, bi, belem) {
|
||||||
|
int ri = 0;
|
||||||
|
jv_array_foreach(a, ai, aelem) {
|
||||||
|
- if (jv_contains(aelem, jv_copy(belem))) {
|
||||||
|
- ri = 1;
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
+ ri = jvp_contains(aelem, jv_copy(belem), depth);
|
||||||
|
+ if (ri) break;
|
||||||
|
}
|
||||||
|
jv_free(belem);
|
||||||
|
- if (!ri) {
|
||||||
|
- r = 0;
|
||||||
|
+ if (ri <= 0) {
|
||||||
|
+ r = ri;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -1794,7 +1794,7 @@ static int jvp_object_equal(jv o1, jv o2) {
|
||||||
|
return len1 == len2;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static int jvp_object_contains(jv a, jv b) {
|
||||||
|
+static int jvp_object_contains(jv a, jv b, int depth) {
|
||||||
|
assert(JVP_HAS_KIND(a, JV_KIND_OBJECT));
|
||||||
|
assert(JVP_HAS_KIND(b, JV_KIND_OBJECT));
|
||||||
|
int r = 1;
|
||||||
|
@@ -1802,9 +1802,9 @@ static int jvp_object_contains(jv a, jv b) {
|
||||||
|
jv_object_foreach(b, key, b_val) {
|
||||||
|
jv a_val = jv_object_get(jv_copy(a), key);
|
||||||
|
|
||||||
|
- r = jv_contains(a_val, b_val);
|
||||||
|
+ r = jvp_contains(a_val, b_val, depth);
|
||||||
|
|
||||||
|
- if (!r) break;
|
||||||
|
+ if (r <= 0) break;
|
||||||
|
}
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
@@ -2035,14 +2035,23 @@ int jv_identical(jv a, jv b) {
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
|
||||||
|
-int jv_contains(jv a, jv b) {
|
||||||
|
+#ifndef MAX_CONTAINS_DEPTH
|
||||||
|
+#define MAX_CONTAINS_DEPTH (10000)
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+static int jvp_contains(jv a, jv b, int depth) {
|
||||||
|
+ if (depth > MAX_CONTAINS_DEPTH) {
|
||||||
|
+ jv_free(a);
|
||||||
|
+ jv_free(b);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
int r = 1;
|
||||||
|
if (jv_get_kind(a) != jv_get_kind(b)) {
|
||||||
|
r = 0;
|
||||||
|
} else if (JVP_HAS_KIND(a, JV_KIND_OBJECT)) {
|
||||||
|
- r = jvp_object_contains(a, b);
|
||||||
|
+ r = jvp_object_contains(a, b, depth + 1);
|
||||||
|
} else if (JVP_HAS_KIND(a, JV_KIND_ARRAY)) {
|
||||||
|
- r = jvp_array_contains(a, b);
|
||||||
|
+ r = jvp_array_contains(a, b, depth + 1);
|
||||||
|
} else if (JVP_HAS_KIND(a, JV_KIND_STRING)) {
|
||||||
|
int b_len = jv_string_length_bytes(jv_copy(b));
|
||||||
|
if (b_len != 0) {
|
||||||
|
@@ -2058,3 +2067,8 @@ int jv_contains(jv a, jv b) {
|
||||||
|
jv_free(b);
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+// Returns 1 (contained), 0 (not contained), or -1 (too deep)
|
||||||
|
+int jv_contains(jv a, jv b) {
|
||||||
|
+ return jvp_contains(a, b, 0);
|
||||||
|
+}
|
||||||
|
diff --git a/tests/jq.test b/tests/jq.test
|
||||||
|
index 4d57301..40d14d6 100644
|
||||||
|
--- a/tests/jq.test
|
||||||
|
+++ b/tests/jq.test
|
||||||
|
@@ -2153,4 +2153,13 @@ null
|
||||||
|
|
||||||
|
try delpaths([[range(10001) | 0]]) catch .
|
||||||
|
null
|
||||||
|
-"Path too deep"
|
||||||
|
\ No newline at end of file
|
||||||
|
+"Path too deep"
|
||||||
|
+
|
||||||
|
+# regression test for CVE-2026-40612
|
||||||
|
+reduce range(10000) as $_ ([]; [.]) | contains([[]])
|
||||||
|
+null
|
||||||
|
+true
|
||||||
|
+
|
||||||
|
+try ((reduce range(10001) as $_ ([]; [.])) as $x | $x | contains($x)) catch .
|
||||||
|
+null
|
||||||
|
+"Containment check too deep"
|
||||||
|
--
|
||||||
|
2.44.4
|
||||||
|
|
||||||
@@ -20,6 +20,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \
|
|||||||
file://CVE-2026-33947.patch \
|
file://CVE-2026-33947.patch \
|
||||||
file://CVE-2026-33948.patch \
|
file://CVE-2026-33948.patch \
|
||||||
file://CVE-2026-39979.patch \
|
file://CVE-2026-39979.patch \
|
||||||
|
file://CVE-2026-40612.patch \
|
||||||
"
|
"
|
||||||
SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
|
SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user