jq: Fix CVE-2026-40612

The upstream fix [3] is for a newer jq codebase. Debian has already
backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes
this CVE as tracked in Debian bug #1136445 [2].

[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-40612.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/d1a12569d91641135976a8536776a4a329c02cc2

Reference:
https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j

Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Shubham Pushpkar
2026-06-10 00:52:49 -07:00
committed by Anuj Mittal
parent 9f47f2e912
commit 92546d9ec0
2 changed files with 154 additions and 0 deletions
@@ -0,0 +1,153 @@
From f1a72c7b5eb9c9e99576b2ca8e59ab1f36a2a4e3 Mon Sep 17 00:00:00 2001
From: itchyny <itchyny@cybozu.co.jp>
Date: Fri, 24 Apr 2026 22:02:24 +0900
Subject: [PATCH] Limit the containment check depth
This fixes CVE-2026-40612.
CVE: CVE-2026-40612
Upstream-Status: Backport [https://github.com/jqlang/jq/commit/d1a12569d91641135976a8536776a4a329c02cc2]
Backport Changes:
- The upstream regression test used `reduce ... as $x` without wrapping
the `reduce` expression in parentheses. jq 1.7.1 parses that form as a
syntax error before the test can run.
- Wrapped the `reduce range(10001) ...` expression in an extra set of
parentheses so jq 1.7.1 first builds the nested array, then binds that
result to `$x` for the `contains($x)` depth-limit check.
(cherry picked from commit d1a12569d91641135976a8536776a4a329c02cc2)
Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
---
src/builtin.c | 5 ++++-
src/jv.c | 40 +++++++++++++++++++++++++++-------------
tests/jq.test | 11 ++++++++++-
3 files changed, 41 insertions(+), 15 deletions(-)
diff --git a/src/builtin.c b/src/builtin.c
index 902490d..378be02 100644
--- a/src/builtin.c
+++ b/src/builtin.c
@@ -471,7 +471,10 @@ jv binop_greatereq(jv a, jv b) {
static jv f_contains(jq_state *jq, jv a, jv b) {
if (jv_get_kind(a) == jv_get_kind(b)) {
- return jv_bool(jv_contains(a, b));
+ int r = jv_contains(a, b);
+ if (r < 0)
+ return jv_invalid_with_msg(jv_string("Containment check too deep"));
+ return jv_bool(r);
} else {
return type_error2(a, b, "cannot have their containment checked");
}
diff --git a/src/jv.c b/src/jv.c
index 08ded35..5a2c3a2 100644
--- a/src/jv.c
+++ b/src/jv.c
@@ -914,19 +914,19 @@ static void jvp_clamp_slice_params(int len, int *pstart, int *pend)
}
-static int jvp_array_contains(jv a, jv b) {
+static int jvp_contains(jv a, jv b, int depth);
+
+static int jvp_array_contains(jv a, jv b, int depth) {
int r = 1;
jv_array_foreach(b, bi, belem) {
int ri = 0;
jv_array_foreach(a, ai, aelem) {
- if (jv_contains(aelem, jv_copy(belem))) {
- ri = 1;
- break;
- }
+ ri = jvp_contains(aelem, jv_copy(belem), depth);
+ if (ri) break;
}
jv_free(belem);
- if (!ri) {
- r = 0;
+ if (ri <= 0) {
+ r = ri;
break;
}
}
@@ -1794,7 +1794,7 @@ static int jvp_object_equal(jv o1, jv o2) {
return len1 == len2;
}
-static int jvp_object_contains(jv a, jv b) {
+static int jvp_object_contains(jv a, jv b, int depth) {
assert(JVP_HAS_KIND(a, JV_KIND_OBJECT));
assert(JVP_HAS_KIND(b, JV_KIND_OBJECT));
int r = 1;
@@ -1802,9 +1802,9 @@ static int jvp_object_contains(jv a, jv b) {
jv_object_foreach(b, key, b_val) {
jv a_val = jv_object_get(jv_copy(a), key);
- r = jv_contains(a_val, b_val);
+ r = jvp_contains(a_val, b_val, depth);
- if (!r) break;
+ if (r <= 0) break;
}
return r;
}
@@ -2035,14 +2035,23 @@ int jv_identical(jv a, jv b) {
return r;
}
-int jv_contains(jv a, jv b) {
+#ifndef MAX_CONTAINS_DEPTH
+#define MAX_CONTAINS_DEPTH (10000)
+#endif
+
+static int jvp_contains(jv a, jv b, int depth) {
+ if (depth > MAX_CONTAINS_DEPTH) {
+ jv_free(a);
+ jv_free(b);
+ return -1;
+ }
int r = 1;
if (jv_get_kind(a) != jv_get_kind(b)) {
r = 0;
} else if (JVP_HAS_KIND(a, JV_KIND_OBJECT)) {
- r = jvp_object_contains(a, b);
+ r = jvp_object_contains(a, b, depth + 1);
} else if (JVP_HAS_KIND(a, JV_KIND_ARRAY)) {
- r = jvp_array_contains(a, b);
+ r = jvp_array_contains(a, b, depth + 1);
} else if (JVP_HAS_KIND(a, JV_KIND_STRING)) {
int b_len = jv_string_length_bytes(jv_copy(b));
if (b_len != 0) {
@@ -2058,3 +2067,8 @@ int jv_contains(jv a, jv b) {
jv_free(b);
return r;
}
+
+// Returns 1 (contained), 0 (not contained), or -1 (too deep)
+int jv_contains(jv a, jv b) {
+ return jvp_contains(a, b, 0);
+}
diff --git a/tests/jq.test b/tests/jq.test
index 4d57301..40d14d6 100644
--- a/tests/jq.test
+++ b/tests/jq.test
@@ -2153,4 +2153,13 @@ null
try delpaths([[range(10001) | 0]]) catch .
null
-"Path too deep"
\ No newline at end of file
+"Path too deep"
+
+# regression test for CVE-2026-40612
+reduce range(10000) as $_ ([]; [.]) | contains([[]])
+null
+true
+
+try ((reduce range(10001) as $_ ([]; [.])) as $x | $x | contains($x)) catch .
+null
+"Containment check too deep"
--
2.44.4
+1
View File
@@ -20,6 +20,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \
file://CVE-2026-33947.patch \ file://CVE-2026-33947.patch \
file://CVE-2026-33948.patch \ file://CVE-2026-33948.patch \
file://CVE-2026-39979.patch \ file://CVE-2026-39979.patch \
file://CVE-2026-40612.patch \
" "
SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2" SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"