jq: add Upstream-Status and CVE tags into .patch files

v1 version was merged instead of v2 from:
https://lists.openembedded.org/g/openembedded-devel/message/118302
add missing Upstream-Status and CVE tags from v2.

Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
This commit is contained in:
Roland Kovacs
2025-08-02 23:55:36 +02:00
committed by Anuj Mittal
parent 3fbbd2c080
commit e099b1462d
3 changed files with 9 additions and 0 deletions
@@ -8,6 +8,9 @@ This commit fixes signed integer overflow and SEGV issues on growing
arrays and objects. The size of arrays and objects is now limited to arrays and objects. The size of arrays and objects is now limited to
`536870912` (`0x20000000`). This fixes CVE-2024-23337 and fixes #3262. `536870912` (`0x20000000`). This fixes CVE-2024-23337 and fixes #3262.
Upstream-Status: Backport [https://github.com/jqlang/jq.git/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e]
CVE: CVE-2024-23337
(cherry picked from commit de21386681c0df0104a99d9d09db23a9b2a78b1e) (cherry picked from commit de21386681c0df0104a99d9d09db23a9b2a78b1e)
Signed-off-by: Roland Kovacs <roland.kovacs@est.tech> Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
--- ---
@@ -7,6 +7,9 @@ This commit drops support for parsing NaN with payload in JSON like
`NaN123` and fixes CVE-2024-53427. Other JSON extensions like `NaN` and `NaN123` and fixes CVE-2024-53427. Other JSON extensions like `NaN` and
`Infinity` are still supported. Fixes #3023, fixes #3196, fixes #3246. `Infinity` are still supported. Fixes #3023, fixes #3196, fixes #3246.
Upstream-Status: Backport [https://github.com/jqlang/jq.git/commit/a09a4dfd55e6c24d04b35062ccfe4509748b1dd3]
CVE: CVE-2024-53427
(cherry picked from commit a09a4dfd55e6c24d04b35062ccfe4509748b1dd3) (cherry picked from commit a09a4dfd55e6c24d04b35062ccfe4509748b1dd3)
Signed-off-by: Roland Kovacs <roland.kovacs@est.tech> Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
--- ---
@@ -9,6 +9,9 @@ GHSA-p7rr-28xf-3m5w (`0[""*0]`) was fixed by the commit dc849e9bb74a,
but another case (`0[[]|implode]`) was still vulnerable. This commit but another case (`0[[]|implode]`) was still vulnerable. This commit
ensures string data is properly null-terminated, and fixes CVE-2025-48060. ensures string data is properly null-terminated, and fixes CVE-2025-48060.
Upstream-Status: Backport [https://github.com/jqlang/jq.git/commit/c6e041699d8cd31b97375a2596217aff2cfca85b]
CVE: CVE-2025-48060
(cherry picked from commit c6e041699d8cd31b97375a2596217aff2cfca85b) (cherry picked from commit c6e041699d8cd31b97375a2596217aff2cfca85b)
Signed-off-by: Roland Kovacs <roland.kovacs@est.tech> Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
--- ---