jq: Fix CVE-2026-43894

The upstream fix [3] is for a newer jq codebase. Debian has already
backported this fix in jq 1.8.1-7. Use the Debian patch [1], which fixes
this CVE as tracked in Debian bug #1136445 [2].

[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-43894.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/9761ceb7d6cc48c16b25f0ab1baaef0e701927e4

Reference:
https://github.com/jqlang/jq/security/advisories/GHSA-5v7p-2r57-2g4g

Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Shubham Pushpkar
2026-06-10 00:52:52 -07:00
committed by Anuj Mittal
parent 69716b15d8
commit ed1d6f1e0a
2 changed files with 57 additions and 0 deletions
@@ -0,0 +1,56 @@
From 9761ceb7d6cc48c16b25f0ab1baaef0e701927e4 Mon Sep 17 00:00:00 2001
From: itchyny <itchyny@cybozu.co.jp>
Date: Wed, 13 May 2026 19:41:49 +0900
Subject: [PATCH] Reject numeric literals longer than DEC_MAX_DIGITS
(999999999)
A signed-int overflow in decNumber's D2U macro lets huge literals write
attacker-controlled bytes past a stack buffer. Cap the length before
calling decNumberFromString, and pre-slice long strings in
jv_dump_string_trunc so the resulting error message doesn't itself
allocate a multi-GiB buffer. Fixes CVE-2026-43894.
CVE: CVE-2026-43894
Upstream-Status: Backport [https://github.com/jqlang/jq/commit/9761ceb7d6cc48c16b25f0ab1baaef0e701927e4]
(cherry picked from commit 9761ceb7d6cc48c16b25f0ab1baaef0e701927e4)
Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
---
src/jv.c | 5 ++++-
src/jv_print.c | 4 ++++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/jv.c b/src/jv.c
index 34573b8..26ccfc0 100644
--- a/src/jv.c
+++ b/src/jv.c
@@ -579,8 +579,11 @@
}
static jv jvp_literal_number_new(const char * literal) {
+ size_t len = strlen(literal);
+ if (len > DEC_MAX_DIGITS)
+ return JV_INVALID;
- jvp_literal_number * n = jvp_literal_number_alloc(strlen(literal));
+ jvp_literal_number * n = jvp_literal_number_alloc(len);
n->refcnt = JV_REFCNT_INIT;
n->literal_data = NULL;
diff --git a/src/jv_print.c b/src/jv_print.c
index 7f1e312..25540c5 100644
--- a/src/jv_print.c
+++ b/src/jv_print.c
@@ -387,6 +387,10 @@
}
char *jv_dump_string_trunc(jv x, char *outbuf, size_t bufsize) {
+ if (jv_get_kind(x) == JV_KIND_STRING &&
+ (size_t)jv_string_length_bytes(jv_copy(x)) > bufsize) {
+ x = jv_string_slice(x, 0, bufsize);
+ }
x = jv_dump_string(x,0);
const char* p = jv_string_value(x);
const size_t len = strlen(p);
--
2.44.4
+1
View File
@@ -23,6 +23,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \
file://CVE-2026-40612.patch \
file://CVE-2026-41256.patch \
file://CVE-2026-41257.patch \
file://CVE-2026-43894.patch \
"
SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"