Commit Graph

29 Commits

Author SHA1 Message Date
Shubham Pushpkar 1d301aca63 jq: Fix CVE-2026-43896
The upstream fix [3] is for a newer jq codebase. Debian has already
backported this fix in jq 1.8.1-7. Use the Debian patch [1], which fixes
this CVE as tracked in Debian bug #1136445 [2].

[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-43896.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/532ccea6080ed6758f39fe9f6208a44b665023d2

Reference:
https://github.com/jqlang/jq/security/advisories/GHSA-mg96-6h3q-g846

Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-07-01 08:29:34 +05:30
Shubham Pushpkar ed1d6f1e0a jq: Fix CVE-2026-43894
The upstream fix [3] is for a newer jq codebase. Debian has already
backported this fix in jq 1.8.1-7. Use the Debian patch [1], which fixes
this CVE as tracked in Debian bug #1136445 [2].

[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-43894.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/9761ceb7d6cc48c16b25f0ab1baaef0e701927e4

Reference:
https://github.com/jqlang/jq/security/advisories/GHSA-5v7p-2r57-2g4g

Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-07-01 08:29:34 +05:30
Shubham Pushpkar 69716b15d8 jq: Fix CVE-2026-41257
The upstream fix [3] is for a newer jq codebase. Debian has already
backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes
this CVE as tracked in Debian bug #1136445 [2].

[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-41257.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/01b3cded76daacbfddb7f8763700b0803bcb5c6f

Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-07-01 08:29:33 +05:30
Shubham Pushpkar d2c778bb20 jq: Fix CVE-2026-41256
The upstream fix [3] is for a newer jq codebase. Debian has already
backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes
this CVE as tracked in Debian bug #1136445 [2].

[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-41256.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/5a015deae35d19e3ebbc65db6c157a80e76df738

Reference:
https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fg

Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-07-01 08:29:33 +05:30
Shubham Pushpkar 92546d9ec0 jq: Fix CVE-2026-40612
The upstream fix [3] is for a newer jq codebase. Debian has already
backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes
this CVE as tracked in Debian bug #1136445 [2].

[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-40612.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/d1a12569d91641135976a8536776a4a329c02cc2

Reference:
https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j

Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-07-01 08:29:32 +05:30
Khem Raj ae7dfb1224 jq: Stick to C17 until next release
Patches are sprinkled in master branch of jq but the backports
regresses tests, so its better to keep it at C17 for now.

Backport: changed from += to :append to apply to all target, native
and nativesdk builds.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-05 06:57:17 +05:30
Ankur Tyagi 964065663c jq: patch CVE-2026-39979
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-39979

Ptests passed:
root@qemux86:~# ptest-runner jq
START: ptest-runner
2026-04-26T11:09
BEGIN: /usr/lib/jq/ptest
PASS: optionaltest
PASS: mantest
PASS: jqtest
PASS: onigtest
PASS: shtest
PASS: utf8test
PASS: base64test
=== Test Summary ===
TOTAL: 7
PASSED: 7
FAILED: 0
SKIPPED: 0
DURATION: 44
END: /usr/lib/jq/ptest
2026-04-26T11:10
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Ankur Tyagi 6cbaf81a01 jq: patch CVE-2026-33948
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33948

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Ankur Tyagi 18de8de0ef jq: patch CVE-2026-33947
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33947

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Ankur Tyagi 9bdfbd20b2 jq: patch CVE-2026-32316
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32316

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Daniel Turull 383ff86953 jq: fix CVE-2026-40164
Backport patch to fix CVE-2026-40164.

Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Divya Chellam 62b9edf47b jq: fix CVE-2025-9403
A vulnerability was determined in jqlang jq up to 1.6. Impacted is the
function run_jq_tests of the file jq_test.c of the component JSON Parser.
Executing manipulation can lead to reachable assertion. The attack
requires local access. The exploit has been publicly disclosed and may be
utilized. Other versions might be affected as well.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9403

Upstream-patch:
https://github.com/jqlang/jq/commit/a4d9d540103ff9a262e304329c277ec89b27e5f9

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 15:11:47 +08:00
Roland Kovacs e099b1462d jq: add Upstream-Status and CVE tags into .patch files
v1 version was merged instead of v2 from:
https://lists.openembedded.org/g/openembedded-devel/message/118302
add missing Upstream-Status and CVE tags from v2.

Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-09-12 08:15:10 +08:00
Roland Kovacs 3d03058fe2 jq-1.7.1: Backport multiple CVE fixes
CVE: CVE-2024-23337
CVE: CVE-2024-53427
CVE: CVE-2025-48060

Patches CVE-2024-23337.patch and CVE-2024-53427.patch are backported from
jq-1.8.0, and CVE-2025-48060.patch is backported from jq-1.8.1.

Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2025-07-10 20:23:11 -04:00
Wang Mingyu bef4681e41 jq: upgrade 1.7 -> 1.7.1
Changelog:
==========
- CVE-2023-50246: Fix heap buffer overflow in jvp\_literal\_number\_literal
- CVE-2023-50268: fix stack-buffer-overflow if comparing nan with payload

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-12-29 09:04:17 -08:00
Alex Kiernan 3f378f7924 jq: Upgrade 1.6+git -> 1.7
Move to new upstream, drop use of autotools-brokensep as the build now
works without it, drop local patches which have been merged, fix
buildpaths leakage.

License-Update: Fix misspellings [https://github.com/jqlang/jq/commit/5cebe86a7b90e5718077c5e1d5c2165939d3f3cb]
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-09-28 21:44:26 -07:00
Martin Jansa be8c765c7c *.patch: add Upstream-Status to all patches
There is new patch-status QA check in oe-core:
https://git.openembedded.org/openembedded-core/commit/?id=76a685bfcf927593eac67157762a53259089ea8a

This is temporary work around just to hide _many_ warnings from
optional patch-status (if you add it to WARN_QA).

This just added
Upstream-Status: Pending
everywhere without actually investigating what's the proper status.

This is just to hide current QA warnings and to catch new .patch files being
added without Upstream-Status, but the number of Pending patches is now terrible:

5 (26%) 	meta-xfce
6 (50%) 	meta-perl
15 (42%)        meta-webserver
21 (36%)        meta-gnome
25 (57%)        meta-filesystems
26 (43%)        meta-initramfs
45 (45%)        meta-python
47 (55%)        meta-multimedia
312 (63%)       meta-networking
756 (61%)       meta-oe

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-06-21 09:15:20 -07:00
Zheng Qiu 3eaf01fcd4 jq: improve ptest and disable valgrind by default
Improve ptest result formatting.
In run-ptest, setting a flag to disable valgrind image unless
enabled by "valgrind" PACKAGECONFIG.
Requested jq for seprating make check, so in the future
it can be changed to utilize Makefile and reduce redudancy.

Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
Signed-off-by: Randy MacLeod <randy.macleod@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-10-18 15:06:37 -07:00
Zheng Qiu caca326d97 jq: add ptest
Add run-ptest to run the 7 tests provided by jq.

In do_install_ptest, add a soft link to jq in the ptest directory to avoid
having to patch the jq setup script.

While the jq tests can use valgrind, it is out of scope for integration
testing.

Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
Signed-off-by: Randy MacLeod <randy.macleod@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-09-17 01:09:18 -07:00
Khem Raj c803bce22b jq: Upgrade to latest and fix configure tests
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-09-07 16:44:53 -07:00
Joerg Vehlow 1aa9d7d53d jq: Fix typo OE_EXTRACONF -> EXTRA_OECONF
Signed-off-by: Joerg Vehlow <joerg.vehlow@aox.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-05-12 09:16:11 -07:00
William A. Kennington III 0d8dee9172 jq: upgrade 1.6 -> 2021-10-24 git
JQ has gone through more than 3 years of code changes and has had
significant performance improvements since the last release. The team is
still figuring out a new release process. Use the latest git commit to
pull in these changes.

Signed-off-by: William A. Kennington III <wak@google.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-01-19 09:28:51 -08:00
Pierre-Jean Texier c4fa664720 jq: fix upstream version check
Fixes:

INFO: Skip package jq (status = UNKNOWN_BROKEN, current version = 1.6, next version = N/A)

After this commit:

INFO: Skip package jq (status = MATCH, current version = 1.6, next version = 1.6)

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
2020-03-05 07:11:50 -08:00
Alex Kiernan 9ada8b1306 jq: update to 1.6
Drop backported patch as it's present in 1.6. Switch to autotools-brokensep
to avoid

| sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's/^/"/' -e 's/$/\\n"/' ../jq-1.6/src/builtin.jq > src/builtin.inc
| /bin/sh: src/builtin.inc: No such file or directory

License-Update: whitespace changes
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-01-30 13:34:49 -08:00
Andre McCurdy 8b68ed985b jq: add support for jq-native + misc minor fixes
- Add PACKAGECONFIG options for docs, maintainer-mode and oniguruma

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2016-10-05 18:21:13 +02:00
Martin Jansa 4158dd4994 jq: add dependency on onig
* configure doesn't have config option ot disable it and it's autodetected from sysroot
  causing:
  WARN: jq: jq rdepends on onig, but it isn't a build dependency?

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2016-03-25 11:27:30 +01:00
Derek Straka 19a3f18e1e jq: upgrade to 1.5
update source url and checksums
license checksum update since trailing whitespace removed upstream
disable-maintainer-mode to avoid bison > 3.0 dependency

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2016-01-27 12:43:56 +01:00
Matthieu CRAPET 31577e783a jq: upgrade to 1.4
Signed-off-by: Matthieu Crapet <Matthieu.Crapet@ingenico.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2014-08-01 14:23:46 +02:00
Matthieu CRAPET 6f0a4b9471 jq: add new recipe for version 1.3
jq is like sed but for JSON data. It's a very useful tool with no dependency.

Signed-off-by: Matthieu Crapet <Matthieu.Crapet@ingenico.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2014-05-15 12:30:20 +02:00