From: Anton Skorup <antonsk@axis.com>
To: <openembedded-devel@lists.openembedded.org>
Cc: Anton Skorup <anton@skorup.se>, Anton Skorup <anton.skorup@axis.com>
Subject: [PATCH 4/8] jq: patch CVE-2026-43896
Date: Tue, 16 Jun 2026 08:27:50 +0200 [thread overview]
Message-ID: <20260616062754.748436-4-antonsk@axis.com> (raw)
In-Reply-To: <20260616062754.748436-1-antonsk@axis.com>
From: Anton Skorup <anton@skorup.se>
CVE details: https://www.cve.org/CVERecord?id=CVE-2026-43896
Signed-off-by: Anton Skorup <anton.skorup@axis.com>
---
.../jq/jq/CVE-2026-43896.patch | 82 +++++++++++++++++++
meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 +
2 files changed, 83 insertions(+)
create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch
diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch
new file mode 100644
index 0000000000..318c86a121
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch
@@ -0,0 +1,82 @@
+From 532ccea6080ed6758f39fe9f6208a44b665023d2 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Tue, 5 May 2026 22:44:02 +0900
+Subject: [PATCH] Limit recursive object merge depth to prevent stack overflow
+
+This fixes CVE-2026-43896.
+
+Signed-off-by: Anton Skorup <anton.skorup@axis.com>
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/532ccea6080ed6758f39fe9f6208a44b665023d2]
+---
+ src/jv.c | 25 +++++++++++++++++++++++--
+ tests/jq.test | 9 +++++++++
+ 2 files changed, 32 insertions(+), 2 deletions(-)
+
+diff --git a/src/jv.c b/src/jv.c
+index feb68d1a1c..84fafef666 100644
+--- a/src/jv.c
++++ b/src/jv.c
+@@ -1899,16 +1899,33 @@ jv jv_object_merge(jv a, jv b) {
+ return a;
+ }
+
+-jv jv_object_merge_recursive(jv a, jv b) {
++#ifndef MAX_OBJECT_MERGE_DEPTH
++#define MAX_OBJECT_MERGE_DEPTH (10000)
++#endif
++
++static jv jvp_object_merge_recursive(jv a, jv b, int depth) {
+ assert(JVP_HAS_KIND(a, JV_KIND_OBJECT));
+ assert(JVP_HAS_KIND(b, JV_KIND_OBJECT));
+
++ if (depth > MAX_OBJECT_MERGE_DEPTH) {
++ jv_free(a);
++ jv_free(b);
++ return jv_invalid_with_msg(jv_string("Object merge too deep"));
++ }
++
+ jv_object_foreach(b, k, v) {
+ jv elem = jv_object_get(jv_copy(a), jv_copy(k));
+ if (jv_is_valid(elem) &&
+ JVP_HAS_KIND(elem, JV_KIND_OBJECT) &&
+ JVP_HAS_KIND(v, JV_KIND_OBJECT)) {
+- a = jv_object_set(a, k, jv_object_merge_recursive(elem, v));
++ jv merged = jvp_object_merge_recursive(elem, v, depth + 1);
++ if (!jv_is_valid(merged)) {
++ jv_free(k);
++ jv_free(a);
++ jv_free(b);
++ return merged;
++ }
++ a = jv_object_set(a, k, merged);
+ } else {
+ jv_free(elem);
+ a = jv_object_set(a, k, v);
+@@ -1919,6 +1936,10 @@ jv jv_object_merge_recursive(jv a, jv b) {
+ return a;
+ }
+
++jv jv_object_merge_recursive(jv a, jv b) {
++ return jvp_object_merge_recursive(a, b, 0);
++}
++
+ /*
+ * Object iteration (internal helpers)
+ */
+diff --git a/tests/jq.test b/tests/jq.test
+index 8094a5b6eb..9a80341f52 100644
+--- a/tests/jq.test
++++ b/tests/jq.test
+@@ -2602,3 +2602,12 @@ true
+ try (reduce range(10001) as $_ ([]; [.]) as $x | $x | contains($x)) catch .
+ null
+ "Containment check too deep"
++
++# regression test for CVE-2026-43896
++reduce range(10000) as $_ ({}; {a: .}) as $x | $x * $x | length
++null
++1
++
++try (reduce range(10001) as $_ ({}; {a: .}) as $x | $x * $x) catch .
++null
++"Object merge too deep"
diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
index 2e6c3a3eea..082a827041 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
@@ -18,6 +18,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
file://CVE-2026-33948.patch \
file://CVE-2026-39979.patch \
file://CVE-2026-41256.patch \
+ file://CVE-2026-43896.patch \
file://CVE-2026-44777.patch \
file://CVE-2026-49389.patch \
"
--
2.43.0
next prev parent reply other threads:[~2026-06-16 7:12 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-16 6:27 [PATCHv2 1/8] jq: patch CVE-2026-49839 Anton Skorup
2026-06-16 6:27 ` [PATCH 2/8] jq: patch CVE-2026-41256 Anton Skorup
2026-06-16 6:27 ` [PATCH 3/8] jq: patch CVE-2026-44777 Anton Skorup
2026-06-16 6:27 ` Anton Skorup [this message]
2026-06-16 6:27 ` [PATCH 5/8] jq: patch CVE-2026-41257 Anton Skorup
2026-06-16 6:27 ` [PATCH 6/8] jq: patch CVE-2026-40612 Anton Skorup
2026-06-16 6:27 ` [PATCH 7/8] jq: patch CVE-2026-43894 Anton Skorup
2026-06-16 6:27 ` [PATCH 8/8] jq: patch CVE-2026-43895 Anton Skorup
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260616062754.748436-4-antonsk@axis.com \
--to=antonsk@axis.com \
--cc=anton.skorup@axis.com \
--cc=anton@skorup.se \
--cc=openembedded-devel@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.