From: Anton Skorup <antonsk@axis.com>
To: <openembedded-devel@lists.openembedded.org>
Cc: Anton Skorup <anton@skorup.se>, Anton Skorup <anton.skorup@axis.com>
Subject: [meta-oe][PATCH] jq: patch CVE-2026-49839
Date: Mon, 15 Jun 2026 15:49:59 +0200 [thread overview]
Message-ID: <20260615134959.10013-1-antonsk@axis.com> (raw)
From: Anton Skorup <anton@skorup.se>
CVE details: https://vulert.com/vuln-db/--4743
Signed-off-by: Anton Skorup <anton.skorup@axis.com>
---
.../jq/jq/CVE-2026-49839.patch | 34 +++++++++++++++++++
meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 +
2 files changed, 35 insertions(+)
create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-49839.patch
diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-49839.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-49839.patch
new file mode 100644
index 0000000000..bd4bcf8e37
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-49839.patch
@@ -0,0 +1,34 @@
+From 59fcd85066bea536f259b6396a7a0a939a4fb369 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Mon, 8 Jun 2026 22:14:48 +0900
+Subject: [PATCH] Fix heap-buffer-overflow in raw file loading
+
+When `jv_string_append_buf` overflows the string length limit,
+it returns an invalid `jv`; `jv_load_file` then re-entered it
+on the invalid value and overran the heap. Break out of the loop
+once the value is invalid.
+
+Fixes CVE-2026-49839.
+
+Signed-off-by: Anton Skorup <antonsk@axis.com>
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/e987df0d463d85fd70825e042a082427e8275b86]
+---
+ src/jv_file.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/jv_file.c b/src/jv_file.c
+index b10bcc0..40137c3 100644
+--- a/src/jv_file.c
++++ b/src/jv_file.c
+@@ -57,6 +57,8 @@ jv jv_load_file(const char* filename, int raw) {
+
+ if (raw) {
+ data = jv_string_append_buf(data, buf, n);
++ if (!jv_is_valid(data))
++ break;
+ } else {
+ jv_parser_set_buf(parser, buf, n, !feof(file));
+ jv value;
+--
+2.43.0
+
diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
index 7665ba2511..14e77c1bc6 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
@@ -18,6 +18,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
file://CVE-2026-33948.patch \
file://CVE-2026-39979.patch \
file://CVE-2026-47770.patch \
+ file://CVE-2026-49839.patch \
"
inherit autotools ptest
--
2.43.0
reply other threads:[~2026-06-15 14:06 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260615134959.10013-1-antonsk@axis.com \
--to=antonsk@axis.com \
--cc=anton.skorup@axis.com \
--cc=anton@skorup.se \
--cc=openembedded-devel@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox