From: Anton Skorup <antonsk@axis.com>
To: <openembedded-devel@lists.openembedded.org>
Cc: Anton Skorup <anton@skorup.se>, Anton Skorup <anton.skorup@axis.com>
Subject: [PATCHv2 1/8] jq: patch CVE-2026-49839
Date: Tue, 16 Jun 2026 08:27:47 +0200 [thread overview]
Message-ID: <20260616062754.748436-1-antonsk@axis.com> (raw)
From: Anton Skorup <anton@skorup.se>
CVE details: https://vulert.com/vuln-db/--4743
Signed-off-by: Anton Skorup <anton.skorup@axis.com>
---
v2
* Added patch to stack of jq CVEs
---
.../jq/jq/CVE-2026-49389.patch | 31 +++++++++++++++++++
meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 +
2 files changed, 32 insertions(+)
create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch
diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch
new file mode 100644
index 0000000000..3189158b4a
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch
@@ -0,0 +1,31 @@
+From e987df0d463d85fd70825e042a082427e8275b86 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Mon, 8 Jun 2026 22:14:48 +0900
+Subject: [PATCH] Fix heap-buffer-overflow in raw file loading
+
+When `jv_string_append_buf` overflows the string length limit,
+it returns an invalid `jv`; `jv_load_file` then re-entered it
+on the invalid value and overran the heap. Break out of the loop
+once the value is invalid.
+
+Fixes CVE-2026-49839.
+
+Signed-off-by: Anton Skorup <anton.skorup@axis.com>
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/e987df0d463d85fd70825e042a082427e8275b86]
+---
+ src/jv_file.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/jv_file.c b/src/jv_file.c
+index 7706b0e06e..fbc1e4d653 100644
+--- a/src/jv_file.c
++++ b/src/jv_file.c
+@@ -57,6 +57,8 @@ jv jv_load_file(const char* filename, int raw) {
+
+ if (raw) {
+ data = jv_string_append_buf(data, buf, n);
++ if (!jv_is_valid(data))
++ break;
+ } else {
+ jv_parser_set_buf(parser, buf, n, !feof(file));
+ jv value;
diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
index 026f6bfa71..0419ccd46d 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
file://CVE-2026-33947.patch \
file://CVE-2026-33948.patch \
file://CVE-2026-39979.patch \
+ file://CVE-2026-49389.patch \
"
inherit autotools ptest
--
2.43.0
next reply other threads:[~2026-06-16 7:11 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-16 6:27 Anton Skorup [this message]
2026-06-16 6:27 ` [PATCH 2/8] jq: patch CVE-2026-41256 Anton Skorup
2026-06-16 6:27 ` [PATCH 3/8] jq: patch CVE-2026-44777 Anton Skorup
2026-06-16 6:27 ` [PATCH 4/8] jq: patch CVE-2026-43896 Anton Skorup
2026-06-16 6:27 ` [PATCH 5/8] jq: patch CVE-2026-41257 Anton Skorup
2026-06-16 6:27 ` [PATCH 6/8] jq: patch CVE-2026-40612 Anton Skorup
2026-06-16 6:27 ` [PATCH 7/8] jq: patch CVE-2026-43894 Anton Skorup
2026-06-16 6:27 ` [PATCH 8/8] jq: patch CVE-2026-43895 Anton Skorup
2026-06-17 1:25 ` [oe] [PATCHv2 1/8] jq: patch CVE-2026-49839 Khem Raj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260616062754.748436-1-antonsk@axis.com \
--to=antonsk@axis.com \
--cc=anton.skorup@axis.com \
--cc=anton@skorup.se \
--cc=openembedded-devel@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox