import UBI jq-1.7.1-11.el10_1.0.2

2026-05-13 15:41:08 -04:00 · 2026-05-13 15:41:08 -04:00 · 571f9a18e0
commit 571f9a18e0
parent 753826117d
3 changed files with 118 additions and 8 deletions
--- a/0003-CVE-2026-39979.patch
+++ b/0003-CVE-2026-39979.patch
@ -0,0 +1,24 @@
+commit 2f09060afab23fe9390cce7cb860b10416e1bf5f
+Author: itchyny <itchyny@cybozu.co.jp>
+Date:   Mon Apr 13 11:04:52 2026 +0900
+
+    Fix out-of-bounds read in jv_parse_sized()
+    
+    This fixes CVE-2026-39979.
+    
+    Co-authored-by: Mattias Wadman <mattias.wadman@gmail.com>
+
+diff -up jq-jq-1.7.1/src/jv_parse.c.orig jq-jq-1.7.1/src/jv_parse.c
+--- jq-jq-1.7.1/src/jv_parse.c.orig	2023-12-13 20:20:22.000000000 +0100
+++ jq-jq-1.7.1/src/jv_parse.c	2026-04-24 09:38:10.259656776 +0200
+@@ -890,8 +890,9 @@ jv jv_parse_sized_custom_flags(const cha
+ 
+   if (!jv_is_valid(value) && jv_invalid_has_msg(jv_copy(value))) {
+     jv msg = jv_invalid_get_msg(value);
+-    value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%s')",
+    value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%.*s')",
+                                               jv_string_value(msg),
+                                              length,
+                                               string));
+     jv_free(msg);
+   }
--- a/0004-CVE-2026-40164.patch
+++ b/0004-CVE-2026-40164.patch
@ -0,0 +1,82 @@
+commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784
+Author: itchyny <itchyny@cybozu.co.jp>
+Date:   Mon Apr 13 08:53:26 2026 +0900
+
+    Randomize hash seed to mitigate hash collision DoS attacks
+    
+    The hash function used a fixed seed, allowing attackers to craft colliding keys
+    and cause O(n^2) object parsing performance. Initialize the seed from a random
+    source at process startup to prevent the attack. This fixes CVE-2026-40164.
+    
+    Co-authored-by: Asaf Meizner <asafmeizner@gmail.com>
+
+diff -up jq-jq-1.7.1/configure.ac.orig jq-jq-1.7.1/configure.ac
+--- jq-jq-1.7.1/configure.ac.orig	2023-12-13 20:20:22.000000000 +0100
+++ jq-jq-1.7.1/configure.ac	2026-04-24 09:47:31.445398669 +0200
+@@ -149,6 +149,8 @@ AC_CHECK_MEMBER([struct tm.tm_gmtoff], [
+ AC_CHECK_MEMBER([struct tm.__tm_gmtoff], [AC_DEFINE([HAVE_TM___TM_GMT_OFF],1,[Define to 1 if the system has the __tm_gmt_off field in struct tm])],
+                 [], [[#include <time.h>]])
+ AC_FIND_FUNC([setlocale], [c], [#include <locale.h>], [0,0])
+AC_FIND_FUNC([arc4random], [c], [#include <stdlib.h>], [])
+AC_FIND_FUNC([getentropy], [c], [#include <unistd.h>], [0, 0])
+ 
+ dnl Figure out if we have the pthread functions we actually need
+ AC_FIND_FUNC_NO_LIBS([pthread_key_create], [], [#include <pthread.h>], [NULL, NULL])
+diff -up jq-jq-1.7.1/src/jv.c.orig jq-jq-1.7.1/src/jv.c
+--- jq-jq-1.7.1/src/jv.c.orig	2026-04-24 09:47:05.190307112 +0200
+++ jq-jq-1.7.1/src/jv.c	2026-04-24 09:47:31.445705067 +0200
+@@ -40,6 +40,10 @@
+ #include <limits.h>
+ #include <math.h>
+ #include <float.h>
+#include <time.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <pthread.h>
+ 
+ #include "jv_alloc.h"
+ #include "jv.h"
+@@ -1165,7 +1169,33 @@ static jv jvp_string_append(jv string, c
+   }
+ }
+ 
+-static const uint32_t HASH_SEED = 0x432A9843;
+static uint32_t hash_seed;
+static pthread_once_t hash_seed_once = PTHREAD_ONCE_INIT;
+
+static void jvp_hash_seed_init(void) {
+  uint32_t seed;
+#if defined(HAVE_ARC4RANDOM)
+  seed = arc4random();
+#elif defined(HAVE_GETENTROPY)
+  if (getentropy(&seed, sizeof(seed)) != 0)
+    seed = (uint32_t)getpid() ^ (uint32_t)time(NULL);
+#else
+  int fd = open("/dev/urandom", O_RDONLY);
+  if (fd >= 0) {
+    if (read(fd, &seed, sizeof(seed)) != 4)
+      seed = (uint32_t)getpid() ^ (uint32_t)time(NULL);
+    close(fd);
+  } else {
+    seed = (uint32_t)getpid() ^ (uint32_t)time(NULL);
+  }
+#endif
+  hash_seed = seed;
+}
+
+static uint32_t jvp_hash_seed(void) {
+  pthread_once(&hash_seed_once, jvp_hash_seed_init);
+  return hash_seed;
+}
+ 
+ static uint32_t rotl32 (uint32_t x, int8_t r){
+   return (x << r) | (x >> (32 - r));
+@@ -1184,7 +1214,7 @@ static uint32_t jvp_string_hash(jv jstr)
+   int len = (int)jvp_string_length(str);
+   const int nblocks = len / 4;
+ 
+-  uint32_t h1 = HASH_SEED;
+  uint32_t h1 = jvp_hash_seed();
+ 
+   const uint32_t c1 = 0xcc9e2d51;
+   const uint32_t c2 = 0x1b873593;
--- a/jq.spec
+++ b/jq.spec
@ -1,11 +1,6 @@
 ## START: Set by rpmautospec
 ## (rpmautospec version 0.6.5)
-## RPMAUTOSPEC: autorelease, autochangelog
-%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
-    release_number = 11;
-    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
-    print(release_number + base_release_number - 1);
-}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
+## RPMAUTOSPEC: autochangelog
 ## END: Set by rpmautospec

 # valgrind cannot cope with GCC 13+ SSE4.1 optimizations of strcmp
@ -14,14 +9,16 @@

 Name:           jq
 Version:        1.7.1
-Release:        %autorelease
+Release:        11%{?dist}.0.2
 Summary:        Command-line JSON processor

 License:        MIT and ASL 2.0 and CC-BY and GPLv3
 URL:            https://jqlang.github.io/jq/
 Source0:        https://github.com/jqlang/jq/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
 Patch1:         0001-CVE-2024-23337.patch
-Patch3:         0002-CVE-2025-48060.patch
+Patch2:         0002-CVE-2025-48060.patch
+Patch3:         0003-CVE-2026-39979.patch
+Patch4:         0004-CVE-2026-40164.patch

 BuildRequires:  gcc
 BuildRequires:  flex
@ -114,6 +111,13 @@ make check

 %changelog
 ## START: Generated by rpmautospec
+* Tue May 12 2026 Tomas Halman <thalman@redhat.com> - 1.7.1-13
+- Fix CVE-2026-40164 - Denial of Service via crafted JSON object causing
+  hash collisions
+
+* Tue May 12 2026 Tomas Halman <thalman@redhat.com> - 1.7.1-12
+- Fix CVE-2026-39979 out-of-bounds read in jv_parse_sized()
+
 * Mon Jun 30 2025 Tomas Halman <thalman@redhat.com> - 1.7.1-11
 - AddressSanitizer: stack-buffer-overflow in jq_fuzz_execute