diff --git a/0003-CVE-2026-39979.patch b/0003-CVE-2026-39979.patch new file mode 100644 index 0000000..e2692d6 --- /dev/null +++ b/0003-CVE-2026-39979.patch @@ -0,0 +1,24 @@ +commit 2f09060afab23fe9390cce7cb860b10416e1bf5f +Author: itchyny +Date: Mon Apr 13 11:04:52 2026 +0900 + + Fix out-of-bounds read in jv_parse_sized() + + This fixes CVE-2026-39979. + + Co-authored-by: Mattias Wadman + +diff -up jq-jq-1.7.1/src/jv_parse.c.orig jq-jq-1.7.1/src/jv_parse.c +--- jq-jq-1.7.1/src/jv_parse.c.orig 2023-12-13 20:20:22.000000000 +0100 ++++ jq-jq-1.7.1/src/jv_parse.c 2026-04-24 09:38:10.259656776 +0200 +@@ -890,8 +890,9 @@ jv jv_parse_sized_custom_flags(const cha + + if (!jv_is_valid(value) && jv_invalid_has_msg(jv_copy(value))) { + jv msg = jv_invalid_get_msg(value); +- value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%s')", ++ value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%.*s')", + jv_string_value(msg), ++ length, + string)); + jv_free(msg); + } diff --git a/0004-CVE-2026-40164.patch b/0004-CVE-2026-40164.patch new file mode 100644 index 0000000..9a52be4 --- /dev/null +++ b/0004-CVE-2026-40164.patch @@ -0,0 +1,82 @@ +commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 +Author: itchyny +Date: Mon Apr 13 08:53:26 2026 +0900 + + Randomize hash seed to mitigate hash collision DoS attacks + + The hash function used a fixed seed, allowing attackers to craft colliding keys + and cause O(n^2) object parsing performance. Initialize the seed from a random + source at process startup to prevent the attack. This fixes CVE-2026-40164. + + Co-authored-by: Asaf Meizner + +diff -up jq-jq-1.7.1/configure.ac.orig jq-jq-1.7.1/configure.ac +--- jq-jq-1.7.1/configure.ac.orig 2023-12-13 20:20:22.000000000 +0100 ++++ jq-jq-1.7.1/configure.ac 2026-04-24 09:47:31.445398669 +0200 +@@ -149,6 +149,8 @@ AC_CHECK_MEMBER([struct tm.tm_gmtoff], [ + AC_CHECK_MEMBER([struct tm.__tm_gmtoff], [AC_DEFINE([HAVE_TM___TM_GMT_OFF],1,[Define to 1 if the system has the __tm_gmt_off field in struct tm])], + [], [[#include ]]) + AC_FIND_FUNC([setlocale], [c], [#include ], [0,0]) ++AC_FIND_FUNC([arc4random], [c], [#include ], []) ++AC_FIND_FUNC([getentropy], [c], [#include ], [0, 0]) + + dnl Figure out if we have the pthread functions we actually need + AC_FIND_FUNC_NO_LIBS([pthread_key_create], [], [#include ], [NULL, NULL]) +diff -up jq-jq-1.7.1/src/jv.c.orig jq-jq-1.7.1/src/jv.c +--- jq-jq-1.7.1/src/jv.c.orig 2026-04-24 09:47:05.190307112 +0200 ++++ jq-jq-1.7.1/src/jv.c 2026-04-24 09:47:31.445705067 +0200 +@@ -40,6 +40,10 @@ + #include + #include + #include ++#include ++#include ++#include ++#include + + #include "jv_alloc.h" + #include "jv.h" +@@ -1165,7 +1169,33 @@ static jv jvp_string_append(jv string, c + } + } + +-static const uint32_t HASH_SEED = 0x432A9843; ++static uint32_t hash_seed; ++static pthread_once_t hash_seed_once = PTHREAD_ONCE_INIT; ++ ++static void jvp_hash_seed_init(void) { ++ uint32_t seed; ++#if defined(HAVE_ARC4RANDOM) ++ seed = arc4random(); ++#elif defined(HAVE_GETENTROPY) ++ if (getentropy(&seed, sizeof(seed)) != 0) ++ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); ++#else ++ int fd = open("/dev/urandom", O_RDONLY); ++ if (fd >= 0) { ++ if (read(fd, &seed, sizeof(seed)) != 4) ++ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); ++ close(fd); ++ } else { ++ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); ++ } ++#endif ++ hash_seed = seed; ++} ++ ++static uint32_t jvp_hash_seed(void) { ++ pthread_once(&hash_seed_once, jvp_hash_seed_init); ++ return hash_seed; ++} + + static uint32_t rotl32 (uint32_t x, int8_t r){ + return (x << r) | (x >> (32 - r)); +@@ -1184,7 +1214,7 @@ static uint32_t jvp_string_hash(jv jstr) + int len = (int)jvp_string_length(str); + const int nblocks = len / 4; + +- uint32_t h1 = HASH_SEED; ++ uint32_t h1 = jvp_hash_seed(); + + const uint32_t c1 = 0xcc9e2d51; + const uint32_t c2 = 0x1b873593; diff --git a/jq.spec b/jq.spec index 8afc46c..d54676e 100644 --- a/jq.spec +++ b/jq.spec @@ -1,11 +1,6 @@ ## START: Set by rpmautospec ## (rpmautospec version 0.6.5) -## RPMAUTOSPEC: autorelease, autochangelog -%define autorelease(e:s:pb:n) %{?-p:0.}%{lua: - release_number = 11; - base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); - print(release_number + base_release_number - 1); -}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} +## RPMAUTOSPEC: autochangelog ## END: Set by rpmautospec # valgrind cannot cope with GCC 13+ SSE4.1 optimizations of strcmp @@ -14,14 +9,16 @@ Name: jq Version: 1.7.1 -Release: %autorelease +Release: 11%{?dist}.0.2 Summary: Command-line JSON processor License: MIT and ASL 2.0 and CC-BY and GPLv3 URL: https://jqlang.github.io/jq/ Source0: https://github.com/jqlang/jq/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz Patch1: 0001-CVE-2024-23337.patch -Patch3: 0002-CVE-2025-48060.patch +Patch2: 0002-CVE-2025-48060.patch +Patch3: 0003-CVE-2026-39979.patch +Patch4: 0004-CVE-2026-40164.patch BuildRequires: gcc BuildRequires: flex @@ -114,6 +111,13 @@ make check %changelog ## START: Generated by rpmautospec +* Tue May 12 2026 Tomas Halman - 1.7.1-13 +- Fix CVE-2026-40164 - Denial of Service via crafted JSON object causing + hash collisions + +* Tue May 12 2026 Tomas Halman - 1.7.1-12 +- Fix CVE-2026-39979 out-of-bounds read in jv_parse_sized() + * Mon Jun 30 2025 Tomas Halman - 1.7.1-11 - AddressSanitizer: stack-buffer-overflow in jq_fuzz_execute