Fix CVE-2026-39979 out-of-bounds read in jv_parse_sized()

Resolves: RHEL-168203
2026-04-23 11:14:56 +02:00 · 2026-04-23 11:14:56 +02:00 · 5cec352a59
commit 5cec352a59
parent 725c03edf0
3 changed files with 31 additions and 2 deletions
--- a/0000-jq-decimal-literal-number.patch
+++ b/0000-jq-decimal-literal-number.patch
--- a/0008-CVE-2026-39979.patch
+++ b/0008-CVE-2026-39979.patch
@ -0,0 +1,24 @@
+commit 2f09060afab23fe9390cce7cb860b10416e1bf5f
+Author: itchyny <itchyny@cybozu.co.jp>
+Date:   Mon Apr 13 11:04:52 2026 +0900
+
+    Fix out-of-bounds read in jv_parse_sized()
+    
+    This fixes CVE-2026-39979.
+    
+    Co-authored-by: Mattias Wadman <mattias.wadman@gmail.com>
+
+diff -up jq-1.6/src/jv_parse.c.orig jq-1.6/src/jv_parse.c
+--- jq-1.6/src/jv_parse.c.orig	2026-04-23 10:22:41.774842081 +0200
+++ jq-1.6/src/jv_parse.c	2026-04-23 10:28:15.741885969 +0200
+@@ -863,8 +863,9 @@ jv jv_parse_sized(const char* string, in
+ 
+   if (!jv_is_valid(value) && jv_invalid_has_msg(jv_copy(value))) {
+     jv msg = jv_invalid_get_msg(value);
+-    value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%s')",
+    value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%.*s')",
+                                               jv_string_value(msg),
+                                              length,
+                                               string));
+     jv_free(msg);
+   }
--- a/jq.spec
+++ b/jq.spec
@ -1,13 +1,13 @@
 Name:           jq
 Version:        1.6
-Release:        19%{?dist}
+Release:        20%{?dist}
 Summary:        Command-line JSON processor

 License:        MIT and ASL 2.0 and CC-BY and GPLv3
 URL:            http://stedolan.github.io/jq/
 Source0:        https://github.com/stedolan/jq/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
 # Backport of PR#1752 for RHBZ#2008979
-Patch0:         jq-decimal-literal-number.patch
+Patch0:         0000-jq-decimal-literal-number.patch
 Patch1:         0001-iterration-problem-for-non-decimal-string.patch
 Patch2:         0002-add-mantest.patch
 Patch3:         0003-fix-pthread-segfault.patch
@ -15,6 +15,7 @@ Patch4:         0004-make-jq-fast.patch
 Patch5:         0005-sast.patch
 Patch6:         0006-CVE-2024-23337.patch
 Patch7:         0007-CVE-2025-48060.patch
+Patch8:         0008-CVE-2026-39979.patch

 BuildRequires:  gcc
 BuildRequires:  flex
@ -105,6 +106,10 @@ make check


 %changelog
+* Thu Apr 23 2026 Tomas Halman <thalman@redhat.com> - 1.6-20
+- Fix CVE-2026-39979 out-of-bounds read in jv_parse_sized()
+- Resolves: RHEL-168203
+
 * Thu Jun 19 2025 Tomas Halman <thalman@redhat.com> - 1.6-19
 - Fix CVE-2025-48060
 - Resolves: RHEL-92993