From 5cec352a592f6541cfc8f525cf26d53a356f8144 Mon Sep 17 00:00:00 2001
From: Tomas Halman
Date: Thu, 23 Apr 2026 11:14:56 +0200
Subject: [PATCH] Fix CVE-2026-39979 out-of-bounds read in jv_parse_sized()
Resolves: RHEL-168203
---
...ch => 0000-jq-decimal-literal-number.patch | 0
0008-CVE-2026-39979.patch | 24 +++++++++++++++++++
jq.spec | 9 +++++--
3 files changed, 31 insertions(+), 2 deletions(-)
rename jq-decimal-literal-number.patch => 0000-jq-decimal-literal-number.patch (100%)
create mode 100644 0008-CVE-2026-39979.patch
diff --git a/jq-decimal-literal-number.patch b/0000-jq-decimal-literal-number.patch
similarity index 100%
rename from jq-decimal-literal-number.patch
rename to 0000-jq-decimal-literal-number.patch
diff --git a/0008-CVE-2026-39979.patch b/0008-CVE-2026-39979.patch
new file mode 100644
index 0000000..969c55b
--- /dev/null
+++ b/0008-CVE-2026-39979.patch
@@ -0,0 +1,24 @@
+commit 2f09060afab23fe9390cce7cb860b10416e1bf5f
+Author: itchyny
+Date: Mon Apr 13 11:04:52 2026 +0900
+
+ Fix out-of-bounds read in jv_parse_sized()
+
+ This fixes CVE-2026-39979.
+
+ Co-authored-by: Mattias Wadman
+
+diff -up jq-1.6/src/jv_parse.c.orig jq-1.6/src/jv_parse.c
+--- jq-1.6/src/jv_parse.c.orig 2026-04-23 10:22:41.774842081 +0200
++++ jq-1.6/src/jv_parse.c 2026-04-23 10:28:15.741885969 +0200
+@@ -863,8 +863,9 @@ jv jv_parse_sized(const char* string, in
+
+ if (!jv_is_valid(value) && jv_invalid_has_msg(jv_copy(value))) {
+ jv msg = jv_invalid_get_msg(value);
+- value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%s')",
++ value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%.*s')",
+ jv_string_value(msg),
++ length,
+ string));
+ jv_free(msg);
+ }
diff --git a/jq.spec b/jq.spec
index 69a9eff..b0b616d 100644
--- a/jq.spec
+++ b/jq.spec
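Review bot: The `%.*s` precision added in the `jv_parse_sized()` hunk of `0008-CVE-2026-39979.patch` bounds the read of `string` only while `length` is non-negative. Assuming `jv_string_fmt` follows printf semantics, a negative precision is treated as if it were omitted, so the formatter would again scan `string` for a NUL terminator. `length` appears to be a signed int parameter (the signature is truncated in the hunk header) and nothing in the visible lines rejects a negative value; whether any caller can pass one is not shown here. I would clamp it at the call site, `length < 0 ? 0 : length,`, or state the non-negative precondition in a comment above the `jv_string_fmt` call. The body of `jv_parse_sized()` starts and ends outside the hunk.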
@@ -1,13 +1,13 @@ Name: jq Version: 1.6 -Release: 19%{?dist} +Release: 20%{?dist} Summary: Command-line JSON processor License: MIT and ASL 2.0 and CC-BY and GPLv3 URL: http://stedolan.github.io/jq/ Source0: https://github.com/stedolan/jq/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz # Backport of PR#1752 for RHBZ#2008979 -Patch0: jq-decimal-literal-number.patch +Patch0: 0000-jq-decimal-literal-number.patch Patch1: 0001-iterration-problem-for-non-decimal-string.patch Patch2: 0002-add-mantest.patch Patch3: 0003-fix-pthread-segfault.patch @@ -15,6 +15,7 @@ Patch4: 0004-make-jq-fast.patch Patch5: 0005-sast.patch Patch6: 0006-CVE-2024-23337.patch Patch7: 0007-CVE-2025-48060.patch +Patch8: 0008-CVE-2026-39979.patch BuildRequires: gcc BuildRequires: flex @@ -105,6 +106,10 @@ make check %changelog +* Thu Apr 23 2026 Tomas Halman - 1.6-20 +- Fix CVE-2026-39979 out-of-bounds read in jv_parse_sized() +- Resolves: RHEL-168203 + * Thu Jun 19 2025 Tomas Halman - 1.6-19 - Fix CVE-2025-48060 - Resolves: RHEL-92993