diff --git a/0009-CVE-2026-40164.patch b/0009-CVE-2026-40164.patch new file mode 100644 index 0000000..3a97c7d --- /dev/null +++ b/0009-CVE-2026-40164.patch @@ -0,0 +1,83 @@ +based on commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 +Author: itchyny +Date: Mon Apr 13 08:53:26 2026 +0900 + + Randomize hash seed to mitigate hash collision DoS attacks + + The hash function used a fixed seed, allowing attackers to craft colliding keys + and cause O(n^2) object parsing performance. Initialize the seed from a random + source at process startup to prevent the attack. This fixes CVE-2026-40164. + + Co-authored-by: Asaf Meizner + +diff -up jq-1.6/configure.ac.orig jq-1.6/configure.ac +--- jq-1.6/configure.ac.orig 2026-04-23 13:11:08.425063387 +0200 ++++ jq-1.6/configure.ac 2026-04-23 13:43:25.807324877 +0200 +@@ -140,6 +140,9 @@ AC_CHECK_MEMBER([struct tm.tm_gmtoff], [ + AC_CHECK_MEMBER([struct tm.__tm_gmtoff], [AC_DEFINE([HAVE_TM___TM_GMT_OFF],1,[Define to 1 if the system has the __tm_gmt_off field in struct tm])], + [], [[#include ]]) + ++AC_FIND_FUNC([arc4random], [c], [#include ], []) ++AC_FIND_FUNC([getentropy], [c], [#include ], [0, 0]) ++ + AC_FIND_FUNC([pthread_key_create], [pthread], [#include ], [NULL, NULL]) + AC_FIND_FUNC([pthread_once], [pthread], [#include ], [NULL, NULL]) + AC_FIND_FUNC([atexit], [pthread], [#include ], [NULL]) +diff -up jq-1.6/src/jv.c.orig jq-1.6/src/jv.c +--- jq-1.6/src/jv.c.orig 2026-04-23 13:11:08.501988205 +0200 ++++ jq-1.6/src/jv.c 2026-04-23 13:35:04.250952609 +0200 +@@ -7,6 +7,10 @@ + #include + #include + #include ++#include ++#include ++#include ++#include + + #include "jv_alloc.h" + #include "jv.h" +@@ -877,7 +881,33 @@ static jv jvp_string_append(jv string, c + } + } + +-static const uint32_t HASH_SEED = 0x432A9843; ++static uint32_t hash_seed; ++static pthread_once_t hash_seed_once = PTHREAD_ONCE_INIT; ++ ++static void jvp_hash_seed_init(void) { ++ uint32_t seed; ++#if defined(HAVE_ARC4RANDOM) ++ seed = arc4random(); ++#elif defined(HAVE_GETENTROPY) ++ if (getentropy(&seed, sizeof(seed)) != 0) ++ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); ++#else ++ int fd = open("/dev/urandom", O_RDONLY); ++ if (fd >= 0) { ++ if (read(fd, &seed, sizeof(seed)) != 4) ++ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); ++ close(fd); ++ } else { ++ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); ++ } ++#endif ++ hash_seed = seed; ++} ++ ++static uint32_t jvp_hash_seed(void) { ++ pthread_once(&hash_seed_once, jvp_hash_seed_init); ++ return hash_seed; ++} + + static uint32_t rotl32 (uint32_t x, int8_t r){ + return (x << r) | (x >> (32 - r)); +@@ -896,7 +926,7 @@ static uint32_t jvp_string_hash(jv jstr) + int len = (int)jvp_string_length(str); + const int nblocks = len / 4; + +- uint32_t h1 = HASH_SEED; ++ uint32_t h1 = jvp_hash_seed(); + + const uint32_t c1 = 0xcc9e2d51; + const uint32_t c2 = 0x1b873593; diff --git a/jq.spec b/jq.spec index b0b616d..3364994 100644 --- a/jq.spec +++ b/jq.spec @@ -1,6 +1,6 @@ Name: jq Version: 1.6 -Release: 20%{?dist} +Release: 21%{?dist} Summary: Command-line JSON processor License: MIT and ASL 2.0 and CC-BY and GPLv3 @@ -16,6 +16,7 @@ Patch5: 0005-sast.patch Patch6: 0006-CVE-2024-23337.patch Patch7: 0007-CVE-2025-48060.patch Patch8: 0008-CVE-2026-39979.patch +Patch9: 0009-CVE-2026-40164.patch BuildRequires: gcc BuildRequires: flex @@ -106,6 +107,10 @@ make check %changelog +* Thu Apr 23 2026 Tomas Halman - 1.6-21 +- Fix CVE-2026-40164 - Denial of Service via crafted JSON object causing hash collisions +- Resolves: RHEL-168186 + * Thu Apr 23 2026 Tomas Halman - 1.6-20 - Fix CVE-2026-39979 out-of-bounds read in jv_parse_sized() - Resolves: RHEL-168203