From c1d55e46f2486f66a2fa8ff65b1e7cd745f10a6f Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot <eabdullin@almalinux.org>
Date: Tue, 12 May 2026 12:27:03 -0400
Subject: [PATCH] import CS git jq-1.6-12.el8_10

---
 SOURCES/0008-CVE-2026-39979.patch | 24 +++++++++
 SOURCES/0009-CVE-2026-40164.patch | 83 +++++++++++++++++++++++++++++++
 SPECS/jq.spec                     | 10 +++-
 3 files changed, 116 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0008-CVE-2026-39979.patch
 create mode 100644 SOURCES/0009-CVE-2026-40164.patch

diff --git a/SOURCES/0008-CVE-2026-39979.patch b/SOURCES/0008-CVE-2026-39979.patch
new file mode 100644
index 0000000..969c55b
--- /dev/null
+++ b/SOURCES/0008-CVE-2026-39979.patch
@@ -0,0 +1,24 @@
+commit 2f09060afab23fe9390cce7cb860b10416e1bf5f
+Author: itchyny <itchyny@cybozu.co.jp>
+Date:   Mon Apr 13 11:04:52 2026 +0900
+
+    Fix out-of-bounds read in jv_parse_sized()
+    
+    This fixes CVE-2026-39979.
+    
+    Co-authored-by: Mattias Wadman <mattias.wadman@gmail.com>
+
+diff -up jq-1.6/src/jv_parse.c.orig jq-1.6/src/jv_parse.c
+--- jq-1.6/src/jv_parse.c.orig	2026-04-23 10:22:41.774842081 +0200
++++ jq-1.6/src/jv_parse.c	2026-04-23 10:28:15.741885969 +0200
+@@ -863,8 +863,9 @@ jv jv_parse_sized(const char* string, in
+ 
+   if (!jv_is_valid(value) && jv_invalid_has_msg(jv_copy(value))) {
+     jv msg = jv_invalid_get_msg(value);
+-    value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%s')",
++    value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%.*s')",
+                                               jv_string_value(msg),
++                                              length,
+                                               string));
+     jv_free(msg);
+   }
diff --git a/SOURCES/0009-CVE-2026-40164.patch b/SOURCES/0009-CVE-2026-40164.patch
new file mode 100644
index 0000000..3a97c7d
--- /dev/null
+++ b/SOURCES/0009-CVE-2026-40164.patch
@@ -0,0 +1,83 @@
+based on commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784
+Author: itchyny <itchyny@cybozu.co.jp>
+Date:   Mon Apr 13 08:53:26 2026 +0900
+
+    Randomize hash seed to mitigate hash collision DoS attacks
+    
+    The hash function used a fixed seed, allowing attackers to craft colliding keys
+    and cause O(n^2) object parsing performance. Initialize the seed from a random
+    source at process startup to prevent the attack. This fixes CVE-2026-40164.
+    
+    Co-authored-by: Asaf Meizner <asafmeizner@gmail.com>
+
+diff -up jq-1.6/configure.ac.orig jq-1.6/configure.ac
+--- jq-1.6/configure.ac.orig	2026-04-23 13:11:08.425063387 +0200
++++ jq-1.6/configure.ac	2026-04-23 13:43:25.807324877 +0200
+@@ -140,6 +140,9 @@ AC_CHECK_MEMBER([struct tm.tm_gmtoff], [
+ AC_CHECK_MEMBER([struct tm.__tm_gmtoff], [AC_DEFINE([HAVE_TM___TM_GMT_OFF],1,[Define to 1 if the system has the __tm_gmt_off field in struct tm])],
+                 [], [[#include <time.h>]])
+ 
++AC_FIND_FUNC([arc4random], [c], [#include <stdlib.h>], [])
++AC_FIND_FUNC([getentropy], [c], [#include <unistd.h>], [0, 0])
++ 
+ AC_FIND_FUNC([pthread_key_create], [pthread], [#include <pthread.h>], [NULL, NULL])
+ AC_FIND_FUNC([pthread_once], [pthread], [#include <pthread.h>], [NULL, NULL])
+ AC_FIND_FUNC([atexit], [pthread], [#include <stdlib.h>], [NULL])
+diff -up jq-1.6/src/jv.c.orig jq-1.6/src/jv.c
+--- jq-1.6/src/jv.c.orig	2026-04-23 13:11:08.501988205 +0200
++++ jq-1.6/src/jv.c	2026-04-23 13:35:04.250952609 +0200
+@@ -7,6 +7,10 @@
+ #include <stdarg.h>
+ #include <limits.h>
+ #include <math.h>
++#include <time.h>
++#include <unistd.h>
++#include <fcntl.h>
++#include <pthread.h>
+ 
+ #include "jv_alloc.h"
+ #include "jv.h"
+@@ -877,7 +881,33 @@ static jv jvp_string_append(jv string, c
+   }
+ }
+ 
+-static const uint32_t HASH_SEED = 0x432A9843;
++static uint32_t hash_seed;
++static pthread_once_t hash_seed_once = PTHREAD_ONCE_INIT;
++
++static void jvp_hash_seed_init(void) {
++  uint32_t seed;
++#if defined(HAVE_ARC4RANDOM)
++  seed = arc4random();
++#elif defined(HAVE_GETENTROPY)
++  if (getentropy(&seed, sizeof(seed)) != 0)
++    seed = (uint32_t)getpid() ^ (uint32_t)time(NULL);
++#else
++  int fd = open("/dev/urandom", O_RDONLY);
++  if (fd >= 0) {
++    if (read(fd, &seed, sizeof(seed)) != 4)
++      seed = (uint32_t)getpid() ^ (uint32_t)time(NULL);
++    close(fd);
++  } else {
++    seed = (uint32_t)getpid() ^ (uint32_t)time(NULL);
++  }
++#endif
++  hash_seed = seed;
++}
++
++static uint32_t jvp_hash_seed(void) {
++  pthread_once(&hash_seed_once, jvp_hash_seed_init);
++  return hash_seed;
++}
+ 
+ static uint32_t rotl32 (uint32_t x, int8_t r){
+   return (x << r) | (x >> (32 - r));
+@@ -896,7 +926,7 @@ static uint32_t jvp_string_hash(jv jstr)
+   int len = (int)jvp_string_length(str);
+   const int nblocks = len / 4;
+ 
+-  uint32_t h1 = HASH_SEED;
++  uint32_t h1 = jvp_hash_seed();
+ 
+   const uint32_t c1 = 0xcc9e2d51;
+   const uint32_t c2 = 0x1b873593;
diff --git a/SPECS/jq.spec b/SPECS/jq.spec
index 41c71e0..7f8a332 100644
--- a/SPECS/jq.spec
+++ b/SPECS/jq.spec
@@ -1,6 +1,6 @@
 Name:           jq
 Version:        1.6
-Release:        11%{?dist}
+Release:        12%{?dist}
 Summary:        Command-line JSON processor
 
 License:        MIT and ASL 2.0 and CC-BY and GPLv3
@@ -14,6 +14,8 @@ Patch4:         0004-make-jq-fast.patch
 Patch5:         0005-sast.patch
 Patch6:         0006-CVE-2024-23337.patch
 Patch7:         0007-CVE-2025-48060.patch
+Patch8:         0008-CVE-2026-39979.patch
+Patch9:         0009-CVE-2026-40164.patch
 
 BuildRequires:  flex
 BuildRequires:  bison
@@ -102,6 +104,12 @@ make check
 
 
 %changelog
+* Mon May 11 2026 Tomas Halman <thalman@redhat.com> - 1.6-12
+- Fix CVE-2026-40164 - Denial of Service via crafted JSON object causing hash collisions
+- Fix CVE-2026-39979 out-of-bounds read in jv_parse_sized()
+- Resolves: RHEL-168174
+- Resolves: RHEL-168192
+
 * Mon Jun 30 2025 Tomas Halman <thalman@redhat.com> - 1.6-11
 - Fix CVE-2025-48060 AddressSanitizer: stack-buffer-overflow in jq_fuzz_execute (jv_string_vfmt)
 - Resolves: RHEL-92987