Debian Patches
Status for jq/1.6-2.1+deb12u2
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| CVE-2026-43895.patch | Reject embedded NUL bytes in module import paths jq accepts embedded NUL bytes at the language level but resolves module import paths through NUL-terminated C strings, so the path validated by policy or audit code could differ from the on-disk path jq actually opens. Pass jv through gen_import so the AST preserves the original bytes, and reject embedded NULs in validate_relpath. Fixes CVE-2026-43895. (cherry picked from commit 9d223f153c3632a207fa071caaa6292da33ae361) |
itchyny <itchyny@cybozu.co.jp> | no | 2026-05-09 | ||
| CVE-2026-44777.patch | Detect circular module imports to prevent stack overflow jq used to recurse without bound on mutual or self-referential `import` declarations, exhausting the stack. Track each library's load state with a `loading` flag set before its dependencies are processed; a recursive reference to an in-progress library now reports "circular import of X". Fixes CVE-2026-44777. (cherry picked from commit f58787c41835d9b17795730cb04925fdba25c71c) |
itchyny <itchyny@cybozu.co.jp> | no | 2026-05-11 | ||
| CVE-2026-43894.patch | Reject numeric literals longer than DEC_MAX_DIGITS (999999999) A signed-int overflow in decNumber's D2U macro lets huge literals write attacker-controlled bytes past a stack buffer. Cap the length before calling decNumberFromString, and pre-slice long strings in jv_dump_string_trunc so the resulting error message doesn't itself allocate a multi-GiB buffer. Fixes CVE-2026-43894. (cherry picked from commit 9761ceb7d6cc48c16b25f0ab1baaef0e701927e4) |
itchyny <itchyny@cybozu.co.jp> | no | 2026-05-06 | ||
| CVE-2026-47770.patch | Guard deep structural equality and comparison recursion (#3539) jv_equal and jv_cmp overflows the C stack on deeply nested input. Cap recursion at 10000 with -1 / INT_MIN sentinels; operators that compose user expressions surface this as "Equality check too deep" / "Comparison too deep". Fixes CVE-2026-47770. (cherry picked from commit 7122866869960b55cea3646bc91334ef55787831) |
Yu-Fu Fu <yufu@yfu.tw> | no | 2026-05-22 | ||
| CVE-2026-49839.patch | Fix heap-buffer-overflow in raw file loading When `jv_string_append_buf` overflows the string length limit, it returns an invalid `jv`; `jv_load_file` then re-entered it on the invalid value and overran the heap. Break out of the loop once the value is invalid. Fixes CVE-2026-49839. (cherry picked from commit e987df0d463d85fd70825e042a082427e8275b86) |
itchyny <itchyny@cybozu.co.jp> | no | 2026-06-08 | ||
| GHSA-ggc9-rpv2-xgpm_and_GHSA-gvwx-xj9r-3frq.patch | Fix undefined pointer arithmetic in UTF-8 helpers Fixes GHSA-ggc9-rpv2-xgpm and GHSA-gvwx-xj9r-3frq. (cherry picked from commit df924eae91af10cc236a907cdadd97813827aa1f) |
theyoucheng <daniel1988xyz@gmail.com> | no | 2026-05-23 | ||
| CVE-2026-54679-1.patch | implode: Better invalid input validation and handling Error on non-number and nan codepoint, would asserd before Replace negative codepoint and surrogate range with unicode replacement character, would assert before Fixes #1160 (cherry picked from commit a949745059ee61366a5d880c3b18d5d4db6524eb) |
Mattias Wadman <mattias.wadman@gmail.com> | no | 2023-07-02 | ||
| enable-manpages.patch | patch Makefile to always generate the manpage. | "ChangZhuo Chen (陳昌倬)" | not-needed | 2014-06-21 | ||
| remove-unecessary-rakefile-deps.patch | patch Rakefile to allow for easier manpage generation This patch disable some of the dependencies that are not required to build the actual manpage. |
"ChangZhuo Chen (陳昌倬)" | yes | upstream | 2014-06-21 | |
| patch-version-into-build.patch | Set release version manually. jq sets the build version by parsing the git branch. There is no git branch during package building however. This patch sets the version manually. The version can be looked up using `git describe --tags --match 'upstream*' | sed 's/^upstream\///'`. |
"ChangZhuo Chen (陳昌倬)" | yes | upstream | 2014-06-21 | |
| dont-distribute-duplicate-docs.patch | Do not distribute COPYING, fixes lintian warning | "ChangZhuo Chen (陳昌倬)" | not-needed | 2015-10-11 | ||
| stack-exhaustion.patch | Skip printing at MAX_DEPTH and deeper This addresses #1136, and mitigates a stack exhaustion when printing a very deeply nested term. |
W-Mark Kubacki <wmark@hurrikane.de> | no | 2016-08-19 | ||
| disable-static-libtool.patch | Ensure jq doesn't statically link in libraries | Harlan Lieberman-Berg <hlieberman@debian.org> | not-needed | 2018-11-04 | ||
| 0007-stop-using-libtool-bin.patch | stop using libtool-bin | Helmut Grohne <helmut@subdivi.de> | no | 2018-11-04 | ||
| 0008-Do-not-use-venderized-oniguruma.patch | Do not use venderized oniguruma | "ChangZhuo Chen (陳昌倬)" | no | 2018-11-04 | ||
| 0009-Hardcode-version-to-1.6.patch | Hardcode version to 1.6 | "ChangZhuo Chen (陳昌倬)" | no | 2019-01-27 | ||
| 0010-initialized-variables.patch | Fix uninitialized variables | Reiner Herrmann <reiner@reiner-h.de> | no | debian | ||
| CVE-2025-48060.patch | Cherry-pick upstream commit c6e041699d8cd31b97375a2596217aff2cfca85b to fix CVE-2025-48060 | "ChangZhuo Chen (陳昌倬)" | no | 2025-07-09 | ||
| CVE-2026-32316.patch | Fix heap buffer overflow in `jvp_string_append` and `jvp_string_copy_replace_bad` In `jvp_string_append`, the allocation size `(currlen + len) * 2` could overflow `uint32_t` when `currlen + len` exceeds `INT_MAX`, causing a small allocation followed by a large `memcpy`. In `jvp_string_copy_replace_bad`, the output buffer size calculation `length * 3 + 1` could overflow `uint32_t`, again resulting in a small allocation followed by a large write. Add overflow checks to both functions to return an error for strings that would exceed `INT_MAX` in length. Fixes CVE-2026-32316. (cherry picked from commit e47e56d226519635768e6aab2f38f0ab037c09e5) |
itchyny <itchyny@cybozu.co.jp> | no | 2026-03-12 | ||
| CVE-2026-33947.patch | Limit path depth to prevent stack overflow Deeply nested path arrays can cause unbounded recursion in `jv_setpath`, `jv_getpath`, and `jv_delpaths`, leading to stack overflow. Add a depth limit of 10000 to match the existing `tojson` depth limit. This fixes CVE-2026-33947. (cherry picked from commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f) |
itchyny <itchyny@cybozu.co.jp> | no | 2026-04-13 | ||
| CVE-2026-33948.patch | Fix NUL truncation in the JSON parser This fixes CVE-2026-33948. (cherry picked from commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b) |
itchyny <itchyny@cybozu.co.jp> | no | 2026-04-13 | ||
| CVE-2026-39956.patch | Add runtime type checks to f_string_indexes This fixes CVE-2026-39956. (cherry picked from commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03) |
tlsbollei <170938166+tlsbollei@users.noreply.github.com> | no | 2026-04-08 | ||
| CVE-2026-39979.patch | Fix out-of-bounds read in jv_parse_sized() This fixes CVE-2026-39979. (cherry picked from commit 2f09060afab23fe9390cce7cb860b10416e1bf5f) |
itchyny <itchyny@cybozu.co.jp> | no | 2026-04-13 | ||
| CVE-2026-40164.patch | Randomize hash seed to mitigate hash collision DoS attacks The hash function used a fixed seed, allowing attackers to craft colliding keys and cause O(n^2) object parsing performance. Initialize the seed from a random source at process startup to prevent the attack. This fixes CVE-2026-40164. (cherry picked from commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784) |
itchyny <itchyny@cybozu.co.jp> | no | 2026-04-13 | ||
| CVE-2026-41256.patch | Fix NUL truncation in program files loaded with -f This fixes CVE-2026-41256. (cherry picked from commit 5a015deae35d19e3ebbc65db6c157a80e76df738) |
itchyny <itchyny@cybozu.co.jp> | no | 2026-04-24 | ||
| CVE-2026-41257.patch | Fix signed-int overflow in `stack_reallocate` This fixes CVE-2026-41257. (cherry picked from commit 01b3cded76daacbfddb7f8763700b0803bcb5c6f) |
itchyny <itchyny@cybozu.co.jp> | no | 2026-04-24 | ||
| CVE-2026-43896.patch | Limit recursive object merge depth to prevent stack overflow This fixes CVE-2026-43896. (cherry picked from commit 532ccea6080ed6758f39fe9f6208a44b665023d2) |
itchyny <itchyny@cybozu.co.jp> | no | 2026-05-05 | ||
| CVE-2026-54679-2.patch | Tighten string length bounds and propagate invalid jv in implode The bound added in CVE-2026-32316 (e47e56d22) still allowed `sizeof(jvp_string) + (currlen + len) * 2 + 1` to wrap `size_t` on 32-bit platforms. Tighten the threshold so the final allocation fits in 32-bit `size_t`. Also break out of `jv_string_implode` and `f_string_implode` once `jv_string_append_codepoint` returns an invalid `jv`; otherwise the next iteration triggers the assertion in `jvp_string_ptr` (or invokes undefined behavior under `-DNDEBUG`). Fixes CVE-2026-54679. (cherry picked from commit 46d1da30944ce93dd671ac72b6513fc0eb747837) optimization) has not yet been introduced. |
itchyny <itchyny@cybozu.co.jp> | no | 2026-06-16 | ||
| CVE-2026-54679-3.patch | Parse nan in JSON as NaN instead of triggering a parse error (#2712) * Fix memory leak for has(nan) jv_array_get() used to be responsible of freeing the input array, but since b5c4c3d67decec22d34f494a200af59bbcadcc80, it is no longer called if the key is nan. We need to free it manually to avoid leaking the array. * Parse nan in JSON as NaN instead of triggering a parse error Fixes #2021 (cherry picked from commit 4b1ac7c95fc72b1fd59211f5af46cdf13f4ad478) |
Emanuele Torre <torreemanuele6@gmail.com> | no | 2023-07-14 |
All known versions for source package 'jq'
- 1.8.2-1 (forky, sid)
- 1.7.1-6+deb13u2 (trixie)
- 1.6-2.1+deb12u2 (bookworm, bookworm-security)
