Debian Patches

Status for jq/1.6-2.1+deb12u2

Patch Description Author Forwarded Bugs Origin Last update
CVE-2026-43895.patch Reject embedded NUL bytes in module import paths
jq accepts embedded NUL bytes at the language level but resolves
module import paths through NUL-terminated C strings, so the path
validated by policy or audit code could differ from the on-disk
path jq actually opens. Pass jv through gen_import so the AST
preserves the original bytes, and reject embedded NULs in
validate_relpath.

Fixes CVE-2026-43895.

(cherry picked from commit 9d223f153c3632a207fa071caaa6292da33ae361)
itchyny <itchyny@cybozu.co.jp> no 2026-05-09
CVE-2026-44777.patch Detect circular module imports to prevent stack overflow
jq used to recurse without bound on mutual or self-referential
`import` declarations, exhausting the stack. Track each library's
load state with a `loading` flag set before its dependencies are
processed; a recursive reference to an in-progress library now
reports "circular import of X".

Fixes CVE-2026-44777.

(cherry picked from commit f58787c41835d9b17795730cb04925fdba25c71c)
itchyny <itchyny@cybozu.co.jp> no 2026-05-11
CVE-2026-43894.patch Reject numeric literals longer than DEC_MAX_DIGITS (999999999)
A signed-int overflow in decNumber's D2U macro lets huge literals
write attacker-controlled bytes past a stack buffer. Cap the length
before calling decNumberFromString, and pre-slice long strings in
jv_dump_string_trunc so the resulting error message doesn't itself
allocate a multi-GiB buffer.

Fixes CVE-2026-43894.

(cherry picked from commit 9761ceb7d6cc48c16b25f0ab1baaef0e701927e4)
itchyny <itchyny@cybozu.co.jp> no 2026-05-06
CVE-2026-47770.patch Guard deep structural equality and comparison recursion (#3539)
jv_equal and jv_cmp overflows the C stack on deeply nested
input. Cap recursion at 10000 with -1 / INT_MIN sentinels;
operators that compose user expressions surface this as
"Equality check too deep" / "Comparison too deep".

Fixes CVE-2026-47770.

(cherry picked from commit 7122866869960b55cea3646bc91334ef55787831)
Yu-Fu Fu <yufu@yfu.tw> no 2026-05-22
CVE-2026-49839.patch Fix heap-buffer-overflow in raw file loading
When `jv_string_append_buf` overflows the string length limit,
it returns an invalid `jv`; `jv_load_file` then re-entered it
on the invalid value and overran the heap. Break out of the loop
once the value is invalid.

Fixes CVE-2026-49839.

(cherry picked from commit e987df0d463d85fd70825e042a082427e8275b86)
itchyny <itchyny@cybozu.co.jp> no 2026-06-08
GHSA-ggc9-rpv2-xgpm_and_GHSA-gvwx-xj9r-3frq.patch Fix undefined pointer arithmetic in UTF-8 helpers
Fixes GHSA-ggc9-rpv2-xgpm and GHSA-gvwx-xj9r-3frq.

(cherry picked from commit df924eae91af10cc236a907cdadd97813827aa1f)
theyoucheng <daniel1988xyz@gmail.com> no 2026-05-23
CVE-2026-54679-1.patch implode: Better invalid input validation and handling
Error on non-number and nan codepoint, would asserd before
Replace negative codepoint and surrogate range with unicode replacement character, would assert before

Fixes #1160

(cherry picked from commit a949745059ee61366a5d880c3b18d5d4db6524eb)
Mattias Wadman <mattias.wadman@gmail.com> no 2023-07-02
enable-manpages.patch patch Makefile to always generate the manpage. "ChangZhuo Chen (陳昌倬)" not-needed 2014-06-21
remove-unecessary-rakefile-deps.patch patch Rakefile to allow for easier manpage generation
This patch disable some of the dependencies that are not
required to build the actual manpage.
"ChangZhuo Chen (陳昌倬)" yes upstream 2014-06-21
patch-version-into-build.patch Set release version manually.
jq sets the build version by parsing the git branch. There is no git branch during
package building however. This patch sets the version manually. The version can be
looked up using `git describe --tags --match 'upstream*' | sed 's/^upstream\///'`.
"ChangZhuo Chen (陳昌倬)" yes upstream 2014-06-21
dont-distribute-duplicate-docs.patch Do not distribute COPYING, fixes lintian warning "ChangZhuo Chen (陳昌倬)" not-needed 2015-10-11
stack-exhaustion.patch Skip printing at MAX_DEPTH and deeper
This addresses #1136, and mitigates a stack exhaustion when printing
a very deeply nested term.
W-Mark Kubacki <wmark@hurrikane.de> no 2016-08-19
disable-static-libtool.patch Ensure jq doesn't statically link in libraries Harlan Lieberman-Berg <hlieberman@debian.org> not-needed 2018-11-04
0007-stop-using-libtool-bin.patch stop using libtool-bin Helmut Grohne <helmut@subdivi.de> no 2018-11-04
0008-Do-not-use-venderized-oniguruma.patch Do not use venderized oniguruma "ChangZhuo Chen (陳昌倬)" no 2018-11-04
0009-Hardcode-version-to-1.6.patch Hardcode version to 1.6 "ChangZhuo Chen (陳昌倬)" no 2019-01-27
0010-initialized-variables.patch Fix uninitialized variables Reiner Herrmann <reiner@reiner-h.de> no debian
CVE-2025-48060.patch Cherry-pick upstream commit c6e041699d8cd31b97375a2596217aff2cfca85b to fix CVE-2025-48060 "ChangZhuo Chen (陳昌倬)" no 2025-07-09
CVE-2026-32316.patch Fix heap buffer overflow in `jvp_string_append` and `jvp_string_copy_replace_bad`

In `jvp_string_append`, the allocation size `(currlen + len) * 2` could
overflow `uint32_t` when `currlen + len` exceeds `INT_MAX`, causing a small
allocation followed by a large `memcpy`.

In `jvp_string_copy_replace_bad`, the output buffer size calculation
`length * 3 + 1` could overflow `uint32_t`, again resulting in a small
allocation followed by a large write.

Add overflow checks to both functions to return an error for strings
that would exceed `INT_MAX` in length. Fixes CVE-2026-32316.

(cherry picked from commit e47e56d226519635768e6aab2f38f0ab037c09e5)
itchyny <itchyny@cybozu.co.jp> no 2026-03-12
CVE-2026-33947.patch Limit path depth to prevent stack overflow
Deeply nested path arrays can cause unbounded recursion in
`jv_setpath`, `jv_getpath`, and `jv_delpaths`, leading to
stack overflow. Add a depth limit of 10000 to match the
existing `tojson` depth limit. This fixes CVE-2026-33947.

(cherry picked from commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f)
itchyny <itchyny@cybozu.co.jp> no 2026-04-13
CVE-2026-33948.patch Fix NUL truncation in the JSON parser
This fixes CVE-2026-33948.

(cherry picked from commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b)
itchyny <itchyny@cybozu.co.jp> no 2026-04-13
CVE-2026-39956.patch Add runtime type checks to f_string_indexes
This fixes CVE-2026-39956.

(cherry picked from commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03)
tlsbollei <170938166+tlsbollei@users.noreply.github.com> no 2026-04-08
CVE-2026-39979.patch Fix out-of-bounds read in jv_parse_sized()
This fixes CVE-2026-39979.

(cherry picked from commit 2f09060afab23fe9390cce7cb860b10416e1bf5f)
itchyny <itchyny@cybozu.co.jp> no 2026-04-13
CVE-2026-40164.patch Randomize hash seed to mitigate hash collision DoS attacks
The hash function used a fixed seed, allowing attackers to craft colliding keys
and cause O(n^2) object parsing performance. Initialize the seed from a random
source at process startup to prevent the attack. This fixes CVE-2026-40164.

(cherry picked from commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784)
itchyny <itchyny@cybozu.co.jp> no 2026-04-13
CVE-2026-41256.patch Fix NUL truncation in program files loaded with -f
This fixes CVE-2026-41256.

(cherry picked from commit 5a015deae35d19e3ebbc65db6c157a80e76df738)
itchyny <itchyny@cybozu.co.jp> no 2026-04-24
CVE-2026-41257.patch Fix signed-int overflow in `stack_reallocate`
This fixes CVE-2026-41257.

(cherry picked from commit 01b3cded76daacbfddb7f8763700b0803bcb5c6f)
itchyny <itchyny@cybozu.co.jp> no 2026-04-24
CVE-2026-43896.patch Limit recursive object merge depth to prevent stack overflow
This fixes CVE-2026-43896.

(cherry picked from commit 532ccea6080ed6758f39fe9f6208a44b665023d2)
itchyny <itchyny@cybozu.co.jp> no 2026-05-05
CVE-2026-54679-2.patch Tighten string length bounds and propagate invalid jv in implode
The bound added in CVE-2026-32316 (e47e56d22) still allowed
`sizeof(jvp_string) + (currlen + len) * 2 + 1` to wrap `size_t` on
32-bit platforms. Tighten the threshold so the final allocation
fits in 32-bit `size_t`.

Also break out of `jv_string_implode` and `f_string_implode` once
`jv_string_append_codepoint` returns an invalid `jv`; otherwise the
next iteration triggers the assertion in `jvp_string_ptr` (or
invokes undefined behavior under `-DNDEBUG`).

Fixes CVE-2026-54679.

(cherry picked from commit 46d1da30944ce93dd671ac72b6513fc0eb747837)

optimization) has not yet been introduced.
itchyny <itchyny@cybozu.co.jp> no 2026-06-16
CVE-2026-54679-3.patch Parse nan in JSON as NaN instead of triggering a parse error (#2712)

* Fix memory leak for has(nan)

jv_array_get() used to be responsible of freeing the input array, but
since b5c4c3d67decec22d34f494a200af59bbcadcc80, it is no longer called
if the key is nan. We need to free it manually to avoid leaking the
array.

* Parse nan in JSON as NaN instead of triggering a parse error

Fixes #2021

(cherry picked from commit 4b1ac7c95fc72b1fd59211f5af46cdf13f4ad478)
Emanuele Torre <torreemanuele6@gmail.com> no 2023-07-14

All known versions for source package 'jq'

Links