Version in base suite: 1.7.1-6+deb13u1 Base version: jq_1.7.1-6+deb13u1 Target version: jq_1.7.1-6+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/j/jq/jq_1.7.1-6+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/j/jq/jq_1.7.1-6+deb13u2.dsc changelog | 12 +++++ patches/CVE-2026-33947.patch | 97 +++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2026-33948.patch | 45 +++++++++++++++++++ patches/CVE-2026-39956.patch | 50 ++++++++++++++++++++++ patches/CVE-2026-39979.patch | 25 +++++++++++ patches/CVE-2026-40164.patch | 83 ++++++++++++++++++++++++++++++++++++ patches/series | 5 ++ 7 files changed, 317 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpzbiq4d8y/jq_1.7.1-6+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpzbiq4d8y/jq_1.7.1-6+deb13u2.dsc: no acceptable signature found diff -Nru jq-1.7.1/debian/changelog jq-1.7.1/debian/changelog --- jq-1.7.1/debian/changelog 2025-07-07 16:16:39.000000000 +0000 +++ jq-1.7.1/debian/changelog 2026-04-17 09:08:56.000000000 +0000 @@ -1,3 +1,15 @@ +jq (1.7.1-6+deb13u2) trixie; urgency=medium + + * Cherry-pick upstream commit for the following: + * CVE-2026-32316 + * CVE-2026-33947 + * CVE-2026-33948 + * CVE-2026-39956 + * CVE-2026-39979 + * CVE-2026-40164 + + -- ChangZhuo Chen (陳昌倬) Fri, 17 Apr 2026 17:08:56 +0800 + jq (1.7.1-6+deb13u1) trixie; urgency=medium * Cherry-pick upstream commit for CVE-2025-48060. diff -Nru jq-1.7.1/debian/patches/CVE-2026-33947.patch jq-1.7.1/debian/patches/CVE-2026-33947.patch --- jq-1.7.1/debian/patches/CVE-2026-33947.patch 1970-01-01 00:00:00.000000000 +0000 +++ jq-1.7.1/debian/patches/CVE-2026-33947.patch 2026-04-17 09:08:56.000000000 +0000 @@ -0,0 +1,97 @@ +From: =?utf-8?b?IkNoYW5nWmh1byBDaGVuICjpmbPmmIzlgKwpIg==?= + +Date: Fri, 17 Apr 2026 09:03:54 +0800 +Subject: CVE-2026-33947 + +Origin: https://github.com/jqlang/jq/commit/fb59f1491058d58bdc3e8dd28f1773d1ac690a1f +--- + src/jv_aux.c | 21 +++++++++++++++++++++ + tests/jq.test | 25 +++++++++++++++++++++++++ + 2 files changed, 46 insertions(+) + +diff --git a/src/jv_aux.c b/src/jv_aux.c +index bbe1c0d..0855053 100644 +--- a/src/jv_aux.c ++++ b/src/jv_aux.c +@@ -376,6 +376,10 @@ static jv jv_dels(jv t, jv keys) { + return t; + } + ++#ifndef MAX_PATH_DEPTH ++#define MAX_PATH_DEPTH (10000) ++#endif ++ + jv jv_setpath(jv root, jv path, jv value) { + if (jv_get_kind(path) != JV_KIND_ARRAY) { + jv_free(value); +@@ -383,6 +387,12 @@ jv jv_setpath(jv root, jv path, jv value) { + jv_free(path); + return jv_invalid_with_msg(jv_string("Path must be specified as an array")); + } ++ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) { ++ jv_free(value); ++ jv_free(root); ++ jv_free(path); ++ return jv_invalid_with_msg(jv_string("Path too deep")); ++ } + if (!jv_is_valid(root)){ + jv_free(value); + jv_free(path); +@@ -434,6 +444,11 @@ jv jv_getpath(jv root, jv path) { + jv_free(path); + return jv_invalid_with_msg(jv_string("Path must be specified as an array")); + } ++ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) { ++ jv_free(root); ++ jv_free(path); ++ return jv_invalid_with_msg(jv_string("Path too deep")); ++ } + if (!jv_is_valid(root)) { + jv_free(path); + return root; +@@ -511,6 +526,12 @@ jv jv_delpaths(jv object, jv paths) { + jv_free(elem); + return err; + } ++ if (jv_array_length(jv_copy(elem)) > MAX_PATH_DEPTH) { ++ jv_free(object); ++ jv_free(paths); ++ jv_free(elem); ++ return jv_invalid_with_msg(jv_string("Path too deep")); ++ } + jv_free(elem); + } + if (jv_array_length(jv_copy(paths)) == 0) { +diff --git a/tests/jq.test b/tests/jq.test +index b36e591..e1deba0 100644 +--- a/tests/jq.test ++++ b/tests/jq.test +@@ -2123,3 +2123,28 @@ try ltrimstr("x") catch "x", try rtrimstr("x") catch "x" | "ok" + {"hey":[]} + "ok" + "ok" ++ ++# regression test for CVE-2026-33947 ++setpath([range(10000) | 0]; 0) | flatten ++null ++[0] ++ ++try setpath([range(10001) | 0]; 0) catch . ++null ++"Path too deep" ++ ++getpath([range(10000) | 0]) ++null ++null ++ ++try getpath([range(10001) | 0]) catch . ++null ++"Path too deep" ++ ++delpaths([[range(10000) | 0]]) ++null ++null ++ ++try delpaths([[range(10001) | 0]]) catch . ++null ++"Path too deep" diff -Nru jq-1.7.1/debian/patches/CVE-2026-33948.patch jq-1.7.1/debian/patches/CVE-2026-33948.patch --- jq-1.7.1/debian/patches/CVE-2026-33948.patch 1970-01-01 00:00:00.000000000 +0000 +++ jq-1.7.1/debian/patches/CVE-2026-33948.patch 2026-04-17 09:08:56.000000000 +0000 @@ -0,0 +1,45 @@ +From: =?utf-8?b?IkNoYW5nWmh1byBDaGVuICjpmbPmmIzlgKwpIg==?= + +Date: Fri, 17 Apr 2026 09:05:55 +0800 +Subject: CVE-2026-33948 + +Origin: https://github.com/jqlang/jq/commit/6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b +--- + src/util.c | 8 +------- + tests/shtest | 6 ++++++ + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/util.c b/src/util.c +index de44fa6..422a8b8 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -311,13 +311,7 @@ static int jq_util_input_read_more(jq_util_input_state *state) { + if (p != NULL) + state->current_line++; + +- if (p == NULL && state->parser != NULL) { +- /* +- * There should be no NULs in JSON texts (but JSON text +- * sequences are another story). +- */ +- state->buf_valid_len = strlen(state->buf); +- } else if (p == NULL && feof(state->current_input)) { ++ if (p == NULL && feof(state->current_input)) { + size_t i; + + /* +diff --git a/tests/shtest b/tests/shtest +index 14aafbf..544506a 100755 +--- a/tests/shtest ++++ b/tests/shtest +@@ -614,4 +614,10 @@ $VALGRIND $Q $JQ . <<\NUM + -10E-1000000001 + NUM + ++# CVE-2026-33948: No NUL truncation in the JSON parser ++if printf '{}\x00{}' | $JQ >/dev/null 2> /dev/null; then ++ printf 'Error expected but jq exited successfully\n' 1>&2 ++ exit 1 ++fi ++ + exit 0 diff -Nru jq-1.7.1/debian/patches/CVE-2026-39956.patch jq-1.7.1/debian/patches/CVE-2026-39956.patch --- jq-1.7.1/debian/patches/CVE-2026-39956.patch 1970-01-01 00:00:00.000000000 +0000 +++ jq-1.7.1/debian/patches/CVE-2026-39956.patch 2026-04-17 09:08:56.000000000 +0000 @@ -0,0 +1,50 @@ +From: =?utf-8?b?IkNoYW5nWmh1byBDaGVuICjpmbPmmIzlgKwpIg==?= + +Date: Fri, 17 Apr 2026 09:06:40 +0800 +Subject: CVE-2026-39956 + +Origin: https://github.com/jqlang/jq/commit/fdf8ef0f0810e3d365cdd5160de43db46f57ed03 +--- + src/builtin.c | 8 ++++++++ + tests/jq.test | 9 +++++++++ + 2 files changed, 17 insertions(+) + +diff --git a/src/builtin.c b/src/builtin.c +index 902490d..3cb8eb7 100644 +--- a/src/builtin.c ++++ b/src/builtin.c +@@ -1212,6 +1212,14 @@ static jv f_string_explode(jq_state *jq, jv a) { + } + + static jv f_string_indexes(jq_state *jq, jv a, jv b) { ++ if (jv_get_kind(a) != JV_KIND_STRING) { ++ jv_free(b); ++ return type_error(a, "cannot be searched, as it is not a string"); ++ } ++ if (jv_get_kind(b) != JV_KIND_STRING) { ++ jv_free(a); ++ return type_error(b, "is not a string"); ++ } + return jv_string_indexes(a, b); + } + +diff --git a/tests/jq.test b/tests/jq.test +index e1deba0..d731513 100644 +--- a/tests/jq.test ++++ b/tests/jq.test +@@ -1333,6 +1333,15 @@ split("") + "xababababax" + [1,7,[1,3,5,7]] + ++# _strindices is used by indices/1 but is callable ++try _strindices("abc") catch . ++123 ++"number (123) cannot be searched, as it is not a string" ++ ++try _strindices(123) catch . ++"abc" ++"number (123) is not a string" ++ + indices(1) + [0,1,1,2,3,4,1,5] + [1,2,6] diff -Nru jq-1.7.1/debian/patches/CVE-2026-39979.patch jq-1.7.1/debian/patches/CVE-2026-39979.patch --- jq-1.7.1/debian/patches/CVE-2026-39979.patch 1970-01-01 00:00:00.000000000 +0000 +++ jq-1.7.1/debian/patches/CVE-2026-39979.patch 2026-04-17 09:08:56.000000000 +0000 @@ -0,0 +1,25 @@ +From: =?utf-8?b?IkNoYW5nWmh1byBDaGVuICjpmbPmmIzlgKwpIg==?= + +Date: Fri, 17 Apr 2026 09:07:31 +0800 +Subject: CVE-2026-39979 + +Origin: https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f +--- + src/jv_parse.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/jv_parse.c b/src/jv_parse.c +index 9755b8a..84a847f 100644 +--- a/src/jv_parse.c ++++ b/src/jv_parse.c +@@ -890,8 +890,9 @@ jv jv_parse_sized_custom_flags(const char* string, int length, int flags) { + + if (!jv_is_valid(value) && jv_invalid_has_msg(jv_copy(value))) { + jv msg = jv_invalid_get_msg(value); +- value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%s')", ++ value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%.*s')", + jv_string_value(msg), ++ length, + string)); + jv_free(msg); + } diff -Nru jq-1.7.1/debian/patches/CVE-2026-40164.patch jq-1.7.1/debian/patches/CVE-2026-40164.patch --- jq-1.7.1/debian/patches/CVE-2026-40164.patch 1970-01-01 00:00:00.000000000 +0000 +++ jq-1.7.1/debian/patches/CVE-2026-40164.patch 2026-04-17 09:08:56.000000000 +0000 @@ -0,0 +1,83 @@ +From: =?utf-8?b?IkNoYW5nWmh1byBDaGVuICjpmbPmmIzlgKwpIg==?= + +Date: Fri, 17 Apr 2026 09:07:50 +0800 +Subject: CVE-2026-40164 + +Origin: https://github.com/jqlang/jq/commit/0c7d133c3c7e37c00b6d46b658a02244fdd3c784 +--- + configure.ac | 2 ++ + src/jv.c | 34 ++++++++++++++++++++++++++++++++-- + 2 files changed, 34 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 4c9feae..841ba1b 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -124,6 +124,8 @@ AC_CHECK_MEMBER([struct tm.tm_gmtoff], [AC_DEFINE([HAVE_TM_TM_GMT_OFF],1,[Define + AC_CHECK_MEMBER([struct tm.__tm_gmtoff], [AC_DEFINE([HAVE_TM___TM_GMT_OFF],1,[Define to 1 if the system has the __tm_gmt_off field in struct tm])], + [], [[#include ]]) + AC_FIND_FUNC([setlocale], [c], [#include ], [0,0]) ++AC_FIND_FUNC([arc4random], [c], [#include ], []) ++AC_FIND_FUNC([getentropy], [c], [#include ], [0, 0]) + + dnl Figure out if we have the pthread functions we actually need + AC_FIND_FUNC_NO_LIBS([pthread_key_create], [], [#include ], [NULL, NULL]) +diff --git a/src/jv.c b/src/jv.c +index c8e0c51..10a861f 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -40,6 +40,10 @@ + #include + #include + #include ++#include ++#include ++#include ++#include + + #include "jv_alloc.h" + #include "jv.h" +@@ -1170,7 +1174,33 @@ static jv jvp_string_append(jv string, const char* data, uint32_t len) { + } + } + +-static const uint32_t HASH_SEED = 0x432A9843; ++static uint32_t hash_seed; ++static pthread_once_t hash_seed_once = PTHREAD_ONCE_INIT; ++ ++static void jvp_hash_seed_init(void) { ++ uint32_t seed; ++#if defined(HAVE_ARC4RANDOM) ++ seed = arc4random(); ++#elif defined(HAVE_GETENTROPY) ++ if (getentropy(&seed, sizeof(seed)) != 0) ++ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); ++#else ++ int fd = open("/dev/urandom", O_RDONLY); ++ if (fd >= 0) { ++ if (read(fd, &seed, sizeof(seed)) != 4) ++ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); ++ close(fd); ++ } else { ++ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL); ++ } ++#endif ++ hash_seed = seed; ++} ++ ++static uint32_t jvp_hash_seed(void) { ++ pthread_once(&hash_seed_once, jvp_hash_seed_init); ++ return hash_seed; ++} + + static uint32_t rotl32 (uint32_t x, int8_t r){ + return (x << r) | (x >> (32 - r)); +@@ -1189,7 +1219,7 @@ static uint32_t jvp_string_hash(jv jstr) { + int len = (int)jvp_string_length(str); + const int nblocks = len / 4; + +- uint32_t h1 = HASH_SEED; ++ uint32_t h1 = jvp_hash_seed(); + + const uint32_t c1 = 0xcc9e2d51; + const uint32_t c2 = 0x1b873593; diff -Nru jq-1.7.1/debian/patches/series jq-1.7.1/debian/patches/series --- jq-1.7.1/debian/patches/series 2025-07-07 16:16:39.000000000 +0000 +++ jq-1.7.1/debian/patches/series 2026-04-17 09:08:56.000000000 +0000 @@ -7,3 +7,8 @@ CVE-2024-53427.patch CVE-2024-23337.patch CVE-2025-48060.patch +CVE-2026-33947.patch +CVE-2026-33948.patch +CVE-2026-39956.patch +CVE-2026-39979.patch +CVE-2026-40164.patch