Your message dated Wed, 01 Jul 2026 19:17:21 +0000
with message-id <[email protected]>
and subject line Bug#1136445: fixed in jq 1.6-2.1+deb12u2
has caused the Debian Bug report #1136445,
regarding jq: CVE-2026-40612 CVE-2026-41256 CVE-2026-41257 CVE-2026-43894 
CVE-2026-43895 CVE-2026-43896 CVE-2026-44777
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136445: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jq
Version: 1.8.1-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for jq.

CVE-2026-40612[0]:
| jq is a command-line JSON processor. In 1.8.1 and earlier,
| jv_contains recurses into nested arrays/objects with no depth limit.
| With a sufficiently nested input structure (built programmatically
| with reduce, since the JSON parser caps at depth 10000), the C stack
| is exhausted.


CVE-2026-41256[1]:
| jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level
| jq programs loaded from a file with -f are truncated at the first
| embedded NUL byte on current upstream HEAD. A crafted filter file
| such as . followed by \x00 and arbitrary suffix compiles and
| executes as only the prefix before the NUL. This leaves jq with a
| post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation
| path even though the JSON parser path has already been fixed.


CVE-2026-41257[2]:
| jq is a command-line JSON processor. In 1.8.1 and earlier, the jq
| bytecode VM's data stack tracks its allocation size in a signed int.
| When the stack grows beyond ≈1 GiB (via deeply nested generator
| forks), the doubling arithmetic overflows. The wrapped value is
| passed to realloc and then used for a memmove with attacker-
| influenced offsets.


CVE-2026-43894[3]:
| jq is a command-line JSON processor. In 1.8.1 and earlier, when
| decNumberFromString is given a number literal of INT_MAX-1
| (2147483646) digits, the D2U() macro overflows during signed-int
| arithmetic. The wrapped negative value bypasses the heap-allocation
| size check, causes the function to use a 30-byte stack buffer, and
| then writes ≈715 million 16-bit units (≈1.4 GiB) at an offset 1.43
| GiB below the stack frame. The written content is fully attacker-
| controlled (the parsed decimal digits, packed 3-per-unit).


CVE-2026-43895[4]:
| jq is a command-line JSON processor. In 1.8.1 and earlier, jq
| accepts embedded NUL bytes in import paths at the jq-language level,
| but later resolves those paths through C string operations during
| module and data-file lookup. This creates a mismatch between the
| logical import string that policy or audit code may validate and the
| on-disk path that jq actually opens.


CVE-2026-43896[5]:
| jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded
| recursion in jv_object_merge_recursive() allows a crafted jq program
| to crash the process with a segfault. The function is reachable
| through the * operator when both operands are objects.


CVE-2026-44777[6]:
| jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the
| ordinary module loader recurses without cycle detection when two
| otherwise valid modules include each other.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-40612
    https://www.cve.org/CVERecord?id=CVE-2026-40612
[1] https://security-tracker.debian.org/tracker/CVE-2026-41256
    https://www.cve.org/CVERecord?id=CVE-2026-41256
[2] https://security-tracker.debian.org/tracker/CVE-2026-41257
    https://www.cve.org/CVERecord?id=CVE-2026-41257
[3] https://security-tracker.debian.org/tracker/CVE-2026-43894
    https://www.cve.org/CVERecord?id=CVE-2026-43894
[4] https://security-tracker.debian.org/tracker/CVE-2026-43895
    https://www.cve.org/CVERecord?id=CVE-2026-43895
[5] https://security-tracker.debian.org/tracker/CVE-2026-43896
    https://www.cve.org/CVERecord?id=CVE-2026-43896
[6] https://security-tracker.debian.org/tracker/CVE-2026-44777
    https://www.cve.org/CVERecord?id=CVE-2026-44777

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: jq
Source-Version: 1.6-2.1+deb12u2
Done: Andreas Henriksson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
jq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Henriksson <[email protected]> (supplier of updated jq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 01 Jul 2026 10:47:59 +0200
Source: jq
Architecture: source
Version: 1.6-2.1+deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: ChangZhuo Chen (陳昌倬) <[email protected]>
Changed-By: Andreas Henriksson <[email protected]>
Closes: 1133921 1136445
Changes:
 jq (1.6-2.1+deb12u2) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2026-32316 (Closes: #1133921)
   * CVE-2026-33947
   * CVE-2026-33948
   * CVE-2026-39956
   * CVE-2026-39979
   * CVE-2026-40164
   * CVE-2026-41256 (Closes: #1136445)
   * CVE-2026-41257
   * CVE-2026-43896
   * CVE-2026-43895
   * CVE-2026-44777
   * CVE-2026-43894
   * CVE-2026-47770
   * CVE-2026-49839
   * GHSA-ggc9-rpv2-xgpm and GHSA-gvwx-xj9r-3frq
   * CVE-2026-54679
Checksums-Sha1:
 c10217110f716e6e3c1abe05d35782fa2848bdfe 1973 jq_1.6-2.1+deb12u2.dsc
 2fdbf962ec939eafb2c37427adcd7fab94293cd4 419859 jq_1.6.orig.tar.gz
 74ad5ffb03b4993b05de37e8bd75f704274aa3c6 28368 jq_1.6-2.1+deb12u2.debian.tar.xz
 9cfbb606f64802d6779e47d7001be19330ebd2dd 6849 
jq_1.6-2.1+deb12u2_source.buildinfo
Checksums-Sha256:
 ac53e4e0af865fd228e47c26a6d9a34da459fd4fbc2ab90815147dfeedf6ded0 1973 
jq_1.6-2.1+deb12u2.dsc
 3ba940b97571c866923f0409678033d33b5a98758dfc174fad8397ed908bc4d9 419859 
jq_1.6.orig.tar.gz
 88498e8c917c09ddee251544b0525051551e6a0552c862625696a3e83469ae66 28368 
jq_1.6-2.1+deb12u2.debian.tar.xz
 7efe4a88e191722f1d33a1f7571821cd78a768d2e1de879139da0f451b19baeb 6849 
jq_1.6-2.1+deb12u2_source.buildinfo
Files:
 1af7d074b8a3fbdbc18d1837ac263096 1973 utils optional jq_1.6-2.1+deb12u2.dsc
 430dd5b73f36db64fd7c128a0313e98e 419859 utils optional jq_1.6.orig.tar.gz
 53989e73b541e157e695f0bb5ee2caa8 28368 utils optional 
jq_1.6-2.1+deb12u2.debian.tar.xz
 bacf508f0c60e863c6c1b229da8763c0 6849 utils optional 
jq_1.6-2.1+deb12u2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE+uHltkZSvnmOJ4zCC8R9xk0TUwYFAmpFIxYACgkQC8R9xk0T
Uwa5Vg//ZNYpaaf5nW3yXz/W59OzAnjHI2PZK2Jsc92bzKxBpYvK4bmIkRZzJp5F
Xn03kbjNFKaSDbHoFr8fkzb5LomYq4Dq15RimQ4K2paOpt44O5uJ8fKsjchAbdh2
21Hdo9MISZzVt0XleMdlCVPdqxkjsjh7AGa7Jvei9pcQc29duPDYiOo6ftds9Inr
vsHDBlu2Ga+baxVhL/pwVgMOUB+uLWd2o3hbo/06ADTM5hha3cXe4ZZvhwadFVjB
Q/Yjfb73OkdU60W226vIToVXD0JQBXfbbziisffwNci8Ky7zsoaVd5HdCjKi/u0X
zLcjVruPdrwjao/cb1tDjF/3fopKE62uQjpWCenjzWB7gOmy6ovoUiDRXmJi6iuN
n9oGmVz3HtJNDrxgIAM60sN4ztelO2UMKaBk/koAyhDdZGavGwWTHZS5ujNDrG9J
6I25sUE6gONNCbPvGbGpkpid4fLOkWE8ynGimOAhMObyM32x6JlOrfVg4+Thd4ez
Feti/QWwxU6IA4jAOsjJmiKP/vuZnJn+oLGQb0wXsqWsHN3k1D/HpwFkulkh1I6A
2hXJH0eQR4tjbHI3iyjB78/r/JkwWR0RbKgeb0K0M6667H7XakN38wA5uQlrplcG
RW2INwsyN+l+RN07NhryLplkdXKTSShYDyNJ2fipZcIn+vNSDgc=
=Hld9
-----END PGP SIGNATURE-----

Attachment: pgpCe4k4xhzYv.pgp
Description: PGP signature


--- End Message ---

Reply via email to