rpms/jq

Fork 0

[security][HIGH] jq 1.8.1: CVE-2026-32316 require triage #1

New issue

Closed

opened 2026-05-25 20:44:46 +03:00 by sbelikov · 1 comment

sbelikov commented

2026-05-25 20:44:46 +03:00

Owner

CVE triage request / Запрос на разбор CVE

Package / Пакет

Package: jq
Version: 1.8.1
EVR: 1.8.1-1
Category: -
Policy class: -
NiceOS policy class: -
Owner: -
Severity: HIGH
Max CVSS: 7.5
CVE count: 1
Included NiceOS statuses: needs_triage
Included match types: cpe-range

LLM recommendation / Рекомендация LLM

RU

Для пакета jq 1.8.1 найдены CVE-кандидаты по данным NVD/CPE: CVE-2026-32316. Требуется triage security-team.

Проверить применимость CVE к сборке НАЙС.ОС, сопоставить с upstream/vendor advisory, определить статус affected/fixed/not_affected и при необходимости подготовить обновление пакета.

Рекомендуемое действие: needs_triage

Подсказка по целевой версии: -

Проверки: Проверить сборку RPM, обновление пакета, совместимость зависимостей, service/CLI smoke tests и регрессионные сценарии по классу пакета.

Риски: Автоматическое совпадение NVD/CPE не является финальным вердиктом по НАЙС.ОС.

EN

NVD/CPE candidate CVEs were found for jq 1.8.1: CVE-2026-32316. Security-team triage is required.

Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required.

Recommended action: needs_triage

Target version hint: -

Tests: Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests.

Risks: An automatic NVD/CPE match is not the final NiceOS vulnerability verdict.

CVE candidates from NVD/CPE

CVE	Severity	CVSS	Match	Confidence	NiceOS status	Fixed in	Existing issue	Reason
CVE-2026-32316	HIGH	7.5	cpe-range	80	needs_triage			package version is inside version range

Descriptions

CVE-2026-32316

jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5.

Scanner integration / Интеграция со сканером

This issue was generated from niceos_cve_matches after the SPEC/Forgejo evidence pass.
After real creation, this script writes forgejo_issue_open rows into niceos_cve_evidence and marks the selected CVE rows as issue_open, so the next scanner/creator run does not duplicate the issue.

Maintainer checklist

Verify whether each CVE applies to the NiceOS build.
Compare NVD data with upstream/vendor advisory.
Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
If affected, decide update/backport strategy according to package policy class.
Run package-class-specific build, upgrade and regression tests.
Add/update niceos_cve_triage entry.
Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2026-32316"
  ],
  "fingerprint": "d26863c54f5bd61fd959",
  "generated_at": "2026-05-25T17:44:45Z",
  "match_ids": [
    1415
  ],
  "match_types": [
    "cpe-range"
  ],
  "package": "jq",
  "prompt_version": "niceos_cve_issue_analysis_v2",
  "statuses": [
    "needs_triage"
  ],
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "2.0",
  "version": "1.8.1"
}

# CVE triage request / Запрос на разбор CVE ## Package / Пакет - Package: `jq` - Version: `1.8.1` - EVR: `1.8.1-1` - Category: `-` - Policy class: `-` - NiceOS policy class: `-` - Owner: `-` - Severity: `HIGH` - Max CVSS: `7.5` - CVE count: `1` - Included NiceOS statuses: `needs_triage` - Included match types: `cpe-range` ## LLM recommendation / Рекомендация LLM ### RU Для пакета jq 1.8.1 найдены CVE-кандидаты по данным NVD/CPE: CVE-2026-32316. Требуется triage security-team. Проверить применимость CVE к сборке НАЙС.ОС, сопоставить с upstream/vendor advisory, определить статус affected/fixed/not_affected и при необходимости подготовить обновление пакета. **Рекомендуемое действие:** `needs_triage` **Подсказка по целевой версии:** `-` **Проверки:** Проверить сборку RPM, обновление пакета, совместимость зависимостей, service/CLI smoke tests и регрессионные сценарии по классу пакета. **Риски:** Автоматическое совпадение NVD/CPE не является финальным вердиктом по НАЙС.ОС. ### EN NVD/CPE candidate CVEs were found for jq 1.8.1: CVE-2026-32316. Security-team triage is required. Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required. **Recommended action:** `needs_triage` **Target version hint:** `-` **Tests:** Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests. **Risks:** An automatic NVD/CPE match is not the final NiceOS vulnerability verdict. ## CVE candidates from NVD/CPE | CVE | Severity | CVSS | Match | Confidence | NiceOS status | Fixed in | Existing issue | Reason | |---|---|---:|---|---:|---|---|---|---| | CVE-2026-32316 | HIGH | 7.5 | cpe-range | 80 | needs_triage | | | package version is inside version range | ## Descriptions ### CVE-2026-32316 jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5. ## Scanner integration / Интеграция со сканером This issue was generated from `niceos_cve_matches` after the SPEC/Forgejo evidence pass. After real creation, this script writes `forgejo_issue_open` rows into `niceos_cve_evidence` and marks the selected CVE rows as `issue_open`, so the next scanner/creator run does not duplicate the issue. ## Maintainer checklist - [ ] Verify whether each CVE applies to the NiceOS build. - [ ] Compare NVD data with upstream/vendor advisory. - [ ] Set final NiceOS status: `affected`, `fixed`, `not_affected`, `false_positive`, `deferred`, or `not_in_cloud_image`. - [ ] If affected, decide update/backport strategy according to package policy class. - [ ] Run package-class-specific build, upgrade and regression tests. - [ ] Add/update `niceos_cve_triage` entry. - [ ] Create `NICE-SA` advisory if a security update is shipped. ## Machine metadata ```json { "cves": [ "CVE-2026-32316" ], "fingerprint": "d26863c54f5bd61fd959", "generated_at": "2026-05-25T17:44:45Z", "match_ids": [ 1415 ], "match_types": [ "cpe-range" ], "package": "jq", "prompt_version": "niceos_cve_issue_analysis_v2", "statuses": [ "needs_triage" ], "tool": "niceos_cve_create_issues.py", "tool_version": "2.0", "version": "1.8.1" } ```

sbelikov added the

labels

2026-05-25 20:44:46 +03:00

sbelikov commented

2026-05-26 15:12:44 +03:00

Author

Owner

CVE resolution / Закрытие CVE

EN

Resolved in NiceOS branch niceos-5.2.
Status: fixed.
Fixed in EVR: 1.8.1-2.
CVE: CVE-2026-32316.
Source: SPECS/jq.spec.

RU

Исправлено в ветке НАЙС.ОС niceos-5.2.
Статус: fixed.
Исправлено в EVR: 1.8.1-2.
CVE: CVE-2026-32316.
Источник: SPECS/jq.spec.

## CVE resolution / Закрытие CVE ### EN Resolved in NiceOS branch `niceos-5.2`. Status: `fixed`. Fixed in EVR: `1.8.1-2`. CVE: `CVE-2026-32316`. Source: `SPECS/jq.spec`. ### RU Исправлено в ветке НАЙС.ОС `niceos-5.2`. Статус: `fixed`. Исправлено в EVR: `1.8.1-2`. CVE: `CVE-2026-32316`. Источник: `SPECS/jq.spec`.

sbelikov closed this issue

2026-05-26 15:12:44 +03:00