jq: backport fix for CVE-2026-32316 #2

Merged
sbelikov merged 2 commits from cve-jq-CVE-2026-32316 into niceos-5.2 2026-05-26 15:11:26 +03:00
Owner

This update backports the upstream fix for CVE-2026-32316 in jq 1.8.1-1.

The vulnerability is an integer overflow in jvp_string_append() and jvp_string_copy_replace_bad() that can allocate an undersized heap buffer when very large strings are concatenated. Subsequent writes may overflow the heap, causing process crashes and potentially enabling exploitation through heap corruption.

NiceOS jq 1.8.1-1 is within the affected range, so the package should be treated as affected until the upstream fix is backported.

Validation planned:

  • rebuild the RPM
  • run jq CLI smoke tests
  • run targeted large-string regression checks
  • verify package install/upgrade behavior and library linkage
sbelikov merged commit 1990b3f7b0 into niceos-5.2 2026-05-26 15:11:26 +03:00
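
The undersized-allocation pattern described in this pull request, next to an overflow-checked version of the same size calculation. This is an added example, not jq source and not the upstream patch. The 32-bit lengths, the doubling growth policy, `MAX_STR_LEN` and both function names are assumptions made for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not jq source: 32-bit lengths, capacity grown to
 * twice the required length, and an assumed maximum string length. */
#define MAX_STR_LEN ((uint32_t)INT_MAX - 1u)

/* Unchecked sizing: the arithmetic wraps modulo 2^32, so the capacity can
 * come out far smaller than the bytes about to be copied into it. */
static uint32_t unchecked_capacity(uint32_t cur_len, uint32_t add_len) {
    return (cur_len + add_len) * 2u;
}

/* Checked sizing: widen before adding, reject lengths that cannot be
 * represented, and clamp the growth instead of letting it wrap.
 * Returns 0 and sets *cap on success, -1 when the append must fail. */
static int checked_capacity(uint32_t cur_len, uint32_t add_len, uint32_t *cap) {
    uint64_t need = (uint64_t)cur_len + (uint64_t)add_len;
    if (need > MAX_STR_LEN)
        return -1;
    uint64_t grown = need * 2u;
    *cap = (uint32_t)(grown > MAX_STR_LEN ? MAX_STR_LEN : grown);
    return 0;
}

int main(void) {
    /* Constructed lengths: 1.5 GiB existing string plus ~512 MiB appended. */
    uint32_t cur = 0x60000000u, add = 0x20000010u, cap = 0;
    printf("need=%llu unchecked_capacity=%u\n",
           (unsigned long long)cur + add, unchecked_capacity(cur, add));
    if (checked_capacity(cur, add, &cap) != 0)
        puts("checked: append rejected, nothing allocated");
    if (checked_capacity(10u, 5u, &cap) == 0)
        printf("checked: small append gets capacity %u\n", cap);
    return 0;
}
```

With the constructed lengths the unchecked calculation yields a 32-byte capacity for roughly 2 GiB of data, which is the condition a large-string regression check needs to confirm is now refused.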