pkgsrc-Changes archive


CVS commit: pkgsrc/devel/jq



Module Name:    pkgsrc
Committed By:   wiz
Date:           Sun Jun 21 11:19:58 UTC 2026

Modified Files:
        pkgsrc/devel/jq: Makefile distinfo

Log Message:
jq: update to 1.8.2.

Security fix release.

Ok leot@

# 1.8.2

This is a patch release with security fixes and bug fixes since 1.8.1, along with new builds for Windows arm64 and Docker arm/v7.
Full commit log can be found at <https://github.com/jqlang/jq/compare/jq-1.8.1...jq-1.8.2>.

## Security fixes

- CVE-2026-32316: Fix heap buffer overflow in `jvp_string_append` and `jvp_string_copy_replace_bad`.
  @itchyny e47e56d226519635768e6aab2f38f0ab037c09e5
- CVE-2026-33947: Limit path depth to prevent stack overflow in `jv_setpath`, `jv_getpath`, `jv_delpaths`.
  @itchyny fb59f1491058d58bdc3e8dd28f1773d1ac690a1f
- CVE-2026-33948: Fix NUL truncation in the JSON parser.
  @itchyny 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b
- CVE-2026-39956: Fix `_strindices` missing runtime type checks.
  @tlsbollei fdf8ef0f0810e3d365cdd5160de43db46f57ed03
- CVE-2026-39979: Fix out-of-bounds read in `jv_parse_sized()`.
  @wader 2f09060afab23fe9390cce7cb860b10416e1bf5f
- CVE-2026-40164: Randomize hash seed to mitigate hash collision DoS attacks.
  @AsafMeizner @itchyny 0c7d133c3c7e37c00b6d46b658a02244fdd3c784
- CVE-2026-40612: Limit containment check depth to prevent stack overflow in `contains`.
  @itchyny d1a12569d91641135976a8536776a4a329c02cc2
- CVE-2026-41256: Fix NUL truncation in program files loaded with `-f`.
  @itchyny 5a015deae35d19e3ebbc65db6c157a80e76df738
- CVE-2026-41257: Fix signed-int overflow in `stack_reallocate`.
  @itchyny 01b3cded76daacbfddb7f8763700b0803bcb5c6f
- CVE-2026-43894: Reject numeric literals longer than `DEC_MAX_DIGITS` (999999999).
  @itchyny 9761ceb7d6cc48c16b25f0ab1baaef0e701927e4
- CVE-2026-43895: Reject embedded NUL bytes in module import paths.
  @itchyny 9d223f153c3632a207fa071caaa6292da33ae361
- CVE-2026-43896: Limit recursive object merge depth to prevent stack overflow.
  @itchyny 532ccea6080ed6758f39fe9f6208a44b665023d2
- CVE-2026-44777: Detect circular module imports to prevent stack overflow.
  @itchyny f58787c41835d9b17795730cb04925fdba25c71c
- CVE-2026-47770: Guard deep structural equality and comparison recursion.
  @fuyu0425 7122866869960b55cea3646bc91334ef55787831
- CVE-2026-49839: Fix heap-buffer-overflow in raw file loading.
  @itchyny e987df0d463d85fd70825e042a082427e8275b86
- CVE-2026-54679: Tighten string length bounds and propagate invalid jv in implode.
  @itchyny 46d1da30944ce93dd671ac72b6513fc0eb747837
- GHSA-gf4g-95wj-4q4r: Fix use-after-free in `args2obj()` array argument path. @sseal #3498
- GHSA-hj52-j2c9-r8r4: Fix signed-int overflow in `tokenadd` to prevent buffer overflow.
  @itchyny 63751f8a9f94dc6d3370084ad0d60826c58b955d
- Limit the number of function parameters and definitions to prevent SEGV. @OwenSanzas #3460
- Pre-allocate `tokenbuf` for string parser to avoid undefined behavior. @fab1ano #3485
- Avoid stack overflow when freeing deeply nested values.
  @itchyny 33d7bce3218ec718139342e5b48b475c4dea715f
- Fix memory leaks and double frees. @itchyny #3487

## Releasing

- Add builds for Windows arm64. @dennisameling #3376
- Support arm/v7 architecture in Docker images. @itchyny #3463
- Update GPG signing key. @itchyny 0ff997f7c4c07660ffc6ad2506d5f56b8136208b
- Add `artifact-metadata` permission for actions/attest. @itchyny #3530
- Upload attestation bundle as a release artifact, allowing unauthenticated
  verification via `gh attestation verify --bundle jq-attestation.json`.
  @itchyny #3563

## CLI changes

- Improve error message truncation with closing delimiters. @itchyny #3478
- Remove extra space from `die` function output. @krtk6160 #3391
- Fix raw input flag not to corrupt multi-byte characters. @itchyny #3421
- Fix crash when importing a module with errors twice. @itchyny #3497
- Increase the maximum printing depth from 256 to 10000. @ishnagy #3414

## Changes to existing functions

- Fix `rtrimstr("")` always outputting `""`. @A4-Tacks #3415
- Fix infinite loop and undefined behavior in `del(.[nan])`. @itchyny #3490
- Refactor `@uri` and `@urid` to fix multi-byte UTF-8 corruption. @itchyny #3495
- Fix `tonumber` and `toboolean` to reject strings with embedded null bytes. @itchyny #3496
- Fix undefined behavior in modulo operator. @fab1ano #3486
- Fix reversed pointer subtraction in `f_env` bounds check. @itchyny #3465
- Fix missing validity check in `f_strflocaltime` after `f_localtime`. @itchyny #3491
- Fix year 2038 problem on 32-bit platforms. @itchyny #3407
- Use `//` instead of `//=` in `from_entries` definition. @itchyny #3516

## Build and test changes

- Drop `strptime` test using non-portable `%F`. @alyssais #3365
- Limit oniguruma depth to 1024 in `jq_fuzz_execute`. @sudhackar #3377
- Fix localization test for time formatting functions. @itchyny #3409
- Fix expected value assertion. @itchyny #3431 #3408
- Fix typo in tests/jq.test. @bigmoonbit #3441
- Refactor `tm2jv` to handle fractional seconds. @itchyny #3489
- Fix `jq_fuzz_parse_stream`: use iterative parser API for streaming mode. @OwenSanzas #3499
- Fix crashes and resource leaks in `jq_testsuite`. @itchyny #3509
- Support building with `--disable-maintainer-mode` and source != build dir. @Saur2000 #3518
- Add Solaris support. @vlmarek #3515
- Respect `SOURCE_DATE_EPOCH` while generating man page. @McSinyx #3514
- Fix undefined pointer arithmetic in UTF-8 helpers. @theyoucheng df924eae91af10cc236a907cdadd97813827aa1f
- Fix one-byte over-read in `BASE64_DECODE_TABLE`. @itchyny #3547

## Documentation changes

- Add wiki link to navigation bar. @wader #3424
- Add missing word in manual for rawfile. @jpmens #3434
- Fix typo "stder" to "stderr". @jjatria #3446
- Fix buttons in tutorial to toggle labels when clicked on. @itchyny #3493
- Fix "happened" spelling in tutorial changelog entries. @Rohan5commit #3525


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 pkgsrc/devel/jq/Makefile
cvs rdiff -u -r1.22 -r1.23 pkgsrc/devel/jq/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/devel/jq/Makefile
diff -u pkgsrc/devel/jq/Makefile:1.24 pkgsrc/devel/jq/Makefile:1.25
--- pkgsrc/devel/jq/Makefile:1.24       Sun Jul  6 09:07:43 2025
+++ pkgsrc/devel/jq/Makefile    Sun Jun 21 11:19:57 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.24 2025/07/06 09:07:43 wiz Exp $
+# $NetBSD: Makefile,v 1.25 2026/06/21 11:19:57 wiz Exp $
 
-DISTNAME=      jq-1.8.1
+DISTNAME=      jq-1.8.2
 CATEGORIES=    devel
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=jqlang/}
 GITHUB_RELEASE=        ${DISTNAME}
@@ -20,6 +20,9 @@ PKGCONFIG_OVERRIDE=   libjq.pc.in
 
 TEST_TARGET=   check
 
+# 3 self tests failed as of 1.8.2
+# https://github.com/jqlang/jq/issues/3567
+
 .include "options.mk"
 
 .include "../../mk/bsd.pkg.mk"
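
Review bot: The comment added below `TEST_TARGET= check` says 3 self tests fail as of 1.8.2 but names neither the tests nor the platform they fail on, while the test target stays enabled. Anyone running the tests on this security update will see failures and cannot tell the known ones from a new regression without opening the linked issue. Consider listing the failing test names next to the issue URL and noting the platform on which the result was observed.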

Index: pkgsrc/devel/jq/distinfo
diff -u pkgsrc/devel/jq/distinfo:1.22 pkgsrc/devel/jq/distinfo:1.23
--- pkgsrc/devel/jq/distinfo:1.22       Sun Jul  6 09:07:43 2025
+++ pkgsrc/devel/jq/distinfo    Sun Jun 21 11:19:57 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.22 2025/07/06 09:07:43 wiz Exp $
+$NetBSD: distinfo,v 1.23 2026/06/21 11:19:57 wiz Exp $
 
-BLAKE2s (jq-1.8.1.tar.gz) = 6bfde0dea2a58348f14d125be2693550b47636e948366f031a40942bfa3a0cea
-SHA512 (jq-1.8.1.tar.gz) = b09d48dbeaac7b552397b75692ed7833afa72186de80d977fb1b887a14ac66c02f677acdd79f9a2736db1fd738b7ce57a39725e34846bfa21ed3728cd7adc187
-Size (jq-1.8.1.tar.gz) = 2026798 bytes
+BLAKE2s (jq-1.8.2.tar.gz) = 0fc6f98a3e806e61bcfa45cd65e635208b0d4023b108da7ff224762955b356ff
+SHA512 (jq-1.8.2.tar.gz) = d4058940cff1cd9946d7f2a9057316bf05915679385386685d140b7a82d870d43ae5b5b4d0a5560c864cf0ef2cc59d7b6ed3afb46b3aea0f4d35329678b2c328
+Size (jq-1.8.2.tar.gz) = 1959950 bytes
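
Review bot: The new `BLAKE2s`, `SHA512` and `Size` lines for jq-1.8.2.tar.gz record whichever tarball was fetched when distinfo was regenerated, and the commit does not say whether that tarball was checked against upstream. The log message notes that this release has an updated GPG signing key and an attestation bundle verifiable with `gh attestation verify --bundle jq-attestation.json`. Stating in the log that the distfile was verified that way before the hashes were recorded would make this hunk auditable. The size also drops from 2026798 to 1959950 bytes for a patch release, which deserves a one-line confirmation that the smaller tarball is the expected release artifact.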


