[Low] Patch jq for CVE-2025-9403#17153

Open
VijayenderReddyPutta wants to merge 1 commit into
microsoft:3.0-devfrom
Kanishk-Bansal:topic_jq-3.0

Conversation


@VijayenderReddyPutta VijayenderReddyPutta commented May 12, 2026

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?
[Low] Patch jq for CVE-2025-9403
The upstream patch matches our source code, except for the jv_get_kind, jv_dump_string, and jv_parse_sized functions.
The -#include <math.h> line is also not available in our source code.

Change Log
Does this affect the toolchain?

NO

Associated issues
  • #xxxx
Links to CVEs
Test Methodology
  • Pipeline build id: xxxx

Patch applies cleanly: [screenshot]

@VijayenderReddyPutta VijayenderReddyPutta requested a review from a team as a code owner May 12, 2026 12:36
@microsoft-github-policy-service microsoft-github-policy-service Bot added Packaging 3.0-dev PRs Destined for AzureLinux 3.0 labels May 12, 2026
@VijayenderReddyPutta VijayenderReddyPutta marked this pull request as draft May 12, 2026 12:37
@VijayenderReddyPutta VijayenderReddyPutta marked this pull request as ready for review May 12, 2026 13:22
@Kanishk-Bansal
Contributor

Build

@azurelinux-security
Contributor

🔒 CVE Patch Review: CVE-2025-9403

PR #17153 — [Low] Patch jq for CVE-2025-9403
Package: jq | Branch: 3.0-dev

Spec File Validation

  • Release bump: Release bumped 5 → 6
  • Patch entry: Patch entries added: ['CVE-2025-9403.patch'] (covers ['CVE-2025-9403'])
  • Patch application: %autosetup/%autopatch found in full spec — patches applied automatically
  • Changelog: Changelog entry looks good
  • Signatures: No source tarball changes — signatures N/A
  • Manifests: Not a toolchain PR — manifests N/A

Build Verification

  • Build status: ✅ PASSED
  • Artifact downloaded:
  • CVE applied during build:
  • Warnings (3):
    • L266: time="2026-05-12T18:10:38Z" level=debug msg="configure: WARNING: valgrind is required to test jq."
    • L272: time="2026-05-12T18:10:39Z" level=debug msg="configure: WARNING: Error checking python dependencies: "
    • L444: time="2026-05-12T18:10:45Z" level=debug msg="libtool: warning: remember to run 'libtool --finish /usr/lib'"

🤖 AI Build Log Analysis

  • Risk: medium
  • Summary: The jq 1.7.1-6.azl3 package built successfully with multiple CVE patches applied, including CVE-2025-9403. All patches applied under strict conditions (--fuzz=0) without reported failures, the project configured and compiled cleanly, and RPMs were produced. Non-fatal warnings appeared regarding missing Python dependencies for documentation, a hostname canonicalization warning, and a libtool reminder, but these did not affect the build outcome.
  • AI-detected warnings:
    • configure: WARNING: Python dependencies for building jq documentation not found; manpage will not be rebuilt and manpage tests will not run.
    • warning: Could not canonicalize hostname: ed7f948fc000000
    • libtool: warning: remember to run 'libtool --finish /usr/lib'

🧪 Test Log Analysis

  • Test status: ❌ FAILED
  • Test errors (1):
    • L530: time="2026-05-12T18:11:05Z" level=debug msg="# ERROR: 0"
  • Test warnings (3):
    • L271: time="2026-05-12T18:10:57Z" level=debug msg="configure: WARNING: valgrind is required to test jq."
    • L277: time="2026-05-12T18:10:57Z" level=debug msg="configure: WARNING: Error checking python dependencies: "
    • L449: time="2026-05-12T18:11:02Z" level=debug msg="libtool: warning: remember to run 'libtool --finish /usr/lib'"

🤖 AI Test Log Analysis
  • Risk: low
  • Summary: The jq 1.7.1 test suite ran successfully after applying the CVE-2025-9403 patch (and other CVE patches), with all 8 tests passing and no failures, errors, or skips. Build and %check completed with exit status 0, indicating no regressions introduced by the patch.

Patch Analysis

  • Match type: backport
  • Risk assessment: low
  • Summary: The PR applies the core upstream change to jq_test.c by replacing the assert-based equality check with an explicit comparison that reports a failure and sets pass=0, and by fixing the dump flags to 0 instead of using a randomized mask. Context differs due to the downstream source layout, but the functional behavior of the critical hunk matches upstream. Some minor upstream adjustments (header and NaN-guard changes) are not present in the PR, likely due to differences in the downstream code base.
  • Missing hunks:
    • Upstream removed the inclusion of <math.h> near the top of jq_test.c; this change is not present in the PR (may not exist in the downstream file).
    • Upstream removed the isnan-based guard around the reparse equality check under USE_DECNUM; the PR does not show this change (likely because the downstream code does not have that guard or the context differs).

Detailed analysis
  1. Core equivalence: The upstream patch changes the test verification in jq_test.c to avoid a hard assert by: (a) dumping the expected value with flags=0 instead of using a randomized mask (rand() & ~(JV_PRINT_COLOR|JV_PRINT_REFCOUNT)); (b) reparsing it; (c) if not equal, printing a diagnostic (including dumping the reparsed value) and setting pass=0; and (d) freeing temporary JV values. The PR implements exactly these two core changes: it sets the flags argument of jv_dump_string to 0 and replaces the assert(jv_equal(...)) with an if (!jv_equal(...)) block that prints an error using lineno and buf, then sets pass=0. It retains the frees. This matches the functional intent and behavior of the upstream fix.

  2. Context differences: The PR context shows an earlier printf using "line number" and the variable prog, indicating that the downstream source differs from the upstream version around those lines. The newly added failure message uses lineno and buf, matching upstream’s message contents. These context differences do not affect the functional change being backported.

  3. Upstream-only adjustments: The upstream patch also (i) removes the inclusion of <math.h>, and (ii) eliminates an isnan-based conditional guarding the equality check under USE_DECNUM. The PR does not include these hunks. Given the differing context in the downstream file, it is plausible that these constructs are absent in the Azure Linux source and thus not applicable. If the isnan guard existed downstream and was left intact, the new comparison would still only execute when that condition allowed, which would differ slightly from upstream intent; however, the PR snippet shows the call site directly without such a guard, suggesting it likely does not exist in that tree.

  4. Risk and regressions: The patch touches test harness code (jq_test.c) and replaces an assert with controlled error reporting while also removing non-determinism from jv_dump_string by using flags=0. This reduces test flakiness and avoids abrupt termination, aligning with upstream. As it is test code, the operational risk to runtime functionality is low. The only potential difference would arise if the downstream code retained an isnan/USE_DECNUM guard that upstream removed; in that case, NaN-related cases might still be skipped downstream, but this would only affect test behavior, not production code.

  5. Backport assessment: The PR faithfully backports the critical hunk with safe context adjustments appropriate for the downstream code base. No functional gaps in the core fix are evident.

Raw diff (upstream vs PR)
--- upstream
+++ pr
@@ -1,44 +1,41 @@
-From 33b3a68f9c32413cf3a1afa76addf0dd64c2922b Mon Sep 17 00:00:00 2001
-From: itchyny <itchyny@cybozu.co.jp>
-Date: Tue, 4 Nov 2025 21:21:21 +0900
-Subject: [PATCH] Fix expected value assertion (fix #3430, ref #3393) (#3431)
-
----
- src/jq_test.c | 16 +++++++++-------
- 1 file changed, 9 insertions(+), 7 deletions(-)
-
-diff --git a/src/jq_test.c b/src/jq_test.c
-index a0120b7f3c..4a0bfe0d60 100644
---- a/src/jq_test.c
-+++ b/src/jq_test.c
-@@ -2,7 +2,6 @@
- #include <stdio.h>
- #include <string.h>
- #include <stdlib.h>
--#include <math.h>
- #ifdef HAVE_PTHREAD
- #include <pthread.h>
- #endif
-@@ -200,13 +199,16 @@ static void run_jq_tests(jv lib_dirs, int verbose, FILE *testdata, int skip, int
-         pass = 0;
-       }
- #ifdef USE_DECNUM
--      if (!(jv_get_kind(expected) == JV_KIND_NUMBER && isnan(jv_number_value(expected)))) {
--        jv as_string = jv_dump_string(jv_copy(expected), rand() & ~(JV_PRINT_COLOR|JV_PRINT_REFCOUNT));
--        jv reparsed = jv_parse_sized(jv_string_value(as_string), jv_string_length_bytes(jv_copy(as_string)));
--        assert(jv_equal(jv_copy(expected), jv_copy(reparsed)));
--        jv_free(as_string);
--        jv_free(reparsed);
-+      jv as_string = jv_dump_string(jv_copy(expected), 0);
-+      jv reparsed = jv_parse_sized(jv_string_value(as_string), jv_string_length_bytes(jv_copy(as_string)));
-+      if (!jv_equal(jv_copy(expected), jv_copy(reparsed))) {
-+        printf("*** Expected result should be equal after reparsing, but got ");
-+        jv_dump(jv_copy(reparsed), 0);
-+        printf(" for test at line %u: %s\n", lineno, buf);
-+        pass = 0;
-       }
-+      jv_free(as_string);
-+      jv_free(reparsed);
- #endif
-       jv_free(expected);
-       jv_free(actual);
+diff --git a/SPECS/jq/CVE-2025-9403.patch b/SPECS/jq/CVE-2025-9403.patch
+new file mode 100644
+index 00000000000..0ff9b3a8a31
+--- /dev/null
++++ b/SPECS/jq/CVE-2025-9403.patch
+@@ -0,0 +1,35 @@
++From 33b3a68f9c32413cf3a1afa76addf0dd64c2922b Mon Sep 17 00:00:00 2001
++From: itchyny <itchyny@cybozu.co.jp>
++Date: Tue, 4 Nov 2025 21:21:21 +0900
++Subject: [PATCH] Fix expected value assertion (fix #3430, ref #3393) (#3431)
++
++Upstream patch reference: https://github.com/jqlang/jq/commit/33b3a68f9c32413cf3a1afa76addf0dd64c2922b.patch
++
++---
++ src/jq_test.c | 9 +++++++--
++ 1 file changed, 7 insertions(+), 2 deletions(-)
++
++diff --git a/src/jq_test.c b/src/jq_test.c
++index 3945686..9fa370a 100644
++--- a/src/jq_test.c
+++++ b/src/jq_test.c
++@@ -208,9 +208,14 @@ static void run_jq_tests(jv lib_dirs, int verbose, FILE *testdata, int skip, int
++         printf(" for test at line number %u: %s\n", lineno, prog);
++         pass = 0;
++       }
++-      jv as_string = jv_dump_string(jv_copy(expected), rand() & ~(JV_PRINT_COLOR|JV_PRINT_REFCOUNT));
+++      jv as_string = jv_dump_string(jv_copy(expected), 0);
++       jv reparsed = jv_parse_sized(jv_string_value(as_string), jv_string_length_bytes(jv_copy(as_string)));
++-      assert(jv_equal(jv_copy(expected), jv_copy(reparsed)));
+++      if (!jv_equal(jv_copy(expected), jv_copy(reparsed))) {
+++        printf("*** Expected result should be equal after reparsing, but got ");
+++        jv_dump(jv_copy(reparsed), 0);
+++        printf(" for test at line %u: %s\n", lineno, buf);
+++        pass = 0;
+++      }
++       jv_free(as_string);
++       jv_free(reparsed);
++       jv_free(expected);
++-- 
++2.45.4
++
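Review bot: in the PR's hunk the new diagnostic `+++        printf(" for test at line %u: %s\n", lineno, buf);` prints `buf`, whereas the existing diagnostic two context lines earlier in the same hunk, `++         printf(" for test at line number %u: %s\n", lineno, prog);`, prints `prog`. Confirm that `buf` is the buffer holding the expected-output line at that point in the downstream jq_test.c (the passing build shows it compiles, not that it is the intended buffer), and consider matching the neighbouring message's "line number" wording so both failure paths read consistently. The absence of the upstream `-#include <math.h>` and isnan/USE_DECNUM hunks is consistent with the PR description, which states those constructs are not in the downstream source, and the `@@ -208,9 +208,14 @@` hunk's 2 deletions and 7 insertions match the patch's own diffstat.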

Verdict

CHANGES REQUESTED — Please address the issues flagged above.
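To make concrete the difference the patch analysis above describes between the assert-based round-trip check and its report-and-continue replacement, here is an added C example; it is not jq's code and not part of this PR. A printf/strtod round trip of a double stands in for jv_dump_string()/jv_parse_sized(), and the precision argument is a knob invented here so that one case can be made to mismatch (the lossy %.15g setting); dump_toy, parse_toy, check_roundtrip_assert, check_roundtrip_report and run_suite are names assumed for this example, and the test values are constructed.

```c
/* Added example (not jq's code): contrasts a hard assert() with the
 * "report and continue" check that the backported patch introduces.
 * A tiny serialize/reparse round trip stands in for jq's
 * jv_dump_string()/jv_parse_sized(); all *_toy names and the
 * precision knob are invented for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>

/* Serialize a double with a chosen number of significant digits.
 * 17 digits round-trips every double; 15 is deliberately lossy so the
 * example can show a mismatch being handled. */
static void dump_toy(double v, int precision, char *out, size_t n) {
    snprintf(out, n, "%.*g", precision, v);
}

static double parse_toy(const char *s) {
    return strtod(s, NULL);
}

/* "Before": abort the whole run on the first round-trip mismatch.
 * Mirrors assert(jv_equal(expected, reparsed)) in the unpatched harness.
 * On a mismatch the process dies with SIGABRT and no report is produced. */
static int check_roundtrip_assert(double expected, int precision) {
    char buf[64];
    dump_toy(expected, precision, buf, sizeof buf);
    assert(parse_toy(buf) == expected);
    return 1;
}

/* "After": report the mismatch, mark the case failed, keep going.
 * Mirrors the if (!jv_equal(...)) { printf(...); pass = 0; } block. */
static int check_roundtrip_report(double expected, int precision,
                                  unsigned lineno, const char *text) {
    char buf[64];
    int pass = 1;
    dump_toy(expected, precision, buf, sizeof buf);
    double reparsed = parse_toy(buf);
    if (reparsed != expected) {
        printf("*** Expected result should be equal after reparsing, but got %.17g"
               " for test at line %u: %s\n", reparsed, lineno, text);
        pass = 0;
    }
    return pass;
}

/* Run a fixed table of constructed cases and return how many passed.
 * With the reporting check a failing case no longer prevents the
 * remaining cases from running. */
static int run_suite(int precision) {
    struct { double expected; const char *text; } cases[] = {
        { 1.5,       "1.5" },
        { 0.1 + 0.2, "0.1 + 0.2" },  /* 0.30000000000000004: lossy at %.15g */
        { 1e300,     "1e300" },
    };
    int passed = 0;
    size_t n = sizeof cases / sizeof cases[0];
    for (size_t i = 0; i < n; i++)
        passed += check_roundtrip_report(cases[i].expected, precision,
                                         (unsigned)(i + 1), cases[i].text);
    return passed;
}

int main(void) {
    printf("17 significant digits: %d/3 passed\n", run_suite(17));
    printf("15 significant digits: %d/3 passed\n", run_suite(15));
    /* The assert-based check is only exercised with a value that round-trips. */
    printf("assert-based check on 1.5: %d\n", check_roundtrip_assert(1.5, 17));
    return 0;
}
```

With the assert-based check the first mismatch terminates the whole test binary, so later cases never run and the only evidence is an abort rather than a per-test report; the reporting variant records the failure in the return value and lets the suite finish with a count, which is what the patched jq_test.c does with pass=0. Fixing the serialization settings (here a fixed precision, in jq flags=0 instead of a rand()-derived mask) also removes the run-to-run nondeterminism that made the original failure hard to reproduce.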

Labels

3.0-dev PRs Destined for AzureLinux 3.0 Packaging security
