Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1084

NIXPKGS-2026-1084

GitHub issue published 2 months, 1 week ago

Permalink CVE-2026-39979

updated 2 months, 1 week ago by @LeSuisse Activity log

Created suggestion 2 months, 1 week ago
@LeSuisse ignored
38 packages
- ijq
- jql
- jqp
- njq
- gojq
- jqfmt
- jq-lsp
- jquake
- jq-zsh-plugin
- python312Packages.jq
- python313Packages.jq
- python314Packages.jq
- python312Packages.llm-jq
- python313Packages.llm-jq
- python314Packages.llm-jq
- haskellPackages.js-jquery
- tests.fetchpatch.relative
- python312Packages.xstatic-jquery
- python313Packages.xstatic-jquery
- python314Packages.xstatic-jquery
- python312Packages.django-jquery-js
- python313Packages.django-jquery-js
- python314Packages.django-jquery-js
- python312Packages.xstatic-jquery-ui
- python313Packages.xstatic-jquery-ui
- python314Packages.xstatic-jquery-ui
- tree-sitter-grammars.tree-sitter-jq
- tests.fetchNextcloudApp.simple-sha512
- vimPlugins.nvim-treesitter-parsers.jq
- python312Packages.sphinxcontrib-jquery
- python313Packages.sphinxcontrib-jquery
- python314Packages.sphinxcontrib-jquery
- tests.fetchFromGitHub.submodule-leave-git
- python312Packages.xstatic-jquery-file-upload
- python313Packages.xstatic-jquery-file-upload
- python314Packages.xstatic-jquery-file-upload
- python313Packages.tree-sitter-grammars.tree-sitter-jq
- python314Packages.tree-sitter-grammars.tree-sitter-jq
2 months, 1 week ago
@LeSuisse accepted 2 months, 1 week ago
@LeSuisse published on GitHub 2 months, 1 week ago

jq: Out-of-Bounds Read in jv_parse_sized() Error Formatting for Non-NUL-Terminated Counted Buffers

jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.

References

https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p x_refsource_CONFIRM
https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f x_refsource_MISC

Affected products

jq

==< 2f09060afab23fe9390cce7cb860b10416e1bf5f

Matching in nixpkgs

pkgs.jq

Lightweight and flexible command-line JSON processor

nixos-unstable 1.8.1
- nixpkgs-unstable 1.8.1
- nixos-unstable-small 1.8.1

Ignored packages (38)

pkgs.ijq

Interactive wrapper for jq

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0

pkgs.jql

JSON Query Language CLI tool built with Rust

nixos-unstable 8.0.10
- nixpkgs-unstable 8.0.10
- nixos-unstable-small 8.0.10

pkgs.jqp

TUI playground to experiment with jq

nixos-unstable 0.8.0
- nixpkgs-unstable 0.8.0
- nixos-unstable-small 0.8.0

pkgs.njq

Command-line JSON processor using nix as query language

nixos-unstable 0.0.3.1
- nixpkgs-unstable 0.0.3.1
- nixos-unstable-small 0.0.3.1

pkgs.gojq

Pure Go implementation of jq

nixos-unstable 0.12.19
- nixpkgs-unstable 0.12.19
- nixos-unstable-small 0.12.19

pkgs.jqfmt

Like gofmt, but for jq

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0

pkgs.jq-lsp

jq language server

nixos-unstable 0.1.17
- nixpkgs-unstable 0.1.17
- nixos-unstable-small 0.1.17

pkgs.jquake

Real-time earthquake map of Japan

nixos-unstable 1.8.5
- nixpkgs-unstable 1.8.5
- nixos-unstable-small 1.8.5

pkgs.jq-zsh-plugin

Interactively build jq expressions in Zsh

nixos-unstable 0.6.1
- nixpkgs-unstable 0.6.1
- nixos-unstable-small 0.6.1

pkgs.python312Packages.jq

None

pkgs.python313Packages.jq

Python bindings for jq, the flexible JSON processor

nixos-unstable 1.11.0
- nixpkgs-unstable 1.11.0
- nixos-unstable-small 1.11.0

pkgs.python314Packages.jq

Python bindings for jq, the flexible JSON processor

nixos-unstable 1.11.0
- nixpkgs-unstable 1.11.0
- nixos-unstable-small 1.11.0

pkgs.python312Packages.llm-jq

None

pkgs.python313Packages.llm-jq

Write and execute jq programs with the help of LLM

nixos-unstable 0.1.1
- nixpkgs-unstable 0.1.1
- nixos-unstable-small 0.1.1

pkgs.python314Packages.llm-jq

Write and execute jq programs with the help of LLM

nixos-unstable 0.1.1
- nixpkgs-unstable 0.1.1
- nixos-unstable-small 0.1.1

pkgs.haskellPackages.js-jquery

Obtain minified jQuery code

nixos-unstable 3.7.1
- nixpkgs-unstable 3.7.1
- nixos-unstable-small 3.7.1

pkgs.tests.fetchpatch.relative

None

pkgs.python312Packages.xstatic-jquery

None

pkgs.python313Packages.xstatic-jquery

jquery packaged static files for python

nixos-unstable 3.5.1.1
- nixpkgs-unstable 3.5.1.1
- nixos-unstable-small 3.5.1.1

pkgs.python314Packages.xstatic-jquery

jquery packaged static files for python

nixos-unstable 3.5.1.1
- nixpkgs-unstable 3.5.1.1
- nixos-unstable-small 3.5.1.1

pkgs.python312Packages.django-jquery-js

None

pkgs.python313Packages.django-jquery-js

jQuery, bundled up so apps can depend upon it

nixos-unstable 3.1.1
- nixpkgs-unstable 3.1.1
- nixos-unstable-small 3.1.1

pkgs.python314Packages.django-jquery-js

jQuery, bundled up so apps can depend upon it

nixos-unstable 3.1.1
- nixpkgs-unstable 3.1.1
- nixos-unstable-small 3.1.1

pkgs.python312Packages.xstatic-jquery-ui

None

pkgs.python313Packages.xstatic-jquery-ui

jquery-ui packaged static files for python

nixos-unstable 1.13.0.1
- nixpkgs-unstable 1.13.0.1
- nixos-unstable-small 1.13.0.1

pkgs.python314Packages.xstatic-jquery-ui

jquery-ui packaged static files for python

nixos-unstable 1.13.0.1
- nixpkgs-unstable 1.13.0.1
- nixos-unstable-small 1.13.0.1

pkgs.tree-sitter-grammars.tree-sitter-jq

Tree-sitter grammar for jq

nixos-unstable 0-unstable-2025-05-10
- nixpkgs-unstable 0-unstable-2025-05-10
- nixos-unstable-small 0-unstable-2025-05-10

pkgs.tests.fetchNextcloudApp.simple-sha512

None

pkgs.vimPlugins.nvim-treesitter-parsers.jq

Tree-sitter grammar for jq

nixos-unstable 0.0.0+rev=c204e36
- nixpkgs-unstable 0.0.0+rev=c204e36
- nixos-unstable-small 0.0.0+rev=c204e36

pkgs.python312Packages.sphinxcontrib-jquery

None

pkgs.python313Packages.sphinxcontrib-jquery

Extension to include jQuery on newer Sphinx releases

nixos-unstable 4.1
- nixpkgs-unstable 4.1
- nixos-unstable-small 4.1

pkgs.python314Packages.sphinxcontrib-jquery

Extension to include jQuery on newer Sphinx releases

nixos-unstable 4.1
- nixpkgs-unstable 4.1
- nixos-unstable-small 4.1

pkgs.tests.fetchFromGitHub.submodule-leave-git

None

nixos-unstable cjqxpb9q4nw2
- nixpkgs-unstable cjqxpb9q4nw2
- nixos-unstable-small cjqxpb9q4nw2

pkgs.python312Packages.xstatic-jquery-file-upload

None

pkgs.python313Packages.xstatic-jquery-file-upload

jquery-file-upload packaged static files for python

nixos-unstable 10.31.0.1
- nixpkgs-unstable 10.31.0.1
- nixos-unstable-small 10.31.0.1

pkgs.python314Packages.xstatic-jquery-file-upload

jquery-file-upload packaged static files for python

nixos-unstable 10.31.0.1
- nixpkgs-unstable 10.31.0.1
- nixos-unstable-small 10.31.0.1

pkgs.python313Packages.tree-sitter-grammars.tree-sitter-jq

Python bindings for tree-sitter-jq

nixos-unstable 0+unstable20250510
- nixpkgs-unstable 0+unstable20250510
- nixos-unstable-small 0+unstable20250510

pkgs.python314Packages.tree-sitter-grammars.tree-sitter-jq

Python bindings for tree-sitter-jq

nixos-unstable 0+unstable20250510
- nixpkgs-unstable 0+unstable20250510
- nixos-unstable-small 0+unstable20250510

Package maintainers

@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@06kellyjac Jack <hello+nixpkgs@j-k.io>
@ncfavier Naïm Favier <n@monade.li>
@Artturin Artturi N <artturin@artturin.com>