* [rpms/jq] rawhide: removed old upstreamed patches
@ 2026-06-30 21:52 Filipe Rosset
From: Filipe Rosset @ 2026-06-30 21:52 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/jq
Branch : rawhide
Commit : 5fb34089cd978d7e112154d5501098d668a8efeb
Author : Filipe Rosset <filiperosset@fedoraproject.org>
Date : 2026-06-20T18:41:59-03:00
Stats : +0/-365 in 6 file(s)
URL : https://src.fedoraproject.org/rpms/jq/c/5fb34089cd978d7e112154d5501098d668a8efeb?branch=rawhide
Log:
removed old upstreamed patches
Signed-off-by: Filipe Rosset <filiperosset@fedoraproject.org>
---
diff --git a/CVE-2026-32316.patch b/CVE-2026-32316.patch
deleted file mode 100644
index 29d08c9..0000000
--- a/CVE-2026-32316.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From e47e56d226519635768e6aab2f38f0ab037c09e5 Mon Sep 17 00:00:00 2001
-From: itchyny <itchyny@cybozu.co.jp>
-Date: Thu, 12 Mar 2026 20:28:43 +0900
-Subject: [PATCH] Fix heap buffer overflow in `jvp_string_append` and
- `jvp_string_copy_replace_bad`
-
-In `jvp_string_append`, the allocation size `(currlen + len) * 2` could
-overflow `uint32_t` when `currlen + len` exceeds `INT_MAX`, causing a small
-allocation followed by a large `memcpy`.
-
-In `jvp_string_copy_replace_bad`, the output buffer size calculation
-`length * 3 + 1` could overflow `uint32_t`, again resulting in a small
-allocation followed by a large write.
-
-Add overflow checks to both functions to return an error for strings
-that would exceed `INT_MAX` in length. Fixes CVE-2026-32316.
----
- src/jv.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/src/jv.c b/src/jv.c
-index 722a539391..2a62b48419 100644
---- a/src/jv.c
-+++ b/src/jv.c
-@@ -1114,7 +1114,12 @@ static jv jvp_string_copy_replace_bad(const char* data, uint32_t length) {
- const char* end = data + length;
- const char* i = data;
-
-- uint32_t maxlength = length * 3 + 1; // worst case: all bad bytes, each becomes a 3-byte U+FFFD
-+ // worst case: all bad bytes, each becomes a 3-byte U+FFFD
-+ uint64_t maxlength = (uint64_t)length * 3 + 1;
-+ if (maxlength >= INT_MAX) {
-+ return jv_invalid_with_msg(jv_string("String too long"));
-+ }
-+
- jvp_string* s = jvp_string_alloc(maxlength);
- char* out = s->data;
- int c = 0;
-@@ -1174,6 +1179,10 @@ static uint32_t jvp_string_remaining_space(jvp_string* s) {
- static jv jvp_string_append(jv string, const char* data, uint32_t len) {
- jvp_string* s = jvp_string_ptr(string);
- uint32_t currlen = jvp_string_length(s);
-+ if ((uint64_t)currlen + len >= INT_MAX) {
-+ jv_free(string);
-+ return jv_invalid_with_msg(jv_string("String too long"));
-+ }
-
- if (jvp_refcnt_unshared(string.u.ptr) &&
- jvp_string_remaining_space(s) >= len) {
diff --git a/CVE-2026-33947.patch b/CVE-2026-33947.patch
deleted file mode 100644
index 0b16190..0000000
--- a/CVE-2026-33947.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From fb59f1491058d58bdc3e8dd28f1773d1ac690a1f Mon Sep 17 00:00:00 2001
-From: itchyny <itchyny@cybozu.co.jp>
-Date: Mon, 13 Apr 2026 11:23:40 +0900
-Subject: [PATCH] Limit path depth to prevent stack overflow
-
-Deeply nested path arrays can cause unbounded recursion in
-`jv_setpath`, `jv_getpath`, and `jv_delpaths`, leading to
-stack overflow. Add a depth limit of 10000 to match the
-existing `tojson` depth limit. This fixes CVE-2026-33947.
----
- src/jv_aux.c | 21 +++++++++++++++++++++
- tests/jq.test | 25 +++++++++++++++++++++++++
- 2 files changed, 46 insertions(+)
-
-diff --git a/src/jv_aux.c b/src/jv_aux.c
-index 018f380b10..fd5ff96684 100644
---- a/src/jv_aux.c
-+++ b/src/jv_aux.c
-@@ -365,6 +365,10 @@ static jv jv_dels(jv t, jv keys) {
- return t;
- }
-
-+#ifndef MAX_PATH_DEPTH
-+#define MAX_PATH_DEPTH (10000)
-+#endif
-+
- jv jv_setpath(jv root, jv path, jv value) {
- if (jv_get_kind(path) != JV_KIND_ARRAY) {
- jv_free(value);
-@@ -372,6 +376,12 @@ jv jv_setpath(jv root, jv path, jv value) {
- jv_free(path);
- return jv_invalid_with_msg(jv_string("Path must be specified as an array"));
- }
-+ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) {
-+ jv_free(value);
-+ jv_free(root);
-+ jv_free(path);
-+ return jv_invalid_with_msg(jv_string("Path too deep"));
-+ }
- if (!jv_is_valid(root)){
- jv_free(value);
- jv_free(path);
-@@ -424,6 +434,11 @@ jv jv_getpath(jv root, jv path) {
- jv_free(path);
- return jv_invalid_with_msg(jv_string("Path must be specified as an array"));
- }
-+ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) {
-+ jv_free(root);
-+ jv_free(path);
-+ return jv_invalid_with_msg(jv_string("Path too deep"));
-+ }
- if (!jv_is_valid(root)) {
- jv_free(path);
- return root;
-@@ -502,6 +517,12 @@ jv jv_delpaths(jv object, jv paths) {
- jv_free(elem);
- return err;
- }
-+ if (jv_array_length(jv_copy(elem)) > MAX_PATH_DEPTH) {
-+ jv_free(object);
-+ jv_free(paths);
-+ jv_free(elem);
-+ return jv_invalid_with_msg(jv_string("Path too deep"));
-+ }
- jv_free(elem);
- }
- if (jv_array_length(jv_copy(paths)) == 0) {
-diff --git a/tests/jq.test b/tests/jq.test
-index 4a84e96c11..0cd5198f8d 100644
---- a/tests/jq.test
-+++ b/tests/jq.test
-@@ -2568,3 +2568,28 @@ true
- reduce range(10001) as $_ ([];[.]) | tojson | contains("<skipped: too deep>")
- null
- true
-+
-+# regression test for CVE-2026-33947
-+setpath([range(10000) | 0]; 0) | flatten
-+null
-+[0]
-+
-+try setpath([range(10001) | 0]; 0) catch .
-+null
-+"Path too deep"
-+
-+getpath([range(10000) | 0])
-+null
-+null
-+
-+try getpath([range(10001) | 0]) catch .
-+null
-+"Path too deep"
-+
-+delpaths([[range(10000) | 0]])
-+null
-+null
-+
-+try delpaths([[range(10001) | 0]]) catch .
-+null
-+"Path too deep"
diff --git a/CVE-2026-39956.patch b/CVE-2026-39956.patch
deleted file mode 100644
index 9bbcd67..0000000
--- a/CVE-2026-39956.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From fdf8ef0f0810e3d365cdd5160de43db46f57ed03 Mon Sep 17 00:00:00 2001
-From: tlsbollei <170938166+tlsbollei@users.noreply.github.com>
-Date: Wed, 8 Apr 2026 21:43:46 +0200
-Subject: [PATCH] Add runtime type checks to f_string_indexes
-
-This fixes CVE-2026-39956.
----
- src/builtin.c | 8 ++++++++
- tests/jq.test | 9 +++++++++
- 2 files changed, 17 insertions(+)
-
-diff --git a/src/builtin.c b/src/builtin.c
-index 90a3af2da9..d33e9fb162 100644
---- a/src/builtin.c
-+++ b/src/builtin.c
-@@ -1306,6 +1306,14 @@ static jv f_string_explode(jq_state *jq, jv a) {
- }
-
- static jv f_string_indexes(jq_state *jq, jv a, jv b) {
-+ if (jv_get_kind(a) != JV_KIND_STRING) {
-+ jv_free(b);
-+ return type_error(a, "cannot be searched, as it is not a string");
-+ }
-+ if (jv_get_kind(b) != JV_KIND_STRING) {
-+ jv_free(a);
-+ return type_error(b, "is not a string");
-+ }
- return jv_string_indexes(a, b);
- }
-
-diff --git a/tests/jq.test b/tests/jq.test
-index 169a7ac81b..4a84e96c11 100644
---- a/tests/jq.test
-+++ b/tests/jq.test
-@@ -1549,6 +1549,15 @@ split("")
- "xababababax"
- [1,7,[1,3,5,7]]
-
-+# _strindices is used by indices/1 but is callable
-+try _strindices("abc") catch .
-+123
-+"number (123) cannot be searched, as it is not a string"
-+
-+try _strindices(123) catch .
-+"abc"
-+"number (123) is not a string"
-+
- # trim
- # \u000b is vertical tab (\v not supported by json)
- map(trim), map(ltrim), map(rtrim)
diff --git a/CVE-2026-39979.patch b/CVE-2026-39979.patch
deleted file mode 100644
index cc0c3d1..0000000
--- a/CVE-2026-39979.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 2f09060afab23fe9390cce7cb860b10416e1bf5f Mon Sep 17 00:00:00 2001
-From: itchyny <itchyny@cybozu.co.jp>
-Date: Mon, 13 Apr 2026 11:04:52 +0900
-Subject: [PATCH] Fix out-of-bounds read in jv_parse_sized()
-
-This fixes CVE-2026-39979.
-
-Co-authored-by: Mattias Wadman <mattias.wadman@gmail.com>
----
- src/jv_parse.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/jv_parse.c b/src/jv_parse.c
-index aa2054cc09..56847b5eaa 100644
---- a/src/jv_parse.c
-+++ b/src/jv_parse.c
-@@ -893,8 +893,9 @@ jv jv_parse_sized_custom_flags(const char* string, int length, int flags) {
-
- if (!jv_is_valid(value) && jv_invalid_has_msg(jv_copy(value))) {
- jv msg = jv_invalid_get_msg(value);
-- value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%s')",
-+ value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%.*s')",
- jv_string_value(msg),
-+ length,
- string));
- jv_free(msg);
- }
diff --git a/CVE-2026-40164.patch b/CVE-2026-40164.patch
deleted file mode 100644
index 483316f..0000000
--- a/CVE-2026-40164.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 Mon Sep 17 00:00:00 2001
-From: itchyny <itchyny@cybozu.co.jp>
-Date: Mon, 13 Apr 2026 08:53:26 +0900
-Subject: [PATCH] Randomize hash seed to mitigate hash collision DoS attacks
-
-The hash function used a fixed seed, allowing attackers to craft colliding keys
-and cause O(n^2) object parsing performance. Initialize the seed from a random
-source at process startup to prevent the attack. This fixes CVE-2026-40164.
-
-Co-authored-by: Asaf Meizner <asafmeizner@gmail.com>
----
- configure.ac | 2 ++
- src/jv.c | 34 ++++++++++++++++++++++++++++++++--
- 2 files changed, 34 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 5dac42655a..f7067a4341 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -149,6 +149,8 @@ AC_CHECK_MEMBER([struct tm.tm_gmtoff], [AC_DEFINE([HAVE_TM_TM_GMT_OFF],1,[Define
- AC_CHECK_MEMBER([struct tm.__tm_gmtoff], [AC_DEFINE([HAVE_TM___TM_GMT_OFF],1,[Define to 1 if the system has the __tm_gmt_off field in struct tm])],
- [], [[#include <time.h>]])
- AC_FIND_FUNC([setlocale], [c], [#include <locale.h>], [0,0])
-+AC_FIND_FUNC([arc4random], [c], [#include <stdlib.h>], [])
-+AC_FIND_FUNC([getentropy], [c], [#include <unistd.h>], [0, 0])
-
- dnl Figure out if we have the pthread functions we actually need
- AC_FIND_FUNC_NO_LIBS([pthread_key_create], [], [#include <pthread.h>], [NULL, NULL])
-diff --git a/src/jv.c b/src/jv.c
-index 2a62b48419..607ac174f7 100644
---- a/src/jv.c
-+++ b/src/jv.c
-@@ -40,6 +40,10 @@
- #include <limits.h>
- #include <math.h>
- #include <float.h>
-+#include <time.h>
-+#include <unistd.h>
-+#include <fcntl.h>
-+#include <pthread.h>
-
- #include "jv_alloc.h"
- #include "jv.h"
-@@ -1206,7 +1210,33 @@ static jv jvp_string_append(jv string, const char* data, uint32_t len) {
- }
- }
-
--static const uint32_t HASH_SEED = 0x432A9843;
-+static uint32_t hash_seed;
-+static pthread_once_t hash_seed_once = PTHREAD_ONCE_INIT;
-+
-+static void jvp_hash_seed_init(void) {
-+ uint32_t seed;
-+#if defined(HAVE_ARC4RANDOM)
-+ seed = arc4random();
-+#elif defined(HAVE_GETENTROPY)
-+ if (getentropy(&seed, sizeof(seed)) != 0)
-+ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL);
-+#else
-+ int fd = open("/dev/urandom", O_RDONLY);
-+ if (fd >= 0) {
-+ if (read(fd, &seed, sizeof(seed)) != 4)
-+ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL);
-+ close(fd);
-+ } else {
-+ seed = (uint32_t)getpid() ^ (uint32_t)time(NULL);
-+ }
-+#endif
-+ hash_seed = seed;
-+}
-+
-+static uint32_t jvp_hash_seed(void) {
-+ pthread_once(&hash_seed_once, jvp_hash_seed_init);
-+ return hash_seed;
-+}
-
- static uint32_t rotl32 (uint32_t x, int8_t r){
- return (x << r) | (x >> (32 - r));
-@@ -1225,7 +1255,7 @@ static uint32_t jvp_string_hash(jv jstr) {
- int len = (int)jvp_string_length(str);
- const int nblocks = len / 4;
-
-- uint32_t h1 = HASH_SEED;
-+ uint32_t h1 = jvp_hash_seed();
-
- const uint32_t c1 = 0xcc9e2d51;
- const uint32_t c2 = 0x1b873593;
diff --git a/skipped_too_deep.patch b/skipped_too_deep.patch
deleted file mode 100644
index cfe87ba..0000000
--- a/skipped_too_deep.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From b29504b4e191a4b1028bd1c252aaab0c62fbdbfa Mon Sep 17 00:00:00 2001
-From: Ish Nagy <50555716+ishnagy@users.noreply.github.com>
-Date: Tue, 14 Oct 2025 07:12:57 +0200
-Subject: [PATCH] Increase the maximum printing depth from 256 to 10000 (fixes
- #3413) (#3414)
-
----
- .github/workflows/ci.yml | 2 +-
- src/jv_print.c | 2 +-
- tests/jq.test | 19 +++++++++++++++++++
- 3 files changed, 21 insertions(+), 2 deletions(-)
-
-diff --git a/src/jv_print.c b/src/jv_print.c
-index 791af1798b..f717d079e4 100644
---- a/src/jv_print.c
-+++ b/src/jv_print.c
-@@ -17,7 +17,7 @@
- #include "jv_private.h"
-
- #ifndef MAX_PRINT_DEPTH
--#define MAX_PRINT_DEPTH (256)
-+#define MAX_PRINT_DEPTH (10000)
- #endif
-
- #define ESC "\033"
-diff --git a/tests/jq.test b/tests/jq.test
-index 14d98ba169..2471379d0f 100644
---- a/tests/jq.test
-+++ b/tests/jq.test
-@@ -2515,3 +2515,22 @@ strflocaltime("" | ., @uri)
- 0
- ""
- ""
-+
-+# regression tests for #3413
-+# upper range bounds should be in sync with the constants defined at
-+# src/jv_parse.c:#define MAX_PARSING_DEPTH (N)
-+# src/jv_print.c:#define MAX_PRINT_DEPTH (N)
-+# (N-1)
-+reduce range(9999) as $_ ([];[.]) | tojson | fromjson | flatten
-+null
-+[]
-+
-+# (N)
-+reduce range(10000) as $_ ([];[.]) | tojson | try (fromjson) catch . | (contains("<skipped: too deep>") | not) and contains("Exceeds depth limit for parsing")
-+null
-+true
-+
-+# (N+1)
-+reduce range(10001) as $_ ([];[.]) | tojson | contains("<skipped: too deep>")
-+null
-+true