Debian Package Tracker
Register | Log in
Subscribe

jq

lightweight and flexible command-line JSON processor

Choose email to subscribe with

general
  • source: jq (main)
  • version: 1.8.2-1
  • maintainer: ChangZhuo Chen (陳昌倬) (DMD)
  • arch: any
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 1.6-2.1
  • o-o-sec: 1.6-2.1+deb11u3
  • oldstable: 1.6-2.1+deb12u1
  • old-sec: 1.6-2.1+deb12u2
  • old-p-u: 1.6-2.1+deb12u2
  • stable: 1.7.1-6+deb13u2
  • testing: 1.8.1-8
  • unstable: 1.8.2-1
versioned links
  • 1.6-2.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.6-2.1+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.6-2.1+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.6-2.1+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.7.1-6+deb13u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.8.1-8: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.8.2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • jq (4 bugs: 0, 3, 1, 0)
  • libjq-dev
  • libjq1
action needed
A new upstream version is available: 1.8.2rc1 high
A new upstream version 1.8.2rc1 is available, you should consider packaging it.
Created: 2026-04-25 Last update: 2026-07-06 12:00
9 security issues in trixie high

There are 9 open security issues in trixie.

5 important issues:
  • CVE-2026-43894: jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the function to use a 30-byte stack buffer, and then writes ≈715 million 16-bit units (≈1.4 GiB) at an offset 1.43 GiB below the stack frame. The written content is fully attacker-controlled (the parsed decimal digits, packed 3-per-unit).
  • CVE-2026-43895: jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy or audit code may validate and the on-disk path that jq actually opens.
  • CVE-2026-47770: jq is a command-line JSON processor. Prior to 1.8.2, comparing two sufficiently deeply nested arrays with the == operator exhausts the C stack on jq's ordinary command-line surface, resulting in denial of service via stack exhaustion (uncontrolled recursion). The crash occurs in jq's recursive structural comparison code, with the recursion repeating through jvp_array_equal() and jv_equal() in src/jv.c when comparing deeply nested arrays; a nearby sort comparator path through jv_cmp() in src/jv_aux.c overflows the stack at a larger nesting depth from the same missing recursion guard. Anyone running jq comparisons on attacker-controlled deeply nested JSON values, or embedding jq in a context where untrusted data can reach the == comparison path, is affected. This vulnerability is fixed in 1.8.2.
  • CVE-2026-49839: jq is a command-line JSON processor. Prior to 1.8.2,` jq --rawfile` can turn a handled oversized-string error into invalid-state reuse and a real heap out-of-bounds write in assertion-disabled builds. When jv_load_file(raw=1) reads an attacker-controlled file, it repeatedly appends file chunks to the same jv string accumulator. Once jv_string_append_buf() returns jv_invalid_with_msg("String too long"), the raw-file loop does not stop. If the file contains at least one more byte, the next loop iteration appends a new chunk to an object that is already invalid. With assertions enabled this aborts in jvp_string_ptr(). With assertions disabled, the invalid object is interpreted as a string object and ASan reports heap-buffer-overflow. This vulnerability is fixed in 1.8.2.
  • CVE-2026-54679: jq is a command-line JSON processor. Prior to 1.8.2, on 32bit system, jvp_string_append has a chance of integer/multiple overflowing and then causing a massive buffer overrun. This vulnerability is fixed in 1.8.2.
4 issues left for the package maintainer to handle:
  • CVE-2026-41256: (needs triaging) jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.
  • CVE-2026-41257: (needs triaging) jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for a memmove with attacker-influenced offsets.
  • CVE-2026-43896: (needs triaging) jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.
  • CVE-2026-44777: (needs triaging) jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules include each other.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-05-11 Last update: 2026-07-01 21:18
1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:
  • CVE-2026-54679: jq is a command-line JSON processor. Prior to 1.8.2, on 32bit system, jvp_string_append has a chance of integer/multiple overflowing and then causing a massive buffer overrun. This vulnerability is fixed in 1.8.2.
Created: 2026-06-26 Last update: 2026-07-01 21:18
The package has not entered testing even though the delay is over normal
The package has not entered testing even though the 5-day delay is over. Check why.
Created: 2026-06-28 Last update: 2026-07-06 16:01
testing migrations
  • excuses:
    • Migration status for jq (1.8.1-8 to 1.8.2-1): BLOCKED: Rejected/violates migration policy/introduces a regression
    • Issues preventing migration:
    • ∙ ∙ Autopkgtest for ocaml-dune/3.23.1-5: amd64: Pass, arm64: Pass, armhf: Pass, i386: Pass, loong64: Test triggered (failure will be ignored), ppc64el: Pass, riscv64: Pass, s390x: Pass
    • ∙ ∙ Autopkgtest for python-jq/1.11.0-1: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), armhf: Regression ♻ (reference ♻), i386: Regression ♻ (reference ♻), loong64: Regression ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Regression ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
    • Additional info (not blocking):
    • ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/j/jq.html
    • ∙ ∙ Reproduced on amd64 - info
    • ∙ ∙ Reproduced on arm64 - info
    • ∙ ∙ Reproduced on armhf - info
    • ∙ ∙ Reproduced on i386 - info
    • ∙ ∙ 13 days old (needed 5 days)
    • Not considered
news
[rss feed]
  • [2026-07-01] Accepted jq 1.6-2.1+deb12u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Andreas Henriksson)
  • [2026-07-01] Accepted jq 1.6-2.1+deb12u2 (source) into oldstable-security (Debian FTP Masters) (signed by: Andreas Henriksson)
  • [2026-07-01] Accepted jq 1.6-2.1+deb11u3 (source) into oldoldstable-security (Andreas Henriksson)
  • [2026-06-23] Accepted jq 1.8.2-1 (source) into unstable (ChangZhuo Chen (陳昌倬)) (signed by: ChangZhuo Chen)
  • [2026-06-23] jq 1.8.1-8 MIGRATED to testing (Debian testing watch)
  • [2026-06-09] Accepted jq 1.8.1-8 (source) into unstable (ChangZhuo Chen (陳昌倬)) (signed by: ChangZhuo Chen)
  • [2026-05-30] jq 1.8.1-7 MIGRATED to testing (Debian testing watch)
  • [2026-05-27] Accepted jq 1.8.1-7 (source) into unstable (ChangZhuo Chen (陳昌倬)) (signed by: ChangZhuo Chen)
  • [2026-05-27] jq 1.8.1-6 MIGRATED to testing (Debian testing watch)
  • [2026-05-25] Accepted jq 1.6-2.1+deb11u2 (source) into oldoldstable-security (Andreas Henriksson)
  • [2026-05-16] Accepted jq 1.8.1-6 (source) into unstable (ChangZhuo Chen (陳昌倬)) (signed by: ChangZhuo Chen)
  • [2026-05-04] Accepted jq 1.7.1-6+deb13u2 (source) into proposed-updates (Debian FTP Masters) (signed by: ChangZhuo Chen)
  • [2026-04-22] jq 1.8.1-5 MIGRATED to testing (Debian testing watch)
  • [2026-04-17] Accepted jq 1.8.1-5 (source) into unstable (ChangZhuo Chen (陳昌倬)) (signed by: ChangZhuo Chen)
  • [2025-09-28] jq 1.8.1-4 MIGRATED to testing (Debian testing watch)
  • [2025-09-23] Accepted jq 1.8.1-4 (source) into unstable (ChangZhuo Chen (陳昌倬)) (signed by: ChangZhuo Chen)
  • [2025-09-21] Accepted jq 1.6-2.1+deb11u1 (source) into oldoldstable-security (Thorsten Alteholz)
  • [2025-08-13] jq 1.8.1-3 MIGRATED to testing (Debian testing watch)
  • [2025-07-12] Accepted jq 1.8.1-3 (source) into unstable (ChangZhuo Chen (陳昌倬)) (signed by: ChangZhuo Chen)
  • [2025-07-12] Accepted jq 1.6-2.1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: ChangZhuo Chen)
  • [2025-07-09] Accepted jq 1.8.1-2 (source) into unstable (ChangZhuo Chen (陳昌倬)) (signed by: ChangZhuo Chen)
  • [2025-07-09] jq 1.7.1-6+deb13u1 MIGRATED to testing (Debian testing watch)
  • [2025-07-08] Accepted jq 1.7.1-6+deb13u1 (source) into testing-proposed-updates (ChangZhuo Chen (陳昌倬)) (signed by: ChangZhuo Chen)
  • [2025-07-07] Accepted jq 1.8.1-1 (source) into unstable (ChangZhuo Chen (陳昌倬)) (signed by: ChangZhuo Chen)
  • [2025-06-09] Accepted jq 1.8.0-1 (source) into unstable (ChangZhuo Chen (陳昌倬)) (signed by: ChangZhuo Chen)
  • [2025-05-29] jq 1.7.1-6 MIGRATED to testing (Debian testing watch)
  • [2025-05-26] Accepted jq 1.7.1-6 (source) into unstable (ChangZhuo Chen (陳昌倬)) (signed by: ChangZhuo Chen)
  • [2025-04-22] jq 1.7.1-5 MIGRATED to testing (Debian testing watch)
  • [2025-04-12] Accepted jq 1.7.1-5 (source) into unstable (ChangZhuo Chen (陳昌倬)) (signed by: ChangZhuo Chen)
  • [2025-04-09] Accepted jq 1.7.1-4 (source) into unstable (ChangZhuo Chen (陳昌倬)) (signed by: ChangZhuo Chen)
  • 1
  • 2
bugs [bug history graph]
  • all: 4
  • RC: 0
  • I&N: 3
  • M&W: 1
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • screenshots
  • debian patches
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 1.8.1-4ubuntu1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing