On Fri, 2026-05-08 at 07:15 +0000, Marko, Peter wrote: > > > -----Original Message----- > > From: Yoann Congal <[email protected]> > > Sent: Friday, May 8, 2026 12:36 AM > > To: Marko, Peter (FT D EU SK BFS1) <[email protected]>; > > [email protected] > > Subject: Re: [OE-core] [scarthgap][PATCH] expat: patch CVE-2026-41080 > > > > On Tue May 5, 2026 at 10:52 PM CEST, Peter Marko via lists.openembedded.org > > wrote: > > > From: Peter Marko <[email protected]> > > > > > > Pick github PR [1] mentioned in [2]. > > > * > > 969af8f4654ce50d837bb9199a73d1d02d2c7e16..4ba09dc471b39a78d77e5179d0243 > > 186c0c4ff7a > > > * dropped code which doesn't exist in 2.6.4 yet (github actions, map > > > file) > > > * resolved minor conflicts (formatting) > > > * picked 2 additional commits to apply the code cleanly > > > > > > [1] https://github.com/libexpat/libexpat/pull/1183 > > > [2] https://security-tracker.debian.org/tracker/CVE-2026-41080 > > > > > > Signed-off-by: Peter Marko <[email protected]> > > > --- > > > .../expat/expat/CVE-2026-41080-01.patch | 50 ++ > > > .../expat/expat/CVE-2026-41080-02.patch | 29 ++ > > > .../expat/expat/CVE-2026-41080-03.patch | 467 ++++++++++++++++++ > > > meta/recipes-core/expat/expat_2.6.4.bb | 3 + > > > 4 files changed, 549 insertions(+) > > > create mode 100644 meta/recipes-core/expat/expat/CVE-2026-41080-01.patch > > > create mode 100644 meta/recipes-core/expat/expat/CVE-2026-41080-02.patch > > > create mode 100644 meta/recipes-core/expat/expat/CVE-2026-41080-03.patch > > > > > > diff --git a/meta/recipes-core/expat/expat/CVE-2026-41080-01.patch > > b/meta/recipes-core/expat/expat/CVE-2026-41080-01.patch > > > new file mode 100644 > > > index 00000000000..0c6af75a5de > > > --- /dev/null > > > +++ b/meta/recipes-core/expat/expat/CVE-2026-41080-01.patch 
> > > @@ -0,0 +1,50 @@ > > > +From fe04a7f0ff8afe57ba33d919f368b1ba23bcda92 Mon Sep 17 00:00:00 2001 > > > +From: Sebastian Pipping <[email protected]> > > > +Date: Sun, 30 Mar 2025 19:26:55 +0200 > > > +Subject: [PATCH 1/3] lib/xmlparse.c: Address clang-tidy warning > > > + misc-no-recursion > > > + > > > +CVE: CVE-2026-41080 > > > +Upstream-Status: Backport > > [https://github.com/libexpat/libexpat/commit/fe04a7f0ff8afe57ba33d919f368b1ba23bcd > > a92] > > > +Signed-off-by: Peter Marko <[email protected]> > > > +--- > > > + lib/xmlparse.c | 17 ++++++++++------- > > > + 1 file changed, 10 insertions(+), 7 deletions(-) > > > + > > > +diff --git a/lib/xmlparse.c b/lib/xmlparse.c > > > +index 9bc67f38..cb25c37b 100644 > > > +--- a/lib/xmlparse.c > > > ++++ b/lib/xmlparse.c > > > +@@ -1243,9 +1243,10 @@ generate_hash_secret_salt(XML_Parser parser) { > > > + > > > + static unsigned long > > > + get_hash_secret_salt(XML_Parser parser) { > > > +- if (parser->m_parentParser != NULL) > > > +- return get_hash_secret_salt(parser->m_parentParser); > > > +- return parser->m_hash_secret_salt; > > > ++ const XML_Parser rootParser = getRootParserOf(parser, NULL); > > > ++ assert(! rootParser->m_parentParser); > > > ++ > > > ++ return rootParser->m_hash_secret_salt; > > > + } > > > + > > > + static enum XML_Error > > > +@@ -2321,12 +2322,14 @@ int XMLCALL > > > + XML_SetHashSalt(XML_Parser parser, unsigned long hash_salt) { > > > + if (parser == NULL) > > > + return 0; > > > +- if (parser->m_parentParser) > > > +- return XML_SetHashSalt(parser->m_parentParser, hash_salt); > > > ++ > > > ++ const XML_Parser rootParser = getRootParserOf(parser, NULL); > > > ++ assert(! 
rootParser->m_parentParser); > > > ++ > > > + /* block after XML_Parse()/XML_ParseBuffer() has been called */ > > > +- if (parserBusy(parser)) > > > ++ if (parserBusy(rootParser)) > > > + return 0; > > > +- parser->m_hash_secret_salt = hash_salt; > > > ++ rootParser->m_hash_secret_salt = hash_salt; > > > + return 1; > > > + } > > > + > > > diff --git a/meta/recipes-core/expat/expat/CVE-2026-41080-02.patch > > b/meta/recipes-core/expat/expat/CVE-2026-41080-02.patch > > > new file mode 100644 > > > index 00000000000..953f93c68a9 > > > --- /dev/null > > > +++ b/meta/recipes-core/expat/expat/CVE-2026-41080-02.patch > > > @@ -0,0 +1,29 @@ > > > +From 7fb2c7a454edc9e2880073a27f899c31d9b078ce Mon Sep 17 00:00:00 2001 > > > +From: Atrem Borovik <[email protected]> > > > +Date: Sat, 20 Dec 2025 13:22:16 +0300 > > > +Subject: [PATCH 2/3] WASI: remove getpid > > > + > > > +CVE: CVE-2026-41080 > > > +Upstream-Status: Backport > > [https://github.com/libexpat/libexpat/commit/7fb2c7a454edc9e2880073a27f899c31d9b > > 078ce] > > > +Signed-off-by: Peter Marko <[email protected]> > > > +--- > > > + lib/xmlparse.c | 5 ++++- > > > + 1 file changed, 4 insertions(+), 1 deletion(-) > > > + > > > +diff --git a/lib/xmlparse.c b/lib/xmlparse.c > > > +index cb25c37b..1bafb948 100644 > > > +--- a/lib/xmlparse.c > > > ++++ b/lib/xmlparse.c > > > +@@ -1228,8 +1228,11 @@ generate_hash_secret_salt(XML_Parser parser) { > > > + # endif /* ! defined(_WIN32) && defined(XML_DEV_URANDOM) */ > > > + /* .. and self-made low quality for backup: */ > > > + > > > ++ entropy = gather_time_entropy(); > > > ++# if ! defined(__wasi__) > > > + /* Process ID is 0 bits entropy if attacker has local access */ > > > +- entropy = gather_time_entropy() ^ getpid(); > > > ++ entropy ^= getpid(); > > > ++# endif > > > + > > > + /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */ > > > + if (sizeof(unsigned long) == 4) { 
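Review bot: the get_hash_secret_salt hunk in CVE-2026-41080-01.patch replaces the recursive parent walk with `getRootParserOf(parser, NULL)`, so this backport only builds if 2.6.4 already has that helper taking a second argument that may be NULL; the cover letter says "picked 2 additional commits to apply the code cleanly", so the patch header should name which of those commits supplies getRootParserOf, or state that it is already present in 2.6.4. The `assert(! rootParser->m_parentParser);` line compiles out under NDEBUG, so in release builds the function relies solely on getRootParserOf returning the root, which is fine but worth a sentence in the description.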
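Review bot: in the XML_SetHashSalt hunk of CVE-2026-41080-01.patch the busy check moves from `parserBusy(parser)` to `parserBusy(rootParser)`; because the removed code recursed to the parent before reaching that line, the check was already evaluated on the root parser, so behaviour is unchanged. Say so in the patch description: the `CVE: CVE-2026-41080` tag sits on what is otherwise a clang-tidy cleanup, and cve-check will count this prerequisite as part of the fix.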
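Review bot: the only behavioural change in the generate_hash_secret_salt hunk of CVE-2026-41080-02.patch is inside `# if ! defined(__wasi__)`; everywhere else the fallback salt is still `gather_time_entropy()` XORed with `getpid()`, and the retained comment that the process ID is 0 bits of entropy against a local attacker still applies. The patch header should state that this commit is picked only so that the third patch applies cleanly, rather than carrying a bare `CVE: CVE-2026-41080` tag that suggests it changes the salt derivation by itself.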
> > > diff --git a/meta/recipes-core/expat/expat/CVE-2026-41080-03.patch > > b/meta/recipes-core/expat/expat/CVE-2026-41080-03.patch > > > new file mode 100644 > > > index 00000000000..4d17f1a0b0e > > > --- /dev/null > > > +++ b/meta/recipes-core/expat/expat/CVE-2026-41080-03.patch 
> > > @@ -0,0 +1,467 @@ > > > +From b77ab600e1893fdcfc3868d0a46efcc87c87943d Mon Sep 17 00:00:00 2001 > > > +From: Sebastian Pipping <[email protected]> > > > +Date: Wed, 8 Apr 2026 15:41:54 +0200 > > > +Subject: [PATCH 3/3] [CVE-2026-41080] Improve protection against hash > > > flooding > > > + (fixes #47) > > > + > > > +Fixes #47 > > > + > > > +CVE: CVE-2026-41080 > > > +Upstream-Status: Backport > > > [https://github.com/libexpat/libexpat/pull/1183] > > > +Signed-off-by: Peter Marko <[email protected]> > > > +--- > > > + Changes | 16 ++++++ > > > + doc/reference.html | 51 ++++++++++++++-- > > > + lib/expat.h | 12 ++++ > > > + lib/internal.h | 2 + > > > + lib/xmlparse.c | 118 ++++++++++++++++++++++++++------------ > > > + tests/basic_tests.c | 25 ++++++++ > > > + 6 files changed, 181 insertions(+), 43 deletions(-) > > > + > > > +diff --git a/Changes b/Changes > > > +index 4265d608..1d87d6a0 100644 > > > +--- a/Changes > > > ++++ b/Changes > > > +@@ -30,6 +30,22 @@ > > > + > > > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! > > > + > > > + Patches: > > > ++ Security fixes: > > > ++ #47 #1183 CVE-2026-41080 -- The existing hash flooding > > > protection > > > ++ (based on SipHash) only used 4 to 8 bytes of > > > entropy for > > > ++ a salt, when 16 bytes of salt are supported by the > > > ++ implementation of SipHash used by Expat. Now full > > > 16 bytes > > > ++ of entropy are used to improve protection against > > > hash > > > ++ flooding attacks. > > > ++ Existing API function XML_SetHashSalt is now > > > deprecated > > > ++ because of its limitations, and its use should be > > > ++ considered a vulnerability. Please either use the > > > new API > > > ++ function XML_SetHashSalt16Bytes (with > > > known-high-quality > > > ++ entropy input only!) 
instead, or leave the > > > derivation of > > > ++ a 16-bytes hash salt from high quality entropy to > > > Expat's > > > ++ internal machinery (by *not* calling either of the > > > two > > > ++ XML_SetHashSalt* functions). > > > ++
> >
> > Hello Peter,
> >
> > I don't know if we can consider CVE-2026-41080 "fixed" with this. Code
> > calling the existing XML_SetHashSalt function will remain vulnerable
> > even with this patch...
> >
> > Maybe we can apply this but leave the CVE applicable to let downstream
> > users review their expat calls?
> >
> > This might be one of the rare cases to use
> > CVE_STATUS[CVE-2026-41080] = "vulnerable-investigating: ..."
> > to grab attention of users?
> >
>
> Hello Yoann,
>
> I don't really like that idea.
> What's the difference from master where the same patch (included in release
> upgrade) marks it as patched?
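Review bot: the Changes hunk in CVE-2026-41080-03.patch says XML_SetHashSalt is "now deprecated" and that its use "should be considered a vulnerability", yet the diffstat shows only 12 lines changed in lib/expat.h and the cover letter says the map-file hunk was dropped because 2.6.4 has none. Please confirm the backport keeps whatever deprecation marking upstream put on XML_SetHashSalt, so in-tree callers get a compile-time warning instead of silently keeping the 4-to-8-byte salt, and that the new XML_SetHashSalt16Bytes symbol is exported from the 2.6.4 shared library without a version script. Given the entry's own wording, the recipe should also carry a pointer for downstream users (a comment next to the patch, or the CVE_STATUS suggested in this thread) that callers of XML_SetHashSalt are not covered by this fix.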
Hi Peter, Yoann,

I took a look at this. The CVE "fix" is to mark the existing API as deprecated and add a new API. That means that users of the old API will continue to have insufficient entropy. The patch here is *necessary*, but not *sufficient* to address CVE-2026-41080.

The fact is that there is no standard definition of what is meant by "patching" a CVE. The correct thing to do is to chase this up the stack and ensure that all callers of XML_SetHashSalt() are updated to use the new API. That is not something that I or Yoann have the bandwidth to do though.

I think on balance we should take the patch. It's not ideal, but it's what we've got. We could raise an issue upstream that this is not a complete fix for existing API users.

Best regards,

--
Paul Barker
