From: Deepak Rathore <[email protected]> - wrynose contains Expat 2.7.5, that the listed CVEs affect versions before 2.8.2, and that this series backports the relevant upstream fixes rather than upgrading the stable-branch recipe. - For CVE-2026-56403, upstream pull request 1232 contains both the storeAtts fix and the related xcsdup overflow hardening. This makes the reason for carrying both source patches explicit, even though the published advisory description names storeAtts specifically.
- Verified the full image build successfully after applying all the patches. - Ran Ptest on the full image and verified that all tests passed successfully. Deepak Rathore (10): expat: fix CVE-2026-56403 expat: fix CVE-2026-56408 expat: fix CVE-2026-56404 expat: fix CVE-2026-56405 expat: fix CVE-2026-56410 expat: fix CVE-2026-56406 expat: fix CVE-2026-56409 expat: fix CVE-2026-56411 expat: fix CVE-2026-56407 expat: fix CVE-2026-56132 .../expat/expat/CVE-2026-56132_p1.patch | 89 +++++++++++++++++++ .../expat/expat/CVE-2026-56132_p2.patch | 62 +++++++++++++ .../expat/expat/CVE-2026-56132_p3.patch | 76 ++++++++++++++++ .../expat/expat/CVE-2026-56132_p4.patch | 63 +++++++++++++ .../expat/expat/CVE-2026-56132_p5.patch | 58 ++++++++++++ .../expat/expat/CVE-2026-56403_p1.patch | 83 +++++++++++++++++ .../expat/expat/CVE-2026-56403_p2.patch | 52 +++++++++++ .../expat/expat/CVE-2026-56404.patch | 46 ++++++++++ .../expat/expat/CVE-2026-56405.patch | 32 +++++++ .../expat/CVE-2026-56406-dependent.patch | 57 ++++++++++++ .../expat/expat/CVE-2026-56406.patch | 36 ++++++++ .../expat/expat/CVE-2026-56407.patch | 43 +++++++++ .../expat/expat/CVE-2026-56408.patch | 36 ++++++++ .../expat/expat/CVE-2026-56409.patch | 52 +++++++++++ .../expat/expat/CVE-2026-56410_p1.patch | 48 ++++++++++ .../expat/expat/CVE-2026-56410_p2.patch | 40 +++++++++ .../expat/expat/CVE-2026-56411.patch | 46 ++++++++++ meta/recipes-core/expat/expat_2.7.5.bb | 17 ++++ 18 files changed, 936 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56132_p1.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56132_p2.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56132_p3.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56132_p4.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56132_p5.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56403_p1.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56403_p2.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56404.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56405.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56406-dependent.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56406.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56407.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56408.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56409.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56410_p1.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56410_p2.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56411.patch -- 2.35.6
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240640): https://lists.openembedded.org/g/openembedded-core/message/240640 Mute This Topic: https://lists.openembedded.org/mt/120206235/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
