From: Deepak Rathore <[email protected]> These patches apply the upstream fixes shown in [1] and [2], as referenced by [3].
[1] https://github.com/libexpat/libexpat/commit/12dc6d8d3d65f79471a94d8565f6bf1cf245f648 [2] https://github.com/libexpat/libexpat/commit/147c8f36d6277d5c6011c098370a8362aed47b15 [3] https://nvd.nist.gov/vuln/detail/CVE-2026-56403 Signed-off-by: Deepak Rathore <[email protected]> diff --git a/meta/recipes-core/expat/expat/CVE-2026-56403_p1.patch b/meta/recipes-core/expat/expat/CVE-2026-56403_p1.patch new file mode 100644 index 0000000000..4cf5c3bd54 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56403_p1.patch @@ -0,0 +1,83 @@ +From 4a264be1794368a1acc08476058b6cf087686d11 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <[email protected]> +Date: Wed, 20 May 2026 12:12:10 +0200 +Subject: [PATCH] lib: Protect function `storeAtts` from signed integer + overflow + +CVE: CVE-2026-56403 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/12dc6d8d3d65f79471a94d8565f6bf1cf245f648] + +Backport Changes: +- Retain the Expat 2.7.5 binding URI reallocation and active tag pointer + updates while using the overflow-safe localPartLen calculation. + +(cherry picked from commit 12dc6d8d3d65f79471a94d8565f6bf1cf245f648) +Signed-off-by: Deepak Rathore <[email protected]> +--- + expat/lib/xmlparse.c | 30 ++++++++++++++++++++---------- + 1 file changed, 20 insertions(+), 10 deletions(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 0248b665..e441ff7f 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -4235,26 +4235,32 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr, + return XML_ERROR_NONE; + prefixLen = 0; + if (parser->m_ns_triplets && binding->prefix->name) { +- while (binding->prefix->name[prefixLen++]) +- ; /* prefixLen includes null terminator */ ++ size_t candidateLen = 0; ++ while (binding->prefix->name[candidateLen++]) ++ ; /* candidateLen includes null terminator */ ++ /* Detect and prevent integer overflow */ ++ if (candidateLen > INT_MAX) ++ return XML_ERROR_NO_MEMORY; ++ prefixLen = (int)candidateLen; + } + tagNamePtr->localPart = localPart; + tagNamePtr->uriLen = binding->uriLen; + tagNamePtr->prefix = binding->prefix->name; + tagNamePtr->prefixLen = prefixLen; +- for (i = 0; localPart[i++];) +- ; /* i includes null terminator */ ++ ++ size_t localPartLen = 0; ++ for (; localPart[localPartLen++];) ++ ; /* localPartLen includes null terminator */ + + /* Detect and prevent integer overflow */ +- if (binding->uriLen > INT_MAX - prefixLen +- || i > INT_MAX - (binding->uriLen + prefixLen)) { ++ if (localPartLen > INT_MAX || binding->uriLen > INT_MAX - prefixLen ++ || localPartLen > (size_t)INT_MAX - (binding->uriLen + prefixLen)) { + return XML_ERROR_NO_MEMORY; + } + +- n = i + binding->uriLen + prefixLen; ++ n = (int)localPartLen + binding->uriLen + prefixLen; + if (n > binding->uriAlloc) { + TAG *p; +- + /* Detect and prevent integer overflow */ + if (n > INT_MAX - EXPAND_SPARE) { + return XML_ERROR_NO_MEMORY; +@@ -4282,10 +4288,14 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr, + } + /* if m_namespaceSeparator != '\0' then uri includes it already */ + uri = binding->uri + binding->uriLen; +- memcpy(uri, localPart, i * sizeof(XML_Char)); ++ /* Detect and prevent integer overflow */ ++ if (localPartLen > SIZE_MAX / sizeof(XML_Char)) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ memcpy(uri, localPart, localPartLen * sizeof(XML_Char)); + /* we always have a namespace separator between localPart and prefix */ + if (prefixLen) { +- uri += i - 1; ++ uri += localPartLen - 1; + *uri = parser->m_namespaceSeparator; /* replace null terminator */ + memcpy(uri + 1, binding->prefix->name, prefixLen * sizeof(XML_Char)); + } +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat/CVE-2026-56403_p2.patch b/meta/recipes-core/expat/expat/CVE-2026-56403_p2.patch new file mode 100644 index 0000000000..a17e3a8b3a --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56403_p2.patch @@ -0,0 +1,52 @@ +From e8100827a4f68c70d8cadf446bb82bec7cbebbac Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <[email protected]> +Date: Fri, 22 May 2026 00:43:52 +0200 +Subject: [PATCH] xmlwf: Protect function `xcsdup` from signed integer overflow + +CVE: CVE-2026-56403 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/147c8f36d6277d5c6011c098370a8362aed47b15] + +Backport Changes: +- Include stdint.h explicitly because Expat 2.7.5 does not expose SIZE_MAX + to xmlwf.c. + +(cherry picked from commit 147c8f36d6277d5c6011c098370a8362aed47b15) +Signed-off-by: Deepak Rathore <[email protected]> +--- + expat/xmlwf/xmlwf.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/expat/xmlwf/xmlwf.c b/expat/xmlwf/xmlwf.c +index 2d0c4f8e..934473ce 100644 +--- a/expat/xmlwf/xmlwf.c ++++ b/expat/xmlwf/xmlwf.c +@@ -46,6 +46,7 @@ + + #include <assert.h> + #include <stdio.h> ++#include <stdint.h> + #include <stdlib.h> + #include <stddef.h> + #include <string.h> +@@ -305,13 +306,18 @@ processingInstruction(void *userData, const XML_Char *target, + static XML_Char * + xcsdup(const XML_Char *s) { + XML_Char *result; +- int count = 0; ++ size_t count = 0; + size_t numBytes; + + /* Get the length of the string, including terminator */ + while (s[count++] != 0) { + /* Do nothing */ + } ++ ++ // Detect and prevent integer overflow ++ if (count > SIZE_MAX / sizeof(XML_Char)) ++ return NULL; ++ + numBytes = count * sizeof(XML_Char); + result = malloc(numBytes); + if (result == NULL) +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb index 4f2578292d..a0c28d162c 100644 --- a/meta/recipes-core/expat/expat_2.7.5.bb +++ b/meta/recipes-core/expat/expat_2.7.5.bb @@ -10,6 +10,8 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}" SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://run-ptest \ + file://CVE-2026-56403_p1.patch;striplevel=2 \ + file://CVE-2026-56403_p2.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" -- 2.35.6
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240641): https://lists.openembedded.org/g/openembedded-core/message/240641 Mute This Topic: https://lists.openembedded.org/mt/120206239/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
