From: Deepak Rathore <[email protected]> This patch applies the upstream fix shown in [1] as referenced by [2].
[1] https://github.com/libexpat/libexpat/commit/babfc48090977cbf7be24b2c48f6053dca75c164 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-56404 Signed-off-by: Deepak Rathore <[email protected]> diff --git a/meta/recipes-core/expat/expat/CVE-2026-56404.patch b/meta/recipes-core/expat/expat/CVE-2026-56404.patch new file mode 100644 index 0000000000..8c72838f68 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56404.patch @@ -0,0 +1,46 @@ +From 8cb4583ac3204175a03c8ea8e371adee583b0bec Mon Sep 17 00:00:00 2001 +From: netliomax25-code <[email protected]> +Date: Thu, 28 May 2026 12:44:11 +0530 +Subject: [PATCH] lib: protect function addBinding from signed integer overflow + +CVE: CVE-2026-56404 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/babfc48090977cbf7be24b2c48f6053dca75c164] + +(cherry picked from commit babfc48090977cbf7be24b2c48f6053dca75c164) +Signed-off-by: Deepak Rathore <[email protected]> +--- + expat/lib/xmlparse.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 53f842d1..33b92c9c 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -4485,6 +4485,10 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, + } + + for (len = 0; uri[len]; len++) { ++ /* Detect and prevent signed integer overflow */ ++ if (len == INT_MAX) { ++ return XML_ERROR_NO_MEMORY; ++ } + if (isXML && (len > xmlLen || uri[len] != xmlNamespace[len])) + isXML = XML_FALSE; + +@@ -4525,8 +4529,13 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, + if (isXMLNS) + return XML_ERROR_RESERVED_NAMESPACE_URI; + +- if (parser->m_namespaceSeparator) ++ if (parser->m_namespaceSeparator) { ++ /* Detect and prevent signed integer overflow */ ++ if (len == INT_MAX) { ++ return XML_ERROR_NO_MEMORY; ++ } + len++; ++ } + if (parser->m_freeBindingList) { + b = parser->m_freeBindingList; + if (len > b->uriAlloc) { +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb index 267e7db35b..affc134285 100644 --- a/meta/recipes-core/expat/expat_2.7.5.bb +++ b/meta/recipes-core/expat/expat_2.7.5.bb @@ -13,6 +13,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56403_p1.patch;striplevel=2 \ file://CVE-2026-56403_p2.patch;striplevel=2 \ file://CVE-2026-56408.patch;striplevel=2 \ + file://CVE-2026-56404.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" -- 2.35.6
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240643): https://lists.openembedded.org/g/openembedded-core/message/240643 Mute This Topic: https://lists.openembedded.org/mt/120206249/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
