From: Deepak Rathore <[email protected]> These patches apply the upstream fixes shown in [1] and [2], as referenced by [3].
[1] https://github.com/libexpat/libexpat/commit/deeb97f7c88d17a16b0ea2521a13733abc283347 [2] https://github.com/libexpat/libexpat/commit/cee20e91bf14dc7f6d2fc48f0d70d86b2dc3afea [3] https://nvd.nist.gov/vuln/detail/CVE-2026-56410 Signed-off-by: Deepak Rathore <[email protected]> diff --git a/meta/recipes-core/expat/expat/CVE-2026-56410_p1.patch b/meta/recipes-core/expat/expat/CVE-2026-56410_p1.patch new file mode 100644 index 0000000000..30fb59b2a3 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56410_p1.patch @@ -0,0 +1,48 @@ +From 759b77a8439bcbf57c86900bc472d46d8ef70c92 Mon Sep 17 00:00:00 2001 +From: netliomax25-code <[email protected]> +Date: Fri, 29 May 2026 17:51:25 +0530 +Subject: [PATCH] xmlwf: protect resolveSystemId from integer overflow + +CVE: CVE-2026-56410 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/deeb97f7c88d17a16b0ea2521a13733abc283347] + +Backport Changes: +- Adapt the allocation hunk to the explicit cast used by Expat 2.7.5 and + include stdint.h for SIZE_MAX. + +(cherry picked from commit deeb97f7c88d17a16b0ea2521a13733abc283347) +Signed-off-by: Deepak Rathore <[email protected]> +--- + expat/xmlwf/xmlfile.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/expat/xmlwf/xmlfile.c b/expat/xmlwf/xmlfile.c +index c4eb839f..31a40209 100644 +--- a/expat/xmlwf/xmlfile.c ++++ b/expat/xmlwf/xmlfile.c +@@ -42,6 +42,7 @@ + #include "expat_config.h" + + #include <stdio.h> ++#include <stdint.h> + #include <stdlib.h> + #include <stddef.h> + #include <string.h> +@@ -138,8 +139,13 @@ resolveSystemId(const XML_Char *base, const XML_Char *systemId, + #endif + ) + return systemId; +- *toFree = (XML_Char *)malloc((tcslen(base) + tcslen(systemId) + 2) +- * sizeof(XML_Char)); ++ const size_t charsRequired = tcslen(base) + tcslen(systemId) + 2; ++ ++ /* Detect and prevent integer overflow */ ++ if (charsRequired > SIZE_MAX / sizeof(XML_Char)) ++ return systemId; ++ ++ *toFree = malloc(charsRequired * sizeof(XML_Char)); + if (! *toFree) + return systemId; + tcscpy(*toFree, base); +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat/CVE-2026-56410_p2.patch b/meta/recipes-core/expat/expat/CVE-2026-56410_p2.patch new file mode 100644 index 0000000000..63d574f591 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56410_p2.patch @@ -0,0 +1,40 @@ +From f16fa442eaa81bfceec5302d977219959eaac7b7 Mon Sep 17 00:00:00 2001 +From: netliomax25-code <[email protected]> +Date: Sat, 30 May 2026 11:28:51 +0530 +Subject: [PATCH] xmlwf: guard each operator in resolveSystemId length sum + +CVE: CVE-2026-56410 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/cee20e91bf14dc7f6d2fc48f0d70d86b2dc3afea] + +(cherry picked from commit cee20e91bf14dc7f6d2fc48f0d70d86b2dc3afea) +Signed-off-by: Deepak Rathore <[email protected]> +--- + expat/xmlwf/xmlfile.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/expat/xmlwf/xmlfile.c b/expat/xmlwf/xmlfile.c +index 31a40209..15c69217 100644 +--- a/expat/xmlwf/xmlfile.c ++++ b/expat/xmlwf/xmlfile.c +@@ -139,9 +139,17 @@ resolveSystemId(const XML_Char *base, const XML_Char *systemId, + #endif + ) + return systemId; +- const size_t charsRequired = tcslen(base) + tcslen(systemId) + 2; ++ const size_t baseLen = tcslen(base); ++ const size_t systemIdLen = tcslen(systemId); + +- /* Detect and prevent integer overflow */ ++ /* Detect and prevent integer overflow in the addition (without risking ++ underflow) */ ++ if (baseLen > SIZE_MAX - systemIdLen || baseLen > SIZE_MAX - systemIdLen - 2) ++ return systemId; ++ ++ const size_t charsRequired = baseLen + systemIdLen + 2; ++ ++ /* Detect and prevent integer overflow in the multiplication */ + if (charsRequired > SIZE_MAX / sizeof(XML_Char)) + return systemId; + +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb index 578d745e61..dcccc7597e 100644 --- a/meta/recipes-core/expat/expat_2.7.5.bb +++ b/meta/recipes-core/expat/expat_2.7.5.bb @@ -15,6 +15,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56408.patch;striplevel=2 \ file://CVE-2026-56404.patch;striplevel=2 \ file://CVE-2026-56405.patch;striplevel=2 \ + file://CVE-2026-56410_p1.patch;striplevel=2 \ + file://CVE-2026-56410_p2.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" -- 2.35.6
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240645): https://lists.openembedded.org/g/openembedded-core/message/240645 Mute This Topic: https://lists.openembedded.org/mt/120206264/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
