mbox series

[scarthgap,0/10] expat: Security fixes

Message ID 20260717060437.2910653-1-deeratho@cisco.com
Headers show
Series expat: Security fixes | expand

Message

From: Deepak Rathore <deeratho@cisco.com>

This series backports security fixes for Expat 2.6.4 in Scarthgap.
The listed CVEs affect versions before 2.8.2, so this series carries
the relevant upstream fixes instead of upgrading the stable-branch
recipe.

- CVE-2026-56403: Signed integer overflow in storeAtts namespace URI
  construction, with related xcsdup overflow hardening from the same
  upstream pull request. Fixed by adding overflow guards before length
  conversion, allocation, and copy operations.
  Upstream: https://github.com/libexpat/libexpat/commit/12dc6d8d3d65f79471a94d8565f6bf1cf245f648
            https://github.com/libexpat/libexpat/commit/147c8f36d6277d5c6011c098370a8362aed47b15

- CVE-2026-56408: copyString could overflow while calculating the
  allocation size for a copied string. Fixed by adding the upstream
  allocation overflow guard while keeping the Scarthgap 2.6.4 loop
  structure.
  Upstream: https://github.com/libexpat/libexpat/commit/16e2efd867ea8567ffa012210b52ef5918e20817

- CVE-2026-56404: addBinding could hit signed integer overflow while
  calculating namespace binding lengths. Fixed by adding upstream
  length and allocation bounds checks in the binding path.
  Upstream: https://github.com/libexpat/libexpat/commit/babfc48090977cbf7be24b2c48f6053dca75c164

- CVE-2026-56405: getAttributeId could hit signed integer overflow
  while sizing attribute ID storage. Fixed by applying the upstream
  overflow checks around the attribute name allocation.
  Upstream: https://github.com/libexpat/libexpat/commit/2c6c42d33689f6b266a5267b639e03cde17e53c0

- CVE-2026-56410: xmlwf resolveSystemId could overflow while joining
  base and system identifiers. Fixed by guarding both the length sum
  and the allocation multiplication.
  Upstream: https://github.com/libexpat/libexpat/commit/deeb97f7c88d17a16b0ea2521a13733abc283347
            https://github.com/libexpat/libexpat/commit/cee20e91bf14dc7f6d2fc48f0d70d86b2dc3afea

- CVE-2026-56406: XML_ParseBuffer was missing the overflow protection
  already used by XML_Parse. Fixed by adding the XML_Index overflow
  check, with the prerequisite XML_INDEX_MAX helper backported first.
  Upstream: https://github.com/libexpat/libexpat/commit/252ff1a307b1490ce0f430632791e7e52d7e43fd
            https://github.com/libexpat/libexpat/commit/99d8454fdf900a6d00c2a52748e6c0eeb507574d

- CVE-2026-56409: xmlwf output path construction could overflow while
  joining output directory and file name components. Fixed by adding
  upstream bounds checks before allocation.
  Upstream: https://github.com/libexpat/libexpat/commit/61f7cdda22546c4bee38dd2d3fa3d6e4aa64d33e

- CVE-2026-56411: xmlwf notation list allocation could overflow while
  sizing the notation table. Fixed by applying the upstream allocation
  checks and adapting cleanup to the Scarthgap 2.6.4 code path.
  Upstream: https://github.com/libexpat/libexpat/commit/528a4e5017e1bd3b48b689fd0c131df940ae3ea5

- CVE-2026-56407: Entity textLen handling could exceed signed integer
  limits. Fixed by capping entity textLen before storing it in the
  signed field.
  Upstream: https://github.com/libexpat/libexpat/commit/30c2fc179ce5d2b1b1bae30bbe0dfddeac894e13

- CVE-2026-56132: Shared DTD scaffolding could store past the
  scaffIndex allocation after parser-specific group sizes diverged.
  Fixed by tracking scaffIndexSize separately, growing scaffIndex from
  its actual allocation size, and backporting the regression test and
  related follow-up cleanups.
  Upstream: https://github.com/libexpat/libexpat/commit/3a4eaf47af8fd7abda38ea2c08308c91152061f3
            https://github.com/libexpat/libexpat/commit/58400483d7c97be316d7a77739c0a6af5d55932e
            https://github.com/libexpat/libexpat/commit/353919b3b9f2174073a557ac7d517a5f3cd0cbbf
            https://github.com/libexpat/libexpat/commit/bca93b4ba9e15fd84425568d772b69baebf790e4
            https://github.com/libexpat/libexpat/commit/08baa7ef9d168b99094249998fd78f8d190526e5

Validation:
- Built expat successfully after applying the full series.
- Built core-image-minimal successfully with ptest packages enabled.

Deepak Rathore (10):
  expat: fix CVE-2026-56403
  expat: fix CVE-2026-56408
  expat: fix CVE-2026-56404
  expat: fix CVE-2026-56405
  expat: fix CVE-2026-56410
  expat: fix CVE-2026-56406
  expat: fix CVE-2026-56409
  expat: fix CVE-2026-56411
  expat: fix CVE-2026-56407
  expat: fix CVE-2026-56132

 .../expat/expat/CVE-2026-56132_p1.patch       | 80 +++++++++++++++++
 .../expat/expat/CVE-2026-56132_p2.patch       | 60 +++++++++++++
 .../expat/expat/CVE-2026-56132_p3.patch       | 74 ++++++++++++++++
 .../expat/expat/CVE-2026-56132_p4.patch       | 60 +++++++++++++
 .../expat/expat/CVE-2026-56132_p5.patch       | 56 ++++++++++++
 .../expat/expat/CVE-2026-56403_p1.patch       | 81 ++++++++++++++++++
 .../expat/expat/CVE-2026-56403_p2.patch       | 52 +++++++++++
 .../expat/expat/CVE-2026-56404.patch          | 45 ++++++++++
 .../expat/expat/CVE-2026-56405.patch          | 30 +++++++
 .../expat/CVE-2026-56406-dependent.patch      | 59 +++++++++++++
 .../expat/expat/CVE-2026-56406.patch          | 34 ++++++++
 .../expat/expat/CVE-2026-56407.patch          | 41 +++++++++
 .../expat/expat/CVE-2026-56408.patch          | 33 ++++++++
 .../expat/expat/CVE-2026-56409.patch          | 51 +++++++++++
 .../expat/expat/CVE-2026-56410_p1.patch       | 46 ++++++++++
 .../expat/expat/CVE-2026-56410_p2.patch       | 39 +++++++++
 .../expat/expat/CVE-2026-56411.patch          | 50 +++++++++++
 meta/recipes-core/expat/expat_2.6.4.bb        | 17 ++++
 18 files changed, 908 insertions(+)
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56132_p1.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56132_p2.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56132_p3.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56132_p4.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56132_p5.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56403_p1.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56403_p2.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56404.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56405.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56406-dependent.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56406.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56407.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56408.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56409.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56410_p1.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56410_p2.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56411.patch

--
2.35.6