diff --git a/meta/recipes-core/expat/expat/CVE-2026-32776.patch b/meta/recipes-core/expat/expat/CVE-2026-32776.patch new file mode 100644 index 0000000000..96a869a7c8 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-32776.patch @@ -0,0 +1,91 @@ +From 3340f971f2f92e499adf03156024105bb9bb7ed9 Mon Sep 17 00:00:00 2001 +From: Francesco Bertolaccini +Date: Tue, 3 Mar 2026 16:41:43 +0100 +Subject: [PATCH] Fix NULL function-pointer dereference for empty external + parameter entities + +When an external parameter entity with empty text is referenced inside +an entity declaration value, the sub-parser created to handle it receives +0 bytes of input. Processing enters entityValueInitProcessor which calls +storeEntityValue() with the parser's encoding; since no bytes were ever +processed, encoding detection has not yet occurred and the encoding is +still the initial probing encoding set up by XmlInitEncoding(). That +encoding only populates scanners[] (for prolog and content), not +literalScanners[]. XmlEntityValueTok() calls through +literalScanners[XML_ENTITY_VALUE_LITERAL] which is NULL, causing a +SEGV. + +Skip the tokenization loop entirely when entityTextPtr >= entityTextEnd, +and initialize the `next` pointer before the early exit so that callers +(callStoreEntityValue) receive a valid value through nextPtr. + +CVE: CVE-2026-32776 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/5be25657583ea91b09025c858b4785834c20f59c] + +(cherry picked from commit 5be25657583ea91b09025c858b4785834c20f59c) +Signed-off-by: Hugo SIMELIERE +--- + lib/xmlparse.c | 9 ++++++++- + tests/basic_tests.c | 19 +++++++++++++++++++ + 2 files changed, 27 insertions(+), 1 deletion(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index aa5e91e4..56faf2eb 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -6777,7 +6777,14 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc, + return XML_ERROR_NO_MEMORY; + } + +- const char *next; ++ const char *next = entityTextPtr; ++ ++ /* Nothing to tokenize. */ ++ if (entityTextPtr >= entityTextEnd) { ++ result = XML_ERROR_NONE; ++ goto endEntityValue; ++ } ++ + for (;;) { + next + = entityTextPtr; /* XmlEntityValueTok doesn't always set the last arg */ +diff --git a/tests/basic_tests.c b/tests/basic_tests.c +index 2a5e43d6..023d9ce4 100644 +--- a/tests/basic_tests.c ++++ b/tests/basic_tests.c +@@ -6210,6 +6210,24 @@ START_TEST(test_varying_buffer_fills) { + } + END_TEST + ++START_TEST(test_empty_ext_param_entity_in_value) { ++ const char *text = ""; ++ ExtOption options[] = { ++ {XCS("ext.dtd"), "" ++ ""}, ++ {XCS("empty"), ""}, ++ {NULL, NULL}, ++ }; ++ ++ XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ XML_SetExternalEntityRefHandler(g_parser, external_entity_optioner); ++ XML_SetUserData(g_parser, options); ++ if (_XML_Parse_SINGLE_BYTES(g_parser, text, (int)strlen(text), XML_TRUE) ++ == XML_STATUS_ERROR) ++ xml_failure(g_parser); ++} ++END_TEST ++ + void + make_basic_test_case(Suite *s) { + TCase *tc_basic = tcase_create("basic tests"); +@@ -6456,6 +6474,7 @@ make_basic_test_case(Suite *s) { + tcase_add_test(tc_basic, test_empty_element_abort); + tcase_add_test__ifdef_xml_dtd(tc_basic, + test_pool_integrity_with_unfinished_attr); ++ tcase_add_test__ifdef_xml_dtd(tc_basic, test_empty_ext_param_entity_in_value); + tcase_add_test__if_xml_ge(tc_basic, test_entity_ref_no_elements); + tcase_add_test__if_xml_ge(tc_basic, test_deep_nested_entity); + tcase_add_test__if_xml_ge(tc_basic, test_deep_nested_attribute_entity); +-- +2.43.0 + diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb index 048093f010..631aebe6ca 100644 --- a/meta/recipes-core/expat/expat_2.6.4.bb +++ b/meta/recipes-core/expat/expat_2.6.4.bb @@ -46,6 +46,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-25210-01.patch \ file://CVE-2026-25210-02.patch \ file://CVE-2026-25210-03.patch \ + file://CVE-2026-32776.patch \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"