diff --git a/meta/recipes-devtools/python/python3/CVE-2026-7210-1.patch b/meta/recipes-devtools/python/python3/CVE-2026-7210-1.patch new file mode 100644 index 0000000000..23d412cc38 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-7210-1.patch @@ -0,0 +1,88 @@ +From 03794ce9a58b1f33751c88d7d876dfbf27645c56 Mon Sep 17 00:00:00 2001 +From: Stan Ulbrych +Date: Sun, 26 Apr 2026 19:31:25 +0100 +Subject: [PATCH] Use `XML_SetHashSalt16Bytes` from libExpat when possible + +CVE: CVE-2026-7210 +Upstream-Status: Backport [https://github.com/python/cpython/pull/149023/commits/03794ce9a58b1f33751c88d7d876dfbf27645c56] + +Signed-off-by: Amaury Couderc +--- + Include/pyexpat.h | 3 +++ + .../2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst | 3 +++ + Modules/_elementtree.c | 8 ++++++-- + Modules/pyexpat.c | 11 ++++++++++- + 4 files changed, 22 insertions(+), 3 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst + +diff --git a/Include/pyexpat.h b/Include/pyexpat.h +index f523f8bb273983a..a676e16a7a457ea 100644 +--- a/Include/pyexpat.h ++++ b/Include/pyexpat.h +@@ -57,6 +57,9 @@ struct PyExpat_CAPI + XML_Parser parser, unsigned long long activationThresholdBytes); + XML_Bool (*SetAllocTrackerMaximumAmplification)( + XML_Parser parser, float maxAmplificationFactor); ++ /* might be NULL for expat < 2.8.0 */ ++ XML_Bool (*SetHashSalt16Bytes)( ++ XML_Parser parser, const uint8_t entropy[16]); + /* always add new stuff to the end! */ + }; + +diff --git a/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst b/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst +new file mode 100644 +index 000000000000000..d1b5b368684e6a5 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst +@@ -0,0 +1,3 @@ ++Improved protection against XML hash-flooding attacks in ++:mod:`xml.parsers.expat` and :mod:`xml.etree.ElementTree` when Python is ++compiled with libExpat 2.8.0 or later. +diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c +index cbd1e026df27227..b2d4b982602c583 100644 +--- a/Modules/_elementtree.c ++++ b/Modules/_elementtree.c +@@ -3657,8 +3657,12 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *target, + PyErr_NoMemory(); + return -1; + } +- /* expat < 2.1.0 has no XML_SetHashSalt() */ +- if (EXPAT(st, SetHashSalt) != NULL) { ++ // Prefer 16-byte entropy, only expat >= 2.8.0. See gh-149018 ++ if (EXPAT(st, SetHashSalt16Bytes) != NULL) { ++ EXPAT(st, SetHashSalt16Bytes)(self->parser, ++ (const uint8_t *)_Py_HashSecret.uc); ++ } ++ else if (EXPAT(st, SetHashSalt) != NULL) { + EXPAT(st, SetHashSalt)(self->parser, + (unsigned long)_Py_HashSecret.expat.hashsalt); + } +diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c +index 0f0afe17513ef1c..1df433e64bc096f 100644 +--- a/Modules/pyexpat.c ++++ b/Modules/pyexpat.c +@@ -1388,7 +1388,11 @@ newxmlparseobject(pyexpat_state *state, const char *encoding, + Py_DECREF(self); + return NULL; + } +-#if XML_COMBINED_VERSION >= 20100 ++#if XML_COMBINED_VERSION >= 20800 ++ /* This feature was added upstream in libexpat 2.8.0. */ ++ XML_SetHashSalt16Bytes(self->itself, ++ (const uint8_t *)_Py_HashSecret.uc); ++#elif XML_COMBINED_VERSION >= 20100 + /* This feature was added upstream in libexpat 2.1.0. */ + XML_SetHashSalt(self->itself, + (unsigned long)_Py_HashSecret.expat.hashsalt); +@@ -2257,6 +2261,11 @@ pyexpat_exec(PyObject *mod) + #else + capi->SetHashSalt = NULL; + #endif ++#if XML_COMBINED_VERSION >= 20800 ++ capi->SetHashSalt16Bytes = XML_SetHashSalt16Bytes; ++#else ++ capi->SetHashSalt16Bytes = NULL; ++#endif + #if XML_COMBINED_VERSION >= 20600 + capi->SetReparseDeferralEnabled = XML_SetReparseDeferralEnabled; + #else diff --git a/meta/recipes-devtools/python/python3/CVE-2026-7210-2.patch b/meta/recipes-devtools/python/python3/CVE-2026-7210-2.patch new file mode 100644 index 0000000000..a0c365cc82 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-7210-2.patch @@ -0,0 +1,74 @@ +From ccb8d2f7df9534e49a43554193d7f5f4d993189c Mon Sep 17 00:00:00 2001 +From: Stan Ulbrych +Date: Sun, 26 Apr 2026 19:42:01 +0100 +Subject: [PATCH] Add `_Py_HashSecret_t.expat.hashsalt16` instead + +CVE: CVE-2026-7210 +Upstream-Status: Backport [https://github.com/python/cpython/pull/149023/commits/ccb8d2f7df9534e49a43554193d7f5f4d993189c] + +Signed-off-by: Amaury Couderc +--- + Include/pyhash.h | 8 +++++--- + Modules/_elementtree.c | 2 +- + Modules/pyexpat.c | 3 +-- + 3 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/Include/pyhash.h b/Include/pyhash.h +index 84cb72fa6fd1b26..3056dc44cc0f1b1 100644 +--- a/Include/pyhash.h ++++ b/Include/pyhash.h +@@ -39,14 +39,14 @@ + * pppppppp ssssssss ........ fnv -- two Py_hash_t + * k0k0k0k0 k1k1k1k1 ........ siphash -- two uint64_t + * ........ ........ ssssssss djbx33a -- 16 bytes padding + one Py_hash_t +- * ........ ........ eeeeeeee pyexpat XML hash salt ++ * eeeeeeee eeeeeeee eeeeeeee pyexpat XML hash salt + * + * memory layout on 32 bit systems + * cccccccc cccccccc cccccccc uc + * ppppssss ........ ........ fnv -- two Py_hash_t + * k0k0k0k0 k1k1k1k1 ........ siphash -- two uint64_t (*) + * ........ ........ ssss.... djbx33a -- 16 bytes padding + one Py_hash_t +- * ........ ........ eeee.... pyexpat XML hash salt ++ * eeeeeeee eeeeeeee eeee.... pyexpat XML hash salt + * + * (*) The siphash member may not be available on 32 bit platforms without + * an unsigned int64 data type. +@@ -71,7 +71,9 @@ typedef union { + Py_hash_t suffix; + } djbx33a; + struct { +- unsigned char padding[16]; ++ /* 16 bytes for XML_SetHashSalt16Bytes */ ++ uint8_t hashsalt16[16]; ++ /* 4/8 bytes for legacy XML_SetHashSalt */ + Py_hash_t hashsalt; + } expat; + } _Py_HashSecret_t; +diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c +index b2d4b982602c583..9e794be5c109ba5 100644 +--- a/Modules/_elementtree.c ++++ b/Modules/_elementtree.c +@@ -3660,7 +3660,7 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *target, + // Prefer 16-byte entropy, only expat >= 2.8.0. See gh-149018 + if (EXPAT(st, SetHashSalt16Bytes) != NULL) { + EXPAT(st, SetHashSalt16Bytes)(self->parser, +- (const uint8_t *)_Py_HashSecret.uc); ++ _Py_HashSecret.expat.hashsalt16); + } + else if (EXPAT(st, SetHashSalt) != NULL) { + EXPAT(st, SetHashSalt)(self->parser, +diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c +index 1df433e64bc096f..78efbef679024f3 100644 +--- a/Modules/pyexpat.c ++++ b/Modules/pyexpat.c +@@ -1390,8 +1390,7 @@ newxmlparseobject(pyexpat_state *state, const char *encoding, + } + #if XML_COMBINED_VERSION >= 20800 + /* This feature was added upstream in libexpat 2.8.0. */ +- XML_SetHashSalt16Bytes(self->itself, +- (const uint8_t *)_Py_HashSecret.uc); ++ XML_SetHashSalt16Bytes(self->itself, _Py_HashSecret.expat.hashsalt16); + #elif XML_COMBINED_VERSION >= 20100 + /* This feature was added upstream in libexpat 2.1.0. */ + XML_SetHashSalt(self->itself, diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb index 5fa25235fe..236bffc360 100644 --- a/meta/recipes-devtools/python/python3_3.12.13.bb +++ b/meta/recipes-devtools/python/python3_3.12.13.bb @@ -34,6 +34,8 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-test_deadlock-skip-problematic-test.patch \ file://0001-test_active_children-skip-problematic-test.patch \ file://0001-test_readline-skip-limited-history-test.patch \ + file://CVE-2026-7210-1.patch \ + file://CVE-2026-7210-2.patch \ " SRC_URI:append:class-native = " \