diff mbox series

[meta-oe,wrynose] libidn: Fix CVE-2026-57053

Message ID 20260709113220.3742085-1-deeratho@cisco.com
State New
Headers show
Series [meta-oe,wrynose] libidn: Fix CVE-2026-57053 | expand

Commit Message

From: Deepak Rathore <deeratho@cisco.com>

This patch applies the upstream v1.44 backport for
CVE-2026-57053. The upstream fix commit is referenced in [1],
and the public CVE advisory is referenced in [2].

[1] https://git.savannah.gnu.org/cgit/libidn.git/commit/?id=f57fab06afc1e328bbe197ad3d4a4e83c829593e
[2] https://www.cve.org/CVERecord?id=CVE-2026-57053

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
diff mbox series

Patch

diff --git a/meta-oe/recipes-extended/libidn/libidn/CVE-2026-57053.patch b/meta-oe/recipes-extended/libidn/libidn/CVE-2026-57053.patch
new file mode 100644
index 0000000000..7079f9c429
--- /dev/null
+++ b/meta-oe/recipes-extended/libidn/libidn/CVE-2026-57053.patch
@@ -0,0 +1,28 @@ 
+From f57fab06afc1e328bbe197ad3d4a4e83c829593e Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Tue, 16 Jun 2026 17:23:38 +0200
+Subject: [PATCH] Guard against read-out-bounds on some xn-- strings
+
+Report and suggested fix by jiami3us@icloud.com in:
+https://lists.gnu.org/archive/html/help-libidn/2026-05/msg00000.html
+
+CVE: CVE-2026-57053
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/libidn.git/commit/?id=f57fab06afc1e328bbe197ad3d4a4e83c829593e]
+
+(cherry picked from commit f57fab06afc1e328bbe197ad3d4a4e83c829593e)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ lib/idna.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/idna.c b/lib/idna.c
+index 27de4489..29664245 100644
+--- a/lib/idna.c
++++ b/lib/idna.c
+@@ -388,4 +388,5 @@ step3:
+-  if (c_strcasecmp (utf8in, tmpout + strlen (IDNA_ACE_PREFIX)) != 0)
++  if (c_strncasecmp (tmpout, IDNA_ACE_PREFIX, strlen (IDNA_ACE_PREFIX)) != 0
++      || c_strcasecmp (utf8in, tmpout + strlen (IDNA_ACE_PREFIX)) != 0)
+     {
+       free (utf8in);
+       return IDNA_ROUNDTRIP_VERIFY_ERROR;
diff --git a/meta-oe/recipes-extended/libidn/libidn_1.43.bb b/meta-oe/recipes-extended/libidn/libidn_1.43.bb
index 7c478a1495..e645ffce20 100644
--- a/meta-oe/recipes-extended/libidn/libidn_1.43.bb
+++ b/meta-oe/recipes-extended/libidn/libidn_1.43.bb
@@ -17,6 +17,7 @@  inherit pkgconfig autotools gettext texinfo gtk-doc
 
 SRC_URI = "${GNU_MIRROR}/libidn/${BPN}-${PV}.tar.gz \
            file://dont-depend-on-help2man.patch \
+           file://CVE-2026-57053.patch \
            "
 
 SRC_URI[sha256sum] = "bdc662c12d041b2539d0e638f3a6e741130cdb33a644ef3496963a443482d164"