From patchwork Tue Oct 28 13:46:11 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 73187 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EEBEACCF9E0 for ; Tue, 28 Oct 2025 13:46:28 +0000 (UTC) Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com [209.85.214.170]) by mx.groups.io with SMTP id smtpd.web10.12193.1761659187290607105 for ; Tue, 28 Oct 2025 06:46:27 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=vNJkH+LA; spf=softfail (domain: sakoman.com, ip: 209.85.214.170, mailfrom: steve@sakoman.com) Received: by mail-pl1-f170.google.com with SMTP id d9443c01a7336-290ac2ef203so57135595ad.1 for ; Tue, 28 Oct 2025 06:46:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1761659186; x=1762263986; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=2V+OXtUW2gznBBneNeixHhgmVFE3FCebIDyy5p0pkPA=; b=vNJkH+LAa4yF2zUQsnAILO7d0JiJ97Sup75zZrp8tCRC5DnvJAJ4fHhg0EqQ7AvhZv 91zkbSWynRMI1oR2EPlS01WmgRqvmudA9I5IhQ/0e1C2C4CyaArwF+KGPOv10brIuhsZ SndCDjG2uvYco6jeIaO0fcd6PaCunoGfkE73ZspylJqnHRVC/Mpf55fA0hT+r2QJkjpz bgUjdKSGevsWjKQQg71kPJLWJDc/tIJKVogrDCnOK5EavG/8rhE1fhq1ggpA3JDnwjgU naPzJ1O77vXDAzyelk+Co4PuTQHENUSmKcO9sdIcjBR1/PWBfILE0kaspEITlAVWA7EJ 7urQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1761659186; x=1762263986; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=2V+OXtUW2gznBBneNeixHhgmVFE3FCebIDyy5p0pkPA=; b=Uy1tB87WXpG9cPx7Hpi3n5REvF6Ujf7qvoiZLdW9JwsZPxEVHC/sHo69dRhadKQDEI U9DDEg4XXGnAUQOwu8hlSCZ8/p462BE7KLXTF6QcBtzS6MZH4XYNUBLlzSPlC8NJikYc aFm0aUikJN9dLrmNLZP4VhyJ38APeoYMsB8ilYG4eiA7sPsmh+k2WFGaGlKu27OIXUBQ /HminAdUR1N4kvw2BKb/mSodIcZ+8i2r8kFPfXL1QL4kAmeYUNWzG3Q9w05pKE1v4uSY DmG+MlBfbKPGkrTtz5nQAAhnpQfpwkpMYWJreXgET/IMUB4xkvGa/sJ49a90k69vDrAa GmVQ== X-Gm-Message-State: AOJu0Yz56ofP0FLybmxuUZP8Rwv9IKCL8ZdDGDP4TTlzKIxhrVTFXiN2 VKsMeojQT7+3eOV7w8OS7HsqbPlmGJUxVhOSINh5n4mbGcWB0g2hYsiq+kS85vGDsKn84bUm0HU 4zLjevBM= X-Gm-Gg: ASbGncvhKBLJ3OVKpOvOK0B/3c4E9AtseyE8wft/OX3D59ANvIgsDzJQ78HDAMwyo/q k/E+mspR0HKobBglM3r4KFgTWSgMnnkQWfXyMCBkqwKW3PAgKAaS/Zdsgu8guzVirO/Ji6PTg9i tRkmr8UGk0K6+Bo+1awUZKqzKOWuZwxHp3SUVFzuxdo8reKMDleav1gzMoXNfpaRBPIPtJ23pBw CZf9VvLNQbF4gYFroSujpyknRMphyA8ZwJejCSpnZut3XqPUeaKz0Ozl81TDwUXRbrw9hKyX/h7 c4vD4Fc0WXEflpccftN/SZkgtIjruGdExqMd6sCe7nSIvtWDhpqwicIgSUndA2TkBSaTtc7xmiv jc80kn1jiBKDeKALe4RNL6bfdSTroPCYHVTW2Stt1JsRjMIpecY0IbGJGVWfVghVMvgqCFro0de qW+g== X-Google-Smtp-Source: AGHT+IEzO+i6wnkR1s8mHMLzAL56ZM70hAa4qdBaTKEvcWop8d/5zUxr4TFR+vA5QYZfgKZqR11TpA== X-Received: by 2002:a17:902:d4d2:b0:267:87be:505e with SMTP id d9443c01a7336-294cb3d8384mr41592625ad.23.1761659186526; Tue, 28 Oct 2025 06:46:26 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:2bae:51f5:3bdc:4c68]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29498d40a7esm119894605ad.70.2025.10.28.06.46.26 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Oct 2025 06:46:26 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 1/8] libpam: mark CVE-2025-6018 as not applicable Date: Tue, 28 Oct 2025 06:46:11 -0700 Message-ID: <3f2a9ad03326dc87681cf47ed5f73712ebaa624c.1761596406.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Oct 2025 13:46:28 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/225401 From: Anders Heimer CVE-2025-6018 is a local privilege escalation in PAM that requires `user_readenv=1` to be enabled in the PAM configuration. The default configuration does not enable reading user environment files (user_readenv is 0 by default). Hence this vulnerability cannot be exploited using the default configuration. Signed-off-by: Anders Heimer Signed-off-by: Steve Sakoman --- meta/recipes-extended/pam/libpam_1.5.3.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-extended/pam/libpam_1.5.3.bb b/meta/recipes-extended/pam/libpam_1.5.3.bb index 4c27767ab1..79a0e9f694 100644 --- a/meta/recipes-extended/pam/libpam_1.5.3.bb +++ b/meta/recipes-extended/pam/libpam_1.5.3.bb @@ -39,6 +39,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux-PAM-${PV}.tar.xz \ SRC_URI[sha256sum] = "7ac4b50feee004a9fa88f1dfd2d2fa738a82896763050cd773b3c54b0a818283" +CVE_STATUS[CVE-2025-6018] = "not-applicable-config: Default PAM config does not use user_readenv=1" + DEPENDS = "bison-native flex-native libxml2-native virtual/crypt" EXTRA_OECONF = "--includedir=${includedir}/security \ From patchwork Tue Oct 28 13:46:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 73194 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E50D5CCD1BF for ; Tue, 28 Oct 2025 13:46:38 +0000 (UTC) Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com [209.85.214.176]) by mx.groups.io with SMTP id smtpd.web11.9353.1761659191689700831 for ; Tue, 28 Oct 2025 06:46:31 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=pRE/8sxr; spf=softfail (domain: sakoman.com, ip: 209.85.214.176, mailfrom: steve@sakoman.com) Received: by mail-pl1-f176.google.com with SMTP id d9443c01a7336-27eec33b737so86076185ad.1 for ; Tue, 28 Oct 2025 06:46:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1761659191; x=1762263991; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=et2ZKMRBt54g12FcE/Gexu9OkCWL15NWdTC+lin3N1E=; b=pRE/8sxrwj8CxHNuGQ1P09hbaPMeiOB7ZSwphl5avQteuE4NyDrhRtv+TFxaEutMnn W1iBFTm/RfIsz9AWJjpQ0tbuBONsbaef0rh1eDqNaMpkU9+eU5gWvLO2z8wdxXsrHGla PCGaQxF9S+hzYGg6hQi2lxIZuFfAYpdHUpYt1eZkQLaatKlhiYzJ05lLmJiuM+teP4B1 l9ZIgPSRntp7ErelIvsijJy6EkWKwpElnvE571l4uTxGQDXVLviWSH1azO0fkWszveKq tw9Hg4heLQX7J6tXrUIJuYZ3DCQ11exIRvmJtFQu0p9UWyXn7j98RJ99PKhPDOpulZmz mcrQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1761659191; x=1762263991; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=et2ZKMRBt54g12FcE/Gexu9OkCWL15NWdTC+lin3N1E=; b=FaOGeCm4pssOOWWZqFy19tVFkvCmbldyV61iUXa4NX36OaITO1PYttOT30QtOZMAe+ c2f97bg5wcOYj08nWEkcaGrk4MD1NftY9N+r4bVxYwk+0FgHEgP/6OgbgAGCRlwZunrp 6Hbe2p7/QJcE1Kz4zxNmxOHWecK+Nh1VrDIHP8+6tdXD6zq8p7qhCqj4uzBtw6vNORI7 IZd7j8GNaKy9HGanWbgoWT2lLzuf+kZdqea89iX+ZpFMtOio/zMlTSvW5cHyn0EXxQHK DpIwlZn9ink0YnFvBzfxP1uTEYoOVFwPkM/VIv281e8e15Bj3jXXJ24sNMMPug1yuzL2 lvWw== X-Gm-Message-State: AOJu0YwX1QsWdMv7Tzf/tamdY7tJd+C0nJFK7LWu85F/zUj+cbJP6GTE iatDEM/zTpjj4voMAew6z+Y4xtgOki7ozzXUnEDM04uyaFRM5ukwYUI8MLrcBeFcAZDnEbihUqW ar4D8EeQ= X-Gm-Gg: ASbGncuNQoTB8hun9J7N562J30XnWsxFJrw0QUckftPA8VWerLF7QCJRjO/T+m1gXW9 N31SXZ3zpFkcWTqjC7mWfUmWPYW433UxRT82YGlRapwpFX4wz5OTvAEMEkJZ0T/5lC76h1HuhLS keid8h9hPG21ASWvir0lMHjhLMFFBC7ntqZBX6b//DWIAk2TkqcDCT8lll7JamhFUFKIEN/Ktlo A9Xvq+Dt7qewg/zRPjpzaJMRtYpMB3tpKhljdvy0Tg9ndR52gXcOzuCeAF9xtZHJOttOYdOMpnh QOn2Ivy08pWOASVHTX8KVF9wIaHT4bvBKgrbK3rPIYfET3BnfXxWApOkSKZWvu7owGnbhGFFxuY 20xIvYiswfTVB2BbXeduFZkAx2Fs/KYr+fbMQm64/r7TZFQCJqDVyisz8gyhHPS1bncs= X-Google-Smtp-Source: AGHT+IFXIj26mjOpjdCVw1Ci87LzLOflGgmcJWG3y/513Oh3Nb2MCM5jsU4HE2yfTK4uE/cFEB/Z4g== X-Received: by 2002:a17:903:1248:b0:294:9813:4509 with SMTP id d9443c01a7336-294cb643bd4mr43761495ad.53.1761659188473; Tue, 28 Oct 2025 06:46:28 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:2bae:51f5:3bdc:4c68]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29498d40a7esm119894605ad.70.2025.10.28.06.46.27 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Oct 2025 06:46:28 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 2/8] expat: patch CVE-2025-59375 Date: Tue, 28 Oct 2025 06:46:12 -0700 Message-ID: <684d3cdbc08ce41dc1f92e1f228eee34bc2bc1fe.1761596406.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Oct 2025 13:46:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/225403 From: Peter Marko Pick patch from PR mentioning this CVE [1] It's a complex patch so I have checked diff of 2.6.4 and commit before these patches landed. There were no changes in memory allocations. Also version in scarthgap is still not that much different from current upstream master. Ptests pass. Also picked one documentation commit (-00) to resolve patch conflict. Following conflicts were resolved manually: * commit "mass-cppcheck.sh: Activate in-code suppression comments" was skipped as it only edited github actions not yet available in 2.6.4 * commit "lib: Implement tracking of dynamic memory allocations" ale had conflict in github actions not yet available in 2.6.4 * commit "fuzz: Be robust towards NULL return from XML_ExternalEntityParserCreate" edited file "expat/fuzz/xml_lpm_fuzzer.cpp" which is not present in our version yet. Since we're not using fuzzying, this is not needed. * the final changelog commit needed lot conflict resolution actions Finally picked PR fixing regression [2] together with two minor commits to have a clean cherry-picks. Also here the Changes commit needed conflict resolution. [1] https://github.com/libexpat/libexpat/pull/1034 [2] https://github.com/libexpat/libexpat/pull/1048 Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../expat/expat/CVE-2025-59375-00.patch | 52 ++ .../expat/expat/CVE-2025-59375-01.patch | 48 ++ .../expat/expat/CVE-2025-59375-02.patch | 109 ++++ .../expat/expat/CVE-2025-59375-03.patch | 127 ++++ .../expat/expat/CVE-2025-59375-04.patch | 62 ++ .../expat/expat/CVE-2025-59375-05.patch | 64 ++ .../expat/expat/CVE-2025-59375-06.patch | 68 +++ .../expat/expat/CVE-2025-59375-07.patch | 52 ++ .../expat/expat/CVE-2025-59375-08.patch | 577 ++++++++++++++++++ .../expat/expat/CVE-2025-59375-09.patch | 43 ++ .../expat/expat/CVE-2025-59375-10.patch | 54 ++ .../expat/expat/CVE-2025-59375-11.patch | 66 ++ .../expat/expat/CVE-2025-59375-12.patch | 58 ++ .../expat/expat/CVE-2025-59375-13.patch | 309 ++++++++++ .../expat/expat/CVE-2025-59375-14.patch | 122 ++++ .../expat/expat/CVE-2025-59375-15.patch | 70 +++ .../expat/expat/CVE-2025-59375-16.patch | 146 +++++ .../expat/expat/CVE-2025-59375-17.patch | 28 + .../expat/expat/CVE-2025-59375-18.patch | 74 +++ .../expat/expat/CVE-2025-59375-19.patch | 103 ++++ .../expat/expat/CVE-2025-59375-20.patch | 285 +++++++++ .../expat/expat/CVE-2025-59375-21.patch | 196 ++++++ .../expat/expat/CVE-2025-59375-22.patch | 37 ++ .../expat/expat/CVE-2025-59375-23.patch | 47 ++ .../expat/expat/CVE-2025-59375-24.patch | 36 ++ meta/recipes-core/expat/expat_2.6.4.bb | 25 + 26 files changed, 2858 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-00.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-01.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-02.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-03.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-04.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-05.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-06.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-07.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-08.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-09.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-10.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-11.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-12.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-13.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-14.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-15.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-16.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-17.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-18.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-19.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-20.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-21.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-22.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-23.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-24.patch diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-00.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-00.patch new file mode 100644 index 0000000000..e3cbd0f604 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2025-59375-00.patch @@ -0,0 +1,52 @@ +From 87321ac84a0d6cb42ee64a591adc79c1ec37fb5b Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Tue, 2 Sep 2025 20:52:29 +0200 +Subject: [PATCH] xmlwf: Mention supported environment variables in --help + output + +CVE: CVE-2025-59375 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/87321ac84a0d6cb42ee64a591adc79c1ec37fb5b] +Signed-off-by: Peter Marko +--- + xmlwf/xmlwf.c | 8 ++++++++ + xmlwf/xmlwf_helpgen.py | 8 ++++++++ + 2 files changed, 16 insertions(+) + +diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c +index ec7e51c9..8cfc73ca 100644 +--- a/xmlwf/xmlwf.c ++++ b/xmlwf/xmlwf.c +@@ -926,6 +926,14 @@ usage(const XML_Char *prog, int rc) { + T(" -h, --help show this [h]elp message and exit\n") + T(" -v, --version show program's [v]ersion number and exit\n") + T("\n") ++ T("environment variables:\n") ++ T(" EXPAT_ACCOUNTING_DEBUG=(0|1|2|3)\n") ++ T(" Control verbosity of accounting debugging (default: 0)\n") ++ T(" EXPAT_ENTITY_DEBUG=(0|1)\n") ++ T(" Control verbosity of entity debugging (default: 0)\n") ++ T(" EXPAT_ENTROPY_DEBUG=(0|1)\n") ++ T(" Control verbosity of entropy debugging (default: 0)\n") ++ T("\n") + T("exit status:\n") + T(" 0 the input files are well-formed and the output (if requested) was written successfully\n") + T(" 1 could not allocate data structures, signals a serious problem with execution environment\n") +diff --git a/xmlwf/xmlwf_helpgen.py b/xmlwf/xmlwf_helpgen.py +index c3257f0e..39a3dc13 100755 +--- a/xmlwf/xmlwf_helpgen.py ++++ b/xmlwf/xmlwf_helpgen.py +@@ -32,6 +32,14 @@ + import argparse + + epilog = """ ++environment variables: ++ EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) ++ Control verbosity of accounting debugging (default: 0) ++ EXPAT_ENTITY_DEBUG=(0|1) ++ Control verbosity of entity debugging (default: 0) ++ EXPAT_ENTROPY_DEBUG=(0|1) ++ Control verbosity of entropy debugging (default: 0) ++ + exit status: + 0 the input files are well-formed and the output (if requested) was written successfully + 1 could not allocate data structures, signals a serious problem with execution environment diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-01.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-01.patch new file mode 100644 index 0000000000..6708bbef45 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2025-59375-01.patch @@ -0,0 +1,48 @@ +From 0872c189db6e457084fca335662a9cb49e8ec4c7 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 1 Sep 2025 18:06:59 +0200 +Subject: [PATCH] lib: Make function dtdCreate use macro MALLOC + +.. and give its body access to the parser for upcoming changes + +CVE: CVE-2025-59375 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/0872c189db6e457084fca335662a9cb49e8ec4c7] +Signed-off-by: Peter Marko +--- + lib/xmlparse.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 25f786ec..b9d6eed1 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -555,7 +555,7 @@ static XML_Bool setContext(XML_Parser parser, const XML_Char *context); + + static void FASTCALL normalizePublicId(XML_Char *s); + +-static DTD *dtdCreate(const XML_Memory_Handling_Suite *ms); ++static DTD *dtdCreate(XML_Parser parser); + /* do not call if m_parentParser != NULL */ + static void dtdReset(DTD *p, const XML_Memory_Handling_Suite *ms); + static void dtdDestroy(DTD *p, XML_Bool isDocEntity, +@@ -1166,7 +1166,7 @@ parserCreate(const XML_Char *encodingName, + if (dtd) + parser->m_dtd = dtd; + else { +- parser->m_dtd = dtdCreate(&parser->m_mem); ++ parser->m_dtd = dtdCreate(parser); + if (parser->m_dtd == NULL) { + FREE(parser, parser->m_dataBuf); + FREE(parser, parser->m_atts); +@@ -7126,8 +7126,9 @@ normalizePublicId(XML_Char *publicId) { + } + + static DTD * +-dtdCreate(const XML_Memory_Handling_Suite *ms) { +- DTD *p = ms->malloc_fcn(sizeof(DTD)); ++dtdCreate(XML_Parser parser) { ++ const XML_Memory_Handling_Suite *const ms = &parser->m_mem; ++ DTD *p = MALLOC(parser, sizeof(DTD)); + if (p == NULL) + return p; + poolInit(&(p->pool), ms); diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-02.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-02.patch new file mode 100644 index 0000000000..b0543370ad --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2025-59375-02.patch @@ -0,0 +1,109 @@ +From 8768dadae479d9f2e984b747fb2ba79bb78de94f Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 1 Sep 2025 18:10:26 +0200 +Subject: [PATCH] lib: Make string pools use macros MALLOC, FREE, REALLOC + +CVE: CVE-2025-59375 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/8768dadae479d9f2e984b747fb2ba79bb78de94f] +Signed-off-by: Peter Marko +--- + lib/xmlparse.c | 27 +++++++++++++-------------- + 1 file changed, 13 insertions(+), 14 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index b9d6eed1..a56c71ea 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -357,7 +357,7 @@ typedef struct { + const XML_Char *end; + XML_Char *ptr; + XML_Char *start; +- const XML_Memory_Handling_Suite *mem; ++ XML_Parser parser; + } STRING_POOL; + + /* The XML_Char before the name is used to determine whether +@@ -574,8 +574,7 @@ static void FASTCALL hashTableIterInit(HASH_TABLE_ITER *iter, + const HASH_TABLE *table); + static NAMED *FASTCALL hashTableIterNext(HASH_TABLE_ITER *iter); + +-static void FASTCALL poolInit(STRING_POOL *pool, +- const XML_Memory_Handling_Suite *ms); ++static void FASTCALL poolInit(STRING_POOL *pool, XML_Parser parser); + static void FASTCALL poolClear(STRING_POOL *pool); + static void FASTCALL poolDestroy(STRING_POOL *pool); + static XML_Char *poolAppend(STRING_POOL *pool, const ENCODING *enc, +@@ -1200,8 +1199,8 @@ parserCreate(const XML_Char *encodingName, + + parser->m_protocolEncodingName = NULL; + +- poolInit(&parser->m_tempPool, &(parser->m_mem)); +- poolInit(&parser->m_temp2Pool, &(parser->m_mem)); ++ poolInit(&parser->m_tempPool, parser); ++ poolInit(&parser->m_temp2Pool, parser); + parserInit(parser, encodingName); + + if (encodingName && ! parser->m_protocolEncodingName) { +@@ -7131,8 +7130,8 @@ dtdCreate(XML_Parser parser) { + DTD *p = MALLOC(parser, sizeof(DTD)); + if (p == NULL) + return p; +- poolInit(&(p->pool), ms); +- poolInit(&(p->entityValuePool), ms); ++ poolInit(&(p->pool), parser); ++ poolInit(&(p->entityValuePool), parser); + hashTableInit(&(p->generalEntities), ms); + hashTableInit(&(p->elementTypes), ms); + hashTableInit(&(p->attributeIds), ms); +@@ -7596,13 +7595,13 @@ hashTableIterNext(HASH_TABLE_ITER *iter) { + } + + static void FASTCALL +-poolInit(STRING_POOL *pool, const XML_Memory_Handling_Suite *ms) { ++poolInit(STRING_POOL *pool, XML_Parser parser) { + pool->blocks = NULL; + pool->freeBlocks = NULL; + pool->start = NULL; + pool->ptr = NULL; + pool->end = NULL; +- pool->mem = ms; ++ pool->parser = parser; + } + + static void FASTCALL +@@ -7629,13 +7628,13 @@ poolDestroy(STRING_POOL *pool) { + BLOCK *p = pool->blocks; + while (p) { + BLOCK *tem = p->next; +- pool->mem->free_fcn(p); ++ FREE(pool->parser, p); + p = tem; + } + p = pool->freeBlocks; + while (p) { + BLOCK *tem = p->next; +- pool->mem->free_fcn(p); ++ FREE(pool->parser, p); + p = tem; + } + } +@@ -7790,8 +7789,8 @@ poolGrow(STRING_POOL *pool) { + if (bytesToAllocate == 0) + return XML_FALSE; + +- temp = (BLOCK *)pool->mem->realloc_fcn(pool->blocks, +- (unsigned)bytesToAllocate); ++ temp = (BLOCK *)REALLOC(pool->parser, pool->blocks, ++ (unsigned)bytesToAllocate); + if (temp == NULL) + return XML_FALSE; + pool->blocks = temp; +@@ -7831,7 +7830,7 @@ poolGrow(STRING_POOL *pool) { + if (bytesToAllocate == 0) + return XML_FALSE; + +- tem = pool->mem->malloc_fcn(bytesToAllocate); ++ tem = MALLOC(pool->parser, bytesToAllocate); + if (! tem) + return XML_FALSE; + tem->size = blockSize; diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-03.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-03.patch new file mode 100644 index 0000000000..b8c2c595e1 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2025-59375-03.patch @@ -0,0 +1,127 @@ +From 4fc6f1ee9f2b282cfe446bf645c992e37f8c3e15 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 1 Sep 2025 18:14:09 +0200 +Subject: [PATCH] lib: Make function hash tables use macros MALLOC and FREE + +CVE: CVE-2025-59375 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/4fc6f1ee9f2b282cfe446bf645c992e37f8c3e15] +Signed-off-by: Peter Marko +--- + lib/xmlparse.c | 34 ++++++++++++++++------------------ + 1 file changed, 16 insertions(+), 18 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index a56c71ea..a65b0265 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -234,7 +234,7 @@ typedef struct { + unsigned char power; + size_t size; + size_t used; +- const XML_Memory_Handling_Suite *mem; ++ XML_Parser parser; + } HASH_TABLE; + + static size_t keylen(KEY s); +@@ -566,8 +566,7 @@ static int copyEntityTable(XML_Parser oldParser, HASH_TABLE *newTable, + STRING_POOL *newPool, const HASH_TABLE *oldTable); + static NAMED *lookup(XML_Parser parser, HASH_TABLE *table, KEY name, + size_t createSize); +-static void FASTCALL hashTableInit(HASH_TABLE *table, +- const XML_Memory_Handling_Suite *ms); ++static void FASTCALL hashTableInit(HASH_TABLE *table, XML_Parser parser); + static void FASTCALL hashTableClear(HASH_TABLE *table); + static void FASTCALL hashTableDestroy(HASH_TABLE *table); + static void FASTCALL hashTableIterInit(HASH_TABLE_ITER *iter, +@@ -7126,19 +7125,18 @@ normalizePublicId(XML_Char *publicId) { + + static DTD * + dtdCreate(XML_Parser parser) { +- const XML_Memory_Handling_Suite *const ms = &parser->m_mem; + DTD *p = MALLOC(parser, sizeof(DTD)); + if (p == NULL) + return p; + poolInit(&(p->pool), parser); + poolInit(&(p->entityValuePool), parser); +- hashTableInit(&(p->generalEntities), ms); +- hashTableInit(&(p->elementTypes), ms); +- hashTableInit(&(p->attributeIds), ms); +- hashTableInit(&(p->prefixes), ms); ++ hashTableInit(&(p->generalEntities), parser); ++ hashTableInit(&(p->elementTypes), parser); ++ hashTableInit(&(p->attributeIds), parser); ++ hashTableInit(&(p->prefixes), parser); + #ifdef XML_DTD + p->paramEntityRead = XML_FALSE; +- hashTableInit(&(p->paramEntities), ms); ++ hashTableInit(&(p->paramEntities), parser); + #endif /* XML_DTD */ + p->defaultPrefix.name = NULL; + p->defaultPrefix.binding = NULL; +@@ -7473,7 +7471,7 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) { + /* table->size is a power of 2 */ + table->size = (size_t)1 << INIT_POWER; + tsize = table->size * sizeof(NAMED *); +- table->v = table->mem->malloc_fcn(tsize); ++ table->v = MALLOC(table->parser, tsize); + if (! table->v) { + table->size = 0; + return NULL; +@@ -7513,7 +7511,7 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) { + } + + size_t tsize = newSize * sizeof(NAMED *); +- NAMED **newV = table->mem->malloc_fcn(tsize); ++ NAMED **newV = MALLOC(table->parser, tsize); + if (! newV) + return NULL; + memset(newV, 0, tsize); +@@ -7529,7 +7527,7 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) { + } + newV[j] = table->v[i]; + } +- table->mem->free_fcn(table->v); ++ FREE(table->parser, table->v); + table->v = newV; + table->power = newPower; + table->size = newSize; +@@ -7542,7 +7540,7 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) { + } + } + } +- table->v[i] = table->mem->malloc_fcn(createSize); ++ table->v[i] = MALLOC(table->parser, createSize); + if (! table->v[i]) + return NULL; + memset(table->v[i], 0, createSize); +@@ -7555,7 +7553,7 @@ static void FASTCALL + hashTableClear(HASH_TABLE *table) { + size_t i; + for (i = 0; i < table->size; i++) { +- table->mem->free_fcn(table->v[i]); ++ FREE(table->parser, table->v[i]); + table->v[i] = NULL; + } + table->used = 0; +@@ -7565,17 +7563,17 @@ static void FASTCALL + hashTableDestroy(HASH_TABLE *table) { + size_t i; + for (i = 0; i < table->size; i++) +- table->mem->free_fcn(table->v[i]); +- table->mem->free_fcn(table->v); ++ FREE(table->parser, table->v[i]); ++ FREE(table->parser, table->v); + } + + static void FASTCALL +-hashTableInit(HASH_TABLE *p, const XML_Memory_Handling_Suite *ms) { ++hashTableInit(HASH_TABLE *p, XML_Parser parser) { + p->power = 0; + p->size = 0; + p->used = 0; + p->v = NULL; +- p->mem = ms; ++ p->parser = parser; + } + + static void FASTCALL diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-04.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-04.patch new file mode 100644 index 0000000000..78d9e2fc91 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2025-59375-04.patch @@ -0,0 +1,62 @@ +From 51487ad9d760faa4809b0f8e189d2f666317e41a Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 1 Sep 2025 17:45:50 +0200 +Subject: [PATCH] lib: Make function copyString use macro MALLOC + +CVE: CVE-2025-59375 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/51487ad9d760faa4809b0f8e189d2f666317e41a] +Signed-off-by: Peter Marko +--- + lib/xmlparse.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index a65b0265..c0576abd 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -593,8 +593,7 @@ static XML_Content *build_model(XML_Parser parser); + static ELEMENT_TYPE *getElementType(XML_Parser parser, const ENCODING *enc, + const char *ptr, const char *end); + +-static XML_Char *copyString(const XML_Char *s, +- const XML_Memory_Handling_Suite *memsuite); ++static XML_Char *copyString(const XML_Char *s, XML_Parser parser); + + static unsigned long generate_hash_secret_salt(XML_Parser parser); + static XML_Bool startParsing(XML_Parser parser); +@@ -1231,7 +1230,7 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) { + parser->m_processor = prologInitProcessor; + XmlPrologStateInit(&parser->m_prologState); + if (encodingName != NULL) { +- parser->m_protocolEncodingName = copyString(encodingName, &(parser->m_mem)); ++ parser->m_protocolEncodingName = copyString(encodingName, parser); + } + parser->m_curBase = NULL; + XmlInitEncoding(&parser->m_initEncoding, &parser->m_encoding, 0); +@@ -1419,7 +1418,7 @@ XML_SetEncoding(XML_Parser parser, const XML_Char *encodingName) { + parser->m_protocolEncodingName = NULL; + else { + /* Copy the new encoding name into allocated memory */ +- parser->m_protocolEncodingName = copyString(encodingName, &(parser->m_mem)); ++ parser->m_protocolEncodingName = copyString(encodingName, parser); + if (! parser->m_protocolEncodingName) + return XML_STATUS_ERROR; + } +@@ -8064,7 +8063,7 @@ getElementType(XML_Parser parser, const ENCODING *enc, const char *ptr, + } + + static XML_Char * +-copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) { ++copyString(const XML_Char *s, XML_Parser parser) { + size_t charsRequired = 0; + XML_Char *result; + +@@ -8076,7 +8075,7 @@ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) { + charsRequired++; + + /* Now allocate space for the copy */ +- result = memsuite->malloc_fcn(charsRequired * sizeof(XML_Char)); ++ result = MALLOC(parser, charsRequired * sizeof(XML_Char)); + if (result == NULL) + return NULL; + /* Copy the original into place */ diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-05.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-05.patch new file mode 100644 index 0000000000..37b882fbf4 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2025-59375-05.patch @@ -0,0 +1,64 @@ +From b3f0bda5f5e979781469532f7c304f7e223568d5 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 1 Sep 2025 17:48:02 +0200 +Subject: [PATCH] lib: Make function dtdReset use macro FREE + +CVE: CVE-2025-59375 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/b3f0bda5f5e979781469532f7c304f7e223568d5] +Signed-off-by: Peter Marko +--- + lib/xmlparse.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index c0576abd..65fcce30 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -557,7 +557,7 @@ static void FASTCALL normalizePublicId(XML_Char *s); + + static DTD *dtdCreate(XML_Parser parser); + /* do not call if m_parentParser != NULL */ +-static void dtdReset(DTD *p, const XML_Memory_Handling_Suite *ms); ++static void dtdReset(DTD *p, XML_Parser parser); + static void dtdDestroy(DTD *p, XML_Bool isDocEntity, + const XML_Memory_Handling_Suite *ms); + static int dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, +@@ -1382,7 +1382,7 @@ XML_ParserReset(XML_Parser parser, const XML_Char *encodingName) { + FREE(parser, (void *)parser->m_protocolEncodingName); + parser->m_protocolEncodingName = NULL; + parserInit(parser, encodingName); +- dtdReset(parser->m_dtd, &parser->m_mem); ++ dtdReset(parser->m_dtd, parser); + return XML_TRUE; + } + +@@ -7155,7 +7155,7 @@ dtdCreate(XML_Parser parser) { + } + + static void +-dtdReset(DTD *p, const XML_Memory_Handling_Suite *ms) { ++dtdReset(DTD *p, XML_Parser parser) { + HASH_TABLE_ITER iter; + hashTableIterInit(&iter, &(p->elementTypes)); + for (;;) { +@@ -7163,7 +7163,7 @@ dtdReset(DTD *p, const XML_Memory_Handling_Suite *ms) { + if (! e) + break; + if (e->allocDefaultAtts != 0) +- ms->free_fcn(e->defaultAtts); ++ FREE(parser, e->defaultAtts); + } + hashTableClear(&(p->generalEntities)); + #ifdef XML_DTD +@@ -7180,9 +7180,9 @@ dtdReset(DTD *p, const XML_Memory_Handling_Suite *ms) { + + p->in_eldecl = XML_FALSE; + +- ms->free_fcn(p->scaffIndex); ++ FREE(parser, p->scaffIndex); + p->scaffIndex = NULL; +- ms->free_fcn(p->scaffold); ++ FREE(parser, p->scaffold); + p->scaffold = NULL; + + p->scaffLevel = 0; diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-06.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-06.patch new file mode 100644 index 0000000000..04f975a458 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2025-59375-06.patch @@ -0,0 +1,68 @@ +From 53a3eda0ae2e0317afd071b72b41976053d82732 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 1 Sep 2025 17:50:59 +0200 +Subject: [PATCH] lib: Make function dtdDestroy use macro FREE + +CVE: CVE-2025-59375 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/53a3eda0ae2e0317afd071b72b41976053d82732] +Signed-off-by: Peter Marko +--- + lib/xmlparse.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 65fcce30..e7df97da 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -558,8 +558,7 @@ static void FASTCALL normalizePublicId(XML_Char *s); + static DTD *dtdCreate(XML_Parser parser); + /* do not call if m_parentParser != NULL */ + static void dtdReset(DTD *p, XML_Parser parser); +-static void dtdDestroy(DTD *p, XML_Bool isDocEntity, +- const XML_Memory_Handling_Suite *ms); ++static void dtdDestroy(DTD *p, XML_Bool isDocEntity, XML_Parser parser); + static int dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, + const XML_Memory_Handling_Suite *ms); + static int copyEntityTable(XML_Parser oldParser, HASH_TABLE *newTable, +@@ -1685,8 +1684,7 @@ XML_ParserFree(XML_Parser parser) { + #else + if (parser->m_dtd) + #endif /* XML_DTD */ +- dtdDestroy(parser->m_dtd, (XML_Bool)! parser->m_parentParser, +- &parser->m_mem); ++ dtdDestroy(parser->m_dtd, (XML_Bool)! parser->m_parentParser, parser); + FREE(parser, (void *)parser->m_atts); + #ifdef XML_ATTR_INFO + FREE(parser, (void *)parser->m_attInfo); +@@ -7196,7 +7194,7 @@ dtdReset(DTD *p, XML_Parser parser) { + } + + static void +-dtdDestroy(DTD *p, XML_Bool isDocEntity, const XML_Memory_Handling_Suite *ms) { ++dtdDestroy(DTD *p, XML_Bool isDocEntity, XML_Parser parser) { + HASH_TABLE_ITER iter; + hashTableIterInit(&iter, &(p->elementTypes)); + for (;;) { +@@ -7204,7 +7202,7 @@ dtdDestroy(DTD *p, XML_Bool isDocEntity, const XML_Memory_Handling_Suite *ms) { + if (! e) + break; + if (e->allocDefaultAtts != 0) +- ms->free_fcn(e->defaultAtts); ++ FREE(parser, e->defaultAtts); + } + hashTableDestroy(&(p->generalEntities)); + #ifdef XML_DTD +@@ -7216,10 +7214,10 @@ dtdDestroy(DTD *p, XML_Bool isDocEntity, const XML_Memory_Handling_Suite *ms) { + poolDestroy(&(p->pool)); + poolDestroy(&(p->entityValuePool)); + if (isDocEntity) { +- ms->free_fcn(p->scaffIndex); +- ms->free_fcn(p->scaffold); ++ FREE(parser, p->scaffIndex); ++ FREE(parser, p->scaffold); + } +- ms->free_fcn(p); ++ FREE(parser, p); + } + + /* Do a deep copy of the DTD. Return 0 for out of memory, non-zero otherwise. diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-07.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-07.patch new file mode 100644 index 0000000000..7eff0009d2 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2025-59375-07.patch @@ -0,0 +1,52 @@ +From 4e7a5d03daf672f20c73d40dc8970385c18b30d3 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 1 Sep 2025 17:52:58 +0200 +Subject: [PATCH] lib: Make function dtdCopy use macro MALLOC + +CVE: CVE-2025-59375 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/4e7a5d03daf672f20c73d40dc8970385c18b30d3] +Signed-off-by: Peter Marko +--- + lib/xmlparse.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index e7df97da..9f0a8b3e 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -560,7 +560,7 @@ static DTD *dtdCreate(XML_Parser parser); + static void dtdReset(DTD *p, XML_Parser parser); + static void dtdDestroy(DTD *p, XML_Bool isDocEntity, XML_Parser parser); + static int dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, +- const XML_Memory_Handling_Suite *ms); ++ XML_Parser parser); + static int copyEntityTable(XML_Parser oldParser, HASH_TABLE *newTable, + STRING_POOL *newPool, const HASH_TABLE *oldTable); + static NAMED *lookup(XML_Parser parser, HASH_TABLE *table, KEY name, +@@ -1572,7 +1572,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context, + parser->m_prologState.inEntityValue = oldInEntityValue; + if (context) { + #endif /* XML_DTD */ +- if (! dtdCopy(oldParser, parser->m_dtd, oldDtd, &parser->m_mem) ++ if (! dtdCopy(oldParser, parser->m_dtd, oldDtd, parser) + || ! setContext(parser, context)) { + XML_ParserFree(parser); + return NULL; +@@ -7225,7 +7225,7 @@ dtdDestroy(DTD *p, XML_Bool isDocEntity, XML_Parser parser) { + */ + static int + dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, +- const XML_Memory_Handling_Suite *ms) { ++ XML_Parser parser) { + HASH_TABLE_ITER iter; + + /* Copy the prefix table. */ +@@ -7306,7 +7306,7 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, + } + #endif + newE->defaultAtts +- = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE)); ++ = MALLOC(parser, oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE)); + if (! newE->defaultAtts) { + return 0; + } diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-08.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-08.patch new file mode 100644 index 0000000000..deda31bebc --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2025-59375-08.patch @@ -0,0 +1,577 @@ +From cfce28e171676fe6f70d17b97ed8a59eaeb83f15 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 1 Sep 2025 17:34:58 +0200 +Subject: [PATCH] lib: Implement tracking of dynamic memory allocations + +**PLEASE NOTE** that distributors intending to backport (or cherry-pick) +this fix need to copy 99% of the related pull request, not just this +commit, to not end up with a state that literally does both too much and +too little at the same time. Appending ".diff" to the pull request URL +could be of help. + +CVE: CVE-2025-59375 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/cfce28e171676fe6f70d17b97ed8a59eaeb83f15] +Signed-off-by: Peter Marko +--- + lib/expat.h | 15 +- + lib/internal.h | 5 + + lib/libexpat.def.cmake | 3 + + lib/xmlparse.c | 337 +++++++++++++++++++++++++++++++++++++++-- + tests/basic_tests.c | 4 + + tests/nsalloc_tests.c | 5 + + xmlwf/xmlwf.c | 2 + + xmlwf/xmlwf_helpgen.py | 2 + + 8 files changed, 361 insertions(+), 12 deletions(-) + +diff --git a/lib/expat.h b/lib/expat.h +index 610e1ddc..66a253c1 100644 +--- a/lib/expat.h ++++ b/lib/expat.h +@@ -1032,7 +1032,10 @@ enum XML_FeatureEnum { + XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT, + XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT, + /* Added in Expat 2.6.0. */ +- XML_FEATURE_GE ++ XML_FEATURE_GE, ++ /* Added in Expat 2.7.2. */ ++ XML_FEATURE_ALLOC_TRACKER_MAXIMUM_AMPLIFICATION_DEFAULT, ++ XML_FEATURE_ALLOC_TRACKER_ACTIVATION_THRESHOLD_DEFAULT, + /* Additional features must be added to the end of this enum. */ + }; + +@@ -1057,6 +1060,16 @@ XML_SetBillionLaughsAttackProtectionMaximumAmplification( + XMLPARSEAPI(XML_Bool) + XML_SetBillionLaughsAttackProtectionActivationThreshold( + XML_Parser parser, unsigned long long activationThresholdBytes); ++ ++/* Added in Expat 2.7.2. */ ++XMLPARSEAPI(XML_Bool) ++XML_SetAllocTrackerMaximumAmplification(XML_Parser parser, ++ float maximumAmplificationFactor); ++ ++/* Added in Expat 2.7.2. */ ++XMLPARSEAPI(XML_Bool) ++XML_SetAllocTrackerActivationThreshold( ++ XML_Parser parser, unsigned long long activationThresholdBytes); + #endif + + /* Added in Expat 2.6.0. */ +diff --git a/lib/internal.h b/lib/internal.h +index 6bde6ae6..eb67cf50 100644 +--- a/lib/internal.h ++++ b/lib/internal.h +@@ -145,6 +145,11 @@ + 100.0f + #define EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT \ + 8388608 // 8 MiB, 2^23 ++ ++#define EXPAT_ALLOC_TRACKER_MAXIMUM_AMPLIFICATION_DEFAULT 100.0f ++#define EXPAT_ALLOC_TRACKER_ACTIVATION_THRESHOLD_DEFAULT \ ++ 67108864 // 64 MiB, 2^26 ++ + /* NOTE END */ + + #include "expat.h" // so we can use type XML_Parser below +diff --git a/lib/libexpat.def.cmake b/lib/libexpat.def.cmake +index 10ee9cd6..7a3a7ec0 100644 +--- a/lib/libexpat.def.cmake ++++ b/lib/libexpat.def.cmake +@@ -79,3 +79,6 @@ EXPORTS + @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetBillionLaughsAttackProtectionMaximumAmplification @70 + ; added with version 2.6.0 + XML_SetReparseDeferralEnabled @71 ++; added with version 2.7.2 ++@_EXPAT_COMMENT_DTD_OR_GE@ XML_SetAllocTrackerMaximumAmplification @72 ++@_EXPAT_COMMENT_DTD_OR_GE@ XML_SetAllocTrackerActivationThreshold @73 +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 9f0a8b3e..fcf1cfdd 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -452,6 +452,14 @@ typedef struct accounting { + unsigned long long activationThresholdBytes; + } ACCOUNTING; + ++typedef struct MALLOC_TRACKER { ++ XmlBigCount bytesAllocated; ++ XmlBigCount peakBytesAllocated; // updated live only for debug level >=2 ++ unsigned long debugLevel; ++ float maximumAmplificationFactor; // >=1.0 ++ XmlBigCount activationThresholdBytes; ++} MALLOC_TRACKER; ++ + typedef struct entity_stats { + unsigned int countEverOpened; + unsigned int currentDepth; +@@ -599,7 +607,8 @@ static XML_Bool startParsing(XML_Parser parser); + + static XML_Parser parserCreate(const XML_Char *encodingName, + const XML_Memory_Handling_Suite *memsuite, +- const XML_Char *nameSep, DTD *dtd); ++ const XML_Char *nameSep, DTD *dtd, ++ XML_Parser parentParser); + + static void parserInit(XML_Parser parser, const XML_Char *encodingName); + +@@ -769,14 +778,220 @@ struct XML_ParserStruct { + unsigned long m_hash_secret_salt; + #if XML_GE == 1 + ACCOUNTING m_accounting; ++ MALLOC_TRACKER m_alloc_tracker; + ENTITY_STATS m_entity_stats; + #endif + XML_Bool m_reenter; + }; + +-#define MALLOC(parser, s) (parser->m_mem.malloc_fcn((s))) +-#define REALLOC(parser, p, s) (parser->m_mem.realloc_fcn((p), (s))) +-#define FREE(parser, p) (parser->m_mem.free_fcn((p))) ++#if XML_GE == 1 ++# define MALLOC(parser, s) (expat_malloc((parser), (s), __LINE__)) ++# define REALLOC(parser, p, s) (expat_realloc((parser), (p), (s), __LINE__)) ++# define FREE(parser, p) (expat_free((parser), (p), __LINE__)) ++#else ++# define MALLOC(parser, s) (parser->m_mem.malloc_fcn((s))) ++# define REALLOC(parser, p, s) (parser->m_mem.realloc_fcn((p), (s))) ++# define FREE(parser, p) (parser->m_mem.free_fcn((p))) ++#endif ++ ++#if XML_GE == 1 ++static void ++expat_heap_stat(XML_Parser rootParser, char operator, XmlBigCount absDiff, ++ XmlBigCount newTotal, XmlBigCount peakTotal, int sourceLine) { ++ // NOTE: This can be +infinity or -nan ++ const float amplification ++ = (float)newTotal / (float)rootParser->m_accounting.countBytesDirect; ++ fprintf( ++ stderr, ++ "expat: Allocations(%p): Direct " EXPAT_FMT_ULL("10") ", allocated %c" EXPAT_FMT_ULL( ++ "10") " to " EXPAT_FMT_ULL("10") " (" EXPAT_FMT_ULL("10") " peak), amplification %8.2f (xmlparse.c:%d)\n", ++ (void *)rootParser, rootParser->m_accounting.countBytesDirect, operator, ++ absDiff, newTotal, peakTotal, (double)amplification, sourceLine); ++} ++ ++static bool ++expat_heap_increase_tolerable(XML_Parser rootParser, XmlBigCount increase, ++ int sourceLine) { ++ assert(rootParser != NULL); ++ assert(increase > 0); ++ ++ XmlBigCount newTotal = 0; ++ bool tolerable = true; ++ ++ // Detect integer overflow ++ if ((XmlBigCount)-1 - rootParser->m_alloc_tracker.bytesAllocated < increase) { ++ tolerable = false; ++ } else { ++ newTotal = rootParser->m_alloc_tracker.bytesAllocated + increase; ++ ++ if (newTotal >= rootParser->m_alloc_tracker.activationThresholdBytes) { ++ assert(newTotal > 0); ++ // NOTE: This can be +infinity when dividing by zero but not -nan ++ const float amplification ++ = (float)newTotal / (float)rootParser->m_accounting.countBytesDirect; ++ if (amplification ++ > rootParser->m_alloc_tracker.maximumAmplificationFactor) { ++ tolerable = false; ++ } ++ } ++ } ++ ++ if (! tolerable && (rootParser->m_alloc_tracker.debugLevel >= 1)) { ++ expat_heap_stat(rootParser, '+', increase, newTotal, newTotal, sourceLine); ++ } ++ ++ return tolerable; ++} ++ ++static void * ++expat_malloc(XML_Parser parser, size_t size, int sourceLine) { ++ // Detect integer overflow ++ if (SIZE_MAX - size < sizeof(size_t)) { ++ return NULL; ++ } ++ ++ const XML_Parser rootParser = getRootParserOf(parser, NULL); ++ assert(rootParser->m_parentParser == NULL); ++ ++ const size_t bytesToAllocate = sizeof(size_t) + size; ++ ++ if ((XmlBigCount)-1 - rootParser->m_alloc_tracker.bytesAllocated ++ < bytesToAllocate) { ++ return NULL; // i.e. signal integer overflow as out-of-memory ++ } ++ ++ if (! expat_heap_increase_tolerable(rootParser, bytesToAllocate, ++ sourceLine)) { ++ return NULL; // i.e. signal violation as out-of-memory ++ } ++ ++ // Actually allocate ++ void *const mallocedPtr = parser->m_mem.malloc_fcn(bytesToAllocate); ++ ++ if (mallocedPtr == NULL) { ++ return NULL; ++ } ++ ++ // Update in-block recorded size ++ *(size_t *)mallocedPtr = size; ++ ++ // Update accounting ++ rootParser->m_alloc_tracker.bytesAllocated += bytesToAllocate; ++ ++ // Report as needed ++ if (rootParser->m_alloc_tracker.debugLevel >= 2) { ++ if (rootParser->m_alloc_tracker.bytesAllocated ++ > rootParser->m_alloc_tracker.peakBytesAllocated) { ++ rootParser->m_alloc_tracker.peakBytesAllocated ++ = rootParser->m_alloc_tracker.bytesAllocated; ++ } ++ expat_heap_stat(rootParser, '+', bytesToAllocate, ++ rootParser->m_alloc_tracker.bytesAllocated, ++ rootParser->m_alloc_tracker.peakBytesAllocated, sourceLine); ++ } ++ ++ return (char *)mallocedPtr + sizeof(size_t); ++} ++ ++static void ++expat_free(XML_Parser parser, void *ptr, int sourceLine) { ++ assert(parser != NULL); ++ ++ if (ptr == NULL) { ++ return; ++ } ++ ++ const XML_Parser rootParser = getRootParserOf(parser, NULL); ++ assert(rootParser->m_parentParser == NULL); ++ ++ // Extract size (to the eyes of malloc_fcn/realloc_fcn) and ++ // the original pointer returned by malloc/realloc ++ void *const mallocedPtr = (char *)ptr - sizeof(size_t); ++ const size_t bytesAllocated = sizeof(size_t) + *(size_t *)mallocedPtr; ++ ++ // Update accounting ++ assert(rootParser->m_alloc_tracker.bytesAllocated >= bytesAllocated); ++ rootParser->m_alloc_tracker.bytesAllocated -= bytesAllocated; ++ ++ // Report as needed ++ if (rootParser->m_alloc_tracker.debugLevel >= 2) { ++ expat_heap_stat(rootParser, '-', bytesAllocated, ++ rootParser->m_alloc_tracker.bytesAllocated, ++ rootParser->m_alloc_tracker.peakBytesAllocated, sourceLine); ++ } ++ ++ // NOTE: This may be freeing rootParser, so freeing has to come last ++ parser->m_mem.free_fcn(mallocedPtr); ++} ++ ++static void * ++expat_realloc(XML_Parser parser, void *ptr, size_t size, int sourceLine) { ++ assert(parser != NULL); ++ ++ if (ptr == NULL) { ++ return expat_malloc(parser, size, sourceLine); ++ } ++ ++ if (size == 0) { ++ expat_free(parser, ptr, sourceLine); ++ return NULL; ++ } ++ ++ const XML_Parser rootParser = getRootParserOf(parser, NULL); ++ assert(rootParser->m_parentParser == NULL); ++ ++ // Extract original size (to the eyes of the caller) and the original ++ // pointer returned by malloc/realloc ++ void *mallocedPtr = (char *)ptr - sizeof(size_t); ++ const size_t prevSize = *(size_t *)mallocedPtr; ++ ++ // Classify upcoming change ++ const bool isIncrease = (size > prevSize); ++ const size_t absDiff ++ = (size > prevSize) ? (size - prevSize) : (prevSize - size); ++ ++ // Ask for permission from accounting ++ if (isIncrease) { ++ if (! expat_heap_increase_tolerable(rootParser, absDiff, sourceLine)) { ++ return NULL; // i.e. signal violation as out-of-memory ++ } ++ } ++ ++ // Actually allocate ++ mallocedPtr = parser->m_mem.realloc_fcn(mallocedPtr, sizeof(size_t) + size); ++ ++ if (mallocedPtr == NULL) { ++ return NULL; ++ } ++ ++ // Update accounting ++ if (isIncrease) { ++ assert((XmlBigCount)-1 - rootParser->m_alloc_tracker.bytesAllocated ++ >= absDiff); ++ rootParser->m_alloc_tracker.bytesAllocated += absDiff; ++ } else { // i.e. decrease ++ assert(rootParser->m_alloc_tracker.bytesAllocated >= absDiff); ++ rootParser->m_alloc_tracker.bytesAllocated -= absDiff; ++ } ++ ++ // Report as needed ++ if (rootParser->m_alloc_tracker.debugLevel >= 2) { ++ if (rootParser->m_alloc_tracker.bytesAllocated ++ > rootParser->m_alloc_tracker.peakBytesAllocated) { ++ rootParser->m_alloc_tracker.peakBytesAllocated ++ = rootParser->m_alloc_tracker.bytesAllocated; ++ } ++ expat_heap_stat(rootParser, isIncrease ? '+' : '-', absDiff, ++ rootParser->m_alloc_tracker.bytesAllocated, ++ rootParser->m_alloc_tracker.peakBytesAllocated, sourceLine); ++ } ++ ++ // Update in-block recorded size ++ *(size_t *)mallocedPtr = size; ++ ++ return (char *)mallocedPtr + sizeof(size_t); ++} ++#endif // XML_GE == 1 + + XML_Parser XMLCALL + XML_ParserCreate(const XML_Char *encodingName) { +@@ -1096,19 +1311,40 @@ XML_Parser XMLCALL + XML_ParserCreate_MM(const XML_Char *encodingName, + const XML_Memory_Handling_Suite *memsuite, + const XML_Char *nameSep) { +- return parserCreate(encodingName, memsuite, nameSep, NULL); ++ return parserCreate(encodingName, memsuite, nameSep, NULL, NULL); + } + + static XML_Parser + parserCreate(const XML_Char *encodingName, + const XML_Memory_Handling_Suite *memsuite, const XML_Char *nameSep, +- DTD *dtd) { +- XML_Parser parser; ++ DTD *dtd, XML_Parser parentParser) { ++ XML_Parser parser = NULL; ++ ++#if XML_GE == 1 ++ const size_t increase = sizeof(size_t) + sizeof(struct XML_ParserStruct); ++ ++ if (parentParser != NULL) { ++ const XML_Parser rootParser = getRootParserOf(parentParser, NULL); ++ if (! expat_heap_increase_tolerable(rootParser, increase, __LINE__)) { ++ return NULL; ++ } ++ } ++#else ++ UNUSED_P(parentParser); ++#endif + + if (memsuite) { + XML_Memory_Handling_Suite *mtemp; ++#if XML_GE == 1 ++ void *const sizeAndParser = memsuite->malloc_fcn( ++ sizeof(size_t) + sizeof(struct XML_ParserStruct)); ++ if (sizeAndParser != NULL) { ++ *(size_t *)sizeAndParser = sizeof(struct XML_ParserStruct); ++ parser = (XML_Parser)((char *)sizeAndParser + sizeof(size_t)); ++#else + parser = memsuite->malloc_fcn(sizeof(struct XML_ParserStruct)); + if (parser != NULL) { ++#endif + mtemp = (XML_Memory_Handling_Suite *)&(parser->m_mem); + mtemp->malloc_fcn = memsuite->malloc_fcn; + mtemp->realloc_fcn = memsuite->realloc_fcn; +@@ -1116,18 +1352,67 @@ parserCreate(const XML_Char *encodingName, + } + } else { + XML_Memory_Handling_Suite *mtemp; ++#if XML_GE == 1 ++ void *const sizeAndParser ++ = (XML_Parser)malloc(sizeof(size_t) + sizeof(struct XML_ParserStruct)); ++ if (sizeAndParser != NULL) { ++ *(size_t *)sizeAndParser = sizeof(struct XML_ParserStruct); ++ parser = (XML_Parser)((char *)sizeAndParser + sizeof(size_t)); ++#else + parser = (XML_Parser)malloc(sizeof(struct XML_ParserStruct)); + if (parser != NULL) { ++#endif + mtemp = (XML_Memory_Handling_Suite *)&(parser->m_mem); + mtemp->malloc_fcn = malloc; + mtemp->realloc_fcn = realloc; + mtemp->free_fcn = free; + } +- } ++ } // cppcheck-suppress[memleak symbolName=sizeAndParser] // Cppcheck >=2.18.0 + + if (! parser) + return parser; + ++#if XML_GE == 1 ++ // Initialize .m_alloc_tracker ++ memset(&parser->m_alloc_tracker, 0, sizeof(MALLOC_TRACKER)); ++ if (parentParser == NULL) { ++ parser->m_alloc_tracker.debugLevel ++ = getDebugLevel("EXPAT_MALLOC_DEBUG", 0u); ++ parser->m_alloc_tracker.maximumAmplificationFactor ++ = EXPAT_ALLOC_TRACKER_MAXIMUM_AMPLIFICATION_DEFAULT; ++ parser->m_alloc_tracker.activationThresholdBytes ++ = EXPAT_ALLOC_TRACKER_ACTIVATION_THRESHOLD_DEFAULT; ++ ++ // NOTE: This initialization needs to come this early because these fields ++ // are read by allocation tracking code ++ parser->m_parentParser = NULL; ++ parser->m_accounting.countBytesDirect = 0; ++ } else { ++ parser->m_parentParser = parentParser; ++ } ++ ++ // Record XML_ParserStruct allocation we did a few lines up before ++ const XML_Parser rootParser = getRootParserOf(parser, NULL); ++ assert(rootParser->m_parentParser == NULL); ++ assert(SIZE_MAX - rootParser->m_alloc_tracker.bytesAllocated >= increase); ++ rootParser->m_alloc_tracker.bytesAllocated += increase; ++ ++ // Report on allocation ++ if (rootParser->m_alloc_tracker.debugLevel >= 2) { ++ if (rootParser->m_alloc_tracker.bytesAllocated ++ > rootParser->m_alloc_tracker.peakBytesAllocated) { ++ rootParser->m_alloc_tracker.peakBytesAllocated ++ = rootParser->m_alloc_tracker.bytesAllocated; ++ } ++ ++ expat_heap_stat(rootParser, '+', increase, ++ rootParser->m_alloc_tracker.bytesAllocated, ++ rootParser->m_alloc_tracker.peakBytesAllocated, __LINE__); ++ } ++#else ++ parser->m_parentParser = NULL; ++#endif // XML_GE == 1 ++ + parser->m_buffer = NULL; + parser->m_bufferLim = NULL; + +@@ -1291,7 +1576,6 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) { + parser->m_unknownEncodingMem = NULL; + parser->m_unknownEncodingRelease = NULL; + parser->m_unknownEncodingData = NULL; +- parser->m_parentParser = NULL; + parser->m_parsingStatus.parsing = XML_INITIALIZED; + // Reentry can only be triggered inside m_processor calls + parser->m_reenter = XML_FALSE; +@@ -1526,9 +1810,10 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context, + */ + if (parser->m_ns) { + XML_Char tmp[2] = {parser->m_namespaceSeparator, 0}; +- parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd); ++ parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd, oldParser); + } else { +- parser = parserCreate(encodingName, &parser->m_mem, NULL, newDtd); ++ parser ++ = parserCreate(encodingName, &parser->m_mem, NULL, newDtd, oldParser); + } + + if (! parser) +@@ -2708,6 +2993,13 @@ XML_GetFeatureList(void) { + EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT}, + /* Added in Expat 2.6.0. */ + {XML_FEATURE_GE, XML_L("XML_GE"), 0}, ++ /* Added in Expat 2.7.2. */ ++ {XML_FEATURE_ALLOC_TRACKER_MAXIMUM_AMPLIFICATION_DEFAULT, ++ XML_L("XML_AT_MAX_AMP"), ++ (long int)EXPAT_ALLOC_TRACKER_MAXIMUM_AMPLIFICATION_DEFAULT}, ++ {XML_FEATURE_ALLOC_TRACKER_ACTIVATION_THRESHOLD_DEFAULT, ++ XML_L("XML_AT_ACT_THRES"), ++ (long int)EXPAT_ALLOC_TRACKER_ACTIVATION_THRESHOLD_DEFAULT}, + #endif + {XML_FEATURE_END, NULL, 0}}; + +@@ -2736,6 +3028,29 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold( + parser->m_accounting.activationThresholdBytes = activationThresholdBytes; + return XML_TRUE; + } ++ ++XML_Bool XMLCALL ++XML_SetAllocTrackerMaximumAmplification(XML_Parser parser, ++ float maximumAmplificationFactor) { ++ if ((parser == NULL) || (parser->m_parentParser != NULL) ++ || isnan(maximumAmplificationFactor) ++ || (maximumAmplificationFactor < 1.0f)) { ++ return XML_FALSE; ++ } ++ parser->m_alloc_tracker.maximumAmplificationFactor ++ = maximumAmplificationFactor; ++ return XML_TRUE; ++} ++ ++XML_Bool XMLCALL ++XML_SetAllocTrackerActivationThreshold( ++ XML_Parser parser, unsigned long long activationThresholdBytes) { ++ if ((parser == NULL) || (parser->m_parentParser != NULL)) { ++ return XML_FALSE; ++ } ++ parser->m_alloc_tracker.activationThresholdBytes = activationThresholdBytes; ++ return XML_TRUE; ++} + #endif /* XML_GE == 1 */ + + XML_Bool XMLCALL +diff --git a/tests/basic_tests.c b/tests/basic_tests.c +index 129db1d8..0231e094 100644 +--- a/tests/basic_tests.c ++++ b/tests/basic_tests.c +@@ -3089,6 +3089,10 @@ START_TEST(test_buffer_can_grow_to_max) { + for (int i = 0; i < num_prefixes; ++i) { + set_subtest("\"%s\"", prefixes[i]); + XML_Parser parser = XML_ParserCreate(NULL); ++#if XML_GE == 1 ++ assert_true(XML_SetAllocTrackerActivationThreshold(parser, (size_t)-1) ++ == XML_TRUE); // i.e. deactivate ++#endif + const int prefix_len = (int)strlen(prefixes[i]); + const enum XML_Status s + = _XML_Parse_SINGLE_BYTES(parser, prefixes[i], prefix_len, XML_FALSE); +diff --git a/tests/nsalloc_tests.c b/tests/nsalloc_tests.c +index 48520f42..0a594e14 100644 +--- a/tests/nsalloc_tests.c ++++ b/tests/nsalloc_tests.c +@@ -454,10 +454,15 @@ START_TEST(test_nsalloc_realloc_attributes) { + nsalloc_teardown(); + nsalloc_setup(); + } ++#if XML_GE == 1 ++ assert_true( ++ i == 0); // because expat_realloc relies on expat_malloc to some extent ++#else + if (i == 0) + fail("Parsing worked despite failing reallocations"); + else if (i == max_realloc_count) + fail("Parsing failed at max reallocation count"); ++#endif + } + END_TEST + +diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c +index 8cfc73ca..b9d0a7fc 100644 +--- a/xmlwf/xmlwf.c ++++ b/xmlwf/xmlwf.c +@@ -933,6 +933,8 @@ usage(const XML_Char *prog, int rc) { + T(" Control verbosity of entity debugging (default: 0)\n") + T(" EXPAT_ENTROPY_DEBUG=(0|1)\n") + T(" Control verbosity of entropy debugging (default: 0)\n") ++ T(" EXPAT_MALLOC_DEBUG=(0|1|2)\n") ++ T(" Control verbosity of allocation tracker (default: 0)\n") + T("\n") + T("exit status:\n") + T(" 0 the input files are well-formed and the output (if requested) was written successfully\n") +diff --git a/xmlwf/xmlwf_helpgen.py b/xmlwf/xmlwf_helpgen.py +index 39a3dc13..2360820d 100755 +--- a/xmlwf/xmlwf_helpgen.py ++++ b/xmlwf/xmlwf_helpgen.py +@@ -39,6 +39,8 @@ environment variables: + Control verbosity of entity debugging (default: 0) + EXPAT_ENTROPY_DEBUG=(0|1) + Control verbosity of entropy debugging (default: 0) ++ EXPAT_MALLOC_DEBUG=(0|1|2) ++ Control verbosity of allocation tracker (default: 0) + + exit status: + 0 the input files are well-formed and the output (if requested) was written successfully diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-09.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-09.patch new file mode 100644 index 0000000000..364c28183a --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2025-59375-09.patch @@ -0,0 +1,43 @@ +From 1270e5bc0836d296ac4970fc9e1cf53d83972083 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 7 Sep 2025 12:18:08 +0200 +Subject: [PATCH] lib: Make XML_MemFree and XML_FreeContentModel match their + siblings + +.. XML_MemMalloc and XML_MemRealloc in structure, prior to upcoming changes + +CVE: CVE-2025-59375 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/1270e5bc0836d296ac4970fc9e1cf53d83972083] +Signed-off-by: Peter Marko +--- + lib/xmlparse.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index fcf1cfdd..5d27cd45 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -2772,8 +2772,9 @@ XML_GetCurrentColumnNumber(XML_Parser parser) { + + void XMLCALL + XML_FreeContentModel(XML_Parser parser, XML_Content *model) { +- if (parser != NULL) +- FREE(parser, model); ++ if (parser == NULL) ++ return; ++ FREE(parser, model); + } + + void *XMLCALL +@@ -2792,8 +2793,9 @@ XML_MemRealloc(XML_Parser parser, void *ptr, size_t size) { + + void XMLCALL + XML_MemFree(XML_Parser parser, void *ptr) { +- if (parser != NULL) +- FREE(parser, ptr); ++ if (parser == NULL) ++ return; ++ FREE(parser, ptr); + } + + void XMLCALL diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-10.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-10.patch new file mode 100644 index 0000000000..fe5452000e --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2025-59375-10.patch @@ -0,0 +1,54 @@ +From 96c7467281c72028aada525c1d3822512758b266 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 7 Sep 2025 12:06:43 +0200 +Subject: [PATCH] lib: Exclude XML_Mem* functions from allocation tracking + +.. so that allocations by the user application +are not being limited. + +CVE: CVE-2025-59375 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/96c7467281c72028aada525c1d3822512758b266] +Signed-off-by: Peter Marko +--- + lib/xmlparse.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 5d27cd45..8145a049 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -2781,21 +2781,31 @@ void *XMLCALL + XML_MemMalloc(XML_Parser parser, size_t size) { + if (parser == NULL) + return NULL; +- return MALLOC(parser, size); ++ ++ // NOTE: We are avoiding MALLOC(..) here to not include ++ // user allocations with allocation tracking and limiting. ++ return parser->m_mem.malloc_fcn(size); + } + + void *XMLCALL + XML_MemRealloc(XML_Parser parser, void *ptr, size_t size) { + if (parser == NULL) + return NULL; +- return REALLOC(parser, ptr, size); ++ ++ // NOTE: We are avoiding REALLOC(..) here to not include ++ // user allocations with allocation tracking and limiting. ++ return parser->m_mem.realloc_fcn(ptr, size); + } + + void XMLCALL + XML_MemFree(XML_Parser parser, void *ptr) { + if (parser == NULL) + return; +- FREE(parser, ptr); ++ ++ // NOTE: We are avoiding FREE(..) here because XML_MemMalloc and ++ // XML_MemRealloc are not using MALLOC(..) and REALLOC(..) ++ // but plain .malloc_fcn(..) and .realloc_fcn(..), internally. ++ parser->m_mem.free_fcn(ptr); + } + + void XMLCALL diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-11.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-11.patch new file mode 100644 index 0000000000..be892a7804 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2025-59375-11.patch @@ -0,0 +1,66 @@ +From ae4086198d710a62a0a1560007b81307dba72909 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Tue, 9 Sep 2025 21:34:28 +0200 +Subject: [PATCH] lib: Exclude the main input buffer from allocation tracking + +.. so that control of the input buffer size remains with the +application using Expat + +CVE: CVE-2025-59375 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/ae4086198d710a62a0a1560007b81307dba72909] +Signed-off-by: Peter Marko +--- + lib/xmlparse.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 8145a049..00139b94 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -1975,7 +1975,10 @@ XML_ParserFree(XML_Parser parser) { + FREE(parser, (void *)parser->m_attInfo); + #endif + FREE(parser, parser->m_groupConnector); +- FREE(parser, parser->m_buffer); ++ // NOTE: We are avoiding FREE(..) here because parser->m_buffer ++ // is not being allocated with MALLOC(..) but with plain ++ // .malloc_fcn(..). ++ parser->m_mem.free_fcn(parser->m_buffer); + FREE(parser, parser->m_dataBuf); + FREE(parser, parser->m_nsAtts); + FREE(parser, parser->m_unknownEncodingMem); +@@ -2567,7 +2570,9 @@ XML_GetBuffer(XML_Parser parser, int len) { + parser->m_errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +- newBuf = (char *)MALLOC(parser, bufferSize); ++ // NOTE: We are avoiding MALLOC(..) here to leave limiting ++ // the input size to the application using Expat. ++ newBuf = (char *)parser->m_mem.malloc_fcn(bufferSize); + if (newBuf == 0) { + parser->m_errorCode = XML_ERROR_NO_MEMORY; + return NULL; +@@ -2578,7 +2583,10 @@ XML_GetBuffer(XML_Parser parser, int len) { + memcpy(newBuf, &parser->m_bufferPtr[-keep], + EXPAT_SAFE_PTR_DIFF(parser->m_bufferEnd, parser->m_bufferPtr) + + keep); +- FREE(parser, parser->m_buffer); ++ // NOTE: We are avoiding FREE(..) here because parser->m_buffer ++ // is not being allocated with MALLOC(..) but with plain ++ // .malloc_fcn(..). ++ parser->m_mem.free_fcn(parser->m_buffer); + parser->m_buffer = newBuf; + parser->m_bufferEnd + = parser->m_buffer +@@ -2594,7 +2602,10 @@ XML_GetBuffer(XML_Parser parser, int len) { + if (parser->m_bufferPtr) { + memcpy(newBuf, parser->m_bufferPtr, + EXPAT_SAFE_PTR_DIFF(parser->m_bufferEnd, parser->m_bufferPtr)); +- FREE(parser, parser->m_buffer); ++ // NOTE: We are avoiding FREE(..) here because parser->m_buffer ++ // is not being allocated with MALLOC(..) but with plain ++ // .malloc_fcn(..). ++ parser->m_mem.free_fcn(parser->m_buffer); + parser->m_bufferEnd + = newBuf + + EXPAT_SAFE_PTR_DIFF(parser->m_bufferEnd, parser->m_bufferPtr); diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-12.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-12.patch new file mode 100644 index 0000000000..9e036a5284 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2025-59375-12.patch @@ -0,0 +1,58 @@ +From 7e35240dc97e9fd4f609e31f27c27b659535e436 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Thu, 11 Sep 2025 00:27:05 +0200 +Subject: [PATCH] lib: Exclude the content model from allocation tracking + +.. so that applications that are not using XML_FreeContentModel +but plain free(..) or .free_fcn() to free the content model's +memory are safe + +CVE: CVE-2025-59375 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/7e35240dc97e9fd4f609e31f27c27b659535e436] +Signed-off-by: Peter Marko +--- + lib/xmlparse.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 00139b94..d0b6e0cd 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -2785,7 +2785,10 @@ void XMLCALL + XML_FreeContentModel(XML_Parser parser, XML_Content *model) { + if (parser == NULL) + return; +- FREE(parser, model); ++ ++ // NOTE: We are avoiding FREE(..) here because the content model ++ // has been created using plain .malloc_fcn(..) rather than MALLOC(..). ++ parser->m_mem.free_fcn(model); + } + + void *XMLCALL +@@ -6063,8 +6066,12 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + case XML_ROLE_CONTENT_EMPTY: + if (dtd->in_eldecl) { + if (parser->m_elementDeclHandler) { ++ // NOTE: We are avoiding MALLOC(..) here to so that ++ // applications that are not using XML_FreeContentModel but ++ // plain free(..) or .free_fcn() to free the content model's ++ // memory are safe. + XML_Content *content +- = (XML_Content *)MALLOC(parser, sizeof(XML_Content)); ++ = (XML_Content *)parser->m_mem.malloc_fcn(sizeof(XML_Content)); + if (! content) + return XML_ERROR_NO_MEMORY; + content->quant = XML_CQUANT_NONE; +@@ -8278,7 +8285,10 @@ build_model(XML_Parser parser) { + const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content) + + (dtd->contentStringLen * sizeof(XML_Char))); + +- ret = (XML_Content *)MALLOC(parser, allocsize); ++ // NOTE: We are avoiding MALLOC(..) here to so that ++ // applications that are not using XML_FreeContentModel but plain ++ // free(..) or .free_fcn() to free the content model's memory are safe. ++ ret = (XML_Content *)parser->m_mem.malloc_fcn(allocsize); + if (! ret) + return NULL; + diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-13.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-13.patch new file mode 100644 index 0000000000..209dd83a4b --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2025-59375-13.patch @@ -0,0 +1,309 @@ +From 31f9053c3c46741f4daf2ea2bdea75f40f720d42 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Tue, 2 Sep 2025 22:36:49 +0200 +Subject: [PATCH] tests: Cover allocation tracking and limiting with tests + +CVE: CVE-2025-59375 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/31f9053c3c46741f4daf2ea2bdea75f40f720d42] +Signed-off-by: Peter Marko +--- + lib/internal.h | 3 + + lib/xmlparse.c | 12 +++ + tests/alloc_tests.c | 214 ++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 229 insertions(+) + +diff --git a/lib/internal.h b/lib/internal.h +index eb67cf50..6e087858 100644 +--- a/lib/internal.h ++++ b/lib/internal.h +@@ -173,6 +173,9 @@ extern + #endif + XML_Bool g_reparseDeferralEnabledDefault; // written ONLY in runtests.c + #if defined(XML_TESTING) ++void *expat_malloc(XML_Parser parser, size_t size, int sourceLine); ++void expat_free(XML_Parser parser, void *ptr, int sourceLine); ++void *expat_realloc(XML_Parser parser, void *ptr, size_t size, int sourceLine); + extern unsigned int g_bytesScanned; // used for testing only + #endif + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index d0b6e0cd..6e9c6fb2 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -843,7 +843,11 @@ expat_heap_increase_tolerable(XML_Parser rootParser, XmlBigCount increase, + return tolerable; + } + ++# if defined(XML_TESTING) ++void * ++# else + static void * ++# endif + expat_malloc(XML_Parser parser, size_t size, int sourceLine) { + // Detect integer overflow + if (SIZE_MAX - size < sizeof(size_t)) { +@@ -893,7 +897,11 @@ expat_malloc(XML_Parser parser, size_t size, int sourceLine) { + return (char *)mallocedPtr + sizeof(size_t); + } + ++# if defined(XML_TESTING) ++void ++# else + static void ++# endif + expat_free(XML_Parser parser, void *ptr, int sourceLine) { + assert(parser != NULL); + +@@ -924,7 +932,11 @@ expat_free(XML_Parser parser, void *ptr, int sourceLine) { + parser->m_mem.free_fcn(mallocedPtr); + } + ++# if defined(XML_TESTING) ++void * ++# else + static void * ++# endif + expat_realloc(XML_Parser parser, void *ptr, size_t size, int sourceLine) { + assert(parser != NULL); + +diff --git a/tests/alloc_tests.c b/tests/alloc_tests.c +index 4c3e2af4..275f92d5 100644 +--- a/tests/alloc_tests.c ++++ b/tests/alloc_tests.c +@@ -46,10 +46,16 @@ + # undef NDEBUG /* because test suite relies on assert(...) at the moment */ + #endif + ++#include /* NAN, INFINITY */ ++#include ++#include /* for SIZE_MAX */ + #include + #include + ++#include "expat_config.h" ++ + #include "expat.h" ++#include "internal.h" + #include "common.h" + #include "minicheck.h" + #include "dummy.h" +@@ -2085,6 +2091,203 @@ START_TEST(test_alloc_reset_after_external_entity_parser_create_fail) { + } + END_TEST + ++START_TEST(test_alloc_tracker_size_recorded) { ++ XML_Memory_Handling_Suite memsuite = {malloc, realloc, free}; ++ ++ bool values[] = {true, false}; ++ for (size_t i = 0; i < sizeof(values) / sizeof(values[0]); i++) { ++ const bool useMemSuite = values[i]; ++ set_subtest("useMemSuite=%d", (int)useMemSuite); ++ XML_Parser parser = useMemSuite ++ ? XML_ParserCreate_MM(NULL, &memsuite, XCS("|")) ++ : XML_ParserCreate(NULL); ++ ++#if XML_GE == 1 ++ void *ptr = expat_malloc(parser, 10, -1); ++ ++ assert_true(ptr != NULL); ++ assert_true(*((size_t *)ptr - 1) == 10); ++ ++ assert_true(expat_realloc(parser, ptr, SIZE_MAX / 2, -1) == NULL); ++ ++ assert_true(*((size_t *)ptr - 1) == 10); // i.e. unchanged ++ ++ ptr = expat_realloc(parser, ptr, 20, -1); ++ ++ assert_true(ptr != NULL); ++ assert_true(*((size_t *)ptr - 1) == 20); ++ ++ expat_free(parser, ptr, -1); ++#endif ++ ++ XML_ParserFree(parser); ++ } ++} ++END_TEST ++ ++START_TEST(test_alloc_tracker_maximum_amplification) { ++ if (g_reparseDeferralEnabledDefault == XML_TRUE) { ++ return; ++ } ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++ // Get .m_accounting.countBytesDirect from 0 to 3 ++ const char *const chunk = ""; ++ assert_true(_XML_Parse_SINGLE_BYTES(parser, chunk, (int)strlen(chunk), ++ /*isFinal=*/XML_FALSE) ++ == XML_STATUS_OK); ++ ++#if XML_GE == 1 ++ // Stop activation threshold from interfering ++ assert_true(XML_SetAllocTrackerActivationThreshold(parser, 0) == XML_TRUE); ++ ++ // Exceed maximum amplification: should be rejected. ++ assert_true(expat_malloc(parser, 1000, -1) == NULL); ++ ++ // Increase maximum amplification, and try the same amount once more: should ++ // work. ++ assert_true(XML_SetAllocTrackerMaximumAmplification(parser, 3000.0f) ++ == XML_TRUE); ++ ++ void *const ptr = expat_malloc(parser, 1000, -1); ++ assert_true(ptr != NULL); ++ expat_free(parser, ptr, -1); ++#endif ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ ++START_TEST(test_alloc_tracker_threshold) { ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++#if XML_GE == 1 ++ // Exceed maximum amplification *before* (default) threshold: should work. ++ void *const ptr = expat_malloc(parser, 1000, -1); ++ assert_true(ptr != NULL); ++ expat_free(parser, ptr, -1); ++ ++ // Exceed maximum amplification *after* threshold: should be rejected. ++ assert_true(XML_SetAllocTrackerActivationThreshold(parser, 999) == XML_TRUE); ++ assert_true(expat_malloc(parser, 1000, -1) == NULL); ++#endif ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ ++START_TEST(test_alloc_tracker_getbuffer_unlimited) { ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++#if XML_GE == 1 ++ // Artificially lower threshold ++ assert_true(XML_SetAllocTrackerActivationThreshold(parser, 0) == XML_TRUE); ++ ++ // Self-test: Prove that threshold is as rejecting as expected ++ assert_true(expat_malloc(parser, 1000, -1) == NULL); ++#endif ++ // XML_GetBuffer should be allowed to pass, though ++ assert_true(XML_GetBuffer(parser, 1000) != NULL); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ ++START_TEST(test_alloc_tracker_api) { ++ XML_Parser parserWithoutParent = XML_ParserCreate(NULL); ++ XML_Parser parserWithParent = XML_ExternalEntityParserCreate( ++ parserWithoutParent, XCS("entity123"), NULL); ++ if (parserWithoutParent == NULL) ++ fail("parserWithoutParent is NULL"); ++ if (parserWithParent == NULL) ++ fail("parserWithParent is NULL"); ++ ++#if XML_GE == 1 ++ // XML_SetAllocTrackerMaximumAmplification, error cases ++ if (XML_SetAllocTrackerMaximumAmplification(NULL, 123.0f) == XML_TRUE) ++ fail("Call with NULL parser is NOT supposed to succeed"); ++ if (XML_SetAllocTrackerMaximumAmplification(parserWithParent, 123.0f) ++ == XML_TRUE) ++ fail("Call with non-root parser is NOT supposed to succeed"); ++ if (XML_SetAllocTrackerMaximumAmplification(parserWithoutParent, NAN) ++ == XML_TRUE) ++ fail("Call with NaN limit is NOT supposed to succeed"); ++ if (XML_SetAllocTrackerMaximumAmplification(parserWithoutParent, -1.0f) ++ == XML_TRUE) ++ fail("Call with negative limit is NOT supposed to succeed"); ++ if (XML_SetAllocTrackerMaximumAmplification(parserWithoutParent, 0.9f) ++ == XML_TRUE) ++ fail("Call with positive limit <1.0 is NOT supposed to succeed"); ++ ++ // XML_SetAllocTrackerMaximumAmplification, success cases ++ if (XML_SetAllocTrackerMaximumAmplification(parserWithoutParent, 1.0f) ++ == XML_FALSE) ++ fail("Call with positive limit >=1.0 is supposed to succeed"); ++ if (XML_SetAllocTrackerMaximumAmplification(parserWithoutParent, 123456.789f) ++ == XML_FALSE) ++ fail("Call with positive limit >=1.0 is supposed to succeed"); ++ if (XML_SetAllocTrackerMaximumAmplification(parserWithoutParent, INFINITY) ++ == XML_FALSE) ++ fail("Call with positive limit >=1.0 is supposed to succeed"); ++ ++ // XML_SetAllocTrackerActivationThreshold, error cases ++ if (XML_SetAllocTrackerActivationThreshold(NULL, 123) == XML_TRUE) ++ fail("Call with NULL parser is NOT supposed to succeed"); ++ if (XML_SetAllocTrackerActivationThreshold(parserWithParent, 123) == XML_TRUE) ++ fail("Call with non-root parser is NOT supposed to succeed"); ++ ++ // XML_SetAllocTrackerActivationThreshold, success cases ++ if (XML_SetAllocTrackerActivationThreshold(parserWithoutParent, 123) ++ == XML_FALSE) ++ fail("Call with non-NULL parentless parser is supposed to succeed"); ++#endif // XML_GE == 1 ++ ++ XML_ParserFree(parserWithParent); ++ XML_ParserFree(parserWithoutParent); ++} ++END_TEST ++ ++START_TEST(test_mem_api_cycle) { ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++ void *ptr = XML_MemMalloc(parser, 10); ++ ++ assert_true(ptr != NULL); ++ memset(ptr, 'x', 10); // assert writability, with ASan in mind ++ ++ ptr = XML_MemRealloc(parser, ptr, 20); ++ ++ assert_true(ptr != NULL); ++ memset(ptr, 'y', 20); // assert writability, with ASan in mind ++ ++ XML_MemFree(parser, ptr); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ ++START_TEST(test_mem_api_unlimited) { ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++#if XML_GE == 1 ++ assert_true(XML_SetAllocTrackerActivationThreshold(parser, 0) == XML_TRUE); ++#endif ++ ++ void *ptr = XML_MemMalloc(parser, 1000); ++ ++ assert_true(ptr != NULL); ++ ++ ptr = XML_MemRealloc(parser, ptr, 2000); ++ ++ assert_true(ptr != NULL); ++ ++ XML_MemFree(parser, ptr); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ + void + make_alloc_test_case(Suite *s) { + TCase *tc_alloc = tcase_create("allocation tests"); +@@ -2151,4 +2354,15 @@ make_alloc_test_case(Suite *s) { + + tcase_add_test__ifdef_xml_dtd( + tc_alloc, test_alloc_reset_after_external_entity_parser_create_fail); ++ ++ tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_tracker_size_recorded); ++ tcase_add_test__ifdef_xml_dtd(tc_alloc, ++ test_alloc_tracker_maximum_amplification); ++ tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_tracker_threshold); ++ tcase_add_test__ifdef_xml_dtd(tc_alloc, ++ test_alloc_tracker_getbuffer_unlimited); ++ tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_tracker_api); ++ ++ tcase_add_test(tc_alloc, test_mem_api_cycle); ++ tcase_add_test__ifdef_xml_dtd(tc_alloc, test_mem_api_unlimited); + } diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-14.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-14.patch new file mode 100644 index 0000000000..a339cc3f4b --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2025-59375-14.patch @@ -0,0 +1,122 @@ +From 78366891a586f293aeff60a14a55e4afe1169586 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Tue, 2 Sep 2025 16:44:00 +0200 +Subject: [PATCH] xmlwf: Wire allocation tracker config to existing arguments + -a and -b + +CVE: CVE-2025-59375 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/78366891a586f293aeff60a14a55e4afe1169586] +Signed-off-by: Peter Marko +--- + doc/xmlwf.xml | 26 ++++++++++++++++++++------ + xmlwf/xmlwf.c | 7 +++++-- + xmlwf/xmlwf_helpgen.py | 4 ++-- + 3 files changed, 27 insertions(+), 10 deletions(-) + +diff --git a/doc/xmlwf.xml b/doc/xmlwf.xml +index 17e9cf51..65d8ae9b 100644 +--- a/doc/xmlwf.xml ++++ b/doc/xmlwf.xml +@@ -158,19 +158,31 @@ supports both. + + + Sets the maximum tolerated amplification factor +- for protection against billion laughs attacks (default: 100.0). ++ for protection against amplification attacks ++ like the billion laughs attack ++ (default: 100.0 ++ for the sum of direct and indirect output and also ++ for allocations of dynamic memory). + The amplification factor is calculated as .. + + + amplification := (direct + indirect) / direct + + +- .. while parsing, whereas ++ .. with regard to use of entities and .. ++ ++ ++ amplification := allocated / direct ++ ++ ++ .. with regard to dynamic memory while parsing. + <direct> is the number of bytes read +- from the primary document in parsing and ++ from the primary document in parsing, + <indirect> is the number of bytes + added by expanding entities and reading of external DTD files, +- combined. ++ combined, and ++ <allocated> is the total number of bytes of dynamic memory ++ allocated (and not freed) per hierarchy of parsers. + + + NOTE: +@@ -185,8 +197,10 @@ supports both. + + + Sets the number of output bytes (including amplification) +- needed to activate protection against billion laughs attacks +- (default: 8 MiB). ++ needed to activate protection against amplification attacks ++ like billion laughs ++ (default: 8 MiB for the sum of direct and indirect output, ++ and 64 MiB for allocations of dynamic memory). + This can be thought of as an "activation threshold". + + +diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c +index b9d0a7fc..14206d9e 100644 +--- a/xmlwf/xmlwf.c ++++ b/xmlwf/xmlwf.c +@@ -913,11 +913,11 @@ usage(const XML_Char *prog, int rc) { + T(" -t write no XML output for [t]iming of plain parsing\n") + T(" -N enable adding doctype and [n]otation declarations\n") + T("\n") +- T("billion laughs attack protection:\n") ++ T("amplification attack protection (e.g. billion laughs):\n") + T(" NOTE: If you ever need to increase these values for non-attack payload, please file a bug report.\n") + T("\n") + T(" -a FACTOR set maximum tolerated [a]mplification factor (default: 100.0)\n") +- T(" -b BYTES set number of output [b]ytes needed to activate (default: 8 MiB)\n") ++ T(" -b BYTES set number of output [b]ytes needed to activate (default: 8 MiB/64 MiB)\n") + T("\n") + T("reparse deferral:\n") + T(" -q disable reparse deferral, and allow [q]uadratic parse runtime with large tokens\n") +@@ -1181,12 +1181,15 @@ tmain(int argc, XML_Char **argv) { + #if XML_GE == 1 + XML_SetBillionLaughsAttackProtectionMaximumAmplification( + parser, attackMaximumAmplification); ++ XML_SetAllocTrackerMaximumAmplification(parser, ++ attackMaximumAmplification); + #endif + } + if (attackThresholdGiven) { + #if XML_GE == 1 + XML_SetBillionLaughsAttackProtectionActivationThreshold( + parser, attackThresholdBytes); ++ XML_SetAllocTrackerActivationThreshold(parser, attackThresholdBytes); + #else + (void)attackThresholdBytes; // silence -Wunused-but-set-variable + #endif +diff --git a/xmlwf/xmlwf_helpgen.py b/xmlwf/xmlwf_helpgen.py +index 2360820d..e91c285c 100755 +--- a/xmlwf/xmlwf_helpgen.py ++++ b/xmlwf/xmlwf_helpgen.py +@@ -84,13 +84,13 @@ output_mode.add_argument('-m', action='store_true', help='write [m]eta XML, not + output_mode.add_argument('-t', action='store_true', help='write no XML output for [t]iming of plain parsing') + output_related.add_argument('-N', action='store_true', help='enable adding doctype and [n]otation declarations') + +-billion_laughs = parser.add_argument_group('billion laughs attack protection', ++billion_laughs = parser.add_argument_group('amplification attack protection (e.g. billion laughs)', + description='NOTE: ' + 'If you ever need to increase these values ' + 'for non-attack payload, please file a bug report.') + billion_laughs.add_argument('-a', metavar='FACTOR', + help='set maximum tolerated [a]mplification factor (default: 100.0)') +-billion_laughs.add_argument('-b', metavar='BYTES', help='set number of output [b]ytes needed to activate (default: 8 MiB)') ++billion_laughs.add_argument('-b', metavar='BYTES', help='set number of output [b]ytes needed to activate (default: 8 MiB/64 MiB)') + + reparse_deferral = parser.add_argument_group('reparse deferral') + reparse_deferral.add_argument('-q', metavar='FACTOR', diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-15.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-15.patch new file mode 100644 index 0000000000..8d06844192 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2025-59375-15.patch @@ -0,0 +1,70 @@ +From 5ae51be57ed0ca1e87582881d07ea9c29c4f7c05 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Wed, 3 Sep 2025 17:06:41 +0200 +Subject: [PATCH] fuzz: Be robust towards NULL return from + XML_ExternalEntityParserCreate + +CVE: CVE-2025-59375 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/5ae51be57ed0ca1e87582881d07ea9c29c4f7c05] +Signed-off-by: Peter Marko +--- + fuzz/xml_parse_fuzzer.c | 14 ++++++++------ + fuzz/xml_parsebuffer_fuzzer.c | 14 ++++++++------ + 2 files changed, 16 insertions(+), 12 deletions(-) + +diff --git a/fuzz/xml_parse_fuzzer.c b/fuzz/xml_parse_fuzzer.c +index 90c38549..29ab33ff 100644 +--- a/fuzz/xml_parse_fuzzer.c ++++ b/fuzz/xml_parse_fuzzer.c +@@ -89,15 +89,17 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + + XML_Parser externalEntityParser + = XML_ExternalEntityParserCreate(parentParser, "e1", NULL); +- assert(externalEntityParser); +- ParseOneInput(externalEntityParser, data, size); +- XML_ParserFree(externalEntityParser); ++ if (externalEntityParser != NULL) { ++ ParseOneInput(externalEntityParser, data, size); ++ XML_ParserFree(externalEntityParser); ++ } + + XML_Parser externalDtdParser + = XML_ExternalEntityParserCreate(parentParser, NULL, NULL); +- assert(externalDtdParser); +- ParseOneInput(externalDtdParser, data, size); +- XML_ParserFree(externalDtdParser); ++ if (externalDtdParser != NULL) { ++ ParseOneInput(externalDtdParser, data, size); ++ XML_ParserFree(externalDtdParser); ++ } + + // finally frees this parser which served as parent + XML_ParserFree(parentParser); +diff --git a/fuzz/xml_parsebuffer_fuzzer.c b/fuzz/xml_parsebuffer_fuzzer.c +index 0db67dce..38b9981b 100644 +--- a/fuzz/xml_parsebuffer_fuzzer.c ++++ b/fuzz/xml_parsebuffer_fuzzer.c +@@ -101,15 +101,17 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + + XML_Parser externalEntityParser + = XML_ExternalEntityParserCreate(parentParser, "e1", NULL); +- assert(externalEntityParser); +- ParseOneInput(externalEntityParser, data, size); +- XML_ParserFree(externalEntityParser); ++ if (externalEntityParser != NULL) { ++ ParseOneInput(externalEntityParser, data, size); ++ XML_ParserFree(externalEntityParser); ++ } + + XML_Parser externalDtdParser + = XML_ExternalEntityParserCreate(parentParser, NULL, NULL); +- assert(externalDtdParser); +- ParseOneInput(externalDtdParser, data, size); +- XML_ParserFree(externalDtdParser); ++ if (externalDtdParser != NULL) { ++ ParseOneInput(externalDtdParser, data, size); ++ XML_ParserFree(externalDtdParser); ++ } + + // finally frees this parser which served as parent + XML_ParserFree(parentParser); diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-16.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-16.patch new file mode 100644 index 0000000000..a276347d83 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2025-59375-16.patch @@ -0,0 +1,146 @@ +From d6246c31a1238d065b4d9690d3bac740326f6485 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Wed, 3 Sep 2025 01:28:03 +0200 +Subject: [PATCH] docs: Document the two allocation tracking API functions + +CVE: CVE-2025-59375 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/d6246c31a1238d065b4d9690d3bac740326f6485] +Signed-off-by: Peter Marko +--- + doc/reference.html | 116 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 116 insertions(+) + +diff --git a/doc/reference.html b/doc/reference.html +index 89476710..81da4e6c 100644 +--- a/doc/reference.html ++++ b/doc/reference.html +@@ -157,6 +157,8 @@ interface.

+ + +@@ -2262,6 +2264,120 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold(XML_Parser p, +

+ + ++

XML_SetAllocTrackerMaximumAmplification

++
++/* Added in Expat 2.7.2. */
++XML_Bool
++XML_SetAllocTrackerMaximumAmplification(XML_Parser p,
++                                        float maximumAmplificationFactor);
++
++
++

++ Sets the maximum tolerated amplification factor ++ between direct input and bytes of dynamic memory allocated ++ (default: 100.0) ++ of parser p to maximumAmplificationFactor, and ++ returns XML_TRUE upon success and XML_FALSE upon error. ++

++ ++

++ Note: ++ There are three types of allocations that intentionally bypass tracking and limiting: ++

++ ++ ++

The amplification factor is calculated as ..

++ 
amplification := allocated / direct
++

++ .. while parsing, whereas ++ direct is the number of bytes read from the primary document in parsing and ++ allocated is the number of bytes of dynamic memory allocated in the parser hierarchy. ++

++ ++

For a call to XML_SetAllocTrackerMaximumAmplification to succeed:

++
    ++
  • parser p must be a non-NULL root parser (without any parent parsers) and
    • ++
  • maximumAmplificationFactor must be non-NaN and greater than or equal to 1.0.
    • ++
++ ++

++ Note: ++ If you ever need to increase this value for non-attack payload, ++ please file a bug report. ++

++ ++

++ Note: ++ Amplifications factors greater than 100 can been observed near the start of parsing ++ even with benign files in practice. ++ ++ So if you do reduce the maximum allowed amplification, ++ please make sure that the activation threshold is still big enough ++ to not end up with undesired false positives (i.e. benign files being rejected). ++

++
++ ++

XML_SetAllocTrackerActivationThreshold

++
++/* Added in Expat 2.7.2. */
++XML_Bool
++XML_SetAllocTrackerActivationThreshold(XML_Parser p,
++                                       unsigned long long activationThresholdBytes);
++
++
++

++ Sets number of allocated bytes of dynamic memory ++ needed to activate protection against disproportionate use of RAM ++ (default: 64 MiB) ++ of parser p to activationThresholdBytes, and ++ returns XML_TRUE upon success and XML_FALSE upon error. ++

++ ++

++ Note: ++ For types of allocations that intentionally bypass tracking and limiting, please see ++ XML_SetAllocTrackerMaximumAmplification ++ above. ++

++ ++

For a call to XML_SetAllocTrackerActivationThreshold to succeed:

++
    ++
  • parser p must be a non-NULL root parser (without any parent parsers).
    • ++
++ ++

++ Note: ++ If you ever need to increase this value for non-attack payload, ++ please file a bug report. ++

++
++ +

XML_SetReparseDeferralEnabled

+ 
+ /* Added in Expat 2.6.0. */
diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-17.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-17.patch
new file mode 100644
index 0000000000..ca0e3a34f7
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2025-59375-17.patch
@@ -0,0 +1,28 @@
+From a6a2a49367f03f5d8a73c9027b45b59953ca27d8 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping 
+Date: Wed, 10 Sep 2025 19:52:39 +0200
+Subject: [PATCH] docs: Promote the contract to call XML_FreeContentModel
+
+.. when registering a custom element declaration handler
+(via a call to function XML_SetElementDeclHandler)
+
+CVE: CVE-2025-59375
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/a6a2a49367f03f5d8a73c9027b45b59953ca27d8]
+Signed-off-by: Peter Marko 
+---
+ doc/reference.html | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/reference.html b/doc/reference.html
+index 81da4e6c..564fc1b2 100644
+--- a/doc/reference.html
++++ b/doc/reference.html
+@@ -1902,7 +1902,7 @@ struct XML_cp {
+ 
Sets a handler for element declarations in a DTD. The handler gets
+ called with the name of the element in the declaration and a pointer
+ to a structure that contains the element model. It's the user code's 
+-responsibility to free model when finished with it. See 
++responsibility to free model when finished with via a call to 
+ XML_FreeContentModel.
+ There is no need to free the model from the handler, it can be kept
+ around and freed at a later stage.

diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-18.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-18.patch
new file mode 100644
index 0000000000..c29b301825
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2025-59375-18.patch
@@ -0,0 +1,74 @@
+From a21a3a8299e1ee0b0ae5ae2886a0746d088cf135 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping 
+Date: Sun, 7 Sep 2025 16:00:35 +0200
+Subject: [PATCH] Changes: Document allocation tracking
+
+CVE: CVE-2025-59375
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/a21a3a8299e1ee0b0ae5ae2886a0746d088cf135]
+Signed-off-by: Peter Marko 
+---
+ Changes | 37 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 37 insertions(+)
+
+diff --git a/Changes b/Changes
+index cb752151..ceb5c5dc 100644
+--- a/Changes
++++ b/Changes
+@@ -30,6 +30,36 @@
+ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ 
+ Patches:
++        Security fixes:
++     #1018 #1034  CVE-2025-59375 -- Disallow use of disproportional amounts of
++                    dynamic memory from within an Expat parser (e.g. previously
++                    a ~250 KiB sized document was able to cause allocation of
++                    ~800 MiB from the heap, i.e. an "amplification" of factor
++                    ~3,300); once a threshold (that defaults to 64 MiB) is
++                    reached, a maximum amplification factor (that defaults to
++                    100.0) is enforced, and violating documents are rejected
++                    with an out-of-memory error.
++                    There are two new API functions to fine-tune this new
++                    behavior:
++                      - XML_SetAllocTrackerActivationThreshold
++                      - XML_SetAllocTrackerMaximumAmplification .
++                    If you ever need to increase these defaults for non-attack
++                    XML payload, please file a bug report with libexpat.
++                      There is also a new environment variable
++                    EXPAT_MALLOC_DEBUG=(0|1|2) to control the verbosity
++                    of allocations debugging at runtime, disabled by default.
++                      Known impact is (reliable and easy) denial of service:
++                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
++                    (Base Score: 7.5, Temporal Score: 7.2)
++                    Please note that a layer of compression around XML can
++                    significantly reduce the minimum attack payload size.
++                      Distributors intending to backport (or cherry-pick) the
++                    fix need to copy 99% of the related pull request, not just
++                    the "lib: Implement tracking of dynamic memory allocations"
++                    commit, to not end up with a state that literally does both
++                    too much and too little at the same time. Appending ".diff"
++                    to the pull request URL could be of help.
++
+         Bug fixes:
+        #980 #989  Restore event pointer behavior from Expat 2.6.4
+                     (that the fix to CVE-2024-8176 changed in 2.7.0);
+@@ -39,6 +69,10 @@ Patches:
+                     - XML_GetCurrentColumnNumber
+                     - XML_GetCurrentLineNumber
+                     - XML_GetInputContext
++        #1034  docs: Promote the contract to call function
++                    XML_FreeContentModel when registering a custom
++                    element declaration handler (via a call to function
++                    XML_SetElementDeclHandler)
+ 
+         Special thanks to:
+             Berkay Eren Ürün
+@@ -71,6 +105,9 @@ Patches:
+             Linutronix
+             Red Hat
+             Siemens
++                 and
++            OSS-Fuzz / ClusterFuzz
++            Perl XML::Parser
+ 
+ Release 2.6.4 Wed November 6 2024
+         Security fixes:
diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-19.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-19.patch
new file mode 100644
index 0000000000..afd4d91d03
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2025-59375-19.patch
@@ -0,0 +1,103 @@
+From f4b5bb033dc4430bbd31dcae8a55f988360bcec5 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping 
+Date: Wed, 17 Sep 2025 23:14:02 +0200
+Subject: [PATCH] lib: Document and regression-proof absence of integer
+ overflow from expat_realloc
+
+Matthew Fernandez (@Smattr) and I teamed up on whether function expat_realloc
+could be vulnerable to integer overflow in line:
+
+  mallocedPtr = parser->m_mem.realloc_fcn(mallocedPtr, sizeof(size_t) + size);
+                                                                      ^
+We ended up with a mathematical proof that, fortunately, the current code
+already is safe from overflow.
+
+The proof uses technique "proof by contradiction". Let's assume, there *was* a
+risk of integer overflow. For a risk of overflow, these four conditions would
+all need to be met, together:
+
+(1) `SIZE_MAX < sizeof(size_t) + size`
+    or we would not hit an overflow on `size_t`.
+
+(2) `size > prevSize`
+    or `expat_malloc` would have already not allocated earlier
+    as `expat_realloc` relies on `expat_malloc` for the initial allocation.
+
+(3) `rootParser->m_alloc_tracker.bytesAllocated >= sizeof(size_t) + prevSize`
+    or the previous allocation would be gone already or have bypassed accounting.
+    The code is not thread-safe in general, race conditions are off the table.
+
+(4) `rootParser->m_alloc_tracker.bytesAllocated + (size - prevSize) <= SIZE_MAX`
+    or `expat_heap_increase_tolerable` would have returned `false` and
+    the overflow line would not be reached.
+
+We encoded this for the Z3 Theorem Prover (https://github.com/Z3Prover/z3)
+and ended up with this document:
+
+  $ cat proof_v2.smt2
+  ; Copyright (c) 2025 Matthew Fernandez 
+  ; Copyright (c) 2025 Sebastian Pipping 
+  ; Licensed under the MIT license
+
+  ; (1), (2), (3), (4) form a contradiction
+
+  ; define `SIZE_MAX`
+  (declare-fun SIZE_MAX () (_ BitVec 64))
+  (assert (= SIZE_MAX #xffffffffffffffff))
+
+  ; define `sizeof(size_t)`
+  (declare-fun sizeof_size_t () (_ BitVec 64))
+  (assert (= sizeof_size_t #x0000000000000008))
+
+  ; claim we have inputs `size`, `prevSize`, and `bytesAllocated`
+  (declare-fun size () (_ BitVec 64))
+  (declare-fun prevSize () (_ BitVec 64))
+  (declare-fun bytesAllocated () (_ BitVec 64))
+
+  ; assume `SIZE_MAX - sizeof(size_t) < size` (1)
+  (assert (bvult (bvsub SIZE_MAX sizeof_size_t) size))
+
+  ; assume `bytesAllocated >= sizeof(size_t) + prevSize` (3)
+  (assert (bvuge bytesAllocated (bvadd sizeof_size_t prevSize)))
+
+  ; assume `bytesAllocated - prevSize <= SIZE_MAX - size` (4)
+  (assert (bvule (bvsub bytesAllocated prevSize) (bvsub SIZE_MAX size)))
+
+  ; assume `SIZE_MAX - sizeof(size_t) >= prevSize` (anti-overflow for 3)
+  (assert (bvuge (bvsub SIZE_MAX sizeof_size_t) prevSize))
+
+  ; prove we have a contradiction
+  (check-sat)
+
+Note that we operate on fixed-size bit vectors here, and hence had
+to transform the assertions to not allow integer overflow by themselves.
+
+Z3 confirms the contradiction, and thus the absence of integer overflow:
+
+  $ z3 -smt2 -model proof_v2.smt2
+  unsat
+
+Co-authored-by: Matthew Fernandez 
+
+CVE: CVE-2025-59375
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/f4b5bb033dc4430bbd31dcae8a55f988360bcec5]
+Signed-off-by: Peter Marko 
+---
+ lib/xmlparse.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index de159493..24fd7b97 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -969,6 +969,10 @@ expat_realloc(XML_Parser parser, void *ptr, size_t size, int sourceLine) {
+     }
+   }
+ 
++  // NOTE: Integer overflow detection has already been done for us
++  //       by expat_heap_increase_tolerable(..) above
++  assert(SIZE_MAX - sizeof(size_t) >= size);
++
+   // Actually allocate
+   mallocedPtr = parser->m_mem.realloc_fcn(mallocedPtr, sizeof(size_t) + size);
+ 
diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-20.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-20.patch
new file mode 100644
index 0000000000..80628f20fb
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2025-59375-20.patch
@@ -0,0 +1,285 @@
+From faf36f806c9065bfd9f0567b01924d5e27c4911c Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping 
+Date: Mon, 15 Sep 2025 18:05:23 +0200
+Subject: [PATCH] lib: Drop casts around malloc/realloc returns that C99 does
+ not need
+
+CVE: CVE-2025-59375
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/faf36f806c9065bfd9f0567b01924d5e27c4911c]
+Signed-off-by: Peter Marko 
+---
+ lib/xmlparse.c | 80 ++++++++++++++++++++++----------------------------
+ 1 file changed, 35 insertions(+), 45 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 6e9c6fb2..fb8ad2e7 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1370,12 +1370,12 @@ parserCreate(const XML_Char *encodingName,
+     XML_Memory_Handling_Suite *mtemp;
+ #if XML_GE == 1
+     void *const sizeAndParser
+-        = (XML_Parser)malloc(sizeof(size_t) + sizeof(struct XML_ParserStruct));
++        = malloc(sizeof(size_t) + sizeof(struct XML_ParserStruct));
+     if (sizeAndParser != NULL) {
+       *(size_t *)sizeAndParser = sizeof(struct XML_ParserStruct);
+       parser = (XML_Parser)((char *)sizeAndParser + sizeof(size_t));
+ #else
+-    parser = (XML_Parser)malloc(sizeof(struct XML_ParserStruct));
++    parser = malloc(sizeof(struct XML_ParserStruct));
+     if (parser != NULL) {
+ #endif
+       mtemp = (XML_Memory_Handling_Suite *)&(parser->m_mem);
+@@ -1433,23 +1433,20 @@ parserCreate(const XML_Char *encodingName,
+   parser->m_bufferLim = NULL;
+ 
+   parser->m_attsSize = INIT_ATTS_SIZE;
+-  parser->m_atts
+-      = (ATTRIBUTE *)MALLOC(parser, parser->m_attsSize * sizeof(ATTRIBUTE));
++  parser->m_atts = MALLOC(parser, parser->m_attsSize * sizeof(ATTRIBUTE));
+   if (parser->m_atts == NULL) {
+     FREE(parser, parser);
+     return NULL;
+   }
+ #ifdef XML_ATTR_INFO
+-  parser->m_attInfo = (XML_AttrInfo *)MALLOC(
+-      parser, parser->m_attsSize * sizeof(XML_AttrInfo));
++  parser->m_attInfo = MALLOC(parser, parser->m_attsSize * sizeof(XML_AttrInfo));
+   if (parser->m_attInfo == NULL) {
+     FREE(parser, parser->m_atts);
+     FREE(parser, parser);
+     return NULL;
+   }
+ #endif
+-  parser->m_dataBuf
+-      = (XML_Char *)MALLOC(parser, INIT_DATA_BUF_SIZE * sizeof(XML_Char));
++  parser->m_dataBuf = MALLOC(parser, INIT_DATA_BUF_SIZE * sizeof(XML_Char));
+   if (parser->m_dataBuf == NULL) {
+     FREE(parser, parser->m_atts);
+ #ifdef XML_ATTR_INFO
+@@ -2588,7 +2585,7 @@ XML_GetBuffer(XML_Parser parser, int len) {
+       }
+       // NOTE: We are avoiding MALLOC(..) here to leave limiting
+       //       the input size to the application using Expat.
+-      newBuf = (char *)parser->m_mem.malloc_fcn(bufferSize);
++      newBuf = parser->m_mem.malloc_fcn(bufferSize);
+       if (newBuf == 0) {
+         parser->m_errorCode = XML_ERROR_NO_MEMORY;
+         return NULL;
+@@ -3133,7 +3130,7 @@ storeRawNames(XML_Parser parser) {
+       return XML_FALSE;
+     bufSize = nameLen + (int)rawNameLen;
+     if (bufSize > tag->bufEnd - tag->buf) {
+-      char *temp = (char *)REALLOC(parser, tag->buf, bufSize);
++      char *temp = REALLOC(parser, tag->buf, bufSize);
+       if (temp == NULL)
+         return XML_FALSE;
+       /* if tag->name.str points to tag->buf (only when namespace
+@@ -3459,10 +3456,10 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+         tag = parser->m_freeTagList;
+         parser->m_freeTagList = parser->m_freeTagList->parent;
+       } else {
+-        tag = (TAG *)MALLOC(parser, sizeof(TAG));
++        tag = MALLOC(parser, sizeof(TAG));
+         if (! tag)
+           return XML_ERROR_NO_MEMORY;
+-        tag->buf = (char *)MALLOC(parser, INIT_TAG_BUF_SIZE);
++        tag->buf = MALLOC(parser, INIT_TAG_BUF_SIZE);
+         if (! tag->buf) {
+           FREE(parser, tag);
+           return XML_ERROR_NO_MEMORY;
+@@ -3495,7 +3492,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+           }
+           bufSize = (int)(tag->bufEnd - tag->buf) << 1;
+           {
+-            char *temp = (char *)REALLOC(parser, tag->buf, bufSize);
++            char *temp = REALLOC(parser, tag->buf, bufSize);
+             if (temp == NULL)
+               return XML_ERROR_NO_MEMORY;
+             tag->buf = temp;
+@@ -3874,8 +3871,8 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+     }
+ #endif
+ 
+-    temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts,
+-                                parser->m_attsSize * sizeof(ATTRIBUTE));
++    temp = REALLOC(parser, (void *)parser->m_atts,
++                   parser->m_attsSize * sizeof(ATTRIBUTE));
+     if (temp == NULL) {
+       parser->m_attsSize = oldAttsSize;
+       return XML_ERROR_NO_MEMORY;
+@@ -3893,8 +3890,8 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+     }
+ #  endif
+ 
+-    temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo,
+-                                    parser->m_attsSize * sizeof(XML_AttrInfo));
++    temp2 = REALLOC(parser, (void *)parser->m_attInfo,
++                    parser->m_attsSize * sizeof(XML_AttrInfo));
+     if (temp2 == NULL) {
+       parser->m_attsSize = oldAttsSize;
+       return XML_ERROR_NO_MEMORY;
+@@ -4070,8 +4067,7 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+       }
+ #endif
+ 
+-      temp = (NS_ATT *)REALLOC(parser, parser->m_nsAtts,
+-                               nsAttsSize * sizeof(NS_ATT));
++      temp = REALLOC(parser, parser->m_nsAtts, nsAttsSize * sizeof(NS_ATT));
+       if (! temp) {
+         /* Restore actual size of memory in m_nsAtts */
+         parser->m_nsAttsPower = oldNsAttsPower;
+@@ -4252,7 +4248,7 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+     }
+ #endif
+ 
+-    uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char));
++    uri = MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char));
+     if (! uri)
+       return XML_ERROR_NO_MEMORY;
+     binding->uriAlloc = n + EXPAND_SPARE;
+@@ -4498,8 +4494,8 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+       }
+ #endif
+ 
+-      XML_Char *temp = (XML_Char *)REALLOC(
+-          parser, b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE));
++      XML_Char *temp
++          = REALLOC(parser, b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE));
+       if (temp == NULL)
+         return XML_ERROR_NO_MEMORY;
+       b->uri = temp;
+@@ -4507,7 +4503,7 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+     }
+     parser->m_freeBindingList = b->nextTagBinding;
+   } else {
+-    b = (BINDING *)MALLOC(parser, sizeof(BINDING));
++    b = MALLOC(parser, sizeof(BINDING));
+     if (! b)
+       return XML_ERROR_NO_MEMORY;
+ 
+@@ -4525,8 +4521,7 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+     }
+ #endif
+ 
+-    b->uri
+-        = (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE));
++    b->uri = MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE));
+     if (! b->uri) {
+       FREE(parser, b);
+       return XML_ERROR_NO_MEMORY;
+@@ -5897,7 +5892,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+               return XML_ERROR_NO_MEMORY;
+             }
+ 
+-            char *const new_connector = (char *)REALLOC(
++            char *const new_connector = REALLOC(
+                 parser, parser->m_groupConnector, parser->m_groupSize *= 2);
+             if (new_connector == NULL) {
+               parser->m_groupSize /= 2;
+@@ -5917,15 +5912,14 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+             }
+ #endif
+ 
+-            int *const new_scaff_index = (int *)REALLOC(
++            int *const new_scaff_index = REALLOC(
+                 parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int));
+             if (new_scaff_index == NULL)
+               return XML_ERROR_NO_MEMORY;
+             dtd->scaffIndex = new_scaff_index;
+           }
+         } else {
+-          parser->m_groupConnector
+-              = (char *)MALLOC(parser, parser->m_groupSize = 32);
++          parser->m_groupConnector = MALLOC(parser, parser->m_groupSize = 32);
+           if (! parser->m_groupConnector) {
+             parser->m_groupSize = 0;
+             return XML_ERROR_NO_MEMORY;
+@@ -6086,8 +6080,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+           //       applications that are not using XML_FreeContentModel but
+           //       plain free(..) or .free_fcn() to free the content model's
+           //       memory are safe.
+-          XML_Content *content
+-              = (XML_Content *)parser->m_mem.malloc_fcn(sizeof(XML_Content));
++          XML_Content *content = parser->m_mem.malloc_fcn(sizeof(XML_Content));
+           if (! content)
+             return XML_ERROR_NO_MEMORY;
+           content->quant = XML_CQUANT_NONE;
+@@ -6364,8 +6357,7 @@ processEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl,
+     openEntity = *freeEntityList;
+     *freeEntityList = openEntity->next;
+   } else {
+-    openEntity
+-        = (OPEN_INTERNAL_ENTITY *)MALLOC(parser, sizeof(OPEN_INTERNAL_ENTITY));
++    openEntity = MALLOC(parser, sizeof(OPEN_INTERNAL_ENTITY));
+     if (! openEntity)
+       return XML_ERROR_NO_MEMORY;
+   }
+@@ -7164,8 +7156,8 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
+   if (type->nDefaultAtts == type->allocDefaultAtts) {
+     if (type->allocDefaultAtts == 0) {
+       type->allocDefaultAtts = 8;
+-      type->defaultAtts = (DEFAULT_ATTRIBUTE *)MALLOC(
+-          parser, type->allocDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
++      type->defaultAtts
++          = MALLOC(parser, type->allocDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
+       if (! type->defaultAtts) {
+         type->allocDefaultAtts = 0;
+         return 0;
+@@ -7190,8 +7182,8 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
+       }
+ #endif
+ 
+-      temp = (DEFAULT_ATTRIBUTE *)REALLOC(parser, type->defaultAtts,
+-                                          (count * sizeof(DEFAULT_ATTRIBUTE)));
++      temp = REALLOC(parser, type->defaultAtts,
++                     (count * sizeof(DEFAULT_ATTRIBUTE)));
+       if (temp == NULL)
+         return 0;
+       type->allocDefaultAtts = count;
+@@ -8145,8 +8137,7 @@ poolGrow(STRING_POOL *pool) {
+     if (bytesToAllocate == 0)
+       return XML_FALSE;
+ 
+-    temp = (BLOCK *)REALLOC(pool->parser, pool->blocks,
+-                            (unsigned)bytesToAllocate);
++    temp = REALLOC(pool->parser, pool->blocks, (unsigned)bytesToAllocate);
+     if (temp == NULL)
+       return XML_FALSE;
+     pool->blocks = temp;
+@@ -8217,7 +8208,7 @@ nextScaffoldPart(XML_Parser parser) {
+       return -1;
+     }
+ #endif
+-    dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
++    dtd->scaffIndex = MALLOC(parser, parser->m_groupSize * sizeof(int));
+     if (! dtd->scaffIndex)
+       return -1;
+     dtd->scaffIndex[0] = 0;
+@@ -8240,14 +8231,13 @@ nextScaffoldPart(XML_Parser parser) {
+       }
+ #endif
+ 
+-      temp = (CONTENT_SCAFFOLD *)REALLOC(
+-          parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD));
++      temp = REALLOC(parser, dtd->scaffold,
++                     dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD));
+       if (temp == NULL)
+         return -1;
+       dtd->scaffSize *= 2;
+     } else {
+-      temp = (CONTENT_SCAFFOLD *)MALLOC(parser, INIT_SCAFFOLD_ELEMENTS
+-                                                    * sizeof(CONTENT_SCAFFOLD));
++      temp = MALLOC(parser, INIT_SCAFFOLD_ELEMENTS * sizeof(CONTENT_SCAFFOLD));
+       if (temp == NULL)
+         return -1;
+       dtd->scaffSize = INIT_SCAFFOLD_ELEMENTS;
+@@ -8304,7 +8294,7 @@ build_model(XML_Parser parser) {
+   // NOTE: We are avoiding MALLOC(..) here to so that
+   //       applications that are not using XML_FreeContentModel but plain
+   //       free(..) or .free_fcn() to free the content model's memory are safe.
+-  ret = (XML_Content *)parser->m_mem.malloc_fcn(allocsize);
++  ret = parser->m_mem.malloc_fcn(allocsize);
+   if (! ret)
+     return NULL;
+ 
diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-21.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-21.patch
new file mode 100644
index 0000000000..38bc0d1dd8
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2025-59375-21.patch
@@ -0,0 +1,196 @@
+From 4b43b8dacc96fd538254e17a69abc9745c3a2ed4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping 
+Date: Fri, 19 Sep 2025 23:32:46 +0200
+Subject: [PATCH] lib: Fix alignment of internal allocations for some non-amd64
+ architectures
+
+sparc32 is known to be affected.
+
+CVE: CVE-2025-59375
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/4b43b8dacc96fd538254e17a69abc9745c3a2ed4]
+Signed-off-by: Peter Marko 
+---
+ lib/internal.h      |  6 ++++++
+ lib/xmlparse.c      | 38 ++++++++++++++++++++++----------------
+ tests/alloc_tests.c | 13 ++++++++++---
+ 3 files changed, 38 insertions(+), 19 deletions(-)
+
+diff --git a/lib/internal.h b/lib/internal.h
+index 6e087858..8f5edf48 100644
+--- a/lib/internal.h
++++ b/lib/internal.h
+@@ -108,6 +108,7 @@
+ #endif
+ 
+ #include  // ULONG_MAX
++#include  // size_t
+ 
+ #if defined(_WIN32)                                                            \
+     && (! defined(__USE_MINGW_ANSI_STDIO)                                      \
+@@ -150,6 +151,11 @@
+ #define EXPAT_ALLOC_TRACKER_ACTIVATION_THRESHOLD_DEFAULT                       \
+   67108864 // 64 MiB, 2^26
+ 
++// NOTE: If function expat_alloc was user facing, EXPAT_MALLOC_ALIGNMENT would
++//       have to take sizeof(long double) into account
++#define EXPAT_MALLOC_ALIGNMENT sizeof(long long) // largest parser (sub)member
++#define EXPAT_MALLOC_PADDING ((EXPAT_MALLOC_ALIGNMENT) - sizeof(size_t))
++
+ /* NOTE END */
+ 
+ #include "expat.h" // so we can use type XML_Parser below
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 24fd7b97..ce29ab6f 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -850,14 +850,14 @@ static void *
+ #  endif
+ expat_malloc(XML_Parser parser, size_t size, int sourceLine) {
+   // Detect integer overflow
+-  if (SIZE_MAX - size < sizeof(size_t)) {
++  if (SIZE_MAX - size < sizeof(size_t) + EXPAT_MALLOC_PADDING) {
+     return NULL;
+   }
+ 
+   const XML_Parser rootParser = getRootParserOf(parser, NULL);
+   assert(rootParser->m_parentParser == NULL);
+ 
+-  const size_t bytesToAllocate = sizeof(size_t) + size;
++  const size_t bytesToAllocate = sizeof(size_t) + EXPAT_MALLOC_PADDING + size;
+ 
+   if ((XmlBigCount)-1 - rootParser->m_alloc_tracker.bytesAllocated
+       < bytesToAllocate) {
+@@ -894,7 +894,7 @@ expat_malloc(XML_Parser parser, size_t size, int sourceLine) {
+                     rootParser->m_alloc_tracker.peakBytesAllocated, sourceLine);
+   }
+ 
+-  return (char *)mallocedPtr + sizeof(size_t);
++  return (char *)mallocedPtr + sizeof(size_t) + EXPAT_MALLOC_PADDING;
+ }
+ 
+ #  if defined(XML_TESTING)
+@@ -914,8 +914,9 @@ expat_free(XML_Parser parser, void *ptr, int sourceLine) {
+ 
+   // Extract size (to the eyes of malloc_fcn/realloc_fcn) and
+   // the original pointer returned by malloc/realloc
+-  void *const mallocedPtr = (char *)ptr - sizeof(size_t);
+-  const size_t bytesAllocated = sizeof(size_t) + *(size_t *)mallocedPtr;
++  void *const mallocedPtr = (char *)ptr - EXPAT_MALLOC_PADDING - sizeof(size_t);
++  const size_t bytesAllocated
++      = sizeof(size_t) + EXPAT_MALLOC_PADDING + *(size_t *)mallocedPtr;
+ 
+   // Update accounting
+   assert(rootParser->m_alloc_tracker.bytesAllocated >= bytesAllocated);
+@@ -954,7 +955,7 @@ expat_realloc(XML_Parser parser, void *ptr, size_t size, int sourceLine) {
+ 
+   // Extract original size (to the eyes of the caller) and the original
+   // pointer returned by malloc/realloc
+-  void *mallocedPtr = (char *)ptr - sizeof(size_t);
++  void *mallocedPtr = (char *)ptr - EXPAT_MALLOC_PADDING - sizeof(size_t);
+   const size_t prevSize = *(size_t *)mallocedPtr;
+ 
+   // Classify upcoming change
+@@ -971,10 +972,11 @@ expat_realloc(XML_Parser parser, void *ptr, size_t size, int sourceLine) {
+ 
+   // NOTE: Integer overflow detection has already been done for us
+   //       by expat_heap_increase_tolerable(..) above
+-  assert(SIZE_MAX - sizeof(size_t) >= size);
++  assert(SIZE_MAX - sizeof(size_t) - EXPAT_MALLOC_PADDING >= size);
+ 
+   // Actually allocate
+-  mallocedPtr = parser->m_mem.realloc_fcn(mallocedPtr, sizeof(size_t) + size);
++  mallocedPtr = parser->m_mem.realloc_fcn(
++      mallocedPtr, sizeof(size_t) + EXPAT_MALLOC_PADDING + size);
+ 
+   if (mallocedPtr == NULL) {
+     return NULL;
+@@ -1005,7 +1007,7 @@ expat_realloc(XML_Parser parser, void *ptr, size_t size, int sourceLine) {
+   // Update in-block recorded size
+   *(size_t *)mallocedPtr = size;
+ 
+-  return (char *)mallocedPtr + sizeof(size_t);
++  return (char *)mallocedPtr + sizeof(size_t) + EXPAT_MALLOC_PADDING;
+ }
+ #endif // XML_GE == 1
+ 
+@@ -1337,7 +1339,8 @@ parserCreate(const XML_Char *encodingName,
+   XML_Parser parser = NULL;
+ 
+ #if XML_GE == 1
+-  const size_t increase = sizeof(size_t) + sizeof(struct XML_ParserStruct);
++  const size_t increase
++      = sizeof(size_t) + EXPAT_MALLOC_PADDING + sizeof(struct XML_ParserStruct);
+ 
+   if (parentParser != NULL) {
+     const XML_Parser rootParser = getRootParserOf(parentParser, NULL);
+@@ -1352,11 +1355,13 @@ parserCreate(const XML_Char *encodingName,
+   if (memsuite) {
+     XML_Memory_Handling_Suite *mtemp;
+ #if XML_GE == 1
+-    void *const sizeAndParser = memsuite->malloc_fcn(
+-        sizeof(size_t) + sizeof(struct XML_ParserStruct));
++    void *const sizeAndParser
++        = memsuite->malloc_fcn(sizeof(size_t) + EXPAT_MALLOC_PADDING
++                               + sizeof(struct XML_ParserStruct));
+     if (sizeAndParser != NULL) {
+       *(size_t *)sizeAndParser = sizeof(struct XML_ParserStruct);
+-      parser = (XML_Parser)((char *)sizeAndParser + sizeof(size_t));
++      parser = (XML_Parser)((char *)sizeAndParser + sizeof(size_t)
++                            + EXPAT_MALLOC_PADDING);
+ #else
+     parser = memsuite->malloc_fcn(sizeof(struct XML_ParserStruct));
+     if (parser != NULL) {
+@@ -1369,11 +1374,12 @@ parserCreate(const XML_Char *encodingName,
+   } else {
+     XML_Memory_Handling_Suite *mtemp;
+ #if XML_GE == 1
+-    void *const sizeAndParser
+-        = malloc(sizeof(size_t) + sizeof(struct XML_ParserStruct));
++    void *const sizeAndParser = malloc(sizeof(size_t) + EXPAT_MALLOC_PADDING
++                                       + sizeof(struct XML_ParserStruct));
+     if (sizeAndParser != NULL) {
+       *(size_t *)sizeAndParser = sizeof(struct XML_ParserStruct);
+-      parser = (XML_Parser)((char *)sizeAndParser + sizeof(size_t));
++      parser = (XML_Parser)((char *)sizeAndParser + sizeof(size_t)
++                            + EXPAT_MALLOC_PADDING);
+ #else
+     parser = malloc(sizeof(struct XML_ParserStruct));
+     if (parser != NULL) {
+diff --git a/tests/alloc_tests.c b/tests/alloc_tests.c
+index 644a4952..dabdf0da 100644
+--- a/tests/alloc_tests.c
++++ b/tests/alloc_tests.c
+@@ -2091,6 +2091,13 @@ START_TEST(test_alloc_reset_after_external_entity_parser_create_fail) {
+ }
+ END_TEST
+ 
++#if XML_GE == 1
++static size_t
++sizeRecordedFor(void *ptr) {
++  return *(size_t *)((char *)ptr - EXPAT_MALLOC_PADDING - sizeof(size_t));
++}
++#endif // XML_GE == 1
++
+ START_TEST(test_alloc_tracker_size_recorded) {
+   XML_Memory_Handling_Suite memsuite = {malloc, realloc, free};
+ 
+@@ -2106,16 +2113,16 @@ START_TEST(test_alloc_tracker_size_recorded) {
+     void *ptr = expat_malloc(parser, 10, -1);
+ 
+     assert_true(ptr != NULL);
+-    assert_true(*((size_t *)ptr - 1) == 10);
++    assert_true(sizeRecordedFor(ptr) == 10);
+ 
+     assert_true(expat_realloc(parser, ptr, SIZE_MAX / 2, -1) == NULL);
+ 
+-    assert_true(*((size_t *)ptr - 1) == 10); // i.e. unchanged
++    assert_true(sizeRecordedFor(ptr) == 10); // i.e. unchanged
+ 
+     ptr = expat_realloc(parser, ptr, 20, -1);
+ 
+     assert_true(ptr != NULL);
+-    assert_true(*((size_t *)ptr - 1) == 20);
++    assert_true(sizeRecordedFor(ptr) == 20);
+ 
+     expat_free(parser, ptr, -1);
+ #endif
diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-22.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-22.patch
new file mode 100644
index 0000000000..9716be8084
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2025-59375-22.patch
@@ -0,0 +1,37 @@
+From 5cc0010ad93868ec03248e4ac814272bc7d607bc Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping 
+Date: Fri, 19 Sep 2025 22:50:54 +0200
+Subject: [PATCH] tests: Fix test guard for test related to allocation tracking
+
+CVE: CVE-2025-59375
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/5cc0010ad93868ec03248e4ac814272bc7d607bc]
+Signed-off-by: Peter Marko 
+---
+ tests/alloc_tests.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/tests/alloc_tests.c b/tests/alloc_tests.c
+index dabdf0da..045447b0 100644
+--- a/tests/alloc_tests.c
++++ b/tests/alloc_tests.c
+@@ -2362,14 +2362,12 @@ make_alloc_test_case(Suite *s) {
+   tcase_add_test__ifdef_xml_dtd(
+       tc_alloc, test_alloc_reset_after_external_entity_parser_create_fail);
+ 
+-  tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_tracker_size_recorded);
+-  tcase_add_test__ifdef_xml_dtd(tc_alloc,
+-                                test_alloc_tracker_maximum_amplification);
+-  tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_tracker_threshold);
+-  tcase_add_test__ifdef_xml_dtd(tc_alloc,
+-                                test_alloc_tracker_getbuffer_unlimited);
+-  tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_tracker_api);
++  tcase_add_test__if_xml_ge(tc_alloc, test_alloc_tracker_size_recorded);
++  tcase_add_test__if_xml_ge(tc_alloc, test_alloc_tracker_maximum_amplification);
++  tcase_add_test__if_xml_ge(tc_alloc, test_alloc_tracker_threshold);
++  tcase_add_test__if_xml_ge(tc_alloc, test_alloc_tracker_getbuffer_unlimited);
++  tcase_add_test__if_xml_ge(tc_alloc, test_alloc_tracker_api);
+ 
+   tcase_add_test(tc_alloc, test_mem_api_cycle);
+-  tcase_add_test__ifdef_xml_dtd(tc_alloc, test_mem_api_unlimited);
++  tcase_add_test__if_xml_ge(tc_alloc, test_mem_api_unlimited);
+ }
diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-23.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-23.patch
new file mode 100644
index 0000000000..60327df22b
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2025-59375-23.patch
@@ -0,0 +1,47 @@
+From 343594dc344e543acb7478d1283b50b299a1c110 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping 
+Date: Fri, 19 Sep 2025 22:46:01 +0200
+Subject: [PATCH] tests: Add new test test_alloc_tracker_pointer_alignment
+
+CVE: CVE-2025-59375
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/343594dc344e543acb7478d1283b50b299a1c110]
+Signed-off-by: Peter Marko 
+---
+ tests/alloc_tests.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/tests/alloc_tests.c b/tests/alloc_tests.c
+index 045447b0..5ae6c6a7 100644
+--- a/tests/alloc_tests.c
++++ b/tests/alloc_tests.c
+@@ -2132,6 +2132,22 @@ START_TEST(test_alloc_tracker_size_recorded) {
+ }
+ END_TEST
+ 
++START_TEST(test_alloc_tracker_pointer_alignment) {
++  XML_Parser parser = XML_ParserCreate(NULL);
++#if XML_GE == 1
++  assert_true(sizeof(long long) >= sizeof(size_t)); // self-test
++  long long *const ptr
++      = (long long *)expat_malloc(parser, 4 * sizeof(long long), -1);
++  ptr[0] = 0LL;
++  ptr[1] = 1LL;
++  ptr[2] = 2LL;
++  ptr[3] = 3LL;
++  expat_free(parser, ptr, -1);
++#endif
++  XML_ParserFree(parser);
++}
++END_TEST
++
+ START_TEST(test_alloc_tracker_maximum_amplification) {
+   if (g_reparseDeferralEnabledDefault == XML_TRUE) {
+     return;
+@@ -2363,6 +2379,7 @@ make_alloc_test_case(Suite *s) {
+       tc_alloc, test_alloc_reset_after_external_entity_parser_create_fail);
+ 
+   tcase_add_test__if_xml_ge(tc_alloc, test_alloc_tracker_size_recorded);
++  tcase_add_test__if_xml_ge(tc_alloc, test_alloc_tracker_pointer_alignment);
+   tcase_add_test__if_xml_ge(tc_alloc, test_alloc_tracker_maximum_amplification);
+   tcase_add_test__if_xml_ge(tc_alloc, test_alloc_tracker_threshold);
+   tcase_add_test__if_xml_ge(tc_alloc, test_alloc_tracker_getbuffer_unlimited);
diff --git a/meta/recipes-core/expat/expat/CVE-2025-59375-24.patch b/meta/recipes-core/expat/expat/CVE-2025-59375-24.patch
new file mode 100644
index 0000000000..e51b2bb327
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2025-59375-24.patch
@@ -0,0 +1,36 @@
+From 6fe5df59a1229ca647d365a0e3a7e17fee4d4548 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping 
+Date: Fri, 19 Sep 2025 23:49:18 +0200
+Subject: [PATCH] Changes: Document pull request #1047
+
+CVE: CVE-2025-59375
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/6fe5df59a1229ca647d365a0e3a7e17fee4d4548]
+Signed-off-by: Peter Marko 
+---
+ Changes | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/Changes b/Changes
+index 706a4ae1..58c222d9 100644
+--- a/Changes
++++ b/Changes
+@@ -61,6 +61,9 @@ Patches:
+                     to the pull request URL could be of help.
+ 
+         Bug fixes:
++     #1046 #1047  Fix alignment of internal allocations for some non-amd64
++                    architectures (e.g. sparc32); fixes up on the fix to
++                    CVE-2025-59375 in release 2.7.2 from #1034
+        #980 #989  Restore event pointer behavior from Expat 2.6.4
+                     (that the fix to CVE-2024-8176 changed in 2.7.0);
+                     affected API functions are:
+@@ -76,7 +79,9 @@ Patches:
+ 
+         Special thanks to:
+             Berkay Eren Ürün
++            Rolf Eike Beer
+                  and
++            Clang/GCC UndefinedBehaviorSanitizer
+             Perl XML::Parser
+ 
+         Security fixes:
diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb
index 816beaa8a3..1d2d818ecf 100644
--- a/meta/recipes-core/expat/expat_2.6.4.bb
+++ b/meta/recipes-core/expat/expat_2.6.4.bb
@@ -16,6 +16,31 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2  \
            file://CVE-2024-8176-03.patch \
            file://CVE-2024-8176-04.patch \
            file://CVE-2024-8176-05.patch \
+           file://CVE-2025-59375-00.patch \
+           file://CVE-2025-59375-01.patch \
+           file://CVE-2025-59375-02.patch \
+           file://CVE-2025-59375-03.patch \
+           file://CVE-2025-59375-04.patch \
+           file://CVE-2025-59375-05.patch \
+           file://CVE-2025-59375-06.patch \
+           file://CVE-2025-59375-07.patch \
+           file://CVE-2025-59375-08.patch \
+           file://CVE-2025-59375-09.patch \
+           file://CVE-2025-59375-10.patch \
+           file://CVE-2025-59375-11.patch \
+           file://CVE-2025-59375-12.patch \
+           file://CVE-2025-59375-13.patch \
+           file://CVE-2025-59375-14.patch \
+           file://CVE-2025-59375-15.patch \
+           file://CVE-2025-59375-16.patch \
+           file://CVE-2025-59375-17.patch \
+           file://CVE-2025-59375-18.patch \
+           file://CVE-2025-59375-19.patch \
+           file://CVE-2025-59375-20.patch \
+           file://CVE-2025-59375-21.patch \
+           file://CVE-2025-59375-22.patch \
+           file://CVE-2025-59375-23.patch \
+           file://CVE-2025-59375-24.patch \
            "
 
 GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"

From patchwork Tue Oct 28 13:46:13 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman 
X-Patchwork-Id: 73189
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: 
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id D8FEECCF9E0
	for ; Tue, 28 Oct 2025 13:46:38 +0000 (UTC)
Received: from mail-pl1-f182.google.com (mail-pl1-f182.google.com
 [209.85.214.182])
 by mx.groups.io with SMTP id smtpd.web10.12195.1761659191751676720
 for ;
 Tue, 28 Oct 2025 06:46:31 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=OZJ56b3s;
 spf=softfail (domain: sakoman.com, ip: 209.85.214.182,
 mailfrom: steve@sakoman.com)
Received: by mail-pl1-f182.google.com with SMTP id
 d9443c01a7336-28e7cd6dbc0so74195615ad.0
        for ;
 Tue, 28 Oct 2025 06:46:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1761659191;
 x=1762263991; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=M1rMHSk4Ma1+JajQNBZTOLetMgu49V0nmrUIl005LEI=;
        b=OZJ56b3s8RrbiIPNnpZO/nNGrW6n8nuCTlYiWDJdqlp3Kn5nMX6r5Se+BABh3KdqsR
         sg7k0mRwjA844GCsGiRxUMe6/IWZ1rdGCWCVAe4W6+a0NY9uUpONqQ4BKGC/iq89OBuY
         73xHqnQ7Kn08bV2hz3c3LXp/5dAKpy32Kdt+iC4O1lSebpAFX1Uazqyq4eZ1AuQtR2+7
         +Gwrp5VyOauqW8UQROJy2py8Q8dtKp7+PtloJNHYCPnPb30lOZUBag0lM2SIvZrQ9Mb5
         kKofN425eLfbPoHFtJsHmItyyWwG7bH8PpBujMnPRe6m4aCwUWsia4lpHr0TT3gIjBeZ
         dinA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1761659191; x=1762263991;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=M1rMHSk4Ma1+JajQNBZTOLetMgu49V0nmrUIl005LEI=;
        b=ZyuALGszo2R5bnxnzR1IKlQoxHmKzUigLoKda429UNdq13TjKUdWOFwoLUkdnIwu2q
         EaB2JZE2dYfCSrkOtahETepN49DylEC9zCje4Iv9a3Zo7LdX0XjKcR6e3P4I1iRrrPmk
         gEtuabX7qyQo1iX33xwGv6J4SdOoqeTmczs6J2iMnQertqLKNFkKOJcrx/a1A2h+e87M
         yYULyIQ6rwGf988FzG9TkK/CpbDIAy5/tJoO7KTxFrYmTdaZQbLvSOGI1Ezfp7iI7kgf
         sEI1Xfzn/0b+DAB1LJ1nC06wm9NhMhdsgFNc7mCP5QQqZ1S+lIIsb+0J2dpDcwaLJO4I
         qrRA==
X-Gm-Message-State: AOJu0Yxe2TOExTMHLVzop7U3TjYhp9YGsiptyGAnv2TqzHMBdQ3RHkTG
	x2LerWpJCneUuf4QN0s4pwW4MifSjPab4/iFITIvPA8cNLNQjwup62/jzbna6xZw3uT2yFsn2nd
	acwoT3NU=
X-Gm-Gg: ASbGncvy+iAB0tU9LaaqErtthyqoq23jMS02lMvnVa5/ZO5Sg5dHM2Cw72ghkyI7oAr
	Phu8TL4QfHtPKrxAFZSFy6gLzTUs6lWd60uA6Q5osWEu8ay9BWc8d/wERHu66WGB8sWvBU+NQOh
	/FXeEohOWK+v/G3Hd2LoCB+JVQyvFlgKvFokioakjPaxj0J9zBSHNUHy7GSuKlWT4xb2dMKxf4/
	nq3T6Rw/TV6qOOiUxE70HNaW1qFq9IRE0mwjeCXfmX+q1K2upkwsf1+IJzxc+6IMiUuD9f50Gok
	rnFuwZO4iJjIJfJAA0i5/LyOsoiiEBH6tULNCcH+6wfSqjEdHOCdni4/eTah4jzu2u5bK+tnuyM
	q3VOIGN5ZQn5G0Y14vkj3BWFkfWJTrzbLvlZjYCXuRAe1JnhJOkkRE0NPdz0EEtNCe9g=
X-Google-Smtp-Source: 
 AGHT+IHG9VSALHQDEzwG9ldyMN2mbBY7CA5tpqaS+j/FKUGsojpjvxJ0ByFzhKIafDk6NMmvrImHkQ==
X-Received: by 2002:a17:903:1c8:b0:25b:a5fc:8664 with SMTP id
 d9443c01a7336-294cb687028mr44321815ad.51.1761659190732;
        Tue, 28 Oct 2025 06:46:30 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:2bae:51f5:3bdc:4c68])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-29498d40a7esm119894605ad.70.2025.10.28.06.46.30
        for 
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 28 Oct 2025 06:46:30 -0700 (PDT)
From: Steve Sakoman 
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 3/8] elfutils: Fix CVE-2025-1376
Date: Tue, 28 Oct 2025 06:46:13 -0700
Message-ID: 
 <06e3cd0891f553b0ed036d9247dfa7c5ed814d78.1761596406.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: 
References: 
MIME-Version: 1.0
List-Id: 
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 ; Tue, 28 Oct 2025 13:46:38 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/225402

From: Soumya Sambu 

A vulnerability classified as problematic was found in GNU elfutils 0.192. This
vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c
of the component eu-strip. The manipulation leads to denial of service. It is
possible to launch the attack on the local host. The complexity of an attack is
rather high. The exploitation appears to be difficult. The exploit has been
disclosed to the public and may be used. The name of the patch is
b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to
fix this issue.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-1376

Upstream patch:
https://sourceware.org/git/?p=elfutils.git;a=commit;h=b16f441cca0a4841050e3215a9f120a6d8aea918

Signed-off-by: Soumya Sambu 
Signed-off-by: Steve Sakoman 
---
 .../elfutils/elfutils_0.191.bb                |  1 +
 .../elfutils/files/CVE-2025-1376.patch        | 58 +++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch

diff --git a/meta/recipes-devtools/elfutils/elfutils_0.191.bb b/meta/recipes-devtools/elfutils/elfutils_0.191.bb
index fcb91e41aa..c5f357eb93 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.191.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.191.bb
@@ -28,6 +28,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
            file://CVE-2025-1372.patch \
            file://CVE-2025-1371.patch \
            file://0007-Fix-build-with-gcc-15.patch \
+           file://CVE-2025-1376.patch \
            "
 SRC_URI:append:libc-musl = " \
            file://0003-musl-utils.patch \
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch b/meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch
new file mode 100644
index 0000000000..1f40add305
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch
@@ -0,0 +1,58 @@
+From b16f441cca0a4841050e3215a9f120a6d8aea918 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard 
+Date: Thu, 13 Feb 2025 00:02:32 +0100
+Subject: [PATCH] libelf: Handle elf_strptr on section without any data
+
+In the unlikely situation that elf_strptr was called on a section with
+sh_size already set, but that doesn't have any data yet we could crash
+trying to verify the string to return.
+
+This could happen for example when a new section was created with
+elf_newscn, but no data having been added yet.
+
+        * libelf/elf_strptr.c (elf_strptr): Check strscn->rawdata_base
+        is not NULL.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=32672
+
+Signed-off-by: Mark Wielaard 
+
+CVE: CVE-2025-1376
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=commit;h=b16f441cca0a4841050e3215a9f120a6d8aea918]
+
+Signed-off-by: Soumya Sambu 
+---
+ libelf/elf_strptr.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/libelf/elf_strptr.c b/libelf/elf_strptr.c
+index c5a94f8..7be7f5e 100644
+--- a/libelf/elf_strptr.c
++++ b/libelf/elf_strptr.c
+@@ -1,5 +1,6 @@
+ /* Return string pointer from string section.
+    Copyright (C) 1998-2002, 2004, 2008, 2009, 2015 Red Hat, Inc.
++   Copyright (C) 2025 Mark J. Wielaard 
+    This file is part of elfutils.
+    Contributed by Ulrich Drepper , 1998.
+ 
+@@ -183,9 +184,12 @@ elf_strptr (Elf *elf, size_t idx, size_t offset)
+       // initialized yet (when data_read is zero). So we cannot just
+       // look at the rawdata.d.d_size.
+ 
+-      /* Make sure the string is NUL terminated.  Start from the end,
+-	 which very likely is a NUL char.  */
+-      if (likely (validate_str (strscn->rawdata_base, offset, sh_size)))
++      /* First check there actually is any data.  This could be a new
++         section which hasn't had any data set yet.  Then make sure
++         the string is at a valid offset and NUL terminated.  */
++      if (unlikely (strscn->rawdata_base == NULL))
++	__libelf_seterrno (ELF_E_INVALID_SECTION);
++      else if (likely (validate_str (strscn->rawdata_base, offset, sh_size)))
+ 	result = &strscn->rawdata_base[offset];
+       else
+ 	__libelf_seterrno (ELF_E_INVALID_INDEX);
+-- 
+2.40.0
+

From patchwork Tue Oct 28 13:46:14 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman 
X-Patchwork-Id: 73190
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: 
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id E46A3CCF9EE
	for ; Tue, 28 Oct 2025 13:46:38 +0000 (UTC)
Received: from mail-pl1-f171.google.com (mail-pl1-f171.google.com
 [209.85.214.171])
 by mx.groups.io with SMTP id smtpd.web11.9354.1761659193136208852
 for ;
 Tue, 28 Oct 2025 06:46:33 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=zyfpYkBb;
 spf=softfail (domain: sakoman.com, ip: 209.85.214.171,
 mailfrom: steve@sakoman.com)
Received: by mail-pl1-f171.google.com with SMTP id
 d9443c01a7336-26e68904f0eso64631375ad.0
        for ;
 Tue, 28 Oct 2025 06:46:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1761659192;
 x=1762263992; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=jBxWFGkS0l0lhN6tGr++gCo5vVTFWdqpxlJ7/HD9sNI=;
        b=zyfpYkBbncIwVZeFrTN2Q0MQkQwp1Qc2ghgTZhpHStcuv50HLDdK0XK+EYaaoJG4s2
         QGrBOLCsypvVcN8iQzreqqQR4VNQAvk8C3sZBGUY64wuWswUk4dGJAs2ET16/+nVcR0o
         yE2mFc2T3HDwNNcw01A0+aVxFu0jhMl7wY7r05eIYXFEwxOSjXMwgEb1pT4jdgepi7hi
         9VKB3mIMIxs69zM3BQvK6+6wtGFVP5SbYTunPwryBAu+LLk0ULHkT2siEiDHV/yOo8AH
         fcO8SKNV21/xeDs3M3bnSFqjCB/KJtdgZ4KeR7VgfSwossho3z5NXR2MYXJlRyn/3QQs
         Solg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1761659192; x=1762263992;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=jBxWFGkS0l0lhN6tGr++gCo5vVTFWdqpxlJ7/HD9sNI=;
        b=Tb92sV/6u4zHB+Kd6IfyCECEH2GkYNtSBfl4st0UE4SgmlnTGDRXwnZKR7lTmjq/Y6
         bXHgNy079apSjZMkGkdIxJbZ4LmrQ5/HkX7y5qy7Q8b//21bAspRJ2sQSN7l26PA6ljP
         qAcrWBq/YQs3vmpTKu4x3L/dtuLK941jNImG1rSD4m2hwNFD/WfR5y3JKJgvFaTiphTD
         P0aysykCqZQxx3uX68hipL7BKaVDPMf1+smBmCWVtVbi+LgociM0VTh4LOfhUiuSoP4o
         zLfXwXF4XqjhjzZ6KQ5tNgkyQzq+sVjoZNNjbvgzuZeRVEQfhj1z0qyy/hpxASZfbBjP
         Hf5g==
X-Gm-Message-State: AOJu0YwWbpVI8poORAOvK9o2oA9VzSKfy5qbb8eIkRv1Txh9DZyE+GUN
	50fR/r3OZz3QkJrgChTgOm6HIxEaTx5l++8TgJSHMbMozjQckVIZwwHtFWN5gbsinIIJNqyykd8
	gMdcDZb8=
X-Gm-Gg: ASbGncvw4vYgFQMGu35WnUEIdBAgtMP2kFPKLTRDY5NcmNmMMp1ZJW1agfk5oTiDK8M
	sjj0jrDNh/IEezY78qYGv94i+46x8Iecsl8SxDtIPv9fyfDADnd3s3uarKglEwfepNGdKh1JWK3
	n0+lgGuGnmLLKCZjlgakzt6U58F31bnLeK4aND/2As/pWCZnYAogppeVgby4BdRvcBkCRAoksW0
	mLiaGhv1ZjfWEwpuVg7e52sIiQlrF8L1I8xKGBQvTYVyz9b2HLwoipr0Pgyh8UA20jSliAVtASE
	qohKuRLz+yoE98J5MEYAWf9UVTUh2yVyZ5o0uIbXGmp3grdcueDwoG4Vgow/L/9Kcd1NZGTkssn
	ApjPz9ABDwDyMiNpqwSVEP3fv5ztWl7TI93cLSYk/hpf1sKMBFHJUfOVTsp5bbHYQDmHeTj34xJ
	WRLw==
X-Google-Smtp-Source: 
 AGHT+IHP7UI72a4Dcn4yNWhytNzHqdUyL9lvXheDW6rOofcaJ26XAEEzIa8EoZV/eojVNAl263kj5Q==
X-Received: by 2002:a17:902:d4cc:b0:28a:8ae7:4034 with SMTP id
 d9443c01a7336-294cb3d0b60mr46284815ad.25.1761659192224;
        Tue, 28 Oct 2025 06:46:32 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:2bae:51f5:3bdc:4c68])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-29498d40a7esm119894605ad.70.2025.10.28.06.46.31
        for 
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 28 Oct 2025 06:46:31 -0700 (PDT)
From: Steve Sakoman 
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 4/8] elfutils: Fix CVE-2025-1377
Date: Tue, 28 Oct 2025 06:46:14 -0700
Message-ID: 
 
X-Mailer: git-send-email 2.43.0
In-Reply-To: 
References: 
MIME-Version: 1.0
List-Id: 
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 ; Tue, 28 Oct 2025 13:46:38 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/225404

From: Soumya Sambu 

A vulnerability, which was classified as problematic, has been found in GNU elfutils
0.192. This issue affects the function gelf_getsymshndx of the file strip.c of the
component eu-strip. The manipulation leads to denial of service. The attack needs to
be approached locally. The exploit has been disclosed to the public and may be used.
The identifier of the patch is fbf1df9ca286de3323ae541973b08449f8d03aba. It is
recommended to apply a patch to fix this issue.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-1377

Upstream patch:
https://sourceware.org/git/?p=elfutils.git;a=fbf1df9ca286de3323ae541973b08449f8d03aba

Signed-off-by: Soumya Sambu 
Signed-off-by: Steve Sakoman 
---
 .../elfutils/elfutils_0.191.bb                |  1 +
 .../elfutils/files/CVE-2025-1377.patch        | 69 +++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1377.patch

diff --git a/meta/recipes-devtools/elfutils/elfutils_0.191.bb b/meta/recipes-devtools/elfutils/elfutils_0.191.bb
index c5f357eb93..0fd6d31af1 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.191.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.191.bb
@@ -29,6 +29,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
            file://CVE-2025-1371.patch \
            file://0007-Fix-build-with-gcc-15.patch \
            file://CVE-2025-1376.patch \
+           file://CVE-2025-1377.patch \
            "
 SRC_URI:append:libc-musl = " \
            file://0003-musl-utils.patch \
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2025-1377.patch b/meta/recipes-devtools/elfutils/files/CVE-2025-1377.patch
new file mode 100644
index 0000000000..31a9ec33f2
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2025-1377.patch
@@ -0,0 +1,69 @@
+From fbf1df9ca286de3323ae541973b08449f8d03aba Mon Sep 17 00:00:00 2001
+From: Mark Wielaard 
+Date: Thu, 13 Feb 2025 14:59:34 +0100
+Subject: [PATCH] strip: Verify symbol table is a real symbol table
+
+We didn't check the symbol table referenced from the relocation table
+was a real symbol table. This could cause a crash if that section
+happened to be an SHT_NOBITS section without any data. Fix this by
+adding an explicit check.
+
+       * src/strip.c (INTERNAL_ERROR_MSG): New macro that takes a
+       message string to display.
+       (INTERNAL_ERROR): Use INTERNAL_ERROR_MSG with elf_errmsg (-1).
+       (remove_debug_relocations): Check the sh_link referenced
+       section is real and isn't a SHT_NOBITS section.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=32673
+
+Signed-off-by: Mark Wielaard 
+
+CVE: CVE-2025-1377
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=fbf1df9ca286de3323ae541973b08449f8d03aba]
+
+Signed-off-by: Soumya Sambu 
+---
+ src/strip.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/strip.c b/src/strip.c
+index 6436443..16922e9 100644
+--- a/src/strip.c
++++ b/src/strip.c
+@@ -126,13 +126,14 @@ static char *tmp_debug_fname = NULL;
+ /* Close debug file descriptor, if opened. And remove temporary debug file.  */
+ static void cleanup_debug (void);
+ 
+-#define INTERNAL_ERROR(fname) \
++#define INTERNAL_ERROR_MSG(fname, msg) \
+   do { \
+     cleanup_debug (); \
+     error_exit (0, _("%s: INTERNAL ERROR %d (%s): %s"),			\
+-		fname, __LINE__, PACKAGE_VERSION, elf_errmsg (-1));	\
++		fname, __LINE__, PACKAGE_VERSION, msg);	\
+   } while (0)
+ 
++#define INTERNAL_ERROR(fname) INTERNAL_ERROR_MSG(fname, elf_errmsg (-1))
+ 
+ /* Name of the output file.  */
+ static const char *output_fname;
+@@ -631,7 +632,14 @@ remove_debug_relocations (Ebl *ebl, Elf *elf, GElf_Ehdr *ehdr,
+ 	     resolve relocation symbol indexes.  */
+ 	  Elf64_Word symt = shdr->sh_link;
+ 	  Elf_Data *symdata, *xndxdata;
+-	  Elf_Scn * symscn = elf_getscn (elf, symt);
++	  Elf_Scn *symscn = elf_getscn (elf, symt);
++	  GElf_Shdr symshdr_mem;
++	  GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
++	  if (symshdr == NULL)
++	    INTERNAL_ERROR (fname);
++	  if (symshdr->sh_type == SHT_NOBITS)
++	    INTERNAL_ERROR_MSG (fname, "NOBITS section");
++
+ 	  symdata = elf_getdata (symscn, NULL);
+ 	  xndxdata = get_xndxdata (elf, symscn);
+ 	  if (symdata == NULL)
+-- 
+2.40.0
+

From patchwork Tue Oct 28 13:46:15 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Steve Sakoman 
X-Patchwork-Id: 73191
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: 
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id F0974CCF9F0
	for ; Tue, 28 Oct 2025 13:46:38 +0000 (UTC)
Received: from mail-pg1-f169.google.com (mail-pg1-f169.google.com
 [209.85.215.169])
 by mx.groups.io with SMTP id smtpd.web10.12196.1761659194742036198
 for ;
 Tue, 28 Oct 2025 06:46:34 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=SxSGMXU+;
 spf=softfail (domain: sakoman.com, ip: 209.85.215.169,
 mailfrom: steve@sakoman.com)
Received: by mail-pg1-f169.google.com with SMTP id
 41be03b00d2f7-b6cea7c527bso5839215a12.3
        for ;
 Tue, 28 Oct 2025 06:46:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1761659194;
 x=1762263994; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=vtBBpd63X0+tV2ApqJLqYTGy27BXdj7CbLrnde/NV8o=;
        b=SxSGMXU+ApbGxT2FytG9SrgmEzqMLV2MzgUohUZI7yTI03its51O99SdJAEdijUdD0
         8nWtRVxQ1pTtElxFkzBhFPC/xSoT6meOgG26WKkJLhLa595jlkLaXVWHh+i1gzog7k3C
         fcvy1hQU3BIw962UnMwFebAT65BW43PAYLqMrcAy8ybf7124ZF+ugFGbzq0zoRlh/S0b
         QwRtXriBKz9D18728NzfFcPw94XzhYR9dOEYeKja0BJJyGPF5RC3MZOfF9FZxBmrMibS
         J1meueTyWDP6TQI3C6ROsyA+4k/SGzXJI4C6gzE2Pv2wAyz4yXYIi7qBO0lfex3U0OSv
         n7nQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1761659194; x=1762263994;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=vtBBpd63X0+tV2ApqJLqYTGy27BXdj7CbLrnde/NV8o=;
        b=cikAalXShQQhDNkujW68b9LF5bnRbk12Jv4KnPA+CT89y3SrzKM1e0GNUyEP9NN3J5
         UCkWKezJ/+aYpxHa/GccEmVeb7jR7r3MavIOesPjdqdonzOMmP6qGyndy1t3aePDQXdA
         eM9LDaSGrKNaO04WHG6/2Mbhclgx3mXZ0C6UdlcuPliPhdib6n0PDgDXoeQmlAGd7bN6
         pM56APfU8p3B63JY29Yt7WGrBIei6nSk2rDB8dFuU2k+woysOWuRjmwVDFw7xJrFRbar
         g6+JPQAw11oFH8tQuJDyHSNcG88V/sQRNbCq87Ad1zNcHf7jlKuy3ht8cBhEhdW2DrcO
         S7zw==
X-Gm-Message-State: AOJu0YxuaQmBT///JthEmsKKN74Bo5v6X1iJ0bH1A+w92f2uulk0isV1
	hjhtLAdjJYDPE5266BllCYnifznGAgOJcNXzKd5jQA6yOjWDUlLAC4NVIpeMofru40J9AhDWcvh
	e9+iqKDk=
X-Gm-Gg: ASbGncuQbczuRTchV4KHp1u1GhgKUzHRYupJp8a5+IkAOn9iiO5l12jaxclekN5iI2m
	7loW8AGWjwGpa08SYGDxoln1BcxEA5ZVpEct1lXitKKNB4baPpgh7nIM7zSdvBG3a9g5iP8AJyT
	HxYlPCNyvqy1MRMlVHrR8QxkStJvBaplK44pRFHitEXpSDJ+oD/d/MU6cU5fnl9KsIZuE1FSWJh
	3lPAlebnPdlGQpSKHpLRUS5IEudtDDdlQhdV0iwTH4nXG6sGwj/py8SlA2PnRdIqafcql+DHrQn
	xelyizLkZfo+AAhm7oOlSyVKz44lllnw65XWi8eV+HloB97+8xvkDmZchq+wFQ8SV6Q28Pc7FWe
	/1N9g8hMgOab7/b7pW4gC5ct5EVQ6NHED21zLO6edu1LXvuYVYUpIxIbu1krdXq+9wLs=
X-Google-Smtp-Source: 
 AGHT+IEbb3QC7EdBxvMXHdgZ1kgiiQ9/4LkgMw3OoC/S5Ujnubyjw0ZXKKeMPbKOn/3jXemH7QnP9A==
X-Received: by 2002:a17:902:c94d:b0:25e:37ed:d15d with SMTP id
 d9443c01a7336-294cac97ed3mr43219075ad.0.1761659193927;
        Tue, 28 Oct 2025 06:46:33 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:2bae:51f5:3bdc:4c68])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-29498d40a7esm119894605ad.70.2025.10.28.06.46.33
        for 
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 28 Oct 2025 06:46:33 -0700 (PDT)
From: Steve Sakoman 
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 5/8] flex: fix build with gcc-15 on host
Date: Tue, 28 Oct 2025 06:46:15 -0700
Message-ID: 
 
X-Mailer: git-send-email 2.43.0
In-Reply-To: 
References: 
MIME-Version: 1.0
List-Id: 
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 ; Tue, 28 Oct 2025 13:46:38 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/225405

From: Martin Jansa 

* fixes:
  http://errors.yoctoproject.org/Errors/Details/853017/

../../flex-2.6.4/src/../lib/malloc.c:6:12: warning: conflicting types for built-in function ‘malloc’; expected ‘void *(long unsigned int)’ [-Wbuiltin-declaration-mismatch]
    6 |      void *malloc ();
      |            ^~~~~~
../../flex-2.6.4/src/../lib/malloc.c:5:1: note: ‘malloc’ is declared in header ‘’
    4 |      #include 
  +++ |+#include 
    5 |
../../flex-2.6.4/src/../lib/malloc.c: In function ‘rpl_malloc’:
../../flex-2.6.4/src/../lib/malloc.c:16:15: error: too many arguments to function ‘malloc’; expected 0, have 1
   16 |        return malloc (n);
      |               ^~~~~~  ~
../../flex-2.6.4/src/../lib/malloc.c:6:12: note: declared here
    6 |      void *malloc ();
      |            ^~~~~~
make[2]: *** [Makefile:1431: ../lib/stage1flex-malloc.o] Error 1

Signed-off-by: Martin Jansa 
Signed-off-by: Richard Purdie 
Signed-off-by: Steve Sakoman 
---
 ...01-Match-malloc-signature-to-its-use.patch | 25 +++++++++++++++++++
 meta/recipes-devtools/flex/flex_2.6.4.bb      |  1 +
 2 files changed, 26 insertions(+)
 create mode 100644 meta/recipes-devtools/flex/flex/0001-Match-malloc-signature-to-its-use.patch

diff --git a/meta/recipes-devtools/flex/flex/0001-Match-malloc-signature-to-its-use.patch b/meta/recipes-devtools/flex/flex/0001-Match-malloc-signature-to-its-use.patch
new file mode 100644
index 0000000000..fc3b8c563d
--- /dev/null
+++ b/meta/recipes-devtools/flex/flex/0001-Match-malloc-signature-to-its-use.patch
@@ -0,0 +1,25 @@
+From cec508013706ef06dbac036905a90cbe075fa03d Mon Sep 17 00:00:00 2001
+From: Richard Barnes 
+Date: Wed, 2 Oct 2024 10:35:09 -0700
+Subject: [PATCH] Match `malloc` signature to its use
+
+Upstream-Status: Submitted [https://github.com/westes/flex/pull/674]
+
+Signed-off-by: Martin Jansa 
+---
+ lib/malloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/malloc.c b/lib/malloc.c
+index 75e8ef9..701b9b3 100755
+--- a/lib/malloc.c
++++ b/lib/malloc.c
+@@ -3,7 +3,7 @@
+      
+      #include 
+      
+-     void *malloc ();
++     void *malloc (size_t n);
+      
+      /* Allocate an N-byte block of memory from the heap.
+         If N is zero, allocate a 1-byte block.  */
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb
index f7d4ef1f08..52543b6e02 100644
--- a/meta/recipes-devtools/flex/flex_2.6.4.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.4.bb
@@ -19,6 +19,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/flex-${PV}.tar.gz \
            file://0001-build-AC_USE_SYSTEM_EXTENSIONS-in-configure.ac.patch \
            file://check-funcs.patch \
            file://0001-Emit-no-line-directives-if-gen_line_dirs-is-false.patch \
+           file://0001-Match-malloc-signature-to-its-use.patch \
            "
 
 SRC_URI[md5sum] = "2882e3179748cc9f9c23ec593d6adc8d"

From patchwork Tue Oct 28 13:46:16 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman 
X-Patchwork-Id: 73193
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: 
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 06E97CCF9F2
	for ; Tue, 28 Oct 2025 13:46:39 +0000 (UTC)
Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com
 [209.85.214.179])
 by mx.groups.io with SMTP id smtpd.web11.9356.1761659196419614970
 for ;
 Tue, 28 Oct 2025 06:46:36 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=q9UT37/y;
 spf=softfail (domain: sakoman.com, ip: 209.85.214.179,
 mailfrom: steve@sakoman.com)
Received: by mail-pl1-f179.google.com with SMTP id
 d9443c01a7336-29490944023so41954695ad.3
        for ;
 Tue, 28 Oct 2025 06:46:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1761659196;
 x=1762263996; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=e80B4dowYD7M/NSiNQSgZHNH4A798avMYirIYBmLw04=;
        b=q9UT37/ygPG3DYm1neTugibEzx2gahb1HTvUgi1s7xVh9ksWekHSeEeAuljutqI4A4
         rtm2nzUOX20314CAaPKuxzjLwvjtxrthA8GKNyTHHLHyIToN3UMZPgh7hDPwubBhOJws
         R8zOnBXtEA//eFEbpJqlm56cqoNSud+i2RI0k0WZX444QpzlqZHAnHTIv6u813W2AlU8
         KCR1Nu/5RLD9lKvT5dVZquRIRBc1crckqPa/9p1ptscpfvrxT5HMgsiRT4W1KXXf5z98
         A429wTczw8vp5P4HrN4xo7jU6N/pxvp0biNOtEaf/858RlseQOwN84kYul+3bvzwh9pi
         OWBQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1761659196; x=1762263996;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=e80B4dowYD7M/NSiNQSgZHNH4A798avMYirIYBmLw04=;
        b=p5fMqiy8AS3wzCK1ncLhOeDZEV4/HygHPKfXImu+DmgUJh0Bs+MAIrVJjSJnYSNc+h
         JhxvGLjb/8H+eT40qgULYMzuXYyC8in0pdyKgHiuVmnyV8PFjXD8MneCjF7PQ1ctvRt8
         dTsMHQeqTr8mGs26vUWCETtL1Tj9c9eF5AwYA5Zis3OpuLGsSR0g7SGINxRVtYLGcbCy
         p1KQ8MTjKZGHaC/XJ7n/pj38f8+KgkR3I4oTF2+UqV5Sp8oLZVXjgV1BAKn99F/h7eyx
         EY639HcCZmpobwgGXframJ9SyF7ZpOpU7pjWU+FcCsz38aDmQ6HBhFUZka2MG5GKOTNc
         Ok6w==
X-Gm-Message-State: AOJu0YzNUR6LVShIwlDy6upXpcPsnW3tgMRJRBimVey0cSzdwf/X7Vqt
	kIuuT4i+AfbujLCANP2kNFmKi+LCxMJTSsWZJhLWCtYSFvhBuCeIPCkxGIHivt4zZRn2dyiigp8
	N6LO7GIY=
X-Gm-Gg: ASbGncvvV+85qa1bWBI+IEhaPlnygxbhWukCCw+3wf/rBrbwp/0/iQNPbVM3mhAoOuL
	zjpUpOGVKMMBjysIIsW181BurxTN7UhHdUiDCTNoftqDnmUEp6XmwQIsAh8I6q803186RVL8UGH
	vJlBkqiuKuh51IIgTxVTMBTsLQdBIvOcck30aYB4lJPoqc46eWkAJGLI7ZJTG6Lq/WbMFZp45/Y
	glfFnyC4oUPOfai2oCDdVwOLPWiNtxg2kcYFQxv3GR/8kek6PnX1swIEAicpHjcNfvbYzUXh6cs
	+8l5DvcrF3wGedt/47pwSiqnIsEs6sqQHeug2HgOFYi6A1eY6bgnY6MHy59UJPNtSmYFWItOJ/L
	Y65DvbRqHAm+sniT8xsHJouO+r6r2PNTqWs3BFCa+50baWV37KcPU/+yxGJsyge/jWqQ=
X-Google-Smtp-Source: 
 AGHT+IGUt+qcHW0Osc0o0PLKZgTM6xvuJugOJveUpU1yV0/Y5GzLxYXec3OYFbYYSerfb+16nwXS2Q==
X-Received: by 2002:a17:902:cec2:b0:290:ac36:2ece with SMTP id
 d9443c01a7336-294cb3c8f9amr50294475ad.18.1761659195616;
        Tue, 28 Oct 2025 06:46:35 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:2bae:51f5:3bdc:4c68])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-29498d40a7esm119894605ad.70.2025.10.28.06.46.35
        for 
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 28 Oct 2025 06:46:35 -0700 (PDT)
From: Steve Sakoman 
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 6/8] gstreamer1.0-plugins-bad: fix buffer
 allocation fail for v4l2codecs
Date: Tue, 28 Oct 2025 06:46:16 -0700
Message-ID: 
 <1be0de000bb852f1acc9644c1cb702336d7fdd61.1761596406.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: 
References: 
MIME-Version: 1.0
List-Id: 
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 ; Tue, 28 Oct 2025 13:46:39 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/225406

From: Daniel Semkowicz 

There is a bug in GStreamer 1.22 that prevents video playback when
some of the v4l2codecs are paired with sinks that do not support
GstVideoMeta. This is the case of the Qt 6.9 sink used by some
of the Qt components.

For example, when the v4l2codecs-vp8dec decoder is paired with
QMediaPlayer, video playback fails to start with the following error:

  WARN   videodecoder gstvideodecoder.c:4409:gst_video_decoder_negotiate_pool: Subclass failed to decide allocation
  ERROR  videodecoder gstvideodecoder.c:4635:gst_video_decoder_allocate_output_buffer: Failed to allocate the buffer..
  WARN   videodecoder gstvideodecoder.c:4409:gst_video_decoder_negotiate_pool: Subclass failed to decide allocation
  WARN  matroskademux matroska-demux.c:6131:gst_matroska_demux_loop: error: Internal data stream error.
  WARN  matroskademux matroska-demux.c:6131:gst_matroska_demux_loop: error: streaming stopped, reason not-negotiated (-4)

This problem is already fixed in GStreamer 1.24, so backport the fix.
This fixes the buffer allocation failure for H.264, H.265, and VP8.

CC: Steve Sakoman 
CC: Anuj Mittal 
Signed-off-by: Daniel Semkowicz 
Signed-off-by: Steve Sakoman 
---
 ...s-chain-up-to-parent-decide_allocati.patch | 87 +++++++++++++++++++
 .../gstreamer1.0-plugins-bad_1.22.12.bb       |  1 +
 2 files changed, 88 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/0005-v4l2codecs-Always-chain-up-to-parent-decide_allocati.patch

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/0005-v4l2codecs-Always-chain-up-to-parent-decide_allocati.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/0005-v4l2codecs-Always-chain-up-to-parent-decide_allocati.patch
new file mode 100644
index 0000000000..8906b55082
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/0005-v4l2codecs-Always-chain-up-to-parent-decide_allocati.patch
@@ -0,0 +1,87 @@
+From 4e96cc4df0b6807cb487368afca64e022078ed6a Mon Sep 17 00:00:00 2001
+From: James Cowgill 
+Date: Sun, 14 May 2023 13:23:17 +0100
+Subject: [PATCH] v4l2codecs: Always chain up to parent decide_allocation
+ function
+
+The `gst_video_decoder_negotiate_pool` function expects the
+`decide_allocation` function to always provide a pool and will fail to
+negotiate if the pool is missing. If we return immediately (even if we
+don't need to do anything special) negotiation will fail if the
+downstream element does not propose a pool.
+
+Fix by chaining up to the default `decide_allocation` function which
+adds a fallback pool if one was not already proposed.
+
+Part-of: 
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/70ff80a873d8202329df1731c06f1bfed464ad2a]
+Signed-off-by: Daniel Semkowicz 
+---
+ sys/v4l2codecs/gstv4l2codech264dec.c | 3 ++-
+ sys/v4l2codecs/gstv4l2codech265dec.c | 3 ++-
+ sys/v4l2codecs/gstv4l2codecvp8dec.c  | 3 ++-
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/sys/v4l2codecs/gstv4l2codech264dec.c b/sys/v4l2codecs/gstv4l2codech264dec.c
+index 1a6b144e9b..bd9041533b 100644
+--- a/sys/v4l2codecs/gstv4l2codech264dec.c
++++ b/sys/v4l2codecs/gstv4l2codech264dec.c
+@@ -417,7 +417,7 @@ gst_v4l2_codec_h264_dec_decide_allocation (GstVideoDecoder * decoder,
+   /* If we are streaming here, then it means there is nothing allocation
+    * related in the new state and allocation can be ignored */
+   if (self->streaming)
+-    return TRUE;
++    goto no_internal_changes;
+ 
+   self->has_videometa = gst_query_find_allocation_meta (query,
+       GST_VIDEO_META_API_TYPE, NULL);
+@@ -452,6 +452,7 @@ gst_v4l2_codec_h264_dec_decide_allocation (GstVideoDecoder * decoder,
+ 
+   self->src_pool = gst_v4l2_codec_pool_new (self->src_allocator, &self->vinfo);
+ 
++no_internal_changes:
+   /* Our buffer pool is internal, we will let the base class create a video
+    * pool, and use it if we are running out of buffers or if downstream does
+    * not support GstVideoMeta */
+diff --git a/sys/v4l2codecs/gstv4l2codech265dec.c b/sys/v4l2codecs/gstv4l2codech265dec.c
+index 8d70d05220..3f0c08d6a4 100644
+--- a/sys/v4l2codecs/gstv4l2codech265dec.c
++++ b/sys/v4l2codecs/gstv4l2codech265dec.c
+@@ -446,7 +446,7 @@ gst_v4l2_codec_h265_dec_decide_allocation (GstVideoDecoder * decoder,
+   guint min = 0;
+ 
+   if (self->streaming)
+-    return TRUE;
++    goto no_internal_changes;
+ 
+   self->has_videometa = gst_query_find_allocation_meta (query,
+       GST_VIDEO_META_API_TYPE, NULL);
+@@ -465,6 +465,7 @@ gst_v4l2_codec_h265_dec_decide_allocation (GstVideoDecoder * decoder,
+       GST_PAD_SRC, self->min_pool_size + min + 1);
+   self->src_pool = gst_v4l2_codec_pool_new (self->src_allocator, &self->vinfo);
+ 
++no_internal_changes:
+   /* Our buffer pool is internal, we will let the base class create a video
+    * pool, and use it if we are running out of buffers or if downstream does
+    * not support GstVideoMeta */
+diff --git a/sys/v4l2codecs/gstv4l2codecvp8dec.c b/sys/v4l2codecs/gstv4l2codecvp8dec.c
+index ba63a029df..bdea1fdf76 100644
+--- a/sys/v4l2codecs/gstv4l2codecvp8dec.c
++++ b/sys/v4l2codecs/gstv4l2codecvp8dec.c
+@@ -284,7 +284,7 @@ gst_v4l2_codec_vp8_dec_decide_allocation (GstVideoDecoder * decoder,
+   guint num_bitstream;
+ 
+   if (self->streaming)
+-    return TRUE;
++    goto no_internal_changes;
+ 
+   self->has_videometa = gst_query_find_allocation_meta (query,
+       GST_VIDEO_META_API_TYPE, NULL);
+@@ -319,6 +319,7 @@ gst_v4l2_codec_vp8_dec_decide_allocation (GstVideoDecoder * decoder,
+ 
+   self->src_pool = gst_v4l2_codec_pool_new (self->src_allocator, &self->vinfo);
+ 
++no_internal_changes:
+   /* Our buffer pool is internal, we will let the base class create a video
+    * pool, and use it if we are running out of buffers or if downstream does
+    * not support GstVideoMeta */
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.12.bb
index e4fa2a412f..f6d0711bd8 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.12.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.12.bb
@@ -9,6 +9,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
            file://0001-fix-maybe-uninitialized-warnings-when-compiling-with.patch \
            file://0002-avoid-including-sys-poll.h-directly.patch \
            file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \
+           file://0005-v4l2codecs-Always-chain-up-to-parent-decide_allocati.patch \
            file://CVE-2025-3887-1.patch \
            file://CVE-2025-3887-2.patch \
            "

From patchwork Tue Oct 28 13:46:17 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Steve Sakoman 
X-Patchwork-Id: 73192
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: 
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 07DB3CCF9F4
	for ; Tue, 28 Oct 2025 13:46:39 +0000 (UTC)
Received: from mail-pg1-f175.google.com (mail-pg1-f175.google.com
 [209.85.215.175])
 by mx.groups.io with SMTP id smtpd.web10.12198.1761659198116625990
 for ;
 Tue, 28 Oct 2025 06:46:38 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=sMC0ukgv;
 spf=softfail (domain: sakoman.com, ip: 209.85.215.175,
 mailfrom: steve@sakoman.com)
Received: by mail-pg1-f175.google.com with SMTP id
 41be03b00d2f7-b6cf1a9527fso3150550a12.1
        for ;
 Tue, 28 Oct 2025 06:46:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1761659197;
 x=1762263997; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=jU/HWeoN20d4gDolMMEvRt5eLM7PgXLmntE10pD+eIY=;
        b=sMC0ukgvukaW5NTuoBo3n5qpqVuH8bm82wWrIj10UzF6IvfqX9DxVDWPjKLLJpeWyz
         c1/T5o1Z8wYkBPMfL7xmy+FQNMAtJY88sJG0oeHXaAAbaG8m4JxAeRUgshB0fvxFHgHh
         pc+bsychq4aTGVHtjcNdOutt94ewww8dXkYEvtMjtI6S/uMlGzx0okyFE8aqOvKTiwqP
         bnOVem8+TpZQElFHSflUVydGGWRWYuBL3KCjYsoKmvSqZ+qZYgRpzVAbXYaAtUcsDAZp
         CI2lYzxpCD2wbVi6zd24ZKI5sCEPrxHTU467VqmVYW6oKmyxwHC2VGXlle0xfZi7efje
         Hpwg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1761659197; x=1762263997;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=jU/HWeoN20d4gDolMMEvRt5eLM7PgXLmntE10pD+eIY=;
        b=oQkgOkKdIv066wxV3WUZs64Zw7uPeZgzHSKvyEcsXHRvsMz9qdzugQb3BozTY1Di5m
         WJFeT1qdB5y4rpJRf7hFOhKHUxek1QXpuCYzav36mdGhE5tTy3qJeVM3tCd2K5+ntopu
         NXWw569JXCBgIIF/RWFq51Pim8ey5sJAQZLC5Qyqlv0ePx61nPq5WFL2VTj7Ok4gE0so
         WUVPtRe1PP/Y+TTDoRv7oYOnYqN5KjUacp1scAQi8AVlBfo86MGsAzJJckCgBzX2MIlJ
         5q/k6e95HDCAhtAip50ivvI3TGCEKyUB5l6wDkhIVSxy7I4w5iVjob0GfvagH+uSfZg0
         DkTg==
X-Gm-Message-State: AOJu0YzklpWDrcQ5/NK9VS3GWpZMwaFN0JpgAcv2N3RDK4w7orMIMsIo
	q+aPmklUVGV8vLP5fp+XUiipBBXpD5KvO4N166G8bFR9Ji3qnze3pukOvWJ1bG/RercJ69Iczaz
	0Qo9l7jw=
X-Gm-Gg: ASbGncu7uqqL0eLBzg3kMo9u6zEzah3IYlJl6i/vNjJ22UAa4f1IrdfB4YnulcIirWb
	s8bkzfq7C0eCyS7DP9gb4cku1r8Ifbkx8ACFhBCxYLt/FDcA/k55c+QJBKAGO0Bbu4OSt0ql0PG
	Y9o9MUJj9ScmITLDAPavZJmAz4BFGxZ/zl3+YageEOy34SCGlvcPLpaS3129Sk8vGMKu/BR/vrP
	Ilm5HixdtCvcqWgPgxBariQLGkuVnq/YeIKQjEs0g87+btFyFUY0m60d5LpgwXrrf0d692C3tNm
	2kpSd77SvezzDHqaJpB7G5FoalQ0KFEzFUGuzxDihokf3DuXQ7z3Qpkwlnxfcng8OHbh83vC118
	qD2AO9mdLgtkAFKZWxwioZjUVPIlxrmYitjCEqmGqXzXCjv/N6K086HGqO/IcwUcZVaU=
X-Google-Smtp-Source: 
 AGHT+IGp+iwiuu1W/cdBB1qlV3xdzZVt4QC8+uUe0Cc9u30ew5dZT7LFwQFMSyyEE2eTMOd7L8ABKw==
X-Received: by 2002:a17:902:e544:b0:24c:db7c:bc34 with SMTP id
 d9443c01a7336-294cc70b369mr37471795ad.13.1761659196972;
        Tue, 28 Oct 2025 06:46:36 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:2bae:51f5:3bdc:4c68])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-29498d40a7esm119894605ad.70.2025.10.28.06.46.36
        for 
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 28 Oct 2025 06:46:36 -0700 (PDT)
From: Steve Sakoman 
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 7/8] iptables: remove /etc/ethertypes
Date: Tue, 28 Oct 2025 06:46:17 -0700
Message-ID: 
 
X-Mailer: git-send-email 2.43.0
In-Reply-To: 
References: 
MIME-Version: 1.0
List-Id: 
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 ; Tue, 28 Oct 2025 13:46:39 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/225407

From: Rasmus Villemoes 

When building an image including iptable built with the libnftnl
PACKAGECONFIG, one hits

Downloading file:.../oe-rootfs-repo/armv8a/libkmod2 * check_data_file_clashes: Package iptables wants to install file .../rootfs/etc/ethertypes
        But that file is already provided by package  * netbase

This used to be handled by
0003-Makefile.am-do-not-install-etc-ethertypes.patch, but that patch
got removed with the 1.8.9->1.8.10 upgrade (commit 4616ada82e70).

I think the rationale for dropping the patch was wrong; the commit log
talks about xtables.conf, which is indeed gone from upstream, but said
patch didn't change anything about xtables.conf, it did

-dist_conf_DATA        = etc/ethertypes etc/xtables.conf
+dist_conf_DATA        = etc/xtables.conf

However, instead of patching iptables to not install ethertypes, and
having to forward-port that patch, it is much simpler to just remove
the file in this do_install:append.

Signed-off-by: Rasmus Villemoes 
Signed-off-by: Richard Purdie 
Signed-off-by: Uwe Kleine-König 
Signed-off-by: Steve Sakoman 
---
 meta/recipes-extended/iptables/iptables_1.8.10.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-extended/iptables/iptables_1.8.10.bb b/meta/recipes-extended/iptables/iptables_1.8.10.bb
index f1ee1efe28..8a1f823dc1 100644
--- a/meta/recipes-extended/iptables/iptables_1.8.10.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.10.bb
@@ -78,6 +78,8 @@ do_install:append() {
         ln -sf ${sbindir}/xtables-nft-multi ${D}${sbindir}/iptables 
         ln -sf ${sbindir}/xtables-nft-multi ${D}${sbindir}/iptables-save
         ln -sf ${sbindir}/xtables-nft-multi ${D}${sbindir}/iptables-restore
+        # ethertypes is provided by the netbase package
+        rm -f ${D}${sysconfdir}/ethertypes
     fi
 }
 

From patchwork Tue Oct 28 13:46:18 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman 
X-Patchwork-Id: 73195
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: 
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 0899FCCD1BF
	for ; Tue, 28 Oct 2025 13:46:49 +0000 (UTC)
Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com
 [209.85.214.179])
 by mx.groups.io with SMTP id smtpd.web11.9358.1761659199739649849
 for ;
 Tue, 28 Oct 2025 06:46:39 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=NRXjU0BU;
 spf=softfail (domain: sakoman.com, ip: 209.85.214.179,
 mailfrom: steve@sakoman.com)
Received: by mail-pl1-f179.google.com with SMTP id
 d9443c01a7336-29488933a91so58099355ad.2
        for ;
 Tue, 28 Oct 2025 06:46:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1761659199;
 x=1762263999; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=w5YJsPVDkT7YGM55xn4pxXDPwHhaNPrD4RW0JoBO8D0=;
        b=NRXjU0BUq/Kba3Gptk2bSo0+MdzlCIjdmaTKqRF2Xb9k3XWGCyOvzVxnk30JP5zx1a
         KN9j9XSoOSW5LQCfVeiouwDvLYkfMCbqB+Q5QeMQlJ0b4zlAoo7a8G/YmbYHOQdTh4pZ
         f10in/CgnZFridMY4EndHCv5EmMWo4rUCFBvCExJiM9fQgJs0po1plPOTTslgf/qeuHq
         7ZG3OMHclyjYHmCvukCB9QnhV9beD6BB4AH3pNpxQ19BZjYEXCFkULH3DcYqnCfwVBw4
         V56cunR+56aAmADNG0ZOPFrHHqMjGFAp2jpv8SKMk4t9ejRAuN61M8BPF5B0nK7hz0ts
         vTUA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1761659199; x=1762263999;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=w5YJsPVDkT7YGM55xn4pxXDPwHhaNPrD4RW0JoBO8D0=;
        b=sQq6a7yJLOavJe29+Y0pLDlTpgv4ypgZUVDUEhlGtnuZu8X3yh6WZUBLOzGNaYjwUE
         W068rdRJF0iD5S+GypU9+Er2UnlwonH89cDoGq6JkzOzL/SKnRp06LWWABkESxK0BbU3
         p1Hq03yex208H4Qm2YDFNJ0wrv8skUkDUisq6x7wtlGtiYptpAFPjUzy217h8Jb6gkrL
         06pTszmhjr2KAWUHiy50OLb5+2yfY9pMf6cRnF6W7ZZ8dt/G8cH83t9uFeRA01sMJQlv
         ppl+oHPBZ5pLOh7lYY9dTmsQafZe7ADJqqDK/adCTpOM/5GjbUyPH2oISy46Kjw1G4CL
         81tg==
X-Gm-Message-State: AOJu0Yzocw4oVGxV/Rgbm6nKATxAuCK3IGt3/2wQABCWYWLtItQOQrmM
	FGdxq4aJEbgQUhUPYKWC93kolM8Mp28xtdrZ3QVgc372rvoAnycPQ6nhSqBjcNXD+akYovHgxm1
	0CLdXKRc=
X-Gm-Gg: ASbGncvNhaej+QaVnbTjR30V6Y7ht74ItEhvQ2C4+AZQAIw37m1nNAV3FuLVCo6/WRX
	mBy1FtDi7DVfz/wWt3wM+8D8TwuDOnFmEgQVpO0x1knWKdFbjNt14pUY2wD3P3S4bzYQxOA88Hw
	iYRI9Z5SMSWnDk6EhlSDQYIGWdanOtjAIbohgkc9j/VUZfwQhakJF2BrusmhLCdppZJsi2el5gu
	D4BaEOACAJDY0cTNOMPNxFur2chRf1trL1w3z/7NWee2JwhGTBdYAhO+45mFSW+Qf8AEXS5C3ph
	mTidn9oUbJYnUD5SJLP6cpBG148dLU90TO5qWpdvj70O3MnaC1/Xwk8eDpCqbBb5+uFBgZmPSfB
	LSfSBqhsfuiWqEy8WDdbCpCrN2lTXXMQpXiEolwHfWqNMy84s0qlAeA072c8kT8meVxw=
X-Google-Smtp-Source: 
 AGHT+IHkXZEFaLWkkfDivruooTVZJrBQygZU7UjAesVnX/ZoQ2y771RySZiG2q1GmcrWf6t5uICzsw==
X-Received: by 2002:a17:902:ce8d:b0:276:d3e:6844 with SMTP id
 d9443c01a7336-294cb510d0amr45487705ad.33.1761659198565;
        Tue, 28 Oct 2025 06:46:38 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:2bae:51f5:3bdc:4c68])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-29498d40a7esm119894605ad.70.2025.10.28.06.46.37
        for 
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 28 Oct 2025 06:46:38 -0700 (PDT)
From: Steve Sakoman 
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 8/8] curl: only set CA bundle in target build
Date: Tue, 28 Oct 2025 06:46:18 -0700
Message-ID: 
 <0f98fecda8a0436f760e6fd9f3b7eb510e5258b8.1761596406.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: 
References: 
MIME-Version: 1.0
List-Id: 
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 ; Tue, 28 Oct 2025 13:46:49 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/225408

From: Matthias Schiffer 

In native/nativesdk builds, sysconfdir refers to a recipe sysroot
directory, which will disappear once the workdir is cleaned up, breaking
libcurl's HTTPS connections.

By simply not setting --with-ca-bundle at all in non-target builds, curl
defaults to the host system's CA certificates, which is desirable anyways
to allow builds in environments that require local CA certificates.

(From OE-Core rev: 4909a46e93ba774c960c3d3c277e2a669af3fea6)

Signed-off-by: Matthias Schiffer 
Signed-off-by: Richard Purdie 
Signed-off-by: Peter Marko 
Signed-off-by: Steve Sakoman 
---
 meta/recipes-support/curl/curl_8.7.1.bb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 6ed3d6e84d..713d90a378 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -94,11 +94,13 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd"
 EXTRA_OECONF = " \
     --disable-libcurl-option \
     --disable-ntlm-wb \
-    --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \
     --without-libpsl \
     --enable-optimize \
     ${@'--without-ssl' if (bb.utils.filter('PACKAGECONFIG', 'gnutls mbedtls openssl', d) == '') else ''} \
 "
+EXTRA_OECONF:append:class-target = " \
+    --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \
+"
 
 fix_absolute_paths () {
 	# cleanup buildpaths from curl-config