From patchwork Sun Mar 22 10:06:37 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 84056
server-digest SHA256) (No client certificate requested) by rcdn-l-core-11.cisco.com (Postfix) with ESMTPS id DD05318000252 for ; Sun, 22 Mar 2026 10:06:50 +0000 (GMT) Received: by sjc-ads-3552.cisco.com (Postfix, from userid 1795984) id 81C53CC12B5; Sun, 22 Mar 2026 03:06:50 -0700 (PDT) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter][PATCH 1/3] expat: Fix CVE-2026-32776 Date: Sun, 22 Mar 2026 03:06:37 -0700 Message-Id: <20260322100637.665990-1-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 MIME-Version: 1.0 X-Outbound-SMTP-Client: 171.68.249.250, sjc-ads-3552.cisco.com X-Outbound-Node: rcdn-l-core-11.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 22 Mar 2026 10:07:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233669 From: Deepak Rathore Pick the patch [1] as mentioned in [2]. [1] https://github.com/libexpat/libexpat/commit/5be25657583ea91b09025c858b4785834c20f59c [2] https://security-tracker.debian.org/tracker/CVE-2026-32776 Signed-off-by: Deepak Rathore diff --git a/meta/recipes-core/expat/expat/CVE-2026-32776.patch b/meta/recipes-core/expat/expat/CVE-2026-32776.patch new file mode 100644 index 0000000000..357c41a763 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-32776.patch 
@@ -0,0 +1,90 @@ +From dfc050e8c22c40a709a824573efd8691194c1469 Mon Sep 17 00:00:00 2001 +From: Francesco Bertolaccini +Date: Tue, 3 Mar 2026 16:41:43 +0100 +Subject: [PATCH] Fix NULL function-pointer dereference for empty external + parameter entities + +When an external parameter entity with empty text is referenced inside +an entity declaration value, the sub-parser created to handle it receives +0 bytes of input. Processing enters entityValueInitProcessor which calls +storeEntityValue() with the parser's encoding; since no bytes were ever +processed, encoding detection has not yet occurred and the encoding is +still the initial probing encoding set up by XmlInitEncoding(). That +encoding only populates scanners[] (for prolog and content), not +literalScanners[]. XmlEntityValueTok() calls through +literalScanners[XML_ENTITY_VALUE_LITERAL] which is NULL, causing a +SEGV. + +Skip the tokenization loop entirely when entityTextPtr >= entityTextEnd, +and initialize the `next` pointer before the early exit so that callers +(callStoreEntityValue) receive a valid value through nextPtr. + +CVE: CVE-2026-32776 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/5be25657583ea91b09025c858b4785834c20f59c] + +(cherry picked from commit 5be25657583ea91b09025c858b4785834c20f59c) +Signed-off-by: Deepak Rathore +--- + lib/xmlparse.c | 9 ++++++++- + tests/basic_tests.c | 19 +++++++++++++++++++ + 2 files changed, 27 insertions(+), 1 deletion(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index a187a3a1..10297c9a 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -6780,7 +6780,14 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc, + return XML_ERROR_NO_MEMORY; + } + +- const char *next; ++ const char *next = entityTextPtr; ++ ++ /* Nothing to tokenize. 
*/ ++ if (entityTextPtr >= entityTextEnd) { ++ result = XML_ERROR_NONE; ++ goto endEntityValue; ++ } ++ + for (;;) { + next + = entityTextPtr; /* XmlEntityValueTok doesn't always set the last arg */ +diff --git a/tests/basic_tests.c b/tests/basic_tests.c +index 0231e094..8be3492d 100644 +--- a/tests/basic_tests.c ++++ b/tests/basic_tests.c +@@ -6213,6 +6213,24 @@ START_TEST(test_varying_buffer_fills) { + } + END_TEST + ++START_TEST(test_empty_ext_param_entity_in_value) { ++ const char *text = ""; ++ ExtOption options[] = { ++ {XCS("ext.dtd"), "" ++ ""}, ++ {XCS("empty"), ""}, ++ {NULL, NULL}, ++ }; ++ ++ XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ XML_SetExternalEntityRefHandler(g_parser, external_entity_optioner); ++ XML_SetUserData(g_parser, options); ++ if (_XML_Parse_SINGLE_BYTES(g_parser, text, (int)strlen(text), XML_TRUE) ++ == XML_STATUS_ERROR) ++ xml_failure(g_parser); ++} ++END_TEST ++ + void + make_basic_test_case(Suite *s) { + TCase *tc_basic = tcase_create("basic tests"); +@@ -6458,6 +6476,7 @@ make_basic_test_case(Suite *s) { + tcase_add_test(tc_basic, test_empty_element_abort); + tcase_add_test__ifdef_xml_dtd(tc_basic, + test_pool_integrity_with_unfinished_attr); ++ tcase_add_test__ifdef_xml_dtd(tc_basic, test_empty_ext_param_entity_in_value); + tcase_add_test__if_xml_ge(tc_basic, test_entity_ref_no_elements); + tcase_add_test__if_xml_ge(tc_basic, test_deep_nested_entity); + tcase_add_test__if_xml_ge(tc_basic, test_deep_nested_attribute_entity); +-- +2.51.0 diff --git a/meta/recipes-core/expat/expat_2.7.4.bb b/meta/recipes-core/expat/expat_2.7.4.bb index 95a1ed52c4..a1cbf77ae1 100644 --- a/meta/recipes-core/expat/expat_2.7.4.bb +++ b/meta/recipes-core/expat/expat_2.7.4.bb 
@@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}" SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://run-ptest \ + file://CVE-2026-32776.patch \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Sun Mar 22 10:06:58 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 84057 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 02858FC72B3 for ; Sun, 22 Mar 2026 10:07:11 +0000 (UTC) Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.28065.1774174023967436257 for ; Sun, 22 Mar 2026 03:07:04 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=DOvI+Kg8; spf=pass (domain: cisco.com, ip: 173.37.142.93, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=5556; q=dns/txt; s=iport01; t=1774174024; x=1775383624; h=from:to:subject:date:message-id:mime-version: content-transfer-encoding; bh=3XaUFypeF3oXdaWBIp2I9+BRsxHLiMyClGRhh0Ik87k=; b=DOvI+Kg89ji52brE8fGE0pg0q12Zn0rb4yBViklAO7ILl5KHacVJayAU 926RqVnEN4iZYd3imPvM8KSf+MFnXRJdu5EBIJEa40dawE9sqhcKcUv13 jTkSzxs2a7ygpF/1RBctxBHi8EOuhsa6cD3rCDyCYYo9R2u1atWZuU2hK w5KBeoEcGizKJ4mViiR9eGfsyOtwE6wtpBPqrIK2SNtzxd2am/7iSJhAs DGLoYI3G56NXi/IoqLjAJ4sRTuaYJunuBuB7PFSVk0Vu6FeHpOubUh4GN 4V576QAuqDlm6LpMP2xFZdk5q8Bpj8bhpA0V/ck2BIDPinq7UkTKc0RgD g==; X-CSE-ConnectionGUID: Tcx7IrzsThCcM2byinXfLA== X-CSE-MsgGUID: AI+zPSavQ2KyJ7J5v9J8ZA== X-IPAS-Result: 
(No client certificate requested) by rcdn-l-core-01.cisco.com (Postfix) with ESMTPS id E933518000307 for ; Sun, 22 Mar 2026 10:07:02 +0000 (GMT) Received: by sjc-ads-3552.cisco.com (Postfix, from userid 1795984) id 976B2CC12B5; Sun, 22 Mar 2026 03:07:02 -0700 (PDT) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter][PATCH 2/3] expat: Fix CVE-2026-32777 Date: Sun, 22 Mar 2026 03:06:58 -0700 Message-Id: <20260322100658.666633-1-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 MIME-Version: 1.0 X-Outbound-SMTP-Client: 171.68.249.250, sjc-ads-3552.cisco.com X-Outbound-Node: rcdn-l-core-01.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 22 Mar 2026 10:07:11 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233670 From: Deepak Rathore Pick the patch [1] and [2] as mentioned in [3]. [1] https://github.com/libexpat/libexpat/commit/55cda8c7125986e17d7e1825cba413bd94a35d02 [2] https://github.com/libexpat/libexpat/commit/a7805c1a8a48d2ce83ef289cf55bdc8b45de76a8 [3] https://security-tracker.debian.org/tracker/CVE-2026-32777 Signed-off-by: Deepak Rathore diff --git a/meta/recipes-core/expat/expat/CVE-2026-32777_p1.patch b/meta/recipes-core/expat/expat/CVE-2026-32777_p1.patch new file mode 100644 index 0000000000..4b30b406ed --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-32777_p1.patch 
@@ -0,0 +1,48 @@ +From db449df6a700b677cedf723d7be578457e0bc9c7 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 1 Mar 2026 20:16:13 +0100 +Subject: [PATCH] lib: Reject XML_TOK_INSTANCE_START infinite loop in + entityValueProcessor + +.. that OSS-Fuzz/ClusterFuzz uncovered + +CVE: CVE-2026-32777 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/55cda8c7125986e17d7e1825cba413bd94a35d02] + +(cherry picked from commit 55cda8c7125986e17d7e1825cba413bd94a35d02) +Signed-off-by: Deepak Rathore +--- + lib/xmlparse.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 10297c9a..c5bd7059 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -5080,7 +5080,7 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end, + } + /* If we get this token, we have the start of what might be a + normal tag, but not a declaration (i.e. it doesn't begin with +- " +Date: Fri, 6 Mar 2026 18:31:34 +0100 +Subject: [PATCH] misc_tests.c: Cover XML_TOK_INSTANCE_START infinite loop + case + +.. 
that OSS-Fuzz/ClusterFuzz uncovered + +CVE: CVE-2026-32777 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/a7805c1a8a48d2ce83ef289cf55bdc8b45de76a8] + +(cherry picked from commit a7805c1a8a48d2ce83ef289cf55bdc8b45de76a8) +Signed-off-by: Deepak Rathore +--- + tests/misc_tests.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/tests/misc_tests.c b/tests/misc_tests.c +index 2a805454..bdec886d 100644 +--- a/tests/misc_tests.c ++++ b/tests/misc_tests.c +@@ -771,6 +771,35 @@ START_TEST(test_misc_async_entity_rejected) { + } + END_TEST + ++START_TEST(test_misc_no_infinite_loop_issue_1161) { ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++ const char *text = ""; ++ ++ struct ExtOption options[] = { ++ {XCS("secondary.txt"), ++ ""}, ++ {XCS("tertiary.txt"), " X-Patchwork-Id: 84058 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EF129FC72B4 for ; Sun, 22 Mar 2026 10:07:30 +0000 (UTC) Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.28070.1774174042461099107 for ; Sun, 22 Mar 2026 03:07:22 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=XxrJ79Bq; spf=pass (domain: cisco.com, ip: 173.37.142.91, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=6917; q=dns/txt; s=iport01; t=1774174042; x=1775383642; h=from:to:subject:date:message-id:mime-version: content-transfer-encoding; bh=T23Ogaw6u0OvFQQIN02F/Ws7gYukowXj1mgxicg6GQc=; b=XxrJ79Bq0eTYnBIgb3vaExyhlJKp9bCi+IrL4SqGdYiHQ5LLhuI67ELR XflMIahPcKlqiAAKJ3McG3RnvPOmQdMzRQB5PYZ6f2L+1UXsGoOsZ1NW0 
d="scan'208";a="696605863" Received: from rcdn-l-core-01.cisco.com ([173.37.255.138]) by alln-iport-4.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 22 Mar 2026 10:07:21 +0000 Received: from sjc-ads-3552.cisco.com (sjc-ads-3552.cisco.com [171.68.249.250]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by rcdn-l-core-01.cisco.com (Postfix) with ESMTPS id 8035E180002B1 for ; Sun, 22 Mar 2026 10:07:21 +0000 (GMT) Received: by sjc-ads-3552.cisco.com (Postfix, from userid 1795984) id 2FE5BCC12B5; Sun, 22 Mar 2026 03:07:21 -0700 (PDT) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter][PATCH 3/3] expat: Fix CVE-2026-32778 Date: Sun, 22 Mar 2026 03:07:14 -0700 Message-Id: <20260322100714.667175-1-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 MIME-Version: 1.0 X-Outbound-SMTP-Client: 171.68.249.250, sjc-ads-3552.cisco.com X-Outbound-Node: rcdn-l-core-01.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 22 Mar 2026 10:07:30 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233671 From: Deepak Rathore Pick the patch [1] and [2] as mentioned in [3]. [1] https://github.com/libexpat/libexpat/commit/576b61e42feeea704253cb7c7bedb2eeb3754387 [2] https://github.com/libexpat/libexpat/commit/d5fa769b7a7290a7e2c4a0b2287106dec9b3c030 [3] https://security-tracker.debian.org/tracker/CVE-2026-32778 Signed-off-by: Deepak Rathore diff --git a/meta/recipes-core/expat/expat/CVE-2026-32778_p1.patch b/meta/recipes-core/expat/expat/CVE-2026-32778_p1.patch new file mode 100644 index 0000000000..35a7c62865 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-32778_p1.patch 
@@ -0,0 +1,90 @@ +From fa84dfe9d7c817315e3d77ae632aeecf6fe2cd84 Mon Sep 17 00:00:00 2001 +From: laserbear <10689391+Laserbear@users.noreply.github.com> +Date: Sun, 8 Mar 2026 17:28:06 -0700 +Subject: [PATCH] copy prefix name to pool before lookup + +.. so that we cannot end up with a zombie PREFIX in the pool +that has NULL for a name. + +CVE: CVE-2026-32778 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/576b61e42feeea704253cb7c7bedb2eeb3754387] + +Co-authored-by: Sebastian Pipping +(cherry picked from commit 576b61e42feeea704253cb7c7bedb2eeb3754387) +Signed-off-by: Deepak Rathore +--- + lib/xmlparse.c | 43 +++++++++++++++++++++++++++++++++++-------- + 1 file changed, 35 insertions(+), 8 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index c5bd7059..eee283a4 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -591,6 +591,8 @@ static XML_Char *poolStoreString(STRING_POOL *pool, const ENCODING *enc, + static XML_Bool FASTCALL poolGrow(STRING_POOL *pool); + static const XML_Char *FASTCALL poolCopyString(STRING_POOL *pool, + const XML_Char *s); ++static const XML_Char *FASTCALL poolCopyStringNoFinish(STRING_POOL *pool, ++ const XML_Char *s); + static const XML_Char *poolCopyStringN(STRING_POOL *pool, const XML_Char *s, + int n); + static const XML_Char *FASTCALL poolAppendString(STRING_POOL *pool, +@@ -7446,16 +7448,24 @@ setContext(XML_Parser parser, const XML_Char *context) { + else { + if (! poolAppendChar(&parser->m_tempPool, XML_T('\0'))) + return XML_FALSE; +- prefix +- = (PREFIX *)lookup(parser, &dtd->prefixes, +- poolStart(&parser->m_tempPool), sizeof(PREFIX)); +- if (! prefix) ++ const XML_Char *const prefixName = poolCopyStringNoFinish( ++ &dtd->pool, poolStart(&parser->m_tempPool)); ++ if (! prefixName) { + return XML_FALSE; +- if (prefix->name == poolStart(&parser->m_tempPool)) { +- prefix->name = poolCopyString(&dtd->pool, prefix->name); +- if (! 
prefix->name) +- return XML_FALSE; + } ++ ++ prefix = (PREFIX *)lookup(parser, &dtd->prefixes, prefixName, ++ sizeof(PREFIX)); ++ ++ const bool prefixNameUsed = prefix && prefix->name == prefixName; ++ if (prefixNameUsed) ++ poolFinish(&dtd->pool); ++ else ++ poolDiscard(&dtd->pool); ++ ++ if (! prefix) ++ return XML_FALSE; ++ + poolDiscard(&parser->m_tempPool); + } + for (context = s + 1; *context != CONTEXT_SEP && *context != XML_T('\0'); +@@ -8044,6 +8054,23 @@ poolCopyString(STRING_POOL *pool, const XML_Char *s) { + return s; + } + ++// A version of `poolCopyString` that does not call `poolFinish` ++// and reverts any partial advancement upon failure. ++static const XML_Char *FASTCALL ++poolCopyStringNoFinish(STRING_POOL *pool, const XML_Char *s) { ++ const XML_Char *const original = s; ++ do { ++ if (! poolAppendChar(pool, *s)) { ++ // Revert any previously successful advancement ++ const ptrdiff_t advancedBy = s - original; ++ if (advancedBy > 0) ++ pool->ptr -= advancedBy; ++ return NULL; ++ } ++ } while (*s++); ++ return pool->start; ++} ++ + static const XML_Char * + poolCopyStringN(STRING_POOL *pool, const XML_Char *s, int n) { + if (! pool->ptr && ! poolGrow(pool)) { +-- +2.51.0 diff --git a/meta/recipes-core/expat/expat/CVE-2026-32778_p2.patch b/meta/recipes-core/expat/expat/CVE-2026-32778_p2.patch new file mode 100644 index 0000000000..0cbf2dd347 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-32778_p2.patch 
@@ -0,0 +1,59 @@ +From 0b3d3b977ccaf18684ce951b818c56a7e704fb29 Mon Sep 17 00:00:00 2001 +From: laserbear <10689391+Laserbear@users.noreply.github.com> +Date: Sun, 8 Mar 2026 17:28:06 -0700 +Subject: [PATCH] test that we do not end up with a zombie PREFIX in the pool + +CVE: CVE-2026-32778 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/d5fa769b7a7290a7e2c4a0b2287106dec9b3c030] + +(cherry picked from commit d5fa769b7a7290a7e2c4a0b2287106dec9b3c030) +Signed-off-by: Deepak Rathore +--- + tests/nsalloc_tests.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/tests/nsalloc_tests.c b/tests/nsalloc_tests.c +index 60fa87f8..9e26d4ee 100644 +--- a/tests/nsalloc_tests.c ++++ b/tests/nsalloc_tests.c +@@ -1505,6 +1505,32 @@ START_TEST(test_nsalloc_prefixed_element) { + } + END_TEST + ++/* Verify that retry after OOM in setContext() does not crash. ++ */ ++START_TEST(test_nsalloc_setContext_zombie) { ++ const char *text = "Hello"; ++ unsigned int i; ++ const unsigned int max_alloc_count = 30; ++ ++ for (i = 0; i < max_alloc_count; i++) { ++ g_allocation_count = (int)i; ++ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE) ++ != XML_STATUS_ERROR) ++ break; ++ /* Retry on the same parser — must not crash */ ++ g_allocation_count = ALLOC_ALWAYS_SUCCEED; ++ XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE); ++ ++ nsalloc_teardown(); ++ nsalloc_setup(); ++ } ++ if (i == 0) ++ fail("Parsing worked despite failing allocations"); ++ else if (i == max_alloc_count) ++ fail("Parsing failed even at maximum allocation count"); ++} ++END_TEST ++ + void + make_nsalloc_test_case(Suite *s) { + TCase *tc_nsalloc = tcase_create("namespace allocation tests"); +@@ -1539,4 +1565,5 @@ make_nsalloc_test_case(Suite *s) { + tcase_add_test__if_xml_ge(tc_nsalloc, test_nsalloc_long_default_in_ext); + tcase_add_test(tc_nsalloc, test_nsalloc_long_systemid_in_ext); + tcase_add_test(tc_nsalloc, test_nsalloc_prefixed_element); ++ 
tcase_add_test(tc_nsalloc, test_nsalloc_setContext_zombie); + } +-- +2.51.0 diff --git a/meta/recipes-core/expat/expat_2.7.4.bb b/meta/recipes-core/expat/expat_2.7.4.bb index da6e4bb657..f1eff49688 100644 --- a/meta/recipes-core/expat/expat_2.7.4.bb +++ b/meta/recipes-core/expat/expat_2.7.4.bb @@ -13,6 +13,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-32776.patch \ file://CVE-2026-32777_p1.patch \ file://CVE-2026-32777_p2.patch \ + file://CVE-2026-32778_p1.patch \ + file://CVE-2026-32778_p2.patch \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"
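Review bot: In the storeEntityValue() hunk of CVE-2026-32776.patch (lib/xmlparse.c, @@ -6780), the comment on the new guard, `/* Nothing to tokenize. */`, does not say why the loop has to be skipped. The commit message gives the reason: with zero bytes of input the encoding is still the initial probing encoding, whose literalScanners[XML_ENTITY_VALUE_LITERAL] is NULL, so XmlEntityValueTok() would call through a NULL pointer. A one-line version of that in the comment would keep a later cleanup from dropping the guard as redundant. It would also help to note that the initializer `const char *next = entityTextPtr;` exists for the early `goto endEntityValue`, because the assignment at the top of the `for (;;)` loop is never reached on that path.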
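Review bot: In the setContext() hunk of CVE-2026-32778_p1.patch (lib/xmlparse.c, @@ -7446), both failure returns (`if (! prefixName) { return XML_FALSE;` and `if (! prefix) return XML_FALSE;`) are taken before `poolDiscard(&parser->m_tempPool);`, so the prefix name accumulated in m_tempPool is left in place on failure. The removed code returned early in the same way, but since the accompanying test retries XML_Parse() on the same parser after an allocation failure, it is worth confirming that the retry path starts from a clean m_tempPool, or discarding it before each `return XML_FALSE`. The dtd->pool side is handled on every path, because poolFinish()/poolDiscard() run before the `! prefix` check.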
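Review bot: The comment above poolCopyStringNoFinish() in CVE-2026-32778_p1.patch (lib/xmlparse.c, @@ -8044) leaves the function's contract undocumented. It returns `pool->start`, so the result is only the copied string if the pool holds no unfinished string on entry, and the caller has to follow up with poolFinish() or poolDiscard() itself, as setContext() does in the previous hunk. Stating both points in the comment would make a second caller harder to get wrong; the rollback `pool->ptr -= advancedBy;` is already explained.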
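Review bot: In test_nsalloc_setContext_zombie (CVE-2026-32778_p2.patch, tests/nsalloc_tests.c, @@ -1505), the result of the retry call `XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE);` is discarded, so the test only demonstrates that the second parse does not crash. If the retry is expected to succeed once g_allocation_count is ALLOC_ALWAYS_SUCCEED, checking for XML_STATUS_ERROR and calling fail() would catch a regression that returns an error instead of crashing; if either outcome is acceptable, the comment `/* Retry on the same parser — must not crash */` should say so explicitly.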