From patchwork Mon Jun 15 06:35:35 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amaury Couderc X-Patchwork-Id: 90096 X-Patchwork-Delegate: yoann.congal@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C3B31CD98C5 for ; Mon, 15 Jun 2026 06:36:22 +0000 (UTC) Received: from PA4PR04CU001.outbound.protection.outlook.com (PA4PR04CU001.outbound.protection.outlook.com [40.107.162.21]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.123879.1781505374158587164 for ; Sun, 14 Jun 2026 23:36:14 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@est.tech header.s=selector1 header.b=PeN+nvFF; spf=pass (domain: est.tech, ip: 40.107.162.21, mailfrom: amaury.couderc@est.tech) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=m5c9mFMcn4yQH0u+Dt6H0qZ+jcgVYHe2R9lFg3cJVY+TCvgq5HeIdanbZ5WlJkQG6Pa18+TFpNGyKnTsNp7/0MxHTt1/HswBfi7PKBVvCza5i2JAMzXNzJOKIXLoVPr+O/2Im9FWQF8lAIgktvRE3iLWHQgnE8y7Gp+SgM9Yg91iQM1lWeQDJYtYuB3eQcdPsHzbzAGjd/ICYJvEU12FybALnEjGtlFkhQTQOm7/yuaUFjZPaF+GcPsM0Vs0ES4HeDO7+6MeYzQcDAD4pCTkUQmY4+S28Ap+7UxA6viSo1J2G/eCOqs+vvbivzaRRhvRTqnBJ5SSSFHGuUWuRkhXqQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=u0SO57v/RF6hxJUlbzIW0heYARQW4H2YVU48A++DrlU=; b=rjFgEcf0A+nxR5mbFL+pOHWC2Fk5zeQidTJaXQPs+N9kxl+2Pbu2Ex0r3j3wR61Z+Rb+pBtNvtoQaBFMYkZVhS6beq2wEomT2UFIwfMFiE8swDlY3dJ5LJPD/LUGKin8SO5YVj+tI/bXUImgGbrh4B1c7COAuC9IdRw1HsBisgKJA+QkT5kK+pKQdT3yPqS4gGERlGcK5Zfyzf19xyetpU+PAWU8sQG2ibGWe7Ac7F1UHheyzUFQ6bOfQaF1Uj2dbu9NnS2Addw0C0kxpRa2wOt21vCkMoyrSKgYHHYlTYPOia8ozSI4FvtUOzewC7Bf5apjKVbKttOQMGr9mekwvg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=est.tech; dmarc=pass action=none header.from=est.tech; dkim=pass header.d=est.tech; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=est.tech; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=u0SO57v/RF6hxJUlbzIW0heYARQW4H2YVU48A++DrlU=; b=PeN+nvFFLvSiw+2NdNxWEs0zdQplsc53zE9BnEeHgdsBiiI7LNqJgTUhT7bRIG8kdeTZpCEQI9cKztdaZUY+WL+/y7bTVmcQBFwmEcnzkf4XCxTINvBcrYclHka+4hBUf/eEIg1QxkeWdCUFTk+tCC6riSeI55YFplyR5spQKmLmCwADxVKya9RyLT7l3TxSFpvAiEdqpQzidKWsRE6ML3iJs0knw84LXxG3N8GC9qUmGokwXJ91rRB1/1jT5l0M+O+CMvIIr/4Ob32+K0rA9qE4ttPatW00i9RxwUuiDfYQETzQ3xg2XAuyIjmmdinof935+qNvuKQkBcqIP9Yt3g== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=est.tech; Received: from AMBP189MB3196.EURP189.PROD.OUTLOOK.COM (2603:10a6:20b:6ad::11) by BESP189MB3284.EURP189.PROD.OUTLOOK.COM (2603:10a6:b10:e7::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.113.18; Mon, 15 Jun 2026 06:36:09 +0000 Received: from AMBP189MB3196.EURP189.PROD.OUTLOOK.COM ([fe80::1afd:f059:542:3d95]) by AMBP189MB3196.EURP189.PROD.OUTLOOK.COM ([fe80::1afd:f059:542:3d95%4]) with mapi id 15.21.0113.015; Mon, 15 Jun 2026 06:36:09 +0000 From: amaury.couderc@est.tech To: openembedded-core@lists.openembedded.org Subject: [PATCH v2 1/2][OE-core][scarthgap] expat: fix CVE-2026-7210 Date: Mon, 15 Jun 2026 08:35:35 +0200 Message-ID: <20260615063600.25055-1-amaury.couderc@est.tech> X-Mailer: git-send-email 2.43.0 X-ClientProxiedBy: DU2PR04CA0255.eurprd04.prod.outlook.com (2603:10a6:10:28e::20) To AMBP189MB3196.EURP189.PROD.OUTLOOK.COM (2603:10a6:20b:6ad::11) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AMBP189MB3196:EE_|BESP189MB3284:EE_ X-MS-Office365-Filtering-Correlation-Id: 44ddb275-811d-4010-9071-08decaa862b0 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|23010399003|376014|366016|1800799024|18002099003|13003099007|56012099006|11063799006|6133799003; X-Microsoft-Antispam-Message-Info: vOqYIiDVhuU4Rw8tPWd6zaao3Uop/zyIlEDbpQvfO6HE1rUgqXw/8+M6Bx+Erv3XbOgglOQPJfCxjsPQSFKWFjO454SCQ3cG6ynA0nVxSsLy6iN0nKSIzlx768Os9ZajLrmx5n+8tIJZPrhWD3B4biwvQPKQpvRBfZVzVQsXOHr9W6G1EU9FhJvcVHhkxcMjmWJL9lWcRgfFvX6s0d+lEt+hxFgwC/aJ3+Gs6jVx2igDN5J/zYN/cj3MHzf1Gi/7s1JhaoYfkaCIpmANc4MwdBHZ/gTBZB6Bys6Vp5b5Q8LacEpJXMp3bczTUZ23av1/9YFnfd8ULthUFBLa/XgEliiTuaGeLnL01oI5tsrh8bci4GxvUnMZOjG9/qdCYBddAZUG/bylwVsn3qWFJbd2wOyeagx1oBpjxGWKureRvaq9yj3ZDjD0+YjI+n302XePuesEO4g9221V7AYWIh21AlVqDSiHROffwIc6aHOKw4iJ3yRG1MOGvMUE6uLrihjuIRZzw5l6GkfA0zh/yo0xxvE5rZg/K1pgwW4JnMsjG3iFCZ/ME9TJftKElkbfs6TOiXx/afirw6lNk8c4lmDom+8Qu1UwolsjEg41ZQWw45droy6lyAj4LtIwjiTDMLlej2BxzdBpp1PqqzbRbv3z6Djv2aKxL60gQzs6ZjC2XejPEPaj5ftqxtTS+Sccj8iV X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AMBP189MB3196.EURP189.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(23010399003)(376014)(366016)(1800799024)(18002099003)(13003099007)(56012099006)(11063799006)(6133799003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: EeM4ZpRCgPZRf6NMneZ4WRX+dxLExwI7+/DhlOu2E24GiCC2gvqjTg62MOYlXZrv6PBYlVMmP6rNPOuyWJV0GsDHLFMJ8jL3q0fKdmch2/3bGmjaapraSfH32527SMeHvstkppEY1H30GoNv4c1UhtFHuZ8fkR8s7KF6MKz+vqfSskCs8EcErwJYIN7IlUcyIER6opueoCp0Cq610n3Y5hDWaUZ1k6Ch11hH49lf0Rt2RdBu/aCO48A9Tk7KhS7xic1LQJc2k1MSussBUoovsAsyNc27u3M3hQEnhCjYXp+MfbmSE6rmb4V1rq8dLI5P5GYqS30aP8tMV//gk0udsEnxkMXhbFQmVB2BOlqjN83uGuFl7mLDD2iLxCzFlxSZ80Deu/1c2T57ZICOxiuDQiB/ohQS40bzJrPJ0XihnEmDE6qBn/C0sotloAx7kbr44ThFlheCUKrQZV3z9s809MMOq5bgARDFJzJb9ZkhhG/HwcGL+yqytpiA9w2RBlMA7CodnoQjH17J7SDk6Iw34n9DFovH2+nJb8hWwFbYZI5jOjvNRIWC5Ufr0JhOwdZ5kO32NgKtjg9lnZ0JY1cMA4GsjAbHztLScVp7S2+047bU/28+f9sb4cxQDTgklkE77AG2PgHAZtx9GoR5XRyctPILzEKSQP5ufJWfQfjZTmyD7D5p1AViR2XTlh6hupZP+FCkeyZxdfpRZGsZ8aarFpnQSf3cRlkD/Z/hBQNr0Eq4VsZl56lBayD/UeBEFKyDagmtQ9zESx7wAAbVoIE0+5xLUICODfu959n2vhtCSzk9CZ8MKxMSzvnKrK9DiN2ablArmpytlglMW2XdFZP2o2gQOaMmijPAEGL1K1k403Gq5ou1HN+CgwVM3HW1LJ5lN8N2HpFSqxQ+m8h3WVDDd1OwYEWjjFxyx3jTxz+s2yZxA6yLohN/ixKhmQz+pFKW8IpuZp9WzCxmkMOidX2h9pE4tiTav6/Cdm2+ItWedGAngM7pq68Z292lTco+smrW3V3oBIe5yKhTgGg382f9wbFIn2KqTR94NSIanGYSEcz4JGbZrCLCCkZA6HyMMM35UTODLaIckd3Qdvn/mKIdBSs0vhpylQSVpY52axU5OrNYMGc1yO+PWGk0LBM+elxVgsuNlYAbGSnPFHKH3NlUNNpdzcaBV0g2I1QkK1bE9t45YtlQk/mFHBnjyiMZSKC7AdXfEPij+GAnzoc0sDSGUevF8V9XxRAb8xtgceEBP9+luaT98lf2UD+085Og31VGNRoI0DLALYGbGlVzU8MKnLSAy2p+qTlZTR3ihQ1herhK+y37o08WzdstFzB55JvaIdrPe7eVeeV6BY2LsDvDviR0xTcqWO0AJo4d9B+0wcT3euUs3FvoK4C6sndtd/xC6uYPZoP59zqZ7WCVHab+INx7teGNornUEAa1UKDq5Mcp2QggNdxETfnwRpX0maelAGXlweSIgexUYQ8k6qcVO/B+ufEHPQLcFHbhg6sNJr7vYK9Mn7BhHsRRG+LeSST2kH6kovRyHrjV5vsWbGtu5D6X2Yz7pSBJRIf1QSLhk0/r/f+07CAq9Q2sZ55eJjoJiiWU9CB1XDGMX9wusTnAAL2E1tzuhgLm2uB6WWlNySYtGWPE97TvKUmAEqLRF1FML1dAaS5n0bYohQXjOlEts+sfNNjwRMsvW+/k6rad4DhMNDTsxT0mXoL+SJv2PhYVdW9p4i1P782MFCma4aM2zRNb9IvJBpeoL/LDAAHDMLA= X-OriginatorOrg: est.tech X-MS-Exchange-CrossTenant-Network-Message-Id: 44ddb275-811d-4010-9071-08decaa862b0 X-MS-Exchange-CrossTenant-AuthSource: AMBP189MB3196.EURP189.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 Jun 2026 06:36:09.3411 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: d2585e63-66b9-44b6-a76e-4f4b217d97fd X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: vUQ9oWtUogJptQ+XH+1ufvhKi+YlYXfrOLuUGxlMQ0iS7cO87jUKibBIpGEF6r9qM0lm8V+6IILxT+zYxBQnRw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: BESP189MB3284 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 15 Jun 2026 06:36:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238814 From: Amaury Couderc Backport patch to fix CVE-2026-7210. https://nvd.nist.gov/vuln/detail/CVE-2026-7210 Upstream fixe: https://github.com/libexpat/libexpat/commit/1ac23e49a46afe040788c8a538afc89e5c4ac8cf Backport the 128-bit hash salt API (XML_SetHashSalt16Bytes) from Expat 2.8.0. The prior hash randomization used only an unsigned long (4 or 8 bytes depending on architecture) as the SipHash key, leaving k[0] as zero. This makes the parser vulnerable to hash-flooding DoS attacks due to insufficient entropy. This backport: - Adds struct sipkey m_hash_secret_salt_128 and XML_Bool m_hash_secret_salt_set to the parser structure - Adds XML_SetHashSalt16Bytes() public API function - Modifies copy_salt_to_sipkey() to use full 128-bit key when set - Modifies startParsing() to auto-generate 128 bits of entropy - Adds XML_BACKPORT_SET_HASH_SALT_16_BYTES capability macro for downstream consumers (e.g. CPython) to detect this backport - Adds basic test coverage for the new API abidiff between the unpatch and unpatched version of expat 2.6.4 : abidiff abidiff-unpatched/libexpat.so.1.10.0 abidiff-patched/libexpat.so.1.10.0 Functions changes summary: 0 Removed, 1 Changed (65 filtered out), 1 Added functions Variables changes summary: 0 Removed, 0 Changed, 0 Added variable 1 Added function: [A] 'function XML_Bool XML_SetHashSalt16Bytes(XML_Parser, const uint8_t*)' {XML_SetHashSalt16Bytes} 1 function with some indirect sub-type change: [C] 'function void XML_DefaultCurrent(XML_Parser)' at xmlparse.c:2899:1 has some indirect sub-type changes: parameter 1 of type 'typedef XML_Parser' has sub-type changes: underlying type 'XML_ParserStruct*' changed: in pointed to type 'struct XML_ParserStruct' at xmlparse.c:665:1: type size changed from 8704 to 8896 (in bits) 2 data member insertions: 'sipkey m_hash_secret_salt_128', at offset 7808 (in bits) at xmlparse.c:781:1 'XML_Bool m_hash_secret_salt_set', at offset 7936 (in bits) at xmlparse.c:782:1 4 data member changes (7 filtered): 'ACCOUNTING m_accounting' offset changed from 7808 to 8000 (in bits) (by +192 bits) 'MALLOC_TRACKER m_alloc_tracker' offset changed from 8128 to 8320 (in bits) (by +192 bits) 'ENTITY_STATS m_entity_stats' offset changed from 8448 to 8640 (in bits) (by +192 bits) 'XML_Bool m_reenter' offset changed from 8640 to 8832 (in bits) (by +192 bits) This patch does not break ABI compatibility: XML_ParserStruct is opaque so its internal layout change is invisible to consumers, and XML_SetHashSalt16Bytes is a purely additive API that doesn't affect existing callers. meta-binaryaudit (https://github.com/Nordix/meta-binaryaudit/). Signed-off-by: Amaury Couderc --- .../expat/expat/CVE-2026-7210.patch | 219 ++++++++++++++++++ meta/recipes-core/expat/expat_2.6.4.bb | 1 + 2 files changed, 220 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2026-7210.patch diff --git a/meta/recipes-core/expat/expat/CVE-2026-7210.patch b/meta/recipes-core/expat/expat/CVE-2026-7210.patch new file mode 100644 index 0000000000..27813a871c --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-7210.patch @@ -0,0 +1,219 @@ +From d8607abf00cf94316d8c657df1e852087e141538 Mon Sep 17 00:00:00 2001 +From: Amaury Couderc +Date: Wed, 10 Jun 2026 12:44:35 +0000 +Subject: [PATCH] lib: Backport XML_SetHashSalt16Bytes from Expat 2.8.0 + +Backport the 128-bit hash salt API (XML_SetHashSalt16Bytes) from Expat +2.8.0. The prior hash randomization used only an unsigned long (4 or 8 +bytes depending on architecture) as the SipHash key, leaving k[0] as +zero. This makes the parser vulnerable to hash-flooding DoS attacks +due to insufficient entropy. + +This backport: +- Adds struct sipkey m_hash_secret_salt_128 and XML_Bool + m_hash_secret_salt_set to the parser structure +- Adds XML_SetHashSalt16Bytes() public API function +- Modifies copy_salt_to_sipkey() to use full 128-bit key when set +- Modifies startParsing() to auto-generate 128 bits of entropy +- Adds XML_BACKPORT_SET_HASH_SALT_16_BYTES capability macro for + downstream consumers (e.g. CPython) to detect this backport +- Adds basic test coverage for the new API + +CVE: CVE-2026-7210 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/1ac23e49a46afe040788c8a538afc89e5c4ac8cf] +Signed-off-by: Amaury Couderc +--- + lib/expat.h | 18 +++++++++++++ + lib/xmlparse.c | 65 ++++++++++++++++++++++++++++++++++++++++++--- + tests/basic_tests.c | 25 +++++++++++++++++ + 3 files changed, 104 insertions(+), 4 deletions(-) + +diff --git a/lib/expat.h b/lib/expat.h +index df207e9..cdb8e08 100644 +--- a/lib/expat.h ++++ b/lib/expat.h +@@ -44,9 +44,15 @@ + #ifndef Expat_INCLUDED + #define Expat_INCLUDED 1 + ++#include + #include + #include "expat_external.h" + ++/* Backport capability macro: 128-bit hash salt API is available. ++ Downstream consumers should test for this rather than relying on ++ XML_COMBINED_VERSION >= 20800 when linked against a backported library. */ ++#define XML_BACKPORT_SET_HASH_SALT_16_BYTES 1 ++ + #ifdef __cplusplus + extern "C" { + #endif +@@ -920,6 +926,18 @@ XML_SetParamEntityParsing(XML_Parser parser, + XMLPARSEAPI(int) + XML_SetHashSalt(XML_Parser parser, unsigned long hash_salt); + ++/* Sets the hash salt to use for internal hash calculations. ++ Helps in preventing DoS attacks based on predicting hash function behavior. ++ This must be called before parsing is started. ++ Returns XML_TRUE if successful, XML_FALSE when called after parsing has ++ started or when parser is NULL. ++ Note: Setting a salt that is not from a source of high quality entropy ++ will make the parser vulnerable to hash flooding attacks. ++ Backported from Expat 2.8.0. ++*/ ++XMLPARSEAPI(XML_Bool) ++XML_SetHashSalt16Bytes(XML_Parser parser, const uint8_t entropy[16]); ++ + /* If XML_Parse or XML_ParseBuffer have returned XML_STATUS_ERROR, then + XML_GetErrorCode returns information about the error. + */ +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 9bc67f3..cc5ec3f 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -778,6 +778,8 @@ struct XML_ParserStruct { + enum XML_ParamEntityParsing m_paramEntityParsing; + #endif + unsigned long m_hash_secret_salt; ++ struct sipkey m_hash_secret_salt_128; ++ XML_Bool m_hash_secret_salt_set; + #if XML_GE == 1 + ACCOUNTING m_accounting; + MALLOC_TRACKER m_alloc_tracker; +@@ -1316,8 +1318,28 @@ callProcessor(XML_Parser parser, const char *start, const char *end, + static XML_Bool /* only valid for root parser */ + startParsing(XML_Parser parser) { + /* hash functions must be initialized before setContext() is called */ +- if (parser->m_hash_secret_salt == 0) +- parser->m_hash_secret_salt = generate_hash_secret_salt(parser); ++ if (! parser->m_hash_secret_salt_set) { ++ if (parser->m_hash_secret_salt == 0) ++ parser->m_hash_secret_salt = generate_hash_secret_salt(parser); ++ /* Generate full 128-bit key for SipHash */ ++ unsigned long salt_parts[2]; ++ salt_parts[0] = generate_hash_secret_salt(parser); ++ salt_parts[1] = parser->m_hash_secret_salt; ++ unsigned char entropy_buf[16]; ++ memset(entropy_buf, 0, sizeof(entropy_buf)); ++ memcpy(entropy_buf, &salt_parts[0], sizeof(salt_parts[0])); ++ memcpy(entropy_buf + sizeof(salt_parts[0]), &salt_parts[1], ++ sizeof(salt_parts[1])); ++ /* On 32-bit, fill remaining 8 bytes with more entropy */ ++ if (sizeof(unsigned long) < 8) { ++ unsigned long extra1 = generate_hash_secret_salt(parser); ++ unsigned long extra2 = generate_hash_secret_salt(parser); ++ memcpy(entropy_buf + 8, &extra1, sizeof(extra1)); ++ memcpy(entropy_buf + 12, &extra2, sizeof(extra2)); ++ } ++ sip_tokey(&parser->m_hash_secret_salt_128, entropy_buf); ++ parser->m_hash_secret_salt_set = XML_TRUE; ++ } + if (parser->m_ns) { + /* implicit context only set for root parser, since child + parsers (i.e. external entity parsers) will inherit it +@@ -1606,6 +1628,9 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) { + parser->m_paramEntityParsing = XML_PARAM_ENTITY_PARSING_NEVER; + #endif + parser->m_hash_secret_salt = 0; ++ memset(&parser->m_hash_secret_salt_128, 0, ++ sizeof(parser->m_hash_secret_salt_128)); ++ parser->m_hash_secret_salt_set = XML_FALSE; + + #if XML_GE == 1 + memset(&parser->m_accounting, 0, sizeof(ACCOUNTING)); +@@ -2330,6 +2355,30 @@ XML_SetHashSalt(XML_Parser parser, unsigned long hash_salt) { + return 1; + } + ++XML_Bool XMLCALL ++XML_SetHashSalt16Bytes(XML_Parser parser, const uint8_t entropy[16]) { ++ if (parser == NULL) ++ return XML_FALSE; ++ ++ if (entropy == NULL) ++ return XML_FALSE; ++ ++ /* Walk up to root parser */ ++ XML_Parser rootParser = parser; ++ while (rootParser->m_parentParser) ++ rootParser = rootParser->m_parentParser; ++ ++ /* block after XML_Parse()/XML_ParseBuffer() has been called */ ++ if (parserBusy(rootParser)) ++ return XML_FALSE; ++ ++ sip_tokey(&(rootParser->m_hash_secret_salt_128), entropy); ++ ++ rootParser->m_hash_secret_salt_set = XML_TRUE; ++ ++ return XML_TRUE; ++} ++ + enum XML_Status XMLCALL + XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) { + if ((parser == NULL) || (len < 0) || ((s == NULL) && (len != 0))) { +@@ -7831,8 +7880,16 @@ keylen(KEY s) { + + static void + copy_salt_to_sipkey(XML_Parser parser, struct sipkey *key) { +- key->k[0] = 0; +- key->k[1] = get_hash_secret_salt(parser); ++ /* Walk up to root parser to access the 128-bit salt */ ++ XML_Parser rootParser = parser; ++ while (rootParser->m_parentParser) ++ rootParser = rootParser->m_parentParser; ++ if (rootParser->m_hash_secret_salt_set) { ++ *key = rootParser->m_hash_secret_salt_128; ++ } else { ++ key->k[0] = 0; ++ key->k[1] = get_hash_secret_salt(parser); ++ } + } + + static unsigned long FASTCALL +diff --git a/tests/basic_tests.c b/tests/basic_tests.c +index 023d9ce..40254e5 100644 +--- a/tests/basic_tests.c ++++ b/tests/basic_tests.c +@@ -204,6 +204,30 @@ START_TEST(test_hash_collision) { + END_TEST + #undef COLLIDING_HASH_SALT + ++START_TEST(test_hash_salt_setter) { ++ const uint8_t entropy[16] = {'0', '1', '2', '3', '4', '5', '6', '7', ++ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'}; ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++ /* NULL parser should be rejected */ ++ assert_true(XML_SetHashSalt16Bytes(NULL, entropy) == XML_FALSE); ++ ++ /* NULL entropy should be rejected */ ++ assert_true(XML_SetHashSalt16Bytes(parser, NULL) == XML_FALSE); ++ ++ /* Setting should be allowed more than once */ ++ assert_true(XML_SetHashSalt16Bytes(parser, entropy) == XML_TRUE); ++ assert_true(XML_SetHashSalt16Bytes(parser, entropy) == XML_TRUE); ++ ++ /* But not after parsing has started */ ++ assert_true(XML_Parse(parser, "", 0, XML_FALSE /* isFinal */) ++ == XML_STATUS_OK); ++ assert_true(XML_SetHashSalt16Bytes(parser, entropy) == XML_FALSE); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ + /* Regression test for SF bug #491986. */ + START_TEST(test_danish_latin1) { + const char *text = "\n" +@@ -6244,6 +6268,7 @@ make_basic_test_case(Suite *s) { + tcase_add_test(tc_basic, test_bom_utf16_le); + tcase_add_test(tc_basic, test_nobom_utf16_le); + tcase_add_test(tc_basic, test_hash_collision); ++ tcase_add_test(tc_basic, test_hash_salt_setter); + tcase_add_test(tc_basic, test_illegal_utf8); + tcase_add_test(tc_basic, test_utf8_auto_align); + tcase_add_test(tc_basic, test_utf16); +-- +2.43.0 + diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb index 151720a9e3..eda0ff9808 100644 --- a/meta/recipes-core/expat/expat_2.6.4.bb +++ b/meta/recipes-core/expat/expat_2.6.4.bb @@ -51,6 +51,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-32777-02.patch \ file://CVE-2026-32778-01.patch \ file://CVE-2026-32778-02.patch \ + file://CVE-2026-7210.patch \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Mon Jun 15 06:36:23 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Amaury Couderc X-Patchwork-Id: 90097 X-Patchwork-Delegate: yoann.congal@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A5D01CD98C5 for ; Mon, 15 Jun 2026 06:37:12 +0000 (UTC) Received: from DU2PR03CU002.outbound.protection.outlook.com (DU2PR03CU002.outbound.protection.outlook.com [52.101.65.66]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.123820.1781505422221099726 for ; Sun, 14 Jun 2026 23:37:02 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@est.tech header.s=selector1 header.b=ogZJDVAd; spf=pass (domain: est.tech, ip: 52.101.65.66, mailfrom: amaury.couderc@est.tech) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=pNzaqseCUUvjWjcgId3Fy9YngmKv5LcglMF1fhRaVkSD+RQxntdENVqsJvxg+e9IyRPWDP0BIV3yuPg1eQwQzohXZ+yFQ7r9p2oViOi1WJkPSJpxbPA98uK6psO+MvlIFRETlGBSFEWwTK92weovtvc52x8DMVRS0tKXDvnkFLvbQixWwIUln0+59ImnRJgY+dTiQJk+8q4P1NdEff7zS80UC1yBM27/dgTUIK3ZOkVHgIqTBnWhSr92YSa1VkwsUeAzbuAVPoTGIHyc7Abvm2whaddP+y5akbSrrybb9BElC4/0lJNlmK0ytcYMxNKfPjSgUJT6JD5lnoVTmJxRyw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=PLuT4+EpAWo2YozTNxmMfBuC7R/oXbT/tkyiWr+mcNQ=; b=X9ah5CHiKIa6zggt2yektgiyck/u2HrAS4hLrRAq+fqt90iYCJ/y8lmM7t2vT9+LDni269JwgV3ED9TOktnjmRrIMQOrLeR+OyEXq7uNDzkFp/tPU/lCwPZukgTEJ4zPxiN8ACaHf20qgw862oIntNTBrDuxC4MHufxlwBo0eDR33BItsSO86pL4ilHKJG1lefQLIInFvYTG2GhlT+bFtXjrthRMTb/XfTwa9mPHtcrBRtgECCAac3X+EBjehvjP5OQPfMUl/BgT9pq+9tanEoEaecMXVDUN0wCkBeMgdycFHVENrjc/EdchsAkFwcM2stOh/F6HRBpm5lIjWaK5jQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=est.tech; dmarc=pass action=none header.from=est.tech; dkim=pass header.d=est.tech; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=est.tech; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PLuT4+EpAWo2YozTNxmMfBuC7R/oXbT/tkyiWr+mcNQ=; b=ogZJDVAdXhY4LKPi65djY/2VVXPIIrlgcpRJer0qdmk1LW4XvchWjtLeQ9H7EgsibYuXuYJ75r+MaSo0NVOqf6PgDHQOrWg4B2EUKl/V7PvUs/MpX3HuGSknM2t0xuuT9q3njkkQ925T0sh/wg8igKS9va458Wya8beownj73/2dDd0/3Cm2BGewWawRv/qrKVJtb/CydZzpTozFJsApGkuZmxQhkdzTgLlB01mJ6qsZcDuqtUR37diuEolYIqcu1FcnT8qyO89s+05jWaK6DjaOVDl9hyQ4UsHRKlGVBy1ks+cSM6ZGzPFBqKCgnQYlCQK7dZD69Xe02SZCt4Xehw== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=est.tech; Received: from AMBP189MB3196.EURP189.PROD.OUTLOOK.COM (2603:10a6:20b:6ad::11) by BESP189MB3284.EURP189.PROD.OUTLOOK.COM (2603:10a6:b10:e7::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.113.18; Mon, 15 Jun 2026 06:36:59 +0000 Received: from AMBP189MB3196.EURP189.PROD.OUTLOOK.COM ([fe80::1afd:f059:542:3d95]) by AMBP189MB3196.EURP189.PROD.OUTLOOK.COM ([fe80::1afd:f059:542:3d95%4]) with mapi id 15.21.0113.015; Mon, 15 Jun 2026 06:36:59 +0000 From: amaury.couderc@est.tech To: openembedded-core@lists.openembedded.org Subject: [PATCH v2 2/2][OE-core][scarthgap] python3: fix CVE-2026-7210 Date: Mon, 15 Jun 2026 08:36:23 +0200 Message-ID: <20260615063640.25128-1-amaury.couderc@est.tech> X-Mailer: git-send-email 2.43.0 X-ClientProxiedBy: DU7P191CA0026.EURP191.PROD.OUTLOOK.COM (2603:10a6:10:54e::6) To AMBP189MB3196.EURP189.PROD.OUTLOOK.COM (2603:10a6:20b:6ad::11) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AMBP189MB3196:EE_|BESP189MB3284:EE_ X-MS-Office365-Filtering-Correlation-Id: 90d585e4-ae50-40c7-fa94-08decaa88082 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|23010399003|376014|366016|1800799024|18002099003|13003099007|56012099006|11063799006|25016099003|12006099003|6133799003|29003799003; X-Microsoft-Antispam-Message-Info: 0S7LnSbnUdAE7sJR1mohvL7z9J1Vo8rrUZzKh1M+ECyE4UmjmS+ZLuvVvDeRCNNzMmdJ/H/ypKVf4yPW6PooAh0fLZcy/tBsaiNixYU8gQV8jKDZ0gsdoUyN0leoU8KkB2fJ1RAANlL/t/TwlknrD2nbhFMOiTejLU6bWayng+1BRmvNSs9cau8hJ6xVk+pK577nY93b2hE7YjpEkJq1ndGUUre1HY/RouLnLw4HDAaRGOUgt8wL1pAhH/8RtEhoqkte58bzEKk/eFEy1Vi3C6PStJM+4p6qTi6LeSwzmhGtYzht7uFPhtj5i3bZtnY1a8GmA7G+FbCq98o1vEEo8nDXwlEyVWOIyaT50KNaDJaIeCIMrHZQklhBcJGRUAKKMPP2zXB9LkYTAABPSgNMm6TCDw3j3P7k6j9sytJum8ij5YiEQI0zhQARDXJYA00FLmTeDqxzhN89mZc0OQ6tfUVzols0+v5+AfJ0CYCYKH2cO98OK+tJcZmkVF6pJe7jLI/iMY0s7m8sFCLh2s6JRsCE/z22lLyAapT0dXWFZQhKYXyayJprKZbC97m7CdG7/N5Gkulv0P9JbceFlMHu3+GxJg7Ngbp639rpxcsh49hAoMWiKwndv/7WVJBc2ErTZ1rZ2vYmFwVFeliw+4vE6S90tFfyukGrVwirU8l8NP8gn2igi3Np8VUYoOzSl1uOP6UD/62cJ9W6DXJEb6kMzw== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AMBP189MB3196.EURP189.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(23010399003)(376014)(366016)(1800799024)(18002099003)(13003099007)(56012099006)(11063799006)(25016099003)(12006099003)(6133799003)(29003799003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: jbo9FrrH5EXlRoOml5DnNd90ojwhDLpcRsWjgLe7mC06n+18zwsBqyX+LdEkZa16dpEmvf2fT+gjHBVX5jg7GH/Eh7jWUFUsw4uQW9A2dCPruiVGihccRg4XXubuaXqRGc/ICn3osE5OIglRcut5bGCgx/EaMKVNL3sqnsthhyWYQH4AwY3kGUMoQPgSa7Pa/Yfhvrzp3uibVLj9G0ShK+3NNLNnA7aWQJpeDJgSKH3rXPa2cihmJqMcFIKVz26zK5lODuNGWxwaqOdMA8ySlfuFjXCO5fRenVSzoNskVE0w3BElX+eRxxcY69walqU2mYqTFxFzTVDuSzujVzcBVUlXRQYVgPwdtwK0a8pjTGDpSFoqVqO8jq3r/HILKHgDeIZCf2pr6M5DQaKmG2X2MhCOcUx/juax2dKBBcVrSrcFuyyJdifMMvSaRCoaDgdtkZnTb3GyuPfDwIo+iLaT9hbsTSfHD59Xphg1izauTmHNSqR5+Mgft7XoUIrlcnxHz6sYROtbMUZNK01MsC/G2DNs24qJX+4oPZwA1zdGg5zj9cTtDBgl3q1dMwxDfnR2xbSkshmzHJ6ObKe7dPONE+GE/q1J0bE26fINCSAcIGe6l5AyT8vONOvNtDGvF22yJBX+yhEuzj9FcJ8yW4OuS67K9BWK08o56bRK8OCEA8NSvQPb4ZEtD8biU+n2F3LrXdXH1UEs5rdvKgHiI9XlWlUyxZFxodUbWR5pwLJILzjy0xqNP8OpOuqZJUxUfktY5GtUyHSLjYH6tRVCYCvO0oVtMayVU4J7KcOqY7CQLz5/iWlmmIEmxRoGEqJqpwy9ejcpibo/JpD5wGovfsUOP0sHN3Wtus37x6l5Uv/hsSRzZzdh//y/pgzAg7xXM4nQWueMdS5foPPGn/MSJ5PgWBk0K2wQmDPcP7PGekl2q64fhJse1/fLVu4FPB4hN1yTMvbaCsZNSV8DLCOa9jtpH8JRBDToSMnvOfafH88G3JjDNrmTitPs1l7wd/MM+I7BrRm213XL9EnuGSRkPMypKi8A8WrkV3z9CPybT/w5EPN4yGXoJY+ULpHSJ69n36uuwBy/fDGWgXsttS5WheVKNFO45yfPcOuvVGzFRoMHhqqxc+FVizk3+3hc8Hdvfd96sWhrPd0rR63/6l0AQPOEUJ3DboHjQPtoDyyLNHHY0y49Ow4+u+9ZvmGX56N6guV4pHGHRZicVhwp7OEUfM6MMKWlajZCaB9xiS9qKNbZMkyvTlrhUbzs6Lqm8/MmBNEL4ADexNlDRwfwe1XRIXa90ITgwrWiPxv9mV8g8Aq1cZ1Ti+65+H+IJ+TEyqWslLh2r/+VkZo5s4XA5NOVu77ajGRuLjJ8irFI2ZDlxd2x9mNOsY5onzKajPUI8N96qTnnayqcKRFVCLwndh/oNcUCWyvLa2ROWNrZ6fnP35AfliGCK4QzW9MrQS48+BKBYeV69tdIAtCKb97vedSVGq4LTANmuA+tD2/f6l3JlCq1yVCQW0tb5JQqvoMt+WqQOlEc1NRAjcOakPIUlUNR6/7DT4hihCC4vwmVgXRmnvf9tph8glxSqAHNXCbMQxvvQgCjkfZ/UJzKRIGoGZ8EWSwQG+fpONnxStv+AXaOLcLfzbv8N/HXTZKlW/4afnX2VdO8QFBDHOgLnE/9PQOb09r6gGY/AhVWBJTTAsMWIl9p29DLdYZFgr8j39ddXYkFXrkR3p9lr8QKuSuSIDVa5oLALQ== X-OriginatorOrg: est.tech X-MS-Exchange-CrossTenant-Network-Message-Id: 90d585e4-ae50-40c7-fa94-08decaa88082 X-MS-Exchange-CrossTenant-AuthSource: AMBP189MB3196.EURP189.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 Jun 2026 06:36:59.3228 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: d2585e63-66b9-44b6-a76e-4f4b217d97fd X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: Wh21kCg90T1x3loZMZiCLLla2/KaNf/cI6pH2LQoRm+nfIugQF6vW9uD/SUQtbIm+sKcw5BtU1tbYDqUubzg0A== X-MS-Exchange-Transport-CrossTenantHeadersStamped: BESP189MB3284 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 15 Jun 2026 06:37:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238815 From: Amaury Couderc Backport patch to fix CVE-2026-7210. https://nvd.nist.gov/vuln/detail/CVE-2026-7210 In order to mitigate CVE-2026-7210 this patch should come alongside the associated expat one which backports to expat 2.6.4 the fixes introduced in expat 2.8.0. Upstream fixes: https://github.com/python/cpython/pull/149023/commits/03794ce9a58b1f33751c88d7d876dfbf27645c56 https://github.com/python/cpython/pull/149023/commits/ccb8d2f7df9534e49a43554193d7f5f4d993189c Signed-off-by: Amaury Couderc --- .../python/python3/CVE-2026-7210-1.patch | 90 +++++++++++++++++++ .../python/python3/CVE-2026-7210-2.patch | 74 +++++++++++++++ .../python/python3_3.12.13.bb | 2 + 3 files changed, 166 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-7210-1.patch create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-7210-2.patch diff --git a/meta/recipes-devtools/python/python3/CVE-2026-7210-1.patch b/meta/recipes-devtools/python/python3/CVE-2026-7210-1.patch new file mode 100644 index 0000000000..63aac320af --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-7210-1.patch @@ -0,0 +1,90 @@ +From 03794ce9a58b1f33751c88d7d876dfbf27645c56 Mon Sep 17 00:00:00 2001 +From: Stan Ulbrych +Date: Sun, 26 Apr 2026 19:31:25 +0100 +Subject: [PATCH] Use `XML_SetHashSalt16Bytes` from libExpat when possible + +CVE: CVE-2026-7210 +Upstream-Status: Backport [https://github.com/python/cpython/pull/149023/commits/03794ce9a58b1f33751c88d7d876dfbf27645c56] with downstream extension for XML_BACKPORT_SET_HASH_SALT_16_BYTES detection + +Signed-off-by: Amaury Couderc +--- + Include/pyexpat.h | 3 +++ + .../2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst | 3 +++ + Modules/_elementtree.c | 8 ++++++-- + Modules/pyexpat.c | 11 ++++++++++- + 4 files changed, 22 insertions(+), 3 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst + +diff --git a/Include/pyexpat.h b/Include/pyexpat.h +index f523f8bb273983a..a676e16a7a457ea 100644 +--- a/Include/pyexpat.h ++++ b/Include/pyexpat.h +@@ -57,6 +57,9 @@ struct PyExpat_CAPI + XML_Parser parser, unsigned long long activationThresholdBytes); + XML_Bool (*SetAllocTrackerMaximumAmplification)( + XML_Parser parser, float maxAmplificationFactor); ++ /* might be NULL for expat < 2.8.0 */ ++ XML_Bool (*SetHashSalt16Bytes)( ++ XML_Parser parser, const uint8_t entropy[16]); + /* always add new stuff to the end! */ + }; + +diff --git a/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst b/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst +new file mode 100644 +index 000000000000000..d1b5b368684e6a5 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst +@@ -0,0 +1,3 @@ ++Improved protection against XML hash-flooding attacks in ++:mod:`xml.parsers.expat` and :mod:`xml.etree.ElementTree` when Python is ++compiled with libExpat 2.8.0 or later. +diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c +index cbd1e026df27227..b2d4b982602c583 100644 +--- a/Modules/_elementtree.c ++++ b/Modules/_elementtree.c +@@ -3657,8 +3657,12 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *target, + PyErr_NoMemory(); + return -1; + } +- /* expat < 2.1.0 has no XML_SetHashSalt() */ +- if (EXPAT(st, SetHashSalt) != NULL) { ++ // Prefer 16-byte entropy, only expat >= 2.8.0. See gh-149018 ++ if (EXPAT(st, SetHashSalt16Bytes) != NULL) { ++ EXPAT(st, SetHashSalt16Bytes)(self->parser, ++ (const uint8_t *)_Py_HashSecret.uc); ++ } ++ else if (EXPAT(st, SetHashSalt) != NULL) { + EXPAT(st, SetHashSalt)(self->parser, + (unsigned long)_Py_HashSecret.expat.hashsalt); + } +diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c +index 0f0afe17513ef1c..1df433e64bc096f 100644 +--- a/Modules/pyexpat.c ++++ b/Modules/pyexpat.c +@@ -1388,7 +1388,12 @@ newxmlparseobject(pyexpat_state *state, const char *encoding, + Py_DECREF(self); + return NULL; + } +-#if XML_COMBINED_VERSION >= 20100 ++#if defined(XML_BACKPORT_SET_HASH_SALT_16_BYTES) \ ++ || XML_COMBINED_VERSION >= 20800 ++ /* This feature was added upstream in libexpat 2.8.0. */ ++ XML_SetHashSalt16Bytes(self->itself, ++ (const uint8_t *)_Py_HashSecret.uc); ++#elif XML_COMBINED_VERSION >= 20100 + /* This feature was added upstream in libexpat 2.1.0. */ + XML_SetHashSalt(self->itself, + (unsigned long)_Py_HashSecret.expat.hashsalt); +@@ -2257,6 +2262,12 @@ pyexpat_exec(PyObject *mod) + #else + capi->SetHashSalt = NULL; + #endif ++#if defined(XML_BACKPORT_SET_HASH_SALT_16_BYTES) \ ++ || XML_COMBINED_VERSION >= 20800 ++ capi->SetHashSalt16Bytes = XML_SetHashSalt16Bytes; ++#else ++ capi->SetHashSalt16Bytes = NULL; ++#endif + #if XML_COMBINED_VERSION >= 20600 + capi->SetReparseDeferralEnabled = XML_SetReparseDeferralEnabled; + #else diff --git a/meta/recipes-devtools/python/python3/CVE-2026-7210-2.patch b/meta/recipes-devtools/python/python3/CVE-2026-7210-2.patch new file mode 100644 index 0000000000..e9a10d3705 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-7210-2.patch @@ -0,0 +1,74 @@ +From ccb8d2f7df9534e49a43554193d7f5f4d993189c Mon Sep 17 00:00:00 2001 +From: Stan Ulbrych +Date: Sun, 26 Apr 2026 19:42:01 +0100 +Subject: [PATCH] Add `_Py_HashSecret_t.expat.hashsalt16` instead + +CVE: CVE-2026-7210 +Upstream-Status: Backport [https://github.com/python/cpython/pull/149023/commits/ccb8d2f7df9534e49a43554193d7f5f4d993189c] + +Signed-off-by: Amaury Couderc +--- + Include/pyhash.h | 8 +++++--- + Modules/_elementtree.c | 2 +- + Modules/pyexpat.c | 3 +-- + 3 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/Include/pyhash.h b/Include/pyhash.h +index 84cb72fa6fd1b26..3056dc44cc0f1b1 100644 +--- a/Include/pyhash.h ++++ b/Include/pyhash.h +@@ -39,14 +39,14 @@ + * pppppppp ssssssss ........ fnv -- two Py_hash_t + * k0k0k0k0 k1k1k1k1 ........ siphash -- two uint64_t + * ........ ........ ssssssss djbx33a -- 16 bytes padding + one Py_hash_t +- * ........ ........ eeeeeeee pyexpat XML hash salt ++ * eeeeeeee eeeeeeee eeeeeeee pyexpat XML hash salt + * + * memory layout on 32 bit systems + * cccccccc cccccccc cccccccc uc + * ppppssss ........ ........ fnv -- two Py_hash_t + * k0k0k0k0 k1k1k1k1 ........ siphash -- two uint64_t (*) + * ........ ........ ssss.... djbx33a -- 16 bytes padding + one Py_hash_t +- * ........ ........ eeee.... pyexpat XML hash salt ++ * eeeeeeee eeeeeeee eeee.... pyexpat XML hash salt + * + * (*) The siphash member may not be available on 32 bit platforms without + * an unsigned int64 data type. +@@ -71,7 +71,9 @@ typedef union { + Py_hash_t suffix; + } djbx33a; + struct { +- unsigned char padding[16]; ++ /* 16 bytes for XML_SetHashSalt16Bytes */ ++ uint8_t hashsalt16[16]; ++ /* 4/8 bytes for legacy XML_SetHashSalt */ + Py_hash_t hashsalt; + } expat; + } _Py_HashSecret_t; +diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c +index b2d4b982602c583..9e794be5c109ba5 100644 +--- a/Modules/_elementtree.c ++++ b/Modules/_elementtree.c +@@ -3660,7 +3660,7 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *target, + // Prefer 16-byte entropy, only expat >= 2.8.0. See gh-149018 + if (EXPAT(st, SetHashSalt16Bytes) != NULL) { + EXPAT(st, SetHashSalt16Bytes)(self->parser, +- (const uint8_t *)_Py_HashSecret.uc); ++ _Py_HashSecret.expat.hashsalt16); + } + else if (EXPAT(st, SetHashSalt) != NULL) { + EXPAT(st, SetHashSalt)(self->parser, +diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c +index 1df433e64bc096f..78efbef679024f3 100644 +--- a/Modules/pyexpat.c ++++ b/Modules/pyexpat.c +@@ -1391,8 +1391,7 @@ newxmlparseobject(pyexpat_state *state, const char *encoding, + #if defined(XML_BACKPORT_SET_HASH_SALT_16_BYTES) \ + || XML_COMBINED_VERSION >= 20800 + /* This feature was added upstream in libexpat 2.8.0. */ +- XML_SetHashSalt16Bytes(self->itself, +- (const uint8_t *)_Py_HashSecret.uc); ++ XML_SetHashSalt16Bytes(self->itself, _Py_HashSecret.expat.hashsalt16); + #elif XML_COMBINED_VERSION >= 20100 + /* This feature was added upstream in libexpat 2.1.0. */ + XML_SetHashSalt(self->itself, diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb index 5fa25235fe..3e5575d396 100644 --- a/meta/recipes-devtools/python/python3_3.12.13.bb +++ b/meta/recipes-devtools/python/python3_3.12.13.bb @@ -34,6 +34,8 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-test_deadlock-skip-problematic-test.patch \ file://0001-test_active_children-skip-problematic-test.patch \ file://0001-test_readline-skip-limited-history-test.patch \ + file://CVE-2026-7210-1.patch \ + file://CVE-2026-7210-2.patch \ " SRC_URI:append:class-native = " \