From patchwork Fri Jul 10 13:08:09 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92179 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1D4DBC43458 for ; Fri, 10 Jul 2026 13:08:20 +0000 (UTC) Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.12173.1783688898544299257 for ; Fri, 10 Jul 2026 06:08:18 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=aQSc2MU0; spf=pass (domain: cisco.com, ip: 173.37.86.80, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=6365; q=dns/txt; s=iport01; t=1783688898; x=1784898498; h=from:to:subject:date:message-id:mime-version: content-transfer-encoding; bh=joMWqZW1qtelWgXTN5fvFQ/C8R3smYZnnzAs8JBNkNo=; b=aQSc2MU0GSQaiUqnl8T2yjhyXJvPrpydmWU1lnw7tYHI/u+hVHAFNQ0a i8ktEQWYoW7D6x8+q8qRY85G+s1xYWGZW7j7KJN/aozIF1H8cNgrL8b7G RbfpIvWWdpLI9ei2Lq98JuQdQRQj2wcSNROFae6QUhz99fCLtM8MTzUHM NCZPSgPsKiOMtMAFY5d7lBvkDeNBItxPRw4urfGYOcowMpDznwQPXURz3 UvtNZRjSh/MWMKjGsGB8w2usmxUCHZJfIyEhgEraHSpOItf+AoBTwiGHD ttNvX/K7kfPHdz3MBxa4s4Rgnd+Ng24q85EbCv0V4o0L2AAdQaqpHYKC/ A==; X-CSE-ConnectionGUID: bJpk2i69SA2w4Ei3+eB8Iw== X-CSE-MsgGUID: tBrV4Ar5Q+GwkaeRoGKENA== X-IPAS-Result: A0BEAgDL7VBq/4z/Ja1aglmCV3RfQkmUKYIhgRadCIF+DwEBAQ9EDQQBAYQ/jhUCJjQJDgECBAMCAwEBAQEBAQEBAQEBCwEBBQEBAQIBBwWBDhOGTw2GWgEtCwEYAVkDAQJaIyGDAgGCcwIBEblJGjeBeTOBAYMoAT8CQ1DbLgELFAGBOIU/iB9bGAGEfCcbG4FygRWCc3aBBYFcAQGBJ4Z+BIIigQyBWh6FB4prSIEeA1ksAVUTDQoLBwWBZgM1EioVbjIdgSM+F4EMGwcFgR2BWYEChHkjHwM5f4EwdUp5LXMSHgqBUoIWVAMLGA1IESw3FBsEPm4HjT4XD4I+gQ4sgUMRlBeQFoIhoQ8KKIN1jCGVOhozqmwLmH2OCpYDTYRpgWg8gSgfCwdwFYJuATMJShkPji0LC4NggX/MWyQ1AgkyAQEHAgcOAwuBaJAAgX4BAQ IronPort-Data: A9a23:sxs4Z6s4x4j7++aB0ePAKRElp+fnVAdfMUV32f8akzHdYApBsoF/q tZmKWDQOvneNGWhKNl0YY6z9UID6MKByYVkTlQ+qig2RSgagMeUXt7xwmUckM+xwmwvaGo9s q3yv/GZdJhcokf0/0nrav666yEgiclkf5KkYMbcICd9WAR4fykojBNnioYRj5Vh6TSDK1vlV eja/YuFZTdJ5xYuajhKs/3b+Es21BjPkGpwUmIWNKgjUGD2zxH5PLpHTYmtIn3xRJVjH+LSb 47r0LGj82rFyAwmA9Wjn6yTWhVirmn6ZFXmZtJ+AsBOszAazsAA+v9T2Mk0NS+7vw60c+VZk 72hg3AfpTABZcUgkMxFO/VR/roX0aduoNcrKlDn2SCfItGvn3bEm51T4E8K0YIw8MRvAjtPq 60jAWoSMj2C3KG76uKaVbw57igjBJGD0II3oHpsy3TdSP0hW52GG/6M7t5D1zB2jcdLdRrcT 5NGMnw0M1KaPkAJYwtPYH49tL/Aan3XfzBVsluJpa0f6GnIxws327/oWDbQUoHSG5ULwB7A/ goq+UzlKAskaPWFlAPG3W2vj+L1mgzYdaQ7QejQGvlCxQf7KnYoIBoOWF22pPO0hkKzV5dUL FYZ0i4vtrQpskuzQ9/wWhe1rHKJslgbQdU4LgEhwBuGxqyR50OSAXIJC2YaLtcnr8QxAzct0 zdlgu/UONCmi5XNIVr1y1tehWra1fQ9RYPaWRI5cA== IronPort-HdrOrdr: A9a23:A2r7RKNTWX4sGcBcTvGjsMiBIKoaSvp037BN7TESdfU7SKKlfq yV8cjztiWE6wr5OktApTnoAsDpKhnhHPVOjrX5U43PYOCfgguVBbAny5f+yDv9HCC73Otc2a B8N5VaMrTLfD1HZQKQ2njeLz7mq+P3lJyVuQ== X-Talos-CUID: 9a23:3WKE12zZknYmMeITgH7TBgUeONgmKHyDnUz5eVDkJGcyC7C/GX6PrfY= X-Talos-MUID: 9a23:hX37nAuIvD1Fu0PQ6s2nmBt4CptB+fmXS28SkpwLgc6rFgFWEmLI X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,154,1779148800"; d="scan'208";a="506866000" Received: from rcdn-l-core-03.cisco.com ([173.37.255.140]) by rcdn-iport-9.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 10 Jul 2026 13:08:17 +0000 Received: from sjc-ads-3552.cisco.com (sjc-ads-3552.cisco.com [171.68.249.250]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-03.cisco.com (Postfix) with ESMTPS id 9872618000610 for ; Fri, 10 Jul 2026 13:08:17 +0000 (GMT) Received: by sjc-ads-3552.cisco.com (Postfix, from userid 1795984) id 4691ACC2EC3; Fri, 10 Jul 2026 06:08:17 -0700 (PDT) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose][PATCH 01/10] expat: fix CVE-2026-56403 Date: Fri, 10 Jul 2026 06:08:09 -0700 Message-ID: <20260710130809.2817559-1-deeratho@cisco.com> X-Mailer: git-send-email 2.53.0 MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;sjc-ads-3552.cisco.com [171.68.249.250];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.68.249.250, sjc-ads-3552.cisco.com X-Outbound-Node: rcdn-l-core-03.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 13:08:20 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240641 From: Deepak Rathore These patches apply the upstream fixes shown in [1] and [2], as referenced by [3]. [1] https://github.com/libexpat/libexpat/commit/12dc6d8d3d65f79471a94d8565f6bf1cf245f648 [2] https://github.com/libexpat/libexpat/commit/147c8f36d6277d5c6011c098370a8362aed47b15 [3] https://nvd.nist.gov/vuln/detail/CVE-2026-56403 Signed-off-by: Deepak Rathore diff --git a/meta/recipes-core/expat/expat/CVE-2026-56403_p1.patch b/meta/recipes-core/expat/expat/CVE-2026-56403_p1.patch new file mode 100644 index 0000000000..4cf5c3bd54 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56403_p1.patch @@ -0,0 +1,83 @@ +From 4a264be1794368a1acc08476058b6cf087686d11 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Wed, 20 May 2026 12:12:10 +0200 +Subject: [PATCH] lib: Protect function `storeAtts` from signed integer + overflow + +CVE: CVE-2026-56403 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/12dc6d8d3d65f79471a94d8565f6bf1cf245f648] + +Backport Changes: +- Retain the Expat 2.7.5 binding URI reallocation and active tag pointer + updates while using the overflow-safe localPartLen calculation. + +(cherry picked from commit 12dc6d8d3d65f79471a94d8565f6bf1cf245f648) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 30 ++++++++++++++++++++---------- + 1 file changed, 20 insertions(+), 10 deletions(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 0248b665..e441ff7f 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -4235,26 +4235,32 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr, + return XML_ERROR_NONE; + prefixLen = 0; + if (parser->m_ns_triplets && binding->prefix->name) { +- while (binding->prefix->name[prefixLen++]) +- ; /* prefixLen includes null terminator */ ++ size_t candidateLen = 0; ++ while (binding->prefix->name[candidateLen++]) ++ ; /* candidateLen includes null terminator */ ++ /* Detect and prevent integer overflow */ ++ if (candidateLen > INT_MAX) ++ return XML_ERROR_NO_MEMORY; ++ prefixLen = (int)candidateLen; + } + tagNamePtr->localPart = localPart; + tagNamePtr->uriLen = binding->uriLen; + tagNamePtr->prefix = binding->prefix->name; + tagNamePtr->prefixLen = prefixLen; +- for (i = 0; localPart[i++];) +- ; /* i includes null terminator */ ++ ++ size_t localPartLen = 0; ++ for (; localPart[localPartLen++];) ++ ; /* localPartLen includes null terminator */ + + /* Detect and prevent integer overflow */ +- if (binding->uriLen > INT_MAX - prefixLen +- || i > INT_MAX - (binding->uriLen + prefixLen)) { ++ if (localPartLen > INT_MAX || binding->uriLen > INT_MAX - prefixLen ++ || localPartLen > (size_t)INT_MAX - (binding->uriLen + prefixLen)) { + return XML_ERROR_NO_MEMORY; + } + +- n = i + binding->uriLen + prefixLen; ++ n = (int)localPartLen + binding->uriLen + prefixLen; + if (n > binding->uriAlloc) { + TAG *p; +- + /* Detect and prevent integer overflow */ + if (n > INT_MAX - EXPAND_SPARE) { + return XML_ERROR_NO_MEMORY; +@@ -4282,10 +4288,14 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr, + } + /* if m_namespaceSeparator != '\0' then uri includes it already */ + uri = binding->uri + binding->uriLen; +- memcpy(uri, localPart, i * sizeof(XML_Char)); ++ /* Detect and prevent integer overflow */ ++ if (localPartLen > SIZE_MAX / sizeof(XML_Char)) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ memcpy(uri, localPart, localPartLen * sizeof(XML_Char)); + /* we always have a namespace separator between localPart and prefix */ + if (prefixLen) { +- uri += i - 1; ++ uri += localPartLen - 1; + *uri = parser->m_namespaceSeparator; /* replace null terminator */ + memcpy(uri + 1, binding->prefix->name, prefixLen * sizeof(XML_Char)); + } +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat/CVE-2026-56403_p2.patch b/meta/recipes-core/expat/expat/CVE-2026-56403_p2.patch new file mode 100644 index 0000000000..a17e3a8b3a --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56403_p2.patch @@ -0,0 +1,52 @@ +From e8100827a4f68c70d8cadf446bb82bec7cbebbac Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Fri, 22 May 2026 00:43:52 +0200 +Subject: [PATCH] xmlwf: Protect function `xcsdup` from signed integer overflow + +CVE: CVE-2026-56403 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/147c8f36d6277d5c6011c098370a8362aed47b15] + +Backport Changes: +- Include stdint.h explicitly because Expat 2.7.5 does not expose SIZE_MAX + to xmlwf.c. + +(cherry picked from commit 147c8f36d6277d5c6011c098370a8362aed47b15) +Signed-off-by: Deepak Rathore +--- + expat/xmlwf/xmlwf.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/expat/xmlwf/xmlwf.c b/expat/xmlwf/xmlwf.c +index 2d0c4f8e..934473ce 100644 +--- a/expat/xmlwf/xmlwf.c ++++ b/expat/xmlwf/xmlwf.c +@@ -46,6 +46,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -305,13 +306,18 @@ processingInstruction(void *userData, const XML_Char *target, + static XML_Char * + xcsdup(const XML_Char *s) { + XML_Char *result; +- int count = 0; ++ size_t count = 0; + size_t numBytes; + + /* Get the length of the string, including terminator */ + while (s[count++] != 0) { + /* Do nothing */ + } ++ ++ // Detect and prevent integer overflow ++ if (count > SIZE_MAX / sizeof(XML_Char)) ++ return NULL; ++ + numBytes = count * sizeof(XML_Char); + result = malloc(numBytes); + if (result == NULL) +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb index 4f2578292d..a0c28d162c 100644 --- a/meta/recipes-core/expat/expat_2.7.5.bb +++ b/meta/recipes-core/expat/expat_2.7.5.bb @@ -10,6 +10,8 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}" SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://run-ptest \ + file://CVE-2026-56403_p1.patch;striplevel=2 \ + file://CVE-2026-56403_p2.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Fri Jul 10 13:08:23 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92180 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1CFEEC44501 for ; Fri, 10 Jul 2026 13:08:40 +0000 (UTC) Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.12265.1783688910923776748 for ; Fri, 10 Jul 2026 06:08:31 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=StxFEJCq; spf=pass (domain: cisco.com, ip: 173.37.86.76, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=2558; q=dns/txt; s=iport01; t=1783688910; x=1784898510; h=from:to:subject:date:message-id:mime-version: content-transfer-encoding; bh=9TfTS0XlbMDKUa0kTF1pQ1DM4WlhVto93lIqGvP4AuY=; b=StxFEJCqaR9TB1M/+jHHyHb8sOxeoLK8xFP9/hwZkS6KGZXyBwFez/rB EC3wNpeONKdfc5xZ53AiaM71xqalem1Em0KzFnafN10SxOSvigIKZYfRE hWGhPB0Jc883pzoYGxAflmUirZXLHaGCwpd7fn4C90ZotlFFw6PVKSP0F p7ykqg/erljVlvkqqakncF1QUX88ZpY0WIjvbfAacaQ7jG35lso1ng28G jxwW/Z7O0ee465m0zRKya8s2DGaOXOQwjJY/CMJBbv2P4Yht5rhDpw1GL opy8ohfjYZpML2YBTiwOkKGrcZnEW3OFwXCpW/sTOfkZwy2vGeeElcmwV g==; X-CSE-ConnectionGUID: WYSv+KBUQPCWx5suCCk7VA== X-CSE-MsgGUID: FT2LT9IqSv6hHyyt/hnOQg== X-IPAS-Result: A0BDAgA+7VBq/5T/Ja1aglmCV3RfQkmUKaA/gX4PAQEBD0QNBAEBhD+OFQImNAkOAQIEAwIDAQEBAQEBAQEBAQELAQEFAQEBAgEHBYEOE4ZPDYZaATgBGAFZAwECWiMhgwIBgnMCARG5TRo3giyBAYMoAT8CQ1DbLgELFAGBOIU/iB9bGAGEfCcbG4FygRWDaYEFgVwBAYIthXgEgiKBDIFaHoUHimtIgR4DWSwBVRMNCgsHBYFmAzUSKhVuMh2BIz4XgQwbBwWBHYFZgQKEeSMfAzl/gTB1SnktcxIeCoFSghZUAwsYDUgRLDcUGwQ+bgeNPhcPgj4xXSyBQ0GmHqEPCiiDdYwhlToaM6psC5h9jgqWUIRpgWg8gSgBGgQLB3AVgm4BMwlKGQ+OOINrgX/MWyQ1AgkyAQEHAgcOAwuBaJF+AQE IronPort-Data: A9a23:Qt/1WaoOSVXDB2MKiB7Aazo7+WleBmJJZBIvgKrLsJaIsI4StFCzt garIBnSaaqLNmvxL4ogb4m0p09U7ZLTm9E1SFZkqXo0Fn5B8+PIVI+TRqvS04x+DSFioGZPt Zh2hgzodZhsJpPkjk7zdOCn9j8kif3gqoPUUIbsIjp2SRJvVBAvgBdin/9RqoNziLBVOSvV0 T/Ji5OZYgLNNwJcaDpOtfrc8EM35ZwehRtB1rAATaET1LPhvyF94KI3fcmZM3b+S49IKe+2L 86r5K255G7Q4yA2AdqjlLvhGmVSKlIFFVHT4pb+c/HKbilq/kTe4I5iXBYvQRs/ZwGyojxE4 I4lWapc5useFvakdOw1C3G0GszlVEFM0OevzXOX6aR/w6BaGpfh660GMa04AWEX0tlGOn8N1 tYlEQgmUQDenP+d67HkdMA506zPLOGzVG8ekmtrwTecCbMtRorOBvyTo9RZxzw3wMtJGJ4yZ eJANmEpN0uGOUASfA5LWPrSn8/w7pX7WzFVpUicuaowy2PS1wd2lrPqNbI5f/TXHZoEwhfJ/ DiuE2LRLC1AEODO6CO+7Cyspv7egWT7XqUrG+jtnhJtqBjJroAJMzURTVa9rPyzh0KyVt4aI EsO9wIqrLMu7wqsVtT7UhiyrXKIsxJaXMBfe9DW8ymXwabSpgLcDW8eQ3sYMZottdQ9Qnoh0 Vrhc87VOAGDeYa9ERq1nop4ZxvrUcTJBQfuvRM5cDY= IronPort-HdrOrdr: A9a23:WYQvX62zUXXSMO5RNnM8hwqjBIIkLtp133Aq2lEZdPUzSL37qy nAppomPHPP5Qr5O0tQ+uxoWpPgfZq0z/cciuMs1NyZMzUO1lHFEGgb1+vf6gylPTHi/ehA0q olWa1/BNrsSWVet6/BkWyF+xJK+qjhzEhu7t2uq0tQcQ== X-Talos-CUID: 9a23:F/7iaGEMWDetjZtUqmJYxXUKWeMPT0Tl50jAflSlIk1qF4O8HAo= X-Talos-MUID: 9a23:gEWZyQTAUNUuLZHjRXTCuGtGCJZJ+p+wVkAtgIQa/MmCEhV/bmI= X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,154,1779148800"; d="scan'208";a="507949922" Received: from rcdn-l-core-11.cisco.com ([173.37.255.148]) by rcdn-iport-5.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 10 Jul 2026 13:08:30 +0000 Received: from sjc-ads-3552.cisco.com (sjc-ads-3552.cisco.com [171.68.249.250]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-11.cisco.com (Postfix) with ESMTPS id 011E718000153 for ; Fri, 10 Jul 2026 13:08:30 +0000 (GMT) Received: by sjc-ads-3552.cisco.com (Postfix, from userid 1795984) id A371ECC2EC3; Fri, 10 Jul 2026 06:08:29 -0700 (PDT) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose][PATCH 02/10] expat: fix CVE-2026-56408 Date: Fri, 10 Jul 2026 06:08:23 -0700 Message-ID: <20260710130824.2819975-1-deeratho@cisco.com> X-Mailer: git-send-email 2.53.0 MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;sjc-ads-3552.cisco.com [171.68.249.250];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.68.249.250, sjc-ads-3552.cisco.com X-Outbound-Node: rcdn-l-core-11.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 13:08:40 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240642 From: Deepak Rathore This patch applies the upstream fix shown in [1] as referenced by [2]. The fix is adapted to the existing Expat 2.7.5 copyString implementation. [1] https://github.com/libexpat/libexpat/commit/16e2efd867ea8567ffa012210b52ef5918e20817 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-56408 Signed-off-by: Deepak Rathore diff --git a/meta/recipes-core/expat/expat/CVE-2026-56408.patch b/meta/recipes-core/expat/expat/CVE-2026-56408.patch new file mode 100644 index 0000000000..b8c43636cc --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56408.patch @@ -0,0 +1,36 @@ +From b0cf9e9b0f5dfdd938148931a4605a0fd6b917a7 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Thu, 23 Apr 2026 10:31:45 +0200 +Subject: [PATCH] lib: Waterproof `copyString` from integer overflow + +CVE: CVE-2026-56408 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/16e2efd867ea8567ffa012210b52ef5918e20817] + +Backport Changes: +- Adapt the fix to Expat 2.7.5, which calculates charsRequired using + an existing loop instead of xcslen. The upstream string helper + refactoring is not required for the overflow guard. + +(cherry picked from commit 16e2efd867ea8567ffa012210b52ef5918e20817) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index e441ff7f..4ff5e33b 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -8505,6 +8505,10 @@ copyString(const XML_Char *s, XML_Parser parser) { + /* Include the terminator */ + charsRequired++; + ++ /* Detect and prevent integer overflow */ ++ if (charsRequired > SIZE_MAX / sizeof(XML_Char)) ++ return NULL; ++ + /* Now allocate space for the copy */ + result = MALLOC(parser, charsRequired * sizeof(XML_Char)); + if (result == NULL) +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb index a0c28d162c..267e7db35b 100644 --- a/meta/recipes-core/expat/expat_2.7.5.bb +++ b/meta/recipes-core/expat/expat_2.7.5.bb @@ -12,6 +12,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://run-ptest \ file://CVE-2026-56403_p1.patch;striplevel=2 \ file://CVE-2026-56403_p2.patch;striplevel=2 \ + file://CVE-2026-56408.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Fri Jul 10 13:08:37 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92181 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1994FC43458 for ; Fri, 10 Jul 2026 13:08:50 +0000 (UTC) Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.12273.1783688925296239023 for ; Fri, 10 Jul 2026 06:08:45 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=kETpNx4v; spf=pass (domain: cisco.com, ip: 173.37.86.75, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=2768; q=dns/txt; s=iport01; t=1783688925; x=1784898525; h=from:to:subject:date:message-id:mime-version: content-transfer-encoding; bh=f2BocryYHJH5e6jIn00jU3SJmuBsL4QB6XOvDC8blwg=; b=kETpNx4voa6ZrXocaxMLHA/Mur7yyO5JTgpai//ZxdLo+V4qTwHZX+Ns kd8P1Ky9nUKSpaPI9hzoFGJILNTPwUAfVFsIcjVjPUqFC/iwAPh4y15Fc TPkRs3A6qQFK4Fu80RCxJh1B95jSuUtK6cGOAVXpe9xlZirWst/Ko38wA A5m37KW8SwMyLXqva456G9sIM8s9gsvbSQx8G/c8/IsmgMZx1HpOBJy9C 1+QYbg4YIzzgoSIyKye3DwJk1Iid39rK4wRMgshyO5FJTfddoV+q9lwKT hrKQs9XXwYXYu1Z2C+yBmoKNI5B98cGpnRXD0ADq4BNFnXC034lbhIXH1 Q==; X-CSE-ConnectionGUID: IwBN4XVOQdm5mBSQbh1RJQ== X-CSE-MsgGUID: K3z9YcCrRpmbq8nggzGH3w== X-IPAS-Result: A0BFAgA+7VBq/4v/Ja1aglmCV3RfQkmUKYIhi2eSN4F+DwEBAQ9EDQQBAYQ/jhUCJjQJDgECBAMCAwEBAQEBAQEBAQEBCwEBBQEBAQIBBwWBDhOGTw2GWgEtCwEYAVkDAQJPCyMhgwIBgjoDNgIBEblNGjeBeTOBAYMoAT8CQ1DYSQ2CWAELFAGBOIU/gnyFI1sYAYR8JxsbgXKEfoEFgRpCAQGBJ4EGhXgEgiKBDIFaHoUHimtIgR4DWSwBVRMNCgsHBYFmAzUSKhVuMh2BIz4XgQwbBwWBHYFZgQKEeSMfAzl/gTB1SnktcxIeCoFSghZUAwsYDUgRLDcUGwQ+bgeNPhcPgj6BDiyBQxGmTqAecQoog3WMIY8+hXwaM6psC5h9jgqECZJHhGmBaDyBKB8LB3AVgm4BMwlKGQ+OOINrgX/MWyQ1AgkyAQEHAgcOAwuBaJAAgX4BAQ IronPort-Data: A9a23:O/tQm6wysij5CWv9WgZ6t+dmxyrEfRIJ4+MujC+fZmUNrF6WrkUDz mZLDWrQPv7eYjGmKdt2YIXnoE0P75WEyIMyGgZt/FhgHilAwSbn6Xt1DatR0we6dJCroJdPt p1GAjX4BJlqCCea/VH1buSJQUBUjcmgXqD7BPPPJhd/TAplTDZJoR94kobVuKYw6TSCK13L4 46aT/H3Ygf/hWYrajJMsspvlTs21BjMkGJA1rABTagjUG/2zxE9EJ8ZLKetGHr0KqE8NvK6X evK0Iai9Wrf+Ro3Yvv9+losWhRXKlJ6FVHmZkt+A8BOsDAbzsAB+vpT2M4nVKtio27hc+adZ zl6ncfYpQ8BZsUgkQmGOvVSO3kW0aZuoNcrLZUj2CCe5xWuTpfi/xlhJGApF6tEythQOG1Lq PkyEwkHbkm5pdvjldpXSsE07igiBNPgMIVavjRryivUSK58B5vCWK7No9Rf2V/chOgXQq2YP JVfM2cyKk2bMnWjOX9PYH46tOuli2P2bz1fgFmUvqEwpWPUyWSd1ZCwaIWFI4fQHZo9ckCwh TnUrlXyKQsgLNmV0GqD/X2+qc+UgnauMG4VPPjinhJwu3WU3mEVBRgcWFe3rPX8gUmkVvpbK lcI4WwptaU0+UmhQ9XxUhH+p2SL1iPwQPJKGOE8rQXIwa3O7kPBXC4PTyVKb5ots8peqSEW6 2JlVujBXVRH2IB5g1rHnltIhVte4RQoEFI= IronPort-HdrOrdr: A9a23:lrOFsqoww5GNXkp6rJa46zAaV5obeYIsimQD101hICG9Ffbo9f xG88506faZslsssRIb6LO90cu7IE80nKQdieJ6AV7IZmbbUQWTQL2KlbGD/xTQXwvj6+Vaya BsN4J6CNH2EBxGqPyS2njcLz7lq+P3l5xBQozlvhNQcT0= X-Talos-CUID: 9a23:rkNsEmkRFk/ohYMKPKvssPU5izjXOVzC5lGME3GfMGpsFbi/cmaa+PpesfM7zg== X-Talos-MUID: 9a23:+9Xclgqv9Et9+sL5KjwezxI5JpZZ6I+0MlgIm4xWvcaLJwNQYCjI2Q== X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,154,1779148800"; d="scan'208";a="507813207" Received: from rcdn-l-core-02.cisco.com ([173.37.255.139]) by rcdn-iport-4.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 10 Jul 2026 13:08:44 +0000 Received: from sjc-ads-3552.cisco.com (sjc-ads-3552.cisco.com [171.68.249.250]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-02.cisco.com (Postfix) with ESMTPS id 4670A18000206 for ; Fri, 10 Jul 2026 13:08:44 +0000 (GMT) Received: by sjc-ads-3552.cisco.com (Postfix, from userid 1795984) id E8B3FCC2EC3; Fri, 10 Jul 2026 06:08:43 -0700 (PDT) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose][PATCH 03/10] expat: fix CVE-2026-56404 Date: Fri, 10 Jul 2026 06:08:37 -0700 Message-ID: <20260710130837.2820614-1-deeratho@cisco.com> X-Mailer: git-send-email 2.53.0 MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;sjc-ads-3552.cisco.com [171.68.249.250];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.68.249.250, sjc-ads-3552.cisco.com X-Outbound-Node: rcdn-l-core-02.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 13:08:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240643 From: Deepak Rathore This patch applies the upstream fix shown in [1] as referenced by [2]. [1] https://github.com/libexpat/libexpat/commit/babfc48090977cbf7be24b2c48f6053dca75c164 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-56404 Signed-off-by: Deepak Rathore diff --git a/meta/recipes-core/expat/expat/CVE-2026-56404.patch b/meta/recipes-core/expat/expat/CVE-2026-56404.patch new file mode 100644 index 0000000000..8c72838f68 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56404.patch @@ -0,0 +1,46 @@ +From 8cb4583ac3204175a03c8ea8e371adee583b0bec Mon Sep 17 00:00:00 2001 +From: netliomax25-code +Date: Thu, 28 May 2026 12:44:11 +0530 +Subject: [PATCH] lib: protect function addBinding from signed integer overflow + +CVE: CVE-2026-56404 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/babfc48090977cbf7be24b2c48f6053dca75c164] + +(cherry picked from commit babfc48090977cbf7be24b2c48f6053dca75c164) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 53f842d1..33b92c9c 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -4485,6 +4485,10 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, + } + + for (len = 0; uri[len]; len++) { ++ /* Detect and prevent signed integer overflow */ ++ if (len == INT_MAX) { ++ return XML_ERROR_NO_MEMORY; ++ } + if (isXML && (len > xmlLen || uri[len] != xmlNamespace[len])) + isXML = XML_FALSE; + +@@ -4525,8 +4529,13 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, + if (isXMLNS) + return XML_ERROR_RESERVED_NAMESPACE_URI; + +- if (parser->m_namespaceSeparator) ++ if (parser->m_namespaceSeparator) { ++ /* Detect and prevent signed integer overflow */ ++ if (len == INT_MAX) { ++ return XML_ERROR_NO_MEMORY; ++ } + len++; ++ } + if (parser->m_freeBindingList) { + b = parser->m_freeBindingList; + if (len > b->uriAlloc) { +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb index 267e7db35b..affc134285 100644 --- a/meta/recipes-core/expat/expat_2.7.5.bb +++ b/meta/recipes-core/expat/expat_2.7.5.bb @@ -13,6 +13,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56403_p1.patch;striplevel=2 \ file://CVE-2026-56403_p2.patch;striplevel=2 \ file://CVE-2026-56408.patch;striplevel=2 \ + file://CVE-2026-56404.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Fri Jul 10 13:08:51 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92182 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1D849C44501 for ; Fri, 10 Jul 2026 13:09:20 +0000 (UTC) Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.12287.1783688953637093122 for ; Fri, 10 Jul 2026 06:09:13 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=DffnlgJM; spf=pass (domain: cisco.com, ip: 173.37.86.76, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=2301; q=dns/txt; s=iport01; t=1783688953; x=1784898553; h=from:to:subject:date:message-id:mime-version: content-transfer-encoding; bh=o/u8ubR6r+ZfEq8NWdxU/6u8LxpCee66MRJaM3EDvvc=; b=DffnlgJMUoqolgTQQovr2U+8GkO66KrF8fCpseMwdvbuWdqzaVzsRWOh 8tghDTrB6oYLxBl6FgwIXmXGgKZ+XxnjP99S5FPfmCL8CdCZP+b8yF1FT m6D1PNEZxUOWmeLDSTmlC7TyjBJUfArxesbU3pbrPBdVh20/UfTLhxixr +88hYlWvZ7o7kvQs8EnTRIJgj2MMzTTV79WejaCrizX4EoTiqbEmF/c5k pRxebeY6aI252TweCGvC0L6CQJtAnXymfDnNuIvEd0UiL08qnkggaHedp bvO4ERLLyws/GVbh1F1O31UgLf8aWiiAdQUwF4eGOEloLkgtoY4HUaPl2 A==; X-CSE-ConnectionGUID: gDGHLtoNSsOxn3bocuI43A== X-CSE-MsgGUID: d6YLlyQRRJWvKQr2juHk3g== X-IPAS-Result: A0BDAgBH7lBq/4v/Ja1aHgEBCxIMggULgld0X0JJlCmOCJI3gX4PAQEBD0QNBAEBhD9GjU8CJjQJDgECBAMCAwEBAQEBAQEBAQEBCwEBBQEBAQIBBwWBDhOGTw2GWgE4ARgBWQMBAk8LIyGDAgGCOgM2AgERuT8aN4IsgQGDKAE/AkNQ2EkNglgBCxQBgTiFP4J8hSNbGAGEfCcbG4FygRQBg2mBBYEaQgEBggYnhXgEgiKBDIFaHoUHimtIgR4DWSwBVRMNCgsHBYFmAzUSKhVuMh2BIz4XgQwbBwWBHYFZgQKEeSMfAzl/gTB1SnktcxIeCoFSghZUAwsYDUgRLDcUGwQ+bgeNPhcPgj6BDiyBQxGkLYIhoB5xCiiDdYwhjz6FfBozqmwLmH2OCoQJkkeEaYFoPIEoHwsHcBWCbgEzCUoZD444g2uBf8xbJDUCCTIBAQcCBw4DC4FokX4BAQ IronPort-Data: A9a23:gHa7uKgr8TaypGadcgkCDH4/X161MREKZh0ujC45NGQN5FlHY01je htvDTqOP/yLYDamL4sjbomz80sFvJLVnYcxTFFq+CFjQ3hjpJueD7x1DKtf0wB+jyHnZBg6h ynLQoCYdKjYdleF+FH1dOOn9SUgvU2xbuKUIPbePSxsThNTRi4kiBZy88Y0mYcAbeKRW2thg vus5ZeCULOZ82QsaDxMtPrT8EoHUMna4Vv0gHRvPZing3eG/5UlJMp3Db28KXL+Xr5VEoaSL 87fzKu093/u5BwkDNWoiN7TKiXmlZaLYGBiIlIPM0STqkAqSh4ai87XB9JAAatjsAhlqvgqo Dl7WTNcfi9yVkHEsLx1vxC1iEiSN4UekFPMCSDXXcB+UyQqflO0q8iCAn3aMqUX1slXJX1J0 8cDDyALNRqEjP+XnOmSH7wEasQLdKEHPasFsX1miDWcBvE8TNWbGePB5MRT23E7gcUm8fT2P pVCL2EwKk6dPlsWYQZ/5JEWxI9EglHzfjBCoU6VooI84nPYy0p6172F3N/9J4TVFJgNxhvIz o7A12inMzUeJeWl8xi67FGVnLXNgAP4A41HQdVU8dYv2jV/3Fc7DwUbU1a+q/S1hkOyHtlYM UE8/is1sbN081SmSNT4VRC0rHOI+BkGVLJt//YS8gqBzO/Qpg2eHGVBFmQHY909v8hwTjsvv rOUo+7U6fVUmOX9YRqgGn288lte5QB9wbc+WBI5 IronPort-HdrOrdr: A9a23:qTTnw6DheT5CJ5vlHemc55DYdb4zR+YMi2TDsHoBKyC9Hfb3qy nDppkmPHzP+VUssRMb+OxoUZPoKRi3yXcf2+Ys1NmZMDUOwFHJEKhSqa3/3jbnByryssRZ1a tmbuxCLeeYNykesS4/izPIdOrJB7K8gcSVuds= X-Talos-CUID: 9a23:n3vHW27UD4hcpSdyq9ss+2I7OuQ5dVvm11DAJRSyDm10aeHOYArF X-Talos-MUID: 9a23:+AvuKAz8zcACI6yiuRrTyFt832SaqKjwOWQJgKw8geu7Kw9JIW2fkRS0GYByfw== X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,154,1779148800"; d="scan'208";a="507950058" Received: from rcdn-l-core-02.cisco.com ([173.37.255.139]) by rcdn-iport-5.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 10 Jul 2026 13:09:02 +0000 Received: from sjc-ads-3552.cisco.com (sjc-ads-3552.cisco.com [171.68.249.250]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-02.cisco.com (Postfix) with ESMTPS id B4E5018000369 for ; Fri, 10 Jul 2026 13:09:02 +0000 (GMT) Received: by sjc-ads-3552.cisco.com (Postfix, from userid 1795984) id 62551CC2EC3; Fri, 10 Jul 2026 06:09:02 -0700 (PDT) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose][PATCH 04/10] expat: fix CVE-2026-56405 Date: Fri, 10 Jul 2026 06:08:51 -0700 Message-ID: <20260710130852.2820953-1-deeratho@cisco.com> X-Mailer: git-send-email 2.53.0 MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;sjc-ads-3552.cisco.com [171.68.249.250];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.68.249.250, sjc-ads-3552.cisco.com X-Outbound-Node: rcdn-l-core-02.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 13:09:20 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240644 From: Deepak Rathore This patch applies the upstream fix shown in [1] as referenced by [2]. [1] https://github.com/libexpat/libexpat/commit/2c6c42d33689f6b266a5267b639e03cde17e53c0 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-56405 Signed-off-by: Deepak Rathore diff --git a/meta/recipes-core/expat/expat/CVE-2026-56405.patch b/meta/recipes-core/expat/expat/CVE-2026-56405.patch new file mode 100644 index 0000000000..c850801c1a --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56405.patch @@ -0,0 +1,32 @@ +From 73209f445f0265b203829fa7873caa78ca83cefe Mon Sep 17 00:00:00 2001 +From: netliomax25-code +Date: Fri, 29 May 2026 11:45:17 +0530 +Subject: [PATCH] lib: Protect function getAttributeId from signed integer + overflow + +CVE: CVE-2026-56405 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/2c6c42d33689f6b266a5267b639e03cde17e53c0] + +(cherry picked from commit 2c6c42d33689f6b266a5267b639e03cde17e53c0) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 1b7e289f..ec707336 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -7324,6 +7324,10 @@ getAttributeId(XML_Parser parser, const ENCODING *enc, const char *start, + } else { + int i; + for (i = 0; name[i]; i++) { ++ /* Detect and prevent signed integer overflow */ ++ if (i == INT_MAX) { ++ return NULL; ++ } + /* attributes without prefix are *not* in the default namespace */ + if (name[i] == XML_T(ASCII_COLON)) { + int j; +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb index affc134285..578d745e61 100644 --- a/meta/recipes-core/expat/expat_2.7.5.bb +++ b/meta/recipes-core/expat/expat_2.7.5.bb @@ -14,6 +14,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56403_p2.patch;striplevel=2 \ file://CVE-2026-56408.patch;striplevel=2 \ file://CVE-2026-56404.patch;striplevel=2 \ + file://CVE-2026-56405.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Fri Jul 10 13:09:11 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92183 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 38732C43458 for ; Fri, 10 Jul 2026 13:09:50 +0000 (UTC) Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.12203.1783688980176535799 for ; Fri, 10 Jul 2026 06:09:40 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=ajxUPyR4; spf=pass (domain: cisco.com, ip: 173.37.86.76, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=4723; q=dns/txt; s=iport01; t=1783688980; x=1784898580; h=from:to:subject:date:message-id:mime-version: content-transfer-encoding; bh=6nVBRE92YAj4bGXzdgG1XkJNFx443QrcSmRSH8mD0io=; b=ajxUPyR4qsMRFOj54out26DayqR7XYTivuO3kLwSIFvQ9obI4mNabxEN lGz4RS+YSu78A6LM5cNuh4Cuifi+3qQi6S9LGomrdwLgIUUxe1h8wxo+E LZZsowtLB6HBujpMXmYuR795P4nA3d1xyR2h1oJ9TUvC6VRW5tF31+gcC b056iGTgcqVA2atBVifg1Q7ZWU5KT9qpzVK6K++Im1Q2G4auLFFng/Adn SWVLXFC9pxWNmn9LeD+UGXuFJHso3thfzrRPNZx3Vb6GT5rMpkaRd+cms +4ZrpmWeDOyq/eLJeIRuVbkBJu7puvqqZqNq1KO5v6DzskXxXPQz4Gh4c Q==; X-CSE-ConnectionGUID: uN8eyn76SCewZBolz0Y7sA== X-CSE-MsgGUID: NFcn46oGRTiVSJJbsdzwWg== X-IPAS-Result: A0BDAgBH7lBq/4r/Ja1aglmCV3RfQkmUKY4IkjeBfg8BAQEPRA0EAQGEP44VAiY0CQ4BAgQDAgMBAQEBAQEBAQEBAQsBAQUBAQECAQcFgQ4Thk8NhloBOAEYAVkDAQJPCyMhgwIBgjoDNgIBEbk/GjeCLIEBgygBPwJDUNhJDYJYAQsUAYE4hT+CfIUjWxgBhHwnGxuBcoR+gQWBGkIBAYglBIIigQyBWh6FB4prSIEeA1ksAVUTDQoLBwWBZgM1EioVbjIdgSM+F4EMGwcFgR2BWYEChHkjHwM5f4EwdUp5LXMSHgqBUoIWVAMLGA1IESw3FBsEPm4HjT4XD4I+gQ4sgUMRpk6gHnEKKIN1jCGPPoV8GjOqbAuYfY4KhAmSR4RpgWg8gSgfCwdwFYJuATMJShkPjjiDa4F/zFskNQIJMgEBBwIHDgMLgWiRfgEB IronPort-Data: A9a23:ae0c3qoov7XxYZc094WhOZBpFG1eBmJJZBIvgKrLsJaIsI4StFCzt garIBnQPvqOZTTwLtFyb96/9RwBvcfTyNRqHAs6+3w8ECkW9OPIVI+TRqvS04x+DSFioGZPt Zh2hgzodZhsJpPkjk7zdOCn9j8kif3gqoPUUIbsIjp2SRJvVBAvgBdin/9RqoNziLBVOSvV0 T/Ji5OZYgLNNwJcaDpOtfrc8EM35ZwehRtB1rAATaET1LPhvyF94KI3fcmZM3b+S49IKe+2L 86r5K255G7Q4yA2AdqjlLvhGmVSKlIFFVHT4pb+c/HKbilq/kTe4I5iXBYvQRs/ZwGyojxE4 I4lWapc5useFvakdOw1C3G0GszlVEFM0OevzXOX6aR/w6BaGpfh660GMa04AWEX0vtRUWxf8 6NGExsAcSKpgOakmIPkUcA506zPLOGzVG8ekmtrwTecCbMtRorOBv2To9RZxzw3wMtJGJ4yZ eJANmEpN0uGOUASfA5MWPrSn8/w7pX7WzFVpUicuaowy2PS1wd2lrPqNbI5f/TXHZoEwx7D/ z2uE2LRJD8RMoDBzhW/znOSvc3tlzj3Sp0tG+jtnhJtqBjJroAJMzURTVa9rPyzh0KyVt4aI EsO9wIqrLMu7wqsVtT7UhiyrXKIsxJaXMBfe9DW8ymXwabSpgLcDW8eQ3sZMZottdQ9Qnoh0 Vrhc87VOAGDeYa9ERq1nop4ZxvrUcTJBQfuvRM5cDY= IronPort-HdrOrdr: A9a23:b8EMZKnLUlhtvvAm0L+1Bz34NIzpDfIc3DAbv31ZSRFFG/Fw8P re/sjzuiWbtN98YhwdcLO7Scq9qBHnlKKdiLN5VdzJYOCMggSVxe9ZgbcKuweBJwTOsshAyK xnb69yTPf0DVR8kILGxTPQKadE/DFCm5rY4ts3CBxWPGVXV50= X-Talos-CUID: 9a23:6zqQkGPXokRlAO5DRQ83+V8SRZ4eWXDC/l3XJ13gODlyYejA X-Talos-MUID: 9a23:g/QS3AyeFcgSR7vDw48DhhVuA9CaqIKAA0ZRz5IpgfWFCxdSGT2GgCaofYByfw== X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,154,1779148800"; d="scan'208";a="507950317" Received: from rcdn-l-core-01.cisco.com ([173.37.255.138]) by rcdn-iport-5.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 10 Jul 2026 13:09:39 +0000 Received: from sjc-ads-3552.cisco.com (sjc-ads-3552.cisco.com [171.68.249.250]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-01.cisco.com (Postfix) with ESMTPS id 45BDA180001CD for ; Fri, 10 Jul 2026 13:09:39 +0000 (GMT) Received: by sjc-ads-3552.cisco.com (Postfix, from userid 1795984) id E6FF4CC2EC3; Fri, 10 Jul 2026 06:09:38 -0700 (PDT) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose][PATCH 05/10] expat: fix CVE-2026-56410 Date: Fri, 10 Jul 2026 06:09:11 -0700 Message-ID: <20260710130912.2821509-1-deeratho@cisco.com> X-Mailer: git-send-email 2.53.0 MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;sjc-ads-3552.cisco.com [171.68.249.250];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.68.249.250, sjc-ads-3552.cisco.com X-Outbound-Node: rcdn-l-core-01.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 13:09:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240645 From: Deepak Rathore These patches apply the upstream fixes shown in [1] and [2], as referenced by [3]. [1] https://github.com/libexpat/libexpat/commit/deeb97f7c88d17a16b0ea2521a13733abc283347 [2] https://github.com/libexpat/libexpat/commit/cee20e91bf14dc7f6d2fc48f0d70d86b2dc3afea [3] https://nvd.nist.gov/vuln/detail/CVE-2026-56410 Signed-off-by: Deepak Rathore diff --git a/meta/recipes-core/expat/expat/CVE-2026-56410_p1.patch b/meta/recipes-core/expat/expat/CVE-2026-56410_p1.patch new file mode 100644 index 0000000000..30fb59b2a3 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56410_p1.patch @@ -0,0 +1,48 @@ +From 759b77a8439bcbf57c86900bc472d46d8ef70c92 Mon Sep 17 00:00:00 2001 +From: netliomax25-code +Date: Fri, 29 May 2026 17:51:25 +0530 +Subject: [PATCH] xmlwf: protect resolveSystemId from integer overflow + +CVE: CVE-2026-56410 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/deeb97f7c88d17a16b0ea2521a13733abc283347] + +Backport Changes: +- Adapt the allocation hunk to the explicit cast used by Expat 2.7.5 and + include stdint.h for SIZE_MAX. + +(cherry picked from commit deeb97f7c88d17a16b0ea2521a13733abc283347) +Signed-off-by: Deepak Rathore +--- + expat/xmlwf/xmlfile.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/expat/xmlwf/xmlfile.c b/expat/xmlwf/xmlfile.c +index c4eb839f..31a40209 100644 +--- a/expat/xmlwf/xmlfile.c ++++ b/expat/xmlwf/xmlfile.c +@@ -42,6 +42,7 @@ + #include "expat_config.h" + + #include ++#include + #include + #include + #include +@@ -138,8 +139,13 @@ resolveSystemId(const XML_Char *base, const XML_Char *systemId, + #endif + ) + return systemId; +- *toFree = (XML_Char *)malloc((tcslen(base) + tcslen(systemId) + 2) +- * sizeof(XML_Char)); ++ const size_t charsRequired = tcslen(base) + tcslen(systemId) + 2; ++ ++ /* Detect and prevent integer overflow */ ++ if (charsRequired > SIZE_MAX / sizeof(XML_Char)) ++ return systemId; ++ ++ *toFree = malloc(charsRequired * sizeof(XML_Char)); + if (! *toFree) + return systemId; + tcscpy(*toFree, base); +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat/CVE-2026-56410_p2.patch b/meta/recipes-core/expat/expat/CVE-2026-56410_p2.patch new file mode 100644 index 0000000000..63d574f591 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56410_p2.patch @@ -0,0 +1,40 @@ +From f16fa442eaa81bfceec5302d977219959eaac7b7 Mon Sep 17 00:00:00 2001 +From: netliomax25-code +Date: Sat, 30 May 2026 11:28:51 +0530 +Subject: [PATCH] xmlwf: guard each operator in resolveSystemId length sum + +CVE: CVE-2026-56410 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/cee20e91bf14dc7f6d2fc48f0d70d86b2dc3afea] + +(cherry picked from commit cee20e91bf14dc7f6d2fc48f0d70d86b2dc3afea) +Signed-off-by: Deepak Rathore +--- + expat/xmlwf/xmlfile.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/expat/xmlwf/xmlfile.c b/expat/xmlwf/xmlfile.c +index 31a40209..15c69217 100644 +--- a/expat/xmlwf/xmlfile.c ++++ b/expat/xmlwf/xmlfile.c +@@ -139,9 +139,17 @@ resolveSystemId(const XML_Char *base, const XML_Char *systemId, + #endif + ) + return systemId; +- const size_t charsRequired = tcslen(base) + tcslen(systemId) + 2; ++ const size_t baseLen = tcslen(base); ++ const size_t systemIdLen = tcslen(systemId); + +- /* Detect and prevent integer overflow */ ++ /* Detect and prevent integer overflow in the addition (without risking ++ underflow) */ ++ if (baseLen > SIZE_MAX - systemIdLen || baseLen > SIZE_MAX - systemIdLen - 2) ++ return systemId; ++ ++ const size_t charsRequired = baseLen + systemIdLen + 2; ++ ++ /* Detect and prevent integer overflow in the multiplication */ + if (charsRequired > SIZE_MAX / sizeof(XML_Char)) + return systemId; + +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb index 578d745e61..dcccc7597e 100644 --- a/meta/recipes-core/expat/expat_2.7.5.bb +++ b/meta/recipes-core/expat/expat_2.7.5.bb @@ -15,6 +15,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56408.patch;striplevel=2 \ file://CVE-2026-56404.patch;striplevel=2 \ file://CVE-2026-56405.patch;striplevel=2 \ + file://CVE-2026-56410_p1.patch;striplevel=2 \ + file://CVE-2026-56410_p2.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Fri Jul 10 13:09:50 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92184 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1CDB7C43458 for ; Fri, 10 Jul 2026 13:10:20 +0000 (UTC) Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.12314.1783689017776947249 for ; Fri, 10 Jul 2026 06:10:17 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=TUGvEd/9; spf=pass (domain: cisco.com, ip: 173.37.86.74, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=5187; q=dns/txt; s=iport01; t=1783689017; x=1784898617; h=from:to:subject:date:message-id:mime-version: content-transfer-encoding; bh=VA4NHcGfDOPgI7W5AH1ZibIQ7KRQNAL/Ltfxi1/+DKk=; b=TUGvEd/94sNrGg1D3IG2DEpfgMqppX8FsxAD4lDJc0JUcv4WRYm1FRa0 ai4NdD1PpQer7fCaDaoxOwtTj6Y97uNsbG680p6CzJchw9Bp3D7Pr7k37 ge0ksIeQnsUmoCh36tDVYZDzli4saFdVAQgcRHhB6dn1AXN28EnEGfTrr iUFQUMO6h//4Ae0DOM4SyubdVaar8CwbXJxElt92nzFXo0M8CaA16UIXd FD97qwc/sYVY4p6tS3qyfCaWn/9iaJbt9k7w6RE0+jlfKSZWfb0HMb5G7 uN64q4WPzyg9PRCNTbuc0I1XYboKnCng6/KwUiAUAzpBCt5ptlofP068M A==; X-CSE-ConnectionGUID: 9DnJ8i8IS5esSVQ3BGhAAA== X-CSE-MsgGUID: hFw5ALUjThe5mIkqYRr2Uw== X-IPAS-Result: A0BFAgBH7lBq/5L/Ja1aglmCV3RfQkmUKYIhi2eSN4F+DwEBAQ9EDQQBAYQ/jhUCJjQJDgECBAMCAwEBAQEBAQEBAQEBCwEBBQEBAQIBBwWBDhOGTw2GWgEtCwEYAVkDAQJPCyMhgwIBgjoDNgIBEbk/GjeBeTOBAYMoAT8CQ1DYSQ2CWAELFAGBOIU/gnyFI1sYAYR8JxsbgXKBFYNpgQWBGkIBAYFChmMEgiKBDIFaHlCEN4prSIEeA1ksAVUTDQoLBwWBZgM1EioVbjIdgSM+F4EMGwcFgR2BWYEChHkjHwM5f4EwdUp5LXMSHgqBUoIWVAMLGA1IESw3FBsEPm4HjT4XD4I9AQEwXSx7CpQ4kmWgHnEKKIN1jCGPPoV8GjOqbAuYfY4KhAmSR4RpgWg8gSgfCwdwFYJuATMJShkPjjiDa4F/zFskNQIJMgEBBwIHDgMLgWiRfgEB IronPort-Data: A9a23:7tevMK8MHmCd7NCR1A6LDrUD0X+TJUtcMsCJ2f8bNWPcYEJGY0x3y WcbXD3SPqvba2D1eNp+PoS+pkMPuMWGnN9hHlZkrS1EQiMRo6IpJzg2wmQcns+2BpeeJK6yx 5xGMrEsFOhtEDmE4EzrauS9xZVF/fngbqLmD+LZMTxGSwZhSSMw4TpugOdRbrRA2bBVOCvT/ 4mvyyHjEAX9gWAsbTpEs/vrRC5H5ZwehhtJ5jTSWtgT1LPuvyF9JI4SI6i3M0z5TuF8dsamR /zOxa2O5WjQ+REgELuNyt4XpWVTH9Y+lSDX4pZnc/DKbipq/0Te4Y5nXBYoUnq7vh3S9zxHJ HqhgrTrIeshFvWkdO3wyHC0GQkmVUFN0OevzXRSLaV/wmWeG0YAzcmCA2lnEYs6qucnIFoT+ OcjFglWRD+DrsuflefTpulE3qzPLeHxN48Z/3UlxjbDALN+ENbIQr7B4plT2zJYasJmRKmFI ZFGL2AyMVKZP0Mn1lQ/UPrSmM+ki3TleiFYr3qepLE85C7YywkZPL3FbYKFIILbFZwP9qqej mLo4DnQJiwYCNySlD+k8WudvPWVoDyuDer+E5X9rJaGmma7wXQeDhATX1a3rfS1z0W5Qd93L 00P5jFoqrA/8kGuRNTxUxC05nmesXYht8F4CeY27kSJj6HT+QvcXjlCRT9aY9tgv8gzLdA36 mK0cxrSLWQHmNWopbi1r994cRva1fApEFI/ IronPort-HdrOrdr: A9a23:Cj/vG6uBcQVpmfbOeBPOoW7y7skDRtV00zEX/kB9WHVpm6uj5q KTdZsguyMc5Ax9ZJhCo6HiBEDjexLhHPdOiOF7V4tKNzOIhILHFu1fBPPZowHIKmnZ6vNX07 tmfuxVDd39CkU/sOPBiTPIdurJBLK8gceVbSC09QYIcT1X X-Talos-CUID: 9a23:YRXM2muUxSQVrXom2RBgHDdY6It0Xnv/nHaAAnTlBH1SdoTOY3CQ0YpNxp8= X-Talos-MUID: 9a23:xyV9lwZsTG/ObOBTtxHz2RhGCcVU46nzDWEOiKQ8oZO5Knkl X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,154,1779148800"; d="scan'208";a="508269812" Received: from rcdn-l-core-09.cisco.com ([173.37.255.146]) by rcdn-iport-3.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 10 Jul 2026 13:10:16 +0000 Received: from sjc-ads-3552.cisco.com (sjc-ads-3552.cisco.com [171.68.249.250]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-09.cisco.com (Postfix) with ESMTPS id B460B18000204 for ; Fri, 10 Jul 2026 13:10:16 +0000 (GMT) Received: by sjc-ads-3552.cisco.com (Postfix, from userid 1795984) id 627C4CC2EC3; Fri, 10 Jul 2026 06:10:16 -0700 (PDT) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose][PATCH 06/10] expat: fix CVE-2026-56406 Date: Fri, 10 Jul 2026 06:09:50 -0700 Message-ID: <20260710130950.2822099-1-deeratho@cisco.com> X-Mailer: git-send-email 2.53.0 MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;sjc-ads-3552.cisco.com [171.68.249.250];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.68.249.250, sjc-ads-3552.cisco.com X-Outbound-Node: rcdn-l-core-09.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 13:10:20 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240646 From: Deepak Rathore This patch applies the upstream fix shown in [1] as referenced by [3]. The prerequisite in [2] provides XML_INDEX_MAX for the Expat 2.7.5 backport. [1] https://github.com/libexpat/libexpat/commit/99d8454fdf900a6d00c2a52748e6c0eeb507574d [2] https://github.com/libexpat/libexpat/commit/252ff1a307b1490ce0f430632791e7e52d7e43fd [3] https://nvd.nist.gov/vuln/detail/CVE-2026-56406 Signed-off-by: Deepak Rathore diff --git a/meta/recipes-core/expat/expat/CVE-2026-56406-dependent.patch b/meta/recipes-core/expat/expat/CVE-2026-56406-dependent.patch new file mode 100644 index 0000000000..c1303029e2 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56406-dependent.patch @@ -0,0 +1,57 @@ +From 4f828b7ee9d6efef618e8a99a0392acbb95e84f2 Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez +Date: Wed, 27 May 2026 17:01:44 -0700 +Subject: [PATCH] lib: Make `XML_Index` overflow check more intuitive + +In fixing a bug, 7e5b71b748491b6e459e5c9a1d090820f94544d8 introduced a +magic number `2` in this code that made it difficult to understand the +rationale for this overflow check without reading the commit log. This +change introduces some more readable constants to use in these +situations. + +CVE: CVE-2026-56406 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/252ff1a307b1490ce0f430632791e7e52d7e43fd] + +(cherry picked from commit 252ff1a307b1490ce0f430632791e7e52d7e43fd) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 96127bf8..5ecea7a8 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -101,7 +101,7 @@ + #include + #include /* memset(), memcpy() */ + #include +-#include /* INT_MAX, UINT_MAX */ ++#include /* INT_MAX, LLONG_MAX, LONG_MAX, UINT_MAX */ + #include /* fprintf */ + #include /* getenv, rand_s */ + #include /* SIZE_MAX, uintptr_t */ +@@ -209,6 +209,12 @@ typedef char ICHAR; + + #endif + ++#ifdef XML_LARGE_SIZE ++# define XML_INDEX_MAX LLONG_MAX ++#else ++# define XML_INDEX_MAX LONG_MAX ++#endif ++ + /* Round up n to be a multiple of sz, where sz is a power of 2. */ + #define ROUND_UP(n, sz) (((n) + ((sz) - 1)) & ~((sz) - 1)) + +@@ -2395,7 +2401,7 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) { + int nLeftOver; + enum XML_Status result; + /* Detect overflow (a+b > MAX <==> b > MAX-a) */ +- if ((XML_Size)len > ((XML_Size)-1) / 2 - parser->m_parseEndByteIndex) { ++ if (len > XML_INDEX_MAX - parser->m_parseEndByteIndex) { + parser->m_errorCode = XML_ERROR_NO_MEMORY; + parser->m_eventPtr = parser->m_eventEndPtr = NULL; + parser->m_processor = errorProcessor; +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat/CVE-2026-56406.patch b/meta/recipes-core/expat/expat/CVE-2026-56406.patch new file mode 100644 index 0000000000..0305f05552 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56406.patch @@ -0,0 +1,36 @@ +From 6e52f18aded0a76cf89f191d7810bc04287f5337 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 31 May 2026 15:18:58 +0200 +Subject: [PATCH] lib: Copy overflow check from `XML_Parse` to + `XML_ParseBuffer` + +CVE: CVE-2026-56406 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/99d8454fdf900a6d00c2a52748e6c0eeb507574d] + +(cherry picked from commit 99d8454fdf900a6d00c2a52748e6c0eeb507574d) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 5ecea7a8..71fe2c79 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -2518,6 +2518,14 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) { + parser->m_parsingStatus.parsing = XML_PARSING; + } + ++ // Detect and avoid integer overflow ++ if (len > XML_INDEX_MAX - parser->m_parseEndByteIndex) { ++ parser->m_errorCode = XML_ERROR_NO_MEMORY; ++ parser->m_eventPtr = parser->m_eventEndPtr = NULL; ++ parser->m_processor = errorProcessor; ++ return XML_STATUS_ERROR; ++ } ++ + start = parser->m_bufferPtr; + parser->m_positionPtr = start; + parser->m_bufferEnd += len; +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb index dcccc7597e..fa9a8bc100 100644 --- a/meta/recipes-core/expat/expat_2.7.5.bb +++ b/meta/recipes-core/expat/expat_2.7.5.bb @@ -17,6 +17,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56405.patch;striplevel=2 \ file://CVE-2026-56410_p1.patch;striplevel=2 \ file://CVE-2026-56410_p2.patch;striplevel=2 \ + file://CVE-2026-56406-dependent.patch;striplevel=2 \ + file://CVE-2026-56406.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Fri Jul 10 13:10:23 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92185 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 200A9C43458 for ; Fri, 10 Jul 2026 13:10:30 +0000 (UTC) Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.12233.1783689029208696099 for ; Fri, 10 Jul 2026 06:10:29 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=ZQIl/jSX; spf=pass (domain: cisco.com, ip: 173.37.86.76, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=3049; q=dns/txt; s=iport01; t=1783689029; x=1784898629; h=from:to:subject:date:message-id:mime-version: content-transfer-encoding; bh=OXQdt9FjmIXo247evAxp03GUAvsEVCIZce+oVfoz9yw=; b=ZQIl/jSXMg1tOd6pc9/o3ArDvYXtjZqAUKbtL210IS0LpzC64KrLJEUv SpjnILOMfQA38NIT0mrzU4IEaRfwob/EKyEuBLQjmZML5s53aqRj1xk4j z5nRH/0JDwm0c1NYdGKnCt9AZ+CaW9f0qc2Hxq0jIh89em3PgWpweOVab GkhFWvhoZjVsE51zbhLf4Ozt/hQGPK1zke9WLkX2AbQ9WvSq5YbetIl+t ioELRLkgL4jtM2PDr1D2QQ0W1XTKGbdc3nwxvNJB3WLe8aYVM+3FMcin+ SoJEzJ+ZDFcH+zDu026s/mpich8g31fS24un5byvYWsmnL9FahVli4fB1 w==; X-CSE-ConnectionGUID: MkST4RwcTIOb/EJeTAoyiQ== X-CSE-MsgGUID: FqihLhYTSoOBFWZ/SFzQdA== X-IPAS-Result: A0BDAgBH7lBq/47/Ja1aglmCV3RfQkmUKY4IkjeBfg8BAQEPRA0EAQGEP44VAiY0CQ4BAgQDAgMBAQEBAQEBAQEBAQsBAQUBAQECAQcFgQ4Thk8NhloBOAEYAVkDAQJPCyMhgwIBgjoDNgIBEbk/GjeCLIEBgygBPwJDUNhJDYJYAQsUAYE4hT+CfIUjWxgBhHwnGxuBcoR+gQWBGkIBAYglBIIigQyBWh6FB4prSIEeA1ksAVUTDQoLBwWBZgM1EioVbjIdgSM+F4EMGwcFgR2BWYEChHkjHwM5f4EwdUp5LXMSHgqBUoIWVAMLGA1IESw3FBsEPm4HjT4XD4I+gQ4sgUMRpk6gHnEKKIN1jCGPPoV8GjOqbAuYfY4KhAmSR4RpgWg8gSgfCwdwFYJuATMJShkPjjiDa4F/zFskNQIJMgEBBwIHDgMLgWiRfgEB IronPort-Data: A9a23:ZMV+mK+tQPVXnb6Zzyy+DrUD0X+TJUtcMsCJ2f8bNWPcYEJGY0x3z zdJWzuPM6qPZGHweN5+aY/i/EIPuZaBz4AwQAZsqytEQiMRo6IpJzg2wmQcns+2BpeeJK6yx 5xGMrEsFOhtEDmE4EzrauS9xZVF/fngbqLmD+LZMTxGSwZhSSMw4TpugOdRbrRA2bBVOCvT/ 4mvyyHjEAX9gWAsbTpEs/vrRC5H5ZwehhtJ5jTSWtgT1LPuvyF9JI4SI6i3M0z5TuF8dsamR /zOxa2O5WjQ+REgELuNyt4XpWVTH9Y+lSDX4pZnc/DKbipq/0Te4Y5nXBYoUnq7vh3S9zxHJ HqhgrTrIeshFvWkdO3wyHC0GQkmVUFN0OevzXRSLaV/wmWeG0YAzcmCA2kTPrYkptxoCl1v0 vZfBRIAUjmEluOPlefTpulE3qzPLeHxN48Z/3UlxjbDALN+HNbIQr7B4plT2zJYasJmRKmFI ZFGL2AyMVKZP0cn1lQ/UPrSmM+ki3TleiFYr3qepLE85C7YywkZPL3FbYKKK4HSG5UM9qqej kzf/mTdAiAmD9u44xS6wDWXqP32kQquDer+E5X9rJaGmma7wXQeDhATX1a3rfS1z0W5Qd93L 00P5jFoqrA/8kGuRNTxUxC05nmesXYht8F4CeY27kSJj6HT+QvcXjVCRT9aY9tgv8gzLdA36 mK0cxrSLWQHmNWopbi1rN94cRva1fApEFI/ IronPort-HdrOrdr: A9a23:1EKPR63A5NzN4dq8goqdMgqjBIIkLtp133Aq2lEZdPUzSL37qy nAppomPHPP5Qr5O0tQ+uxoWpPgfZq0z/cciuMs1NyZMzUO1lHFEGgb1+vf6gylPTHi/ehA0q olWa1/BNrsSWVet6/BkWyF+xJK+qjhzEhu7t2uq0tQcQ== X-Talos-CUID: 9a23:NRJheWOAOR0Ype5DfSpcyBIuBcsZU1rXi1ryLnORDndocejA X-Talos-MUID: 9a23:mHB+jAlDO3W4kqpHP3mvdnpMLcZox6SfNHsKtr8ohPvDDgJiAju02WE= X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,154,1779148800"; d="scan'208";a="507950681" Received: from rcdn-l-core-05.cisco.com ([173.37.255.142]) by rcdn-iport-5.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 10 Jul 2026 13:10:28 +0000 Received: from sjc-ads-3552.cisco.com (sjc-ads-3552.cisco.com [171.68.249.250]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-05.cisco.com (Postfix) with ESMTPS id 57E4B180000B4 for ; Fri, 10 Jul 2026 13:10:28 +0000 (GMT) Received: by sjc-ads-3552.cisco.com (Postfix, from userid 1795984) id 0600CCC2EC3; Fri, 10 Jul 2026 06:10:28 -0700 (PDT) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose][PATCH 07/10] expat: fix CVE-2026-56409 Date: Fri, 10 Jul 2026 06:10:23 -0700 Message-ID: <20260710131023.2822931-1-deeratho@cisco.com> X-Mailer: git-send-email 2.53.0 MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;sjc-ads-3552.cisco.com [171.68.249.250];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.68.249.250, sjc-ads-3552.cisco.com X-Outbound-Node: rcdn-l-core-05.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 13:10:30 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240647 From: Deepak Rathore This patch applies the upstream fix shown in [1] as referenced by [2]. [1] https://github.com/libexpat/libexpat/commit/61f7cdda22546c4bee38dd2d3fa3d6e4aa64d33e [2] https://nvd.nist.gov/vuln/detail/CVE-2026-56409 Signed-off-by: Deepak Rathore diff --git a/meta/recipes-core/expat/expat/CVE-2026-56409.patch b/meta/recipes-core/expat/expat/CVE-2026-56409.patch new file mode 100644 index 0000000000..a24ce369be --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56409.patch @@ -0,0 +1,52 @@ +From 10938bc2cef7573087566b5b1c948061baa68b98 Mon Sep 17 00:00:00 2001 +From: netliomax25-code +Date: Mon, 1 Jun 2026 11:53:19 +0530 +Subject: [PATCH] xmlwf: protect output path join from integer overflow + +CVE: CVE-2026-56409 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/61f7cdda22546c4bee38dd2d3fa3d6e4aa64d33e] + +Backport Changes: +- Adapt the allocation hunk to the explicit cast used by Expat 2.7.5. + +(cherry picked from commit 61f7cdda22546c4bee38dd2d3fa3d6e4aa64d33e) +Signed-off-by: Deepak Rathore +--- + expat/xmlwf/xmlwf.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/expat/xmlwf/xmlwf.c b/expat/xmlwf/xmlwf.c +index 06416454..6a0a707a 100644 +--- a/expat/xmlwf/xmlwf.c ++++ b/expat/xmlwf/xmlwf.c +@@ -1236,8 +1236,26 @@ tmain(int argc, XML_Char **argv) { + } + #endif + } +- outName = (XML_Char *)malloc((tcslen(outputDir) + tcslen(file) + 2) +- * sizeof(XML_Char)); ++ const size_t outputDirLen = tcslen(outputDir); ++ const size_t fileLen = tcslen(file); ++ ++ /* Detect and prevent integer overflow in the addition (without ++ risking underflow) and the multiplication, mirroring the guards ++ in xcsdup() and resolveSystemId() */ ++ if (outputDirLen > SIZE_MAX - fileLen ++ || outputDirLen > SIZE_MAX - fileLen - 2) { ++ tperror(T("Could not allocate memory")); ++ exit(XMLWF_EXIT_INTERNAL_ERROR); ++ } ++ ++ const size_t charsRequired = outputDirLen + fileLen + 2; ++ ++ if (charsRequired > SIZE_MAX / sizeof(XML_Char)) { ++ tperror(T("Could not allocate memory")); ++ exit(XMLWF_EXIT_INTERNAL_ERROR); ++ } ++ ++ outName = malloc(charsRequired * sizeof(XML_Char)); + if (! outName) { + tperror(T("Could not allocate memory")); + exit(XMLWF_EXIT_INTERNAL_ERROR); +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb index fa9a8bc100..a71e2f8cba 100644 --- a/meta/recipes-core/expat/expat_2.7.5.bb +++ b/meta/recipes-core/expat/expat_2.7.5.bb @@ -19,6 +19,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56410_p2.patch;striplevel=2 \ file://CVE-2026-56406-dependent.patch;striplevel=2 \ file://CVE-2026-56406.patch;striplevel=2 \ + file://CVE-2026-56409.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Fri Jul 10 13:10:36 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92186 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1D499C43458 for ; Fri, 10 Jul 2026 13:10:50 +0000 (UTC) Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.12239.1783689045090750577 for ; Fri, 10 Jul 2026 06:10:45 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=RdI6zQF9; spf=pass (domain: cisco.com, ip: 173.37.86.77, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=2797; q=dns/txt; s=iport01; t=1783689045; x=1784898645; h=from:to:subject:date:message-id:mime-version: content-transfer-encoding; bh=foK+iJbwW/MX8RFNwp3bXUh2kLlDbYKYQAADl/Pz3EI=; b=RdI6zQF9mn21+spgM3l44t/xHCCQgsxNNrrafCq+tSKrtZ+mSR8U1jIM EcSZCGkLNhgwyo7PO5j8vth6DJZ/UhXaeVzDd6VnL9XLtwZR+oR8YZOeA BYaCtWigocZGqrH4xh1eLKHe4nQh8u7KsQepxaVq8NefEFHQUOkSjzPLH p1zL9Whu/lTgY6giYSu93rnQ/Pk0yRbnwW5uH/Gvh2oZED/84KhXPQH68 W1phA76bj2qu8sPyvcYpffl9WXcg06wHhx+MctqJK2mIjH056t+VBor/S N2TbFpKmpOBxsMqgyxuhGB89ay8cXQZwQ/AL7UTAfyPzpIZTHhQVd0dlT A==; X-CSE-ConnectionGUID: xcv3UPWoTmiX8r8nXl0W0w== X-CSE-MsgGUID: seJYOqZMQ++2fmuTVMzhHw== X-IPAS-Result: A0BFAgBH7lBq/5X/Ja1aglmCV3RfQkmUKYIhi2eSN4F+DwEBAQ9EDQQBAYQ/jhUCJjQJDgECBAMCAwEBAQEBAQEBAQEBCwEBBQEBAQIBBwWBDhOGTw2GWgEtCwEYAVkDAQJPCyMhgwIBgjoDNgIBEbk/GjeBeTOBAYMoAT8CQ1DYSQ2CWAELFAGBOIU/gnyFI1sYAYR8JxsbgXKBFYNpgQWBGkIBAYIthXgEgiKBDIFaHoIOgnmKa0iBHgNZLAFVEw0KCwcFgWYDNRIqFW4yHYEjPheBDBsHBYEdgVmBAoR5Ix8DOX+BMHVKeS1zEh4KgVKCFlQDCxgNSBEsNxQbBD5uB40+Fw+CPoEOLIFDEaZOoB5xCiiDdYwhjz6FfBozqmwLmH2OCoQJkkeEaYFoPIEoHwsHcBU7gjMBMwlKGQ+OLQsLg2CBf8xbJDUCCTIBAQcCBw4DC4FokR5gAQE IronPort-Data: A9a23:CMfAV6DlAwFCUxVW/3jiw5YqxClBgxIJ4kV8jS/XYbTApDorgzIOn GVODWCGbKrYYzH8Ltp0YI63pEoPu5KHy9M2OVdlrnsFo1CmBibm6XV1Cm+qYkt+++WaFBoPA /02M4eGdIZvCCeA+n9BC5C5xVFkz6aEW7HgP+DNPyF1VGdMRTwo4f5Zs7ZRbrVA357jXmthh fuo+5eBYAD9i2YtWo4pw/vrRC1H7ayaVAww5jTSVdgT1HfCmn8cCo4oJK3ZBxPQXolOE+emc P3Ixbe/83mx109F5gSNy+uTnuUiG9Y+DCDW4pZkc/HKbitq+kTe5p0G2M80Mi+7vdkmc+dZk 72hvbToIesg0zaldO41C3G0GAkmVUFKFSOuzXWX6aSuI0P6n3TE0/5wV3wOAook/+dHUXse8 8wccA9VcUXW7w626OrTpuhEnM8vKozveYgYoHwllGufBvc9SpeFSKLPjTNa9G5v3YYVQrCEO pdfMGY+BPjDS0Un1lM/BJ8zhu60hn7XeDxDo1XTrq0yi4TW5FEpj+exaoaKILRmQ+1Ok2Spg Xv02l26QUsUMcGj9x+X8lKz07qncSTTHdh6+KeD3vlyjVuew2YeBBEbWR6wpuO0okq/QM5Eb UsM9ywjqKI/+ECmQp/6RRLQnZKflgQXV9wVF6gx7xuAj/OOpQ2YHWMDCDVGbbTKqfMLeNDj7 XfR9/uBONClmOT9pa61nltMkQ6PBA== IronPort-HdrOrdr: A9a23:pTrhiqzOFADNaAv6oo7CKrPwR71zdoMgy1knxilNoHNuHr36qy nDpp906faLsllhOk3I8OroUJVoKkmwlaKdj7N6XIufYA== X-Talos-CUID: 9a23:3b3lR2qXRr90749trfXRW3vmUdAubCbg9EjXH0q5OTZzGLulTQevoLwxxg== X-Talos-MUID: 9a23:OoJcLwWMJlVqEwXq/CThpgBFLfVN2uftUk4IjKk4ntuEFTMlbg== X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,154,1779148800"; d="scan'208";a="507742472" Received: from rcdn-l-core-12.cisco.com ([173.37.255.149]) by rcdn-iport-6.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 10 Jul 2026 13:10:44 +0000 Received: from sjc-ads-3552.cisco.com (sjc-ads-3552.cisco.com [171.68.249.250]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-12.cisco.com (Postfix) with ESMTPS id 16AAD180001C9 for ; Fri, 10 Jul 2026 13:10:44 +0000 (GMT) Received: by sjc-ads-3552.cisco.com (Postfix, from userid 1795984) id B8EF6CC2EC3; Fri, 10 Jul 2026 06:10:43 -0700 (PDT) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose][PATCH 08/10] expat: fix CVE-2026-56411 Date: Fri, 10 Jul 2026 06:10:36 -0700 Message-ID: <20260710131036.2823247-1-deeratho@cisco.com> X-Mailer: git-send-email 2.53.0 MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;sjc-ads-3552.cisco.com [171.68.249.250];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.68.249.250, sjc-ads-3552.cisco.com X-Outbound-Node: rcdn-l-core-12.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 13:10:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240648 From: Deepak Rathore This patch applies the upstream fix shown in [1] as referenced by [2]. [1] https://github.com/libexpat/libexpat/commit/528a4e5017e1bd3b48b689fd0c131df940ae3ea5 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-56411 Signed-off-by: Deepak Rathore diff --git a/meta/recipes-core/expat/expat/CVE-2026-56411.patch b/meta/recipes-core/expat/expat/CVE-2026-56411.patch new file mode 100644 index 0000000000..e1d7faab33 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56411.patch @@ -0,0 +1,46 @@ +From e447d5d72884a1246894f111a5b72de4e479152e Mon Sep 17 00:00:00 2001 +From: netliomax25-code +Date: Tue, 2 Jun 2026 13:13:34 +0530 +Subject: [PATCH] xmlwf: protect notation list allocation from integer overflow + +CVE: CVE-2026-56411 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/528a4e5017e1bd3b48b689fd0c131df940ae3ea5] + +(cherry picked from commit 528a4e5017e1bd3b48b689fd0c131df940ae3ea5) +Signed-off-by: Deepak Rathore +--- + expat/xmlwf/xmlwf.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/expat/xmlwf/xmlwf.c b/expat/xmlwf/xmlwf.c +index 6a0a707a..a9640190 100644 +--- a/expat/xmlwf/xmlwf.c ++++ b/expat/xmlwf/xmlwf.c +@@ -383,9 +383,9 @@ static void XMLCALL + endDoctypeDecl(void *userData) { + XmlwfUserData *data = (XmlwfUserData *)userData; + NotationList **notations; +- int notationCount = 0; ++ size_t notationCount = 0; + NotationList *p; +- int i; ++ size_t i; + + /* How many notations do we have? */ + for (p = data->notationListHead; p != NULL; p = p->next) +@@ -395,6 +395,13 @@ endDoctypeDecl(void *userData) { + goto cleanUp; + } + ++ /* Detect and prevent integer overflow in the multiplication, mirroring ++ the guards in xcsdup() and resolveSystemId() */ ++ if (notationCount > SIZE_MAX / sizeof(NotationList *)) { ++ fprintf(stderr, "Unable to sort notations"); ++ goto cleanUp; ++ } ++ + notations = malloc(notationCount * sizeof(NotationList *)); + if (notations == NULL) { + fprintf(stderr, "Unable to sort notations"); +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb index a71e2f8cba..c093e99e2b 100644 --- a/meta/recipes-core/expat/expat_2.7.5.bb +++ b/meta/recipes-core/expat/expat_2.7.5.bb @@ -20,6 +20,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56406-dependent.patch;striplevel=2 \ file://CVE-2026-56406.patch;striplevel=2 \ file://CVE-2026-56409.patch;striplevel=2 \ + file://CVE-2026-56411.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Fri Jul 10 13:10:52 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92187 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1DE38C43458 for ; Fri, 10 Jul 2026 13:11:10 +0000 (UTC) Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.12335.1783689065849504214 for ; Fri, 10 Jul 2026 06:11:06 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=Gr3ZyBet; spf=pass (domain: cisco.com, ip: 173.37.86.78, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=2848; q=dns/txt; s=iport01; t=1783689065; x=1784898665; h=from:to:subject:date:message-id:mime-version: content-transfer-encoding; bh=kW2L57ST6aO1m2rcd50xLU4QjyT9i+Cf2wTEnEp54Lk=; b=Gr3ZyBet6rize0t/rBrW6KQQyJ6TDtfU/sdwQuu3KKLQbJ9VjkRqtVNU hL0fknKNBR7AsNdXcBoTREkvr8dhmHqzXNJ58u3rlpZaEiMEyMin4tFvy DBOHpq4u0BNhX/T0WPKIzoorU8jdNKkrcNWDjmHzKORE2hhwH21f5M8Ig +pDndpcpPHawIV7O5GuRvQlY4yRsu5UydgYuXkEaHS8tekXqnv3xEuuIV WAvphOBmHSOHIMzKMBMH0qFhufcjnaKQMUp9+QYdrCIITWCs4CIlpJKw8 6xYBKVqaweiTuEF0d1WAes61Y+PvDAhiQ9rinCebmvluPeata6NgW02zv g==; X-CSE-ConnectionGUID: NzNqJV5xSFWLv8rM8yYdPw== X-CSE-MsgGUID: kw2OpUDtSpq09IKsvwxxlw== X-IPAS-Result: A0BEAgBH7lBq/4z/Ja1aglmCV3RfQkmUKY4IkjeBfg8BAQEPRA0EAQGEP44VAiY0CQ4BAgQDAgMBAQEBAQEBAQEBAQsBAQUBAQECAQcFgQ4Thk8NhloBLQsBGAFZAwECTwsjIYMCAYI6AzYCARG5Pxo3gXkzgQGDKAE/AkNQ2EkNglgBCxQBgTiFP4J8hSNbGAGEfCcbG4FyhH6BBYEaQgEBgi2FeASCIoEMgVoehQeKa0iBHgNZLAFVEw0KCwcFgWYDNRIqFW4yHYEjPheBDBsHBYEdgVmBAoR5Ix8DOX+BMHVKeS1zEh4KgVKCFlQDCxgNSBEsNxQbBD5uB40+Fw+CPoEOLIFDpl+gHnEKKIN1jCGPPoV8GjOqbAuYfY4KhAmSR4RpgWg8gSgfCwdwFYJuATMJShkPjjiDa4F/zFskNQIJMgEBBwIHDgMLgWiRfgEB IronPort-Data: A9a23:Hq/hCaIhBqr8HTZ9FE+RgJQlxSXFcZb7ZxGr2PjKsXjdYENS0TJVm DFNDTyBb/+KNmXwKY11atm+p0oCuJeAzIAwTQAd+CA2RRqmiyZq6fd1j6vUF3nPRiEWZBs/t 63yUvGZcoZsCCSa/kvxWlTYhSEU/bmSQbbhA/LzNCl0RAt1IA8skhsLd9QR2uaEuvDnRVnQ0 T/Oi5eHYgH9hGYkajt8B5+r8XuDgtyj4Fv0gXRmDRx7lAe2v2UYCpsZOZawIxPQKqFIHvS3T vr017qw+GXU5X8FUrtJRZ6iLyXm6paLVeS/oiI+t5qK23CulQRuukoPD8fwXG8M49m/c3+d/ /0W3XC4YV9B0qQhA43xWTEAe811FfUuFLMqvRFTvOTLp3AqfUcAzN1IHmcvH7NF6t1ZPkVQp eY9eCE8Yiic0rfeLLKTEoGAh+w5J8XteYdasXZ6wHSBVrAtQIvIROPB4towMDUY358VW62BI ZBENHw2MEyojx5nYj/7DLoykeqyj2X/dBVTqUmeouw85G27IAlZjeCyaISOIoLaLSlTtkWH/ EXewkjlOQkDbI2+6iGb7WK8gvCayEsXX6pXTtVU7MVCh0WewGEWAhAaWVa35PK+kEOWX9NEN 1dS/TIjq6U3/kGnQtTxGRqirxa5UgU0QdFcFag+rQqK0KeRu13fDWkfRTkHY9sj3CMreQEXO payt4uBLVRSXHe9EBpxKp/8QeuOBBUo IronPort-HdrOrdr: A9a23:/HfcUatTwQsBuMe3U6NmR85s7skDRtV00zEX/kB9WHVpm6uj5q KTdZsguyMc5Ax9ZJhCo6HiBEDjexLhHPdOiOF7V4tKNzOIhILHFu1fBPPZowHIKmnZ6vNX07 tmfuxVDd39CkU/sOPBiTPIdurJBLK8gceVbSC09QYIcT1X X-Talos-CUID: 9a23:FP8xgmqkhVMQQ4qg9R2/qQzmUeY3VGT/8irAGGGHLXg5UpjFWG6cwLwxxg== X-Talos-MUID: 9a23:TlFPEQ8AzlVHES/WVqKy9zeQf8R3uYO2NWwRqo0f45ilFjduJCeNiCviFw== X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,154,1779148800"; d="scan'208";a="507063068" Received: from rcdn-l-core-03.cisco.com ([173.37.255.140]) by rcdn-iport-7.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 10 Jul 2026 13:11:04 +0000 Received: from sjc-ads-3552.cisco.com (sjc-ads-3552.cisco.com [171.68.249.250]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-03.cisco.com (Postfix) with ESMTPS id BE7FF180001D9 for ; Fri, 10 Jul 2026 13:11:04 +0000 (GMT) Received: by sjc-ads-3552.cisco.com (Postfix, from userid 1795984) id 6BFA3CC2EC3; Fri, 10 Jul 2026 06:11:04 -0700 (PDT) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose][PATCH 09/10] expat: fix CVE-2026-56407 Date: Fri, 10 Jul 2026 06:10:52 -0700 Message-ID: <20260710131052.2824071-1-deeratho@cisco.com> X-Mailer: git-send-email 2.53.0 MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;sjc-ads-3552.cisco.com [171.68.249.250];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.68.249.250, sjc-ads-3552.cisco.com X-Outbound-Node: rcdn-l-core-03.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 13:11:10 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240649 From: Deepak Rathore This patch applies the upstream fix shown in [1] as referenced by [2]. [1] https://github.com/libexpat/libexpat/commit/30c2fc179ce5d2b1b1bae30bbe0dfddeac894e13 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-56407 Signed-off-by: Deepak Rathore diff --git a/meta/recipes-core/expat/expat/CVE-2026-56407.patch b/meta/recipes-core/expat/expat/CVE-2026-56407.patch new file mode 100644 index 0000000000..075d38ec7d --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56407.patch @@ -0,0 +1,43 @@ +From 7216b3584bcfb2d415026d16b8902ee7eacad5ca Mon Sep 17 00:00:00 2001 +From: netliomax25-code +Date: Tue, 2 Jun 2026 11:59:01 +0530 +Subject: [PATCH] cap entity textLen against signed integer overflow + +CVE: CVE-2026-56407 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/30c2fc179ce5d2b1b1bae30bbe0dfddeac894e13] + +(cherry picked from commit 30c2fc179ce5d2b1b1bae30bbe0dfddeac894e13) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 71fe2c79..8e90fea8 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -5684,6 +5684,10 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + parser, enc, s + enc->minBytesPerChar, next - enc->minBytesPerChar, + XML_ACCOUNT_NONE); + if (parser->m_declEntity) { ++ /* Detect and prevent signed integer overflow */ ++ if ((size_t)poolLength(&dtd->entityValuePool) > (size_t)INT_MAX) { ++ return XML_ERROR_NO_MEMORY; ++ } + parser->m_declEntity->textPtr = poolStart(&dtd->entityValuePool); + parser->m_declEntity->textLen + = (int)(poolLength(&dtd->entityValuePool)); +@@ -7099,6 +7103,11 @@ storeSelfEntityValue(XML_Parser parser, ENTITY *entity) { + return XML_ERROR_NO_MEMORY; + } + ++ /* Detect and prevent signed integer overflow */ ++ if ((size_t)poolLength(pool) > (size_t)INT_MAX) { ++ poolDiscard(pool); ++ return XML_ERROR_NO_MEMORY; ++ } + entity->textPtr = poolStart(pool); + entity->textLen = (int)(poolLength(pool)); + poolFinish(pool); +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb index c093e99e2b..ef5c415a2d 100644 --- a/meta/recipes-core/expat/expat_2.7.5.bb +++ b/meta/recipes-core/expat/expat_2.7.5.bb @@ -21,6 +21,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56406.patch;striplevel=2 \ file://CVE-2026-56409.patch;striplevel=2 \ file://CVE-2026-56411.patch;striplevel=2 \ + file://CVE-2026-56407.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Fri Jul 10 13:11:11 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92188 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 22151C43458 for ; Fri, 10 Jul 2026 13:11:30 +0000 (UTC) Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.12341.1783689085435381743 for ; Fri, 10 Jul 2026 06:11:25 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=R4U+sasi; spf=pass (domain: cisco.com, ip: 173.37.86.79, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=16203; q=dns/txt; s=iport01; t=1783689085; x=1784898685; h=from:to:subject:date:message-id:mime-version: content-transfer-encoding; bh=suYy9eq3ozY/R2GPawzt4OM11jD/pJKugm/fnt5zo8E=; b=R4U+sasiJnGNDrPEJY+k1Z5HjJZgnFac53NaOVZFs+5FL3CcfEIHvFfI 5KMcAVHAf7miMk6dVQRDpOo9dFutp/mBL3vT4asLe1UohOt6ViZWkdN3z k3A5OB0FKpiDirEJ4K55ZHNU6Jgbv7Gs0jgugZ1hRlqjEJopXtF/nKwqi DIGID7gtezY5UaCaGr0CBnvLuYBpyq4Oi+LAB4pZydaU2pgY7hjVSvFuX IrVtEm2GwcC5jpdosoBaP+YFY/ljr3IvtFGfFET5f7oLfj6tIgmg5eqjh rCwAx15yn3budrp+lUamQPVbBY1qCaC10o0TvBY0AJ1ySpxPaTDwGCFxI g==; X-CSE-ConnectionGUID: OUTkyJGQTAG+gE2O8G4qqg== X-CSE-MsgGUID: J5nGJ7WkSiCPIqY277IBsA== X-IPAS-Result: A0BJAgDT7lBq/47/Ja1aglmCV3RfQisehFeBcI1igiGLZ5I3gX4PAQEBD0QNBAEBhD+OFQImNAkOAQIEAwIDAQEBAQEBAQEBAQELAQEFAQEBAgEHBYEOE4ZPDYZaASkECwEYARs+AwECAwImAiILIxgJgwIBgjoDNgIBCAm5SBo3en8zgQGDKAE/AkNQ2EkNglgBCxQBgQouhT+CfCABhQJbGAGEfCcbG4FygRWDaYEFgRpCAQGFO4JqBIINFYEMgVoeg2+BGII6iDFIgQIcA1ksAVUTDQoLBwWBZgM1EioVbjIdgSM+FzRYGwcFgR2BWYEChHkjHwM5f4EwdUp5LXMSHgqBUoIWVAMLGA1IESw3FBsEPQFuB40+Fw+CHg4LBgEBfg8IAwkXAYFDOgE9P5JnCpI3oB5xCiiDdYwhjz6FfBozhVulEQuYfY4KhAmDU44MMTeEaYFoPIEoHwsHcBWCbgEzCUoZD444g2uBf4MUyUckNQIJMgEBBwIHDgMLgWiRfgEB IronPort-Data: A9a23:iQebM6+3tMRAEDxgS3+3DrUD0X+TJUtcMsCJ2f8bNWPcYEJGY0x3z DNKWm2HPf6MNmb1ftl1atjipx4OsMCAzYcxGwdppSlEQiMRo6IpJzg2wmQcns+2BpeeJK6yx 5xGMrEsFOhtEDmE4EzrauS9xZVF/fngbqLmD+LZMTxGSwZhSSMw4TpugOdRbrRA2bBVOCvT/ 4mvyyHjEAX9gWAsbTpEs/vrRC5H5ZwehhtJ5jTSWtgT1LPuvyF9JI4SI6i3M0z5TuF8dsamR /zOxa2O5WjQ+REgELuNyt4XpWVTH9Y+lSDX4pZnc/DKbipq/0Te4Y5nXBYoUnq7vh3S9zxHJ HqhgrTrIeshFvWkdO3wyHC0GQkmVUFN0OevzXRSLaV/wmWeG0YAzcmCA2kRALEb68RYOF1n2 r8XBWoqPj/fnvu5lefTpulE3qzPLeHxN48Z/3UlxjbDALN+HNbIQr7B4plT2zJYasJmRKmFI ZFGL2AyMVKZP0cn1lQ/UPrSmM+ki3TleiFYr3qepLE85C7YywkZPL3FbIuEJobQH5sI9qqej kCb+UvbXS4ZD9208Rucwyjz2c7lhgquDer+E5X9rJaGmma7wXQeDhATX1a3rfS1z0W5Qd93L 00P5jFoqrA/8kGuRNTxUxC05nmesXYht8F4CeY27kSJj6HT+QvcXjVCRT9aY9tgv8gzLdA36 mK0cxrSLWQHmNWopbi1rN94cRva1fApEFI/ IronPort-HdrOrdr: A9a23:eyWQIa+LRaKeKVxln8duk+DuI+orL9Y04lQ7vn2ZLiYlF/Bw9v re/sjzuiWbtN98YhwdcLO7Scq9qBHnlKKdiLN5VdzJYOCMggSVxe9ZgbcKuweBJwTOsshAyK xnb69yTPf0DVR8kILGxTPQKadF/DFCm5rY49s3CBxWPGZXV50= X-Talos-CUID: 9a23:K1bMO2OEB91L1u5DfxRb9182NfkZW1Kew1qKBB+XVX9wR+jA X-Talos-MUID: 9a23:7Qz+9At0lu/gI4e1Ts2npmxkG+U33KeVCWs1sIw34ZbbFAZrEmLI X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,154,1779148800"; d="scan'208";a="499422265" Received: from rcdn-l-core-05.cisco.com ([173.37.255.142]) by rcdn-iport-8.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 10 Jul 2026 13:11:24 +0000 Received: from sjc-ads-3552.cisco.com (sjc-ads-3552.cisco.com [171.68.249.250]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-05.cisco.com (Postfix) with ESMTPS id 2E0D21800022A for ; Fri, 10 Jul 2026 13:11:24 +0000 (GMT) Received: by sjc-ads-3552.cisco.com (Postfix, from userid 1795984) id D0803CC2EC3; Fri, 10 Jul 2026 06:11:23 -0700 (PDT) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose][PATCH 10/10] expat: fix CVE-2026-56132 Date: Fri, 10 Jul 2026 06:11:11 -0700 Message-ID: <20260710131117.2824700-1-deeratho@cisco.com> X-Mailer: git-send-email 2.53.0 MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;sjc-ads-3552.cisco.com [171.68.249.250];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 171.68.249.250, sjc-ads-3552.cisco.com X-Outbound-Node: rcdn-l-core-05.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 13:11:30 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240650 From: Deepak Rathore These patches apply the upstream fix shown in [2], its prerequisite [1], the regression test in [3], and the follow-up cleanups in [4] and [5], as referenced by [6]. [1] https://github.com/libexpat/libexpat/commit/3a4eaf47af8fd7abda38ea2c08308c91152061f3 [2] https://github.com/libexpat/libexpat/commit/58400483d7c97be316d7a77739c0a6af5d55932e [3] https://github.com/libexpat/libexpat/commit/353919b3b9f2174073a557ac7d517a5f3cd0cbbf [4] https://github.com/libexpat/libexpat/commit/bca93b4ba9e15fd84425568d772b69baebf790e4 [5] https://github.com/libexpat/libexpat/commit/08baa7ef9d168b99094249998fd78f8d190526e5 [6] https://nvd.nist.gov/vuln/detail/CVE-2026-56132 Signed-off-by: Deepak Rathore diff --git a/meta/recipes-core/expat/expat/CVE-2026-56132_p1.patch b/meta/recipes-core/expat/expat/CVE-2026-56132_p1.patch new file mode 100644 index 0000000000..de4c2ea482 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56132_p1.patch @@ -0,0 +1,89 @@ +From 2e5920edcbc77bf29ce8575bd38ed2886408f4af Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez +Date: Thu, 4 Jun 2026 17:01:02 -0700 +Subject: [PATCH] lib: Remove reuse of `m_groupSize` to count `m_scaffIndex` + allocation + +The sizes of the two arrays `m_groupConnector` and `scaffIndex` need to +vary independently. This change is a step towards allowing this. + +Anthropic: ANT-2026-00037 +Anthropic: ANT-2026-03621 +Anthropic: ANT-2026-03867 +Co-authored-by: Alessandro Gario + +CVE: CVE-2026-56132 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/3a4eaf47af8fd7abda38ea2c08308c91152061f3] + +(cherry picked from commit 3a4eaf47af8fd7abda38ea2c08308c91152061f3) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 8e90fea8..d4864af8 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -424,6 +424,7 @@ typedef struct { + unsigned scaffCount; + int scaffLevel; + int *scaffIndex; ++ size_t scaffIndexSize; + } DTD; + + enum EntityType { +@@ -5995,7 +5996,6 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ + #if UINT_MAX >= SIZE_MAX + if (parser->m_groupSize > SIZE_MAX / sizeof(int)) { +- parser->m_groupSize /= 2; + return XML_ERROR_NO_MEMORY; + } + #endif +@@ -6003,10 +6003,10 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + int *const new_scaff_index = REALLOC( + parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int)); + if (new_scaff_index == NULL) { +- parser->m_groupSize /= 2; + return XML_ERROR_NO_MEMORY; + } + dtd->scaffIndex = new_scaff_index; ++ dtd->scaffIndexSize = parser->m_groupSize; + } + } else { + parser->m_groupConnector = MALLOC(parser, parser->m_groupSize = 32); +@@ -7587,6 +7587,7 @@ dtdCreate(XML_Parser parser) { + + p->in_eldecl = XML_FALSE; + p->scaffIndex = NULL; ++ p->scaffIndexSize = 0; + p->scaffold = NULL; + p->scaffLevel = 0; + p->scaffSize = 0; +@@ -7627,6 +7628,7 @@ dtdReset(DTD *p, XML_Parser parser) { + + FREE(parser, p->scaffIndex); + p->scaffIndex = NULL; ++ p->scaffIndexSize = 0; + FREE(parser, p->scaffold); + p->scaffold = NULL; + +@@ -7801,6 +7803,7 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, + newDtd->scaffSize = oldDtd->scaffSize; + newDtd->scaffLevel = oldDtd->scaffLevel; + newDtd->scaffIndex = oldDtd->scaffIndex; ++ newDtd->scaffIndexSize = oldDtd->scaffIndexSize; + + return 1; + } /* End dtdCopy */ +@@ -8331,6 +8334,7 @@ nextScaffoldPart(XML_Parser parser) { + dtd->scaffIndex = MALLOC(parser, parser->m_groupSize * sizeof(int)); + if (! dtd->scaffIndex) + return -1; ++ dtd->scaffIndexSize = parser->m_groupSize; + dtd->scaffIndex[0] = 0; + } + +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat/CVE-2026-56132_p2.patch b/meta/recipes-core/expat/expat/CVE-2026-56132_p2.patch new file mode 100644 index 0000000000..8d99d35e9b --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56132_p2.patch @@ -0,0 +1,62 @@ +From 2b6ebe08e4b6b3dd4d0f4f197dac18eecef16e6e Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez +Date: Thu, 4 Jun 2026 17:01:02 -0700 +Subject: [PATCH] lib: doProlog: Fix out-of-bound scaffolding index store +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The scaffold backing array is reallocated using the caller parser’s +per-parser `m_groupSize`, but the DTD struct (which carries +`scaffIndex`) is shared between a parent parser and any external +parameter-entity sub-parser created via +`XML_ExternalEntityParserCreate(parent, NULL, …)`. A sub-parser whose +group nesting is shallower than the parent’s can `REALLOC` the shared +`scaffIndex` down to its own size; when the parent resumes and parses a +deeper element content model, its bounds check passes (its private +`m_groupSize` is still large enough), the doubling-grow path is skipped, +and the next write lands past the shrunken buffer. + +Anthropic: ANT-2026-00037 +Anthropic: ANT-2026-03621 +Anthropic: ANT-2026-03867 +Co-authored-by: Alessandro Gario +Reported-by: Trail of Bits, in collaboration with Anthropic + +CVE: CVE-2026-56132 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/58400483d7c97be316d7a77739c0a6af5d55932e] + +(cherry picked from commit 58400483d7c97be316d7a77739c0a6af5d55932e) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index d4864af8..b528c9bc 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -6022,6 +6022,21 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + if (myindex < 0) + return XML_ERROR_NO_MEMORY; + assert(dtd->scaffIndex != NULL); ++ if ((size_t)dtd->scaffLevel >= dtd->scaffIndexSize) { ++ /* Detect and prevent integer overflow */ ++ if (dtd->scaffIndexSize > SIZE_MAX / 2 / sizeof(int)) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ assert(dtd->scaffIndexSize > 0); ++ const size_t new_size = dtd->scaffIndexSize * 2; ++ int *const new_scaff_index ++ = REALLOC(parser, dtd->scaffIndex, new_size * sizeof(int)); ++ if (new_scaff_index == NULL) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ dtd->scaffIndex = new_scaff_index; ++ dtd->scaffIndexSize = new_size; ++ } + dtd->scaffIndex[dtd->scaffLevel] = myindex; + dtd->scaffLevel++; + dtd->scaffold[myindex].type = XML_CTYPE_SEQ; +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat/CVE-2026-56132_p3.patch b/meta/recipes-core/expat/expat/CVE-2026-56132_p3.patch new file mode 100644 index 0000000000..9c690c2a4f --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56132_p3.patch @@ -0,0 +1,76 @@ +From 22805ecc87ba8f66b693220442408a6f7c7e741d Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez +Date: Thu, 4 Jun 2026 17:01:02 -0700 +Subject: [PATCH] tests: Add a test case for scaffolding array limits in shared + DTDs + +This test case provokes the bug fixed in the previous commit. + +Anthropic: ANT-2026-00037 +Anthropic: ANT-2026-03621 +Anthropic: ANT-2026-03867 +Co-authored-by: Alessandro Gario +Reported-by: Trail of Bits, in collaboration with Anthropic + +CVE: CVE-2026-56132 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/353919b3b9f2174073a557ac7d517a5f3cd0cbbf] + +(cherry picked from commit 353919b3b9f2174073a557ac7d517a5f3cd0cbbf) +Signed-off-by: Deepak Rathore +--- + expat/tests/basic_tests.c | 33 +++++++++++++++++++++++++++++++++ + 1 file changed, 33 insertions(+) + +diff --git a/expat/tests/basic_tests.c b/expat/tests/basic_tests.c +index 02d1d5fd..53b920da 100644 +--- a/expat/tests/basic_tests.c ++++ b/expat/tests/basic_tests.c +@@ -4091,6 +4091,37 @@ START_TEST(test_skipped_external_entity) { + } + END_TEST + ++START_TEST(test_scaff_index_shared_across_external_entity_parser) { ++ const char text[] ++ = "\n" ++ "\n" ++ "%e;\n" ++ "\n" ++ "]>\n" ++ ""; ++ ExtOption options[] ++ = {{XCS("ext"), ++ ""}, ++ {NULL, NULL}}; ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ XML_SetUserData(parser, options); ++ XML_SetExternalEntityRefHandler(parser, external_entity_optioner); ++ XML_SetElementDeclHandler(parser, dummy_element_decl_handler); ++ ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE) ++ == XML_STATUS_ERROR) ++ xml_failure(parser); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ + /* Test a different form of unknown external entity */ + START_TEST(test_skipped_null_loaded_ext_entity) { + const char *text = "\n" +@@ -6448,6 +6479,8 @@ make_basic_test_case(Suite *s) { + tcase_add_test(tc_basic, test_trailing_cr_in_att_value); + tcase_add_test(tc_basic, test_standalone_internal_entity); + tcase_add_test(tc_basic, test_skipped_external_entity); ++ tcase_add_test__ifdef_xml_dtd( ++ tc_basic, test_scaff_index_shared_across_external_entity_parser); + tcase_add_test(tc_basic, test_skipped_null_loaded_ext_entity); + tcase_add_test(tc_basic, test_skipped_unloaded_ext_entity); + tcase_add_test__ifdef_xml_dtd(tc_basic, test_param_entity_with_trailing_cr); +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat/CVE-2026-56132_p4.patch b/meta/recipes-core/expat/expat/CVE-2026-56132_p4.patch new file mode 100644 index 0000000000..0cef4df452 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56132_p4.patch @@ -0,0 +1,63 @@ +From 36df125531dab7e0dc640b341d07b4b1f5ede37b Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez +Date: Thu, 4 Jun 2026 17:01:02 -0700 +Subject: [PATCH] lib: Remove unnecessary `scaffIndex` expansion + +Following the previous changes, all locations that append entries to +`scaffIndex` handle expanding the array if it is not already large +enough. So this extra expansion code is no longer necessary. In some +cases such as processing siblings with alternating scaffolding counts, +this logic would actually _shrink_ the array only to then later +re-expand it. + +Anthropic: ANT-2026-00037 +Anthropic: ANT-2026-03621 +Anthropic: ANT-2026-03867 +Co-authored-by: Alessandro Gario + +CVE: CVE-2026-56132 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/bca93b4ba9e15fd84425568d772b69baebf790e4] + +Backport Changes: +- Remove the expanded Expat 2.7.5 scaffIndex resize block, including its + branch-specific integer overflow guard. + +(cherry picked from commit bca93b4ba9e15fd84425568d772b69baebf790e4) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 20 -------------------- + 1 file changed, 20 deletions(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index b528c9bc..e59ad556 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -5988,26 +5988,6 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + } + parser->m_groupConnector = new_connector; + } +- +- if (dtd->scaffIndex) { +- /* Detect and prevent integer overflow. +- * The preprocessor guard addresses the "always false" warning +- * from -Wtype-limits on platforms where +- * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +-#if UINT_MAX >= SIZE_MAX +- if (parser->m_groupSize > SIZE_MAX / sizeof(int)) { +- return XML_ERROR_NO_MEMORY; +- } +-#endif +- +- int *const new_scaff_index = REALLOC( +- parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int)); +- if (new_scaff_index == NULL) { +- return XML_ERROR_NO_MEMORY; +- } +- dtd->scaffIndex = new_scaff_index; +- dtd->scaffIndexSize = parser->m_groupSize; +- } + } else { + parser->m_groupConnector = MALLOC(parser, parser->m_groupSize = 32); + if (! parser->m_groupConnector) { +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat/CVE-2026-56132_p5.patch b/meta/recipes-core/expat/expat/CVE-2026-56132_p5.patch new file mode 100644 index 0000000000..8655298b65 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56132_p5.patch @@ -0,0 +1,58 @@ +From c6256eca63fe36d4ef26fd59cbcaab7b72e1d6f2 Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez +Date: Thu, 4 Jun 2026 17:01:02 -0700 +Subject: [PATCH] lib: Remove indented scoping of `new_connector` local + +Following the previous change, the lifetime of `new_connector` as +constrained by this introduced scope was identical to the parent scope. + +CVE: CVE-2026-56132 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/08baa7ef9d168b99094249998fd78f8d190526e5] + +Backport Changes: +- Keep the Expat 2.7.5 unsigned-int overflow guard while removing the + redundant new_connector scope. + +(cherry picked from commit 08baa7ef9d168b99094249998fd78f8d190526e5) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index e59ad556..e8d6fc3a 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -5974,20 +5974,18 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + case XML_ROLE_GROUP_OPEN: + if (parser->m_prologState.level >= parser->m_groupSize) { + if (parser->m_groupSize) { +- { +- /* Detect and prevent integer overflow */ +- if (parser->m_groupSize > (unsigned int)(-1) / 2u) { +- return XML_ERROR_NO_MEMORY; +- } ++ /* Detect and prevent integer overflow */ ++ if (parser->m_groupSize > (unsigned int)(-1) / 2u) { ++ return XML_ERROR_NO_MEMORY; ++ } + +- char *const new_connector = REALLOC( +- parser, parser->m_groupConnector, parser->m_groupSize *= 2); +- if (new_connector == NULL) { +- parser->m_groupSize /= 2; +- return XML_ERROR_NO_MEMORY; +- } +- parser->m_groupConnector = new_connector; ++ char *const new_connector = REALLOC(parser, parser->m_groupConnector, ++ parser->m_groupSize *= 2); ++ if (new_connector == NULL) { ++ parser->m_groupSize /= 2; ++ return XML_ERROR_NO_MEMORY; + } ++ parser->m_groupConnector = new_connector; + } else { + parser->m_groupConnector = MALLOC(parser, parser->m_groupSize = 32); + if (! parser->m_groupConnector) { +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb index ef5c415a2d..7036260ea1 100644 --- a/meta/recipes-core/expat/expat_2.7.5.bb +++ b/meta/recipes-core/expat/expat_2.7.5.bb @@ -22,6 +22,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56409.patch;striplevel=2 \ file://CVE-2026-56411.patch;striplevel=2 \ file://CVE-2026-56407.patch;striplevel=2 \ + file://CVE-2026-56132_p1.patch;striplevel=2 \ + file://CVE-2026-56132_p2.patch;striplevel=2 \ + file://CVE-2026-56132_p3.patch;striplevel=2 \ + file://CVE-2026-56132_p4.patch;striplevel=2 \ + file://CVE-2026-56132_p5.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"