From patchwork Fri Jul 17 06:04:28 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92690 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 99567C44507 for ; Fri, 17 Jul 2026 06:05:07 +0000 (UTC) Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.7798.1784268305661217742 for ; Thu, 16 Jul 2026 23:05:05 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=YACieeXN; spf=pass (domain: cisco.com, ip: 173.37.86.80, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=7056; q=dns/txt; s=iport01; t=1784268305; x=1785477905; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=QPPwrUJNUshigUs7L3OB+ggi/HDsU1kgw0MpqMn1jGs=; b=YACieeXNp7ofTLR+C0Eu4OogtdsZmSh5SBcZ4E0yS1otmA0ZdXXig7/0 Tkz+dv3q0b6ezXljTgf0jaDuWkeDbB2H7KRd+J1EwxWxoLlcUzuHtSQ5w /X5mEjnX//s0QZiocsV/Uxu6b7HC97MbFfuqR1V2OE0KBfRyudSkLA/ZH iCYdcF+YIAxMxl7CQd7qVcz/mQUEl5PErnrBc2e5mcAEyJEJ5eAe0w6db FMjUpOBSbJQe/xqzPFAChmGA1KLBUxYMl0KSQT+fwrAsKXjo9I6Dn2+8o bV8qt5BD4mnDdIYKoSQrHYrXzzeS59IaAOfqrumO164HaBIKbLobFd6Kl w==; X-CSE-ConnectionGUID: ixfVjCAXQJ6FInRhSlctow== X-CSE-MsgGUID: Ww8D8qE3Q/yIKCozC4xDhA== X-IPAS-Result: A0BJAgBWw1lq/5D/Ja1aglmCV3RfQkmUKYIhA4ETnQiBfg8BAQEPRA0EAQGEP0YCjVICJjQJDgECBAMCAwEBAQEBAQEBAQEBCwEBBQEBAQIBBwWBDhOGTw2GWgECAQMnCwEYAT0cAwECLysjCBEIgwIBgnQDEbx6GjeBeTOBAYMoAT8CQ1DbLgELFAGBOIU/iCBcGAGEfCcbG4FygRWCc3aBBYFcAQGIJQSCIoEMgVoehHOLDkiBHgNZLAFVEw0KCwcFgWYDNRIqFW4yHYEjPheBDBsHBYEdgTqBAIR2Ix8DOX+BL3VKdy1qEheBToIUgT4DCxgNSBEsNxQbBD5uB41II4I/gQ4BK4FDEZQXkBaCHqESCiiDdYwhlToaM6psC5h9jgqWAFCEaYFoPIEoHwsHcBWCbgEzCUoZD44tCwuDYIF/zEE8NQIJMgEBBwIHDgMLgWiRfgEB IronPort-Data: A9a23:Uf1XMKKAUFx4c2mPFE+RgJQlxSXFcZb7ZxGr2PjKsXjdYENS0DQDx jZMCmCAb62Na2v9L40gbN6z/UgCuZbVn4NqSQsd+CA2RRqmiyZq6fd1j6vUF3nPRiEWZBs/t 63yUvGZcoZsCCSa/kvxWlTYhSEU/bmSQbbhA/LzNCl0RAt1IA8skhsLd9QR2uaEuvDnRVnQ0 T/Oi5eHYgH9hGcqajh8B5+r8XuDgtyj4Fv0gXRmDRx7lAe2v2UYCpsZOZawIxPQKqFIHvS3T vr017qw+GXU5X8FUrtJRZ6iLyXm6paLVeS/oiI+t5qK23CulQRuukoPD8fwXG8M49m/c3+d/ /0W3XC4YV9B0qQhA43xWTEAe811FfUuFLMqvRFTvOTLp3AqfUcAzN1vHE8IP6Yxyt9VX09v8 8YYEzQGchec0rfeLLKTEoGAh+w5J8XteYdasXZ6wHSBUrAtQIvIROPB4towMDUY358VW62BI ZBENHw2MEiojx5nYj/7DLoykeqyj2X/dBVTqUmeouw85G27IAlZjeG1a4aNJYDRLSlTtnmH9 k6W5kmiO1YLFf+0ziiurmKAhsaayEsXX6pXTtVU7MVCh0WewGEWAhAaWVa35PK+kEOWX9NEN 1dS/TIjq6U3/kGnQtTxGRqirxa5UgU0QdFcFag+rQqK0KeRu1nfDWkfRTkHY9sj3CMreQEXO payt4uBLVRSXHe9EBpxKp/8QeuOBBUo IronPort-HdrOrdr: A9a23:TX8oS6qtjGigl6dowlQTIlUaV5oHeYIsimQD101hICG9Ffbo8/ xG88506faZslsssTQb6LO90cq7MBbhHOBOgLX5VI3KNGKNhILrFvAB0WKI+VLd8kPFmtK1rZ 0BT4FOTPvtEFN9kcH2pCO8E9om3Z271ZrAv5a485+oJjsaEp2JKGxCe2CmLnE= X-Talos-CUID: 9a23:jSvrz2wJS3+VTofxWwo5BgUVCs4bcFb0/E7yfWGZD1xpc7meVViPrfY= X-Talos-MUID: 9a23:VMNlzwuWKg9w5ss0uc2nuy4yGJdxzv+XT1Essr4BqeLYJQBwEmLI X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,168,1779148800"; d="scan'208";a="510340743" Received: from rcdn-l-core-07.cisco.com ([173.37.255.144]) by rcdn-iport-9.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 17 Jul 2026 06:05:04 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-07.cisco.com (Postfix) with ESMTPS id 6CF3E180003F2 for ; Fri, 17 Jul 2026 06:05:04 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id 8CF68CC037D; Fri, 17 Jul 2026 11:35:02 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap][PATCH 01/10] expat: fix CVE-2026-56403 Date: Fri, 17 Jul 2026 11:34:28 +0530 Message-Id: <20260717060437.2910653-2-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260717060437.2910653-1-deeratho@cisco.com> References: <20260717060437.2910653-1-deeratho@cisco.com> MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-07.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 17 Jul 2026 06:05:07 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241140 From: Deepak Rathore These patches apply the upstream fixes shown in [1] and [2], as referenced by [3]. Upstream pull request mentioned in [4] contains both the storeAtts fix and the related xcsdup overflow hardening so adding both source patches explicit, even though the published advisory description names storeAtts specifically. [1] https://github.com/libexpat/libexpat/commit/12dc6d8d3d65f79471a94d8565f6bf1cf245f648 [2] https://github.com/libexpat/libexpat/commit/147c8f36d6277d5c6011c098370a8362aed47b15 [3] https://nvd.nist.gov/vuln/detail/CVE-2026-56403 [4] https://github.com/libexpat/libexpat/pull/1232 Signed-off-by: Deepak Rathore --- .../expat/expat/CVE-2026-56403_p1.patch | 81 +++++++++++++++++++ .../expat/expat/CVE-2026-56403_p2.patch | 52 ++++++++++++ meta/recipes-core/expat/expat_2.6.4.bb | 2 + 3 files changed, 135 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56403_p1.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56403_p2.patch diff --git a/meta/recipes-core/expat/expat/CVE-2026-56403_p1.patch b/meta/recipes-core/expat/expat/CVE-2026-56403_p1.patch new file mode 100644 index 0000000000..f5e55eb6e3 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56403_p1.patch @@ -0,0 +1,81 @@ +From b689559597116ee75a633453e2f7177c8541b04e Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Wed, 20 May 2026 12:12:10 +0200 +Subject: [PATCH 01/17] lib: Protect function `storeAtts` from signed integer + overflow + +CVE: CVE-2026-56403 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/12dc6d8d3d65f79471a94d8565f6bf1cf245f648] + +Backport Changes: +- Adapt storeAtts to the Scarthgap 2.6.4 loop and URI allocation + logic while preserving the upstream overflow checks. + +(cherry picked from commit 12dc6d8d3d65f79471a94d8565f6bf1cf245f648) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 30 ++++++++++++++++++++---------- + 1 file changed, 20 insertions(+), 10 deletions(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 9bc67f38..df92a3ca 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -4226,26 +4226,32 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr, + return XML_ERROR_NONE; + prefixLen = 0; + if (parser->m_ns_triplets && binding->prefix->name) { +- for (; binding->prefix->name[prefixLen++];) +- ; /* prefixLen includes null terminator */ ++ size_t candidateLen = 0; ++ for (; binding->prefix->name[candidateLen++];) ++ ; /* candidateLen includes null terminator */ ++ /* Detect and prevent integer overflow */ ++ if (candidateLen > INT_MAX) ++ return XML_ERROR_NO_MEMORY; ++ prefixLen = (int)candidateLen; + } + tagNamePtr->localPart = localPart; + tagNamePtr->uriLen = binding->uriLen; + tagNamePtr->prefix = binding->prefix->name; + tagNamePtr->prefixLen = prefixLen; +- for (i = 0; localPart[i++];) +- ; /* i includes null terminator */ ++ ++ size_t localPartLen = 0; ++ for (; localPart[localPartLen++];) ++ ; /* localPartLen includes null terminator */ + + /* Detect and prevent integer overflow */ +- if (binding->uriLen > INT_MAX - prefixLen +- || i > INT_MAX - (binding->uriLen + prefixLen)) { ++ if (localPartLen > INT_MAX || binding->uriLen > INT_MAX - prefixLen ++ || localPartLen > (size_t)INT_MAX - (binding->uriLen + prefixLen)) { + return XML_ERROR_NO_MEMORY; + } + +- n = i + binding->uriLen + prefixLen; ++ n = (int)localPartLen + binding->uriLen + prefixLen; + if (n > binding->uriAlloc) { + TAG *p; +- + /* Detect and prevent integer overflow */ + if (n > INT_MAX - EXPAND_SPARE) { + return XML_ERROR_NO_MEMORY; +@@ -4273,10 +4279,14 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr, + } + /* if m_namespaceSeparator != '\0' then uri includes it already */ + uri = binding->uri + binding->uriLen; +- memcpy(uri, localPart, i * sizeof(XML_Char)); ++ /* Detect and prevent integer overflow */ ++ if (localPartLen > SIZE_MAX / sizeof(XML_Char)) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ memcpy(uri, localPart, localPartLen * sizeof(XML_Char)); + /* we always have a namespace separator between localPart and prefix */ + if (prefixLen) { +- uri += i - 1; ++ uri += localPartLen - 1; + *uri = parser->m_namespaceSeparator; /* replace null terminator */ + memcpy(uri + 1, binding->prefix->name, prefixLen * sizeof(XML_Char)); + } diff --git a/meta/recipes-core/expat/expat/CVE-2026-56403_p2.patch b/meta/recipes-core/expat/expat/CVE-2026-56403_p2.patch new file mode 100644 index 0000000000..b578cb60cc --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56403_p2.patch @@ -0,0 +1,52 @@ +From 2855ce68a1ce9732267c06734427930364ab66c1 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Fri, 22 May 2026 00:43:52 +0200 +Subject: [PATCH 02/17] xmlwf: Protect function `xcsdup` from signed integer + overflow + +CVE: CVE-2026-56403 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/147c8f36d6277d5c6011c098370a8362aed47b15] + +Backport Changes: +- Add stdint.h and convert count and numBytes to size_t because + Scarthgap 2.6.4 lacks these upstream prerequisites. + +(cherry picked from commit 147c8f36d6277d5c6011c098370a8362aed47b15) +Signed-off-by: Deepak Rathore +--- + expat/xmlwf/xmlwf.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/expat/xmlwf/xmlwf.c b/expat/xmlwf/xmlwf.c +index fd4fc3f8..7bbdb303 100644 +--- a/expat/xmlwf/xmlwf.c ++++ b/expat/xmlwf/xmlwf.c +@@ -45,6 +45,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -304,13 +305,18 @@ processingInstruction(void *userData, const XML_Char *target, + static XML_Char * + xcsdup(const XML_Char *s) { + XML_Char *result; +- int count = 0; +- int numBytes; ++ size_t count = 0; ++ size_t numBytes; + + /* Get the length of the string, including terminator */ + while (s[count++] != 0) { + /* Do nothing */ + } ++ ++ // Detect and prevent integer overflow ++ if (count > SIZE_MAX / sizeof(XML_Char)) ++ return NULL; ++ + numBytes = count * sizeof(XML_Char); + result = malloc(numBytes); + if (result == NULL) diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb index 151720a9e3..dba4b2c81d 100644 --- a/meta/recipes-core/expat/expat_2.6.4.bb +++ b/meta/recipes-core/expat/expat_2.6.4.bb @@ -51,6 +51,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-32777-02.patch \ file://CVE-2026-32778-01.patch \ file://CVE-2026-32778-02.patch \ + file://CVE-2026-56403_p1.patch;striplevel=2 \ + file://CVE-2026-56403_p2.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Fri Jul 17 06:04:29 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92691 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9CD9BC4450F for ; Fri, 17 Jul 2026 06:05:17 +0000 (UTC) Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.7686.1784268314440757964 for ; Thu, 16 Jul 2026 23:05:14 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=EBz8AHSz; spf=pass (domain: cisco.com, ip: 173.37.86.74, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=2676; q=dns/txt; s=iport01; t=1784268314; x=1785477914; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=+wR1uhWLqIMt9At/1ltt/gDvSzfK4XAD0Kc9fDwOaXs=; b=EBz8AHSzkK8IFjtIkpLDife5Nx8gD4+SFLX2ONyza7xW66rDN7Fp837L 4Fpqv8JiKT/W2drd9LhhuI+7UIIIW4Y6ld5t7tZdeNH7EBlaQ0I0Qg1O6 1BV+bEnj9yvCbdVH0Usc83JjlKxRxcd1CR99G9A4VPrNoejnVKVkvu9VX TH1ui5sXmWS8ofLMLuqNpGh1CRo0YsgZRHy8yXbfN0/psNEz2dWQGz/vu 3AX16yN9wc6iGqPthHPzOzjHIoSyV6WjgMZYjU4MH0uRpeQ7AeukzDXxa nMIzQ0vYuX89q65VTIY/J1dTp9b8G5pbJZsnxs8DDP+YAkx5xEyVsia4w g==; X-CSE-ConnectionGUID: vMHOyA84QtOSb6DYOXy0bg== X-CSE-MsgGUID: 9237OLciRq6bRpx5PAIXTw== X-IPAS-Result: A0BHAgBIxVlq/5H/Ja1aglmCV3RfQkmUKYIknhuBfg8BAQEPRA0EAQGEP0YCjVICJjQJDgECBAMCAwEBAQEBAQEBAQEBCwEBBQEBAQIBBwWBDhOGTw2GWgECAQMyARgBPRwDAQIvKyMIEQiDAgGCdAMRvHoaN4IsgQGDKAE/AkNQ2y4BCxQBgTiFP4ggXBgBhHwnGxuBcoEVg2mBBYFcAQGCLYV4BIIigQyBWh6Ec4sOSIEeA1ksAVUTDQoLBwWBZgM1EioVbjIdgSM+F4EMGwcFgR2BOoEAhHYjHwM5f4EvdUp3LWoSF4FOghSBPgMLGA1IESw3FBsEPm4HjUgjgj8xXQErgUOmXKESCiiDdYwhlToaM6psC5h9jgqVaGiEaYFoPIEoARoECwdwFYJuATMJShkPjjiDa4F/zEE8NQIJMgEBBwIHDgMLgWiRfgEB IronPort-Data: A9a23:oPbP3a0ya/3Rt7GPU/bD5YJwkn2cJEfYwER7XKvMYLTBsI5bpzAFz mdNDWHUMv7ZMGakKop1YIvi9R4E6sXVx4BiGVdv3Hw8FHgiRegpqji6wuYcGwvIc6UvmWo+t 512huHodZ5yFjmH4E/xbtANlFEkvYmQXL3wFeXYDS54QA5gWU8JhAlq8wIDqtYAbeORXUXX5 Lsen+WFYAX7g2EtbDpOg06+gEoHUMra6WtwUmMWPZinjHeG/1EJAZQWI72GLneQauF8Au6gS u/f+6qy92Xf8g1FIovNfmHTKxBirhb6ZGBiu1IOM0SQqkEqSh8ajs7XAMEhhXJ/0F1lqTzeJ OJl7vRcQS9xVkHFdX90vxNwS0mSNoUekFPLzOTWXcG7lyX7n3XQL/pGEmQWGpwxqrpOHUZ1/ 6I0GRc9f0iJiLfjqF67YrEEasULNsLnOsYb/3pn1zycVaZgSpHYSKKM7thdtNsyrpkRRrCFO IxDNGcpNUidC/FMEg9/5JYWkOqlnHDjczpwo1OOrq1x6G/WpOB0+OW0aYSPJobaH625mG7J/ DmZ2EDyAysDatal0SrYyluNttPQyHaTtIU6UefQGuRRqFqLy2oeDRcbWVe2rbyyjVSzc9ZeM FAPvC02oK4/8UamQtXwU1u/unHsg/IHc8BbH+t/7ESGzbDZpl7JQGMFVTVGLtchsafaWAAX6 7NApPuxbRQHjVFfYSv1Gmu8xd9qBRUoEA== IronPort-HdrOrdr: A9a23:zj0LoKAa8Cm800blHemA55DYdb4zR+YMi2TDsHoBLSC9Hfb3qy nDppkmPFrP+VUssRIb6LW90de7IE80nKQdieJ6AV7hZniFhILCFu5fBOXZrwEIYxefysdtkY F9bqN5FNr8SXJ+jcr8/U2ENuxI+qjhzEht7t2utkuEimpRGsdd0zs= X-Talos-CUID: 9a23:frio724i4Z3/kVzge9ss6ms0PdEMIiHk0FDrKRGUOEFZWeWfRgrF X-Talos-MUID: 9a23:yqCH1w/kfCFufCpL+3WSF8mQf5YyuPuJLEsMq4xYsfOcJXFIEhatsCviFw== X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,168,1779148800"; d="scan'208";a="511624282" Received: from rcdn-l-core-08.cisco.com ([173.37.255.145]) by rcdn-iport-3.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 17 Jul 2026 06:05:13 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-08.cisco.com (Postfix) with ESMTPS id 4D5A6180001FA for ; Fri, 17 Jul 2026 06:05:13 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id 700DFCC037D; Fri, 17 Jul 2026 11:35:11 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap][PATCH 02/10] expat: fix CVE-2026-56408 Date: Fri, 17 Jul 2026 11:34:29 +0530 Message-Id: <20260717060437.2910653-3-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260717060437.2910653-1-deeratho@cisco.com> References: <20260717060437.2910653-1-deeratho@cisco.com> MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-08.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 17 Jul 2026 06:05:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241141 From: Deepak Rathore This patch applies the upstream fix shown in [1] as referenced by [2]. The fix is adapted to the existing Scarthgap Expat 2.6.4 source. [1] https://github.com/libexpat/libexpat/commit/16e2efd867ea8567ffa012210b52ef5918e20817 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-56408 Signed-off-by: Deepak Rathore --- .../expat/expat/CVE-2026-56408.patch | 33 +++++++++++++++++++ meta/recipes-core/expat/expat_2.6.4.bb | 1 + 2 files changed, 34 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56408.patch diff --git a/meta/recipes-core/expat/expat/CVE-2026-56408.patch b/meta/recipes-core/expat/expat/CVE-2026-56408.patch new file mode 100644 index 0000000000..7fbe617b47 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56408.patch @@ -0,0 +1,33 @@ +From c1ad5610cf060c6374d8f8d3b39163edd7053321 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Thu, 23 Apr 2026 10:31:45 +0200 +Subject: [PATCH 03/17] lib: Waterproof `copyString` from integer overflow + +CVE: CVE-2026-56408 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/16e2efd867ea8567ffa012210b52ef5918e20817] + +Backport Changes: +- Keep the Scarthgap 2.6.4 copyString loop and add only the + upstream allocation overflow guard. + +(cherry picked from commit 16e2efd867ea8567ffa012210b52ef5918e20817) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index df92a3ca..12bbe23e 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -8489,6 +8489,10 @@ copyString(const XML_Char *s, XML_Parser parser) { + /* Include the terminator */ + charsRequired++; + ++ /* Detect and prevent integer overflow */ ++ if (charsRequired > SIZE_MAX / sizeof(XML_Char)) ++ return NULL; ++ + /* Now allocate space for the copy */ + result = MALLOC(parser, charsRequired * sizeof(XML_Char)); + if (result == NULL) diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb index dba4b2c81d..acd943b4e6 100644 --- a/meta/recipes-core/expat/expat_2.6.4.bb +++ b/meta/recipes-core/expat/expat_2.6.4.bb @@ -53,6 +53,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-32778-02.patch \ file://CVE-2026-56403_p1.patch;striplevel=2 \ file://CVE-2026-56403_p2.patch;striplevel=2 \ + file://CVE-2026-56408.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Fri Jul 17 06:04:30 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92692 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9A4F5C44507 for ; Fri, 17 Jul 2026 06:05:37 +0000 (UTC) Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.7799.1784268319713933405 for ; Thu, 16 Jul 2026 23:05:19 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=SPINqKeQ; spf=pass (domain: cisco.com, ip: 173.37.86.76, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=2975; q=dns/txt; s=iport01; t=1784268319; x=1785477919; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=A1fvM1ebbTeedBXwM/XRlKM940h+7WSbtr33iP1qMEQ=; b=SPINqKeQrppN9/hee/raNxxO70nkGkqg3ImJw/QLFVEtN7rYv5AJeRf1 KsHY4mVKqyBqYFdNM1jsuneneoIH0+UwgHDIOdaXmS+j7YvZqA+3+GPlY MNIeEfS9VyXCzrHbL0yf6LmG742nguj9d4Ecx6HVI6l1/8uXzxtmApkCe bjPBL81oR45uS7RrQiw2fKaGYOr4yIHMzKops3grSmKTKW6/1Nhe7f2fP AHjvFp08HB8FZaVLbPZtsyaiDIaMk6FnFThNl7Uls+OUSmgdsqYxTOeXC rra9SCwCUJir2yshBs0E9KX/mKlYDrEnU452d9qwP2mw+gLhFFtn93n10 g==; X-CSE-ConnectionGUID: 2nvmsg9TQLyGCDmeiHnHPQ== X-CSE-MsgGUID: yXKfwgxfTS24QKYwhMHsVw== X-IPAS-Result: A0BJAgBIxVlq/43/Ja1aglmCV3RfQkmUKYIhA4tkkjeBfg8BAQEPRA0EAQGEP0YCjVICJjQJDgECBAMCAwEBAQEBAQEBAQEBCwEBBQEBAQIBBwWBDhOGTw2GWgECAQMnCwEYAT0cAwECLyALIwgRCIMCAYI6AzcDEbx6GjeBeTOBAYMoAT8CQ1DYSQ2CWAELFAGBOIU/gn2FI1wYAYR8JxsbgXKEfoEFgRpCAQGBJ4EGhXgEgiKBDIFaHoRziw5IgR4DWSwBVRMNCgsHBYFmAzUSKhVuMh2BIz4XgQwbBwWBHYE6gQCEdiMfAzl/gS91SnctahIXgU6CFIE+AwsYDUgRLDcUGwQ+bgeNSCOCP4EOASuBQxGmS6AhcQoog3WMIY8+hXwaM6psC5h9jgqECZJHhGmBaDyBKB8LB3AVgm4BMwlKGQ+OOINrgX/MQTw1AgkyAQEHAgcOAwuBaJAAgX4BAQ IronPort-Data: A9a23:9BwMAq/0K24JmAHki5EhDrUD0X+TJUtcMsCJ2f8bNWPcYEJGY0x3y TEXCjiPO/qCMGegLY11Pd+y80sP6sTWndFhHFQ4pH1EQiMRo6IpJzg2wmQcns+2BpeeJK6yx 5xGMrEsFOhtEDmE4EzrauS9xZVF/fngbqLmD+LZMTxGSwZhSSMw4TpugOdRbrRA2bBVOCvT/ 4mvyyHjEAX9gWAsbTtKs/jrRC5H5ZwehhtJ5jTSWtgT1LPuvyF9JI4SI6i3M0z5TuF8dsamR /zOxa2O5WjQ+REgELuNyt4XpWVTH9Y+lSDX4pZnc/DKbipq/0Te4Y5nXBYoUnq7vh3S9zxHJ HqhgrTrIeshFvWkdO3wyHC0GQkmVUFN0OevzXRSLaV/wmWeG0YAzcmCA2lsO5Md4ekmPVhq5 NMzBDUAbzCFp9qPlefTpulE3qzPLeHxN48Z/3UlxjbDALN+HdbIQr7B4plT2zJYasJmRKmFI ZFGL2AyMVKZP0Qn1lQ/UPrSmM+ki3TleiFYr3qepLE85C7YywkZPL3FbYOMJoXbGZQL9qqej nP23GrmDQEUCOfFlQOmw22so8/UozyuDer+E5X9rJaGmma7wXQeDhATX1a3rfS1z0W5Qd93L 00P5jFoqrA/8kGuRNTxUxC05nmesXYht8F4CeY27kSJj6HT+QvcXjRCRT9aY9tgv8gzLdA36 mK0cxrSLWQHmNWopbi1r994cRva1fApEFI/ IronPort-HdrOrdr: A9a23:b/IZL66hVHYN9pKnwgPXwOTXdLJyesId70hD6qkXc20wTiX2ra 6TdZgguCMczQxhO03I+urwXZVoP0m8yXcd2+B4Vt2ftUvdyQmVxepZgrcKrQeNJ8SHzI5g/J YlVbRiA9vtClU/p8P77A6kV+sE+rC8gceVbSO09QYVcemsAJsQiTtENg== X-Talos-CUID: 9a23:FZ2Kn2oNU3Jli8vyLt3l4w3mUZojbHjGwybsGmupJk1FTbCUaVmwwJoxxg== X-Talos-MUID: 9a23:eqPSOAXcGPZzOc7q/C7cpz99O9dm35/0VHkuoIoGnumfCzMlbg== X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,168,1779148800"; d="scan'208";a="511419496" Received: from rcdn-l-core-04.cisco.com ([173.37.255.141]) by rcdn-iport-5.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 17 Jul 2026 06:05:18 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-04.cisco.com (Postfix) with ESMTPS id 946CE180005C6 for ; Fri, 17 Jul 2026 06:05:18 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id B3B71CC037D; Fri, 17 Jul 2026 11:35:16 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap][PATCH 03/10] expat: fix CVE-2026-56404 Date: Fri, 17 Jul 2026 11:34:30 +0530 Message-Id: <20260717060437.2910653-4-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260717060437.2910653-1-deeratho@cisco.com> References: <20260717060437.2910653-1-deeratho@cisco.com> MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-04.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 17 Jul 2026 06:05:37 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241142 From: Deepak Rathore This patch applies the upstream fix shown in [1] as referenced by [2]. [1] https://github.com/libexpat/libexpat/commit/babfc48090977cbf7be24b2c48f6053dca75c164 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-56404 Signed-off-by: Deepak Rathore --- .../expat/expat/CVE-2026-56404.patch | 45 +++++++++++++++++++ meta/recipes-core/expat/expat_2.6.4.bb | 1 + 2 files changed, 46 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56404.patch diff --git a/meta/recipes-core/expat/expat/CVE-2026-56404.patch b/meta/recipes-core/expat/expat/CVE-2026-56404.patch new file mode 100644 index 0000000000..d147a7502c --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56404.patch @@ -0,0 +1,45 @@ +From d8e09a54fa9214e64d8e73057ca6918d08857022 Mon Sep 17 00:00:00 2001 +From: netliomax25-code +Date: Thu, 28 May 2026 12:44:11 +0530 +Subject: [PATCH 04/17] lib: protect function addBinding from signed integer + overflow + +CVE: CVE-2026-56404 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/babfc48090977cbf7be24b2c48f6053dca75c164] + +(cherry picked from commit babfc48090977cbf7be24b2c48f6053dca75c164) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 12bbe23e..9d21e136 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -4456,6 +4456,10 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, + } + + for (len = 0; uri[len]; len++) { ++ /* Detect and prevent signed integer overflow */ ++ if (len == INT_MAX) { ++ return XML_ERROR_NO_MEMORY; ++ } + if (isXML && (len > xmlLen || uri[len] != xmlNamespace[len])) + isXML = XML_FALSE; + +@@ -4496,8 +4500,13 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, + if (isXMLNS) + return XML_ERROR_RESERVED_NAMESPACE_URI; + +- if (parser->m_namespaceSeparator) ++ if (parser->m_namespaceSeparator) { ++ /* Detect and prevent signed integer overflow */ ++ if (len == INT_MAX) { ++ return XML_ERROR_NO_MEMORY; ++ } + len++; ++ } + if (parser->m_freeBindingList) { + b = parser->m_freeBindingList; + if (len > b->uriAlloc) { diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb index acd943b4e6..815b31fc10 100644 --- a/meta/recipes-core/expat/expat_2.6.4.bb +++ b/meta/recipes-core/expat/expat_2.6.4.bb @@ -54,6 +54,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56403_p1.patch;striplevel=2 \ file://CVE-2026-56403_p2.patch;striplevel=2 \ file://CVE-2026-56408.patch;striplevel=2 \ + file://CVE-2026-56404.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Fri Jul 17 06:04:31 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92694 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BD401C44515 for ; Fri, 17 Jul 2026 06:05:37 +0000 (UTC) Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.7800.1784268326802407589 for ; Thu, 16 Jul 2026 23:05:27 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=Y9ti25jR; spf=pass (domain: cisco.com, ip: 173.37.86.79, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=2505; q=dns/txt; s=iport01; t=1784268326; x=1785477926; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=0BRhRsYwmyEzit9miq6XowVB8Zk/QcNHP7Tsxb03ngc=; b=Y9ti25jRPfF4N1CpzfTIDVcrUj6nhoJ/KhSmmMSGf0PbFD1+NmQFFcGx jXFmCRjzB0aWI1hMhflvcPTWYdFPNJBG0zlr5Q0CFE5bDZEgnn8fcF4/V mK8QrYAfISv4qPU8AG8oGd0d9RgGyPirb+g76l3TWpLXv7baQ3lwuRpNu Pr19DCuKZzFTYbjuTFq/HmviPzUobLhXjuZymDVtj1ZEAgvJ9Weg21epN tCH3io7RS7vDI4i1w9i0Fia4V6Q+7Q5fI3TgR/Czs1sPSjFf94+uLL0ds 7pZf9r63YDmcxdBSRwCW3aJJYo7ja+jkXr1rtHhbU2NjltRg6npoRUazd Q==; X-CSE-ConnectionGUID: +9a3yYLwQq6oTTEB2EWaLg== X-CSE-MsgGUID: gp4xqp/JTYKsAPgCE8cjrw== X-IPAS-Result: A0BIAgBWw1lq/5L/Ja1aHgEBCxIMggULgld0X0JJlCmCIQOLZJI3gX4PAQEBD0QNBAEBhD9GAo1SAiY0CQ4BAgQDAgMBAQEBAQEBAQEBAQsBAQUBAQECAQcFgQ4Thk8NhloBAgEDMgEYAT0cAwECLyALIwgRCIMCAYI6AzcDEbx6GjeCLIEBgygBPwJDUNhJDYJYAQsUAYE4hT+CfYUjXBgBhHwnGxuBcoEUAYNpgQWBGkIBAYIGJ4V4BIIigQyBWh6Ec4sOSIEeA1ksAVUTDQoLBwWBZgM1EioVbjIdgSM+F4EMGwcFgR2BOoEAhHYjHwM5f4EvdUp3LWoSF4FOghSBPgMLGA1IESw3FBsEPm4HjUgjgj+BDgErgUMRpC2CHqAhcQoog3WMIY8+hXwaM6psC5h9jgqECZJHhGmBaDyBKB8LB3AVgm4BMwlKGQ+OOINrgX/MQTw1AgkyAQEHAgcOAwuBaJF+AQE IronPort-Data: A9a23:94CAraNaxvmlvHTvrR30lsFynXyQoLVcMsEvi/4bfWQNrUpw3mFSm 2YdW2CPbKzcYWbwctpxO4XipxkFvpaGxoBkSHM5pCpnJ55oRWUpJjg4wmPYZX76whjrFRo/h ykmQoCeaphyFTmE+kvF3oHJ9RFUzbuPSqf3FNnKMyVwQR4MYCo6gHqPocZh6mJTqYb/WV7lV e/a+ZWFZgf6gmAsaAr41orawP9RlKWq0N8nlgRWicBj5Df2i3QTBZQDEqC9R1OQapVUBOOzW 9HYx7i/+G7Dlz91Yj9yuu+mGqGiaue60Tmm0hK6aYD76vRxjnBaPpIACRYpQRw/ZwNlMDxG4 I4lWZSYEW/FN0BX8QgXe0Ew/ypWZcWq9FJbSJSymZT78qHIT5fj67Y/BRonDKkHw/8pBl1y2 NZCBQ8ESh/W0opawJrjIgVtrt4oIM+uOMYUvWttiGmIS/0nWpvEBa7N4Le03h9p2ZsIRqmYP ZdEL2MzMnwsYDUXUrsTIJ4zkf2hmnn4WzZZs1mS46Ew5gA/ySQsiOK8aoaKK4ziqcN9kV7Et nveuEbFMzIBHeSQ4hfV+XC2mbqa9c/8cMdIfFGizdZtmFCVy2kZBREaWFf+qv6jh2a6WslDM AoT4icooK04+UCnQ9W7WAe3yENopTYGUNZWVul/4waXx++MskCSB3MPSXhKb9lOWNIKeAHGH 2Shx7vBbQGDepXPIZ5B3t94dQ+PBBU= IronPort-HdrOrdr: A9a23:9d6fRq/fvVZ5Y+XqFHBuk+D0I+orL9Y04lQ7vn2ZLiYlFvBw+P rBoB1273LJYXMqKRIdcLO7Scy9qA3nlKKdiLN5VdzJYOClghrLEGgI1+TfKlPbdxEWjtQ86Y 5QN45jFdb3EV92yez+4AW+DpIc5ePvytHOuQ8bpE0dND2DrMpbnmFENjo= X-Talos-CUID: 9a23:GjHtxm13Vs33Y3XVA2naGbxfWZEsKWzs6GjpOhG/NVpEYue4dla09/Yx X-Talos-MUID: 9a23:J7D2Gg9guxji5hC91uXbhomQf8hwv7S3EAcvraQloOC8OgddazyfliviFw== X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,168,1779148800"; d="scan'208";a="502924798" Received: from rcdn-l-core-09.cisco.com ([173.37.255.146]) by rcdn-iport-8.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 17 Jul 2026 06:05:26 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-09.cisco.com (Postfix) with ESMTPS id B17B118000203 for ; Fri, 17 Jul 2026 06:05:25 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id D3789CC037D; Fri, 17 Jul 2026 11:35:23 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap][PATCH 04/10] expat: fix CVE-2026-56405 Date: Fri, 17 Jul 2026 11:34:31 +0530 Message-Id: <20260717060437.2910653-5-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260717060437.2910653-1-deeratho@cisco.com> References: <20260717060437.2910653-1-deeratho@cisco.com> MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-09.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 17 Jul 2026 06:05:37 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241143 From: Deepak Rathore This patch applies the upstream fix shown in [1] as referenced by [2]. [1] https://github.com/libexpat/libexpat/commit/2c6c42d33689f6b266a5267b639e03cde17e53c0 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-56405 Signed-off-by: Deepak Rathore --- .../expat/expat/CVE-2026-56405.patch | 30 +++++++++++++++++++ meta/recipes-core/expat/expat_2.6.4.bb | 1 + 2 files changed, 31 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56405.patch diff --git a/meta/recipes-core/expat/expat/CVE-2026-56405.patch b/meta/recipes-core/expat/expat/CVE-2026-56405.patch new file mode 100644 index 0000000000..3df0cedfb8 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56405.patch @@ -0,0 +1,30 @@ +From 49ba5bdafa7aaee9b77a32ffaa798e625bd46e73 Mon Sep 17 00:00:00 2001 +From: netliomax25-code +Date: Fri, 29 May 2026 11:45:17 +0530 +Subject: [PATCH 05/17] lib: Protect function getAttributeId from signed + integer overflow + +CVE: CVE-2026-56405 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/2c6c42d33689f6b266a5267b639e03cde17e53c0] + +(cherry picked from commit 2c6c42d33689f6b266a5267b639e03cde17e53c0) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 9d21e136..80ad0811 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -7312,6 +7312,10 @@ getAttributeId(XML_Parser parser, const ENCODING *enc, const char *start, + } else { + int i; + for (i = 0; name[i]; i++) { ++ /* Detect and prevent signed integer overflow */ ++ if (i == INT_MAX) { ++ return NULL; ++ } + /* attributes without prefix are *not* in the default namespace */ + if (name[i] == XML_T(ASCII_COLON)) { + int j; diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb index 815b31fc10..615d404d56 100644 --- a/meta/recipes-core/expat/expat_2.6.4.bb +++ b/meta/recipes-core/expat/expat_2.6.4.bb @@ -55,6 +55,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56403_p2.patch;striplevel=2 \ file://CVE-2026-56408.patch;striplevel=2 \ file://CVE-2026-56404.patch;striplevel=2 \ + file://CVE-2026-56405.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Fri Jul 17 06:04:32 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92693 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9C345C4450F for ; Fri, 17 Jul 2026 06:05:37 +0000 (UTC) Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.7689.1784268333310355865 for ; Thu, 16 Jul 2026 23:05:33 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=WebiZFR7; spf=pass (domain: cisco.com, ip: 173.37.86.74, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=5073; q=dns/txt; s=iport01; t=1784268333; x=1785477933; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=PsybrWQcpvCKR/WgIPf64UWvXQuE7BW6elJU71LffIo=; b=WebiZFR7OR3oqfaa7nUMEGpIvJnacukO/u1NA2HCof+vvNNS5/kn7q00 vVtbGd0qF0G+TTBL9HjFW20+oEx61Z3uuZVFSmGMChLK52Gz6KxI3Tx1R GjF9eDk/5r39wU09bGlwKoZZONk7S2JKq6cQKWn7d8B1uWRoqtR14ZEN2 QeFSj6HL1/dtHP44qs+ns/WJOQahqW5DgNwPAJiyq9Gq9y99E63OYQgKp f0X8ocWzg5BpL+x+s7jS2RwTFXVUX89uJMQNuM0nHQVP/V5Iwwh/t7Cx6 SOeYX1xtEG4DvlpiFdsM4q7TI6CLBRx+FLi2ejCCQezYCvXFB+XUREan5 Q==; X-CSE-ConnectionGUID: WxCdGvhRQk61JD9lDAK0CQ== X-CSE-MsgGUID: aPtHJ5JhQN+aEFjAdp6gmA== X-IPAS-Result: A0BIAgBIxVlq/4//Ja1aHgEBCxIMggULgld0X0JJlCmCIQOLZJI3gX4PAQEBD0QNBAEBhD9GAo1SAiY0CQ4BAgQDAgMBAQEBAQEBAQEBAQsBAQUBAQECAQcFgQ4Thk8NhloBAgEDMgEYAT0cAwECLyALIwgRCIMCAYI6AzcDEbx6GjeCLIEBgygBPwJDUNhJDYJYAQsUAYE4hT+CfYUjXBgBhHwnGxuBcoR+gQWBGkIBAYglBIIigQyBWh6Ec4sOSIEeA1ksAVUTDQoLBwWBZgM1EioVbjIdgSM+F4EMGwcFgR2BOoEAhHYjHwM5f4EvdUp3LWoSF4FOghSBPgMLGA1IESw3FBsEPm4HjUgjgj+BDgErgUMRpkugIXEKKIN1jCGPPoV8GjOqbAuYfY4KhAmSR4RpgWg8gSgfCwdwFYJuATMJShkPjjiDa4F/zEE8NQIJMgEBBwIHDgMLgWiRfgEB IronPort-Data: A9a23:dc1gfqgFm6r0YM8hgmwZf0t/X161MREKZh0ujC45NGQN5FlHY01je htvWmnUbquDYWSjfY0lb42w/UgEucSHmIRrHQNrpX83Qi1jpJueD7x1DKtf0wB+jyHnZBg6h ynLQoCYdKjYdleF+FH1dOOn9SUgvU2xbuKUIPbePSxsThNTRi4kiBZy88Y0mYcAbeKRW2thg vus5ZeCULOZ82QsaDxMtPvd8EkHUMna4Vv0gHRvPZing3eG/5UlJMp3Db28KXL+Xr5VEoaSL 87fzKu093/u5BwkDNWoiN7TKiXmlZaLYGBiIlIPM0STqkAqSh4ai87XB9JAAatjsAhlqvgqo Dl7WTNcfi9yVkHEsLx1vxC1iEiSN4UekFPMCSDXXcB+UyQqflO0q8iCAn3aMqUn6s17Ln9Oz 8UbdmkvQkGHq8uVmJmCH7wEasQLdKEHPasFsX1miDWcBvE8TNWbHePB5MRT23E7gcUm8fT2P pVCL2EwKk6dPlsWZgx/5JEWxI9EglHzfjBCoU6VooI84nPYy0p6172F3N/9J4XTG58JxRbEz o7A123BHjE4af6f8BzG+1+ChMbDhX30XatHQdVU8dYv2jV/3Fc7DwUbU1a+q/S1hkOyHtlYM UE8/is1sbN081SmSNT4VRC0rHOI+BkGVLJt//YS8gqBzO/Qpg2eHGVBFmAHY909v8hwTjsvv rOUo+7U6fVUmOX9YRqgGn289Fte5QB9wbc+WBI5 IronPort-HdrOrdr: A9a23:lD80LajQ23pE2slh4/JpLSoph3BQXvYji2hC6mlwRA09TyX+rb HLoB1173HJYVoqNU3I3OrwW5VoIkmskKKdn7NxAV7KZmCP0wGVxcNZnOnfKlbbdBEWmNQw6U 4ZSchDIey1K0RmhsDn5wT9OdMhzN6btJ2Mv47lvhBQpcUAUdAY0++/YTzrdHFLeA== X-Talos-CUID: 9a23:xLCDp2pFtb4kDGyIDDr8lxzmUf81WXHy0nfqGkzmUERFGbm5YHzI05oxxg== X-Talos-MUID: 9a23:w/REngtk3aIf3uGCaM2njQl+FOU1waSXLgMEvLsEksWcayN1EmLI X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,168,1779148800"; d="scan'208";a="511624384" Received: from rcdn-l-core-06.cisco.com ([173.37.255.143]) by rcdn-iport-3.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 17 Jul 2026 06:05:32 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-06.cisco.com (Postfix) with ESMTPS id 2F78C18000270 for ; Fri, 17 Jul 2026 06:05:32 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id 507F9CC037D; Fri, 17 Jul 2026 11:35:30 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap][PATCH 05/10] expat: fix CVE-2026-56410 Date: Fri, 17 Jul 2026 11:34:32 +0530 Message-Id: <20260717060437.2910653-6-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260717060437.2910653-1-deeratho@cisco.com> References: <20260717060437.2910653-1-deeratho@cisco.com> MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-06.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 17 Jul 2026 06:05:37 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241144 From: Deepak Rathore These patches apply the upstream fixes shown in [1] and [2], as referenced by [3]. [1] https://github.com/libexpat/libexpat/commit/deeb97f7c88d17a16b0ea2521a13733abc283347 [2] https://github.com/libexpat/libexpat/commit/cee20e91bf14dc7f6d2fc48f0d70d86b2dc3afea [3] https://nvd.nist.gov/vuln/detail/CVE-2026-56410 Signed-off-by: Deepak Rathore --- .../expat/expat/CVE-2026-56410_p1.patch | 46 +++++++++++++++++++ .../expat/expat/CVE-2026-56410_p2.patch | 39 ++++++++++++++++ meta/recipes-core/expat/expat_2.6.4.bb | 2 + 3 files changed, 87 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56410_p1.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56410_p2.patch diff --git a/meta/recipes-core/expat/expat/CVE-2026-56410_p1.patch b/meta/recipes-core/expat/expat/CVE-2026-56410_p1.patch new file mode 100644 index 0000000000..0a685bb5d1 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56410_p1.patch @@ -0,0 +1,46 @@ +From b454931c42290c9f0faf2a01f9634d82db636bac Mon Sep 17 00:00:00 2001 +From: netliomax25-code +Date: Fri, 29 May 2026 17:51:25 +0530 +Subject: [PATCH 06/17] xmlwf: protect resolveSystemId from integer overflow + +CVE: CVE-2026-56410 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/deeb97f7c88d17a16b0ea2521a13733abc283347] + +Backport Changes: +- Adapt the allocation hunk to Scarthgap 2.6.4's explicit cast and + include stdint.h so SIZE_MAX is available. + +(cherry picked from commit deeb97f7c88d17a16b0ea2521a13733abc283347) +Signed-off-by: Deepak Rathore +--- + expat/xmlwf/xmlfile.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/expat/xmlwf/xmlfile.c b/expat/xmlwf/xmlfile.c +index 9c4f7f8d..ad691b12 100644 +--- a/expat/xmlwf/xmlfile.c ++++ b/expat/xmlwf/xmlfile.c +@@ -41,6 +41,7 @@ + #include "expat_config.h" + + #include ++#include + #include + #include + #include +@@ -130,8 +131,13 @@ resolveSystemId(const XML_Char *base, const XML_Char *systemId, + #endif + ) + return systemId; +- *toFree = (XML_Char *)malloc((tcslen(base) + tcslen(systemId) + 2) +- * sizeof(XML_Char)); ++ const size_t charsRequired = tcslen(base) + tcslen(systemId) + 2; ++ ++ /* Detect and prevent integer overflow */ ++ if (charsRequired > SIZE_MAX / sizeof(XML_Char)) ++ return systemId; ++ ++ *toFree = malloc(charsRequired * sizeof(XML_Char)); + if (! *toFree) + return systemId; + tcscpy(*toFree, base); diff --git a/meta/recipes-core/expat/expat/CVE-2026-56410_p2.patch b/meta/recipes-core/expat/expat/CVE-2026-56410_p2.patch new file mode 100644 index 0000000000..97977e6af5 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56410_p2.patch @@ -0,0 +1,39 @@ +From 7e6230212ddc4ea74115218fdbe5717e8e1c0f2b Mon Sep 17 00:00:00 2001 +From: netliomax25-code +Date: Sat, 30 May 2026 11:28:51 +0530 +Subject: [PATCH 07/17] xmlwf: guard each operator in resolveSystemId length + sum + +CVE: CVE-2026-56410 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/cee20e91bf14dc7f6d2fc48f0d70d86b2dc3afea] + +(cherry picked from commit cee20e91bf14dc7f6d2fc48f0d70d86b2dc3afea) +Signed-off-by: Deepak Rathore +--- + expat/xmlwf/xmlfile.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/expat/xmlwf/xmlfile.c b/expat/xmlwf/xmlfile.c +index ad691b12..4d2e3220 100644 +--- a/expat/xmlwf/xmlfile.c ++++ b/expat/xmlwf/xmlfile.c +@@ -131,9 +131,17 @@ resolveSystemId(const XML_Char *base, const XML_Char *systemId, + #endif + ) + return systemId; +- const size_t charsRequired = tcslen(base) + tcslen(systemId) + 2; ++ const size_t baseLen = tcslen(base); ++ const size_t systemIdLen = tcslen(systemId); + +- /* Detect and prevent integer overflow */ ++ /* Detect and prevent integer overflow in the addition (without risking ++ underflow) */ ++ if (baseLen > SIZE_MAX - systemIdLen || baseLen > SIZE_MAX - systemIdLen - 2) ++ return systemId; ++ ++ const size_t charsRequired = baseLen + systemIdLen + 2; ++ ++ /* Detect and prevent integer overflow in the multiplication */ + if (charsRequired > SIZE_MAX / sizeof(XML_Char)) + return systemId; + diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb index 615d404d56..ee4a88c5f9 100644 --- a/meta/recipes-core/expat/expat_2.6.4.bb +++ b/meta/recipes-core/expat/expat_2.6.4.bb @@ -56,6 +56,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56408.patch;striplevel=2 \ file://CVE-2026-56404.patch;striplevel=2 \ file://CVE-2026-56405.patch;striplevel=2 \ + file://CVE-2026-56410_p1.patch;striplevel=2 \ + file://CVE-2026-56410_p2.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Fri Jul 17 06:04:33 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92695 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C24CAC4450F for ; Fri, 17 Jul 2026 06:05:57 +0000 (UTC) Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.7693.1784268350177423536 for ; Thu, 16 Jul 2026 23:05:50 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=PH5fGKFo; spf=pass (domain: cisco.com, ip: 173.37.86.73, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=5738; q=dns/txt; s=iport01; t=1784268350; x=1785477950; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=YlcepQJH6pl3nD9/NvY/jlqjTMXpLI/HckGfShkO+CU=; b=PH5fGKFoR5CdIbS1nAX56CoNftoxE4vGEZwYhoIYSKJqhP6mxX3aMYtA 9/hFGUItmHBYMzzt9P5F7oUZDdkJTyKMy/VJzRxxR3rOXhcxJjCjWkb5W BNjzAwxrCp9RgPv+PbZ8xcoFch5AvyThY+8O9umxXRToJLQmI1rOsdFzC 0gRfQuGQLTuPQXDS/OImv3SXNzXquHU/9PMe0aNchN1bU7X9uFnbPpOd3 hfVZ4Aqdk6vdswcCcDqjNth/oYUgB49wVOTEV014ZmBehLI0Z3Y4cXV83 POsmd8LtGAvOR6MlpVVWXtUi6zptp9hf3h6CjVNnFik36xptMPCGl+1bL Q==; X-CSE-ConnectionGUID: yUcTW9fFT96Kmbr/FqQdRw== X-CSE-MsgGUID: pn2JU+C2SIqaPQbomtO50A== X-IPAS-Result: A0BJAgBIxVlq/4z/Ja1aHgEBCxIMggULgld0X0JJlCmCIQOLZJI3gX4PAQEBD0QNBAEBhD9GAo1SAiY0CQ4BAgQDAgMBAQEBAQEBAQEBAQsBAQUBAQECAQcFgQ4Thk8NhloBAgEDJwsBGAE9HAMBAi8gCyMIEQiDAgGCOgM3AxG8eho3gXkzgQGDKAE/AkNQ2EkNglgBCxQBgTiFP4J9hSNcGAGEfCcbG4FygRWDaYEFgRpCAQGBQoZjBIIigQyBWh5QhCOLDkiBHgNZLAFVEw0KCwcFgWYDNRIqFW4yHYEjPheBDBsHBYEdgTqBAIR2Ix8DOX+BL3VKdy1qEheBToIUgT4DCxgNSBEsNxQbBD5uB41II4I+AQEwXQErewqUOJJioCFxCiiDdYwhjz6FfBozqmwLmH2OCoQJkkeEaYFoPIEoHwsHcBWCbgEzCUoZD444g2uBf8xBPDUCCTIBAQcCBw4DC4FokX4BAQ IronPort-Data: A9a23:I0hCEKiezB5mYheEYEA7sLOJX161MREKZh0ujC45NGQN5FlHY01je htvUGjVMvnca2r3ftxyb4/l9xlUv5bRnYQ3TFZr/i4xECtjpJueD7x1DKtf0wB+jyHnZBg6h ynLQoCYdKjYdleF+FH1dOOn9SUgvU2xbuKUIPbePSxsThNTRi4kiBZy88Y0mYcAbeKRW2thg vus5ZeCULOZ82QsaDxMtPvd8EkHUMna4Vv0gHRvPZing3eG/5UlJMp3Db28KXL+Xr5VEoaSL 87fzKu093/u5BwkDNWoiN7TKiXmlZaLYGBiIlIPM0STqkAqSh4ai87XB9JAAatjsAhlqvgqo Dl7WTNcfi9yVkHEsLx1vxC1iEiSN4UekFPMCSDXXcB+UyQqflO0q8iCAn3aMqUJx+1LPjBA2 8BJdhMIZArEqfuPzIikH7wEasQLdKEHPasFsX1miDWcBvE8TNWbGOPB5MRT23E7gcUm8fT2P pVCL2EwKk6dPlsWZg9/5JEWxI9EglHzfjBCoU6VooI84nPYy0p6172F3N/9Jo3UFZUIzhrHz o7A13z/WDMnd/fF8huc+0qVjOjKgQSmAKtHQdVU8dYv2jV/3Fc7DwUbU1a+q/S1hkOyHtlYM UE8/is1sbN081SmSNT4VRC0rHOI+BkGVLJt//YS8gqBzO/Qpg2eHGVBFmUHY909v8hwTjsvv rOUo+7U6fVUmOX9YRqgGn289Fte5QB9wbc+WBI5 IronPort-HdrOrdr: A9a23:nxC21aoweAq0sJlNRu1knSUaV5oHeYIsimQD101hICG9Ffbo8/ xG88506faZslsssTQb6LO90cq7MBbhHOBOgLX5VI3KNGKNhILrFvAB0WKI+VLd8kPFmtK1rZ 0BT4FOTPvtEFN9kcH2pCO8E9om3Z271ZrAv5a485+oJjsaEp2JKGxCe2CmLnE= X-Talos-CUID: 9a23:bz6HXGpAtCvc0nt+y2XFuOnmUdEYeUHinXn+Hx7mKmNjUvq7UGacwrwxxg== X-Talos-MUID: 9a23:noDj/g/+BUID4OE1hkDfuN6Qf99uuYaTS2tXqrQfsvG9Pyt1JxDA1B3iFw== X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,168,1779148800"; d="scan'208";a="496885847" Received: from rcdn-l-core-03.cisco.com ([173.37.255.140]) by rcdn-iport-2.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 17 Jul 2026 06:05:49 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-03.cisco.com (Postfix) with ESMTPS id 119AD180005AE for ; Fri, 17 Jul 2026 06:05:49 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id 33439CC037D; Fri, 17 Jul 2026 11:35:47 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap][PATCH 06/10] expat: fix CVE-2026-56406 Date: Fri, 17 Jul 2026 11:34:33 +0530 Message-Id: <20260717060437.2910653-7-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260717060437.2910653-1-deeratho@cisco.com> References: <20260717060437.2910653-1-deeratho@cisco.com> MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-03.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 17 Jul 2026 06:05:57 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241145 From: Deepak Rathore This patch applies the upstream fix shown in [1] as referenced by [3]. The prerequisite in [2] provides XML_INDEX_MAX for the Scarthgap Expat 2.6.4 backport. [1] https://github.com/libexpat/libexpat/commit/99d8454fdf900a6d00c2a52748e6c0eeb507574d [2] https://github.com/libexpat/libexpat/commit/252ff1a307b1490ce0f430632791e7e52d7e43fd [3] https://nvd.nist.gov/vuln/detail/CVE-2026-56406 Signed-off-by: Deepak Rathore --- .../expat/CVE-2026-56406-dependent.patch | 59 +++++++++++++++++++ .../expat/expat/CVE-2026-56406.patch | 34 +++++++++++ meta/recipes-core/expat/expat_2.6.4.bb | 2 + 3 files changed, 95 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56406-dependent.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56406.patch diff --git a/meta/recipes-core/expat/expat/CVE-2026-56406-dependent.patch b/meta/recipes-core/expat/expat/CVE-2026-56406-dependent.patch new file mode 100644 index 0000000000..89e5bdad1c --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56406-dependent.patch @@ -0,0 +1,59 @@ +From 9aafa47798332618f08af046c3471de1f3a9e031 Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez +Date: Wed, 27 May 2026 17:01:44 -0700 +Subject: [PATCH 08/17] lib: Make `XML_Index` overflow check more intuitive + +In fixing a bug, 7e5b71b748491b6e459e5c9a1d090820f94544d8 introduced a magic number `2` in this code that made it difficult to understand the rationale for this overflow check without reading the commit log. This change introduces some more readable constants to use in these situations. + +CVE: CVE-2026-56406 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/252ff1a307b1490ce0f430632791e7e52d7e43fd] + +Backport Changes: +- Adapt include context for Scarthgap 2.6.4 and expose SIZE_MAX in + the existing stdint.h comment. + +(cherry picked from commit 252ff1a307b1490ce0f430632791e7e52d7e43fd) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 80ad0811..5bf706b0 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -97,10 +97,10 @@ + #include + #include /* memset(), memcpy() */ + #include +-#include /* UINT_MAX */ ++#include /* INT_MAX, LLONG_MAX, LONG_MAX, UINT_MAX */ + #include /* fprintf */ + #include /* getenv, rand_s */ +-#include /* uintptr_t */ ++#include /* SIZE_MAX, uintptr_t */ + #include /* isnan */ + + #ifdef _WIN32 +@@ -211,6 +211,12 @@ typedef char ICHAR; + + #endif + ++#ifdef XML_LARGE_SIZE ++# define XML_INDEX_MAX LLONG_MAX ++#else ++# define XML_INDEX_MAX LONG_MAX ++#endif ++ + /* Round up n to be a multiple of sz, where sz is a power of 2. */ + #define ROUND_UP(n, sz) (((n) + ((sz) - 1)) & ~((sz) - 1)) + +@@ -2360,7 +2366,7 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) { + int nLeftOver; + enum XML_Status result; + /* Detect overflow (a+b > MAX <==> b > MAX-a) */ +- if ((XML_Size)len > ((XML_Size)-1) / 2 - parser->m_parseEndByteIndex) { ++ if (len > XML_INDEX_MAX - parser->m_parseEndByteIndex) { + parser->m_errorCode = XML_ERROR_NO_MEMORY; + parser->m_eventPtr = parser->m_eventEndPtr = NULL; + parser->m_processor = errorProcessor; diff --git a/meta/recipes-core/expat/expat/CVE-2026-56406.patch b/meta/recipes-core/expat/expat/CVE-2026-56406.patch new file mode 100644 index 0000000000..4f19876548 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56406.patch @@ -0,0 +1,34 @@ +From 5db699faa6af1c66e96abec5dbd1908efd64ef70 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 31 May 2026 15:18:58 +0200 +Subject: [PATCH 09/17] lib: Copy overflow check from `XML_Parse` to + `XML_ParseBuffer` + +CVE: CVE-2026-56406 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/99d8454fdf900a6d00c2a52748e6c0eeb507574d] + +(cherry picked from commit 99d8454fdf900a6d00c2a52748e6c0eeb507574d) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 5bf706b0..9f07b860 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -2483,6 +2483,14 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) { + parser->m_parsingStatus.parsing = XML_PARSING; + } + ++ // Detect and avoid integer overflow ++ if (len > XML_INDEX_MAX - parser->m_parseEndByteIndex) { ++ parser->m_errorCode = XML_ERROR_NO_MEMORY; ++ parser->m_eventPtr = parser->m_eventEndPtr = NULL; ++ parser->m_processor = errorProcessor; ++ return XML_STATUS_ERROR; ++ } ++ + start = parser->m_bufferPtr; + parser->m_positionPtr = start; + parser->m_bufferEnd += len; diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb index ee4a88c5f9..5b3d9c64f2 100644 --- a/meta/recipes-core/expat/expat_2.6.4.bb +++ b/meta/recipes-core/expat/expat_2.6.4.bb @@ -58,6 +58,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56405.patch;striplevel=2 \ file://CVE-2026-56410_p1.patch;striplevel=2 \ file://CVE-2026-56410_p2.patch;striplevel=2 \ + file://CVE-2026-56406-dependent.patch;striplevel=2 \ + file://CVE-2026-56406.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Fri Jul 17 06:04:34 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92696 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C1946C4450F for ; Fri, 17 Jul 2026 06:06:17 +0000 (UTC) Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.7806.1784268376642356521 for ; Thu, 16 Jul 2026 23:06:16 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=AGCRGeJG; spf=pass (domain: cisco.com, ip: 173.37.86.79, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=3300; q=dns/txt; s=iport01; t=1784268376; x=1785477976; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=RGB2MBmDhumxVMg9dqFGxbsQuJkHx4UT3//dzMPR/n8=; b=AGCRGeJGahm6nkmwv4Ot8/5Pds/pevERkIo3Dlu+oG87BcT1eidjxFI6 J5uCp/OAcljOQWR2Hs2EPYZ9IhDO9Y/9q1W7BwJQQVmJdun9dqBgY4qI6 Av9vfASyNEF6R/WsrFlT2O86GthAC619fr6+2vWTBTaTfTz5tZlFLnYFo JHrGtOUtjbJ4/PkhjnpLfuc2FnuRNNdpGoZmDCuvu3MOlHwZeXSw3dehD wUpgZ5RPgukkCs+vzNEH2FkkEzYplEv/48NaDdh2OILuqB1TI+gdqk2NW 5Zyq/8GuGDmKLtE8hg+GH/FBLmeeDh95ZTq1k9yVn1wAOwAMxTVeRARzb Q==; X-CSE-ConnectionGUID: iAxKL3pxQMOaJoKpX9E88w== X-CSE-MsgGUID: 0aQyfWytSaWdtS+d86HhuA== X-IPAS-Result: A0BIAgBWw1lq/4r/Ja1aHgEBCxIMggULgld0X0JJlCmCIQOLZJI3gX4PAQEBD0QNBAEBhD9GAo1SAiY0CQ4BAgQDAgMBAQEBAQEBAQEBAQsBAQUBAQECAQcFgQ4Thk8NhloBAgEDMgEYAT0cAwECLyALIwgRCIMCAYI6AzcDEbx6GjeCLIEBgygBPwJDUNhJDYJYAQsUAYE4hT+CfYUjXBgBhHwnGxuBcoR+gQWBGkIBAYglBIIigQyBWh6Ec4sOSIEeA1ksAVUTDQoLBwWBZgM1EioVbjIdgSM+F4EMGwcFgR2BOoEAhHYjHwM5f4EvdUp3LWoSF4FOghSBPgMLGA1IESw3FBsEPm4HjUgjgj+BDgErgUMRpkugIXEKKIN1jCGPPoV8GjOqbAuYfY4KhAmSR4RpgWg8gSgfCwdwFYJuATMJShkPjjiDa4F/zEE8NQIJMgEBBwIHDgMLgWiRfgEB IronPort-Data: A9a23:5HTtUKLcHSwifuIFFE+RgJQlxSXFcZb7ZxGr2PjKsXjdYENSgjRUy GsYWW6GP63eZGCket9/PYS0pxgBu8CAzIUwGQQd+CA2RRqmiyZq6fd1j6vUF3nPRiEWZBs/t 63yUvGZcoZsCCSa/kvxWlTYhSEU/bmSQbbhA/LzNCl0RAt1IA8skhsLd9QR2uaEuvDnRVnQ0 T/Oi5eHYgH9hGcqajh8B5+r8XuDgtyj4Fv0gXRmDRx7lAe2v2UYCpsZOZawIxPQKqFIHvS3T vr017qw+GXU5X8FUrtJRZ6iLyXm6paLVeS/oiI+t5qK23CulQRuukoPD8fwXG8M49m/c3+d/ /0W3XC4YV9B0qQhA43xWTEAe811FfUuFLMqvRFTvOTLp3AqfUcAzN1vJVEVGdYA6t9SJmhs8 t8AGGEgPkCc0rfeLLKTEoGAh+w5J8XteYdasXZ6wHSBVLAtQIvIROPB4towMDUY358VW62BI ZBENHw2N0Sojx5nYj/7DLoykeqyj2X/dBVTqUmeouw85G27IAlZjeC3YYCIIYPSLSlTth6Rn 3PIwHXlORglOMCkijbVrFKsm8aayEsXX6pXTtVU7MVCh0WewGEWAhAaWVa35PK+kEOWX9NEN 1dS/TIjq6U3/kGnQtTxGRqirxa5UgU0QdFcFag+rQqK0KeRu1/fDWkfRTkHY9sj3CMreQEXO payt4uBLVRSXHe9EBpxKp/8QeuOBBUo IronPort-HdrOrdr: A9a23:YPCNtqmrjgDCgwlO2pvo84+UGW7pDfIA3DAbv31ZSRFFG/Fw8P re+MjzuiWbtN98YhwdcJW7Scq9qBDnhPtICPcqXItKNTOO0ADDEGgh1/qB/9SKIULDH4BmuZ uIC5IfNPTASX5nkM39/A60V/wkwNWB7eSUoN229QYLcemvAJsQljuQzW2gYytLeDU= X-Talos-CUID: 9a23:rE9J+G+B0le/1DHqr26Vv089CuMBKWXN9VL3Km2/Kn5ZGZDFGUDFrQ== X-Talos-MUID: 9a23:+om7nA6O9+0v1hTXBwQRQ16Sxoww6p2/Bn8cja4PhMWYDm98a2m9jCmeF9o= X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,168,1779148800"; d="scan'208";a="502925370" Received: from rcdn-l-core-01.cisco.com ([173.37.255.138]) by rcdn-iport-8.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 17 Jul 2026 06:06:15 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-01.cisco.com (Postfix) with ESMTPS id 6F51A180002B4 for ; Fri, 17 Jul 2026 06:06:15 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id 905E1CC037D; Fri, 17 Jul 2026 11:36:13 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap][PATCH 07/10] expat: fix CVE-2026-56409 Date: Fri, 17 Jul 2026 11:34:34 +0530 Message-Id: <20260717060437.2910653-8-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260717060437.2910653-1-deeratho@cisco.com> References: <20260717060437.2910653-1-deeratho@cisco.com> MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-01.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 17 Jul 2026 06:06:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241146 From: Deepak Rathore This patch applies the upstream fix shown in [1] as referenced by [2]. [1] https://github.com/libexpat/libexpat/commit/61f7cdda22546c4bee38dd2d3fa3d6e4aa64d33e [2] https://nvd.nist.gov/vuln/detail/CVE-2026-56409 Signed-off-by: Deepak Rathore --- .../expat/expat/CVE-2026-56409.patch | 51 +++++++++++++++++++ meta/recipes-core/expat/expat_2.6.4.bb | 1 + 2 files changed, 52 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56409.patch diff --git a/meta/recipes-core/expat/expat/CVE-2026-56409.patch b/meta/recipes-core/expat/expat/CVE-2026-56409.patch new file mode 100644 index 0000000000..3d55196d1e --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56409.patch @@ -0,0 +1,51 @@ +From 174ce18f2a283be634d830a5259bd07142635fe8 Mon Sep 17 00:00:00 2001 +From: netliomax25-code +Date: Mon, 1 Jun 2026 11:53:19 +0530 +Subject: [PATCH 10/17] xmlwf: protect output path join from integer overflow + +CVE: CVE-2026-56409 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/61f7cdda22546c4bee38dd2d3fa3d6e4aa64d33e] + +Backport Changes: +- Adapt the allocation hunk to the explicit XML_Char cast used by + Scarthgap 2.6.4; overflow checks are unchanged. + +(cherry picked from commit 61f7cdda22546c4bee38dd2d3fa3d6e4aa64d33e) +Signed-off-by: Deepak Rathore +--- + expat/xmlwf/xmlwf.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/expat/xmlwf/xmlwf.c b/expat/xmlwf/xmlwf.c +index 7bbdb303..bd5f68a4 100644 +--- a/expat/xmlwf/xmlwf.c ++++ b/expat/xmlwf/xmlwf.c +@@ -1240,8 +1240,26 @@ tmain(int argc, XML_Char **argv) { + } + #endif + } +- outName = (XML_Char *)malloc((tcslen(outputDir) + tcslen(file) + 2) +- * sizeof(XML_Char)); ++ const size_t outputDirLen = tcslen(outputDir); ++ const size_t fileLen = tcslen(file); ++ ++ /* Detect and prevent integer overflow in the addition (without ++ risking underflow) and the multiplication, mirroring the guards ++ in xcsdup() and resolveSystemId() */ ++ if (outputDirLen > SIZE_MAX - fileLen ++ || outputDirLen > SIZE_MAX - fileLen - 2) { ++ tperror(T("Could not allocate memory")); ++ exit(XMLWF_EXIT_INTERNAL_ERROR); ++ } ++ ++ const size_t charsRequired = outputDirLen + fileLen + 2; ++ ++ if (charsRequired > SIZE_MAX / sizeof(XML_Char)) { ++ tperror(T("Could not allocate memory")); ++ exit(XMLWF_EXIT_INTERNAL_ERROR); ++ } ++ ++ outName = malloc(charsRequired * sizeof(XML_Char)); + if (! outName) { + tperror(T("Could not allocate memory")); + exit(XMLWF_EXIT_INTERNAL_ERROR); diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb index 5b3d9c64f2..8d7a19e79d 100644 --- a/meta/recipes-core/expat/expat_2.6.4.bb +++ b/meta/recipes-core/expat/expat_2.6.4.bb @@ -60,6 +60,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56410_p2.patch;striplevel=2 \ file://CVE-2026-56406-dependent.patch;striplevel=2 \ file://CVE-2026-56406.patch;striplevel=2 \ + file://CVE-2026-56409.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Fri Jul 17 06:04:35 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92697 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C18D9C44507 for ; Fri, 17 Jul 2026 06:06:27 +0000 (UTC) Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.7700.1784268386426519182 for ; Thu, 16 Jul 2026 23:06:26 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=XynsBuTC; spf=pass (domain: cisco.com, ip: 173.37.86.72, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=3161; q=dns/txt; s=iport01; t=1784268386; x=1785477986; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=qoa0Yddvus9zC62V/OJF8E2Iw99yjaUPjWrU0UOTYZw=; b=XynsBuTCh/HFS5hJcjt6JVNi/c2ICJlvTLy8cVnFKNmCBBsjf+U4OqYV u3sZy9N5p3Onh7tRstZVwdtztAdD8oWCnr9f3+zu8rNaftb34CIgHeTy/ 1mFD6onIlm0REbZ4uNcqKY2S8dCIIMvXRrD3jkfK57ZHCF4+F2oVDiQk4 qvV8OUUqzfcYwwIhHMO+ijSvofWpjp5byBEbL1RkvaENHvqBWAHOt/fTN xRCHkDGTol0vAAGkMLCxb/V0yhLTRYoUEZ7lLFCgd1BIIGPFBHmYiNxm2 oc3zjjX6ZTWUzwKAsew4yJComrULCrekG3z4hBTMuVP5kZjKJdqDQeC22 Q==; X-CSE-ConnectionGUID: E5ydugeBR+2ulQVpwfgc8Q== X-CSE-MsgGUID: qOj4BUPSQl6/zAk2Vu/lzg== X-IPAS-Result: A0BJAgBIxVlq/5L/Ja1aglmCV3RfQkmUKYIhA4tkkjeBfg8BAQEPRA0EAQGEP0YCjVICJjQJDgECBAMCAwEBAQEBAQEBAQEBCwEBBQEBAQIBBwWBDhOGTw2GWgECAQMnCwEYAT0cAwECLyALIwgRCIMCAYI6AzcDEbx6GjeBeTOBAYMoAT8CQ1DYSQ2CWAELFAGBOIU/gn2FI1wYAYR8JxsbgXKBFYNpgQWBGkIBAYglBIINFYEMgVoegXyCd4I0iFpIgR4DWSwBVRMNCgsHBYFmAzUSKhVuMh2BIz4XgQwbBwWBHYE6gQCEdiMfAzl/gS91SnctahIXgU6CFIE+AwsYDUgRLDcUGwQ+bgeNSCOCP4EOAStGfRFnpWSgIXEKKIN1jCGPPoV8GjOqbAuYfY4KhAmSR4RpgWg8gSgfCwdwFTuCMwEzCUoZD44tCwuDYIF/zEE8NQIJMgEBBwIHDgMLgWiRHmABAQ IronPort-Data: A9a23:tH02U6Dbmmnp4RVW/3jiw5YqxClBgxIJ4kV8jS/XYbTApD9w1jYDn WZOUDyGPvqNYDT3fYt+aIvk8xgC7ZSGydE1OVdlrnsFo1CmBibm6XV1Cm+qYkt+++WaFBoPA /02M4eGdIZvCCeA+n9BC5C5xVFkz6aEW7HgP+DNPyF1VGdMRTwo4f5Zs7ZRbrVA357jXmthh fuo+5eBYAD8hWYuWo4pw/vrRC1H7ayaVAww5jTSVdgT1HfCmn8cCo4oJK3ZBxPQXolOE+emc P3Ixbe/83mx109F5gSNy+uTnuUiG9Y+DCDW4pZkc/HKbitq+kTe5p0G2M80Mi+7vdkmc+dZk 72hvbToIesg0zaldO41C3G0GAkmVUFKFSOuzXWX6aSuI0P6n3TE7qh/AFw5MKciubxqBVhw7 eMWJztdV0XW7w626OrTpuhEnM8vKozveYgYoHwllWCfBvc9SpeFSKLPjTNa9G5v3YYVQrCEO pdfMGYxBPjDS0Un1lM/BJ8zhu60hn7XeDxDo1XTrq0yi4TW5FEoiOizaIOPI7RmQ+1MuUTEj F/+xF39XFYIHd/F9yfC9mCj07qncSTTHdh6+KeD3vlyjVuew2YeBBEbWR6wpuO0okq/QM5Eb UsM9ywjqKI/+ECmQp/6RRLQnZKflgQXV9wVF6gx7xuAj/KFpQ2YHWMDCDVGbbTKqfMLeNDj7 XfR9/uBONClmOT9pa61nltMkQ6PBA== IronPort-HdrOrdr: A9a23:3qXTAawDGUBe2UeOVnsxKrPwAL1zdoMgy1knxilNoHtuA6ilfq +V8sjzuSWYtN9VYgBCpTniAtjkfZqjz/9ICOAqVN/INjUO+lHYTr2KhrGM/9SPIUHDH5ZmtZ tIQuxZFMD6C0R8gILR5Qm1FMtl/fy8mZrY4ts3CxxWPHhXg2YK1XYeNjqm X-Talos-CUID: 9a23:l1pRUm2K8XJAMrbpa6EXi7xfN500fmDSwV3qYBWlDV9XUKKbRlTAwfYx X-Talos-MUID: 9a23:FMvf/QaI0b7gGeBTrhju2BtfDPxR5/rpGmkOy6sb/M2WOnkl X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,168,1779148800"; d="scan'208";a="510860121" Received: from rcdn-l-core-09.cisco.com ([173.37.255.146]) by rcdn-iport-1.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 17 Jul 2026 06:06:25 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-09.cisco.com (Postfix) with ESMTPS id 16B5818000203 for ; Fri, 17 Jul 2026 06:06:25 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id 39890CC037D; Fri, 17 Jul 2026 11:36:23 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap][PATCH 08/10] expat: fix CVE-2026-56411 Date: Fri, 17 Jul 2026 11:34:35 +0530 Message-Id: <20260717060437.2910653-9-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260717060437.2910653-1-deeratho@cisco.com> References: <20260717060437.2910653-1-deeratho@cisco.com> MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-09.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 17 Jul 2026 06:06:27 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241147 From: Deepak Rathore This patch applies the upstream fix shown in [1] as referenced by [2]. [1] https://github.com/libexpat/libexpat/commit/528a4e5017e1bd3b48b689fd0c131df940ae3ea5 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-56411 Signed-off-by: Deepak Rathore --- .../expat/expat/CVE-2026-56411.patch | 50 +++++++++++++++++++ meta/recipes-core/expat/expat_2.6.4.bb | 1 + 2 files changed, 51 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56411.patch diff --git a/meta/recipes-core/expat/expat/CVE-2026-56411.patch b/meta/recipes-core/expat/expat/CVE-2026-56411.patch new file mode 100644 index 0000000000..819638ca22 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56411.patch @@ -0,0 +1,50 @@ +From 5e696e78f8c4a709c4f774973b142e57090c4364 Mon Sep 17 00:00:00 2001 +From: netliomax25-code +Date: Tue, 2 Jun 2026 13:13:34 +0530 +Subject: [PATCH 11/17] xmlwf: protect notation list allocation from integer + overflow + +CVE: CVE-2026-56411 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/528a4e5017e1bd3b48b689fd0c131df940ae3ea5] + +Backport Changes: +- Use Scarthgap 2.6.4 freeNotations cleanup and return directly + because the newer shared cleanUp label is absent. + +(cherry picked from commit 528a4e5017e1bd3b48b689fd0c131df940ae3ea5) +Signed-off-by: Deepak Rathore +--- + expat/xmlwf/xmlwf.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/expat/xmlwf/xmlwf.c b/expat/xmlwf/xmlwf.c +index bd5f68a4..6a3d31b7 100644 +--- a/expat/xmlwf/xmlwf.c ++++ b/expat/xmlwf/xmlwf.c +@@ -387,9 +387,9 @@ static void XMLCALL + endDoctypeDecl(void *userData) { + XmlwfUserData *data = (XmlwfUserData *)userData; + NotationList **notations; +- int notationCount = 0; ++ size_t notationCount = 0; + NotationList *p; +- int i; ++ size_t i; + + /* How many notations do we have? */ + for (p = data->notationListHead; p != NULL; p = p->next) +@@ -401,6 +401,14 @@ endDoctypeDecl(void *userData) { + return; + } + ++ /* Detect and prevent integer overflow in the multiplication, mirroring ++ the guards in xcsdup() and resolveSystemId() */ ++ if (notationCount > SIZE_MAX / sizeof(NotationList *)) { ++ fprintf(stderr, "Unable to sort notations"); ++ freeNotations(data); ++ return; ++ } ++ + notations = malloc(notationCount * sizeof(NotationList *)); + if (notations == NULL) { + fprintf(stderr, "Unable to sort notations"); diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb index 8d7a19e79d..3a880882ae 100644 --- a/meta/recipes-core/expat/expat_2.6.4.bb +++ b/meta/recipes-core/expat/expat_2.6.4.bb @@ -61,6 +61,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56406-dependent.patch;striplevel=2 \ file://CVE-2026-56406.patch;striplevel=2 \ file://CVE-2026-56409.patch;striplevel=2 \ + file://CVE-2026-56411.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Fri Jul 17 06:04:36 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92698 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C041CC4450F for ; Fri, 17 Jul 2026 06:06:37 +0000 (UTC) Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.7811.1784268391497481329 for ; Thu, 16 Jul 2026 23:06:31 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=W0eB60oW; spf=pass (domain: cisco.com, ip: 173.37.86.78, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=3052; q=dns/txt; s=iport01; t=1784268391; x=1785477991; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=Cr8ejVUL6Xg7Irbm14pTRUZMmCumLOizFzZ+z9oGFXM=; b=W0eB60oWh3qQ5h+/6zm8bN3COsvlMHW+042fDqIS3T/E8Nc9zpoyZWG2 sLklptbD1lpfEAZdhkMHY8FPxvI7LSAecLyXD3PvrPQaxx4U2Uv0etVzZ h8fUgMoj6kv8pO3q52aBBpKYuQ33pfrBa07+8m5swh4Rt58sJ8G4uwh4U +z41Yq0E9t0mzkEU1q28fO3bdhtZTfGPpExlQg7ytVNG2SWinKWrwekGa x1/Wb+AlQ9cl6lFg/rqN65e9HFZmvGWPqpoWjM5Vsp0PM3BtP4JCG/ujB bKECgOmHVx+WlnwT5DwgJkUCzBNAtcMJOrgki6RltkmldWP2nwf3zD0In A==; X-CSE-ConnectionGUID: uETBRzFKRAKbYAm9pwrV4g== X-CSE-MsgGUID: IJXiKXZ9SCamzwj2Q7JFDw== X-IPAS-Result: A0BIAgBWw1lq/5D/Ja1aHgEBCxIMggULgld0X0JJlCmCJItkkjeBfg8BAQEPRA0EAQGEP0YCjVICJjQJDgECBAMCAwEBAQEBAQEBAQEBCwEBBQEBAQIBBwWBDhOGTw2GWgECAQMnCwEYAT0cAwECLyALIwgRCIMCAYI6AzcDEbx6GjeBeTOBAYMoAT8CQ1DYSQ2CWAELFAGBOIU/gn2FI1wYAYR8JxsbgXKEfoEFgRpCAQGIJQSCIoEMgVoehHOLDkiBHgNZLAFVEw0KCwcFgWYDNRIqFW4yHYEjPheBDBsHBYEdgTqBAIR2Ix8DOX+BL3VKdy1qEheBToIUgT4DCxgNSBEsNxQbBD5uB41II4I/gQ4BK4FDplygIXEKKIN1jCGPPoV8GjOqbAuYfY4KhAmSR4RpgWg8gSgfCwdwFYJuATMJShkPjjiDa4F/zEE8NQIJMgEBBwIHDgMLgWiRfgEB IronPort-Data: A9a23:WcXMWa9NpQiMp/sWdvSqDrUD0X+TJUtcMsCJ2f8bNWPcYEJGY0x3y DQdWTuCOqzZYGD0KN8gO4zipEwBu5KDmIQ3SwNkqnxEQiMRo6IpJzg2wmQcns+2BpeeJK6yx 5xGMrEsFOhtEDmE4EzrauS9xZVF/fngbqLmD+LZMTxGSwZhSSMw4TpugOdRbrRA2bBVOCvT/ 4mvyyHjEAX9gWAsbTtKs/jrRC5H5ZwehhtJ5jTSWtgT1LPuvyF9JI4SI6i3M0z5TuF8dsamR /zOxa2O5WjQ+REgELuNyt4XpWVTH9Y+lSDX4pZnc/DKbipq/0Te4Y5nXBYoUnq7vh3S9zxHJ HqhgrTrIeshFvWkdO3wyHC0GQkmVUFN0OevzXRSLaV/wmWeG0YAzcmCA2krELEywPRZIltn1 vYpATVcdg+Zub65lefTpulE3qzPLeHxN48Z/3UlxjbDALN+HtbIQr7B4plT2zJYasJmRKmFI ZFGL2AyMVKZP0En1lQ/UPrSmM+ki3TleiFYr3qepLE85C7YywkZPL3FbYONJ4TVHZsE9qqej kPkz2XaMiNLD/eWzCia8CiV2c3hsTyuDer+E5X9rJaGmma7wXQeDhATX1a3rfS1z0W5Qd93L 00P5jFoqrA/8kGuRNTxUxC05nmesXYht8F4CeY27kSJj6HT+QvcXjdCRT9aY9tgv8gzLdA36 mK0cxrSLWQHmNWopbi1r994cRva1fApEFI/ IronPort-HdrOrdr: A9a23:YMZjVa3EhfwzNPbCA9tf1gqjBJ4kLtp133Aq2lEZdPUzSL39qy nAppomPHPP5Qr5HUtQ+uxoW5PwJE80i6QV3WB5B97LN2PbUSmTXeNfBODZrAEIdReTygck78 ddWpk7LsHsBl5nisu/ygy5H9E8hOSjysmT9IDjJ7MHd3ASV0mmhD0JbDqmLg== X-Talos-CUID: 9a23:rwtrbmmOp7P25gyhoXfSnf0tY+HXOWDw8F3qMWGbM09KQoy8TA6I57laz8U7zg== X-Talos-MUID: 9a23:QPzQ/AnbzZ7TKnEuAKJLdnpDFvdpwJScWXsmmJAUpMveDHNSFRuC2WE= X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,168,1779148800"; d="scan'208";a="510507069" Received: from rcdn-l-core-07.cisco.com ([173.37.255.144]) by rcdn-iport-7.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 17 Jul 2026 06:06:30 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-07.cisco.com (Postfix) with ESMTPS id 36A68180003C9 for ; Fri, 17 Jul 2026 06:06:30 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id 58A23CC037D; Fri, 17 Jul 2026 11:36:28 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap][PATCH 09/10] expat: fix CVE-2026-56407 Date: Fri, 17 Jul 2026 11:34:36 +0530 Message-Id: <20260717060437.2910653-10-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260717060437.2910653-1-deeratho@cisco.com> References: <20260717060437.2910653-1-deeratho@cisco.com> MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-07.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 17 Jul 2026 06:06:37 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241148 From: Deepak Rathore This patch applies the upstream fix shown in [1] as referenced by [2]. [1] https://github.com/libexpat/libexpat/commit/30c2fc179ce5d2b1b1bae30bbe0dfddeac894e13 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-56407 Signed-off-by: Deepak Rathore --- .../expat/expat/CVE-2026-56407.patch | 41 +++++++++++++++++++ meta/recipes-core/expat/expat_2.6.4.bb | 1 + 2 files changed, 42 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56407.patch diff --git a/meta/recipes-core/expat/expat/CVE-2026-56407.patch b/meta/recipes-core/expat/expat/CVE-2026-56407.patch new file mode 100644 index 0000000000..56fb91e6c5 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56407.patch @@ -0,0 +1,41 @@ +From d1cd2bd7da8ed830e9432660616e9b4831df959a Mon Sep 17 00:00:00 2001 +From: netliomax25-code +Date: Tue, 2 Jun 2026 11:59:01 +0530 +Subject: [PATCH 12/17] cap entity textLen against signed integer overflow + +CVE: CVE-2026-56407 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/30c2fc179ce5d2b1b1bae30bbe0dfddeac894e13] + +(cherry picked from commit 30c2fc179ce5d2b1b1bae30bbe0dfddeac894e13) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 9f07b860..8439dc0e 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -5655,6 +5655,10 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + parser, enc, s + enc->minBytesPerChar, next - enc->minBytesPerChar, + XML_ACCOUNT_NONE); + if (parser->m_declEntity) { ++ /* Detect and prevent signed integer overflow */ ++ if ((size_t)poolLength(&dtd->entityValuePool) > (size_t)INT_MAX) { ++ return XML_ERROR_NO_MEMORY; ++ } + parser->m_declEntity->textPtr = poolStart(&dtd->entityValuePool); + parser->m_declEntity->textLen + = (int)(poolLength(&dtd->entityValuePool)); +@@ -7076,6 +7080,11 @@ storeSelfEntityValue(XML_Parser parser, ENTITY *entity) { + return XML_ERROR_NO_MEMORY; + } + ++ /* Detect and prevent signed integer overflow */ ++ if ((size_t)poolLength(pool) > (size_t)INT_MAX) { ++ poolDiscard(pool); ++ return XML_ERROR_NO_MEMORY; ++ } + entity->textPtr = poolStart(pool); + entity->textLen = (int)(poolLength(pool)); + poolFinish(pool); diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb index 3a880882ae..92e62e2233 100644 --- a/meta/recipes-core/expat/expat_2.6.4.bb +++ b/meta/recipes-core/expat/expat_2.6.4.bb @@ -62,6 +62,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56406.patch;striplevel=2 \ file://CVE-2026-56409.patch;striplevel=2 \ file://CVE-2026-56411.patch;striplevel=2 \ + file://CVE-2026-56407.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Fri Jul 17 06:04:37 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 92699 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C27BDC44507 for ; Fri, 17 Jul 2026 06:06:47 +0000 (UTC) Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.7814.1784268405792465676 for ; Thu, 16 Jul 2026 23:06:45 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=lgyS+A2h; spf=pass (domain: cisco.com, ip: 173.37.86.75, mailfrom: deeratho@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=16656; q=dns/txt; s=iport01; t=1784268405; x=1785478005; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=B4sNIm+WsYPujWnEPcejRygneBJMlHdnyu23JnRc9Z4=; b=lgyS+A2h1/DklELIlCJfIP2vbg5wb1I3gs8kUkAqJzil0AX93zMNw9Fj E2yhfklc1/tTRKShM1NB3MPjDUnBdInzOwXl41lth1gDdI2M0DmajQJP6 IkAWQfLJP5ToCKsXbbjeTKKlMoc5/1KEKgrRzl5l+FMklcoMDrLa8IAJM nkZ1UAi9Qyd3Z4VL9cxUi6LPj4vkXkfHmoO1MwcXE8ThYVStNmIl9a02Q A20OkWa5/2W+y/XKR2d52JWsv5HtxL/C3iiqNOvlEAhwBcDqKJ1r2DlTS EVPWFbvpIXVs9AgpBSbZb8lh9FZhvoMLjar7qcNAWkj5/Z1VaS8E3DZqp w==; X-CSE-ConnectionGUID: k8Cn0q5NRK6kv3thUJxQcQ== X-CSE-MsgGUID: uebCe5UCQbibGsMuZkktMw== X-IPAS-Result: A0BNAgBIxVlq/4r/Ja1aHgEBCxIMggULgld0X0IrHoRXgXCNYoIhA4tkkjeBfg8BAQEPRA0EAQGEP0YCjVICJjQJDgECBAMCAwEBAQEBAQEBAQEBCwEBBQEBAQIBBwWBDhOGTw2GWgECAQMjBAsBGAEbIhwDAQIDAiYCAiALIwgQAQiDAgGCOgM3AwgJvHoaN3p/M4EBgygBPwJDUNhJDYJYAQsUAYEKLoU/gn0gAYUCXBgBhHwnGxuBcoEVg2mBBYEaQgEBhTuCagSCDRWBDIFaHoNbgRiCNIhaSIECHANZLAFVEw0KCwcFgWYDNRIqFW4yHYEjPhc0WBsHBYEdgTqBAIR2Ix8DOX+BL3VKdy1qEheBToIUgT4DCxgNSBEsNxQbBD0BbgeNSCOCHw4LBgEBfg8BBwMJFwGBQzoBBjc/kmcKkjSgIXEKKIN1jCGPPoV8GjOFW6URC5h9jgqECYNTjgwbFjeEaYFoPIEoHwsHcBWCbgEzCUoZD444g2uBf4MUyS08NQIJMgEBBwIHDgMLgWiQACyBUgEB IronPort-Data: A9a23:OqZlvan4LoBPR/r7aa1Erqvo5gzQJ0RdPkR7XQ2eYbSJt1+Wr1Gzt xIYX2yGPP/ZMDCgedF0bITk/UxV68CBz9MwTQdsqCw3RltH+JHPbTi7wugcHM8zwunrFh8PA xA2M4GYRCwMZiaC4E/raf658SUUOZigHtLUEPTDNj16WThqQSIgjQMLs+Mii+aEu/Dha++2k Y20+ZC31GONgWYubDpLsvzb8nuDgdyr0N8mlg1mDRx0lAe2e0k9VPo3Oay3Jn3kdYhYdsbSb /rD1ryw4lTC9B4rDN6/+p6jGqHdauePVeQmoiM+t5mK2nCulARrukoIHKZ0hXNsttm8t4sZJ OOhGnCHYVxB0qXkwIzxWvTDes10FfUuFLTveRBTvSEPpqHLWyOE/hlgMK05FY5I0eAvGDxoz 99GKy5WchC+pfKPy4vuH4GAhux7RCXqFJkUtnclyXTSCuwrBMiaBa7L/tRfmjw3g6iiH96HO JFfMmUpNkmdJUQUaj/7C7pm9AusrnXyfidRtFKSjaE2+GPUigd21dABNfKII4XQGZ4OxBzwS mTu4mnzKRxHCfemwzuP3WmJm93Mnj/eR9dHfFG/3rsw6LGJ/UQUEBAQWF6xrPW1h0L7UNVFJ mQQ+zEytu417EGtQ9z3UhG0rXLCuQQTM+e8CMUg4w2Lj66R6AGDCy1cF3hKaccts4k9QjlCO kK1ou4FzAdH6NW9IU9xPJ/Nxd9uEUD59VM/WBI= IronPort-HdrOrdr: A9a23:TdA9dK4zBkSVk4nYIQPXwOrXdLJyesId70hD6qkXc20zTiX4rb HLoB1173HJYVoqNU3I3OrwW5VoIkmskKKdn7NxAV7KZmCP0wGVxcNZnOnfKlbbdBEWmNQw6U 4ZSchDIey1K0RmhsDn5wT9OdMhzN6btJ2Mv47lvhFQpcUAUdAZ0++/YTzra3FLeA== X-Talos-CUID: 9a23:JyXJUGlDKLn48KtSubGHNzVSd1zXOX6N53GIOhKeM0U3S6POVV+t2rNdmPM7zg== X-Talos-MUID: 9a23:CC1cXQ2onbK5tceZMCoC09v3GjUj/qmkI01QrL4/sciOGjdVJgWejyiSXdpy X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.25,168,1779148800"; d="scan'208";a="511243322" Received: from rcdn-l-core-01.cisco.com ([173.37.255.138]) by rcdn-iport-4.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 17 Jul 2026 06:06:44 +0000 Received: from bgl-ads-3413.cisco.com (bgl-ads-3413.cisco.com [173.39.60.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ciscoit-managed-infra-smtp-auth.cisco.com", Issuer "Internal Private TLS SubCA" (verified OK)) by rcdn-l-core-01.cisco.com (Postfix) with ESMTPS id 4193118000320 for ; Fri, 17 Jul 2026 06:06:44 +0000 (GMT) Received: by bgl-ads-3413.cisco.com (Postfix, from userid 1795984) id 62E46CC037D; Fri, 17 Jul 2026 11:36:42 +0530 (IST) From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap][PATCH 10/10] expat: fix CVE-2026-56132 Date: Fri, 17 Jul 2026 11:34:37 +0530 Message-Id: <20260717060437.2910653-11-deeratho@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260717060437.2910653-1-deeratho@cisco.com> References: <20260717060437.2910653-1-deeratho@cisco.com> MIME-Version: 1.0 X-Outbound-Client-TLS: VERIFIED;bgl-ads-3413.cisco.com [173.39.60.50];TLSv1.3;TLS_AES_256_GCM_SHA384;256;ciscoit-managed-infra-smtp-auth.cisco.com X-Outbound-SMTP-Client: 173.39.60.50, bgl-ads-3413.cisco.com X-Outbound-Node: rcdn-l-core-01.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 17 Jul 2026 06:06:47 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/241149 From: Deepak Rathore These patches apply the upstream fix shown in [2], its prerequisite [1], the regression test in [3], and the follow-up cleanups in [4] and [5], as referenced by [6]. [1] https://github.com/libexpat/libexpat/commit/3a4eaf47af8fd7abda38ea2c08308c91152061f3 [2] https://github.com/libexpat/libexpat/commit/58400483d7c97be316d7a77739c0a6af5d55932e [3] https://github.com/libexpat/libexpat/commit/353919b3b9f2174073a557ac7d517a5f3cd0cbbf [4] https://github.com/libexpat/libexpat/commit/bca93b4ba9e15fd84425568d772b69baebf790e4 [5] https://github.com/libexpat/libexpat/commit/08baa7ef9d168b99094249998fd78f8d190526e5 [6] https://nvd.nist.gov/vuln/detail/CVE-2026-56132 Signed-off-by: Deepak Rathore --- .../expat/expat/CVE-2026-56132_p1.patch | 80 +++++++++++++++++++ .../expat/expat/CVE-2026-56132_p2.patch | 60 ++++++++++++++ .../expat/expat/CVE-2026-56132_p3.patch | 74 +++++++++++++++++ .../expat/expat/CVE-2026-56132_p4.patch | 60 ++++++++++++++ .../expat/expat/CVE-2026-56132_p5.patch | 56 +++++++++++++ meta/recipes-core/expat/expat_2.6.4.bb | 5 ++ 6 files changed, 335 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56132_p1.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56132_p2.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56132_p3.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56132_p4.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56132_p5.patch diff --git a/meta/recipes-core/expat/expat/CVE-2026-56132_p1.patch b/meta/recipes-core/expat/expat/CVE-2026-56132_p1.patch new file mode 100644 index 0000000000..65e3d0801c --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56132_p1.patch @@ -0,0 +1,80 @@ +From 9d1c131840a501e6664c5770046153235467f574 Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez +Date: Thu, 4 Jun 2026 17:01:02 -0700 +Subject: [PATCH 13/17] lib: Remove reuse of `m_groupSize` to count + `m_scaffIndex` allocation + +The sizes of the two arrays `m_groupConnector` and `scaffIndex` need to +vary independently. This change is a step towards allowing this. + +Anthropic: ANT-2026-00037 +Anthropic: ANT-2026-03621 +Anthropic: ANT-2026-03867 +Co-authored-by: Alessandro Gario + +CVE: CVE-2026-56132 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/3a4eaf47af8fd7abda38ea2c08308c91152061f3] + +Backport Changes: +- Adapt scaffIndex sizing to Scarthgap 2.6.4, where m_groupSize is + not temporarily doubled before reallocation. + Keep the branch's equivalent size_t overflow check. + +(cherry picked from commit 3a4eaf47af8fd7abda38ea2c08308c91152061f3) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 8439dc0e..e9ad78df 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -423,6 +423,7 @@ typedef struct { + unsigned scaffCount; + int scaffLevel; + int *scaffIndex; ++ size_t scaffIndexSize; + } DTD; + + enum EntityType { +@@ -5975,6 +5976,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + if (new_scaff_index == NULL) + return XML_ERROR_NO_MEMORY; + dtd->scaffIndex = new_scaff_index; ++ dtd->scaffIndexSize = parser->m_groupSize; + } + } else { + parser->m_groupConnector = MALLOC(parser, parser->m_groupSize = 32); +@@ -7575,6 +7577,7 @@ dtdCreate(XML_Parser parser) { + + p->in_eldecl = XML_FALSE; + p->scaffIndex = NULL; ++ p->scaffIndexSize = 0; + p->scaffold = NULL; + p->scaffLevel = 0; + p->scaffSize = 0; +@@ -7615,6 +7618,7 @@ dtdReset(DTD *p, XML_Parser parser) { + + FREE(parser, p->scaffIndex); + p->scaffIndex = NULL; ++ p->scaffIndexSize = 0; + FREE(parser, p->scaffold); + p->scaffold = NULL; + +@@ -7790,6 +7794,7 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, + newDtd->scaffSize = oldDtd->scaffSize; + newDtd->scaffLevel = oldDtd->scaffLevel; + newDtd->scaffIndex = oldDtd->scaffIndex; ++ newDtd->scaffIndexSize = oldDtd->scaffIndexSize; + + return 1; + } /* End dtdCopy */ +@@ -8310,6 +8315,7 @@ nextScaffoldPart(XML_Parser parser) { + dtd->scaffIndex = MALLOC(parser, parser->m_groupSize * sizeof(int)); + if (! dtd->scaffIndex) + return -1; ++ dtd->scaffIndexSize = parser->m_groupSize; + dtd->scaffIndex[0] = 0; + } + diff --git a/meta/recipes-core/expat/expat/CVE-2026-56132_p2.patch b/meta/recipes-core/expat/expat/CVE-2026-56132_p2.patch new file mode 100644 index 0000000000..3d1b834db0 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56132_p2.patch @@ -0,0 +1,60 @@ +From a4c1b874dffcc80ee63ca3b4d6a1537c56da8dc1 Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez +Date: Thu, 4 Jun 2026 17:01:02 -0700 +Subject: [PATCH 14/17] lib: doProlog: Fix out-of-bound scaffolding index store +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The scaffold backing array is reallocated using the caller parser’s +per-parser `m_groupSize`, but the DTD struct (which carries +`scaffIndex`) is shared between a parent parser and any external +parameter-entity sub-parser created via +`XML_ExternalEntityParserCreate(parent, NULL, …)`. A sub-parser whose +group nesting is shallower than the parent’s can `REALLOC` the shared +`scaffIndex` down to its own size; when the parent resumes and parses a +deeper element content model, its bounds check passes (its private +`m_groupSize` is still large enough), the doubling-grow path is skipped, +and the next write lands past the shrunken buffer. + +Anthropic: ANT-2026-00037 +Anthropic: ANT-2026-03621 +Anthropic: ANT-2026-03867 +Co-authored-by: Alessandro Gario +Reported-by: Trail of Bits, in collaboration with Anthropic + +CVE: CVE-2026-56132 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/58400483d7c97be316d7a77739c0a6af5d55932e] + +(cherry picked from commit 58400483d7c97be316d7a77739c0a6af5d55932e) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index e9ad78df..c46c17bc 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -5992,6 +5992,21 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + if (myindex < 0) + return XML_ERROR_NO_MEMORY; + assert(dtd->scaffIndex != NULL); ++ if ((size_t)dtd->scaffLevel >= dtd->scaffIndexSize) { ++ /* Detect and prevent integer overflow */ ++ if (dtd->scaffIndexSize > SIZE_MAX / 2 / sizeof(int)) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ assert(dtd->scaffIndexSize > 0); ++ const size_t new_size = dtd->scaffIndexSize * 2; ++ int *const new_scaff_index ++ = REALLOC(parser, dtd->scaffIndex, new_size * sizeof(int)); ++ if (new_scaff_index == NULL) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ dtd->scaffIndex = new_scaff_index; ++ dtd->scaffIndexSize = new_size; ++ } + dtd->scaffIndex[dtd->scaffLevel] = myindex; + dtd->scaffLevel++; + dtd->scaffold[myindex].type = XML_CTYPE_SEQ; diff --git a/meta/recipes-core/expat/expat/CVE-2026-56132_p3.patch b/meta/recipes-core/expat/expat/CVE-2026-56132_p3.patch new file mode 100644 index 0000000000..5ceefb9690 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56132_p3.patch @@ -0,0 +1,74 @@ +From 5d4d0dab46e077b327f70a7c02a307287e8d1fe5 Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez +Date: Thu, 4 Jun 2026 17:01:02 -0700 +Subject: [PATCH 15/17] tests: Add a test case for scaffolding array limits in + shared DTDs + +This test case provokes the bug fixed in the previous commit. + +Anthropic: ANT-2026-00037 +Anthropic: ANT-2026-03621 +Anthropic: ANT-2026-03867 +Co-authored-by: Alessandro Gario +Reported-by: Trail of Bits, in collaboration with Anthropic + +CVE: CVE-2026-56132 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/353919b3b9f2174073a557ac7d517a5f3cd0cbbf] + +(cherry picked from commit 353919b3b9f2174073a557ac7d517a5f3cd0cbbf) +Signed-off-by: Deepak Rathore +--- + expat/tests/basic_tests.c | 33 +++++++++++++++++++++++++++++++++ + 1 file changed, 33 insertions(+) + +diff --git a/expat/tests/basic_tests.c b/expat/tests/basic_tests.c +index 023d9ce4..d52dcf1c 100644 +--- a/expat/tests/basic_tests.c ++++ b/expat/tests/basic_tests.c +@@ -4044,6 +4044,37 @@ START_TEST(test_skipped_external_entity) { + } + END_TEST + ++START_TEST(test_scaff_index_shared_across_external_entity_parser) { ++ const char text[] ++ = "\n" ++ "\n" ++ "%e;\n" ++ "\n" ++ "]>\n" ++ ""; ++ ExtOption options[] ++ = {{XCS("ext"), ++ ""}, ++ {NULL, NULL}}; ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ XML_SetUserData(parser, options); ++ XML_SetExternalEntityRefHandler(parser, external_entity_optioner); ++ XML_SetElementDeclHandler(parser, dummy_element_decl_handler); ++ ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE) ++ == XML_STATUS_ERROR) ++ xml_failure(parser); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ + /* Test a different form of unknown external entity */ + START_TEST(test_skipped_null_loaded_ext_entity) { + const char *text = "\n" +@@ -6399,6 +6430,8 @@ make_basic_test_case(Suite *s) { + tcase_add_test(tc_basic, test_trailing_cr_in_att_value); + tcase_add_test(tc_basic, test_standalone_internal_entity); + tcase_add_test(tc_basic, test_skipped_external_entity); ++ tcase_add_test__ifdef_xml_dtd( ++ tc_basic, test_scaff_index_shared_across_external_entity_parser); + tcase_add_test(tc_basic, test_skipped_null_loaded_ext_entity); + tcase_add_test(tc_basic, test_skipped_unloaded_ext_entity); + tcase_add_test__ifdef_xml_dtd(tc_basic, test_param_entity_with_trailing_cr); diff --git a/meta/recipes-core/expat/expat/CVE-2026-56132_p4.patch b/meta/recipes-core/expat/expat/CVE-2026-56132_p4.patch new file mode 100644 index 0000000000..0cb662fd5f --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56132_p4.patch @@ -0,0 +1,60 @@ +From a7d7ed5d6dbcc7231529357d64eb19ede3114868 Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez +Date: Thu, 4 Jun 2026 17:01:02 -0700 +Subject: [PATCH 16/17] lib: Remove unnecessary `scaffIndex` expansion + +Following the previous changes, all locations that append entries to +`scaffIndex` handle expanding the array if it is not already large +enough. So this extra expansion code is no longer necessary. In some +cases such as processing siblings with alternating scaffolding counts, +this logic would actually _shrink_ the array only to then later +re-expand it. + +Anthropic: ANT-2026-00037 +Anthropic: ANT-2026-03621 +Anthropic: ANT-2026-03867 +Co-authored-by: Alessandro Gario + +CVE: CVE-2026-56132 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/bca93b4ba9e15fd84425568d772b69baebf790e4] + +Backport Changes: +- Remove the Scarthgap 2.6.4 scaffIndex resize block because later + append paths already expand the array when required. + +(cherry picked from commit bca93b4ba9e15fd84425568d772b69baebf790e4) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 19 ------------------- + 1 file changed, 19 deletions(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index c46c17bc..3afe2884 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -5959,25 +5959,6 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + } + parser->m_groupConnector = new_connector; + } +- +- if (dtd->scaffIndex) { +- /* Detect and prevent integer overflow. +- * The preprocessor guard addresses the "always false" warning +- * from -Wtype-limits on platforms where +- * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +-#if UINT_MAX >= SIZE_MAX +- if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) { +- return XML_ERROR_NO_MEMORY; +- } +-#endif +- +- int *const new_scaff_index = REALLOC( +- parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int)); +- if (new_scaff_index == NULL) +- return XML_ERROR_NO_MEMORY; +- dtd->scaffIndex = new_scaff_index; +- dtd->scaffIndexSize = parser->m_groupSize; +- } + } else { + parser->m_groupConnector = MALLOC(parser, parser->m_groupSize = 32); + if (! parser->m_groupConnector) { diff --git a/meta/recipes-core/expat/expat/CVE-2026-56132_p5.patch b/meta/recipes-core/expat/expat/CVE-2026-56132_p5.patch new file mode 100644 index 0000000000..0cfb1093ef --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56132_p5.patch @@ -0,0 +1,56 @@ +From 778ba31c47f9930fe339194f4d97081e43893362 Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez +Date: Thu, 4 Jun 2026 17:01:02 -0700 +Subject: [PATCH 17/17] lib: Remove indented scoping of `new_connector` local + +Following the previous change, the lifetime of `new_connector` as +constrained by this introduced scope was identical to the parent scope. + +CVE: CVE-2026-56132 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/08baa7ef9d168b99094249998fd78f8d190526e5] + +Backport Changes: +- Retain the Scarthgap 2.6.4 unsigned integer overflow guard while + removing only the redundant new_connector scope. + +(cherry picked from commit 08baa7ef9d168b99094249998fd78f8d190526e5) +Signed-off-by: Deepak Rathore +--- + expat/lib/xmlparse.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 3afe2884..df8331d5 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -5945,20 +5945,18 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + case XML_ROLE_GROUP_OPEN: + if (parser->m_prologState.level >= parser->m_groupSize) { + if (parser->m_groupSize) { +- { +- /* Detect and prevent integer overflow */ +- if (parser->m_groupSize > (unsigned int)(-1) / 2u) { +- return XML_ERROR_NO_MEMORY; +- } ++ /* Detect and prevent integer overflow */ ++ if (parser->m_groupSize > (unsigned int)(-1) / 2u) { ++ return XML_ERROR_NO_MEMORY; ++ } + +- char *const new_connector = REALLOC( +- parser, parser->m_groupConnector, parser->m_groupSize *= 2); +- if (new_connector == NULL) { +- parser->m_groupSize /= 2; +- return XML_ERROR_NO_MEMORY; +- } +- parser->m_groupConnector = new_connector; ++ char *const new_connector = REALLOC(parser, parser->m_groupConnector, ++ parser->m_groupSize *= 2); ++ if (new_connector == NULL) { ++ parser->m_groupSize /= 2; ++ return XML_ERROR_NO_MEMORY; + } ++ parser->m_groupConnector = new_connector; + } else { + parser->m_groupConnector = MALLOC(parser, parser->m_groupSize = 32); + if (! parser->m_groupConnector) { diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb index 92e62e2233..34deb094f2 100644 --- a/meta/recipes-core/expat/expat_2.6.4.bb +++ b/meta/recipes-core/expat/expat_2.6.4.bb @@ -63,6 +63,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56409.patch;striplevel=2 \ file://CVE-2026-56411.patch;striplevel=2 \ file://CVE-2026-56407.patch;striplevel=2 \ + file://CVE-2026-56132_p1.patch;striplevel=2 \ + file://CVE-2026-56132_p2.patch;striplevel=2 \ + file://CVE-2026-56132_p3.patch;striplevel=2 \ + file://CVE-2026-56132_p4.patch;striplevel=2 \ + file://CVE-2026-56132_p5.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"