On Sat Jan 31, 2026 at 3:53 PM CET, Peter Marko via lists.openembedded.org wrote:
> From: Peter Marko <[email protected]>
>
> Changelog [1]:
>         Security fixes:
>            #1131  CVE-2026-24515 -- Function XML_ExternalEntityParserCreate
>                     failed to copy the encoding handler data passed to
>                     XML_SetUnknownEncodingHandler from the parent to the new
>                     subparser. This can cause a NULL dereference (CWE-476) from
>                     external entities that declare use of an unknown encoding.
>                     The expected impact is denial of service. It takes use of
>                     both functions XML_ExternalEntityParserCreate and
>                     XML_SetUnknownEncodingHandler for an application to be
>                     vulnerable.
>            #1075  CVE-2026-25210 -- Add missing check for integer overflow
>                     related to buffer size determination in function doContent
>
>         Bug fixes:
>            #1073  lib: Fix missing undoing of group size expansion in doProlog
>                     failure cases
>            #1107  xmlwf: Fix a memory leak
>            #1104  WASI: Fix format specifiers for 32bit WASI SDK
>
>         Other changes:
>            #1105  lib: Fix strict aliasing
>            #1106  lib: Leverage feature "flexible array member" of C99
>            #1051  lib: Swap (size_t)(-1) for C99 equivalent SIZE_MAX
>            #1109  lib|xmlwf: Return NULL instead of 0 for pointers
>            #1068  lib|Windows: Clean up use of macro _MSC_EXTENSIONS with MSVC
>            #1112  lib: Remove unused import
>            #1110  xmlwf: Warn about XXE in --help output (and man page)
>      #1102 #1103  WASI: Stop using getpid
>
> ... and additional docs/autotools/cmake/infrastructure changes
>
> [1] https://github.com/libexpat/libexpat/blob/R_2_7_4/expat/Changes
>
> Signed-off-by: Peter Marko <[email protected]>
> ---
>  meta/recipes-core/expat/{expat_2.7.3.bb => expat_2.7.4.bb} | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>  rename meta/recipes-core/expat/{expat_2.7.3.bb => expat_2.7.4.bb} (92%)

Note to the master review team: I have related CVE fixing patches queued
for whinlatter and scarthgap.
This patch is currently in contrib/mathieu/master-next-success.
-- 
Yoann Congal
Smile ECS
