From: Hugo SIMELIERE <[email protected]> Pick patches from [1] also mentioned in [2].
[1] https://github.com/libexpat/libexpat/pull/1162 [2] https://security-tracker.debian.org/tracker/CVE-2026-32777 Signed-off-by: Bruno VERNAY <[email protected]> Signed-off-by: Hugo SIMELIERE <[email protected]> Signed-off-by: Fabien Thomas <[email protected]> --- .../expat/expat/CVE-2026-32777-01.patch | 49 ++++++++++++++ .../expat/expat/CVE-2026-32777-02.patch | 66 +++++++++++++++++++ meta/recipes-core/expat/expat_2.6.4.bb | 2 + 3 files changed, 117 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2026-32777-01.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-32777-02.patch diff --git a/meta/recipes-core/expat/expat/CVE-2026-32777-01.patch b/meta/recipes-core/expat/expat/CVE-2026-32777-01.patch new file mode 100644 index 0000000000..50ba27dcd4 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-32777-01.patch @@ -0,0 +1,49 @@ +From a6e6cf7c30e54402b2fa3c49f9d98702e74f8c34 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <[email protected]> +Date: Sun, 1 Mar 2026 20:16:13 +0100 +Subject: [PATCH 1/2] lib: Reject XML_TOK_INSTANCE_START infinite loop in + entityValueProcessor + +.. that OSS-Fuzz/ClusterFuzz uncovered + +CVE: CVE-2026-32777 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/55cda8c7125986e17d7e1825cba413bd94a35d02] + +(cherry picked from commit 55cda8c7125986e17d7e1825cba413bd94a35d02) +Signed-off-by: Hugo SIMELIERE <[email protected]> +--- + lib/xmlparse.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 56faf2eb..bfb8ac58 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -5077,7 +5077,7 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end, + } + /* If we get this token, we have the start of what might be a + normal tag, but not a declaration (i.e. it doesn't begin with +- "<!"). In a DTD context, that isn't legal. ++ "<!" or "<?"). In a DTD context, that isn't legal. + */ + else if (tok == XML_TOK_INSTANCE_START) { + *nextPtr = next; +@@ -5166,6 +5166,15 @@ entityValueProcessor(XML_Parser parser, const char *s, const char *end, + /* found end of entity value - can store it now */ + return storeEntityValue(parser, enc, s, end, XML_ACCOUNT_DIRECT, NULL); + } ++ /* If we get this token, we have the start of what might be a ++ normal tag, but not a declaration (i.e. it doesn't begin with ++ "<!" or "<?"). In a DTD context, that isn't legal. ++ */ ++ else if (tok == XML_TOK_INSTANCE_START) { ++ *nextPtr = next; ++ return XML_ERROR_SYNTAX; ++ } ++ + start = next; + } + } +-- +2.43.0 + diff --git a/meta/recipes-core/expat/expat/CVE-2026-32777-02.patch b/meta/recipes-core/expat/expat/CVE-2026-32777-02.patch new file mode 100644 index 0000000000..a1518c9a3e --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-32777-02.patch @@ -0,0 +1,66 @@ +From 4b91fc7eb4998c49bfd3b701a679ad6eb7ce7682 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <[email protected]> +Date: Fri, 6 Mar 2026 18:31:34 +0100 +Subject: [PATCH 2/2] misc_tests.c: Cover XML_TOK_INSTANCE_START infinite loop + case + +.. that OSS-Fuzz/ClusterFuzz uncovered + +CVE: CVE-2026-32777 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/a7805c1a8a48d2ce83ef289cf55bdc8b45de76a8] + +(cherry picked from commit a7805c1a8a48d2ce83ef289cf55bdc8b45de76a8) +Signed-off-by: Hugo SIMELIERE <[email protected]> +--- + tests/misc_tests.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/tests/misc_tests.c b/tests/misc_tests.c +index 07902d52..cdcdd507 100644 +--- a/tests/misc_tests.c ++++ b/tests/misc_tests.c +@@ -713,6 +713,35 @@ START_TEST(test_misc_async_entity_rejected) { + } + END_TEST + ++START_TEST(test_misc_no_infinite_loop_issue_1161) { ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++ const char *text = "<!DOCTYPE d SYSTEM 'secondary.txt'>"; ++ ++ struct ExtOption options[] = { ++ {XCS("secondary.txt"), ++ "<!ENTITY % p SYSTEM 'tertiary.txt'><!ENTITY g '%p;'>"}, ++ {XCS("tertiary.txt"), "<?xml version='1.0'?><a"}, ++ {NULL, NULL}, ++ }; ++ ++ XML_SetUserData(parser, options); ++ XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ XML_SetExternalEntityRefHandler(parser, external_entity_optioner); ++ ++ assert_true(_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE) ++ == XML_STATUS_ERROR); ++ ++#if defined(XML_DTD) ++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_EXTERNAL_ENTITY_HANDLING); ++#else ++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NO_ELEMENTS); ++#endif ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ + void + make_miscellaneous_test_case(Suite *s) { + TCase *tc_misc = tcase_create("miscellaneous tests"); +@@ -743,4 +772,5 @@ make_miscellaneous_test_case(Suite *s) { + tcase_add_test(tc_misc, test_misc_expected_event_ptr_issue_980); + tcase_add_test(tc_misc, test_misc_sync_entity_tolerated); + tcase_add_test(tc_misc, test_misc_async_entity_rejected); ++ tcase_add_test(tc_misc, test_misc_no_infinite_loop_issue_1161); + } +-- +2.43.0 + diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb index 631aebe6ca..f78d9a8a60 100644 --- a/meta/recipes-core/expat/expat_2.6.4.bb +++ b/meta/recipes-core/expat/expat_2.6.4.bb @@ -47,6 +47,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-25210-02.patch \ file://CVE-2026-25210-03.patch \ file://CVE-2026-32776.patch \ + file://CVE-2026-32777-01.patch \ + file://CVE-2026-32777-02.patch \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/";
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#236497): https://lists.openembedded.org/g/openembedded-core/message/236497 Mute This Topic: https://lists.openembedded.org/mt/119164883/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
