From: Peter Marko <[email protected]> Pick github PR [1] mentioned in [2]. * 969af8f4654ce50d837bb9199a73d1d02d2c7e16..4ba09dc471b39a78d77e5179d0243186c0c4ff7a * dropped code which doesn't exist in 2.6.4 yet (github actions, map file) * resolved minor conflicts (formatting) * picked 2 additional commits to apply the code cleanly
[1] https://github.com/libexpat/libexpat/pull/1183 [2] https://security-tracker.debian.org/tracker/CVE-2026-41080 Signed-off-by: Peter Marko <[email protected]> --- .../expat/expat/CVE-2026-41080-01.patch | 50 ++ .../expat/expat/CVE-2026-41080-02.patch | 29 ++ .../expat/expat/CVE-2026-41080-03.patch | 467 ++++++++++++++++++ meta/recipes-core/expat/expat_2.6.4.bb | 3 + 4 files changed, 549 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2026-41080-01.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-41080-02.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-41080-03.patch diff --git a/meta/recipes-core/expat/expat/CVE-2026-41080-01.patch b/meta/recipes-core/expat/expat/CVE-2026-41080-01.patch new file mode 100644 index 00000000000..0c6af75a5de --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-41080-01.patch @@ -0,0 +1,50 @@ +From fe04a7f0ff8afe57ba33d919f368b1ba23bcda92 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <[email protected]> +Date: Sun, 30 Mar 2025 19:26:55 +0200 +Subject: [PATCH 1/3] lib/xmlparse.c: Address clang-tidy warning + misc-no-recursion + +CVE: CVE-2026-41080 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/fe04a7f0ff8afe57ba33d919f368b1ba23bcda92] +Signed-off-by: Peter Marko <[email protected]> +--- + lib/xmlparse.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 9bc67f38..cb25c37b 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -1243,9 +1243,10 @@ generate_hash_secret_salt(XML_Parser parser) { + + static unsigned long + get_hash_secret_salt(XML_Parser parser) { +- if (parser->m_parentParser != NULL) +- return get_hash_secret_salt(parser->m_parentParser); +- return parser->m_hash_secret_salt; ++ const XML_Parser rootParser = getRootParserOf(parser, NULL); ++ assert(! rootParser->m_parentParser); ++ ++ return rootParser->m_hash_secret_salt; + } + + static enum XML_Error +@@ -2321,12 +2322,14 @@ int XMLCALL + XML_SetHashSalt(XML_Parser parser, unsigned long hash_salt) { + if (parser == NULL) + return 0; +- if (parser->m_parentParser) +- return XML_SetHashSalt(parser->m_parentParser, hash_salt); ++ ++ const XML_Parser rootParser = getRootParserOf(parser, NULL); ++ assert(! rootParser->m_parentParser); ++ + /* block after XML_Parse()/XML_ParseBuffer() has been called */ +- if (parserBusy(parser)) ++ if (parserBusy(rootParser)) + return 0; +- parser->m_hash_secret_salt = hash_salt; ++ rootParser->m_hash_secret_salt = hash_salt; + return 1; + } + diff --git a/meta/recipes-core/expat/expat/CVE-2026-41080-02.patch b/meta/recipes-core/expat/expat/CVE-2026-41080-02.patch new file mode 100644 index 00000000000..953f93c68a9 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-41080-02.patch @@ -0,0 +1,29 @@ +From 7fb2c7a454edc9e2880073a27f899c31d9b078ce Mon Sep 17 00:00:00 2001 +From: Atrem Borovik <[email protected]> +Date: Sat, 20 Dec 2025 13:22:16 +0300 +Subject: [PATCH 2/3] WASI: remove getpid + +CVE: CVE-2026-41080 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/7fb2c7a454edc9e2880073a27f899c31d9b078ce] +Signed-off-by: Peter Marko <[email protected]> +--- + lib/xmlparse.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index cb25c37b..1bafb948 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -1228,8 +1228,11 @@ generate_hash_secret_salt(XML_Parser parser) { + # endif /* ! defined(_WIN32) && defined(XML_DEV_URANDOM) */ + /* .. and self-made low quality for backup: */ + ++ entropy = gather_time_entropy(); ++# if ! defined(__wasi__) + /* Process ID is 0 bits entropy if attacker has local access */ +- entropy = gather_time_entropy() ^ getpid(); ++ entropy ^= getpid(); ++# endif + + /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */ + if (sizeof(unsigned long) == 4) { diff --git a/meta/recipes-core/expat/expat/CVE-2026-41080-03.patch b/meta/recipes-core/expat/expat/CVE-2026-41080-03.patch new file mode 100644 index 00000000000..4d17f1a0b0e --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-41080-03.patch @@ -0,0 +1,467 @@ +From b77ab600e1893fdcfc3868d0a46efcc87c87943d Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <[email protected]> +Date: Wed, 8 Apr 2026 15:41:54 +0200 +Subject: [PATCH 3/3] [CVE-2026-41080] Improve protection against hash flooding + (fixes #47) + +Fixes #47 + +CVE: CVE-2026-41080 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1183] +Signed-off-by: Peter Marko <[email protected]> +--- + Changes | 16 ++++++ + doc/reference.html | 51 ++++++++++++++-- + lib/expat.h | 12 ++++ + lib/internal.h | 2 + + lib/xmlparse.c | 118 ++++++++++++++++++++++++++------------ + tests/basic_tests.c | 25 ++++++++ + 6 files changed, 181 insertions(+), 43 deletions(-) + +diff --git a/Changes b/Changes +index 4265d608..1d87d6a0 100644 +--- a/Changes ++++ b/Changes +@@ -30,6 +30,22 @@ + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + + Patches: ++ Security fixes: ++ #47 #1183 CVE-2026-41080 -- The existing hash flooding protection ++ (based on SipHash) only used 4 to 8 bytes of entropy for ++ a salt, when 16 bytes of salt are supported by the ++ implementation of SipHash used by Expat. Now full 16 bytes ++ of entropy are used to improve protection against hash ++ flooding attacks. ++ Existing API function XML_SetHashSalt is now deprecated ++ because of its limitations, and its use should be ++ considered a vulnerability. Please either use the new API ++ function XML_SetHashSalt16Bytes (with known-high-quality ++ entropy input only!) instead, or leave the derivation of ++ a 16-bytes hash salt from high quality entropy to Expat's ++ internal machinery (by *not* calling either of the two ++ XML_SetHashSalt* functions). ++ + Security fixes: + #1018 #1034 CVE-2025-59375 -- Disallow use of disproportional amounts of + dynamic memory from within an Expat parser (e.g. previously +diff --git a/doc/reference.html b/doc/reference.html +index 8f14b011..7f374f84 100644 +--- a/doc/reference.html ++++ b/doc/reference.html +@@ -174,7 +174,8 @@ interface.</p> + <li><a href="#XML_GetAttributeInfo">XML_GetAttributeInfo</a></li> + <li><a href="#XML_SetEncoding">XML_SetEncoding</a></li> + <li><a href="#XML_SetParamEntityParsing">XML_SetParamEntityParsing</a></li> +- <li><a href="#XML_SetHashSalt">XML_SetHashSalt</a></li> ++ <li><a href="#XML_SetHashSalt">XML_SetHashSalt</a> (deprecated)</li> ++ <li><a href="#XML_SetHashSalt16Bytes">XML_SetHashSalt16Bytes</a></li> + <li><a href="#XML_UseForeignDTD">XML_UseForeignDTD</a></li> + <li><a href="#XML_SetReturnNSTriplet">XML_SetReturnNSTriplet</a></li> + <li><a href="#XML_DefaultCurrent">XML_DefaultCurrent</a></li> +@@ -2553,10 +2554,10 @@ The choices for <code>code</code> are: + no effect and will always return 0. + </div> + +-<h4 id="XML_SetHashSalt">XML_SetHashSalt</h4> ++<h4 id="XML_SetHashSalt">XML_SetHashSalt (deprecated)</h4> + <pre class="fcndec"> + int XMLCALL +-XML_SetHashSalt(XML_Parser p, ++XML_SetHashSalt(XML_Parser parser, + unsigned long hash_salt); + </pre> + <div class="fcndef"> +@@ -2564,15 +2565,55 @@ Sets the hash salt to use for internal hash calculations. + Helps in preventing DoS attacks based on predicting hash + function behavior. In order to have an effect this must be called + before parsing has started. Returns 1 if successful, 0 when called +-after <code>XML_Parse</code> or <code>XML_ParseBuffer</code>. ++after <code>XML_Parse</code> or <code>XML_ParseBuffer</code> or when ++ <code>parser</code> is <code>NULL</code>. ++ <p> ++ <b>Note:</b> Function <code>XML_SetHashSalt</code> is ++ <strong>deprecated</strong>. Please use function <code><a href= ++ "#XML_SetHashSalt16Bytes">XML_SetHashSalt16Bytes</a></code> instead for better ++ security. <code>XML_SetHashSalt</code> only provides 4 to 8 bytes of entropy ++ (depending on the size of type <code>unsigned long</code>) while the SipHash ++ implementation used by Expat can leverage up to 16 bytes of entropy — at least ++ twice as much. Function <code><a href= ++ "#XML_SetHashSalt16Bytes">XML_SetHashSalt16Bytes</a></code> of Expat >=2.7.6 ++ (and where backported) matches the amount of entropy supported by SipHash. ++ </p>. + <p><b>Note:</b> This call is optional, as the parser will auto-generate +-a new random salt value if no value has been set at the start of parsing.</p> ++a new random salt value internally if no value has been set by the start of parsing.</p> + <p><b>Note:</b> One should not call <code>XML_SetHashSalt</code> with a + hash salt value of 0, as this value is used as sentinel value to indicate + that <code>XML_SetHashSalt</code> has <b>not</b> been called. Consequently + such a call will have no effect, even if it returns 1.</p> + </div> + ++ <h4 id="XML_SetHashSalt16Bytes"> ++ XML_SetHashSalt16Bytes ++ </h4> ++ ++ <pre class="fcndec"> ++/* Added in Expat 2.7.6. */ ++XML_Bool XMLCALL ++XML_SetHashSalt16Bytes(XML_Parser parser, ++ const uint8_t entropy[16]); ++</pre> ++ <div class="fcndef"> ++ Sets the hash salt to use for internal hash calculations. Helps in preventing DoS ++ attacks based on predicting hash function behavior. In order to have an effect ++ this must be called before parsing has started. Returns <code>XML_TRUE</code> if ++ successful, <code>XML_FALSE</code> when called after <code>XML_Parse</code> or ++ <code>XML_ParseBuffer</code> or when <code>parser</code> is <code>NULL</code>. ++ <p> ++ <b>Note:</b> Setting a salt that is <em>not</em> from a source of high quality ++ entropy (like <code>getentropy(3)</code>) will make the parser vulnerable to ++ hash flooding attacks. ++ </p> ++ ++ <p> ++ <b>Note:</b> This call is optional, as the parser will auto-generate a new ++ random salt value internally if no value has been set by the start of parsing. ++ </p> ++ </div> ++ + <h4 id="XML_UseForeignDTD">XML_UseForeignDTD</h4> + <pre class="fcndec"> + enum XML_Error XMLCALL +diff --git a/lib/expat.h b/lib/expat.h +index df207e9e..b356e002 100644 +--- a/lib/expat.h ++++ b/lib/expat.h +@@ -44,6 +44,7 @@ + #ifndef Expat_INCLUDED + #define Expat_INCLUDED 1 + ++# include <stdint.h> // for uint8_t + #include <stdlib.h> + #include "expat_external.h" + +@@ -916,10 +917,21 @@ XML_SetParamEntityParsing(XML_Parser parser, + function behavior. This must be called before parsing is started. + Returns 1 if successful, 0 when called after parsing has started. + Note: If parser == NULL, the function will do nothing and return 0. ++ DEPRECATED since Expat 2.7.6. + */ + XMLPARSEAPI(int) + XML_SetHashSalt(XML_Parser parser, unsigned long hash_salt); + ++/* Sets the hash salt to use for internal hash calculations. ++ Helps in preventing DoS attacks based on predicting hash function behavior. ++ This must be called before parsing is started. ++ Returns XML_TRUE if successful, XML_FALSE when called after parsing has ++ started or when parser is NULL. ++ Added in Expat 2.7.6. ++*/ ++XMLPARSEAPI(XML_Bool) ++XML_SetHashSalt16Bytes(XML_Parser parser, const uint8_t entropy[16]); ++ + /* If XML_Parse or XML_ParseBuffer have returned XML_STATUS_ERROR, then + XML_GetErrorCode returns information about the error. + */ +diff --git a/lib/internal.h b/lib/internal.h +index 32faaa05..617d6454 100644 +--- a/lib/internal.h ++++ b/lib/internal.h +@@ -113,6 +113,7 @@ + #if defined(_WIN32) \ + && (! defined(__USE_MINGW_ANSI_STDIO) \ + || (1 - __USE_MINGW_ANSI_STDIO - 1 == 0)) ++# define EXPAT_FMT_LLX(midpart) "%" midpart "I64x" + # define EXPAT_FMT_ULL(midpart) "%" midpart "I64u" + # if defined(_WIN64) // Note: modifiers "td" and "zu" do not work for MinGW + # define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "I64d" +@@ -122,6 +123,7 @@ + # define EXPAT_FMT_SIZE_T(midpart) "%" midpart "u" + # endif + #else ++# define EXPAT_FMT_LLX(midpart) "%" midpart "llx" + # define EXPAT_FMT_ULL(midpart) "%" midpart "llu" + # if ! defined(ULONG_MAX) + # error Compiler did not define ULONG_MAX for us +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 1bafb948..75a7e5d0 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -604,7 +604,7 @@ static ELEMENT_TYPE *getElementType(XML_Parser parser, const ENCODING *enc, + + static XML_Char *copyString(const XML_Char *s, XML_Parser parser); + +-static unsigned long generate_hash_secret_salt(XML_Parser parser); ++static struct sipkey generate_hash_secret_salt(void); + static XML_Bool startParsing(XML_Parser parser); + + static XML_Parser parserCreate(const XML_Char *encodingName, +@@ -777,7 +777,8 @@ struct XML_ParserStruct { + XML_Bool m_useForeignDTD; + enum XML_ParamEntityParsing m_paramEntityParsing; + #endif +- unsigned long m_hash_secret_salt; ++ struct sipkey m_hash_secret_salt_128; ++ XML_Bool m_hash_secret_salt_set; + #if XML_GE == 1 + ACCOUNTING m_accounting; + MALLOC_TRACKER m_alloc_tracker; +@@ -1189,69 +1190,65 @@ gather_time_entropy(void) { + + #endif /* ! defined(HAVE_ARC4RANDOM_BUF) && ! defined(HAVE_ARC4RANDOM) */ + +-static unsigned long +-ENTROPY_DEBUG(const char *label, unsigned long entropy) { ++static struct sipkey ++ENTROPY_DEBUG(const char *label, struct sipkey entropy_128) { + if (getDebugLevel("EXPAT_ENTROPY_DEBUG", 0) >= 1u) { +- fprintf(stderr, "expat: Entropy: %s --> 0x%0*lx (%lu bytes)\n", label, +- (int)sizeof(entropy) * 2, entropy, (unsigned long)sizeof(entropy)); ++ fprintf(stderr, ++ "expat: Entropy: %s --> [0x" EXPAT_FMT_LLX( ++ "016") ", 0x" EXPAT_FMT_LLX("016") "] (16 bytes)\n", ++ label, (unsigned long long)entropy_128.k[0], ++ (unsigned long long)entropy_128.k[1]); + } +- return entropy; ++ return entropy_128; + } + +-static unsigned long +-generate_hash_secret_salt(XML_Parser parser) { +- unsigned long entropy; +- (void)parser; ++static struct sipkey ++generate_hash_secret_salt(void) { ++ struct sipkey entropy; + + /* "Failproof" high quality providers: */ + #if defined(HAVE_ARC4RANDOM_BUF) + arc4random_buf(&entropy, sizeof(entropy)); + return ENTROPY_DEBUG("arc4random_buf", entropy); + #elif defined(HAVE_ARC4RANDOM) +- writeRandomBytes_arc4random((void *)&entropy, sizeof(entropy)); ++ writeRandomBytes_arc4random(&entropy, sizeof(entropy)); + return ENTROPY_DEBUG("arc4random", entropy); + #else + /* Try high quality providers first .. */ + # ifdef _WIN32 +- if (writeRandomBytes_rand_s((void *)&entropy, sizeof(entropy))) { ++ if (writeRandomBytes_rand_s(&entropy, sizeof(entropy))) { + return ENTROPY_DEBUG("rand_s", entropy); + } + # elif defined(HAVE_GETRANDOM) || defined(HAVE_SYSCALL_GETRANDOM) +- if (writeRandomBytes_getrandom_nonblock((void *)&entropy, sizeof(entropy))) { ++ if (writeRandomBytes_getrandom_nonblock(&entropy, sizeof(entropy))) { + return ENTROPY_DEBUG("getrandom", entropy); + } + # endif + # if ! defined(_WIN32) && defined(XML_DEV_URANDOM) +- if (writeRandomBytes_dev_urandom((void *)&entropy, sizeof(entropy))) { ++ if (writeRandomBytes_dev_urandom(&entropy, sizeof(entropy))) { + return ENTROPY_DEBUG("/dev/urandom", entropy); + } + # endif /* ! defined(_WIN32) && defined(XML_DEV_URANDOM) */ + /* .. and self-made low quality for backup: */ + +- entropy = gather_time_entropy(); ++ entropy.k[0] = 0; ++ entropy.k[1] = gather_time_entropy(); + # if ! defined(__wasi__) + /* Process ID is 0 bits entropy if attacker has local access */ +- entropy ^= getpid(); ++ entropy.k[1] ^= getpid(); + # endif + + /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */ + if (sizeof(unsigned long) == 4) { +- return ENTROPY_DEBUG("fallback(4)", entropy * 2147483647); ++ entropy.k[1] *= 2147483647; ++ return ENTROPY_DEBUG("fallback(4)", entropy); + } else { +- return ENTROPY_DEBUG("fallback(8)", +- entropy * (unsigned long)2305843009213693951ULL); ++ entropy.k[1] *= 2305843009213693951ULL; ++ return ENTROPY_DEBUG("fallback(8)", entropy); + } + #endif + } + +-static unsigned long +-get_hash_secret_salt(XML_Parser parser) { +- const XML_Parser rootParser = getRootParserOf(parser, NULL); +- assert(! rootParser->m_parentParser); +- +- return rootParser->m_hash_secret_salt; +-} +- + static enum XML_Error + callProcessor(XML_Parser parser, const char *start, const char *end, + const char **endPtr) { +@@ -1320,8 +1316,10 @@ callProcessor(XML_Parser parser, const char *start, const char *end, + static XML_Bool /* only valid for root parser */ + startParsing(XML_Parser parser) { + /* hash functions must be initialized before setContext() is called */ +- if (parser->m_hash_secret_salt == 0) +- parser->m_hash_secret_salt = generate_hash_secret_salt(parser); ++ if (parser->m_hash_secret_salt_set != XML_TRUE) { ++ parser->m_hash_secret_salt_128 = generate_hash_secret_salt(); ++ parser->m_hash_secret_salt_set = XML_TRUE; ++ } + if (parser->m_ns) { + /* implicit context only set for root parser, since child + parsers (i.e. external entity parsers) will inherit it +@@ -1609,7 +1607,9 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) { + parser->m_useForeignDTD = XML_FALSE; + parser->m_paramEntityParsing = XML_PARAM_ENTITY_PARSING_NEVER; + #endif +- parser->m_hash_secret_salt = 0; ++ parser->m_hash_secret_salt_128.k[0] = 0; ++ parser->m_hash_secret_salt_128.k[1] = 0; ++ parser->m_hash_secret_salt_set = XML_FALSE; + + #if XML_GE == 1 + memset(&parser->m_accounting, 0, sizeof(ACCOUNTING)); +@@ -1776,7 +1776,8 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context, + from hash tables associated with either parser without us having + to worry which hash secrets each table has. + */ +- unsigned long oldhash_secret_salt; ++ struct sipkey oldhash_secret_salt_128; ++ XML_Bool oldhash_secret_salt_set; + XML_Bool oldReparseDeferralEnabled; + + /* Validate the oldParser parameter before we pull everything out of it */ +@@ -1822,7 +1823,8 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context, + from hash tables associated with either parser without us having + to worry which hash secrets each table has. + */ +- oldhash_secret_salt = parser->m_hash_secret_salt; ++ oldhash_secret_salt_128 = parser->m_hash_secret_salt_128; ++ oldhash_secret_salt_set = parser->m_hash_secret_salt_set; + oldReparseDeferralEnabled = parser->m_reparseDeferralEnabled; + + #ifdef XML_DTD +@@ -1877,7 +1879,8 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context, + parser->m_externalEntityRefHandlerArg = oldExternalEntityRefHandlerArg; + parser->m_defaultExpandInternalEntities = oldDefaultExpandInternalEntities; + parser->m_ns_triplets = oldns_triplets; +- parser->m_hash_secret_salt = oldhash_secret_salt; ++ parser->m_hash_secret_salt_128 = oldhash_secret_salt_128; ++ parser->m_hash_secret_salt_set = oldhash_secret_salt_set; + parser->m_reparseDeferralEnabled = oldReparseDeferralEnabled; + parser->m_parentParser = oldParser; + #ifdef XML_DTD +@@ -2321,6 +2324,7 @@ XML_SetParamEntityParsing(XML_Parser parser, + #endif + } + ++// DEPRECATED since Expat 2.7.6. + int XMLCALL + XML_SetHashSalt(XML_Parser parser, unsigned long hash_salt) { + if (parser == NULL) +@@ -2332,10 +2336,46 @@ XML_SetHashSalt(XML_Parser parser, unsigned long hash_salt) { + /* block after XML_Parse()/XML_ParseBuffer() has been called */ + if (parserBusy(rootParser)) + return 0; +- rootParser->m_hash_secret_salt = hash_salt; ++ ++ rootParser->m_hash_secret_salt_128.k[0] = 0; ++ rootParser->m_hash_secret_salt_128.k[1] = hash_salt; ++ ++ if (hash_salt != 0) { // to remain backwards compatible ++ rootParser->m_hash_secret_salt_set = XML_TRUE; ++ ++ if (sizeof(unsigned long) == 4) ++ ENTROPY_DEBUG("explicit(4)", rootParser->m_hash_secret_salt_128); ++ else ++ ENTROPY_DEBUG("explicit(8)", rootParser->m_hash_secret_salt_128); ++ } ++ + return 1; + } + ++XML_Bool XMLCALL ++XML_SetHashSalt16Bytes(XML_Parser parser, const uint8_t entropy[16]) { ++ if (parser == NULL) ++ return XML_FALSE; ++ ++ if (entropy == NULL) ++ return XML_FALSE; ++ ++ const XML_Parser rootParser = getRootParserOf(parser, NULL); ++ assert(! rootParser->m_parentParser); ++ ++ /* block after XML_Parse()/XML_ParseBuffer() has been called */ ++ if (parserBusy(rootParser)) ++ return XML_FALSE; ++ ++ sip_tokey(&(rootParser->m_hash_secret_salt_128), entropy); ++ ++ rootParser->m_hash_secret_salt_set = XML_TRUE; ++ ++ ENTROPY_DEBUG("explicit(16)", rootParser->m_hash_secret_salt_128); ++ ++ return XML_TRUE; ++} ++ + enum XML_Status XMLCALL + XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) { + if ((parser == NULL) || (len < 0) || ((s == NULL) && (len != 0))) { +@@ -7837,8 +7877,10 @@ keylen(KEY s) { + + static void + copy_salt_to_sipkey(XML_Parser parser, struct sipkey *key) { +- key->k[0] = 0; +- key->k[1] = get_hash_secret_salt(parser); ++ const XML_Parser rootParser = getRootParserOf(parser, NULL); ++ assert(! rootParser->m_parentParser); ++ ++ *key = rootParser->m_hash_secret_salt_128; + } + + static unsigned long FASTCALL +diff --git a/tests/basic_tests.c b/tests/basic_tests.c +index 023d9ce4..380caf19 100644 +--- a/tests/basic_tests.c ++++ b/tests/basic_tests.c +@@ -204,6 +204,30 @@ START_TEST(test_hash_collision) { + END_TEST + #undef COLLIDING_HASH_SALT + ++START_TEST(test_hash_salt_setter) { ++ const uint8_t entropy[16] = {'0', '1', '2', '3', '4', '5', '6', '7', ++ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'}; ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++ // NULL parser should be rejected ++ assert_true(XML_SetHashSalt16Bytes(NULL, entropy) == XML_FALSE); ++ ++ // NULL entropy should be rejected ++ assert_true(XML_SetHashSalt16Bytes(parser, NULL) == XML_FALSE); ++ ++ // Setting should be allowed more than once ++ assert_true(XML_SetHashSalt16Bytes(parser, entropy) == XML_TRUE); ++ assert_true(XML_SetHashSalt16Bytes(parser, entropy) == XML_TRUE); ++ ++ // But not after parsing has started ++ assert_true(XML_Parse(parser, "", 0, XML_FALSE /* isFinal */) ++ == XML_STATUS_OK); ++ assert_true(XML_SetHashSalt16Bytes(parser, entropy) == XML_FALSE); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ + /* Regression test for SF bug #491986. */ + START_TEST(test_danish_latin1) { + const char *text = "<?xml version='1.0' encoding='iso-8859-1'?>\n" +@@ -6244,6 +6268,7 @@ make_basic_test_case(Suite *s) { + tcase_add_test(tc_basic, test_bom_utf16_le); + tcase_add_test(tc_basic, test_nobom_utf16_le); + tcase_add_test(tc_basic, test_hash_collision); ++ tcase_add_test(tc_basic, test_hash_salt_setter); + tcase_add_test(tc_basic, test_illegal_utf8); + tcase_add_test(tc_basic, test_utf8_auto_align); + tcase_add_test(tc_basic, test_utf16); diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb index 151720a9e3c..f5c3e3fdd2f 100644 --- a/meta/recipes-core/expat/expat_2.6.4.bb +++ b/meta/recipes-core/expat/expat_2.6.4.bb @@ -51,6 +51,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-32777-02.patch \ file://CVE-2026-32778-01.patch \ file://CVE-2026-32778-02.patch \ + file://CVE-2026-41080-01.patch \ + file://CVE-2026-41080-02.patch \ + file://CVE-2026-41080-03.patch \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/";
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#236528): https://lists.openembedded.org/g/openembedded-core/message/236528 Mute This Topic: https://lists.openembedded.org/mt/119168855/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
