On Tue May 19, 2026 at 4:16 PM CEST, Théo Gaigé via lists.openembedded.org
wrote:
> From: Theo Gaige <[email protected]>
>
> Backport patches from [1] also mentioned in [2].
>
> [1] https://github.com/libexpat/libexpat/pull/1216
> [2] https://security-tracker.debian.org/tracker/CVE-2026-45186
>
> Signed-off-by: Theo Gaige <[email protected]>
> Reviewed-by: Bruno Vernay <[email protected]>
> ---
> .../expat/expat/CVE-2026-45186-01.patch | 70 ++++
> .../expat/expat/CVE-2026-45186-02.patch | 318 ++++++++++++++++++
> .../expat/expat/CVE-2026-45186-03.patch | 46 +++
> .../expat/expat/CVE-2026-45186-04.patch | 32 ++
> .../expat/expat/CVE-2026-45186-05.patch | 32 ++
> .../expat/expat/CVE-2026-45186-06.patch | 87 +++++
> .../expat/expat/CVE-2026-45186-07.patch | 52 +++
> .../expat/expat/CVE-2026-45186-08.patch | 39 +++
> meta/recipes-core/expat/expat_2.6.4.bb | 8 +
> 9 files changed, 684 insertions(+)
> create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-01.patch
> create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-02.patch
> create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-03.patch
> create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-04.patch
> create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-05.patch
> create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-06.patch
> create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-07.patch
> create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-08.patch
>
> diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-01.patch
> b/meta/recipes-core/expat/expat/CVE-2026-45186-01.patch
> new file mode 100644
> index 0000000000..bc97341d44
> --- /dev/null
> +++ b/meta/recipes-core/expat/expat/CVE-2026-45186-01.patch
> @@ -0,0 +1,70 @@
> +From 02fd51c3475c400cf4095228eb1ce4fa19639f5f Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Berkay=20Eren=20=C3=9Cr=C3=BCn?= <[email protected]>
> +Date: Fri, 13 Mar 2026 13:26:45 +0100
> +Subject: [PATCH 1/8] Make "counting_start_element_handler" count default
> attrs
> +
> +(cherry picked from commit 0802a5892030610144b736dec6e2f63e8600fe85)
> +
> +CVE: CVE-2026-45186
> +Upstream-Status: Backport
> [https://github.com/libexpat/libexpat/pull/1216/commits/0802a5892030610144b736dec6e2f63e8600fe85]
> +Signed-off-by: Theo Gaige <[email protected]>
> +---
> + tests/basic_tests.c | 8 ++++----
> + tests/handlers.c | 2 +-
> + tests/handlers.h | 1 +
> + 3 files changed, 6 insertions(+), 5 deletions(-)
> +
> +diff --git a/tests/basic_tests.c b/tests/basic_tests.c
> +index 023d9ce4..d6edb16b 100644
> +--- a/tests/basic_tests.c
> ++++ b/tests/basic_tests.c
> +@@ -2439,9 +2439,9 @@ START_TEST(test_attributes) {
> + {XCS("id"), XCS("one")},
> + {NULL, NULL}};
> + AttrInfo tag_info[] = {{XCS("c"), XCS("3")}, {NULL, NULL}};
> +- ElementInfo info[] = {{XCS("doc"), 3, XCS("id"), NULL},
> +- {XCS("tag"), 1, NULL, NULL},
> +- {NULL, 0, NULL, NULL}};
> ++ ElementInfo info[] = {{XCS("doc"), 3, 0, XCS("id"), NULL},
> ++ {XCS("tag"), 1, 0, NULL, NULL},
> ++ {NULL, 0, 0, NULL, NULL}};
> + info[0].attributes = doc_info;
> + info[1].attributes = tag_info;
> +
> +@@ -5496,7 +5496,7 @@ START_TEST(test_deep_nested_attribute_entity) {
> + (long unsigned)(N_LINES - 1));
> +
> + AttrInfo doc_info[] = {{XCS("name"), XCS("deepText")}, {NULL, NULL}};
> +- ElementInfo info[] = {{XCS("foo"), 1, NULL, NULL}, {NULL, 0, NULL, NULL}};
> ++ ElementInfo info[] = {{XCS("foo"), 1, 0, NULL, NULL}, {NULL, 0, 0, NULL,
> NULL}};
> + info[0].attributes = doc_info;
> +
> + XML_Parser parser = XML_ParserCreate(NULL);
> +diff --git a/tests/handlers.c b/tests/handlers.c
> +index e6582231..9ff7b354 100644
> +--- a/tests/handlers.c
> ++++ b/tests/handlers.c
> +@@ -137,7 +137,7 @@ counting_start_element_handler(void *userData, const
> XML_Char *name,
> + fail("ID does not have the correct name");
> + return;
> + }
> +- for (i = 0; i < info->attr_count; i++) {
> ++ for (i = 0; i < info->attr_count + info->default_attr_count; i++) {
> + attr = info->attributes;
> + while (attr->name != NULL) {
> + if (! xcstrcmp(atts[0], attr->name))
> +diff --git a/tests/handlers.h b/tests/handlers.h
> +index ac4ca940..11d45ebd 100644
> +--- a/tests/handlers.h
> ++++ b/tests/handlers.h
> +@@ -88,6 +88,7 @@ typedef struct attrInfo {
> + typedef struct elementInfo {
> + const XML_Char *name;
> + int attr_count;
> ++ int default_attr_count;
> + const XML_Char *id_name;
> + AttrInfo *attributes;
> + } ElementInfo;
> +--
> +2.43.0
> +
> diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-02.patch
> b/meta/recipes-core/expat/expat/CVE-2026-45186-02.patch
> new file mode 100644
> index 0000000000..d7991b3b9c
> --- /dev/null
> +++ b/meta/recipes-core/expat/expat/CVE-2026-45186-02.patch
> @@ -0,0 +1,318 @@
> +From 943a9bccac7fa8d156807fb7f106335b4e02da36 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Berkay=20Eren=20=C3=9Cr=C3=BCn?= <[email protected]>
> +Date: Fri, 13 Mar 2026 13:27:31 +0100
> +Subject: [PATCH 2/8] test(attlist): Cover duplicate attribute names
> +
> +Co-authored-by: Sebastian Pipping <[email protected]>
> +(cherry picked from commit e569f47181c43dca5d262089e541ddf9a9c09927)
> +
> +CVE: CVE-2026-45186
> +Upstream-Status: Backport
> [https://github.com/libexpat/libexpat/pull/1216/commits/e569f47181c43dca5d262089e541ddf9a9c09927]
> +Signed-off-by: Theo Gaige <[email protected]>
> +---
> + tests/basic_tests.c | 282 ++++++++++++++++++++++++++++++++++++++++++++
> + 1 file changed, 282 insertions(+)
> +
> +diff --git a/tests/basic_tests.c b/tests/basic_tests.c
> +index d6edb16b..907a4580 100644
> +--- a/tests/basic_tests.c
> ++++ b/tests/basic_tests.c
> +@@ -2462,6 +2462,279 @@ START_TEST(test_attributes) {
> + }
> + END_TEST
> +
> ++START_TEST(test_duplicate_cdata_attribute) {
> ++ /*
> ++ https://www.w3.org/TR/xml/#attdecls
> ++
> ++ Test the following statement from the linked specification:
> ++ When more than one definition is provided for the same attribute of a
> given
> ++ element type, the first declaration is binding and later declarations
> are
> ++ ignored.
> ++ */
> ++
> ++ const char *text
> ++ = "<!DOCTYPE doc [\n"
> ++ " <!ATTLIST doc attribute CDATA 'expected' attribute CDATA
> 'ignored'>\n"
> ++ "]>\n"
> ++ "<doc/>\n";
> ++ AttrInfo doc_info[] = {{XCS("attribute"), XCS("expected")}, {NULL, NULL}};
> ++ ElementInfo info[]
> ++ = {{XCS("doc"), 0, 1, NULL, doc_info}, {NULL, 0, 0, NULL, NULL}};
> ++
> ++ XML_Parser parser = XML_ParserCreate(NULL);
> ++ assert_true(parser != NULL);
> ++
> ++ ParserAndElementInfo parserAndElementInfos = {
> ++ parser,
> ++ info,
> ++ };
> ++
> ++ XML_SetStartElementHandler(parser, counting_start_element_handler);
> ++ XML_SetUserData(parser, &parserAndElementInfos);
> ++
> ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
> ++ != XML_STATUS_OK)
> ++ xml_failure(parser);
> ++
> ++ XML_ParserFree(parser);
> ++}
> ++END_TEST
> ++
> ++START_TEST(test_duplicate_id_attribute_1) {
> ++ /*
> ++ https://www.w3.org/TR/xml/#attdecls
> ++
> ++ Test the following statement from the linked specification:
> ++ When more than one definition is provided for the same attribute of a
> given
> ++ element type, the first declaration is binding and later declarations
> are
> ++ ignored.
> ++ */
> ++
> ++ const char *text
> ++ = "<!DOCTYPE doc [\n"
> ++ " <!ATTLIST doc identifier CDATA 'expected' identifier ID
> #REQUIRED>\n"
> ++ "]>\n"
> ++ "<doc/>\n";
> ++ AttrInfo doc_info[] = {{XCS("identifier"), XCS("expected")}, {NULL,
> NULL}};
> ++ ElementInfo info[]
> ++ = {{XCS("doc"), 0, 1, NULL, doc_info}, {NULL, 0, 0, NULL, NULL}};
> ++
> ++ XML_Parser parser = XML_ParserCreate(NULL);
> ++ assert_true(parser != NULL);
> ++
> ++ ParserAndElementInfo parserAndElementInfos = {
> ++ parser,
> ++ info,
> ++ };
> ++
> ++ XML_SetStartElementHandler(parser, counting_start_element_handler);
> ++ XML_SetUserData(parser, &parserAndElementInfos);
> ++
> ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
> ++ != XML_STATUS_OK)
> ++ xml_failure(parser);
> ++
> ++ XML_ParserFree(parser);
> ++}
> ++END_TEST
> ++
> ++START_TEST(test_duplicate_id_attribute_2) {
> ++ /*
> ++ https://www.w3.org/TR/xml/#attdecls
> ++
> ++ Test the following statement from the linked specification:
> ++ When more than one definition is provided for the same attribute of a
> given
> ++ element type, the first declaration is binding and later declarations
> are
> ++ ignored.
> ++ */
> ++
> ++ const char *text
> ++ = "<!DOCTYPE doc [\n"
> ++ " <!ATTLIST doc identifier ID #REQUIRED identifier CDATA
> 'unexpected'>\n"
> ++ "]>\n"
> ++ "<doc/>\n";
> ++ AttrInfo doc_info[] = {{NULL, NULL}};
> ++
> ++ ElementInfo info[]
> ++ = {{XCS("doc"), 0, 0, NULL, doc_info}, {NULL, 0, 0, NULL, NULL}};
> ++
> ++ XML_Parser parser = XML_ParserCreate(NULL);
> ++ assert_true(parser != NULL);
> ++
> ++ ParserAndElementInfo parserAndElementInfos = {
> ++ parser,
> ++ info,
> ++ };
> ++
> ++ XML_SetStartElementHandler(parser, counting_start_element_handler);
> ++ XML_SetUserData(parser, &parserAndElementInfos);
> ++
> ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
> ++ != XML_STATUS_OK)
> ++ xml_failure(parser);
> ++
> ++ XML_ParserFree(parser);
> ++}
> ++END_TEST
> ++
> ++START_TEST(test_duplicate_cdata_attribute_multiple_attlistdecl) {
> ++ /*
> ++ https://www.w3.org/TR/xml/#attdecls
> ++
> ++ Test the following statement from the linked specification:
> ++ When more than one AttlistDecl is provided for a given element type,
> ++ the contents of all those provided are merged.
> ++ */
> ++ const char *text = "<!DOCTYPE doc [\n"
> ++ " <!ATTLIST doc attribute CDATA 'expected'>\n"
> ++ " <!ATTLIST doc attribute CDATA 'ignored'>\n"
> ++ "]>\n"
> ++ "<doc/>\n";
> ++ AttrInfo doc_info[] = {{XCS("attribute"), XCS("expected")}, {NULL, NULL}};
> ++ ElementInfo info[]
> ++ = {{XCS("doc"), 0, 1, NULL, doc_info}, {NULL, 0, 0, NULL, NULL}};
> ++
> ++ XML_Parser parser = XML_ParserCreate(NULL);
> ++ assert_true(parser != NULL);
> ++
> ++ ParserAndElementInfo parserAndElementInfos = {
> ++ parser,
> ++ info,
> ++ };
> ++
> ++ XML_SetStartElementHandler(parser, counting_start_element_handler);
> ++ XML_SetUserData(parser, &parserAndElementInfos);
> ++
> ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
> ++ != XML_STATUS_OK)
> ++ xml_failure(parser);
> ++
> ++ XML_ParserFree(parser);
> ++}
> ++END_TEST
> ++
> ++START_TEST(test_duplicate_cdata_attribute_multiple_attlistdecl_2) {
> ++ /*
> ++ https://www.w3.org/TR/xml/#attdecls
> ++
> ++ Test the following statement from the linked specification:
> ++ When more than one AttlistDecl is provided for a given element type,
> ++ the contents of all those provided are merged.
> ++ */
> ++ const char *text = "<!DOCTYPE doc [\n"
> ++ " <!ATTLIST doc attribute CDATA 'expected_doc'>\n"
> ++ " <!ATTLIST tag attribute CDATA 'expected_tag'>\n"
> ++ " <!ATTLIST doc attribute CDATA 'ignored_doc'>\n"
> ++ "]>\n"
> ++ "<doc><tag></tag></doc>\n";
> ++ AttrInfo doc_info[] = {{XCS("attribute"), XCS("expected_doc")}, {NULL,
> NULL}};
> ++ AttrInfo tag_info[] = {{XCS("attribute"), XCS("expected_tag")}, {NULL,
> NULL}};
> ++ ElementInfo info[] = {{XCS("doc"), 0, 1, NULL, doc_info},
> ++ {XCS("tag"), 0, 1, NULL, tag_info},
> ++ {NULL, 0, 0, NULL, NULL}};
> ++
> ++ XML_Parser parser = XML_ParserCreate(NULL);
> ++ assert_true(parser != NULL);
> ++
> ++ ParserAndElementInfo parserAndElementInfos = {
> ++ parser,
> ++ info,
> ++ };
> ++
> ++ XML_SetStartElementHandler(parser, counting_start_element_handler);
> ++ XML_SetUserData(parser, &parserAndElementInfos);
> ++
> ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
> ++ != XML_STATUS_OK)
> ++ xml_failure(parser);
> ++
> ++ XML_ParserFree(parser);
> ++}
> ++END_TEST
> ++
> ++START_TEST(test_duplicate_cdata_attribute_multiple_attlistdecl_3) {
> ++ /*
> ++ https://www.w3.org/TR/xml/#attdecls
> ++
> ++ Test the following statement from the linked specification:
> ++ When more than one AttlistDecl is provided for a given element type,
> ++ the contents of all those provided are merged.
> ++ */
> ++ const char *text
> ++ = "<!DOCTYPE doc [\n"
> ++ " <!ATTLIST doc attribute CDATA 'expected_doc'>\n"
> ++ " <!ATTLIST tag attribute CDATA 'expected_tag'>\n"
> ++ " <!ATTLIST doc second_attribute CDATA 'second_expected_doc'
> attribute CDATA 'ignored_doc'>\n"
> ++ "]>\n"
> ++ "<doc><tag></tag></doc>\n";
> ++ AttrInfo doc_info[] = {{XCS("attribute"), XCS("expected_doc")},
> ++ {XCS("second_attribute"),
> XCS("second_expected_doc")},
> ++ {NULL, NULL}};
> ++ AttrInfo tag_info[] = {{XCS("attribute"), XCS("expected_tag")}, {NULL,
> NULL}};
> ++ ElementInfo info[] = {{XCS("doc"), 0, 2, NULL, doc_info},
> ++ {XCS("tag"), 0, 1, NULL, tag_info},
> ++ {NULL, 0, 0, NULL, NULL}};
> ++
> ++ XML_Parser parser = XML_ParserCreate(NULL);
> ++ assert_true(parser != NULL);
> ++
> ++ ParserAndElementInfo parserAndElementInfos = {
> ++ parser,
> ++ info,
> ++ };
> ++
> ++ XML_SetStartElementHandler(parser, counting_start_element_handler);
> ++ XML_SetUserData(parser, &parserAndElementInfos);
> ++
> ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
> ++ != XML_STATUS_OK)
> ++ xml_failure(parser);
> ++
> ++ XML_ParserFree(parser);
> ++}
> ++END_TEST
> ++
> ++START_TEST(test_duplicate_id_attribute_multiple_attlistdecl) {
> ++ /*
> ++ https://www.w3.org/TR/xml/#attdecls
> ++
> ++ Test the following statement from the linked specification:
> ++ When more than one AttlistDecl is provided for a given element type,
> ++ the contents of all those provided are merged.
> ++ */
> ++ const char *text = "<!DOCTYPE doc [\n"
> ++ " <!ATTLIST doc identifier ID #REQUIRED>\n"
> ++ " <!ATTLIST tag identifier CDATA 'identifier_tag'>\n"
> ++ " <!ATTLIST doc identifier CDATA 'ignored'>\n"
> ++ "]>\n"
> ++ "<doc identifier='doc_identity'><tag></tag></doc>\n";
> ++ AttrInfo doc_info[]
> ++ = {{XCS("identifier"), XCS("doc_identity")}, {NULL, NULL}};
> ++ AttrInfo tag_info[]
> ++ = {{XCS("identifier"), XCS("identifier_tag")}, {NULL, NULL}};
> ++ ElementInfo info[] = {{XCS("doc"), 1, 0, XCS("identifier"), doc_info},
> ++ {XCS("tag"), 0, 1, NULL, tag_info},
> ++ {NULL, 0, 0, NULL, NULL}};
> ++
> ++ XML_Parser parser = XML_ParserCreate(NULL);
> ++ assert_true(parser != NULL);
> ++
> ++ ParserAndElementInfo parserAndElementInfos = {
> ++ parser,
> ++ info,
> ++ };
> ++
> ++ XML_SetStartElementHandler(parser, counting_start_element_handler);
> ++ XML_SetUserData(parser, &parserAndElementInfos);
> ++
> ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
> ++ != XML_STATUS_OK)
> ++ xml_failure(parser);
> ++
> ++ XML_ParserFree(parser);
> ++}
> ++END_TEST
> ++
> + /* Test reset works correctly in the middle of processing an internal
> + * entity. Exercises some obscure code in XML_ParserReset().
> + */
> +@@ -6325,6 +6598,15 @@ make_basic_test_case(Suite *s) {
> + tcase_add_test__ifdef_xml_dtd(tc_basic, test_empty_foreign_dtd);
> + tcase_add_test(tc_basic, test_set_base);
> + tcase_add_test(tc_basic, test_attributes);
> ++ tcase_add_test(tc_basic, test_duplicate_cdata_attribute);
> ++ tcase_add_test(tc_basic, test_duplicate_id_attribute_1);
> ++ tcase_add_test(tc_basic, test_duplicate_id_attribute_2);
> ++ tcase_add_test(tc_basic,
> test_duplicate_cdata_attribute_multiple_attlistdecl);
> ++ tcase_add_test(tc_basic,
> ++ test_duplicate_cdata_attribute_multiple_attlistdecl_2);
> ++ tcase_add_test(tc_basic,
> ++ test_duplicate_cdata_attribute_multiple_attlistdecl_3);
> ++ tcase_add_test(tc_basic,
> test_duplicate_id_attribute_multiple_attlistdecl);
> + tcase_add_test__if_xml_ge(tc_basic, test_reset_in_entity);
> + tcase_add_test(tc_basic, test_resume_invalid_parse);
> + tcase_add_test(tc_basic, test_resume_resuspended);
> +--
> +2.43.0
> +
> diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-03.patch
> b/meta/recipes-core/expat/expat/CVE-2026-45186-03.patch
> new file mode 100644
> index 0000000000..fe3e329b88
> --- /dev/null
> +++ b/meta/recipes-core/expat/expat/CVE-2026-45186-03.patch
> @@ -0,0 +1,46 @@
> +From 74e67b6a37d2e14b899a182bad37d8c49c539f29 Mon Sep 17 00:00:00 2001
> +From: Sebastian Pipping <[email protected]>
> +Date: Mon, 20 Apr 2026 13:44:43 +0200
> +Subject: [PATCH 3/8] tests: Define .attributes the first time around
> +
> +(cherry picked from commit 05307d352a5aa858cdda57ec53a53b597b3a4a82)
> +
> +CVE: CVE-2026-45186
> +Upstream-Status: Backport
> [https://github.com/libexpat/libexpat/pull/1216/commits/05307d352a5aa858cdda57ec53a53b597b3a4a82]
> +Signed-off-by: Theo Gaige <[email protected]>
> +---
> + tests/basic_tests.c | 10 ++++------
> + 1 file changed, 4 insertions(+), 6 deletions(-)
> +
> +diff --git a/tests/basic_tests.c b/tests/basic_tests.c
> +index 907a4580..b0178fc7 100644
> +--- a/tests/basic_tests.c
> ++++ b/tests/basic_tests.c
> +@@ -2439,11 +2439,9 @@ START_TEST(test_attributes) {
> + {XCS("id"), XCS("one")},
> + {NULL, NULL}};
> + AttrInfo tag_info[] = {{XCS("c"), XCS("3")}, {NULL, NULL}};
> +- ElementInfo info[] = {{XCS("doc"), 3, 0, XCS("id"), NULL},
> +- {XCS("tag"), 1, 0, NULL, NULL},
> ++ ElementInfo info[] = {{XCS("doc"), 3, 0, XCS("id"), doc_info},
> ++ {XCS("tag"), 1, 0, NULL, tag_info},
> + {NULL, 0, 0, NULL, NULL}};
> +- info[0].attributes = doc_info;
> +- info[1].attributes = tag_info;
> +
> + XML_Parser parser = XML_ParserCreate(NULL);
> + assert_true(parser != NULL);
> +@@ -5769,8 +5767,8 @@ START_TEST(test_deep_nested_attribute_entity) {
> + (long unsigned)(N_LINES - 1));
> +
> + AttrInfo doc_info[] = {{XCS("name"), XCS("deepText")}, {NULL, NULL}};
> +- ElementInfo info[] = {{XCS("foo"), 1, 0, NULL, NULL}, {NULL, 0, 0, NULL,
> NULL}};
> +- info[0].attributes = doc_info;
> ++ ElementInfo info[]
> ++ = {{XCS("foo"), 1, 0, NULL, doc_info}, {NULL, 0, 0, NULL, NULL}};
> +
> + XML_Parser parser = XML_ParserCreate(NULL);
> + ParserAndElementInfo parserPlusElemenInfo = {parser, info};
> +--
> +2.43.0
> +
> diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-04.patch
> b/meta/recipes-core/expat/expat/CVE-2026-45186-04.patch
> new file mode 100644
> index 0000000000..0c725b232b
> --- /dev/null
> +++ b/meta/recipes-core/expat/expat/CVE-2026-45186-04.patch
> @@ -0,0 +1,32 @@
> +From fa671cc8f4900c709231732c40b0941d4ec36f53 Mon Sep 17 00:00:00 2001
> +From: Sebastian Pipping <[email protected]>
> +Date: Mon, 13 Apr 2026 01:34:03 +0200
> +Subject: [PATCH 4/8] tests: Make counting_start_element_handler enforce
> + complete attribute lists
> +
> +(cherry picked from commit 4176aff73840711060913e0ac6aa1168d8ba5c8d)
> +
> +CVE: CVE-2026-45186
> +Upstream-Status: Backport
> [https://github.com/libexpat/libexpat/pull/1216/commits/4176aff73840711060913e0ac6aa1168d8ba5c8d]
> +Signed-off-by: Theo Gaige <[email protected]>
> +---
> + tests/handlers.c | 3 +++
> + 1 file changed, 3 insertions(+)
> +
> +diff --git a/tests/handlers.c b/tests/handlers.c
> +index 9ff7b354..5e72e8b6 100644
> +--- a/tests/handlers.c
> ++++ b/tests/handlers.c
> +@@ -155,6 +155,9 @@ counting_start_element_handler(void *userData, const
> XML_Char *name,
> + /* Remember, two entries in atts per attribute (see above) */
> + atts += 2;
> + }
> ++
> ++ // Self-test that the test case's list of expected attributes is complete
> ++ assert_true(atts[0] == NULL);
> + }
> +
> + void XMLCALL
> +--
> +2.43.0
> +
> diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-05.patch
> b/meta/recipes-core/expat/expat/CVE-2026-45186-05.patch
> new file mode 100644
> index 0000000000..5ca401935c
> --- /dev/null
> +++ b/meta/recipes-core/expat/expat/CVE-2026-45186-05.patch
> @@ -0,0 +1,32 @@
> +From 3e060a687a3485938f98244f92ebc6f87d53a019 Mon Sep 17 00:00:00 2001
> +From: Sebastian Pipping <[email protected]>
> +Date: Sun, 8 Mar 2026 22:14:41 +0100
> +Subject: [PATCH 5/8] lib: Extract a constant for upcoming reuse
> +
> +(cherry picked from commit fb35f2d2040d114f355bae8a7450942533237530)
> +
> +CVE: CVE-2026-45186
> +Upstream-Status: Backport
> [https://github.com/libexpat/libexpat/pull/1216/commits/fb35f2d2040d114f355bae8a7450942533237530]
> +Signed-off-by: Theo Gaige <[email protected]>
> +---
> + lib/xmlparse.c | 3 ++-
> + 1 file changed, 2 insertions(+), 1 deletion(-)
> +
> +diff --git a/lib/xmlparse.c b/lib/xmlparse.c
> +index 9bc67f38..8d3e8db1 100644
> +--- a/lib/xmlparse.c
> ++++ b/lib/xmlparse.c
> +@@ -7708,8 +7708,9 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD
> *oldDtd,
> + newE->prefix = (PREFIX *)lookup(oldParser, &(newDtd->prefixes),
> + oldE->prefix->name, 0);
> + for (i = 0; i < newE->nDefaultAtts; i++) {
> ++ const XML_Char *const attributeName = oldE->defaultAtts[i].id->name;
> + newE->defaultAtts[i].id = (ATTRIBUTE_ID *)lookup(
> +- oldParser, &(newDtd->attributeIds),
> oldE->defaultAtts[i].id->name, 0);
> ++ oldParser, &(newDtd->attributeIds), attributeName, 0);
> + newE->defaultAtts[i].isCdata = oldE->defaultAtts[i].isCdata;
> + if (oldE->defaultAtts[i].value) {
> + newE->defaultAtts[i].value
> +--
> +2.43.0
> +
> diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-06.patch
> b/meta/recipes-core/expat/expat/CVE-2026-45186-06.patch
> new file mode 100644
> index 0000000000..14e5545792
> --- /dev/null
> +++ b/meta/recipes-core/expat/expat/CVE-2026-45186-06.patch
> @@ -0,0 +1,87 @@
> +From cbf6df87b8525169533e0742fd587fdb0d9ec997 Mon Sep 17 00:00:00 2001
> +From: Sebastian Pipping <[email protected]>
> +Date: Sun, 8 Mar 2026 23:05:49 +0100
> +Subject: [PATCH 6/8] lib: Introduce ELEMENT_TYPE.defaultAttsNames
> +
> +(cherry picked from commit 7f0f1b9e70d937072d2e9e37ae9edf27784cc080)
> +
> +CVE: CVE-2026-45186
> +Upstream-Status: Backport
> [https://github.com/libexpat/libexpat/pull/1216/commits/7f0f1b9e70d937072d2e9e37ae9edf27784cc080]
> +Signed-off-by: Theo Gaige <[email protected]>
> +---
> + lib/xmlparse.c | 17 +++++++++++++++++
> + 1 file changed, 17 insertions(+)
> +
> +diff --git a/lib/xmlparse.c b/lib/xmlparse.c
> +index 8d3e8db1..4a29c18f 100644
> +--- a/lib/xmlparse.c
> ++++ b/lib/xmlparse.c
> +@@ -388,6 +388,7 @@ typedef struct {
> + int nDefaultAtts;
> + int allocDefaultAtts;
> + DEFAULT_ATTRIBUTE *defaultAtts;
> ++ HASH_TABLE defaultAttsNames;
> + } ELEMENT_TYPE;
> +
> + typedef struct {
> +@@ -3844,6 +3845,8 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
> const char *attStr,
> + sizeof(ELEMENT_TYPE));
> + if (! elementType)
> + return XML_ERROR_NO_MEMORY;
> ++ if (! elementType->defaultAttsNames.parser)
> ++ hashTableInit(&(elementType->defaultAttsNames), parser);
> + if (parser->m_ns && ! setElementTypePrefix(parser, elementType))
> + return XML_ERROR_NO_MEMORY;
> + }
> +@@ -7549,6 +7552,7 @@ dtdReset(DTD *p, XML_Parser parser) {
> + ELEMENT_TYPE *e = (ELEMENT_TYPE *)hashTableIterNext(&iter);
> + if (! e)
> + break;
> ++ hashTableDestroy(&(e->defaultAttsNames));
> + if (e->allocDefaultAtts != 0)
> + FREE(parser, e->defaultAtts);
> + }
> +@@ -7590,6 +7594,7 @@ dtdDestroy(DTD *p, XML_Bool isDocEntity, XML_Parser
> parser) {
> + ELEMENT_TYPE *e = (ELEMENT_TYPE *)hashTableIterNext(&iter);
> + if (! e)
> + break;
> ++ hashTableDestroy(&(e->defaultAttsNames));
> + if (e->allocDefaultAtts != 0)
> + FREE(parser, e->defaultAtts);
> + }
> +@@ -7683,6 +7688,10 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD
> *oldDtd,
> + sizeof(ELEMENT_TYPE));
> + if (! newE)
> + return 0;
> ++
> ++ if (! newE->defaultAttsNames.parser)
> ++ hashTableInit(&(newE->defaultAttsNames), parser);
> ++
> + if (oldE->nDefaultAtts) {
> + /* Detect and prevent integer overflow.
> + * The preprocessor guard addresses the "always false" warning
> +@@ -7719,6 +7728,12 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD
> *oldDtd,
> + return 0;
> + } else
> + newE->defaultAtts[i].value = NULL;
> ++
> ++ NAMED *const nameAddedOrFound = (NAMED *)lookup(
> ++ parser, &(newE->defaultAttsNames), attributeName, sizeof(NAMED));
> ++ if (! nameAddedOrFound) {
> ++ return 0;
> ++ }
> + }
> + }
> +
> +@@ -8458,6 +8473,8 @@ getElementType(XML_Parser parser, const ENCODING *enc,
> const char *ptr,
> + sizeof(ELEMENT_TYPE));
> + if (! ret)
> + return NULL;
> ++ if (! ret->defaultAttsNames.parser)
> ++ hashTableInit(&(ret->defaultAttsNames), getRootParserOf(parser, NULL));
> + if (ret->name != name)
> + poolDiscard(&dtd->pool);
> + else {
> +--
> +2.43.0
> +
> diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-07.patch
> b/meta/recipes-core/expat/expat/CVE-2026-45186-07.patch
> new file mode 100644
> index 0000000000..77fafd67e4
> --- /dev/null
> +++ b/meta/recipes-core/expat/expat/CVE-2026-45186-07.patch
> @@ -0,0 +1,52 @@
> +From 6c72e124eb8f699977600edc5183ecce89ce13ec Mon Sep 17 00:00:00 2001
> +From: Sebastian Pipping <[email protected]>
> +Date: Sun, 8 Mar 2026 23:06:29 +0100
> +Subject: [PATCH 7/8] lib: Leverage ELEMENT_TYPE.defaultAttsNames for
> attribute
> + collision detection
> +
> +.. to resolve quadratic runtime behavior
> +
> +(cherry picked from commit 4cd4eb0683e04cd45a2ffc81a08ca2a2663994b5)
> +
> +CVE: CVE-2026-45186
> +Upstream-Status: Backport
> [https://github.com/libexpat/libexpat/pull/1216/commits/4cd4eb0683e04cd45a2ffc81a08ca2a2663994b5]
> +Signed-off-by: Theo Gaige <[email protected]>
> +---
> + lib/xmlparse.c | 14 ++++++++++----
> + 1 file changed, 10 insertions(+), 4 deletions(-)
> +
> +diff --git a/lib/xmlparse.c b/lib/xmlparse.c
> +index 4a29c18f..b3f0b734 100644
> +--- a/lib/xmlparse.c
> ++++ b/lib/xmlparse.c
> +@@ -7177,10 +7177,10 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID
> *attId, XML_Bool isCdata,
> + if (value || isId) {
> + /* The handling of default attributes gets messed up if we have
> + a default which duplicates a non-default. */
> +- int i;
> +- for (i = 0; i < type->nDefaultAtts; i++)
> +- if (attId == type->defaultAtts[i].id)
> +- return 1;
> ++ NAMED *const nameFound
> ++ = (NAMED *)lookup(parser, &(type->defaultAttsNames), attId->name,
> 0);
> ++ if (nameFound)
> ++ return 1;
> + if (isId && ! type->idAtt && ! attId->xmlns)
> + type->idAtt = attId;
> + }
> +@@ -7227,6 +7227,12 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID
> *attId, XML_Bool isCdata,
> + att->isCdata = isCdata;
> + if (! isCdata)
> + attId->maybeTokenized = XML_TRUE;
> ++
> ++ NAMED *const nameAddedOrFound = (NAMED *)lookup(
> ++ parser, &(type->defaultAttsNames), attId->name, sizeof(NAMED));
> ++ if (! nameAddedOrFound)
> ++ return 0;
> ++
> + type->nDefaultAtts += 1;
> + return 1;
> + }
> +--
> +2.43.0
> +
> diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-08.patch
> b/meta/recipes-core/expat/expat/CVE-2026-45186-08.patch
> new file mode 100644
> index 0000000000..1ce5494d3d
> --- /dev/null
> +++ b/meta/recipes-core/expat/expat/CVE-2026-45186-08.patch
> @@ -0,0 +1,39 @@
> +From 594f59a8013ab78cd2e439f4c8d56ed5d261b0a4 Mon Sep 17 00:00:00 2001
> +From: Sebastian Pipping <[email protected]>
> +Date: Fri, 8 May 2026 22:16:24 +0200
> +Subject: [PATCH 8/8] Changes: Document CVE-2026-45186
> +
> +(cherry picked from commit 1045a780a850f1fd0ee3a59b04ec79dd659705ec)
> +
> +CVE: CVE-2026-45186
> +Upstream-Status: Backport
> [https://github.com/libexpat/libexpat/pull/1216/commits/1045a780a850f1fd0ee3a59b04ec79dd659705ec]
> +Signed-off-by: Theo Gaige <[email protected]>
> +---
> + Changes | 11 +++++++++++
> + 1 file changed, 11 insertions(+)
> +
> +diff --git a/Changes b/Changes
> +index 4265d608..1d91af70 100644
> +--- a/Changes
> ++++ b/Changes
Hello,
This patch only update the upstream Changes file and there is no point
carying it. Can you send a v2 without it? The rest of the patch looks
fine.
Thanks!
> +@@ -30,6 +30,17 @@
> +
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> +
> + Patches:
> ++ Security fixes:
> ++ #1216 CVE-2026-45186 -- Fix quadratic runtime from attribute
> name
> ++ collision checks that allowed denial of service attacks
> ++ through moderately sized crafted XML input (CWE-407).
> ++ Please note that a layer of compression around XML can
> ++ significantly reduce the minimum attack payload size.
> ++
> ++ Special thanks to:
> ++ Berkay Eren Ürün
> ++ Nick Wellnhofer
> ++
> + Security fixes:
> + #1018 #1034 CVE-2025-59375 -- Disallow use of disproportional amounts
> of
> + dynamic memory from within an Expat parser (e.g.
> previously
> +--
> +2.43.0
> +
> diff --git a/meta/recipes-core/expat/expat_2.6.4.bb
> b/meta/recipes-core/expat/expat_2.6.4.bb
> index 151720a9e3..a1997ecbba 100644
> --- a/meta/recipes-core/expat/expat_2.6.4.bb
> +++ b/meta/recipes-core/expat/expat_2.6.4.bb
> @@ -51,6 +51,14 @@ SRC_URI =
> "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
> file://CVE-2026-32777-02.patch \
> file://CVE-2026-32778-01.patch \
> file://CVE-2026-32778-02.patch \
> + file://CVE-2026-45186-01.patch \
> + file://CVE-2026-45186-02.patch \
> + file://CVE-2026-45186-03.patch \
> + file://CVE-2026-45186-04.patch \
> + file://CVE-2026-45186-05.patch \
> + file://CVE-2026-45186-06.patch \
> + file://CVE-2026-45186-07.patch \
> + file://CVE-2026-45186-08.patch \
> "
>
> GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/";
--
Yoann Congal
Smile ECS
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#238113):
https://lists.openembedded.org/g/openembedded-core/message/238113
Mute This Topic: https://lists.openembedded.org/mt/119391319/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
