From: Amaury Couderc <[email protected]> Backport patch to fix CVE-2026-7210. https://nvd.nist.gov/vuln/detail/CVE-2026-7210
Upstream fixe: https://github.com/libexpat/libexpat/commit/1ac23e49a46afe040788c8a538afc89e5c4ac8cf Backport the 128-bit hash salt API (XML_SetHashSalt16Bytes) from Expat 2.8.0. The prior hash randomization used only an unsigned long (4 or 8 bytes depending on architecture) as the SipHash key, leaving k[0] as zero. This makes the parser vulnerable to hash-flooding DoS attacks due to insufficient entropy. This backport: - Adds struct sipkey m_hash_secret_salt_128 and XML_Bool m_hash_secret_salt_set to the parser structure - Adds XML_SetHashSalt16Bytes() public API function - Modifies copy_salt_to_sipkey() to use full 128-bit key when set - Modifies startParsing() to auto-generate 128 bits of entropy - Adds XML_BACKPORT_SET_HASH_SALT_16_BYTES capability macro for downstream consumers (e.g. CPython) to detect this backport - Adds basic test coverage for the new API abidiff between the unpatch and unpatched version of expat 2.6.4 : abidiff abidiff-unpatched/libexpat.so.1.10.0 abidiff-patched/libexpat.so.1.10.0 Functions changes summary: 0 Removed, 1 Changed (65 filtered out), 1 Added functions Variables changes summary: 0 Removed, 0 Changed, 0 Added variable 1 Added function: [A] 'function XML_Bool XML_SetHashSalt16Bytes(XML_Parser, const uint8_t*)' {XML_SetHashSalt16Bytes} 1 function with some indirect sub-type change: [C] 'function void XML_DefaultCurrent(XML_Parser)' at xmlparse.c:2899:1 has some indirect sub-type changes: parameter 1 of type 'typedef XML_Parser' has sub-type changes: underlying type 'XML_ParserStruct*' changed: in pointed to type 'struct XML_ParserStruct' at xmlparse.c:665:1: type size changed from 8704 to 8896 (in bits) 2 data member insertions: 'sipkey m_hash_secret_salt_128', at offset 7808 (in bits) at xmlparse.c:781:1 'XML_Bool m_hash_secret_salt_set', at offset 7936 (in bits) at xmlparse.c:782:1 4 data member changes (7 filtered): 'ACCOUNTING m_accounting' offset changed from 7808 to 8000 (in bits) (by +192 bits) 'MALLOC_TRACKER m_alloc_tracker' offset changed from 8128 to 8320 (in bits) (by +192 bits) 'ENTITY_STATS m_entity_stats' offset changed from 8448 to 8640 (in bits) (by +192 bits) 'XML_Bool m_reenter' offset changed from 8640 to 8832 (in bits) (by +192 bits) This patch does not break ABI compatibility: XML_ParserStruct is opaque so its internal layout change is invisible to consumers, and XML_SetHashSalt16Bytes is a purely additive API that doesn't affect existing callers. meta-binaryaudit (https://github.com/Nordix/meta-binaryaudit/). Signed-off-by: Amaury Couderc <[email protected]> --- .../expat/expat/CVE-2026-7210.patch | 219 ++++++++++++++++++ meta/recipes-core/expat/expat_2.6.4.bb | 1 + 2 files changed, 220 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2026-7210.patch diff --git a/meta/recipes-core/expat/expat/CVE-2026-7210.patch b/meta/recipes-core/expat/expat/CVE-2026-7210.patch new file mode 100644 index 0000000000..27813a871c --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-7210.patch @@ -0,0 +1,219 @@ +From d8607abf00cf94316d8c657df1e852087e141538 Mon Sep 17 00:00:00 2001 +From: Amaury Couderc <[email protected]> +Date: Wed, 10 Jun 2026 12:44:35 +0000 +Subject: [PATCH] lib: Backport XML_SetHashSalt16Bytes from Expat 2.8.0 + +Backport the 128-bit hash salt API (XML_SetHashSalt16Bytes) from Expat +2.8.0. The prior hash randomization used only an unsigned long (4 or 8 +bytes depending on architecture) as the SipHash key, leaving k[0] as +zero. This makes the parser vulnerable to hash-flooding DoS attacks +due to insufficient entropy. + +This backport: +- Adds struct sipkey m_hash_secret_salt_128 and XML_Bool + m_hash_secret_salt_set to the parser structure +- Adds XML_SetHashSalt16Bytes() public API function +- Modifies copy_salt_to_sipkey() to use full 128-bit key when set +- Modifies startParsing() to auto-generate 128 bits of entropy +- Adds XML_BACKPORT_SET_HASH_SALT_16_BYTES capability macro for + downstream consumers (e.g. CPython) to detect this backport +- Adds basic test coverage for the new API + +CVE: CVE-2026-7210 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/1ac23e49a46afe040788c8a538afc89e5c4ac8cf] +Signed-off-by: Amaury Couderc <[email protected]> +--- + lib/expat.h | 18 +++++++++++++ + lib/xmlparse.c | 65 ++++++++++++++++++++++++++++++++++++++++++--- + tests/basic_tests.c | 25 +++++++++++++++++ + 3 files changed, 104 insertions(+), 4 deletions(-) + +diff --git a/lib/expat.h b/lib/expat.h +index df207e9..cdb8e08 100644 +--- a/lib/expat.h ++++ b/lib/expat.h +@@ -44,9 +44,15 @@ + #ifndef Expat_INCLUDED + #define Expat_INCLUDED 1 + ++#include <stdint.h> + #include <stdlib.h> + #include "expat_external.h" + ++/* Backport capability macro: 128-bit hash salt API is available. ++ Downstream consumers should test for this rather than relying on ++ XML_COMBINED_VERSION >= 20800 when linked against a backported library. */ ++#define XML_BACKPORT_SET_HASH_SALT_16_BYTES 1 ++ + #ifdef __cplusplus + extern "C" { + #endif +@@ -920,6 +926,18 @@ XML_SetParamEntityParsing(XML_Parser parser, + XMLPARSEAPI(int) + XML_SetHashSalt(XML_Parser parser, unsigned long hash_salt); + ++/* Sets the hash salt to use for internal hash calculations. ++ Helps in preventing DoS attacks based on predicting hash function behavior. ++ This must be called before parsing is started. ++ Returns XML_TRUE if successful, XML_FALSE when called after parsing has ++ started or when parser is NULL. ++ Note: Setting a salt that is not from a source of high quality entropy ++ will make the parser vulnerable to hash flooding attacks. ++ Backported from Expat 2.8.0. ++*/ ++XMLPARSEAPI(XML_Bool) ++XML_SetHashSalt16Bytes(XML_Parser parser, const uint8_t entropy[16]); ++ + /* If XML_Parse or XML_ParseBuffer have returned XML_STATUS_ERROR, then + XML_GetErrorCode returns information about the error. + */ +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 9bc67f3..cc5ec3f 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -778,6 +778,8 @@ struct XML_ParserStruct { + enum XML_ParamEntityParsing m_paramEntityParsing; + #endif + unsigned long m_hash_secret_salt; ++ struct sipkey m_hash_secret_salt_128; ++ XML_Bool m_hash_secret_salt_set; + #if XML_GE == 1 + ACCOUNTING m_accounting; + MALLOC_TRACKER m_alloc_tracker; +@@ -1316,8 +1318,28 @@ callProcessor(XML_Parser parser, const char *start, const char *end, + static XML_Bool /* only valid for root parser */ + startParsing(XML_Parser parser) { + /* hash functions must be initialized before setContext() is called */ +- if (parser->m_hash_secret_salt == 0) +- parser->m_hash_secret_salt = generate_hash_secret_salt(parser); ++ if (! parser->m_hash_secret_salt_set) { ++ if (parser->m_hash_secret_salt == 0) ++ parser->m_hash_secret_salt = generate_hash_secret_salt(parser); ++ /* Generate full 128-bit key for SipHash */ ++ unsigned long salt_parts[2]; ++ salt_parts[0] = generate_hash_secret_salt(parser); ++ salt_parts[1] = parser->m_hash_secret_salt; ++ unsigned char entropy_buf[16]; ++ memset(entropy_buf, 0, sizeof(entropy_buf)); ++ memcpy(entropy_buf, &salt_parts[0], sizeof(salt_parts[0])); ++ memcpy(entropy_buf + sizeof(salt_parts[0]), &salt_parts[1], ++ sizeof(salt_parts[1])); ++ /* On 32-bit, fill remaining 8 bytes with more entropy */ ++ if (sizeof(unsigned long) < 8) { ++ unsigned long extra1 = generate_hash_secret_salt(parser); ++ unsigned long extra2 = generate_hash_secret_salt(parser); ++ memcpy(entropy_buf + 8, &extra1, sizeof(extra1)); ++ memcpy(entropy_buf + 12, &extra2, sizeof(extra2)); ++ } ++ sip_tokey(&parser->m_hash_secret_salt_128, entropy_buf); ++ parser->m_hash_secret_salt_set = XML_TRUE; ++ } + if (parser->m_ns) { + /* implicit context only set for root parser, since child + parsers (i.e. external entity parsers) will inherit it +@@ -1606,6 +1628,9 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) { + parser->m_paramEntityParsing = XML_PARAM_ENTITY_PARSING_NEVER; + #endif + parser->m_hash_secret_salt = 0; ++ memset(&parser->m_hash_secret_salt_128, 0, ++ sizeof(parser->m_hash_secret_salt_128)); ++ parser->m_hash_secret_salt_set = XML_FALSE; + + #if XML_GE == 1 + memset(&parser->m_accounting, 0, sizeof(ACCOUNTING)); +@@ -2330,6 +2355,30 @@ XML_SetHashSalt(XML_Parser parser, unsigned long hash_salt) { + return 1; + } + ++XML_Bool XMLCALL ++XML_SetHashSalt16Bytes(XML_Parser parser, const uint8_t entropy[16]) { ++ if (parser == NULL) ++ return XML_FALSE; ++ ++ if (entropy == NULL) ++ return XML_FALSE; ++ ++ /* Walk up to root parser */ ++ XML_Parser rootParser = parser; ++ while (rootParser->m_parentParser) ++ rootParser = rootParser->m_parentParser; ++ ++ /* block after XML_Parse()/XML_ParseBuffer() has been called */ ++ if (parserBusy(rootParser)) ++ return XML_FALSE; ++ ++ sip_tokey(&(rootParser->m_hash_secret_salt_128), entropy); ++ ++ rootParser->m_hash_secret_salt_set = XML_TRUE; ++ ++ return XML_TRUE; ++} ++ + enum XML_Status XMLCALL + XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) { + if ((parser == NULL) || (len < 0) || ((s == NULL) && (len != 0))) { +@@ -7831,8 +7880,16 @@ keylen(KEY s) { + + static void + copy_salt_to_sipkey(XML_Parser parser, struct sipkey *key) { +- key->k[0] = 0; +- key->k[1] = get_hash_secret_salt(parser); ++ /* Walk up to root parser to access the 128-bit salt */ ++ XML_Parser rootParser = parser; ++ while (rootParser->m_parentParser) ++ rootParser = rootParser->m_parentParser; ++ if (rootParser->m_hash_secret_salt_set) { ++ *key = rootParser->m_hash_secret_salt_128; ++ } else { ++ key->k[0] = 0; ++ key->k[1] = get_hash_secret_salt(parser); ++ } + } + + static unsigned long FASTCALL +diff --git a/tests/basic_tests.c b/tests/basic_tests.c +index 023d9ce..40254e5 100644 +--- a/tests/basic_tests.c ++++ b/tests/basic_tests.c +@@ -204,6 +204,30 @@ START_TEST(test_hash_collision) { + END_TEST + #undef COLLIDING_HASH_SALT + ++START_TEST(test_hash_salt_setter) { ++ const uint8_t entropy[16] = {'0', '1', '2', '3', '4', '5', '6', '7', ++ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'}; ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++ /* NULL parser should be rejected */ ++ assert_true(XML_SetHashSalt16Bytes(NULL, entropy) == XML_FALSE); ++ ++ /* NULL entropy should be rejected */ ++ assert_true(XML_SetHashSalt16Bytes(parser, NULL) == XML_FALSE); ++ ++ /* Setting should be allowed more than once */ ++ assert_true(XML_SetHashSalt16Bytes(parser, entropy) == XML_TRUE); ++ assert_true(XML_SetHashSalt16Bytes(parser, entropy) == XML_TRUE); ++ ++ /* But not after parsing has started */ ++ assert_true(XML_Parse(parser, "", 0, XML_FALSE /* isFinal */) ++ == XML_STATUS_OK); ++ assert_true(XML_SetHashSalt16Bytes(parser, entropy) == XML_FALSE); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ + /* Regression test for SF bug #491986. */ + START_TEST(test_danish_latin1) { + const char *text = "<?xml version='1.0' encoding='iso-8859-1'?>\n" +@@ -6244,6 +6268,7 @@ make_basic_test_case(Suite *s) { + tcase_add_test(tc_basic, test_bom_utf16_le); + tcase_add_test(tc_basic, test_nobom_utf16_le); + tcase_add_test(tc_basic, test_hash_collision); ++ tcase_add_test(tc_basic, test_hash_salt_setter); + tcase_add_test(tc_basic, test_illegal_utf8); + tcase_add_test(tc_basic, test_utf8_auto_align); + tcase_add_test(tc_basic, test_utf16); +-- +2.43.0 + diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb index 151720a9e3..eda0ff9808 100644 --- a/meta/recipes-core/expat/expat_2.6.4.bb +++ b/meta/recipes-core/expat/expat_2.6.4.bb @@ -51,6 +51,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-32777-02.patch \ file://CVE-2026-32778-01.patch \ file://CVE-2026-32778-02.patch \ + file://CVE-2026-7210.patch \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"; -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#238814): https://lists.openembedded.org/g/openembedded-core/message/238814 Mute This Topic: https://lists.openembedded.org/mt/119811772/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
