Le lun. 6 juil. 2026 à 14:31, Amaury Couderc <[email protected]> a écrit :
> ------------------------------ > Hello Yoann, > I've submitted patches for CVE-2026-7210 and CVE-2026-41080 to the wrynose > branch. The master branch requires neither backports nor updates. > However, the patch for CVE-2026-7210 requires the patch for CVE-2026-41080 > for full mitigation, which I've seen was already submitted to the scarthgap > branch (see > https://lists.openembedded.org/g/openembedded-core/message/237838?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3Acreated%2C%2CCVE-2026-41080%2C20%2C2%2C0%2C119168855), > but I'm uncertain whether it has been merged yet. > Given this dependency, do you think it's still worth submitting my > backport for CVE-2026-7210 to scarthgap? > Yes please. I'll take the patch for CVE-2026-41080: (see https://lore.kernel.org/all/[email protected]/ ) Note in you patch comment (below the "---") that the patch for CVE-2026-41080 needs to go first. Thanks! > Kind Regards, > Amaury > ------------------------------ > *From:* Yoann Congal <[email protected]> > *Sent:* Wednesday, 17 June 2026 01:37 > *To:* Amaury Couderc <[email protected]>; > [email protected] < > [email protected]> > *Subject:* Re: [PATCH v2 2/2][OE-core][scarthgap] python3: fix > CVE-2026-7210 > > On Mon Jun 15, 2026 at 8:36 AM CEST, Amaury Couderc via > lists.openembedded.org wrote: > > From: Amaury Couderc <[email protected]> > > > > Backport patch to fix CVE-2026-7210. > > https://nvd.nist.gov/vuln/detail/CVE-2026-7210 > > > > In order to mitigate CVE-2026-7210 this patch should come alongside > > the associated expat one which backports to expat 2.6.4 the fixes > > introduced in expat 2.8.0. > > > > Upstream fixes: > > > https://github.com/python/cpython/pull/149023/commits/03794ce9a58b1f33751c88d7d876dfbf27645c56 > > > https://github.com/python/cpython/pull/149023/commits/ccb8d2f7df9534e49a43554193d7f5f4d993189c > > Hello, > > If I'm not mistaken those fixes are in 3.14.6 or the future 3.15 and > neither are in wrynose nor master. Can you please send a fix for those > branches (either backport or upgrade), and, then, ping back here? > > Thanks! > > > > > > > Signed-off-by: Amaury Couderc <[email protected]> > > --- > > .../python/python3/CVE-2026-7210-1.patch | 90 +++++++++++++++++++ > > .../python/python3/CVE-2026-7210-2.patch | 74 +++++++++++++++ > > .../python/python3_3.12.13.bb | 2 + > > 3 files changed, 166 insertions(+) > > create mode 100644 > meta/recipes-devtools/python/python3/CVE-2026-7210-1.patch > > create mode 100644 > meta/recipes-devtools/python/python3/CVE-2026-7210-2.patch > > > > diff --git a/meta/recipes-devtools/python/python3/CVE-2026-7210-1.patch > b/meta/recipes-devtools/python/python3/CVE-2026-7210-1.patch > > new file mode 100644 > > index 0000000000..63aac320af > > --- /dev/null > > +++ b/meta/recipes-devtools/python/python3/CVE-2026-7210-1.patch > > @@ -0,0 +1,90 @@ > > +From 03794ce9a58b1f33751c88d7d876dfbf27645c56 Mon Sep 17 00:00:00 2001 > > +From: Stan Ulbrych <[email protected]> > > +Date: Sun, 26 Apr 2026 19:31:25 +0100 > > +Subject: [PATCH] Use `XML_SetHashSalt16Bytes` from libExpat when > possible > > + > > +CVE: CVE-2026-7210 > > +Upstream-Status: Backport [ > https://github.com/python/cpython/pull/149023/commits/03794ce9a58b1f33751c88d7d876dfbf27645c56] > with downstream extension for XML_BACKPORT_SET_HASH_SALT_16_BYTES detection > > + > > +Signed-off-by: Amaury Couderc <[email protected]> > > +--- > > + Include/pyexpat.h | 3 +++ > > + .../2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst | 3 +++ > > + Modules/_elementtree.c | 8 ++++++-- > > + Modules/pyexpat.c | 11 ++++++++++- > > + 4 files changed, 22 insertions(+), 3 deletions(-) > > + create mode 100644 > Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst > > + > > +diff --git a/Include/pyexpat.h b/Include/pyexpat.h > > +index f523f8bb273983a..a676e16a7a457ea 100644 > > +--- a/Include/pyexpat.h > > ++++ b/Include/pyexpat.h > > +@@ -57,6 +57,9 @@ struct PyExpat_CAPI > > + XML_Parser parser, unsigned long long > activationThresholdBytes); > > + XML_Bool (*SetAllocTrackerMaximumAmplification)( > > + XML_Parser parser, float maxAmplificationFactor); > > ++ /* might be NULL for expat < 2.8.0 */ > > ++ XML_Bool (*SetHashSalt16Bytes)( > > ++ XML_Parser parser, const uint8_t entropy[16]); > > + /* always add new stuff to the end! */ > > + }; > > + > > +diff --git > a/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst > b/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst > > +new file mode 100644 > > +index 000000000000000..d1b5b368684e6a5 > > +--- /dev/null > > ++++ > b/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst > > +@@ -0,0 +1,3 @@ > > ++Improved protection against XML hash-flooding attacks in > > ++:mod:`xml.parsers.expat` and :mod:`xml.etree.ElementTree` when Python > is > > ++compiled with libExpat 2.8.0 or later. > > +diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c > > +index cbd1e026df27227..b2d4b982602c583 100644 > > +--- a/Modules/_elementtree.c > > ++++ b/Modules/_elementtree.c > > +@@ -3657,8 +3657,12 @@ > _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject > *target, > > + PyErr_NoMemory(); > > + return -1; > > + } > > +- /* expat < 2.1.0 has no XML_SetHashSalt() */ > > +- if (EXPAT(st, SetHashSalt) != NULL) { > > ++ // Prefer 16-byte entropy, only expat >= 2.8.0. See gh-149018 > > ++ if (EXPAT(st, SetHashSalt16Bytes) != NULL) { > > ++ EXPAT(st, SetHashSalt16Bytes)(self->parser, > > ++ (const uint8_t > *)_Py_HashSecret.uc); > > ++ } > > ++ else if (EXPAT(st, SetHashSalt) != NULL) { > > + EXPAT(st, SetHashSalt)(self->parser, > > + (unsigned > long)_Py_HashSecret.expat.hashsalt); > > + } > > +diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c > > +index 0f0afe17513ef1c..1df433e64bc096f 100644 > > +--- a/Modules/pyexpat.c > > ++++ b/Modules/pyexpat.c > > +@@ -1388,7 +1388,12 @@ newxmlparseobject(pyexpat_state *state, const > char *encoding, > > + Py_DECREF(self); > > + return NULL; > > + } > > +-#if XML_COMBINED_VERSION >= 20100 > > ++#if defined(XML_BACKPORT_SET_HASH_SALT_16_BYTES) \ > > ++ || XML_COMBINED_VERSION >= 20800 > > ++ /* This feature was added upstream in libexpat 2.8.0. */ > > ++ XML_SetHashSalt16Bytes(self->itself, > > ++ (const uint8_t *)_Py_HashSecret.uc); > > ++#elif XML_COMBINED_VERSION >= 20100 > > + /* This feature was added upstream in libexpat 2.1.0. */ > > + XML_SetHashSalt(self->itself, > > + (unsigned long)_Py_HashSecret.expat.hashsalt); > > +@@ -2257,6 +2262,12 @@ pyexpat_exec(PyObject *mod) > > + #else > > + capi->SetHashSalt = NULL; > > + #endif > > ++#if defined(XML_BACKPORT_SET_HASH_SALT_16_BYTES) \ > > ++ || XML_COMBINED_VERSION >= 20800 > > ++ capi->SetHashSalt16Bytes = XML_SetHashSalt16Bytes; > > ++#else > > ++ capi->SetHashSalt16Bytes = NULL; > > ++#endif > > + #if XML_COMBINED_VERSION >= 20600 > > + capi->SetReparseDeferralEnabled = XML_SetReparseDeferralEnabled; > > + #else > > diff --git a/meta/recipes-devtools/python/python3/CVE-2026-7210-2.patch > b/meta/recipes-devtools/python/python3/CVE-2026-7210-2.patch > > new file mode 100644 > > index 0000000000..e9a10d3705 > > --- /dev/null > > +++ b/meta/recipes-devtools/python/python3/CVE-2026-7210-2.patch > > @@ -0,0 +1,74 @@ > > +From ccb8d2f7df9534e49a43554193d7f5f4d993189c Mon Sep 17 00:00:00 2001 > > +From: Stan Ulbrych <[email protected]> > > +Date: Sun, 26 Apr 2026 19:42:01 +0100 > > +Subject: [PATCH] Add `_Py_HashSecret_t.expat.hashsalt16` instead > > + > > +CVE: CVE-2026-7210 > > +Upstream-Status: Backport [ > https://github.com/python/cpython/pull/149023/commits/ccb8d2f7df9534e49a43554193d7f5f4d993189c > ] > > + > > +Signed-off-by: Amaury Couderc <[email protected]> > > +--- > > + Include/pyhash.h | 8 +++++--- > > + Modules/_elementtree.c | 2 +- > > + Modules/pyexpat.c | 3 +-- > > + 3 files changed, 7 insertions(+), 6 deletions(-) > > + > > +diff --git a/Include/pyhash.h b/Include/pyhash.h > > +index 84cb72fa6fd1b26..3056dc44cc0f1b1 100644 > > +--- a/Include/pyhash.h > > ++++ b/Include/pyhash.h > > +@@ -39,14 +39,14 @@ > > + * pppppppp ssssssss ........ fnv -- two Py_hash_t > > + * k0k0k0k0 k1k1k1k1 ........ siphash -- two uint64_t > > + * ........ ........ ssssssss djbx33a -- 16 bytes padding + one > Py_hash_t > > +- * ........ ........ eeeeeeee pyexpat XML hash salt > > ++ * eeeeeeee eeeeeeee eeeeeeee pyexpat XML hash salt > > + * > > + * memory layout on 32 bit systems > > + * cccccccc cccccccc cccccccc uc > > + * ppppssss ........ ........ fnv -- two Py_hash_t > > + * k0k0k0k0 k1k1k1k1 ........ siphash -- two uint64_t (*) > > + * ........ ........ ssss.... djbx33a -- 16 bytes padding + one > Py_hash_t > > +- * ........ ........ eeee.... pyexpat XML hash salt > > ++ * eeeeeeee eeeeeeee eeee.... pyexpat XML hash salt > > + * > > + * (*) The siphash member may not be available on 32 bit platforms > without > > + * an unsigned int64 data type. > > +@@ -71,7 +71,9 @@ typedef union { > > + Py_hash_t suffix; > > + } djbx33a; > > + struct { > > +- unsigned char padding[16]; > > ++ /* 16 bytes for XML_SetHashSalt16Bytes */ > > ++ uint8_t hashsalt16[16]; > > ++ /* 4/8 bytes for legacy XML_SetHashSalt */ > > + Py_hash_t hashsalt; > > + } expat; > > + } _Py_HashSecret_t; > > +diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c > > +index b2d4b982602c583..9e794be5c109ba5 100644 > > +--- a/Modules/_elementtree.c > > ++++ b/Modules/_elementtree.c > > +@@ -3660,7 +3660,7 @@ > _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject > *target, > > + // Prefer 16-byte entropy, only expat >= 2.8.0. See gh-149018 > > + if (EXPAT(st, SetHashSalt16Bytes) != NULL) { > > + EXPAT(st, SetHashSalt16Bytes)(self->parser, > > +- (const uint8_t > *)_Py_HashSecret.uc); > > ++ _Py_HashSecret.expat.hashsalt16); > > + } > > + else if (EXPAT(st, SetHashSalt) != NULL) { > > + EXPAT(st, SetHashSalt)(self->parser, > > +diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c > > +index 1df433e64bc096f..78efbef679024f3 100644 > > +--- a/Modules/pyexpat.c > > ++++ b/Modules/pyexpat.c > > +@@ -1391,8 +1391,7 @@ newxmlparseobject(pyexpat_state *state, const > char *encoding, > > + #if defined(XML_BACKPORT_SET_HASH_SALT_16_BYTES) \ > > + || XML_COMBINED_VERSION >= 20800 > > + /* This feature was added upstream in libexpat 2.8.0. */ > > +- XML_SetHashSalt16Bytes(self->itself, > > +- (const uint8_t *)_Py_HashSecret.uc); > > ++ XML_SetHashSalt16Bytes(self->itself, > _Py_HashSecret.expat.hashsalt16); > > + #elif XML_COMBINED_VERSION >= 20100 > > + /* This feature was added upstream in libexpat 2.1.0. */ > > + XML_SetHashSalt(self->itself, > > diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb > b/meta/recipes-devtools/python/python3_3.12.13.bb > > index 5fa25235fe..3e5575d396 100644 > > --- a/meta/recipes-devtools/python/python3_3.12.13.bb > > +++ b/meta/recipes-devtools/python/python3_3.12.13.bb > > @@ -34,6 +34,8 @@ SRC_URI = " > http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ > > file://0001-test_deadlock-skip-problematic-test.patch \ > > file://0001-test_active_children-skip-problematic-test.patch \ > > file://0001-test_readline-skip-limited-history-test.patch \ > > + file://CVE-2026-7210-1.patch \ > > + file://CVE-2026-7210-2.patch \ > > " > > > > SRC_URI:append:class-native = " \ > > > -- > Yoann Congal > Smile ECS > > -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240267): https://lists.openembedded.org/g/openembedded-core/message/240267 Mute This Topic: https://lists.openembedded.org/mt/119811774/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
