Le lun. 6 juil. 2026 à 14:31, Amaury Couderc <[email protected]> a
écrit :

> ------------------------------
> Hello Yoann,
> I've submitted patches for CVE-2026-7210 and CVE-2026-41080 to the wrynose
> branch. The master branch requires neither backports nor updates.
> However, the patch for CVE-2026-7210 requires the patch for CVE-2026-41080
> for full mitigation, which I've seen was already submitted to the scarthgap
> branch (see
> https://lists.openembedded.org/g/openembedded-core/message/237838?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3Acreated%2C%2CCVE-2026-41080%2C20%2C2%2C0%2C119168855),
> but I'm uncertain whether it has been merged yet.
> Given this dependency, do you think it's still worth submitting my
> backport for CVE-2026-7210 to scarthgap?
>
Yes please.

I'll take the patch for CVE-2026-41080: (see
https://lore.kernel.org/all/[email protected]/
)
Note in you patch comment (below the "---") that the patch for
CVE-2026-41080 needs to go first.

Thanks!


> Kind Regards,
> Amaury
> ------------------------------
> *From:* Yoann Congal <[email protected]>
> *Sent:* Wednesday, 17 June 2026 01:37
> *To:* Amaury Couderc <[email protected]>;
> [email protected] <
> [email protected]>
> *Subject:* Re: [PATCH v2 2/2][OE-core][scarthgap] python3: fix
> CVE-2026-7210
>
> On Mon Jun 15, 2026 at 8:36 AM CEST, Amaury Couderc via
> lists.openembedded.org wrote:
> > From: Amaury Couderc <[email protected]>
> >
> > Backport patch to fix CVE-2026-7210.
> >   https://nvd.nist.gov/vuln/detail/CVE-2026-7210
> >
> > In order to mitigate CVE-2026-7210 this patch should come alongside
> > the associated expat one which backports to expat 2.6.4 the fixes
> > introduced in expat 2.8.0.
> >
> > Upstream fixes:
> >
> https://github.com/python/cpython/pull/149023/commits/03794ce9a58b1f33751c88d7d876dfbf27645c56
> >
> https://github.com/python/cpython/pull/149023/commits/ccb8d2f7df9534e49a43554193d7f5f4d993189c
>
> Hello,
>
> If I'm not mistaken those fixes are in 3.14.6 or the future 3.15 and
> neither are in wrynose nor master. Can you please send a fix for those
> branches (either backport or upgrade), and, then, ping back here?
>
> Thanks!
>
> >
> >
> > Signed-off-by: Amaury Couderc <[email protected]>
> > ---
> >  .../python/python3/CVE-2026-7210-1.patch      | 90 +++++++++++++++++++
> >  .../python/python3/CVE-2026-7210-2.patch      | 74 +++++++++++++++
> >  .../python/python3_3.12.13.bb                 |  2 +
> >  3 files changed, 166 insertions(+)
> >  create mode 100644
> meta/recipes-devtools/python/python3/CVE-2026-7210-1.patch
> >  create mode 100644
> meta/recipes-devtools/python/python3/CVE-2026-7210-2.patch
> >
> > diff --git a/meta/recipes-devtools/python/python3/CVE-2026-7210-1.patch
> b/meta/recipes-devtools/python/python3/CVE-2026-7210-1.patch
> > new file mode 100644
> > index 0000000000..63aac320af
> > --- /dev/null
> > +++ b/meta/recipes-devtools/python/python3/CVE-2026-7210-1.patch
> > @@ -0,0 +1,90 @@
> > +From 03794ce9a58b1f33751c88d7d876dfbf27645c56 Mon Sep 17 00:00:00 2001
> > +From: Stan Ulbrych <[email protected]>
> > +Date: Sun, 26 Apr 2026 19:31:25 +0100
> > +Subject: [PATCH] Use `XML_SetHashSalt16Bytes` from libExpat when
> possible
> > +
> > +CVE: CVE-2026-7210
> > +Upstream-Status: Backport [
> https://github.com/python/cpython/pull/149023/commits/03794ce9a58b1f33751c88d7d876dfbf27645c56]
> with downstream extension for XML_BACKPORT_SET_HASH_SALT_16_BYTES detection
> > +
> > +Signed-off-by: Amaury Couderc <[email protected]>
> > +---
> > + Include/pyexpat.h                                     |  3 +++
> > + .../2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst   |  3 +++
> > + Modules/_elementtree.c                                |  8 ++++++--
> > + Modules/pyexpat.c                                     | 11 ++++++++++-
> > + 4 files changed, 22 insertions(+), 3 deletions(-)
> > + create mode 100644
> Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst
> > +
> > +diff --git a/Include/pyexpat.h b/Include/pyexpat.h
> > +index f523f8bb273983a..a676e16a7a457ea 100644
> > +--- a/Include/pyexpat.h
> > ++++ b/Include/pyexpat.h
> > +@@ -57,6 +57,9 @@ struct PyExpat_CAPI
> > +         XML_Parser parser, unsigned long long
> activationThresholdBytes);
> > +     XML_Bool (*SetAllocTrackerMaximumAmplification)(
> > +         XML_Parser parser, float maxAmplificationFactor);
> > ++    /* might be NULL for expat < 2.8.0 */
> > ++    XML_Bool (*SetHashSalt16Bytes)(
> > ++        XML_Parser parser, const uint8_t entropy[16]);
> > +     /* always add new stuff to the end! */
> > + };
> > +
> > +diff --git
> a/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst
> b/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst
> > +new file mode 100644
> > +index 000000000000000..d1b5b368684e6a5
> > +--- /dev/null
> > ++++
> b/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst
> > +@@ -0,0 +1,3 @@
> > ++Improved protection against XML hash-flooding attacks in
> > ++:mod:`xml.parsers.expat` and :mod:`xml.etree.ElementTree` when Python
> is
> > ++compiled with libExpat 2.8.0 or later.
> > +diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c
> > +index cbd1e026df27227..b2d4b982602c583 100644
> > +--- a/Modules/_elementtree.c
> > ++++ b/Modules/_elementtree.c
> > +@@ -3657,8 +3657,12 @@
> _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject
> *target,
> > +         PyErr_NoMemory();
> > +         return -1;
> > +     }
> > +-    /* expat < 2.1.0 has no XML_SetHashSalt() */
> > +-    if (EXPAT(st, SetHashSalt) != NULL) {
> > ++    // Prefer 16-byte entropy, only expat >= 2.8.0. See gh-149018
> > ++    if (EXPAT(st, SetHashSalt16Bytes) != NULL) {
> > ++        EXPAT(st, SetHashSalt16Bytes)(self->parser,
> > ++                                      (const uint8_t
> *)_Py_HashSecret.uc);
> > ++    }
> > ++    else if (EXPAT(st, SetHashSalt) != NULL) {
> > +         EXPAT(st, SetHashSalt)(self->parser,
> > +                            (unsigned
> long)_Py_HashSecret.expat.hashsalt);
> > +     }
> > +diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
> > +index 0f0afe17513ef1c..1df433e64bc096f 100644
> > +--- a/Modules/pyexpat.c
> > ++++ b/Modules/pyexpat.c
> > +@@ -1388,7 +1388,12 @@ newxmlparseobject(pyexpat_state *state, const
> char *encoding,
> > +         Py_DECREF(self);
> > +         return NULL;
> > +     }
> > +-#if XML_COMBINED_VERSION >= 20100
> > ++#if defined(XML_BACKPORT_SET_HASH_SALT_16_BYTES) \
> > ++    || XML_COMBINED_VERSION >= 20800
> > ++    /* This feature was added upstream in libexpat 2.8.0. */
> > ++    XML_SetHashSalt16Bytes(self->itself,
> > ++                           (const uint8_t *)_Py_HashSecret.uc);
> > ++#elif XML_COMBINED_VERSION >= 20100
> > +     /* This feature was added upstream in libexpat 2.1.0. */
> > +     XML_SetHashSalt(self->itself,
> > +                     (unsigned long)_Py_HashSecret.expat.hashsalt);
> > +@@ -2257,6 +2262,12 @@ pyexpat_exec(PyObject *mod)
> > + #else
> > +     capi->SetHashSalt = NULL;
> > + #endif
> > ++#if defined(XML_BACKPORT_SET_HASH_SALT_16_BYTES) \
> > ++    || XML_COMBINED_VERSION >= 20800
> > ++    capi->SetHashSalt16Bytes = XML_SetHashSalt16Bytes;
> > ++#else
> > ++    capi->SetHashSalt16Bytes = NULL;
> > ++#endif
> > + #if XML_COMBINED_VERSION >= 20600
> > +     capi->SetReparseDeferralEnabled = XML_SetReparseDeferralEnabled;
> > + #else
> > diff --git a/meta/recipes-devtools/python/python3/CVE-2026-7210-2.patch
> b/meta/recipes-devtools/python/python3/CVE-2026-7210-2.patch
> > new file mode 100644
> > index 0000000000..e9a10d3705
> > --- /dev/null
> > +++ b/meta/recipes-devtools/python/python3/CVE-2026-7210-2.patch
> > @@ -0,0 +1,74 @@
> > +From ccb8d2f7df9534e49a43554193d7f5f4d993189c Mon Sep 17 00:00:00 2001
> > +From: Stan Ulbrych <[email protected]>
> > +Date: Sun, 26 Apr 2026 19:42:01 +0100
> > +Subject: [PATCH] Add `_Py_HashSecret_t.expat.hashsalt16` instead
> > +
> > +CVE: CVE-2026-7210
> > +Upstream-Status: Backport [
> https://github.com/python/cpython/pull/149023/commits/ccb8d2f7df9534e49a43554193d7f5f4d993189c
> ]
> > +
> > +Signed-off-by: Amaury Couderc <[email protected]>
> > +---
> > + Include/pyhash.h       | 8 +++++---
> > + Modules/_elementtree.c | 2 +-
> > + Modules/pyexpat.c      | 3 +--
> > + 3 files changed, 7 insertions(+), 6 deletions(-)
> > +
> > +diff --git a/Include/pyhash.h b/Include/pyhash.h
> > +index 84cb72fa6fd1b26..3056dc44cc0f1b1 100644
> > +--- a/Include/pyhash.h
> > ++++ b/Include/pyhash.h
> > +@@ -39,14 +39,14 @@
> > +  *   pppppppp ssssssss ........  fnv -- two Py_hash_t
> > +  *   k0k0k0k0 k1k1k1k1 ........  siphash -- two uint64_t
> > +  *   ........ ........ ssssssss  djbx33a -- 16 bytes padding + one
> Py_hash_t
> > +- *   ........ ........ eeeeeeee  pyexpat XML hash salt
> > ++ *   eeeeeeee eeeeeeee eeeeeeee  pyexpat XML hash salt
> > +  *
> > +  * memory layout on 32 bit systems
> > +  *   cccccccc cccccccc cccccccc  uc
> > +  *   ppppssss ........ ........  fnv -- two Py_hash_t
> > +  *   k0k0k0k0 k1k1k1k1 ........  siphash -- two uint64_t (*)
> > +  *   ........ ........ ssss....  djbx33a -- 16 bytes padding + one
> Py_hash_t
> > +- *   ........ ........ eeee....  pyexpat XML hash salt
> > ++ *   eeeeeeee eeeeeeee eeee....  pyexpat XML hash salt
> > +  *
> > +  * (*) The siphash member may not be available on 32 bit platforms
> without
> > +  *     an unsigned int64 data type.
> > +@@ -71,7 +71,9 @@ typedef union {
> > +         Py_hash_t suffix;
> > +     } djbx33a;
> > +     struct {
> > +-        unsigned char padding[16];
> > ++        /* 16 bytes for XML_SetHashSalt16Bytes */
> > ++        uint8_t hashsalt16[16];
> > ++        /* 4/8 bytes for legacy XML_SetHashSalt */
> > +         Py_hash_t hashsalt;
> > +     } expat;
> > + } _Py_HashSecret_t;
> > +diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c
> > +index b2d4b982602c583..9e794be5c109ba5 100644
> > +--- a/Modules/_elementtree.c
> > ++++ b/Modules/_elementtree.c
> > +@@ -3660,7 +3660,7 @@
> _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject
> *target,
> > +     // Prefer 16-byte entropy, only expat >= 2.8.0. See gh-149018
> > +     if (EXPAT(st, SetHashSalt16Bytes) != NULL) {
> > +         EXPAT(st, SetHashSalt16Bytes)(self->parser,
> > +-                                      (const uint8_t
> *)_Py_HashSecret.uc);
> > ++                                      _Py_HashSecret.expat.hashsalt16);
> > +     }
> > +     else if (EXPAT(st, SetHashSalt) != NULL) {
> > +         EXPAT(st, SetHashSalt)(self->parser,
> > +diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
> > +index 1df433e64bc096f..78efbef679024f3 100644
> > +--- a/Modules/pyexpat.c
> > ++++ b/Modules/pyexpat.c
> > +@@ -1391,8 +1391,7 @@ newxmlparseobject(pyexpat_state *state, const
> char *encoding,
> > + #if defined(XML_BACKPORT_SET_HASH_SALT_16_BYTES) \
> > +     || XML_COMBINED_VERSION >= 20800
> > +     /* This feature was added upstream in libexpat 2.8.0. */
> > +-    XML_SetHashSalt16Bytes(self->itself,
> > +-                           (const uint8_t *)_Py_HashSecret.uc);
> > ++    XML_SetHashSalt16Bytes(self->itself,
> _Py_HashSecret.expat.hashsalt16);
> > + #elif XML_COMBINED_VERSION >= 20100
> > +     /* This feature was added upstream in libexpat 2.1.0. */
> > +     XML_SetHashSalt(self->itself,
> > diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb
> b/meta/recipes-devtools/python/python3_3.12.13.bb
> > index 5fa25235fe..3e5575d396 100644
> > --- a/meta/recipes-devtools/python/python3_3.12.13.bb
> > +++ b/meta/recipes-devtools/python/python3_3.12.13.bb
> > @@ -34,6 +34,8 @@ SRC_URI = "
> http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
> >           file://0001-test_deadlock-skip-problematic-test.patch \
> >           file://0001-test_active_children-skip-problematic-test.patch \
> >             file://0001-test_readline-skip-limited-history-test.patch \
> > +           file://CVE-2026-7210-1.patch \
> > +           file://CVE-2026-7210-2.patch \
> >             "
> >
> >  SRC_URI:append:class-native = " \
>
>
> --
> Yoann Congal
> Smile ECS
>
>

-- 
Yoann Congal
Smile ECS
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#240267): 
https://lists.openembedded.org/g/openembedded-core/message/240267
Mute This Topic: https://lists.openembedded.org/mt/119811774/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to