On Thu Jul 9, 2026 at 4:06 PM CEST, Amaury Couderc via lists.openembedded.org 
wrote:
> From: Amaury Couderc <[email protected]>
>
> The existing hash flooding protection (based on SipHash) only used 4 to 8
> bytes of entropy for a salt, when 16 bytes of salt are supported by the
> implementation of SipHash used by Expat. Now full 16 bytes of entropy are
> used to improve protection against hash flooding attacks.
>
> Introduces new API function XML_SetHashSalt16Bytes and deprecates the
> legacy XML_SetHashSalt which is limited to 4-8 bytes.
>
> The fix is split into 2 patches for reviewability:
>   1. Main CVE fix: migrates hash salt to 128-bit struct sipkey, extracts
>      16 bytes of entropy, removes dead get_hash_secret_salt function
>      (copy_salt_to_sipkey accesses the struct directly), adds
>      XML_SetHashSalt16Bytes API, deprecates XML_SetHashSalt, adds symbol
>      export, backport feature macro, tests, and documentation.
>   2. Windows/cmake: adds the missing .def export for the new symbol.
>
> Note: the prerequisite commits that Peter Marko needed for scarthgap
> (clang-tidy misc-no-recursion fix and WASI getpid removal) are already
> present in expat 2.7.5, so they are not needed here.
>
> Backport patch to fix CVE-2026-41080
> https://nvd.nist.gov/vuln/detail/CVE-2026-41080
>
> Upstream fix:
> https://github.com/libexpat/libexpat/pull/1183
>
> CVE: CVE-2026-41080
>
> Signed-off-by: Amaury Couderc <[email protected]>
> ---
>  .../expat/expat/CVE-2026-41080-1.patch        | 517 ++++++++++++++++++
>  .../expat/expat/CVE-2026-41080-2.patch        |  33 ++
>  meta/recipes-core/expat/expat_2.7.5.bb        |   2 +
>  3 files changed, 552 insertions(+)
>  create mode 100644 meta/recipes-core/expat/expat/CVE-2026-41080-1.patch
>  create mode 100644 meta/recipes-core/expat/expat/CVE-2026-41080-2.patch
>
> [...]
> diff --git a/meta/recipes-core/expat/expat/CVE-2026-41080-2.patch 
> b/meta/recipes-core/expat/expat/CVE-2026-41080-2.patch
> new file mode 100644
> index 0000000000..0410f8b070
> --- /dev/null
> +++ b/meta/recipes-core/expat/expat/CVE-2026-41080-2.patch
> @@ -0,0 +1,33 @@
> +From 3cdd1df2644388aff25dd0ed7128c7bb1de1a7d8 Mon Sep 17 00:00:00 2001
> +From: Christoph Reiter <[email protected]>
> +Date: Wed, 10 Jun 2026 21:27:51 +0200
> +Subject: [PATCH 2/2] cmake|windows: add missing export for new
> + XML_SetHashSalt16Bytes
> +
> +A new XML_SetHashSalt16Bytes symbol was added in #1183, but it
> +wasn't added to the def file, so the export is missing when building
> +libexpat on Windows with cmake.
> +
> +Add the new symbol to the .def template.
> +
> +CVE: CVE-2026-41080
> +Upstream-Status: Backport 
> [https://github.com/libexpat/libexpat/commit/3cdd1df2644388aff25dd0ed7128c7bb1de1a7d8]
> +
> +Signed-off-by: Christoph Reiter <[email protected]>
> +Signed-off-by: Amaury Couderc <[email protected]>
> +---
> + lib/libexpat.def.cmake | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/lib/libexpat.def.cmake b/lib/libexpat.def.cmake
> +index 9b9e22cb..948135a5 100644
> +--- a/lib/libexpat.def.cmake
> ++++ b/lib/libexpat.def.cmake
> +@@ -83,3 +83,5 @@ EXPORTS
> + ; added with version 2.7.2
> + @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetAllocTrackerMaximumAmplification @72
> + @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetAllocTrackerActivationThreshold @73
> ++; added with version 2.7.6
> ++  XML_SetHashSalt16Bytes @74

Hello,

CVE-2026-41080-2.patch patch message and linked discussion only mention
build on Windows. Are you sure we need this patch?
Does this fix a build failure you saw?
I'd rather not backport a patch we don't need...

Regards,
-- 
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#240589): 
https://lists.openembedded.org/g/openembedded-core/message/240589
Mute This Topic: https://lists.openembedded.org/mt/120190614/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to