On Thu Jul 9, 2026 at 4:06 PM CEST, Amaury Couderc via lists.openembedded.org wrote: > From: Amaury Couderc <[email protected]> > > The existing hash flooding protection (based on SipHash) only used 4 to 8 > bytes of entropy for a salt, when 16 bytes of salt are supported by the > implementation of SipHash used by Expat. Now full 16 bytes of entropy are > used to improve protection against hash flooding attacks. > > Introduces new API function XML_SetHashSalt16Bytes and deprecates the > legacy XML_SetHashSalt which is limited to 4-8 bytes. > > The fix is split into 2 patches for reviewability: > 1. Main CVE fix: migrates hash salt to 128-bit struct sipkey, extracts > 16 bytes of entropy, removes dead get_hash_secret_salt function > (copy_salt_to_sipkey accesses the struct directly), adds > XML_SetHashSalt16Bytes API, deprecates XML_SetHashSalt, adds symbol > export, backport feature macro, tests, and documentation. > 2. Windows/cmake: adds the missing .def export for the new symbol. > > Note: the prerequisite commits that Peter Marko needed for scarthgap > (clang-tidy misc-no-recursion fix and WASI getpid removal) are already > present in expat 2.7.5, so they are not needed here. > > Backport patch to fix CVE-2026-41080 > https://nvd.nist.gov/vuln/detail/CVE-2026-41080 > > Upstream fix: > https://github.com/libexpat/libexpat/pull/1183 > > CVE: CVE-2026-41080 > > Signed-off-by: Amaury Couderc <[email protected]> > --- > .../expat/expat/CVE-2026-41080-1.patch | 517 ++++++++++++++++++ > .../expat/expat/CVE-2026-41080-2.patch | 33 ++ > meta/recipes-core/expat/expat_2.7.5.bb | 2 + > 3 files changed, 552 insertions(+) > create mode 100644 meta/recipes-core/expat/expat/CVE-2026-41080-1.patch > create mode 100644 meta/recipes-core/expat/expat/CVE-2026-41080-2.patch > > [...] > diff --git a/meta/recipes-core/expat/expat/CVE-2026-41080-2.patch > b/meta/recipes-core/expat/expat/CVE-2026-41080-2.patch > new file mode 100644 > index 0000000000..0410f8b070 > --- /dev/null > +++ b/meta/recipes-core/expat/expat/CVE-2026-41080-2.patch > @@ -0,0 +1,33 @@ > +From 3cdd1df2644388aff25dd0ed7128c7bb1de1a7d8 Mon Sep 17 00:00:00 2001 > +From: Christoph Reiter <[email protected]> > +Date: Wed, 10 Jun 2026 21:27:51 +0200 > +Subject: [PATCH 2/2] cmake|windows: add missing export for new > + XML_SetHashSalt16Bytes > + > +A new XML_SetHashSalt16Bytes symbol was added in #1183, but it > +wasn't added to the def file, so the export is missing when building > +libexpat on Windows with cmake. > + > +Add the new symbol to the .def template. > + > +CVE: CVE-2026-41080 > +Upstream-Status: Backport > [https://github.com/libexpat/libexpat/commit/3cdd1df2644388aff25dd0ed7128c7bb1de1a7d8] > + > +Signed-off-by: Christoph Reiter <[email protected]> > +Signed-off-by: Amaury Couderc <[email protected]> > +--- > + lib/libexpat.def.cmake | 2 ++ > + 1 file changed, 2 insertions(+) > + > +diff --git a/lib/libexpat.def.cmake b/lib/libexpat.def.cmake > +index 9b9e22cb..948135a5 100644 > +--- a/lib/libexpat.def.cmake > ++++ b/lib/libexpat.def.cmake > +@@ -83,3 +83,5 @@ EXPORTS > + ; added with version 2.7.2 > + @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetAllocTrackerMaximumAmplification @72 > + @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetAllocTrackerActivationThreshold @73 > ++; added with version 2.7.6 > ++ XML_SetHashSalt16Bytes @74
Hello, CVE-2026-41080-2.patch patch message and linked discussion only mention build on Windows. Are you sure we need this patch? Does this fix a build failure you saw? I'd rather not backport a patch we don't need... Regards, -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240589): https://lists.openembedded.org/g/openembedded-core/message/240589 Mute This Topic: https://lists.openembedded.org/mt/120190614/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
