From: Deepak Rathore <[email protected]>

- wrynose contains Expat 2.7.5, that the listed CVEs affect
versions before 2.8.2, and that this series backports the
relevant upstream fixes rather than upgrading the stable-branch
recipe.
- For CVE-2026-56403, upstream pull request 1232 contains both the
storeAtts fix and the related xcsdup overflow hardening. This makes
the reason for carrying both source patches explicit, even though the
published advisory description names storeAtts specifically.

- Verified the full image build successfully after applying all the patches.

- Ran Ptest on the full image and verified that all tests passed successfully.

Deepak Rathore (10):
  expat: fix CVE-2026-56403
  expat: fix CVE-2026-56408
  expat: fix CVE-2026-56404
  expat: fix CVE-2026-56405
  expat: fix CVE-2026-56410
  expat: fix CVE-2026-56406
  expat: fix CVE-2026-56409
  expat: fix CVE-2026-56411
  expat: fix CVE-2026-56407
  expat: fix CVE-2026-56132

 .../expat/expat/CVE-2026-56132_p1.patch       | 89 +++++++++++++++++++
 .../expat/expat/CVE-2026-56132_p2.patch       | 62 +++++++++++++
 .../expat/expat/CVE-2026-56132_p3.patch       | 76 ++++++++++++++++
 .../expat/expat/CVE-2026-56132_p4.patch       | 63 +++++++++++++
 .../expat/expat/CVE-2026-56132_p5.patch       | 58 ++++++++++++
 .../expat/expat/CVE-2026-56403_p1.patch       | 83 +++++++++++++++++
 .../expat/expat/CVE-2026-56403_p2.patch       | 52 +++++++++++
 .../expat/expat/CVE-2026-56404.patch          | 46 ++++++++++
 .../expat/expat/CVE-2026-56405.patch          | 32 +++++++
 .../expat/CVE-2026-56406-dependent.patch      | 57 ++++++++++++
 .../expat/expat/CVE-2026-56406.patch          | 36 ++++++++
 .../expat/expat/CVE-2026-56407.patch          | 43 +++++++++
 .../expat/expat/CVE-2026-56408.patch          | 36 ++++++++
 .../expat/expat/CVE-2026-56409.patch          | 52 +++++++++++
 .../expat/expat/CVE-2026-56410_p1.patch       | 48 ++++++++++
 .../expat/expat/CVE-2026-56410_p2.patch       | 40 +++++++++
 .../expat/expat/CVE-2026-56411.patch          | 46 ++++++++++
 meta/recipes-core/expat/expat_2.7.5.bb        | 17 ++++
 18 files changed, 936 insertions(+)
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56132_p1.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56132_p2.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56132_p3.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56132_p4.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56132_p5.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56403_p1.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56403_p2.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56404.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56405.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56406-dependent.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56406.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56407.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56408.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56409.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56410_p1.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56410_p2.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-56411.patch

-- 
2.35.6

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#240640): 
https://lists.openembedded.org/g/openembedded-core/message/240640
Mute This Topic: https://lists.openembedded.org/mt/120206235/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to