From: Deepak Rathore <[email protected]> This patch applies the upstream fix shown in [1] as referenced by [2]. The fix is adapted to the existing Expat 2.7.5 copyString implementation.
[1] https://github.com/libexpat/libexpat/commit/16e2efd867ea8567ffa012210b52ef5918e20817 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-56408 Signed-off-by: Deepak Rathore <[email protected]> diff --git a/meta/recipes-core/expat/expat/CVE-2026-56408.patch b/meta/recipes-core/expat/expat/CVE-2026-56408.patch new file mode 100644 index 0000000000..b8c43636cc --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56408.patch @@ -0,0 +1,36 @@ +From b0cf9e9b0f5dfdd938148931a4605a0fd6b917a7 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <[email protected]> +Date: Thu, 23 Apr 2026 10:31:45 +0200 +Subject: [PATCH] lib: Waterproof `copyString` from integer overflow + +CVE: CVE-2026-56408 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/16e2efd867ea8567ffa012210b52ef5918e20817] + +Backport Changes: +- Adapt the fix to Expat 2.7.5, which calculates charsRequired using + an existing loop instead of xcslen. The upstream string helper + refactoring is not required for the overflow guard. + +(cherry picked from commit 16e2efd867ea8567ffa012210b52ef5918e20817) +Signed-off-by: Deepak Rathore <[email protected]> +--- + expat/lib/xmlparse.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index e441ff7f..4ff5e33b 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -8505,6 +8505,10 @@ copyString(const XML_Char *s, XML_Parser parser) { + /* Include the terminator */ + charsRequired++; + ++ /* Detect and prevent integer overflow */ ++ if (charsRequired > SIZE_MAX / sizeof(XML_Char)) ++ return NULL; ++ + /* Now allocate space for the copy */ + result = MALLOC(parser, charsRequired * sizeof(XML_Char)); + if (result == NULL) +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb index a0c28d162c..267e7db35b 100644 --- a/meta/recipes-core/expat/expat_2.7.5.bb +++ b/meta/recipes-core/expat/expat_2.7.5.bb @@ -12,6 +12,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://run-ptest \ file://CVE-2026-56403_p1.patch;striplevel=2 \ file://CVE-2026-56403_p2.patch;striplevel=2 \ + file://CVE-2026-56408.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" -- 2.35.6
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240642): https://lists.openembedded.org/g/openembedded-core/message/240642 Mute This Topic: https://lists.openembedded.org/mt/120206243/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
