From: Deepak Rathore <[email protected]> This patch applies the upstream fix shown in [1] as referenced by [3]. The prerequisite in [2] provides XML_INDEX_MAX for the Expat 2.7.5 backport.
[1] https://github.com/libexpat/libexpat/commit/99d8454fdf900a6d00c2a52748e6c0eeb507574d [2] https://github.com/libexpat/libexpat/commit/252ff1a307b1490ce0f430632791e7e52d7e43fd [3] https://nvd.nist.gov/vuln/detail/CVE-2026-56406 Signed-off-by: Deepak Rathore <[email protected]> diff --git a/meta/recipes-core/expat/expat/CVE-2026-56406-dependent.patch b/meta/recipes-core/expat/expat/CVE-2026-56406-dependent.patch new file mode 100644 index 0000000000..c1303029e2 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56406-dependent.patch @@ -0,0 +1,57 @@ +From 4f828b7ee9d6efef618e8a99a0392acbb95e84f2 Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez <[email protected]> +Date: Wed, 27 May 2026 17:01:44 -0700 +Subject: [PATCH] lib: Make `XML_Index` overflow check more intuitive + +In fixing a bug, 7e5b71b748491b6e459e5c9a1d090820f94544d8 introduced a +magic number `2` in this code that made it difficult to understand the +rationale for this overflow check without reading the commit log. This +change introduces some more readable constants to use in these +situations. + +CVE: CVE-2026-56406 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/252ff1a307b1490ce0f430632791e7e52d7e43fd] + +(cherry picked from commit 252ff1a307b1490ce0f430632791e7e52d7e43fd) +Signed-off-by: Deepak Rathore <[email protected]> +--- + expat/lib/xmlparse.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 96127bf8..5ecea7a8 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -101,7 +101,7 @@ + #include <stddef.h> + #include <string.h> /* memset(), memcpy() */ + #include <assert.h> +-#include <limits.h> /* INT_MAX, UINT_MAX */ ++#include <limits.h> /* INT_MAX, LLONG_MAX, LONG_MAX, UINT_MAX */ + #include <stdio.h> /* fprintf */ + #include <stdlib.h> /* getenv, rand_s */ + #include <stdint.h> /* SIZE_MAX, uintptr_t */ +@@ -209,6 +209,12 @@ typedef char ICHAR; + + #endif + ++#ifdef XML_LARGE_SIZE ++# define XML_INDEX_MAX LLONG_MAX ++#else ++# define XML_INDEX_MAX LONG_MAX ++#endif ++ + /* Round up n to be a multiple of sz, where sz is a power of 2. */ + #define ROUND_UP(n, sz) (((n) + ((sz) - 1)) & ~((sz) - 1)) + +@@ -2395,7 +2401,7 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) { + int nLeftOver; + enum XML_Status result; + /* Detect overflow (a+b > MAX <==> b > MAX-a) */ +- if ((XML_Size)len > ((XML_Size)-1) / 2 - parser->m_parseEndByteIndex) { ++ if (len > XML_INDEX_MAX - parser->m_parseEndByteIndex) { + parser->m_errorCode = XML_ERROR_NO_MEMORY; + parser->m_eventPtr = parser->m_eventEndPtr = NULL; + parser->m_processor = errorProcessor; +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat/CVE-2026-56406.patch b/meta/recipes-core/expat/expat/CVE-2026-56406.patch new file mode 100644 index 0000000000..0305f05552 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56406.patch @@ -0,0 +1,36 @@ +From 6e52f18aded0a76cf89f191d7810bc04287f5337 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <[email protected]> +Date: Sun, 31 May 2026 15:18:58 +0200 +Subject: [PATCH] lib: Copy overflow check from `XML_Parse` to + `XML_ParseBuffer` + +CVE: CVE-2026-56406 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/99d8454fdf900a6d00c2a52748e6c0eeb507574d] + +(cherry picked from commit 99d8454fdf900a6d00c2a52748e6c0eeb507574d) +Signed-off-by: Deepak Rathore <[email protected]> +--- + expat/lib/xmlparse.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 5ecea7a8..71fe2c79 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -2518,6 +2518,14 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) { + parser->m_parsingStatus.parsing = XML_PARSING; + } + ++ // Detect and avoid integer overflow ++ if (len > XML_INDEX_MAX - parser->m_parseEndByteIndex) { ++ parser->m_errorCode = XML_ERROR_NO_MEMORY; ++ parser->m_eventPtr = parser->m_eventEndPtr = NULL; ++ parser->m_processor = errorProcessor; ++ return XML_STATUS_ERROR; ++ } ++ + start = parser->m_bufferPtr; + parser->m_positionPtr = start; + parser->m_bufferEnd += len; +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb index dcccc7597e..fa9a8bc100 100644 --- a/meta/recipes-core/expat/expat_2.7.5.bb +++ b/meta/recipes-core/expat/expat_2.7.5.bb @@ -17,6 +17,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56405.patch;striplevel=2 \ file://CVE-2026-56410_p1.patch;striplevel=2 \ file://CVE-2026-56410_p2.patch;striplevel=2 \ + file://CVE-2026-56406-dependent.patch;striplevel=2 \ + file://CVE-2026-56406.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" -- 2.35.6
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240646): https://lists.openembedded.org/g/openembedded-core/message/240646 Mute This Topic: https://lists.openembedded.org/mt/120206277/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
