From: Deepak Rathore <[email protected]> This patch applies the upstream fix shown in [1] as referenced by [2].
[1] https://github.com/libexpat/libexpat/commit/61f7cdda22546c4bee38dd2d3fa3d6e4aa64d33e [2] https://nvd.nist.gov/vuln/detail/CVE-2026-56409 Signed-off-by: Deepak Rathore <[email protected]> diff --git a/meta/recipes-core/expat/expat/CVE-2026-56409.patch b/meta/recipes-core/expat/expat/CVE-2026-56409.patch new file mode 100644 index 0000000000..a24ce369be --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56409.patch @@ -0,0 +1,52 @@ +From 10938bc2cef7573087566b5b1c948061baa68b98 Mon Sep 17 00:00:00 2001 +From: netliomax25-code <[email protected]> +Date: Mon, 1 Jun 2026 11:53:19 +0530 +Subject: [PATCH] xmlwf: protect output path join from integer overflow + +CVE: CVE-2026-56409 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/61f7cdda22546c4bee38dd2d3fa3d6e4aa64d33e] + +Backport Changes: +- Adapt the allocation hunk to the explicit cast used by Expat 2.7.5. + +(cherry picked from commit 61f7cdda22546c4bee38dd2d3fa3d6e4aa64d33e) +Signed-off-by: Deepak Rathore <[email protected]> +--- + expat/xmlwf/xmlwf.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/expat/xmlwf/xmlwf.c b/expat/xmlwf/xmlwf.c +index 06416454..6a0a707a 100644 +--- a/expat/xmlwf/xmlwf.c ++++ b/expat/xmlwf/xmlwf.c +@@ -1236,8 +1236,26 @@ tmain(int argc, XML_Char **argv) { + } + #endif + } +- outName = (XML_Char *)malloc((tcslen(outputDir) + tcslen(file) + 2) +- * sizeof(XML_Char)); ++ const size_t outputDirLen = tcslen(outputDir); ++ const size_t fileLen = tcslen(file); ++ ++ /* Detect and prevent integer overflow in the addition (without ++ risking underflow) and the multiplication, mirroring the guards ++ in xcsdup() and resolveSystemId() */ ++ if (outputDirLen > SIZE_MAX - fileLen ++ || outputDirLen > SIZE_MAX - fileLen - 2) { ++ tperror(T("Could not allocate memory")); ++ exit(XMLWF_EXIT_INTERNAL_ERROR); ++ } ++ ++ const size_t charsRequired = outputDirLen + fileLen + 2; ++ ++ if (charsRequired > SIZE_MAX / sizeof(XML_Char)) { ++ tperror(T("Could not allocate memory")); ++ exit(XMLWF_EXIT_INTERNAL_ERROR); ++ } ++ ++ outName = malloc(charsRequired * sizeof(XML_Char)); + if (! outName) { + tperror(T("Could not allocate memory")); + exit(XMLWF_EXIT_INTERNAL_ERROR); +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb index fa9a8bc100..a71e2f8cba 100644 --- a/meta/recipes-core/expat/expat_2.7.5.bb +++ b/meta/recipes-core/expat/expat_2.7.5.bb @@ -19,6 +19,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56410_p2.patch;striplevel=2 \ file://CVE-2026-56406-dependent.patch;striplevel=2 \ file://CVE-2026-56406.patch;striplevel=2 \ + file://CVE-2026-56409.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" -- 2.35.6
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240647): https://lists.openembedded.org/g/openembedded-core/message/240647 Mute This Topic: https://lists.openembedded.org/mt/120206282/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
