From: Deepak Rathore <[email protected]> This patch applies the upstream fix shown in [1] as referenced by [2].
[1] https://github.com/libexpat/libexpat/commit/528a4e5017e1bd3b48b689fd0c131df940ae3ea5 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-56411 Signed-off-by: Deepak Rathore <[email protected]> diff --git a/meta/recipes-core/expat/expat/CVE-2026-56411.patch b/meta/recipes-core/expat/expat/CVE-2026-56411.patch new file mode 100644 index 0000000000..e1d7faab33 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56411.patch @@ -0,0 +1,46 @@ +From e447d5d72884a1246894f111a5b72de4e479152e Mon Sep 17 00:00:00 2001 +From: netliomax25-code <[email protected]> +Date: Tue, 2 Jun 2026 13:13:34 +0530 +Subject: [PATCH] xmlwf: protect notation list allocation from integer overflow + +CVE: CVE-2026-56411 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/528a4e5017e1bd3b48b689fd0c131df940ae3ea5] + +(cherry picked from commit 528a4e5017e1bd3b48b689fd0c131df940ae3ea5) +Signed-off-by: Deepak Rathore <[email protected]> +--- + expat/xmlwf/xmlwf.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/expat/xmlwf/xmlwf.c b/expat/xmlwf/xmlwf.c +index 6a0a707a..a9640190 100644 +--- a/expat/xmlwf/xmlwf.c ++++ b/expat/xmlwf/xmlwf.c +@@ -383,9 +383,9 @@ static void XMLCALL + endDoctypeDecl(void *userData) { + XmlwfUserData *data = (XmlwfUserData *)userData; + NotationList **notations; +- int notationCount = 0; ++ size_t notationCount = 0; + NotationList *p; +- int i; ++ size_t i; + + /* How many notations do we have? */ + for (p = data->notationListHead; p != NULL; p = p->next) +@@ -395,6 +395,13 @@ endDoctypeDecl(void *userData) { + goto cleanUp; + } + ++ /* Detect and prevent integer overflow in the multiplication, mirroring ++ the guards in xcsdup() and resolveSystemId() */ ++ if (notationCount > SIZE_MAX / sizeof(NotationList *)) { ++ fprintf(stderr, "Unable to sort notations"); ++ goto cleanUp; ++ } ++ + notations = malloc(notationCount * sizeof(NotationList *)); + if (notations == NULL) { + fprintf(stderr, "Unable to sort notations"); +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb index a71e2f8cba..c093e99e2b 100644 --- a/meta/recipes-core/expat/expat_2.7.5.bb +++ b/meta/recipes-core/expat/expat_2.7.5.bb @@ -20,6 +20,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56406-dependent.patch;striplevel=2 \ file://CVE-2026-56406.patch;striplevel=2 \ file://CVE-2026-56409.patch;striplevel=2 \ + file://CVE-2026-56411.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" -- 2.35.6
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240648): https://lists.openembedded.org/g/openembedded-core/message/240648 Mute This Topic: https://lists.openembedded.org/mt/120206286/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
