From: Deepak Rathore <[email protected]> This patch applies the upstream fix shown in [1] as referenced by [2].
[1] https://github.com/libexpat/libexpat/commit/30c2fc179ce5d2b1b1bae30bbe0dfddeac894e13 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-56407 Signed-off-by: Deepak Rathore <[email protected]> diff --git a/meta/recipes-core/expat/expat/CVE-2026-56407.patch b/meta/recipes-core/expat/expat/CVE-2026-56407.patch new file mode 100644 index 0000000000..075d38ec7d --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-56407.patch @@ -0,0 +1,43 @@ +From 7216b3584bcfb2d415026d16b8902ee7eacad5ca Mon Sep 17 00:00:00 2001 +From: netliomax25-code <[email protected]> +Date: Tue, 2 Jun 2026 11:59:01 +0530 +Subject: [PATCH] cap entity textLen against signed integer overflow + +CVE: CVE-2026-56407 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/30c2fc179ce5d2b1b1bae30bbe0dfddeac894e13] + +(cherry picked from commit 30c2fc179ce5d2b1b1bae30bbe0dfddeac894e13) +Signed-off-by: Deepak Rathore <[email protected]> +--- + expat/lib/xmlparse.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 71fe2c79..8e90fea8 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -5684,6 +5684,10 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + parser, enc, s + enc->minBytesPerChar, next - enc->minBytesPerChar, + XML_ACCOUNT_NONE); + if (parser->m_declEntity) { ++ /* Detect and prevent signed integer overflow */ ++ if ((size_t)poolLength(&dtd->entityValuePool) > (size_t)INT_MAX) { ++ return XML_ERROR_NO_MEMORY; ++ } + parser->m_declEntity->textPtr = poolStart(&dtd->entityValuePool); + parser->m_declEntity->textLen + = (int)(poolLength(&dtd->entityValuePool)); +@@ -7099,6 +7103,11 @@ storeSelfEntityValue(XML_Parser parser, ENTITY *entity) { + return XML_ERROR_NO_MEMORY; + } + ++ /* Detect and prevent signed integer overflow */ ++ if ((size_t)poolLength(pool) > (size_t)INT_MAX) { ++ poolDiscard(pool); ++ return XML_ERROR_NO_MEMORY; ++ } + entity->textPtr = poolStart(pool); + entity->textLen = (int)(poolLength(pool)); + poolFinish(pool); +-- +2.43.7 diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb index c093e99e2b..ef5c415a2d 100644 --- a/meta/recipes-core/expat/expat_2.7.5.bb +++ b/meta/recipes-core/expat/expat_2.7.5.bb @@ -21,6 +21,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-56406.patch;striplevel=2 \ file://CVE-2026-56409.patch;striplevel=2 \ file://CVE-2026-56411.patch;striplevel=2 \ + file://CVE-2026-56407.patch;striplevel=2 \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" -- 2.35.6
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240649): https://lists.openembedded.org/g/openembedded-core/message/240649 Mute This Topic: https://lists.openembedded.org/mt/120206290/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
