From: Deepak Rathore <[email protected]>

This patch applies the upstream v1.44 backport for
CVE-2026-57053. The upstream fix commit is referenced in [1],
and the public CVE advisory is referenced in [2].

[1] 
https://git.savannah.gnu.org/cgit/libidn.git/commit/?id=f57fab06afc1e328bbe197ad3d4a4e83c829593e
[2] https://www.cve.org/CVERecord?id=CVE-2026-57053

Signed-off-by: Deepak Rathore <[email protected]>

diff --git a/meta-oe/recipes-extended/libidn/libidn/CVE-2026-57053.patch 
b/meta-oe/recipes-extended/libidn/libidn/CVE-2026-57053.patch
new file mode 100644
index 0000000000..7079f9c429
--- /dev/null
+++ b/meta-oe/recipes-extended/libidn/libidn/CVE-2026-57053.patch
@@ -0,0 +1,28 @@
+From f57fab06afc1e328bbe197ad3d4a4e83c829593e Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <[email protected]>
+Date: Tue, 16 Jun 2026 17:23:38 +0200
+Subject: [PATCH] Guard against read-out-bounds on some xn-- strings
+
+Report and suggested fix by [email protected] in:
+https://lists.gnu.org/archive/html/help-libidn/2026-05/msg00000.html
+
+CVE: CVE-2026-57053
+Upstream-Status: Backport 
[https://git.savannah.gnu.org/cgit/libidn.git/commit/?id=f57fab06afc1e328bbe197ad3d4a4e83c829593e]
+
+(cherry picked from commit f57fab06afc1e328bbe197ad3d4a4e83c829593e)
+Signed-off-by: Deepak Rathore <[email protected]>
+---
+ lib/idna.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/idna.c b/lib/idna.c
+index 27de4489..29664245 100644
+--- a/lib/idna.c
++++ b/lib/idna.c
+@@ -388,4 +388,5 @@ step3:
+-  if (c_strcasecmp (utf8in, tmpout + strlen (IDNA_ACE_PREFIX)) != 0)
++  if (c_strncasecmp (tmpout, IDNA_ACE_PREFIX, strlen (IDNA_ACE_PREFIX)) != 0
++      || c_strcasecmp (utf8in, tmpout + strlen (IDNA_ACE_PREFIX)) != 0)
+     {
+       free (utf8in);
+       return IDNA_ROUNDTRIP_VERIFY_ERROR;
diff --git a/meta-oe/recipes-extended/libidn/libidn_1.43.bb 
b/meta-oe/recipes-extended/libidn/libidn_1.43.bb
index 7c478a1495..e645ffce20 100644
--- a/meta-oe/recipes-extended/libidn/libidn_1.43.bb
+++ b/meta-oe/recipes-extended/libidn/libidn_1.43.bb
@@ -17,6 +17,7 @@ inherit pkgconfig autotools gettext texinfo gtk-doc
 
 SRC_URI = "${GNU_MIRROR}/libidn/${BPN}-${PV}.tar.gz \
            file://dont-depend-on-help2man.patch \
+           file://CVE-2026-57053.patch \
            "
 
 SRC_URI[sha256sum] = 
"bdc662c12d041b2539d0e638f3a6e741130cdb33a644ef3496963a443482d164"
-- 
2.35.6

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#128120): 
https://lists.openembedded.org/g/openembedded-devel/message/128120
Mute This Topic: https://lists.openembedded.org/mt/120188240/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to