From: Deepak Rathore <[email protected]> This patch applies the upstream v1.44 backport for CVE-2026-57053. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2].
[1] https://git.savannah.gnu.org/cgit/libidn.git/commit/?id=f57fab06afc1e328bbe197ad3d4a4e83c829593e [2] https://www.cve.org/CVERecord?id=CVE-2026-57053 Signed-off-by: Deepak Rathore <[email protected]> diff --git a/meta-oe/recipes-extended/libidn/libidn/CVE-2026-57053.patch b/meta-oe/recipes-extended/libidn/libidn/CVE-2026-57053.patch new file mode 100644 index 0000000000..7079f9c429 --- /dev/null +++ b/meta-oe/recipes-extended/libidn/libidn/CVE-2026-57053.patch @@ -0,0 +1,28 @@ +From f57fab06afc1e328bbe197ad3d4a4e83c829593e Mon Sep 17 00:00:00 2001 +From: Simon Josefsson <[email protected]> +Date: Tue, 16 Jun 2026 17:23:38 +0200 +Subject: [PATCH] Guard against read-out-bounds on some xn-- strings + +Report and suggested fix by [email protected] in: +https://lists.gnu.org/archive/html/help-libidn/2026-05/msg00000.html + +CVE: CVE-2026-57053 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/libidn.git/commit/?id=f57fab06afc1e328bbe197ad3d4a4e83c829593e] + +(cherry picked from commit f57fab06afc1e328bbe197ad3d4a4e83c829593e) +Signed-off-by: Deepak Rathore <[email protected]> +--- + lib/idna.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/idna.c b/lib/idna.c +index 27de4489..29664245 100644 +--- a/lib/idna.c ++++ b/lib/idna.c +@@ -388,4 +388,5 @@ step3: +- if (c_strcasecmp (utf8in, tmpout + strlen (IDNA_ACE_PREFIX)) != 0) ++ if (c_strncasecmp (tmpout, IDNA_ACE_PREFIX, strlen (IDNA_ACE_PREFIX)) != 0 ++ || c_strcasecmp (utf8in, tmpout + strlen (IDNA_ACE_PREFIX)) != 0) + { + free (utf8in); + return IDNA_ROUNDTRIP_VERIFY_ERROR; diff --git a/meta-oe/recipes-extended/libidn/libidn_1.43.bb b/meta-oe/recipes-extended/libidn/libidn_1.43.bb index 7c478a1495..e645ffce20 100644 --- a/meta-oe/recipes-extended/libidn/libidn_1.43.bb +++ b/meta-oe/recipes-extended/libidn/libidn_1.43.bb @@ -17,6 +17,7 @@ inherit pkgconfig autotools gettext texinfo gtk-doc SRC_URI = "${GNU_MIRROR}/libidn/${BPN}-${PV}.tar.gz \ file://dont-depend-on-help2man.patch \ + file://CVE-2026-57053.patch \ " SRC_URI[sha256sum] = "bdc662c12d041b2539d0e638f3a6e741130cdb33a644ef3496963a443482d164" -- 2.35.6
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#128120): https://lists.openembedded.org/g/openembedded-devel/message/128120 Mute This Topic: https://lists.openembedded.org/mt/120188240/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
