Hello community,

here is the log from the commit of package libyang for openSUSE:Factory checked in at 2026-05-27 16:21:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libyang (Old)
 and      /work/SRC/openSUSE:Factory/.libyang.new.1937 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libyang" Wed May 27 16:21:04 2026 rev:21 rq:1355368 version:3.13.6 Changes: -------- --- /work/SRC/openSUSE:Factory/libyang/libyang.changes 2026-04-23 17:10:15.734698900 +0200 +++ /work/SRC/openSUSE:Factory/.libyang.new.1937/libyang.changes 2026-05-27 16:21:31.496113080 +0200 @@ -1,0 +2,7 @@ +Wed May 27 08:19:08 UTC 2026 - Petr Gajdos <[email protected]> + +- added patches + CVE-2026-41401: use-after-free in `lyd_parser_set_data_flags` when processing crafted YANG XML documents with specific metadata attributes [bsc#1266316] + * libyang-CVE-2026-41401.patch + +------------------------------------------------------------------- New: ---- libyang-CVE-2026-41401.patch ----------(New B)---------- New: CVE-2026-41401: use-after-free in `lyd_parser_set_data_flags` when processing crafted YANG XML documents with specific metadata attributes [bsc#1266316] * libyang-CVE-2026-41401.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libyang.spec ++++++ --- /var/tmp/diff_new_pack.k7deye/_old 2026-05-27 16:21:32.884170067 +0200 +++ /var/tmp/diff_new_pack.k7deye/_new 2026-05-27 16:21:32.888170231 +0200 @@ -27,6 +27,8 @@ Group: System/Libraries URL: https://github.com/CESNET/libyang Source0: https://github.com/CESNET/libyang/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +# CVE-2026-41401: use-after-free in `lyd_parser_set_data_flags` when processing crafted YANG XML documents with specific metadata attributes [bsc#1266316] +Patch0: libyang-CVE-2026-41401.patch BuildRequires: cmake BuildRequires: doxygen BuildRequires: fdupes ++++++ libyang-CVE-2026-41401.patch ++++++ >From 54c3276d871023da266d4ed3ceaee7e8d71d0b04 Mon Sep 17 00:00:00 2001 
From: Michal Vasko <[email protected]> Date: Thu, 26 Mar 2026 08:33:44 +0100 Subject: [PATCH] parser common BUGFIX invalid metadata removal --- src/parser_common.c | 4 ++-- tests/fuzz/corpus/lyd_parse_mem_xml/advisory2026_03_26 | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 tests/fuzz/corpus/lyd_parse_mem_xml/advisory2026_03_26 Index: libyang-3.13.6/src/parser_common.c =================================================================== --- libyang-3.13.6.orig/src/parser_common.c +++ libyang-3.13.6/src/parser_common.c @@ -413,8 +413,8 @@ lyd_parser_set_data_flags(struct lyd_nod next_meta = meta2->next; /* delete the metadata */ - if (meta != &node->meta) { - *meta = (*meta)->next; + if ((meta != &node->meta) && (meta2 == *meta)) { + *meta = next_meta; } lyd_free_meta_single(meta2); if (prev_meta) {
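Review bot: In the libyang.spec hunk, `Patch0: libyang-CVE-2026-41401.patch` is declared but no change to %prep is visible in this diff, so please confirm that %prep actually applies it (through %autosetup with patch application enabled, or an explicit %patch line); if it does not, the package builds without the fix. The patch uses the paths `libyang-3.13.6.orig/src/parser_common.c` and `libyang-3.13.6/src/parser_common.c`, so it has to be applied with strip level 1 from inside the source directory. It would also help to name the upstream commit 54c3276d871023da266d4ed3ceaee7e8d71d0b04 in the comment above Patch0, so the backport can be traced without opening the patch file.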
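Review bot: In the src/parser_common.c hunk, the new guard `(meta2 == *meta)` in `lyd_parser_set_data_flags` is undocumented; the only comment there is still `/* delete the metadata */`, which does not say when `*meta` may be moved. The removed line `*meta = (*meta)->next;` advanced the caller's list head on every removal, whether or not `meta2` was that head, and the fix depends on the head moving to `next_meta` only when the entry handed to `lyd_free_meta_single(meta2)` is the head itself. Please put that invariant in a comment, and also note why the `meta == &node->meta` case needs no explicit update here, since that relies on behaviour of `lyd_free_meta_single` that this hunk does not show. The diffstat lists only a fuzz corpus file as test coverage; a unit test that removes a metadata entry that is not first in the list would pin the behaviour down more directly.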
