From: Peter Marko <[email protected]> Pick patches from [1].
[1] https://github.com/libexpat/libexpat/pull/1075 Signed-off-by: Peter Marko <[email protected]> --- .../expat/expat/CVE-2026-25210-01.patch | 27 +++++++++++++ .../expat/expat/CVE-2026-25210-02.patch | 38 +++++++++++++++++++ .../expat/expat/CVE-2026-25210-03.patch | 28 ++++++++++++++ meta/recipes-core/expat/expat_2.6.4.bb | 3 ++ 4 files changed, 96 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2026-25210-01.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-25210-02.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-25210-03.patch diff --git a/meta/recipes-core/expat/expat/CVE-2026-25210-01.patch b/meta/recipes-core/expat/expat/CVE-2026-25210-01.patch new file mode 100644 index 00000000000..d56e8811915 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-25210-01.patch @@ -0,0 +1,27 @@ +From 7ddea353ad3795f7222441274d4d9a155b523cba Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez <[email protected]> +Date: Thu, 2 Oct 2025 17:15:15 -0700 +Subject: [PATCH] lib: Make a doubling more readable + +Suggested-by: Sebastian Pipping <[email protected]> + +CVE: CVE-2026-25210 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/7ddea353ad3795f7222441274d4d9a155b523cba] +Signed-off-by: Peter Marko <[email protected]> +--- + lib/xmlparse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 8cf29257..2f9adffc 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -3499,7 +3499,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, + tag->name.strLen = convLen; + break; + } +- bufSize = (int)(tag->bufEnd - tag->buf) << 1; ++ bufSize = (int)(tag->bufEnd - tag->buf) * 2; + { + char *temp = REALLOC(parser, tag->buf, bufSize); + if (temp == NULL) diff --git a/meta/recipes-core/expat/expat/CVE-2026-25210-02.patch b/meta/recipes-core/expat/expat/CVE-2026-25210-02.patch new file mode 100644 index 00000000000..21bd6e4fd0e --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-25210-02.patch @@ -0,0 +1,38 @@ +From 8855346359a475c022ec8c28484a76c852f144d9 Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez <[email protected]> +Date: Thu, 2 Oct 2025 17:15:15 -0700 +Subject: [PATCH] lib: Realign a size with the `REALLOC` type signature it is + passed into + +Note that this implicitly assumes `tag->bufEnd >= tag->buf`, which should +already be guaranteed true. + +CVE: CVE-2026-25210 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/8855346359a475c022ec8c28484a76c852f144d9] +Signed-off-by: Peter Marko <[email protected]> +--- +--- + lib/xmlparse.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 2f9adffc..ee18a87f 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -3488,7 +3488,6 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, + const char *fromPtr = tag->rawName; + toPtr = (XML_Char *)tag->buf; + for (;;) { +- int bufSize; + int convLen; + const enum XML_Convert_Result convert_res + = XmlConvert(enc, &fromPtr, rawNameEnd, (ICHAR **)&toPtr, +@@ -3499,7 +3498,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, + tag->name.strLen = convLen; + break; + } +- bufSize = (int)(tag->bufEnd - tag->buf) * 2; ++ const size_t bufSize = (size_t)(tag->bufEnd - tag->buf) * 2; + { + char *temp = REALLOC(parser, tag->buf, bufSize); + if (temp == NULL) diff --git a/meta/recipes-core/expat/expat/CVE-2026-25210-03.patch b/meta/recipes-core/expat/expat/CVE-2026-25210-03.patch new file mode 100644 index 00000000000..46a1618e040 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-25210-03.patch @@ -0,0 +1,28 @@ +From 9c2d990389e6abe2e44527eeaa8b39f16fe859c7 Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez <[email protected]> +Date: Thu, 2 Oct 2025 17:15:15 -0700 +Subject: [PATCH] lib: Introduce an integer overflow check for tag buffer + reallocation + +Suggested-by: Sebastian Pipping <[email protected]> + +CVE: CVE-2026-25210 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/9c2d990389e6abe2e44527eeaa8b39f16fe859c7] +Signed-off-by: Peter Marko <[email protected]> +--- + lib/xmlparse.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index ee18a87f..d8c54c38 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -3498,6 +3498,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, + tag->name.strLen = convLen; + break; + } ++ if (SIZE_MAX / 2 < (size_t)(tag->bufEnd - tag->buf)) ++ return XML_ERROR_NO_MEMORY; + const size_t bufSize = (size_t)(tag->bufEnd - tag->buf) * 2; + { + char *temp = REALLOC(parser, tag->buf, bufSize); diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb index a61357e6c14..048093f010d 100644 --- a/meta/recipes-core/expat/expat_2.6.4.bb +++ b/meta/recipes-core/expat/expat_2.6.4.bb @@ -43,6 +43,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2025-59375-24.patch \ file://CVE-2026-24515-01.patch \ file://CVE-2026-24515-02.patch \ + file://CVE-2026-25210-01.patch \ + file://CVE-2026-25210-02.patch \ + file://CVE-2026-25210-03.patch \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/";
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#230244): https://lists.openembedded.org/g/openembedded-core/message/230244 Mute This Topic: https://lists.openembedded.org/mt/117564593/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
