From: Deepak Rathore <[email protected]> Pick patches [1] and [2] as mentioned in [3].
[1] https://github.com/libexpat/libexpat/commit/55cda8c7125986e17d7e1825cba413bd94a35d02 [2] https://github.com/libexpat/libexpat/commit/a7805c1a8a48d2ce83ef289cf55bdc8b45de76a8 [3] https://security-tracker.debian.org/tracker/CVE-2026-32777 Signed-off-by: Deepak Rathore <[email protected]>
diff --git a/meta/recipes-core/expat/expat/CVE-2026-32777_p1.patch b/meta/recipes-core/expat/expat/CVE-2026-32777_p1.patch
new file mode 100644
index 0000000000..4b30b406ed
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-32777_p1.patch
@@ -0,0 +1,48 @@
+From db449df6a700b677cedf723d7be578457e0bc9c7 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <[email protected]>
+Date: Sun, 1 Mar 2026 20:16:13 +0100
+Subject: [PATCH] lib: Reject XML_TOK_INSTANCE_START infinite loop in
+ entityValueProcessor
+
+.. that OSS-Fuzz/ClusterFuzz uncovered
+
+CVE: CVE-2026-32777
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/55cda8c7125986e17d7e1825cba413bd94a35d02]
+
+(cherry picked from commit 55cda8c7125986e17d7e1825cba413bd94a35d02)
+Signed-off-by: Deepak Rathore <[email protected]>
+---
+ lib/xmlparse.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 10297c9a..c5bd7059 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5080,7 +5080,7 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end,
+ }
+ /* If we get this token, we have the start of what might be a
+ normal tag, but not a declaration (i.e. it doesn't begin with
+- "<!"). In a DTD context, that isn't legal.
++ "<!" or "<?"). In a DTD context, that isn't legal.
+ */
+ else if (tok == XML_TOK_INSTANCE_START) {
+ *nextPtr = next;
+@@ -5169,6 +5169,15 @@ entityValueProcessor(XML_Parser parser, const char *s, const char *end,
+ /* found end of entity value - can store it now */
+ return storeEntityValue(parser, enc, s, end, XML_ACCOUNT_DIRECT, NULL);
+ }
++ /* If we get this token, we have the start of what might be a
++ normal tag, but not a declaration (i.e. it doesn't begin with
++ "<!" or "<?"). In a DTD context, that isn't legal.
++ */
++ else if (tok == XML_TOK_INSTANCE_START) {
++ *nextPtr = next;
++ return XML_ERROR_SYNTAX;
++ }
++
+ start = next;
+ }
+ }
+--
+2.51.0
diff --git a/meta/recipes-core/expat/expat/CVE-2026-32777_p2.patch b/meta/recipes-core/expat/expat/CVE-2026-32777_p2.patch
new file mode 100644
index 0000000000..d6ba0fe10a
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-32777_p2.patch
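Review bot: The comment on the new `else if (tok == XML_TOK_INSTANCE_START)` branch in entityValueProcessor (second hunk of lib/xmlparse.c in CVE-2026-32777_p1.patch) is copied from entityValueInitProcessor and only says the token is illegal in a DTD; it does not record why the branch is needed here. Going by the commit subject, the loop would otherwise never terminate on this token, presumably because `start = next;` makes no progress, though the loop head is outside the hunk so that is inferred. I would add one sentence to the comment, e.g. `Returning here also stops the loop from spinning on this token (CVE-2026-32777).` The same branch now exists in both functions, so a later change to one needs mirroring in the other.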
@@ -0,0 +1,65 @@
+From 14d31645bd58fceb6b3390b8ae6b0de68948bdc3 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <[email protected]>
+Date: Fri, 6 Mar 2026 18:31:34 +0100
+Subject: [PATCH] misc_tests.c: Cover XML_TOK_INSTANCE_START infinite loop
+ case
+
+.. that OSS-Fuzz/ClusterFuzz uncovered
+
+CVE: CVE-2026-32777
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/a7805c1a8a48d2ce83ef289cf55bdc8b45de76a8]
+
+(cherry picked from commit a7805c1a8a48d2ce83ef289cf55bdc8b45de76a8)
+Signed-off-by: Deepak Rathore <[email protected]>
+---
+ tests/misc_tests.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/tests/misc_tests.c b/tests/misc_tests.c
+index 2a805454..bdec886d 100644
+--- a/tests/misc_tests.c
++++ b/tests/misc_tests.c
+@@ -771,6 +771,35 @@ START_TEST(test_misc_async_entity_rejected) {
+ }
+ END_TEST
+
++START_TEST(test_misc_no_infinite_loop_issue_1161) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++ const char *text = "<!DOCTYPE d SYSTEM 'secondary.txt'>";
++
++ struct ExtOption options[] = {
++ {XCS("secondary.txt"),
++ "<!ENTITY % p SYSTEM 'tertiary.txt'><!ENTITY g '%p;'>"},
++ {XCS("tertiary.txt"), "<?xml version='1.0'?><a"},
++ {NULL, NULL},
++ };
++
++ XML_SetUserData(parser, options);
++ XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
++ XML_SetExternalEntityRefHandler(parser, external_entity_optioner);
++
++ assert_true(_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++ == XML_STATUS_ERROR);
++
++#if defined(XML_DTD)
++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_EXTERNAL_ENTITY_HANDLING);
++#else
++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NO_ELEMENTS);
++#endif
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
+ void
+ make_miscellaneous_test_case(Suite *s) {
+ TCase *tc_misc = tcase_create("miscellaneous tests");
+@@ -801,4 +830,5 @@ make_miscellaneous_test_case(Suite *s) {
+ tcase_add_test(tc_misc, test_misc_expected_event_ptr_issue_980);
+ tcase_add_test(tc_misc, test_misc_sync_entity_tolerated);
+ tcase_add_test(tc_misc, test_misc_async_entity_rejected);
++ tcase_add_test(tc_misc, test_misc_no_infinite_loop_issue_1161);
+ }
+--
+2.51.0
diff --git a/meta/recipes-core/expat/expat_2.7.4.bb b/meta/recipes-core/expat/expat_2.7.4.bb
index a1cbf77ae1..da6e4bb657 100644
--- a/meta/recipes-core/expat/expat_2.7.4.bb
+++ b/meta/recipes-core/expat/expat_2.7.4.bb
@@ -11,6 +11,8 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"
 SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
 file://run-ptest \
 file://CVE-2026-32776.patch \
+ file://CVE-2026-32777_p1.patch \
+ file://CVE-2026-32777_p2.patch \
 "
 GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"
--
2.35.6
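Review bot: test_misc_no_infinite_loop_issue_1161 in CVE-2026-32777_p2.patch has no comment saying which part of the input exercises the fix, and a regression would show up as a hang rather than a failed assertion. From the fixture, `tertiary.txt` is pulled in through `%p;` inside the value of entity `g` and ends in `<a` after its text declaration, which looks like the start-of-tag case the xmlparse.c change rejects. A comment above `options` such as `/* tertiary.txt ends in "<a", which must be rejected inside an entity value instead of looping */` would make that explicit. Because the failure mode named in the commit subject is non-termination, it is worth confirming that the ptest runner enforces a timeout; run-ptest is not shown on this page.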
