mirror of
https://git.yoctoproject.org/poky
synced 2026-06-02 01:19:52 +00:00
expat: patch CVE-2026-25210
Pick patches from [1]. [1] https://github.com/libexpat/libexpat/pull/1075 (From OE-Core rev: 97cf4b2341449b34e61a09437e2159b279f9f848) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Peter Marko
committed by
Richard Purdie
Richard Purdie
parent
46fdae1b0f
commit
236069b7e0
@@ -0,0 +1,27 @@
|
|||||||
|
From 7ddea353ad3795f7222441274d4d9a155b523cba Mon Sep 17 00:00:00 2001
|
||||||
|
From: Matthew Fernandez <matthew.fernandez@gmail.com>
|
||||||
|
Date: Thu, 2 Oct 2025 17:15:15 -0700
|
||||||
|
Subject: [PATCH] lib: Make a doubling more readable
|
||||||
|
|
||||||
|
Suggested-by: Sebastian Pipping <sebastian@pipping.org>
|
||||||
|
|
||||||
|
CVE: CVE-2026-25210
|
||||||
|
Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/7ddea353ad3795f7222441274d4d9a155b523cba]
|
||||||
|
Signed-off-by: Peter Marko <peter.marko@siemens.com>
|
||||||
|
---
|
||||||
|
lib/xmlparse.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
|
||||||
|
index 8cf29257..2f9adffc 100644
|
||||||
|
--- a/lib/xmlparse.c
|
||||||
|
+++ b/lib/xmlparse.c
|
||||||
|
@@ -3499,7 +3499,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
|
||||||
|
tag->name.strLen = convLen;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
- bufSize = (int)(tag->bufEnd - tag->buf) << 1;
|
||||||
|
+ bufSize = (int)(tag->bufEnd - tag->buf) * 2;
|
||||||
|
{
|
||||||
|
char *temp = REALLOC(parser, tag->buf, bufSize);
|
||||||
|
if (temp == NULL)
|
||||||
@@ -0,0 +1,38 @@
|
|||||||
|
From 8855346359a475c022ec8c28484a76c852f144d9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Matthew Fernandez <matthew.fernandez@gmail.com>
|
||||||
|
Date: Thu, 2 Oct 2025 17:15:15 -0700
|
||||||
|
Subject: [PATCH] lib: Realign a size with the `REALLOC` type signature it is
|
||||||
|
passed into
|
||||||
|
|
||||||
|
Note that this implicitly assumes `tag->bufEnd >= tag->buf`, which should
|
||||||
|
already be guaranteed true.
|
||||||
|
|
||||||
|
CVE: CVE-2026-25210
|
||||||
|
Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/8855346359a475c022ec8c28484a76c852f144d9]
|
||||||
|
Signed-off-by: Peter Marko <peter.marko@siemens.com>
|
||||||
|
---
|
||||||
|
---
|
||||||
|
lib/xmlparse.c | 3 +--
|
||||||
|
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
|
||||||
|
index 2f9adffc..ee18a87f 100644
|
||||||
|
--- a/lib/xmlparse.c
|
||||||
|
+++ b/lib/xmlparse.c
|
||||||
|
@@ -3488,7 +3488,6 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
|
||||||
|
const char *fromPtr = tag->rawName;
|
||||||
|
toPtr = (XML_Char *)tag->buf;
|
||||||
|
for (;;) {
|
||||||
|
- int bufSize;
|
||||||
|
int convLen;
|
||||||
|
const enum XML_Convert_Result convert_res
|
||||||
|
= XmlConvert(enc, &fromPtr, rawNameEnd, (ICHAR **)&toPtr,
|
||||||
|
@@ -3499,7 +3498,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
|
||||||
|
tag->name.strLen = convLen;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
- bufSize = (int)(tag->bufEnd - tag->buf) * 2;
|
||||||
|
+ const size_t bufSize = (size_t)(tag->bufEnd - tag->buf) * 2;
|
||||||
|
{
|
||||||
|
char *temp = REALLOC(parser, tag->buf, bufSize);
|
||||||
|
if (temp == NULL)
|
||||||
@@ -0,0 +1,28 @@
|
|||||||
|
From 9c2d990389e6abe2e44527eeaa8b39f16fe859c7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Matthew Fernandez <matthew.fernandez@gmail.com>
|
||||||
|
Date: Thu, 2 Oct 2025 17:15:15 -0700
|
||||||
|
Subject: [PATCH] lib: Introduce an integer overflow check for tag buffer
|
||||||
|
reallocation
|
||||||
|
|
||||||
|
Suggested-by: Sebastian Pipping <sebastian@pipping.org>
|
||||||
|
|
||||||
|
CVE: CVE-2026-25210
|
||||||
|
Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/9c2d990389e6abe2e44527eeaa8b39f16fe859c7]
|
||||||
|
Signed-off-by: Peter Marko <peter.marko@siemens.com>
|
||||||
|
---
|
||||||
|
lib/xmlparse.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
|
||||||
|
index ee18a87f..d8c54c38 100644
|
||||||
|
--- a/lib/xmlparse.c
|
||||||
|
+++ b/lib/xmlparse.c
|
||||||
|
@@ -3498,6 +3498,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
|
||||||
|
tag->name.strLen = convLen;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
+ if (SIZE_MAX / 2 < (size_t)(tag->bufEnd - tag->buf))
|
||||||
|
+ return XML_ERROR_NO_MEMORY;
|
||||||
|
const size_t bufSize = (size_t)(tag->bufEnd - tag->buf) * 2;
|
||||||
|
{
|
||||||
|
char *temp = REALLOC(parser, tag->buf, bufSize);
|
||||||
@@ -43,6 +43,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
|
|||||||
file://CVE-2025-59375-24.patch \
|
file://CVE-2025-59375-24.patch \
|
||||||
file://CVE-2026-24515-01.patch \
|
file://CVE-2026-24515-01.patch \
|
||||||
file://CVE-2026-24515-02.patch \
|
file://CVE-2026-24515-02.patch \
|
||||||
|
file://CVE-2026-25210-01.patch \
|
||||||
|
file://CVE-2026-25210-02.patch \
|
||||||
|
file://CVE-2026-25210-03.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"
|
GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"
|
||||||
|
|||||||
Reference in New Issue
Block a user