* [OE-core][PATCH] expat: upgrade 2.7.3 -> 2.7.4
@ 2026-01-31 14:53 Peter Marko
2026-02-04 14:01 ` Yoann Congal
0 siblings, 1 reply; 2+ messages in thread
From: Peter Marko @ 2026-01-31 14:53 UTC (permalink / raw)
To: openembedded-core; +Cc: Peter Marko
From: Peter Marko <peter.marko@siemens.com>
Changelog [1]:
Security fixes:
#1131 CVE-2026-24515 -- Function XML_ExternalEntityParserCreate
failed to copy the encoding handler data passed to
XML_SetUnknownEncodingHandler from the parent to the new
subparser. This can cause a NULL dereference (CWE-476) from
external entities that declare use of an unknown encoding.
The expected impact is denial of service. It takes use of
both functions XML_ExternalEntityParserCreate and
XML_SetUnknownEncodingHandler for an application to be
vulnerable.
#1075 CVE-2026-25210 -- Add missing check for integer overflow
related to buffer size determination in function doContent
Bug fixes:
#1073 lib: Fix missing undoing of group size expansion in doProlog
failure cases
#1107 xmlwf: Fix a memory leak
#1104 WASI: Fix format specifiers for 32bit WASI SDK
Other changes:
#1105 lib: Fix strict aliasing
#1106 lib: Leverage feature "flexible array member" of C99
#1051 lib: Swap (size_t)(-1) for C99 equivalent SIZE_MAX
#1109 lib|xmlwf: Return NULL instead of 0 for pointers
#1068 lib|Windows: Clean up use of macro _MSC_EXTENSIONS with MSVC
#1112 lib: Remove unused import
#1110 xmlwf: Warn about XXE in --help output (and man page)
#1102 #1103 WASI: Stop using getpid
... and additional docs/autotools/cmake/infrastructure changes
[1] https://github.com/libexpat/libexpat/blob/R_2_7_4/expat/Changes
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
meta/recipes-core/expat/{expat_2.7.3.bb => expat_2.7.4.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-core/expat/{expat_2.7.3.bb => expat_2.7.4.bb} (92%)
diff --git a/meta/recipes-core/expat/expat_2.7.3.bb b/meta/recipes-core/expat/expat_2.7.4.bb
similarity index 92%
rename from meta/recipes-core/expat/expat_2.7.3.bb
rename to meta/recipes-core/expat/expat_2.7.4.bb
index 069254e13c..95a1ed52c4 100644
--- a/meta/recipes-core/expat/expat_2.7.3.bb
+++ b/meta/recipes-core/expat/expat_2.7.4.bb
@@ -15,7 +15,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"
UPSTREAM_CHECK_REGEX = "releases/tag/R_(?P<pver>.+)"
-SRC_URI[sha256sum] = "59c31441fec9a66205307749eccfee551055f2d792f329f18d97099e919a3b2f"
+SRC_URI[sha256sum] = "e6af11b01e32e5ef64906a5cca8809eabc4beb7ff2f9a0e6aabbd42e825135d0"
EXTRA_OECMAKE:class-native += "-DEXPAT_BUILD_DOCS=OFF"
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [OE-core][PATCH] expat: upgrade 2.7.3 -> 2.7.4
2026-01-31 14:53 [OE-core][PATCH] expat: upgrade 2.7.3 -> 2.7.4 Peter Marko
@ 2026-02-04 14:01 ` Yoann Congal
0 siblings, 0 replies; 2+ messages in thread
From: Yoann Congal @ 2026-02-04 14:01 UTC (permalink / raw)
To: peter.marko, openembedded-core
On Sat Jan 31, 2026 at 3:53 PM CET, Peter Marko via lists.openembedded.org wrote:
> From: Peter Marko <peter.marko@siemens.com>
>
> Changelog [1]:
> Security fixes:
> #1131 CVE-2026-24515 -- Function XML_ExternalEntityParserCreate
> failed to copy the encoding handler data passed to
> XML_SetUnknownEncodingHandler from the parent to the new
> subparser. This can cause a NULL dereference (CWE-476) from
> external entities that declare use of an unknown encoding.
> The expected impact is denial of service. It takes use of
> both functions XML_ExternalEntityParserCreate and
> XML_SetUnknownEncodingHandler for an application to be
> vulnerable.
> #1075 CVE-2026-25210 -- Add missing check for integer overflow
> related to buffer size determination in function doContent
>
> Bug fixes:
> #1073 lib: Fix missing undoing of group size expansion in doProlog
> failure cases
> #1107 xmlwf: Fix a memory leak
> #1104 WASI: Fix format specifiers for 32bit WASI SDK
>
> Other changes:
> #1105 lib: Fix strict aliasing
> #1106 lib: Leverage feature "flexible array member" of C99
> #1051 lib: Swap (size_t)(-1) for C99 equivalent SIZE_MAX
> #1109 lib|xmlwf: Return NULL instead of 0 for pointers
> #1068 lib|Windows: Clean up use of macro _MSC_EXTENSIONS with MSVC
> #1112 lib: Remove unused import
> #1110 xmlwf: Warn about XXE in --help output (and man page)
> #1102 #1103 WASI: Stop using getpid
>
> ... and additional docs/autotools/cmake/infrastructure changes
>
> [1] https://github.com/libexpat/libexpat/blob/R_2_7_4/expat/Changes
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
> meta/recipes-core/expat/{expat_2.7.3.bb => expat_2.7.4.bb} | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> rename meta/recipes-core/expat/{expat_2.7.3.bb => expat_2.7.4.bb} (92%)
Note to the master review team: I have related CVE fixing patches queued
for whinlatter and scarthgap.
This patch is currently in contrib/mathieu/master-next-success.
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-02-04 14:01 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-31 14:53 [OE-core][PATCH] expat: upgrade 2.7.3 -> 2.7.4 Peter Marko
2026-02-04 14:01 ` Yoann Congal
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox