Openembedded Core Discussions
From: "Yoann Congal" <yoann.congal@smile.fr>
To: <amaury.couderc@est.tech>, <openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH v2 2/2][OE-core][scarthgap] python3: fix CVE-2026-7210
Date: Wed, 17 Jun 2026 01:37:32 +0200
Message-ID: <DJAVAP82IHN7.ZUBCLSIJUS0O@smile.fr>
In-Reply-To: <20260615063640.25128-1-amaury.couderc@est.tech>

On Mon Jun 15, 2026 at 8:36 AM CEST, Amaury Couderc via lists.openembedded.org wrote:
> From: Amaury Couderc <amaury.couderc@est.tech>
>
> Backport patch to fix CVE-2026-7210.
>   https://nvd.nist.gov/vuln/detail/CVE-2026-7210
>
> In order to mitigate CVE-2026-7210 this patch should come alongside 
> the associated expat one which backports to expat 2.6.4 the fixes 
> introduced in expat 2.8.0.
>
> Upstream fixes:
>   https://github.com/python/cpython/pull/149023/commits/03794ce9a58b1f33751c88d7d876dfbf27645c56
>   https://github.com/python/cpython/pull/149023/commits/ccb8d2f7df9534e49a43554193d7f5f4d993189c

Hello,

If I'm not mistaken, those fixes are in 3.14.6 or the future 3.15 and
neither is in wrynose nor master. Can you please send a fix for those
branches (either backport or upgrade), and then ping back here?

Thanks!

>
>
> Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
> ---
>  .../python/python3/CVE-2026-7210-1.patch      | 90 +++++++++++++++++++
>  .../python/python3/CVE-2026-7210-2.patch      | 74 +++++++++++++++
>  .../python/python3_3.12.13.bb                 |  2 +
>  3 files changed, 166 insertions(+)
>  create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-7210-1.patch
>  create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-7210-2.patch
>
> diff --git a/meta/recipes-devtools/python/python3/CVE-2026-7210-1.patch b/meta/recipes-devtools/python/python3/CVE-2026-7210-1.patch
> new file mode 100644
> index 0000000000..63aac320af
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python3/CVE-2026-7210-1.patch
> @@ -0,0 +1,90 @@
> +From 03794ce9a58b1f33751c88d7d876dfbf27645c56 Mon Sep 17 00:00:00 2001
> +From: Stan Ulbrych <stan@python.org>
> +Date: Sun, 26 Apr 2026 19:31:25 +0100
> +Subject: [PATCH] Use `XML_SetHashSalt16Bytes` from libExpat when possible
> +
> +CVE: CVE-2026-7210
> +Upstream-Status: Backport [https://github.com/python/cpython/pull/149023/commits/03794ce9a58b1f33751c88d7d876dfbf27645c56] with downstream extension for XML_BACKPORT_SET_HASH_SALT_16_BYTES detection
> +
> +Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
> +---
> + Include/pyexpat.h                                     |  3 +++
> + .../2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst   |  3 +++
> + Modules/_elementtree.c                                |  8 ++++++--
> + Modules/pyexpat.c                                     | 11 ++++++++++-
> + 4 files changed, 22 insertions(+), 3 deletions(-)
> + create mode 100644 Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst
> +
> +diff --git a/Include/pyexpat.h b/Include/pyexpat.h
> +index f523f8bb273983a..a676e16a7a457ea 100644
> +--- a/Include/pyexpat.h
> ++++ b/Include/pyexpat.h
> +@@ -57,6 +57,9 @@ struct PyExpat_CAPI
> +         XML_Parser parser, unsigned long long activationThresholdBytes);
> +     XML_Bool (*SetAllocTrackerMaximumAmplification)(
> +         XML_Parser parser, float maxAmplificationFactor);
> ++    /* might be NULL for expat < 2.8.0 */
> ++    XML_Bool (*SetHashSalt16Bytes)(
> ++        XML_Parser parser, const uint8_t entropy[16]);
> +     /* always add new stuff to the end! */
> + };
> + 
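Review bot: the new `/* might be NULL for expat < 2.8.0 */` comment no longer matches the condition this series actually uses. The pyexpat.c hunks set the pointer whenever `XML_BACKPORT_SET_HASH_SALT_16_BYTES` is defined or `XML_COMBINED_VERSION >= 20800`, so on scarthgap with the companion expat 2.6.4 backport it will be non-NULL below 2.8.0; suggest `/* NULL unless expat >= 2.8.0 or the 16-byte salt backport is present */`, and mention the downstream macro in the patch header the same way the Upstream-Status line already does. Adding the member ahead of `/* always add new stuff to the end! */` keeps the C API struct layout compatible for existing consumers, which is right.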
> +diff --git a/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst b/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst
> +new file mode 100644
> +index 000000000000000..d1b5b368684e6a5
> +--- /dev/null
> ++++ b/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst
> +@@ -0,0 +1,3 @@
> ++Improved protection against XML hash-flooding attacks in
> ++:mod:`xml.parsers.expat` and :mod:`xml.etree.ElementTree` when Python is
> ++compiled with libExpat 2.8.0 or later.
> +diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c
> +index cbd1e026df27227..b2d4b982602c583 100644
> +--- a/Modules/_elementtree.c
> ++++ b/Modules/_elementtree.c
> +@@ -3657,8 +3657,12 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *target,
> +         PyErr_NoMemory();
> +         return -1;
> +     }
> +-    /* expat < 2.1.0 has no XML_SetHashSalt() */
> +-    if (EXPAT(st, SetHashSalt) != NULL) {
> ++    // Prefer 16-byte entropy, only expat >= 2.8.0. See gh-149018
> ++    if (EXPAT(st, SetHashSalt16Bytes) != NULL) {
> ++        EXPAT(st, SetHashSalt16Bytes)(self->parser,
> ++                                      (const uint8_t *)_Py_HashSecret.uc);
> ++    }
> ++    else if (EXPAT(st, SetHashSalt) != NULL) {
> +         EXPAT(st, SetHashSalt)(self->parser,
> +                            (unsigned long)_Py_HashSecret.expat.hashsalt);
> +     }
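Review bot: the `(const uint8_t *)_Py_HashSecret.uc` cast in the new `SetHashSalt16Bytes` branch is replaced by the named `_Py_HashSecret.expat.hashsalt16` member in CVE-2026-7210-2.patch further down, so the two patch files must always travel together; a line in the recipe or in this patch header saying that -2 supersedes this expression would stop someone from backporting -1 on its own later. Minor: the new `// Prefer 16-byte entropy ...` line is a C++-style comment in a block that otherwise uses `/* ... */`; it is upstream's text, so only worth touching if you respin anyway.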
> +diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
> +index 0f0afe17513ef1c..1df433e64bc096f 100644
> +--- a/Modules/pyexpat.c
> ++++ b/Modules/pyexpat.c
> +@@ -1388,7 +1388,12 @@ newxmlparseobject(pyexpat_state *state, const char *encoding,
> +         Py_DECREF(self);
> +         return NULL;
> +     }
> +-#if XML_COMBINED_VERSION >= 20100
> ++#if defined(XML_BACKPORT_SET_HASH_SALT_16_BYTES) \
> ++    || XML_COMBINED_VERSION >= 20800
> ++    /* This feature was added upstream in libexpat 2.8.0. */
> ++    XML_SetHashSalt16Bytes(self->itself,
> ++                           (const uint8_t *)_Py_HashSecret.uc);
> ++#elif XML_COMBINED_VERSION >= 20100
> +     /* This feature was added upstream in libexpat 2.1.0. */
> +     XML_SetHashSalt(self->itself,
> +                     (unsigned long)_Py_HashSecret.expat.hashsalt);
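Review bot: the `#if defined(XML_BACKPORT_SET_HASH_SALT_16_BYTES) || XML_COMBINED_VERSION >= 20800` test degrades silently. If the companion expat patch is missing, or its header does not define that macro, the build simply takes the `#elif XML_COMBINED_VERSION >= 20100` branch and keeps the legacy `XML_SetHashSalt()` call, so the CVE-2026-7210 fix quietly disappears with no build error. Since the commit message states this patch is only effective together with the expat change, consider an `#else` with a `#warning` here (or an explicit check in the recipe) so a missing backport shows up at build time instead of at audit time.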
> +@@ -2257,6 +2262,12 @@ pyexpat_exec(PyObject *mod)
> + #else
> +     capi->SetHashSalt = NULL;
> + #endif
> ++#if defined(XML_BACKPORT_SET_HASH_SALT_16_BYTES) \
> ++    || XML_COMBINED_VERSION >= 20800
> ++    capi->SetHashSalt16Bytes = XML_SetHashSalt16Bytes;
> ++#else
> ++    capi->SetHashSalt16Bytes = NULL;
> ++#endif
> + #if XML_COMBINED_VERSION >= 20600
> +     capi->SetReparseDeferralEnabled = XML_SetReparseDeferralEnabled;
> + #else
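Review bot: the `defined(XML_BACKPORT_SET_HASH_SALT_16_BYTES) || XML_COMBINED_VERSION >= 20800` condition is now spelled out twice in pyexpat.c, here and in newxmlparseobject(); a single helper macro near the top of the file would keep the two from drifting apart on later backports. The `capi->SetHashSalt16Bytes = NULL;` fallback itself is correct and matches the "might be NULL" contract declared in pyexpat.h.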
> diff --git a/meta/recipes-devtools/python/python3/CVE-2026-7210-2.patch b/meta/recipes-devtools/python/python3/CVE-2026-7210-2.patch
> new file mode 100644
> index 0000000000..e9a10d3705
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python3/CVE-2026-7210-2.patch
> @@ -0,0 +1,74 @@
> +From ccb8d2f7df9534e49a43554193d7f5f4d993189c Mon Sep 17 00:00:00 2001
> +From: Stan Ulbrych <stan@python.org>
> +Date: Sun, 26 Apr 2026 19:42:01 +0100
> +Subject: [PATCH] Add `_Py_HashSecret_t.expat.hashsalt16` instead
> +
> +CVE: CVE-2026-7210
> +Upstream-Status: Backport [https://github.com/python/cpython/pull/149023/commits/ccb8d2f7df9534e49a43554193d7f5f4d993189c]
> +
> +Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
> +---
> + Include/pyhash.h       | 8 +++++---
> + Modules/_elementtree.c | 2 +-
> + Modules/pyexpat.c      | 3 +--
> + 3 files changed, 7 insertions(+), 6 deletions(-)
> +
> +diff --git a/Include/pyhash.h b/Include/pyhash.h
> +index 84cb72fa6fd1b26..3056dc44cc0f1b1 100644
> +--- a/Include/pyhash.h
> ++++ b/Include/pyhash.h
> +@@ -39,14 +39,14 @@
> +  *   pppppppp ssssssss ........  fnv -- two Py_hash_t
> +  *   k0k0k0k0 k1k1k1k1 ........  siphash -- two uint64_t
> +  *   ........ ........ ssssssss  djbx33a -- 16 bytes padding + one Py_hash_t
> +- *   ........ ........ eeeeeeee  pyexpat XML hash salt
> ++ *   eeeeeeee eeeeeeee eeeeeeee  pyexpat XML hash salt
> +  *
> +  * memory layout on 32 bit systems
> +  *   cccccccc cccccccc cccccccc  uc
> +  *   ppppssss ........ ........  fnv -- two Py_hash_t
> +  *   k0k0k0k0 k1k1k1k1 ........  siphash -- two uint64_t (*)
> +  *   ........ ........ ssss....  djbx33a -- 16 bytes padding + one Py_hash_t
> +- *   ........ ........ eeee....  pyexpat XML hash salt
> ++ *   eeeeeeee eeeeeeee eeee....  pyexpat XML hash salt
> +  *
> +  * (*) The siphash member may not be available on 32 bit platforms without
> +  *     an unsigned int64 data type.
> +@@ -71,7 +71,9 @@ typedef union {
> +         Py_hash_t suffix;
> +     } djbx33a;
> +     struct {
> +-        unsigned char padding[16];
> ++        /* 16 bytes for XML_SetHashSalt16Bytes */
> ++        uint8_t hashsalt16[16];
> ++        /* 4/8 bytes for legacy XML_SetHashSalt */
> +         Py_hash_t hashsalt;
> +     } expat;
> + } _Py_HashSecret_t;
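Review bot: the commit message should say that `hashsalt16` is a relabelling, not additional entropy. Per the layout comment in this same hunk, its 16 bytes are the first 16 bytes of the 24-byte union, the same bytes `siphash.k0`/`k1` (and `fnv`) already occupy, so `XML_SetHashSalt16Bytes()` receives the interpreter's own string-hash secret exactly as the earlier `(const uint8_t *)_Py_HashSecret.uc` cast did. Swapping `unsigned char padding[16]` for `uint8_t hashsalt16[16]` keeps the offset of `hashsalt` unchanged, so `_Py_HashSecret_t` stays layout compatible; worth a quick check that `uint8_t` is in scope everywhere pyhash.h is included on 3.12.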
> +diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c
> +index b2d4b982602c583..9e794be5c109ba5 100644
> +--- a/Modules/_elementtree.c
> ++++ b/Modules/_elementtree.c
> +@@ -3660,7 +3660,7 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *target,
> +     // Prefer 16-byte entropy, only expat >= 2.8.0. See gh-149018
> +     if (EXPAT(st, SetHashSalt16Bytes) != NULL) {
> +         EXPAT(st, SetHashSalt16Bytes)(self->parser,
> +-                                      (const uint8_t *)_Py_HashSecret.uc);
> ++                                      _Py_HashSecret.expat.hashsalt16);
> +     }
> +     else if (EXPAT(st, SetHashSalt) != NULL) {
> +         EXPAT(st, SetHashSalt)(self->parser,
> +diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
> +index 1df433e64bc096f..78efbef679024f3 100644
> +--- a/Modules/pyexpat.c
> ++++ b/Modules/pyexpat.c
> +@@ -1391,8 +1391,7 @@ newxmlparseobject(pyexpat_state *state, const char *encoding,
> + #if defined(XML_BACKPORT_SET_HASH_SALT_16_BYTES) \
> +     || XML_COMBINED_VERSION >= 20800
> +     /* This feature was added upstream in libexpat 2.8.0. */
> +-    XML_SetHashSalt16Bytes(self->itself,
> +-                           (const uint8_t *)_Py_HashSecret.uc);
> ++    XML_SetHashSalt16Bytes(self->itself, _Py_HashSecret.expat.hashsalt16);
> + #elif XML_COMBINED_VERSION >= 20100
> +     /* This feature was added upstream in libexpat 2.1.0. */
> +     XML_SetHashSalt(self->itself,
> diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb
> index 5fa25235fe..3e5575d396 100644
> --- a/meta/recipes-devtools/python/python3_3.12.13.bb
> +++ b/meta/recipes-devtools/python/python3_3.12.13.bb
> @@ -34,6 +34,8 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
>  	   file://0001-test_deadlock-skip-problematic-test.patch \
>  	   file://0001-test_active_children-skip-problematic-test.patch \
>             file://0001-test_readline-skip-limited-history-test.patch \
> +           file://CVE-2026-7210-1.patch \
> +           file://CVE-2026-7210-2.patch \
>             "
>  
>  SRC_URI:append:class-native = " \
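Review bot: the recipe now carries both patch files, but nothing in it records that they only do their job together with the expat 2.6.4 backport the commit message mentions; a short comment next to the two new `file://` lines (or in the patch headers) naming that dependency would help whoever next bumps expat or python3 on scarthgap. The new lines follow the space indentation of the neighbouring `file://0001-test_readline-skip-limited-history-test.patch \` line rather than the tab-indented entries above it, which is the right choice for a minimal diff.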


-- 
Yoann Congal
Smile ECS

2026-06-15  6:36 [PATCH v2 2/2][OE-core][scarthgap] python3: fix CVE-2026-7210 amaury.couderc
2026-06-16 23:37 ` Yoann Congal [this message]