From 2a0476c51d74ddb3915d9111dca2e08a6c7cf2fe Mon Sep 17 00:00:00 2001 From: azurelinux-security Date: Sat, 4 Jul 2026 20:07:10 +0000 Subject: [PATCH] Patch expat for CVE-2026-56409, CVE-2026-56411 --- base/comps/components.toml | 1 - base/comps/expat/CVE-2026-56409.patch | 47 +++++++++++++++++++++++++++ base/comps/expat/CVE-2026-56411.patch | 47 +++++++++++++++++++++++++++ base/comps/expat/expat.comp.toml | 11 +++++++ locks/expat.lock | 2 +- specs/e/expat/CVE-2026-56409.patch | 47 +++++++++++++++++++++++++++ specs/e/expat/CVE-2026-56411.patch | 47 +++++++++++++++++++++++++++ specs/e/expat/expat.spec | 11 +++++-- 8 files changed, 208 insertions(+), 5 deletions(-) create mode 100644 base/comps/expat/CVE-2026-56409.patch create mode 100644 base/comps/expat/CVE-2026-56411.patch create mode 100644 base/comps/expat/expat.comp.toml create mode 100644 specs/e/expat/CVE-2026-56409.patch create mode 100644 specs/e/expat/CVE-2026-56411.patch diff --git a/base/comps/components.toml b/base/comps/components.toml index bb8ce516b0f..3bb4fd258fc 100644 --- a/base/comps/components.toml +++ b/base/comps/components.toml @@ -412,7 +412,6 @@ includes = ["**/*.comp.toml", "component-check-disablement.toml", "component-min [components.exif] [components.exiv2] [components.exo] -[components.expat] [components.expect] [components.expected] [components.extra-cmake-modules] diff --git a/base/comps/expat/CVE-2026-56409.patch b/base/comps/expat/CVE-2026-56409.patch new file mode 100644 index 00000000000..ce69558f075 --- /dev/null +++ b/base/comps/expat/CVE-2026-56409.patch @@ -0,0 +1,47 @@ +From 0d91bd5ec6e04abe7869d99cba0ccf27032882a4 Mon Sep 17 00:00:00 2001 +From: AllSpark +Date: Sat, 4 Jul 2026 20:04:12 +0000 +Subject: [PATCH] xmlwf: protect output path join from integer overflow + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference AI Backport of: https://github.com/libexpat/libexpat/pull/1259 +--- + xmlwf/xmlwf.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c +index 5357161..7402b8e 100644 +--- a/xmlwf/xmlwf.c ++++ b/xmlwf/xmlwf.c +@@ -1244,8 +1244,26 @@ tmain(int argc, XML_Char **argv) { + } + #endif + } +- outName = (XML_Char *)malloc((tcslen(outputDir) + tcslen(file) + 2) +- * sizeof(XML_Char)); ++ const size_t outputDirLen = tcslen(outputDir); ++ const size_t fileLen = tcslen(file); ++ ++ /* Detect and prevent integer overflow in the addition (without ++ risking underflow) and the multiplication, mirroring the guards ++ in xcsdup() and resolveSystemId() */ ++ if (outputDirLen > SIZE_MAX - fileLen ++ || outputDirLen > SIZE_MAX - fileLen - 2) { ++ tperror(T("Could not allocate memory")); ++ exit(XMLWF_EXIT_INTERNAL_ERROR); ++ } ++ ++ const size_t charsRequired = outputDirLen + fileLen + 2; ++ ++ if (charsRequired > SIZE_MAX / sizeof(XML_Char)) { ++ tperror(T("Could not allocate memory")); ++ exit(XMLWF_EXIT_INTERNAL_ERROR); ++ } ++ ++ outName = (XML_Char *)malloc(charsRequired * sizeof(XML_Char)); + if (! outName) { + tperror(T("Could not allocate memory")); + exit(XMLWF_EXIT_INTERNAL_ERROR); +-- +2.45.4 + diff --git a/base/comps/expat/CVE-2026-56411.patch b/base/comps/expat/CVE-2026-56411.patch new file mode 100644 index 00000000000..0ea3dc0b83b --- /dev/null +++ b/base/comps/expat/CVE-2026-56411.patch @@ -0,0 +1,47 @@ +From 7c90066232314c96046479cf4d14be458a38cbcb Mon Sep 17 00:00:00 2001 +From: AllSpark +Date: Sat, 4 Jul 2026 20:00:15 +0000 +Subject: [PATCH] xmlwf: protect notation list allocation from integer overflow + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference AI Backport of: https://github.com/libexpat/libexpat/pull/1263 +--- + xmlwf/xmlwf.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c +index 534f321..5357161 100644 +--- a/xmlwf/xmlwf.c ++++ b/xmlwf/xmlwf.c +@@ -381,9 +381,9 @@ static void XMLCALL + endDoctypeDecl(void *userData) { + XmlwfUserData *data = (XmlwfUserData *)userData; + NotationList **notations; +- int notationCount = 0; ++ size_t notationCount = 0; + NotationList *p; +- int i; ++ size_t i; + + /* How many notations do we have? */ + for (p = data->notationListHead; p != NULL; p = p->next) +@@ -395,6 +395,16 @@ endDoctypeDecl(void *userData) { + return; + } + ++ /* Detect and prevent integer overflow in the multiplication, mirroring ++ the guards in xcsdup() and resolveSystemId() */ ++ if (notationCount > SIZE_MAX / sizeof(NotationList *)) { ++ fprintf(stderr, "Unable to sort notations"); ++ freeNotations(data); ++ free((void *)data->currentDoctypeName); ++ data->currentDoctypeName = NULL; ++ return; ++ } ++ + notations = malloc(notationCount * sizeof(NotationList *)); + if (notations == NULL) { + fprintf(stderr, "Unable to sort notations"); +-- +2.45.4 + diff --git a/base/comps/expat/expat.comp.toml b/base/comps/expat/expat.comp.toml new file mode 100644 index 00000000000..141755b3fb1 --- /dev/null +++ b/base/comps/expat/expat.comp.toml @@ -0,0 +1,11 @@ +[components.expat] + +[[components.expat.overlays]] +description = "Fix CVE-2026-56409 — https://github.com/libexpat/libexpat/pull/1259" +type = "patch-add" +source = "CVE-2026-56409.patch" + +[[components.expat.overlays]] +description = "Fix CVE-2026-56411 — https://github.com/libexpat/libexpat/pull/1263" +type = "patch-add" +source = "CVE-2026-56411.patch" diff --git a/locks/expat.lock b/locks/expat.lock index 967a33af682..323e9b62366 100644 --- a/locks/expat.lock +++ b/locks/expat.lock @@ -2,5 +2,5 @@ version = 1 import-commit = 'f69cfd6d511902ab44c67eb191a826c83c4d8787' upstream-commit = 'f69cfd6d511902ab44c67eb191a826c83c4d8787' -input-fingerprint = 'sha256:4d12fb715ccb125584fc9f226e79db50380f1563a41dd1cceb935cc5f4dd6183' +input-fingerprint = 'sha256:7556c30666ac0559c4b029bbe17b8d4593697360b1a9fc15637b56774281160c' resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e' diff --git a/specs/e/expat/CVE-2026-56409.patch b/specs/e/expat/CVE-2026-56409.patch new file mode 100644 index 00000000000..ce69558f075 --- /dev/null +++ b/specs/e/expat/CVE-2026-56409.patch @@ -0,0 +1,47 @@ +From 0d91bd5ec6e04abe7869d99cba0ccf27032882a4 Mon Sep 17 00:00:00 2001 +From: AllSpark +Date: Sat, 4 Jul 2026 20:04:12 +0000 +Subject: [PATCH] xmlwf: protect output path join from integer overflow + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference AI Backport of: https://github.com/libexpat/libexpat/pull/1259 +--- + xmlwf/xmlwf.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c +index 5357161..7402b8e 100644 +--- a/xmlwf/xmlwf.c ++++ b/xmlwf/xmlwf.c +@@ -1244,8 +1244,26 @@ tmain(int argc, XML_Char **argv) { + } + #endif + } +- outName = (XML_Char *)malloc((tcslen(outputDir) + tcslen(file) + 2) +- * sizeof(XML_Char)); ++ const size_t outputDirLen = tcslen(outputDir); ++ const size_t fileLen = tcslen(file); ++ ++ /* Detect and prevent integer overflow in the addition (without ++ risking underflow) and the multiplication, mirroring the guards ++ in xcsdup() and resolveSystemId() */ ++ if (outputDirLen > SIZE_MAX - fileLen ++ || outputDirLen > SIZE_MAX - fileLen - 2) { ++ tperror(T("Could not allocate memory")); ++ exit(XMLWF_EXIT_INTERNAL_ERROR); ++ } ++ ++ const size_t charsRequired = outputDirLen + fileLen + 2; ++ ++ if (charsRequired > SIZE_MAX / sizeof(XML_Char)) { ++ tperror(T("Could not allocate memory")); ++ exit(XMLWF_EXIT_INTERNAL_ERROR); ++ } ++ ++ outName = (XML_Char *)malloc(charsRequired * sizeof(XML_Char)); + if (! outName) { + tperror(T("Could not allocate memory")); + exit(XMLWF_EXIT_INTERNAL_ERROR); +-- +2.45.4 + diff --git a/specs/e/expat/CVE-2026-56411.patch b/specs/e/expat/CVE-2026-56411.patch new file mode 100644 index 00000000000..0ea3dc0b83b --- /dev/null +++ b/specs/e/expat/CVE-2026-56411.patch @@ -0,0 +1,47 @@ +From 7c90066232314c96046479cf4d14be458a38cbcb Mon Sep 17 00:00:00 2001 +From: AllSpark +Date: Sat, 4 Jul 2026 20:00:15 +0000 +Subject: [PATCH] xmlwf: protect notation list allocation from integer overflow + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference AI Backport of: https://github.com/libexpat/libexpat/pull/1263 +--- + xmlwf/xmlwf.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c +index 534f321..5357161 100644 +--- a/xmlwf/xmlwf.c ++++ b/xmlwf/xmlwf.c +@@ -381,9 +381,9 @@ static void XMLCALL + endDoctypeDecl(void *userData) { + XmlwfUserData *data = (XmlwfUserData *)userData; + NotationList **notations; +- int notationCount = 0; ++ size_t notationCount = 0; + NotationList *p; +- int i; ++ size_t i; + + /* How many notations do we have? */ + for (p = data->notationListHead; p != NULL; p = p->next) +@@ -395,6 +395,16 @@ endDoctypeDecl(void *userData) { + return; + } + ++ /* Detect and prevent integer overflow in the multiplication, mirroring ++ the guards in xcsdup() and resolveSystemId() */ ++ if (notationCount > SIZE_MAX / sizeof(NotationList *)) { ++ fprintf(stderr, "Unable to sort notations"); ++ freeNotations(data); ++ free((void *)data->currentDoctypeName); ++ data->currentDoctypeName = NULL; ++ return; ++ } ++ + notations = malloc(notationCount * sizeof(NotationList *)); + if (notations == NULL) { + fprintf(stderr, "Unable to sort notations"); +-- +2.45.4 + diff --git a/specs/e/expat/expat.spec b/specs/e/expat/expat.spec index c4b504ce3e2..285d38e051d 100644 --- a/specs/e/expat/expat.spec +++ b/specs/e/expat/expat.spec @@ -2,7 +2,7 @@ ## (rpmautospec version 0.8.3) ## RPMAUTOSPEC: autorelease, autochangelog %define autorelease(e:s:pb:n) %{?-p:0.}%{lua: - release_number = 2; + release_number = 3; base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); print(release_number + base_release_number - 1); }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} @@ -27,6 +27,8 @@ BuildRequires: autoconf, libtool, xmlto, gcc-c++ BuildRequires: make BuildRequires: gnupg2 +Patch0: CVE-2026-56409.patch +Patch1: CVE-2026-56411.patch %description This is expat, the C library for parsing XML, written by James Clark. Expat is a stream oriented XML parser. This means that you register handlers with @@ -93,8 +95,11 @@ make check %changelog ## START: Generated by rpmautospec -* Thu Apr 30 2026 Daniel McIlvaney - 2.7.3-2 -- feat: introduce deterministic commit resolution via Azure Linux lock file +* Sat Jul 04 2026 azldev - 2.7.3-3 +- Local changes (uncommitted) + +* Thu Jul 02 2026 Tobias Brick - 2.7.3-2 +- chore(swift-lang): remove component from distro * Tue Dec 02 2025 Tomas Korbar - 2.7.3-1 - Rebase to 2.7.3 and add VCS tag