Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion base/comps/components.toml
Original file line number Diff line number Diff line change
Expand Up @@ -412,7 +412,6 @@ includes = ["**/*.comp.toml", "component-check-disablement.toml", "component-min
[components.exif]
[components.exiv2]
[components.exo]
[components.expat]
[components.expect]
[components.expected]
[components.extra-cmake-modules]
Expand Down
47 changes: 47 additions & 0 deletions base/comps/expat/CVE-2026-56409.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
From 0d91bd5ec6e04abe7869d99cba0ccf27032882a4 Mon Sep 17 00:00:00 2001
From: AllSpark <allspark@microsoft.com>
Date: Sat, 4 Jul 2026 20:04:12 +0000
Subject: [PATCH] xmlwf: protect output path join from integer overflow

Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference AI Backport of: https://github.com/libexpat/libexpat/pull/1259
---
xmlwf/xmlwf.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c
index 5357161..7402b8e 100644
--- a/xmlwf/xmlwf.c
+++ b/xmlwf/xmlwf.c
@@ -1244,8 +1244,26 @@ tmain(int argc, XML_Char **argv) {
}
#endif
}
- outName = (XML_Char *)malloc((tcslen(outputDir) + tcslen(file) + 2)
- * sizeof(XML_Char));
+ const size_t outputDirLen = tcslen(outputDir);
+ const size_t fileLen = tcslen(file);
+
+ /* Detect and prevent integer overflow in the addition (without
+ risking underflow) and the multiplication, mirroring the guards
+ in xcsdup() and resolveSystemId() */
+ if (outputDirLen > SIZE_MAX - fileLen
+ || outputDirLen > SIZE_MAX - fileLen - 2) {
+ tperror(T("Could not allocate memory"));
+ exit(XMLWF_EXIT_INTERNAL_ERROR);
+ }
+
+ const size_t charsRequired = outputDirLen + fileLen + 2;
+
+ if (charsRequired > SIZE_MAX / sizeof(XML_Char)) {
+ tperror(T("Could not allocate memory"));
+ exit(XMLWF_EXIT_INTERNAL_ERROR);
+ }
+
+ outName = (XML_Char *)malloc(charsRequired * sizeof(XML_Char));
if (! outName) {
tperror(T("Could not allocate memory"));
exit(XMLWF_EXIT_INTERNAL_ERROR);
--
2.45.4

47 changes: 47 additions & 0 deletions base/comps/expat/CVE-2026-56411.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
From 7c90066232314c96046479cf4d14be458a38cbcb Mon Sep 17 00:00:00 2001
From: AllSpark <allspark@microsoft.com>
Date: Sat, 4 Jul 2026 20:00:15 +0000
Subject: [PATCH] xmlwf: protect notation list allocation from integer overflow

Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference AI Backport of: https://github.com/libexpat/libexpat/pull/1263
---
xmlwf/xmlwf.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c
index 534f321..5357161 100644
--- a/xmlwf/xmlwf.c
+++ b/xmlwf/xmlwf.c
@@ -381,9 +381,9 @@ static void XMLCALL
endDoctypeDecl(void *userData) {
XmlwfUserData *data = (XmlwfUserData *)userData;
NotationList **notations;
- int notationCount = 0;
+ size_t notationCount = 0;
NotationList *p;
- int i;
+ size_t i;

/* How many notations do we have? */
for (p = data->notationListHead; p != NULL; p = p->next)
@@ -395,6 +395,16 @@ endDoctypeDecl(void *userData) {
return;
}

+ /* Detect and prevent integer overflow in the multiplication, mirroring
+ the guards in xcsdup() and resolveSystemId() */
+ if (notationCount > SIZE_MAX / sizeof(NotationList *)) {
+ fprintf(stderr, "Unable to sort notations");
+ freeNotations(data);
+ free((void *)data->currentDoctypeName);
+ data->currentDoctypeName = NULL;
+ return;
+ }
+
notations = malloc(notationCount * sizeof(NotationList *));
if (notations == NULL) {
fprintf(stderr, "Unable to sort notations");
--
2.45.4

11 changes: 11 additions & 0 deletions base/comps/expat/expat.comp.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
[components.expat]

[[components.expat.overlays]]
description = "Fix CVE-2026-56409 — https://github.com/libexpat/libexpat/pull/1259"
type = "patch-add"
source = "CVE-2026-56409.patch"

[[components.expat.overlays]]
description = "Fix CVE-2026-56411 — https://github.com/libexpat/libexpat/pull/1263"
type = "patch-add"
source = "CVE-2026-56411.patch"
2 changes: 1 addition & 1 deletion locks/expat.lock
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,5 @@
version = 1
import-commit = 'f69cfd6d511902ab44c67eb191a826c83c4d8787'
upstream-commit = 'f69cfd6d511902ab44c67eb191a826c83c4d8787'
input-fingerprint = 'sha256:4d12fb715ccb125584fc9f226e79db50380f1563a41dd1cceb935cc5f4dd6183'
input-fingerprint = 'sha256:7556c30666ac0559c4b029bbe17b8d4593697360b1a9fc15637b56774281160c'
resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e'
47 changes: 47 additions & 0 deletions specs/e/expat/CVE-2026-56409.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
From 0d91bd5ec6e04abe7869d99cba0ccf27032882a4 Mon Sep 17 00:00:00 2001
From: AllSpark <allspark@microsoft.com>
Date: Sat, 4 Jul 2026 20:04:12 +0000
Subject: [PATCH] xmlwf: protect output path join from integer overflow

Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference AI Backport of: https://github.com/libexpat/libexpat/pull/1259
---
xmlwf/xmlwf.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c
index 5357161..7402b8e 100644
--- a/xmlwf/xmlwf.c
+++ b/xmlwf/xmlwf.c
@@ -1244,8 +1244,26 @@ tmain(int argc, XML_Char **argv) {
}
#endif
}
- outName = (XML_Char *)malloc((tcslen(outputDir) + tcslen(file) + 2)
- * sizeof(XML_Char));
+ const size_t outputDirLen = tcslen(outputDir);
+ const size_t fileLen = tcslen(file);
+
+ /* Detect and prevent integer overflow in the addition (without
+ risking underflow) and the multiplication, mirroring the guards
+ in xcsdup() and resolveSystemId() */
+ if (outputDirLen > SIZE_MAX - fileLen
+ || outputDirLen > SIZE_MAX - fileLen - 2) {
+ tperror(T("Could not allocate memory"));
+ exit(XMLWF_EXIT_INTERNAL_ERROR);
+ }
+
+ const size_t charsRequired = outputDirLen + fileLen + 2;
+
+ if (charsRequired > SIZE_MAX / sizeof(XML_Char)) {
+ tperror(T("Could not allocate memory"));
+ exit(XMLWF_EXIT_INTERNAL_ERROR);
+ }
+
+ outName = (XML_Char *)malloc(charsRequired * sizeof(XML_Char));
if (! outName) {
tperror(T("Could not allocate memory"));
exit(XMLWF_EXIT_INTERNAL_ERROR);
--
2.45.4

47 changes: 47 additions & 0 deletions specs/e/expat/CVE-2026-56411.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
From 7c90066232314c96046479cf4d14be458a38cbcb Mon Sep 17 00:00:00 2001
From: AllSpark <allspark@microsoft.com>
Date: Sat, 4 Jul 2026 20:00:15 +0000
Subject: [PATCH] xmlwf: protect notation list allocation from integer overflow

Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference AI Backport of: https://github.com/libexpat/libexpat/pull/1263
---
xmlwf/xmlwf.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c
index 534f321..5357161 100644
--- a/xmlwf/xmlwf.c
+++ b/xmlwf/xmlwf.c
@@ -381,9 +381,9 @@ static void XMLCALL
endDoctypeDecl(void *userData) {
XmlwfUserData *data = (XmlwfUserData *)userData;
NotationList **notations;
- int notationCount = 0;
+ size_t notationCount = 0;
NotationList *p;
- int i;
+ size_t i;

/* How many notations do we have? */
for (p = data->notationListHead; p != NULL; p = p->next)
@@ -395,6 +395,16 @@ endDoctypeDecl(void *userData) {
return;
}

+ /* Detect and prevent integer overflow in the multiplication, mirroring
+ the guards in xcsdup() and resolveSystemId() */
+ if (notationCount > SIZE_MAX / sizeof(NotationList *)) {
+ fprintf(stderr, "Unable to sort notations");
+ freeNotations(data);
+ free((void *)data->currentDoctypeName);
+ data->currentDoctypeName = NULL;
+ return;
+ }
+
notations = malloc(notationCount * sizeof(NotationList *));
if (notations == NULL) {
fprintf(stderr, "Unable to sort notations");
--
2.45.4

11 changes: 8 additions & 3 deletions specs/e/expat/expat.spec
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
## (rpmautospec version 0.8.3)
## RPMAUTOSPEC: autorelease, autochangelog
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
release_number = 2;
release_number = 3;
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
Expand All @@ -27,6 +27,8 @@ BuildRequires: autoconf, libtool, xmlto, gcc-c++
BuildRequires: make
BuildRequires: gnupg2

Patch0: CVE-2026-56409.patch
Patch1: CVE-2026-56411.patch
%description
This is expat, the C library for parsing XML, written by James Clark. Expat
is a stream oriented XML parser. This means that you register handlers with
Expand Down Expand Up @@ -93,8 +95,11 @@ make check

%changelog
## START: Generated by rpmautospec
* Thu Apr 30 2026 Daniel McIlvaney <damcilva@microsoft.com> - 2.7.3-2
- feat: introduce deterministic commit resolution via Azure Linux lock file
* Sat Jul 04 2026 azldev <azldev@local> - 2.7.3-3
- Local changes (uncommitted)

* Thu Jul 02 2026 Tobias Brick <tobiasb@microsoft.com> - 2.7.3-2
- chore(swift-lang): remove component from distro

* Tue Dec 02 2025 Tomas Korbar <tkorbar@redhat.com> - 2.7.3-1
- Rebase to 2.7.3 and add VCS tag
Expand Down
Loading