3 files changed, 96 insertions, 0 deletions
diff --git a/meta/recipes-core/expat/expat/CVE-2024-50602-01.patch b/meta/recipes-core/expat/expat/CVE-2024-50602-01.patch
new file mode 100644
index 0000000000..6abaa85261
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2024-50602-01.patch
@@ -0,0 +1,56 @@
+From 51c7019069b862e88d94ed228659e70bddd5de09 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 21 Oct 2024 01:42:54 +0200
+Subject: [PATCH 1/2] lib: Make XML_StopParser refuse to stop/suspend an
+ unstarted parser
+CVE: CVE-2024-50602
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/51c7019069b862e88d94ed228659e70bddd5de09]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ expat/lib/expat.h    | 4 +++-
+ expat/lib/xmlparse.c | 6 ++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+diff --git a/lib/expat.h b/lib/expat.h
+index d0d6015a..3ba61304 100644
+--- a/lib/expat.h
+++ b/lib/expat.h
+@@ -127,7 +127,9 @@ enum XML_Error {
+   /* Added in 2.3.0. */
+   XML_ERROR_NO_BUFFER,
+   /* Added in 2.4.0. */
+-  XML_ERROR_AMPLIFICATION_LIMIT_BREACH
+  XML_ERROR_AMPLIFICATION_LIMIT_BREACH,
+  /* Added in 2.6.4. */
+  XML_ERROR_NOT_STARTED,
+ };
+ 
+ enum XML_Content_Type {
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index d9285b21..fa02537f 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -2189,6 +2189,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
+   switch (parser->m_parsingStatus.parsing) {
+  case XML_INITIALIZED:
+    parser->m_errorCode = XML_ERROR_NOT_STARTED;
+    return XML_STATUS_ERROR;
+   case XML_SUSPENDED:
+     if (resumable) {
+       parser->m_errorCode = XML_ERROR_SUSPENDED;
+@@ -2474,6 +2477,9 @@ XML_ErrorString(enum XML_Error code) {
+   case XML_ERROR_AMPLIFICATION_LIMIT_BREACH:
+     return XML_L(
+         "limit on input amplification factor (from DTD and entities) breached");
+  /* Added in 2.6.4. */
+  case XML_ERROR_NOT_STARTED:
+    return XML_L("parser not started");
+   }
+   return NULL;
+ }
+-- 
+2.30.2
diff --git a/meta/recipes-core/expat/expat/CVE-2024-50602-02.patch b/meta/recipes-core/expat/expat/CVE-2024-50602-02.patch
new file mode 100644
index 0000000000..4d99eb738c
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2024-50602-02.patch
@@ -0,0 +1,38 @@
+From 5fb89e7b3afa1c314b34834fe729cd063f65a4d4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 21 Oct 2024 01:46:11 +0200
+Subject: [PATCH 2/2] lib: Be explicit about XML_PARSING in XML_StopParser
+CVE: CVE-2024-50602
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/5fb89e7b3afa1c314b34834fe729cd063f65a4d4]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ expat/lib/xmlparse.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index fa02537f..983f6df0 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -2202,7 +2202,7 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+   case XML_FINISHED:
+     parser->m_errorCode = XML_ERROR_FINISHED;
+     return XML_STATUS_ERROR;
+-  default:
+  case XML_PARSING:
+     if (resumable) {
+ #ifdef XML_DTD
+       if (parser->m_isParamEntity) {
+@@ -2213,6 +2213,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+       parser->m_parsingStatus.parsing = XML_SUSPENDED;
+     } else
+       parser->m_parsingStatus.parsing = XML_FINISHED;
+    break;
+  default:
+    assert(0);
+   }
+   return XML_STATUS_OK;
+ }
+-- 
+2.30.2
diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes-core/expat/expat_2.5.0.bb
index 26190383e3..33207ff0da 100644
--- a/meta/recipes-core/expat/expat_2.5.0.bb
+++ b/meta/recipes-core/expat/expat_2.5.0.bb
@@ -28,6 +28,8 @@ SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA
           file://CVE-2024-45490-0004.patch \
           file://CVE-2024-45491.patch \
           file://CVE-2024-45492.patch \
+           file://CVE-2024-50602-01.patch \
+           file://CVE-2024-50602-02.patch \
           "
 UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"

diff --git a/meta/recipes-core/expat/expat/CVE-2024-50602-01.patch b/meta/recipes-core/expat/expat/CVE-2024-50602-01.patch new file mode 100644 index 0000000000..6abaa85261 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2024-50602-01.patch
@@ -0,0 +1,56 @@
		1	From 51c7019069b862e88d94ed228659e70bddd5de09 Mon Sep 17 00:00:00 2001
		2	From: Sebastian Pipping <sebastian@pipping.org>
		3	Date: Mon, 21 Oct 2024 01:42:54 +0200
		4	Subject: [PATCH 1/2] lib: Make XML_StopParser refuse to stop/suspend an
		5	unstarted parser
		6
		7	CVE: CVE-2024-50602
		8	Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/51c7019069b862e88d94ed228659e70bddd5de09]
		9	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		10	---
		11	expat/lib/expat.h \| 4 +++-
		12	expat/lib/xmlparse.c \| 6 ++++++
		13	2 files changed, 9 insertions(+), 1 deletion(-)
		14
		15	diff --git a/lib/expat.h b/lib/expat.h
		16	index d0d6015a..3ba61304 100644
		17	--- a/lib/expat.h
		18	+++ b/lib/expat.h
		19	@@ -127,7 +127,9 @@ enum XML_Error {
		20	/* Added in 2.3.0. */
		21	XML_ERROR_NO_BUFFER,
		22	/* Added in 2.4.0. */
		23	- XML_ERROR_AMPLIFICATION_LIMIT_BREACH
		24	+ XML_ERROR_AMPLIFICATION_LIMIT_BREACH,
		25	+ /* Added in 2.6.4. */
		26	+ XML_ERROR_NOT_STARTED,
		27	};
		28
		29	enum XML_Content_Type {
		30	diff --git a/lib/xmlparse.c b/lib/xmlparse.c
		31	index d9285b21..fa02537f 100644
		32	--- a/lib/xmlparse.c
		33	+++ b/lib/xmlparse.c
		34	@@ -2189,6 +2189,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
		35	if (parser == NULL)
		36	return XML_STATUS_ERROR;
		37	switch (parser->m_parsingStatus.parsing) {
		38	+ case XML_INITIALIZED:
		39	+ parser->m_errorCode = XML_ERROR_NOT_STARTED;
		40	+ return XML_STATUS_ERROR;
		41	case XML_SUSPENDED:
		42	if (resumable) {
		43	parser->m_errorCode = XML_ERROR_SUSPENDED;
		44	@@ -2474,6 +2477,9 @@ XML_ErrorString(enum XML_Error code) {
		45	case XML_ERROR_AMPLIFICATION_LIMIT_BREACH:
		46	return XML_L(
		47	"limit on input amplification factor (from DTD and entities) breached");
		48	+ /* Added in 2.6.4. */
		49	+ case XML_ERROR_NOT_STARTED:
		50	+ return XML_L("parser not started");
		51	}
		52	return NULL;
		53	}
		54	--
		55	2.30.2
		56


diff --git a/meta/recipes-core/expat/expat/CVE-2024-50602-02.patch b/meta/recipes-core/expat/expat/CVE-2024-50602-02.patch new file mode 100644 index 0000000000..4d99eb738c --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2024-50602-02.patch
@@ -0,0 +1,38 @@
		1	From 5fb89e7b3afa1c314b34834fe729cd063f65a4d4 Mon Sep 17 00:00:00 2001
		2	From: Sebastian Pipping <sebastian@pipping.org>
		3	Date: Mon, 21 Oct 2024 01:46:11 +0200
		4	Subject: [PATCH 2/2] lib: Be explicit about XML_PARSING in XML_StopParser
		5
		6	CVE: CVE-2024-50602
		7	Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/5fb89e7b3afa1c314b34834fe729cd063f65a4d4]
		8	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		9	---
		10	expat/lib/xmlparse.c \| 5 ++++-
		11	1 file changed, 4 insertions(+), 1 deletion(-)
		12
		13	diff --git a/lib/xmlparse.c b/lib/xmlparse.c
		14	index fa02537f..983f6df0 100644
		15	--- a/lib/xmlparse.c
		16	+++ b/lib/xmlparse.c
		17	@@ -2202,7 +2202,7 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
		18	case XML_FINISHED:
		19	parser->m_errorCode = XML_ERROR_FINISHED;
		20	return XML_STATUS_ERROR;
		21	- default:
		22	+ case XML_PARSING:
		23	if (resumable) {
		24	#ifdef XML_DTD
		25	if (parser->m_isParamEntity) {
		26	@@ -2213,6 +2213,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
		27	parser->m_parsingStatus.parsing = XML_SUSPENDED;
		28	} else
		29	parser->m_parsingStatus.parsing = XML_FINISHED;
		30	+ break;
		31	+ default:
		32	+ assert(0);
		33	}
		34	return XML_STATUS_OK;
		35	}
		36	--
		37	2.30.2
		38


diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes-core/expat/expat_2.5.0.bb index 26190383e3..33207ff0da 100644 --- a/meta/recipes-core/expat/expat_2.5.0.bb +++ b/meta/recipes-core/expat/expat_2.5.0.bb
@@ -28,6 +28,8 @@ SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA
28	file://CVE-2024-45490-0004.patch \	28	file://CVE-2024-45490-0004.patch \
29	file://CVE-2024-45491.patch \	29	file://CVE-2024-45491.patch \
30	file://CVE-2024-45492.patch \	30	file://CVE-2024-45492.patch \
		31	file://CVE-2024-50602-01.patch \
		32	file://CVE-2024-50602-02.patch \
31	"	33	"
32		34
33	UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"	35	UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"