diff mbox series

[kirkstone,1/1] expat: fix CVE-2023-52426

Message ID 20240308000807.1078261-1-meenali.gupta@windriver.com
State Changes Requested
Delegated to: Steve Sakoman
Headers show
Series [kirkstone,1/1] expat: fix CVE-2023-52426 | expand

Commit Message

mgupta1 March 8, 2024, 12:08 a.m. UTC 
From: Meenali Gupta <meenali.gupta@windriver.com>

A flaw was found in Expat (libexpat). If XML_DTD is undefined at compile time, a recursive XML Entity
Expansion condition can be triggered. This issue may lead to a condition where data is expanded exponentially,
which will quickly consume system resources and cause a denial of service.

Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
---
 .../expat/expat/CVE-2023-52426.patch          | 429 ++++++++++++++++++
 meta/recipes-core/expat/expat_2.5.0.bb        |   1 +
 2 files changed, 430 insertions(+)
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426.patch

Comments

Mittal, Anuj March 11, 2024, 3:07 a.m. UTC | #1 
On Thu, 2024-03-07 at 16:08 -0800, Meenali Gupta via
lists.openembedded.org wrote:
> From: Meenali Gupta <meenali.gupta@windriver.com>
> 
> A flaw was found in Expat (libexpat). If XML_DTD is undefined at
> compile time, a recursive XML Entity
> Expansion condition can be triggered. This issue may lead to a
> condition where data is expanded exponentially,
> which will quickly consume system resources and cause a denial of
> service.
> 
> Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
> ---
>  .../expat/expat/CVE-2023-52426.patch          | 429
> ++++++++++++++++++
>  meta/recipes-core/expat/expat_2.5.0.bb        |   1 +
>  2 files changed, 430 insertions(+)
>  create mode 100644 meta/recipes-core/expat/expat/CVE-2023-
> 52426.patch
> 
> diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426.patch
> b/meta/recipes-core/expat/expat/CVE-2023-52426.patch
> new file mode 100644
> index 0000000000..b78a8ee0dc
> --- /dev/null
> +++ b/meta/recipes-core/expat/expat/CVE-2023-52426.patch
> @@ -0,0 +1,429 @@
> +From 0f075ec8ecb5e43f8fdca5182f8cca4703da0404 Mon Sep 17 00:00:00
> 2001
> +From: Sebastian Pipping <sebastian@pipping.org>
> +Date: Thu, 26 Oct 2023 00:43:22 +0200
> +Subject: [PATCH] lib|xmlwf|cmake: Extend scope of billion laughs
> attack
> + protection
> +
> +.. from "defined(XML_DTD)" to "defined(XML_DTD) || XML_GE==1".
> +
> +CVE: CVE-2023-52426
> +Upstream-Status: Backport
> [https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca518
> 2f8cca4703da0404]

The PR that this commit is part of includes other commits as well. Is
there any reason why only this is included or required? 

I didn't check in detail but as an example, it seems this commit uses
EXPAT_GE which was introduced in an earlier commit in that PR:

https://github.com/libexpat/libexpat/pull/777/commits/daa89e42c005cc7f4f7af9eee271ae0723d30300

So, is this supposed to work as intended?

Thanks,

Anuj

> +
> +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
> +---
> + CMakeLists.txt         |  8 ++++-
> + lib/expat.h            |  8 +++--
> + lib/internal.h         |  2 +-
> + lib/libexpat.def.cmake |  4 +--
> + lib/xmlparse.c         | 71 ++++++++++++++++++++++-----------------
> ---
> + xmlwf/xmlwf.c          | 18 ++++++-----
> + 6 files changed, 62 insertions(+), 49 deletions(-)
> +
> +diff --git a/CMakeLists.txt b/CMakeLists.txt
> +index 2b4c13c..183c5c2 100644
> +--- a/CMakeLists.txt
> ++++ b/CMakeLists.txt
> +@@ -381,7 +381,13 @@ if(EXPAT_SHARED_LIBS)
> +             endif()
> +         endmacro()
> +
> +-        _expat_def_file_toggle(EXPAT_DTD _EXPAT_COMMENT_DTD)
> ++	if(EXPAT_DTD OR EXPAT_GE)
> ++            set(_EXPAT_DTD_OR_GE TRUE)
> ++        else()
> ++            set(_EXPAT_DTD_OR_GE FALSE)
> ++        endif()
> ++
> ++        _expat_def_file_toggle(_EXPAT_DTD_OR_GE
> _EXPAT_COMMENT_DTD_OR_GE)
> +         _expat_def_file_toggle(EXPAT_ATTR_INFO
> _EXPAT_COMMENT_ATTR_INFO)
> +
> +        
> configure_file("${CMAKE_CURRENT_SOURCE_DIR}/lib/libexpat.def.cmake"
> "${CMAKE_CURRENT_BINARY_DIR}/lib/libexpat.def")
> +diff --git a/lib/expat.h b/lib/expat.h
> +index 1c83563..33c94af 100644
> +--- a/lib/expat.h
> ++++ b/lib/expat.h
> +@@ -1038,13 +1038,15 @@ typedef struct {
> + XMLPARSEAPI(const XML_Feature *)
> + XML_GetFeatureList(void);
> +
> +-#ifdef XML_DTD
> +-/* Added in Expat 2.4.0. */
> ++#if defined(XML_DTD) || XML_GE == 1
> ++/* Added in Expat 2.4.0 for XML_DTD defined and
> ++ * added in Expat 2.6.0 for XML_GE == 1. */
> + XMLPARSEAPI(XML_Bool)
> + XML_SetBillionLaughsAttackProtectionMaximumAmplification(
> +     XML_Parser parser, float maximumAmplificationFactor);
> +
> +-/* Added in Expat 2.4.0. */
> ++/* Added in Expat 2.4.0 for XML_DTD defined and
> ++ * added in Expat 2.6.0 for XML_GE == 1. */
> + XMLPARSEAPI(XML_Bool)
> + XML_SetBillionLaughsAttackProtectionActivationThreshold(
> +     XML_Parser parser, unsigned long long
> activationThresholdBytes);
> +diff --git a/lib/internal.h b/lib/internal.h
> +index e09f533..1851925 100644
> +--- a/lib/internal.h
> ++++ b/lib/internal.h
> +@@ -154,7 +154,7 @@ extern "C" {
> + void _INTERNAL_trim_to_complete_utf8_characters(const char *from,
> +                                                 const char
> **fromLimRef);
> +
> +-#if defined(XML_DTD)
> ++#if defined(XML_DTD) || XML_GE == 1
> + unsigned long long testingAccountingGetCountBytesDirect(XML_Parser
> parser);
> + unsigned long long
> testingAccountingGetCountBytesIndirect(XML_Parser parser);
> + const char *unsignedCharToPrintable(unsigned char c);
> +diff --git a/lib/libexpat.def.cmake b/lib/libexpat.def.cmake
> +index cf434a2..61a4f00 100644
> +--- a/lib/libexpat.def.cmake
> ++++ b/lib/libexpat.def.cmake
> +@@ -75,5 +75,5 @@ EXPORTS
> +   XML_SetHashSalt @67
> + ; internal @68 removed with version 2.3.1
> + ; added with version 2.4.0
> +-@_EXPAT_COMMENT_DTD@
> XML_SetBillionLaughsAttackProtectionActivationThreshold @69
> +-@_EXPAT_COMMENT_DTD@
> XML_SetBillionLaughsAttackProtectionMaximumAmplification @70
> ++@_EXPAT_COMMENT_DTD_OR_GE@
> XML_SetBillionLaughsAttackProtectionActivationThreshold @69
> ++@_EXPAT_COMMENT_DTD_OR_GE@
> XML_SetBillionLaughsAttackProtectionMaximumAmplification @70
> +diff --git a/lib/xmlparse.c b/lib/xmlparse.c
> +index b6c2eca..e23441e 100644
> +--- a/lib/xmlparse.c
> ++++ b/lib/xmlparse.c
> +@@ -408,7 +408,7 @@ enum XML_Account {
> +   XML_ACCOUNT_NONE              /* i.e. do not account, was
> accounted already */
> + };
> +
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> + typedef unsigned long long XmlBigCount;
> + typedef struct accounting {
> +   XmlBigCount countBytesDirect;
> +@@ -424,7 +424,7 @@ typedef struct entity_stats {
> +   unsigned int maximumDepthSeen;
> +   int debugLevel;
> + } ENTITY_STATS;
> +-#endif /* XML_DTD */
> ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> +
> + typedef enum XML_Error PTRCALL Processor(XML_Parser parser, const
> char *start,
> +                                          const char *end, const
> char **endPtr);
> +@@ -562,7 +562,7 @@ static XML_Parser parserCreate(const XML_Char
> *encodingName,
> +
> + static void parserInit(XML_Parser parser, const XML_Char
> *encodingName);
> +
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> + static float accountingGetCurrentAmplification(XML_Parser
> rootParser);
> + static void accountingReportStats(XML_Parser originParser, const
> char *epilog);
> + static void accountingOnAbort(XML_Parser originParser);
> +@@ -585,7 +585,7 @@ static void entityTrackingOnClose(XML_Parser
> parser, ENTITY *entity,
> +
> + static XML_Parser getRootParserOf(XML_Parser parser,
> +                                   unsigned int *outLevelDiff);
> +-#endif /* XML_DTD */
> ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> +
> + static unsigned long getDebugLevel(const char *variableName,
> +                                    unsigned long
> defaultDebugLevel);
> +@@ -703,7 +703,7 @@ struct XML_ParserStruct {
> +   enum XML_ParamEntityParsing m_paramEntityParsing;
> + #endif
> +   unsigned long m_hash_secret_salt;
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> +   ACCOUNTING m_accounting;
> +   ENTITY_STATS m_entity_stats;
> + #endif
> +@@ -1163,7 +1163,7 @@ parserInit(XML_Parser parser, const XML_Char
> *encodingName) {
> + #endif
> +   parser->m_hash_secret_salt = 0;
> +
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> +   memset(&parser->m_accounting, 0, sizeof(ACCOUNTING));
> +   parser->m_accounting.debugLevel =
> getDebugLevel("EXPAT_ACCOUNTING_DEBUG", 0u);
> +   parser->m_accounting.maximumAmplificationFactor
> +@@ -2522,8 +2522,9 @@ XML_GetFeatureList(void) {
> + #ifdef XML_ATTR_INFO
> +       {XML_FEATURE_ATTR_INFO, XML_L("XML_ATTR_INFO"), 0},
> + #endif
> +-#ifdef XML_DTD
> +-      /* Added in Expat 2.4.0. */
> ++#if defined(XML_DTD) || XML_GE == 1
> ++    /* Added in Expat 2.4.0 for XML_DTD defined and
> ++     * added in Expat 2.6.0 for XML_GE == 1. */
> +      
> {XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_D
> EFAULT,
> +        XML_L("XML_BLAP_MAX_AMP"),
> +        (long int)
> +@@ -2537,7 +2538,7 @@ XML_GetFeatureList(void) {
> +   return features;
> + }
> +
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> + XML_Bool XMLCALL
> + XML_SetBillionLaughsAttackProtectionMaximumAmplification(
> +     XML_Parser parser, float maximumAmplificationFactor) {
> +@@ -2559,7 +2560,7 @@
> XML_SetBillionLaughsAttackProtectionActivationThreshold(
> +   parser->m_accounting.activationThresholdBytes =
> activationThresholdBytes;
> +   return XML_TRUE;
> + }
> +-#endif /* XML_DTD */
> ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> +
> + /* Initially tag->rawName always points into the parse buffer;
> +    for those TAG instances opened while the current parse buffer
> was
> +@@ -2645,13 +2646,13 @@ externalEntityInitProcessor2(XML_Parser
> parser, const char *start,
> +   int tok = XmlContentTok(parser->m_encoding, start, end, &next);
> +   switch (tok) {
> +   case XML_TOK_BOM:
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> +     if (! accountingDiffTolerated(parser, tok, start, next,
> __LINE__,
> +                                   XML_ACCOUNT_DIRECT)) {
> +       accountingOnAbort(parser);
> +       return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
> +     }
> +-#endif /* XML_DTD */
> ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> +
> +     /* If we are at the end of the buffer, this would cause the
> next stage,
> +        i.e. externalEntityInitProcessor3, to pass control directly
> to
> +@@ -2765,7 +2766,7 @@ doContent(XML_Parser parser, int
> startTagLevel, const ENCODING *enc,
> +   for (;;) {
> +     const char *next = s; /* XmlContentTok doesn't always set the
> last arg */
> +     int tok = XmlContentTok(enc, s, end, &next);
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> +     const char *accountAfter
> +         = ((tok == XML_TOK_TRAILING_RSQB) || (tok ==
> XML_TOK_TRAILING_CR))
> +               ? (haveMore ? s /* i.e. 0 bytes */ : end)
> +@@ -2831,14 +2832,14 @@ doContent(XML_Parser parser, int
> startTagLevel, const ENCODING *enc,
> +       XML_Char ch = (XML_Char)XmlPredefinedEntityName(
> +           enc, s + enc->minBytesPerChar, next - enc-
> >minBytesPerChar);
> +       if (ch) {
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> +         /* NOTE: We are replacing 4-6 characters original input for
> 1 character
> +          *       so there is no amplification and hence recording
> without
> +          *       protection. */
> +         accountingDiffTolerated(parser, tok, (char *)&ch,
> +                                 ((char *)&ch) + sizeof(XML_Char),
> __LINE__,
> +                                 XML_ACCOUNT_ENTITY_EXPANSION);
> +-#endif /* XML_DTD */
> ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> +         if (parser->m_characterDataHandler)
> +           parser->m_characterDataHandler(parser->m_handlerArg, &ch,
> 1);
> +         else if (parser->m_defaultHandler)
> +@@ -4040,7 +4041,7 @@ doCdataSection(XML_Parser parser, const
> ENCODING *enc, const char **startPtr,
> +   for (;;) {
> +     const char *next = s; /* in case of XML_TOK_NONE or
> XML_TOK_PARTIAL */
> +     int tok = XmlCdataSectionTok(enc, s, end, &next);
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> +     if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
> account)) {
> +       accountingOnAbort(parser);
> +       return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
> +@@ -4192,7 +4193,7 @@ doIgnoreSection(XML_Parser parser, const
> ENCODING *enc, const char **startPtr,
> +   *eventPP = s;
> +   *startPtr = NULL;
> +   tok = XmlIgnoreSectionTok(enc, s, end, &next);
> +-#  ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> +   if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
> +                                 XML_ACCOUNT_DIRECT)) {
> +     accountingOnAbort(parser);
> +@@ -4284,7 +4285,7 @@ processXmlDecl(XML_Parser parser, int
> isGeneralTextEntity, const char *s,
> +   const XML_Char *storedversion = NULL;
> +   int standalone = -1;
> +
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> +   if (! accountingDiffTolerated(parser, XML_TOK_XML_DECL, s, next,
> __LINE__,
> +                                 XML_ACCOUNT_DIRECT)) {
> +     accountingOnAbort(parser);
> +@@ -4491,7 +4492,7 @@ entityValueInitProcessor(XML_Parser parser,
> const char *s, const char *end,
> +     */
> +     else if (tok == XML_TOK_BOM && next == end
> +              && ! parser->m_parsingStatus.finalBuffer) {
> +-#  ifdef XML_DTD
> ++#  if defined(XML_DTD) || XML_GE == 1
> +       if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
> +                                     XML_ACCOUNT_DIRECT)) {
> +         accountingOnAbort(parser);
> +@@ -4707,11 +4708,13 @@ doProlog(XML_Parser parser, const ENCODING
> *enc, const char *s, const char *end,
> +       }
> +     }
> +     role = XmlTokenRole(&parser->m_prologState, tok, s, next, enc);
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> +     switch (role) {
> +     case XML_ROLE_INSTANCE_START: // bytes accounted in
> contentProcessor
> +     case XML_ROLE_XML_DECL:       // bytes accounted in
> processXmlDecl
> +-    case XML_ROLE_TEXT_DECL:      // bytes accounted in
> processXmlDecl
> ++    #  ifdef XML_DTD
> ++    case XML_ROLE_TEXT_DECL: // bytes accounted in processXmlDecl
> ++#  endif
> +       break;
> +     default:
> +       if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
> account)) {
> +@@ -5648,7 +5651,7 @@ epilogProcessor(XML_Parser parser, const char
> *s, const char *end,
> +   for (;;) {
> +     const char *next = NULL;
> +     int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> +     if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
> +                                   XML_ACCOUNT_DIRECT)) {
> +       accountingOnAbort(parser);
> +@@ -5728,7 +5731,7 @@ processInternalEntity(XML_Parser parser,
> ENTITY *entity, XML_Bool betweenDecl) {
> +       return XML_ERROR_NO_MEMORY;
> +   }
> +   entity->open = XML_TRUE;
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> +   entityTrackingOnOpen(parser, entity, __LINE__);
> + #endif
> +   entity->processed = 0;
> +@@ -5762,9 +5765,9 @@ processInternalEntity(XML_Parser parser,
> ENTITY *entity, XML_Bool betweenDecl) {
> +       entity->processed = (int)(next - textStart);
> +       parser->m_processor = internalEntityProcessor;
> +     } else {
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> +       entityTrackingOnClose(parser, entity, __LINE__);
> +-#endif /* XML_DTD */
> ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> +       entity->open = XML_FALSE;
> +       parser->m_openInternalEntities = openEntity->next;
> +       /* put openEntity back in list of free instances */
> +@@ -5813,7 +5816,7 @@ internalEntityProcessor(XML_Parser parser,
> const char *s, const char *end,
> +     return result;
> +   }
> +
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> +   entityTrackingOnClose(parser, entity, __LINE__);
> + #endif
> +   entity->open = XML_FALSE;
> +@@ -5892,7 +5895,7 @@ appendAttributeValue(XML_Parser parser, const
> ENCODING *enc, XML_Bool isCdata,
> +     const char *next
> +         = ptr; /* XmlAttributeValueTok doesn't always set the last
> arg */
> +     int tok = XmlAttributeValueTok(enc, ptr, end, &next);
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> +     if (! accountingDiffTolerated(parser, tok, ptr, next, __LINE__,
> account)) {
> +       accountingOnAbort(parser);
> +       return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
> +@@ -5957,14 +5960,14 @@ appendAttributeValue(XML_Parser parser,
> const ENCODING *enc, XML_Bool isCdata,
> +       XML_Char ch = (XML_Char)XmlPredefinedEntityName(
> +           enc, ptr + enc->minBytesPerChar, next - enc-
> >minBytesPerChar);
> +       if (ch) {
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> +         /* NOTE: We are replacing 4-6 characters original input for
> 1 character
> +          *       so there is no amplification and hence recording
> without
> +          *       protection. */
> +         accountingDiffTolerated(parser, tok, (char *)&ch,
> +                                 ((char *)&ch) + sizeof(XML_Char),
> __LINE__,
> +                                 XML_ACCOUNT_ENTITY_EXPANSION);
> +-#endif /* XML_DTD */
> ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> +         if (! poolAppendChar(pool, ch))
> +           return XML_ERROR_NO_MEMORY;
> +         break;
> +@@ -6042,14 +6045,14 @@ appendAttributeValue(XML_Parser parser,
> const ENCODING *enc, XML_Bool isCdata,
> +         enum XML_Error result;
> +         const XML_Char *textEnd = entity->textPtr + entity-
> >textLen;
> +         entity->open = XML_TRUE;
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> +         entityTrackingOnOpen(parser, entity, __LINE__);
> + #endif
> +         result = appendAttributeValue(parser, parser-
> >m_internalEncoding,
> +                                       isCdata, (const char
> *)entity->textPtr,
> +                                       (const char *)textEnd, pool,
> +                                      
> XML_ACCOUNT_ENTITY_EXPANSION);
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> +         entityTrackingOnClose(parser, entity, __LINE__);
> + #endif
> +         entity->open = XML_FALSE;
> +@@ -6105,7 +6108,7 @@ storeEntityValue(XML_Parser parser, const
> ENCODING *enc,
> +         = entityTextPtr; /* XmlEntityValueTok doesn't always set
> the last arg */
> +     int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd,
> &next);
> +
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> +     if (! accountingDiffTolerated(parser, tok, entityTextPtr, next,
> __LINE__,
> +                                   account)) {
> +       accountingOnAbort(parser);
> +@@ -7651,7 +7654,7 @@ copyString(const XML_Char *s, const
> XML_Memory_Handling_Suite *memsuite) {
> +   return result;
> + }
> +
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> +
> + static float
> + accountingGetCurrentAmplification(XML_Parser rootParser) {
> +@@ -8382,7 +8385,7 @@ unsignedCharToPrintable(unsigned char c) {
> +   assert(0); /* never gets here */
> + }
> +
> +-#endif /* XML_DTD */
> ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> +
> + static unsigned long
> + getDebugLevel(const char *variableName, unsigned long
> defaultDebugLevel) {
> +diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c
> +index 471f2a2..be23f5a 100644
> +--- a/xmlwf/xmlwf.c
> ++++ b/xmlwf/xmlwf.c
> +@@ -1062,9 +1062,10 @@ tmain(int argc, XML_Char **argv) {
> +             " (needs a floating point number greater or equal than
> 1.0)"));
> +         exit(XMLWF_EXIT_USAGE_ERROR);
> +       }
> +-#ifndef XML_DTD
> +-      ftprintf(stderr, T("Warning: Given amplification limit
> ignored") T(
> +-                           ", xmlwf has been compiled without DTD
> support.\n"));
> ++#if ! defined(XML_DTD) && XML_GE == 0
> ++      ftprintf(stderr,
> ++               T("Warning: Given amplification limit ignored")
> ++                   T(", xmlwf has been compiled without DTD/GE
> support.\n"));
> + #endif
> +       break;
> +     }
> +@@ -1083,9 +1084,10 @@ tmain(int argc, XML_Char **argv) {
> +         exit(XMLWF_EXIT_USAGE_ERROR);
> +       }
> +       attackThresholdGiven = XML_TRUE;
> +-#ifndef XML_DTD
> +-      ftprintf(stderr, T("Warning: Given attack threshold ignored")
> T(
> +-                           ", xmlwf has been compiled without DTD
> support.\n"));
> ++#if ! defined(XML_DTD) && XML_GE == 0
> ++      ftprintf(stderr,
> ++               T("Warning: Given attack threshold ignored")
> ++                   T(", xmlwf has been compiled without DTD/GE
> support.\n"));
> + #endif
> +       break;
> +     }
> +@@ -1120,13 +1122,13 @@ tmain(int argc, XML_Char **argv) {
> +     }
> +
> +     if (attackMaximumAmplification != -1.0f) {
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> +       XML_SetBillionLaughsAttackProtectionMaximumAmplification(
> +           parser, attackMaximumAmplification);
> + #endif
> +     }
> +     if (attackThresholdGiven) {
> +-#ifdef XML_DTD
> ++#if defined(XML_DTD) || XML_GE == 1
> +       XML_SetBillionLaughsAttackProtectionActivationThreshold(
> +           parser, attackThresholdBytes);
> + #else
> +--
> +2.40.0
> diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes-
> core/expat/expat_2.5.0.bb
> index 7080f934d1..e427020534 100644
> --- a/meta/recipes-core/expat/expat_2.5.0.bb
> +++ b/meta/recipes-core/expat/expat_2.5.0.bb
> @@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.',
> '_')}"
>  
>  SRC_URI =
> "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_T
> AG}/expat-${PV}.tar.bz2  \
>             file://run-ptest \
> +           file://CVE-2023-52426.patch \
>             "
>  
>  UPSTREAM_CHECK_URI =
> "https://github.com/libexpat/libexpat/releases/"
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#196837):
> https://lists.openembedded.org/g/openembedded-core/message/196837
> Mute This Topic: https://lists.openembedded.org/mt/104800121/3616702
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe:
> https://lists.openembedded.org/g/openembedded-core/unsub [
> anuj.mittal@intel.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
mgupta1 March 12, 2024, 7:58 a.m. UTC | #2 
Hi Anuj,

I have sent the upgrade to 2.6.0 , it includes the complete security fix for CVE-2023-52426 and CVE-2023-52425.

Regards
Meenali
Randy MacLeod March 12, 2024, 12:27 p.m. UTC | #3 
On Tue, Mar 12, 2024, 03:58 Meenali Gupta via lists.openembedded.org
<meenali.gupta=windriver.com@lists.openembedded.org> wrote:

> Hi Anuj,
>
> I have sent the upgrade to 2.6.0 , it includes the complete security fix
> for CVE-2023-52426 and CVE-2023-52425.
>

Unfortunately that update changes the so version number, so it isn't
acceptable for kirkstone.


  #775 #776  Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
                    to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
                    for what these numbers do


I think you will have to carefully back-port the two CVE fixes.

It looks like Debian devs may have already  back-ported at least one of
these CVs to version 2.5.0-x

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063238

Thanks,

../Randy


> Regards
> Meenali
> ------------------------------
> *From:* Mittal, Anuj <anuj.mittal@intel.com>
> *Sent:* 11 March 2024 08:37
> *To:* Gupta, Meenali <Meenali.Gupta@windriver.com>;
> openembedded-core@lists.openembedded.org <
> openembedded-core@lists.openembedded.org>
> *Subject:* Re: [oe-core][kirkstone][PATCH 1/1] expat: fix CVE-2023-52426
>
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and
> know the content is safe.
>
> On Thu, 2024-03-07 at 16:08 -0800, Meenali Gupta via
> lists.openembedded.org wrote:
> > From: Meenali Gupta <meenali.gupta@windriver.com>
> >
> > A flaw was found in Expat (libexpat). If XML_DTD is undefined at
> > compile time, a recursive XML Entity
> > Expansion condition can be triggered. This issue may lead to a
> > condition where data is expanded exponentially,
> > which will quickly consume system resources and cause a denial of
> > service.
> >
> > Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
> > ---
> >  .../expat/expat/CVE-2023-52426.patch          | 429
> > ++++++++++++++++++
> >  meta/recipes-core/expat/expat_2.5.0.bb        |   1 +
> >  2 files changed, 430 insertions(+)
> >  create mode 100644 meta/recipes-core/expat/expat/CVE-2023-
> > 52426.patch
> >
> > diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426.patch
> > b/meta/recipes-core/expat/expat/CVE-2023-52426.patch
> > new file mode 100644
> > index 0000000000..b78a8ee0dc
> > --- /dev/null
> > +++ b/meta/recipes-core/expat/expat/CVE-2023-52426.patch
> > @@ -0,0 +1,429 @@
> > +From 0f075ec8ecb5e43f8fdca5182f8cca4703da0404 Mon Sep 17 00:00:00
> > 2001
> > +From: Sebastian Pipping <sebastian@pipping.org>
> > +Date: Thu, 26 Oct 2023 00:43:22 +0200
> > +Subject: [PATCH] lib|xmlwf|cmake: Extend scope of billion laughs
> > attack
> > + protection
> > +
> > +.. from "defined(XML_DTD)" to "defined(XML_DTD) || XML_GE==1".
> > +
> > +CVE: CVE-2023-52426
> > +Upstream-Status: Backport
> > [https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca518
> > 2f8cca4703da0404]
>
> The PR that this commit is part of includes other commits as well. Is
> there any reason why only this is included or required?
>
> I didn't check in detail but as an example, it seems this commit uses
> EXPAT_GE which was introduced in an earlier commit in that PR:
>
>
> https://github.com/libexpat/libexpat/pull/777/commits/daa89e42c005cc7f4f7af9eee271ae0723d30300
>
> So, is this supposed to work as intended?
>
> Thanks,
>
> Anuj
>
> > +
> > +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
> > +---
> > + CMakeLists.txt         |  8 ++++-
> > + lib/expat.h            |  8 +++--
> > + lib/internal.h         |  2 +-
> > + lib/libexpat.def.cmake |  4 +--
> > + lib/xmlparse.c         | 71 ++++++++++++++++++++++-----------------
> > ---
> > + xmlwf/xmlwf.c          | 18 ++++++-----
> > + 6 files changed, 62 insertions(+), 49 deletions(-)
> > +
> > +diff --git a/CMakeLists.txt b/CMakeLists.txt
> > +index 2b4c13c..183c5c2 100644
> > +--- a/CMakeLists.txt
> > ++++ b/CMakeLists.txt
> > +@@ -381,7 +381,13 @@ if(EXPAT_SHARED_LIBS)
> > +             endif()
> > +         endmacro()
> > +
> > +-        _expat_def_file_toggle(EXPAT_DTD _EXPAT_COMMENT_DTD)
> > ++    if(EXPAT_DTD OR EXPAT_GE)
> > ++            set(_EXPAT_DTD_OR_GE TRUE)
> > ++        else()
> > ++            set(_EXPAT_DTD_OR_GE FALSE)
> > ++        endif()
> > ++
> > ++        _expat_def_file_toggle(_EXPAT_DTD_OR_GE
> > _EXPAT_COMMENT_DTD_OR_GE)
> > +         _expat_def_file_toggle(EXPAT_ATTR_INFO
> > _EXPAT_COMMENT_ATTR_INFO)
> > +
> > +
> > configure_file("${CMAKE_CURRENT_SOURCE_DIR}/lib/libexpat.def.cmake"
> > "${CMAKE_CURRENT_BINARY_DIR}/lib/libexpat.def")
> > +diff --git a/lib/expat.h b/lib/expat.h
> > +index 1c83563..33c94af 100644
> > +--- a/lib/expat.h
> > ++++ b/lib/expat.h
> > +@@ -1038,13 +1038,15 @@ typedef struct {
> > + XMLPARSEAPI(const XML_Feature *)
> > + XML_GetFeatureList(void);
> > +
> > +-#ifdef XML_DTD
> > +-/* Added in Expat 2.4.0. */
> > ++#if defined(XML_DTD) || XML_GE == 1
> > ++/* Added in Expat 2.4.0 for XML_DTD defined and
> > ++ * added in Expat 2.6.0 for XML_GE == 1. */
> > + XMLPARSEAPI(XML_Bool)
> > + XML_SetBillionLaughsAttackProtectionMaximumAmplification(
> > +     XML_Parser parser, float maximumAmplificationFactor);
> > +
> > +-/* Added in Expat 2.4.0. */
> > ++/* Added in Expat 2.4.0 for XML_DTD defined and
> > ++ * added in Expat 2.6.0 for XML_GE == 1. */
> > + XMLPARSEAPI(XML_Bool)
> > + XML_SetBillionLaughsAttackProtectionActivationThreshold(
> > +     XML_Parser parser, unsigned long long
> > activationThresholdBytes);
> > +diff --git a/lib/internal.h b/lib/internal.h
> > +index e09f533..1851925 100644
> > +--- a/lib/internal.h
> > ++++ b/lib/internal.h
> > +@@ -154,7 +154,7 @@ extern "C" {
> > + void _INTERNAL_trim_to_complete_utf8_characters(const char *from,
> > +                                                 const char
> > **fromLimRef);
> > +
> > +-#if defined(XML_DTD)
> > ++#if defined(XML_DTD) || XML_GE == 1
> > + unsigned long long testingAccountingGetCountBytesDirect(XML_Parser
> > parser);
> > + unsigned long long
> > testingAccountingGetCountBytesIndirect(XML_Parser parser);
> > + const char *unsignedCharToPrintable(unsigned char c);
> > +diff --git a/lib/libexpat.def.cmake b/lib/libexpat.def.cmake
> > +index cf434a2..61a4f00 100644
> > +--- a/lib/libexpat.def.cmake
> > ++++ b/lib/libexpat.def.cmake
> > +@@ -75,5 +75,5 @@ EXPORTS
> > +   XML_SetHashSalt @67
> > + ; internal @68 removed with version 2.3.1
> > + ; added with version 2.4.0
> > +-@_EXPAT_COMMENT_DTD@
> > XML_SetBillionLaughsAttackProtectionActivationThreshold @69
> > +-@_EXPAT_COMMENT_DTD@
> > XML_SetBillionLaughsAttackProtectionMaximumAmplification @70
> > ++@_EXPAT_COMMENT_DTD_OR_GE@
> > XML_SetBillionLaughsAttackProtectionActivationThreshold @69
> > ++@_EXPAT_COMMENT_DTD_OR_GE@
> > XML_SetBillionLaughsAttackProtectionMaximumAmplification @70
> > +diff --git a/lib/xmlparse.c b/lib/xmlparse.c
> > +index b6c2eca..e23441e 100644
> > +--- a/lib/xmlparse.c
> > ++++ b/lib/xmlparse.c
> > +@@ -408,7 +408,7 @@ enum XML_Account {
> > +   XML_ACCOUNT_NONE              /* i.e. do not account, was
> > accounted already */
> > + };
> > +
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > + typedef unsigned long long XmlBigCount;
> > + typedef struct accounting {
> > +   XmlBigCount countBytesDirect;
> > +@@ -424,7 +424,7 @@ typedef struct entity_stats {
> > +   unsigned int maximumDepthSeen;
> > +   int debugLevel;
> > + } ENTITY_STATS;
> > +-#endif /* XML_DTD */
> > ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> > +
> > + typedef enum XML_Error PTRCALL Processor(XML_Parser parser, const
> > char *start,
> > +                                          const char *end, const
> > char **endPtr);
> > +@@ -562,7 +562,7 @@ static XML_Parser parserCreate(const XML_Char
> > *encodingName,
> > +
> > + static void parserInit(XML_Parser parser, const XML_Char
> > *encodingName);
> > +
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > + static float accountingGetCurrentAmplification(XML_Parser
> > rootParser);
> > + static void accountingReportStats(XML_Parser originParser, const
> > char *epilog);
> > + static void accountingOnAbort(XML_Parser originParser);
> > +@@ -585,7 +585,7 @@ static void entityTrackingOnClose(XML_Parser
> > parser, ENTITY *entity,
> > +
> > + static XML_Parser getRootParserOf(XML_Parser parser,
> > +                                   unsigned int *outLevelDiff);
> > +-#endif /* XML_DTD */
> > ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> > +
> > + static unsigned long getDebugLevel(const char *variableName,
> > +                                    unsigned long
> > defaultDebugLevel);
> > +@@ -703,7 +703,7 @@ struct XML_ParserStruct {
> > +   enum XML_ParamEntityParsing m_paramEntityParsing;
> > + #endif
> > +   unsigned long m_hash_secret_salt;
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +   ACCOUNTING m_accounting;
> > +   ENTITY_STATS m_entity_stats;
> > + #endif
> > +@@ -1163,7 +1163,7 @@ parserInit(XML_Parser parser, const XML_Char
> > *encodingName) {
> > + #endif
> > +   parser->m_hash_secret_salt = 0;
> > +
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +   memset(&parser->m_accounting, 0, sizeof(ACCOUNTING));
> > +   parser->m_accounting.debugLevel =
> > getDebugLevel("EXPAT_ACCOUNTING_DEBUG", 0u);
> > +   parser->m_accounting.maximumAmplificationFactor
> > +@@ -2522,8 +2522,9 @@ XML_GetFeatureList(void) {
> > + #ifdef XML_ATTR_INFO
> > +       {XML_FEATURE_ATTR_INFO, XML_L("XML_ATTR_INFO"), 0},
> > + #endif
> > +-#ifdef XML_DTD
> > +-      /* Added in Expat 2.4.0. */
> > ++#if defined(XML_DTD) || XML_GE == 1
> > ++    /* Added in Expat 2.4.0 for XML_DTD defined and
> > ++     * added in Expat 2.6.0 for XML_GE == 1. */
> > +
> > {XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_D
> > EFAULT,
> > +        XML_L("XML_BLAP_MAX_AMP"),
> > +        (long int)
> > +@@ -2537,7 +2538,7 @@ XML_GetFeatureList(void) {
> > +   return features;
> > + }
> > +
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > + XML_Bool XMLCALL
> > + XML_SetBillionLaughsAttackProtectionMaximumAmplification(
> > +     XML_Parser parser, float maximumAmplificationFactor) {
> > +@@ -2559,7 +2560,7 @@
> > XML_SetBillionLaughsAttackProtectionActivationThreshold(
> > +   parser->m_accounting.activationThresholdBytes =
> > activationThresholdBytes;
> > +   return XML_TRUE;
> > + }
> > +-#endif /* XML_DTD */
> > ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> > +
> > + /* Initially tag->rawName always points into the parse buffer;
> > +    for those TAG instances opened while the current parse buffer
> > was
> > +@@ -2645,13 +2646,13 @@ externalEntityInitProcessor2(XML_Parser
> > parser, const char *start,
> > +   int tok = XmlContentTok(parser->m_encoding, start, end, &next);
> > +   switch (tok) {
> > +   case XML_TOK_BOM:
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +     if (! accountingDiffTolerated(parser, tok, start, next,
> > __LINE__,
> > +                                   XML_ACCOUNT_DIRECT)) {
> > +       accountingOnAbort(parser);
> > +       return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
> > +     }
> > +-#endif /* XML_DTD */
> > ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> > +
> > +     /* If we are at the end of the buffer, this would cause the
> > next stage,
> > +        i.e. externalEntityInitProcessor3, to pass control directly
> > to
> > +@@ -2765,7 +2766,7 @@ doContent(XML_Parser parser, int
> > startTagLevel, const ENCODING *enc,
> > +   for (;;) {
> > +     const char *next = s; /* XmlContentTok doesn't always set the
> > last arg */
> > +     int tok = XmlContentTok(enc, s, end, &next);
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +     const char *accountAfter
> > +         = ((tok == XML_TOK_TRAILING_RSQB) || (tok ==
> > XML_TOK_TRAILING_CR))
> > +               ? (haveMore ? s /* i.e. 0 bytes */ : end)
> > +@@ -2831,14 +2832,14 @@ doContent(XML_Parser parser, int
> > startTagLevel, const ENCODING *enc,
> > +       XML_Char ch = (XML_Char)XmlPredefinedEntityName(
> > +           enc, s + enc->minBytesPerChar, next - enc-
> > >minBytesPerChar);
> > +       if (ch) {
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +         /* NOTE: We are replacing 4-6 characters original input for
> > 1 character
> > +          *       so there is no amplification and hence recording
> > without
> > +          *       protection. */
> > +         accountingDiffTolerated(parser, tok, (char *)&ch,
> > +                                 ((char *)&ch) + sizeof(XML_Char),
> > __LINE__,
> > +                                 XML_ACCOUNT_ENTITY_EXPANSION);
> > +-#endif /* XML_DTD */
> > ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> > +         if (parser->m_characterDataHandler)
> > +           parser->m_characterDataHandler(parser->m_handlerArg, &ch,
> > 1);
> > +         else if (parser->m_defaultHandler)
> > +@@ -4040,7 +4041,7 @@ doCdataSection(XML_Parser parser, const
> > ENCODING *enc, const char **startPtr,
> > +   for (;;) {
> > +     const char *next = s; /* in case of XML_TOK_NONE or
> > XML_TOK_PARTIAL */
> > +     int tok = XmlCdataSectionTok(enc, s, end, &next);
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +     if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
> > account)) {
> > +       accountingOnAbort(parser);
> > +       return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
> > +@@ -4192,7 +4193,7 @@ doIgnoreSection(XML_Parser parser, const
> > ENCODING *enc, const char **startPtr,
> > +   *eventPP = s;
> > +   *startPtr = NULL;
> > +   tok = XmlIgnoreSectionTok(enc, s, end, &next);
> > +-#  ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +   if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
> > +                                 XML_ACCOUNT_DIRECT)) {
> > +     accountingOnAbort(parser);
> > +@@ -4284,7 +4285,7 @@ processXmlDecl(XML_Parser parser, int
> > isGeneralTextEntity, const char *s,
> > +   const XML_Char *storedversion = NULL;
> > +   int standalone = -1;
> > +
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +   if (! accountingDiffTolerated(parser, XML_TOK_XML_DECL, s, next,
> > __LINE__,
> > +                                 XML_ACCOUNT_DIRECT)) {
> > +     accountingOnAbort(parser);
> > +@@ -4491,7 +4492,7 @@ entityValueInitProcessor(XML_Parser parser,
> > const char *s, const char *end,
> > +     */
> > +     else if (tok == XML_TOK_BOM && next == end
> > +              && ! parser->m_parsingStatus.finalBuffer) {
> > +-#  ifdef XML_DTD
> > ++#  if defined(XML_DTD) || XML_GE == 1
> > +       if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
> > +                                     XML_ACCOUNT_DIRECT)) {
> > +         accountingOnAbort(parser);
> > +@@ -4707,11 +4708,13 @@ doProlog(XML_Parser parser, const ENCODING
> > *enc, const char *s, const char *end,
> > +       }
> > +     }
> > +     role = XmlTokenRole(&parser->m_prologState, tok, s, next, enc);
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +     switch (role) {
> > +     case XML_ROLE_INSTANCE_START: // bytes accounted in
> > contentProcessor
> > +     case XML_ROLE_XML_DECL:       // bytes accounted in
> > processXmlDecl
> > +-    case XML_ROLE_TEXT_DECL:      // bytes accounted in
> > processXmlDecl
> > ++    #  ifdef XML_DTD
> > ++    case XML_ROLE_TEXT_DECL: // bytes accounted in processXmlDecl
> > ++#  endif
> > +       break;
> > +     default:
> > +       if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
> > account)) {
> > +@@ -5648,7 +5651,7 @@ epilogProcessor(XML_Parser parser, const char
> > *s, const char *end,
> > +   for (;;) {
> > +     const char *next = NULL;
> > +     int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +     if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
> > +                                   XML_ACCOUNT_DIRECT)) {
> > +       accountingOnAbort(parser);
> > +@@ -5728,7 +5731,7 @@ processInternalEntity(XML_Parser parser,
> > ENTITY *entity, XML_Bool betweenDecl) {
> > +       return XML_ERROR_NO_MEMORY;
> > +   }
> > +   entity->open = XML_TRUE;
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +   entityTrackingOnOpen(parser, entity, __LINE__);
> > + #endif
> > +   entity->processed = 0;
> > +@@ -5762,9 +5765,9 @@ processInternalEntity(XML_Parser parser,
> > ENTITY *entity, XML_Bool betweenDecl) {
> > +       entity->processed = (int)(next - textStart);
> > +       parser->m_processor = internalEntityProcessor;
> > +     } else {
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +       entityTrackingOnClose(parser, entity, __LINE__);
> > +-#endif /* XML_DTD */
> > ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> > +       entity->open = XML_FALSE;
> > +       parser->m_openInternalEntities = openEntity->next;
> > +       /* put openEntity back in list of free instances */
> > +@@ -5813,7 +5816,7 @@ internalEntityProcessor(XML_Parser parser,
> > const char *s, const char *end,
> > +     return result;
> > +   }
> > +
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +   entityTrackingOnClose(parser, entity, __LINE__);
> > + #endif
> > +   entity->open = XML_FALSE;
> > +@@ -5892,7 +5895,7 @@ appendAttributeValue(XML_Parser parser, const
> > ENCODING *enc, XML_Bool isCdata,
> > +     const char *next
> > +         = ptr; /* XmlAttributeValueTok doesn't always set the last
> > arg */
> > +     int tok = XmlAttributeValueTok(enc, ptr, end, &next);
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +     if (! accountingDiffTolerated(parser, tok, ptr, next, __LINE__,
> > account)) {
> > +       accountingOnAbort(parser);
> > +       return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
> > +@@ -5957,14 +5960,14 @@ appendAttributeValue(XML_Parser parser,
> > const ENCODING *enc, XML_Bool isCdata,
> > +       XML_Char ch = (XML_Char)XmlPredefinedEntityName(
> > +           enc, ptr + enc->minBytesPerChar, next - enc-
> > >minBytesPerChar);
> > +       if (ch) {
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +         /* NOTE: We are replacing 4-6 characters original input for
> > 1 character
> > +          *       so there is no amplification and hence recording
> > without
> > +          *       protection. */
> > +         accountingDiffTolerated(parser, tok, (char *)&ch,
> > +                                 ((char *)&ch) + sizeof(XML_Char),
> > __LINE__,
> > +                                 XML_ACCOUNT_ENTITY_EXPANSION);
> > +-#endif /* XML_DTD */
> > ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> > +         if (! poolAppendChar(pool, ch))
> > +           return XML_ERROR_NO_MEMORY;
> > +         break;
> > +@@ -6042,14 +6045,14 @@ appendAttributeValue(XML_Parser parser,
> > const ENCODING *enc, XML_Bool isCdata,
> > +         enum XML_Error result;
> > +         const XML_Char *textEnd = entity->textPtr + entity-
> > >textLen;
> > +         entity->open = XML_TRUE;
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +         entityTrackingOnOpen(parser, entity, __LINE__);
> > + #endif
> > +         result = appendAttributeValue(parser, parser-
> > >m_internalEncoding,
> > +                                       isCdata, (const char
> > *)entity->textPtr,
> > +                                       (const char *)textEnd, pool,
> > +
> > XML_ACCOUNT_ENTITY_EXPANSION);
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +         entityTrackingOnClose(parser, entity, __LINE__);
> > + #endif
> > +         entity->open = XML_FALSE;
> > +@@ -6105,7 +6108,7 @@ storeEntityValue(XML_Parser parser, const
> > ENCODING *enc,
> > +         = entityTextPtr; /* XmlEntityValueTok doesn't always set
> > the last arg */
> > +     int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd,
> > &next);
> > +
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +     if (! accountingDiffTolerated(parser, tok, entityTextPtr, next,
> > __LINE__,
> > +                                   account)) {
> > +       accountingOnAbort(parser);
> > +@@ -7651,7 +7654,7 @@ copyString(const XML_Char *s, const
> > XML_Memory_Handling_Suite *memsuite) {
> > +   return result;
> > + }
> > +
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +
> > + static float
> > + accountingGetCurrentAmplification(XML_Parser rootParser) {
> > +@@ -8382,7 +8385,7 @@ unsignedCharToPrintable(unsigned char c) {
> > +   assert(0); /* never gets here */
> > + }
> > +
> > +-#endif /* XML_DTD */
> > ++#endif /* defined(XML_DTD) || XML_GE == 1 */
> > +
> > + static unsigned long
> > + getDebugLevel(const char *variableName, unsigned long
> > defaultDebugLevel) {
> > +diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c
> > +index 471f2a2..be23f5a 100644
> > +--- a/xmlwf/xmlwf.c
> > ++++ b/xmlwf/xmlwf.c
> > +@@ -1062,9 +1062,10 @@ tmain(int argc, XML_Char **argv) {
> > +             " (needs a floating point number greater or equal than
> > 1.0)"));
> > +         exit(XMLWF_EXIT_USAGE_ERROR);
> > +       }
> > +-#ifndef XML_DTD
> > +-      ftprintf(stderr, T("Warning: Given amplification limit
> > ignored") T(
> > +-                           ", xmlwf has been compiled without DTD
> > support.\n"));
> > ++#if ! defined(XML_DTD) && XML_GE == 0
> > ++      ftprintf(stderr,
> > ++               T("Warning: Given amplification limit ignored")
> > ++                   T(", xmlwf has been compiled without DTD/GE
> > support.\n"));
> > + #endif
> > +       break;
> > +     }
> > +@@ -1083,9 +1084,10 @@ tmain(int argc, XML_Char **argv) {
> > +         exit(XMLWF_EXIT_USAGE_ERROR);
> > +       }
> > +       attackThresholdGiven = XML_TRUE;
> > +-#ifndef XML_DTD
> > +-      ftprintf(stderr, T("Warning: Given attack threshold ignored")
> > T(
> > +-                           ", xmlwf has been compiled without DTD
> > support.\n"));
> > ++#if ! defined(XML_DTD) && XML_GE == 0
> > ++      ftprintf(stderr,
> > ++               T("Warning: Given attack threshold ignored")
> > ++                   T(", xmlwf has been compiled without DTD/GE
> > support.\n"));
> > + #endif
> > +       break;
> > +     }
> > +@@ -1120,13 +1122,13 @@ tmain(int argc, XML_Char **argv) {
> > +     }
> > +
> > +     if (attackMaximumAmplification != -1.0f) {
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +       XML_SetBillionLaughsAttackProtectionMaximumAmplification(
> > +           parser, attackMaximumAmplification);
> > + #endif
> > +     }
> > +     if (attackThresholdGiven) {
> > +-#ifdef XML_DTD
> > ++#if defined(XML_DTD) || XML_GE == 1
> > +       XML_SetBillionLaughsAttackProtectionActivationThreshold(
> > +           parser, attackThresholdBytes);
> > + #else
> > +--
> > +2.40.0
> > diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes-
> > core/expat/expat_2.5.0.bb
> > index 7080f934d1..e427020534 100644
> > --- a/meta/recipes-core/expat/expat_2.5.0.bb
> > +++ b/meta/recipes-core/expat/expat_2.5.0.bb
> > @@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.',
> > '_')}"
> >
> >  SRC_URI =
> > "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_T
> > AG}/expat-${PV}.tar.bz2  \
> >             file://run-ptest \
> > +           file://CVE-2023-52426.patch \
> >             "
> >
> >  UPSTREAM_CHECK_URI =
> > "https://github.com/libexpat/libexpat/releases/"
> >
> >
> >
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#196973):
> https://lists.openembedded.org/g/openembedded-core/message/196973
> Mute This Topic: https://lists.openembedded.org/mt/104800121/953399
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> rwmacleod@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>
diff mbox series

Patch

diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426.patch b/meta/recipes-core/expat/expat/CVE-2023-52426.patch
new file mode 100644
index 0000000000..b78a8ee0dc
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52426.patch
@@ -0,0 +1,429 @@ 
+From 0f075ec8ecb5e43f8fdca5182f8cca4703da0404 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Thu, 26 Oct 2023 00:43:22 +0200
+Subject: [PATCH] lib|xmlwf|cmake: Extend scope of billion laughs attack
+ protection
+
+.. from "defined(XML_DTD)" to "defined(XML_DTD) || XML_GE==1".
+
+CVE: CVE-2023-52426
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404]
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ CMakeLists.txt         |  8 ++++-
+ lib/expat.h            |  8 +++--
+ lib/internal.h         |  2 +-
+ lib/libexpat.def.cmake |  4 +--
+ lib/xmlparse.c         | 71 ++++++++++++++++++++++--------------------
+ xmlwf/xmlwf.c          | 18 ++++++-----
+ 6 files changed, 62 insertions(+), 49 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 2b4c13c..183c5c2 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -381,7 +381,13 @@ if(EXPAT_SHARED_LIBS)
+             endif()
+         endmacro()
+
+-        _expat_def_file_toggle(EXPAT_DTD _EXPAT_COMMENT_DTD)
++	if(EXPAT_DTD OR EXPAT_GE)
++            set(_EXPAT_DTD_OR_GE TRUE)
++        else()
++            set(_EXPAT_DTD_OR_GE FALSE)
++        endif()
++
++        _expat_def_file_toggle(_EXPAT_DTD_OR_GE _EXPAT_COMMENT_DTD_OR_GE)
+         _expat_def_file_toggle(EXPAT_ATTR_INFO _EXPAT_COMMENT_ATTR_INFO)
+
+         configure_file("${CMAKE_CURRENT_SOURCE_DIR}/lib/libexpat.def.cmake" "${CMAKE_CURRENT_BINARY_DIR}/lib/libexpat.def")
+diff --git a/lib/expat.h b/lib/expat.h
+index 1c83563..33c94af 100644
+--- a/lib/expat.h
++++ b/lib/expat.h
+@@ -1038,13 +1038,15 @@ typedef struct {
+ XMLPARSEAPI(const XML_Feature *)
+ XML_GetFeatureList(void);
+
+-#ifdef XML_DTD
+-/* Added in Expat 2.4.0. */
++#if defined(XML_DTD) || XML_GE == 1
++/* Added in Expat 2.4.0 for XML_DTD defined and
++ * added in Expat 2.6.0 for XML_GE == 1. */
+ XMLPARSEAPI(XML_Bool)
+ XML_SetBillionLaughsAttackProtectionMaximumAmplification(
+     XML_Parser parser, float maximumAmplificationFactor);
+
+-/* Added in Expat 2.4.0. */
++/* Added in Expat 2.4.0 for XML_DTD defined and
++ * added in Expat 2.6.0 for XML_GE == 1. */
+ XMLPARSEAPI(XML_Bool)
+ XML_SetBillionLaughsAttackProtectionActivationThreshold(
+     XML_Parser parser, unsigned long long activationThresholdBytes);
+diff --git a/lib/internal.h b/lib/internal.h
+index e09f533..1851925 100644
+--- a/lib/internal.h
++++ b/lib/internal.h
+@@ -154,7 +154,7 @@ extern "C" {
+ void _INTERNAL_trim_to_complete_utf8_characters(const char *from,
+                                                 const char **fromLimRef);
+
+-#if defined(XML_DTD)
++#if defined(XML_DTD) || XML_GE == 1
+ unsigned long long testingAccountingGetCountBytesDirect(XML_Parser parser);
+ unsigned long long testingAccountingGetCountBytesIndirect(XML_Parser parser);
+ const char *unsignedCharToPrintable(unsigned char c);
+diff --git a/lib/libexpat.def.cmake b/lib/libexpat.def.cmake
+index cf434a2..61a4f00 100644
+--- a/lib/libexpat.def.cmake
++++ b/lib/libexpat.def.cmake
+@@ -75,5 +75,5 @@ EXPORTS
+   XML_SetHashSalt @67
+ ; internal @68 removed with version 2.3.1
+ ; added with version 2.4.0
+-@_EXPAT_COMMENT_DTD@ XML_SetBillionLaughsAttackProtectionActivationThreshold @69
+-@_EXPAT_COMMENT_DTD@ XML_SetBillionLaughsAttackProtectionMaximumAmplification @70
++@_EXPAT_COMMENT_DTD_OR_GE@ XML_SetBillionLaughsAttackProtectionActivationThreshold @69
++@_EXPAT_COMMENT_DTD_OR_GE@ XML_SetBillionLaughsAttackProtectionMaximumAmplification @70
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index b6c2eca..e23441e 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -408,7 +408,7 @@ enum XML_Account {
+   XML_ACCOUNT_NONE              /* i.e. do not account, was accounted already */
+ };
+
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ typedef unsigned long long XmlBigCount;
+ typedef struct accounting {
+   XmlBigCount countBytesDirect;
+@@ -424,7 +424,7 @@ typedef struct entity_stats {
+   unsigned int maximumDepthSeen;
+   int debugLevel;
+ } ENTITY_STATS;
+-#endif /* XML_DTD */
++#endif /* defined(XML_DTD) || XML_GE == 1 */
+
+ typedef enum XML_Error PTRCALL Processor(XML_Parser parser, const char *start,
+                                          const char *end, const char **endPtr);
+@@ -562,7 +562,7 @@ static XML_Parser parserCreate(const XML_Char *encodingName,
+
+ static void parserInit(XML_Parser parser, const XML_Char *encodingName);
+
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ static float accountingGetCurrentAmplification(XML_Parser rootParser);
+ static void accountingReportStats(XML_Parser originParser, const char *epilog);
+ static void accountingOnAbort(XML_Parser originParser);
+@@ -585,7 +585,7 @@ static void entityTrackingOnClose(XML_Parser parser, ENTITY *entity,
+
+ static XML_Parser getRootParserOf(XML_Parser parser,
+                                   unsigned int *outLevelDiff);
+-#endif /* XML_DTD */
++#endif /* defined(XML_DTD) || XML_GE == 1 */
+
+ static unsigned long getDebugLevel(const char *variableName,
+                                    unsigned long defaultDebugLevel);
+@@ -703,7 +703,7 @@ struct XML_ParserStruct {
+   enum XML_ParamEntityParsing m_paramEntityParsing;
+ #endif
+   unsigned long m_hash_secret_salt;
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+   ACCOUNTING m_accounting;
+   ENTITY_STATS m_entity_stats;
+ #endif
+@@ -1163,7 +1163,7 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) {
+ #endif
+   parser->m_hash_secret_salt = 0;
+
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+   memset(&parser->m_accounting, 0, sizeof(ACCOUNTING));
+   parser->m_accounting.debugLevel = getDebugLevel("EXPAT_ACCOUNTING_DEBUG", 0u);
+   parser->m_accounting.maximumAmplificationFactor
+@@ -2522,8 +2522,9 @@ XML_GetFeatureList(void) {
+ #ifdef XML_ATTR_INFO
+       {XML_FEATURE_ATTR_INFO, XML_L("XML_ATTR_INFO"), 0},
+ #endif
+-#ifdef XML_DTD
+-      /* Added in Expat 2.4.0. */
++#if defined(XML_DTD) || XML_GE == 1
++    /* Added in Expat 2.4.0 for XML_DTD defined and
++     * added in Expat 2.6.0 for XML_GE == 1. */
+       {XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT,
+        XML_L("XML_BLAP_MAX_AMP"),
+        (long int)
+@@ -2537,7 +2538,7 @@ XML_GetFeatureList(void) {
+   return features;
+ }
+
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ XML_Bool XMLCALL
+ XML_SetBillionLaughsAttackProtectionMaximumAmplification(
+     XML_Parser parser, float maximumAmplificationFactor) {
+@@ -2559,7 +2560,7 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold(
+   parser->m_accounting.activationThresholdBytes = activationThresholdBytes;
+   return XML_TRUE;
+ }
+-#endif /* XML_DTD */
++#endif /* defined(XML_DTD) || XML_GE == 1 */
+
+ /* Initially tag->rawName always points into the parse buffer;
+    for those TAG instances opened while the current parse buffer was
+@@ -2645,13 +2646,13 @@ externalEntityInitProcessor2(XML_Parser parser, const char *start,
+   int tok = XmlContentTok(parser->m_encoding, start, end, &next);
+   switch (tok) {
+   case XML_TOK_BOM:
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+     if (! accountingDiffTolerated(parser, tok, start, next, __LINE__,
+                                   XML_ACCOUNT_DIRECT)) {
+       accountingOnAbort(parser);
+       return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
+     }
+-#endif /* XML_DTD */
++#endif /* defined(XML_DTD) || XML_GE == 1 */
+
+     /* If we are at the end of the buffer, this would cause the next stage,
+        i.e. externalEntityInitProcessor3, to pass control directly to
+@@ -2765,7 +2766,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+   for (;;) {
+     const char *next = s; /* XmlContentTok doesn't always set the last arg */
+     int tok = XmlContentTok(enc, s, end, &next);
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+     const char *accountAfter
+         = ((tok == XML_TOK_TRAILING_RSQB) || (tok == XML_TOK_TRAILING_CR))
+               ? (haveMore ? s /* i.e. 0 bytes */ : end)
+@@ -2831,14 +2832,14 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+       XML_Char ch = (XML_Char)XmlPredefinedEntityName(
+           enc, s + enc->minBytesPerChar, next - enc->minBytesPerChar);
+       if (ch) {
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+         /* NOTE: We are replacing 4-6 characters original input for 1 character
+          *       so there is no amplification and hence recording without
+          *       protection. */
+         accountingDiffTolerated(parser, tok, (char *)&ch,
+                                 ((char *)&ch) + sizeof(XML_Char), __LINE__,
+                                 XML_ACCOUNT_ENTITY_EXPANSION);
+-#endif /* XML_DTD */
++#endif /* defined(XML_DTD) || XML_GE == 1 */
+         if (parser->m_characterDataHandler)
+           parser->m_characterDataHandler(parser->m_handlerArg, &ch, 1);
+         else if (parser->m_defaultHandler)
+@@ -4040,7 +4041,7 @@ doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
+   for (;;) {
+     const char *next = s; /* in case of XML_TOK_NONE or XML_TOK_PARTIAL */
+     int tok = XmlCdataSectionTok(enc, s, end, &next);
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+     if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) {
+       accountingOnAbort(parser);
+       return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
+@@ -4192,7 +4193,7 @@ doIgnoreSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
+   *eventPP = s;
+   *startPtr = NULL;
+   tok = XmlIgnoreSectionTok(enc, s, end, &next);
+-#  ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+   if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
+                                 XML_ACCOUNT_DIRECT)) {
+     accountingOnAbort(parser);
+@@ -4284,7 +4285,7 @@ processXmlDecl(XML_Parser parser, int isGeneralTextEntity, const char *s,
+   const XML_Char *storedversion = NULL;
+   int standalone = -1;
+
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+   if (! accountingDiffTolerated(parser, XML_TOK_XML_DECL, s, next, __LINE__,
+                                 XML_ACCOUNT_DIRECT)) {
+     accountingOnAbort(parser);
+@@ -4491,7 +4492,7 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end,
+     */
+     else if (tok == XML_TOK_BOM && next == end
+              && ! parser->m_parsingStatus.finalBuffer) {
+-#  ifdef XML_DTD
++#  if defined(XML_DTD) || XML_GE == 1
+       if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
+                                     XML_ACCOUNT_DIRECT)) {
+         accountingOnAbort(parser);
+@@ -4707,11 +4708,13 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+       }
+     }
+     role = XmlTokenRole(&parser->m_prologState, tok, s, next, enc);
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+     switch (role) {
+     case XML_ROLE_INSTANCE_START: // bytes accounted in contentProcessor
+     case XML_ROLE_XML_DECL:       // bytes accounted in processXmlDecl
+-    case XML_ROLE_TEXT_DECL:      // bytes accounted in processXmlDecl
++    #  ifdef XML_DTD
++    case XML_ROLE_TEXT_DECL: // bytes accounted in processXmlDecl
++#  endif
+       break;
+     default:
+       if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) {
+@@ -5648,7 +5651,7 @@ epilogProcessor(XML_Parser parser, const char *s, const char *end,
+   for (;;) {
+     const char *next = NULL;
+     int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+     if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
+                                   XML_ACCOUNT_DIRECT)) {
+       accountingOnAbort(parser);
+@@ -5728,7 +5731,7 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) {
+       return XML_ERROR_NO_MEMORY;
+   }
+   entity->open = XML_TRUE;
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+   entityTrackingOnOpen(parser, entity, __LINE__);
+ #endif
+   entity->processed = 0;
+@@ -5762,9 +5765,9 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) {
+       entity->processed = (int)(next - textStart);
+       parser->m_processor = internalEntityProcessor;
+     } else {
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+       entityTrackingOnClose(parser, entity, __LINE__);
+-#endif /* XML_DTD */
++#endif /* defined(XML_DTD) || XML_GE == 1 */
+       entity->open = XML_FALSE;
+       parser->m_openInternalEntities = openEntity->next;
+       /* put openEntity back in list of free instances */
+@@ -5813,7 +5816,7 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
+     return result;
+   }
+
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+   entityTrackingOnClose(parser, entity, __LINE__);
+ #endif
+   entity->open = XML_FALSE;
+@@ -5892,7 +5895,7 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+     const char *next
+         = ptr; /* XmlAttributeValueTok doesn't always set the last arg */
+     int tok = XmlAttributeValueTok(enc, ptr, end, &next);
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+     if (! accountingDiffTolerated(parser, tok, ptr, next, __LINE__, account)) {
+       accountingOnAbort(parser);
+       return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
+@@ -5957,14 +5960,14 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+       XML_Char ch = (XML_Char)XmlPredefinedEntityName(
+           enc, ptr + enc->minBytesPerChar, next - enc->minBytesPerChar);
+       if (ch) {
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+         /* NOTE: We are replacing 4-6 characters original input for 1 character
+          *       so there is no amplification and hence recording without
+          *       protection. */
+         accountingDiffTolerated(parser, tok, (char *)&ch,
+                                 ((char *)&ch) + sizeof(XML_Char), __LINE__,
+                                 XML_ACCOUNT_ENTITY_EXPANSION);
+-#endif /* XML_DTD */
++#endif /* defined(XML_DTD) || XML_GE == 1 */
+         if (! poolAppendChar(pool, ch))
+           return XML_ERROR_NO_MEMORY;
+         break;
+@@ -6042,14 +6045,14 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+         enum XML_Error result;
+         const XML_Char *textEnd = entity->textPtr + entity->textLen;
+         entity->open = XML_TRUE;
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+         entityTrackingOnOpen(parser, entity, __LINE__);
+ #endif
+         result = appendAttributeValue(parser, parser->m_internalEncoding,
+                                       isCdata, (const char *)entity->textPtr,
+                                       (const char *)textEnd, pool,
+                                       XML_ACCOUNT_ENTITY_EXPANSION);
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+         entityTrackingOnClose(parser, entity, __LINE__);
+ #endif
+         entity->open = XML_FALSE;
+@@ -6105,7 +6108,7 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
+         = entityTextPtr; /* XmlEntityValueTok doesn't always set the last arg */
+     int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd, &next);
+
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+     if (! accountingDiffTolerated(parser, tok, entityTextPtr, next, __LINE__,
+                                   account)) {
+       accountingOnAbort(parser);
+@@ -7651,7 +7654,7 @@ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) {
+   return result;
+ }
+
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+
+ static float
+ accountingGetCurrentAmplification(XML_Parser rootParser) {
+@@ -8382,7 +8385,7 @@ unsignedCharToPrintable(unsigned char c) {
+   assert(0); /* never gets here */
+ }
+
+-#endif /* XML_DTD */
++#endif /* defined(XML_DTD) || XML_GE == 1 */
+
+ static unsigned long
+ getDebugLevel(const char *variableName, unsigned long defaultDebugLevel) {
+diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c
+index 471f2a2..be23f5a 100644
+--- a/xmlwf/xmlwf.c
++++ b/xmlwf/xmlwf.c
+@@ -1062,9 +1062,10 @@ tmain(int argc, XML_Char **argv) {
+             " (needs a floating point number greater or equal than 1.0)"));
+         exit(XMLWF_EXIT_USAGE_ERROR);
+       }
+-#ifndef XML_DTD
+-      ftprintf(stderr, T("Warning: Given amplification limit ignored") T(
+-                           ", xmlwf has been compiled without DTD support.\n"));
++#if ! defined(XML_DTD) && XML_GE == 0
++      ftprintf(stderr,
++               T("Warning: Given amplification limit ignored")
++                   T(", xmlwf has been compiled without DTD/GE support.\n"));
+ #endif
+       break;
+     }
+@@ -1083,9 +1084,10 @@ tmain(int argc, XML_Char **argv) {
+         exit(XMLWF_EXIT_USAGE_ERROR);
+       }
+       attackThresholdGiven = XML_TRUE;
+-#ifndef XML_DTD
+-      ftprintf(stderr, T("Warning: Given attack threshold ignored") T(
+-                           ", xmlwf has been compiled without DTD support.\n"));
++#if ! defined(XML_DTD) && XML_GE == 0
++      ftprintf(stderr,
++               T("Warning: Given attack threshold ignored")
++                   T(", xmlwf has been compiled without DTD/GE support.\n"));
+ #endif
+       break;
+     }
+@@ -1120,13 +1122,13 @@ tmain(int argc, XML_Char **argv) {
+     }
+
+     if (attackMaximumAmplification != -1.0f) {
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+       XML_SetBillionLaughsAttackProtectionMaximumAmplification(
+           parser, attackMaximumAmplification);
+ #endif
+     }
+     if (attackThresholdGiven) {
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+       XML_SetBillionLaughsAttackProtectionActivationThreshold(
+           parser, attackThresholdBytes);
+ #else
+--
+2.40.0
diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes-core/expat/expat_2.5.0.bb
index 7080f934d1..e427020534 100644
--- a/meta/recipes-core/expat/expat_2.5.0.bb
+++ b/meta/recipes-core/expat/expat_2.5.0.bb
@@ -10,6 +10,7 @@  VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"
 
 SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2  \
            file://run-ptest \
+           file://CVE-2023-52426.patch \
            "
 
 UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"