[AutoPR- Security] Patch expat for CVE-2026-25210 [MEDIUM] (#15651)

azurelinux-security · web-flow · commit be30df0525b7 · 2026-02-03T12:13:47.000+05:30
diff --git a/SPECS/expat/CVE-2026-25210.patch b/SPECS/expat/CVE-2026-25210.patch
@@ -0,0 +1,93 @@
+From 5ffd029337a8db6b3bef77ecd0a040b3e1e573f2 Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Thu, 2 Oct 2025 17:15:15 -0700
+Subject: [PATCH 1/3] lib: Make a doubling more readable
+
+Suggested-by: Sebastian Pipping <sebastian@pipping.org>
+---
+ lib/xmlparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index d804753..a48acd2 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3492,7 +3492,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+             tag->name.strLen = convLen;
+             break;
+           }
+-          bufSize = (int)(tag->bufEnd - tag->buf) << 1;
++          bufSize = (int)(tag->bufEnd - tag->buf) * 2;
+           {
+             char *temp = (char *)REALLOC(parser, tag->buf, bufSize);
+             if (temp == NULL)
+-- 
+2.45.4
+
+
+From 07d55b4f18ded4740946a9a436e787b3c178176c Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Thu, 2 Oct 2025 17:15:15 -0700
+Subject: [PATCH 2/3] lib: Realign a size with the `REALLOC` type signature it
+ is passed into
+
+Note that this implicitly assumes `tag->bufEnd >= tag->buf`, which should
+already be guaranteed true.
+---
+ lib/xmlparse.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index a48acd2..ed505b7 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3481,7 +3481,6 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+         const char *fromPtr = tag->rawName;
+         toPtr = (XML_Char *)tag->buf;
+         for (;;) {
+-          int bufSize;
+           int convLen;
+           const enum XML_Convert_Result convert_res
+               = XmlConvert(enc, &fromPtr, rawNameEnd, (ICHAR **)&toPtr,
+@@ -3492,7 +3491,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+             tag->name.strLen = convLen;
+             break;
+           }
+-          bufSize = (int)(tag->bufEnd - tag->buf) * 2;
++          const size_t bufSize = (size_t)(tag->bufEnd - tag->buf) * 2;
+           {
+             char *temp = (char *)REALLOC(parser, tag->buf, bufSize);
+             if (temp == NULL)
+-- 
+2.45.4
+
+
+From 3776e1554b8b9506387ec8a0591560898fb1ef87 Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Thu, 2 Oct 2025 17:15:15 -0700
+Subject: [PATCH 3/3] lib: Introduce an integer overflow check for tag buffer
+ reallocation
+
+Suggested-by: Sebastian Pipping <sebastian@pipping.org>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/libexpat/libexpat/pull/1075.patch
+---
+ lib/xmlparse.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index ed505b7..0bf913c 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3491,6 +3491,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+             tag->name.strLen = convLen;
+             break;
+           }
++          if (SIZE_MAX / 2 < (size_t)(tag->bufEnd - tag->buf))
++            return XML_ERROR_NO_MEMORY;
+           const size_t bufSize = (size_t)(tag->bufEnd - tag->buf) * 2;
+           {
+             char *temp = (char *)REALLOC(parser, tag->buf, bufSize);
+-- 
+2.45.4
+
diff --git a/SPECS/expat/expat.spec b/SPECS/expat/expat.spec
@@ -2,7 +2,7 @@
 Summary:        An XML parser library
 Name:           expat
 Version:        2.6.4
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -12,6 +12,7 @@ Source0:        https://github.com/libexpat/libexpat/releases/download/R_%{under
 Patch0:         CVE-2024-8176.patch
 Patch1:         CVE-2025-59375.patch
 Patch2:         CVE-2026-24515.patch
+Patch3:         CVE-2026-25210.patch
 Requires:       %{name}-libs = %{version}-%{release}
 
 %description
@@ -69,6 +70,9 @@ rm -rf %{buildroot}/%{_docdir}/%{name}
 %{_libdir}/libexpat.so.1*
 
 %changelog
+* Mon Feb 02 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.6.4-4
+- Patch for CVE-2026-25210
+
 * Tue Jan 27 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.6.4-3
 - Patch for CVE-2026-24515
 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -99,9 +99,9 @@ elfutils-libelf-0.189-6.azl3.aarch64.rpm
 elfutils-libelf-devel-0.189-6.azl3.aarch64.rpm
 elfutils-libelf-devel-static-0.189-6.azl3.aarch64.rpm
 elfutils-libelf-lang-0.189-6.azl3.aarch64.rpm
-expat-2.6.4-3.azl3.aarch64.rpm
-expat-devel-2.6.4-3.azl3.aarch64.rpm
-expat-libs-2.6.4-3.azl3.aarch64.rpm
+expat-2.6.4-4.azl3.aarch64.rpm
+expat-devel-2.6.4-4.azl3.aarch64.rpm
+expat-libs-2.6.4-4.azl3.aarch64.rpm
 libpipeline-1.5.7-1.azl3.aarch64.rpm
 libpipeline-devel-1.5.7-1.azl3.aarch64.rpm
 gdbm-1.23-1.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -99,9 +99,9 @@ elfutils-libelf-0.189-6.azl3.x86_64.rpm
 elfutils-libelf-devel-0.189-6.azl3.x86_64.rpm
 elfutils-libelf-devel-static-0.189-6.azl3.x86_64.rpm
 elfutils-libelf-lang-0.189-6.azl3.x86_64.rpm
-expat-2.6.4-3.azl3.x86_64.rpm
-expat-devel-2.6.4-3.azl3.x86_64.rpm
-expat-libs-2.6.4-3.azl3.x86_64.rpm
+expat-2.6.4-4.azl3.x86_64.rpm
+expat-devel-2.6.4-4.azl3.x86_64.rpm
+expat-libs-2.6.4-4.azl3.x86_64.rpm
 libpipeline-1.5.7-1.azl3.x86_64.rpm
 libpipeline-devel-1.5.7-1.azl3.x86_64.rpm
 gdbm-1.23-1.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -94,10 +94,10 @@ elfutils-libelf-0.189-6.azl3.aarch64.rpm
 elfutils-libelf-devel-0.189-6.azl3.aarch64.rpm
 elfutils-libelf-devel-static-0.189-6.azl3.aarch64.rpm
 elfutils-libelf-lang-0.189-6.azl3.aarch64.rpm
-expat-2.6.4-3.azl3.aarch64.rpm
-expat-debuginfo-2.6.4-3.azl3.aarch64.rpm
-expat-devel-2.6.4-3.azl3.aarch64.rpm
-expat-libs-2.6.4-3.azl3.aarch64.rpm
+expat-2.6.4-4.azl3.aarch64.rpm
+expat-debuginfo-2.6.4-4.azl3.aarch64.rpm
+expat-devel-2.6.4-4.azl3.aarch64.rpm
+expat-libs-2.6.4-4.azl3.aarch64.rpm
 file-5.45-1.azl3.aarch64.rpm
 file-debuginfo-5.45-1.azl3.aarch64.rpm
 file-devel-5.45-1.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -99,10 +99,10 @@ elfutils-libelf-0.189-6.azl3.x86_64.rpm
 elfutils-libelf-devel-0.189-6.azl3.x86_64.rpm
 elfutils-libelf-devel-static-0.189-6.azl3.x86_64.rpm
 elfutils-libelf-lang-0.189-6.azl3.x86_64.rpm
-expat-2.6.4-3.azl3.x86_64.rpm
-expat-debuginfo-2.6.4-3.azl3.x86_64.rpm
-expat-devel-2.6.4-3.azl3.x86_64.rpm
-expat-libs-2.6.4-3.azl3.x86_64.rpm
+expat-2.6.4-4.azl3.x86_64.rpm
+expat-debuginfo-2.6.4-4.azl3.x86_64.rpm
+expat-devel-2.6.4-4.azl3.x86_64.rpm
+expat-libs-2.6.4-4.azl3.x86_64.rpm
 file-5.45-1.azl3.x86_64.rpm
 file-debuginfo-5.45-1.azl3.x86_64.rpm
 file-devel-5.45-1.azl3.x86_64.rpm
