[AutoPR- Security] Patch expat for CVE-2026-25210 [MEDIUM] (#15653)

Author: azurelinux-security

SPECS/expat/CVE-2026-25210.patch

@@ -0,0 +1,93 @@
+From 1a09ad6433f9f8fd70c515cde7792ae12e3ce61a Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Thu, 2 Oct 2025 17:15:15 -0700
+Subject: [PATCH 1/3] lib: Make a doubling more readable
+
+Suggested-by: Sebastian Pipping <sebastian@pipping.org>
+---
+ lib/xmlparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index d804753..a48acd2 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3492,7 +3492,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+             tag->name.strLen = convLen;
+             break;
+           }
+-          bufSize = (int)(tag->bufEnd - tag->buf) << 1;
++          bufSize = (int)(tag->bufEnd - tag->buf) * 2;
+           {
+             char *temp = (char *)REALLOC(parser, tag->buf, bufSize);
+             if (temp == NULL)
+-- 
+2.45.4
+
+
+From b74fa4400eb8a3a177a95ffbc9c27e61fdd3db6d Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Thu, 2 Oct 2025 17:15:15 -0700
+Subject: [PATCH 2/3] lib: Realign a size with the `REALLOC` type signature it
+ is passed into
+
+Note that this implicitly assumes `tag->bufEnd >= tag->buf`, which should
+already be guaranteed true.
+---
+ lib/xmlparse.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index a48acd2..ed505b7 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3481,7 +3481,6 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+         const char *fromPtr = tag->rawName;
+         toPtr = (XML_Char *)tag->buf;
+         for (;;) {
+-          int bufSize;
+           int convLen;
+           const enum XML_Convert_Result convert_res
+               = XmlConvert(enc, &fromPtr, rawNameEnd, (ICHAR **)&toPtr,
+@@ -3492,7 +3491,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+             tag->name.strLen = convLen;
+             break;
+           }
+-          bufSize = (int)(tag->bufEnd - tag->buf) * 2;
++          const size_t bufSize = (size_t)(tag->bufEnd - tag->buf) * 2;
+           {
+             char *temp = (char *)REALLOC(parser, tag->buf, bufSize);
+             if (temp == NULL)
+-- 
+2.45.4
+
+
+From 73d9f24f8815d46005bd3c5334f668a53c8957a2 Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Thu, 2 Oct 2025 17:15:15 -0700
+Subject: [PATCH 3/3] lib: Introduce an integer overflow check for tag buffer
+ reallocation
+
+Suggested-by: Sebastian Pipping <sebastian@pipping.org>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/libexpat/libexpat/pull/1075.patch
+---
+ lib/xmlparse.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index ed505b7..0bf913c 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3491,6 +3491,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+             tag->name.strLen = convLen;
+             break;
+           }
++          if (SIZE_MAX / 2 < (size_t)(tag->bufEnd - tag->buf))
++            return XML_ERROR_NO_MEMORY;
+           const size_t bufSize = (size_t)(tag->bufEnd - tag->buf) * 2;
+           {
+             char *temp = (char *)REALLOC(parser, tag->buf, bufSize);
+-- 
+2.45.4
+

SPECS/expat/expat.spec

@@ -2,7 +2,7 @@
 Summary:        An XML parser library
 Name:           expat
 Version:        2.6.4
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -12,6 +12,7 @@ Source0:        https://github.com/libexpat/libexpat/releases/download/R_%{under
 Patch0:         CVE-2024-8176.patch
 Patch1:         CVE-2025-59375.patch
 Patch2:         CVE-2026-24515.patch
+Patch3:         CVE-2026-25210.patch
 
 Requires:       %{name}-libs = %{version}-%{release}
 
@@ -70,6 +71,9 @@ rm -rf %{buildroot}/%{_docdir}/%{name}
 %{_libdir}/libexpat.so.1*
 
 %changelog
+* Mon Feb 02 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.6.4-4
+- Patch for CVE-2026-25210
+
 * Tue Jan 27 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.6.4-3
 - Patch for CVE-2026-24515
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -95,9 +95,9 @@ elfutils-libelf-0.186-2.cm2.aarch64.rpm
 elfutils-libelf-devel-0.186-2.cm2.aarch64.rpm
 elfutils-libelf-devel-static-0.186-2.cm2.aarch64.rpm
 elfutils-libelf-lang-0.186-2.cm2.aarch64.rpm
-expat-2.6.4-3.cm2.aarch64.rpm
-expat-devel-2.6.4-3.cm2.aarch64.rpm
-expat-libs-2.6.4-3.cm2.aarch64.rpm
+expat-2.6.4-4.cm2.aarch64.rpm
+expat-devel-2.6.4-4.cm2.aarch64.rpm
+expat-libs-2.6.4-4.cm2.aarch64.rpm
 libpipeline-1.5.5-3.cm2.aarch64.rpm
 libpipeline-devel-1.5.5-3.cm2.aarch64.rpm
 gdbm-1.21-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -95,9 +95,9 @@ elfutils-libelf-0.186-2.cm2.x86_64.rpm
 elfutils-libelf-devel-0.186-2.cm2.x86_64.rpm
 elfutils-libelf-devel-static-0.186-2.cm2.x86_64.rpm
 elfutils-libelf-lang-0.186-2.cm2.x86_64.rpm
-expat-2.6.4-3.cm2.x86_64.rpm
-expat-devel-2.6.4-3.cm2.x86_64.rpm
-expat-libs-2.6.4-3.cm2.x86_64.rpm
+expat-2.6.4-4.cm2.x86_64.rpm
+expat-devel-2.6.4-4.cm2.x86_64.rpm
+expat-libs-2.6.4-4.cm2.x86_64.rpm
 libpipeline-1.5.5-3.cm2.x86_64.rpm
 libpipeline-devel-1.5.5-3.cm2.x86_64.rpm
 gdbm-1.21-1.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -73,10 +73,10 @@ elfutils-libelf-0.186-2.cm2.aarch64.rpm
 elfutils-libelf-devel-0.186-2.cm2.aarch64.rpm
 elfutils-libelf-devel-static-0.186-2.cm2.aarch64.rpm
 elfutils-libelf-lang-0.186-2.cm2.aarch64.rpm
-expat-2.6.4-3.cm2.aarch64.rpm
-expat-debuginfo-2.6.4-3.cm2.aarch64.rpm
-expat-devel-2.6.4-3.cm2.aarch64.rpm
-expat-libs-2.6.4-3.cm2.aarch64.rpm
+expat-2.6.4-4.cm2.aarch64.rpm
+expat-debuginfo-2.6.4-4.cm2.aarch64.rpm
+expat-devel-2.6.4-4.cm2.aarch64.rpm
+expat-libs-2.6.4-4.cm2.aarch64.rpm
 file-5.40-3.cm2.aarch64.rpm
 file-debuginfo-5.40-3.cm2.aarch64.rpm
 file-devel-5.40-3.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -76,10 +76,10 @@ elfutils-libelf-0.186-2.cm2.x86_64.rpm
 elfutils-libelf-devel-0.186-2.cm2.x86_64.rpm
 elfutils-libelf-devel-static-0.186-2.cm2.x86_64.rpm
 elfutils-libelf-lang-0.186-2.cm2.x86_64.rpm
-expat-2.6.4-3.cm2.x86_64.rpm
-expat-debuginfo-2.6.4-3.cm2.x86_64.rpm
-expat-devel-2.6.4-3.cm2.x86_64.rpm
-expat-libs-2.6.4-3.cm2.x86_64.rpm
+expat-2.6.4-4.cm2.x86_64.rpm
+expat-debuginfo-2.6.4-4.cm2.x86_64.rpm
+expat-devel-2.6.4-4.cm2.x86_64.rpm
+expat-libs-2.6.4-4.cm2.x86_64.rpm
 file-5.40-3.cm2.x86_64.rpm
 file-debuginfo-5.40-3.cm2.x86_64.rpm
 file-devel-5.40-3.cm2.x86_64.rpm