author Meenali Gupta <meenali.gupta@windriver.com> 2024-03-17 15:47:25 +0000
committer Steve Sakoman <steve@sakoman.com> 2024-03-18 06:13:57 -1000
commit aa20dd9eb68f04a5f1556123ad1b2398de911d93 (patch)
tree 0d01e81c32d12be4eb38cc5e7402b0bd34e2452f /meta/recipes-core/expat/expat/CVE-2023-52426-003.patch
parent c02175e97348836429cecbfad15d89be040bbd92 (diff)
expat: fix CVE-2023-52426
A flaw was found in Expat (libexpat). If XML_DTD is undefined at compile time, a recursive XML Entity Expansion condition can be triggered. This issue may lead to a condition where data is expanded exponentially, which will quickly consume system resources and cause a denial of service.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-52426
https://github.com/libexpat/libexpat/pull/777

Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-core/expat/expat/CVE-2023-52426-003.patch')
-rw-r--r-- meta/recipes-core/expat/expat/CVE-2023-52426-003.patch 28
1 files changed, 28 insertions, 0 deletions
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-003.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-003.patch
new file mode 100644
index 0000000000..96a62dcffc
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52426-003.patch
@@ -0,0 +1,28 @@
+From ed87a4793404e91c0cc0c81435fcfcc64a8be9f4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Thu, 26 Oct 2023 00:45:23 +0200
+Subject: [PATCH] configure.ac: Define macro XML_GE as 1
+
+CVE: CVE-2023-52426
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/ed87a4793404e91c0cc0c81435fcfcc64a8be9f4]
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ configure.ac | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index d3642de..153bb8e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -295,6 +295,8 @@ AC_SUBST(FILEMAP)
+ dnl Some basic configuration:
+ AC_DEFINE([XML_NS], 1,
+ [Define to make XML Namespaces functionality available.])
++AC_DEFINE([XML_GE], 1,
++ [Define as 1/0 to enable/disable support for general entities.])
+ AC_DEFINE([XML_DTD], 1,
+ [Define to make parameter entity parsing functionality available.])
+ AC_DEFINE([XML_DEV_URANDOM], 1,
+--
+2.40.0
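
Review bot: The embedded configure.ac hunk hard-codes AC_DEFINE([XML_GE], 1, ...) although its help string reads "Define as 1/0 to enable/disable support for general entities", and the unchanged context directly below it shows XML_DTD also fixed at 1, while the commit message describes the flaw as arising when XML_DTD is undefined. Taken alone, the hunk does not show how this build reaches the affected configuration or what the new define changes for it, so a sentence in the patch header stating what the -003 part contributes, and which other parts of the series it goes with, would make the backport reviewable on its own. The view is limited to the new patch file, so it is also worth confirming that the same commit lists the file in the recipe's SRC_URI, since a patch that only sits in the directory is never applied.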