From patchwork Thu Sep 4 15:22:33 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 69675
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 1/5] curl: update CVE_STATUS for CVE-2025-5025
Date: Thu, 4 Sep 2025 08:22:33 -0700
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/222956

From: Vrushti Dabhi

This CVE applies only when curl is built with wolfSSL support.
Revised CVE_STATUS description to align with CVE details.

Reference: https://github.com/openembedded/openembedded-core/commit/93ae0758ef35

Signed-off-by: Vrushti Dabhi
Signed-off-by: Steve Sakoman
---
 meta/recipes-support/curl/curl_8.7.1.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index a21a086f40..6845a43cd2 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -37,7 +37,7 @@ CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl dan CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on google cloud services causing a potential man in the middle attack" CVE_STATUS[CVE-2025-0725] = "not-applicable-config: gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, using zlib 1.2.0.3 or older" -CVE_STATUS[CVE-2025-5025] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: build with openssl','unpatched',d)}" +CVE_STATUS[CVE-2025-5025] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}" inherit autotools pkgconfig binconfig multilib_header ptest From patchwork Thu Sep 4 15:22:34 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 69676 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0BD83CA1013 for ; Thu, 4 Sep 2025 15:22:55 +0000 (UTC) Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com [209.85.214.178]) by mx.groups.io with SMTP id smtpd.web10.923.1756999370570333424 for ; Thu, 04 Sep 2025 08:22:50 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=hemcwgZX; spf=softfail (domain: sakoman.com, ip: 209.85.214.178, mailfrom: steve@sakoman.com) Received: by mail-pl1-f178.google.com with SMTP id d9443c01a7336-24cdd95c422so3169705ad.0 for ; Thu, 04 Sep 2025 08:22:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1756999370; x=1757604170; 
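Review bot: The condition in the changed CVE_STATUS[CVE-2025-5025] line still tests PACKAGECONFIG for 'openssl', while the new reason string and the commit message say the CVE applies only to wolfSSL builds. Any configuration without openssl in PACKAGECONFIG takes the 'unpatched' branch, including a build that uses some other TLS backend and is therefore just as far outside the stated scope. Consider expressing the test in terms of wolfssl, or explaining in the commit message why the presence of openssl is the right proxy for "not built with wolfSSL".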
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 2/5] libpam: fix CVE-2024-10963
Date: Thu, 4 Sep 2025 08:22:34 -0700
Message-ID: <2be498fd0872d7ccbf0e9b2eb0a1d4879823c968.1756999195.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/222957

From: Stanislav Vovk

Upstream-Status: Backport from https://github.com/linux-pam/linux-pam/commit/940747f88c16e029b69a74e80a2e94f65cb3e628

Signed-off-by: Stanislav Vovk
Signed-off-by: Steve Sakoman
---
 .../pam/libpam/CVE-2024-10963.patch | 265 ++++++++++++++++++
 meta/recipes-extended/pam/libpam_1.5.3.bb | 1 +
 2 files changed, 266 insertions(+)
 create mode 100644 meta/recipes-extended/pam/libpam/CVE-2024-10963.patch

diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10963.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10963.patch
new file mode 100644
index 0000000000..b79831f0e5
--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/CVE-2024-10963.patch
@@ -0,0 +1,265 @@ +From f9ccee5c4c6cb0d4197b08ebeb36c1dceffe82e8 Mon Sep 17 00:00:00 2001 +From: Thorsten Kukuk +Date: Thu, 14 Nov 2024 10:27:28 +0100 +Subject: [PATCH] pam_access: rework resolving of tokens as hostname + +* modules/pam_access/pam_access.c: separate resolving of IP addresses + from hostnames. Don't resolve TTYs or display variables as hostname + (#834). + Add "nodns" option to disallow resolving of tokens as hostname. +* modules/pam_access/pam_access.8.xml: document nodns option +* modules/pam_access/access.conf.5.xml: document that hostnames should + be written as FQHN. + +Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/940747f88c16e029b69a74e80a2e94f65cb3e628] +CVE: CVE-2024-10963 +Signed-off-by: Stanislav Vovk +--- + modules/pam_access/access.conf.5.xml | 4 ++ + modules/pam_access/pam_access.8.xml | 46 ++++++++++++------ + modules/pam_access/pam_access.c | 72 +++++++++++++++++++++++++++- + 3 files changed, 105 insertions(+), 17 deletions(-) + +diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml +index ff1cb223..158fc7df 100644 +--- a/modules/pam_access/access.conf.5.xml ++++ b/modules/pam_access/access.conf.5.xml +@@ -220,10 +220,14 @@ + the fields they are ignored. However if the list separator is changed with the + listsep option, the spaces will become part of the actual + item and the line will be most probably ignored. For this reason, it is not + recommended to put spaces around the ':' characters. + ++ ++ Hostnames should be written as Fully-Qualified Host Name (FQHN) to avoid ++ confusion with device names or PAM service names. 
++ + + + + SEE ALSO + +diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml +index 010e749e..1182c907 100644 +--- a/modules/pam_access/pam_access.8.xml ++++ b/modules/pam_access/pam_access.8.xml +@@ -20,15 +20,18 @@ + + pam_access.so + + debug + ++ ++ noaudit ++ + + nodefgroup + + +- noaudit ++ nodns + + + accessfile=file + + +@@ -127,10 +130,37 @@ + Do not report logins from disallowed hosts and ttys to the audit subsystem. + + + + ++ ++ ++ nodefgroup ++ ++ ++ ++ User tokens which are not enclosed in parentheses will not be ++ matched against the group database. The backwards compatible default is ++ to try the group database match even for tokens not enclosed ++ in parentheses. ++ ++ ++ ++ ++ ++ ++ nodns ++ ++ ++ ++ Do not try to resolve tokens as hostnames, only IPv4 and IPv6 ++ addresses will be resolved. Which means to allow login from a ++ remote host, the IP addresses need to be specified in access.conf. ++ ++ ++ ++ + + + fieldsep=separators + + +@@ -168,24 +198,10 @@ + "Domain Admins" contain a space. + + + + +- +- +- nodefgroup +- +- +- +- User tokens which are not enclosed in parentheses will not be +- matched against the group database. The backwards compatible default is +- to try the group database match even for tokens not enclosed +- in parentheses. +- +- +- +- + + + + + MODULE TYPES PROVIDED +diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c +index f70b7e49..d06496c3 100644 +--- a/modules/pam_access/pam_access.c ++++ b/modules/pam_access/pam_access.c +@@ -97,10 +97,11 @@ struct login_info { + const char *config_file; + const char *hostname; + int debug; /* Print debugging messages. 
*/ + int only_new_group_syntax; /* Only allow group entries of the form "(xyz)" */ + int noaudit; /* Do not audit denials */ ++ int nodns; /* Do not try to resolve tokens as hostnames */ + const char *fs; /* field separator */ + const char *sep; /* list-element separator */ + int from_remote_host; /* If PAM_RHOST was used for from */ + struct addrinfo *res; /* Cached DNS resolution of from */ + int gai_rv; /* Cached retval of getaddrinfo */ +@@ -148,10 +149,12 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo, + loginfo->debug = YES; + } else if (strcmp (argv[i], "nodefgroup") == 0) { + loginfo->only_new_group_syntax = YES; + } else if (strcmp (argv[i], "noaudit") == 0) { + loginfo->noaudit = YES; ++ } else if (strcmp (argv[i], "nodns") == 0) { ++ loginfo->nodns = YES; + } else { + pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]); + } + } + +@@ -730,11 +733,11 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item) + + if (tok[0] == '.') { /* domain: match last fields */ + if ((str_len = strlen(string)) > tok_len + && strcasecmp(tok, string + str_len - tok_len) == 0) + return YES; +- } else if (tok[tok_len - 1] == '.') { /* internet network numbers (end with ".") */ ++ } else if (tok[tok_len - 1] == '.') { /* internet network numbers/subnet (end with ".") */ + struct addrinfo hint; + + memset (&hint, '\0', sizeof (hint)); + hint.ai_flags = AI_CANONNAME; + hint.ai_family = AF_INET; +@@ -805,10 +808,43 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string, + } + return (NO); + } + + ++static int ++is_device (pam_handle_t *pamh, const char *tok) ++{ ++ struct stat st; ++ const char *dev = "/dev/"; ++ char *devname; ++ ++ devname = malloc (strlen(dev) + strlen (tok) + 1); ++ if (devname == NULL) { ++ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory for device name: %m"); ++ /* ++ * We should return an error and abort, but pam_access has no good ++ * error handling. 
++ */ ++ return NO; ++ } ++ ++ char *cp = stpcpy (devname, dev); ++ strcpy (cp, tok); ++ ++ if (lstat(devname, &st) != 0) ++ { ++ free (devname); ++ return NO; ++ } ++ free (devname); ++ ++ if (S_ISCHR(st.st_mode)) ++ return YES; ++ ++ return NO; ++} ++ + /* network_netmask_match - match a string against one token + * where string is a hostname or ip (v4,v6) address and tok + * represents either a hostname, a single ip (v4,v6) address + * or a network/netmask + */ +@@ -866,14 +902,46 @@ network_netmask_match (pam_handle_t *pamh, + if (getaddrinfo (tok, NULL, NULL, &ai) != 0) + { + return NO; + } + } ++ else if (isipaddr(tok, NULL, NULL) == YES) ++ { ++ if (getaddrinfo (tok, NULL, NULL, &ai) != 0) ++ { ++ if (item->debug) ++ pam_syslog(pamh, LOG_DEBUG, "cannot resolve IP address \"%s\"", tok); ++ ++ return NO; ++ } ++ netmask_ptr = NULL; ++ } ++ else if (item->nodns) ++ { ++ /* Only hostnames are left, which we would need to resolve via DNS */ ++ return NO; ++ } + else + { ++ /* Bail out on X11 Display entries and ttys. */ ++ if (tok[0] == ':') ++ { ++ if (item->debug) ++ pam_syslog (pamh, LOG_DEBUG, ++ "network_netmask_match: tok=%s is X11 display", tok); ++ return NO; ++ } ++ if (is_device (pamh, tok)) ++ { ++ if (item->debug) ++ pam_syslog (pamh, LOG_DEBUG, ++ "network_netmask_match: tok=%s is a TTY", tok); ++ return NO; ++ } ++ + /* +- * It is either an IP address or a hostname. ++ * It is most likely a hostname. + * Let getaddrinfo sort everything out + */ + if (getaddrinfo (tok, NULL, NULL, &ai) != 0) + { + pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok); +-- +2.43.5 + diff --git a/meta/recipes-extended/pam/libpam_1.5.3.bb b/meta/recipes-extended/pam/libpam_1.5.3.bb index 815085cc82..4c27767ab1 100644 --- a/meta/recipes-extended/pam/libpam_1.5.3.bb +++ b/meta/recipes-extended/pam/libpam_1.5.3.bb 
@@ -34,6 +34,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux-PAM-${PV}.tar.xz \ file://CVE-2025-6020-01.patch \ file://CVE-2025-6020-02.patch \ file://CVE-2025-6020-03.patch \ + file://CVE-2024-10963.patch \ " SRC_URI[sha256sum] = "7ac4b50feee004a9fa88f1dfd2d2fa738a82896763050cd773b3c54b0a818283" From patchwork Thu Sep 4 15:22:35 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 69678 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0F217CA101C for ; Thu, 4 Sep 2025 15:22:55 +0000 (UTC) Received: from mail-pg1-f177.google.com (mail-pg1-f177.google.com [209.85.215.177]) by mx.groups.io with SMTP id smtpd.web10.924.1756999372044229891 for ; Thu, 04 Sep 2025 08:22:52 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=eDBuKs0O; spf=softfail (domain: sakoman.com, ip: 209.85.215.177, mailfrom: steve@sakoman.com) Received: by mail-pg1-f177.google.com with SMTP id 41be03b00d2f7-b4c8bee055cso883252a12.2 for ; Thu, 04 Sep 2025 08:22:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1756999371; x=1757604171; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=GNbDkRw6yHs5Z1ufBe8gITeQMpCbCsMbcZ2sYdN/CXY=; b=eDBuKs0O+QYYVwEc/O5TMeo47OcvHyhUlnK/p0kbdgv5VjqipBc13uNfwc1siNyqai vXmI0Lg370qvsUr1UrUgp5MCRvXg9GTFlO+e+U4dZWBjjHRzlTRL8C8aBnSzzrKalHhx A7NxboVh1t3FsHGubM28ITKVWzf3Mk6xQ6WQbOl2FKPuJDwkM1/Pt7mEB4ou7llVhjsc 
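Review bot: In the added is_device() in pam_access.c, the malloc failure path returns NO, and the caller in network_netmask_match then continues to getaddrinfo(tok), which is exactly the lookup this change is meant to keep TTY names away from. The in-code comment acknowledges the missing error handling; returning YES on that path would make the caller return NO without issuing a DNS query. Note also that is_device() uses lstat() with S_ISCHR, so a token that names a symlink under /dev is not recognised as a device and is still resolved as a hostname.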
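Review bot: The new nodns branch in network_netmask_match only takes effect when the option is passed to pam_access.so, and the libpam_1.5.3.bb hunk adds the patch to SRC_URI without any configuration change, so tokens that are neither an X11 display (leading ':') nor a character device under /dev are still handed to getaddrinfo by default. The access.conf.5 text added here names PAM service names as a source of confusion, and those are not covered by either bail-out check. The commit message carries only the Upstream-Status line; it should say that nodns is opt-in and that hostnames in access.conf should be written as FQHN after this backport.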
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 3/5] rpm: keep leading `/' from sed operation
Date: Thu, 4 Sep 2025 08:22:35 -0700
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/222958

From: Hongxu Jia

For /usr/lib/rpm/macros, Yocto explicitly set
OECMAKE_FIND_ROOT_PATH_MODE_PROGRAM = "ONLY" [1][2] to search tools from
CMAKE_FIND_ROOT_PATH [5] which locates in native recipe sysroot or
HOSTTOOLS_DIR. If found in native recipe sysroot or HOSTTOOLS_DIR, the sed
operation removed leading `/'

root@qemux86-64:~# vi /usr/lib/rpm/macros
...
%__xz usr/bin/xz
%__make usr/bin/make
%__zstd usr/bin/zstd
%__quilt usr/bin/quilt
%__patch usr/bin/patch
...

root@qemux86-64:~# rpm --eval "%{__xz} %{__make} %{__zstd} %{__quilt} %{__patch}"
usr/bin/xz usr/bin/make usr/bin/zstd usr/bin/quilt usr/bin/patch

This commit keeps leading `/' from sed operation, and similar reason for
/usr/lib/cmake/rpm/rpm-targets.cmake

After applying this commit:
root@qemux86-64:~# rpm --eval "%{__xz} %{__make} %{__zstd} %{__quilt} %{__patch}"
/usr/bin/xz /usr/bin/make /usr/bin/zstd /usr/bin/quilt /usr/bin/patch

[1] https://git.openembedded.org/openembedded-core/commit/?id=f4ea12f6635125ee793f4dd801c538c0186f9dc3
[2] https://cmake.org/cmake/help/latest/variable/CMAKE_FIND_ROOT_PATH_MODE_PROGRAM.html

Signed-off-by: Hongxu Jia
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
(cherry picked from commit 0d0773879ab9520c475c4a8c930b2e663de0e032)
Signed-off-by: Deepak Rathore
Signed-off-by: Steve Sakoman
---
 meta/recipes-devtools/rpm/rpm_4.19.1.1.bb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-devtools/rpm/rpm_4.19.1.1.bb b/meta/recipes-devtools/rpm/rpm_4.19.1.1.bb index 9330323797..7505e3452c 100644 --- a/meta/recipes-devtools/rpm/rpm_4.19.1.1.bb +++ b/meta/recipes-devtools/rpm/rpm_4.19.1.1.bb 
@@ -130,10 +130,10 @@ do_install:append:class-nativesdk() { } do_install:append () { - sed -i -e 's:${HOSTTOOLS_DIR}/::g' \ - -e 's:${STAGING_DIR_NATIVE}/::g' \ + sed -i -e 's:${HOSTTOOLS_DIR}::g' \ + -e 's:${STAGING_DIR_NATIVE}::g' \ ${D}/${libdir}/rpm/macros - sed -i -e 's:${RECIPE_SYSROOT}/::g' \ + sed -i -e 's:${RECIPE_SYSROOT}::g' \ ${D}/${libdir}/cmake/rpm/rpm-targets.cmake } From patchwork Thu Sep 4 15:22:36 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 69677 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 20791CA1015 for ; Thu, 4 Sep 2025 15:22:55 +0000 (UTC) Received: from mail-pg1-f170.google.com (mail-pg1-f170.google.com [209.85.215.170]) by mx.groups.io with SMTP id smtpd.web10.926.1756999373524283423 for ; Thu, 04 Sep 2025 08:22:53 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=fL/5TqiT; spf=softfail (domain: sakoman.com, ip: 209.85.215.170, mailfrom: steve@sakoman.com) Received: by mail-pg1-f170.google.com with SMTP id 41be03b00d2f7-b52051a2f48so164713a12.1 for ; Thu, 04 Sep 2025 08:22:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1756999373; x=1757604173; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=alikxGrWMtVQVIuqeYrk30GmUgFp33qPWxWOgYpE1vo=; b=fL/5TqiTfkfvwjXJ4yV36MYU/J28fnovF65unB1tFQmuizrTWyfDyPn2V+2AfAUYwp bGJYwm4/T2Mt1Lzv5iymeeKK64p55RlMWKg8pChRfG/wKqxmvXJR5RoTAv/3Zksr+rGC 
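Review bot: Dropping the trailing '/' from all three sed patterns in do_install:append means each pattern now matches the variable's value as a bare string prefix instead of a complete directory, so a path whose next component merely begins with the same characters (a directory named like ${RECIPE_SYSROOT} plus a suffix, for instance) would be cut in the middle of the name. Keeping the separator in the match and re-emitting it, e.g. 's:${RECIPE_SYSROOT}/:/:g', preserves the leading '/' while still matching only whole path prefixes.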
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 4/5] default-distrovars.inc: Fix CONNECTIVITY_CHECK_URIS redirect issue
Date: Thu, 4 Sep 2025 08:22:36 -0700
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/222959

From: Deepak Rathore

The default CONNECTIVITY_CHECK_URIS uses "https://yoctoproject.org/connectivity.html"
which redirect to "https://www.yoctoproject.org/connectivity.html".

Some network configurations with proxies or restricted internet access
don't handle HTTP redirects properly during the sanity check phase,
causing build failures with:

ERROR: OE-core's config sanity checker detected a potential misconfiguration.
Either fix the cause of this error or at your own risk disable the checker (see sanity.conf).
Following is the list of potential problems / advisories:

Fetcher failure for URL: 'https://yoctoproject.org/connectivity.html'. URL doesn't work.

Updated the default URL to use the final destination directly to avoid
redirect-related connectivity check failures.

Also updated SDK test cases in https.py to use the corrected URL for consistency.

Signed-off-by: Deepak Rathore
Signed-off-by: Richard Purdie
(cherry picked from commit 60cdf960a3560f391babd559737f1afb31fb2c5c)
Signed-off-by: Deepak Rathore
Signed-off-by: Steve Sakoman
---
 meta/conf/distro/include/default-distrovars.inc | 2 +-
 meta/lib/oeqa/sdk/buildtools-cases/https.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/conf/distro/include/default-distrovars.inc b/meta/conf/distro/include/default-distrovars.inc
index 7554081e8b..42e6de216e 100644
--- a/meta/conf/distro/include/default-distrovars.inc
+++ b/meta/conf/distro/include/default-distrovars.inc @@ -61,4 +61,4 @@ KERNEL_IMAGETYPES ??= "${KERNEL_IMAGETYPE}" # fetch from the network (and warn you if not). To disable the test set # the variable to be empty. # Git example url: git://git.yoctoproject.org/yocto-firewall-test;protocol=git;rev=master;branch=master -CONNECTIVITY_CHECK_URIS ?= "https://yoctoproject.org/connectivity.html" +CONNECTIVITY_CHECK_URIS ?= "https://www.yoctoproject.org/connectivity.html" diff --git a/meta/lib/oeqa/sdk/buildtools-cases/https.py b/meta/lib/oeqa/sdk/buildtools-cases/https.py index 4525e3d758..98f27e5994 100644 --- a/meta/lib/oeqa/sdk/buildtools-cases/https.py +++ b/meta/lib/oeqa/sdk/buildtools-cases/https.py 
@@ -15,8 +15,8 @@ class HTTPTests(OESDKTestCase): """ def test_wget(self): - self._run('env -i wget --debug --output-document /dev/null https://yoctoproject.org/connectivity.html') + self._run('env -i wget --debug --output-document /dev/null https://www.yoctoproject.org/connectivity.html') def test_python(self): # urlopen() returns a file-like object on success and throws an exception otherwise - self._run('python3 -c \'import urllib.request; urllib.request.urlopen("https://yoctoproject.org/connectivity.html")\'') + self._run('python3 -c \'import urllib.request; urllib.request.urlopen("https://www.yoctoproject.org/connectivity.html")\'') From patchwork Thu Sep 4 15:22:37 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 69679 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0F1A1CA1013 for ; Thu, 4 Sep 2025 15:23:05 +0000 (UTC) Received: from mail-pg1-f171.google.com (mail-pg1-f171.google.com [209.85.215.171]) by mx.groups.io with SMTP id smtpd.web10.927.1756999374993262581 for ; Thu, 04 Sep 2025 08:22:55 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=1YYWujXC; spf=softfail (domain: sakoman.com, ip: 209.85.215.171, mailfrom: steve@sakoman.com) Received: by mail-pg1-f171.google.com with SMTP id 41be03b00d2f7-b4d1e7d5036so699752a12.1 for ; Thu, 04 Sep 2025 08:22:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1756999374; x=1757604174; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to 
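Review bot: The new CONNECTIVITY_CHECK_URIS default in default-distrovars.inc hard-codes the current redirect target, and the comment block above the assignment says nothing about redirects, so whoever changes this URL next has no hint that the sanity check fails behind some proxies when the URL answers with a redirect. Add a comment line stating that the URI should be the final, non-redirecting location.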
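Review bot: In https.py the same URL literal is edited in two places, test_wget and test_python, and it repeats the value set in default-distrovars.inc. Hold it in one class-level constant in HTTPTests so the two test copies cannot drift apart the next time the URL changes.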
([2602:feb4:3b:2100:89a7:8cc5:2043:ebe6]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-24b11448a5asm82528085ad.54.2025.09.04.08.22.53 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 04 Sep 2025 08:22:53 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 5/5] pulseaudio: Add audio group explicitly Date: Thu, 4 Sep 2025 08:22:37 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 04 Sep 2025 15:23:05 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/222960 From: Kyungjik Min Since pulseaudio-server requires the audio group, we explicitly add it. When use useradd-staticids or do not use the default group in base-passwd, an error will occur because the audio group is not defined. NOTE: pulseaudio: Performing useradd with [--root TOPDIR/tmp/work/cortexa72-poky-linux/pulseaudio/17.0/recipe-sysroot --home-dir /var/run/pulse --gid 998 --groups audio,pulse --no-create-home --system --shell /bin/false --uid 998 pulse] useradd: group 'audio' does not exist ERROR: pulseaudio: useradd command did not succeed. Signed-off-by: Kyungjik Min Signed-off-by: Steve Sakoman --- meta-selftest/files/static-group | 1 + meta/recipes-multimedia/pulseaudio/pulseaudio.inc | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/meta-selftest/files/static-group b/meta-selftest/files/static-group index f7a66de24d..c59f9e3019 100644 --- a/meta-selftest/files/static-group +++ b/meta-selftest/files/static-group @@ -27,3 +27,4 @@ render:x:527: sgx:x:528: ptest:x:529: xuser:x:530: +audio:x:531: diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio.inc b/meta/recipes-multimedia/pulseaudio/pulseaudio.inc index 1ab3831519..a93ef8f338 100644 --- a/meta/recipes-multimedia/pulseaudio/pulseaudio.inc 
+++ b/meta/recipes-multimedia/pulseaudio/pulseaudio.inc @@ -146,7 +146,7 @@ do_install:append() { } USERADD_PACKAGES = "pulseaudio-server" -GROUPADD_PARAM:pulseaudio-server = "--system pulse" +GROUPADD_PARAM:pulseaudio-server = "--system audio; --system pulse" USERADD_PARAM:pulseaudio-server = "--system --home /var/run/pulse \ --no-create-home --shell /bin/false \ --groups audio,pulse --gid pulse pulse"
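Review bot: in the meta-selftest/files/static-group hunk, `audio:x:531:` is simply the next ID after `xuser:x:530:`, yet the commit message describes `audio` as a group that is otherwise supplied by base-passwd, so it is worth confirming that 531 is the intended static value and not an accidental divergence from the ID base-passwd would assign. The commit message also does not say why the selftest table needs this entry; a sentence tying it to the useradd-staticids failure shown in the log would make the change easier to audit later, since membership in `audio` is exactly what `--groups audio,pulse` grants the `pulse` account.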
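Review bot: in the pulseaudio.inc hunk, the new `--system audio` entry in GROUPADD_PARAM carries no comment explaining that it is there for configurations where base-passwd does not already define `audio`, and it makes pulseaudio-server a creator of a group name that is not specific to this package. A one-line comment above GROUPADD_PARAM would cover that, and because neither group is given an explicit `--gid` here, the comment could also note that the resulting audio GID comes from the useradd-staticids table or from allocation order when this path is taken. The ordering itself looks right: both groups are declared before USERADD_PARAM references them in `--groups audio,pulse --gid pulse`.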