From patchwork Thu Jun 11 16:31:59 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: auh@yoctoproject.org X-Patchwork-Id: 89848 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9C183CD98DF for ; Thu, 11 Jun 2026 16:32:07 +0000 (UTC) Received: from a27-29.smtp-out.us-west-2.amazonses.com (a27-29.smtp-out.us-west-2.amazonses.com [54.240.27.29]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.50437.1781195520236972115 for ; Thu, 11 Jun 2026 09:32:00 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@yoctoproject.org header.s=lvjh2tk576v2ro5mi6k4dt3mc6wpqbky header.b=nbqjvACE; dkim=pass header.i=@amazonses.com header.s=hsbnp7p3ensaochzwyq5wwmceodymuwv header.b=le9jDxjs; spf=pass (domain: us-west-2.amazonses.com, ip: 54.240.27.29, mailfrom: 0101019eb786b6a5-d4d6d2d1-c988-4ecf-b336-b39f527e2ba7-000000@us-west-2.amazonses.com) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=lvjh2tk576v2ro5mi6k4dt3mc6wpqbky; d=yoctoproject.org; t=1781195519; h=Content-Type:MIME-Version:From:To:Cc:Subject:Message-Id:Date; bh=B2lkA5xiElW3AtdyIbvWjg7lCsUfPia3fb7mBispN74=; b=nbqjvACE7ZdfXhri/wIWt29TZgaCKYyQsNBsguMeDqVTHtnL32OHHyOZfNpLTw1E m/KfCHlNGFRAq8PWuCAAXPPX+pLWByCUHYoiN7g4jppCOi/UYwVsnEti75bSg3sBYtE cYH/H1Hv0JRuma0NB2E3MQ4nAfyARdHzSkrDi47s= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=hsbnp7p3ensaochzwyq5wwmceodymuwv; d=amazonses.com; t=1781195519; h=Content-Type:MIME-Version:From:To:Cc:Subject:Message-Id:Date:Feedback-ID; bh=B2lkA5xiElW3AtdyIbvWjg7lCsUfPia3fb7mBispN74=; b=le9jDxjsQiFgCnu1FGtdmZdljbMn/ixlLxgEo/e0SenbZZ2j6XT+VXIQ6aRdSFSf hj9tElPXtcnt/xIS7kyJP8efwxJQgPp8yQlnGIsZjWJU9KHY+5xubLvAaJ1TbSc/Y01 SHJhZu/ODiyAPa9CyzCQEPWiqMe1duM8IbQ0clOI= MIME-Version: 1.0 From: auh@yoctoproject.org To: Michael Opdenacker Cc: openembedded-core@lists.openembedded.org Subject: [AUH] alsa-lib: upgrading to 1.2.16 SUCCEEDED Message-ID: <0101019eb786b6a5-d4d6d2d1-c988-4ecf-b336-b39f527e2ba7-000000@us-west-2.amazonses.com> Date: Thu, 11 Jun 2026 16:31:59 +0000 Feedback-ID: ::1.us-west-2.9np3MYPs3fEaOBysGKSlUD4KtcmPijcmS9Az2Hwf7iQ=:AmazonSES X-SES-Outgoing: 2026.06.11-54.240.27.29 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 11 Jun 2026 16:32:07 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238554 Hello, this email is a notification from the Auto Upgrade Helper that the automatic attempt to upgrade the recipe(s) *alsa-lib* to *1.2.16* has Succeeded. Next steps: - apply the patch: git am 0001-alsa-lib-upgrade-1.2.15.3-1.2.16.patch - check the changes to upstream patches and summarize them in the commit message, - compile an image that contains the package - perform some basic sanity tests - amend the patch and sign it off: git commit -s --reset-author --amend - send it to the appropriate mailing list Alternatively, if you believe the recipe should not be upgraded at this time, you can fill RECIPE_NO_UPDATE_REASON in respective recipe file so that automatic upgrades would no longer be attempted. Please review the attached files for further information and build/update failures. Any problem please file a bug at https://bugzilla.yoctoproject.org/enter_bug.cgi?product=Automated%20Update%20Handler Regards, The Upgrade Helper -- >8 -- From 352b73d08dd87ce9aa0db8eeb82db5f3bd24bf0e Mon Sep 17 00:00:00 2001 From: Upgrade Helper Date: Thu, 11 Jun 2026 13:34:59 +0000 Subject: [PATCH] alsa-lib: upgrade 1.2.15.3 -> 1.2.16 --- .../alsa/alsa-lib/CVE-2026-25068.patch | 34 ------------------- ...lsa-lib_1.2.15.3.bb => alsa-lib_1.2.16.bb} | 3 +- 2 files changed, 1 insertion(+), 36 deletions(-) delete mode 100644 meta/recipes-multimedia/alsa/alsa-lib/CVE-2026-25068.patch rename meta/recipes-multimedia/alsa/{alsa-lib_1.2.15.3.bb => alsa-lib_1.2.16.bb} (91%) diff --git a/meta/recipes-multimedia/alsa/alsa-lib/CVE-2026-25068.patch b/meta/recipes-multimedia/alsa/alsa-lib/CVE-2026-25068.patch deleted file mode 100644 index 9bb24c24e2..0000000000 --- a/meta/recipes-multimedia/alsa/alsa-lib/CVE-2026-25068.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40 Mon Sep 17 00:00:00 2001 -From: Jaroslav Kysela -Date: Thu, 29 Jan 2026 16:51:09 +0100 -Subject: [PATCH] topology: decoder - add boundary check for channel mixer - count - -Malicious binary topology file may cause heap corruption. - -CVE: CVE-2026-25068 - -Signed-off-by: Jaroslav Kysela - -Upstream-Status: Backport [https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40] -Signed-off-by: Peter Marko ---- - src/topology/ctl.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/topology/ctl.c b/src/topology/ctl.c -index a0c24518..322c461c 100644 ---- a/src/topology/ctl.c -+++ b/src/topology/ctl.c -@@ -1250,6 +1250,11 @@ int tplg_decode_control_mixer1(snd_tplg_t *tplg, - if (mc->num_channels > 0) { - map = tplg_calloc(heap, sizeof(*map)); - map->num_channels = mc->num_channels; -+ if (map->num_channels > SND_TPLG_MAX_CHAN || -+ map->num_channels > SND_SOC_TPLG_MAX_CHAN) { -+ snd_error(TOPOLOGY, "mixer: unexpected channel count %d", map->num_channels); -+ return -EINVAL; -+ } - for (i = 0; i < map->num_channels; i++) { - map->channel[i].reg = mc->channel[i].reg; - map->channel[i].shift = mc->channel[i].shift; diff --git a/meta/recipes-multimedia/alsa/alsa-lib_1.2.15.3.bb b/meta/recipes-multimedia/alsa/alsa-lib_1.2.16.bb similarity index 91% rename from meta/recipes-multimedia/alsa/alsa-lib_1.2.15.3.bb rename to meta/recipes-multimedia/alsa/alsa-lib_1.2.16.bb index 1ebb356925..25b2dcde17 100644 --- a/meta/recipes-multimedia/alsa/alsa-lib_1.2.15.3.bb +++ b/meta/recipes-multimedia/alsa/alsa-lib_1.2.16.bb @@ -10,8 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7 \ " SRC_URI = "https://www.alsa-project.org/files/pub/lib/${BP}.tar.bz2" -SRC_URI += "file://CVE-2026-25068.patch" -SRC_URI[sha256sum] = "7b079d614d582cade7ab8db2364e65271d0877a37df8757ac4ac0c8970be861e" +SRC_URI[sha256sum] = "122b1e3166d55fe19bcde656535d7a36f2ab10e66c72c6ad2f43f20ffded0a96" inherit autotools pkgconfig