From patchwork Mon Jun 15 05:18:46 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: auh@yoctoproject.org
X-Patchwork-Id: 90086
Return-Path: <auh@yoctoproject.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 14541CD98DE
	for <webhook@archiver.kernel.org>; Mon, 15 Jun 2026 05:18:52 +0000 (UTC)
Received: from a27-33.smtp-out.us-west-2.amazonses.com
 (a27-33.smtp-out.us-west-2.amazonses.com [54.240.27.33])
 by mx.groups.io with SMTP id smtpd.msgproc02-g2.123036.1781500727074621235
 for <openembedded-core@lists.openembedded.org>;
 Sun, 14 Jun 2026 22:18:47 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@yoctoproject.org
 header.s=lvjh2tk576v2ro5mi6k4dt3mc6wpqbky header.b=G0ftKv0i;
 dkim=pass header.i=@amazonses.com header.s=hsbnp7p3ensaochzwyq5wwmceodymuwv
 header.b=I4AShUtM;
 spf=pass (domain: us-west-2.amazonses.com, ip: 54.240.27.33,
 mailfrom:
 0101019ec9b7cc30-80683cb1-8a4d-4a19-af5e-620b97d2f1f0-000000@us-west-2.amazonses.com)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=lvjh2tk576v2ro5mi6k4dt3mc6wpqbky; d=yoctoproject.org;
	t=1781500726;
	h=Content-Type:MIME-Version:From:To:Cc:Subject:Message-Id:Date;
	bh=+9bw3CLyoVNjsF6QzvNicMookJfAvEiSsypLLBCx1dc=;
	b=G0ftKv0iS/SOI6TWtKnX5VyFNY8HPR7Kh5dCDZcRrw64LyPdZsD63FaHhG0vOWNn
	+zq95IDIad9mH54bAD4VKnPy8igfbrOkLMyjspmVWuZ8jr3mLf0gr8hO9oakmc5vXTY
	IJqXuH1K/bqBTG8Qt6N1SVVtTY95hgmEmojXRpPA=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=hsbnp7p3ensaochzwyq5wwmceodymuwv; d=amazonses.com; t=1781500726;
	h=Content-Type:MIME-Version:From:To:Cc:Subject:Message-Id:Date:Feedback-ID;
	bh=+9bw3CLyoVNjsF6QzvNicMookJfAvEiSsypLLBCx1dc=;
	b=I4AShUtMLVdXVblfarG1RZCJyIBTp6NPX/9sZnv6+MmbbEPyvLW4aRmVW/QkA/R5
	MXdASvT4I+fuOeKfrPVOySUJ8m/rohef4m90IFMc0uFndnBJqAtYRBY3/uBujYTTUML
	zxBY/746KXbPGMzL8VOhqgrB3MXsFncCEgx5egwo=
MIME-Version: 1.0
From: auh@yoctoproject.org
To: Michael Opdenacker <michael.opdenacker@rootcommit.com>
Cc: openembedded-core@lists.openembedded.org
Subject: [AUH] alsa-lib: upgrading to 1.2.16.1 SUCCEEDED
Message-ID: 
 <0101019ec9b7cc30-80683cb1-8a4d-4a19-af5e-620b97d2f1f0-000000@us-west-2.amazonses.com>
Date: Mon, 15 Jun 2026 05:18:46 +0000
Feedback-ID: 
 ::1.us-west-2.9np3MYPs3fEaOBysGKSlUD4KtcmPijcmS9Az2Hwf7iQ=:AmazonSES
X-SES-Outgoing: 2026.06.15-54.240.27.33
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 15 Jun 2026 05:18:52 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/238807

Hello,

this email is a notification from the Auto Upgrade Helper
that the automatic attempt to upgrade the recipe(s) *alsa-lib* to *1.2.16.1* has Succeeded.

Next steps:
    - apply the patch: git am 0001-alsa-lib-upgrade-1.2.15.3-1.2.16.1.patch
    - check the changes to upstream patches and summarize them in the commit message,
    - compile an image that contains the package
    - perform some basic sanity tests
    - amend the patch and sign it off: git commit -s --reset-author --amend
    - send it to the appropriate mailing list

Alternatively, if you believe the recipe should not be upgraded at this time,
you can fill RECIPE_NO_UPDATE_REASON in respective recipe file so that
automatic upgrades would no longer be attempted.

Please review the attached files for further information and build/update failures.
Any problem please file a bug at https://bugzilla.yoctoproject.org/enter_bug.cgi?product=Automated%20Update%20Handler

Regards,
The Upgrade Helper

-- >8 --
From 70220d7ce8f71876d7bb080433916250b0d02194 Mon Sep 17 00:00:00 2001
From: Upgrade Helper <auh@yoctoproject.org>
Date: Mon, 15 Jun 2026 05:15:18 +0000
Subject: [PATCH] alsa-lib: upgrade 1.2.15.3 -> 1.2.16.1
---
 .../alsa/alsa-lib/CVE-2026-25068.patch        | 34 -------------------
 ...a-lib_1.2.15.3.bb => alsa-lib_1.2.16.1.bb} |  3 +-
 2 files changed, 1 insertion(+), 36 deletions(-)
 delete mode 100644 meta/recipes-multimedia/alsa/alsa-lib/CVE-2026-25068.patch
 rename meta/recipes-multimedia/alsa/{alsa-lib_1.2.15.3.bb => alsa-lib_1.2.16.1.bb} (91%)

diff --git a/meta/recipes-multimedia/alsa/alsa-lib/CVE-2026-25068.patch b/meta/recipes-multimedia/alsa/alsa-lib/CVE-2026-25068.patch
deleted file mode 100644
index 9bb24c24e2..0000000000
--- a/meta/recipes-multimedia/alsa/alsa-lib/CVE-2026-25068.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40 Mon Sep 17 00:00:00 2001
-From: Jaroslav Kysela <perex@perex.cz>
-Date: Thu, 29 Jan 2026 16:51:09 +0100
-Subject: [PATCH] topology: decoder - add boundary check for channel mixer
- count
-
-Malicious binary topology file may cause heap corruption.
-
-CVE: CVE-2026-25068
-
-Signed-off-by: Jaroslav Kysela <perex@perex.cz>
-
-Upstream-Status: Backport [https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- src/topology/ctl.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/topology/ctl.c b/src/topology/ctl.c
-index a0c24518..322c461c 100644
---- a/src/topology/ctl.c
-+++ b/src/topology/ctl.c
-@@ -1250,6 +1250,11 @@ int tplg_decode_control_mixer1(snd_tplg_t *tplg,
- 	if (mc->num_channels > 0) {
- 		map = tplg_calloc(heap, sizeof(*map));
- 		map->num_channels = mc->num_channels;
-+		if (map->num_channels > SND_TPLG_MAX_CHAN ||
-+		    map->num_channels > SND_SOC_TPLG_MAX_CHAN) {
-+			snd_error(TOPOLOGY, "mixer: unexpected channel count %d", map->num_channels);
-+			return -EINVAL;
-+		}
- 		for (i = 0; i < map->num_channels; i++) {
- 			map->channel[i].reg = mc->channel[i].reg;
- 			map->channel[i].shift = mc->channel[i].shift;
diff --git a/meta/recipes-multimedia/alsa/alsa-lib_1.2.15.3.bb b/meta/recipes-multimedia/alsa/alsa-lib_1.2.16.1.bb
similarity index 91%
rename from meta/recipes-multimedia/alsa/alsa-lib_1.2.15.3.bb
rename to meta/recipes-multimedia/alsa/alsa-lib_1.2.16.1.bb
index 1ebb356925..0c81e3cb3b 100644
--- a/meta/recipes-multimedia/alsa/alsa-lib_1.2.15.3.bb
+++ b/meta/recipes-multimedia/alsa/alsa-lib_1.2.16.1.bb
@@ -10,8 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7 \
                     "
 
 SRC_URI = "https://www.alsa-project.org/files/pub/lib/${BP}.tar.bz2"
-SRC_URI += "file://CVE-2026-25068.patch"
-SRC_URI[sha256sum] = "7b079d614d582cade7ab8db2364e65271d0877a37df8757ac4ac0c8970be861e"
+SRC_URI[sha256sum] = "f740db7f488255944ffd4428416ee3390a96742856916433df468c281436480e"
 
 inherit autotools pkgconfig