public inbox for openembedded-core@lists.openembedded.org
From: "Böszörményi Zoltán" <zboszor@gmail.com>
To: Richard Purdie <richard.purdie@linuxfoundation.org>,
	Martin Jansa <martin.jansa@gmail.com>
Cc: Hemanth.KumarMD@windriver.com,
	openembedded-core@lists.openembedded.org,
	Sundeep.Kokkonda@windriver.com, Randy.MacLeod@windriver.com
Subject: Re: [OE-core] [PATCH v2 3/7] pseudo: fix for build with glibc-2.43
Date: Thu, 16 Apr 2026 09:27:44 +0200
Message-ID: <ee4be5e2-033f-436b-b847-a3c796304fab@gmail.com>
In-Reply-To: <a534592e54506e5576444250023b0bed775a298d.camel@linuxfoundation.org>

On 2026. 04. 15. 15:16, Richard Purdie wrote:
> On Tue, 2026-04-07 at 17:38 +0200, Zoltan Boszormenyi via lists.openembedded.org wrote:
>> On 2026. 04. 07. 17:21, Zoltan Boszormenyi via lists.openembedded.org wrote:
>>> The issue turns out to be with GNU tar, specifically this build:
>>> https://koji.fedoraproject.org/koji/buildinfo?buildID=2924033
>>>
>>> Manually downgrading to the previous build fixed the packaging problem:
>>> https://koji.fedoraproject.org/koji/buildinfo?buildID=2917292
>>>
>>> I reported it here:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=2455965
>> According to the changelog of the current GNU tar 1.35-8.fc44 build,
>> it contains backports from what will be the official 1.36 version.
>> With that release, whenever it will be out, other distros would fail, too.
>>
>> Note this from the Fedora package changelog:
>>
>> - Backport upstream changes to jailify extraction directory
>>     Includes related gnulib changes to add openat2
>>     Fixes CVE-2025-45582 (fedora#2380007)
>>
>> which seems to be this commit:
>> https://cgit.git.savannah.gnu.org/cgit/tar.git/commit/?id=75b03fdff48916bd0654677ed21379bdb0db016d
>>
>> commit 75b03fdff48916bd0654677ed21379bdb0db016d
>> Author: Paul Eggert <eggert@cs.ucla.edu>
>> Date:   Thu Nov 13 13:44:10 2025 -0800
>>
>>       Use openat2 to jailify the extraction directory
>>
>>       This addresses CVE-2025-45582.
>>       * gnulib.modules: Add openat2.
>>       * src/misc.c (open_subdir): New static function.
>>       (fdbase_opendir): Use it.
>>       * src/tar.c (open_searchdir_how): New var, replacing and
>>       augmenting open_searchdir_flags.  All uses changed.
>>       * tests/extrac31.at: New file.
>>       * tests/Makefile (TESTSUITE_AT), tests/testuite.at: Add it.
>>
>> I guess it will really need fixes in pseudo to overcome this.
> I have put some patches onto this branch of pseudo:
>
> https://git.yoctoproject.org/pseudo/log/?h=rpurdie/openat2
>
> In my local testing, that did work but I don't have a Fedora 44 system
> to test on right now. There are some potential issues with chroot
> handling in there but I would be curious how this works on Fedora 44 if
> you were able to test...

Here's the patch I made against pseudo:

--------
diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb 
b/meta/recipes-devtools/pseudo/pseudo_git.bb
index 4d31629903..1282e231d7 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -1,6 +1,6 @@
  require pseudo.inc

-SRC_URI = "git://git.yoctoproject.org/pseudo;branch=master;protocol=https \
+SRC_URI = "git://git.yoctoproject.org/pseudo;branch=rpurdie/openat2;protocol=https \
             file://fallback-passwd \
             file://fallback-group \
             "
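
Review bot: the +SRC_URI line points the recipe at branch=rpurdie/openat2, a developer topic branch rather than master, so this hunk is only suitable as a local test change. For anything submitted to OE-core, wait until the openat2 fixes are on master, keep branch=master in SRC_URI and bump only SRCREV.
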
@@ -12,7 +12,7 @@ SRC_URI:append:class-nativesdk = " \
      file://older-glibc-symbols.patch"
  SRC_URI[prebuilt.sha256sum] = 
"ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa"

-SRCREV = "56e1f8df4761da60e41812fc32b1de797d1765e9"
+SRCREV = "54f3d1b4dd3eaed2c57b43c3a4d62cdf99239ed2"
  PV = "1.9.3+git"

  # largefile and 64bit time_t support adds these macros via compiler flags globally
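
Review bot: the +SRCREV line only works together with the branch change in the first hunk, because the git fetcher checks that the pinned revision is contained in the branch named in SRC_URI; applied on its own against branch=master it would fail to fetch until that commit is on master. A topic branch can also be rebased, which would leave this hash unreachable, so the commit message should say that this SRCREV is a test pin.
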
--------

I have upgraded to tar 1.35-8.fc44 and run some builds.
This change in pseudo works properly with the newer tar build shipped in Fedora 44.
FWIW, I have not tried building GNU tar from their latest git sources.

Thank you very much!
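
What "jailify the extraction directory" in the quoted tar commit looks like at the syscall level, as an added example (not code from tar, pseudo or this thread): a path is opened with openat2(2) and a resolve flag, so the kernel itself refuses any lookup that would leave the directory. The helper names, the local struct mirror, the choice of RESOLVE_BENEATH (the page does not say which flags tar passes) and the temporary directory layout are assumptions of this illustration; it needs Linux 5.6 or later.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_openat2
#define SYS_openat2 437            /* same number on every Linux architecture */
#endif
#define JAIL_RESOLVE_BENEATH 0x08  /* RESOLVE_BENEATH from <linux/openat2.h> */
/* Local mirror of the kernel's struct open_how, so older headers still build. */
struct jail_open_how { unsigned long long flags, mode, resolve; };

/* Open path relative to dirfd; "..", absolute paths and symlinks that would
 * leave dirfd fail with -EXDEV. Returns an fd or -errno (-ENOSYS before 5.6). */
int open_beneath(int dirfd, const char *path) {
    struct jail_open_how how = { O_RDONLY | O_CLOEXEC, 0, JAIL_RESOLVE_BENEATH };
    long fd = syscall(SYS_openat2, dirfd, path, &how, sizeof how);
    return fd < 0 ? -errno : (int)fd;
}

/* Constructed layout: <tmp>/secret.txt, <tmp>/jail/ok.txt, <tmp>/jail/link -> ../secret.txt */
int make_demo_jail(void) {
    char tmpl[] = "/tmp/openat2-demo-XXXXXX";
    if (!mkdtemp(tmpl)) return -1;
    int top = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (top < 0 || mkdirat(top, "jail", 0700) < 0) return -1;
    int jail = openat(top, "jail", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int a = openat(top, "secret.txt", O_CREAT | O_WRONLY, 0600);
    int b = openat(jail, "ok.txt", O_CREAT | O_WRONLY, 0600);
    if (jail < 0 || a < 0 || b < 0 || symlinkat("../secret.txt", jail, "link") < 0)
        return -1;
    close(a); close(b); close(top);
    return jail;                   /* fd for <tmp>/jail */
}

int main(void) {
    int jail = make_demo_jail();
    const char *paths[] = { "ok.txt", "../secret.txt", "link", "/etc/passwd" };
    for (int i = 0; jail >= 0 && i < 4; i++) {
        int r = open_beneath(jail, paths[i]);
        printf("%-14s -> %s\n", paths[i], r >= 0 ? "opened" : strerror(-r));
    }
    return jail < 0;
}
```

Because the check is done by the kernel during path resolution, a tool that wraps only the older open/openat entry points does not see these calls.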


