From: Bin Cao Date: Thu, 4 Jun 2026 10:10:27 +0000 (+0800) Subject: python3: sanitize userbase in _sysconfig_vars JSON to avoid host path leak X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=beb245ef60c63359cd4f5e285d2f31c5c572b51e;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git python3: sanitize userbase in _sysconfig_vars JSON to avoid host path leak The _sysconfig_vars__linux_x86_64-linux-gnu.json file contains a "userbase" field that is populated from the build host user's $HOME at build time. This leaks the build host user's home directory path into the target rootfs. The existing py_package_preprocess() cleanup for this JSON file only strips known OE build path prefixes (STAGING_DIR_TARGET, RECIPE_SYSROOT, etc.), but the userbase value comes from the build user's $HOME environment variable which doesn't match any of those patterns. Set userbase to an empty string in the packaged JSON. This is safe because at runtime, sysconfig.get_config_vars() always recomputes userbase by calling _getuserbase(), which resolves the actual target user's ~/.local path dynamically. The static value in the JSON is never used for runtime path resolution. Signed-off-by: Bin Cao Signed-off-by: Richard Purdie --- diff --git a/meta/recipes-devtools/python/python3_3.14.5.bb b/meta/recipes-devtools/python/python3_3.14.5.bb index 501de75fb1..919cfde9ae 100644 --- a/meta/recipes-devtools/python/python3_3.14.5.bb +++ b/meta/recipes-devtools/python/python3_3.14.5.bb @@ -390,6 +390,7 @@ py_package_preprocess () { -e 's:${RECIPE_SYSROOT_NATIVE}::g' \ -e 's:${RECIPE_SYSROOT}::g' \ -e 's:${BASE_WORKDIR}/${MULTIMACH_TARGET_SYS}::g' \ + -e 's|"userbase": ".*"|"userbase": ""|g' \ ${PKGD}/${libdir}/python${PYTHON_MAJMIN}/_sysconfig_vars*.json }