From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: Thomas Perale <thomas.perale@mind.be>
Cc: buildroot@buildroot.org, Luca Ceresoli <luca.ceresoli@bootlin.com>
Subject: Re: [Buildroot] [PATCH 1/4] package/unzip: import patches from Debian
Date: Fri, 29 May 2026 11:45:54 +0200 [thread overview]
Message-ID: <ahlfm8PQMCidZ3TT@windsurf> (raw)
In-Reply-To: <20260204131841.282589-1-thomas.perale@mind.be>
Hello Thomas,
On Wed, Feb 04, 2026 at 02:18:30PM +0100, Thomas Perale via buildroot wrote:
> In Buildroot there are multiple ways to apply patches on a package [1]:
>
> - Adding `.patch` files in the package directory.
> - Defining the `<pkg>_PATCH` variable with the location of the patch tar.gz.
> It is used to download Debian patch tarballs.
> - Implementing custom patching logic with `PRE`/`POST` patch hooks.
>
> To make the CycloneDX SBOM generation not dependent on downloading the
> packages, the last two options have the downside of not appearing in the
> generated SBOM.
>
> The unzip package is downloading a tarball from the Debian mirror with
> the `<pkg>_PATCH` method [2].
>
> To improve the tracking of the patched vulnerabilities for the unzip
> package, this commit imports the patches previously downloaded with the
> `_PATCH` variable into the Buildroot tree.
> This allows adding the `CVE:` trailer [3] on the patches that fix
> vulnerabilities, to better track which patch is fixing which vulnerability.
>
> [1] https://buildroot.org/downloads/manual/manual.html#patch-policy
> [2] https://snapshot.debian.org/archive/debian/20250311T215724Z/pool/main/u/unzip/unzip_6.0-29.debian.tar.xz
> [3] 1167d0ff3d docs/manual: mention CVE trailer
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Thanks a lot, entire series applied to master.
Actually PATCH 3/4 is fixing a pretty nasty bug: we were pretending
that some of the CVEs were fixed by patches, but we were not actually
applying those patches, so the CVEs were not actually fixed.
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
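The bug Thomas Petazzoni describes (CVEs listed as fixed while the fixing patches were never applied) is exactly the kind of drift that in-tree patches with a `CVE:` trailer make checkable. The script below is an added example, not part of this thread and not Buildroot's own tooling: it cross-checks the `CVE:` trailers found in a package's in-tree `.patch` files against the package's `<PKG>_IGNORE_CVES` list in its `.mk` file and reports CVEs that are claimed as handled but have no patch declaring them. It assumes the usual `package/<pkg>/<pkg>.mk` layout, trailer lines of the form `CVE: CVE-YYYY-NNNN` in the patch header, and the `<PKG>_IGNORE_CVES` variable name; the package, patch files and CVE identifiers used in `demo()` are constructed fixtures, not real entries.

```python
#!/usr/bin/env python3
"""Cross-check 'CVE:' trailers in a Buildroot package's in-tree patches
against its <PKG>_IGNORE_CVES list.

Added example, not Buildroot's own tooling.  Assumes:
  - package/<pkg>/<pkg>.mk carries <PKG>_IGNORE_CVES (+= or =, with
    backslash continuations allowed);
  - each fixing patch declares 'CVE: CVE-YYYY-NNNN' in its header.
"""
import os
import re
import tempfile

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
TRAILER_RE = re.compile(r"^CVE:\s*(CVE-\d{4}-\d{4,})\s*$", re.MULTILINE)
# A patch header ends at the first 'diff ' line or the '---' separator.
HEADER_END_RE = re.compile(r"^(?:diff |---\s)", re.MULTILINE)


def patch_cves(patch_text):
    """Return the CVEs declared by 'CVE:' trailer lines in one patch.

    Only the header (commit message) is scanned, so a CVE string that
    merely appears in the diffed source text is not taken as a claim.
    """
    header = HEADER_END_RE.split(patch_text, maxsplit=1)[0]
    return set(TRAILER_RE.findall(header))


def ignore_cves(mk_text, pkg):
    """Parse <PKG>_IGNORE_CVES assignments from a .mk file (pkg-stats style)."""
    var = pkg.upper().replace("-", "_") + "_IGNORE_CVES"
    assign_re = re.compile(r"\s*" + re.escape(var) + r"\s*[+:]?=\s*(.*)$")
    found = set()
    # Join backslash-continued lines before matching.
    for line in mk_text.replace("\\\n", " ").splitlines():
        m = assign_re.match(line)
        if m:
            found.update(CVE_RE.findall(m.group(1)))
    return found


def check_package(pkg_dir, pkg):
    """Compare CVEs declared by in-tree patches with the .mk ignore list."""
    declared = {}
    for name in sorted(os.listdir(pkg_dir)):
        if not name.endswith(".patch"):
            continue
        with open(os.path.join(pkg_dir, name)) as fh:
            for cve in patch_cves(fh.read()):
                declared.setdefault(cve, []).append(name)
    with open(os.path.join(pkg_dir, pkg + ".mk")) as fh:
        ignored = ignore_cves(fh.read(), pkg)
    return {
        # Listed as handled in the .mk, but no in-tree patch declares it:
        # this is the shape of the bug fixed by PATCH 3/4 in the thread.
        "claimed_without_patch": sorted(ignored - declared.keys()),
        # A patch fixes it but the .mk still reports it as open.
        "patched_but_not_ignored": sorted(declared.keys() - ignored),
        "consistent": sorted(ignored & declared.keys()),
    }


def demo():
    """Build a constructed package tree in a temp dir and check it."""
    pkg = "example-pkg"  # constructed fixture, not a real package
    root = tempfile.mkdtemp()
    pkg_dir = os.path.join(root, "package", pkg)
    os.makedirs(pkg_dir)
    fixtures = {
        "0001-fix-a.patch": (
            "From: Someone <someone@example.invalid>\n"
            "Subject: [PATCH] fix a\n\nCVE: CVE-2000-0001\n"
            "Signed-off-by: Someone <someone@example.invalid>\n---\n"
            "diff --git a/a.c b/a.c\n--- a/a.c\n+++ b/a.c\n"
            "@@ -1 +1 @@\n-/* CVE: CVE-2000-0009 in source text only */\n+x\n"
        ),
        "0002-fix-b.patch": (
            "Subject: [PATCH] fix b\n\nCVE: CVE-2000-0002\n---\n"
            "diff --git a/b.c b/b.c\n--- a/b.c\n+++ b/b.c\n@@ -1 +1 @@\n-y\n+z\n"
        ),
        pkg + ".mk": (
            "EXAMPLE_PKG_VERSION = 1.0\n"
            "EXAMPLE_PKG_IGNORE_CVES += CVE-2000-0001 \\\n"
            "\tCVE-2000-0003\n"
        ),
    }
    for name, text in fixtures.items():
        with open(os.path.join(pkg_dir, name), "w") as fh:
            fh.write(text)
    return check_package(pkg_dir, pkg)


if __name__ == "__main__":
    for key, cves in demo().items():
        print(f"{key}: {', '.join(cves) or '-'}")
```

Run as-is it reports `CVE-2000-0003` as claimed without any patch declaring it (the mismatch to alarm on), `CVE-2000-0002` as patched but still reported open, and `CVE-2000-0001` as consistent; point `check_package()` at a real `package/<pkg>` directory to audit an actual package. A CVE string that only occurs inside the diff body is ignored, since it is not a claim that the patch fixes it.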
Thread overview:
2026-02-04 13:18 [Buildroot] [PATCH 1/4] package/unzip: import patches from Debian Thomas Perale via buildroot
2026-02-04 13:18 ` [Buildroot] [PATCH 2/4] package/heirloom-mailx: " Thomas Perale via buildroot
2026-06-05 12:49 ` Thomas Perale via buildroot
2026-02-04 13:18 ` [Buildroot] [PATCH 3/4] package/libmad: remove Debian patches Thomas Perale via buildroot
2026-06-05 12:49 ` Thomas Perale via buildroot
2026-02-04 13:18 ` [Buildroot] [PATCH 4/4] package/libmad: add patch for CVE-2017-837{2, 3, 4} Thomas Perale via buildroot
2026-06-05 12:49 ` Thomas Perale via buildroot
2026-05-29 9:45 ` Thomas Petazzoni via buildroot [this message]
2026-06-05 12:49 ` [Buildroot] [PATCH 1/4] package/unzip: import patches from Debian Thomas Perale via buildroot