* [OE-core][scarthgap][PATCH] perl: link to the system zlib instead of a vendored copy
@ 2026-05-14 10:33 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-05-14 11:00 ` Paul Barker
0 siblings, 1 reply; 2+ messages in thread
From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-05-14 10:33 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@arm.com>
The perl module Compress-Raw-Zlib defaults to using a vendored copy of
the zlib sources which has a number of CVEs. A newer version of perl
updates this to zlib 1.3.2 to resolve them, but we should be linking to
our zlib recipe instead of the vendored code.
This mitigates CVE-2026-4176 so mark it as not appropriate.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bf515229043685d4f00c965eb3e0236c37b6b403)
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
---
meta/recipes-devtools/perl/perl_5.38.4.bb | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/meta/recipes-devtools/perl/perl_5.38.4.bb b/meta/recipes-devtools/perl/perl_5.38.4.bb
index e59022e2bd..5ab49ed3d7 100644
--- a/meta/recipes-devtools/perl/perl_5.38.4.bb
+++ b/meta/recipes-devtools/perl/perl_5.38.4.bb
@@ -49,6 +49,11 @@ export ENC2XS_NO_COMMENTS = "1"
CFLAGS += "-D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
+# Link Compress-Raw-Zlib to the system zlib instead of a vendored copy
+EXTRA_OEMAKE += "BUILD_ZLIB=False ZLIB_INCLUDE=${STAGING_INCDIR} ZLIB_LIB=${STAGING_LIBDIR}"
+
+CVE_STATUS[CVE-2026-4176] = "not-applicable-config: we do not use the vendorered zlib"
+
do_configure:prepend() {
rm -rf ${B}
cp -rfp ${S} ${B}
--
2.35.6
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [OE-core][scarthgap][PATCH] perl: link to the system zlib instead of a vendored copy
2026-05-14 10:33 [OE-core][scarthgap][PATCH] perl: link to the system zlib instead of a vendored copy Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-05-14 11:00 ` Paul Barker
0 siblings, 0 replies; 2+ messages in thread
From: Paul Barker @ 2026-05-14 11:00 UTC (permalink / raw)
To: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco),
openembedded-core
[-- Attachment #1: Type: text/plain, Size: 959 bytes --]
On Thu, 2026-05-14 at 03:33 -0700, Sudhir Dumbhare -X (sudumbha - E
INFOCHIPS PRIVATE LIMITED at Cisco) wrote:
> From: Ross Burton <ross.burton@arm.com>
>
> The perl module Compress-Raw-Zlib defaults to using a vendored copy of
> the zlib sources which has a number of CVEs. A newer version of perl
> updates this to zlib 1.3.2 to resolve them, but we should be linking to
> our zlib recipe instead of the vendored code.
>
> This mitigates CVE-2026-4176 so mark it as not appropriate.
>
> Signed-off-by: Ross Burton <ross.burton@arm.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> (cherry picked from commit bf515229043685d4f00c965eb3e0236c37b6b403)
> Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Hi Sudhir,
The description in the commit message applies to Perl 5.42.0 in our
master branch, have you confirmed this this is also valid for Perl
5.38.x on Scarthgap?
Thanks,
--
Paul Barker
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 252 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-05-14 11:00 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-14 10:33 [OE-core][scarthgap][PATCH] perl: link to the system zlib instead of a vendored copy Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-05-14 11:00 ` Paul Barker
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.