From: Ross Burton <ross.burton@arm.com>
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 6/6] perl: link to the system bzip2 instead of a vendored copy
Date: Tue, 14 Apr 2026 16:56:52 +0100 [thread overview]
Message-ID: <20260414155652.1214302-6-ross.burton@arm.com> (raw)
In-Reply-To: <20260414155652.1214302-1-ross.burton@arm.com>
The perl module Compress-Raw-Bzip2 defaults to using a vendored copy of
the bzip2 sources. We should be building perl against the system bzip2
recipe to avoid potential security issues.
This is a little fiddly in the DEPENDS as bzip2-native is assume-provided
so we need to depend on bzip2-replacement-native for the native build.
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
meta/recipes-devtools/perl/perl_5.42.0.bb | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-devtools/perl/perl_5.42.0.bb b/meta/recipes-devtools/perl/perl_5.42.0.bb
index 5992ac2d927..cf28067bab8 100644
--- a/meta/recipes-devtools/perl/perl_5.42.0.bb
+++ b/meta/recipes-devtools/perl/perl_5.42.0.bb
@@ -30,7 +30,9 @@ B = "${WORKDIR}/perl-${PV}-build"
inherit upstream-version-is-even update-alternatives
-DEPENDS += "perlcross-native zlib virtual/crypt"
+DEPENDS += "perlcross-native bzip2 zlib virtual/crypt"
+DEPENDS:append:class-native = " bzip2-replacement-native"
+
# make 4.1 has race issues with the double-colon usage of MakeMaker, see #14096
DEPENDS += "make-native"
@@ -59,8 +61,10 @@ CFLAGS:append:toolchain-clang = " -fno-strict-aliasing"
# Needed with -march=x86-64-v3
CFLAGS:append:toolchain-gcc:class-target:x86-64 = " -fno-builtin-memcpy -D__NO_STRING_INLINES -U_FORTIFY_SOURCE"
-# Link Compress-Raw-Zlib to the system zlib instead of a vendored copy
+# Link Compress-Raw-Zlib to the system libraries instead of a vendored copy
EXTRA_OEMAKE += "BUILD_ZLIB=False ZLIB_INCLUDE=${STAGING_INCDIR} ZLIB_LIB=${STAGING_LIBDIR}"
+# Link Compress-Raw-Bzip2 to the system libraries instead of a vendored copy
+EXTRA_OEMAKE += "BUILD_BZIP2=False BZIP2_INCLUDE=${STAGING_INCDIR} BZIP2_LIB=${STAGING_LIBDIR}"
CVE_STATUS[CVE-2026-4176] = "not-applicable-config: we do not use the vendorered zlib"
--
2.43.0
prev parent reply other threads:[~2026-04-14 15:57 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-14 15:56 [PATCH 1/6] graphene: ignore CVE-2024-1984 Ross Burton
2026-04-14 15:56 ` [PATCH 2/6] re2c: backport fix for CVE-2026-2903 Ross Burton
2026-04-14 15:56 ` [PATCH 3/6] python3-requests: backport fix for CVE-2026-25645 Ross Burton
2026-04-14 15:56 ` [PATCH 4/6] libexif: backport fixes for CVE-2026-40385/CVE-2026-40386/CVE-2026-32775 Ross Burton
2026-04-15 19:10 ` [OE-core] " Marko, Peter
2026-04-15 21:13 ` Ross Burton
2026-04-14 15:56 ` [PATCH 5/6] perl: link to the system zlib instead of a vendored copy Ross Burton
2026-04-14 15:56 ` Ross Burton [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260414155652.1214302-6-ross.burton@arm.com \
--to=ross.burton@arm.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox