From: Paul Barker <paul@pbarker.dev>
To: yoann.congal@smile.fr, openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][scarthgap 16/25] zlib: ignore CVE-2026-22184
Date: Mon, 09 Feb 2026 10:49:53 +0000
Message-ID: <296efb168208e46298830f4af5f37b7cfb3ecfa3.camel@pbarker.dev>
In-Reply-To: <52cbace519c5d490a83550d7baa1c0fa200eafcb.1770626074.git.yoann.congal@smile.fr>
On Mon, 2026-02-09 at 10:28 +0100, Yoann Congal via
lists.openembedded.org wrote:
> From: Peter Marko <peter.marko@siemens.com>
>
> This is a CVE for the example tool contrib/untgz.
> This is not compiled in the Yocto zlib recipe.
>
> This CVE has a controversial CVSS3 score of 9.8.
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> ---
> meta/recipes-core/zlib/zlib_1.3.1.bb | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/meta/recipes-core/zlib/zlib_1.3.1.bb b/meta/recipes-core/zlib/zlib_1.3.1.bb
> index e6a81ef7898..8ebc6befc2b 100644
> --- a/meta/recipes-core/zlib/zlib_1.3.1.bb
> +++ b/meta/recipes-core/zlib/zlib_1.3.1.bb
> @@ -48,3 +48,4 @@ BBCLASSEXTEND = "native nativesdk"
>
> CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip"
> CVE_STATUS[CVE-2023-6992] = "cpe-incorrect: this CVE is for cloudflare zlib"
> +CVE_STATUS[CVE-2026-22184] = "not-applicable-config: vulnerable file is not compiled"
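Review bot: The reason string on the added CVE_STATUS[CVE-2026-22184] line says only "vulnerable file is not compiled" and never names the file, while the commit message identifies it as contrib/untgz and the neighbouring CVE-2023-45853 entry names its component ("we don't build minizip"). Suggest naming it in the reason, for example "not-applicable-config: contrib/untgz is not built", so that anyone reading the CVE report can check the exemption against the recipe without looking up this commit.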
I think we should consider backporting 119b775b36df ("zlib: Add
CVE_PRODUCT to exclude false positives") and the relevant bits of
73ee9789183a ("recipes: cleanup CVE_STATUS which are resolved now"),
then we can cherry-pick b0592c51b6ad from master.
Best regards,
--
Paul Barker