@@ -30,7 +30,9 @@ B = "${WORKDIR}/perl-${PV}-build"
inherit upstream-version-is-even update-alternatives
-DEPENDS += "perlcross-native zlib virtual/crypt"
+DEPENDS += "perlcross-native bzip2 zlib virtual/crypt"
+DEPENDS:append:class-native = " bzip2-replacement-native"
+
# make 4.1 has race issues with the double-colon usage of MakeMaker, see #14096
DEPENDS += "make-native"
@@ -59,8 +61,10 @@ CFLAGS:append:toolchain-clang = " -fno-strict-aliasing"
# Needed with -march=x86-64-v3
CFLAGS:append:toolchain-gcc:class-target:x86-64 = " -fno-builtin-memcpy -D__NO_STRING_INLINES -U_FORTIFY_SOURCE"
-# Link Compress-Raw-Zlib to the system zlib instead of a vendored copy
+# Link Compress-Raw-Zlib to the system libraries instead of a vendored copy
EXTRA_OEMAKE += "BUILD_ZLIB=False ZLIB_INCLUDE=${STAGING_INCDIR} ZLIB_LIB=${STAGING_LIBDIR}"
+# Link Compress-Raw-Bzip2 to the system libraries instead of a vendored copy
+EXTRA_OEMAKE += "BUILD_BZIP2=False BZIP2_INCLUDE=${STAGING_INCDIR} BZIP2_LIB=${STAGING_LIBDIR}"
CVE_STATUS[CVE-2026-4176] = "not-applicable-config: we do not use the vendorered zlib"
The perl module Compress-Raw-Bzip2 defaults to using a vendored copy of the bzip2 sources. We should be building perl against the system bzip2 recipe to avoid potential security issues. This is a little fiddly in the DEPENDS as bzip2-native is assume-provided so we need to depend on bzip2-replacement-native for the native build. Signed-off-by: Ross Burton <ross.burton@arm.com> --- meta/recipes-devtools/perl/perl_5.42.0.bb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)