| Message ID | 20260514103317.3959488-1-sudumbha@cisco.com |
|---|---|
| State | New |
| Series | [scarthgap] perl: link to the system zlib instead of a vendored copy |
On Thu, 2026-05-14 at 03:33 -0700, Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) wrote:
> From: Ross Burton <ross.burton@arm.com>
>
> The perl module Compress-Raw-Zlib defaults to using a vendored copy of
> the zlib sources which has a number of CVEs. A newer version of perl
> updates this to zlib 1.3.2 to resolve them, but we should be linking to
> our zlib recipe instead of the vendored code.
>
> This mitigates CVE-2026-4176 so mark it as not appropriate.
>
> Signed-off-by: Ross Burton <ross.burton@arm.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> (cherry picked from commit bf515229043685d4f00c965eb3e0236c37b6b403)
> Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>

Hi Sudhir,

The description in the commit message applies to Perl 5.42.0 in our master branch, have you confirmed this is also valid for Perl 5.38.x on Scarthgap?

Thanks,
diff --git a/meta/recipes-devtools/perl/perl_5.38.4.bb b/meta/recipes-devtools/perl/perl_5.38.4.bb index e59022e2bd..5ab49ed3d7 100644 --- a/meta/recipes-devtools/perl/perl_5.38.4.bb +++ b/meta/recipes-devtools/perl/perl_5.38.4.bb @@ -49,6 +49,11 @@ export ENC2XS_NO_COMMENTS = "1" CFLAGS += "-D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64" +# Link Compress-Raw-Zlib to the system zlib instead of a vendored copy +EXTRA_OEMAKE += "BUILD_ZLIB=False ZLIB_INCLUDE=${STAGING_INCDIR} ZLIB_LIB=${STAGING_LIBDIR}" + +CVE_STATUS[CVE-2026-4176] = "not-applicable-config: we do not use the vendorered zlib" + do_configure:prepend() { rm -rf ${B} cp -rfp ${S} ${B}
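Review bot: the CVE_STATUS justification in this hunk misspells "vendored" as "vendorered" (`CVE_STATUS[CVE-2026-4176] = "not-applicable-config: we do not use the vendorered zlib"`); that string is what ends up in the CVE report, so fix the typo before merging. Two things to confirm for the scarthgap backport, given that the commit message was written against Perl 5.42.0 in master: first, `ZLIB_INCLUDE=${STAGING_INCDIR}` and `ZLIB_LIB=${STAGING_LIBDIR}` only resolve if zlib is staged when perl builds, and the hunk does not touch DEPENDS, so check that zlib is already a build dependency of perl_5.38.4.bb (or add it); second, check that the Compress-Raw-Zlib bundled with 5.38.4 honours `BUILD_ZLIB=False` when passed through EXTRA_OEMAKE, otherwise the vendored sources are still compiled in and the not-applicable status would be wrong. A quick way to validate the result is to inspect the built Compress/Raw/Zlib shared object in the work directory and confirm it has a NEEDED entry for libz.so rather than embedding the zlib symbols itself.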