
[scarthgap,16/25] zlib: ignore CVE-2026-22184

Message ID 52cbace519c5d490a83550d7baa1c0fa200eafcb.1770626074.git.yoann.congal@smile.fr
State RFC
Delegated to: Yoann Congal
Series [scarthgap,01/25] curl: fix CVE-2025-10148

Commit Message

Yoann Congal Feb. 9, 2026, 9:28 a.m. UTC
From: Peter Marko <peter.marko@siemens.com>

This is a CVE for the example tool contrib/untgz.
This is not compiled in the Yocto zlib recipe.

This CVE has a controversial CVSS3 score of 9.8.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-core/zlib/zlib_1.3.1.bb | 1 +
 1 file changed, 1 insertion(+)

Comments

Paul Barker Feb. 9, 2026, 10:49 a.m. UTC | #1
On Mon, 2026-02-09 at 10:28 +0100, Yoann Congal via
lists.openembedded.org wrote:
> From: Peter Marko <peter.marko@siemens.com>
> 
> This is a CVE for the example tool contrib/untgz.
> This is not compiled in the Yocto zlib recipe.
> 
> This CVE has a controversial CVSS3 score of 9.8.
> 
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> ---
>  meta/recipes-core/zlib/zlib_1.3.1.bb | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/meta/recipes-core/zlib/zlib_1.3.1.bb b/meta/recipes-core/zlib/zlib_1.3.1.bb
> index e6a81ef7898..8ebc6befc2b 100644
> --- a/meta/recipes-core/zlib/zlib_1.3.1.bb
> +++ b/meta/recipes-core/zlib/zlib_1.3.1.bb
> @@ -48,3 +48,4 @@ BBCLASSEXTEND = "native nativesdk"
>  
>  CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip"
>  CVE_STATUS[CVE-2023-6992] = "cpe-incorrect: this CVE is for cloudflare zlib"
> +CVE_STATUS[CVE-2026-22184] = "not-applicable-config: vulnerable file is not compiled"

I think we should consider backporting 119b775b36df ("zlib: Add
CVE_PRODUCT to exclude false positives") and the relevant bits of
73ee9789183a ("recipes: cleanup CVE_STATUS which are resolved now"),
then we can cherry-pick b0592c51b6ad from master.

Best regards,
Yoann Congal Feb. 10, 2026, 10:45 a.m. UTC | #2
On Mon Feb 9, 2026 at 11:49 AM CET, Paul Barker wrote:
> On Mon, 2026-02-09 at 10:28 +0100, Yoann Congal via
> lists.openembedded.org wrote:
>> From: Peter Marko <peter.marko@siemens.com>
>> 
>> This is a CVE for the example tool contrib/untgz.
>> This is not compiled in the Yocto zlib recipe.
>> 
>> This CVE has a controversial CVSS3 score of 9.8.
>> 
>> Signed-off-by: Peter Marko <peter.marko@siemens.com>
>> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
>> ---
>>  meta/recipes-core/zlib/zlib_1.3.1.bb | 1 +
>>  1 file changed, 1 insertion(+)
>> 
>> diff --git a/meta/recipes-core/zlib/zlib_1.3.1.bb b/meta/recipes-core/zlib/zlib_1.3.1.bb
>> index e6a81ef7898..8ebc6befc2b 100644
>> --- a/meta/recipes-core/zlib/zlib_1.3.1.bb
>> +++ b/meta/recipes-core/zlib/zlib_1.3.1.bb
>> @@ -48,3 +48,4 @@ BBCLASSEXTEND = "native nativesdk"
>>  
>>  CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip"
>>  CVE_STATUS[CVE-2023-6992] = "cpe-incorrect: this CVE is for cloudflare zlib"
>> +CVE_STATUS[CVE-2026-22184] = "not-applicable-config: vulnerable file is not compiled"
>
> I think we should consider backporting 119b775b36df ("zlib: Add
> CVE_PRODUCT to exclude false positives") and the relevant bits of
> 73ee9789183a ("recipes: cleanup CVE_STATUS which are resolved now"),
> then we can cherry-pick b0592c51b6ad from master.

Since everything is in whinlatter, I've done that: 3 commits at
https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/scarthgap-nut&id=ee55482f572f13b7194baa0eabc771ceef275a4b

>
> Best regards,

Patch

diff --git a/meta/recipes-core/zlib/zlib_1.3.1.bb b/meta/recipes-core/zlib/zlib_1.3.1.bb
index e6a81ef7898..8ebc6befc2b 100644
--- a/meta/recipes-core/zlib/zlib_1.3.1.bb
+++ b/meta/recipes-core/zlib/zlib_1.3.1.bb
@@ -48,3 +48,4 @@  BBCLASSEXTEND = "native nativesdk"
 
 CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip"
 CVE_STATUS[CVE-2023-6992] = "cpe-incorrect: this CVE is for cloudflare zlib"
+CVE_STATUS[CVE-2026-22184] = "not-applicable-config: vulnerable file is not compiled"
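Review bot: the justification on the added `+` line ("vulnerable file is not compiled") does not name the file, so someone auditing the recipe's CVE_STATUS entries cannot verify the claim without going back to this commit message; the neighbouring CVE-2023-45853 entry sets the precedent by naming minizip. Suggest spelling out the source, e.g. `CVE_STATUS[CVE-2026-22184] = "not-applicable-config: contrib/untgz example tool is not compiled"`. It is also worth settling, per Paul Barker's reply about backporting the CVE_PRODUCT change, whether this per-CVE entry is still needed on scarthgap once that lands, so the status list does not accumulate entries that the product filter already covers.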