diff mbox series

[scarthgap,11/25] perl: link to the system zlib instead of a vendored copy

Message ID 6e83e5520f415fc6ca9029a8aaa0af31cd832a90.1780698373.git.yoann.congal@smile.fr
State New
Headers show
Series [scarthgap,01/25] cargo: set CVE_PRODUCT | expand

Commit Message

Yoann Congal June 5, 2026, 10:33 p.m. UTC 
From: Ross Burton <ross.burton@arm.com>

The perl module Compress-Raw-Zlib defaults to using a vendored copy of
the zlib sources which has a number of CVEs.  A newer version of perl
updates this to zlib 1.3.2 to resolve them, but we should be linking to
our zlib recipe instead of the vendored code.

This mitigates CVE-2026-4176 so mark it as not appropriate.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bf515229043685d4f00c965eb3e0236c37b6b403)
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-devtools/perl/perl_5.38.4.bb | 5 +++++
 1 file changed, 5 insertions(+)
diff mbox series

Patch

diff --git a/meta/recipes-devtools/perl/perl_5.38.4.bb b/meta/recipes-devtools/perl/perl_5.38.4.bb
index e59022e2bdf..5ab49ed3d77 100644
--- a/meta/recipes-devtools/perl/perl_5.38.4.bb
+++ b/meta/recipes-devtools/perl/perl_5.38.4.bb
@@ -49,6 +49,11 @@  export ENC2XS_NO_COMMENTS = "1"
 
 CFLAGS += "-D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
 
+# Link Compress-Raw-Zlib to the system zlib instead of a vendored copy
+EXTRA_OEMAKE += "BUILD_ZLIB=False ZLIB_INCLUDE=${STAGING_INCDIR} ZLIB_LIB=${STAGING_LIBDIR}"
+
+CVE_STATUS[CVE-2026-4176] = "not-applicable-config: we do not use the vendorered zlib"
+
 do_configure:prepend() {
     rm -rf ${B}
     cp -rfp ${S} ${B}