Hi! The following patch looks suspicious to me:
https://git.yoctoproject.org/meta-intel/commit/?h=dunfell&id=e64954db5944bd9397357f0b2ebd58412a576993

Is it correct?

It provides a file CVE-2022-37434.patch. A file with the same name but different content also exists in poky/meta/recipes-core/zlib/zlib/ (as of dunfell-23.0.24).

Normally files with the same name in 2 different recipes would not cause any concern, but meta-intel/recipes-core/zlib/zlib-intel_1.2.11.1.jtkv6.3.bb does actually "require" poky/meta/recipes-core/zlib/zlib_1.2.11.bb

Combined this looks like a possible "double mistake" to me. At the moment they seem to cancel each other, but that's not what robust code should do.

1. The file CVE-2022-37434.patch contained in meta-intel is not used at all. At least in my build's FILESPATH the poky patch is found first. If that were the intention, the meta-intel patch should come without any file of that name; including dead code does not seem useful to me.

2. Looking at the contents of the patches I could speculate that the one in poky is actually better. It covers two upstream commits, not only one. (I have not studied whether the missing commit would make sense in the Intel fork.)

Regards,

Uwe Geuder
Neuro Event Labs Oy
Tampere, Finland
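Added illustration, not part of the original message and not code from poky or meta-intel: a small audit of the shadowing described in point 1, where the first directory in FILESPATH that holds a file name wins and a same-named copy further down is never used. The directory names and patch bodies are constructed; only the file name CVE-2022-37434.patch comes from the message.

```python
import hashlib
import os
import tempfile

PATCH = "CVE-2022-37434.patch"  # file name taken from the message


def digest(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def audit(filespath, names):
    """For each file name, report which copy a first-match search over the
    colon-separated FILESPATH picks, plus shadowed copies that differ."""
    report = {}
    for name in names:
        hits = [os.path.join(d, name) for d in filespath.split(":")
                if d and os.path.isfile(os.path.join(d, name))]
        if not hits:
            report[name] = None
            continue
        used, shadowed = hits[0], hits[1:]
        report[name] = {
            "used": used,
            "shadowed": shadowed,
            "differing": [p for p in shadowed if digest(p) != digest(used)],
        }
    return report


def demo():
    """Constructed layout: two directories holding a same-named patch."""
    root = tempfile.mkdtemp()
    first = os.path.join(root, "layer-found-first", "zlib")
    second = os.path.join(root, "layer-found-second", "zlib")
    bodies = {first: b"constructed patch A\n", second: b"constructed patch B\n"}
    for directory, body in bodies.items():
        os.makedirs(directory)
        with open(os.path.join(directory, PATCH), "wb") as fh:
            fh.write(body)
    return audit(first + ":" + second, [PATCH])


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result["used"])
        for path in result["differing"]:
            print("  shadowed, different content:", path)
```

On a real build, the FILESPATH string to pass to `audit` can be read from the output of `bitbake -e zlib-intel`.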
