On Tue, 2023-04-18 at 08:46 +0300, Uwe Geuder wrote:
> Hi!
>
> The following patch looks suspicious to me:
>
> https://git.yoctoproject.org/meta-intel/commit/?h=dunfell&id=e64954db5944bd9397357f0b2ebd58412a576993
>
> Is it correct?
>
> It provides a file CVE-2022-37434.patch. A file with the same name but
> different content also exists in poky/meta/recipes-core/zlib/zlib/ (as
> of dunfell-23.0.24).
>
> Normally files with the same name in 2 different recipes would not
> cause any concern, but
> meta-intel/recipes-core/zlib/zlib-intel_1.2.11.1.jtkv6.3.bb does
> actually "require" poky/meta/recipes-core/zlib/zlib_1.2.11.bb
>
> Combined this looks like a possible "double mistake" to me. At
> the moment they seem to cancel each other, but that's not what
> robust code should do.
>
> 1. The file CVE-2022-37434.patch contained in meta-intel is not used
> at all. At least in my build's FILESPATH the poky patch is found
> first. If that were the intention the meta-intel patch should come
> without any file of that name, including dead code does not seem
> useful to me.
>
> 2. Looking at the contents of the patches I could speculate that the
> one in poky is actually better. It covers two upstream commits, not
> only one. (I have not studied whether the missing commit would make
> sense in the Intel fork.)

Thank you. I think you are right. I can test and fix this or if you can
send a patch, that would be nice.

Thanks,
Anuj
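
Added example, not part of the original thread and not code from poky or meta-intel: a check for the situation described above, where a same-named patch exists in more than one FILESPATH directory and only the first match is applied. It assumes the colon-separated FILESPATH value has been taken from `bitbake -e <recipe>` output; the function names, directory layout and patch bodies are constructed for illustration.

```python
import hashlib
import os
import tempfile


def resolve_in_filespath(filespath, filename):
    """Return [(path, sha256)] for every copy of filename, in search order."""
    hits = []
    for directory in filter(None, filespath.split(":")):
        candidate = os.path.join(directory, filename)
        if os.path.isfile(candidate):
            with open(candidate, "rb") as fh:
                hits.append((candidate, hashlib.sha256(fh.read()).hexdigest()))
    return hits


def shadow_report(filespath, filename):
    """Say which copy wins, which copies are never used, and if they differ."""
    hits = resolve_in_filespath(filespath, filename)
    if not hits:
        return {"used": None, "shadowed": [], "content_differs": False}
    used, used_hash = hits[0]  # first match in FILESPATH is the one fetched
    shadowed = [path for path, _ in hits[1:]]
    differs = any(digest != used_hash for _, digest in hits[1:])
    return {"used": used, "shadowed": shadowed, "content_differs": differs}


def build_sample_layers(root):
    """Constructed sample: two layer directories holding a same-named patch."""
    poky = os.path.join(root, "poky", "zlib")
    intel = os.path.join(root, "meta-intel", "zlib")
    samples = ((poky, b"two upstream commits\n"), (intel, b"one upstream commit\n"))
    for directory, body in samples:
        os.makedirs(directory)
        with open(os.path.join(directory, "CVE-2022-37434.patch"), "wb") as fh:
            fh.write(body)
    # Assumed order: poky directory first, as observed in the reporter's build.
    return poky + ":" + intel


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        print(shadow_report(build_sample_layers(root), "CVE-2022-37434.patch"))
```

A non-empty `shadowed` list with `content_differs` set means a CVE patch shipped in one layer is dead and differs from the copy actually applied, so the applied fix needs to be reviewed against the recipe's source.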
