On Tue, Apr 18, 2023 at 11:04 AM Mittal, Anuj <[email protected]> wrote:
>
> On Tue, 2023-04-18 at 08:46 +0300, Uwe Geuder wrote:
> > Hi!
> >
> > The following patch looks suspicious to me:
> >
> > https://git.yoctoproject.org/meta-intel/commit/?h=dunfell&id=e64954db5944bd9397357f0b2ebd58412a576993
> >
> > Is it correct?
> >
> > It provides a file CVE-2022-37434.patch. A file with the same name but
> > different content also exists in poky/meta/recipes-core/zlib/zlib/
> > (as of dunfell-23.0.24).
> >
> > Normally files with the same name in 2 different recipes would not
> > cause any concern, but
> > meta-intel/recipes-core/zlib/zlib-intel_1.2.11.1.jtkv6.3.bb does
> > actually "require" poky/meta/recipes-core/zlib/zlib_1.2.11.bb
> >
> > Combined this looks like a possible "double mistake" to me. At
> > the moment they seem to cancel each other, but that's not what
> > robust code should do.
> >
> > 1. The file CVE-2022-37434.patch contained in meta-intel is not used
> > at all. At least in my build's FILESPATH the poky patch is found
> > first. If that were the intention the meta-intel patch should come
> > without any file of that name, including dead code does not seem
> > useful to me.
> >
> > 2. Looking at the contents of the patches I could speculate that the
> > one in poky is actually better. It covers two upstream commits, not
> > only one. (I have not studied whether the missing commit would make
> > sense in the Intel fork.)
>
> Thank you. I think you are right.
>
> I can test and fix this or if you can send a patch, that would be nice.
>
> Thanks,
>
> Anuj

Thanks for your quick reply!

Assuming that the patch in poky is actually better (which I am lacking
insights to judge within reasonable time), how should the zlib-intel
recipe be fixed?

  1. DRY: Just delete its own patch and use what's in poky?

or

  2. Least surprise: Copy the patch over from poky under a unique name
    and update SRC_URI appropriately so we don't depend on FILESPATH
    order any longer?

Regards,

Uwe
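
The shadowing discussed in this thread can be checked mechanically. The following is an added example, not part of the original messages or of either layer: it walks a FILESPATH-style, colon-separated directory list in order, reports which copy of a patch name is found first, and flags later copies whose content differs. The directory names and file contents in the demo tree are constructed placeholders; a real FILESPATH value would have to come from the build itself.

```python
import hashlib
import os
import tempfile

PATCH = "CVE-2022-37434.patch"


def resolve_in_filespath(filespath, filename):
    """Search FILESPATH-style dirs in order; the first match is the file used.

    Returns (winner, shadowed): winner is the first existing path or None,
    shadowed is a list of (path, same_content_as_winner) for later matches.
    """
    hits, seen = [], set()
    for directory in filespath.split(":"):
        candidate = os.path.join(directory, filename)
        if not directory or candidate in seen or not os.path.isfile(candidate):
            continue
        seen.add(candidate)
        with open(candidate, "rb") as fh:
            hits.append((candidate, hashlib.sha256(fh.read()).hexdigest()))
    if not hits:
        return None, []
    winner, digest = hits[0]
    return winner, [(path, d == digest) for path, d in hits[1:]]


def build_demo_tree(root):
    """Create a constructed two-layer tree; return its FILESPATH string."""
    # Directory names are placeholders; contents are dummy text, not real patches.
    poky_dir = os.path.join(root, "poky", "meta", "recipes-core", "zlib", "zlib")
    intel_dir = os.path.join(root, "meta-intel", "recipes-core", "zlib", "files")
    for directory, body in ((poky_dir, b"two upstream commits\n"),
                            (intel_dir, b"one upstream commit\n")):
        os.makedirs(directory)
        with open(os.path.join(directory, PATCH), "wb") as fh:
            fh.write(body)
    # Poky directory first, matching the order reported in the thread.
    return ":".join([poky_dir, intel_dir])


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        winner, shadowed = resolve_in_filespath(build_demo_tree(root), PATCH)
        print("used:", os.path.relpath(winner, root))
        for path, same in shadowed:
            state = "identical" if same else "DIFFERENT content"
            print("shadowed:", os.path.relpath(path, root), "(" + state + ")")
```

A shadowed entry with different content is the case described above: a CVE patch that ships in the layer but is never applied, which option 2 (a unique file name referenced from SRC_URI) removes.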
