From: Ross Burton <[email protected]>

The perl module Compress-Raw-Zlib defaults to using a vendored copy of the zlib sources which has a number of CVEs. A newer version of perl updates this to zlib 1.3.2 to resolve them, but we should be linking to our zlib recipe instead of the vendored code.
This mitigates CVE-2026-4176 so mark it as not appropriate. Signed-off-by: Ross Burton <[email protected]> Signed-off-by: Richard Purdie <[email protected]> (cherry picked from commit bf515229043685d4f00c965eb3e0236c37b6b403) Signed-off-by: Sudhir Dumbhare <[email protected]> --- meta/recipes-devtools/perl/perl_5.38.4.bb | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/meta/recipes-devtools/perl/perl_5.38.4.bb b/meta/recipes-devtools/perl/perl_5.38.4.bb index e59022e2bd..5ab49ed3d7 100644 --- a/meta/recipes-devtools/perl/perl_5.38.4.bb +++ b/meta/recipes-devtools/perl/perl_5.38.4.bb @@ -49,6 +49,11 @@ export ENC2XS_NO_COMMENTS = "1" CFLAGS += "-D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64" +# Link Compress-Raw-Zlib to the system zlib instead of a vendored copy +EXTRA_OEMAKE += "BUILD_ZLIB=False ZLIB_INCLUDE=${STAGING_INCDIR} ZLIB_LIB=${STAGING_LIBDIR}" + +CVE_STATUS[CVE-2026-4176] = "not-applicable-config: we do not use the vendorered zlib" + do_configure:prepend() { rm -rf ${B} cp -rfp ${S} ${B} -- 2.35.6
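Review bot: the new CVE_STATUS line carries a typo in its justification string, "vendorered" should read "vendored", and the reason text is what ends up in the generated CVE report, so please fix it before merging. Two further points on the same hunk: linking Compress-Raw-Zlib against the sysroot zlib via ZLIB_INCLUDE=${STAGING_INCDIR} ZLIB_LIB=${STAGING_LIBDIR} only works if zlib is staged, so if the recipe does not already list zlib in DEPENDS that should be added in this change; and since the not-applicable-config status rests entirely on BUILD_ZLIB=False taking effect, it would be worth stating in the comment how these EXTRA_OEMAKE variables reach cpan/Compress-Raw-Zlib's Makefile.PL, and confirming on a built image that Compress/Raw/Zlib/Zlib.so has a NEEDED entry for libz rather than bundled zlib symbols, so the CVE status claim is backed by the actual link result.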
