Re: [PATCH][dunfell] zlib: backport the fix for CVE-2018-25032

Jeroen Hofstee

Hello Steve,

On 4/9/22 20:14, Steve Sakoman wrote:
On Tue, Apr 5, 2022 at 9:05 AM Jeroen Hofstee via
<> wrote:
Hello Ross,

On 3/29/22 15:07, Ross Burton via wrote:
Signed-off-by: Ross Burton <ross.burton@...>
.../zlib/zlib/CVE-2018-25032.patch | 347 ++++++++++++++++++
meta/recipes-core/zlib/ | 1 +
2 files changed, 348 insertions(+)
create mode 100644 meta/recipes-core/zlib/zlib/CVE-2018-25032.patch

diff --git a/meta/recipes-core/zlib/zlib/CVE-2018-25032.patch b/meta/recipes-core/zlib/zlib/CVE-2018-25032.patch
new file mode 100644
index 00000000000..5cb61836419
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib/CVE-2018-25032.patch
@@ -0,0 +1,347 @@
+CVE: CVE-2018-25032
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@...>
It seems there _might_ be another patch needed.
I did a dunfell autobuilder run with the second patch added, but
unfortunately still get the same failures.

So until we fix those I can't take this CVE patch :-(

Sorry if it wasn't clear, I mentioned it because another patch might be needed to
properly fix the CVE. I can't jugde that, simply because I am not familiar with the
code in question. It won't magically solve the builder failure...

I tried to reproduce that failure, but I get:

Task do_testimage does not exist for target core-image-sato-sdk (/home/jeroen/software/venus/sources/openembedded-core/meta/recipes-sato/images/ Close matches: 0:00:01

With kind regards,


Join { to automatically receive all group messages.