Re: [PATCH][dunfell] zlib: backport the fix for CVE-2018-25032


Jeroen Hofstee
 

Hello Steve,

On 4/9/22 20:14, Steve Sakoman wrote:
On Tue, Apr 5, 2022 at 9:05 AM Jeroen Hofstee via
lists.openembedded.org
<jhofstee=victronenergy.com@...> wrote:
Hello Ross,

On 3/29/22 15:07, Ross Burton via lists.openembedded.org wrote:
Signed-off-by: Ross Burton <ross.burton@...>
---
.../zlib/zlib/CVE-2018-25032.patch | 347 ++++++++++++++++++
meta/recipes-core/zlib/zlib_1.2.11.bb | 1 +
2 files changed, 348 insertions(+)
create mode 100644 meta/recipes-core/zlib/zlib/CVE-2018-25032.patch

diff --git a/meta/recipes-core/zlib/zlib/CVE-2018-25032.patch b/meta/recipes-core/zlib/zlib/CVE-2018-25032.patch
new file mode 100644
index 00000000000..5cb61836419
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib/CVE-2018-25032.patch
@@ -0,0 +1,347 @@
+CVE: CVE-2018-25032
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@...>
+
It seems there _might_ be another patch needed.

https://github.com/madler/zlib/issues/605
https://github.com/madler/zlib/commit/4346a16853e19b45787ce933666026903fb8f3f8.patch
I did a dunfell autobuilder run with the second patch added, but
unfortunately still get the same failures.

So until we fix those I can't take this CVE patch :-(

Sorry if it wasn't clear, I mentioned it because another patch might be needed to
properly fix the CVE. I can't jugde that, simply because I am not familiar with the
code in question. It won't magically solve the builder failure...

I tried to reproduce that failure, but I get:

Task do_testimage does not exist for target core-image-sato-sdk (/home/jeroen/software/venus/sources/openembedded-core/meta/recipes-sato/images/core-image-sato-sdk.bb:do_testimage). Close matches: 0:00:01
  do_image

With kind regards,

Jeroen

Join {openembedded-core@lists.openembedded.org to automatically receive all group messages.