
[03/10] zlib: Resolve CVE-2022-37434

Message ID 20220814222037.283943-3-raj.khem@gmail.com
State Accepted, archived
Commit f7f089a89a9ba83aa62e4ca1fe9a6b8649b29259
Series [01/10] json-c: Fix function prototypes

Commit Message

Khem Raj Aug. 14, 2022, 10:20 p.m. UTC
This is only seen in the development branch, as per [1].

[1] https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1#commitcomment-80753451
CVE: CVE-2022-37434

Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
 meta/recipes-core/zlib/zlib_1.2.12.bb | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Paul Eggleton Aug. 15, 2022, 2:32 a.m. UTC | #1
On Monday, 15 August 2022 10:20:30 NZST Khem Raj wrote:
> This is only seen in development branch as per [1]
> 
> [1] https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1#commitcomment-80753451
> CVE: CVE-2022-37434

It's a little confusing, but I think that CVE-2022-37434 does affect existing 
zlib releases - at least the patch does apply. My reading was that the 
upstream comment was referring to the *fix* (and thus the additional segfault 
issue that it introduced) was not yet in any zlib release. A look around 
suggests Ubuntu is treating CVE-2022-37434 as needing to be fixed at least.

Cheers
Paul
Khem Raj Aug. 15, 2022, 2:40 a.m. UTC | #2
On Sun, Aug 14, 2022 at 7:32 PM Paul Eggleton <bluelightning@bluelightning.org> wrote:

> On Monday, 15 August 2022 10:20:30 NZST Khem Raj wrote:
> > This is only seen in development branch as per [1]
> >
> > [1] https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1#commitcomment-80753451
> > CVE: CVE-2022-37434
>
> It's a little confusing, but I think that CVE-2022-37434 does affect
> existing
> zlib releases - at least the patch does apply. My reading was that the
> upstream comment was referring to the *fix* (and thus the additional
> segfault
> issue that it introduced) was not yet in any zlib release. A look around
> suggests Ubuntu is treating CVE-2022-37434 as needing to be fixed at least.


Yeah, I think I missed the second-to-last and last comments, which clear it up.

So we still need those two fixes to address the CVE.


>
> Cheers
> Paul

Patch

diff --git a/meta/recipes-core/zlib/zlib_1.2.12.bb b/meta/recipes-core/zlib/zlib_1.2.12.bb
index 77e7a4937fa..d3e0f25295d 100644
--- a/meta/recipes-core/zlib/zlib_1.2.12.bb
+++ b/meta/recipes-core/zlib/zlib_1.2.12.bb
@@ -17,6 +17,10 @@  UPSTREAM_CHECK_URI = "http://zlib.net/"
 
 SRC_URI[sha256sum] = "7db46b8d7726232a621befaab4a1c870f00a90805511c0e0090441dac57def18"
 
+# 1.2.12 or any other released zlib version does not have this issue see
+# https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1#commitcomment-80801182
+CVE_CHECK_IGNORE += "CVE-2022-37434"
+
 CFLAGS += "-D_REENTRANT"
 
 RDEPENDS:${PN}-ptest += "make"
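Review bot: The added CVE_CHECK_IGNORE line rests entirely on the comment above it ("1.2.12 or any other released zlib version does not have this issue"), and the thread on this page disputes that: Paul points out that the fix applies to existing zlib releases, and the author's own follow-up agrees that "we still need those two fixes to address the CVE". Ignoring the CVE in the recipe would silence cve-check for a defect the recipe does not actually fix, so suggest dropping the `CVE_CHECK_IGNORE += "CVE-2022-37434"` addition and instead carrying the upstream fix (and the follow-up for the segfault it introduced) as patches tagged `CVE: CVE-2022-37434`, the same tag format the commit message already uses, so cve-check records the CVE as patched. Separately, the comment's URL anchor (`#commitcomment-80801182`) differs from the one cited in the commit message (`#commitcomment-80753451`); the two should agree, or the comment should say which upstream remark it is relying on.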