Re: [OE-core] [PATCH][dunfell] zlib: backport the fix for CVE-2018-25032

[Steve Sakoman <steve@sakoman.com>]

On Wed, Apr 13, 2022 at 7:37 AM Steve Sakoman <steve@sakoman.com> wrote:
>
> On Wed, Apr 13, 2022 at 6:41 AM Mike Crowe <mac@mcrowe.com> wrote:
> >
> > On Wednesday 13 April 2022 at 06:02:22 -1000, Steve Sakoman wrote:
> > > Both runs completed and I'm still seeing success without the zlib patch:
> > >
> > > https://autobuilder.yoctoproject.org/typhoon/#/builders/50/builds/5069
> > >
> > > and failure with the patch:
> > >
> > > https://autobuilder.yoctoproject.org/typhoon/#/builders/50/builds/5070
> >
> > I'm certainly no expert with the autobuilder, but it looks like nothing was
> > actually compiled for both of those builds - everything came from the
> > sstate cache.
> >
> > I believe that Ralph's reproduction of the test failure without the zlib
> > patch was from a complete rebuild without anything coming from the sstate
> > cache.
> >
> > I suspect that if a PR bump or something similar that causes zlib and all
> > its reverse dependencies to be built were tested on top of the commit used
> > for build 5069 then the test failure would occur then as well and
> > exonerate the zlib patch.
>
> A valid point, let's see what happens with a PR bump:
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/50/builds/5072
>
> I see plenty of rebuilds in process . . .

As you predicted, rebuilding zlib (and all dependencies) with a PR
bump did indeed result in the same failure, exonerating the zlib CVE
patch.

So it really does appear that we are chasing a bug in the native
apt-ftparchive command on fedora-35 (and likely alma-8 since I've seen
the error there too)

Steve