backport the security patch of CVE-2024-1638

[Crispy-fried-chicken]

Here is a vulnerability which is fixed in the https://github.com/zephyrproject-rtos/zephyr/tree/main and https://github.com/zephyrproject-rtos/zephyr/tree/v3.7-branch branch d9ff7eb, but is not fixed in the branch of v3.5-branch, maybe it should be backported?

[nordicjm]

3.5 was end of life'd on 31st July 2024, no further backports should be made, projects should be updated to 3.7

[jori-nordic]

🍿

I think this phrasing is subject to interpretation. I read it as "The Zephyr project doesn't backport fixes" not as "The Zephyr project will not accept fixes".
My opinion is that since this is a security issue, we can at least make the effort to accept it in the release branch, even if we don't make an official point release.

[jhedberg]

@Crispy-fried-chicken the first requirement would be to retain the original commit message. Also fix the formatting of the actual patch. The Compliance CI check is failing because of this.

[Crispy-fried-chicken]

@jhedberg Hi, I've already fixed commit format and code format, please continue to review it, thank you!

[jhedberg]

@Crispy-fried-chicken thanks. We just discussed cases like this in the Zephyr project's release engineering meeting, and the consensus was that we will not start making exceptions to the official supported release policy: https://docs.zephyrproject.org/latest/releases/index.html#supported-releases
https://github.com/zephyrproject-rtos/zephyr/wiki/Release-Management

So unfortunately it means that you'd need to either maintain this in your own downstream tree, or move to a supported Zephyr release version.