-rw-r--r--meta/classes/buildhistory.bbclass5
-rw-r--r--meta/classes/cve-check.bbclass35
-rw-r--r--meta/classes/devshell.bbclass1
-rw-r--r--meta/classes/distutils3-base.bbclass2
-rw-r--r--meta/classes/externalsrc.bbclass18
-rw-r--r--meta/classes/image-live.bbclass2
-rw-r--r--meta/classes/image.bbclass4
-rw-r--r--meta/classes/image_types.bbclass2
-rw-r--r--meta/classes/insane.bbclass12
-rw-r--r--meta/classes/kernel-devicetree.bbclass11
-rw-r--r--meta/classes/kernel.bbclass4
-rw-r--r--meta/classes/license_image.bbclass3
-rw-r--r--meta/classes/linuxloader.bbclass6
-rw-r--r--meta/classes/npm.bbclass39
-rw-r--r--meta/classes/package.bbclass1
-rw-r--r--meta/classes/package_rpm.bbclass1
-rw-r--r--meta/classes/populate_sdk_base.bbclass9
-rw-r--r--meta/classes/populate_sdk_ext.bbclass7
-rw-r--r--meta/classes/python3native.bbclass2
-rw-r--r--meta/classes/python3targetconfig.bbclass17
-rw-r--r--meta/classes/report-error.bbclass4
-rw-r--r--meta/classes/rootfs_deb.bbclass4
-rw-r--r--meta/classes/sanity.bbclass41
-rw-r--r--meta/classes/scons.bbclass3
-rw-r--r--meta/classes/staging.bbclass4
-rw-r--r--meta/conf/bitbake.conf6
-rw-r--r--meta/conf/distro/include/ptest-packagelists.inc2
-rw-r--r--meta/conf/distro/include/yocto-uninative.inc10
-rw-r--r--meta/conf/local.conf.sample2
-rw-r--r--meta/conf/local.conf.sample.extended23
-rw-r--r--meta/conf/machine/include/qemu.inc2
-rw-r--r--meta/lib/oe/copy_buildsystem.py6
-rw-r--r--meta/lib/oe/cve_check.py65
-rw-r--r--meta/lib/oe/package_manager/__init__.py2
-rw-r--r--meta/lib/oe/package_manager/deb/__init__.py6
-rw-r--r--meta/lib/oe/package_manager/deb/sdk.py4
-rw-r--r--meta/lib/oe/patch.py14
-rw-r--r--meta/lib/oe/prservice.py4
-rw-r--r--meta/lib/oe/recipeutils.py2
-rw-r--r--meta/lib/oe/sstatesig.py6
-rw-r--r--meta/lib/oe/terminal.py16
-rw-r--r--meta/lib/oeqa/runtime/cases/df.py2
-rw-r--r--meta/lib/oeqa/runtime/cases/pam.py3
-rw-r--r--meta/lib/oeqa/selftest/cases/buildoptions.py6
-rw-r--r--meta/lib/oeqa/selftest/cases/cve_check.py44
-rw-r--r--meta/lib/oeqa/selftest/cases/reproducible.py7
-rw-r--r--meta/lib/oeqa/selftest/cases/tinfoil.py6
-rw-r--r--meta/lib/oeqa/selftest/cases/wic.py36
-rw-r--r--meta/lib/oeqa/utils/commands.py4
-rw-r--r--meta/recipes-connectivity/bind/bind-9.16.7/CVE-2020-8625.patch29
-rw-r--r--meta/recipes-connectivity/bind/bind_9.16.7.bb1
-rw-r--r--meta/recipes-connectivity/connman/connman_1.39.bb (renamed from meta/recipes-connectivity/connman/connman_1.38.bb)3
-rw-r--r--meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch28
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch90
-rw-r--r--meta/recipes-connectivity/openssh/openssh_8.3p1.bb2
-rw-r--r--meta/recipes-connectivity/openssl/openssl_1.1.1k.bb (renamed from meta/recipes-connectivity/openssl/openssl_1.1.1i.bb)4
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch45
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch58
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch123
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb3
-rw-r--r--meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch58
-rw-r--r--meta/recipes-core/busybox/busybox_1.32.0.bb3
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219.patch1444
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0_2.64.5.bb1
-rw-r--r--meta/recipes-core/glib-2.0/glib.inc4
-rw-r--r--meta/recipes-core/glibc/glibc-version.inc2
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2019-25013.patch137
-rw-r--r--meta/recipes-core/glibc/glibc_2.32.bb4
-rw-r--r--meta/recipes-core/images/build-appliance-image_15.0.0.bb10
-rw-r--r--meta/recipes-core/initrdscripts/files/init-install-efi.sh5
-rw-r--r--meta/recipes-core/meta/buildtools-extended-tarball.bb10
-rw-r--r--meta/recipes-core/meta/cve-update-db-native.bb14
-rw-r--r--meta/recipes-core/ncurses/ncurses.inc5
-rw-r--r--meta/recipes-core/ovmf/ovmf-shell-image.bb1
-rw-r--r--meta/recipes-core/systemd/systemd-conf/wired.network1
-rw-r--r--meta/recipes-core/systemd/systemd-conf_246.9.bb3
-rw-r--r--meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch227
-rw-r--r--meta/recipes-core/systemd/systemd_246.9.bb19
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.35.1.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/0001-gold-ensure-file_counts_lock-is-initialized-before-u.patch41
-rw-r--r--meta/recipes-devtools/bison/bison/0001-Use-mapped-file-name-for-symbols.patch62
-rw-r--r--meta/recipes-devtools/bison/bison_3.7.2.bb1
-rw-r--r--meta/recipes-devtools/flex/flex/0001-Emit-no-line-directives-if-gen_line_dirs-is-false.patch32
-rw-r--r--meta/recipes-devtools/flex/flex_2.6.4.bb1
-rw-r--r--meta/recipes-devtools/gcc/gcc-sanitizers.inc7
-rw-r--r--meta/recipes-devtools/git/git.inc5
-rw-r--r--meta/recipes-devtools/git/git/CVE-2021-21300.patch304
-rw-r--r--meta/recipes-devtools/git/git/fixsort.patch31
-rw-r--r--meta/recipes-devtools/go/go-1.15.inc4
-rw-r--r--meta/recipes-devtools/go/go-binary-native_1.15.8.bb (renamed from meta/recipes-devtools/go/go-binary-native_1.15.6.bb)4
-rw-r--r--meta/recipes-devtools/libtool/libtool-2.4.6.inc1
-rw-r--r--meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch35
-rw-r--r--meta/recipes-devtools/mtd/mtd-utils_git.bb2
-rw-r--r--meta/recipes-devtools/opkg/opkg/sourcedateepoch.patch24
-rw-r--r--meta/recipes-devtools/opkg/opkg_0.4.3.bb1
-rw-r--r--meta/recipes-devtools/pseudo/pseudo_git.bb2
-rw-r--r--meta/recipes-devtools/python/python3-jinja2_2.11.2.bb2
-rw-r--r--meta/recipes-devtools/python/python3-pycairo_1.19.1.bb2
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2021-23336.patch548
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2021-3177.patch191
-rw-r--r--meta/recipes-devtools/python/python3_3.8.5.bb17
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc3
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch46
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch126
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch74
-rw-r--r--meta/recipes-devtools/quilt/quilt.inc2
-rw-r--r--meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch31
-rw-r--r--meta/recipes-devtools/rsync/files/determism.patch28
-rw-r--r--meta/recipes-devtools/rsync/rsync_3.2.3.bb4
-rwxr-xr-xmeta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts10
-rwxr-xr-xmeta/recipes-devtools/strace/strace/run-ptest2
-rw-r--r--meta/recipes-devtools/tcf-agent/tcf-agent_git.bb1
-rw-r--r--meta/recipes-devtools/valgrind/valgrind/0001-gdbserver_tests-Disable-nlcontrolc.vgtest-for-x86-64.patch36
-rw-r--r--meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch9
-rw-r--r--meta/recipes-devtools/valgrind/valgrind_3.16.1.bb1
-rw-r--r--meta/recipes-devtools/xmlto/xmlto_0.0.28.bb2
-rw-r--r--meta/recipes-extended/acpica/acpica_20200717.bb2
-rw-r--r--meta/recipes-extended/asciidoc/asciidoc_9.0.2.bb2
-rw-r--r--meta/recipes-extended/cups/cups.inc3
-rw-r--r--meta/recipes-extended/cups/cups/CVE-2020-10001.patch74
-rw-r--r--meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb2
-rw-r--r--meta/recipes-extended/groff/files/0001-Include-config.h.patch1026
-rw-r--r--meta/recipes-extended/groff/groff_1.22.4.bb11
-rw-r--r--meta/recipes-extended/parted/parted_3.3.bb1
-rw-r--r--meta/recipes-extended/screen/screen/CVE-2021-26937.patch68
-rw-r--r--meta/recipes-extended/screen/screen_4.8.0.bb1
-rw-r--r--meta/recipes-extended/shadow/shadow_4.8.1.bb5
-rw-r--r--meta/recipes-extended/sudo/files/CVE-2021-23239.patch62
-rw-r--r--meta/recipes-extended/sudo/files/CVE-2021-23240.patch419
-rw-r--r--meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch100
-rw-r--r--meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch53
-rw-r--r--meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch73
-rw-r--r--meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch29
-rw-r--r--meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch41
-rw-r--r--meta/recipes-extended/sudo/sudo.inc2
-rw-r--r--meta/recipes-extended/sudo/sudo_1.9.3.bb7
-rw-r--r--meta/recipes-extended/tar/tar/CVE-2021-20193.patch133
-rw-r--r--meta/recipes-extended/tar/tar_1.32.bb1
-rw-r--r--meta/recipes-extended/timezone/timezone.inc6
-rw-r--r--meta/recipes-extended/watchdog/watchdog_5.16.bb6
-rw-r--r--meta/recipes-gnome/epiphany/epiphany_3.36.4.bb2
-rw-r--r--meta/recipes-gnome/epiphany/files/distributor.patch17
-rw-r--r--meta/recipes-gnome/epiphany/files/migrator.patch24
-rw-r--r--meta/recipes-gnome/gcr/gcr_3.36.0.bb10
-rw-r--r--meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2020-29385.patch55
-rw-r--r--meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch40
-rw-r--r--meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb2
-rw-r--r--meta/recipes-gnome/gobject-introspection/gobject-introspection_1.64.1.bb4
-rw-r--r--meta/recipes-gnome/libsecret/libsecret/determinism.patch37
-rw-r--r--meta/recipes-gnome/libsecret/libsecret_0.20.3.bb3
-rw-r--r--meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch121
-rw-r--r--meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.pngbin0 -> 185 bytes
-rw-r--r--meta/recipes-graphics/cairo/cairo_1.16.0.bb11
-rw-r--r--meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools/reproducibility.patch38
-rw-r--r--meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools_git.bb5
-rw-r--r--meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch79
-rw-r--r--meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb1
-rw-r--r--meta/recipes-graphics/mesa/mesa.inc5
-rw-r--r--meta/recipes-graphics/wayland/libinput/run-ptest2
-rw-r--r--meta/recipes-graphics/wayland/weston-init/weston.ini2
-rw-r--r--meta/recipes-graphics/wayland/weston_9.0.0.bb2
-rw-r--r--meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb8
-rw-r--r--meta/recipes-graphics/xorg-proto/xcb-proto_1.14.1.bb (renamed from meta/recipes-graphics/xorg-proto/xcb-proto_1.14.bb)4
-rw-r--r--meta/recipes-kernel/dtc/dtc.inc2
-rw-r--r--meta/recipes-kernel/dtc/dtc/0001-dtc-Fix-Makefile-to-add-CFLAGS-not-override.patch36
-rw-r--r--meta/recipes-kernel/kmod/kmod.inc1
-rw-r--r--meta/recipes-kernel/linux-firmware/linux-firmware_20210208.bb (renamed from meta/recipes-kernel/linux-firmware/linux-firmware_20201218.bb)56
-rw-r--r--meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb6
-rw-r--r--meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb8
-rw-r--r--meta/recipes-kernel/linux/linux-yocto_5.4.bb22
-rw-r--r--meta/recipes-kernel/lttng/babeltrace2_2.0.3.bb2
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb2
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0/0001-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch32
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb1
-rw-r--r--meta/recipes-multimedia/libomxil/libomxil_0.9.3.bb6
-rw-r--r--meta/recipes-sato/images/core-image-sato-ptest-fast.bb3
-rw-r--r--meta/recipes-sato/images/core-image-sato-sdk-ptest.bb3
-rw-r--r--meta/recipes-sato/webkit/wpebackend-fdo_1.7.1.bb3
-rw-r--r--meta/recipes-support/apr/apr-util_1.6.1.bb2
-rw-r--r--meta/recipes-support/ca-certificates/ca-certificates/0001-certdata2pem.py-use-python3.patch37
-rw-r--r--meta/recipes-support/ca-certificates/ca-certificates_20210119.bb (renamed from meta/recipes-support/ca-certificates/ca-certificates_20200601.bb)9
-rw-r--r--meta/recipes-support/gpgme/gpgme_1.14.0.bb2
-rw-r--r--meta/recipes-support/iso-codes/iso-codes_4.5.0.bb2
-rw-r--r--meta/recipes-support/libcroco/files/CVE-2020-12825.patch192
-rw-r--r--meta/recipes-support/libcroco/libcroco_0.6.13.bb3
-rw-r--r--meta/recipes-support/libevdev/libevdev/determinism.patch3
-rw-r--r--meta/recipes-support/libgcrypt/libgcrypt_1.8.6.bb3
-rw-r--r--meta/recipes-support/p11-kit/p11-kit_0.23.22.bb (renamed from meta/recipes-support/p11-kit/p11-kit_0.23.21.bb)7
-rw-r--r--meta/recipes-support/vim/files/racefix.patch33
-rw-r--r--meta/recipes-support/vim/vim.inc3
-rwxr-xr-xscripts/contrib/documentation-audit.sh2
-rw-r--r--scripts/lib/devtool/standard.py13
-rw-r--r--scripts/lib/recipetool/create_npm.py6
-rw-r--r--scripts/lib/wic/canned-wks/common.wks.inc2
-rw-r--r--scripts/lib/wic/canned-wks/directdisk-gpt.wks2
-rw-r--r--scripts/lib/wic/canned-wks/mkefidisk.wks2
-rw-r--r--scripts/lib/wic/misc.py1
-rw-r--r--scripts/lib/wic/partition.py38
-rw-r--r--scripts/lib/wic/plugins/imager/direct.py6
-rwxr-xr-xscripts/oe-pkgdata-util3
-rwxr-xr-xscripts/runqemu2
-rwxr-xr-xscripts/verify-bashisms2
-rwxr-xr-xscripts/yocto-check-layer3
203 files changed, 6255 insertions, 1447 deletions
diff --git a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass
index 7d5e3eb8fd..726f17a946 100644
--- a/meta/classes/buildhistory.bbclass
+++ b/meta/classes/buildhistory.bbclass
@@ -674,13 +674,16 @@ IMAGE_POSTPROCESS_COMMAND[vardepsexclude] += "buildhistory_get_imageinfo"
POPULATE_SDK_POST_TARGET_COMMAND_append = " buildhistory_list_installed_sdk_target;"
POPULATE_SDK_POST_TARGET_COMMAND_append = " buildhistory_get_sdk_installed_target;"
POPULATE_SDK_POST_TARGET_COMMAND[vardepvalueexclude] .= "| buildhistory_list_installed_sdk_target;| buildhistory_get_sdk_installed_target;"
+POPULATE_SDK_POST_TARGET_COMMAND[vardepsexclude] += "buildhistory_list_installed_sdk_target buildhistory_get_sdk_installed_target"
POPULATE_SDK_POST_HOST_COMMAND_append = " buildhistory_list_installed_sdk_host;"
POPULATE_SDK_POST_HOST_COMMAND_append = " buildhistory_get_sdk_installed_host;"
POPULATE_SDK_POST_HOST_COMMAND[vardepvalueexclude] .= "| buildhistory_list_installed_sdk_host;| buildhistory_get_sdk_installed_host;"
+POPULATE_SDK_POST_HOST_COMMAND[vardepsexclude] += "buildhistory_list_installed_sdk_host buildhistory_get_sdk_installed_host"
SDK_POSTPROCESS_COMMAND_append = " buildhistory_get_sdkinfo ; buildhistory_get_extra_sdkinfo; "
SDK_POSTPROCESS_COMMAND[vardepvalueexclude] .= "| buildhistory_get_sdkinfo ; buildhistory_get_extra_sdkinfo; "
+SDK_POSTPROCESS_COMMAND[vardepsexclude] += "buildhistory_get_sdkinfo buildhistory_get_extra_sdkinfo"
python buildhistory_write_sigs() {
if not "task" in (d.getVar('BUILDHISTORY_FEATURES') or "").split():
@@ -855,7 +858,7 @@ END
}
python buildhistory_eventhandler() {
- if e.data.getVar('BUILDHISTORY_FEATURES').strip():
+ if (e.data.getVar('BUILDHISTORY_FEATURES') or "").strip():
reset = e.data.getVar("BUILDHISTORY_RESET")
olddir = e.data.getVar("BUILDHISTORY_OLD_DIR")
if isinstance(e, bb.event.BuildStarted):
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index d843e7c4ac..112ee3379d 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -53,6 +53,16 @@ CVE_CHECK_PN_WHITELIST ?= ""
#
CVE_CHECK_WHITELIST ?= ""
+# Layers to be excluded
+CVE_CHECK_LAYER_EXCLUDELIST ??= ""
+
+# Layers to be included
+CVE_CHECK_LAYER_INCLUDELIST ??= ""
+
+
+# set to "alphabetical" for version using single alphabetical character as increament release
+CVE_VERSION_SUFFIX ??= ""
+
python cve_save_summary_handler () {
import shutil
import datetime
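Review bot: The comments on the three new variables do not say what values are accepted or what a layer name is compared with, and the last one has a typo ("increament"). Later in this file the layer is taken from a path component of `FILE_DIRNAME`, so the list comments should say they hold layer directory names, e.g. `# Space-separated layer directory names to leave out of the CVE report`. For the suffix I would write `# Set to "alphabetical" for versions that use a single letter as the incremental release`. Because the exclude list removes recipes from the CVE report, the comment should also state that excluded layers produce no entries in the CVE log.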
@@ -206,10 +216,11 @@ def check_cves(d, patched_cves):
"""
Connect to the NVD database and find unpatched cves.
"""
- from distutils.version import LooseVersion
+ from oe.cve_check import Version
pn = d.getVar("PN")
real_pv = d.getVar("PV")
+ suffix = d.getVar("CVE_VERSION_SUFFIX")
cves_unpatched = []
# CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
@@ -263,8 +274,8 @@ def check_cves(d, patched_cves):
else:
if operator_start:
try:
- vulnerable_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start))
- vulnerable_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start))
+ vulnerable_start = (operator_start == '>=' and Version(pv,suffix) >= Version(version_start,suffix))
+ vulnerable_start |= (operator_start == '>' and Version(pv,suffix) > Version(version_start,suffix))
except:
bb.warn("%s: Failed to compare %s %s %s for %s" %
(product, pv, operator_start, version_start, cve))
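Review bot: The new `Version(pv,suffix)` comparisons run under a bare `except:` whose only visible action is `bb.warn`, so a wrong `CVE_VERSION_SUFFIX` value or any other error raised by the new class is reported the same way as an unparsable version; the `operator_end` hunk below has the same shape. What `vulnerable_start` is set to after the warning is outside this hunk, but if it falls back to false, a comparison failure would quietly keep the CVE out of the unpatched list. I would narrow the handler to `except Exception as exc:` and include `exc` in the warning text. On style, use `Version(pv, suffix)` with a space after the comma, drop the stray space before `)` in the `<=`/`<` lines, and build `Version(pv, suffix)` once before the two branches instead of four times per CVE.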
@@ -274,8 +285,8 @@ def check_cves(d, patched_cves):
if operator_end:
try:
- vulnerable_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end))
- vulnerable_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end))
+ vulnerable_end = (operator_end == '<=' and Version(pv,suffix) <= Version(version_end,suffix) )
+ vulnerable_end |= (operator_end == '<' and Version(pv,suffix) < Version(version_end,suffix) )
except:
bb.warn("%s: Failed to compare %s %s %s for %s" %
(product, pv, operator_end, version_end, cve))
@@ -330,7 +341,20 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
CVE manifest if enabled.
"""
+
cve_file = d.getVar("CVE_CHECK_LOG")
+ fdir_name = d.getVar("FILE_DIRNAME")
+ layer = fdir_name.split("/")[-3]
+
+ include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
+ exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
+
+ if exclude_layers and layer in exclude_layers:
+ return
+
+ if include_layers and layer not in include_layers:
+ return
+
nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
write_string = ""
unpatched_cves = []
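Review bot: `layer = fdir_name.split("/")[-3]` assumes every recipe sits exactly two directories below its layer root. A recipe at another depth gets the wrong name (or an IndexError on a short path) and can then be matched by `CVE_CHECK_LAYER_EXCLUDELIST`, or missed by `CVE_CHECK_LAYER_INCLUDELIST`, by accident. Both early `return`s drop the recipe's CVE entries from the log without any trace, so I would derive the layer from the layer configuration rather than from path position. At minimum, log the skip, e.g. `bb.note("cve-check: skipping %s, layer %s is filtered" % (d.getVar("PN"), layer))`. The body of cve_write_data starts before and continues after this hunk.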
@@ -340,6 +364,7 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
is_patched = cve in patched
if is_patched and (d.getVar("CVE_CHECK_REPORT_PATCHED") != "1"):
continue
+ write_string += "LAYER: %s\n" % layer
write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
write_string += "CVE: %s\n" % cve
diff --git a/meta/classes/devshell.bbclass b/meta/classes/devshell.bbclass
index fdf7dc100f..76dd0b42ee 100644
--- a/meta/classes/devshell.bbclass
+++ b/meta/classes/devshell.bbclass
@@ -128,6 +128,7 @@ def devpyshell(d):
more = i.runsource(source, "<pyshell>")
if not more:
buf = []
+ sys.stderr.flush()
prompt(more)
except KeyboardInterrupt:
i.write("\nKeyboardInterrupt\n")
diff --git a/meta/classes/distutils3-base.bbclass b/meta/classes/distutils3-base.bbclass
index 7dbf07ac4b..a277d1c7bc 100644
--- a/meta/classes/distutils3-base.bbclass
+++ b/meta/classes/distutils3-base.bbclass
@@ -1,5 +1,5 @@
DEPENDS += "${@["${PYTHON_PN}-native ${PYTHON_PN}", ""][(d.getVar('PACKAGES') == '')]}"
RDEPENDS_${PN} += "${@['', '${PYTHON_PN}-core']['${CLASSOVERRIDE}' == 'class-target']}"
-inherit distutils-common-base python3native
+inherit distutils-common-base python3native python3targetconfig
diff --git a/meta/classes/externalsrc.bbclass b/meta/classes/externalsrc.bbclass
index dd09395788..3d6b80bee2 100644
--- a/meta/classes/externalsrc.bbclass
+++ b/meta/classes/externalsrc.bbclass
@@ -68,6 +68,7 @@ python () {
url_data = fetch.ud[url]
parm = url_data.parm
if (url_data.type == 'file' or
+ url_data.type == 'npmsw' or
'type' in parm and parm['type'] == 'kmeta'):
local_srcuri.append(url)
@@ -190,6 +191,7 @@ def srctree_hash_files(d, srcdir=None):
import shutil
import subprocess
import tempfile
+ import hashlib
s_dir = srcdir or d.getVar('EXTERNALSRC')
git_dir = None
@@ -197,6 +199,10 @@ def srctree_hash_files(d, srcdir=None):
try:
git_dir = os.path.join(s_dir,
subprocess.check_output(['git', '-C', s_dir, 'rev-parse', '--git-dir'], stderr=subprocess.DEVNULL).decode("utf-8").rstrip())
+ top_git_dir = os.path.join(s_dir, subprocess.check_output(['git', '-C', d.getVar("TOPDIR"), 'rev-parse', '--git-dir'],
+ stderr=subprocess.DEVNULL).decode("utf-8").rstrip())
+ if git_dir == top_git_dir:
+ git_dir = None
except subprocess.CalledProcessError:
pass
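Review bot: `top_git_dir` is built by joining `s_dir` with the git dir reported for `TOPDIR`. When git prints a relative path such as `.git`, that path is relative to `TOPDIR`, so the joined result points into the external source tree and the `git_dir == top_git_dir` test does not match when `TOPDIR` is the repository root. The join base should be `TOPDIR`, i.e. `top_git_dir = os.path.join(d.getVar("TOPDIR"), subprocess.check_output([...]).decode("utf-8").rstrip())`. If `TOPDIR` is not inside any git repository, the second `rev-parse` raises `CalledProcessError`, which the existing handler swallows with `git_dir` already set; that looks intended but deserves a one-line comment. The enclosing `try` begins outside the hunk.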
@@ -210,7 +216,17 @@ def srctree_hash_files(d, srcdir=None):
env = os.environ.copy()
env['GIT_INDEX_FILE'] = tmp_index.name
subprocess.check_output(['git', 'add', '-A', '.'], cwd=s_dir, env=env)
- sha1 = subprocess.check_output(['git', 'write-tree'], cwd=s_dir, env=env).decode("utf-8")
+ git_sha1 = subprocess.check_output(['git', 'write-tree'], cwd=s_dir, env=env).decode("utf-8")
+ submodule_helper = subprocess.check_output(['git', 'submodule--helper', 'list'], cwd=s_dir, env=env).decode("utf-8")
+ for line in submodule_helper.splitlines():
+ module_dir = os.path.join(s_dir, line.rsplit(maxsplit=1)[1])
+ if os.path.isdir(module_dir):
+ proc = subprocess.Popen(['git', 'add', '-A', '.'], cwd=module_dir, env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
+ proc.communicate()
+ proc = subprocess.Popen(['git', 'write-tree'], cwd=module_dir, env=env, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
+ stdout, _ = proc.communicate()
+ git_sha1 += stdout.decode("utf-8")
+ sha1 = hashlib.sha1(git_sha1.encode("utf-8")).hexdigest()
with open(oe_hash_file, 'w') as fobj:
fobj.write(sha1)
ret = oe_hash_file + ':True'
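Review bot: The two `subprocess.Popen` calls in the submodule loop never check the return code and send stderr to DEVNULL, so a failing `git add` or `git write-tree` contributes an empty string to `git_sha1` and the resulting hash silently ignores that submodule's content. The line above uses `subprocess.check_output`; doing the same here keeps failures visible: `git_sha1 += subprocess.check_output(['git', 'write-tree'], cwd=module_dir, env=env).decode("utf-8")`. `git submodule--helper` is an internal git command rather than a documented interface, and `line.rsplit(maxsplit=1)[1]` mis-splits a submodule path that contains whitespace. Both deserve at least a comment. The enclosing function starts and ends outside the hunk.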
diff --git a/meta/classes/image-live.bbclass b/meta/classes/image-live.bbclass
index 9ea5ddc312..47c44b4aad 100644
--- a/meta/classes/image-live.bbclass
+++ b/meta/classes/image-live.bbclass
@@ -30,7 +30,7 @@ do_bootimg[depends] += "dosfstools-native:do_populate_sysroot \
virtual/kernel:do_deploy \
${MLPREFIX}syslinux:do_populate_sysroot \
syslinux-native:do_populate_sysroot \
- ${PN}:do_image_${@d.getVar('LIVE_ROOTFS_TYPE').replace('-', '_')} \
+ ${@'%s:do_image_%s' % (d.getVar('PN'), d.getVar('LIVE_ROOTFS_TYPE').replace('-', '_')) if d.getVar('ROOTFS') else ''} \
"
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 045f4494c8..2f1d5cfb46 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -112,7 +112,7 @@ def rootfs_command_variables(d):
'IMAGE_PREPROCESS_COMMAND','RPM_PREPROCESS_COMMANDS','RPM_POSTPROCESS_COMMANDS','DEB_PREPROCESS_COMMANDS','DEB_POSTPROCESS_COMMANDS']
python () {
- variables = rootfs_command_variables(d) + sdk_command_variables(d)
+ variables = rootfs_command_variables(d)
for var in variables:
if d.getVar(var, False):
d.setVarFlag(var, 'func', '1')
@@ -180,6 +180,8 @@ IMAGE_LOCALES_ARCHIVE ?= '1'
# aren't yet available.
PSEUDO_PASSWD = "${IMAGE_ROOTFS}:${STAGING_DIR_NATIVE}"
+PSEUDO_IGNORE_PATHS .= ",${WORKDIR}/intercept_scripts,${WORKDIR}/oe-rootfs-repo,${WORKDIR}/sstate-build-image_complete"
+
PACKAGE_EXCLUDE ??= ""
PACKAGE_EXCLUDE[type] = "list"
diff --git a/meta/classes/image_types.bbclass b/meta/classes/image_types.bbclass
index 286009057e..30951ae366 100644
--- a/meta/classes/image_types.bbclass
+++ b/meta/classes/image_types.bbclass
@@ -110,7 +110,7 @@ IMAGE_CMD_squashfs-lz4 = "mksquashfs ${IMAGE_ROOTFS} ${IMGDEPLOYDIR}/${IMAGE_NAM
IMAGE_CMD_TAR ?= "tar"
# ignore return code 1 "file changed as we read it" as other tasks(e.g. do_image_wic) may be hardlinking rootfs
-IMAGE_CMD_tar = "${IMAGE_CMD_TAR} --sort=name --numeric-owner -cf ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.tar -C ${IMAGE_ROOTFS} . || [ $? -eq 1 ]"
+IMAGE_CMD_tar = "${IMAGE_CMD_TAR} --sort=name --format=posix --numeric-owner -cf ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.tar -C ${IMAGE_ROOTFS} . || [ $? -eq 1 ]"
do_image_cpio[cleandirs] += "${WORKDIR}/cpio_append"
IMAGE_CMD_cpio () {
diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass
index c6dff9659c..44dbed875b 100644
--- a/meta/classes/insane.bbclass
+++ b/meta/classes/insane.bbclass
@@ -175,7 +175,7 @@ def package_qa_check_useless_rpaths(file, name, d, elf, messages):
if rpath_eq(rpath, libdir) or rpath_eq(rpath, base_libdir):
# The dynamic linker searches both these places anyway. There is no point in
# looking there again.
- package_qa_add_message(messages, "useless-rpaths", "%s: %s contains probably-redundant RPATH %s" % (name, package_qa_clean_path(file, d), rpath))
+ package_qa_add_message(messages, "useless-rpaths", "%s: %s contains probably-redundant RPATH %s" % (name, package_qa_clean_path(file, d, name), rpath))
QAPATHTEST[dev-so] = "package_qa_check_dev"
def package_qa_check_dev(path, name, d, elf, messages):
@@ -184,8 +184,8 @@ def package_qa_check_dev(path, name, d, elf, messages):
"""
if not name.endswith("-dev") and not name.endswith("-dbg") and not name.endswith("-ptest") and not name.startswith("nativesdk-") and path.endswith(".so") and os.path.islink(path):
- package_qa_add_message(messages, "dev-so", "non -dev/-dbg/nativesdk- package contains symlink .so: %s path '%s'" % \
- (name, package_qa_clean_path(path,d)))
+ package_qa_add_message(messages, "dev-so", "non -dev/-dbg/nativesdk- package %s contains symlink .so '%s'" % \
+ (name, package_qa_clean_path(path, d, name)))
QAPATHTEST[dev-elf] = "package_qa_check_dev_elf"
def package_qa_check_dev_elf(path, name, d, elf, messages):
@@ -195,8 +195,8 @@ def package_qa_check_dev_elf(path, name, d, elf, messages):
install link-time .so files that are linker scripts.
"""
if name.endswith("-dev") and path.endswith(".so") and not os.path.islink(path) and elf:
- package_qa_add_message(messages, "dev-elf", "-dev package contains non-symlink .so: %s path '%s'" % \
- (name, package_qa_clean_path(path,d)))
+ package_qa_add_message(messages, "dev-elf", "-dev package %s contains non-symlink .so '%s'" % \
+ (name, package_qa_clean_path(path, d, name)))
QAPATHTEST[staticdev] = "package_qa_check_staticdev"
def package_qa_check_staticdev(path, name, d, elf, messages):
@@ -209,7 +209,7 @@ def package_qa_check_staticdev(path, name, d, elf, messages):
if not name.endswith("-pic") and not name.endswith("-staticdev") and not name.endswith("-ptest") and path.endswith(".a") and not path.endswith("_nonshared.a") and not '/usr/lib/debug-static/' in path and not '/.debug-static/' in path:
package_qa_add_message(messages, "staticdev", "non -staticdev package contains static .a library: %s path '%s'" % \
- (name, package_qa_clean_path(path,d)))
+ (name, package_qa_clean_path(path,d, name)))
QAPATHTEST[mime] = "package_qa_check_mime"
def package_qa_check_mime(path, name, d, elf, messages):
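Review bot: The `staticdev` message keeps the old wording `"non -staticdev package contains static .a library: %s path '%s'"`, while the `dev-so` and `dev-elf` messages in the two hunks above were reworded to put the package name inside the sentence. For consistency I would change it to `"non -staticdev package %s contains static .a library '%s'"`. The argument spacing also differs here (`path,d, name` against `path, d, name` in the other calls).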
diff --git a/meta/classes/kernel-devicetree.bbclass b/meta/classes/kernel-devicetree.bbclass
index 81dda8003f..3c5def1041 100644
--- a/meta/classes/kernel-devicetree.bbclass
+++ b/meta/classes/kernel-devicetree.bbclass
@@ -1,8 +1,11 @@
# Support for device tree generation
-PACKAGES_append = " \
- ${KERNEL_PACKAGE_NAME}-devicetree \
- ${@[d.getVar('KERNEL_PACKAGE_NAME') + '-image-zimage-bundle', ''][d.getVar('KERNEL_DEVICETREE_BUNDLE') != '1']} \
-"
+python () {
+ if not bb.data.inherits_class('nopackages', d):
+ d.appendVar("PACKAGES", " ${KERNEL_PACKAGE_NAME}-devicetree")
+ if d.getVar('KERNEL_DEVICETREE_BUNDLE') == '1':
+ d.appendVar("PACKAGES", " ${KERNEL_PACKAGE_NAME}-image-zimage-bundle")
+}
+
FILES_${KERNEL_PACKAGE_NAME}-devicetree = "/${KERNEL_IMAGEDEST}/*.dtb /${KERNEL_IMAGEDEST}/*.dtbo"
FILES_${KERNEL_PACKAGE_NAME}-image-zimage-bundle = "/${KERNEL_IMAGEDEST}/zImage-*.dtb.bin"
diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass
index 1a444efabf..b03a286ed4 100644
--- a/meta/classes/kernel.bbclass
+++ b/meta/classes/kernel.bbclass
@@ -90,6 +90,8 @@ python __anonymous () {
imagedest = d.getVar('KERNEL_IMAGEDEST')
for type in types.split():
+ if bb.data.inherits_class('nopackages', d):
+ continue
typelower = type.lower()
d.appendVar('PACKAGES', ' %s-image-%s' % (kname, typelower))
d.setVar('FILES_' + kname + '-image-' + typelower, '/' + imagedest + '/' + type + '-${KERNEL_VERSION_NAME}' + ' /' + imagedest + '/' + type)
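Review bot: `bb.data.inherits_class('nopackages', d)` does not depend on `type`, so testing it on every iteration and using `continue` obscures the fact that the whole loop is skipped for such recipes. The `continue` also skips any statements of the loop body that lie beyond this hunk, which may or may not be intended. I would hoist the test, wrapping the loop in `if not bb.data.inherits_class('nopackages', d):`, with a one-line comment saying that no per-image-type packages are declared for nopackages recipes.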
@@ -743,7 +745,7 @@ kernel_do_deploy() {
fi
if [ ! -z "${INITRAMFS_IMAGE}" -a x"${INITRAMFS_IMAGE_BUNDLE}" = x1 ]; then
- for imageType in ${KERNEL_IMAGETYPES} ; do
+ for imageType in ${KERNEL_IMAGETYPE_FOR_MAKE} ; do
if [ "$imageType" = "fitImage" ] ; then
continue
fi
diff --git a/meta/classes/license_image.bbclass b/meta/classes/license_image.bbclass
index 119c8dfc86..6f478ce22c 100644
--- a/meta/classes/license_image.bbclass
+++ b/meta/classes/license_image.bbclass
@@ -210,7 +210,8 @@ def license_deployed_manifest(d):
os.unlink(lic_manifest_symlink_dir)
# create the image dir symlink
- os.symlink(lic_manifest_dir, lic_manifest_symlink_dir)
+ if lic_manifest_dir != lic_manifest_symlink_dir:
+ os.symlink(lic_manifest_dir, lic_manifest_symlink_dir)
def get_deployed_dependencies(d):
"""
diff --git a/meta/classes/linuxloader.bbclass b/meta/classes/linuxloader.bbclass
index 720e5dfad4..b161c51a50 100644
--- a/meta/classes/linuxloader.bbclass
+++ b/meta/classes/linuxloader.bbclass
@@ -1,6 +1,6 @@
def get_musl_loader_arch(d):
import re
- ldso_arch = None
+ ldso_arch = "NotSupported"
targetarch = d.getVar("TARGET_ARCH")
if targetarch.startswith("microblaze"):
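Review bot: Replacing `None` with the string `"NotSupported"` makes the unsupported case truthy, so any caller that tests the result with `if loader:` or `is None` will now treat it as a real loader path. The same sentinel is introduced in `get_glibc_loader` and `get_linuxloader` in the next two hunks. Callers are not visible here, so this needs checking across the tree. The functions should also document the sentinel with a docstring line such as `Returns the loader path, or the string "NotSupported" when no loader is known for the target.` A single named constant for the string would avoid typos at comparison sites.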
@@ -32,7 +32,7 @@ def get_musl_loader(d):
def get_glibc_loader(d):
import re
- dynamic_loader = None
+ dynamic_loader = "NotSupported"
targetarch = d.getVar("TARGET_ARCH")
if targetarch in ["powerpc", "microblaze"]:
dynamic_loader = "${base_libdir}/ld.so.1"
@@ -58,7 +58,7 @@ def get_linuxloader(d):
overrides = d.getVar("OVERRIDES").split(":")
if "libc-baremetal" in overrides:
- return None
+ return "NotSupported"
if "libc-musl" in overrides:
dynamic_loader = get_musl_loader(d)
diff --git a/meta/classes/npm.bbclass b/meta/classes/npm.bbclass
index 068032a1e5..55a6985fb0 100644
--- a/meta/classes/npm.bbclass
+++ b/meta/classes/npm.bbclass
@@ -17,8 +17,10 @@
# NPM_INSTALL_DEV:
# Set to 1 to also install devDependencies.
+inherit python3native
+
DEPENDS_prepend = "nodejs-native "
-RDEPENDS_${PN}_prepend = "nodejs "
+RDEPENDS_${PN}_append_class-target = " nodejs"
NPM_INSTALL_DEV ?= "0"
@@ -130,11 +132,17 @@ python npm_do_configure() {
cached_manifest.pop("dependencies", None)
cached_manifest.pop("devDependencies", None)
- with open(orig_shrinkwrap_file, "r") as f:
- orig_shrinkwrap = json.load(f)
+ has_shrinkwrap_file = True
+
+ try:
+ with open(orig_shrinkwrap_file, "r") as f:
+ orig_shrinkwrap = json.load(f)
+ except IOError:
+ has_shrinkwrap_file = False
- cached_shrinkwrap = copy.deepcopy(orig_shrinkwrap)
- cached_shrinkwrap.pop("dependencies", None)
+ if has_shrinkwrap_file:
+ cached_shrinkwrap = copy.deepcopy(orig_shrinkwrap)
+ cached_shrinkwrap.pop("dependencies", None)
# Manage the dependencies
progress = OutOfProgressHandler(d, r"^(\d+)/(\d+)$")
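Review bot: `except IOError:` treats every I/O failure on `orig_shrinkwrap_file` (permission denied, a directory at that path) as "no shrinkwrap", and the build then continues without the locked dependency list and without any message. Since the shrinkwrap is what pins the dependency tree, I would catch only the missing-file case and log it: `except FileNotFoundError:` followed by `bb.note("npm: no shrinkwrap file found, dependencies will not be cached")`. Setting `orig_shrinkwrap = None` and testing `if orig_shrinkwrap is not None:` in the later hunks would replace the separate `has_shrinkwrap_file` flag and remove the risk of reading an unbound name. npm_do_configure starts and ends outside this hunk.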
@@ -165,8 +173,10 @@ python npm_do_configure() {
progress.write("%d/%d" % (progress_done, progress_total))
dev = bb.utils.to_boolean(d.getVar("NPM_INSTALL_DEV"), False)
- foreach_dependencies(orig_shrinkwrap, _count_dependency, dev)
- foreach_dependencies(orig_shrinkwrap, _cache_dependency, dev)
+
+ if has_shrinkwrap_file:
+ foreach_dependencies(orig_shrinkwrap, _count_dependency, dev)
+ foreach_dependencies(orig_shrinkwrap, _cache_dependency, dev)
# Configure the main package
with tempfile.TemporaryDirectory() as tmpdir:
@@ -181,16 +191,19 @@ python npm_do_configure() {
cached_manifest[depkey] = {}
cached_manifest[depkey][name] = version
- _update_manifest("dependencies")
+ if has_shrinkwrap_file:
+ _update_manifest("dependencies")
if dev:
- _update_manifest("devDependencies")
+ if has_shrinkwrap_file:
+ _update_manifest("devDependencies")
with open(cached_manifest_file, "w") as f:
json.dump(cached_manifest, f, indent=2)
- with open(cached_shrinkwrap_file, "w") as f:
- json.dump(cached_shrinkwrap, f, indent=2)
+ if has_shrinkwrap_file:
+ with open(cached_shrinkwrap_file, "w") as f:
+ json.dump(cached_shrinkwrap, f, indent=2)
}
python npm_do_compile() {
@@ -237,9 +250,7 @@ python npm_do_compile() {
sysroot = d.getVar("RECIPE_SYSROOT_NATIVE")
nodedir = os.path.join(sysroot, d.getVar("prefix_native").strip("/"))
configs.append(("nodedir", nodedir))
- bindir = os.path.join(sysroot, d.getVar("bindir_native").strip("/"))
- pythondir = os.path.join(bindir, "python-native", "python")
- configs.append(("python", pythondir))
+ configs.append(("python", d.getVar("PYTHON")))
# Add node-pre-gyp configuration
args.append(("target_arch", d.getVar("NPM_ARCH")))
diff --git a/meta/classes/package.bbclass b/meta/classes/package.bbclass
index 247bdc7bbf..5a32e5c2e3 100644
--- a/meta/classes/package.bbclass
+++ b/meta/classes/package.bbclass
@@ -2446,6 +2446,7 @@ python do_packagedata () {
bb.build.exec_func("packagedata_translate_pr_autoinc", d)
}
+do_packagedata[cleandirs] += "${WORKDIR}/pkgdata-pdata-input"
# Translate the EXTENDPRAUTO and AUTOINC to the final values
packagedata_translate_pr_autoinc() {
diff --git a/meta/classes/package_rpm.bbclass b/meta/classes/package_rpm.bbclass
index 53b4700cdd..89b4c6bbfc 100644
--- a/meta/classes/package_rpm.bbclass
+++ b/meta/classes/package_rpm.bbclass
@@ -687,6 +687,7 @@ python do_package_rpm () {
cmd = cmd + " --define '_binary_payload w6T.xzdio'"
cmd = cmd + " --define '_source_payload w6T.xzdio'"
cmd = cmd + " --define 'clamp_mtime_to_source_date_epoch 1'"
+ cmd = cmd + " --define 'use_source_date_epoch_as_buildtime 1'"
cmd = cmd + " --define '_buildhost reproducible'"
if perfiledeps:
cmd = cmd + " --define '__find_requires " + outdepends + "'"
diff --git a/meta/classes/populate_sdk_base.bbclass b/meta/classes/populate_sdk_base.bbclass
index 49b1833265..635b3a6b80 100644
--- a/meta/classes/populate_sdk_base.bbclass
+++ b/meta/classes/populate_sdk_base.bbclass
@@ -178,7 +178,7 @@ do_populate_sdk[sstate-inputdirs] = "${SDKDEPLOYDIR}"
do_populate_sdk[sstate-outputdirs] = "${SDK_DEPLOY}"
do_populate_sdk[stamp-extra-info] = "${MACHINE_ARCH}${SDKMACHINE}"
-PSEUDO_IGNORE_PATHS .= ",${SDKDEPLOYDIR}"
+PSEUDO_IGNORE_PATHS .= ",${SDKDEPLOYDIR},${WORKDIR}/oe-sdk-repo,${WORKDIR}/sstate-build-populate_sdk"
fakeroot create_sdk_files() {
cp ${COREBASE}/scripts/relocate_sdk.py ${SDK_OUTPUT}/${SDKPATH}/
@@ -329,6 +329,13 @@ def sdk_variables(d):
do_populate_sdk[vardeps] += "${@sdk_variables(d)}"
+python () {
+ variables = sdk_command_variables(d)
+ for var in variables:
+ if d.getVar(var, False):
+ d.setVarFlag(var, 'func', '1')
+}
+
do_populate_sdk[file-checksums] += "${TOOLCHAIN_SHAR_REL_TMPL}:True \
${TOOLCHAIN_SHAR_EXT_TMPL}:True"
diff --git a/meta/classes/populate_sdk_ext.bbclass b/meta/classes/populate_sdk_ext.bbclass
index e6bf27cf38..14689ec6ac 100644
--- a/meta/classes/populate_sdk_ext.bbclass
+++ b/meta/classes/populate_sdk_ext.bbclass
@@ -251,7 +251,9 @@ python copy_buildsystem () {
# Create a layer for new recipes / appends
bbpath = d.getVar('BBPATH')
- bb.process.run(['devtool', '--bbpath', bbpath, '--basepath', baseoutpath, 'create-workspace', '--create-only', os.path.join(baseoutpath, 'workspace')])
+ env = os.environ.copy()
+ env['PYTHONDONTWRITEBYTECODE'] = '1'
+ bb.process.run(['devtool', '--bbpath', bbpath, '--basepath', baseoutpath, 'create-workspace', '--create-only', os.path.join(baseoutpath, 'workspace')], env=env)
# Create bblayers.conf
bb.utils.mkdirhier(baseoutpath + '/conf')
@@ -364,6 +366,9 @@ python copy_buildsystem () {
# Hide the config information from bitbake output (since it's fixed within the SDK)
f.write('BUILDCFG_HEADER = ""\n\n')
+ # Write METADATA_REVISION
+ f.write('METADATA_REVISION = "%s"\n\n' % d.getVar('METADATA_REVISION'))
+
f.write('# Provide a flag to indicate we are in the EXT_SDK Context\n')
f.write('WITHIN_EXT_SDK = "1"\n\n')
diff --git a/meta/classes/python3native.bbclass b/meta/classes/python3native.bbclass
index d98fb4c758..2e3a88c126 100644
--- a/meta/classes/python3native.bbclass
+++ b/meta/classes/python3native.bbclass
@@ -17,8 +17,6 @@ export STAGING_LIBDIR
export PYTHON_LIBRARY="${STAGING_LIBDIR}/lib${PYTHON_DIR}${PYTHON_ABI}.so"
export PYTHON_INCLUDE_DIR="${STAGING_INCDIR}/${PYTHON_DIR}${PYTHON_ABI}"
-export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
-
# suppress host user's site-packages dirs.
export PYTHONNOUSERSITE = "1"
diff --git a/meta/classes/python3targetconfig.bbclass b/meta/classes/python3targetconfig.bbclass
new file mode 100644
index 0000000000..fc1025c207
--- /dev/null
+++ b/meta/classes/python3targetconfig.bbclass
@@ -0,0 +1,17 @@
+inherit python3native
+
+EXTRA_PYTHON_DEPENDS ?= ""
+EXTRA_PYTHON_DEPENDS_class-target = "python3"
+DEPENDS_append = " ${EXTRA_PYTHON_DEPENDS}"
+
+do_configure_prepend_class-target() {
+ export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
+}
+
+do_compile_prepend_class-target() {
+ export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
+}
+
+do_install_prepend_class-target() {
+ export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
+}
diff --git a/meta/classes/report-error.bbclass b/meta/classes/report-error.bbclass
index 1a12db1206..9cb6b0bd31 100644
--- a/meta/classes/report-error.bbclass
+++ b/meta/classes/report-error.bbclass
@@ -6,6 +6,8 @@
#
# Licensed under the MIT license, see COPYING.MIT for details
+inherit base
+
ERR_REPORT_DIR ?= "${LOG_DIR}/error-report"
def errorreport_getdata(e):
@@ -64,6 +66,8 @@ python errorreport_handler () {
data['failures'] = []
data['component'] = " ".join(e.getPkgs())
data['branch_commit'] = str(base_detect_branch(e.data)) + ": " + str(base_detect_revision(e.data))
+ data['bitbake_version'] = e.data.getVar("BB_VERSION")
+ data['layer_version'] = get_layers_branch_rev(e.data)
data['local_conf'] = get_conf_data(e, 'local.conf')
data['auto_conf'] = get_conf_data(e, 'auto.conf')
lock = bb.utils.lockfile(datafile + '.lock')
diff --git a/meta/classes/rootfs_deb.bbclass b/meta/classes/rootfs_deb.bbclass
index ef616da229..0469ba7059 100644
--- a/meta/classes/rootfs_deb.bbclass
+++ b/meta/classes/rootfs_deb.bbclass
@@ -32,4 +32,8 @@ python () {
d.setVar('DEB_SDK_ARCH', 'amd64')
elif darch == "arm":
d.setVar('DEB_SDK_ARCH', 'armel')
+ elif darch == "aarch64":
+ d.setVar('DEB_SDK_ARCH', 'arm64')
+ else:
+ bb.fatal("Unhandled SDK_ARCH %s" % darch)
}
diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass
index 3262d08fbf..03a9792f68 100644
--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -703,6 +703,23 @@ def check_sanity_version_change(status, d):
if (tmpdirmode & stat.S_ISUID):
status.addresult("TMPDIR is setuid, please don't build in a setuid directory")
+ # Check that a user isn't building in a path in PSEUDO_IGNORE_PATHS
+ pseudoignorepaths = d.getVar('PSEUDO_IGNORE_PATHS', expand=True).split(",")
+ workdir = d.getVar('WORKDIR', expand=True)
+ for i in pseudoignorepaths:
+ if i and workdir.startswith(i):
+ status.addresult("You are building in a path included in PSEUDO_IGNORE_PATHS " + str(i) + " please locate the build outside this path.\n")
+
+ # Check if PSEUDO_IGNORE_PATHS and and paths under pseudo control overlap
+ pseudoignorepaths = d.getVar('PSEUDO_IGNORE_PATHS', expand=True).split(",")
+ pseudo_control_dir = "${D},${PKGD},${PKGDEST},${IMAGEROOTFS},${SDK_OUTPUT}"
+ pseudocontroldir = d.expand(pseudo_control_dir).split(",")
+ for i in pseudoignorepaths:
+ for j in pseudocontroldir:
+ if i and j:
+ if j.startswith(i):
+ status.addresult("A path included in PSEUDO_IGNORE_PATHS " + str(i) + " and the path " + str(j) + " overlap and this will break pseudo permission and ownership tracking. Please set the path " + str(j) + " to a different directory which does not overlap with pseudo controlled directories. \n")
+
# Some third-party software apparently relies on chmod etc. being suid root (!!)
import stat
suid_check_bins = "chown chmod mknod".split()
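Review bot: Both new loops compare the raw expanded strings with `startswith`, while `FAKEROOTENV` in bitbake.conf hands pseudo `oe.path.canonicalize(d.getVar('PSEUDO_IGNORE_PATHS'))`, so a `WORKDIR` or `${D}` reached through a symlink or a non-normalised path may overlap an ignored path without tripping either check. Comparing canonical paths on both sides (for example `os.path.realpath(workdir)` against the canonicalised list) would make the check match what pseudo is actually given. `pseudoignorepaths` is also computed twice with the same expression, and a `None` from `d.getVar(...)` would raise on `.split`; a single `(d.getVar('PSEUDO_IGNORE_PATHS') or "").split(",")` covers both loops. The second comment has a doubled "and and". `check_sanity_version_change` begins outside the hunk.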
@@ -787,6 +804,11 @@ def check_sanity_everybuild(status, d):
if "." in paths or "./" in paths or "" in paths:
status.addresult("PATH contains '.', './' or '' (empty element), which will break the build, please remove this.\nParsed PATH is " + str(paths) + "\n")
+ #Check if bitbake is present in PATH environment variable
+ bb_check = bb.utils.which(d.getVar('PATH'), 'bitbake')
+ if not bb_check:
+ bb.warn("bitbake binary is not found in PATH, did you source the script?")
+
# Check whether 'inherit' directive is found (used for a class to inherit)
# in conf file it's supposed to be uppercase INHERIT
inherit = d.getVar('inherit')
@@ -860,13 +882,18 @@ def check_sanity_everybuild(status, d):
except:
pass
- oeroot = d.getVar('COREBASE')
- if oeroot.find('+') != -1:
- status.addresult("Error, you have an invalid character (+) in your COREBASE directory path. Please move the installation to a directory which doesn't include any + characters.")
- if oeroot.find('@') != -1:
- status.addresult("Error, you have an invalid character (@) in your COREBASE directory path. Please move the installation to a directory which doesn't include any @ characters.")
- if oeroot.find(' ') != -1:
- status.addresult("Error, you have a space in your COREBASE directory path. Please move the installation to a directory which doesn't include a space since autotools doesn't support this.")
+ for checkdir in ['COREBASE', 'TMPDIR']:
+ val = d.getVar(checkdir)
+ if val.find('..') != -1:
+ status.addresult("Error, you have '..' in your %s directory path. Please ensure the variable contains an absolute path as this can break some recipe builds in obtuse ways." % checkdir)
+ if val.find('+') != -1:
+ status.addresult("Error, you have an invalid character (+) in your %s directory path. Please move the installation to a directory which doesn't include any + characters." % checkdir)
+ if val.find('@') != -1:
+ status.addresult("Error, you have an invalid character (@) in your %s directory path. Please move the installation to a directory which doesn't include any @ characters." % checkdir)
+ if val.find(' ') != -1:
+ status.addresult("Error, you have a space in your %s directory path. Please move the installation to a directory which doesn't include a space since autotools doesn't support this." % checkdir)
+ if val.find('%') != -1:
+ status.addresult("Error, you have an invalid character (%) in your %s directory path which causes problems with python string formatting. Please move the installation to a directory which doesn't include any % characters." % checkdir)
# Check the format of MIRRORS, PREMIRRORS and SSTATE_MIRRORS
import re
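Review bot: The new `%` check raises instead of reporting: its message contains the literal sequences `%)` and `% c` and is then formatted with `% checkdir`, which fails with `ValueError: unsupported format character` exactly when the path does contain a `%`. Escape the literals, i.e. `"... invalid character (%%) in your %s directory path ... include any %% characters." % checkdir`. Separately, `val.find('..')` also matches a directory name such as `build..old`, and `d.getVar(checkdir)` is used without a `None` guard; a component-wise test like `'..' in val.split(os.sep)` is closer to what the message describes. `check_sanity_everybuild` starts outside the hunk.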
diff --git a/meta/classes/scons.bbclass b/meta/classes/scons.bbclass
index 6b171ca8df..4f3ae502ef 100644
--- a/meta/classes/scons.bbclass
+++ b/meta/classes/scons.bbclass
@@ -5,7 +5,6 @@ DEPENDS += "python3-scons-native"
EXTRA_OESCONS ?= ""
do_configure() {
- unset _PYTHON_SYSCONFIGDATA_NAME
if [ -n "${CONFIGURESTAMPFILE}" ]; then
if [ -e "${CONFIGURESTAMPFILE}" -a "`cat ${CONFIGURESTAMPFILE}`" != "${BB_TASKHASH}" -a "${CLEANBROKEN}" != "1" ]; then
${STAGING_BINDIR_NATIVE}/scons --clean PREFIX=${prefix} prefix=${prefix} ${EXTRA_OESCONS}
@@ -17,13 +16,11 @@ do_configure() {
}
scons_do_compile() {
- unset _PYTHON_SYSCONFIGDATA_NAME
${STAGING_BINDIR_NATIVE}/scons ${PARALLEL_MAKE} PREFIX=${prefix} prefix=${prefix} ${EXTRA_OESCONS} || \
die "scons build execution failed."
}
scons_do_install() {
- unset _PYTHON_SYSCONFIGDATA_NAME
${STAGING_BINDIR_NATIVE}/scons install_root=${D}${prefix} PREFIX=${prefix} prefix=${prefix} ${EXTRA_OESCONS} install || \
die "scons install execution failed."
}
diff --git a/meta/classes/staging.bbclass b/meta/classes/staging.bbclass
index f0a619b35b..8165ab268e 100644
--- a/meta/classes/staging.bbclass
+++ b/meta/classes/staging.bbclass
@@ -27,11 +27,15 @@ SYSROOT_DIRS_BLACKLIST = " \
${mandir} \
${docdir} \
${infodir} \
+ ${datadir}/X11/locale \
${datadir}/applications \
+ ${datadir}/bash-completion \
${datadir}/fonts \
${datadir}/gtk-doc/html \
+ ${datadir}/installed-tests \
${datadir}/locale \
${datadir}/pixmaps \
+ ${datadir}/terminfo \
${libdir}/${BPN}/ptest \
"
diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index 8e0a0ec4b4..eb282d1741 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -685,7 +685,10 @@ SRC_URI = ""
PSEUDO_LOCALSTATEDIR ?= "${WORKDIR}/pseudo/"
PSEUDO_PASSWD ?= "${STAGING_DIR_TARGET}:${PSEUDO_SYSROOT}"
PSEUDO_SYSROOT = "${COMPONENTS_DIR}/${BUILD_ARCH}/pseudo-native"
-PSEUDO_IGNORE_PATHS = "/usr/,/etc/,/lib,/dev/,/run/,${T},${WORKDIR}/recipe-sysroot,${SSTATE_DIR},${STAMPS_DIR},${WORKDIR}/pkgdata-sysroot,${TMPDIR}/sstate-control,${DEPLOY_DIR},${WORKDIR}/deploy-,${TMPDIR}/buildstats,${WORKDIR}/sstate-build-package_,${WORKDIR}/sstate-install-package_,${WORKDIR}/sstate-build-image_complete,${TMPDIR}/sysroots-components,${BUILDHISTORY_DIR},${TMPDIR}/pkgdata,${TOPDIR}/cache,${COREBASE}/scripts,${CCACHE_DIR}"
+PSEUDO_IGNORE_PATHS = "/usr/,/etc/,/lib,/dev/,/run/,${T},${WORKDIR}/recipe-sysroot,${SSTATE_DIR},${STAMPS_DIR}"
+PSEUDO_IGNORE_PATHS .= ",${TMPDIR}/sstate-control,${TMPDIR}/buildstats,${TMPDIR}/sysroots-components,${TMPDIR}/pkgdata"
+PSEUDO_IGNORE_PATHS .= ",${WORKDIR}/deploy-,${WORKDIR}/sstate-build-package_,${WORKDIR}/sstate-install-package_,${WORKDIR}/pkgdata-sysroot"
+PSEUDO_IGNORE_PATHS .= ",${DEPLOY_DIR},${BUILDHISTORY_DIR},${TOPDIR}/cache,${COREBASE}/scripts,${CCACHE_DIR}"
export PSEUDO_DISABLED = "1"
#export PSEUDO_PREFIX = "${STAGING_DIR_NATIVE}${prefix_native}"
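Review bot: Splitting the list into four assignments also drops `${WORKDIR}/sstate-build-image_complete`, which the removed single-line value contained and none of the new lines carries. If that entry now lives in another class (image.bbclass is touched by this commit but is not part of this hunk), a one-line comment here pointing to it would help; if it does not, that path goes back under pseudo tracking. A short comment per line naming the group (`# TMPDIR paths`, `# WORKDIR paths`) would also make the intent of the split clear.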
@@ -696,6 +699,7 @@ FAKEROOTCMD = "${PSEUDO_SYSROOT}${bindir_native}/pseudo"
FAKEROOTENV = "PSEUDO_PREFIX=${PSEUDO_SYSROOT}${prefix_native} PSEUDO_LOCALSTATEDIR=${PSEUDO_LOCALSTATEDIR} PSEUDO_PASSWD=${PSEUDO_PASSWD} PSEUDO_NOSYMLINKEXP=1 PSEUDO_IGNORE_PATHS=${@oe.path.canonicalize(d.getVar('PSEUDO_IGNORE_PATHS'))} PSEUDO_DISABLED=0"
FAKEROOTNOENV = "PSEUDO_UNLOAD=1"
FAKEROOTDIRS = "${PSEUDO_LOCALSTATEDIR}"
+FAKEROOTLOGS = "${WORKDIR}/pseudo/pseudo.log"
PREFERRED_PROVIDER_virtual/fakeroot-native ?= "pseudo-native"
##################################################################
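Review bot: `FAKEROOTLOGS` hard-codes `${WORKDIR}/pseudo/pseudo.log` although the state directory is configurable through `PSEUDO_LOCALSTATEDIR ?= "${WORKDIR}/pseudo/"` a few lines above, so an override of that variable leaves the log path pointing at the default location. Deriving one from the other keeps them together: `FAKEROOTLOGS = "${PSEUDO_LOCALSTATEDIR}pseudo.log"`. That pseudo always writes its log under the state directory is an assumption here and should be confirmed.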
diff --git a/meta/conf/distro/include/ptest-packagelists.inc b/meta/conf/distro/include/ptest-packagelists.inc
index ce13368c2e..e0a876dbdc 100644
--- a/meta/conf/distro/include/ptest-packagelists.inc
+++ b/meta/conf/distro/include/ptest-packagelists.inc
@@ -60,6 +60,7 @@ PTESTS_FAST_remove_mips64 = "qemu-ptest"
# bash-ptest \ # Test outcomes are non-deterministic by design
# ifupdown-ptest \ # Tested separately in lib/oeqa/selftest/cases/imagefeatures.py
# mdadm-ptest \ # Tests rely on non-deterministic sleep() amounts
+# libinput-ptest \ # Tests need an unloaded system to be reliable
#"
PTESTS_SLOW = "\
@@ -72,7 +73,6 @@ PTESTS_SLOW = "\
glib-2.0-ptest \
gstreamer1.0-ptest \
libevent-ptest \
- libinput-ptest \
lttng-tools-ptest \
openssh-ptest \
openssl-ptest \
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 69b6edee5f..a2a2dd18ec 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,9 +6,9 @@
# to the distro running on the build machine.
#
-UNINATIVE_MAXGLIBCVERSION = "2.32"
+UNINATIVE_MAXGLIBCVERSION = "2.33"
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.9/"
-UNINATIVE_CHECKSUM[aarch64] ?= "9f25a667aee225b1dd65c4aea73e01983e825b1cb9b56937932a1ee328b45f81"
-UNINATIVE_CHECKSUM[i686] ?= "cae5d73245d95b07cf133b780ba3f6c8d0adca3ffc4e7e7fab999961d5e24d36"
-UNINATIVE_CHECKSUM[x86_64] ?= "d07916b95c419c81541a19c8ef0ed8cbd78ae18437ff28a4c8a60ef40518e423"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/3.0/"
+UNINATIVE_CHECKSUM[aarch64] ?= "1c668909098c5b56132067adc69a249cb771f4560428e5822de903a12d97bf33"
+UNINATIVE_CHECKSUM[i686] ?= "e6cc2fc056234cffa6a2ff084cce27d544ea3f487a62b5e253351cefd4421900"
+UNINATIVE_CHECKSUM[x86_64] ?= "5ec5a9276046e7eceeac749a18b175667384e1f445cd4526300a41404d985a5b"
diff --git a/meta/conf/local.conf.sample b/meta/conf/local.conf.sample
index 22d43b20d4..985bab19f8 100644
--- a/meta/conf/local.conf.sample
+++ b/meta/conf/local.conf.sample
@@ -185,7 +185,7 @@ BB_DISKMON_DIRS ??= "\
#
# Shared-state files from other locations
#
-# As mentioned above, shared state files are prebuilt cache data objects which can
+# As mentioned above, shared state files are prebuilt cache data objects which can be
# used to accelerate build time. This variable can be used to configure the system
# to search other mirror locations for these objects before it builds the data itself.
#
diff --git a/meta/conf/local.conf.sample.extended b/meta/conf/local.conf.sample.extended
index 420b09b7d7..5b04be8892 100644
--- a/meta/conf/local.conf.sample.extended
+++ b/meta/conf/local.conf.sample.extended
@@ -331,7 +331,7 @@
# The INITRAMFS_IMAGE image variable will cause an additional recipe to
# be built as a dependency to the what ever rootfs recipe you might be
# using such as core-image-sato. The initramfs might be needed for
-# the initial boot of of the target system such as to load kernel
+# the initial boot of the target system such as to load kernel
# modules prior to mounting the root file system.
#
# INITRAMFS_IMAGE_BUNDLE variable controls if the image recipe
@@ -371,23 +371,12 @@
#
#
-# Use busybox/mdev for system initialization
+# System initialization
#
-#VIRTUAL-RUNTIME_dev_manager = "busybox-mdev"
-#VIRTUAL-RUNTIME_login_manager = "busybox"
-#VIRTUAL-RUNTIME_init_manager = "busybox"
-#VIRTUAL-RUNTIME_initscripts = "initscripts"
-#VIRTUAL-RUNTIME_keymaps = "keymaps"
-#DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
-
-#
-# Use systemd for system initialization
-#
-#DISTRO_FEATURES_append = " systemd"
-#DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
-#VIRTUAL-RUNTIME_login_manager = "shadow-base"
-#VIRTUAL-RUNTIME_init_manager = "systemd"
-#VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"
+#INIT_MANAGER = "none"
+#INIT_MANAGER = "sysvinit"
+#INIT_MANAGER = "systemd"
+#INIT_MANAGER = "mdev-busybox"
#
# Use a full set of packages instead of busybox for base utils
diff --git a/meta/conf/machine/include/qemu.inc b/meta/conf/machine/include/qemu.inc
index 8dedb1a42d..7d0a6fe458 100644
--- a/meta/conf/machine/include/qemu.inc
+++ b/meta/conf/machine/include/qemu.inc
@@ -21,7 +21,7 @@ RDEPENDS_${KERNEL_PACKAGE_NAME}-base = ""
# Use a common kernel recipe for all QEMU machines
PREFERRED_PROVIDER_virtual/kernel ??= "linux-yocto"
-EXTRA_IMAGEDEPENDS += "qemu-native qemu-helper-native"
+EXTRA_IMAGEDEPENDS += "qemu-system-native qemu-helper-native"
# Provide the nfs server kernel module for all qemu images
KERNEL_FEATURES_append_pn-linux-yocto = " features/nfsd/nfsd-enable.scc"
diff --git a/meta/lib/oe/copy_buildsystem.py b/meta/lib/oe/copy_buildsystem.py
index 31a84f5b06..d97bf9d1b9 100644
--- a/meta/lib/oe/copy_buildsystem.py
+++ b/meta/lib/oe/copy_buildsystem.py
@@ -20,7 +20,7 @@ def _smart_copy(src, dest):
mode = os.stat(src).st_mode
if stat.S_ISDIR(mode):
bb.utils.mkdirhier(dest)
- cmd = "tar --exclude='.git' --xattrs --xattrs-include='*' -chf - -C %s -p . \
+ cmd = "tar --exclude='.git' --exclude='__pycache__' --xattrs --xattrs-include='*' -chf - -C %s -p . \
| tar --xattrs --xattrs-include='*' -xf - -C %s" % (src, dest)
subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
else:
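Review bot: The edited `tar` pipeline is still assembled with `%` formatting from `src` and `dest` and run with `shell=True`, so a path containing a space, quote or other shell metacharacter changes the command that is executed. Quoting both operands, `% (shlex.quote(src), shlex.quote(dest))`, or running the two `tar` processes from argument lists, removes that dependency on path contents. The same applies to the `gen-lockedsig-cache` and `oe-check-sstate` command strings in the two following hunks, which also set `PYTHONDONTWRITEBYTECODE=1` inside the command string where populate_sdk_ext.bbclass passes it through `env=`; using `env` in all three places would be consistent. `_smart_copy` continues past the end of this hunk.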
@@ -259,7 +259,7 @@ def create_locked_sstate_cache(lockedsigs, input_sstate_cache, output_sstate_cac
bb.note('Generating sstate-cache...')
nativelsbstring = d.getVar('NATIVELSBSTRING')
- bb.process.run("gen-lockedsig-cache %s %s %s %s %s" % (lockedsigs, input_sstate_cache, output_sstate_cache, nativelsbstring, filterfile or ''))
+ bb.process.run("PYTHONDONTWRITEBYTECODE=1 gen-lockedsig-cache %s %s %s %s %s" % (lockedsigs, input_sstate_cache, output_sstate_cache, nativelsbstring, filterfile or ''))
if fixedlsbstring and nativelsbstring != fixedlsbstring:
nativedir = output_sstate_cache + '/' + nativelsbstring
if os.path.isdir(nativedir):
@@ -286,7 +286,7 @@ def check_sstate_task_list(d, targets, filteroutfile, cmdprefix='', cwd=None, lo
logparam = '-l %s' % logfile
else:
logparam = ''
- cmd = "%sBB_SETSCENE_ENFORCE=1 PSEUDO_DISABLED=1 oe-check-sstate %s -s -o %s %s" % (cmdprefix, targets, filteroutfile, logparam)
+ cmd = "%sPYTHONDONTWRITEBYTECODE=1 BB_SETSCENE_ENFORCE=1 PSEUDO_DISABLED=1 oe-check-sstate %s -s -o %s %s" % (cmdprefix, targets, filteroutfile, logparam)
env = dict(d.getVar('BB_ORIGENV', False))
env.pop('BUILDDIR', '')
env.pop('BBPATH', '')
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
new file mode 100644
index 0000000000..a1d7c292af
--- /dev/null
+++ b/meta/lib/oe/cve_check.py
@@ -0,0 +1,65 @@
+import collections
+import re
+import itertools
+import functools
+
+_Version = collections.namedtuple(
+ "_Version", ["release", "patch_l", "pre_l", "pre_v"]
+)
+
+@functools.total_ordering
+class Version():
+
+ def __init__(self, version, suffix=None):
+
+ suffixes = ["alphabetical", "patch"]
+
+ if str(suffix) == "alphabetical":
+ version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
+ elif str(suffix) == "patch":
+ version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(p|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
+ else:
+ version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
+ regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE)
+
+ match = regex.search(version)
+ if not match:
+ raise Exception("Invalid version: '{0}'".format(version))
+
+ self._version = _Version(
+ release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")),
+ patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "",
+ pre_l=match.group("pre_l"),
+ pre_v=match.group("pre_v")
+ )
+
+ self._key = _cmpkey(
+ self._version.release,
+ self._version.patch_l,
+ self._version.pre_l,
+ self._version.pre_v
+ )
+
+ def __eq__(self, other):
+ if not isinstance(other, Version):
+ return NotImplemented
+ return self._key == other._key
+
+ def __gt__(self, other):
+ if not isinstance(other, Version):
+ return NotImplemented
+ return self._key > other._key
+
+def _cmpkey(release, patch_l, pre_l, pre_v):
+ # remove leading 0
+ _release = tuple(
+ reversed(list(itertools.dropwhile(lambda x: x == 0, reversed(release))))
+ )
+
+ _patch = patch_l.upper()
+
+ if pre_l is None and pre_v is None:
+ _pre = float('inf')
+ else:
+ _pre = float(pre_v) if pre_v else float('-inf')
+ return _release, _patch, _pre
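Review bot: With `suffix="patch"` the patch level is compared as a string: `patch_l` is the digit run captured by the regex and `_cmpkey` only applies `.upper()`, so `Version("1.0p10", "patch")` sorts below `Version("1.0p9", "patch")`. For a CVE range check that ordering error can place a version on the wrong side of an affected range; a key such as `_patch = (int(patch_l), "") if patch_l.isdigit() else (-1, patch_l.upper())` keeps numeric and alphabetical suffixes ordered. `pre_l` is also left out of the key, so `1.0-alpha2` compares greater than `1.0-rc1`. The `# remove leading 0` comment should say trailing zeros, which is what the reversed `dropwhile` strips, and `raise ValueError(...)` would be more precise than a bare `Exception`.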
diff --git a/meta/lib/oe/package_manager/__init__.py b/meta/lib/oe/package_manager/__init__.py
index 42225a3b2e..26f9f82aaa 100644
--- a/meta/lib/oe/package_manager/__init__.py
+++ b/meta/lib/oe/package_manager/__init__.py
@@ -189,7 +189,7 @@ class PackageManager(object, metaclass=ABCMeta):
bb.utils.remove(self.intercepts_dir, True)
bb.utils.mkdirhier(self.intercepts_dir)
for intercept in postinst_intercepts:
- bb.utils.copyfile(intercept, os.path.join(self.intercepts_dir, os.path.basename(intercept)))
+ shutil.copy(intercept, os.path.join(self.intercepts_dir, os.path.basename(intercept)))
@abstractmethod
def _handle_intercept_failure(self, failed_script):
diff --git a/meta/lib/oe/package_manager/deb/__init__.py b/meta/lib/oe/package_manager/deb/__init__.py
index 26157f591a..0f9b27f831 100644
--- a/meta/lib/oe/package_manager/deb/__init__.py
+++ b/meta/lib/oe/package_manager/deb/__init__.py
@@ -312,6 +312,12 @@ class DpkgPM(OpkgDpkgPM):
if not pkgs:
return
+ os.environ['D'] = self.target_rootfs
+ os.environ['OFFLINE_ROOT'] = self.target_rootfs
+ os.environ['IPKG_OFFLINE_ROOT'] = self.target_rootfs
+ os.environ['OPKG_OFFLINE_ROOT'] = self.target_rootfs
+ os.environ['INTERCEPT_DIR'] = self.intercepts_dir
+
if with_dependencies:
os.environ['APT_CONFIG'] = self.apt_conf_file
cmd = "%s purge %s" % (self.apt_get_cmd, ' '.join(pkgs))
diff --git a/meta/lib/oe/package_manager/deb/sdk.py b/meta/lib/oe/package_manager/deb/sdk.py
index b25eb70b00..76548b06f0 100644
--- a/meta/lib/oe/package_manager/deb/sdk.py
+++ b/meta/lib/oe/package_manager/deb/sdk.py
@@ -65,6 +65,8 @@ class DpkgSdk(Sdk):
self.target_pm.install_complementary(self.d.getVar('SDKIMAGE_INSTALL_COMPLEMENTARY'))
+ self.target_pm.run_pre_post_installs()
+
self.target_pm.run_intercepts(populate_sdk='target')
execute_pre_post_process(self.d, self.d.getVar("POPULATE_SDK_POST_TARGET_COMMAND"))
@@ -78,6 +80,8 @@ class DpkgSdk(Sdk):
self._populate_sysroot(self.host_pm, self.host_manifest)
self.install_locales(self.host_pm)
+ self.host_pm.run_pre_post_installs()
+
self.host_pm.run_intercepts(populate_sdk='host')
execute_pre_post_process(self.d, self.d.getVar("POPULATE_SDK_POST_HOST_COMMAND"))
diff --git a/meta/lib/oe/patch.py b/meta/lib/oe/patch.py
index 40755fbb03..8ad70f53f1 100644
--- a/meta/lib/oe/patch.py
+++ b/meta/lib/oe/patch.py
@@ -38,15 +38,19 @@ def runcmd(args, dir = None):
args = [ pipes.quote(str(arg)) for arg in args ]
cmd = " ".join(args)
# print("cmd: %s" % cmd)
- (exitstatus, output) = subprocess.getstatusoutput(cmd)
+ proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
+ stdout, stderr = proc.communicate()
+ stdout = stdout.decode('utf-8')
+ stderr = stderr.decode('utf-8')
+ exitstatus = proc.returncode
if exitstatus != 0:
- raise CmdError(cmd, exitstatus >> 8, output)
- if " fuzz " in output and "Hunk " in output:
+ raise CmdError(cmd, exitstatus >> 8, "stdout: %s\nstderr: %s" % (stdout, stderr))
+ if " fuzz " in stdout and "Hunk " in stdout:
# Drop patch fuzz info with header and footer to log file so
# insane.bbclass can handle to throw error/warning
- bb.note("--- Patch fuzz start ---\n%s\n--- Patch fuzz end ---" % format(output))
+ bb.note("--- Patch fuzz start ---\n%s\n--- Patch fuzz end ---" % format(stdout))
- return output
+ return stdout
finally:
if dir:
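Review bot: `raise CmdError(cmd, exitstatus >> 8, ...)` still shifts the status, but `proc.returncode` is already the plain exit code, so a command failing with status 1 is reported as status 0. Pass it through unchanged: `raise CmdError(cmd, exitstatus, "stdout: %s\nstderr: %s" % (stdout, stderr))`. The strict `.decode('utf-8')` calls will raise `UnicodeDecodeError` on tool output in another encoding and hide the real failure; `decode('utf-8', errors='replace')` avoids that. `runcmd` begins and ends outside this hunk.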
diff --git a/meta/lib/oe/prservice.py b/meta/lib/oe/prservice.py
index 2d3c9c7e50..fcdbe66c19 100644
--- a/meta/lib/oe/prservice.py
+++ b/meta/lib/oe/prservice.py
@@ -3,10 +3,6 @@
#
def prserv_make_conn(d, check = False):
- # Otherwise this fails when called from recipes which e.g. inherit python3native (which sets _PYTHON_SYSCONFIGDATA_NAME) with:
- # No module named '_sysconfigdata'
- if '_PYTHON_SYSCONFIGDATA_NAME' in os.environ:
- del os.environ['_PYTHON_SYSCONFIGDATA_NAME']
import prserv.serv
host_params = list([_f for _f in (d.getVar("PRSERV_HOST") or '').split(':') if _f])
try:
diff --git a/meta/lib/oe/recipeutils.py b/meta/lib/oe/recipeutils.py
index ef69ef207f..407d168894 100644
--- a/meta/lib/oe/recipeutils.py
+++ b/meta/lib/oe/recipeutils.py
@@ -409,7 +409,7 @@ def copy_recipe_files(d, tgt_dir, whole_dir=False, download=True, all_variants=F
fetch.download()
for pth in fetch.localpaths():
if pth not in localpaths:
- localpaths.append(pth)
+ localpaths.append(os.path.abspath(pth))
uri_values.append(srcuri)
fetch_urls(d)
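Review bot: The duplicate test and the stored value no longer agree: `if pth not in localpaths` checks the path as returned by `fetch.localpaths()`, while the list now holds `os.path.abspath(pth)`, so a relative `pth` is never found and can be appended more than once. Normalise first and test the normalised value: `pth = os.path.abspath(pth)` before the `if`, then `localpaths.append(pth)`. The surrounding function starts outside the hunk, so how `localpaths` is consumed later is not visible here.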
diff --git a/meta/lib/oe/sstatesig.py b/meta/lib/oe/sstatesig.py
index 34558a6672..31a6140984 100644
--- a/meta/lib/oe/sstatesig.py
+++ b/meta/lib/oe/sstatesig.py
@@ -557,9 +557,11 @@ def OEOuthashBasic(path, sigfile, task, d):
try:
update_hash(" %10s" % pwd.getpwuid(s.st_uid).pw_name)
update_hash(" %10s" % grp.getgrgid(s.st_gid).gr_name)
- except KeyError:
+ except KeyError as e:
bb.warn("KeyError in %s" % path)
- raise
+ msg = ("KeyError: %s\nPath %s is owned by uid %d, gid %d, which doesn't match "
+ "any user/group on target. This may be due to host contamination." % (e, path, s.st_uid, s.st_gid))
+ raise Exception(msg).with_traceback(e.__traceback__)
if include_timestamps:
update_hash(" %10d" % s.st_mtime)
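Review bot: `raise Exception(msg).with_traceback(e.__traceback__)` is better written as `raise Exception(msg) from e`, which keeps the original `KeyError` as the explicit cause instead of only reusing its traceback. The `bb.warn("KeyError in %s" % path)` just before it now repeats what the new message already says and could be dropped. Both `getpwuid` and `getgrgid` sit in the same `try`, so the message cannot tell which lookup failed; keeping `e` in the text, as the new code does, is what identifies the missing id.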
diff --git a/meta/lib/oe/terminal.py b/meta/lib/oe/terminal.py
index eb10a6e33e..2ac39df9e1 100644
--- a/meta/lib/oe/terminal.py
+++ b/meta/lib/oe/terminal.py
@@ -163,7 +163,12 @@ class Tmux(Terminal):
# devshells, if it's already there, add a new window to it.
window_name = 'devshell-%i' % os.getpid()
- self.command = 'tmux new -c "{{cwd}}" -d -s {0} -n {0} "{{command}}"'.format(window_name)
+ self.command = 'tmux new -c "{{cwd}}" -d -s {0} -n {0} "{{command}}"'
+ if not check_tmux_version('1.9'):
+ # `tmux new-session -c` was added in 1.9;
+ # older versions fail with that flag
+ self.command = 'tmux new -d -s {0} -n {0} "{{command}}"'
+ self.command = self.command.format(window_name)
Terminal.__init__(self, sh_cmd, title, env, d)
attach_cmd = 'tmux att -t {0}'.format(window_name)
@@ -253,13 +258,18 @@ def spawn(name, sh_cmd, title=None, env=None, d=None):
except OSError:
return
+def check_tmux_version(desired):
+ vernum = check_terminal_version("tmux")
+ if vernum and LooseVersion(vernum) < desired:
+ return False
+ return vernum
+
def check_tmux_pane_size(tmux):
import subprocess as sub
# On older tmux versions (<1.9), return false. The reason
# is that there is no easy way to get the height of the active panel
# on current window without nested formats (available from version 1.9)
- vernum = check_terminal_version("tmux")
- if vernum and LooseVersion(vernum) < '1.9':
+ if not check_tmux_version('1.9'):
return False
try:
p = sub.Popen('%s list-panes -F "#{?pane_active,#{pane_height},}"' % tmux,
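Review bot: `check_tmux_version` returns `False`, a version string, or whatever falsy value `check_terminal_version` yields when the version cannot be determined, and both callers test it with `not`, so an unknown version is now treated like an old one. Before this change `check_tmux_pane_size` returned early only when a version was known and below 1.9; with the helper it also returns `False` when `vernum` is empty, and `Tmux.__init__` in the previous hunk drops `-c "{cwd}"` in the same case. If an unknown version should keep the old behaviour, make the helper return a bool, e.g. `return not vernum or LooseVersion(vernum) >= desired`, and state that choice in a docstring. `check_tmux_pane_size` continues outside the hunk.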
diff --git a/meta/lib/oeqa/runtime/cases/df.py b/meta/lib/oeqa/runtime/cases/df.py
index 89fd0fb901..bb155c9cf9 100644
--- a/meta/lib/oeqa/runtime/cases/df.py
+++ b/meta/lib/oeqa/runtime/cases/df.py
@@ -4,12 +4,14 @@
from oeqa.runtime.case import OERuntimeTestCase
from oeqa.core.decorator.depends import OETestDepends
+from oeqa.core.decorator.data import skipIfDataVar, skipIfInDataVar
from oeqa.runtime.decorator.package import OEHasPackage
class DfTest(OERuntimeTestCase):
@OETestDepends(['ssh.SSHTest.test_ssh'])
@OEHasPackage(['coreutils', 'busybox'])
+ @skipIfInDataVar('IMAGE_FEATURES', 'read-only-rootfs', 'Test case df requires a writable rootfs')
def test_df(self):
cmd = "df -P / | sed -n '2p' | awk '{print $4}'"
(status,output) = self.target.run(cmd)
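Review bot: `skipIfDataVar` is imported on the new import line but only `skipIfInDataVar` is used in the visible part of this file; `from oeqa.core.decorator.data import skipIfInDataVar` is enough. `test_df` continues outside the hunk, so this is based on the lines shown here.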
diff --git a/meta/lib/oeqa/runtime/cases/pam.py b/meta/lib/oeqa/runtime/cases/pam.py
index 271a1943e3..a482ded945 100644
--- a/meta/lib/oeqa/runtime/cases/pam.py
+++ b/meta/lib/oeqa/runtime/cases/pam.py
@@ -8,11 +8,14 @@
from oeqa.runtime.case import OERuntimeTestCase
from oeqa.core.decorator.depends import OETestDepends
from oeqa.core.decorator.data import skipIfNotFeature
+from oeqa.runtime.decorator.package import OEHasPackage
class PamBasicTest(OERuntimeTestCase):
@skipIfNotFeature('pam', 'Test requires pam to be in DISTRO_FEATURES')
@OETestDepends(['ssh.SSHTest.test_ssh'])
+ @OEHasPackage(['shadow'])
+ @OEHasPackage(['shadow-base'])
def test_pam(self):
status, output = self.target.run('login --help')
msg = ('login command does not work as expected. '
diff --git a/meta/lib/oeqa/selftest/cases/buildoptions.py b/meta/lib/oeqa/selftest/cases/buildoptions.py
index e91f0bd18f..b1b9ea7e55 100644
--- a/meta/lib/oeqa/selftest/cases/buildoptions.py
+++ b/meta/lib/oeqa/selftest/cases/buildoptions.py
@@ -57,15 +57,15 @@ class ImageOptionsTests(OESelftestTestCase):
class DiskMonTest(OESelftestTestCase):
def test_stoptask_behavior(self):
- self.write_config('BB_DISKMON_DIRS = "STOPTASKS,${TMPDIR},100000G,100K"')
+ self.write_config('BB_DISKMON_DIRS = "STOPTASKS,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"')
res = bitbake("delay -c delay", ignore_status = True)
self.assertTrue('ERROR: No new tasks can be executed since the disk space monitor action is "STOPTASKS"!' in res.output, msg = "Tasks should have stopped. Disk monitor is set to STOPTASK: %s" % res.output)
self.assertEqual(res.status, 1, msg = "bitbake reported exit code %s. It should have been 1. Bitbake output: %s" % (str(res.status), res.output))
- self.write_config('BB_DISKMON_DIRS = "ABORT,${TMPDIR},100000G,100K"')
+ self.write_config('BB_DISKMON_DIRS = "ABORT,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"')
res = bitbake("delay -c delay", ignore_status = True)
self.assertTrue('ERROR: Immediately abort since the disk space monitor action is "ABORT"!' in res.output, "Tasks should have been aborted immediatelly. Disk monitor is set to ABORT: %s" % res.output)
self.assertEqual(res.status, 1, msg = "bitbake reported exit code %s. It should have been 1. Bitbake output: %s" % (str(res.status), res.output))
- self.write_config('BB_DISKMON_DIRS = "WARN,${TMPDIR},100000G,100K"')
+ self.write_config('BB_DISKMON_DIRS = "WARN,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"')
res = bitbake("delay -c delay")
self.assertTrue('WARNING: The free space' in res.output, msg = "A warning should have been displayed for disk monitor is set to WARN: %s" %res.output)
diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
new file mode 100644
index 0000000000..d1947baffc
--- /dev/null
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -0,0 +1,44 @@
+from oe.cve_check import Version
+from oeqa.selftest.case import OESelftestTestCase
+
+class CVECheck(OESelftestTestCase):
+
+ def test_version_compare(self):
+ result = Version("100") > Version("99")
+ self.assertTrue( result, msg="Failed to compare version '100' > '99'")
+ result = Version("2.3.1") > Version("2.2.3")
+ self.assertTrue( result, msg="Failed to compare version '2.3.1' > '2.2.3'")
+ result = Version("2021-01-21") > Version("2020-12-25")
+ self.assertTrue( result, msg="Failed to compare version '2021-01-21' > '2020-12-25'")
+ result = Version("1.2-20200910") < Version("1.2-20200920")
+ self.assertTrue( result, msg="Failed to compare version '1.2-20200910' < '1.2-20200920'")
+
+ result = Version("1.0") >= Version("1.0beta")
+ self.assertTrue( result, msg="Failed to compare version '1.0' >= '1.0beta'")
+ result = Version("1.0-rc2") > Version("1.0-rc1")
+ self.assertTrue( result, msg="Failed to compare version '1.0-rc2' > '1.0-rc1'")
+ result = Version("1.0.alpha1") < Version("1.0")
+ self.assertTrue( result, msg="Failed to compare version '1.0.alpha1' < '1.0'")
+ result = Version("1.0_dev") <= Version("1.0")
+ self.assertTrue( result, msg="Failed to compare version '1.0_dev' <= '1.0'")
+
+ # ignore "p1" and "p2", so these should be equal
+ result = Version("1.0p2") == Version("1.0p1")
+ self.assertTrue( result ,msg="Failed to compare version '1.0p2' to '1.0p1'")
+ # ignore the "b" and "r"
+ result = Version("1.0b") == Version("1.0r")
+ self.assertTrue( result ,msg="Failed to compare version '1.0b' to '1.0r'")
+
+ # consider the trailing alphabet as patched level when comparing
+ result = Version("1.0b","alphabetical") < Version("1.0r","alphabetical")
+ self.assertTrue( result ,msg="Failed to compare version with suffix '1.0b' < '1.0r'")
+ result = Version("1.0b","alphabetical") > Version("1.0","alphabetical")
+ self.assertTrue( result ,msg="Failed to compare version with suffix '1.0b' > '1.0'")
+
+ # consider the trailing "p" and "patch" as patched released when comparing
+ result = Version("1.0","patch") < Version("1.0p1","patch")
+ self.assertTrue( result ,msg="Failed to compare version with suffix '1.0' < '1.0p1'")
+ result = Version("1.0p2","patch") > Version("1.0p1","patch")
+ self.assertTrue( result ,msg="Failed to compare version with suffix '1.0p2' > '1.0p1'")
+ result = Version("1.0_patch2","patch") < Version("1.0_patch3","patch")
+ self.assertTrue( result ,msg="Failed to compare version with suffix '1.0_patch2' < '1.0_patch3'")
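Review bot: Every assertion in `test_version_compare` checks that a comparison evaluates to true, so a `Version` whose operators always return True would pass the whole test; the "alphabetical" and "patch" suffix cases are never checked in the opposite direction. Adding negative cases such as `self.assertFalse(Version("1.0b","alphabetical") > Version("1.0r","alphabetical"))` and `self.assertFalse(Version("1.0","patch") == Version("1.0p1","patch"))` would pin the ordering. This matters because the class comes from `oe.cve_check` and presumably decides whether a recipe version falls inside a CVE's affected range, where a wrong comparison hides or invents findings. A one-line docstring on the test method stating which suffix modes are covered would also help.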
diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py b/meta/lib/oeqa/selftest/cases/reproducible.py
index a7ef336143..cd7be7d436 100644
--- a/meta/lib/oeqa/selftest/cases/reproducible.py
+++ b/meta/lib/oeqa/selftest/cases/reproducible.py
@@ -68,7 +68,7 @@ def compare_file(reference, test, diffutils_sysroot):
result.status = MISSING
return result
- r = runCmd(['cmp', '--quiet', reference, test], native_sysroot=diffutils_sysroot, ignore_status=True)
+ r = runCmd(['cmp', '--quiet', reference, test], native_sysroot=diffutils_sysroot, ignore_status=True, sync=False)
if r.status:
result.status = DIFFERENT
@@ -184,9 +184,10 @@ class ReproducibleTests(OESelftestTestCase):
# mirror, forcing a complete build from scratch
config += textwrap.dedent('''\
SSTATE_DIR = "${TMPDIR}/sstate"
- SSTATE_MIRROR = ""
+ SSTATE_MIRRORS = ""
''')
+ self.logger.info("Building %s (sstate%s allowed)..." % (name, '' if use_sstate else ' NOT'))
self.write_config(config)
d = get_bb_vars(capture_vars)
bitbake(' '.join(self.images))
@@ -213,6 +214,7 @@ class ReproducibleTests(OESelftestTestCase):
self.logger.info('Non-reproducible packages will be copied to %s', save_dir)
vars_A = self.do_test_build('reproducibleA', self.build_from_sstate)
+
vars_B = self.do_test_build('reproducibleB', False)
# NOTE: The temp directories from the reproducible build are purposely
@@ -227,6 +229,7 @@ class ReproducibleTests(OESelftestTestCase):
deploy_A = vars_A['DEPLOY_DIR_' + c.upper()]
deploy_B = vars_B['DEPLOY_DIR_' + c.upper()]
+ self.logger.info('Checking %s packages for differences...' % c)
result = self.compare_packages(deploy_A, deploy_B, diffutils_sysroot)
self.logger.info('Reproducibility summary for %s: %s' % (c, result))
diff --git a/meta/lib/oeqa/selftest/cases/tinfoil.py b/meta/lib/oeqa/selftest/cases/tinfoil.py
index 206168ed00..a51c6048d3 100644
--- a/meta/lib/oeqa/selftest/cases/tinfoil.py
+++ b/meta/lib/oeqa/selftest/cases/tinfoil.py
@@ -100,9 +100,11 @@ class TinfoilTests(OESelftestTestCase):
eventreceived = False
commandcomplete = False
start = time.time()
- # Wait for 10s in total so we'd detect spurious heartbeat events for example
+ # Wait for maximum 60s in total so we'd detect spurious heartbeat events for example
# The test is IO load sensitive too
- while time.time() - start < 10:
+ while (not (eventreceived == True and commandcomplete == True)
+ and (time.time() - start < 60)):
+ # if we received both events (on let's say a good day), we are done
event = tinfoil.wait_event(1)
if event:
if isinstance(event, bb.command.CommandCompleted):
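Review bot: The comment above the loop still says the wait exists to detect spurious heartbeat events, but the new condition leaves the loop as soon as both flags are set, so anything arriving after that point is no longer observed. The comment should say that 60s is only an upper bound for slow, IO-loaded hosts. The condition also reads more easily without the comparisons to True: `while not (eventreceived and commandcomplete) and time.time() - start < 60:`. The loop body continues outside this hunk, so where the two flags are set is not visible here.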
diff --git a/meta/lib/oeqa/selftest/cases/wic.py b/meta/lib/oeqa/selftest/cases/wic.py
index 714637ec1e..39c6828f59 100644
--- a/meta/lib/oeqa/selftest/cases/wic.py
+++ b/meta/lib/oeqa/selftest/cases/wic.py
@@ -318,6 +318,7 @@ class Wic(WicTestCase):
"--image-name=core-image-minimal "
"-D -o %s" % self.resultdir)
self.assertEqual(1, len(glob(self.resultdir + "wictestdisk-*.direct")))
+ self.assertEqual(1, len(glob(self.resultdir + "tmp.wic*")))
def test_debug_long(self):
"""Test --debug option"""
@@ -325,6 +326,7 @@ class Wic(WicTestCase):
"--image-name=core-image-minimal "
"--debug -o %s" % self.resultdir)
self.assertEqual(1, len(glob(self.resultdir + "wictestdisk-*.direct")))
+ self.assertEqual(1, len(glob(self.resultdir + "tmp.wic*")))
def test_skip_build_check_short(self):
"""Test -s option"""
@@ -588,6 +590,9 @@ part / --source rootfs --fstype=ext4 --include-path %s --include-path core-imag
def test_permissions(self):
"""Test permissions are respected"""
+ # prepare wicenv and rootfs
+ bitbake('core-image-minimal core-image-minimal-mtdutils -c do_rootfs_wicenv')
+
oldpath = os.environ['PATH']
os.environ['PATH'] = get_bb_var("PATH", "wic-tools")
@@ -621,6 +626,19 @@ part /etc --source rootfs --fstype=ext4 --change-directory=etc
res = runCmd("debugfs -R 'ls -p' %s 2>/dev/null" % (part))
self.assertEqual(True, files_own_by_root(res.output))
+ config = 'IMAGE_FSTYPES += "wic"\nWKS_FILE = "%s"\n' % wks_file
+ self.append_config(config)
+ bitbake('core-image-minimal')
+ tmpdir = os.path.join(get_bb_var('WORKDIR', 'core-image-minimal'),'build-wic')
+
+ # check each partition for permission
+ for part in glob(os.path.join(tmpdir, 'temp-*.direct.p*')):
+ res = runCmd("debugfs -R 'ls -p' %s 2>/dev/null" % (part))
+ self.assertTrue(files_own_by_root(res.output)
+ ,msg='Files permission incorrect using wks set "%s"' % test)
+
+ # clean config and result directory for next cases
+ self.remove_config(config)
rmtree(self.resultdir, ignore_errors=True)
finally:
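Review bot: The new partition loop in `test_permissions` passes without checking anything when `glob(os.path.join(tmpdir, 'temp-*.direct.p*'))` matches no files, for instance if the build-wic directory or the partition file naming changes. Collect the matches first and assert on them, `parts = glob(os.path.join(tmpdir, 'temp-*.direct.p*'))` followed by `self.assertTrue(parts, msg='No wic partitions found in %s' % tmpdir)`, so the root-ownership check cannot be skipped silently. `self.remove_config(config)` also runs only when the assertions pass. Whether the `finally:` that follows restores the configuration is outside this hunk.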
@@ -961,14 +979,18 @@ class Wic2(WicTestCase):
@only_for_arch(['i586', 'i686', 'x86_64'])
def test_rawcopy_plugin_qemu(self):
"""Test rawcopy plugin in qemu"""
- # build ext4 and wic images
- for fstype in ("ext4", "wic"):
- config = 'IMAGE_FSTYPES = "%s"\nWKS_FILE = "test_rawcopy_plugin.wks.in"\n' % fstype
- self.append_config(config)
- self.assertEqual(0, bitbake('core-image-minimal').status)
- self.remove_config(config)
+ # build ext4 and then use it for a wic image
+ config = 'IMAGE_FSTYPES = "ext4"\n'
+ self.append_config(config)
+ self.assertEqual(0, bitbake('core-image-minimal').status)
+ self.remove_config(config)
- with runqemu('core-image-minimal', ssh=False, image_fstype='wic') as qemu:
+ config = 'IMAGE_FSTYPES = "wic"\nWKS_FILE = "test_rawcopy_plugin.wks.in"\n'
+ self.append_config(config)
+ self.assertEqual(0, bitbake('core-image-minimal-mtdutils').status)
+ self.remove_config(config)
+
+ with runqemu('core-image-minimal-mtdutils', ssh=False, image_fstype='wic') as qemu:
cmd = "grep sda. /proc/partitions |wc -l"
status, output = qemu.run_serial(cmd)
self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
diff --git a/meta/lib/oeqa/utils/commands.py b/meta/lib/oeqa/utils/commands.py
index 8b3e12038d..a71c16ab14 100644
--- a/meta/lib/oeqa/utils/commands.py
+++ b/meta/lib/oeqa/utils/commands.py
@@ -125,11 +125,11 @@ class Command(object):
def stop(self):
for thread in self.threads:
- if thread.isAlive():
+ if thread.is_alive():
self.process.terminate()
# let's give it more time to terminate gracefully before killing it
thread.join(5)
- if thread.isAlive():
+ if thread.is_alive():
self.process.kill()
thread.join()
diff --git a/meta/recipes-connectivity/bind/bind-9.16.7/CVE-2020-8625.patch b/meta/recipes-connectivity/bind/bind-9.16.7/CVE-2020-8625.patch
new file mode 100644
index 0000000000..98b8623139
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.16.7/CVE-2020-8625.patch
@@ -0,0 +1,29 @@
+From 5b671538216af78a0a7ef7464dc52ab2241ea7db Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Tue, 2 Mar 2021 14:03:49 +0000
+Subject: [PATCH] BIND Operational Notification: Zone journal (.jnl) file
+ incompatibility
+
+Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.16.12/patches/CVE-2020-8625.patch]
+CVE: CVE-2020-8625
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ lib/dns/spnego.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
+index 671838c..82fd49a 100644
+--- a/lib/dns/spnego.c
++++ b/lib/dns/spnego.c
+@@ -846,7 +846,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
+ return (ASN1_OVERRUN);
+ }
+
+- data->components = malloc(len * sizeof(*data->components));
++ data->components = malloc((len + 1) * sizeof(*data->components));
+ if (data->components == NULL) {
+ return (ENOMEM);
+ }
+--
+2.17.1
+
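Review bot: The `Subject:` line of this patch file, "BIND Operational Notification: Zone journal (.jnl) file incompatibility", does not describe the change it carries, which enlarges the allocation in `der_get_oid()` in lib/dns/spnego.c. The header is what gets read when auditing which CVE fixes a recipe carries, so it should name the SPNEGO change, for example `Subject: [PATCH] spnego: allocate len + 1 components in der_get_oid()`. The `CVE:` and `Upstream-Status:` tags are fine as they are. The rest of `der_get_oid()`, including the length check that returns `ASN1_OVERRUN`, lies outside the hunk.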
diff --git a/meta/recipes-connectivity/bind/bind_9.16.7.bb b/meta/recipes-connectivity/bind/bind_9.16.7.bb
index 5fc2c1d3cd..82c1bb66df 100644
--- a/meta/recipes-connectivity/bind/bind_9.16.7.bb
+++ b/meta/recipes-connectivity/bind/bind_9.16.7.bb
@@ -17,6 +17,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
file://bind-ensure-searching-for-json-headers-searches-sysr.patch \
file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
file://0001-avoid-start-failure-with-bind-user.patch \
+ file://CVE-2020-8625.patch \
"
SRC_URI[sha256sum] = "9f7d1812ebbd26a699f62b6fa8522d5dec57e4bf43af0042a0d60d39ed8314d1"
diff --git a/meta/recipes-connectivity/connman/connman_1.38.bb b/meta/recipes-connectivity/connman/connman_1.39.bb
index 027c41e9af..df42e9ffb8 100644
--- a/meta/recipes-connectivity/connman/connman_1.38.bb
+++ b/meta/recipes-connectivity/connman/connman_1.39.bb
@@ -9,8 +9,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
-SRC_URI[md5sum] = "1ed8745354c7254bdfd4def54833ee94"
-SRC_URI[sha256sum] = "cb30aca97c2f79ccaed8802aa2909ac5100a3969de74c0af8a9d73b85fc4932b"
+SRC_URI[sha256sum] = "9f62a7169b7491c670a1ff2e335b0d966308fb2f62e285c781105eb90f181af3"
RRECOMMENDS_${PN} = "connman-conf"
RCONFLICTS_${PN} = "networkmanager"
diff --git a/meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch b/meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch
new file mode 100644
index 0000000000..b88bc18f12
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch
@@ -0,0 +1,28 @@
+From 0f90440ca70abab947acbd77795e9f130967956c Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Fri, 20 Nov 2020 13:37:54 +1100
+Subject: [PATCH] Add new pselect6_time64 syscall on ARM.
+
+This is apparently needed on armhfp/armv7hl. bz#3232, patch from
+jjelen at redhat.com.
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Upstream-Status: Backport
+[fixes issues on 32bit IA and probably other 32 bit platforms too with glibc 2.33]
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index e0768c063..5065ae7ef 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_pselect6
+ SC_ALLOW(__NR_pselect6),
+ #endif
++#ifdef __NR_pselect6_time64
++ SC_ALLOW(__NR_pselect6_time64),
++#endif
+ #ifdef __NR_read
+ SC_ALLOW(__NR_read),
+ #endif
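Review bot: The `Upstream-Status: Backport` line in this patch file sits below the `---` separator and the diffstat, and it carries no upstream reference. The file also has no `Signed-off-by` from whoever backported it, unlike CVE-2020-14145.patch added in the same commit. Because the change widens the pre-auth seccomp allowlist in sandbox-seccomp-filter.c, its origin should be easy to verify: move the tag above `---`, write it as `Upstream-Status: Backport [<upstream commit URL>]`, and add the backporter's sign-off. A descriptive file name instead of the bare commit hash would also make the SRC_URI entry readable.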
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
new file mode 100644
index 0000000000..0046ee1a51
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
@@ -0,0 +1,90 @@
+From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 18 Sep 2020 05:23:03 +0000
+Subject: [PATCH] upstream: tweak the client hostkey preference ordering
+ algorithm to
+
+prefer the default ordering if the user has a key that matches the
+best-preference default algorithm.
+
+feedback and ok markus@
+
+OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
+
+Upstream-Status: Backport
+[https://github.com/openssh/openssh-portable/commit/b3855ff053f5078ec3d3c653cdaedefaa5fc362d]
+CVE: CVE-2020-14145
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ sshconnect2.c | 41 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 37 insertions(+), 2 deletions(-)
+
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 347e348c60..f64aae66af 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+ return 0;
+ }
+
++/* Returns the first item from a comma-separated algorithm list */
++static char *
++first_alg(const char *algs)
++{
++ char *ret, *cp;
++
++ ret = xstrdup(algs);
++ if ((cp = strchr(ret, ',')) != NULL)
++ *cp = '\0';
++ return ret;
++}
++
+ static char *
+ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+ {
+- char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
++ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
++ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
+ size_t maxlen;
+- struct hostkeys *hostkeys;
++ struct hostkeys *hostkeys = NULL;
+ int ktype;
+ u_int i;
+
+@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+ for (i = 0; i < options.num_system_hostfiles; i++)
+ load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
+
++ /*
++ * If a plain public key exists that matches the type of the best
++ * preference HostkeyAlgorithms, then use the whole list as is.
++ * Note that we ignore whether the best preference algorithm is a
++ * certificate type, as sshconnect.c will downgrade certs to
++ * plain keys if necessary.
++ */
++ best = first_alg(options.hostkeyalgorithms);
++ if (lookup_key_in_hostkeys_by_type(hostkeys,
++ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
++ debug3("%s: have matching best-preference key type %s, "
++ "using HostkeyAlgorithms verbatim", __func__, best);
++ ret = xstrdup(options.hostkeyalgorithms);
++ goto out;
++ }
++
++ /*
++ * Otherwise, prefer the host key algorithms that match known keys
++ * while keeping the ordering of HostkeyAlgorithms as much as possible.
++ */
+ oavail = avail = xstrdup(options.hostkeyalgorithms);
+ maxlen = strlen(avail) + 1;
+ first = xmalloc(maxlen);
+@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+ if (*first != '\0')
+ debug3("%s: prefer hostkeyalgs: %s", __func__, first);
+
++ out:
++ free(best);
+ free(first);
+ free(last);
+ free(hostname);
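Review bot: The patch is tagged `CVE: CVE-2020-14145`, but the new code in `order_hostkeyalgs()` keeps `HostkeyAlgorithms` verbatim only when a stored key matches the first algorithm in the list. In the fallback under the "Otherwise, prefer the host key algorithms that match known keys" comment, the list is still reordered from the known-hosts contents. If the CVE concerns that reordering, the tag will make CVE reports show it as fixed while the behaviour remains in the fallback case, so the patch header should say that this mitigates the default-algorithm case only. Separately, `first_alg()` returns an allocated string, and extending its comment to `/* Returns the first item from a comma-separated algorithm list; caller frees */` would explain the `free(best)` at `out:`. The parts of `order_hostkeyalgs()` between the hunks are not visible here.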
diff --git a/meta/recipes-connectivity/openssh/openssh_8.3p1.bb b/meta/recipes-connectivity/openssh/openssh_8.3p1.bb
index 2aa1df20bd..a1e34a9379 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.3p1.bb
@@ -24,6 +24,8 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
file://sshd_check_keys \
file://add-test-support-for-busybox.patch \
+ file://0f90440ca70abab947acbd77795e9f130967956c.patch \
+ file://CVE-2020-14145.patch \
"
SRC_URI[sha256sum] = "f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2"
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1k.bb
index c2db596f03..5f281197c9 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1k.bb
@@ -23,7 +23,7 @@ SRC_URI_append_class-nativesdk = " \
file://environment.d-openssl.sh \
"
-SRC_URI[sha256sum] = "e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242"
+SRC_URI[sha256sum] = "892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5"
inherit lib_package multilib_header multilib_script ptest
MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
@@ -210,6 +210,8 @@ BBCLASSEXTEND = "native nativesdk"
CVE_PRODUCT = "openssl:openssl"
+CVE_VERSION_SUFFIX = "alphabetical"
+
# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
# Apache in meta-webserver is already recent enough
CVE_CHECK_WHITELIST += "CVE-2019-0190"
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
new file mode 100644
index 0000000000..8c90fa3421
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
@@ -0,0 +1,45 @@
+From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Mon, 9 Nov 2020 11:43:12 +0200
+Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
+ client
+
+Parsing and copying of WPS secondary device types list was verifying
+that the contents is not too long for the internal maximum in the case
+of WPS messages, but similar validation was missing from the case of P2P
+group information which encodes this information in a different
+attribute. This could result in writing beyond the memory area assigned
+for these entries and corrupting memory within an instance of struct
+p2p_device. This could result in invalid operations and unexpected
+behavior when trying to free pointers from that corrupted memory.
+
+Upstream-Status: Backport
+CVE: CVE-2021-0326
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e]
+
+Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
+Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/p2p/p2p.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index a08ba02..079270f 100644
+--- a/src/p2p/p2p.c
++++ b/src/p2p/p2p.c
+@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
+ dev->info.config_methods = cli->config_methods;
+ os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
+ dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
++ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
++ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
+ os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
+ dev->info.wps_sec_dev_type_list_len);
+ }
+--
+2.17.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch
new file mode 100644
index 0000000000..004b1dbd19
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch
@@ -0,0 +1,58 @@
+From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 8 Dec 2020 23:52:50 +0200
+Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
+
+p2p_add_device() may remove the oldest entry if there is no room in the
+peer table for a new peer. This would result in any pointer to that
+removed entry becoming stale. A corner case with an invalid PD Request
+frame could result in such a case ending up using (read+write) freed
+memory. This could only by triggered when the peer table has reached its
+maximum size and the PD Request frame is received from the P2P Device
+Address of the oldest remaining entry and the frame has incorrect P2P
+Device Address in the payload.
+
+Fix this by fetching the dev pointer again after having called
+p2p_add_device() so that the stale pointer cannot be used.
+
+Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-27803
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/p2p/p2p_pd.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
+index 3994ec0..05fd593 100644
+--- a/src/p2p/p2p_pd.c
++++ b/src/p2p/p2p_pd.c
+@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
+ goto out;
+ }
+
++ dev = p2p_get_device(p2p, sa);
+ if (!dev) {
+- dev = p2p_get_device(p2p, sa);
+- if (!dev) {
+- p2p_dbg(p2p,
+- "Provision Discovery device not found "
+- MACSTR, MAC2STR(sa));
+- goto out;
+- }
++ p2p_dbg(p2p,
++ "Provision Discovery device not found "
++ MACSTR, MAC2STR(sa));
++ goto out;
+ }
+ } else if (msg.wfd_subelems) {
+ wpabuf_free(dev->info.wfd_subelems);
+--
+2.17.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch
new file mode 100644
index 0000000000..e2540fc26b
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch
@@ -0,0 +1,123 @@
+From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 13 Mar 2021 18:19:31 +0200
+Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters
+
+The supported hash algorithms do not use AlgorithmIdentifier parameters.
+However, there are implementations that include NULL parameters in
+addition to ones that omit the parameters. Previous implementation did
+not check the parameters value at all which supported both these cases,
+but did not reject any other unexpected information.
+
+Use strict validation of digest algorithm parameters and reject any
+unexpected value when validating a signature. This is needed to prevent
+potential forging attacks.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+Upstream-Status: Backport
+CVE: CVE-2021-30004
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/tls/pkcs1.c | 21 +++++++++++++++++++++
+ src/tls/x509v3.c | 20 ++++++++++++++++++++
+ 2 files changed, 41 insertions(+)
+
+diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
+index 141ac50..e09db07 100644
+--- a/src/tls/pkcs1.c
++++ b/src/tls/pkcs1.c
+@@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
++ hdr.payload, hdr.length);
+
+ pos = hdr.payload;
+ end = pos + hdr.length;
+@@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
++ hdr.payload, hdr.length);
+ da_end = hdr.payload + hdr.length;
+
+ if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
++ next, da_end - next);
++
++ /*
++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++ * omit the parameters, but there are implementation that encode these
++ * as a NULL element. Allow these two cases and reject anything else.
++ */
++ if (da_end > next &&
++ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++ !asn1_is_null(&hdr) ||
++ hdr.payload + hdr.length != da_end)) {
++ wpa_printf(MSG_DEBUG,
++ "PKCS #1: Unexpected digest algorithm parameters");
++ os_free(decrypted);
++ return -1;
++ }
+
+ if (!asn1_oid_equal(&oid, hash_alg)) {
+ char txt[100], txt2[100];
+diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
+index 1bd5aa0..bf2289f 100644
+--- a/src/tls/x509v3.c
++++ b/src/tls/x509v3.c
+@@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
+
+ pos = hdr.payload;
+ end = pos + hdr.length;
+@@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
++ hdr.payload, hdr.length);
+ da_end = hdr.payload + hdr.length;
+
+ if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
++ next, da_end - next);
++
++ /*
++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++ * omit the parameters, but there are implementation that encode these
++ * as a NULL element. Allow these two cases and reject anything else.
++ */
++ if (da_end > next &&
++ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++ !asn1_is_null(&hdr) ||
++ hdr.payload + hdr.length != da_end)) {
++ wpa_printf(MSG_DEBUG,
++ "X509: Unexpected digest algorithm parameters");
++ os_free(data);
++ return -1;
++ }
+
+ if (x509_sha1_oid(&oid)) {
+ if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) {
+--
+2.17.1
+
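Review bot: The digest-algorithm-parameter check is added twice in identical form, once in `pkcs1_v15_sig_ver()` and once in `x509_check_signature()`, differing only in the log prefix and the buffer freed on failure. Two copies of a signature-validation rule can drift apart over later backports. A shared helper taking `next` and `da_end`, and reporting whether the parameters are absent or a single NULL element, would keep both verifiers in step. That refactor belongs upstream since this is a backport, so for this tree it is enough to record in the patch description that the two blocks must be changed together. Both functions start and end outside the hunks shown.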
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
index 7cc03fef7d..915b326b81 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -29,6 +29,9 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \
file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \
file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
+ file://CVE-2021-0326.patch \
+ file://CVE-2021-27803.patch \
+ file://CVE-2021-30004.patch \
"
SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"
diff --git a/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
new file mode 100644
index 0000000000..67c9f189cc
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
@@ -0,0 +1,58 @@
+From fe791386ebc270219ca00406c9fdadc5130b64ee Mon Sep 17 00:00:00 2001
+From: Samuel Sapalski <samuel.sapalski@nokia.com>
+Date: Wed, 3 Mar 2021 16:31:22 +0100
+Subject: [PATCH] decompress_gunzip: Fix DoS if gzip is corrupt
+
+On certain corrupt gzip files, huft_build will set the error bit on
+the result pointer. If afterwards abort_unzip is called huft_free
+might run into a segmentation fault or an invalid pointer to
+free(p).
+
+In order to mitigate this, we check in huft_free if the error bit
+is set and clear it before the linked list is freed.
+
+Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>
+Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-28831
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ archival/libarchive/decompress_gunzip.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
+index eb3b64930..e93cd5005 100644
+--- a/archival/libarchive/decompress_gunzip.c
++++ b/archival/libarchive/decompress_gunzip.c
+@@ -220,10 +220,20 @@ static const uint8_t border[] ALIGN1 = {
+ * each table.
+ * t: table to free
+ */
++#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
++#define ERR_RET ((huft_t*)(uintptr_t)1)
+ static void huft_free(huft_t *p)
+ {
+ huft_t *q;
+
++ /*
++ * If 'p' has the error bit set we have to clear it, otherwise we might run
++ * into a segmentation fault or an invalid pointer to free(p)
++ */
++ if (BAD_HUFT(p)) {
++ p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET));
++ }
++
+ /* Go through linked list, freeing from the malloced (t[-1]) address. */
+ while (p) {
+ q = (--p)->v.t;
+@@ -289,8 +299,6 @@ static unsigned fill_bitbuffer(STATE_PARAM unsigned bitbuffer, unsigned *current
+ * or a valid pointer to a Huffman table, ORed with 0x1 if incompete table
+ * is given: "fixed inflate" decoder feeds us such data.
+ */
+-#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
+-#define ERR_RET ((huft_t*)(uintptr_t)1)
+ static huft_t* huft_build(const unsigned *b, const unsigned n,
+ const unsigned s, const struct cp_ext *cp_ext,
+ unsigned *m)
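Review bot: In `huft_free()` the error bit is cleared with an XOR against `ERR_RET`, which is only correct because `BAD_HUFT(p)` was tested first. Masking states the intent directly and needs no guard: `p = (huft_t*)((uintptr_t)p & ~(uintptr_t)1);`. Moving the `BAD_HUFT`/`ERR_RET` defines up also leaves them between the "t: table to free" comment block and the function it documents, so they would read better placed above that comment. The body of `huft_free()` continues past the hunk.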
diff --git a/meta/recipes-core/busybox/busybox_1.32.0.bb b/meta/recipes-core/busybox/busybox_1.32.0.bb
index 8e23b0d4a2..b91f7cf711 100644
--- a/meta/recipes-core/busybox/busybox_1.32.0.bb
+++ b/meta/recipes-core/busybox/busybox_1.32.0.bb
@@ -46,7 +46,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://0001-hwclock-make-glibc-2.31-compatible.patch \
file://rev.cfg \
file://pgrep.cfg \
-"
+ file://0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch \
+ "
SRC_URI_append_libc-musl = " file://musl.cfg "
SRC_URI[tarball.md5sum] = "9576986f1a960da471d03b72a62f13c7"
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219.patch
new file mode 100644
index 0000000000..a4ec01134a
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219.patch
@@ -0,0 +1,1444 @@
+commit b70039028b4a39ea071f6ed368a58ad5b5b90ba3
+Author: Anatol Belski <anbelski@microsoft.com>
+Date: Sun Mar 14 17:51:53 2021 +0000
+
+ backport: 2.64.5_CVE-2021-27219
+
+CVE: CVE-2021-27219
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1926]
+
+Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com>
+
+diff --git a/docs/reference/glib/meson.build b/docs/reference/glib/meson.build
+index 62d95f78d..7eebb04ac 100644
+--- a/docs/reference/glib/meson.build
++++ b/docs/reference/glib/meson.build
+@@ -22,6 +22,7 @@ if get_option('gtk_doc')
+ 'gprintfint.h',
+ 'gmirroringtable.h',
+ 'gscripttable.h',
++ 'gstrfuncsprivate.h',
+ 'glib-mirroring-tab',
+ 'gnulib',
+ 'pcre',
+diff --git a/gio/gdatainputstream.c b/gio/gdatainputstream.c
+index 2e7750cb5..2cdcbda19 100644
+--- a/gio/gdatainputstream.c
++++ b/gio/gdatainputstream.c
+@@ -27,6 +27,7 @@
+ #include "gioenumtypes.h"
+ #include "gioerror.h"
+ #include "glibintl.h"
++#include "gstrfuncsprivate.h"
+
+ #include <string.h>
+
+@@ -856,7 +857,7 @@ static gssize
+ scan_for_chars (GDataInputStream *stream,
+ gsize *checked_out,
+ const char *stop_chars,
+- gssize stop_chars_len)
++ gsize stop_chars_len)
+ {
+ GBufferedInputStream *bstream;
+ const char *buffer;
+@@ -952,7 +953,7 @@ typedef struct
+ gsize checked;
+
+ gchar *stop_chars;
+- gssize stop_chars_len;
++ gsize stop_chars_len;
+ gsize length;
+ } GDataInputStreamReadData;
+
+@@ -1078,12 +1079,17 @@ g_data_input_stream_read_async (GDataInputStream *stream,
+ {
+ GDataInputStreamReadData *data;
+ GTask *task;
++ gsize stop_chars_len_unsigned;
+
+ data = g_slice_new0 (GDataInputStreamReadData);
+- if (stop_chars_len == -1)
+- stop_chars_len = strlen (stop_chars);
+- data->stop_chars = g_memdup (stop_chars, stop_chars_len);
+- data->stop_chars_len = stop_chars_len;
++
++ if (stop_chars_len < 0)
++ stop_chars_len_unsigned = strlen (stop_chars);
++ else
++ stop_chars_len_unsigned = (gsize) stop_chars_len;
++
++ data->stop_chars = g_memdup2 (stop_chars, stop_chars_len_unsigned);
++ data->stop_chars_len = stop_chars_len_unsigned;
+ data->last_saw_cr = FALSE;
+
+ task = g_task_new (stream, cancellable, callback, user_data);
+@@ -1338,17 +1344,20 @@ g_data_input_stream_read_upto (GDataInputStream *stream,
+ gssize found_pos;
+ gssize res;
+ char *data_until;
++ gsize stop_chars_len_unsigned;
+
+ g_return_val_if_fail (G_IS_DATA_INPUT_STREAM (stream), NULL);
+
+ if (stop_chars_len < 0)
+- stop_chars_len = strlen (stop_chars);
++ stop_chars_len_unsigned = strlen (stop_chars);
++ else
++ stop_chars_len_unsigned = (gsize) stop_chars_len;
+
+ bstream = G_BUFFERED_INPUT_STREAM (stream);
+
+ checked = 0;
+
+- while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len)) == -1)
++ while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len_unsigned)) == -1)
+ {
+ if (g_buffered_input_stream_get_available (bstream) ==
+ g_buffered_input_stream_get_buffer_size (bstream))
+diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c
+index 1a4dae3bd..9de661bde 100644
+--- a/gio/gdbusconnection.c
++++ b/gio/gdbusconnection.c
+@@ -110,6 +110,7 @@
+ #include "gasyncinitable.h"
+ #include "giostream.h"
+ #include "gasyncresult.h"
++#include "gstrfuncsprivate.h"
+ #include "gtask.h"
+ #include "gmarshal-internal.h"
+
+@@ -4007,7 +4008,7 @@ _g_dbus_interface_vtable_copy (const GDBusInterfaceVTable *vtable)
+ /* Don't waste memory by copying padding - remember to update this
+ * when changing struct _GDBusInterfaceVTable in gdbusconnection.h
+ */
+- return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer));
++ return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer));
+ }
+
+ static void
+@@ -4024,7 +4025,7 @@ _g_dbus_subtree_vtable_copy (const GDBusSubtreeVTable *vtable)
+ /* Don't waste memory by copying padding - remember to update this
+ * when changing struct _GDBusSubtreeVTable in gdbusconnection.h
+ */
+- return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer));
++ return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer));
+ }
+
+ static void
+diff --git a/gio/gdbusinterfaceskeleton.c b/gio/gdbusinterfaceskeleton.c
+index 4a06516c1..4a4b719a5 100644
+--- a/gio/gdbusinterfaceskeleton.c
++++ b/gio/gdbusinterfaceskeleton.c
+@@ -28,6 +28,7 @@
+ #include "gdbusmethodinvocation.h"
+ #include "gdbusconnection.h"
+ #include "gmarshal-internal.h"
++#include "gstrfuncsprivate.h"
+ #include "gtask.h"
+ #include "gioerror.h"
+
+@@ -701,7 +702,7 @@ add_connection_locked (GDBusInterfaceSkeleton *interface_,
+ * properly before building the hooked_vtable, so we create it
+ * once at the last minute.
+ */
+- interface_->priv->hooked_vtable = g_memdup (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable));
++ interface_->priv->hooked_vtable = g_memdup2 (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable));
+ interface_->priv->hooked_vtable->method_call = skeleton_intercept_handle_method_call;
+ }
+
+diff --git a/gio/gfile.c b/gio/gfile.c
+index a2ded14ea..25930435f 100644
+--- a/gio/gfile.c
++++ b/gio/gfile.c
+@@ -60,6 +60,7 @@
+ #include "gasyncresult.h"
+ #include "gioerror.h"
+ #include "glibintl.h"
++#include "gstrfuncsprivate.h"
+
+
+ /**
+@@ -7854,7 +7855,7 @@ measure_disk_usage_progress (gboolean reporting,
+ g_main_context_invoke_full (g_task_get_context (task),
+ g_task_get_priority (task),
+ measure_disk_usage_invoke_progress,
+- g_memdup (&progress, sizeof progress),
++ g_memdup2 (&progress, sizeof progress),
+ g_free);
+ }
+
+@@ -7872,7 +7873,7 @@ measure_disk_usage_thread (GTask *task,
+ data->progress_callback ? measure_disk_usage_progress : NULL, task,
+ &result.disk_usage, &result.num_dirs, &result.num_files,
+ &error))
+- g_task_return_pointer (task, g_memdup (&result, sizeof result), g_free);
++ g_task_return_pointer (task, g_memdup2 (&result, sizeof result), g_free);
+ else
+ g_task_return_error (task, error);
+ }
+@@ -7896,7 +7897,7 @@ g_file_real_measure_disk_usage_async (GFile *file,
+
+ task = g_task_new (file, cancellable, callback, user_data);
+ g_task_set_source_tag (task, g_file_real_measure_disk_usage_async);
+- g_task_set_task_data (task, g_memdup (&data, sizeof data), g_free);
++ g_task_set_task_data (task, g_memdup2 (&data, sizeof data), g_free);
+ g_task_set_priority (task, io_priority);
+
+ g_task_run_in_thread (task, measure_disk_usage_thread);
+diff --git a/gio/giowin32-private.c b/gio/giowin32-private.c
+index 7120ae0ea..47e840805 100644
+--- a/gio/giowin32-private.c
++++ b/gio/giowin32-private.c
+@@ -16,11 +16,12 @@
+ * along with this library; if not, see <http://www.gnu.org/licenses/>.
+ */
+
++#include "gstrfuncsprivate.h"
+
+-static gssize
++static gsize
+ g_utf16_len (const gunichar2 *str)
+ {
+- gssize result;
++ gsize result;
+
+ for (result = 0; str[0] != 0; str++, result++)
+ ;
+@@ -31,17 +32,20 @@ g_utf16_len (const gunichar2 *str)
+ static gunichar2 *
+ g_wcsdup (const gunichar2 *str, gssize str_len)
+ {
+- gssize str_size;
++ gsize str_len_unsigned;
++ gsize str_size;
+
+ g_return_val_if_fail (str != NULL, NULL);
+
+- if (str_len == -1)
+- str_len = g_utf16_len (str);
++ if (str_len < 0)
++ str_len_unsigned = g_utf16_len (str);
++ else
++ str_len_unsigned = (gsize) str_len;
+
+- g_assert (str_len <= G_MAXSIZE / sizeof (gunichar2) - 1);
+- str_size = (str_len + 1) * sizeof (gunichar2);
++ g_assert (str_len_unsigned <= G_MAXSIZE / sizeof (gunichar2) - 1);
++ str_size = (str_len_unsigned + 1) * sizeof (gunichar2);
+
+- return g_memdup (str, str_size);
++ return g_memdup2 (str, str_size);
+ }
+
+ static const gunichar2 *
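Review bot: The overflow guard before `(str_len_unsigned + 1) * sizeof (gunichar2)` in `g_wcsdup` is a `g_assert`, which is compiled out when the code is built with `G_DISABLE_ASSERT`, leaving the multiplication unchecked in those builds. An explicit test keeps the bound in every configuration: `if (str_len_unsigned > G_MAXSIZE / sizeof (gunichar2) - 1) return NULL;`. The same `g_utf16_len`/`g_wcsdup` pair is added again in gio/gwin32registrykey.c with the same assert, so the point applies there too. Keeping one copy in a shared private header would stop the two from drifting apart.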
+diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
+index cd5765afd..de216e615 100644
+--- a/gio/gkeyfilesettingsbackend.c
++++ b/gio/gkeyfilesettingsbackend.c
+@@ -33,6 +33,7 @@
+ #include "gfilemonitor.h"
+ #include "gsimplepermission.h"
+ #include "gsettingsbackendinternal.h"
++#include "gstrfuncsprivate.h"
+ #include "giomodule-priv.h"
+ #include "gportalsupport.h"
+
+@@ -145,8 +146,8 @@ convert_path (GKeyfileSettingsBackend *kfsb,
+ gchar **group,
+ gchar **basename)
+ {
+- gint key_len = strlen (key);
+- gint i;
++ gsize key_len = strlen (key);
++ const gchar *last_slash;
+
+ if (key_len < kfsb->prefix_len ||
+ memcmp (key, kfsb->prefix, kfsb->prefix_len) != 0)
+@@ -155,38 +156,48 @@ convert_path (GKeyfileSettingsBackend *kfsb,
+ key_len -= kfsb->prefix_len;
+ key += kfsb->prefix_len;
+
+- for (i = key_len; i >= 0; i--)
+- if (key[i] == '/')
+- break;
++ last_slash = strrchr (key, '/');
++
++ /* Disallow empty group names or key names */
++ if (key_len == 0 ||
++ (last_slash != NULL &&
++ (*(last_slash + 1) == '\0' ||
++ last_slash == key)))
++ return FALSE;
+
+ if (kfsb->root_group)
+ {
+ /* if a root_group was specified, make sure the user hasn't given
+ * a path that ghosts that group name
+ */
+- if (i == kfsb->root_group_len && memcmp (key, kfsb->root_group, i) == 0)
++ if (last_slash != NULL && (last_slash - key) == kfsb->root_group_len && memcmp (key, kfsb->root_group, last_slash - key) == 0)
+ return FALSE;
+ }
+ else
+ {
+ /* if no root_group was given, ensure that the user gave a path */
+- if (i == -1)
++ if (last_slash == NULL)
+ return FALSE;
+ }
+
+ if (group)
+ {
+- if (i >= 0)
++ if (last_slash != NULL)
+ {
+- *group = g_memdup (key, i + 1);
+- (*group)[i] = '\0';
++ *group = g_memdup2 (key, (last_slash - key) + 1);
++ (*group)[(last_slash - key)] = '\0';
+ }
+ else
+ *group = g_strdup (kfsb->root_group);
+ }
+
+ if (basename)
+- *basename = g_memdup (key + i + 1, key_len - i);
++ {
++ if (last_slash != NULL)
++ *basename = g_memdup2 (last_slash + 1, key_len - (last_slash - key));
++ else
++ *basename = g_strdup (key);
++ }
+
+ return TRUE;
+ }
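Review bot: The offset `last_slash - key` is a signed `ptrdiff_t` that this hunk recomputes five times and mixes with `gsize key_len` and with `kfsb->root_group_len`, whose type is declared outside the hunk. Each use is already behind a `last_slash != NULL` test, so one local set inside that test, for example `gsize group_len = (gsize) (last_slash - key);`, would make the `memcmp` length, the `g_memdup2` size and the `key_len - group_len` basename size visibly unsigned. The `==` comparison with `root_group_len` then needs that field to have a matching unsigned type, which should be confirmed in the struct definition. A short comment on the basename copy saying that `key_len - group_len` covers the bytes after the slash plus the terminating NUL would save the next reader from re-deriving it. `convert_path` begins before this hunk.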
+diff --git a/gio/gsettingsschema.c b/gio/gsettingsschema.c
+index 0b94f76f6..eb5a3b846 100644
+--- a/gio/gsettingsschema.c
++++ b/gio/gsettingsschema.c
+@@ -20,6 +20,7 @@
+
+ #include "gsettingsschema-internal.h"
+ #include "gsettings.h"
++#include "gstrfuncsprivate.h"
+
+ #include "gvdb/gvdb-reader.h"
+ #include "strinfo.c"
+@@ -1067,9 +1068,9 @@ g_settings_schema_list_children (GSettingsSchema *schema)
+
+ if (g_str_has_suffix (key, "/"))
+ {
+- gint length = strlen (key);
++ gsize length = strlen (key);
+
+- strv[j] = g_memdup (key, length);
++ strv[j] = g_memdup2 (key, length);
+ strv[j][length - 1] = '\0';
+ j++;
+ }
+diff --git a/gio/gsocket.c b/gio/gsocket.c
+index 2a15bdd22..554af026b 100644
+--- a/gio/gsocket.c
++++ b/gio/gsocket.c
+@@ -75,6 +75,7 @@
+ #include "gcredentialsprivate.h"
+ #include "glibintl.h"
+ #include "gioprivate.h"
++#include "gstrfuncsprivate.h"
+
+ #ifdef G_OS_WIN32
+ /* For Windows XP runtime compatibility, but use the system's if_nametoindex() if available */
+@@ -174,7 +175,7 @@ static gboolean g_socket_datagram_based_condition_wait (GDatagramBased
+ GError **error);
+
+ static GSocketAddress *
+-cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len);
++cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len);
+
+ static gssize
+ g_socket_receive_message_with_timeout (GSocket *socket,
+@@ -260,7 +261,7 @@ struct _GSocketPrivate
+ struct {
+ GSocketAddress *addr;
+ struct sockaddr *native;
+- gint native_len;
++ gsize native_len;
+ guint64 last_used;
+ } recv_addr_cache[RECV_ADDR_CACHE_SIZE];
+ };
+@@ -5259,14 +5260,14 @@ g_socket_send_messages_with_timeout (GSocket *socket,
+ }
+
+ static GSocketAddress *
+-cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len)
++cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len)
+ {
+ GSocketAddress *saddr;
+ gint i;
+ guint64 oldest_time = G_MAXUINT64;
+ gint oldest_index = 0;
+
+- if (native_len <= 0)
++ if (native_len == 0)
+ return NULL;
+
+ saddr = NULL;
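Review bot: With `native_len` now `size_t`, the guard `if (native_len == 0)` no longer rejects a negative length. The old `int` parameter with `<= 0` did, whereas a negative `int` passed by a caller now converts to a very large value and reaches `g_memdup2 (native, native_len)` further down in `cache_recv_address`. The callers are outside this hunk, so this needs confirming there. The `G_STATIC_ASSERT` added next to `WSARecvFrom()` bounds `sizeof addr`, not the `addrlen` value written back by the call. Any caller that holds the length in a signed variable should validate it before the conversion. The prototype and definition use `size_t` while the cache field and local use `gsize`, and one spelling for all of them would read better.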
+@@ -5274,7 +5275,7 @@ cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len)
+ {
+ GSocketAddress *tmp = socket->priv->recv_addr_cache[i].addr;
+ gpointer tmp_native = socket->priv->recv_addr_cache[i].native;
+- gint tmp_native_len = socket->priv->recv_addr_cache[i].native_len;
++ gsize tmp_native_len = socket->priv->recv_addr_cache[i].native_len;
+
+ if (!tmp)
+ continue;
+@@ -5304,7 +5305,7 @@ cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len)
+ g_free (socket->priv->recv_addr_cache[oldest_index].native);
+ }
+
+- socket->priv->recv_addr_cache[oldest_index].native = g_memdup (native, native_len);
++ socket->priv->recv_addr_cache[oldest_index].native = g_memdup2 (native, native_len);
+ socket->priv->recv_addr_cache[oldest_index].native_len = native_len;
+ socket->priv->recv_addr_cache[oldest_index].addr = g_object_ref (saddr);
+ socket->priv->recv_addr_cache[oldest_index].last_used = g_get_monotonic_time ();
+@@ -5452,6 +5453,9 @@ g_socket_receive_message_with_timeout (GSocket *socket,
+ /* do it */
+ while (1)
+ {
++ /* addrlen has to be of type int because that’s how WSARecvFrom() is defined */
++ G_STATIC_ASSERT (sizeof addr <= G_MAXINT);
++
+ addrlen = sizeof addr;
+ if (address)
+ result = WSARecvFrom (socket->priv->fd,
+diff --git a/gio/gtlspassword.c b/gio/gtlspassword.c
+index 1e437a7b6..bd86a6dfe 100644
+--- a/gio/gtlspassword.c
++++ b/gio/gtlspassword.c
+@@ -23,6 +23,7 @@
+ #include "glibintl.h"
+
+ #include "gioenumtypes.h"
++#include "gstrfuncsprivate.h"
+ #include "gtlspassword.h"
+
+ #include <string.h>
+@@ -287,9 +288,14 @@ g_tls_password_set_value (GTlsPassword *password,
+ g_return_if_fail (G_IS_TLS_PASSWORD (password));
+
+ if (length < 0)
+- length = strlen ((gchar *)value);
++ {
++ /* FIXME: g_tls_password_set_value_full() doesn’t support unsigned gsize */
++ gsize length_unsigned = strlen ((gchar *) value);
++ g_return_if_fail (length_unsigned <= G_MAXSSIZE);
++ length = (gssize) length_unsigned;
++ }
+
+- g_tls_password_set_value_full (password, g_memdup (value, length), length, g_free);
++ g_tls_password_set_value_full (password, g_memdup2 (value, (gsize) length), length, g_free);
+ }
+
+ /**
+diff --git a/gio/gwin32registrykey.c b/gio/gwin32registrykey.c
+index aa7819294..efb9ae713 100644
+--- a/gio/gwin32registrykey.c
++++ b/gio/gwin32registrykey.c
+@@ -28,6 +28,8 @@
+ #include <ntstatus.h>
+ #include <winternl.h>
+
++#include "gstrfuncsprivate.h"
++
+ #ifndef _WDMDDK_
+ typedef enum _KEY_INFORMATION_CLASS {
+ KeyBasicInformation,
+@@ -125,16 +127,34 @@ typedef enum
+ G_WIN32_REGISTRY_UPDATED_PATH = 1,
+ } GWin32RegistryKeyUpdateFlag;
+
++static gsize
++g_utf16_len (const gunichar2 *str)
++{
++ gsize result;
++
++ for (result = 0; str[0] != 0; str++, result++)
++ ;
++
++ return result;
++}
++
+ static gunichar2 *
+-g_wcsdup (const gunichar2 *str,
+- gssize str_size)
++g_wcsdup (const gunichar2 *str, gssize str_len)
+ {
+- if (str_size == -1)
+- {
+- str_size = wcslen (str) + 1;
+- str_size *= sizeof (gunichar2);
+- }
+- return g_memdup (str, str_size);
++ gsize str_len_unsigned;
++ gsize str_size;
++
++ g_return_val_if_fail (str != NULL, NULL);
++
++ if (str_len < 0)
++ str_len_unsigned = g_utf16_len (str);
++ else
++ str_len_unsigned = (gsize) str_len;
++
++ g_assert (str_len_unsigned <= G_MAXSIZE / sizeof (gunichar2) - 1);
++ str_size = (str_len_unsigned + 1) * sizeof (gunichar2);
++
++ return g_memdup2 (str, str_size);
+ }
+
+ /**
+@@ -247,7 +267,7 @@ g_win32_registry_value_iter_copy (const GWin32RegistryValueIter *iter)
+ new_iter->value_name_size = iter->value_name_size;
+
+ if (iter->value_data != NULL)
+- new_iter->value_data = g_memdup (iter->value_data, iter->value_data_size);
++ new_iter->value_data = g_memdup2 (iter->value_data, iter->value_data_size);
+
+ new_iter->value_data_size = iter->value_data_size;
+
+@@ -268,8 +288,8 @@ g_win32_registry_value_iter_copy (const GWin32RegistryValueIter *iter)
+ new_iter->value_data_expanded_charsize = iter->value_data_expanded_charsize;
+
+ if (iter->value_data_expanded_u8 != NULL)
+- new_iter->value_data_expanded_u8 = g_memdup (iter->value_data_expanded_u8,
+- iter->value_data_expanded_charsize);
++ new_iter->value_data_expanded_u8 = g_memdup2 (iter->value_data_expanded_u8,
++ iter->value_data_expanded_charsize);
+
+ new_iter->value_data_expanded_u8_size = iter->value_data_expanded_charsize;
+
+diff --git a/gio/tests/async-close-output-stream.c b/gio/tests/async-close-output-stream.c
+index 5f6620275..d3f97a119 100644
+--- a/gio/tests/async-close-output-stream.c
++++ b/gio/tests/async-close-output-stream.c
+@@ -24,6 +24,8 @@
+ #include <stdlib.h>
+ #include <string.h>
+
++#include "gstrfuncsprivate.h"
++
+ #define DATA_TO_WRITE "Hello world\n"
+
+ typedef struct
+@@ -147,9 +149,9 @@ prepare_data (SetupData *data,
+
+ data->expected_size = g_memory_output_stream_get_data_size (G_MEMORY_OUTPUT_STREAM (data->data_stream));
+
+- g_assert_cmpint (data->expected_size, >, 0);
++ g_assert_cmpuint (data->expected_size, >, 0);
+
+- data->expected_output = g_memdup (written, (guint)data->expected_size);
++ data->expected_output = g_memdup2 (written, data->expected_size);
+
+ /* then recreate the streams and prepare them for the asynchronous close */
+ destroy_streams (data);
+diff --git a/gio/tests/gdbus-export.c b/gio/tests/gdbus-export.c
+index fda654c44..10dd6d82f 100644
+--- a/gio/tests/gdbus-export.c
++++ b/gio/tests/gdbus-export.c
+@@ -23,6 +23,7 @@
+ #include <string.h>
+
+ #include "gdbus-tests.h"
++#include "gstrfuncsprivate.h"
+
+ /* all tests rely on a shared mainloop */
+ static GMainLoop *loop = NULL;
+@@ -671,7 +672,7 @@ subtree_introspect (GDBusConnection *connection,
+ g_assert_not_reached ();
+ }
+
+- return g_memdup (interfaces, 2 * sizeof (void *));
++ return g_memdup2 (interfaces, 2 * sizeof (void *));
+ }
+
+ static const GDBusInterfaceVTable *
+@@ -727,7 +728,7 @@ dynamic_subtree_introspect (GDBusConnection *connection,
+ {
+ const GDBusInterfaceInfo *interfaces[2] = { &dyna_interface_info, NULL };
+
+- return g_memdup (interfaces, 2 * sizeof (void *));
++ return g_memdup2 (interfaces, 2 * sizeof (void *));
+ }
+
+ static const GDBusInterfaceVTable *
+diff --git a/gio/tests/gsettings.c b/gio/tests/gsettings.c
+index baadca8f5..afe594a23 100644
+--- a/gio/tests/gsettings.c
++++ b/gio/tests/gsettings.c
+@@ -1,3 +1,4 @@
++#include <errno.h>
+ #include <stdlib.h>
+ #include <locale.h>
+ #include <libintl.h>
+@@ -1740,6 +1741,14 @@ key_changed_cb (GSettings *settings, const gchar *key, gpointer data)
+ (*b) = TRUE;
+ }
+
++typedef struct
++{
++ const gchar *path;
++ const gchar *root_group;
++ const gchar *keyfile_group;
++ const gchar *root_path;
++} KeyfileTestData;
++
+ /*
+ * Test that using a keyfile works
+ */
+@@ -1834,7 +1843,11 @@ test_keyfile (Fixture *fixture,
+ g_free (str);
+
+ g_settings_set (settings, "farewell", "s", "cheerio");
+-
++
++ /* Check that empty keys/groups are not allowed. */
++ g_assert_false (g_settings_is_writable (settings, ""));
++ g_assert_false (g_settings_is_writable (settings, "/"));
++
+ /* When executing as root, changing the mode of the keyfile will have
+ * no effect on the writability of the settings.
+ */
+@@ -1866,6 +1879,149 @@ test_keyfile (Fixture *fixture,
+ g_free (keyfile_path);
+ }
+
++/*
++ * Test that using a keyfile works with a schema with no path set.
++ */
++static void
++test_keyfile_no_path (Fixture *fixture,
++ gconstpointer user_data)
++{
++ const KeyfileTestData *test_data = user_data;
++ GSettingsBackend *kf_backend;
++ GSettings *settings;
++ GKeyFile *keyfile;
++ gboolean writable;
++ gchar *key = NULL;
++ GError *error = NULL;
++ gchar *keyfile_path = NULL, *store_path = NULL;
++
++ keyfile_path = g_build_filename (fixture->tmp_dir, "keyfile", NULL);
++ store_path = g_build_filename (keyfile_path, "gsettings.store", NULL);
++ kf_backend = g_keyfile_settings_backend_new (store_path, test_data->root_path, test_data->root_group);
++ settings = g_settings_new_with_backend_and_path ("org.gtk.test.no-path", kf_backend, test_data->path);
++ g_object_unref (kf_backend);
++
++ g_settings_reset (settings, "test-boolean");
++ g_assert_true (g_settings_get_boolean (settings, "test-boolean"));
++
++ writable = g_settings_is_writable (settings, "test-boolean");
++ g_assert_true (writable);
++ g_settings_set (settings, "test-boolean", "b", FALSE);
++
++ g_assert_false (g_settings_get_boolean (settings, "test-boolean"));
++
++ g_settings_delay (settings);
++ g_settings_set (settings, "test-boolean", "b", TRUE);
++ g_settings_apply (settings);
++
++ keyfile = g_key_file_new ();
++ g_assert_true (g_key_file_load_from_file (keyfile, store_path, 0, NULL));
++
++ g_assert_true (g_key_file_get_boolean (keyfile, test_data->keyfile_group, "test-boolean", NULL));
++
++ g_key_file_free (keyfile);
++
++ g_settings_reset (settings, "test-boolean");
++ g_settings_apply (settings);
++ keyfile = g_key_file_new ();
++ g_assert_true (g_key_file_load_from_file (keyfile, store_path, 0, NULL));
++
++ g_assert_false (g_key_file_get_string (keyfile, test_data->keyfile_group, "test-boolean", &error));
++ g_assert_error (error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_KEY_NOT_FOUND);
++ g_clear_error (&error);
++
++ /* Check that empty keys/groups are not allowed. */
++ g_assert_false (g_settings_is_writable (settings, ""));
++ g_assert_false (g_settings_is_writable (settings, "/"));
++
++ /* Keys which ghost the root group name are not allowed. This can only be
++ * tested when the path is `/` as otherwise it acts as a prefix and prevents
++ * any ghosting. */
++ if (g_str_equal (test_data->path, "/"))
++ {
++ key = g_strdup_printf ("%s/%s", test_data->root_group, "");
++ g_assert_false (g_settings_is_writable (settings, key));
++ g_free (key);
++
++ key = g_strdup_printf ("%s/%s", test_data->root_group, "/");
++ g_assert_false (g_settings_is_writable (settings, key));
++ g_free (key);
++
++ key = g_strdup_printf ("%s/%s", test_data->root_group, "test-boolean");
++ g_assert_false (g_settings_is_writable (settings, key));
++ g_free (key);
++ }
++
++ g_key_file_free (keyfile);
++ g_object_unref (settings);
++
++ /* Clean up the temporary directory. */
++ g_assert_cmpint (g_chmod (keyfile_path, 0777) == 0 ? 0 : errno, ==, 0);
++ g_assert_cmpint (g_remove (store_path) == 0 ? 0 : errno, ==, 0);
++ g_assert_cmpint (g_rmdir (keyfile_path) == 0 ? 0 : errno, ==, 0);
++ g_free (store_path);
++ g_free (keyfile_path);
++}
++
++/*
++ * Test that a keyfile rejects writes to keys outside its root path.
++ */
++static void
++test_keyfile_outside_root_path (Fixture *fixture,
++ gconstpointer user_data)
++{
++ GSettingsBackend *kf_backend;
++ GSettings *settings;
++ gchar *keyfile_path = NULL, *store_path = NULL;
++
++ keyfile_path = g_build_filename (fixture->tmp_dir, "keyfile", NULL);
++ store_path = g_build_filename (keyfile_path, "gsettings.store", NULL);
++ kf_backend = g_keyfile_settings_backend_new (store_path, "/tests/basic-types/", "root");
++ settings = g_settings_new_with_backend_and_path ("org.gtk.test.no-path", kf_backend, "/tests/");
++ g_object_unref (kf_backend);
++
++ g_assert_false (g_settings_is_writable (settings, "test-boolean"));
++
++ g_object_unref (settings);
++
++ /* Clean up the temporary directory. The keyfile probably doesn’t exist, so
++ * don’t error on failure. */
++ g_remove (store_path);
++ g_assert_cmpint (g_rmdir (keyfile_path) == 0 ? 0 : errno, ==, 0);
++ g_free (store_path);
++ g_free (keyfile_path);
++}
++
++/*
++ * Test that a keyfile rejects writes to keys in the root if no root group is set.
++ */
++static void
++test_keyfile_no_root_group (Fixture *fixture,
++ gconstpointer user_data)
++{
++ GSettingsBackend *kf_backend;
++ GSettings *settings;
++ gchar *keyfile_path = NULL, *store_path = NULL;
++
++ keyfile_path = g_build_filename (fixture->tmp_dir, "keyfile", NULL);
++ store_path = g_build_filename (keyfile_path, "gsettings.store", NULL);
++ kf_backend = g_keyfile_settings_backend_new (store_path, "/", NULL);
++ settings = g_settings_new_with_backend_and_path ("org.gtk.test.no-path", kf_backend, "/");
++ g_object_unref (kf_backend);
++
++ g_assert_false (g_settings_is_writable (settings, "test-boolean"));
++ g_assert_true (g_settings_is_writable (settings, "child/test-boolean"));
++
++ g_object_unref (settings);
++
++ /* Clean up the temporary directory. The keyfile probably doesn’t exist, so
++ * don’t error on failure. */
++ g_remove (store_path);
++ g_assert_cmpint (g_rmdir (keyfile_path) == 0 ? 0 : errno, ==, 0);
++ g_free (store_path);
++ g_free (keyfile_path);
++}
++
+ /* Test that getting child schemas works
+ */
+ static void
+@@ -2844,6 +3000,14 @@ main (int argc, char *argv[])
+ gchar *override_text;
+ gchar *enums;
+ gint result;
++ const KeyfileTestData keyfile_test_data_explicit_path = { "/tests/", "root", "tests", "/" };
++ const KeyfileTestData keyfile_test_data_empty_path = { "/", "root", "root", "/" };
++ const KeyfileTestData keyfile_test_data_long_path = {
++ "/tests/path/is/very/long/and/this/makes/some/comparisons/take/a/different/branch/",
++ "root",
++ "tests/path/is/very/long/and/this/makes/some/comparisons/take/a/different/branch",
++ "/"
++ };
+
+ /* Meson build sets this */
+ #ifdef TEST_LOCALE_PATH
+@@ -2967,6 +3131,11 @@ main (int argc, char *argv[])
+ }
+
+ g_test_add ("/gsettings/keyfile", Fixture, NULL, setup, test_keyfile, teardown);
++ g_test_add ("/gsettings/keyfile/explicit-path", Fixture, &keyfile_test_data_explicit_path, setup, test_keyfile_no_path, teardown);
++ g_test_add ("/gsettings/keyfile/empty-path", Fixture, &keyfile_test_data_empty_path, setup, test_keyfile_no_path, teardown);
++ g_test_add ("/gsettings/keyfile/long-path", Fixture, &keyfile_test_data_long_path, setup, test_keyfile_no_path, teardown);
++ g_test_add ("/gsettings/keyfile/outside-root-path", Fixture, NULL, setup, test_keyfile_outside_root_path, teardown);
++ g_test_add ("/gsettings/keyfile/no-root-group", Fixture, NULL, setup, test_keyfile_no_root_group, teardown);
+ g_test_add_func ("/gsettings/child-schema", test_child_schema);
+ g_test_add_func ("/gsettings/strinfo", test_strinfo);
+ g_test_add_func ("/gsettings/enums", test_enums);
+diff --git a/gio/tests/tls-interaction.c b/gio/tests/tls-interaction.c
+index 4f0737d7e..5661e8e0d 100644
+--- a/gio/tests/tls-interaction.c
++++ b/gio/tests/tls-interaction.c
+@@ -174,6 +174,38 @@ test_interaction_ask_password_finish_failure (GTlsInteraction *interaction,
+ }
+
+
++/* Return a copy of @str that is allocated in a silly way, to exercise
++ * custom free-functions. The returned pointer points to a copy of @str
++ * in a buffer of the form "BEFORE \0 str \0 AFTER". */
++static guchar *
++special_dup (const char *str)
++{
++ GString *buf = g_string_new ("BEFORE");
++ guchar *ret;
++
++ g_string_append_c (buf, '\0');
++ g_string_append (buf, str);
++ g_string_append_c (buf, '\0');
++ g_string_append (buf, "AFTER");
++ ret = (guchar *) g_string_free (buf, FALSE);
++ return ret + strlen ("BEFORE") + 1;
++}
++
++
++/* Free a copy of @str that was made with special_dup(), after asserting
++ * that it has not been corrupted. */
++static void
++special_free (gpointer p)
++{
++ gchar *s = p;
++ gchar *buf = s - strlen ("BEFORE") - 1;
++
++ g_assert_cmpstr (buf, ==, "BEFORE");
++ g_assert_cmpstr (s + strlen (s) + 1, ==, "AFTER");
++ g_free (buf);
++}
++
++
+ static GTlsInteractionResult
+ test_interaction_ask_password_sync_success (GTlsInteraction *interaction,
+ GTlsPassword *password,
+@@ -181,6 +213,8 @@ test_interaction_ask_password_sync_success (GTlsInteraction *interaction,
+ GError **error)
+ {
+ TestInteraction *self;
++ const guchar *value;
++ gsize len;
+
+ g_assert (TEST_IS_INTERACTION (interaction));
+ self = TEST_INTERACTION (interaction);
+@@ -192,6 +226,27 @@ test_interaction_ask_password_sync_success (GTlsInteraction *interaction,
+ g_assert (error != NULL);
+ g_assert (*error == NULL);
+
++ /* Exercise different ways to set the value */
++ g_tls_password_set_value (password, (const guchar *) "foo", 4);
++ len = 0;
++ value = g_tls_password_get_value (password, &len);
++ g_assert_cmpmem (value, len, "foo", 4);
++
++ g_tls_password_set_value (password, (const guchar *) "bar", -1);
++ len = 0;
++ value = g_tls_password_get_value (password, &len);
++ g_assert_cmpmem (value, len, "bar", 3);
++
++ g_tls_password_set_value_full (password, special_dup ("baa"), 4, special_free);
++ len = 0;
++ value = g_tls_password_get_value (password, &len);
++ g_assert_cmpmem (value, len, "baa", 4);
++
++ g_tls_password_set_value_full (password, special_dup ("baz"), -1, special_free);
++ len = 0;
++ value = g_tls_password_get_value (password, &len);
++ g_assert_cmpmem (value, len, "baz", 3);
++
+ /* Don't do this in real life. Include a null terminator for testing */
+ g_tls_password_set_value (password, (const guchar *)"the password", 13);
+ return G_TLS_INTERACTION_HANDLED;
+diff --git a/gio/win32/gwinhttpfile.c b/gio/win32/gwinhttpfile.c
+index cf5eed31d..246ec0578 100644
+--- a/gio/win32/gwinhttpfile.c
++++ b/gio/win32/gwinhttpfile.c
+@@ -29,6 +29,7 @@
+ #include "gio/gfile.h"
+ #include "gio/gfileattribute.h"
+ #include "gio/gfileinfo.h"
++#include "gstrfuncsprivate.h"
+ #include "gwinhttpfile.h"
+ #include "gwinhttpfileinputstream.h"
+ #include "gwinhttpfileoutputstream.h"
+@@ -393,10 +394,10 @@ g_winhttp_file_resolve_relative_path (GFile *file,
+ child = g_object_new (G_TYPE_WINHTTP_FILE, NULL);
+ child->vfs = winhttp_file->vfs;
+ child->url = winhttp_file->url;
+- child->url.lpszScheme = g_memdup (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2);
+- child->url.lpszHostName = g_memdup (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2);
+- child->url.lpszUserName = g_memdup (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2);
+- child->url.lpszPassword = g_memdup (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2);
++ child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, ((gsize) winhttp_file->url.dwSchemeLength + 1) * 2);
++ child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, ((gsize) winhttp_file->url.dwHostNameLength + 1) * 2);
++ child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, ((gsize) winhttp_file->url.dwUserNameLength + 1) * 2);
++ child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, ((gsize) winhttp_file->url.dwPasswordLength + 1) * 2);
+ child->url.lpszUrlPath = wnew_path;
+ child->url.dwUrlPathLength = wcslen (wnew_path);
+ child->url.lpszExtraInfo = NULL;
+diff --git a/glib/gbytes.c b/glib/gbytes.c
+index ec6923188..6f17d104c 100644
+--- a/glib/gbytes.c
++++ b/glib/gbytes.c
+@@ -34,6 +34,8 @@
+
+ #include <string.h>
+
++#include "gstrfuncsprivate.h"
++
+ /**
+ * GBytes:
+ *
+@@ -95,7 +97,7 @@ g_bytes_new (gconstpointer data,
+ {
+ g_return_val_if_fail (data != NULL || size == 0, NULL);
+
+- return g_bytes_new_take (g_memdup (data, size), size);
++ return g_bytes_new_take (g_memdup2 (data, size), size);
+ }
+
+ /**
+@@ -499,7 +501,7 @@ g_bytes_unref_to_data (GBytes *bytes,
+ * Copy: Non g_malloc (or compatible) allocator, or static memory,
+ * so we have to copy, and then unref.
+ */
+- result = g_memdup (bytes->data, bytes->size);
++ result = g_memdup2 (bytes->data, bytes->size);
+ *size = bytes->size;
+ g_bytes_unref (bytes);
+ }
+diff --git a/glib/gdir.c b/glib/gdir.c
+index 6b85e99c8..6747a8c6f 100644
+--- a/glib/gdir.c
++++ b/glib/gdir.c
+@@ -37,6 +37,7 @@
+ #include "gconvert.h"
+ #include "gfileutils.h"
+ #include "gstrfuncs.h"
++#include "gstrfuncsprivate.h"
+ #include "gtestutils.h"
+ #include "glibintl.h"
+
+@@ -112,7 +113,7 @@ g_dir_open_with_errno (const gchar *path,
+ return NULL;
+ #endif
+
+- return g_memdup (&dir, sizeof dir);
++ return g_memdup2 (&dir, sizeof dir);
+ }
+
+ /**
+diff --git a/glib/ghash.c b/glib/ghash.c
+index 0f1562a06..c1e15c957 100644
+--- a/glib/ghash.c
++++ b/glib/ghash.c
+@@ -34,6 +34,7 @@
+ #include "gmacros.h"
+ #include "glib-private.h"
+ #include "gstrfuncs.h"
++#include "gstrfuncsprivate.h"
+ #include "gatomic.h"
+ #include "gtestutils.h"
+ #include "gslice.h"
+@@ -962,7 +963,7 @@ g_hash_table_ensure_keyval_fits (GHashTable *hash_table, gpointer key, gpointer
+ if (hash_table->have_big_keys)
+ {
+ if (key != value)
+- hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size);
++ hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * hash_table->size);
+ /* Keys and values are both big now, so no need for further checks */
+ return;
+ }
+@@ -970,7 +971,7 @@ g_hash_table_ensure_keyval_fits (GHashTable *hash_table, gpointer key, gpointer
+ {
+ if (key != value)
+ {
+- hash_table->values = g_memdup (hash_table->keys, sizeof (guint) * hash_table->size);
++ hash_table->values = g_memdup2 (hash_table->keys, sizeof (guint) * hash_table->size);
+ is_a_set = FALSE;
+ }
+ }
+@@ -998,7 +999,7 @@ g_hash_table_ensure_keyval_fits (GHashTable *hash_table, gpointer key, gpointer
+
+ /* Just split if necessary */
+ if (is_a_set && key != value)
+- hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size);
++ hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * hash_table->size);
+
+ #endif
+ }
+diff --git a/glib/giochannel.c b/glib/giochannel.c
+index d16399846..b41381d38 100644
+--- a/glib/giochannel.c
++++ b/glib/giochannel.c
+@@ -37,6 +37,7 @@
+ #include "giochannel.h"
+
+ #include "gstrfuncs.h"
++#include "gstrfuncsprivate.h"
+ #include "gtestutils.h"
+ #include "glibintl.h"
+
+@@ -886,17 +887,26 @@ g_io_channel_set_line_term (GIOChannel *channel,
+ const gchar *line_term,
+ gint length)
+ {
++ guint length_unsigned;
++
+ g_return_if_fail (channel != NULL);
+ g_return_if_fail (line_term == NULL || length != 0); /* Disallow "" */
+
+ if (line_term == NULL)
+- length = 0;
+- else if (length < 0)
+- length = strlen (line_term);
++ length_unsigned = 0;
++ else if (length >= 0)
++ length_unsigned = (guint) length;
++ else
++ {
++ /* FIXME: We’re constrained by line_term_len being a guint here */
++ gsize length_size = strlen (line_term);
++ g_return_if_fail (length_size <= G_MAXUINT);
++ length_unsigned = (guint) length_size;
++ }
+
+ g_free (channel->line_term);
+- channel->line_term = line_term ? g_memdup (line_term, length) : NULL;
+- channel->line_term_len = length;
++ channel->line_term = line_term ? g_memdup2 (line_term, length_unsigned) : NULL;
++ channel->line_term_len = length_unsigned;
+ }
+
+ /**
+@@ -1673,10 +1683,10 @@ g_io_channel_read_line (GIOChannel *channel,
+
+ /* Copy the read bytes (including any embedded nuls) and nul-terminate.
+ * `USE_BUF (channel)->str` is guaranteed to be nul-terminated as it’s a
+- * #GString, so it’s safe to call g_memdup() with +1 length to allocate
++ * #GString, so it’s safe to call g_memdup2() with +1 length to allocate
+ * a nul-terminator. */
+ g_assert (USE_BUF (channel));
+- line = g_memdup (USE_BUF (channel)->str, got_length + 1);
++ line = g_memdup2 (USE_BUF (channel)->str, got_length + 1);
+ line[got_length] = '\0';
+ *str_return = g_steal_pointer (&line);
+ g_string_erase (USE_BUF (channel), 0, got_length);
+diff --git a/glib/gslice.c b/glib/gslice.c
+index 4c758c3be..bcdbb8853 100644
+--- a/glib/gslice.c
++++ b/glib/gslice.c
+@@ -41,6 +41,7 @@
+ #include "gmain.h"
+ #include "gmem.h" /* gslice.h */
+ #include "gstrfuncs.h"
++#include "gstrfuncsprivate.h"
+ #include "gutils.h"
+ #include "gtrashstack.h"
+ #include "gtestutils.h"
+@@ -350,7 +351,7 @@ g_slice_get_config_state (GSliceConfig ckey,
+ array[i++] = allocator->contention_counters[address];
+ array[i++] = allocator_get_magazine_threshold (allocator, address);
+ *n_values = i;
+- return g_memdup (array, sizeof (array[0]) * *n_values);
++ return g_memdup2 (array, sizeof (array[0]) * *n_values);
+ default:
+ return NULL;
+ }
+diff --git a/glib/gstrfuncsprivate.h b/glib/gstrfuncsprivate.h
+new file mode 100644
+index 000000000..85c88328a
+--- /dev/null
++++ b/glib/gstrfuncsprivate.h
+@@ -0,0 +1,55 @@
++/* GLIB - Library of useful routines for C programming
++ * Copyright (C) 1995-1997 Peter Mattis, Spencer Kimball and Josh MacDonald
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
++ */
++
++#include <glib.h>
++#include <string.h>
++
++/*
++ * g_memdup2:
++ * @mem: (nullable): the memory to copy.
++ * @byte_size: the number of bytes to copy.
++ *
++ * Allocates @byte_size bytes of memory, and copies @byte_size bytes into it
++ * from @mem. If @mem is %NULL it returns %NULL.
++ *
++ * This replaces g_memdup(), which was prone to integer overflows when
++ * converting the argument from a #gsize to a #guint.
++ *
++ * This static inline version is a backport of the new public API from
++ * GLib 2.68, kept internal to GLib for backport to older stable releases.
++ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2319.
++ *
++ * Returns: (nullable): a pointer to the newly-allocated copy of the memory,
++ * or %NULL if @mem is %NULL.
++ * Since: 2.68
++ */
++static inline gpointer
++g_memdup2 (gconstpointer mem,
++ gsize byte_size)
++{
++ gpointer new_mem;
++
++ if (mem && byte_size != 0)
++ {
++ new_mem = g_malloc (byte_size);
++ memcpy (new_mem, mem, byte_size);
++ }
++ else
++ new_mem = NULL;
++
++ return new_mem;
++}
+diff --git a/glib/gtestutils.c b/glib/gtestutils.c
+index 18b117285..26d46ad75 100644
+--- a/glib/gtestutils.c
++++ b/glib/gtestutils.c
+@@ -49,6 +49,7 @@
+ #include "gpattern.h"
+ #include "grand.h"
+ #include "gstrfuncs.h"
++#include "gstrfuncsprivate.h"
+ #include "gtimer.h"
+ #include "gslice.h"
+ #include "gspawn.h"
+@@ -3803,7 +3804,7 @@ g_test_log_extract (GTestLogBuffer *tbuffer)
+ if (p <= tbuffer->data->str + mlength)
+ {
+ g_string_erase (tbuffer->data, 0, mlength);
+- tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup (&msg, sizeof (msg)));
++ tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup2 (&msg, sizeof (msg)));
+ return TRUE;
+ }
+
+diff --git a/glib/gvariant.c b/glib/gvariant.c
+index 77d7e746b..ef4257f6d 100644
+--- a/glib/gvariant.c
++++ b/glib/gvariant.c
+@@ -33,6 +33,7 @@
+
+ #include <string.h>
+
++#include "gstrfuncsprivate.h"
+
+ /**
+ * SECTION:gvariant
+@@ -725,7 +726,7 @@ g_variant_new_variant (GVariant *value)
+ g_variant_ref_sink (value);
+
+ return g_variant_new_from_children (G_VARIANT_TYPE_VARIANT,
+- g_memdup (&value, sizeof value),
++ g_memdup2 (&value, sizeof value),
+ 1, g_variant_is_trusted (value));
+ }
+
+@@ -1229,7 +1230,7 @@ g_variant_new_fixed_array (const GVariantType *element_type,
+ return NULL;
+ }
+
+- data = g_memdup (elements, n_elements * element_size);
++ data = g_memdup2 (elements, n_elements * element_size);
+ value = g_variant_new_from_data (array_type, data,
+ n_elements * element_size,
+ FALSE, g_free, data);
+@@ -1908,7 +1909,7 @@ g_variant_dup_bytestring (GVariant *value,
+ if (length)
+ *length = size;
+
+- return g_memdup (original, size + 1);
++ return g_memdup2 (original, size + 1);
+ }
+
+ /**
+diff --git a/glib/gvarianttype.c b/glib/gvarianttype.c
+index c46f1a2c6..585e29ab2 100644
+--- a/glib/gvarianttype.c
++++ b/glib/gvarianttype.c
+@@ -28,6 +28,7 @@
+
+ #include <string.h>
+
++#include "gstrfuncsprivate.h"
+
+ /**
+ * SECTION:gvarianttype
+@@ -1181,7 +1182,7 @@ g_variant_type_new_tuple (const GVariantType * const *items,
+ g_assert (offset < sizeof buffer);
+ buffer[offset++] = ')';
+
+- return (GVariantType *) g_memdup (buffer, offset);
++ return (GVariantType *) g_memdup2 (buffer, offset);
+ }
+
+ /**
+diff --git a/glib/meson.build b/glib/meson.build
+index 456e0c2a1..2e5cd77bb 100644
+--- a/glib/meson.build
++++ b/glib/meson.build
+@@ -268,6 +268,7 @@ glib_sources = files(
+ 'gslist.c',
+ 'gstdio.c',
+ 'gstrfuncs.c',
++ 'gstrfuncsprivate.h',
+ 'gstring.c',
+ 'gstringchunk.c',
+ 'gtestutils.c',
+diff --git a/glib/tests/array-test.c b/glib/tests/array-test.c
+index 1da514a3e..88f22de80 100644
+--- a/glib/tests/array-test.c
++++ b/glib/tests/array-test.c
+@@ -29,6 +29,8 @@
+ #include <string.h>
+ #include "glib.h"
+
++#include "gstrfuncsprivate.h"
++
+ /* Test data to be passed to any function which calls g_array_new(), providing
+ * the parameters for that call. Most #GArray tests should be repeated for all
+ * possible values of #ArrayTestData. */
+@@ -1917,7 +1919,7 @@ byte_array_new_take (void)
+ GByteArray *gbarray;
+ guint8 *data;
+
+- data = g_memdup ("woooweeewow", 11);
++ data = g_memdup2 ("woooweeewow", 11);
+ gbarray = g_byte_array_new_take (data, 11);
+ g_assert (gbarray->data == data);
+ g_assert_cmpuint (gbarray->len, ==, 11);
+diff --git a/glib/tests/io-channel.c b/glib/tests/io-channel.c
+index ff53fcef7..4a1b10876 100644
+--- a/glib/tests/io-channel.c
++++ b/glib/tests/io-channel.c
+@@ -49,8 +49,10 @@ test_read_line_embedded_nuls (void)
+ channel = g_io_channel_new_file (filename, "r", &local_error);
+ g_assert_no_error (local_error);
+
+- /* Only break on newline characters, not nuls. */
+- g_io_channel_set_line_term (channel, "\n", 1);
++ /* Only break on newline characters, not nuls.
++ * Use length -1 here to exercise glib#2323; the case where length > 0
++ * is covered in glib/tests/protocol.c. */
++ g_io_channel_set_line_term (channel, "\n", -1);
+ g_io_channel_set_encoding (channel, NULL, &local_error);
+ g_assert_no_error (local_error);
+
+diff --git a/glib/tests/option-context.c b/glib/tests/option-context.c
+index 149d22353..88d2b80d1 100644
+--- a/glib/tests/option-context.c
++++ b/glib/tests/option-context.c
+@@ -27,6 +27,8 @@
+ #include <string.h>
+ #include <locale.h>
+
++#include "gstrfuncsprivate.h"
++
+ static GOptionEntry main_entries[] = {
+ { "main-switch", 0, 0,
+ G_OPTION_ARG_NONE, NULL,
+@@ -256,7 +258,7 @@ join_stringv (int argc, char **argv)
+ static char **
+ copy_stringv (char **argv, int argc)
+ {
+- return g_memdup (argv, sizeof (char *) * (argc + 1));
++ return g_memdup2 (argv, sizeof (char *) * (argc + 1));
+ }
+
+ static void
+@@ -2323,7 +2325,7 @@ test_group_parse (void)
+ g_option_context_add_group (context, group);
+
+ argv = split_string ("program --test arg1 -f arg2 --group-test arg3 --frob arg4 -z arg5", &argc);
+- orig_argv = g_memdup (argv, (argc + 1) * sizeof (char *));
++ orig_argv = g_memdup2 (argv, (argc + 1) * sizeof (char *));
+
+ retval = g_option_context_parse (context, &argc, &argv, &error);
+
+diff --git a/glib/tests/strfuncs.c b/glib/tests/strfuncs.c
+index e1f9619c7..d968afff9 100644
+--- a/glib/tests/strfuncs.c
++++ b/glib/tests/strfuncs.c
+@@ -32,6 +32,8 @@
+ #include <string.h>
+ #include "glib.h"
+
++#include "gstrfuncsprivate.h"
++
+ #if defined (_MSC_VER) && (_MSC_VER <= 1800)
+ #define isnan(x) _isnan(x)
+
+@@ -219,6 +221,26 @@ test_memdup (void)
+ g_free (str_dup);
+ }
+
++/* Testing g_memdup2() function with various positive and negative cases */
++static void
++test_memdup2 (void)
++{
++ gchar *str_dup = NULL;
++ const gchar *str = "The quick brown fox jumps over the lazy dog";
++
++ /* Testing negative cases */
++ g_assert_null (g_memdup2 (NULL, 1024));
++ g_assert_null (g_memdup2 (str, 0));
++ g_assert_null (g_memdup2 (NULL, 0));
++
++ /* Testing normal usage cases */
++ str_dup = g_memdup2 (str, strlen (str) + 1);
++ g_assert_nonnull (str_dup);
++ g_assert_cmpstr (str, ==, str_dup);
++
++ g_free (str_dup);
++}
++
+ /* Testing g_strpcpy() function with various positive and negative cases */
+ static void
+ test_stpcpy (void)
+@@ -2523,6 +2545,7 @@ main (int argc,
+ g_test_add_func ("/strfuncs/has-prefix", test_has_prefix);
+ g_test_add_func ("/strfuncs/has-suffix", test_has_suffix);
+ g_test_add_func ("/strfuncs/memdup", test_memdup);
++ g_test_add_func ("/strfuncs/memdup2", test_memdup2);
+ g_test_add_func ("/strfuncs/stpcpy", test_stpcpy);
+ g_test_add_func ("/strfuncs/str_match_string", test_str_match_string);
+ g_test_add_func ("/strfuncs/str_tokenize_and_fold", test_str_tokenize_and_fold);
+diff --git a/gobject/gsignal.c b/gobject/gsignal.c
+index 45effa92d..effbfec62 100644
+--- a/gobject/gsignal.c
++++ b/gobject/gsignal.c
+@@ -28,6 +28,7 @@
+ #include <signal.h>
+
+ #include "gsignal.h"
++#include "gstrfuncsprivate.h"
+ #include "gtype-private.h"
+ #include "gbsearcharray.h"
+ #include "gvaluecollector.h"
+@@ -1809,7 +1810,7 @@ g_signal_newv (const gchar *signal_name,
+ node->single_va_closure_is_valid = FALSE;
+ node->flags = signal_flags & G_SIGNAL_FLAGS_MASK;
+ node->n_params = n_params;
+- node->param_types = g_memdup (param_types, sizeof (GType) * n_params);
++ node->param_types = g_memdup2 (param_types, sizeof (GType) * n_params);
+ node->return_type = return_type;
+ node->class_closure_bsa = NULL;
+ if (accumulator)
+diff --git a/gobject/gtype.c b/gobject/gtype.c
+index b5ef2d11e..8d152dccc 100644
+--- a/gobject/gtype.c
++++ b/gobject/gtype.c
+@@ -33,6 +33,7 @@
+
+ #include "glib-private.h"
+ #include "gconstructor.h"
++#include "gstrfuncsprivate.h"
+
+ #ifdef G_OS_WIN32
+ #include <windows.h>
+@@ -1470,7 +1471,7 @@ type_add_interface_Wm (TypeNode *node,
+ iholder->next = iface_node_get_holders_L (iface);
+ iface_node_set_holders_W (iface, iholder);
+ iholder->instance_type = NODE_TYPE (node);
+- iholder->info = info ? g_memdup (info, sizeof (*info)) : NULL;
++ iholder->info = info ? g_memdup2 (info, sizeof (*info)) : NULL;
+ iholder->plugin = plugin;
+
+ /* create an iface entry for this type */
+@@ -1731,7 +1732,7 @@ type_iface_retrieve_holder_info_Wm (TypeNode *iface,
+ INVALID_RECURSION ("g_type_plugin_*", iholder->plugin, NODE_NAME (iface));
+
+ check_interface_info_I (iface, instance_type, &tmp_info);
+- iholder->info = g_memdup (&tmp_info, sizeof (tmp_info));
++ iholder->info = g_memdup2 (&tmp_info, sizeof (tmp_info));
+ }
+
+ return iholder; /* we don't modify write lock upon returning NULL */
+@@ -2016,10 +2017,10 @@ type_iface_vtable_base_init_Wm (TypeNode *iface,
+ IFaceEntry *pentry = type_lookup_iface_entry_L (pnode, iface);
+
+ if (pentry)
+- vtable = g_memdup (pentry->vtable, iface->data->iface.vtable_size);
++ vtable = g_memdup2 (pentry->vtable, iface->data->iface.vtable_size);
+ }
+ if (!vtable)
+- vtable = g_memdup (iface->data->iface.dflt_vtable, iface->data->iface.vtable_size);
++ vtable = g_memdup2 (iface->data->iface.dflt_vtable, iface->data->iface.vtable_size);
+ entry->vtable = vtable;
+ vtable->g_type = NODE_TYPE (iface);
+ vtable->g_instance_type = NODE_TYPE (node);
+diff --git a/gobject/gtypemodule.c b/gobject/gtypemodule.c
+index 4ecaf8c88..20911fafd 100644
+--- a/gobject/gtypemodule.c
++++ b/gobject/gtypemodule.c
+@@ -19,6 +19,7 @@
+
+ #include <stdlib.h>
+
++#include "gstrfuncsprivate.h"
+ #include "gtypeplugin.h"
+ #include "gtypemodule.h"
+
+@@ -436,7 +437,7 @@ g_type_module_register_type (GTypeModule *module,
+ module_type_info->loaded = TRUE;
+ module_type_info->info = *type_info;
+ if (type_info->value_table)
+- module_type_info->info.value_table = g_memdup (type_info->value_table,
++ module_type_info->info.value_table = g_memdup2 (type_info->value_table,
+ sizeof (GTypeValueTable));
+
+ return module_type_info->type;
+diff --git a/gobject/tests/param.c b/gobject/tests/param.c
+index 93c3f4b94..0a77e51b7 100644
+--- a/gobject/tests/param.c
++++ b/gobject/tests/param.c
+@@ -2,6 +2,8 @@
+ #include <glib-object.h>
+ #include <stdlib.h>
+
++#include "gstrfuncsprivate.h"
++
+ static void
+ test_param_value (void)
+ {
+@@ -874,7 +876,7 @@ main (int argc, char *argv[])
+ test_path = g_strdup_printf ("/param/implement/subprocess/%d-%d-%d-%d",
+ data.change_this_flag, data.change_this_type,
+ data.use_this_flag, data.use_this_type);
+- test_data = g_memdup (&data, sizeof (TestParamImplementData));
++ test_data = g_memdup2 (&data, sizeof (TestParamImplementData));
+ g_test_add_data_func_full (test_path, test_data, test_param_implement_child, g_free);
+ g_free (test_path);
+ }
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.64.5.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.64.5.bb
index b9462bc945..ed7b649dc6 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.64.5.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.64.5.bb
@@ -18,6 +18,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch \
file://tzdata-update.patch \
file://CVE-2020-35457.patch \
+ file://CVE-2021-27219.patch \
"
SRC_URI_append_class-native = " file://relocate-modules.patch"
diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc
index e48b5cb67b..71777bc459 100644
--- a/meta/recipes-core/glib-2.0/glib.inc
+++ b/meta/recipes-core/glib-2.0/glib.inc
@@ -34,10 +34,6 @@ DEPENDS_append_class-target = "${@' gtk-doc' if d.getVar('GTKDOC_ENABLED') == 'T
GTKDOC_MESON_OPTION = "gtk_doc"
-# This avoids the need to depend on target python3, which in case of mingw is not even possible.
-# meson's python configuration pokes into python3 configuration, so this provides the native config to it.
-unset _PYTHON_SYSCONFIGDATA_NAME
-
S = "${WORKDIR}/glib-${PV}"
PACKAGECONFIG ??= "system-pcre libmount \
diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
index 1566056297..84d199bb1d 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
SRCBRANCH ?= "release/2.32/master"
PV = "2.32"
-SRCREV_glibc ?= "3de512be7ea6053255afed6154db9ee31d4e557a"
+SRCREV_glibc ?= "44b395932961a29825da4ad025124a6760858d9c"
SRCREV_localedef ?= "bd644c9e6f3e20c5504da1488448173c69c56c28"
GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch b/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch
deleted file mode 100644
index 987e959db2..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-From ee7a3144c9922808181009b7b3e50e852fb4999b Mon Sep 17 00:00:00 2001
-From: Andreas Schwab <schwab@suse.de>
-Date: Mon, 21 Dec 2020 08:56:43 +0530
-Subject: [PATCH] Fix buffer overrun in EUC-KR conversion module (bz #24973)
-
-The byte 0xfe as input to the EUC-KR conversion denotes a user-defined
-area and is not allowed. The from_euc_kr function used to skip two bytes
-when told to skip over the unknown designation, potentially running over
-the buffer end.
-
-Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=ee7a3144c9922808181009b7b3e50e852fb4999b]
-CVE: CVE-2019-25013
-Signed-off-by: Scott Murray <scott.murray@konsulko.com>
----
- iconvdata/Makefile | 3 ++-
- iconvdata/bug-iconv13.c | 53 +++++++++++++++++++++++++++++++++++++++++
- iconvdata/euc-kr.c | 6 +----
- iconvdata/ksc5601.h | 6 ++---
- 4 files changed, 59 insertions(+), 9 deletions(-)
- create mode 100644 iconvdata/bug-iconv13.c
-
-diff --git a/iconvdata/Makefile b/iconvdata/Makefile
-index 4ec2741cdc..85009f3390 100644
---- a/iconvdata/Makefile
-+++ b/iconvdata/Makefile
-@@ -73,7 +73,8 @@ modules.so := $(addsuffix .so, $(modules))
- ifeq (yes,$(build-shared))
- tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
- tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
-- bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4
-+ bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 \
-+ bug-iconv13
- ifeq ($(have-thread-library),yes)
- tests += bug-iconv3
- endif
-diff --git a/iconvdata/bug-iconv13.c b/iconvdata/bug-iconv13.c
-new file mode 100644
-index 0000000000..87aaff398e
---- /dev/null
-+++ b/iconvdata/bug-iconv13.c
-@@ -0,0 +1,53 @@
-+/* bug 24973: Test EUC-KR module
-+ Copyright (C) 2020 Free Software Foundation, Inc.
-+ This file is part of the GNU C Library.
-+
-+ The GNU C Library is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU Lesser General Public
-+ License as published by the Free Software Foundation; either
-+ version 2.1 of the License, or (at your option) any later version.
-+
-+ The GNU C Library is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ Lesser General Public License for more details.
-+
-+ You should have received a copy of the GNU Lesser General Public
-+ License along with the GNU C Library; if not, see
-+ <https://www.gnu.org/licenses/>. */
-+
-+#include <errno.h>
-+#include <iconv.h>
-+#include <stdio.h>
-+#include <support/check.h>
-+
-+static int
-+do_test (void)
-+{
-+ iconv_t cd = iconv_open ("UTF-8//IGNORE", "EUC-KR");
-+ TEST_VERIFY_EXIT (cd != (iconv_t) -1);
-+
-+ /* 0xfe (->0x7e : row 94) and 0xc9 (->0x49 : row 41) are user-defined
-+ areas, which are not allowed and should be skipped over due to
-+ //IGNORE. The trailing 0xfe also is an incomplete sequence, which
-+ should be checked first. */
-+ char input[4] = { '\xc9', '\xa1', '\0', '\xfe' };
-+ char *inptr = input;
-+ size_t insize = sizeof (input);
-+ char output[4];
-+ char *outptr = output;
-+ size_t outsize = sizeof (output);
-+
-+ /* This used to crash due to buffer overrun. */
-+ TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == (size_t) -1);
-+ TEST_VERIFY (errno == EINVAL);
-+ /* The conversion should produce one character, the converted null
-+ character. */
-+ TEST_VERIFY (sizeof (output) - outsize == 1);
-+
-+ TEST_VERIFY_EXIT (iconv_close (cd) != -1);
-+
-+ return 0;
-+}
-+
-+#include <support/test-driver.c>
-diff --git a/iconvdata/euc-kr.c b/iconvdata/euc-kr.c
-index b0d56cf3ee..1045bae926 100644
---- a/iconvdata/euc-kr.c
-+++ b/iconvdata/euc-kr.c
-@@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned char *cp)
- \
- if (ch <= 0x9f) \
- ++inptr; \
-- /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are \
-- user-defined areas. */ \
-- else if (__builtin_expect (ch == 0xa0, 0) \
-- || __builtin_expect (ch > 0xfe, 0) \
-- || __builtin_expect (ch == 0xc9, 0)) \
-+ else if (__glibc_unlikely (ch == 0xa0)) \
- { \
- /* This is illegal. */ \
- STANDARD_FROM_LOOP_ERR_HANDLER (1); \
-diff --git a/iconvdata/ksc5601.h b/iconvdata/ksc5601.h
-index d3eb3a4ff8..f5cdc72797 100644
---- a/iconvdata/ksc5601.h
-+++ b/iconvdata/ksc5601.h
-@@ -50,15 +50,15 @@ ksc5601_to_ucs4 (const unsigned char **s, size_t avail, unsigned char offset)
- unsigned char ch2;
- int idx;
-
-+ if (avail < 2)
-+ return 0;
-+
- /* row 94(0x7e) and row 41(0x49) are user-defined area in KS C 5601 */
-
- if (ch < offset || (ch - offset) <= 0x20 || (ch - offset) >= 0x7e
- || (ch - offset) == 0x49)
- return __UNKNOWN_10646_CHAR;
-
-- if (avail < 2)
-- return 0;
--
- ch2 = (*s)[1];
- if (ch2 < offset || (ch2 - offset) <= 0x20 || (ch2 - offset) >= 0x7f)
- return __UNKNOWN_10646_CHAR;
---
-2.27.0
-
diff --git a/meta/recipes-core/glibc/glibc_2.32.bb b/meta/recipes-core/glibc/glibc_2.32.bb
index d43c8c56cb..03aea52508 100644
--- a/meta/recipes-core/glibc/glibc_2.32.bb
+++ b/meta/recipes-core/glibc/glibc_2.32.bb
@@ -1,7 +1,8 @@
require glibc.inc
require glibc-version.inc
-CVE_CHECK_WHITELIST += "CVE-2020-10029"
+# whitelist CVE's with fixes in latest release/2.32/master branch
+CVE_CHECK_WHITELIST += "CVE-2019-25013 CVE-2020-10029 CVE-2020-27618 CVE-2021-27645 CVE-2021-3326"
DEPENDS += "gperf-native bison-native make-native"
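Review bot: The `CVE_CHECK_WHITELIST +=` line is unconditional, while the fixes it relies on arrive only through the `SRCREV_glibc ?=` default in glibc-version.inc, which a layer or local.conf can override. With an older revision pinned, cve-check would presumably still suppress the four identifiers added here, and this same commit also drops CVE-2019-25013.patch from SRC_URI. The comment should tie the list to the revision, for example `# Fixed upstream on release/2.32/master as of the SRCREV_glibc default in glibc-version.inc; re-check this list if SRCREV_glibc is overridden`.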
@@ -46,7 +47,6 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://0031-linux-Allow-adjtime-with-NULL-argument-BZ-26833.patch \
file://CVE-2020-29562.patch \
file://CVE-2020-29573.patch \
- file://CVE-2019-25013.patch \
"
S = "${WORKDIR}/git"
B = "${WORKDIR}/build-${TARGET_SYS}"
diff --git a/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
index 7f87c065db..9e944a2534 100644
--- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb
+++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -22,9 +22,9 @@ APPEND += "rootfstype=ext4 quiet"
DEPENDS = "zip-native python3-pip-native"
IMAGE_FSTYPES = "wic.vmdk"
-inherit core-image module-base setuptools3
+inherit core-image setuptools3
-SRCREV ?= "76dac9d657f3b2864dec3bfcd2ee392fafdcdfe6"
+SRCREV ?= "79c4792da2b400431c09d9a2f53efd4443812281"
SRC_URI = "git://git.yoctoproject.org/poky;branch=gatesgarth \
file://Yocto_Build_Appliance.vmx \
file://Yocto_Build_Appliance.vmxf \
@@ -61,12 +61,6 @@ fakeroot do_populate_poky_src () {
# Place the README_VirtualBox_Toaster file in builders home folder.
cp ${WORKDIR}/README_VirtualBox_Toaster.txt ${IMAGE_ROOTFS}/home/builder/
- # Create a symlink, needed for out-of-tree kernel modules build
- if [ ! -e ${IMAGE_ROOTFS}/lib/modules/${KERNEL_VERSION}/build ]; then
- rm -f ${IMAGE_ROOTFS}/lib/modules/${KERNEL_VERSION}/build
- lnr ${IMAGE_ROOTFS}${KERNEL_SRC_PATH} ${IMAGE_ROOTFS}/lib/modules/${KERNEL_VERSION}/build
- fi
-
echo "INHERIT += \"rm_work\"" >> ${IMAGE_ROOTFS}/home/builder/poky/build/conf/auto.conf
echo "export LC_ALL=en_US.utf8" >> ${IMAGE_ROOTFS}/home/builder/.bashrc
diff --git a/meta/recipes-core/initrdscripts/files/init-install-efi.sh b/meta/recipes-core/initrdscripts/files/init-install-efi.sh
index b6855b5aac..f667518b89 100644
--- a/meta/recipes-core/initrdscripts/files/init-install-efi.sh
+++ b/meta/recipes-core/initrdscripts/files/init-install-efi.sh
@@ -279,6 +279,11 @@ fi
umount /tgt_root
+# copy any extra files needed for ESP
+if [ -d /run/media/$1/esp ]; then
+ cp -r /run/media/$1/esp/* /boot
+fi
+
# Copy kernel artifacts. To add more artifacts just add to types
# For now just support kernel types already being used by something in OE-core
for types in bzImage zImage vmlinux vmlinuz fitImage; do
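Review bot: `$1` is expanded unquoted in both the `[ -d /run/media/$1/esp ]` test and the `cp -r /run/media/$1/esp/* /boot` line, so a device argument containing whitespace or glob characters would be word-split. The `esp/*` glob also leaves a literal `*` for `cp` to fail on when the directory exists but is empty, and it skips dotfiles. Quoting the path and copying the directory contents avoids all three: `if [ -d "/run/media/$1/esp" ]; then` and `cp -r "/run/media/$1/esp/." /boot`. Everything under `esp` on the install media lands on the boot partition unfiltered, so a short comment stating what that directory is expected to contain would help whoever builds the media.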
diff --git a/meta/recipes-core/meta/buildtools-extended-tarball.bb b/meta/recipes-core/meta/buildtools-extended-tarball.bb
index 0816486754..83e3fddccc 100644
--- a/meta/recipes-core/meta/buildtools-extended-tarball.bb
+++ b/meta/recipes-core/meta/buildtools-extended-tarball.bb
@@ -28,11 +28,21 @@ TOOLCHAIN_HOST_TASK += "\
nativesdk-libtool \
nativesdk-pkgconfig \
nativesdk-glibc-utils \
+ nativesdk-glibc-gconv-ibm850 \
+ nativesdk-glibc-gconv-iso8859-1 \
+ nativesdk-glibc-gconv-utf-16 \
+ nativesdk-glibc-gconv-cp1250 \
+ nativesdk-glibc-gconv-cp1251 \
+ nativesdk-glibc-gconv-cp1252 \
+ nativesdk-glibc-gconv-euc-jp \
+ nativesdk-glibc-gconv-libjis \
nativesdk-libxcrypt-dev \
nativesdk-parted \
nativesdk-dosfstools \
nativesdk-gptfdisk \
"
+# gconv-cp1250, cp1251 and euc-jp needed for iconv to work in vim builds
+# also copied list from uninative
TOOLCHAIN_OUTPUTNAME = "${SDK_ARCH}-buildtools-extended-nativesdk-standalone-${DISTRO_VERSION}"
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index cf62e1e32c..b073936298 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -138,14 +138,24 @@ def parse_node_and_insert(c, node, cveId):
for cpe in node.get('cpe_match', ()):
if not cpe['vulnerable']:
return
- cpe23 = cpe['cpe23Uri'].split(':')
+ cpe23 = cpe.get('cpe23Uri')
+ if not cpe23:
+ return
+ cpe23 = cpe23.split(':')
+ if len(cpe23) < 6:
+ return
vendor = cpe23[3]
product = cpe23[4]
version = cpe23[5]
+ if cpe23[6] == '*' or cpe23[6] == '-':
+ version_suffix = ""
+ else:
+ version_suffix = "_" + cpe23[6]
+
if version != '*' and version != '-':
# Version is defined, this is a '=' match
- yield [cveId, vendor, product, version, '=', '', '']
+ yield [cveId, vendor, product, version + version_suffix, '=', '', '']
elif version == '-':
# no version information is available
yield [cveId, vendor, product, version, '', '', '']
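Review bot: The new guard `if len(cpe23) < 6: return` only guarantees indexes up to 5, but the added lines read `cpe23[6]`, so a URI with exactly six fields would raise IndexError instead of being skipped; the check should be `if len(cpe23) < 7:`. Both new `return` statements also end the generator for the whole node, so one malformed `cpe_match` entry drops every later entry of that node from the database, which would surface as missed CVEs in cve-check. `continue` would skip only the bad entry, although the existing `vulnerable` check uses the same `return` shape, so this may be intentional. parse_node_and_insert continues outside the hunk.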
diff --git a/meta/recipes-core/ncurses/ncurses.inc b/meta/recipes-core/ncurses/ncurses.inc
index fe4e8a5d6e..ef59bc3b0a 100644
--- a/meta/recipes-core/ncurses/ncurses.inc
+++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -324,3 +324,8 @@ FILES_${PN}-terminfo-base = "\
RSUGGESTS_${PN}-libtinfo = "${PN}-terminfo"
RRECOMMENDS_${PN}-libtinfo = "${PN}-terminfo-base"
+
+# Putting terminfo into the sysroot adds around 2800 files to
+# each recipe specific sysroot. We can live without this, particularly
+# as many recipes may have native and target copies.
+SYSROOT_DIRS_remove = "${datadir}"
diff --git a/meta/recipes-core/ovmf/ovmf-shell-image.bb b/meta/recipes-core/ovmf/ovmf-shell-image.bb
index 0d2b8bf52f..fd4fb5b732 100644
--- a/meta/recipes-core/ovmf/ovmf-shell-image.bb
+++ b/meta/recipes-core/ovmf/ovmf-shell-image.bb
@@ -1,4 +1,5 @@
DESCRIPTION = "boot image with UEFI shell and tools"
+COMPATIBLE_HOST_class-target='(i.86|x86_64).*'
# For this image recipe, only the wic format with a
# single vfat partition makes sense. Because we have no
diff --git a/meta/recipes-core/systemd/systemd-conf/wired.network b/meta/recipes-core/systemd/systemd-conf/wired.network
index dcf3534596..06d00ea1ba 100644
--- a/meta/recipes-core/systemd/systemd-conf/wired.network
+++ b/meta/recipes-core/systemd/systemd-conf/wired.network
@@ -1,6 +1,7 @@
[Match]
Name=en* eth*
KernelCommandLine=!nfsroot
+KernelCommandLine=!ip
[Network]
DHCP=yes
diff --git a/meta/recipes-core/systemd/systemd-conf_246.9.bb b/meta/recipes-core/systemd/systemd-conf_246.9.bb
index d9ec023bfd..9b797a91f4 100644
--- a/meta/recipes-core/systemd/systemd-conf_246.9.bb
+++ b/meta/recipes-core/systemd/systemd-conf_246.9.bb
@@ -23,9 +23,6 @@ do_install() {
# Based on change from YP bug 8141, OE commit 5196d7bacaef1076c361adaa2867be31759c1b52
do_install_append_qemuall() {
install -D -m0644 ${WORKDIR}/system.conf-qemuall ${D}${systemd_unitdir}/system.conf.d/01-${PN}.conf
-
- # Do not install wired.network for qemu bsps
- rm -rf ${D}${systemd_unitdir}/network
}
PACKAGE_ARCH = "${MACHINE_ARCH}"
diff --git a/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch
new file mode 100644
index 0000000000..89ef39bc3e
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch
@@ -0,0 +1,227 @@
+From 150d9cade6d475570395cb418b824524dead9577 Mon Sep 17 00:00:00 2001
+From: Joshua Watt <JPEWhacker@gmail.com>
+Date: Fri, 30 Oct 2020 08:15:43 -0500
+Subject: [PATCH] logind: Restore chvt as non-root user without polkit
+
+4acf0cfd2f ("logind: check PolicyKit before allowing VT switch") broke
+the ability to write user sessions that run graphical sessions (e.g.
+weston/X11). This was partially amended in 19bb87fbfa ("login: allow
+non-console sessions to change vt") by changing the default PolicyKit
+policy so that non-root users are again allowed to switch the VT. This
+makes the policy when PolKit is not enabled (as on many embedded
+systems) match the default PolKit policy and allows launching graphical
+sessions as a non-root user.
+
+Closes #17473
+---
+ src/login/logind-dbus.c | 11 ++-------
+ src/login/logind-polkit.c | 26 +++++++++++++++++++++
+ src/login/logind-polkit.h | 10 ++++++++
+ src/login/logind-seat-dbus.c | 41 ++++-----------------------------
+ src/login/logind-session-dbus.c | 11 ++-------
+ src/login/meson.build | 1 +
+ 6 files changed, 46 insertions(+), 54 deletions(-)
+ create mode 100644 src/login/logind-polkit.c
+ create mode 100644 src/login/logind-polkit.h
+
+diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
+index 0f83ed99bc..a3765d88ba 100644
+--- a/src/login/logind-dbus.c
++++ b/src/login/logind-dbus.c
+@@ -30,6 +30,7 @@
+ #include "format-util.h"
+ #include "fs-util.h"
+ #include "logind-dbus.h"
++#include "logind-polkit.h"
+ #include "logind-seat-dbus.h"
+ #include "logind-session-dbus.h"
+ #include "logind-user-dbus.h"
+@@ -1047,15 +1048,7 @@ static int method_activate_session_on_seat(sd_bus_message *message, void *userda
+ return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT,
+ "Session %s not on seat %s", session_name, seat_name);
+
+- r = bus_verify_polkit_async(
+- message,
+- CAP_SYS_ADMIN,
+- "org.freedesktop.login1.chvt",
+- NULL,
+- false,
+- UID_INVALID,
+- &m->polkit_registry,
+- error);
++ r = check_polkit_chvt(message, m, error);
+ if (r < 0)
+ return r;
+ if (r == 0)
+diff --git a/src/login/logind-polkit.c b/src/login/logind-polkit.c
+new file mode 100644
+index 0000000000..9072570cc6
+--- /dev/null
++++ b/src/login/logind-polkit.c
+@@ -0,0 +1,26 @@
++/* SPDX-License-Identifier: LGPL-2.1+ */
++
++#include "bus-polkit.h"
++#include "logind-polkit.h"
++#include "missing_capability.h"
++#include "user-util.h"
++
++int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error) {
++#if ENABLE_POLKIT
++ return bus_verify_polkit_async(
++ message,
++ CAP_SYS_ADMIN,
++ "org.freedesktop.login1.chvt",
++ NULL,
++ false,
++ UID_INVALID,
++ &manager->polkit_registry,
++ error);
++#else
++ /* Allow chvt when polkit is not present. This allows a service to start a graphical session as a
++ * non-root user when polkit is not compiled in, matching the default polkit policy */
++ return 1;
++#endif
++}
++
++
+diff --git a/src/login/logind-polkit.h b/src/login/logind-polkit.h
+new file mode 100644
+index 0000000000..476c077a8a
+--- /dev/null
++++ b/src/login/logind-polkit.h
+@@ -0,0 +1,10 @@
++/* SPDX-License-Identifier: LGPL-2.1+ */
++#pragma once
++
++#include "sd-bus.h"
++
++#include "bus-object.h"
++#include "logind.h"
++
++int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error);
++
+diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-seat-dbus.c
+index a945132284..f22e9e2734 100644
+--- a/src/login/logind-seat-dbus.c
++++ b/src/login/logind-seat-dbus.c
+@@ -9,6 +9,7 @@
+ #include "bus-polkit.h"
+ #include "bus-util.h"
+ #include "logind-dbus.h"
++#include "logind-polkit.h"
+ #include "logind-seat-dbus.h"
+ #include "logind-seat.h"
+ #include "logind-session-dbus.h"
+@@ -179,15 +180,7 @@ static int method_activate_session(sd_bus_message *message, void *userdata, sd_b
+ if (session->seat != s)
+ return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", name, s->id);
+
+- r = bus_verify_polkit_async(
+- message,
+- CAP_SYS_ADMIN,
+- "org.freedesktop.login1.chvt",
+- NULL,
+- false,
+- UID_INVALID,
+- &s->manager->polkit_registry,
+- error);
++ r = check_polkit_chvt(message, s->manager, error);
+ if (r < 0)
+ return r;
+ if (r == 0)
+@@ -215,15 +208,7 @@ static int method_switch_to(sd_bus_message *message, void *userdata, sd_bus_erro
+ if (to <= 0)
+ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid virtual terminal");
+
+- r = bus_verify_polkit_async(
+- message,
+- CAP_SYS_ADMIN,
+- "org.freedesktop.login1.chvt",
+- NULL,
+- false,
+- UID_INVALID,
+- &s->manager->polkit_registry,
+- error);
++ r = check_polkit_chvt(message, s->manager, error);
+ if (r < 0)
+ return r;
+ if (r == 0)
+@@ -243,15 +228,7 @@ static int method_switch_to_next(sd_bus_message *message, void *userdata, sd_bus
+ assert(message);
+ assert(s);
+
+- r = bus_verify_polkit_async(
+- message,
+- CAP_SYS_ADMIN,
+- "org.freedesktop.login1.chvt",
+- NULL,
+- false,
+- UID_INVALID,
+- &s->manager->polkit_registry,
+- error);
++ r = check_polkit_chvt(message, s->manager, error);
+ if (r < 0)
+ return r;
+ if (r == 0)
+@@ -271,15 +248,7 @@ static int method_switch_to_previous(sd_bus_message *message, void *userdata, sd
+ assert(message);
+ assert(s);
+
+- r = bus_verify_polkit_async(
+- message,
+- CAP_SYS_ADMIN,
+- "org.freedesktop.login1.chvt",
+- NULL,
+- false,
+- UID_INVALID,
+- &s->manager->polkit_registry,
+- error);
++ r = check_polkit_chvt(message, s->manager, error);
+ if (r < 0)
+ return r;
+ if (r == 0)
+diff --git a/src/login/logind-session-dbus.c b/src/login/logind-session-dbus.c
+index ccc5ac8df2..57c8a4e900 100644
+--- a/src/login/logind-session-dbus.c
++++ b/src/login/logind-session-dbus.c
+@@ -11,6 +11,7 @@
+ #include "fd-util.h"
+ #include "logind-brightness.h"
+ #include "logind-dbus.h"
++#include "logind-polkit.h"
+ #include "logind-seat-dbus.h"
+ #include "logind-session-dbus.h"
+ #include "logind-session-device.h"
+@@ -192,15 +193,7 @@ int bus_session_method_activate(sd_bus_message *message, void *userdata, sd_bus_
+ assert(message);
+ assert(s);
+
+- r = bus_verify_polkit_async(
+- message,
+- CAP_SYS_ADMIN,
+- "org.freedesktop.login1.chvt",
+- NULL,
+- false,
+- UID_INVALID,
+- &s->manager->polkit_registry,
+- error);
++ r = check_polkit_chvt(message, s->manager, error);
+ if (r < 0)
+ return r;
+ if (r == 0)
+diff --git a/src/login/meson.build b/src/login/meson.build
+index 0a7d3d5440..7e46be2add 100644
+--- a/src/login/meson.build
++++ b/src/login/meson.build
+@@ -26,6 +26,7 @@ liblogind_core_sources = files('''
+ logind-device.h
+ logind-inhibit.c
+ logind-inhibit.h
++ logind-polkit.c
+ logind-seat-dbus.c
+ logind-seat-dbus.h
+ logind-seat.c
+--
+2.28.0
+
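Review bot: In the `#else` branch of `check_polkit_chvt` in the new src/login/logind-polkit.c, `return 1` authorises every bus caller, so a build without polkit has no access check left on the six activate/switch-VT methods that now call it. The removed calls passed `CAP_SYS_ADMIN` to `bus_verify_polkit_async`, which presumably served as the privilege fallback when polkit was compiled out; that restriction is gone and cannot be restored by configuration. The comment should say so explicitly, for example `/* No polkit: any caller may switch VTs; the former CAP_SYS_ADMIN requirement is intentionally dropped. */`, so integrators of multi-user images see the trade-off. The patch header also carries no `Upstream-Status:` line and no OE `Signed-off-by:`, unlike the other patches added in this commit.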
diff --git a/meta/recipes-core/systemd/systemd_246.9.bb b/meta/recipes-core/systemd/systemd_246.9.bb
index 9215adf8dc..6524b8216a 100644
--- a/meta/recipes-core/systemd/systemd_246.9.bb
+++ b/meta/recipes-core/systemd/systemd_246.9.bb
@@ -21,6 +21,7 @@ SRC_URI += "file://touchscreen.rules \
file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
file://0003-implment-systemd-sysv-install-for-OE.patch \
file://0001-systemd.pc.in-use-ROOTPREFIX-without-suffixed-slash.patch \
+ file://0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch \
"
# patches needed by musl
@@ -134,7 +135,7 @@ PACKAGECONFIG[hibernate] = "-Dhibernate=true,-Dhibernate=false"
PACKAGECONFIG[hostnamed] = "-Dhostnamed=true,-Dhostnamed=false"
PACKAGECONFIG[idn] = "-Didn=true,-Didn=false"
PACKAGECONFIG[ima] = "-Dima=true,-Dima=false"
-# importd requires curl/xz/zlib/bzip2/gcrypt
+# importd requires journal-upload/xz/zlib/bzip2/gcrypt
PACKAGECONFIG[importd] = "-Dimportd=true,-Dimportd=false"
# Update NAT firewall rules
PACKAGECONFIG[iptc] = "-Dlibiptc=true,-Dlibiptc=false,iptables"
@@ -357,15 +358,15 @@ USERADD_PACKAGES = "${PN} ${PN}-extra-utils \
${@bb.utils.contains('PACKAGECONFIG', 'journal-upload', '${PN}-journal-upload', '', d)} \
"
GROUPADD_PARAM_${PN} = "-r systemd-journal"
-USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'coredump', '--system -d / -M --shell /bin/nologin systemd-coredump;', '', d)}"
-USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'networkd', '--system -d / -M --shell /bin/nologin systemd-network;', '', d)}"
+USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'coredump', '--system -d / -M --shell /sbin/nologin systemd-coredump;', '', d)}"
+USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'networkd', '--system -d / -M --shell /sbin/nologin systemd-network;', '', d)}"
USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit', '--system --no-create-home --user-group --home-dir ${sysconfdir}/polkit-1 polkitd;', '', d)}"
-USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'resolved', '--system -d / -M --shell /bin/nologin systemd-resolve;', '', d)}"
-USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'timesyncd', '--system -d / -M --shell /bin/nologin systemd-timesync;', '', d)}"
-USERADD_PARAM_${PN}-extra-utils = "--system -d / -M --shell /bin/nologin systemd-bus-proxy"
-USERADD_PARAM_${PN}-journal-gateway = "--system -d / -M --shell /bin/nologin systemd-journal-gateway"
-USERADD_PARAM_${PN}-journal-remote = "--system -d / -M --shell /bin/nologin systemd-journal-remote"
-USERADD_PARAM_${PN}-journal-upload = "--system -d / -M --shell /bin/nologin systemd-journal-upload"
+USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'resolved', '--system -d / -M --shell /sbin/nologin systemd-resolve;', '', d)}"
+USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'timesyncd', '--system -d / -M --shell /sbin/nologin systemd-timesync;', '', d)}"
+USERADD_PARAM_${PN}-extra-utils = "--system -d / -M --shell /sbin/nologin systemd-bus-proxy"
+USERADD_PARAM_${PN}-journal-gateway = "--system -d / -M --shell /sbin/nologin systemd-journal-gateway"
+USERADD_PARAM_${PN}-journal-remote = "--system -d / -M --shell /sbin/nologin systemd-journal-remote"
+USERADD_PARAM_${PN}-journal-upload = "--system -d / -M --shell /sbin/nologin systemd-journal-upload"
FILES_${PN}-analyze = "${bindir}/systemd-analyze"
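Review bot: The `polkitd` entry on the unchanged line between the two edited groups still passes no `--shell`, so that account presumably receives useradd's default shell while every other service account here is pinned to nologin. Adding `--shell /sbin/nologin` to that `USERADD_PARAM_${PN}` line would make the set consistent. The corrected paths are also hard-coded; `${base_sbindir}/nologin` would follow the distro's directory layout instead of assuming `/sbin`, though where nologin is installed in the image should be confirmed first.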
diff --git a/meta/recipes-devtools/binutils/binutils-2.35.1.inc b/meta/recipes-devtools/binutils/binutils-2.35.1.inc
index 775af2b8f2..6290d5b191 100644
--- a/meta/recipes-devtools/binutils/binutils-2.35.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.35.1.inc
@@ -44,5 +44,6 @@ SRC_URI = "\
file://0017-gas-improve-reproducibility-for-stabs-debugging-data.patch \
file://0001-aarch64-Return-an-error-on-conditional-branch-to-an-.patch \
file://CVE-2020-35448.patch \
+ file://0001-gold-ensure-file_counts_lock-is-initialized-before-u.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0001-gold-ensure-file_counts_lock-is-initialized-before-u.patch b/meta/recipes-devtools/binutils/binutils/0001-gold-ensure-file_counts_lock-is-initialized-before-u.patch
new file mode 100644
index 0000000000..f46415f440
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0001-gold-ensure-file_counts_lock-is-initialized-before-u.patch
@@ -0,0 +1,41 @@
+From de24fc96bf24fca470a9ca13176ad9ad9cc4d5a9 Mon Sep 17 00:00:00 2001
+From: Nick Gasson <nick.gasson@arm.com>
+Date: Mon, 2 Nov 2020 12:02:05 +0800
+Subject: [PATCH] gold: ensure file_counts_lock is initialized before using
+
+Since upgrading to binutils 2.35 I've been experiencing random memory
+corruption related crashes with ld.gold --threads. It's caused by
+multiple threads concurrently pushing elements onto the shared
+std::vector in File_read::record_file_read(). This vector is supposed to
+be protected by file_counts_lock, but that is initialized lazily and
+might be NULL when File_read::open() is called, in which case
+Hold_optional_lock silently skips locking it.
+
+Fix by calling the initialize() method before attempting to acquire the
+lock, the same as other places that use file_counts_lock.
+
+ PR 26827
+ * fileread.cc (File_read::open): Ensure file_counts_lock is
+ initialized.
+ * testsuite/Makefile.am (check_PROGRAMS): Add a test that passes
+ -Wl,--threads.
+ * testsuite/Makefile.in: Regenerate.
+
+Upstream-Status: Backport [af61e84fd2d from 2.36.0]
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+ gold/fileread.cc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/gold/fileread.cc b/gold/fileread.cc
+index f5ca719360d..0b5228e2afd 100644
+--- a/gold/fileread.cc
++++ b/gold/fileread.cc
+@@ -212,6 +212,7 @@ File_read::open(const Task* task, const std::string& name)
+ gold_debug(DEBUG_FILES, "Attempt to open %s succeeded",
+ this->name_.c_str());
+ this->token_.add_writer(task);
++ file_counts_initialize_lock.initialize();
+ Hold_optional_lock hl(file_counts_lock);
+ record_file_read(this->name_);
+ }
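Review bot: The ChangeLog block in this patch header lists changes to `testsuite/Makefile.am` and `testsuite/Makefile.in`, but the diffstat and the single hunk touch only `gold/fileread.cc`, so the `-Wl,--threads` regression test is not part of the backport. The header should say so, for example with a line such as `Testsuite changes from the upstream commit are not included in this backport.` above `Upstream-Status:`, so whoever refreshes the patch does not go looking for them. `File_read::open` starts and ends outside the hunk.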
diff --git a/meta/recipes-devtools/bison/bison/0001-Use-mapped-file-name-for-symbols.patch b/meta/recipes-devtools/bison/bison/0001-Use-mapped-file-name-for-symbols.patch
new file mode 100644
index 0000000000..568ee4df19
--- /dev/null
+++ b/meta/recipes-devtools/bison/bison/0001-Use-mapped-file-name-for-symbols.patch
@@ -0,0 +1,62 @@
+From 2a3db4e3b8d33bad5577c2fcfe124ee7a202ef4f Mon Sep 17 00:00:00 2001
+From: Joshua Watt <JPEWhacker@gmail.com>
+Date: Mon, 15 Feb 2021 20:39:57 -0600
+Subject: [PATCH] Use mapped file name for symbols
+
+Applies the file name mapping before exporting it as a symbol. This
+allows the symbols to correctly respect the --file-prefix-map command
+line option.
+
+Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
+Upstream-Status: Submitted [https://lists.gnu.org/archive/html/bison-patches/2021-02/msg00014.html]
+---
+ src/muscle-tab.c | 4 +++-
+ src/output.c | 8 ++++++--
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/muscle-tab.c b/src/muscle-tab.c
+index b610d0b8..3e7657ca 100644
+--- a/src/muscle-tab.c
++++ b/src/muscle-tab.c
+@@ -204,8 +204,10 @@ static void
+ muscle_syncline_grow (char const *key, location loc)
+ {
+ obstack_printf (&muscle_obstack, "]b4_syncline(%d, ", loc.start.line);
++ char *f = map_file_name (loc.start.file);
+ obstack_quote (&muscle_obstack,
+- quotearg_style (c_quoting_style, loc.start.file));
++ quotearg_style (c_quoting_style, f));
++ free (f);
+ obstack_sgrow (&muscle_obstack, ")dnl\n[");
+ char const *extension = obstack_finish0 (&muscle_obstack);
+ muscle_grow (key, extension, "", "");
+diff --git a/src/output.c b/src/output.c
+index 391d8e65..34dbc671 100644
+--- a/src/output.c
++++ b/src/output.c
+@@ -531,7 +531,9 @@ user_actions_output (FILE *out)
+ {
+ fprintf (out, "b4_syncline(%d, ",
+ rules[r].action_loc.start.line);
+- string_output (out, rules[r].action_loc.start.file);
++ char *f = map_file_name (rules[r].action_loc.start.file);
++ string_output (out, f);
++ free(f);
+ fprintf (out, ")dnl\n");
+ }
+ fprintf (out, "[%*s%s]],\n[[",
+@@ -629,8 +631,10 @@ prepare_symbol_definitions (void)
+
+ if (p->code)
+ {
++ char *f = map_file_name (p->location.start.file);
+ SET_KEY2 (pname, "file");
+- MUSCLE_INSERT_C_STRING (key, p->location.start.file);
++ MUSCLE_INSERT_C_STRING (key, f);
++ free (f);
+
+ SET_KEY2 (pname, "line");
+ MUSCLE_INSERT_INT (key, p->location.start.line);
+--
+2.30.0
+
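Review bot: Style: the added `free(f);` in the `user_actions_output` hunk of src/output.c lacks the space before the parenthesis that the other two additions and the surrounding code use; it should read `free (f);`. All three call sites also depend on `map_file_name` returning heap memory owned by the caller, which is not visible in these hunks; a short comment at the first use, such as `/* map_file_name returns a newly allocated string; caller frees. */`, would record that assumption. The three enclosing functions extend beyond their hunks.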
diff --git a/meta/recipes-devtools/bison/bison_3.7.2.bb b/meta/recipes-devtools/bison/bison_3.7.2.bb
index ace4ea5c3f..6fd9d288e0 100644
--- a/meta/recipes-devtools/bison/bison_3.7.2.bb
+++ b/meta/recipes-devtools/bison/bison_3.7.2.bb
@@ -11,6 +11,7 @@ DEPENDS = "bison-native flex-native"
SRC_URI = "${GNU_MIRROR}/bison/bison-${PV}.tar.xz \
file://add-with-bisonlocaledir.patch \
+ file://0001-Use-mapped-file-name-for-symbols.patch \
"
SRC_URI[sha256sum] = "7948d193104d979c0fb0294a1854c73c89d72ae41acfc081826142578a78a91b"
diff --git a/meta/recipes-devtools/flex/flex/0001-Emit-no-line-directives-if-gen_line_dirs-is-false.patch b/meta/recipes-devtools/flex/flex/0001-Emit-no-line-directives-if-gen_line_dirs-is-false.patch
new file mode 100644
index 0000000000..c8202b6bd5
--- /dev/null
+++ b/meta/recipes-devtools/flex/flex/0001-Emit-no-line-directives-if-gen_line_dirs-is-false.patch
@@ -0,0 +1,32 @@
+From 440f3f55739468cd26e22f31871eca8cbbd53294 Mon Sep 17 00:00:00 2001
+From: Oleksiy Obitotskyy <oobitots@cisco.com>
+Date: Wed, 6 Jan 2021 06:12:14 -0800
+Subject: [PATCH] Emit no #line directives if gen_line_dirs is false
+
+If we set --noline we should not print line directives.
+But setting --noline means gen_line_dirs is false.
+
+Upstream-Status: Submitted
+Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com>
+---
+ src/buf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/buf.c b/src/buf.c
+index 185083c..4439e28 100644
+--- a/src/buf.c
++++ b/src/buf.c
+@@ -95,8 +95,8 @@ struct Buf *buf_linedir (struct Buf *buf, const char* filename, int lineno)
+ const char *src;
+ size_t tsz;
+
+- if (gen_line_dirs)
+- return buf;
++ if (!gen_line_dirs)
++ return buf;
+
+ tsz = strlen("#line \"\"\n") + /* constant parts */
+ 2 * strlen (filename) + /* filename with possibly all backslashes escaped */
+--
+2.26.2.Cisco
+
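Review bot: `Upstream-Status: Submitted` in the patch header gives no reference to where the fix was sent, unlike the bison and git patches in this commit, which link their submissions. It should name the list post or pull request, in the form `Upstream-Status: Submitted [<URL of the upstream submission>]` (placeholder; the page does not show the location). The description would also be clearer if it stated the defect directly, e.g. `--noline clears gen_line_dirs, but buf_linedir returned early only when it was set`. `buf_linedir` continues past the hunk.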
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb
index 3d57572865..1d43d2228a 100644
--- a/meta/recipes-devtools/flex/flex_2.6.4.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.4.bb
@@ -16,6 +16,7 @@ SRC_URI = "https://github.com/westes/flex/releases/download/v${PV}/flex-${PV}.ta
${@bb.utils.contains('PTEST_ENABLED', '1', '', 'file://disable-tests.patch', d)} \
file://0001-build-AC_USE_SYSTEM_EXTENSIONS-in-configure.ac.patch \
file://check-funcs.patch \
+ file://0001-Emit-no-line-directives-if-gen_line_dirs-is-false.patch \
"
SRC_URI[md5sum] = "2882e3179748cc9f9c23ec593d6adc8d"
diff --git a/meta/recipes-devtools/gcc/gcc-sanitizers.inc b/meta/recipes-devtools/gcc/gcc-sanitizers.inc
index 668e14a59f..9e643ee277 100644
--- a/meta/recipes-devtools/gcc/gcc-sanitizers.inc
+++ b/meta/recipes-devtools/gcc/gcc-sanitizers.inc
@@ -35,6 +35,11 @@ do_compile () {
do_install () {
cd ${B}/${TARGET_SYS}/libsanitizer/
oe_runmake 'DESTDIR=${D}' MULTIBUILDTOP=${B}/${TARGET_SYS}/libsanitizer/ install
+ if [ -d ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/include ]; then
+ install -d ${D}${libdir}/${TARGET_SYS}/${BINV}/include
+ mv ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/include/* ${D}${libdir}/${TARGET_SYS}/${BINV}/include
+ rmdir --ignore-fail-on-non-empty -p ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/include
+ fi
if [ -d ${D}${infodir} ]; then
rmdir --ignore-fail-on-non-empty -p ${D}${infodir}
fi
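Review bot: The new block in `do_install` tests only that the `include` directory exists, so if it exists but is empty the glob in `mv ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/include/* ...` stays literal and `mv` fails, which would likely abort the task. Guarding on content instead, e.g. `if [ -n "$(ls -A ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/include 2>/dev/null)" ]; then`, avoids that. A one-line comment above the block, such as `# Move sanitizer headers out of the gcc/ subdirectory so they land where FILES_${PN} expects them`, would also explain why the relocation is needed. `do_install` continues past the hunk.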
@@ -109,4 +114,4 @@ FILES_libtsan-dev += "\
"
FILES_libtsan-staticdev += "${libdir}/libtsan.a"
-FILES_${PN} = "${libdir}/*.spec ${libdir}/gcc/${TARGET_SYS}/${BINV}/include/sanitizer/*.h"
+FILES_${PN} = "${libdir}/*.spec ${libdir}/${TARGET_SYS}/${BINV}/include/sanitizer/*.h"
diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc
index 544e23c844..3e78254eec 100644
--- a/meta/recipes-devtools/git/git.inc
+++ b/meta/recipes-devtools/git/git.inc
@@ -7,7 +7,10 @@ DEPENDS = "openssl curl zlib expat"
PROVIDES_append_class-native = " git-replacement-native"
SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
- ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages"
+ ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \
+ file://fixsort.patch \
+ file://CVE-2021-21300.patch \
+"
S = "${WORKDIR}/git-${PV}"
diff --git a/meta/recipes-devtools/git/git/CVE-2021-21300.patch b/meta/recipes-devtools/git/git/CVE-2021-21300.patch
new file mode 100644
index 0000000000..390570fe78
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2021-21300.patch
@@ -0,0 +1,304 @@
+From ba07d31bd2140190c4d8c197c9b8a503544b4c29 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowrgom@gmail.com>
+Date: Sat, 27 Mar 2021 14:05:56 +0900
+Subject: [PATCH] checkout: fix bug that makes checkout follow symlinks in
+ leading path
+
+Before checking out a file, we have to confirm that all of its leading
+components are real existing directories. And to reduce the number of
+lstat() calls in this process, we cache the last leading path known to
+contain only directories. However, when a path collision occurs (e.g.
+when checking out case-sensitive files in case-insensitive file
+systems), a cached path might have its file type changed on disk,
+leaving the cache on an invalid state. Normally, this doesn't bring
+any bad consequences as we usually check out files in index order, and
+therefore, by the time the cached path becomes outdated, we no longer
+need it anyway (because all files in that directory would have already
+been written).
+
+But, there are some users of the checkout machinery that do not always
+follow the index order. In particular: checkout-index writes the paths
+in the same order that they appear on the CLI (or stdin); and the
+delayed checkout feature -- used when a long-running filter process
+replies with "status=delayed" -- postpones the checkout of some entries,
+thus modifying the checkout order.
+
+When we have to check out an out-of-order entry and the lstat() cache is
+invalid (due to a previous path collision), checkout_entry() may end up
+using the invalid data and thrusting that the leading components are
+real directories when, in reality, they are not. In the best case
+scenario, where the directory was replaced by a regular file, the user
+will get an error: "fatal: unable to create file 'foo/bar': Not a
+directory". But if the directory was replaced by a symlink, checkout
+could actually end up following the symlink and writing the file at a
+wrong place, even outside the repository. Since delayed checkout is
+affected by this bug, it could be used by an attacker to write
+arbitrary files during the clone of a maliciously crafted repository.
+
+Some candidate solutions considered were to disable the lstat() cache
+during unordered checkouts or sort the entries before passing them to
+the checkout machinery. But both ideas include some performance penalty
+and they don't future-proof the code against new unordered use cases.
+
+Instead, we now manually reset the lstat cache whenever we successfully
+remove a directory. Note: We are not even checking whether the directory
+was the same as the lstat cache points to because we might face a
+scenario where the paths refer to the same location but differ due to
+case folding, precomposed UTF-8 issues, or the presence of `..`
+components in the path. Two regression tests, with case-collisions and
+utf8-collisions, are also added for both checkout-index and delayed
+checkout.
+
+Note: to make the previously mentioned clone attack unfeasible, it would
+be sufficient to reset the lstat cache only after the remove_subtree()
+call inside checkout_entry(). This is the place where we would remove a
+directory whose path collides with the path of another entry that we are
+currently trying to check out (possibly a symlink). However, in the
+interest of a thorough fix that does not leave Git open to
+similar-but-not-identical attack vectors, we decided to intercept
+all `rmdir()` calls in one fell swoop.
+
+This addresses CVE-2021-21300.
+
+Co-authored-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+Signed-off-by: Matheus Tavares <matheus.bernardino@usp.br>
+
+Upstream-Status: Acepted [https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592]
+CVE: CVE-2021-21300
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ cache.h | 1 +
+ compat/mingw.c | 2 ++
+ git-compat-util.h | 5 +++++
+ symlinks.c | 24 ++++++++++++++++++++
+ t/t0021-conversion.sh | 39 ++++++++++++++++++++++++++++++++
+ t/t0021/rot13-filter.pl | 21 ++++++++++++++---
+ t/t2006-checkout-index-basic.sh | 40 +++++++++++++++++++++++++++++++++
+ 7 files changed, 129 insertions(+), 3 deletions(-)
+
+diff --git a/cache.h b/cache.h
+index 6544264..64226c3 100644
+--- a/cache.h
++++ b/cache.h
+@@ -1733,6 +1733,7 @@ int has_symlink_leading_path(const char *name, int len);
+ int threaded_has_symlink_leading_path(struct cache_def *, const char *, int);
+ int check_leading_path(const char *name, int len);
+ int has_dirs_only_path(const char *name, int len, int prefix_len);
++extern void invalidate_lstat_cache(void);
+ void schedule_dir_for_removal(const char *name, int len);
+ void remove_scheduled_dirs(void);
+
+diff --git a/compat/mingw.c b/compat/mingw.c
+index 8ee0b64..be2b88e 100644
+--- a/compat/mingw.c
++++ b/compat/mingw.c
+@@ -364,6 +364,8 @@ int mingw_rmdir(const char *pathname)
+ ask_yes_no_if_possible("Deletion of directory '%s' failed. "
+ "Should I try again?", pathname))
+ ret = _wrmdir(wpathname);
++ if (!ret)
++ invalidate_lstat_cache();
+ return ret;
+ }
+
+diff --git a/git-compat-util.h b/git-compat-util.h
+index 5637114..d983853 100644
+--- a/git-compat-util.h
++++ b/git-compat-util.h
+@@ -345,6 +345,11 @@ static inline int noop_core_config(const char *var, const char *value, void *cb)
+ #define platform_core_config noop_core_config
+ #endif
+
++int lstat_cache_aware_rmdir(const char *path);
++#if !defined(__MINGW32__) && !defined(_MSC_VER)
++#define rmdir lstat_cache_aware_rmdir
++#endif
++
+ #ifndef has_dos_drive_prefix
+ static inline int git_has_dos_drive_prefix(const char *path)
+ {
+diff --git a/symlinks.c b/symlinks.c
+index 69d458a..7dbb6b2 100644
+--- a/symlinks.c
++++ b/symlinks.c
+@@ -267,6 +267,13 @@ int has_dirs_only_path(const char *name, int len, int prefix_len)
+ */
+ static int threaded_has_dirs_only_path(struct cache_def *cache, const char *name, int len, int prefix_len)
+ {
++ /*
++ * Note: this function is used by the checkout machinery, which also
++ * takes care to properly reset the cache when it performs an operation
++ * that would leave the cache outdated. If this function starts caching
++ * anything else besides FL_DIR, remember to also invalidate the cache
++ * when creating or deleting paths that might be in the cache.
++ */
+ return lstat_cache(cache, name, len,
+ FL_DIR|FL_FULLPATH, prefix_len) &
+ FL_DIR;
+@@ -321,3 +328,20 @@ void remove_scheduled_dirs(void)
+ {
+ do_remove_scheduled_dirs(0);
+ }
++
++void invalidate_lstat_cache(void)
++{
++ reset_lstat_cache(&default_cache);
++}
++
++#undef rmdir
++int lstat_cache_aware_rmdir(const char *path)
++{
++ /* Any change in this function must be made also in `mingw_rmdir()` */
++ int ret = rmdir(path);
++
++ if (!ret)
++ invalidate_lstat_cache();
++
++ return ret;
++}
+diff --git a/t/t0021-conversion.sh b/t/t0021-conversion.sh
+index 4bfffa9..c42f51e 100755
+--- a/t/t0021-conversion.sh
++++ b/t/t0021-conversion.sh
+@@ -957,4 +957,43 @@ test_expect_success PERL 'invalid file in delayed checkout' '
+ grep "error: external filter .* signaled that .unfiltered. is now available although it has not been delayed earlier" git-stderr.log
+ '
+
++for mode in 'case' 'utf-8'
++do
++ case "$mode" in
++ case) dir='A' symlink='a' mode_prereq='CASE_INSENSITIVE_FS' ;;
++ utf-8)
++ dir=$(printf "\141\314\210") symlink=$(printf "\303\244")
++ mode_prereq='UTF8_NFD_TO_NFC' ;;
++ esac
++
++ test_expect_success PERL,SYMLINKS,$mode_prereq \
++ "delayed checkout with $mode-collision don't write to the wrong place" '
++ test_config_global filter.delay.process \
++ "\"$TEST_ROOT/rot13-filter.pl\" --always-delay delayed.log clean smudge delay" &&
++ test_config_global filter.delay.required true &&
++ git init $mode-collision &&
++ (
++ cd $mode-collision &&
++ mkdir target-dir &&
++ empty_oid=$(printf "" | git hash-object -w --stdin) &&
++ symlink_oid=$(printf "%s" "$PWD/target-dir" | git hash-object -w --stdin) &&
++ attr_oid=$(echo "$dir/z filter=delay" | git hash-object -w --stdin) &&
++ cat >objs <<-EOF &&
++ 100644 blob $empty_oid $dir/x
++ 100644 blob $empty_oid $dir/y
++ 100644 blob $empty_oid $dir/z
++ 120000 blob $symlink_oid $symlink
++ 100644 blob $attr_oid .gitattributes
++ EOF
++ git update-index --index-info <objs &&
++ git commit -m "test commit"
++ ) &&
++ git clone $mode-collision $mode-collision-cloned &&
++ # Make sure z was really delayed
++ grep "IN: smudge $dir/z .* \\[DELAYED\\]" $mode-collision-cloned/delayed.log &&
++ # Should not create $dir/z at $symlink/z
++ test_path_is_missing $mode-collision/target-dir/z
++ '
++done
++
+ test_done
+diff --git a/t/t0021/rot13-filter.pl b/t/t0021/rot13-filter.pl
+index cd32a82..7bb9376 100644
+--- a/t/t0021/rot13-filter.pl
++++ b/t/t0021/rot13-filter.pl
+@@ -2,9 +2,15 @@
+ # Example implementation for the Git filter protocol version 2
+ # See Documentation/gitattributes.txt, section "Filter Protocol"
+ #
+-# The first argument defines a debug log file that the script write to.
+-# All remaining arguments define a list of supported protocol
+-# capabilities ("clean", "smudge", etc).
++# Usage: rot13-filter.pl [--always-delay] <log path> <capabilities>
++#
++# Log path defines a debug log file that the script writes to. The
++# subsequent arguments define a list of supported protocol capabilities
++# ("clean", "smudge", etc).
++#
++# When --always-delay is given all pathnames with the "can-delay" flag
++# that don't appear on the list bellow are delayed with a count of 1
++# (see more below).
+ #
+ # This implementation supports special test cases:
+ # (1) If data with the pathname "clean-write-fail.r" is processed with
+@@ -53,6 +59,13 @@ sub gitperllib {
+ use Git::Packet;
+
+ my $MAX_PACKET_CONTENT_SIZE = 65516;
++
++my $always_delay = 0;
++if ( $ARGV[0] eq '--always-delay' ) {
++ $always_delay = 1;
++ shift @ARGV;
++}
++
+ my $log_file = shift @ARGV;
+ my @capabilities = @ARGV;
+
+@@ -134,6 +147,8 @@ sub rot13 {
+ if ( $buffer eq "can-delay=1" ) {
+ if ( exists $DELAY{$pathname} and $DELAY{$pathname}{"requested"} == 0 ) {
+ $DELAY{$pathname}{"requested"} = 1;
++ } elsif ( !exists $DELAY{$pathname} and $always_delay ) {
++ $DELAY{$pathname} = { "requested" => 1, "count" => 1 };
+ }
+ } elsif ($buffer =~ /^(ref|treeish|blob)=/) {
+ print $debug " $buffer";
+diff --git a/t/t2006-checkout-index-basic.sh b/t/t2006-checkout-index-basic.sh
+index 57cbdfe..f223a02 100755
+--- a/t/t2006-checkout-index-basic.sh
++++ b/t/t2006-checkout-index-basic.sh
+@@ -21,4 +21,44 @@ test_expect_success 'checkout-index -h in broken repository' '
+ test_i18ngrep "[Uu]sage" broken/usage
+ '
+
++for mode in 'case' 'utf-8'
++do
++ case "$mode" in
++ case) dir='A' symlink='a' mode_prereq='CASE_INSENSITIVE_FS' ;;
++ utf-8)
++ dir=$(printf "\141\314\210") symlink=$(printf "\303\244")
++ mode_prereq='UTF8_NFD_TO_NFC' ;;
++ esac
++
++ test_expect_success SYMLINKS,$mode_prereq \
++ "checkout-index with $mode-collision don't write to the wrong place" '
++ git init $mode-collision &&
++ (
++ cd $mode-collision &&
++ mkdir target-dir &&
++ empty_obj_hex=$(git hash-object -w --stdin </dev/null) &&
++ symlink_hex=$(printf "%s" "$PWD/target-dir" | git hash-object -w --stdin) &&
++ cat >objs <<-EOF &&
++ 100644 blob ${empty_obj_hex} ${dir}/x
++ 100644 blob ${empty_obj_hex} ${dir}/y
++ 100644 blob ${empty_obj_hex} ${dir}/z
++ 120000 blob ${symlink_hex} ${symlink}
++ EOF
++ git update-index --index-info <objs &&
++ # Note: the order is important here to exercise the
++ # case where the file at ${dir} has its type changed by
++ # the time Git tries to check out ${dir}/z.
++ #
++ # Also, we use core.precomposeUnicode=false because we
++ # want Git to treat the UTF-8 paths transparently on
++ # Mac OS, matching what is in the index.
++ #
++ git -c core.precomposeUnicode=false checkout-index -f \
++ ${dir}/x ${dir}/y ${symlink} ${dir}/z &&
++ # Should not create ${dir}/z at ${symlink}/z
++ test_path_is_missing target-dir/z
++ )
++ '
++done
++
+ test_done
+--
+2.17.1
+
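Review bot: The header tag `Upstream-Status: Acepted [...]` is misspelt, and since the change is taken from the linked upstream commit it should read `Upstream-Status: Backport [https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592]`. The `From:` address (`flowrgom@gmail.com`) differs from the `Signed-off-by:` address (`flowergom@gmail.com`), and `From:` names the backporter while the body credits other authors, which blurs provenance for a CVE fix. On the code, `invalidate_lstat_cache()` resets only `default_cache`, so a caller that hands its own `struct cache_def` to the `threaded_*` helpers is presumably not covered by the `rmdir` wrapper; the comment added in `threaded_has_dirs_only_path` points at this and should be kept in view when the patch is refreshed.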
diff --git a/meta/recipes-devtools/git/git/fixsort.patch b/meta/recipes-devtools/git/git/fixsort.patch
new file mode 100644
index 0000000000..07a487e8ca
--- /dev/null
+++ b/meta/recipes-devtools/git/git/fixsort.patch
@@ -0,0 +1,31 @@
+[PATCH] generate-configlist.sh: Fix determinism issue
+
+Currently git binaries are not entirely reproducible, at least partly
+due to config-list.h differing in order depending on the system's
+locale settings. Under different locales, the entries:
+
+"sendemail.identity",
+"sendemail.<identity>.*",
+
+would differ in order for example and this leads to differences in
+the debug symbols for the binaries.
+
+This can be fixed by specifying the C locale for the sort in the
+shell script generating the header.
+
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Upstream-Status: Submitted [https://public-inbox.org/git/f029a942dd3d50d85e60bd37d8e454524987842f.camel@linuxfoundation.org/T/#u]
+
+Index: git-2.30.0/generate-configlist.sh
+===================================================================
+--- git-2.30.0.orig/generate-configlist.sh
++++ git-2.30.0/generate-configlist.sh
+@@ -9,7 +9,7 @@ static const char *config_name_list[] =
+ EOF
+ grep -h '^[a-zA-Z].*\..*::$' Documentation/*config.txt Documentation/config/*.txt |
+ sed '/deprecated/d; s/::$//; s/, */\n/g' |
+- sort |
++ LC_ALL=C sort |
+ sed 's/^.*$/ "&",/'
+ cat <<EOF
+ NULL,
diff --git a/meta/recipes-devtools/go/go-1.15.inc b/meta/recipes-devtools/go/go-1.15.inc
index abe74e5eb7..7c8190f68c 100644
--- a/meta/recipes-devtools/go/go-1.15.inc
+++ b/meta/recipes-devtools/go/go-1.15.inc
@@ -1,7 +1,7 @@
require go-common.inc
GO_BASEVERSION = "1.15"
-PV = "1.15.6"
+PV = "1.15.8"
FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/go-${GO_BASEVERSION}:"
LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
@@ -16,4 +16,4 @@ SRC_URI += "\
file://0007-cmd-go-make-GOROOT-precious-by-default.patch \
file://0008-use-GOBUILDMODE-to-set-buildmode.patch \
"
-SRC_URI[main.sha256sum] = "890bba73c5e2b19ffb1180e385ea225059eb008eb91b694875dd86ea48675817"
+SRC_URI[main.sha256sum] = "540c0ab7781084d124991321ed1458e479982de94454a98afab6acadf38497c2"
diff --git a/meta/recipes-devtools/go/go-binary-native_1.15.6.bb b/meta/recipes-devtools/go/go-binary-native_1.15.8.bb
index 622557ad2b..df697e2781 100644
--- a/meta/recipes-devtools/go/go-binary-native_1.15.6.bb
+++ b/meta/recipes-devtools/go/go-binary-native_1.15.8.bb
@@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
PROVIDES = "go-native"
SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}"
-SRC_URI[go_linux_amd64.sha256sum] = "3918e6cc85e7eaaa6f859f1bdbaac772e7a825b0eb423c63d3ae68b21f84b844"
-SRC_URI[go_linux_arm64.sha256sum] = "f87515b9744154ffe31182da9341d0a61eb0795551173d242c8cad209239e492"
+SRC_URI[go_linux_amd64.sha256sum] = "d3379c32a90fdf9382166f8f48034c459a8cc433730bc9476d39d9082c94583b"
+SRC_URI[go_linux_arm64.sha256sum] = "0e31ea4bf53496b0f0809730520dee98c0ae5c530f3701a19df0ba0a327bf3d2"
UPSTREAM_CHECK_URI = "https://golang.org/dl/"
UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux"
diff --git a/meta/recipes-devtools/libtool/libtool-2.4.6.inc b/meta/recipes-devtools/libtool/libtool-2.4.6.inc
index 8e17b56d46..19a03d4733 100644
--- a/meta/recipes-devtools/libtool/libtool-2.4.6.inc
+++ b/meta/recipes-devtools/libtool/libtool-2.4.6.inc
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/libtool/libtool-${PV}.tar.gz \
file://unwind-opt-parsing.patch \
file://0001-libtool-Fix-support-for-NIOS2-processor.patch \
file://0001-libtool-Check-for-static-libs-for-internal-compiler-.patch \
+ file://0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch \
"
SRC_URI[md5sum] = "addf44b646ddb4e3919805aa88fa7c5e"
diff --git a/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch b/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch
new file mode 100644
index 0000000000..2e9908725e
--- /dev/null
+++ b/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch
@@ -0,0 +1,35 @@
+From dfbbbd359e43e0a55fbea06f2647279ad8761cb9 Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Wed, 24 Mar 2021 03:04:13 +0000
+Subject: [PATCH] Makefile.am: make sure autoheader run before autoconf
+
+autoheader will update ../libtool-2.4.6/libltdl/config-h.in which
+autoconf needs, so there comes a race sometimes as below:
+ | configure.ac:45: error: required file 'config-h.in' not found
+ | touch '../libtool-2.4.6/libltdl/config-h.in'
+
+So make sure autoheader run before autoconf to avoid this race.
+
+Upstream-Status: Submitted [libtool-patches@gnu.org maillist]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 4142c90..fe1a9fc 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -365,7 +365,7 @@ lt_configure_deps = $(lt_aclocal_m4) $(lt_aclocal_m4_deps)
+ $(lt_aclocal_m4): $(lt_aclocal_m4_deps)
+ $(AM_V_GEN)cd '$(srcdir)/$(ltdl_dir)' && $(ACLOCAL) -I ../m4
+
+-$(lt_configure): $(lt_configure_deps)
++$(lt_configure): $(lt_configure_deps) $(lt_config_h_in)
+ $(AM_V_GEN)cd '$(srcdir)/$(ltdl_dir)' && $(AUTOCONF)
+
+ $(lt_config_h_in): $(lt_configure_deps)
+--
+2.29.2
+
diff --git a/meta/recipes-devtools/mtd/mtd-utils_git.bb b/meta/recipes-devtools/mtd/mtd-utils_git.bb
index 8d6bbfca3f..ff42219513 100644
--- a/meta/recipes-devtools/mtd/mtd-utils_git.bb
+++ b/meta/recipes-devtools/mtd/mtd-utils_git.bb
@@ -42,11 +42,9 @@ ALTERNATIVE_PRIORITY = "100"
ALTERNATIVE_${PN} = "flashcp flash_eraseall flash_lock flash_unlock nanddump nandwrite"
ALTERNATIVE_${PN}-ubifs = "ubiattach ubidetach ubimkvol ubirename ubirmvol ubirsvol ubiupdatevol"
-ALTERNATIVE_LINK_NAME[flash_eraseall] = "${sbindir}/flash_eraseall"
ALTERNATIVE_LINK_NAME[nandwrite] = "${sbindir}/nandwrite"
ALTERNATIVE_LINK_NAME[nanddump] = "${sbindir}/nanddump"
ALTERNATIVE_LINK_NAME[ubiattach] = "${sbindir}/ubiattach"
-ALTERNATIVE_LINK_NAME[ubiattach] = "${sbindir}/ubiattach"
ALTERNATIVE_LINK_NAME[ubidetach] = "${sbindir}/ubidetach"
ALTERNATIVE_LINK_NAME[ubimkvol] = "${sbindir}/ubimkvol"
ALTERNATIVE_LINK_NAME[ubirename] = "${sbindir}/ubirename"
diff --git a/meta/recipes-devtools/opkg/opkg/sourcedateepoch.patch b/meta/recipes-devtools/opkg/opkg/sourcedateepoch.patch
new file mode 100644
index 0000000000..4578fa33be
--- /dev/null
+++ b/meta/recipes-devtools/opkg/opkg/sourcedateepoch.patch
@@ -0,0 +1,24 @@
+Having CLEAN_DATE come from the current date doesn't allow for build
+reproducibility. Add the option of using SOURCE_DATE_EPOCH if set
+which for OE, it will be.
+
+Upstream-Status: Pending
+RP 2021/2/2
+
+Index: opkg-0.4.4/configure.ac
+===================================================================
+--- opkg-0.4.4.orig/configure.ac
++++ opkg-0.4.4/configure.ac
+@@ -281,7 +281,11 @@ AC_FUNC_UTIME_NULL
+ AC_FUNC_VPRINTF
+ AC_CHECK_FUNCS([memmove memset mkdir regcomp strchr strcspn strdup strerror strndup strrchr strstr strtol strtoul sysinfo utime])
+
+-CLEAN_DATE=`date +"%B %Y" | tr -d '\n'`
++if ! test -z "$SOURCE_DATE_EPOCH" ; then
++ CLEAN_DATE=`LC_ALL=C date -d @$SOURCE_DATE_EPOCH +"%B %Y" | tr -d '\n'`
++else
++ CLEAN_DATE=`date +"%B %Y" | tr -d '\n'`
++fi
+
+ AC_SUBST([CLEAN_DATE])
+
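Review bot: The `SOURCE_DATE_EPOCH` branch added to `configure.ac` formats the date in the build host's local timezone, so an epoch within a few hours of a month boundary can still give a different `CLEAN_DATE` on hosts in different zones. Passing `-u` closes that gap: `LC_ALL=C date -u -d "@$SOURCE_DATE_EPOCH" +"%B %Y"`. The `date -d @…` form is GNU syntax, which is worth stating in the patch header if this is meant to go upstream, since the header says `Upstream-Status: Pending`.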
diff --git a/meta/recipes-devtools/opkg/opkg_0.4.3.bb b/meta/recipes-devtools/opkg/opkg_0.4.3.bb
index 46b7aa2523..ea01d473fc 100644
--- a/meta/recipes-devtools/opkg/opkg_0.4.3.bb
+++ b/meta/recipes-devtools/opkg/opkg_0.4.3.bb
@@ -14,6 +14,7 @@ PE = "1"
SRC_URI = "http://downloads.yoctoproject.org/releases/${BPN}/${BPN}-${PV}.tar.gz \
file://opkg.conf \
file://0001-opkg_conf-create-opkg.lock-in-run-instead-of-var-run.patch \
+ file://sourcedateepoch.patch \
file://run-ptest \
"
diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index 29fa9152e2..4eab133128 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -6,7 +6,7 @@ SRC_URI = "git://git.yoctoproject.org/pseudo;branch=oe-core \
file://fallback-group \
"
-SRCREV = "f9754ac14672c4af19b77bc698a1a808b0828265"
+SRCREV = "ee24ebec9e5a11dd5208c9be2870f35eab3b9e20"
S = "${WORKDIR}/git"
PV = "1.9.0+git${SRCPV}"
diff --git a/meta/recipes-devtools/python/python3-jinja2_2.11.2.bb b/meta/recipes-devtools/python/python3-jinja2_2.11.2.bb
index 89538d2f27..9d0666a5c1 100644
--- a/meta/recipes-devtools/python/python3-jinja2_2.11.2.bb
+++ b/meta/recipes-devtools/python/python3-jinja2_2.11.2.bb
@@ -7,6 +7,8 @@ SRC_URI[sha256sum] = "89aab215427ef59c34ad58735269eb58b1a5808103067f7bb9d5836c65
PYPI_PACKAGE = "Jinja2"
+CVE_PRODUCT = "jinja2 jinja"
+
CLEANBROKEN = "1"
inherit pypi setuptools3
diff --git a/meta/recipes-devtools/python/python3-pycairo_1.19.1.bb b/meta/recipes-devtools/python/python3-pycairo_1.19.1.bb
index 34c8543bce..1734610d12 100644
--- a/meta/recipes-devtools/python/python3-pycairo_1.19.1.bb
+++ b/meta/recipes-devtools/python/python3-pycairo_1.19.1.bb
@@ -18,7 +18,7 @@ SRC_URI[sha256sum] = "2c143183280feb67f5beb4e543fd49990c28e7df427301ede04fc550d3
S = "${WORKDIR}/pycairo-${PV}"
-inherit meson pkgconfig
+inherit meson pkgconfig python3targetconfig
CFLAGS += "-fPIC"
diff --git a/meta/recipes-devtools/python/python3/CVE-2021-23336.patch b/meta/recipes-devtools/python/python3/CVE-2021-23336.patch
new file mode 100644
index 0000000000..27893f69fb
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2021-23336.patch
@@ -0,0 +1,548 @@
+From e3110c3cfbb7daa690d54d0eff6c264c870a71bf Mon Sep 17 00:00:00 2001
+From: Senthil Kumaran <senthil@uthcode.com>
+Date: Mon, 15 Feb 2021 10:15:02 -0800
+Subject: [PATCH] [3.8] bpo-42967: only use '&' as a query string separator
+ (GH-24297) (#24529)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* bpo-42967: only use '&' as a query string separator (#24297)
+
+bpo-42967: [security] Address a web cache-poisoning issue reported in
+urllib.parse.parse_qsl().
+
+urllib.parse will only us "&" as query string separator by default
+instead of both ";" and "&" as allowed in earlier versions. An optional
+argument seperator with default value "&" is added to specify the
+separator.
+
+Co-authored-by: Éric Araujo <merwok@netwok.org>
+Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
+Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
+Co-authored-by: Éric Araujo <merwok@netwok.org>
+(cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776)
+
+* [3.8] bpo-42967: only use '&' as a query string separator (GH-24297)
+
+bpo-42967: [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl().
+
+urllib.parse will only us "&" as query string separator by default instead of both ";" and "&" as allowed in earlier versions. An optional argument seperator with default value "&" is added to specify the separator.
+
+Co-authored-by: Éric Araujo <merwok@netwok.org>
+Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
+Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
+Co-authored-by: Éric Araujo <merwok@netwok.org>.
+(cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776)
+
+Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
+
+* Update correct version information.
+
+* fix docs and make logic clearer
+
+Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
+Co-authored-by: Fidget-Spinner <28750310+Fidget-Spinner@users.noreply.github.com>
+
+Upstream-Status: Backport [https://github.com/python/cpython/commit/e3110c3cfbb7daa690d54d0eff6c264c870a71bf]
+CVE: CVE-2020-23336
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ Doc/library/cgi.rst | 11 ++-
+ Doc/library/urllib.parse.rst | 22 +++++-
+ Doc/whatsnew/3.6.rst | 13 ++++
+ Doc/whatsnew/3.7.rst | 13 ++++
+ Doc/whatsnew/3.8.rst | 13 ++++
+ Lib/cgi.py | 23 ++++---
+ Lib/test/test_cgi.py | 29 ++++++--
+ Lib/test/test_urlparse.py | 68 +++++++++++++------
+ Lib/urllib/parse.py | 19 ++++--
+ .../2021-02-14-15-59-16.bpo-42967.YApqDS.rst | 1 +
+ 10 files changed, 166 insertions(+), 46 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst
+
+diff --git a/Doc/library/cgi.rst b/Doc/library/cgi.rst
+index 4048592e7361f..880074bed6026 100644
+--- a/Doc/library/cgi.rst
++++ b/Doc/library/cgi.rst
+@@ -277,14 +277,16 @@ These are useful if you want more control, or if you want to employ some of the
+ algorithms implemented in this module in other circumstances.
+
+
+-.. function:: parse(fp=None, environ=os.environ, keep_blank_values=False, strict_parsing=False)
++.. function:: parse(fp=None, environ=os.environ, keep_blank_values=False, strict_parsing=False, separator="&")
+
+ Parse a query in the environment or from a file (the file defaults to
+- ``sys.stdin``). The *keep_blank_values* and *strict_parsing* parameters are
++ ``sys.stdin``). The *keep_blank_values*, *strict_parsing* and *separator* parameters are
+ passed to :func:`urllib.parse.parse_qs` unchanged.
+
++ .. versionchanged:: 3.8.8
++ Added the *separator* parameter.
+
+-.. function:: parse_multipart(fp, pdict, encoding="utf-8", errors="replace")
++.. function:: parse_multipart(fp, pdict, encoding="utf-8", errors="replace", separator="&")
+
+ Parse input of type :mimetype:`multipart/form-data` (for file uploads).
+ Arguments are *fp* for the input file, *pdict* for a dictionary containing
+@@ -303,6 +305,9 @@ algorithms implemented in this module in other circumstances.
+ Added the *encoding* and *errors* parameters. For non-file fields, the
+ value is now a list of strings, not bytes.
+
++ .. versionchanged:: 3.8.8
++ Added the *separator* parameter.
++
+
+ .. function:: parse_header(string)
+
+diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst
+index 25e5cc1a6ce0b..fcad7076e6c77 100644
+--- a/Doc/library/urllib.parse.rst
++++ b/Doc/library/urllib.parse.rst
+@@ -165,7 +165,7 @@ or on combining URL components into a URL string.
+ now raise :exc:`ValueError`.
+
+
+-.. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None)
++.. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None, separator='&')
+
+ Parse a query string given as a string argument (data of type
+ :mimetype:`application/x-www-form-urlencoded`). Data are returned as a
+@@ -190,6 +190,9 @@ or on combining URL components into a URL string.
+ read. If set, then throws a :exc:`ValueError` if there are more than
+ *max_num_fields* fields read.
+
++ The optional argument *separator* is the symbol to use for separating the
++ query arguments. It defaults to ``&``.
++
+ Use the :func:`urllib.parse.urlencode` function (with the ``doseq``
+ parameter set to ``True``) to convert such dictionaries into query
+ strings.
+@@ -201,8 +204,14 @@ or on combining URL components into a URL string.
+ .. versionchanged:: 3.8
+ Added *max_num_fields* parameter.
+
++ .. versionchanged:: 3.8.8
++ Added *separator* parameter with the default value of ``&``. Python
++ versions earlier than Python 3.8.8 allowed using both ``;`` and ``&`` as
++ query parameter separator. This has been changed to allow only a single
++ separator key, with ``&`` as the default separator.
++
+
+-.. function:: parse_qsl(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None)
++.. function:: parse_qsl(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None, separator='&')
+
+ Parse a query string given as a string argument (data of type
+ :mimetype:`application/x-www-form-urlencoded`). Data are returned as a list of
+@@ -226,6 +235,9 @@ or on combining URL components into a URL string.
+ read. If set, then throws a :exc:`ValueError` if there are more than
+ *max_num_fields* fields read.
+
++ The optional argument *separator* is the symbol to use for separating the
++ query arguments. It defaults to ``&``.
++
+ Use the :func:`urllib.parse.urlencode` function to convert such lists of pairs into
+ query strings.
+
+@@ -235,6 +247,12 @@ or on combining URL components into a URL string.
+ .. versionchanged:: 3.8
+ Added *max_num_fields* parameter.
+
++ .. versionchanged:: 3.8.8
++ Added *separator* parameter with the default value of ``&``. Python
++ versions earlier than Python 3.8.8 allowed using both ``;`` and ``&`` as
++ query parameter separator. This has been changed to allow only a single
++ separator key, with ``&`` as the default separator.
++
+
+ .. function:: urlunparse(parts)
+
+diff --git a/Doc/whatsnew/3.6.rst b/Doc/whatsnew/3.6.rst
+index 85a6657fdfbda..03a877a3d9178 100644
+--- a/Doc/whatsnew/3.6.rst
++++ b/Doc/whatsnew/3.6.rst
+@@ -2443,3 +2443,16 @@ because of the behavior of the socket option ``SO_REUSEADDR`` in UDP. For more
+ details, see the documentation for ``loop.create_datagram_endpoint()``.
+ (Contributed by Kyle Stanley, Antoine Pitrou, and Yury Selivanov in
+ :issue:`37228`.)
++
++Notable changes in Python 3.6.13
++================================
++
++Earlier Python versions allowed using both ``;`` and ``&`` as
++query parameter separators in :func:`urllib.parse.parse_qs` and
++:func:`urllib.parse.parse_qsl`. Due to security concerns, and to conform with
++newer W3C recommendations, this has been changed to allow only a single
++separator key, with ``&`` as the default. This change also affects
++:func:`cgi.parse` and :func:`cgi.parse_multipart` as they use the affected
++functions internally. For more details, please see their respective
++documentation.
++(Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)
+diff --git a/Doc/whatsnew/3.7.rst b/Doc/whatsnew/3.7.rst
+index 4933cba3990b1..824dc13e0c6fd 100644
+--- a/Doc/whatsnew/3.7.rst
++++ b/Doc/whatsnew/3.7.rst
+@@ -2556,3 +2556,16 @@ because of the behavior of the socket option ``SO_REUSEADDR`` in UDP. For more
+ details, see the documentation for ``loop.create_datagram_endpoint()``.
+ (Contributed by Kyle Stanley, Antoine Pitrou, and Yury Selivanov in
+ :issue:`37228`.)
++
++Notable changes in Python 3.7.10
++================================
++
++Earlier Python versions allowed using both ``;`` and ``&`` as
++query parameter separators in :func:`urllib.parse.parse_qs` and
++:func:`urllib.parse.parse_qsl`. Due to security concerns, and to conform with
++newer W3C recommendations, this has been changed to allow only a single
++separator key, with ``&`` as the default. This change also affects
++:func:`cgi.parse` and :func:`cgi.parse_multipart` as they use the affected
++functions internally. For more details, please see their respective
++documentation.
++(Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)
+diff --git a/Doc/whatsnew/3.8.rst b/Doc/whatsnew/3.8.rst
+index 1a192800b2f02..632ccc1f2c40a 100644
+--- a/Doc/whatsnew/3.8.rst
++++ b/Doc/whatsnew/3.8.rst
+@@ -2251,3 +2251,16 @@ The constant values of future flags in the :mod:`__future__` module
+ are updated in order to prevent collision with compiler flags. Previously
+ ``PyCF_ALLOW_TOP_LEVEL_AWAIT`` was clashing with ``CO_FUTURE_DIVISION``.
+ (Contributed by Batuhan Taskaya in :issue:`39562`)
++
++Notable changes in Python 3.8.8
++===============================
++
++Earlier Python versions allowed using both ``;`` and ``&`` as
++query parameter separators in :func:`urllib.parse.parse_qs` and
++:func:`urllib.parse.parse_qsl`. Due to security concerns, and to conform with
++newer W3C recommendations, this has been changed to allow only a single
++separator key, with ``&`` as the default. This change also affects
++:func:`cgi.parse` and :func:`cgi.parse_multipart` as they use the affected
++functions internally. For more details, please see their respective
++documentation.
++(Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)
+diff --git a/Lib/cgi.py b/Lib/cgi.py
+index 77ab703cc0360..1e880e51848af 100755
+--- a/Lib/cgi.py
++++ b/Lib/cgi.py
+@@ -115,7 +115,8 @@ def closelog():
+ # 0 ==> unlimited input
+ maxlen = 0
+
+-def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0):
++def parse(fp=None, environ=os.environ, keep_blank_values=0,
++ strict_parsing=0, separator='&'):
+ """Parse a query in the environment or from a file (default stdin)
+
+ Arguments, all optional:
+@@ -134,6 +135,9 @@ def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0):
+ strict_parsing: flag indicating what to do with parsing errors.
+ If false (the default), errors are silently ignored.
+ If true, errors raise a ValueError exception.
++
++ separator: str. The symbol to use for separating the query arguments.
++ Defaults to &.
+ """
+ if fp is None:
+ fp = sys.stdin
+@@ -154,7 +158,7 @@ def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0):
+ if environ['REQUEST_METHOD'] == 'POST':
+ ctype, pdict = parse_header(environ['CONTENT_TYPE'])
+ if ctype == 'multipart/form-data':
+- return parse_multipart(fp, pdict)
++ return parse_multipart(fp, pdict, separator=separator)
+ elif ctype == 'application/x-www-form-urlencoded':
+ clength = int(environ['CONTENT_LENGTH'])
+ if maxlen and clength > maxlen:
+@@ -178,10 +182,10 @@ def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0):
+ qs = ""
+ environ['QUERY_STRING'] = qs # XXX Shouldn't, really
+ return urllib.parse.parse_qs(qs, keep_blank_values, strict_parsing,
+- encoding=encoding)
++ encoding=encoding, separator=separator)
+
+
+-def parse_multipart(fp, pdict, encoding="utf-8", errors="replace"):
++def parse_multipart(fp, pdict, encoding="utf-8", errors="replace", separator='&'):
+ """Parse multipart input.
+
+ Arguments:
+@@ -205,7 +209,7 @@ def parse_multipart(fp, pdict, encoding="utf-8", errors="replace"):
+ except KeyError:
+ pass
+ fs = FieldStorage(fp, headers=headers, encoding=encoding, errors=errors,
+- environ={'REQUEST_METHOD': 'POST'})
++ environ={'REQUEST_METHOD': 'POST'}, separator=separator)
+ return {k: fs.getlist(k) for k in fs}
+
+ def _parseparam(s):
+@@ -315,7 +319,7 @@ class FieldStorage:
+ def __init__(self, fp=None, headers=None, outerboundary=b'',
+ environ=os.environ, keep_blank_values=0, strict_parsing=0,
+ limit=None, encoding='utf-8', errors='replace',
+- max_num_fields=None):
++ max_num_fields=None, separator='&'):
+ """Constructor. Read multipart/* until last part.
+
+ Arguments, all optional:
+@@ -363,6 +367,7 @@ def __init__(self, fp=None, headers=None, outerboundary=b'',
+ self.keep_blank_values = keep_blank_values
+ self.strict_parsing = strict_parsing
+ self.max_num_fields = max_num_fields
++ self.separator = separator
+ if 'REQUEST_METHOD' in environ:
+ method = environ['REQUEST_METHOD'].upper()
+ self.qs_on_post = None
+@@ -589,7 +594,7 @@ def read_urlencoded(self):
+ query = urllib.parse.parse_qsl(
+ qs, self.keep_blank_values, self.strict_parsing,
+ encoding=self.encoding, errors=self.errors,
+- max_num_fields=self.max_num_fields)
++ max_num_fields=self.max_num_fields, separator=self.separator)
+ self.list = [MiniFieldStorage(key, value) for key, value in query]
+ self.skip_lines()
+
+@@ -605,7 +610,7 @@ def read_multi(self, environ, keep_blank_values, strict_parsing):
+ query = urllib.parse.parse_qsl(
+ self.qs_on_post, self.keep_blank_values, self.strict_parsing,
+ encoding=self.encoding, errors=self.errors,
+- max_num_fields=self.max_num_fields)
++ max_num_fields=self.max_num_fields, separator=self.separator)
+ self.list.extend(MiniFieldStorage(key, value) for key, value in query)
+
+ klass = self.FieldStorageClass or self.__class__
+@@ -649,7 +654,7 @@ def read_multi(self, environ, keep_blank_values, strict_parsing):
+ else self.limit - self.bytes_read
+ part = klass(self.fp, headers, ib, environ, keep_blank_values,
+ strict_parsing, limit,
+- self.encoding, self.errors, max_num_fields)
++ self.encoding, self.errors, max_num_fields, self.separator)
+
+ if max_num_fields is not None:
+ max_num_fields -= 1
+diff --git a/Lib/test/test_cgi.py b/Lib/test/test_cgi.py
+index 101942de947fb..4e1506a6468b9 100644
+--- a/Lib/test/test_cgi.py
++++ b/Lib/test/test_cgi.py
+@@ -53,12 +53,9 @@ def do_test(buf, method):
+ ("", ValueError("bad query field: ''")),
+ ("&", ValueError("bad query field: ''")),
+ ("&&", ValueError("bad query field: ''")),
+- (";", ValueError("bad query field: ''")),
+- (";&;", ValueError("bad query field: ''")),
+ # Should the next few really be valid?
+ ("=", {}),
+ ("=&=", {}),
+- ("=;=", {}),
+ # This rest seem to make sense
+ ("=a", {'': ['a']}),
+ ("&=a", ValueError("bad query field: ''")),
+@@ -73,8 +70,6 @@ def do_test(buf, method):
+ ("a=a+b&b=b+c", {'a': ['a b'], 'b': ['b c']}),
+ ("a=a+b&a=b+a", {'a': ['a b', 'b a']}),
+ ("x=1&y=2.0&z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}),
+- ("x=1;y=2.0&z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}),
+- ("x=1;y=2.0;z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}),
+ ("Hbc5161168c542333633315dee1182227:key_store_seqid=400006&cuyer=r&view=bustomer&order_id=0bb2e248638833d48cb7fed300000f1b&expire=964546263&lobale=en-US&kid=130003.300038&ss=env",
+ {'Hbc5161168c542333633315dee1182227:key_store_seqid': ['400006'],
+ 'cuyer': ['r'],
+@@ -201,6 +196,30 @@ def test_strict(self):
+ else:
+ self.assertEqual(fs.getvalue(key), expect_val[0])
+
++ def test_separator(self):
++ parse_semicolon = [
++ ("x=1;y=2.0", {'x': ['1'], 'y': ['2.0']}),
++ ("x=1;y=2.0;z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}),
++ (";", ValueError("bad query field: ''")),
++ (";;", ValueError("bad query field: ''")),
++ ("=;a", ValueError("bad query field: 'a'")),
++ (";b=a", ValueError("bad query field: ''")),
++ ("b;=a", ValueError("bad query field: 'b'")),
++ ("a=a+b;b=b+c", {'a': ['a b'], 'b': ['b c']}),
++ ("a=a+b;a=b+a", {'a': ['a b', 'b a']}),
++ ]
++ for orig, expect in parse_semicolon:
++ env = {'QUERY_STRING': orig}
++ fs = cgi.FieldStorage(separator=';', environ=env)
++ if isinstance(expect, dict):
++ for key in expect.keys():
++ expect_val = expect[key]
++ self.assertIn(key, fs)
++ if len(expect_val) > 1:
++ self.assertEqual(fs.getvalue(key), expect_val)
++ else:
++ self.assertEqual(fs.getvalue(key), expect_val[0])
++
+ def test_log(self):
+ cgi.log("Testing")
+
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 4ae6ed33858ce..90c8d6922629e 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -32,16 +32,10 @@
+ (b"&a=b", [(b'a', b'b')]),
+ (b"a=a+b&b=b+c", [(b'a', b'a b'), (b'b', b'b c')]),
+ (b"a=1&a=2", [(b'a', b'1'), (b'a', b'2')]),
+- (";", []),
+- (";;", []),
+- (";a=b", [('a', 'b')]),
+- ("a=a+b;b=b+c", [('a', 'a b'), ('b', 'b c')]),
+- ("a=1;a=2", [('a', '1'), ('a', '2')]),
+- (b";", []),
+- (b";;", []),
+- (b";a=b", [(b'a', b'b')]),
+- (b"a=a+b;b=b+c", [(b'a', b'a b'), (b'b', b'b c')]),
+- (b"a=1;a=2", [(b'a', b'1'), (b'a', b'2')]),
++ (";a=b", [(';a', 'b')]),
++ ("a=a+b;b=b+c", [('a', 'a b;b=b c')]),
++ (b";a=b", [(b';a', b'b')]),
++ (b"a=a+b;b=b+c", [(b'a', b'a b;b=b c')]),
+ ]
+
+ # Each parse_qs testcase is a two-tuple that contains
+@@ -68,16 +62,10 @@
+ (b"&a=b", {b'a': [b'b']}),
+ (b"a=a+b&b=b+c", {b'a': [b'a b'], b'b': [b'b c']}),
+ (b"a=1&a=2", {b'a': [b'1', b'2']}),
+- (";", {}),
+- (";;", {}),
+- (";a=b", {'a': ['b']}),
+- ("a=a+b;b=b+c", {'a': ['a b'], 'b': ['b c']}),
+- ("a=1;a=2", {'a': ['1', '2']}),
+- (b";", {}),
+- (b";;", {}),
+- (b";a=b", {b'a': [b'b']}),
+- (b"a=a+b;b=b+c", {b'a': [b'a b'], b'b': [b'b c']}),
+- (b"a=1;a=2", {b'a': [b'1', b'2']}),
++ (";a=b", {';a': ['b']}),
++ ("a=a+b;b=b+c", {'a': ['a b;b=b c']}),
++ (b";a=b", {b';a': [b'b']}),
++ (b"a=a+b;b=b+c", {b'a':[ b'a b;b=b c']}),
+ ]
+
+ class UrlParseTestCase(unittest.TestCase):
+@@ -884,10 +872,46 @@ def test_parse_qsl_encoding(self):
+ def test_parse_qsl_max_num_fields(self):
+ with self.assertRaises(ValueError):
+ urllib.parse.parse_qs('&'.join(['a=a']*11), max_num_fields=10)
+- with self.assertRaises(ValueError):
+- urllib.parse.parse_qs(';'.join(['a=a']*11), max_num_fields=10)
+ urllib.parse.parse_qs('&'.join(['a=a']*10), max_num_fields=10)
+
++ def test_parse_qs_separator(self):
++ parse_qs_semicolon_cases = [
++ (";", {}),
++ (";;", {}),
++ (";a=b", {'a': ['b']}),
++ ("a=a+b;b=b+c", {'a': ['a b'], 'b': ['b c']}),
++ ("a=1;a=2", {'a': ['1', '2']}),
++ (b";", {}),
++ (b";;", {}),
++ (b";a=b", {b'a': [b'b']}),
++ (b"a=a+b;b=b+c", {b'a': [b'a b'], b'b': [b'b c']}),
++ (b"a=1;a=2", {b'a': [b'1', b'2']}),
++ ]
++ for orig, expect in parse_qs_semicolon_cases:
++ with self.subTest(f"Original: {orig!r}, Expected: {expect!r}"):
++ result = urllib.parse.parse_qs(orig, separator=';')
++ self.assertEqual(result, expect, "Error parsing %r" % orig)
++
++
++ def test_parse_qsl_separator(self):
++ parse_qsl_semicolon_cases = [
++ (";", []),
++ (";;", []),
++ (";a=b", [('a', 'b')]),
++ ("a=a+b;b=b+c", [('a', 'a b'), ('b', 'b c')]),
++ ("a=1;a=2", [('a', '1'), ('a', '2')]),
++ (b";", []),
++ (b";;", []),
++ (b";a=b", [(b'a', b'b')]),
++ (b"a=a+b;b=b+c", [(b'a', b'a b'), (b'b', b'b c')]),
++ (b"a=1;a=2", [(b'a', b'1'), (b'a', b'2')]),
++ ]
++ for orig, expect in parse_qsl_semicolon_cases:
++ with self.subTest(f"Original: {orig!r}, Expected: {expect!r}"):
++ result = urllib.parse.parse_qsl(orig, separator=';')
++ self.assertEqual(result, expect, "Error parsing %r" % orig)
++
++
+ def test_urlencode_sequences(self):
+ # Other tests incidentally urlencode things; test non-covered cases:
+ # Sequence and object values.
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index 95be7181133b4..0c1c94f5fc986 100644
+--- a/Lib/urllib/parse.py
++++ b/Lib/urllib/parse.py
+@@ -650,7 +650,7 @@ def unquote(string, encoding='utf-8', errors='replace'):
+
+
+ def parse_qs(qs, keep_blank_values=False, strict_parsing=False,
+- encoding='utf-8', errors='replace', max_num_fields=None):
++ encoding='utf-8', errors='replace', max_num_fields=None, separator='&'):
+ """Parse a query given as a string argument.
+
+ Arguments:
+@@ -674,12 +674,15 @@ def parse_qs(qs, keep_blank_values=False, strict_parsing=False,
+ max_num_fields: int. If set, then throws a ValueError if there
+ are more than n fields read by parse_qsl().
+
++ separator: str. The symbol to use for separating the query arguments.
++ Defaults to &.
++
+ Returns a dictionary.
+ """
+ parsed_result = {}
+ pairs = parse_qsl(qs, keep_blank_values, strict_parsing,
+ encoding=encoding, errors=errors,
+- max_num_fields=max_num_fields)
++ max_num_fields=max_num_fields, separator=separator)
+ for name, value in pairs:
+ if name in parsed_result:
+ parsed_result[name].append(value)
+@@ -689,7 +692,7 @@ def parse_qs(qs, keep_blank_values=False, strict_parsing=False,
+
+
+ def parse_qsl(qs, keep_blank_values=False, strict_parsing=False,
+- encoding='utf-8', errors='replace', max_num_fields=None):
++ encoding='utf-8', errors='replace', max_num_fields=None, separator='&'):
+ """Parse a query given as a string argument.
+
+ Arguments:
+@@ -712,19 +715,25 @@ def parse_qsl(qs, keep_blank_values=False, strict_parsing=False,
+ max_num_fields: int. If set, then throws a ValueError
+ if there are more than n fields read by parse_qsl().
+
++ separator: str. The symbol to use for separating the query arguments.
++ Defaults to &.
++
+ Returns a list, as G-d intended.
+ """
+ qs, _coerce_result = _coerce_args(qs)
+
++ if not separator or (not isinstance(separator, (str, bytes))):
++ raise ValueError("Separator must be of type string or bytes.")
++
+ # If max_num_fields is defined then check that the number of fields
+ # is less than max_num_fields. This prevents a memory exhaustion DOS
+ # attack via post bodies with many fields.
+ if max_num_fields is not None:
+- num_fields = 1 + qs.count('&') + qs.count(';')
++ num_fields = 1 + qs.count(separator)
+ if max_num_fields < num_fields:
+ raise ValueError('Max number of fields exceeded')
+
+- pairs = [s2 for s1 in qs.split('&') for s2 in s1.split(';')]
++ pairs = [s1 for s1 in qs.split(separator)]
+ r = []
+ for name_value in pairs:
+ if not name_value and not strict_parsing:
+diff --git a/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst b/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst
+new file mode 100644
+index 0000000000000..f08489b41494e
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst
+@@ -0,0 +1 @@
++Fix web cache poisoning vulnerability by defaulting the query args separator to ``&``, and allowing the user to choose a custom separator.
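Review bot: The `CVE:` tag in the patch header reads `CVE-2020-23336`, while the file is named `CVE-2021-23336.patch`; the year looks like a typo. Any tooling or audit that takes the patched identifier from this tag would record an ID this backport does not address and would have to rely on the filename to find the right one. The line should read `CVE: CVE-2021-23336`.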
diff --git a/meta/recipes-devtools/python/python3/CVE-2021-3177.patch b/meta/recipes-devtools/python/python3/CVE-2021-3177.patch
new file mode 100644
index 0000000000..43d678db46
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2021-3177.patch
@@ -0,0 +1,191 @@
+From ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 18 Jan 2021 13:28:52 -0800
+Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode
+ formatting in ctypes param reprs. (GH-24248)
+
+(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7)
+
+Co-authored-by: Benjamin Peterson <benjamin@python.org>
+
+Co-authored-by: Benjamin Peterson <benjamin@python.org>
+
+CVE: CVE-2021-3177
+Upstream-Status: Backport [https://github.com/python/cpython/commit/ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++
+ .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 +
+ Modules/_ctypes/callproc.c | 51 +++++++------------
+ 3 files changed, 64 insertions(+), 32 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+
+diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py
+index e4c25fd880cef..531894fdec838 100644
+--- a/Lib/ctypes/test/test_parameters.py
++++ b/Lib/ctypes/test/test_parameters.py
+@@ -201,6 +201,49 @@ def __dict__(self):
+ with self.assertRaises(ZeroDivisionError):
+ WorseStruct().__setstate__({}, b'foo')
+
++ def test_parameter_repr(self):
++ from ctypes import (
++ c_bool,
++ c_char,
++ c_wchar,
++ c_byte,
++ c_ubyte,
++ c_short,
++ c_ushort,
++ c_int,
++ c_uint,
++ c_long,
++ c_ulong,
++ c_longlong,
++ c_ulonglong,
++ c_float,
++ c_double,
++ c_longdouble,
++ c_char_p,
++ c_wchar_p,
++ c_void_p,
++ )
++ self.assertRegex(repr(c_bool.from_param(True)), r"^<cparam '\?' at 0x[A-Fa-f0-9]+>$")
++ self.assertEqual(repr(c_char.from_param(97)), "<cparam 'c' ('a')>")
++ self.assertRegex(repr(c_wchar.from_param('a')), r"^<cparam 'u' at 0x[A-Fa-f0-9]+>$")
++ self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b' (98)>")
++ self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B' (98)>")
++ self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h' (511)>")
++ self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H' (511)>")
++ self.assertRegex(repr(c_int.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
++ self.assertRegex(repr(c_uint.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
++ self.assertRegex(repr(c_long.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
++ self.assertRegex(repr(c_ulong.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
++ self.assertRegex(repr(c_longlong.from_param(20000)), r"^<cparam '[liq]' \(20000\)>$")
++ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^<cparam '[LIQ]' \(20000\)>$")
++ self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5)>")
++ self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd' (1.5)>")
++ self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd' (1e+300)>")
++ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^<cparam ('d' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$")
++ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$")
++ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^<cparam 'Z' \(0x[A-Fa-f0-9]+\)>$")
++ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^<cparam 'P' \(0x0*12\)>$")
++
+ ################################################################
+
+ if __name__ == '__main__':
+diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+new file mode 100644
+index 0000000000000..7df65a156feab
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+@@ -0,0 +1,2 @@
++Avoid static buffers when computing the repr of :class:`ctypes.c_double` and
++:class:`ctypes.c_longdouble` values.
+diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c
+index a9b8675cd951b..de75918d49f37 100644
+--- a/Modules/_ctypes/callproc.c
++++ b/Modules/_ctypes/callproc.c
+@@ -484,58 +484,47 @@ is_literal_char(unsigned char c)
+ static PyObject *
+ PyCArg_repr(PyCArgObject *self)
+ {
+- char buffer[256];
+ switch(self->tag) {
+ case 'b':
+ case 'B':
+- sprintf(buffer, "<cparam '%c' (%d)>",
++ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
+ self->tag, self->value.b);
+- break;
+ case 'h':
+ case 'H':
+- sprintf(buffer, "<cparam '%c' (%d)>",
++ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
+ self->tag, self->value.h);
+- break;
+ case 'i':
+ case 'I':
+- sprintf(buffer, "<cparam '%c' (%d)>",
++ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
+ self->tag, self->value.i);
+- break;
+ case 'l':
+ case 'L':
+- sprintf(buffer, "<cparam '%c' (%ld)>",
++ return PyUnicode_FromFormat("<cparam '%c' (%ld)>",
+ self->tag, self->value.l);
+- break;
+
+ case 'q':
+ case 'Q':
+- sprintf(buffer,
+-#ifdef MS_WIN32
+- "<cparam '%c' (%I64d)>",
+-#else
+- "<cparam '%c' (%lld)>",
+-#endif
++ return PyUnicode_FromFormat("<cparam '%c' (%lld)>",
+ self->tag, self->value.q);
+- break;
+ case 'd':
+- sprintf(buffer, "<cparam '%c' (%f)>",
+- self->tag, self->value.d);
+- break;
+- case 'f':
+- sprintf(buffer, "<cparam '%c' (%f)>",
+- self->tag, self->value.f);
+- break;
+-
++ case 'f': {
++ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d);
++ if (f == NULL) {
++ return NULL;
++ }
++ PyObject *result = PyUnicode_FromFormat("<cparam '%c' (%R)>", self->tag, f);
++ Py_DECREF(f);
++ return result;
++ }
+ case 'c':
+ if (is_literal_char((unsigned char)self->value.c)) {
+- sprintf(buffer, "<cparam '%c' ('%c')>",
++ return PyUnicode_FromFormat("<cparam '%c' ('%c')>",
+ self->tag, self->value.c);
+ }
+ else {
+- sprintf(buffer, "<cparam '%c' ('\\x%02x')>",
++ return PyUnicode_FromFormat("<cparam '%c' ('\\x%02x')>",
+ self->tag, (unsigned char)self->value.c);
+ }
+- break;
+
+ /* Hm, are these 'z' and 'Z' codes useful at all?
+ Shouldn't they be replaced by the functionality of c_string
+@@ -544,22 +533,20 @@ PyCArg_repr(PyCArgObject *self)
+ case 'z':
+ case 'Z':
+ case 'P':
+- sprintf(buffer, "<cparam '%c' (%p)>",
++ return PyUnicode_FromFormat("<cparam '%c' (%p)>",
+ self->tag, self->value.p);
+ break;
+
+ default:
+ if (is_literal_char((unsigned char)self->tag)) {
+- sprintf(buffer, "<cparam '%c' at %p>",
++ return PyUnicode_FromFormat("<cparam '%c' at %p>",
+ (unsigned char)self->tag, (void *)self);
+ }
+ else {
+- sprintf(buffer, "<cparam 0x%02x at %p>",
++ return PyUnicode_FromFormat("<cparam 0x%02x at %p>",
+ (unsigned char)self->tag, (void *)self);
+ }
+- break;
+ }
+- return PyUnicode_FromString(buffer);
+ }
+
+ static PyMemberDef PyCArgType_members[] = {
+
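Review bot: The last two pointer checks in test_parameter_repr pass non-raw patterns, `"^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$"` and the matching `'Z'` line, while every other assertRegex call in the test uses an `r"..."` literal. `\(` in a normal string is an invalid escape sequence that newer Python versions warn about, so both should be written as `r"^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$"`. In callproc.c the `break;` that remains after the `return` in the `'z'`/`'Z'`/`'P'` case is now unreachable and can be dropped. Both points come from the upstream commit, so they are best raised there if the backport is meant to stay identical to it.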
diff --git a/meta/recipes-devtools/python/python3_3.8.5.bb b/meta/recipes-devtools/python/python3_3.8.5.bb
index f09a3c1d6e..418d35acfe 100644
--- a/meta/recipes-devtools/python/python3_3.8.5.bb
+++ b/meta/recipes-devtools/python/python3_3.8.5.bb
@@ -33,6 +33,8 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \
file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
file://CVE-2020-27619.patch \
+ file://CVE-2021-3177.patch \
+ file://CVE-2021-23336.patch \
"
SRC_URI_append_class-native = " \
@@ -168,6 +170,10 @@ do_install_append() {
}
do_install_append_class-nativesdk () {
+ # Make sure we use /usr/bin/env python
+ for PYTHSCRIPT in `grep -rIl ${bindir}/python ${D}${bindir}`; do
+ sed -i -e '1s|^#!.*|#!/usr/bin/env python3|' $PYTHSCRIPT
+ done
create_wrapper ${D}${bindir}/python${PYTHON_MAJMIN} TERMINFO_DIRS='${sysconfdir}/terminfo:/etc/terminfo:/usr/share/terminfo:/usr/share/misc/terminfo:/lib/terminfo' PYTHONNOUSERSITE='1'
}
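Review bot: The loop selects files with `grep -rIl ${bindir}/python`, which matches the path anywhere in a file, and the `sed` then rewrites line 1 of every match that begins with `#!`. A non-Python script that only mentions the interpreter path further down would therefore get a python3 shebang. Tying the substitution to the interpreter path keeps it to real Python scripts, for example `sed -i -e '1s|^#!.*${bindir}/python.*|#!/usr/bin/env python3|' "$PYTHSCRIPT"`, and the quoting also avoids word splitting on unusual file names. The comment says `/usr/bin/env python` while the replacement writes `python3`; it should read `# Make sure we use /usr/bin/env python3`.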
@@ -306,11 +312,8 @@ do_create_manifest() {
}
# bitbake python -c create_manifest
-addtask do_create_manifest
-
# Make sure we have native python ready when we create a new manifest
-do_create_manifest[depends] += "${PN}:do_prepare_recipe_sysroot"
-do_create_manifest[depends] += "${PN}:do_patch"
+addtask do_create_manifest after do_patch do_prepare_recipe_sysroot
# manual dependency additions
RRECOMMENDS_${PN}-core_append_class-nativesdk = " nativesdk-python3-modules"
@@ -363,3 +366,9 @@ RDEPENDS_${PN}-dev = ""
RDEPENDS_${PN}-tests_append_class-target = " ${MLPREFIX}bash"
RDEPENDS_${PN}-tests_append_class-nativesdk = " ${MLPREFIX}bash"
+
+# Python's tests contain large numbers of files we don't need in the recipe sysroots
+SYSROOT_PREPROCESS_FUNCS += " py3_sysroot_cleanup"
+py3_sysroot_cleanup () {
+ rm -rf ${SYSROOT_DESTDIR}${libdir}/python${PYTHON_MAJMIN}/test
+}
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 69b9a5f89e..482ca3d6e5 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -37,6 +37,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2020-25624.patch \
file://CVE-2020-25723.patch \
file://CVE-2020-28916.patch \
+ file://CVE-2020-35517.patch \
+ file://CVE-2020-29443.patch \
+ file://CVE-2021-20203.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
new file mode 100644
index 0000000000..5a3b99bb23
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
@@ -0,0 +1,46 @@
+
+m 813212288970c39b1800f63e83ac6e96588095c6 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 1 Dec 2020 13:09:26 +0100
+Subject: [PATCH] ide: atapi: assert that the buffer pointer is in range
+
+A case was reported where s->io_buffer_index can be out of range.
+The report skimped on the details but it seems to be triggered
+by s->lba == -1 on the READ/READ CD paths (e.g. by sending an
+ATAPI command with LBA = 0xFFFFFFFF). For now paper over it
+with assertions. The first one ensures that there is no overflow
+when incrementing s->io_buffer_index, the second checks for the
+buffer overrun.
+
+Note that the buffer overrun is only a read, so I am not sure
+if the assertion failure is actually less harmful than the overrun.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: 20201201120926.56559-1-pbonzini@redhat.com
+Reviewed-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=813212288970c39b1800f63e83ac6e96588095c6]
+CVE: CVE-2020-29443
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ hw/ide/atapi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
+index 14a2b0b..e791578 100644
+--- a/hw/ide/atapi.c
++++ b/hw/ide/atapi.c
+@@ -276,6 +276,8 @@ void ide_atapi_cmd_reply_end(IDEState *s)
+ s->packet_transfer_size -= size;
+ s->elementary_transfer_size -= size;
+ s->io_buffer_index += size;
++ assert(size <= s->io_buffer_total_len);
++ assert(s->io_buffer_index <= s->io_buffer_total_len);
+
+ /* Some adapters process PIO data right away. In that case, we need
+ * to avoid mutual recursion between ide_transfer_start
+--
+1.8.3.1
+
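Review bot: The first header line of the embedded patch reads `m 813212288970c39b1800f63e83ac6e96588095c6 Mon Sep 17 00:00:00 2001` after a blank line, so the mbox `From ` marker has been cut off. It should be restored to `From 813212288970c39b1800f63e83ac6e96588095c6 Mon Sep 17 00:00:00 2001` with the leading blank line removed, so the file is a well-formed git patch. On the change itself, both `assert()` calls run after `s->io_buffer_index += size`, and they trade the out-of-range read for a guest-triggerable abort, which the upstream message itself calls a stop-gap. If upstream has since replaced the assertions with a proper bounds check, that commit should be backported as well. ide_atapi_cmd_reply_end starts and ends outside the inner hunk.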
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch
new file mode 100644
index 0000000000..f818eb3bf5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch
@@ -0,0 +1,126 @@
+From ebf101955ce8f8d72fba103b5151115a4335de2c Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Tue, 6 Oct 2020 10:58:26 +0100
+Subject: [PATCH] virtiofsd: avoid /proc/self/fd tempdir
+
+In order to prevent /proc/self/fd escapes a temporary directory is
+created where /proc/self/fd is bind-mounted. This doesn't work on
+read-only file systems.
+
+Avoid the temporary directory by bind-mounting /proc/self/fd over /proc.
+This does not affect other processes since we remounted / with MS_REC |
+MS_SLAVE. /proc must exist and virtiofsd does not use it so it's safe to
+do this.
+
+Path traversal can be tested with the following function:
+
+ static void test_proc_fd_escape(struct lo_data *lo)
+ {
+ int fd;
+ int level = 0;
+ ino_t last_ino = 0;
+
+ fd = lo->proc_self_fd;
+ for (;;) {
+ struct stat st;
+
+ if (fstat(fd, &st) != 0) {
+ perror("fstat");
+ return;
+ }
+ if (last_ino && st.st_ino == last_ino) {
+ fprintf(stderr, "inode number unchanged, stopping\n");
+ return;
+ }
+ last_ino = st.st_ino;
+
+ fprintf(stderr, "Level %d dev %lu ino %lu\n", level,
+ (unsigned long)st.st_dev,
+ (unsigned long)last_ino);
+ fd = openat(fd, "..", O_PATH | O_DIRECTORY | O_NOFOLLOW);
+ level++;
+ }
+ }
+
+Before and after this patch only Level 0 is displayed. Without
+/proc/self/fd bind-mount protection it is possible to traverse parent
+directories.
+
+Fixes: 397ae982f4df4 ("virtiofsd: jail lo->proc_self_fd")
+Cc: Miklos Szeredi <mszeredi@redhat.com>
+Cc: Jens Freimann <jfreimann@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20201006095826.59813-1-stefanha@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Tested-by: Jens Freimann <jfreimann@redhat.com>
+Reviewed-by: Jens Freimann <jfreimann@redhat.com>
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+
+Upstream-Status: Backport
+[https://github.com/qemu/qemu/commit/ebf101955ce8f8d72fba103b5151115a4335de2c]
+CVE: CVE-2020-35517
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ tools/virtiofsd/passthrough_ll.c | 34 +++++++++++---------------------
+ 1 file changed, 11 insertions(+), 23 deletions(-)
+
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index 477e6ee0b53..ff53df44510 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -2393,8 +2393,6 @@ static void setup_wait_parent_capabilities(void)
+ static void setup_namespaces(struct lo_data *lo, struct fuse_session *se)
+ {
+ pid_t child;
+- char template[] = "virtiofsd-XXXXXX";
+- char *tmpdir;
+
+ /*
+ * Create a new pid namespace for *child* processes. We'll have to
+@@ -2458,33 +2456,23 @@ static void setup_namespaces(struct lo_data *lo, struct fuse_session *se)
+ exit(1);
+ }
+
+- tmpdir = mkdtemp(template);
+- if (!tmpdir) {
+- fuse_log(FUSE_LOG_ERR, "tmpdir(%s): %m\n", template);
+- exit(1);
+- }
+-
+- if (mount("/proc/self/fd", tmpdir, NULL, MS_BIND, NULL) < 0) {
+- fuse_log(FUSE_LOG_ERR, "mount(/proc/self/fd, %s, MS_BIND): %m\n",
+- tmpdir);
++ /*
++ * We only need /proc/self/fd. Prevent ".." from accessing parent
++ * directories of /proc/self/fd by bind-mounting it over /proc. Since / was
++ * previously remounted with MS_REC | MS_SLAVE this mount change only
++ * affects our process.
++ */
++ if (mount("/proc/self/fd", "/proc", NULL, MS_BIND, NULL) < 0) {
++ fuse_log(FUSE_LOG_ERR, "mount(/proc/self/fd, MS_BIND): %m\n");
+ exit(1);
+ }
+
+- /* Now we can get our /proc/self/fd directory file descriptor */
+- lo->proc_self_fd = open(tmpdir, O_PATH);
++ /* Get the /proc (actually /proc/self/fd, see above) file descriptor */
++ lo->proc_self_fd = open("/proc", O_PATH);
+ if (lo->proc_self_fd == -1) {
+- fuse_log(FUSE_LOG_ERR, "open(%s, O_PATH): %m\n", tmpdir);
++ fuse_log(FUSE_LOG_ERR, "open(/proc, O_PATH): %m\n");
+ exit(1);
+ }
+-
+- if (umount2(tmpdir, MNT_DETACH) < 0) {
+- fuse_log(FUSE_LOG_ERR, "umount2(%s, MNT_DETACH): %m\n", tmpdir);
+- exit(1);
+- }
+-
+- if (rmdir(tmpdir) < 0) {
+- fuse_log(FUSE_LOG_ERR, "rmdir(%s): %m\n", tmpdir);
+- }
+ }
+
+ /*
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch
new file mode 100644
index 0000000000..31440af0bd
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch
@@ -0,0 +1,74 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+
+While activating device in vmxnet3_acticate_device(), it does not
+validate guest supplied configuration values against predefined
+minimum - maximum limits. This may lead to integer overflow or
+OOB access issues. Add checks to avoid it.
+
+Fixes: CVE-2021-20203
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913873
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+
+Upstream-Status: Acepted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg07935.html]
+CVE: CVE-2021-20203
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ hw/net/vmxnet3.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index eff299f629..4a910ca971 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ vmxnet3_setup_rx_filtering(s);
+ /* Cache fields from shared memory */
+ s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
++ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU);
+ VMW_CFPRN("MTU is %u", s->mtu);
+
+ s->max_rx_frags =
+@@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* Read rings memory locations for TX queues */
+ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA);
+ size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize);
++ if (size > VMXNET3_TX_RING_MAX_SIZE) {
++ size = VMXNET3_TX_RING_MAX_SIZE;
++ }
+
+ vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size,
+ sizeof(struct Vmxnet3_TxDesc), false);
+@@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* TXC ring */
+ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA);
+ size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize);
++ if (size > VMXNET3_TC_RING_MAX_SIZE) {
++ size = VMXNET3_TC_RING_MAX_SIZE;
++ }
+ vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size,
+ sizeof(struct Vmxnet3_TxCompDesc), true);
+ VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
+@@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* RX rings */
+ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]);
+ size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]);
++ if (size > VMXNET3_RX_RING_MAX_SIZE) {
++ size = VMXNET3_RX_RING_MAX_SIZE;
++ }
+ vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size,
+ sizeof(struct Vmxnet3_RxDesc), false);
+ VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d",
+@@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* RXC ring */
+ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA);
+ size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize);
++ if (size > VMXNET3_RC_RING_MAX_SIZE) {
++ size = VMXNET3_RC_RING_MAX_SIZE;
++ }
+ vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size,
+ sizeof(struct Vmxnet3_RxCompDesc), true);
+ VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size);
+--
+2.29.2
+
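Review bot: The MTU check in the first inner hunk uses `assert()` on a value read from guest shared memory, so a guest that supplies an out-of-range MTU aborts the whole QEMU process, whereas the ring sizes in the later hunks are clamped. Rejecting the value without aborting would be safer, for example `if (s->mtu < VMXNET3_MIN_MTU || s->mtu > VMXNET3_MAX_MTU) { return; }`, though whether an early return leaves the device consistent needs checking because vmxnet3_activate_device continues outside the hunks. The strict `s->mtu < VMXNET3_MAX_MTU` also rejects the maximum itself, which looks unintended if that constant is an inclusive limit. In the header, `Upstream-Status: Acepted` should read `Upstream-Status: Accepted` so that tooling parsing the tag recognises it. The reference is a mailing-list post rather than a merged commit, so the patch is worth comparing with what upstream finally applied.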
diff --git a/meta/recipes-devtools/quilt/quilt.inc b/meta/recipes-devtools/quilt/quilt.inc
index d6d06c049c..d7ecda7aaa 100644
--- a/meta/recipes-devtools/quilt/quilt.inc
+++ b/meta/recipes-devtools/quilt/quilt.inc
@@ -30,7 +30,7 @@ EXTRA_OECONF = "--with-perl='${USRBINPATH}/env perl' --with-patch=patch"
EXTRA_OECONF_append_class-native = " --disable-nls"
EXTRA_AUTORECONF += "--exclude=aclocal"
-CACHED_CONFIGUREVARS += "ac_cv_path_BASH=/bin/bash"
+CACHED_CONFIGUREVARS += "ac_cv_path_BASH=/bin/bash ac_cv_path_COLUMN=column"
# Make sure we don't have "-w" in shebang lines: it breaks using
# "/usr/bin/env perl" as parser
diff --git a/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch b/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch
new file mode 100644
index 0000000000..2d51ddf965
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch
@@ -0,0 +1,31 @@
+From fbe85634d88e82fbb439ae2a5d1aca8b8c309bea Mon Sep 17 00:00:00 2001
+From: Matt McCutchen <matt@mattmccutchen.net>
+Date: Wed, 26 Aug 2020 12:16:08 -0400
+Subject: [PATCH] rsync-ssl: Verify the hostname in the certificate when using
+ openssl.
+
+CVE: CVE-2020-14387
+
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=c3f7414]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ rsync-ssl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rsync-ssl b/rsync-ssl
+index 8101975..46701af 100755
+--- a/rsync-ssl
++++ b/rsync-ssl
+@@ -129,7 +129,7 @@ function rsync_ssl_helper {
+ fi
+
+ if [[ $RSYNC_SSL_TYPE == openssl ]]; then
+- exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
++ exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
+ elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
+ exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port
+ else
+--
+2.17.1
+
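Review bot: The added `-verify_hostname $hostname` protects the connection only if `openssl s_client` treats a verification failure as fatal; by default s_client reports the error and carries on unless `-verify_return_error` is given. `$caopt` is set outside this hunk, so confirm that it carries `-verify_return_error` in the patched rsync-ssl. `$hostname` and `$port` are also expanded unquoted on the exec line; `-verify_hostname "$hostname" -connect "$hostname:$port"` would avoid word splitting. rsync_ssl_helper starts and ends outside the hunk.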
diff --git a/meta/recipes-devtools/rsync/files/determism.patch b/meta/recipes-devtools/rsync/files/determism.patch
new file mode 100644
index 0000000000..53a4ca7505
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/determism.patch
@@ -0,0 +1,28 @@
+The Makefile calls awk on a "*.c" glob. The results of this glob are sorted
+but the order depends on the locale settings, particularly whether
+"util.c" and "util2.c" sort before or after each other. In en_US.UTF-8
+they sort one way, in C, they sort the other. The sorting order changes
+the output binaries. The behaviour also changes dependning on whether
+SHELL (/bin/sh) is dash or bash.
+
+Specify a C locale setting to be deterministic.
+
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Upstream-Status: Pending
+
+Index: rsync-3.2.3/Makefile.in
+===================================================================
+--- rsync-3.2.3.orig/Makefile.in
++++ rsync-3.2.3/Makefile.in
+@@ -26,6 +26,11 @@ MKDIR_P=@MKDIR_P@
+ VPATH=$(srcdir)
+ SHELL=/bin/sh
+
++# We use globbing in commands, need to be deterministic
++unexport LC_ALL
++LC_COLLATE=C
++export LC_COLLATE
++
+ .SUFFIXES:
+ .SUFFIXES: .c .o
+
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.3.bb b/meta/recipes-devtools/rsync/rsync_3.2.3.bb
index 375efa0dea..df4fbbd0d2 100644
--- a/meta/recipes-devtools/rsync/rsync_3.2.3.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.3.bb
@@ -12,6 +12,8 @@ DEPENDS = "popt"
SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
file://rsyncd.conf \
file://makefile-no-rebuild.patch \
+ file://determism.patch \
+ file://0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch \
"
SRC_URI[sha256sum] = "becc3c504ceea499f4167a260040ccf4d9f2ef9499ad5683c179a697146ce50e"
@@ -38,7 +40,7 @@ PACKAGECONFIG[zstd] = "--enable-zstd,--disable-zstd,zstd"
CACHED_CONFIGUREVARS += "rsync_cv_can_hardlink_special=yes rsync_cv_can_hardlink_symlink=yes"
EXTRA_OEMAKE = 'STRIP=""'
-EXTRA_OECONF = "--disable-simd --disable-md2man --disable-asm"
+EXTRA_OECONF = "--disable-simd --disable-md2man --disable-asm --with-nobody-group=nogroup"
# rsync 3.0 uses configure.sh instead of configure, and
# makefile checks the existence of configure.sh
diff --git a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts
index f84a7e18c8..95dccb9cae 100755
--- a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts
+++ b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts
@@ -72,12 +72,12 @@ exec_postinst_scriptlets() {
else
echo "ERROR: postinst $i failed."
[ "$POSTINST_LOGGING" = "1" ] && eval echo "ERROR: postinst $i failed." $append_log
- remove_pi_dir=0
+ remove_rcsd_link=0
fi
done
}
-remove_pi_dir=1
+remove_rcsd_link=1
if $pm_installed; then
case $pm in
"ipk")
@@ -92,9 +92,7 @@ else
exec_postinst_scriptlets
fi
-# since all postinstalls executed successfully, remove the postinstalls directory
-# and the rcS.d link
-if [ $remove_pi_dir = 1 ]; then
- rm -rf $pi_dir
+# since all postinstalls executed successfully, remove the rcS.d link
+if [ $remove_rcsd_link = 1 ]; then
remove_rcsd_link
fi
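Review bot: The flag variable is now called `remove_rcsd_link`, the same name as the function called on the next line, so `if [ $remove_rcsd_link = 1 ]; then remove_rcsd_link` reads as if it tested and called the same thing. The shell keeps variables and functions apart, so it works, but a distinct name such as `postinsts_ok=1` would be clearer. Quoting the test as `[ "$postinsts_ok" = 1 ]` also keeps it valid if the variable is ever empty. The assignment inside exec_postinst_scriptlets in the previous hunk would need the same rename.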
diff --git a/meta/recipes-devtools/strace/strace/run-ptest b/meta/recipes-devtools/strace/strace/run-ptest
index 4660207220..3a51fb0be9 100755
--- a/meta/recipes-devtools/strace/strace/run-ptest
+++ b/meta/recipes-devtools/strace/strace/run-ptest
@@ -1,5 +1,5 @@
#!/bin/sh
-export TIMEOUT_DURATION=120
+export TIMEOUT_DURATION=240
chown nobody tests
chown nobody tests/*
chown nobody ../ptest
diff --git a/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb b/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb
index ed14fe66b1..c1b05691b8 100644
--- a/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb
+++ b/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb
@@ -48,6 +48,7 @@ CFLAGS_append_libc-musl = " ${LCL_STOP_SERVICES}"
CFLAGS_append_powerpc64 = " ${LCL_STOP_SERVICES}"
CFLAGS_append_powerpc64le = " ${LCL_STOP_SERVICES}"
CFLAGS_append_riscv64 = " ${LCL_STOP_SERVICES}"
+CFLAGS_append_riscv32 = " ${LCL_STOP_SERVICES}"
do_install() {
oe_runmake install INSTALLROOT=${D}
diff --git a/meta/recipes-devtools/valgrind/valgrind/0001-gdbserver_tests-Disable-nlcontrolc.vgtest-for-x86-64.patch b/meta/recipes-devtools/valgrind/valgrind/0001-gdbserver_tests-Disable-nlcontrolc.vgtest-for-x86-64.patch
new file mode 100644
index 0000000000..0bd8273cd8
--- /dev/null
+++ b/meta/recipes-devtools/valgrind/valgrind/0001-gdbserver_tests-Disable-nlcontrolc.vgtest-for-x86-64.patch
@@ -0,0 +1,36 @@
+From d8c19e0bb9ca2fd48f223e1fdeffcafeb0aa1745 Mon Sep 17 00:00:00 2001
+From: Yi Fan Yu <yifan.yu@windriver.com>
+Date: Wed, 17 Feb 2021 14:53:44 -0500
+Subject: [PATCH] gdbserver_tests: Disable nlcontrolc.vgtest for x86-64
+
+Test hangs after glibc 2.33 uprev
+
+Using gdb to modify the timeout argument no longer
+affects how long `select` wait.
+
+https://bugs.kde.org/show_bug.cgi?id=432870
+Upstream-Status: Pending
+Waiting for upstream to take action.
+
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
+---
+ gdbserver_tests/nlcontrolc.vgtest | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gdbserver_tests/nlcontrolc.vgtest b/gdbserver_tests/nlcontrolc.vgtest
+index bb5308403..96d2b52bb 100644
+--- a/gdbserver_tests/nlcontrolc.vgtest
++++ b/gdbserver_tests/nlcontrolc.vgtest
+@@ -13,7 +13,8 @@ args: 1000000000 1000000000 1000000000 BSBSBSBS 1
+ vgopts: --tool=none --vgdb=yes --vgdb-error=0 --vgdb-prefix=./vgdb-prefix-nlcontrolc
+ stderr_filter: filter_stderr
+ # Bug 338633 nlcontrol hangs on arm64 currently.
+-prereq: test -e gdb -a -f vgdb.invoker && ! ../tests/arch_test arm64 && ! ../tests/os_test solaris
++# Bug 432870 nlcontrolc hangs on x86-64 starting with glibc 2.33
++prereq: test -e gdb -a -f vgdb.invoker && ! ../tests/arch_test arm64 && ! ../tests/os_test solaris && ! ../tests/arch_test amd64
+ progB: gdb
+ argsB: --quiet -l 60 --nx ./sleepers
+ stdinB: nlcontrolc.stdinB.gdb
+--
+2.29.2
+
diff --git a/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch b/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch
index 7985308e41..0c399ef52c 100644
--- a/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch
+++ b/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch
@@ -19,6 +19,11 @@ Upstream-Status: Pending
Signed-off-by: Dave Lerner <dave.lerner@windriver.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+
+Increase time limit to 90 s.
+(double of the expected time of drd/tests/std_list on qemuarm64)
+
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
---
tests/vg_regtest.in | 75 +++++++++++++++++++++++++++++++++++++++--------------
1 file changed, 55 insertions(+), 20 deletions(-)
@@ -66,7 +71,7 @@ index a441f42..cb05b52 100755
# Since most of the program time is spent in system() calls, need this to
# propagate a Ctrl-C enabling us to quit.
-sub mysystem($)
-+# Enforce 30 seconds limit for the test.
++# Enforce 90 seconds limit for the test.
+# This resume execution of the remaining tests if valgrind hangs.
+sub mysystem($)
{
@@ -76,7 +81,7 @@ index a441f42..cb05b52 100755
+ my $exit_code=0;
+ eval {
+ local $SIG{'ALRM'} = sub { die "timed out\n" };
-+ alarm(30);
++ alarm(90);
+ $exit_code = system($_[0]);
+ alarm (0);
+ ($exit_code == 2) and die "SIGINT\n"; # 2 is SIGINT
diff --git a/meta/recipes-devtools/valgrind/valgrind_3.16.1.bb b/meta/recipes-devtools/valgrind/valgrind_3.16.1.bb
index 25fa58249c..fc070dec78 100644
--- a/meta/recipes-devtools/valgrind/valgrind_3.16.1.bb
+++ b/meta/recipes-devtools/valgrind/valgrind_3.16.1.bb
@@ -44,6 +44,7 @@ SRC_URI = "https://sourceware.org/pub/valgrind/valgrind-${PV}.tar.bz2 \
file://0001-drd-Port-to-Fedora-33.patch \
file://0001-drd-musl-fix.patch \
file://0001-helgrind-Intercept-libc-functions.patch \
+ file://0001-gdbserver_tests-Disable-nlcontrolc.vgtest-for-x86-64.patch \
"
SRC_URI[md5sum] = "d1b153f1ab17cf1f311705e7a83ef589"
SRC_URI[sha256sum] = "c91f3a2f7b02db0f3bc99479861656154d241d2fdb265614ba918cc6720a33ca"
diff --git a/meta/recipes-devtools/xmlto/xmlto_0.0.28.bb b/meta/recipes-devtools/xmlto/xmlto_0.0.28.bb
index 7d27c43c83..5ed2709e31 100644
--- a/meta/recipes-devtools/xmlto/xmlto_0.0.28.bb
+++ b/meta/recipes-devtools/xmlto/xmlto_0.0.28.bb
@@ -29,7 +29,7 @@ RDEPENDS_${PN}_append_class-target = " \
libxslt-bin \
coreutils \
"
-CACHED_CONFIGUREVARS += "ac_cv_path_TAIL=tail"
+CACHED_CONFIGUREVARS += "ac_cv_path_TAIL=tail ac_cv_path_GREP=grep"
BBCLASSEXTEND = "native"
diff --git a/meta/recipes-extended/acpica/acpica_20200717.bb b/meta/recipes-extended/acpica/acpica_20200717.bb
index d1d06c0c24..e3c8c2bdfb 100644
--- a/meta/recipes-extended/acpica/acpica_20200717.bb
+++ b/meta/recipes-extended/acpica/acpica_20200717.bb
@@ -34,6 +34,8 @@ EXTRA_OEMAKE = "CC='${CC}' \
PREFIX=${prefix} \
INSTALLDIR=${bindir} \
INSTALLFLAGS= \
+ YACC=bison \
+ YFLAGS='-y --file-prefix-map=${WORKDIR}=/usr/src/debug/${PN}/${EXTENDPE}${PV}-${PR}' \
"
do_install() {
diff --git a/meta/recipes-extended/asciidoc/asciidoc_9.0.2.bb b/meta/recipes-extended/asciidoc/asciidoc_9.0.2.bb
index 711bfbfb9b..5fd3832ef9 100644
--- a/meta/recipes-extended/asciidoc/asciidoc_9.0.2.bb
+++ b/meta/recipes-extended/asciidoc/asciidoc_9.0.2.bb
@@ -8,7 +8,7 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=4e5d1baf6f20559e3bec172226a47e4e \
file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263 "
-SRC_URI = "git://github.com/asciidoc/asciidoc-py3;protocol=https \
+SRC_URI = "git://github.com/asciidoc/asciidoc-py3;protocol=https;branch=main \
file://auto-catalogs.patch"
SRCREV = "9a407dc9a497364c91421fd961954eddb565baf1"
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index e7a704134c..244c87001f 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -15,6 +15,7 @@ SRC_URI = "https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t
file://0004-cups-fix-multilib-install-file-conflicts.patch \
file://volatiles.99_cups \
file://cups-volatiles.conf \
+ file://CVE-2020-10001.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases"
@@ -54,6 +55,8 @@ EXTRA_OECONF = " \
--enable-debug \
--disable-relro \
--enable-libusb \
+ --with-system-groups=lpadmin \
+ --with-cups-group=lp \
--with-domainsocket=/run/cups/cups.sock \
DSOFLAGS='${LDFLAGS}' \
"
diff --git a/meta/recipes-extended/cups/cups/CVE-2020-10001.patch b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch
new file mode 100644
index 0000000000..09a0a5765d
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch
@@ -0,0 +1,74 @@
+From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Mon, 1 Feb 2021 15:02:32 -0500
+Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)
+
+Upstream-Status: Backport
+CVE: CVE-2020-10001
+
+Reference to upstream patch:
+[https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9]
+
+[SG: Addapted for version 2.3.3]
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ CHANGES.md | 2 ++
+ cups/ipp.c | 8 +++++---
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index df72892..5ca12da 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -4,6 +4,8 @@ CHANGES - 2.3.3 - 2020-04-24
+ Changes in CUPS v2.3.3
+ ----------------------
+
++- Security: Fixed a buffer (read) overflow in the `ippReadIO` function
++ (CVE-2020-10001)
+ - CVE-2020-3898: The `ppdOpen` function did not handle invalid UI
+ constraint. `ppdcSource::get_resolution` function did not handle
+ invalid resolution strings.
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 3d52934..adbb26f 100644
+--- a/cups/ipp.c
++++ b/cups/ipp.c
+@@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */
+ unsigned char *buffer, /* Data buffer */
+ string[IPP_MAX_TEXT],
+ /* Small string buffer */
+- *bufptr; /* Pointer into buffer */
++ *bufptr, /* Pointer into buffer */
++ *bufend; /* End of buffer */
+ ipp_attribute_t *attr; /* Current attribute */
+ ipp_tag_t tag; /* Current tag */
+ ipp_tag_t value_tag; /* Current value tag */
+@@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */
+ }
+
+ bufptr = buffer;
++ bufend = buffer + n;
+
+ /*
+ * text-with-language and name-with-language are composite
+@@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */
+
+ n = (bufptr[0] << 8) | bufptr[1];
+
+- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
++ if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ _("IPP language length overflows value."), 1);
+@@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */
+ bufptr += 2 + n;
+ n = (bufptr[0] << 8) | bufptr[1];
+
+- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
++ if ((bufptr + 2 + n) > bufend)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ _("IPP string length overflows value."), 1);
+--
+2.17.1
+
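Review bot: Both rewritten checks in `ippReadIO` still form the pointer `bufptr + 2 + n` (plus a further 2 in the first check) before comparing it with `bufend`, and `n` is read from two bytes of the buffer just above each check. When `n` is large that sum can point well past the buffer, and computing such a pointer is undefined in C even though it is never dereferenced. Comparing lengths avoids that, e.g. `if (n > (int)(bufend - bufptr) - 4 || n >= (int)sizeof(string))` and `if (n > (int)(bufend - bufptr) - 2)`. Since this file is a backport, the change is better raised upstream than made only here. `ippReadIO` starts and ends outside the quoted hunks.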
diff --git a/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb b/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb
index 65a99fc28d..02b016fdf1 100644
--- a/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb
+++ b/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb
@@ -13,7 +13,7 @@ do_configure() {
}
do_install() {
- oe_runmake CWAUTOMACROSPREFIX=${D}${prefix} install
+ oe_runmake LABEL=`date -d @${SOURCE_DATE_EPOCH} +%Y%m%d` CWAUTOMACROSPREFIX=${D}${prefix} install
# cleanup buildpaths in autogen.sh
sed -i -e 's,${D},,g' ${D}${prefix}/share/cwautomacros/scripts/autogen.sh
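Review bot: The `date -d @${SOURCE_DATE_EPOCH} +%Y%m%d` call on the new `oe_runmake` line formats the timestamp in the build host's local time zone. Unless the build environment already pins `TZ`, two hosts in different zones can produce different `LABEL` values for an epoch close to midnight. Adding `-u` makes the value host-independent: `date -u -d @${SOURCE_DATE_EPOCH} +%Y%m%d`. The `do_install` body continues below the hunk.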
diff --git a/meta/recipes-extended/groff/files/0001-Include-config.h.patch b/meta/recipes-extended/groff/files/0001-Include-config.h.patch
index 348a61d9df..46065bc513 100644
--- a/meta/recipes-extended/groff/files/0001-Include-config.h.patch
+++ b/meta/recipes-extended/groff/files/0001-Include-config.h.patch
@@ -17,6 +17,9 @@ In file included from TOPDIR/build/tmp/work/aarch64-yoe-linux-musl/groff/1.22.4-
^
./lib/math.h:40:1: error: unknown type name '_GL_INLINE_HEADER_BEGIN'
+We delete eqn.cpp and qen.hpp in do_configure
+to ensure they're regenerated and deterministic.
+
Upstream-Status: Pending
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
@@ -140,1029 +143,6 @@ index f95c05e..d875045 100644
#include <string.h>
#include <stdlib.h>
-diff --git a/src/preproc/eqn/eqn.cpp b/src/preproc/eqn/eqn.cpp
-index 4ede465..fdd9484 100644
---- a/src/preproc/eqn/eqn.cpp
-+++ b/src/preproc/eqn/eqn.cpp
-@@ -1,8 +1,9 @@
--/* A Bison parser, made by GNU Bison 3.2. */
-+/* A Bison parser, made by GNU Bison 3.4.1. */
-
- /* Bison implementation for Yacc-like parsers in C
-
-- Copyright (C) 1984, 1989-1990, 2000-2015, 2018 Free Software Foundation, Inc.
-+ Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2019 Free Software Foundation,
-+ Inc.
-
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
-@@ -47,7 +48,7 @@
- #define YYBISON 1
-
- /* Bison version. */
--#define YYBISON_VERSION "3.2"
-+#define YYBISON_VERSION "3.4.1"
-
- /* Skeleton name. */
- #define YYSKELETON_NAME "yacc.c"
-@@ -65,7 +66,11 @@
-
-
- /* First part of user prologue. */
--#line 18 "../src/preproc/eqn/eqn.ypp" /* yacc.c:338 */
-+#line 18 "src/preproc/eqn/eqn.ypp"
-+
-+#if HAVE_CONFIG_H
-+# include <config.h>
-+#endif
-
- #include <stdio.h>
- #include <string.h>
-@@ -77,7 +82,8 @@ extern int non_empty_flag;
- int yylex();
- void yyerror(const char *);
-
--#line 81 "src/preproc/eqn/eqn.cpp" /* yacc.c:338 */
-+#line 86 "src/preproc/eqn/eqn.cpp"
-+
- # ifndef YY_NULLPTR
- # if defined __cplusplus
- # if 201103L <= __cplusplus
-@@ -98,8 +104,8 @@ void yyerror(const char *);
- # define YYERROR_VERBOSE 0
- #endif
-
--/* In a future release of Bison, this section will be replaced
-- by #include "y.tab.h". */
-+/* Use api.header.include to #include this header
-+ instead of duplicating it here. */
- #ifndef YY_YY_SRC_PREPROC_EQN_EQN_HPP_INCLUDED
- # define YY_YY_SRC_PREPROC_EQN_EQN_HPP_INCLUDED
- /* Debug traces. */
-@@ -237,10 +243,9 @@ extern int yydebug;
-
- /* Value type. */
- #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
--
- union YYSTYPE
- {
--#line 30 "../src/preproc/eqn/eqn.ypp" /* yacc.c:353 */
-+#line 34 "src/preproc/eqn/eqn.ypp"
-
- char *str;
- box *b;
-@@ -249,9 +254,9 @@ union YYSTYPE
- int n;
- column *col;
-
--#line 253 "src/preproc/eqn/eqn.cpp" /* yacc.c:353 */
--};
-+#line 258 "src/preproc/eqn/eqn.cpp"
-
-+};
- typedef union YYSTYPE YYSTYPE;
- # define YYSTYPE_IS_TRIVIAL 1
- # define YYSTYPE_IS_DECLARED 1
-@@ -366,6 +371,8 @@ typedef short yytype_int16;
- #endif
-
-
-+#define YY_ASSERT(E) ((void) (0 && (E)))
-+
- #if ! defined yyoverflow || YYERROR_VERBOSE
-
- /* The parser invokes alloca or malloc; define the necessary symbols. */
-@@ -508,16 +515,16 @@ union yyalloc
- /* YYNSTATES -- Number of states. */
- #define YYNSTATES 142
-
--/* YYTRANSLATE[YYX] -- Symbol number corresponding to YYX as returned
-- by yylex, with out-of-bounds checking. */
- #define YYUNDEFTOK 2
- #define YYMAXUTOK 315
-
-+/* YYTRANSLATE(TOKEN-NUM) -- Symbol number corresponding to TOKEN-NUM
-+ as returned by yylex, with out-of-bounds checking. */
- #define YYTRANSLATE(YYX) \
- ((unsigned) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK)
-
- /* YYTRANSLATE[TOKEN-NUM] -- Symbol number corresponding to TOKEN-NUM
-- as returned by yylex, without out-of-bounds checking. */
-+ as returned by yylex. */
- static const yytype_uint8 yytranslate[] =
- {
- 0, 2, 2, 2, 2, 2, 2, 2, 2, 63,
-@@ -558,14 +565,14 @@ static const yytype_uint8 yytranslate[] =
- /* YYRLINE[YYN] -- Source line where rule number YYN was defined. */
- static const yytype_uint16 yyrline[] =
- {
-- 0, 121, 121, 123, 128, 130, 141, 143, 145, 150,
-- 152, 154, 156, 158, 163, 165, 167, 169, 174, 176,
-- 181, 183, 185, 190, 192, 194, 196, 198, 200, 202,
-- 204, 206, 208, 210, 212, 214, 216, 218, 220, 222,
-- 224, 226, 228, 230, 232, 234, 236, 238, 240, 242,
-- 244, 246, 248, 250, 252, 254, 259, 269, 271, 276,
-- 278, 283, 285, 290, 292, 297, 299, 304, 306, 308,
-- 310, 314, 316, 321, 323, 325
-+ 0, 125, 125, 127, 132, 134, 145, 147, 149, 154,
-+ 156, 158, 160, 162, 167, 169, 171, 173, 178, 180,
-+ 185, 187, 189, 194, 196, 198, 200, 202, 204, 206,
-+ 208, 210, 212, 214, 216, 218, 220, 222, 224, 226,
-+ 228, 230, 232, 234, 236, 238, 240, 242, 244, 246,
-+ 248, 250, 252, 254, 256, 258, 263, 273, 275, 280,
-+ 282, 287, 289, 294, 296, 301, 303, 308, 310, 312,
-+ 314, 318, 320, 325, 327, 329
- };
- #endif
-
-@@ -818,22 +825,22 @@ static const yytype_uint8 yyr2[] =
-
- #define YYRECOVERING() (!!yyerrstatus)
-
--#define YYBACKUP(Token, Value) \
--do \
-- if (yychar == YYEMPTY) \
-- { \
-- yychar = (Token); \
-- yylval = (Value); \
-- YYPOPSTACK (yylen); \
-- yystate = *yyssp; \
-- goto yybackup; \
-- } \
-- else \
-- { \
-- yyerror (YY_("syntax error: cannot back up")); \
-- YYERROR; \
-- } \
--while (0)
-+#define YYBACKUP(Token, Value) \
-+ do \
-+ if (yychar == YYEMPTY) \
-+ { \
-+ yychar = (Token); \
-+ yylval = (Value); \
-+ YYPOPSTACK (yylen); \
-+ yystate = *yyssp; \
-+ goto yybackup; \
-+ } \
-+ else \
-+ { \
-+ yyerror (YY_("syntax error: cannot back up")); \
-+ YYERROR; \
-+ } \
-+ while (0)
-
- /* Error token number */
- #define YYTERROR 1
-@@ -948,7 +955,7 @@ yy_reduce_print (yytype_int16 *yyssp, YYSTYPE *yyvsp, int yyrule)
- YYFPRINTF (stderr, " $%d = ", yyi + 1);
- yy_symbol_print (stderr,
- yystos[yyssp[yyi + 1 - yynrhs]],
-- &(yyvsp[(yyi + 1) - (yynrhs)])
-+ &yyvsp[(yyi + 1) - (yynrhs)]
- );
- YYFPRINTF (stderr, "\n");
- }
-@@ -1052,7 +1059,10 @@ yytnamerr (char *yyres, const char *yystr)
- case '\\':
- if (*++yyp != '\\')
- goto do_not_strip_quotes;
-- /* Fall through. */
-+ else
-+ goto append;
-+
-+ append:
- default:
- if (yyres)
- yyres[yyn] = *yyp;
-@@ -1148,10 +1158,10 @@ yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
- yyarg[yycount++] = yytname[yyx];
- {
- YYSIZE_T yysize1 = yysize + yytnamerr (YY_NULLPTR, yytname[yyx]);
-- if (! (yysize <= yysize1
-- && yysize1 <= YYSTACK_ALLOC_MAXIMUM))
-+ if (yysize <= yysize1 && yysize1 <= YYSTACK_ALLOC_MAXIMUM)
-+ yysize = yysize1;
-+ else
- return 2;
-- yysize = yysize1;
- }
- }
- }
-@@ -1175,9 +1185,10 @@ yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
-
- {
- YYSIZE_T yysize1 = yysize + yystrlen (yyformat);
-- if (! (yysize <= yysize1 && yysize1 <= YYSTACK_ALLOC_MAXIMUM))
-+ if (yysize <= yysize1 && yysize1 <= YYSTACK_ALLOC_MAXIMUM)
-+ yysize = yysize1;
-+ else
- return 2;
-- yysize = yysize1;
- }
-
- if (*yymsg_alloc < yysize)
-@@ -1303,23 +1314,33 @@ yyparse (void)
- yychar = YYEMPTY; /* Cause a token to be read. */
- goto yysetstate;
-
-+
- /*------------------------------------------------------------.
--| yynewstate -- Push a new state, which is found in yystate. |
-+| yynewstate -- push a new state, which is found in yystate. |
- `------------------------------------------------------------*/
-- yynewstate:
-+yynewstate:
- /* In all cases, when you get here, the value and location stacks
- have just been pushed. So pushing a state here evens the stacks. */
- yyssp++;
-
-- yysetstate:
-+
-+/*--------------------------------------------------------------------.
-+| yynewstate -- set current state (the top of the stack) to yystate. |
-+`--------------------------------------------------------------------*/
-+yysetstate:
-+ YYDPRINTF ((stderr, "Entering state %d\n", yystate));
-+ YY_ASSERT (0 <= yystate && yystate < YYNSTATES);
- *yyssp = (yytype_int16) yystate;
-
- if (yyss + yystacksize - 1 <= yyssp)
-+#if !defined yyoverflow && !defined YYSTACK_RELOCATE
-+ goto yyexhaustedlab;
-+#else
- {
- /* Get the current used size of the three stacks, in elements. */
- YYSIZE_T yysize = (YYSIZE_T) (yyssp - yyss + 1);
-
--#ifdef yyoverflow
-+# if defined yyoverflow
- {
- /* Give user a chance to reallocate the stack. Use copies of
- these so that the &'s don't force the real ones into
-@@ -1338,10 +1359,7 @@ yyparse (void)
- yyss = yyss1;
- yyvs = yyvs1;
- }
--#else /* no yyoverflow */
--# ifndef YYSTACK_RELOCATE
-- goto yyexhaustedlab;
--# else
-+# else /* defined YYSTACK_RELOCATE */
- /* Extend the stack our own way. */
- if (YYMAXDEPTH <= yystacksize)
- goto yyexhaustedlab;
-@@ -1357,12 +1375,11 @@ yyparse (void)
- goto yyexhaustedlab;
- YYSTACK_RELOCATE (yyss_alloc, yyss);
- YYSTACK_RELOCATE (yyvs_alloc, yyvs);
--# undef YYSTACK_RELOCATE
-+# undef YYSTACK_RELOCATE
- if (yyss1 != yyssa)
- YYSTACK_FREE (yyss1);
- }
- # endif
--#endif /* no yyoverflow */
-
- yyssp = yyss + yysize - 1;
- yyvsp = yyvs + yysize - 1;
-@@ -1373,19 +1390,18 @@ yyparse (void)
- if (yyss + yystacksize - 1 <= yyssp)
- YYABORT;
- }
--
-- YYDPRINTF ((stderr, "Entering state %d\n", yystate));
-+#endif /* !defined yyoverflow && !defined YYSTACK_RELOCATE */
-
- if (yystate == YYFINAL)
- YYACCEPT;
-
- goto yybackup;
-
-+
- /*-----------.
- | yybackup. |
- `-----------*/
- yybackup:
--
- /* Do appropriate processing given the current state. Read a
- lookahead token if we need one and don't already have one. */
-
-@@ -1443,7 +1459,6 @@ yybackup:
- YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
- *++yyvsp = yylval;
- YY_IGNORE_MAYBE_UNINITIALIZED_END
--
- goto yynewstate;
-
-
-@@ -1458,7 +1473,7 @@ yydefault:
-
-
- /*-----------------------------.
--| yyreduce -- Do a reduction. |
-+| yyreduce -- do a reduction. |
- `-----------------------------*/
- yyreduce:
- /* yyn is the number of a rule to reduce with. */
-@@ -1478,20 +1493,20 @@ yyreduce:
- YY_REDUCE_PRINT (yyn);
- switch (yyn)
- {
-- case 3:
--#line 124 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+ case 3:
-+#line 128 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[0].b)->top_level(); non_empty_flag = 1; }
--#line 1485 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1500 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 4:
--#line 129 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 133 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = (yyvsp[0].b); }
--#line 1491 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1506 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 5:
--#line 131 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 135 "src/preproc/eqn/eqn.ypp"
- {
- list_box *lb = (yyvsp[-1].b)->to_list_box();
- if (!lb)
-@@ -1499,436 +1514,437 @@ yyreduce:
- lb->append((yyvsp[0].b));
- (yyval.b) = lb;
- }
--#line 1503 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1518 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 6:
--#line 142 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 146 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = (yyvsp[0].b); }
--#line 1509 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1524 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 7:
--#line 144 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 148 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_mark_box((yyvsp[0].b)); }
--#line 1515 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1530 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 8:
--#line 146 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 150 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_lineup_box((yyvsp[0].b)); }
--#line 1521 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1536 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 9:
--#line 151 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 155 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = (yyvsp[0].b); }
--#line 1527 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1542 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 10:
--#line 153 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 157 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_limit_box((yyvsp[-2].b), 0, (yyvsp[0].b)); }
--#line 1533 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1548 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 11:
--#line 155 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 159 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_limit_box((yyvsp[-2].b), (yyvsp[0].b), 0); }
--#line 1539 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1554 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 12:
--#line 157 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 161 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_limit_box((yyvsp[-4].b), (yyvsp[-2].b), (yyvsp[0].b)); }
--#line 1545 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1560 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 13:
--#line 159 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 163 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_limit_box((yyvsp[-4].b), make_limit_box((yyvsp[-2].b), (yyvsp[0].b), 0), 0); }
--#line 1551 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1566 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 14:
--#line 164 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 168 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = (yyvsp[0].b); }
--#line 1557 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1572 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 15:
--#line 166 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 170 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_sqrt_box((yyvsp[0].b)); }
--#line 1563 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1578 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 16:
--#line 168 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 172 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_over_box((yyvsp[-2].b), (yyvsp[0].b)); }
--#line 1569 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1584 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 17:
--#line 170 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 174 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_small_over_box((yyvsp[-2].b), (yyvsp[0].b)); }
--#line 1575 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1590 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 18:
--#line 175 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 179 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = (yyvsp[0].b); }
--#line 1581 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1596 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 19:
--#line 177 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 181 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_script_box((yyvsp[-2].b), 0, (yyvsp[0].b)); }
--#line 1587 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1602 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 20:
--#line 182 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 186 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = (yyvsp[0].b); }
--#line 1593 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1608 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 21:
--#line 184 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 188 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_script_box((yyvsp[-2].b), (yyvsp[0].b), 0); }
--#line 1599 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1614 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 22:
--#line 186 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 190 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_script_box((yyvsp[-4].b), (yyvsp[-2].b), (yyvsp[0].b)); }
--#line 1605 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1620 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 23:
--#line 191 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 195 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = split_text((yyvsp[0].str)); }
--#line 1611 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1626 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 24:
--#line 193 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 197 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new quoted_text_box((yyvsp[0].str)); }
--#line 1617 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1632 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 25:
--#line 195 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 199 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = split_text((yyvsp[0].str)); }
--#line 1623 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1638 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 26:
--#line 197 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 201 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new quoted_text_box((yyvsp[0].str)); }
--#line 1629 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1644 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 27:
--#line 199 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 203 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new half_space_box; }
--#line 1635 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1650 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 28:
--#line 201 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 205 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new space_box; }
--#line 1641 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1656 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 29:
--#line 203 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 207 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new tab_box; }
--#line 1647 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1662 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 30:
--#line 205 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 209 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = (yyvsp[-1].b); }
--#line 1653 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1668 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 31:
--#line 207 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 211 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[0].pb)->set_alignment(CENTER_ALIGN); (yyval.b) = (yyvsp[0].pb); }
--#line 1659 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1674 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 32:
--#line 209 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 213 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[0].pb)->set_alignment(LEFT_ALIGN); (yyval.b) = (yyvsp[0].pb); }
--#line 1665 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1680 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 33:
--#line 211 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 215 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[0].pb)->set_alignment(RIGHT_ALIGN); (yyval.b) = (yyvsp[0].pb); }
--#line 1671 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1686 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 34:
--#line 213 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 217 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[0].pb)->set_alignment(CENTER_ALIGN); (yyval.b) = (yyvsp[0].pb); }
--#line 1677 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1692 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 35:
--#line 215 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 219 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = (yyvsp[-1].mb); }
--#line 1683 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1698 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 36:
--#line 217 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 221 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_delim_box((yyvsp[-3].str), (yyvsp[-2].b), (yyvsp[0].str)); }
--#line 1689 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1704 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 37:
--#line 219 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 223 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_delim_box((yyvsp[-1].str), (yyvsp[0].b), 0); }
--#line 1695 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1710 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 38:
--#line 221 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 225 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_overline_box((yyvsp[-1].b)); }
--#line 1701 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1716 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 39:
--#line 223 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 227 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_underline_box((yyvsp[-1].b)); }
--#line 1707 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1722 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 40:
--#line 225 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 229 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_prime_box((yyvsp[-1].b)); }
--#line 1713 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1728 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 41:
--#line 227 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 231 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_accent_box((yyvsp[-2].b), (yyvsp[0].b)); }
--#line 1719 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1734 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 42:
--#line 229 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 233 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_uaccent_box((yyvsp[-2].b), (yyvsp[0].b)); }
--#line 1725 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1740 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 43:
--#line 231 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 235 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new font_box(strsave(get_grfont()), (yyvsp[0].b)); }
--#line 1731 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1746 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 44:
--#line 233 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 237 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new font_box(strsave(get_gbfont()), (yyvsp[0].b)); }
--#line 1737 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1752 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 45:
--#line 235 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 239 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new font_box(strsave(get_gfont()), (yyvsp[0].b)); }
--#line 1743 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1758 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 46:
--#line 237 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 241 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new fat_box((yyvsp[0].b)); }
--#line 1749 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1764 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 47:
--#line 239 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 243 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new font_box((yyvsp[-1].str), (yyvsp[0].b)); }
--#line 1755 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1770 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 48:
--#line 241 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 245 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new size_box((yyvsp[-1].str), (yyvsp[0].b)); }
--#line 1761 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1776 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 49:
--#line 243 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 247 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new hmotion_box((yyvsp[-1].n), (yyvsp[0].b)); }
--#line 1767 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1782 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 50:
--#line 245 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 249 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new hmotion_box(-(yyvsp[-1].n), (yyvsp[0].b)); }
--#line 1773 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1788 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 51:
--#line 247 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 251 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new vmotion_box((yyvsp[-1].n), (yyvsp[0].b)); }
--#line 1779 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1794 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 52:
--#line 249 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 253 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new vmotion_box(-(yyvsp[-1].n), (yyvsp[0].b)); }
--#line 1785 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1800 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 53:
--#line 251 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 255 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[0].b)->set_spacing_type((yyvsp[-1].str)); (yyval.b) = (yyvsp[0].b); }
--#line 1791 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1806 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 54:
--#line 253 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 257 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new vcenter_box((yyvsp[0].b)); }
--#line 1797 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1812 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 55:
--#line 255 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 259 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_special_box((yyvsp[-1].str), (yyvsp[0].b)); }
--#line 1803 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1818 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 56:
--#line 260 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 264 "src/preproc/eqn/eqn.ypp"
- {
- int n;
- if (sscanf((yyvsp[0].str), "%d", &n) == 1)
- (yyval.n) = n;
- a_delete (yyvsp[0].str);
- }
--#line 1814 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1829 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 57:
--#line 270 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 274 "src/preproc/eqn/eqn.ypp"
- { (yyval.pb) = new pile_box((yyvsp[0].b)); }
--#line 1820 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1835 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 58:
--#line 272 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 276 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[-2].pb)->append((yyvsp[0].b)); (yyval.pb) = (yyvsp[-2].pb); }
--#line 1826 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1841 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 59:
--#line 277 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 281 "src/preproc/eqn/eqn.ypp"
- { (yyval.pb) = (yyvsp[-1].pb); }
--#line 1832 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1847 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 60:
--#line 279 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 283 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[-1].pb)->set_space((yyvsp[-3].n)); (yyval.pb) = (yyvsp[-1].pb); }
--#line 1838 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1853 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 61:
--#line 284 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 288 "src/preproc/eqn/eqn.ypp"
- { (yyval.mb) = new matrix_box((yyvsp[0].col)); }
--#line 1844 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1859 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 62:
--#line 286 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 290 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[-1].mb)->append((yyvsp[0].col)); (yyval.mb) = (yyvsp[-1].mb); }
--#line 1850 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1865 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 63:
--#line 291 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 295 "src/preproc/eqn/eqn.ypp"
- { (yyval.col) = new column((yyvsp[0].b)); }
--#line 1856 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1871 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 64:
--#line 293 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 297 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[-2].col)->append((yyvsp[0].b)); (yyval.col) = (yyvsp[-2].col); }
--#line 1862 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1877 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 65:
--#line 298 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 302 "src/preproc/eqn/eqn.ypp"
- { (yyval.col) = (yyvsp[-1].col); }
--#line 1868 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1883 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 66:
--#line 300 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 304 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[-1].col)->set_space((yyvsp[-3].n)); (yyval.col) = (yyvsp[-1].col); }
--#line 1874 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1889 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 67:
--#line 305 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 309 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[0].col)->set_alignment(CENTER_ALIGN); (yyval.col) = (yyvsp[0].col); }
--#line 1880 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1895 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 68:
--#line 307 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 311 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[0].col)->set_alignment(LEFT_ALIGN); (yyval.col) = (yyvsp[0].col); }
--#line 1886 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1901 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 69:
--#line 309 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 313 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[0].col)->set_alignment(RIGHT_ALIGN); (yyval.col) = (yyvsp[0].col); }
--#line 1892 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1907 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 70:
--#line 311 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 315 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[0].col)->set_alignment(CENTER_ALIGN); (yyval.col) = (yyvsp[0].col); }
--#line 1898 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1913 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 71:
--#line 315 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 319 "src/preproc/eqn/eqn.ypp"
- { (yyval.str) = (yyvsp[0].str); }
--#line 1904 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1919 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 72:
--#line 317 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 321 "src/preproc/eqn/eqn.ypp"
- { (yyval.str) = (yyvsp[0].str); }
--#line 1910 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1925 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 73:
--#line 322 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 326 "src/preproc/eqn/eqn.ypp"
- { (yyval.str) = (yyvsp[0].str); }
--#line 1916 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1931 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 74:
--#line 324 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 328 "src/preproc/eqn/eqn.ypp"
- { (yyval.str) = strsave("{"); }
--#line 1922 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1937 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 75:
--#line 326 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 330 "src/preproc/eqn/eqn.ypp"
- { (yyval.str) = strsave("}"); }
--#line 1928 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1943 "src/preproc/eqn/eqn.cpp"
- break;
-
-
--#line 1932 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1947 "src/preproc/eqn/eqn.cpp"
-+
- default: break;
- }
- /* User semantic actions sometimes alter yychar, and that requires
-@@ -2042,12 +2058,10 @@ yyerrlab:
- | yyerrorlab -- error raised explicitly by YYERROR. |
- `---------------------------------------------------*/
- yyerrorlab:
--
-- /* Pacify compilers like GCC when the user code never invokes
-- YYERROR and the label yyerrorlab therefore never appears in user
-- code. */
-- if (/*CONSTCOND*/ 0)
-- goto yyerrorlab;
-+ /* Pacify compilers when the user code never invokes YYERROR and the
-+ label yyerrorlab therefore never appears in user code. */
-+ if (0)
-+ YYERROR;
-
- /* Do not reclaim the symbols of the rule whose action triggered
- this YYERROR. */
-@@ -2109,6 +2123,7 @@ yyacceptlab:
- yyresult = 0;
- goto yyreturn;
-
-+
- /*-----------------------------------.
- | yyabortlab -- YYABORT comes here. |
- `-----------------------------------*/
-@@ -2116,6 +2131,7 @@ yyabortlab:
- yyresult = 1;
- goto yyreturn;
-
-+
- #if !defined yyoverflow || YYERROR_VERBOSE
- /*-------------------------------------------------.
- | yyexhaustedlab -- memory exhaustion comes here. |
-@@ -2126,6 +2142,10 @@ yyexhaustedlab:
- /* Fall through. */
- #endif
-
-+
-+/*-----------------------------------------------------.
-+| yyreturn -- parsing is finished, return the result. |
-+`-----------------------------------------------------*/
- yyreturn:
- if (yychar != YYEMPTY)
- {
-@@ -2155,5 +2175,5 @@ yyreturn:
- #endif
- return yyresult;
- }
--#line 329 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1903 */
-+#line 333 "src/preproc/eqn/eqn.ypp"
-
-diff --git a/src/preproc/eqn/eqn.hpp b/src/preproc/eqn/eqn.hpp
-index 32a32a5..9a092c1 100644
---- a/src/preproc/eqn/eqn.hpp
-+++ b/src/preproc/eqn/eqn.hpp
-@@ -1,8 +1,9 @@
--/* A Bison parser, made by GNU Bison 3.2. */
-+/* A Bison parser, made by GNU Bison 3.4.1. */
-
- /* Bison interface for Yacc-like parsers in C
-
-- Copyright (C) 1984, 1989-1990, 2000-2015, 2018 Free Software Foundation, Inc.
-+ Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2019 Free Software Foundation,
-+ Inc.
-
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
-@@ -170,10 +171,9 @@ extern int yydebug;
-
- /* Value type. */
- #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
--
- union YYSTYPE
- {
--#line 30 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1906 */
-+#line 34 "src/preproc/eqn/eqn.ypp"
-
- char *str;
- box *b;
-@@ -182,9 +182,9 @@ union YYSTYPE
- int n;
- column *col;
-
--#line 186 "src/preproc/eqn/eqn.hpp" /* yacc.c:1906 */
--};
-+#line 186 "src/preproc/eqn/eqn.hpp"
-
-+};
- typedef union YYSTYPE YYSTYPE;
- # define YYSTYPE_IS_TRIVIAL 1
- # define YYSTYPE_IS_DECLARED 1
diff --git a/src/preproc/eqn/eqn.ypp b/src/preproc/eqn/eqn.ypp
index fb318c3..b7b647e 100644
--- a/src/preproc/eqn/eqn.ypp
diff --git a/meta/recipes-extended/groff/groff_1.22.4.bb b/meta/recipes-extended/groff/groff_1.22.4.bb
index 0867452ce7..7bb393e09c 100644
--- a/meta/recipes-extended/groff/groff_1.22.4.bb
+++ b/meta/recipes-extended/groff/groff_1.22.4.bb
@@ -18,6 +18,10 @@ SRC_URI = "${GNU_MIRROR}/groff/groff-${PV}.tar.gz \
SRC_URI[md5sum] = "08fb04335e2f5e73f23ea4c3adbf0c5f"
SRC_URI[sha256sum] = "e78e7b4cb7dec310849004fa88847c44701e8d133b5d4c13057d876c1bad0293"
+# Remove at the next upgrade
+PR = "r1"
+HASHEQUIV_HASH_VERSION .= ".1"
+
DEPENDS = "bison-native"
RDEPENDS_${PN} += "perl sed"
@@ -30,6 +34,13 @@ PARALLEL_MAKE = ""
CACHED_CONFIGUREVARS += "ac_cv_path_PERL='/usr/bin/env perl' ac_cv_path_BASH_PROG='no' PAGE=A4"
+# Delete these generated files since we depend on bison-native
+# and regenerate them. Do it deterministically (always).
+do_configure_prepend() {
+ rm -f ${S}/src/preproc/eqn/eqn.cpp
+ rm -f ${S}/src/preproc/eqn/eqn.hpp
+}
+
do_install_append() {
# Some distros have both /bin/perl and /usr/bin/perl, but we set perl location
# for target as /usr/bin/perl, so fix it to /usr/bin/perl.
diff --git a/meta/recipes-extended/parted/parted_3.3.bb b/meta/recipes-extended/parted/parted_3.3.bb
index ce40c04ad4..915ab05b65 100644
--- a/meta/recipes-extended/parted/parted_3.3.bb
+++ b/meta/recipes-extended/parted/parted_3.3.bb
@@ -42,6 +42,7 @@ do_install_ptest() {
sed -i "s|^abs_srcdir =.*|abs_srcdir = \.|g" $t/tests/Makefile
sed -i "s|^abs_top_srcdir =.*|abs_top_srcdir = \.\.|g" $t/tests/Makefile
sed -i "s|^Makefile:.*|Makefile:|g" $t/tests/Makefile
+ sed -i "/^BUILDINFO.*$/d" $t/tests/Makefile
for i in print-align print-max print-flags dup-clobber duplicate fs-resize; \
do cp ${B}/tests/.libs/$i $t/tests/; \
done
diff --git a/meta/recipes-extended/screen/screen/CVE-2021-26937.patch b/meta/recipes-extended/screen/screen/CVE-2021-26937.patch
new file mode 100644
index 0000000000..983b35c1b0
--- /dev/null
+++ b/meta/recipes-extended/screen/screen/CVE-2021-26937.patch
@@ -0,0 +1,68 @@
+Description: [CVE-2021-26937] Fix out of bounds array access
+Author: Michael Schröder <mls@suse.de>
+Bug-Debian: https://bugs.debian.org/982435
+Bug: https://savannah.gnu.org/bugs/?60030
+Bug: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
+Bug-OSS-Security: https://www.openwall.com/lists/oss-security/2021/02/09/3
+Origin: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00010.html
+
+CVE: CVE-2021-26937
+Upstream-Status: Pending
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+
+--- a/encoding.c
++++ b/encoding.c
+@@ -43,7 +43,7 @@
+ # ifdef UTF8
+ static int recode_char __P((int, int, int));
+ static int recode_char_to_encoding __P((int, int));
+-static void comb_tofront __P((int, int));
++static void comb_tofront __P((int));
+ # ifdef DW_CHARS
+ static int recode_char_dw __P((int, int *, int, int));
+ static int recode_char_dw_to_encoding __P((int, int *, int));
+@@ -1263,6 +1263,8 @@
+ {0x30000, 0x3FFFD},
+ };
+
++ if (c >= 0xdf00 && c <= 0xdfff)
++ return 1; /* dw combining sequence */
+ return ((bisearch(c, wide, sizeof(wide) / sizeof(struct interval) - 1)) ||
+ (cjkwidth &&
+ bisearch(c, ambiguous,
+@@ -1330,11 +1332,12 @@
+ }
+
+ static void
+-comb_tofront(root, i)
+-int root, i;
++comb_tofront(i)
++int i;
+ {
+ for (;;)
+ {
++ int root = i >= 0x700 ? 0x801 : 0x800;
+ debug1("bring to front: %x\n", i);
+ combchars[combchars[i]->prev]->next = combchars[i]->next;
+ combchars[combchars[i]->next]->prev = combchars[i]->prev;
+@@ -1396,9 +1399,9 @@
+ {
+ /* full, recycle old entry */
+ if (c1 >= 0xd800 && c1 < 0xe000)
+- comb_tofront(root, c1 - 0xd800);
++ comb_tofront(c1 - 0xd800);
+ i = combchars[root]->prev;
+- if (c1 == i + 0xd800)
++ if (i == 0x800 || i == 0x801 || c1 == i + 0xd800)
+ {
+ /* completely full, can't recycle */
+ debug("utf8_handle_comp: completely full!\n");
+@@ -1422,7 +1425,7 @@
+ mc->font = (i >> 8) + 0xd8;
+ mc->fontx = 0;
+ debug3("combinig char %x %x -> %x\n", c1, c, i + 0xd800);
+- comb_tofront(root, i);
++ comb_tofront(i);
+ }
+
+ #else /* !UTF8 */
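Review bot: The new `int root = i >= 0x700 ? 0x801 : 0x800;` in comb_tofront() and the matching `i == 0x800 || i == 0x801` test in the recycle path rely on undocumented magic indices, so a later reader of this backport cannot tell which list an entry belongs to. Judging by the other embedded hunk, which treats 0xdf00-0xdfff as a "dw combining sequence", indices 0x700-0x7ff appear to sit on the list rooted at 0x801 and the rest on 0x800. If that reading is right, a comment above the assignment would record it: `/* entries 0x700-0x7ff (0xdf00-0xdfff, double width) use list head 0x801, all others 0x800 */`. The header also carries `Upstream-Status: Pending` with a mailing-list post as origin, so the file should be re-checked against whatever upstream eventually commits. Only fragments of comb_tofront() and its caller are visible in the embedded hunks.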
diff --git a/meta/recipes-extended/screen/screen_4.8.0.bb b/meta/recipes-extended/screen/screen_4.8.0.bb
index 4772eb6c7a..fe640c262b 100644
--- a/meta/recipes-extended/screen/screen_4.8.0.bb
+++ b/meta/recipes-extended/screen/screen_4.8.0.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
file://0002-comm.h-now-depends-on-term.h.patch \
file://0001-fix-for-multijob-build.patch \
file://0001-Remove-more-compatibility-stuff.patch \
+ file://CVE-2021-26937.patch \
"
SRC_URI[md5sum] = "d276213d3acd10339cd37848b8c4ab1e"
diff --git a/meta/recipes-extended/shadow/shadow_4.8.1.bb b/meta/recipes-extended/shadow/shadow_4.8.1.bb
index c975395ff8..ff4aad926f 100644
--- a/meta/recipes-extended/shadow/shadow_4.8.1.bb
+++ b/meta/recipes-extended/shadow/shadow_4.8.1.bb
@@ -6,5 +6,6 @@ BUILD_LDFLAGS_append_class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p
BBCLASSEXTEND = "native nativesdk"
-
-
+# Severity is low and marked as closed and won't fix.
+# https://bugzilla.redhat.com/show_bug.cgi?id=884658
+CVE_CHECK_WHITELIST += "CVE-2013-4235"
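Review bot: The comment above `CVE_CHECK_WHITELIST += "CVE-2013-4235"` records a distro tracker's won't-fix disposition but does not say that the recipe itself stays unpatched. Once whitelisted, the entry is no longer reported as unpatched by cve-check for any image that ships shadow. Stating that explicitly lets downstream users reassess the risk for their own product, e.g. `# CVE-2013-4235 is not fixed in this recipe; whitelisted because it is low severity and closed as won't-fix:` followed by the existing URL line.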
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-23239.patch b/meta/recipes-extended/sudo/files/CVE-2021-23239.patch
new file mode 100644
index 0000000000..e16baecd5a
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-23239.patch
@@ -0,0 +1,62 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1609953360 25200
+# Node ID ea19d0073c02951bbbf35342dd63304da83edce8
+# Parent f1ca39a0d87089d005b78a2556e2b1a2dc17f672
+Fix potential directory existing info leak in sudoedit.
+When creating a new file, sudoedit checks to make sure the parent
+directory exists so it can provide the user with a sensible error
+message. However, this could be used to test for the existence of
+directories not normally accessible to the user by pointing to them
+with a symbolic link when the parent directory is controlled by the
+user. Problem reported by Matthias Gerstner of SUSE.
+
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/ea19d0073c02]
+CVE: CVE-2021-23239
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+diff -r f1ca39a0d870 -r ea19d0073c02 src/sudo_edit.c
+--- a/src/sudo_edit.c Wed Jan 06 10:16:00 2021 -0700
++++ b/src/sudo_edit.c Wed Jan 06 10:16:00 2021 -0700
+@@ -541,14 +541,33 @@
+ S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, command_details);
+ if (ofd != -1 || errno == ENOENT) {
+ if (ofd == -1) {
+- /* New file, verify parent dir exists unless in cwd. */
++ /*
++ * New file, verify parent dir exists unless in cwd.
++ * This fails early so the user knows ahead of time if the
++ * edit won't succeed. Additional checks are performed
++ * when copying the temporary file back to the origin.
++ */
+ char *slash = strrchr(files[i], '/');
+ if (slash != NULL && slash != files[i]) {
+- int serrno = errno;
++ const int sflags = command_details->flags;
++ const int serrno = errno;
++ int dfd;
++
++ /*
++ * The parent directory is allowed to be a symbolic
++ * link as long as *its* parent is not writable.
++ */
+ *slash = '\0';
+- if (stat(files[i], &sb) == 0 && S_ISDIR(sb.st_mode)) {
+- memset(&sb, 0, sizeof(sb));
+- rc = 0;
++ SET(command_details->flags, CD_SUDOEDIT_FOLLOW);
++ dfd = sudo_edit_open(files[i], DIR_OPEN_FLAGS,
++ S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, command_details);
++ command_details->flags = sflags;
++ if (dfd != -1) {
++ if (fstat(dfd, &sb) == 0 && S_ISDIR(sb.st_mode)) {
++ memset(&sb, 0, sizeof(sb));
++ rc = 0;
++ }
++ close(dfd);
+ }
+ *slash = '/';
+ errno = serrno;
+
+
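Review bot: The added block sets a bit on the shared structure with `SET(command_details->flags, CD_SUDOEDIT_FOLLOW)` and restores it from `sflags` only after the sudo_edit_open() call, a pairing that breaks silently if an early exit is ever added between the two lines. A short comment on the `SET` line, for example `/* temporary: restored from sflags right after sudo_edit_open() */`, would make the save/restore dependency explicit. The surrounding function is only partly visible in the embedded hunk.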
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-23240.patch b/meta/recipes-extended/sudo/files/CVE-2021-23240.patch
new file mode 100644
index 0000000000..740a13cd90
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-23240.patch
@@ -0,0 +1,419 @@
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/8fcb36ef422a]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-23240
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1609953360 25200
+# Node ID 8fcb36ef422a251fe33738a347551439944a4a37
+# Parent ea19d0073c02951bbbf35342dd63304da83edce8
+Add security checks before using temp files for SELinux RBAC sudoedit.
+Otherwise, it may be possible for the user running sudoedit to
+replace the newly-created temporary files with a symbolic link and
+have sudoedit set the owner of an arbitrary file.
+Problem reported by Matthias Gerstner of SUSE.
+
+diff -r ea19d0073c02 -r 8fcb36ef422a src/copy_file.c
+--- a/src/copy_file.c Wed Jan 06 10:16:00 2021 -0700
++++ b/src/copy_file.c Wed Jan 06 10:16:00 2021 -0700
+@@ -1,7 +1,7 @@
+ /*
+ * SPDX-License-Identifier: ISC
+ *
+- * Copyright (c) 2020 Todd C. Miller <Todd.Miller@sudo.ws>
++ * Copyright (c) 2020-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+@@ -23,6 +23,8 @@
+
+ #include <config.h>
+
++#include <sys/stat.h>
++
+ #include <stdlib.h>
+ #include <unistd.h>
+ #include <errno.h>
+@@ -134,3 +136,34 @@
+ sudo_warn(U_("unable to write to %s"), dst);
+ debug_return_int(-1);
+ }
++
++#ifdef HAVE_SELINUX
++bool
++sudo_check_temp_file(int tfd, const char *tfile, uid_t uid, struct stat *sb)
++{
++ struct stat sbuf;
++ debug_decl(sudo_check_temp_file, SUDO_DEBUG_UTIL);
++
++ if (sb == NULL)
++ sb = &sbuf;
++
++ if (fstat(tfd, sb) == -1) {
++ sudo_warn(U_("unable to stat %s"), tfile);
++ debug_return_bool(false);
++ }
++ if (!S_ISREG(sb->st_mode)) {
++ sudo_warnx(U_("%s: not a regular file"), tfile);
++ debug_return_bool(false);
++ }
++ if ((sb->st_mode & ALLPERMS) != (S_IRUSR|S_IWUSR)) {
++ sudo_warnx(U_("%s: bad file mode: 0%o"), tfile, sb->st_mode & ALLPERMS);
++ debug_return_bool(false);
++ }
++ if (sb->st_uid != uid) {
++ sudo_warnx(U_("%s is owned by uid %u, should be %u"),
++ tfile, (unsigned int)sb->st_uid, (unsigned int)uid);
++ debug_return_bool(false);
++ }
++ debug_return_bool(true);
++}
++#endif /* SELINUX */
+diff -r ea19d0073c02 -r 8fcb36ef422a src/sesh.c
+--- a/src/sesh.c Wed Jan 06 10:16:00 2021 -0700
++++ b/src/sesh.c Wed Jan 06 10:16:00 2021 -0700
+@@ -1,7 +1,7 @@
+ /*
+ * SPDX-License-Identifier: ISC
+ *
+- * Copyright (c) 2008, 2010-2018, 2020 Todd C. Miller <Todd.Miller@sudo.ws>
++ * Copyright (c) 2008, 2010-2018, 2020-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+@@ -132,7 +132,7 @@
+ static int
+ sesh_sudoedit(int argc, char *argv[])
+ {
+- int i, oflags_dst, post, ret = SESH_ERR_FAILURE;
++ int i, oflags_src, oflags_dst, post, ret = SESH_ERR_FAILURE;
+ int fd_src = -1, fd_dst = -1, follow = 0;
+ struct stat sb;
+ struct timespec times[2];
+@@ -174,10 +174,12 @@
+ debug_return_int(SESH_ERR_BAD_PATHS);
+
+ /*
+- * Use O_EXCL if we are not in the post editing stage
+- * so that it's ensured that the temporary files are
+- * created by us and that we are not opening any symlinks.
++ * In the pre-editing stage, use O_EXCL to ensure that the temporary
++ * files are created by us and that we are not opening any symlinks.
++ * In the post-editing stage, use O_NOFOLLOW so we don't follow symlinks
++ * when opening the temporary files.
+ */
++ oflags_src = O_RDONLY|(post ? O_NONBLOCK|O_NOFOLLOW : follow);
+ oflags_dst = O_WRONLY|O_CREAT|(post ? follow : O_EXCL);
+ for (i = 0; i < argc - 1; i += 2) {
+ const char *path_src = argv[i];
+@@ -187,7 +189,7 @@
+ * doesn't exist, that's OK, we'll create an empty
+ * destination file.
+ */
+- if ((fd_src = open(path_src, O_RDONLY|follow, S_IRUSR|S_IWUSR)) < 0) {
++ if ((fd_src = open(path_src, oflags_src, S_IRUSR|S_IWUSR)) < 0) {
+ if (errno != ENOENT) {
+ sudo_warn("%s", path_src);
+ if (post) {
+@@ -197,6 +199,14 @@
+ goto cleanup_0;
+ }
+ }
++ if (post) {
++ /* Make sure the temporary file is safe and has the proper owner. */
++ if (!sudo_check_temp_file(fd_src, path_src, geteuid(), &sb)) {
++ ret = SESH_ERR_SOME_FILES;
++ goto nocleanup;
++ }
++ fcntl(fd_src, F_SETFL, fcntl(fd_src, F_GETFL, 0) & ~O_NONBLOCK);
++ }
+
+ if ((fd_dst = open(path_dst, oflags_dst, post ?
+ (S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) : (S_IRUSR|S_IWUSR))) < 0) {
+@@ -214,10 +224,7 @@
+ off_t len_dst = -1;
+
+ if (post) {
+- if (fstat(fd_src, &sb) != 0) {
+- ret = SESH_ERR_SOME_FILES;
+- goto nocleanup;
+- }
++ /* sudo_check_temp_file() filled in sb for us. */
+ len_src = sb.st_size;
+ if (fstat(fd_dst, &sb) != 0) {
+ ret = SESH_ERR_SOME_FILES;
+diff -r ea19d0073c02 -r 8fcb36ef422a src/sudo_edit.c
+--- a/src/sudo_edit.c Wed Jan 06 10:16:00 2021 -0700
++++ b/src/sudo_edit.c Wed Jan 06 10:16:00 2021 -0700
+@@ -1,7 +1,7 @@
+ /*
+ * SPDX-License-Identifier: ISC
+ *
+- * Copyright (c) 2004-2008, 2010-2020 Todd C. Miller <Todd.Miller@sudo.ws>
++ * Copyright (c) 2004-2008, 2010-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+@@ -259,8 +259,10 @@
+ } else {
+ len = asprintf(tfile, "%s/%s.XXXXXXXX", edit_tmpdir, cp);
+ }
+- if (len == -1)
+- sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
++ if (len == -1) {
++ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
++ debug_return_int(-1);
++ }
+ tfd = mkstemps(*tfile, suff ? strlen(suff) : 0);
+ sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+ "%s -> %s, fd %d", ofile, *tfile, tfd);
+@@ -735,7 +737,8 @@
+
+ #ifdef HAVE_SELINUX
+ static int
+-selinux_run_helper(char *argv[], char *envp[])
++selinux_run_helper(uid_t uid, gid_t gid, int ngroups, GETGROUPS_T *groups,
++ char *const argv[], char *const envp[])
+ {
+ int status, ret = SESH_ERR_FAILURE;
+ const char *sesh;
+@@ -755,8 +758,10 @@
+ break;
+ case 0:
+ /* child runs sesh in new context */
+- if (selinux_setcon() == 0)
++ if (selinux_setcon() == 0) {
++ switch_user(uid, gid, ngroups, groups);
+ execve(sesh, argv, envp);
++ }
+ _exit(SESH_ERR_FAILURE);
+ default:
+ /* parent waits */
+@@ -775,7 +780,7 @@
+ struct tempfile *tf, char *files[], int nfiles)
+ {
+ char **sesh_args, **sesh_ap;
+- int i, rc, sesh_nargs;
++ int i, error, sesh_nargs, ret = -1;
+ struct stat sb;
+ debug_decl(selinux_edit_create_tfiles, SUDO_DEBUG_EDIT);
+
+@@ -787,7 +792,7 @@
+ sesh_args = sesh_ap = reallocarray(NULL, sesh_nargs, sizeof(char *));
+ if (sesh_args == NULL) {
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+- debug_return_int(-1);
++ goto done;
+ }
+ *sesh_ap++ = "sesh";
+ *sesh_ap++ = "-e";
+@@ -795,7 +800,6 @@
+ *sesh_ap++ = "-h";
+ *sesh_ap++ = "0";
+
+- /* XXX - temp files should be created with user's context */
+ for (i = 0; i < nfiles; i++) {
+ char *tfile, *ofile = files[i];
+ int tfd;
+@@ -813,8 +817,7 @@
+ if (tfd == -1) {
+ sudo_warn("mkstemps");
+ free(tfile);
+- free(sesh_args);
+- debug_return_int(-1);
++ goto done;
+ }
+ /* Helper will re-create temp file with proper security context. */
+ close(tfd);
+@@ -825,8 +828,10 @@
+ *sesh_ap = NULL;
+
+ /* Run sesh -e [-h] 0 <o1> <t1> ... <on> <tn> */
+- rc = selinux_run_helper(sesh_args, command_details->envp);
+- switch (rc) {
++ error = selinux_run_helper(command_details->uid, command_details->gid,
++ command_details->ngroups, command_details->groups, sesh_args,
++ command_details->envp);
++ switch (error) {
+ case SESH_SUCCESS:
+ break;
+ case SESH_ERR_BAD_PATHS:
+@@ -836,21 +841,35 @@
+ case SESH_ERR_KILLED:
+ sudo_fatalx("%s", U_("sesh: killed by a signal"));
+ default:
+- sudo_fatalx(U_("sesh: unknown error %d"), rc);
++ sudo_warnx(U_("sesh: unknown error %d"), error);
++ goto done;
+ }
+
+- /* Chown to user's UID so they can edit the temporary files. */
+ for (i = 0; i < nfiles; i++) {
+- if (chown(tf[i].tfile, user_details.uid, user_details.gid) != 0) {
++ int tfd = open(tf[i].tfile, O_RDONLY|O_NONBLOCK|O_NOFOLLOW);
++ if (tfd == -1) {
++ sudo_warn(U_("unable to open %s"), tf[i].tfile);
++ goto done;
++ }
++ if (!sudo_check_temp_file(tfd, tf[i].tfile, command_details->uid, NULL)) {
++ close(tfd);
++ goto done;
++ }
++ if (fchown(tfd, user_details.uid, user_details.gid) != 0) {
+ sudo_warn("unable to chown(%s) to %d:%d for editing",
+ tf[i].tfile, user_details.uid, user_details.gid);
++ close(tfd);
++ goto done;
+ }
++ close(tfd);
+ }
++ ret = nfiles;
+
++done:
+ /* Contents of tf will be freed by caller. */
+ free(sesh_args);
+
+- return (nfiles);
++ debug_return_int(ret);
+ }
+
+ static int
+@@ -858,7 +877,8 @@
+ struct tempfile *tf, int nfiles, struct timespec *times)
+ {
+ char **sesh_args, **sesh_ap;
+- int i, rc, sesh_nargs, ret = 1;
++ int i, error, sesh_nargs, ret = 1;
++ int tfd = -1;
+ struct timespec ts;
+ struct stat sb;
+ debug_decl(selinux_edit_copy_tfiles, SUDO_DEBUG_EDIT);
+@@ -879,33 +899,43 @@
+
+ /* Construct args for sesh -e 1 */
+ for (i = 0; i < nfiles; i++) {
+- if (stat(tf[i].tfile, &sb) == 0) {
+- mtim_get(&sb, ts);
+- if (tf[i].osize == sb.st_size && sudo_timespeccmp(&tf[i].omtim, &ts, ==)) {
+- /*
+- * If mtime and size match but the user spent no measurable
+- * time in the editor we can't tell if the file was changed.
+- */
+- if (sudo_timespeccmp(&times[0], &times[1], !=)) {
+- sudo_warnx(U_("%s unchanged"), tf[i].ofile);
+- unlink(tf[i].tfile);
+- continue;
+- }
++ if (tfd != -1)
++ close(tfd);
++ if ((tfd = open(tf[i].tfile, O_RDONLY|O_NONBLOCK|O_NOFOLLOW)) == -1) {
++ sudo_warn(U_("unable to open %s"), tf[i].tfile);
++ continue;
++ }
++ if (!sudo_check_temp_file(tfd, tf[i].tfile, user_details.uid, &sb))
++ continue;
++ mtim_get(&sb, ts);
++ if (tf[i].osize == sb.st_size && sudo_timespeccmp(&tf[i].omtim, &ts, ==)) {
++ /*
++ * If mtime and size match but the user spent no measurable
++ * time in the editor we can't tell if the file was changed.
++ */
++ if (sudo_timespeccmp(&times[0], &times[1], !=)) {
++ sudo_warnx(U_("%s unchanged"), tf[i].ofile);
++ unlink(tf[i].tfile);
++ continue;
+ }
+ }
+ *sesh_ap++ = tf[i].tfile;
+ *sesh_ap++ = tf[i].ofile;
+- if (chown(tf[i].tfile, command_details->uid, command_details->gid) != 0) {
++ if (fchown(tfd, command_details->uid, command_details->gid) != 0) {
+ sudo_warn("unable to chown(%s) back to %d:%d", tf[i].tfile,
+ command_details->uid, command_details->gid);
+ }
+ }
+ *sesh_ap = NULL;
++ if (tfd != -1)
++ close(tfd);
+
+ if (sesh_ap - sesh_args > 3) {
+ /* Run sesh -e 1 <t1> <o1> ... <tn> <on> */
+- rc = selinux_run_helper(sesh_args, command_details->envp);
+- switch (rc) {
++ error = selinux_run_helper(command_details->uid, command_details->gid,
++ command_details->ngroups, command_details->groups, sesh_args,
++ command_details->envp);
++ switch (error) {
+ case SESH_SUCCESS:
+ ret = 0;
+ break;
+@@ -921,7 +951,7 @@
+ sudo_warnx("%s", U_("sesh: killed by a signal"));
+ break;
+ default:
+- sudo_warnx(U_("sesh: unknown error %d"), rc);
++ sudo_warnx(U_("sesh: unknown error %d"), error);
+ break;
+ }
+ if (ret != 0)
+@@ -943,7 +973,7 @@
+ {
+ struct command_details saved_command_details;
+ char **nargv = NULL, **ap, **files = NULL;
+- int errors, i, ac, nargc, rc;
++ int errors, i, ac, nargc, ret;
+ int editor_argc = 0, nfiles = 0;
+ struct timespec times[2];
+ struct tempfile *tf = NULL;
+@@ -1038,7 +1068,7 @@
+ command_details->ngroups = user_details.ngroups;
+ command_details->groups = user_details.groups;
+ command_details->argv = nargv;
+- rc = run_command(command_details);
++ ret = run_command(command_details);
+ if (sudo_gettime_real(&times[1]) == -1) {
+ sudo_warn("%s", U_("unable to read the clock"));
+ goto cleanup;
+@@ -1062,14 +1092,14 @@
+ errors = sudo_edit_copy_tfiles(command_details, tf, nfiles, times);
+ if (errors) {
+ /* Preserve the edited temporary files. */
+- rc = W_EXITCODE(1, 0);
++ ret = W_EXITCODE(1, 0);
+ }
+
+ for (i = 0; i < nfiles; i++)
+ free(tf[i].tfile);
+ free(tf);
+ free(nargv);
+- debug_return_int(rc);
++ debug_return_int(ret);
+
+ cleanup:
+ /* Clean up temp files and return. */
+diff -r ea19d0073c02 -r 8fcb36ef422a src/sudo_exec.h
+--- a/src/sudo_exec.h Wed Jan 06 10:16:00 2021 -0700
++++ b/src/sudo_exec.h Wed Jan 06 10:16:00 2021 -0700
+@@ -1,7 +1,7 @@
+ /*
+ * SPDX-License-Identifier: ISC
+ *
+- * Copyright (c) 2010-2016 Todd C. Miller <Todd.Miller@sudo.ws>
++ * Copyright (c) 2010-2017, 2020-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+@@ -84,9 +84,11 @@
+ */
+ struct command_details;
+ struct command_status;
++struct stat;
+
+ /* copy_file.c */
+ int sudo_copy_file(const char *src, int src_fd, off_t src_len, const char *dst, int dst_fd, off_t dst_len);
++bool sudo_check_temp_file(int tfd, const char *tname, uid_t uid, struct stat *sb);
+
+ /* exec.c */
+ void exec_cmnd(struct command_details *details, int errfd);
+
+
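Review bot: In the post-editing branch added to sesh_sudoedit(), `fcntl(fd_src, F_SETFL, fcntl(fd_src, F_GETFL, 0) & ~O_NONBLOCK);` ignores both return values, so a failed F_GETFL (-1) would be masked and passed on as a flag word. Checking it keeps the error path consistent with the rest of the block: `int fl = fcntl(fd_src, F_GETFL, 0);` then `if (fl == -1 || fcntl(fd_src, F_SETFL, fl & ~O_NONBLOCK) == -1) { ret = SESH_ERR_SOME_FILES; goto nocleanup; }`. Separately, the open() failure branch just above lets ENOENT fall through, so in the post stage sudo_check_temp_file() appears to be called with fd_src == -1 and would report "unable to stat"; it is worth confirming that this is the intended outcome for a missing temporary file. sesh_sudoedit() is only partly visible in the embedded hunks.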
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch
new file mode 100644
index 0000000000..83c277575e
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch
@@ -0,0 +1,100 @@
+Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/9b97f1787804]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416639 25200
+# Node ID 9b97f1787804aedccaec63c379053b1a91a0e409
+# Parent 90aba6ba6e03f3bc33b4eabf16358396ed83642d
+Reset valid_flags to MODE_NONINTERACTIVE for sudoedit.
+This is consistent with how the -e option is handled.
+Also reject -H and -P flags for sudoedit as was done in sudo 1.7.
+Found by Qualys, this is part of the fix for CVE-2021-3156.
+
+diff -r 90aba6ba6e03 -r 9b97f1787804 src/parse_args.c
+--- a/src/parse_args.c Mon Jan 18 12:30:52 2021 +0100
++++ b/src/parse_args.c Sat Jan 23 08:43:59 2021 -0700
+@@ -117,7 +117,10 @@
+ /*
+ * Default flags allowed when running a command.
+ */
+-#define DEFAULT_VALID_FLAGS (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_SHELL)
++#define DEFAULT_VALID_FLAGS (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_PRESERVE_GROUPS|MODE_SHELL)
++#define EDIT_VALID_FLAGS MODE_NONINTERACTIVE
++#define LIST_VALID_FLAGS (MODE_NONINTERACTIVE|MODE_LONG_LIST)
++#define VALIDATE_VALID_FLAGS MODE_NONINTERACTIVE
+
+ /* Option number for the --host long option due to ambiguity of the -h flag. */
+ #define OPT_HOSTNAME 256
+@@ -262,6 +265,7 @@
+ progname = "sudoedit";
+ mode = MODE_EDIT;
+ sudo_settings[ARG_SUDOEDIT].value = "true";
++ valid_flags = EDIT_VALID_FLAGS;
+ }
+
+ /* Load local IP addresses and masks. */
+@@ -365,7 +369,7 @@
+ usage_excl();
+ mode = MODE_EDIT;
+ sudo_settings[ARG_SUDOEDIT].value = "true";
+- valid_flags = MODE_NONINTERACTIVE;
++ valid_flags = EDIT_VALID_FLAGS;
+ break;
+ case 'g':
+ assert(optarg != NULL);
+@@ -377,6 +381,7 @@
+ break;
+ case 'H':
+ sudo_settings[ARG_SET_HOME].value = "true";
++ SET(flags, MODE_RESET_HOME);
+ break;
+ case 'h':
+ if (optarg == NULL) {
+@@ -431,7 +436,7 @@
+ usage_excl();
+ }
+ mode = MODE_LIST;
+- valid_flags = MODE_NONINTERACTIVE|MODE_LONG_LIST;
++ valid_flags = LIST_VALID_FLAGS;
+ break;
+ case 'n':
+ SET(flags, MODE_NONINTERACTIVE);
+@@ -439,6 +444,7 @@
+ break;
+ case 'P':
+ sudo_settings[ARG_PRESERVE_GROUPS].value = "true";
++ SET(flags, MODE_PRESERVE_GROUPS);
+ break;
+ case 'p':
+ /* An empty prompt is allowed. */
+@@ -505,7 +511,7 @@
+ if (mode && mode != MODE_VALIDATE)
+ usage_excl();
+ mode = MODE_VALIDATE;
+- valid_flags = MODE_NONINTERACTIVE;
++ valid_flags = VALIDATE_VALID_FLAGS;
+ break;
+ case 'V':
+ if (mode && mode != MODE_VERSION)
+@@ -533,7 +539,7 @@
+ if (!mode) {
+ /* Defer -k mode setting until we know whether it is a flag or not */
+ if (sudo_settings[ARG_IGNORE_TICKET].value != NULL) {
+- if (argc == 0 && !(flags & (MODE_SHELL|MODE_LOGIN_SHELL))) {
++ if (argc == 0 && !ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL)) {
+ mode = MODE_INVALIDATE; /* -k by itself */
+ sudo_settings[ARG_IGNORE_TICKET].value = NULL;
+ valid_flags = 0;
+@@ -601,7 +607,7 @@
+ /*
+ * For shell mode we need to rewrite argv
+ */
+- if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) {
++ if (ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL) && ISSET(mode, MODE_RUN)) {
+ char **av, *cmnd = NULL;
+ int ac = 1;
+
+
+
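Review bot: The header line `Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/9b97f1787804]` has no space between the status word and the bracket, unlike CVE-2021-23239.patch, CVE-2021-23240.patch and CVE-2021-3156-2.patch in the same commit. Tooling that splits the tag on whitespace may fail to recognise the status. It should read `Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/9b97f1787804]`. CVE-2021-3156-3.patch uses the same unspaced form.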
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch
new file mode 100644
index 0000000000..6d051252cb
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch
@@ -0,0 +1,53 @@
+From 03d04069468d6633be0d6ef6c4adff07620488da Mon Sep 17 00:00:00 2001
+From: Anuj Mittal <anuj.mittal@intel.com>
+Date: Sat, 6 Feb 2021 15:57:55 +0800
+Subject: [PATCH] sudo: fix CVE-2021-3156
+
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/a97dc92eae6b]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416639 25200
+# Node ID a97dc92eae6b60ae285055441341d493c17262ff
+# Parent 9b97f1787804aedccaec63c379053b1a91a0e409
+Add sudoedit flag checks in plugin that are consistent with front-end.
+Don't assume the sudo front-end is sending reasonable mode flags.
+These checks need to be kept consistent between the sudo front-end
+and the sudoers plugin.
+
+---
+ plugins/sudoers/policy.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
+index c4749a6..2f18fe1 100644
+--- a/plugins/sudoers/policy.c
++++ b/plugins/sudoers/policy.c
+@@ -88,10 +88,11 @@ parse_bool(const char *line, int varlen, int *flags, int fval)
+ int
+ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
+ {
++ const int edit_mask = MODE_EDIT|MODE_IGNORE_TICKET|MODE_NONINTERACTIVE;
+ struct sudoers_open_info *info = v;
+- char * const *cur;
+ const char *p, *errstr, *groups = NULL;
+ const char *remhost = NULL;
++ char * const *cur;
+ int flags = 0;
+ debug_decl(sudoers_policy_deserialize_info, SUDOERS_DEBUG_PLUGIN);
+
+@@ -343,6 +344,12 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
+ #endif
+ }
+
++ /* Sudo front-end should restrict mode flags for sudoedit. */
++ if (ISSET(flags, MODE_EDIT) && (flags & edit_mask) != flags) {
++ sudo_warnx(U_("invalid mode flags from sudo front end: 0x%x"), flags);
++ goto bad;
++ }
++
+ user_gid = (gid_t)-1;
+ user_sid = (pid_t)-1;
+ user_uid = (gid_t)-1;
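Review bot: `edit_mask` in sudoers_policy_deserialize_info() hard-codes the mode flags the plugin accepts for sudoedit, yet nothing at the declaration points to the front-end side, even though the patch description says the two checks must be kept consistent. A comment on the declaration would record that coupling where a maintainer will see it, for example `/* must cover exactly what the front-end allows for sudoedit; see EDIT_VALID_FLAGS in src/parse_args.c */`. The function body is only partly visible in the embedded hunks.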
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch
new file mode 100644
index 0000000000..30a574d05c
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch
@@ -0,0 +1,73 @@
+Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/049ad90590be]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416639 25200
+# Node ID 049ad90590be1e5dfb7df2675d2eb3e37c96ab86
+# Parent a97dc92eae6b60ae285055441341d493c17262ff
+Fix potential buffer overflow when unescaping backslashes in user_args.
+Also, do not try to unescaping backslashes unless in run mode *and*
+we are running the command via a shell.
+Found by Qualys, this fixes CVE-2021-3156.
+
+diff -r a97dc92eae6b -r 049ad90590be plugins/sudoers/sudoers.c
+--- a/plugins/sudoers/sudoers.c Sat Jan 23 08:43:59 2021 -0700
++++ b/plugins/sudoers/sudoers.c Sat Jan 23 08:43:59 2021 -0700
+@@ -547,7 +547,7 @@
+
+ /* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
+ /* XXX - causes confusion when root is not listed in sudoers */
+- if (sudo_mode & (MODE_RUN | MODE_EDIT) && prev_user != NULL) {
++ if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT) && prev_user != NULL) {
+ if (user_uid == 0 && strcmp(prev_user, "root") != 0) {
+ struct passwd *pw;
+
+@@ -932,8 +932,8 @@
+ if (user_cmnd == NULL)
+ user_cmnd = NewArgv[0];
+
+- if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) {
+- if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) {
++ if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT|MODE_CHECK)) {
++ if (!ISSET(sudo_mode, MODE_EDIT)) {
+ const char *runchroot = user_runchroot;
+ if (runchroot == NULL && def_runchroot != NULL &&
+ strcmp(def_runchroot, "*") != 0)
+@@ -961,7 +961,8 @@
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ debug_return_int(NOT_FOUND_ERROR);
+ }
+- if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) {
++ if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL) &&
++ ISSET(sudo_mode, MODE_RUN)) {
+ /*
+ * When running a command via a shell, the sudo front-end
+ * escapes potential meta chars. We unescape non-spaces
+@@ -969,10 +970,22 @@
+ */
+ for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
+ while (*from) {
+- if (from[0] == '\\' && !isspace((unsigned char)from[1]))
++ if (from[0] == '\\' && from[1] != '\0' &&
++ !isspace((unsigned char)from[1])) {
+ from++;
++ }
++ if (size - (to - user_args) < 1) {
++ sudo_warnx(U_("internal error, %s overflow"),
++ __func__);
++ debug_return_int(NOT_FOUND_ERROR);
++ }
+ *to++ = *from++;
+ }
++ if (size - (to - user_args) < 1) {
++ sudo_warnx(U_("internal error, %s overflow"),
++ __func__);
++ debug_return_int(NOT_FOUND_ERROR);
++ }
+ *to++ = ' ';
+ }
+ *--to = '\0';
+
+
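Review bot: The `Upstream-Status` tag at the top of this patch is written `Backport[https://…]` with no space before the bracket, unlike the `Backport [url]` form used in CVE-2021-3156-2, -4 and -5. Scripts that match the tag by pattern may therefore fail to classify it. It should read `Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/049ad90590be]`. The gdk-pixbuf `CVE-2021-20240.patch` later in this commit has a related slip, `Upstream-Status: Backported [...]`, where the value would normally be `Backport`.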
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch
new file mode 100644
index 0000000000..c1b00c740e
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch
@@ -0,0 +1,29 @@
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/09f98816fc89]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416640 25200
+# Node ID 09f98816fc8978f1d8623a857073d2d5746f0379
+# Parent 049ad90590be1e5dfb7df2675d2eb3e37c96ab86
+Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL.
+We want to zero the struct starting at flags, not type (which was just set).
+Found by Qualys.
+
+diff -r 049ad90590be -r 09f98816fc89 plugins/sudoers/timestamp.c
+--- a/plugins/sudoers/timestamp.c Sat Jan 23 08:43:59 2021 -0700
++++ b/plugins/sudoers/timestamp.c Sat Jan 23 08:44:00 2021 -0700
+@@ -643,8 +643,8 @@
+ if (entry.size == sizeof(struct timestamp_entry_v1)) {
+ /* Old sudo record, convert it to TS_LOCKEXCL. */
+ entry.type = TS_LOCKEXCL;
+- memset((char *)&entry + offsetof(struct timestamp_entry, type), 0,
+- nread - offsetof(struct timestamp_entry, type));
++ memset((char *)&entry + offsetof(struct timestamp_entry, flags), 0,
++ nread - offsetof(struct timestamp_entry, flags));
+ if (ts_write(cookie->fd, cookie->fname, &entry, 0) == -1)
+ debug_return_bool(false);
+ } else {
+
+
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch
new file mode 100644
index 0000000000..c04b8e72a6
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch
@@ -0,0 +1,41 @@
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/c125fbe68783]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416640 25200
+# Node ID c125fbe6878395d10f01d891d3c09b1229ada404
+# Parent 09f98816fc8978f1d8623a857073d2d5746f0379
+Don't assume that argv is allocated as a single flat buffer.
+While this is how the kernel behaves it is not a portable assumption.
+The assumption may also be violated if getopt_long(3) permutes arguments.
+Found by Qualys.
+
+diff -r 09f98816fc89 -r c125fbe68783 src/parse_args.c
+--- a/src/parse_args.c Sat Jan 23 08:44:00 2021 -0700
++++ b/src/parse_args.c Sat Jan 23 08:44:00 2021 -0700
+@@ -614,16 +614,16 @@
+ if (argc != 0) {
+ /* shell -c "command" */
+ char *src, *dst;
+- size_t cmnd_size = (size_t) (argv[argc - 1] - argv[0]) +
+- strlen(argv[argc - 1]) + 1;
++ size_t size = 0;
+
+- cmnd = dst = reallocarray(NULL, cmnd_size, 2);
+- if (cmnd == NULL)
++ for (av = argv; *av != NULL; av++)
++ size += strlen(*av) + 1;
++ if (size == 0 || (cmnd = reallocarray(NULL, size, 2)) == NULL)
+ sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ if (!gc_add(GC_PTR, cmnd))
+ exit(EXIT_FAILURE);
+
+- for (av = argv; *av != NULL; av++) {
++ for (dst = cmnd, av = argv; *av != NULL; av++) {
+ for (src = *av; *src != '\0'; src++) {
+ /* quote potential meta characters */
+ if (!isalnum((unsigned char)*src) && *src != '_' && *src != '-' && *src != '$')
+
+
diff --git a/meta/recipes-extended/sudo/sudo.inc b/meta/recipes-extended/sudo/sudo.inc
index 86a18be7e2..8b50f5eee5 100644
--- a/meta/recipes-extended/sudo/sudo.inc
+++ b/meta/recipes-extended/sudo/sudo.inc
@@ -49,3 +49,5 @@ do_compile_prepend () {
do_install_prepend (){
mkdir -p ${D}/${localstatedir}/lib
}
+
+CVE_VERSION_SUFFIX = "patch"
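Review bot: `CVE_VERSION_SUFFIX = "patch"` is appended to sudo.inc with no comment, and nothing in the recipe says why sudo needs it. A one-line comment would help the next maintainer, for example `# sudo releases carry a pN suffix (e.g. 1.9.5p2); have cve-check compare it as a patch level`. The exact semantics live in cve-check.bbclass and cve_check.py, which this commit also changes, so the wording should be checked against them.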
diff --git a/meta/recipes-extended/sudo/sudo_1.9.3.bb b/meta/recipes-extended/sudo/sudo_1.9.3.bb
index 0d0be9ab8b..37fd6386dd 100644
--- a/meta/recipes-extended/sudo/sudo_1.9.3.bb
+++ b/meta/recipes-extended/sudo/sudo_1.9.3.bb
@@ -3,6 +3,13 @@ require sudo.inc
SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
+ file://CVE-2021-23239.patch \
+ file://CVE-2021-23240.patch \
+ file://CVE-2021-3156-1.patch \
+ file://CVE-2021-3156-2.patch \
+ file://CVE-2021-3156-3.patch \
+ file://CVE-2021-3156-4.patch \
+ file://CVE-2021-3156-5.patch \
"
PAM_SRC_URI = "file://sudo.pam"
diff --git a/meta/recipes-extended/tar/tar/CVE-2021-20193.patch b/meta/recipes-extended/tar/tar/CVE-2021-20193.patch
new file mode 100644
index 0000000000..89e8e20844
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2021-20193.patch
@@ -0,0 +1,133 @@
+From d9d4435692150fa8ff68e1b1a473d187cc3fd777 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sun, 17 Jan 2021 20:41:11 +0200
+Subject: Fix memory leak in read_header
+
+Bug reported in https://savannah.gnu.org/bugs/?59897
+
+* src/list.c (read_header): Don't return directly from the loop.
+Instead set the status and break. Return the status. Free
+next_long_name and next_long_link before returning.
+
+CVE: CVE-2021-20193
+Upstream-Status: Backport
+[https://git.savannah.gnu.org/cgit/tar.git/patch/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777]
+Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com>
+
+---
+ src/list.c | 40 ++++++++++++++++++++++++++++------------
+ 1 file changed, 28 insertions(+), 12 deletions(-)
+
+diff --git a/src/list.c b/src/list.c
+index e40a5c8..d7ef441 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -408,26 +408,27 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ enum read_header_mode mode)
+ {
+ union block *header;
+- union block *header_copy;
+ char *bp;
+ union block *data_block;
+ size_t size, written;
+- union block *next_long_name = 0;
+- union block *next_long_link = 0;
++ union block *next_long_name = NULL;
++ union block *next_long_link = NULL;
+ size_t next_long_name_blocks = 0;
+ size_t next_long_link_blocks = 0;
+-
++ enum read_header status = HEADER_SUCCESS;
++
+ while (1)
+ {
+- enum read_header status;
+-
+ header = find_next_block ();
+ *return_block = header;
+ if (!header)
+- return HEADER_END_OF_FILE;
++ {
++ status = HEADER_END_OF_FILE;
++ break;
++ }
+
+ if ((status = tar_checksum (header, false)) != HEADER_SUCCESS)
+- return status;
++ break;
+
+ /* Good block. Decode file size and return. */
+
+@@ -437,7 +438,10 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ {
+ info->stat.st_size = OFF_FROM_HEADER (header->header.size);
+ if (info->stat.st_size < 0)
+- return HEADER_FAILURE;
++ {
++ status = HEADER_FAILURE;
++ break;
++ }
+ }
+
+ if (header->header.typeflag == GNUTYPE_LONGNAME
+@@ -447,10 +451,14 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ || header->header.typeflag == SOLARIS_XHDTYPE)
+ {
+ if (mode == read_header_x_raw)
+- return HEADER_SUCCESS_EXTENDED;
++ {
++ status = HEADER_SUCCESS_EXTENDED;
++ break;
++ }
+ else if (header->header.typeflag == GNUTYPE_LONGNAME
+ || header->header.typeflag == GNUTYPE_LONGLINK)
+ {
++ union block *header_copy;
+ size_t name_size = info->stat.st_size;
+ size_t n = name_size % BLOCKSIZE;
+ size = name_size + BLOCKSIZE;
+@@ -517,7 +525,10 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ xheader_decode_global (&xhdr);
+ xheader_destroy (&xhdr);
+ if (mode == read_header_x_global)
+- return HEADER_SUCCESS_EXTENDED;
++ {
++ status = HEADER_SUCCESS_EXTENDED;
++ break;
++ }
+ }
+
+ /* Loop! */
+@@ -536,6 +547,7 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ name = next_long_name->buffer + BLOCKSIZE;
+ recent_long_name = next_long_name;
+ recent_long_name_blocks = next_long_name_blocks;
++ next_long_name = NULL;
+ }
+ else
+ {
+@@ -567,6 +579,7 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ name = next_long_link->buffer + BLOCKSIZE;
+ recent_long_link = next_long_link;
+ recent_long_link_blocks = next_long_link_blocks;
++ next_long_link = NULL;
+ }
+ else
+ {
+@@ -578,9 +591,12 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ }
+ assign_string (&info->link_name, name);
+
+- return HEADER_SUCCESS;
++ break;
+ }
+ }
++ free (next_long_name);
++ free (next_long_link);
++ return status;
+ }
+
+ #define ISOCTAL(c) ((c)>='0'&&(c)<='7')
+--
+cgit v1.2.1
+
diff --git a/meta/recipes-extended/tar/tar_1.32.bb b/meta/recipes-extended/tar/tar_1.32.bb
index ebe6cb0dbd..3ae6d674a5 100644
--- a/meta/recipes-extended/tar/tar_1.32.bb
+++ b/meta/recipes-extended/tar/tar_1.32.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \
file://musl_dirent.patch \
+ file://CVE-2021-20193.patch \
"
SRC_URI[md5sum] = "17917356fff5cb4bd3cd5a6c3e727b05"
diff --git a/meta/recipes-extended/timezone/timezone.inc b/meta/recipes-extended/timezone/timezone.inc
index 9a19093e24..a89560b424 100644
--- a/meta/recipes-extended/timezone/timezone.inc
+++ b/meta/recipes-extended/timezone/timezone.inc
@@ -6,7 +6,7 @@ SECTION = "base"
LICENSE = "PD & BSD & BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba"
-PV = "2020f"
+PV = "2021a"
SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode \
http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata \
@@ -14,5 +14,5 @@ SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz
UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones"
-SRC_URI[tzcode.sha256sum] = "cfeeea2a7745164f64bd9f6d76e47916f4ac820c4434493674adbbd4324329c5"
-SRC_URI[tzdata.sha256sum] = "121131918c3ae6dc5d40f0eb87563a2be920b71a76e2392c09519a5e4a666881"
+SRC_URI[tzcode.sha256sum] = "eb46bfa124b5b6bd13d61a609bfde8351bd192894708d33aa06e5c1e255802d0"
+SRC_URI[tzdata.sha256sum] = "39e7d2ba08c68cbaefc8de3227aab0dec2521be8042cf56855f7dc3a9fb14e08"
diff --git a/meta/recipes-extended/watchdog/watchdog_5.16.bb b/meta/recipes-extended/watchdog/watchdog_5.16.bb
index 1988952603..a44a459c20 100644
--- a/meta/recipes-extended/watchdog/watchdog_5.16.bb
+++ b/meta/recipes-extended/watchdog/watchdog_5.16.bb
@@ -18,6 +18,11 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/watchdog/watchdog-${PV}.tar.gz \
SRC_URI[md5sum] = "1b4f51cabc64d1bee2fce7cdd626831f"
SRC_URI[sha256sum] = "b8e7c070e1b72aee2663bdc13b5cc39f76c9232669cfbb1ac0adc7275a3b019d"
+# Can be dropped when the output next changes, avoids failures after
+# reproducibility issues
+PR = "r1"
+HASHEQUIV_HASH_VERSION .= ".1"
+
UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/watchdog/files/watchdog/"
UPSTREAM_CHECK_REGEX = "/watchdog/(?P<pver>(\d+[\.\-_]*)+)/"
@@ -28,6 +33,7 @@ CFLAGS += "-I${STAGING_INCDIR}/tirpc"
LDFLAGS += "-ltirpc"
EXTRA_OECONF += " --disable-nfs "
+CACHED_CONFIGUREVARS += "ac_cv_path_PATH_SENDMAIL=${sbindir}/sendmail"
INITSCRIPT_PACKAGES = "${PN} ${PN}-keepalive"
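Review bot: The added `CACHED_CONFIGUREVARS` line pins the sendmail path but carries no comment explaining why, unlike the `PR`/`HASHEQUIV_HASH_VERSION` lines in the previous hunk. Presumably it stops configure from recording whatever sendmail path the build host happens to have. A comment such as `# Fix the sendmail path so configure output does not depend on the build host` would make that explicit. No runtime dependency on a sendmail provider is visible in these hunks, so it is worth confirming that watchdog copes when `${sbindir}/sendmail` is absent on the target.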
diff --git a/meta/recipes-gnome/epiphany/epiphany_3.36.4.bb b/meta/recipes-gnome/epiphany/epiphany_3.36.4.bb
index 4c3b18331a..0c22a67bde 100644
--- a/meta/recipes-gnome/epiphany/epiphany_3.36.4.bb
+++ b/meta/recipes-gnome/epiphany/epiphany_3.36.4.bb
@@ -13,6 +13,8 @@ REQUIRED_DISTRO_FEATURES = "x11 opengl"
SRC_URI = "${GNOME_MIRROR}/${GNOMEBN}/${@gnome_verdir("${PV}")}/${GNOMEBN}-${PV}.tar.${GNOME_COMPRESS_TYPE};name=archive \
file://0002-help-meson.build-disable-the-use-of-yelp.patch \
+ file://migrator.patch \
+ file://distributor.patch \
"
SRC_URI[archive.sha256sum] = "588a75b1588f5a509c33cf0be6a38a0f4fc1748eeb499a51d991ddef485242bf"
diff --git a/meta/recipes-gnome/epiphany/files/distributor.patch b/meta/recipes-gnome/epiphany/files/distributor.patch
new file mode 100644
index 0000000000..b09c9b38d2
--- /dev/null
+++ b/meta/recipes-gnome/epiphany/files/distributor.patch
@@ -0,0 +1,17 @@
+Don't encode the distro from /etc/os-release into the binaries.
+
+Upstream-Status: Pending
+RP 2021/2/26
+
+Index: epiphany-3.38.2/meson.build
+===================================================================
+--- epiphany-3.38.2.orig/meson.build
++++ epiphany-3.38.2/meson.build
+@@ -15,6 +15,7 @@ if r.returncode() == 0
+ else
+ distributor_name = 'GNOME Web'
+ endif
++distributor_name = 'OpenEmbedded'
+
+ prefix = get_option('prefix')
+ datadir = join_paths(prefix, get_option('datadir'))
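Review bot: `Upstream-Status: Pending` does not fit a patch that hard-codes `distributor_name = 'OpenEmbedded'`. That change cannot go upstream as written, so `Upstream-Status: Inappropriate [oe specific]` describes it better. The header also has only `RP 2021/2/26` where a `Signed-off-by:` line is expected, and the same is true of migrator.patch in this commit. Because the assignment is appended after the `if`/`else`, the detection above it still runs at configure time and its result is discarded; the hunk shows only the tail of that block.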
diff --git a/meta/recipes-gnome/epiphany/files/migrator.patch b/meta/recipes-gnome/epiphany/files/migrator.patch
new file mode 100644
index 0000000000..a9a650a64a
--- /dev/null
+++ b/meta/recipes-gnome/epiphany/files/migrator.patch
@@ -0,0 +1,24 @@
+We don't want to encide BUILD_ROOT into target packages. This is used
+for build time tests but in our case those would be on target anyway
+do use the target paths.
+
+Upstream-Status: Pending
+RP 2021/2/25
+
+Index: epiphany-3.38.2/lib/ephy-profile-utils.c
+===================================================================
+--- epiphany-3.38.2.orig/lib/ephy-profile-utils.c
++++ epiphany-3.38.2/lib/ephy-profile-utils.c
+@@ -130,10 +130,10 @@ ephy_profile_utils_do_migration (const c
+ argv[i++] = NULL;
+
+ #if DEVELOPER_MODE
+- argv[0] = BUILD_ROOT "/src/" EPHY_PROFILE_MIGRATOR;
++ argv[0] = PKGLIBEXECDIR "/" EPHY_PROFILE_MIGRATOR;
+ #else
+ if (debug)
+- argv[0] = BUILD_ROOT "/src/" EPHY_PROFILE_MIGRATOR;
++ argv[0] = PKGLIBEXECDIR "/" EPHY_PROFILE_MIGRATOR;
+ #endif
+
+ g_spawn_sync (NULL, (char **)argv, envp, G_SPAWN_SEARCH_PATH,
diff --git a/meta/recipes-gnome/gcr/gcr_3.36.0.bb b/meta/recipes-gnome/gcr/gcr_3.36.0.bb
index ff455a68ec..567ca8b774 100644
--- a/meta/recipes-gnome/gcr/gcr_3.36.0.bb
+++ b/meta/recipes-gnome/gcr/gcr_3.36.0.bb
@@ -11,6 +11,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=55ca817ccb7d5b5b66355690e9abc605"
DEPENDS = "gtk+3 p11-kit glib-2.0 libgcrypt gnupg-native \
${@bb.utils.contains('GI_DATA_ENABLED', 'True', 'libxslt-native', '', d)}"
+CACHED_CONFIGUREVARS += "ac_cv_path_GPG='gpg2'"
+
GNOMEBASEBUILDCLASS = "meson"
GTKDOC_MESON_OPTION = "gtk_doc"
inherit gnomebase gtk-icon-cache gtk-doc features_check upstream-version-is-even vala gobject-introspection gettext mime mime-xdg
@@ -32,3 +34,11 @@ FILES_${PN} += " \
ARM_INSTRUCTION_SET_armv4 = "arm"
ARM_INSTRUCTION_SET_armv5 = "arm"
ARM_INSTRUCTION_SET_armv6 = "arm"
+
+EXTRA_OEMESON += "--cross-file ${WORKDIR}/meson-${PN}.cross"
+do_write_config_append() {
+ cat >${WORKDIR}/meson-${PN}.cross <<EOF
+[binaries]
+gpg2 = '${bindir}/gpg2'
+EOF
+}
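Review bot: The new `do_write_config_append` and the `--cross-file` argument have no comment saying why gpg2 is pinned. The `CACHED_CONFIGUREVARS += "ac_cv_path_GPG='gpg2'"` line in the previous hunk also appears to have no effect, because the recipe sets `GNOMEBASEBUILDCLASS = "meson"` and that variable supplies autoconf cache values. A comment like `# Pin gpg2 to its target path so the build host's gpg location is not compiled in` above `EXTRA_OEMESON` would document the intent. The path `${bindir}/gpg2` presumably ends up in the built library, so it should match where the target's gnupg installs the binary; no runtime dependency on gnupg is visible in these hunks.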
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2020-29385.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2020-29385.patch
new file mode 100644
index 0000000000..3fef2bc1eb
--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2020-29385.patch
@@ -0,0 +1,55 @@
+From bdd3acbd48a575d418ba6bf1b32d7bda2fae1c81 Mon Sep 17 00:00:00 2001
+From: Robert Ancell <robert.ancell@canonical.com>
+Date: Mon, 30 Nov 2020 12:26:12 +1300
+Subject: [PATCH 02/13] gif: Fix LZW decoder accepting invalid LZW code.
+
+The code value after a reset wasn't being validated, which means we would
+accept invalid codes. This could cause an infinite loop in the decoder.
+
+Fixes CVE-2020-29385
+
+Fixes https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/164
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/bdd3acbd48a575d418ba6bf1b32d7bda2fae1c81]
+CVE: CVE-2020-29385
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ gdk-pixbuf/lzw.c | 13 +++++++------
+ 1 files changed, 7 insertions(+), 6 deletions(-)
+ create mode 100644 tests/test-images/fail/hang_114.gif
+
+diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c
+index 9e052a6f7..105daf2b1 100644
+--- a/gdk-pixbuf/lzw.c
++++ b/gdk-pixbuf/lzw.c
+@@ -195,19 +195,20 @@ lzw_decoder_feed (LZWDecoder *self,
+ if (self->last_code != self->clear_code && self->code_table_size < MAX_CODES) {
+ if (self->code < self->code_table_size)
+ add_code (self, self->code);
+- else if (self->code == self->code_table_size)
++ else
+ add_code (self, self->last_code);
+- else {
+- /* Invalid code received - just stop here */
+- self->last_code = self->eoi_code;
+- return output_length;
+- }
+
+ /* When table is full increase code size */
+ if (self->code_table_size == (1 << self->code_size) && self->code_size < LZW_CODE_MAX)
+ self->code_size++;
+ }
+
++ /* Invalid code received - just stop here */
++ if (self->code >= self->code_table_size) {
++ self->last_code = self->eoi_code;
++ return output_length;
++ }
++
+ /* Convert codeword into indexes */
+ n_written += write_indexes (self, output + n_written, output_length - n_written);
+ }
+--
+2.25.1
+
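Review bot: The patch header still lists `create mode 100644 tests/test-images/fail/hang_114.gif`, but the body contains only the `lzw.c` change, so the regression image for the infinite-loop case is not carried in this backport. Either drop that line from the header or add a sentence such as `The hang_114.gif test image from the upstream commit is omitted because binary diffs cannot be applied by do_patch`. Without the image, the packaged tests presumably do not exercise the invalid-code-after-reset path that this fix addresses.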
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch
new file mode 100644
index 0000000000..fe594b24bb
--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch
@@ -0,0 +1,40 @@
+From 086e8adf4cc352cd11572f96066b001b545f354e Mon Sep 17 00:00:00 2001
+From: Emmanuele Bassi <ebassi@gnome.org>
+Date: Wed, 1 Apr 2020 18:11:55 +0100
+Subject: [PATCH] Check the memset length argument
+
+Avoid overflows by using the checked multiplication macro for gsize.
+
+Fixes: #132
+
+Upstream-Status: Backported [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/086e8adf4cc352cd11572f96066b001b545f354e]
+CVE: CVE-2021-20240
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ gdk-pixbuf/io-gif-animation.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
+index c9db3c66e..49674fd2e 100644
+--- a/gdk-pixbuf/io-gif-animation.c
++++ b/gdk-pixbuf/io-gif-animation.c
+@@ -412,11 +412,15 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
+
+ /* If no rendered frame, render the first frame */
+ if (anim->last_frame == NULL) {
++ gsize len = 0;
+ if (anim->last_frame_data == NULL)
+ anim->last_frame_data = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, anim->width, anim->height);
+ if (anim->last_frame_data == NULL)
+ return NULL;
+- memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, gdk_pixbuf_get_rowstride (anim->last_frame_data) * anim->height);
++ if (g_size_checked_mul (&len, gdk_pixbuf_get_rowstride (anim->last_frame_data), anim->height))
++ memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, len);
++ else
++ return NULL;
+ composite_frame (anim, g_list_nth_data (anim->frames, 0));
+ }
+
+--
+GitLab
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
index 3dec5ed052..32af2de1e8 100644
--- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
@@ -24,6 +24,8 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
file://0004-Do-not-run-tests-when-building.patch \
file://0006-Build-thumbnailer-and-tests-also-in-cross-builds.patch \
file://missing-test-data.patch \
+ file://CVE-2020-29385.patch \
+ file://CVE-2021-20240.patch \
"
SRC_URI_append_class-target = " \
diff --git a/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.64.1.bb b/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.64.1.bb
index 4d80f00e10..0f0f7a82c4 100644
--- a/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.64.1.bb
+++ b/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.64.1.bb
@@ -29,14 +29,14 @@ GTKDOC_MESON_OPTION = "gtk_doc"
MULTILIB_SCRIPTS = "${PN}:${bindir}/g-ir-annotation-tool ${PN}:${bindir}/g-ir-scanner"
-DEPENDS_append = " libffi zlib glib-2.0 python3 flex-native bison-native autoconf-archive"
+DEPENDS += " libffi zlib glib-2.0 python3 flex-native bison-native autoconf-archive"
# target build needs qemu to run temporary introspection binaries created
# on the fly by g-ir-scanner and a native version of itself to run
# native versions of its own tools during build.
# Also prelink-rtld is used to find out library dependencies of introspection binaries
# (standard ldd doesn't work when cross-compiling).
-DEPENDS_class-target_append = " gobject-introspection-native qemu-native prelink-native"
+DEPENDS_append_class-target = " gobject-introspection-native qemu-native prelink-native"
# needed for writing out the qemu wrapper script
export STAGING_DIR_HOST
diff --git a/meta/recipes-gnome/libsecret/libsecret/determinism.patch b/meta/recipes-gnome/libsecret/libsecret/determinism.patch
new file mode 100644
index 0000000000..ad96e8f59b
--- /dev/null
+++ b/meta/recipes-gnome/libsecret/libsecret/determinism.patch
@@ -0,0 +1,37 @@
+secret-enum-types.c/h.template: Fix reproducibility issue
+
+When full filenames are used in generated sources it makes the resulting
+debug packages non-reproducible. Best practise is to use basename in
+comments instead.
+
+Signed-off-by: Richard Purdie richard.purdie@linuxfoundation.org
+Upstream-Status: Submitted [https://gitlab.gnome.org/GNOME/libsecret/-/merge_requests/68]
+
+Index: libsecret-0.20.4/libsecret/secret-enum-types.c.template
+===================================================================
+--- libsecret-0.20.4.orig/libsecret/secret-enum-types.c.template
++++ libsecret-0.20.4/libsecret/secret-enum-types.c.template
+@@ -23,8 +23,8 @@
+ /*** END file-header ***/
+
+ /*** BEGIN file-production ***/
+-#include "@filename@"
+-/* enumerations from "@filename@" */
++#include "@basename@"
++/* enumerations from "@basename@" */
+ /*** END file-production ***/
+
+ /*** BEGIN value-header ***/
+Index: libsecret-0.20.4/libsecret/secret-enum-types.h.template
+===================================================================
+--- libsecret-0.20.4.orig/libsecret/secret-enum-types.h.template
++++ libsecret-0.20.4/libsecret/secret-enum-types.h.template
+@@ -27,7 +27,7 @@ G_BEGIN_DECLS
+
+ /*** BEGIN file-production ***/
+
+-/* enumerations from "@filename@" */
++/* enumerations from "@basename@" */
+ /*** END file-production ***/
+
+ /*** BEGIN value-header ***/
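Review bot: The `Signed-off-by:` line gives the address without angle brackets (`Richard Purdie richard.purdie@linuxfoundation.org`), which is not the usual `Name <address>` trailer form and may be missed by tools that parse trailers. It should read `Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>`. The igt-gpu-tools `reproducibility.patch` in this commit has a similar problem, with the address written as `richard.purdie at linuxfoundation.org`. The patch is also indexed against `libsecret-0.20.4` while the recipe is `libsecret_0.20.3.bb`, so it is worth checking that it applies without fuzz.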
diff --git a/meta/recipes-gnome/libsecret/libsecret_0.20.3.bb b/meta/recipes-gnome/libsecret/libsecret_0.20.3.bb
index 533015a1e4..b72206535f 100644
--- a/meta/recipes-gnome/libsecret/libsecret_0.20.3.bb
+++ b/meta/recipes-gnome/libsecret/libsecret_0.20.3.bb
@@ -13,7 +13,8 @@ inherit gnomebase gtk-doc vala gobject-introspection manpages
DEPENDS += "glib-2.0 libgcrypt gettext-native"
-SRC_URI += "file://0001-meson-add-option-introspection.patch"
+SRC_URI += "file://0001-meson-add-option-introspection.patch \
+ file://determinism.patch"
SRC_URI[archive.md5sum] = "47c3fdfeb111a87b509ad271e4a6f496"
SRC_URI[archive.sha256sum] = "4fcb3c56f8ac4ab9c75b66901fb0104ec7f22aa9a012315a14c0d6dffa5290e4"
diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
new file mode 100644
index 0000000000..f8e69beb0b
--- /dev/null
+++ b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
@@ -0,0 +1,121 @@
+From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <heiko.lewin@worldiety.de>
+Date: Tue, 15 Dec 2020 16:48:19 +0100
+Subject: [PATCH] Fix mask usage in image-compositor
+
+CVE: CVE-2020-35492
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be?merge_request_iid=85]
+
+original patch from upstream has a binary file, it will cause
+do_patch failed with "git binary diffs are not supported".
+
+so add do_patch_append in recipe to add this binary source. when removing
+this patch, please also remove do_patch_append for this patch
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/cairo-image-compositor.c | 8 ++--
+ test/Makefile.sources | 1 +
+ test/bug-image-compositor.c | 39 ++++++++++++++++++++
+ 3 files changed, 44 insertions(+), 4 deletions(-)
+ create mode 100644 test/bug-image-compositor.c
+
+diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
+index 79ad69f68..4f8aaed99 100644
+--- a/src/cairo-image-compositor.c
++++ b/src/cairo-image-compositor.c
+@@ -2610,14 +2610,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ unsigned num_spans)
+ {
+ cairo_image_span_renderer_t *r = abstract_renderer;
+- uint8_t *m;
++ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
+ int x0;
+
+ if (num_spans == 0)
+ return CAIRO_STATUS_SUCCESS;
+
+ x0 = spans[0].x;
+- m = r->_buf;
++ m = base;
+ do {
+ int len = spans[1].x - spans[0].x;
+ if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
+@@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ spans[0].x, y,
+ spans[1].x - spans[0].x, h);
+
+- m = r->_buf;
++ m = base;
+ x0 = spans[1].x;
+ } else if (spans[0].coverage == 0x0) {
+ if (spans[0].x != x0) {
+@@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ #endif
+ }
+
+- m = r->_buf;
++ m = base;
+ x0 = spans[1].x;
+ } else {
+ *m++ = spans[0].coverage;
+diff --git a/test/Makefile.sources b/test/Makefile.sources
+index 7eb73647f..86494348d 100644
+--- a/test/Makefile.sources
++++ b/test/Makefile.sources
+@@ -34,6 +34,7 @@ test_sources = \
+ bug-source-cu.c \
+ bug-extents.c \
+ bug-seams.c \
++ bug-image-compositor.c \
+ caps.c \
+ checkerboard.c \
+ caps-joins.c \
+diff --git a/test/bug-image-compositor.c b/test/bug-image-compositor.c
+new file mode 100644
+index 000000000..fc4fd370b
+--- /dev/null
++++ b/test/bug-image-compositor.c
+@@ -0,0 +1,39 @@
++#include "cairo-test.h"
++
++static cairo_test_status_t
++draw (cairo_t *cr, int width, int height)
++{
++ cairo_set_source_rgb (cr, 0., 0., 0.);
++ cairo_paint (cr);
++
++ cairo_set_source_rgb (cr, 1., 1., 1.);
++ cairo_set_line_width (cr, 1.);
++
++ cairo_pattern_t *p = cairo_pattern_create_linear (0, 0, width, height);
++ cairo_pattern_add_color_stop_rgb (p, 0, 0.99, 1, 1);
++ cairo_pattern_add_color_stop_rgb (p, 1, 1, 1, 1);
++ cairo_set_source (cr, p);
++
++ cairo_move_to (cr, 0.5, -1);
++ for (int i = 0; i < width; i+=3) {
++ cairo_rel_line_to (cr, 2, 2);
++ cairo_rel_line_to (cr, 1, -2);
++ }
++
++ cairo_set_operator (cr, CAIRO_OPERATOR_SOURCE);
++ cairo_stroke (cr);
++
++ cairo_pattern_destroy(p);
++
++ return CAIRO_TEST_SUCCESS;
++}
++
++
++CAIRO_TEST (bug_image_compositor,
++ "Crash in image-compositor",
++ "stroke, stress", /* keywords */
++ NULL, /* requirements */
++ 10000, 1,
++ NULL, draw)
++
++
+--
+GitLab
diff --git a/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png b/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png
new file mode 100644
index 0000000000..939f659d2c
--- /dev/null
+++ b/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png
Binary files differ
diff --git a/meta/recipes-graphics/cairo/cairo_1.16.0.bb b/meta/recipes-graphics/cairo/cairo_1.16.0.bb
index 68f993d7ca..d48da1a4c7 100644
--- a/meta/recipes-graphics/cairo/cairo_1.16.0.bb
+++ b/meta/recipes-graphics/cairo/cairo_1.16.0.bb
@@ -27,6 +27,8 @@ SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \
file://CVE-2018-19876.patch \
file://CVE-2019-6461.patch \
file://CVE-2019-6462.patch \
+ file://CVE-2020-35492.patch \
+ file://bug-image-compositor.ref.png \
"
SRC_URI[md5sum] = "f19e0353828269c22bd72e271243a552"
@@ -64,6 +66,15 @@ export ac_cv_lib_bfd_bfd_openr="no"
# Ensure we don't depend on LZO
export ac_cv_lib_lzo2_lzo2a_decompress="no"
+#for CVE-2020-35492.patch
+do_patch_append() {
+ bb.build.exec_func('do_cp_binary_source', d)
+}
+
+do_cp_binary_source () {
+ cp ${WORKDIR}/bug-image-compositor.ref.png ${S}/test/reference/
+}
+
do_install_append () {
rm -rf ${D}${bindir}/cairo-sphinx
rm -rf ${D}${libdir}/cairo/cairo-fdr*
diff --git a/meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools/reproducibility.patch b/meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools/reproducibility.patch
new file mode 100644
index 0000000000..39e36d8737
--- /dev/null
+++ b/meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools/reproducibility.patch
@@ -0,0 +1,38 @@
+meson: Allow source location to be configurable
+
+Hardcoding a build source path into a binary when cross compiling isn't
+appropriate and breaks build reproducibility. Allow the srcdir to be
+specified by an optional configuration option to meson.
+
+Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
+Upstream-Status: Submitted [https://lists.freedesktop.org/archives/igt-dev/2021-February/029443.html]
+
+Index: git/lib/meson.build
+===================================================================
+--- git.orig/lib/meson.build
++++ git/lib/meson.build
+@@ -122,7 +122,11 @@ if chamelium.found()
+ lib_sources += 'igt_chamelium_stream.c'
+ endif
+
+-srcdir = join_paths(meson.source_root(), 'tests')
++if get_option('srcdir') != ''
++ srcdir = join_paths(get_option('srcdir'), 'tests')
++else
++ srcdir = join_paths(meson.source_root(), 'tests')
++endif
+
+ lib_version = vcs_tag(input : 'version.h.in', output : 'version.h',
+ fallback : 'NO-GIT',
+Index: git/meson_options.txt
+===================================================================
+--- git.orig/meson_options.txt
++++ git/meson_options.txt
+@@ -50,3 +50,7 @@ option('use_rpath',
+ type : 'boolean',
+ value : false,
+ description : 'Set runpath on installed executables for libigt.so')
++
++option('srcdir',
++ type : 'string',
++ description : 'Path to source code to be compiled into binaries (optional)')
diff --git a/meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools_git.bb b/meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools_git.bb
index 89480d79d2..f25cbc0603 100644
--- a/meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools_git.bb
+++ b/meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools_git.bb
@@ -10,7 +10,8 @@ inherit meson
SRCREV = "d16ad07e7f2a028e14d61f570931c87fa5ce404c"
PV = "1.25+git${SRCPV}"
-SRC_URI = "git://gitlab.freedesktop.org/drm/igt-gpu-tools.git;protocol=https"
+SRC_URI = "git://gitlab.freedesktop.org/drm/igt-gpu-tools.git;protocol=https \
+ file://reproducibility.patch"
S = "${WORKDIR}/git"
@@ -22,7 +23,7 @@ PACKAGE_BEFORE_PN = "${PN}-benchmarks ${PN}-tests"
PACKAGECONFIG[chamelium] = "-Dchamelium=enabled,-Dchamelium=disabled,gsl xmlrpc-c"
-EXTRA_OEMESON = "-Ddocs=disabled -Drunner=enabled"
+EXTRA_OEMESON = "-Ddocs=disabled -Drunner=enabled -Dsrcdir=/usr/src/debug/${PN}/${PV}-${PR}/git/"
COMPATIBLE_HOST = "(x86_64.*|i.86.*|arm.*|aarch64).*-linux"
COMPATIBLE_HOST_libc-musl_class-target = "null"
SECURITY_LDFLAGS = "${SECURITY_X_LDFLAGS}"
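Review bot: The `-Dsrcdir=/usr/src/debug/${PN}/${PV}-${PR}/git/` value added to EXTRA_OEMESON repeats by hand the target-side path that the debug prefix mapping produces, and nothing ties the two together. If the mapping is built differently (it normally also carries `${EXTENDPE}`, which is empty only while the recipe sets no PE; worth confirming), the path compiled into the binaries would stop matching the installed debug sources. I would add a comment above the line such as `# Keep in sync with the /usr/src/debug path used by DEBUG_PREFIX_MAP`.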
diff --git a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch
new file mode 100644
index 0000000000..d8fa24bc65
--- /dev/null
+++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch
@@ -0,0 +1,79 @@
+From a7ff6e96155f550a5597621ebeddd03c98aa9294 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Wed, 17 Jun 2020 08:44:45 -0700
+Subject: [PATCH] Fixed overflow in surface pitch calculation
+
+
+Upstream-Status: Backport
+[https://github.com/libsdl-org/SDL/commit/a7ff6e96155f550a5597621ebeddd03c98aa9294]
+CVE: CVE-2020-14409 CVE-2020-14410
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ src/video/SDL_surface.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c
+index 085d9ff1e..bff826f7c 100644
+--- a/src/video/SDL_surface.c
++++ b/src/video/SDL_surface.c
+@@ -28,24 +28,23 @@
+ #include "SDL_yuv_c.h"
+
+
+-/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
+-SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
+- sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
++/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow Sint64 */
++SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, sizeof(int) == sizeof(Sint32));
+
+ /* Public routines */
+
+ /*
+ * Calculate the pad-aligned scanline width of a surface
+ */
+-static int
++static Sint64
+ SDL_CalculatePitch(Uint32 format, int width)
+ {
+- int pitch;
++ Sint64 pitch;
+
+ if (SDL_ISPIXELFORMAT_FOURCC(format) || SDL_BITSPERPIXEL(format) >= 8) {
+- pitch = (width * SDL_BYTESPERPIXEL(format));
++ pitch = ((Sint64)width * SDL_BYTESPERPIXEL(format));
+ } else {
+- pitch = ((width * SDL_BITSPERPIXEL(format)) + 7) / 8;
++ pitch = (((Sint64)width * SDL_BITSPERPIXEL(format)) + 7) / 8;
+ }
+ pitch = (pitch + 3) & ~3; /* 4-byte aligning for speed */
+ return pitch;
+@@ -59,11 +58,19 @@ SDL_Surface *
+ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+ Uint32 format)
+ {
++ Sint64 pitch;
+ SDL_Surface *surface;
+
+ /* The flags are no longer used, make the compiler happy */
+ (void)flags;
+
++ pitch = SDL_CalculatePitch(format, width);
++ if (pitch < 0 || pitch > SDL_MAX_SINT32) {
++ /* Overflow... */
++ SDL_OutOfMemory();
++ return NULL;
++ }
++
+ /* Allocate the surface */
+ surface = (SDL_Surface *) SDL_calloc(1, sizeof(*surface));
+ if (surface == NULL) {
+@@ -78,7 +85,7 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+ }
+ surface->w = width;
+ surface->h = height;
+- surface->pitch = SDL_CalculatePitch(format, width);
++ surface->pitch = (int)pitch;
+ SDL_SetClipRect(surface, NULL);
+
+ if (SDL_ISPIXELFORMAT_INDEXED(surface->format->format)) {
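Review bot: The guard added to SDL_CreateRGBSurfaceWithFormat bounds a single row only (`pitch < 0 || pitch > SDL_MAX_SINT32`); the total buffer size, height times pitch, is not checked anywhere in the visible hunks. The function continues past the last hunk, so it is worth confirming that the 2.0.12 source this backport applies to still validates `(Sint64)surface->h * surface->pitch` before the pixel buffer is allocated. The `/* Overflow... */` comment could also say what overflowed, for example `/* pitch does not fit in surface->pitch (int) */`, because the error reported is SDL_OutOfMemory() and gives the caller no hint.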
diff --git a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
index 1513746492..639a465567 100644
--- a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
+++ b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.libsdl.org/release/SDL2-${PV}.tar.gz \
file://more-gen-depends.patch \
file://directfb-spurious-curly-brace-missing-e.patch \
file://directfb-renderfillrect-fix.patch \
+ file://CVE-2020-14409-14410.patch \
"
S = "${WORKDIR}/SDL2-${PV}"
diff --git a/meta/recipes-graphics/mesa/mesa.inc b/meta/recipes-graphics/mesa/mesa.inc
index 9fc62e95e1..a4c7007157 100644
--- a/meta/recipes-graphics/mesa/mesa.inc
+++ b/meta/recipes-graphics/mesa/mesa.inc
@@ -48,11 +48,6 @@ PROVIDES = " \
inherit meson pkgconfig python3native gettext features_check
-# Unset these to stop python trying to report the target Python setup
-_PYTHON_SYSCONFIGDATA_NAME[unexport] = "1"
-STAGING_INCDIR[unexport] = "1"
-STAGING_LIBDIR[unexport] = "1"
-
BBCLASSEXTEND = "native nativesdk"
ANY_OF_DISTRO_FEATURES_class-target = "opengl vulkan"
diff --git a/meta/recipes-graphics/wayland/libinput/run-ptest b/meta/recipes-graphics/wayland/libinput/run-ptest
index 5a84c568b9..d11e6eb25b 100644
--- a/meta/recipes-graphics/wayland/libinput/run-ptest
+++ b/meta/recipes-graphics/wayland/libinput/run-ptest
@@ -1,6 +1,6 @@
#!/bin/sh
-/usr/libexec/libinput/libinput-test-suite
+/usr/libexec/libinput/libinput-test-suite -j1
if [ $? -eq 0 ]; then
echo 'PASS: libinput-test-suite'
else
diff --git a/meta/recipes-graphics/wayland/weston-init/weston.ini b/meta/recipes-graphics/wayland/weston-init/weston.ini
index b48726d59c..6bd5aef55a 100644
--- a/meta/recipes-graphics/wayland/weston-init/weston.ini
+++ b/meta/recipes-graphics/wayland/weston-init/weston.ini
@@ -42,7 +42,7 @@ require-input=false
#path=/build/weston-0lEgCh/weston-1.11.0/weston-flower
#[input-method]
-#path=/usr/lib/weston/weston-keyboard
+#path=/usr/libexec/weston-keyboard
#[output]
#name=LVDS1
diff --git a/meta/recipes-graphics/wayland/weston_9.0.0.bb b/meta/recipes-graphics/wayland/weston_9.0.0.bb
index 75f9fb05fd..d60b5e1a35 100644
--- a/meta/recipes-graphics/wayland/weston_9.0.0.bb
+++ b/meta/recipes-graphics/wayland/weston_9.0.0.bb
@@ -73,7 +73,7 @@ PACKAGECONFIG[colord] = "-Dcolor-management-colord=true,-Dcolor-management-color
# Clients support
PACKAGECONFIG[clients] = "-Dsimple-clients=all -Ddemo-clients=true,-Dsimple-clients= -Ddemo-clients=false"
# Virtual remote output with GStreamer on DRM backend
-PACKAGECONFIG[remoting] = "-Dremoting=true,-Dremoting=false,gstreamer1.0"
+PACKAGECONFIG[remoting] = "-Dremoting=true,-Dremoting=false,gstreamer1.0 gstreamer1.0-plugins-base"
# Weston with PAM support
PACKAGECONFIG[pam] = "-Dpam=true,-Dpam=false,libpam"
# Weston with screen-share support
diff --git a/meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb b/meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb
index 1ea08a6c99..bf8385fe6d 100644
--- a/meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb
+++ b/meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb
@@ -10,8 +10,12 @@ LIC_FILES_CHKSUM = "file://../misc/fonts.dir;md5=82a143d94d6a974aafe97132d2d519a
SRC_URI = "file://misc"
+SOURCE_DATE_EPOCH = "1613559011"
+
PE = "1"
-PR = "r2"
+PR = "r3"
+HASHEQUIV_HASH_VERSION .= ".1"
+
inherit allarch features_check
@@ -27,6 +31,8 @@ RDEPENDS_${PN} += "font-alias"
do_install() {
install -d ${D}/${datadir}/fonts/X11/misc
install -m 0644 ${S}/* ${D}/${datadir}/fonts/X11/misc/
+ # Pick a date/time as otherwise it would be the git checkout/modify time
+ touch -d @1613559011 ${D}/${datadir}/fonts/X11/misc/*
install -d ${D}/${libdir}/X11
ln -sf ${datadir}/fonts/X11/ ${D}/${libdir}/X11/fonts -s
}
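Review bot: The timestamp `1613559011` is written twice, as SOURCE_DATE_EPOCH in the previous hunk and again as a literal in the `touch -d` line of do_install, so the two can drift apart when only one is updated. Referencing the variable would keep them together: `touch -d @${SOURCE_DATE_EPOCH} ${D}/${datadir}/fonts/X11/misc/*`. If the literal is deliberate (SOURCE_DATE_EPOCH may be excluded from task signatures, which would explain the PR and HASHEQUIV_HASH_VERSION bumps), the comment should say so, e.g. `# Must match SOURCE_DATE_EPOCH above`.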
diff --git a/meta/recipes-graphics/xorg-proto/xcb-proto_1.14.bb b/meta/recipes-graphics/xorg-proto/xcb-proto_1.14.1.bb
index 6de30098d6..52e474a2e9 100644
--- a/meta/recipes-graphics/xorg-proto/xcb-proto_1.14.bb
+++ b/meta/recipes-graphics/xorg-proto/xcb-proto_1.14.1.bb
@@ -11,8 +11,8 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://COPYING;md5=d763b081cb10c223435b01e00dc0aba7 \
file://src/dri2.xml;beginline=2;endline=28;md5=f8763b13ff432e8597e0d610cf598e65"
-SRC_URI = "http://xcb.freedesktop.org/dist/${BP}.tar.xz"
-SRC_URI[sha256sum] = "186a3ceb26f9b4a015f5a44dcc814c93033a5fc39684f36f1ecc79834416a605"
+SRC_URI = "https://xorg.freedesktop.org/archive/individual/proto/${BP}.tar.xz"
+SRC_URI[sha256sum] = "f04add9a972ac334ea11d9d7eb4fc7f8883835da3e4859c9afa971efdf57fcc3"
inherit autotools pkgconfig python3native
diff --git a/meta/recipes-kernel/dtc/dtc.inc b/meta/recipes-kernel/dtc/dtc.inc
index 0650e3c82e..5da6c24fbf 100644
--- a/meta/recipes-kernel/dtc/dtc.inc
+++ b/meta/recipes-kernel/dtc/dtc.inc
@@ -7,7 +7,9 @@ DEPENDS = "flex-native bison-native"
SRC_URI = "git://git.kernel.org/pub/scm/utils/dtc/dtc.git \
file://make_install.patch \
+ file://0001-dtc-Fix-Makefile-to-add-CFLAGS-not-override.patch \
"
+
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
EXTRA_OEMAKE='NO_PYTHON=1 PREFIX="${prefix}" LIBDIR="${libdir}" DESTDIR="${D}"'
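Review bot: The SRC_URI entry this hunk extends still fetches dtc over plain `git://git.kernel.org/...` with no `protocol=` parameter, which is an unauthenticated and unencrypted transport. The checkout is presumably pinned by a SRCREV outside this hunk, which limits what a tampered transfer can achieve, but the same commit already moves iso-codes to `protocol=https` and this entry could follow it: `git://git.kernel.org/pub/scm/utils/dtc/dtc.git;protocol=https \`.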
diff --git a/meta/recipes-kernel/dtc/dtc/0001-dtc-Fix-Makefile-to-add-CFLAGS-not-override.patch b/meta/recipes-kernel/dtc/dtc/0001-dtc-Fix-Makefile-to-add-CFLAGS-not-override.patch
new file mode 100644
index 0000000000..a2deb12d4b
--- /dev/null
+++ b/meta/recipes-kernel/dtc/dtc/0001-dtc-Fix-Makefile-to-add-CFLAGS-not-override.patch
@@ -0,0 +1,36 @@
+From f0119060ef1b9bd80e2cae487df1e4aedffb0e9b Mon Sep 17 00:00:00 2001
+From: Oleksiy Obitotskyy <oobitots@cisco.com>
+Date: Fri, 22 Jan 2021 09:12:48 +0200
+Subject: [PATCH] dtc: Fix Makefile to add CFLAGS not override
+
+Makefile override CFLAGS not extend them, so some of them
+missing. Sources builds out of kernel tree and probably not all
+options could be used (?). We need at least -fmacro-prefix-map/
+debug-prefix-map to eliminate absolute path in binaries.
+
+Upstream-Status: Pending
+Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com>
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 35d936f..b5b13cf 100644
+--- a/Makefile
++++ b/Makefile
+@@ -20,10 +20,10 @@ CONFIG_LOCALVERSION =
+ # See libfdt_internal.h for details
+ ASSUME_MASK ?= 0
+
+-CPPFLAGS = -I libfdt -I . -DFDT_ASSUME_MASK=$(ASSUME_MASK)
++CPPFLAGS += -I libfdt -I . -DFDT_ASSUME_MASK=$(ASSUME_MASK)
+ WARNINGS = -Wall -Wpointer-arith -Wcast-qual -Wnested-externs \
+ -Wstrict-prototypes -Wmissing-prototypes -Wredundant-decls -Wshadow
+-CFLAGS = -g -Os $(SHAREDLIB_CFLAGS) -Werror $(WARNINGS) $(EXTRA_CFLAGS)
++CFLAGS += -g -Os $(SHAREDLIB_CFLAGS) -Werror $(WARNINGS) $(EXTRA_CFLAGS)
+
+ BISON = bison
+ LEX = flex
+--
+2.25.1
+
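Review bot: With `CFLAGS += -g -Os ... -Werror`, the Makefile's own flags land after whatever the build environment supplies, so `-Os` overrides the inherited optimisation level and `-Werror` now applies to a compile that also carries the inherited flags (the prefix-map options the message mentions, and presumably any hardening flags). Any new warning those flags trigger becomes a build failure, which the commit message does not discuss. A comment above the line, for example `# Environment CFLAGS come first; -Os and -Werror below still take effect`, would record the ordering. Note also that `+=` has no effect if CFLAGS is passed on the make command line rather than through the environment.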
diff --git a/meta/recipes-kernel/kmod/kmod.inc b/meta/recipes-kernel/kmod/kmod.inc
index 646dff9a97..10a319ac9f 100644
--- a/meta/recipes-kernel/kmod/kmod.inc
+++ b/meta/recipes-kernel/kmod/kmod.inc
@@ -26,7 +26,6 @@ SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git \
S = "${WORKDIR}/git"
-EXTRA_AUTORECONF += "--install --symlink"
EXTRA_OECONF +=" --enable-tools --with-zlib"
PACKAGECONFIG[debug] = "--enable-debug,--disable-debug"
diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20201218.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20210208.bb
index 700a79b118..1a9374d0b4 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20201218.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20210208.bb
@@ -128,7 +128,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
file://LICENCE.xc4000;md5=0ff51d2dc49fce04814c9155081092f0 \
file://LICENCE.xc5000;md5=1e170c13175323c32c7f4d0998d53f66 \
file://LICENCE.xc5000c;md5=12b02efa3049db65d524aeb418dd87ca \
- file://WHENCE;md5=03f0fad70b8b557b56084e3090198021 \
+ file://WHENCE;md5=ef0565762eac313c409567b59dff00b2 \
"
# These are not common licenses, set NO_GENERIC_LICENSE for them
@@ -201,7 +201,7 @@ PE = "1"
SRC_URI = "${KERNELORG_MIRROR}/linux/kernel/firmware/${BPN}-${PV}.tar.xz"
-SRC_URI[sha256sum] = "a1cc1ff72c739f312b095df589e9fd639fc81c3f8f7966377ea35222dc94c04b"
+SRC_URI[sha256sum] = "1bcb1a3944c361507754a7d26ccff40ffc28d1fb93bce711d67da26b33e785b7"
inherit allarch
@@ -225,6 +225,7 @@ PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \
${PN}-sd8887 ${PN}-sd8897 ${PN}-sd8997 ${PN}-usb8997 \
${PN}-ti-connectivity-license ${PN}-wlcommon ${PN}-wl12xx ${PN}-wl18xx \
${PN}-vt6656-license ${PN}-vt6656 \
+ ${PN}-rs9113 ${PN}-rs9116 \
${PN}-rtl-license ${PN}-rtl8188 ${PN}-rtl8192cu ${PN}-rtl8192ce ${PN}-rtl8192su ${PN}-rtl8723 ${PN}-rtl8821 \
${PN}-rtl8168 \
${PN}-cypress-license \
@@ -492,6 +493,13 @@ FILES_${PN}-netronome = " \
${nonarch_base_libdir}/firmware/netronome/nic_AMDA0096*.nffw \
${nonarch_base_libdir}/firmware/netronome/nic_AMDA0097*.nffw \
${nonarch_base_libdir}/firmware/netronome/nic_AMDA0099*.nffw \
+ ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0058-0011_2x40.nffw \
+ ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0058-0012_2x40.nffw \
+ ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0078-0011_1x100.nffw \
+ ${nonarch_base_libdir}/firmware/netronome/bpf \
+ ${nonarch_base_libdir}/firmware/netronome/flower \
+ ${nonarch_base_libdir}/firmware/netronome/nic \
+ ${nonarch_base_libdir}/firmware/netronome/nic-sriov \
"
RDEPENDS_${PN}-netronome += "${PN}-netronome-license"
@@ -518,6 +526,16 @@ RDEPENDS_${PN}-nvidia-gpu += "${PN}-nvidia-license"
RDEPENDS_${PN}-nvidia-tegra += "${PN}-nvidia-license"
RDEPENDS_${PN}-nvidia-tegra-k1 += "${PN}-nvidia-license"
+# For RSI RS911x WiFi
+LICENSE_${PN}-rs9113 = "WHENCE"
+LICENSE_${PN}-rs9116 = "WHENCE"
+
+FILES_${PN}-rs9113 = " ${nonarch_base_libdir}/firmware/rsi/rs9113*.rps "
+FILES_${PN}-rs9116 = " ${nonarch_base_libdir}/firmware/rsi/rs9116*.rps "
+
+RDEPENDS_${PN}-rs9113 += "${PN}-whence-license"
+RDEPENDS_${PN}-rs9116 += "${PN}-whence-license"
+
# For rtl
LICENSE_${PN}-rtl8188 = "Firmware-rtlwifi_firmware"
LICENSE_${PN}-rtl8192cu = "Firmware-rtlwifi_firmware"
@@ -618,7 +636,9 @@ FILES_${PN}-bcm4329 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4329-sdio.bi
FILES_${PN}-bcm4330 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4330-sdio.*"
FILES_${PN}-bcm4334 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4334-sdio.bin"
FILES_${PN}-bcm4335 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4335-sdio.bin"
-FILES_${PN}-bcm4339 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4339-sdio.bin"
+FILES_${PN}-bcm4339 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4339-sdio.bin \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac4339-sdio.bin \
+"
FILES_${PN}-bcm43241b0 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b0-sdio.bin"
FILES_${PN}-bcm43241b4 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b4-sdio.bin"
FILES_${PN}-bcm43241b5 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b5-sdio.bin"
@@ -627,12 +647,18 @@ FILES_${PN}-bcm43143 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43143.bin \
${nonarch_base_libdir}/firmware/brcm/brcmfmac43143-sdio.bin \
"
FILES_${PN}-bcm43430a0 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430a0-sdio.*"
-FILES_${PN}-bcm43455 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43455-sdio.*"
+FILES_${PN}-bcm43455 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43455-sdio.* \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac43455-sdio.* \
+"
FILES_${PN}-bcm4350c2 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350c2-pcie.bin"
FILES_${PN}-bcm4350 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350-pcie.bin"
-FILES_${PN}-bcm4356 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-sdio.bin"
+FILES_${PN}-bcm4356 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-sdio.bin \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac4356-sdio.bin \
+"
FILES_${PN}-bcm43569 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43569.bin"
-FILES_${PN}-bcm43570 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43570-pcie.bin"
+FILES_${PN}-bcm43570 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43570-pcie.bin \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac43570-pcie.bin \
+"
FILES_${PN}-bcm4358 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4358-pcie.bin"
FILES_${PN}-bcm43602 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43602-pcie.bin \
${nonarch_base_libdir}/firmware/brcm/brcmfmac43602-pcie.ap.bin \
@@ -703,13 +729,21 @@ LICENSE_${PN}-cypress-license = "Firmware-cypress"
FILES_${PN}-cypress-license = "${nonarch_base_libdir}/firmware/LICENCE.cypress"
FILES_${PN}-bcm-0bb4-0306 = "${nonarch_base_libdir}/firmware/brcm/BCM-0bb4-0306.hcd"
-FILES_${PN}-bcm43340 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43340-sdio.*"
-FILES_${PN}-bcm43362 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43362-sdio.*"
-FILES_${PN}-bcm43430 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430-sdio.*"
-FILES_${PN}-bcm4354 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4354-sdio.bin"
-FILES_${PN}-bcm4356-pcie = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-pcie.*"
+FILES_${PN}-bcm43340 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43340-sdio.* \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac43340-sdio.*"
+FILES_${PN}-bcm43362 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43362-sdio.* \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac43362-sdio.*"
+FILES_${PN}-bcm43430 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430-sdio.* \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac43430-sdio.*"
+FILES_${PN}-bcm4354 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4354-sdio.bin \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac4354-sdio.bin \
+"
+FILES_${PN}-bcm4356-pcie = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-pcie.* \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac4356-pcie.* \
+"
FILES_${PN}-bcm4373 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.bin \
${nonarch_base_libdir}/firmware/brcm/brcmfmac4373.bin \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac4373-sdio.bin \
"
LICENSE_${PN}-bcm-0bb4-0306 = "Firmware-cypress"
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index f6dd97c9b4..da1d5b72da 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "b82b3d52ee94caf6165eda89d3294a561bfb4f0b"
-SRCREV_meta ?= "bc855ca4626f33c38c1398d48c71df10334a9132"
+SRCREV_machine ?= "324e77d816cf6434507ab29140beb24044009efa"
+SRCREV_meta ?= "d7fd0213b75ce9b6206f63dbdd435ab326598642"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.4.87"
+LINUX_VERSION ?= "5.4.112"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index 05edcfa63d..1edc632de7 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.4.87"
+LINUX_VERSION ?= "5.4.112"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine_qemuarm ?= "18b82a8554b25c86cbf31af312765832edca3498"
-SRCREV_machine ?= "292d752af8e4015e40e7c523641983bac543e2b4"
-SRCREV_meta ?= "bc855ca4626f33c38c1398d48c71df10334a9132"
+SRCREV_machine_qemuarm ?= "8463db325b93f0669446f68c19334cfe11ffb9c2"
+SRCREV_machine ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a"
+SRCREV_meta ?= "d7fd0213b75ce9b6206f63dbdd435ab326598642"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index ba8660d5d3..53cfabb3a7 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base"
KBRANCH_qemux86-64 ?= "v5.4/standard/base"
KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "03f94e8a96d027da980f2cc2ad6e95bbb45e22c5"
-SRCREV_machine_qemuarm64 ?= "292d752af8e4015e40e7c523641983bac543e2b4"
-SRCREV_machine_qemumips ?= "0b055d3e2e8d41743b00cd84975ff383e35f1ae9"
-SRCREV_machine_qemuppc ?= "292d752af8e4015e40e7c523641983bac543e2b4"
-SRCREV_machine_qemuriscv64 ?= "292d752af8e4015e40e7c523641983bac543e2b4"
-SRCREV_machine_qemux86 ?= "292d752af8e4015e40e7c523641983bac543e2b4"
-SRCREV_machine_qemux86-64 ?= "292d752af8e4015e40e7c523641983bac543e2b4"
-SRCREV_machine_qemumips64 ?= "126e385b2dd8580a266fe15907c3725d2da12458"
-SRCREV_machine ?= "292d752af8e4015e40e7c523641983bac543e2b4"
-SRCREV_meta ?= "bc855ca4626f33c38c1398d48c71df10334a9132"
+SRCREV_machine_qemuarm ?= "133328e5d558f6060a5633d71506a6b716bb4fc6"
+SRCREV_machine_qemuarm64 ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a"
+SRCREV_machine_qemumips ?= "eef7365804592f95bceefa143cdb3cc19e8c6b66"
+SRCREV_machine_qemuppc ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a"
+SRCREV_machine_qemuriscv64 ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a"
+SRCREV_machine_qemux86 ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a"
+SRCREV_machine_qemux86-64 ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a"
+SRCREV_machine_qemumips64 ?= "996fe040c8d8d01a9af6be42dae3844d127471bf"
+SRCREV_machine ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a"
+SRCREV_meta ?= "d7fd0213b75ce9b6206f63dbdd435ab326598642"
# remap qemuarm to qemuarma15 for the 5.4 kernel
# KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.87"
+LINUX_VERSION ?= "5.4.112"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
diff --git a/meta/recipes-kernel/lttng/babeltrace2_2.0.3.bb b/meta/recipes-kernel/lttng/babeltrace2_2.0.3.bb
index c65882581d..32ba75bf36 100644
--- a/meta/recipes-kernel/lttng/babeltrace2_2.0.3.bb
+++ b/meta/recipes-kernel/lttng/babeltrace2_2.0.3.bb
@@ -17,7 +17,7 @@ UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>2(\.\d+)+)$"
S = "${WORKDIR}/git"
-inherit autotools pkgconfig ptest
+inherit autotools pkgconfig ptest python3targetconfig
EXTRA_OECONF = "--disable-debug-info"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb
index 14b34a2808..3eeb69d72c 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb
@@ -16,6 +16,8 @@ PNREAL = "gst-python"
S = "${WORKDIR}/${PNREAL}-${PV}"
+EXTRA_OEMESON += "-Dlibpython-dir=${libdir}"
+
# gobject-introspection is mandatory and cannot be configured
REQUIRED_DISTRO_FEATURES = "gobject-introspection-data"
UNKNOWN_CONFIGURE_WHITELIST_append = " introspection"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0/0001-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0/0001-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch
new file mode 100644
index 0000000000..e0e64e2c7a
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0/0001-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch
@@ -0,0 +1,32 @@
+From 1db36347d05d88835519368442e9aa89c64091ad Mon Sep 17 00:00:00 2001
+From: Seungha Yang <seungha@centricular.com>
+Date: Tue, 15 Sep 2020 00:54:58 +0900
+Subject: [PATCH] tests: seek: Don't use too strict timeout for validation
+
+Expected segment-done message might not be seen within expected
+time if system is not powerful enough.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/625>
+
+Upstream-Status: Backport [https://cgit.freedesktop.org/gstreamer/gstreamer/commit?id=f44312ae5d831438fcf8041162079c65321c588c]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ tests/check/pipelines/seek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/check/pipelines/seek.c b/tests/check/pipelines/seek.c
+index 28bb8846d..5f7447bc5 100644
+--- a/tests/check/pipelines/seek.c
++++ b/tests/check/pipelines/seek.c
+@@ -521,7 +521,7 @@ GST_START_TEST (test_loopback_2)
+
+ GST_INFO ("wait for segment done message");
+
+- msg = gst_bus_timed_pop_filtered (bus, (GstClockTime) 2 * GST_SECOND,
++ msg = gst_bus_timed_pop_filtered (bus, GST_CLOCK_TIME_NONE,
+ GST_MESSAGE_SEGMENT_DONE | GST_MESSAGE_ERROR);
+ fail_unless (msg, "no message within the timed window");
+ fail_unless_equals_string (GST_MESSAGE_TYPE_NAME (msg), "segment-done");
+--
+2.29.2
+
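Review bot: Replacing the 2-second window with `GST_CLOCK_TIME_NONE` in test_loopback_2 makes `gst_bus_timed_pop_filtered` block until a matching message arrives, so a lost segment-done message now hangs the test instead of failing it. The following `fail_unless (msg, "no message within the timed window")` is then effectively unreachable and its text misleading. As this is an upstream backport I would leave the code alone, but the patch header could state that termination now presumably depends on the test harness's own timeout. The test body continues outside this hunk.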
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
index 7afe56cd7b..632ef8819c 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
@@ -22,6 +22,7 @@ SRC_URI = " \
file://0003-meson-Add-valgrind-feature.patch \
file://0004-meson-Add-option-for-installed-tests.patch \
file://0005-bufferpool-only-resize-in-reset-when-maxsize-is-larger.patch \
+ file://0001-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch \
"
SRC_URI[md5sum] = "beecf6965a17fb17fa3b262fd36df70a"
SRC_URI[sha256sum] = "692f037968e454e508b0f71d9674e2e26c78475021407fcf8193b1c7e59543c7"
diff --git a/meta/recipes-multimedia/libomxil/libomxil_0.9.3.bb b/meta/recipes-multimedia/libomxil/libomxil_0.9.3.bb
index 2061c280e4..82cdaf54c7 100644
--- a/meta/recipes-multimedia/libomxil/libomxil_0.9.3.bb
+++ b/meta/recipes-multimedia/libomxil/libomxil_0.9.3.bb
@@ -4,7 +4,7 @@ DESCRIPTION = "Bellagio is an opensource implementation of the Khronos OpenMAX \
HOMEPAGE = "http://omxil.sourceforge.net/"
LICENSE = "LGPLv2.1+"
-LICENSE_FLAGS = "commercial"
+LICENSE_FLAGS = "${@bb.utils.contains('PACKAGECONFIG', 'amr', 'commercial', '', d)}"
LIC_FILES_CHKSUM = "file://COPYING;md5=ae6f0f4dbc7ac193b50f323a6ae191cb \
file://src/omxcore.h;beginline=1;endline=27;md5=806b1e5566c06486fe8e42b461e03a90"
@@ -28,6 +28,10 @@ PROVIDES += "virtual/libomxil"
CFLAGS += "-fcommon"
+PACKAGECONFIG ??= ""
+
+PACKAGECONFIG[amr] = "--enable-amr,,"
+
#
# The .so files under ${libdir}/bellagio are not intended to be versioned and symlinked.
# Make sure they get packaged in the main package.
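Review bot: `PACKAGECONFIG[amr] = "--enable-amr,,"` leaves the disable field empty, so when `amr` is not selected nothing is passed to configure and whether AMR support gets built depends on upstream's default. Because the first hunk now drops the `commercial` LICENSE_FLAGS in exactly that case, I would make the off state explicit: `PACKAGECONFIG[amr] = "--enable-amr,--disable-amr,"`. A one-line comment above it, such as `# Enabling amr is what makes this recipe carry LICENSE_FLAGS = "commercial"`, would also document the link between the two settings.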
diff --git a/meta/recipes-sato/images/core-image-sato-ptest-fast.bb b/meta/recipes-sato/images/core-image-sato-ptest-fast.bb
index 3641217306..4f08d6eb64 100644
--- a/meta/recipes-sato/images/core-image-sato-ptest-fast.bb
+++ b/meta/recipes-sato/images/core-image-sato-ptest-fast.bb
@@ -1,3 +1,6 @@
+inherit features_check
+REQUIRED_DISTRO_FEATURES = "ptest"
+
require core-image-sato-sdk.bb
require conf/distro/include/ptest-packagelists.inc
diff --git a/meta/recipes-sato/images/core-image-sato-sdk-ptest.bb b/meta/recipes-sato/images/core-image-sato-sdk-ptest.bb
index bf749acd79..4d59c9536b 100644
--- a/meta/recipes-sato/images/core-image-sato-sdk-ptest.bb
+++ b/meta/recipes-sato/images/core-image-sato-sdk-ptest.bb
@@ -1,3 +1,6 @@
+inherit features_check
+REQUIRED_DISTRO_FEATURES = "ptest"
+
require core-image-sato-sdk.bb
require conf/distro/include/ptest-packagelists.inc
diff --git a/meta/recipes-sato/webkit/wpebackend-fdo_1.7.1.bb b/meta/recipes-sato/webkit/wpebackend-fdo_1.7.1.bb
index 519762d125..15f4f4276c 100644
--- a/meta/recipes-sato/webkit/wpebackend-fdo_1.7.1.bb
+++ b/meta/recipes-sato/webkit/wpebackend-fdo_1.7.1.bb
@@ -15,3 +15,6 @@ REQUIRED_DISTRO_FEATURES = "opengl"
SRC_URI = "https://wpewebkit.org/releases/${BPN}-${PV}.tar.xz"
SRC_URI[sha256sum] = "9b980a73ea4e3762266c48f81ded56d9dcad4acf32bad9bd05d0dffdd454c6f5"
+FILES_${PN} += "${libdir}/libWPEBackend-fdo-1.0.so"
+FILES_SOLIBSDEV = ""
+INSANE_SKIP_${PN} += "dev-so"
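Review bot: The three added lines move the unversioned `libWPEBackend-fdo-1.0.so` into the main package and silence the `dev-so` QA check without saying why. A comment would let the next maintainer judge whether the skip is still needed, e.g. `# The unversioned .so is needed at runtime, so ship it in ${PN} rather than ${PN}-dev`. The reason is inferred here (presumably the library is loaded by its unversioned name) and should be confirmed by the author.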
diff --git a/meta/recipes-support/apr/apr-util_1.6.1.bb b/meta/recipes-support/apr/apr-util_1.6.1.bb
index f7d827a1d8..4e183ca374 100644
--- a/meta/recipes-support/apr/apr-util_1.6.1.bb
+++ b/meta/recipes-support/apr/apr-util_1.6.1.bb
@@ -35,6 +35,7 @@ OE_BINCONFIG_EXTRA_MANGLE = " -e 's:location=source:location=installed:'"
do_configure_append() {
if [ "${CLASSOVERRIDE}" = "class-target" ]; then
cp ${STAGING_DATADIR}/apr/apr_rules.mk ${B}/build/rules.mk
+ sed -i -e 's#^CFLAGS=.*#CFLAGS=${TARGET_CFLAGS}#g' ${B}/build/rules.mk
fi
}
do_configure_prepend_class-native() {
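Review bot: The added `sed -i -e 's#^CFLAGS=.*#CFLAGS=${TARGET_CFLAGS}#g'` line, here in do_configure_append and again in do_configure_prepend_class-nativesdk in the next hunk, rewrites the copied rules.mk with no comment explaining why. `${TARGET_CFLAGS}` is expanded straight into the sed replacement text, so a `#` or `&` in the flags would break or silently alter the substitution. I would add a comment such as `# Replace the CFLAGS recorded in apr_rules.mk with this recipe's own flags` and note the assumption that the flags contain neither character.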
@@ -49,6 +50,7 @@ do_configure_append_class-native() {
do_configure_prepend_class-nativesdk() {
cp ${STAGING_DATADIR}/apr/apr_rules.mk ${S}/build/rules.mk
+ sed -i -e 's#^CFLAGS=.*#CFLAGS=${TARGET_CFLAGS}#g' ${S}/build/rules.mk
}
do_configure_append_class-nativesdk() {
diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-certdata2pem.py-use-python3.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-certdata2pem.py-use-python3.patch
deleted file mode 100644
index aa2c85ff43..0000000000
--- a/meta/recipes-support/ca-certificates/ca-certificates/0001-certdata2pem.py-use-python3.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From b6d18ca77f131cdcaa10d0eaa9d303399767edf6 Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin <alex.kanavin@gmail.com>
-Date: Wed, 28 Aug 2019 19:18:14 +0200
-Subject: [PATCH] certdata2pem.py: use python3
-
-Comments in that file imply it is already py3 compatible.
-
-Upstream-Status: Pending
-Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
----
- mozilla/Makefile | 2 +-
- mozilla/certdata2pem.py | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/mozilla/Makefile b/mozilla/Makefile
-index 6f46118..f98877c 100644
---- a/mozilla/Makefile
-+++ b/mozilla/Makefile
-@@ -3,7 +3,7 @@
- #
-
- all:
-- python certdata2pem.py
-+ python3 certdata2pem.py
-
- clean:
- -rm -f *.crt
-diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
-index 0b02b2a..7d796f1 100644
---- a/mozilla/certdata2pem.py
-+++ b/mozilla/certdata2pem.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/python
-+#!/usr/bin/python3
- # vim:set et sw=4:
- #
- # certdata2pem.py - splits certdata.txt into multiple files
diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20200601.bb b/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
index 6f39df7985..7dcc86fdc1 100644
--- a/meta/recipes-support/ca-certificates/ca-certificates_20200601.bb
+++ b/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
@@ -14,7 +14,7 @@ DEPENDS_class-nativesdk = "openssl-native"
# Need rehash from openssl and run-parts from debianutils
PACKAGE_WRITE_DEPS += "openssl-native debianutils-native"
-SRCREV = "b3a8980b781bc9a370e42714a605cd4191bb6c0b"
+SRCREV = "181be7ebd169b4a6fb5d90c3e6dc791e90534144"
SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \
file://0002-update-ca-certificates-use-SYSROOT.patch \
@@ -23,7 +23,6 @@ SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \
file://default-sysroot.patch \
file://sbindir.patch \
file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \
- file://0001-certdata2pem.py-use-python3.patch \
"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+)"
@@ -84,8 +83,8 @@ do_install_append_class-native () {
SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates
}
-RDEPENDS_${PN}_class-target = "openssl-bin"
-RDEPENDS_${PN}_class-native = "openssl-native"
-RDEPENDS_${PN}_class-nativesdk = "nativesdk-openssl-bin"
+RDEPENDS_${PN}_append_class-target = " openssl-bin openssl"
+RDEPENDS_${PN}_append_class-native = " openssl-native"
+RDEPENDS_${PN}_append_class-nativesdk = " nativesdk-openssl-bin nativesdk-openssl"
BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-support/gpgme/gpgme_1.14.0.bb b/meta/recipes-support/gpgme/gpgme_1.14.0.bb
index 9fa8212808..fb7215381c 100644
--- a/meta/recipes-support/gpgme/gpgme_1.14.0.bb
+++ b/meta/recipes-support/gpgme/gpgme_1.14.0.bb
@@ -48,7 +48,7 @@ DEFAULT_LANGUAGES_class-target = "cpp"
LANGUAGES ?= "${DEFAULT_LANGUAGES} python"
PYTHON_INHERIT = "${@bb.utils.contains('PACKAGECONFIG', 'python2', 'pythonnative', '', d)}"
-PYTHON_INHERIT .= "${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3native', '', d)}"
+PYTHON_INHERIT .= "${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3native python3targetconfig', '', d)}"
EXTRA_OECONF += '--enable-languages="${LANGUAGES}" \
--disable-gpgconf-test \
diff --git a/meta/recipes-support/iso-codes/iso-codes_4.5.0.bb b/meta/recipes-support/iso-codes/iso-codes_4.5.0.bb
index 9d02f5c794..0b4582b202 100644
--- a/meta/recipes-support/iso-codes/iso-codes_4.5.0.bb
+++ b/meta/recipes-support/iso-codes/iso-codes_4.5.0.bb
@@ -5,7 +5,7 @@ BUGTRACKER = "https://salsa.debian.org/iso-codes-team/iso-codes/issues"
LICENSE = "LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
-SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=http;branch=main;"
+SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=https;branch=main;"
SRCREV = "a36019e5014bff251f83d522ddcfebaecf52afd3"
# inherit gettext cannot be used, because it adds gettext-native to BASEDEPENDS which
diff --git a/meta/recipes-support/libcroco/files/CVE-2020-12825.patch b/meta/recipes-support/libcroco/files/CVE-2020-12825.patch
new file mode 100644
index 0000000000..42f92e3607
--- /dev/null
+++ b/meta/recipes-support/libcroco/files/CVE-2020-12825.patch
@@ -0,0 +1,192 @@
+From fdf78a4877afa987ba646a8779b513f258e6d04c Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Fri, 31 Jul 2020 15:21:53 -0500
+Subject: [PATCH] libcroco: Limit recursion in block and any productions
+
+ (CVE-2020-12825)
+
+If we don't have any limits, we can recurse forever and overflow the
+stack.
+
+Fixes #8
+This is per https://gitlab.gnome.org/Archive/libcroco/-/issues/8
+
+https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1404
+
+CVE: CVE-2020-12825
+Upstream-Status: Backport [https://gitlab.gnome.org/Archive/libcroco/-/commit/6eb257e5c731c691eb137fca94e916ca73941a5a]
+Comment: No refreshing changes done.
+Signed-off-by: Saloni Jain <Saloni.Jain@kpit.com>
+
+---
+ src/cr-parser.c | 44 +++++++++++++++++++++++++++++---------------
+ 1 file changed, 29 insertions(+), 15 deletions(-)
+
+diff --git a/src/cr-parser.c b/src/cr-parser.c
+index 18c9a01..f4a62e3 100644
+--- a/src/cr-parser.c
++++ b/src/cr-parser.c
+@@ -136,6 +136,8 @@ struct _CRParserPriv {
+
+ #define CHARS_TAB_SIZE 12
+
++#define RECURSIVE_CALLERS_LIMIT 100
++
+ /**
+ * IS_NUM:
+ *@a_char: the char to test.
+@@ -344,9 +346,11 @@ static enum CRStatus cr_parser_parse_selector_core (CRParser * a_this);
+
+ static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this);
+
+-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this);
++static enum CRStatus cr_parser_parse_any_core (CRParser * a_this,
++ guint n_calls);
+
+-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this);
++static enum CRStatus cr_parser_parse_block_core (CRParser * a_this,
++ guint n_calls);
+
+ static enum CRStatus cr_parser_parse_value_core (CRParser * a_this);
+
+@@ -784,7 +788,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+ cr_parser_try_to_skip_spaces_and_comments (a_this);
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+ } while (status == CR_OK);
+
+ status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr,
+@@ -795,7 +799,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+ cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+ token);
+ token = NULL;
+- status = cr_parser_parse_block_core (a_this);
++ status = cr_parser_parse_block_core (a_this, 0);
+ CHECK_PARSING_STATUS (status,
+ FALSE);
+ goto done;
+@@ -930,11 +934,11 @@ cr_parser_parse_selector_core (CRParser * a_this)
+
+ RECORD_INITIAL_POS (a_this, &init_pos);
+
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+ CHECK_PARSING_STATUS (status, FALSE);
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+
+ } while (status == CR_OK);
+
+@@ -956,10 +960,12 @@ cr_parser_parse_selector_core (CRParser * a_this)
+ *in chapter 4.1 of the css2 spec.
+ *block ::= '{' S* [ any | block | ATKEYWORD S* | ';' ]* '}' S*;
+ *@param a_this the current instance of #CRParser.
++ *@param n_calls used to limit recursion depth
+ *FIXME: code this function.
+ */
+ static enum CRStatus
+-cr_parser_parse_block_core (CRParser * a_this)
++cr_parser_parse_block_core (CRParser * a_this,
++ guint n_calls)
+ {
+ CRToken *token = NULL;
+ CRInputPos init_pos;
+@@ -967,6 +973,9 @@ cr_parser_parse_block_core (CRParser * a_this)
+
+ g_return_val_if_fail (a_this && PRIVATE (a_this), CR_BAD_PARAM_ERROR);
+
++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
++ return CR_ERROR;
++
+ RECORD_INITIAL_POS (a_this, &init_pos);
+
+ status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token);
+@@ -996,13 +1005,13 @@ cr_parser_parse_block_core (CRParser * a_this)
+ } else if (token->type == CBO_TK) {
+ cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+ token = NULL;
+- status = cr_parser_parse_block_core (a_this);
++ status = cr_parser_parse_block_core (a_this, n_calls + 1);
+ CHECK_PARSING_STATUS (status, FALSE);
+ goto parse_block_content;
+ } else {
+ cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+ token = NULL;
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ CHECK_PARSING_STATUS (status, FALSE);
+ goto parse_block_content;
+ }
+@@ -1109,7 +1118,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+ status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+ token);
+ token = NULL;
+- status = cr_parser_parse_block_core (a_this);
++ status = cr_parser_parse_block_core (a_this, 0);
+ CHECK_PARSING_STATUS (status, FALSE);
+ ref++;
+ goto continue_parsing;
+@@ -1123,7 +1132,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+ status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+ token);
+ token = NULL;
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+ if (status == CR_OK) {
+ ref++;
+ goto continue_parsing;
+@@ -1162,10 +1171,12 @@ cr_parser_parse_value_core (CRParser * a_this)
+ * | FUNCTION | DASHMATCH | '(' any* ')' | '[' any* ']' ] S*;
+ *
+ *@param a_this the current instance of #CRParser.
++ *@param n_calls used to limit recursion depth
+ *@return CR_OK upon successfull completion, an error code otherwise.
+ */
+ static enum CRStatus
+-cr_parser_parse_any_core (CRParser * a_this)
++cr_parser_parse_any_core (CRParser * a_this,
++ guint n_calls)
+ {
+ CRToken *token1 = NULL,
+ *token2 = NULL;
+@@ -1174,6 +1185,9 @@ cr_parser_parse_any_core (CRParser * a_this)
+
+ g_return_val_if_fail (a_this, CR_BAD_PARAM_ERROR);
+
++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
++ return CR_ERROR;
++
+ RECORD_INITIAL_POS (a_this, &init_pos);
+
+ status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token1);
+@@ -1212,7 +1226,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+ *We consider parameter as being an "any*" production.
+ */
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ } while (status == CR_OK);
+
+ ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1237,7 +1251,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+ }
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ } while (status == CR_OK);
+
+ ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1265,7 +1279,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+ }
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ } while (status == CR_OK);
+
+ ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
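Review bot: The depth counter is only carried through `cr_parser_parse_block_core` and `cr_parser_parse_any_core`; the other callers touched by this patch (`cr_parser_parse_atrule_core`, `cr_parser_parse_selector_core`, `cr_parser_parse_value_core`) restart it at 0. That bounds stack use only if none of those three can be re-entered from inside a block/any production, which the hunks shown here do not establish, so it is worth confirming against the full cr-parser.c. The guard `if (n_calls > RECURSIVE_CALLERS_LIMIT)` also admits 101 nested levels rather than 100; `>=` would match the macro's name. The define has no comment, so I would add one such as `/* Maximum nesting of block/any productions; deeper input is rejected with CR_ERROR. */`.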
diff --git a/meta/recipes-support/libcroco/libcroco_0.6.13.bb b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
index 9171a9de5c..a443ff23fe 100644
--- a/meta/recipes-support/libcroco/libcroco_0.6.13.bb
+++ b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
@@ -18,3 +18,6 @@ inherit gnomebase gtk-doc binconfig-disabled
SRC_URI[archive.md5sum] = "c80c5a8385011a0260dce6bd0da93dce"
SRC_URI[archive.sha256sum] = "767ec234ae7aa684695b3a735548224888132e063f92db585759b422570621d4"
+
+SRC_URI +="file://CVE-2020-12825.patch \
+"
diff --git a/meta/recipes-support/libevdev/libevdev/determinism.patch b/meta/recipes-support/libevdev/libevdev/determinism.patch
index f6b7fc82d3..71cbd876eb 100644
--- a/meta/recipes-support/libevdev/libevdev/determinism.patch
+++ b/meta/recipes-support/libevdev/libevdev/determinism.patch
@@ -9,7 +9,8 @@ Sort to remove this inconsistency.
RP 2020/2/7
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-Upstream-Status: Pending
+Submitted: https://lists.freedesktop.org/archives/input-tools/2021-February/001560.html
+Upstream-Status: Backport [https://gitlab.freedesktop.org/libevdev/libevdev/-/commit/8d70f449892c6f7659e07bb0f06b8347677bb7d8]
---
libevdev/make-event-names.py | 6 +++---
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.6.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.6.bb
index ac09417e89..832d07d515 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.6.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.6.bb
@@ -28,6 +28,9 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
"
SRC_URI[sha256sum] = "0cba2700617b99fc33864a0c16b1fa7fdf9781d9ed3509f5d767178e5fd7b975"
+# Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro.
+CVE_CHECK_WHITELIST += "CVE-2018-12433 CVE-2018-12438"
+
BINCONFIG = "${bindir}/libgcrypt-config"
inherit autotools texinfo binconfig-disabled pkgconfig
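Review bot: The comment above the new `CVE_CHECK_WHITELIST` line does not say who disputes these CVEs or where that is recorded, yet from this point cve-check will no longer report either ID for libgcrypt. A reader auditing the image later needs the rationale next to each entry. I would expand it to one comment per ID, for example `# CVE-2018-12433: disputed, see <reference to the dispute>` and likewise for CVE-2018-12438. The wording "not affecting crypto libraries for any distro" is a broad claim, so it should either cite its source or be narrowed to what was actually checked.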
diff --git a/meta/recipes-support/p11-kit/p11-kit_0.23.21.bb b/meta/recipes-support/p11-kit/p11-kit_0.23.22.bb
index b1fd2334b2..c539ecdbc6 100644
--- a/meta/recipes-support/p11-kit/p11-kit_0.23.21.bb
+++ b/meta/recipes-support/p11-kit/p11-kit_0.23.22.bb
@@ -2,17 +2,18 @@ SUMMARY = "Provides a way to load and enumerate PKCS#11 modules"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://COPYING;md5=02933887f609807fbb57aa4237d14a50"
-inherit meson gettext pkgconfig gtk-doc bash-completion
+inherit meson gettext pkgconfig gtk-doc bash-completion manpages
DEPENDS = "libtasn1 libtasn1-native libffi"
DEPENDS_append = "${@' glib-2.0' if d.getVar('GTKDOC_ENABLED') == 'True' else ''}"
-SRC_URI = "git://github.com/p11-glue/p11-kit"
-SRCREV = "fd8b56f3ee971f94dc6fc95411fc01e1c12153ab"
+SRC_URI = "git://github.com/p11-glue/p11-kit;branch=0.23"
+SRCREV = "bd97afbfe28d5fbbde95ce36ff7a8834fc0291ee"
S = "${WORKDIR}/git"
PACKAGECONFIG ??= ""
+PACKAGECONFIG[manpages] = "-Dman=true,-Dman=false,libxslt-native"
PACKAGECONFIG[trust-paths] = "-Dtrust_paths=/etc/ssl/certs/ca-certificates.crt,,,ca-certificates"
GTKDOC_MESON_OPTION = 'gtk_doc'
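Review bot: The rewritten `SRC_URI` adds `branch=0.23` but still has no `protocol=` parameter, so as far as I know the fetcher falls back to the plain git:// transport for github.com, which is neither authenticated nor encrypted. `SRCREV` pins the commit and so limits what a tampered transport could deliver, but the fetch should still use TLS. I would write `SRC_URI = "git://github.com/p11-glue/p11-kit;branch=0.23;protocol=https"`.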
diff --git a/meta/recipes-support/vim/files/racefix.patch b/meta/recipes-support/vim/files/racefix.patch
new file mode 100644
index 0000000000..48dca44cad
--- /dev/null
+++ b/meta/recipes-support/vim/files/racefix.patch
@@ -0,0 +1,33 @@
+The creation of the LINGUAS file is duplicated for each desktop file
+which can lead the commands to race against each other. Rework
+the makefile to avoid this as the expense of leaving the file on disk.
+
+Upstream-Status: Pending
+RP 2021/2/15
+
+Index: git/src/po/Makefile
+===================================================================
+--- git.orig/src/po/Makefile
++++ git/src/po/Makefile
+@@ -165,17 +165,16 @@ $(PACKAGE).pot: ../*.c ../if_perl.xs ../
+ po/gvim.desktop.in po/vim.desktop.in
+ mv -f ../$(PACKAGE).po $(PACKAGE).pot
+
+-vim.desktop: vim.desktop.in $(POFILES)
++LINGUAS:
+ echo $(LANGUAGES) | tr " " "\n" |sed -e '/\./d' | sort > LINGUAS
++
++vim.desktop: vim.desktop.in $(POFILES) LINGUAS
+ $(MSGFMT) --desktop -d . --template vim.desktop.in -o tmp_vim.desktop
+- rm -f LINGUAS
+ if command -v desktop-file-validate; then desktop-file-validate tmp_vim.desktop; fi
+ mv tmp_vim.desktop vim.desktop
+
+-gvim.desktop: gvim.desktop.in $(POFILES)
+- echo $(LANGUAGES) | tr " " "\n" |sed -e '/\./d' | sort > LINGUAS
++gvim.desktop: gvim.desktop.in $(POFILES) LINGUAS
+ $(MSGFMT) --desktop -d . --template gvim.desktop.in -o tmp_gvim.desktop
+- rm -f LINGUAS
+ if command -v desktop-file-validate; then desktop-file-validate tmp_gvim.desktop; fi
+ mv tmp_gvim.desktop gvim.desktop
+
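Review bot: The new `LINGUAS:` rule has no prerequisites and both `rm -f LINGUAS` lines are dropped, so once the file exists make treats it as up to date. A later change to `$(LANGUAGES)` would then leave stale content feeding `$(MSGFMT) --desktop`. This does not matter in a fresh work directory, but it can on an incremental rebuild of the same tree. The patch description accepts leaving the file on disk, so at minimum I would record that in the Makefile itself, e.g. `# LINGUAS is generated once and shared by vim.desktop and gvim.desktop to avoid a parallel-make race; it is intentionally not removed`. It should also be deleted in the clean rule, which is outside this hunk.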
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 4d2886c19e..d57f784da5 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -12,6 +12,7 @@ SRC_URI = "git://github.com/vim/vim.git \
file://vim-add-knob-whether-elf.h-are-checked.patch \
file://0001-src-Makefile-improve-reproducibility.patch \
file://no-path-adjust.patch \
+ file://racefix.patch \
"
SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
@@ -68,8 +69,10 @@ EXTRA_OECONF = " \
--disable-gtktest \
--disable-xim \
--disable-netbeans \
+ --disable-desktop-database-update \
--with-tlib=ncurses \
ac_cv_small_wchar_t=no \
+ ac_cv_path_GLIB_COMPILE_RESOURCES=no \
vim_cv_getcwd_broken=no \
vim_cv_memmove_handles_overlap=yes \
vim_cv_stat_ignores_slash=no \
diff --git a/scripts/contrib/documentation-audit.sh b/scripts/contrib/documentation-audit.sh
index 1191f57a8e..f436f9bae0 100755
--- a/scripts/contrib/documentation-audit.sh
+++ b/scripts/contrib/documentation-audit.sh
@@ -27,7 +27,7 @@ fi
echo "REMINDER: you need to build for MACHINE=qemux86 or you won't get useful results"
echo "REMINDER: you need to set LICENSE_FLAGS_WHITELIST appropriately in local.conf or "
-echo " you'll get false positives. For example, LICENSE_FLAGS_WHITELIST = \"Commercial\""
+echo " you'll get false positives. For example, LICENSE_FLAGS_WHITELIST = \"commercial\""
for pkg in `bitbake -s | awk '{ print \$1 }'`; do
if [[ "$pkg" == "Loading" || "$pkg" == "Loaded" ||
diff --git a/scripts/lib/devtool/standard.py b/scripts/lib/devtool/standard.py
index f7d8a82117..f364a45283 100644
--- a/scripts/lib/devtool/standard.py
+++ b/scripts/lib/devtool/standard.py
@@ -474,7 +474,11 @@ def symlink_oelocal_files_srctree(rd,srctree):
destpth = os.path.join(srctree, relpth, fn)
if os.path.exists(destpth):
os.unlink(destpth)
- os.symlink('oe-local-files/%s' % fn, destpth)
+ if relpth != '.':
+ back_relpth = os.path.relpath(local_files_dir, root)
+ os.symlink('%s/oe-local-files/%s/%s' % (back_relpth, relpth, fn), destpth)
+ else:
+ os.symlink('oe-local-files/%s' % fn, destpth)
addfiles.append(os.path.join(relpth, fn))
if addfiles:
bb.process.run('git add %s' % ' '.join(addfiles), cwd=srctree)
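Review bot: In the new `relpth != '.'` branch the link is created at `srctree/relpth/fn`, but nothing in the visible lines ensures that subdirectory exists, so `os.symlink` would raise FileNotFoundError for a local file in a directory the source tree lacks. The function starts outside this hunk, so the directory may be created earlier; if not, add `bb.utils.mkdirhier(os.path.dirname(destpth))` before the `os.path.exists(destpth)` check. The target would also read better built with `os.path.join(back_relpth, 'oe-local-files', relpth, fn)` than with `'%s/oe-local-files/%s/%s'`. Now that nested paths reach `addfiles`, the unchanged `'git add %s' % ' '.join(addfiles)` call deserves a look too: it passes file names through a shell string, so a name containing spaces or shell metacharacters is misparsed; passing a list, `bb.process.run(['git', 'add'] + addfiles, cwd=srctree)`, avoids that.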
@@ -949,12 +953,17 @@ def modify(args, config, basepath, workspace):
if bb.data.inherits_class('kernel', rd):
f.write('SRCTREECOVEREDTASKS = "do_validate_branches do_kernel_checkout '
- 'do_fetch do_unpack do_kernel_configme do_kernel_configcheck"\n')
+ 'do_fetch do_unpack do_kernel_configcheck"\n')
f.write('\ndo_patch[noexec] = "1"\n')
f.write('\ndo_configure_append() {\n'
' cp ${B}/.config ${S}/.config.baseline\n'
' ln -sfT ${B}/.config ${S}/.config.new\n'
'}\n')
+ f.write('\ndo_kernel_configme_prepend() {\n'
+ ' if [ -e ${S}/.config ]; then\n'
+ ' mv ${S}/.config ${S}/.config.old\n'
+ ' fi\n'
+ '}\n')
if rd.getVarFlag('do_menuconfig','task'):
f.write('\ndo_configure_append() {\n'
' if [ ! ${DEVTOOL_DISABLE_MENUCONFIG} ]; then\n'
diff --git a/scripts/lib/recipetool/create_npm.py b/scripts/lib/recipetool/create_npm.py
index 579b7ae48a..2bcae91dfa 100644
--- a/scripts/lib/recipetool/create_npm.py
+++ b/scripts/lib/recipetool/create_npm.py
@@ -204,6 +204,9 @@ class NpmRecipeHandler(RecipeHandler):
self._run_npm_install(d, srctree, registry, dev)
shrinkwrap_file = self._generate_shrinkwrap(d, srctree, dev)
+ with open(shrinkwrap_file, "r") as f:
+ shrinkwrap = json.load(f)
+
if os.path.exists(lock_copy):
bb.utils.movefile(lock_copy, lock_file)
@@ -226,7 +229,8 @@ class NpmRecipeHandler(RecipeHandler):
value = origvalue.replace("version=" + data["version"], "version=${PV}")
value = value.replace("version=latest", "version=${PV}")
values = [line.strip() for line in value.strip('\n').splitlines()]
- values.append(url_recipe)
+ if "dependencies" in shrinkwrap:
+ values.append(url_recipe)
return values, None, 4, False
(_, newlines) = bb.utils.edit_metadata(lines_before, ["SRC_URI"], _handle_srcuri)
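Review bot: `if "dependencies" in shrinkwrap:` only tests for the key, so a shrinkwrap containing an empty `"dependencies": {}` would still append `url_recipe` to SRC_URI. Whether the generated file can have that shape is not visible here. If it can, `if shrinkwrap.get("dependencies"):` covers both the missing and the empty case. The `shrinkwrap` dict is loaded in the previous hunk with `open(shrinkwrap_file, "r")`, and I would pass `encoding="utf-8"` there so parsing does not depend on the build host's locale.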
diff --git a/scripts/lib/wic/canned-wks/common.wks.inc b/scripts/lib/wic/canned-wks/common.wks.inc
index 89880b417b..4fd29fa8c1 100644
--- a/scripts/lib/wic/canned-wks/common.wks.inc
+++ b/scripts/lib/wic/canned-wks/common.wks.inc
@@ -1,3 +1,3 @@
# This file is included into 3 canned wks files from this directory
part /boot --source bootimg-pcbios --ondisk sda --label boot --active --align 1024
-part / --source rootfs --use-uuid --fstype=ext4 --label platform --align 1024
+part / --source rootfs --use-uuid --fstype=ext4 --mkfs-extraopts "-T default" --label platform --align 1024
diff --git a/scripts/lib/wic/canned-wks/directdisk-gpt.wks b/scripts/lib/wic/canned-wks/directdisk-gpt.wks
index 8d7d8de6ea..cf16c0c30b 100644
--- a/scripts/lib/wic/canned-wks/directdisk-gpt.wks
+++ b/scripts/lib/wic/canned-wks/directdisk-gpt.wks
@@ -4,7 +4,7 @@
part /boot --source bootimg-pcbios --ondisk sda --label boot --active --align 1024
-part / --source rootfs --ondisk sda --fstype=ext4 --label platform --align 1024 --use-uuid
+part / --source rootfs --ondisk sda --fstype=ext4 --mkfs-extraopts "-T default" --label platform --align 1024 --use-uuid
bootloader --ptable gpt --timeout=0 --append="rootwait rootfstype=ext4 video=vesafb vga=0x318 console=tty0 console=ttyS0,115200n8"
diff --git a/scripts/lib/wic/canned-wks/mkefidisk.wks b/scripts/lib/wic/canned-wks/mkefidisk.wks
index 9f534fe184..d1878e23e5 100644
--- a/scripts/lib/wic/canned-wks/mkefidisk.wks
+++ b/scripts/lib/wic/canned-wks/mkefidisk.wks
@@ -4,7 +4,7 @@
part /boot --source bootimg-efi --sourceparams="loader=grub-efi" --ondisk sda --label msdos --active --align 1024
-part / --source rootfs --ondisk sda --fstype=ext4 --label platform --align 1024 --use-uuid
+part / --source rootfs --ondisk sda --fstype=ext4 --mkfs-extraopts "-T default" --label platform --align 1024 --use-uuid
part swap --ondisk sda --size 44 --label swap1 --fstype=swap
diff --git a/scripts/lib/wic/misc.py b/scripts/lib/wic/misc.py
index 75b219cd3f..57c042c503 100644
--- a/scripts/lib/wic/misc.py
+++ b/scripts/lib/wic/misc.py
@@ -26,6 +26,7 @@ logger = logging.getLogger('wic')
# executable -> recipe pairs for exec_native_cmd
NATIVE_RECIPES = {"bmaptool": "bmap-tools",
+ "dumpe2fs": "e2fsprogs",
"grub-mkimage": "grub-efi",
"isohybrid": "syslinux",
"mcopy": "mtools",
diff --git a/scripts/lib/wic/partition.py b/scripts/lib/wic/partition.py
index e574f40c47..85f9847047 100644
--- a/scripts/lib/wic/partition.py
+++ b/scripts/lib/wic/partition.py
@@ -298,6 +298,8 @@ class Partition():
mkfs_cmd = "fsck.%s -pvfD %s" % (self.fstype, rootfs)
exec_native_cmd(mkfs_cmd, native_sysroot, pseudo=pseudo)
+ self.check_for_Y2038_problem(rootfs, native_sysroot)
+
def prepare_rootfs_btrfs(self, rootfs, cr_workdir, oe_builddir, rootfs_dir,
native_sysroot, pseudo):
"""
@@ -388,6 +390,8 @@ class Partition():
(self.fstype, extraopts, label_str, self.fsuuid, rootfs)
exec_native_cmd(mkfs_cmd, native_sysroot)
+ self.check_for_Y2038_problem(rootfs, native_sysroot)
+
def prepare_empty_partition_btrfs(self, rootfs, oe_builddir,
native_sysroot):
"""
@@ -449,3 +453,37 @@ class Partition():
mkswap_cmd = "mkswap %s -U %s %s" % (label_str, self.fsuuid, path)
exec_native_cmd(mkswap_cmd, native_sysroot)
+
+ def check_for_Y2038_problem(self, rootfs, native_sysroot):
+ """
+ Check if the filesystem is affected by the Y2038 problem
+ (Y2038 problem = 32 bit time_t overflow in January 2038)
+ """
+ def get_err_str(part):
+ err = "The {} filesystem {} has no Y2038 support."
+ if part.mountpoint:
+ args = [part.fstype, "mounted at %s" % part.mountpoint]
+ elif part.label:
+ args = [part.fstype, "labeled '%s'" % part.label]
+ elif part.part_name:
+ args = [part.fstype, "in partition '%s'" % part.part_name]
+ else:
+ args = [part.fstype, "in partition %s" % part.num]
+ return err.format(*args)
+
+ # ext2 and ext3 are always affected by the Y2038 problem
+ if self.fstype in ["ext2", "ext3"]:
+ logger.warn(get_err_str(self))
+ return
+
+ ret, out = exec_native_cmd("dumpe2fs %s" % rootfs, native_sysroot)
+
+ # if ext4 is affected by the Y2038 problem depends on the inode size
+ for line in out.splitlines():
+ if line.startswith("Inode size:"):
+ size = int(line.split(":")[1].strip())
+ if size < 256:
+ logger.warn("%s Inodes (of size %d) are too small." %
+ (get_err_str(self), size))
+ break
+
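Review bot: `exec_native_cmd("dumpe2fs %s" % rootfs, native_sysroot)` makes dumpe2fs print every block group of the image just to read one superblock field. `dumpe2fs -h` prints only the superblock, which still contains the `Inode size:` line, so I would use `ret, out = exec_native_cmd("dumpe2fs -h %s" % rootfs, native_sysroot)`. `ret` is never examined, so unless `exec_native_cmd` raises on failure (not visible in this hunk) a failed dumpe2fs run silently skips the check; a `logger.warning` when `ret != 0` would make that visible. `logger.warn` is the deprecated alias, so both calls should be `logger.warning(...)`. The docstring could also say that the method only logs a warning and never fails the build.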
diff --git a/scripts/lib/wic/plugins/imager/direct.py b/scripts/lib/wic/plugins/imager/direct.py
index 7e1c1c03ab..ea709e8c54 100644
--- a/scripts/lib/wic/plugins/imager/direct.py
+++ b/scripts/lib/wic/plugins/imager/direct.py
@@ -54,6 +54,7 @@ class DirectPlugin(ImagerPlugin):
self.native_sysroot = native_sysroot
self.oe_builddir = oe_builddir
+ self.debug = options.debug
self.outdir = options.outdir
self.compressor = options.compressor
self.bmap = options.bmap
@@ -274,8 +275,9 @@ class DirectPlugin(ImagerPlugin):
if os.path.isfile(path):
shutil.move(path, os.path.join(self.outdir, fname))
- # remove work directory
- shutil.rmtree(self.workdir, ignore_errors=True)
+ # remove work directory when it is not in debugging mode
+ if not self.debug:
+ shutil.rmtree(self.workdir, ignore_errors=True)
# Overhead of the MBR partitioning scheme (just one sector)
MBR_OVERHEAD = 1
diff --git a/scripts/oe-pkgdata-util b/scripts/oe-pkgdata-util
index 93220e3617..75dd23efa3 100755
--- a/scripts/oe-pkgdata-util
+++ b/scripts/oe-pkgdata-util
@@ -598,6 +598,9 @@ def main():
logger.error("Unable to find bitbake by searching parent directory of this script or PATH")
sys.exit(1)
logger.debug('Found bitbake path: %s' % bitbakepath)
+ if not os.environ.get('BUILDDIR', ''):
+ logger.error("This script can only be run after initialising the build environment (e.g. by using oe-init-build-env)")
+ sys.exit(1)
tinfoil = tinfoil_init()
try:
args.pkgdata_dir = tinfoil.config_data.getVar('PKGDATA_DIR')
diff --git a/scripts/runqemu b/scripts/runqemu
index e5e66f3453..b80fec1c99 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -1340,6 +1340,8 @@ class BaseConfig(object):
for ovmf in self.ovmf_bios:
format = ovmf.rsplit('.', 1)[-1]
+ if format == "bin":
+ format = "raw"
self.qemu_opt += ' -drive if=pflash,format=%s,file=%s' % (format, ovmf)
self.qemu_opt += ' ' + self.qemu_opt_script
diff --git a/scripts/verify-bashisms b/scripts/verify-bashisms
index fb0cc719ea..14d8c298e9 100755
--- a/scripts/verify-bashisms
+++ b/scripts/verify-bashisms
@@ -100,7 +100,7 @@ if __name__=='__main__':
args = parser.parse_args()
if shutil.which("checkbashisms.pl") is None:
- print("Cannot find checkbashisms.pl on $PATH, get it from https://anonscm.debian.org/cgit/collab-maint/devscripts.git/plain/scripts/checkbashisms.pl")
+ print("Cannot find checkbashisms.pl on $PATH, get it from https://salsa.debian.org/debian/devscripts/raw/master/scripts/checkbashisms.pl")
sys.exit(1)
# The order of defining the worker function,
diff --git a/scripts/yocto-check-layer b/scripts/yocto-check-layer
index b7c83c8b54..deba3cb4f8 100755
--- a/scripts/yocto-check-layer
+++ b/scripts/yocto-check-layer
@@ -138,6 +138,9 @@ def main():
layer['type'] == LayerType.ERROR_BSP_DISTRO:
continue
+ # Reset to a clean backup copy for each run
+ shutil.copyfile(bblayersconf + '.backup', bblayersconf)
+
if check_bblayers(bblayersconf, layer['path'], logger):
logger.info("%s already in %s. To capture initial signatures, layer under test should not present "
"in BBLAYERS. Please remove %s from BBLAYERS." % (layer['name'], bblayersconf, layer['name']))