aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/classes/libc-package.bbclass2
-rw-r--r--meta/classes/rm_work.bbclass8
-rw-r--r--meta/classes/testimage.bbclass12
-rw-r--r--meta/classes/useradd.bbclass4
-rw-r--r--meta/conf/distro/include/maintainers.inc2
-rw-r--r--meta/files/common-licenses/Unlicense24
-rw-r--r--meta/lib/buildstats.py4
-rw-r--r--meta/lib/oeqa/selftest/cases/gotoolchain.py6
-rw-r--r--meta/lib/oeqa/utils/buildproject.py3
-rw-r--r--meta/lib/oeqa/utils/qemurunner.py2
-rw-r--r--meta/lib/oeqa/utils/targetbuild.py4
-rw-r--r--meta/recipes-connectivity/connman/connman.inc2
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2021-28041.patch20
-rw-r--r--meta/recipes-connectivity/openssh/openssh_8.2p1.bb1
-rw-r--r--meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch2
-rw-r--r--meta/recipes-core/systemd/systemd/basic-pass-allocation-info-for-ordered-set-new-and-introd.patch78
-rw-r--r--meta/recipes-core/systemd/systemd/introduce-ordered_set_clear-free-with-destructor.patch35
-rw-r--r--meta/recipes-core/systemd/systemd/network-add-skeleton-of-request-queue.patch285
-rw-r--r--meta/recipes-core/systemd/systemd/network-also-drop-requests-when-link-enters-linger-state.patch50
-rw-r--r--meta/recipes-core/systemd/systemd/network-fix-Link-reference-counter-issue.patch278
-rw-r--r--meta/recipes-core/systemd/systemd/network-merge-link_drop-and-link_detach_from_manager.patch67
-rw-r--r--meta/recipes-core/systemd/systemd_244.5.bb6
-rw-r--r--meta/recipes-devtools/mtd/mtd-utils/0001-mtd-utils-Fix-return-value-of-ubiformat.patch62
-rw-r--r--meta/recipes-devtools/mtd/mtd-utils_git.bb9
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc8
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch164
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch139
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-12829_3.patch47
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch100
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-12829_5.patch266
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-27617.patch49
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch48
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch41
-rw-r--r--meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch25
-rw-r--r--meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch253
-rw-r--r--meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb1
-rw-r--r--meta/recipes-extended/bash/bash.inc5
-rw-r--r--meta/recipes-extended/bzip2/bzip2/Makefile.am2
-rw-r--r--meta/recipes-extended/iputils/iputils/0001-arping-make-update-neighbours-work-again.patch79
-rw-r--r--meta/recipes-extended/iputils/iputils_s20190709.bb1
-rw-r--r--meta/recipes-extended/tar/tar_1.32.bb1
-rw-r--r--meta/recipes-graphics/glew/glew/notempdir.patch19
-rw-r--r--meta/recipes-graphics/glew/glew_2.2.0.bb1
-rw-r--r--meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb6
-rw-r--r--meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb8
-rw-r--r--meta/recipes-kernel/linux/linux-yocto_5.4.bb22
-rw-r--r--meta/recipes-multimedia/libsamplerate/libsamplerate0/shared_version_info.patch13
-rw-r--r--meta/recipes-multimedia/libsamplerate/libsamplerate0_0.1.9.bb1
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch36
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch44
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb2
-rw-r--r--meta/recipes-sato/images/core-image-sato.bb1
-rw-r--r--meta/recipes-support/apr/apr/CVE-2021-35940.patch58
-rw-r--r--meta/recipes-support/apr/apr_1.7.0.bb1
-rw-r--r--meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch86
-rw-r--r--meta/recipes-support/curl/curl/CVE-2021-22946.patch328
-rw-r--r--meta/recipes-support/curl/curl/CVE-2021-22947.patch352
-rw-r--r--meta/recipes-support/curl/curl_7.69.1.bb5
-rw-r--r--meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch109
-rw-r--r--meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb1
-rw-r--r--meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb2
-rw-r--r--meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch215
-rw-r--r--meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch53
-rw-r--r--meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch122
-rw-r--r--meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch48
-rw-r--r--meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch53
-rw-r--r--meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch277
-rw-r--r--meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch163
-rw-r--r--meta/recipes-support/nettle/nettle_3.5.1.bb7
-rw-r--r--meta/recipes-support/vim/files/CVE-2021-3778.patch49
-rw-r--r--meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch207
-rw-r--r--meta/recipes-support/vim/vim.inc3
-rw-r--r--scripts/lib/wic/partition.py2
-rw-r--r--scripts/pybootchartgui/pybootchartgui/draw.py5
74 files changed, 4379 insertions, 115 deletions
diff --git a/meta/classes/libc-package.bbclass b/meta/classes/libc-package.bbclass
index de3b4250c7..1143f538d6 100644
--- a/meta/classes/libc-package.bbclass
+++ b/meta/classes/libc-package.bbclass
@@ -355,7 +355,7 @@ python package_do_split_gconvs () {
m.write("\t@echo 'Progress %d/%d'\n" % (i, total))
m.write("\t" + makerecipe + "\n\n")
d.setVar("EXTRA_OEMAKE", "-C %s ${PARALLEL_MAKE}" % (os.path.dirname(makefile)))
- d.setVarFlag("oe_runmake", "progress", "outof:Progress\s(\d+)/(\d+)")
+ d.setVarFlag("oe_runmake", "progress", r"outof:Progress\s(\d+)/(\d+)")
bb.note("Executing binary locale generation makefile")
bb.build.exec_func("oe_runmake", d)
bb.note("collecting binary locales from locale tree")
diff --git a/meta/classes/rm_work.bbclass b/meta/classes/rm_work.bbclass
index 01c2ab1c78..2d5a56c238 100644
--- a/meta/classes/rm_work.bbclass
+++ b/meta/classes/rm_work.bbclass
@@ -73,7 +73,7 @@ do_rm_work () {
# sstate version since otherwise we'd need to leave 'plaindirs' around
# such as 'packages' and 'packages-split' and these can be large. No end
# of chain tasks depend directly on do_package anymore.
- rm -f $i;
+ rm -f -- $i;
;;
*_setscene*)
# Skip stamps which are already setscene versions
@@ -90,7 +90,7 @@ do_rm_work () {
;;
esac
done
- rm -f $i
+ rm -f -- $i
esac
done
@@ -100,9 +100,9 @@ do_rm_work () {
# Retain only logs and other files in temp, safely ignore
# failures of removing pseudo folers on NFS2/3 server.
if [ $dir = 'pseudo' ]; then
- rm -rf $dir 2> /dev/null || true
+ rm -rf -- $dir 2> /dev/null || true
elif ! echo "$excludes" | grep -q -w "$dir"; then
- rm -rf $dir
+ rm -rf -- $dir
fi
done
}
diff --git a/meta/classes/testimage.bbclass b/meta/classes/testimage.bbclass
index c709384b91..db1d54e5cb 100644
--- a/meta/classes/testimage.bbclass
+++ b/meta/classes/testimage.bbclass
@@ -193,6 +193,7 @@ def testimage_main(d):
import json
import signal
import logging
+ import shutil
from bb.utils import export_proxies
from oeqa.core.utils.misc import updateTestData
@@ -397,10 +398,17 @@ def testimage_main(d):
get_testimage_result_id(configuration),
dump_streams=d.getVar('TESTREPORT_FULLLOGS'))
results.logSummary(pn)
+
+ # Copy additional logs to tmp/log/oeqa so it's easier to find them
+ targetdir = os.path.join(get_testimage_json_result_dir(d), d.getVar("PN"))
+ os.makedirs(targetdir, exist_ok=True)
+ os.symlink(bootlog, os.path.join(targetdir, os.path.basename(bootlog)))
+ os.symlink(d.getVar("BB_LOGFILE"), os.path.join(targetdir, os.path.basename(d.getVar("BB_LOGFILE") + "." + d.getVar('DATETIME'))))
+
if not results or not complete:
- bb.fatal('%s - FAILED - tests were interrupted during execution' % pn, forcelog=True)
+ bb.fatal('%s - FAILED - tests were interrupted during execution, check the logs in %s' % (pn, d.getVar("LOG_DIR")), forcelog=True)
if not results.wasSuccessful():
- bb.fatal('%s - FAILED - check the task log and the ssh log' % pn, forcelog=True)
+ bb.fatal('%s - FAILED - also check the logs in %s' % (pn, d.getVar("LOG_DIR")), forcelog=True)
def get_runtime_paths(d):
"""
diff --git a/meta/classes/useradd.bbclass b/meta/classes/useradd.bbclass
index e5f3ba24f9..0f0ed3446d 100644
--- a/meta/classes/useradd.bbclass
+++ b/meta/classes/useradd.bbclass
@@ -230,6 +230,10 @@ fakeroot python populate_packages_prepend () {
preinst += 'perform_useradd () {\n%s}\n' % d.getVar('perform_useradd')
preinst += 'perform_groupmems () {\n%s}\n' % d.getVar('perform_groupmems')
preinst += d.getVar('useradd_preinst')
+ # Expand out the *_PARAM variables to the package specific versions
+ for rep in ["GROUPADD_PARAM", "USERADD_PARAM", "GROUPMEMS_PARAM"]:
+ val = d.getVar(rep + "_" + pkg) or ""
+ preinst = preinst.replace("${" + rep + "}", val)
d.setVar('pkg_preinst_%s' % pkg, preinst)
# RDEPENDS setup
diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index ef1e7fe2f4..895cf89487 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -4,7 +4,7 @@
#
# Please submit any patches against recipes in meta to the
# OE-Core mail list (openembedded-core@lists.openembedded.org)
-# For recipes in meta-yocto please use the Poky list (poky@yoctoproject.org)
+# For recipes in meta-yocto please use the Poky list (poky@lists.yoctoproject.org)
#
# If you have problems with or questions about a particular recipe, feel
# free to contact the maintainer directly (cc:ing the appropriate mailing list
diff --git a/meta/files/common-licenses/Unlicense b/meta/files/common-licenses/Unlicense
new file mode 100644
index 0000000000..68a49daad8
--- /dev/null
+++ b/meta/files/common-licenses/Unlicense
@@ -0,0 +1,24 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <http://unlicense.org/>
diff --git a/meta/lib/buildstats.py b/meta/lib/buildstats.py
index 8627ed3c31..c52b6c3b72 100644
--- a/meta/lib/buildstats.py
+++ b/meta/lib/buildstats.py
@@ -43,8 +43,8 @@ class SystemStats:
# depends on the heartbeat event, which fires less often.
self.min_seconds = 1
- self.meminfo_regex = re.compile(b'^(MemTotal|MemFree|Buffers|Cached|SwapTotal|SwapFree):\s*(\d+)')
- self.diskstats_regex = re.compile(b'^([hsv]d.|mtdblock\d|mmcblk\d|cciss/c\d+d\d+.*)$')
+ self.meminfo_regex = re.compile(rb'^(MemTotal|MemFree|Buffers|Cached|SwapTotal|SwapFree):\s*(\d+)')
+ self.diskstats_regex = re.compile(rb'^([hsv]d.|mtdblock\d|mmcblk\d|cciss/c\d+d\d+.*)$')
self.diskstats_ltime = None
self.diskstats_data = None
self.stat_ltimes = None
diff --git a/meta/lib/oeqa/selftest/cases/gotoolchain.py b/meta/lib/oeqa/selftest/cases/gotoolchain.py
index 3119520f0d..59f80aad28 100644
--- a/meta/lib/oeqa/selftest/cases/gotoolchain.py
+++ b/meta/lib/oeqa/selftest/cases/gotoolchain.py
@@ -43,6 +43,12 @@ class oeGoToolchainSelfTest(OESelftestTestCase):
@classmethod
def tearDownClass(cls):
+ # Go creates file which are readonly
+ for dirpath, dirnames, filenames in os.walk(cls.tmpdir_SDKQA):
+ for filename in filenames + dirnames:
+ f = os.path.join(dirpath, filename)
+ if not os.path.islink(f):
+ os.chmod(f, 0o775)
shutil.rmtree(cls.tmpdir_SDKQA, ignore_errors=True)
super(oeGoToolchainSelfTest, cls).tearDownClass()
diff --git a/meta/lib/oeqa/utils/buildproject.py b/meta/lib/oeqa/utils/buildproject.py
index e6d80cc8dc..dfb9661868 100644
--- a/meta/lib/oeqa/utils/buildproject.py
+++ b/meta/lib/oeqa/utils/buildproject.py
@@ -18,6 +18,7 @@ class BuildProject(metaclass=ABCMeta):
def __init__(self, uri, foldername=None, tmpdir=None, dl_dir=None):
self.uri = uri
self.archive = os.path.basename(uri)
+ self.tempdirobj = None
if not tmpdir:
self.tempdirobj = tempfile.TemporaryDirectory(prefix='buildproject-')
tmpdir = self.tempdirobj.name
@@ -57,6 +58,8 @@ class BuildProject(metaclass=ABCMeta):
return self._run('cd %s; make install %s' % (self.targetdir, install_args))
def clean(self):
+ if self.tempdirobj:
+ self.tempdirobj.cleanup()
if not self.needclean:
return
self._run('rm -rf %s' % self.targetdir)
diff --git a/meta/lib/oeqa/utils/qemurunner.py b/meta/lib/oeqa/utils/qemurunner.py
index f7e5a3b3a6..de0dff3ff0 100644
--- a/meta/lib/oeqa/utils/qemurunner.py
+++ b/meta/lib/oeqa/utils/qemurunner.py
@@ -234,7 +234,7 @@ class QemuRunner:
r = os.fdopen(r)
x = r.read()
os.killpg(os.getpgid(self.runqemu.pid), signal.SIGTERM)
- sys.exit(0)
+ os._exit(0)
self.logger.debug("runqemu started, pid is %s" % self.runqemu.pid)
self.logger.debug("waiting at most %s seconds for qemu pid (%s)" %
diff --git a/meta/lib/oeqa/utils/targetbuild.py b/meta/lib/oeqa/utils/targetbuild.py
index 1055810ca3..09738add1d 100644
--- a/meta/lib/oeqa/utils/targetbuild.py
+++ b/meta/lib/oeqa/utils/targetbuild.py
@@ -19,6 +19,7 @@ class BuildProject(metaclass=ABCMeta):
self.d = d
self.uri = uri
self.archive = os.path.basename(uri)
+ self.tempdirobj = None
if not tmpdir:
tmpdir = self.d.getVar('WORKDIR')
if not tmpdir:
@@ -71,9 +72,10 @@ class BuildProject(metaclass=ABCMeta):
return self._run('cd %s; make install %s' % (self.targetdir, install_args))
def clean(self):
+ if self.tempdirobj:
+ self.tempdirobj.cleanup()
self._run('rm -rf %s' % self.targetdir)
subprocess.check_call('rm -f %s' % self.localarchive, shell=True)
- pass
class TargetBuildProject(BuildProject):
diff --git a/meta/recipes-connectivity/connman/connman.inc b/meta/recipes-connectivity/connman/connman.inc
index 55e5bf97c7..c495ae29ad 100644
--- a/meta/recipes-connectivity/connman/connman.inc
+++ b/meta/recipes-connectivity/connman/connman.inc
@@ -15,6 +15,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
inherit autotools pkgconfig systemd update-rc.d update-alternatives
+CVE_PRODUCT = "connman connection_manager"
+
DEPENDS = "dbus glib-2.0 ppp"
INC_PR = "r20"
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-28041.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2021-28041.patch
new file mode 100644
index 0000000000..9fd7e932d1
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-28041.patch
@@ -0,0 +1,20 @@
+Description: fix double-free memory corruption in ssh-agent
+Author: Marc Deslauriers <marc.deslauriers@canonical.com>
+Origin: minimal fix for https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2021-28041
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_8.2p1-4ubuntu0.3.debian.tar.xz]
+Comment: No change in any hunk
+
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -496,6 +496,7 @@ process_add_identity(SocketEntry *e)
+ goto err;
+ }
+ free(ext_name);
++ ext_name = NULL;
+ break;
+ default:
+ error("%s: Unknown constraint %d", __func__, ctype);
diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
index 64a0a72a8f..5f03bdc877 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
@@ -25,6 +25,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://sshd_check_keys \
file://add-test-support-for-busybox.patch \
file://CVE-2020-14145.patch \
+ file://CVE-2021-28041.patch \
"
SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
diff --git a/meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch b/meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch
index 52986e61c7..d1835c7a10 100644
--- a/meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch
+++ b/meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch
@@ -400,7 +400,7 @@ Index: ldconfig-native-2.12.1/ldconfig.c
return 0;
}
-+#define REPORT_BUGS_TO "mailing list : poky@yoctoproject.org"
++#define REPORT_BUGS_TO "mailing list : poky@lists.yoctoproject.org"
/* Print bug-reporting information in the help message. */
static char *
more_help (int key, const char *text, void *input)
diff --git a/meta/recipes-core/systemd/systemd/basic-pass-allocation-info-for-ordered-set-new-and-introd.patch b/meta/recipes-core/systemd/systemd/basic-pass-allocation-info-for-ordered-set-new-and-introd.patch
new file mode 100644
index 0000000000..86d9b0499a
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/basic-pass-allocation-info-for-ordered-set-new-and-introd.patch
@@ -0,0 +1,78 @@
+From 1f25c71d9d0b5fe6cf383c347dcebc2443a99fe1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 1 Sep 2020 12:42:35 +0200
+Subject: [PATCH] basic: pass allocation info for ordered_set_new() and
+ introduce ordered_set_ensure_put()
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/1f25c71d9d0b5fe6cf383c347dcebc2443a99fe1]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/basic/ordered-set.c | 21 +++++++++++++++++++++
+ src/basic/ordered-set.h | 18 +++++++-----------
+ 2 files changed, 28 insertions(+), 11 deletions(-)
+
+diff --git a/src/basic/ordered-set.c b/src/basic/ordered-set.c
+index 7fdb47e064..fb82c17b5a 100644
+--- a/src/basic/ordered-set.c
++++ b/src/basic/ordered-set.c
+@@ -4,6 +4,27 @@
+ #include "ordered-set.h"
+ #include "strv.h"
+
++int _ordered_set_ensure_allocated(OrderedSet **s, const struct hash_ops *ops HASHMAP_DEBUG_PARAMS) {
++ if (*s)
++ return 0;
++
++ *s = _ordered_set_new(ops HASHMAP_DEBUG_PASS_ARGS);
++ if (!*s)
++ return -ENOMEM;
++
++ return 0;
++}
++
++int _ordered_set_ensure_put(OrderedSet **s, const struct hash_ops *ops, void *p HASHMAP_DEBUG_PARAMS) {
++ int r;
++
++ r = _ordered_set_ensure_allocated(s, ops HASHMAP_DEBUG_PASS_ARGS);
++ if (r < 0)
++ return r;
++
++ return ordered_set_put(*s, p);
++}
++
+ int ordered_set_consume(OrderedSet *s, void *p) {
+ int r;
+
+diff --git a/src/basic/ordered-set.h b/src/basic/ordered-set.h
+index a42a57eb49..2c241a808b 100644
+--- a/src/basic/ordered-set.h
++++ b/src/basic/ordered-set.h
+@@ -7,20 +7,16 @@
+
+ typedef struct OrderedSet OrderedSet;
+
+-static inline OrderedSet* ordered_set_new(const struct hash_ops *ops) {
+- return (OrderedSet*) ordered_hashmap_new(ops);
++static inline OrderedSet* _ordered_set_new(const struct hash_ops *ops HASHMAP_DEBUG_PARAMS) {
++ return (OrderedSet*) internal_ordered_hashmap_new(ops HASHMAP_DEBUG_PASS_ARGS);
+ }
++#define ordered_set_new(ops) _ordered_set_new(ops HASHMAP_DEBUG_SRC_ARGS)
+
+-static inline int ordered_set_ensure_allocated(OrderedSet **s, const struct hash_ops *ops) {
+- if (*s)
+- return 0;
++int _ordered_set_ensure_allocated(OrderedSet **s, const struct hash_ops *ops HASHMAP_DEBUG_PARAMS);
++#define ordered_set_ensure_allocated(s, ops) _ordered_set_ensure_allocated(s, ops HASHMAP_DEBUG_SRC_ARGS)
+
+- *s = ordered_set_new(ops);
+- if (!*s)
+- return -ENOMEM;
+-
+- return 0;
+-}
++int _ordered_set_ensure_put(OrderedSet **s, const struct hash_ops *ops, void *p HASHMAP_DEBUG_PARAMS);
++#define ordered_set_ensure_put(s, hash_ops, key) _ordered_set_ensure_put(s, hash_ops, key HASHMAP_DEBUG_SRC_ARGS)
+
+ static inline OrderedSet* ordered_set_free(OrderedSet *s) {
+ return (OrderedSet*) ordered_hashmap_free((OrderedHashmap*) s);
diff --git a/meta/recipes-core/systemd/systemd/introduce-ordered_set_clear-free-with-destructor.patch b/meta/recipes-core/systemd/systemd/introduce-ordered_set_clear-free-with-destructor.patch
new file mode 100644
index 0000000000..42b6e05b55
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/introduce-ordered_set_clear-free-with-destructor.patch
@@ -0,0 +1,35 @@
+From d38a6476aad3f2cc80a2a4bc11f3898cc06a70f5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Mon, 26 Apr 2021 23:52:40 +0900
+Subject: [PATCH] ordered-set: introduce
+ ordered_set_clear/free_with_destructor()
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/d38a6476aad3f2cc80a2a4bc11f3898cc06a70f5]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/basic/ordered-set.h | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/basic/ordered-set.h b/src/basic/ordered-set.h
+index a377f20b1f..64df41766f 100644
+--- a/src/basic/ordered-set.h
++++ b/src/basic/ordered-set.h
+@@ -63,6 +63,17 @@ void ordered_set_print(FILE *f, const char *field, OrderedSet *s);
+ #define ORDERED_SET_FOREACH(e, s, i) \
+ for ((i) = ITERATOR_FIRST; ordered_set_iterate((s), &(i), (void**)&(e)); )
+
++#define ordered_set_clear_with_destructor(s, f) \
++ ({ \
++ OrderedSet *_s = (s); \
++ void *_item; \
++ while ((_item = ordered_set_steal_first(_s))) \
++ f(_item); \
++ _s; \
++ })
++#define ordered_set_free_with_destructor(s, f) \
++ ordered_set_free(ordered_set_clear_with_destructor(s, f))
++
+ DEFINE_TRIVIAL_CLEANUP_FUNC(OrderedSet*, ordered_set_free);
+ DEFINE_TRIVIAL_CLEANUP_FUNC(OrderedSet*, ordered_set_free_free);
+
diff --git a/meta/recipes-core/systemd/systemd/network-add-skeleton-of-request-queue.patch b/meta/recipes-core/systemd/systemd/network-add-skeleton-of-request-queue.patch
new file mode 100644
index 0000000000..06c523834d
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/network-add-skeleton-of-request-queue.patch
@@ -0,0 +1,285 @@
+From 19d9a5adf0c1a6b5a243eea0390f6f6526d569de Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Fri, 7 May 2021 15:39:16 +0900
+Subject: [PATCH] network: add skeleton of request queue
+
+This will be used in later commits.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/19d9a5adf0c1a6b5a243eea0390f6f6526d569de]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/network/meson.build | 2 +
+ src/network/networkd-link.c | 20 +++++-
+ src/network/networkd-manager.c | 7 ++
+ src/network/networkd-manager.h | 2 +
+ src/network/networkd-queue.c | 121 +++++++++++++++++++++++++++++++++
+ src/network/networkd-queue.h | 42 ++++++++++++
+ 6 files changed, 192 insertions(+), 2 deletions(-)
+ create mode 100644 src/network/networkd-queue.c
+ create mode 100644 src/network/networkd-queue.h
+
+diff --git a/src/network/meson.build b/src/network/meson.build
+index 4fca3106dc..a8b9232e64 100644
+--- a/src/network/meson.build
++++ b/src/network/meson.build
+@@ -105,6 +105,8 @@ sources = files('''
+ networkd-network.h
+ networkd-nexthop.c
+ networkd-nexthop.h
++ networkd-queue.c
++ networkd-queue.h
+ networkd-route.c
+ networkd-route.h
+ networkd-routing-policy-rule.c
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 34359b2541..2f33305a27 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -30,6 +30,7 @@
+ #include "networkd-manager.h"
+ #include "networkd-ndisc.h"
+ #include "networkd-neighbor.h"
++#include "networkd-queue.h"
+ #include "networkd-radv.h"
+ #include "networkd-routing-policy-rule.h"
+ #include "networkd-wifi.h"
+
+@@ -2232,6 +2244,8 @@ static int link_reconfigure_internal(Link *link, sd_netlink_message *m, bool for
+ if (r < 0)
+ return r;
+
++ link_drop_requests(link);
++
+ r = link_drop_config(link);
+ if (r < 0)
+ return r;
+@@ -2664,6 +2678,8 @@ static int link_carrier_lost(Link *link) {
+ return r;
+ }
+
++ link_drop_requests(link);
++
+ r = link_drop_config(link);
+ if (r < 0)
+ return r;
+diff --git a/src/network/networkd-manager.c b/src/network/networkd-manager.c
+index 562ce5ca54..fd576169a9 100644
+--- a/src/network/networkd-manager.c
++++ b/src/network/networkd-manager.c
+@@ -34,6 +34,7 @@
+ #include "networkd-manager-bus.h"
+ #include "networkd-manager.h"
+ #include "networkd-network-bus.h"
++#include "networkd-queue.h"
+ #include "networkd-speed-meter.h"
+ #include "ordered-set.h"
+ #include "path-util.h"
+@@ -406,6 +407,10 @@ int manager_new(Manager **ret) {
+ if (r < 0)
+ return r;
+
++ r = sd_event_add_post(m->event, NULL, manager_process_requests, m);
++ if (r < 0)
++ return r;
++
+ r = manager_connect_rtnl(m);
+ if (r < 0)
+ return r;
+@@ -446,6 +451,8 @@ Manager* manager_free(Manager *m) {
+
+ free(m->state_file);
+
++ m->request_queue = ordered_set_free_with_destructor(m->request_queue, request_free);
++
+ while ((a = hashmap_first_key(m->dhcp6_prefixes)))
+ (void) dhcp6_prefix_remove(m, a);
+ m->dhcp6_prefixes = hashmap_free(m->dhcp6_prefixes);
+diff --git a/src/network/networkd-manager.h b/src/network/networkd-manager.h
+index 301b97c1a1..26e8802871 100644
+--- a/src/network/networkd-manager.h
++++ b/src/network/networkd-manager.h
+@@ -91,6 +91,8 @@ struct Manager {
+ usec_t speed_meter_usec_old;
+
+ bool dhcp4_prefix_root_cannot_set_table;
++
++ OrderedSet *request_queue;
+ };
+
+ int manager_new(Manager **ret);
+diff --git a/src/network/networkd-queue.c b/src/network/networkd-queue.c
+new file mode 100644
+index 0000000000..24bb2c845d
+--- /dev/null
++++ b/src/network/networkd-queue.c
+@@ -0,0 +1,121 @@
++/* SPDX-License-Identifier: LGPL-2.1-or-later */
++
++#include "networkd-address.h"
++#include "networkd-manager.h"
++#include "networkd-neighbor.h"
++#include "networkd-nexthop.h"
++#include "networkd-route.h"
++#include "networkd-routing-policy-rule.h"
++#include "networkd-queue.h"
++
++static void request_free_object(RequestType type, void *object) {
++ switch(type) {
++ default:
++ assert_not_reached("invalid request type.");
++ }
++}
++
++Request *request_free(Request *req) {
++ if (!req)
++ return NULL;
++
++ if (req->on_free)
++ req->on_free(req);
++ if (req->consume_object)
++ request_free_object(req->type, req->object);
++ if (req->link && req->link->manager)
++ ordered_set_remove(req->link->manager->request_queue, req);
++ link_unref(req->link);
++
++ return mfree(req);
++}
++
++DEFINE_TRIVIAL_CLEANUP_FUNC(Request*, request_free);
++
++void request_drop(Request *req) {
++ if (req->message_counter)
++ (*req->message_counter)--;
++
++ request_free(req);
++}
++
++int link_queue_request(
++ Link *link,
++ RequestType type,
++ void *object,
++ bool consume_object,
++ unsigned *message_counter,
++ link_netlink_message_handler_t netlink_handler,
++ Request **ret) {
++
++ _cleanup_(request_freep) Request *req = NULL;
++ int r;
++
++ assert(link);
++ assert(link->manager);
++ assert(type >= 0 && type < _REQUEST_TYPE_MAX);
++ assert(object);
++ assert(netlink_handler);
++
++ req = new(Request, 1);
++ if (!req) {
++ if (consume_object)
++ request_free_object(type, object);
++ return -ENOMEM;
++ }
++
++ *req = (Request) {
++ .link = link,
++ .type = type,
++ .object = object,
++ .consume_object = consume_object,
++ .message_counter = message_counter,
++ .netlink_handler = netlink_handler,
++ };
++
++ link_ref(link);
++
++ r = ordered_set_ensure_put(&link->manager->request_queue, NULL, req);
++ if (r < 0)
++ return r;
++
++ if (req->message_counter)
++ (*req->message_counter)++;
++
++ if (ret)
++ *ret = req;
++
++ TAKE_PTR(req);
++ return 0;
++}
++
++int manager_process_requests(sd_event_source *s, void *userdata) {
++ Manager *manager = userdata;
++ int r;
++
++ assert(manager);
++
++ for (;;) {
++ bool processed = false;
++ Request *req;
++ Iterator i;
++ ORDERED_SET_FOREACH(req, manager->request_queue, i) {
++ switch(req->type) {
++ default:
++ return -EINVAL;
++ }
++ if (r < 0)
++ link_enter_failed(req->link);
++ if (r > 0) {
++ ordered_set_remove(manager->request_queue, req);
++ request_free(req);
++ processed = true;
++ }
++ }
++
++ if (!processed)
++ break;
++ }
++
++ return 0;
++}
+diff --git a/src/network/networkd-queue.h b/src/network/networkd-queue.h
+new file mode 100644
+index 0000000000..4558ae548f
+--- /dev/null
++++ b/src/network/networkd-queue.h
+@@ -0,0 +1,42 @@
++/* SPDX-License-Identifier: LGPL-2.1-or-later */
++#pragma once
++
++#include "sd-event.h"
++
++#include "networkd-link.h"
++
++typedef struct Request Request;
++
++typedef int (*request_after_configure_handler_t)(Request*, void*);
++typedef void (*request_on_free_handler_t)(Request*);
++
++typedef enum RequestType {
++ _REQUEST_TYPE_MAX,
++ _REQUEST_TYPE_INVALID = -EINVAL,
++} RequestType;
++
++typedef struct Request {
++ Link *link;
++ RequestType type;
++ bool consume_object;
++ void *object;
++ void *userdata;
++ unsigned *message_counter;
++ link_netlink_message_handler_t netlink_handler;
++ request_after_configure_handler_t after_configure;
++ request_on_free_handler_t on_free;
++} Request;
++
++Request *request_free(Request *req);
++void request_drop(Request *req);
++
++int link_queue_request(
++ Link *link,
++ RequestType type,
++ void *object,
++ bool consume_object,
++ unsigned *message_counter,
++ link_netlink_message_handler_t netlink_handler,
++ Request **ret);
++
++int manager_process_requests(sd_event_source *s, void *userdata);
diff --git a/meta/recipes-core/systemd/systemd/network-also-drop-requests-when-link-enters-linger-state.patch b/meta/recipes-core/systemd/systemd/network-also-drop-requests-when-link-enters-linger-state.patch
new file mode 100644
index 0000000000..4c402e7e55
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/network-also-drop-requests-when-link-enters-linger-state.patch
@@ -0,0 +1,50 @@
+From 56001f023305ea99329e27141d6e6067596491a9 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Mon, 17 May 2021 15:32:57 +0900
+Subject: [PATCH] network: also drop requests when link enters linger state
+
+Otherwise, if link is removed, several references to the link in remain
+exist in requests.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/56001f023305ea99329e27141d6e6067596491a9]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/network/networkd-link.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 67d01ac44d..b56c232eca 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -1771,6 +1771,18 @@ static void link_drop_from_master(Link *link, NetDev *netdev) {
+ link_unref(set_remove(master->slaves, link));
+ }
+
++static void link_drop_requests(Link *link) {
++ Request *req;
++ Iterator i;
++
++ assert(link);
++ assert(link->manager);
++
++ ORDERED_SET_FOREACH(req, link->manager->request_queue, i)
++ if (req->link == link)
++ request_drop(req);
++}
++
+ void link_drop(Link *link) {
+ if (!link)
+ return;
+@@ -1782,6 +1793,8 @@ void link_drop(Link *link) {
+ /* Drop all references from other links and manager. Note that async netlink calls may have
+ * references to the link, and they will be dropped when we receive replies. */
+
++ link_drop_requests(link);
++
+ link_free_carrier_maps(link);
+
+ if (link->network) {
+--
+2.17.1
+
diff --git a/meta/recipes-core/systemd/systemd/network-fix-Link-reference-counter-issue.patch b/meta/recipes-core/systemd/systemd/network-fix-Link-reference-counter-issue.patch
new file mode 100644
index 0000000000..a186bb4095
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/network-fix-Link-reference-counter-issue.patch
@@ -0,0 +1,278 @@
+From cc2d7efc5ca09a7de4bec55e80476986839a655c Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Fri, 14 May 2021 15:58:15 +0900
+Subject: [PATCH] network: fix Link reference counter issue
+
+Previously, when link_new() fails, `link_unref()` was called, so,
+`Manager::links` may become dirty.
+This introduces `link_drop_or_unref()` and it will be called on
+failure.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/cc2d7efc5ca09a7de4bec55e80476986839a655c]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/network/networkd-link.c | 240 ++++++++++++++++++------------------
+ 1 file changed, 122 insertions(+), 118 deletions(-)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index b56c232eca..d493afda4c 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -540,109 +540,6 @@ static int link_update_flags(Link *link,
+ return 0;
+ }
+
+-static int link_new(Manager *manager, sd_netlink_message *message, Link **ret) {
+- _cleanup_(link_unrefp) Link *link = NULL;
+- uint16_t type;
+- const char *ifname, *kind = NULL;
+- int r, ifindex;
+- unsigned short iftype;
+-
+- assert(manager);
+- assert(message);
+- assert(ret);
+-
+- /* check for link kind */
+- r = sd_netlink_message_enter_container(message, IFLA_LINKINFO);
+- if (r == 0) {
+- (void) sd_netlink_message_read_string(message, IFLA_INFO_KIND, &kind);
+- r = sd_netlink_message_exit_container(message);
+- if (r < 0)
+- return r;
+- }
+-
+- r = sd_netlink_message_get_type(message, &type);
+- if (r < 0)
+- return r;
+- else if (type != RTM_NEWLINK)
+- return -EINVAL;
+-
+- r = sd_rtnl_message_link_get_ifindex(message, &ifindex);
+- if (r < 0)
+- return r;
+- else if (ifindex <= 0)
+- return -EINVAL;
+-
+- r = sd_rtnl_message_link_get_type(message, &iftype);
+- if (r < 0)
+- return r;
+-
+- r = sd_netlink_message_read_string(message, IFLA_IFNAME, &ifname);
+- if (r < 0)
+- return r;
+-
+- link = new(Link, 1);
+- if (!link)
+- return -ENOMEM;
+-
+- *link = (Link) {
+- .n_ref = 1,
+- .manager = manager,
+- .state = LINK_STATE_PENDING,
+- .ifindex = ifindex,
+- .iftype = iftype,
+-
+- .n_dns = (unsigned) -1,
+- .dns_default_route = -1,
+- .llmnr = _RESOLVE_SUPPORT_INVALID,
+- .mdns = _RESOLVE_SUPPORT_INVALID,
+- .dnssec_mode = _DNSSEC_MODE_INVALID,
+- .dns_over_tls_mode = _DNS_OVER_TLS_MODE_INVALID,
+- };
+-
+- link->ifname = strdup(ifname);
+- if (!link->ifname)
+- return -ENOMEM;
+-
+- if (kind) {
+- link->kind = strdup(kind);
+- if (!link->kind)
+- return -ENOMEM;
+- }
+-
+- r = sd_netlink_message_read_u32(message, IFLA_MASTER, (uint32_t *)&link->master_ifindex);
+- if (r < 0)
+- log_link_debug_errno(link, r, "New device has no master, continuing without");
+-
+- r = sd_netlink_message_read_ether_addr(message, IFLA_ADDRESS, &link->mac);
+- if (r < 0)
+- log_link_debug_errno(link, r, "MAC address not found for new device, continuing without");
+-
+- if (asprintf(&link->state_file, "/run/systemd/netif/links/%d", link->ifindex) < 0)
+- return -ENOMEM;
+-
+- if (asprintf(&link->lease_file, "/run/systemd/netif/leases/%d", link->ifindex) < 0)
+- return -ENOMEM;
+-
+- if (asprintf(&link->lldp_file, "/run/systemd/netif/lldp/%d", link->ifindex) < 0)
+- return -ENOMEM;
+-
+- r = hashmap_ensure_allocated(&manager->links, NULL);
+- if (r < 0)
+- return r;
+-
+- r = hashmap_put(manager->links, INT_TO_PTR(link->ifindex), link);
+- if (r < 0)
+- return r;
+-
+- r = link_update_flags(link, message, false);
+- if (r < 0)
+- return r;
+-
+- *ret = TAKE_PTR(link);
+-
+- return 0;
+-}
+-
+ void link_ntp_settings_clear(Link *link) {
+ link->ntp = strv_free(link->ntp);
+ }
+@@ -2030,9 +1927,9 @@ static void link_drop_requests(Link *lin
+ request_drop(req);
+ }
+
+-void link_drop(Link *link) {
++Link *link_drop(Link *link) {
+ if (!link)
+- return;
++ return NULL;
+
+ assert(link->manager);
+
+@@ -2057,7 +1954,7 @@ void link_drop(Link *link) {
+
+ /* The following must be called at last. */
+ assert_se(hashmap_remove(link->manager->links, INT_TO_PTR(link->ifindex)) == link);
+- link_unref(link);
++ return link_unref(link);
+ }
+
+ static int link_joined(Link *link) {
+@@ -3295,6 +3192,112 @@ ipv4ll_address_fail:
+
+ return 0;
+ }
++
++static Link *link_drop_or_unref(Link *link) {
++ if (!link)
++ return NULL;
++ if (!link->manager)
++ return link_unref(link);
++ return link_drop(link);
++}
++
++DEFINE_TRIVIAL_CLEANUP_FUNC(Link*, link_drop_or_unref);
++
++static int link_new(Manager *manager, sd_netlink_message *message, Link **ret) {
++ _cleanup_(link_drop_or_unrefp) Link *link = NULL;
++ uint16_t type;
++ _cleanup_free_ char *ifname = NULL, *kind = NULL;
++ int r, ifindex;
++ unsigned short iftype;
++
++ assert(manager);
++ assert(message);
++ assert(ret);
++
++ r = sd_netlink_message_get_type(message, &type);
++ if (r < 0)
++ return r;
++ else if (type != RTM_NEWLINK)
++ return -EINVAL;
++
++ r = sd_rtnl_message_link_get_ifindex(message, &ifindex);
++ if (r < 0)
++ return r;
++ else if (ifindex <= 0)
++ return -EINVAL;
++
++ r = sd_rtnl_message_link_get_type(message, &iftype);
++ if (r < 0)
++ return r;
++
++ r = sd_netlink_message_read_string_strdup(message, IFLA_IFNAME, &ifname);
++ if (r < 0)
++ return r;
++
++ /* check for link kind */
++ r = sd_netlink_message_enter_container(message, IFLA_LINKINFO);
++ if (r >= 0) {
++ (void) sd_netlink_message_read_string_strdup(message, IFLA_INFO_KIND, &kind);
++ r = sd_netlink_message_exit_container(message);
++ if (r < 0)
++ return r;
++ }
++
++ link = new(Link, 1);
++ if (!link)
++ return -ENOMEM;
++
++ *link = (Link) {
++ .n_ref = 1,
++ .state = LINK_STATE_PENDING,
++ .ifindex = ifindex,
++ .iftype = iftype,
++ .ifname = TAKE_PTR(ifname),
++ .kind = TAKE_PTR(kind),
++
++ .n_dns = (unsigned) -1,
++ .dns_default_route = -1,
++ .llmnr = _RESOLVE_SUPPORT_INVALID,
++ .mdns = _RESOLVE_SUPPORT_INVALID,
++ .dnssec_mode = _DNSSEC_MODE_INVALID,
++ .dns_over_tls_mode = _DNS_OVER_TLS_MODE_INVALID,
++ };
++
++ r = hashmap_ensure_allocated(&manager->links, NULL);
++ if (r < 0)
++ return r;
++
++ r = hashmap_put(manager->links, INT_TO_PTR(link->ifindex), link);
++ if (r < 0)
++ return r;
++
++ link->manager = manager;
++
++ r = sd_netlink_message_read_u32(message, IFLA_MASTER, (uint32_t*) &link->master_ifindex);
++ if (r < 0)
++ log_link_debug_errno(link, r, "New device has no master, continuing without");
++
++ r = sd_netlink_message_read_ether_addr(message, IFLA_ADDRESS, &link->mac);
++ if (r < 0)
++ log_link_debug_errno(link, r, "MAC address not found for new device, continuing without");
++
++ if (asprintf(&link->state_file, "/run/systemd/netif/links/%d", link->ifindex) < 0)
++ return -ENOMEM;
++
++ if (asprintf(&link->lease_file, "/run/systemd/netif/leases/%d", link->ifindex) < 0)
++ return -ENOMEM;
++
++ if (asprintf(&link->lldp_file, "/run/systemd/netif/lldp/%d", link->ifindex) < 0)
++ return -ENOMEM;
++
++ r = link_update_flags(link, message, false);
++ if (r < 0)
++ return r;
++
++ *ret = TAKE_PTR(link);
++
++ return 0;
++}
+
+ int link_add(Manager *m, sd_netlink_message *message, Link **ret) {
+ _cleanup_(sd_device_unrefp) sd_device *device = NULL;
+
+--- a/src/network/networkd-link.h 2021-09-02 18:04:16.900542857 +0530
++++ b/src/network/networkd-link.h 2021-09-02 18:18:56.776571563 +0530
+@@ -175,7 +175,7 @@ DEFINE_TRIVIAL_DESTRUCTOR(link_netlink_d
+
+ int link_get(Manager *m, int ifindex, Link **ret);
+ int link_add(Manager *manager, sd_netlink_message *message, Link **ret);
+-void link_drop(Link *link);
++Link *link_drop(Link *link);
+
+ int link_down(Link *link, link_netlink_message_handler_t callback);
+
+
diff --git a/meta/recipes-core/systemd/systemd/network-merge-link_drop-and-link_detach_from_manager.patch b/meta/recipes-core/systemd/systemd/network-merge-link_drop-and-link_detach_from_manager.patch
new file mode 100644
index 0000000000..65bdc611df
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/network-merge-link_drop-and-link_detach_from_manager.patch
@@ -0,0 +1,67 @@
+From 63130eb36dc51e4fd50716c585f98ebe456ca7cf Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Mon, 17 May 2021 15:40:15 +0900
+Subject: [PATCH] network: merge link_drop() and link_detach_from_manager()
+
+link_detach_from_manager() is only called by link_drop(). It is not
+necessary to split such tiny function.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/63130eb36dc51e4fd50716c585f98ebe456ca7cf]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/network/networkd-link.c | 27 ++++++++++++---------------
+ 1 file changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 9d30e16b0a..67d01ac44d 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -2019,24 +2019,17 @@ static void link_drop_from_master(Link *link, NetDev *netdev) {
+ link_unref(set_remove(master->slaves, link));
+ }
+
+-static void link_detach_from_manager(Link *link) {
+- if (!link || !link->manager)
+- return;
+-
+- link_unref(set_remove(link->manager->links_requesting_uuid, link));
+- link_clean(link);
+-
+- /* The following must be called at last. */
+- assert_se(hashmap_remove(link->manager->links, INT_TO_PTR(link->ifindex)) == link);
+- link_unref(link);
+-}
+-
+ void link_drop(Link *link) {
+- if (!link || link->state == LINK_STATE_LINGER)
++ if (!link)
+ return;
+
++ assert(link->manager);
++
+ link_set_state(link, LINK_STATE_LINGER);
+
++ /* Drop all references from other links and manager. Note that async netlink calls may have
++ * references to the link, and they will be dropped when we receive replies. */
++
+ link_free_carrier_maps(link);
+
+ if (link->network) {
+@@ -2044,10 +2037,14 @@ void link_drop(Link *link) {
+ link_drop_from_master(link, link->network->bond);
+ }
+
+- log_link_debug(link, "Link removed");
++ link_unref(set_remove(link->manager->links_requesting_uuid, link));
+
+ (void) unlink(link->state_file);
+- link_detach_from_manager(link);
++ link_clean(link);
++
++ /* The following must be called at last. */
++ assert_se(hashmap_remove(link->manager->links, INT_TO_PTR(link->ifindex)) == link);
++ link_unref(link);
+ }
+
+ static int link_joined(Link *link) {
diff --git a/meta/recipes-core/systemd/systemd_244.5.bb b/meta/recipes-core/systemd/systemd_244.5.bb
index 7a7eddcd45..bf33b8d6a1 100644
--- a/meta/recipes-core/systemd/systemd_244.5.bb
+++ b/meta/recipes-core/systemd/systemd_244.5.bb
@@ -22,6 +22,12 @@ SRC_URI += "file://touchscreen.rules \
file://0003-implment-systemd-sysv-install-for-OE.patch \
file://CVE-2021-33910.patch \
file://CVE-2020-13529.patch \
+ file://basic-pass-allocation-info-for-ordered-set-new-and-introd.patch \
+ file://introduce-ordered_set_clear-free-with-destructor.patch \
+ file://network-add-skeleton-of-request-queue.patch \
+ file://network-merge-link_drop-and-link_detach_from_manager.patch \
+ file://network-also-drop-requests-when-link-enters-linger-state.patch \
+ file://network-fix-Link-reference-counter-issue.patch \
"
# patches needed by musl
diff --git a/meta/recipes-devtools/mtd/mtd-utils/0001-mtd-utils-Fix-return-value-of-ubiformat.patch b/meta/recipes-devtools/mtd/mtd-utils/0001-mtd-utils-Fix-return-value-of-ubiformat.patch
deleted file mode 100644
index d43f7e1a7a..0000000000
--- a/meta/recipes-devtools/mtd/mtd-utils/0001-mtd-utils-Fix-return-value-of-ubiformat.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 4d19bffcfd66e25d3ee74536ae2d2da7ad52e8e2 Mon Sep 17 00:00:00 2001
-From: Barry Grussling <barry@grussling.com>
-Date: Sun, 12 Jan 2020 12:33:32 -0800
-Subject: [PATCH] mtd-utils: Fix return value of ubiformat
-Organization: O.S. Systems Software LTDA.
-
-This changeset fixes a feature regression in ubiformat. Older versions of
-ubiformat, when invoked with a flash-image, would return 0 in the case no error
-was encountered. Upon upgrading to latest, it was discovered that ubiformat
-returned 255 even without encountering an error condition.
-
-This changeset corrects the above issue and causes ubiformat, when given an
-image file, to return 0 when no errors are detected.
-
-Tested by running through my loading scripts and verifying ubiformat returned
-0.
-
-Upstream-Status: Backport [2.1.2]
-
-Signed-off-by: Barry Grussling <barry@grussling.com>
-Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
-Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
----
- ubi-utils/ubiformat.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/ubi-utils/ubiformat.c b/ubi-utils/ubiformat.c
-index a90627c..5377b12 100644
---- a/ubi-utils/ubiformat.c
-+++ b/ubi-utils/ubiformat.c
-@@ -550,6 +550,7 @@ static int format(libmtd_t libmtd, const struct mtd_dev_info *mtd,
- struct ubi_vtbl_record *vtbl;
- int eb1 = -1, eb2 = -1;
- long long ec1 = -1, ec2 = -1;
-+ int ret = -1;
-
- write_size = UBI_EC_HDR_SIZE + mtd->subpage_size - 1;
- write_size /= mtd->subpage_size;
-@@ -643,8 +644,10 @@ static int format(libmtd_t libmtd, const struct mtd_dev_info *mtd,
- if (!args.quiet && !args.verbose)
- printf("\n");
-
-- if (novtbl)
-+ if (novtbl) {
-+ ret = 0;
- goto out_free;
-+ }
-
- if (eb1 == -1 || eb2 == -1) {
- errmsg("no eraseblocks for volume table");
-@@ -669,7 +672,7 @@ static int format(libmtd_t libmtd, const struct mtd_dev_info *mtd,
-
- out_free:
- free(hdr);
-- return -1;
-+ return ret;
- }
-
- int main(int argc, char * const argv[])
---
-2.27.0
-
diff --git a/meta/recipes-devtools/mtd/mtd-utils_git.bb b/meta/recipes-devtools/mtd/mtd-utils_git.bb
index 9c05dc03dc..d8355bbad3 100644
--- a/meta/recipes-devtools/mtd/mtd-utils_git.bb
+++ b/meta/recipes-devtools/mtd/mtd-utils_git.bb
@@ -11,18 +11,15 @@ inherit autotools pkgconfig update-alternatives
DEPENDS = "zlib e2fsprogs util-linux"
RDEPENDS_mtd-utils-tests += "bash"
-PV = "2.1.1"
+PV = "2.1.3"
-SRCREV = "4443221ce9b88440cd9f5bb78e6fe95621d36c8a"
+SRCREV = "42ea7cd48d2b3c306d59bb6c530d79f8c25bf9f5"
SRC_URI = "git://git.infradead.org/mtd-utils.git \
file://add-exclusion-to-mkfs-jffs2-git-2.patch \
- file://0001-mtd-utils-Fix-return-value-of-ubiformat.patch \
-"
+ "
S = "${WORKDIR}/git/"
-EXTRA_OECONF += "--enable-install-tests"
-
# xattr support creates an additional compile-time dependency on acl because
# the sys/acl.h header is needed. libacl is not needed and thus enabling xattr
# regardless whether acl is enabled or disabled in the distro should be okay.
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index c8c170dda0..ef9bc3f64a 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -84,6 +84,14 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3582.patch \
file://CVE-2021-3607.patch \
file://CVE-2021-3608.patch \
+ file://CVE-2020-12829_1.patch \
+ file://CVE-2020-12829_2.patch \
+ file://CVE-2020-12829_3.patch \
+ file://CVE-2020-12829_4.patch \
+ file://CVE-2020-12829_5.patch \
+ file://CVE-2020-27617.patch \
+ file://CVE-2020-28916.patch \
+ file://CVE-2021-3682.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch
new file mode 100644
index 0000000000..6fee4f640d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch
@@ -0,0 +1,164 @@
+From e29da77e5fddf6480e3a0e80b63d703edaec751b Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH] sm501: Convert printf + abort to qemu_log_mask
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some places already use qemu_log_mask() to log unimplemented features
+or errors but some others have printf() then abort(). Convert these to
+qemu_log_mask() and avoid aborting to prevent guests to easily cause
+denial of service.
+
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 305af87f59d81e92f2aaff09eb8a3603b8baa322.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-12829 dep#1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/sm501.c | 57 ++++++++++++++++++++++------------------------
+ 1 file changed, 27 insertions(+), 30 deletions(-)
+
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index acc692531a..bd3ccfe311 100644
+--- a/hw/display/sm501.c
++++ b/hw/display/sm501.c
+@@ -727,8 +727,8 @@ static void sm501_2d_operation(SM501State *s)
+ int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
+
+ if (addressing != 0x0) {
+- printf("%s: only XY addressing is supported.\n", __func__);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: only XY addressing is supported.\n");
++ return;
+ }
+
+ if (rop_mode == 0) {
+@@ -754,8 +754,8 @@ static void sm501_2d_operation(SM501State *s)
+
+ if ((s->twoD_source_base & 0x08000000) ||
+ (s->twoD_destination_base & 0x08000000)) {
+- printf("%s: only local memory is supported.\n", __func__);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n");
++ return;
+ }
+
+ switch (operation) {
+@@ -823,9 +823,9 @@ static void sm501_2d_operation(SM501State *s)
+ break;
+
+ default:
+- printf("non-implemented SM501 2D operation. %d\n", operation);
+- abort();
+- break;
++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
++ operation);
++ return;
+ }
+
+ if (dst_base >= get_fb_addr(s, crt) &&
+@@ -892,9 +892,8 @@ static uint64_t sm501_system_config_read(void *opaque, hwaddr addr,
+ break;
+
+ default:
+- printf("sm501 system config : not implemented register read."
+- " addr=%x\n", (int)addr);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented system config"
++ "register read. addr=%" HWADDR_PRIx "\n", addr);
+ }
+
+ return ret;
+@@ -948,15 +947,15 @@ static void sm501_system_config_write(void *opaque, hwaddr addr,
+ break;
+ case SM501_ENDIAN_CONTROL:
+ if (value & 0x00000001) {
+- printf("sm501 system config : big endian mode not implemented.\n");
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: system config big endian mode not"
++ " implemented.\n");
+ }
+ break;
+
+ default:
+- printf("sm501 system config : not implemented register write."
+- " addr=%x, val=%x\n", (int)addr, (uint32_t)value);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented system config"
++ "register write. addr=%" HWADDR_PRIx
++ ", val=%" PRIx64 "\n", addr, value);
+ }
+ }
+
+@@ -1207,9 +1206,8 @@ static uint64_t sm501_disp_ctrl_read(void *opaque, hwaddr addr,
+ break;
+
+ default:
+- printf("sm501 disp ctrl : not implemented register read."
+- " addr=%x\n", (int)addr);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register "
++ "read. addr=%" HWADDR_PRIx "\n", addr);
+ }
+
+ return ret;
+@@ -1345,9 +1343,9 @@ static void sm501_disp_ctrl_write(void *opaque, hwaddr addr,
+ break;
+
+ default:
+- printf("sm501 disp ctrl : not implemented register write."
+- " addr=%x, val=%x\n", (int)addr, (unsigned)value);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register "
++ "write. addr=%" HWADDR_PRIx
++ ", val=%" PRIx64 "\n", addr, value);
+ }
+ }
+
+@@ -1433,9 +1431,8 @@ static uint64_t sm501_2d_engine_read(void *opaque, hwaddr addr,
+ ret = 0; /* Should return interrupt status */
+ break;
+ default:
+- printf("sm501 disp ctrl : not implemented register read."
+- " addr=%x\n", (int)addr);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register "
++ "read. addr=%" HWADDR_PRIx "\n", addr);
+ }
+
+ return ret;
+@@ -1520,9 +1517,9 @@ static void sm501_2d_engine_write(void *opaque, hwaddr addr,
+ /* ignored, writing 0 should clear interrupt status */
+ break;
+ default:
+- printf("sm501 2d engine : not implemented register write."
+- " addr=%x, val=%x\n", (int)addr, (unsigned)value);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2d engine register "
++ "write. addr=%" HWADDR_PRIx
++ ", val=%" PRIx64 "\n", addr, value);
+ }
+ }
+
+@@ -1670,9 +1667,9 @@ static void sm501_update_display(void *opaque)
+ draw_line = draw_line32_funcs[dst_depth_index];
+ break;
+ default:
+- printf("sm501 update display : invalid control register value.\n");
+- abort();
+- break;
++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: update display"
++ "invalid control register value.\n");
++ return;
+ }
+
+ /* set up to draw hardware cursor */
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch
new file mode 100644
index 0000000000..e7258a43d3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch
@@ -0,0 +1,139 @@
+From 6f8183b5dc5b309378687830a25e85ea8fb860ea Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH 2/5] sm501: Shorten long variable names in sm501_2d_operation
+
+This increases readability and cleans up some confusing naming.
+
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Message-id: b9b67b94c46e945252a73c77dfd117132c63c4fb.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-12829 dep#2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/sm501.c | 45 ++++++++++++++++++++++-----------------------
+ 1 file changed, 22 insertions(+), 23 deletions(-)
+
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index bd3ccfe311..f42d05e1e4 100644
+--- a/hw/display/sm501.c
++++ b/hw/display/sm501.c
+@@ -700,17 +700,16 @@ static inline void hwc_invalidate(SM501State *s, int crt)
+ static void sm501_2d_operation(SM501State *s)
+ {
+ /* obtain operation parameters */
+- int operation = (s->twoD_control >> 16) & 0x1f;
++ int cmd = (s->twoD_control >> 16) & 0x1F;
+ int rtl = s->twoD_control & 0x8000000;
+ int src_x = (s->twoD_source >> 16) & 0x01FFF;
+ int src_y = s->twoD_source & 0xFFFF;
+ int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
+ int dst_y = s->twoD_destination & 0xFFFF;
+- int operation_width = (s->twoD_dimension >> 16) & 0x1FFF;
+- int operation_height = s->twoD_dimension & 0xFFFF;
++ int width = (s->twoD_dimension >> 16) & 0x1FFF;
++ int height = s->twoD_dimension & 0xFFFF;
+ uint32_t color = s->twoD_foreground;
+- int format_flags = (s->twoD_stretch >> 20) & 0x3;
+- int addressing = (s->twoD_stretch >> 16) & 0xF;
++ int format = (s->twoD_stretch >> 20) & 0x3;
+ int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */
+ /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */
+ int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;
+@@ -721,12 +720,12 @@ static void sm501_2d_operation(SM501State *s)
+ /* get frame buffer info */
+ uint8_t *src = s->local_mem + src_base;
+ uint8_t *dst = s->local_mem + dst_base;
+- int src_width = s->twoD_pitch & 0x1FFF;
+- int dst_width = (s->twoD_pitch >> 16) & 0x1FFF;
++ int src_pitch = s->twoD_pitch & 0x1FFF;
++ int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
+ int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;
+ int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
+
+- if (addressing != 0x0) {
++ if ((s->twoD_stretch >> 16) & 0xF) {
+ qemu_log_mask(LOG_UNIMP, "sm501: only XY addressing is supported.\n");
+ return;
+ }
+@@ -758,20 +757,20 @@ static void sm501_2d_operation(SM501State *s)
+ return;
+ }
+
+- switch (operation) {
++ switch (cmd) {
+ case 0x00: /* copy area */
+ #define COPY_AREA(_bpp, _pixel_type, rtl) { \
+ int y, x, index_d, index_s; \
+- for (y = 0; y < operation_height; y++) { \
+- for (x = 0; x < operation_width; x++) { \
++ for (y = 0; y < height; y++) { \
++ for (x = 0; x < width; x++) { \
+ _pixel_type val; \
+ \
+ if (rtl) { \
+- index_s = ((src_y - y) * src_width + src_x - x) * _bpp; \
+- index_d = ((dst_y - y) * dst_width + dst_x - x) * _bpp; \
++ index_s = ((src_y - y) * src_pitch + src_x - x) * _bpp; \
++ index_d = ((dst_y - y) * dst_pitch + dst_x - x) * _bpp; \
+ } else { \
+- index_s = ((src_y + y) * src_width + src_x + x) * _bpp; \
+- index_d = ((dst_y + y) * dst_width + dst_x + x) * _bpp; \
++ index_s = ((src_y + y) * src_pitch + src_x + x) * _bpp; \
++ index_d = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \
+ } \
+ if (rop_mode == 1 && rop == 5) { \
+ /* Invert dest */ \
+@@ -783,7 +782,7 @@ static void sm501_2d_operation(SM501State *s)
+ } \
+ } \
+ }
+- switch (format_flags) {
++ switch (format) {
+ case 0:
+ COPY_AREA(1, uint8_t, rtl);
+ break;
+@@ -799,15 +798,15 @@ static void sm501_2d_operation(SM501State *s)
+ case 0x01: /* fill rectangle */
+ #define FILL_RECT(_bpp, _pixel_type) { \
+ int y, x; \
+- for (y = 0; y < operation_height; y++) { \
+- for (x = 0; x < operation_width; x++) { \
+- int index = ((dst_y + y) * dst_width + dst_x + x) * _bpp; \
++ for (y = 0; y < height; y++) { \
++ for (x = 0; x < width; x++) { \
++ int index = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \
+ *(_pixel_type *)&dst[index] = (_pixel_type)color; \
+ } \
+ } \
+ }
+
+- switch (format_flags) {
++ switch (format) {
+ case 0:
+ FILL_RECT(1, uint8_t);
+ break;
+@@ -824,14 +823,14 @@ static void sm501_2d_operation(SM501State *s)
+
+ default:
+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
+- operation);
++ cmd);
+ return;
+ }
+
+ if (dst_base >= get_fb_addr(s, crt) &&
+ dst_base <= get_fb_addr(s, crt) + fb_len) {
+- int dst_len = MIN(fb_len, ((dst_y + operation_height - 1) * dst_width +
+- dst_x + operation_width) * (1 << format_flags));
++ int dst_len = MIN(fb_len, ((dst_y + height - 1) * dst_pitch +
++ dst_x + width) * (1 << format));
+ if (dst_len) {
+ memory_region_set_dirty(&s->local_mem_region, dst_base, dst_len);
+ }
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_3.patch
new file mode 100644
index 0000000000..c647028cfe
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_3.patch
@@ -0,0 +1,47 @@
+From 2824809b7f8f03ddc6e2b7e33e78c06022424298 Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH 3/5] sm501: Use BIT(x) macro to shorten constant
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 124bf5de8d7cf503b32b377d0445029a76bfbd49.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-12829 dep#3
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/sm501.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index f42d05e1e4..97660090bb 100644
+--- a/hw/display/sm501.c
++++ b/hw/display/sm501.c
+@@ -701,7 +701,7 @@ static void sm501_2d_operation(SM501State *s)
+ {
+ /* obtain operation parameters */
+ int cmd = (s->twoD_control >> 16) & 0x1F;
+- int rtl = s->twoD_control & 0x8000000;
++ int rtl = s->twoD_control & BIT(27);
+ int src_x = (s->twoD_source >> 16) & 0x01FFF;
+ int src_y = s->twoD_source & 0xFFFF;
+ int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
+@@ -751,8 +751,7 @@ static void sm501_2d_operation(SM501State *s)
+ }
+ }
+
+- if ((s->twoD_source_base & 0x08000000) ||
+- (s->twoD_destination_base & 0x08000000)) {
++ if (s->twoD_source_base & BIT(27) || s->twoD_destination_base & BIT(27)) {
+ qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n");
+ return;
+ }
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch
new file mode 100644
index 0000000000..485af05e1e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch
@@ -0,0 +1,100 @@
+From 3d0b096298b5579a7fa0753ad90968b27bc65372 Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH 4/5] sm501: Clean up local variables in sm501_2d_operation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Make variables local to the block they are used in to make it clearer
+which operation they are needed for.
+
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: ae59f8138afe7f6a5a4a82539d0f61496a906b06.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-12829 dep#4
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/sm501.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index 97660090bb..5ed57703d8 100644
+--- a/hw/display/sm501.c
++++ b/hw/display/sm501.c
+@@ -699,28 +699,19 @@ static inline void hwc_invalidate(SM501State *s, int crt)
+
+ static void sm501_2d_operation(SM501State *s)
+ {
+- /* obtain operation parameters */
+ int cmd = (s->twoD_control >> 16) & 0x1F;
+ int rtl = s->twoD_control & BIT(27);
+- int src_x = (s->twoD_source >> 16) & 0x01FFF;
+- int src_y = s->twoD_source & 0xFFFF;
+- int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
+- int dst_y = s->twoD_destination & 0xFFFF;
+- int width = (s->twoD_dimension >> 16) & 0x1FFF;
+- int height = s->twoD_dimension & 0xFFFF;
+- uint32_t color = s->twoD_foreground;
+ int format = (s->twoD_stretch >> 20) & 0x3;
+ int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */
+ /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */
+ int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;
+ int rop = s->twoD_control & 0xFF;
+- uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;
++ int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
++ int dst_y = s->twoD_destination & 0xFFFF;
++ int width = (s->twoD_dimension >> 16) & 0x1FFF;
++ int height = s->twoD_dimension & 0xFFFF;
+ uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF;
+-
+- /* get frame buffer info */
+- uint8_t *src = s->local_mem + src_base;
+ uint8_t *dst = s->local_mem + dst_base;
+- int src_pitch = s->twoD_pitch & 0x1FFF;
+ int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
+ int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;
+ int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
+@@ -758,6 +749,13 @@ static void sm501_2d_operation(SM501State *s)
+
+ switch (cmd) {
+ case 0x00: /* copy area */
++ {
++ int src_x = (s->twoD_source >> 16) & 0x01FFF;
++ int src_y = s->twoD_source & 0xFFFF;
++ uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;
++ uint8_t *src = s->local_mem + src_base;
++ int src_pitch = s->twoD_pitch & 0x1FFF;
++
+ #define COPY_AREA(_bpp, _pixel_type, rtl) { \
+ int y, x, index_d, index_s; \
+ for (y = 0; y < height; y++) { \
+@@ -793,8 +791,11 @@ static void sm501_2d_operation(SM501State *s)
+ break;
+ }
+ break;
+-
++ }
+ case 0x01: /* fill rectangle */
++ {
++ uint32_t color = s->twoD_foreground;
++
+ #define FILL_RECT(_bpp, _pixel_type) { \
+ int y, x; \
+ for (y = 0; y < height; y++) { \
+@@ -819,7 +820,7 @@ static void sm501_2d_operation(SM501State *s)
+ break;
+ }
+ break;
+-
++ }
+ default:
+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
+ cmd);
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_5.patch
new file mode 100644
index 0000000000..ab09e8b039
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_5.patch
@@ -0,0 +1,266 @@
+From b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4 Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH 5/5] sm501: Replace hand written implementation with pixman
+ where possible
+
+Besides being faster this should also prevent malicious guests to
+abuse 2D engine to overwrite data or cause a crash.
+
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Message-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-12829
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/sm501.c | 207 ++++++++++++++++++++++++++-------------------
+ 1 file changed, 119 insertions(+), 88 deletions(-)
+
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index 5ed57703d8..8bf4d111f4 100644
+--- a/hw/display/sm501.c
++++ b/hw/display/sm501.c
+@@ -706,13 +706,12 @@ static void sm501_2d_operation(SM501State *s)
+ /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */
+ int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;
+ int rop = s->twoD_control & 0xFF;
+- int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
+- int dst_y = s->twoD_destination & 0xFFFF;
+- int width = (s->twoD_dimension >> 16) & 0x1FFF;
+- int height = s->twoD_dimension & 0xFFFF;
++ unsigned int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
++ unsigned int dst_y = s->twoD_destination & 0xFFFF;
++ unsigned int width = (s->twoD_dimension >> 16) & 0x1FFF;
++ unsigned int height = s->twoD_dimension & 0xFFFF;
+ uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF;
+- uint8_t *dst = s->local_mem + dst_base;
+- int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
++ unsigned int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
+ int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;
+ int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
+
+@@ -721,104 +720,136 @@ static void sm501_2d_operation(SM501State *s)
+ return;
+ }
+
+- if (rop_mode == 0) {
+- if (rop != 0xcc) {
+- /* Anything other than plain copies are not supported */
+- qemu_log_mask(LOG_UNIMP, "sm501: rop3 mode with rop %x is not "
+- "supported.\n", rop);
+- }
+- } else {
+- if (rop2_source_is_pattern && rop != 0x5) {
+- /* For pattern source, we support only inverse dest */
+- qemu_log_mask(LOG_UNIMP, "sm501: rop2 source being the pattern and "
+- "rop %x is not supported.\n", rop);
+- } else {
+- if (rop != 0x5 && rop != 0xc) {
+- /* Anything other than plain copies or inverse dest is not
+- * supported */
+- qemu_log_mask(LOG_UNIMP, "sm501: rop mode %x is not "
+- "supported.\n", rop);
+- }
+- }
+- }
+-
+ if (s->twoD_source_base & BIT(27) || s->twoD_destination_base & BIT(27)) {
+ qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n");
+ return;
+ }
+
++ if (!dst_pitch) {
++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero dest pitch.\n");
++ return;
++ }
++
++ if (!width || !height) {
++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero size 2D op.\n");
++ return;
++ }
++
++ if (rtl) {
++ dst_x -= width - 1;
++ dst_y -= height - 1;
++ }
++
++ if (dst_base >= get_local_mem_size(s) || dst_base +
++ (dst_x + width + (dst_y + height) * (dst_pitch + width)) *
++ (1 << format) >= get_local_mem_size(s)) {
++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: 2D op dest is outside vram.\n");
++ return;
++ }
++
+ switch (cmd) {
+- case 0x00: /* copy area */
++ case 0: /* BitBlt */
+ {
+- int src_x = (s->twoD_source >> 16) & 0x01FFF;
+- int src_y = s->twoD_source & 0xFFFF;
++ unsigned int src_x = (s->twoD_source >> 16) & 0x01FFF;
++ unsigned int src_y = s->twoD_source & 0xFFFF;
+ uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;
+- uint8_t *src = s->local_mem + src_base;
+- int src_pitch = s->twoD_pitch & 0x1FFF;
+-
+-#define COPY_AREA(_bpp, _pixel_type, rtl) { \
+- int y, x, index_d, index_s; \
+- for (y = 0; y < height; y++) { \
+- for (x = 0; x < width; x++) { \
+- _pixel_type val; \
+- \
+- if (rtl) { \
+- index_s = ((src_y - y) * src_pitch + src_x - x) * _bpp; \
+- index_d = ((dst_y - y) * dst_pitch + dst_x - x) * _bpp; \
+- } else { \
+- index_s = ((src_y + y) * src_pitch + src_x + x) * _bpp; \
+- index_d = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \
+- } \
+- if (rop_mode == 1 && rop == 5) { \
+- /* Invert dest */ \
+- val = ~*(_pixel_type *)&dst[index_d]; \
+- } else { \
+- val = *(_pixel_type *)&src[index_s]; \
+- } \
+- *(_pixel_type *)&dst[index_d] = val; \
+- } \
+- } \
+- }
+- switch (format) {
+- case 0:
+- COPY_AREA(1, uint8_t, rtl);
+- break;
+- case 1:
+- COPY_AREA(2, uint16_t, rtl);
+- break;
+- case 2:
+- COPY_AREA(4, uint32_t, rtl);
+- break;
++ unsigned int src_pitch = s->twoD_pitch & 0x1FFF;
++
++ if (!src_pitch) {
++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero src pitch.\n");
++ return;
++ }
++
++ if (rtl) {
++ src_x -= width - 1;
++ src_y -= height - 1;
++ }
++
++ if (src_base >= get_local_mem_size(s) || src_base +
++ (src_x + width + (src_y + height) * (src_pitch + width)) *
++ (1 << format) >= get_local_mem_size(s)) {
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "sm501: 2D op src is outside vram.\n");
++ return;
++ }
++
++ if ((rop_mode && rop == 0x5) || (!rop_mode && rop == 0x55)) {
++ /* Invert dest, is there a way to do this with pixman? */
++ unsigned int x, y, i;
++ uint8_t *d = s->local_mem + dst_base;
++
++ for (y = 0; y < height; y++) {
++ i = (dst_x + (dst_y + y) * dst_pitch) * (1 << format);
++ for (x = 0; x < width; x++, i += (1 << format)) {
++ switch (format) {
++ case 0:
++ d[i] = ~d[i];
++ break;
++ case 1:
++ *(uint16_t *)&d[i] = ~*(uint16_t *)&d[i];
++ break;
++ case 2:
++ *(uint32_t *)&d[i] = ~*(uint32_t *)&d[i];
++ break;
++ }
++ }
++ }
++ } else {
++ /* Do copy src for unimplemented ops, better than unpainted area */
++ if ((rop_mode && (rop != 0xc || rop2_source_is_pattern)) ||
++ (!rop_mode && rop != 0xcc)) {
++ qemu_log_mask(LOG_UNIMP,
++ "sm501: rop%d op %x%s not implemented\n",
++ (rop_mode ? 2 : 3), rop,
++ (rop2_source_is_pattern ?
++ " with pattern source" : ""));
++ }
++ /* Check for overlaps, this could be made more exact */
++ uint32_t sb, se, db, de;
++ sb = src_base + src_x + src_y * (width + src_pitch);
++ se = sb + width + height * (width + src_pitch);
++ db = dst_base + dst_x + dst_y * (width + dst_pitch);
++ de = db + width + height * (width + dst_pitch);
++ if (rtl && ((db >= sb && db <= se) || (de >= sb && de <= se))) {
++ /* regions may overlap: copy via temporary */
++ int llb = width * (1 << format);
++ int tmp_stride = DIV_ROUND_UP(llb, sizeof(uint32_t));
++ uint32_t *tmp = g_malloc(tmp_stride * sizeof(uint32_t) *
++ height);
++ pixman_blt((uint32_t *)&s->local_mem[src_base], tmp,
++ src_pitch * (1 << format) / sizeof(uint32_t),
++ tmp_stride, 8 * (1 << format), 8 * (1 << format),
++ src_x, src_y, 0, 0, width, height);
++ pixman_blt(tmp, (uint32_t *)&s->local_mem[dst_base],
++ tmp_stride,
++ dst_pitch * (1 << format) / sizeof(uint32_t),
++ 8 * (1 << format), 8 * (1 << format),
++ 0, 0, dst_x, dst_y, width, height);
++ g_free(tmp);
++ } else {
++ pixman_blt((uint32_t *)&s->local_mem[src_base],
++ (uint32_t *)&s->local_mem[dst_base],
++ src_pitch * (1 << format) / sizeof(uint32_t),
++ dst_pitch * (1 << format) / sizeof(uint32_t),
++ 8 * (1 << format), 8 * (1 << format),
++ src_x, src_y, dst_x, dst_y, width, height);
++ }
+ }
+ break;
+ }
+- case 0x01: /* fill rectangle */
++ case 1: /* Rectangle Fill */
+ {
+ uint32_t color = s->twoD_foreground;
+
+-#define FILL_RECT(_bpp, _pixel_type) { \
+- int y, x; \
+- for (y = 0; y < height; y++) { \
+- for (x = 0; x < width; x++) { \
+- int index = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \
+- *(_pixel_type *)&dst[index] = (_pixel_type)color; \
+- } \
+- } \
+- }
+-
+- switch (format) {
+- case 0:
+- FILL_RECT(1, uint8_t);
+- break;
+- case 1:
+- color = cpu_to_le16(color);
+- FILL_RECT(2, uint16_t);
+- break;
+- case 2:
++ if (format == 2) {
+ color = cpu_to_le32(color);
+- FILL_RECT(4, uint32_t);
+- break;
++ } else if (format == 1) {
++ color = cpu_to_le16(color);
+ }
++
++ pixman_fill((uint32_t *)&s->local_mem[dst_base],
++ dst_pitch * (1 << format) / sizeof(uint32_t),
++ 8 * (1 << format), dst_x, dst_y, width, height, color);
+ break;
+ }
+ default:
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-27617.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-27617.patch
new file mode 100644
index 0000000000..7bfc2beecb
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-27617.patch
@@ -0,0 +1,49 @@
+From 7564bf7701f00214cdc8a678a9f7df765244def1 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 21 Oct 2020 11:35:50 +0530
+Subject: [PATCH] net: remove an assert call in eth_get_gso_type
+
+eth_get_gso_type() routine returns segmentation offload type based on
+L3 protocol type. It calls g_assert_not_reached if L3 protocol is
+unknown, making the following return statement unreachable. Remove the
+g_assert call, it maybe triggered by a guest user.
+
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upsteram-Status: Backport
+CVE: CVE-2020-27617
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ net/eth.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/eth.c b/net/eth.c
+index 0c1d413ee2..1e0821c5f8 100644
+--- a/net/eth.c
++++ b/net/eth.c
+@@ -16,6 +16,7 @@
+ */
+
+ #include "qemu/osdep.h"
++#include "qemu/log.h"
+ #include "net/eth.h"
+ #include "net/checksum.h"
+ #include "net/tap.h"
+@@ -71,9 +72,8 @@ eth_get_gso_type(uint16_t l3_proto, uint8_t *l3_hdr, uint8_t l4proto)
+ return VIRTIO_NET_HDR_GSO_TCPV6 | ecn_state;
+ }
+ }
+-
+- /* Unsupported offload */
+- g_assert_not_reached();
++ qemu_log_mask(LOG_UNIMP, "%s: probably not GSO frame, "
++ "unknown L3 protocol: 0x%04"PRIx16"\n", __func__, l3_proto);
+
+ return VIRTIO_NET_HDR_GSO_NONE | ecn_state;
+ }
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch
new file mode 100644
index 0000000000..756b1c1495
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch
@@ -0,0 +1,48 @@
+From c2cb511634012344e3d0fe49a037a33b12d8a98a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 11 Nov 2020 18:36:36 +0530
+Subject: [PATCH] hw/net/e1000e: advance desc_offset in case of null descriptor
+
+While receiving packets via e1000e_write_packet_to_guest() routine,
+'desc_offset' is advanced only when RX descriptor is processed. And
+RX descriptor is not processed if it has NULL buffer address.
+This may lead to an infinite loop condition. Increament 'desc_offset'
+to process next descriptor in the ring to avoid infinite loop.
+
+Reported-by: Cheol-woo Myung <330cjfdn@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-28916
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/net/e1000e_core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
+index d8b9e4b2f4..095c01ebc6 100644
+--- a/hw/net/e1000e_core.c
++++ b/hw/net/e1000e_core.c
+@@ -1596,13 +1596,13 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
+ (const char *) &fcs_pad, e1000x_fcs_len(core->mac));
+ }
+ }
+- desc_offset += desc_size;
+- if (desc_offset >= total_size) {
+- is_last = true;
+- }
+ } else { /* as per intel docs; skip descriptors with null buf addr */
+ trace_e1000e_rx_null_descriptor();
+ }
++ desc_offset += desc_size;
++ if (desc_offset >= total_size) {
++ is_last = true;
++ }
+
+ e1000e_write_rx_descr(core, desc, is_last ? core->rx_pkt : NULL,
+ rss_info, do_ps ? ps_hdr_len : 0, &bastate.written);
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch
new file mode 100644
index 0000000000..50a49233d3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch
@@ -0,0 +1,41 @@
+From 5e796671e6b8d5de4b0b423dce1b3eba144a92c9 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 22 Jul 2021 09:27:56 +0200
+Subject: [PATCH] usbredir: fix free call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+data might point into the middle of a larger buffer, there is a separate
+free_on_destroy pointer passed into bufp_alloc() to handle that. It is
+only used in the normal workflow though, not when dropping packets due
+to the queue being full. Fix that.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/491
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210722072756.647673-1-kraxel@redhat.com>
+
+CVE: CVE-2021-3682
+Upstream-Status: Backport [5e796671e6b8d5de4b0b423dce1b3eba144a92c9]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/usb/redirect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index 4ec9326e05..1ec909a63a 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -476,7 +476,7 @@ static int bufp_alloc(USBRedirDevice *dev, uint8_t *data, uint16_t len,
+ if (dev->endpoint[EP2I(ep)].bufpq_dropping_packets) {
+ if (dev->endpoint[EP2I(ep)].bufpq_size >
+ dev->endpoint[EP2I(ep)].bufpq_target_size) {
+- free(data);
++ free(free_on_destroy);
+ return -1;
+ }
+ dev->endpoint[EP2I(ep)].bufpq_dropping_packets = 0;
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch b/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch
index 6454785254..dc3f74fecd 100644
--- a/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch
+++ b/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch
@@ -11,36 +11,39 @@ CPU thread.
Upstream-Status: Pending [merge of multithreading patches to upstream]
Signed-off-by: Peter Bergin <peter@berginkonsult.se>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
---
- rpmio/rpmio.c | 34 ++++++++++++++++++++++++++++++++++
- 1 file changed, 34 insertions(+)
+ rpmio/rpmio.c | 36 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
index e051c98..b3c56b6 100644
--- a/rpmio/rpmio.c
+++ b/rpmio/rpmio.c
-@@ -845,6 +845,40 @@ static LZFILE *lzopen_internal(const char *mode, int fd, int xz)
+@@ -845,6 +845,42 @@ static LZFILE *lzopen_internal(const char *mode, int fd, int xz)
}
#endif
-+ struct rlimit virtual_memory;
-+ getrlimit(RLIMIT_AS, &virtual_memory);
-+ if (virtual_memory.rlim_cur != RLIM_INFINITY) {
++ struct rlimit virtual_memory = {RLIM_INFINITY , RLIM_INFINITY};
++ int status = getrlimit(RLIMIT_AS, &virtual_memory);
++ if ((status != -1) && (virtual_memory.rlim_cur != RLIM_INFINITY)) {
+ const uint64_t virtual_memlimit = virtual_memory.rlim_cur;
++ uint32_t threads_max = lzma_cputhreads();
+ const uint64_t virtual_memlimit_per_cpu_thread =
-+ virtual_memlimit / lzma_cputhreads();
-+ uint64_t memory_usage_virt;
++ virtual_memlimit / ((threads_max == 0) ? 1 : threads_max);
+ rpmlog(RPMLOG_NOTICE, "XZ: virtual memory restricted to %lu and "
+ "per CPU thread %lu\n", virtual_memlimit, virtual_memlimit_per_cpu_thread);
++ uint64_t memory_usage_virt;
+ /* keep reducing the number of compression threads until memory
+ usage falls below the limit per CPU thread*/
+ while ((memory_usage_virt = lzma_stream_encoder_mt_memusage(&mt_options)) >
+ virtual_memlimit_per_cpu_thread) {
-+ /* If number of threads goes down to zero lzma_stream_encoder will
-+ * will return UINT64_MAX. We must check here to avoid an infinite loop.
++ /* If number of threads goes down to zero or in case of any other error
++ * lzma_stream_encoder_mt_memusage will return UINT64_MAX. We must check
++ * for both the cases here to avoid an infinite loop.
+ * If we get into situation that one thread requires more virtual memory
+ * than available we set one thread, print error message and try anyway. */
-+ if (--mt_options.threads == 0) {
++ if ((--mt_options.threads == 0) || (memory_usage_virt == UINT64_MAX)) {
+ mt_options.threads = 1;
+ rpmlog(RPMLOG_WARNING,
+ "XZ: Could not adjust number of threads to get below "
diff --git a/meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch b/meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch
new file mode 100644
index 0000000000..95e2534ee4
--- /dev/null
+++ b/meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch
@@ -0,0 +1,253 @@
+Backport patch to fix CVE-2021-40153, and remove version update in unsquashfs.c
+for compatible.
+
+Upstream-Status: Backport [https://github.com/plougher/squashfs-tools/commit/79b5a55]
+CVE: CVE-2021-40153
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 79b5a555058eef4e1e7ff220c344d39f8cd09646 Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Sat, 16 Jan 2021 20:08:55 +0000
+Subject: [PATCH] Unsquashfs: fix write outside destination directory exploit
+
+An issue on Github (https://github.com/plougher/squashfs-tools/issues/72)
+shows how some specially crafted Squashfs filesystems containing
+invalid file names (with '/' and ..) can cause Unsquashfs to write
+files outside of the destination directory.
+
+This commit fixes this exploit by checking all names for
+validity.
+
+In doing so I have also added checks for '.' and for names that
+are shorter than they should be (names in the file system should
+not have '\0' terminators).
+
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+---
+ squashfs-tools/Makefile | 5 ++-
+ squashfs-tools/unsquash-1.c | 9 +++++-
+ squashfs-tools/unsquash-1234.c | 58 ++++++++++++++++++++++++++++++++++
+ squashfs-tools/unsquash-2.c | 9 +++++-
+ squashfs-tools/unsquash-3.c | 9 +++++-
+ squashfs-tools/unsquash-4.c | 9 +++++-
+ squashfs-tools/unsquashfs.h | 5 ++-
+ 7 files changed, 98 insertions(+), 6 deletions(-)
+ create mode 100644 squashfs-tools/unsquash-1234.c
+
+diff --git a/squashfs-tools/Makefile b/squashfs-tools/Makefile
+index aee4b960..20feaca2 100644
+--- a/squashfs-tools/Makefile
++++ b/squashfs-tools/Makefile
+@@ -156,7 +156,8 @@ MKSQUASHFS_OBJS = mksquashfs.o read_fs.o action.o swap.o pseudo.o compressor.o \
+ caches-queues-lists.o
+
+ UNSQUASHFS_OBJS = unsquashfs.o unsquash-1.o unsquash-2.o unsquash-3.o \
+- unsquash-4.o unsquash-123.o unsquash-34.o swap.o compressor.o unsquashfs_info.o
++ unsquash-4.o unsquash-123.o unsquash-34.o unsquash-1234.o swap.o \
++ compressor.o unsquashfs_info.o
+
+ CFLAGS ?= -O2
+ CFLAGS += $(EXTRA_CFLAGS) $(INCLUDEDIR) -D_FILE_OFFSET_BITS=64 \
+@@ -350,6 +351,8 @@ unsquash-123.o: unsquashfs.h unsquash-123.c squashfs_fs.h squashfs_compat.h
+
+ unsquash-34.o: unsquashfs.h unsquash-34.c
+
++unsquash-1234.o: unsquash-1234.c
++
+ unsquashfs_xattr.o: unsquashfs_xattr.c unsquashfs.h squashfs_fs.h xattr.h
+
+ unsquashfs_info.o: unsquashfs.h squashfs_fs.h
+diff --git a/squashfs-tools/unsquash-1.c b/squashfs-tools/unsquash-1.c
+index 34eced36..28326cb1 100644
+--- a/squashfs-tools/unsquash-1.c
++++ b/squashfs-tools/unsquash-1.c
+@@ -2,7 +2,7 @@
+ * Unsquash a squashfs filesystem. This is a highly compressed read only
+ * filesystem.
+ *
+- * Copyright (c) 2009, 2010, 2011, 2012, 2019
++ * Copyright (c) 2009, 2010, 2011, 2012, 2019, 2021
+ * Phillip Lougher <phillip@squashfs.org.uk>
+ *
+ * This program is free software; you can redistribute it and/or
+@@ -285,6 +285,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
+ memcpy(dire->name, directory_table + bytes,
+ dire->size + 1);
+ dire->name[dire->size + 1] = '\0';
++
++ /* check name for invalid characters (i.e /, ., ..) */
++ if(check_name(dire->name, dire->size + 1) == FALSE) {
++ ERROR("File system corrupted: invalid characters in name\n");
++ goto corrupted;
++ }
++
+ TRACE("squashfs_opendir: directory entry %s, inode "
+ "%d:%d, type %d\n", dire->name,
+ dirh.start_block, dire->offset, dire->type);
+diff --git a/squashfs-tools/unsquash-1234.c b/squashfs-tools/unsquash-1234.c
+new file mode 100644
+index 00000000..c2d4f42b
+--- /dev/null
++++ b/squashfs-tools/unsquash-1234.c
+@@ -0,0 +1,58 @@
++/*
++ * Unsquash a squashfs filesystem. This is a highly compressed read only
++ * filesystem.
++ *
++ * Copyright (c) 2021
++ * Phillip Lougher <phillip@squashfs.org.uk>
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License
++ * as published by the Free Software Foundation; either version 2,
++ * or (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
++ *
++ * unsquash-1234.c
++ *
++ * Helper functions used by unsquash-1, unsquash-2, unsquash-3 and
++ * unsquash-4.
++ */
++
++#define TRUE 1
++#define FALSE 0
++/*
++ * Check name for validity, name should not
++ * - be ".", "./", or
++ * - be "..", "../" or
++ * - have a "/" anywhere in the name, or
++ * - be shorter than the expected size
++ */
++int check_name(char *name, int size)
++{
++ char *start = name;
++
++ if(name[0] == '.') {
++ if(name[1] == '.')
++ name++;
++ if(name[1] == '/' || name[1] == '\0')
++ return FALSE;
++ }
++
++ while(name[0] != '/' && name[0] != '\0')
++ name ++;
++
++ if(name[0] == '/')
++ return FALSE;
++
++ if((name - start) != size)
++ return FALSE;
++
++ return TRUE;
++}
+diff --git a/squashfs-tools/unsquash-2.c b/squashfs-tools/unsquash-2.c
+index 4b3d767e..474064e1 100644
+--- a/squashfs-tools/unsquash-2.c
++++ b/squashfs-tools/unsquash-2.c
+@@ -2,7 +2,7 @@
+ * Unsquash a squashfs filesystem. This is a highly compressed read only
+ * filesystem.
+ *
+- * Copyright (c) 2009, 2010, 2013, 2019
++ * Copyright (c) 2009, 2010, 2013, 2019, 2021
+ * Phillip Lougher <phillip@squashfs.org.uk>
+ *
+ * This program is free software; you can redistribute it and/or
+@@ -386,6 +386,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
+ memcpy(dire->name, directory_table + bytes,
+ dire->size + 1);
+ dire->name[dire->size + 1] = '\0';
++
++ /* check name for invalid characters (i.e /, ., ..) */
++ if(check_name(dire->name, dire->size + 1) == FALSE) {
++ ERROR("File system corrupted: invalid characters in name\n");
++ goto corrupted;
++ }
++
+ TRACE("squashfs_opendir: directory entry %s, inode "
+ "%d:%d, type %d\n", dire->name,
+ dirh.start_block, dire->offset, dire->type);
+diff --git a/squashfs-tools/unsquash-3.c b/squashfs-tools/unsquash-3.c
+index 02c31fc5..65cfe4d9 100644
+--- a/squashfs-tools/unsquash-3.c
++++ b/squashfs-tools/unsquash-3.c
+@@ -2,7 +2,7 @@
+ * Unsquash a squashfs filesystem. This is a highly compressed read only
+ * filesystem.
+ *
+- * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019
++ * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019, 2021
+ * Phillip Lougher <phillip@squashfs.org.uk>
+ *
+ * This program is free software; you can redistribute it and/or
+@@ -413,6 +413,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
+ memcpy(dire->name, directory_table + bytes,
+ dire->size + 1);
+ dire->name[dire->size + 1] = '\0';
++
++ /* check name for invalid characters (i.e /, ., ..) */
++ if(check_name(dire->name, dire->size + 1) == FALSE) {
++ ERROR("File system corrupted: invalid characters in name\n");
++ goto corrupted;
++ }
++
+ TRACE("squashfs_opendir: directory entry %s, inode "
+ "%d:%d, type %d\n", dire->name,
+ dirh.start_block, dire->offset, dire->type);
+diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
+index 8475835c..aa23a841 100644
+--- a/squashfs-tools/unsquash-4.c
++++ b/squashfs-tools/unsquash-4.c
+@@ -2,7 +2,7 @@
+ * Unsquash a squashfs filesystem. This is a highly compressed read only
+ * filesystem.
+ *
+- * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019
++ * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019, 2021
+ * Phillip Lougher <phillip@squashfs.org.uk>
+ *
+ * This program is free software; you can redistribute it and/or
+@@ -349,6 +349,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
+ memcpy(dire->name, directory_table + bytes,
+ dire->size + 1);
+ dire->name[dire->size + 1] = '\0';
++
++ /* check name for invalid characters (i.e /, ., ..) */
++ if(check_name(dire->name, dire->size + 1) == FALSE) {
++ ERROR("File system corrupted: invalid characters in name\n");
++ goto corrupted;
++ }
++
+ TRACE("squashfs_opendir: directory entry %s, inode "
+ "%d:%d, type %d\n", dire->name,
+ dirh.start_block, dire->offset, dire->type);
+diff --git a/squashfs-tools/unsquashfs.h b/squashfs-tools/unsquashfs.h
+index 934618b2..db1da7a0 100644
+--- a/squashfs-tools/unsquashfs.h
++++ b/squashfs-tools/unsquashfs.h
+@@ -4,7 +4,7 @@
+ * Unsquash a squashfs filesystem. This is a highly compressed read only
+ * filesystem.
+ *
+- * Copyright (c) 2009, 2010, 2013, 2014, 2019
++ * Copyright (c) 2009, 2010, 2013, 2014, 2019, 2021
+ * Phillip Lougher <phillip@squashfs.org.uk>
+ *
+ * This program is free software; you can redistribute it and/or
+@@ -261,4 +261,7 @@ extern int read_ids(int, long long, long long, unsigned int **);
+
+ /* unsquash-34.c */
+ extern long long *alloc_index_table(int);
++
++/* unsquash-1234.c */
++extern int check_name(char *, int);
+ #endif
diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb b/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
index 2b1409d78d..083e597b03 100644
--- a/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
+++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
@@ -11,6 +11,7 @@ PV = "4.4"
SRCREV = "52eb4c279cd283ed9802dd1ceb686560b22ffb67"
SRC_URI = "git://github.com/plougher/squashfs-tools.git;protocol=https \
file://0001-squashfs-tools-fix-build-failure-against-gcc-10.patch;striplevel=2 \
+ file://CVE-2021-40153.patch;striplevel=2 \
"
S = "${WORKDIR}/git/squashfs-tools"
diff --git a/meta/recipes-extended/bash/bash.inc b/meta/recipes-extended/bash/bash.inc
index c7cf8cddd3..4e6176d2e6 100644
--- a/meta/recipes-extended/bash/bash.inc
+++ b/meta/recipes-extended/bash/bash.inc
@@ -49,6 +49,11 @@ do_compile_ptest () {
oe_runmake buildtest
}
+do_install_prepend () {
+ # Ensure determinism as this counter increases for each make call
+ rm -f ${B}/.build
+}
+
do_install_append () {
# Move /usr/bin/bash to /bin/bash, if need
if [ "${base_bindir}" != "${bindir}" ]; then
diff --git a/meta/recipes-extended/bzip2/bzip2/Makefile.am b/meta/recipes-extended/bzip2/bzip2/Makefile.am
index dcf64584d9..adc85a62b2 100644
--- a/meta/recipes-extended/bzip2/bzip2/Makefile.am
+++ b/meta/recipes-extended/bzip2/bzip2/Makefile.am
@@ -1,6 +1,6 @@
lib_LTLIBRARIES = libbz2.la
-libbz2_la_LDFLAGS = -version-info 1:6:0
+libbz2_la_LDFLAGS = -version-info 1:8:0
libbz2_la_SOURCES = blocksort.c \
huffman.c \
diff --git a/meta/recipes-extended/iputils/iputils/0001-arping-make-update-neighbours-work-again.patch b/meta/recipes-extended/iputils/iputils/0001-arping-make-update-neighbours-work-again.patch
new file mode 100644
index 0000000000..bf86115843
--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0001-arping-make-update-neighbours-work-again.patch
@@ -0,0 +1,79 @@
+From 86ed08936d49e2c81ef49dfbd02aca1c74d0c098 Mon Sep 17 00:00:00 2001
+From: lac-0073 <61903197+lac-0073@users.noreply.github.com>
+Date: Mon, 26 Oct 2020 09:45:42 +0800
+Subject: [PATCH] arpping: make update neighbours work again
+
+The arping is using inconsistent sender_ip_addr and target_ip_addr in
+messages. This causes the client receiving the arp message not to update
+the arp table entries.
+
+The specific performance is as follows:
+
+There is a machine 2 with IP 10.20.30.3 configured on eth0:0 that is in the
+same IP subnet as eth0. This IP was originally used on another machine 1,
+and th IP needs to be changed back to the machine 1. When using the arping
+command to announce what ethernet address has IP 10.20.30.3, the arp table
+on machine 3 is not updated.
+
+Machine 3 original arp table:
+
+ 10.20.30.3 machine 2 eth0:0 00:00:00:00:00:02
+ 10.20.30.2 machine 2 eth0 00:00:00:00:00:02
+ 10.20.30.1 machine 1 eth0 00:00:00:00:00:01
+
+Create interface eth0:0 on machine 1, and use the arping command to send arp
+packets. Expected outcome on machine 3:
+
+ 10.20.30.3 machine 1 eth0:0 00:00:00:00:00:01
+ 10.20.30.2 machine 2 eth0 00:00:00:00:00:02
+ 10.20.30.1 machine 1 eth0 00:00:00:00:00:01
+
+Actual results on machine 3:
+
+ 10.20.30.3 machine 2 eth0:0 00:00:00:00:00:02
+ 10.20.30.2 machine 2 eth0 00:00:00:00:00:02
+ 10.20.30.1 machine 1 eth0 00:00:00:00:00:01
+
+Fixes: https://github.com/iputils/iputils/issues/298
+Fixes: 68f12fc4a0dbef4ae4c404da24040d22c5a14339
+Signed-off-by: Aichun Li <liaichun@huawei.com>
+Upstream-Status: Backport [https://github.com/iputils/iputils/commit/86ed08936d49e2c81ef49dfbd02aca1c74d0c098]
+Signed-off-by: Visa Hankala <visa@hankala.org>
+---
+ arping.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/arping.c b/arping.c
+index a002786..53fdbb4 100644
+--- a/arping.c
++++ b/arping.c
+@@ -968,7 +968,7 @@ int main(int argc, char **argv)
+ }
+ memset(&saddr, 0, sizeof(saddr));
+ saddr.sin_family = AF_INET;
+- if (!ctl.unsolicited && (ctl.source || ctl.gsrc.s_addr)) {
++ if (ctl.source || ctl.gsrc.s_addr) {
+ saddr.sin_addr = ctl.gsrc;
+ if (bind(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
+ error(2, errno, "bind");
+@@ -979,12 +979,14 @@ int main(int argc, char **argv)
+ saddr.sin_port = htons(1025);
+ saddr.sin_addr = ctl.gdst;
+
+- if (setsockopt(probe_fd, SOL_SOCKET, SO_DONTROUTE, (char *)&on, sizeof(on)) == -1)
+- error(0, errno, _("WARNING: setsockopt(SO_DONTROUTE)"));
+- if (connect(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
+- error(2, errno, "connect");
+- if (getsockname(probe_fd, (struct sockaddr *)&saddr, &alen) == -1)
+- error(2, errno, "getsockname");
++ if (!ctl.unsolicited) {
++ if (setsockopt(probe_fd, SOL_SOCKET, SO_DONTROUTE, (char *)&on, sizeof(on)) == -1)
++ error(0, errno, _("WARNING: setsockopt(SO_DONTROUTE)"));
++ if (connect(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
++ error(2, errno, "connect");
++ if (getsockname(probe_fd, (struct sockaddr *)&saddr, &alen) == -1)
++ error(2, errno, "getsockname");
++ }
+ ctl.gsrc = saddr.sin_addr;
+ }
+ close(probe_fd);
diff --git a/meta/recipes-extended/iputils/iputils_s20190709.bb b/meta/recipes-extended/iputils/iputils_s20190709.bb
index d652bfcaad..b33b913817 100644
--- a/meta/recipes-extended/iputils/iputils_s20190709.bb
+++ b/meta/recipes-extended/iputils/iputils_s20190709.bb
@@ -20,6 +20,7 @@ SRC_URI = "git://github.com/iputils/iputils \
file://0003-arping-Fix-comparison-of-different-signedness-warnin.patch \
file://0004-arping-return-success-when-unsolicited-ARP-mode-dest.patch \
file://0005-arping-use-additional-timerfd-to-control-when-timeou.patch \
+ file://0001-arping-make-update-neighbours-work-again.patch \
"
SRCREV = "13e00847176aa23683d68fce1d17ffb523510946"
diff --git a/meta/recipes-extended/tar/tar_1.32.bb b/meta/recipes-extended/tar/tar_1.32.bb
index 0fe0b801c2..87eb8b4188 100644
--- a/meta/recipes-extended/tar/tar_1.32.bb
+++ b/meta/recipes-extended/tar/tar_1.32.bb
@@ -68,3 +68,4 @@ BBCLASSEXTEND = "native nativesdk"
# These are both specific to the NPM package node-tar
CVE_CHECK_WHITELIST += "CVE-2021-32803 CVE-2021-32804"
+CVE_CHECK_WHITELIST += "CVE-2021-37701 CVE-2021-37712 CVE-2021-37713"
diff --git a/meta/recipes-graphics/glew/glew/notempdir.patch b/meta/recipes-graphics/glew/glew/notempdir.patch
new file mode 100644
index 0000000000..8d79ce0cdf
--- /dev/null
+++ b/meta/recipes-graphics/glew/glew/notempdir.patch
@@ -0,0 +1,19 @@
+We don't use the dist-* targets and hence DIST_DIR isn't used. The current code
+creates a new temp directory in /tmp/ for every invocation of make. Lets
+not do that.
+
+Upstream-Status: Pending [a revised version would be needed for upstream]
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: glew-2.2.0/Makefile
+===================================================================
+--- glew-2.2.0.orig/Makefile
++++ glew-2.2.0/Makefile
+@@ -56,7 +56,6 @@ DIST_SRC_ZIP ?= $(shell pwd)/$(DIST_NAME
+ DIST_SRC_TGZ ?= $(shell pwd)/$(DIST_NAME).tgz
+ DIST_WIN32 ?= $(shell pwd)/$(DIST_NAME)-win32.zip
+
+-DIST_DIR := $(shell mktemp -d /tmp/glew.XXXXXX)/$(DIST_NAME)
+
+ # To disable stripping of linked binaries either:
+ # - use STRIP= on gmake command-line
diff --git a/meta/recipes-graphics/glew/glew_2.2.0.bb b/meta/recipes-graphics/glew/glew_2.2.0.bb
index 92b6083648..d7a26a3438 100644
--- a/meta/recipes-graphics/glew/glew_2.2.0.bb
+++ b/meta/recipes-graphics/glew/glew_2.2.0.bb
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=2ac251558de685c6b9478d89be3149c2"
SRC_URI = "${SOURCEFORGE_MIRROR}/project/glew/glew/${PV}/glew-${PV}.tgz \
file://0001-Fix-build-race-in-Makefile.patch \
+ file://notempdir.patch \
file://no-strip.patch"
SRC_URI[md5sum] = "3579164bccaef09e36c0af7f4fd5c7c7"
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index 69958c5631..b6c84d0f1c 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "b872fc896dcc555149f26c5dd683f7e6394852d6"
-SRCREV_meta ?= "719be4bd6c3c7575e7942dc016e3c3bb028f163d"
+SRCREV_machine ?= "7f67141bca949eff8953f965c26475286d1a20cf"
+SRCREV_meta ?= "e4ccb53f204f722583178a9249fbf5d745f0d56a"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.4.142"
+LINUX_VERSION ?= "5.4.144"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index 0178d172f8..5ee1d359b2 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.4.142"
+LINUX_VERSION ?= "5.4.144"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine_qemuarm ?= "4addf3f9e4f68bc7c03ea19ad95f2a4836ac9873"
-SRCREV_machine ?= "964802684eb1495bd1c5f625307b6d41515a3e9a"
-SRCREV_meta ?= "719be4bd6c3c7575e7942dc016e3c3bb028f163d"
+SRCREV_machine_qemuarm ?= "08336ce8b4ebc2b21c28488c85098c6816f3d99f"
+SRCREV_machine ?= "8220749d3e8643091b118d93a857333e2c91a1eb"
+SRCREV_meta ?= "e4ccb53f204f722583178a9249fbf5d745f0d56a"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index 7e35e082fb..ac0a72605d 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base"
KBRANCH_qemux86-64 ?= "v5.4/standard/base"
KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "9b1b66b01c88cf5035d148f37c70b8215c8fde15"
-SRCREV_machine_qemuarm64 ?= "e91700bf8d8130226679954a8137c5f3fd54b81d"
-SRCREV_machine_qemumips ?= "332bc089f06636156b9d5b2a04228c03c680c6d0"
-SRCREV_machine_qemuppc ?= "1bf103767b96923aa6ca76e9e095b04c13ce93cd"
-SRCREV_machine_qemuriscv64 ?= "108b8b822e7bbba492deafe60ee86839291c3250"
-SRCREV_machine_qemux86 ?= "108b8b822e7bbba492deafe60ee86839291c3250"
-SRCREV_machine_qemux86-64 ?= "108b8b822e7bbba492deafe60ee86839291c3250"
-SRCREV_machine_qemumips64 ?= "7b31f99f9e245d029de7fb9e3480f7b00f846b8f"
-SRCREV_machine ?= "108b8b822e7bbba492deafe60ee86839291c3250"
-SRCREV_meta ?= "719be4bd6c3c7575e7942dc016e3c3bb028f163d"
+SRCREV_machine_qemuarm ?= "78a2f9d323a755a34cdc96af4bcf61ffd32a3db0"
+SRCREV_machine_qemuarm64 ?= "aa6ec6934e35c8b0948f6b7c9bdbdef45d72be35"
+SRCREV_machine_qemumips ?= "a892524441b30e5e8c491e22e36e3473fc6a0fe0"
+SRCREV_machine_qemuppc ?= "784ca7c7837811123b5bd97cde964e45fbf5179b"
+SRCREV_machine_qemuriscv64 ?= "e3134debcf01f0aa20103e22fe2ef5fc7c201120"
+SRCREV_machine_qemux86 ?= "e3134debcf01f0aa20103e22fe2ef5fc7c201120"
+SRCREV_machine_qemux86-64 ?= "e3134debcf01f0aa20103e22fe2ef5fc7c201120"
+SRCREV_machine_qemumips64 ?= "d765ea7455bf978a9a86e8e90e032336b0baf887"
+SRCREV_machine ?= "e3134debcf01f0aa20103e22fe2ef5fc7c201120"
+SRCREV_meta ?= "e4ccb53f204f722583178a9249fbf5d745f0d56a"
# remap qemuarm to qemuarma15 for the 5.4 kernel
# KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.142"
+LINUX_VERSION ?= "5.4.144"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
diff --git a/meta/recipes-multimedia/libsamplerate/libsamplerate0/shared_version_info.patch b/meta/recipes-multimedia/libsamplerate/libsamplerate0/shared_version_info.patch
new file mode 100644
index 0000000000..b42d564b4b
--- /dev/null
+++ b/meta/recipes-multimedia/libsamplerate/libsamplerate0/shared_version_info.patch
@@ -0,0 +1,13 @@
+Index: libsamplerate-0.1.8/configure.ac
+===================================================================
+--- libsamplerate-0.1.8.orig/configure.ac
++++ libsamplerate-0.1.8/configure.ac
+@@ -53,7 +53,7 @@ AC_PROG_LN_S
+ # 6. If any interfaces have been removed since the last public release, then set age
+ # to 0.
+
+-SHARED_VERSION_INFO="1:8:1"
++SHARED_VERSION_INFO="1:9:1"
+
+
+
diff --git a/meta/recipes-multimedia/libsamplerate/libsamplerate0_0.1.9.bb b/meta/recipes-multimedia/libsamplerate/libsamplerate0_0.1.9.bb
index 6dfc42b436..8345d6880f 100644
--- a/meta/recipes-multimedia/libsamplerate/libsamplerate0_0.1.9.bb
+++ b/meta/recipes-multimedia/libsamplerate/libsamplerate0_0.1.9.bb
@@ -10,6 +10,7 @@ PR = "r1"
SRC_URI = "http://www.mega-nerd.com/SRC/libsamplerate-${PV}.tar.gz \
file://0001-configure.ac-improve-alsa-handling.patch \
+ file://shared_version_info.patch \
"
SRC_URI[md5sum] = "2b78ae9fe63b36b9fbb6267fad93f259"
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch
new file mode 100644
index 0000000000..6354f856cb
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch
@@ -0,0 +1,36 @@
+From a9815b3f228df00086e0a40bcc43162fc19896a1 Mon Sep 17 00:00:00 2001
+From: bobsayshilol <bobsayshilol@live.co.uk>
+Date: Wed, 17 Feb 2021 23:21:48 +0000
+Subject: [PATCH 1/2] wavlike: Fix incorrect size check
+
+The SF_CART_INFO_16K struct has an additional 4 byte field to hold
+the size of 'tag_text' which the file header doesn't, so don't
+include it as part of the check when looking for the max length.
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26026
+
+Upstream-Status: Backport
+CVE: CVE-2021-3246 patch 1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/wavlike.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+Index: libsndfile-1.0.28/src/wavlike.c
+===================================================================
+--- libsndfile-1.0.28.orig/src/wavlike.c
++++ libsndfile-1.0.28/src/wavlike.c
+@@ -803,7 +803,11 @@ wavlike_read_cart_chunk (SF_PRIVATE *psf
+ return 0 ;
+ } ;
+
+- if (chunksize >= sizeof (SF_CART_INFO_16K))
++ /*
++ ** SF_CART_INFO_16K has an extra field 'tag_text_size' that isn't part
++ ** of the chunk, so don't include it in the size check.
++ */
++ if (chunksize >= sizeof (SF_CART_INFO_16K) - 4)
+ { psf_log_printf (psf, "cart : %u too big to be handled\n", chunksize) ;
+ psf_binheader_readf (psf, "j", chunksize) ;
+ return 0 ;
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch
new file mode 100644
index 0000000000..d6b03d7d4d
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch
@@ -0,0 +1,44 @@
+From deb669ee8be55a94565f6f8a6b60890c2e7c6f32 Mon Sep 17 00:00:00 2001
+From: bobsayshilol <bobsayshilol@live.co.uk>
+Date: Thu, 18 Feb 2021 21:52:09 +0000
+Subject: [PATCH 2/2] ms_adpcm: Fix and extend size checks
+
+'blockalign' is the size of a block, and each block contains 7 samples
+per channel as part of the preamble, so check against 'samplesperblock'
+rather than 'blockalign'. Also add an additional check that the block
+is big enough to hold the samples it claims to hold.
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803
+
+Upstream-Status: Backport
+CVE: CVE-2021-3246 patch 2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/ms_adpcm.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/ms_adpcm.c b/src/ms_adpcm.c
+index 5e8f1a31..a21cb994 100644
+--- a/src/ms_adpcm.c
++++ b/src/ms_adpcm.c
+@@ -128,8 +128,14 @@ wavlike_msadpcm_init (SF_PRIVATE *psf, int blockalign, int samplesperblock)
+ if (psf->file.mode == SFM_WRITE)
+ samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ;
+
+- if (blockalign < 7 * psf->sf.channels)
+- { psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ;
++ /* There's 7 samples per channel in the preamble of each block */
++ if (samplesperblock < 7 * psf->sf.channels)
++ { psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
++ return SFE_INTERNAL ;
++ } ;
++
++ if (2 * blockalign < samplesperblock * psf->sf.channels)
++ { psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
+ return SFE_INTERNAL ;
+ } ;
+
+--
+2.25.1
+
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index 044881a859..2525af8fe0 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -20,6 +20,8 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
file://CVE-2017-12562.patch \
file://CVE-2018-19758.patch \
file://CVE-2019-3832.patch \
+ file://CVE-2021-3246_1.patch \
+ file://CVE-2021-3246_2.patch \
"
SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"
diff --git a/meta/recipes-sato/images/core-image-sato.bb b/meta/recipes-sato/images/core-image-sato.bb
index e50b24a476..300d8e0d43 100644
--- a/meta/recipes-sato/images/core-image-sato.bb
+++ b/meta/recipes-sato/images/core-image-sato.bb
@@ -13,4 +13,5 @@ TOOLCHAIN_HOST_TASK_append = " nativesdk-intltool nativesdk-glib-2.0"
TOOLCHAIN_HOST_TASK_remove_task-populate-sdk-ext = " nativesdk-intltool nativesdk-glib-2.0"
QB_MEM = '${@bb.utils.contains("DISTRO_FEATURES", "opengl", "-m 512", "-m 256", d)}'
+QB_MEM_qemuarmv5 = "-m 256"
QB_MEM_qemumips = "-m 256"
diff --git a/meta/recipes-support/apr/apr/CVE-2021-35940.patch b/meta/recipes-support/apr/apr/CVE-2021-35940.patch
new file mode 100644
index 0000000000..00befdacee
--- /dev/null
+++ b/meta/recipes-support/apr/apr/CVE-2021-35940.patch
@@ -0,0 +1,58 @@
+
+SECURITY: CVE-2021-35940 (cve.mitre.org)
+
+Restore fix for CVE-2017-12613 which was missing in 1.7.x branch, though
+was addressed in 1.6.x in 1.6.3 and later via r1807976.
+
+The fix was merged back to 1.7.x in r1891198.
+
+Since this was a regression in 1.7.0, a new CVE name has been assigned
+to track this, CVE-2021-35940.
+
+Thanks to Iveta Cesalova <icesalov redhat.com> for reporting this issue.
+
+https://svn.apache.org/viewvc?view=revision&revision=1891198
+
+Upstream-Status: Backport
+CVE: CVE-2021-35940
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+
+Index: time/unix/time.c
+===================================================================
+--- a/time/unix/time.c (revision 1891197)
++++ b/time/unix/time.c (revision 1891198)
+@@ -142,6 +142,9 @@
+ static const int dayoffset[12] =
+ {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+
++ if (xt->tm_mon < 0 || xt->tm_mon >= 12)
++ return APR_EBADDATE;
++
+ /* shift new year to 1st March in order to make leap year calc easy */
+
+ if (xt->tm_mon < 2)
+Index: time/win32/time.c
+===================================================================
+--- a/time/win32/time.c (revision 1891197)
++++ b/time/win32/time.c (revision 1891198)
+@@ -54,6 +54,9 @@
+ static const int dayoffset[12] =
+ {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
+
++ if (tm->wMonth < 1 || tm->wMonth > 12)
++ return APR_EBADDATE;
++
+ /* Note; the caller is responsible for filling in detailed tm_usec,
+ * tm_gmtoff and tm_isdst data when applicable.
+ */
+@@ -228,6 +231,9 @@
+ static const int dayoffset[12] =
+ {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+
++ if (xt->tm_mon < 0 || xt->tm_mon >= 12)
++ return APR_EBADDATE;
++
+ /* shift new year to 1st March in order to make leap year calc easy */
+
+ if (xt->tm_mon < 2)
diff --git a/meta/recipes-support/apr/apr_1.7.0.bb b/meta/recipes-support/apr/apr_1.7.0.bb
index 432fa3255c..92cc61a864 100644
--- a/meta/recipes-support/apr/apr_1.7.0.bb
+++ b/meta/recipes-support/apr/apr_1.7.0.bb
@@ -23,6 +23,7 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.bz2 \
file://0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch \
file://libtoolize_check.patch \
file://0001-Add-option-to-disable-timed-dependant-tests.patch \
+ file://CVE-2021-35940.patch \
"
SRC_URI[md5sum] = "7a14a83d664e87599ea25ff4432e48a7"
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch b/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch
new file mode 100644
index 0000000000..4afd755149
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch
@@ -0,0 +1,86 @@
+Backport of:
+
+From 1397a7de6e312e019a3b339f855ba0a5cafa9127 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 21 Sep 2020 09:15:51 +0200
+Subject: [PATCH] ftp: separate FTPS from FTP over "HTTPS proxy"
+
+When using HTTPS proxy, SSL is used but not in the view of the FTP
+protocol handler itself so separate the connection's use of SSL from the
+FTP control connection's sue.
+
+Reported-by: Mingtao Yang
+Fixes #5523
+Closes #6006
+
+Upstream-Status: backport from 7.68.0-1ubuntu2.7
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+---
+ lib/ftp.c | 13 ++++++-------
+ lib/urldata.h | 1 +
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 3382772..677527f 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2488,7 +2488,7 @@ static CURLcode ftp_state_loggedin(struct connectdata *conn)
+ {
+ CURLcode result = CURLE_OK;
+
+- if(conn->ssl[FIRSTSOCKET].use) {
++ if(conn->bits.ftp_use_control_ssl) {
+ /* PBSZ = PROTECTION BUFFER SIZE.
+
+ The 'draft-murray-auth-ftp-ssl' (draft 12, page 7) says:
+@@ -2633,11 +2633,8 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ }
+ #endif
+
+- if(data->set.use_ssl &&
+- (!conn->ssl[FIRSTSOCKET].use ||
+- (conn->bits.proxy_ssl_connected[FIRSTSOCKET] &&
+- !conn->proxy_ssl[FIRSTSOCKET].use))) {
+- /* We don't have a SSL/TLS connection yet, but FTPS is
++ if(data->set.use_ssl && !conn->bits.ftp_use_control_ssl) {
++ /* We don't have a SSL/TLS control connection yet, but FTPS is
+ requested. Try a FTPS connection now */
+
+ ftpc->count3 = 0;
+@@ -2682,6 +2679,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ result = Curl_ssl_connect(conn, FIRSTSOCKET);
+ if(!result) {
+ conn->bits.ftp_use_data_ssl = FALSE; /* clear-text data */
++ conn->bits.ftp_use_control_ssl = TRUE; /* SSL on control */
+ result = ftp_state_user(conn);
+ }
+ }
+@@ -3072,7 +3070,7 @@ static CURLcode ftp_block_statemach(struct connectdata *conn)
+ *
+ */
+ static CURLcode ftp_connect(struct connectdata *conn,
+- bool *done) /* see description above */
++ bool *done) /* see description above */
+ {
+ CURLcode result;
+ struct ftp_conn *ftpc = &conn->proto.ftpc;
+@@ -3093,6 +3091,7 @@ static CURLcode ftp_connect(struct connectdata *conn,
+ result = Curl_ssl_connect(conn, FIRSTSOCKET);
+ if(result)
+ return result;
++ conn->bits.ftp_use_control_ssl = TRUE;
+ }
+
+ Curl_pp_init(pp); /* init the generic pingpong data */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index ff2d686..d1fb4a9 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -461,6 +461,7 @@ struct ConnectBits {
+ EPRT doesn't work we disable it for the forthcoming
+ requests */
+ BIT(ftp_use_data_ssl); /* Enabled SSL for the data connection */
++ BIT(ftp_use_control_ssl); /* Enabled SSL for the control connection */
+ #endif
+ BIT(netrc); /* name+password provided by netrc */
+ BIT(userpwd_in_url); /* name+password found in url */
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946.patch b/meta/recipes-support/curl/curl/CVE-2021-22946.patch
new file mode 100644
index 0000000000..98032d8b78
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22946.patch
@@ -0,0 +1,328 @@
+Backport of:
+
+From 96d71feb27e533a8b337512841a537952916262c Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Wed, 8 Sep 2021 11:56:22 +0200
+Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd
+
+In imap and pop3, check if TLS is required even when capabilities
+request has failed.
+
+In ftp, ignore preauthentication (230 status of server greeting) if TLS
+is required.
+
+Bug: https://curl.se/docs/CVE-2021-22946.html
+Upstream-Status: backport from 7.68.0-1ubuntu2.7
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+CVE: CVE-2021-22946
+---
+ lib/ftp.c | 9 ++++---
+ lib/imap.c | 24 ++++++++----------
+ lib/pop3.c | 33 +++++++++++-------------
+ tests/data/Makefile.inc | 2 ++
+ tests/data/test984 | 56 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test985 | 54 +++++++++++++++++++++++++++++++++++++++
+ tests/data/test986 | 53 ++++++++++++++++++++++++++++++++++++++
+ 7 files changed, 195 insertions(+), 36 deletions(-)
+ create mode 100644 tests/data/test984
+ create mode 100644 tests/data/test985
+ create mode 100644 tests/data/test986
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 677527f..91b43d8 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2606,9 +2606,12 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ /* we have now received a full FTP server response */
+ switch(ftpc->state) {
+ case FTP_WAIT220:
+- if(ftpcode == 230)
+- /* 230 User logged in - already! */
+- return ftp_state_user_resp(conn, ftpcode, ftpc->state);
++ if(ftpcode == 230) {
++ /* 230 User logged in - already! Take as 220 if TLS required. */
++ if(data->set.use_ssl <= CURLUSESSL_TRY ||
++ conn->bits.ftp_use_control_ssl)
++ return ftp_state_user_resp(conn, ftpcode, ftpc->state);
++ }
+ else if(ftpcode != 220) {
+ failf(data, "Got a %03d ftp-server response when 220 was expected",
+ ftpcode);
+diff --git a/lib/imap.c b/lib/imap.c
+index 66172bd..9880ce1 100644
+--- a/lib/imap.c
++++ b/lib/imap.c
+@@ -917,22 +917,18 @@ static CURLcode imap_state_capability_resp(struct connectdata *conn,
+ line += wordlen;
+ }
+ }
+- else if(imapcode == IMAP_RESP_OK) {
+- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
+- /* We don't have a SSL/TLS connection yet, but SSL is requested */
+- if(imapc->tls_supported)
+- /* Switch to TLS connection now */
+- result = imap_perform_starttls(conn);
+- else if(data->set.use_ssl == CURLUSESSL_TRY)
+- /* Fallback and carry on with authentication */
+- result = imap_perform_authentication(conn);
+- else {
+- failf(data, "STARTTLS not supported.");
+- result = CURLE_USE_SSL_FAILED;
+- }
++ else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
++ /* PREAUTH is not compatible with STARTTLS. */
++ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
++ /* Switch to TLS connection now */
++ result = imap_perform_starttls(conn);
+ }
+- else
++ else if(data->set.use_ssl <= CURLUSESSL_TRY)
+ result = imap_perform_authentication(conn);
++ else {
++ failf(data, "STARTTLS not available.");
++ result = CURLE_USE_SSL_FAILED;
++ }
+ }
+ else
+ result = imap_perform_authentication(conn);
+diff --git a/lib/pop3.c b/lib/pop3.c
+index 57c1373..145b2b4 100644
+--- a/lib/pop3.c
++++ b/lib/pop3.c
+@@ -721,28 +721,23 @@ static CURLcode pop3_state_capa_resp(struct connectdata *conn, int pop3code,
+ }
+ }
+ }
+- else if(pop3code == '+') {
+- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
+- /* We don't have a SSL/TLS connection yet, but SSL is requested */
+- if(pop3c->tls_supported)
+- /* Switch to TLS connection now */
+- result = pop3_perform_starttls(conn);
+- else if(data->set.use_ssl == CURLUSESSL_TRY)
+- /* Fallback and carry on with authentication */
+- result = pop3_perform_authentication(conn);
+- else {
+- failf(data, "STLS not supported.");
+- result = CURLE_USE_SSL_FAILED;
+- }
+- }
+- else
+- result = pop3_perform_authentication(conn);
+- }
+ else {
+ /* Clear text is supported when CAPA isn't recognised */
+- pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
++ if(pop3code != '+')
++ pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
+
+- result = pop3_perform_authentication(conn);
++ if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)
++ result = pop3_perform_authentication(conn);
++ else if(pop3code == '+' && pop3c->tls_supported)
++ /* Switch to TLS connection now */
++ result = pop3_perform_starttls(conn);
++ else if(data->set.use_ssl <= CURLUSESSL_TRY)
++ /* Fallback and carry on with authentication */
++ result = pop3_perform_authentication(conn);
++ else {
++ failf(data, "STLS not supported.");
++ result = CURLE_USE_SSL_FAILED;
++ }
+ }
+
+ return result;
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index f9535a6..0fa6799 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -112,6 +112,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
+ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
+ test963 test964 test965 test966 test967 test968 test969 \
+ \
++test984 test985 test986 \
++\
+ test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
+ test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
+ test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \
+diff --git a/tests/data/test984 b/tests/data/test984
+new file mode 100644
+index 0000000..e573f23
+--- /dev/null
++++ b/tests/data/test984
+@@ -0,0 +1,56 @@
++<testcase>
++<info>
++<keywords>
++IMAP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY CAPABILITY A001 BAD Not implemented
++</servercmd>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++imap
++</server>
++ <name>
++IMAP require STARTTLS with failing capabilities
++ </name>
++ <command>
++imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
++</command>
++<file name="log/upload%TESTNUMBER">
++Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
++From: Fred Foobar <foobar@example.COM>
++Subject: afternoon meeting
++To: joe@example.com
++Message-Id: <B27397-0100000@example.COM>
++MIME-Version: 1.0
++Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
++
++Hello Joe, do you think we can meet at 3:30 tomorrow?
++</file>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 64 is CURLE_USE_SSL_FAILED
++<errorcode>
++64
++</errorcode>
++<protocol>
++A001 CAPABILITY
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test985 b/tests/data/test985
+new file mode 100644
+index 0000000..d0db4aa
+--- /dev/null
++++ b/tests/data/test985
+@@ -0,0 +1,54 @@
++<testcase>
++<info>
++<keywords>
++POP3
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY CAPA -ERR Not implemented
++</servercmd>
++<data nocheck="yes">
++From: me@somewhere
++To: fake@nowhere
++
++body
++
++--
++ yours sincerely
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++pop3
++</server>
++ <name>
++POP3 require STARTTLS with failing capabilities
++ </name>
++ <command>
++pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
++ </command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 64 is CURLE_USE_SSL_FAILED
++<errorcode>
++64
++</errorcode>
++<protocol>
++CAPA
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test986 b/tests/data/test986
+new file mode 100644
+index 0000000..a709437
+--- /dev/null
++++ b/tests/data/test986
+@@ -0,0 +1,53 @@
++<testcase>
++<info>
++<keywords>
++FTP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY welcome 230 Welcome
++REPLY AUTH 500 unknown command
++</servercmd>
++</reply>
++
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++ftp
++</server>
++ <name>
++FTP require STARTTLS while preauthenticated
++ </name>
++<file name="log/test%TESTNUMBER.txt">
++data
++ to
++ see
++that FTPS
++works
++ so does it?
++</file>
++ <command>
++--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++# 64 is CURLE_USE_SSL_FAILED
++<errorcode>
++64
++</errorcode>
++<protocol>
++AUTH SSL
++AUTH TLS
++</protocol>
++</verify>
++</testcase>
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22947.patch b/meta/recipes-support/curl/curl/CVE-2021-22947.patch
new file mode 100644
index 0000000000..070a328e27
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22947.patch
@@ -0,0 +1,352 @@
+Backport of:
+
+From 259b4f2e1fd01fbc55e569ee0a507afeae34f77c Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Tue, 7 Sep 2021 13:26:42 +0200
+Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response
+ pipelining
+
+If a server pipelines future responses within the STARTTLS response, the
+former are preserved in the pingpong cache across TLS negotiation and
+used as responses to the encrypted commands.
+
+This fix detects pipelined STARTTLS responses and rejects them with an
+error.
+
+Bug: https://curl.se/docs/CVE-2021-22947.html
+Upstream-Status: backport from 7.68.0-1ubuntu2.7
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+CVE: CVE-2021-22947
+
+---
+ lib/ftp.c | 3 +++
+ lib/imap.c | 4 +++
+ lib/pop3.c | 4 +++
+ lib/smtp.c | 4 +++
+ tests/data/Makefile.inc | 2 ++
+ tests/data/test980 | 52 ++++++++++++++++++++++++++++++++++++
+ tests/data/test981 | 59 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test982 | 57 +++++++++++++++++++++++++++++++++++++++
+ tests/data/test983 | 52 ++++++++++++++++++++++++++++++++++++
+ 9 files changed, 237 insertions(+)
+ create mode 100644 tests/data/test980
+ create mode 100644 tests/data/test981
+ create mode 100644 tests/data/test982
+ create mode 100644 tests/data/test983
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 91b43d8..31a34e8 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2670,6 +2670,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ case FTP_AUTH:
+ /* we have gotten the response to a previous AUTH command */
+
++ if(pp->cache_size)
++ return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */
++
+ /* RFC2228 (page 5) says:
+ *
+ * If the server is willing to accept the named security mechanism,
+diff --git a/lib/imap.c b/lib/imap.c
+index 9880ce1..0ca700f 100644
+--- a/lib/imap.c
++++ b/lib/imap.c
+@@ -946,6 +946,10 @@ static CURLcode imap_state_starttls_resp(struct connectdata *conn,
+
+ (void)instate; /* no use for this yet */
+
++ /* Pipelining in response is forbidden. */
++ if(data->conn->proto.imapc.pp.cache_size)
++ return CURLE_WEIRD_SERVER_REPLY;
++
+ if(imapcode != IMAP_RESP_OK) {
+ if(data->set.use_ssl != CURLUSESSL_TRY) {
+ failf(data, "STARTTLS denied");
+diff --git a/lib/pop3.c b/lib/pop3.c
+index 145b2b4..8a2d52e 100644
+--- a/lib/pop3.c
++++ b/lib/pop3.c
+@@ -753,6 +753,10 @@ static CURLcode pop3_state_starttls_resp(struct connectdata *conn,
+
+ (void)instate; /* no use for this yet */
+
++ /* Pipelining in response is forbidden. */
++ if(data->conn->proto.pop3c.pp.cache_size)
++ return CURLE_WEIRD_SERVER_REPLY;
++
+ if(pop3code != '+') {
+ if(data->set.use_ssl != CURLUSESSL_TRY) {
+ failf(data, "STARTTLS denied");
+diff --git a/lib/smtp.c b/lib/smtp.c
+index e187287..66183e2 100644
+--- a/lib/smtp.c
++++ b/lib/smtp.c
+@@ -820,6 +820,10 @@ static CURLcode smtp_state_starttls_resp(struct connectdata *conn,
+
+ (void)instate; /* no use for this yet */
+
++ /* Pipelining in response is forbidden. */
++ if(data->conn->proto.smtpc.pp.cache_size)
++ return CURLE_WEIRD_SERVER_REPLY;
++
+ if(smtpcode != 220) {
+ if(data->set.use_ssl != CURLUSESSL_TRY) {
+ failf(data, "STARTTLS denied, code %d", smtpcode);
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 0fa6799..60e8176 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -112,6 +112,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
+ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
+ test963 test964 test965 test966 test967 test968 test969 \
+ \
++test980 test981 test982 test983 \
++\
+ test984 test985 test986 \
+ \
+ test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
+diff --git a/tests/data/test980 b/tests/data/test980
+new file mode 100644
+index 0000000..97567f8
+--- /dev/null
++++ b/tests/data/test980
+@@ -0,0 +1,52 @@
++<testcase>
++<info>
++<keywords>
++SMTP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++CAPA STARTTLS
++AUTH PLAIN
++REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted
++REPLY AUTH 535 5.7.8 Authentication credentials invalid
++</servercmd>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++smtp
++</server>
++ <name>
++SMTP STARTTLS pipelined server response
++ </name>
++<stdin>
++mail body
++</stdin>
++ <command>
++smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T -
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 8 is CURLE_WEIRD_SERVER_REPLY
++<errorcode>
++8
++</errorcode>
++<protocol>
++EHLO %TESTNUMBER
++STARTTLS
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test981 b/tests/data/test981
+new file mode 100644
+index 0000000..2b98ce4
+--- /dev/null
++++ b/tests/data/test981
+@@ -0,0 +1,59 @@
++<testcase>
++<info>
++<keywords>
++IMAP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++CAPA STARTTLS
++REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted
++REPLY LOGIN A003 BAD Authentication credentials invalid
++</servercmd>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++imap
++</server>
++ <name>
++IMAP STARTTLS pipelined server response
++ </name>
++ <command>
++imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl
++</command>
++<file name="log/upload%TESTNUMBER">
++Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
++From: Fred Foobar <foobar@example.COM>
++Subject: afternoon meeting
++To: joe@example.com
++Message-Id: <B27397-0100000@example.COM>
++MIME-Version: 1.0
++Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
++
++Hello Joe, do you think we can meet at 3:30 tomorrow?
++</file>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 8 is CURLE_WEIRD_SERVER_REPLY
++<errorcode>
++8
++</errorcode>
++<protocol>
++A001 CAPABILITY
++A002 STARTTLS
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test982 b/tests/data/test982
+new file mode 100644
+index 0000000..9e07cc0
+--- /dev/null
++++ b/tests/data/test982
+@@ -0,0 +1,57 @@
++<testcase>
++<info>
++<keywords>
++POP3
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++CAPA STLS USER
++REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated
++REPLY PASS -ERR Authentication credentials invalid
++</servercmd>
++<data nocheck="yes">
++From: me@somewhere
++To: fake@nowhere
++
++body
++
++--
++ yours sincerely
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++pop3
++</server>
++ <name>
++POP3 STARTTLS pipelined server response
++ </name>
++ <command>
++pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl
++ </command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 8 is CURLE_WEIRD_SERVER_REPLY
++<errorcode>
++8
++</errorcode>
++<protocol>
++CAPA
++STLS
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test983 b/tests/data/test983
+new file mode 100644
+index 0000000..300ec45
+--- /dev/null
++++ b/tests/data/test983
+@@ -0,0 +1,52 @@
++<testcase>
++<info>
++<keywords>
++FTP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete
++REPLY PASS 530 Login incorrect
++</servercmd>
++</reply>
++
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++ftp
++</server>
++ <name>
++FTP STARTTLS pipelined server response
++ </name>
++<file name="log/test%TESTNUMBER.txt">
++data
++ to
++ see
++that FTPS
++works
++ so does it?
++</file>
++ <command>
++--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++# 8 is CURLE_WEIRD_SERVER_REPLY
++<errorcode>
++8
++</errorcode>
++<protocol>
++AUTH SSL
++</protocol>
++</verify>
++</testcase>
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 21c673feda..d7ffb2dc50 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -22,6 +22,9 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://CVE-2021-22898.patch \
file://CVE-2021-22924.patch \
file://CVE-2021-22925.patch \
+ file://CVE-2021-22946-pre1.patch \
+ file://CVE-2021-22946.patch \
+ file://CVE-2021-22947.patch \
"
SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
@@ -29,7 +32,7 @@ SRC_URI[sha256sum] = "2ff5e5bd507adf6aa88ff4bbafd4c7af464867ffb688be93b9930717a5
# Curl has used many names over the years...
CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
-CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926"
+CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-22945"
inherit autotools pkgconfig binconfig multilib_header
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
new file mode 100644
index 0000000000..c0d00485e6
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
@@ -0,0 +1,109 @@
+From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Fri, 21 May 2021 11:15:07 +0900
+Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
+
+* cipher/elgamal.c (gen_k): Remove support of smaller K.
+(do_encrypt): Never use smaller K.
+(sign): Folllow the change of gen_k.
+
+--
+
+Cherry-pick master commit of:
+ 632d80ef30e13de6926d503aa697f92b5dbfbc5e
+
+This change basically reverts encryption changes in two commits:
+
+ 74386120dad6b3da62db37f7044267c8ef34689b
+ 78531373a342aeb847950f404343a05e36022065
+
+Use of smaller K for ephemeral key in ElGamal encryption is only good,
+when we can guarantee that recipient's key is generated by our
+implementation (or compatible).
+
+For detail, please see:
+
+ Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
+ "On the (in)security of ElGamal in OpenPGP";
+ in the proceedings of CCS'2021.
+
+CVE-id: CVE-2021-33560
+GnuPG-bug-id: 5328
+Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-33560
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ cipher/elgamal.c | 24 ++++++------------------
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index 4eb52d62..ae7a631e 100644
+--- a/cipher/elgamal.c
++++ b/cipher/elgamal.c
+@@ -66,7 +66,7 @@ static const char *elg_names[] =
+
+
+ static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
+-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
++static gcry_mpi_t gen_k (gcry_mpi_t p);
+ static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
+ gcry_mpi_t **factors);
+ static int check_secret_key (ELG_secret_key *sk);
+@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
+
+ /****************
+ * Generate a random secret exponent k from prime p, so that k is
+- * relatively prime to p-1. With SMALL_K set, k will be selected for
+- * better encryption performance - this must never be used signing!
++ * relatively prime to p-1.
+ */
+ static gcry_mpi_t
+-gen_k( gcry_mpi_t p, int small_k )
++gen_k( gcry_mpi_t p )
+ {
+ gcry_mpi_t k = mpi_alloc_secure( 0 );
+ gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
+@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
+ unsigned int nbits, nbytes;
+ char *rndbuf = NULL;
+
+- if (small_k)
+- {
+- /* Using a k much lesser than p is sufficient for encryption and
+- * it greatly improves the encryption performance. We use
+- * Wiener's table and add a large safety margin. */
+- nbits = wiener_map( orig_nbits ) * 3 / 2;
+- if( nbits >= orig_nbits )
+- BUG();
+- }
+- else
+- nbits = orig_nbits;
+-
++ nbits = orig_nbits;
+
+ nbytes = (nbits+7)/8;
+ if( DBG_CIPHER )
+@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+ * error code.
+ */
+
+- k = gen_k( pkey->p, 1 );
++ k = gen_k( pkey->p );
+ mpi_powm (a, pkey->g, k, pkey->p);
+
+ /* b = (y^k * input) mod p
+@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
+ *
+ */
+ mpi_sub_ui(p_1, p_1, 1);
+- k = gen_k( skey->p, 0 /* no small K ! */ );
++ k = gen_k( skey->p );
+ mpi_powm( a, skey->g, k, skey->p );
+ mpi_mul(t, skey->x, a );
+ mpi_subm(t, input, t, p_1 );
+--
+2.30.2
+
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
index 16a58ad9b8..174b087b24 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
@@ -28,6 +28,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \
file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \
file://determinism.patch \
+ file://CVE-2021-33560.patch \
"
SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743"
SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3"
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb
index 65b32557e7..e42ac30bf2 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb
@@ -7,7 +7,7 @@ SECTION = "x11/gnome/libs"
LICENSE = "LGPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2"
-DEPENDS = "glib-2.0 glib-2.0-native libxml2 sqlite3 intltool-native libpsl"
+DEPENDS = "glib-2.0 glib-2.0-native libxml2 sqlite3 libpsl"
SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch
new file mode 100644
index 0000000000..cfc0f382fa
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch
@@ -0,0 +1,215 @@
+Backport of:
+
+From a63893791280d441c713293491da97c79c0950fe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Thu, 11 Mar 2021 19:37:41 +0100
+Subject: [PATCH] New functions ecc_mod_mul_canonical and
+ ecc_mod_sqr_canonical.
+
+* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+New functions.
+* ecc-internal.h: Declare and document new functions.
+* curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
+* curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
+* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
+* ecc-j-to-a.c (ecc_j_to_a): Likewise.
+* ecc-mul-m.c (ecc_mul_m): Likewise.
+
+(cherry picked from commit 2bf497ba4d6acc6f352bca015837fad33008565c)
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-1.patch
+CVE: CVE-2021-20305 dep1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 11 +++++++++++
+ curve25519-eh-to-x.c | 6 +-----
+ curve448-eh-to-x.c | 5 +----
+ ecc-eh-to-a.c | 12 ++----------
+ ecc-internal.h | 15 +++++++++++++++
+ ecc-j-to-a.c | 15 +++------------
+ ecc-mod-arith.c | 24 ++++++++++++++++++++++++
+ ecc-mul-m.c | 6 ++----
+ 8 files changed, 59 insertions(+), 35 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index fd138d82..5cc5c188 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,3 +1,14 @@
+#+2021-03-11 Niels Möller <nisse@lysator.liu.se>
+#+
+#+ * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+#+ New functions.
+#+ * ecc-internal.h: Declare and document new functions.
+#+ * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
+#+ * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
+#+ * ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
+#+ * ecc-j-to-a.c (ecc_j_to_a): Likewise.
+#+ * ecc-mul-m.c (ecc_mul_m): Likewise.
+#+
+# 2021-02-17 Niels Möller <nisse@lysator.liu.se>
+#
+# * Released Nettle-3.7.1.
+Index: nettle-3.5.1/curve25519-eh-to-x.c
+===================================================================
+--- nettle-3.5.1.orig/curve25519-eh-to-x.c
++++ nettle-3.5.1/curve25519-eh-to-x.c
+@@ -53,7 +53,6 @@ curve25519_eh_to_x (mp_limb_t *xp, const
+ #define t2 (scratch + 2*ecc->p.size)
+
+ const struct ecc_curve *ecc = &_nettle_curve25519;
+- mp_limb_t cy;
+
+ /* If u = U/W and v = V/W are the coordiantes of the point on the
+ Edwards curve we get the curve25519 x coordinate as
+@@ -69,10 +68,7 @@ curve25519_eh_to_x (mp_limb_t *xp, const
+ ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size);
+
+ ecc_modp_add (ecc, t0, wp, vp);
+- ecc_modp_mul (ecc, t2, t0, t1);
+-
+- cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size);
+- cnd_copy (cy, xp, t2, ecc->p.size);
++ ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, t2);
+ #undef vp
+ #undef wp
+ #undef t0
+Index: nettle-3.5.1/ecc-eh-to-a.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-eh-to-a.c
++++ nettle-3.5.1/ecc-eh-to-a.c
+@@ -59,9 +59,7 @@ ecc_eh_to_a (const struct ecc_curve *ecc
+ /* Needs 2*size + scratch for the invert call. */
+ ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size);
+
+- ecc_modp_mul (ecc, tp, xp, izp);
+- cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size);
+- cnd_copy (cy, r, tp, ecc->p.size);
++ ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp);
+
+ if (op)
+ {
+@@ -81,7 +79,5 @@ ecc_eh_to_a (const struct ecc_curve *ecc
+ }
+ return;
+ }
+- ecc_modp_mul (ecc, tp, yp, izp);
+- cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
+- cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
++ ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp);
+ }
+Index: nettle-3.5.1/ecc-internal.h
+===================================================================
+--- nettle-3.5.1.orig/ecc-internal.h
++++ nettle-3.5.1/ecc-internal.h
+@@ -49,6 +49,8 @@
+ #define ecc_mod_submul_1 _nettle_ecc_mod_submul_1
+ #define ecc_mod_mul _nettle_ecc_mod_mul
+ #define ecc_mod_sqr _nettle_ecc_mod_sqr
++#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical
++#define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical
+ #define ecc_mod_random _nettle_ecc_mod_random
+ #define ecc_mod _nettle_ecc_mod
+ #define ecc_mod_inv _nettle_ecc_mod_inv
+@@ -263,6 +265,19 @@ ecc_mod_sqr (const struct ecc_modulo *m,
+ #define ecc_modq_mul(ecc, r, a, b) \
+ ecc_mod_mul (&(ecc)->q, (r), (a), (b))
+
++/* These mul and sqr functions produce a canonical result, 0 <= R < M.
++ Requirements on input and output areas are similar to the above
++ functions, except that it is *not* allowed to pass rp = rp +
++ m->size.
++ */
++void
++ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
++ const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp);
++
++void
++ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
++ const mp_limb_t *ap, mp_limb_t *tp);
++
+ /* mod q operations. */
+ void
+ ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp,
+Index: nettle-3.5.1/ecc-j-to-a.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-j-to-a.c
++++ nettle-3.5.1/ecc-j-to-a.c
+@@ -51,8 +51,6 @@ ecc_j_to_a (const struct ecc_curve *ecc,
+ #define izBp (scratch + 3*ecc->p.size)
+ #define tp scratch
+
+- mp_limb_t cy;
+-
+ if (ecc->use_redc)
+ {
+ /* Set v = (r_z / B^2)^-1,
+@@ -86,17 +84,14 @@ ecc_j_to_a (const struct ecc_curve *ecc,
+ ecc_modp_sqr (ecc, iz2p, izp);
+ }
+
+- ecc_modp_mul (ecc, iz3p, iz2p, p);
+- /* ecc_modp (and ecc_modp_mul) may return a value up to 2p - 1, so
+- do a conditional subtraction. */
+- cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size);
+- cnd_copy (cy, r, iz3p, ecc->p.size);
++ ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p);
+
+ if (op)
+ {
+ /* Skip y coordinate */
+ if (op > 1)
+ {
++ mp_limb_t cy;
+ /* Also reduce the x coordinate mod ecc->q. It should
+ already be < 2*ecc->q, so one subtraction should
+ suffice. */
+@@ -106,10 +101,7 @@ ecc_j_to_a (const struct ecc_curve *ecc,
+ return;
+ }
+ ecc_modp_mul (ecc, iz3p, iz2p, izp);
+- ecc_modp_mul (ecc, tp, iz3p, p + ecc->p.size);
+- /* And a similar subtraction. */
+- cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
+- cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
++ ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, iz3p);
+
+ #undef izp
+ #undef up
+Index: nettle-3.5.1/ecc-mod-arith.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-mod-arith.c
++++ nettle-3.5.1/ecc-mod-arith.c
+@@ -119,6 +119,30 @@ ecc_mod_mul (const struct ecc_modulo *m,
+ }
+
+ void
++ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
++ const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp)
++{
++ mp_limb_t cy;
++ mpn_mul_n (tp + m->size, ap, bp, m->size);
++ m->reduce (m, tp + m->size);
++
++ cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
++ cnd_copy (cy, rp, tp + m->size, m->size);
++}
++
++void
++ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
++ const mp_limb_t *ap, mp_limb_t *tp)
++{
++ mp_limb_t cy;
++ mpn_sqr (tp + m->size, ap, m->size);
++ m->reduce (m, tp + m->size);
++
++ cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
++ cnd_copy (cy, rp, tp + m->size, m->size);
++}
++
++void
+ ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp,
+ const mp_limb_t *ap)
+ {
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch
new file mode 100644
index 0000000000..bb56b14c8c
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch
@@ -0,0 +1,53 @@
+Backport of:
+
+From 971bed6ab4b27014eb23085e8176917e1a096fd5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 17:26:37 +0100
+Subject: [PATCH] Use ecc_mod_mul_canonical for point comparison.
+
+* eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+
+(cherry picked from commit 5b7608fde3a6d2ab82bffb35db1e4e330927c906)
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-2.patch
+CVE: CVE-2021-20305 dep2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 4 ++++
+ eddsa-verify.c | 9 ++-------
+ 2 files changed, 6 insertions(+), 7 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index 5cc5c188..2a9217a6 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,3 +1,7 @@
+#+2021-03-13 Niels Möller <nisse@lysator.liu.se>
+#+
+#+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+#+
+# 2021-03-11 Niels Möller <nisse@lysator.liu.se>
+#
+# * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+Index: nettle-3.5.1/eddsa-verify.c
+===================================================================
+--- nettle-3.5.1.orig/eddsa-verify.c
++++ nettle-3.5.1/eddsa-verify.c
+@@ -53,13 +53,8 @@ equal_h (const struct ecc_modulo *p,
+ #define t0 scratch
+ #define t1 (scratch + p->size)
+
+- ecc_mod_mul (p, t0, x1, z2);
+- if (mpn_cmp (t0, p->m, p->size) >= 0)
+- mpn_sub_n (t0, t0, p->m, p->size);
+-
+- ecc_mod_mul (p, t1, x2, z1);
+- if (mpn_cmp (t1, p->m, p->size) >= 0)
+- mpn_sub_n (t1, t1, p->m, p->size);
++ ecc_mod_mul_canonical (p, t0, x1, z2, t0);
++ ecc_mod_mul_canonical (p, t1, x2, z1, t1);
+
+ return mpn_cmp (t0, t1, p->size) == 0;
+
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch
new file mode 100644
index 0000000000..15a892ecdf
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch
@@ -0,0 +1,122 @@
+Backport of:
+
+From 74ee0e82b6891e090f20723750faeb19064e31b2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 15:19:19 +0100
+Subject: [PATCH] Fix bug in ecc_ecdsa_verify.
+
+* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+to compute the scalars used for ecc multiplication.
+* testsuite/ecdsa-verify-test.c (test_main): Add test case that
+triggers an assert on 64-bit platforms, without above fix.
+* testsuite/ecdsa-sign-test.c (test_main): Test case generating
+the same signature.
+
+(cherry picked from commit 2397757b3f95fcae1e2d3011bf99ca5b5438378f)
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-3.patch
+CVE: CVE-2021-20305 dep3
+[Minor fixup on _nettle_secp_224r1]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 10 +++++++++-
+ ecc-ecdsa-verify.c | 4 ++--
+ testsuite/ecdsa-sign-test.c | 13 +++++++++++++
+ testsuite/ecdsa-verify-test.c | 20 ++++++++++++++++++++
+ 4 files changed, 44 insertions(+), 3 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index 2a9217a6..63848f53 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,7 +1,15 @@
+# 2021-03-13 Niels Möller <nisse@lysator.liu.se>
+#
+#- * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+#+ * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+#+ to compute the scalars used for ecc multiplication.
+#+ * testsuite/ecdsa-verify-test.c (test_main): Add test case that
+#+ triggers an assert on 64-bit platforms, without above fix.
+#+ * testsuite/ecdsa-sign-test.c (test_main): Test case generating
+#+ the same signature.
+#+
+#+2021-03-13 Niels Möller <nisse@lysator.liu.se>
+#
+#+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+# 2021-03-11 Niels Möller <nisse@lysator.liu.se>
+#
+# * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+Index: nettle-3.5.1/ecc-ecdsa-verify.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-ecdsa-verify.c
++++ nettle-3.5.1/ecc-ecdsa-verify.c
+@@ -112,10 +112,10 @@ ecc_ecdsa_verify (const struct ecc_curve
+
+ /* u1 = h / s, P1 = u1 * G */
+ ecc_hash (&ecc->q, hp, length, digest);
+- ecc_modq_mul (ecc, u1, hp, sinv);
++ ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1);
+
+ /* u2 = r / s, P2 = u2 * Y */
+- ecc_modq_mul (ecc, u2, rp, sinv);
++ ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2);
+
+ /* Total storage: 5*ecc->p.size + ecc->mul_itch */
+ ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size);
+Index: nettle-3.5.1/testsuite/ecdsa-sign-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/ecdsa-sign-test.c
++++ nettle-3.5.1/testsuite/ecdsa-sign-test.c
+@@ -58,6 +58,19 @@ test_ecdsa (const struct ecc_curve *ecc,
+ void
+ test_main (void)
+ {
++ /* Producing the signature for corresponding test in
++ ecdsa-verify-test.c, with special u1 and u2. */
++ test_ecdsa (&_nettle_secp_224r1,
++ "99b5b787484def12894ca507058b3bf5"
++ "43d72d82fa7721d2e805e5e6",
++ "2",
++ SHEX("cdb887ac805a3b42e22d224c85482053"
++ "16c755d4a736bb2032c92553"),
++ "706a46dc76dcb76798e60e6d89474788"
++ "d16dc18032d268fd1a704fa6", /* r */
++ "3a41e1423b1853e8aa89747b1f987364"
++ "44705d6d6d8371ea1f578f2e"); /* s */
++
+ /* Test cases for the smaller groups, verified with a
+ proof-of-concept implementation done for Yubico AB. */
+ test_ecdsa (&_nettle_secp_192r1,
+Index: nettle-3.5.1/testsuite/ecdsa-verify-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/ecdsa-verify-test.c
++++ nettle-3.5.1/testsuite/ecdsa-verify-test.c
+@@ -81,6 +81,26 @@ test_ecdsa (const struct ecc_curve *ecc,
+ void
+ test_main (void)
+ {
++ /* Corresponds to nonce k = 2 and private key z =
++ 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and
++ hash are chosen so that intermediate scalars in the verify
++ equations are u1 = 0x6b245680e700, u2 =
++ 259da6542d4ba7d21ad916c3bd57f811. These values require canonical
++ reduction of the scalars. Bug caused by missing canonical
++ reduction reported by Guido Vranken. */
++ test_ecdsa (&_nettle_secp_224r1,
++ "9e7e6cc6b1bdfa8ee039b66ad85e5490"
++ "7be706a900a3cba1c8fdd014", /* x */
++ "74855db3f7c1b4097ae095745fc915e3"
++ "8a79d2a1de28f282eafb22ba", /* y */
++
++ SHEX("cdb887ac805a3b42e22d224c85482053"
++ "16c755d4a736bb2032c92553"),
++ "706a46dc76dcb76798e60e6d89474788"
++ "d16dc18032d268fd1a704fa6", /* r */
++ "3a41e1423b1853e8aa89747b1f987364"
++ "44705d6d6d8371ea1f578f2e"); /* s */
++
+ /* From RFC 4754 */
+ test_ecdsa (&_nettle_secp_256r1,
+ "2442A5CC 0ECD015F A3CA31DC 8E2BBC70"
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch
new file mode 100644
index 0000000000..54b4fa584c
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch
@@ -0,0 +1,48 @@
+Backport of:
+
+From 51f643eee00e2caa65c8a2f5857f49acdf3ef1ce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 16:27:50 +0100
+Subject: [PATCH] Ensure ecdsa_sign output is canonically reduced.
+
+* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
+canonical range.
+
+(cherry picked from commit c24b36160dc5303f7541dd9da1429c4046f27398)
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-4.patch
+CVE: CVE-2021-20305 dep4
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 3 +++
+ ecc-ecdsa-sign.c | 3 +--
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index 63848f53..fb2d7f66 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,5 +1,8 @@
+# 2021-03-13 Niels Möller <nisse@lysator.liu.se>
+#
+#+ * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
+#+ canonical range.
+#+
+# * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+# to compute the scalars used for ecc multiplication.
+# * testsuite/ecdsa-verify-test.c (test_main): Add test case that
+--- a/ecc-ecdsa-sign.c
++++ b/ecc-ecdsa-sign.c
+@@ -90,9 +90,8 @@ ecc_ecdsa_sign (const struct ecc_curve *
+
+ ecc_modq_mul (ecc, tp, zp, rp);
+ ecc_modq_add (ecc, hp, hp, tp);
+- ecc_modq_mul (ecc, tp, hp, kinv);
++ ecc_mod_mul_canonical (&ecc->q, sp, hp, kinv, tp);
+
+- mpn_copyi (sp, tp, ecc->p.size);
+ #undef P
+ #undef hp
+ #undef kinv
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch
new file mode 100644
index 0000000000..468ff66266
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch
@@ -0,0 +1,53 @@
+Backport of:
+
+From ae3801a0e5cce276c270973214385c86048d5f7b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 16:42:21 +0100
+Subject: [PATCH] Similar fix for eddsa.
+
+* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
+reduced. Two of the three call sites need that.
+
+(cherry picked from commit d9b564e4b3b3a5691afb9328c7342b3f7ca64288)
+
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-6.patch
+CVE: CVE-2021-20305
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 3 +++
+ eddsa-hash.c | 10 +++++++---
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index 5f8a22c2..ce330831 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,5 +1,8 @@
+# 2021-03-13 Niels Möller <nisse@lysator.liu.se>
+#
+#+ * eddsa-hash.c (_eddsa_hash): Ensure result is canonically
+#+ reduced. Two of the three call sites need that.
+#+
+# * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
+# to compute the scalars used for ecc multiplication.
+#
+Index: nettle-3.5.1/eddsa-hash.c
+===================================================================
+--- nettle-3.5.1.orig/eddsa-hash.c
++++ nettle-3.5.1/eddsa-hash.c
+@@ -46,7 +46,12 @@ void
+ _eddsa_hash (const struct ecc_modulo *m,
+ mp_limb_t *rp, const uint8_t *digest)
+ {
++ mp_limb_t cy;
+ size_t nbytes = 1 + m->bit_size / 8;
+ mpn_set_base256_le (rp, 2*m->size, digest, 2*nbytes);
+ m->mod (m, rp);
++ mpn_copyi (rp + m->size, rp, m->size);
++ /* Ensure canonical reduction. */
++ cy = mpn_sub_n (rp, rp + m->size, m->m, m->size);
++ cnd_copy (cy, rp, rp + m->size, m->size);
+ }
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch
new file mode 100644
index 0000000000..ac3a638e72
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch
@@ -0,0 +1,277 @@
+From cd6059aebdd3059fbcf674dddb850b821c13b6c2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Tue, 8 Jun 2021 21:31:39 +0200
+Subject: [PATCH 1/2] Change _rsa_sec_compute_root_tr to take a fix input size.
+
+Improves consistency with _rsa_sec_compute_root, and fixes zero-input bug.
+
+(cherry picked from commit 485b5e2820a057e873b1ba812fdb39cae4adf98c)
+
+Upstream-Status: Backport
+CVE: CVE-2021-3580 dep#1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 17 +++++++++-
+ rsa-decrypt-tr.c | 7 ++---
+ rsa-internal.h | 4 +--
+ rsa-sec-decrypt.c | 9 ++++--
+ rsa-sign-tr.c | 61 +++++++++++++++++-------------------
+ testsuite/rsa-encrypt-test.c | 14 ++++++++-
+ 6 files changed, 69 insertions(+), 43 deletions(-)
+
+Index: nettle-3.5.1/rsa-decrypt-tr.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-decrypt-tr.c
++++ nettle-3.5.1/rsa-decrypt-tr.c
+@@ -52,14 +52,13 @@ rsa_decrypt_tr(const struct rsa_public_k
+ mp_size_t key_limb_size;
+ int res;
+
+- key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
++ key_limb_size = mpz_size(pub->n);
+
+ TMP_GMP_ALLOC (m, key_limb_size);
+ TMP_GMP_ALLOC (em, key->size);
++ mpz_limbs_copy(m, gibberish, key_limb_size);
+
+- res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
+- mpz_limbs_read(gibberish),
+- mpz_size(gibberish));
++ res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m);
+
+ mpn_get_base256 (em, key->size, m, key_limb_size);
+
+Index: nettle-3.5.1/rsa-internal.h
+===================================================================
+--- nettle-3.5.1.orig/rsa-internal.h
++++ nettle-3.5.1/rsa-internal.h
+@@ -78,11 +78,11 @@ _rsa_sec_compute_root(const struct rsa_p
+ mp_limb_t *scratch);
+
+ /* Safe side-channel silent variant, using RSA blinding, and checking the
+- * result after CRT. */
++ * result after CRT. In-place calls, with x == m, is allowed. */
+ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+- mp_limb_t *x, const mp_limb_t *m, size_t mn);
++ mp_limb_t *x, const mp_limb_t *m);
+
+ #endif /* NETTLE_RSA_INTERNAL_H_INCLUDED */
+Index: nettle-3.5.1/rsa-sec-decrypt.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-sec-decrypt.c
++++ nettle-3.5.1/rsa-sec-decrypt.c
+@@ -58,9 +58,12 @@ rsa_sec_decrypt(const struct rsa_public_
+ TMP_GMP_ALLOC (m, mpz_size(pub->n));
+ TMP_GMP_ALLOC (em, key->size);
+
+- res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
+- mpz_limbs_read(gibberish),
+- mpz_size(gibberish));
++ /* We need a copy because m can be shorter than key_size,
++ * but _rsa_sec_compute_root_tr expect all inputs to be
++ * normalized to a key_size long buffer length */
++ mpz_limbs_copy(m, gibberish, mpz_size(pub->n));
++
++ res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m);
+
+ mpn_get_base256 (em, key->size, m, mpz_size(pub->n));
+
+Index: nettle-3.5.1/rsa-sign-tr.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-sign-tr.c
++++ nettle-3.5.1/rsa-sign-tr.c
+@@ -131,35 +131,34 @@ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+- mp_limb_t *x, const mp_limb_t *m, size_t mn)
++ mp_limb_t *x, const mp_limb_t *m)
+ {
++ mp_size_t nn;
+ mpz_t mz;
+ mpz_t xz;
+ int res;
+
+- mpz_init(mz);
+ mpz_init(xz);
+
+- mpn_copyi(mpz_limbs_write(mz, mn), m, mn);
+- mpz_limbs_finish(mz, mn);
++ nn = mpz_size (pub->n);
+
+- res = rsa_compute_root_tr(pub, key, random_ctx, random, xz, mz);
++ res = rsa_compute_root_tr(pub, key, random_ctx, random, xz,
++ mpz_roinit_n(mz, m, nn));
+
+ if (res)
+- mpz_limbs_copy(x, xz, mpz_size(pub->n));
++ mpz_limbs_copy(x, xz, nn);
+
+- mpz_clear(mz);
+ mpz_clear(xz);
+ return res;
+ }
+ #else
+ /* Blinds m, by computing c = m r^e (mod n), for a random r. Also
+- returns the inverse (ri), for use by rsa_unblind. */
++ returns the inverse (ri), for use by rsa_unblind. Must have c != m,
++ no in-place operation.*/
+ static void
+ rsa_sec_blind (const struct rsa_public_key *pub,
+ void *random_ctx, nettle_random_func *random,
+- mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m,
+- mp_size_t mn)
++ mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m)
+ {
+ const mp_limb_t *ep = mpz_limbs_read (pub->e);
+ const mp_limb_t *np = mpz_limbs_read (pub->n);
+@@ -177,15 +176,15 @@ rsa_sec_blind (const struct rsa_public_k
+
+ /* c = m*(r^e) mod n */
+ itch = mpn_sec_powm_itch(nn, ebn, nn);
+- i2 = mpn_sec_mul_itch(nn, mn);
++ i2 = mpn_sec_mul_itch(nn, nn);
+ itch = MAX(itch, i2);
+- i2 = mpn_sec_div_r_itch(nn + mn, nn);
++ i2 = mpn_sec_div_r_itch(2*nn, nn);
+ itch = MAX(itch, i2);
+ i2 = mpn_sec_invert_itch(nn);
+ itch = MAX(itch, i2);
+
+- TMP_GMP_ALLOC (tp, nn + mn + itch);
+- scratch = tp + nn + mn;
++ TMP_GMP_ALLOC (tp, 2*nn + itch);
++ scratch = tp + 2*nn;
+
+ /* ri = r^(-1) */
+ do
+@@ -198,9 +197,8 @@ rsa_sec_blind (const struct rsa_public_k
+ while (!mpn_sec_invert (ri, tp, np, nn, 2 * nn * GMP_NUMB_BITS, scratch));
+
+ mpn_sec_powm (c, rp, nn, ep, ebn, np, nn, scratch);
+- /* normally mn == nn, but m can be smaller in some cases */
+- mpn_sec_mul (tp, c, nn, m, mn, scratch);
+- mpn_sec_div_r (tp, nn + mn, np, nn, scratch);
++ mpn_sec_mul (tp, c, nn, m, nn, scratch);
++ mpn_sec_div_r (tp, 2*nn, np, nn, scratch);
+ mpn_copyi(c, tp, nn);
+
+ TMP_GMP_FREE (r);
+@@ -208,7 +206,7 @@ rsa_sec_blind (const struct rsa_public_k
+ TMP_GMP_FREE (tp);
+ }
+
+-/* m = c ri mod n */
++/* m = c ri mod n. Allows x == c. */
+ static void
+ rsa_sec_unblind (const struct rsa_public_key *pub,
+ mp_limb_t *x, mp_limb_t *ri, const mp_limb_t *c)
+@@ -299,7 +297,7 @@ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+- mp_limb_t *x, const mp_limb_t *m, size_t mn)
++ mp_limb_t *x, const mp_limb_t *m)
+ {
+ TMP_GMP_DECL (c, mp_limb_t);
+ TMP_GMP_DECL (ri, mp_limb_t);
+@@ -307,7 +305,7 @@ _rsa_sec_compute_root_tr(const struct rs
+ size_t key_limb_size;
+ int ret;
+
+- key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
++ key_limb_size = mpz_size(pub->n);
+
+ /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the
+ key is invalid and rejected by rsa_private_key_prepare. However,
+@@ -321,19 +319,18 @@ _rsa_sec_compute_root_tr(const struct rs
+ }
+
+ assert(mpz_size(pub->n) == key_limb_size);
+- assert(mn <= key_limb_size);
+
+ TMP_GMP_ALLOC (c, key_limb_size);
+ TMP_GMP_ALLOC (ri, key_limb_size);
+ TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key));
+
+- rsa_sec_blind (pub, random_ctx, random, x, ri, m, mn);
++ rsa_sec_blind (pub, random_ctx, random, c, ri, m);
+
+- _rsa_sec_compute_root(key, c, x, scratch);
++ _rsa_sec_compute_root(key, x, c, scratch);
+
+- ret = rsa_sec_check_root(pub, c, x);
++ ret = rsa_sec_check_root(pub, x, c);
+
+- rsa_sec_unblind(pub, x, ri, c);
++ rsa_sec_unblind(pub, x, ri, x);
+
+ cnd_mpn_zero(1 - ret, x, key_limb_size);
+
+@@ -357,17 +354,17 @@ rsa_compute_root_tr(const struct rsa_pub
+ mpz_t x, const mpz_t m)
+ {
+ TMP_GMP_DECL (l, mp_limb_t);
++ mp_size_t nn = mpz_size(pub->n);
+ int res;
+
+- mp_size_t l_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
+- TMP_GMP_ALLOC (l, l_size);
++ TMP_GMP_ALLOC (l, nn);
++ mpz_limbs_copy(l, m, nn);
+
+- res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l,
+- mpz_limbs_read(m), mpz_size(m));
++ res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, l);
+ if (res) {
+- mp_limb_t *xp = mpz_limbs_write (x, l_size);
+- mpn_copyi (xp, l, l_size);
+- mpz_limbs_finish (x, l_size);
++ mp_limb_t *xp = mpz_limbs_write (x, nn);
++ mpn_copyi (xp, l, nn);
++ mpz_limbs_finish (x, nn);
+ }
+
+ TMP_GMP_FREE (l);
+Index: nettle-3.5.1/testsuite/rsa-encrypt-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/rsa-encrypt-test.c
++++ nettle-3.5.1/testsuite/rsa-encrypt-test.c
+@@ -19,6 +19,7 @@ test_main(void)
+ uint8_t after;
+
+ mpz_t gibberish;
++ mpz_t zero;
+
+ rsa_private_key_init(&key);
+ rsa_public_key_init(&pub);
+@@ -101,6 +102,17 @@ test_main(void)
+ ASSERT(decrypted[decrypted_length] == after);
+ ASSERT(decrypted[0] == 'A');
+
++ /* Test zero input. */
++ mpz_init_set_ui (zero, 0);
++ decrypted_length = msg_length;
++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero));
++ ASSERT(!rsa_decrypt_tr(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ &decrypted_length, decrypted, zero));
++ ASSERT(!rsa_sec_decrypt(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ decrypted_length, decrypted, zero));
++ ASSERT(decrypted_length == msg_length);
+
+ /* Test invalid key. */
+ mpz_add_ui (key.q, key.q, 2);
+@@ -112,6 +124,6 @@ test_main(void)
+ rsa_private_key_clear(&key);
+ rsa_public_key_clear(&pub);
+ mpz_clear(gibberish);
++ mpz_clear(zero);
+ free(decrypted);
+ }
+-
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch
new file mode 100644
index 0000000000..18e952ddf7
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch
@@ -0,0 +1,163 @@
+From c80961c646b0962ab152619ac0a7c6a21850a380 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Tue, 8 Jun 2021 21:32:38 +0200
+Subject: [PATCH 2/2] Add input check to rsa_decrypt family of functions.
+
+(cherry picked from commit 0ad0b5df315665250dfdaa4a1e087f4799edaefe)
+
+Upstream-Status: Backport
+CVE: CVE-2021-3580
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 10 +++++++++-
+ rsa-decrypt-tr.c | 4 ++++
+ rsa-decrypt.c | 10 ++++++++++
+ rsa-sec-decrypt.c | 4 ++++
+ rsa.h | 5 +++--
+ testsuite/rsa-encrypt-test.c | 38 ++++++++++++++++++++++++++++++------
+ 6 files changed, 62 insertions(+), 9 deletions(-)
+
+Index: nettle-3.5.1/rsa-decrypt-tr.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-decrypt-tr.c
++++ nettle-3.5.1/rsa-decrypt-tr.c
+@@ -52,6 +52,10 @@ rsa_decrypt_tr(const struct rsa_public_k
+ mp_size_t key_limb_size;
+ int res;
+
++ /* First check that input is in range. */
++ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0)
++ return 0;
++
+ key_limb_size = mpz_size(pub->n);
+
+ TMP_GMP_ALLOC (m, key_limb_size);
+Index: nettle-3.5.1/rsa-decrypt.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-decrypt.c
++++ nettle-3.5.1/rsa-decrypt.c
+@@ -48,6 +48,16 @@ rsa_decrypt(const struct rsa_private_key
+ int res;
+
+ mpz_init(m);
++
++ /* First check that input is in range. Since we don't have the
++ public key available here, we need to reconstruct n. */
++ mpz_mul (m, key->p, key->q);
++ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, m) >= 0)
++ {
++ mpz_clear (m);
++ return 0;
++ }
++
+ rsa_compute_root(key, m, gibberish);
+
+ res = pkcs1_decrypt (key->size, m, length, message);
+Index: nettle-3.5.1/rsa-sec-decrypt.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-sec-decrypt.c
++++ nettle-3.5.1/rsa-sec-decrypt.c
+@@ -55,6 +55,10 @@ rsa_sec_decrypt(const struct rsa_public_
+ TMP_GMP_DECL (em, uint8_t);
+ int res;
+
++ /* First check that input is in range. */
++ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0)
++ return 0;
++
+ TMP_GMP_ALLOC (m, mpz_size(pub->n));
+ TMP_GMP_ALLOC (em, key->size);
+
+Index: nettle-3.5.1/rsa.h
+===================================================================
+--- nettle-3.5.1.orig/rsa.h
++++ nettle-3.5.1/rsa.h
+@@ -428,13 +428,14 @@ rsa_sec_decrypt(const struct rsa_public_
+ size_t length, uint8_t *message,
+ const mpz_t gibberish);
+
+-/* Compute x, the e:th root of m. Calling it with x == m is allowed. */
++/* Compute x, the e:th root of m. Calling it with x == m is allowed.
++ It is required that 0 <= m < n. */
+ void
+ rsa_compute_root(const struct rsa_private_key *key,
+ mpz_t x, const mpz_t m);
+
+ /* Safer variant, using RSA blinding, and checking the result after
+- CRT. */
++ CRT. It is required that 0 <= m < n. */
+ int
+ rsa_compute_root_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+Index: nettle-3.5.1/testsuite/rsa-encrypt-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/rsa-encrypt-test.c
++++ nettle-3.5.1/testsuite/rsa-encrypt-test.c
+@@ -19,11 +19,12 @@ test_main(void)
+ uint8_t after;
+
+ mpz_t gibberish;
+- mpz_t zero;
++ mpz_t bad_input;
+
+ rsa_private_key_init(&key);
+ rsa_public_key_init(&pub);
+ mpz_init(gibberish);
++ mpz_init(bad_input);
+
+ knuth_lfib_init(&lfib, 17);
+
+@@ -103,15 +104,40 @@ test_main(void)
+ ASSERT(decrypted[0] == 'A');
+
+ /* Test zero input. */
+- mpz_init_set_ui (zero, 0);
++ mpz_set_ui (bad_input, 0);
+ decrypted_length = msg_length;
+- ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero));
++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_decrypt_tr(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+- &decrypted_length, decrypted, zero));
++ &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_sec_decrypt(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+- decrypted_length, decrypted, zero));
++ decrypted_length, decrypted, bad_input));
++ ASSERT(decrypted_length == msg_length);
++
++ /* Test input that is slightly larger than n */
++ mpz_add(bad_input, gibberish, pub.n);
++ decrypted_length = msg_length;
++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
++ ASSERT(!rsa_decrypt_tr(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ &decrypted_length, decrypted, bad_input));
++ ASSERT(!rsa_sec_decrypt(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ decrypted_length, decrypted, bad_input));
++ ASSERT(decrypted_length == msg_length);
++
++ /* Test input that is considerably larger than n */
++ mpz_mul_2exp (bad_input, pub.n, 100);
++ mpz_add (bad_input, bad_input, gibberish);
++ decrypted_length = msg_length;
++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
++ ASSERT(!rsa_decrypt_tr(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ &decrypted_length, decrypted, bad_input));
++ ASSERT(!rsa_sec_decrypt(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ decrypted_length, decrypted, bad_input));
+ ASSERT(decrypted_length == msg_length);
+
+ /* Test invalid key. */
+@@ -124,6 +150,6 @@ test_main(void)
+ rsa_private_key_clear(&key);
+ rsa_public_key_clear(&pub);
+ mpz_clear(gibberish);
+- mpz_clear(zero);
++ mpz_clear(bad_input);
+ free(decrypted);
+ }
diff --git a/meta/recipes-support/nettle/nettle_3.5.1.bb b/meta/recipes-support/nettle/nettle_3.5.1.bb
index b2ec24b36c..192fd295e9 100644
--- a/meta/recipes-support/nettle/nettle_3.5.1.bb
+++ b/meta/recipes-support/nettle/nettle_3.5.1.bb
@@ -18,6 +18,13 @@ SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \
file://Add-target-to-only-build-tests-not-run-them.patch \
file://run-ptest \
file://check-header-files-of-openssl-only-if-enable_.patch \
+ file://CVE-2021-3580_1.patch \
+ file://CVE-2021-3580_2.patch \
+ file://CVE-2021-20305-1.patch \
+ file://CVE-2021-20305-2.patch \
+ file://CVE-2021-20305-3.patch \
+ file://CVE-2021-20305-4.patch \
+ file://CVE-2021-20305-5.patch \
"
SRC_URI_append_class-target = "\
diff --git a/meta/recipes-support/vim/files/CVE-2021-3778.patch b/meta/recipes-support/vim/files/CVE-2021-3778.patch
new file mode 100644
index 0000000000..9e1c4d29be
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2021-3778.patch
@@ -0,0 +1,49 @@
+From eb41373c8c88b0789e5cf04669d6116f9a199264 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Sun, 26 Sep 2021 23:48:00 +0000
+Subject: [PATCH] patch 8.2.3409: reading beyond end of line with invalid utf-8
+ character
+
+Problem: Reading beyond end of line with invalid utf-8 character.
+Solution: Check for NUL when advancing.
+
+Upstream-Status: Accepted [https://github.com/vim/vim/commit/65b605665997fad54ef39a93199e305af2fe4d7f]
+CVE: CVE-2021-3778
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ src/regexp_nfa.c | 3 ++-
+ src/testdir/test_regexp_utf8.vim | 7 +++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c
+index fb512f961..4d337f1f1 100644
+--- a/src/regexp_nfa.c
++++ b/src/regexp_nfa.c
+@@ -5455,7 +5455,8 @@ find_match_text(colnr_T startcol, int regstart, char_u *match_text)
+ match = FALSE;
+ break;
+ }
+- len2 += MB_CHAR2LEN(c2);
++ len2 += enc_utf8 ? utf_ptr2len(rex.line + col + len2)
++ : MB_CHAR2LEN(c2);
+ }
+ if (match
+ // check that no composing char follows
+diff --git a/src/testdir/test_regexp_utf8.vim b/src/testdir/test_regexp_utf8.vim
+index 19ff882be..e0665818b 100644
+--- a/src/testdir/test_regexp_utf8.vim
++++ b/src/testdir/test_regexp_utf8.vim
+@@ -215,3 +215,10 @@ func Test_optmatch_toolong()
+ set re=0
+ endfunc
+
++func Test_match_invalid_byte()
++ call writefile(0z630a.765d30aa0a.2e0a.790a.4030, 'Xinvalid')
++ new
++ source Xinvalid
++ bwipe!
++ call delete('Xinvalid')
++endfunc
+--
+2.17.1
+
diff --git a/meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch b/meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch
new file mode 100644
index 0000000000..1cee759502
--- /dev/null
+++ b/meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch
@@ -0,0 +1,207 @@
+From b7081e135a16091c93f6f5f7525a5c58fb7ca9f9 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 4 Sep 2021 18:47:28 +0200
+Subject: [PATCH] patch 8.2.3402: invalid memory access when using :retab with
+ large value
+
+Problem: Invalid memory access when using :retab with large value.
+Solution: Check the number is positive.
+
+CVE: CVE-2021-3770
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Upstream-Status: Backport [https://github.com/vim/vim/commit/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9]
+---
+ src/indent.c | 34 +++++++++++++++++++++-------------
+ src/option.c | 12 ++++++------
+ src/optionstr.c | 4 ++--
+ src/testdir/test_retab.vim | 3 +++
+ src/version.c | 2 ++
+ 5 files changed, 34 insertions(+), 21 deletions(-)
+
+Index: git/src/indent.c
+===================================================================
+--- git.orig/src/indent.c
++++ git/src/indent.c
+@@ -18,18 +18,19 @@
+ /*
+ * Set the integer values corresponding to the string setting of 'vartabstop'.
+ * "array" will be set, caller must free it if needed.
++ * Return FAIL for an error.
+ */
+ int
+ tabstop_set(char_u *var, int **array)
+ {
+- int valcount = 1;
+- int t;
+- char_u *cp;
++ int valcount = 1;
++ int t;
++ char_u *cp;
+
+ if (var[0] == NUL || (var[0] == '0' && var[1] == NUL))
+ {
+ *array = NULL;
+- return TRUE;
++ return OK;
+ }
+
+ for (cp = var; *cp != NUL; ++cp)
+@@ -43,8 +44,8 @@ tabstop_set(char_u *var, int **array)
+ if (cp != end)
+ emsg(_(e_positive));
+ else
+- emsg(_(e_invarg));
+- return FALSE;
++ semsg(_(e_invarg2), cp);
++ return FAIL;
+ }
+ }
+
+@@ -55,26 +56,33 @@ tabstop_set(char_u *var, int **array)
+ ++valcount;
+ continue;
+ }
+- emsg(_(e_invarg));
+- return FALSE;
++ semsg(_(e_invarg2), var);
++ return FAIL;
+ }
+
+ *array = ALLOC_MULT(int, valcount + 1);
+ if (*array == NULL)
+- return FALSE;
++ return FAIL;
+ (*array)[0] = valcount;
+
+ t = 1;
+ for (cp = var; *cp != NUL;)
+ {
+- (*array)[t++] = atoi((char *)cp);
+- while (*cp != NUL && *cp != ',')
++ int n = atoi((char *)cp);
++
++ if (n < 0 || n > 9999)
++ {
++ semsg(_(e_invarg2), cp);
++ return FAIL;
++ }
++ (*array)[t++] = n;
++ while (*cp != NUL && *cp != ',')
+ ++cp;
+ if (*cp != NUL)
+ ++cp;
+ }
+
+- return TRUE;
++ return OK;
+ }
+
+ /*
+@@ -1556,7 +1564,7 @@ ex_retab(exarg_T *eap)
+
+ #ifdef FEAT_VARTABS
+ new_ts_str = eap->arg;
+- if (!tabstop_set(eap->arg, &new_vts_array))
++ if (tabstop_set(eap->arg, &new_vts_array) == FAIL)
+ return;
+ while (vim_isdigit(*(eap->arg)) || *(eap->arg) == ',')
+ ++(eap->arg);
+Index: git/src/option.c
+===================================================================
+--- git.orig/src/option.c
++++ git/src/option.c
+@@ -2292,9 +2292,9 @@ didset_options2(void)
+ #endif
+ #ifdef FEAT_VARTABS
+ vim_free(curbuf->b_p_vsts_array);
+- tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
++ (void)tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
+ vim_free(curbuf->b_p_vts_array);
+- tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array);
++ (void)tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array);
+ #endif
+ }
+
+@@ -5756,7 +5756,7 @@ buf_copy_options(buf_T *buf, int flags)
+ buf->b_p_vsts = vim_strsave(p_vsts);
+ COPY_OPT_SCTX(buf, BV_VSTS);
+ if (p_vsts && p_vsts != empty_option)
+- tabstop_set(p_vsts, &buf->b_p_vsts_array);
++ (void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
+ else
+ buf->b_p_vsts_array = 0;
+ buf->b_p_vsts_nopaste = p_vsts_nopaste
+@@ -5914,7 +5914,7 @@ buf_copy_options(buf_T *buf, int flags)
+ buf->b_p_isk = save_p_isk;
+ #ifdef FEAT_VARTABS
+ if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
+- tabstop_set(p_vts, &buf->b_p_vts_array);
++ (void)tabstop_set(p_vts, &buf->b_p_vts_array);
+ else
+ buf->b_p_vts_array = NULL;
+ #endif
+@@ -5929,7 +5929,7 @@ buf_copy_options(buf_T *buf, int flags)
+ buf->b_p_vts = vim_strsave(p_vts);
+ COPY_OPT_SCTX(buf, BV_VTS);
+ if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
+- tabstop_set(p_vts, &buf->b_p_vts_array);
++ (void)tabstop_set(p_vts, &buf->b_p_vts_array);
+ else
+ buf->b_p_vts_array = NULL;
+ #endif
+@@ -6634,7 +6634,7 @@ paste_option_changed(void)
+ if (buf->b_p_vsts_array)
+ vim_free(buf->b_p_vsts_array);
+ if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
+- tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
++ (void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
+ else
+ buf->b_p_vsts_array = 0;
+ #endif
+Index: git/src/optionstr.c
+===================================================================
+--- git.orig/src/optionstr.c
++++ git/src/optionstr.c
+@@ -2166,7 +2166,7 @@ did_set_string_option(
+ if (errmsg == NULL)
+ {
+ int *oldarray = curbuf->b_p_vsts_array;
+- if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)))
++ if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)) == OK)
+ {
+ if (oldarray)
+ vim_free(oldarray);
+@@ -2205,7 +2205,7 @@ did_set_string_option(
+ {
+ int *oldarray = curbuf->b_p_vts_array;
+
+- if (tabstop_set(*varp, &(curbuf->b_p_vts_array)))
++ if (tabstop_set(*varp, &(curbuf->b_p_vts_array)) == OK)
+ {
+ vim_free(oldarray);
+ #ifdef FEAT_FOLDING
+Index: git/src/testdir/test_retab.vim
+===================================================================
+--- git.orig/src/testdir/test_retab.vim
++++ git/src/testdir/test_retab.vim
+@@ -74,4 +74,7 @@ endfunc
+ func Test_retab_error()
+ call assert_fails('retab -1', 'E487:')
+ call assert_fails('retab! -1', 'E487:')
++ call assert_fails('ret -1000', 'E487:')
++ call assert_fails('ret 10000', 'E475:')
++ call assert_fails('ret 80000000000000000000', 'E475:')
+ endfunc
+Index: git/src/version.c
+===================================================================
+--- git.orig/src/version.c
++++ git/src/version.c
+@@ -743,6 +743,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ { /* Add new patch number below this line */
+ /**/
++ 3402,
++/**/
+ 0
+ };
+
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 6fe8fb90db..fc4e205b74 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -17,7 +17,10 @@ SRC_URI = "git://github.com/vim/vim.git \
file://0001-src-Makefile-improve-reproducibility.patch \
file://no-path-adjust.patch \
file://racefix.patch \
+ file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
+ file://CVE-2021-3778.patch \
"
+
SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
# Do not consider .z in x.y.z, as that is updated with every commit
diff --git a/scripts/lib/wic/partition.py b/scripts/lib/wic/partition.py
index 85f9847047..792bb3dcd3 100644
--- a/scripts/lib/wic/partition.py
+++ b/scripts/lib/wic/partition.py
@@ -104,7 +104,7 @@ class Partition():
extra_blocks = self.extra_space
rootfs_size = actual_rootfs_size + extra_blocks
- rootfs_size *= self.overhead_factor
+ rootfs_size = int(rootfs_size * self.overhead_factor)
logger.debug("Added %d extra blocks to %s to get to %d total blocks",
extra_blocks, self.mountpoint, rootfs_size)
diff --git a/scripts/pybootchartgui/pybootchartgui/draw.py b/scripts/pybootchartgui/pybootchartgui/draw.py
index 29eb7505bc..fc708b55c3 100644
--- a/scripts/pybootchartgui/pybootchartgui/draw.py
+++ b/scripts/pybootchartgui/pybootchartgui/draw.py
@@ -267,7 +267,10 @@ def draw_chart(ctx, color, fill, chart_bounds, data, proc_tree, data_range):
# avoid divide by zero
if max_y == 0:
max_y = 1.0
- xscale = float (chart_bounds[2]) / (max_x - x_shift)
+ if (max_x - x_shift):
+ xscale = float (chart_bounds[2]) / (max_x - x_shift)
+ else:
+ xscale = float (chart_bounds[2])
# If data_range is given, scale the chart so that the value range in
# data_range matches the chart bounds exactly.
# Otherwise, scale so that the actual data matches the chart bounds.