[OE-core] [warrior-next 51/54] useradd: Ensure do_populate_sysroot has dependency on useradd variables

2019-09-29 Thread Armin Kuster
From: Richard Purdie 

The do_populate_sysroot task doesn't rerun if you change any of the 
USERADD_PARAM
or GROUPADD_PARAM variables, only do_package will.

If another task depends on the recipe, this means it won't see any updated 
changes.

This patch adds in the missing vardeps ensuring the code is deterministic.

[YOCTO #13232]

Signed-off-by: Richard Purdie 
(cherry picked from commit 37d0382a3c67f47f8cfdd977a041069bf912b8c3)
Signed-off-by: Armin Kuster 
---
 meta/classes/useradd.bbclass | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/classes/useradd.bbclass b/meta/classes/useradd.bbclass
index 5e600de..e5f3ba2 100644
--- a/meta/classes/useradd.bbclass
+++ b/meta/classes/useradd.bbclass
@@ -184,6 +184,7 @@ def update_useradd_after_parse(d):
 bb.fatal("%s inherits useradd but doesn't set USERADD_PACKAGES" % 
d.getVar('FILE', False))
 
 for pkg in useradd_packages.split():
+d.appendVarFlag("do_populate_sysroot", "vardeps", "USERADD_PARAM_%s 
GROUPADD_PARAM_%s GROUPMEMS_PARAM_%s" % (pkg, pkg, pkg))
 if not d.getVar('USERADD_PARAM_%s' % pkg) and not 
d.getVar('GROUPADD_PARAM_%s' % pkg) and not d.getVar('GROUPMEMS_PARAM_%s' % 
pkg):
 bb.fatal("%s inherits useradd but doesn't set USERADD_PARAM, 
GROUPADD_PARAM or GROUPMEMS_PARAM for package %s" % (d.getVar('FILE', False), 
pkg))
 
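Review bot: The string appended to `vardeps` on the added `d.appendVarFlag(...)` line has no leading separator, and as far as I know appendVarFlag concatenates the value verbatim. With more than one entry in USERADD_PACKAGES the second iteration would then produce a fused token such as `GROUPMEMS_PARAM_<pkg1>USERADD_PARAM_<pkg2>`, and the first name would also fuse with any vardeps already set on do_populate_sysroot, so those variables would still not feed the task hash. Start the literal with a space: `" USERADD_PARAM_%s GROUPADD_PARAM_%s GROUPMEMS_PARAM_%s" % (pkg, pkg, pkg)`. update_useradd_after_parse starts outside this hunk.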
-- 
2.7.4



[OE-core] [warrior-next 54/54] cve-check: backport rewrite from master

2019-09-29 Thread Armin Kuster
From: Ross Burton 

As detailed at [1] the XML feeds provided by NIST are being discontinued on
October 9th 2019.  As cve-check-tool uses these feeds, cve-check.bbclass will be
inoperable after this date.

To ensure that cve-check continues working, backport the following commits from
master to move away from the unmaintained cve-check-tool to our own Python code
that fetches the JSON:

546d14135c5 cve-update-db: New recipe to update CVE database
bc144b028f6 cve-check: Remove dependency to cve-check-tool-native
7f62a20b32a cve-check: Manage CVE_PRODUCT with more than one name
3bf63bc6084 cve-check: Consider CVE that affects versions with less than 
operator
c0eabd30d7b cve-update-db: Use std library instead of urllib3
27eb839ee65 cve-check: be idiomatic
09be21f4d17 cve-update-db: Manage proxy if needed.
975793e3825 cve-update-db: do_populate_cve_db depends on do_fetch
0325dd72714 cve-update-db: Catch request.urlopen errors.
4078da92b49 cve-check: Depends on cve-update-db-native
f7676e9a38d cve-update-db: Use NVD CPE data to populate PRODUCTS table
bc0195be1b1 cve-check: Update unpatched CVE matching
c807c2a6409 cve-update-db-native: Skip recipe when cve-check class is not 
loaded.
07bb8b25e17 cve-check: remove redundant readline CVE whitelisting
5388ed6d137 cve-check-tool: remove
270ac00cb43 cve-check.bbclass: initialize to_append
e6bf9000987 cve-check: allow comparison of Vendor as well as Product
91770338f76 cve-update-db-native: use SQL placeholders instead of format strings
7069302a4cc cve-check: Replace CVE_CHECK_CVE_WHITELIST by CVE_CHECK_WHITELIST
78de2cb39d7 cve-update-db-native: Remove hash column from database.
4b301030cf9 cve-update-db-native: use os.path.join instead of +
f0d822fad2a cve-update-db: actually inherit native
b309840b6aa cve-update-db-native: use executemany() to optimise CPE insertion
bb4e53af33d cve-update-db-native: improve metadata parsing
94227459792 cve-update-db-native: clean up JSON fetching
95438d52b73 cve-update-db-native: fix https proxy issues
1f9a963b9ff glibc: exclude child recipes from CVE scanning

[1] https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement

Signed-off-by: Ross Burton 
Signed-off-by: Armin Kuster 
---
 meta/classes/cve-check.bbclass | 142 --
 meta/conf/distro/include/maintainers.inc   |   1 +
 meta/recipes-core/glibc/glibc-locale.inc   |   3 +
 meta/recipes-core/glibc/glibc-mtrace.inc   |   3 +
 meta/recipes-core/glibc/glibc-scripts.inc  |   3 +
 meta/recipes-core/meta/cve-update-db-native.bb | 195 +++
 .../cve-check-tool/cve-check-tool_5.6.4.bb |  62 --
 ...01-Fix-freeing-memory-allocated-by-sqlite.patch |  50 -
 ...ow-overriding-default-CA-certificate-file.patch | 215 -
 ...ogress-in-percent-when-downloading-CVE-db.patch | 135 -
 ...are-computed-vs-expected-sha256-digit-str.patch |  52 -
 .../check-for-malloc_trim-before-using-it.patch|  51 -
 12 files changed, 292 insertions(+), 620 deletions(-)
 create mode 100644 meta/recipes-core/meta/cve-update-db-native.bb
 delete mode 100644 meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
 delete mode 100644 
meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
 delete mode 100644 
meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
 delete mode 100644 
meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch
 delete mode 100644 
meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
 delete mode 100644 
meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 743bc08..c00d291 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
 CVE_VERSION ??= "${PV}"
 
 CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.0.db"
 
 CVE_CHECK_LOG ?= "${T}/cve.log"
 CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
@@ -37,32 +37,33 @@ CVE_CHECK_COPY_FILES ??= "1"
 CVE_CHECK_CREATE_MANIFEST ??= "1"
 
 # Whitelist for packages (PN)
-CVE_CHECK_PN_WHITELIST = "\
-glibc-locale \
-"
+CVE_CHECK_PN_WHITELIST ?= ""
 
-# Whitelist for CVE and version of package
-CVE_CHECK_CVE_WHITELIST = "{\
-'CVE-2014-2524': ('6.3','5.2',), \
-}"
+# Whitelist for CVE. If a CVE is found, then it is considered patched.
+# The value is a string containing space separated CVE values:
+# 
+# CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234'
+# 
+CVE_CHECK_WHITELIST ?= ""
 
 python do_cve_check () {
 """
 Check recipe for patched and unpatched CVEs
 """
 
-if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
+   

[OE-core] [warrior-next 53/54] kernel-uboot: compress arm64 kernels

2019-09-29 Thread Armin Kuster
From: "Bedel, Alban" 

AArch64 images are not self-decompressing, thus usually much larger.
Boot times can be reduced by compressing them in FIT and uImages.

This commit is a backport of commit a725d188b5 (kernel-uboot: compress
arm64 kernels) and commit 60bc7e180e (kernel-uboot: remove useless
special casing of arm64 Image) from master. Both commits were merged
into one to avoid some useless churn.

Signed-off-by: Alban Bedel 
Signed-off-by: Armin Kuster 
---
 meta/classes/kernel-uboot.bbclass | 4 
 1 file changed, 4 deletions(-)

diff --git a/meta/classes/kernel-uboot.bbclass 
b/meta/classes/kernel-uboot.bbclass
index 2364053..87f0265 100644
--- a/meta/classes/kernel-uboot.bbclass
+++ b/meta/classes/kernel-uboot.bbclass
@@ -3,10 +3,6 @@ uboot_prep_kimage() {
vmlinux_path="arch/${ARCH}/boot/compressed/vmlinux"
linux_suffix=""
linux_comp="none"
-   elif [ -e arch/${ARCH}/boot/Image ] ; then
-   vmlinux_path="vmlinux"
-   linux_suffix=""
-   linux_comp="none"
elif [ -e arch/${ARCH}/boot/vmlinuz.bin ]; then
rm -f linux.bin
cp -l arch/${ARCH}/boot/vmlinuz.bin linux.bin
-- 
2.7.4



[OE-core] [warrior-next 52/54] uboot: fixes to uboot-extlinux-config attribute values

2019-09-29 Thread Armin Kuster
From: Will Page 

The way this class uses overrides to support generation of multiple
sections is subject to two different issues: 1) labels that conflict
with existing override names causing the value for the conflicting label
to be set for all labels, and 2) reusing the override list through each
iteration, prepending each new label to the list of overrides makes
earlier labels' value take precedence over later labels, making later
labels virtually impossible to customize.

The first issue is resolved by removing all label names from overrides
before iterating over labels.  The second issue is resolved by
generating a fresh list of overrides with only the current label added.

The current label is also appended to the list of overrides instead of
prepended, which makes it the highest priority override.  This
matches the behavior of devtool-source.bbclass, which similarly
monkey-patches overrides.

Closes https://bugzilla.yoctoproject.org/show_bug.cgi?id=13469 .

Signed-off-by: Will Page 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/classes/uboot-extlinux-config.bbclass | 13 -
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/meta/classes/uboot-extlinux-config.bbclass 
b/meta/classes/uboot-extlinux-config.bbclass
index b5b1a81..f4bf94b 100644
--- a/meta/classes/uboot-extlinux-config.bbclass
+++ b/meta/classes/uboot-extlinux-config.bbclass
@@ -104,13 +104,16 @@ python do_create_extlinux_config() {
 if default:
 cfgfile.write('DEFAULT %s\n' % (default))
 
-for label in labels.split():
+# Need to deconflict the labels with existing overrides
+label_overrides = labels.split()
+default_overrides = localdata.getVar('OVERRIDES').split(':')
+# We're keeping all the existing overrides that aren't used as a 
label
+# an override for that label will be added back in while we're 
processing that label
+keep_overrides = list(filter(lambda x: x not in label_overrides, 
default_overrides))
 
-overrides = localdata.getVar('OVERRIDES')
-if not overrides:
-bb.fatal('OVERRIDES not defined')
+for label in labels.split():
 
-localdata.setVar('OVERRIDES', label + ':' + overrides)
+localdata.setVar('OVERRIDES', ':'.join(keep_overrides + 
[label]))
 
 extlinux_console = localdata.getVar('UBOOT_EXTLINUX_CONSOLE')
 
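Review bot: The new `default_overrides = localdata.getVar('OVERRIDES').split(':')` line dereferences the value directly, while the removed lines were the only guard for an unset OVERRIDES; if getVar returns None the task now fails with an AttributeError traceback instead of the previous `bb.fatal('OVERRIDES not defined')`. Keep the guard ahead of the split: `overrides = localdata.getVar('OVERRIDES')` followed by `if not overrides: bb.fatal('OVERRIDES not defined')`. Separately, `labels.split()` is computed for `label_overrides` and again in the `for` header; iterating `label_overrides` would keep the two in step. do_create_extlinux_config starts and ends outside the hunk.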
-- 
2.7.4



[OE-core] [warrior-next 49/54] multilib.bbclass: Reduce ALTERNATIVE_PRIORITY for extended recipes

2019-09-29 Thread Armin Kuster
From: Robert Yang 

Fixed:
MACHINE = "qemux86-64"
require conf/multilib.conf
MULTILIBS = "multilib:lib32"
DEFAULTTUNE_virtclass-multilib-lib32 = "x86"

$ bitbake core-image-minimal
update-alternatives: libtool has multiple providers with the same priority,
please check
/path/to/rootfs/usr/lib/opkg/alternatives/libtool for details

Both libtool and lib32-libtool have the same priority (as they're the same
recipe), so update-alternatives won't deterministically pick a provider. This
means you could end up with an image using a 32-bit pkgconfig and 64-bit
libtool, for example.

Make extended recipes reduce priority by 1 (or 2, 3 ... when there are multiple
variants in MULTILIB_VARIANTS) to fix the problem.

[YOCTO #13418]

Signed-off-by: Robert Yang 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/classes/multilib.bbclass | 47 +++
 1 file changed, 47 insertions(+)

diff --git a/meta/classes/multilib.bbclass b/meta/classes/multilib.bbclass
index 2b761f3..9b27b53 100644
--- a/meta/classes/multilib.bbclass
+++ b/meta/classes/multilib.bbclass
@@ -123,8 +123,55 @@ python __anonymous () {
 clsextend.map_variable("USERADD_PACKAGES")
 clsextend.map_variable("SYSTEMD_PACKAGES")
 clsextend.map_variable("UPDATERCPN")
+
+reset_alternative_priority(d)
 }
 
+def reset_alternative_priority(d):
+if not bb.data.inherits_class('update-alternatives', d):
+return
+
+# There might be multiple multilibs at the same time, e.g., lib32 and
+# lib64, each of them should have a different priority.
+multilib_variants = d.getVar('MULTILIB_VARIANTS')
+bbextendvariant = d.getVar('BBEXTENDVARIANT')
+reset_gap = multilib_variants.split().index(bbextendvariant) + 1
+
+# ALTERNATIVE_PRIORITY = priority
+alt_priority_recipe = d.getVar('ALTERNATIVE_PRIORITY')
+# Reset ALTERNATIVE_PRIORITY when found
+if alt_priority_recipe:
+reset_priority = int(alt_priority_recipe) - reset_gap
+bb.debug(1, '%s: Setting ALTERNATIVE_PRIORITY to %s' % 
(d.getVar('PN'), reset_priority))
+d.setVar('ALTERNATIVE_PRIORITY', reset_priority)
+
+handled_pkgs = []
+for pkg in (d.getVar('PACKAGES') or "").split():
+# ALTERNATIVE_PRIORITY_pkg = priority
+alt_priority_pkg = d.getVar('ALTERNATIVE_PRIORITY_%s' % pkg)
+# Reset ALTERNATIVE_PRIORITY_pkg when found
+if alt_priority_pkg:
+reset_priority = int(alt_priority_pkg) - reset_gap
+if not pkg in handled_pkgs:
+handled_pkgs.append(pkg)
+bb.debug(1, '%s: Setting ALTERNATIVE_PRIORITY_%s to %s' % 
(pkg, pkg, reset_priority))
+d.setVar('ALTERNATIVE_PRIORITY_%s' % pkg, reset_priority)
+
+for alt_name in (d.getVar('ALTERNATIVE_%s' % pkg) or "").split():
+# ALTERNATIVE_PRIORITY_pkg[tool]  = priority
+alt_priority_pkg_name = d.getVarFlag('ALTERNATIVE_PRIORITY_%s' % 
pkg, alt_name)
+# ALTERNATIVE_PRIORITY[tool] = priority
+alt_priority_name = d.getVarFlag('ALTERNATIVE_PRIORITY', alt_name)
+
+if alt_priority_pkg_name:
+reset_priority = int(alt_priority_pkg_name) - reset_gap
+bb.debug(1, '%s: Setting ALTERNATIVE_PRIORITY_%s[%s] to %s' % 
(pkg, pkg, alt_name, reset_priority))
+d.setVarFlag('ALTERNATIVE_PRIORITY_%s' % pkg, alt_name, 
reset_priority)
+elif alt_priority_name:
+reset_priority = int(alt_priority_name) - reset_gap
+bb.debug(1, '%s: Setting ALTERNATIVE_PRIORITY[%s] to %s' % 
(pkg, alt_name, reset_priority))
+d.setVarFlag('ALTERNATIVE_PRIORITY', alt_name, reset_priority)
+
 PACKAGEFUNCS_append = " do_package_qa_multilib"
 
 python do_package_qa_multilib() {
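Review bot: In `reset_alternative_priority` the `handled_pkgs` list only protects `ALTERNATIVE_PRIORITY_<pkg>`; the recipe-wide `ALTERNATIVE_PRIORITY[alt_name]` flag in the `elif alt_priority_name:` branch is read and rewritten once per package, so an alternative name listed in `ALTERNATIVE_<pkg>` for two packages appears to be lowered by `reset_gap` twice (indentation is lost in this archive, so the exact nesting is inferred). Remember which names were already adjusted, for example a `handled_names` list with the branch written as `elif alt_priority_name and alt_name not in handled_names:` and `handled_names.append(alt_name)` after the `setVarFlag`. `multilib_variants.split().index(bbextendvariant)` also raises if MULTILIB_VARIANTS is unset or does not contain BBEXTENDVARIANT, so a short docstring stating that the function expects to run only for a multilib-extended recipe would make that precondition explicit.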
-- 
2.7.4



[OE-core] [warrior-next 50/54] useradd: Fix build architecture corruption of sstate artefacts

2019-09-29 Thread Armin Kuster
From: Richard Purdie 

When mixing aarch64 and x86_64 host builds with common sstate, useradd failures
were found. This was due to references to:

/home/pokybuild/yocto-worker/qemuarm/build/build/tmp/sysroots-components/aarch64/pseudo-native/usr/bin/pseudo
or
/home/pokybuild/yocto-worker/qemuarm/build/build/tmp/sysroots-components/x86_64/pseudo-native/usr/bin/pseudo

on the wrong architecture within the useradd postinst files.

Instead of using COMPONENTS_DIR as the FIXME, use PSEUDO_SYSROOT which contains
the arch component as well to avoid this.

Add extra comments to cause the relevant sstate to be rebuilt.

Signed-off-by: Richard Purdie 
(cherry picked from commit 0384622f72a6c0bd8225cf06f692340fdef67d4a)
Signed-off-by: Armin Kuster 
---
 meta/classes/staging.bbclass | 2 +-
 meta/classes/useradd.bbclass | 6 --
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/meta/classes/staging.bbclass b/meta/classes/staging.bbclass
index 062b281..546fc81 100644
--- a/meta/classes/staging.bbclass
+++ b/meta/classes/staging.bbclass
@@ -167,7 +167,7 @@ def staging_processfixme(fixme, target, recipesysroot, 
recipesysrootnative, d):
 if not fixme:
 return
 cmd = "sed -e 's:^[^/]*/:%s/:g' %s | xargs sed -i -e 
's:FIXMESTAGINGDIRTARGET:%s:g; s:FIXMESTAGINGDIRHOST:%s:g'" % (target, " 
".join(fixme), recipesysroot, recipesysrootnative)
-for fixmevar in ['COMPONENTS_DIR', 'HOSTTOOLS_DIR', 'PKGDATA_DIR', 
'PSEUDO_LOCALSTATEDIR', 'LOGFIFO']:
+for fixmevar in ['PSEUDO_SYSROOT', 'HOSTTOOLS_DIR', 'PKGDATA_DIR', 
'PSEUDO_LOCALSTATEDIR', 'LOGFIFO']:
 fixme_path = d.getVar(fixmevar)
 cmd += " -e 's:FIXME_%s:%s:g'" % (fixmevar, fixme_path)
 bb.debug(2, cmd)
diff --git a/meta/classes/useradd.bbclass b/meta/classes/useradd.bbclass
index 124becd..5e600de 100644
--- a/meta/classes/useradd.bbclass
+++ b/meta/classes/useradd.bbclass
@@ -100,6 +100,8 @@ useradd_sysroot () {
# Pseudo may (do_prepare_recipe_sysroot) or may not 
(do_populate_sysroot_setscene) be running 
# at this point so we're explicit about the environment so pseudo can 
load if 
# not already present.
+   # PSEUDO_SYSROOT can contain references to the build architecture and 
COMPONENT_DIR
+   # so needs the STAGING_FIXME below
export PSEUDO="${FAKEROOTENV} ${PSEUDO_SYSROOT}${bindir_native}/pseudo"
 
# Explicitly set $D since it isn't set to anything
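Review bot: The added comment refers to `COMPONENT_DIR` and to `STAGING_FIXME`, neither of which matches an identifier used in these classes: the variable is `COMPONENTS_DIR` and the list set further down is `EXTRA_STAGING_FIXMES`. Since the comment exists to explain why the sstate fixup is needed, I would word it as `# PSEUDO_SYSROOT can contain references to the build architecture and COMPONENTS_DIR,` / `# so it needs the EXTRA_STAGING_FIXMES entry below`. useradd_sysroot continues outside the hunk.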
@@ -134,10 +136,10 @@ useradd_sysroot () {
 }
 
 # The export of PSEUDO in useradd_sysroot() above contains references to
-# ${COMPONENTS_DIR} and ${PSEUDO_LOCALSTATEDIR}. Additionally, the logging
+# ${PSEUDO_SYSROOT} and ${PSEUDO_LOCALSTATEDIR}. Additionally, the logging
 # shell functions use ${LOGFIFO}. These need to be handled when restoring
 # postinst-useradd-${PN} from the sstate cache.
-EXTRA_STAGING_FIXMES += "COMPONENTS_DIR PSEUDO_LOCALSTATEDIR LOGFIFO"
+EXTRA_STAGING_FIXMES += "PSEUDO_SYSROOT PSEUDO_LOCALSTATEDIR LOGFIFO"
 
 python useradd_sysroot_sstate () {
 scriptfile = None
-- 
2.7.4



[OE-core] [warrior-next 43/54] kernel-fitimage: uboot-sign: fix missing signature

2019-09-29 Thread Armin Kuster
From: Jun Nie 

u-boot.bin with dtb & signature should be placed in ${B} so that
it can be deployed by u-boot as expected. Otherwise, the version
without signature is installed.

Signed-off-by: Jun Nie 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/classes/uboot-sign.bbclass | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta/classes/uboot-sign.bbclass b/meta/classes/uboot-sign.bbclass
index 8beafff..1fc2a37 100644
--- a/meta/classes/uboot-sign.bbclass
+++ b/meta/classes/uboot-sign.bbclass
@@ -66,7 +66,7 @@ concat_dtb_helper() {
install ${UBOOT_BINARY} ${DEPLOYDIR}/${UBOOT_IMAGE}
elif [ -e "${DEPLOYDIR}/${UBOOT_NODTB_IMAGE}" -a -e 
"$deployed_uboot_dtb_binary" ]; then
cd ${DEPLOYDIR}
-   cat ${UBOOT_NODTB_IMAGE} $deployed_uboot_dtb_binary | tee 
${UBOOT_BINARY} > ${UBOOT_IMAGE}
+   cat ${UBOOT_NODTB_IMAGE} $deployed_uboot_dtb_binary | tee 
${B}/${CONFIG_B_PATH}/${UBOOT_BINARY} > ${UBOOT_IMAGE}
else
bbwarn "Failure while adding public key to u-boot binary. 
Verified boot won't be available."
fi
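Review bot: The `else` branch after the rewritten `cat … | tee …` line still only calls `bbwarn`, so when neither input is present the task succeeds and a u-boot without the public key can be deployed, which is the same outcome this commit fixes for the `${B}` copy. If this helper only runs when signing is enabled (not visible in the hunk), failing the task with `bbfatal "Failure while adding public key to u-boot binary."` would be the safer default. The pipeline's exit status is also that of `tee`, so a failed `cat` goes unnoticed; quoting the paths and testing the result would catch that. concat_dtb_helper starts outside the hunk.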
@@ -77,10 +77,12 @@ concat_dtb() {
mkdir -p ${DEPLOYDIR}
if [ -n "${UBOOT_CONFIG}" ]; then
for config in ${UBOOT_MACHINE}; do
+   CONFIG_B_PATH="${config}"
cd ${B}/${config}
concat_dtb_helper
done
else
+   CONFIG_B_PATH=""
cd ${B}
concat_dtb_helper
fi
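Review bot: `CONFIG_B_PATH` is handed to `concat_dtb_helper` as a shell global set just before each call, which makes the helper's output path depend on caller state that nothing documents. Passing it as an argument is more robust: call `concat_dtb_helper "${config}"` (and `concat_dtb_helper ""` in the else branch) and use `$1` inside the helper. As written, `${CONFIG_B_PATH}` is presumably also a candidate for BitBake's own variable expansion, so a metadata variable of that name would replace the shell value without notice. concat_dtb's opening line is outside the hunk.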
-- 
2.7.4



[OE-core] [warrior-next 46/54] libgpg-error: Fix build with gawk 5.x

2019-09-29 Thread Armin Kuster
From: Sean Nyekjaer 

Based on poky master, but for version 1.35

Signed-off-by: Sean Nyekjaer 
Signed-off-by: Armin Kuster 
---
 .../libgpg-error-1.35-gawk5-support.patch  | 161 +
 .../libgpg-error/libgpg-error_1.35.bb  |   1 +
 2 files changed, 162 insertions(+)
 create mode 100644 
meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.35-gawk5-support.patch

diff --git 
a/meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.35-gawk5-support.patch
 
b/meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.35-gawk5-support.patch
new file mode 100644
index 000..dc3d558
--- /dev/null
+++ 
b/meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.35-gawk5-support.patch
@@ -0,0 +1,161 @@
+Upstream-Status: Backport [https://dev.gnupg.org/T4459]
+Signed-off-by: Sean Nyekjaer 
+
+From 37069826e497d6af01e3e48fe5d2220ae7f85449 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka 
+Date: Mon, 15 Apr 2019 15:10:44 +0900
+Subject: [PATCH] awk: Prepare for Gawk 5.0.
+
+* src/Makefile.am: Use pkg_namespace (instead of namespace).
+* src/mkerrnos.awk: Likewise.
+* lang/cl/mkerrcodes.awk: Don't escape # in regexp.
+* src/mkerrcodes.awk, src/mkerrcodes1.awk, src/mkerrcodes2.awk: Ditto.
+
+--
+
+In Gawk 5.0, regexp routines are replaced by Gnulib implementation,
+which only allows escaping specific characters.
+
+GnuPG-bug-id: 4459
+Reported-by: Marius Schamschula
+Signed-off-by: NIIBE Yutaka 
+---
+ lang/cl/mkerrcodes.awk |  2 +-
+ src/Makefile.am|  2 +-
+ src/mkerrcodes.awk |  2 +-
+ src/mkerrcodes1.awk|  2 +-
+ src/mkerrcodes2.awk|  2 +-
+ src/mkerrnos.awk   |  2 +-
+ src/mkstrtable.awk | 10 +-
+ 7 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/lang/cl/mkerrcodes.awk b/lang/cl/mkerrcodes.awk
+index ae29043..9a1fc18 100644
+--- a/lang/cl/mkerrcodes.awk
 b/lang/cl/mkerrcodes.awk
+@@ -122,7 +122,7 @@ header {
+ }
+ 
+ !header {
+-  sub (/\#.+/, "");
++  sub (/#.+/, "");
+   sub (/[ ]+$/, ""); # Strip trailing space and tab characters.
+ 
+   if (/^$/)
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 42998e4..0ceac9f 100644
+--- a/src/Makefile.am
 b/src/Makefile.am
+@@ -281,7 +281,7 @@ code-from-errno.h: mkerrcodes Makefile
+ 
+ errnos-sym.h: Makefile mkstrtable.awk errnos.in
+   $(AWK) -f $(srcdir)/mkstrtable.awk -v textidx=2 -v nogettext=1 \
+-  -v prefix=GPG_ERR_ -v namespace=errnos_ \
++  -v prefix=GPG_ERR_ -v pkg_namespace=errnos_ \
+   $(srcdir)/errnos.in >$@
+ 
+ 
+diff --git a/src/mkerrcodes.awk b/src/mkerrcodes.awk
+index 46d436c..e9c857c 100644
+--- a/src/mkerrcodes.awk
 b/src/mkerrcodes.awk
+@@ -85,7 +85,7 @@ header {
+ }
+ 
+ !header {
+-  sub (/\#.+/, "");
++  sub (/#.+/, "");
+   sub (/[ ]+$/, ""); # Strip trailing space and tab characters.
+ 
+   if (/^$/)
+diff --git a/src/mkerrcodes1.awk b/src/mkerrcodes1.awk
+index a771a73..4578e29 100644
+--- a/src/mkerrcodes1.awk
 b/src/mkerrcodes1.awk
+@@ -81,7 +81,7 @@ header {
+ }
+ 
+ !header {
+-  sub (/\#.+/, "");
++  sub (/#.+/, "");
+   sub (/[ ]+$/, ""); # Strip trailing space and tab characters.
+ 
+   if (/^$/)
+diff --git a/src/mkerrcodes2.awk b/src/mkerrcodes2.awk
+index ea58503..188f7a4 100644
+--- a/src/mkerrcodes2.awk
 b/src/mkerrcodes2.awk
+@@ -91,7 +91,7 @@ header {
+ }
+ 
+ !header {
+-  sub (/\#.+/, "");
++  sub (/#.+/, "");
+   sub (/[ ]+$/, ""); # Strip trailing space and tab characters.
+ 
+   if (/^$/)
+diff --git a/src/mkerrnos.awk b/src/mkerrnos.awk
+index f79df66..15b1aad 100644
+--- a/src/mkerrnos.awk
 b/src/mkerrnos.awk
+@@ -83,7 +83,7 @@ header {
+ }
+ 
+ !header {
+-  sub (/\#.+/, "");
++  sub (/#.+/, "");
+   sub (/[ ]+$/, ""); # Strip trailing space and tab characters.
+ 
+   if (/^$/)
+diff --git a/src/mkstrtable.awk b/src/mkstrtable.awk
+index c9de9c1..285e45f 100644
+--- a/src/mkstrtable.awk
 b/src/mkstrtable.awk
+@@ -77,7 +77,7 @@
+ #
+ # The variable prefix can be used to prepend a string to each message.
+ #
+-# The variable namespace can be used to prepend a string to each
++# The variable pkg_namespace can be used to prepend a string to each
+ # variable and macro name.
+ 
+ BEGIN {
+@@ -102,7 +102,7 @@ header {
+   print "/* The purpose of this complex string table is to produce";
+   print "   optimal code with a minimum of relocations.  */";
+   print "";
+-  print "static const char " namespace "msgstr[] = ";
++  print "static const char " pkg_namespace "msgstr[] = ";
+   header = 0;
+ }
+   else
+@@ -110,7 +110,7 @@ header {
+ }
+ 
+ !header {
+-  sub (/\#.+/, "");
++  sub (/#.+/, "");
+   sub (/[ ]+$/, ""); # Strip trailing space and tab characters.
+ 
+   if (/^$/)
+@@ -150,7 +150,7 @@ END {
+   else
+ print "  gettext_noop (\"" last_msgstr "\");";
+   print "";
+-  print "static const int " namespace "msgidx[] =";
++  print "static const int " pkg_namespace "msgidx[] =";
+   pr

[OE-core] [warrior-next 48/54] gcc: Security fix for CVE-2019-15847

2019-09-29 Thread Armin Kuster
From: Armin Kuster 

Affects <= 9.2.0

Dropped Changelog changes

Signed-off-by: Armin Kuster 
---
 meta/recipes-devtools/gcc/gcc-8.3.inc  |   3 +
 .../gcc/gcc-8.3/CVE-2019-15847_p1.patch| 521 +
 .../gcc/gcc-8.3/CVE-2019-15847_p2.patch|  77 +++
 .../gcc/gcc-8.3/CVE-2019-15847_p3.patch|  45 ++
 4 files changed, 646 insertions(+)
 create mode 100644 meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-15847_p1.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-15847_p2.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-15847_p3.patch

diff --git a/meta/recipes-devtools/gcc/gcc-8.3.inc 
b/meta/recipes-devtools/gcc/gcc-8.3.inc
index 80f716a..8548830 100644
--- a/meta/recipes-devtools/gcc/gcc-8.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-8.3.inc
@@ -75,6 +75,9 @@ SRC_URI = "\
file://0042-PR-debug-86964.patch \

file://0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch \
file://CVE-2019-14250.patch \
+   file://CVE-2019-15847_p1.patch \
+   file://CVE-2019-15847_p2.patch \
+   file://CVE-2019-15847_p3.patch \
 "
 SRC_URI[md5sum] = "65b210b4bfe7e060051f799e0f994896"
 SRC_URI[sha256sum] = 
"64baadfe6cc0f4947a84cb12d7f0dfaf45bb58b7e92461639596c21e02d97d2c"
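Review bot: The header of the first patch added here, CVE-2019-15847_p1.patch, carries the tag `CVE: CVE-2019-14847 p1`, which names a different identifier from the commit subject and the file name. Tooling that reads the `CVE:` line from patch headers would record the wrong CVE as patched, and the trailing `p1` is not part of an identifier. The tag should read `CVE: CVE-2019-15847`; the headers of the _p2 and _p3 patches are not visible on this page and are worth checking for the same slip.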
diff --git a/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-15847_p1.patch 
b/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-15847_p1.patch
new file mode 100644
index 000..6fb5afc
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-15847_p1.patch
@@ -0,0 +1,521 @@
+From baf7c861e1cc523425029dcf81467f16c734fbd5 Mon Sep 17 00:00:00 2001
+From: segher 
+Date: Fri, 30 Aug 2019 14:13:51 +
+Subject: [PATCH 1/3]   Backport from trunk 2019-08-22  Segher Boessenkool
+  
+
+   * config/rs6000/altivec.md (unspec): Delete UNSPEC_DARN, UNSPEC_DARN_32,
+   UNSPEC_DARN_RAW, UNSPEC_CMPRB, UNSPEC_CMPRB2, UNSPEC_CMPEQB; move to...
+   * config/rs6000/rs6000.md (unspec): ... here.
+   * config/rs6000/altivec.md (darn_32, darn_raw, darn, cmprb,
+   *cmprb_internal, setb_signed, setb_unsigned, cmprb2, *cmprb2_internal,
+   cmpeqb, *cmpeqb_internal): Delete, move to...
+   * config/rs6000/rs6000.md (darn_32, darn_raw, darn, cmprb,
+   *cmprb_internal, setb_signed, setb_unsigned, cmprb2, *cmprb2_internal,
+   cmpeqb, *cmpeqb_internal): ... here.
+
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-8-branch@275180 
138bc75d-0d04-0410-961f-82ee72b054a4
+
+Upstream-Status: Backport
+CVE: CVE-2019-14847 p1
+Affects <= 9.2.0
+Dropped Changelog changes
+Signed-off-by: Armin Kuster 
+
+---
+ gcc/config/rs6000/altivec.md | 223 --
+ gcc/config/rs6000/rs6000.md  | 224 +++
+ 3 files changed, 239 insertions(+), 223 deletions(-)
+
+Index: gcc-8.3.0/gcc/config/rs6000/altivec.md
+===
+--- gcc-8.3.0.orig/gcc/config/rs6000/altivec.md
 gcc-8.3.0/gcc/config/rs6000/altivec.md
+@@ -80,9 +80,6 @@
+UNSPEC_VUPKHPX
+UNSPEC_VUPKLPX
+UNSPEC_CONVERT_4F32_8I16
+-   UNSPEC_DARN
+-   UNSPEC_DARN_32
+-   UNSPEC_DARN_RAW
+UNSPEC_DST
+UNSPEC_DSTT
+UNSPEC_DSTST
+@@ -161,9 +158,6 @@
+UNSPEC_BCDADD
+UNSPEC_BCDSUB
+UNSPEC_BCD_OVERFLOW
+-   UNSPEC_CMPRB
+-   UNSPEC_CMPRB2
+-   UNSPEC_CMPEQB
+UNSPEC_VRLMI
+UNSPEC_VRLNM
+ ])
+@@ -4317,223 +4311,6 @@
+   [(set_attr "length" "4")
+(set_attr "type" "vecsimple")])
+ 
+-(define_insn "darn_32"
+-  [(set (match_operand:SI 0 "register_operand" "=r")
+-(unspec:SI [(const_int 0)] UNSPEC_DARN_32))]
+-  "TARGET_P9_MISC"
+-  "darn %0,0"
+-  [(set_attr "type" "integer")])
+-
+-(define_insn "darn_raw"
+-  [(set (match_operand:DI 0 "register_operand" "=r")
+-(unspec:DI [(const_int 0)] UNSPEC_DARN_RAW))]
+-  "TARGET_P9_MISC && TARGET_64BIT"
+-  "darn %0,2"
+-  [(set_attr "type" "integer")])
+-
+-(define_insn "darn"
+-  [(set (match_operand:DI 0 "register_operand" "=r")
+-(unspec:DI [(const_int 0)] UNSPEC_DARN))]
+-  "TARGET_P9_MISC && TARGET_64BIT"
+-  "darn %0,1"
+-  [(set_attr "type" "integer")])
+-
+-;; Test byte within range.
+-;;
+-;; The bytes of operand 1 are organized as xx:xx:xx:vv, where xx
+-;; represents a byte whose value is ignored in this context and
+-;; vv, the least significant byte, holds the byte value that is to
+-;; be tested for membership within the range specified by operand 2.
+-;; The bytes of operand 2 are organized as xx:xx:hi:lo.
+-;;
+-;; Return in target register operand 0 a value of 1 if lo <= vv and
+-;; vv <= hi.  Otherwise, set register operand 0 to 0.
+-;;
+-;; Though the instructions to which this expansion maps operate on
+-;; 64-bit registers, the current implementation only operates on
+-;; SI-mode operands as the high-order bits provide no information
+-;; that is not already available in the low-order bits.  To avoi

[OE-core] [warrior-next 47/54] Curl: Security fix for CVE-2019-5482

2019-09-29 Thread Armin Kuster
From: Armin Kuster 

Source: curl.org
MR: 99905
Type: Security Fix
Disposition: Backport from 
https://github.com/curl/curl/commit/facb0e4662415b5f28163e853dc6742ac5fafb3d
ChangeID: e0c807da8937f687a4b2e28eaa6b4b5a51845bc5
Description:

Fixes CVE-2019-5482
- Affected versions: libcurl >= 7.19.4 to and including 7.65.3
- Not affected versions: libcurl < 7.19.4

Signed-off-by: Armin Kuster 
---
 meta/recipes-support/curl/curl/CVE-2019-5482.patch | 65 ++
 meta/recipes-support/curl/curl_7.64.1.bb   |  1 +
 2 files changed, 66 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2019-5482.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2019-5482.patch 
b/meta/recipes-support/curl/curl/CVE-2019-5482.patch
new file mode 100644
index 000..30122d1
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2019-5482.patch
@@ -0,0 +1,65 @@
+From facb0e4662415b5f28163e853dc6742ac5fafb3d Mon Sep 17 00:00:00 2001
+From: Thomas Vegas <>
+Date: Sat, 31 Aug 2019 17:30:51 +0200
+Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is
+ received
+
+Fixes potential buffer overflow from 'recvfrom()', should the server
+return an OACK without blksize.
+
+Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
+CVE-2019-5482
+
+Upstream-Status: Backport
+CVE: CVE-2019-5482
+
+Signed-off-by: Armin Kuster 
+
+---
+ lib/tftp.c | 12 +---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+Index: curl-7.64.1/lib/tftp.c
+===
+--- curl-7.64.1.orig/lib/tftp.c
 curl-7.64.1/lib/tftp.c
+@@ -973,6 +973,7 @@ static CURLcode tftp_connect(struct conn
+ {
+   tftp_state_data_t *state;
+   int blksize;
++  int need_blksize;
+ 
+   blksize = TFTP_BLKSIZE_DEFAULT;
+ 
+@@ -987,15 +988,20 @@ static CURLcode tftp_connect(struct conn
+   return CURLE_TFTP_ILLEGAL;
+   }
+ 
++  need_blksize = blksize;
++  /* default size is the fallback when no OACK is received */
++  if(need_blksize < TFTP_BLKSIZE_DEFAULT)
++need_blksize = TFTP_BLKSIZE_DEFAULT;
++
+   if(!state->rpacket.data) {
+-state->rpacket.data = calloc(1, blksize + 2 + 2);
++state->rpacket.data = calloc(1, need_blksize + 2 + 2);
+ 
+ if(!state->rpacket.data)
+   return CURLE_OUT_OF_MEMORY;
+   }
+ 
+   if(!state->spacket.data) {
+-state->spacket.data = calloc(1, blksize + 2 + 2);
++state->spacket.data = calloc(1, need_blksize + 2 + 2);
+ 
+ if(!state->spacket.data)
+   return CURLE_OUT_OF_MEMORY;
+@@ -1009,7 +1015,7 @@ static CURLcode tftp_connect(struct conn
+   state->sockfd = state->conn->sock[FIRSTSOCKET];
+   state->state = TFTP_STATE_START;
+   state->error = TFTP_ERR_NONE;
+-  state->blksize = blksize;
++  state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
+   state->requested_blksize = blksize;
+ 
+   ((struct sockaddr *)&state->local_addr)->sa_family =
diff --git a/meta/recipes-support/curl/curl_7.64.1.bb 
b/meta/recipes-support/curl/curl_7.64.1.bb
index 00c8c5a..151d74a 100644
--- a/meta/recipes-support/curl/curl_7.64.1.bb
+++ b/meta/recipes-support/curl/curl_7.64.1.bb
@@ -9,6 +9,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://0001-replace-krb5-config-with-pkg-config.patch \
file://CVE-2019-5435.patch \
file://CVE-2019-5436.patch \
+   file://CVE-2019-5482.patch \
 "
 
 SRC_URI[md5sum] = "790c101927845208a9d7e8c429ddd1b2"
-- 
2.7.4



[OE-core] [warrior-next 44/54] kernel-devsrc: tweak for v5.3+

2019-09-29 Thread Armin Kuster
From: Bruce Ashfield 

The 5.3 kernel has two changes that require tweaks to the minimal
kernel-devsrc package.

- 4ce97317f [x86/purgatory: Do not use __builtin_memcpy and __builtin_memset]

  This change removes the need for arch/x86/purgatory/string.c and
  instead reuses a copy in arch/x86/boot/compressed/, so we can't copy
  the file anymore. To support older kernels, we make the copy survive
  the non-existence of the file.

- b1663d7e [docs: Kbuild/Makefile: allow check for missing docs at build time]

  This change adds the sourcing of Documentation/Kbuild to the top
  level Kbuild file. So we now leave the copy of Documentation/'s Kbuild
  in the devsrc.

Signed-off-by: Bruce Ashfield 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/recipes-kernel/linux/kernel-devsrc.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-kernel/linux/kernel-devsrc.bb 
b/meta/recipes-kernel/linux/kernel-devsrc.bb
index 5ec5929..3900489 100644
--- a/meta/recipes-kernel/linux/kernel-devsrc.bb
+++ b/meta/recipes-kernel/linux/kernel-devsrc.bb
@@ -65,7 +65,6 @@ do_install() {
 )
 
 # then drop all but the needed Makefiles/Kconfig files
-rm -rf $kerneldir/build/Documentation
 rm -rf $kerneldir/build/scripts
 rm -rf $kerneldir/build/include
 
@@ -205,11 +204,12 @@ do_install() {
cp -a --parents arch/x86/purgatory/sha256.c $kerneldir/build/ 
2>/dev/null || :
 
cp -a --parents arch/x86/purgatory/stack.S $kerneldir/build/
-   cp -a --parents arch/x86/purgatory/string.c $kerneldir/build/
+   cp -a --parents arch/x86/purgatory/string.c $kerneldir/build/ 
2>/dev/null || :
cp -a --parents arch/x86/purgatory/setup-x86_64.S $kerneldir/build/
cp -a --parents arch/x86/purgatory/entry64.S $kerneldir/build/
cp -a --parents arch/x86/boot/string.h $kerneldir/build/
cp -a --parents arch/x86/boot/string.c $kerneldir/build/
+   cp -a --parents arch/x86/boot/compressed/string.c $kerneldir/build/ 
2>/dev/null || :
cp -a --parents arch/x86/boot/ctype.h $kerneldir/build/
fi
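Review bot: The two added `cp ... 2>/dev/null || :` lines for `arch/x86/purgatory/string.c` and `arch/x86/boot/compressed/string.c` hide every cp failure, not only the file being absent on some kernel versions, so a full disk or a permission problem would leave the devsrc tree silently missing a source file. Testing for the file first keeps real errors fatal: `if [ -e arch/x86/purgatory/string.c ]; then cp -a --parents arch/x86/purgatory/string.c $kerneldir/build/; fi`, and the same for the compressed copy. The sha256.c line in the context already uses the `|| :` idiom, so the change is consistent with the file as it stands, but it is worth tightening. do_install's body starts and ends outside the hunk.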
 
-- 
2.7.4



[OE-core] [warrior-next 42/54] gcc-8.3: Security fix for CVE-2019-14250

2019-09-29 Thread Armin Kuster
From: Armin Kuster 

Affects < 9.2

Signed-off-by: Armin Kuster 
Signed-off-by: Armin Kuster 
---
 meta/recipes-devtools/gcc/gcc-8.3.inc  |  1 +
 .../gcc/gcc-8.3/CVE-2019-14250.patch   | 44 ++
 2 files changed, 45 insertions(+)
 create mode 100644 meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-14250.patch

diff --git a/meta/recipes-devtools/gcc/gcc-8.3.inc 
b/meta/recipes-devtools/gcc/gcc-8.3.inc
index dce85a2..80f716a 100644
--- a/meta/recipes-devtools/gcc/gcc-8.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-8.3.inc
@@ -74,6 +74,7 @@ SRC_URI = "\

file://0041-Add-a-recursion-limit-to-libiberty-s-demangling-code.patch \
file://0042-PR-debug-86964.patch \

file://0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch \
+   file://CVE-2019-14250.patch \
 "
 SRC_URI[md5sum] = "65b210b4bfe7e060051f799e0f994896"
 SRC_URI[sha256sum] = 
"64baadfe6cc0f4947a84cb12d7f0dfaf45bb58b7e92461639596c21e02d97d2c"
diff --git a/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-14250.patch 
b/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-14250.patch
new file mode 100644
index 000..e327684
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-14250.patch
@@ -0,0 +1,44 @@
+From a4f1b58eb48b349a5f353bc69c30be553506d33b Mon Sep 17 00:00:00 2001
+From: rguenth 
+Date: Thu, 25 Jul 2019 10:48:26 +
+Subject: [PATCH] 2019-07-25  Richard Biener  
+
+   PR lto/90924
+   Backport from mainline
+   2019-07-12  Ren Kimura  
+
+   * simple-object-elf.c (simple_object_elf_match): Check zero value
+   shstrndx.
+
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-8-branch@273794 
138bc75d-0d04-0410-961f-82ee72b054a4
+
+Upstream-Status: Backport
+Affectes: <  9.2
+CVE: CVE-2019-14250
+Dropped changelog
+Signed-off-by: Armin Kuster 
+
+---
+ libiberty/simple-object-elf.c | 8 
+ 2 files changed, 17 insertions(+)
+
+Index: gcc-8.2.0/libiberty/simple-object-elf.c
+===
+--- gcc-8.2.0.orig/libiberty/simple-object-elf.c
 gcc-8.2.0/libiberty/simple-object-elf.c
+@@ -549,6 +549,14 @@ simple_object_elf_match (unsigned char h
+   return NULL;
+ }
+ 
++  if (eor->shstrndx == 0)
++{
++  *errmsg = "invalid ELF shstrndx == 0";
++  *err = 0;
++  XDELETE (eor);
++  return NULL;
++}
++
+   return (void *) eor;
+ }
+ 
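Review bot: The new `if (eor->shstrndx == 0)` guard in simple_object_elf_match carries no comment saying why index 0 is rejected, so a later reader cannot tell it is a hardening check against malformed input rather than a format quirk. I would add above it `/* Section index 0 is SHN_UNDEF, i.e. no section name string table; reject the file before shstrndx is used to locate section headers. */` (how shstrndx is used later is outside this hunk, so confirm the wording against the callers). Separately, the patch header still says `2 files changed, 17 insertions(+)` and `Index: gcc-8.2.0/...`, although only simple-object-elf.c with 8 added lines remains after the changelog was dropped and the recipe is gcc-8.3; regenerating the header would make the record match what is applied. The function body starts outside the hunk.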
-- 
2.7.4



[OE-core] [warrior-next 45/54] libxcrypt: Fix the build with -Os

2019-09-29 Thread Armin Kuster
From: Adrian Bunk 

| In file included from ../git/lib/alg-des.c:66:
| ../git/lib/alg-des.c: In function '_crypt_des_set_key':
| ../git/lib/byteorder.h:24:1: error: inlining failed in call to 'be32_to_cpu': 
call is unlikely and code size would grow [-Werror=inline]
|  be32_to_cpu (const unsigned char *buf)
|  ^~~
| ../git/lib/alg-des.c:81:13: note: called from here
|rawkey1 = be32_to_cpu (&key[4]);
|  ^

Signed-off-by: Adrian Bunk 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/recipes-core/libxcrypt/libxcrypt.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-core/libxcrypt/libxcrypt.bb 
b/meta/recipes-core/libxcrypt/libxcrypt.bb
index 3b9af6d..a712e72 100644
--- a/meta/recipes-core/libxcrypt/libxcrypt.bb
+++ b/meta/recipes-core/libxcrypt/libxcrypt.bb
@@ -24,7 +24,7 @@ FILES_${PN} = "${libdir}/libcrypt*.so.* 
${libdir}/libcrypt-*.so ${libdir}/libowc
 S = "${WORKDIR}/git"
 
 BUILD_CPPFLAGS = "-I${STAGING_INCDIR_NATIVE} -std=gnu99"
-TARGET_CPPFLAGS = "-I${STAGING_DIR_TARGET}${includedir} 
-Wno-error=missing-attributes"
-CPPFLAGS_append_class-nativesdk = " -Wno-error=missing-attributes"
+TARGET_CPPFLAGS = "-I${STAGING_DIR_TARGET}${includedir} -Wno-error"
+CPPFLAGS_append_class-nativesdk = " -Wno-error"
 
 BBCLASSEXTEND = "nativesdk"
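Review bot: Replacing `-Wno-error=missing-attributes` with a bare `-Wno-error` in TARGET_CPPFLAGS and in the nativesdk CPPFLAGS append turns off warnings-as-errors for the whole of libxcrypt, a password-hashing library, although the failure quoted in the description is only `-Werror=inline`. A narrower form keeps every other diagnostic fatal: `TARGET_CPPFLAGS = "-I${STAGING_DIR_TARGET}${includedir} -Wno-error=missing-attributes -Wno-error=inline"` and `CPPFLAGS_append_class-nativesdk = " -Wno-error=missing-attributes -Wno-error=inline"`. If the blanket flag is kept, a comment above it naming the -Os inlining failure would tell the next maintainer when it can be dropped.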
-- 
2.7.4



[OE-core] [warrior-next 41/54] glibc / glibc-locale: Fix stash_locale determinism problems

2019-09-29 Thread Armin Kuster
From: Jason Wessel 

When using sstate, or performing an incremental build any change to
the do_stash_locale() will cause a build failure because
do_stash_locale() was destroying the results obtained from the
do_install() with several mv operations.  A recent change to
do_stash_locale() for a different problem illustrated a number of
build failures for users in the community.

To fix the problem, do_stash_locale() must use copy operations instead
of the mv operations.  Because this is changed to a copy, the sysroot
and package stage need to remove the files that would have been
previously removed.  The correct "fixup" code to deal with the removal
already existed in the previous do_poststash_install_cleanup().  All
that needed change was the path to where to remove the files
from the sysroot and package stages.

In order to force a re-compilation of glibc some unused white space
was removed from do_compile() for glibc.  I could not find any other
way around this and we don't want to have all the community folks to
have another iteration where they have to remove their tmp directories
or purge some portion of the sstate.  It also makes this change
bisectable. If the change to the glibc is not included, it will fail
with the following message:

=
| DEBUG: Executing shell function do_prep_locale_tree
| tar: i18n: Cannot stat: No such file or directory
| tar: Exiting with failure status due to previous errors
| gzip: 
/poky/build/tmp/work/core2-64-poky-linux/glibc-locale/2.29-r0/locale-tree//usr/share/i18n/charmaps/*gz.gz:
 No such file or directory
=

After this one time change I tested changing only the
do_stash_locale() function and it now works well because it is
deterministically operating off the sstate data or a local build.

Signed-off-by: Jason Wessel 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/recipes-core/glibc/glibc-package.inc | 40 ++-
 meta/recipes-core/glibc/glibc_2.29.bb |  1 -
 2 files changed, 24 insertions(+), 17 deletions(-)

diff --git a/meta/recipes-core/glibc/glibc-package.inc 
b/meta/recipes-core/glibc/glibc-package.inc
index ff17a19..5cfb1b6 100644
--- a/meta/recipes-core/glibc/glibc-package.inc
+++ b/meta/recipes-core/glibc/glibc-package.inc
@@ -164,13 +164,13 @@ do_stash_locale () {
install -d ${dest}${base_libdir} ${dest}${bindir} ${dest}${libdir} 
${dest}${datadir}
# Hide away the locale data from the deployment
if [ -e ${D}${bindir}/localedef ]; then
-   mv -f ${D}${bindir}/localedef ${dest}${bindir}
+   cp -a ${D}${bindir}/localedef ${dest}${bindir}
fi
if [ -e ${D}${libdir}/gconv ]; then
-   mv -f ${D}${libdir}/gconv ${dest}${libdir}
+   cp -a ${D}${libdir}/gconv ${dest}${libdir}
fi
if [ -e ${D}${datadir}/i18n ]; then
-   mv ${D}${datadir}/i18n ${dest}${datadir}
+   cp -a  ${D}${datadir}/i18n ${dest}${datadir}
fi
 
# Make a copy of all the libraries into the locale stash
@@ -210,30 +210,38 @@ python do_stash_locale_setscene () {
 }
 addtask do_stash_locale_setscene
 
-do_poststash_install_cleanup () {
-   # Remove all files which do_stash_locale would remove (mv)
-   # since that task could have come from sstate and not get run.
+PACKAGE_PREPROCESS_FUNCS += "stash_locale_package_cleanup"
+SYSROOT_PREPROCESS_FUNCS += "stash_locale_sysroot_cleanup"
+stash_locale_cleanup () {
+   cleanupdir=$1
+   # Remove all files which do_stash_locale() copies
for i in ${bashscripts}; do
-   rm -f ${D}${bindir}/$i
+   rm -f ${cleanupdir}${bindir}/$i
done
-   rm -f ${D}${bindir}/localedef
-   rm -rf ${D}${datadir}/i18n
-   rm -rf ${D}${libdir}/gconv
-   rm -rf ${D}/${localedir}
-   rm -rf ${D}${datadir}/locale
+   rm -f ${cleanupdir}${bindir}/localedef
+   rm -rf ${cleanupdir}${datadir}/i18n
+   rm -rf ${cleanupdir}${libdir}/gconv
+   rm -rf ${cleanupdir}/${localedir}
+   rm -rf ${cleanupdir}${datadir}/locale
if [ "${libdir}" != "${exec_prefix}/lib" ] && [ "${root_prefix}/lib" != 
"${exec_prefix}/lib" ]; then
-   if [ -d "${D}${exec_prefix}/lib" ]; then
+   if [ -d "${cleanupdir}${exec_prefix}/lib" ]; then
if [ -z "${ARCH_DYNAMIC_LOADER}" -o \
-! -e "${D}${exec_prefix}/lib/${ARCH_DYNAMIC_LOADER}" ]; 
then
+! -e 
"${cleanupdir}${exec_prefix}/lib/${ARCH_DYNAMIC_LOADER}" ]; then
# error out if directory isn't empty
# this dir should only contain locale dir
# which has been deleted in the previous step
-   rmdir ${D}${exec_prefix}/lib
+   rmdir ${cleanupdir}${exec_prefix}/lib
fi
fi
fi
 }
-addtask do_poststash_install_cleanup after do_stash_locale do_install before 
do_populate_sysroot
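Review bot: stash_locale_cleanup runs `rm -rf` on `${cleanupdir}${datadir}/i18n`, `${cleanupdir}${libdir}/gconv` and the other paths with `cleanupdir=$1` unchecked, so a call with a missing or empty argument would resolve them to absolute paths on the build host instead of a staging directory. A guard as the first line of the function closes that off: `[ -n "$cleanupdir" ] || bbfatal "stash_locale_cleanup needs a directory argument"`. The functions named in PACKAGE_PREPROCESS_FUNCS and SYSROOT_PREPROCESS_FUNCS are not shown on this page (the hunk is cut off after the removed addtask line), so whether they always pass a non-empty directory could not be checked here.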

[OE-core] [warrior-next 35/54] gcc: reduce the variables in symtab

2019-09-29 Thread Armin Kuster
From: Zhixiong Chi 

Backport the patch from upstream:
https://github.com/gcc-mirror/gcc.git [commit beb921e]
https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=269925

Add the premark_used_variables function, meanwhile do not mark
not premarked external variables in prune_unused_types_walk.

Signed-off-by: Zhixiong Chi 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/recipes-devtools/gcc/gcc-8.3.inc  |  1 +
 .../gcc/gcc-8.3/0042-PR-debug-86964.patch  | 94 ++
 2 files changed, 95 insertions(+)
 create mode 100644 meta/recipes-devtools/gcc/gcc-8.3/0042-PR-debug-86964.patch

diff --git a/meta/recipes-devtools/gcc/gcc-8.3.inc 
b/meta/recipes-devtools/gcc/gcc-8.3.inc
index a64f48a..7925337 100644
--- a/meta/recipes-devtools/gcc/gcc-8.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-8.3.inc
@@ -72,6 +72,7 @@ SRC_URI = "\
file://0039-riscv-Disable-multilib-for-OE.patch \
file://0040-powerpc-powerpc64-Add-support-for-musl-ldso.patch \

file://0041-Add-a-recursion-limit-to-libiberty-s-demangling-code.patch \
+   file://0042-PR-debug-86964.patch \
 "
 SRC_URI[md5sum] = "65b210b4bfe7e060051f799e0f994896"
 SRC_URI[sha256sum] = 
"64baadfe6cc0f4947a84cb12d7f0dfaf45bb58b7e92461639596c21e02d97d2c"
diff --git a/meta/recipes-devtools/gcc/gcc-8.3/0042-PR-debug-86964.patch 
b/meta/recipes-devtools/gcc/gcc-8.3/0042-PR-debug-86964.patch
new file mode 100644
index 000..d9b5d39
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-8.3/0042-PR-debug-86964.patch
@@ -0,0 +1,94 @@
+From beb921e1106b5bcbb0c6e2be84b241327e2ffc51 Mon Sep 17 00:00:00 2001
+From: law 
+Date: Mon, 25 Mar 2019 21:19:09 +
+Subject: [PATCH]   PR debug/86964  * dwarf2out.c
+ (premark_used_variables): New function.   (prune_unused_types_walk): Do
+ not mark not premarked external   variables.  (prune_unused_types):
+ Call premark_used_variables.
+
+   * gcc.dg/debug/dwarf2/pr86964.c: New testcase.
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@269925 
138bc75d-0d04-0410-961f-82ee72b054a4
+
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi 
+---
+ gcc/ChangeLog   |  8 ++
+ gcc/dwarf2out.c | 32 +
+ 2 files changed, 40 insertions(+)
+
+diff --git a/gcc/ChangeLog b/gcc/ChangeLog
+index 2075480ca2b..cdce539ac6f 100644
+--- a/gcc/ChangeLog
 b/gcc/ChangeLog
+@@ -1,3 +1,11 @@
++2019-03-25  Johan Karlsson 
++
++  PR debug/86964
++  * dwarf2out.c (premark_used_variables): New function.
++  (prune_unused_types_walk): Do not mark not premarked external
++  variables.
++  (prune_unused_types): Call premark_used_variables.
++
+ 2019-02-22  Release Manager
+ 
+   * GCC 8.3.0 released.
+diff --git a/gcc/dwarf2out.c b/gcc/dwarf2out.c
+index ae8bdee9981..b9a624e1ac7 100644
+--- a/gcc/dwarf2out.c
 b/gcc/dwarf2out.c
+@@ -22658,6 +22658,21 @@ premark_types_used_by_global_vars (void)
+   ->traverse (NULL);
+ }
+ 
++/* Mark all variables used by the symtab as perennial.  */
++
++static void
++premark_used_variables (void)
++{
++  /* Mark DIEs in the symtab as used.  */
++  varpool_node *var;
++  FOR_EACH_VARIABLE (var)
++{
++  dw_die_ref die = lookup_decl_die (var->decl);
++  if (die)
++  die->die_perennial_p = 1;
++}
++}
++
+ /* Generate a DW_TAG_call_site DIE in function DECL under SUBR_DIE
+for CA_LOC call arg loc node.  */
+ 
+@@ -29264,6 +29279,19 @@ prune_unused_types_walk (dw_die_ref die)
+ 
+   return;
+ 
++case DW_TAG_variable:
++  if (flag_debug_only_used_symbols)
++  {
++if (die->die_perennial_p)
++  break;
++
++/* premark_used_variables marks external variables --- don't mark
++   them here.  */
++if (get_AT (die, DW_AT_external))
++  return;
++  }
++  /* FALLTHROUGH */
++
+ default:
+   /* Mark everything else.  */
+   break;
+@@ -29390,6 +29418,10 @@ prune_unused_types (void)
+   /* Mark types that are used in global variables.  */
+   premark_types_used_by_global_vars ();
+ 
++  /* Mark variables used in the symtab.  */
++  if (flag_debug_only_used_symbols)
++premark_used_variables ();
++
+   /* Set the mark on nodes that are actually used.  */
+   prune_unused_types_walk (comp_unit_die ());
+   for (node = limbo_die_list; node; node = node->next)
+-- 
+2.21.0
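Review bot: The backported patch keeps its `gcc/ChangeLog` section (`@@ -1,3 +1,11 @@`), which is the part of a GCC backport most likely to stop applying when the recipe is refreshed or another patch touches the same file; dropping that section and saying so in the header, e.g. `Dropped changelog`, would avoid that. The subject also lists `gcc.dg/debug/dwarf2/pr86964.c: New testcase`, but no such file is in the patch, so the header should say the testcase was left out. The status line would be easier to audit with the revision beside it, using the URL the commit message already gives: `Upstream-Status: Backport [https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=269925]`.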
-- 
2.7.4



[OE-core] [warrior-next 39/54] glibc-locale: Fix build error with PACKAGE_NO_GCONV = "1"

2019-09-29 Thread Armin Kuster
From: Jason Wessel 

When the PACKAGE_NO_GCONV is set to 1 an empty directory is left behind from 
the do_install rule:

=
ERROR: glibc-locale-2.29-r0 do_package: QA Issue: glibc-locale: 
Files/directories were installed but not shipped in any package:
  /usr/lib
  /usr/lib/locale
Please set FILES such that these items are packaged. Alternatively if they are 
unneeded, avoid installing them or delete them within do_install.
glibc-locale: 2 installed and not shipped files. [installed-vs-shipped]
ERROR: glibc-locale-2.29-r0 do_package: Fatal QA errors found, failing task.
=

The simple fix is to prune the empty directory.

Signed-off-by: Jason Wessel 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/recipes-core/glibc/glibc-locale.inc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-core/glibc/glibc-locale.inc 
b/meta/recipes-core/glibc/glibc-locale.inc
index a985d26..17f5b78 100644
--- a/meta/recipes-core/glibc/glibc-locale.inc
+++ b/meta/recipes-core/glibc/glibc-locale.inc
@@ -89,6 +89,9 @@ do_install() {
if [ ${PACKAGE_NO_GCONV} -eq 0 ]; then
copy_locale_files ${libdir}/gconv 0755
copy_locale_files ${datadir}/i18n 0644
+   else
+   # Remove the libdir if it is empty when gconv is not copied
+   find ${D}${libdir} -type d -empty -delete
fi
copy_locale_files ${datadir}/locale 0644
install -m 0644 ${LOCALETREESRC}/SUPPORTED ${WORKDIR}/SUPPORTED
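Review bot: The added `find ${D}${libdir} -type d -empty -delete` removes every empty directory below libdir, while its comment speaks only of removing libdir itself. The QA error in the description lists both /usr/lib and /usr/lib/locale, so the recursive behaviour looks intended, and the comment should say so, e.g. `# Prune empty directories left under libdir when gconv is not copied`. If `${D}${libdir}` can be absent in this configuration, find exits non-zero, which presumably aborts the task; `if [ -d ${D}${libdir} ]; then find ${D}${libdir} -type d -empty -delete; fi` avoids that. do_install's body starts and ends outside the hunk.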
-- 
2.7.4



[OE-core] [warrior-next 40/54] glibc/glibc-locale: Fix do_stash_locale to work with usrmerge and multilibs

2019-09-29 Thread Armin Kuster
From: Jason Wessel 

The do_stash_locale was not working consistently across the 4 build
configurations and the multilib, usrmerge configuration would fail
entirely with the obscure message:

| DEBUG: Executing shell function do_prep_locale_tree
| tar: i18n: Cannot stat: No such file or directory
| tar: Exiting with failure status due to previous errors
| gzip: 
/poky/build/tmp/work/core2-64-poky-linux/glibc-locale/2.29-r0/locale-tree//usr/share/i18n/charmaps/*gz.gz:
 No such file or directory
| WARNING: 
/poky/build/tmp/work/core2-64-poky-linux/glibc-locale/2.29-r0/temp/run.do_prep_locale_tree.124690:1
 exit 1 from 'gunzip $i'

Here is the 4 build configurations without the patch applied:

A) x86-64 no multilibs, no usrmerge
find ./tmp/work/*/glibc/2.29-r0/stashed-locale -type f |grep -v nscd.service 
|wc -l
909
B) x86-64 no multilibs, usrmerge
find ./tmp/work/*/glibc/2.29-r0/stashed-locale -type f |grep -v nscd.service 
|wc -l
909
C) x86-64 multilibs, no usrmerge
find ./tmp/work/*/glibc/2.29-r0/stashed-locale -type f |grep -v nscd.service 
|wc -l
885
D) x86-64 multilibs, usrmerge
find ./tmp/work/*/glibc/2.29-r0/stashed-locale -type f |grep -v nscd.service 
|wc -l
864

The issue here is that all the moves should be processed first, then a
copy should be made of the lib directories, but only in the case they
are different when using the usrmerge feature.  Even though the build
worked for the multilib configuration without usrmerge, the content
was not the same.

After applying the patch the same number of files are in all the
configurations.  The list of files was also diffed, after normalizing
the directory names to ensure all the correct files were copied.

Ultimately there are probably additional files that should be pruned
from what is copied to the stated_locale, but the purpose of this
patch is to make it 100% consistent between the build types and fix the
builds.

Signed-off-by: Jason Wessel 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/recipes-core/glibc/glibc-package.inc | 19 +--
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/meta/recipes-core/glibc/glibc-package.inc 
b/meta/recipes-core/glibc/glibc-package.inc
index a1d79b3..ff17a19 100644
--- a/meta/recipes-core/glibc/glibc-package.inc
+++ b/meta/recipes-core/glibc/glibc-package.inc
@@ -162,21 +162,28 @@ bashscripts = "mtrace sotruss xtrace"
 do_stash_locale () {
dest=${LOCALESTASH}
install -d ${dest}${base_libdir} ${dest}${bindir} ${dest}${libdir} 
${dest}${datadir}
-   if [ "${base_libdir}" != "${libdir}" ]; then
-   cp -fpPR ${D}${base_libdir}/* ${dest}${base_libdir}
-   fi
+   # Hide away the locale data from the deployment
if [ -e ${D}${bindir}/localedef ]; then
mv -f ${D}${bindir}/localedef ${dest}${bindir}
fi
if [ -e ${D}${libdir}/gconv ]; then
mv -f ${D}${libdir}/gconv ${dest}${libdir}
fi
-   if [ -e ${D}${exec_prefix}/lib ]; then
-   cp -fpPR ${D}${exec_prefix}/lib ${dest}${exec_prefix}
-   fi
if [ -e ${D}${datadir}/i18n ]; then
mv ${D}${datadir}/i18n ${dest}${datadir}
fi
+
+   # Make a copy of all the libraries into the locale stash
+   cp -fpPR ${D}${libdir}/* ${dest}${libdir}
+   if [ "${base_libdir}" != "${libdir}" ]; then
+   cp -fpPR ${D}${base_libdir}/* ${dest}${base_libdir}
+   fi
+   if [ -e ${D}${exec_prefix}/lib ]; then
+   if [ ${exec_prefix}/lib != ${base_libdir} ] && [ 
${exec_prefix}/lib != ${libdir} ]; then
+   cp -fpPR ${D}${exec_prefix}/lib ${dest}${exec_prefix}
+   fi
+   fi
+
cp -fpPR ${D}${datadir}/* ${dest}${datadir}
rm -rf ${D}${datadir}/locale/
cp -fpPR ${WORKDIR}/SUPPORTED ${dest}
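Review bot: The new inner test `[ ${exec_prefix}/lib != ${base_libdir} ] && [ ${exec_prefix}/lib != ${libdir} ]` leaves its operands unquoted, unlike the `[ "${base_libdir}" != "${libdir}" ]` test a few lines above it; if base_libdir or libdir expanded to an empty string the test would become a shell error rather than a comparison. Quoting both sides matches the neighbouring line: `if [ "${exec_prefix}/lib" != "${base_libdir}" ] && [ "${exec_prefix}/lib" != "${libdir}" ]; then`. The added `cp -fpPR ${D}${libdir}/* ${dest}${libdir}` also has no existence check, unlike the guarded copies around it, so it relies on libdir never being empty after do_install. do_stash_locale's body continues past the end of the hunk.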
-- 
2.7.4



[OE-core] [warrior-next 34/54] glib-2.0: fix CVE-2019-13012

2019-09-29 Thread Armin Kuster
From: Anuj Mittal 

Signed-off-by: Anuj Mittal 
Signed-off-by: Armin Kuster 
---
 .../glib-2.0/glib-2.0/CVE-2019-13012.patch | 40 ++
 meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb  |  1 +
 2 files changed, 41 insertions(+)
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch

diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch 
b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch
new file mode 100644
index 000..c882cba
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch
@@ -0,0 +1,40 @@
+From 9fd6b4b21891adc318784f6a141f40d767b0d73c Mon Sep 17 00:00:00 2001
+From: Matthias Clasen 
+Date: Tue, 22 Jan 2019 13:26:31 -0500
+Subject: [PATCH] keyfile settings: Use tighter permissions
+
+When creating directories, create them with 700 permissions,
+instead of 777.
+
+Closes: #1658
+CVE: CVE-2019-13012
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/glib/commit/5e4da714f00f6bfb2ccd6d73d61329c6f3a08429]
+Signed-off-by: Anuj Mittal 
+
+---
+ gio/gkeyfilesettingsbackend.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
+index a37978e..580a0b0 100644
+--- a/gio/gkeyfilesettingsbackend.c
 b/gio/gkeyfilesettingsbackend.c
+@@ -89,7 +89,8 @@ g_keyfile_settings_backend_keyfile_write 
(GKeyfileSettingsBackend *kfsb)
+ 
+   contents = g_key_file_to_data (kfsb->keyfile, &length, NULL);
+   g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE,
+-   G_FILE_CREATE_REPLACE_DESTINATION,
++   G_FILE_CREATE_REPLACE_DESTINATION |
++   G_FILE_CREATE_PRIVATE,
+NULL, NULL, NULL);
+ 
+   compute_checksum (kfsb->digest, contents, length);
+@@ -640,7 +641,7 @@ g_keyfile_settings_backend_new (const gchar *filename,
+ 
+   kfsb->file = g_file_new_for_path (filename);
+   kfsb->dir = g_file_get_parent (kfsb->file);
+-  g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
++  g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700);
+ 
+   kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL);
+   kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL);
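Review bot: In g_keyfile_settings_backend_new, `g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700)` sets the mode only on directories it creates, so a settings directory that an earlier build already created with the wider mode keeps it after the upgrade, and the call's return value is not checked. A comment on that line would make the limit explicit, e.g. `/* 0700 applies to newly created directories only; existing ones keep their mode */`. Systems updated in place may still need the permissions of existing keyfile directories checked. The function body starts and ends outside the hunk.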
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb 
b/meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb
index 733a2d4..2286d03 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb
@@ -18,6 +18,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz 
\

file://0001-meson.build-do-not-hardcode-linux-as-the-host-system.patch \

file://0001-meson-do-a-build-time-check-for-strlcpy-before-attem.patch \
file://glib-meson.cross \
+   file://CVE-2019-13012.patch \
"
 
 SRC_URI_append_class-native = " file://relocate-modules.patch"
-- 
2.7.4



[OE-core] [warrior-next 33/54] pango: fix CVE-2019-1010238

2019-09-29 Thread Armin Kuster
From: Anuj Mittal 

Signed-off-by: Anuj Mittal 
Signed-off-by: Armin Kuster 
---
 .../pango/pango/CVE-2019-1010238.patch | 38 ++
 meta/recipes-graphics/pango/pango_1.42.4.bb|  4 ++-
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-graphics/pango/pango/CVE-2019-1010238.patch

diff --git a/meta/recipes-graphics/pango/pango/CVE-2019-1010238.patch 
b/meta/recipes-graphics/pango/pango/CVE-2019-1010238.patch
new file mode 100644
index 000..5b0c342
--- /dev/null
+++ b/meta/recipes-graphics/pango/pango/CVE-2019-1010238.patch
@@ -0,0 +1,38 @@
+From 490f8979a260c16b1df055eab386345da18a2d54 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen 
+Date: Wed, 10 Jul 2019 20:26:23 -0400
+Subject: [PATCH] bidi: Be safer against bad input
+
+Don't run off the end of an array that we
+allocated to certain length.
+
+Closes: https://gitlab.gnome.org/GNOME/pango/issues/342
+
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/pango/commit/490f8979a260c16b1df055eab386345da18a2d54]
+CVE: CVE-2019-1010238
+Signed-off-by: Anuj Mittal 
+---
+ pango/pango-bidi-type.c | 7 +--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/pango/pango-bidi-type.c b/pango/pango-bidi-type.c
+index 3e46b66c..5c02dbbb 100644
+--- a/pango/pango-bidi-type.c
 b/pango/pango-bidi-type.c
+@@ -181,8 +181,11 @@ pango_log2vis_get_embedding_levels (const gchar*text,
+   for (i = 0, p = text; p < text + length; p = g_utf8_next_char(p), i++)
+ {
+   gunichar ch = g_utf8_get_char (p);
+-  FriBidiCharType char_type;
+-  char_type = fribidi_get_bidi_type (ch);
++  FriBidiCharType char_type = fribidi_get_bidi_type (ch);
++
++  if (i == n_chars)
++break;
++
+   bidi_types[i] = char_type;
+   ored_types |= char_type;
+   if (FRIBIDI_IS_STRONG (char_type))
+-- 
+2.21.0
+
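Review bot: The bound check `if (i == n_chars) break;` in pango_log2vis_get_embedding_levels has no comment saying when `i` can reach `n_chars` while `p < text + length` still holds, and it stops the loop silently. Presumably this happens with malformed UTF-8, where the walk yields more characters than were counted when bidi_types was sized; a comment would record that, e.g. `/* Invalid UTF-8 can make this walk longer than n_chars; stop before writing past bidi_types. */`. The check also sits after the character has been read and classified, so putting it in the loop condition, `p < text + length && i < n_chars`, would state the array bound where a reader expects it. The function body starts and ends outside the hunk, so how the shortened result is handled afterwards is not visible here.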
diff --git a/meta/recipes-graphics/pango/pango_1.42.4.bb 
b/meta/recipes-graphics/pango/pango_1.42.4.bb
index f3be9f4..1e1a5b8 100644
--- a/meta/recipes-graphics/pango/pango_1.42.4.bb
+++ b/meta/recipes-graphics/pango/pango_1.42.4.bb
@@ -16,7 +16,9 @@ GNOMEBASEBUILDCLASS = "meson"
 inherit gnomebase gtk-doc ptest-gnome upstream-version-is-even 
gobject-introspection
 
 SRC_URI += "file://run-ptest \
-file://insensitive-diff.patch"
+file://insensitive-diff.patch \
+file://CVE-2019-1010238.patch \
+"
 
 SRC_URI[archive.md5sum] = "deb171a31a3ad76342d5195a1b5bbc7c"
 SRC_URI[archive.sha256sum] = 
"1d2b74cd63e8bd41961f2f8d952355aa0f9be6002b52c8aa7699d9f5da597c9d"
-- 
2.7.4



[OE-core] [warrior-next 31/54] powertop: import a fix from buildroot

2019-09-29 Thread Armin Kuster
From: Martin Jansa 

Signed-off-by: Martin Jansa 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 .../0001-wakeup_xxx.h-include-limits.h.patch   | 55 ++
 meta/recipes-kernel/powertop/powertop_2.10.bb  |  1 +
 2 files changed, 56 insertions(+)
 create mode 100644 
meta/recipes-kernel/powertop/powertop/0001-wakeup_xxx.h-include-limits.h.patch

diff --git 
a/meta/recipes-kernel/powertop/powertop/0001-wakeup_xxx.h-include-limits.h.patch
 
b/meta/recipes-kernel/powertop/powertop/0001-wakeup_xxx.h-include-limits.h.patch
new file mode 100644
index 000..7bfca8a
--- /dev/null
+++ 
b/meta/recipes-kernel/powertop/powertop/0001-wakeup_xxx.h-include-limits.h.patch
@@ -0,0 +1,55 @@
+From 4c24fdd8e0a42359df7308155b2d43c28a5e02fd Mon Sep 17 00:00:00 2001
+From: Fabrice Fontaine 
+Date: Mon, 20 May 2019 20:25:00 +0200
+Subject: [PATCH] wakeup_xxx.h: include limits.h
+
+limits.h must be included to define PATH_MAX otherwise build will fail
+on:
+
+In file included from wakeup/wakeup_ethernet.cpp:45:0:
+wakeup/wakeup_ethernet.h:35:16: error: 'PATH_MAX' was not declared in this 
scope
+  char eth_path[PATH_MAX];
+
+In file included from wakeup/wakeup_usb.cpp:45:0:
+wakeup/wakeup_usb.h:35:16: error: 'PATH_MAX' was not declared in this scope
+  char usb_path[PATH_MAX];
+
+Fixes:
+ - 
http://autobuild.buildroot.org/results/a0b3337cf4a827e6566f8b15b6bb180f0dcef7a3
+
+Signed-off-by: Fabrice Fontaine 
+Signed-off-by: Martin Jansa 
+
+Upstream-Status: Submitted 
[https://lists.01.org/pipermail/powertop/2019-May/002052.html]
+---
+ src/wakeup/wakeup_ethernet.h | 1 +
+ src/wakeup/wakeup_usb.h  | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/wakeup/wakeup_ethernet.h b/src/wakeup/wakeup_ethernet.h
+index 682bf95..e0fa628 100644
+--- a/src/wakeup/wakeup_ethernet.h
 b/src/wakeup/wakeup_ethernet.h
+@@ -25,6 +25,7 @@
+ #ifndef _INCLUDE_GUARD_ETHERNET_WAKEUP_H
+ #define _INCLUDE_GUARD_ETHERNET_WAKEUP_H
+ 
++#include 
+ #include 
+ 
+ #include "wakeup.h"
+diff --git a/src/wakeup/wakeup_usb.h b/src/wakeup/wakeup_usb.h
+index f7a1f7e..15898e3 100644
+--- a/src/wakeup/wakeup_usb.h
 b/src/wakeup/wakeup_usb.h
+@@ -25,6 +25,7 @@
+ #ifndef _INCLUDE_GUARD_USB_WAKEUP_H
+ #define _INCLUDE_GUARD_USB_WAKEUP_H
+ 
++#include 
+ #include 
+ 
+ #include "wakeup.h"
+-- 
+2.20.1
+
diff --git a/meta/recipes-kernel/powertop/powertop_2.10.bb 
b/meta/recipes-kernel/powertop/powertop_2.10.bb
index d943ba9..5be8d23 100644
--- a/meta/recipes-kernel/powertop/powertop_2.10.bb
+++ b/meta/recipes-kernel/powertop/powertop_2.10.bb
@@ -7,6 +7,7 @@ LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e"
 
 SRC_URI = "http://01.org/sites/default/files/downloads/powertop-v${PV}.tar.gz \
+file://0001-wakeup_xxx.h-include-limits.h.patch \
 "
 
 SRC_URI[md5sum] = "a69bd55901cf919cc564187402ea2c9c"
-- 
2.7.4



[OE-core] [warrior-next 37/54] binutils: Fix mips patch which changes default emulation

2019-09-29 Thread Armin Kuster
From: Nathan Rossi 

The patch incorrectly removes 'mips_elf32_ntrad_le_vec' from the
'targ_selvecs' replacing it with duplicate entries for
'mips_elf32_ntrad_be_vec'. Correct this so that the default binutils can
still handle 'mips_elf32_ntrad_le_vec' binaries.

Signed-off-by: Nathan Rossi 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 .../0010-Change-default-emulation-for-mips64-linux.patch | 9 +++--
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git 
a/meta/recipes-devtools/binutils/binutils/0010-Change-default-emulation-for-mips64-linux.patch
 
b/meta/recipes-devtools/binutils/binutils/0010-Change-default-emulation-for-mips64-linux.patch
index ba5e4c2..5f4ac72 100644
--- 
a/meta/recipes-devtools/binutils/binutils/0010-Change-default-emulation-for-mips64-linux.patch
+++ 
b/meta/recipes-devtools/binutils/binutils/0010-Change-default-emulation-for-mips64-linux.patch
@@ -1,4 +1,4 @@
-From d540e95d05cd7c4b8924ac7b257c14ae0105d0ab Mon Sep 17 00:00:00 2001
+From 958a49749b772660d3bafb80748829cba6bed065 Mon Sep 17 00:00:00 2001
 From: Khem Raj 
 Date: Mon, 2 Mar 2015 01:44:14 +
 Subject: [PATCH 10/15] Change default emulation for mips64*-*-linux
@@ -14,7 +14,7 @@ Signed-off-by: Khem Raj 
  2 files changed, 8 insertions(+), 8 deletions(-)
 
 diff --git a/bfd/config.bfd b/bfd/config.bfd
-index 0e1ddb659c..cc65547588 100644
+index 0e1ddb659c..d4f50f0a8d 100644
 --- a/bfd/config.bfd
 +++ b/bfd/config.bfd
 @@ -919,12 +919,12 @@ case "${targ}" in
@@ -30,7 +30,7 @@ index 0e1ddb659c..cc65547588 100644
 -targ_defvec=mips_elf32_ntrad_be_vec
 -targ_selvecs="mips_elf32_ntrad_le_vec mips_elf32_trad_be_vec 
mips_elf32_trad_le_vec mips_elf64_trad_be_vec mips_elf64_trad_le_vec"
 +targ_defvec=mips_elf64_trad_be_vec
-+targ_selvecs="mips_elf32_ntrad_be_vec mips_elf32_ntrad_be_vec 
mips_elf32_trad_be_vec mips_elf32_trad_le_vec mips_elf64_trad_le_vec"
++targ_selvecs="mips_elf32_ntrad_be_vec mips_elf32_ntrad_le_vec 
mips_elf32_trad_be_vec mips_elf32_trad_le_vec mips_elf64_trad_le_vec"
  ;;
mips*el-*-linux*)
  targ_defvec=mips_elf32_trad_le_vec
@@ -54,6 +54,3 @@ index beba17ef51..917be6f8eb 100644
targ_extra_libpath=$targ_extra_emuls ;;
  mips*el-*-linux-*)targ_emul=elf32ltsmip
targ_extra_emuls="elf32btsmip elf32ltsmipn32 
elf64ltsmip elf32btsmipn32 elf64btsmip"
--- 
-2.20.1
-
-- 
2.7.4



[OE-core] [warrior-next 32/54] binutils: fix CVE-2019-14250 CVE-2019-14444

2019-09-29 Thread Armin Kuster
From: Anuj Mittal 

Signed-off-by: Anuj Mittal 
Signed-off-by: Armin Kuster 
---
 meta/recipes-devtools/binutils/binutils-2.32.inc   |  2 ++
 .../binutils/binutils/CVE-2019-14250.patch | 33 ++
 .../binutils/binutils/CVE-2019-1.patch | 28 ++
 3 files changed, 63 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-14250.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-1.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc 
b/meta/recipes-devtools/binutils/binutils-2.32.inc
index 31c24a3..d3c5293 100644
--- a/meta/recipes-devtools/binutils/binutils-2.32.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
@@ -50,6 +50,8 @@ SRC_URI = "\
  file://CVE-2019-9077.patch \
  file://CVE-2019-9071.patch \
  file://CVE-2019-12972.patch \
+ file://CVE-2019-14250.patch \
+ file://CVE-2019-1.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-14250.patch 
b/meta/recipes-devtools/binutils/binutils/CVE-2019-14250.patch
new file mode 100644
index 000..c915a83
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-14250.patch
@@ -0,0 +1,33 @@
+From df78be05daf4eb07f60f50ec1080cb979af32ec0 Mon Sep 17 00:00:00 2001
+From: marxin 
+Date: Tue, 23 Jul 2019 07:33:32 +
+Subject: [PATCH] libiberty: Check zero value shstrndx in simple-object-elf.c
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@273718 
138bc75d-0d04-0410-961f-82ee72b054a4
+
+CVE: CVE-2019-14250
+Upstream-Status: Backport [from gcc: 
https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=273718]
+[Removed Changelog entry]
+Signed-off-by: Anuj Mittal 
+---
+diff --git a/libiberty/simple-object-elf.c b/libiberty/simple-object-elf.c
+index 502388991a08..bdee963634d6 100644
+--- a/libiberty/simple-object-elf.c
 b/libiberty/simple-object-elf.c
+@@ -548,7 +548,15 @@ simple_object_elf_match (unsigned char 
header[SIMPLE_OBJECT_MATCH_HEADER_LEN],
+   XDELETE (eor);
+   return NULL;
+ }
+-
++  
++  if (eor->shstrndx == 0)
++{
++  *errmsg = "invalid ELF shstrndx == 0";
++  *err = 0;
++  XDELETE (eor);
++  return NULL;
++}
++  
+   return (void *) eor;
+ }
+ 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-1.patch 
b/meta/recipes-devtools/binutils/binutils/CVE-2019-1.patch
new file mode 100644
index 000..85b9a9f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-1.patch
@@ -0,0 +1,28 @@
+From e17869db99195849826eaaf5d2d0eb2cfdd7a2a7 Mon Sep 17 00:00:00 2001
+From: Nick Clifton 
+Date: Mon, 5 Aug 2019 10:40:35 +0100
+Subject: [PATCH] Catch potential integer overflow in readelf when processing
+ corrupt binaries.
+
+   PR 24829
+   * readelf.c (apply_relocations): Catch potential integer overflow
+   whilst checking reloc location against section size.
+
+CVE: CVE-2019-1
+Upstream-Status: Backport 
[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e17869db99195849826eaaf5d2d0eb2cfdd7a2a7]
+[Removed Changelog entry]
+Signed-off-by: Anuj Mittal 
+---
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index b896ad9f406..e785fde43e7 100644
+--- a/binutils/readelf.c
 b/binutils/readelf.c
+@@ -13366,7 +13366,7 @@ apply_relocations (Filedata * filedata,
+   }
+ 
+ rloc = start + rp->r_offset;
+-if ((rloc + reloc_size) > end || (rloc < start))
++if (rloc >= end || (rloc + reloc_size) > end || (rloc < start))
+   {
+ warn (_("skipping invalid relocation offset 0x%lx in section 
%s\n"),
+   (unsigned long) rp->r_offset,
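Review bot: The strengthened test in apply_relocations still forms `rloc = start + rp->r_offset` and `rloc + reloc_size` before comparing them, so it depends on how out-of-range pointer arithmetic behaves when r_offset comes from a corrupt file. Comparing offsets instead keeps the arithmetic in range, for example `if (rp->r_offset >= (bfd_vma) (end - start) || reloc_size > (bfd_vma) (end - start) - rp->r_offset)`, and makes the trailing `rloc < start` test unnecessary. As a backport this should stay identical to upstream, so the suggestion belongs upstream first; the rest of apply_relocations is outside the hunk, and the types of `start`, `end` and `reloc_size` are assumed from context.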
-- 
2.7.4



[OE-core] [warrior-next 36/54] gcc: CVE-2018-12886

2019-09-29 Thread Armin Kuster
From: Zhixiong Chi 

Backport CVE patch from the upstream:
https://github.com/gcc-mirror/gcc.git [commit f98495d]
https://nvd.nist.gov/vuln/detail/CVE-2018-12886

Signed-off-by: Zhixiong Chi 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/recipes-devtools/gcc/gcc-8.3.inc  |   1 +
 ...vent-spilling-of-stack-protector-guard-s-.patch | 813 +
 2 files changed, 814 insertions(+)
 create mode 100644 
meta/recipes-devtools/gcc/gcc-8.3/0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch

diff --git a/meta/recipes-devtools/gcc/gcc-8.3.inc 
b/meta/recipes-devtools/gcc/gcc-8.3.inc
index 7925337..dce85a2 100644
--- a/meta/recipes-devtools/gcc/gcc-8.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-8.3.inc
@@ -73,6 +73,7 @@ SRC_URI = "\
file://0040-powerpc-powerpc64-Add-support-for-musl-ldso.patch \

file://0041-Add-a-recursion-limit-to-libiberty-s-demangling-code.patch \
file://0042-PR-debug-86964.patch \
+   
file://0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch \
 "
 SRC_URI[md5sum] = "65b210b4bfe7e060051f799e0f994896"
 SRC_URI[sha256sum] = 
"64baadfe6cc0f4947a84cb12d7f0dfaf45bb58b7e92461639596c21e02d97d2c"
diff --git 
a/meta/recipes-devtools/gcc/gcc-8.3/0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch
 
b/meta/recipes-devtools/gcc/gcc-8.3/0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch
new file mode 100644
index 000..f15207f
--- /dev/null
+++ 
b/meta/recipes-devtools/gcc/gcc-8.3/0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch
@@ -0,0 +1,813 @@
+From f98495d90ba66f67fe922a4b9229ea787041c418 Mon Sep 17 00:00:00 2001
+From: thopre01 
+Date: Thu, 22 Nov 2018 14:46:17 +
+Subject: [PATCH] PR85434: Prevent spilling of stack protector guard's address
+ on ARM
+
+In case of high register pressure in PIC mode, address of the stack
+protector's guard can be spilled on ARM targets as shown in PR85434,
+thus allowing an attacker to control what the canary would be compared
+against. ARM does lack stack_protect_set and stack_protect_test insn
+patterns, defining them does not help as the address is expanded
+regularly and the patterns only deal with the copy and test of the
+guard with the canary.
+
+This problem does not occur for x86 targets because the PIC access and
+the test can be done in the same instruction. Aarch64 is exempt too
+because PIC access insn pattern are mov of UNSPEC which prevents it from
+the second access in the epilogue being CSEd in cse_local pass with the
+first access in the prologue.
+
+The approach followed here is to create new "combined" set and test
+standard pattern names that take the unexpanded guard and do the set or
+test. This allows the target to use an opaque pattern (eg. using UNSPEC)
+to hide the individual instructions being generated to the compiler and
+split the pattern into generic load, compare and branch instruction
+after register allocator, therefore avoiding any spilling. This is here
+implemented for the ARM targets. For targets not implementing these new
+standard pattern names, the existing stack_protect_set and
+stack_protect_test pattern names are used.
+
+To be able to split PIC access after register allocation, the functions
+had to be augmented to force a new PIC register load and to control
+which register it loads into. This is because sharing the PIC register
+between prologue and epilogue could lead to spilling due to CSE again
+which an attacker could use to control what the canary gets compared
+against.
+
+2018-11-22  Thomas Preud'homme  
+
+gcc/
+PR target/85434
+* target-insns.def (stack_protect_combined_set): Define new standard
+pattern name.
+(stack_protect_combined_test): Likewise.
+* cfgexpand.c (stack_protect_prologue): Try new
+stack_protect_combined_set pattern first.
+* function.c (stack_protect_epilogue): Try new
+stack_protect_combined_test pattern first.
+* config/arm/arm.c (require_pic_register): Add pic_reg and compute_now
+parameters to control which register to use as PIC register and force
+reloading PIC register respectively.  Insert in the stream of insns if
+possible.
+(legitimize_pic_address): Expose above new parameters in prototype and
+adapt recursive calls accordingly.  Use pic_reg if non null instead of
+cached one.
+(arm_load_pic_register): Add pic_reg parameter and use it if non null.
+(arm_legitimize_address): Adapt to new legitimize_pic_address
+prototype.
+(thumb_legitimize_address): Likewise.
+(arm_emit_call_insn): Adapt to require_pic_register prototype change.
+(arm_expand_prologue): Adapt to arm_load_pic_register prototype change.
+(thumb1_expand_prologue): Likewise.
+* config/arm/arm-protos.h (legitimize_pic_address): Adapt to prototype
+change.
+(arm_load_pic_register): Likewise.
+* config/arm/predicated.md (guard_addr_operand): New predicate.
+ 

[OE-core] [warrior-next 38/54] glibc: Fix multilibs + usrmerge builds

2019-09-29 Thread Armin Kuster
From: Jason Wessel 

The build of glibc fails when you have multilibs enabled + the distro
feature usrmerge.  Here is an example configuration:

===
MACHINE = "qemux86-64"
VIRTUAL-RUNTIME_init_manager = "systemd"
DISTRO_FEATURES_append = " systemd "
DISTRO_FEATURES_append += " usrmerge"

require conf/multilib.conf
MULTILIBS = "multilib:lib32"
DEFAULTTUNE_virtclass-multilib-lib32 = "x86"
===

This will fail with the following error:

NOTE: Executing SetScene Tasks
NOTE: Executing RunQueue Tasks
ERROR: glibc-2.28-r0 do_poststash_install_cleanup: Function failed: 
do_poststash_install_cleanup (log file is located at 
/poky/build/tmp/work/core2-64-poky-linux/glibc/2.28-r0/temp/log.do_poststash_install_cleanup.107893)
ERROR: Logfile of failure stored in: 
/poky/build/tmp/work/core2-64-poky-linux/glibc/2.28-r0/temp/log.do_poststash_install_cleanup.107893

The fix is to not perform the rmdir check when using the multilib + usr/merge, 
namely:

if [ "${libdir}" != "${exec_prefix}/lib" ] && [ "${root_prefix}/lib" != 
"${exec_prefix}/lib" ]; then

This will evaluate as follows (collecting the output from bitbake -e glibc)

* no multilibs no usrmerge
if [ "/usr/lib" != "/usr/lib" ] && [ "/lib" != "/usr/lib" ]; then
* no multilibs yes usrmerge
if [ "/usr/lib" != "/usr/lib" ] && [ "/usr/lib" != "/usr/lib" ]; then
* yes multilibs no usrmerge
if [ "/usr/lib64" != "/usr/lib" ] && [ "/lib" != "/usr/lib" ]; then
* yes multilibs yes usrmerge
if [ "/usr/lib64" != "/usr/lib" ] && [ "/usr/lib" != "/usr/lib" ]; then

Signed-off-by: Jason Wessel 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/recipes-core/glibc/glibc-package.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/glibc/glibc-package.inc 
b/meta/recipes-core/glibc/glibc-package.inc
index b7c64a0..a1d79b3 100644
--- a/meta/recipes-core/glibc/glibc-package.inc
+++ b/meta/recipes-core/glibc/glibc-package.inc
@@ -214,7 +214,7 @@ do_poststash_install_cleanup () {
rm -rf ${D}${libdir}/gconv
rm -rf ${D}/${localedir}
rm -rf ${D}${datadir}/locale
-   if [ "${libdir}" != "${exec_prefix}/lib" ]; then
+   if [ "${libdir}" != "${exec_prefix}/lib" ] && [ "${root_prefix}/lib" != 
"${exec_prefix}/lib" ]; then
if [ -d "${D}${exec_prefix}/lib" ]; then
if [ -z "${ARCH_DYNAMIC_LOADER}" -o \
 ! -e "${D}${exec_prefix}/lib/${ARCH_DYNAMIC_LOADER}" ]; 
then
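Review bot: The two-part condition on the new `if` line in do_poststash_install_cleanup is not self-explanatory, and the reasoning currently lives only in the commit message. A short comment above it would keep that reasoning with the code, for example `# Skip the ${exec_prefix}/lib cleanup when usrmerge makes ${root_prefix}/lib the same directory`. The body of the function continues past the end of the hunk, so what the inner branch removes is not visible here.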
-- 
2.7.4



[OE-core] [warrior-next 28/54] dpkg: Use less as pager

2019-09-29 Thread Armin Kuster
From: Ricardo Ribalda Delgado 

Debian traditionally uses /usr/bin/pager as the system pager, which is a
link to the user preferred pager. This is a Debianism.

Without this patch:

root@qt5122:~# dpkg -l
sh: pager: command not found
dpkg-query: error: showing package list on pager subprocess returned error exit 
status 127

Signed-off-by: Ricardo Ribalda Delgado 
Signed-off-by: Richard Purdie 
Signed-off-by: Richard Leitner 
Signed-off-by: Armin Kuster 
---
 meta/recipes-devtools/dpkg/dpkg/pager.patch | 21 +
 meta/recipes-devtools/dpkg/dpkg_1.19.4.bb   |  1 +
 2 files changed, 22 insertions(+)
 create mode 100644 meta/recipes-devtools/dpkg/dpkg/pager.patch

diff --git a/meta/recipes-devtools/dpkg/dpkg/pager.patch 
b/meta/recipes-devtools/dpkg/dpkg/pager.patch
new file mode 100644
index 000..e56b9d2
--- /dev/null
+++ b/meta/recipes-devtools/dpkg/dpkg/pager.patch
@@ -0,0 +1,21 @@
+pager: Use less instead of pager
+
+pager is a Debianism. Istead use directly pager.
+
+Upstream-Status: Inappropriate [OE-Core integration specific]
+
+Suggested-by: Burton, Ross 
+Signed-off-by: Ricardo Ribalda 
+diff --git a/lib/dpkg/dpkg.h b/lib/dpkg/dpkg.h
+index 2bb067a..6cbce80 100644
+--- a/lib/dpkg/dpkg.h
 b/lib/dpkg/dpkg.h
+@@ -95,7 +95,7 @@ DPKG_BEGIN_DECLS
+ #define MAXUPDATES 250
+ 
+ #define DEFAULTSHELL"sh"
+-#define DEFAULTPAGER"pager"
++#define DEFAULTPAGER"less"
+ 
+ #define MD5HASHLEN   32
+ #define MAXTRIGDIRECTIVE 256
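Review bot: The description inside pager.patch says "Istead use directly pager", which names the program being replaced; it should read `pager is a Debianism. Instead use less directly.` so the header matches the `DEFAULTPAGER` change to "less". The new default also assumes a `less` binary on the target: neither hunk in this commit adds a runtime dependency, so unless the image already provides one the `dpkg -l` failure quoted in the description would presumably recur with "less" in place of "pager". If that is a concern, something like `RRECOMMENDS_${PN} += "less"` in the recipe would cover it; whether busybox or another package already supplies it cannot be seen from this page.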
diff --git a/meta/recipes-devtools/dpkg/dpkg_1.19.4.bb 
b/meta/recipes-devtools/dpkg/dpkg_1.19.4.bb
index c3dbda7..e6083e2 100644
--- a/meta/recipes-devtools/dpkg/dpkg_1.19.4.bb
+++ b/meta/recipes-devtools/dpkg/dpkg_1.19.4.bb
@@ -13,6 +13,7 @@ SRC_URI = "${DEBIAN_MIRROR}/main/d/${BPN}/${BPN}_${PV}.tar.xz 
\
file://0006-add-musleabi-to-known-target-tripets.patch \

file://0007-dpkg-deb-build.c-Remove-usage-of-clamp-mtime-in-tar.patch \
file://0001-dpkg-Support-muslx32-build.patch \
+   file://pager.patch \
"
 SRC_URI_append_class-native = " file://glibc2.5-sync_file_range.patch \
 file://tweak-options-require-tar-1.27.patch \
-- 
2.7.4



[OE-core] [warrior-next 30/54] meson: backport fix for builds with -Werror=return-type

2019-09-29 Thread Armin Kuster
From: Martin Jansa 

Signed-off-by: Martin Jansa 
Signed-off-by: Armin Kuster 
---
 meta/recipes-devtools/meson/meson.inc  |  1 +
 ...-return-statements-that-are-seen-with-Wer.patch | 84 ++
 2 files changed, 85 insertions(+)
 create mode 100644 
meta/recipes-devtools/meson/meson/0001-Fix-missing-return-statements-that-are-seen-with-Wer.patch

diff --git a/meta/recipes-devtools/meson/meson.inc 
b/meta/recipes-devtools/meson/meson.inc
index 2d18f72..bfe9851 100644
--- a/meta/recipes-devtools/meson/meson.inc
+++ b/meta/recipes-devtools/meson/meson.inc
@@ -16,6 +16,7 @@ SRC_URI = 
"https://github.com/mesonbuild/meson/releases/download/${PV}/meson-${P
file://cross-prop-default.patch \
file://many-cross.patch \
file://cross-libdir.patch \
+   
file://0001-Fix-missing-return-statements-that-are-seen-with-Wer.patch \
"
 SRC_URI[sha256sum] = 
"ef9f14326ec1e30d3ba1a26df0f92826ede5a79255ad723af78a2691c37109fd"
 SRC_URI[md5sum] = "0267b0871266056184c484792572c682"
diff --git 
a/meta/recipes-devtools/meson/meson/0001-Fix-missing-return-statements-that-are-seen-with-Wer.patch
 
b/meta/recipes-devtools/meson/meson/0001-Fix-missing-return-statements-that-are-seen-with-Wer.patch
new file mode 100644
index 000..1f22755
--- /dev/null
+++ 
b/meta/recipes-devtools/meson/meson/0001-Fix-missing-return-statements-that-are-seen-with-Wer.patch
@@ -0,0 +1,84 @@
+From 7e83cf1edac2a57c08ebb1ce7f21c2a539d5c300 Mon Sep 17 00:00:00 2001
+From: Martin Liska 
+Date: Mon, 15 Jul 2019 10:06:17 +0200
+Subject: [PATCH] Fix missing return statements that are seen with
+ -Werror=return-type.
+
+Error example:
+
+Code:
+
+#include 
+int main () {
+/* If it's not defined as a macro, try to use as a symbol */
+#ifndef LC_MESSAGES
+LC_MESSAGES;
+#endif
+}
+Compiler stdout:
+
+Compiler stderr:
+ In file included from /usr/include/locale.h:25,
+ from /tmp/tmpep_i4iwg/testfile.c:2:
+/usr/include/features.h:382:4: warning: #warning _FORTIFY_SOURCE requires 
compiling with optimization (-O) [-Wcpp]
+  382 | #  warning _FORTIFY_SOURCE requires compiling with optimization (-O)
+  |^~~
+/tmp/tmpep_i4iwg/testfile.c: In function 'main':
+/tmp/tmpep_i4iwg/testfile.c:8:9: error: control reaches end of non-void 
function [-Werror=return-type]
+8 | }
+  | ^
+cc1: some warnings being treated as errors
+
+Upstream-Status: Backport
+Signed-off-by: Martin Jansa 
+---
+ mesonbuild/compilers/c.py | 5 +
+ 1 file changed, 5 insertions(+)
+
+diff --git a/mesonbuild/compilers/c.py b/mesonbuild/compilers/c.py
+index b0096459..69cf84a4 100644
+--- a/mesonbuild/compilers/c.py
 b/mesonbuild/compilers/c.py
+@@ -387,6 +387,7 @@ class CCompiler(Compiler):
+ #ifndef {symbol}
+ {symbol};
+ #endif
++return 0;
+ }}'''
+ return self.compiles(t.format(**fargs), env, extra_args=extra_args,
+  dependencies=dependencies)
+@@ -563,6 +564,7 @@ class CCompiler(Compiler):
+ {prefix}
+ int main(int argc, char **argv) {{
+ {type} something;
++return 0;
+ }}'''
+ if not self.compiles(t.format(**fargs), env, extra_args=extra_args,
+  dependencies=dependencies):
+@@ -598,6 +600,7 @@ class CCompiler(Compiler):
+ {prefix}
+ int main(int argc, char **argv) {{
+ {type} something;
++return 0;
+ }}'''
+ if not self.compiles(t.format(**fargs), env, extra_args=extra_args,
+  dependencies=dependencies):
+@@ -672,6 +675,7 @@ class CCompiler(Compiler):
+ #include 
+ int main(int argc, char *argv[]) {{
+ printf ("{fmt}", {cast} {f}());
++return 0;
+ }}'''.format(**fargs)
+ res = self.run(code, env, extra_args=extra_args, 
dependencies=dependencies)
+ if not res.compiled:
+@@ -823,6 +827,7 @@ class CCompiler(Compiler):
+ #error "No definition for __builtin_{func} found in the 
prefix"
+ #endif
+ #endif
++return 0;
+ }}'''
+ return self.links(t.format(**fargs), env, extra_args=extra_args,
+   dependencies=dependencies)
+-- 
+2.17.1
+
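Review bot: The header of the added patch file records `Upstream-Status: Backport` without saying which upstream commit it was taken from, unlike the other backports in this series that cite a URL or revision. Adding the reference, e.g. `Upstream-Status: Backport [<upstream commit URL>]`, lets a later reviewer confirm that the five `return 0;` additions match upstream and drop the patch once the recipe version includes it.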
-- 
2.7.4



[OE-core] [warrior-next 29/54] icecc.bbclass: catch subprocess.CalledProcessError

2019-09-29 Thread Armin Kuster
From: Martin Jansa 

* this might be related to:
  commit d2fcaeb153fdc3f8d7143ea823139f1537055ff1
  Author: Douglas Royds 
  Date:   Thu Dec 20 11:59:47 2018 +1300

icecc: Don't generate recipe-sysroot symlinks at recipe-parsing time

* it's still a bit unclear when and why this happens, but I'm seeing
  random tasks sometimes failing with:

WARNING: Exception during build_dependencies for set_icecc_env
WARNING: Error during finalise of 
/build/meta-oe/meta-python/recipes-devtools/python/python-markupsafe_1.0.bb
ERROR: Traceback (most recent call last):
  File "/build/bitbake/lib/bb/data_smart.py", line 411, in expandWithRefs
s = __expand_python_regexp__.sub(varparse.python_sub, s)
  File "/build/bitbake/lib/bb/data_smart.py", line 136, in python_sub
value = utils.better_eval(codeobj, DataContext(self.d), {'d' : self.d})
  File "/build/bitbake/lib/bb/utils.py", line 421, in better_eval
return eval(source, ctx, locals)
  File "Var ", line 1, in 
  File "/build/oe-core/meta/classes/icecc.bbclass", line 287, in 
icecc_get_and_check_tool
link_path = icecc_get_tool_link(t, d)
  File "/build/oe-core/meta/classes/icecc.bbclass", line 246, in 
icecc_get_tool_link
return subprocess.check_output("readlink -f %s" % tool, 
shell=True).decode("utf-8")[:-1]
  File "/usr/lib/python3.6/subprocess.py", line 336, in check_output
**kwargs).stdout
  File "/usr/lib/python3.6/subprocess.py", line 418, in run
output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command 'readlink -f 
/build/BUILD/work/qemux86-oe-linux/python-markupsafe/1.0-r0/recipe-sysroot-native/usr/bin/x86_64-oe-linux/x86_64-oe-linux-g++'
 returned non-zero exit status 1.

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/build/bitbake/bin/bitbake-worker", line 239, in child
the_data = bb_cache.loadDataFull(fn, appends)
  File "/build/bitbake/lib/bb/cache.py", line 327, in loadDataFull
bb_data = self.load_bbfile(virtualfn, appends, virtonly=True)
  File "/build/bitbake/lib/bb/cache.py", line 340, in load_bbfile
datastores = parse_recipe(bb_data, bbfile, appends, mc)
  File "/build/bitbake/lib/bb/cache.py", line 303, in parse_recipe
bb_data = bb.parse.handle(bbfile, bb_data)
  File "/build/bitbake/lib/bb/parse/__init__.py", line 107, in handle
return h['handle'](fn, data, include)
  File "/build/bitbake/lib/bb/parse/parse_py/BBHandler.py", line 142, in handle
return ast.multi_finalize(fn, d)
  File "/build/bitbake/lib/bb/parse/ast.py", line 386, in multi_finalize
finalize(fn, d)
  File "/build/bitbake/lib/bb/parse/ast.py", line 351, in finalize
bb.parse.siggen.finalise(fn, d, variant)
  File "/build/bitbake/lib/bb/siggen.py", line 147, in finalise
taskdeps = self._build_data(fn, d)
  File "/build/bitbake/lib/bb/siggen.py", line 118, in _build_data
tasklist, gendeps, lookupcache = bb.data.generate_dependencies(d)
  File "/build/bitbake/lib/bb/data.py", line 388, in generate_dependencies
deps[dep], values[dep] = build_dependencies(dep, keys, shelldeps, 
varflagsexcl, d)
  File "/build/bitbake/lib/bb/data.py", line 317, in build_dependencies
value, parsedvar = d.getVarFlag(key, "_content", False, retparser=True)
  File "/build/bitbake/lib/bb/data_smart.py", line 802, in getVarFlag
parser = self.expandWithRefs(value, cachename)
  File "/build/bitbake/lib/bb/data_smart.py", line 424, in expandWithRefs
raise ExpansionError(varname, s, exc).with_traceback(tb) from exc
  File "/build/bitbake/lib/bb/data_smart.py", line 411, in expandWithRefs
s = __expand_python_regexp__.sub(varparse.python_sub, s)
  File "/build/bitbake/lib/bb/data_smart.py", line 136, in python_sub
value = utils.better_eval(codeobj, DataContext(self.d), {'d' : self.d})
  File "/build/bitbake/lib/bb/utils.py", line 421, in better_eval
return eval(source, ctx, locals)
  File "Var ", line 1, in 
  File "/build/oe-core/meta/classes/icecc.bbclass", line 287, in 
icecc_get_and_check_tool
link_path = icecc_get_tool_link(t, d)
  File "/build/oe-core/meta/classes/icecc.bbclass", line 246, in 
icecc_get_tool_link
return subprocess.check_output("readlink -f %s" % tool, 
shell=True).decode("utf-8")[:-1]
  File "/usr/lib/python3.6/subprocess.py", line 336, in check_output
**kwargs).stdout
  File "/usr/lib/python3.6/subprocess.py", line 418, in run
output=stdout, stderr=stderr)
bb.data_smart.ExpansionError: Failure expanding variable set_icecc_env, 
expression was if [ "${@use_icecc(bb, d)}" = "no" ]
then
return
fi
ICECC_VERSION="${@icecc_version(bb, d)}"
if [ "x${ICECC_VERSION}" = "x" ]
then
bbwarn "Cannot use icecc: could not get ICECC_VERSION"
return
fi

ICE_PATH="${@icecc_path(bb, d)}"
if [ "x${ICE_PATH}" = "x" ]
then
bbwarn "Cannot use icecc: could not get ICE_PATH"
return
fi

ICECC_BIN="${@get_icecc(d)}"
if [ -z "${ICECC_BIN}" ]; th

[OE-core] [warrior-next 27/54] patch: backport fixes

2019-09-29 Thread Armin Kuster
From: Anuj Mittal 

The original fix for CVE-2018-1000156 was incomplete. Backport more
fixes done later for a complete fix.

Also see:
https://savannah.gnu.org/bugs/index.php?53820

Signed-off-by: Anuj Mittal 
Signed-off-by: Armin Kuster 
---
 ...k-temporary-file-on-failed-ed-style-patch.patch | 93 ++
 ...ak-temporary-file-on-failed-multi-file-ed.patch | 80 +++
 meta/recipes-devtools/patch/patch_2.7.6.bb |  2 +
 3 files changed, 175 insertions(+)
 create mode 100644 
meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch
 create mode 100644 
meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch

diff --git 
a/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch
 
b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch
new file mode 100644
index 000..9891526
--- /dev/null
+++ 
b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch
@@ -0,0 +1,93 @@
+From 7f770b9c20da1a192dad8cb572a6391f2773285a Mon Sep 17 00:00:00 2001
+From: Jean Delvare 
+Date: Thu, 3 May 2018 14:31:55 +0200
+Subject: [PATCH 1/2] Don't leak temporary file on failed ed-style patch
+
+Now that we write ed-style patches to a temporary file before we
+apply them, we need to ensure that the temporary file is removed
+before we leave, even on fatal error.
+
+* src/pch.c (do_ed_script): Use global TMPEDNAME instead of local
+  tmpname. Don't unlink the file directly, instead tag it for removal
+  at exit time.
+* src/patch.c (cleanup): Unlink TMPEDNAME at exit.
+
+This closes bug #53820:
+https://savannah.gnu.org/bugs/index.php?53820
+
+Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches 
(CVE-2018-1000156)")
+
+Upstream-Status: Backport 
[http://git.savannah.gnu.org/cgit/patch.git/commit/?id=19599883ffb6a450d2884f081f8ecf68edbed7ee]
+Signed-off-by: Anuj Mittal 
+---
+ src/common.h |  2 ++
+ src/pch.c| 12 +---
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/common.h b/src/common.h
+index ec50b40..22238b5 100644
+--- a/src/common.h
 b/src/common.h
+@@ -94,10 +94,12 @@ XTERN char const *origsuff;
+ XTERN char const * TMPINNAME;
+ XTERN char const * TMPOUTNAME;
+ XTERN char const * TMPPATNAME;
++XTERN char const * TMPEDNAME;
+ 
+ XTERN bool TMPINNAME_needs_removal;
+ XTERN bool TMPOUTNAME_needs_removal;
+ XTERN bool TMPPATNAME_needs_removal;
++XTERN bool TMPEDNAME_needs_removal;
+ 
+ #ifdef DEBUGGING
+ XTERN int debug;
+diff --git a/src/pch.c b/src/pch.c
+index 16e001a..c1a62cf 100644
+--- a/src/pch.c
 b/src/pch.c
+@@ -2392,7 +2392,6 @@ do_ed_script (char const *inname, char const *outname,
+ file_offset beginning_of_this_line;
+ size_t chars_read;
+ FILE *tmpfp = 0;
+-char const *tmpname;
+ int tmpfd;
+ pid_t pid;
+ 
+@@ -2404,12 +2403,13 @@ do_ed_script (char const *inname, char const *outname,
+  invalid commands and treats the next line as a new command, which
+  can lead to arbitrary command execution.  */
+ 
+-  tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0);
++  tmpfd = make_tempfile (&TMPEDNAME, 'e', NULL, O_RDWR | O_BINARY, 0);
+   if (tmpfd == -1)
+-pfatal ("Can't create temporary file %s", quotearg (tmpname));
++pfatal ("Can't create temporary file %s", quotearg (TMPEDNAME));
++TMPEDNAME_needs_removal = true;
+   tmpfp = fdopen (tmpfd, "w+b");
+   if (! tmpfp)
+-pfatal ("Can't open stream for file %s", quotearg (tmpname));
++pfatal ("Can't open stream for file %s", quotearg (TMPEDNAME));
+   }
+ 
+ for (;;) {
+@@ -2449,8 +2449,7 @@ do_ed_script (char const *inname, char const *outname,
+   write_fatal ();
+ 
+ if (lseek (tmpfd, 0, SEEK_SET) == -1)
+-  pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname));
+-
++pfatal ("Can't rewind to the beginning of file %s", quotearg 
(TMPEDNAME));
+ if (! dry_run && ! skip_rest_of_patch) {
+   int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+   *outname_needs_removal = true;
+@@ -2482,7 +2481,6 @@ do_ed_script (char const *inname, char const *outname,
+ }
+ 
+ fclose (tmpfp);
+-safe_unlink (tmpname);
+ 
+ if (ofp)
+   {
+-- 
+2.17.0
+
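Review bot: This patch drops `safe_unlink (tmpname)` from do_ed_script and only sets `TMPEDNAME_needs_removal`, but nothing shown here acts on that flag. The embedded message lists a `src/patch.c (cleanup)` change that unlinks TMPEDNAME at exit, while the diffstat and hunks cover only src/common.h and src/pch.c. If that cleanup is not supplied elsewhere (the companion multi-file patch is cut off on this page), the temporary file holding the ed script would be left behind on every run, not only on failure. Either carry the src/patch.c hunk or note in the header why it was dropped, in the same way `[Removed Changelog entry]` is noted in other patches of this series.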
diff --git 
a/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch
 
b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch
new file mode 100644
index 000..d6a219a
--- /dev/null
+++ 
b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch
@@ -0,0 +1,80 @@
+From 369dcccdfa6336e5a873d6d63705cfbe04c55727 Mon Sep 17 00:00:00 2001
+From: Jean Delvare 
+Date: Mon, 7 May 2018 15:14:45 +0200
+Subject: Don't leak temporary file on failed

[OE-core] [warrior-next 26/54] patch: fix CVE-2019-13638

2019-09-29 Thread Armin Kuster
From: Trevor Gamblin 

(From OE-Core rev: b59b1222b3f73f982286222a583de09c661dc781)

Signed-off-by: Trevor Gamblin 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 ...ke-ed-directly-instead-of-using-the-shell.patch | 44 ++
 meta/recipes-devtools/patch/patch_2.7.6.bb |  1 +
 2 files changed, 45 insertions(+)
 create mode 100644 
meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch

diff --git 
a/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
 
b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
new file mode 100644
index 000..f60dfe8
--- /dev/null
+++ 
b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
@@ -0,0 +1,44 @@
+From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher 
+Date: Fri, 6 Apr 2018 19:36:15 +0200
+Subject: [PATCH] Invoke ed directly instead of using the shell
+
+* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
+command to avoid quoting vulnerabilities.
+
+CVE: CVE-2019-13638
+Upstream-Status: 
Backport[https://git.savannah.gnu.org/cgit/patch.git/patch/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0]
+Signed-off-by: Trevor Gamblin 
+
+---
+ src/pch.c | 6 ++
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+
+diff --git a/src/pch.c b/src/pch.c
+index 4fd5a05..16e001a 100644
+--- a/src/pch.c
 b/src/pch.c
+@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname,
+   *outname_needs_removal = true;
+   copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+ }
+-  sprintf (buf, "%s %s%s", editor_program,
+-   verbosity == VERBOSE ? "" : "- ",
+-   outname);
+   fflush (stdout);
+ 
+   pid = fork();
+@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname,
+   else if (pid == 0)
+ {
+   dup2 (tmpfd, 0);
+-  execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++  assert (outname[0] != '!' && outname[0] != '-');
++  execlp (editor_program, editor_program, "-", outname, (char  *) 
NULL);
+   _exit (2);
+ }
+   else
+-- 
+2.7.4
+
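Review bot: The only guard on `outname` before `execlp` is `assert (outname[0] != '!' && outname[0] != '-');`, and an assert disappears when the code is compiled with NDEBUG. Since the point of the change is to stop a crafted file name from being interpreted by ed or as an option, an unconditional test is safer, e.g. `if (outname[0] == '!' || outname[0] == '-') _exit (2);` in the child before the exec. Whether this recipe ever builds with NDEBUG is not visible here, and as a backport the change would need to go upstream first. do_ed_script starts and ends outside the hunk.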
diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb 
b/meta/recipes-devtools/patch/patch_2.7.6.bb
index 8cf20a3..8908910 100644
--- a/meta/recipes-devtools/patch/patch_2.7.6.bb
+++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
@@ -7,6 +7,7 @@ SRC_URI += 
"file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
 
file://0004-Fix-arbitrary-command-execution-in-ed-style-patches-.patch \
 file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \
 file://CVE-2019-13636.patch \
+file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \
 "
 
 SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"
-- 
2.7.4



[OE-core] [warrior-next 23/54] linux-yocto/4.19: update to v4.19.61

2019-09-29 Thread Armin Kuster
From: Bruce Ashfield 

Integrating the korg -stable commits that comprise the following
changes:

   7250956f6eaf Linux 4.19.61
   025eb12bb4b0 dm bufio: fix deadlock with loop device
   404f59e265ac dt-bindings: allow up to four clocks for orion-mdio
   03e6a668ea1f net: mvmdio: allow up to four clocks to be specified for 
orion-mdio
   dd87cc633ba5 blkcg: update blkcg_print_stat() to handle larger outputs
   73efdc5d7d3b blk-iolatency: clear use_delay when io.latency is set to zero
   1ab644bd02ab blk-throttle: fix zero wait time for iops throttled group
   91da712ff592 usb: Handle USB3 remote wakeup for LPM enabled devices correctly
   152ddf9f0458 Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse 
bug
   98318cd31b95 intel_th: msu: Fix single mode with disabled IOMMU
   d6328d7c1a71 mtd: spinand: read returns badly if the last page has bitflips
   94f1db42a968 mtd: rawnand: mtk: Correct low level time calculation of r/w 
cycle
   30c6b34759f6 eCryptfs: fix a couple type promotion bugs
   92e23f5fc049 mmc: sdhci-msm: fix mutex while in spinlock
   01982f7bcc9d powerpc/pseries: Fix oops in hotplug memory notifier
   e725502b8548 powerpc/powernv/npu: Fix reference leak
   1e3b61cbc30d powerpc/watchpoint: Restore NV GPRs while returning from 
exception
   237ac0d73b55 powerpc/32s: fix suspend/resume when IBATs 4-7 are used
   7961981718d6 parisc: Fix kernel panic due invalid values in IAOQ0 or IAOQ1
   a6a0daa775e8 parisc: Ensure userspace privilege for ptraced processes in 
regset functions
   ef5c2e165ab0 crypto: caam - limit output IV to CBC to work around CTR mode 
DMA issue
   376b80276d84 gpu: ipu-v3: ipu-ic: Fix saturation bit offset in TPMEM
   ef30c0739439 xfs: abort unaligned nowait directio early
   669c867972c0 xfs: serialize unaligned dio writes against all other dio writes
   d61d885b17b0 xfs: fix reporting supported extra file attributes for statx()
   f614ef7a34b0 xfs: reserve blocks for ifree transaction during log recovery
   424543a53ae0 xfs: don't ever put nlink > 0 inodes on the unlinked list
   3a895cc066c0 xfs: rename m_inotbt_nores to m_finobt_nores
   2ab62234e823 xfs: don't overflow xattr listent buffer
   1dc8b13cc66d xfs: flush removing page cache in xfs_reflink_remap_prep
   788920d12b95 xfs: fix pagecache truncation prior to reflink
   41f64437f030 include/asm-generic/bug.h: fix "cut here" for WARN_ON for 
__WARN_TAINT architectures
   afa3e571cde3 coda: pass the host file in vma->vm_file on mmap
   2c0222b48e77 libnvdimm/pfn: fix fsdax-mode namespace info-block zero-fields
   656d06dab4d6 HID: wacom: correct touch resolution x/y typo
   1c871b4006b2 HID: wacom: generic: Correct pad syncing
   46f71a15abe7 HID: wacom: generic: only switch the mode on devices with LEDs
   cb4c2b94f629 IB/mlx5: Report correctly tag matching rendezvous capability
   4bd953241d81 Btrfs: add missing inode version, ctime and mtime updates when 
punching hole
   fffedf5cf67e Btrfs: fix fsync not persisting dentry deletions due to inode 
evictions
   110850fffeb0 Btrfs: fix data loss after inode eviction, renaming it, and 
fsync it
   6b71c62ea9da PCI: qcom: Ensure that PERST is asserted for at least 100 ms
   529e71cae929 PCI: Do not poll for PME if the device is in D3cold
   4d8504004c86 PCI: hv: Fix a use-after-free bug in hv_eject_device_work()
   f0ff76a42ef5 intel_th: pci: Add Ice Lake NNPI support
   66a13b5e4e9c drm/edid: parse CEA blocks embedded in DisplayID
   9854e06842bc perf/x86/amd/uncore: Set the thread mask for F17h L3 PMCs
   82c46f7b0918 perf/x86/amd/uncore: Do not set 'ThreadMask' and 'SliceMask' 
for non-L3 PMCs
   a847a5225432 perf/x86/intel: Fix spurious NMI on fixed counter
   0d4c0bb70665 x86/boot: Fix memory leak in default_get_smp_config()
   b52807e607f1 9p/virtio: Add cleanup path in p9_virtio_init
   1253882d64d0 9p/xen: Add cleanup path in p9_trans_xen_init
   007e5aaf287c xen/events: fix binding user event channels to cpus
   e380170b3b3a dm zoned: fix zone state management race
   1e4247d7958b padata: use smp_mb in padata_reorder to avoid orphaned padata 
jobs
   0489d808a5f2 drm/nouveau/i2c: Enable i2c pads & busses during preinit
   c77cbc873586 kconfig: fix missing choice values in auto.conf
   2c7b50c7b1d0 fs/proc/proc_sysctl.c: fix the default values of i_uid/i_gid on 
/proc/sys inodes.
   ba271659ad42 arm64: tegra: Fix AGIC register range
   ba27a25df6df KVM: x86/vPMU: refine kvm_pmu err msg when event creation failed
   87bae91a0fe9 media: videobuf2-dma-sg: Prevent size from overflowing
   cb2e2b0ae554 media: videobuf2-core: Prevent size alignment wrapping buffer 
size to 0
   deb78bd24e0c media: coda: Remove unbalanced and unneeded mutex unlock
   fc0232e24541 media: v4l2: Test type instead of cfg->type in 
v4l2_ctrl_new_custom()
   a4c4c06f1755 ALSA: hda/realtek: apply ALC891 headset fixup to one Dell 
machine
   8ba78e4d564e ALSA: hda/realtek - Fixed Headphone Mic can't record on Dell 
platform
   c92212a81617 ALSA: seq: Break too long mutex con

[OE-core] [warrior-next 24/54] boost: Fix build and enable context and coroutines on aarch64

2019-09-29 Thread Armin Kuster
From: "Bedel, Alban" 

As for ARM, bjam needs some hints about the ABI to build properly on
aarch64. While at it, also enable context and coroutine, as these are
supported on aarch64.

Signed-off-by: Alban Bedel 
Signed-off-by: Armin Kuster 
---
 meta/recipes-support/boost/boost.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-support/boost/boost.inc 
b/meta/recipes-support/boost/boost.inc
index 9be3717..c2e2cbb 100644
--- a/meta/recipes-support/boost/boost.inc
+++ b/meta/recipes-support/boost/boost.inc
@@ -33,6 +33,7 @@ BOOST_LIBS_append_x86 = " context coroutine"
 BOOST_LIBS_append_x86-64 = " context coroutine"
 BOOST_LIBS_append_powerpc = " context coroutine"
 BOOST_LIBS_append_arm = " context coroutine"
+BOOST_LIBS_append_aarch64 = " context coroutine"
 # need consistent settings for native builds (x86 override not applied for 
native)
 BOOST_LIBS_remove_class-native = " context coroutine"
 # does not compile
@@ -151,6 +152,7 @@ BJAM_OPTS_append_x86-x32 = " abi=x32 address-model=64"
 
 # cross compiling for arm fails to detect abi, so provide some help
 BJAM_OPTS_append_arm = " abi=aapcs architecture=arm"
+BJAM_OPTS_append_aarch64 = " abi=aapcs address-model=64 architecture=arm"
 
 do_configure() {
cp -f ${S}/boost/config/platform/linux.hpp 
${S}/boost/config/platform/linux-gnueabi.hpp
-- 
2.7.4



[OE-core] [warrior-next 21/54] qemu: fix CVE-2018-20815

2019-09-29 Thread Armin Kuster
Signed-off-by: Naveen Saini 
Signed-off-by: Armin Kuster 
---
 meta/recipes-devtools/qemu/qemu.inc|  1 +
 .../qemu/qemu/CVE-2018-20815.patch | 38 ++
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-20815.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index ecf13dc..3de87d3 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -31,6 +31,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://0019-fix-CVE-2018-20216.patch \
file://CVE-2019-3812.patch \

file://0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch \
+   file://CVE-2018-20815.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-20815.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815.patch
new file mode 100644
index 000..c9508d9
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815.patch
@@ -0,0 +1,38 @@
+From 8bb018af1a7f2b9965f872a4b1121864e73e1b61 Mon Sep 17 00:00:00 2001
+From: Peter Maydell 
+Date: Fri, 14 Dec 2018 13:30:52 +
+Subject: [PATCH] device_tree.c: Don't use load_image()
+
+The load_image() function is deprecated, as it does not let the
+caller specify how large the buffer to read the file into is.
+Instead use load_image_size().
+
+Signed-off-by: Peter Maydell 
+Reviewed-by: Richard Henderson 
+Reviewed-by: Stefan Hajnoczi 
+Reviewed-by: Michael S. Tsirkin 
+Reviewed-by: Eric Blake 
+Message-id: 20181130151712.2312-9-peter.mayd...@linaro.org
+
+Upstream-Status: Backport 
[https://github.com/qemu/qemu/commit/da885fe1ee8b4589047484bd7fa05a4905b52b17]
+CVE: CVE-2018-20815
+Signed-off-by: Naveen Saini 
+---
+ device_tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/device_tree.c b/device_tree.c
+index 6d9c9726f6..296278e12a 100644
+--- a/device_tree.c
 b/device_tree.c
+@@ -91,7 +91,7 @@ void *load_device_tree(const char *filename_path, int *sizep)
+ /* First allocate space in qemu for device tree */
+ fdt = g_malloc0(dt_size);
+ 
+-dt_file_load_size = load_image(filename_path, fdt);
++dt_file_load_size = load_image_size(filename_path, fdt, dt_size);
+ if (dt_file_load_size < 0) {
+ error_report("Unable to open device tree file '%s'",
+  filename_path);
+-- 
+2.17.1
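Review bot: Neither the commit message nor the header of the added CVE-2018-20815.patch says what the CVE actually is; the header reads as a deprecation cleanup. The hunk shows `load_image(filename_path, fdt)` reading into the buffer from `g_malloc0(dt_size)` with no length passed, which is presumably the overflow being tracked. I would add a line to the patch header such as `Bounds the read of the device tree file to the dt_size bytes allocated for it.` so the security relevance survives later rebases. load_device_tree continues outside the hunk, so how `dt_size` is derived cannot be checked from here.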
-- 
2.7.4



[OE-core] [warrior-next 25/54] rsync: fix CVEs for included zlib

2019-09-29 Thread Armin Kuster
From: Anuj Mittal 

rsync includes its own copy of zlib and doesn't recommend linking with
the system version [1].

Import CVE fixes that impact zlib version 1.2.8 [2] that is currently used
by rsync.

[1] https://git.samba.org/rsync.git/?p=rsync.git;a=blob;f=zlib/README.rsync
[2] 
https://nvd.nist.gov/vuln/search/results?form_type=Advanced&cves=on&cpe_version=cpe%3a%2fa%3agnu%3azlib%3a1.2.8

(From OE-Core rev: a55fbb4cb489853dfb0b4553f6e187c3f3633f48)

Signed-off-by: Anuj Mittal 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 .../rsync/files/CVE-2016-9840.patch|  75 +++
 .../rsync/files/CVE-2016-9841.patch| 228 +
 .../rsync/files/CVE-2016-9842.patch|  33 +++
 .../rsync/files/CVE-2016-9843.patch|  53 +
 meta/recipes-devtools/rsync/rsync_3.1.3.bb |   4 +
 5 files changed, 393 insertions(+)
 create mode 100644 meta/recipes-devtools/rsync/files/CVE-2016-9840.patch
 create mode 100644 meta/recipes-devtools/rsync/files/CVE-2016-9841.patch
 create mode 100644 meta/recipes-devtools/rsync/files/CVE-2016-9842.patch
 create mode 100644 meta/recipes-devtools/rsync/files/CVE-2016-9843.patch

diff --git a/meta/recipes-devtools/rsync/files/CVE-2016-9840.patch 
b/meta/recipes-devtools/rsync/files/CVE-2016-9840.patch
new file mode 100644
index 000..7581887
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2016-9840.patch
@@ -0,0 +1,75 @@
+From 6a043145ca6e9c55184013841a67b2fef87e44c0 Mon Sep 17 00:00:00 2001
+From: Mark Adler 
+Date: Wed, 21 Sep 2016 23:35:50 -0700
+Subject: [PATCH] Remove offset pointer optimization in inftrees.c.
+
+inftrees.c was subtracting an offset from a pointer to an array,
+in order to provide a pointer that allowed indexing starting at
+the offset. This is not compliant with the C standard, for which
+the behavior of a pointer decremented before its allocated memory
+is undefined. Per the recommendation of a security audit of the
+zlib code by Trail of Bits and TrustInSoft, in support of the
+Mozilla Foundation, this tiny optimization was removed, in order
+to avoid the possibility of undefined behavior.
+
+CVE: CVE-2016-9840
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal 
+---
+ inftrees.c | 18 --
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/zlib/inftrees.c b/zlib/inftrees.c
+index 22fcd666..0d2670d5 100644
+--- a/zlib/inftrees.c
 b/zlib/inftrees.c
+@@ -54,7 +54,7 @@ unsigned short FAR *work;
+ code FAR *next; /* next available space in table */
+ const unsigned short FAR *base; /* base value table to use */
+ const unsigned short FAR *extra;/* extra bits table to use */
+-int end;/* use base and extra for symbol > end */
++unsigned match; /* use base and extra for symbol >= match */
+ unsigned short count[MAXBITS+1];/* number of codes of each length */
+ unsigned short offs[MAXBITS+1]; /* offsets in table for each length */
+ static const unsigned short lbase[31] = { /* Length codes 257..285 base */
+@@ -181,19 +181,17 @@ unsigned short FAR *work;
+ switch (type) {
+ case CODES:
+ base = extra = work;/* dummy value--not used */
+-end = 19;
++match = 20;
+ break;
+ case LENS:
+ base = lbase;
+-base -= 257;
+ extra = lext;
+-extra -= 257;
+-end = 256;
++match = 257;
+ break;
+ default:/* DISTS */
+ base = dbase;
+ extra = dext;
+-end = -1;
++match = 0;
+ }
+ 
+ /* initialize state for loop */
+@@ -216,13 +214,13 @@ unsigned short FAR *work;
+ for (;;) {
+ /* create table entry */
+ here.bits = (unsigned char)(len - drop);
+-if ((int)(work[sym]) < end) {
++if (work[sym] + 1 < match) {
+ here.op = (unsigned char)0;
+ here.val = work[sym];
+ }
+-else if ((int)(work[sym]) > end) {
+-here.op = (unsigned char)(extra[work[sym]]);
+-here.val = base[work[sym]];
++else if (work[sym] >= match) {
++here.op = (unsigned char)(extra[work[sym] - match]);
++here.val = base[work[sym] - match];
+ }
+ else {
+ here.op = (unsigned char)(32 + 64); /* end of block */
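Review bot: `Upstream-Status: Backport` in the header of the added CVE-2016-9840.patch carries no reference to the upstream commit, unlike the patch and qemu backports on this page, which makes this fix to rsync's bundled zlib harder to audit against upstream. If the hash on the `From` line is the upstream zlib commit, I would record it, e.g. `Upstream-Status: Backport [<upstream zlib commit URL>]`. It would also help to say in the header that the paths were changed to `zlib/inftrees.c` for the bundled copy, since the embedded diffstat still names `inftrees.c`.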
diff --git a/meta/recipes-devtools/rsync/files/CVE-2016-9841.patch 
b/meta/recipes-devtools/rsync/files/CVE-2016-9841.patch
new file mode 100644
index 000..3942176
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2016-9841.patch
@@ -0,0 +1,228 @@
+From 9aaec95e82117c1cb0f9624264c3618fc380cecb Mon Sep 17 00:00:00 2001
+From: Mark Adler 
+Date: Wed, 21 Sep 2016 22:25:21 -0700
+Subject: [PATCH] Use post-increment only in inffast.c.
+
+An old inffast.c optimization turns out to not be optimal anymore
+with modern compilers, and furthermore was not compliant 

[OE-core] [warrior-next 22/54] linux-yocto/4.19: update to 4.19.57 and -rt22

2019-09-29 Thread Armin Kuster
From: Bruce Ashfield 

Updating the linux-yocto 4.19 recipe to the latest -stable and -rt
releases.

We also integrate a configuration change to support ptests on scsi
targets:

  scsi-debug: include core scsi support for standalone inclusion

The -stable changes comprise the following commits:

   1a0592436669 Linux 4.19.57
   3919d91f4d36 arm64: insn: Fix ldadd instruction encoding
   9c423fd89a2b usb: dwc3: Reset num_trbs after skipping
   2bbb6b547fbe tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb
   89c49e7b6b0a RDMA: Directly cast the sockaddr union to sockaddr
   a319c8ff4f09 futex: Update comments and docs about return values of arch 
futex code
   4423a82cbde3 bpf, arm64: use more scalable stadd over ldxr / stxr loop in 
xadd
   436869e0cd6d arm64: futex: Avoid copying out uninitialised stack in failed 
cmpxchg()
   ba6340a7297f bpf: udp: ipv6: Avoid running reuseport's bpf_prog from 
__udp6_lib_err
   79c6a8c09978 bpf: udp: Avoid calling reuseport's bpf_prog from udp_gro
   613bc37f74c9 bpf: fix unconnected udp hooks
   a7177b94aff4 bpf: fix nested bpf tracepoints with per-cpu data
   4992d4af5881 bpf: lpm_trie: check left child of last leftmost node for NULL
   5e558f9a6d7b bpf: simplify definition of BPF_FIB_LOOKUP related flags
   7d2c0ec20cb2 tun: wake up waitqueues after IFF_UP is set
   a08b915457d6 tipc: check msg->req data len in tipc_nl_compat_bearer_disable
   fdf3e98e1fd9 tipc: change to use register_pernet_device
   32b711f57ce7 team: Always enable vlan tx offload
   eeb770d6ab77 sctp: change to hold sk after auth shkey is created successfully
   9b7b0aab4750 net: stmmac: set IC bit when transmitting frames with HW 
timestamp
   a373bf728188 net: stmmac: fixed new system time seconds value calculation
   7d76fc211609 net: remove duplicate fetch in sock_getsockopt
   05dceb60e5dd net/packet: fix memory leak in packet_set_ring()
   7c92f3efbad0 ipv4: Use return value of inet_iif() for __raw_v4_lookup in the 
while loop
   0f3451723ddc bonding: Always enable vlan tx offload
   a4709127e5dd af_packet: Block execution of tasks waiting for transmit to 
complete in AF_PACKET
   64032e2d9ba8 eeprom: at24: fix unexpected timeout under high load
   c22cea5a21b2 irqchip/mips-gic: Use the correct local interrupt map registers
   dd9f2fb59e01 SUNRPC: Clean up initialisation of the struct rpc_rqst
   b78ad2169282 cpu/speculation: Warn on unsupported mitigations= parameter
   27380331755f NFS/flexfiles: Use the correct TCP timeout for flexfiles I/O
   01a02a98ab1c KVM: x86/mmu: Allocate PAE root array when using SVM's 32-bit 
NPT
   327460322c7c x86/resctrl: Prevent possible overrun during bitmap operations
   1746dc529104 x86/microcode: Fix the microcode load on CPU hotplug for real
   690049eddb0c x86/speculation: Allow guests to use SSBD even if host does not
   ee71e97285c2 scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck()
   2ba0a5009607 dm log writes: make sure super sector log updates are written 
in order
   87cf811ab6fb mm/page_idle.c: fix oops because end_pfn is larger than max_pfn
   1192fb703d09 mm: hugetlb: soft-offline: dissolve_free_huge_page() return 
zero on !PageHuge
   aab629188848 mm: soft-offline: return -EBUSY if 
set_hwpoison_free_buddy_page() fails
   bcfed145e583 clk: socfpga: stratix10: fix divider entry for the emac clocks
   75f5d78d9fbe fs/binfmt_flat.c: make load_flat_shared_library() work
   49e9b499a34d mm/mempolicy.c: fix an incorrect rebind node in 
mpol_rebind_nodemask
   6a811c099186 fs/proc/array.c: allow reporting eip/esp for all coredumping 
threads
   385cacd953b9 usb: dwc3: gadget: Clear req->needs_extra_trb flag on cleanup
   6edcdd0e6d8f usb: dwc3: gadget: remove wait_end_transfer
   d7ff2e3ff0e0 usb: dwc3: gadget: move requests to cancelled_list
   bba5f9878f67 usb: dwc3: gadget: introduce cancelled_list
   65e1f3403108 usb: dwc3: gadget: extract dwc3_gadget_ep_skip_trbs()
   56092bd50eb9 usb: dwc3: gadget: use num_trbs when skipping TRBs on 
->dequeue()
   2a2b1c4dc510 usb: dwc3: gadget: track number of TRBs per request
   420b1237c79f usb: dwc3: gadget: combine unaligned and zero flags
   62805d31969b Revert "usb: dwc3: gadget: Clear req->needs_extra_trb flag on 
cleanup"
   3726d8d0b60f qmi_wwan: Fix out-of-bounds read
   cfbe930c7142 net/9p: include trans_common.h to fix missing prototype warning.
   6518b4126b3f 9p/trans_fd: put worker reqs on destroy
   6fad469c84fc 9p/trans_fd: abort p9_read_work if req status changed
   39bf142ae0ca 9p: potential NULL dereference
   6490cdf9d29d 9p: p9dirent_read: check network-provided name length
   e48e7e27e4df 9p/rdma: remove useless check in cm_event_handler
   fb0cbbd8dec7 9p: acl: fix uninitialized iattr access
   3dc511c9ccb9 9p: Rename req to rreq in trans_fd
   04ee7e7b4795 9p/rdma: do not disconnect on down_interruptible EAGAIN
   3665a4d9dca1 9p: Add refcount to p9_req_t
   fa3625794f1a 9p: rename p9_free_req() function
   be87f21e6b25 9p: add a per-client fcall kmem_cache
   183b6

[OE-core] [warrior-next 20/54] mesa: Update 19.0.1 -> 19.0.8

2019-09-29 Thread Armin Kuster
From: Fabio Berton 

This commit adds the following changes:

Updates from 19.0.8:

  - Mesa 19.0.8 is an emergency bug fix release which fixes a critical
bug found in the 19.0.7 release.

  Full log:
  https://www.mesa3d.org/relnotes/19.0.8.html

Updates from 19.0.7:

  - Mesa 19.0.7 is a bug fix release which fixes bugs found since the
19.0.6 release.

  Full log:
  https://www.mesa3d.org/relnotes/19.0.7.html

Updates from 19.0.6:

  - Mesa 19.0.6 is a bug fix release which fixes bugs found since the
19.0.5 release.

  Full log:
  https://www.mesa3d.org/relnotes/19.0.6.html

Updates from 19.0.5:

  - Mesa 19.0.5 is a bug fix release which fixes bugs found since the
19.0.4 release.

  Full log:
  https://www.mesa3d.org/relnotes/19.0.5.html

Updates from 19.0.4:

  - Mesa 19.0.4 is a bug fix release which fixes bugs found since the
19.0.3 release.

  Full log:
  https://www.mesa3d.org/relnotes/19.0.4.html

Updates from 19.0.3:

  - Mesa 19.0.3 is a bug fix release which fixes bugs found since the
19.0.2 release.

  Full log:
  https://www.mesa3d.org/relnotes/19.0.3.html

Updates from 19.0.2:

  - Mesa 19.0.2 is a bug fix release which fixes bugs found since the
19.0.1 release.

  Full log:
  https://www.mesa3d.org/relnotes/19.0.2.html

Signed-off-by: Fabio Berton 
Signed-off-by: Armin Kuster 
---
 meta/recipes-graphics/mesa/{mesa-gl_19.0.1.bb => mesa-gl_19.0.8.bb} | 0
 meta/recipes-graphics/mesa/{mesa_19.0.1.bb => mesa_19.0.8.bb}   | 4 ++--
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-graphics/mesa/{mesa-gl_19.0.1.bb => mesa-gl_19.0.8.bb} 
(100%)
 rename meta/recipes-graphics/mesa/{mesa_19.0.1.bb => mesa_19.0.8.bb} (85%)

diff --git a/meta/recipes-graphics/mesa/mesa-gl_19.0.1.bb 
b/meta/recipes-graphics/mesa/mesa-gl_19.0.8.bb
similarity index 100%
rename from meta/recipes-graphics/mesa/mesa-gl_19.0.1.bb
rename to meta/recipes-graphics/mesa/mesa-gl_19.0.8.bb
diff --git a/meta/recipes-graphics/mesa/mesa_19.0.1.bb 
b/meta/recipes-graphics/mesa/mesa_19.0.8.bb
similarity index 85%
rename from meta/recipes-graphics/mesa/mesa_19.0.1.bb
rename to meta/recipes-graphics/mesa/mesa_19.0.8.bb
index d90be8a..8cb80b5 100644
--- a/meta/recipes-graphics/mesa/mesa_19.0.1.bb
+++ b/meta/recipes-graphics/mesa/mesa_19.0.8.bb
@@ -7,8 +7,8 @@ SRC_URI = 
"https://mesa.freedesktop.org/archive/mesa-${PV}.tar.xz \

file://0004-use-PKG_CHECK_VAR-for-defining-WAYLAND_PROTOCOLS_DAT.patch \
 "
 
-SRC_URI[md5sum] = "19636bb3da35c21f43040d31e575d5ce"
-SRC_URI[sha256sum] = 
"6884163c0ea9e4c98378ab8fecd72fe7b5f437713a14471beda378df247999d4"
+SRC_URI[md5sum] = "9634964d87f1ce8d0230493e43f34c50"
+SRC_URI[sha256sum] = 
"d017eb53a810c32dabeedf6ca2238ae1e897ce9090e470e9ce1d6c9e3f1b0862"
 
 #because we cannot rely on the fact that all apps will use pkgconfig,
 #make eglplatform.h independent of MESA_EGL_NO_X11_HEADER
-- 
2.7.4



[OE-core] [warrior-next 18/54] package.bbclass: fix directories setuid and setgid bits

2019-09-29 Thread Armin Kuster
From: Joël Esponde 

populate_packages relies on ``mkdir`` to both create a directory and set
its permissions. However, ``mkdir`` honors the ``umask`` value.
Therefore, some bits may be lost in the operation. In our case, the
setgid bit on the directories was lost.

This commit fixes this by having a distinct call to create the directory
and to set the permissions.

Signed-off-by: Jean-Tiare Le Bigot 
Signed-off-by: Armin Kuster 
---
 meta/classes/package.bbclass | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/classes/package.bbclass b/meta/classes/package.bbclass
index 2c44fc1..472d542 100644
--- a/meta/classes/package.bbclass
+++ b/meta/classes/package.bbclass
@@ -1210,7 +1210,8 @@ python populate_packages () {
 src = os.path.join(src, p)
 dest = os.path.join(dest, p)
 fstat = cpath.stat(src)
-os.mkdir(dest, fstat.st_mode)
+os.mkdir(dest)
+os.chmod(dest, fstat.st_mode)
 os.chown(dest, fstat.st_uid, fstat.st_gid)
 if p not in seen:
 seen.append(p)
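Review bot: `os.chown(dest, fstat.st_uid, fstat.st_gid)` still runs after the new `os.chmod(dest, fstat.st_mode)`, and a chown is allowed to clear the setuid/setgid bits on some platforms, which would undo what this change sets out to preserve. Setting the mode last avoids depending on that: `os.chown(dest, fstat.st_uid, fstat.st_gid)` followed by `os.chmod(dest, fstat.st_mode)`. A short comment such as `# mkdir() applies the umask, so set the mode explicitly` would also keep the two-step form from being collapsed again. populate_packages starts and ends outside the hunk.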
-- 
2.7.4



[OE-core] [warrior-next 19/54] qemu: add a patch fixing the native build on newer kernels

2019-09-29 Thread Armin Kuster
From: Bartosz Golaszewski 

The build fails on qemu-native if we're using kernels after commit
0768e17073dc527ccd18ed5f96ce85f9985e9115. This adds an upstream
patch that fixes the issue.

Signed-off-by: Bartosz Golaszewski 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/recipes-devtools/qemu/qemu.inc|   1 +
 ...fix-to-handle-variably-sized-SIOCGSTAMP-w.patch | 339 +
 2 files changed, 340 insertions(+)
 create mode 100644 
meta/recipes-devtools/qemu/qemu/0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index e503aa8..ecf13dc 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -30,6 +30,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://0018-fix-CVE-2018-20191.patch \
file://0019-fix-CVE-2018-20216.patch \
file://CVE-2019-3812.patch \
+   
file://0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git 
a/meta/recipes-devtools/qemu/qemu/0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch
 
b/meta/recipes-devtools/qemu/qemu/0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch
new file mode 100644
index 000..f7939b8
--- /dev/null
+++ 
b/meta/recipes-devtools/qemu/qemu/0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch
@@ -0,0 +1,339 @@
+From 8104018ba4c66e568d2583a3a0ee940851ee7471 Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrangé 
+Date: Tue, 23 Jul 2019 17:50:00 +0200
+Subject: [PATCH] linux-user: fix to handle variably sized SIOCGSTAMP with new
+ kernels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The SIOCGSTAMP symbol was previously defined in the
+asm-generic/sockios.h header file. QEMU sees that header
+indirectly via sys/socket.h
+
+In linux kernel commit 0768e17073dc527ccd18ed5f96ce85f9985e9115
+the asm-generic/sockios.h header no longer defines SIOCGSTAMP.
+Instead it provides only SIOCGSTAMP_OLD, which only uses a
+32-bit time_t on 32-bit architectures.
+
+The linux/sockios.h header then defines SIOCGSTAMP using
+either SIOCGSTAMP_OLD or SIOCGSTAMP_NEW as appropriate. If
+SIOCGSTAMP_NEW is used, then the tv_sec field is 64-bit even
+on 32-bit architectures
+
+To cope with this we must now convert the old and new type from
+the target to the host one.
+
+Signed-off-by: Daniel P. Berrangé 
+Signed-off-by: Laurent Vivier 
+Reviewed-by: Arnd Bergmann 
+Message-Id: <20190718130641.15294-1-laur...@vivier.eu>
+Signed-off-by: Laurent Vivier 
+Signed-off-by: Bartosz Golaszewski 
+---
+Uptream-status: Backport (upstream commit: 
6d5d5dde9adb5acb32e6b8e3dfbf47fff0f308d2)
+
+ linux-user/ioctls.h|  21 +-
+ linux-user/syscall.c   | 140 +
+ linux-user/syscall_defs.h  |  30 +++-
+ linux-user/syscall_types.h |   6 --
+ 4 files changed, 159 insertions(+), 38 deletions(-)
+
+diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h
+index ae8951625f..e6a27ad9d6 100644
+--- a/linux-user/ioctls.h
 b/linux-user/ioctls.h
+@@ -219,8 +219,25 @@
+   IOCTL(SIOCGRARP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_arpreq)))
+   IOCTL(SIOCGIWNAME, IOC_W | IOC_R, MK_PTR(MK_STRUCT(STRUCT_char_ifreq)))
+   IOCTL(SIOCGPGRP, IOC_R, MK_PTR(TYPE_INT)) /* pid_t */
+-  IOCTL(SIOCGSTAMP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timeval)))
+-  IOCTL(SIOCGSTAMPNS, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timespec)))
++
++  /*
++   * We can't use IOCTL_SPECIAL() because it will set
++   * host_cmd to XXX_OLD and XXX_NEW and these macros
++   * are not defined with kernel prior to 5.2.
++   * We must set host_cmd to the same value as in target_cmd
++   * otherwise the consistency check in syscall_init()
++   * will trigger an error.
++   * host_cmd is ignored by the do_ioctl_XXX() helpers.
++   * FIXME: create a macro to define this kind of entry
++   */
++  { TARGET_SIOCGSTAMP_OLD, TARGET_SIOCGSTAMP_OLD,
++"SIOCGSTAMP_OLD", IOC_R, do_ioctl_SIOCGSTAMP },
++  { TARGET_SIOCGSTAMPNS_OLD, TARGET_SIOCGSTAMPNS_OLD,
++"SIOCGSTAMPNS_OLD", IOC_R, do_ioctl_SIOCGSTAMPNS },
++  { TARGET_SIOCGSTAMP_NEW, TARGET_SIOCGSTAMP_NEW,
++"SIOCGSTAMP_NEW", IOC_R, do_ioctl_SIOCGSTAMP },
++  { TARGET_SIOCGSTAMPNS_NEW, TARGET_SIOCGSTAMPNS_NEW,
++"SIOCGSTAMPNS_NEW", IOC_R, do_ioctl_SIOCGSTAMPNS },
+ 
+   IOCTL(RNDGETENTCNT, IOC_R, MK_PTR(TYPE_INT))
+   IOCTL(RNDADDTOENTCNT, IOC_W, MK_PTR(TYPE_INT))
+diff --git a/linux-user/syscall.c b/linux-user/syscall.c
+index 96cd4bf86d..6df480e13d 100644
+--- a/linux-user/syscall.c
 b/linux-user/syscall.c
+@@ -37,6 +37,7 @@
+ #include 
+ #include 
+ #include 
++#include 
+ #include 
+ #include 
+ #include 
+@@ -1139,8 +1140,9 @@ static inline abi_long copy_from_user_timeval(struct 
timeval *tv,
+ {
+ struct target_timeval *target_tv;
+ 
+-if (

[OE-core] [warrior-next 17/54] psmisc: Fix dependency for USE_NLS=no

2019-09-29 Thread Armin Kuster
From: Jason Wessel 

When using USE_NLS="no" in the local.conf psmisc will fail to
compile as follows:

| autoreconf: Entering directory `.'
| autoreconf: running: autopoint --force
| autoreconf: failed to run autopoint: No such file or directory
| autoreconf: autopoint is needed because this package uses Gettext
| ERROR: autoreconf execution failed.

This is because the gettext.bbclass returns gettext-minimal-native for
the host dependency which does not include autopoint.  The autopoint
utility is required to build psmisc, so it needs to list
gettext-native as a dependency.

Signed-off-by: Jason Wessel 
Signed-off-by: Richard Purdie 
Signed-off-by: Adrian Bunk 
Signed-off-by: Armin Kuster 
---
 meta/recipes-extended/psmisc/psmisc.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-extended/psmisc/psmisc.inc 
b/meta/recipes-extended/psmisc/psmisc.inc
index 82ef947..594a10c 100644
--- a/meta/recipes-extended/psmisc/psmisc.inc
+++ b/meta/recipes-extended/psmisc/psmisc.inc
@@ -7,7 +7,7 @@ command sends a specified signal (SIGTERM if nothing is 
specified) to \
 processes identified by name.  The fuser command identifies the PIDs \
 of processes that are using specified files or filesystems."
 SECTION = "base"
-DEPENDS = "ncurses virtual/libintl"
+DEPENDS = "ncurses virtual/libintl gettext-native"
 LICENSE = "GPLv2"
 
 SRC_URI = "${SOURCEFORGE_MIRROR}/psmisc/psmisc-${PV}.tar.gz"
-- 
2.7.4



[OE-core] [warrior-next 13/54] patch: fix CVE-2019-13636

2019-09-29 Thread Armin Kuster
From: Anuj Mittal 

Signed-off-by: Anuj Mittal 
Signed-off-by: Armin Kuster 
---
 .../patch/patch/CVE-2019-13636.patch   | 113 +
 meta/recipes-devtools/patch/patch_2.7.6.bb |   1 +
 2 files changed, 114 insertions(+)
 create mode 100644 meta/recipes-devtools/patch/patch/CVE-2019-13636.patch

diff --git a/meta/recipes-devtools/patch/patch/CVE-2019-13636.patch 
b/meta/recipes-devtools/patch/patch/CVE-2019-13636.patch
new file mode 100644
index 000..9f8b6db
--- /dev/null
+++ b/meta/recipes-devtools/patch/patch/CVE-2019-13636.patch
@@ -0,0 +1,113 @@
+From dce4683cbbe107a95f1f0d45fabc304acfb5d71a Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher 
+Date: Mon, 15 Jul 2019 16:21:48 +0200
+Subject: Don't follow symlinks unless --follow-symlinks is given
+
+* src/inp.c (plan_a, plan_b), src/util.c (copy_to_fd, copy_file,
+append_to_file): Unless the --follow-symlinks option is given, open files with
+the O_NOFOLLOW flag to avoid following symlinks.  So far, we were only doing
+that consistently for input files.
+* src/util.c (create_backup): When creating empty backup files, (re)create them
+with O_CREAT | O_EXCL to avoid following symlinks in that case as well.
+
+CVE: CVE-2019-13636
+Upstream-Status: 
Backport[https://git.savannah.gnu.org/cgit/patch.git/patch/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a]
+Signed-off-by: Anuj Mittal 
+
+---
+ src/inp.c  | 12 ++--
+ src/util.c | 14 +++---
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/src/inp.c b/src/inp.c
+index 32d0919..22d7473 100644
+--- a/src/inp.c
 b/src/inp.c
+@@ -238,8 +238,13 @@ plan_a (char const *filename)
+ {
+   if (S_ISREG (instat.st_mode))
+ {
+-int ifd = safe_open (filename, O_RDONLY|binary_transput, 0);
++int flags = O_RDONLY | binary_transput;
+ size_t buffered = 0, n;
++int ifd;
++
++if (! follow_symlinks)
++  flags |= O_NOFOLLOW;
++ifd = safe_open (filename, flags, 0);
+ if (ifd < 0)
+   pfatal ("can't open file %s", quotearg (filename));
+ 
+@@ -340,6 +345,7 @@ plan_a (char const *filename)
+ static void
+ plan_b (char const *filename)
+ {
++  int flags = O_RDONLY | binary_transput;
+   int ifd;
+   FILE *ifp;
+   int c;
+@@ -353,7 +359,9 @@ plan_b (char const *filename)
+ 
+   if (instat.st_size == 0)
+ filename = NULL_DEVICE;
+-  if ((ifd = safe_open (filename, O_RDONLY | binary_transput, 0)) < 0
++  if (! follow_symlinks)
++flags |= O_NOFOLLOW;
++  if ((ifd = safe_open (filename, flags, 0)) < 0
+   || ! (ifp = fdopen (ifd, binary_transput ? "rb" : "r")))
+ pfatal ("Can't open file %s", quotearg (filename));
+   if (TMPINNAME_needs_removal)
+diff --git a/src/util.c b/src/util.c
+index 1cc08ba..fb38307 100644
+--- a/src/util.c
 b/src/util.c
+@@ -388,7 +388,7 @@ create_backup (char const *to, const struct stat *to_st, 
bool leave_original)
+ 
+ try_makedirs_errno = ENOENT;
+ safe_unlink (bakname);
+-while ((fd = safe_open (bakname, O_CREAT | O_WRONLY | O_TRUNC, 0666)) 
< 0)
++while ((fd = safe_open (bakname, O_CREAT | O_EXCL | O_WRONLY | 
O_TRUNC, 0666)) < 0)
+   {
+ if (errno != try_makedirs_errno)
+   pfatal ("Can't create file %s", quotearg (bakname));
+@@ -579,10 +579,13 @@ create_file (char const *file, int open_flags, mode_t 
mode,
+ static void
+ copy_to_fd (const char *from, int tofd)
+ {
++  int from_flags = O_RDONLY | O_BINARY;
+   int fromfd;
+   ssize_t i;
+ 
+-  if ((fromfd = safe_open (from, O_RDONLY | O_BINARY, 0)) < 0)
++  if (! follow_symlinks)
++from_flags |= O_NOFOLLOW;
++  if ((fromfd = safe_open (from, from_flags, 0)) < 0)
+ pfatal ("Can't reopen file %s", quotearg (from));
+   while ((i = read (fromfd, buf, bufsize)) != 0)
+ {
+@@ -625,6 +628,8 @@ copy_file (char const *from, char const *to, struct stat 
*tost,
+   else
+ {
+   assert (S_ISREG (mode));
++  if (! follow_symlinks)
++  to_flags |= O_NOFOLLOW;
+   tofd = create_file (to, O_WRONLY | O_BINARY | to_flags, mode,
+ to_dir_known_to_exist);
+   copy_to_fd (from, tofd);
+@@ -640,9 +645,12 @@ copy_file (char const *from, char const *to, struct stat 
*tost,
+ void
+ append_to_file (char const *from, char const *to)
+ {
++  int to_flags = O_WRONLY | O_APPEND | O_BINARY;
+   int tofd;
+ 
+-  if ((tofd = safe_open (to, O_WRONLY | O_BINARY | O_APPEND, 0)) < 0)
++  if (! follow_symlinks)
++to_flags |= O_NOFOLLOW;
++  if ((tofd = safe_open (to, to_flags, 0)) < 0)
+ pfatal ("Can't reopen file %s", quotearg (to));
+   copy_to_fd (from, tofd);
+   if (close (tofd) != 0)
+-- 
+cgit v1.0-41-gc330
+
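Review bot: In the `create_backup` hunk the switch to `O_CREAT | O_EXCL | O_WRONLY | O_TRUNC` has no comment saying what `O_EXCL` protects, and `O_TRUNC` is redundant once `O_EXCL` guarantees a newly created file (harmless, and reasonable to keep so the backport matches upstream). I would add `/* bakname was just unlinked: O_EXCL makes the open fail if a file or symlink reappears at that path instead of writing through it */` above the `while`. The other hunks add `O_NOFOLLOW`, which refuses a symlink only in the final path component; how symlinked parent directories are handled depends on `safe_open`, which this patch does not show. In `plan_b` the flag is also applied after `filename` has been replaced by `NULL_DEVICE`, so that open would presumably fail on a system where the null device is a symlink. The bodies of these functions continue outside the hunks.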
diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb 
b/meta/recipes-devtools/patch/patch_2.7.6.bb
index 85b0db7..8cf20a3 100644
--- a/meta/recipes-devtools/patch/patch_2.7.6.bb
+++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
@@ -6,6 +6,7 @@ SRC_URI += 
"file://0

[OE-core] [warrior-next 12/54] package: Improve determinism

2019-09-29 Thread Armin Kuster
From: Richard Purdie 

It's possible that, in cases with multiple shlib providers, we were not being
deterministic. Add in a couple of sorted() calls to fix the shlibs and
pkgconfig cases with this potential issue.

Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/classes/package.bbclass | 2 +-
 meta/lib/oe/package.py   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/classes/package.bbclass b/meta/classes/package.bbclass
index eef1f7b..2c44fc1 100644
--- a/meta/classes/package.bbclass
+++ b/meta/classes/package.bbclass
@@ -1918,7 +1918,7 @@ python package_do_pkgconfig () {
 for dir in reversed(shlibs_dirs):
 if not os.path.exists(dir):
 continue
-for file in os.listdir(dir):
+for file in sorted(os.listdir(dir)):
 m = re.match(r'^(.*)\.pclist$', file)
 if m:
 pkg = m.group(1)
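Review bot: The new `sorted()` call has no comment saying why the order matters, so a later cleanup could remove it as redundant. I would add `# sorted(): os.listdir() order is arbitrary, keep the result stable when several providers exist` above the `for file in sorted(os.listdir(dir)):` line here and above the identical line in `read_shlib_providers` in meta/lib/oe/package.py. Both loops sit in functions whose bodies start and end outside the hunks.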
diff --git a/meta/lib/oe/package.py b/meta/lib/oe/package.py
index b595132..b8585d4 100644
--- a/meta/lib/oe/package.py
+++ b/meta/lib/oe/package.py
@@ -265,7 +265,7 @@ def read_shlib_providers(d):
 bb.debug(2, "Reading shlib providers in %s" % (dir))
 if not os.path.exists(dir):
 continue
-for file in os.listdir(dir):
+for file in sorted(os.listdir(dir)):
 m = list_re.match(file)
 if m:
 dep_pkg = m.group(1)
-- 
2.7.4



[OE-core] [warrior-next 16/54] rng-tools: fix very long shutdown delay with systemd

2019-09-29 Thread Armin Kuster
From: "Bedel, Alban" 

The systemd service file has DefaultDependencies=no but is not
properly configured to also stop the unit. Because of this the unit
keeps running after shutdown but systemd still waits for it to finish,
then later resorts to a hard kill. All this takes 1m30s with the default
configuration.

To fix this problem add the missing Before=shutdown.target and
Conflicts=shutdown.target to have systemd stop the unit on shutdown.

Signed-off-by: Alban Bedel 
Signed-off-by: Armin Kuster 
---
 meta/recipes-support/rng-tools/rng-tools/rngd.service | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-support/rng-tools/rng-tools/rngd.service 
b/meta/recipes-support/rng-tools/rng-tools/rngd.service
index f0355db..5c8253b 100644
--- a/meta/recipes-support/rng-tools/rng-tools/rngd.service
+++ b/meta/recipes-support/rng-tools/rng-tools/rngd.service
@@ -2,7 +2,8 @@
 Description=Hardware RNG Entropy Gatherer Daemon
 DefaultDependencies=no
 After=systemd-udev-settle.service
-Before=sysinit.target
+Before=sysinit.target shutdown.target
+Conflicts=shutdown.target
 
 [Service]
 ExecStart=@SBINDIR@/rngd -f -r /dev/hwrng
-- 
2.7.4



[OE-core] [warrior-next 15/54] ghostscript: fix CVE-2019-3839

2019-09-29 Thread Armin Kuster
From: Naveen Saini 

Signed-off-by: Naveen Saini 
Signed-off-by: Armin Kuster 
---
 .../ghostscript/CVE-2019-3839-0008.patch   | 440 +
 .../ghostscript/ghostscript_9.26.bb|   1 +
 2 files changed, 441 insertions(+)
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3839-0008.patch

diff --git 
a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3839-0008.patch 
b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3839-0008.patch
new file mode 100644
index 000..4be1c84
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3839-0008.patch
@@ -0,0 +1,440 @@
+From c253752ef731f49922e0a97490d1ef09ca697c91 Mon Sep 17 00:00:00 2001
+From: Ray Johnston 
+Date: Thu, 31 Jan 2019 11:31:30 -0800
+Subject: [PATCH] Hide pdfdict and GS_PDF_ProcSet (internal stuff for the PDF
+ interp).
+
+We now keep GS_PDF_ProcSet in pdfdict, and immediately bind pdfdict
+where needed so we can undef it after the last PDF interp file has
+run (pdf_sec.ps).
+
+CVE: CVE-2019-3839
+Upstream-Status: Backport 
[http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ec9ca74bed49f2a82acb4bf430eae0d8b3b75c9]
+Signed-off-by: Naveen Saini 
+---
+ Resource/Init/pdf_base.ps | 11 
+ Resource/Init/pdf_draw.ps | 59 +++
+ Resource/Init/pdf_font.ps |  9 +++---
+ Resource/Init/pdf_main.ps | 25 +
+ Resource/Init/pdf_ops.ps  | 11 
+ Resource/Init/pdf_sec.ps  |  4 ++-
+ 6 files changed, 60 insertions(+), 59 deletions(-)
+
+diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
+index e35e0e373..13dd51f46 100644
+--- a/Resource/Init/pdf_base.ps
 b/Resource/Init/pdf_base.ps
+@@ -23,7 +23,6 @@
+ 
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+ pdfdict begin
+ 
+ % Define the name interpretation dictionary for reading values.
+@@ -133,11 +132,11 @@ currentdict /num-chars-dict .undef
+ 
+ /.pdfexectoken {  %.pdfexectoken ?
+   PDFDEBUG {
+-pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } 
executeonly if
++//pdfdict /PDFSTEPcount known not { //pdfdict /PDFSTEPcount 1 .forceput } 
executeonly if
+ PDFSTEP {
+-  pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput
++  //pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse 
.forceput
+   PDFSTEPcount 1 gt {
+-pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput
++//pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput
+   } executeonly
+   {
+ dup ==only
+@@ -145,10 +144,10 @@ currentdict /num-chars-dict .undef
+ ( ? ) print flush 1 //false .outputpage
+ (%stdin) (r) file 255 string readline {
+   token {
+-exch pop pdfdict /PDFSTEPcount 3 -1 roll .forceput
++exch pop //pdfdict /PDFSTEPcount 3 -1 roll .forceput
+   } executeonly
+   {
+-pdfdict /PDFSTEPcount 1 .forceput
++//pdfdict /PDFSTEPcount 1 .forceput
+   } executeonly ifelse % token
+ } {
+   pop /PDFSTEP //false def % EOF on stdin
+diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
+index 36c41a9a3..2e39c87d2 100644
+--- a/Resource/Init/pdf_draw.ps
 b/Resource/Init/pdf_draw.ps
+@@ -18,8 +18,7 @@
+ 
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+-GS_PDF_ProcSet begin
++/GS_PDF_ProcSet load begin
+ pdfdict begin
+ 
+ % For simplicity, we use a single interpretation dictionary for all
+@@ -113,7 +112,7 @@ pdfdict begin
+ 
+ /resolvefunction {%  resolvefunction 
+   .resolvefn
+-  PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { 
(%Function: ) print dup === flush } if } if
++  PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { 
(%Function: ) print dup === flush } if } if
+ } bind executeonly def
+ 
+ /resolvefnproc {  %  resolvefnproc 
+@@ -1086,7 +1085,7 @@ currentdict end readonly def
+ %% finished running the PaintProc.
+ 
+ /.actual_pdfpaintproc { %   .pdfpaintproc -
+-  PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { 
(%Begin PaintProc) print dup === flush } if } if
++  PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { 
(%Begin PaintProc) print dup === flush } if } if
+   PDFfile fileposition 3 1 roll
+   q
+   1 index /PaintType oget 1 eq {
+@@ -1121,21 +1120,21 @@ currentdict end readonly def
+   Q
+ }{
+   (\n    Error: File has unbalanced q/Q operators \(too many Q's\)\n  
 Output may be incorrect.\n)
+-  pdfdict /.Qqwarning_issued .knownget
++  //pdfdict /.Qqwarning_issued .knownget
+   {
+ {
+   pop
+ }
+ {
+-  currentglobal p

[OE-core] [warrior-next 11/54] gstreamer1.0-vaapi: backport jpeg encode/decode fixes

2019-09-29 Thread Armin Kuster
From: Anuj Mittal 

Backport patches from 1.15 to fix JPEG encode/decode issues when
using VAAPI with Intel media-driver. See for details:

https://bugzilla.gnome.org/show_bug.cgi?id=796705
https://bugzilla.gnome.org/show_bug.cgi?id=796505

Signed-off-by: Anuj Mittal 
Signed-off-by: Armin Kuster 
---
 ...der-release-VA-buffers-after-vaEndPicture.patch | 45 +++
 ...ibs-encoder-jpeg-set-component-id-and-Tqi.patch | 65 ++
 .../gstreamer/gstreamer1.0-vaapi_1.14.4.bb |  2 +
 3 files changed, 112 insertions(+)
 create mode 100644 
meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi/0001-libs-decoder-release-VA-buffers-after-vaEndPicture.patch
 create mode 100644 
meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi/0001-libs-encoder-jpeg-set-component-id-and-Tqi.patch

diff --git 
a/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi/0001-libs-decoder-release-VA-buffers-after-vaEndPicture.patch
 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi/0001-libs-decoder-release-VA-buffers-after-vaEndPicture.patch
new file mode 100644
index 000..b52e61b
--- /dev/null
+++ 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi/0001-libs-decoder-release-VA-buffers-after-vaEndPicture.patch
@@ -0,0 +1,45 @@
+From bb8894aaf934b3af4d44cf54e860510fe4d615b3 Mon Sep 17 00:00:00 2001
+From: Tianhao Liu 
+Date: Thu, 7 Jun 2018 09:34:11 +0800
+Subject: [PATCH] libs: decoder: release VA buffers after vaEndPicture
+
+This change is due a problem decoding JPEGs with Intel's media-driver:
+no image was generated.
+
+This patch relases the VA buffers after vaEndPicture() is called,
+and not before (after vaRenderPicture()).
+
+https://bugzilla.gnome.org/show_bug.cgi?id=796505
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/gstreamer/gstreamer-vaapi/commit/bb8894aaf934b3af4d44cf54e860510fe4d615b3]
+Signed-off-by: Anuj Mittal 
+---
+ gst-libs/gst/vaapi/gstvaapidecoder_objects.c | 7 ++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/gst-libs/gst/vaapi/gstvaapidecoder_objects.c 
b/gst-libs/gst/vaapi/gstvaapidecoder_objects.c
+index 20d4f55..2dd4c27 100644
+--- a/gst-libs/gst/vaapi/gstvaapidecoder_objects.c
 b/gst-libs/gst/vaapi/gstvaapidecoder_objects.c
+@@ -304,12 +304,17 @@ gst_vaapi_picture_decode (GstVaapiPicture * picture)
+ status = vaRenderPicture (va_display, va_context, va_buffers, 2);
+ if (!vaapi_check_status (status, "vaRenderPicture()"))
+   return FALSE;
++  }
++
++  status = vaEndPicture (va_display, va_context);
++
++  for (i = 0; i < picture->slices->len; i++) {
++GstVaapiSlice *const slice = g_ptr_array_index (picture->slices, i);
+ 
+ vaapi_destroy_buffer (va_display, &slice->param_id);
+ vaapi_destroy_buffer (va_display, &slice->data_id);
+   }
+ 
+-  status = vaEndPicture (va_display, va_context);
+   if (!vaapi_check_status (status, "vaEndPicture()"))
+ return FALSE;
+   return TRUE;
+-- 
+2.7.4
+
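Review bot: The early `return FALSE` after a failed `vaRenderPicture()` now leaves the function before the new second loop, so none of the slices' `param_id`/`data_id` buffers are released on that path; before this change the slices already rendered had been destroyed by then. The same early exit also skips `vaEndPicture()`, as it did before. Whether the buffers are reclaimed later when the picture is freed cannot be seen from this hunk, so I would either route the failure through the destroy loop (record the failure in a flag, `break`, and return after the loop) or add a comment stating where they are released. `gst_vaapi_picture_decode` starts outside the hunk.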
diff --git 
a/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi/0001-libs-encoder-jpeg-set-component-id-and-Tqi.patch
 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi/0001-libs-encoder-jpeg-set-component-id-and-Tqi.patch
new file mode 100644
index 000..eb1228b
--- /dev/null
+++ 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi/0001-libs-encoder-jpeg-set-component-id-and-Tqi.patch
@@ -0,0 +1,65 @@
+From f5eb4faa5914f3745820e557ac2401a7d738be66 Mon Sep 17 00:00:00 2001
+From: Tianhao Liu 
+Date: Wed, 4 Jul 2018 12:51:10 +0800
+Subject: [PATCH] libs: encoder: jpeg: set component id and Tqi
+
+This change is due a problem encoding JPEGs with Intel's
+media-driver: green/black image when playback jpeg
+
+This patch sets component identifier and quantization table
+destination selector in frame header to support packing headers
+by Intel's media-driver that does not accept packed header
+in AP level.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=796705
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/gstreamer/gstreamer-vaapi/commit/f5eb4faa5914f3745820e557ac2401a7d738be66]
+Signed-off-by: Anuj Mittal 
+---
+ gst-libs/gst/vaapi/gstvaapiencoder_jpeg.c | 14 +-
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/gst-libs/gst/vaapi/gstvaapiencoder_jpeg.c 
b/gst-libs/gst/vaapi/gstvaapiencoder_jpeg.c
+index b3f409d..8491fbc 100644
+--- a/gst-libs/gst/vaapi/gstvaapiencoder_jpeg.c
 b/gst-libs/gst/vaapi/gstvaapiencoder_jpeg.c
+@@ -205,6 +205,7 @@ fill_picture (GstVaapiEncoderJpeg * encoder,
+ GstVaapiEncPicture * picture,
+ GstVaapiCodedBuffer * codedbuf, GstVaapiSurfaceProxy * surface)
+ {
++  guint i;
+   VAEncPictureParameterBufferJPEG *const pic_param = picture->param;
+ 
+   memset (pic_param, 0, sizeof (VAEncPictureParameterBufferJPEG));
+@@ -224,6 +225,11 @@ fill_picture (GstVaapiEncoderJpeg * encoder,
+   pic_param->num_scan = 1;
+   pic_param->num_components = encoder->n_components;
+   pic_param->quality = encoder->quality;
++  for (i = 0; i <

[OE-core] [warrior-next 14/54] python3: fix CVE-2019-9740

2019-09-29 Thread Armin Kuster
From: Anuj Mittal 

CVE-2019-9947 is same as CVE-2019-9740 and mark it as such. See:

https://bugs.python.org/issue30458

Signed-off-by: Anuj Mittal 
Signed-off-by: Armin Kuster 
---
 .../python/python3/CVE-2019-9740.patch | 151 +
 meta/recipes-devtools/python/python3_3.7.2.bb  |   1 +
 2 files changed, 152 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2019-9740.patch

diff --git a/meta/recipes-devtools/python/python3/CVE-2019-9740.patch 
b/meta/recipes-devtools/python/python3/CVE-2019-9740.patch
new file mode 100644
index 000..9bb336d
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2019-9740.patch
@@ -0,0 +1,151 @@
+From 7e200e0763f5b71c199aaf98bd5588f291585619 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= 
+Date: Tue, 7 May 2019 17:28:47 +0200
+Subject: [PATCH] bpo-30458: Disallow control chars in http URLs. (GH-12755)
+ (GH-13154)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Disallow control chars in http URLs in urllib.urlopen.  This addresses a 
potential security problem for applications that do not sanity check their URLs 
where http request headers could be injected.
+
+Disable https related urllib tests on a build without ssl (GH-13032)
+These tests require an SSL enabled build. Skip these tests when python is 
built without SSL to fix test failures.
+
+Use http.client.InvalidURL instead of ValueError as the new error case's 
exception. (GH-13044)
+
+Backport Co-Authored-By: Miro Hrončok 
+Upstream-Status: 
Backport[https://github.com/python/cpython/commit/7e200e0763f5b71c199aaf98bd5588f291585619]
+CVE: CVE-2019-9740
+CVE: CVE-2019-9947
+Signed-off-by: Anuj Mittal 
+---
+ Lib/http/client.py| 15 ++
+ Lib/test/test_urllib.py   | 53 +++
+ Lib/test/test_xmlrpc.py   |  7 ++-
+ .../2019-04-10-08-53-30.bpo-30458.51E-DA.rst  |  1 +
+ 4 files changed, 75 insertions(+), 1 deletion(-)
+ create mode 100644 
Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+
+diff --git a/Lib/http/client.py b/Lib/http/client.py
+index 1de151c38e92..2afd452fe30f 100644
+--- a/Lib/http/client.py
 b/Lib/http/client.py
+@@ -140,6 +140,16 @@
+ _is_legal_header_name = re.compile(rb'[^:\s][^:\r\n]*').fullmatch
+ _is_illegal_header_value = re.compile(rb'\n(?![ \t])|\r(?![ \t\n])').search
+ 
++# These characters are not allowed within HTTP URL paths.
++#  See https://tools.ietf.org/html/rfc3986#section-3.3 and the
++#  https://tools.ietf.org/html/rfc3986#appendix-A pchar definition.
++# Prevents CVE-2019-9740.  Includes control characters such as \r\n.
++# We don't restrict chars above \x7f as putrequest() limits us to ASCII.
++_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
++# Arguably only these _should_ allowed:
++#  _is_allowed_url_pchars_re = 
re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
++# We are more lenient for assumed real world compatibility purposes.
++
+ # We always set the Content-Length header for these methods because some
+ # servers will otherwise respond with a 411
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+@@ -1101,6 +,11 @@ def putrequest(self, method, url, skip_host=False,
+ self._method = method
+ if not url:
+ url = '/'
++# Prevent CVE-2019-9740.
++match = _contains_disallowed_url_pchar_re.search(url)
++if match:
++raise InvalidURL(f"URL can't contain control characters. {url!r} "
++ f"(found at least {match.group()!r})")
+ request = '%s %s %s' % (method, url, self._http_vsn_str)
+ 
+ # Non-ASCII characters should have been eliminated earlier
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index 2ac73b58d832..7214492eca9d 100644
+--- a/Lib/test/test_urllib.py
 b/Lib/test/test_urllib.py
+@@ -329,6 +329,59 @@ def test_willclose(self):
+ finally:
+ self.unfakehttp()
+ 
++@unittest.skipUnless(ssl, "ssl module required")
++def test_url_with_control_char_rejected(self):
++for char_no in list(range(0, 0x21)) + [0x7f]:
++char = chr(char_no)
++schemeless_url = f"//localhost:/test{char}/"
++self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++try:
++# We explicitly test urllib.request.urlopen() instead of the 
top
++# level 'def urlopen()' function defined in this... (quite 
ugly)
++# test suite.  They use different url opening codepaths.  
Plain
++# urlopen uses FancyURLOpener which goes via a codepath that
++# calls urllib.parse.quote() on the URL which makes all of the
++# above attempts at injection within the url _path_ safe.
++escaped_char_repr = repr(char).replace('\\', r'\\')
++Invalid

[OE-core] [warrior-next 10/54] libsdl: CVE fixes

2019-09-29 Thread Armin Kuster
From: Anuj Mittal 

Fixes CVE-2019-7572, CVE-2019-7574, CVE-2019-7575, CVE-2019-7576,
CVE-2019-7577, CVE-2019-7578, CVE-2019-7635, CVE-2019-7637,
CVE-2019-7638.

Signed-off-by: Anuj Mittal 
Signed-off-by: Armin Kuster 
---
 .../libsdl/libsdl-1.2.15/CVE-2019-7572.patch   | 114 
 .../libsdl/libsdl-1.2.15/CVE-2019-7574.patch   |  68 
 .../libsdl/libsdl-1.2.15/CVE-2019-7575.patch   |  81 +
 .../libsdl/libsdl-1.2.15/CVE-2019-7576.patch   |  80 +
 .../libsdl/libsdl-1.2.15/CVE-2019-7577.patch   | 123 +
 .../libsdl/libsdl-1.2.15/CVE-2019-7578.patch   |  64 +++
 .../libsdl/libsdl-1.2.15/CVE-2019-7635.patch   |  63 +++
 .../libsdl/libsdl-1.2.15/CVE-2019-7637.patch   | 192 +
 .../libsdl/libsdl-1.2.15/CVE-2019-7638.patch   |  38 
 meta/recipes-graphics/libsdl/libsdl_1.2.15.bb  |   9 +
 10 files changed, 832 insertions(+)
 create mode 100644 
meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch
 create mode 100644 
meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch
 create mode 100644 
meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch
 create mode 100644 
meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7576.patch
 create mode 100644 
meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch
 create mode 100644 
meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7578.patch
 create mode 100644 
meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch
 create mode 100644 
meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7637.patch
 create mode 100644 
meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7638.patch

diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch 
b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch
new file mode 100644
index 000..c41c2de
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch
@@ -0,0 +1,114 @@
+# HG changeset patch
+# User Petr Písař 
+# Date 1560182231 25200
+#  Mon Jun 10 08:57:11 2019 -0700
+# Branch SDL-1.2
+# Node ID a8afedbcaea0e84921dc770195c4699bda3ccdc5
+# Parent  faf9abbcfb5fe0d0ca23c4bf0394aa226ceccf02
+CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode
+If data chunk was longer than expected based on a WAV format
+definition, IMA_ADPCM_decode() tried to write past the output
+buffer. This patch fixes it.
+
+Based on patch from
+.
+
+CVE-2019-7572
+https://bugzilla.libsdl.org/show_bug.cgi?id=4495
+
+Signed-off-by: Petr Písař 
+
+# HG changeset patch
+# User Petr Písař 
+# Date 1560041863 25200
+#  Sat Jun 08 17:57:43 2019 -0700
+# Branch SDL-1.2
+# Node ID e52413f5258600878f9a10d2f92605a729aa8976
+# Parent  4e73be7b47877ae11d2279bd916910d469d18f8e
+CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble
+If an IMA ADPCM block contained an initial index out of step table
+range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
+this bogus value and that lead to a buffer overread.
+
+This patch fixes it by moving clamping the index value at the
+beginning of IMA_ADPCM_nibble() function instead of the end after
+an update.
+
+CVE-2019-7572
+https://bugzilla.libsdl.org/show_bug.cgi?id=4495
+
+Signed-off-by: Petr Písař 
+
+CVE: CVE-2019-7572
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal 
+
+diff -r faf9abbcfb5f -r a8afedbcaea0 src/audio/SDL_wave.c
+--- a/src/audio/SDL_wave.c Mon Jun 10 08:54:29 2019 -0700
 b/src/audio/SDL_wave.c Mon Jun 10 08:57:11 2019 -0700
+@@ -346,7 +346,7 @@
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+   struct IMA_ADPCM_decodestate *state;
+-  Uint8 *freeable, *encoded, *encoded_end, *decoded;
++  Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+   Sint32 encoded_len, samplesleft;
+   unsigned int c, channels;
+ 
+@@ -373,6 +373,7 @@
+   return(-1);
+   }
+   decoded = *audio_buf;
++  decoded_end = decoded + *audio_len;
+ 
+   /* Get ready... Go! */
+   while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+@@ -392,6 +393,7 @@
+   }
+ 
+   /* Store the initial sample we start with */
++  if (decoded + 2 > decoded_end) goto invalid_size;
+   decoded[0] = (Uint8)(state[c].sample&0xFF);
+   decoded[1] = (Uint8)(state[c].sample>>8);
+   decoded += 2;
+@@ -402,6 +404,8 @@
+   while ( samplesleft > 0 ) {
+   for ( c=0; c encoded_end) goto 
invalid_size;
++  if (decoded + 4 * 4 * channels > decoded_end)
++  goto invalid_size;
+   Fill_IMA_ADPCM_block(decoded, encoded,
+   c, channels, &state[c]);
+   encoded += 4;

[OE-core] [warrior-next 08/54] tiff: fix CVE-2019-6128

2019-09-29 Thread Armin Kuster
From: Ross Burton 

(From OE-Core rev: 7293e417dd9bdd04fe0fec177a76c9286234ed46)

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 .../libtiff/tiff/CVE-2019-6128.patch   | 52 ++
 meta/recipes-multimedia/libtiff/tiff_4.0.10.bb |  2 +-
 2 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch 
b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch
new file mode 100644
index 000..6f1fd4d
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch
@@ -0,0 +1,52 @@
+CVE: CVE-2019-6128
+Upstream-Status: Backport
+Signed-off-by: Ross Burton 
+
+From 0c74a9f49b8d7a36b17b54a7428b3526d20f88a8 Mon Sep 17 00:00:00 2001
+From: Scott Gayou 
+Date: Wed, 23 Jan 2019 15:03:53 -0500
+Subject: [PATCH] Fix for simple memory leak that was assigned CVE-2019-6128.
+
+pal2rgb failed to free memory on a few errors. This was reported
+here: http://bugzilla.maptools.org/show_bug.cgi?id=2836.
+---
+ tools/pal2rgb.c | 7 ++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 01d8502ec..9492f1cf1 100644
+--- a/tools/pal2rgb.c
 b/tools/pal2rgb.c
+@@ -118,12 +118,14 @@ main(int argc, char* argv[])
+   shortv != PHOTOMETRIC_PALETTE) {
+   fprintf(stderr, "%s: Expecting a palette image.\n",
+   argv[optind]);
++  (void) TIFFClose(in);
+   return (-1);
+   }
+   if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
+   fprintf(stderr,
+   "%s: No colormap (not a valid palette image).\n",
+   argv[optind]);
++  (void) TIFFClose(in);
+   return (-1);
+   }
+   bitspersample = 0;
+@@ -131,11 +133,14 @@ main(int argc, char* argv[])
+   if (bitspersample != 8) {
+   fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n",
+   argv[optind]);
++  (void) TIFFClose(in);
+   return (-1);
+   }
+   out = TIFFOpen(argv[optind+1], "w");
+-  if (out == NULL)
++  if (out == NULL) {
++  (void) TIFFClose(in);
+   return (-2);
++  }
+   cpTags(in, out);
+   TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
+   TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
+-- 
+2.21.0
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb 
b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
index 152fa81..a82d744 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
@@ -6,8 +6,8 @@ CVE_PRODUCT = "libtiff"
 
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://libtool2.patch \
+   file://CVE-2019-6128.patch"
"
-
 SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd"
 SRC_URI[sha256sum] = 
"2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4"
 
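Review bot: The added line `file://CVE-2019-6128.patch"` closes the `SRC_URI` string itself, yet the original closing `"` is still on the following line, so the recipe ends up with a stray quote character on a line of its own; the hunk also deletes the blank line before `SRC_URI[md5sum]`. The new entry should follow the form of the `libtool2.patch` line above it, `file://CVE-2019-6128.patch \`, leaving the closing quote and the blank line as they were. Whether the parser tolerates the stray quote is not something this hunk shows, so it is worth confirming with `bitbake -e tiff` that the patch really ends up in `SRC_URI`, because a CVE fix that is listed but not applied would be easy to miss.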
-- 
2.7.4



[OE-core] [warrior-next 06/54] libid3tag: handle unknown encodings (CVE-2017-11550)

2019-09-29 Thread Armin Kuster
From: Ross Burton 

(From OE-Core rev: 5090afc1b07e62f70ebcf63a7abb75b8552f0a52)

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 .../libid3tag/libid3tag/unknown-encoding.patch | 39 ++
 .../libid3tag/libid3tag_0.15.1b.bb |  1 +
 2 files changed, 40 insertions(+)
 create mode 100644 
meta/recipes-multimedia/libid3tag/libid3tag/unknown-encoding.patch

diff --git a/meta/recipes-multimedia/libid3tag/libid3tag/unknown-encoding.patch 
b/meta/recipes-multimedia/libid3tag/libid3tag/unknown-encoding.patch
new file mode 100644
index 000..f0867b5
--- /dev/null
+++ b/meta/recipes-multimedia/libid3tag/libid3tag/unknown-encoding.patch
@@ -0,0 +1,39 @@
+In case of an unknown/invalid encoding, id3_parse_string() will
+return NULL, but the return value wasn't checked resulting
+in segfault in id3_ucs4_length().  This is the only place
+the return value wasn't checked.
+
+Patch taken from Debian:
+https://sources.debian.org/patches/libid3tag/0.15.1b-14/11_unknown_encoding.dpatch/
+
+CVE: CVE-2017-11550
+Upstream-Status: Pending
+Signed-off-by: Ross Burton 
+
+diff -urNad libid3tag-0.15.1b~/compat.gperf libid3tag-0.15.1b/compat.gperf
+--- libid3tag-0.15.1b~/compat.gperf2004-01-23 09:41:32.0 +
 libid3tag-0.15.1b/compat.gperf 2007-01-14 14:36:53.0 +
+@@ -236,6 +236,10 @@
+ 
+ encoding = id3_parse_uint(&data, 1);
+ string   = id3_parse_string(&data, end - data, encoding, 0);
++if (!string)
++{
++  continue;
++}
+ 
+ if (id3_ucs4_length(string) < 4) {
+   free(string);
+diff -urNad libid3tag-0.15.1b~/parse.c libid3tag-0.15.1b/parse.c
+--- libid3tag-0.15.1b~/parse.c 2004-01-23 09:41:32.0 +
 libid3tag-0.15.1b/parse.c  2007-01-14 14:37:34.0 +
+@@ -165,6 +165,9 @@
+   case ID3_FIELD_TEXTENCODING_UTF_8:
+ ucs4 = id3_utf8_deserialize(ptr, length);
+ break;
++  default:
++  /* FIXME: Unknown encoding! Print warning? */
++  return NULL;
+   }
+ 
+   if (ucs4 && !full) {
diff --git a/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb 
b/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
index 43edd3f..0312a61 100644
--- a/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
+++ b/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
@@ -14,6 +14,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/mad/libid3tag-${PV}.tar.gz \
file://obsolete_automake_macros.patch \
file://0001-Fix-gperf-3.1-incompatibility.patch \
file://10_utf16.patch \
+   file://unknown-encoding.patch \
"
 UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/mad/files/libid3tag/";
 UPSTREAM_CHECK_REGEX = "/projects/mad/files/libid3tag/(?P.*)/$"
-- 
2.7.4



[OE-core] [warrior-next 07/54] libid3tag: CVE-2017-11551 is the same as CVE-2004-2779

2019-09-29 Thread Armin Kuster
From: Ross Burton 

(From OE-Core rev: 0663e5f8f906803685f018061d51fd6277916e50)

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.patch | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.patch 
b/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.patch
index 8d09ce7..10e0890 100644
--- a/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.patch
+++ b/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.patch
@@ -6,6 +6,7 @@ 
https://sources.debian.org/patches/libid3tag/0.15.1b-13/10_utf16.dpatch
 Upstream-Status: Pending
 
 CVE: CVE-2004-2779
+CVE: CVE-2017-11551
 
 Signed-off-by: Changqing Li 
 
-- 
2.7.4



[OE-core] [warrior-next 03/54] python: fix CVE-2019-9740

2019-09-29 Thread Armin Kuster
From: Anuj Mittal 

(From OE-Core rev: 8eddac3305b7b428565103cde88cba444e3f0dd0)

Signed-off-by: Anuj Mittal 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 .../python/python/CVE-2019-9740.patch  | 215 +
 meta/recipes-devtools/python/python_2.7.16.bb  |   1 +
 2 files changed, 216 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python/CVE-2019-9740.patch

diff --git a/meta/recipes-devtools/python/python/CVE-2019-9740.patch 
b/meta/recipes-devtools/python/python/CVE-2019-9740.patch
new file mode 100644
index 000..066ac68
--- /dev/null
+++ b/meta/recipes-devtools/python/python/CVE-2019-9740.patch
@@ -0,0 +1,215 @@
+From bb8071a4cae5ab3fe321481dd3d73662ffb26052 Mon Sep 17 00:00:00 2001
+From: Victor Stinner 
+Date: Tue, 21 May 2019 15:12:33 +0200
+Subject: [PATCH] bpo-30458: Disallow control chars in http URLs (GH-12755)
+ (GH-13154) (GH-13315)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Disallow control chars in http URLs in urllib2.urlopen.  This
+addresses a potential security problem for applications that do not
+sanity check their URLs where http request headers could be injected.
+
+Disable https related urllib tests on a build without ssl (GH-13032)
+These tests require an SSL enabled build. Skip these tests when
+python is built without SSL to fix test failures.
+
+Use httplib.InvalidURL instead of ValueError as the new error case's
+exception. (GH-13044)
+
+Backport Co-Authored-By: Miro Hrončok 
+
+(cherry picked from commit 7e200e0763f5b71c199aaf98bd5588f291585619)
+
+Notes on backport to Python 2.7:
+
+* test_urllib tests urllib.urlopen() which quotes the URL and so is
+  not vulerable to HTTP Header Injection.
+* Add tests to test_urllib2 on urllib2.urlopen().
+* Reject non-ASCII characters: range 0x80-0xff.
+
+Upstream-Status: Backport
+CVE: CVE-2019-9740
+Signed-off-by: Anuj Mittal 
+---
+ Lib/httplib.py| 16 ++
+ Lib/test/test_urllib.py   | 25 +
+ Lib/test/test_urllib2.py  | 51 ++-
+ Lib/test/test_xmlrpc.py   |  8 ++-
+ .../2019-04-10-08-53-30.bpo-30458.51E-DA.rst  |  1 +
+ 5 files changed, 99 insertions(+), 2 deletions(-)
+ create mode 100644 
Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+
+diff --git a/Lib/httplib.py b/Lib/httplib.py
+index 60a8fb4e355f..1b41c346e090 100644
+--- a/Lib/httplib.py
 b/Lib/httplib.py
+@@ -247,6 +247,16 @@
+ _is_legal_header_name = re.compile(r'\A[^:\s][^:\r\n]*\Z').match
+ _is_illegal_header_value = re.compile(r'\n(?![ \t])|\r(?![ \t\n])').search
+ 
++# These characters are not allowed within HTTP URL paths.
++#  See https://tools.ietf.org/html/rfc3986#section-3.3 and the
++#  https://tools.ietf.org/html/rfc3986#appendix-A pchar definition.
++# Prevents CVE-2019-9740.  Includes control characters such as \r\n.
++# Restrict non-ASCII characters above \x7f (0x80-0xff).
++_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f-\xff]')
++# Arguably only these _should_ allowed:
++#  _is_allowed_url_pchars_re = 
re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
++# We are more lenient for assumed real world compatibility purposes.
++
+ # We always set the Content-Length header for these methods because some
+ # servers will otherwise respond with a 411
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+@@ -927,6 +937,12 @@ def putrequest(self, method, url, skip_host=0, 
skip_accept_encoding=0):
+ self._method = method
+ if not url:
+ url = '/'
++# Prevent CVE-2019-9740.
++match = _contains_disallowed_url_pchar_re.search(url)
++if match:
++raise InvalidURL("URL can't contain control characters. %r "
++ "(found at least %r)"
++ % (url, match.group()))
+ hdr = '%s %s %s' % (method, url, self._http_vsn_str)
+ 
+ self._output(hdr)
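Review bot: The guard added to putrequest checks only `url`, yet the request line assembled right after it, `hdr = '%s %s %s' % (method, url, self._http_vsn_str)`, also interpolates `method`, which nothing in this hunk validates. Callers that build the method from external input are therefore not covered by this backport, and the limitation deserves a comment next to the check, for example `# Only url is validated here; method is written to the request line as given.` The exception text says "control characters" although `_contains_disallowed_url_pchar_re` also rejects the space and the 0x80-0xff range, so a reader of the traceback may look for the wrong character. putrequest starts and ends outside the hunk.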
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index 1ce9201c0693..d7778d4194f3 100644
+--- a/Lib/test/test_urllib.py
 b/Lib/test/test_urllib.py
+@@ -257,6 +257,31 @@ def test_url_fragment(self):
+ finally:
+ self.unfakehttp()
+ 
++def test_url_with_control_char_rejected(self):
++for char_no in range(0, 0x21) + range(0x7f, 0x100):
++char = chr(char_no)
++schemeless_url = "//localhost:/test%s/" % char
++self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++try:
++# urllib quotes the URL so there is no injection.
++resp = urllib.urlopen("http:" + schemeless_url)
++self.assertNotIn(char, resp.geturl())
++finally:
++self.unfakehttp()
++
++def test_url_with_newline_header_injection_rejected(self):
++self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ho

[OE-core] [warrior-next 05/54] glibc: CVE-2018-20796 is same as CVE-2019-9169

2019-09-29 Thread Armin Kuster
From: Anuj Mittal 

See:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141
https://www.securityfocus.com/bid/107160

(From OE-Core rev: 7e90506534ed2a70680382cf28614f02fdb98409)

Signed-off-by: Anuj Mittal 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/recipes-core/glibc/glibc/CVE-2019-9169.patch | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch 
b/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch
index bc40361..cf3744b 100644
--- a/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch
+++ b/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch
@@ -1,4 +1,5 @@
 CVE: CVE-2019-9169
+CVE: CVE-2018-20796
 Upstream-Status: Backport
 Signed-off-by: Ross Burton 
 
-- 
2.7.4



[OE-core] [warrior-next 09/54] tiff: fix CVE-2019-7663

2019-09-29 Thread Armin Kuster
From: Ross Burton 

(From OE-Core rev: d06d6910d1ec9374bb15e02809e64e81198731b6)

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 .../libtiff/tiff/CVE-2019-7663.patch   | 77 ++
 meta/recipes-multimedia/libtiff/tiff_4.0.10.bb |  3 +-
 2 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch 
b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch
new file mode 100644
index 000..f244fb2
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch
@@ -0,0 +1,77 @@
+CVE: CVE-2019-7663
+Upstream-Status: Backport
+Signed-off-by: Ross Burton 
+
+From c6fc6c1fa895024c86285c58efd6424cf8078f32 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard 
+Date: Mon, 11 Feb 2019 10:05:33 +0100
+Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow
+
+fixes bug 2833
+---
+ tools/tiffcp.c | 8 +++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 2f406e2d..f0ee2c02 100644
+--- a/tools/tiffcp.c
 b/tools/tiffcp.c
+@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+   int status = 1;
+   uint32 imagew = TIFFRasterScanlineSize(in);
+   uint32 tilew = TIFFTileRowSize(in);
+-  int iskew  = imagew - tilew*spp;
++  int iskew;
+   tsize_t tilesize = TIFFTileSize(in);
+   tdata_t tilebuf;
+   uint8* bufp = (uint8*) buf;
+@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+   uint32 row;
+   uint16 bps = 0, bytes_per_sample;
+ 
++  if (spp > (0x7fff / tilew))
++  {
++  TIFFError(TIFFFileName(in), "Error, cannot handle that much 
samples per tile row (Tile Width * Samples/Pixel)");
++  return 0;
++  }
++  iskew = imagew - tilew*spp;
+   tilebuf = _TIFFmalloc(tilesize);
+   if (tilebuf == 0)
+   return 0;
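Review bot: The overflow guard added here divides by `tilew` before anything has established that it is non-zero. `tilew` is assigned from `TIFFTileRowSize(in)` a few lines earlier, and if that call can yield 0 for a malformed or unsupported file (not visible in this hunk, so to be confirmed), the check meant to stop an integer overflow becomes a division by zero. Testing the divisor first, `if (tilew && spp > (INT_MAX / tilew))`, keeps the guard safe. The [PATCH 2/2] hunk that switches the constant to INT_MAX carries the same division and needs the same change. The function body continues outside the hunk.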
+-- 
+2.20.1
+
+
+From da6454aa80b9bb3154dfab4e8b21637de47531e0 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard 
+Date: Mon, 11 Feb 2019 21:42:03 +0100
+Subject: [PATCH 2/2] tiffcp.c: use INT_MAX
+
+---
+ tools/tiffcp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index f0ee2c02..8c81aa4f 100644
+--- a/tools/tiffcp.c
 b/tools/tiffcp.c
+@@ -41,6 +41,7 @@
+ #include 
+ #include 
+ #include 
++#include 
+ 
+ #include 
+ 
+@@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+   uint32 row;
+   uint16 bps = 0, bytes_per_sample;
+ 
+-  if (spp > (0x7fff / tilew))
++  if (spp > (INT_MAX / tilew))
+   {
+   TIFFError(TIFFFileName(in), "Error, cannot handle that much 
samples per tile row (Tile Width * Samples/Pixel)");
+   return 0;
+-- 
+2.20.1
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb 
b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
index a82d744..8e3e227 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
@@ -6,7 +6,8 @@ CVE_PRODUCT = "libtiff"
 
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://libtool2.patch \
-   file://CVE-2019-6128.patch"
+   file://CVE-2019-6128.patch \
+   file://CVE-2019-7663.patch \
"
 SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd"
 SRC_URI[sha256sum] = 
"2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4"
-- 
2.7.4



[OE-core] [warrior-next 04/54] libxslt: fix CVE-2019-13117 CVE-2019-13118

2019-09-29 Thread Armin Kuster
From: Anuj Mittal 

(From OE-Core rev: 7dc3048fec88dd62ef49ef16517b7382ab7cf2a5)

Signed-off-by: Anuj Mittal 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 .../libxslt/files/CVE-2019-13117.patch | 33 ++
 .../libxslt/files/CVE-2019-13118.patch | 76 ++
 meta/recipes-support/libxslt/libxslt_1.1.33.bb |  2 +
 3 files changed, 111 insertions(+)
 create mode 100644 meta/recipes-support/libxslt/files/CVE-2019-13117.patch
 create mode 100644 meta/recipes-support/libxslt/files/CVE-2019-13118.patch

diff --git a/meta/recipes-support/libxslt/files/CVE-2019-13117.patch 
b/meta/recipes-support/libxslt/files/CVE-2019-13117.patch
new file mode 100644
index 000..ef3f270
--- /dev/null
+++ b/meta/recipes-support/libxslt/files/CVE-2019-13117.patch
@@ -0,0 +1,33 @@
+From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer 
+Date: Sat, 27 Apr 2019 11:19:48 +0200
+Subject: [PATCH] Fix uninitialized read of xsl:number token
+
+Found by OSS-Fuzz.
+
+CVE: CVE-2019-13117
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1]
+Signed-off-by: Anuj Mittal 
+---
+ libxslt/numbers.c | 5 -
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 89e1f668..75c31eba 100644
+--- a/libxslt/numbers.c
 b/libxslt/numbers.c
+@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
+   tokens->tokens[tokens->nTokens].token = val - 1;
+   ix += len;
+   val = xmlStringCurrentChar(NULL, format+ix, &len);
+-  }
++  } else {
++tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
++tokens->tokens[tokens->nTokens].width = 1;
++}
+   } else if ( (val == (xmlChar)'A') ||
+   (val == (xmlChar)'a') ||
+   (val == (xmlChar)'I') ||
+-- 
+2.21.0
+
diff --git a/meta/recipes-support/libxslt/files/CVE-2019-13118.patch 
b/meta/recipes-support/libxslt/files/CVE-2019-13118.patch
new file mode 100644
index 000..595e6c2
--- /dev/null
+++ b/meta/recipes-support/libxslt/files/CVE-2019-13118.patch
@@ -0,0 +1,76 @@
+From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer 
+Date: Mon, 3 Jun 2019 13:14:45 +0200
+Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
+
+The character type in xsltFormatNumberConversion was too narrow and
+an invalid character/length combination could be passed to
+xsltNumberFormatDecimal, resulting in an uninitialized read.
+
+Found by OSS-Fuzz.
+
+CVE: CVE-2019-13118
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b]
+Signed-off-by: Anuj Mittal 
+
+---
+ libxslt/numbers.c | 5 +++--
+ tests/docs/bug-222.xml| 1 +
+ tests/general/bug-222.out | 2 ++
+ tests/general/bug-222.xsl | 6 ++
+ 4 files changed, 12 insertions(+), 2 deletions(-)
+ create mode 100644 tests/docs/bug-222.xml
+ create mode 100644 tests/general/bug-222.out
+ create mode 100644 tests/general/bug-222.xsl
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index f1ed8846..20b99d5a 100644
+--- a/libxslt/numbers.c
 b/libxslt/numbers.c
+@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
+ number = floor((scale * number + 0.5)) / scale;
+ if ((self->grouping != NULL) &&
+ (self->grouping[0] != 0)) {
++int gchar;
+ 
+   len = xmlStrlen(self->grouping);
+-  pchar = xsltGetUTF8Char(self->grouping, &len);
++  gchar = xsltGetUTF8Char(self->grouping, &len);
+   xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+   format_info.integer_digits,
+   format_info.group,
+-  pchar, len);
++  gchar, len);
+ } else
+   xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+   format_info.integer_digits,
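Review bot: `gchar` now receives the full return value of `xsltGetUTF8Char`, but nothing between that call and `xsltNumberFormatDecimal(..., gchar, len)` checks whether decoding failed. libxslt documents a negative return for an invalid sequence (confirm against the tree in use), and in that case the value and the updated `len` are still forwarded as the grouping character. Wrapping the grouped call in `if (gchar >= 0)` and otherwise taking the ungrouped call already present in the `else` branch would keep an undecodable separator out of the formatter. The enclosing function starts and ends outside the hunk.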
+diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
+new file mode 100644
+index ..69d62f2c
+--- /dev/null
 b/tests/docs/bug-222.xml
+@@ -0,0 +1 @@
++
+diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
+new file mode 100644
+index ..e3139698
+--- /dev/null
 b/tests/general/bug-222.out
+@@ -0,0 +1,2 @@
++
++1⠢0
+diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
+new file mode 100644
+index ..e32dc473
+--- /dev/null
 b/tests/general/bug-222.xsl
+@@ -0,0 +1,6 @@
++http://www.w3.org/1999/XSL/Transform"; 
version="1.0">
++  
++  
++
++  
++
+-- 
+2.21.0
+
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.33.bb 
b/meta/recipes-support/libxslt/libxslt_1.1.33.bb
index 42b21c7..92d3099 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.33.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.33.bb
@@ -10,

[OE-core] [warrior-next 02/54] binutils: CVE-2019-9070 is same as CVE-2019-9071

2019-09-29 Thread Armin Kuster
From: Anuj Mittal 

See:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89395

(From OE-Core rev: cef180de3684491f1ac4180ddbcc102121222181)

Signed-off-by: Anuj Mittal 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch 
b/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch
index 26f4809..f025399 100644
--- a/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch
@@ -16,6 +16,7 @@ Subject: [PATCH] Pull in patch for libiberty that fixes a 
stack exhaustion bug
reached.
 
 CVE: CVE-2019-9071
+CVE: CVE-2019-9070
 Upstream-Status: Backport
 Signed-off-by: Anuj Mittal 
 ---
-- 
2.7.4



[OE-core] [warrior-next 01/54] binutils: fix CVE-2019-12972 CVE-2019-9071

2019-09-29 Thread Armin Kuster
From: Anuj Mittal 

(From OE-Core rev: 093f0914f261a27d58ecba9c1e9d3b78a35af012)

Signed-off-by: Anuj Mittal 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/recipes-devtools/binutils/binutils-2.32.inc   |   2 +
 .../binutils/binutils/CVE-2019-12972.patch |  51 +++
 .../binutils/binutils/CVE-2019-9071.patch  | 164 +
 3 files changed, 217 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc 
b/meta/recipes-devtools/binutils/binutils-2.32.inc
index 49e6827..31c24a3 100644
--- a/meta/recipes-devtools/binutils/binutils-2.32.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
@@ -48,6 +48,8 @@ SRC_URI = "\
  file://CVE-2019-9075.patch \
  file://CVE-2019-9076.patch \
  file://CVE-2019-9077.patch \
+ file://CVE-2019-9071.patch \
+ file://CVE-2019-12972.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch 
b/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
new file mode 100644
index 000..07d1d65
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
@@ -0,0 +1,51 @@
+From 30bcc01478433a1cb05b36dc5c4beef7d2c89b5b Mon Sep 17 00:00:00 2001
+From: Alan Modra 
+Date: Fri, 21 Jun 2019 11:51:38 +0930
+Subject: [PATCH] PR24689, string table corruption
+
+The testcase in the PR had a e_shstrndx section of type SHT_GROUP.
+hdr->contents were initialized by setup_group rather than being read
+from the file, thus last byte was not zero and string dereference ran
+off the end of the buffer.
+
+   PR 24689
+   * elfcode.h (elf_object_p): Check type of e_shstrndx section.
+
+Upstream-Status: Backport
+CVE: CVE-2019-12972
+Signed-off-by: Anuj Mittal 
+---
+ bfd/ChangeLog | 5 +
+ bfd/elfcode.h | 3 ++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index 91f09e6346..e66fb40a2c 100644
+--- a/bfd/ChangeLog
 b/bfd/ChangeLog
+@@ -1,3 +1,8 @@
++2019-06-21  Alan Modra  
++
++  PR 24689
++  * elfcode.h (elf_object_p): Check type of e_shstrndx section.
++
+ 2019-02-20  Alan Modra  
+ 
+   PR 24236
+diff --git a/bfd/elfcode.h b/bfd/elfcode.h
+index ec5ea766de..a35a629087 100644
+--- a/bfd/elfcode.h
 b/bfd/elfcode.h
+@@ -755,7 +755,8 @@ elf_object_p (bfd *abfd)
+   /* A further sanity check.  */
+   if (i_ehdrp->e_shnum != 0)
+ {
+-  if (i_ehdrp->e_shstrndx >= elf_numsections (abfd))
++  if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)
++|| i_shdrp[i_ehdrp->e_shstrndx].sh_type != SHT_STRTAB)
+   {
+ /* PR 2257:
+We used to just goto got_wrong_format_error here
+-- 
+2.20.1
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch 
b/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch
new file mode 100644
index 000..26f4809
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch
@@ -0,0 +1,164 @@
+From c1202057eb9161a86af27d867703235fee7b7555 Mon Sep 17 00:00:00 2001
+From: Nick Clifton 
+Date: Wed, 10 Apr 2019 15:49:36 +0100
+Subject: [PATCH] Pull in patch for libiberty that fixes a stack exhaustion bug
+ when demangling a pathalogically constructed mangled name.
+
+   PR 89394
+   * cp-demangle.c (cplus_demangle_fill_name): Reject negative
+   lengths.
+   (d_count_templates_scopes): Replace num_templates and num_scopes
+   parameters with a struct d_print_info pointer parameter.  Adjust
+   body of the function accordingly.  Add recursion counter and check
+   that the recursion limit is not reached.
+   (d_print_init): Pass dpi parameter to d_count_templates_scopes.
+   Reset recursion counter afterwards, unless the recursion limit was
+   reached.
+
+CVE: CVE-2019-9071
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal 
+---
+ ChangeLog   | 16 ++
+ libiberty/cp-demangle.c | 48 ++---
+ 2 files changed, 42 insertions(+), 22 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index cd631a15b6..4df3aaa62c 100644
+--- a/ChangeLog
 b/ChangeLog
+@@ -1,3 +1,19 @@
++2019-04-10  Nick Clifton  
++
++  * libiberty: Sync with gcc.  Bring in:
++  2019-04-10  Nick Clifton  
++
++  PR 89394
++  * cp-demangle.c (cplus_demangle_fill_name): Reject negative
++  lengths.
++  (d_count_templates_scopes): Replace num_templates and num_scopes
++  parameters with a struct d_print_info pointer parameter.  Adjust
++  body of the function accordingly.  Add recursion counter and check
++  that the recursion limit is not reached.
++  (d_print_init): Pass dpi parameter to d_count_templates_scopes.
++  Reset recursion counter afterwards, unless the recursion limit was
++  r

[OE-core] [warrior-next 00/54] warrior-next pull request

2019-09-29 Thread Armin Kuster
This series passes the AB. 

Added to get AB to build:
useradd: Ensure do_populate_sysroot has dependency on useradd variables
useradd: Fix build architecture corruption of sstate artefacts

Picked up a few more backport requests.


The following changes since commit 952bfcc3f4b9ee5ba584da0f991f95e80654355a:

  curl: fix CVE-2019-5435 CVE-2019-5436 (2019-07-29 10:25:01 +0100)

are available in the git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/warrior-next
  
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/warrior-next

Adrian Bunk (1):
  libxcrypt: Fix the build with -Os

Anuj Mittal (14):
  binutils: fix CVE-2019-12972 CVE-2019-9071
  binutils: CVE-2019-9070 is same as CVE-2019-9071
  python: fix CVE-2019-9740
  libxslt: fix CVE-2019-13117 CVE-2019-13118
  glibc: CVE-2018-20796 is same as CVE-2019-9169
  libsdl: CVE fixes
  gstreamer1.0-vaapi: backport jpeg encode/decode fixes
  patch: fix CVE-2019-13636
  python3: fix CVE-2019-9740
  rsync: fix CVEs for included zlib
  patch: backport fixes
  binutils: fix CVE-2019-14250 CVE-2019-1
  pango: fix CVE-2019-1010238
  glib-2.0: fix CVE-2019-13012

Armin Kuster (4):
  qemu: fix CVE-2018-20815
  gcc-8.3: Security fix for CVE-2019-14250
  Curl: Security fix for CVE-2019-5482
  gcc: Security fix for CVE-2019-15847

Bartosz Golaszewski (1):
  qemu: add a patch fixing the native build on newer kernels

Bedel, Alban (3):
  rng-tools: fix very long shutdown delay with systemd
  boost: Fix build and enable context and coroutines on aarch64
  kernel-uboot: compress arm64 kernels

Bruce Ashfield (3):
  linux-yocto/4.19: update to 4.19.57 and -rt22
  linux-yocto/4.19: update to v4.19.61
  kernel-devsrc: tweak for v5.3+

Fabio Berton (1):
  mesa: Update 19.0.1 -> 19.0.8

Jason Wessel (5):
  psmisc: Fix dependency for USE_NLS=no
  glibc: Fix multilibs + usrmerge builds
  glibc-locale: Fix build error with PACKAGE_NO_GCONV = "1"
  glibc/glibc-locale: Fix do_stash_locale to work with usrmerge and
multilibs
  glibc / glibc-locale: Fix stash_locale determinism problems

Joël Esponde (1):
  package.bbclass: fix directories setuid and setgid bits

Jun Nie (1):
  kernel-fitimage: uboot-sign: fix missing signature

Martin Jansa (3):
  icecc.bbclass: catch subprocess.CalledProcessError
  meson: backport fix for builds with -Werror=return-type
  powertop: import a fix from buildroot

Nathan Rossi (1):
  binutils: Fix mips patch which changes default emulation

Naveen Saini (1):
  ghostscript: fix CVE-2019-3839

Ricardo Ribalda Delgado (1):
  dpkg: Use less as pager

Richard Purdie (3):
  package: Improve determinism
  useradd: Fix build architecture corruption of sstate artefacts
  useradd: Ensure do_populate_sysroot has dependency on useradd
variables

Robert Yang (1):
  multilib.bbclass: Reduce ALTERNATIVE_PRIORITY for extended recipes

Ross Burton (5):
  libid3tag: handle unknown encodings (CVE-2017-11550)
  libid3tag: CVE-2017-11551 is the same as CVE-2004-2779
  tiff: fix CVE-2019-6128
  tiff: fix CVE-2019-7663
  cve-check: backport rewrite from master

Sean Nyekjaer (1):
  libgpg-error: Fix build with gawk 5.x

Trevor Gamblin (1):
  patch: fix CVE-2019-13638

Will Page (1):
  uboot: fixes to uboot-extlinux-config attribute values

Zhixiong Chi (2):
  gcc: reduce the variables in symtab
  gcc: CVE-2018-12886

 meta/classes/cve-check.bbclass | 142 ++--
 meta/classes/icecc.bbclass |   6 +-
 meta/classes/kernel-uboot.bbclass  |   4 -
 meta/classes/multilib.bbclass  |  47 ++
 meta/classes/package.bbclass   |   5 +-
 meta/classes/staging.bbclass   |   2 +-
 meta/classes/uboot-extlinux-config.bbclass |  13 +-
 meta/classes/uboot-sign.bbclass|   4 +-
 meta/classes/useradd.bbclass   |   7 +-
 meta/conf/distro/include/maintainers.inc   |   1 +
 meta/lib/oe/package.py |   2 +-
 .../glib-2.0/glib-2.0/CVE-2019-13012.patch |  40 +
 meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb  |   1 +
 meta/recipes-core/glibc/glibc-locale.inc   |   6 +
 meta/recipes-core/glibc/glibc-mtrace.inc   |   3 +
 meta/recipes-core/glibc/glibc-package.inc  |  61 +-
 meta/recipes-core/glibc/glibc-scripts.inc  |   3 +
 meta/recipes-core/glibc/glibc/CVE-2019-9169.patch  |   1 +
 meta/recipes-core/glibc/glibc_2.29.bb  |   1 -
 meta/recipes-core/libxcrypt/libxcrypt.bb   |   4 +-
 meta/recipes-core/meta/cve-update-db-native.bb | 195 +
 meta/recipes-devtools/binutils/binutils-2.32.inc   |   4 +
 ...Change-default-emulation-for-mips64-linux.patch |   9 +-
 .../binutils/binutils/CVE-2019-12972.patch |  51 ++
 .../binutils/binutils/CVE-2019-14250.patch |  33 +
 .../binutils/binutils/CVE-2019-1.patch |  28 +
 .../binutils/binutils/CVE-2019-9071.patch  |

[OE-core] [PATCH v3] ltp: Fix hang of cve test cases

2019-09-29 Thread zhe.he
From: He Zhe 

Backport a patch to fix a possible hang caused by the CVE-2017-17052 test case.

CVE: CVE-2017-17052

Signed-off-by: He Zhe 
---
 ...-2017-17052-Avoid-unsafe-exits-in-threads.patch | 64 ++
 meta/recipes-extended/ltp/ltp_20190517.bb  |  1 +
 2 files changed, 65 insertions(+)
 create mode 100644 
meta/recipes-extended/ltp/ltp/0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch

diff --git 
a/meta/recipes-extended/ltp/ltp/0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch
 
b/meta/recipes-extended/ltp/ltp/0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch
new file mode 100644
index 000..cc40081
--- /dev/null
+++ 
b/meta/recipes-extended/ltp/ltp/0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch
@@ -0,0 +1,64 @@
+From e3a8502d0a4f8a44ddd02ca4b2efc097133fb9f7 Mon Sep 17 00:00:00 2001
+From: Mathias Fiedler 
+Date: Fri, 23 Aug 2019 12:46:48 +0200
+Subject: [PATCH] cve-2017-17052: Avoid unsafe exits in threads
+
+According to manpage exit(3) calling exit is not thread-safe.
+And with glibc 2.28 (and probably also with glibc >=2.27) sometimes
+child processes created in fork_thread can get stuck on process exit in
+glibc's __run_exit_handlers trying to acquire some lock which was in
+locked state while the fork was created. This can happen when exit is
+called in mmap_thread concurrently to the fork.
+While the main process will still return with PASSED some of its
+children are left behind.
+
+Comparing the source code with the original program as described in the
+commit 2b7e8665b4ff51c034c55df3cff76518d1a9ee3a of linux kernel >=4.13
+the exits in mmap_thread and fork_thread should not be necessary to
+trigger the original bug.
+
+Therefore those exit calls are removed. The mmap_thread and fork_thread
+should still exit when their corresponding main thread in do_test_fork
+calls exit_group. The remaining exit in do_test_fork will be called in
+the main thread without any concurrent thread in the same process.
+
+Signed-off-by: Mathias Fiedler 
+Acked-by: Cyril Hrubis 
+Acked-by: Jan Stancek 
+
+Upstream-Status: Backport
+[https://github.com/linux-test-project/ltp/commit/9f0b452c1af4bcb54da35711eb3fa77334a350b4]
+
+CVE: CVE-2017-17052
+
+Signed-off-by: He Zhe 
+---
+ testcases/cve/cve-2017-17052.c | 5 -
+ 1 file changed, 5 deletions(-)
+
+diff --git a/testcases/cve/cve-2017-17052.c b/testcases/cve/cve-2017-17052.c
+index d7da7e919..18cd2a6d7 100644
+--- a/testcases/cve/cve-2017-17052.c
 b/testcases/cve/cve-2017-17052.c
+@@ -58,8 +58,6 @@ static void *mmap_thread(void *arg)
+   for (;;) {
+   SAFE_MMAP(NULL, 0x100, PROT_READ,
+   MAP_POPULATE|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
+-  if (*do_exit)
+-  exit(0);
+   }
+ 
+   return arg;
+@@ -67,9 +65,6 @@ static void *mmap_thread(void *arg)
+ 
+ static void *fork_thread(void *arg)
+ {
+-  if (*do_exit)
+-  exit(0);
+-
+   usleep(rand() % 1);
+   SAFE_FORK();
+ 
+-- 
+2.17.1
+
diff --git a/meta/recipes-extended/ltp/ltp_20190517.bb 
b/meta/recipes-extended/ltp/ltp_20190517.bb
index e9a588f..4650715 100644
--- a/meta/recipes-extended/ltp/ltp_20190517.bb
+++ b/meta/recipes-extended/ltp/ltp_20190517.bb
@@ -48,6 +48,7 @@ SRC_URI = "git://github.com/linux-test-project/ltp.git \
file://0001-cve-meltdown.c-Fix-kernel-symbol-finding.patch \

file://0001-testcases-use-python3-everywhere-to-run-python-scrip.patch \

file://0001-syscall-rt_sigtimedwait01-Fix-wrong-sigset-length-fo.patch \
+   file://0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch \
"
 
 S = "${WORKDIR}/git"
-- 
2.7.4



[OE-core] ✗ patchtest: failure for ltp: Fix hang of cve test cases (rev2)

2019-09-29 Thread Patchwork
== Series Details ==

Series: ltp: Fix hang of cve test cases (rev2)
Revision: 2
URL   : https://patchwork.openembedded.org/series/20234/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Patch[v2] ltp: Fix hang of cve test cases
 Issue Missing or incorrectly formatted CVE tag in included patch 
file [test_cve_tag_format] 
  Suggested fix    Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines: 
https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe



[OE-core] [PATCH v2] ltp: Fix hang of cve test cases

2019-09-29 Thread zhe.he
From: He Zhe 

Backport a patch to fix a possible hang caused by the CVE-2017-17052 test case.

CVE: CVE-2017-17052

Signed-off-by: He Zhe 
---
 ...-2017-17052-Avoid-unsafe-exits-in-threads.patch | 62 ++
 meta/recipes-extended/ltp/ltp_20190517.bb  |  1 +
 2 files changed, 63 insertions(+)
 create mode 100644 
meta/recipes-extended/ltp/ltp/0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch

diff --git 
a/meta/recipes-extended/ltp/ltp/0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch
 
b/meta/recipes-extended/ltp/ltp/0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch
new file mode 100644
index 000..1b66238
--- /dev/null
+++ 
b/meta/recipes-extended/ltp/ltp/0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch
@@ -0,0 +1,62 @@
+From e3a8502d0a4f8a44ddd02ca4b2efc097133fb9f7 Mon Sep 17 00:00:00 2001
+From: Mathias Fiedler 
+Date: Fri, 23 Aug 2019 12:46:48 +0200
+Subject: [PATCH] cve-2017-17052: Avoid unsafe exits in threads
+
+According to manpage exit(3) calling exit is not thread-safe.
+And with glibc 2.28 (and probably also with glibc >=2.27) sometimes
+child processes created in fork_thread can get stuck on process exit in
+glibc's __run_exit_handlers trying to acquire some lock which was in
+locked state while the fork was created. This can happen when exit is
+called in mmap_thread concurrently to the fork.
+While the main process will still return with PASSED some of its
+children are left behind.
+
+Comparing the source code with the original program as described in the
+commit 2b7e8665b4ff51c034c55df3cff76518d1a9ee3a of linux kernel >=4.13
+the exits in mmap_thread and fork_thread should not be necessary to
+trigger the original bug.
+
+Therefore those exit calls are removed. The mmap_thread and fork_thread
+should still exit when their corresponding main thread in do_test_fork
+calls exit_group. The remaining exit in do_test_fork will be called in
+the main thread without any concurrent thread in the same process.
+
+Signed-off-by: Mathias Fiedler 
+Acked-by: Cyril Hrubis 
+Acked-by: Jan Stancek 
+
+Upstream-Status: Backport
+[https://github.com/linux-test-project/ltp/commit/9f0b452c1af4bcb54da35711eb3fa77334a350b4]
+
+Signed-off-by: He Zhe 
+---
+ testcases/cve/cve-2017-17052.c | 5 -
+ 1 file changed, 5 deletions(-)
+
+diff --git a/testcases/cve/cve-2017-17052.c b/testcases/cve/cve-2017-17052.c
+index d7da7e919..18cd2a6d7 100644
+--- a/testcases/cve/cve-2017-17052.c
 b/testcases/cve/cve-2017-17052.c
+@@ -58,8 +58,6 @@ static void *mmap_thread(void *arg)
+   for (;;) {
+   SAFE_MMAP(NULL, 0x100, PROT_READ,
+   MAP_POPULATE|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
+-  if (*do_exit)
+-  exit(0);
+   }
+ 
+   return arg;
+@@ -67,9 +65,6 @@ static void *mmap_thread(void *arg)
+ 
+ static void *fork_thread(void *arg)
+ {
+-  if (*do_exit)
+-  exit(0);
+-
+   usleep(rand() % 1);
+   SAFE_FORK();
+ 
+-- 
+2.17.1
+
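Review bot: The header of the added patch (the lines between `Upstream-Status: Backport` and the second `Signed-off-by`) carries no `CVE:` line, while v2 adds `CVE: CVE-2017-17052` only to the commit message, so the tag is not in the file that gets applied. Before adding it, note that this patch only removes `exit(0)` calls from the LTP reproducer and does not fix the kernel issue itself; a tool that derives patched CVEs from patch headers or file names would presumably record CVE-2017-17052 as fixed by the ltp recipe. I would add one header line making that explicit, e.g. `Fixes a hang in the LTP test for CVE-2017-17052; does not address the CVE itself.`, and decide on the tag with that in mind. Both `mmap_thread` and `fork_thread` continue outside the nested hunks, so whether `do_exit` is still read elsewhere cannot be checked from here.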
diff --git a/meta/recipes-extended/ltp/ltp_20190517.bb 
b/meta/recipes-extended/ltp/ltp_20190517.bb
index e9a588f..4650715 100644
--- a/meta/recipes-extended/ltp/ltp_20190517.bb
+++ b/meta/recipes-extended/ltp/ltp_20190517.bb
@@ -48,6 +48,7 @@ SRC_URI = "git://github.com/linux-test-project/ltp.git \
file://0001-cve-meltdown.c-Fix-kernel-symbol-finding.patch \

file://0001-testcases-use-python3-everywhere-to-run-python-scrip.patch \

file://0001-syscall-rt_sigtimedwait01-Fix-wrong-sigset-length-fo.patch \
+   file://0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch \
"
 
 S = "${WORKDIR}/git"
-- 
2.7.4



[OE-core] ✗ patchtest: failure for Update patch to fix do_patch error when PATCHTOOL = "patch".

2019-09-29 Thread Patchwork
== Series Details ==

Series: Update patch to fix do_patch error when PATCHTOOL = "patch".
Revision: 1
URL   : https://patchwork.openembedded.org/series/20241/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* PatchUpdate patch to fix do_patch error when PATCHTOOL = "patch".
 Issue Shortlog does not follow expected format 
[test_shortlog_format] 
  Suggested fixCommit shortlog (first line of commit message) should follow 
the format ": "



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines: 
https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe



[OE-core] [PATCH] Update patch to fix do_patch error when PATCHTOOL = "patch".

2019-09-29 Thread Lei Maohui
Signed-off-by: Lei Maohui 
---
 .../bluez5/bluez5/CVE-2018-10910.patch| 726 +++---
 1 file changed, 263 insertions(+), 463 deletions(-)

diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2018-10910.patch 
b/meta/recipes-connectivity/bluez5/bluez5/CVE-2018-10910.patch
index b4b1846c45..2a78077443 100644
--- a/meta/recipes-connectivity/bluez5/bluez5/CVE-2018-10910.patch
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2018-10910.patch
@@ -1,3 +1,8 @@
+From 977321f2c7f974ea68a3d90df296c66189a3f254 Mon Sep 17 00:00:00 2001
+From: Lei Maohui 
+Date: Fri, 21 Jun 2019 17:57:35 +0900
+Subject: [PATCH] CVE-2018-10910
+
 A bug in Bluez may allow for the Bluetooth Discoverable state being set to on
 when no Bluetooth agent is registered with the system. This situation could
 lead to the unauthorized pairing of certain Bluetooth devices without any
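Review bot: The regenerated header added here comes with no explanation, although the next hunk shows the embedded fix itself changing: its diffstat grows from `client/main.c | 43` to three files (`client/main.c`, `doc/adapter-api.txt`, `src/adapter.c`) with 198 insertions and 15 deletions. For a CVE patch that is a change of content, not only a format fix for `PATCHTOOL = "patch"`, and the commit message has no body saying which upstream commits were folded in. The new `From:` and `Date:` lines name the submitter and 21 Jun 2019, so the origin of the code is hard to trace; whether `Upstream-Status:` and `CVE:` tags survive in the lines between the hunks is not visible here. I would record the source in the patch header, `Upstream-Status: Backport [<upstream commit URLs>]`, and describe the added adapter and scan-filter changes in the commit body.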
@@ -21,14 +26,24 @@ DiscoverableTimeout property:
 [bluetooth]# discoverable-timeout 180
 Changing discoverable-timeout 180 succeeded
 ---
- client/main.c | 43 +++
- 1 file changed, 43 insertions(+)
+ client/main.c   |  82 +-
+ doc/adapter-api.txt |   6 +++
+ src/adapter.c   | 125 ++--
+ 3 files changed, 198 insertions(+), 15 deletions(-)
 
 diff --git a/client/main.c b/client/main.c
-index 87323d8f7..59820c6d9 100644
+index 87323d8..1a66a3a 100644
 --- a/client/main.c
 +++ b/client/main.c
-@@ -1061,6 +1061,47 @@ static void cmd_discoverable(int argc, char *argv[])
+@@ -877,6 +877,7 @@ static void cmd_show(int argc, char *argv[])
+   print_property(proxy, "Class");
+   print_property(proxy, "Powered");
+   print_property(proxy, "Discoverable");
++  print_property(proxy, "DiscoverableTimeout");
+   print_property(proxy, "Pairable");
+   print_uuids(proxy);
+   print_property(proxy, "Modalias");
+@@ -1061,6 +1062,47 @@ static void cmd_discoverable(int argc, char *argv[])
return bt_shell_noninteractive_quit(EXIT_FAILURE);
  }
  
@@ -76,7 +91,87 @@ index 87323d8f7..59820c6d9 100644
  static void cmd_agent(int argc, char *argv[])
  {
dbus_bool_t enable;
-@@ -2549,6 +2590,8 @@ static const struct bt_shell_menu main_menu = {
+@@ -1124,6 +1166,7 @@ static struct set_discovery_filter_args {
+   char **uuids;
+   size_t uuids_len;
+   dbus_bool_t duplicate;
++  dbus_bool_t discoverable;
+   bool set;
+ } filter = {
+   .rssi = DISTANCE_VAL_INVALID,
+@@ -1163,6 +1206,11 @@ static void set_discovery_filter_setup(DBusMessageIter 
*iter, void *user_data)
+   DBUS_TYPE_BOOLEAN,
+   &args->duplicate);
+ 
++  if (args->discoverable)
++  g_dbus_dict_append_entry(&dict, "Discoverable",
++  DBUS_TYPE_BOOLEAN,
++  &args->discoverable);
++
+   dbus_message_iter_close_container(iter, &dict);
+ }
+ 
+@@ -1320,6 +1368,26 @@ static void cmd_scan_filter_duplicate_data(int argc, 
char *argv[])
+   filter.set = false;
+ }
+ 
++static void cmd_scan_filter_discoverable(int argc, char *argv[])
++{
++  if (argc < 2 || !strlen(argv[1])) {
++  bt_shell_printf("Discoverable: %s\n",
++  filter.discoverable ? "on" : "off");
++  return bt_shell_noninteractive_quit(EXIT_SUCCESS);
++  }
++
++  if (!strcmp(argv[1], "on"))
++  filter.discoverable = true;
++  else if (!strcmp(argv[1], "off"))
++  filter.discoverable = false;
++  else {
++  bt_shell_printf("Invalid option: %s\n", argv[1]);
++  return bt_shell_noninteractive_quit(EXIT_FAILURE);
++  }
++
++  filter.set = false;
++}
++
+ static void filter_clear_uuids(void)
+ {
+   g_strfreev(filter.uuids);
+@@ -1348,6 +1416,11 @@ static void filter_clear_duplicate(void)
+   filter.duplicate = false;
+ }
+ 
++static void filter_clear_discoverable(void)
++{
++  filter.discoverable = false;
++}
++
+ struct clear_entry {
+   const char *name;
+   void (*clear) (void);
+@@ -1359,6 +1432,7 @@ static const struct clear_entry filter_clear[] = {
+   { "pathloss", filter_clear_pathloss },
+   { "transport", filter_clear_transport },
+   { "duplicate-data", filter_clear_duplicate },
++  { "discoverable", filter_clear_discoverable },
+   {}
+ };
+ 
+@@ -2468,7 +2542,11 @@ static const struct bt_shell_menu scan_menu = {
+   { "duplicate-data", "[on/off]", cmd_scan_filter_duplicate_data,
+   "Set/Get duplicate data filter",
+   NULL },
+-  { "clear", "[uuids/rssi/pathloss/transport/duplicate-data]",
++  { "discoverable", "[on/off]", cmd_scan_filter_discoverable,
++  "Set/Get discoverable filter",
++  

[OE-core] [thud][PATCH] json-c: Don't --enable-rdrand

2019-09-29 Thread Adrian Bunk
In recent years AMD CPUs have had various problems with RDRAND
giving either non-random data or no result at all, which is
problematic if either build or target machine has a CPU with
this problem.

The fallback is /dev/urandom, and I'd trust the kernel here.

--enable-rdrand was added in an upgrade to a new upstream
version without mentioning any reason.

[YOCTO #13534]

Signed-off-by: Adrian Bunk 
Signed-off-by: Richard Purdie 
---
 meta/recipes-devtools/json-c/json-c_0.13.1.bb | 2 --
 1 file changed, 2 deletions(-)

diff --git a/meta/recipes-devtools/json-c/json-c_0.13.1.bb 
b/meta/recipes-devtools/json-c/json-c_0.13.1.bb
index 5b10e68297..e6a38995cb 100644
--- a/meta/recipes-devtools/json-c/json-c_0.13.1.bb
+++ b/meta/recipes-devtools/json-c/json-c_0.13.1.bb
@@ -20,8 +20,6 @@ RPROVIDES_${PN} = "libjson"
 
 inherit autotools
 
-EXTRA_OECONF = "--enable-rdrand"
-
 do_configure_prepend() {
 # Clean up autoconf cruft that should not be in the tarball
 rm -f ${S}/config.status
-- 
2.17.1



[OE-core] [warrior][PATCH] json-c: Don't --enable-rdrand

2019-09-29 Thread Adrian Bunk
In recent years AMD CPUs have had various problems with RDRAND
giving either non-random data or no result at all, which is
problematic if either build or target machine has a CPU with
this problem.

The fallback is /dev/urandom, and I'd trust the kernel here.

--enable-rdrand was added in an upgrade to a new upstream
version without mentioning any reason.

[YOCTO #13534]

Signed-off-by: Adrian Bunk 
Signed-off-by: Richard Purdie 
---
 meta/recipes-devtools/json-c/json-c_0.13.1.bb | 2 --
 1 file changed, 2 deletions(-)

diff --git a/meta/recipes-devtools/json-c/json-c_0.13.1.bb 
b/meta/recipes-devtools/json-c/json-c_0.13.1.bb
index 5b10e68297..e6a38995cb 100644
--- a/meta/recipes-devtools/json-c/json-c_0.13.1.bb
+++ b/meta/recipes-devtools/json-c/json-c_0.13.1.bb
@@ -20,8 +20,6 @@ RPROVIDES_${PN} = "libjson"
 
 inherit autotools
 
-EXTRA_OECONF = "--enable-rdrand"
-
 do_configure_prepend() {
 # Clean up autoconf cruft that should not be in the tarball
 rm -f ${S}/config.status
-- 
2.17.1



[OE-core] [PATCH v2 4/5] image-uefi.conf: define generic EFI_COMPATIBLE_HOST

2019-09-29 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Signed-off-by: Dmitry Eremin-Solenikov 
---
 meta/conf/image-uefi.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/conf/image-uefi.conf b/meta/conf/image-uefi.conf
index 669c16d42af4..19729c401dfa 100644
--- a/meta/conf/image-uefi.conf
+++ b/meta/conf/image-uefi.conf
@@ -16,3 +16,5 @@ EFI_ARCH_aarch64 = "aa64"
 EFI_ARCH_arm = "arm"
 
 EFI_BOOT_IMAGE ?= "boot${EFI_ARCH}.efi"
+
+EFI_COMPATIBLE_HOST = "(x86_64.*|i.86.*|arm.*|aarch64.*)-linux.*"
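Review bot: `EFI_COMPATIBLE_HOST` is added without a comment and the commit has no body, so nothing says where the pattern is meant to be used or why these four architectures were chosen. A line such as `# Host triplets for which EFI bootloader recipes can be built` above the assignment would do, assuming recipes are meant to set `COMPATIBLE_HOST` from it. The pattern leaves the dot in `i.86` unescaped and relies on the consumer anchoring the match, which is worth stating if the variable is ever matched by anything other than `COMPATIBLE_HOST`.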
-- 
2.23.0



[OE-core] [PATCH v2 5/5] shim: add first-stage UEFI bootloader implementing MOK protocol

2019-09-29 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Signed-off-by: Dmitry Eremin-Solenikov 
---
 ...ompareMem-on-MokListNode.Type-instea.patch | 69 ++
 meta/recipes-bsp/shim/shim_git.bb | 72 +++
 2 files changed, 141 insertions(+)
 create mode 100644 
meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch
 create mode 100644 meta/recipes-bsp/shim/shim_git.bb

diff --git 
a/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch
 
b/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch
new file mode 100644
index ..12ee342e9f64
--- /dev/null
+++ 
b/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch
@@ -0,0 +1,69 @@
+From f30cd0b6330be8ea72a93bf25e43829c222ba611 Mon Sep 17 00:00:00 2001
+From: Gary Lin 
+Date: Tue, 26 Feb 2019 11:33:53 +0800
+Subject: [PATCH] MokManager: Use CompareMem on MokListNode.Type instead of
+ CompareGuid
+
+Fix the errors from gcc9 '-Werror=address-of-packed-member'
+
+https://github.com/rhboot/shim/issues/161
+
+Signed-off-by: Gary Lin 
+Upstream-Status: Submitted[https://github.com/rhboot/shim/pull/170]
+---
+ MokManager.c | 14 +-
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/MokManager.c b/MokManager.c
+index d69b4dbe..05dc1622 100644
+--- a/MokManager.c
 b/MokManager.c
+@@ -1053,7 +1053,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * 
list, INTN key_num,
+   continue;
+ 
+   DataSize += sizeof(EFI_SIGNATURE_LIST);
+-  if (CompareGuid(&(list[i].Type), &X509_GUID) == 0)
++  if (CompareMem(&(list[i].Type), &X509_GUID,
++ sizeof(EFI_GUID)) == 0)
+   DataSize += sizeof(EFI_GUID);
+   DataSize += list[i].MokSize;
+   }
+@@ -1075,7 +1076,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * 
list, INTN key_num,
+   CertList->SignatureType = list[i].Type;
+   CertList->SignatureHeaderSize = 0;
+ 
+-  if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) {
++  if (CompareMem(&(list[i].Type), &X509_GUID,
++ sizeof(EFI_GUID)) == 0) {
+   CertList->SignatureListSize = list[i].MokSize +
+   sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID);
+   CertList->SignatureSize =
+@@ -1116,7 +1118,8 @@ static void delete_cert(void *key, UINT32 key_size,
+   int i;
+ 
+   for (i = 0; i < mok_num; i++) {
+-  if (CompareGuid(&(mok[i].Type), &X509_GUID) != 0)
++  if (CompareMem(&(mok[i].Type), &X509_GUID,
++ sizeof(EFI_GUID)) != 0)
+   continue;
+ 
+   if (mok[i].MokSize == key_size &&
+@@ -1167,7 +1170,7 @@ static void delete_hash_in_list(EFI_GUID Type, UINT8 * 
hash, UINT32 hash_size,
+   sig_size = hash_size + sizeof(EFI_GUID);
+ 
+   for (i = 0; i < mok_num; i++) {
+-  if ((CompareGuid(&(mok[i].Type), &Type) != 0) ||
++  if ((CompareMem(&(mok[i].Type), &Type, sizeof(EFI_GUID)) != 0) 
||
+   (mok[i].MokSize < sig_size))
+   continue;
+ 
+@@ -1331,7 +1334,8 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN 
MokDelSize, BOOLEAN MokX)
+ 
+   /* Search and destroy */
+   for (i = 0; i < del_num; i++) {
+-  if (CompareGuid(&(del_key[i].Type), &X509_GUID) == 0) {
++  if (CompareMem(&(del_key[i].Type), &X509_GUID,
++ sizeof(EFI_GUID)) == 0) {
+   delete_cert(del_key[i].Mok, del_key[i].MokSize,
+   mok, mok_num);
+   } else if (is_sha2_hash(del_key[i].Type)) {
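Review bot: All five replaced comparisons sit on the MOK write-back and delete paths, and the patch header does not say why `CompareMem(..., sizeof(EFI_GUID))` is a drop-in replacement there. The surrounding `== 0` and `!= 0` tests imply that `CompareGuid` already returned 0 on a match, so the logic looks unchanged, but a header line stating this would help whoever rebases the patch onto a shim where the helper behaves differently. The tag `Upstream-Status: Submitted[https://github.com/rhboot/shim/pull/170]` is missing the space before the bracket and the header has no Signed-off-by from the person importing it; because the fix is only submitted upstream, it should be rechecked whenever the recipe's revision moves. `delete_keys` continues past the end of the nested hunk.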
diff --git a/meta/recipes-bsp/shim/shim_git.bb 
b/meta/recipes-bsp/shim/shim_git.bb
new file mode 100644
index ..10769ac75a0a
--- /dev/null
+++ b/meta/recipes-bsp/shim/shim_git.bb
@@ -0,0 +1,72 @@
+SUMMARY = "shim is a first stage EFI bootloader."
+DESCRIPTION = "shim is a trivial EFI application that, when run, \
+attempts to open and execute another application. It will initially \
+attempt to do this via the standard EFI LoadImage() and StartImage() \
+calls. If these fail (because secure boot is enabled and the binary \
+is not signed with an appropriate key, for instance) it will then \
+validate the binary against a built-in certificate. If this succeeds \
+and if the binary or signing key are not blacklisted then shim will \
+relocate and execute the binary."
+HOMEPAGE = "https://github.com/rhboot/shim.git";
+SECTION = "bootloaders"
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=b92e63892681ee4e8d27e7a7e87ef2bc"
+
+DEPENDS += "\
+gnu-efi \
+"
+
+PV = "15+git${SRCPV}"
+
+SRC_URI = "\
+git://github.com/rhboot/shim.git \
+file://0001-MokManager-Use

[OE-core] [PATCH v2 3/5] image-uefi.conf: define EFI_ARCH variable

2019-09-29 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Define EFI_ARCH as the suffix used by UEFI on the platform to name files.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 meta/conf/image-uefi.conf | 12 +++-
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/meta/conf/image-uefi.conf b/meta/conf/image-uefi.conf
index aaeff12ccb80..669c16d42af4 100644
--- a/meta/conf/image-uefi.conf
+++ b/meta/conf/image-uefi.conf
@@ -9,8 +9,10 @@ EFI_PREFIX ?= "/boot"
 EFI_FILES_PATH = "${EFI_PREFIX}${EFIDIR}"
 
 # Determine name of bootloader image
-EFI_BOOT_IMAGE ?= "bootINVALID.efi"
-EFI_BOOT_IMAGE_x86-64 = "bootx64.efi"
-EFI_BOOT_IMAGE_x86 = "bootia32.efi"
-EFI_BOOT_IMAGE_aarch64 = "bootaa64.efi"
-EFI_BOOT_IMAGE_arm = "bootarm.efi"
+EFI_ARCH ?= "INVALID"
+EFI_ARCH_x86-64 = "x64"
+EFI_ARCH_x86 = "ia32"
+EFI_ARCH_aarch64 = "aa64"
+EFI_ARCH_arm = "arm"
+
+EFI_BOOT_IMAGE ?= "boot${EFI_ARCH}.efi"
-- 
2.23.0



[OE-core] [PATCH v2 1/5] grub-efi: replace anonymous function with static configuration

2019-09-29 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Replace anonymous function setting GRUB_* variables with static
configuration, since grub-efi.bbclass will use fixed names for grub
bootloader.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 meta/recipes-bsp/grub/grub-efi_2.04.bb | 40 --
 1 file changed, 18 insertions(+), 22 deletions(-)

diff --git a/meta/recipes-bsp/grub/grub-efi_2.04.bb 
b/meta/recipes-bsp/grub/grub-efi_2.04.bb
index b9d6225d2774..419f25c014b9 100644
--- a/meta/recipes-bsp/grub/grub-efi_2.04.bb
+++ b/meta/recipes-bsp/grub/grub-efi_2.04.bb
@@ -13,26 +13,22 @@ SRC_URI += " \
 
 S = "${WORKDIR}/grub-${PV}"
 
-# Determine the target arch for the grub modules
+GRUB_TARGET = "UNSUPPORTED"
+GRUB_TARGET_x86-64 = "x86_64"
+GRUB_TARGET_x86 = "i386"
+GRUB_TARGET_aarch64 = "arm64"
+GRUB_TARGET_arm = "arm"
+
+GRUB_IMAGE = "grub-efi-${EFI_BOOT_IMAGE}"
+
+# install to the image as boot*.efi if its the EFI_PROVIDER,
+# otherwise install as the full name.
+# This allows multiple bootloaders to coexist in a single image.
 python __anonymous () {
-import re
-target = d.getVar('TARGET_ARCH')
-prefix = "" if d.getVar('EFI_PROVIDER') == "grub-efi" else "grub-efi-"
-if target == "x86_64":
-grubtarget = 'x86_64'
-elif re.match('i.86', target):
-grubtarget = 'i386'
-elif re.match('aarch64', target):
-grubtarget = 'arm64'
-elif re.match('arm', target):
-grubtarget = 'arm'
+if d.getVar('EFI_PROVIDER') == "grub-efi":
+d.setVar("GRUB_EFI_BOOT_IMAGE", d.getVar("EFI_BOOT_IMAGE"))
 else:
-raise bb.parse.SkipRecipe("grub-efi is incompatible with target %s" % 
target)
-grubimage = prefix + d.getVar("EFI_BOOT_IMAGE")
-d.setVar("GRUB_TARGET", grubtarget)
-d.setVar("GRUB_IMAGE", grubimage)
-prefix = "grub-efi-" if prefix == "" else ""
-d.setVar("GRUB_IMAGE_PREFIX", prefix)
+d.setVar("GRUB_EFI_BOOT_IMAGE", d.getVar("GRUB_IMAGE"))
 }
 
 inherit deploy
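Review bot: The rewritten `__anonymous` no longer raises `bb.parse.SkipRecipe` for an unsupported `TARGET_ARCH`; such a target now gets `GRUB_TARGET = "UNSUPPORTED"` and, unless something outside this hunk restricts the recipe, would only fail later when `grub-mkimage -O ${GRUB_TARGET}-efi` runs. Keeping the guard takes two lines in the same function: `if d.getVar('GRUB_TARGET') == "UNSUPPORTED":` followed by `raise bb.parse.SkipRecipe("grub-efi is incompatible with target %s" % d.getVar('TARGET_ARCH'))`. The new comment reads `if its the EFI_PROVIDER`, where `if it is the EFI_PROVIDER` is meant.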
@@ -45,7 +41,7 @@ do_mkimage() {
# Search for the grub.cfg on the local boot media by using the
# built in cfg file provided via this recipe
grub-mkimage -c ../cfg -p ${EFIDIR} -d ./grub-core/ \
-  -O ${GRUB_TARGET}-efi -o 
./${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} \
+  -O ${GRUB_TARGET}-efi -o ./${GRUB_IMAGE} \
   ${GRUB_BUILDIN}
 }
 
@@ -57,7 +53,7 @@ do_mkimage_class-native() {
 
 do_install_append_class-target() {
install -d ${D}${EFI_FILES_PATH}
-   install -m 644 ${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} 
${D}${EFI_FILES_PATH}/${GRUB_IMAGE}
+   install -m 644 ${B}/${GRUB_IMAGE} 
${D}${EFI_FILES_PATH}/${GRUB_EFI_BOOT_IMAGE}
 }
 
 do_install_class-native() {
@@ -86,7 +82,7 @@ GRUB_BUILDIN ?= "boot linux ext2 fat serial part_msdos 
part_gpt normal \
  efi_gop iso9660 configfile search loadenv test"
 
 do_deploy() {
-   install -m 644 ${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} ${DEPLOYDIR}
+   install -m 644 ${B}/${GRUB_IMAGE} ${DEPLOYDIR}
 }
 
 do_deploy_class-native() {
@@ -97,7 +93,7 @@ addtask deploy after do_install before do_build
 
 FILES_${PN} = "${libdir}/grub/${GRUB_TARGET}-efi \
${datadir}/grub \
-   ${EFI_FILES_PATH}/${GRUB_IMAGE} \
+   ${EFI_FILES_PATH}/${GRUB_EFI_BOOT_IMAGE} \
"
 
 FILES_${PN}_remove_aarch64 = "${libdir}/grub/${GRUB_TARGET}-efi"
-- 
2.23.0



[OE-core] [PATCH v2 2/5] systemd-boot: replace anonymous function with static configuration

2019-09-29 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Replace anonymous function setting GRUB_* variables with static
configuration, since systemd-boot.bbclass will use fixed names for
systemd bootloader.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 meta/recipes-core/systemd/systemd-boot_243.bb | 19 +--
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/meta/recipes-core/systemd/systemd-boot_243.bb 
b/meta/recipes-core/systemd/systemd-boot_243.bb
index 515abc289bef..832532077d07 100644
--- a/meta/recipes-core/systemd/systemd-boot_243.bb
+++ b/meta/recipes-core/systemd/systemd-boot_243.bb
@@ -28,20 +28,19 @@ EXTRA_OEMESON += "-Defi=true \
   -Defi-objcopy='${OBJCOPY}' \
   "
 
+SYSTEMD_BOOT_IMAGE = "systemd-${EFI_BOOT_IMAGE}"
+
 # install to the image as boot*.efi if its the EFI_PROVIDER,
 # otherwise install as the full name.
 # This allows multiple bootloaders to coexist in a single image.
 python __anonymous () {
-import re
-target = d.getVar('TARGET_ARCH')
-prefix = "" if d.getVar('EFI_PROVIDER') == "systemd-boot" else "systemd-"
-systemdimage = prefix + d.getVar("EFI_BOOT_IMAGE")
-d.setVar("SYSTEMD_BOOT_IMAGE", systemdimage)
-prefix = "systemd-" if prefix == "" else ""
-d.setVar("SYSTEMD_BOOT_IMAGE_PREFIX", prefix)
+if d.getVar('EFI_PROVIDER') == "grub-efi":
+d.setVar("SYSTEMD_BOOT_EFI_BOOT_IMAGE", d.getVar("EFI_BOOT_IMAGE"))
+else:
+d.setVar("SYSTEMD_BOOT_EFI_BOOT_IMAGE", d.getVar("SYSTEMD_BOOT_IMAGE"))
 }
 
-FILES_${PN} = "${EFI_FILES_PATH}/${SYSTEMD_BOOT_IMAGE}"
+FILES_${PN} = "${EFI_FILES_PATH}/${SYSTEMD_BOOT_EFI_BOOT_IMAGE}"
 
 RDEPENDS_${PN} += "virtual/systemd-bootconf"
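Review bot: The new `__anonymous` compares `EFI_PROVIDER` with `"grub-efi"`, while the code it replaces compared with `"systemd-boot"`; this looks copied from the grub-efi recipe. As written, systemd-boot would be installed under the default `${EFI_BOOT_IMAGE}` name exactly when grub-efi is the provider, and under `systemd-${EFI_BOOT_IMAGE}` when systemd-boot itself is the provider, which is the opposite of what the comment above the function describes. The condition should read `if d.getVar('EFI_PROVIDER') == "systemd-boot":`. `FILES_${PN}` in this hunk and `do_install` in the next one both take their path from the resulting `SYSTEMD_BOOT_EFI_BOOT_IMAGE`.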
 
@@ -56,12 +55,12 @@ do_compile() {
SYSTEMD_BOOT_EFI_ARCH="x64"
fi
 
-   ninja src/boot/efi/${SYSTEMD_BOOT_IMAGE_PREFIX}${SYSTEMD_BOOT_IMAGE}
+   ninja src/boot/efi/${SYSTEMD_BOOT_IMAGE}
 }
 
 do_install() {
install -d ${D}${EFI_FILES_PATH}
-   install ${B}/src/boot/efi/systemd-boot*.efi 
${D}${EFI_FILES_PATH}/${SYSTEMD_BOOT_IMAGE}
+   install ${B}/src/boot/efi/systemd-boot*.efi 
${D}${EFI_FILES_PATH}/${SYSTEMD_BOOT_EFI_BOOT_IMAGE}
 }
 
 do_deploy () {
-- 
2.23.0



[OE-core] [PATCH] llvm: Update to 9.0.0

2019-09-29 Thread Khem Raj
libOptRemarks has been renamed as libRemarks
RISC-V backend is now supported

Signed-off-by: Khem Raj 
---
 meta/conf/distro/include/tcmode-default.inc   |  2 +-
 ...ryInfo-Undefine-libc-functions-if-th.patch |  9 ++--
 ...-llvm-allow-env-override-of-exe-path.patch |  8 ++-
 meta/recipes-devtools/llvm/llvm_git.bb| 23 ++-
 4 files changed, 17 insertions(+), 25 deletions(-)

diff --git a/meta/conf/distro/include/tcmode-default.inc 
b/meta/conf/distro/include/tcmode-default.inc
index d8f434609b..4a23c50631 100644
--- a/meta/conf/distro/include/tcmode-default.inc
+++ b/meta/conf/distro/include/tcmode-default.inc
@@ -26,7 +26,7 @@ QEMUVERSION ?= "4.1%"
 GOVERSION ?= "1.12%"
 # This can not use wildcards like 8.0.% since it is also used in mesa to denote
 # llvm version being used, so always bump it with llvm recipe version bump
-LLVMVERSION ?= "8.0.1"
+LLVMVERSION ?= "9.0.0"
 
 PREFERRED_VERSION_gcc ?= "${GCCVERSION}"
 PREFERRED_VERSION_gcc-cross-${TARGET_ARCH} ?= "${GCCVERSION}"
diff --git 
a/meta/recipes-devtools/llvm/llvm/0006-llvm-TargetLibraryInfo-Undefine-libc-functions-if-th.patch
 
b/meta/recipes-devtools/llvm/llvm/0006-llvm-TargetLibraryInfo-Undefine-libc-functions-if-th.patch
index 789c308863..d75c94e9e9 100644
--- 
a/meta/recipes-devtools/llvm/llvm/0006-llvm-TargetLibraryInfo-Undefine-libc-functions-if-th.patch
+++ 
b/meta/recipes-devtools/llvm/llvm/0006-llvm-TargetLibraryInfo-Undefine-libc-functions-if-th.patch
@@ -1,13 +1,11 @@
-From 4c08879d2dfbe7face4e679ac8499dc7bff2dd20 Mon Sep 17 00:00:00 2001
+From dbeecdb307be8b783b42cbc89dcb9c5e7f528989 Mon Sep 17 00:00:00 2001
 From: Khem Raj 
 Date: Sat, 21 May 2016 00:33:20 +
-Subject: [PATCH 06/19] llvm: TargetLibraryInfo: Undefine libc functions if
- they are macros
+Subject: [PATCH] llvm: TargetLibraryInfo: Undefine libc functions if they are 
macros
 
 musl defines some functions as macros and not inline functions
 if this is the case then make sure to undefine them
 
-Upstream-Status: Pending
 Signed-off-by: Khem Raj 
 ---
  .../llvm/Analysis/TargetLibraryInfo.def   | 21 +++
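Review bot: Refreshing this patch drops `Upstream-Status: Pending` from its header without a replacement, and the same line is removed from `0007-llvm-allow-env-override-of-exe-path.patch` further down. The commit message only mentions the library rename and the RISC-V backend, so it is unclear whether the status changed or the tag was lost when the patches were regenerated. If both patches are still local-only, keep `Upstream-Status: Pending` above the `Signed-off-by` line in each header so the provenance of carried patches stays tracked.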
@@ -87,6 +85,3 @@ index afed404f04c..876888656f2 100644
  TLI_DEFINE_ENUM_INTERNAL(tmpfile64)
  TLI_DEFINE_STRING_INTERNAL("tmpfile64")
  /// int toascii(int c);
--- 
-2.22.0
-
diff --git 
a/meta/recipes-devtools/llvm/llvm/0007-llvm-allow-env-override-of-exe-path.patch
 
b/meta/recipes-devtools/llvm/llvm/0007-llvm-allow-env-override-of-exe-path.patch
index f47080c9fd..58dce513c2 100644
--- 
a/meta/recipes-devtools/llvm/llvm/0007-llvm-allow-env-override-of-exe-path.patch
+++ 
b/meta/recipes-devtools/llvm/llvm/0007-llvm-allow-env-override-of-exe-path.patch
@@ -1,14 +1,13 @@
-From b66d6f39a374b8df41e7235351e5dee2e81f440c Mon Sep 17 00:00:00 2001
+From 61b00e1e051e367f5483d7b5253b6c85a9e8a90f Mon Sep 17 00:00:00 2001
 From: Martin Kelly 
 Date: Fri, 19 May 2017 00:22:57 -0700
-Subject: [PATCH 07/19] llvm: allow env override of exe path
+Subject: [PATCH] llvm: allow env override of exe path
 
 When using a native llvm-config from inside a sysroot, we need llvm-config to
 return the libraries, include directories, etc. from inside the sysroot rather
 than from the native sysroot. Thus provide an env override for calling
 llvm-config from a target sysroot.
 
-Upstream-Status: Pending
 Signed-off-by: Martin Kelly 
 Signed-off-by: Khem Raj 
 ---
@@ -33,6 +32,3 @@ index 7ef7c46a262..a4f7ed82c7b 100644
// This just needs to be some symbol in the binary; C++ doesn't
// allow taking the address of ::main however.
void *P = (void *)(intptr_t)GetExecutablePath;
--- 
-2.22.0
-
diff --git a/meta/recipes-devtools/llvm/llvm_git.bb 
b/meta/recipes-devtools/llvm/llvm_git.bb
index 08b19a33e3..aba8e4e829 100644
--- a/meta/recipes-devtools/llvm/llvm_git.bb
+++ b/meta/recipes-devtools/llvm/llvm_git.bb
@@ -3,10 +3,10 @@
 
 DESCRIPTION = "The LLVM Compiler Infrastructure"
 HOMEPAGE = "http://llvm.org";
-LICENSE = "NCSA"
+LICENSE = "Apache-2.0-with-LLVM-exception"
 SECTION = "devel"
 
-LIC_FILES_CHKSUM = "file://LICENSE.TXT;md5=c6b766a4e85dd28301eeed54a6684648"
+LIC_FILES_CHKSUM = "file://LICENSE.TXT;md5=8a15a0759ef07f2682d2ba4b893c9afe"
 
 DEPENDS = "libffi libxml2 zlib libedit ninja-native llvm-native"
 
@@ -16,17 +16,17 @@ inherit cmake pkgconfig
 
 PROVIDES += "llvm${PV}"
 
+MAJOR_VERSION = "9"
+MINOR_VERSION = "0"
+PATCH_VERSION = "0"
+
+PV = "${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION}"
+
 LLVM_RELEASE = "${PV}"
 LLVM_DIR = "llvm${LLVM_RELEASE}"
 
-SRCREV = "19a71f6bdf2dddb10764939e7f0ec2b98dba76c9"
-
 BRANCH = "release/${MAJOR_VERSION}.x"
-MAJOR_VERSION = "8"
-MINOR_VERSION = "0"
-PATCH_VERSION = "1"
-SOLIBVER = "1"
-PV = "${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION}"
+SRCREV = "0399d5a9682b3cef71c653373e38890c63c4c365"
 SRC_URI = "git://github.com/llvm/llvm-project.git;branch=${BRANCH} \

file://0006-llvm-TargetLibraryInfo-Undefine-libc-functions-if-th.patch;striplevel=2
 \
file://0007-llvm-allo

[OE-core] ✗ patchtest: failure for ltp: Fix hang of cve test cases

2019-09-29 Thread Patchwork
== Series Details ==

Series: ltp: Fix hang of cve test cases
Revision: 1
URL   : https://patchwork.openembedded.org/series/20234/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Patchltp: Fix hang of cve test cases
 Issue Missing or incorrectly formatted CVE tag in included patch 
file [test_cve_tag_format] 
  Suggested fixCorrect or include the CVE tag on cve patch with format: 
"CVE: CVE--"



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines: 
https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe



[OE-core] [PATCH] ltp: Fix hang of cve test cases

2019-09-29 Thread zhe.he
From: He Zhe 

Backport a patch to fix a possible hang caused by the case of cve-2017-17052.

Signed-off-by: He Zhe 
---
 ...-2017-17052-Avoid-unsafe-exits-in-threads.patch | 62 ++
 meta/recipes-extended/ltp/ltp_20190517.bb  |  1 +
 2 files changed, 63 insertions(+)
 create mode 100644 
meta/recipes-extended/ltp/ltp/0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch

diff --git 
a/meta/recipes-extended/ltp/ltp/0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch
 
b/meta/recipes-extended/ltp/ltp/0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch
new file mode 100644
index 000..1b66238
--- /dev/null
+++ 
b/meta/recipes-extended/ltp/ltp/0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch
@@ -0,0 +1,62 @@
+From e3a8502d0a4f8a44ddd02ca4b2efc097133fb9f7 Mon Sep 17 00:00:00 2001
+From: Mathias Fiedler 
+Date: Fri, 23 Aug 2019 12:46:48 +0200
+Subject: [PATCH] cve-2017-17052: Avoid unsafe exits in threads
+
+According to manpage exit(3) calling exit is not thread-safe.
+And with glibc 2.28 (and probably also with glibc >=2.27) sometimes
+child processes created in fork_thread can get stuck on process exit in
+glibc's __run_exit_handlers trying to acquire some lock which was in
+locked state while the fork was created. This can happen when exit is
+called in mmap_thread concurrently to the fork.
+While the main process will still return with PASSED some of its
+children are left behind.
+
+Comparing the source code with the original program as described in the
+commit 2b7e8665b4ff51c034c55df3cff76518d1a9ee3a of linux kernel >=4.13
+the exits in mmap_thread and fork_thread should not be necessary to
+trigger the original bug.
+
+Therefore those exit calls are removed. The mmap_thread and fork_thread
+should still exit when their corresponding main thread in do_test_fork
+calls exit_group. The remaining exit in do_test_fork will be called in
+the main thread without any concurrent thread in the same process.
+
+Signed-off-by: Mathias Fiedler 
+Acked-by: Cyril Hrubis 
+Acked-by: Jan Stancek 
+
+Upstream-Status: Backport
+[https://github.com/linux-test-project/ltp/commit/9f0b452c1af4bcb54da35711eb3fa77334a350b4]
+
+Signed-off-by: He Zhe 
+---
+ testcases/cve/cve-2017-17052.c | 5 -
+ 1 file changed, 5 deletions(-)
+
+diff --git a/testcases/cve/cve-2017-17052.c b/testcases/cve/cve-2017-17052.c
+index d7da7e919..18cd2a6d7 100644
+--- a/testcases/cve/cve-2017-17052.c
 b/testcases/cve/cve-2017-17052.c
+@@ -58,8 +58,6 @@ static void *mmap_thread(void *arg)
+   for (;;) {
+   SAFE_MMAP(NULL, 0x100, PROT_READ,
+   MAP_POPULATE|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
+-  if (*do_exit)
+-  exit(0);
+   }
+ 
+   return arg;
+@@ -67,9 +65,6 @@ static void *mmap_thread(void *arg)
+ 
+ static void *fork_thread(void *arg)
+ {
+-  if (*do_exit)
+-  exit(0);
+-
+   usleep(rand() % 1);
+   SAFE_FORK();
+ 
+-- 
+2.17.1
+
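Review bot: The added file is named `0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch`, but its body only removes `exit(0)` calls from the LTP test program for that CVE; it does not fix the vulnerability, and nothing in the header states this in a form tooling can read. Checks that classify patches by a CVE id in the file name (inferred; no such scanner is shown here) could record CVE-2017-17052 as patched by this recipe. I would rename the file to something like `0001-testcases-cve-Avoid-unsafe-exits-in-threads.patch` and add a header line such as `This changes the test case only; it is not a fix for the CVE.` next to `Upstream-Status: Backport`. The `From e3a8502d...` id in the header also differs from the upstream commit in the Upstream-Status URL, so the URL is the reference to verify against.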
diff --git a/meta/recipes-extended/ltp/ltp_20190517.bb 
b/meta/recipes-extended/ltp/ltp_20190517.bb
index e9a588f..4650715 100644
--- a/meta/recipes-extended/ltp/ltp_20190517.bb
+++ b/meta/recipes-extended/ltp/ltp_20190517.bb
@@ -48,6 +48,7 @@ SRC_URI = "git://github.com/linux-test-project/ltp.git \
file://0001-cve-meltdown.c-Fix-kernel-symbol-finding.patch \

file://0001-testcases-use-python3-everywhere-to-run-python-scrip.patch \

file://0001-syscall-rt_sigtimedwait01-Fix-wrong-sigset-length-fo.patch \
+   file://0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch \
"
 
 S = "${WORKDIR}/git"
-- 
2.7.4



Re: [OE-core] [oe-core][PATCH 1/1] bash-completion: add image feature

2019-09-29 Thread Adrian Bunk
On Fri, Sep 27, 2019 at 11:16:51AM -0700, Joe Slater wrote:
> Create bc-pkgs image feature to load *-bash-completion packages
> into an image.  The packages are created by the bash-completion
> bbclass but are currently never referenced.
>...
> +COMPLEMENTARY_GLOB[bc-pkgs] = '*-bash-completion'
>...

What about naming it bash-completion-pkgs?

This is not related to meta/recipes-extended/bc,
and descriptive names are easier to understand.

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed



[OE-core] ✗ patchtest: failure for "grub-efi: replace anonymous fu..." and 4 more

2019-09-29 Thread Patchwork
== Series Details ==

Series: "grub-efi: replace anonymous fu..." and 4 more
Revision: 1
URL   : https://patchwork.openembedded.org/series/20233/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue: Added patch file is missing Upstream-Status in the header [test_upstream_status_presence_format]
  Suggested fix: Add Upstream-Status: <Valid status> to the header of meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch
  Standard format: Upstream-Status: <Valid status>
  Valid status: Pending, Accepted, Backport, Denied, Inappropriate [reason], Submitted [where]



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines: 
https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe



[OE-core] [PATCH 3/5] image-uefi.conf: define EFI_ARCH variable

2019-09-29 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Define EFI_ARCH as the architecture suffix that UEFI uses in file names on the platform.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 meta/conf/image-uefi.conf | 12 +++-
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/meta/conf/image-uefi.conf b/meta/conf/image-uefi.conf
index aaeff12ccb80..669c16d42af4 100644
--- a/meta/conf/image-uefi.conf
+++ b/meta/conf/image-uefi.conf
@@ -9,8 +9,10 @@ EFI_PREFIX ?= "/boot"
 EFI_FILES_PATH = "${EFI_PREFIX}${EFIDIR}"
 
 # Determine name of bootloader image
-EFI_BOOT_IMAGE ?= "bootINVALID.efi"
-EFI_BOOT_IMAGE_x86-64 = "bootx64.efi"
-EFI_BOOT_IMAGE_x86 = "bootia32.efi"
-EFI_BOOT_IMAGE_aarch64 = "bootaa64.efi"
-EFI_BOOT_IMAGE_arm = "bootarm.efi"
+EFI_ARCH ?= "INVALID"
+EFI_ARCH_x86-64 = "x64"
+EFI_ARCH_x86 = "ia32"
+EFI_ARCH_aarch64 = "aa64"
+EFI_ARCH_arm = "arm"
+
+EFI_BOOT_IMAGE ?= "boot${EFI_ARCH}.efi"
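Review bot: `EFI_ARCH ?= "INVALID"` keeps the old silent fallback, so an architecture without an override still produces `bootINVALID.efi`, and any other consumer of `EFI_ARCH` now inherits the `INVALID` suffix as well; nothing in this hunk rejects that value. Whether a consumer checks for it is not visible here. The existing comment `# Determine name of bootloader image` now heads the EFI_ARCH block, so I would add `# UEFI architecture suffix used in boot file names (boot${EFI_ARCH}.efi)` above `EFI_ARCH` and move the original comment down to the `EFI_BOOT_IMAGE` line.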
-- 
2.23.0



[OE-core] [PATCH 4/5] image-uefi.conf: define generic EFI_COMPATIBLE_HOST

2019-09-29 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Signed-off-by: Dmitry Eremin-Solenikov 
---
 meta/conf/image-uefi.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/conf/image-uefi.conf b/meta/conf/image-uefi.conf
index 669c16d42af4..19729c401dfa 100644
--- a/meta/conf/image-uefi.conf
+++ b/meta/conf/image-uefi.conf
@@ -16,3 +16,5 @@ EFI_ARCH_aarch64 = "aa64"
 EFI_ARCH_arm = "arm"
 
 EFI_BOOT_IMAGE ?= "boot${EFI_ARCH}.efi"
+
+EFI_COMPATIBLE_HOST = "(x86_64.*|i.86.*|arm.*|aarch64.*)-linux.*"
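Review bot: `EFI_COMPATIBLE_HOST` is added with neither a comment nor a commit description, so its intended use is not stated; presumably recipes are meant to set `COMPATIBLE_HOST = "${EFI_COMPATIBLE_HOST}"`, and a line such as `# Hosts for which an EFI_ARCH value is defined above` would record that. The `arm.*` alternative is broader than the `EFI_ARCH_arm` override it pairs with: it would also match a big-endian `armeb` host name, and whether such a host gets a valid `EFI_ARCH` depends on overrides not shown here. It is also a hard `=` while `EFI_BOOT_IMAGE` just above uses `?=`, which makes it harder for a distro or machine configuration to narrow the list.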
-- 
2.23.0



[OE-core] [PATCH 2/5] systemd-boot: replace anonymous function with static configuration

2019-09-29 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Replace anonymous function setting GRUB_* variables with static
configuration, since systemd-boot.bbclass will use fixed names for
systemd bootloader.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 meta/recipes-core/systemd/systemd-boot_243.bb | 19 +--
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/meta/recipes-core/systemd/systemd-boot_243.bb 
b/meta/recipes-core/systemd/systemd-boot_243.bb
index 515abc289bef..832532077d07 100644
--- a/meta/recipes-core/systemd/systemd-boot_243.bb
+++ b/meta/recipes-core/systemd/systemd-boot_243.bb
@@ -28,20 +28,19 @@ EXTRA_OEMESON += "-Defi=true \
   -Defi-objcopy='${OBJCOPY}' \
   "
 
+SYSTEMD_BOOT_IMAGE = "systemd-${EFI_BOOT_IMAGE}"
+
 # install to the image as boot*.efi if its the EFI_PROVIDER,
 # otherwise install as the full name.
 # This allows multiple bootloaders to coexist in a single image.
 python __anonymous () {
-import re
-target = d.getVar('TARGET_ARCH')
-prefix = "" if d.getVar('EFI_PROVIDER') == "systemd-boot" else "systemd-"
-systemdimage = prefix + d.getVar("EFI_BOOT_IMAGE")
-d.setVar("SYSTEMD_BOOT_IMAGE", systemdimage)
-prefix = "systemd-" if prefix == "" else ""
-d.setVar("SYSTEMD_BOOT_IMAGE_PREFIX", prefix)
+if d.getVar('EFI_PROVIDER') == "grub-efi":
+d.setVar("SYSTEMD_BOOT_EFI_BOOT_IMAGE", d.getVar("EFI_BOOT_IMAGE"))
+else:
+d.setVar("SYSTEMD_BOOT_EFI_BOOT_IMAGE", d.getVar("SYSTEMD_BOOT_IMAGE"))
 }
 
-FILES_${PN} = "${EFI_FILES_PATH}/${SYSTEMD_BOOT_IMAGE}"
+FILES_${PN} = "${EFI_FILES_PATH}/${SYSTEMD_BOOT_EFI_BOOT_IMAGE}"
 
 RDEPENDS_${PN} += "virtual/systemd-bootconf"
 
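Review bot: The new anonymous function tests `d.getVar('EFI_PROVIDER') == "grub-efi"`, which looks copied from the grub-efi recipe; the removed code compared against `"systemd-boot"`. As written, systemd-boot is installed under the plain `${EFI_BOOT_IMAGE}` name exactly when grub-efi is the provider and keeps the `systemd-` prefix when it is the provider itself, the reverse of what the comment above the function says. With grub-efi as provider both recipes would then claim the same `boot*.efi` path in `${EFI_FILES_PATH}`. The condition should be `if d.getVar('EFI_PROVIDER') == "systemd-boot":`.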
@@ -56,12 +55,12 @@ do_compile() {
SYSTEMD_BOOT_EFI_ARCH="x64"
fi
 
-   ninja src/boot/efi/${SYSTEMD_BOOT_IMAGE_PREFIX}${SYSTEMD_BOOT_IMAGE}
+   ninja src/boot/efi/${SYSTEMD_BOOT_IMAGE}
 }
 
 do_install() {
install -d ${D}${EFI_FILES_PATH}
-   install ${B}/src/boot/efi/systemd-boot*.efi 
${D}${EFI_FILES_PATH}/${SYSTEMD_BOOT_IMAGE}
+   install ${B}/src/boot/efi/systemd-boot*.efi 
${D}${EFI_FILES_PATH}/${SYSTEMD_BOOT_EFI_BOOT_IMAGE}
 }
 
 do_deploy () {
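Review bot: In do_install the source is still the glob `systemd-boot*.efi` while the destination is a single file name, so if the build directory ever holds more than one match the `install` call fails. This patch makes `SYSTEMD_BOOT_IMAGE` the fixed build output name that `ninja` is asked for in do_compile, so the install can name it directly: `install ${B}/src/boot/efi/${SYSTEMD_BOOT_IMAGE} ${D}${EFI_FILES_PATH}/${SYSTEMD_BOOT_EFI_BOOT_IMAGE}`. do_deploy begins on the last line of the hunk and its body is not shown, so any use of the removed `SYSTEMD_BOOT_IMAGE_PREFIX` there could not be checked.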
-- 
2.23.0



[OE-core] [PATCH 5/5] shim: add first-stage UEFI bootloader implementing MOK protocol

2019-09-29 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Signed-off-by: Dmitry Eremin-Solenikov 
---
 ...ompareMem-on-MokListNode.Type-instea.patch | 68 ++
 meta/recipes-bsp/shim/shim_git.bb | 72 +++
 2 files changed, 140 insertions(+)
 create mode 100644 
meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch
 create mode 100644 meta/recipes-bsp/shim/shim_git.bb

diff --git 
a/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch
 
b/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch
new file mode 100644
index ..cee7713ca82b
--- /dev/null
+++ 
b/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch
@@ -0,0 +1,68 @@
+From f30cd0b6330be8ea72a93bf25e43829c222ba611 Mon Sep 17 00:00:00 2001
+From: Gary Lin 
+Date: Tue, 26 Feb 2019 11:33:53 +0800
+Subject: [PATCH] MokManager: Use CompareMem on MokListNode.Type instead of
+ CompareGuid
+
+Fix the errors from gcc9 '-Werror=address-of-packed-member'
+
+https://github.com/rhboot/shim/issues/161
+
+Signed-off-by: Gary Lin 
+---
+ MokManager.c | 14 +-
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/MokManager.c b/MokManager.c
+index d69b4dbe..05dc1622 100644
+--- a/MokManager.c
 b/MokManager.c
+@@ -1053,7 +1053,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * 
list, INTN key_num,
+   continue;
+ 
+   DataSize += sizeof(EFI_SIGNATURE_LIST);
+-  if (CompareGuid(&(list[i].Type), &X509_GUID) == 0)
++  if (CompareMem(&(list[i].Type), &X509_GUID,
++ sizeof(EFI_GUID)) == 0)
+   DataSize += sizeof(EFI_GUID);
+   DataSize += list[i].MokSize;
+   }
+@@ -1075,7 +1076,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * 
list, INTN key_num,
+   CertList->SignatureType = list[i].Type;
+   CertList->SignatureHeaderSize = 0;
+ 
+-  if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) {
++  if (CompareMem(&(list[i].Type), &X509_GUID,
++ sizeof(EFI_GUID)) == 0) {
+   CertList->SignatureListSize = list[i].MokSize +
+   sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID);
+   CertList->SignatureSize =
+@@ -1116,7 +1118,8 @@ static void delete_cert(void *key, UINT32 key_size,
+   int i;
+ 
+   for (i = 0; i < mok_num; i++) {
+-  if (CompareGuid(&(mok[i].Type), &X509_GUID) != 0)
++  if (CompareMem(&(mok[i].Type), &X509_GUID,
++ sizeof(EFI_GUID)) != 0)
+   continue;
+ 
+   if (mok[i].MokSize == key_size &&
+@@ -1167,7 +1170,7 @@ static void delete_hash_in_list(EFI_GUID Type, UINT8 * 
hash, UINT32 hash_size,
+   sig_size = hash_size + sizeof(EFI_GUID);
+ 
+   for (i = 0; i < mok_num; i++) {
+-  if ((CompareGuid(&(mok[i].Type), &Type) != 0) ||
++  if ((CompareMem(&(mok[i].Type), &Type, sizeof(EFI_GUID)) != 0) 
||
+   (mok[i].MokSize < sig_size))
+   continue;
+ 
+@@ -1331,7 +1334,8 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN 
MokDelSize, BOOLEAN MokX)
+ 
+   /* Search and destroy */
+   for (i = 0; i < del_num; i++) {
+-  if (CompareGuid(&(del_key[i].Type), &X509_GUID) == 0) {
++  if (CompareMem(&(del_key[i].Type), &X509_GUID,
++ sizeof(EFI_GUID)) == 0) {
+   delete_cert(del_key[i].Mok, del_key[i].MokSize,
+   mok, mok_num);
+   } else if (is_sha2_hash(del_key[i].Type)) {
diff --git a/meta/recipes-bsp/shim/shim_git.bb 
b/meta/recipes-bsp/shim/shim_git.bb
new file mode 100644
index ..10769ac75a0a
--- /dev/null
+++ b/meta/recipes-bsp/shim/shim_git.bb
@@ -0,0 +1,72 @@
+SUMMARY = "shim is a first stage EFI bootloader."
+DESCRIPTION = "shim is a trivial EFI application that, when run, \
+attempts to open and execute another application. It will initially \
+attempt to do this via the standard EFI LoadImage() and StartImage() \
+calls. If these fail (because secure boot is enabled and the binary \
+is not signed with an appropriate key, for instance) it will then \
+validate the binary against a built-in certificate. If this succeeds \
+and if the binary or signing key are not blacklisted then shim will \
+relocate and execute the binary."
+HOMEPAGE = "https://github.com/rhboot/shim.git";
+SECTION = "bootloaders"
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=b92e63892681ee4e8d27e7a7e87ef2bc"
+
+DEPENDS += "\
+gnu-efi \
+"
+
+PV = "15+git${SRCPV}"
+
+SRC_URI = "\
+git://github.com/rhboot/shim.git \
+file://0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch \
+"
+
+SRCREV = "a4a1fb

[OE-core] [PATCH 1/5] grub-efi: replace anonymous function with static configuration

2019-09-29 Thread dbaryshkov
From: Dmitry Eremin-Solenikov 

Replace anonymous function setting GRUB_* variables with static
configuration, since grub-efi.bbclass will use fixed names for grub
bootloader.

Signed-off-by: Dmitry Eremin-Solenikov 
---
 meta/recipes-bsp/grub/grub-efi_2.04.bb | 40 --
 1 file changed, 18 insertions(+), 22 deletions(-)

diff --git a/meta/recipes-bsp/grub/grub-efi_2.04.bb 
b/meta/recipes-bsp/grub/grub-efi_2.04.bb
index b9d6225d2774..419f25c014b9 100644
--- a/meta/recipes-bsp/grub/grub-efi_2.04.bb
+++ b/meta/recipes-bsp/grub/grub-efi_2.04.bb
@@ -13,26 +13,22 @@ SRC_URI += " \
 
 S = "${WORKDIR}/grub-${PV}"
 
-# Determine the target arch for the grub modules
+GRUB_TARGET = "UNSUPPORTED"
+GRUB_TARGET_x86-64 = "x86_64"
+GRUB_TARGET_x86 = "i386"
+GRUB_TARGET_aarch64 = "arm64"
+GRUB_TARGET_arm = "arm"
+
+GRUB_IMAGE = "grub-efi-${EFI_BOOT_IMAGE}"
+
+# install to the image as boot*.efi if its the EFI_PROVIDER,
+# otherwise install as the full name.
+# This allows multiple bootloaders to coexist in a single image.
 python __anonymous () {
-import re
-target = d.getVar('TARGET_ARCH')
-prefix = "" if d.getVar('EFI_PROVIDER') == "grub-efi" else "grub-efi-"
-if target == "x86_64":
-grubtarget = 'x86_64'
-elif re.match('i.86', target):
-grubtarget = 'i386'
-elif re.match('aarch64', target):
-grubtarget = 'arm64'
-elif re.match('arm', target):
-grubtarget = 'arm'
+if d.getVar('EFI_PROVIDER') == "grub-efi":
+d.setVar("GRUB_EFI_BOOT_IMAGE", d.getVar("EFI_BOOT_IMAGE"))
 else:
-raise bb.parse.SkipRecipe("grub-efi is incompatible with target %s" % 
target)
-grubimage = prefix + d.getVar("EFI_BOOT_IMAGE")
-d.setVar("GRUB_TARGET", grubtarget)
-d.setVar("GRUB_IMAGE", grubimage)
-prefix = "grub-efi-" if prefix == "" else ""
-d.setVar("GRUB_IMAGE_PREFIX", prefix)
+d.setVar("GRUB_EFI_BOOT_IMAGE", d.getVar("GRUB_IMAGE"))
 }
 
 inherit deploy
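Review bot: Removing the old anonymous function also removes `raise bb.parse.SkipRecipe(...)` for unsupported targets; with the new default `GRUB_TARGET = "UNSUPPORTED"` the recipe now parses and would only fail later, for example at `grub-mkimage -O ${GRUB_TARGET}-efi`. Unless COMPATIBLE_HOST is set outside this hunk, I would keep a parse-time check in the remaining function: `if d.getVar('GRUB_TARGET') == "UNSUPPORTED":` followed by `raise bb.parse.SkipRecipe("grub-efi is incompatible with target %s" % d.getVar('TARGET_ARCH'))`. The comment `# Determine the target arch for the grub modules` is dropped as well and still describes the new `GRUB_TARGET` block, so it is worth keeping above it.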
@@ -45,7 +41,7 @@ do_mkimage() {
# Search for the grub.cfg on the local boot media by using the
# built in cfg file provided via this recipe
grub-mkimage -c ../cfg -p ${EFIDIR} -d ./grub-core/ \
-  -O ${GRUB_TARGET}-efi -o 
./${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} \
+  -O ${GRUB_TARGET}-efi -o ./${GRUB_IMAGE} \
   ${GRUB_BUILDIN}
 }
 
@@ -57,7 +53,7 @@ do_mkimage_class-native() {
 
 do_install_append_class-target() {
install -d ${D}${EFI_FILES_PATH}
-   install -m 644 ${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} 
${D}${EFI_FILES_PATH}/${GRUB_IMAGE}
+   install -m 644 ${B}/${GRUB_IMAGE} 
${D}${EFI_FILES_PATH}/${GRUB_EFI_BOOT_IMAGE}
 }
 
 do_install_class-native() {
@@ -86,7 +82,7 @@ GRUB_BUILDIN ?= "boot linux ext2 fat serial part_msdos 
part_gpt normal \
  efi_gop iso9660 configfile search loadenv test"
 
 do_deploy() {
-   install -m 644 ${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} ${DEPLOYDIR}
+   install -m 644 ${B}/${GRUB_IMAGE} ${DEPLOYDIR}
 }
 
 do_deploy_class-native() {
@@ -97,7 +93,7 @@ addtask deploy after do_install before do_build
 
 FILES_${PN} = "${libdir}/grub/${GRUB_TARGET}-efi \
${datadir}/grub \
-   ${EFI_FILES_PATH}/${GRUB_IMAGE} \
+   ${EFI_FILES_PATH}/${GRUB_EFI_BOOT_IMAGE} \
"
 
 FILES_${PN}_remove_aarch64 = "${libdir}/grub/${GRUB_TARGET}-efi"
-- 
2.23.0
