[PATCH 00/15] denzil pull request 5

[PATCH 00/15] denzil pull request 5

[Scott Garman]

This is a pull request for denzil, it includes a number of security
fixes and a few important bugfixes. The poky-based tree has been run
through the autobuilder as follows:

nightly-x86: Green
http://autobuilder.yoctoproject.org:8010/builders/nightly-x86/builds/853

nightly-x86-lsb: Green
http://autobuilder.yoctoproject.org:8010/builders/nightly-x86-lsb/builds/182

nightly-x86-64: Green
http://autobuilder.yoctoproject.org:8010/builders/nightly-x86-64/builds/776

nightly-x86-64-lsb: Green
http://autobuilder.yoctoproject.org:8010/builders/nightly-x86-64-lsb/builds/177

nightly-arm: Green
http://autobuilder.yoctoproject.org:8010/builders/nightly-arm/builds/782

nightly-arm-lsb: Green
http://autobuilder.yoctoproject.org:8010/builders/nightly-arm-lsb/builds/175

nightly-mips: Green
http://autobuilder.yoctoproject.org:8010/builders/nightly-mips/builds/755

nightly-mips-lsb: Green
http://autobuilder.yoctoproject.org:8010/builders/nightly-mips-lsb/builds/182

nightly-ppc: Green
http://autobuilder.yoctoproject.org:8010/builders/nightly-ppc/builds/733

nightly-ppc-lsb: Green
http://autobuilder.yoctoproject.org:8010/builders/nightly-ppc-lsb/builds/185

nightly-non-gpl3: Green
http://autobuilder.yoctoproject.org:8010/builders/nightly-non-gpl3/builds/412

nightly-multilib: Green
http://autobuilder.yoctoproject.org:8010/builders/nightly-multilib/builds/408

nightly-tiny: Green
http://autobuilder.yoctoproject.org:8010/builders/nightly-tiny/builds/389

build-appliance: Green
http://autobuilder.yoctoproject.org:8010/builders/build-appliance/builds/188

eclipse-plugin: Failed
http://autobuilder.yoctoproject.org:8010/builders/eclipse-plugin/builds/717

This appears to be due to some issue on the autobuilder, it failed to
find the branch I sumbmitted. I've notified Beth so she can look into
this.

crownbay: Green
http://autobuilder.yoctoproject.org:8010/builders/crownbay/builds/251

crownbay-noemgd: Green
http://autobuilder.yoctoproject.org:8010/builders/crownbay-noemgd/builds/252

emenlow: Green
http://autobuilder.yoctoproject.org:8010/builders/emenlow/builds/235

n450: Green
http://autobuilder.yoctoproject.org:8010/builders/n450/builds/239

jasperforest: Green
http://autobuilder.yoctoproject.org:8010/builders/jasperforest/builds/234

sugarbay: Green
http://autobuilder.yoctoproject.org:8010/builders/sugarbay/builds/245

fri2-noemgd: Green
http://autobuilder.yoctoproject.org:8010/builders/fri2-noemgd/builds/247

fri2: Green
http://autobuilder.yoctoproject.org:8010/builders/fri2/builds/262

romley: Green
http://autobuilder.yoctoproject.org:8010/builders/romley/builds/209

cedartrail: Green
http://autobuilder.yoctoproject.org:8010/builders/cedartrail/builds/214

sys940x: Failed
http://autobuilder.yoctoproject.org:8010/builders/sys940x/builds/109

Failure during do_rootfs:

| error: Failed dependencies:
| 	libva.so.1 is needed by libegl1-1.10-r0.core2
| 	libva-tpi.so.1 is needed by libegl1-1.10-r0.core2
| 	libva-x11.so.1 is needed by libegl1-1.10-r0.core2

Filed as bug #3659:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=3659

sys940x-noemgd: Green
http://autobuilder.yoctoproject.org:8010/builders/sys940x-noemgd/builds/108

cheifriver: Green
http://autobuilder.yoctoproject.org:8010/builders/chiefriver/builds/92

p1022ds: Green
http://autobuilder.yoctoproject.org:8010/builders/p1022ds/builds/185



The following changes since commit d35560f33f257bd12a07c7c0be770319086d6ad9:

  squashfs: fix for CVE-2012-4024 (2012-11-30 14:51:10 -0800)

are available in the git repository at:

  git://git.openembedded.org/openembedded-core-contrib sgarman/denzil-next-pull5
  http://cgit.openembedded.org/cgit.cgi/openembedded-core-contrib/log/?h=sgarman/denzil-next-pull5

Khem Raj (5):
  coreutils: Fix build with eglibc 2.16
  diffutils: Fix build with eglibc 2.16
  gettext,m4,augeas,gnutls: Account for removal of gets in eglibc 2.16
  bison: Fix for gets being removed from eglibc 2.16
  grub,guile,cpio,tar,wget: Fix gnulib for absense of gets in eglibc

Li Wang (1):
  librsvg: CVE-2011-3146

Mihai Lindner (1):
  sysklogd: removed tabs from syslog.conf

Richard Purdie (1):
  boot-directdisk: Fix kernel location after STAGING_KERNEL_DIR change

Scott Garman (6):
  psplash: new patch to fix segfault
  build-appliance-image: Allow SRCREV to be overriden
  gitignore: add generated doc files to ignore list
  libxml2: patch for CVE-2012-2871
  freetype: patches for CVE-2012-5668, 5669, and 5670
  cups: patch for CVE-2011-2896

yanjun.zhu (1):
  squashfs: fix CVE-2012-4025

 .gitignore                                         |   24 +-
 meta/classes/boot-directdisk.bbclass               |    2 +-
 meta/recipes-bsp/grub/grub-1.99/remove-gets.patch  |   20 +
 meta/recipes-bsp/grub/grub_1.99.bb                 |    3 +-
 .../coreutils/coreutils-8.14/remove-gets.patch     |   23 +
 meta/recipes-core/coreutils/coreutils_8.14.bb      |    3 +-
 .../gettext/gettext-0.18.1.1/remove_gets.patch     |   58 ++
 meta/recipes-core/gettext/gettext_0.18.1.1.bb      |    3 +-
 meta/recipes-core/images/build-appliance-image.bb  |    2 +-
 .../libxml/libxml2/libxml2-CVE-2012-2871.patch     |   36 +
 meta/recipes-core/libxml/libxml2_2.8.0.bb          |    4 +-
 .../files/psplash_fix_bad_arg_segfault.patch       |   22 +
 meta/recipes-core/psplash/psplash_git.bb           |    3 +-
 .../recipes-devtools/bison/bison/remove-gets.patch |   20 +
 meta/recipes-devtools/bison/bison_2.5.bb           |    6 +-
 .../recipes-devtools/guile/files/remove-gets.patch |   25 +
 meta/recipes-devtools/guile/guile_2.0.3.bb         |    3 +-
 meta/recipes-devtools/m4/m4-1.4.16.inc             |    6 +-
 meta/recipes-devtools/m4/m4/remove-gets.patch      |   21 +
 .../patches/squashfs-4.2-fix-CVE-2012-4025.patch   |  190 ++++
 ...dd-a-commment-and-fix-some-other-comments.patch |   38 +
 .../patches/squashfs-fix-open-file-limit.patch     |  215 ++++
 .../squashfs-tools/squashfs-tools_4.2.bb           |    5 +-
 .../augeas/augeas/remove-gets.patch                |   20 +
 meta/recipes-extended/augeas/augeas_0.10.0.bb      |    4 +-
 .../cpio/cpio-2.11/remove-gets.patch               |   20 +
 meta/recipes-extended/cpio/cpio_2.11.bb            |    5 +-
 .../cups/cups-1.4.6/cups-CVE-2011-2896.patch       |  140 +++
 meta/recipes-extended/cups/cups_1.4.6.bb           |    3 +-
 .../diffutils/diffutils-3.2/remove-gets.patch      |   22 +
 meta/recipes-extended/diffutils/diffutils_3.2.bb   |    6 +-
 meta/recipes-extended/sysklogd/files/syslog.conf   |   23 +-
 meta/recipes-extended/sysklogd/sysklogd_1.5.bb     |    2 +-
 .../tar/tar-1.26/remove-gets.patch                 |   20 +
 meta/recipes-extended/tar/tar_1.26.bb              |    5 +-
 .../wget/wget-1.13.4/remove-gets.patch             |   23 +
 meta/recipes-extended/wget/wget_1.13.4.bb          |    3 +-
 .../librsvg-2.32.1/librsvg-CVE-2011-3146.patch     | 1088 ++++++++++++++++++++
 meta/recipes-gnome/librsvg/librsvg_2.32.1.bb       |    6 +-
 .../freetype/freetype-2.4.9/CVE-2012-5668.patch    |   31 +
 .../freetype/freetype-2.4.9/CVE-2012-5669.patch    |   31 +
 .../freetype/freetype-2.4.9/CVE-2012-5670.patch    |   29 +
 meta/recipes-graphics/freetype/freetype_2.4.9.bb   |    7 +-
 .../gnutls/gnutls/remove-gets.patch                |   42 +
 meta/recipes-support/gnutls/gnutls_2.12.17.bb      |    3 +-
 45 files changed, 2226 insertions(+), 39 deletions(-)
 create mode 100644 meta/recipes-bsp/grub/grub-1.99/remove-gets.patch
 create mode 100644 meta/recipes-core/coreutils/coreutils-8.14/remove-gets.patch
 create mode 100644 meta/recipes-core/gettext/gettext-0.18.1.1/remove_gets.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-CVE-2012-2871.patch
 create mode 100644 meta/recipes-core/psplash/files/psplash_fix_bad_arg_segfault.patch
 create mode 100644 meta/recipes-devtools/bison/bison/remove-gets.patch
 create mode 100644 meta/recipes-devtools/guile/files/remove-gets.patch
 create mode 100644 meta/recipes-devtools/m4/m4/remove-gets.patch
 create mode 100644 meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4025.patch
 create mode 100644 meta/recipes-devtools/squashfs-tools/patches/squashfs-add-a-commment-and-fix-some-other-comments.patch
 create mode 100644 meta/recipes-devtools/squashfs-tools/patches/squashfs-fix-open-file-limit.patch
 create mode 100644 meta/recipes-extended/augeas/augeas/remove-gets.patch
 create mode 100644 meta/recipes-extended/cpio/cpio-2.11/remove-gets.patch
 create mode 100644 meta/recipes-extended/cups/cups-1.4.6/cups-CVE-2011-2896.patch
 create mode 100644 meta/recipes-extended/diffutils/diffutils-3.2/remove-gets.patch
 create mode 100644 meta/recipes-extended/tar/tar-1.26/remove-gets.patch
 create mode 100644 meta/recipes-extended/wget/wget-1.13.4/remove-gets.patch
 create mode 100644 meta/recipes-gnome/librsvg/librsvg-2.32.1/librsvg-CVE-2011-3146.patch
 create mode 100644 meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5668.patch
 create mode 100644 meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5669.patch
 create mode 100644 meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5670.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/remove-gets.patch

-- 
1.7.9.5

[PATCH 01/15] coreutils: Fix build with eglibc 2.16

[Scott Garman]

From: Khem Raj <raj.khem@gmail.com>

eglibc 2.16 has removed gets so we account for that

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Resolved merge conflicts with denzil branch.

Signed-off-by: Scott Garman <scott.a.garman@intel.com>
---
 .../coreutils/coreutils-8.14/remove-gets.patch     |   23 ++++++++++++++++++++
 meta/recipes-core/coreutils/coreutils_8.14.bb      |    3 ++-
 2 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-core/coreutils/coreutils-8.14/remove-gets.patch

diff --git a/meta/recipes-core/coreutils/coreutils-8.14/remove-gets.patch b/meta/recipes-core/coreutils/coreutils-8.14/remove-gets.patch
new file mode 100644
index 0000000..4f61c92
--- /dev/null
+++ b/meta/recipes-core/coreutils/coreutils-8.14/remove-gets.patch
@@ -0,0 +1,23 @@
+use gets iff its defined. eglibc 2.16 removed gets
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Upstream-Status: Pending
+
+Index: coreutils-8.14/lib/stdio.in.h
+===================================================================
+--- coreutils-8.14.orig/lib/stdio.in.h	2011-09-24 04:20:48.000000000 -0700
++++ coreutils-8.14/lib/stdio.in.h	2012-07-03 10:36:19.886296576 -0700
+@@ -713,11 +713,13 @@
+ _GL_CXXALIAS_SYS (gets, char *, (char *s));
+ #  undef gets
+ # endif
++# if defined gets
+ _GL_CXXALIASWARN (gets);
+ /* It is very rare that the developer ever has full control of stdin,
+    so any use of gets warrants an unconditional warning.  Assume it is
+    always declared, since it is required by C89.  */
+ _GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
++# endif
+ #endif
+ 
+ 
diff --git a/meta/recipes-core/coreutils/coreutils_8.14.bb b/meta/recipes-core/coreutils/coreutils_8.14.bb
index 688cec9..cd0cada 100644
--- a/meta/recipes-core/coreutils/coreutils_8.14.bb
+++ b/meta/recipes-core/coreutils/coreutils_8.14.bb
@@ -7,7 +7,7 @@ BUGTRACKER = "http://debbugs.gnu.org/coreutils"
 LICENSE = "GPLv3+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504\
                     file://src/ls.c;startline=5;endline=16;md5=e1a509558876db58fb6667ba140137ad"
-PR = "r3"
+PR = "r4"
 DEPENDS = "gmp libcap"
 DEPENDS_virtclass-native = ""
 
@@ -15,6 +15,7 @@ inherit autotools gettext
 
 SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
            file://remove-usr-local-lib-from-m4.patch \
+           file://remove-gets.patch \
           "
 SRC_URI[md5sum] = "bcb135ce553493a45aba01b39eb3920a"
 SRC_URI[sha256sum] = "0d120817c19292edb19e92ae6b8eac9020e03d51e0af9cb116cf82b65d18b02d"
-- 
1.7.9.5

[PATCH 02/15] diffutils: Fix build with eglibc 2.16

[Scott Garman]

From: Khem Raj <raj.khem@gmail.com>

eglibc 2.16 has removed gets so we account for that

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../diffutils/diffutils-3.2/remove-gets.patch      |   22 ++++++++++++++++++++
 meta/recipes-extended/diffutils/diffutils_3.2.bb   |    6 ++++--
 2 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-extended/diffutils/diffutils-3.2/remove-gets.patch

diff --git a/meta/recipes-extended/diffutils/diffutils-3.2/remove-gets.patch b/meta/recipes-extended/diffutils/diffutils-3.2/remove-gets.patch
new file mode 100644
index 0000000..58ed62d
--- /dev/null
+++ b/meta/recipes-extended/diffutils/diffutils-3.2/remove-gets.patch
@@ -0,0 +1,22 @@
+check for gets before using it
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Upstream-Status: Pending
+Index: diffutils-3.2/lib/stdio.in.h
+===================================================================
+--- diffutils-3.2.orig/lib/stdio.in.h	2011-08-28 04:57:28.000000000 -0700
++++ diffutils-3.2/lib/stdio.in.h	2012-07-03 10:45:07.518322117 -0700
+@@ -693,11 +693,13 @@
+ _GL_CXXALIAS_SYS (gets, char *, (char *s));
+ #  undef gets
+ # endif
++# if defined gets
+ _GL_CXXALIASWARN (gets);
+ /* It is very rare that the developer ever has full control of stdin,
+    so any use of gets warrants an unconditional warning.  Assume it is
+    always declared, since it is required by C89.  */
+ _GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
++# endif
+ #endif
+ 
+ 
diff --git a/meta/recipes-extended/diffutils/diffutils_3.2.bb b/meta/recipes-extended/diffutils/diffutils_3.2.bb
index 174866c..c46863d 100644
--- a/meta/recipes-extended/diffutils/diffutils_3.2.bb
+++ b/meta/recipes-extended/diffutils/diffutils_3.2.bb
@@ -5,9 +5,11 @@ SECTION = "base"
 LICENSE = "GPLv3+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
-PR = "r0"
+PR = "r1"
 
-SRC_URI = "${GNU_MIRROR}/diffutils/diffutils-${PV}.tar.gz"
+SRC_URI = "${GNU_MIRROR}/diffutils/diffutils-${PV}.tar.gz \
+           file://remove-gets.patch \
+          "
 
 inherit autotools update-alternatives gettext
 
-- 
1.7.9.5

[PATCH 03/15] gettext, m4, augeas, gnutls: Account for removal of gets in eglibc 2.16

[Scott Garman]

From: Khem Raj <raj.khem@gmail.com>

These recipes use gnulib which needs this change to use gets
when its defined and not otherwise. Until that change goes into
gnulib and then all these package upgrade gnulib in their sourcebase
we patch them

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Resolved merge conflicts with denzil branch and backported gnutls
patch.

Signed-off-by: Scott Garman <scott.a.garman@intel.com>
---
 .../gettext/gettext-0.18.1.1/remove_gets.patch     |   58 ++++++++++++++++++++
 meta/recipes-core/gettext/gettext_0.18.1.1.bb      |    3 +-
 meta/recipes-devtools/m4/m4-1.4.16.inc             |    6 +-
 meta/recipes-devtools/m4/m4/remove-gets.patch      |   21 +++++++
 .../augeas/augeas/remove-gets.patch                |   20 +++++++
 meta/recipes-extended/augeas/augeas_0.10.0.bb      |    4 +-
 .../gnutls/gnutls/remove-gets.patch                |   42 ++++++++++++++
 meta/recipes-support/gnutls/gnutls_2.12.17.bb      |    3 +-
 8 files changed, 152 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-core/gettext/gettext-0.18.1.1/remove_gets.patch
 create mode 100644 meta/recipes-devtools/m4/m4/remove-gets.patch
 create mode 100644 meta/recipes-extended/augeas/augeas/remove-gets.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/remove-gets.patch

diff --git a/meta/recipes-core/gettext/gettext-0.18.1.1/remove_gets.patch b/meta/recipes-core/gettext/gettext-0.18.1.1/remove_gets.patch
new file mode 100644
index 0000000..3d3c400
--- /dev/null
+++ b/meta/recipes-core/gettext/gettext-0.18.1.1/remove_gets.patch
@@ -0,0 +1,58 @@
+eglibc 2.16 has removed gets so we need to check for it
+being there before using it.
+
+
+From glibc stdio.h
+
+The function has been officially removed in ISO C11.  This opportunity
+   is used to also remove it from the GNU feature list.  It is now only
+   available when explicitly using an old ISO C, Unix, or POSIX standard.
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+Upstream-Status: Pending
+Index: gettext-0.18.1.1/gettext-runtime/gnulib-lib/stdio.in.h
+===================================================================
+--- gettext-0.18.1.1.orig/gettext-runtime/gnulib-lib/stdio.in.h	2010-05-17 12:56:12.000000000 -0700
++++ gettext-0.18.1.1/gettext-runtime/gnulib-lib/stdio.in.h	2012-07-02 22:42:21.292223316 -0700
+@@ -140,8 +140,10 @@
+ /* It is very rare that the developer ever has full control of stdin,
+    so any use of gets warrants an unconditional warning.  Assume it is
+    always declared, since it is required by C89.  */
++#if defined gets
+ #undef gets
+ _GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
++#endif
+ 
+ #if @GNULIB_FOPEN@
+ # if @REPLACE_FOPEN@
+Index: gettext-0.18.1.1/gettext-tools/gnulib-lib/stdio.in.h
+===================================================================
+--- gettext-0.18.1.1.orig/gettext-tools/gnulib-lib/stdio.in.h	2010-05-24 02:42:46.000000000 -0700
++++ gettext-0.18.1.1/gettext-tools/gnulib-lib/stdio.in.h	2012-07-02 23:02:33.476281979 -0700
+@@ -140,8 +140,10 @@
+ /* It is very rare that the developer ever has full control of stdin,
+    so any use of gets warrants an unconditional warning.  Assume it is
+    always declared, since it is required by C89.  */
++#if defined gets
+ #undef gets
+ _GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
++#endif
+ 
+ #if @GNULIB_FOPEN@
+ # if @REPLACE_FOPEN@
+Index: gettext-0.18.1.1/gettext-tools/libgettextpo/stdio.in.h
+===================================================================
+--- gettext-0.18.1.1.orig/gettext-tools/libgettextpo/stdio.in.h	2010-05-17 12:58:03.000000000 -0700
++++ gettext-0.18.1.1/gettext-tools/libgettextpo/stdio.in.h	2012-07-02 23:01:57.440280253 -0700
+@@ -140,8 +140,10 @@
+ /* It is very rare that the developer ever has full control of stdin,
+    so any use of gets warrants an unconditional warning.  Assume it is
+    always declared, since it is required by C89.  */
++#if defined gets
+ #undef gets
+ _GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
++#endif
+ 
+ #if @GNULIB_FOPEN@
+ # if @REPLACE_FOPEN@
diff --git a/meta/recipes-core/gettext/gettext_0.18.1.1.bb b/meta/recipes-core/gettext/gettext_0.18.1.1.bb
index 1e67afb..16ea010 100644
--- a/meta/recipes-core/gettext/gettext_0.18.1.1.bb
+++ b/meta/recipes-core/gettext/gettext_0.18.1.1.bb
@@ -5,7 +5,7 @@ SECTION = "libs"
 LICENSE = "GPLv3+ & LGPL-2.1+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
-PR = "r12"
+PR = "r13"
 DEPENDS = "libxml2-native gettext-native virtual/libiconv ncurses expat"
 DEPENDS_virtclass-native = "libxml2-native gettext-minimal-native"
 PROVIDES = "virtual/libintl virtual/gettext"
@@ -13,6 +13,7 @@ PROVIDES_virtclass-native = "virtual/gettext-native"
 CONFLICTS_${PN} = "proxy-libintl"
 SRC_URI = "${GNU_MIRROR}/gettext/gettext-${PV}.tar.gz \
 	   file://parallel.patch \
+	   file://remove_gets.patch \
           "
 
 SRC_URI_append_libc-uclibc = " file://wchar-uclibc.patch \
diff --git a/meta/recipes-devtools/m4/m4-1.4.16.inc b/meta/recipes-devtools/m4/m4-1.4.16.inc
index 139193c..bb82a3b 100644
--- a/meta/recipes-devtools/m4/m4-1.4.16.inc
+++ b/meta/recipes-devtools/m4/m4-1.4.16.inc
@@ -5,8 +5,10 @@ LICENSE = "GPLv3"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504\
 	            file://examples/COPYING;md5=fbc986d45b3dae6725c29870dd6b669d"
 
-PR = "r2"
-SRC_URI += "file://ac_config_links.patch"
+PR = "r3"
+SRC_URI += "file://ac_config_links.patch \
+            file://remove-gets.patch \
+           "
 
 SRC_URI[md5sum] = "a5dfb4f2b7370e9d34293d23fd09b280"
 SRC_URI[sha256sum] = "e9176a35bb13a1b08482359aa554ee8072794f58f00e4827bf0e06b570c827da"
diff --git a/meta/recipes-devtools/m4/m4/remove-gets.patch b/meta/recipes-devtools/m4/m4/remove-gets.patch
new file mode 100644
index 0000000..9c396d9
--- /dev/null
+++ b/meta/recipes-devtools/m4/m4/remove-gets.patch
@@ -0,0 +1,21 @@
+eglibc has remove gets starting 2.16
+therefore check for its being there before 
+undefining it.
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Index: m4-1.4.16/lib/stdio.in.h
+===================================================================
+--- m4-1.4.16.orig/lib/stdio.in.h	2011-03-01 08:39:29.000000000 -0800
++++ m4-1.4.16/lib/stdio.in.h	2012-07-03 08:32:08.145935928 -0700
+@@ -161,8 +161,10 @@
+ /* It is very rare that the developer ever has full control of stdin,
+    so any use of gets warrants an unconditional warning.  Assume it is
+    always declared, since it is required by C89.  */
++#if defined gets
+ #undef gets
+ _GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
++#endif
+ 
+ #if @GNULIB_FOPEN@
+ # if @REPLACE_FOPEN@
diff --git a/meta/recipes-extended/augeas/augeas/remove-gets.patch b/meta/recipes-extended/augeas/augeas/remove-gets.patch
new file mode 100644
index 0000000..bd6e92c
--- /dev/null
+++ b/meta/recipes-extended/augeas/augeas/remove-gets.patch
@@ -0,0 +1,20 @@
+eglibc 2.16 has remove gets so check for it to be there before using it
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+Upstream-Status: Pending
+Index: augeas-0.10.0/gnulib/lib/stdio.in.h
+===================================================================
+--- augeas-0.10.0.orig/gnulib/lib/stdio.in.h	2011-03-03 17:07:59.000000000 -0800
++++ augeas-0.10.0/gnulib/lib/stdio.in.h	2012-07-03 19:46:42.871894833 -0700
+@@ -161,8 +161,10 @@
+ /* It is very rare that the developer ever has full control of stdin,
+    so any use of gets warrants an unconditional warning.  Assume it is
+    always declared, since it is required by C89.  */
++#if defined gets
+ #undef gets
+ _GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
++#endif
+ 
+ #if @GNULIB_FOPEN@
+ # if @REPLACE_FOPEN@
diff --git a/meta/recipes-extended/augeas/augeas_0.10.0.bb b/meta/recipes-extended/augeas/augeas_0.10.0.bb
index 00921aa..06ef494 100644
--- a/meta/recipes-extended/augeas/augeas_0.10.0.bb
+++ b/meta/recipes-extended/augeas/augeas_0.10.0.bb
@@ -1,6 +1,8 @@
 require augeas.inc
 
-PR = "r1"
+PR = "r2"
+SRC_URI += "file://remove-gets.patch \
+           "
 
 SRC_URI[md5sum] = "fe1834e90a066c3208ac0214622c7352"
 SRC_URI[sha256sum] = "ec111af06186216930176ebe5ecccdf7bf528528aee9acde1d5d70088484afca"
diff --git a/meta/recipes-support/gnutls/gnutls/remove-gets.patch b/meta/recipes-support/gnutls/gnutls/remove-gets.patch
new file mode 100644
index 0000000..d694a3d
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/remove-gets.patch
@@ -0,0 +1,42 @@
+eglibc 2.16 has removed gets completely
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+Backported to gnutls 2.12.17 by Scott Garman <scott.a.garman@intel.com>
+
+Upstream-Status: Pending
+
+diff -urN gnutls-2.12.17.orig/gl/stdio.in.h gnutls-2.12.17/gl/stdio.in.h
+--- gnutls-2.12.17.orig/gl/stdio.in.h	2012-03-01 07:47:48.000000000 -0800
++++ gnutls-2.12.17/gl/stdio.in.h	2012-12-12 20:27:54.833297791 -0800
+@@ -710,11 +710,13 @@
+ _GL_CXXALIAS_SYS (gets, char *, (char *s));
+ #  undef gets
+ # endif
++# if defined gets
+ _GL_CXXALIASWARN (gets);
+ /* It is very rare that the developer ever has full control of stdin,
+    so any use of gets warrants an unconditional warning.  Assume it is
+    always declared, since it is required by C89.  */
+ _GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
++# endif
+ #endif
+ 
+ 
+diff -urN gnutls-2.12.17.orig/lib/gl/stdio.in.h gnutls-2.12.17/lib/gl/stdio.in.h
+--- gnutls-2.12.17.orig/lib/gl/stdio.in.h	2012-03-01 07:53:13.000000000 -0800
++++ gnutls-2.12.17/lib/gl/stdio.in.h	2012-12-12 20:29:09.669295717 -0800
+@@ -710,11 +710,13 @@
+ _GL_CXXALIAS_SYS (gets, char *, (char *s));
+ #  undef gets
+ # endif
++# if defined gets
+ _GL_CXXALIASWARN (gets);
+ /* It is very rare that the developer ever has full control of stdin,
+    so any use of gets warrants an unconditional warning.  Assume it is
+    always declared, since it is required by C89.  */
+ _GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
++# endif
+ #endif
+ 
+ 
diff --git a/meta/recipes-support/gnutls/gnutls_2.12.17.bb b/meta/recipes-support/gnutls/gnutls_2.12.17.bb
index 7a33ec2..ebcbea3 100644
--- a/meta/recipes-support/gnutls/gnutls_2.12.17.bb
+++ b/meta/recipes-support/gnutls/gnutls_2.12.17.bb
@@ -1,10 +1,11 @@
 require gnutls.inc
 
-PR = "${INC_PR}.0"
+PR = "${INC_PR}.2"
 
 SRC_URI += "file://gnutls-openssl.patch \
             file://correct_rpl_gettimeofday_signature.patch \
             file://configure-fix.patch \
+            file://remove-gets.patch \
            "
 
 SRC_URI[md5sum] = "f08990f1afa4e1d0ee13e64e537c7854"
-- 
1.7.9.5

[PATCH 04/15] bison: Fix for gets being removed from eglibc 2.16

[Scott Garman]

From: Khem Raj <raj.khem@gmail.com>

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../recipes-devtools/bison/bison/remove-gets.patch |   20 ++++++++++++++++++++
 meta/recipes-devtools/bison/bison_2.5.bb           |    6 ++++--
 2 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-devtools/bison/bison/remove-gets.patch

diff --git a/meta/recipes-devtools/bison/bison/remove-gets.patch b/meta/recipes-devtools/bison/bison/remove-gets.patch
new file mode 100644
index 0000000..2dfa00f
--- /dev/null
+++ b/meta/recipes-devtools/bison/bison/remove-gets.patch
@@ -0,0 +1,20 @@
+gets has been removed from eglibc 2.16
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+Upstream-Status: Pending
+Index: bison-2.5/lib/stdio.in.h
+===================================================================
+--- bison-2.5.orig/lib/stdio.in.h	2012-07-04 09:09:48.336532195 -0700
++++ bison-2.5/lib/stdio.in.h	2012-07-04 09:10:22.868533884 -0700
+@@ -180,8 +180,10 @@
+ /* It is very rare that the developer ever has full control of stdin,
+    so any use of gets warrants an unconditional warning.  Assume it is
+    always declared, since it is required by C89.  */
++#if defined gets
+ #undef gets
+ _GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
++#endif
+ 
+ #if @GNULIB_FOPEN@
+ # if @REPLACE_FOPEN@
diff --git a/meta/recipes-devtools/bison/bison_2.5.bb b/meta/recipes-devtools/bison/bison_2.5.bb
index c5113cd..e3f9273 100644
--- a/meta/recipes-devtools/bison/bison_2.5.bb
+++ b/meta/recipes-devtools/bison/bison_2.5.bb
@@ -9,14 +9,16 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 SECTION = "devel"
 DEPENDS = "bison-native flex-native"
 
-PR = "r1"
+PR = "r2"
 
 BASE_SRC_URI = "${GNU_MIRROR}/bison/bison-${PV}.tar.gz \
 	   file://m4.patch \
 	  "
 
 SRC_URI = "${BASE_SRC_URI} \
-        file://fix_cross_manpage_building.patch "
+           file://fix_cross_manpage_building.patch \
+           file://remove-gets.patch \
+          "
 
 SRC_URI[md5sum] = "687e1dcd29452789d34eaeea4c25abe4"
 SRC_URI[sha256sum] = "722def46e4a19a5b7a579ef30db1965f86c37c1a20a5f0113743a2e4399f7c99"
-- 
1.7.9.5

[PATCH 05/15] grub, guile, cpio, tar, wget: Fix gnulib for absense of gets in eglibc

[Scott Garman]

From: Khem Raj <raj.khem@gmail.com>

eglibc 2.16 does not export gets anymore

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Resolved merge conflicts with denzil branch and backported guile
patch.

Signed-off-by: Scott Garman <scott.a.garman@intel.com>
---
 meta/recipes-bsp/grub/grub-1.99/remove-gets.patch  |   20 ++++++++++++++++
 meta/recipes-bsp/grub/grub_1.99.bb                 |    3 ++-
 .../recipes-devtools/guile/files/remove-gets.patch |   25 ++++++++++++++++++++
 meta/recipes-devtools/guile/guile_2.0.3.bb         |    3 ++-
 .../cpio/cpio-2.11/remove-gets.patch               |   20 ++++++++++++++++
 meta/recipes-extended/cpio/cpio_2.11.bb            |    5 +++-
 .../tar/tar-1.26/remove-gets.patch                 |   20 ++++++++++++++++
 meta/recipes-extended/tar/tar_1.26.bb              |    5 +++-
 .../wget/wget-1.13.4/remove-gets.patch             |   23 ++++++++++++++++++
 meta/recipes-extended/wget/wget_1.13.4.bb          |    3 ++-
 10 files changed, 122 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-bsp/grub/grub-1.99/remove-gets.patch
 create mode 100644 meta/recipes-devtools/guile/files/remove-gets.patch
 create mode 100644 meta/recipes-extended/cpio/cpio-2.11/remove-gets.patch
 create mode 100644 meta/recipes-extended/tar/tar-1.26/remove-gets.patch
 create mode 100644 meta/recipes-extended/wget/wget-1.13.4/remove-gets.patch

diff --git a/meta/recipes-bsp/grub/grub-1.99/remove-gets.patch b/meta/recipes-bsp/grub/grub-1.99/remove-gets.patch
new file mode 100644
index 0000000..463f784
--- /dev/null
+++ b/meta/recipes-bsp/grub/grub-1.99/remove-gets.patch
@@ -0,0 +1,20 @@
+ISO C11 removes the specification of gets() from the C language, eglibc 2.16+ removed it
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+Upstream-Status: Pending
+Index: grub-1.99/grub-core/gnulib/stdio.in.h
+===================================================================
+--- grub-1.99.orig/grub-core/gnulib/stdio.in.h	2010-12-01 06:45:43.000000000 -0800
++++ grub-1.99/grub-core/gnulib/stdio.in.h	2012-07-04 12:25:02.057099107 -0700
+@@ -140,8 +140,10 @@
+ /* It is very rare that the developer ever has full control of stdin,
+    so any use of gets warrants an unconditional warning.  Assume it is
+    always declared, since it is required by C89.  */
++#if defined gets
+ #undef gets
+ _GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
++#endif
+ 
+ #if @GNULIB_FOPEN@
+ # if @REPLACE_FOPEN@
diff --git a/meta/recipes-bsp/grub/grub_1.99.bb b/meta/recipes-bsp/grub/grub_1.99.bb
index 882f21d..9747525 100644
--- a/meta/recipes-bsp/grub/grub_1.99.bb
+++ b/meta/recipes-bsp/grub/grub_1.99.bb
@@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
 DEPENDS = "autogen-native"
 RDEPENDS_${PN} = "diffutils freetype"
-PR = "r7"
+PR = "r8"
 
 SRC_URI = "ftp://ftp.gnu.org/gnu/grub/grub-${PV}.tar.gz \
           file://grub-install.in.patch \
@@ -23,6 +23,7 @@ SRC_URI = "ftp://ftp.gnu.org/gnu/grub/grub-${PV}.tar.gz \
           file://grub-1.99-gcc-4.7.0-uninitialized-var-errors.patch \
           file://grub-1.99-gcc-4.7.0-strict-aliasing-errors.patch \
           file://grub-1.99-fix-enable_execute_stack-check.patch \
+          file://remove-gets.patch \
           file://40_custom"
 
 SRC_URI[md5sum] = "ca9f2a2d571b57fc5c53212d1d22e2b5"
diff --git a/meta/recipes-devtools/guile/files/remove-gets.patch b/meta/recipes-devtools/guile/files/remove-gets.patch
new file mode 100644
index 0000000..1b4ca62
--- /dev/null
+++ b/meta/recipes-devtools/guile/files/remove-gets.patch
@@ -0,0 +1,25 @@
+ISO C11 removes the specification of gets() from the C language, eglibc 2.16+ removed it
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+Backported to guile 2.0.3 by Scott Garman <scott.a.garman@intel.com>
+
+Upstream-Status: Pending
+
+diff -urN guile-2.0.3.orig/lib/stdio.in.h guile-2.0.3/lib/stdio.in.h
+--- guile-2.0.3.orig/lib/stdio.in.h	2011-10-22 07:19:35.000000000 -0700
++++ guile-2.0.3/lib/stdio.in.h	2012-12-12 20:47:06.397265942 -0800
+@@ -711,11 +711,13 @@
+ _GL_CXXALIAS_SYS (gets, char *, (char *s));
+ #  undef gets
+ # endif
++# if defined gets
+ _GL_CXXALIASWARN (gets);
+ /* It is very rare that the developer ever has full control of stdin,
+    so any use of gets warrants an unconditional warning.  Assume it is
+    always declared, since it is required by C89.  */
+ _GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
++# endif
+ #endif
+ 
+ 
diff --git a/meta/recipes-devtools/guile/guile_2.0.3.bb b/meta/recipes-devtools/guile/guile_2.0.3.bb
index 164ab8c..5201f6b 100644
--- a/meta/recipes-devtools/guile/guile_2.0.3.bb
+++ b/meta/recipes-devtools/guile/guile_2.0.3.bb
@@ -19,12 +19,13 @@ SRC_URI = "${GNU_MIRROR}/guile/guile-${PV}.tar.gz \
            file://debian/0003-Include-gc.h-rather-than-gc-gc_version.h-in-pthread-.patch \
            file://opensuse/guile-64bit.patch \
            file://opensuse/guile-turn-off-gc-test.patch \
+           file://remove-gets.patch \
            "
 
 SRC_URI[md5sum] = "3b8b4e1083037f29d2c4704a6d55f2a8"
 SRC_URI[sha256sum] = "a53b21159befe3e89bbaca71e9e62cf00af0f49fcca297c407944b988d59eb08"
 
-PR = "r5"
+PR = "r6"
 
 inherit autotools gettext
 BBCLASSEXTEND = "native"
diff --git a/meta/recipes-extended/cpio/cpio-2.11/remove-gets.patch b/meta/recipes-extended/cpio/cpio-2.11/remove-gets.patch
new file mode 100644
index 0000000..b4d113d
--- /dev/null
+++ b/meta/recipes-extended/cpio/cpio-2.11/remove-gets.patch
@@ -0,0 +1,20 @@
+ISO C11 removes the specification of gets() from the C language, eglibc 2.16+ removed it
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+Upstream-Status: Pending
+Index: cpio-2.11/gnu/stdio.in.h
+===================================================================
+--- cpio-2.11.orig/gnu/stdio.in.h	2012-07-04 12:13:43.133066247 -0700
++++ cpio-2.11/gnu/stdio.in.h	2012-07-04 12:14:10.189067564 -0700
+@@ -138,8 +138,10 @@
+ /* It is very rare that the developer ever has full control of stdin,
+    so any use of gets warrants an unconditional warning.  Assume it is
+    always declared, since it is required by C89.  */
++#if defined gets
+ #undef gets
+ _GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
++#endif
+ 
+ #if @GNULIB_FOPEN@
+ # if @REPLACE_FOPEN@
diff --git a/meta/recipes-extended/cpio/cpio_2.11.bb b/meta/recipes-extended/cpio/cpio_2.11.bb
index 78da20e..75fa2b1 100644
--- a/meta/recipes-extended/cpio/cpio_2.11.bb
+++ b/meta/recipes-extended/cpio/cpio_2.11.bb
@@ -3,7 +3,10 @@ include cpio_v2.inc
 LICENSE = "GPLv3"
 LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949"
 
-PR = "r1"
+PR = "r2"
+
+SRC_URI += "file://remove-gets.patch \
+           "
 
 SRC_URI[md5sum] = "1112bb6c45863468b5496ba128792f6c"
 SRC_URI[sha256sum] = "601b1d774cd6e4cd39416203c91ec59dbd65dd27d79d75e1a9b89497ea643978"
diff --git a/meta/recipes-extended/tar/tar-1.26/remove-gets.patch b/meta/recipes-extended/tar/tar-1.26/remove-gets.patch
new file mode 100644
index 0000000..2429d42
--- /dev/null
+++ b/meta/recipes-extended/tar/tar-1.26/remove-gets.patch
@@ -0,0 +1,20 @@
+ISO C11 removes the specification of gets() from the C language, eglibc 2.16+ removed it
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+Upstream-Status: Pending
+Index: tar-1.26/gnu/stdio.in.h
+===================================================================
+--- tar-1.26.orig/gnu/stdio.in.h	2011-03-12 01:14:33.000000000 -0800
++++ tar-1.26/gnu/stdio.in.h	2012-07-04 12:18:58.997081535 -0700
+@@ -163,8 +163,10 @@
+ /* It is very rare that the developer ever has full control of stdin,
+    so any use of gets warrants an unconditional warning.  Assume it is
+    always declared, since it is required by C89.  */
++#if defined gets
+ #undef gets
+ _GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
++#endif
+ 
+ #if @GNULIB_FOPEN@
+ # if @REPLACE_FOPEN@
diff --git a/meta/recipes-extended/tar/tar_1.26.bb b/meta/recipes-extended/tar/tar_1.26.bb
index e679ccb..dfe63b1 100644
--- a/meta/recipes-extended/tar/tar_1.26.bb
+++ b/meta/recipes-extended/tar/tar_1.26.bb
@@ -3,7 +3,10 @@ require tar.inc
 LICENSE = "GPLv3"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
-PR = "r1"
+PR = "r2"
+
+SRC_URI += "file://remove-gets.patch \
+           "
 
 SRC_URI[md5sum] = "2cee42a2ff4f1cd4f9298eeeb2264519"
 SRC_URI[sha256sum] = "5a5369f464502a598e938029c310d4b3abd51e6bb8dfd045663e61c8ea9f6d41"
diff --git a/meta/recipes-extended/wget/wget-1.13.4/remove-gets.patch b/meta/recipes-extended/wget/wget-1.13.4/remove-gets.patch
new file mode 100644
index 0000000..ed1d019
--- /dev/null
+++ b/meta/recipes-extended/wget/wget-1.13.4/remove-gets.patch
@@ -0,0 +1,23 @@
+ISO C11 removes the specification of gets() from the C language, eglibc 2.16+ removed it
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+Upstream-Status: Pending
+Index: wget-1.13.4/lib/stdio.in.h
+===================================================================
+--- wget-1.13.4.orig/lib/stdio.in.h	2011-09-13 01:15:14.000000000 -0700
++++ wget-1.13.4/lib/stdio.in.h	2012-07-04 12:22:45.749092515 -0700
+@@ -693,11 +693,13 @@
+ _GL_CXXALIAS_SYS (gets, char *, (char *s));
+ #  undef gets
+ # endif
++# if defined gets
+ _GL_CXXALIASWARN (gets);
+ /* It is very rare that the developer ever has full control of stdin,
+    so any use of gets warrants an unconditional warning.  Assume it is
+    always declared, since it is required by C89.  */
+ _GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
++# endif
+ #endif
+ 
+ 
diff --git a/meta/recipes-extended/wget/wget_1.13.4.bb b/meta/recipes-extended/wget/wget_1.13.4.bb
index e20ff48..9a9441e 100644
--- a/meta/recipes-extended/wget/wget_1.13.4.bb
+++ b/meta/recipes-extended/wget/wget_1.13.4.bb
@@ -1,7 +1,8 @@
-PR = "${INC_PR}.2"
+PR = "${INC_PR}.3"
 
 SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
            file://fix_makefile.patch \
+           file://remove-gets.patch \
           "
 SRC_URI[md5sum] = "1df489976a118b9cbe1b03502adbfc27"
 SRC_URI[sha256sum] = "24c7710bc9f220ce23d8a9e0f5673b0efc1cace62db6de0239b5863ecc934dcd"
-- 
1.7.9.5

[PATCH 06/15] sysklogd: removed tabs from syslog.conf

[Scott Garman]

From: Mihai Lindner <mihaix.lindner@linux.intel.com>

Yocto #2926: syslog.conf should not have tabs within the selector field.
Removed tabs from the selector field of syslog rules. Tabs or spaces
should be used, in syslog.conf, only when separating selectors from
actions.

(From OE-Core rev: 1316be4e597332a629842b3f5a7dde8e45dd057d)

Signed-off-by: Mihai Lindner <mihaix.lindner@linux.intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Resolved merge conflicts with denzil branch.

Signed-off-by: Scott Garman <scott.a.garman@intel.com>
---
 meta/recipes-extended/sysklogd/files/syslog.conf |   23 +++++++++++-----------
 meta/recipes-extended/sysklogd/sysklogd_1.5.bb   |    2 +-
 2 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/meta/recipes-extended/sysklogd/files/syslog.conf b/meta/recipes-extended/sysklogd/files/syslog.conf
index 7d1858c..0849de1 100644
--- a/meta/recipes-extended/sysklogd/files/syslog.conf
+++ b/meta/recipes-extended/sysklogd/files/syslog.conf
@@ -34,12 +34,13 @@ news.notice			-/var/log/news.notice
 # Some `catch-all' logfiles.
 #
 *.=debug;\
-	auth,authpriv.none;\
-	news.none;mail.none	-/var/log/debug
+auth,authpriv.none;\
+news.none;mail.none	-/var/log/debug
+
 *.=info;*.=notice;*.=warn;\
-	auth,authpriv.none;\
-	cron,daemon.none;\
-	mail,news.none		-/var/log/messages
+auth,authpriv.none;\
+cron,daemon.none;\
+mail,news.none		-/var/log/messages
 
 #
 # Emergencies are sent to everybody logged in.
@@ -51,9 +52,9 @@ news.notice			-/var/log/news.notice
 # console I usually leave idle.
 #
 #daemon,mail.*;\
-#	news.=crit;news.=err;news.=notice;\
-#	*.=debug;*.=info;\
-#	*.=notice;*.=warn	/dev/tty8
+#news.=crit;news.=err;news.=notice;\
+#*.=debug;*.=info;\
+#*.=notice;*.=warn	/dev/tty8
 
 # The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
 # you must invoke `xconsole' with the `-file' option:
@@ -64,7 +65,7 @@ news.notice			-/var/log/news.notice
 #      busy site..
 #
 daemon.*;mail.*;\
-	news.err;\
-	*.=debug;*.=info;\
-	*.=notice;*.=warn	|/dev/xconsole
+news.err;\
+*.=debug;*.=info;\
+*.=notice;*.=warn	|/dev/xconsole
 
diff --git a/meta/recipes-extended/sysklogd/sysklogd_1.5.bb b/meta/recipes-extended/sysklogd/sysklogd_1.5.bb
index b58094e..471c8c8 100644
--- a/meta/recipes-extended/sysklogd/sysklogd_1.5.bb
+++ b/meta/recipes-extended/sysklogd/sysklogd_1.5.bb
@@ -1,5 +1,5 @@
 require sysklogd.inc
-PR = "r5"
+PR = "r6"
 
 SRC_URI[md5sum] = "e053094e8103165f98ddafe828f6ae4b"
 SRC_URI[sha256sum] = "6169b8e91d29288e90404f01462b69e7f2afb1161aa419826fe4736c7f9eb773"
-- 
1.7.9.5

[PATCH 07/15] psplash: new patch to fix segfault

[Scott Garman]

This fixes a segmentation fault when passing -a without
an argument.

Fixes [YOCTO #2903]

Signed-off-by: Scott Garman <scott.a.garman@intel.com>
---
 .../files/psplash_fix_bad_arg_segfault.patch       |   22 ++++++++++++++++++++
 meta/recipes-core/psplash/psplash_git.bb           |    3 ++-
 2 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-core/psplash/files/psplash_fix_bad_arg_segfault.patch

diff --git a/meta/recipes-core/psplash/files/psplash_fix_bad_arg_segfault.patch b/meta/recipes-core/psplash/files/psplash_fix_bad_arg_segfault.patch
new file mode 100644
index 0000000..f69c8a2
--- /dev/null
+++ b/meta/recipes-core/psplash/files/psplash_fix_bad_arg_segfault.patch
@@ -0,0 +1,22 @@
+Fix segmentation fault when passing -a without angle value.
+
+When psplash -a is called instead of psplash -a<angle value>, it will
+cause a segmentation fault by calling an out of bound argv[]. 
+
+Upstream-Status: Accepted
+Needed for denzil since we're not upgrading the recipe.
+
+Signed-off-by: Scott Garman <scott.a.garman@intel.com>
+
+diff -urN git.orig/psplash.c git/psplash.c
+--- git.orig/psplash.c	2012-12-22 21:28:05.830631789 -0800
++++ git/psplash.c	2012-12-22 21:29:54.962633330 -0800
+@@ -219,7 +219,7 @@
+ 
+       if (!strcmp(argv[i],"-a") || !strcmp(argv[i],"--angle"))
+         {
+-	  if (++i > argc) goto fail;
++	  if (++i >= argc) goto fail;
+ 	  angle = atoi(argv[i]);
+ 	  continue;
+ 	}
diff --git a/meta/recipes-core/psplash/psplash_git.bb b/meta/recipes-core/psplash/psplash_git.bb
index f93afea..56a953b 100644
--- a/meta/recipes-core/psplash/psplash_git.bb
+++ b/meta/recipes-core/psplash/psplash_git.bb
@@ -7,10 +7,11 @@ LIC_FILES_CHKSUM = "file://psplash.h;beginline=1;endline=16;md5=840fb2356b10a85b
 
 SRCREV = "e05374aae945bcfc6d962ed0d7b2774b77987e1d"
 PV = "0.1+git${SRCPV}"
-PR = "r2"
+PR = "r3"
 
 SRC_URI = "git://git.yoctoproject.org/${BPN};protocol=git \
            file://psplash-init \
+           file://psplash_fix_bad_arg_segfault.patch \
            ${SPLASH_IMAGES}"
 
 SPLASH_IMAGES = "file://psplash-poky-img.h;outsuffix=default"
-- 
1.7.9.5

[PATCH 08/15] build-appliance-image: Allow SRCREV to be overriden

[Scott Garman]

This will allow use to automagically set the SRCREV for builds on the
autobuilder. It will still require manual updating for releases.

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-core/images/build-appliance-image.bb |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/images/build-appliance-image.bb b/meta/recipes-core/images/build-appliance-image.bb
index 77d3b0d..a82dfdd 100644
--- a/meta/recipes-core/images/build-appliance-image.bb
+++ b/meta/recipes-core/images/build-appliance-image.bb
@@ -20,7 +20,7 @@ IMAGE_FSTYPES = "vmdk"
 
 inherit core-image
 
-SRCREV = "73cdebf60df225ee10f2eb215935be3b61e1b831"
+SRCREV ?= "73cdebf60df225ee10f2eb215935be3b61e1b831"
 SRC_URI = "git://git.yoctoproject.org/poky;protocol=git \
            file://Yocto_Build_Appliance.vmx \
            file://Yocto_Build_Appliance.vmxf \
-- 
1.7.9.5

[PATCH 09/15] boot-directdisk: Fix kernel location after STAGING_KERNEL_DIR change

[Scott Garman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

This catches up with the STAGING_KERNEL_DIR location change
and uses the correct variable to future proof this issue.

[YOCTO #2783]

(From OE-Core rev: 28715eff6dff3415b1d7b0be8cbb465c417e307f)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/classes/boot-directdisk.bbclass |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/boot-directdisk.bbclass b/meta/classes/boot-directdisk.bbclass
index 7d8f8ff..1c601c6 100644
--- a/meta/classes/boot-directdisk.bbclass
+++ b/meta/classes/boot-directdisk.bbclass
@@ -46,7 +46,7 @@ build_boot_dd() {
 	IMAGE=${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.hdddirect
 
 	install -d ${HDDDIR}
-	install -m 0644 ${STAGING_DIR_HOST}/kernel/bzImage ${HDDDIR}/vmlinuz
+	install -m 0644 ${STAGING_KERNEL_DIR}/bzImage ${HDDDIR}/vmlinuz
 	install -m 0644 ${S}/syslinux.cfg ${HDDDIR}/syslinux.cfg
 	install -m 444 ${STAGING_LIBDIR}/syslinux/ldlinux.sys ${HDDDIR}/ldlinux.sys
 
-- 
1.7.9.5

[PATCH 10/15] gitignore: add generated doc files to ignore list

[Scott Garman]

Signed-off-by: Scott Garman <scott.a.garman@intel.com>
---
 .gitignore |   24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index f8db092..32ade34 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,5 +17,25 @@ meta-*
 *.orig
 *.rej
 *~
-
-
+documentation/adt-manual/adt-manual.html
+documentation/adt-manual/adt-manual.pdf
+documentation/adt-manual/adt-manual.tgz
+documentation/dev-manual/dev-manual.html
+documentation/dev-manual/dev-manual.pdf
+documentation/dev-manual/dev-manual.tgz
+documentation/poky-ref-manual/poky-ref-manual.html
+documentation/poky-ref-manual/poky-ref-manual.pdf
+documentation/poky-ref-manual/poky-ref-manual.tgz
+documentation/poky-ref-manual/bsp-guide.html
+documentation/poky-ref-manual/bsp-guide.pdf
+documentation/bsp-guide/bsp-guide.html
+documentation/bsp-guide/bsp-guide.pdf
+documentation/bsp-guide/bsp-guide.tgz
+documentation/yocto-project-qs/yocto-project-qs.html
+documentation/yocto-project-qs/yocto-project-qs.tgz
+documentation/kernel-manual/kernel-manual.html
+documentation/kernel-manual/kernel-manual.tgz
+documentation/kernel-manual/kernel-manual.pdf
+documentation/mega-manual/mega-manual.html
+documentation/mega-manual/mega-manual.pdf
+documentation/mega-manual/mega-manual.tgz
-- 
1.7.9.5

[PATCH 11/15] libxml2: patch for CVE-2012-2871

[Scott Garman]

the patch come from:
http://src.chromium.org/viewvc/chrome/trunk/src/third_party/libxml/ \
src/include/libxml/tree.h?r1=56276&r2=149930

libxml2 2.9.0-rc1 and earlier, as used in Google Chrome before
21.0.1180.89, does not properly support a cast of an unspecified
variable during handling of XSL transforms, which allows remote
attackers to cause a denial of service or possibly have unknown other
impact via a crafted document, related to the _xmlNs data structure in
include/libxml/tree.h.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2871

[YOCTO #3580]
[ CQID: WIND00376779 ]

Signed-off-by: Li Wang <li.wang at windriver.com>

This fixes denzil bug [YOCTO #3648]

Signed-off-by: Scott Garman <scott.a.garman@intel.com>
---
 .../libxml/libxml2/libxml2-CVE-2012-2871.patch     |   36 ++++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.8.0.bb          |    4 ++-
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-core/libxml/libxml2/libxml2-CVE-2012-2871.patch

diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2012-2871.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2012-2871.patch
new file mode 100644
index 0000000..41b19d0
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2012-2871.patch
@@ -0,0 +1,36 @@
+libxml2 CVE-2012-2871
+
+the patch come from:
+http://src.chromium.org/viewvc/chrome/trunk/src/third_party/libxml/src \
+/include/libxml/tree.h?r1=56276&r2=149930
+
+libxml2 2.9.0-rc1 and earlier, as used in Google Chrome before 21.0.1180.89,
+does not properly support a cast of an unspecified variable during handling
+of XSL transforms, which allows remote attackers to cause a denial of service
+or possibly have unknown other impact via a crafted document, related to the
+_xmlNs data structure in include/libxml/tree.h.
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2871
+
+Upstream-Status: Pending
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ include/libxml/tree.h |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/include/libxml/tree.h b/include/libxml/tree.h
+index b733589..5422dda 100644
+--- a/include/libxml/tree.h
++++ b/include/libxml/tree.h
+@@ -351,6 +351,7 @@ struct _xmlNs {
+     struct _xmlNs  *next;	/* next Ns link for this node  */
+     xmlNsType      type;	/* global or local */
+     const xmlChar *href;	/* URL for the namespace */
++    const char *dummy_children;	/* lines up with node->children */
+     const xmlChar *prefix;	/* prefix for the namespace */
+     void           *_private;   /* application data */
+     struct _xmlDoc *context;		/* normally an xmlDoc */
+-- 
+1.7.0.5
+
diff --git a/meta/recipes-core/libxml/libxml2_2.8.0.bb b/meta/recipes-core/libxml/libxml2_2.8.0.bb
index fe9ec05..f2790b3 100644
--- a/meta/recipes-core/libxml/libxml2_2.8.0.bb
+++ b/meta/recipes-core/libxml/libxml2_2.8.0.bb
@@ -1,6 +1,8 @@
 require libxml2.inc
 
-PR = "r1"
+PR = "r2"
 
 SRC_URI[md5sum] = "c62106f02ee00b6437f0fb9d370c1093"
 SRC_URI[sha256sum] = "f2e2d0e322685193d1affec83b21dc05d599e17a7306d7b90de95bb5b9ac622a"
+
+SRC_URI += "file://libxml2-CVE-2012-2871.patch"
-- 
1.7.9.5

[PATCH 12/15] freetype: patches for CVE-2012-5668, 5669, and 5670

[Scott Garman]

For details of these security issues, please see:

http://www.openwall.com/lists/oss-security/2012/12/25/1

Thanks to Eren Turkay <eren@hambedded.org> for submitting source
patches that apply cleanly to freetype 2.4.9.

This fixes denzil bug [YOCTO #3649]

Signed-off-by: Scott Garman <scott.a.garman@intel.com>
---
 .../freetype/freetype-2.4.9/CVE-2012-5668.patch    |   31 ++++++++++++++++++++
 .../freetype/freetype-2.4.9/CVE-2012-5669.patch    |   31 ++++++++++++++++++++
 .../freetype/freetype-2.4.9/CVE-2012-5670.patch    |   29 ++++++++++++++++++
 meta/recipes-graphics/freetype/freetype_2.4.9.bb   |    7 +++--
 4 files changed, 96 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5668.patch
 create mode 100644 meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5669.patch
 create mode 100644 meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5670.patch

diff --git a/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5668.patch b/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5668.patch
new file mode 100644
index 0000000..609d73d
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5668.patch
@@ -0,0 +1,31 @@
+From 9b6b5754b57c12b820e01305eb69b8863a161e5a Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 15 Dec 2012 00:34:41 +0000
+Subject: [bdf] Fix Savannah bug #37905.
+
+* src/bdf/bdflib.c (_bdf_parse_start): Reset `props_size' to zero in
+case of allocation error; this value gets used in a loop in
+`bdf_free_font'.
+
+Upstream-Status: Pending
+
+Signed-off-by: Eren Turkay <eren@hambedded.org>
+Signed-off-by: Scott Garman <scott.a.garman@intel.com>
+---
+diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
+index ed08a6e..8d7f9a0 100644
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -2169,7 +2169,10 @@
+       p->cnt = p->font->props_size = _bdf_atoul( p->list.field[1], 0, 10 );
+ 
+       if ( FT_NEW_ARRAY( p->font->props, p->cnt ) )
++      {
++        p->font->props_size = 0;
+         goto Exit;
++      }
+ 
+       p->flags |= _BDF_PROPS;
+       *next     = _bdf_parse_properties;
+--
+cgit v0.9.0.2
diff --git a/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5669.patch b/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5669.patch
new file mode 100644
index 0000000..e4a991e
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5669.patch
@@ -0,0 +1,31 @@
+From 07bdb6e289c7954e2a533039dc93c1c136099d2d Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 15 Dec 2012 01:02:23 +0000
+Subject: [bdf] Fix Savannah bug #37906.
+
+* src/bdf/bdflib.c (_bdf_parse_glyphs): Use correct array size for
+checking `glyph_enc'.
+
+Upstream-Status: Pending
+
+Signed-off-by: Eren Turkay <eren@hambedded.org>
+Signed-off-by: Scott Garman <scott.a.garman@intel.com>
+---
+diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
+index 8d7f9a0..f9c06ca 100644
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -1628,8 +1628,9 @@
+ 
+       /* Check that the encoding is in the Unicode range because  */
+       /* otherwise p->have (a bitmap with static size) overflows. */
+-      if ( p->glyph_enc > 0                               &&
+-           (size_t)p->glyph_enc >= sizeof ( p->have ) * 8 )
++      if ( p->glyph_enc > 0                                      &&
++           (size_t)p->glyph_enc >= sizeof ( p->have ) /
++                                   sizeof ( unsigned long ) * 32 )
+       {
+         FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG5, lineno, "ENCODING" ));
+         error = BDF_Err_Invalid_File_Format;
+--
+cgit v0.9.0.2
diff --git a/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5670.patch b/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5670.patch
new file mode 100644
index 0000000..73a41ca
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5670.patch
@@ -0,0 +1,29 @@
+From 7f2e4f4f553f6836be7683f66226afac3fa979b8 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 15 Dec 2012 08:39:41 +0000
+Subject: [bdf] Fix Savannah bug #37907.
+
+* src/bdf/bdflib.c (_bdf_parse_glyphs) <ENCODING>: Normalize
+negative second parameter of `ENCODING' field also.
+
+Upstream-Status: Pending
+
+Signed-off-by: Eren Turkay <eren@hambedded.org>
+Signed-off-by: Scott Garman <scott.a.garman@intel.com>
+---
+diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
+index f9c06ca..365e671 100644
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -1624,6 +1624,9 @@
+       if ( p->glyph_enc == -1 && p->list.used > 2 )
+         p->glyph_enc = _bdf_atol( p->list.field[2], 0, 10 );
+ 
++      if ( p->glyph_enc < -1 )
++        p->glyph_enc = -1;
++
+       FT_TRACE4(( DBGMSG2, p->glyph_enc ));
+ 
+       /* Check that the encoding is in the Unicode range because  */
+--
+cgit v0.9.0.2
diff --git a/meta/recipes-graphics/freetype/freetype_2.4.9.bb b/meta/recipes-graphics/freetype/freetype_2.4.9.bb
index 31bee80..6aa0f60 100644
--- a/meta/recipes-graphics/freetype/freetype_2.4.9.bb
+++ b/meta/recipes-graphics/freetype/freetype_2.4.9.bb
@@ -13,10 +13,13 @@ LIC_FILES_CHKSUM = "file://docs/LICENSE.TXT;md5=28d5381b1bef2649c59f20c20bae4f39
 
 SECTION = "libs"
 
-PR = "r0"
+PR = "r1"
 
 SRC_URI = "${SOURCEFORGE_MIRROR}/freetype/freetype-${PV}.tar.bz2 \
-           file://no-hardcode.patch"
+           file://no-hardcode.patch \
+           file://CVE-2012-5668.patch \
+           file://CVE-2012-5669.patch \
+           file://CVE-2012-5670.patch"
 
 SRC_URI[md5sum] = "77a893dae81fd5b896632715ca041179"
 SRC_URI[sha256sum] = "c4204ac1d48e99d4375a2f32bf4f3f92780a9d9f015e64e57e852f6c004859b9"
-- 
1.7.9.5

[PATCH 13/15] squashfs: fix CVE-2012-4025

[Scott Garman]

From: "yanjun.zhu" <yanjun.zhu@windriver.com>

CQID:WIND00366813

Reference: http://squashfs.git.sourceforge.net/git/gitweb.cgi?
p=squashfs/squashfs;a=patch;h=8515b3d420f502c5c0236b86e2d6d7e3b23c190e

Integer overflow in the queue_init function in unsquashfs.c in
unsquashfs in Squashfs 4.2 and earlier allows remote attackers
to execute arbitrary code via a crafted block_log field in the
superblock of a .sqsh file, leading to a heap-based buffer overflow.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4025

Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>

[YOCTO #3564]
Signed-off-by: Saul Wold <sgw@linux.intel.com>
---
 .../patches/squashfs-4.2-fix-CVE-2012-4025.patch   |  190 +++++++++++++++++
 ...dd-a-commment-and-fix-some-other-comments.patch |   38 ++++
 .../patches/squashfs-fix-open-file-limit.patch     |  215 ++++++++++++++++++++
 .../squashfs-tools/squashfs-tools_4.2.bb           |    5 +-
 4 files changed, 447 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4025.patch
 create mode 100644 meta/recipes-devtools/squashfs-tools/patches/squashfs-add-a-commment-and-fix-some-other-comments.patch
 create mode 100644 meta/recipes-devtools/squashfs-tools/patches/squashfs-fix-open-file-limit.patch

diff --git a/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4025.patch b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4025.patch
new file mode 100644
index 0000000..0dabfba
--- /dev/null
+++ b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4025.patch
@@ -0,0 +1,190 @@
+Upstream-Status: Backport
+
+Reference: http://squashfs.git.sourceforge.net/git/gitweb.cgi?
+p=squashfs/squashfs;a=patch;h=8515b3d420f502c5c0236b86e2d6d7e3b23c190e
+
+Integer overflow in the queue_init function in unsquashfs.c in
+unsquashfs in Squashfs 4.2 and earlier allows remote attackers
+to execute arbitrary code via a crafted block_log field in the
+superblock of a .sqsh file, leading to a heap-based buffer overflow.
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4025
+
+Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> 
+
+--- a/unsquashfs.c	2012-11-30 17:57:57.000000000 +0800
++++ b/unsquashfs.c	2012-11-30 17:58:09.000000000 +0800
+@@ -33,6 +33,7 @@
+ #include <sys/types.h>
+ #include <sys/time.h>
+ #include <sys/resource.h>
++#include <limits.h>
+ 
+ struct cache *fragment_cache, *data_cache;
+ struct queue *to_reader, *to_deflate, *to_writer, *from_writer;
+@@ -138,6 +139,24 @@ void sigalrm_handler()
+ }
+ 
+ 
++int add_overflow(int a, int b)
++{
++	return (INT_MAX - a) < b;
++}
++
++
++int shift_overflow(int a, int shift)
++{
++	return (INT_MAX >> shift) < a;
++}
++
++ 
++int multiply_overflow(int a, int multiplier)
++{
++	return (INT_MAX / multiplier) < a;
++}
++
++
+ struct queue *queue_init(int size)
+ {
+ 	struct queue *queue = malloc(sizeof(struct queue));
+@@ -145,6 +164,10 @@ struct queue *queue_init(int size)
+ 	if(queue == NULL)
+ 		EXIT_UNSQUASH("Out of memory in queue_init\n");
+ 
++	if(add_overflow(size, 1) ||
++				multiply_overflow(size + 1, sizeof(void *)))
++		EXIT_UNSQUASH("Size too large in queue_init\n");
++
+ 	queue->data = malloc(sizeof(void *) * (size + 1));
+ 	if(queue->data == NULL)
+ 		EXIT_UNSQUASH("Out of memory in queue_init\n");
+@@ -1948,13 +1971,30 @@ void initialise_threads(int fragment_buf
+ 	 * allocate to_reader, to_deflate and to_writer queues.  Set based on
+ 	 * open file limit and cache size, unless open file limit is unlimited,
+ 	 * in which case set purely based on cache limits
++	 *
++	 * In doing so, check that the user supplied values do not overflow
++	 * a signed int
+ 	 */
+ 	if (max_files != -1) {
++		if(add_overflow(data_buffer_size, max_files) ||
++				add_overflow(data_buffer_size, max_files * 2))
++			EXIT_UNSQUASH("Data queue size is too large\n");
++
+ 		to_reader = queue_init(max_files + data_buffer_size);
+ 		to_deflate = queue_init(max_files + data_buffer_size);
+ 		to_writer = queue_init(max_files * 2 + data_buffer_size);
+ 	} else {
+-		int all_buffers_size = fragment_buffer_size + data_buffer_size;
++		int all_buffers_size;
++
++		if(add_overflow(fragment_buffer_size, data_buffer_size))
++			EXIT_UNSQUASH("Data and fragment queues combined are"
++							" too large\n");
++
++		all_buffers_size = fragment_buffer_size + data_buffer_size;
++
++		if(add_overflow(all_buffers_size, all_buffers_size))
++			EXIT_UNSQUASH("Data and fragment queues combined are"
++							" too large\n");
+ 
+ 		to_reader = queue_init(all_buffers_size);
+ 		to_deflate = queue_init(all_buffers_size);
+@@ -2059,6 +2099,32 @@ void progress_bar(long long current, lon
+ }
+ 
+ 
++int parse_number(char *arg, int *res)
++{
++	char *b;
++	long number = strtol(arg, &b, 10);
++
++	/* check for trailing junk after number */
++	if(*b != '\0')
++		return 0;
++
++	/* check for strtol underflow or overflow in conversion */
++	if(number == LONG_MIN || number == LONG_MAX)
++		return 0;
++
++	/* reject negative numbers as invalid */
++	if(number < 0)
++		return 0;
++
++	/* check if long result will overflow signed int */
++	if(number > INT_MAX)
++		return 0;
++
++	*res = number;
++	return 1;
++}
++
++
+ #define VERSION() \
+ 	printf("unsquashfs version 4.2 (2011/02/28)\n");\
+ 	printf("copyright (C) 2011 Phillip Lougher "\
+@@ -2140,8 +2206,8 @@ int main(int argc, char *argv[])
+ 		} else if(strcmp(argv[i], "-data-queue") == 0 ||
+ 					 strcmp(argv[i], "-da") == 0) {
+ 			if((++i == argc) ||
+-					(data_buffer_size = strtol(argv[i], &b,
+-					 10), *b != '\0')) {
++					!parse_number(argv[i],
++						&data_buffer_size)) {
+ 				ERROR("%s: -data-queue missing or invalid "
+ 					"queue size\n", argv[0]);
+ 				exit(1);
+@@ -2154,8 +2220,8 @@ int main(int argc, char *argv[])
+ 		} else if(strcmp(argv[i], "-frag-queue") == 0 ||
+ 					strcmp(argv[i], "-fr") == 0) {
+ 			if((++i == argc) ||
+-					(fragment_buffer_size = strtol(argv[i],
+-					 &b, 10), *b != '\0')) {
++					!parse_number(argv[i],
++						&fragment_buffer_size)) {
+ 				ERROR("%s: -frag-queue missing or invalid "
+ 					"queue size\n", argv[0]);
+ 				exit(1);
+@@ -2280,11 +2346,39 @@ options:
+ 	block_log = sBlk.s.block_log;
+ 
+ 	/*
++	 * Sanity check block size and block log.
++	 *
++	 * Check they're within correct limits
++	 */
++	if(block_size > SQUASHFS_FILE_MAX_SIZE ||
++					block_log > SQUASHFS_FILE_MAX_LOG)
++		EXIT_UNSQUASH("Block size or block_log too large."
++			"  File system is corrupt.\n");
++
++	/*
++	 * Check block_size and block_log match
++	 */
++	if(block_size != (1 << block_log))
++		EXIT_UNSQUASH("Block size and block_log do not match."
++			"  File system is corrupt.\n");
++
++	/*
+ 	 * convert from queue size in Mbytes to queue size in
+-	 * blocks
++	 * blocks.
++	 *
++	 * In doing so, check that the user supplied values do not
++	 * overflow a signed int
+ 	 */
+-	fragment_buffer_size <<= 20 - block_log;
+-	data_buffer_size <<= 20 - block_log;
++	if(shift_overflow(fragment_buffer_size, 20 - block_log))
++		EXIT_UNSQUASH("Fragment queue size is too large\n");
++	else
++		fragment_buffer_size <<= 20 - block_log;
++
++	if(shift_overflow(data_buffer_size, 20 - block_log))
++		EXIT_UNSQUASH("Data queue size is too large\n");
++	else
++		data_buffer_size <<= 20 - block_log;
++
+ 	initialise_threads(fragment_buffer_size, data_buffer_size);
+ 
+ 	fragment_data = malloc(block_size);
diff --git a/meta/recipes-devtools/squashfs-tools/patches/squashfs-add-a-commment-and-fix-some-other-comments.patch b/meta/recipes-devtools/squashfs-tools/patches/squashfs-add-a-commment-and-fix-some-other-comments.patch
new file mode 100644
index 0000000..fa075f9
--- /dev/null
+++ b/meta/recipes-devtools/squashfs-tools/patches/squashfs-add-a-commment-and-fix-some-other-comments.patch
@@ -0,0 +1,38 @@
+Upstream-Status: Backport
+
+unsquashfs: add a commment and fix some other comments
+
+Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> 
+
+diff -urpN a/unsquashfs.c b/unsquashfs.c
+--- a/unsquashfs.c	2012-11-30 15:27:14.000000000 +0800
++++ b/unsquashfs.c	2012-11-30 15:27:56.000000000 +0800
+@@ -814,7 +814,7 @@ int write_file(struct inode *inode, char
+ 
+ 	/*
+ 	 * the writer thread is queued a squashfs_file structure describing the
+- 	 * file.  If the file has one or more blocks or a fragments they are
++ 	 * file.  If the file has one or more blocks or a fragment they are
+  	 * queued separately (references to blocks in the cache).
+  	 */
+ 	file->fd = file_fd;
+@@ -838,7 +838,7 @@ int write_file(struct inode *inode, char
+ 		block->offset = 0;
+ 		block->size = i == file_end ? inode->data & (block_size - 1) :
+ 			block_size;
+-		if(block_list[i] == 0) /* sparse file */
++		if(block_list[i] == 0) /* sparse block */
+ 			block->buffer = NULL;
+ 		else {
+ 			block->buffer = cache_get(data_cache, start,
+@@ -2161,6 +2161,10 @@ options:
+ 	block_size = sBlk.s.block_size;
+ 	block_log = sBlk.s.block_log;
+ 
++	/*
++	 * convert from queue size in Mbytes to queue size in
++	 * blocks
++	 */
+ 	fragment_buffer_size <<= 20 - block_log;
+ 	data_buffer_size <<= 20 - block_log;
+ 	initialise_threads(fragment_buffer_size, data_buffer_size);
diff --git a/meta/recipes-devtools/squashfs-tools/patches/squashfs-fix-open-file-limit.patch b/meta/recipes-devtools/squashfs-tools/patches/squashfs-fix-open-file-limit.patch
new file mode 100644
index 0000000..c60f7b4
--- /dev/null
+++ b/meta/recipes-devtools/squashfs-tools/patches/squashfs-fix-open-file-limit.patch
@@ -0,0 +1,215 @@
+Upstream-Status: Backport
+
+unsquashfs: fix open file limit
+
+Previously Unsquashfs relied on the to_writer queue being
+set to 1000 to limit the amount of open file read-ahead to a
+maximum of 500.  For the default process limit of 1024 open files
+this was perhaps acceptable, but it obviously breaks if ulimit has
+been used to set the open file limit to below 504 (this includes
+stdin, stdout, stderr and the Squashfs filesystem being unsquashed).
+
+More importantly setting the to_writer queue to 1000 to limit
+the amount of files open has always been an inherent performance
+hit because the to_writer queue queues blocks.  It limits the
+block readhead to 1000 blocks, irrespective of how many files
+that represents.  A single file containing more than 1000 blocks
+will still be limited to a 1000 block readahead even though the
+data block cache typically can buffer more than this (at the
+default data cache size of 256 Mbytes and the default block size
+of 128 Kbytes, it can buffer 2048 blocks).  Obviously the
+caches serve more than just a read-ahead role (they also
+cache decompressed blocks in case they're referenced later e.g.
+by duplicate files), but the artificial limit imposed on
+the read-ahead due to setting the to_writer queue to 1000 is
+unnecessary.
+
+This commit does away with the need to limit the to_writer queue,
+by introducing open_wait() and close_wake() calls which correctly
+track the amount of open files.
+
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+
+Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> 
+
+diff -urpN a/unsquashfs.c b/unsquashfs.c
+--- a/unsquashfs.c	2012-11-30 15:31:29.000000000 +0800
++++ b/unsquashfs.c	2012-11-30 15:32:03.000000000 +0800
+@@ -31,6 +31,8 @@
+ 
+ #include <sys/sysinfo.h>
+ #include <sys/types.h>
++#include <sys/time.h>
++#include <sys/resource.h>
+ 
+ struct cache *fragment_cache, *data_cache;
+ struct queue *to_reader, *to_deflate, *to_writer, *from_writer;
+@@ -784,6 +786,46 @@ failure:
+ }
+ 
+ 
++pthread_mutex_t open_mutex = PTHREAD_MUTEX_INITIALIZER;
++pthread_cond_t open_empty = PTHREAD_COND_INITIALIZER;
++int open_unlimited, open_count;
++#define OPEN_FILE_MARGIN 10
++
++
++void open_init(int count)
++{
++	open_count = count;
++	open_unlimited = count == -1;
++}
++
++
++int open_wait(char *pathname, int flags, mode_t mode)
++{
++	if (!open_unlimited) {
++		pthread_mutex_lock(&open_mutex);
++		while (open_count == 0)
++			pthread_cond_wait(&open_empty, &open_mutex);
++		open_count --;
++		pthread_mutex_unlock(&open_mutex);
++	}
++
++	return open(pathname, flags, mode);
++}
++
++
++void close_wake(int fd)
++{
++	close(fd);
++
++	if (!open_unlimited) {
++		pthread_mutex_lock(&open_mutex);
++		open_count ++;
++		pthread_cond_signal(&open_empty);
++		pthread_mutex_unlock(&open_mutex);
++	}
++}
++
++
+ int write_file(struct inode *inode, char *pathname)
+ {
+ 	unsigned int file_fd, i;
+@@ -794,8 +836,8 @@ int write_file(struct inode *inode, char
+ 
+ 	TRACE("write_file: regular file, blocks %d\n", inode->blocks);
+ 
+-	file_fd = open(pathname, O_CREAT | O_WRONLY | (force ? O_TRUNC : 0),
+-		(mode_t) inode->mode & 0777);
++	file_fd = open_wait(pathname, O_CREAT | O_WRONLY |
++		(force ? O_TRUNC : 0), (mode_t) inode->mode & 0777);
+ 	if(file_fd == -1) {
+ 		ERROR("write_file: failed to create file %s, because %s\n",
+ 			pathname, strerror(errno));
+@@ -1712,7 +1754,7 @@ void *writer(void *arg)
+ 			}
+ 		}
+ 
+-		close(file_fd);
++		close_wake(file_fd);
+ 		if(failed == FALSE)
+ 			set_attributes(file->pathname, file->mode, file->uid,
+ 				file->gid, file->time, file->xattr, force);
+@@ -1803,9 +1845,9 @@ void *progress_thread(void *arg)
+ 
+ void initialise_threads(int fragment_buffer_size, int data_buffer_size)
+ {
+-	int i;
++	struct rlimit rlim;
++	int i, max_files, res;
+ 	sigset_t sigmask, old_mask;
+-	int all_buffers_size = fragment_buffer_size + data_buffer_size;
+ 
+ 	sigemptyset(&sigmask);
+ 	sigaddset(&sigmask, SIGINT);
+@@ -1841,10 +1883,86 @@ void initialise_threads(int fragment_buf
+ 		EXIT_UNSQUASH("Out of memory allocating thread descriptors\n");
+ 	deflator_thread = &thread[3];
+ 
+-	to_reader = queue_init(all_buffers_size);
+-	to_deflate = queue_init(all_buffers_size);
+-	to_writer = queue_init(1000);
++	/*
++	 * dimensioning the to_reader and to_deflate queues.  The size of
++	 * these queues is directly related to the amount of block
++	 * read-ahead possible.  To_reader queues block read requests to
++	 * the reader thread and to_deflate queues block decompression
++	 * requests to the deflate thread(s) (once the block has been read by
++	 * the reader thread).  The amount of read-ahead is determined by
++	 * the combined size of the data_block and fragment caches which
++	 * determine the total number of blocks which can be "in flight"
++	 * at any one time (either being read or being decompressed)
++	 *
++	 * The maximum file open limit, however, affects the read-ahead
++	 * possible, in that for normal sizes of the fragment and data block
++	 * caches, where the incoming files have few data blocks or one fragment
++	 * only, the file open limit is likely to be reached before the
++	 * caches are full.  This means the worst case sizing of the combined
++	 * sizes of the caches is unlikely to ever be necessary.  However, is is
++	 * obvious read-ahead up to the data block cache size is always possible
++	 * irrespective of the file open limit, because a single file could
++	 * contain that number of blocks.
++	 *
++	 * Choosing the size as "file open limit + data block cache size" seems
++	 * to be a reasonable estimate.  We can reasonably assume the maximum
++	 * likely read-ahead possible is data block cache size + one fragment
++	 * per open file.
++	 *
++	 * dimensioning the to_writer queue.  The size of this queue is
++	 * directly related to the amount of block read-ahead possible.
++	 * However, unlike the to_reader and to_deflate queues, this is
++	 * complicated by the fact the to_writer queue not only contains
++	 * entries for fragments and data_blocks but it also contains
++	 * file entries, one per open file in the read-ahead.
++	 *
++	 * Choosing the size as "2 * (file open limit) +
++	 * data block cache size" seems to be a reasonable estimate.
++	 * We can reasonably assume the maximum likely read-ahead possible
++	 * is data block cache size + one fragment per open file, and then
++	 * we will have a file_entry for each open file.
++	 */
++	res = getrlimit(RLIMIT_NOFILE, &rlim);
++	if (res == -1) {
++		ERROR("failed to get open file limit!  Defaulting to 1\n");
++		rlim.rlim_cur = 1;
++	}
++
++	if (rlim.rlim_cur != RLIM_INFINITY) {
++		/*
++		 * leave OPEN_FILE_MARGIN free (rlim_cur includes fds used by
++		 * stdin, stdout, stderr and filesystem fd
++		 */
++		if (rlim.rlim_cur <= OPEN_FILE_MARGIN)
++			/* no margin, use minimum possible */
++			max_files = 1;
++		else
++			max_files = rlim.rlim_cur - OPEN_FILE_MARGIN;
++	} else
++		max_files = -1;
++
++	/* set amount of available files for use by open_wait and close_wake */
++	open_init(max_files);
++
++	/*
++	 * allocate to_reader, to_deflate and to_writer queues.  Set based on
++	 * open file limit and cache size, unless open file limit is unlimited,
++	 * in which case set purely based on cache limits
++	 */
++	if (max_files != -1) {
++		to_reader = queue_init(max_files + data_buffer_size);
++		to_deflate = queue_init(max_files + data_buffer_size);
++		to_writer = queue_init(max_files * 2 + data_buffer_size);
++	} else {
++		int all_buffers_size = fragment_buffer_size + data_buffer_size;
++
++		to_reader = queue_init(all_buffers_size);
++		to_deflate = queue_init(all_buffers_size);
++		to_writer = queue_init(all_buffers_size * 2);
++	}
++
+ 	from_writer = queue_init(1);
++
+ 	fragment_cache = cache_init(block_size, fragment_buffer_size);
+ 	data_cache = cache_init(block_size, data_buffer_size);
+ 	pthread_create(&thread[0], NULL, reader, NULL);
diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
index 9922f1e..528efed 100644
--- a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
+++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
@@ -8,12 +8,15 @@ LIC_FILES_CHKSUM = "file://../COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \
                     file://../../7zC.txt;beginline=12;endline=16;md5=2056cd6d919ebc3807602143c7449a7c \
                    "
 DEPENDS = "attr zlib xz"
-PR = "1"
+PR = "r2"
 
 SRC_URI = "${SOURCEFORGE_MIRROR}/squashfs/squashfs${PV}.tar.gz;name=squashfs \
            http://downloads.sourceforge.net/sevenzip/lzma465.tar.bz2;name=lzma \
           "
 SRC_URI += "file://squashfs-4.2-fix-CVE-2012-4024.patch \
+            file://squashfs-add-a-commment-and-fix-some-other-comments.patch \
+            file://squashfs-fix-open-file-limit.patch \
+            file://squashfs-4.2-fix-CVE-2012-4025.patch \
            " 
 SRC_URI[squashfs.md5sum] = "1b7a781fb4cf8938842279bd3e8ee852"
 SRC_URI[squashfs.sha256sum] = "d9e0195aa922dbb665ed322b9aaa96e04a476ee650f39bbeadb0d00b24022e96"
-- 
1.7.9.5

[PATCH 14/15] librsvg: CVE-2011-3146

[Scott Garman]

From: Li Wang <li.wang@windriver.com>

Store node type separately in RsvgNode

commit 34c95743ca692ea0e44778e41a7c0a129363de84 upstream

The node name (formerly RsvgNode:type) cannot be used to infer
the sub-type of RsvgNode that we're dealing with, since for unknown
elements we put type = node-name. This lead to a (potentially exploitable)
crash e.g. when the element name started with "fe" which tricked
the old code into considering it as a RsvgFilterPrimitive.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3146

https://bugzilla.gnome.org/show_bug.cgi?id=658014

[YOCTO #3581]
[ CQID: WIND00376773 ]
Upstream-Status: Backport

Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>

Resolved merge conflicts with denzil branch.

Fixes denzil bug [YOCTO #3651].

Signed-off-by: Scott Garman <scott.a.garman@intel.com>
---
 .../librsvg-2.32.1/librsvg-CVE-2011-3146.patch     | 1088 ++++++++++++++++++++
 meta/recipes-gnome/librsvg/librsvg_2.32.1.bb       |    6 +-
 2 files changed, 1092 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-gnome/librsvg/librsvg-2.32.1/librsvg-CVE-2011-3146.patch

diff --git a/meta/recipes-gnome/librsvg/librsvg-2.32.1/librsvg-CVE-2011-3146.patch b/meta/recipes-gnome/librsvg/librsvg-2.32.1/librsvg-CVE-2011-3146.patch
new file mode 100644
index 0000000..251f31e
--- /dev/null
+++ b/meta/recipes-gnome/librsvg/librsvg-2.32.1/librsvg-CVE-2011-3146.patch
@@ -0,0 +1,1088 @@
+librsvg: CVE-2011-3146
+
+Store node type separately in RsvgNode
+
+commit 34c95743ca692ea0e44778e41a7c0a129363de84 upstream
+
+The node name (formerly RsvgNode:type) cannot be used to infer
+the sub-type of RsvgNode that we're dealing with, since for unknown
+elements we put type = node-name. This lead to a (potentially exploitable)
+crash e.g. when the element name started with "fe" which tricked
+the old code into considering it as a RsvgFilterPrimitive.
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3146
+
+https://bugzilla.gnome.org/show_bug.cgi?id=658014
+---
+ rsvg-base.c         |   68 ++++++++++++++++++++++++++------------------
+ rsvg-cairo-draw.c   |    2 +-
+ rsvg-filter.c       |   79 +++++++++++++++++++++++++++------------------------
+ rsvg-filter.h       |    2 +-
+ rsvg-image.c        |    2 +-
+ rsvg-marker.c       |    4 +-
+ rsvg-mask.c         |    8 ++--
+ rsvg-paint-server.c |   25 ++++++++--------
+ rsvg-private.h      |   60 ++++++++++++++++++++++++++++++++++++++-
+ rsvg-shapes.c       |   25 ++++++++--------
+ rsvg-shapes.h       |    2 +-
+ rsvg-structure.c    |   25 ++++++++--------
+ rsvg-structure.h    |    5 ++-
+ rsvg-text.c         |   22 ++++++++------
+ 14 files changed, 204 insertions(+), 125 deletions(-)
+
+diff --git a/rsvg-base.c b/rsvg-base.c
+index 1f5c48c..b1a2d8b 100644
+--- a/rsvg-base.c
++++ b/rsvg-base.c
+@@ -147,7 +147,6 @@ rsvg_start_style (RsvgHandle * ctx, RsvgPropertyBag * atts)
+ static void
+ rsvg_standard_element_start (RsvgHandle * ctx, const char *name, RsvgPropertyBag * atts)
+ {
+-
+     /*replace this stuff with a hash for fast reading! */
+     RsvgNode *newnode = NULL;
+     if (!strcmp (name, "g"))
+@@ -241,11 +240,11 @@ rsvg_standard_element_start (RsvgHandle * ctx, const char *name, RsvgPropertyBag
+     else if (!strcmp (name, "feFuncA"))
+         newnode = rsvg_new_node_component_transfer_function ('a');
+     else if (!strcmp (name, "feDistantLight"))
+-        newnode = rsvg_new_filter_primitive_light_source ('d');
++        newnode = rsvg_new_node_light_source ('d');
+     else if (!strcmp (name, "feSpotLight"))
+-        newnode = rsvg_new_filter_primitive_light_source ('s');
++        newnode = rsvg_new_node_light_source ('s');
+     else if (!strcmp (name, "fePointLight"))
+-        newnode = rsvg_new_filter_primitive_light_source ('p');
++        newnode = rsvg_new_node_light_source ('p');
+     /* hack to make multiImage sort-of work */
+     else if (!strcmp (name, "multiImage"))
+         newnode = rsvg_new_switch ();
+@@ -259,21 +258,22 @@ rsvg_standard_element_start (RsvgHandle * ctx, const char *name, RsvgPropertyBag
+         newnode = rsvg_new_tspan ();
+     else if (!strcmp (name, "tref"))
+         newnode = rsvg_new_tref ();
+-	else {
++    else {
+ 		/* hack for bug 401115. whenever we encounter a node we don't understand, push it into a group. 
+ 		   this will allow us to handle things like conditionals properly. */
+ 		newnode = rsvg_new_group ();
+ 	}
+ 
+     if (newnode) {
+-        newnode->type = g_string_new (name);
++        g_assert (RSVG_NODE_TYPE (newnode) != RSVG_NODE_TYPE_INVALID);
++        newnode->name = (char *) name; /* libxml will keep this while parsing */
+         newnode->parent = ctx->priv->currentnode;
+         rsvg_node_set_atts (newnode, ctx, atts);
+         rsvg_defs_register_memory (ctx->priv->defs, newnode);
+         if (ctx->priv->currentnode) {
+             rsvg_node_group_pack (ctx->priv->currentnode, newnode);
+             ctx->priv->currentnode = newnode;
+-        } else if (!strcmp (name, "svg")) {
++        } else if (RSVG_NODE_TYPE (newnode) == RSVG_NODE_TYPE_SVG) {
+             ctx->priv->treebase = newnode;
+             ctx->priv->currentnode = newnode;
+         }
+@@ -689,10 +689,11 @@ rsvg_end_element (void *data, const xmlChar * name)
+             ctx->priv->handler = NULL;
+         }
+ 
+-        if (ctx->priv->currentnode
+-            && !strcmp ((const char *) name, ctx->priv->currentnode->type->str))
+-            rsvg_pop_def_group (ctx);
++        if (ctx->priv->currentnode &&
++            !strcmp ((const char *) name, ctx->priv->currentnode->name))
++                rsvg_pop_def_group (ctx);
+ 
++        /* FIXMEchpe: shouldn't this check that currentnode == treebase or sth like that? */
+         if (ctx->priv->treebase && !strcmp ((const char *)name, "svg"))
+             _rsvg_node_svg_apply_atts ((RsvgNodeSvg *)ctx->priv->treebase, ctx);
+     }
+@@ -706,6 +707,30 @@ _rsvg_node_chars_free (RsvgNode * node)
+     _rsvg_node_free (node);
+ }
+ 
++static RsvgNodeChars *
++rsvg_new_node_chars (const char *text,
++                     int len)
++{
++    RsvgNodeChars *self;
++
++    self = g_new (RsvgNodeChars, 1);
++    _rsvg_node_init (&self->super, RSVG_NODE_TYPE_CHARS);
++
++    if (!g_utf8_validate (text, len, NULL)) {
++        char *utf8;
++        utf8 = rsvg_make_valid_utf8 (text, len);
++        self->contents = g_string_new (utf8);
++        g_free (utf8);
++    } else {
++        self->contents = g_string_new_len (text, len);
++    }
++
++    self->super.free = _rsvg_node_chars_free;
++    self->super.state->cond_true = FALSE;
++
++    return self;
++}
++
+ static void
+ rsvg_characters_impl (RsvgHandle * ctx, const xmlChar * ch, int len)
+ {
+@@ -715,8 +740,9 @@ rsvg_characters_impl (RsvgHandle * ctx, const xmlChar * ch, int len)
+         return;
+ 
+     if (ctx->priv->currentnode) {
+-        if (!strcmp ("tspan", ctx->priv->currentnode->type->str) ||
+-            !strcmp ("text", ctx->priv->currentnode->type->str)) {
++        RsvgNodeType type = RSVG_NODE_TYPE (ctx->priv->currentnode);
++        if (type == RSVG_NODE_TYPE_TSPAN ||
++            type == RSVG_NODE_TYPE_TEXT) {
+             guint i;
+ 
+             /* find the last CHARS node in the text or tspan node, so that we
+@@ -724,7 +750,7 @@ rsvg_characters_impl (RsvgHandle * ctx, const xmlChar * ch, int len)
+             self = NULL;
+             for (i = 0; i < ctx->priv->currentnode->children->len; i++) {
+                 RsvgNode *node = g_ptr_array_index (ctx->priv->currentnode->children, i);
+-                if (!strcmp (node->type->str, "RSVG_NODE_CHARS")) {
++                if (RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_CHARS) {
+                     self = (RsvgNodeChars*)node;
+                 }
+             }
+@@ -744,21 +770,7 @@ rsvg_characters_impl (RsvgHandle * ctx, const xmlChar * ch, int len)
+         }
+     }
+ 
+-    self = g_new (RsvgNodeChars, 1);
+-    _rsvg_node_init (&self->super);
+-
+-    if (!g_utf8_validate ((char *) ch, len, NULL)) {
+-        char *utf8;
+-        utf8 = rsvg_make_valid_utf8 ((char *) ch, len);
+-        self->contents = g_string_new (utf8);
+-        g_free (utf8);
+-    } else {
+-        self->contents = g_string_new_len ((char *) ch, len);
+-    }
+-
+-    self->super.type = g_string_new ("RSVG_NODE_CHARS");
+-    self->super.free = _rsvg_node_chars_free;
+-    self->super.state->cond_true = FALSE;
++    self = rsvg_new_node_chars ((char *) ch, len);
+ 
+     rsvg_defs_register_memory (ctx->priv->defs, (RsvgNode *) self);
+     if (ctx->priv->currentnode)
+diff --git a/rsvg-cairo-draw.c b/rsvg-cairo-draw.c
+index 0b74e22..c01cd17 100644
+--- a/rsvg-cairo-draw.c
++++ b/rsvg-cairo-draw.c
+@@ -147,7 +147,7 @@ _pattern_add_rsvg_color_stops (cairo_pattern_t * pattern,
+ 
+     for (i = 0; i < stops->len; i++) {
+         node = (RsvgNode *) g_ptr_array_index (stops, i);
+-        if (strcmp (node->type->str, "stop"))
++        if (RSVG_NODE_TYPE (node) != RSVG_NODE_TYPE_STOP)
+             continue;
+         stop = (RsvgGradientStop *) node;
+         rgba = stop->rgba;
+diff --git a/rsvg-filter.c b/rsvg-filter.c
+index e65be41..ce96c4f 100644
+--- a/rsvg-filter.c
++++ b/rsvg-filter.c
+@@ -495,7 +495,7 @@ rsvg_filter_render (RsvgFilter * self, GdkPixbuf * source,
+ 
+     for (i = 0; i < self->super.children->len; i++) {
+         current = g_ptr_array_index (self->super.children, i);
+-        if (!strncmp (current->super.type->str, "fe", 2))
++        if (RSVG_NODE_IS_FILTER_PRIMITIVE (&current->super))
+             rsvg_filter_primitive_render (current, ctx);
+     }
+ 
+@@ -703,7 +703,7 @@ rsvg_filter_parse (const RsvgDefs * defs, const char *str)
+         val = rsvg_defs_lookup (defs, name);
+         g_free (name);
+ 
+-        if (val && (!strcmp (val->type->str, "filter")))
++        if (val && RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_FILTER)
+             return (RsvgFilter *) val;
+     }
+     return NULL;
+@@ -754,7 +754,7 @@ rsvg_new_filter (void)
+     RsvgFilter *filter;
+ 
+     filter = g_new (RsvgFilter, 1);
+-    _rsvg_node_init (&filter->super);
++    _rsvg_node_init (&filter->super, RSVG_NODE_TYPE_FILTER);
+     filter->filterunits = objectBoundingBox;
+     filter->primitiveunits = userSpaceOnUse;
+     filter->x = _rsvg_css_parse_length ("-10%");
+@@ -978,7 +978,7 @@ rsvg_new_filter_primitive_blend (void)
+ {
+     RsvgFilterPrimitiveBlend *filter;
+     filter = g_new (RsvgFilterPrimitiveBlend, 1);
+-    _rsvg_node_init (&filter->super.super);
++    _rsvg_node_init (&filter->super.super, RSVG_NODE_TYPE_FILTER_PRIMITIVE_BLEND);
+     filter->mode = normal;
+     filter->super.in = g_string_new ("none");
+     filter->in2 = g_string_new ("none");
+@@ -1230,7 +1230,7 @@ rsvg_new_filter_primitive_convolve_matrix (void)
+ {
+     RsvgFilterPrimitiveConvolveMatrix *filter;
+     filter = g_new (RsvgFilterPrimitiveConvolveMatrix, 1);
+-    _rsvg_node_init (&filter->super.super);
++    _rsvg_node_init (&filter->super.super, RSVG_NODE_TYPE_FILTER_PRIMITIVE_CONVOLVE_MATRIX);
+     filter->super.in = g_string_new ("none");
+     filter->super.result = g_string_new ("none");
+     filter->super.x.factor = filter->super.y.factor = filter->super.width.factor =
+@@ -1471,7 +1471,7 @@ rsvg_new_filter_primitive_gaussian_blur (void)
+ {
+     RsvgFilterPrimitiveGaussianBlur *filter;
+     filter = g_new (RsvgFilterPrimitiveGaussianBlur, 1);
+-    _rsvg_node_init (&filter->super.super);
++    _rsvg_node_init (&filter->super.super, RSVG_NODE_TYPE_FILTER_PRIMITIVE_GAUSSIAN_BLUR);
+     filter->super.in = g_string_new ("none");
+     filter->super.result = g_string_new ("none");
+     filter->super.x.factor = filter->super.y.factor = filter->super.width.factor =
+@@ -1607,7 +1607,7 @@ rsvg_new_filter_primitive_offset (void)
+ {
+     RsvgFilterPrimitiveOffset *filter;
+     filter = g_new (RsvgFilterPrimitiveOffset, 1);
+-    _rsvg_node_init (&filter->super.super);
++    _rsvg_node_init (&filter->super.super, RSVG_NODE_TYPE_FILTER_PRIMITIVE_OFFSET);
+     filter->super.in = g_string_new ("none");
+     filter->super.result = g_string_new ("none");
+     filter->super.x.factor = filter->super.y.factor = filter->super.width.factor =
+@@ -1648,7 +1648,7 @@ rsvg_filter_primitive_merge_render (RsvgFilterPrimitive * self, RsvgFilterContex
+     for (i = 0; i < upself->super.super.children->len; i++) {
+         RsvgFilterPrimitive *mn;
+         mn = g_ptr_array_index (upself->super.super.children, i);
+-        if (strcmp (mn->super.type->str, "feMergeNode"))
++        if (RSVG_NODE_TYPE (&mn->super) != RSVG_NODE_TYPE_FILTER_PRIMITIVE_MERGE_NODE)
+             continue;
+         in = rsvg_filter_get_in (mn->in, ctx);
+         rsvg_alpha_blt (in, boundarys.x0, boundarys.y0, boundarys.x1 - boundarys.x0,
+@@ -1701,7 +1701,7 @@ rsvg_new_filter_primitive_merge (void)
+ {
+     RsvgFilterPrimitiveMerge *filter;
+     filter = g_new (RsvgFilterPrimitiveMerge, 1);
+-    _rsvg_node_init (&filter->super.super);
++    _rsvg_node_init (&filter->super.super, RSVG_NODE_TYPE_FILTER_PRIMITIVE_MERGE);
+     filter->super.result = g_string_new ("none");
+     filter->super.x.factor = filter->super.y.factor = filter->super.width.factor =
+         filter->super.height.factor = 'n';
+@@ -1744,7 +1744,7 @@ rsvg_new_filter_primitive_merge_node (void)
+ {
+     RsvgFilterPrimitive *filter;
+     filter = g_new (RsvgFilterPrimitive, 1);
+-    _rsvg_node_init (&filter->super);
++    _rsvg_node_init (&filter->super, RSVG_NODE_TYPE_FILTER_PRIMITIVE_MERGE_NODE);
+     filter->in = g_string_new ("none");
+     filter->super.free = rsvg_filter_primitive_merge_node_free;
+     filter->render = &rsvg_filter_primitive_merge_node_render;
+@@ -1978,7 +1978,7 @@ rsvg_new_filter_primitive_colour_matrix (void)
+ {
+     RsvgFilterPrimitiveColourMatrix *filter;
+     filter = g_new (RsvgFilterPrimitiveColourMatrix, 1);
+-    _rsvg_node_init (&filter->super.super);
++    _rsvg_node_init (&filter->super.super, RSVG_NODE_TYPE_FILTER_PRIMITIVE_COLOUR_MATRIX);
+     filter->super.in = g_string_new ("none");
+     filter->super.result = g_string_new ("none");
+     filter->super.x.factor = filter->super.y.factor = filter->super.width.factor =
+@@ -2010,8 +2010,9 @@ struct _RsvgNodeComponentTransferFunc {
+     gint slope;
+     gint intercept;
+     gint amplitude;
+-    gdouble exponent;
+     gint offset;
++    gdouble exponent;
++    char channel;
+ };
+ 
+ struct _RsvgFilterPrimitiveComponentTransfer {
+@@ -2107,15 +2108,18 @@ rsvg_filter_primitive_component_transfer_render (RsvgFilterPrimitive *
+     for (c = 0; c < 4; c++) {
+         char channel = "RGBA"[c];
+         for (i = 0; i < self->super.children->len; i++) {
+-            RsvgNodeComponentTransferFunc *temp;
+-            temp = (RsvgNodeComponentTransferFunc *)
+-                g_ptr_array_index (self->super.children, i);
+-            if (!strncmp (temp->super.type->str, "feFunc", 6))
+-                if (temp->super.type->str[6] == channel) {
++            RsvgNode *child_node;
++
++            child_node = (RsvgNode *) g_ptr_array_index (self->super.children, i);
++            if (RSVG_NODE_TYPE (child_node) == RSVG_NODE_TYPE_FILTER_PRIMITIVE_COMPONENT_TRANSFER) {
++                RsvgNodeComponentTransferFunc *temp = (RsvgNodeComponentTransferFunc *) child_node;
++
++                if (temp->channel == channel) {
+                     functions[ctx->channelmap[c]] = temp->function;
+                     channels[ctx->channelmap[c]] = temp;
+                     break;
+                 }
++            }
+         }
+         if (i == self->super.children->len)
+             functions[ctx->channelmap[c]] = identity_component_transfer_func;
+@@ -2198,7 +2202,7 @@ rsvg_new_filter_primitive_component_transfer (void)
+     RsvgFilterPrimitiveComponentTransfer *filter;
+ 
+     filter = g_new (RsvgFilterPrimitiveComponentTransfer, 1);
+-    _rsvg_node_init (&filter->super.super);
++    _rsvg_node_init (&filter->super.super, RSVG_NODE_TYPE_FILTER_PRIMITIVE_COMPONENT_TRANSFER);
+     filter->super.result = g_string_new ("none");
+     filter->super.in = g_string_new ("none");
+     filter->super.x.factor = filter->super.y.factor = filter->super.width.factor =
+@@ -2272,7 +2276,7 @@ rsvg_new_node_component_transfer_function (char channel)
+     RsvgNodeComponentTransferFunc *filter;
+ 
+     filter = g_new (RsvgNodeComponentTransferFunc, 1);
+-    _rsvg_node_init (&filter->super);
++    _rsvg_node_init (&filter->super, RSVG_NODE_TYPE_COMPONENT_TRANFER_FUNCTION);
+     filter->super.free = rsvg_component_transfer_function_free;
+     filter->super.set_atts = rsvg_node_component_transfer_function_set_atts;
+     filter->function = identity_component_transfer_func;
+@@ -2414,7 +2418,7 @@ rsvg_new_filter_primitive_erode (void)
+ {
+     RsvgFilterPrimitiveErode *filter;
+     filter = g_new (RsvgFilterPrimitiveErode, 1);
+-    _rsvg_node_init (&filter->super.super);
++    _rsvg_node_init (&filter->super.super, RSVG_NODE_TYPE_FILTER_PRIMITIVE_ERODE);
+     filter->super.in = g_string_new ("none");
+     filter->super.result = g_string_new ("none");
+     filter->super.x.factor = filter->super.y.factor = filter->super.width.factor =
+@@ -2639,7 +2643,7 @@ rsvg_new_filter_primitive_composite (void)
+ {
+     RsvgFilterPrimitiveComposite *filter;
+     filter = g_new (RsvgFilterPrimitiveComposite, 1);
+-    _rsvg_node_init (&filter->super.super);
++    _rsvg_node_init (&filter->super.super, RSVG_NODE_TYPE_FILTER_PRIMITIVE_COMPOSITE);
+     filter->mode = COMPOSITE_MODE_OVER;
+     filter->super.in = g_string_new ("none");
+     filter->in2 = g_string_new ("none");
+@@ -2744,7 +2748,7 @@ rsvg_new_filter_primitive_flood (void)
+ {
+     RsvgFilterPrimitive *filter;
+     filter = g_new (RsvgFilterPrimitive, 1);
+-    _rsvg_node_init (&filter->super);
++    _rsvg_node_init (&filter->super, RSVG_NODE_TYPE_FILTER_PRIMITIVE_FLOOD);
+     filter->in = g_string_new ("none");
+     filter->result = g_string_new ("none");
+     filter->x.factor = filter->y.factor = filter->width.factor = filter->height.factor = 'n';
+@@ -2920,7 +2924,7 @@ rsvg_new_filter_primitive_displacement_map (void)
+ {
+     RsvgFilterPrimitiveDisplacementMap *filter;
+     filter = g_new (RsvgFilterPrimitiveDisplacementMap, 1);
+-    _rsvg_node_init (&filter->super.super);
++    _rsvg_node_init (&filter->super.super, RSVG_NODE_TYPE_FILTER_PRIMITIVE_DISPLACEMENT_MAP);
+     filter->super.in = g_string_new ("none");
+     filter->in2 = g_string_new ("none");
+     filter->super.result = g_string_new ("none");
+@@ -3291,7 +3295,7 @@ rsvg_new_filter_primitive_turbulence (void)
+ {
+     RsvgFilterPrimitiveTurbulence *filter;
+     filter = g_new (RsvgFilterPrimitiveTurbulence, 1);
+-    _rsvg_node_init (&filter->super.super);
++    _rsvg_node_init (&filter->super.super, RSVG_NODE_TYPE_FILTER_PRIMITIVE_TURBULENCE);
+     filter->super.in = g_string_new ("none");
+     filter->super.result = g_string_new ("none");
+     filter->super.x.factor = filter->super.y.factor = filter->super.width.factor =
+@@ -3510,7 +3514,7 @@ rsvg_new_filter_primitive_image (void)
+ {
+     RsvgFilterPrimitiveImage *filter;
+     filter = g_new (RsvgFilterPrimitiveImage, 1);
+-    _rsvg_node_init (&filter->super.super);
++    _rsvg_node_init (&filter->super.super, RSVG_NODE_TYPE_FILTER_PRIMITIVE_IMAGE);
+     filter->super.in = g_string_new ("none");
+     filter->super.result = g_string_new ("none");
+     filter->super.x.factor = filter->super.y.factor = filter->super.width.factor =
+@@ -3871,8 +3875,8 @@ get_light_colour (RsvgNodeLightSource * source, vector3 colour,
+ 
+ 
+ static void
+-rsvg_filter_primitive_light_source_set_atts (RsvgNode * self,
+-                                             RsvgHandle * ctx, RsvgPropertyBag * atts)
++rsvg_node_light_source_set_atts (RsvgNode * self,
++                                 RsvgHandle * ctx, RsvgPropertyBag * atts)
+ {
+     RsvgNodeLightSource *data;
+     const char *value;
+@@ -3904,13 +3908,13 @@ rsvg_filter_primitive_light_source_set_atts (RsvgNode * self,
+ }
+ 
+ RsvgNode *
+-rsvg_new_filter_primitive_light_source (char type)
++rsvg_new_node_light_source (char type)
+ {
+     RsvgNodeLightSource *data;
+     data = g_new (RsvgNodeLightSource, 1);
+-    _rsvg_node_init (&data->super);
++    _rsvg_node_init (&data->super, RSVG_NODE_TYPE_LIGHT_SOURCE);
+     data->super.free = _rsvg_node_free;
+-    data->super.set_atts = rsvg_filter_primitive_light_source_set_atts;
++    data->super.set_atts = rsvg_node_light_source_set_atts;
+     data->specularExponent = 1;
+     if (type == 's')
+         data->type = SPOTLIGHT;
+@@ -3960,10 +3964,11 @@ rsvg_filter_primitive_diffuse_lighting_render (RsvgFilterPrimitive * self, RsvgF
+ 
+     for (i = 0; i < self->super.children->len; i++) {
+         RsvgNode *temp;
++
+         temp = g_ptr_array_index (self->super.children, i);
+-        if (!strcmp (temp->type->str, "feDistantLight") ||
+-            !strcmp (temp->type->str, "fePointLight") || !strcmp (temp->type->str, "feSpotLight"))
++        if (RSVG_NODE_TYPE (temp) == RSVG_NODE_TYPE_LIGHT_SOURCE) {
+             source = (RsvgNodeLightSource *) temp;
++        }
+     }
+     if (source == NULL)
+         return;
+@@ -4080,7 +4085,7 @@ rsvg_new_filter_primitive_diffuse_lighting (void)
+ {
+     RsvgFilterPrimitiveDiffuseLighting *filter;
+     filter = g_new (RsvgFilterPrimitiveDiffuseLighting, 1);
+-    _rsvg_node_init (&filter->super.super);
++    _rsvg_node_init (&filter->super.super, RSVG_NODE_TYPE_FILTER_PRIMITIVE_DIFFUSE_LIGHTING);
+     filter->super.in = g_string_new ("none");
+     filter->super.result = g_string_new ("none");
+     filter->super.x.factor = filter->super.y.factor = filter->super.width.factor =
+@@ -4135,9 +4140,9 @@ rsvg_filter_primitive_specular_lighting_render (RsvgFilterPrimitive * self, Rsvg
+     for (i = 0; i < self->super.children->len; i++) {
+         RsvgNode *temp;
+         temp = g_ptr_array_index (self->super.children, i);
+-        if (!strcmp (temp->type->str, "feDistantLight") ||
+-            !strcmp (temp->type->str, "fePointLight") || !strcmp (temp->type->str, "feSpotLight"))
++        if (RSVG_NODE_TYPE (temp) == RSVG_NODE_TYPE_LIGHT_SOURCE) {
+             source = (RsvgNodeLightSource *) temp;
++        }
+     }
+     if (source == NULL)
+         return;
+@@ -4259,7 +4264,7 @@ rsvg_new_filter_primitive_specular_lighting (void)
+ {
+     RsvgFilterPrimitiveSpecularLighting *filter;
+     filter = g_new (RsvgFilterPrimitiveSpecularLighting, 1);
+-    _rsvg_node_init (&filter->super.super);
++    _rsvg_node_init (&filter->super.super, RSVG_NODE_TYPE_FILTER_PRIMITIVE_SPECULAR_LIGHTING);
+     filter->super.in = g_string_new ("none");
+     filter->super.result = g_string_new ("none");
+     filter->super.x.factor = filter->super.y.factor = filter->super.width.factor =
+@@ -4381,7 +4386,7 @@ rsvg_new_filter_primitive_tile (void)
+ {
+     RsvgFilterPrimitiveTile *filter;
+     filter = g_new (RsvgFilterPrimitiveTile, 1);
+-    _rsvg_node_init (&filter->super.super);
++    _rsvg_node_init (&filter->super.super, RSVG_NODE_TYPE_FILTER_PRIMITIVE_TILE);
+     filter->super.in = g_string_new ("none");
+     filter->super.result = g_string_new ("none");
+     filter->super.x.factor = filter->super.y.factor = filter->super.width.factor =
+diff --git a/rsvg-filter.h b/rsvg-filter.h
+index 25dac75..0aeda22 100644
+--- a/rsvg-filter.h
++++ b/rsvg-filter.h
+@@ -64,7 +64,7 @@ RsvgNode    *rsvg_new_filter_primitive_displacement_map     (void);
+ RsvgNode    *rsvg_new_filter_primitive_turbulence           (void);
+ RsvgNode    *rsvg_new_filter_primitive_image                (void);
+ RsvgNode    *rsvg_new_filter_primitive_diffuse_lighting	    (void);
+-RsvgNode    *rsvg_new_filter_primitive_light_source	        (char type);
++RsvgNode    *rsvg_new_node_light_source	                    (char type);
+ RsvgNode    *rsvg_new_filter_primitive_specular_lighting    (void);
+ RsvgNode    *rsvg_new_filter_primitive_tile                 (void);
+ 
+diff --git a/rsvg-image.c b/rsvg-image.c
+index a81dcf5..02882bd 100644
+--- a/rsvg-image.c
++++ b/rsvg-image.c
+@@ -356,7 +356,7 @@ rsvg_new_image (void)
+ {
+     RsvgNodeImage *image;
+     image = g_new (RsvgNodeImage, 1);
+-    _rsvg_node_init (&image->super);
++    _rsvg_node_init (&image->super, RSVG_NODE_TYPE_IMAGE);
+     g_assert (image->super.state);
+     image->img = NULL;
+     image->preserve_aspect_ratio = RSVG_ASPECT_RATIO_XMID_YMID;
+diff --git a/rsvg-marker.c b/rsvg-marker.c
+index 591e1e0..c7e76f1 100644
+--- a/rsvg-marker.c
++++ b/rsvg-marker.c
+@@ -84,7 +84,7 @@ rsvg_new_marker (void)
+ {
+     RsvgMarker *marker;
+     marker = g_new (RsvgMarker, 1);
+-    _rsvg_node_init (&marker->super);
++    _rsvg_node_init (&marker->super, RSVG_NODE_TYPE_MARKER);
+     marker->orient = 0;
+     marker->orientAuto = FALSE;
+     marker->preserve_aspect_ratio = RSVG_ASPECT_RATIO_XMID_YMID;
+@@ -198,7 +198,7 @@ rsvg_marker_parse (const RsvgDefs * defs, const char *str)
+         val = rsvg_defs_lookup (defs, name);
+         g_free (name);
+ 
+-        if (val && (!strcmp (val->type->str, "marker")))
++        if (val && RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_MARKER)
+             return val;
+     }
+     return NULL;
+diff --git a/rsvg-mask.c b/rsvg-mask.c
+index dd36a38..8e3cba3 100644
+--- a/rsvg-mask.c
++++ b/rsvg-mask.c
+@@ -74,7 +74,7 @@ rsvg_new_mask (void)
+     RsvgMask *mask;
+ 
+     mask = g_new (RsvgMask, 1);
+-    _rsvg_node_init (&mask->super);
++    _rsvg_node_init (&mask->super, RSVG_NODE_TYPE_MASK);
+     mask->maskunits = objectBoundingBox;
+     mask->contentunits = userSpaceOnUse;
+     mask->x = _rsvg_css_parse_length ("0");
+@@ -113,7 +113,7 @@ rsvg_mask_parse (const RsvgDefs * defs, const char *str)
+         val = rsvg_defs_lookup (defs, name);
+         g_free (name);
+ 
+-        if (val && (!strcmp (val->type->str, "mask")))
++        if (val && RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_MASK)
+             return val;
+     }
+     return NULL;
+@@ -130,7 +130,7 @@ rsvg_clip_path_parse (const RsvgDefs * defs, const char *str)
+         val = rsvg_defs_lookup (defs, name);
+         g_free (name);
+ 
+-        if (val && (!strcmp (val->type->str, "clipPath")))
++        if (val && RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_CLIP_PATH)
+             return val;
+     }
+     return NULL;
+@@ -168,7 +168,7 @@ rsvg_new_clip_path (void)
+     RsvgClipPath *clip_path;
+ 
+     clip_path = g_new (RsvgClipPath, 1);
+-    _rsvg_node_init (&clip_path->super);
++    _rsvg_node_init (&clip_path->super, RSVG_NODE_TYPE_CLIP_PATH);
+     clip_path->units = userSpaceOnUse;
+     clip_path->super.set_atts = rsvg_clip_path_set_atts;
+     clip_path->super.free = _rsvg_node_free;
+diff --git a/rsvg-paint-server.c b/rsvg-paint-server.c
+index 4967e03..7903684 100644
+--- a/rsvg-paint-server.c
++++ b/rsvg-paint-server.c
+@@ -129,11 +129,11 @@ rsvg_paint_server_parse (gboolean * inherit, const RsvgDefs * defs, const char *
+ 
+         if (val == NULL)
+             return NULL;
+-        if (!strcmp (val->type->str, "linearGradient"))
++        if (RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_LINEAR_GRADIENT)
+             return rsvg_paint_server_lin_grad ((RsvgLinearGradient *) val);
+-        else if (!strcmp (val->type->str, "radialGradient"))
++        else if (RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_RADIAL_GRADIENT)
+             return rsvg_paint_server_rad_grad ((RsvgRadialGradient *) val);
+-        else if (!strcmp (val->type->str, "pattern"))
++        else if (RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_PATTERN)
+             return rsvg_paint_server_pattern ((RsvgPattern *) val);
+         else
+             return NULL;
+@@ -224,7 +224,7 @@ RsvgNode *
+ rsvg_new_stop (void)
+ {
+     RsvgGradientStop *stop = g_new (RsvgGradientStop, 1);
+-    _rsvg_node_init (&stop->super);
++    _rsvg_node_init (&stop->super, RSVG_NODE_TYPE_STOP);
+     stop->super.set_atts = rsvg_stop_set_atts;
+     stop->offset = 0;
+     stop->rgba = 0;
+@@ -293,7 +293,7 @@ rsvg_new_linear_gradient (void)
+ {
+     RsvgLinearGradient *grad = NULL;
+     grad = g_new (RsvgLinearGradient, 1);
+-    _rsvg_node_init (&grad->super);
++    _rsvg_node_init (&grad->super, RSVG_NODE_TYPE_LINEAR_GRADIENT);
+     _rsvg_affine_identity (grad->affine);
+     grad->has_current_color = FALSE;
+     grad->x1 = grad->y1 = grad->y2 = _rsvg_css_parse_length ("0");
+@@ -376,7 +376,7 @@ rsvg_new_radial_gradient (void)
+ {
+ 
+     RsvgRadialGradient *grad = g_new (RsvgRadialGradient, 1);
+-    _rsvg_node_init (&grad->super);
++    _rsvg_node_init (&grad->super, RSVG_NODE_TYPE_RADIAL_GRADIENT);
+     _rsvg_affine_identity (grad->affine);
+     grad->has_current_color = FALSE;
+     grad->obj_bbox = TRUE;
+@@ -458,7 +458,7 @@ RsvgNode *
+ rsvg_new_pattern (void)
+ {
+     RsvgPattern *pattern = g_new (RsvgPattern, 1);
+-    _rsvg_node_init (&pattern->super);
++    _rsvg_node_init (&pattern->super, RSVG_NODE_TYPE_PATTERN);
+     pattern->obj_bbox = TRUE;
+     pattern->obj_cbbox = FALSE;
+     pattern->x = pattern->y = pattern->width = pattern->height = _rsvg_css_parse_length ("0");
+@@ -477,7 +477,8 @@ hasstop (GPtrArray * lookin)
+ {
+     unsigned int i;
+     for (i = 0; i < lookin->len; i++) {
+-        if (!strcmp (((RsvgNode *) g_ptr_array_index (lookin, i))->type->str, "stop"))
++        RsvgNode *node = g_ptr_array_index (lookin, i);
++        if (RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_STOP)
+             return 1;
+     }
+     return 0;
+@@ -490,7 +491,7 @@ rsvg_linear_gradient_fix_fallback (RsvgLinearGradient * grad)
+     int i;
+     ufallback = grad->fallback;
+     while (ufallback != NULL) {
+-        if (!strcmp (ufallback->type->str, "linearGradient")) {
++        if (RSVG_NODE_TYPE (ufallback) == RSVG_NODE_TYPE_LINEAR_GRADIENT) {
+             RsvgLinearGradient *fallback = (RsvgLinearGradient *) ufallback;
+             if (!grad->hasx1 && fallback->hasx1) {
+                 grad->hasx1 = TRUE;
+@@ -525,7 +526,7 @@ rsvg_linear_gradient_fix_fallback (RsvgLinearGradient * grad)
+                 grad->super.children = fallback->super.children;
+             }
+             ufallback = fallback->fallback;
+-        } else if (!strcmp (ufallback->type->str, "radialGradient")) {
++        } else if (RSVG_NODE_TYPE (ufallback) == RSVG_NODE_TYPE_RADIAL_GRADIENT) {
+             RsvgRadialGradient *fallback = (RsvgRadialGradient *) ufallback;
+             if (!grad->hastransform && fallback->hastransform) {
+                 grad->hastransform = TRUE;
+@@ -555,7 +556,7 @@ rsvg_radial_gradient_fix_fallback (RsvgRadialGradient * grad)
+     int i;
+     ufallback = grad->fallback;
+     while (ufallback != NULL) {
+-        if (!strcmp (ufallback->type->str, "radialGradient")) {
++        if (RSVG_NODE_TYPE (ufallback) == RSVG_NODE_TYPE_RADIAL_GRADIENT) {
+             RsvgRadialGradient *fallback = (RsvgRadialGradient *) ufallback;
+             if (!grad->hascx && fallback->hascx) {
+                 grad->hascx = TRUE;
+@@ -594,7 +595,7 @@ rsvg_radial_gradient_fix_fallback (RsvgRadialGradient * grad)
+                 grad->super.children = fallback->super.children;
+             }
+             ufallback = fallback->fallback;
+-        } else if (!strcmp (ufallback->type->str, "linearGradient")) {
++        } else if (RSVG_NODE_TYPE (ufallback) == RSVG_NODE_TYPE_LINEAR_GRADIENT) {
+             RsvgLinearGradient *fallback = (RsvgLinearGradient *) ufallback;
+             if (!grad->hastransform && fallback->hastransform) {
+                 grad->hastransform = TRUE;
+diff --git a/rsvg-private.h b/rsvg-private.h
+index 288c2de..162917a 100644
+--- a/rsvg-private.h
++++ b/rsvg-private.h
+@@ -255,16 +255,74 @@ struct RsvgSizeCallbackData {
+ 
+ void _rsvg_size_callback (int *width, int *height, gpointer data);
+ 
++typedef enum {
++    RSVG_NODE_TYPE_INVALID = 0,
++
++    RSVG_NODE_TYPE_CHARS,
++    RSVG_NODE_TYPE_CIRCLE,
++    RSVG_NODE_TYPE_CLIP_PATH,
++    RSVG_NODE_TYPE_COMPONENT_TRANFER_FUNCTION,
++    RSVG_NODE_TYPE_DEFS,
++    RSVG_NODE_TYPE_ELLIPSE,
++    RSVG_NODE_TYPE_FILTER,
++    RSVG_NODE_TYPE_GROUP,
++    RSVG_NODE_TYPE_IMAGE,
++    RSVG_NODE_TYPE_LIGHT_SOURCE,
++    RSVG_NODE_TYPE_LINE,
++    RSVG_NODE_TYPE_LINEAR_GRADIENT,
++    RSVG_NODE_TYPE_MARKER,
++    RSVG_NODE_TYPE_MASK,
++    RSVG_NODE_TYPE_PATH,
++    RSVG_NODE_TYPE_PATTERN,
++    RSVG_NODE_TYPE_POLYGON,
++    RSVG_NODE_TYPE_POLYLINE,
++    RSVG_NODE_TYPE_RADIAL_GRADIENT,
++    RSVG_NODE_TYPE_RECT,
++    RSVG_NODE_TYPE_STOP,
++    RSVG_NODE_TYPE_SVG,
++    RSVG_NODE_TYPE_SWITCH,
++    RSVG_NODE_TYPE_SYMBOL,
++    RSVG_NODE_TYPE_TEXT,
++    RSVG_NODE_TYPE_TREF,
++    RSVG_NODE_TYPE_TSPAN,
++    RSVG_NODE_TYPE_USE,
++
++    /* Filter primitives */
++    RSVG_NODE_TYPE_FILTER_PRIMITIVE = 64,
++    RSVG_NODE_TYPE_FILTER_PRIMITIVE_BLEND,
++    RSVG_NODE_TYPE_FILTER_PRIMITIVE_COLOUR_MATRIX,
++    RSVG_NODE_TYPE_FILTER_PRIMITIVE_COMPONENT_TRANSFER,
++    RSVG_NODE_TYPE_FILTER_PRIMITIVE_COMPOSITE,
++    RSVG_NODE_TYPE_FILTER_PRIMITIVE_CONVOLVE_MATRIX,
++    RSVG_NODE_TYPE_FILTER_PRIMITIVE_DIFFUSE_LIGHTING,
++    RSVG_NODE_TYPE_FILTER_PRIMITIVE_DISPLACEMENT_MAP,
++    RSVG_NODE_TYPE_FILTER_PRIMITIVE_ERODE,
++    RSVG_NODE_TYPE_FILTER_PRIMITIVE_FLOOD,
++    RSVG_NODE_TYPE_FILTER_PRIMITIVE_GAUSSIAN_BLUR,
++    RSVG_NODE_TYPE_FILTER_PRIMITIVE_IMAGE,
++    RSVG_NODE_TYPE_FILTER_PRIMITIVE_MERGE,
++    RSVG_NODE_TYPE_FILTER_PRIMITIVE_MERGE_NODE,
++    RSVG_NODE_TYPE_FILTER_PRIMITIVE_OFFSET,
++    RSVG_NODE_TYPE_FILTER_PRIMITIVE_SPECULAR_LIGHTING,
++    RSVG_NODE_TYPE_FILTER_PRIMITIVE_TILE,
++    RSVG_NODE_TYPE_FILTER_PRIMITIVE_TURBULENCE,
++
++} RsvgNodeType;
++
+ struct _RsvgNode {
+     RsvgState *state;
+     RsvgNode *parent;
+-    GString *type;
+     GPtrArray *children;
++    RsvgNodeType type;
++    const char *name; /* owned by the xmlContext, invalid after parsing! */
+     void (*free) (RsvgNode * self);
+     void (*draw) (RsvgNode * self, RsvgDrawingCtx * ctx, int dominate);
+     void (*set_atts) (RsvgNode * self, RsvgHandle * ctx, RsvgPropertyBag *);
+ };
+ 
++#define RSVG_NODE_TYPE(node)                ((node)->type)
++#define RSVG_NODE_IS_FILTER_PRIMITIVE(node) (RSVG_NODE_TYPE((node)) & RSVG_NODE_TYPE_FILTER_PRIMITIVE)
++
+ struct _RsvgNodeChars {
+     RsvgNode super;
+     GString *contents;
+diff --git a/rsvg-shapes.c b/rsvg-shapes.c
+index d481abf..07baf24 100644
+--- a/rsvg-shapes.c
++++ b/rsvg-shapes.c
+@@ -89,7 +89,7 @@ rsvg_new_path (void)
+ {
+     RsvgNodePath *path;
+     path = g_new (RsvgNodePath, 1);
+-    _rsvg_node_init (&path->super);
++    _rsvg_node_init (&path->super, RSVG_NODE_TYPE_PATH);
+     path->d = NULL;
+     path->super.free = rsvg_node_path_free;
+     path->super.draw = rsvg_node_path_draw;
+@@ -101,7 +101,6 @@ rsvg_new_path (void)
+ struct _RsvgNodePoly {
+     RsvgNode super;
+     gdouble *pointlist;
+-    gboolean is_polyline;
+     guint pointlist_len;
+ };
+ 
+@@ -126,7 +125,8 @@ _rsvg_node_poly_set_atts (RsvgNode * self, RsvgHandle * ctx, RsvgPropertyBag * a
+             rsvg_defs_register_name (ctx->priv->defs, value, self);
+         }
+ 
+-        rsvg_parse_style_attrs (ctx, self->state, (poly->is_polyline ? "polyline" : "polygon"),
++        rsvg_parse_style_attrs (ctx, self->state,
++                                RSVG_NODE_TYPE (self) == RSVG_NODE_TYPE_POLYLINE ? "polyline" : "polygon",
+                                 klazz, id, atts);
+     }
+ 
+@@ -160,7 +160,7 @@ _rsvg_node_poly_draw (RsvgNode * self, RsvgDrawingCtx * ctx, int dominate)
+         g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), poly->pointlist[i + 1]));
+     }
+ 
+-    if (!poly->is_polyline)
++    if (RSVG_NODE_TYPE (self) == RSVG_NODE_TYPE_POLYGON)
+         g_string_append (d, " Z");
+ 
+     rsvg_state_reinherit_top (ctx, self->state, dominate);
+@@ -181,16 +181,15 @@ _rsvg_node_poly_free (RsvgNode * self)
+ 
+ 
+ static RsvgNode *
+-rsvg_new_any_poly (gboolean is_polyline)
++rsvg_new_any_poly (RsvgNodeType type)
+ {
+     RsvgNodePoly *poly;
+     poly = g_new (RsvgNodePoly, 1);
+-    _rsvg_node_init (&poly->super);
++    _rsvg_node_init (&poly->super, type);
+     poly->super.free = _rsvg_node_poly_free;
+     poly->super.draw = _rsvg_node_poly_draw;
+     poly->super.set_atts = _rsvg_node_poly_set_atts;
+     poly->pointlist = NULL;
+-    poly->is_polyline = is_polyline;
+     poly->pointlist_len = 0;
+     return &poly->super;
+ }
+@@ -198,13 +197,13 @@ rsvg_new_any_poly (gboolean is_polyline)
+ RsvgNode *
+ rsvg_new_polygon (void)
+ {
+-    return rsvg_new_any_poly (FALSE);
++    return rsvg_new_any_poly (RSVG_NODE_TYPE_POLYGON);
+ }
+ 
+ RsvgNode *
+ rsvg_new_polyline (void)
+ {
+-    return rsvg_new_any_poly (TRUE);
++    return rsvg_new_any_poly (RSVG_NODE_TYPE_POLYLINE);
+ }
+ 
+ 
+@@ -275,7 +274,7 @@ rsvg_new_line (void)
+ {
+     RsvgNodeLine *line;
+     line = g_new (RsvgNodeLine, 1);
+-    _rsvg_node_init (&line->super);
++    _rsvg_node_init (&line->super, RSVG_NODE_TYPE_LINE);
+     line->super.draw = _rsvg_node_line_draw;
+     line->super.set_atts = _rsvg_node_line_set_atts;
+     line->x1 = line->x2 = line->y1 = line->y2 = _rsvg_css_parse_length ("0");
+@@ -451,7 +450,7 @@ rsvg_new_rect (void)
+ {
+     RsvgNodeRect *rect;
+     rect = g_new (RsvgNodeRect, 1);
+-    _rsvg_node_init (&rect->super);
++    _rsvg_node_init (&rect->super, RSVG_NODE_TYPE_RECT);
+     rect->super.draw = _rsvg_node_rect_draw;
+     rect->super.set_atts = _rsvg_node_rect_set_atts;
+     rect->x = rect->y = rect->w = rect->h = rect->rx = rect->ry = _rsvg_css_parse_length ("0");
+@@ -577,7 +576,7 @@ rsvg_new_circle (void)
+ {
+     RsvgNodeCircle *circle;
+     circle = g_new (RsvgNodeCircle, 1);
+-    _rsvg_node_init (&circle->super);
++    _rsvg_node_init (&circle->super, RSVG_NODE_TYPE_CIRCLE);
+     circle->super.draw = _rsvg_node_circle_draw;
+     circle->super.set_atts = _rsvg_node_circle_set_atts;
+     circle->cx = circle->cy = circle->r = _rsvg_css_parse_length ("0");
+@@ -703,7 +702,7 @@ rsvg_new_ellipse (void)
+ {
+     RsvgNodeEllipse *ellipse;
+     ellipse = g_new (RsvgNodeEllipse, 1);
+-    _rsvg_node_init (&ellipse->super);
++    _rsvg_node_init (&ellipse->super, RSVG_NODE_TYPE_ELLIPSE);
+     ellipse->super.draw = _rsvg_node_ellipse_draw;
+     ellipse->super.set_atts = _rsvg_node_ellipse_set_atts;
+     ellipse->cx = ellipse->cy = ellipse->rx = ellipse->ry = _rsvg_css_parse_length ("0");
+diff --git a/rsvg-shapes.h b/rsvg-shapes.h
+index 7cf6621..baad98f 100644
+--- a/rsvg-shapes.h
++++ b/rsvg-shapes.h
+@@ -34,7 +34,7 @@
+ 
+ G_BEGIN_DECLS 
+ 
+-RsvgNode * rsvg_new_path (void);
++RsvgNode *rsvg_new_path (void);
+ RsvgNode *rsvg_new_polygon (void);
+ RsvgNode *rsvg_new_polyline (void);
+ RsvgNode *rsvg_new_line (void);
+diff --git a/rsvg-structure.c b/rsvg-structure.c
+index b078fea..33889be 100644
+--- a/rsvg-structure.c
++++ b/rsvg-structure.c
+@@ -103,8 +103,10 @@ _rsvg_node_dont_set_atts (RsvgNode * node, RsvgHandle * ctx, RsvgPropertyBag * a
+ }
+ 
+ void
+-_rsvg_node_init (RsvgNode * self)
++_rsvg_node_init (RsvgNode * self,
++                 RsvgNodeType type)
+ {
++    self->type = type;
+     self->parent = NULL;
+     self->children = g_ptr_array_new ();
+     self->state = g_new (RsvgState, 1);
+@@ -112,7 +114,6 @@ _rsvg_node_init (RsvgNode * self)
+     self->free = _rsvg_node_free;
+     self->draw = _rsvg_node_draw_nothing;
+     self->set_atts = _rsvg_node_dont_set_atts;
+-    self->type = NULL;
+ }
+ 
+ void
+@@ -124,8 +125,6 @@ _rsvg_node_finalize (RsvgNode * self)
+     }
+     if (self->children != NULL)
+         g_ptr_array_free (self->children, TRUE);
+-    if (self->type != NULL)
+-        g_string_free (self->type, TRUE);
+ }
+ 
+ void
+@@ -157,7 +156,7 @@ rsvg_new_group (void)
+ {
+     RsvgNodeGroup *group;
+     group = g_new (RsvgNodeGroup, 1);
+-    _rsvg_node_init (&group->super);
++    _rsvg_node_init (&group->super, RSVG_NODE_TYPE_GROUP);
+     group->super.draw = _rsvg_node_draw_children;
+     group->super.set_atts = rsvg_node_group_set_atts;
+     return &group->super;
+@@ -166,8 +165,8 @@ rsvg_new_group (void)
+ void
+ rsvg_pop_def_group (RsvgHandle * ctx)
+ {
+-    if (ctx->priv->currentnode != NULL)
+-        ctx->priv->currentnode = ctx->priv->currentnode->parent;
++    g_assert (ctx->priv->currentnode != NULL);
++    ctx->priv->currentnode = ctx->priv->currentnode->parent;
+ }
+ 
+ void
+@@ -218,7 +217,7 @@ rsvg_node_use_draw (RsvgNode * self, RsvgDrawingCtx * ctx, int dominate)
+         return;
+ 
+     state = rsvg_current_state (ctx);
+-    if (strcmp (child->type->str, "symbol")) {
++    if (RSVG_NODE_TYPE (child) != RSVG_NODE_TYPE_SYMBOL) {
+         _rsvg_affine_translate (affine, x, y);
+         _rsvg_affine_multiply (state->affine, affine, state->affine);
+ 
+@@ -397,7 +396,7 @@ rsvg_new_svg (void)
+ {
+     RsvgNodeSvg *svg;
+     svg = g_new (RsvgNodeSvg, 1);
+-    _rsvg_node_init (&svg->super);
++    _rsvg_node_init (&svg->super, RSVG_NODE_TYPE_SVG);
+     svg->vbox.active = FALSE;
+     svg->preserve_aspect_ratio = RSVG_ASPECT_RATIO_XMID_YMID;
+     svg->x = _rsvg_css_parse_length ("0");
+@@ -444,7 +443,7 @@ rsvg_new_use (void)
+ {
+     RsvgNodeUse *use;
+     use = g_new (RsvgNodeUse, 1);
+-    _rsvg_node_init (&use->super);
++    _rsvg_node_init (&use->super, RSVG_NODE_TYPE_USE);
+     use->super.draw = rsvg_node_use_draw;
+     use->super.set_atts = rsvg_node_use_set_atts;
+     use->x = _rsvg_css_parse_length ("0");
+@@ -485,7 +484,7 @@ rsvg_new_symbol (void)
+ {
+     RsvgNodeSymbol *symbol;
+     symbol = g_new (RsvgNodeSymbol, 1);
+-    _rsvg_node_init (&symbol->super);
++    _rsvg_node_init (&symbol->super, RSVG_NODE_TYPE_SYMBOL);
+     symbol->vbox.active = FALSE;
+     symbol->preserve_aspect_ratio = RSVG_ASPECT_RATIO_XMID_YMID;
+     symbol->super.draw = _rsvg_node_draw_nothing;
+@@ -498,7 +497,7 @@ rsvg_new_defs (void)
+ {
+     RsvgNodeGroup *group;
+     group = g_new (RsvgNodeGroup, 1);
+-    _rsvg_node_init (&group->super);
++    _rsvg_node_init (&group->super, RSVG_NODE_TYPE_DEFS);
+     group->super.draw = _rsvg_node_draw_nothing;
+     group->super.set_atts = rsvg_node_group_set_atts;
+     return &group->super;
+@@ -533,7 +532,7 @@ rsvg_new_switch (void)
+ {
+     RsvgNodeGroup *group;
+     group = g_new (RsvgNodeGroup, 1);
+-    _rsvg_node_init (&group->super);
++    _rsvg_node_init (&group->super, RSVG_NODE_TYPE_SWITCH);
+     group->super.draw = _rsvg_node_switch_draw;
+     group->super.set_atts = rsvg_node_group_set_atts;
+     return &group->super;
+diff --git a/rsvg-structure.h b/rsvg-structure.h
+index d672977..7d17c82 100644
+--- a/rsvg-structure.h
++++ b/rsvg-structure.h
+@@ -36,7 +36,7 @@
+ 
+ G_BEGIN_DECLS 
+ 
+-RsvgNode * rsvg_new_use (void);
++RsvgNode *rsvg_new_use (void);
+ RsvgNode *rsvg_new_symbol (void);
+ RsvgNode *rsvg_new_svg (void);
+ RsvgNode *rsvg_new_defs (void);
+@@ -50,6 +50,7 @@ typedef struct _RsvgNodeSvg RsvgNodeSvg;
+ 
+ struct _RsvgNodeGroup {
+     RsvgNode super;
++    char *name;
+ };
+ 
+ struct _RsvgNodeSymbol {
+@@ -80,7 +81,7 @@ void rsvg_node_draw         (RsvgNode * self, RsvgDrawingCtx * ctx, int dominate
+ void _rsvg_node_draw_children   (RsvgNode * self, RsvgDrawingCtx * ctx, int dominate);
+ void _rsvg_node_finalize    (RsvgNode * self);
+ void _rsvg_node_free        (RsvgNode * self);
+-void _rsvg_node_init        (RsvgNode * self);
++void _rsvg_node_init        (RsvgNode * self, RsvgNodeType type);
+ void _rsvg_node_svg_apply_atts  (RsvgNodeSvg * self, RsvgHandle * ctx);
+ 
+ G_END_DECLS
+diff --git a/rsvg-text.c b/rsvg-text.c
+index 7066f24..89720de 100644
+--- a/rsvg-text.c
++++ b/rsvg-text.c
+@@ -170,17 +170,19 @@ _rsvg_node_text_type_children (RsvgNode * self, RsvgDrawingCtx * ctx,
+     rsvg_push_discrete_layer (ctx);
+     for (i = 0; i < self->children->len; i++) {
+         RsvgNode *node = g_ptr_array_index (self->children, i);
+-        if (!strcmp (node->type->str, "RSVG_NODE_CHARS")) {
++        RsvgNodeType type = RSVG_NODE_TYPE (node);
++
++        if (type == RSVG_NODE_TYPE_CHARS) {
+             RsvgNodeChars *chars = (RsvgNodeChars *) node;
+             GString *str = _rsvg_text_chomp (rsvg_current_state (ctx), chars->contents, lastwasspace);
+             rsvg_text_render_text (ctx, str->str, x, y);
+             g_string_free (str, TRUE);
+-        } else if (!strcmp (node->type->str, "tspan")) {
++        } else if (type == RSVG_NODE_TYPE_TSPAN) {
+             RsvgNodeText *tspan = (RsvgNodeText *) node;
+             rsvg_state_push (ctx);
+             _rsvg_node_text_type_tspan (tspan, ctx, x, y, lastwasspace);
+             rsvg_state_pop (ctx);
+-        } else if (!strcmp (node->type->str, "tref")) {
++        } else if (type == RSVG_NODE_TYPE_TREF) {
+             RsvgNodeTref *tref = (RsvgNodeTref *) node;
+             _rsvg_node_text_type_tref (tref, ctx, x, y, lastwasspace);
+         }
+@@ -206,17 +208,19 @@ _rsvg_node_text_length_children (RsvgNode * self, RsvgDrawingCtx * ctx,
+     int out = FALSE;
+     for (i = 0; i < self->children->len; i++) {
+         RsvgNode *node = g_ptr_array_index (self->children, i);
++        RsvgNodeType type = RSVG_NODE_TYPE (node);
++
+         rsvg_state_push (ctx);
+         rsvg_state_reinherit_top (ctx, node->state, 0);
+-        if (!strcmp (node->type->str, "RSVG_NODE_CHARS")) {
++        if (type == RSVG_NODE_TYPE_CHARS) {
+             RsvgNodeChars *chars = (RsvgNodeChars *) node;
+             GString *str = _rsvg_text_chomp (rsvg_current_state (ctx), chars->contents, lastwasspace);
+             *x += rsvg_text_length_text_as_string (ctx, str->str);
+             g_string_free (str, TRUE);
+-        } else if (!strcmp (node->type->str, "tspan")) {
++        } else if (type == RSVG_NODE_TYPE_TSPAN) {
+             RsvgNodeText *tspan = (RsvgNodeText *) node;
+             out = _rsvg_node_text_length_tspan (tspan, ctx, x, lastwasspace);
+-        } else if (!strcmp (node->type->str, "tref")) {
++        } else if (type == RSVG_NODE_TYPE_TREF) {
+             RsvgNodeTref *tref = (RsvgNodeTref *) node;
+             out = _rsvg_node_text_length_tref (tref, ctx, x, lastwasspace);
+         }
+@@ -259,7 +263,7 @@ rsvg_new_text (void)
+ {
+     RsvgNodeText *text;
+     text = g_new (RsvgNodeText, 1);
+-    _rsvg_node_init (&text->super);
++    _rsvg_node_init (&text->super, RSVG_NODE_TYPE_TEXT);
+     text->super.draw = _rsvg_node_text_draw;
+     text->super.set_atts = _rsvg_node_text_set_atts;
+     text->x = text->y = text->dx = text->dy = _rsvg_css_parse_length ("0");
+@@ -331,7 +335,7 @@ rsvg_new_tspan (void)
+ {
+     RsvgNodeText *text;
+     text = g_new (RsvgNodeText, 1);
+-    _rsvg_node_init (&text->super);
++    _rsvg_node_init (&text->super, RSVG_NODE_TYPE_TSPAN);
+     text->super.set_atts = _rsvg_node_tspan_set_atts;
+     text->x.factor = text->y.factor = 'n';
+     text->dx = text->dy = _rsvg_css_parse_length ("0");
+@@ -374,7 +378,7 @@ rsvg_new_tref (void)
+ {
+     RsvgNodeTref *text;
+     text = g_new (RsvgNodeTref, 1);
+-    _rsvg_node_init (&text->super);
++    _rsvg_node_init (&text->super, RSVG_NODE_TYPE_TREF);
+     text->super.set_atts = _rsvg_node_tref_set_atts;
+     text->link = NULL;
+     return &text->super;
+-- 
+1.7.0.5
+
diff --git a/meta/recipes-gnome/librsvg/librsvg_2.32.1.bb b/meta/recipes-gnome/librsvg/librsvg_2.32.1.bb
index 1e57647..ed2630e 100644
--- a/meta/recipes-gnome/librsvg/librsvg_2.32.1.bb
+++ b/meta/recipes-gnome/librsvg/librsvg_2.32.1.bb
@@ -9,13 +9,15 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
 SECTION = "x11/utils"
 DEPENDS = "gtk+ libcroco cairo libxml2 popt"
 
-PR = "r5"
+PR = "r6"
 
 inherit autotools pkgconfig gnome
 
 EXTRA_OECONF = "--disable-mozilla-plugin --without-svgz --without-croco --disable-gnome-vfs"
 
-SRC_URI += "file://doc_Makefile.patch"
+SRC_URI += "file://doc_Makefile.patch \
+	    file://librsvg-CVE-2011-3146.patch \
+	    "
 
 SRC_URI[archive.md5sum] = "4b00d0fee130c936644892c152f42db7"
 SRC_URI[archive.sha256sum] = "91b98051f352fab8a6257688d6b2fd665b4648ed66144861f2f853ccf876d334"
-- 
1.7.9.5

[PATCH 15/15] cups: patch for CVE-2011-2896

[Scott Garman]

Patch from: http://cups.org/strfiles/3867/str3867.patch

The LZW decompressor in the LWZReadByte function in giftoppm.c in the
David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw
function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte
function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier,
the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4
and earlier, and other products, does not properly handle code words
that are absent from the decompression table when encountered, which
allows remote attackers to trigger an infinite loop or a heap-based
buffer overflow, and possibly execute arbitrary code, via a crafted
compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2896

[YOCTO #3582]
[ CQID: WIND00299595 ]

Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>

Merged with denzil branch, partial fix for denzil bug [YOCTO #3652]

Signed-off-by: Scott Garman <scott.a.garman@intel.com>
---
 .../cups/cups-1.4.6/cups-CVE-2011-2896.patch       |  140 ++++++++++++++++++++
 meta/recipes-extended/cups/cups_1.4.6.bb           |    3 +-
 2 files changed, 142 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-extended/cups/cups-1.4.6/cups-CVE-2011-2896.patch

diff --git a/meta/recipes-extended/cups/cups-1.4.6/cups-CVE-2011-2896.patch b/meta/recipes-extended/cups/cups-1.4.6/cups-CVE-2011-2896.patch
new file mode 100644
index 0000000..7c6f75b
--- /dev/null
+++ b/meta/recipes-extended/cups/cups-1.4.6/cups-CVE-2011-2896.patch
@@ -0,0 +1,140 @@
+cups - CVE-2011-2896
+
+the patch come from:
+http://cups.org/strfiles/3867/str3867.patch
+
+The LZW decompressor in the LWZReadByte function in giftoppm.c
+in the David Koblas GIF decoder in PBMPLUS, as used in the
+gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7,
+the LZWReadByte function in plug-ins/common/file-gif-load.c
+in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c
+in XPCE in SWI-Prolog 5.10.4 and earlier, and other products,
+does not properly handle code words that are absent from the
+decompression table when encountered, which allows remote attackers to
+trigger an infinite loop or a heap-based buffer overflow, and possibly
+execute arbitrary code, via a crafted compressed stream, a related
+issue to CVE-2006-1168 and CVE-2011-2895.
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2896
+
+Integrated-by: Li Wang <li.wang@windriver.com>
+---
+ filter/image-gif.c |   46 ++++++++++++++++++++--------------------------
+ 1 files changed, 20 insertions(+), 26 deletions(-)
+
+diff --git a/filter/image-gif.c b/filter/image-gif.c
+index 3857c21..fa9691e 100644
+--- a/filter/image-gif.c
++++ b/filter/image-gif.c
+@@ -353,7 +353,7 @@ gif_get_code(FILE *fp,			/* I - File to read from */
+     * Read in another buffer...
+     */
+ 
+-    if ((count = gif_get_block (fp, buf + last_byte)) <= 0)
++    if ((count = gif_get_block(fp, buf + last_byte)) <= 0)
+     {
+      /*
+       * Whoops, no more data!
+@@ -582,19 +582,13 @@ gif_read_lzw(FILE *fp,			/* I - File to read from */
+     gif_get_code(fp, 0, 1);
+ 
+    /*
+-    * Wipe the decompressor table...
++    * Wipe the decompressor table (already mostly 0 due to the calloc above...)
+     */
+ 
+     fresh = 1;
+ 
+-    for (i = 0; i < clear_code; i ++)
+-    {
+-      table[0][i] = 0;
++    for (i = 1; i < clear_code; i ++)
+       table[1][i] = i;
+-    }
+-
+-    for (; i < 4096; i ++)
+-      table[0][i] = table[1][0] = 0;
+ 
+     sp = stack;
+ 
+@@ -605,29 +599,30 @@ gif_read_lzw(FILE *fp,			/* I - File to read from */
+     fresh = 0;
+ 
+     do
++    {
+       firstcode = oldcode = gif_get_code(fp, code_size, 0);
++    }
+     while (firstcode == clear_code);
+ 
+-    return (firstcode);
++    return (firstcode & 255);
+   }
+   else if (!table)
+     return (0);
+ 
+   if (sp > stack)
+-    return (*--sp);
++    return ((*--sp) & 255);
+ 
+-  while ((code = gif_get_code (fp, code_size, 0)) >= 0)
++  while ((code = gif_get_code(fp, code_size, 0)) >= 0)
+   {
+     if (code == clear_code)
+     {
+-      for (i = 0; i < clear_code; i ++)
+-      {
+-	table[0][i] = 0;
+-	table[1][i] = i;
+-      }
++     /*
++      * Clear/reset the compression table...
++      */
+ 
+-      for (; i < 4096; i ++)
+-	table[0][i] = table[1][i] = 0;
++      memset(table, 0, 2 * sizeof(gif_table_t));
++      for (i = 1; i < clear_code; i ++)
++	table[1][i] = i;
+ 
+       code_size     = set_code_size + 1;
+       max_code_size = 2 * clear_code;
+@@ -637,12 +632,11 @@ gif_read_lzw(FILE *fp,			/* I - File to read from */
+ 
+       firstcode = oldcode = gif_get_code(fp, code_size, 0);
+ 
+-      return (firstcode);
++      return (firstcode & 255);
+     }
+-    else if (code == end_code)
++    else if (code == end_code || code > max_code)
+     {
+-      unsigned char	buf[260];
+-
++      unsigned char	buf[260];	/* Block buffer */
+ 
+       if (!gif_eof)
+         while (gif_get_block(fp, buf) > 0);
+@@ -652,7 +646,7 @@ gif_read_lzw(FILE *fp,			/* I - File to read from */
+ 
+     incode = code;
+ 
+-    if (code >= max_code)
++    if (code == max_code)
+     {
+       if (sp < (stack + 8192))
+ 	*sp++ = firstcode;
+@@ -690,10 +684,10 @@ gif_read_lzw(FILE *fp,			/* I - File to read from */
+     oldcode = incode;
+ 
+     if (sp > stack)
+-      return (*--sp);
++      return ((*--sp) & 255);
+   }
+ 
+-  return (code);
++  return (code & 255);
+ }
+ 
+ 
+-- 
+1.7.0.5
+
diff --git a/meta/recipes-extended/cups/cups_1.4.6.bb b/meta/recipes-extended/cups/cups_1.4.6.bb
index ec555d7..3e31c08 100644
--- a/meta/recipes-extended/cups/cups_1.4.6.bb
+++ b/meta/recipes-extended/cups/cups_1.4.6.bb
@@ -1,6 +1,6 @@
 require cups14.inc
 
-PR = "r3"
+PR = "r4"
 DEPENDS += "libusb \
        ${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=956e7600195e6139f12de8c2a5bbefa9"
 SRC_URI += " \
 	file://use_echo_only_in_init.patch \
     file://0001-don-t-try-to-run-generated-binaries.patch \
+    file://cups-CVE-2011-2896.patch \
 	"
 
 SRC_URI[md5sum] = "de8fb5a29c36554925c0c6a6e2c0dae1"
-- 
1.7.9.5

Re: [PATCH 00/15] denzil pull request 5

[Richard Purdie]

On Fri, 2012-12-28 at 13:41 -0800, Scott Garman wrote:
> This is a pull request for denzil, it includes a number of security
> fixes and a few important bugfixes. The poky-based tree has been run
> through the autobuilder as follows:
[...]
> The following changes since commit d35560f33f257bd12a07c7c0be770319086d6ad9:
> 
>   squashfs: fix for CVE-2012-4024 (2012-11-30 14:51:10 -0800)
> 
> are available in the git repository at:
> 
>   git://git.openembedded.org/openembedded-core-contrib sgarman/denzil-next-pull5
>   http://cgit.openembedded.org/cgit.cgi/openembedded-core-contrib/log/?h=sgarman/denzil-next-pull5
> 
> Khem Raj (5):
>   coreutils: Fix build with eglibc 2.16
>   diffutils: Fix build with eglibc 2.16
>   gettext,m4,augeas,gnutls: Account for removal of gets in eglibc 2.16
>   bison: Fix for gets being removed from eglibc 2.16
>   grub,guile,cpio,tar,wget: Fix gnulib for absense of gets in eglibc
> 
> Li Wang (1):
>   librsvg: CVE-2011-3146
> 
> Mihai Lindner (1):
>   sysklogd: removed tabs from syslog.conf
> 
> Richard Purdie (1):
>   boot-directdisk: Fix kernel location after STAGING_KERNEL_DIR change
> 
> Scott Garman (6):
>   psplash: new patch to fix segfault
>   build-appliance-image: Allow SRCREV to be overriden
>   gitignore: add generated doc files to ignore list
>   libxml2: patch for CVE-2012-2871
>   freetype: patches for CVE-2012-5668, 5669, and 5670
>   cups: patch for CVE-2011-2896
> 
> yanjun.zhu (1):
>   squashfs: fix CVE-2012-4025

Merged into denzil, thanks.

Richard