* [OE-core][dunfell 00/24] Patch review
@ 2020-09-14 14:11 Steve Sakoman
From: Steve Sakoman @ 2020-09-14 14:11 UTC (permalink / raw)
To: openembedded-core
Please review this next set of patches for dunfell and have comments back
by end of day Wednesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1381
The following changes since commit 210ebed1e9c2285d6e457bf03d1f1a1f3ddc7fda:
package: get_package_mapping: avoid dependency mapping if renamed package provides original name (2020-09-04 04:31:45 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Adrian Freihofer (1):
oe-publish-sdk: fix layers init via ssh
Chris Laplante (4):
cve-update-db-native: add progress handler
cve-check/cve-update-db-native: use lockfile to fix usage under
multiconfig
cve-update-db-native: use context manager for cve_f
cve-check: avoid FileNotFoundError if no do_cve_check task has run
Khem Raj (2):
uninative: Upgrade to 2.9
rpcbind: Use update-alternatives for rpcinfo
Lee Chee Yang (3):
xserver-xorg: fix CVE-2020-14347
qemu: fix CVE-2020-14364 CVE-2020-14415
libx11 : fix CVE-2020-14344
Matt Madison (1):
image.bbclass: fix REPRODUCIBLE_TIMESTAMP_ROOTFS reference
Oleksandr Kravchuk (1):
ell: update to 0.33
Ovidiu Panait (1):
libxml2: Fix CVE-2020-24977
Rahul Kumar (1):
systemd-serialgetty: Fix sed expression quoting
Richard Purdie (3):
runqemu: Add a hook to allow it to renice
selftest/signing: Ensure build path relocation is safe
oeqa/concurrencytest: Improve builddir path manipulations
Ross Burton (5):
gdk-pixbuf: add tests PACKAGECONFIG
insane: only load real files as ELF
autoconf: consolidate DEPENDS
curl: add vendors to CVE_PRODUCT to exclude false positives
cmake: whitelist CVE-2016-10642
Zhixiong Chi (1):
gnutls: CVE-2020-24659
akuster (1):
cve-check.bbclass: always save cve report
meta/classes/cve-check.bbclass | 34 ++
meta/classes/image.bbclass | 2 +-
meta/classes/insane.bbclass | 13 +-
meta/conf/distro/include/yocto-uninative.inc | 10 +-
meta/lib/oeqa/selftest/cases/signing.py | 4 +-
meta/lib/oeqa/selftest/context.py | 4 +-
.../ell/{ell_0.32.bb => ell_0.33.bb} | 2 +-
.../libxml/libxml2/CVE-2020-24977.patch | 41 +++
meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 +
.../recipes-core/meta/cve-update-db-native.bb | 96 +++---
.../systemd/systemd-serialgetty.bb | 2 +-
meta/recipes-devtools/autoconf/autoconf.inc | 5 +-
meta/recipes-devtools/cmake/cmake.inc | 4 +
meta/recipes-devtools/qemu/qemu.inc | 2 +
.../qemu/qemu/CVE-2020-14364.patch | 93 +++++
.../qemu/qemu/CVE-2020-14415.patch | 37 ++
.../recipes-extended/rpcbind/rpcbind_1.2.5.bb | 5 +-
.../gdk-pixbuf/gdk-pixbuf_2.40.0.bb | 8 +-
.../xorg-lib/libx11/CVE-2020-14344.patch | 321 ++++++++++++++++++
.../recipes-graphics/xorg-lib/libx11_1.6.9.bb | 4 +-
.../xserver-xorg/CVE-2020-14347.patch | 38 +++
.../xorg-xserver/xserver-xorg_1.20.8.bb | 1 +
meta/recipes-support/curl/curl_7.69.1.bb | 4 +-
.../gnutls/gnutls/CVE-2020-24659.patch | 117 +++++++
meta/recipes-support/gnutls/gnutls_3.6.14.bb | 1 +
scripts/oe-publish-sdk | 2 +-
scripts/runqemu | 5 +
27 files changed, 782 insertions(+), 74 deletions(-)
rename meta/recipes-core/ell/{ell_0.32.bb => ell_0.33.bb} (89%)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-14415.patch
create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2020-14344.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch
--
2.17.1
* [OE-core][dunfell 01/24] uninative: Upgrade to 2.9
From: Steve Sakoman @ 2020-09-14 14:11 UTC (permalink / raw)
To: openembedded-core
From: Khem Raj <raj.khem@gmail.com>
This supports glibc up to 2.32, which is now rolling into distributions.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5cda8c7d642cfb72242c95f450e3391bd6537709)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/conf/distro/include/yocto-uninative.inc | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 889695eae3..69b6edee5f 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,9 +6,9 @@
# to the distro running on the build machine.
#
-UNINATIVE_MAXGLIBCVERSION = "2.31"
+UNINATIVE_MAXGLIBCVERSION = "2.32"
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.8/"
-UNINATIVE_CHECKSUM[aarch64] ?= "989187344bf9539b464fb7ed9c223e51f4bdb4c7a677d2c314e6fed393176efe"
-UNINATIVE_CHECKSUM[i686] ?= "cc3e45bc8594488b407363e3fa9af5a099279dab2703c64342098719bd674990"
-UNINATIVE_CHECKSUM[x86_64] ?= "a09922172c3a439105e0ae6b943daad2d83505b17da0aba97961ff433b8c21ab"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.9/"
+UNINATIVE_CHECKSUM[aarch64] ?= "9f25a667aee225b1dd65c4aea73e01983e825b1cb9b56937932a1ee328b45f81"
+UNINATIVE_CHECKSUM[i686] ?= "cae5d73245d95b07cf133b780ba3f6c8d0adca3ffc4e7e7fab999961d5e24d36"
+UNINATIVE_CHECKSUM[x86_64] ?= "d07916b95c419c81541a19c8ef0ed8cbd78ae18437ff28a4c8a60ef40518e423"
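Review bot: UNINATIVE_URL stays on plain http, so the three sha256 values updated in the second half of this hunk are the only integrity protection for the fetched tarballs; they should be the checksums published with the 2.9 release rather than values recomputed from a tarball pulled over the unauthenticated link. The UNINATIVE_MAXGLIBCVERSION bump to "2.32" matches what the commit message says.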
--
2.17.1
* [OE-core][dunfell 02/24] xserver-xorg: fix CVE-2020-14347
From: Steve Sakoman @ 2020-09-14 14:11 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../xserver-xorg/CVE-2020-14347.patch | 38 +++++++++++++++++++
.../xorg-xserver/xserver-xorg_1.20.8.bb | 1 +
2 files changed, 39 insertions(+)
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch
new file mode 100644
index 0000000000..cf3f5f9417
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch
@@ -0,0 +1,38 @@
+From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Sat, 25 Jul 2020 19:33:50 +0200
+Subject: [PATCH] fix for ZDI-11426
+
+Avoid leaking un-initalized memory to clients by zeroing the
+whole pixmap on initial allocation.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/aac28e162e5108510065ad4c323affd6deffd816]
+CVE: CVE-2020-14347
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ dix/pixmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dix/pixmap.c b/dix/pixmap.c
+index 1186d7dbbf..5a0146bbb6 100644
+--- a/dix/pixmap.c
++++ b/dix/pixmap.c
+@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize)
+ if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
+ return NullPixmap;
+
+- pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
++ pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
+ if (!pPixmap)
+ return NullPixmap;
+
+--
+GitLab
+
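Review bot: the one-line change at the end of the nested diff replaces malloc() with calloc(1, ...) in AllocatePixmap(), so both the pixmap header and the pixel data are zeroed before a client can read them; the size_t wrap check on totalPixmapSize + pixDataSize just above it still guards the size, and with a count of 1 the calloc() multiplication cannot overflow either. Two style points: there are two blank lines before the Upstream-Status tag, and the OE Signed-off-by reads "Chee Yang Lee" while the From line of the cover reads "Lee Chee Yang"; one ordering would be tidier.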
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
index 3f7fbe85b8..5101134538 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
@@ -5,6 +5,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
file://0001-test-xtest-Initialize-array-with-braces.patch \
file://sdksyms-no-build-path.patch \
file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
+ file://CVE-2020-14347.patch \
"
SRC_URI[md5sum] = "a770aec600116444a953ff632f51f839"
SRC_URI[sha256sum] = "d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146"
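Review bot: adding file://CVE-2020-14347.patch to SRC_URI is all the recipe needs here: the "CVE: CVE-2020-14347" line in the patch header is what cve-check.bbclass reads to report the issue as patched, so no CVE_CHECK_WHITELIST entry is required. The continuation backslash on the new line and the closing quote on its own line follow the existing layout of the list.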
--
2.17.1
* [OE-core][dunfell 03/24] qemu: fix CVE-2020-14364 CVE-2020-14415
From: Steve Sakoman @ 2020-09-14 14:11 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 2 +
.../qemu/qemu/CVE-2020-14364.patch | 93 +++++++++++++++++++
.../qemu/qemu/CVE-2020-14415.patch | 37 ++++++++
3 files changed, 132 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-14415.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 49dbb1c13d..e0ea5ad477 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -45,6 +45,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2020-13800.patch \
file://CVE-2020-13362.patch \
file://CVE-2020-15863.patch \
+ file://CVE-2020-14364.patch \
+ file://CVE-2020-14415.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch
new file mode 100644
index 0000000000..8333025a32
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch
@@ -0,0 +1,93 @@
+From b946434f2659a182afc17e155be6791ebfb302eb Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 25 Aug 2020 07:36:36 +0200
+Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364)
+
+Store calculated setup_len in a local variable, verify it, and only
+write it to the struct (USBDevice->setup_len) in case it passed the
+sanity checks.
+
+This prevents other code (do_token_{in,out} functions specifically)
+from working with invalid USBDevice->setup_len values and overrunning
+the USBDevice->setup_buf[] buffer.
+
+Fixes: CVE-2020-14364
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Gonglei <arei.gonglei@huawei.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-id: 20200825053636.29648-1-kraxel@redhat.com
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=patch;h=b946434f2659a182afc17e155be6791ebfb302eb]
+CVE: CVE-2020-14364
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/usb/core.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index 5abd128..5234dcc 100644
+--- a/hw/usb/core.c
++++ b/hw/usb/core.c
+@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
+ static void do_token_setup(USBDevice *s, USBPacket *p)
+ {
+ int request, value, index;
++ unsigned int setup_len;
+
+ if (p->iov.size != 8) {
+ p->status = USB_RET_STALL;
+@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+ usb_packet_copy(p, s->setup_buf, p->iov.size);
+ s->setup_index = 0;
+ p->actual_length = 0;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
++ s->setup_len = setup_len;
+
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
+ static void do_parameter(USBDevice *s, USBPacket *p)
+ {
+ int i, request, value, index;
++ unsigned int setup_len;
+
+ for (i = 0; i < 8; i++) {
+ s->setup_buf[i] = p->parameter >> (i*8);
+ }
+
+ s->setup_state = SETUP_STATE_PARAM;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+ s->setup_index = 0;
+
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+ index = (s->setup_buf[5] << 8) | s->setup_buf[4];
+
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
++ s->setup_len = setup_len;
+
+ if (p->pid == USB_TOKEN_OUT) {
+ usb_packet_copy(p, s->data_buf, s->setup_len);
+--
+1.8.3.1
+
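Review bot: the fix is correct as far as the hunk shows: in both do_token_setup() and do_parameter() the length is computed into the local setup_len, bounds-checked against sizeof(s->data_buf), and only then stored to s->setup_len, so do_token_{in,out} never see a value that failed the check. One minor point in both fprintf() calls: the format keeps "%d" while setup_len is now unsigned int, so -Wformat will warn; "%u" would match the type. In do_parameter() the store now happens after the request/value/index reads, which is fine since those read setup_buf rather than setup_len.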
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-14415.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-14415.patch
new file mode 100644
index 0000000000..dca2f90a49
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-14415.patch
@@ -0,0 +1,37 @@
+From 7a4ede0047a8613b0e3b72c9d351038f013dd357 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 20 Jan 2020 11:18:04 +0100
+Subject: [PATCH] audio/oss: fix buffer pos calculation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Fixes: 3ba4066d085f ("ossaudio: port to the new audio backend api")
+Reported-by: ziming zhang <ezrakiez@gmail.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-Id: <20200120101804.29578-1-kraxel@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=7a4ede0047a8613b0e3b72c9d351038f013dd357]
+CVE: CVE-2020-14415
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ audio/ossaudio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/audio/ossaudio.c b/audio/ossaudio.c
+index c43faee..9456491 100644
+--- a/audio/ossaudio.c
++++ b/audio/ossaudio.c
+@@ -420,7 +420,7 @@ static size_t oss_write(HWVoiceOut *hw, void *buf, size_t len)
+ size_t to_copy = MIN(len, hw->size_emul - hw->pos_emul);
+ memcpy(hw->buf_emul + hw->pos_emul, buf, to_copy);
+
+- hw->pos_emul = (hw->pos_emul + to_copy) % hw->pos_emul;
++ hw->pos_emul = (hw->pos_emul + to_copy) % hw->size_emul;
+ buf += to_copy;
+ len -= to_copy;
+ }
+--
+1.8.3.1
+
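Review bot: the one-line change swaps `% hw->pos_emul` for `% hw->size_emul`. The old expression reduced modulo the current write position, which is the wrong divisor and divides by zero when pos_emul is 0; with to_copy bounded by size_emul - pos_emul the sum never exceeds size_emul, so the corrected modulo only wraps the position to 0 at the end of the ring buffer. The patch header is an 8bit utf8 message with a non-ASCII name in the Reviewed-by line, so make sure the file is committed as UTF-8 rather than re-encoded, or the patch may fail to apply cleanly.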
--
2.17.1
* [OE-core][dunfell 04/24] libx11 : fix CVE-2020-14344
From: Steve Sakoman @ 2020-09-14 14:11 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
Fix CVE-2020-14344 with a squashed patch.
The squashed patch includes the patches below:
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1703b9f3435079d3c6021e1ee2ec34fd4978103d
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/2fcfcc49f3b1be854bb9085993a01d17c62acf60
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/388b303c62aa35a245f1704211a023440ad2c488
It also includes the fix for the issue introduced in the above patch
(388b303c62aa35a245f1704211a023440ad2c488):
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/93fce3f4e79cbc737d6468a4f68ba3de1b83953b
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../xorg-lib/libx11/CVE-2020-14344.patch | 321 ++++++++++++++++++
.../recipes-graphics/xorg-lib/libx11_1.6.9.bb | 4 +-
2 files changed, 324 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2020-14344.patch
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2020-14344.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2020-14344.patch
new file mode 100644
index 0000000000..9d07202b06
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2020-14344.patch
@@ -0,0 +1,321 @@
+From f64388ed036b6668686ad5448bc7d4f73b35e1c7 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Fri, 24 Jul 2020 21:09:10 +0200
+Subject: [PATCH] Fix CVE-2020-14344
+
+This is a squashed of below commit:
+
+commit 1 :-
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1703b9f3435079d3c6021e1ee2ec34fd4978103d
+Change the data_len parameter of _XimAttributeToValue() to CARD16
+
+It's coming from a length in the protocol (unsigned) and passed
+to functions that expect unsigned int parameters (_XCopyToArg()
+and memcpy()).
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Todd Carson <toc@daybefore.net>
+
+commit 2 :-
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
+Zero out buffers in functions
+
+It looks like uninitialized stack or heap memory can leak
+out via padding bytes.
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+
+commit 3 :-
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/2fcfcc49f3b1be854bb9085993a01d17c62acf60
+Fix more unchecked lengths
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+
+commit 4 :-
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/388b303c62aa35a245f1704211a023440ad2c488
+fix integer overflows in _XimAttributeToValue()
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+
+commit 5 :-
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/93fce3f4e79cbc737d6468a4f68ba3de1b83953b
+Fix size calculation in `_XimAttributeToValue`.
+
+The check here guards the read below.
+For `XimType_XIMStyles`, these are `num` of `CARD32` and for `XimType_XIMHotKeyTriggers`
+these are `num` of `XIMTRIGGERKEY` ref[1] which is defined as 3 x `CARD32`.
+(There are data after the `XIMTRIGGERKEY` according to the spec but they are not read by this
+function and doesn't need to be checked.)
+
+The old code here used the native datatype size instead of the wire protocol size causing
+the check to always fail.
+
+Also fix the size calculation for the header (size). It is 2 x CARD16 for both types
+despite the unused `CARD16` for `XimType_XIMStyles`.
+
+[1] https://www.x.org/releases/X11R7.6/doc/libX11/specs/XIM/xim.html#Input_Method_Styles
+
+This fixes a regression caused by 388b303c62aa35a245f1704211a023440ad2c488 in 1.6.10.
+
+Fix #116
+
+Upstream-Status: Backport
+[ https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1703b9f3435079d3c6021e1ee2ec34fd4978103d
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/2fcfcc49f3b1be854bb9085993a01d17c62acf60
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/388b303c62aa35a245f1704211a023440ad2c488
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/93fce3f4e79cbc737d6468a4f68ba3de1b83953b ]
+CVE: CVE-2020-14344
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ modules/im/ximcp/imDefIc.c | 6 ++++--
+ modules/im/ximcp/imDefIm.c | 25 +++++++++++++++++--------
+ modules/im/ximcp/imRmAttr.c | 31 +++++++++++++++++++++++--------
+ 3 files changed, 44 insertions(+), 18 deletions(-)
+
+diff --git a/modules/im/ximcp/imDefIc.c b/modules/im/ximcp/imDefIc.c
+index 7564dbad..d552aa9e 100644
+--- a/modules/im/ximcp/imDefIc.c
++++ b/modules/im/ximcp/imDefIc.c
+@@ -350,7 +350,7 @@ _XimProtoGetICValues(
+ + sizeof(INT16)
+ + XIM_PAD(2 + buf_size);
+
+- if (!(buf = Xmalloc(buf_size)))
++ if (!(buf = Xcalloc(buf_size, 1)))
+ return arg->name;
+ buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+
+@@ -708,6 +708,7 @@ _XimProtoSetICValues(
+ #endif /* XIM_CONNECTABLE */
+
+ _XimGetCurrentICValues(ic, &ic_values);
++ memset(tmp_buf, 0, sizeof(tmp_buf32));
+ buf = tmp_buf;
+ buf_size = XIM_HEADER_SIZE
+ + sizeof(CARD16) + sizeof(CARD16) + sizeof(INT16) + sizeof(CARD16);
+@@ -730,7 +731,7 @@ _XimProtoSetICValues(
+
+ buf_size += ret_len;
+ if (buf == tmp_buf) {
+- if (!(tmp = Xmalloc(buf_size + data_len))) {
++ if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+ return tmp_name;
+ }
+ memcpy(tmp, buf, buf_size);
+@@ -740,6 +741,7 @@ _XimProtoSetICValues(
+ Xfree(buf);
+ return tmp_name;
+ }
++ memset(&tmp[buf_size], 0, data_len);
+ buf = tmp;
+ }
+ }
+diff --git a/modules/im/ximcp/imDefIm.c b/modules/im/ximcp/imDefIm.c
+index cf922e48..d0329b54 100644
+--- a/modules/im/ximcp/imDefIm.c
++++ b/modules/im/ximcp/imDefIm.c
+@@ -62,6 +62,7 @@ PERFORMANCE OF THIS SOFTWARE.
+ #include "XimTrInt.h"
+ #include "Ximint.h"
+
++#include <limits.h>
+
+ int
+ _XimCheckDataSize(
+@@ -807,12 +808,16 @@ _XimOpen(
+ int buf_size;
+ int ret_code;
+ char *locale_name;
++ size_t locale_len;
+
+ locale_name = im->private.proto.locale_name;
+- len = strlen(locale_name);
+- buf_b[0] = (BYTE)len; /* length of locale name */
+- (void)strcpy((char *)&buf_b[1], locale_name); /* locale name */
+- len += sizeof(BYTE); /* sizeof length */
++ locale_len = strlen(locale_name);
++ if (locale_len > UCHAR_MAX)
++ return False;
++ memset(buf32, 0, sizeof(buf32));
++ buf_b[0] = (BYTE)locale_len; /* length of locale name */
++ memcpy(&buf_b[1], locale_name, locale_len); /* locale name */
++ len = (INT16)(locale_len + sizeof(BYTE)); /* sizeof length */
+ XIM_SET_PAD(buf_b, len); /* pad */
+
+ _XimSetHeader((XPointer)buf, XIM_OPEN, 0, &len);
+@@ -1287,6 +1292,7 @@ _XimProtoSetIMValues(
+ #endif /* XIM_CONNECTABLE */
+
+ _XimGetCurrentIMValues(im, &im_values);
++ memset(tmp_buf, 0, sizeof(tmp_buf32));
+ buf = tmp_buf;
+ buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
+ data_len = BUFSIZE - buf_size;
+@@ -1307,7 +1313,7 @@ _XimProtoSetIMValues(
+
+ buf_size += ret_len;
+ if (buf == tmp_buf) {
+- if (!(tmp = Xmalloc(buf_size + data_len))) {
++ if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+ return arg->name;
+ }
+ memcpy(tmp, buf, buf_size);
+@@ -1317,6 +1323,7 @@ _XimProtoSetIMValues(
+ Xfree(buf);
+ return arg->name;
+ }
++ memset(&tmp[buf_size], 0, data_len);
+ buf = tmp;
+ }
+ }
+@@ -1458,7 +1465,7 @@ _XimProtoGetIMValues(
+ + sizeof(INT16)
+ + XIM_PAD(buf_size);
+
+- if (!(buf = Xmalloc(buf_size)))
++ if (!(buf = Xcalloc(buf_size, 1)))
+ return arg->name;
+ buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+
+@@ -1720,7 +1727,7 @@ _XimEncodingNegotiation(
+ + sizeof(CARD16)
+ + detail_len;
+
+- if (!(buf = Xmalloc(XIM_HEADER_SIZE + len)))
++ if (!(buf = Xcalloc(XIM_HEADER_SIZE + len, 1)))
+ goto free_detail_ptr;
+
+ buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+@@ -1816,6 +1823,7 @@ _XimSendSavedIMValues(
+ int ret_code;
+
+ _XimGetCurrentIMValues(im, &im_values);
++ memset(tmp_buf, 0, sizeof(tmp_buf32));
+ buf = tmp_buf;
+ buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
+ data_len = BUFSIZE - buf_size;
+@@ -1838,7 +1846,7 @@ _XimSendSavedIMValues(
+
+ buf_size += ret_len;
+ if (buf == tmp_buf) {
+- if (!(tmp = Xmalloc(buf_size + data_len))) {
++ if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+ return False;
+ }
+ memcpy(tmp, buf, buf_size);
+@@ -1848,6 +1856,7 @@ _XimSendSavedIMValues(
+ Xfree(buf);
+ return False;
+ }
++ memset(&tmp[buf_size], 0, data_len);
+ buf = tmp;
+ }
+ }
+diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
+index 9d4e4625..118f191d 100644
+--- a/modules/im/ximcp/imRmAttr.c
++++ b/modules/im/ximcp/imRmAttr.c
+@@ -29,6 +29,8 @@ PERFORMANCE OF THIS SOFTWARE.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
++
+ #include "Xlibint.h"
+ #include "Xlcint.h"
+ #include "Ximint.h"
+@@ -214,7 +216,7 @@ _XimAttributeToValue(
+ Xic ic,
+ XIMResourceList res,
+ CARD16 *data,
+- INT16 data_len,
++ CARD16 data_len,
+ XPointer value,
+ BITMASK32 mode)
+ {
+@@ -250,18 +252,24 @@ _XimAttributeToValue(
+
+ case XimType_XIMStyles:
+ {
+- INT16 num = data[0];
++ CARD16 num = data[0];
+ register CARD32 *style_list = (CARD32 *)&data[2];
+ XIMStyle *style;
+ XIMStyles *rep;
+ register int i;
+ char *p;
+- int alloc_len;
++ unsigned int alloc_len;
+
+ if (!(value))
+ return False;
+
++ if (num > (USHRT_MAX / sizeof(XIMStyle)))
++ return False;
++ if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
++ return False;
+ alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
++ if (alloc_len < sizeof(XIMStyles))
++ return False;
+ if (!(p = Xmalloc(alloc_len)))
+ return False;
+
+@@ -313,7 +321,7 @@ _XimAttributeToValue(
+
+ case XimType_XFontSet:
+ {
+- INT16 len = data[0];
++ CARD16 len = data[0];
+ char *base_name;
+ XFontSet rep = (XFontSet)NULL;
+ char **missing_list = NULL;
+@@ -324,11 +332,12 @@ _XimAttributeToValue(
+ return False;
+ if (!ic)
+ return False;
+-
++ if (len > data_len)
++ return False;
+ if (!(base_name = Xmalloc(len + 1)))
+ return False;
+
+- (void)strncpy(base_name, (char *)&data[1], (int)len);
++ (void)strncpy(base_name, (char *)&data[1], (size_t)len);
+ base_name[len] = '\0';
+
+ if (mode & XIM_PREEDIT_ATTR) {
+@@ -357,19 +366,25 @@ _XimAttributeToValue(
+
+ case XimType_XIMHotKeyTriggers:
+ {
+- INT32 num = *((CARD32 *)data);
++ CARD32 num = *((CARD32 *)data);
+ register CARD32 *key_list = (CARD32 *)&data[2];
+ XIMHotKeyTrigger *key;
+ XIMHotKeyTriggers *rep;
+ register int i;
+ char *p;
+- int alloc_len;
++ unsigned int alloc_len;
+
+ if (!(value))
+ return False;
+
++ if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
++ return False;
++ if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
++ return False;
+ alloc_len = sizeof(XIMHotKeyTriggers)
+ + sizeof(XIMHotKeyTrigger) * num;
++ if (alloc_len < sizeof(XIMHotKeyTriggers))
++ return False;
+ if (!(p = Xmalloc(alloc_len)))
+ return False;
+
+--
+2.17.1
+
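Review bot: two points to check against the full files, since the hunk does not show the declarations. First, the added `memset(tmp_buf, 0, sizeof(tmp_buf32))` in _XimProtoSetICValues(), _XimProtoSetIMValues() and _XimSendSavedIMValues() clears through the char pointer but takes its size from tmp_buf32; that is only right if tmp_buf is a pointer onto tmp_buf32 in each of the three functions, so confirm that for all three. Second, in the XFontSet case of _XimAttributeToValue() the new bound is `if (len > data_len)` while the string is copied from &data[1], after the 2-byte length word; if data_len counts that word the check is two bytes looser than the copy, which is worth raising upstream rather than diverging from the squashed commits in this backport. The rest reads consistently with the five commits: the length parameters and counts become unsigned, wire buffers move from Xmalloc to Xcalloc or get an explicit memset, and the commit-5 checks size XIMStyles and XIMHotKeyTriggers by their wire layout (a 2 x CARD16 header plus num CARD32, or num x 3 CARD32) before the Xmalloc of the native structures.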
diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
index ff60a4240c..84e0e4457e 100644
--- a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
@@ -12,7 +12,9 @@ PE = "1"
SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \
file://disable_tests.patch \
- file://libx11-whitespace.patch"
+ file://libx11-whitespace.patch \
+ file://CVE-2020-14344.patch \
+"
SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"
SRC_URI[sha256sum] = "9cc7e8d000d6193fa5af580d50d689380b8287052270f5bb26a5fb6b58b2bed1"
--
2.17.1
* [OE-core][dunfell 05/24] rpcbind: Use update-alternatives for rpcinfo
From: Steve Sakoman @ 2020-09-14 14:11 UTC (permalink / raw)
To: openembedded-core
From: Khem Raj <raj.khem@gmail.com>
rpcinfo is also provided by netkit in meta-networking
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 28183dfd7446de9113773ab89edd0afb4ab82f7e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-extended/rpcbind/rpcbind_1.2.5.bb | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-extended/rpcbind/rpcbind_1.2.5.bb b/meta/recipes-extended/rpcbind/rpcbind_1.2.5.bb
index aff00e56e6..ec8f9e48b2 100644
--- a/meta/recipes-extended/rpcbind/rpcbind_1.2.5.bb
+++ b/meta/recipes-extended/rpcbind/rpcbind_1.2.5.bb
@@ -19,7 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/rpcbind/rpcbind-${PV}.tar.bz2 \
SRC_URI[md5sum] = "ed46f09b9c0fa2d49015f6431bc5ea7b"
SRC_URI[sha256sum] = "2ce360683963b35c19c43f0ee2c7f18aa5b81ef41c3fdbd15ffcb00b8bffda7a"
-inherit autotools update-rc.d systemd pkgconfig
+inherit autotools update-rc.d systemd pkgconfig update-alternatives
PACKAGECONFIG ??= "tcp-wrappers"
PACKAGECONFIG[tcp-wrappers] = "--enable-libwrap,--disable-libwrap,tcp-wrappers"
@@ -50,3 +50,6 @@ do_install_append () {
${WORKDIR}/init.d > ${D}${sysconfdir}/init.d/rpcbind
chmod 0755 ${D}${sysconfdir}/init.d/rpcbind
}
+
+ALTERNATIVE_${PN} = "rpcinfo"
+ALTERNATIVE_LINK_NAME[rpcinfo] = "${bindir}/rpcinfo"
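Review bot: the alternative is registered without an ALTERNATIVE_PRIORITY, so rpcinfo gets the class default; if the netkit package in meta-networking also registers rpcinfo at the default priority, which provider ends up behind ${bindir}/rpcinfo on an image that installs both is arbitrary. An explicit ALTERNATIVE_PRIORITY[rpcinfo] here (and a matching one in netkit) would make the choice deterministic. The link name assumes the rpcbind build installs rpcinfo into ${bindir}, which the do_install hunk above does not show; worth a quick check of the packaged file list.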
--
2.17.1
* [OE-core][dunfell 06/24] gdk-pixbuf: add tests PACKAGECONFIG
From: Steve Sakoman @ 2020-09-14 14:11 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross@burtonini.com>
Convert the installed-tests toggle from simply respecting PTEST_ENABLED
to a PACKAGECONFIG, so that it can be turned on/off in the usual manner.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 08e61ffae6056055b56f93678bcbb9fd71f3303e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
index d0df5015a5..0405fa78b5 100644
--- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
@@ -40,20 +40,20 @@ inherit meson pkgconfig gettext pixbufcache ptest-gnome upstream-version-is-even
GIR_MESON_OPTION = 'gir'
-EXTRA_OEMESON_append = " ${@bb.utils.contains('PTEST_ENABLED', '1', '-Dinstalled_tests=true', '-Dinstalled_tests=false', d)}"
-
LIBV = "2.10.0"
GDK_PIXBUF_LOADERS ?= "png jpeg"
-PACKAGECONFIG = "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)} ${GDK_PIXBUF_LOADERS}"
+PACKAGECONFIG = "${GDK_PIXBUF_LOADERS} \
+ ${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)} \
+ ${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)}"
PACKAGECONFIG_class-native = "${GDK_PIXBUF_LOADERS}"
PACKAGECONFIG[png] = "-Dpng=true,-Dpng=false,libpng"
PACKAGECONFIG[jpeg] = "-Djpeg=true,-Djpeg=false,jpeg"
PACKAGECONFIG[tiff] = "-Dtiff=true,-Dtiff=false,tiff"
PACKAGECONFIG[jpeg2000] = "-Djasper=true,-Djasper=false,jasper"
-
+PACKAGECONFIG[tests] = "-Dinstalled_tests=true,-Dinstalled_tests=false"
PACKAGECONFIG[x11] = "-Dx11=true,-Dx11=false,virtual/libx11"
PACKAGES =+ "${PN}-xlib"
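Review bot: folding the PTEST_ENABLED test into a plain `PACKAGECONFIG =` assignment means any bbappend or distro that overrides PACKAGECONFIG for this recipe silently loses installed tests while ptest-gnome still emits a ptest package; keeping the PTEST_ENABLED-derived 'tests' entry in a `PACKAGECONFIG_append` (or making the default `??=`) preserves the ptest tie-in across overrides. Leaving 'tests' out of PACKAGECONFIG_class-native is correct, since ptest is target-only.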
--
2.17.1
* [OE-core][dunfell 07/24] insane: only load real files as ELF
From: Steve Sakoman @ 2020-09-14 14:11 UTC
To: openembedded-core
From: Ross Burton <ross@burtonini.com>
The file path checks are passed an ELF object if the file is an ELF. It
doesn't make a lot of sense to load symlinks to ELFs as if they're in
the same package then the real file will be checked too.
This should speed up do_package_qa slightly as libraries won't be
scanned repeatedly.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c63af30d3b6350361daff94a59d4f14d7c5395e1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/insane.bbclass | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass
index c595080bdf..46d386a38b 100644
--- a/meta/classes/insane.bbclass
+++ b/meta/classes/insane.bbclass
@@ -708,12 +708,13 @@ def package_qa_walk(warnfuncs, errorfuncs, package, d):
warnings = {}
errors = {}
for path in pkgfiles[package]:
- elf = oe.qa.ELFFile(path)
- try:
- elf.open()
- except (IOError, oe.qa.NotELFFileError):
- # IOError can happen if the packaging control files disappear,
- elf = None
+ elf = None
+ if os.path.isfile(path):
+ elf = oe.qa.ELFFile(path)
+ try:
+ elf.open()
+ except oe.qa.NotELFFileError:
+ elf = None
for func in warnfuncs:
func(path, package, d, elf, warnings)
for func in errorfuncs:
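Review bot: os.path.isfile() follows symlinks and returns True for a symlink to a regular file, so symlinks to ELF files are still opened and scanned, which is exactly what the commit message says it wants to avoid; only dangling symlinks and directories are skipped by this check. Add `and not os.path.islink(path)` to the condition if the goal is to load real files only. Separately, dropping IOError from the except clause means a file that disappears or becomes unreadable between the isfile() check and elf.open() now raises out of package_qa_walk and fails do_package_qa instead of being skipped as before; keep `except (IOError, oe.qa.NotELFFileError)`.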
--
2.17.1
* [OE-core][dunfell 08/24] autoconf: consolidate DEPENDS
From: Steve Sakoman @ 2020-09-14 14:11 UTC
To: openembedded-core
From: Ross Burton <ross@burtonini.com>
Depending on nativesdk- variants in a nativesdk build isn't correct, so
just collapse the DEPENDS down and let bitbake do the right thing (which
is leaving them as -native).
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4864167ad4ed4c57e49f2aa5e7c58383bddb052b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/autoconf/autoconf.inc | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-devtools/autoconf/autoconf.inc b/meta/recipes-devtools/autoconf/autoconf.inc
index 2c87bf8296..36a48d9116 100644
--- a/meta/recipes-devtools/autoconf/autoconf.inc
+++ b/meta/recipes-devtools/autoconf/autoconf.inc
@@ -5,9 +5,8 @@ file that lists the operating system features that the package can use, in the f
LICENSE = "GPLv3"
HOMEPAGE = "http://www.gnu.org/software/autoconf/"
SECTION = "devel"
-DEPENDS += "m4-native"
-DEPENDS_class-native = "m4-native gnu-config-native"
-DEPENDS_class-nativesdk = "nativesdk-m4 nativesdk-gnu-config"
+DEPENDS = "m4-native gnu-config-native"
+
RDEPENDS_${PN} = "m4 gnu-config \
perl \
perl-module-bytes \
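Review bot: `DEPENDS = "m4-native gnu-config-native"` replaces the previous `DEPENDS +=`, so anything a recipe assigns to DEPENDS before including autoconf.inc is now discarded; confirm no autoconf_*.bb sets DEPENDS ahead of the `require`, or keep `+=` to preserve the accumulation semantics. The target build also gains gnu-config-native, which was previously only a native/nativesdk dependency; that matches the stated intent of collapsing the three assignments but is a behaviour change worth a sentence in the commit message.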
--
2.17.1
* [OE-core][dunfell 09/24] runqemu: Add a hook to allow it to renice
From: Steve Sakoman @ 2020-09-14 14:11 UTC
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
We have an issue where qemu is being starved of resources on our autobuilders.
We can't raise its priority without special capabilities, therefore add a hook
which if present can allow this to happen using an executable
"~/runqemu-renice".
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 141a3c9ce93bc3d526303021ecf0460c6e9fea8a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
scripts/runqemu | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/scripts/runqemu b/scripts/runqemu
index b24ac1c804..cc87ea871a 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -1507,6 +1507,11 @@ def main():
try:
config = BaseConfig()
+ renice = os.path.expanduser("~/bin/runqemu-renice")
+ if os.path.exists(renice):
+ logger.info('Using %s to renice' % renice)
+ subprocess.check_call([renice, str(os.getpid())])
+
def sigterm_handler(signum, frame):
logger.info("SIGTERM received")
os.kill(config.qemupid, signal.SIGTERM)
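Review bot: the commit message says the hook is "~/runqemu-renice" but the code looks for `~/bin/runqemu-renice`; make the two agree. os.path.exists() does not check execute permission, so a present but non-executable hook turns into a PermissionError from subprocess.check_call(), and a hook exiting non-zero raises CalledProcessError; both abort runqemu before qemu is even started, for what is only a priority tweak. Test with `os.access(renice, os.X_OK)` and catch `subprocess.CalledProcessError` to log and continue. Since the hook is an arbitrary executable in a user-writable location that is expected to raise priority, it has to remain a per-user opt-in (typically a small sudo or setcap wrapper), and nothing that runs runqemu with elevated privileges should trust it.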
--
2.17.1
* [OE-core][dunfell 10/24] image.bbclass: fix REPRODUCIBLE_TIMESTAMP_ROOTFS reference
From: Steve Sakoman @ 2020-09-14 14:11 UTC
To: openembedded-core
From: Matt Madison <matt@madison.systems>
Commit 97b439469a45a089431ca9c31893288c855045f4 added a fallback
mechanism for getting the rootfs timestamp. However, it uses curly
braces around the variable name, which causes bitbake to resolve the
variable reference, rather than the shell, so the git timestamp
never gets used. Fix the reference to restore the intent of
making it a fallback for when there is no git timestamp to
retrieve.
Signed-off-by: Matt Madison <matt@madison.systems>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fbcf2c1c255b0c61a795c032cf7b67f5db41baa8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/image.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 6620a9e9c3..459d872b4a 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -654,7 +654,7 @@ reproducible_final_image_task () {
if [ "${BUILD_REPRODUCIBLE_BINARIES}" = "1" ]; then
if [ "$REPRODUCIBLE_TIMESTAMP_ROOTFS" = "" ]; then
REPRODUCIBLE_TIMESTAMP_ROOTFS=`git -C "${COREBASE}" log -1 --pretty=%ct 2>/dev/null` || true
- if [ "${REPRODUCIBLE_TIMESTAMP_ROOTFS}" = "" ]; then
+ if [ "$REPRODUCIBLE_TIMESTAMP_ROOTFS" = "" ]; then
REPRODUCIBLE_TIMESTAMP_ROOTFS=`stat -c%Y ${@bb.utils.which(d.getVar("BBPATH"), "conf/bitbake.conf")}`
fi
fi
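Review bot: on the unchanged line below the fix, the argument to `stat -c%Y ${@bb.utils.which(...)}` is unquoted, so a conf/bitbake.conf path containing whitespace breaks the second fallback; quote it. The one-character fix itself is right: `${REPRODUCIBLE_TIMESTAMP_ROOTFS}` was expanded by bitbake from its own (normally unset) datastore variable, so the test was always true and the stat fallback always overrode the git timestamp. Note also that when COREBASE is not a git checkout the `git log` failure is hidden by `|| true` and the build silently falls through to the mtime of bitbake.conf, which is not reproducible across checkouts; a bbnote on that path would make it visible.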
--
2.17.1
* [OE-core][dunfell 11/24] oe-publish-sdk: fix layers init via ssh
From: Steve Sakoman @ 2020-09-14 14:11 UTC
To: openembedded-core
From: Adrian Freihofer <adrian.freihofer@gmail.com>
Escaping does not work in my use case. It must be escaped for
python, ssh and shell as well as for different versions of echo.
Let's try something a little less elegant, but hopefully more reliable.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5cc1ae332eb6b05d83802c8d64ab2767c7079412)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
scripts/oe-publish-sdk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/oe-publish-sdk b/scripts/oe-publish-sdk
index 4b70f436b1..19a5d69864 100755
--- a/scripts/oe-publish-sdk
+++ b/scripts/oe-publish-sdk
@@ -106,7 +106,7 @@ def publish(args):
if not is_remote:
cmd = 'set -e; mkdir -p %s/layers; cd %s/layers; if [ ! -e .git ]; then git init .; cp .git/hooks/post-update.sample .git/hooks/post-commit; echo "*.pyc\n*.pyo\npyshtables.py" > .gitignore; fi; git add -A .; git config user.email "oe@oe.oe" && git config user.name "OE" && git commit -q -m "init repo" || true' % (destination, destination)
else:
- cmd = "ssh %s 'set -e; mkdir -p %s/layers; cd %s/layers; if [ ! -e .git ]; then git init .; cp .git/hooks/post-update.sample .git/hooks/post-commit; echo '*.pyc\n*.pyo\npyshtables.py' > .gitignore; fi; git add -A .; git config user.email 'oe@oe.oe' && git config user.name 'OE' && git commit -q -m \"init repo\" || true'" % (host, destdir, destdir)
+ cmd = "ssh %s 'set -e; mkdir -p %s/layers; cd %s/layers; if [ ! -e .git ]; then git init .; cp .git/hooks/post-update.sample .git/hooks/post-commit; echo '*.pyc' > .gitignore; echo '*.pyo' >> .gitignore; echo 'pyshtables.py' >> .gitignore; fi; git add -A .; git config user.email 'oe@oe.oe' && git config user.name 'OE' && git commit -q -m \"init repo\" || true'" % (host, destdir, destdir)
ret = subprocess.call(cmd, shell=True)
if ret == 0:
logger.info('SDK published successfully')
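Review bot: the inner single quotes still do not survive: the remote script is one single-quoted ssh argument, so `echo '*.pyc'` closes the outer quote, leaves `*.pyc` unquoted and reopens it, and the local shell (this is `shell=True`) strips all of them before ssh sends the string. The remote shell therefore runs `echo *.pyc > .gitignore` unquoted and, as soon as the layers directory contains a .pyc file (exactly what the .gitignore is meant to cover), writes the expanded file names instead of the pattern; the same applies to `'*.pyo'`, `'oe@oe.oe'` and `'OE'`. Use double quotes inside the outer single quotes (`echo \"*.pyc\" > .gitignore`), or build the remote script as one string and pass `shlex.quote(script)` as the ssh argument. `host` and `destdir` are also interpolated unquoted into the shell command, so a destination containing spaces or shell metacharacters breaks the command or injects; pass them through shlex.quote() as well.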
--
2.17.1
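The quoting problem this patch works around, as an added example that is not part of oe-publish-sdk or OE-core: the Python below shows how the local shell tokenises the nested-quote form (via shlex.split, which applies the same POSIX quoting rules as sh) and how handing ssh a single shlex.quote()d script avoids it. The host name, destination path and the `remote_init_script`/`ssh_argv` helper names are assumptions for illustration, and the three .gitignore entries are the ones from the script.

```python
import shlex

# Patterns the SDK's layers repository should ignore (the three from the script).
GITIGNORE_ENTRIES = ("*.pyc", "*.pyo", "pyshtables.py")


def naive_local_tokens():
    """Tokenise the nested-quote form the way the local shell does.

    shlex.split() applies POSIX quoting rules, so the returned tokens are what
    `subprocess.call(cmd, shell=True)` would hand to ssh. The inner '*.pyc'
    falls outside the outer single quotes, and every quote is consumed
    locally: the third token is the unquoted script the remote shell will run,
    where `echo *.pyc` is subject to glob expansion.
    """
    cmd = ("ssh host 'set -e; echo '*.pyc' > .gitignore; "
           "echo '*.pyo' >> .gitignore'")
    return shlex.split(cmd)


def remote_init_script(destdir):
    """Return the remote shell script as one string, quoting every value.

    destdir is user-controlled; shlex.quote() makes spaces and shell
    metacharacters in it inert on the remote side.
    """
    layers = shlex.quote(destdir.rstrip("/") + "/layers")
    gitignore = " ".join(shlex.quote(entry) for entry in GITIGNORE_ENTRIES)
    steps = [
        "set -e",
        "mkdir -p " + layers,
        "cd " + layers,
        # printf writes one pattern per line; the quoted patterns reach the
        # remote shell intact, so no glob expansion can happen there.
        "if [ ! -e .git ]; then git init .; "
        "cp .git/hooks/post-update.sample .git/hooks/post-commit; "
        "printf '%s\\n' " + gitignore + " > .gitignore; fi",
        "git add -A .",
        "git config user.email oe@oe.oe && git config user.name OE "
        "&& git commit -q -m 'init repo' || true",
    ]
    return "; ".join(steps)


def ssh_argv(host, destdir):
    """argv for subprocess.call(argv) without shell=True.

    ssh joins its trailing arguments with spaces and passes them to the
    remote login shell; giving it the script as a single argument means the
    only quoting the remote shell sees is the one shlex.quote() produced.
    """
    return ["ssh", host, remote_init_script(destdir)]


if __name__ == "__main__":
    print(naive_local_tokens())
    print(ssh_argv("sdk.example", "/srv/sdk dir"))
```

The argv form also removes the `shell=True` on the local side, so a hostile `destdir` cannot run anything locally either; the remote side only ever sees it inside single quotes.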
* [OE-core][dunfell 12/24] systemd-serialgetty: Fix sed expression quoting
From: Steve Sakoman @ 2020-09-14 14:11 UTC
To: openembedded-core
From: Rahul Kumar <rahulk@mvista.com>
Fix sed: -e expression #1, char 13: unterminated `s' command
Error Message:
| NOTE: Installed into sysroot: []
| NOTE: Skipping as already exists in sysroot: ['pseudo-native', 'glibc', 'patch-native', 'quilt-native', 'gcc-cross-arm', 'gcc-runtime', 'linux-libc-headers', 'libgcc', 'flex-native', 'xz-native', 'libtool-native', 'automake-native', 'binutils-cross-arm', 'zlib-native', 'mpfr-native', 'texinfo-dummy-native', 'autoconf-native', 'libmpc-native', 'gnu-config-native', 'gmp-native', 'attr-native', 'm4-native', 'gettext-minimal-native']
| DEBUG: Python function extend_recipe_sysroot finished
| DEBUG: Executing shell function do_install
| sed: -e expression #1, char 13: unterminated `s' command
| WARNING: exit code 1 from a shell command.
| ERROR: Execution of '/opt/Projects/poky/build/tmp/work/qemux86_64-poky-linux/systemd-serialgetty/1.0-r5/temp/run.do_install.11228' failed with exit code 1:
| sed: -e expression #1, char 13: unterminated `s' command
| WARNING: exit code 1 from a shell command.
|
To fix this issue, use the strong (single quote) character in the sed command.
It is recommended to use quotes. If we have meta-characters in the command, quotes are necessary.
Signed-off-by: Rahul Kumar <rahulk@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e2fea05e150dcfec4b7dfbd8edddb53897026bf9)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/systemd/systemd-serialgetty.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-core/systemd/systemd-serialgetty.bb b/meta/recipes-core/systemd/systemd-serialgetty.bb
index 044c6c5b67..059fccc2b6 100644
--- a/meta/recipes-core/systemd/systemd-serialgetty.bb
+++ b/meta/recipes-core/systemd/systemd-serialgetty.bb
@@ -21,7 +21,7 @@ do_install() {
install -d ${D}${systemd_unitdir}/system/
install -d ${D}${sysconfdir}/systemd/system/getty.target.wants/
install -m 0644 ${WORKDIR}/serial-getty@.service ${D}${systemd_unitdir}/system/
- sed -i -e s/\@BAUDRATE\@/$default_baudrate/g ${D}${systemd_unitdir}/system/serial-getty@.service
+ sed -i -e 's/\@BAUDRATE\@/$default_baudrate/g' ${D}${systemd_unitdir}/system/serial-getty@.service
tmp="${SERIAL_CONSOLES}"
for entry in $tmp ; do
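Review bot: single quotes also stop the shell from expanding `$default_baudrate`, so the installed serial-getty@.service now contains the literal text `$default_baudrate` instead of the configured baud rate; the build error goes away but the unit is broken. Use double quotes, `sed -i -e "s/\@BAUDRATE\@/$default_baudrate/g" ...`: they keep the expression as one word (which is what fixes the "unterminated `s' command" error, caused by word splitting of the unquoted expression when the variable contained whitespace) while still expanding the variable. Bitbake only expands `${VAR}` and leaves `$var` alone, so the double quotes are safe inside do_install.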
--
2.17.1
* [OE-core][dunfell 13/24] selftest/signing: Ensure build path relocation is safe
From: Steve Sakoman @ 2020-09-14 14:11 UTC
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Similarly to 04ee0e8b95cd8ed890374e0007f976684206b630, ensure only full
build paths are replaced in the environment to avoid breaking buildtools.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fcd0a9683af1a9155eabbd9056e3b46d4a931b2e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oeqa/selftest/cases/signing.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/meta/lib/oeqa/selftest/cases/signing.py b/meta/lib/oeqa/selftest/cases/signing.py
index 202d54994b..a28c7eb19a 100644
--- a/meta/lib/oeqa/selftest/cases/signing.py
+++ b/meta/lib/oeqa/selftest/cases/signing.py
@@ -44,7 +44,9 @@ class Signing(OESelftestTestCase):
origenv = os.environ.copy()
for e in os.environ:
- if builddir in os.environ[e]:
+ if builddir + "/" in os.environ[e]:
+ os.environ[e] = os.environ[e].replace(builddir + "/", newbuilddir + "/")
+ if os.environ[e].endswith(builddir):
os.environ[e] = os.environ[e].replace(builddir, newbuilddir)
os.chdir(newbuilddir)
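Review bot: the two checks still miss the common case of a path list: a value such as `BBPATH=/path/to/build:/path/to/meta` contains builddir followed by ":" rather than "/" and does not end with builddir, so it is not relocated at all. `endswith(builddir)` is also not anchored on the left, so a value ending in `/other/path/to/build` is rewritten when builddir is `/path/to/build`. A single boundary-aware substitution, `re.sub(r'(?<![^\s:=])' + re.escape(builddir) + r'(?=[/:\s]|$)', newbuilddir, value)` (assuming builddir is absolute), covers both cases in one pass.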
--
2.17.1
* [OE-core][dunfell 14/24] oeqa/concurrencytest: Improve builddir path manipulations
From: Steve Sakoman @ 2020-09-14 14:11 UTC
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
It's possible some patterns may cause problems with the current path
manipulations, make a small tweak to try and avoid potential pathname
overlap issues.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 889005dc17d3e3b8eadee907ee2c05b8ff613285)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oeqa/selftest/context.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/meta/lib/oeqa/selftest/context.py b/meta/lib/oeqa/selftest/context.py
index 9baad58321..33557b1240 100644
--- a/meta/lib/oeqa/selftest/context.py
+++ b/meta/lib/oeqa/selftest/context.py
@@ -82,7 +82,9 @@ class OESelftestTestContext(OETestContext):
oe.path.copytree(selftestdir, newselftestdir)
for e in os.environ:
- if builddir + "/" in os.environ[e] or os.environ[e].endswith(builddir):
+ if builddir + "/" in os.environ[e]:
+ os.environ[e] = os.environ[e].replace(builddir + "/", newbuilddir + "/")
+ if os.environ[e].endswith(builddir):
os.environ[e] = os.environ[e].replace(builddir, newbuilddir)
subprocess.check_output("git init; git add *; git commit -a -m 'initial'", cwd=newselftestdir, shell=True)
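Review bot: this is the same relocation logic as in oeqa/selftest/cases/signing.py, now fixed twice in lockstep; factor it into one shared helper so the next path-overlap bug is fixed in one place. As written, the `endswith(builddir)` branch still matches a longer directory whose tail happens to equal builddir, and a value where builddir is followed by ":" (BBPATH-style lists) matches neither branch and is left pointing at the old build directory.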
--
2.17.1
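The builddir relocation that both the selftest/signing.py and oeqa/selftest/context.py hunks above adjust, as an added example that is not oeqa code: it rewrites builddir only where it is a whole path (followed by "/", ":", whitespace or end of value, and not preceded by another path character), which also covers colon-separated lists such as BBPATH that the two-step replace misses, and it reproduces the hunks' own two-step logic for comparison. The environment values are constructed sample input; the function names and the boundary character classes are assumptions.

```python
import re


def relocate_value(value, builddir, newbuilddir):
    """Replace builddir in value only where it is a complete path.

    Left boundary: start of value, whitespace, ":" or "=" (so the tail of a
    longer path such as /mnt/home/ci/build is not touched).
    Right boundary: "/", ":", whitespace or end of value (so a sibling such
    as /home/ci/build-st is not touched).
    Known limitation of this boundary choice: a path glued to a flag, like
    -I/home/ci/build, is treated as a different path and left alone.
    """
    builddir = builddir.rstrip("/")
    newbuilddir = newbuilddir.rstrip("/")
    pattern = re.compile(r"(?<![^\s:=])" + re.escape(builddir) + r"(?=[/:\s]|$)")
    # A callable replacement avoids backslash processing in newbuilddir.
    return pattern.sub(lambda m: newbuilddir, value)


def relocate_env(env, builddir, newbuilddir):
    """Return a relocated copy of an environment mapping."""
    return {k: relocate_value(v, builddir, newbuilddir) for k, v in env.items()}


def relocate_value_two_step(value, builddir, newbuilddir):
    """The logic of the two hunks, reproduced here for comparison only."""
    if builddir + "/" in value:
        value = value.replace(builddir + "/", newbuilddir + "/")
    if value.endswith(builddir):
        value = value.replace(builddir, newbuilddir)
    return value


# Constructed sample environment (not taken from a real build).
BUILDDIR = "/home/ci/build"
NEWBUILDDIR = "/tmp/relocated"
SAMPLE_ENV = {
    "BUILDDIR": "/home/ci/build",
    "BBPATH": "/home/ci/build:/home/ci/poky/meta",          # builddir followed by ":"
    "PATH": "/home/ci/build/bin:/home/ci/poky/bitbake/bin:/usr/bin",
    "OTHER": "/mnt/home/ci/build",                          # longer dir, same tail
    "SIBLING": "/home/ci/build-st/conf",                    # shares the prefix only
    "TMPDIR": "/home/ci/build/tmp",
}


if __name__ == "__main__":
    for key, value in relocate_env(SAMPLE_ENV, BUILDDIR, NEWBUILDDIR).items():
        print(key, value, "| two-step:",
              relocate_value_two_step(SAMPLE_ENV[key], BUILDDIR, NEWBUILDDIR))
```

Running it shows the two divergences that matter for the selftests: the two-step version leaves BBPATH pointing at the original build directory, and it rewrites OTHER to /mnt/tmp/relocated even though that was never the build directory.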
* [OE-core][dunfell 15/24] gnutls: CVE-2020-24659
From: Steve Sakoman @ 2020-09-14 14:11 UTC
To: openembedded-core
From: Zhixiong Chi <zhixiong.chi@windriver.com>
Backport the CVE patch from the upstream:
https://gitlab.com/gnutls/gnutls.git
commit 29ee67c205855e848a0a26e6d0e4f65b6b943e0a
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 84b1bc500e318657cb7a8a189b59cc63bc91dca3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../gnutls/gnutls/CVE-2020-24659.patch | 117 ++++++++++++++++++
meta/recipes-support/gnutls/gnutls_3.6.14.bb | 1 +
2 files changed, 118 insertions(+)
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch b/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch
new file mode 100644
index 0000000000..1702325e66
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch
@@ -0,0 +1,117 @@
+From 29ee67c205855e848a0a26e6d0e4f65b6b943e0a Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Sat, 22 Aug 2020 17:19:39 +0200
+Subject: [PATCH] handshake: reject no_renegotiation alert if handshake is
+ incomplete
+
+If the initial handshake is incomplete and the server sends a
+no_renegotiation alert, the client should treat it as a fatal error
+even if its level is warning. Otherwise the same handshake
+state (e.g., DHE parameters) are reused in the next gnutls_handshake
+call, if it is called in the loop idiom:
+
+ do {
+ ret = gnutls_handshake(session);
+ } while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+CVE: CVE-2020-24659
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls.git]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ lib/gnutls_int.h | 1 +
+ lib/handshake.c | 48 +++++++++++++-----
+ 2 files changed, 36 insertions(+), 13 deletions(-)
+
+diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
+index bb6c19713..31cec5c0c 100644
+--- a/lib/gnutls_int.h
++++ b/lib/gnutls_int.h
+@@ -1370,6 +1370,7 @@ typedef struct {
+ #define HSK_RECORD_SIZE_LIMIT_RECEIVED (1<<26) /* server: record_size_limit extension was seen but not accepted yet */
+ #define HSK_OCSP_REQUESTED (1<<27) /* server: client requested OCSP stapling */
+ #define HSK_CLIENT_OCSP_REQUESTED (1<<28) /* client: server requested OCSP stapling */
++#define HSK_SERVER_HELLO_RECEIVED (1<<29) /* client: Server Hello message has been received */
+
+ /* The hsk_flags are for use within the ongoing handshake;
+ * they are reset to zero prior to handshake start by gnutls_handshake. */
+diff --git a/lib/handshake.c b/lib/handshake.c
+index b40f84b3d..ce2d160e2 100644
+--- a/lib/handshake.c
++++ b/lib/handshake.c
+@@ -2051,6 +2051,8 @@ read_server_hello(gnutls_session_t session,
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
++ session->internals.hsk_flags |= HSK_SERVER_HELLO_RECEIVED;
++
+ return 0;
+ }
+
+@@ -2575,16 +2577,42 @@ int gnutls_rehandshake(gnutls_session_t session)
+ return 0;
+ }
+
++/* This function checks whether the error code should be treated fatal
++ * or not, and also does the necessary state transition. In
++ * particular, in the case of a rehandshake abort it resets the
++ * handshake's internal state.
++ */
+ inline static int
+ _gnutls_abort_handshake(gnutls_session_t session, int ret)
+ {
+- if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
+- (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION))
+- || ret == GNUTLS_E_GOT_APPLICATION_DATA)
+- return 0;
++ switch (ret) {
++ case GNUTLS_E_WARNING_ALERT_RECEIVED:
++ if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) {
++ /* The server always toleretes a "no_renegotiation" alert. */
++ if (session->security_parameters.entity == GNUTLS_SERVER) {
++ STATE = STATE0;
++ return ret;
++ }
++
++ /* The client should tolerete a "no_renegotiation" alert only if:
++ * - the initial handshake has completed, or
++ * - a Server Hello is not yet received
++ */
++ if (session->internals.initial_negotiation_completed ||
++ !(session->internals.hsk_flags & HSK_SERVER_HELLO_RECEIVED)) {
++ STATE = STATE0;
++ return ret;
++ }
+
+- /* this doesn't matter */
+- return GNUTLS_E_INTERNAL_ERROR;
++ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
++ }
++ return ret;
++ case GNUTLS_E_GOT_APPLICATION_DATA:
++ STATE = STATE0;
++ return ret;
++ default:
++ return ret;
++ }
+ }
+
+
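Review bot: the function's contract changes here from "return 0 to mean reset state and swallow the error" to "return the error to propagate, resetting STATE as a side effect", and the client path now turns a warning-level no_renegotiation alert received after a Server Hello (HSK_SERVER_HELLO_RECEIVED set, initial negotiation not completed) into a fatal GNUTLS_E_UNEXPECTED_PACKET without resetting STATE, which is the actual CVE fix; any caller that relied on the old `== 0` convention has to change with it, and the later hunk updates the only one in this file. The added comments carry typos ("toleretes", "tolerete"); since this is a verbatim backport of upstream 29ee67c2 they should stay as they are so the patch remains identical to upstream, but a reviewer comparing against upstream should not take them for a transcription error.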
+@@ -2747,13 +2774,7 @@ int gnutls_handshake(gnutls_session_t session)
+ }
+
+ if (ret < 0) {
+- /* In the case of a rehandshake abort
+- * we should reset the handshake's internal state.
+- */
+- if (_gnutls_abort_handshake(session, ret) == 0)
+- STATE = STATE0;
+-
+- return ret;
++ return _gnutls_abort_handshake(session, ret);
+ }
+
+ /* clear handshake buffer */
+--
+2.17.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
index cc0454a561..51578b4b3b 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
@@ -20,6 +20,7 @@ SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \
file://arm_eabi.patch \
file://0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch \
+ file://CVE-2020-24659.patch \
"
SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63"
--
2.17.1
* [OE-core][dunfell 16/24] ell: update to 0.33
From: Steve Sakoman @ 2020-09-14 14:11 UTC
To: openembedded-core
From: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
Changelog
- Fix issue with uintset and number of bytes copied.
- Fix issue with overflow in DHCP lease T2 computation.
- Fix issue with side channel leak in l_ecc_scalar_new.
- Fix issue with missing MSG_MORE in l_cipher_set_iv.
- Add support for DHCP v6 client implementation.
Signed-off-by: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3ad8ca257d40f5041b3ec167e4117c687da448a9)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/ell/{ell_0.32.bb => ell_0.33.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-core/ell/{ell_0.32.bb => ell_0.33.bb} (89%)
diff --git a/meta/recipes-core/ell/ell_0.32.bb b/meta/recipes-core/ell/ell_0.33.bb
similarity index 89%
rename from meta/recipes-core/ell/ell_0.32.bb
rename to meta/recipes-core/ell/ell_0.33.bb
index 07dc4d4cbb..2fa05104fb 100644
--- a/meta/recipes-core/ell/ell_0.32.bb
+++ b/meta/recipes-core/ell/ell_0.33.bb
@@ -14,7 +14,7 @@ DEPENDS = "dbus"
inherit autotools pkgconfig
SRC_URI = "https://mirrors.edge.kernel.org/pub/linux/libs/${BPN}/${BPN}-${PV}.tar.xz"
-SRC_URI[sha256sum] = "42fdb9e24ff561a101389d51445cab1ff7d55f5385dc22a05b0493088cf99e30"
+SRC_URI[sha256sum] = "d9e40e641164150394b74b719b9726fc734f24b2cde679cf5f3be6915c34eded"
do_configure_prepend () {
mkdir -p ${S}/build-aux
--
2.17.1
* [OE-core][dunfell 17/24] curl: add vendors to CVE_PRODUCT to exclude false positives
From: Steve Sakoman @ 2020-09-14 14:11 UTC
To: openembedded-core
From: Ross Burton <ross@burtonini.com>
To avoid false positives (such as CVE-2010-0734, rubygems:curl), expand
the CVE_PRODUCT list to include all the vendors that have been used.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bb265122cccea9466405fdd924ad10ce8cda0dec)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-support/curl/curl_7.69.1.bb | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 8b5170f021..dfcd533c80 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -14,7 +14,9 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
SRC_URI[sha256sum] = "2ff5e5bd507adf6aa88ff4bbafd4c7af464867ffb688be93b9930717a56c4de8"
-CVE_PRODUCT = "curl libcurl"
+# Curl has used many names over the years...
+CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
+
inherit autotools pkgconfig binconfig multilib_header
PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls libidn proxy threaded-resolver verbose zlib"
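Review bot: listing explicit vendor:product pairs removes the rubygems false positive but also turns any future NVD entry filed under a vendor not in this list into a silent false negative; record in the comment which CPE vendors were surveyed (haxx, curl, libcurl, daniel_stenberg) and when, so the list can be re-checked against NVD later. Also confirm that the dunfell cve-check.bbclass parses the `vendor:product` form before merging: a cve-check that only understands bare product names would match none of these entries and report curl as CVE-free.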
--
2.17.1
* [OE-core][dunfell 18/24] cmake: whitelist CVE-2016-10642
From: Steve Sakoman @ 2020-09-14 14:11 UTC
To: openembedded-core
From: Ross Burton <ross@burtonini.com>
This CVE is specific to the npm package that can install cmake, so isn't
relevant to our cmake recipe.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8e74ed809ec4c1f61264ecf5be4bc319e5e07766)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/cmake/cmake.inc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/meta/recipes-devtools/cmake/cmake.inc b/meta/recipes-devtools/cmake/cmake.inc
index 09949b566c..a2c7d513b3 100644
--- a/meta/recipes-devtools/cmake/cmake.inc
+++ b/meta/recipes-devtools/cmake/cmake.inc
@@ -26,3 +26,7 @@ SRC_URI[md5sum] = "d86ccaf3d2462b6b5947919abe5b9f15"
SRC_URI[sha256sum] = "5f760b50b8ecc9c0c37135fae5fbf00a2fef617059aa9d61c1bb91653e5a8bfc"
UPSTREAM_CHECK_REGEX = "cmake-(?P<pver>\d+(\.\d+)+)\.tar"
+
+# This is specific to the npm package that installs cmake, so isn't
+# relevant to OpenEmbedded
+CVE_CHECK_WHITELIST += "CVE-2016-10642"
--
2.17.1
* [OE-core][dunfell 19/24] libxml2: Fix CVE-2020-24977
From: Steve Sakoman @ 2020-09-14 14:11 UTC
To: openembedded-core
From: Ovidiu Panait <ovidiu.panait@windriver.com>
GNOME project libxml2 v2.9.10 and earlier have a global Buffer Overflow
vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has
been fixed in commit 8e7c20a1 (20910-GITv2.9.10-103-g8e7c20a1).
Reference:
https://gitlab.gnome.org/GNOME/libxml2/-/issues/178
Upstream patch:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 92dc02b8f03f3586de0a2ec1463b189a3918e303)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libxml/libxml2/CVE-2020-24977.patch | 41 +++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 +
2 files changed, 42 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch b/meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch
new file mode 100644
index 0000000000..8224346660
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch
@@ -0,0 +1,41 @@
+From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Aug 2020 21:54:27 +0200
+Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout'
+
+Make sure that truncated UTF-8 sequences don't cause an out-of-bounds
+array access.
+
+Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for
+the report.
+
+Fixes #178.
+
+CVE: CVE-2020-24977
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2]
+
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+---
+ xmllint.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/xmllint.c b/xmllint.c
+index f6a8e463..c647486f 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -528,6 +528,12 @@ static void
+ xmlHTMLEncodeSend(void) {
+ char *result;
+
++ /*
++ * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
++ * end with a truncated UTF-8 sequence. This is a hack to at least avoid
++ * an out-of-bounds read.
++ */
++ memset(&buffer[sizeof(buffer)-4], 0, 4);
+ result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
+ if (result) {
+ xmlGenericError(xmlGenericErrorContext, "%s", result);
+--
+2.17.1
+
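Review bot: the memset added just before xmlEncodeEntitiesReentrant is a containment measure rather than a fix of the truncation itself: it unconditionally zeroes the last four bytes of `buffer` on every call, so any valid content that lands in those bytes is dropped along with a truncated sequence, and the upstream comment calls it a hack for that reason. For a CVE backport the trade-off is reasonable, and the patch header carries the CVE: and Upstream-Status: tags the recipe needs; it would only help to say in the recipe commit message that this is the upstream mitigation as-is rather than a rework of the buffer handling.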
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index 097aceb2c0..4ebfb9e556 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -22,6 +22,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
file://fix-execution-of-ptests.patch \
file://CVE-2020-7595.patch \
file://CVE-2019-20388.patch \
+ file://CVE-2020-24977.patch \
"
SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
--
2.17.1
* [OE-core][dunfell 20/24] cve-check.bbclass: always save cve report
From: Steve Sakoman @ 2020-09-14 14:11 UTC
To: openembedded-core
From: akuster <akuster808@gmail.com>
The cve-check file should always be saved, as it has good info.
Put a copy in the log dir as cve-summary with symlinks to latest run.
[Yocto #13974]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 859849c7b594d844819ad8c3f7d8325388d94b93)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/cve-check.bbclass | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 514897e8b8..0889e7544a 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -30,6 +30,9 @@ CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.1.db"
CVE_CHECK_LOG ?= "${T}/cve.log"
CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
+CVE_CHECK_SUMMARY_DIR ?= "${LOG_DIR}/cve"
+CVE_CHECK_SUMMARY_FILE_NAME ?= "cve-summary"
+CVE_CHECK_SUMMARY_FILE ?= "${CVE_CHECK_SUMMARY_DIR}/${CVE_CHECK_SUMMARY_FILE_NAME}"
CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve"
CVE_CHECK_MANIFEST ?= "${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cve"
@@ -46,6 +49,32 @@ CVE_CHECK_PN_WHITELIST ?= ""
#
CVE_CHECK_WHITELIST ?= ""
+python cve_save_summary_handler () {
+ import shutil
+ import datetime
+
+ cve_tmp_file = d.getVar("CVE_CHECK_TMP_FILE")
+
+ cve_summary_name = d.getVar("CVE_CHECK_SUMMARY_FILE_NAME")
+ cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR")
+ bb.utils.mkdirhier(cvelogpath)
+
+ timestamp = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
+ cve_summary_file = os.path.join(cvelogpath, "%s-%s.txt" % (cve_summary_name, timestamp))
+
+ shutil.copyfile(cve_tmp_file, cve_summary_file)
+
+ if cve_summary_file and os.path.exists(cve_summary_file):
+ cvefile_link = os.path.join(cvelogpath, cve_summary_name)
+
+ if os.path.exists(os.path.realpath(cvefile_link)):
+ os.remove(cvefile_link)
+ os.symlink(os.path.basename(cve_summary_file), cvefile_link)
+}
+
+addhandler cve_save_summary_handler
+cve_save_summary_handler[eventmask] = "bb.event.BuildCompleted"
+
python do_cve_check () {
"""
Check recipe for patched and unpatched CVEs
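Review bot: two robustness problems in cve_save_summary_handler. First, `shutil.copyfile(cve_tmp_file, cve_summary_file)` runs unconditionally on every bb.event.BuildCompleted, so a build that never ran do_cve_check (and therefore never created CVE_CHECK_TMP_FILE) fails the handler with FileNotFoundError; guard it with `if os.path.exists(cve_tmp_file):` (patch 24/24 of this series does exactly that). Second, the stale-link removal tests `os.path.exists(os.path.realpath(cvefile_link))`, which is False for a dangling symlink (for example after an older summary file was deleted from the log dir), so the link is left in place and the following `os.symlink` raises FileExistsError; `os.path.lexists(cvefile_link)` is the right test for "a link already exists here". Nit: the `if cve_summary_file and ...` check is redundant, since cve_summary_file is always a non-empty path at that point.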
@@ -331,5 +360,8 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
f.write(write_string)
if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1":
+ cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR")
+ bb.utils.mkdirhier(cvelogpath)
+
with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f:
f.write("%s" % write_string)
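Review bot: the `bb.utils.mkdirhier(cvelogpath)` added here does not guard the write that follows it: the `open()` below targets CVE_CHECK_TMP_FILE under TMPDIR, not CVE_CHECK_SUMMARY_DIR, and the handler above already creates the summary directory before writing there. It also only runs when CVE_CHECK_CREATE_MANIFEST is "1", so it cannot be relied on for the summary path in the other case. Suggest dropping these three lines, or moving the mkdirhier next to the code that actually writes into the summary directory.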
--
2.17.1
* [OE-core][dunfell 21/24] cve-update-db-native: add progress handler
From: Steve Sakoman @ 2020-09-14 14:11 UTC
To: openembedded-core
From: Chris Laplante <chris.laplante@agilent.com>
Signed-off-by: Chris Laplante <chris.laplante@agilent.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 79ae2e82b8ec11578177f428060b568d6c7d44ca)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../recipes-core/meta/cve-update-db-native.bb | 90 ++++++++++---------
1 file changed, 47 insertions(+), 43 deletions(-)
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 32d6dbdffc..2221825bf8 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -29,6 +29,7 @@ python do_populate_cve_db() {
Update NVD database with json data feed
"""
import bb.utils
+ import bb.progress
import sqlite3, urllib, urllib.parse, shutil, gzip
from datetime import date
@@ -60,54 +61,57 @@ python do_populate_cve_db() {
initialize_db(c)
- for year in range(YEAR_START, date.today().year + 1):
- year_url = BASE_URL + str(year)
- meta_url = year_url + ".meta"
- json_url = year_url + ".json.gz"
+ with bb.progress.ProgressHandler(d) as ph:
+ total_years = date.today().year + 1 - YEAR_START
+ for i, year in enumerate(range(YEAR_START, date.today().year + 1)):
+ ph.update((float(i + 1) / total_years) * 100)
+ year_url = BASE_URL + str(year)
+ meta_url = year_url + ".meta"
+ json_url = year_url + ".json.gz"
- # Retrieve meta last modified date
- try:
- response = urllib.request.urlopen(meta_url)
- except urllib.error.URLError as e:
- cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n')
- bb.warn("Failed to fetch CVE data (%s)" % e.reason)
- return
-
- if response:
- for l in response.read().decode("utf-8").splitlines():
- key, value = l.split(":", 1)
- if key == "lastModifiedDate":
- last_modified = value
- break
- else:
- bb.warn("Cannot parse CVE metadata, update failed")
- return
-
- # Compare with current db last modified date
- c.execute("select DATE from META where YEAR = ?", (year,))
- meta = c.fetchone()
- if not meta or meta[0] != last_modified:
- # Clear products table entries corresponding to current year
- c.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,))
-
- # Update db with current year json file
+ # Retrieve meta last modified date
try:
- response = urllib.request.urlopen(json_url)
- if response:
- update_db(c, gzip.decompress(response.read()).decode('utf-8'))
- c.execute("insert or replace into META values (?, ?)", [year, last_modified])
+ response = urllib.request.urlopen(meta_url)
except urllib.error.URLError as e:
- cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
- bb.warn("Cannot parse CVE data (%s), update failed" % e.reason)
+ cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n')
+ bb.warn("Failed to fetch CVE data (%s)" % e.reason)
return
- # Update success, set the date to cve_check file.
- if year == date.today().year:
- cve_f.write('CVE database update : %s\n\n' % date.today())
-
- cve_f.close()
- conn.commit()
- conn.close()
+ if response:
+ for l in response.read().decode("utf-8").splitlines():
+ key, value = l.split(":", 1)
+ if key == "lastModifiedDate":
+ last_modified = value
+ break
+ else:
+ bb.warn("Cannot parse CVE metadata, update failed")
+ return
+
+ # Compare with current db last modified date
+ c.execute("select DATE from META where YEAR = ?", (year,))
+ meta = c.fetchone()
+ if not meta or meta[0] != last_modified:
+ # Clear products table entries corresponding to current year
+ c.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,))
+
+ # Update db with current year json file
+ try:
+ response = urllib.request.urlopen(json_url)
+ if response:
+ update_db(c, gzip.decompress(response.read()).decode('utf-8'))
+ c.execute("insert or replace into META values (?, ?)", [year, last_modified])
+ except urllib.error.URLError as e:
+ cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
+ bb.warn("Cannot parse CVE data (%s), update failed" % e.reason)
+ return
+
+ # Update success, set the date to cve_check file.
+ if year == date.today().year:
+ cve_f.write('CVE database update : %s\n\n' % date.today())
+
+ cve_f.close()
+ conn.commit()
+ conn.close()
}
def initialize_db(c):
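Review bot: `ph.update((float(i + 1) / total_years) * 100)` sits at the top of the loop body, so the task reports one year done before anything has been fetched and reaches 100% as soon as the last year's download starts rather than when it finishes; report `float(i) / total_years` at the top of the loop, or move the update to the end of the body. The `return`s on the two error paths are unchanged and, now inside the new `with` block, still exit without `cve_f.close()`, `conn.commit()` or `conn.close()` (pre-existing; the next patch in the series moves cve_f under the context manager). Since nearly all of this hunk is a re-indent, reviewing it with `git diff -w` shows the only logic change is the enumerate/ph.update addition.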
--
2.17.1
* [OE-core][dunfell 22/24] cve-check/cve-update-db-native: use lockfile to fix usage under multiconfig
From: Steve Sakoman @ 2020-09-14 14:11 UTC
To: openembedded-core
From: Chris Laplante <chris.laplante@agilent.com>
Previously CVE_CHECK_DB_FILE / CVE_CHECK_DB_DIR was the same across
multiconfigs which led to a race condition wherein multiple
cve-update-db-native:do_populate_cve_db tasks could attempt to write to
the same sqlite database. This led to the following task failure:
Error executing a python function in exec_python_func() autogenerated:
The stack trace of python calls that resulted in this exception/failure was:
File: 'exec_python_func() autogenerated', lineno: 2, function: <module>
0001:
*** 0002:do_populate_cve_db(d)
0003:
File: '/mnt/data/agent/work/74f119cccb44f133/yocto/sources/poky/meta/recipes-core/meta/cve-update-db-native.bb', lineno: 103, function: do_populate_cve_db
0099: if year == date.today().year:
0100: cve_f.write('CVE database update : %s\n\n' % date.today())
0101:
0102: cve_f.close()
*** 0103: conn.commit()
0104: conn.close()
0105:}
0106:
0107:def initialize_db(c):
Exception: sqlite3.OperationalError: disk I/O error
Use a lockfile to ensure multiple tasks don't step over each other.
Signed-off-by: Chris Laplante <chris.laplante@agilent.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 24e9380643a2ae3fcae193519cb64aedaf682153)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/cve-check.bbclass | 1 +
meta/recipes-core/meta/cve-update-db-native.bb | 5 +++--
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 0889e7544a..35b7d0f298 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -27,6 +27,7 @@ CVE_VERSION ??= "${PV}"
CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.1.db"
+CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock"
CVE_CHECK_LOG ?= "${T}/cve.log"
CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 2221825bf8..d22b66f6c7 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -52,8 +52,7 @@ python do_populate_cve_db() {
cve_f = open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a')
- if not os.path.isdir(db_dir):
- os.mkdir(db_dir)
+ bb.utils.mkdirhier(db_dir)
# Connect to database
conn = sqlite3.connect(db_file)
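Review bot: replacing the `os.path.isdir(db_dir)` / `os.mkdir(db_dir)` pair with `bb.utils.mkdirhier(db_dir)` also closes a small race that the lockfile alone would not cover: with several multiconfig tasks starting at once, the check-then-create sequence could see the directory missing and then fail in `os.mkdir` because another task created it first, whereas mkdirhier tolerates an existing directory. Worth a sentence in the commit message, since it otherwise reads as an unrelated cleanup.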
@@ -114,6 +113,8 @@ python do_populate_cve_db() {
conn.close()
}
+do_populate_cve_db[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}"
+
def initialize_db(c):
c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
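Review bot: `do_populate_cve_db[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}"` serializes the writers, which addresses the disk I/O error in the commit message, but the diffstat shows the only change to cve-check.bbclass is the new variable, so do_cve_check still opens the database without taking the lock and can read it while another multiconfig's do_populate_cve_db is rewriting it. If that matters in practice, give do_cve_check the same `[lockfiles]` flag; otherwise a short comment that readers are intentionally unlocked would save the next reader the question.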
--
2.17.1
* [OE-core][dunfell 23/24] cve-update-db-native: use context manager for cve_f
From: Steve Sakoman @ 2020-09-14 14:11 UTC
To: openembedded-core
From: Chris Laplante <chris.laplante@agilent.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ff422652e1b5db62205fafc75ce56bb5951d478d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/meta/cve-update-db-native.bb | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index d22b66f6c7..328f6ab364 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -50,8 +50,6 @@ python do_populate_cve_db() {
except OSError:
pass
- cve_f = open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a')
-
bb.utils.mkdirhier(db_dir)
# Connect to database
@@ -60,7 +58,7 @@ python do_populate_cve_db() {
initialize_db(c)
- with bb.progress.ProgressHandler(d) as ph:
+ with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f:
total_years = date.today().year + 1 - YEAR_START
for i, year in enumerate(range(YEAR_START, date.today().year + 1)):
ph.update((float(i + 1) / total_years) * 100)
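Review bot: opening cve_f inside the same `with` as the progress handler is the right place for it: the early `return`s later in the loop now release the file instead of leaking the descriptor, and the file is only opened once `sqlite3.connect` and `initialize_db(c)` have succeeded, so a database failure no longer leaves an opened cve_check file behind. Style: the line is long enough to hide the second context manager; nesting two `with` statements, or breaking after the comma with a backslash continuation, would make it easier to read.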
@@ -108,7 +106,6 @@ python do_populate_cve_db() {
if year == date.today().year:
cve_f.write('CVE database update : %s\n\n' % date.today())
- cve_f.close()
conn.commit()
conn.close()
}
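Review bot: dropping `cve_f.close()` here is correct now that the file is owned by the `with` block, but `conn.commit()` / `conn.close()` still only run on the success path, and the `return`s inside the loop leave the sqlite connection open and uncommitted. Suggest `contextlib.closing(conn)` alongside the other context managers, or a try/finally around the loop, so the connection is closed on every exit.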
--
2.17.1
* [OE-core][dunfell 24/24] cve-check: avoid FileNotFoundError if no do_cve_check task has run
From: Steve Sakoman @ 2020-09-14 14:11 UTC
To: openembedded-core
From: Chris Laplante <chris.laplante@agilent.com>
For example, if you just run 'bitbake cve-update-db-native' in a clean
build system, |cve_tmp_file| won't exist yet.
Signed-off-by: Chris Laplante <chris.laplante@agilent.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dd4473f3d8e1c1a587b6de660775e4b46ddc5fad)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/cve-check.bbclass | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 35b7d0f298..17f64a8a9c 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -63,14 +63,15 @@ python cve_save_summary_handler () {
timestamp = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
cve_summary_file = os.path.join(cvelogpath, "%s-%s.txt" % (cve_summary_name, timestamp))
- shutil.copyfile(cve_tmp_file, cve_summary_file)
+ if os.path.exists(cve_tmp_file):
+ shutil.copyfile(cve_tmp_file, cve_summary_file)
- if cve_summary_file and os.path.exists(cve_summary_file):
- cvefile_link = os.path.join(cvelogpath, cve_summary_name)
+ if cve_summary_file and os.path.exists(cve_summary_file):
+ cvefile_link = os.path.join(cvelogpath, cve_summary_name)
- if os.path.exists(os.path.realpath(cvefile_link)):
- os.remove(cvefile_link)
- os.symlink(os.path.basename(cve_summary_file), cvefile_link)
+ if os.path.exists(os.path.realpath(cvefile_link)):
+ os.remove(cvefile_link)
+ os.symlink(os.path.basename(cve_summary_file), cvefile_link)
}
addhandler cve_save_summary_handler
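Review bot: the `os.path.exists(cve_tmp_file)` guard fixes the FileNotFoundError, but the handler now skips silently when the file is missing; a `bb.note` along the lines of "no cve_check results found, skipping summary" would tell users why no cve-summary appeared after a build that did not run do_cve_check. The re-indented block below it keeps the `os.path.exists(os.path.realpath(cvefile_link))` test, which still misses a dangling cve-summary link and lets `os.symlink` raise FileExistsError; `os.path.lexists(cvefile_link)` is the test to use there.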
--
2.17.1
* Re: [OE-core][dunfell 12/24] systemd-serialgetty: Fix sed expression quoting
From: Steve Sakoman @ 2020-09-14 14:24 UTC
To: Steve Sakoman; +Cc: Patches and discussions about the oe-core layer
In reviewing new master branch commits this morning I see that this
patch introduces a bug and a fix patch has been merged.
I will drop this patch from the final pull request and will submit it
next week along with the fix (systemd-serialgetty: Replace sed quoting
using ' with " to allow var expansion)
Steve
On Mon, Sep 14, 2020 at 4:12 AM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> From: Rahul Kumar <rahulk@mvista.com>
>
> Fix sed: -e expression #1, char 13: unterminated `s' command
>
> Error Message:
> | NOTE: Installed into sysroot: []
> | NOTE: Skipping as already exists in sysroot: ['pseudo-native', 'glibc', 'patch-native', 'quilt-native', 'gcc-cross-arm', 'gcc-runtime', 'linux-libc-headers', 'libgcc', 'flex-native', 'xz-native', 'libtool-native', 'automake-native', 'binutils-cross-arm', 'zlib-native', 'mpfr-native', 'texinfo-dummy-native', 'autoconf-native', 'libmpc-native', 'gnu-config-native', 'gmp-native', 'attr-native', 'm4-native', 'gettext-minimal-native']
> | DEBUG: Python function extend_recipe_sysroot finished
> | DEBUG: Executing shell function do_install
> | sed: -e expression #1, char 13: unterminated `s' command
> | WARNING: exit code 1 from a shell command.
> | ERROR: Execution of '/opt/Projects/poky/build/tmp/work/qemux86_64-poky-linux/systemd-serialgetty/1.0-r5/temp/run.do_install.11228' failed with exit code 1:
> | sed: -e expression #1, char 13: unterminated `s' command
> | WARNING: exit code 1 from a shell command.
> |
>
> To fix this issue, use the strong (single quote) character in the sed command.
> It is recommended to use quotes. If we have meta-characters in the command, quotes are necessary.
>
> Signed-off-by: Rahul Kumar <rahulk@mvista.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> (cherry picked from commit e2fea05e150dcfec4b7dfbd8edddb53897026bf9)
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
> meta/recipes-core/systemd/systemd-serialgetty.bb | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/recipes-core/systemd/systemd-serialgetty.bb b/meta/recipes-core/systemd/systemd-serialgetty.bb
> index 044c6c5b67..059fccc2b6 100644
> --- a/meta/recipes-core/systemd/systemd-serialgetty.bb
> +++ b/meta/recipes-core/systemd/systemd-serialgetty.bb
> @@ -21,7 +21,7 @@ do_install() {
> install -d ${D}${systemd_unitdir}/system/
> install -d ${D}${sysconfdir}/systemd/system/getty.target.wants/
> install -m 0644 ${WORKDIR}/serial-getty@.service ${D}${systemd_unitdir}/system/
> - sed -i -e s/\@BAUDRATE\@/$default_baudrate/g ${D}${systemd_unitdir}/system/serial-getty@.service
> + sed -i -e 's/\@BAUDRATE\@/$default_baudrate/g' ${D}${systemd_unitdir}/system/serial-getty@.service
>
> tmp="${SERIAL_CONSOLES}"
> for entry in $tmp ; do
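Review bot: the replacement `sed -i -e 's/\@BAUDRATE\@/$default_baudrate/g' ...` does terminate the `s` command, but single quotes also stop the shell from expanding `$default_baudrate`, so the service file now receives the literal text `$default_baudrate` instead of the configured baud rate; that is the bug the follow-up named above (replacing ' with " to allow var expansion) addresses. Double quotes keep the expression in one argument for sed while still expanding the variable: `sed -i -e "s/\@BAUDRATE\@/$default_baudrate/g" ${D}${systemd_unitdir}/system/serial-getty@.service`.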
> --
> 2.17.1
>
>