[OE-core][kirkstone 0/8] Patch review

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Friday, December 1

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6260

The following changes since commit 8726ae02d760270f9e7fe7ef5715d8f7553371ce:

  goarch: Move Go architecture mapping to a library (2023-11-21 05:32:39 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (2):
  gstreamer1.0-plugins-bad: fix CVE-2023-44429
  vim: Upgrade 9.0.2048 -> 9.0.2068

Hitendra Prajapati (1):
  grub: fix CVE-2023-4693

Li Wang (1):
  systemtap_git: fix used uninitialized error

Ninad Palsule (1):
  kernel-fitImage: Strip path component from dtb

Richard Purdie (1):
  vim: Improve locale handling

Steve Sakoman (1):
  vim: use upstream generated .po files

Vivek Kumbhar (1):
  openssl: fix CVE-2023-5678 Generating excessively long X9.42 DH keys
    or checking excessively long X9.42 DH keys or parameters may be very
    slow

 meta/classes/kernel-fitimage.bbclass          |   5 +
 .../grub/files/CVE-2023-4693.patch            |  62 ++++++
 meta/recipes-bsp/grub/grub2.inc               |   1 +
 .../openssl/openssl/CVE-2023-5678.patch       | 180 ++++++++++++++++++
 .../openssl/openssl_3.0.12.bb                 |   1 +
 ...x-Prevent-Werror-maybe-uninitialized.patch |  53 ++++++
 .../recipes-kernel/systemtap/systemtap_git.bb |   1 +
 .../CVE-2023-44429.patch                      |  38 ++++
 .../gstreamer1.0-plugins-bad_1.20.7.bb        |   1 +
 meta/recipes-support/vim/vim.inc              |  20 +-
 10 files changed, 350 insertions(+), 12 deletions(-)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2023-4693.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch
 create mode 100644 meta/recipes-kernel/systemtap/systemtap/0001-bpf-translate.cxx-Prevent-Werror-maybe-uninitialized.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-44429.patch

-- 
2.34.1

[OE-core][kirkstone 1/8] gstreamer1.0-plugins-bad: fix CVE-2023-44429

[Steve Sakoman]

From: Archana Polampalli <archana.polampalli@windriver.com>

AV1 codec parser buffer overflow

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../CVE-2023-44429.patch                      | 38 +++++++++++++++++++
 .../gstreamer1.0-plugins-bad_1.20.7.bb        |  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-44429.patch

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-44429.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-44429.patch
new file mode 100644
index 0000000000..5070d6b865
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-44429.patch
@@ -0,0 +1,38 @@
+From 1db83d3f745332cbda6adf954b2c53a10caa205e Mon Sep 17 00:00:00 2001
+From: Benjamin Gaignard <benjamin.gaignard@collabora.com>
+Date: Wed, 4 Oct 2023 11:14:38 +0200
+Subject: [PATCH] codecparsers: av1: Clip max tile rows and cols values
+
+Clip tile rows and cols to 64 as describe in AV1 specification.
+
+Fixes ZDI-CAN-22226 / CVE-2023-44429
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3015
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5634>
+
+CVE: CVE-2023-44429
+
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1db83d3f745332cbda6adf954b2c53a10caa205e]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ gst-libs/gst/codecparsers/gstav1parser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/gst-libs/gst/codecparsers/gstav1parser.c b/gst-libs/gst/codecparsers/gstav1parser.c
+index 7b9378c..68f8a76 100644
+--- a/gst-libs/gst/codecparsers/gstav1parser.c
++++ b/gst-libs/gst/codecparsers/gstav1parser.c
+@@ -2219,6 +2219,8 @@ gst_av1_parse_tile_info (GstAV1Parser * parser, GstBitReader * br,
+       ((parser->state.mi_cols + 31) >> 5) : ((parser->state.mi_cols + 15) >> 4);
+   sb_rows = seq_header->use_128x128_superblock ? ((parser->state.mi_rows +
+           31) >> 5) : ((parser->state.mi_rows + 15) >> 4);
++  sb_cols = MIN (GST_AV1_MAX_TILE_COLS, sb_cols);
++  sb_rows = MIN (GST_AV1_MAX_TILE_ROWS, sb_rows);
+   sb_shift = seq_header->use_128x128_superblock ? 5 : 4;
+   sb_size = sb_shift + 2;
+   max_tile_width_sb = GST_AV1_MAX_TILE_WIDTH >> sb_size;
+--
+2.40.0
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
index fbaabda3f9..504cfce1fd 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
@@ -13,6 +13,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
            file://CVE-2023-40474.patch \
            file://CVE-2023-40475.patch \
            file://CVE-2023-40476.patch \
+           file://CVE-2023-44429.patch \
            "
 SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"
 
-- 
2.34.1

[OE-core][kirkstone 2/8] openssl: fix CVE-2023-5678 Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow

[Steve Sakoman]

From: Vivek Kumbhar <vkumbhar@mvista.com>

Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../openssl/openssl/CVE-2023-5678.patch       | 180 ++++++++++++++++++
 .../openssl/openssl_3.0.12.bb                 |   1 +
 2 files changed, 181 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch
new file mode 100644
index 0000000000..796a4f8be9
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch
@@ -0,0 +1,180 @@
+From db925ae2e65d0d925adef429afc37f75bd1c2017 Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levitte@openssl.org>
+Date: Fri, 20 Oct 2023 09:18:19 +0200
+Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
+
+We already check for an excessively large P in DH_generate_key(), but not in
+DH_check_pub_key(), and none of them check for an excessively large Q.
+
+This change adds all the missing excessive size checks of P and Q.
+
+It's to be noted that behaviours surrounding excessively sized P and Q
+differ.  DH_check() raises an error on the excessively sized P, but only
+sets a flag for the excessively sized Q.  This behaviour is mimicked in
+DH_check_pub_key().
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/22518)
+
+(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)
+
+Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017]
+CVE: CVE-2023-5678
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ crypto/dh/dh_check.c    | 12 ++++++++++++
+ crypto/dh/dh_err.c      |  3 ++-
+ crypto/dh/dh_key.c      | 12 ++++++++++++
+ crypto/err/openssl.txt  |  1 +
+ include/crypto/dherr.h  |  2 +-
+ include/openssl/dh.h    |  6 +++---
+ include/openssl/dherr.h |  3 ++-
+ 7 files changed, 33 insertions(+), 6 deletions(-)
+
+diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
+index 7ba2bea..e20eb62 100644
+--- a/crypto/dh/dh_check.c
++++ b/crypto/dh/dh_check.c
+@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
+  */
+ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
+ {
++    /* Don't do any checks at all with an excessively large modulus */
++    if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
++        *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
++        return 0;
++    }
++
++    if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) {
++        *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
++        return 1;
++    }
++
+     return ossl_ffc_validate_public_key(&dh->params, pub_key, ret);
+ }
+
+diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
+index 4152397..f76ac0d 100644
+--- a/crypto/dh/dh_err.c
++++ b/crypto/dh/dh_err.c
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the Apache License 2.0 (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
+     "parameter encoding error"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
++    {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
+     "unable to check generator"},
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index d84ea99..afc49f5 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+         goto err;
+     }
+
++    if (dh->params.q != NULL
++        && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
++        goto err;
++    }
++
+     if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
+         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
+         return 0;
+@@ -267,6 +273,12 @@ static int generate_key(DH *dh)
+         return 0;
+     }
+
++    if (dh->params.q != NULL
++        && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
++        return 0;
++    }
++
+     if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
+         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
+         return 0;
+diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
+index e51504b..36de321 100644
+--- a/crypto/err/openssl.txt
++++ b/crypto/err/openssl.txt
+@@ -500,6 +500,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
+ DH_R_NO_PRIVATE_VALUE:100:no private value
+ DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
+ DH_R_PEER_KEY_ERROR:111:peer key error
++DH_R_Q_TOO_LARGE:130:q too large
+ DH_R_SHARED_INFO_ERROR:113:shared info error
+ DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
+ DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
+diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h
+index bb24d13..519327f 100644
+--- a/include/crypto/dherr.h
++++ b/include/crypto/dherr.h
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the Apache License 2.0 (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+diff --git a/include/openssl/dh.h b/include/openssl/dh.h
+index 6533260..50e0cf5 100644
+--- a/include/openssl/dh.h
++++ b/include/openssl/dh.h
+@@ -141,7 +141,7 @@ DECLARE_ASN1_ITEM(DHparams)
+ #   define DH_GENERATOR_3          3
+ #   define DH_GENERATOR_5          5
+
+-/* DH_check error codes */
++/* DH_check error codes, some of them shared with DH_check_pub_key */
+ /*
+  * NB: These values must align with the equivalently named macros in
+  * internal/ffc.h.
+@@ -151,10 +151,10 @@ DECLARE_ASN1_ITEM(DHparams)
+ #   define DH_UNABLE_TO_CHECK_GENERATOR    0x04
+ #   define DH_NOT_SUITABLE_GENERATOR       0x08
+ #   define DH_CHECK_Q_NOT_PRIME            0x10
+-#   define DH_CHECK_INVALID_Q_VALUE        0x20
++#   define DH_CHECK_INVALID_Q_VALUE        0x20 /* +DH_check_pub_key */
+ #   define DH_CHECK_INVALID_J_VALUE        0x40
+ #   define DH_MODULUS_TOO_SMALL            0x80
+-#   define DH_MODULUS_TOO_LARGE            0x100
++#   define DH_MODULUS_TOO_LARGE            0x100 /* +DH_check_pub_key */
+
+ /* DH_check_pub_key error codes */
+ #   define DH_CHECK_PUBKEY_TOO_SMALL       0x01
+diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
+index 5d2a762..074a701 100644
+--- a/include/openssl/dherr.h
++++ b/include/openssl/dherr.h
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the Apache License 2.0 (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -50,6 +50,7 @@
+ #  define DH_R_NO_PRIVATE_VALUE                            100
+ #  define DH_R_PARAMETER_ENCODING_ERROR                    105
+ #  define DH_R_PEER_KEY_ERROR                              111
++#  define DH_R_Q_TOO_LARGE                                 130
+ #  define DH_R_SHARED_INFO_ERROR                           113
+ #  define DH_R_UNABLE_TO_CHECK_GENERATOR                   121
+
+--
+2.40.1
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.12.bb b/meta/recipes-connectivity/openssl/openssl_3.0.12.bb
index d8c9b073a2..395cace2ec 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.12.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.12.bb
@@ -12,6 +12,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
            file://afalg.patch \
            file://0001-Configure-do-not-tweak-mips-cflags.patch \
+           file://CVE-2023-5678.patch \
            "
 
 SRC_URI:append:class-nativesdk = " \
-- 
2.34.1

[OE-core][kirkstone 3/8] grub: fix CVE-2023-4693

[Steve Sakoman]

From: Hitendra Prajapati <hprajapati@mvista.com>

Upstream-Status: Backport from https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0ed2458cc4eff6d9a9199527e2a0b6d445802f94

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../grub/files/CVE-2023-4693.patch            | 62 +++++++++++++++++++
 meta/recipes-bsp/grub/grub2.inc               |  1 +
 2 files changed, 63 insertions(+)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2023-4693.patch

diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4693.patch b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
new file mode 100644
index 0000000000..1b6013d86d
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
@@ -0,0 +1,62 @@
+From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:32:33 +0300
+Subject: [PATCH] fs/ntfs: Fix an OOB read when reading data from the resident
+ $DATA attribute
+
+When reading a file containing resident data, i.e., the file data is stored in
+the $DATA attribute within the NTFS file record, not in external clusters,
+there are no checks that this resident data actually fits the corresponding
+file record segment.
+
+When parsing a specially-crafted file system image, the current NTFS code will
+read the file data from an arbitrary, attacker-chosen memory offset and of
+arbitrary, attacker-chosen length.
+
+This allows an attacker to display arbitrary chunks of memory, which could
+contain sensitive information like password hashes or even plain-text,
+obfuscated passwords from BS EFI variables.
+
+This fix implements a check to ensure that resident data is read from the
+corresponding file record segment only.
+
+Fixes: CVE-2023-4693
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0ed2458cc4eff6d9a9199527e2a0b6d445802f94]
+CVE: CVE-2023-4693
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/ntfs.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 7e43fd6..8f63c83 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
+     {
+       if (ofs + len > u32at (pa, 0x10))
+ 	return grub_error (GRUB_ERR_BAD_FS, "read out of range");
+-      grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
++
++      if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++	return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
++
++      if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++      if (u16at (pa, 0x14) + u32at (pa, 0x10) >
++	  (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
++	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++      grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
+       return 0;
+     }
+ 
+-- 
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index aaee8a1e03..e6c6cd98b4 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -39,6 +39,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
            file://commands-boot-Add-API-to-pass-context-to-loader.patch \
            file://CVE-2022-28736-loader-efi-chainloader-Use-grub_loader_set_ex.patch \
 	   file://CVE-2023-4692.patch \
+           file://CVE-2023-4693.patch \
 "
 
 SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
-- 
2.34.1

[OE-core][kirkstone 4/8] vim: Improve locale handling

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

When making checkouts from git, the timestamps can vary and occasionally two files
can end up with the same stamp. This triggers make to regenerate ru.cp1251.po from
ru.po for example. If it isn't regenerated, the output isn't quite the same leading
to reproducibility issues (CP1251 vs cp1251).

Since we added all locales to buildtools tarball now, we can drop the locale
restrictions too. We need to generate a native binary for the sjis conversion
tool so also tweak that.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 042c1a501b1dae5ddb31307b461be02c3591c589)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/vim/vim.inc | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 58025828f2..38212a1fa6 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -40,22 +40,16 @@ do_configure () {
     cd src
     rm -f auto/*
     touch auto/config.mk
+    # git timestamps aren't reliable and we want to consistently regenerate these generated files
+    rm -f po/cs.cp1250.po po/ja.euc-jp.po po/ja.sjis.po po/ko.po po/pl.UTF-8.po po/pl.cp1250.po po/ru.cp1251.po po/sk.cp1250.po po/uk.cp1251.po po/zh_CN.po po/zh_CN.cp936.po po/zh_TW.po
     aclocal
     autoconf
     cd ..
     oe_runconf
     touch src/auto/configure
     touch src/auto/config.mk src/auto/config.h
-}
-
-do_compile() {
-    # We do not support fully / correctly the following locales.  Attempting
-    # to use these with msgfmt in order to update the ".desktop" files exposes
-    # this problem and leads to the compile failing.
-    for LOCALE in cs fr ko pl sk zh_CN zh_TW;do
-        echo -n > src/po/${LOCALE}.po
-    done
-    autotools_do_compile
+    # need a native tool, not a target one
+    ${BUILD_CC} src/po/sjiscorr.c -o src/po/sjiscorr
 }
 
 PACKAGECONFIG ??= "\
-- 
2.34.1

[OE-core][kirkstone 5/8] vim: use upstream generated .po files

[Steve Sakoman]

A previous commit attempted to fix reproducibility errors by forcing
regeneration of .po files. Unfortunately this triggered a different
type of reproducibility issue.

Work around this by adjusting the timestamps of the troublesome .po
files so they are not regenerated and we use the shipped upstream
versions of the files.

The shipped version of ru.cp1251.po doesn't seem to have been created
with the vim tooling and specifies CP1251 instead of cp1251, fix that.

Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 13d9551ba626f001c71bf908df16caf1d739cf13)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/vim/vim.inc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 38212a1fa6..888f8f0e5a 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -40,8 +40,10 @@ do_configure () {
     cd src
     rm -f auto/*
     touch auto/config.mk
-    # git timestamps aren't reliable and we want to consistently regenerate these generated files
-    rm -f po/cs.cp1250.po po/ja.euc-jp.po po/ja.sjis.po po/ko.po po/pl.UTF-8.po po/pl.cp1250.po po/ru.cp1251.po po/sk.cp1250.po po/uk.cp1251.po po/zh_CN.po po/zh_CN.cp936.po po/zh_TW.po
+    # git timestamps aren't reliable, so touch the shipped .po files so they aren't regenerated
+    touch -c po/cs.cp1250.po po/ja.euc-jp.po po/ja.sjis.po po/ko.po po/pl.UTF-8.po po/pl.cp1250.po po/ru.cp1251.po po/sk.cp1250.po po/uk.cp1251.po po/zh_CN.po po/zh_CN.cp936.po po/zh_TW.po
+    # ru.cp1251.po uses CP1251 rather than cp1251, fix that
+    sed -i -e s/CP1251/cp1251/ po/ru.cp1251.po
     aclocal
     autoconf
     cd ..
-- 
2.34.1

[OE-core][kirkstone 6/8] vim: Upgrade 9.0.2048 -> 9.0.2068

[Steve Sakoman]

From: Archana Polampalli <archana.polampalli@windriver.com>

This includes CVE fix for CVE-2023-46246.
9198c1f2b (tag: v9.0.2068) patch 9.0.2068: [security] overflow in :history

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-46246

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 63bc72ccb63d2f8eb591d7cc481657a538f0fd42)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 888f8f0e5a..a37310afd8 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
            file://no-path-adjust.patch \
            "
 
-PV .= ".2048"
-SRCREV = "982ef16059bd163a77271107020defde0740bbd6"
+PV .= ".2068"
+SRCREV = "9198c1f2b1ddecde22af918541e0de2a32f0f45a"
 
 # Do not consider .z in x.y.z, as that is updated with every commit
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+)\.0"
-- 
2.34.1

[OE-core][kirkstone 7/8] kernel-fitImage: Strip path component from dtb

[Steve Sakoman]

From: Ninad Palsule <ninad@linux.ibm.com>

Machines that have added subdirectires to the KERNEL_DEVICETREE
recently, such as arm32 boards that were moved under subdirectories in
Linux 6.5, will have that subdirectory in the node name of the FIT. This
breaks existing systems that select a configuration in u-boot by it's
name.

Strip off the directory component from the device tree to preserve
compatibility.

(From OE-Core rev: 941ba1a132bafa9c9be855fb91fec96d8b06299f)

Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Ninad Palsule <ninad@linux.ibm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de> # backport to kirkstone
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/kernel-fitimage.bbclass | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index 27e17db951..194d825b0e 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -542,6 +542,11 @@ fitimage_assemble() {
 				DTB_PATH="arch/${ARCH}/boot/$DTB"
 			fi
 
+			# Strip off the path component from the filename
+			if "${@'false' if oe.types.boolean(d.getVar('KERNEL_DTBVENDORED')) else 'true'}"; then
+				DTB=`basename $DTB`
+			fi
+
 			DTB=$(echo "$DTB" | tr '/' '_')
 
 			# Skip DTB if we've picked it up previously
-- 
2.34.1

Re: [OE-core][kirkstone 7/8] kernel-fitImage: Strip path component from dtb

[Max Krummenacher]

On Thu, Nov 30, 2023 at 12:05 AM Steve Sakoman <steve@sakoman.com> wrote:
>
> From: Ninad Palsule <ninad@linux.ibm.com>
>
> Machines that have added subdirectires to the KERNEL_DEVICETREE
> recently, such as arm32 boards that were moved under subdirectories in
> Linux 6.5, will have that subdirectory in the node name of the FIT. This
> breaks existing systems that select a configuration in u-boot by it's
> name.
>
> Strip off the directory component from the device tree to preserve
> compatibility.

This now breaks each arm64 machine (and likely mips & riscv) as they did
have the vendor subdirectories since (nearly) ever and expect those in the
fitimage.

Breaking those existing machines / kernel combination in order to have a
smooth transition for arm32 machines which bring a 6.5 kernel to kirkstone
seems wrong to me.

I think we should revert the backport to kirkstone. If someone builds a 6.5
or later kernel in kirkstone for an arm32 based machine one could cope
with the change e.g. in the kernel recipe which provides that 6.5 kernel.

Any comments? Thanks.

Sorry that I didn't notice the change on the mailing list before it got applied.

Regards
Max

>
> (From OE-Core rev: 941ba1a132bafa9c9be855fb91fec96d8b06299f)
>
> Signed-off-by: Joel Stanley <joel@jms.id.au>
> Signed-off-by: Ninad Palsule <ninad@linux.ibm.com>
> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de> # backport to kirkstone
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>  meta/classes/kernel-fitimage.bbclass | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
> index 27e17db951..194d825b0e 100644
> --- a/meta/classes/kernel-fitimage.bbclass
> +++ b/meta/classes/kernel-fitimage.bbclass
> @@ -542,6 +542,11 @@ fitimage_assemble() {
>                                 DTB_PATH="arch/${ARCH}/boot/$DTB"
>                         fi
>
> +                       # Strip off the path component from the filename
> +                       if "${@'false' if oe.types.boolean(d.getVar('KERNEL_DTBVENDORED')) else 'true'}"; then
> +                               DTB=`basename $DTB`
> +                       fi
> +
>                         DTB=$(echo "$DTB" | tr '/' '_')
>
>                         # Skip DTB if we've picked it up previously
> --
> 2.34.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#191471): https://lists.openembedded.org/g/openembedded-core/message/191471
> Mute This Topic: https://lists.openembedded.org/mt/102883133/3617484
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [max.oss.09@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Re: [OE-core][kirkstone 7/8] kernel-fitImage: Strip path component from dtb

[Steve Sakoman]

On Thu, Dec 14, 2023 at 12:42 AM Max Krummenacher <max.oss.09@gmail.com> wrote:
>
> On Thu, Nov 30, 2023 at 12:05 AM Steve Sakoman <steve@sakoman.com> wrote:
> >
> > From: Ninad Palsule <ninad@linux.ibm.com>
> >
> > Machines that have added subdirectires to the KERNEL_DEVICETREE
> > recently, such as arm32 boards that were moved under subdirectories in
> > Linux 6.5, will have that subdirectory in the node name of the FIT. This
> > breaks existing systems that select a configuration in u-boot by it's
> > name.
> >
> > Strip off the directory component from the device tree to preserve
> > compatibility.
>
> This now breaks each arm64 machine (and likely mips & riscv) as they did
> have the vendor subdirectories since (nearly) ever and expect those in the
> fitimage.
>
> Breaking those existing machines / kernel combination in order to have a
> smooth transition for arm32 machines which bring a 6.5 kernel to kirkstone
> seems wrong to me.
>
> I think we should revert the backport to kirkstone. If someone builds a 6.5
> or later kernel in kirkstone for an arm32 based machine one could cope
> with the change e.g. in the kernel recipe which provides that 6.5 kernel.
>
> Any comments? Thanks.
>
> Sorry that I didn't notice the change on the mailing list before it got applied.

Since this is causing breakage I will revert it prior to the upcoming
kirkstone release build.

Steve

> > (From OE-Core rev: 941ba1a132bafa9c9be855fb91fec96d8b06299f)
> >
> > Signed-off-by: Joel Stanley <joel@jms.id.au>
> > Signed-off-by: Ninad Palsule <ninad@linux.ibm.com>
> > Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de> # backport to kirkstone
> > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > ---
> >  meta/classes/kernel-fitimage.bbclass | 5 +++++
> >  1 file changed, 5 insertions(+)
> >
> > diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
> > index 27e17db951..194d825b0e 100644
> > --- a/meta/classes/kernel-fitimage.bbclass
> > +++ b/meta/classes/kernel-fitimage.bbclass
> > @@ -542,6 +542,11 @@ fitimage_assemble() {
> >                                 DTB_PATH="arch/${ARCH}/boot/$DTB"
> >                         fi
> >
> > +                       # Strip off the path component from the filename
> > +                       if "${@'false' if oe.types.boolean(d.getVar('KERNEL_DTBVENDORED')) else 'true'}"; then
> > +                               DTB=`basename $DTB`
> > +                       fi
> > +
> >                         DTB=$(echo "$DTB" | tr '/' '_')
> >
> >                         # Skip DTB if we've picked it up previously
> > --
> > 2.34.1
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#191471): https://lists.openembedded.org/g/openembedded-core/message/191471
> > Mute This Topic: https://lists.openembedded.org/mt/102883133/3617484
> > Group Owner: openembedded-core+owner@lists.openembedded.org
> > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [max.oss.09@gmail.com]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >

Re: [OE-core][kirkstone 7/8] kernel-fitImage: Strip path component from dtb

[Max Krummenacher]

On Thu, Dec 14, 2023 at 03:56:13AM -1000, Steve Sakoman wrote:
> On Thu, Dec 14, 2023 at 12:42 AM Max Krummenacher <max.oss.09@gmail.com> wrote:
> >
> > On Thu, Nov 30, 2023 at 12:05 AM Steve Sakoman <steve@sakoman.com> wrote:
> > >
> > > From: Ninad Palsule <ninad@linux.ibm.com>
> > >
> > > Machines that have added subdirectires to the KERNEL_DEVICETREE
> > > recently, such as arm32 boards that were moved under subdirectories in
> > > Linux 6.5, will have that subdirectory in the node name of the FIT. This
> > > breaks existing systems that select a configuration in u-boot by it's
> > > name.
> > >
> > > Strip off the directory component from the device tree to preserve
> > > compatibility.
> >
> > This now breaks each arm64 machine (and likely mips & riscv) as they did
> > have the vendor subdirectories since (nearly) ever and expect those in the
> > fitimage.
> >
> > Breaking those existing machines / kernel combination in order to have a
> > smooth transition for arm32 machines which bring a 6.5 kernel to kirkstone
> > seems wrong to me.
> >
> > I think we should revert the backport to kirkstone. If someone builds a 6.5
> > or later kernel in kirkstone for an arm32 based machine one could cope
> > with the change e.g. in the kernel recipe which provides that 6.5 kernel.
> >
> > Any comments? Thanks.
> >
> > Sorry that I didn't notice the change on the mailing list before it got applied.
> 
> Since this is causing breakage I will revert it prior to the upcoming
> kirkstone release build.
> 
> Steve

Thanks Steve. Much appreciated.
Max

> 
> > > (From OE-Core rev: 941ba1a132bafa9c9be855fb91fec96d8b06299f)
> > >
> > > Signed-off-by: Joel Stanley <joel@jms.id.au>
> > > Signed-off-by: Ninad Palsule <ninad@linux.ibm.com>
> > > Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
> > > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > > Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de> # backport to kirkstone
> > > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > > ---
> > >  meta/classes/kernel-fitimage.bbclass | 5 +++++
> > >  1 file changed, 5 insertions(+)
> > >
> > > diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
> > > index 27e17db951..194d825b0e 100644
> > > --- a/meta/classes/kernel-fitimage.bbclass
> > > +++ b/meta/classes/kernel-fitimage.bbclass
> > > @@ -542,6 +542,11 @@ fitimage_assemble() {
> > >                                 DTB_PATH="arch/${ARCH}/boot/$DTB"
> > >                         fi
> > >
> > > +                       # Strip off the path component from the filename
> > > +                       if "${@'false' if oe.types.boolean(d.getVar('KERNEL_DTBVENDORED')) else 'true'}"; then
> > > +                               DTB=`basename $DTB`
> > > +                       fi
> > > +
> > >                         DTB=$(echo "$DTB" | tr '/' '_')
> > >
> > >                         # Skip DTB if we've picked it up previously
> > > --
> > > 2.34.1
> > >
> > >
> > > -=-=-=-=-=-=-=-=-=-=-=-
> > > Links: You receive all messages sent to this group.
> > > View/Reply Online (#191471): https://lists.openembedded.org/g/openembedded-core/message/191471
> > > Mute This Topic: https://lists.openembedded.org/mt/102883133/3617484
> > > Group Owner: openembedded-core+owner@lists.openembedded.org
> > > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [max.oss.09@gmail.com]
> > > -=-=-=-=-=-=-=-=-=-=-=-
> > >
> 

[OE-core][kirkstone 8/8] systemtap_git: fix used uninitialized error

[Steve Sakoman]

From: Li Wang <li.wang@windriver.com>

bpf-translate.cxx: error: 'this_column_size' may be used uninitialized in this function [-Werror=maybe-uninitialized]
bpf-translate.cxx: error: 'num' may be used uninitialized in this function [-Werror=maybe-uninitialized]

Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...x-Prevent-Werror-maybe-uninitialized.patch | 53 +++++++++++++++++++
 .../recipes-kernel/systemtap/systemtap_git.bb |  1 +
 2 files changed, 54 insertions(+)
 create mode 100644 meta/recipes-kernel/systemtap/systemtap/0001-bpf-translate.cxx-Prevent-Werror-maybe-uninitialized.patch

diff --git a/meta/recipes-kernel/systemtap/systemtap/0001-bpf-translate.cxx-Prevent-Werror-maybe-uninitialized.patch b/meta/recipes-kernel/systemtap/systemtap/0001-bpf-translate.cxx-Prevent-Werror-maybe-uninitialized.patch
new file mode 100644
index 0000000000..130eefab5d
--- /dev/null
+++ b/meta/recipes-kernel/systemtap/systemtap/0001-bpf-translate.cxx-Prevent-Werror-maybe-uninitialized.patch
@@ -0,0 +1,53 @@
+From df3425f51a512f65522522daf1f78c7fab0a63fd Mon Sep 17 00:00:00 2001
+From: Aaron Merey <amerey@redhat.com>
+Date: Fri, 25 Feb 2022 19:18:29 -0500
+Subject: [PATCH] bpf-translate.cxx: Prevent -Werror=maybe-uninitialized
+
+Two variables in bpf-translate.cxx can trigger -Werror=maybe-uninitialized.
+The code is designed so that uninitialized uses are not actually possible,
+but to convince gcc of this we move a throw statement and initialize one
+of the variables with a value.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=systemtap.git;a=commit;h=df3425f51a512f65522522daf1f78c7fab0a63fd]
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ bpf-translate.cxx | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/bpf-translate.cxx b/bpf-translate.cxx
+index 3f45c721f..1b63d6078 100644
+--- a/bpf-translate.cxx
++++ b/bpf-translate.cxx
+@@ -1203,7 +1203,7 @@ bpf_unparser::emit_asm_arg (const asm_stmt &stmt, const std::string &arg,
+     {
+       /* arg is a register number */
+       std::string reg = arg[0] == 'r' ? arg.substr(1) : arg;
+-      unsigned long num;
++      unsigned long num = ULONG_MAX;
+       bool parsed = false;
+       try {
+         num = stoul(reg, 0, 0);
+@@ -1941,8 +1941,6 @@ bpf_unparser::visit_foreach_loop(foreach_loop* s)
+   for (unsigned k = 0; k < arraydecl->index_types.size(); k++)
+     {
+       auto type = arraydecl->index_types[k];
+-      if (type != pe_long && type != pe_string)
+-        throw SEMANTIC_ERROR(_("unhandled foreach index type"), s->tok);
+       int this_column_size;
+       // PR23875: foreach should handle string keys
+       if (type == pe_long)
+@@ -1953,6 +1951,10 @@ bpf_unparser::visit_foreach_loop(foreach_loop* s)
+         {
+           this_column_size = BPF_MAXSTRINGLEN;
+         }
++      else
++        {
++          throw SEMANTIC_ERROR(_("unhandled foreach index type"), s->tok);
++        }
+       if (info.sort_column == k + 1) // record sort column
+         {
+           info.sort_column_size = this_column_size;
+-- 
+2.25.1
+
diff --git a/meta/recipes-kernel/systemtap/systemtap_git.bb b/meta/recipes-kernel/systemtap/systemtap_git.bb
index ce86d5274d..c84fc27001 100644
--- a/meta/recipes-kernel/systemtap/systemtap_git.bb
+++ b/meta/recipes-kernel/systemtap/systemtap_git.bb
@@ -9,6 +9,7 @@ require systemtap_git.inc
 SRC_URI += "file://0001-improve-reproducibility-for-c-compiling.patch \
             file://0001-staprun-address-ncurses-6.3-failures.patch \
             file://0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch \
+            file://0001-bpf-translate.cxx-Prevent-Werror-maybe-uninitialized.patch \
            "
 
 DEPENDS = "elfutils"
-- 
2.34.1