[OE-core][dunfell 00/16] Patch review

[OE-core][dunfell 00/16] Patch review

[Steve Sakoman]

Please review this first set of changes for dunfell and have comments back
by end of day Friday.

Clean a-full build on autobuilder (other than tickling a Send QA Email bug):

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/898

The following changes since commit 1795f30d8ab73d35710ca99064c51190dc84853e:

  build-appliance-image: Update to master head revision (2020-04-07 22:15:32 +0100)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-next
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-next

Bartosz Golaszewski (1):
  qemuboot.bbclass: don't redefine IMGDEPLOYDIR

Changqing Li (1):
  parselogs.py: ignore pulseaudio startup warning messages

Denys Dmytriyenko (1):
  u-boot.inc: install u-boot-initial-env as ${PN}-initial-env in $D and
    $DEPLOYDIR

Jeremy Puhlman (3):
  qemu-system-native: Fix commented out PACKAGECONFIG
  nativesdk-gcc-runtime: enable building libstdc++.a
  buildtools-extended-tarball: Add libstc++.a

Khem Raj (2):
  libucontext: Bring in mips/mips64 support
  ruby: Link with libucontext on musl

Maxime Roussin-B?langer (1):
  tzdata: remove exit 0 from pkg_postinst

Paul Barker (1):
  kernel-yocto.bbclass: Fix deps when externalsrc is used

Pierre-Jean Texier (1):
  ell: upgrade 0.30 -> 0.31

Richard Purdie (1):
  bzip2/pbzip2: Correct license information

Tim Orling (1):
  python3-manifest.json: add pathlib to core

Wang Mingyu (1):
  gnutls: upgrade 3.6.12 -> 3.6.13

Yi Zhao (1):
  alsa-state: ignore 'No soundcards found' error in pkg_postinst

hongxu (1):
  buildtools-tarball: add nativesdk-mtools for `wic ls'

 meta/classes/kernel-yocto.bbclass             |  6 +++
 meta/classes/qemuboot.bbclass                 |  1 -
 .../common-licenses/{bzip2 => bzip2-1.0.6}    |  0
 meta/lib/oeqa/runtime/cases/parselogs.py      |  4 +-
 meta/recipes-bsp/alsa-state/alsa-state.bb     |  2 +-
 meta/recipes-bsp/u-boot/u-boot.inc            | 28 +++++------
 .../ell/{ell_0.30.bb => ell_0.31.bb}          |  4 +-
 .../meta/buildtools-extended-tarball.bb       |  1 +
 meta/recipes-core/meta/buildtools-tarball.bb  |  1 +
 ...move-using-.end-directive-with-clang.patch | 36 ++++++++++++++
 .../0001-Makefile-Add-LIBDIR-variable.patch   | 46 ------------------
 .../0001-pass-LDFLAGS-to-link-step.patch      | 31 ------------
 meta/recipes-core/musl/libucontext_git.bb     | 48 +++++++++----------
 meta/recipes-devtools/gcc/gcc-runtime.inc     |  2 +
 .../python/python3/python3-manifest.json      |  2 +
 meta/recipes-devtools/qemu/qemu.inc           |  2 +-
 meta/recipes-devtools/ruby/ruby_2.7.0.bb      |  9 +++-
 meta/recipes-extended/bzip2/bzip2_1.0.8.bb    |  2 +-
 meta/recipes-extended/pbzip2/pbzip2_1.1.13.bb |  2 +-
 meta/recipes-extended/timezone/tzdata.bb      |  8 +---
 .../{gnutls_3.6.12.bb => gnutls_3.6.13.bb}    |  4 +-
 21 files changed, 106 insertions(+), 133 deletions(-)
 rename meta/files/common-licenses/{bzip2 => bzip2-1.0.6} (100%)
 rename meta/recipes-core/ell/{ell_0.30.bb => ell_0.31.bb} (83%)
 create mode 100644 meta/recipes-core/musl/0001-Remove-using-.end-directive-with-clang.patch
 delete mode 100644 meta/recipes-core/musl/libucontext/0001-Makefile-Add-LIBDIR-variable.patch
 delete mode 100644 meta/recipes-core/musl/libucontext/0001-pass-LDFLAGS-to-link-step.patch
 rename meta/recipes-support/gnutls/{gnutls_3.6.12.bb => gnutls_3.6.13.bb} (93%)

-- 
2.17.1

[OE-core][dunfell 00/16] Patch review

[Steve Sakoman]

Please review this next set of patches for dunfell and have comments back
by end of day Wednesday.

The following changes since commit c88cf750f26f6786d6ba5b4f1f7e5d4f0c800e6e:

  avahi: Don't advertise example services by default (2020-05-26 04:12:28 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Adrian Bunk (1):
  libubootenv: Remove the DEPENDS on mtd-utils

Gregor Zatko (1):
  sanity.bbclass: Detect and fail if 'inherit' is used in conf file

Joe Slater (1):
  terminal.py: do not stop searching for auto

Joshua Watt (1):
  checklayer: Skip layers without a collection

Khem Raj (2):
  cve-check: Run it after do_fetch
  make-mod-scripts: Fix a rare build race condition

Konrad Weihmann (1):
  qemurunner: fix ip fallback detection

Lee Chee Yang (2):
  bind: fix CVE-2020-8616/7
  libexif: fix CVE-2020-13114

Mark Hatle (1):
  sstate.bbclass: When siginfo or sig files are missing, stop fetcher
    errors

Richard Purdie (2):
  resulttool/report: Remove leftover debugging
  resulttool/log: Add ability to dump ltp logs as well as ptest

Robert P. J. Day (1):
  bitbake.conf: Remove unused DEPLOY_DIR_TOOLS variable

Robert Yang (1):
  archiver.bbclass: Fix duplicated SRC_URIs for do_ar_original

Steve Sakoman (1):
  oeqa/concurrencytest: don't delete build directory for failed tests

Trevor Gamblin (1):
  qemuarm: check serial consoles vs /proc/consoles

 meta/classes/archiver.bbclass                 |   8 +-
 meta/classes/cve-check.bbclass                |   2 +-
 meta/classes/sanity.bbclass                   |   6 +
 meta/classes/sstate.bbclass                   |   6 +-
 meta/conf/bitbake.conf                        |   1 -
 meta/conf/machine/qemuarm.conf                |   1 +
 meta/conf/machine/qemuarm64.conf              |   1 +
 meta/lib/oe/terminal.py                       |   5 +-
 meta/lib/oeqa/core/utils/concurrencytest.py   |  10 +-
 meta/lib/oeqa/utils/qemurunner.py             |   2 +-
 meta/recipes-bsp/u-boot/libubootenv_0.2.bb    |   2 +-
 .../bind/bind/CVE-2020-8616.patch             | 206 ++++++++++++++++++
 .../bind/bind/CVE-2020-8617.patch             |  29 +++
 .../recipes-connectivity/bind/bind_9.11.13.bb |   2 +
 .../make-mod-scripts/make-mod-scripts_1.0.bb  |   7 +-
 .../libexif/libexif/CVE-2020-13114.patch      |  73 +++++++
 .../recipes-support/libexif/libexif_0.6.21.bb |   4 +-
 scripts/lib/checklayer/__init__.py            |   3 +
 scripts/lib/resulttool/log.py                 |  21 +-
 scripts/lib/resulttool/report.py              |   1 -
 scripts/lib/resulttool/resultutils.py         |  22 +-
 21 files changed, 383 insertions(+), 29 deletions(-)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
 create mode 100644 meta/recipes-support/libexif/libexif/CVE-2020-13114.patch

-- 
2.17.1

[OE-core][dunfell 01/16] cve-check: Run it after do_fetch

[Steve Sakoman]

From: Khem Raj <raj.khem@gmail.com>

Certain recipes e.g. bash readline ( from meta-gplv2 ) download patches instead of having them in
metadata, this could fail cve_check

ERROR: readline-5.2-r9 do_cve_check: File Not found: qemuarm/build/../downloads/readline52-001

This patch ensures that download is done before running CVE scan, even
though these will be external patches and may not contain CVE tags as it
expects, but it will fix the run failures as seen above

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e406fcb6c609a0d2456d7da0d2406d2d9fa52dd2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/cve-check.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 2a530a0489..556ac6e67f 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -65,7 +65,7 @@ python do_cve_check () {
 
 }
 
-addtask cve_check before do_build
+addtask cve_check before do_build after do_fetch
 do_cve_check[depends] = "cve-update-db-native:do_populate_cve_db"
 do_cve_check[nostamp] = "1"
 
-- 
2.17.1

[OE-core][dunfell 02/16] checklayer: Skip layers without a collection

[Steve Sakoman]

From: Joshua Watt <JPEWhacker@gmail.com>

As in other places in the file, skip layers that don't define a
collection when searching for a layer to resolve a dependency. Fixes
KeyError exceptions when attempting to access the layer collections
later

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 26090a2861ebe21224aaf89d7be0c0a89ca58e48)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 scripts/lib/checklayer/__init__.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/scripts/lib/checklayer/__init__.py b/scripts/lib/checklayer/__init__.py
index 5aeec2f00f..1138000275 100644
--- a/scripts/lib/checklayer/__init__.py
+++ b/scripts/lib/checklayer/__init__.py
@@ -143,6 +143,9 @@ def detect_layers(layer_directories, no_auto):
 
 def _find_layer_depends(depend, layers):
     for layer in layers:
+        if 'collections' not in layer:
+            continue
+
         for collection in layer['collections']:
             if depend == collection:
                 return layer
-- 
2.17.1

[OE-core][dunfell 03/16] oeqa/concurrencytest: don't delete build directory for failed tests

[Steve Sakoman]

Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3d5aa170d2e88b852bd2a4452aab9311a24badef)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oeqa/core/utils/concurrencytest.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/meta/lib/oeqa/core/utils/concurrencytest.py b/meta/lib/oeqa/core/utils/concurrencytest.py
index fac59f765a..01c39830f9 100644
--- a/meta/lib/oeqa/core/utils/concurrencytest.py
+++ b/meta/lib/oeqa/core/utils/concurrencytest.py
@@ -77,14 +77,17 @@ class ProxyTestResult:
     # a very basic TestResult proxy, in order to modify add* calls
     def __init__(self, target):
         self.result = target
+        self.failed_tests = 0
 
     def _addResult(self, method, test, *args, exception = False, **kwargs):
         return method(test, *args, **kwargs)
 
     def addError(self, test, err = None, **kwargs):
+        self.failed_tests += 1
         self._addResult(self.result.addError, test, err, exception = True, **kwargs)
 
     def addFailure(self, test, err = None, **kwargs):
+        self.failed_tests += 1
         self._addResult(self.result.addFailure, test, err, exception = True, **kwargs)
 
     def addSuccess(self, test, **kwargs):
@@ -96,6 +99,9 @@ class ProxyTestResult:
     def addUnexpectedSuccess(self, test, **kwargs):
         self._addResult(self.result.addUnexpectedSuccess, test, **kwargs)
 
+    def wasSuccessful(self):
+        return self.failed_tests == 0
+
     def __getattr__(self, attr):
         return getattr(self.result, attr)
 
@@ -287,10 +293,10 @@ def fork_for_tests(concurrency_num, suite):
                 # as per default in parent code
                 subunit_client.buffer = True
                 subunit_result = AutoTimingTestResultDecorator(subunit_client)
-                process_suite.run(ExtraResultsEncoderTestResult(subunit_result))
+                unittest_result = process_suite.run(ExtraResultsEncoderTestResult(subunit_result))
                 if ourpid != os.getpid():
                     os._exit(0)
-                if newbuilddir:
+                if newbuilddir and unittest_result.wasSuccessful():
                     removebuilddir(newbuilddir)
             except:
                 # Don't do anything with process children
-- 
2.17.1

[OE-core][dunfell 04/16] sanity.bbclass: Detect and fail if 'inherit' is used in conf file

[Steve Sakoman]

From: Gregor Zatko <gzatko@gmail.com>

'inherit' directive may not be used in conf files as it's supposed
to be used for the inheritance of classes.
Correct form in conf file is INHERIT.

This commit adds:
- a sanity check to find whether the wrong case exists
- fail the build if so
- tell user about the difference in directives

[YOCTO #5426]

Signed-off-by: Gregor Zatko <gzatko@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 07bf9b460fe97dec86439302a83bbefa8bac9d70)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/sanity.bbclass | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass
index 9e87101738..5ddde9cc9c 100644
--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -784,6 +784,12 @@ def check_sanity_everybuild(status, d):
     if "." in paths or "./" in paths or "" in paths:
         status.addresult("PATH contains '.', './' or '' (empty element), which will break the build, please remove this.\nParsed PATH is " + str(paths) + "\n")
 
+    # Check whether 'inherit' directive is found (used for a class to inherit)
+    # in conf file it's supposed to be uppercase INHERIT
+    inherit = d.getVar('inherit')
+    if inherit:
+        status.addresult("Please don't use inherit directive in your local.conf. The directive is supposed to be used in classes and recipes only to inherit of bbclasses. Here INHERIT should be used.\n")
+
     # Check that the DISTRO is valid, if set
     # need to take into account DISTRO renaming DISTRO
     distro = d.getVar('DISTRO')
-- 
2.17.1

[OE-core][dunfell 05/16] archiver.bbclass: Fix duplicated SRC_URIs for do_ar_original

[Steve Sakoman]

From: Robert Yang <liezhi.yang@windriver.com>

The argument urls of bb.fetch2.Fetch(urls, d) are duplicated to SRC_URI, which caused errors like:

bb.data_smart.ExpansionError: Failure expanding variable SRCPV, expression was ${@bb.fetch2.get_srcrev(d)} which triggered exception FetchError: Fetcher failure: The SRCREV_FORMAT variable must be set when multiple SCMs are used.
The SCMs are:
git://github.com/docker/notary.git;destsuffix=git/src/github.com/docker/notary
git://github.com/docker/notary.git

The first one is from original SRC_URI, the second one is from the
variable 'urls', so cleanup SRC_URI before call bb.fetch2.Fetch() can fix the
problem.

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b244c4f3427cd07376d4b8f7d27e38735bcc90e7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/archiver.bbclass | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/meta/classes/archiver.bbclass b/meta/classes/archiver.bbclass
index 43333a7551..780c562b68 100644
--- a/meta/classes/archiver.bbclass
+++ b/meta/classes/archiver.bbclass
@@ -193,7 +193,13 @@ python do_ar_original() {
                 del decoded[5][param]
         encoded = bb.fetch2.encodeurl(decoded)
         urls[i] = encoded
-    fetch = bb.fetch2.Fetch(urls, d)
+
+    # Cleanup SRC_URI before call bb.fetch2.Fetch() since now SRC_URI is in the
+    # variable "urls", otherwise there might be errors like:
+    # The SRCREV_FORMAT variable must be set when multiple SCMs are used
+    ld = bb.data.createCopy(d)
+    ld.setVar('SRC_URI', '')
+    fetch = bb.fetch2.Fetch(urls, ld)
     tarball_suffix = {}
     for url in fetch.urls:
         local = fetch.localpath(url).rstrip("/");
-- 
2.17.1

[OE-core][dunfell 06/16] resulttool/report: Remove leftover debugging

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

I've long since wondered why there was some odd output in result reports,
remove the leftover debug which was causing it.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 66e96bf70753933714ff8edcc13a1f35a052656f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 scripts/lib/resulttool/report.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/scripts/lib/resulttool/report.py b/scripts/lib/resulttool/report.py
index 7ceceac802..f0ca50ebe2 100644
--- a/scripts/lib/resulttool/report.py
+++ b/scripts/lib/resulttool/report.py
@@ -96,7 +96,6 @@ class ResultsTextReport(object):
         if 'ltpresult.sections' in result and suite not in result['ltpresult.sections']:
             try:
                 _, suite, suite1, test = k.split(".", 3)
-                print("split2: %s %s %s" % (suite, suite1, test))
                 if suite + "." + suite1 in result['ltpresult.sections']:
                     suite = suite + "." + suite1
             except ValueError:
-- 
2.17.1

[OE-core][dunfell 07/16] resulttool/log: Add ability to dump ltp logs as well as ptest

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

Currently only ptest logs are accessible with the log command, this
adds support so the ltp logs can be extracted too.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 64a2121a875ce128959ee0a62e310d5f91f87b0d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 scripts/lib/resulttool/log.py         | 21 ++++++++++++++-------
 scripts/lib/resulttool/resultutils.py | 22 ++++++++++++++--------
 2 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/scripts/lib/resulttool/log.py b/scripts/lib/resulttool/log.py
index f1bfd99500..eb3927ec82 100644
--- a/scripts/lib/resulttool/log.py
+++ b/scripts/lib/resulttool/log.py
@@ -34,13 +34,17 @@ def log(args, logger):
         return 1
 
     for _, run_name, _, r in resultutils.test_run_results(results):
-        if args.dump_ptest and 'ptestresult.sections' in r:
-            for name, ptest in r['ptestresult.sections'].items():
-                logdata = resultutils.ptestresult_get_log(r, name)
+        if args.dump_ptest:
+            for sectname in ['ptestresult.sections', 'ltpposixresult.sections', 'ltpresult.sections']:
+             if sectname in r:
+              for name, ptest in r[sectname].items():
+                logdata = resultutils.generic_get_log(sectname, r, name)
                 if logdata is not None:
                     dest_dir = args.dump_ptest
                     if args.prepend_run:
                         dest_dir = os.path.join(dest_dir, run_name)
+                    if not sectname.startswith("ptest"):
+                        dest_dir = os.path.join(dest_dir, sectname.split(".")[0])
 
                     os.makedirs(dest_dir, exist_ok=True)
                     dest = os.path.join(dest_dir, '%s.log' % name)
@@ -49,10 +53,13 @@ def log(args, logger):
                         f.write(logdata)
 
         if args.raw_ptest:
-            rawlog = resultutils.ptestresult_get_rawlogs(r)
-            if rawlog is not None:
-                print(rawlog)
-            else:
+            found = False
+            for sectname in ['ptestresult.rawlogs', 'ltpposixresult.rawlogs', 'ltpresult.rawlogs']:
+                rawlog = resultutils.generic_get_rawlogs(sectname, r)
+                if rawlog is not None:
+                    print(rawlog)
+                    found = True
+            if not found:
                 print('Raw ptest logs not found')
                 return 1
 
diff --git a/scripts/lib/resulttool/resultutils.py b/scripts/lib/resulttool/resultutils.py
index 5fec01f6f3..8917022d36 100644
--- a/scripts/lib/resulttool/resultutils.py
+++ b/scripts/lib/resulttool/resultutils.py
@@ -130,23 +130,29 @@ def decode_log(logdata):
             return data.decode("utf-8", errors='ignore')
     return None
 
-def ptestresult_get_log(results, section):
-    if 'ptestresult.sections' not in results:
+def generic_get_log(sectionname, results, section):
+    if sectionname not in results:
         return None
-    if section not in results['ptestresult.sections']:
+    if section not in results[sectionname]:
         return None
 
-    ptest = results['ptestresult.sections'][section]
+    ptest = results[sectionname][section]
     if 'log' not in ptest:
         return None
     return decode_log(ptest['log'])
 
-def ptestresult_get_rawlogs(results):
-    if 'ptestresult.rawlogs' not in results:
+def ptestresult_get_log(results, section):
+    return generic_get_log('ptestresuls.sections', results, section)
+
+def generic_get_rawlogs(sectname, results):
+    if sectname not in results:
         return None
-    if 'log' not in results['ptestresult.rawlogs']:
+    if 'log' not in results[sectname]:
         return None
-    return decode_log(results['ptestresult.rawlogs']['log'])
+    return decode_log(results[sectname]['log'])
+
+def ptestresult_get_rawlogs(results):
+    return generic_get_rawlogs('ptestresult.rawlogs', results)
 
 def save_resultsdata(results, destdir, fn="testresults.json", ptestjson=False, ptestlogs=False):
     for res in results:
-- 
2.17.1

[OE-core][dunfell 08/16] terminal.py: do not stop searching for auto

[Steve Sakoman]

From: Joe Slater <joe.slater@windriver.com>

If a terminal fails to spawn() we should continue looking.
gnome-terminal, in particular can be present but not start.

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6e4babdeee38d32002a4c9129e77466ae4156dd7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oe/terminal.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/meta/lib/oe/terminal.py b/meta/lib/oe/terminal.py
index a1daa2bed6..eb10a6e33e 100644
--- a/meta/lib/oe/terminal.py
+++ b/meta/lib/oe/terminal.py
@@ -207,7 +207,10 @@ def spawn_preferred(sh_cmd, title=None, env=None, d=None):
             spawn(terminal.name, sh_cmd, title, env, d)
             break
         except UnsupportedTerminal:
-            continue
+            pass
+        except:
+            bb.warn("Terminal %s is supported but did not start" % (terminal.name))
+    # when we've run out of options
     else:
         raise NoSupportedTerminals(get_cmd_list())
 
-- 
2.17.1

[OE-core][dunfell 09/16] bind: fix CVE-2020-8616/7

[Steve Sakoman]

From: Lee Chee Yang <chee.yang.lee@intel.com>

fix CVE-2020-8616 and CVE-2020-8617

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d0df831830e4c5f8df2343a45ea75c2ab4f57058)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../bind/bind/CVE-2020-8616.patch             | 206 ++++++++++++++++++
 .../bind/bind/CVE-2020-8617.patch             |  29 +++
 .../recipes-connectivity/bind/bind_9.11.13.bb |   2 +
 3 files changed, 237 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch
new file mode 100644
index 0000000000..8f00231919
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch
@@ -0,0 +1,206 @@
+Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8616.patch]
+CVE: CVE-2020-8616
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+diff --git a/lib/dns/adb.c b/lib/dns/adb.c
+index 058495f6a5..6b8a9537f0 100644
+--- a/lib/dns/adb.c
++++ b/lib/dns/adb.c
+@@ -404,14 +404,13 @@ static void log_quota(dns_adbentry_t *entry, const char *fmt, ...)
+  */
+ #define FIND_WANTEVENT(fn)      (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
+ #define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
+-#define FIND_AVOIDFETCHES(fn)   (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
+-				 != 0)
+-#define FIND_STARTATZONE(fn)    (((fn)->options & DNS_ADBFIND_STARTATZONE) \
+-				 != 0)
+-#define FIND_HINTOK(fn)         (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
+-#define FIND_GLUEOK(fn)         (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
+-#define FIND_HAS_ADDRS(fn)      (!ISC_LIST_EMPTY((fn)->list))
+-#define FIND_RETURNLAME(fn)     (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
++#define FIND_AVOIDFETCHES(fn)	(((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0)
++#define FIND_STARTATZONE(fn)	(((fn)->options & DNS_ADBFIND_STARTATZONE) != 0)
++#define FIND_HINTOK(fn)		(((fn)->options & DNS_ADBFIND_HINTOK) != 0)
++#define FIND_GLUEOK(fn)		(((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
++#define FIND_HAS_ADDRS(fn)	(!ISC_LIST_EMPTY((fn)->list))
++#define FIND_RETURNLAME(fn)	(((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
++#define FIND_NOFETCH(fn)	(((fn)->options & DNS_ADBFIND_NOFETCH) != 0)
+ 
+ /*
+  * These are currently used on simple unsigned ints, so they are
+@@ -3155,21 +3154,26 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+ 		 * Listen to negative cache hints, and don't start
+ 		 * another query.
+ 		 */
+-		if (NCACHE_RESULT(result) || AUTH_NX(result))
++		if (NCACHE_RESULT(result) || AUTH_NX(result)) {
+ 			goto fetch;
++		}
+ 
+-		if (!NAME_FETCH_V6(adbname))
++		if (!NAME_FETCH_V6(adbname)) {
+ 			wanted_fetches |= DNS_ADBFIND_INET6;
++		}
+ 	}
+ 
+  fetch:
+ 	if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) ||
+ 	    (WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname)))
++	{
+ 		have_address = true;
+-	else
++	} else {
+ 		have_address = false;
+-	if (wanted_fetches != 0 &&
+-	    ! (FIND_AVOIDFETCHES(find) && have_address)) {
++	}
++	if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) &&
++	    !FIND_NOFETCH(find))
++	{
+ 		/*
+ 		 * We're missing at least one address family.  Either the
+ 		 * caller hasn't instructed us to avoid fetches, or we don't
+@@ -3177,8 +3181,9 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+ 		 * be acceptable so we have to launch fetches.
+ 		 */
+ 
+-		if (FIND_STARTATZONE(find))
++		if (FIND_STARTATZONE(find)) {
+ 			start_at_zone = true;
++		}
+ 
+ 		/*
+ 		 * Start V4.
+diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
+index 63a13c4e41..edf6e54935 100644
+--- a/lib/dns/include/dns/adb.h
++++ b/lib/dns/include/dns/adb.h
+@@ -207,6 +207,10 @@ struct dns_adbfind {
+  *      lame for this query.
+  */
+ #define DNS_ADBFIND_OVERQUOTA		0x00000400
++/*%
++ *	Don't perform a fetch even if there are no address records available.
++ */
++#define DNS_ADBFIND_NOFETCH		0x00000800
+ 
+ /*%
+  * The answers to queries come back as a list of these.
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 7c44478a26..0a40859d08 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -172,6 +172,14 @@
+ #define DEFAULT_MAX_QUERIES 75
+ #endif
+ 
++/*
++ * After NS_FAIL_LIMIT attempts to fetch a name server address,
++ * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT,
++ * stop trying to fetch, in order to avoid wasting resources.
++ */
++#define NS_FAIL_LIMIT 4
++#define NS_RR_LIMIT   5
++
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+ #define RES_DOMAIN_BUCKETS	523
+@@ -3130,8 +3138,7 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) {
+ static void
+ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
+ 	 unsigned int options, unsigned int flags, isc_stdtime_t now,
+-	 bool *overquota, bool *need_alternate)
+-{
++	 bool *overquota, bool *need_alternate, unsigned int *no_addresses) {
+ 	dns_adbaddrinfo_t *ai;
+ 	dns_adbfind_t *find;
+ 	dns_resolver_t *res;
+@@ -3219,7 +3226,12 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
+ 			      find->result_v6 != DNS_R_NXDOMAIN) ||
+ 			     (res->dispatches6 == NULL &&
+ 			      find->result_v4 != DNS_R_NXDOMAIN)))
++			{
+ 				*need_alternate = true;
++			}
++			if (no_addresses != NULL) {
++				(*no_addresses)++;
++			}
+ 		} else {
+ 			if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) {
+ 				if (overquota != NULL)
+@@ -3270,6 +3282,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 	dns_rdata_ns_t ns;
+ 	bool need_alternate = false;
+ 	bool all_spilled = true;
++	unsigned int no_addresses = 0;
+ 
+ 	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+ 
+@@ -3437,20 +3450,28 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 		 * Extract the name from the NS record.
+ 		 */
+ 		result = dns_rdata_tostruct(&rdata, &ns, NULL);
+-		if (result != ISC_R_SUCCESS)
++		if (result != ISC_R_SUCCESS) {
+ 			continue;
++		}
+ 
+-		findname(fctx, &ns.name, 0, stdoptions, 0, now,
+-			 &overquota, &need_alternate);
++		if (no_addresses > NS_FAIL_LIMIT &&
++		    dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT)
++		{
++			stdoptions |= DNS_ADBFIND_NOFETCH;
++		}
++		findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota,
++			 &need_alternate, &no_addresses);
+ 
+-		if (!overquota)
++		if (!overquota) {
+ 			all_spilled = false;
++		}
+ 
+ 		dns_rdata_reset(&rdata);
+ 		dns_rdata_freestruct(&ns);
+ 	}
+-	if (result != ISC_R_NOMORE)
++	if (result != ISC_R_NOMORE) {
+ 		return (result);
++	}
+ 
+ 	/*
+ 	 * Do we need to use 6 to 4?
+@@ -3465,7 +3486,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 			if (!a->isaddress) {
+ 				findname(fctx, &a->_u._n.name, a->_u._n.port,
+ 					 stdoptions, FCTX_ADDRINFO_FORWARDER,
+-					 now, NULL, NULL);
++					 now, NULL, NULL, NULL);
+ 				continue;
+ 			}
+ 			if (isc_sockaddr_pf(&a->_u.addr) != family)
+@@ -3827,16 +3827,14 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) {
+ 		}
+ 	}
+ 
+-	if (dns_name_countlabels(&fctx->domain) > 2) {
+-		result = isc_counter_increment(fctx->qc);
+-		if (result != ISC_R_SUCCESS) {
+-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+-				      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
+-				      "exceeded max queries resolving '%s'",
+-				      fctx->info);
+-			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+-			return;
+-		}
++	result = isc_counter_increment(fctx->qc);
++	if (result != ISC_R_SUCCESS) {
++		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
++			      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
++			      "exceeded max queries resolving '%s'",
++			      fctx->info);
++		fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
++		return;
+ 	}
+ 
+ 	bucketnum = fctx->bucketnum;
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
new file mode 100644
index 0000000000..d8769c45cc
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
@@ -0,0 +1,29 @@
+Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8617.patch]
+CVE: CVE-2020-8617
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
+index b597a18d49..6357a3a486 100644
+--- a/lib/dns/tsig.c
++++ b/lib/dns/tsig.c
+@@ -1427,8 +1424,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ 			goto cleanup_context;
+ 		}
+ 		msg->verified_sig = 1;
+-	} else if (tsig.error != dns_tsigerror_badsig &&
+-		   tsig.error != dns_tsigerror_badkey) {
++	} else if (!response || (tsig.error != dns_tsigerror_badsig &&
++				 tsig.error != dns_tsigerror_badkey))
++	{
+ 		tsig_log(msg->tsigkey, 2, "signature was empty");
+ 		return (DNS_R_TSIGVERIFYFAILURE);
+ 	}
+@@ -1484,7 +1482,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ 		}
+ 	}
+ 
+-	if (tsig.error != dns_rcode_noerror) {
++	if (response && tsig.error != dns_rcode_noerror) {
+ 		msg->tsigstatus = tsig.error;
+ 		if (tsig.error == dns_tsigerror_badtime)
+ 			ret = DNS_R_CLOCKSKEW;
diff --git a/meta/recipes-connectivity/bind/bind_9.11.13.bb b/meta/recipes-connectivity/bind/bind_9.11.13.bb
index 4e64171cc1..8f2d702dcb 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.13.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.13.bb
@@ -18,6 +18,8 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
            file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
            file://0001-avoid-start-failure-with-bind-user.patch \
+           file://CVE-2020-8616.patch \
+           file://CVE-2020-8617.patch \
            "
 
 SRC_URI[md5sum] = "17de0d024ab1eac377f1c2854dc25057"
-- 
2.17.1

[OE-core][dunfell 10/16] libexif: fix CVE-2020-13114

[Steve Sakoman]

From: Lee Chee Yang <chee.yang.lee@intel.com>

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libexif/libexif/CVE-2020-13114.patch      | 73 +++++++++++++++++++
 .../recipes-support/libexif/libexif_0.6.21.bb |  4 +-
 2 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/libexif/libexif/CVE-2020-13114.patch

diff --git a/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
new file mode 100644
index 0000000000..06b8b46c21
--- /dev/null
+++ b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
@@ -0,0 +1,73 @@
+From 47f51be021f4dfd800d4ff4630659887378baa3a Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Sat, 16 May 2020 19:32:30 +0200
+Subject: [PATCH] Add a failsafe on the maximum number of Canon MakerNote
+
+ subtags.
+
+A malicious file could be crafted to cause extremely large values in some
+tags without tripping any buffer range checks.  This is bad with the libexif
+representation of Canon MakerNotes because some arrays are turned into
+individual tags that the application must loop around.
+
+The largest value I've seen for failsafe_size in a (very small) sample of valid
+Canon files is <5000.  The limit is set two orders of magnitude larger to avoid
+tripping up falsely in case some models use much larger values.
+
+Patch from Google.
+
+CVE-2020-13114
+
+Upstream-Status: Backport [https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab]
+CVE: CVE-2020-13114
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ libexif/canon/exif-mnote-data-canon.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
+index eb53598..72fd7a3 100644
+--- a/libexif/canon/exif-mnote-data-canon.c
++++ b/libexif/canon/exif-mnote-data-canon.c
+@@ -32,6 +32,9 @@
+ 
+ #define DEBUG
+ 
++/* Total size limit to prevent abuse by DoS */
++#define FAILSAFE_SIZE_MAX 1000000L
++
+ static void
+ exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
+ {
+@@ -202,6 +205,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+ 	ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
+ 	ExifShort c;
+ 	size_t i, tcount, o, datao;
++	long failsafe_size = 0;
+ 
+ 	if (!n || !buf || !buf_size) {
+ 		exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+@@ -280,6 +284,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+ 			memcpy (n->entries[tcount].data, buf + dataofs, s);
+ 		}
+ 
++		/* Track the size of decoded tag data. A malicious file could
++		 * be crafted to cause extremely large values here without
++		 * tripping any buffer range checks.  This is especially bad
++		 * with the libexif representation of Canon MakerNotes because
++		 * some arrays are turned into individual tags that the
++		 * application must loop around. */
++		failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]);
++
++		if (failsafe_size > FAILSAFE_SIZE_MAX) {
++			/* Abort if the total size of the data in the tags extraordinarily large, */
++			exif_mem_free (ne->mem, n->entries[tcount].data);
++			exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
++					  "ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)",
++					  failsafe_size, FAILSAFE_SIZE_MAX);
++			break;
++		}
++
+ 		/* Tag was successfully parsed */
+ 		++tcount;
+ 	}
diff --git a/meta/recipes-support/libexif/libexif_0.6.21.bb b/meta/recipes-support/libexif/libexif_0.6.21.bb
index d847beab18..3f6fa32b25 100644
--- a/meta/recipes-support/libexif/libexif_0.6.21.bb
+++ b/meta/recipes-support/libexif/libexif_0.6.21.bb
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad"
 SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \
            file://CVE-2017-7544.patch \
            file://CVE-2016-6328.patch \
-           file://CVE-2018-20030.patch"
+           file://CVE-2018-20030.patch \
+           file://CVE-2020-13114.patch \
+"
 
 SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27"
 SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a"
-- 
2.17.1

[OE-core][dunfell 11/16] libubootenv: Remove the DEPENDS on mtd-utils

[Steve Sakoman]

From: Adrian Bunk <bunk@stusta.de>

It was only used for pulling in zlib, but this is now
a direct dependency.

Also move the DEPENDS to a more common location in the file.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a99fd8b705be3b8c70cb0f17f60b013d989d625c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-bsp/u-boot/libubootenv_0.2.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-bsp/u-boot/libubootenv_0.2.bb b/meta/recipes-bsp/u-boot/libubootenv_0.2.bb
index fa90a12bf8..ea29b668e8 100644
--- a/meta/recipes-bsp/u-boot/libubootenv_0.2.bb
+++ b/meta/recipes-bsp/u-boot/libubootenv_0.2.bb
@@ -1,5 +1,4 @@
 SUMMARY = "U-Boot libraries and tools to access environment"
-DEPENDS += "mtd-utils zlib"
 
 DESCRIPTION = "This package contains tools and libraries to read \
 and modify U-Boot environment. \
@@ -21,6 +20,7 @@ inherit cmake lib_package
 
 EXTRA_OECMAKE = "-DCMAKE_BUILD_TYPE=Release"
 
+DEPENDS = "zlib"
 PROVIDES += "u-boot-fw-utils"
 RPROVIDES_${PN}-bin += "u-boot-fw-utils"
 
-- 
2.17.1

[OE-core][dunfell 12/16] qemurunner: fix ip fallback detection

[Steve Sakoman]

From: Konrad Weihmann <kweihmann@outlook.com>

When falling back from detecting ip from /proc/./cmdline the
output of runqemu is acutally
'Network configuration: ip=192.168.7.2::192.168.7.1::255.255.255.0'
which doesn't match the given regex and leading to run failure, although
IP is detectable.
Fix regex by inserting an optional 'ip=' prefix to first IP

Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 75f2471d15fab024775c59cb70c54e3f25f9ae72)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oeqa/utils/qemurunner.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/lib/oeqa/utils/qemurunner.py b/meta/lib/oeqa/utils/qemurunner.py
index cd95d33bdc..77ae08ebeb 100644
--- a/meta/lib/oeqa/utils/qemurunner.py
+++ b/meta/lib/oeqa/utils/qemurunner.py
@@ -287,7 +287,7 @@ class QemuRunner:
                 self.logger.debug("qemu cmdline used:\n{}".format(cmdline))
             except (IndexError, ValueError):
                 # Try to get network configuration from runqemu output
-                match = re.match(r'.*Network configuration: ([0-9.]+)::([0-9.]+):([0-9.]+)$.*',
+                match = re.match(r'.*Network configuration: (?:ip=)*([0-9.]+)::([0-9.]+):([0-9.]+)$.*',
                                  out, re.MULTILINE|re.DOTALL)
                 if match:
                     self.ip, self.server_ip, self.netmask = match.groups()
-- 
2.17.1

[OE-core][dunfell 13/16] make-mod-scripts: Fix a rare build race condition

[Steve Sakoman]

From: Khem Raj <raj.khem@gmail.com>

There is a build break which rarely happens but is seen often enough
with 4.1 kernel based builds

/bin/sh: 1: scripts/basic/fixdep: Permission denied
scripts/Makefile.host:124: recipe for target 'scripts/dtc/srcpos.o' failed
make[3]: *** [scripts/dtc/srcpos.o] Error 126

this patch sequences the build targets so it can work reliably with
different kernel versions

Divide the target into scripts_basic scripts is not
strictly necessary and was simply what was used for
testing on kernel 4.1, which is quite an old kernel

perhaps just using scripts is sufficient, but it is not tested to not
known will cause the build race as seen above.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 55ac6e2d251287419138931aa0d0894cf1267787)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../make-mod-scripts/make-mod-scripts_1.0.bb               | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb b/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
index 0be1422a24..c7edb20ee4 100644
--- a/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
+++ b/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
@@ -23,7 +23,8 @@ EXTRA_OEMAKE = " HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" HOSTCPP="
 #
 do_configure() {
 	unset CFLAGS CPPFLAGS CXXFLAGS LDFLAGS
-	oe_runmake CC="${KERNEL_CC}" LD="${KERNEL_LD}" AR="${KERNEL_AR}" \
-	           -C ${STAGING_KERNEL_DIR} O=${STAGING_KERNEL_BUILDDIR} scripts prepare
-
+	for t in prepare scripts_basic scripts; do
+		oe_runmake CC="${KERNEL_CC}" LD="${KERNEL_LD}" AR="${KERNEL_AR}" \
+		-C ${STAGING_KERNEL_DIR} O=${STAGING_KERNEL_BUILDDIR} $t
+	done
 }
-- 
2.17.1

[OE-core][dunfell 14/16] bitbake.conf: Remove unused DEPLOY_DIR_TOOLS variable

[Steve Sakoman]

From: "Robert P. J. Day" <rpjday@crashcourse.ca>

Variable DEPLOY_DIR_TOOLS was introduced in 2007:

  commit f751a20152c651a33f08ceda0502fa1d4f11c005
  Author: Richard Purdie <richard@openedhand.com>
  Date:   Wed Aug 8 21:02:39 2007 +0000

      bitbake.conf: Sync with OE.dev

apparently never used so get rid of it.

Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b1f15f651461d07a8cfbd3bdcfea0e89f195212d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/conf/bitbake.conf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index bdade79abe..4acf235930 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -410,7 +410,6 @@ DEPLOY_DIR_IPK = "${DEPLOY_DIR}/ipk"
 DEPLOY_DIR_RPM = "${DEPLOY_DIR}/rpm"
 DEPLOY_DIR_DEB = "${DEPLOY_DIR}/deb"
 DEPLOY_DIR_IMAGE ?= "${DEPLOY_DIR}/images/${MACHINE}"
-DEPLOY_DIR_TOOLS = "${DEPLOY_DIR}/tools"
 
 PKGDATA_DIR = "${TMPDIR}/pkgdata/${MACHINE}"
 
-- 
2.17.1

[OE-core][dunfell 15/16] sstate.bbclass: When siginfo or sig files are missing, stop fetcher errors

[Steve Sakoman]

From: Mark Hatle <mark.hatle@xilinx.com>

Prior to fetching, the system checks if the sstate file is present
either locally or on the mirror.  If it is, then it goes to the fetch
stage.  Up to three files can be fetched, sstate, sstate.siginfo and
sstate.sig (if signature validation is enabled).

The previous pstaging_fetch function would iterate over these, and if
a download error occurred would spew forth a great amount of fetcher
failure messages as well as stop fetching the next item in the set.

This was resolved by adding a fetcher.checkstatus() call prior to
the download.  If the file isn't present, then the exception will
be triggered, and no fetcher failure messages will reach the user.

The exception handler is then modified to be a pass so that it will
loop and pull the rest of the files that that are requested.

Additionally, a check for the existance of the .sig file was added
to the sstate_installpkg to avoid an error trying to load the .sig
if it wasn't downloaded.

Signed-off-by: Mark Hatle <mark.hatle@xilinx.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a9085140434e2d26c0bb75bb53fcb7f7c19ef86d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/sstate.bbclass | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index aa9c30b4e1..375196ef21 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -355,6 +355,9 @@ def sstate_installpkg(ss, d):
     d.setVar('SSTATE_INSTDIR', sstateinst)
 
     if bb.utils.to_boolean(d.getVar("SSTATE_VERIFY_SIG"), False):
+        if not os.path.isfile(sstatepkg + '.sig'):
+            bb.warn("No signature file for sstate package %s, skipping acceleration..." % sstatepkg)
+            return False
         signer = get_signer(d, 'local')
         if not signer.verify(sstatepkg + '.sig'):
             bb.warn("Cannot verify signature on sstate package %s, skipping acceleration..." % sstatepkg)
@@ -733,10 +736,11 @@ def pstaging_fetch(sstatefetch, d):
         localdata.setVar('SRC_URI', srcuri)
         try:
             fetcher = bb.fetch2.Fetch([srcuri], localdata, cache=False)
+            fetcher.checkstatus()
             fetcher.download()
 
         except bb.fetch2.BBFetchException:
-            break
+            pass
 
 def sstate_setscene(d):
     shared_state = sstate_state_fromvars(d)
-- 
2.17.1

[OE-core][dunfell 16/16] qemuarm: check serial consoles vs /proc/consoles

[Steve Sakoman]

From: Trevor Gamblin <trevor.gamblin@windriver.com>

Note that this patch affects qemuarm AND qemuarm64.

When booting a VM and during operation, the following message
periodically appears:

INIT: Id "hvc0" respawning too fast: disabled for 5 minutes

This is because hvc0 is specified in SERIAL_CONSOLES in qemuarm.conf
and qemuarm64.conf, but it is not in /proc/consoles and
SERIAL_CONSOLES_CHECK is not specified, leaving getty to attempt to
enable hvc0. Add SERIAL_CONSOLES_CHECK to both conf files so that
hvc0 isn't enabled if it hasn't been set there or in local.conf.

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 982b7f98b8423236cc986346379b1bde3694f131)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/conf/machine/qemuarm.conf   | 1 +
 meta/conf/machine/qemuarm64.conf | 1 +
 2 files changed, 2 insertions(+)

diff --git a/meta/conf/machine/qemuarm.conf b/meta/conf/machine/qemuarm.conf
index 367fcef019..4e605d3a92 100644
--- a/meta/conf/machine/qemuarm.conf
+++ b/meta/conf/machine/qemuarm.conf
@@ -8,6 +8,7 @@ require conf/machine/include/qemu.inc
 KERNEL_IMAGETYPE = "zImage"
 
 SERIAL_CONSOLES ?= "115200;ttyAMA0 115200;hvc0"
+SERIAL_CONSOLES_CHECK = "${SERIAL_CONSOLES}"
 
 # For runqemu
 QB_SYSTEM_NAME = "qemu-system-arm"
diff --git a/meta/conf/machine/qemuarm64.conf b/meta/conf/machine/qemuarm64.conf
index 1e2d4f018d..2cf1a0206c 100644
--- a/meta/conf/machine/qemuarm64.conf
+++ b/meta/conf/machine/qemuarm64.conf
@@ -8,6 +8,7 @@ require conf/machine/include/qemu.inc
 KERNEL_IMAGETYPE = "Image"
 
 SERIAL_CONSOLES ?= "115200;ttyAMA0 115200;hvc0"
+SERIAL_CONSOLES_CHECK = "${SERIAL_CONSOLES}"
 
 # For runqemu
 QB_SYSTEM_NAME = "qemu-system-aarch64"
-- 
2.17.1

Re: [OE-core][dunfell 14/16] bitbake.conf: Remove unused DEPLOY_DIR_TOOLS variable

[Richard Purdie]

On Mon, 2020-06-01 at 04:11 -1000, Steve Sakoman wrote:
> From: "Robert P. J. Day" <rpjday@crashcourse.ca>
> 
> Variable DEPLOY_DIR_TOOLS was introduced in 2007:
> 
>   commit f751a20152c651a33f08ceda0502fa1d4f11c005
>   Author: Richard Purdie <richard@openedhand.com>
>   Date:   Wed Aug 8 21:02:39 2007 +0000
> 
>       bitbake.conf: Sync with OE.dev
> 
> apparently never used so get rid of it.
> 
> Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> (cherry picked from commit b1f15f651461d07a8cfbd3bdcfea0e89f195212d)
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>  meta/conf/bitbake.conf | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
> index bdade79abe..4acf235930 100644
> --- a/meta/conf/bitbake.conf
> +++ b/meta/conf/bitbake.conf
> @@ -410,7 +410,6 @@ DEPLOY_DIR_IPK = "${DEPLOY_DIR}/ipk"
>  DEPLOY_DIR_RPM = "${DEPLOY_DIR}/rpm"
>  DEPLOY_DIR_DEB = "${DEPLOY_DIR}/deb"
>  DEPLOY_DIR_IMAGE ?= "${DEPLOY_DIR}/images/${MACHINE}"
> -DEPLOY_DIR_TOOLS = "${DEPLOY_DIR}/tools"
>  
>  PKGDATA_DIR = "${TMPDIR}/pkgdata/${MACHINE}"

This does cause breakage in meta-oe (single recipe) so probably not
stable material.

Cheers,

Richard

Re: [OE-core][dunfell 14/16] bitbake.conf: Remove unused DEPLOY_DIR_TOOLS variable

[Steve Sakoman]

On Mon, Jun 1, 2020 at 6:38 AM Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
>
> On Mon, 2020-06-01 at 04:11 -1000, Steve Sakoman wrote:
> > From: "Robert P. J. Day" <rpjday@crashcourse.ca>
> >
> > Variable DEPLOY_DIR_TOOLS was introduced in 2007:
> >
> >   commit f751a20152c651a33f08ceda0502fa1d4f11c005
> >   Author: Richard Purdie <richard@openedhand.com>
> >   Date:   Wed Aug 8 21:02:39 2007 +0000
> >
> >       bitbake.conf: Sync with OE.dev
> >
> > apparently never used so get rid of it.
> >
> > Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > (cherry picked from commit b1f15f651461d07a8cfbd3bdcfea0e89f195212d)
> > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > ---
> >  meta/conf/bitbake.conf | 1 -
> >  1 file changed, 1 deletion(-)
> >
> > diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
> > index bdade79abe..4acf235930 100644
> > --- a/meta/conf/bitbake.conf
> > +++ b/meta/conf/bitbake.conf
> > @@ -410,7 +410,6 @@ DEPLOY_DIR_IPK = "${DEPLOY_DIR}/ipk"
> >  DEPLOY_DIR_RPM = "${DEPLOY_DIR}/rpm"
> >  DEPLOY_DIR_DEB = "${DEPLOY_DIR}/deb"
> >  DEPLOY_DIR_IMAGE ?= "${DEPLOY_DIR}/images/${MACHINE}"
> > -DEPLOY_DIR_TOOLS = "${DEPLOY_DIR}/tools"
> >
> >  PKGDATA_DIR = "${TMPDIR}/pkgdata/${MACHINE}"
>
> This does cause breakage in meta-oe (single recipe) so probably not
> stable material.

OK, I'll remove this patch from the pull request.

Thanks!

Steve

Re: [OE-core][dunfell 11/16] libubootenv: Remove the DEPENDS on mtd-utils

[Adrian Bunk]

On Mon, Jun 01, 2020 at 04:11:19AM -1000, Steve Sakoman wrote:
>...
> It was only used for pulling in zlib, but this is now
> a direct dependency.
>...

This should be harmless, but no reason to backport this cleanup.

cu
Adrian

[OE-core][dunfell 00/16] Patch review

[Steve Sakoman]

Please review this next set of patches for dunfell and have changes back
by end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1514

The following changes since commit 89e6fc44a378cb3489376d7193672cdf94c504b6:

  qemu: change TLBs number to 64 in 34Kf mips cpu model (2020-10-21 04:42:42 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Jose Quaresma (12):
  gstreamer1.0: Fix reproducibility issue around libcap
  gstreamer1.0: Update 1.16.2 -> Update 1.16.3
  gstreamer1.0-plugins-base: Update 1.16.2 -> Update 1.16.3
  gstreamer1.0-plugins-good: Update 1.16.2 -> Update 1.16.3
  gstreamer1.0-plugins-bad: Update 1.16.2 -> Update 1.16.3
  gstreamer1.0-plugins-ugly: Update 1.16.2 -> Update 1.16.3
  gstreamer1.0-libav: Update 1.16.2 -> Update 1.16.3
  gstreamer1.0-vaapi: Update 1.16.2 -> Update 1.16.3
  gstreamer1.0-rtsp-server: Update 1.16.2 -> Update 1.16.3
  gstreamer1.0-omx: Update 1.16.2 -> Update 1.16.3
  gstreamer1.0-python: Update 1.16.2 -> Update 1.16.3
  gst-validate: Update 1.16.2 -> Update 1.16.3

Lee Chee Yang (1):
  ffmpeg: fix CVE-2020-12284

Richard Purdie (1):
  oeqa: Add sync call to command execution

Ross Burton (2):
  gcc: mitigate the Straight-line Speculation attack
  glib-2.0: fix parsing of slim encoded tzdata

 meta/lib/oeqa/selftest/cases/runcmd.py        |  16 +-
 meta/lib/oeqa/utils/commands.py               |   8 +-
 .../glib-2.0/glib-2.0/tzdata-update.patch     | 458 ++++++++++++
 meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb |   1 +
 meta/recipes-devtools/gcc/gcc-9.3.inc         |   3 +
 ...ight-Line-Speculation-SLS-mitigation.patch | 204 ++++++
 ...e-SLS-mitigation-for-RET-and-BR-inst.patch | 600 ++++++++++++++++
 ...h64-Mitigate-SLS-for-BLR-instruction.patch | 659 ++++++++++++++++++
 .../ffmpeg/ffmpeg/CVE-2020-12284.patch        |  36 +
 .../recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb |   1 +
 ...idate_1.16.2.bb => gst-validate_1.16.3.bb} |   4 +-
 ...1.16.2.bb => gstreamer1.0-libav_1.16.3.bb} |   4 +-
 ...x_1.16.2.bb => gstreamer1.0-omx_1.16.3.bb} |   4 +-
 ....bb => gstreamer1.0-plugins-bad_1.16.3.bb} |   4 +-
 ...bb => gstreamer1.0-plugins-base_1.16.3.bb} |   4 +-
 ...bb => gstreamer1.0-plugins-good_1.16.3.bb} |   4 +-
 ...bb => gstreamer1.0-plugins-ugly_1.16.3.bb} |   4 +-
 ...son.build-fix-builds-with-python-3.8.patch |  24 -
 ....16.2.bb => gstreamer1.0-python_1.16.3.bb} |   8 +-
 ....bb => gstreamer1.0-rtsp-server_1.16.3.bb} |   4 +-
 ...1.16.2.bb => gstreamer1.0-vaapi_1.16.3.bb} |   4 +-
 .../gstreamer/gstreamer1.0/capfix.patch       |  37 -
 ...er1.0_1.16.2.bb => gstreamer1.0_1.16.3.bb} |   9 +-
 23 files changed, 2002 insertions(+), 98 deletions(-)
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/tzdata-update.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc-9.3/0001-aarch64-New-Straight-Line-Speculation-SLS-mitigation.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc-9.3/0002-aarch64-Introduce-SLS-mitigation-for-RET-and-BR-inst.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc-9.3/0003-aarch64-Mitigate-SLS-for-BLR-instruction.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-12284.patch
 rename meta/recipes-multimedia/gstreamer/{gst-validate_1.16.2.bb => gst-validate_1.16.3.bb} (87%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-libav_1.16.2.bb => gstreamer1.0-libav_1.16.3.bb} (90%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-omx_1.16.2.bb => gstreamer1.0-omx_1.16.3.bb} (92%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-bad_1.16.2.bb => gstreamer1.0-plugins-bad_1.16.3.bb} (98%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-base_1.16.2.bb => gstreamer1.0-plugins-base_1.16.3.bb} (96%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-good_1.16.2.bb => gstreamer1.0-plugins-good_1.16.3.bb} (96%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-ugly_1.16.2.bb => gstreamer1.0-plugins-ugly_1.16.3.bb} (90%)
 delete mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-python/0001-meson.build-fix-builds-with-python-3.8.patch
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-python_1.16.2.bb => gstreamer1.0-python_1.16.3.bb} (80%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-rtsp-server_1.16.2.bb => gstreamer1.0-rtsp-server_1.16.3.bb} (86%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-vaapi_1.16.2.bb => gstreamer1.0-vaapi_1.16.3.bb} (93%)
 delete mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0/capfix.patch
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0_1.16.2.bb => gstreamer1.0_1.16.3.bb} (90%)

-- 
2.17.1

[OE-core][dunfell 00/16] Patch review

[Steve Sakoman]

Please review this next set of patches for dunfell and have comments back by
end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1638

The following changes since commit b885888df67eb5cdb3b82f4f0a07369a449e223b:

  build-appliance-image: Update to dunfell head revision (2020-11-25 23:25:31 +0000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Anuj Mittal (1):
  distutils-common-base: fix LINKSHARED expansion

Bruce Ashfield (2):
  kernel: provide module.lds for out of tree builds in v5.10+
  kernel: relocate copy of module.lds to module compilation task

Fedor Ross (2):
  sysvinit: remove bashism to be compatible with dash
  eudev: remove bashism to be compatible with dash

Loic Domaigne (1):
  roofs_*.bbclass: fix missing vardeps for do_rootfs

Max Krummenacher (1):
  linux-firmware: rdepend on license for all nvidia packages

Richard Purdie (2):
  fs-perms: Ensure /usr/src/debug/ file modes are correct
  e2fsprogs: Fix a ptest permissions determinism issue

Ross Burton (4):
  cve-check: show real PN/PV
  python3: add CVE-2007-4559 to whitelist
  gstreamer1.0-rtsp-server: set CVE_PRODUCT
  gstreamer1.0-plugins-base: set CVE_PRODUCT

Steve Sakoman (1):
  sqlite3: add CVE-2015-3717 to whitelist

Vyacheslav Yurkov (1):
  license_image.bbclass: use canonical name for license files

Wonmin Jung (1):
  kernel: Set proper LD in KERNEL_KCONFIG_COMMAND

 meta/classes/cve-check.bbclass                           | 9 ++++++---
 meta/classes/distutils-common-base.bbclass               | 2 +-
 meta/classes/kernel.bbclass                              | 6 +++++-
 meta/classes/license_image.bbclass                       | 3 ++-
 meta/classes/package.bbclass                             | 2 +-
 meta/classes/rootfs_deb.bbclass                          | 2 +-
 meta/classes/rootfs_ipk.bbclass                          | 2 +-
 meta/classes/rootfs_rpm.bbclass                          | 2 +-
 meta/conf/abi_version.conf                               | 2 +-
 meta/files/fs-perms-persistent-log.txt                   | 2 +-
 meta/files/fs-perms.txt                                  | 2 +-
 meta/recipes-core/sysvinit/sysvinit/rc                   | 2 +-
 meta/recipes-core/udev/eudev/init                        | 2 +-
 meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb      | 2 ++
 meta/recipes-devtools/python/python3_3.8.2.bb            | 2 ++
 .../linux-firmware/linux-firmware_20201022.bb            | 1 +
 meta/recipes-kernel/linux/kernel-devsrc.bb               | 6 ++++++
 .../gstreamer/gstreamer1.0-plugins-base_1.16.3.bb        | 2 ++
 .../gstreamer/gstreamer1.0-rtsp-server_1.16.3.bb         | 2 ++
 meta/recipes-support/sqlite/sqlite3_3.31.1.bb            | 2 ++
 20 files changed, 40 insertions(+), 15 deletions(-)

-- 
2.17.1

[OE-core][dunfell 00/16] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by
end of day Friday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4828

with the exception of a known autobuilder intermittent issue on qemuppc:

https://bugzilla.yoctoproject.org/show_bug.cgi?id=14824

which passed on subsequent re-test:

https://autobuilder.yoctoproject.org/typhoon/#/builders/63/builds/6517

The following changes since commit db81e3c7e7f1d4d9eba52ac35ac97627d0240b63:

  build-appliance-image: Update to dunfell head revision (2023-01-13 18:11:40 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (2):
  linux-firmware: upgrade 20221109 -> 20221214
  selftest/virgl: use pkg-config from the host

Benoît Mauduit (1):
  lib/oe/reproducible: Use git log without gpg signature

Bhabu Bindu (1):
  ffmpeg: Fix CVE-2022-3109

Hitendra Prajapati (2):
  QEMU: CVE-2022-4144 QXL: qxl_phys2virt unsafe address translation can
    lead to out-of-bounds read
  xserver-xorg: Fix Multiple CVEs

Jan Kircher (1):
  toolchain-scripts: compatibility with unbound variable protection

Jermain Horsman (1):
  cve-check: write the cve manifest to IMGDEPLOYDIR

Marta Rybczynska (1):
  cve-update-db-native: avoid incomplete updates

Niko Mauno (1):
  systemd: Consider PACKAGECONFIG in RRECOMMENDS

Quentin Schulz (1):
  cairo: fix CVE patches assigned wrong CVE number

Randy MacLeod (1):
  vim: upgrade 9.0.0947 -> 9.0.1211

Ross Burton (2):
  cve-update-db-native: add more logging when fetching
  cve-update-db-native: show IP on failure

Steve Sakoman (1):
  python3: fix packaging of Windows distutils installer stubs

jan (1):
  cve-update-db-native: Allow to overrule the URL in a bbappend.

 meta/classes/cve-check.bbclass                |   6 +-
 meta/classes/toolchain-scripts.bbclass        |   2 +-
 meta/lib/oe/reproducible.py                   |   3 +-
 meta/lib/oeqa/selftest/cases/runtime_test.py  |   2 +-
 .../recipes-core/meta/cve-update-db-native.bb |  97 ++++++++++++-----
 meta/recipes-core/systemd/systemd_244.5.bb    |   4 +-
 .../python/python3/python3-manifest.json      |   4 +-
 meta/recipes-devtools/qemu/qemu.inc           |   1 +
 .../qemu/qemu/CVE-2022-4144.patch             | 103 ++++++++++++++++++
 .../cairo/cairo/CVE-2019-6461.patch           |  46 +++-----
 .../cairo/cairo/CVE-2019-6462.patch           |  46 +++++---
 .../xserver-xorg/CVE-2022-4283.patch          |  39 +++++++
 .../xserver-xorg/CVE-2022-46340.patch         |  55 ++++++++++
 .../xserver-xorg/CVE-2022-46341.patch         |  86 +++++++++++++++
 .../xserver-xorg/CVE-2022-46342.patch         |  78 +++++++++++++
 .../xserver-xorg/CVE-2022-46343.patch         |  51 +++++++++
 .../xserver-xorg/CVE-2022-46344.patch         |  75 +++++++++++++
 .../xorg-xserver/xserver-xorg_1.20.14.bb      |   8 +-
 ...20221109.bb => linux-firmware_20221214.bb} |   4 +-
 .../ffmpeg/ffmpeg/CVE-2022-3109.patch         |  41 +++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb |   1 +
 meta/recipes-support/vim/vim.inc              |   4 +-
 22 files changed, 670 insertions(+), 86 deletions(-)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20221109.bb => linux-firmware_20221214.bb} (99%)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3109.patch

-- 
2.25.1

[OE-core][dunfell 00/16] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by
end of day Wednesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4950

The following changes since commit daaee6fcb0d201f041678af433d8e1cd6f924d09:

  build-appliance-image: Update to dunfell head revision (2023-02-13 07:48:21 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (1):
  oeqa/qemurunner: do not use Popen.poll() when terminating runqemu with
    a signal

Antonin Godard (2):
  busybox: always start do_compile with orig config files
  busybox: rm temporary files if do_compile was interrupted

Hitendra Prajapati (1):
  git: CVE-2022-23521 gitattributes parsing integer overflow

Martin Jansa (1):
  meta: remove True option to getVar and getVarFlag calls (again)

Mikko Rapeli (1):
  oeqa context.py: fix --target-ip comment to include ssh port number

Omkar Patil (1):
  sudo: Fix CVE-2023-22809

Pawel Zalewski (1):
  classes/fs-uuid: Fix command output decoding issue

Richard Purdie (3):
  nativesdk: Handle chown/chgrp calls in nativesdk do_install tasks
  make-mod-scripts: Ensure kernel build output is deterministic
  libc-locale: Fix on target locale generation

Ross Burton (3):
  quilt: fix intermittent failure in faildiff.test
  quilt: use upstreamed faildiff.test fix
  git: ignore CVE-2022-41953

Steve Sakoman (1):
  qemu: Fix slirp determinism issue

Vivek Kumbhar (1):
  qemu: fix CVE-2021-3929 nvme DMA reentrancy issue leads to
    use-after-free

 meta/classes/fs-uuid.bbclass                  |   2 +-
 meta/classes/image.bbclass                    |   2 +-
 meta/classes/libc-package.bbclass             |   1 +
 meta/classes/license_image.bbclass            |   2 +-
 meta/classes/nativesdk.bbclass                |   2 +
 meta/lib/oeqa/runtime/context.py              |   4 +-
 meta/lib/oeqa/utils/qemurunner.py             |  11 +-
 meta/recipes-core/busybox/busybox.inc         |  27 +-
 .../git/files/CVE-2022-23521.patch            | 367 ++++++++++++++++++
 meta/recipes-devtools/git/git.inc             |   4 +-
 meta/recipes-devtools/go/go_1.14.bb           |   4 +-
 .../qemu/qemu-system-native_4.2.0.bb          |   2 +-
 meta/recipes-devtools/qemu/qemu.inc           |   3 +
 .../qemu/qemu/CVE-2021-3929.patch             |  78 ++++
 meta/recipes-devtools/qemu/qemu_4.2.0.bb      |   4 +-
 meta/recipes-devtools/quilt/quilt.inc         |   1 +
 .../quilt/quilt/faildiff-order.patch          |  41 ++
 .../sudo/files/CVE-2023-22809.patch           | 113 ++++++
 meta/recipes-extended/sudo/sudo_1.8.32.bb     |   1 +
 .../make-mod-scripts/make-mod-scripts_1.0.bb  |   2 +-
 scripts/lib/devtool/menuconfig.py             |   2 +-
 scripts/nativesdk-intercept/chgrp             |  27 ++
 scripts/nativesdk-intercept/chown             |  27 ++
 23 files changed, 702 insertions(+), 25 deletions(-)
 create mode 100644 meta/recipes-devtools/git/files/CVE-2022-23521.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch
 create mode 100644 meta/recipes-devtools/quilt/quilt/faildiff-order.patch
 create mode 100644 meta/recipes-extended/sudo/files/CVE-2023-22809.patch
 create mode 100755 scripts/nativesdk-intercept/chgrp
 create mode 100755 scripts/nativesdk-intercept/chown

-- 
2.34.1