[OE-core][dunfell 00/18] Patch review

[OE-core][dunfell 00/18] Patch review

[Steve Sakoman]

Please review this next set of patches for dunfell and have comments back
by end of day Wednesday.

The following changes since commit ea886d57db917a41a0d106a15e1e96c72d6407b0:

  kernel-yocto: account for extracted defconfig in elements check (2020-07-23 04:07:37 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Ahmad Fatoum (1):
  core: glib-2.0: fix requested libmount/mkostemp/selinux not being
    linked in

Armin Kuster (1):
  glibc: Secruity fix for CVE-2020-6096

Bruce Ashfield (2):
  linux-yocto/5.4: update to v5.4.51
  linux-yocto-rt/5.4: fix mmdrop stress test issues

Changqing Li (1):
  gtk-immodules-cache.bbclass: fix post install scriptlet error

Chen Qi (1):
  rpm: fix nativesdk's default var location

Daniel Ammann (1):
  image.bbclass: improve wording when image size exceeds the specified
    limit

Joshua Watt (2):
  classes/cmake: Fix host detection
  classes/package: Use HOST_OS for runtime dependencies

Kevin Hao (3):
  wic/filemap: Drop the unused block_is_unmapped()
  wic/filemap: Drop the unused get_unmapped_ranges()
  wic/filemap: Fall back to standard copy when no way to get the block
    map

Kurt Kiefer (1):
  linux-firmware: add ibt-20 package

Lee Chee Yang (1):
  buildhistory: use pid for temporary txt file name

Richard Purdie (1):
  oeqa/qemurunner: Add priority/nice information for running processes

Robert Yang (1):
  openssl: openssl-bin requires openssl-conf to run

Ross Burton (1):
  startup-notification: add time_t type mismatch patch from upstream

Sakib Sajal (1):
  busybox: make hwclock compatible with glibc 2.31

 meta/classes/buildhistory.bbclass             |  11 +-
 meta/classes/cmake.bbclass                    |  19 +-
 meta/classes/gtk-immodules-cache.bbclass      |   1 +
 meta/classes/image.bbclass                    |   4 +-
 meta/classes/package.bbclass                  |  10 +-
 meta/lib/oeqa/utils/qemurunner.py             |   2 +-
 meta/lib/oeqa/utils/qemutinyrunner.py         |   2 +-
 .../openssl/openssl_1.1.1g.bb                 |   2 +
 ...1-hwclock-make-glibc-2.31-compatible.patch |  83 ++++++++
 meta/recipes-core/busybox/busybox_1.31.1.bb   |   1 +
 ...ot-hardcode-linux-as-the-host-system.patch |  49 +++++
 meta/recipes-core/glib-2.0/glib-2.0_2.62.4.bb |   1 +
 .../glibc/glibc/CVE-2020-6096.patch           | 112 ++++++++++
 .../glibc/glibc/CVE-2020-6096_2.patch         | 194 ++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.31.bb         |   2 +
 meta/recipes-devtools/rpm/rpm_4.14.2.1.bb     |   2 +-
 .../startup-notification-0.12/time_t.patch    | 108 ++++++++++
 .../startup-notification_0.12.bb              |   1 +
 .../linux-firmware/linux-firmware_20200619.bb |   4 +
 .../linux/linux-yocto-rt_5.4.bb               |   6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  |  22 +-
 scripts/lib/wic/filemap.py                    |  75 +++----
 23 files changed, 630 insertions(+), 89 deletions(-)
 create mode 100644 meta/recipes-core/busybox/busybox/0001-hwclock-make-glibc-2.31-compatible.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/0020-meson.build-do-not-hardcode-linux-as-the-host-system.patch
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2020-6096.patch
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2020-6096_2.patch
 create mode 100644 meta/recipes-graphics/startup-notification/startup-notification-0.12/time_t.patch

-- 
2.17.1

[OE-core][dunfell 00/18] Patch review

[Steve Sakoman]

Please review this next set of changes for dunfell and have comments back
by end of day Wednesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1350

NOTE: json-c: Fix CVE-2020-12762 has a line longer than 988 characters and thus
breaks send-pull-request.  I've truncated that line and tagged it with a <snip>

The full patch is of course  available in the git repo linked below.

The following changes since commit 0d4d0df6084cce3c3d9051db88f3199a030d3352:

  linux-firmware: update 20200721 -> 20200817 (2020-09-01 05:45:54 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Anibal Limon (1):
  recipes-kernel: linux-firmware add qcom-venus-{5.2,5.4} packages

Bruce Ashfield (1):
  kernel-yocto: checksum all modifications to available kernel fragments
    directories

Joshua Watt (1):
  oeqa: sdk: Capture stderr output

Khem Raj (3):
  json-c: Fix CVE-2020-12762
  util-linux: Allow update alternatives for additional apps
  json-glib: Backport a build fix with clang

Martin Jansa (1):
  devtool: expand SRC_URI when guessing recipe update mode

Michael Tretter (1):
  devtool: deploy-target: Fix size calculation for hard links

Nicolas Dechesne (1):
  linux-libc-headers: kernel headers are installed in
    STAGING_KERNEL_BUILDDIR

Rasmus Villemoes (1):
  cml1: Move find_cfgs() helper to cml1.bbclass

Richard Purdie (1):
  selftest/prservice: Improve test failure message

Ross Burton (2):
  package.bbclass: explode the RPROVIDES so we don't think the versions
    are provides
  insane: improve gnu-hash-style warning

Steve Sakoman (1):
  sanity.conf: update BB_MIN_VERSION to 1.46.0

Sumit Garg (1):
  insane: fix gnu-hash-style check

Vijai Kumar K (1):
  wic: misc: Add /bin to the list of searchpaths

Yann Dirson (1):
  package: get_package_mapping: avoid dependency mapping if renamed
    package provides original name

hongxu (1):
  sysstat: fix installed-vs-shipped QA Issue in systemd

 meta/classes/cml1.bbclass                     |  10 +
 meta/classes/insane.bbclass                   |   5 +-
 meta/classes/kernel-yocto.bbclass             |  16 ++
 meta/classes/package.bbclass                  |  18 +-
 meta/conf/sanity.conf                         |   2 +-
 meta/lib/oeqa/sdk/case.py                     |   2 +-
 meta/lib/oeqa/sdk/cases/assimp.py             |   2 +-
 meta/lib/oeqa/sdk/cases/buildcpio.py          |   2 +-
 meta/lib/oeqa/sdk/cases/buildepoxy.py         |   2 +-
 meta/lib/oeqa/sdk/cases/buildgalculator.py    |   2 +-
 meta/lib/oeqa/sdk/cases/buildlzip.py          |   2 +-
 meta/lib/oeqa/selftest/cases/prservice.py     |   4 +-
 meta/recipes-bsp/u-boot/u-boot.inc            |  10 -
 meta/recipes-core/busybox/busybox.inc         |  10 -
 meta/recipes-core/util-linux/util-linux.inc   |   3 +
 .../json-c/json-c/CVE-2020-12762.patch        | 231 ++++++++++++++++++
 meta/recipes-devtools/json-c/json-c_0.13.1.bb |   1 +
 meta/recipes-extended/sysstat/sysstat.inc     |   2 +-
 ...o-instead-of-cast-to-convert-pointer.patch |  33 +++
 .../json-glib/json-glib_1.4.4.bb              |   4 +-
 .../linux-firmware/linux-firmware_20200817.bb |   6 +-
 .../linux-libc-headers/linux-libc-headers.inc |   2 +-
 scripts/lib/devtool/deploy.py                 |   8 +-
 scripts/lib/devtool/standard.py               |   2 +-
 scripts/lib/wic/misc.py                       |   5 +-
 25 files changed, 341 insertions(+), 43 deletions(-)
 create mode 100644 meta/recipes-devtools/json-c/json-c/CVE-2020-12762.patch
 create mode 100644 meta/recipes-gnome/json-glib/json-glib/0001-scanner-use-macro-instead-of-cast-to-convert-pointer.patch

-- 
2.17.1

[OE-core][dunfell 00/18] Patch review

[Steve Sakoman]

Please review this next set of patches for dunfell and have comments back by
end of day on Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1588

The following changes since commit 4f395ad49ef9035954d0fda7b7df14dea18b49a0:

  grub: clean up CVE patches (2020-11-08 16:51:24 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alex Kiernan (1):
  openssh: Upgrade 8.2p1 -> 8.3p1

Alexander Kanavin (2):
  clutter-gst-3.0: do not call out to host gstreamer plugin scanner
  openssh: upgrade 8.3p1 -> 8.4p1 to fix CVE-2020-14145 and
    CVE-2020-15778

Denys Zagorui (1):
  binutils: reproducibility: reuse debug-prefix-map for stabs

Diego Santa Cruz (1):
  freetype: fix CVE-2020-15999, backport from 2.10.4

Gratian Crisan (1):
  kernel-module-split.bbclass: identify kernel modconf files as
    configuration files

Jose Quaresma (1):
  gstreamer1.0: warn the user when something is wrong with GstBufferPool

Konrad Weihmann (3):
  oeqa/core/context: expose results as variable
  oeqa/core/context: initialize _run_end_time
  testimage: print results for interrupted runs

Nathan Rossi (1):
  diffstat: add nativesdk to BBCLASSEXTEND

Ricardo Salveti (1):
  dosfstools: add mkfs.vfat to ALTERNATIVE

Richard Purdie (3):
  ptest-runner: Fix license as it contains 'or later' clause
  libdnf: Fix license as it contains 'or later' clause
  alsa-utils: Fix license to GPLv2 only

Ross Burton (1):
  syslinux: add link to upstream discussion in patch

Steve Sakoman (1):
  openssh: whitelist CVE-2014-9278

akash hadke (1):
  systemd: udev SECLABEL{selinux} crash fix

 meta/classes/kernel-module-split.bbclass      |  1 +
 meta/classes/testimage.bbclass                | 19 ++++---
 meta/lib/oeqa/core/context.py                 |  4 ++
 .../{openssh_8.2p1.bb => openssh_8.4p1.bb}    |  7 ++-
 ...temd-udev-seclabel-options-crash-fix.patch | 30 +++++++++++
 meta/recipes-core/systemd/systemd_244.3.bb    |  1 +
 .../binutils/binutils-2.34.inc                |  1 +
 ...oducibility-for-stabs-debugging-data.patch | 32 ++++++++++++
 .../diffstat/diffstat_1.63.bb                 |  2 +
 .../dosfstools/dosfstools_4.1.bb              |  6 ++-
 meta/recipes-devtools/libdnf/libdnf_0.28.1.bb |  2 +-
 ...nux-syslinux-support-ext2-3-4-device.patch |  2 +-
 .../clutter/clutter-gst-3.0.inc               |  2 +
 ...-sfnt-Fix-heap-buffer-overflow-59308.patch | 51 +++++++++++++++++++
 .../freetype/freetype_2.10.1.bb               |  1 +
 .../alsa/alsa-utils_1.2.1.bb                  |  3 +-
 ...size-in-reset-when-maxsize-is-larger.patch | 49 ++++++++++++++++++
 .../gstreamer/gstreamer1.0_1.16.3.bb          |  1 +
 .../ptest-runner/ptest-runner_2.3.2.bb        |  2 +-
 19 files changed, 201 insertions(+), 15 deletions(-)
 rename meta/recipes-connectivity/openssh/{openssh_8.2p1.bb => openssh_8.4p1.bb} (95%)
 create mode 100644 meta/recipes-core/systemd/systemd/systemd-udev-seclabel-options-crash-fix.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0001-gas-improve-reproducibility-for-stabs-debugging-data.patch
 create mode 100644 meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0/0005-bufferpool-only-resize-in-reset-when-maxsize-is-larger.patch

-- 
2.17.1

[OE-core][dunfell 01/18] dosfstools: add mkfs.vfat to ALTERNATIVE

[Steve Sakoman]

From: Ricardo Salveti <ricardo@foundries.io>

The mkfs.vfat tool can also be provided by busybox via the CONFIG_MKFS_VFAT
configuration (not enabled by default in OE but can be enabled on
systems avoiding components based on GPLv3).

Signed-off-by: Ricardo Salveti <ricardo@foundries.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1227a29974671fd52014deaca7ac859a037cdeb5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/dosfstools/dosfstools_4.1.bb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/dosfstools/dosfstools_4.1.bb b/meta/recipes-devtools/dosfstools/dosfstools_4.1.bb
index 23b8836670..e4ab113391 100644
--- a/meta/recipes-devtools/dosfstools/dosfstools_4.1.bb
+++ b/meta/recipes-devtools/dosfstools/dosfstools_4.1.bb
@@ -16,7 +16,7 @@ SRC_URI[sha256sum] = "e6b2aca70ccc3fe3687365009dd94a2e18e82b688ed4e260e04b741247
 
 UPSTREAM_CHECK_URI = "https://github.com/dosfstools/dosfstools/releases"
 
-inherit autotools pkgconfig
+inherit autotools pkgconfig update-alternatives
 
 EXTRA_OECONF = "--without-udev --enable-compat-symlinks"
 
@@ -26,3 +26,7 @@ BBCLASSEXTEND = "native"
 
 # Add codepage437 to avoid error from `dosfsck -l`
 RRECOMMENDS_${PN}_append_libc-glibc = " glibc-gconv-ibm437"
+
+ALTERNATIVE_PRIORITY = "100"
+ALTERNATIVE_${PN} = "mkfs.vfat"
+ALTERNATIVE_LINK_NAME[mkfs.vfat] = "${sbindir}/mkfs.vfat"
-- 
2.17.1

[OE-core][dunfell 02/18] ptest-runner: Fix license as it contains 'or later' clause

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

The license headers are clear that the code is "or later", fix LICENSE
to match.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5f0b5cdfcb104ac50222a47652e090ad8770e49f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/ptest-runner/ptest-runner_2.3.2.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-support/ptest-runner/ptest-runner_2.3.2.bb b/meta/recipes-support/ptest-runner/ptest-runner_2.3.2.bb
index 187f22df04..3a0dbf84fd 100644
--- a/meta/recipes-support/ptest-runner/ptest-runner_2.3.2.bb
+++ b/meta/recipes-support/ptest-runner/ptest-runner_2.3.2.bb
@@ -4,7 +4,7 @@ program which loops through all installed ptest test suites and \
 runs them in sequence."
 HOMEPAGE = "http://git.yoctoproject.org/cgit/cgit.cgi/ptest-runner2/about/"
 
-LICENSE = "GPLv2"
+LICENSE = "GPLv2+"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=751419260aa954499f7abaabaa882bbe"
 
 SRCREV = "7015e9199ce748c0717addeebe7a8c47448bab03"
-- 
2.17.1

[OE-core][dunfell 03/18] libdnf: Fix license as it contains 'or later' clause

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

The license headers are clear that the code is "or later", fix LICENSE
to match.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e565e0b908c71ad5106d1c6c73d269b819787e55)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/libdnf/libdnf_0.28.1.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/libdnf/libdnf_0.28.1.bb b/meta/recipes-devtools/libdnf/libdnf_0.28.1.bb
index cc2ceb8816..43de06e7f9 100644
--- a/meta/recipes-devtools/libdnf/libdnf_0.28.1.bb
+++ b/meta/recipes-devtools/libdnf/libdnf_0.28.1.bb
@@ -1,5 +1,5 @@
 SUMMARY = "Library providing simplified C and Python API to libsolv"
-LICENSE = "LGPLv2.1"
+LICENSE = "LGPLv2.1+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
 
 SRC_URI = "git://github.com/rpm-software-management/libdnf \
-- 
2.17.1

[OE-core][dunfell 04/18] alsa-utils: Fix license to GPLv2 only

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

Parts of alsa-utils are v2 only, parts are v2 or later. The effect is
the end result is GPLv2 and there seems little value in marking everything
as being a mixture of both. Fix LICENSE to match reality.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a9a17a991174b732597e21045763ea851f486a01)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-multimedia/alsa/alsa-utils_1.2.1.bb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-multimedia/alsa/alsa-utils_1.2.1.bb b/meta/recipes-multimedia/alsa/alsa-utils_1.2.1.bb
index 9144af628a..1dc30f377b 100644
--- a/meta/recipes-multimedia/alsa/alsa-utils_1.2.1.bb
+++ b/meta/recipes-multimedia/alsa/alsa-utils_1.2.1.bb
@@ -2,7 +2,8 @@ SUMMARY = "ALSA sound utilities"
 HOMEPAGE = "http://www.alsa-project.org"
 BUGTRACKER = "http://alsa-project.org/main/index.php/Bug_Tracking"
 SECTION = "console/utils"
-LICENSE = "GPLv2+"
+# Some parts are GPLv2+, some are only GPLv2 (e.g. axfer, alsactl) so result is GPLv2
+LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=59530bdf33659b29e73d4adb9f9f6552 \
                     file://alsactl/utils.c;beginline=3;endline=18;md5=96cc06a4cebe5eb7975688ffb0e65642"
 DEPENDS = "alsa-lib ncurses libsamplerate0"
-- 
2.17.1

[OE-core][dunfell 05/18] kernel-module-split.bbclass: identify kernel modconf files as configuration files

[Steve Sakoman]

From: Gratian Crisan <gratian.crisan@ni.com>

Currently the modconf fragments representing the configuration for
kernel modules are written out to appropriate .conf files and added to
the FILES variable. However they are not identified as 'configuration
files' and installing a new version of a kernel module results in a
conflict and a failed installed because the respective .conf file is
already in place from a previous install.

Add the generated .conf files to the CONFFILES variable denoting their
true nature.

Signed-off-by: Gratian Crisan <gratian.crisan@ni.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1a70a92d1f1006be115429a4262259c9084f484d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/kernel-module-split.bbclass | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/classes/kernel-module-split.bbclass b/meta/classes/kernel-module-split.bbclass
index 221022b7bc..c8ede26996 100644
--- a/meta/classes/kernel-module-split.bbclass
+++ b/meta/classes/kernel-module-split.bbclass
@@ -120,6 +120,7 @@ python split_kernel_module_packages () {
         files = d.getVar('FILES_%s' % pkg)
         files = "%s /etc/modules-load.d/%s.conf /etc/modprobe.d/%s.conf" % (files, basename, basename)
         d.setVar('FILES_%s' % pkg, files)
+        d.setVar('CONFFILES_%s' % pkg, files)
 
         if "description" in vals:
             old_desc = d.getVar('DESCRIPTION_' + pkg) or ""
-- 
2.17.1

[OE-core][dunfell 06/18] syslinux: add link to upstream discussion in patch

[Steve Sakoman]

From: Ross Burton <ross@burtonini.com>

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dfc2b114e9d62f0eee04129009a24a8edb2a8dd1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../syslinux/0001-linux-syslinux-support-ext2-3-4-device.patch  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/syslinux/syslinux/0001-linux-syslinux-support-ext2-3-4-device.patch b/meta/recipes-devtools/syslinux/syslinux/0001-linux-syslinux-support-ext2-3-4-device.patch
index 3ab7875274..47a8dac10e 100644
--- a/meta/recipes-devtools/syslinux/syslinux/0001-linux-syslinux-support-ext2-3-4-device.patch
+++ b/meta/recipes-devtools/syslinux/syslinux/0001-linux-syslinux-support-ext2-3-4-device.patch
@@ -10,7 +10,7 @@ Subject: [PATCH 1/9] linux/syslinux: support ext2/3/4 device
 * The ext2/3/4 support doesn't require root privileges since it doesn't need
   mount (but write permission is required).
 
-Upstream-Status: Submitted
+Upstream-Status: Submitted [https://www.syslinux.org/archives/2015-January/023039.html]
 
 Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
 Tested-by: Du Dolpher <dolpher.du@intel.com>
-- 
2.17.1

[OE-core][dunfell 07/18] diffstat: add nativesdk to BBCLASSEXTEND

[Steve Sakoman]

From: Nathan Rossi <nathan@nathanrossi.com>

The diffstat tool is part of HOSTTOOLS. To support hosts that do not
have it installed with buildtools-tarball it must be enabled for
nativesdk.

Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0ed002422bc46539f1d71ed19ee17358b6691bf0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/diffstat/diffstat_1.63.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-devtools/diffstat/diffstat_1.63.bb b/meta/recipes-devtools/diffstat/diffstat_1.63.bb
index ee0a7e7bd6..61b2ea5dc2 100644
--- a/meta/recipes-devtools/diffstat/diffstat_1.63.bb
+++ b/meta/recipes-devtools/diffstat/diffstat_1.63.bb
@@ -27,3 +27,5 @@ LDFLAGS += "${TOOLCHAIN_OPTIONS}"
 do_install_ptest() {
 	cp -r ${S}/testing ${D}${PTEST_PATH}
 }
+
+BBCLASSEXTEND = "nativesdk"
-- 
2.17.1

[OE-core][dunfell 08/18] clutter-gst-3.0: do not call out to host gstreamer plugin scanner

[Steve Sakoman]

From: Alexander Kanavin <alex.kanavin@gmail.com>

This is host contamination and can also fail for all kinds of
reasons when running under usermode qemu.

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fb60d0920b660dffb346b2212dc6f8ba2a0b9fde)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-graphics/clutter/clutter-gst-3.0.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-graphics/clutter/clutter-gst-3.0.inc b/meta/recipes-graphics/clutter/clutter-gst-3.0.inc
index fc3eade886..7d9db1f38c 100644
--- a/meta/recipes-graphics/clutter/clutter-gst-3.0.inc
+++ b/meta/recipes-graphics/clutter/clutter-gst-3.0.inc
@@ -6,6 +6,8 @@ inherit clutter features_check upstream-version-is-even gobject-introspection
 # depends on clutter-1.0 which depends on cogl-1.0
 REQUIRED_DISTRO_FEATURES ?= "opengl"
 
+export GST_PLUGIN_SCANNER_1_0="${S}/gst-plugin-scanner-dummy"
+
 SRC_URI += "file://0001-Install-example-binary-needed-for-core-image-clutter.patch"
 
 DEPENDS = "gstreamer1.0-plugins-base gstreamer1.0-plugins-bad clutter-1.0 libgudev"
-- 
2.17.1

[OE-core][dunfell 09/18] gstreamer1.0: warn the user when something is wrong with GstBufferPool

[Steve Sakoman]

From: Jose Quaresma <quaresma.jose@gmail.com>

This is not a critical bug fix but it can be usefull in some BSP
with exotic drivers like on nvidia tegra bsp.

Signed-off-by: Jose Quaresma <quaresma.jose@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...size-in-reset-when-maxsize-is-larger.patch | 49 +++++++++++++++++++
 .../gstreamer/gstreamer1.0_1.16.3.bb          |  1 +
 2 files changed, 50 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0/0005-bufferpool-only-resize-in-reset-when-maxsize-is-larger.patch

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0/0005-bufferpool-only-resize-in-reset-when-maxsize-is-larger.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0/0005-bufferpool-only-resize-in-reset-when-maxsize-is-larger.patch
new file mode 100644
index 0000000000..dacc399d28
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0/0005-bufferpool-only-resize-in-reset-when-maxsize-is-larger.patch
@@ -0,0 +1,49 @@
+From a1b41b2b2493069365a8274c6a544e6799a5a8df Mon Sep 17 00:00:00 2001
+From: Matthew Waters <matthew@centricular.com>
+Date: Mon, 20 Jul 2020 17:08:32 +1000
+Subject: [PATCH] gst/bufferpool: only resize in reset when maxsize is larger
+
+Only resize the buffer if the maxsize is larger then the configued pool
+size.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/570>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/a1b41b2b2493069365a8274c6a544e6799a5a8df]
+
+Signed-off-by: Jose Quaresma <quaresma.jose@gmail.com>
+---
+ gst/gstbufferpool.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/gst/gstbufferpool.c b/gst/gstbufferpool.c
+index 8ae868cf2c7..a8167d017d6 100644
+--- a/gst/gstbufferpool.c
++++ b/gst/gstbufferpool.c
+@@ -1223,9 +1223,21 @@ default_reset_buffer (GstBufferPool * pool, GstBuffer * buffer)
+ 
+   /* if the memory is intact reset the size to the full size */
+   if (!GST_BUFFER_FLAG_IS_SET (buffer, GST_BUFFER_FLAG_TAG_MEMORY)) {
+-    gsize offset;
+-    gst_buffer_get_sizes (buffer, &offset, NULL);
+-    gst_buffer_resize (buffer, -offset, pool->priv->size);
++    gsize offset, maxsize;
++    gst_buffer_get_sizes (buffer, &offset, &maxsize);
++    /* check if we can resize to at least the pool configured size.  If not,
++     * then this will fail internally in gst_buffer_resize().
++     * default_release_buffer() will drop the buffer from the pool if the
++     * sizes don't match */
++    if (maxsize >= pool->priv->size) {
++      gst_buffer_resize (buffer, -offset, pool->priv->size);
++    } else {
++      GST_WARNING_OBJECT (pool, "Buffer %p without the memory tag has "
++          "maxsize (%" G_GSIZE_FORMAT ") that is smaller than the "
++          "configured buffer pool size (%u). The buffer will be not be "
++          "reused. This is most likely a bug in this GstBufferPool subclass",
++          buffer, maxsize, pool->priv->size);
++    }
+   }
+ 
+   /* remove all metadata without the POOLED flag */
+-- 
+GitLab
+
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
index 66ad3e3381..7afe56cd7b 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
@@ -21,6 +21,7 @@ SRC_URI = " \
     file://0002-meson-build-gir-even-when-cross-compiling-if-introsp.patch \
     file://0003-meson-Add-valgrind-feature.patch \
     file://0004-meson-Add-option-for-installed-tests.patch \
+    file://0005-bufferpool-only-resize-in-reset-when-maxsize-is-larger.patch \
 "
 SRC_URI[md5sum] = "beecf6965a17fb17fa3b262fd36df70a"
 SRC_URI[sha256sum] = "692f037968e454e508b0f71d9674e2e26c78475021407fcf8193b1c7e59543c7"
-- 
2.17.1

[OE-core][dunfell 10/18] systemd: udev SECLABEL{selinux} crash fix

[Steve Sakoman]

From: akash hadke <akash.hadke@kpit.com>

Adding SECLABEL{selinux}="some value" causes systemd-udev
to crash.
So applied below available patch to fix the issue.

systemd-udev-seclabel-options-crash-fix.patch

Link: https://github.com/systemd/systemd/commit/0335d110afc08baf47d76b7011ce02510dfdd524.patch
Signed-off-by: akash hadke <akash.hadke@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...temd-udev-seclabel-options-crash-fix.patch | 30 +++++++++++++++++++
 meta/recipes-core/systemd/systemd_244.3.bb    |  1 +
 2 files changed, 31 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/systemd-udev-seclabel-options-crash-fix.patch

diff --git a/meta/recipes-core/systemd/systemd/systemd-udev-seclabel-options-crash-fix.patch b/meta/recipes-core/systemd/systemd/systemd-udev-seclabel-options-crash-fix.patch
new file mode 100644
index 0000000000..27b2b60fad
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/systemd-udev-seclabel-options-crash-fix.patch
@@ -0,0 +1,30 @@
+From 0335d110afc08baf47d76b7011ce02510dfdd524 Mon Sep 17 00:00:00 2001
+From: Valery0xff <valery.chernous@gmail.com>
+Date: Wed, 11 Mar 2020 02:20:36 +0200
+Subject: [PATCH] udev: fix SECLABEL{selinux} issue (#15064)
+
+Add SECLABEL{selinux}="some value" cause udevadm crash
+systemd-udevd[x]: Worker [x] terminated by signal 11 (SEGV)
+ 
+It happens since 25de7aa7b90 (Yu Watanabe 2019-04-25 01:21:11 +0200)
+when udev rules processing changed to token model. Yu forgot store
+attr to SECLABEL token so fix it.
+---
+ src/udev/udev-rules.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/0335d110afc08baf47d76b7011ce02510dfdd524.patch]
+---
+diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c
+index b9b350d1ef..b990f68e93 100644
+--- a/src/udev/udev-rules.c
++++ b/src/udev/udev-rules.c
+@@ -921,7 +921,7 @@ static int parse_token(UdevRules *rules, const char *key, char *attr, UdevRuleOp
+                         op = OP_ASSIGN;
+                 }
+ 
+-                r = rule_line_add_token(rule_line, TK_A_SECLABEL, op, value, NULL);
++                r = rule_line_add_token(rule_line, TK_A_SECLABEL, op, value, attr);
+         } else if (streq(key, "RUN")) {
+                 if (is_match || op == OP_REMOVE)
+                         return log_token_invalid_op(rules, key);
diff --git a/meta/recipes-core/systemd/systemd_244.3.bb b/meta/recipes-core/systemd/systemd_244.3.bb
index 850d64e8b0..64e3b18333 100644
--- a/meta/recipes-core/systemd/systemd_244.3.bb
+++ b/meta/recipes-core/systemd/systemd_244.3.bb
@@ -21,6 +21,7 @@ SRC_URI += "file://touchscreen.rules \
            file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
            file://0003-implment-systemd-sysv-install-for-OE.patch \
            file://CVE-2020-13776.patch \
+           file://systemd-udev-seclabel-options-crash-fix.patch \
            "
 
 # patches needed by musl
-- 
2.17.1

[OE-core][dunfell 11/18] oeqa/core/context: expose results as variable

[Steve Sakoman]

From: Konrad Weihmann <kweihmann@outlook.com>

register an unittest handler for testresults and expose it as
variable result.
With this even partial results from an interrupted test suite run
can be made available

Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a97ae47525157871b6c098ffc352293e365a4335)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oeqa/core/context.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/lib/oeqa/core/context.py b/meta/lib/oeqa/core/context.py
index 4705d608ac..4ce3089ad0 100644
--- a/meta/lib/oeqa/core/context.py
+++ b/meta/lib/oeqa/core/context.py
@@ -31,6 +31,9 @@ class OETestContext(object):
         self._registry = {}
         self._registry['cases'] = collections.OrderedDict()
 
+        self.results = unittest.TestResult()
+        unittest.registerResult(self.results)
+
     def _read_modules_from_manifest(self, manifest):
         if not os.path.exists(manifest):
             raise OEQAMissingManifest("Manifest does not exist on %s" % manifest)
-- 
2.17.1

[OE-core][dunfell 12/18] oeqa/core/context: initialize _run_end_time

[Steve Sakoman]

From: Konrad Weihmann <kweihmann@outlook.com>

with _run_start_time as value. For partial results of interrupted runs,
this info might be otherwise missing for at least one testcase

Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1c5e8baf57fa2a33b9ef507b11d9ea9acaa77238)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oeqa/core/context.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/lib/oeqa/core/context.py b/meta/lib/oeqa/core/context.py
index 4ce3089ad0..4e238f80a4 100644
--- a/meta/lib/oeqa/core/context.py
+++ b/meta/lib/oeqa/core/context.py
@@ -85,6 +85,7 @@ class OETestContext(object):
         self.skipTests(skips)
 
         self._run_start_time = time.time()
+        self._run_end_time = self._run_start_time
         if not processes:
             self.runner.buffer = True
         result = self.runner.run(self.prepareSuite(self.suites, processes))
-- 
2.17.1

[OE-core][dunfell 13/18] testimage: print results for interrupted runs

[Steve Sakoman]

From: Konrad Weihmann <kweihmann@outlook.com>

When a run is ended by overall timeout, print the already executed
testcases, to provide some hints which testcase might made the
test suite reach global timeout.
Nonetheless make the testrun exit with an error

Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2bcc643195a3b3c66d698fac8b7af037c08545ac)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/testimage.bbclass | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/meta/classes/testimage.bbclass b/meta/classes/testimage.bbclass
index 00f0c29836..c709384b91 100644
--- a/meta/classes/testimage.bbclass
+++ b/meta/classes/testimage.bbclass
@@ -364,6 +364,7 @@ def testimage_main(d):
     package_extraction(d, tc.suites)
 
     results = None
+    complete = False
     orig_sigterm_handler = signal.signal(signal.SIGTERM, sigterm_exception)
     try:
         # We need to check if runqemu ends unexpectedly
@@ -375,6 +376,7 @@ def testimage_main(d):
         except ValueError:
             pass
         results = tc.runTests()
+        complete = True
     except (KeyboardInterrupt, BlockingIOError) as err:
         if isinstance(err, KeyboardInterrupt):
             bb.error('testimage interrupted, shutting down...')
@@ -382,20 +384,21 @@ def testimage_main(d):
             bb.error('runqemu failed, shutting down...')
         if results:
             results.stop()
-            results = None
+        results = tc.results
     finally:
         signal.signal(signal.SIGTERM, orig_sigterm_handler)
         tc.target.stop()
 
     # Show results (if we have them)
-    if not results:
+    if results:
+        configuration = get_testimage_configuration(d, 'runtime', machine)
+        results.logDetails(get_testimage_json_result_dir(d),
+                        configuration,
+                        get_testimage_result_id(configuration),
+                        dump_streams=d.getVar('TESTREPORT_FULLLOGS'))
+        results.logSummary(pn)
+    if not results or not complete:
         bb.fatal('%s - FAILED - tests were interrupted during execution' % pn, forcelog=True)
-    configuration = get_testimage_configuration(d, 'runtime', machine)
-    results.logDetails(get_testimage_json_result_dir(d),
-                       configuration,
-                       get_testimage_result_id(configuration),
-                       dump_streams=d.getVar('TESTREPORT_FULLLOGS'))
-    results.logSummary(pn)
     if not results.wasSuccessful():
         bb.fatal('%s - FAILED - check the task log and the ssh log' % pn, forcelog=True)
 
-- 
2.17.1

[OE-core][dunfell 14/18] binutils: reproducibility: reuse debug-prefix-map for stabs

[Steve Sakoman]

From: Denys Zagorui <dzagorui@cisco.com>

powerpc 32bit Linux Kernel widely uses .stabs pseudo-op to
produce debugging information in stabs format. Faced an issue
that during Linux Kernel build with Yocto build system for 32bit
powerpc platform resulting vmlinux contains absolute path in
.stabstr section that cannot be remapped with -fdebug-prefix-map
option.

Yocto uses scripts/mkmakefile Linux Kernel build approach that
allows to store all generated files outside of kernel source
tree. With this approach each compilier invocation is performed
with an absolute path to a file that will be compiled and this
absolute path is recorded in init stab. There is no way to remap
this path.

Reuse remap_debug_filename api to make -fdebug-prefix-map flag
aplicable for init stab.

Signed-off-by: Denys Zagorui <dzagorui@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../binutils/binutils-2.34.inc                |  1 +
 ...oducibility-for-stabs-debugging-data.patch | 32 +++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0001-gas-improve-reproducibility-for-stabs-debugging-data.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc
index f65fdb7328..b5f5a1c69a 100644
--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -43,5 +43,6 @@ SRC_URI = "\
      file://0016-Check-for-clang-before-checking-gcc-version.patch \
      file://0017-binutils-drop-redundant-program_name-definition-fno-.patch \
      file://CVE-2020-0551.patch \
+     file://0001-gas-improve-reproducibility-for-stabs-debugging-data.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0001-gas-improve-reproducibility-for-stabs-debugging-data.patch b/meta/recipes-devtools/binutils/binutils/0001-gas-improve-reproducibility-for-stabs-debugging-data.patch
new file mode 100644
index 0000000000..98dab1b41d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0001-gas-improve-reproducibility-for-stabs-debugging-data.patch
@@ -0,0 +1,32 @@
+From 96882eb9263b6b1c953e33a6764a83f4a87a9a41 Mon Sep 17 00:00:00 2001
+From: Denys Zagorui <dzagorui@cisco.com>
+Date: Mon, 9 Nov 2020 15:39:10 +0000
+Subject: [PATCH] gas: improve reproducibility for stabs debugging data format
+
+	* config/obj-elf (obj_elf_init_stab_section): Improve
+	reproducibility for stabs debugging data format
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0541201782c006c09d029d18a45c6e743cfea906]
+---
+ gas/config/obj-elf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gas/config/obj-elf.c b/gas/config/obj-elf.c
+index 7cf921c051..92b55e06c2 100644
+--- a/gas/config/obj-elf.c
++++ b/gas/config/obj-elf.c
+@@ -2186,12 +2186,13 @@ obj_elf_init_stab_section (segT seg)
+   p = frag_more (12);
+   /* Zero it out.  */
+   memset (p, 0, 12);
+-  file = as_where (NULL);
++  file = remap_debug_filename (as_where (NULL));
+   stabstr_name = concat (segment_name (seg), "str", (char *) NULL);
+   stroff = get_stab_string_offset (file, stabstr_name, TRUE);
+   know (stroff == 1 || (stroff == 0 && file[0] == '\0'));
+   md_number_to_chars (p, stroff, 4);
+   seg_info (seg)->stabu.p = p;
++  xfree ((char *) file);
+ }
+ 
+ #endif
-- 
2.17.1

[OE-core][dunfell 15/18] openssh: Upgrade 8.2p1 -> 8.3p1

[Steve Sakoman]

From: Alex Kiernan <alex.kiernan@gmail.com>

Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b8ec59302bd2fc1a78f4d828ba93b3ad64ab7f37)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../openssh/{openssh_8.2p1.bb => openssh_8.3p1.bb}             | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
 rename meta/recipes-connectivity/openssh/{openssh_8.2p1.bb => openssh_8.3p1.bb} (98%)

diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.3p1.bb
similarity index 98%
rename from meta/recipes-connectivity/openssh/openssh_8.2p1.bb
rename to meta/recipes-connectivity/openssh/openssh_8.3p1.bb
index 17138c0ad8..e007328704 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.3p1.bb
@@ -25,8 +25,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://sshd_check_keys \
            file://add-test-support-for-busybox.patch \
            "
-SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
-SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
+SRC_URI[sha256sum] = "f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2"
 
 PAM_SRC_URI = "file://sshd"
 
-- 
2.17.1

[OE-core][dunfell 16/18] openssh: upgrade 8.3p1 -> 8.4p1 to fix CVE-2020-14145 and CVE-2020-15778

[Steve Sakoman]

From: Alexander Kanavin <alex.kanavin@gmail.com>

CVE-2020-14145

The client side in OpenSSH 5.7 through 8.3 has an Observable
Discrepancy leading to an information leak in the algorithm
negotiation. This allows man-in-the-middle attackers to target
initial connection attempts (where no host key for the server
has been cached by the client).

CVE-2020-15778

scp in OpenSSH through 8.3p1 allows command injection in the scp.c
toremote function, as demonstrated by backtick characters in the
destination argument.

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fc394ade8a0033bc695d979e592e8e92a882c54d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../openssh/{openssh_8.3p1.bb => openssh_8.4p1.bb}              | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/openssh/{openssh_8.3p1.bb => openssh_8.4p1.bb} (98%)

diff --git a/meta/recipes-connectivity/openssh/openssh_8.3p1.bb b/meta/recipes-connectivity/openssh/openssh_8.4p1.bb
similarity index 98%
rename from meta/recipes-connectivity/openssh/openssh_8.3p1.bb
rename to meta/recipes-connectivity/openssh/openssh_8.4p1.bb
index e007328704..720b238e71 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.4p1.bb
@@ -25,7 +25,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://sshd_check_keys \
            file://add-test-support-for-busybox.patch \
            "
-SRC_URI[sha256sum] = "f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2"
+SRC_URI[sha256sum] = "5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24"
 
 PAM_SRC_URI = "file://sshd"
 
-- 
2.17.1

[OE-core][dunfell 17/18] openssh: whitelist CVE-2014-9278

[Steve Sakoman]

The OpenSSH server, as used in Fedora and Red Hat Enterprise
Linux 7 and when running in a Kerberos environment, allows remote
authenticated users to log in as another user when they are listed
in the .k5users file of that user, which might bypass intended
authentication requirements that would force a local login.

Whitelist the CVE since this issue is Redhat specific.

Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 309132e50d23b1e3f15ef8db1a101166b35f7ca4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-connectivity/openssh/openssh_8.4p1.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/recipes-connectivity/openssh/openssh_8.4p1.bb b/meta/recipes-connectivity/openssh/openssh_8.4p1.bb
index 720b238e71..676a8a6533 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.4p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.4p1.bb
@@ -27,6 +27,10 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            "
 SRC_URI[sha256sum] = "5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24"
 
+# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
+# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
+CVE_CHECK_WHITELIST += "CVE-2014-9278"
+
 PAM_SRC_URI = "file://sshd"
 
 inherit manpages useradd update-rc.d update-alternatives systemd
-- 
2.17.1

[OE-core][dunfell 18/18] freetype: fix CVE-2020-15999, backport from 2.10.4

[Steve Sakoman]

From: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>

Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...-sfnt-Fix-heap-buffer-overflow-59308.patch | 51 +++++++++++++++++++
 .../freetype/freetype_2.10.1.bb               |  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch

diff --git a/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch b/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
new file mode 100644
index 0000000000..fa8a29b798
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
@@ -0,0 +1,51 @@
+From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 19 Oct 2020 23:45:28 +0200
+Subject: [PATCH] [sfnt] Fix heap buffer overflow (#59308).
+
+This is CVE-2020-15999.
+
+* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd]
+
+Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
+---
+ src/sfnt/pngshim.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index 2e64e5846..f55016122 100644
+--- a/src/sfnt/pngshim.c
++++ b/src/sfnt/pngshim.c
+@@ -332,6 +332,13 @@
+ 
+     if ( populate_map_and_metrics )
+     {
++      /* reject too large bitmaps similarly to the rasterizer */
++      if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
++      {
++        error = FT_THROW( Array_Too_Large );
++        goto DestroyExit;
++      }
++
+       metrics->width  = (FT_UShort)imgWidth;
+       metrics->height = (FT_UShort)imgHeight;
+ 
+@@ -340,13 +347,6 @@
+       map->pixel_mode = FT_PIXEL_MODE_BGRA;
+       map->pitch      = (int)( map->width * 4 );
+       map->num_grays  = 256;
+-
+-      /* reject too large bitmaps similarly to the rasterizer */
+-      if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+-      {
+-        error = FT_THROW( Array_Too_Large );
+-        goto DestroyExit;
+-      }
+     }
+ 
+     /* convert palette/gray image to rgb */
+-- 
+2.18.4
+
diff --git a/meta/recipes-graphics/freetype/freetype_2.10.1.bb b/meta/recipes-graphics/freetype/freetype_2.10.1.bb
index d1c093054b..2d444bbf19 100644
--- a/meta/recipes-graphics/freetype/freetype_2.10.1.bb
+++ b/meta/recipes-graphics/freetype/freetype_2.10.1.bb
@@ -14,6 +14,7 @@ LIC_FILES_CHKSUM = "file://docs/LICENSE.TXT;md5=4af6221506f202774ef74f64932878a1
 
 SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \
            file://use-right-libtool.patch \
+           file://0001-sfnt-Fix-heap-buffer-overflow-59308.patch \
           "
 SRC_URI[md5sum] = "bd42e75127f8431923679480efb5ba8f"
 SRC_URI[sha256sum] = "16dbfa488a21fe827dc27eaf708f42f7aa3bb997d745d31a19781628c36ba26f"
-- 
2.17.1

Re: [OE-core][dunfell 16/18] openssh: upgrade 8.3p1 -> 8.4p1 to fix CVE-2020-14145 and CVE-2020-15778

[Anuj Mittal]

Hi Steve,

On Fri, 2020-11-13 at 04:52 -1000, Steve Sakoman wrote:
> From: Alexander Kanavin <alex.kanavin@gmail.com>
> 
> CVE-2020-14145
> 
> The client side in OpenSSH 5.7 through 8.3 has an Observable
> Discrepancy leading to an information leak in the algorithm
> negotiation. This allows man-in-the-middle attackers to target
> initial connection attempts (where no host key for the server
> has been cached by the client).

I am not sure if this CVE should be considered fixed. Please see
Section 3.1:

https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf

Also, this isn't a bug fix release and has potentially incompatible
changes that may affect existing configurations as per the release
notes:

https://www.openssh.com/txt/release-8.4

Thanks,

Anuj

Re: [OE-core][dunfell 16/18] openssh: upgrade 8.3p1 -> 8.4p1 to fix CVE-2020-14145 and CVE-2020-15778

[Steve Sakoman]

On Fri, Nov 13, 2020 at 5:34 AM Anuj Mittal <anuj.mittal@intel.com> wrote:
>
> Hi Steve,
>
> On Fri, 2020-11-13 at 04:52 -1000, Steve Sakoman wrote:
> > From: Alexander Kanavin <alex.kanavin@gmail.com>
> >
> > CVE-2020-14145
> >
> > The client side in OpenSSH 5.7 through 8.3 has an Observable
> > Discrepancy leading to an information leak in the algorithm
> > negotiation. This allows man-in-the-middle attackers to target
> > initial connection attempts (where no host key for the server
> > has been cached by the client).
>
> I am not sure if this CVE should be considered fixed. Please see
> Section 3.1:
>
> https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf

I hadn't seen this.  I'll drop the version upgrade from the pull request.

Hopefully someone can submit a patch set that does fix these issues.

Steve


> Also, this isn't a bug fix release and has potentially incompatible
> changes that may affect existing configurations as per the release
> notes:
>
> https://www.openssh.com/txt/release-8.4
>
> Thanks,
>
> Anuj
>
>
> 
>

Re: [OE-core][dunfell 02/18] ptest-runner: Fix license as it contains 'or later' clause

[Adrian Freihofer]

Hi Steve

There is a nasty problem with ptest-runner 2.3.2: It prints an internal
warning for each test case, which got fixed by
commit: d3e9e5ebf36d1d1d7ee4bc38a64f6ec9e8fc819b
"Backport patch to fix inappropriate ioctl error"

You might want to consider updating ptest-runner to the latest version
by picking 4 commits instead of just one.

- ptest-runner: Bump to 2.4.0
  792d1ebba98b097d4d68c7261bf6af0c9d186eab
- ptest-runner: fix upstream version check
  5df6dc44370c446c699007659782323814a4d9ce
- ptest-runner: Backport patch to fix inappropriate ioctl error
  d3e9e5ebf36d1d1d7ee4bc38a64f6ec9e8fc819b
- ptest-runner: Fix license as it contains 'or later' clause
  744a463831016abdac3433db8ca9d1b656881915

We did this a few weeks ago on our local dunfell branch. So far it
seems to be the right approach for us.

Thank you and regards,
Adrian


On Fri, 2020-11-13 at 04:52 -1000, Steve Sakoman wrote:
> From: Richard Purdie <richard.purdie@linuxfoundation.org>
> 
> The license headers are clear that the code is "or later", fix LICENSE
> to match.
> 
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> (cherry picked from commit 5f0b5cdfcb104ac50222a47652e090ad8770e49f)
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>  meta/recipes-support/ptest-runner/ptest-runner_2.3.2.bb | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/meta/recipes-support/ptest-runner/ptest-runner_2.3.2.bb b/meta/recipes-support/ptest-runner/ptest-runner_2.3.2.bb
> index 187f22df04..3a0dbf84fd 100644
> --- a/meta/recipes-support/ptest-runner/ptest-runner_2.3.2.bb
> +++ b/meta/recipes-support/ptest-runner/ptest-runner_2.3.2.bb
> @@ -4,7 +4,7 @@ program which loops through all installed ptest test suites and \
>  runs them in sequence."
>  HOMEPAGE = "http://git.yoctoproject.org/cgit/cgit.cgi/ptest-runner2/about/"
>  
> -LICENSE = "GPLv2"
> +LICENSE = "GPLv2+"
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=751419260aa954499f7abaabaa882bbe"
>  
>  SRCREV = "7015e9199ce748c0717addeebe7a8c47448bab03"
> 
> 
We have been doing this without any problems for a few weeks now.

Re: [OE-core][dunfell 02/18] ptest-runner: Fix license as it contains 'or later' clause

[Steve Sakoman]

On Sun, Nov 15, 2020 at 4:53 AM Adrian Freihofer
<adrian.freihofer@gmail.com> wrote:
>
> Hi Steve
>
> There is a nasty problem with ptest-runner 2.3.2: It prints an internal
> warning for each test case, which got fixed by
> commit: d3e9e5ebf36d1d1d7ee4bc38a64f6ec9e8fc819b
> "Backport patch to fix inappropriate ioctl error"
>
> You might want to consider updating ptest-runner to the latest version
> by picking 4 commits instead of just one.
>
> - ptest-runner: Bump to 2.4.0
>   792d1ebba98b097d4d68c7261bf6af0c9d186eab
> - ptest-runner: fix upstream version check
>   5df6dc44370c446c699007659782323814a4d9ce
> - ptest-runner: Backport patch to fix inappropriate ioctl error
>   d3e9e5ebf36d1d1d7ee4bc38a64f6ec9e8fc819b
> - ptest-runner: Fix license as it contains 'or later' clause
>   744a463831016abdac3433db8ca9d1b656881915
>
> We did this a few weeks ago on our local dunfell branch. So far it
> seems to be the right approach for us.

This looks reasonable to me.  I'll add these to my next autobuilder
test run and if all goes well will submit to the list for
review/comments.

Steve


> Thank you and regards,
> Adrian
>
>
> On Fri, 2020-11-13 at 04:52 -1000, Steve Sakoman wrote:
> > From: Richard Purdie <richard.purdie@linuxfoundation.org>
> >
> > The license headers are clear that the code is "or later", fix LICENSE
> > to match.
> >
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > (cherry picked from commit 5f0b5cdfcb104ac50222a47652e090ad8770e49f)
> > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > ---
> >  meta/recipes-support/ptest-runner/ptest-runner_2.3.2.bb | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/meta/recipes-support/ptest-runner/ptest-runner_2.3.2.bb b/meta/recipes-support/ptest-runner/ptest-runner_2.3.2.bb
> > index 187f22df04..3a0dbf84fd 100644
> > --- a/meta/recipes-support/ptest-runner/ptest-runner_2.3.2.bb
> > +++ b/meta/recipes-support/ptest-runner/ptest-runner_2.3.2.bb
> > @@ -4,7 +4,7 @@ program which loops through all installed ptest test suites and \
> >  runs them in sequence."
> >  HOMEPAGE = "http://git.yoctoproject.org/cgit/cgit.cgi/ptest-runner2/about/"
> >
> > -LICENSE = "GPLv2"
> > +LICENSE = "GPLv2+"
> >  LIC_FILES_CHKSUM = "file://LICENSE;md5=751419260aa954499f7abaabaa882bbe"
> >
> >  SRCREV = "7015e9199ce748c0717addeebe7a8c47448bab03"
> >
> >
> We have been doing this without any problems for a few weeks now.
>
>
> 
>

[OE-core][dunfell 00/18] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by end
of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2988

with the exception of a known autobuilder intermittent issue (on qemuppc test)
which passed on subsequent retest:

https://autobuilder.yoctoproject.org/typhoon/#/builders/63/builds/4402

The following changes since commit f61fcb6e176f19f1e768ce63a693f238713c8887:

  openssh: remove redundant BSD license (2021-12-02 05:11:21 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Dhruva Gole (1):
  scripts/checklayer/common.py: Fixed a minor grammatical error

Eero Aaltonen (1):
  cmake: FindGTest: Add target for gmock library

Jate Sujjavanich (2):
  libdnf: Backport bugfix for upgrade calc
  dnf: Backport bugfix for upgrade

Khem Raj (1):
  libunwind: Backport a fix for -fno-common option to compile

Neetika Singh (1):
  glib-2.0: Add security fixes

Pavel Zhukov (2):
  busybox: Fix for CVE-2021-42374
  busybox: Fix for CVE-2021-42376

Quentin Schulz (1):
  README.OE-Core.md: update URLs

Ranjitsinh Rathod (2):
  ncurses: Fix for CVE-2021-39537
  libsolv: update tag for missing CVEs

Richard Purdie (2):
  buildhistory: Fix srcrevs output
  oeqa/parselogs: Fix quoting

Ross Burton (1):
  vim: fix CVE-2021-3968 and CVE-2021-3973

Steve Sakoman (4):
  cve-extra-exclusions: add db CVEs to exclusion list
  bind: update to 9.11.33
  bind: update to 9.11.34
  bind: update to 9.11.35

 README.OE-Core                                |  10 +-
 meta/classes/buildhistory.bbclass             |  30 +-
 .../distro/include/cve-extra-exclusions.inc   |   9 +-
 meta/lib/oeqa/runtime/cases/parselogs.py      |  14 +-
 .../bind/{bind_9.11.32.bb => bind_9.11.35.bb} |   2 +-
 .../busybox/busybox/CVE-2021-42374.patch      |  53 +++
 .../busybox/busybox/CVE-2021-42376.patch      | 138 ++++++
 meta/recipes-core/busybox/busybox_1.31.1.bb   |   2 +
 .../glib-2.0/glib-2.0/CVE-2021-27218.patch    | 129 ++++++
 .../glib-2.0/glib-2.0/CVE-2021-27219-01.patch | 170 +++++++
 .../glib-2.0/glib-2.0/CVE-2021-27219-02.patch | 249 +++++++++++
 .../glib-2.0/glib-2.0/CVE-2021-27219-03.patch | 131 ++++++
 .../glib-2.0/glib-2.0/CVE-2021-27219-04.patch | 298 +++++++++++++
 .../glib-2.0/glib-2.0/CVE-2021-27219-05.patch |  54 +++
 .../glib-2.0/glib-2.0/CVE-2021-27219-06.patch | 101 +++++
 .../glib-2.0/glib-2.0/CVE-2021-27219-07.patch |  76 ++++
 .../glib-2.0/glib-2.0/CVE-2021-27219-08.patch | 101 +++++
 .../glib-2.0/glib-2.0/CVE-2021-27219-09.patch | 100 +++++
 .../glib-2.0/glib-2.0/CVE-2021-27219-10.patch |  59 +++
 .../glib-2.0/glib-2.0/CVE-2021-27219-11.patch |  63 +++
 .../glib-2.0/CVE-2021-27219-reg1-1.patch      |  36 ++
 .../glib-2.0/CVE-2021-27219-reg1-2.patch      |  38 ++
 .../glib-2.0/CVE-2021-27219-reg1-4.patch      |  38 ++
 .../glib-2.0/CVE-2021-27219-reg1-5.patch      | 100 +++++
 .../glib-2.0/CVE-2021-27219-reg2-1.patch      |  49 ++
 .../glib-2.0/CVE-2021-27219-reg2-2.patch      |  43 ++
 .../glib-2.0/CVE-2021-27219-reg2-3.patch      | 232 ++++++++++
 .../glib-2.0/glib-2.0/CVE-2021-28153-1.patch  |  27 ++
 .../glib-2.0/glib-2.0/CVE-2021-28153-2.patch  |  42 ++
 .../glib-2.0/glib-2.0/CVE-2021-28153-3.patch  |  57 +++
 .../glib-2.0/glib-2.0/CVE-2021-28153-4.patch  | 265 +++++++++++
 .../glib-2.0/glib-2.0/CVE-2021-28153-5.patch  |  55 +++
 meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb |  24 +
 .../ncurses/files/CVE-2021-39537.patch        |  30 ++
 meta/recipes-core/ncurses/ncurses_6.2.bb      |   1 +
 .../cmake/cmake-native_3.16.5.bb              |   1 +
 ...ndGTest-Add-target-for-gmock-library.patch | 255 +++++++++++
 ...ackages-in-upgrade-job-RhBug-1728252.patch |  60 +++
 meta/recipes-devtools/dnf/dnf_4.2.2.bb        |   1 +
 ...job-goal.upgrade-with-sltr-as-target.patch |  58 +++
 meta/recipes-devtools/libdnf/libdnf_0.28.1.bb |   1 +
 .../libsolv/files/CVE-2021-3200.patch         |   9 +-
 ...0001-Fix-compilation-with-fno-common.patch | 420 ++++++++++++++++++
 .../libunwind/libunwind_1.3.1.bb              |   1 +
 ...rash-when-using-CTRL-W-f-without-fin.patch |  92 ++++
 meta/recipes-support/vim/vim.inc              |   4 +
 scripts/lib/checklayer/cases/common.py        |   2 +-
 47 files changed, 3696 insertions(+), 34 deletions(-)
 rename meta/recipes-connectivity/bind/{bind_9.11.32.bb => bind_9.11.35.bb} (98%)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2021-42374.patch
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2021-42376.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-01.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-02.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-03.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-05.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-06.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-07.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-09.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-10.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-11.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-1.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-2.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-4.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-5.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-1.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-2.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-3.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-1.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-2.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-3.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-4.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-5.patch
 create mode 100644 meta/recipes-core/ncurses/files/CVE-2021-39537.patch
 create mode 100644 meta/recipes-devtools/cmake/cmake/0006-cmake-FindGTest-Add-target-for-gmock-library.patch
 create mode 100644 meta/recipes-devtools/dnf/dnf/0040-Keep-installed-packages-in-upgrade-job-RhBug-1728252.patch
 create mode 100644 meta/recipes-devtools/libdnf/libdnf/0040-Mark-job-goal.upgrade-with-sltr-as-target.patch
 create mode 100644 meta/recipes-support/libunwind/libunwind/0001-Fix-compilation-with-fno-common.patch
 create mode 100644 meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch

-- 
2.25.1

[OE-core][dunfell 00/18] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by end
of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3314

with the exception of a known autobuilder intermittent issue on qemumips64:

https://bugzilla.yoctoproject.org/show_bug.cgi?id=14029

which passed on subsequent retest:

https://autobuilder.yoctoproject.org/typhoon/#/builders/74/builds/4787

The following changes since commit 79ce9059f716546a7d6f4562ba194aedd90c22cd:

  grub: add a fix for a crash in scripts (2022-02-23 05:00:42 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Jose Quaresma (1):
  buildhistory.bbclass: create the buildhistory directory when needed

Marek Vasut (1):
  bootchart2: Add missing python3-math dependency

Michael Halstead (1):
  uninative: Upgrade to 3.5

Minjae Kim (2):
  go: fix CVE-2022-23806
  go: fix CVE-2022-23772

Nathan Rossi (1):
  cml1.bbclass: Handle ncurses-native being available via pkg-config

Richard Purdie (2):
  libxml-parser-perl: Add missing RDEPENDS
  uninative: Add version to uninative tarball name

Ross Burton (3):
  coreutils: remove obsolete ignored CVE list
  cve-check: get_cve_info should open the database read-only
  Revert "cve-check: add lockfile to task"

Steve Sakoman (5):
  expat: fix CVE-2022-25235
  expat: fix CVE-2022-25236
  expat: fix CVE-2022-25313
  expat: fix CVE-2022-25314
  expat: fix CVE-2022-25315

Virendra Thakur (1):
  libarchive: Fix for CVE-2021-36976

wangmy (1):
  wireless-regdb: upgrade 2021.08.28 -> 2022.02.18

 meta/classes/buildhistory.bbclass             |   1 +
 meta/classes/cml1.bbclass                     |   8 +
 meta/classes/cve-check.bbclass                |   4 +-
 meta/classes/uninative.bbclass                |   2 +-
 meta/conf/distro/include/yocto-uninative.inc  |  11 +-
 meta/recipes-core/coreutils/coreutils_8.31.bb |   3 -
 .../expat/expat/CVE-2022-25235.patch          | 283 +++++++++++++++
 .../expat/expat/CVE-2022-25236.patch          | 129 +++++++
 .../expat/CVE-2022-25313-regression.patch     | 131 +++++++
 .../expat/expat/CVE-2022-25313.patch          | 230 +++++++++++++
 .../expat/expat/CVE-2022-25314.patch          |  32 ++
 .../expat/expat/CVE-2022-25315.patch          | 145 ++++++++
 meta/recipes-core/expat/expat_2.2.9.bb        |   6 +
 .../bootchart2/bootchart2_0.14.9.bb           |   2 +-
 meta/recipes-devtools/go/go-1.14.inc          |   2 +
 .../go/go-1.14/CVE-2022-23772.patch           |  50 +++
 .../go/go-1.14/CVE-2022-23806.patch           | 142 ++++++++
 .../perl/libxml-parser-perl_2.46.bb           |   1 +
 .../libarchive/CVE-2021-36976-1.patch         | 321 ++++++++++++++++++
 .../libarchive/CVE-2021-36976-2.patch         | 121 +++++++
 .../libarchive/CVE-2021-36976-3.patch         |  93 +++++
 .../libarchive/libarchive_3.4.2.bb            |   6 +-
 ....08.28.bb => wireless-regdb_2022.02.18.bb} |   2 +-
 23 files changed, 1711 insertions(+), 14 deletions(-)
 create mode 100644 meta/recipes-core/expat/expat/CVE-2022-25235.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2022-25236.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2022-25313-regression.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2022-25313.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2022-25314.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2022-25315.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-23806.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-1.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-2.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch
 rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2021.08.28.bb => wireless-regdb_2022.02.18.bb} (94%)

-- 
2.25.1

[OE-core][dunfell 00/18] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by
end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4715

The following changes since commit cc8ec63310f9a936371ea1070cb257c926808755:

  oeqa/selftest/tinfoil: Add test for separate config_data with recipe_parse_file() (2022-12-14 16:34:29 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (1):
  tzdata: update 2022d -> 2022g

Bruce Ashfield (4):
  linux-yocto/5.4: update to v5.4.221
  linux-yocto/5.4: update to v5.4.224
  linux-yocto/5.4: update to v5.4.225
  linux-yocto/5.4: update to v5.4.228

Chen Qi (1):
  bc: extend to nativesdk

Hitendra Prajapati (1):
  grub2: CVE-2022-28735 shim_lock verifier allows non-kernel files to be
    loaded

Jagadeesh Krishnanjanappa (1):
  qemuboot.bbclass: make sure runqemu boots bundled initramfs kernel
    image

Joshua Watt (1):
  sudo: Use specific BSD license variant

Minjae Kim (1):
  ppp: fix CVE-2022-4603

Peter Marko (1):
  externalsrc: fix lookup for .gitmodules

Quentin Schulz (1):
  cairo: update patch for CVE-2019-6461 with upstream solution

Robert Andersson (1):
  go-crosssdk: avoid host contamination by GOCACHE

Ross Burton (1):
  lib/buildstats: fix parsing of trees with reduced_proc_pressure
    directories

Vivek Kumbhar (4):
  go: fix CVE-2022-41717 Excessive memory use in got server
  rsync: fix CVE-2022-29154 remote arbitrary files write inside the
    directories of connecting peers
  libx11: fix CVE-2022-3555 memory leak in _XFreeX11XCBStructure() of
    xcb_disp.c
  qemu: fix CVE-2021-3507 fdc heap buffer overflow in DMA read data
    transfers

 meta/classes/externalsrc.bbclass              |   2 +-
 meta/classes/qemuboot.bbclass                 |   3 +-
 .../grub/files/CVE-2022-28735.patch           | 271 ++++++++++++++
 meta/recipes-bsp/grub/grub2.inc               |   1 +
 .../ppp/ppp/CVE-2022-4603.patch               |  50 +++
 meta/recipes-connectivity/ppp/ppp_2.4.7.bb    |   1 +
 meta/recipes-devtools/go/go-1.14.inc          |   1 +
 .../go/go-1.14/CVE-2022-41717.patch           |  75 ++++
 meta/recipes-devtools/go/go-crosssdk.inc      |   2 +
 meta/recipes-devtools/qemu/qemu.inc           |   1 +
 .../qemu/qemu/CVE-2021-3507.patch             |  87 +++++
 .../rsync/files/CVE-2022-29154.patch          | 334 ++++++++++++++++++
 meta/recipes-devtools/rsync/rsync_3.1.3.bb    |   1 +
 meta/recipes-extended/bc/bc_1.07.1.bb         |   2 +-
 meta/recipes-extended/sudo/sudo.inc           |   2 +-
 meta/recipes-extended/timezone/timezone.inc   |   7 +-
 .../cairo/cairo/CVE-2019-6461.patch           |  35 +-
 .../xorg-lib/libx11/CVE-2022-3555.patch       |  38 ++
 .../recipes-graphics/xorg-lib/libx11_1.6.9.bb |   1 +
 .../linux/linux-yocto-rt_5.4.bb               |   6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  |  22 +-
 scripts/lib/buildstats.py                     |   4 +-
 23 files changed, 919 insertions(+), 35 deletions(-)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28735.patch
 create mode 100644 meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41717.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch
 create mode 100644 meta/recipes-devtools/rsync/files/CVE-2022-29154.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch

-- 
2.25.1