public inbox for openembedded-core@lists.openembedded.org
* [OE-core][dunfell 00/16] Patch review
From: Steve Sakoman @ 2020-04-29 16:10 UTC
  To: openembedded-core

Please review this first set of changes for dunfell and have comments back
by end of day Friday.

Clean a-full build on autobuilder (other than tickling a Send QA Email bug):

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/898

The following changes since commit 1795f30d8ab73d35710ca99064c51190dc84853e:

  build-appliance-image: Update to master head revision (2020-04-07 22:15:32 +0100)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-next
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-next

Bartosz Golaszewski (1):
  qemuboot.bbclass: don't redefine IMGDEPLOYDIR

Changqing Li (1):
  parselogs.py: ignore pulseaudio startup warning messages

Denys Dmytriyenko (1):
  u-boot.inc: install u-boot-initial-env as ${PN}-initial-env in $D and
    $DEPLOYDIR

Jeremy Puhlman (3):
  qemu-system-native: Fix commented out PACKAGECONFIG
  nativesdk-gcc-runtime: enable building libstdc++.a
  buildtools-extended-tarball: Add libstc++.a

Khem Raj (2):
  libucontext: Bring in mips/mips64 support
  ruby: Link with libucontext on musl

Maxime Roussin-Bélanger (1):
  tzdata: remove exit 0 from pkg_postinst

Paul Barker (1):
  kernel-yocto.bbclass: Fix deps when externalsrc is used

Pierre-Jean Texier (1):
  ell: upgrade 0.30 -> 0.31

Richard Purdie (1):
  bzip2/pbzip2: Correct license information

Tim Orling (1):
  python3-manifest.json: add pathlib to core

Wang Mingyu (1):
  gnutls: upgrade 3.6.12 -> 3.6.13

Yi Zhao (1):
  alsa-state: ignore 'No soundcards found' error in pkg_postinst

hongxu (1):
  buildtools-tarball: add nativesdk-mtools for `wic ls'

 meta/classes/kernel-yocto.bbclass             |  6 +++
 meta/classes/qemuboot.bbclass                 |  1 -
 .../common-licenses/{bzip2 => bzip2-1.0.6}    |  0
 meta/lib/oeqa/runtime/cases/parselogs.py      |  4 +-
 meta/recipes-bsp/alsa-state/alsa-state.bb     |  2 +-
 meta/recipes-bsp/u-boot/u-boot.inc            | 28 +++++------
 .../ell/{ell_0.30.bb => ell_0.31.bb}          |  4 +-
 .../meta/buildtools-extended-tarball.bb       |  1 +
 meta/recipes-core/meta/buildtools-tarball.bb  |  1 +
 ...move-using-.end-directive-with-clang.patch | 36 ++++++++++++++
 .../0001-Makefile-Add-LIBDIR-variable.patch   | 46 ------------------
 .../0001-pass-LDFLAGS-to-link-step.patch      | 31 ------------
 meta/recipes-core/musl/libucontext_git.bb     | 48 +++++++++----------
 meta/recipes-devtools/gcc/gcc-runtime.inc     |  2 +
 .../python/python3/python3-manifest.json      |  2 +
 meta/recipes-devtools/qemu/qemu.inc           |  2 +-
 meta/recipes-devtools/ruby/ruby_2.7.0.bb      |  9 +++-
 meta/recipes-extended/bzip2/bzip2_1.0.8.bb    |  2 +-
 meta/recipes-extended/pbzip2/pbzip2_1.1.13.bb |  2 +-
 meta/recipes-extended/timezone/tzdata.bb      |  8 +---
 .../{gnutls_3.6.12.bb => gnutls_3.6.13.bb}    |  4 +-
 21 files changed, 106 insertions(+), 133 deletions(-)
 rename meta/files/common-licenses/{bzip2 => bzip2-1.0.6} (100%)
 rename meta/recipes-core/ell/{ell_0.30.bb => ell_0.31.bb} (83%)
 create mode 100644 meta/recipes-core/musl/0001-Remove-using-.end-directive-with-clang.patch
 delete mode 100644 meta/recipes-core/musl/libucontext/0001-Makefile-Add-LIBDIR-variable.patch
 delete mode 100644 meta/recipes-core/musl/libucontext/0001-pass-LDFLAGS-to-link-step.patch
 rename meta/recipes-support/gnutls/{gnutls_3.6.12.bb => gnutls_3.6.13.bb} (93%)

-- 
2.17.1



* [OE-core][dunfell 00/16] Patch review
From: Steve Sakoman @ 2020-06-01 14:11 UTC
  To: openembedded-core

Please review this next set of patches for dunfell and have comments back
by end of day Wednesday.

The following changes since commit c88cf750f26f6786d6ba5b4f1f7e5d4f0c800e6e:

  avahi: Don't advertise example services by default (2020-05-26 04:12:28 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Adrian Bunk (1):
  libubootenv: Remove the DEPENDS on mtd-utils

Gregor Zatko (1):
  sanity.bbclass: Detect and fail if 'inherit' is used in conf file

Joe Slater (1):
  terminal.py: do not stop searching for auto

Joshua Watt (1):
  checklayer: Skip layers without a collection

Khem Raj (2):
  cve-check: Run it after do_fetch
  make-mod-scripts: Fix a rare build race condition

Konrad Weihmann (1):
  qemurunner: fix ip fallback detection

Lee Chee Yang (2):
  bind: fix CVE-2020-8616/7
  libexif: fix CVE-2020-13114

Mark Hatle (1):
  sstate.bbclass: When siginfo or sig files are missing, stop fetcher
    errors

Richard Purdie (2):
  resulttool/report: Remove leftover debugging
  resulttool/log: Add ability to dump ltp logs as well as ptest

Robert P. J. Day (1):
  bitbake.conf: Remove unused DEPLOY_DIR_TOOLS variable

Robert Yang (1):
  archiver.bbclass: Fix duplicated SRC_URIs for do_ar_original

Steve Sakoman (1):
  oeqa/concurrencytest: don't delete build directory for failed tests

Trevor Gamblin (1):
  qemuarm: check serial consoles vs /proc/consoles

 meta/classes/archiver.bbclass                 |   8 +-
 meta/classes/cve-check.bbclass                |   2 +-
 meta/classes/sanity.bbclass                   |   6 +
 meta/classes/sstate.bbclass                   |   6 +-
 meta/conf/bitbake.conf                        |   1 -
 meta/conf/machine/qemuarm.conf                |   1 +
 meta/conf/machine/qemuarm64.conf              |   1 +
 meta/lib/oe/terminal.py                       |   5 +-
 meta/lib/oeqa/core/utils/concurrencytest.py   |  10 +-
 meta/lib/oeqa/utils/qemurunner.py             |   2 +-
 meta/recipes-bsp/u-boot/libubootenv_0.2.bb    |   2 +-
 .../bind/bind/CVE-2020-8616.patch             | 206 ++++++++++++++++++
 .../bind/bind/CVE-2020-8617.patch             |  29 +++
 .../recipes-connectivity/bind/bind_9.11.13.bb |   2 +
 .../make-mod-scripts/make-mod-scripts_1.0.bb  |   7 +-
 .../libexif/libexif/CVE-2020-13114.patch      |  73 +++++++
 .../recipes-support/libexif/libexif_0.6.21.bb |   4 +-
 scripts/lib/checklayer/__init__.py            |   3 +
 scripts/lib/resulttool/log.py                 |  21 +-
 scripts/lib/resulttool/report.py              |   1 -
 scripts/lib/resulttool/resultutils.py         |  22 +-
 21 files changed, 383 insertions(+), 29 deletions(-)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
 create mode 100644 meta/recipes-support/libexif/libexif/CVE-2020-13114.patch

-- 
2.17.1



* [OE-core][dunfell 00/16] Patch review
From: Steve Sakoman @ 2020-10-27 22:29 UTC
  To: openembedded-core

Please review this next set of patches for dunfell and have changes back
by end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1514

The following changes since commit 89e6fc44a378cb3489376d7193672cdf94c504b6:

  qemu: change TLBs number to 64 in 34Kf mips cpu model (2020-10-21 04:42:42 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Jose Quaresma (12):
  gstreamer1.0: Fix reproducibility issue around libcap
  gstreamer1.0: Update 1.16.2 -> Update 1.16.3
  gstreamer1.0-plugins-base: Update 1.16.2 -> Update 1.16.3
  gstreamer1.0-plugins-good: Update 1.16.2 -> Update 1.16.3
  gstreamer1.0-plugins-bad: Update 1.16.2 -> Update 1.16.3
  gstreamer1.0-plugins-ugly: Update 1.16.2 -> Update 1.16.3
  gstreamer1.0-libav: Update 1.16.2 -> Update 1.16.3
  gstreamer1.0-vaapi: Update 1.16.2 -> Update 1.16.3
  gstreamer1.0-rtsp-server: Update 1.16.2 -> Update 1.16.3
  gstreamer1.0-omx: Update 1.16.2 -> Update 1.16.3
  gstreamer1.0-python: Update 1.16.2 -> Update 1.16.3
  gst-validate: Update 1.16.2 -> Update 1.16.3

Lee Chee Yang (1):
  ffmpeg: fix CVE-2020-12284

Richard Purdie (1):
  oeqa: Add sync call to command execution

Ross Burton (2):
  gcc: mitigate the Straight-line Speculation attack
  glib-2.0: fix parsing of slim encoded tzdata

 meta/lib/oeqa/selftest/cases/runcmd.py        |  16 +-
 meta/lib/oeqa/utils/commands.py               |   8 +-
 .../glib-2.0/glib-2.0/tzdata-update.patch     | 458 ++++++++++++
 meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb |   1 +
 meta/recipes-devtools/gcc/gcc-9.3.inc         |   3 +
 ...ight-Line-Speculation-SLS-mitigation.patch | 204 ++++++
 ...e-SLS-mitigation-for-RET-and-BR-inst.patch | 600 ++++++++++++++++
 ...h64-Mitigate-SLS-for-BLR-instruction.patch | 659 ++++++++++++++++++
 .../ffmpeg/ffmpeg/CVE-2020-12284.patch        |  36 +
 .../recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb |   1 +
 ...idate_1.16.2.bb => gst-validate_1.16.3.bb} |   4 +-
 ...1.16.2.bb => gstreamer1.0-libav_1.16.3.bb} |   4 +-
 ...x_1.16.2.bb => gstreamer1.0-omx_1.16.3.bb} |   4 +-
 ....bb => gstreamer1.0-plugins-bad_1.16.3.bb} |   4 +-
 ...bb => gstreamer1.0-plugins-base_1.16.3.bb} |   4 +-
 ...bb => gstreamer1.0-plugins-good_1.16.3.bb} |   4 +-
 ...bb => gstreamer1.0-plugins-ugly_1.16.3.bb} |   4 +-
 ...son.build-fix-builds-with-python-3.8.patch |  24 -
 ....16.2.bb => gstreamer1.0-python_1.16.3.bb} |   8 +-
 ....bb => gstreamer1.0-rtsp-server_1.16.3.bb} |   4 +-
 ...1.16.2.bb => gstreamer1.0-vaapi_1.16.3.bb} |   4 +-
 .../gstreamer/gstreamer1.0/capfix.patch       |  37 -
 ...er1.0_1.16.2.bb => gstreamer1.0_1.16.3.bb} |   9 +-
 23 files changed, 2002 insertions(+), 98 deletions(-)
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/tzdata-update.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc-9.3/0001-aarch64-New-Straight-Line-Speculation-SLS-mitigation.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc-9.3/0002-aarch64-Introduce-SLS-mitigation-for-RET-and-BR-inst.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc-9.3/0003-aarch64-Mitigate-SLS-for-BLR-instruction.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-12284.patch
 rename meta/recipes-multimedia/gstreamer/{gst-validate_1.16.2.bb => gst-validate_1.16.3.bb} (87%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-libav_1.16.2.bb => gstreamer1.0-libav_1.16.3.bb} (90%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-omx_1.16.2.bb => gstreamer1.0-omx_1.16.3.bb} (92%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-bad_1.16.2.bb => gstreamer1.0-plugins-bad_1.16.3.bb} (98%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-base_1.16.2.bb => gstreamer1.0-plugins-base_1.16.3.bb} (96%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-good_1.16.2.bb => gstreamer1.0-plugins-good_1.16.3.bb} (96%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-ugly_1.16.2.bb => gstreamer1.0-plugins-ugly_1.16.3.bb} (90%)
 delete mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-python/0001-meson.build-fix-builds-with-python-3.8.patch
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-python_1.16.2.bb => gstreamer1.0-python_1.16.3.bb} (80%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-rtsp-server_1.16.2.bb => gstreamer1.0-rtsp-server_1.16.3.bb} (86%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-vaapi_1.16.2.bb => gstreamer1.0-vaapi_1.16.3.bb} (93%)
 delete mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0/capfix.patch
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0_1.16.2.bb => gstreamer1.0_1.16.3.bb} (90%)

-- 
2.17.1



* [OE-core][dunfell 00/16] Patch review
From: Steve Sakoman @ 2020-12-01 18:51 UTC
  To: openembedded-core

Please review this next set of patches for dunfell and have comments back by
end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1638

The following changes since commit b885888df67eb5cdb3b82f4f0a07369a449e223b:

  build-appliance-image: Update to dunfell head revision (2020-11-25 23:25:31 +0000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Anuj Mittal (1):
  distutils-common-base: fix LINKSHARED expansion

Bruce Ashfield (2):
  kernel: provide module.lds for out of tree builds in v5.10+
  kernel: relocate copy of module.lds to module compilation task

Fedor Ross (2):
  sysvinit: remove bashism to be compatible with dash
  eudev: remove bashism to be compatible with dash

Loic Domaigne (1):
  roofs_*.bbclass: fix missing vardeps for do_rootfs

Max Krummenacher (1):
  linux-firmware: rdepend on license for all nvidia packages

Richard Purdie (2):
  fs-perms: Ensure /usr/src/debug/ file modes are correct
  e2fsprogs: Fix a ptest permissions determinism issue

Ross Burton (4):
  cve-check: show real PN/PV
  python3: add CVE-2007-4559 to whitelist
  gstreamer1.0-rtsp-server: set CVE_PRODUCT
  gstreamer1.0-plugins-base: set CVE_PRODUCT

Steve Sakoman (1):
  sqlite3: add CVE-2015-3717 to whitelist

Vyacheslav Yurkov (1):
  license_image.bbclass: use canonical name for license files

Wonmin Jung (1):
  kernel: Set proper LD in KERNEL_KCONFIG_COMMAND

 meta/classes/cve-check.bbclass                           | 9 ++++++---
 meta/classes/distutils-common-base.bbclass               | 2 +-
 meta/classes/kernel.bbclass                              | 6 +++++-
 meta/classes/license_image.bbclass                       | 3 ++-
 meta/classes/package.bbclass                             | 2 +-
 meta/classes/rootfs_deb.bbclass                          | 2 +-
 meta/classes/rootfs_ipk.bbclass                          | 2 +-
 meta/classes/rootfs_rpm.bbclass                          | 2 +-
 meta/conf/abi_version.conf                               | 2 +-
 meta/files/fs-perms-persistent-log.txt                   | 2 +-
 meta/files/fs-perms.txt                                  | 2 +-
 meta/recipes-core/sysvinit/sysvinit/rc                   | 2 +-
 meta/recipes-core/udev/eudev/init                        | 2 +-
 meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb      | 2 ++
 meta/recipes-devtools/python/python3_3.8.2.bb            | 2 ++
 .../linux-firmware/linux-firmware_20201022.bb            | 1 +
 meta/recipes-kernel/linux/kernel-devsrc.bb               | 6 ++++++
 .../gstreamer/gstreamer1.0-plugins-base_1.16.3.bb        | 2 ++
 .../gstreamer/gstreamer1.0-rtsp-server_1.16.3.bb         | 2 ++
 meta/recipes-support/sqlite/sqlite3_3.31.1.bb            | 2 ++
 20 files changed, 40 insertions(+), 15 deletions(-)

-- 
2.17.1



* [OE-core][dunfell 01/16] kernel: provide module.lds for out of tree builds in v5.10+
From: Steve Sakoman @ 2020-12-01 18:51 UTC
  To: openembedded-core

From: Bruce Ashfield <bruce.ashfield@gmail.com>

The upstream commit 596b0474d3d [kbuild: preprocess module linker
script] adds a dependency on module.lds for external module
building.

Since module.lds is generated as part of 'modules_prepare', we
must make it available with the other kernel artifacts in the
kernel shared workdir, otherwise out of tree builds fail.

This fixes errors like:

    | make[4]: *** No rule to make target 'scripts/module.lds', needed by
        'build/tmp/work/qemuarm64-poky-linux/cryptodev-module/1.11-r0/git/cryptodev.ko'.
        Stop.
    | make[4]: *** Waiting for unfinished jobs....

We also ensure that kernel-devsrc has a copy to support on
target module builds that are often prepared with 'make scripts
prepare'. Those targets won't regenerate it, so the build fails.
If 'make modules_prepare' is used, the file will be regenerated
and overwrite our copy (as expected).

Signed-off-by: Pan, Kris <kris.pan@intel.com>
Signed-off-by: Lili Li <lili.li@intel.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0fc66a0b64953aae38d0124b57615fffaec8de52)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/kernel.bbclass                | 1 +
 meta/recipes-kernel/linux/kernel-devsrc.bb | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass
index 9e3c34ad48..58c9f171dc 100644
--- a/meta/classes/kernel.bbclass
+++ b/meta/classes/kernel.bbclass
@@ -465,6 +465,7 @@ do_shared_workdir () {
 	# Copy files required for module builds
 	cp System.map $kerneldir/System.map-${KERNEL_VERSION}
 	[ -e Module.symvers ] && cp Module.symvers $kerneldir/
+	[ -e scripts/module.lds ] && install -Dm 0644 scripts/module.lds $kerneldir/scripts/module.lds
 	cp .config $kerneldir/
 	mkdir -p $kerneldir/include/config
 	cp include/config/kernel.release $kerneldir/include/config/kernel.release
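Review bot: The `[ -e scripts/module.lds ] &&` guard on the added line in do_shared_workdir skips the copy silently when the file is absent, and the commit message says module.lds is only generated by 'modules_prepare'. If that target has not run by the time do_shared_workdir executes, nothing is installed into $kerneldir/scripts/ and the out-of-tree build still stops with "No rule to make target 'scripts/module.lds'". Please confirm the task ordering, or emit a bbnote in the missing-file case so the skip shows up in the task log. The paths are also unquoted, which matches the neighbouring lines but breaks on a $kerneldir containing spaces.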
diff --git a/meta/recipes-kernel/linux/kernel-devsrc.bb b/meta/recipes-kernel/linux/kernel-devsrc.bb
index 5940cc90ea..951e7635cc 100644
--- a/meta/recipes-kernel/linux/kernel-devsrc.bb
+++ b/meta/recipes-kernel/linux/kernel-devsrc.bb
@@ -86,6 +86,12 @@ do_install() {
 	# be dealt with.
 	# cp -a scripts $kerneldir/build
 
+	# although module.lds can be regenerated on target via 'make modules_prepare'
+	# there are several places where 'makes scripts prepare' is done, and that won't
+	# regenerate the file. So we copy it onto the target as a migration to using
+	# modules_prepare
+	cp -a --parents scripts/module.lds $kerneldir/build/ 2>/dev/null || :
+
         if [ -d arch/${ARCH}/scripts ]; then
 	    cp -a arch/${ARCH}/scripts $kerneldir/build/arch/${ARCH}
 	fi
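Review bot: `2>/dev/null || :` on the added cp in do_install discards every failure, not only the expected missing file on kernels older than 5.10, so a permission or disk-space error leaves kernel-devsrc without module.lds and leaves no trace in the log. An explicit existence test, as the kernel.bbclass hunk uses (`[ -e scripts/module.lds ] && ...`), would keep real copy errors fatal. The new comment also reads 'makes scripts prepare' where the commit message has 'make scripts prepare'.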
-- 
2.17.1



* [OE-core][dunfell 02/16] kernel: relocate copy of module.lds to module compilation task
From: Steve Sakoman @ 2020-12-01 18:51 UTC
  To: openembedded-core

From: Bruce Ashfield <bruce.ashfield@gmail.com>

There were two copies of this patch floating around, and the merged
variant has the copy in the wrong place.

module.lds is only created during modules_prepare, and that target is
not invoked during our main build of the kernel. We aren't about to
change the kernel build (there's no need), so we move the copy into
the compile_kernelmodules task. After that runs, we have module.lds
available to copy.

This has been tested against clean kernel + out of tree module
builds, and the dependencies are correct that the file is copied
before the out of tree module build starts.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7d94f9209ebaaf59ea001239a889dd7f928a0e7c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/kernel.bbclass | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass
index 58c9f171dc..700ba0ad8d 100644
--- a/meta/classes/kernel.bbclass
+++ b/meta/classes/kernel.bbclass
@@ -358,6 +358,10 @@ do_compile_kernelmodules() {
 		# other kernel modules and will look at this
 		# file to do symbol lookups
 		cp ${B}/Module.symvers ${STAGING_KERNEL_BUILDDIR}/
+		# 5.10+ kernels have module.lds that we need to copy for external module builds
+		if [ -e "${B}/scripts/module.lds" ]; then
+			install -Dm 0644 ${B}/scripts/module.lds ${STAGING_KERNEL_BUILDDIR}/scripts/module.lds
+		fi
 	else
 		bbnote "no modules to compile"
 	fi
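Review bot: The test in do_compile_kernelmodules quotes its path (`[ -e "${B}/scripts/module.lds" ]`) but the install line below it passes ${B}/scripts/module.lds and ${STAGING_KERNEL_BUILDDIR}/scripts/module.lds unquoted; quote both arguments for consistency. The comment says 5.10+ kernels need this file, yet a 5.10+ build where it is missing passes this task silently and only fails later in the external module recipe; a bbnote in an else branch would make that visible in the kernel's own log.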
@@ -465,7 +469,6 @@ do_shared_workdir () {
 	# Copy files required for module builds
 	cp System.map $kerneldir/System.map-${KERNEL_VERSION}
 	[ -e Module.symvers ] && cp Module.symvers $kerneldir/
-	[ -e scripts/module.lds ] && install -Dm 0644 scripts/module.lds $kerneldir/scripts/module.lds
 	cp .config $kerneldir/
 	mkdir -p $kerneldir/include/config
 	cp include/config/kernel.release $kerneldir/include/config/kernel.release
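Review bot: The line removed from do_shared_workdir is the one added by 01/16 of this same series (cherry picked from 0fc66a0b64953aae38d0124b57615fffaec8de52), but the commit message refers to it only as "the merged variant". Citing that commit in the message would show anyone bisecting or backporting that the two changes belong together, since 01/16 on its own leaves the copy in a task where, per this message, module.lds does not yet exist.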
-- 
2.17.1



* [OE-core][dunfell 03/16] kernel: Set proper LD in KERNEL_KCONFIG_COMMAND
From: Steve Sakoman @ 2020-12-01 18:51 UTC
  To: openembedded-core

From: Wonmin Jung <wonmin82@gmail.com>

With 'ld-is-gold' and linux kernel 5.4 or later, menuconfig
task for kernel recipes will fail with:

$ bitbake -c menuconfig virtual/kernel
...
scripts/kconfig/mconf  Kconfig
scripts/Kconfig.include:43:  gold linker 'x86_64-poky-linux-ld' not supported
/OE/build/tmp/work-shared/qemux86-64/kernel-source/scripts/kconfig/Makefile:29:
 recipe for target 'menuconfig' failed
make[2]: *** [menuconfig] Error 1
/OE/build/tmp/work-shared/qemux86-64/kernel-source/Makefile:606:
 recipe for target 'menuconfig' failed
make[1]: *** [menuconfig] Error 2
/OE/build/tmp/work-shared/qemux86-64/kernel-source/Makefile:185:
 recipe for target '__sub-make' failed
make: *** [__sub-make] Error 2
Command failed.

This is because the KERNEL_LD variable already set in
kernel-arch.bbclass isn't used by the do_menuconfig function of
cml1.bbclass.

To fix this issue, specify the LD variable while calling the kernel
menuconfig command through KERNEL_KCONFIG_COMMAND.

Signed-off-by: Wonmin Jung <wonmin82@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1faf66ce0b1f8f5165277161e07e25e672370c3f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/kernel.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass
index 700ba0ad8d..29afd791e9 100644
--- a/meta/classes/kernel.bbclass
+++ b/meta/classes/kernel.bbclass
@@ -569,7 +569,7 @@ addtask savedefconfig after do_configure
 
 inherit cml1
 
-KCONFIG_CONFIG_COMMAND_append = " HOSTLDFLAGS='${BUILD_LDFLAGS}'"
+KCONFIG_CONFIG_COMMAND_append = " LD='${KERNEL_LD}' HOSTLDFLAGS='${BUILD_LDFLAGS}'"
 
 EXPORT_FUNCTIONS do_compile do_install do_configure
 
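Review bot: The subject and commit message name KERNEL_KCONFIG_COMMAND, but the variable changed in this hunk is KCONFIG_CONFIG_COMMAND_append; the message should use the name that is actually in kernel.bbclass so the change can be found by grep. On the value itself, LD='${KERNEL_LD}' is wrapped in single quotes, so a KERNEL_LD that contained a single quote would break the command line; a short comment stating that assumption would help.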
-- 
2.17.1



* [OE-core][dunfell 04/16] roofs_*.bbclass: fix missing vardeps for do_rootfs
From: Steve Sakoman @ 2020-12-01 18:51 UTC
  To: openembedded-core

From: Loic Domaigne <tech@domaigne.com>

As per lib/oe/rootfs.py and lib/oe/package_manager/???/__init__.py
the PACKAGE_FEED baseurl is defined as the joined paths of:
URIS/BASE_PATHS/ARCHS

Therefore, the do_rootfs task should depend furthermore on
PACKAGE_FEED_{BASE_PATHS,ARCHS} to properly retrigger a build if
the value changes.

Signed-off-by: Loic Domaigne (ljd) <tech@domaigne.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e5329464f5ebad909c4c9bd27a718bbd8f4cc221)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/rootfs_deb.bbclass | 2 +-
 meta/classes/rootfs_ipk.bbclass | 2 +-
 meta/classes/rootfs_rpm.bbclass | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/classes/rootfs_deb.bbclass b/meta/classes/rootfs_deb.bbclass
index 2b93796a76..ef616da229 100644
--- a/meta/classes/rootfs_deb.bbclass
+++ b/meta/classes/rootfs_deb.bbclass
@@ -7,7 +7,7 @@ ROOTFS_PKGMANAGE = "dpkg apt"
 do_rootfs[depends] += "dpkg-native:do_populate_sysroot apt-native:do_populate_sysroot"
 do_populate_sdk[depends] += "dpkg-native:do_populate_sysroot apt-native:do_populate_sysroot bzip2-native:do_populate_sysroot"
 do_rootfs[recrdeptask] += "do_package_write_deb do_package_qa"
-do_rootfs[vardeps] += "PACKAGE_FEED_URIS"
+do_rootfs[vardeps] += "PACKAGE_FEED_URIS PACKAGE_FEED_BASE_PATHS PACKAGE_FEED_ARCHS"
 
 do_rootfs[lockfiles] += "${DEPLOY_DIR_DEB}/deb.lock"
 do_populate_sdk[lockfiles] += "${DEPLOY_DIR_DEB}/deb.lock"
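Review bot: The do_rootfs[vardeps] string changed here is repeated verbatim in the rootfs_ipk and rootfs_rpm hunks below, and all three copies have to be kept in step by hand with whatever lib/oe/rootfs.py and the package_manager code read to build the feed base URL. Defining the list once, for example in a single variable that the three vardeps lines reference, would stop the next feed variable from being missed in one backend, which is the case where an image keeps a stale feed URL because do_rootfs is not re-run.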
diff --git a/meta/classes/rootfs_ipk.bbclass b/meta/classes/rootfs_ipk.bbclass
index e73d2bfdae..f1e0219732 100644
--- a/meta/classes/rootfs_ipk.bbclass
+++ b/meta/classes/rootfs_ipk.bbclass
@@ -11,7 +11,7 @@ ROOTFS_PKGMANAGE = "opkg ${EXTRAOPKGCONFIG}"
 do_rootfs[depends] += "opkg-native:do_populate_sysroot opkg-utils-native:do_populate_sysroot"
 do_populate_sdk[depends] += "opkg-native:do_populate_sysroot opkg-utils-native:do_populate_sysroot"
 do_rootfs[recrdeptask] += "do_package_write_ipk do_package_qa"
-do_rootfs[vardeps] += "PACKAGE_FEED_URIS"
+do_rootfs[vardeps] += "PACKAGE_FEED_URIS PACKAGE_FEED_BASE_PATHS PACKAGE_FEED_ARCHS"
 
 do_rootfs[lockfiles] += "${WORKDIR}/ipk.lock"
 do_populate_sdk[lockfiles] += "${WORKDIR}/ipk.lock"
diff --git a/meta/classes/rootfs_rpm.bbclass b/meta/classes/rootfs_rpm.bbclass
index 51f89ea990..ae0f541c49 100644
--- a/meta/classes/rootfs_rpm.bbclass
+++ b/meta/classes/rootfs_rpm.bbclass
@@ -24,7 +24,7 @@ do_rootfs[depends] += "${RPMROOTFSDEPENDS}"
 do_populate_sdk[depends] += "${RPMROOTFSDEPENDS}"
 
 do_rootfs[recrdeptask] += "do_package_write_rpm do_package_qa"
-do_rootfs[vardeps] += "PACKAGE_FEED_URIS"
+do_rootfs[vardeps] += "PACKAGE_FEED_URIS PACKAGE_FEED_BASE_PATHS PACKAGE_FEED_ARCHS"
 
 python () {
     if d.getVar('BUILD_IMAGES_FROM_FEEDS'):
-- 
2.17.1



* [OE-core][dunfell 05/16] linux-firmware: rdepend on license for all nvidia packages
From: Steve Sakoman @ 2020-12-01 18:51 UTC
  To: openembedded-core

From: Max Krummenacher <max.oss.09@gmail.com>

Fixes commit 0671d04978 ("linux-firmware: package nvidia firmware")

Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 59789dea33629a96f0fe5646eb684aa131e167bf)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-kernel/linux-firmware/linux-firmware_20201022.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20201022.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20201022.bb
index 045f2647e0..93b9d5308a 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20201022.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20201022.bb
@@ -501,6 +501,7 @@ FILES_${PN}-nvidia-license = "${nonarch_base_libdir}/firmware/LICENCE.nvidia"
 
 RDEPENDS_${PN}-nvidia-gpu += "${PN}-nvidia-license"
 RDEPENDS_${PN}-nvidia-tegra += "${PN}-nvidia-license"
+RDEPENDS_${PN}-nvidia-tegra-k1 += "${PN}-nvidia-license"
 
 # For rtl
 LICENSE_${PN}-rtl8188 = "Firmware-rtlwifi_firmware"
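Review bot: The subject says "all nvidia packages", but the hunk shows the license dependency being listed one package at a time (nvidia-gpu, nvidia-tegra, and now nvidia-tegra-k1), which is how nvidia-tegra-k1 came to be missed. Please check the ${PN}-nvidia-* entries in PACKAGES against these RDEPENDS lines so that no nvidia firmware package can be installed without ${PN}-nvidia-license and its LICENCE.nvidia file.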
-- 
2.17.1



* [OE-core][dunfell 06/16] license_image.bbclass: use canonical name for license files
From: Steve Sakoman @ 2020-12-01 18:51 UTC
  To: openembedded-core

From: Vyacheslav Yurkov <Vyacheslav.Yurkov@bruker.com>

When copying license files to the image rootfs, i.e. to
/usr/share/common-licenses, a canonical name of a license should be
used, otherwise duplicated files end up in the common-licenses directory.

For example, the GPL-2.0 license according to conf/license.conf can be
referenced in recipes as GPL-2, GPLv2, and GPLv2.0. If a license name is
used directly, we end up with three files in the rootfs with the same
content. If a canonical name is used instead, then each license gets copied
only once.

Signed-off-by: Vyacheslav Yurkov <Vyacheslav.Yurkov@bruker.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 670fe71dd18ea675f35581db4a61fda137f8bf00)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/license_image.bbclass | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/classes/license_image.bbclass b/meta/classes/license_image.bbclass
index a8c72da3cb..acd8126f68 100644
--- a/meta/classes/license_image.bbclass
+++ b/meta/classes/license_image.bbclass
@@ -125,7 +125,6 @@ def write_license_files(d, license_manifest, pkg_dic, rootfs=True):
 
                 licenses = os.listdir(pkg_license_dir)
                 for lic in licenses:
-                    rootfs_license = os.path.join(rootfs_license_dir, lic)
                     pkg_license = os.path.join(pkg_license_dir, lic)
                     pkg_rootfs_license = os.path.join(pkg_rootfs_license_dir, lic)
 
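Review bot: With the assignment removed from the top of the `for lic in licenses:` loop, rootfs_license is only set inside the later conditional block. Please confirm that nothing else in the loop body reads it outside that block; otherwise it would raise NameError on the first iteration or reuse the path left over from the previous one.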
@@ -144,6 +143,8 @@ def write_license_files(d, license_manifest, pkg_dic, rootfs=True):
                                 bad_licenses) == False:
                             continue
 
+                        # Make sure we use only canonical name for the license file
+                        rootfs_license = os.path.join(rootfs_license_dir, "generic_%s" % generic_lic)
                         if not os.path.exists(rootfs_license):
                             oe.path.copyhardlink(pkg_license, rootfs_license)
 
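Review bot: in the added `rootfs_license = os.path.join(rootfs_license_dir, "generic_%s" % generic_lic)` line, `generic_lic` is not assigned anywhere in the visible context, and `rootfs_license` is now set only inside this branch instead of once per `lic` at the top of the loop. Please confirm that `generic_lic` is always bound before this point and that nothing later in the loop body reads `rootfs_license` on a path that skips this assignment, where it would be unset or carry the previous iteration's value. The new comment could also say that several aliases now map to one `generic_<name>` file, so the `os.path.exists` check is what turns the second and third alias into a no-op.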
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [OE-core][dunfell 07/16] cve-check: show real PN/PV
  2020-12-01 18:51 [OE-core][dunfell 00/16] Patch review Steve Sakoman
                   ` (5 preceding siblings ...)
  2020-12-01 18:51 ` [OE-core][dunfell 06/16] license_image.bbclass: use canonical name for license files Steve Sakoman
@ 2020-12-01 18:51 ` Steve Sakoman
  2020-12-01 18:51 ` [OE-core][dunfell 08/16] python3: add CVE-2007-4559 to whitelist Steve Sakoman
                   ` (8 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2020-12-01 18:51 UTC (permalink / raw)
  To: openembedded-core

From: Ross Burton <ross@burtonini.com>

The output currently shows the remapped product and version fields,
which may not be the actual recipe name/version. As this report is about
recipes, use the real values.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 18827d7f40db4a4f92680bd59ca655cca373ad65)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/cve-check.bbclass | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 17f64a8a9c..669da6c8e9 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -205,6 +205,9 @@ def check_cves(d, patched_cves):
     """
     from distutils.version import LooseVersion
 
+    pn = d.getVar("PN")
+    real_pv = d.getVar("PV")
+
     cves_unpatched = []
     # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
     products = d.getVar("CVE_PRODUCT").split()
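Review bot: `real_pv` sits next to the existing `pv`, which is derived from `CVE_VERSION` a few lines below, and the two are easy to mix up. A short comment on the new assignments saying that `pn` and `real_pv` are for reporting only while `pv` is the value that gets compared, or renaming the compared value, would keep a later edit from matching against the wrong one.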
@@ -214,7 +217,7 @@ def check_cves(d, patched_cves):
     pv = d.getVar("CVE_VERSION").split("+git")[0]
 
     # If the recipe has been whitlisted we return empty lists
-    if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split():
+    if pn in d.getVar("CVE_CHECK_PN_WHITELIST").split():
         bb.note("Recipe has been whitelisted, skipping check")
         return ([], [], [])
 
@@ -283,12 +286,12 @@ def check_cves(d, patched_cves):
                         vulnerable = vulnerable_start or vulnerable_end
 
                 if vulnerable:
-                    bb.note("%s-%s is vulnerable to %s" % (product, pv, cve))
+                    bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve))
                     cves_unpatched.append(cve)
                     break
 
             if not vulnerable:
-                bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve))
+                bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve))
                 # TODO: not patched but not vulnerable
                 patched_cves.add(cve)
 
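Review bot: both `bb.note` calls now print `pn` and `real_pv`, but per the commit message the lookup is done with the remapped `product` and `pv`, so when `CVE_PRODUCT` or `CVE_VERSION` differ from the recipe values the log no longer shows what was actually compared. For triaging a false positive or a missed CVE it would help to keep the remapped values as well, for example by appending "(checked as %s %s)" with `product` and `pv` to each message.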
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [OE-core][dunfell 08/16] python3: add CVE-2007-4559 to whitelist
  2020-12-01 18:51 [OE-core][dunfell 00/16] Patch review Steve Sakoman
                   ` (6 preceding siblings ...)
  2020-12-01 18:51 ` [OE-core][dunfell 07/16] cve-check: show real PN/PV Steve Sakoman
@ 2020-12-01 18:51 ` Steve Sakoman
  2020-12-01 18:51 ` [OE-core][dunfell 09/16] sqlite3: add CVE-2015-3717 " Steve Sakoman
                   ` (7 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2020-12-01 18:51 UTC (permalink / raw)
  To: openembedded-core

From: Ross Burton <ross@burtonini.com>

This issue describes expected behaviour, do not use tarfile with
untrusted data.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f4c22e83f2e68ff157da5ea1303acc2931d63f5f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/python/python3_3.8.2.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-devtools/python/python3_3.8.2.bb b/meta/recipes-devtools/python/python3_3.8.2.bb
index 1d0b4cdb77..b4cce88e87 100644
--- a/meta/recipes-devtools/python/python3_3.8.2.bb
+++ b/meta/recipes-devtools/python/python3_3.8.2.bb
@@ -52,6 +52,8 @@ UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
 
 CVE_PRODUCT = "python"
 
+# Upstream consider this expected behaviour
+CVE_CHECK_WHITELIST += "CVE-2007-4559"
 # This is not exploitable when glibc has CVE-2016-10739 fixed.
 CVE_CHECK_WHITELIST += "CVE-2019-18348"
 
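Review bot: the new comment `# Upstream consider this expected behaviour` does not say what the behaviour is, unlike the neighbouring entry, which states its condition. The commit message has the useful part: the guidance is not to use `tarfile` with untrusted data. Putting that in the comment keeps the rationale visible to anyone auditing `CVE_CHECK_WHITELIST`, since the whitelist removes the CVE from reports while the behaviour itself stays in the shipped Python.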
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 24+ messages in thread
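The commit message above whitelists CVE-2007-4559 on the grounds that `tarfile` must not be given untrusted data. As an added example (not part of the patch or of OE-core), this is one way a caller can vet archive members before extracting; `build_sample_archive`, `escaping_members` and `safe_extract` are names made up here, and the archive is constructed in memory for the demonstration.

```python
import io
import os
import tarfile
import tempfile


def build_sample_archive(hostile=True):
    """Return the bytes of a constructed tar: one benign file, optionally three bad members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data=b"x"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("docs/readme.txt", b"hello")
        if hostile:
            add_file("../outside.txt")          # relative path climbing out
            add_file("/tmp/absolute.txt")       # absolute path
            link = tarfile.TarInfo("docs/link")  # symlink pointing outside
            link.type = tarfile.SYMTYPE
            link.linkname = "../../etc"
            tar.addfile(link)
    return buf.getvalue()


def _inside(base, path):
    """True if path, once resolved, is base itself or lies below it."""
    base = os.path.realpath(base)
    return os.path.commonpath([base, os.path.realpath(path)]) == base


def escaping_members(tar, dest):
    """Return (name, reason) for every member that would land or point outside dest."""
    bad = []
    for member in tar.getmembers():
        target = os.path.join(dest, member.name)
        if os.path.isabs(member.name) or not _inside(dest, target):
            bad.append((member.name, "path leaves destination"))
        elif member.issym() or member.islnk():
            # Symlink targets are relative to the link's directory,
            # hard link targets are relative to the archive root.
            base = os.path.dirname(target) if member.issym() else dest
            if not _inside(dest, os.path.join(base, member.linkname)):
                bad.append((member.name, "link target leaves destination"))
        elif member.isdev():
            bad.append((member.name, "device node or FIFO"))
    return bad


def safe_extract(archive_bytes, dest):
    """Extract only when every member is acceptable; return the rejected members."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as tar:
        bad = escaping_members(tar, dest)
        if bad:
            return bad
        # Newer Python releases ship extraction filters; use them when present.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
    return []


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as dest:
        for name, reason in safe_extract(build_sample_archive(), dest):
            print("rejected %r: %s" % (name, reason))
```

The check refuses the whole archive when any member is rejected, so a partially extracted tree is never left behind.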

* [OE-core][dunfell 09/16] sqlite3: add CVE-2015-3717 to whitelist
  2020-12-01 18:51 [OE-core][dunfell 00/16] Patch review Steve Sakoman
                   ` (7 preceding siblings ...)
  2020-12-01 18:51 ` [OE-core][dunfell 08/16] python3: add CVE-2007-4559 to whitelist Steve Sakoman
@ 2020-12-01 18:51 ` Steve Sakoman
  2020-12-01 18:51 ` [OE-core][dunfell 10/16] gstreamer1.0-rtsp-server: set CVE_PRODUCT Steve Sakoman
                   ` (6 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2020-12-01 18:51 UTC (permalink / raw)
  To: openembedded-core

As per https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA this issue
is believed to be either iOS specific, or fixed in 3.8.9.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 (cherry-picked from d11a2157befcfe40517140988dd26bf0ed7240b6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
index c289affd60..877e80f5a3 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
@@ -19,3 +19,5 @@ SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b5
 
 # -19242 is only an issue in specific development branch commits
 CVE_CHECK_WHITELIST += "CVE-2019-19242"
+# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
+CVE_CHECK_WHITELIST += "CVE-2015-3717"
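Review bot: the added comment records only "believed to be iOS specific", while the commit message gives a second reason, "or fixed in 3.8.9". Since this recipe is 3.31.1, the version-based reason holds regardless of platform, so it belongs in the comment as well.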
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [OE-core][dunfell 10/16] gstreamer1.0-rtsp-server: set CVE_PRODUCT
  2020-12-01 18:51 [OE-core][dunfell 00/16] Patch review Steve Sakoman
                   ` (8 preceding siblings ...)
  2020-12-01 18:51 ` [OE-core][dunfell 09/16] sqlite3: add CVE-2015-3717 " Steve Sakoman
@ 2020-12-01 18:51 ` Steve Sakoman
  2020-12-01 18:51 ` [OE-core][dunfell 11/16] gstreamer1.0-plugins-base: " Steve Sakoman
                   ` (5 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2020-12-01 18:51 UTC (permalink / raw)
  To: openembedded-core

From: Ross Burton <ross@burtonini.com>

There are CVEs with the 'gst-rtsp-server' product, so set that.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit eb5cbdead78d092733e783b09528b208efccac3d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../gstreamer/gstreamer1.0-rtsp-server_1.16.3.bb                | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.3.bb
index 5f1b1d44fa..ed51a5693e 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.3.bb
@@ -29,3 +29,5 @@ GIR_MESON_DISABLE_FLAG = "disabled"
 
 # Starting with 1.8.0 gst-rtsp-server includes dependency-less plugins as well
 require gstreamer1.0-plugins-packaging.inc
+
+CVE_PRODUCT += "gst-rtsp-server"
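Review bot: `CVE_PRODUCT += "gst-rtsp-server"` appends, whereas the python3 recipe in 08/16 assigns with `CVE_PRODUCT = "python"`. With `+=` the resulting product list depends on whatever `CVE_PRODUCT` holds at this point in parsing, so please state in the commit message whether the recipe name is meant to stay in the list alongside `gst-rtsp-server`, and use `=` if it is meant to be replaced.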
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [OE-core][dunfell 11/16] gstreamer1.0-plugins-base: set CVE_PRODUCT
  2020-12-01 18:51 [OE-core][dunfell 00/16] Patch review Steve Sakoman
                   ` (9 preceding siblings ...)
  2020-12-01 18:51 ` [OE-core][dunfell 10/16] gstreamer1.0-rtsp-server: set CVE_PRODUCT Steve Sakoman
@ 2020-12-01 18:51 ` Steve Sakoman
  2020-12-01 18:51 ` [OE-core][dunfell 12/16] distutils-common-base: fix LINKSHARED expansion Steve Sakoman
                   ` (4 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2020-12-01 18:51 UTC (permalink / raw)
  To: openembedded-core

From: Ross Burton <ross@burtonini.com>

There are CVEs with the 'gst-plugins-base' product, so set that.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ec0f0e5995ab498f50ad51ceb361784247614982)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../gstreamer/gstreamer1.0-plugins-base_1.16.3.bb               | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb
index a4f4772c1c..9daaf7587e 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb
@@ -97,3 +97,5 @@ def get_opengl_cmdline_list(switch_name, options, d):
         return '-D' + switch_name + '=' + ','.join(selected_options)
     else:
         return ''
+
+CVE_PRODUCT += "gst-plugins-base"
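Review bot: the `CVE_PRODUCT` line is added at the very end of the recipe, after the `get_opengl_cmdline_list` python function, where it is easy to miss. Moving it up beside the other recipe variables would make it easier to find during a CVE audit.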
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [OE-core][dunfell 12/16] distutils-common-base: fix LINKSHARED expansion
  2020-12-01 18:51 [OE-core][dunfell 00/16] Patch review Steve Sakoman
                   ` (10 preceding siblings ...)
  2020-12-01 18:51 ` [OE-core][dunfell 11/16] gstreamer1.0-plugins-base: " Steve Sakoman
@ 2020-12-01 18:51 ` Steve Sakoman
  2020-12-01 18:51 ` [OE-core][dunfell 13/16] sysvinit: remove bashism to be compatible with dash Steve Sakoman
                   ` (3 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2020-12-01 18:51 UTC (permalink / raw)
  To: openembedded-core

From: Anuj Mittal <anuj.mittal@intel.com>

Add the missing $ so SECURITY_CFLAGS actually gets expanded.

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6ed2f892ebb0b4e30a3bf167eac68027ea378a2d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/distutils-common-base.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/distutils-common-base.bbclass b/meta/classes/distutils-common-base.bbclass
index 94b5fd426d..43a38e5a3a 100644
--- a/meta/classes/distutils-common-base.bbclass
+++ b/meta/classes/distutils-common-base.bbclass
@@ -11,7 +11,7 @@ export LDCXXSHARED  = "${CXX} -shared"
 export CCSHARED  = "-fPIC -DPIC"
 # LINKFORSHARED are the flags passed to the $(CC) command that links
 # the python executable
-export LINKFORSHARED = "{SECURITY_CFLAGS} -Xlinker -export-dynamic"
+export LINKFORSHARED = "${SECURITY_CFLAGS} -Xlinker -export-dynamic"
 
 FILES_${PN} += "${libdir}/* ${libdir}/${PYTHON_DIR}/*"
 
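Review bot: the fixed line puts `${SECURITY_CFLAGS}`, a compiler-flags variable by name, into `LINKFORSHARED`, which the comment above describes as flags for the command that links the python executable. Before this fix the literal text `{SECURITY_CFLAGS}` was exported, so those flags were not applied here at all; now that they expand, please confirm every flag in the set is meaningful on a link line. The subject also says LINKSHARED while the variable is `LINKFORSHARED`.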
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [OE-core][dunfell 13/16] sysvinit: remove bashism to be compatible with dash
  2020-12-01 18:51 [OE-core][dunfell 00/16] Patch review Steve Sakoman
                   ` (11 preceding siblings ...)
  2020-12-01 18:51 ` [OE-core][dunfell 12/16] distutils-common-base: fix LINKSHARED expansion Steve Sakoman
@ 2020-12-01 18:51 ` Steve Sakoman
  2020-12-01 18:51 ` [OE-core][dunfell 14/16] eudev: " Steve Sakoman
                   ` (2 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2020-12-01 18:51 UTC (permalink / raw)
  To: openembedded-core

From: Fedor Ross <fedor.ross@ifm.com>

Replace the equality operator '==' with '=' inside of '[]' to be
compatible with bash and dash.

Signed-off-by: Fedor Ross <fedor.ross@ifm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b7f0ec6eafb35117eaf4eeef281162080f0ca79a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/sysvinit/sysvinit/rc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/sysvinit/sysvinit/rc b/meta/recipes-core/sysvinit/sysvinit/rc
index fd1fdd26ba..d0d3149821 100755
--- a/meta/recipes-core/sysvinit/sysvinit/rc
+++ b/meta/recipes-core/sysvinit/sysvinit/rc
@@ -63,7 +63,7 @@ startup() {
   stty onlcr 0>&1
 
   # Limit stack size for startup scripts
-  [ "$STACK_SIZE" == "" ] || ulimit -S -s $STACK_SIZE
+  [ "$STACK_SIZE" = "" ] || ulimit -S -s $STACK_SIZE
 
   # Now find out what the current and what the previous runlevel are.
 
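Review bot: in the changed line `$STACK_SIZE` is still unquoted in `ulimit -S -s $STACK_SIZE`, so a value containing whitespace would be split into extra arguments. Quoting it, and writing the test as `[ -z "$STACK_SIZE" ]`, which is also portable to dash, would make the line more robust.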
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [OE-core][dunfell 14/16] eudev: remove bashism to be compatible with dash
  2020-12-01 18:51 [OE-core][dunfell 00/16] Patch review Steve Sakoman
                   ` (12 preceding siblings ...)
  2020-12-01 18:51 ` [OE-core][dunfell 13/16] sysvinit: remove bashism to be compatible with dash Steve Sakoman
@ 2020-12-01 18:51 ` Steve Sakoman
  2020-12-01 18:51 ` [OE-core][dunfell 15/16] fs-perms: Ensure /usr/src/debug/ file modes are correct Steve Sakoman
  2020-12-01 18:51 ` [OE-core][dunfell 16/16] e2fsprogs: Fix a ptest permissions determinism issue Steve Sakoman
  15 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2020-12-01 18:51 UTC (permalink / raw)
  To: openembedded-core

From: Fedor Ross <fedor.ross@ifm.com>

Remove 'echo -e' and replace it with 'printf'. In bash the builtin
'echo' has an option for interpreting backslash escapes. In a shell like
dash the builtin 'echo' interprets backslash escapes by default.
Therefore the 'echo' in dash doesn't have the '-e' option. When using
'printf' instead it is safe to use it either with bash or dash.

Signed-off-by: Fedor Ross <fedor.ross@ifm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c747acca33f84879a1ebd0ef972c07f4d5dff8b7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/udev/eudev/init | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/udev/eudev/init b/meta/recipes-core/udev/eudev/init
index 0455ade258..c60dbbf6d5 100644
--- a/meta/recipes-core/udev/eudev/init
+++ b/meta/recipes-core/udev/eudev/init
@@ -52,7 +52,7 @@ case "$1" in
     kill_udevd > "/dev/null" 2>&1
 
     # trigger the sorted events
-    [ -e /proc/sys/kernel/hotplug ] && echo -e '\000' >/proc/sys/kernel/hotplug
+    [ -e /proc/sys/kernel/hotplug ] && printf '\0\n' >/proc/sys/kernel/hotplug
     @UDEVD@ -d
 
     udevadm control --env=STARTUP=1
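Review bot: `printf '\0\n'` writes the same two bytes that bash's `echo -e '\000'` did (a NUL and a newline), but nothing near the line says why a NUL is written to `/proc/sys/kernel/hotplug`; the comment above it only mentions triggering events. A one-line comment on the purpose of the write would help the next reader.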
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [OE-core][dunfell 15/16] fs-perms: Ensure /usr/src/debug/ file modes are correct
  2020-12-01 18:51 [OE-core][dunfell 00/16] Patch review Steve Sakoman
                   ` (13 preceding siblings ...)
  2020-12-01 18:51 ` [OE-core][dunfell 14/16] eudev: " Steve Sakoman
@ 2020-12-01 18:51 ` Steve Sakoman
  2020-12-01 18:51 ` [OE-core][dunfell 16/16] e2fsprogs: Fix a ptest permissions determinism issue Steve Sakoman
  15 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2020-12-01 18:51 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

If files are copied into /usr/src/debug directly from WORKDIR (e.g. makedevs)
we'd get the permissions from the checkout which would depend on the host umask.

Avoid this and be deterministic by setting the file modes consistently. Core
code copies the files in so we're responsible for the permissions.

Unfortunately to force this change to apply we need to invalidate both
the package tasks and the hash equivalence mappings since file mode
'corruption' already made it into the output hashes (both input options
were mapped to the output hashes).

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1f958bcd6c9cd12ec76d80586cba15f4d6ed17a7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/package.bbclass           | 2 +-
 meta/conf/abi_version.conf             | 2 +-
 meta/files/fs-perms-persistent-log.txt | 2 +-
 meta/files/fs-perms.txt                | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/classes/package.bbclass b/meta/classes/package.bbclass
index cc64ddffc3..7c252dd46b 100644
--- a/meta/classes/package.bbclass
+++ b/meta/classes/package.bbclass
@@ -2225,7 +2225,7 @@ python do_package () {
     # cache.  This is useful if an item this class depends on changes in a
     # way that the output of this class changes.  rpmdeps is a good example
     # as any change to rpmdeps requires this to be rerun.
-    # PACKAGE_BBCLASS_VERSION = "2"
+    # PACKAGE_BBCLASS_VERSION = "4"
 
     # Init cachedpath
     global cpath
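Review bot: `PACKAGE_BBCLASS_VERSION` goes from "2" to "4" here, and `HASHEQUIV_HASH_VERSION` from "1" to "4" in the next file, skipping intermediate values. For a stable-branch cherry-pick it is worth a sentence in the commit message on whether the skipped bumps correspond to changes that were not backported, so that someone comparing branches does not go looking for them.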
diff --git a/meta/conf/abi_version.conf b/meta/conf/abi_version.conf
index 2bdc55695b..0a3fb307c8 100644
--- a/meta/conf/abi_version.conf
+++ b/meta/conf/abi_version.conf
@@ -12,4 +12,4 @@ OELAYOUT_ABI = "12"
 # a reset of the equivalence, for example when reproducibility issues break the
 # existing match data. Distros can also append to this value for the same effect.
 #
-HASHEQUIV_HASH_VERSION  = "1"
+HASHEQUIV_HASH_VERSION  = "4"
diff --git a/meta/files/fs-perms-persistent-log.txt b/meta/files/fs-perms-persistent-log.txt
index 3a7cf3ab94..518c1be3c9 100644
--- a/meta/files/fs-perms-persistent-log.txt
+++ b/meta/files/fs-perms-persistent-log.txt
@@ -41,7 +41,7 @@ ${includedir}		0755	root	root	true	0644	root	root
 ${oldincludedir}	0755	root	root	true	0644	root	root
 
 # Cleanup debug src
-/usr/src/debug		0755	root	root	true	-	root	root
+/usr/src/debug		0755	root	root	true	0644	root	root
 
 # Items from base-files
 # Links
diff --git a/meta/files/fs-perms.txt b/meta/files/fs-perms.txt
index c8c3ac5dbe..daa4aed840 100644
--- a/meta/files/fs-perms.txt
+++ b/meta/files/fs-perms.txt
@@ -41,7 +41,7 @@ ${includedir}		0755	root	root	true	0644	root	root
 ${oldincludedir}	0755	root	root	true	0644	root	root
 
 # Cleanup debug src
-/usr/src/debug		0755	root	root	true	-	root	root
+/usr/src/debug		0755	root	root	true	0644	root	root
 
 # Items from base-files
 # Links
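Review bot: the sixth column changes from `-` to `0644` with the walk column set to `true`, so every file below `/usr/src/debug` is forced to 0644, including any that carried an execute bit in the source tree. That is reasonable for debug sources, but the `# Cleanup debug src` comment could say so, and the identical edit in `fs-perms-persistent-log.txt` means the two tables have to be kept in step by hand.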
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [OE-core][dunfell 16/16] e2fsprogs: Fix a ptest permissions determinism issue
  2020-12-01 18:51 [OE-core][dunfell 00/16] Patch review Steve Sakoman
                   ` (14 preceding siblings ...)
  2020-12-01 18:51 ` [OE-core][dunfell 15/16] fs-perms: Ensure /usr/src/debug/ file modes are correct Steve Sakoman
@ 2020-12-01 18:51 ` Steve Sakoman
  15 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2020-12-01 18:51 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

When comparing builds built with different host umasks, this file jumped out.
The umask from do_compile was influencing ${D} and as cp was used to add the
file it wasn't deterministic. Fix the file mode to ensure determinism.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 37f37f4a52de3711973b372160f23672b61ff6ad)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb
index 4f7cafeac9..439928e433 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb
@@ -128,6 +128,8 @@ do_compile_ptest() {
 }
 
 do_install_ptest() {
+	# This file's permissions depends on the host umask so be deterministic
+	chmod 0644 ${B}/tests/test_data.tmp
 	cp -R --no-dereference --preserve=mode,links -v ${B}/tests ${D}${PTEST_PATH}/test
 	cp -R --no-dereference --preserve=mode,links -v ${S}/tests/* ${D}${PTEST_PATH}/test
 	sed -e 's!../e2fsck/e2fsck!e2fsck!g' \
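Review bot: the added `chmod 0644 ${B}/tests/test_data.tmp` changes a file in the build directory from inside `do_install_ptest`, and it makes the task fail if that file is ever absent. Applying the mode to the installed copy under `${D}${PTEST_PATH}/test` after the `cp` would keep the fix within the install step's own output. The comment should also read "permissions depend".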
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 24+ messages in thread
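Patches 15/16 and 16/16 above both fix output that varied with the host umask. As an added example (not OE-core code), the script below reproduces the effect in miniature: the same content staged under two umasks and copied with modes preserved gives different mode-aware digests until the modes are forced to fixed values. The helper names and the small temporary tree are assumptions made for the illustration.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def stage_tree(root, umask):
    """Create a small source tree the way a checkout would, under the given umask."""
    old = os.umask(umask)
    try:
        os.makedirs(os.path.join(root, "usr/src/debug/pkg"))
        with open(os.path.join(root, "usr/src/debug/pkg/main.c"), "w") as f:
            f.write("int main(void) { return 0; }\n")
    finally:
        os.umask(old)


def copy_preserving_mode(src, dst):
    """Rough equivalent of `cp -R --preserve=mode`: source modes travel with the copy."""
    shutil.copytree(src, dst, copy_function=shutil.copy2)


def normalise_modes(root, dmode=0o755, fmode=0o644):
    """Force fixed modes on everything below root, as a fs-perms style table would."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            os.chmod(os.path.join(dirpath, name), dmode)
        for name in filenames:
            os.chmod(os.path.join(dirpath, name), fmode)


def tree_digest(root):
    """Hash relative path, permission bits and content of every entry, in sorted order."""
    h = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # makes the walk order deterministic
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            rel = os.path.relpath(path, root)
            h.update(("%s %04o\n" % (rel, stat.S_IMODE(st.st_mode))).encode())
            if stat.S_ISREG(st.st_mode):
                with open(path, "rb") as f:
                    h.update(f.read())
    return h.hexdigest()


def build(umask, normalise):
    """Stage under `umask`, copy with modes preserved, optionally normalise, return digest."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "workdir")
        dst = os.path.join(tmp, "image")
        stage_tree(src, umask)
        copy_preserving_mode(src, dst)
        if normalise:
            normalise_modes(dst)
        return tree_digest(dst)


if __name__ == "__main__":
    for normalise in (False, True):
        a, b = build(0o022, normalise), build(0o002, normalise)
        print("normalised=%s identical=%s" % (normalise, a == b))
```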

* Re: [OE-core][dunfell 04/16] roofs_*.bbclass: fix missing vardeps for do_rootfs
  2020-12-01 18:51 ` [OE-core][dunfell 04/16] roofs_*.bbclass: fix missing vardeps for do_rootfs Steve Sakoman
@ 2020-12-01 18:59   ` Robert P. J. Day
  2020-12-01 19:49     ` Steve Sakoman
  0 siblings, 1 reply; 24+ messages in thread
From: Robert P. J. Day @ 2020-12-01 18:59 UTC (permalink / raw)
  To: Steve Sakoman; +Cc: openembedded-core


  "roofs_*.bbclass"

rday

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [OE-core][dunfell 04/16] roofs_*.bbclass: fix missing vardeps for do_rootfs
  2020-12-01 18:59   ` Robert P. J. Day
@ 2020-12-01 19:49     ` Steve Sakoman
  0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2020-12-01 19:49 UTC (permalink / raw)
  To: Robert P. J. Day; +Cc: Patches and discussions about the oe-core layer

On Tue, Dec 1, 2020 at 8:59 AM Robert P. J. Day <rpjday@crashcourse.ca> wrote:
>
>
>   "roofs_*.bbclass"

Typos come along for free with a cherry-pick ;-)

Steve

^ permalink raw reply	[flat|nested] 24+ messages in thread

* [OE-core][dunfell 00/16] Patch review
@ 2023-01-25 14:41 Steve Sakoman
  0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2023-01-25 14:41 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for dunfell and have comments back by
end of day Friday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4828

with the exception of a known autobuilder intermittent issue on qemuppc:

https://bugzilla.yoctoproject.org/show_bug.cgi?id=14824

which passed on subsequent re-test:

https://autobuilder.yoctoproject.org/typhoon/#/builders/63/builds/6517

The following changes since commit db81e3c7e7f1d4d9eba52ac35ac97627d0240b63:

  build-appliance-image: Update to dunfell head revision (2023-01-13 18:11:40 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (2):
  linux-firmware: upgrade 20221109 -> 20221214
  selftest/virgl: use pkg-config from the host

Benoît Mauduit (1):
  lib/oe/reproducible: Use git log without gpg signature

Bhabu Bindu (1):
  ffmpeg: Fix CVE-2022-3109

Hitendra Prajapati (2):
  QEMU: CVE-2022-4144 QXL: qxl_phys2virt unsafe address translation can
    lead to out-of-bounds read
  xserver-xorg: Fix Multiple CVEs

Jan Kircher (1):
  toolchain-scripts: compatibility with unbound variable protection

Jermain Horsman (1):
  cve-check: write the cve manifest to IMGDEPLOYDIR

Marta Rybczynska (1):
  cve-update-db-native: avoid incomplete updates

Niko Mauno (1):
  systemd: Consider PACKAGECONFIG in RRECOMMENDS

Quentin Schulz (1):
  cairo: fix CVE patches assigned wrong CVE number

Randy MacLeod (1):
  vim: upgrade 9.0.0947 -> 9.0.1211

Ross Burton (2):
  cve-update-db-native: add more logging when fetching
  cve-update-db-native: show IP on failure

Steve Sakoman (1):
  python3: fix packaging of Windows distutils installer stubs

jan (1):
  cve-update-db-native: Allow to overrule the URL in a bbappend.

 meta/classes/cve-check.bbclass                |   6 +-
 meta/classes/toolchain-scripts.bbclass        |   2 +-
 meta/lib/oe/reproducible.py                   |   3 +-
 meta/lib/oeqa/selftest/cases/runtime_test.py  |   2 +-
 .../recipes-core/meta/cve-update-db-native.bb |  97 ++++++++++++-----
 meta/recipes-core/systemd/systemd_244.5.bb    |   4 +-
 .../python/python3/python3-manifest.json      |   4 +-
 meta/recipes-devtools/qemu/qemu.inc           |   1 +
 .../qemu/qemu/CVE-2022-4144.patch             | 103 ++++++++++++++++++
 .../cairo/cairo/CVE-2019-6461.patch           |  46 +++-----
 .../cairo/cairo/CVE-2019-6462.patch           |  46 +++++---
 .../xserver-xorg/CVE-2022-4283.patch          |  39 +++++++
 .../xserver-xorg/CVE-2022-46340.patch         |  55 ++++++++++
 .../xserver-xorg/CVE-2022-46341.patch         |  86 +++++++++++++++
 .../xserver-xorg/CVE-2022-46342.patch         |  78 +++++++++++++
 .../xserver-xorg/CVE-2022-46343.patch         |  51 +++++++++
 .../xserver-xorg/CVE-2022-46344.patch         |  75 +++++++++++++
 .../xorg-xserver/xserver-xorg_1.20.14.bb      |   8 +-
 ...20221109.bb => linux-firmware_20221214.bb} |   4 +-
 .../ffmpeg/ffmpeg/CVE-2022-3109.patch         |  41 +++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb |   1 +
 meta/recipes-support/vim/vim.inc              |   4 +-
 22 files changed, 670 insertions(+), 86 deletions(-)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20221109.bb => linux-firmware_20221214.bb} (99%)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3109.patch

-- 
2.25.1



^ permalink raw reply	[flat|nested] 24+ messages in thread

* [OE-core][dunfell 00/16] Patch review
@ 2023-02-20 22:20 Steve Sakoman
  0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2023-02-20 22:20 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for dunfell and have comments back by
end of day Wednesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4950

The following changes since commit daaee6fcb0d201f041678af433d8e1cd6f924d09:

  build-appliance-image: Update to dunfell head revision (2023-02-13 07:48:21 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (1):
  oeqa/qemurunner: do not use Popen.poll() when terminating runqemu with
    a signal

Antonin Godard (2):
  busybox: always start do_compile with orig config files
  busybox: rm temporary files if do_compile was interrupted

Hitendra Prajapati (1):
  git: CVE-2022-23521 gitattributes parsing integer overflow

Martin Jansa (1):
  meta: remove True option to getVar and getVarFlag calls (again)

Mikko Rapeli (1):
  oeqa context.py: fix --target-ip comment to include ssh port number

Omkar Patil (1):
  sudo: Fix CVE-2023-22809

Pawel Zalewski (1):
  classes/fs-uuid: Fix command output decoding issue

Richard Purdie (3):
  nativesdk: Handle chown/chgrp calls in nativesdk do_install tasks
  make-mod-scripts: Ensure kernel build output is deterministic
  libc-locale: Fix on target locale generation

Ross Burton (3):
  quilt: fix intermittent failure in faildiff.test
  quilt: use upstreamed faildiff.test fix
  git: ignore CVE-2022-41953

Steve Sakoman (1):
  qemu: Fix slirp determinism issue

Vivek Kumbhar (1):
  qemu: fix CVE-2021-3929 nvme DMA reentrancy issue leads to
    use-after-free

 meta/classes/fs-uuid.bbclass                  |   2 +-
 meta/classes/image.bbclass                    |   2 +-
 meta/classes/libc-package.bbclass             |   1 +
 meta/classes/license_image.bbclass            |   2 +-
 meta/classes/nativesdk.bbclass                |   2 +
 meta/lib/oeqa/runtime/context.py              |   4 +-
 meta/lib/oeqa/utils/qemurunner.py             |  11 +-
 meta/recipes-core/busybox/busybox.inc         |  27 +-
 .../git/files/CVE-2022-23521.patch            | 367 ++++++++++++++++++
 meta/recipes-devtools/git/git.inc             |   4 +-
 meta/recipes-devtools/go/go_1.14.bb           |   4 +-
 .../qemu/qemu-system-native_4.2.0.bb          |   2 +-
 meta/recipes-devtools/qemu/qemu.inc           |   3 +
 .../qemu/qemu/CVE-2021-3929.patch             |  78 ++++
 meta/recipes-devtools/qemu/qemu_4.2.0.bb      |   4 +-
 meta/recipes-devtools/quilt/quilt.inc         |   1 +
 .../quilt/quilt/faildiff-order.patch          |  41 ++
 .../sudo/files/CVE-2023-22809.patch           | 113 ++++++
 meta/recipes-extended/sudo/sudo_1.8.32.bb     |   1 +
 .../make-mod-scripts/make-mod-scripts_1.0.bb  |   2 +-
 scripts/lib/devtool/menuconfig.py             |   2 +-
 scripts/nativesdk-intercept/chgrp             |  27 ++
 scripts/nativesdk-intercept/chown             |  27 ++
 23 files changed, 702 insertions(+), 25 deletions(-)
 create mode 100644 meta/recipes-devtools/git/files/CVE-2022-23521.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch
 create mode 100644 meta/recipes-devtools/quilt/quilt/faildiff-order.patch
 create mode 100644 meta/recipes-extended/sudo/files/CVE-2023-22809.patch
 create mode 100755 scripts/nativesdk-intercept/chgrp
 create mode 100755 scripts/nativesdk-intercept/chown

-- 
2.34.1



^ permalink raw reply	[flat|nested] 24+ messages in thread
