[OE-core][kirkstone 00/35] Patch review

[OE-core][kirkstone 00/35] Patch review

[Steve Sakoman]

Please review this set of patches for kirkstone and have comments back by
end of day Wednesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3928

The following changes since commit 171415e38e526033a0423f4dc39e9d8e9dc4e5f6:

  perf: fix reproducibility in 5.19+ (2022-07-16 08:20:22 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alejandro Hernandez Samaniego (2):
  package.bbclass: Fix base directory for debugsource files when using
    externalsrc
  package.bbclass: Fix kernel source handling when not using externalsrc

Alexander Kanavin (1):
  waffle: correctly request wayland-scanner executable

Chanho Park (2):
  cargo_common.bbclass: enable bitbake vendoring for externalsrc
  externalsrc.bbclass: support crate fetcher on externalsrc

Christoph Lauer (1):
  package.bbclass: Avoid stripping signed kernel modules in
    splitdebuginfo

Khem Raj (1):
  libmodule-build-perl: Use env utility to find perl interpreter

Markus Volk (1):
  python3: Backport patch to fix an issue in subinterpreters

Ming Liu (3):
  udev-extraconf: let automount base directory configurable
  udev-extraconf: fix some systemd automount issues
  udev-extraconf:mount.sh: fix path mismatching issues

Muhammad Hamza (5):
  udev-extraconf/mount.sh: add LABELs to mountpoints
  udev-extraconf/mount.sh: save mount name in our tmp filecache
  udev-extraconf/mount.sh: only mount devices on hotplug
  udev-extraconf: force systemd-udevd to use shared MountFlags
  udev-extraconf/mount.sh: ignore lvm in automount

Pascal Bach (1):
  bin_package: install into base_prefix

Paul Eggleton (4):
  devtool: ignore pn- overrides when determining SRC_URI overrides
  patch: handle if S points to a subdirectory of a git repo
  devtool: finish: handle patching when S points to subdir of a git repo
  oe-selftest: devtool: test modify git recipe building from a subdir

Pavel Zhukov (1):
  harfbuzz: Fix compilation with clang

Peter Marko (1):
  alsa-state: correct license

Richard Purdie (9):
  udev-extraconf/initrdscripts/parted: Rename mount.blacklist ->
    mount.ignorelist
  insane: Fix buildpaths test to work with special devices
  lua: Fix multilib buildpath reproducibility issues
  vala: Fix on target wrapper buildpaths issue
  gtk-doc: Remove hardcoded buildpath
  kernel-arch: Fix buildpaths leaking into external module compiles
  gcc-runtime: Fix build when using gold
  gcc-runtime: Fix missing MLPREFIX in debug mappings
  selftest/runtime_test/virgl: Disable for all almalinux

Robert Joslyn (1):
  curl: Fix multiple CVEs

Ross Burton (2):
  perl: don't install Makefile.old into perl-ptest
  pulseaudio: add m4-native to DEPENDS

 meta/classes/bin_package.bbclass              |   3 +-
 meta/classes/cargo_common.bbclass             |   2 +-
 meta/classes/externalsrc.bbclass              |   2 +-
 meta/classes/insane.bbclass                   |   6 +-
 meta/classes/kernel-arch.bbclass              |   2 +-
 meta/classes/package.bbclass                  |  36 ++-
 meta/lib/oe/patch.py                          |   8 +-
 meta/lib/oe/recipeutils.py                    |   9 +-
 meta/lib/oeqa/selftest/cases/devtool.py       | 114 +++++--
 meta/lib/oeqa/selftest/cases/runtime_test.py  |   2 +-
 meta/recipes-bsp/alsa-state/alsa-state.bb     |   7 +-
 .../alsa-state/alsa-state/alsa-state-init     |   3 +-
 .../files/init-install-efi-testfs.sh          |   2 +-
 .../initrdscripts/files/init-install-efi.sh   |   2 +-
 .../files/init-install-testfs.sh              |   2 +-
 .../initrdscripts/files/init-install.sh       |   2 +-
 .../{mount.blacklist => mount.ignorelist}     |   0
 .../recipes-core/udev/udev-extraconf/mount.sh |  90 ++++--
 meta/recipes-core/udev/udev-extraconf_1.1.bb  |  27 +-
 meta/recipes-devtools/gcc/gcc-runtime.inc     |   5 +-
 meta/recipes-devtools/lua/lua/lua.pc.in       |   5 +-
 meta/recipes-devtools/lua/lua_5.4.4.bb        |   2 +-
 .../perl/libmodule-build-perl_0.4231.bb       |   1 +
 meta/recipes-devtools/perl/perl-ptest.inc     |   4 +-
 ...h-92036-Fix-gc_fini_untrack-GH-92037.patch |  54 ++++
 .../recipes-devtools/python/python3_3.10.4.bb |   1 +
 meta/recipes-devtools/vala/vala.inc           |   6 +
 meta/recipes-extended/parted/files/run-ptest  |   6 +-
 meta/recipes-gnome/gtk-doc/gtk-doc_1.33.2.bb  |   2 +
 .../harfbuzz/0001-Fix-conditional.patch       |  25 ++
 .../harfbuzz/harfbuzz_4.0.1.bb                |   5 +-
 ...build-request-native-wayland-scanner.patch |  27 ++
 meta/recipes-graphics/waffle/waffle_1.7.0.bb  |   1 +
 .../pulseaudio/pulseaudio.inc                 |   2 +-
 .../curl/curl/CVE-2022-32205.patch            | 174 +++++++++++
 .../curl/curl/CVE-2022-32206.patch            |  51 ++++
 .../curl/curl/CVE-2022-32207.patch            | 283 ++++++++++++++++++
 .../curl/curl/CVE-2022-32208.patch            |  67 +++++
 meta/recipes-support/curl/curl_7.82.0.bb      |   4 +
 scripts/lib/devtool/standard.py               |  29 +-
 40 files changed, 982 insertions(+), 91 deletions(-)
 rename meta/recipes-core/udev/udev-extraconf/{mount.blacklist => mount.ignorelist} (100%)
 create mode 100644 meta/recipes-devtools/python/python3/0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch
 create mode 100644 meta/recipes-graphics/harfbuzz/harfbuzz/0001-Fix-conditional.patch
 create mode 100644 meta/recipes-graphics/waffle/waffle/0001-meson.build-request-native-wayland-scanner.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32205.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32206.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32207.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32208.patch

-- 
2.25.1

[OE-core][kirkstone 01/35] curl: Fix multiple CVEs

[Steve Sakoman]

From: Robert Joslyn <robert.joslyn@redrectangle.org>

Backport fixes for:
 * CVE-2022-32205 - https://curl.se/docs/CVE-2022-32205.html
 * CVE-2022-32206 - https://curl.se/docs/CVE-2022-32206.html
 * CVE-2022-32207 - https://curl.se/docs/CVE-2022-32207.html
 * CVE-2022-32208 - https://curl.se/docs/CVE-2022-32208.html

Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../curl/curl/CVE-2022-32205.patch            | 174 +++++++++++
 .../curl/curl/CVE-2022-32206.patch            |  51 ++++
 .../curl/curl/CVE-2022-32207.patch            | 283 ++++++++++++++++++
 .../curl/curl/CVE-2022-32208.patch            |  67 +++++
 meta/recipes-support/curl/curl_7.82.0.bb      |   4 +
 5 files changed, 579 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32205.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32206.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32207.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32208.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2022-32205.patch b/meta/recipes-support/curl/curl/CVE-2022-32205.patch
new file mode 100644
index 0000000000..165fd8af47
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32205.patch
@@ -0,0 +1,174 @@
+From a91c22a072cbb32e296f1efba3502f1b7775dfaf Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 26 Jun 2022 11:00:48 +0200
+Subject: [PATCH] cookie: apply limits
+
+- Send no more than 150 cookies per request
+- Cap the max length used for a cookie: header to 8K
+- Cap the max number of received Set-Cookie: headers to 50
+
+Bug: https://curl.se/docs/CVE-2022-32205.html
+CVE-2022-32205
+Reported-by: Harry Sintonen
+Closes #9048
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/48d7064a49148f0394]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/cookie.c  | 14 ++++++++++++--
+ lib/cookie.h  | 21 +++++++++++++++++++--
+ lib/http.c    | 13 +++++++++++--
+ lib/urldata.h |  1 +
+ 4 files changed, 43 insertions(+), 6 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 1b8c8f9..8a6aa1a 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -477,6 +477,10 @@ Curl_cookie_add(struct Curl_easy *data,
+   (void)data;
+ #endif
+ 
++  DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */
++  if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT)
++    return NULL;
++
+   /* First, alloc and init a new struct for it */
+   co = calloc(1, sizeof(struct Cookie));
+   if(!co)
+@@ -816,7 +820,7 @@ Curl_cookie_add(struct Curl_easy *data,
+       freecookie(co);
+       return NULL;
+     }
+-
++    data->req.setcookies++;
+   }
+   else {
+     /*
+@@ -1354,7 +1358,8 @@ static struct Cookie *dup_cookie(struct Cookie *src)
+  *
+  * It shall only return cookies that haven't expired.
+  */
+-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
++                                   struct CookieInfo *c,
+                                    const char *host, const char *path,
+                                    bool secure)
+ {
+@@ -1409,6 +1414,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
+             mainco = newco;
+ 
+             matches++;
++            if(matches >= MAX_COOKIE_SEND_AMOUNT) {
++              infof(data, "Included max number of cookies (%u) in request!",
++                    matches);
++              break;
++            }
+           }
+           else
+             goto fail;
+diff --git a/lib/cookie.h b/lib/cookie.h
+index 0ffe08e..7411980 100644
+--- a/lib/cookie.h
++++ b/lib/cookie.h
+@@ -81,10 +81,26 @@ struct CookieInfo {
+ */
+ #define MAX_COOKIE_LINE 5000
+ 
+-/* This is the maximum length of a cookie name or content we deal with: */
++/* Maximum length of an incoming cookie name or content we deal with. Longer
++   cookies are ignored. */
+ #define MAX_NAME 4096
+ #define MAX_NAME_TXT "4095"
+ 
++/* Maximum size for an outgoing cookie line libcurl will use in an http
++   request. This is the default maximum length used in some versions of Apache
++   httpd. */
++#define MAX_COOKIE_HEADER_LEN 8190
++
++/* Maximum number of cookies libcurl will send in a single request, even if
++   there might be more cookies that match. One reason to cap the number is to
++   keep the maximum HTTP request within the maximum allowed size. */
++#define MAX_COOKIE_SEND_AMOUNT 150
++
++/* Maximum number of Set-Cookie: lines accepted in a single response. If more
++   such header lines are received, they are ignored. This value must be less
++   than 256 since an unsigned char is used to count. */
++#define MAX_SET_COOKIE_AMOUNT 50
++
+ struct Curl_easy;
+ /*
+  * Add a cookie to the internal list of cookies. The domain and path arguments
+@@ -97,7 +113,8 @@ struct Cookie *Curl_cookie_add(struct Curl_easy *data,
+                                const char *domain, const char *path,
+                                bool secure);
+ 
+-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, const char *host,
++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
++                                   struct CookieInfo *c, const char *host,
+                                    const char *path, bool secure);
+ void Curl_cookie_freelist(struct Cookie *cookies);
+ void Curl_cookie_clearall(struct CookieInfo *cookies);
+diff --git a/lib/http.c b/lib/http.c
+index 4433824..2c8b0c4 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -2709,12 +2709,14 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn,
+ }
+ 
+ #if !defined(CURL_DISABLE_COOKIES)
++
+ CURLcode Curl_http_cookies(struct Curl_easy *data,
+                            struct connectdata *conn,
+                            struct dynbuf *r)
+ {
+   CURLcode result = CURLE_OK;
+   char *addcookies = NULL;
++  bool linecap = FALSE;
+   if(data->set.str[STRING_COOKIE] &&
+      !Curl_checkheaders(data, STRCONST("Cookie")))
+     addcookies = data->set.str[STRING_COOKIE];
+@@ -2732,7 +2734,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
+         !strcmp(host, "127.0.0.1") ||
+         !strcmp(host, "[::1]") ? TRUE : FALSE;
+       Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
+-      co = Curl_cookie_getlist(data->cookies, host, data->state.up.path,
++      co = Curl_cookie_getlist(data, data->cookies, host, data->state.up.path,
+                                secure_context);
+       Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
+     }
+@@ -2746,6 +2748,13 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
+             if(result)
+               break;
+           }
++          if((Curl_dyn_len(r) + strlen(co->name) + strlen(co->value) + 1) >=
++             MAX_COOKIE_HEADER_LEN) {
++            infof(data, "Restricted outgoing cookies due to header size, "
++                  "'%s' not sent", co->name);
++            linecap = TRUE;
++            break;
++          }
+           result = Curl_dyn_addf(r, "%s%s=%s", count?"; ":"",
+                                  co->name, co->value);
+           if(result)
+@@ -2756,7 +2765,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
+       }
+       Curl_cookie_freelist(store);
+     }
+-    if(addcookies && !result) {
++    if(addcookies && !result && !linecap) {
+       if(!count)
+         result = Curl_dyn_addn(r, STRCONST("Cookie: "));
+       if(!result) {
+diff --git a/lib/urldata.h b/lib/urldata.h
+index e006495..54faf7d 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -707,6 +707,7 @@ struct SingleRequest {
+ #ifndef CURL_DISABLE_DOH
+   struct dohdata *doh; /* DoH specific data for this request */
+ #endif
++  unsigned char setcookies;
+   BIT(header);        /* incoming data has HTTP header */
+   BIT(content_range); /* set TRUE if Content-Range: was found */
+   BIT(upload_done);   /* set to TRUE when doing chunked transfer-encoding
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32206.patch b/meta/recipes-support/curl/curl/CVE-2022-32206.patch
new file mode 100644
index 0000000000..25f5b27cc7
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32206.patch
@@ -0,0 +1,51 @@
+From e12531340b03d242d3f892aa8797faf12b56dddf Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 16 May 2022 16:28:13 +0200
+Subject: [PATCH] content_encoding: return error on too many compression steps
+
+The max allowed steps is arbitrarily set to 5.
+
+Bug: https://curl.se/docs/CVE-2022-32206.html
+CVE-2022-32206
+Reported-by: Harry Sintonen
+Closes #9049
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/3a09fbb7f264c67c43]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/content_encoding.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/content_encoding.c b/lib/content_encoding.c
+index c03637a..6f994b3 100644
+--- a/lib/content_encoding.c
++++ b/lib/content_encoding.c
+@@ -1026,12 +1026,16 @@ static const struct content_encoding *find_encoding(const char *name,
+   return NULL;
+ }
+ 
++/* allow no more than 5 "chained" compression steps */
++#define MAX_ENCODE_STACK 5
++
+ /* Set-up the unencoding stack from the Content-Encoding header value.
+  * See RFC 7231 section 3.1.2.2. */
+ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
+                                      const char *enclist, int maybechunked)
+ {
+   struct SingleRequest *k = &data->req;
++  int counter = 0;
+ 
+   do {
+     const char *name;
+@@ -1066,6 +1070,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
+       if(!encoding)
+         encoding = &error_encoding;  /* Defer error at stack use. */
+ 
++      if(++counter >= MAX_ENCODE_STACK) {
++        failf(data, "Reject response due to %u content encodings",
++              counter);
++        return CURLE_BAD_CONTENT_ENCODING;
++      }
+       /* Stack the unencoding stage. */
+       writer = new_unencoding_writer(data, encoding, k->writer_stack);
+       if(!writer)
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32207.patch b/meta/recipes-support/curl/curl/CVE-2022-32207.patch
new file mode 100644
index 0000000000..bc16b62f39
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32207.patch
@@ -0,0 +1,283 @@
+From 759088694e2ba68ddc5ffe042b071dadad6ff675 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 25 May 2022 10:09:53 +0200
+Subject: [PATCH] fopen: add Curl_fopen() for better overwriting of files
+
+Bug: https://curl.se/docs/CVE-2022-32207.html
+CVE-2022-32207
+Reported-by: Harry Sintonen
+Closes #9050
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/20f9dd6bae50b]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ CMakeLists.txt          |   1 +
+ configure.ac            |   1 +
+ lib/Makefile.inc        |   2 +
+ lib/cookie.c            |  19 ++-----
+ lib/curl_config.h.cmake |   3 ++
+ lib/fopen.c             | 113 ++++++++++++++++++++++++++++++++++++++++
+ lib/fopen.h             |  30 +++++++++++
+ 7 files changed, 154 insertions(+), 15 deletions(-)
+ create mode 100644 lib/fopen.c
+ create mode 100644 lib/fopen.h
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index b77de6d..a0bfaad 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -1027,6 +1027,7 @@ elseif(HAVE_LIBSOCKET)
+   set(CMAKE_REQUIRED_LIBRARIES socket)
+ endif()
+ 
++check_symbol_exists(fchmod        "${CURL_INCLUDES}" HAVE_FCHMOD)
+ check_symbol_exists(basename      "${CURL_INCLUDES}" HAVE_BASENAME)
+ check_symbol_exists(socket        "${CURL_INCLUDES}" HAVE_SOCKET)
+ check_symbol_exists(select        "${CURL_INCLUDES}" HAVE_SELECT)
+diff --git a/configure.ac b/configure.ac
+index d431870..7433bb9 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -3351,6 +3351,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se
+ 
+ 
+ AC_CHECK_FUNCS([fnmatch \
++  fchmod \
+   geteuid \
+   getpass_r \
+   getppid \
+diff --git a/lib/Makefile.inc b/lib/Makefile.inc
+index e8f110f..5139b03 100644
+--- a/lib/Makefile.inc
++++ b/lib/Makefile.inc
+@@ -133,6 +133,7 @@ LIB_CFILES =         \
+   escape.c           \
+   file.c             \
+   fileinfo.c         \
++  fopen.c            \
+   formdata.c         \
+   ftp.c              \
+   ftplistparser.c    \
+@@ -263,6 +264,7 @@ LIB_HFILES =         \
+   escape.h           \
+   file.h             \
+   fileinfo.h         \
++  fopen.h            \
+   formdata.h         \
+   ftp.h              \
+   ftplistparser.h    \
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 8a6aa1a..cb0c03b 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -96,8 +96,8 @@ Example set of cookies:
+ #include "curl_get_line.h"
+ #include "curl_memrchr.h"
+ #include "parsedate.h"
+-#include "rand.h"
+ #include "rename.h"
++#include "fopen.h"
+ 
+ /* The last 3 #include files should be in this order */
+ #include "curl_printf.h"
+@@ -1620,20 +1620,9 @@ static CURLcode cookie_output(struct Curl_easy *data,
+     use_stdout = TRUE;
+   }
+   else {
+-    unsigned char randsuffix[9];
+-
+-    if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
+-      return 2;
+-
+-    tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
+-    if(!tempstore)
+-      return CURLE_OUT_OF_MEMORY;
+-
+-    out = fopen(tempstore, FOPEN_WRITETEXT);
+-    if(!out) {
+-      error = CURLE_WRITE_ERROR;
++    error = Curl_fopen(data, filename, &out, &tempstore);
++    if(error)
+       goto error;
+-    }
+   }
+ 
+   fputs("# Netscape HTTP Cookie File\n"
+@@ -1680,7 +1669,7 @@ static CURLcode cookie_output(struct Curl_easy *data,
+   if(!use_stdout) {
+     fclose(out);
+     out = NULL;
+-    if(Curl_rename(tempstore, filename)) {
++    if(tempstore && Curl_rename(tempstore, filename)) {
+       unlink(tempstore);
+       error = CURLE_WRITE_ERROR;
+       goto error;
+diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
+index d2a0f43..c254359 100644
+--- a/lib/curl_config.h.cmake
++++ b/lib/curl_config.h.cmake
+@@ -157,6 +157,9 @@
+ /* Define to 1 if you have the <assert.h> header file. */
+ #cmakedefine HAVE_ASSERT_H 1
+ 
++/* Define to 1 if you have the `fchmod' function. */
++#cmakedefine HAVE_FCHMOD 1
++
+ /* Define to 1 if you have the `basename' function. */
+ #cmakedefine HAVE_BASENAME 1
+ 
+diff --git a/lib/fopen.c b/lib/fopen.c
+new file mode 100644
+index 0000000..ad3691b
+--- /dev/null
++++ b/lib/fopen.c
+@@ -0,0 +1,113 @@
++/***************************************************************************
++ *                                  _   _ ____  _
++ *  Project                     ___| | | |  _ \| |
++ *                             / __| | | | |_) | |
++ *                            | (__| |_| |  _ <| |___
++ *                             \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++
++#include "curl_setup.h"
++
++#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) ||  \
++  !defined(CURL_DISABLE_HSTS)
++
++#ifdef HAVE_FCNTL_H
++#include <fcntl.h>
++#endif
++
++#include "urldata.h"
++#include "rand.h"
++#include "fopen.h"
++/* The last 3 #include files should be in this order */
++#include "curl_printf.h"
++#include "curl_memory.h"
++#include "memdebug.h"
++
++/*
++ * Curl_fopen() opens a file for writing with a temp name, to be renamed
++ * to the final name when completed. If there is an existing file using this
++ * name at the time of the open, this function will clone the mode from that
++ * file.  if 'tempname' is non-NULL, it needs a rename after the file is
++ * written.
++ */
++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
++                    FILE **fh, char **tempname)
++{
++  CURLcode result = CURLE_WRITE_ERROR;
++  unsigned char randsuffix[9];
++  char *tempstore = NULL;
++  struct_stat sb;
++  int fd = -1;
++  *tempname = NULL;
++
++  if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
++    /* a non-regular file, fallback to direct fopen() */
++    *fh = fopen(filename, FOPEN_WRITETEXT);
++    if(*fh)
++      return CURLE_OK;
++    goto fail;
++  }
++
++  result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
++  if(result)
++    goto fail;
++
++  tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
++  if(!tempstore) {
++    result = CURLE_OUT_OF_MEMORY;
++    goto fail;
++  }
++
++  result = CURLE_WRITE_ERROR;
++  fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600);
++  if(fd == -1)
++    goto fail;
++
++#ifdef HAVE_FCHMOD
++  {
++    struct_stat nsb;
++    if((fstat(fd, &nsb) != -1) &&
++       (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) {
++      /* if the user and group are the same, clone the original mode */
++      if(fchmod(fd, sb.st_mode) == -1)
++        goto fail;
++    }
++  }
++#endif
++
++  *fh = fdopen(fd, FOPEN_WRITETEXT);
++  if(!*fh)
++    goto fail;
++
++  *tempname = tempstore;
++  return CURLE_OK;
++
++fail:
++  if(fd != -1) {
++    close(fd);
++    unlink(tempstore);
++  }
++
++  free(tempstore);
++
++  *tempname = NULL;
++  return result;
++}
++
++#endif /* ! disabled */
+diff --git a/lib/fopen.h b/lib/fopen.h
+new file mode 100644
+index 0000000..289e55f
+--- /dev/null
++++ b/lib/fopen.h
+@@ -0,0 +1,30 @@
++#ifndef HEADER_CURL_FOPEN_H
++#define HEADER_CURL_FOPEN_H
++/***************************************************************************
++ *                                  _   _ ____  _
++ *  Project                     ___| | | |  _ \| |
++ *                             / __| | | | |_) | |
++ *                            | (__| |_| |  _ <| |___
++ *                             \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++
++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
++                    FILE **fh, char **tempname);
++
++#endif
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32208.patch b/meta/recipes-support/curl/curl/CVE-2022-32208.patch
new file mode 100644
index 0000000000..9a4e398370
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32208.patch
@@ -0,0 +1,67 @@
+From fd2ffddec315c029e923e6e6f2c049809d01a5fc Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Jun 2022 09:27:24 +0200
+Subject: [PATCH] krb5: return error properly on decode errors
+
+Bug: https://curl.se/docs/CVE-2022-32208.html
+CVE-2022-32208
+Reported-by: Harry Sintonen
+Closes #9051
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/6ecdf5136b52af7]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/krb5.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/lib/krb5.c b/lib/krb5.c
+index 787137c..6f9e1f7 100644
+--- a/lib/krb5.c
++++ b/lib/krb5.c
+@@ -140,11 +140,8 @@ krb5_decode(void *app_data, void *buf, int len,
+   enc.value = buf;
+   enc.length = len;
+   maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
+-  if(maj != GSS_S_COMPLETE) {
+-    if(len >= 4)
+-      strcpy(buf, "599 ");
++  if(maj != GSS_S_COMPLETE)
+     return -1;
+-  }
+ 
+   memcpy(buf, dec.value, dec.length);
+   len = curlx_uztosi(dec.length);
+@@ -506,6 +503,7 @@ static CURLcode read_data(struct connectdata *conn,
+ {
+   int len;
+   CURLcode result;
++  int nread;
+ 
+   result = socket_read(fd, &len, sizeof(len));
+   if(result)
+@@ -514,7 +512,10 @@ static CURLcode read_data(struct connectdata *conn,
+   if(len) {
+     /* only realloc if there was a length */
+     len = ntohl(len);
+-    buf->data = Curl_saferealloc(buf->data, len);
++    if(len > CURL_MAX_INPUT_LENGTH)
++      len = 0;
++    else
++      buf->data = Curl_saferealloc(buf->data, len);
+   }
+   if(!len || !buf->data)
+     return CURLE_OUT_OF_MEMORY;
+@@ -522,8 +523,11 @@ static CURLcode read_data(struct connectdata *conn,
+   result = socket_read(fd, buf->data, len);
+   if(result)
+     return result;
+-  buf->size = conn->mech->decode(conn->app_data, buf->data, len,
+-                                 conn->data_prot, conn);
++  nread = conn->mech->decode(conn->app_data, buf->data, len,
++                             conn->data_prot, conn);
++  if(nread < 0)
++    return CURLE_RECV_ERROR;
++  buf->size = (size_t)nread;
+   buf->index = 0;
+   return CURLE_OK;
+ }
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index d5dfe62a39..67de0220c6 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -24,6 +24,10 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
            file://CVE-2022-27782-1.patch \
            file://CVE-2022-27782-2.patch \
            file://0001-openssl-fix-CN-check-error-code.patch \
+           file://CVE-2022-32205.patch \
+           file://CVE-2022-32206.patch \
+           file://CVE-2022-32207.patch \
+           file://CVE-2022-32208.patch \
            "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
 
-- 
2.25.1

[OE-core][kirkstone 02/35] harfbuzz: Fix compilation with clang

[Steve Sakoman]

From: Pavel Zhukov <pavel@zhukoff.net>

Fixup commit for prevous CVE-2022-33068 fix.

Fixes:
| In file included from ../harfbuzz-4.0.1/src/hb-ot-face.cc:39:
4429| ../harfbuzz-4.0.1/src/hb-ot-color-sbix-table.hh:301:11: error: use of bitwise '|' with boolean operands [-Werror,-Wbitwise-instead-of-logical]
4430|       if (png.IHDR.height >= 65536 | png.IHDR.width >= 65536)
4431|           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
4432|                                    ||
4433| ../harfbuzz-4.0.1/src/hb-ot-color-sbix-table.hh:301:11: note: cast one or both operands to int to silence this warning
4434| 1 error generated.

Signed-off-by: Pavel Zhukov <pavel.zhukov@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../harfbuzz/0001-Fix-conditional.patch       | 25 +++++++++++++++++++
 .../harfbuzz/harfbuzz_4.0.1.bb                |  5 ++--
 2 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-graphics/harfbuzz/harfbuzz/0001-Fix-conditional.patch

diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/0001-Fix-conditional.patch b/meta/recipes-graphics/harfbuzz/harfbuzz/0001-Fix-conditional.patch
new file mode 100644
index 0000000000..0f9b86973b
--- /dev/null
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz/0001-Fix-conditional.patch
@@ -0,0 +1,25 @@
+From e421613e8f825508afa9a0b54d33085557c37441 Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <behdad@behdad.org>
+Date: Wed, 1 Jun 2022 09:07:57 -0600
+Subject: [PATCH] [sbix] Fix conditional
+
+Signed-off: Pavel Zhukov <pavel.zhukov@huawei.com>
+Upstream-Status: Backport [e421613e8f825508afa9a0b54d33085557c37441]
+
+---
+ src/hb-ot-color-sbix-table.hh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/hb-ot-color-sbix-table.hh b/src/hb-ot-color-sbix-table.hh
+index 6efae43cda..d0e2235fb2 100644
+--- a/src/hb-ot-color-sbix-table.hh
++++ b/src/hb-ot-color-sbix-table.hh
+@@ -298,7 +298,7 @@ struct sbix
+ 
+       const PNGHeader &png = *blob->as<PNGHeader>();
+ 
+-      if (png.IHDR.height >= 65536 | png.IHDR.width >= 65536)
++      if (png.IHDR.height >= 65536 || png.IHDR.width >= 65536)
+       {
+ 	hb_blob_destroy (blob);
+ 	return false;
diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb b/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb
index 81518a53ea..b639c276db 100644
--- a/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb
@@ -11,8 +11,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6ee0f16281694fb6aa689cca1e0fb3da \
 UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases"
 UPSTREAM_CHECK_REGEX = "harfbuzz-(?P<pver>\d+(\.\d+)+).tar"
 
-SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.xz\
-           file://CVE-2022-33068.patch"
+SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.xz \
+           file://CVE-2022-33068.patch \
+           file://0001-Fix-conditional.patch"
 SRC_URI[sha256sum] = "98f68777272db6cd7a3d5152bac75083cd52a26176d87bc04c8b3929d33bce49"
 
 inherit meson pkgconfig lib_package gtk-doc gobject-introspection
-- 
2.25.1

[OE-core][kirkstone 03/35] udev-extraconf/initrdscripts/parted: Rename mount.blacklist -> mount.ignorelist

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 69e486ddb3059f80ba538e1f59c2ca8a8df0faf9)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../initrdscripts/files/init-install-efi-testfs.sh     |  2 +-
 .../initrdscripts/files/init-install-efi.sh            |  2 +-
 .../initrdscripts/files/init-install-testfs.sh         |  2 +-
 meta/recipes-core/initrdscripts/files/init-install.sh  |  2 +-
 .../{mount.blacklist => mount.ignorelist}              |  0
 meta/recipes-core/udev/udev-extraconf/mount.sh         |  4 ++--
 meta/recipes-core/udev/udev-extraconf_1.1.bb           | 10 +++++-----
 meta/recipes-extended/parted/files/run-ptest           |  6 +++---
 8 files changed, 14 insertions(+), 14 deletions(-)
 rename meta/recipes-core/udev/udev-extraconf/{mount.blacklist => mount.ignorelist} (100%)

diff --git a/meta/recipes-core/initrdscripts/files/init-install-efi-testfs.sh b/meta/recipes-core/initrdscripts/files/init-install-efi-testfs.sh
index 1fcd29e54c..4bd6ace7b3 100644
--- a/meta/recipes-core/initrdscripts/files/init-install-efi-testfs.sh
+++ b/meta/recipes-core/initrdscripts/files/init-install-efi-testfs.sh
@@ -138,7 +138,7 @@ touch /ssd/etc/controllerimage
 if [ -d /ssd/etc/ ] ; then
     # We dont want udev to mount our root device while we're booting...
     if [ -d /ssd/etc/udev/ ] ; then
-        echo "/dev/${device}" >> /ssd/etc/udev/mount.blacklist
+        echo "/dev/${device}" >> /ssd/etc/udev/mount.ignorelist
     fi
 fi
 
diff --git a/meta/recipes-core/initrdscripts/files/init-install-efi.sh b/meta/recipes-core/initrdscripts/files/init-install-efi.sh
index f667518b89..ffd3870199 100644
--- a/meta/recipes-core/initrdscripts/files/init-install-efi.sh
+++ b/meta/recipes-core/initrdscripts/files/init-install-efi.sh
@@ -229,7 +229,7 @@ if [ -d /tgt_root/etc/ ] ; then
     echo "UUID=$boot_uuid              /boot            vfat       defaults              1  2" >> /tgt_root/etc/fstab
     # We dont want udev to mount our root device while we're booting...
     if [ -d /tgt_root/etc/udev/ ] ; then
-        echo "${device}" >> /tgt_root/etc/udev/mount.blacklist
+        echo "${device}" >> /tgt_root/etc/udev/mount.ignorelist
     fi
 fi
 
diff --git a/meta/recipes-core/initrdscripts/files/init-install-testfs.sh b/meta/recipes-core/initrdscripts/files/init-install-testfs.sh
index 7b49001659..8ab74ddc5d 100644
--- a/meta/recipes-core/initrdscripts/files/init-install-testfs.sh
+++ b/meta/recipes-core/initrdscripts/files/init-install-testfs.sh
@@ -164,7 +164,7 @@ if [ -d /tgt_root/etc/ ] ; then
     echo "$bootfs              /boot            ext3       defaults              1  2" >> /tgt_root/etc/fstab
     # We dont want udev to mount our root device while we're booting...
     if [ -d /tgt_root/etc/udev/ ] ; then
-	echo "/dev/${device}" >> /tgt_root/etc/udev/mount.blacklist
+	echo "/dev/${device}" >> /tgt_root/etc/udev/mount.ignorelist
     fi
 fi
 umount /tgt_root
diff --git a/meta/recipes-core/initrdscripts/files/init-install.sh b/meta/recipes-core/initrdscripts/files/init-install.sh
index e71579631b..df33791ec7 100644
--- a/meta/recipes-core/initrdscripts/files/init-install.sh
+++ b/meta/recipes-core/initrdscripts/files/init-install.sh
@@ -261,7 +261,7 @@ if [ -d /tgt_root/etc/ ] ; then
     echo "$bootdev              /boot            ext3       defaults              1  2" >> /tgt_root/etc/fstab
     # We dont want udev to mount our root device while we're booting...
     if [ -d /tgt_root/etc/udev/ ] ; then
-        echo "${device}" >> /tgt_root/etc/udev/mount.blacklist
+        echo "${device}" >> /tgt_root/etc/udev/mount.ignorelist
     fi
 fi
 umount /tgt_root
diff --git a/meta/recipes-core/udev/udev-extraconf/mount.blacklist b/meta/recipes-core/udev/udev-extraconf/mount.ignorelist
similarity index 100%
rename from meta/recipes-core/udev/udev-extraconf/mount.blacklist
rename to meta/recipes-core/udev/udev-extraconf/mount.ignorelist
diff --git a/meta/recipes-core/udev/udev-extraconf/mount.sh b/meta/recipes-core/udev/udev-extraconf/mount.sh
index b23731870e..5ba66e98e2 100644
--- a/meta/recipes-core/udev/udev-extraconf/mount.sh
+++ b/meta/recipes-core/udev/udev-extraconf/mount.sh
@@ -26,11 +26,11 @@ fi
 
 PMOUNT="/usr/bin/pmount"
 
-for line in `grep -h -v ^# /etc/udev/mount.blacklist /etc/udev/mount.blacklist.d/*`
+for line in `grep -h -v ^# /etc/udev/mount.ignorelist /etc/udev/mount.ignorelist.d/*`
 do
 	if [ ` expr match "$DEVNAME" "$line" ` -gt 0 ];
 	then
-		logger "udev/mount.sh" "[$DEVNAME] is blacklisted, ignoring"
+		logger "udev/mount.sh" "[$DEVNAME] is marked to ignore"
 		exit 0
 	fi
 done
diff --git a/meta/recipes-core/udev/udev-extraconf_1.1.bb b/meta/recipes-core/udev/udev-extraconf_1.1.bb
index 2ba35b0df6..7da04379c0 100644
--- a/meta/recipes-core/udev/udev-extraconf_1.1.bb
+++ b/meta/recipes-core/udev/udev-extraconf_1.1.bb
@@ -1,13 +1,13 @@
 SUMMARY = "Extra machine specific configuration files"
 HOMEPAGE = "https://wiki.gentoo.org/wiki/Eudev"
-DESCRIPTION = "Extra machine specific configuration files for udev, specifically blacklist information."
+DESCRIPTION = "Extra machine specific configuration files for udev, specifically information on devices to ignore."
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
 
 SRC_URI = " \
        file://automount.rules \
        file://mount.sh \
-       file://mount.blacklist \
+       file://mount.ignorelist \
        file://autonet.rules \
        file://network.sh \
        file://localextra.rules \
@@ -23,8 +23,8 @@ do_install() {
     install -m 0644 ${WORKDIR}/autonet.rules       ${D}${sysconfdir}/udev/rules.d/autonet.rules
     install -m 0644 ${WORKDIR}/localextra.rules    ${D}${sysconfdir}/udev/rules.d/localextra.rules
 
-    install -d ${D}${sysconfdir}/udev/mount.blacklist.d
-    install -m 0644 ${WORKDIR}/mount.blacklist     ${D}${sysconfdir}/udev/
+    install -d ${D}${sysconfdir}/udev/mount.ignorelist.d
+    install -m 0644 ${WORKDIR}/mount.ignorelist     ${D}${sysconfdir}/udev/
 
     install -d ${D}${sysconfdir}/udev/scripts/
 
@@ -37,7 +37,7 @@ do_install() {
 
 FILES:${PN} = "${sysconfdir}/udev"
 RDEPENDS:${PN} = "udev"
-CONFFILES:${PN} = "${sysconfdir}/udev/mount.blacklist"
+CONFFILES:${PN} = "${sysconfdir}/udev/mount.ignorelist"
 
 # to replace udev-extra-rules from meta-oe
 RPROVIDES:${PN} = "udev-extra-rules"
diff --git a/meta/recipes-extended/parted/files/run-ptest b/meta/recipes-extended/parted/files/run-ptest
index c3d6fca339..096078967f 100644
--- a/meta/recipes-extended/parted/files/run-ptest
+++ b/meta/recipes-extended/parted/files/run-ptest
@@ -1,7 +1,7 @@
 #!/bin/sh
 
-mkdir -p /etc/udev/mount.blacklist.d
-echo /dev/sda1 >> /etc/udev/mount.blacklist.d/parted-tmp
+mkdir -p /etc/udev/mount.ignorelist.d
+echo /dev/sda1 >> /etc/udev/mount.ignorelist.d/parted-tmp
 rm -f tests/*.log
 make -C tests test-suite.log
-rm /etc/udev/mount.blacklist.d/parted-tmp
+rm /etc/udev/mount.ignorelist.d/parted-tmp
-- 
2.25.1

[OE-core][kirkstone 04/35] udev-extraconf: let automount base directory configurable

[Steve Sakoman]

From: Ming Liu <liu.ming50@gmail.com>

Dont hard-code automount base directory to '/run/media', introduce a
variable MOUNT_BASE to let it configurable, like in udisks2 the mount
base is also configurable by setting option: --enable-fhs-media.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f077befd5f36ad88623aaf6a38b1a837ecb18650)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../recipes-core/udev/udev-extraconf/mount.sh | 25 ++++++++++---------
 meta/recipes-core/udev/udev-extraconf_1.1.bb  |  2 ++
 2 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/meta/recipes-core/udev/udev-extraconf/mount.sh b/meta/recipes-core/udev/udev-extraconf/mount.sh
index 5ba66e98e2..c8b773bc07 100644
--- a/meta/recipes-core/udev/udev-extraconf/mount.sh
+++ b/meta/recipes-core/udev/udev-extraconf/mount.sh
@@ -6,6 +6,7 @@
 
 BASE_INIT="`readlink -f "@base_sbindir@/init"`"
 INIT_SYSTEMD="@systemd_unitdir@/systemd"
+MOUNT_BASE="@MOUNT_BASE@"
 
 if [ "x$BASE_INIT" = "x$INIT_SYSTEMD" ];then
     # systemd as init uses systemd-mount to mount block devices
@@ -40,7 +41,7 @@ automount_systemd() {
 
     # Skip already mounted partitions
     if [ -f /run/systemd/transient/run-media-$name.mount ]; then
-        logger "mount.sh/automount" "/run/media/$name already mounted"
+        logger "mount.sh/automount" "$MOUNT_BASE/$name already mounted"
         return
     fi
 
@@ -53,7 +54,7 @@ automount_systemd() {
         grep "^[[:space:]]*$tmp" /etc/fstab && return
     done
 
-    [ -d "/run/media/$name" ] || mkdir -p "/run/media/$name"
+    [ -d "$MOUNT_BASE/$name" ] || mkdir -p "$MOUNT_BASE/$name"
 
     MOUNT="$MOUNT -o silent"
 
@@ -70,12 +71,12 @@ automount_systemd() {
         ;;
     esac
 
-    if ! $MOUNT --no-block -t auto $DEVNAME "/run/media/$name"
+    if ! $MOUNT --no-block -t auto $DEVNAME "$MOUNT_BASE/$name"
     then
-        #logger "mount.sh/automount" "$MOUNT -t auto $DEVNAME \"/run/media/$name\" failed!"
-        rm_dir "/run/media/$name"
+        #logger "mount.sh/automount" "$MOUNT -t auto $DEVNAME \"$MOUNT_BASE/$name\" failed!"
+        rm_dir "$MOUNT_BASE/$name"
     else
-        logger "mount.sh/automount" "Auto-mount of [/run/media/$name] successful"
+        logger "mount.sh/automount" "Auto-mount of [$MOUNT_BASE/$name] successful"
         touch "/tmp/.automount-$name"
     fi
 }
@@ -93,7 +94,7 @@ automount() {
 	# configured in fstab
 	grep -q "^$DEVNAME " /proc/mounts && return
 
-	! test -d "/run/media/$name" && mkdir -p "/run/media/$name"
+	! test -d "$MOUNT_BASE/$name" && mkdir -p "$MOUNT_BASE/$name"
 	# Silent util-linux's version of mounting auto
 	if [ "x`readlink $MOUNT`" = "x/bin/mount.util-linux" ] ;
 	then
@@ -113,12 +114,12 @@ automount() {
 		;;
 	esac
 
-	if ! $MOUNT -t auto $DEVNAME "/run/media/$name"
+	if ! $MOUNT -t auto $DEVNAME "$MOUNT_BASE/$name"
 	then
-		#logger "mount.sh/automount" "$MOUNT -t auto $DEVNAME \"/run/media/$name\" failed!"
-		rm_dir "/run/media/$name"
+		#logger "mount.sh/automount" "$MOUNT -t auto $DEVNAME \"$MOUNT_BASE/$name\" failed!"
+		rm_dir "$MOUNT_BASE/$name"
 	else
-		logger "mount.sh/automount" "Auto-mount of [/run/media/$name] successful"
+		logger "mount.sh/automount" "Auto-mount of [$MOUNT_BASE/$name] successful"
 		touch "/tmp/.automount-$name"
 	fi
 }
@@ -157,5 +158,5 @@ if [ "$ACTION" = "remove" ] || [ "$ACTION" = "change" ] && [ -x "$UMOUNT" ] && [
 
     # Remove empty directories from auto-mounter
     name="`basename "$DEVNAME"`"
-    test -e "/tmp/.automount-$name" && rm_dir "/run/media/$name"
+    test -e "/tmp/.automount-$name" && rm_dir "$MOUNT_BASE/$name"
 fi
diff --git a/meta/recipes-core/udev/udev-extraconf_1.1.bb b/meta/recipes-core/udev/udev-extraconf_1.1.bb
index 7da04379c0..2b908ac05b 100644
--- a/meta/recipes-core/udev/udev-extraconf_1.1.bb
+++ b/meta/recipes-core/udev/udev-extraconf_1.1.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
 
 S = "${WORKDIR}"
 
+MOUNT_BASE = "/run/media"
 
 do_install() {
     install -d ${D}${sysconfdir}/udev/rules.d
@@ -31,6 +32,7 @@ do_install() {
     install -m 0755 ${WORKDIR}/mount.sh ${D}${sysconfdir}/udev/scripts/mount.sh
     sed -i 's|@systemd_unitdir@|${systemd_unitdir}|g' ${D}${sysconfdir}/udev/scripts/mount.sh
     sed -i 's|@base_sbindir@|${base_sbindir}|g' ${D}${sysconfdir}/udev/scripts/mount.sh
+    sed -i 's|@MOUNT_BASE@|${MOUNT_BASE}|g' ${D}${sysconfdir}/udev/scripts/mount.sh
 
     install -m 0755 ${WORKDIR}/network.sh ${D}${sysconfdir}/udev/scripts
 }
-- 
2.25.1

[OE-core][kirkstone 05/35] udev-extraconf/mount.sh: add LABELs to mountpoints

[Steve Sakoman]

From: Muhammad Hamza <Muhammad_Hamza@mentor.com>

This alters the mountpoints such that if a device has a LABEL or
a PARTLABEL, it will be mounted at e.g.:

  /run/media/$LABEL-<device-node>
  /run/media/$PARTLABEL-<device-node>
  /run/media/rootfs-sda2

otherwise the device will be mounted at e.g.:

  /run/media/<device-node>
  /run/media/sda1

The <device-node> appended with LABEL or PARTLABEL makes sure that
the mountpoint is unique, therefore, avoids overlapping mounts.

Signed-off-by: Arsalan H. Awan <Arsalan_Awan@mentor.com>
Signed-off-by: Muhammad Hamza <muhammad_hamza@mentor.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit a9a0a0967832445f1bcc65d58f95343d1b562e1b)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/udev/udev-extraconf/mount.sh | 18 ++++++++++++++++++
 meta/recipes-core/udev/udev-extraconf_1.1.bb   |  2 +-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-core/udev/udev-extraconf/mount.sh b/meta/recipes-core/udev/udev-extraconf/mount.sh
index c8b773bc07..40910be8bd 100644
--- a/meta/recipes-core/udev/udev-extraconf/mount.sh
+++ b/meta/recipes-core/udev/udev-extraconf/mount.sh
@@ -54,6 +54,9 @@ automount_systemd() {
         grep "^[[:space:]]*$tmp" /etc/fstab && return
     done
 
+    # Get the unique name for mount point
+    get_label_name "${DEVNAME}"
+
     [ -d "$MOUNT_BASE/$name" ] || mkdir -p "$MOUNT_BASE/$name"
 
     MOUNT="$MOUNT -o silent"
@@ -94,6 +97,9 @@ automount() {
 	# configured in fstab
 	grep -q "^$DEVNAME " /proc/mounts && return
 
+	# Get the unique name for mount point
+	get_label_name "${DEVNAME}"
+
 	! test -d "$MOUNT_BASE/$name" && mkdir -p "$MOUNT_BASE/$name"
 	# Silent util-linux's version of mounting auto
 	if [ "x`readlink $MOUNT`" = "x/bin/mount.util-linux" ] ;
@@ -134,6 +140,18 @@ rm_dir() {
 	fi
 }
 
+get_label_name() {
+	# Get the LABEL or PARTLABEL
+	LABEL=`/sbin/blkid | grep "$1:" | grep -o 'LABEL=".*"' | cut -d '"' -f2`
+	# If the $DEVNAME has a LABEL or a PARTLABEL
+	if [ -n "$LABEL" ]; then
+	        # Set the mount location dir name to LABEL appended
+        	# with $name e.g. label-sda. That would avoid overlapping
+	        # mounts in case two devices have same LABEL
+        	name="${LABEL}-${name}"
+	fi
+}
+
 # No ID_FS_TYPE for cdrom device, yet it should be mounted
 name="`basename "$DEVNAME"`"
 [ -e /sys/block/$name/device/media ] && media_type=`cat /sys/block/$name/device/media`
diff --git a/meta/recipes-core/udev/udev-extraconf_1.1.bb b/meta/recipes-core/udev/udev-extraconf_1.1.bb
index 2b908ac05b..8213c1a930 100644
--- a/meta/recipes-core/udev/udev-extraconf_1.1.bb
+++ b/meta/recipes-core/udev/udev-extraconf_1.1.bb
@@ -38,7 +38,7 @@ do_install() {
 }
 
 FILES:${PN} = "${sysconfdir}/udev"
-RDEPENDS:${PN} = "udev"
+RDEPENDS:${PN} = "udev util-linux-blkid"
 CONFFILES:${PN} = "${sysconfdir}/udev/mount.ignorelist"
 
 # to replace udev-extra-rules from meta-oe
-- 
2.25.1

[OE-core][kirkstone 06/35] udev-extraconf/mount.sh: save mount name in our tmp filecache

[Steve Sakoman]

From: Muhammad Hamza <Muhammad_Hamza@mentor.com>

Doing this will allow to fetch the exact name created by the
auto-mounter during the remove action where depending on the
scenario utilities such as the blkid might not be usable due
to actual device not being present on the system.

Signed-off-by: Awais Belal <awais_belal@mentor.com>
Signed-off-by: Muhammad Hamza <muhammad_hamza@mentor.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit 496b76f8775a620c1d449eb6f62a41656abf2a9b)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/udev/udev-extraconf/mount.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-core/udev/udev-extraconf/mount.sh b/meta/recipes-core/udev/udev-extraconf/mount.sh
index 40910be8bd..c4695ee27d 100644
--- a/meta/recipes-core/udev/udev-extraconf/mount.sh
+++ b/meta/recipes-core/udev/udev-extraconf/mount.sh
@@ -126,7 +126,10 @@ automount() {
 		rm_dir "$MOUNT_BASE/$name"
 	else
 		logger "mount.sh/automount" "Auto-mount of [$MOUNT_BASE/$name] successful"
-		touch "/tmp/.automount-$name"
+		# The actual device might not be present in the remove event so blkid cannot
+		# be used to calculate what name was generated here. Simply save the mount
+		# name in our tmp file.
+		echo "$name" > "/tmp/.automount-$name"
 	fi
 }
 	
-- 
2.25.1

[OE-core][kirkstone 07/35] udev-extraconf/mount.sh: only mount devices on hotplug

[Steve Sakoman]

From: Muhammad Hamza <Muhammad_Hamza@mentor.com>

fdisk from util-linux (2.31.1) and above allows the user to
manipulate an already mounted device. In order to achieve this
functionality it issues a BLKRRPART (block device re-read part)
ioctl and in response the kernel generates remove/change/add
events if the device is not mounted (manually unmounted etc)
which are caught and processed by udev. This causes our auto-mounter
to remount everything because it does not keep track and things
go out of control.
Differentiating between types of remove events such as the one
described above (generated by BLKRRPART) and one where the device
is physically plugged out is only possible using the DEVPATH variable
which is cleaned up only when the device is actually plugged-out.
This fixes the above anomaly by only mounting a device in add event
which is cleaned up properly (tmp cache deleted) in the remove event
or is not present in the tmp cache while making use of the DEVPATH
variable during the remove action.

Signed-off-by: Awais Belal <awais_belal@mentor.com>
Signed-off-by: Muhammad Hamza <muhammad_hamza@mentor.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit 11a5e6c17535438ea1e7a8403ed260c8b3a22bc8)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../recipes-core/udev/udev-extraconf/mount.sh | 34 +++++++++++++++----
 1 file changed, 27 insertions(+), 7 deletions(-)

diff --git a/meta/recipes-core/udev/udev-extraconf/mount.sh b/meta/recipes-core/udev/udev-extraconf/mount.sh
index c4695ee27d..537828e3e3 100644
--- a/meta/recipes-core/udev/udev-extraconf/mount.sh
+++ b/meta/recipes-core/udev/udev-extraconf/mount.sh
@@ -45,6 +45,13 @@ automount_systemd() {
         return
     fi
 
+    # Only go for auto-mounting when the device has been cleaned up in remove
+    # or has not been identified yet
+    if [ -e "/tmp/.automount-$name" ]; then
+            logger "mount.sh/automount" "[$MOUNT_BASE/$name] is already cached"
+            return
+    fi
+
     # Skip the partition which are already in /etc/fstab
     grep "^[[:space:]]*$DEVNAME" /etc/fstab && return
     for n in LABEL PARTLABEL UUID PARTUUID; do
@@ -100,6 +107,13 @@ automount() {
 	# Get the unique name for mount point
 	get_label_name "${DEVNAME}"
 
+        # Only go for auto-mounting when the device has been cleaned up in remove
+        # or has not been identified yet
+        if [ -e "/tmp/.automount-$name" ]; then
+                logger "mount.sh/automount" "[$MOUNT_BASE/$name] is already cached"
+                return
+        fi
+
 	! test -d "$MOUNT_BASE/$name" && mkdir -p "$MOUNT_BASE/$name"
 	# Silent util-linux's version of mounting auto
 	if [ "x`readlink $MOUNT`" = "x/bin/mount.util-linux" ] ;
@@ -172,12 +186,18 @@ if [ "$ACTION" = "add" ] && [ -n "$DEVNAME" ] && [ -n "$ID_FS_TYPE" -o "$media_t
 fi
 
 if [ "$ACTION" = "remove" ] || [ "$ACTION" = "change" ] && [ -x "$UMOUNT" ] && [ -n "$DEVNAME" ]; then
-    for mnt in `cat /proc/mounts | grep "$DEVNAME" | cut -f 2 -d " " `
-    do
-        $UMOUNT $mnt
-    done
-
-    # Remove empty directories from auto-mounter
     name="`basename "$DEVNAME"`"
-    test -e "/tmp/.automount-$name" && rm_dir "$MOUNT_BASE/$name"
+    tmpfile=`find /tmp | grep "\.automount-.*${name}$"`
+    if [ ! -e "/sys/$DEVPATH" -a -e "$tmpfile" ]; then
+        logger "mount.sh/remove" "cleaning up $DEVNAME, was mounted by the auto-mounter"
+        for mnt in `cat /proc/mounts | grep "$DEVNAME" | cut -f 2 -d " " `
+        do
+                $UMOUNT $mnt
+        done
+        # Remove mount directory created by the auto-mounter
+        # and clean up our tmp cache file
+        mntdir=`cat "$tmpfile"`
+        rm_dir "$MOUNT_BASE/$mntdir"
+        rm "$tmpfile"
+    fi
 fi
-- 
2.25.1

[OE-core][kirkstone 08/35] udev-extraconf: force systemd-udevd to use shared MountFlags

[Steve Sakoman]

From: Muhammad Hamza <Muhammad_Hamza@mentor.com>

Automounting does not work cleanly in case systemd as well as
udev rules are being used simultaneously and in most cases
race conditions and unknown behavior can come up.
In case we're running on top of systemd we need to make sure
that systemd-udevd knows that udev is in play as well and
mounting should be done using shared flags. Also as we're
using mount from sources other than systemd-mount in current
scripts this is the most manageable fix to automounting
problems.

Signed-off-by: Awais Belal <awais_belal@mentor.com>
Signed-off-by: Muhammad Hamza <muhammad_hamza@mentor.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit 1e770416b4c9a0468404fb64d55114d93e84763b)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../udev/udev-extraconf/systemd-udevd.service            | 3 +++
 meta/recipes-core/udev/udev-extraconf_1.1.bb             | 9 ++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-core/udev/udev-extraconf/systemd-udevd.service

diff --git a/meta/recipes-core/udev/udev-extraconf/systemd-udevd.service b/meta/recipes-core/udev/udev-extraconf/systemd-udevd.service
new file mode 100644
index 0000000000..a9b86eb6e4
--- /dev/null
+++ b/meta/recipes-core/udev/udev-extraconf/systemd-udevd.service
@@ -0,0 +1,3 @@
+.include @systemd_unitdir@/system/systemd-udevd.service
+[Service]
+MountFlags=shared
diff --git a/meta/recipes-core/udev/udev-extraconf_1.1.bb b/meta/recipes-core/udev/udev-extraconf_1.1.bb
index 8213c1a930..ef6019259e 100644
--- a/meta/recipes-core/udev/udev-extraconf_1.1.bb
+++ b/meta/recipes-core/udev/udev-extraconf_1.1.bb
@@ -11,6 +11,7 @@ SRC_URI = " \
        file://autonet.rules \
        file://network.sh \
        file://localextra.rules \
+       ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://systemd-udevd.service', '', d)} \
 "
 
 S = "${WORKDIR}"
@@ -35,9 +36,15 @@ do_install() {
     sed -i 's|@MOUNT_BASE@|${MOUNT_BASE}|g' ${D}${sysconfdir}/udev/scripts/mount.sh
 
     install -m 0755 ${WORKDIR}/network.sh ${D}${sysconfdir}/udev/scripts
+
+    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+        install -d ${D}${sysconfdir}/systemd/system
+        install ${WORKDIR}/systemd-udevd.service ${D}${sysconfdir}/systemd/system/systemd-udevd.service
+        sed -i 's|@systemd_unitdir@|${systemd_unitdir}|g' ${D}${sysconfdir}/systemd/system/systemd-udevd.service
+    fi
 }
 
-FILES:${PN} = "${sysconfdir}/udev"
+FILES:${PN} = "${sysconfdir}/udev ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${sysconfdir}/systemd/system/systemd-udevd.service', '', d)}"
 RDEPENDS:${PN} = "udev util-linux-blkid"
 CONFFILES:${PN} = "${sysconfdir}/udev/mount.ignorelist"
 
-- 
2.25.1

[OE-core][kirkstone 09/35] udev-extraconf/mount.sh: ignore lvm in automount

[Steve Sakoman]

From: Muhammad Hamza <Muhammad_Hamza@mentor.com>

Failure message is shown in boot logs when trying to
mount lvm as automounter does not handle cases where
lvm is mounted. This simply skips lvm while automounting
to avoid failure message in boot logs.

Signed-off-by: Ansar Rasool <ansar_rasool@mentor.com>
Signed-off-by: Muhammad Hamza <muhammad_hamza@mentor.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit b1d18072ed9a8b0bca0f20f8e5deefa73ab6acbe)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/udev/udev-extraconf/mount.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/recipes-core/udev/udev-extraconf/mount.sh b/meta/recipes-core/udev/udev-extraconf/mount.sh
index 537828e3e3..8b6ce77741 100644
--- a/meta/recipes-core/udev/udev-extraconf/mount.sh
+++ b/meta/recipes-core/udev/udev-extraconf/mount.sh
@@ -76,6 +76,8 @@ automount_systemd() {
         ;;
     swap)
         return ;;
+    lvm*|LVM*)
+        return ;;
     # TODO
     *)
         ;;
@@ -129,6 +131,8 @@ automount() {
 		;;
 	swap)
 		return ;;
+	lvm*|LVM*)
+                return ;;
 	# TODO
 	*)
 		;;
-- 
2.25.1

[OE-core][kirkstone 10/35] udev-extraconf: fix some systemd automount issues

[Steve Sakoman]

From: Ming Liu <liu.ming50@gmail.com>

The '.include' syntax has been dropped from latest systemd releases,
we need drop the systemd-udevd.service here, introduce a postinst
function to add "MountFlags=shared" to systemd-udevd.service.

Also lsblk binary is being called in mount.sh automount_systemd
function, add it to RDEPENDS.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 356520d60b9429c6f62124821e42468ff2b7b1d6)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../udev/udev-extraconf/systemd-udevd.service |  3 ---
 meta/recipes-core/udev/udev-extraconf_1.1.bb  | 20 +++++++++++--------
 2 files changed, 12 insertions(+), 11 deletions(-)
 delete mode 100644 meta/recipes-core/udev/udev-extraconf/systemd-udevd.service

diff --git a/meta/recipes-core/udev/udev-extraconf/systemd-udevd.service b/meta/recipes-core/udev/udev-extraconf/systemd-udevd.service
deleted file mode 100644
index a9b86eb6e4..0000000000
--- a/meta/recipes-core/udev/udev-extraconf/systemd-udevd.service
+++ /dev/null
@@ -1,3 +0,0 @@
-.include @systemd_unitdir@/system/systemd-udevd.service
-[Service]
-MountFlags=shared
diff --git a/meta/recipes-core/udev/udev-extraconf_1.1.bb b/meta/recipes-core/udev/udev-extraconf_1.1.bb
index ef6019259e..30f1fe76d0 100644
--- a/meta/recipes-core/udev/udev-extraconf_1.1.bb
+++ b/meta/recipes-core/udev/udev-extraconf_1.1.bb
@@ -11,7 +11,6 @@ SRC_URI = " \
        file://autonet.rules \
        file://network.sh \
        file://localextra.rules \
-       ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://systemd-udevd.service', '', d)} \
 "
 
 S = "${WORKDIR}"
@@ -36,16 +35,21 @@ do_install() {
     sed -i 's|@MOUNT_BASE@|${MOUNT_BASE}|g' ${D}${sysconfdir}/udev/scripts/mount.sh
 
     install -m 0755 ${WORKDIR}/network.sh ${D}${sysconfdir}/udev/scripts
+}
+
+pkg_postinst:${PN} () {
+	if [ -e $D${systemd_unitdir}/system/systemd-udevd.service ]; then
+		sed -i "/\[Service\]/aMountFlags=shared" $D${systemd_unitdir}/system/systemd-udevd.service
+	fi
+}
 
-    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
-        install -d ${D}${sysconfdir}/systemd/system
-        install ${WORKDIR}/systemd-udevd.service ${D}${sysconfdir}/systemd/system/systemd-udevd.service
-        sed -i 's|@systemd_unitdir@|${systemd_unitdir}|g' ${D}${sysconfdir}/systemd/system/systemd-udevd.service
-    fi
+pkg_postrm:${PN} () {
+	if [ -e $D${systemd_unitdir}/system/systemd-udevd.service ]; then
+		sed -i "/MountFlags=shared/d" $D${systemd_unitdir}/system/systemd-udevd.service
+	fi
 }
 
-FILES:${PN} = "${sysconfdir}/udev ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${sysconfdir}/systemd/system/systemd-udevd.service', '', d)}"
-RDEPENDS:${PN} = "udev util-linux-blkid"
+RDEPENDS:${PN} = "udev util-linux-blkid ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'util-linux-lsblk', '', d)}"
 CONFFILES:${PN} = "${sysconfdir}/udev/mount.ignorelist"
 
 # to replace udev-extra-rules from meta-oe
-- 
2.25.1

[OE-core][kirkstone 11/35] udev-extraconf:mount.sh: fix path mismatching issues

[Steve Sakoman]

From: Ming Liu <liu.ming50@gmail.com>

Since commit f077befd5f36ad88623aaf6a38b1a837ecb18650:
[ udev-extraconf: let automount base directory configurable ]

the mount base directory was configurable, we need drop 'run-media'
usage as well, change to figure it out from MOUNT_BASE.

Also 'get_label_name' function needs to be called ealier in
automount_systemd before checking '/tmp/.automount-$name', otherwise
they would never match.

(From OE-Core rev: c013b33162546fb5bd4bcc1daac75aa65d0be1a3)

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7ed210054b3e253d5a67075bb9d4768d1661bef1)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/udev/udev-extraconf/mount.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-core/udev/udev-extraconf/mount.sh b/meta/recipes-core/udev/udev-extraconf/mount.sh
index 8b6ce77741..43acb3a7a0 100644
--- a/meta/recipes-core/udev/udev-extraconf/mount.sh
+++ b/meta/recipes-core/udev/udev-extraconf/mount.sh
@@ -40,11 +40,14 @@ automount_systemd() {
     name="`basename "$DEVNAME"`"
 
     # Skip already mounted partitions
-    if [ -f /run/systemd/transient/run-media-$name.mount ]; then
+    if [ -f /run/systemd/transient/$(echo $MOUNT_BASE | cut -d '/' -f 2- | sed 's#/#-#g')-*$name.mount ]; then
         logger "mount.sh/automount" "$MOUNT_BASE/$name already mounted"
         return
     fi
 
+    # Get the unique name for mount point
+    get_label_name "${DEVNAME}"
+
     # Only go for auto-mounting when the device has been cleaned up in remove
     # or has not been identified yet
     if [ -e "/tmp/.automount-$name" ]; then
@@ -61,9 +64,6 @@ automount_systemd() {
         grep "^[[:space:]]*$tmp" /etc/fstab && return
     done
 
-    # Get the unique name for mount point
-    get_label_name "${DEVNAME}"
-
     [ -d "$MOUNT_BASE/$name" ] || mkdir -p "$MOUNT_BASE/$name"
 
     MOUNT="$MOUNT -o silent"
-- 
2.25.1

[OE-core][kirkstone 12/35] python3: Backport patch to fix an issue in subinterpreters

[Steve Sakoman]

From: Markus Volk <f_l_k@t-online.de>

This adds a backport patch that fixes a problem in subinterpreters related
to the garbagecollector. Without the patch, there are random segfaults in
several Kodi addons that use python3-sqlite3. Presumably there are real world
issues in other programs as well.

Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...h-92036-Fix-gc_fini_untrack-GH-92037.patch | 54 +++++++++++++++++++
 .../recipes-devtools/python/python3_3.10.4.bb |  1 +
 2 files changed, 55 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3/0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch

diff --git a/meta/recipes-devtools/python/python3/0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch b/meta/recipes-devtools/python/python3/0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch
new file mode 100644
index 0000000000..6a58c35cc6
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch
@@ -0,0 +1,54 @@
+From 178a238f25ab8aff7689d7a09d66dc1583ecd6cb Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Wed, 4 May 2022 03:23:29 -0700
+Subject: [PATCH 01/40] gh-92036: Fix gc_fini_untrack() (GH-92037)
+
+Fix a crash in subinterpreters related to the garbage collector. When
+a subinterpreter is deleted, untrack all objects tracked by its GC.
+To prevent a crash in deallocator functions expecting objects to be
+tracked by the GC, leak a strong reference to these objects on
+purpose, so they are never deleted and their deallocator functions
+are not called.
+(cherry picked from commit 14243369b5f80613628a565c224bba7fb3fcacd8)
+
+Co-authored-by: Victor Stinner <vstinner@python.org>
+
+Upstream-Status: Backport
+---
+ .../2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst           | 5 +++++
+ Modules/gcmodule.c                                          | 6 ++++++
+ 2 files changed, 11 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Core and Builtins/2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst
+
+diff --git a/Misc/NEWS.d/next/Core and Builtins/2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst b/Misc/NEWS.d/next/Core and Builtins/2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst
+new file mode 100644
+index 0000000000..78094c5e4f
+--- /dev/null
++++ b/Misc/NEWS.d/next/Core and Builtins/2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst	
+@@ -0,0 +1,5 @@
++Fix a crash in subinterpreters related to the garbage collector. When a
++subinterpreter is deleted, untrack all objects tracked by its GC. To prevent a
++crash in deallocator functions expecting objects to be tracked by the GC, leak
++a strong reference to these objects on purpose, so they are never deleted and
++their deallocator functions are not called. Patch by Victor Stinner.
+diff --git a/Modules/gcmodule.c b/Modules/gcmodule.c
+index 805a159d53..43ae6fa98b 100644
+--- a/Modules/gcmodule.c
++++ b/Modules/gcmodule.c
+@@ -2170,6 +2170,12 @@ gc_fini_untrack(PyGC_Head *list)
+     for (gc = GC_NEXT(list); gc != list; gc = GC_NEXT(list)) {
+         PyObject *op = FROM_GC(gc);
+         _PyObject_GC_UNTRACK(op);
++        // gh-92036: If a deallocator function expect the object to be tracked
++        // by the GC (ex: func_dealloc()), it can crash if called on an object
++        // which is no longer tracked by the GC. Leak one strong reference on
++        // purpose so the object is never deleted and its deallocator is not
++        // called.
++        Py_INCREF(op);
+     }
+ }
+ 
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/python/python3_3.10.4.bb b/meta/recipes-devtools/python/python3_3.10.4.bb
index 357025f856..34fd2895a3 100644
--- a/meta/recipes-devtools/python/python3_3.10.4.bb
+++ b/meta/recipes-devtools/python/python3_3.10.4.bb
@@ -35,6 +35,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \
            file://deterministic_imports.patch \
            file://0001-Avoid-shebang-overflow-on-python-config.py.patch \
+           file://0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch \
            "
 
 SRC_URI:append:class-native = " \
-- 
2.25.1

[OE-core][kirkstone 13/35] package.bbclass: Fix base directory for debugsource files when using externalsrc

[Steve Sakoman]

From: Alejandro Hernandez Samaniego <alhe@linux.microsoft.com>

While executing do_package, bitbake checks for a list of
debug source files and uses a pattern to match the ones
to be included in copydebugsources.

Previously when externalsrc was in use either directly or by
using devtool, the source location changed and this pattern
no longer matched, hence debug source files failed to be
included in the corresponding package.

Check when the source directory isnt the default (based on
WORKDIR), and change the pattern used to match debug source
files if that is the case, allowing us to perform do_package
properly.

Workaround debugsource.list containing paths from the host by
moving debug source files away from the host directory
structure  to avoid host contamination (this seems to happen
when packages use $TMPDIR/work-shared and externalsrc is
in use).

Test matrix included using:
- devtool to use externalsrc automatically
- externalsrc with a non-devtool based source directory
- No externalsrc at all
Tested the following packages to be working:
- glibc ($TMPDIR/work-shared based)
- libxcrypt ($TMPDIR/work based)

[YOCTO 8015]

Signed-off-by: Alejandro Enedino Hernandez Samaniego <alhe@linux.microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a887bd96fd0a15398e8077ea79df5070971866e4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/package.bbclass | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/meta/classes/package.bbclass b/meta/classes/package.bbclass
index 62050a18b8..4850134022 100644
--- a/meta/classes/package.bbclass
+++ b/meta/classes/package.bbclass
@@ -553,13 +553,25 @@ def copydebugsources(debugsrcdir, sources, d):
         strip = d.getVar("STRIP")
         objcopy = d.getVar("OBJCOPY")
         workdir = d.getVar("WORKDIR")
+        sdir = d.getVar("S")
+        sparentdir = os.path.dirname(os.path.dirname(sdir))
+        sbasedir = os.path.basename(os.path.dirname(sdir)) + "/" + os.path.basename(sdir)
         workparentdir = os.path.dirname(os.path.dirname(workdir))
         workbasedir = os.path.basename(os.path.dirname(workdir)) + "/" + os.path.basename(workdir)
 
+        # If S isnt based on WORKDIR we can infer our sources are located elsewhere,
+        # e.g. using externalsrc; use S as base for our dirs
+        if workdir in sdir:
+            basedir = workbasedir
+            parentdir = workparentdir
+        else:
+            basedir = sbasedir
+            parentdir = sparentdir
+
         # If build path exists in sourcefile, it means toolchain did not use
         # -fdebug-prefix-map to compile
         if checkbuildpath(sourcefile, d):
-            localsrc_prefix = workparentdir + "/"
+            localsrc_prefix = parentdir + "/"
         else:
             localsrc_prefix = "/usr/src/debug/"
 
@@ -581,7 +593,7 @@ def copydebugsources(debugsrcdir, sources, d):
         processdebugsrc += "sed 's#%s##g' | "
         processdebugsrc += "(cd '%s' ; cpio -pd0mlL --no-preserve-owner '%s%s' 2>/dev/null)"
 
-        cmd = processdebugsrc % (sourcefile, workbasedir, localsrc_prefix, workparentdir, dvar, debugsrcdir)
+        cmd = processdebugsrc % (sourcefile, basedir, localsrc_prefix, parentdir, dvar, debugsrcdir)
         try:
             subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
         except subprocess.CalledProcessError:
@@ -591,9 +603,22 @@ def copydebugsources(debugsrcdir, sources, d):
         # cpio seems to have a bug with -lL together and symbolic links are just copied, not dereferenced.
         # Work around this by manually finding and copying any symbolic links that made it through.
         cmd = "find %s%s -type l -print0 -delete | sed s#%s%s/##g | (cd '%s' ; cpio -pd0mL --no-preserve-owner '%s%s')" % \
-                (dvar, debugsrcdir, dvar, debugsrcdir, workparentdir, dvar, debugsrcdir)
+                (dvar, debugsrcdir, dvar, debugsrcdir, parentdir, dvar, debugsrcdir)
         subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
 
+
+        # debugsources.list may be polluted from the host if we used externalsrc,
+        # cpio uses copy-pass and may have just created a directory structure
+        # matching the one from the host, if thats the case move those files to
+        # debugsrcdir to avoid host contamination.
+        # Empty dir structure will be deleted in the next step.
+
+        # Same check as above for externalsrc
+        if workdir not in sdir:
+            if os.path.exists(dvar + debugsrcdir + sdir):
+                cmd = "mv %s%s%s/* %s%s" % (dvar, debugsrcdir, sdir, dvar,debugsrcdir)
+                subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
+
         # The copy by cpio may have resulted in some empty directories!  Remove these
         cmd = "find %s%s -empty -type d -delete" % (dvar, debugsrcdir)
         subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
-- 
2.25.1

[OE-core][kirkstone 14/35] package.bbclass: Avoid stripping signed kernel modules in splitdebuginfo

[Steve Sakoman]

From: Christoph Lauer <christoph.lauer@xtronic.de>

Since commit d756b346f248df47b0540644adb1d0f17bcc4b6e kernel modules are stripped by the functions 'runstrip' and 'splitdebuginfo'. Signed modules must not be stripped. Function 'runstrip' avoids this by running is_kernel_module_signed. Apply the same check to splitdebuginfo.

(From OE-Core rev: 6859226652339b19cbc7bdfec074fe2016cdee60)

Signed-off-by: Christoph Lauer <christoph.lauer@xtronic.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dc0f0413eabfd50f78d887f73f808d40a314fbd8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/package.bbclass | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/classes/package.bbclass b/meta/classes/package.bbclass
index 4850134022..63887b34f8 100644
--- a/meta/classes/package.bbclass
+++ b/meta/classes/package.bbclass
@@ -382,6 +382,11 @@ def splitdebuginfo(file, dvar, dv, d):
     debugfile = dvar + dest
     sources = []
 
+    if file.endswith(".ko") and file.find("/lib/modules/") != -1:
+        if oe.package.is_kernel_module_signed(file):
+            bb.debug(1, "Skip strip on signed module %s" % file)
+            return (file, sources)
+
     # Split the file...
     bb.utils.mkdirhier(os.path.dirname(debugfile))
     #bb.note("Split %s -> %s" % (file, debugfile))
-- 
2.25.1

[OE-core][kirkstone 15/35] package.bbclass: Fix kernel source handling when not using externalsrc

[Steve Sakoman]

From: Alejandro Hernandez Samaniego <alhe@linux.microsoft.com>

Previous commit c725bdb29b266 broke kernel source handling, this was due
to the code expecting the sources to be in a different directory, this did
not happen when using externalsrc since sources were found in the expected
directories.

Pass work-shared to the check to allow sources to be found in the proper
directory, allowing these to be packaged in the next step.

To test this we grabbed a commit where we knew the buildpaths
QA test should flag a file inside the kernel sources, with the previous
commit the QA warning wasnt flagged since no sources where there, with
this fix the buildpaths QA warning gets flagged properly.

Signed-off-by: Alejandro Enedino Hernandez Samaniego <alhe@linux.microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2714a8ef8c7b3c66d50f27f4f52fe2fe4db39b00)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/package.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/package.bbclass b/meta/classes/package.bbclass
index 63887b34f8..97e97d2703 100644
--- a/meta/classes/package.bbclass
+++ b/meta/classes/package.bbclass
@@ -566,7 +566,7 @@ def copydebugsources(debugsrcdir, sources, d):
 
         # If S isnt based on WORKDIR we can infer our sources are located elsewhere,
         # e.g. using externalsrc; use S as base for our dirs
-        if workdir in sdir:
+        if workdir in sdir or 'work-shared' in sdir:
             basedir = workbasedir
             parentdir = workparentdir
         else:
-- 
2.25.1

[OE-core][kirkstone 16/35] insane: Fix buildpaths test to work with special devices

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

If enabled, the buildpaths test hangs in psplash as it tries to open
a fifo and read from it, hanging indefinitely.

Tweak the test to ignore fifo/socket/device files.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2567edb7e0a8c5ca9a88d6940491bf33bfe0eff9)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/insane.bbclass | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass
index 6f6dcb3dd5..f3f80334f6 100644
--- a/meta/classes/insane.bbclass
+++ b/meta/classes/insane.bbclass
@@ -444,12 +444,14 @@ def package_qa_check_buildpaths(path, name, d, elf, messages):
     Check for build paths inside target files and error if paths are not
     explicitly ignored.
     """
+    import stat
     # Ignore .debug files, not interesting
     if path.find(".debug") != -1:
         return
 
-    # Ignore symlinks
-    if os.path.islink(path):
+    # Ignore symlinks/devs/fifos
+    mode = os.lstat(path).st_mode
+    if stat.S_ISLNK(mode) or stat.S_ISBLK(mode) or stat.S_ISFIFO(mode) or stat.S_ISCHR(mode) or stat.S_ISSOCK(mode):
         return
 
     tmpdir = bytes(d.getVar('TMPDIR'), encoding="utf-8")
-- 
2.25.1

[OE-core][kirkstone 17/35] waffle: correctly request wayland-scanner executable

[Steve Sakoman]

From: Alexander Kanavin <alex.kanavin@gmail.com>

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit cd05e2543bde4175da67781ec6f3eebc143d95d0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...build-request-native-wayland-scanner.patch | 27 +++++++++++++++++++
 meta/recipes-graphics/waffle/waffle_1.7.0.bb  |  1 +
 2 files changed, 28 insertions(+)
 create mode 100644 meta/recipes-graphics/waffle/waffle/0001-meson.build-request-native-wayland-scanner.patch

diff --git a/meta/recipes-graphics/waffle/waffle/0001-meson.build-request-native-wayland-scanner.patch b/meta/recipes-graphics/waffle/waffle/0001-meson.build-request-native-wayland-scanner.patch
new file mode 100644
index 0000000000..1b62db92e9
--- /dev/null
+++ b/meta/recipes-graphics/waffle/waffle/0001-meson.build-request-native-wayland-scanner.patch
@@ -0,0 +1,27 @@
+From 2195cec1e5bc66128d72049c11ff381ca4516a4b Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Tue, 5 Jul 2022 11:51:39 +0200
+Subject: [PATCH] meson.build: request native wayland-scanner
+
+This matters in cross compilation, as otherwise meson will
+try to use a cross-binary, and fail.
+
+Upstream-Status: Submitted [https://gitlab.freedesktop.org/mesa/waffle/-/merge_requests/110]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ meson.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/meson.build b/meson.build
+index 0bb6128..0b6da1f 100644
+--- a/meson.build
++++ b/meson.build
+@@ -108,7 +108,7 @@ else
+     'wayland-egl', version : '>= 9.1', required : get_option('wayland'),
+   )
+   dep_wayland_scanner = dependency(
+-    'wayland-scanner', version : '>= 1.15', required : get_option('wayland'),
++    'wayland-scanner', version : '>= 1.15', required : get_option('wayland'), native: true,
+   )
+   if dep_wayland_scanner.found()
+     prog_wayland_scanner = find_program(dep_wayland_scanner.get_pkgconfig_variable('wayland_scanner'))
diff --git a/meta/recipes-graphics/waffle/waffle_1.7.0.bb b/meta/recipes-graphics/waffle/waffle_1.7.0.bb
index f1fd9e7630..dc475908d0 100644
--- a/meta/recipes-graphics/waffle/waffle_1.7.0.bb
+++ b/meta/recipes-graphics/waffle/waffle_1.7.0.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=4c5154407c2490750dd461c50ad94797 \
 
 SRC_URI = "git://gitlab.freedesktop.org/mesa/waffle.git;protocol=https;branch=master \
            file://0001-waffle-do-not-make-core-protocol-into-the-library.patch \
+           file://0001-meson.build-request-native-wayland-scanner.patch \
            "
 SRCREV = "905c6c10f2483adf0cbfa024e2d3c2ed541fb300"
 S = "${WORKDIR}/git"
-- 
2.25.1

[OE-core][kirkstone 18/35] lua: Fix multilib buildpath reproducibility issues

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

The .pc we install ourselves for lua has hardcoded /lib assumptions in it
which means in a multilib environment, full build paths end up in users
like rpm's configuration.

Fix the .pc file to use a correct includedir and libdir to resolve
those reproducibility issues.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 93bee5c74b8d181adf93de4b4101e25d24780603)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/lua/lua/lua.pc.in | 5 ++---
 meta/recipes-devtools/lua/lua_5.4.4.bb  | 2 +-
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-devtools/lua/lua/lua.pc.in b/meta/recipes-devtools/lua/lua/lua.pc.in
index c27e86e85d..1fc288c4fe 100644
--- a/meta/recipes-devtools/lua/lua/lua.pc.in
+++ b/meta/recipes-devtools/lua/lua/lua.pc.in
@@ -1,6 +1,5 @@
-prefix=/usr
-libdir=${prefix}/lib
-includedir=${prefix}/include
+libdir=@LIBDIR@
+includedir=@INCLUDEDIR@
 
 Name: Lua
 Description: Lua language engine
diff --git a/meta/recipes-devtools/lua/lua_5.4.4.bb b/meta/recipes-devtools/lua/lua_5.4.4.bb
index d704841378..6f2cea5314 100644
--- a/meta/recipes-devtools/lua/lua_5.4.4.bb
+++ b/meta/recipes-devtools/lua/lua_5.4.4.bb
@@ -45,7 +45,7 @@ do_install () {
         install
     install -d ${D}${libdir}/pkgconfig
 
-    sed -e s/@VERSION@/${PV}/ ${WORKDIR}/lua.pc.in > ${WORKDIR}/lua.pc
+    sed -e s/@VERSION@/${PV}/ -e s#@LIBDIR@#${libdir}# -e s#@INCLUDEDIR@#${includedir}# ${WORKDIR}/lua.pc.in > ${WORKDIR}/lua.pc
     install -m 0644 ${WORKDIR}/lua.pc ${D}${libdir}/pkgconfig/
     rmdir ${D}${datadir}/lua/5.4
     rmdir ${D}${datadir}/lua
-- 
2.25.1

[OE-core][kirkstone 19/35] vala: Fix on target wrapper buildpaths issue

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

The on target wrapper contains paths from the host build. Remove them.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 10980ae59f18679413f2d3fd428a9386e4d6fc3a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/vala/vala.inc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/meta/recipes-devtools/vala/vala.inc b/meta/recipes-devtools/vala/vala.inc
index 90e0b77de0..974baa33f5 100644
--- a/meta/recipes-devtools/vala/vala.inc
+++ b/meta/recipes-devtools/vala/vala.inc
@@ -60,3 +60,9 @@ vapigen_sysroot_preprocess() {
 }
 
 SSTATE_SCAN_FILES += "vapigen-wrapper"
+
+PACKAGE_PREPROCESS_FUNCS += "vala_package_preprocess"
+
+vala_package_preprocess () {
+	sed -i -e 's:${RECIPE_SYSROOT}::g;' ${PKGD}${bindir}/vapigen-wrapper
+}
-- 
2.25.1

[OE-core][kirkstone 20/35] libmodule-build-perl: Use env utility to find perl interpreter

[Steve Sakoman]

From: Khem Raj <raj.khem@gmail.com>

Fixes
ERROR: QA Issue: : /work/x86_64-linux/libmodule-build-perl-native/0.4231-r0/sysroot-destdir/work/x86_64-linux/libmodule-build-perl-native/0.4231-r0/recipe-sysroot-native/usr/bin/config_data maximum shebang size exceeded, the maximum size is 128. [shebang-size]

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 54ecb2d3f2523293383103cbe590ebdd037ee483)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/perl/libmodule-build-perl_0.4231.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-devtools/perl/libmodule-build-perl_0.4231.bb b/meta/recipes-devtools/perl/libmodule-build-perl_0.4231.bb
index e2c79d962b..881d5e672e 100644
--- a/meta/recipes-devtools/perl/libmodule-build-perl_0.4231.bb
+++ b/meta/recipes-devtools/perl/libmodule-build-perl_0.4231.bb
@@ -37,6 +37,7 @@ EXTRA_CPAN_BUILD_FLAGS = "--create_packlist=0"
 
 do_install:append () {
         rm -rf ${D}${docdir}/perl/html
+        sed -i "s:^#!.*:#!/usr/bin/env perl:" ${D}${bindir}/config_data
 }
 
 do_install_ptest() {
-- 
2.25.1

[OE-core][kirkstone 21/35] gtk-doc: Remove hardcoded buildpath

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

When api-documentation is enabled, we see a hardcoded build path to xsltproc in
the target python configuration file. We curate PATH carefully so we don't
need the path there, tweak configure to remove it and solve the issue.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f7924a85de548f9403d561b15c1f2c33d9912393)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-gnome/gtk-doc/gtk-doc_1.33.2.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-gnome/gtk-doc/gtk-doc_1.33.2.bb b/meta/recipes-gnome/gtk-doc/gtk-doc_1.33.2.bb
index 392913fcc6..150eca9274 100644
--- a/meta/recipes-gnome/gtk-doc/gtk-doc_1.33.2.bb
+++ b/meta/recipes-gnome/gtk-doc/gtk-doc_1.33.2.bb
@@ -18,6 +18,8 @@ PACKAGECONFIG ??= "${@bb.utils.contains("DISTRO_FEATURES", "api-documentation",
 PACKAGECONFIG[working-scripts] = ",,libxslt-native xmlto-native python3-six python3-pygments"
 PACKAGECONFIG[tests] = "--enable-tests,--disable-tests,glib-2.0"
 
+CACHED_CONFIGUREVARS += "ac_cv_path_XSLTPROC=xsltproc"
+
 SRC_URI[archive.sha256sum] = "cc1b709a20eb030a278a1f9842a362e00402b7f834ae1df4c1998a723152bf43"
 SRC_URI += "file://0001-Do-not-hardocode-paths-to-perl-python-in-scripts.patch \
            file://0001-Do-not-error-out-if-xsltproc-is-not-found.patch \
-- 
2.25.1

[OE-core][kirkstone 22/35] perl: don't install Makefile.old into perl-ptest

[Steve Sakoman]

From: Ross Burton <ross.burton@arm.com>

We already exclude Makefile, makefile, and makefile.old from copy of the
perl source tree that is used by perl-ptest, but Makefile.old is not
being excluded.  In a rebuild of perl with an existing source tree these
files now exist but have build paths in. As they're backup files, they
can just be excluded from the packages.

Use range globs to clean up the expressions, and exclude Makefile.old.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 30a99affca7930f7fe0ddeb016b6183240b5f13c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/perl/perl-ptest.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-devtools/perl/perl-ptest.inc b/meta/recipes-devtools/perl/perl-ptest.inc
index 54c7807571..c233fab545 100644
--- a/meta/recipes-devtools/perl/perl-ptest.inc
+++ b/meta/recipes-devtools/perl/perl-ptest.inc
@@ -10,12 +10,12 @@ do_install_ptest () {
 	sed -e "s:\/usr\/local:${bindir}:g" -i cpan/version/t/*
 	sed -e "s:\/opt:\/usr:" -i Porting/add-package.pl
 	sed -e "s:\/local\/gnu\/:\/:" -i hints/cxux.sh
-	tar -c --exclude=try --exclude=a.out --exclude='*.o' --exclude=libperl.so* --exclude=Makefile --exclude=makefile --exclude=hostperl \
+	tar -c --exclude=try --exclude=a.out --exclude='*.o' --exclude=libperl.so* --exclude=[Mm]akefile --exclude=hostperl \
 	    --exclude=cygwin --exclude=os2 --exclude=djgpp --exclude=qnx --exclude=symbian --exclude=haiku \
 	    --exclude=vms --exclude=vos --exclude=NetWare --exclude=amigaos4  --exclude=buildcustomize.pl \
 	    --exclude='win32/config.*' --exclude=plan9 --exclude=README.plan9 --exclude=perlplan9.pod --exclude=Configure \
 	    --exclude=veryclean.sh --exclude=realclean.sh  --exclude=getioctlsizes \
-	    --exclude=dl_aix.xs --exclude=sdbm.3 --exclude='cflags.SH' --exclude=makefile.old \
+	    --exclude=dl_aix.xs --exclude=sdbm.3 --exclude='cflags.SH' --exclude=[Mm]akefile.old \
 		--exclude=miniperl --exclude=generate_uudmap --exclude=patches --exclude='config.log' * | ( cd ${D}${PTEST_PATH} && tar -x )
 
 	ln -sf ${bindir}/perl ${D}${PTEST_PATH}/t/perl
-- 
2.25.1

[OE-core][kirkstone 23/35] alsa-state: correct license

[Steve Sakoman]

From: Peter Marko <peter.marko@siemens.com>

* add GPL license because of alsa-state-init file
* gpl link points to gpl3, but at time of adding this file was actually
  pointing to gpl2, so should correspond to SPDX GPL-2.0-or-later
* remove date as the file was already changed several times since then

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ca73ff0d9930d545ce8cb8a62e259c0b43310f99)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-bsp/alsa-state/alsa-state.bb              | 7 +++++--
 meta/recipes-bsp/alsa-state/alsa-state/alsa-state-init | 3 +--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-bsp/alsa-state/alsa-state.bb b/meta/recipes-bsp/alsa-state/alsa-state.bb
index df546633f1..27b2eccbe4 100644
--- a/meta/recipes-bsp/alsa-state/alsa-state.bb
+++ b/meta/recipes-bsp/alsa-state/alsa-state.bb
@@ -8,8 +8,11 @@ SUMMARY = "Alsa scenario files to enable alsa state restoration"
 HOMEPAGE = "http://www.alsa-project.org/"
 DESCRIPTION = "Alsa Scenario Files - an init script and state files to restore \
 sound state at system boot and save it at system shut down."
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+LICENSE = "MIT & GPL-2.0-or-later"
+LIC_FILES_CHKSUM = " \
+    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420 \
+    file://alsa-state-init;beginline=3;endline=4;md5=3ff7ecbf534d7d503941abe8e268ef50 \
+"
 PV = "0.2.0"
 PR = "r5"
 
diff --git a/meta/recipes-bsp/alsa-state/alsa-state/alsa-state-init b/meta/recipes-bsp/alsa-state/alsa-state/alsa-state-init
index eee59cb321..a04cc27004 100755
--- a/meta/recipes-bsp/alsa-state/alsa-state/alsa-state-init
+++ b/meta/recipes-bsp/alsa-state/alsa-state/alsa-state-init
@@ -1,10 +1,9 @@
 #! /bin/sh
 #
 # Copyright Matthias Hentges <devel@hentges.net> (c) 2007
-# License: GPL (see http://www.gnu.org/licenses/gpl.txt for a copy of the license)
+# SPDX-License-Identifier: GPL-2.0-or-later
 #
 # Filename: alsa-state
-# Date: 20070308 (YMD)
 
 # source function library
 . /etc/init.d/functions
-- 
2.25.1

[OE-core][kirkstone 24/35] kernel-arch: Fix buildpaths leaking into external module compiles

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

Building external kernel modules like lttng-modules was showing build paths
inside the debug symbols for the modules and breaking build reproducibility.

Fix this by adding in the mapping needed to map the kernel build directory
to something more approriate on target.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b56dc9009ba93174de6bf4c01e17808ef249dc5c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/kernel-arch.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/kernel-arch.bbclass b/meta/classes/kernel-arch.bbclass
index 07ec242e63..348a3adf22 100644
--- a/meta/classes/kernel-arch.bbclass
+++ b/meta/classes/kernel-arch.bbclass
@@ -61,7 +61,7 @@ HOST_LD_KERNEL_ARCH ?= "${TARGET_LD_KERNEL_ARCH}"
 TARGET_AR_KERNEL_ARCH ?= ""
 HOST_AR_KERNEL_ARCH ?= "${TARGET_AR_KERNEL_ARCH}"
 
-KERNEL_CC = "${CCACHE}${HOST_PREFIX}gcc ${HOST_CC_KERNEL_ARCH} -fuse-ld=bfd ${DEBUG_PREFIX_MAP} -fdebug-prefix-map=${STAGING_KERNEL_DIR}=${KERNEL_SRC_PATH}"
+KERNEL_CC = "${CCACHE}${HOST_PREFIX}gcc ${HOST_CC_KERNEL_ARCH} -fuse-ld=bfd ${DEBUG_PREFIX_MAP} -fdebug-prefix-map=${STAGING_KERNEL_DIR}=${KERNEL_SRC_PATH} -fdebug-prefix-map=${STAGING_KERNEL_BUILDDIR}=${KERNEL_SRC_PATH}"
 KERNEL_LD = "${CCACHE}${HOST_PREFIX}ld.bfd ${HOST_LD_KERNEL_ARCH}"
 KERNEL_AR = "${CCACHE}${HOST_PREFIX}ar ${HOST_AR_KERNEL_ARCH}"
 TOOLCHAIN = "gcc"
-- 
2.25.1

[OE-core][kirkstone 25/35] devtool: ignore pn- overrides when determining SRC_URI overrides

[Steve Sakoman]

From: Paul Eggleton <paul.eggleton@microsoft.com>

If (perhaps foolishly) at your configuration level you have e.g.

  SRC_URI_append_pn-recipename = " file://patchname.patch"

and then run devtool modify on a different recipe, an error occurs:

  INFO: SRC_URI contains some conditional appends/prepends - will create branches to represent these
  ...
  ERROR: [Errno 2] No such file or directory: '/path/to/downloads/patchname.patch'

pn- overrides would not constitute an alternative configuration that we
should handle in this context, so just ignore them to avoid the issue.

Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3f2a812ade42ece0bb59b2d303125a91b29936dd)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 scripts/lib/devtool/standard.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/scripts/lib/devtool/standard.py b/scripts/lib/devtool/standard.py
index 4b50e3c63b..e53569c5cc 100644
--- a/scripts/lib/devtool/standard.py
+++ b/scripts/lib/devtool/standard.py
@@ -520,7 +520,9 @@ def _extract_source(srctree, keep_temp, devbranch, sync, config, basepath, works
         for event in history:
             if not 'flag' in event:
                 if event['op'].startswith((':append[', ':prepend[')):
-                    extra_overrides.append(event['op'].split('[')[1].split(']')[0])
+                    override = event['op'].split('[')[1].split(']')[0]
+                    if not override.startswith('pn-'):
+                        extra_overrides.append(override)
         # We want to remove duplicate overrides. If a recipe had multiple
         # SRC_URI_override += values it would cause mulitple instances of
         # overrides. This doesn't play nicely with things like creating a
-- 
2.25.1

[OE-core][kirkstone 26/35] bin_package: install into base_prefix

[Steve Sakoman]

From: Pascal Bach <pascal.bach@siemens.com>

This makes the bin_package.bbclass work properly with the native class.

Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ad330b6d4b6e2ba051b5c6c437e07a183831f757)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/bin_package.bbclass | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/classes/bin_package.bbclass b/meta/classes/bin_package.bbclass
index c3aca20443..f0407e1329 100644
--- a/meta/classes/bin_package.bbclass
+++ b/meta/classes/bin_package.bbclass
@@ -30,8 +30,9 @@ bin_package_do_install () {
         bbfatal bin_package has nothing to install. Be sure the SRC_URI unpacks into S.
     fi
     cd ${S}
+    install -d ${D}${base_prefix}
     tar --no-same-owner --exclude='./patches' --exclude='./.pc' -cpf - . \
-        | tar --no-same-owner -xpf - -C ${D}
+        | tar --no-same-owner -xpf - -C ${D}${base_prefix}
 }
 
 FILES:${PN} = "/"
-- 
2.25.1

[OE-core][kirkstone 27/35] patch: handle if S points to a subdirectory of a git repo

[Steve Sakoman]

From: Paul Eggleton <paul.eggleton@microsoft.com>

If PATCHTOOL = "git", SRC_URI fetches from a git repo and S points to
a subdirectory of the checked out sources, then we were erroneously
initialising the subdirectory as its own git repo. Check if the returned
top-level repo directory is a subdirectory of WORKDIR and do not
run initialise the source directory if that is the case.

(This was a regression introduced with OE-Core revision
6184b56a7a0fc6f5d19fdfb81e7453667f7da940, however we didn't have a test
that verified the behaviour.)

Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9cca53a2bcbf6809615ce5626c86c6ee481a7a76)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oe/patch.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/lib/oe/patch.py b/meta/lib/oe/patch.py
index 95b915a6ab..4ec9caed45 100644
--- a/meta/lib/oe/patch.py
+++ b/meta/lib/oe/patch.py
@@ -299,10 +299,10 @@ class GitApplyTree(PatchTree):
         PatchTree.__init__(self, dir, d)
         self.commituser = d.getVar('PATCH_GIT_USER_NAME')
         self.commitemail = d.getVar('PATCH_GIT_USER_EMAIL')
-        if not self._isInitialized():
+        if not self._isInitialized(d):
             self._initRepo()
 
-    def _isInitialized(self):
+    def _isInitialized(self, d):
         cmd = "git rev-parse --show-toplevel"
         try:
             output = runcmd(cmd.split(), self.dir).strip()
@@ -310,8 +310,8 @@ class GitApplyTree(PatchTree):
             ## runcmd returned non-zero which most likely means 128
             ## Not a git directory
             return False
-        ## Make sure repo is in builddir to not break top-level git repos
-        return os.path.samefile(output, self.dir)
+        ## Make sure repo is in builddir to not break top-level git repos, or under workdir
+        return os.path.samefile(output, self.dir) or oe.path.is_path_parent(d.getVar('WORKDIR'), output)
 
     def _initRepo(self):
         runcmd("git init".split(), self.dir)
-- 
2.25.1

[OE-core][kirkstone 28/35] devtool: finish: handle patching when S points to subdir of a git repo

[Steve Sakoman]

From: Paul Eggleton <paul.eggleton@microsoft.com>

If devtool finish needs to create a patch and have it applied to the
sources for a recipe where S points to a subdirectory of the sources,
then the patch needs to be applied at the root of the repo i.e. we need
to add a patchdir= parameter to the SRC_URI entry.

Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ad3736d9ca14cac14a7da22c1cfdeda219665e6f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oe/recipeutils.py      |  9 +++++++--
 scripts/lib/devtool/standard.py | 25 +++++++++++++++++++------
 2 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/meta/lib/oe/recipeutils.py b/meta/lib/oe/recipeutils.py
index 872ff97b89..b04992c66d 100644
--- a/meta/lib/oe/recipeutils.py
+++ b/meta/lib/oe/recipeutils.py
@@ -666,7 +666,7 @@ def get_bbappend_path(d, destlayerdir, wildcardver=False):
     return (appendpath, pathok)
 
 
-def bbappend_recipe(rd, destlayerdir, srcfiles, install=None, wildcardver=False, machine=None, extralines=None, removevalues=None, redirect_output=None):
+def bbappend_recipe(rd, destlayerdir, srcfiles, install=None, wildcardver=False, machine=None, extralines=None, removevalues=None, redirect_output=None, params=None):
     """
     Writes a bbappend file for a recipe
     Parameters:
@@ -696,6 +696,9 @@ def bbappend_recipe(rd, destlayerdir, srcfiles, install=None, wildcardver=False,
         redirect_output:
             If specified, redirects writing the output file to the
             specified directory (for dry-run purposes)
+        params:
+            Parameters to use when adding entries to SRC_URI. If specified,
+            should be a list of dicts with the same length as srcfiles.
     """
 
     if not removevalues:
@@ -762,12 +765,14 @@ def bbappend_recipe(rd, destlayerdir, srcfiles, install=None, wildcardver=False,
     copyfiles = {}
     if srcfiles:
         instfunclines = []
-        for newfile, origsrcfile in srcfiles.items():
+        for i, (newfile, origsrcfile) in enumerate(srcfiles.items()):
             srcfile = origsrcfile
             srcurientry = None
             if not srcfile:
                 srcfile = os.path.basename(newfile)
                 srcurientry = 'file://%s' % srcfile
+                if params and params[i]:
+                    srcurientry = '%s;%s' % (srcurientry, ';'.join('%s=%s' % (k,v) for k,v in params[i].items()))
                 # Double-check it's not there already
                 # FIXME do we care if the entry is added by another bbappend that might go away?
                 if not srcurientry in rd.getVar('SRC_URI').split():
diff --git a/scripts/lib/devtool/standard.py b/scripts/lib/devtool/standard.py
index e53569c5cc..c98bfe8195 100644
--- a/scripts/lib/devtool/standard.py
+++ b/scripts/lib/devtool/standard.py
@@ -1606,6 +1606,19 @@ def _update_recipe_patch(recipename, workspace, srctree, rd, appendlayerdir, wil
     if not os.path.exists(append):
         raise DevtoolError('unable to find workspace bbappend for recipe %s' %
                            recipename)
+    srctreebase = workspace[recipename]['srctreebase']
+    relpatchdir = os.path.relpath(srctreebase, srctree)
+    if relpatchdir == '.':
+        patchdir_params = {}
+    else:
+        patchdir_params = {'patchdir': relpatchdir}
+
+    def srcuri_entry(fname):
+        if patchdir_params:
+            paramstr = ';' + ';'.join('%s=%s' % (k,v) for k,v in patchdir_params.items())
+        else:
+            paramstr = ''
+        return 'file://%s%s' % (basepath, paramstr)
 
     initial_rev, update_rev, changed_revs, filter_patches = _get_patchset_revs(srctree, append, initial_rev, force_patch_refresh)
     if not initial_rev:
@@ -1627,7 +1640,6 @@ def _update_recipe_patch(recipename, workspace, srctree, rd, appendlayerdir, wil
             new_f = {}
             del_f = {}
         else:
-            srctreebase = workspace[recipename]['srctreebase']
             upd_f, new_f, del_f = _export_local_files(srctree, rd, local_files_dir, srctreebase)
 
         remove_files = []
@@ -1663,14 +1675,15 @@ def _update_recipe_patch(recipename, workspace, srctree, rd, appendlayerdir, wil
                     removedentries, remaining = _remove_file_entries(
                                                     srcuri, remove_files)
                     if removedentries or remaining:
-                        remaining = ['file://' + os.path.basename(item) for
+                        remaining = [srcuri_entry(os.path.basename(item)) for
                                      item in remaining]
                         removevalues = {'SRC_URI': removedentries + remaining}
                 appendfile, destpath = oe.recipeutils.bbappend_recipe(
                                 rd, appendlayerdir, files,
                                 wildcardver=wildcard_version,
                                 removevalues=removevalues,
-                                redirect_output=dry_run_outdir)
+                                redirect_output=dry_run_outdir,
+                                params=[patchdir_params] * len(files))
             else:
                 logger.info('No patches or local source files needed updating')
         else:
@@ -1694,7 +1707,7 @@ def _update_recipe_patch(recipename, workspace, srctree, rd, appendlayerdir, wil
                     # replace the entry in SRC_URI with our local version
                     logger.info('Replacing remote patch %s with updated local version' % basepath)
                     path = os.path.join(files_dir, basepath)
-                    _replace_srcuri_entry(srcuri, basepath, 'file://%s' % basepath)
+                    _replace_srcuri_entry(srcuri, basepath, srcuri_entry(basepath))
                     updaterecipe = True
                 else:
                     logger.info('Updating patch %s%s' % (basepath, dry_run_suffix))
@@ -1708,7 +1721,7 @@ def _update_recipe_patch(recipename, workspace, srctree, rd, appendlayerdir, wil
                            os.path.join(files_dir, basepath),
                            dry_run_outdir=dry_run_outdir,
                            base_outdir=recipedir)
-                srcuri.append('file://%s' % basepath)
+                srcuri.append(srcuri_entry(basepath))
                 updaterecipe = True
             for basepath, path in new_p.items():
                 logger.info('Adding new patch %s%s' % (basepath, dry_run_suffix))
@@ -1716,7 +1729,7 @@ def _update_recipe_patch(recipename, workspace, srctree, rd, appendlayerdir, wil
                            os.path.join(files_dir, basepath),
                            dry_run_outdir=dry_run_outdir,
                            base_outdir=recipedir)
-                srcuri.append('file://%s' % basepath)
+                srcuri.append(srcuri_entry(basepath))
                 updaterecipe = True
             # Update recipe, if needed
             if _remove_file_entries(srcuri, remove_files)[0]:
-- 
2.25.1

[OE-core][kirkstone 29/35] oe-selftest: devtool: test modify git recipe building from a subdir

[Steve Sakoman]

From: Paul Eggleton <paul.eggleton@microsoft.com>

Add a test that verifies that devtool modify + devtool finish do the
right thing on a recipe that fetches from git and sets S to point to
a subdirectory of the source tree. We have a few examples among the core
recipes, dos2unix is a convenient one so let's use that. (The test first
verifies that that is still true in case the recipe is changed in
future.)

Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a84d9ed14173b0bf467ea78dff4f0f7bae0bc082)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oeqa/selftest/cases/devtool.py | 114 ++++++++++++++++++++----
 1 file changed, 97 insertions(+), 17 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/devtool.py b/meta/lib/oeqa/selftest/cases/devtool.py
index ddf6c0c9f8..34fc791f3a 100644
--- a/meta/lib/oeqa/selftest/cases/devtool.py
+++ b/meta/lib/oeqa/selftest/cases/devtool.py
@@ -218,6 +218,34 @@ class DevtoolTestCase(OESelftestTestCase):
             filelist.append(' '.join(splitline))
         return filelist
 
+    def _check_diff(self, diffoutput, addlines, removelines):
+        """Check output from 'git diff' matches expectation"""
+        remaining_addlines = addlines[:]
+        remaining_removelines = removelines[:]
+        for line in diffoutput.splitlines():
+            if line.startswith('+++') or line.startswith('---'):
+                continue
+            elif line.startswith('+'):
+                matched = False
+                for item in addlines:
+                    if re.match(item, line[1:].strip()):
+                        matched = True
+                        remaining_addlines.remove(item)
+                        break
+                self.assertTrue(matched, 'Unexpected diff add line: %s' % line)
+            elif line.startswith('-'):
+                matched = False
+                for item in removelines:
+                    if re.match(item, line[1:].strip()):
+                        matched = True
+                        remaining_removelines.remove(item)
+                        break
+                self.assertTrue(matched, 'Unexpected diff remove line: %s' % line)
+        if remaining_addlines:
+            self.fail('Expected added lines not found: %s' % remaining_addlines)
+        if remaining_removelines:
+            self.fail('Expected removed lines not found: %s' % remaining_removelines)
+
 
 class DevtoolBase(DevtoolTestCase):
 
@@ -718,6 +746,7 @@ class DevtoolModifyTests(DevtoolBase):
 
         self.assertTrue(bbclassextended, 'None of these recipes are BBCLASSEXTENDed to native - need to adjust testrecipes list: %s' % ', '.join(testrecipes))
         self.assertTrue(inheritnative, 'None of these recipes do "inherit native" - need to adjust testrecipes list: %s' % ', '.join(testrecipes))
+
     def test_devtool_modify_localfiles_only(self):
         # Check preconditions
         testrecipe = 'base-files'
@@ -930,23 +959,7 @@ class DevtoolUpdateTests(DevtoolBase):
         srcurilines[0] = 'SRC_URI = "' + srcurilines[0]
         srcurilines.append('"')
         removelines = ['SRCREV = ".*"'] + srcurilines
-        for line in result.output.splitlines():
-            if line.startswith('+++') or line.startswith('---'):
-                continue
-            elif line.startswith('+'):
-                matched = False
-                for item in addlines:
-                    if re.match(item, line[1:].strip()):
-                        matched = True
-                        break
-                self.assertTrue(matched, 'Unexpected diff add line: %s' % line)
-            elif line.startswith('-'):
-                matched = False
-                for item in removelines:
-                    if re.match(item, line[1:].strip()):
-                        matched = True
-                        break
-                self.assertTrue(matched, 'Unexpected diff remove line: %s' % line)
+        self._check_diff(result.output, addlines, removelines)
         # Now try with auto mode
         runCmd('cd %s; git checkout %s %s' % (os.path.dirname(recipefile), testrecipe, os.path.basename(recipefile)))
         result = runCmd('devtool update-recipe %s' % testrecipe)
@@ -1316,6 +1329,73 @@ class DevtoolUpdateTests(DevtoolBase):
         expected_status = []
         self._check_repo_status(os.path.dirname(recipefile), expected_status)
 
+    def test_devtool_finish_modify_git_subdir(self):
+        # Check preconditions
+        testrecipe = 'dos2unix'
+        bb_vars = get_bb_vars(['SRC_URI', 'S', 'WORKDIR', 'FILE'], testrecipe)
+        self.assertIn('git://', bb_vars['SRC_URI'], 'This test expects the %s recipe to be a git recipe' % testrecipe)
+        workdir_git = '%s/git/' % bb_vars['WORKDIR']
+        if not bb_vars['S'].startswith(workdir_git):
+            self.fail('This test expects the %s recipe to be building from a subdirectory of the git repo' % testrecipe)
+        subdir = bb_vars['S'].split(workdir_git, 1)[1]
+        # Clean up anything in the workdir/sysroot/sstate cache
+        bitbake('%s -c cleansstate' % testrecipe)
+        # Try modifying a recipe
+        tempdir = tempfile.mkdtemp(prefix='devtoolqa')
+        self.track_for_cleanup(tempdir)
+        self.track_for_cleanup(self.workspacedir)
+        self.add_command_to_tearDown('bitbake -c clean %s' % testrecipe)
+        self.add_command_to_tearDown('bitbake-layers remove-layer */workspace')
+        result = runCmd('devtool modify %s -x %s' % (testrecipe, tempdir))
+        testsrcfile = os.path.join(tempdir, subdir, 'dos2unix.c')
+        self.assertExists(testsrcfile, 'Extracted source could not be found')
+        self.assertExists(os.path.join(self.workspacedir, 'conf', 'layer.conf'), 'Workspace directory not created. devtool output: %s' % result.output)
+        self.assertNotExists(os.path.join(tempdir, subdir, '.git'), 'Subdirectory has been initialised as a git repo')
+        # Check git repo
+        self._check_src_repo(tempdir)
+        # Modify file
+        runCmd("sed -i '1s:^:/* Add a comment */\\n:' %s" % testsrcfile)
+        result = runCmd('git commit -a -m "Add a comment"', cwd=tempdir)
+        # Now try updating original recipe
+        recipefile = bb_vars['FILE']
+        recipedir = os.path.dirname(recipefile)
+        self.add_command_to_tearDown('cd %s; rm -f %s/*.patch; git checkout .' % (recipedir, testrecipe))
+        result = runCmd('devtool update-recipe %s' % testrecipe)
+        expected_status = [(' M', '.*/%s$' % os.path.basename(recipefile)),
+                           ('??', '.*/%s/%s/$' % (testrecipe, testrecipe))]
+        self._check_repo_status(os.path.dirname(recipefile), expected_status)
+        result = runCmd('git diff %s' % os.path.basename(recipefile), cwd=os.path.dirname(recipefile))
+        removelines = ['SRC_URI = "git://.*"']
+        addlines = [
+            'SRC_URI = "git://.* \\\\',
+            'file://0001-Add-a-comment.patch;patchdir=.. \\\\',
+            '"'
+        ]
+        self._check_diff(result.output, addlines, removelines)
+        # Put things back so we can run devtool finish on a different layer
+        runCmd('cd %s; rm -f %s/*.patch; git checkout .' % (recipedir, testrecipe))
+        # Run devtool finish
+        res = re.search('recipes-.*', recipedir)
+        self.assertTrue(res, 'Unable to find recipe subdirectory')
+        recipesubdir = res[0]
+        self.add_command_to_tearDown('rm -rf %s' % os.path.join(self.testlayer_path, recipesubdir))
+        result = runCmd('devtool finish %s meta-selftest' % testrecipe)
+        # Check bbappend file contents
+        appendfn = os.path.join(self.testlayer_path, recipesubdir, '%s_%%.bbappend' % testrecipe)
+        with open(appendfn, 'r') as f:
+            appendlines = f.readlines()
+        expected_appendlines = [
+            'FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"\n',
+            '\n',
+            'SRC_URI += "file://0001-Add-a-comment.patch;patchdir=.."\n',
+            '\n'
+        ]
+        self.assertEqual(appendlines, expected_appendlines)
+        self.assertExists(os.path.join(os.path.dirname(appendfn), testrecipe, '0001-Add-a-comment.patch'))
+        # Try building
+        bitbake('%s -c patch' % testrecipe)
+
+
 class DevtoolExtractTests(DevtoolBase):
 
     def test_devtool_extract(self):
-- 
2.25.1

[OE-core][kirkstone 30/35] gcc-runtime: Fix build when using gold

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

If gold is enabled as the default linker, it errors trying to link
to our dummy library empty file and this turns off things which should
be present in libstdc++.

For example, _GLIBCXX_HAVE_S_ISREG isn't defined and HAVE_S_ISREG in
libstdc++-v3/config.h isn't set properly.

Instead of just creating an empty file, create an empty elf binary
instead which addresses the issue.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2070bcd10aa3a05c96c8501c6a8c1e129fb1d440)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/gcc/gcc-runtime.inc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/gcc/gcc-runtime.inc b/meta/recipes-devtools/gcc/gcc-runtime.inc
index e9f2cf16e8..dc903c2b88 100644
--- a/meta/recipes-devtools/gcc/gcc-runtime.inc
+++ b/meta/recipes-devtools/gcc/gcc-runtime.inc
@@ -68,7 +68,8 @@ do_configure () {
 	# libstdc++ isn't built yet so CXX would error not able to find it which breaks stdc++'s configure
 	# tests. Create a dummy empty lib for the purposes of configure.
 	mkdir -p ${WORKDIR}/dummylib
-	touch ${WORKDIR}/dummylib/libstdc++.so
+	touch ${WORKDIR}/dummylib/dummylib.c
+	${CC} ${WORKDIR}/dummylib/dummylib.c -shared -o ${WORKDIR}/dummylib/libstdc++.so
 	for d in libgcc ${RUNTIMETARGET}; do
 		echo "Configuring $d"
 		rm -rf ${B}/${TARGET_SYS}/$d/
-- 
2.25.1

[OE-core][kirkstone 31/35] gcc-runtime: Fix missing MLPREFIX in debug mappings

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

This fixes reproducibility issues with multilibs were a different recipe
specific sysroot is used which was leaking into debug symbols in libraries.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f442edf51e256bd315bd8e4ac4d9fa12b8e9e092)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/gcc/gcc-runtime.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/gcc/gcc-runtime.inc b/meta/recipes-devtools/gcc/gcc-runtime.inc
index dc903c2b88..c85b5888d4 100644
--- a/meta/recipes-devtools/gcc/gcc-runtime.inc
+++ b/meta/recipes-devtools/gcc/gcc-runtime.inc
@@ -53,7 +53,7 @@ RUNTIMETARGET:libc-newlib = "libstdc++-v3"
 REL_S = "/usr/src/debug/${PN}/${EXTENDPE}${PV}-${PR}"
 
 DEBUG_PREFIX_MAP:class-target = " \
-   -fdebug-prefix-map=${WORKDIR}/recipe-sysroot= \
+   -fdebug-prefix-map=${WORKDIR}/${MLPREFIX}recipe-sysroot= \
    -fdebug-prefix-map=${WORKDIR}/recipe-sysroot-native= \
    -fdebug-prefix-map=${S}=${REL_S} \
    -fdebug-prefix-map=${S}/include=${REL_S}/libstdc++-v3/../include \
-- 
2.25.1

[OE-core][kirkstone 32/35] selftest/runtime_test/virgl: Disable for all almalinux

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

We can't support vgem on RHEL derived distros so disable this test for
all almalinux hosts rather than specific versions.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e921f3c1b917072e4c5a110c7dfeeadd2e571bde)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oeqa/selftest/cases/runtime_test.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py
index 8eacde40ad..857737f730 100644
--- a/meta/lib/oeqa/selftest/cases/runtime_test.py
+++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
@@ -252,7 +252,7 @@ class TestImage(OESelftestTestCase):
         import subprocess, os
 
         distro = oe.lsb.distro_identifier()
-        if distro and distro in ['debian-9', 'debian-10', 'centos-7', 'centos-8', 'ubuntu-16.04', 'ubuntu-18.04', 'almalinux-8.5', 'almalinux-8.6']:
+        if distro and (distro in ['debian-9', 'debian-10', 'centos-7', 'centos-8', 'ubuntu-16.04', 'ubuntu-18.04'] or distro.startswith('almalinux')):
             self.skipTest('virgl headless cannot be tested with %s' %(distro))
 
         render_hint = """If /dev/dri/renderD* is absent due to lack of suitable GPU, 'modprobe vgem' will create one suitable for mesa llvmpipe software renderer."""
-- 
2.25.1

[OE-core][kirkstone 33/35] cargo_common.bbclass: enable bitbake vendoring for externalsrc

[Steve Sakoman]

From: Chanho Park <chanho61.park@samsung.com>

To support crate:// fetcher on externalsrc, we need to remove "-z
${EXTERNALSRC} check of bitbake vendoring. It is possible to disable
vendoring by CARGO_DISABLE_BITBAKE_VENDORING = "1" if externalsrc-ed
project does not want to enablt it.

Signed-off-by: Chanho Park <chanho61.park@samsung.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Richard Pastrick <ripastri@linux.microsoft.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/cargo_common.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/cargo_common.bbclass b/meta/classes/cargo_common.bbclass
index 90fad75415..39f32829fd 100644
--- a/meta/classes/cargo_common.bbclass
+++ b/meta/classes/cargo_common.bbclass
@@ -45,7 +45,7 @@ cargo_common_do_configure () {
 	directory = "${CARGO_VENDORING_DIRECTORY}"
 	EOF
 
-	if [ -z "${EXTERNALSRC}" ] && [ ${CARGO_DISABLE_BITBAKE_VENDORING} = "0" ]; then
+	if [ ${CARGO_DISABLE_BITBAKE_VENDORING} = "0" ]; then
 		cat <<- EOF >> ${CARGO_HOME}/config
 
 		[source.crates-io]
-- 
2.25.1

[OE-core][kirkstone 34/35] externalsrc.bbclass: support crate fetcher on externalsrc

[Steve Sakoman]

From: Chanho Park <chanho61.park@samsung.com>

To support crate:// fetcher on externalsrc, we need to make pass-through
the URIs in SRC_URI.

Signed-off-by: Chanho Park <chanho61.park@samsung.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Richard Pastrick <ripastri@linux.microsoft.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/externalsrc.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/externalsrc.bbclass b/meta/classes/externalsrc.bbclass
index b2f216f361..90792a737b 100644
--- a/meta/classes/externalsrc.bbclass
+++ b/meta/classes/externalsrc.bbclass
@@ -68,7 +68,7 @@ python () {
             url_data = fetch.ud[url]
             parm = url_data.parm
             if (url_data.type == 'file' or
-                    url_data.type == 'npmsw' or
+                    url_data.type == 'npmsw' or url_data.type == 'crate' or
                     'type' in parm and parm['type'] == 'kmeta'):
                 local_srcuri.append(url)
 
-- 
2.25.1

[OE-core][kirkstone 35/35] pulseaudio: add m4-native to DEPENDS

[Steve Sakoman]

From: Ross Burton <ross.burton@arm.com>

Normally m4-native ends up in the sysroot via the toolchain, but if a
non-standard toolchain is used them m4-native may not be installed.

However Pulseaudio explicitly checks for m4 in the meson.build, so add
it to DEPENDS.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ddf846635783923d43520c9dd6f63ca59ed6e3b8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-multimedia/pulseaudio/pulseaudio.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio.inc b/meta/recipes-multimedia/pulseaudio/pulseaudio.inc
index 821ce7d1df..61d5bb00ba 100644
--- a/meta/recipes-multimedia/pulseaudio/pulseaudio.inc
+++ b/meta/recipes-multimedia/pulseaudio/pulseaudio.inc
@@ -61,7 +61,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=0e5cd938de1a7a53ea5adac38cc10c39 \
 "
 
 # libtool is needed for libltdl, used in module loading.
-DEPENDS = "libatomic-ops libsndfile1 libtool"
+DEPENDS = "m4-native libatomic-ops libsndfile1 libtool"
 # optional
 DEPENDS += "udev alsa-lib glib-2.0"
 DEPENDS += "speexdsp libxml-parser-perl-native libcap"
-- 
2.25.1

Re: [OE-core][kirkstone 01/35] curl: Fix multiple CVEs

[Yu, Mingli]

Ping.

Thanks,

On 7/18/22 22:48, Steve Sakoman wrote:
> [Please note: This e-mail is from an EXTERNAL e-mail address]
> 
> From: Robert Joslyn <robert.joslyn@redrectangle.org>
> 
> Backport fixes for:
>   * CVE-2022-32205 - https://curl.se/docs/CVE-2022-32205.html
>   * CVE-2022-32206 - https://curl.se/docs/CVE-2022-32206.html
>   * CVE-2022-32207 - https://curl.se/docs/CVE-2022-32207.html
>   * CVE-2022-32208 - https://curl.se/docs/CVE-2022-32208.html
> 
> Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>   .../curl/curl/CVE-2022-32205.patch            | 174 +++++++++++
>   .../curl/curl/CVE-2022-32206.patch            |  51 ++++
>   .../curl/curl/CVE-2022-32207.patch            | 283 ++++++++++++++++++
>   .../curl/curl/CVE-2022-32208.patch            |  67 +++++
>   meta/recipes-support/curl/curl_7.82.0.bb      |   4 +
>   5 files changed, 579 insertions(+)
>   create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32205.patch
>   create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32206.patch
>   create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32207.patch
>   create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32208.patch
> 
> diff --git a/meta/recipes-support/curl/curl/CVE-2022-32205.patch b/meta/recipes-support/curl/curl/CVE-2022-32205.patch
> new file mode 100644
> index 0000000000..165fd8af47
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2022-32205.patch
> @@ -0,0 +1,174 @@
> +From a91c22a072cbb32e296f1efba3502f1b7775dfaf Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Sun, 26 Jun 2022 11:00:48 +0200
> +Subject: [PATCH] cookie: apply limits
> +
> +- Send no more than 150 cookies per request
> +- Cap the max length used for a cookie: header to 8K
> +- Cap the max number of received Set-Cookie: headers to 50
> +
> +Bug: https://curl.se/docs/CVE-2022-32205.html
> +CVE-2022-32205
> +Reported-by: Harry Sintonen
> +Closes #9048
> +
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/48d7064a49148f0394]
> +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> +---
> + lib/cookie.c  | 14 ++++++++++++--
> + lib/cookie.h  | 21 +++++++++++++++++++--
> + lib/http.c    | 13 +++++++++++--
> + lib/urldata.h |  1 +
> + 4 files changed, 43 insertions(+), 6 deletions(-)
> +
> +diff --git a/lib/cookie.c b/lib/cookie.c
> +index 1b8c8f9..8a6aa1a 100644
> +--- a/lib/cookie.c
> ++++ b/lib/cookie.c
> +@@ -477,6 +477,10 @@ Curl_cookie_add(struct Curl_easy *data,
> +   (void)data;
> + #endif
> +
> ++  DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */
> ++  if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT)
> ++    return NULL;
> ++
> +   /* First, alloc and init a new struct for it */
> +   co = calloc(1, sizeof(struct Cookie));
> +   if(!co)
> +@@ -816,7 +820,7 @@ Curl_cookie_add(struct Curl_easy *data,
> +       freecookie(co);
> +       return NULL;
> +     }
> +-
> ++    data->req.setcookies++;
> +   }
> +   else {
> +     /*
> +@@ -1354,7 +1358,8 @@ static struct Cookie *dup_cookie(struct Cookie *src)
> +  *
> +  * It shall only return cookies that haven't expired.
> +  */
> +-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
> ++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
> ++                                   struct CookieInfo *c,
> +                                    const char *host, const char *path,
> +                                    bool secure)
> + {
> +@@ -1409,6 +1414,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
> +             mainco = newco;
> +
> +             matches++;
> ++            if(matches >= MAX_COOKIE_SEND_AMOUNT) {
> ++              infof(data, "Included max number of cookies (%u) in request!",
> ++                    matches);
> ++              break;
> ++            }
> +           }
> +           else
> +             goto fail;
> +diff --git a/lib/cookie.h b/lib/cookie.h
> +index 0ffe08e..7411980 100644
> +--- a/lib/cookie.h
> ++++ b/lib/cookie.h
> +@@ -81,10 +81,26 @@ struct CookieInfo {
> + */
> + #define MAX_COOKIE_LINE 5000
> +
> +-/* This is the maximum length of a cookie name or content we deal with: */
> ++/* Maximum length of an incoming cookie name or content we deal with. Longer
> ++   cookies are ignored. */
> + #define MAX_NAME 4096
> + #define MAX_NAME_TXT "4095"
> +
> ++/* Maximum size for an outgoing cookie line libcurl will use in an http
> ++   request. This is the default maximum length used in some versions of Apache
> ++   httpd. */
> ++#define MAX_COOKIE_HEADER_LEN 8190
> ++
> ++/* Maximum number of cookies libcurl will send in a single request, even if
> ++   there might be more cookies that match. One reason to cap the number is to
> ++   keep the maximum HTTP request within the maximum allowed size. */
> ++#define MAX_COOKIE_SEND_AMOUNT 150
> ++
> ++/* Maximum number of Set-Cookie: lines accepted in a single response. If more
> ++   such header lines are received, they are ignored. This value must be less
> ++   than 256 since an unsigned char is used to count. */
> ++#define MAX_SET_COOKIE_AMOUNT 50
> ++
> + struct Curl_easy;
> + /*
> +  * Add a cookie to the internal list of cookies. The domain and path arguments
> +@@ -97,7 +113,8 @@ struct Cookie *Curl_cookie_add(struct Curl_easy *data,
> +                                const char *domain, const char *path,
> +                                bool secure);
> +
> +-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, const char *host,
> ++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
> ++                                   struct CookieInfo *c, const char *host,
> +                                    const char *path, bool secure);
> + void Curl_cookie_freelist(struct Cookie *cookies);
> + void Curl_cookie_clearall(struct CookieInfo *cookies);
> +diff --git a/lib/http.c b/lib/http.c
> +index 4433824..2c8b0c4 100644
> +--- a/lib/http.c
> ++++ b/lib/http.c
> +@@ -2709,12 +2709,14 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn,
> + }
> +
> + #if !defined(CURL_DISABLE_COOKIES)
> ++
> + CURLcode Curl_http_cookies(struct Curl_easy *data,
> +                            struct connectdata *conn,
> +                            struct dynbuf *r)
> + {
> +   CURLcode result = CURLE_OK;
> +   char *addcookies = NULL;
> ++  bool linecap = FALSE;
> +   if(data->set.str[STRING_COOKIE] &&
> +      !Curl_checkheaders(data, STRCONST("Cookie")))
> +     addcookies = data->set.str[STRING_COOKIE];
> +@@ -2732,7 +2734,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
> +         !strcmp(host, "127.0.0.1") ||
> +         !strcmp(host, "[::1]") ? TRUE : FALSE;
> +       Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
> +-      co = Curl_cookie_getlist(data->cookies, host, data->state.up.path,
> ++      co = Curl_cookie_getlist(data, data->cookies, host, data->state.up.path,
> +                                secure_context);
> +       Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
> +     }
> +@@ -2746,6 +2748,13 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
> +             if(result)
> +               break;
> +           }
> ++          if((Curl_dyn_len(r) + strlen(co->name) + strlen(co->value) + 1) >=
> ++             MAX_COOKIE_HEADER_LEN) {
> ++            infof(data, "Restricted outgoing cookies due to header size, "
> ++                  "'%s' not sent", co->name);
> ++            linecap = TRUE;
> ++            break;
> ++          }
> +           result = Curl_dyn_addf(r, "%s%s=%s", count?"; ":"",
> +                                  co->name, co->value);
> +           if(result)
> +@@ -2756,7 +2765,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
> +       }
> +       Curl_cookie_freelist(store);
> +     }
> +-    if(addcookies && !result) {
> ++    if(addcookies && !result && !linecap) {
> +       if(!count)
> +         result = Curl_dyn_addn(r, STRCONST("Cookie: "));
> +       if(!result) {
> +diff --git a/lib/urldata.h b/lib/urldata.h
> +index e006495..54faf7d 100644
> +--- a/lib/urldata.h
> ++++ b/lib/urldata.h
> +@@ -707,6 +707,7 @@ struct SingleRequest {
> + #ifndef CURL_DISABLE_DOH
> +   struct dohdata *doh; /* DoH specific data for this request */
> + #endif
> ++  unsigned char setcookies;
> +   BIT(header);        /* incoming data has HTTP header */
> +   BIT(content_range); /* set TRUE if Content-Range: was found */
> +   BIT(upload_done);   /* set to TRUE when doing chunked transfer-encoding
> diff --git a/meta/recipes-support/curl/curl/CVE-2022-32206.patch b/meta/recipes-support/curl/curl/CVE-2022-32206.patch
> new file mode 100644
> index 0000000000..25f5b27cc7
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2022-32206.patch
> @@ -0,0 +1,51 @@
> +From e12531340b03d242d3f892aa8797faf12b56dddf Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Mon, 16 May 2022 16:28:13 +0200
> +Subject: [PATCH] content_encoding: return error on too many compression steps
> +
> +The max allowed steps is arbitrarily set to 5.
> +
> +Bug: https://curl.se/docs/CVE-2022-32206.html
> +CVE-2022-32206
> +Reported-by: Harry Sintonen
> +Closes #9049
> +
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/3a09fbb7f264c67c43]
> +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> +---
> + lib/content_encoding.c | 9 +++++++++
> + 1 file changed, 9 insertions(+)
> +
> +diff --git a/lib/content_encoding.c b/lib/content_encoding.c
> +index c03637a..6f994b3 100644
> +--- a/lib/content_encoding.c
> ++++ b/lib/content_encoding.c
> +@@ -1026,12 +1026,16 @@ static const struct content_encoding *find_encoding(const char *name,
> +   return NULL;
> + }
> +
> ++/* allow no more than 5 "chained" compression steps */
> ++#define MAX_ENCODE_STACK 5
> ++
> + /* Set-up the unencoding stack from the Content-Encoding header value.
> +  * See RFC 7231 section 3.1.2.2. */
> + CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
> +                                      const char *enclist, int maybechunked)
> + {
> +   struct SingleRequest *k = &data->req;
> ++  int counter = 0;
> +
> +   do {
> +     const char *name;
> +@@ -1066,6 +1070,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
> +       if(!encoding)
> +         encoding = &error_encoding;  /* Defer error at stack use. */
> +
> ++      if(++counter >= MAX_ENCODE_STACK) {
> ++        failf(data, "Reject response due to %u content encodings",
> ++              counter);
> ++        return CURLE_BAD_CONTENT_ENCODING;
> ++      }
> +       /* Stack the unencoding stage. */
> +       writer = new_unencoding_writer(data, encoding, k->writer_stack);
> +       if(!writer)
> diff --git a/meta/recipes-support/curl/curl/CVE-2022-32207.patch b/meta/recipes-support/curl/curl/CVE-2022-32207.patch
> new file mode 100644
> index 0000000000..bc16b62f39
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2022-32207.patch
> @@ -0,0 +1,283 @@
> +From 759088694e2ba68ddc5ffe042b071dadad6ff675 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Wed, 25 May 2022 10:09:53 +0200
> +Subject: [PATCH] fopen: add Curl_fopen() for better overwriting of files
> +
> +Bug: https://curl.se/docs/CVE-2022-32207.html
> +CVE-2022-32207
> +Reported-by: Harry Sintonen
> +Closes #9050
> +
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/20f9dd6bae50b]
> +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> +---
> + CMakeLists.txt          |   1 +
> + configure.ac            |   1 +
> + lib/Makefile.inc        |   2 +
> + lib/cookie.c            |  19 ++-----
> + lib/curl_config.h.cmake |   3 ++
> + lib/fopen.c             | 113 ++++++++++++++++++++++++++++++++++++++++
> + lib/fopen.h             |  30 +++++++++++
> + 7 files changed, 154 insertions(+), 15 deletions(-)
> + create mode 100644 lib/fopen.c
> + create mode 100644 lib/fopen.h
> +
> +diff --git a/CMakeLists.txt b/CMakeLists.txt
> +index b77de6d..a0bfaad 100644
> +--- a/CMakeLists.txt
> ++++ b/CMakeLists.txt
> +@@ -1027,6 +1027,7 @@ elseif(HAVE_LIBSOCKET)
> +   set(CMAKE_REQUIRED_LIBRARIES socket)
> + endif()
> +
> ++check_symbol_exists(fchmod        "${CURL_INCLUDES}" HAVE_FCHMOD)
> + check_symbol_exists(basename      "${CURL_INCLUDES}" HAVE_BASENAME)
> + check_symbol_exists(socket        "${CURL_INCLUDES}" HAVE_SOCKET)
> + check_symbol_exists(select        "${CURL_INCLUDES}" HAVE_SELECT)
> +diff --git a/configure.ac b/configure.ac
> +index d431870..7433bb9 100644
> +--- a/configure.ac
> ++++ b/configure.ac
> +@@ -3351,6 +3351,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se
> +
> +
> + AC_CHECK_FUNCS([fnmatch \
> ++  fchmod \
> +   geteuid \
> +   getpass_r \
> +   getppid \
> +diff --git a/lib/Makefile.inc b/lib/Makefile.inc
> +index e8f110f..5139b03 100644
> +--- a/lib/Makefile.inc
> ++++ b/lib/Makefile.inc
> +@@ -133,6 +133,7 @@ LIB_CFILES =         \
> +   escape.c           \
> +   file.c             \
> +   fileinfo.c         \
> ++  fopen.c            \
> +   formdata.c         \
> +   ftp.c              \
> +   ftplistparser.c    \
> +@@ -263,6 +264,7 @@ LIB_HFILES =         \
> +   escape.h           \
> +   file.h             \
> +   fileinfo.h         \
> ++  fopen.h            \
> +   formdata.h         \
> +   ftp.h              \
> +   ftplistparser.h    \
> +diff --git a/lib/cookie.c b/lib/cookie.c
> +index 8a6aa1a..cb0c03b 100644
> +--- a/lib/cookie.c
> ++++ b/lib/cookie.c
> +@@ -96,8 +96,8 @@ Example set of cookies:
> + #include "curl_get_line.h"
> + #include "curl_memrchr.h"
> + #include "parsedate.h"
> +-#include "rand.h"
> + #include "rename.h"
> ++#include "fopen.h"
> +
> + /* The last 3 #include files should be in this order */
> + #include "curl_printf.h"
> +@@ -1620,20 +1620,9 @@ static CURLcode cookie_output(struct Curl_easy *data,
> +     use_stdout = TRUE;
> +   }
> +   else {
> +-    unsigned char randsuffix[9];
> +-
> +-    if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
> +-      return 2;
> +-
> +-    tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
> +-    if(!tempstore)
> +-      return CURLE_OUT_OF_MEMORY;
> +-
> +-    out = fopen(tempstore, FOPEN_WRITETEXT);
> +-    if(!out) {
> +-      error = CURLE_WRITE_ERROR;
> ++    error = Curl_fopen(data, filename, &out, &tempstore);
> ++    if(error)
> +       goto error;
> +-    }
> +   }
> +
> +   fputs("# Netscape HTTP Cookie File\n"
> +@@ -1680,7 +1669,7 @@ static CURLcode cookie_output(struct Curl_easy *data,
> +   if(!use_stdout) {
> +     fclose(out);
> +     out = NULL;
> +-    if(Curl_rename(tempstore, filename)) {
> ++    if(tempstore && Curl_rename(tempstore, filename)) {
> +       unlink(tempstore);
> +       error = CURLE_WRITE_ERROR;
> +       goto error;
> +diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
> +index d2a0f43..c254359 100644
> +--- a/lib/curl_config.h.cmake
> ++++ b/lib/curl_config.h.cmake
> +@@ -157,6 +157,9 @@
> + /* Define to 1 if you have the <assert.h> header file. */
> + #cmakedefine HAVE_ASSERT_H 1
> +
> ++/* Define to 1 if you have the `fchmod' function. */
> ++#cmakedefine HAVE_FCHMOD 1
> ++
> + /* Define to 1 if you have the `basename' function. */
> + #cmakedefine HAVE_BASENAME 1
> +
> +diff --git a/lib/fopen.c b/lib/fopen.c
> +new file mode 100644
> +index 0000000..ad3691b
> +--- /dev/null
> ++++ b/lib/fopen.c
> +@@ -0,0 +1,113 @@
> ++/***************************************************************************
> ++ *                                  _   _ ____  _
> ++ *  Project                     ___| | | |  _ \| |
> ++ *                             / __| | | | |_) | |
> ++ *                            | (__| |_| |  _ <| |___
> ++ *                             \___|\___/|_| \_\_____|
> ++ *
> ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
> ++ *
> ++ * This software is licensed as described in the file COPYING, which
> ++ * you should have received as part of this distribution. The terms
> ++ * are also available at https://curl.se/docs/copyright.html.
> ++ *
> ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
> ++ * copies of the Software, and permit persons to whom the Software is
> ++ * furnished to do so, under the terms of the COPYING file.
> ++ *
> ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
> ++ * KIND, either express or implied.
> ++ *
> ++ * SPDX-License-Identifier: curl
> ++ *
> ++ ***************************************************************************/
> ++
> ++#include "curl_setup.h"
> ++
> ++#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) ||  \
> ++  !defined(CURL_DISABLE_HSTS)
> ++
> ++#ifdef HAVE_FCNTL_H
> ++#include <fcntl.h>
> ++#endif
> ++
> ++#include "urldata.h"
> ++#include "rand.h"
> ++#include "fopen.h"
> ++/* The last 3 #include files should be in this order */
> ++#include "curl_printf.h"
> ++#include "curl_memory.h"
> ++#include "memdebug.h"
> ++
> ++/*
> ++ * Curl_fopen() opens a file for writing with a temp name, to be renamed
> ++ * to the final name when completed. If there is an existing file using this
> ++ * name at the time of the open, this function will clone the mode from that
> ++ * file.  if 'tempname' is non-NULL, it needs a rename after the file is
> ++ * written.
> ++ */
> ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
> ++                    FILE **fh, char **tempname)
> ++{
> ++  CURLcode result = CURLE_WRITE_ERROR;
> ++  unsigned char randsuffix[9];
> ++  char *tempstore = NULL;
> ++  struct_stat sb;
> ++  int fd = -1;
> ++  *tempname = NULL;
> ++
> ++  if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
> ++    /* a non-regular file, fallback to direct fopen() */
> ++    *fh = fopen(filename, FOPEN_WRITETEXT);
> ++    if(*fh)
> ++      return CURLE_OK;
> ++    goto fail;
> ++  }
> ++
> ++  result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
> ++  if(result)
> ++    goto fail;
> ++
> ++  tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
> ++  if(!tempstore) {
> ++    result = CURLE_OUT_OF_MEMORY;
> ++    goto fail;
> ++  }
> ++
> ++  result = CURLE_WRITE_ERROR;
> ++  fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600);
> ++  if(fd == -1)
> ++    goto fail;
> ++
> ++#ifdef HAVE_FCHMOD
> ++  {
> ++    struct_stat nsb;
> ++    if((fstat(fd, &nsb) != -1) &&
> ++       (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) {
> ++      /* if the user and group are the same, clone the original mode */
> ++      if(fchmod(fd, sb.st_mode) == -1)
> ++        goto fail;
> ++    }
> ++  }
> ++#endif
> ++
> ++  *fh = fdopen(fd, FOPEN_WRITETEXT);
> ++  if(!*fh)
> ++    goto fail;
> ++
> ++  *tempname = tempstore;
> ++  return CURLE_OK;
> ++
> ++fail:
> ++  if(fd != -1) {
> ++    close(fd);
> ++    unlink(tempstore);
> ++  }
> ++
> ++  free(tempstore);
> ++
> ++  *tempname = NULL;
> ++  return result;
> ++}
> ++
> ++#endif /* ! disabled */
> +diff --git a/lib/fopen.h b/lib/fopen.h
> +new file mode 100644
> +index 0000000..289e55f
> +--- /dev/null
> ++++ b/lib/fopen.h
> +@@ -0,0 +1,30 @@
> ++#ifndef HEADER_CURL_FOPEN_H
> ++#define HEADER_CURL_FOPEN_H
> ++/***************************************************************************
> ++ *                                  _   _ ____  _
> ++ *  Project                     ___| | | |  _ \| |
> ++ *                             / __| | | | |_) | |
> ++ *                            | (__| |_| |  _ <| |___
> ++ *                             \___|\___/|_| \_\_____|
> ++ *
> ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
> ++ *
> ++ * This software is licensed as described in the file COPYING, which
> ++ * you should have received as part of this distribution. The terms
> ++ * are also available at https://curl.se/docs/copyright.html.
> ++ *
> ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
> ++ * copies of the Software, and permit persons to whom the Software is
> ++ * furnished to do so, under the terms of the COPYING file.
> ++ *
> ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
> ++ * KIND, either express or implied.
> ++ *
> ++ * SPDX-License-Identifier: curl
> ++ *
> ++ ***************************************************************************/
> ++
> ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
> ++                    FILE **fh, char **tempname);
> ++
> ++#endif
> diff --git a/meta/recipes-support/curl/curl/CVE-2022-32208.patch b/meta/recipes-support/curl/curl/CVE-2022-32208.patch
> new file mode 100644
> index 0000000000..9a4e398370
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2022-32208.patch
> @@ -0,0 +1,67 @@
> +From fd2ffddec315c029e923e6e6f2c049809d01a5fc Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Thu, 9 Jun 2022 09:27:24 +0200
> +Subject: [PATCH] krb5: return error properly on decode errors
> +
> +Bug: https://curl.se/docs/CVE-2022-32208.html
> +CVE-2022-32208
> +Reported-by: Harry Sintonen
> +Closes #9051
> +
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/6ecdf5136b52af7]
> +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> +---
> + lib/krb5.c | 18 +++++++++++-------
> + 1 file changed, 11 insertions(+), 7 deletions(-)
> +
> +diff --git a/lib/krb5.c b/lib/krb5.c
> +index 787137c..6f9e1f7 100644
> +--- a/lib/krb5.c
> ++++ b/lib/krb5.c
> +@@ -140,11 +140,8 @@ krb5_decode(void *app_data, void *buf, int len,
> +   enc.value = buf;
> +   enc.length = len;
> +   maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
> +-  if(maj != GSS_S_COMPLETE) {
> +-    if(len >= 4)
> +-      strcpy(buf, "599 ");
> ++  if(maj != GSS_S_COMPLETE)
> +     return -1;
> +-  }
> +
> +   memcpy(buf, dec.value, dec.length);
> +   len = curlx_uztosi(dec.length);
> +@@ -506,6 +503,7 @@ static CURLcode read_data(struct connectdata *conn,
> + {
> +   int len;
> +   CURLcode result;
> ++  int nread;
> +
> +   result = socket_read(fd, &len, sizeof(len));
> +   if(result)
> +@@ -514,7 +512,10 @@ static CURLcode read_data(struct connectdata *conn,
> +   if(len) {
> +     /* only realloc if there was a length */
> +     len = ntohl(len);
> +-    buf->data = Curl_saferealloc(buf->data, len);
> ++    if(len > CURL_MAX_INPUT_LENGTH)
> ++      len = 0;
> ++    else
> ++      buf->data = Curl_saferealloc(buf->data, len);
> +   }
> +   if(!len || !buf->data)
> +     return CURLE_OUT_OF_MEMORY;
> +@@ -522,8 +523,11 @@ static CURLcode read_data(struct connectdata *conn,
> +   result = socket_read(fd, buf->data, len);
> +   if(result)
> +     return result;
> +-  buf->size = conn->mech->decode(conn->app_data, buf->data, len,
> +-                                 conn->data_prot, conn);
> ++  nread = conn->mech->decode(conn->app_data, buf->data, len,
> ++                             conn->data_prot, conn);
> ++  if(nread < 0)
> ++    return CURLE_RECV_ERROR;
> ++  buf->size = (size_t)nread;
> +   buf->index = 0;
> +   return CURLE_OK;
> + }
> diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
> index d5dfe62a39..67de0220c6 100644
> --- a/meta/recipes-support/curl/curl_7.82.0.bb
> +++ b/meta/recipes-support/curl/curl_7.82.0.bb
> @@ -24,6 +24,10 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
>              file://CVE-2022-27782-1.patch \
>              file://CVE-2022-27782-2.patch \
>              file://0001-openssl-fix-CN-check-error-code.patch \
> +           file://CVE-2022-32205.patch \
> +           file://CVE-2022-32206.patch \
> +           file://CVE-2022-32207.patch \
> +           file://CVE-2022-32208.patch \
>              "
>   SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
> 
> --
> 2.25.1
> 
> 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#168201): https://lists.openembedded.org/g/openembedded-core/message/168201
> Mute This Topic: https://lists.openembedded.org/mt/92460238/3618448
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [mingli.yu@windriver.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 

Re: [OE-core][kirkstone 01/35] curl: Fix multiple CVEs

[Steve Sakoman]

On Sun, Jul 24, 2022 at 5:32 PM Yu, Mingli <mingli.yu@windriver.com> wrote:
>
> Ping.

Richard accepted the pull request this morning, so this patch is now
in the kirkstone branch:

https://git.yoctoproject.org/poky/commit/?h=kirkstone&id=702cf1e964f09d15b3681f20131988fcfdbbd387

Steve

> On 7/18/22 22:48, Steve Sakoman wrote:
> > [Please note: This e-mail is from an EXTERNAL e-mail address]
> >
> > From: Robert Joslyn <robert.joslyn@redrectangle.org>
> >
> > Backport fixes for:
> >   * CVE-2022-32205 - https://curl.se/docs/CVE-2022-32205.html
> >   * CVE-2022-32206 - https://curl.se/docs/CVE-2022-32206.html
> >   * CVE-2022-32207 - https://curl.se/docs/CVE-2022-32207.html
> >   * CVE-2022-32208 - https://curl.se/docs/CVE-2022-32208.html
> >
> > Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > ---
> >   .../curl/curl/CVE-2022-32205.patch            | 174 +++++++++++
> >   .../curl/curl/CVE-2022-32206.patch            |  51 ++++
> >   .../curl/curl/CVE-2022-32207.patch            | 283 ++++++++++++++++++
> >   .../curl/curl/CVE-2022-32208.patch            |  67 +++++
> >   meta/recipes-support/curl/curl_7.82.0.bb      |   4 +
> >   5 files changed, 579 insertions(+)
> >   create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32205.patch
> >   create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32206.patch
> >   create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32207.patch
> >   create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32208.patch
> >
> > diff --git a/meta/recipes-support/curl/curl/CVE-2022-32205.patch b/meta/recipes-support/curl/curl/CVE-2022-32205.patch
> > new file mode 100644
> > index 0000000000..165fd8af47
> > --- /dev/null
> > +++ b/meta/recipes-support/curl/curl/CVE-2022-32205.patch
> > @@ -0,0 +1,174 @@
> > +From a91c22a072cbb32e296f1efba3502f1b7775dfaf Mon Sep 17 00:00:00 2001
> > +From: Daniel Stenberg <daniel@haxx.se>
> > +Date: Sun, 26 Jun 2022 11:00:48 +0200
> > +Subject: [PATCH] cookie: apply limits
> > +
> > +- Send no more than 150 cookies per request
> > +- Cap the max length used for a cookie: header to 8K
> > +- Cap the max number of received Set-Cookie: headers to 50
> > +
> > +Bug: https://curl.se/docs/CVE-2022-32205.html
> > +CVE-2022-32205
> > +Reported-by: Harry Sintonen
> > +Closes #9048
> > +
> > +Upstream-Status: Backport [https://github.com/curl/curl/commit/48d7064a49148f0394]
> > +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> > +---
> > + lib/cookie.c  | 14 ++++++++++++--
> > + lib/cookie.h  | 21 +++++++++++++++++++--
> > + lib/http.c    | 13 +++++++++++--
> > + lib/urldata.h |  1 +
> > + 4 files changed, 43 insertions(+), 6 deletions(-)
> > +
> > +diff --git a/lib/cookie.c b/lib/cookie.c
> > +index 1b8c8f9..8a6aa1a 100644
> > +--- a/lib/cookie.c
> > ++++ b/lib/cookie.c
> > +@@ -477,6 +477,10 @@ Curl_cookie_add(struct Curl_easy *data,
> > +   (void)data;
> > + #endif
> > +
> > ++  DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */
> > ++  if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT)
> > ++    return NULL;
> > ++
> > +   /* First, alloc and init a new struct for it */
> > +   co = calloc(1, sizeof(struct Cookie));
> > +   if(!co)
> > +@@ -816,7 +820,7 @@ Curl_cookie_add(struct Curl_easy *data,
> > +       freecookie(co);
> > +       return NULL;
> > +     }
> > +-
> > ++    data->req.setcookies++;
> > +   }
> > +   else {
> > +     /*
> > +@@ -1354,7 +1358,8 @@ static struct Cookie *dup_cookie(struct Cookie *src)
> > +  *
> > +  * It shall only return cookies that haven't expired.
> > +  */
> > +-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
> > ++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
> > ++                                   struct CookieInfo *c,
> > +                                    const char *host, const char *path,
> > +                                    bool secure)
> > + {
> > +@@ -1409,6 +1414,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
> > +             mainco = newco;
> > +
> > +             matches++;
> > ++            if(matches >= MAX_COOKIE_SEND_AMOUNT) {
> > ++              infof(data, "Included max number of cookies (%u) in request!",
> > ++                    matches);
> > ++              break;
> > ++            }
> > +           }
> > +           else
> > +             goto fail;
> > +diff --git a/lib/cookie.h b/lib/cookie.h
> > +index 0ffe08e..7411980 100644
> > +--- a/lib/cookie.h
> > ++++ b/lib/cookie.h
> > +@@ -81,10 +81,26 @@ struct CookieInfo {
> > + */
> > + #define MAX_COOKIE_LINE 5000
> > +
> > +-/* This is the maximum length of a cookie name or content we deal with: */
> > ++/* Maximum length of an incoming cookie name or content we deal with. Longer
> > ++   cookies are ignored. */
> > + #define MAX_NAME 4096
> > + #define MAX_NAME_TXT "4095"
> > +
> > ++/* Maximum size for an outgoing cookie line libcurl will use in an http
> > ++   request. This is the default maximum length used in some versions of Apache
> > ++   httpd. */
> > ++#define MAX_COOKIE_HEADER_LEN 8190
> > ++
> > ++/* Maximum number of cookies libcurl will send in a single request, even if
> > ++   there might be more cookies that match. One reason to cap the number is to
> > ++   keep the maximum HTTP request within the maximum allowed size. */
> > ++#define MAX_COOKIE_SEND_AMOUNT 150
> > ++
> > ++/* Maximum number of Set-Cookie: lines accepted in a single response. If more
> > ++   such header lines are received, they are ignored. This value must be less
> > ++   than 256 since an unsigned char is used to count. */
> > ++#define MAX_SET_COOKIE_AMOUNT 50
> > ++
> > + struct Curl_easy;
> > + /*
> > +  * Add a cookie to the internal list of cookies. The domain and path arguments
> > +@@ -97,7 +113,8 @@ struct Cookie *Curl_cookie_add(struct Curl_easy *data,
> > +                                const char *domain, const char *path,
> > +                                bool secure);
> > +
> > +-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, const char *host,
> > ++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
> > ++                                   struct CookieInfo *c, const char *host,
> > +                                    const char *path, bool secure);
> > + void Curl_cookie_freelist(struct Cookie *cookies);
> > + void Curl_cookie_clearall(struct CookieInfo *cookies);
> > +diff --git a/lib/http.c b/lib/http.c
> > +index 4433824..2c8b0c4 100644
> > +--- a/lib/http.c
> > ++++ b/lib/http.c
> > +@@ -2709,12 +2709,14 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn,
> > + }
> > +
> > + #if !defined(CURL_DISABLE_COOKIES)
> > ++
> > + CURLcode Curl_http_cookies(struct Curl_easy *data,
> > +                            struct connectdata *conn,
> > +                            struct dynbuf *r)
> > + {
> > +   CURLcode result = CURLE_OK;
> > +   char *addcookies = NULL;
> > ++  bool linecap = FALSE;
> > +   if(data->set.str[STRING_COOKIE] &&
> > +      !Curl_checkheaders(data, STRCONST("Cookie")))
> > +     addcookies = data->set.str[STRING_COOKIE];
> > +@@ -2732,7 +2734,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
> > +         !strcmp(host, "127.0.0.1") ||
> > +         !strcmp(host, "[::1]") ? TRUE : FALSE;
> > +       Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
> > +-      co = Curl_cookie_getlist(data->cookies, host, data->state.up.path,
> > ++      co = Curl_cookie_getlist(data, data->cookies, host, data->state.up.path,
> > +                                secure_context);
> > +       Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
> > +     }
> > +@@ -2746,6 +2748,13 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
> > +             if(result)
> > +               break;
> > +           }
> > ++          if((Curl_dyn_len(r) + strlen(co->name) + strlen(co->value) + 1) >=
> > ++             MAX_COOKIE_HEADER_LEN) {
> > ++            infof(data, "Restricted outgoing cookies due to header size, "
> > ++                  "'%s' not sent", co->name);
> > ++            linecap = TRUE;
> > ++            break;
> > ++          }
> > +           result = Curl_dyn_addf(r, "%s%s=%s", count?"; ":"",
> > +                                  co->name, co->value);
> > +           if(result)
> > +@@ -2756,7 +2765,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
> > +       }
> > +       Curl_cookie_freelist(store);
> > +     }
> > +-    if(addcookies && !result) {
> > ++    if(addcookies && !result && !linecap) {
> > +       if(!count)
> > +         result = Curl_dyn_addn(r, STRCONST("Cookie: "));
> > +       if(!result) {
> > +diff --git a/lib/urldata.h b/lib/urldata.h
> > +index e006495..54faf7d 100644
> > +--- a/lib/urldata.h
> > ++++ b/lib/urldata.h
> > +@@ -707,6 +707,7 @@ struct SingleRequest {
> > + #ifndef CURL_DISABLE_DOH
> > +   struct dohdata *doh; /* DoH specific data for this request */
> > + #endif
> > ++  unsigned char setcookies;
> > +   BIT(header);        /* incoming data has HTTP header */
> > +   BIT(content_range); /* set TRUE if Content-Range: was found */
> > +   BIT(upload_done);   /* set to TRUE when doing chunked transfer-encoding
> > diff --git a/meta/recipes-support/curl/curl/CVE-2022-32206.patch b/meta/recipes-support/curl/curl/CVE-2022-32206.patch
> > new file mode 100644
> > index 0000000000..25f5b27cc7
> > --- /dev/null
> > +++ b/meta/recipes-support/curl/curl/CVE-2022-32206.patch
> > @@ -0,0 +1,51 @@
> > +From e12531340b03d242d3f892aa8797faf12b56dddf Mon Sep 17 00:00:00 2001
> > +From: Daniel Stenberg <daniel@haxx.se>
> > +Date: Mon, 16 May 2022 16:28:13 +0200
> > +Subject: [PATCH] content_encoding: return error on too many compression steps
> > +
> > +The max allowed steps is arbitrarily set to 5.
> > +
> > +Bug: https://curl.se/docs/CVE-2022-32206.html
> > +CVE-2022-32206
> > +Reported-by: Harry Sintonen
> > +Closes #9049
> > +
> > +Upstream-Status: Backport [https://github.com/curl/curl/commit/3a09fbb7f264c67c43]
> > +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> > +---
> > + lib/content_encoding.c | 9 +++++++++
> > + 1 file changed, 9 insertions(+)
> > +
> > +diff --git a/lib/content_encoding.c b/lib/content_encoding.c
> > +index c03637a..6f994b3 100644
> > +--- a/lib/content_encoding.c
> > ++++ b/lib/content_encoding.c
> > +@@ -1026,12 +1026,16 @@ static const struct content_encoding *find_encoding(const char *name,
> > +   return NULL;
> > + }
> > +
> > ++/* allow no more than 5 "chained" compression steps */
> > ++#define MAX_ENCODE_STACK 5
> > ++
> > + /* Set-up the unencoding stack from the Content-Encoding header value.
> > +  * See RFC 7231 section 3.1.2.2. */
> > + CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
> > +                                      const char *enclist, int maybechunked)
> > + {
> > +   struct SingleRequest *k = &data->req;
> > ++  int counter = 0;
> > +
> > +   do {
> > +     const char *name;
> > +@@ -1066,6 +1070,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
> > +       if(!encoding)
> > +         encoding = &error_encoding;  /* Defer error at stack use. */
> > +
> > ++      if(++counter >= MAX_ENCODE_STACK) {
> > ++        failf(data, "Reject response due to %u content encodings",
> > ++              counter);
> > ++        return CURLE_BAD_CONTENT_ENCODING;
> > ++      }
> > +       /* Stack the unencoding stage. */
> > +       writer = new_unencoding_writer(data, encoding, k->writer_stack);
> > +       if(!writer)
> > diff --git a/meta/recipes-support/curl/curl/CVE-2022-32207.patch b/meta/recipes-support/curl/curl/CVE-2022-32207.patch
> > new file mode 100644
> > index 0000000000..bc16b62f39
> > --- /dev/null
> > +++ b/meta/recipes-support/curl/curl/CVE-2022-32207.patch
> > @@ -0,0 +1,283 @@
> > +From 759088694e2ba68ddc5ffe042b071dadad6ff675 Mon Sep 17 00:00:00 2001
> > +From: Daniel Stenberg <daniel@haxx.se>
> > +Date: Wed, 25 May 2022 10:09:53 +0200
> > +Subject: [PATCH] fopen: add Curl_fopen() for better overwriting of files
> > +
> > +Bug: https://curl.se/docs/CVE-2022-32207.html
> > +CVE-2022-32207
> > +Reported-by: Harry Sintonen
> > +Closes #9050
> > +
> > +Upstream-Status: Backport [https://github.com/curl/curl/commit/20f9dd6bae50b]
> > +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> > +---
> > + CMakeLists.txt          |   1 +
> > + configure.ac            |   1 +
> > + lib/Makefile.inc        |   2 +
> > + lib/cookie.c            |  19 ++-----
> > + lib/curl_config.h.cmake |   3 ++
> > + lib/fopen.c             | 113 ++++++++++++++++++++++++++++++++++++++++
> > + lib/fopen.h             |  30 +++++++++++
> > + 7 files changed, 154 insertions(+), 15 deletions(-)
> > + create mode 100644 lib/fopen.c
> > + create mode 100644 lib/fopen.h
> > +
> > +diff --git a/CMakeLists.txt b/CMakeLists.txt
> > +index b77de6d..a0bfaad 100644
> > +--- a/CMakeLists.txt
> > ++++ b/CMakeLists.txt
> > +@@ -1027,6 +1027,7 @@ elseif(HAVE_LIBSOCKET)
> > +   set(CMAKE_REQUIRED_LIBRARIES socket)
> > + endif()
> > +
> > ++check_symbol_exists(fchmod        "${CURL_INCLUDES}" HAVE_FCHMOD)
> > + check_symbol_exists(basename      "${CURL_INCLUDES}" HAVE_BASENAME)
> > + check_symbol_exists(socket        "${CURL_INCLUDES}" HAVE_SOCKET)
> > + check_symbol_exists(select        "${CURL_INCLUDES}" HAVE_SELECT)
> > +diff --git a/configure.ac b/configure.ac
> > +index d431870..7433bb9 100644
> > +--- a/configure.ac
> > ++++ b/configure.ac
> > +@@ -3351,6 +3351,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se
> > +
> > +
> > + AC_CHECK_FUNCS([fnmatch \
> > ++  fchmod \
> > +   geteuid \
> > +   getpass_r \
> > +   getppid \
> > +diff --git a/lib/Makefile.inc b/lib/Makefile.inc
> > +index e8f110f..5139b03 100644
> > +--- a/lib/Makefile.inc
> > ++++ b/lib/Makefile.inc
> > +@@ -133,6 +133,7 @@ LIB_CFILES =         \
> > +   escape.c           \
> > +   file.c             \
> > +   fileinfo.c         \
> > ++  fopen.c            \
> > +   formdata.c         \
> > +   ftp.c              \
> > +   ftplistparser.c    \
> > +@@ -263,6 +264,7 @@ LIB_HFILES =         \
> > +   escape.h           \
> > +   file.h             \
> > +   fileinfo.h         \
> > ++  fopen.h            \
> > +   formdata.h         \
> > +   ftp.h              \
> > +   ftplistparser.h    \
> > +diff --git a/lib/cookie.c b/lib/cookie.c
> > +index 8a6aa1a..cb0c03b 100644
> > +--- a/lib/cookie.c
> > ++++ b/lib/cookie.c
> > +@@ -96,8 +96,8 @@ Example set of cookies:
> > + #include "curl_get_line.h"
> > + #include "curl_memrchr.h"
> > + #include "parsedate.h"
> > +-#include "rand.h"
> > + #include "rename.h"
> > ++#include "fopen.h"
> > +
> > + /* The last 3 #include files should be in this order */
> > + #include "curl_printf.h"
> > +@@ -1620,20 +1620,9 @@ static CURLcode cookie_output(struct Curl_easy *data,
> > +     use_stdout = TRUE;
> > +   }
> > +   else {
> > +-    unsigned char randsuffix[9];
> > +-
> > +-    if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
> > +-      return 2;
> > +-
> > +-    tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
> > +-    if(!tempstore)
> > +-      return CURLE_OUT_OF_MEMORY;
> > +-
> > +-    out = fopen(tempstore, FOPEN_WRITETEXT);
> > +-    if(!out) {
> > +-      error = CURLE_WRITE_ERROR;
> > ++    error = Curl_fopen(data, filename, &out, &tempstore);
> > ++    if(error)
> > +       goto error;
> > +-    }
> > +   }
> > +
> > +   fputs("# Netscape HTTP Cookie File\n"
> > +@@ -1680,7 +1669,7 @@ static CURLcode cookie_output(struct Curl_easy *data,
> > +   if(!use_stdout) {
> > +     fclose(out);
> > +     out = NULL;
> > +-    if(Curl_rename(tempstore, filename)) {
> > ++    if(tempstore && Curl_rename(tempstore, filename)) {
> > +       unlink(tempstore);
> > +       error = CURLE_WRITE_ERROR;
> > +       goto error;
> > +diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
> > +index d2a0f43..c254359 100644
> > +--- a/lib/curl_config.h.cmake
> > ++++ b/lib/curl_config.h.cmake
> > +@@ -157,6 +157,9 @@
> > + /* Define to 1 if you have the <assert.h> header file. */
> > + #cmakedefine HAVE_ASSERT_H 1
> > +
> > ++/* Define to 1 if you have the `fchmod' function. */
> > ++#cmakedefine HAVE_FCHMOD 1
> > ++
> > + /* Define to 1 if you have the `basename' function. */
> > + #cmakedefine HAVE_BASENAME 1
> > +
> > +diff --git a/lib/fopen.c b/lib/fopen.c
> > +new file mode 100644
> > +index 0000000..ad3691b
> > +--- /dev/null
> > ++++ b/lib/fopen.c
> > +@@ -0,0 +1,113 @@
> > ++/***************************************************************************
> > ++ *                                  _   _ ____  _
> > ++ *  Project                     ___| | | |  _ \| |
> > ++ *                             / __| | | | |_) | |
> > ++ *                            | (__| |_| |  _ <| |___
> > ++ *                             \___|\___/|_| \_\_____|
> > ++ *
> > ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
> > ++ *
> > ++ * This software is licensed as described in the file COPYING, which
> > ++ * you should have received as part of this distribution. The terms
> > ++ * are also available at https://curl.se/docs/copyright.html.
> > ++ *
> > ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
> > ++ * copies of the Software, and permit persons to whom the Software is
> > ++ * furnished to do so, under the terms of the COPYING file.
> > ++ *
> > ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
> > ++ * KIND, either express or implied.
> > ++ *
> > ++ * SPDX-License-Identifier: curl
> > ++ *
> > ++ ***************************************************************************/
> > ++
> > ++#include "curl_setup.h"
> > ++
> > ++#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) ||  \
> > ++  !defined(CURL_DISABLE_HSTS)
> > ++
> > ++#ifdef HAVE_FCNTL_H
> > ++#include <fcntl.h>
> > ++#endif
> > ++
> > ++#include "urldata.h"
> > ++#include "rand.h"
> > ++#include "fopen.h"
> > ++/* The last 3 #include files should be in this order */
> > ++#include "curl_printf.h"
> > ++#include "curl_memory.h"
> > ++#include "memdebug.h"
> > ++
> > ++/*
> > ++ * Curl_fopen() opens a file for writing with a temp name, to be renamed
> > ++ * to the final name when completed. If there is an existing file using this
> > ++ * name at the time of the open, this function will clone the mode from that
> > ++ * file.  if 'tempname' is non-NULL, it needs a rename after the file is
> > ++ * written.
> > ++ */
> > ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
> > ++                    FILE **fh, char **tempname)
> > ++{
> > ++  CURLcode result = CURLE_WRITE_ERROR;
> > ++  unsigned char randsuffix[9];
> > ++  char *tempstore = NULL;
> > ++  struct_stat sb;
> > ++  int fd = -1;
> > ++  *tempname = NULL;
> > ++
> > ++  if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
> > ++    /* a non-regular file, fallback to direct fopen() */
> > ++    *fh = fopen(filename, FOPEN_WRITETEXT);
> > ++    if(*fh)
> > ++      return CURLE_OK;
> > ++    goto fail;
> > ++  }
> > ++
> > ++  result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
> > ++  if(result)
> > ++    goto fail;
> > ++
> > ++  tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
> > ++  if(!tempstore) {
> > ++    result = CURLE_OUT_OF_MEMORY;
> > ++    goto fail;
> > ++  }
> > ++
> > ++  result = CURLE_WRITE_ERROR;
> > ++  fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600);
> > ++  if(fd == -1)
> > ++    goto fail;
> > ++
> > ++#ifdef HAVE_FCHMOD
> > ++  {
> > ++    struct_stat nsb;
> > ++    if((fstat(fd, &nsb) != -1) &&
> > ++       (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) {
> > ++      /* if the user and group are the same, clone the original mode */
> > ++      if(fchmod(fd, sb.st_mode) == -1)
> > ++        goto fail;
> > ++    }
> > ++  }
> > ++#endif
> > ++
> > ++  *fh = fdopen(fd, FOPEN_WRITETEXT);
> > ++  if(!*fh)
> > ++    goto fail;
> > ++
> > ++  *tempname = tempstore;
> > ++  return CURLE_OK;
> > ++
> > ++fail:
> > ++  if(fd != -1) {
> > ++    close(fd);
> > ++    unlink(tempstore);
> > ++  }
> > ++
> > ++  free(tempstore);
> > ++
> > ++  *tempname = NULL;
> > ++  return result;
> > ++}
> > ++
> > ++#endif /* ! disabled */
> > +diff --git a/lib/fopen.h b/lib/fopen.h
> > +new file mode 100644
> > +index 0000000..289e55f
> > +--- /dev/null
> > ++++ b/lib/fopen.h
> > +@@ -0,0 +1,30 @@
> > ++#ifndef HEADER_CURL_FOPEN_H
> > ++#define HEADER_CURL_FOPEN_H
> > ++/***************************************************************************
> > ++ *                                  _   _ ____  _
> > ++ *  Project                     ___| | | |  _ \| |
> > ++ *                             / __| | | | |_) | |
> > ++ *                            | (__| |_| |  _ <| |___
> > ++ *                             \___|\___/|_| \_\_____|
> > ++ *
> > ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
> > ++ *
> > ++ * This software is licensed as described in the file COPYING, which
> > ++ * you should have received as part of this distribution. The terms
> > ++ * are also available at https://curl.se/docs/copyright.html.
> > ++ *
> > ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
> > ++ * copies of the Software, and permit persons to whom the Software is
> > ++ * furnished to do so, under the terms of the COPYING file.
> > ++ *
> > ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
> > ++ * KIND, either express or implied.
> > ++ *
> > ++ * SPDX-License-Identifier: curl
> > ++ *
> > ++ ***************************************************************************/
> > ++
> > ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
> > ++                    FILE **fh, char **tempname);
> > ++
> > ++#endif
> > diff --git a/meta/recipes-support/curl/curl/CVE-2022-32208.patch b/meta/recipes-support/curl/curl/CVE-2022-32208.patch
> > new file mode 100644
> > index 0000000000..9a4e398370
> > --- /dev/null
> > +++ b/meta/recipes-support/curl/curl/CVE-2022-32208.patch
> > @@ -0,0 +1,67 @@
> > +From fd2ffddec315c029e923e6e6f2c049809d01a5fc Mon Sep 17 00:00:00 2001
> > +From: Daniel Stenberg <daniel@haxx.se>
> > +Date: Thu, 9 Jun 2022 09:27:24 +0200
> > +Subject: [PATCH] krb5: return error properly on decode errors
> > +
> > +Bug: https://curl.se/docs/CVE-2022-32208.html
> > +CVE-2022-32208
> > +Reported-by: Harry Sintonen
> > +Closes #9051
> > +
> > +Upstream-Status: Backport [https://github.com/curl/curl/commit/6ecdf5136b52af7]
> > +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> > +---
> > + lib/krb5.c | 18 +++++++++++-------
> > + 1 file changed, 11 insertions(+), 7 deletions(-)
> > +
> > +diff --git a/lib/krb5.c b/lib/krb5.c
> > +index 787137c..6f9e1f7 100644
> > +--- a/lib/krb5.c
> > ++++ b/lib/krb5.c
> > +@@ -140,11 +140,8 @@ krb5_decode(void *app_data, void *buf, int len,
> > +   enc.value = buf;
> > +   enc.length = len;
> > +   maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
> > +-  if(maj != GSS_S_COMPLETE) {
> > +-    if(len >= 4)
> > +-      strcpy(buf, "599 ");
> > ++  if(maj != GSS_S_COMPLETE)
> > +     return -1;
> > +-  }
> > +
> > +   memcpy(buf, dec.value, dec.length);
> > +   len = curlx_uztosi(dec.length);
> > +@@ -506,6 +503,7 @@ static CURLcode read_data(struct connectdata *conn,
> > + {
> > +   int len;
> > +   CURLcode result;
> > ++  int nread;
> > +
> > +   result = socket_read(fd, &len, sizeof(len));
> > +   if(result)
> > +@@ -514,7 +512,10 @@ static CURLcode read_data(struct connectdata *conn,
> > +   if(len) {
> > +     /* only realloc if there was a length */
> > +     len = ntohl(len);
> > +-    buf->data = Curl_saferealloc(buf->data, len);
> > ++    if(len > CURL_MAX_INPUT_LENGTH)
> > ++      len = 0;
> > ++    else
> > ++      buf->data = Curl_saferealloc(buf->data, len);
> > +   }
> > +   if(!len || !buf->data)
> > +     return CURLE_OUT_OF_MEMORY;
> > +@@ -522,8 +523,11 @@ static CURLcode read_data(struct connectdata *conn,
> > +   result = socket_read(fd, buf->data, len);
> > +   if(result)
> > +     return result;
> > +-  buf->size = conn->mech->decode(conn->app_data, buf->data, len,
> > +-                                 conn->data_prot, conn);
> > ++  nread = conn->mech->decode(conn->app_data, buf->data, len,
> > ++                             conn->data_prot, conn);
> > ++  if(nread < 0)
> > ++    return CURLE_RECV_ERROR;
> > ++  buf->size = (size_t)nread;
> > +   buf->index = 0;
> > +   return CURLE_OK;
> > + }
> > diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
> > index d5dfe62a39..67de0220c6 100644
> > --- a/meta/recipes-support/curl/curl_7.82.0.bb
> > +++ b/meta/recipes-support/curl/curl_7.82.0.bb
> > @@ -24,6 +24,10 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
> >              file://CVE-2022-27782-1.patch \
> >              file://CVE-2022-27782-2.patch \
> >              file://0001-openssl-fix-CN-check-error-code.patch \
> > +           file://CVE-2022-32205.patch \
> > +           file://CVE-2022-32206.patch \
> > +           file://CVE-2022-32207.patch \
> > +           file://CVE-2022-32208.patch \
> >              "
> >   SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
> >
> > --
> > 2.25.1
> >
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#168201): https://lists.openembedded.org/g/openembedded-core/message/168201
> > Mute This Topic: https://lists.openembedded.org/mt/92460238/3618448
> > Group Owner: openembedded-core+owner@lists.openembedded.org
> > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [mingli.yu@windriver.com]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >

[OE-core][kirkstone 00/35] Patch review

[Steve Sakoman]

Please review this set of patches for kirkstone and have comments back
by end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4507

The following changes since commit 3243b069db7629d15e4b8c25b4133f824d18520c:

  qemu: add io_uring PACKAGECONFIG (2022-11-10 07:13:46 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alex Kiernan (1):
  cargo_common.bbclass: Fix typos

Alexander Kanavin (6):
  lttng-tools: submit determinism.patch upstream
  groff: submit patches upstream
  tcl: correct patch status
  kea: submit patch upstream
  ovmf: correct patches status
  libffi: submit patch upstream

Diego Sueiro (1):
  kernel.bbclass: Include randstruct seed assets in
    STAGING_KERNEL_BUILDDIR

Hitendra Prajapati (1):
  systemd: CVE-2022-3821 Fix buffer overrun

Jose Quaresma (1):
  archiver: avoid using machine variable as it breaks multiconfig

Kai Kang (1):
  libuv: fixup SRC_URI

Leon Anavi (1):
  get_module_deps3.py: Check attribute '__file__'

Marek Vasut (1):
  bluez5: Point hciattach bcm43xx firmware search path to /lib/firmware

Nathan Rossi (4):
  oeqa/selftest/lic_checksum: Cleanup changes to emptytest include
  oeqa/selftest/minidebuginfo: Create selftest for minidebuginfo
  glibc-locale: Do not INHIBIT_DEFAULT_DEPS
  package: Fix handling of minidebuginfo with newer binutils

Niko Mauno (1):
  systemd: Consider PACKAGECONFIG in RRECOMMENDS

Richard Purdie (6):
  lttng-modules: upgrade 2.13.5 -> 2.13.7
  bitbake.conf: Drop export of SOURCE_DATE_EPOCH_FALLBACK
  gcc-shared-source: Fix source date epoch handling
  gcc-source: Fix gengtypes race
  gcc-source: Drop gengtype manipulation
  gcc-source: Ensure deploy_source_date_epoch sstate hash doesn't change

Ross Burton (1):
  expat: upgrade to 2.5.0

Sergei Zhmylev (1):
  wic: make ext2/3/4 images reproducible

Steve Sakoman (1):
  Revert "expat: backport the fix for CVE-2022-43680"

Wang Mingyu (3):
  bind: upgrade 9.18.7 -> 9.18.8
  socat: upgrade 1.7.4.3 -> 1.7.4.4
  libxcrypt: upgrade 4.4.28 -> 4.4.30

Xiangyu Chen (5):
  dbus: fix CVE-2022-42010 Check brackets in signature nest correctly
  dbus: fix CVE-2022-42011 dbus-daemon can be crashed by messages with
    array length inconsistent with element type
  dbus: fix CVE-2022-42012 dbus-marshal-byteswap: Byte-swap Unix fd
    indexes if needed
  lttng-tools: Upgrade 2.13.4 -> 2.13.8
  sudo: upgrade 1.9.10 -> sudo 1.9.12p1

 meta/classes/archiver.bbclass                 |   2 +-
 meta/classes/cargo_common.bbclass             |   4 +-
 meta/classes/kernel.bbclass                   |  16 +++
 meta/classes/package.bbclass                  |  21 +++-
 meta/conf/bitbake.conf                        |   2 +-
 meta/lib/oeqa/selftest/cases/lic_checksum.py  |   2 +
 meta/lib/oeqa/selftest/cases/minidebuginfo.py |  49 ++++++++
 ...1-avoid-start-failure-with-bind-user.patch |   0
 ...d-V-and-start-log-hide-build-options.patch |   0
 ...ching-for-json-headers-searches-sysr.patch |   0
 .../bind/{bind-9.18.7 => bind-9.18.8}/bind9   |   0
 .../{bind-9.18.7 => bind-9.18.8}/conf.patch   |   0
 .../generate-rndc-key.sh                      |   0
 ...t.d-add-support-for-read-only-rootfs.patch |   0
 .../make-etc-initd-bind-stop-work.patch       |   0
 .../named.service                             |   0
 .../bind/{bind_9.18.7.bb => bind_9.18.8.bb}   |   2 +-
 meta/recipes-connectivity/bluez5/bluez5.inc   |   2 +
 .../kea/files/fix-multilib-conflict.patch     |   2 +-
 .../libuv/libuv_1.44.2.bb                     |   2 +-
 ...ck-getprotobynumber_r-with-AC_TRY_LI.patch |  35 ------
 .../{socat_1.7.4.3.bb => socat_1.7.4.4.bb}    |   6 +-
 ...eswap-Byte-swap-Unix-fd-indexes-if-n.patch |  76 +++++++++++
 ...idate-Check-brackets-in-signature-ne.patch | 119 ++++++++++++++++++
 ...idate-Validate-length-of-arrays-of-f.patch |  61 +++++++++
 meta/recipes-core/dbus/dbus_1.14.0.bb         |   3 +
 .../expat/expat/CVE-2022-43680.patch          |  33 -----
 .../expat/{expat_2.4.9.bb => expat_2.5.0.bb}  |   3 +-
 meta/recipes-core/glibc/glibc-locale.inc      |  11 +-
 ...t_4.4.28.bb => libxcrypt-compat_4.4.30.bb} |   0
 meta/recipes-core/libxcrypt/libxcrypt.inc     |   2 +-
 ...ibxcrypt_4.4.28.bb => libxcrypt_4.4.30.bb} |   0
 ...ovmf-update-path-to-native-BaseTools.patch |   2 +-
 ...ile-adjust-to-build-in-under-bitbake.patch |   7 +-
 .../systemd/systemd/CVE-2022-3821.patch       |  45 +++++++
 meta/recipes-core/systemd/systemd_250.5.bb    |   5 +-
 .../gcc/gcc-shared-source.inc                 |  10 ++
 meta/recipes-devtools/gcc/gcc-source.inc      |   9 +-
 .../python/python3/get_module_deps3.py        |   2 +-
 .../tcl/fix_non_native_build_issue.patch      |   2 +-
 ...001-Make-manpages-mulitlib-identical.patch |   2 +-
 ...001-replace-perl-w-with-use-warnings.patch |   2 +-
 meta/recipes-extended/sudo/sudo.inc           |   2 +-
 .../sudo/{sudo_1.9.10.bb => sudo_1.9.12p1.bb} |   2 +-
 ...djust-range-v5.10.137-in-block-probe.patch |  92 --------------
 ...4-fix-kernel-crash-caused-by-do_get_.patch |  94 --------------
 ...ules_2.13.5.bb => lttng-modules_2.13.7.bb} |   4 +-
 .../lttng/lttng-tools/determinism.patch       |   2 +-
 ...-tools_2.13.4.bb => lttng-tools_2.13.8.bb} |  11 +-
 ...m-sysv-reverted-clang-VFP-mitigation.patch |   2 +-
 scripts/lib/wic/partition.py                  |  29 ++++-
 51 files changed, 474 insertions(+), 303 deletions(-)
 create mode 100644 meta/lib/oeqa/selftest/cases/minidebuginfo.py
 rename meta/recipes-connectivity/bind/{bind-9.18.7 => bind-9.18.8}/0001-avoid-start-failure-with-bind-user.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.7 => bind-9.18.8}/0001-named-lwresd-V-and-start-log-hide-build-options.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.7 => bind-9.18.8}/bind-ensure-searching-for-json-headers-searches-sysr.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.7 => bind-9.18.8}/bind9 (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.7 => bind-9.18.8}/conf.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.7 => bind-9.18.8}/generate-rndc-key.sh (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.7 => bind-9.18.8}/init.d-add-support-for-read-only-rootfs.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.7 => bind-9.18.8}/make-etc-initd-bind-stop-work.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.7 => bind-9.18.8}/named.service (100%)
 rename meta/recipes-connectivity/bind/{bind_9.18.7.bb => bind_9.18.8.bb} (97%)
 delete mode 100644 meta/recipes-connectivity/socat/socat/0001-configure.ac-check-getprotobynumber_r-with-AC_TRY_LI.patch
 rename meta/recipes-connectivity/socat/{socat_1.7.4.3.bb => socat_1.7.4.4.bb} (89%)
 create mode 100644 meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch
 create mode 100644 meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch
 create mode 100644 meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch
 delete mode 100644 meta/recipes-core/expat/expat/CVE-2022-43680.patch
 rename meta/recipes-core/expat/{expat_2.4.9.bb => expat_2.5.0.bb} (88%)
 rename meta/recipes-core/libxcrypt/{libxcrypt-compat_4.4.28.bb => libxcrypt-compat_4.4.30.bb} (100%)
 rename meta/recipes-core/libxcrypt/{libxcrypt_4.4.28.bb => libxcrypt_4.4.30.bb} (100%)
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2022-3821.patch
 rename meta/recipes-extended/sudo/{sudo_1.9.10.bb => sudo_1.9.12p1.bb} (96%)
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-adjust-range-v5.10.137-in-block-probe.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-wrapper-powerpc64-fix-kernel-crash-caused-by-do_get_.patch
 rename meta/recipes-kernel/lttng/{lttng-modules_2.13.5.bb => lttng-modules_2.13.7.bb} (86%)
 rename meta/recipes-kernel/lttng/{lttng-tools_2.13.4.bb => lttng-tools_2.13.8.bb} (90%)

-- 
2.25.1