[OE-core][dunfell 0/4] Patch review

[OE-core][dunfell 0/4] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by end
of day Friday.  This should be the final set of patches for the 3.1.8 build.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3944

The following changes since commit bba069463ca3813666d084643b0239b9af0199e1:

  classes/cve-check: Move get_patches_cves to library (2022-07-13 05:25:10 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Bruce Ashfield (2):
  linux-yocto/5.4: update to v5.4.205
  linux-yocto-rt/5.4: fixup -rt build breakage

Ranjitsinh Rathod (1):
  cve-extra-exclusions.inc: Use CVE_CHECK_WHITELIST

Robert Joslyn (1):
  curl: Fix CVE-2022-32206, CVE-2022-32207, and CVE-2022-32208

 .../distro/include/cve-extra-exclusions.inc   |   6 +-
 .../linux/linux-yocto-rt_5.4.bb               |   6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  |  22 +-
 .../curl/curl/CVE-2022-32206.patch            |  52 ++++
 .../curl/curl/CVE-2022-32207.patch            | 284 ++++++++++++++++++
 .../curl/curl/CVE-2022-32208.patch            |  72 +++++
 meta/recipes-support/curl/curl_7.69.1.bb      |   3 +
 8 files changed, 432 insertions(+), 21 deletions(-)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32206.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32207.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32208.patch

-- 
2.25.1

[OE-core][dunfell 1/4] cve-extra-exclusions.inc: Use CVE_CHECK_WHITELIST

[Steve Sakoman]

From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>

Use CVE_CHECK_WHITELIST as CVE_CHECK_IGNORE is not valid on dunfell
branch

Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/conf/distro/include/cve-extra-exclusions.inc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 70442df991..f3490db9dd 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -57,19 +57,19 @@ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
 # There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
 # qemu maintainers say the patch is incorrect and should not be applied
 # Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable
-CVE_CHECK_IGNORE += "CVE-2021-20255"
+CVE_CHECK_WHITELIST += "CVE-2021-20255"
 
 # qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067
 # There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can
 # still be reproduced or where exactly any bug is.
 # Ignore from OE's perspective as we'll pick up any fix when upstream accepts one.
-CVE_CHECK_IGNORE += "CVE-2019-12067"
+CVE_CHECK_WHITELIST += "CVE-2019-12067"
 
 # nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974
 # It is a fuzzing related buffer overflow. It is of low impact since most devices
 # wouldn't expose an assembler. The upstream is inactive and there is little to be
 # done about the bug, ignore from an OE perspective.
-CVE_CHECK_IGNORE += "CVE-2020-18974"
+CVE_CHECK_WHITELIST += "CVE-2020-18974"
 
 
 
-- 
2.25.1

Re: [dunfell 1/4] cve-extra-exclusions.inc: Use CVE_CHECK_WHITELIST

[Hitendra Prajapati]

[-- Attachment #1: Type: text/plain, Size: 105 bytes --]

Hi Ranjitsinh,

Any specific reason to ignore the QEMU: CVE-2021-20255  CVE ??

Regards,
Hitendra

[-- Attachment #2: Type: text/html, Size: 359 bytes --]

[OE-core][dunfell 2/4] curl: Fix CVE-2022-32206, CVE-2022-32207, and CVE-2022-32208

[Steve Sakoman]

From: Robert Joslyn <robert.joslyn@redrectangle.org>

Backport fixes for:
 * CVE-2022-32206 - https://curl.se/docs/CVE-2022-32206.html
 * CVE-2022-32207 - https://curl.se/docs/CVE-2022-32207.html
 * CVE-2022-32208 - https://curl.se/docs/CVE-2022-32208.html

Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../curl/curl/CVE-2022-32206.patch            |  52 ++++
 .../curl/curl/CVE-2022-32207.patch            | 284 ++++++++++++++++++
 .../curl/curl/CVE-2022-32208.patch            |  72 +++++
 meta/recipes-support/curl/curl_7.69.1.bb      |   3 +
 4 files changed, 411 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32206.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32207.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32208.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2022-32206.patch b/meta/recipes-support/curl/curl/CVE-2022-32206.patch
new file mode 100644
index 0000000000..3d76aeb43d
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32206.patch
@@ -0,0 +1,52 @@
+From 25e7be39be5f8ed696b6085ced9cf6c17e6128f4 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 16 May 2022 16:28:13 +0200
+Subject: [PATCH] content_encoding: return error on too many compression steps
+
+The max allowed steps is arbitrarily set to 5.
+
+Bug: https://curl.se/docs/CVE-2022-32206.html
+CVE-2022-32206
+Reported-by: Harry Sintonen
+Closes #9049
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/3a09fbb7f264c67c43]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/content_encoding.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/content_encoding.c b/lib/content_encoding.c
+index 6d47537..91e621f 100644
+--- a/lib/content_encoding.c
++++ b/lib/content_encoding.c
+@@ -934,6 +934,9 @@ static const content_encoding *find_encoding(const char *name, size_t len)
+   return NULL;
+ }
+ 
++/* allow no more than 5 "chained" compression steps */
++#define MAX_ENCODE_STACK 5
++
+ /* Set-up the unencoding stack from the Content-Encoding header value.
+  * See RFC 7231 section 3.1.2.2. */
+ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
+@@ -941,6 +944,7 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
+ {
+   struct Curl_easy *data = conn->data;
+   struct SingleRequest *k = &data->req;
++  int counter = 0;
+ 
+   do {
+     const char *name;
+@@ -975,6 +979,11 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
+       if(!encoding)
+         encoding = &error_encoding;  /* Defer error at stack use. */
+ 
++      if(++counter >= MAX_ENCODE_STACK) {
++        failf(data, "Reject response due to %u content encodings",
++              counter);
++        return CURLE_BAD_CONTENT_ENCODING;
++      }    
+       /* Stack the unencoding stage. */
+       writer = new_unencoding_writer(conn, encoding, k->writer_stack);
+       if(!writer)
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32207.patch b/meta/recipes-support/curl/curl/CVE-2022-32207.patch
new file mode 100644
index 0000000000..f75aaecd64
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32207.patch
@@ -0,0 +1,284 @@
+From af92181055d7d64dfc0bc9d5a13c8b98af3196be Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 25 May 2022 10:09:53 +0200
+Subject: [PATCH] fopen: add Curl_fopen() for better overwriting of files
+
+Bug: https://curl.se/docs/CVE-2022-32207.html
+CVE-2022-32207
+Reported-by: Harry Sintonen
+Closes #9050
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/20f9dd6bae50b]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ CMakeLists.txt          |   1 +
+ configure.ac            |   1 +
+ lib/Makefile.inc        |   4 +-
+ lib/cookie.c            |  19 ++-----
+ lib/curl_config.h.cmake |   3 ++
+ lib/fopen.c             | 113 ++++++++++++++++++++++++++++++++++++++++
+ lib/fopen.h             |  30 +++++++++++
+ 7 files changed, 155 insertions(+), 16 deletions(-)
+ create mode 100644 lib/fopen.c
+ create mode 100644 lib/fopen.h
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 73b053b..cc587b0 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -869,6 +869,7 @@ elseif(HAVE_LIBSOCKET)
+   set(CMAKE_REQUIRED_LIBRARIES socket)
+ endif()
+ 
++check_symbol_exists(fchmod        "${CURL_INCLUDES}" HAVE_FCHMOD)
+ check_symbol_exists(basename      "${CURL_INCLUDES}" HAVE_BASENAME)
+ check_symbol_exists(socket        "${CURL_INCLUDES}" HAVE_SOCKET)
+ check_symbol_exists(select        "${CURL_INCLUDES}" HAVE_SELECT)
+diff --git a/configure.ac b/configure.ac
+index d090622..7071077 100755
+--- a/configure.ac
++++ b/configure.ac
+@@ -4059,6 +4059,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se
+ 
+ 
+ AC_CHECK_FUNCS([fnmatch \
++  fchmod \
+   geteuid \
+   getpass_r \
+   getppid \
+diff --git a/lib/Makefile.inc b/lib/Makefile.inc
+index 46ded90..79307d8 100644
+--- a/lib/Makefile.inc
++++ b/lib/Makefile.inc
+@@ -63,7 +63,7 @@ LIB_CFILES = file.c timeval.c base64.c hostip.c progress.c formdata.c   \
+   curl_multibyte.c hostcheck.c conncache.c dotdot.c                     \
+   x509asn1.c http2.c smb.c curl_endian.c curl_des.c system_win32.c      \
+   mime.c sha256.c setopt.c curl_path.c curl_ctype.c curl_range.c psl.c  \
+-  doh.c urlapi.c curl_get_line.c altsvc.c socketpair.c rename.c
++  doh.c urlapi.c curl_get_line.c altsvc.c socketpair.c rename.c fopen.c
+ 
+ LIB_HFILES = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h \
+   formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h if2ip.h         \
+@@ -84,7 +84,7 @@ LIB_HFILES = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h \
+   x509asn1.h http2.h sigpipe.h smb.h curl_endian.h curl_des.h           \
+   curl_printf.h system_win32.h rand.h mime.h curl_sha256.h setopt.h     \
+   curl_path.h curl_ctype.h curl_range.h psl.h doh.h urlapi-int.h        \
+-  curl_get_line.h altsvc.h quic.h socketpair.h rename.h
++  curl_get_line.h altsvc.h quic.h socketpair.h rename.h fopen.h
+ 
+ LIB_RCFILES = libcurl.rc
+ 
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 68054e1..a9ad20a 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -97,8 +97,8 @@ Example set of cookies:
+ #include "curl_memrchr.h"
+ #include "inet_pton.h"
+ #include "parsedate.h"
+-#include "rand.h"
+ #include "rename.h"
++#include "fopen.h"
+ 
+ /* The last 3 #include files should be in this order */
+ #include "curl_printf.h"
+@@ -1524,18 +1524,9 @@ static int cookie_output(struct Curl_easy *data,
+     use_stdout = TRUE;
+   }
+   else {
+-    unsigned char randsuffix[9];
+-
+-    if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
+-      return 2;
+-
+-    tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
+-    if(!tempstore)
+-      return 1;
+-
+-    out = fopen(tempstore, FOPEN_WRITETEXT);
+-    if(!out)
+-      goto error;
++      error = Curl_fopen(data, filename, &out, &tempstore);
++      if(error)
++        goto error;
+   }
+ 
+   fputs("# Netscape HTTP Cookie File\n"
+@@ -1581,7 +1572,7 @@ static int cookie_output(struct Curl_easy *data,
+   if(!use_stdout) {
+     fclose(out);
+     out = NULL;
+-    if(Curl_rename(tempstore, filename)) {
++    if(tempstore && Curl_rename(tempstore, filename)) {
+       unlink(tempstore);
+       goto error;
+     }
+diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
+index 98cdf51..fe43751 100644
+--- a/lib/curl_config.h.cmake
++++ b/lib/curl_config.h.cmake
+@@ -124,6 +124,9 @@
+ /* Define to 1 if you have the <assert.h> header file. */
+ #cmakedefine HAVE_ASSERT_H 1
+ 
++/* Define to 1 if you have the `fchmod' function. */
++#cmakedefine HAVE_FCHMOD 1
++
+ /* Define to 1 if you have the `basename' function. */
+ #cmakedefine HAVE_BASENAME 1
+ 
+diff --git a/lib/fopen.c b/lib/fopen.c
+new file mode 100644
+index 0000000..ad3691b
+--- /dev/null
++++ b/lib/fopen.c
+@@ -0,0 +1,113 @@
++/***************************************************************************
++ *                                  _   _ ____  _
++ *  Project                     ___| | | |  _ \| |
++ *                             / __| | | | |_) | |
++ *                            | (__| |_| |  _ <| |___
++ *                             \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++
++#include "curl_setup.h"
++
++#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) ||  \
++  !defined(CURL_DISABLE_HSTS)
++
++#ifdef HAVE_FCNTL_H
++#include <fcntl.h>
++#endif
++
++#include "urldata.h"
++#include "rand.h"
++#include "fopen.h"
++/* The last 3 #include files should be in this order */
++#include "curl_printf.h"
++#include "curl_memory.h"
++#include "memdebug.h"
++
++/*
++ * Curl_fopen() opens a file for writing with a temp name, to be renamed
++ * to the final name when completed. If there is an existing file using this
++ * name at the time of the open, this function will clone the mode from that
++ * file.  if 'tempname' is non-NULL, it needs a rename after the file is
++ * written.
++ */
++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
++                    FILE **fh, char **tempname)
++{
++  CURLcode result = CURLE_WRITE_ERROR;
++  unsigned char randsuffix[9];
++  char *tempstore = NULL;
++  struct_stat sb;
++  int fd = -1;
++  *tempname = NULL;
++
++  if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
++    /* a non-regular file, fallback to direct fopen() */
++    *fh = fopen(filename, FOPEN_WRITETEXT);
++    if(*fh)
++      return CURLE_OK;
++    goto fail;
++  }
++
++  result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
++  if(result)
++    goto fail;
++
++  tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
++  if(!tempstore) {
++    result = CURLE_OUT_OF_MEMORY;
++    goto fail;
++  }
++
++  result = CURLE_WRITE_ERROR;
++  fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600);
++  if(fd == -1)
++    goto fail;
++
++#ifdef HAVE_FCHMOD
++  {
++    struct_stat nsb;
++    if((fstat(fd, &nsb) != -1) &&
++       (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) {
++      /* if the user and group are the same, clone the original mode */
++      if(fchmod(fd, sb.st_mode) == -1)
++        goto fail;
++    }
++  }
++#endif
++
++  *fh = fdopen(fd, FOPEN_WRITETEXT);
++  if(!*fh)
++    goto fail;
++
++  *tempname = tempstore;
++  return CURLE_OK;
++
++fail:
++  if(fd != -1) {
++    close(fd);
++    unlink(tempstore);
++  }
++
++  free(tempstore);
++
++  *tempname = NULL;
++  return result;
++}
++
++#endif /* ! disabled */
+diff --git a/lib/fopen.h b/lib/fopen.h
+new file mode 100644
+index 0000000..289e55f
+--- /dev/null
++++ b/lib/fopen.h
+@@ -0,0 +1,30 @@
++#ifndef HEADER_CURL_FOPEN_H
++#define HEADER_CURL_FOPEN_H
++/***************************************************************************
++ *                                  _   _ ____  _
++ *  Project                     ___| | | |  _ \| |
++ *                             / __| | | | |_) | |
++ *                            | (__| |_| |  _ <| |___
++ *                             \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++
++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
++                    FILE **fh, char **tempname);
++
++#endif
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32208.patch b/meta/recipes-support/curl/curl/CVE-2022-32208.patch
new file mode 100644
index 0000000000..2939314d09
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32208.patch
@@ -0,0 +1,72 @@
+From 3b90f0b2a7a84645acce151c86b40d25b5de6615 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Jun 2022 09:27:24 +0200
+Subject: [PATCH] krb5: return error properly on decode errors
+
+Bug: https://curl.se/docs/CVE-2022-32208.html
+CVE-2022-32208
+Reported-by: Harry Sintonen
+Closes #9051
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/6ecdf5136b52af7]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/krb5.c     |  5 +----
+ lib/security.c | 13 ++++++++++---
+ 2 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/lib/krb5.c b/lib/krb5.c
+index f50287a..5b77e35 100644
+--- a/lib/krb5.c
++++ b/lib/krb5.c
+@@ -86,11 +86,8 @@ krb5_decode(void *app_data, void *buf, int len,
+   enc.value = buf;
+   enc.length = len;
+   maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
+-  if(maj != GSS_S_COMPLETE) {
+-    if(len >= 4)
+-      strcpy(buf, "599 ");
++  if(maj != GSS_S_COMPLETE)
+     return -1;
+-  }
+ 
+   memcpy(buf, dec.value, dec.length);
+   len = curlx_uztosi(dec.length);
+diff --git a/lib/security.c b/lib/security.c
+index fbfa707..3542210 100644
+--- a/lib/security.c
++++ b/lib/security.c
+@@ -192,6 +192,7 @@ static CURLcode read_data(struct connectdata *conn,
+ {
+   int len;
+   CURLcode result;
++  int nread;
+ 
+   result = socket_read(fd, &len, sizeof(len));
+   if(result)
+@@ -200,7 +201,10 @@ static CURLcode read_data(struct connectdata *conn,
+   if(len) {
+     /* only realloc if there was a length */
+     len = ntohl(len);
+-    buf->data = Curl_saferealloc(buf->data, len);
++    if(len > CURL_MAX_INPUT_LENGTH)
++      len = 0;
++    else
++      buf->data = Curl_saferealloc(buf->data, len);
+   }
+   if(!len || !buf->data)
+     return CURLE_OUT_OF_MEMORY;
+@@ -208,8 +212,11 @@ static CURLcode read_data(struct connectdata *conn,
+   result = socket_read(fd, buf->data, len);
+   if(result)
+     return result;
+-  buf->size = conn->mech->decode(conn->app_data, buf->data, len,
+-                                 conn->data_prot, conn);
++  nread = buf->size = conn->mech->decode(conn->app_data, buf->data, len,
++                                         conn->data_prot, conn);
++  if(nread < 0)
++    return CURLE_RECV_ERROR;
++  buf->size = (size_t)nread;
+   buf->index = 0;
+   return CURLE_OK;
+ }
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 5a597a7dd9..7b67b68f1d 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -35,6 +35,9 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://CVE-2022-27781.patch \
            file://CVE-2022-27782-1.patch \
            file://CVE-2022-27782-2.patch \
+           file://CVE-2022-32206.patch \
+           file://CVE-2022-32207.patch \
+           file://CVE-2022-32208.patch \
 "
 
 SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
-- 
2.25.1

[OE-core][dunfell 3/4] linux-yocto/5.4: update to v5.4.205

[Steve Sakoman]

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Updating  to the latest korg -stable release that comprises
the following commits:

    0ec831fa971d Linux 5.4.205
    1be11d7f3c89 dmaengine: ti: Add missing put_device in ti_dra7_xbar_route_allocate
    b31ab132561c dmaengine: ti: Fix refcount leak in ti_dra7_xbar_route_allocate
    f19026ede26e dmaengine: at_xdma: handle errors of at_xdmac_alloc_desc() correctly
    164e88024f82 dmaengine: pl330: Fix lockdep warning about non-static key
    5af3f2a697d5 ida: don't use BUG_ON() for debugging
    d88022b41eff dt-bindings: dma: allwinner,sun50i-a64-dma: Fix min/max typo
    aaf875578fd9 misc: rtsx_usb: set return value in rsp_buf alloc err path
    29612c43a2c5 misc: rtsx_usb: use separate command and response buffers
    0e517d0d7feb misc: rtsx_usb: fix use of dma mapped buffer for usb bulk transfer
    858c2d070895 dmaengine: imx-sdma: Allow imx8m for imx7 FW revs
    67586906893c i2c: cadence: Unregister the clk notifier in error path
    acb72388aed5 selftests: forwarding: fix error message in learning_test
    7adf3d45c460 selftests: forwarding: fix learning_test when h1 supports IFF_UNICAST_FLT
    681738560bf2 selftests: forwarding: fix flood_unicast_test when h2 supports IFF_UNICAST_FLT
    0711d15ccb27 ibmvnic: Properly dispose of all skbs during a failover.
    aa698affa62c ARM: at91: pm: use proper compatibles for sam9x60's rtc and rtt
    6b4747d5af43 ARM: at91: pm: use proper compatible for sama5d2's rtc
    123540275034 pinctrl: sunxi: sunxi_pconf_set: use correct offset
    12a690536931 pinctrl: sunxi: a83t: Fix NAND function name for some pins
    3cf8ece91132 ARM: meson: Fix refcount leak in meson_smp_prepare_cpus
    c465bbcd3c74 xfs: remove incorrect ASSERT in xfs_rename
    845dac0276a5 can: kvaser_usb: kvaser_usb_leaf: fix bittiming limits
    9afdff9dd820 can: kvaser_usb: kvaser_usb_leaf: fix CAN clock frequency regression
    93f228fcbef2 can: kvaser_usb: replace run-time checks with struct kvaser_usb_driver_info
    0adb049bac09 powerpc/powernv: delay rng platform device creation until later in boot
    782b65ee7bbe video: of_display_timing.h: include errno.h
    af93e8219734 fbcon: Prevent that screen size is smaller than font size
    4f34f380f952 fbcon: Disallow setting font bigger than screen size
    997d86cd3e39 fbmem: Check virtual screen sizes in fb_set_var()
    407c1b491fbd fbdev: fbmem: Fix logo center image dx issue
    14ff1184310f iommu/vt-d: Fix PCI bus rescan device hot add
    800bb66ab275 net: rose: fix UAF bug caused by rose_t0timer_expiry
    04894ab34faf usbnet: fix memory leak in error case
    6f655b5e13fa can: gs_usb: gs_usb_open/close(): fix memory leak
    eb7bbd7728da can: grcan: grcan_probe(): remove extra of_node_get()
    5b48f5711f1c can: bcm: use call_rcu() instead of costly synchronize_rcu()
    e7e3e90d6710 mm/slub: add missing TID updates on slab deactivation
    3defefd22ad5 esp: limit skb_page_frag_refill use to a single page
    49286fbdad47 Linux 5.4.204
    0ac2845937ce clocksource/drivers/ixp4xx: remove EXPORT_SYMBOL_GPL from ixp4xx_timer_setup()
    d40057538bee net: usb: qmi_wwan: add Telit 0x1070 composition
    ea89a522b4cc net: usb: qmi_wwan: add Telit 0x1060 composition
    5c03cad51b84 xen/arm: Fix race in RB-tree based P2M accounting
    60ac50daad36 xen/blkfront: force data bouncing when backend is untrusted
    ede57be88a5f xen/netfront: force data bouncing when backend is untrusted
    04945b5beb73 xen/netfront: fix leaking data in shared pages
    42112e8f9461 xen/blkfront: fix leaking data in shared pages
    b7c996abe545 selftests/rseq: Change type of rseq_offset to ptrdiff_t
    dc2825288012 selftests/rseq: x86-32: use %gs segment selector for accessing rseq thread area
    f89d15c9861c selftests/rseq: x86-64: use %fs segment selector for accessing rseq thread area
    618da2318e15 selftests/rseq: Fix: work-around asm goto compiler bugs
    58082d4e8186 selftests/rseq: Remove arm/mips asm goto compiler work-around
    1c9f13880f47 selftests/rseq: Fix warnings about #if checks of undefined tokens
    6f87493c3aa6 selftests/rseq: Fix ppc32 offsets by using long rather than off_t
    4e9c8fd7f7f0 selftests/rseq: Fix ppc32 missing instruction selection "u" and "x" for load/store
    d0ca70238f40 selftests/rseq: Fix ppc32: wrong rseq_cs 32-bit field pointer on big endian
    20e2f0108539 selftests/rseq: Uplift rseq selftests for compatibility with glibc-2.35
    71c04fdf59ca selftests/rseq: Introduce thread pointer getters
    f491e073b992 selftests/rseq: Introduce rseq_get_abi() helper
    158d91ffe0be selftests/rseq: Remove volatile from __rseq_abi
    7037c511f67d selftests/rseq: Remove useless assignment to cpu variable
    9aa134cb66b4 selftests/rseq: introduce own copy of rseq uapi header
    8417f4475959 selftests/rseq: remove ARRAY_SIZE define from individual tests
    b13119007056 rseq/selftests,x86_64: Add rseq_offset_deref_addv()
    7b6bffcfb9d3 ipv6/sit: fix ipip6_tunnel_get_prl return value
    05387c4ff568 sit: use min
    e99a98616191 net: dsa: bcm_sf2: force pause link settings
    ac9cd4f66a4d hwmon: (ibmaem) don't call platform_device_del() if platform_device_add() fails
    ee25841221c1 xen/gntdev: Avoid blocking in unmap_grant_pages()
    5eac00ef2a11 net: tun: avoid disabling NAPI twice
    8f968872ec34 NFC: nxp-nci: Don't issue a zero length i2c_master_read()
    37287fd28fb0 nfc: nfcmrvl: Fix irq_of_parse_and_map() return value
    893825289ba8 net: bonding: fix use-after-free after 802.3ad slave unbind
    6fdef80e7eaa net: bonding: fix possible NULL deref in rlb code
    bb1dc7cc576e net/sched: act_api: Notify user space if any actions were flushed before error
    3b2ddeb89fe7 netfilter: nft_dynset: restore set element counter when failing to update
    5b3a1c6bca38 s390: remove unneeded 'select BUILD_BIN2C'
    bdecd912e99a PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events
    e1284ec4a6d7 caif_virtio: fix race between virtio_device_ready() and ndo_open()
    9204bc3e8722 net: ipv6: unexport __init-annotated seg6_hmac_net_init()
    7a79f71f6931 usbnet: fix memory allocation in helpers
    5af106f8e072 linux/dim: Fix divide by 0 in RDMA DIM
    85d7d672e896 RDMA/qedr: Fix reporting QP timeout attribute
    ea0519bc578d net: tun: stop NAPI when detaching queues
    a8cf91902237 net: tun: unlink NAPI from device on destruction
    22e75461014b selftests/net: pass ipv6_args to udpgso_bench's IPv6 TCP test
    1d877327da33 virtio-net: fix race between ndo_open() and virtio_device_ready()
    7f89bb5d7102 net: usb: ax88179_178a: Fix packet receiving
    bb91556d2af0 net: rose: fix UAF bugs caused by timer handler
    76a477d39836 SUNRPC: Fix READ_PLUS crasher
    13816057eaf2 s390/archrandom: simplify back to earlier design and initialize earlier
    f157bd9cf377 dm raid: fix KASAN warning in raid5_add_disks
    90de15357504 dm raid: fix accesses beyond end of raid member array
    b6125c5dc3d6 powerpc/bpf: Fix use of user_pt_regs in uapi
    1ef2e87736a6 powerpc/prom_init: Fix kernel config grep
    d5e32f08e7f1 nvdimm: Fix badblocks clear off-by-one error
    53fb996f2709 ipv6: take care of disable_policy when restoring routes

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../linux/linux-yocto-rt_5.4.bb               |  6 ++---
 .../linux/linux-yocto-tiny_5.4.bb             |  8 +++----
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  | 22 +++++++++----------
 3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index 7fa1b81229..5bc1993cf2 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "fa8536530bdd6a87856aa6fe0af4f9ef4af21fe0"
-SRCREV_meta ?= "010ac788e81b6cb6c3fd2367802eee9d8feac34f"
+SRCREV_machine ?= "086bb7f7d2b47d654922e5cc526cc6274b28e319"
+SRCREV_meta ?= "aaaf9f090dfb3160154b24fbc2f9a6e669babc87"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.4.203"
+LINUX_VERSION ?= "5.4.205"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index d08658cf7e..769743856f 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.4.203"
+LINUX_VERSION ?= "5.4.205"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "d92cd7d5916772a20105ef776c7f3bf433df55a4"
-SRCREV_machine ?= "5f7c3e952857eb90a4113a41901bb770150af46b"
-SRCREV_meta ?= "010ac788e81b6cb6c3fd2367802eee9d8feac34f"
+SRCREV_machine_qemuarm ?= "6a3e65256e24a2ff0e4e9fcd877987fb8afd12f2"
+SRCREV_machine ?= "d730b865a7cb7ff89efcf8ac725ca247283f3eeb"
+SRCREV_meta ?= "aaaf9f090dfb3160154b24fbc2f9a6e669babc87"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index 545c754c1d..1043da7208 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86  ?= "v5.4/standard/base"
 KBRANCH_qemux86-64 ?= "v5.4/standard/base"
 KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "bf4029e0d9ff2e65d654909d7e9df50dce294c77"
-SRCREV_machine_qemuarm64 ?= "3e0dab732964f7bbc26671fee05be420fd02890a"
-SRCREV_machine_qemumips ?= "e8bea70e0c6a527383f2351e4f3d189aedf543a3"
-SRCREV_machine_qemuppc ?= "24cc2a066b8151925fdf86136b70b63cf37cc540"
-SRCREV_machine_qemuriscv64 ?= "9eab27738de4b3222b1c99cdebf3bde9611ef9fa"
-SRCREV_machine_qemux86 ?= "9eab27738de4b3222b1c99cdebf3bde9611ef9fa"
-SRCREV_machine_qemux86-64 ?= "9eab27738de4b3222b1c99cdebf3bde9611ef9fa"
-SRCREV_machine_qemumips64 ?= "5a5e07ef8df0e73b2f318b921f9262b49a6125d5"
-SRCREV_machine ?= "9eab27738de4b3222b1c99cdebf3bde9611ef9fa"
-SRCREV_meta ?= "010ac788e81b6cb6c3fd2367802eee9d8feac34f"
+SRCREV_machine_qemuarm ?= "943e7e1f32e61dc7dd7a7029062e789219d81b14"
+SRCREV_machine_qemuarm64 ?= "24d18667d92b460ee33480942306a0d9c80c491b"
+SRCREV_machine_qemumips ?= "2d469a0343033962ecea678491852aa9457b8ff6"
+SRCREV_machine_qemuppc ?= "85932dee050f49fa824fd9b49af7b8159fe28a8e"
+SRCREV_machine_qemuriscv64 ?= "8a59dfded81659402005acfb06fbb00b71c8ce86"
+SRCREV_machine_qemux86 ?= "8a59dfded81659402005acfb06fbb00b71c8ce86"
+SRCREV_machine_qemux86-64 ?= "8a59dfded81659402005acfb06fbb00b71c8ce86"
+SRCREV_machine_qemumips64 ?= "0edbd472c7f0b51994d20d07bb26ead379dc10ed"
+SRCREV_machine ?= "8a59dfded81659402005acfb06fbb00b71c8ce86"
+SRCREV_meta ?= "aaaf9f090dfb3160154b24fbc2f9a6e669babc87"
 
 # remap qemuarm to qemuarma15 for the 5.4 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.203"
+LINUX_VERSION ?= "5.4.205"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
-- 
2.25.1

[OE-core][dunfell 4/4] linux-yocto-rt/5.4: fixup -rt build breakage

[Steve Sakoman]

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Integrating the following commit(s) to linux-yocto/5.4:

    cc478e363cc3 rt: fixup random and irq/manage merge issues

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index 5bc1993cf2..fe75aee4da 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,7 +11,7 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "086bb7f7d2b47d654922e5cc526cc6274b28e319"
+SRCREV_machine ?= "cc478e363cc35064b58a871a4cc535aa973c5891"
 SRCREV_meta ?= "aaaf9f090dfb3160154b24fbc2f9a6e669babc87"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
-- 
2.25.1

[OE-core][dunfell 0/4] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by
end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5184

The following changes since commit 4045bf02bbc6e87a05ba689a63c675e49c940772:

  bmap-tools: switch to main branch (2023-04-03 07:16:26 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Bhabu Bindu (1):
  ffmpeg: fix for CVE-2022-3341

Gaurav Gupta (1):
  qemu: fix build error introduced by CVE-2021-3929 fix

Hitendra Prajapati (2):
  ruby: CVE-2023-28756 ReDoS vulnerability in Time
  curl: CVE-2023-27534 SFTP path ~ resolving discrepancy

 meta/recipes-devtools/qemu/qemu.inc           |   2 +
 .../qemu/qemu/CVE-2021-3929.patch             |  33 ++--
 .../hw-block-nvme-handle-dma-errors.patch     | 146 ++++++++++++++++++
 ...w-block-nvme-refactor-nvme_addr_read.patch |  55 +++++++
 .../ruby/ruby/CVE-2023-28756.patch            |  61 ++++++++
 meta/recipes-devtools/ruby/ruby_2.7.6.bb      |   1 +
 .../ffmpeg/ffmpeg/CVE-2022-3341.patch         |  67 ++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb |   1 +
 .../curl/curl/CVE-2023-27534.patch            | 123 +++++++++++++++
 meta/recipes-support/curl/curl_7.69.1.bb      |   1 +
 10 files changed, 475 insertions(+), 15 deletions(-)
 create mode 100644 meta/recipes-devtools/qemu/qemu/hw-block-nvme-handle-dma-errors.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/hw-block-nvme-refactor-nvme_addr_read.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3341.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534.patch

-- 
2.34.1

[OE-core][dunfell 0/4] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by end
of day Friday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3702
The following changes since commit 665f981fccbb09d51349c4bd4cfe4ca91001e3bd:

  cve-check: Fix report generation (2022-05-18 05:41:41 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (1):
  mobile-broadband-provider-info: upgrade 20220315 -> 20220511

Hitendra Prajapati (1):
  pcre2: CVE-2022-1586 Out-of-bounds read

Minjae Kim (1):
  libdrm: add libdrm-{nouveau,radeon,intel} to RPROVIDES

Ross Burton (1):
  oeqa/selftest/cve_check: add tests for recipe and image reports

 meta/lib/oeqa/selftest/cases/cve_check.py     | 77 ++++++++++++++++++-
 .../mobile-broadband-provider-info_git.bb     |  4 +-
 meta/recipes-graphics/drm/libdrm_2.4.101.bb   |  6 ++
 .../libpcre/libpcre2/CVE-2022-1586.patch      | 59 ++++++++++++++
 .../recipes-support/libpcre/libpcre2_10.34.bb |  1 +
 5 files changed, 144 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch

-- 
2.25.1

[OE-core][dunfell 0/4] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by end
of day Wednesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2804

The following changes since commit 62cdc20a2186ecd54d3a7131ec8f6937aa0229ed:

  uninative: Upgrade to 3.4 (2021-10-25 10:23:54 +0100)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Joshua Watt (1):
  classes/reproducible_build: Use atomic rename for SDE file

Richard Purdie (2):
  rpm: Deterministically set vendor macro entry
  reproducible_build: Work around caching issues

Steve Sakoman (1):
  selftest/reproducible: adjust exclusion list for dunfell

 meta/classes/reproducible_build.bbclass      | 24 +++++++++++---------
 meta/lib/oeqa/selftest/cases/reproducible.py |  5 ----
 meta/recipes-devtools/rpm/rpm_4.14.2.1.bb    |  3 ++-
 3 files changed, 15 insertions(+), 17 deletions(-)

-- 
2.25.1