Openembedded Core Discussions
* [OE-core][dunfell 00/13] Patch review
@ 2022-03-21 22:29 Steve Sakoman
  0 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-03-21 22:29 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for dunfell and have comments back by end of
day Wednesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3397

The following changes since commit ff90d0e91aec252d3f5986df9ce02293cddadbca:

  build-appliance-image: Update to dunfell head revision (2022-03-14 14:45:29 +0000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (1):
  mobile-broadband-provider-info: upgrade 20201225 -> 20210805

Changhyeok Bae (1):
  mobile-broadband-provider-info: upgrade 20210805 -> 20220315

Davide Gardenal (2):
  re2c: backport fix for CVE-2018-21232
  qemu: backport fix for CVE-2020-13253

Minjae Kim (1):
  bluez5: fix CVE-2021-3658

Ovidiu Panait (1):
  openssl: upgrade 1.1.1l -> 1.1.1n

Ralph Siemsen (2):
  libxml2: backport fix for CVE-2022-23308
  libxml2: move to gitlab.gnome.org

Richard Purdie (3):
  python3targetconfig: Use for nativesdk too
  oeqa/runtime/ping: Improve failure message to include more detail
  oeqa/selftest/tinfoil: Improve tinfoil event test debugging

Tim Orling (1):
  python3: upgrade 3.8.12 -> 3.8.13

wangmy (1):
  linux-firmware: upgrade 20220209 -> 20220310

 meta/classes/python3targetconfig.bbclass      |  12 +
 meta/lib/oeqa/runtime/cases/ping.py           |  20 +-
 meta/lib/oeqa/selftest/cases/tinfoil.py       |   4 +-
 meta/recipes-connectivity/bluez5/bluez5.inc   |   1 +
 .../bluez5/bluez5/CVE-2021-3658.patch         |  95 +++++
 .../mobile-broadband-provider-info_git.bb     |   7 +-
 .../openssl/openssl/CVE-2021-4160.patch       | 145 --------
 .../{openssl_1.1.1l.bb => openssl_1.1.1n.bb}  |   4 +-
 .../libxml/libxml2/CVE-2022-23308.patch       | 204 ++++++++++
 meta/recipes-core/libxml/libxml2_2.9.10.bb    |  11 +-
 ...-detection-of-mips-architecture-for-.patch |  42 ++-
 .../{python3_3.8.12.bb => python3_3.8.13.bb}  |   6 +-
 meta/recipes-devtools/qemu/qemu.inc           |   5 +
 .../qemu/qemu/CVE-2020-13253_1.patch          |  50 +++
 .../qemu/qemu/CVE-2020-13253_2.patch          | 112 ++++++
 .../qemu/qemu/CVE-2020-13253_3.patch          |  86 +++++
 .../qemu/qemu/CVE-2020-13253_4.patch          | 139 +++++++
 .../qemu/qemu/CVE-2020-13253_5.patch          |  54 +++
 ...20220209.bb => linux-firmware_20220310.bb} |   6 +-
 .../re2c/re2c/CVE-2018-21232-1.patch          | 347 ++++++++++++++++++
 .../re2c/re2c/CVE-2018-21232-2.patch          | 243 ++++++++++++
 .../re2c/re2c/CVE-2018-21232-3.patch          | 156 ++++++++
 .../re2c/re2c/CVE-2018-21232-4.patch          | 166 +++++++++
 meta/recipes-support/re2c/re2c_1.0.1.bb       |   6 +-
 24 files changed, 1730 insertions(+), 191 deletions(-)
 create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch
 rename meta/recipes-connectivity/openssl/{openssl_1.1.1l.bb => openssl_1.1.1n.bb} (97%)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch
 rename meta/recipes-devtools/python/{python3_3.8.12.bb => python3_3.8.13.bb} (98%)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13253_1.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20220209.bb => linux-firmware_20220310.bb} (99%)
 create mode 100644 meta/recipes-support/re2c/re2c/CVE-2018-21232-1.patch
 create mode 100644 meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch
 create mode 100644 meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch
 create mode 100644 meta/recipes-support/re2c/re2c/CVE-2018-21232-4.patch

-- 
2.25.1




* [OE-core][dunfell 00/13] Patch review
@ 2022-12-16 14:57 Steve Sakoman
  2022-12-16 14:57 ` [OE-core][dunfell 01/13] xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and CVE-2022-3553 Steve Sakoman
                   ` (12 more replies)
  0 siblings, 13 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-12-16 14:57 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for dunfell and have comments back
by end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4633

The following changes since commit e44f0cda8176186d42a752631810c1cb5f1971eb:

  kernel.bbclass: make KERNEL_DEBUG_TIMESTAMPS work at rebuild (2022-12-06 07:52:17 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexey Smirnov (1):
  classes: make TOOLCHAIN more permissive for kernel

Chen Qi (1):
  psplash: consider the situation of psplash not exist for systemd

Harald Seiler (1):
  opkg: Set correct info_dir and status_file in opkg.conf

Hitendra Prajapati (3):
  libarchive: CVE-2022-36227 NULL pointer dereference in archive_write.c
  sysstat: fix CVE-2022-39377
  golang: CVE-2022-41715 regexp/syntax: limit memory used by parsing
    regexps

Lee Chee Yang (1):
  dropbear: fix CVE-2021-36369

Mathieu Dubois-Briand (1):
  curl: Fix CVE CVE-2022-35260

Minjae Kim (1):
  xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and
    CVE-2022-3553

Pawan Badganchi (1):
  python3: Fix CVE-2022-37454

Qiu, Zheng (1):
  vim: upgrade 9.0.0820 -> 9.0.0947

Richard Purdie (1):
  oeqa/selftest/tinfoil: Add test for separate config_data with
    recipe_parse_file()

Riyaz Khan (1):
  rpm: Fix rpm CVE CVE-2021-3521

 meta/classes/kernel-arch.bbclass              |   2 +-
 meta/lib/oeqa/selftest/cases/tinfoil.py       |  14 +
 meta/recipes-core/dropbear/dropbear.inc       |   1 +
 .../dropbear/dropbear/CVE-2021-36369.patch    | 145 ++++++++
 .../psplash/files/psplash-start.service       |   1 +
 .../psplash/files/psplash-systemd.service     |   1 +
 meta/recipes-devtools/go/go-1.14.inc          |   1 +
 .../go/go-1.14/CVE-2022-41715.patch           | 271 ++++++++++++++
 meta/recipes-devtools/opkg/opkg_0.4.2.bb      |   4 +-
 .../python/python3/CVE-2022-37454.patch       | 105 ++++++
 .../recipes-devtools/python/python3_3.8.14.bb |   1 +
 .../rpm/files/CVE-2021-3521-01.patch          |  60 ++++
 .../rpm/files/CVE-2021-3521-02.patch          |  55 +++
 .../rpm/files/CVE-2021-3521-03.patch          |  34 ++
 .../rpm/files/CVE-2021-3521.patch             | 330 ++++++++++++++++++
 meta/recipes-devtools/rpm/rpm_4.14.2.1.bb     |   4 +
 .../libarchive/CVE-2022-36227.patch           |  43 +++
 .../libarchive/libarchive_3.4.2.bb            |   1 +
 .../sysstat/sysstat/CVE-2022-39377.patch      |  92 +++++
 .../sysstat/sysstat_12.2.1.bb                 |   4 +-
 .../xserver-xorg/CVE-2022-3550.patch          |  40 +++
 .../xserver-xorg/CVE-2022-3551.patch          |  64 ++++
 .../xserver-xorg/CVE-2022-3553.patch          |  49 +++
 .../xorg-xserver/xserver-xorg_1.20.14.bb      |   3 +
 .../curl/curl/CVE-2022-35260.patch            |  68 ++++
 meta/recipes-support/curl/curl_7.69.1.bb      |   1 +
 meta/recipes-support/vim/vim.inc              |   4 +-
 27 files changed, 1393 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41715.patch
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2022-37454.patch
 create mode 100644 meta/recipes-devtools/rpm/files/CVE-2021-3521-01.patch
 create mode 100644 meta/recipes-devtools/rpm/files/CVE-2021-3521-02.patch
 create mode 100644 meta/recipes-devtools/rpm/files/CVE-2021-3521-03.patch
 create mode 100644 meta/recipes-devtools/rpm/files/CVE-2021-3521.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2022-36227.patch
 create mode 100644 meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-35260.patch

-- 
2.25.1




* [OE-core][dunfell 01/13] xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and CVE-2022-3553
  2022-12-16 14:57 [OE-core][dunfell 00/13] Patch review Steve Sakoman
@ 2022-12-16 14:57 ` Steve Sakoman
  2022-12-16 14:57 ` [OE-core][dunfell 02/13] rpm: Fix rpm CVE CVE-2021-3521 Steve Sakoman
                   ` (11 subsequent siblings)
  12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-12-16 14:57 UTC (permalink / raw)
  To: openembedded-core

From: Minjae Kim <flowergom@gmail.com>

<CVE-2022-3550>
xkb: proof GetCountedString against request length attacks
Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e]

<CVE-2022-3551>
xkb: fix some possible memleaks in XkbGetKbdByName
Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2]

<CVE-2022-3553>
xquartz: Fix a possible crash when editing the Application
menu due to mutating immutable arrays
Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=dfd057996b26420309c324ec844a5ba6dd07eda3]

Signed-off-by: Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../xserver-xorg/CVE-2022-3550.patch          | 40 ++++++++++++
 .../xserver-xorg/CVE-2022-3551.patch          | 64 +++++++++++++++++++
 .../xserver-xorg/CVE-2022-3553.patch          | 49 ++++++++++++++
 .../xorg-xserver/xserver-xorg_1.20.14.bb      |  3 +
 4 files changed, 156 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
new file mode 100644
index 0000000000..efec7b6b4e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
@@ -0,0 +1,40 @@
+From d2dcbdc67c96c84dff301505072b0b7b022f1a14 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Sun, 4 Dec 2022 17:40:21 +0000
+Subject: [PATCH 1/3] xkb: proof GetCountedString against request length
+ attacks
+
+GetCountedString did a check for the whole string to be within the
+request buffer but not for the initial 2 bytes that contain the length
+field. A swapped client could send a malformed request to trigger a
+swaps() on those bytes, writing into random memory.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Ustream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e]
+CVE: CVE-2022-3550
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+
+---
+ xkb/xkb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 68c59df..bf8aaa3 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5138,6 +5138,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
+     CARD16 len;
+ 
+     wire = *wire_inout;
++
++    if (client->req_len <
++        bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
++	return BadValue;
++
+     len = *(CARD16 *) wire;
+     if (client->swapped) {
+         swaps(&len);
+-- 
+2.17.1
+
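Review bot: The status tag in this patch header is spelled `Ustream-Status:`, so any check that looks for the `Upstream-Status:` tag will treat the patch as untagged. Please correct the spelling; the other two patches in this commit have it right. `Signed-off-by:Minjae Kim` in the same header is also missing the space after the colon.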
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
new file mode 100644
index 0000000000..a3b977aac9
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
@@ -0,0 +1,64 @@
+From d3787290f56165f5656ddd2123dbf676a32d0a68 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Sun, 4 Dec 2022 17:44:00 +0000
+Subject: [PATCH 2/3] xkb: fix some possible memleaks in XkbGetKbdByName
+
+GetComponentByName returns an allocated string, so let's free that if we
+fail somewhere.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2]
+CVE: CVE-2022-3551
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+
+---
+ xkb/xkb.c | 26 +++++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index bf8aaa3..f79d306 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5908,19 +5908,31 @@ ProcXkbGetKbdByName(ClientPtr client)
+     xkb = dev->key->xkbInfo->desc;
+     status = Success;
+     str = (unsigned char *) &stuff[1];
+-    if (GetComponentSpec(&str, TRUE, &status))  /* keymap, unsupported */
+-        return BadMatch;
++    {
++        char *keymap = GetComponentSpec(&str, TRUE, &status);  /* keymap, unsupported */
++        if (keymap) {
++            free(keymap);
++            return BadMatch;
++        }
++    }
+     names.keycodes = GetComponentSpec(&str, TRUE, &status);
+     names.types = GetComponentSpec(&str, TRUE, &status);
+     names.compat = GetComponentSpec(&str, TRUE, &status);
+     names.symbols = GetComponentSpec(&str, TRUE, &status);
+     names.geometry = GetComponentSpec(&str, TRUE, &status);
+-    if (status != Success)
+-        return status;
+-    len = str - ((unsigned char *) stuff);
+-    if ((XkbPaddedSize(len) / 4) != stuff->length)
+-        return BadLength;
++    if (status == Success) {
++        len = str - ((unsigned char *) stuff);
++        if ((XkbPaddedSize(len) / 4) != stuff->length)
++            status = BadLength;
++    }
+ 
++    if (status != Success) {
++        free(names.keycodes);
++        free(names.types);
++        free(names.compat);
++        free(names.symbols);
++        free(names.geometry);
++    }
+     CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
+     CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
+ 
+-- 
+2.17.1
+
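Review bot: In the ProcXkbGetKbdByName hunk, the new `if (status != Success) {` block frees the five `names` strings but has no `return status;`, while the lines it replaces returned `status` or `BadLength` at this point. As written, a failed parse or a length mismatch frees `names.keycodes` through `names.geometry` and then falls through to `CHK_MASK_LEGAL(...)` with `names` still holding the freed pointers. Please compare against the upstream commit and add `return status;` as the last statement of that block if it was lost in the backport.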
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch
new file mode 100644
index 0000000000..94cea77edc
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch
@@ -0,0 +1,49 @@
+From 57ad2c03730d56f8432b6d66b29c0e5a9f9b1ec2 Mon Sep 17 00:00:00 2001
+From: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Date: Sun, 4 Dec 2022 17:46:18 +0000
+Subject: [PATCH 3/3] xquartz: Fix a possible crash when editing the
+ Application menu due to mutaing immutable arrays
+
+Crashing on exception: -[__NSCFArray replaceObjectAtIndex:withObject:]: mutating method sent to immutable object
+
+Application Specific Backtrace 0:
+0   CoreFoundation                      0x00007ff80d2c5e9b __exceptionPreprocess + 242
+1   libobjc.A.dylib                     0x00007ff80d027e48 objc_exception_throw + 48
+2   CoreFoundation                      0x00007ff80d38167b _CFThrowFormattedException + 194
+3   CoreFoundation                      0x00007ff80d382a25 -[__NSCFArray removeObjectAtIndex:].cold.1 + 0
+4   CoreFoundation                      0x00007ff80d2e6c0b -[__NSCFArray replaceObjectAtIndex:withObject:] + 119
+5   X11.bin                             0x00000001003180f9 -[X11Controller tableView:setObjectValue:forTableColumn:row:] + 169
+
+Fixes: https://github.com/XQuartz/XQuartz/issues/267
+Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+
+Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=dfd057996b26420309c324ec844a5ba6dd07eda3]
+CVE: CVE-2022-3553
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+
+---
+ hw/xquartz/X11Controller.m | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/hw/xquartz/X11Controller.m b/hw/xquartz/X11Controller.m
+index 3efda50..9870ff2 100644
+--- a/hw/xquartz/X11Controller.m
++++ b/hw/xquartz/X11Controller.m
+@@ -467,8 +467,12 @@ extern char *bundle_id_prefix;
+     self.table_apps = table_apps;
+ 
+     NSArray * const apps = self.apps;
+-    if (apps != nil)
+-        [table_apps addObjectsFromArray:apps];
++
++    if (apps != nil) {
++        for (NSArray <NSString *> * row in apps) {
++            [table_apps addObject:row.mutableCopy];
++        }
++    }
+ 
+     columns = [apps_table tableColumns];
+     [[columns objectAtIndex:0] setIdentifier:@"0"];
+-- 
+2.17.1
+
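Review bot: The only file this patch touches is `hw/xquartz/X11Controller.m`, the Objective-C XQuartz front end, and nothing in the commit indicates that this directory is compiled for OE targets. If it is not built, the patch changes no shipped code and only serves CVE tracking; please say so in the commit message, or consider marking CVE-2022-3553 as not applicable in the recipe (for example through CVE_CHECK_WHITELIST) instead of carrying the patch.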
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
index d176f390a4..4f5528f78b 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -5,6 +5,9 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
            file://0001-test-xtest-Initialize-array-with-braces.patch \
            file://sdksyms-no-build-path.patch \
            file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
+           file://CVE-2022-3550.patch \
+           file://CVE-2022-3551.patch \
+           file://CVE-2022-3553.patch \
            "
 SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
 SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"
-- 
2.25.1



^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [OE-core][dunfell 02/13] rpm: Fix rpm CVE CVE-2021-3521
  2022-12-16 14:57 [OE-core][dunfell 00/13] Patch review Steve Sakoman
  2022-12-16 14:57 ` [OE-core][dunfell 01/13] xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and CVE-2022-3553 Steve Sakoman
@ 2022-12-16 14:57 ` Steve Sakoman
  2022-12-16 14:57 ` [OE-core][dunfell 03/13] curl: Fix CVE CVE-2022-35260 Steve Sakoman
                   ` (10 subsequent siblings)
  12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-12-16 14:57 UTC (permalink / raw)
  To: openembedded-core

From: Riyaz Khan <Riyaz.Khan@kpit.com>

Links:
Dependent Patches:
CVE-2021-3521-01
https://github.com/rpm-software-management/rpm/commit/b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8
CVE-2021-3521-02
https://github.com/rpm-software-management/rpm/commit/9f03f42e2614a68f589f9db8fe76287146522c0c
CVE-2021-3521-03
https://github.com/rpm-software-management/rpm/commit/5ff86764b17f31535cb247543a90dd739076ec38
CVE-2021-3521
https://github.com/rpm-software-management/rpm/commit/bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8

Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../rpm/files/CVE-2021-3521-01.patch          |  60 ++++
 .../rpm/files/CVE-2021-3521-02.patch          |  55 +++
 .../rpm/files/CVE-2021-3521-03.patch          |  34 ++
 .../rpm/files/CVE-2021-3521.patch             | 330 ++++++++++++++++++
 meta/recipes-devtools/rpm/rpm_4.14.2.1.bb     |   4 +
 5 files changed, 483 insertions(+)
 create mode 100644 meta/recipes-devtools/rpm/files/CVE-2021-3521-01.patch
 create mode 100644 meta/recipes-devtools/rpm/files/CVE-2021-3521-02.patch
 create mode 100644 meta/recipes-devtools/rpm/files/CVE-2021-3521-03.patch
 create mode 100644 meta/recipes-devtools/rpm/files/CVE-2021-3521.patch

diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3521-01.patch b/meta/recipes-devtools/rpm/files/CVE-2021-3521-01.patch
new file mode 100644
index 0000000000..0882d6f310
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-3521-01.patch
@@ -0,0 +1,60 @@
+From b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 30 Sep 2021 09:51:10 +0300
+Subject: [PATCH] Process MPI's from all kinds of signatures
+
+No immediate effect but needed by the following commits.
+
+Dependent patch:
+CVE: CVE-2021-3521
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8]
+Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
+
+---
+ rpmio/rpmpgp.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index ee5c81e246..340de5fc9a 100644
+--- a/rpmio/rpmpgp.c
++++ b/rpmio/rpmpgp.c
+@@ -511,7 +511,7 @@  pgpDigAlg pgpDigAlgFree(pgpDigAlg alg)
+     return NULL;
+ }
+ 
+-static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
++static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo,
+ 		const uint8_t *p, const uint8_t *h, size_t hlen,
+ 		pgpDigParams sigp)
+ {
+@@ -524,10 +524,8 @@ static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
+ 	int mpil = pgpMpiLen(p);
+ 	if (p + mpil > pend)
+ 	    break;
+-	if (sigtype == PGPSIGTYPE_BINARY || sigtype == PGPSIGTYPE_TEXT) {
+-	    if (sigalg->setmpi(sigalg, i, p))
+-		break;
+-	}
++        if (sigalg->setmpi(sigalg, i, p))
++           break;
+ 	p += mpil;
+     }
+ 
+@@ -600,7 +598,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
+ 	}
+ 
+ 	p = ((uint8_t *)v) + sizeof(*v);
+-	rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
++	rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
+     }	break;
+     case 4:
+     {   pgpPktSigV4 v = (pgpPktSigV4)h;
+@@ -658,7 +656,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
+ 	if (p > (h + hlen))
+ 	    return 1;
+ 
+-	rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
++	rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
+     }	break;
+     default:
+ 	rpmlog(RPMLOG_WARNING, _("Unsupported version of key: V%d\n"), version);
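Review bot: In the `@@ -524,10 +524,8 @@` hunk, the two replacement lines `if (sigalg->setmpi(sigalg, i, p))` and `break;` are indented with spaces, while every other line of the loop in `pgpPrtSigParams` uses tabs, so the backport leaves mixed indentation around the one statement that changes behaviour. If upstream has it this way, keep it verbatim and mention that; otherwise match the surrounding tabs so later refreshes of this file do not pick up whitespace noise.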
diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3521-02.patch b/meta/recipes-devtools/rpm/files/CVE-2021-3521-02.patch
new file mode 100644
index 0000000000..c5f88a8c72
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-3521-02.patch
@@ -0,0 +1,55 @@
+From 9f03f42e2614a68f589f9db8fe76287146522c0c Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 30 Sep 2021 09:56:20 +0300
+Subject: [PATCH] Refactor pgpDigParams construction to helper function
+
+No functional changes, just to reduce code duplication and needed by
+the following commits.
+
+Dependent patch:
+CVE: CVE-2021-3521
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/9f03f42e2614a68f589f9db8fe76287146522c0c]
+Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
+
+---
+ rpmio/rpmpgp.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index 340de5fc9a..aad7c275c9 100644
+--- a/rpmio/rpmpgp.c
++++ b/rpmio/rpmpgp.c
+@@ -1055,6 +1055,13 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype)
+     return algo;
+ }
+ 
++static pgpDigParams pgpDigParamsNew(uint8_t tag)
++{
++    pgpDigParams digp = xcalloc(1, sizeof(*digp));
++    digp->tag = tag;
++    return digp;
++}
++
+ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+ 		 pgpDigParams * ret)
+ {
+@@ -1072,8 +1079,7 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+ 	    if (pkttype && pkt.tag != pkttype) {
+ 		break;
+ 	    } else {
+-		digp = xcalloc(1, sizeof(*digp));
+-		digp->tag = pkt.tag;
++		digp = pgpDigParamsNew(pkt.tag);
+ 	    }
+ 	}
+ 
+@@ -1121,8 +1127,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
+ 		digps = xrealloc(digps, alloced * sizeof(*digps));
+ 	    }
+ 
+-	    digps[count] = xcalloc(1, sizeof(**digps));
+-	    digps[count]->tag = PGPTAG_PUBLIC_SUBKEY;
++	    digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY);
+ 	    /* Copy UID from main key to subkey */
+ 	    digps[count]->userid = xstrdup(mainkey->userid);
+ 
diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3521-03.patch b/meta/recipes-devtools/rpm/files/CVE-2021-3521-03.patch
new file mode 100644
index 0000000000..fd31f11beb
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-3521-03.patch
@@ -0,0 +1,34 @@
+From 5ff86764b17f31535cb247543a90dd739076ec38 Mon Sep 17 00:00:00 2001
+From: Demi Marie Obenour <demi@invisiblethingslab.com>
+Date: Thu, 6 May 2021 18:34:45 -0400
+Subject: [PATCH] Do not allow extra packets to follow a signature
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+According to RFC 4880 § 11.4, a detached signature is “simply a
+Signature packet”.  Therefore, extra packets following a detached
+signature are not allowed.
+
+Dependent patch:
+CVE: CVE-2021-3521
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/5ff86764b17f31535cb247543a90dd739076ec38]
+Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
+
+---
+ rpmio/rpmpgp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index f1a99e7169..5b346a8253 100644
+--- a/rpmio/rpmpgp.c
++++ b/rpmio/rpmpgp.c
+@@ -1068,6 +1068,8 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+ 	    break;
+ 
+ 	p += (pkt.body - pkt.head) + pkt.blen;
++	if (pkttype == PGPTAG_SIGNATURE)
++	    break;
+     }
+ 
+     rc = (digp && (p == pend)) ? 0 : -1;
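Review bot: The base of this embedded diff does not chain with the other patches in the series: its index line is `f1a99e7169..5b346a8253`, while CVE-2021-3521-02.patch ends at blob `aad7c275c9` and CVE-2021-3521.patch starts from `aad7c275c9` yet already carries `if (pkttype == PGPTAG_SIGNATURE)` and `break;` as context. The `@@ -1068,6 +1068,8 @@` position also does not account for the seven lines that -02 adds above `pgpPrtParams`. Please confirm that the four patches apply in the SRC_URI order without offset or fuzz, and refresh this one against the tree as it stands after -02 if they do not.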
diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/CVE-2021-3521.patch
new file mode 100644
index 0000000000..cb9e9842fe
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-3521.patch
@@ -0,0 +1,330 @@
+From bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 30 Sep 2021 09:59:30 +0300
+Subject: [PATCH] Validate and require subkey binding signatures on PGP public
+ keys
+
+All subkeys must be followed by a binding signature by the primary key
+as per the OpenPGP RFC, enforce the presence and validity in the parser.
+
+The implementation is as kludgey as they come to work around our
+simple-minded parser structure without touching API, to maximise
+backportability. Store all the raw packets internally as we decode them
+to be able to access previous elements at will, needed to validate ordering
+and access the actual data. Add testcases for manipulated keys whose
+import previously would succeed.
+
+Depends on the two previous commits:
+7b399fcb8f52566e6f3b4327197a85facd08db91 and
+236b802a4aa48711823a191d1b7f753c82a89ec5
+
+CVE: CVE-2021-3521
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8]
+Comment: Hunk refreshed
+Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
+
+Fixes CVE-2021-3521.
+---
+ rpmio/rpmpgp.c                                | 98 +++++++++++++++++--
+ tests/Makefile.am                             |  3 +
+ tests/data/keys/CVE-2021-3521-badbind.asc     | 25 +++++
+ .../data/keys/CVE-2021-3521-nosubsig-last.asc | 25 +++++
+ tests/data/keys/CVE-2021-3521-nosubsig.asc    | 37 +++++++
+ tests/rpmsigdig.at                            | 28 ++++++
+ 6 files changed, 209 insertions(+), 7 deletions(-)
+ create mode 100644 tests/data/keys/CVE-2021-3521-badbind.asc
+ create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig-last.asc
+ create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig.asc
+
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index aad7c275c9..d70802ae86 100644
+--- a/rpmio/rpmpgp.c
++++ b/rpmio/rpmpgp.c
+@@ -1004,37 +1004,121 @@  static pgpDigParams pgpDigParamsNew(uint8_t tag)
+     return digp;
+ }
+ 
++static int hashKey(DIGEST_CTX hash, const struct pgpPkt *pkt, int exptag)
++{
++    int rc = -1;
++    if (pkt->tag == exptag) {
++	uint8_t head[] = {
++	    0x99,
++	    (pkt->blen >> 8),
++	    (pkt->blen     ),
++	};
++
++	rpmDigestUpdate(hash, head, 3);
++	rpmDigestUpdate(hash, pkt->body, pkt->blen);
++	rc = 0;
++    }
++    return rc;
++}
++
++static int pgpVerifySelf(pgpDigParams key, pgpDigParams selfsig,
++			const struct pgpPkt *all, int i)
++{
++    int rc = -1;
++    DIGEST_CTX hash = NULL;
++
++    switch (selfsig->sigtype) {
++    case PGPSIGTYPE_SUBKEY_BINDING:
++	hash = rpmDigestInit(selfsig->hash_algo, 0);
++	if (hash) {
++	    rc = hashKey(hash, &all[0], PGPTAG_PUBLIC_KEY);
++	    if (!rc)
++		rc = hashKey(hash, &all[i-1], PGPTAG_PUBLIC_SUBKEY);
++	}
++	break;
++    default:
++	/* ignore types we can't handle */
++	rc = 0;
++	break;
++    }
++
++    if (hash && rc == 0)
++	rc = pgpVerifySignature(key, selfsig, hash);
++
++    rpmDigestFinal(hash, NULL, NULL, 0);
++
++    return rc;
++}
++
+ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+ 		 pgpDigParams * ret)
+ {
+     const uint8_t *p = pkts;
+     const uint8_t *pend = pkts + pktlen;
+     pgpDigParams digp = NULL;
+-    struct pgpPkt pkt;
++    pgpDigParams selfsig = NULL;
++    int i = 0;
++    int alloced = 16; /* plenty for normal cases */
++    struct pgpPkt *all = xmalloc(alloced * sizeof(*all));
+     int rc = -1; /* assume failure */
++    int expect = 0;
++    int prevtag = 0;
+ 
+     while (p < pend) {
+-	if (decodePkt(p, (pend - p), &pkt))
++	struct pgpPkt *pkt = &all[i];
++	if (decodePkt(p, (pend - p), pkt))
+ 	    break;
+ 
+ 	if (digp == NULL) {
+-	    if (pkttype && pkt.tag != pkttype) {
++	    if (pkttype && pkt->tag != pkttype) {
+ 		break;
+ 	    } else {
+-		digp = pgpDigParamsNew(pkt.tag);
++		digp = pgpDigParamsNew(pkt->tag);
+ 	    }
+ 	}
+ 
+-	if (pgpPrtPkt(&pkt, digp))
++	if (expect) {
++	    if (pkt->tag != expect)
++		break;
++	    selfsig = pgpDigParamsNew(pkt->tag);
++	}
++
++	if (pgpPrtPkt(pkt, selfsig ? selfsig : digp))
+ 	    break;
+ 
+-	p += (pkt.body - pkt.head) + pkt.blen;
++	if (selfsig) {
++	    /* subkeys must be followed by binding signature */
++	    if (prevtag == PGPTAG_PUBLIC_SUBKEY) {
++		if (selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING)
++		    break;
++	    }
++
++	    int xx = pgpVerifySelf(digp, selfsig, all, i);
++
++	    selfsig = pgpDigParamsFree(selfsig);
++	    if (xx)
++		break;
++	    expect = 0;
++	}
++
++	if (pkt->tag == PGPTAG_PUBLIC_SUBKEY)
++	    expect = PGPTAG_SIGNATURE;
++	prevtag = pkt->tag;
++
++	i++;
++	p += (pkt->body - pkt->head) + pkt->blen;
+ 	if (pkttype == PGPTAG_SIGNATURE)
+ 	    break;
++
++	if (alloced <= i) {
++	    alloced *= 2;
++	    all = xrealloc(all, alloced * sizeof(*all));
++	}
+     }
+ 
+-    rc = (digp && (p == pend)) ? 0 : -1;
++    rc = (digp && (p == pend) && expect == 0) ? 0 : -1;
+ 
++    free(all);
+     if (ret && rc == 0) {
+ 	*ret = digp;
+     } else {
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index b4a2e2e1ce..bc535d2833 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -87,6 +87,9 @@ EXTRA_DIST += data/SPECS/hello-config-buildid.spec
+ EXTRA_DIST += data/SPECS/hello-cd.spec
+ EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.pub
+ EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.secret
++EXTRA_DIST += data/keys/CVE-2021-3521-badbind.asc
++EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig.asc
++EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig-last.asc
+ EXTRA_DIST += data/macros.testfile
+
+ # testsuite voodoo
+diff --git a/tests/data/keys/CVE-2021-3521-badbind.asc b/tests/data/keys/CVE-2021-3521-badbind.asc
+new file mode 100644
+index 0000000000..aea00f9d7a
+--- /dev/null
++++ b/tests/data/keys/CVE-2021-3521-badbind.asc
+@@ -0,0 +1,25 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Version: rpm-4.17.90 (NSS-3)
++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++=WCfs
++-----END PGP PUBLIC KEY BLOCK-----
++
+diff --git a/tests/data/keys/CVE-2021-3521-nosubsig-last.asc b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
+new file mode 100644
+index 0000000000..aea00f9d7a
+--- /dev/null
++++ b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
+@@ -0,0 +1,25 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Version: rpm-4.17.90 (NSS-3)
++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++=WCfs
++-----END PGP PUBLIC KEY BLOCK-----
++
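Review bot: CVE-2021-3521-nosubsig-last.asc is added with the same blob id as CVE-2021-3521-badbind.asc (both `index 0000000000..aea00f9d7a`, 25 lines each), so the two key files have identical content. The third `rpmkeys --import` check in rpmsigdig.at therefore repeats the badbind case rather than the case its file name suggests. Check whether the wrong file was copied here, and either supply the distinct key or drop the duplicate test.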
+diff --git a/tests/data/keys/CVE-2021-3521-nosubsig.asc b/tests/data/keys/CVE-2021-3521-nosubsig.asc
+new file mode 100644
+index 0000000000..3a2e7417f8
+--- /dev/null
++++ b/tests/data/keys/CVE-2021-3521-nosubsig.asc
+@@ -0,0 +1,37 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Version: rpm-4.17.90 (NSS-3)
++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++=rRop
++-----END PGP PUBLIC KEY BLOCK-----
++
+diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
+index 0f8f2b4884..c8b9f139e1 100644
+--- a/tests/rpmsigdig.at
++++ b/tests/rpmsigdig.at
+@@ -240,6 +240,34 @@ gpg(185e6146f00650f8) = 4:185e6146f00650f8-58e63918
+ [])
+ AT_CLEANUP
+ 
++AT_SETUP([rpmkeys --import invalid keys])
++AT_KEYWORDS([rpmkeys import])
++RPMDB_INIT
++
++AT_CHECK([
++runroot rpmkeys --import /data/keys/CVE-2021-3521-badbind.asc
++],
++[1],
++[],
++[error: /data/keys/CVE-2021-3521-badbind.asc: key 1 import failed.]
++)
++AT_CHECK([
++runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig.asc
++],
++[1],
++[],
++[error: /data/keys/CVE-2021-3521-nosubsig.asc: key 1 import failed.]
++)
++
++AT_CHECK([
++runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig-last.asc
++],
++[1],
++[],
++[error: /data/keys/CVE-2021-3521-nosubsig-last.asc: key 1 import failed.]
++)
++AT_CLEANUP
++
+ # ------------------------------
+ # Test pre-built package verification
+ AT_SETUP([rpmkeys -K <signed> 1])
+
diff --git a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
index 376021d913..4d605c8501 100644
--- a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
@@ -47,6 +47,10 @@ SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.14.x;protoc
            file://0001-rpmio-Fix-lzopen_internal-mode-parsing-when-Tn-is-us.patch \
            file://CVE-2021-3421.patch \
            file://CVE-2021-20266.patch \
+           file://CVE-2021-3521-01.patch \
+           file://CVE-2021-3521-02.patch \
+           file://CVE-2021-3521-03.patch \
+           file://CVE-2021-3521.patch \
            "
 
 PE = "1"
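Review bot: `file://CVE-2021-3521.patch` follows `-01`, `-02` and `-03` in SRC_URI but breaks the numbering, so it is not obvious from the names that it must apply last. Rename it to `CVE-2021-3521-04.patch`, or state in the commit message which upstream commit each of the four files carries.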
-- 
2.25.1




* [OE-core][dunfell 03/13] curl: Fix CVE CVE-2022-35260
  2022-12-16 14:57 [OE-core][dunfell 00/13] Patch review Steve Sakoman
  2022-12-16 14:57 ` [OE-core][dunfell 01/13] xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and CVE-2022-3553 Steve Sakoman
  2022-12-16 14:57 ` [OE-core][dunfell 02/13] rpm: Fix rpm CVE CVE-2021-3521 Steve Sakoman
@ 2022-12-16 14:57 ` Steve Sakoman
  2022-12-16 14:57 ` [OE-core][dunfell 04/13] libarchive: CVE-2022-36227 NULL pointer dereference in archive_write.c Steve Sakoman
                   ` (9 subsequent siblings)
  12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-12-16 14:57 UTC (permalink / raw)
  To: openembedded-core

From: Mathieu Dubois-Briand <mathieu.dubois-briand@hyprua.org>

Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../curl/curl/CVE-2022-35260.patch            | 68 +++++++++++++++++++
 meta/recipes-support/curl/curl_7.69.1.bb      |  1 +
 2 files changed, 69 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-35260.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2022-35260.patch b/meta/recipes-support/curl/curl/CVE-2022-35260.patch
new file mode 100644
index 0000000000..476c996b0a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-35260.patch
@@ -0,0 +1,68 @@
+From 3ff3989ec53d9ddcf4bdd99f5d5788dd87486768 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 4 Oct 2022 14:37:24 +0200
+Subject: [PATCH] netrc: replace fgets with Curl_get_line
+
+Upstream-Status: Backport
+CVE: CVE-2022-35260
+Reference to upstream patch: https://github.com/curl/curl/commit/c97ec984fb2bc919a3aa863e0476dffa377b184c
+
+Make the parser only accept complete lines and avoid problems with
+overly long lines.
+
+Reported-by: Hiroki Kurosawa
+
+Closes #9789
+---
+ lib/curl_get_line.c | 4 ++--
+ lib/netrc.c         | 5 +++--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/curl_get_line.c b/lib/curl_get_line.c
+index c4194851ae09..4b9eea9e631c 100644
+--- a/lib/curl_get_line.c
++++ b/lib/curl_get_line.c
+@@ -28,8 +28,8 @@
+ #include "memdebug.h"
+ 
+ /*
+- * get_line() makes sure to only return complete whole lines that fit in 'len'
+- * bytes and end with a newline.
++ * Curl_get_line() makes sure to only return complete whole lines that fit in
++ * 'len' bytes and end with a newline.
+  */
+ char *Curl_get_line(char *buf, int len, FILE *input)
+ {
+diff --git a/lib/netrc.c b/lib/netrc.c
+index 1c9da31993c9..93239132c9d8 100644
+--- a/lib/netrc.c
++++ b/lib/netrc.c
+@@ -31,6 +31,7 @@
+ #include "netrc.h"
+ #include "strtok.h"
+ #include "strcase.h"
++#include "curl_get_line.h"
+ 
+ /* The last 3 #include files should be in this order */
+ #include "curl_printf.h"
+@@ -83,7 +84,7 @@ static int parsenetrc(const char *host,
+     char netrcbuffer[4096];
+     int  netrcbuffsize = (int)sizeof(netrcbuffer);
+ 
+-    while(!done && fgets(netrcbuffer, netrcbuffsize, file)) {
++    while(!done && Curl_get_line(netrcbuffer, netrcbuffsize, file)) {
+       tok = strtok_r(netrcbuffer, " \t\n", &tok_buf);
+       if(tok && *tok == '#')
+         /* treat an initial hash as a comment line */
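Review bot: replacing fgets() with Curl_get_line() in the parsenetrc() loop changes which input reaches the tokenizer. Per the function comment in curl_get_line.c, it returns only complete lines that fit in 'len' bytes and end with a newline. A final .netrc line with no trailing newline, or a line longer than the 4096-byte netrcbuffer, is therefore no longer handed to strtok_r(). That is the intent of the fix, but it is a behaviour change for existing .netrc files on a stable branch, and the OE commit message for this backport has no description. Add one that states the change.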
+@@ -169,7 +170,7 @@ static int parsenetrc(const char *host,
+ 
+         tok = strtok_r(NULL, " \t\n", &tok_buf);
+       } /* while(tok) */
+-    } /* while fgets() */
++    } /* while Curl_get_line() */
+ 
+     out:
+     if(!retcode) {
+-- 
+2.34.1
+
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 31aa9d7185..63faae6296 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -40,6 +40,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://CVE-2022-32208.patch \
            file://CVE-2022-35252.patch \
            file://CVE-2022-32221.patch \
+           file://CVE-2022-35260.patch \
 "
 
 SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
-- 
2.25.1




* [OE-core][dunfell 04/13] libarchive: CVE-2022-36227 NULL pointer dereference in archive_write.c
  2022-12-16 14:57 [OE-core][dunfell 00/13] Patch review Steve Sakoman
                   ` (2 preceding siblings ...)
  2022-12-16 14:57 ` [OE-core][dunfell 03/13] curl: Fix CVE CVE-2022-35260 Steve Sakoman
@ 2022-12-16 14:57 ` Steve Sakoman
  2022-12-16 14:57 ` [OE-core][dunfell 05/13] sysstat: fix CVE-2022-39377 Steve Sakoman
                   ` (8 subsequent siblings)
  12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-12-16 14:57 UTC (permalink / raw)
  To: openembedded-core

From: Hitendra Prajapati <hprajapati@mvista.com>

Upstream-Status: Backport from https://github.com/libarchive/libarchive/commit/bff38efe8c110469c5080d387bec62a6ca15b1a5

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libarchive/CVE-2022-36227.patch           | 43 +++++++++++++++++++
 .../libarchive/libarchive_3.4.2.bb            |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2022-36227.patch

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2022-36227.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2022-36227.patch
new file mode 100644
index 0000000000..980a0e884a
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2022-36227.patch
@@ -0,0 +1,43 @@
+From 6311080bff566fcc5591dadfd78efb41705b717f Mon Sep 17 00:00:00 2001
+From: obiwac <obiwac@gmail.com>
+Date: Fri, 22 Jul 2022 22:41:10 +0200
+Subject: [PATCH] CVE-2022-36227
+
+libarchive: CVE-2022-36227 Handle a `calloc` returning NULL (fixes #1754)
+
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/bff38efe8c110469c5080d387bec62a6ca15b1a5]
+CVE: CVE-2022-36227
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com
+---
+ libarchive/archive_write.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
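Review bot: the Signed-off-by trailer in this patch header is missing its closing `>` (`<hprajapati@mvista.com`), which leaves a malformed address for any tooling that parses trailers. Fix it before merge. The header also gives Upstream-Status with the commit URL, so the duplicate Upstream-Status line in the outer commit message can be dropped.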
+diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c
+index 98a55fb..7fe88b6 100644
+--- a/libarchive/archive_write.c
++++ b/libarchive/archive_write.c
+@@ -211,6 +211,10 @@ __archive_write_allocate_filter(struct archive *_a)
+ 	struct archive_write_filter *f;
+ 
+ 	f = calloc(1, sizeof(*f));
++
++	if (f == NULL)
++		return (NULL);
++
+ 	f->archive = _a;
+ 	f->state = ARCHIVE_WRITE_FILTER_STATE_NEW;
+ 	if (a->filter_first == NULL)
+@@ -527,6 +531,10 @@ archive_write_open(struct archive *_a, void *client_data,
+ 	a->client_data = client_data;
+ 
+ 	client_filter = __archive_write_allocate_filter(_a);
++
++	if (client_filter == NULL)
++		return (ARCHIVE_FATAL);
++
+ 	client_filter->open = archive_write_client_open;
+ 	client_filter->write = archive_write_client_write;
+ 	client_filter->close = archive_write_client_close;
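Review bot: the new early return in archive_write_open() hands back ARCHIVE_FATAL without recording a reason, so a caller that inspects the archive's error string or errno after the failure gets nothing. Set the error before returning, for example with libarchive's archive_set_error() and ENOMEM. Note also that the two hunks guard only the archive_write_open() caller. __archive_write_allocate_filter() can now return NULL, so any other caller not touched by this diff needs the same check.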
+-- 
+2.25.1
+
diff --git a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
index 7d2e7b711b..e0a6174d8b 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
@@ -39,6 +39,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
            file://CVE-2021-23177.patch \
            file://CVE-2021-31566-01.patch \
            file://CVE-2021-31566-02.patch \
+           file://CVE-2022-36227.patch \
 "
 
 SRC_URI[md5sum] = "d953ed6b47694dadf0e6042f8f9ff451"
-- 
2.25.1




* [OE-core][dunfell 05/13] sysstat: fix CVE-2022-39377
  2022-12-16 14:57 [OE-core][dunfell 00/13] Patch review Steve Sakoman
                   ` (3 preceding siblings ...)
  2022-12-16 14:57 ` [OE-core][dunfell 04/13] libarchive: CVE-2022-36227 NULL pointer dereference in archive_write.c Steve Sakoman
@ 2022-12-16 14:57 ` Steve Sakoman
  2022-12-16 14:57 ` [OE-core][dunfell 06/13] dropbear: fix CVE-2021-36369 Steve Sakoman
                   ` (7 subsequent siblings)
  12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-12-16 14:57 UTC (permalink / raw)
  To: openembedded-core

From: Hitendra Prajapati <hprajapati@mvista.com>

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../sysstat/sysstat/CVE-2022-39377.patch      | 92 +++++++++++++++++++
 .../sysstat/sysstat_12.2.1.bb                 |  4 +-
 2 files changed, 95 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch

diff --git a/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch b/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch
new file mode 100644
index 0000000000..972cc8938b
--- /dev/null
+++ b/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch
@@ -0,0 +1,92 @@
+From 9c4eaf150662ad40607923389d4519bc83b93540 Mon Sep 17 00:00:00 2001
+From: Sebastien <seb@fedora-2.home>
+Date: Sat, 15 Oct 2022 14:24:22 +0200
+Subject: [PATCH] Fix size_t overflow in sa_common.c (GHSL-2022-074)
+
+allocate_structures function located in sa_common.c insufficiently
+checks bounds before arithmetic multiplication allowing for an
+overflow in the size allocated for the buffer representing system
+activities.
+
+This patch checks that the post-multiplied value is not greater than
+UINT_MAX.
+
+Signed-off-by: Sebastien <seb@fedora-2.home>
+
+Upstream-Status: Backport [https://github.com/sysstat/sysstat/commit/9c4eaf150662ad40607923389d4519bc83b93540]
+CVE : CVE-2022-39377
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ common.c    | 25 +++++++++++++++++++++++++
+ common.h    |  2 ++
+ sa_common.c |  6 ++++++
+ 3 files changed, 33 insertions(+)
+
+diff --git a/common.c b/common.c
+index ddfe75d..28d475e 100644
+--- a/common.c
++++ b/common.c
+@@ -1528,4 +1528,29 @@ int parse_values(char *strargv, unsigned char bitmap[], int max_val, const char
+ 
+ 	return 0;
+ }
++
++/*
++ ***************************************************************************
++ * Check if the multiplication of the 3 values may be greater than UINT_MAX.
++ *
++ * IN:
++ * @val1	First value.
++ * @val2	Second value.
++ * @val3	Third value.
++ ***************************************************************************
++ */
++void check_overflow(size_t val1, size_t val2, size_t val3)
++{
++	if ((unsigned long long) val1 *
++	    (unsigned long long) val2 *
++	    (unsigned long long) val3 > UINT_MAX) {
++#ifdef DEBUG
++		fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
++			__FUNCTION__,
++			(unsigned long long) val1 * (unsigned long long) val2 *	(unsigned long long) val3);
++#endif
++	exit(4);
++	}
++}
++
+ #endif /* SOURCE_SADC undefined */
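Review bot: the product in check_overflow() is computed in unsigned long long, which is no wider than size_t on 64-bit targets. `val1 * val2 * val3` can therefore wrap and compare below UINT_MAX, letting an oversized request pass the check. Test by division instead: reject when val2 is non-zero and val1 > UINT_MAX / val2, then apply the same test to the partial product and val3. Separately, `exit(4)` sits outside the `#ifdef DEBUG` block and is indented one level short, so a non-debug build terminates with no message. Print the diagnostic unconditionally and fix the indentation.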
+diff --git a/common.h b/common.h
+index 86905ba..75f837a 100644
+--- a/common.h
++++ b/common.h
+@@ -249,6 +249,8 @@ int get_wwnid_from_pretty
+ 	(char *, unsigned long long *, unsigned int *);
+ 
+ #ifndef SOURCE_SADC
++void check_overflow
++	(size_t, size_t, size_t);
+ int count_bits
+ 	(void *, int);
+ int count_csvalues
+diff --git a/sa_common.c b/sa_common.c
+index 8a03099..ff90c1f 100644
+--- a/sa_common.c
++++ b/sa_common.c
+@@ -452,7 +452,13 @@ void allocate_structures(struct activity *act[])
+ 	int i, j;
+ 
+ 	for (i = 0; i < NR_ACT; i++) {
++
+ 		if (act[i]->nr_ini > 0) {
++
++			/* Look for a possible overflow */
++			check_overflow((size_t) act[i]->msize, (size_t) act[i]->nr_ini,
++				       (size_t) act[i]->nr2);
++
+ 			for (j = 0; j < 3; j++) {
+ 				SREALLOC(act[i]->buf[j], void,
+ 						(size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2);
+-- 
+2.25.1
+
diff --git a/meta/recipes-extended/sysstat/sysstat_12.2.1.bb b/meta/recipes-extended/sysstat/sysstat_12.2.1.bb
index 2a90f89d25..2c0d5c8136 100644
--- a/meta/recipes-extended/sysstat/sysstat_12.2.1.bb
+++ b/meta/recipes-extended/sysstat/sysstat_12.2.1.bb
@@ -2,7 +2,9 @@ require sysstat.inc
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=a23a74b3f4caf9616230789d94217acb"
 
-SRC_URI += "file://0001-configure.in-remove-check-for-chkconfig.patch"
+SRC_URI += "file://0001-configure.in-remove-check-for-chkconfig.patch \
+            file://CVE-2022-39377.patch \
+           "
 
 SRC_URI[md5sum] = "9dfff5fac24e35bd92fb7896debf2ffb"
 SRC_URI[sha256sum] = "8edb0e19b514ac560a098a02933a4735b881296d61014db89bf80f05dd7a4732"
-- 
2.25.1




* [OE-core][dunfell 06/13] dropbear: fix CVE-2021-36369
  2022-12-16 14:57 [OE-core][dunfell 00/13] Patch review Steve Sakoman
                   ` (4 preceding siblings ...)
  2022-12-16 14:57 ` [OE-core][dunfell 05/13] sysstat: fix CVE-2022-39377 Steve Sakoman
@ 2022-12-16 14:57 ` Steve Sakoman
  2022-12-16 14:57 ` [OE-core][dunfell 07/13] golang: CVE-2022-41715 regexp/syntax: limit memory used by parsing regexps Steve Sakoman
                   ` (6 subsequent siblings)
  12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-12-16 14:57 UTC (permalink / raw)
  To: openembedded-core

From: Lee Chee Yang <chee.yang.lee@intel.com>

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/dropbear/dropbear.inc       |   1 +
 .../dropbear/dropbear/CVE-2021-36369.patch    | 145 ++++++++++++++++++
 2 files changed, 146 insertions(+)
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch

diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
index 026292230c..0f5e9ba4ac 100644
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -29,6 +29,7 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
            ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
            ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
            file://CVE-2020-36254.patch \
+           file://CVE-2021-36369.patch \
            "
 
 PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
new file mode 100644
index 0000000000..5cabe8339d
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
@@ -0,0 +1,145 @@
+From e10dec82930863e487b22978d3df107274f366b2 Mon Sep 17 00:00:00 2001
+From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com>
+Date: Thu, 19 Aug 2021 17:37:14 +0200
+Subject: [PATCH] added option to disable trivial auth methods (#128)
+
+* added option to disable trivial auth methods
+
+* rename argument to match with other ssh clients
+
+* fixed trivial auth detection for pubkeys
+
+[https://github.com/mkj/dropbear/pull/128]
+Upstream-Status: Backport
+CVE: CVE-2021-36369
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ cli-auth.c         | 3 +++
+ cli-authinteract.c | 1 +
+ cli-authpasswd.c   | 2 +-
+ cli-authpubkey.c   | 1 +
+ cli-runopts.c      | 7 +++++++
+ cli-session.c      | 1 +
+ runopts.h          | 1 +
+ session.h          | 1 +
+ 8 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/cli-auth.c b/cli-auth.c
+index 2e509e5..6f04495 100644
+--- a/cli-auth.c
++++ b/cli-auth.c
+@@ -267,6 +267,9 @@ void recv_msg_userauth_success() {
+ 	if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
+ 
+ 	TRACE(("received msg_userauth_success"))
++	if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
++		dropbear_exit("trivial authentication not allowed");
++	}
+ 	/* Note: in delayed-zlib mode, setting authdone here 
+ 	 * will enable compression in the transport layer */
+ 	ses.authstate.authdone = 1;
+diff --git a/cli-authinteract.c b/cli-authinteract.c
+index e1cc9a1..f7128ee 100644
+--- a/cli-authinteract.c
++++ b/cli-authinteract.c
+@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
+ 	m_free(instruction);
+ 
+ 	for (i = 0; i < num_prompts; i++) {
++		cli_ses.is_trivial_auth = 0;
+ 		unsigned int response_len = 0;
+ 		prompt = buf_getstring(ses.payload, NULL);
+ 		cleantext(prompt);
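Review bot: `cli_ses.is_trivial_auth = 0;` is inserted ahead of the `unsigned int response_len = 0;` declaration at the top of the for body, which puts a statement before a declaration in the same block. Move the assignment below the declaration so the block still builds cleanly with compilers or warning flags that reject mixed declarations and code.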
+diff --git a/cli-authpasswd.c b/cli-authpasswd.c
+index 00fdd8b..a24d43e 100644
+--- a/cli-authpasswd.c
++++ b/cli-authpasswd.c
+@@ -155,7 +155,7 @@ void cli_auth_password() {
+ 
+ 	encrypt_packet();
+ 	m_burn(password, strlen(password));
+-
++	cli_ses.is_trivial_auth = 0;
+ 	TRACE(("leave cli_auth_password"))
+ }
+ #endif	/* DROPBEAR_CLI_PASSWORD_AUTH */
+diff --git a/cli-authpubkey.c b/cli-authpubkey.c
+index 7cee164..7da1a04 100644
+--- a/cli-authpubkey.c
++++ b/cli-authpubkey.c
+@@ -174,6 +174,7 @@ static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign) {
+ 		buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
+ 		cli_buf_put_sign(ses.writepayload, key, type, sigbuf);
+ 		buf_free(sigbuf); /* Nothing confidential in the buffer */
++		cli_ses.is_trivial_auth = 0;
+ 	}
+ 
+ 	encrypt_packet();
+diff --git a/cli-runopts.c b/cli-runopts.c
+index 7d1fffe..6bf8b8e 100644
+--- a/cli-runopts.c
++++ b/cli-runopts.c
+@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+ 	cli_opts.exit_on_fwd_failure = 0;
+ #endif
++	cli_opts.disable_trivial_auth = 0;
+ #if DROPBEAR_CLI_LOCALTCPFWD
+ 	cli_opts.localfwds = list_new();
+ 	opts.listen_fwd_all = 0;
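Review bot: `cli_opts.disable_trivial_auth = 0` makes the new check in recv_msg_userauth_success() opt-in, so after this backport an existing dbclient invocation behaves as before unless the DisableTrivialAuth extended option is set. The OE commit message has no description. State there that the patch adds the option rather than changing the default, so that users tracking CVE-2021-36369 know they have to enable it.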
+@@ -888,6 +889,7 @@ static void add_extendedopt(const char* origstr) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+ 			"\tExitOnForwardFailure\n"
+ #endif
++			"\tDisableTrivialAuth\n"
+ #ifndef DISABLE_SYSLOG
+ 			"\tUseSyslog\n"
+ #endif
+@@ -915,5 +917,10 @@ static void add_extendedopt(const char* origstr) {
+ 		return;
+ 	}
+ 
++	if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
++		cli_opts.disable_trivial_auth = parse_flag_value(optstr);
++		return;
++	}
++
+ 	dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
+ }
+diff --git a/cli-session.c b/cli-session.c
+index 56dd4af..73ef0db 100644
+--- a/cli-session.c
++++ b/cli-session.c
+@@ -164,6 +164,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
+ 	/* Auth */
+ 	cli_ses.lastprivkey = NULL;
+ 	cli_ses.lastauthtype = 0;
++	cli_ses.is_trivial_auth = 1;
+ 
+ 	/* For printing "remote host closed" for the user */
+ 	ses.remoteclosed = cli_remoteclosed;
+diff --git a/runopts.h b/runopts.h
+index 31eae1f..8519626 100644
+--- a/runopts.h
++++ b/runopts.h
+@@ -154,6 +154,7 @@ typedef struct cli_runopts {
+ #if DROPBEAR_CLI_ANYTCPFWD
+ 	int exit_on_fwd_failure;
+ #endif
++	int disable_trivial_auth;
+ #if DROPBEAR_CLI_REMOTETCPFWD
+ 	m_list * remotefwds;
+ #endif
+diff --git a/session.h b/session.h
+index 0f77055..8676054 100644
+--- a/session.h
++++ b/session.h
+@@ -287,6 +287,7 @@ struct clientsession {
+ 
+ 	int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
+ 						 for the last type of auth we tried */
++	int is_trivial_auth;
+ 	int ignore_next_auth_response;
+ #if DROPBEAR_CLI_INTERACT_AUTH
+ 	int auth_interact_failed; /* flag whether interactive auth can still
-- 
2.25.1




* [OE-core][dunfell 07/13] golang: CVE-2022-41715 regexp/syntax: limit memory used by parsing regexps
  2022-12-16 14:57 [OE-core][dunfell 00/13] Patch review Steve Sakoman
                   ` (5 preceding siblings ...)
  2022-12-16 14:57 ` [OE-core][dunfell 06/13] dropbear: fix CVE-2021-36369 Steve Sakoman
@ 2022-12-16 14:57 ` Steve Sakoman
  2022-12-16 14:57 ` [OE-core][dunfell 08/13] python3: Fix CVE-2022-37454 Steve Sakoman
                   ` (5 subsequent siblings)
  12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-12-16 14:57 UTC (permalink / raw)
  To: openembedded-core

From: Hitendra Prajapati <hprajapati@mvista.com>

Upstream-Status: Backport from https://github.com/golang/go/commit/e9017c2416ad0ef642f5e0c2eab2dbf3cba4d997

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/go/go-1.14.inc          |   1 +
 .../go/go-1.14/CVE-2022-41715.patch           | 271 ++++++++++++++++++
 2 files changed, 272 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41715.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index cec37c1b09..b4a137b8c8 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -49,6 +49,7 @@ SRC_URI += "\
     file://CVE-2022-24921.patch \
     file://CVE-2022-28131.patch \
     file://CVE-2022-28327.patch \
+    file://CVE-2022-41715.patch \
 "
 
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41715.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41715.patch
new file mode 100644
index 0000000000..fac0ebe94c
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41715.patch
@@ -0,0 +1,271 @@
+From e9017c2416ad0ef642f5e0c2eab2dbf3cba4d997 Mon Sep 17 00:00:00 2001
+From: Russ Cox <rsc@golang.org>
+Date: Wed, 28 Sep 2022 11:18:51 -0400
+Subject: [PATCH] [release-branch.go1.18] regexp: limit size of parsed regexps
+
+Set a 128 MB limit on the amount of space used by []syntax.Inst
+in the compiled form corresponding to a given regexp.
+
+Also set a 128 MB limit on the rune storage in the *syntax.Regexp
+tree itself.
+
+Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
+
+Fixes CVE-2022-41715.
+Updates #55949.
+Fixes #55950.
+
+Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592136
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/438501
+Run-TryBot: Carlos Amedee <carlos@golang.org>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/e9017c2416ad0ef642f5e0c2eab2dbf3cba4d997]
+CVE: CVE-2022-41715
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+---
+ src/regexp/syntax/parse.go      | 145 ++++++++++++++++++++++++++++++--
+ src/regexp/syntax/parse_test.go |  13 +--
+ 2 files changed, 148 insertions(+), 10 deletions(-)
+
+diff --git a/src/regexp/syntax/parse.go b/src/regexp/syntax/parse.go
+index 55bd20d..60491d5 100644
+--- a/src/regexp/syntax/parse.go
++++ b/src/regexp/syntax/parse.go
+@@ -90,15 +90,49 @@ const (
+ // until we've allocated at least maxHeight Regexp structures.
+ const maxHeight = 1000
+ 
++// maxSize is the maximum size of a compiled regexp in Insts.
++// It too is somewhat arbitrarily chosen, but the idea is to be large enough
++// to allow significant regexps while at the same time small enough that
++// the compiled form will not take up too much memory.
++// 128 MB is enough for a 3.3 million Inst structures, which roughly
++// corresponds to a 3.3 MB regexp.
++const (
++	maxSize  = 128 << 20 / instSize
++	instSize = 5 * 8 // byte, 2 uint32, slice is 5 64-bit words
++)
++
++// maxRunes is the maximum number of runes allowed in a regexp tree
++// counting the runes in all the nodes.
++// Ignoring character classes p.numRunes is always less than the length of the regexp.
++// Character classes can make it much larger: each \pL adds 1292 runes.
++// 128 MB is enough for 32M runes, which is over 26k \pL instances.
++// Note that repetitions do not make copies of the rune slices,
++// so \pL{1000} is only one rune slice, not 1000.
++// We could keep a cache of character classes we've seen,
++// so that all the \pL we see use the same rune list,
++// but that doesn't remove the problem entirely:
++// consider something like [\pL01234][\pL01235][\pL01236]...[\pL^&*()].
++// And because the Rune slice is exposed directly in the Regexp,
++// there is not an opportunity to change the representation to allow
++// partial sharing between different character classes.
++// So the limit is the best we can do.
++const (
++	maxRunes = 128 << 20 / runeSize
++	runeSize = 4 // rune is int32
++)
++
+ type parser struct {
+ 	flags       Flags     // parse mode flags
+ 	stack       []*Regexp // stack of parsed expressions
+ 	free        *Regexp
+ 	numCap      int // number of capturing groups seen
+ 	wholeRegexp string
+-	tmpClass    []rune          // temporary char class work space
+-	numRegexp   int             // number of regexps allocated
+-	height      map[*Regexp]int // regexp height for height limit check
++	tmpClass    []rune            // temporary char class work space
++	numRegexp   int               // number of regexps allocated
++	numRunes    int               // number of runes in char classes
++	repeats     int64             // product of all repetitions seen
++	height      map[*Regexp]int   // regexp height, for height limit check
++	size        map[*Regexp]int64 // regexp compiled size, for size limit check
+ }
+ 
+ func (p *parser) newRegexp(op Op) *Regexp {
+@@ -122,6 +156,104 @@ func (p *parser) reuse(re *Regexp) {
+ 	p.free = re
+ }
+ 
++func (p *parser) checkLimits(re *Regexp) {
++	if p.numRunes > maxRunes {
++		panic(ErrInternalError)
++	}
++	p.checkSize(re)
++	p.checkHeight(re)
++}
++
++func (p *parser) checkSize(re *Regexp) {
++	if p.size == nil {
++		// We haven't started tracking size yet.
++		// Do a relatively cheap check to see if we need to start.
++		// Maintain the product of all the repeats we've seen
++		// and don't track if the total number of regexp nodes
++		// we've seen times the repeat product is in budget.
++		if p.repeats == 0 {
++			p.repeats = 1
++		}
++		if re.Op == OpRepeat {
++			n := re.Max
++			if n == -1 {
++				n = re.Min
++			}
++			if n <= 0 {
++				n = 1
++			}
++			if int64(n) > maxSize/p.repeats {
++				p.repeats = maxSize
++			} else {
++				p.repeats *= int64(n)
++			}
++		}
++		if int64(p.numRegexp) < maxSize/p.repeats {
++			return
++		}
++
++		// We need to start tracking size.
++		// Make the map and belatedly populate it
++		// with info about everything we've constructed so far.
++		p.size = make(map[*Regexp]int64)
++		for _, re := range p.stack {
++			p.checkSize(re)
++		}
++	}
++
++	if p.calcSize(re, true) > maxSize {
++		panic(ErrInternalError)
++	}
++}
++
++func (p *parser) calcSize(re *Regexp, force bool) int64 {
++	if !force {
++		if size, ok := p.size[re]; ok {
++			return size
++		}
++	}
++
++	var size int64
++	switch re.Op {
++	case OpLiteral:
++		size = int64(len(re.Rune))
++	case OpCapture, OpStar:
++		// star can be 1+ or 2+; assume 2 pessimistically
++		size = 2 + p.calcSize(re.Sub[0], false)
++	case OpPlus, OpQuest:
++		size = 1 + p.calcSize(re.Sub[0], false)
++	case OpConcat:
++		for _, sub := range re.Sub {
++			size += p.calcSize(sub, false)
++		}
++	case OpAlternate:
++		for _, sub := range re.Sub {
++			size += p.calcSize(sub, false)
++		}
++		if len(re.Sub) > 1 {
++			size += int64(len(re.Sub)) - 1
++		}
++	case OpRepeat:
++		sub := p.calcSize(re.Sub[0], false)
++		if re.Max == -1 {
++			if re.Min == 0 {
++				size = 2 + sub // x*
++			} else {
++				size = 1 + int64(re.Min)*sub // xxx+
++			}
++			break
++		}
++		// x{2,5} = xx(x(x(x)?)?)?
++		size = int64(re.Max)*sub + int64(re.Max-re.Min)
++	}
++
++	if size < 1 {
++		size = 1
++	}
++	p.size[re] = size
++	return size
++}
++
+ func (p *parser) checkHeight(re *Regexp) {
+ 	if p.numRegexp < maxHeight {
+ 		return
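Review bot: checkLimits() and checkSize() signal an over-limit regexp with `panic(ErrInternalError)`, and no hunk in this patch adds or shows the recover that turns that panic into an error return from the parser entry point. Confirm that the go-1.14 tree already has it. The context shows checkHeight() is present, presumably from an earlier backport. Also confirm that the new invalidRegexps cases fail with an error there rather than a crash. The patch header still carries the `[release-branch.go1.18]` subject, so add a line saying the change was adapted to 1.14.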
+@@ -158,6 +290,7 @@ func (p *parser) calcHeight(re *Regexp, force bool) int {
+ 
+ // push pushes the regexp re onto the parse stack and returns the regexp.
+ func (p *parser) push(re *Regexp) *Regexp {
++	p.numRunes += len(re.Rune)
+ 	if re.Op == OpCharClass && len(re.Rune) == 2 && re.Rune[0] == re.Rune[1] {
+ 		// Single rune.
+ 		if p.maybeConcat(re.Rune[0], p.flags&^FoldCase) {
+@@ -189,7 +322,7 @@ func (p *parser) push(re *Regexp) *Regexp {
+ 	}
+ 
+ 	p.stack = append(p.stack, re)
+-	p.checkHeight(re)
++	p.checkLimits(re)
+ 	return re
+ }
+ 
+@@ -305,7 +438,7 @@ func (p *parser) repeat(op Op, min, max int, before, after, lastRepeat string) (
+ 	re.Sub = re.Sub0[:1]
+ 	re.Sub[0] = sub
+ 	p.stack[n-1] = re
+-	p.checkHeight(re)
++	p.checkLimits(re)
+ 
+ 	if op == OpRepeat && (min >= 2 || max >= 2) && !repeatIsValid(re, 1000) {
+ 		return "", &Error{ErrInvalidRepeatSize, before[:len(before)-len(after)]}
+@@ -509,6 +642,7 @@ func (p *parser) factor(sub []*Regexp) []*Regexp {
+ 
+ 			for j := start; j < i; j++ {
+ 				sub[j] = p.removeLeadingString(sub[j], len(str))
++				p.checkLimits(sub[j])
+ 			}
+ 			suffix := p.collapse(sub[start:i], OpAlternate) // recurse
+ 
+@@ -566,6 +700,7 @@ func (p *parser) factor(sub []*Regexp) []*Regexp {
+ 			for j := start; j < i; j++ {
+ 				reuse := j != start // prefix came from sub[start]
+ 				sub[j] = p.removeLeadingRegexp(sub[j], reuse)
++				p.checkLimits(sub[j])
+ 			}
+ 			suffix := p.collapse(sub[start:i], OpAlternate) // recurse
+ 
+diff --git a/src/regexp/syntax/parse_test.go b/src/regexp/syntax/parse_test.go
+index 1ef6d8a..67e3c56 100644
+--- a/src/regexp/syntax/parse_test.go
++++ b/src/regexp/syntax/parse_test.go
+@@ -484,12 +484,15 @@ var invalidRegexps = []string{
+ 	`(?P<>a)`,
+ 	`[a-Z]`,
+ 	`(?i)[a-Z]`,
+-	`a{100000}`,
+-	`a{100000,}`,
+-	"((((((((((x{2}){2}){2}){2}){2}){2}){2}){2}){2}){2})",
+-	strings.Repeat("(", 1000) + strings.Repeat(")", 1000),
+-	strings.Repeat("(?:", 1000) + strings.Repeat(")*", 1000),
+ 	`\Q\E*`,
++	`a{100000}`,  // too much repetition
++	`a{100000,}`, // too much repetition
++	"((((((((((x{2}){2}){2}){2}){2}){2}){2}){2}){2}){2})",    // too much repetition
++	strings.Repeat("(", 1000) + strings.Repeat(")", 1000),    // too deep
++	strings.Repeat("(?:", 1000) + strings.Repeat(")*", 1000), // too deep
++	"(" + strings.Repeat("(xx?)", 1000) + "){1000}",          // too long
++	strings.Repeat("(xx?){1000}", 1000),                      // too long
++	strings.Repeat(`\pL`, 27000),                             // too many runes
+ }
+ 
+ var onlyPerl = []string{
+-- 
+2.25.1
+
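Review bot: In the parse_test.go hunk, the new trailing comments ("too much repetition", "too deep", "too long", "too many runes") give a distinct failure reason for each pattern, but invalidRegexps is still a plain []string, so nothing visible here checks that a pattern is rejected for the labelled reason rather than for some other parse error. When validating this backport, confirm that the three added patterns (the two "too long" cases and the "too many runes" case) fail through the new checkLimits path and not through the existing repeatIsValid(re, 1000) check, which in repeat() still runs after p.checkLimits(re).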
-- 
2.25.1




* [OE-core][dunfell 08/13] python3: Fix CVE-2022-37454
  2022-12-16 14:57 [OE-core][dunfell 00/13] Patch review Steve Sakoman
                   ` (6 preceding siblings ...)
  2022-12-16 14:57 ` [OE-core][dunfell 07/13] golang: CVE-2022-41715 regexp/syntax: limit memory used by parsing regexps Steve Sakoman
@ 2022-12-16 14:57 ` Steve Sakoman
  2022-12-16 14:57 ` [OE-core][dunfell 09/13] vim: upgrade 9.0.0820 -> 9.0.0947 Steve Sakoman
                   ` (4 subsequent siblings)
  12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-12-16 14:57 UTC (permalink / raw)
  To: openembedded-core

From: Pawan Badganchi <pawan.badganchi@kpit.com>

Add below patch to fix CVE-2022-37454

CVE-2022-37454.patch
Link: https://security-tracker.debian.org/tracker/CVE-2022-37454
Link: https://github.com/python/cpython/commit/948c6794711458fd148a3fa62296cadeeb2ed631

Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
Signed-off-by: pawan <badganchipv@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../python/python3/CVE-2022-37454.patch       | 105 ++++++++++++++++++
 .../recipes-devtools/python/python3_3.8.14.bb |   1 +
 2 files changed, 106 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2022-37454.patch

diff --git a/meta/recipes-devtools/python/python3/CVE-2022-37454.patch b/meta/recipes-devtools/python/python3/CVE-2022-37454.patch
new file mode 100644
index 0000000000..a41cc301e2
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2022-37454.patch
@@ -0,0 +1,105 @@
+From 948c6794711458fd148a3fa62296cadeeb2ed631 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Fri, 28 Oct 2022 03:07:50 -0700
+Subject: [PATCH] [3.8] gh-98517: Fix buffer overflows in _sha3 module
+ (GH-98519) (#98527)
+
+This is a port of the applicable part of XKCP's fix [1] for
+CVE-2022-37454 and avoids the segmentation fault and the infinite
+loop in the test cases published in [2].
+
+[1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
+[2]: https://mouha.be/sha-3-buffer-overflow/
+
+Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
+(cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3)
+
+Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
+
+CVE: CVE-2022-37454
+Upstream-Status: Backport [https://github.com/python/cpython/commit/948c6794711458fd148a3fa62296cadeeb2ed631]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+---
+ Lib/test/test_hashlib.py                          |  9 +++++++++
+ .../2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst |  1 +
+ Modules/_sha3/kcp/KeccakSponge.inc                | 15 ++++++++-------
+ 3 files changed, 18 insertions(+), 7 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
+
+diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
+index 8b53d23ef525..e6cec4e306e5 100644
+--- a/Lib/test/test_hashlib.py
++++ b/Lib/test/test_hashlib.py
+@@ -434,6 +434,15 @@ def test_case_md5_huge(self, size):
+     def test_case_md5_uintmax(self, size):
+         self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3')
+ 
++    @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems')
++    @bigmemtest(size=_4G - 1, memuse=1, dry_run=False)
++    def test_sha3_update_overflow(self, size):
++        """Regression test for gh-98517 CVE-2022-37454."""
++        h = hashlib.sha3_224()
++        h.update(b'\x01')
++        h.update(b'\x01'*0xffff_ffff)
++        self.assertEqual(h.hexdigest(), '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed')
++
+     # use the three examples from Federal Information Processing Standards
+     # Publication 180-1, Secure Hash Standard,  1995 April 17
+     # http://www.itl.nist.gov/div897/pubs/fip180-1.htm
+diff --git a/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
+new file mode 100644
+index 000000000000..2d23a6ad93c7
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
+@@ -0,0 +1 @@
++Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454).
+diff --git a/Modules/_sha3/kcp/KeccakSponge.inc b/Modules/_sha3/kcp/KeccakSponge.inc
+index e10739deafa8..cf92e4db4d36 100644
+--- a/Modules/_sha3/kcp/KeccakSponge.inc
++++ b/Modules/_sha3/kcp/KeccakSponge.inc
+@@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat
+     i = 0;
+     curData = data;
+     while(i < dataByteLen) {
+-        if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) {
++        if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) {
+ #ifdef SnP_FastLoop_Absorb
+             /* processing full blocks first */
+ 
+@@ -199,10 +199,10 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat
+         }
+         else {
+             /* normal lane: using the message queue */
+-
+-            partialBlock = (unsigned int)(dataByteLen - i);
+-            if (partialBlock+instance->byteIOIndex > rateInBytes)
++            if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
+                 partialBlock = rateInBytes-instance->byteIOIndex;
++            else
++                partialBlock = (unsigned int)(dataByteLen - i);
+             #ifdef KeccakReference
+             displayBytes(1, "Block to be absorbed (part)", curData, partialBlock);
+             #endif
+@@ -281,7 +281,7 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte
+     i = 0;
+     curData = data;
+     while(i < dataByteLen) {
+-        if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) {
++        if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) {
+             for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
+                 SnP_Permute(instance->state);
+                 SnP_ExtractBytes(instance->state, curData, 0, rateInBytes);
+@@ -299,9 +299,10 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte
+                 SnP_Permute(instance->state);
+                 instance->byteIOIndex = 0;
+             }
+-            partialBlock = (unsigned int)(dataByteLen - i);
+-            if (partialBlock+instance->byteIOIndex > rateInBytes)
++            if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
+                 partialBlock = rateInBytes-instance->byteIOIndex;
++            else
++                partialBlock = (unsigned int)(dataByteLen - i);
+             i += partialBlock;
+ 
+             SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);
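Review bot: The regression test in the Lib/test/test_hashlib.py part will not run in an ordinary test pass: it is skipped on 32-bit targets by the skipIf on sys.maxsize, and because bigmemtest is given size=_4G - 1 with dry_run=False it is also skipped unless regrtest is run with a memory limit (-M) large enough for a 4 GiB buffer. The KeccakSponge.inc change is therefore effectively untested on most dunfell targets; please say in the commit message how the backport was verified, for example a 64-bit run of test_sha3_update_overflow with a sufficient memory limit. In the two partial-block branches, the new comparison dataByteLen-i > rateInBytes-instance->byteIOIndex also relies on byteIOIndex never exceeding rateInBytes, which is worth keeping in mind when reading the backport.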
diff --git a/meta/recipes-devtools/python/python3_3.8.14.bb b/meta/recipes-devtools/python/python3_3.8.14.bb
index cbf57684ca..960e41aced 100644
--- a/meta/recipes-devtools/python/python3_3.8.14.bb
+++ b/meta/recipes-devtools/python/python3_3.8.14.bb
@@ -35,6 +35,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
            file://makerace.patch \
            file://CVE-2022-45061.patch \
+           file://CVE-2022-37454.patch \
            "
 
 SRC_URI_append_class-native = " \
-- 
2.25.1




* [OE-core][dunfell 09/13] vim: upgrade 9.0.0820 -> 9.0.0947
  2022-12-16 14:57 [OE-core][dunfell 00/13] Patch review Steve Sakoman
                   ` (7 preceding siblings ...)
  2022-12-16 14:57 ` [OE-core][dunfell 08/13] python3: Fix CVE-2022-37454 Steve Sakoman
@ 2022-12-16 14:57 ` Steve Sakoman
  2022-12-16 14:57 ` [OE-core][dunfell 10/13] opkg: Set correct info_dir and status_file in opkg.conf Steve Sakoman
                   ` (3 subsequent siblings)
  12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-12-16 14:57 UTC (permalink / raw)
  To: openembedded-core

From: "Qiu, Zheng" <Zheng.Qiu@windriver.com>

Includes fixes for CVE-2022-4141
https://nvd.nist.gov/vuln/detail/CVE-2022-4141

For a short list of important changes, see:
https://www.arp242.net/vimlog/

Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 160f459febc7fb36cc0fe85c63eb26780ace3bfd)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 262c97bf0f..1e5ef1c811 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -20,8 +20,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
            file://no-path-adjust.patch \
            "
 
-PV .= ".0820"
-SRCREV = "03d6e6f42b0deeb02d52c8a48c14abe431370c1c"
+PV .= ".0947"
+SRCREV = "cc762a48d42b579fb7bdec2c614636b830342dd5"
 
 # Remove when 8.3 is out
 UPSTREAM_VERSION_UNKNOWN = "1"
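Review bot: The context lines right below the version bump still read "# Remove when 8.3 is out" above UPSTREAM_VERSION_UNKNOWN = "1", which no longer matches a recipe being moved from 9.0.0820 to 9.0.0947; the comment should be updated or dropped in a follow-up. The commit message names CVE-2022-4141 as fixed, but the hunk changes only PV and SRCREV, so the commit message is the only record tying this upgrade to that CVE.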
-- 
2.25.1




* [OE-core][dunfell 10/13] opkg: Set correct info_dir and status_file in opkg.conf
  2022-12-16 14:57 [OE-core][dunfell 00/13] Patch review Steve Sakoman
                   ` (8 preceding siblings ...)
  2022-12-16 14:57 ` [OE-core][dunfell 09/13] vim: upgrade 9.0.0820 -> 9.0.0947 Steve Sakoman
@ 2022-12-16 14:57 ` Steve Sakoman
  2022-12-16 14:57 ` [OE-core][dunfell 11/13] classes: make TOOLCHAIN more permissive for kernel Steve Sakoman
                   ` (2 subsequent siblings)
  12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-12-16 14:57 UTC (permalink / raw)
  To: openembedded-core

From: Harald Seiler <hws@denx.de>

Distros can customize the location of OPKG data using OPKGLIBDIR.  In
OE-Core commit 11f1956cf5d7 ("package_manager.py: define info_dir and
status_file when OPKGLIBDIR isn't the default"), a fix was applied to
correctly set the info_dir and status_file options relative to
OPKGLIBDIR.

However, as the commit message notes, the opkg.conf file deployed as
part of the opkg package must also be adjusted to correctly reflect the
changed location.  Otherwise, opkg running inside the image cannot find
its data.

Fix this by also setting the info_dir and status_file options in
opkg.conf to the correct location relative to OPKGLIBDIR.

Fixes: 11f1956cf5d7 ("package_manager.py: define info_dir and status_file when OPKGLIBDIR isn't the default")
Signed-off-by: Harald Seiler <hws@denx.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit adb939ae3635de6e02208859fbf29cf0ed39f565)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/opkg/opkg_0.4.2.bb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/opkg/opkg_0.4.2.bb b/meta/recipes-devtools/opkg/opkg_0.4.2.bb
index a813f7258b..55be6547c0 100644
--- a/meta/recipes-devtools/opkg/opkg_0.4.2.bb
+++ b/meta/recipes-devtools/opkg/opkg_0.4.2.bb
@@ -50,7 +50,9 @@ EXTRA_OECONF_class-native = "--localstatedir=/${@os.path.relpath('${localstatedi
 do_install_append () {
 	install -d ${D}${sysconfdir}/opkg
 	install -m 0644 ${WORKDIR}/opkg.conf ${D}${sysconfdir}/opkg/opkg.conf
-	echo "option lists_dir ${OPKGLIBDIR}/opkg/lists" >>${D}${sysconfdir}/opkg/opkg.conf
+	echo "option lists_dir   ${OPKGLIBDIR}/opkg/lists"  >>${D}${sysconfdir}/opkg/opkg.conf
+	echo "option info_dir    ${OPKGLIBDIR}/opkg/info"   >>${D}${sysconfdir}/opkg/opkg.conf
+	echo "option status_file ${OPKGLIBDIR}/opkg/status" >>${D}${sysconfdir}/opkg/opkg.conf
 
 	# We need to create the lock directory
 	install -d ${D}${OPKGLIBDIR}/opkg
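Review bot: The three echo lines in do_install_append pad the option name with extra spaces inside the quoted string (for example "option info_dir    ${OPKGLIBDIR}/opkg/info"), so the alignment padding is written into the installed opkg.conf and not just into the recipe; single spaces would keep the generated line in the same form as the lists_dir line it replaces. The new options are also appended unconditionally, while the commit named in Fixes: is described as defining them "when OPKGLIBDIR isn't the default"; a sentence in the commit message saying that writing them in the default case is intentional would settle the question.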
-- 
2.25.1




* [OE-core][dunfell 11/13] classes: make TOOLCHAIN more permissive for kernel
  2022-12-16 14:57 [OE-core][dunfell 00/13] Patch review Steve Sakoman
                   ` (9 preceding siblings ...)
  2022-12-16 14:57 ` [OE-core][dunfell 10/13] opkg: Set correct info_dir and status_file in opkg.conf Steve Sakoman
@ 2022-12-16 14:57 ` Steve Sakoman
  2022-12-16 14:57 ` [OE-core][dunfell 12/13] psplash: consider the situation of psplash not exist for systemd Steve Sakoman
  2022-12-16 14:57 ` [OE-core][dunfell 13/13] oeqa/selftest/tinfoil: Add test for separate config_data with recipe_parse_file() Steve Sakoman
  12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-12-16 14:57 UTC (permalink / raw)
  To: openembedded-core

From: Alexey Smirnov <pyih.soft@gmail.com>

Currently TOOLCHAIN is strictly set to gcc in kernel-arch.bbclass.
And this prevents any TOOLCHAIN changes for any kernel recipe.
This change makes TOOLCHAIN configurable as usual.

Signed-off-by: Alexey Smirnov <pyih.soft@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit be1634fc35dcc81f0301d942064a6eed584e0704)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/kernel-arch.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/kernel-arch.bbclass b/meta/classes/kernel-arch.bbclass
index 348a3adf22..4cd08b96fb 100644
--- a/meta/classes/kernel-arch.bbclass
+++ b/meta/classes/kernel-arch.bbclass
@@ -64,5 +64,5 @@ HOST_AR_KERNEL_ARCH ?= "${TARGET_AR_KERNEL_ARCH}"
 KERNEL_CC = "${CCACHE}${HOST_PREFIX}gcc ${HOST_CC_KERNEL_ARCH} -fuse-ld=bfd ${DEBUG_PREFIX_MAP} -fdebug-prefix-map=${STAGING_KERNEL_DIR}=${KERNEL_SRC_PATH} -fdebug-prefix-map=${STAGING_KERNEL_BUILDDIR}=${KERNEL_SRC_PATH}"
 KERNEL_LD = "${CCACHE}${HOST_PREFIX}ld.bfd ${HOST_LD_KERNEL_ARCH}"
 KERNEL_AR = "${CCACHE}${HOST_PREFIX}ar ${HOST_AR_KERNEL_ARCH}"
-TOOLCHAIN = "gcc"
+TOOLCHAIN ?= "gcc"
 
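Review bot: Changing the last assignment to TOOLCHAIN ?= "gcc" only relaxes the variable; the KERNEL_CC and KERNEL_LD lines just above it still hard-code ${HOST_PREFIX}gcc and ${HOST_PREFIX}ld.bfd, so a different TOOLCHAIN value does not by itself change the compiler or linker used for the kernel. With the weak assignment, a TOOLCHAIN value already set in distro or local configuration now also applies to every recipe inheriting this class, where it was previously forced back to gcc; for a stable-branch backport the commit message should state that behaviour change.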
-- 
2.25.1




* [OE-core][dunfell 12/13] psplash: consider the situation of psplash not exist for systemd
  2022-12-16 14:57 [OE-core][dunfell 00/13] Patch review Steve Sakoman
                   ` (10 preceding siblings ...)
  2022-12-16 14:57 ` [OE-core][dunfell 11/13] classes: make TOOLCHAIN more permissive for kernel Steve Sakoman
@ 2022-12-16 14:57 ` Steve Sakoman
  2022-12-16 14:57 ` [OE-core][dunfell 13/13] oeqa/selftest/tinfoil: Add test for separate config_data with recipe_parse_file() Steve Sakoman
  12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-12-16 14:57 UTC (permalink / raw)
  To: openembedded-core

From: Chen Qi <Qi.Chen@windriver.com>

In current psplash framework, the psplash might not exist at all.
For example, in case DISTRO is set to nodistro, the psplash does
not exist.

In our psplash recipe, we have:
SPLASH_IMAGES = "file://psplash-poky-img.h;outsuffix=default"
This variable is parsed so that, if psplash-poky-img.h exists, a package
named psplash-default is created and is added to RDEPENDS:${PN}.

We can see that the psplash-poky-img.h resides in meta-poky,
and in psplash_git.bbappend file in meta-poky, we have:
FILESEXTRAPATHS:prepend:poky := "${THISDIR}/files:"
So this file is only available in case poky distro is used.

To fix this issue, add condition check in the corresponding systemd
services.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 7a62ff9ed39c179d2b9b0c40f4f8423ced413063)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/psplash/files/psplash-start.service   | 1 +
 meta/recipes-core/psplash/files/psplash-systemd.service | 1 +
 2 files changed, 2 insertions(+)

diff --git a/meta/recipes-core/psplash/files/psplash-start.service b/meta/recipes-core/psplash/files/psplash-start.service
index 36c2bb38e0..bec9368427 100644
--- a/meta/recipes-core/psplash/files/psplash-start.service
+++ b/meta/recipes-core/psplash/files/psplash-start.service
@@ -2,6 +2,7 @@
 Description=Start psplash boot splash screen
 DefaultDependencies=no
 RequiresMountsFor=/run
+ConditionFileIsExecutable=/usr/bin/psplash
 
 [Service]
 Type=notify
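Review bot: ConditionFileIsExecutable=/usr/bin/psplash hard-codes the install path in the [Unit] section, so on a build where psplash is installed under a different bindir the condition fails and the unit is skipped without an error; either substitute the path at install time or state in the commit message that /usr/bin is assumed.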
diff --git a/meta/recipes-core/psplash/files/psplash-systemd.service b/meta/recipes-core/psplash/files/psplash-systemd.service
index 082207f232..e93e3deb35 100644
--- a/meta/recipes-core/psplash/files/psplash-systemd.service
+++ b/meta/recipes-core/psplash/files/psplash-systemd.service
@@ -4,6 +4,7 @@ DefaultDependencies=no
 After=psplash-start.service
 Requires=psplash-start.service
 RequiresMountsFor=/run
+ConditionFileIsExecutable=/usr/bin/psplash
 
 [Service]
 ExecStart=/usr/bin/psplash-systemd
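Review bot: The condition added here tests /usr/bin/psplash, while the ExecStart line below it runs /usr/bin/psplash-systemd, and the unit already has Requires=psplash-start.service; a comment line in the unit saying why the condition is repeated here, and why it tests psplash rather than the binary this unit executes, would keep the next reader from taking it for a copy-paste slip.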
-- 
2.25.1




* [OE-core][dunfell 13/13] oeqa/selftest/tinfoil: Add test for separate config_data with recipe_parse_file()
  2022-12-16 14:57 [OE-core][dunfell 00/13] Patch review Steve Sakoman
                   ` (11 preceding siblings ...)
  2022-12-16 14:57 ` [OE-core][dunfell 12/13] psplash: consider the situation of psplash not exist for systemd Steve Sakoman
@ 2022-12-16 14:57 ` Steve Sakoman
  12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-12-16 14:57 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

We've seen two different regressions in this API since it is used by
layer-index but not by the core code. Add a test for it to try and
ensure we don't break it again.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit b07de5de43ec9c9a2c5d496a64940ccdc5b47cf8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oeqa/selftest/cases/tinfoil.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/meta/lib/oeqa/selftest/cases/tinfoil.py b/meta/lib/oeqa/selftest/cases/tinfoil.py
index 686ce7e6b9..6668d7cdc8 100644
--- a/meta/lib/oeqa/selftest/cases/tinfoil.py
+++ b/meta/lib/oeqa/selftest/cases/tinfoil.py
@@ -65,6 +65,20 @@ class TinfoilTests(OESelftestTestCase):
             localdata.setVar('PN', 'hello')
             self.assertEqual('hello', localdata.getVar('BPN'))
 
+    # The config_data API tp parse_recipe_file is used by:
+    # layerindex-web layerindex/update_layer.py
+    def test_parse_recipe_custom_data(self):
+        with bb.tinfoil.Tinfoil() as tinfoil:
+            tinfoil.prepare(config_only=False, quiet=2)
+            localdata = bb.data.createCopy(tinfoil.config_data)
+            localdata.setVar("TESTVAR", "testval")
+            testrecipe = 'mdadm'
+            best = tinfoil.find_best_provider(testrecipe)
+            if not best:
+                self.fail('Unable to find recipe providing %s' % testrecipe)
+            rd = tinfoil.parse_recipe_file(best[3], config_data=localdata)
+            self.assertEqual("testval", rd.getVar('TESTVAR'))
+
     def test_list_recipes(self):
         with bb.tinfoil.Tinfoil() as tinfoil:
             tinfoil.prepare(config_only=False, quiet=2)
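Review bot: The new comment above test_parse_recipe_custom_data has a typo ("API tp parse_recipe_file"), and the commit subject calls the function recipe_parse_file() while the test calls tinfoil.parse_recipe_file(...); the subject and the comment should use the name the code uses. The test also depends on a provider for the hard-coded recipe 'mdadm' being present in the test configuration; the self.fail message covers the missing-provider case, but a short comment on why mdadm was chosen would help.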
-- 
2.25.1




* [OE-core][dunfell 00/13] Patch review
@ 2023-07-18 16:00 Steve Sakoman
  0 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2023-07-18 16:00 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for dunfell and have comments back by
end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5614

The following changes since commit b3fc8ef9aba822b3d485242c8ebd0e0bff0ebfc8:

  cve-update-nvd2-native: actually use API keys (2023-07-13 06:54:58 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (2):
  linux-firmware: upgrade 20230404 -> 20230515
  wireless-regdb: upgrade 2023.02.13 -> 2023.05.03

Anthony Bagwell (1):
  kernel-fitimage: fix dtbo support for fit images

Ashish Sharma (1):
  go: Fix CVE-2023-29400

Deepthi Hemraj (1):
  glibc: stable 2.31 branch updates.

Nikhil R (1):
  libpng: Add ptest for libpng

Poonam Jadhav (1):
  libx11: Fix CVE-2023-3138 for dunfell branch

Priyal Doshi (1):
  tzdata: upgrade to 2023c

Tom Hochstein (1):
  cmake: Fix CMAKE_SYSTEM_PROCESSOR setting for SDK

Trevor Gamblin (1):
  vim: upgrade 9.0.1527 -> 9.0.1592

Vijay Anusuri (1):
  qemu: backport Debian patch to fix CVE-2023-0330

Vivek Kumbhar (2):
  curl: fix CVE-2023-28320 siglongjmp race condition may lead to crash
  python3: fix CVE-2023-24329 urllib.parse url blocklisting bypass

 meta/classes/kernel-fitimage.bbclass          |   2 +-
 .../distro/include/ptest-packagelists.inc     |   1 +
 meta/recipes-core/glibc/glibc-version.inc     |   2 +-
 .../cmake/cmake/OEToolchainConfig.cmake       |   5 +-
 meta/recipes-devtools/go/go-1.14.inc          |   1 +
 .../go/go-1.14/CVE-2023-29400.patch           |  94 +++++++++
 .../python/python3/CVE-2023-24329.patch       |  80 +++++++
 .../recipes-devtools/python/python3_3.8.17.bb |   1 +
 meta/recipes-devtools/qemu/qemu.inc           |   1 +
 .../qemu/qemu/CVE-2023-0330.patch             |  77 +++++++
 meta/recipes-extended/timezone/timezone.inc   |   6 +-
 .../xorg-lib/libx11/CVE-2023-3138.patch       | 111 ++++++++++
 .../recipes-graphics/xorg-lib/libx11_1.6.9.bb |   1 +
 ...20230404.bb => linux-firmware_20230515.bb} |   4 +-
 ....02.13.bb => wireless-regdb_2023.05.03.bb} |   2 +-
 .../recipes-multimedia/libpng/files/run-ptest |  29 +++
 .../libpng/libpng_1.6.37.bb                   |  15 +-
 .../curl/curl/CVE-2023-28320-fol1.patch       | 197 ++++++++++++++++++
 .../curl/curl/CVE-2023-28320.patch            |  86 ++++++++
 meta/recipes-support/curl/curl_7.69.1.bb      |   2 +
 meta/recipes-support/vim/vim.inc              |   4 +-
 21 files changed, 705 insertions(+), 16 deletions(-)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2023-24329.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230404.bb => linux-firmware_20230515.bb} (99%)
 rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2023.02.13.bb => wireless-regdb_2023.05.03.bb} (94%)
 create mode 100644 meta/recipes-multimedia/libpng/files/run-ptest
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28320.patch

-- 
2.34.1




* [OE-core][dunfell 00/13] Patch review
@ 2023-09-30 19:39 Steve Sakoman
  0 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2023-09-30 19:39 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for dunfell and have comments back by
end of day Tuesday, October 3

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5966

The following changes since commit a9d194f21a3bdebca8aaff204804a5fdc67c76d1:

  vim: Upgrade 9.0.1664 -> 9.0.1894 (2023-09-25 07:03:13 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (1):
  nasm: update 2.15.03 -> 2.15.05

Archana Polampalli (1):
  nasm: fix CVE-2022-44370

Ashish Sharma (1):
  mdadm: Backport fix for CVE-2023-28736

Bruce Ashfield (4):
  linux-yocto/5.4: update to v5.4.252
  linux-yocto/5.4: update to v5.4.254
  linux-yocto/5.4: update to v5.4.256
  linux-yocto/5.4: update to v5.4.257

Colin McAllister (1):
  libwebp: Fix CVE-2023-5129

Lee Chee Yang (3):
  libxpm: fix CVE-2022-46285
  qemu: fix CVE-2020-24165
  python3: update to 3.8.18

Siddharth Doshi (1):
  go: Fix CVE-2023-39318 and CVE-2023-39319

Vijay Anusuri (1):
  ghostscript: fix CVE-2023-36664

 meta/recipes-devtools/go/go-1.14.inc          |   2 +
 .../go/go-1.14/CVE-2023-39318.patch           | 238 ++++++++++++
 .../go/go-1.14/CVE-2023-39319.patch           | 230 +++++++++++
 .../0002-Add-debug-prefix-map-option.patch    |  42 +-
 .../nasm/nasm/CVE-2022-44370.patch            | 104 +++++
 .../nasm/{nasm_2.15.03.bb => nasm_2.15.05.bb} |   5 +-
 .../{python3_3.8.17.bb => python3_3.8.18.bb}  |   4 +-
 meta/recipes-devtools/qemu/qemu.inc           |   1 +
 .../qemu/qemu/CVE-2020-24165.patch            |  94 +++++
 .../ghostscript/CVE-2023-36664-1.patch        | 145 +++++++
 .../ghostscript/CVE-2023-36664-2.patch        |  60 +++
 .../ghostscript/CVE-2023-36664-pre1.patch     |  62 +++
 .../ghostscript/ghostscript_9.52.bb           |   3 +
 .../mdadm/files/CVE-2023-28736.patch          |  77 ++++
 meta/recipes-extended/mdadm/mdadm_4.1.bb      |   1 +
 .../xorg-lib/libxpm/CVE-2022-46285.patch      |  40 ++
 .../xorg-lib/libxpm_3.5.13.bb                 |   2 +
 .../linux/linux-yocto-rt_5.4.bb               |   6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  |  22 +-
 .../webp/files/CVE-2023-5129.patch            | 364 ++++++++++++++++++
 meta/recipes-multimedia/webp/libwebp_1.1.0.bb |   1 +
 22 files changed, 1467 insertions(+), 44 deletions(-)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-39319.patch
 create mode 100644 meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch
 rename meta/recipes-devtools/nasm/{nasm_2.15.03.bb => nasm_2.15.05.bb} (80%)
 rename meta/recipes-devtools/python/{python3_3.8.17.bb => python3_3.8.18.bb} (99%)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch
 create mode 100644 meta/recipes-extended/mdadm/files/CVE-2023-28736.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-5129.patch

-- 
2.34.1




* [OE-core][dunfell 00/13] Patch review
@ 2023-11-28 22:52 Steve Sakoman
  0 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2023-11-28 22:52 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for dunfell and have comments back by
end of day Thursday, November 30

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6252

The following changes since commit ff7dbcc0206203e2ece68ca91a37050a4bc822a2:

  selftest: skip virgl test on all fedora (2023-11-14 06:35:38 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Archana Polampalli (1):
  vim: Upgrade 9.0.2048 -> 9.0.2068

Etienne Cordonnier (1):
  vim: update obsolete comment

Hitendra Prajapati (1):
  grub: fix CVE-2023-4692 & CVE-2023-4693

Lee Chee Yang (3):
  wayland: fix CVE-2021-3782
  python3-setuptools: fix CVE-2022-40897
  curl: fix CVE-2023-28321 CVE-2023-28322

Richard Purdie (1):
  vim: Improve locale handling

Steve Sakoman (1):
  vim: use upstream generated .po files

Vijay Anusuri (5):
  libx11: Fix for CVE-2023-43785 CVE-2023-43786 and CVE-2023-43787
  shadow: backport patch to fix CVE-2023-29383
  bind: Backport fix for CVE-2023-3341
  avahi: backport Debian patches to fix multiple CVE's
  tiff: backport Debian patch to fix CVE-2022-40090

 .../grub/files/CVE-2023-4692.patch            |  97 ++++
 .../grub/files/CVE-2023-4693.patch            |  62 ++
 meta/recipes-bsp/grub/grub2.inc               |   2 +
 meta/recipes-connectivity/avahi/avahi.inc     |   9 +
 .../avahi/files/CVE-2023-1981.patch           |  60 ++
 .../avahi/files/CVE-2023-38469-1.patch        |  48 ++
 .../avahi/files/CVE-2023-38469-2.patch        |  65 +++
 .../avahi/files/CVE-2023-38470-1.patch        |  57 ++
 .../avahi/files/CVE-2023-38470-2.patch        |  53 ++
 .../avahi/files/CVE-2023-38471-1.patch        |  73 +++
 .../avahi/files/CVE-2023-38471-2.patch        |  52 ++
 .../avahi/files/CVE-2023-38472.patch          |  45 ++
 .../avahi/files/CVE-2023-38473.patch          | 109 ++++
 .../bind/bind/CVE-2023-3341.patch             | 175 ++++++
 .../recipes-connectivity/bind/bind_9.11.37.bb |   1 +
 .../python/python-setuptools.inc              |   2 +
 .../python3-setuptools/CVE-2022-40897.patch   |  29 +
 .../files/0001-Overhaul-valid_field.patch     |  66 +++
 .../shadow/files/CVE-2023-29383.patch         |  54 ++
 meta/recipes-extended/shadow/shadow.inc       |   2 +
 .../wayland/wayland/CVE-2021-3782.patch       | 111 ++++
 .../wayland/wayland_1.18.0.bb                 |   1 +
 .../xorg-lib/libx11/CVE-2023-43785.patch      |  63 ++
 .../xorg-lib/libx11/CVE-2023-43786-1.patch    |  42 ++
 .../xorg-lib/libx11/CVE-2023-43786-2.patch    |  46 ++
 .../xorg-lib/libx11/CVE-2023-43787-1.patch    |  52 ++
 .../xorg-lib/libx11/CVE-2023-43787-2.patch    |  64 ++
 .../recipes-graphics/xorg-lib/libx11_1.6.9.bb |   5 +
 .../libtiff/files/CVE-2022-40090.patch        | 548 ++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.1.0.bb |   1 +
 .../curl/curl/CVE-2023-28321.patch            | 272 +++++++++
 .../curl/curl/CVE-2023-28322.patch            | 380 ++++++++++++
 meta/recipes-support/curl/curl_7.69.1.bb      |   2 +
 meta/recipes-support/vim/vim.inc              |  25 +-
 34 files changed, 2658 insertions(+), 15 deletions(-)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2023-4692.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2023-4693.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch
 create mode 100644 meta/recipes-devtools/python/python3-setuptools/CVE-2022-40897.patch
 create mode 100644 meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
 create mode 100644 meta/recipes-extended/shadow/files/CVE-2023-29383.patch
 create mode 100644 meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-40090.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28321.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28322.patch

-- 
2.34.1


