* [OE-core][dunfell 00/14] Patch review
@ 2020-10-09 14:18 Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2020-10-09 14:18 UTC (permalink / raw)
To: openembedded-core
Please review this next set of patches for dunfell and have comments back
by end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1464
The following changes since commit 552739383321bd9b4780bd0026d6107ece530522:
perl: fix ptest test count (2020-10-05 04:29:40 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Bruce Ashfield (4):
linux-yocto/5.4: fix kprobes build warning
linux-yocto/5.4: update to v5.4.67
linux-yocto/5.4: update to v5.4.68
linux-yocto/5.4: update to v5.4.69
Joshua Watt (1):
classes/sanity: Bump minimum python version to 3.5
Marek Vasut (4):
lttng-modules: update to 2.11.6
lttng-tools: update to 2.11.5
lttng-ust: update to 2.11.1
stress-ng: Upgrade 0.11.01 -> 0.11.17
Richard Purdie (2):
glibc: do_stash_locale must not delete files from ${D}
libtools-cross/shadow-sysroot: Use nopackages inherit
Steve Sakoman (1):
Revert "lttng-modules: backport writeback.h changes from 2.12.x to fix
kernel 5.4.62+"
Victor Kamensky (2):
qemu: add 34Kf-64tlb fictitious cpu type
qemumips: use 34Kf-64tlb CPU emulation
meta/classes/sanity.bbclass | 4 +-
meta/conf/machine/qemumips.conf | 2 +-
meta/recipes-core/glibc/glibc-package.inc | 1 -
.../libtool/libtool-cross_2.4.6.bb | 2 +
meta/recipes-devtools/qemu/qemu.inc | 1 +
...tlb-fictitious-cpu-type-like-34Kf-bu.patch | 118 ++++++++++++++++
.../shadow/shadow-sysroot_4.6.bb | 2 +
...ownership-when-installing-example-jo.patch | 2 +-
...ess-ng_0.11.01.bb => stress-ng_0.11.17.bb} | 4 +-
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +--
...ckport-writeback.h-changes-from-2.12.patch | 128 ------------------
...ules_2.11.2.bb => lttng-modules_2.11.6.bb} | 11 +-
...-tools_2.11.2.bb => lttng-tools_2.11.5.bb} | 4 +-
...ttng-ust_2.11.1.bb => lttng-ust_2.11.2.bb} | 4 +-
16 files changed, 156 insertions(+), 163 deletions(-)
create mode 100644 meta/recipes-devtools/qemu/qemu/0001-mips-add-34Kf-64tlb-fictitious-cpu-type-like-34Kf-bu.patch
rename meta/recipes-extended/stress-ng/{stress-ng_0.11.01.bb => stress-ng_0.11.17.bb} (83%)
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-lttng-modules-backport-writeback.h-changes-from-2.12.patch
rename meta/recipes-kernel/lttng/{lttng-modules_2.11.2.bb => lttng-modules_2.11.6.bb} (81%)
rename meta/recipes-kernel/lttng/{lttng-tools_2.11.2.bb => lttng-tools_2.11.5.bb} (98%)
rename meta/recipes-kernel/lttng/{lttng-ust_2.11.1.bb => lttng-ust_2.11.2.bb} (93%)
--
2.17.1
* [OE-core][dunfell 00/14] Patch review
@ 2020-10-22 15:51 Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2020-10-22 15:51 UTC (permalink / raw)
To: openembedded-core
Please review this next set of patches for dunfell and have comments back
by end of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1501
The following changes since commit 3ee9590f96cb50e93864db768b254773e2ff9465:
uninative: Fix typo in error message (2020-10-19 04:27:15 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alexander Kanavin (1):
selftest/virgl: drop the custom 30 sec timeout
Changqing Li (1):
toolchain-shar-extract.sh: don't print useless info
Khem Raj (1):
packagegroup-core-tools-debug: Disable for rv32/glibc as well
Lee Chee Yang (3):
libproxy: fix CVE-2020-25219
python3: fix CVE-2020-26116
grub2: fix CVE-2020-10713
Martin Jansa (7):
arch-armv7a.inc: fix typo
arch-mips.inc: remove duplicated mips64el-o32 from
PACKAGE_EXTRA_ARCHS_tune-mips64el-o32
tune-mips64r6.inc: fix typo in mipsisa64r6-nf
tune-ep9312.inc: add t suffix for thumb to
PACKAGE_EXTRA_ARCHS_tune-ep9312
tune-riscv.inc: use nf suffix also for TUNE_PKGARCH
siteinfo: Recognize 32bit PPC LE
siteinfo: Recognize bigendian sh3be and sh4be
Victor Kamensky (1):
qemu: change TLBs number to 64 in 34Kf mips cpu model
meta-selftest/lib/oeqa/runtime/cases/virgl.py | 2 +-
meta/classes/siteinfo.bbclass | 5 +
meta/conf/machine/include/arm/arch-armv7a.inc | 2 +-
meta/conf/machine/include/mips/arch-mips.inc | 2 +-
.../conf/machine/include/riscv/tune-riscv.inc | 4 +-
meta/conf/machine/include/tune-ep9312.inc | 3 +-
meta/conf/machine/include/tune-mips64r6.inc | 2 +-
meta/files/toolchain-shar-extract.sh | 2 +-
.../grub/files/CVE-2020-10713.patch | 73 ++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
.../packagegroup-core-tools-debug.bb | 2 +-
.../python/python3/CVE-2020-26116.patch | 104 ++++++++++++++++++
meta/recipes-devtools/python/python3_3.8.2.bb | 1 +
meta/recipes-devtools/qemu/qemu.inc | 1 +
...ease-number-of-TLB-entries-on-the-34.patch | 59 ++++++++++
.../libproxy/libproxy/CVE-2020-25219.patch | 61 ++++++++++
.../libproxy/libproxy_0.4.15.bb | 1 +
17 files changed, 315 insertions(+), 10 deletions(-)
create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-10713.patch
create mode 100644 meta/recipes-devtools/python/python3/CVE-2020-26116.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch
create mode 100644 meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch
--
2.17.1
* [OE-core][dunfell 00/14] Patch review
@ 2021-06-28 15:05 Steve Sakoman
2021-06-29 0:13 ` [dunfell " Minjae Kim
0 siblings, 1 reply; 30+ messages in thread
From: Steve Sakoman @ 2021-06-28 15:05 UTC (permalink / raw)
To: openembedded-core
Please review this next set of patches for dunfell and have comments back by
end of day Wednesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2291
The following changes since commit ac8181d9b9ad8360f7dba03aba8b00f008c6ebb4:
Revert "python3: fix CVE-2021-23336" (2021-06-19 13:11:58 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Jasper Orschulko (3):
expat: fix CVE-2013-0340
libxml2: Fix CVE-2021-3518
libx11: Fix CVE-2021-31535
Michael Halstead (1):
uninative: Upgrade to 3.2 (gcc11 support)
Tim Orling (10):
python3: upgrade 3.8.2 -> 3.8.3
python3: upgrade 3.8.3 -> 3.8.4
python3: upgrade 3.8.4 -> 3.8.5
python3: upgrade 3.8.5 -> 3.8.6
python3: upgrade 3.8.6 -> 3.8.7
python3: upgrade 3.8.7 -> 3.8.8
powertop: fix aclocal error too many loops
python3: upgrade 3.8.8 -> 3.8.9
python3: upgrade 3.8.9 -> 3.8.10
python3-ptest: add newly discovered missing rdeps
meta/conf/distro/include/yocto-uninative.inc | 8 +-
.../expat/expat/CVE-2013-0340.patch | 1758 +++++++++++++++++
.../expat/expat/libtool-tag.patch | 41 +-
meta/recipes-core/expat/expat_2.2.9.bb | 12 +-
.../libxml/libxml2/CVE-2021-3518.patch | 112 ++
meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 +
...20-8492-Fix-AbstractBasicAuthHandler.patch | 248 ---
...le.py-correct-the-test-output-format.patch | 24 +-
.../python/python3/CVE-2019-20907.patch | 44 -
.../python/python3/CVE-2020-14422.patch | 77 -
.../python/python3/CVE-2020-26116.patch | 104 -
.../python/python3/CVE-2020-27619.patch | 70 -
.../python/python3/CVE-2021-3177.patch | 191 --
.../{python3_3.8.2.bb => python3_3.8.10.bb} | 19 +-
.../xorg-lib/libx11/CVE-2021-31535.patch | 333 ++++
.../recipes-graphics/xorg-lib/libx11_1.6.9.bb | 1 +
...2-configure.ac-ax_add_fortify_source.patch | 70 +
...003-configure-Use-AX_REQUIRE_DEFINED.patch | 29 +
meta/recipes-kernel/powertop/powertop_2.10.bb | 8 +-
19 files changed, 2357 insertions(+), 793 deletions(-)
create mode 100644 meta/recipes-core/expat/expat/CVE-2013-0340.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
delete mode 100644 meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2019-20907.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2020-14422.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2020-26116.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2020-27619.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2021-3177.patch
rename meta/recipes-devtools/python/{python3_3.8.2.bb => python3_3.8.10.bb} (95%)
create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch
create mode 100644 meta/recipes-kernel/powertop/powertop/0002-configure.ac-ax_add_fortify_source.patch
create mode 100644 meta/recipes-kernel/powertop/powertop/0003-configure-Use-AX_REQUIRE_DEFINED.patch
--
2.25.1
* Re: [OE-core] [dunfell 00/14] Patch review
2021-06-29 0:13 ` [dunfell " Minjae Kim
@ 2021-06-29 14:09 ` Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2021-06-29 14:09 UTC (permalink / raw)
To: Minjae Kim; +Cc: Patches and discussions about the oe-core layer
On Mon, Jun 28, 2021 at 2:13 PM Minjae Kim <flowergom@gmail.com> wrote:
> How about this patch? I already tested on qemux86-64.
> https://lists.openembedded.org/g/openembedded-core/message/153284
> Do I need more testing?
It will be in the next set of patches. I haven't seen any issues on
the autobuilder.
Steve
* [OE-core][dunfell 00/14] Patch review
@ 2021-11-11 4:08 Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2021-11-11 4:08 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Friday.
The following changes since commit 38fc0807eea14dc12610da4ba73c082d5a4b0744:
meta/scripts: Manual git url branch additions (2021-11-03 08:43:53 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Jose Quaresma (1):
sstate: another fix for touching files inside pseudo
Joshua Watt (1):
oeqa: reproducible: Fix test not producing diffs
Khem Raj (1):
webkitgtk: Fix reproducibility in minibrowser
Marek Vasut (1):
piglit: upgrade to latest revision
Mark Hatle (1):
reproducible_build: Remove BUILD_REPRODUCIBLE_BINARIES checking
Mingli Yu (1):
python3-magic: add the missing rdepends
Richard Purdie (6):
linunistring: Add missing gperf-native dependency
pseudo: Add in ability to flush database with shutdown request
pseudo: Add fcntl64 wrapper
mirrors: Add uninative mirror on kernel.org
sstate: Ensure SDE is accounted for in package task timestamps
sstate: Avoid deploy_source_date_epoch sstate when unneeded
Steve Sakoman (2):
python3-magic: add missing DEPENDS
selftest/reproducible: add webkitgtk back to exclusion list for
dunfell
meta/classes/mirrors.bbclass | 1 +
meta/classes/reproducible_build.bbclass | 53 ++++++++++++-------
meta/classes/sstate.bbclass | 34 +++++++++---
.../oeqa/selftest/cases/diffoscope/A/file.txt | 1 +
.../oeqa/selftest/cases/diffoscope/B/file.txt | 1 +
meta/lib/oeqa/selftest/cases/reproducible.py | 29 +++++++++-
meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
.../python/python3-magic_0.4.15.bb | 7 ++-
...ssing-include-for-htobe32-definition.patch | 27 ++++++++++
...file.py-make-test-lists-reproducible.patch | 31 +++++++++++
...gen_tcs-tes_input_tests.py-do-not-ha.patch | 44 +++++++++++++++
...lizer.py-make-.gz-files-reproducible.patch | 30 +++++++++++
...sort-the-file-list-before-working-on.patch | 28 ++++++++++
...t-shader.c-do-not-hardcode-build-pat.patch | 30 +++++++++++
meta/recipes-graphics/piglit/piglit_git.bb | 12 ++++-
.../0001-MiniBrowser-Fix-reproduciblity.patch | 31 +++++++++++
meta/recipes-sato/webkit/webkitgtk_2.28.4.bb | 1 +
.../libunistring/libunistring_0.9.10.bb | 1 +
18 files changed, 333 insertions(+), 30 deletions(-)
create mode 100644 meta/lib/oeqa/selftest/cases/diffoscope/A/file.txt
create mode 100644 meta/lib/oeqa/selftest/cases/diffoscope/B/file.txt
create mode 100644 meta/recipes-graphics/piglit/piglit/0001-Add-a-missing-include-for-htobe32-definition.patch
create mode 100644 meta/recipes-graphics/piglit/piglit/0001-framework-profile.py-make-test-lists-reproducible.patch
create mode 100644 meta/recipes-graphics/piglit/piglit/0001-generated_tests-gen_tcs-tes_input_tests.py-do-not-ha.patch
create mode 100644 meta/recipes-graphics/piglit/piglit/0001-serializer.py-make-.gz-files-reproducible.patch
create mode 100644 meta/recipes-graphics/piglit/piglit/0001-tests-shader.py-sort-the-file-list-before-working-on.patch
create mode 100644 meta/recipes-graphics/piglit/piglit/0002-tests-util-piglit-shader.c-do-not-hardcode-build-pat.patch
create mode 100644 meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch
--
2.25.1
* Re: [OE-core][dunfell 00/14] Patch review
[not found] <16B6626DB9B02798.14836@lists.openembedded.org>
@ 2021-11-11 14:16 ` Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2021-11-11 14:16 UTC (permalink / raw)
To: steve; +Cc: openembedded-core
On Wed, Nov 10, 2021 at 6:08 PM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> Please review this set of patches for dunfell and have comments back by end
> of day Friday.
I forgot to add:
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2910
>
> The following changes since commit 38fc0807eea14dc12610da4ba73c082d5a4b0744:
>
> meta/scripts: Manual git url branch additions (2021-11-03 08:43:53 -1000)
>
> are available in the Git repository at:
>
> git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
> http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
>
> Jose Quaresma (1):
> sstate: another fix for touching files inside pseudo
>
> Joshua Watt (1):
> oeqa: reproducible: Fix test not producing diffs
>
> Khem Raj (1):
> webkitgtk: Fix reproducibility in minibrowser
>
> Marek Vasut (1):
> piglit: upgrade to latest revision
>
> Mark Hatle (1):
> reproducible_build: Remove BUILD_REPRODUCIBLE_BINARIES checking
>
> Mingli Yu (1):
> python3-magic: add the missing rdepends
>
> Richard Purdie (6):
> linunistring: Add missing gperf-native dependency
> pseudo: Add in ability to flush database with shutdown request
> pseudo: Add fcntl64 wrapper
> mirrors: Add uninative mirror on kernel.org
> sstate: Ensure SDE is accounted for in package task timestamps
> sstate: Avoid deploy_source_date_epoch sstate when unneeded
>
> Steve Sakoman (2):
> python3-magic: add missing DEPENDS
> selftest/reproducible: add webkitgtk back to exclusion list for
> dunfell
>
> meta/classes/mirrors.bbclass | 1 +
> meta/classes/reproducible_build.bbclass | 53 ++++++++++++-------
> meta/classes/sstate.bbclass | 34 +++++++++---
> .../oeqa/selftest/cases/diffoscope/A/file.txt | 1 +
> .../oeqa/selftest/cases/diffoscope/B/file.txt | 1 +
> meta/lib/oeqa/selftest/cases/reproducible.py | 29 +++++++++-
> meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
> .../python/python3-magic_0.4.15.bb | 7 ++-
> ...ssing-include-for-htobe32-definition.patch | 27 ++++++++++
> ...file.py-make-test-lists-reproducible.patch | 31 +++++++++++
> ...gen_tcs-tes_input_tests.py-do-not-ha.patch | 44 +++++++++++++++
> ...lizer.py-make-.gz-files-reproducible.patch | 30 +++++++++++
> ...sort-the-file-list-before-working-on.patch | 28 ++++++++++
> ...t-shader.c-do-not-hardcode-build-pat.patch | 30 +++++++++++
> meta/recipes-graphics/piglit/piglit_git.bb | 12 ++++-
> .../0001-MiniBrowser-Fix-reproduciblity.patch | 31 +++++++++++
> meta/recipes-sato/webkit/webkitgtk_2.28.4.bb | 1 +
> .../libunistring/libunistring_0.9.10.bb | 1 +
> 18 files changed, 333 insertions(+), 30 deletions(-)
> create mode 100644 meta/lib/oeqa/selftest/cases/diffoscope/A/file.txt
> create mode 100644 meta/lib/oeqa/selftest/cases/diffoscope/B/file.txt
> create mode 100644 meta/recipes-graphics/piglit/piglit/0001-Add-a-missing-include-for-htobe32-definition.patch
> create mode 100644 meta/recipes-graphics/piglit/piglit/0001-framework-profile.py-make-test-lists-reproducible.patch
> create mode 100644 meta/recipes-graphics/piglit/piglit/0001-generated_tests-gen_tcs-tes_input_tests.py-do-not-ha.patch
> create mode 100644 meta/recipes-graphics/piglit/piglit/0001-serializer.py-make-.gz-files-reproducible.patch
> create mode 100644 meta/recipes-graphics/piglit/piglit/0001-tests-shader.py-sort-the-file-list-before-working-on.patch
> create mode 100644 meta/recipes-graphics/piglit/piglit/0002-tests-util-piglit-shader.c-do-not-hardcode-build-pat.patch
> create mode 100644 meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch
>
> --
> 2.25.1
* [OE-core][dunfell 00/14] Patch review
@ 2021-12-22 14:12 Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2021-12-22 14:12 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3047
with the exception of a known intermittent autobuilder issue on oe-selftest-centos
which passed on subsequent retest:
https://autobuilder.yoctoproject.org/typhoon/#/builders/79/builds/2977
The following changes since commit 90a07178ea26be453d101c2e8b33d3a0f437635d:
build-appliance-image: Update to dunfell head revision (2021-12-14 22:49:32 +0000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Anuj Mittal (1):
gstreamer1.0: fix failing ptest
Bruce Ashfield (5):
linux-yocto/5.4: update to v5.4.159
linux-yocto/5.4: update to v5.4.162
linux-yocto/5.4: update to v5.4.163
linux-yocto/5.4: update to v5.4.165
linux-yocto/5.4: update to v5.4.167
Ernst Sjöstrand (1):
dropbear: Fix CVE-2020-36254
Marta Rybczynska (1):
bluez: fix CVE-2021-0129
Mingli Yu (1):
bootchart2: remove wait_boot logic
Minjae Kim (2):
vim: fix CVE-2021-4069
inetutils: fix CVE-2021-40491
Steve Sakoman (1):
selftest: skip virgl test on fedora 34 entirely
sana kazi (2):
openssh: Fix CVE-2021-41617
openssh: Whitelist CVE-2016-20012
meta/lib/oeqa/selftest/cases/runtime_test.py | 2 +
meta/recipes-connectivity/bluez5/bluez5.inc | 1 +
.../bluez5/bluez5/CVE-2021-0129.patch | 109 ++++++++++++++++++
.../inetutils/inetutils/CVE-2021-40491.patch | 67 +++++++++++
.../inetutils/inetutils_1.9.4.bb | 1 +
.../openssh/openssh/CVE-2021-41617.patch | 52 +++++++++
.../openssh/openssh_8.2p1.bb | 10 ++
meta/recipes-core/dropbear/dropbear.inc | 4 +-
.../dropbear/dropbear/CVE-2020-36254.patch | 29 +++++
...ake-sure-only-one-bootchartd-process.patch | 68 +++++++++++
.../bootchart2/bootchart2_0.14.9.bb | 1 +
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 ++--
...-use-too-strict-timeout-for-validati.patch | 33 ++++++
.../gstreamer/gstreamer1.0_1.16.3.bb | 1 +
.../vim/files/CVE-2021-4069.patch | 43 +++++++
meta/recipes-support/vim/vim.inc | 1 +
18 files changed, 439 insertions(+), 19 deletions(-)
create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch
create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2020-36254.patch
create mode 100644 meta/recipes-devtools/bootchart2/bootchart2/0001-bootchartd.in-make-sure-only-one-bootchartd-process.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0/0006-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch
create mode 100644 meta/recipes-support/vim/files/CVE-2021-4069.patch
--
2.25.1
* [OE-core][dunfell 00/14] Patch review
@ 2022-05-11 18:19 Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2022-05-11 18:19 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Friday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3648
with the exception of the newly added meta-virt test (which has never
worked with dunfell)
The following changes since commit 7c0345ab1058a7e29d37f110923ecd368e102ed7:
uninative: Upgrade to 3.6 with gcc 12 support (2022-05-09 11:51:55 +0100)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Bruce Ashfield (1):
linux-yocto/5.4: update to v5.4.192
Davide Gardenal (3):
cve-check: add JSON format to summary output
cve-check: fix symlinks where link and output path are equal
rootfs-postcommands: fix symlinks where link and output path are equal
Marta Rybczynska (2):
cve-update-db-native: update the CVE database once a day only
cve-update-db-native: let the user to drive the update interval
Pawan Badganchi (2):
fribidi: Add fix for CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310
libinput: Add fix for CVE-2022-1215
Portia (1):
volatile-binds: Change DefaultDependencies from false to no
Richard Purdie (3):
base: Avoid circular references to our own scripts
scripts: Make git intercept global
scripts/git: Ensure we don't have circular references
Ross Burton (1):
cve-check: no need to depend on the fetch task
Steve Sakoman (1):
busybox: fix CVE-2022-28391
meta/classes/base.bbclass | 4 +
meta/classes/cve-check.bbclass | 72 ++--
meta/classes/rootfs-postcommands.bbclass | 14 +-
...tr-ensure-only-printable-characters-.patch | 38 ++
...e-all-printed-strings-with-printable.patch | 64 ++++
meta/recipes-core/busybox/busybox_1.31.1.bb | 2 +
.../recipes-core/meta/cve-update-db-native.bb | 13 +-
.../files/volatile-binds.service.in | 2 +-
.../wayland/libinput/CVE-2022-1215.patch | 360 ++++++++++++++++++
.../wayland/libinput_1.15.2.bb | 1 +
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +-
.../fribidi/fribidi/CVE-2022-25308.patch | 50 +++
.../fribidi/fribidi/CVE-2022-25309.patch | 31 ++
.../fribidi/fribidi/CVE-2022-25310.patch | 30 ++
meta/recipes-support/fribidi/fribidi_1.0.9.bb | 3 +
scripts/{git-intercept => }/git | 9 +-
18 files changed, 674 insertions(+), 55 deletions(-)
create mode 100644 meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
create mode 100644 meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
create mode 100644 meta/recipes-graphics/wayland/libinput/CVE-2022-1215.patch
create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
rename scripts/{git-intercept => }/git (52%)
--
2.25.1
* [OE-core][dunfell 00/14] Patch review
@ 2022-06-08 14:46 Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2022-06-08 14:46 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Friday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3760
The following changes since commit 4051d1a3aa5f70da96c381f9dea5f52cd9306939:
openssl: Backport fix for ptest cert expiry (2022-06-07 11:33:46 +0100)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Bruce Ashfield (1):
linux-yocto/5.4: update to v5.4.196
Hitendra Prajapati (2):
e2fsprogs: CVE-2022-1304 out-of-bounds read/write via crafted
filesystem
pcre2: CVE-2022-1587 Out-of-bounds read
Marta Rybczynska (4):
cve-check: move update_symlinks to a library
cve-check: write empty fragment files in the text mode
cve-check: add coverage statistics on recipes with/without CVEs
cve-update-db-native: make it possible to disable database updates
Richard Purdie (1):
libxslt: Mark CVE-2022-29824 as not applying
Robert Joslyn (2):
curl: Backport CVE fixes
curl: Fix CVE_CHECK_WHITELIST typo
Steve Sakoman (3):
Revert "openssl: Backport fix for ptest cert expiry"
openssl: backport fix for ptest certificate expiration
openssl: update the epoch time for ct_test ptest
omkar patil (1):
libxslt: Fix CVE-2021-30560
meta/classes/cve-check.bbclass | 86 ++-
meta/lib/oe/cve_check.py | 10 +
...5d82489b3ec09ccc772dfcee14fef0e8e908.patch | 192 +++++
...ea88c3888cc5cb3ebc94ffcef706c68bc1d2.patch | 55 --
...611887cfac633aacc052b2e71a7f195418b8.patch | 29 +
.../openssl/openssl_1.1.1o.bb | 3 +-
.../recipes-core/meta/cve-update-db-native.bb | 6 +-
.../e2fsprogs/e2fsprogs/CVE-2022-1304.patch | 42 ++
.../e2fsprogs/e2fsprogs_1.45.7.bb | 1 +
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +-
.../curl/curl/CVE-2022-27774-1.patch | 45 ++
.../curl/curl/CVE-2022-27774-2.patch | 80 +++
.../curl/curl/CVE-2022-27774-3.patch | 83 +++
.../curl/curl/CVE-2022-27774-4.patch | 35 +
.../curl/curl/CVE-2022-27781.patch | 46 ++
.../curl/curl/CVE-2022-27782-1.patch | 363 ++++++++++
.../curl/curl/CVE-2022-27782-2.patch | 71 ++
meta/recipes-support/curl/curl_7.69.1.bb | 9 +-
.../libpcre/libpcre2/CVE-2022-1587.patch | 660 ++++++++++++++++++
.../recipes-support/libpcre/libpcre2_10.34.bb | 1 +
.../libxslt/libxslt/CVE-2021-30560.patch | 201 ++++++
.../recipes-support/libxslt/libxslt_1.1.34.bb | 5 +
24 files changed, 1949 insertions(+), 110 deletions(-)
create mode 100644 meta/recipes-connectivity/openssl/openssl/73db5d82489b3ec09ccc772dfcee14fef0e8e908.patch
delete mode 100644 meta/recipes-connectivity/openssl/openssl/770aea88c3888cc5cb3ebc94ffcef706c68bc1d2.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/b7ce611887cfac633aacc052b2e71a7f195418b8.patch
create mode 100644 meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2022-1304.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27781.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch
create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch
--
2.25.1
* [OE-core][dunfell 00/14] Patch review
@ 2022-07-07 21:59 Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2022-07-07 21:59 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3880
The following changes since commit b75caf4a985e3c20996531785125eaffdc832104:
insane.bbclass: host-user-contaminated: Correct per package home path (2022-06-29 05:15:49 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Anuj Mittal (1):
efivar: change branch name to main
Bruce Ashfield (2):
linux-yocto/5.4: update to v5.4.199
linux-yocto/5.4: update to v5.4.203
Jate Sujjavanich (1):
IMAGE_LOCALES_ARCHIVE: add option to prevent locale archive creation
Ranjitsinh Rathod (1):
openssl: Minor security upgrade 1.1.1o to 1.1.1p
Richard Purdie (5):
cve-extra-exclusions: Clean up and ignore three CVEs (2xqemu and nasm)
vim: 8.2.5083 -> 9.0.0005
oeqa/runtime/scp: Disable scp test for dropbear
packagegroup-core-ssh-dropbear: Add openssh-sftp-server recommendation
oe-selftest-image: Ensure the image has sftp as well as dropbear
Ross Burton (1):
cve-check: hook cleanup to the BuildCompleted event, not CookerExit
Steve Sakoman (3):
openssh: break dependency on base package for -dev package
dropbear: break dependency on base package for -dev package
qemu: add PACKAGECONFIG for capstone
.../recipes-test/images/oe-selftest-image.bb | 2 +-
meta/classes/cve-check.bbclass | 2 +-
meta/classes/image.bbclass | 5 +-
.../distro/include/cve-extra-exclusions.inc | 31 ++-
meta/lib/oe/package_manager.py | 13 +-
meta/lib/oeqa/runtime/cases/scp.py | 2 +-
meta/recipes-bsp/efivar/efivar_37.bb | 2 +-
.../openssh/openssh_8.2p1.bb | 5 +
...5d82489b3ec09ccc772dfcee14fef0e8e908.patch | 192 ------------------
...611887cfac633aacc052b2e71a7f195418b8.patch | 29 ---
.../{openssl_1.1.1o.bb => openssl_1.1.1p.bb} | 4 +-
meta/recipes-core/dropbear/dropbear.inc | 5 +
.../packagegroup-core-ssh-dropbear.bb | 1 +
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +-
.../vim/{vim-tiny_8.2.bb => vim-tiny_9.0.bb} | 0
meta/recipes-support/vim/vim.inc | 6 +-
.../vim/{vim_8.2.bb => vim_9.0.bb} | 0
20 files changed, 64 insertions(+), 272 deletions(-)
delete mode 100644 meta/recipes-connectivity/openssl/openssl/73db5d82489b3ec09ccc772dfcee14fef0e8e908.patch
delete mode 100644 meta/recipes-connectivity/openssl/openssl/b7ce611887cfac633aacc052b2e71a7f195418b8.patch
rename meta/recipes-connectivity/openssl/{openssl_1.1.1o.bb => openssl_1.1.1p.bb} (97%)
rename meta/recipes-support/vim/{vim-tiny_8.2.bb => vim-tiny_9.0.bb} (100%)
rename meta/recipes-support/vim/{vim_8.2.bb => vim_9.0.bb} (100%)
--
2.25.1
* [OE-core][dunfell 00/14] Patch review
@ 2022-08-29 21:02 Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2022-08-29 21:02 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for dunfell and have comments back by end
of day Wednesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4151
The following changes since commit a3cba15142e98177119ef36c09f553d09acf35ef:
build-appliance-image: Update to dunfell head revision (2022-08-22 16:07:02 +0100)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alexander Kanavin (3):
mobile-broadband-provider-info: upgrade 20220511 -> 20220725
tzdata: upgrade 2022a -> 2022b
wireless-regdb: upgrade 2022.06.06 -> 2022.08.12
Anuj Mittal (1):
cryptodev-module: fix build with 5.11+ kernels
Bruce Ashfield (1):
linux-yocto/5.4: update to v5.4.210
Ernst Sjöstrand (1):
cve-check: Don't use f-strings
Hitendra Prajapati (5):
libtiff: CVE-2022-34526 A stack overflow was discovered
golang: fix CVE-2022-30629 and CVE-2022-30631
golang: fix CVE-2022-30632 and CVE-2022-30633
golang: fix CVE-2022-30635 and CVE-2022-32148
golang: CVE-2022-32189 a denial of service
Paul Eggleton (1):
relocate_sdk.py: ensure interpreter size error causes relocation to
fail
Pawan Badganchi (1):
libxml2: Add fix for CVE-2016-3709
Richard Purdie (1):
vim: Upgrade 9.0.0115 -> 9.0.0242
meta/lib/oe/cve_check.py | 2 +-
.../mobile-broadband-provider-info_git.bb | 4 +-
.../libxml/libxml2/CVE-2016-3709.patch | 89 ++++++++++++
meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 +
meta/recipes-devtools/go/go-1.14.inc | 7 +
.../go/go-1.14/CVE-2022-30629.patch | 47 +++++++
.../go/go-1.14/CVE-2022-30631.patch | 116 ++++++++++++++++
.../go/go-1.14/CVE-2022-30632.patch | 71 ++++++++++
.../go/go-1.14/CVE-2022-30633.patch | 131 ++++++++++++++++++
.../go/go-1.14/CVE-2022-30635.patch | 120 ++++++++++++++++
.../go/go-1.14/CVE-2022-32148.patch | 49 +++++++
.../go/go-1.14/CVE-2022-32189.patch | 113 +++++++++++++++
meta/recipes-extended/timezone/timezone.inc | 6 +-
.../cryptodev/cryptodev-module_1.10.bb | 1 +
.../files/fix-build-for-Linux-5.11-rc1.patch | 32 +++++
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +--
....06.06.bb => wireless-regdb_2022.08.12.bb} | 2 +-
.../libtiff/files/CVE-2022-34526.patch | 29 ++++
meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 +
meta/recipes-support/vim/vim.inc | 4 +-
scripts/relocate_sdk.py | 10 +-
23 files changed, 842 insertions(+), 29 deletions(-)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30635.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-32148.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-32189.patch
create mode 100644 meta/recipes-kernel/cryptodev/files/fix-build-for-Linux-5.11-rc1.patch
rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2022.06.06.bb => wireless-regdb_2022.08.12.bb} (94%)
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch
--
2.25.1
* [OE-core][dunfell 00/14] Patch review
@ 2023-03-21 14:20 Steve Sakoman
2023-03-21 14:20 ` [OE-core][dunfell 01/14] libarchive: fix CVE-2022-26280 Steve Sakoman
` (13 more replies)
0 siblings, 14 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-03-21 14:20 UTC (permalink / raw)
To: openembedded-core
Please review these patches for dunfell and have comments back by
end of day Thursday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5073
The following changes since commit efb1a73a13907bed3acac8e06053aef3e2ef57f5:
build-appliance-image: Update to dunfell head revision (2023-03-15 23:09:39 +0000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alban Bedel (1):
systemd: Fix systemd when used with busybox less
Andrej Valek (1):
libarchive: fix CVE-2022-26280
Chee Yang Lee (2):
ghostscript: add CVE tag for
check-stack-limits-after-function-evalution.patch
libksba: fix CVE-2022-3515
Hitendra Prajapati (1):
QEMU: CVE-2022-4144 QXL: qxl_phys2virt unsafe address translation can
lead to out-of-bounds read
Kenfe-Mickael Laventure (3):
buildtools-tarball: Handle spaces within user $PATH
toolchain-scripts: Handle spaces within user $PATH
populate_sdk_ext: Handle spaces within user $PATH
Richard Purdie (4):
staging: Separate out different multiconfig manifests
staging/multilib: Fix manifest corruption
glibc: Add missing binutils dependency
base-files: Drop localhost.localdomain from hosts file
Ross Burton (2):
vim: upgrade to 9.0.1403
vim: set modified-by to the recipe MAINTAINER
meta/classes/multilib.bbclass | 1 +
meta/classes/populate_sdk_ext.bbclass | 2 +-
meta/classes/staging.bbclass | 4 +
meta/classes/toolchain-scripts.bbclass | 2 +-
meta/recipes-core/base-files/base-files/hosts | 2 +-
meta/recipes-core/glibc/glibc.inc | 4 +-
meta/recipes-core/meta/buildtools-tarball.bb | 2 +-
.../systemd/systemd/systemd-pager.sh | 7 ++
meta/recipes-core/systemd/systemd_244.5.bb | 5 +
meta/recipes-devtools/qemu/qemu.inc | 9 +-
.../qemu/qemu/CVE-2022-4144.patch | 103 ++++++++++++++++++
...tack-limits-after-function-evalution.patch | 2 +-
.../libarchive/CVE-2022-26280.patch | 29 +++++
.../libarchive/libarchive_3.4.2.bb | 1 +
.../libksba/libksba/CVE-2022-3515.patch | 47 ++++++++
meta/recipes-support/libksba/libksba_1.3.5.bb | 1 +
meta/recipes-support/vim/vim.inc | 8 +-
17 files changed, 215 insertions(+), 14 deletions(-)
create mode 100644 meta/recipes-core/systemd/systemd/systemd-pager.sh
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch
create mode 100644 meta/recipes-support/libksba/libksba/CVE-2022-3515.patch
--
2.34.1
* [OE-core][dunfell 01/14] libarchive: fix CVE-2022-26280
2023-03-21 14:20 [OE-core][dunfell 00/14] Patch review Steve Sakoman
@ 2023-03-21 14:20 ` Steve Sakoman
2023-03-21 14:20 ` [OE-core][dunfell 02/14] QEMU: CVE-2022-4144 QXL: qxl_phys2virt unsafe address translation can lead to out-of-bounds read Steve Sakoman
` (12 subsequent siblings)
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-03-21 14:20 UTC (permalink / raw)
To: openembedded-core
From: Andrej Valek <andrej.valek@siemens.com>
Backport fix from https://github.com/libarchive/libarchive/issues/1672
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libarchive/CVE-2022-26280.patch | 29 +++++++++++++++++++
.../libarchive/libarchive_3.4.2.bb | 1 +
2 files changed, 30 insertions(+)
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch
new file mode 100644
index 0000000000..501fcc5848
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch
@@ -0,0 +1,29 @@
+From cfaa28168a07ea4a53276b63068f94fce37d6aff Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Thu, 24 Mar 2022 10:35:00 +0100
+Subject: [PATCH] ZIP reader: fix possible out-of-bounds read in
+ zipx_lzma_alone_init()
+
+Fixes #1672
+
+CVE: CVE-2022-26280
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff]
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+---
+ libarchive/archive_read_support_format_zip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c
+index 38ada70b5..9d6c900b2 100644
+--- a/libarchive/archive_read_support_format_zip.c
++++ b/libarchive/archive_read_support_format_zip.c
+@@ -1667,7 +1667,7 @@ zipx_lzma_alone_init(struct archive_read *a, struct zip *zip)
+ */
+
+ /* Read magic1,magic2,lzma_params from the ZIPX stream. */
+- if((p = __archive_read_ahead(a, 9, NULL)) == NULL) {
++ if(zip->entry_bytes_remaining < 9 || (p = __archive_read_ahead(a, 9, NULL)) == NULL) {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ "Truncated lzma data");
+ return (ARCHIVE_FATAL);
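Review bot: In the zipx_lzma_alone_init() change, the new zip->entry_bytes_remaining < 9 guard covers only the 9-byte magic1/magic2/lzma_params read, and the hunk shows nothing about the reads that follow it, so the patch description should say whether those are already bounded by entry_bytes_remaining. The literal 9 now appears twice on one line (the bound and the read-ahead size); a named constant would stop the two drifting apart, though for a verbatim backport that is a point for upstream rather than a change to make here. The outer commit message cites the issue URL while Upstream-Status cites the commit; referencing the commit in both places would make the provenance easier to follow.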
diff --git a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
index e0a6174d8b..582787d3f3 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
@@ -39,6 +39,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
file://CVE-2021-23177.patch \
file://CVE-2021-31566-01.patch \
file://CVE-2021-31566-02.patch \
+ file://CVE-2022-26280.patch \
file://CVE-2022-36227.patch \
"
--
2.34.1
* [OE-core][dunfell 02/14] QEMU: CVE-2022-4144 QXL: qxl_phys2virt unsafe address translation can lead to out-of-bounds read
2023-03-21 14:20 [OE-core][dunfell 00/14] Patch review Steve Sakoman
2023-03-21 14:20 ` [OE-core][dunfell 01/14] libarchive: fix CVE-2022-26280 Steve Sakoman
@ 2023-03-21 14:20 ` Steve Sakoman
2023-03-21 14:20 ` [OE-core][dunfell 03/14] ghostscript: add CVE tag for check-stack-limits-after-function-evalution.patch Steve Sakoman
` (11 subsequent siblings)
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-03-21 14:20 UTC (permalink / raw)
To: openembedded-core
From: Hitendra Prajapati <hprajapati@mvista.com>
Upstream-Status: Backport from https://gitlab.com/qemu-project/qemu/-/commit/6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Replace the tabs with spaces to correct the indent.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 9 +-
.../qemu/qemu/CVE-2022-4144.patch | 103 ++++++++++++++++++
2 files changed, 108 insertions(+), 4 deletions(-)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 36d0b9320f..0649727338 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -112,10 +112,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2022-0216-1.patch \
file://CVE-2022-0216-2.patch \
file://CVE-2021-3750.patch \
- file://CVE-2021-3638.patch \
- file://CVE-2021-20196.patch \
- file://CVE-2021-3507.patch \
- file://CVE-2021-3929.patch \
+ file://CVE-2021-3638.patch \
+ file://CVE-2021-20196.patch \
+ file://CVE-2021-3507.patch \
+ file://CVE-2021-3929.patch \
+ file://CVE-2022-4144.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
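Review bot: The four existing SRC_URI entries from CVE-2021-3638.patch to CVE-2021-3929.patch are rewritten here only to change their indentation, in the same hunk that adds CVE-2022-4144.patch, so all 4 deletions in the diffstat are whitespace. Splitting the tab-to-space cleanup into its own commit would leave the security fix as a one-line addition and make later cherry-picks into this list less likely to conflict.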
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch
new file mode 100644
index 0000000000..3f0d5fbd5c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch
@@ -0,0 +1,103 @@
+From 6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
+Date: Mon, 28 Nov 2022 21:27:40 +0100
+Subject: [PATCH] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt
+ (CVE-2022-4144)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Have qxl_get_check_slot_offset() return false if the requested
+buffer size does not fit within the slot memory region.
+
+Similarly qxl_phys2virt() now returns NULL in such case, and
+qxl_dirty_one_surface() aborts.
+
+This avoids buffer overrun in the host pointer returned by
+memory_region_get_ram_ptr().
+
+Fixes: CVE-2022-4144 (out-of-bounds read)
+Reported-by: Wenxu Yin (@awxylitol)
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336
+
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20221128202741.4945-5-philmd@linaro.org>
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622]
+CVE: CVE-2022-4144
+Comments: Deleted patch hunk in qxl.h,as it contains change
+in comments which is not present in current version of qemu.
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ hw/display/qxl.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index cd7eb39d..6bc8385b 100644
+--- a/hw/display/qxl.c
++++ b/hw/display/qxl.c
+@@ -1440,11 +1440,13 @@ static void qxl_reset_surfaces(PCIQXLDevice *d)
+
+ /* can be also called from spice server thread context */
+ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
+- uint32_t *s, uint64_t *o)
++ uint32_t *s, uint64_t *o,
++ size_t size_requested)
+ {
+ uint64_t phys = le64_to_cpu(pqxl);
+ uint32_t slot = (phys >> (64 - 8)) & 0xff;
+ uint64_t offset = phys & 0xffffffffffff;
++ uint64_t size_available;
+
+ if (slot >= NUM_MEMSLOTS) {
+ qxl_set_guest_bug(qxl, "slot too large %d >= %d", slot,
+@@ -1468,6 +1470,23 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
+ slot, offset, qxl->guest_slots[slot].size);
+ return false;
+ }
++ size_available = memory_region_size(qxl->guest_slots[slot].mr);
++ if (qxl->guest_slots[slot].offset + offset >= size_available) {
++ qxl_set_guest_bug(qxl,
++ "slot %d offset %"PRIu64" > region size %"PRIu64"\n",
++ slot, qxl->guest_slots[slot].offset + offset,
++ size_available);
++ return false;
++ }
++ size_available -= qxl->guest_slots[slot].offset + offset;
++ if (size_requested > size_available) {
++ qxl_set_guest_bug(qxl,
++ "slot %d offset %"PRIu64" size %zu: "
++ "overrun by %"PRIu64" bytes\n",
++ slot, offset, size_requested,
++ size_requested - size_available);
++ return false;
++ }
+
+ *s = slot;
+ *o = offset;
+@@ -1486,7 +1505,7 @@ void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id)
+ offset = le64_to_cpu(pqxl) & 0xffffffffffff;
+ return (void *)(intptr_t)offset;
+ case MEMSLOT_GROUP_GUEST:
+- if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset)) {
++ if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) {
+ return NULL;
+ }
+ ptr = memory_region_get_ram_ptr(qxl->guest_slots[slot].mr);
+@@ -1944,9 +1963,9 @@ static void qxl_dirty_one_surface(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
+ uint32_t slot;
+ bool rc;
+
+- rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset);
+- assert(rc == true);
+ size = (uint64_t)height * abs(stride);
++ rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size);
++ assert(rc == true);
+ trace_qxl_surfaces_dirty(qxl->id, offset, size);
+ qxl_set_dirty(qxl->guest_slots[slot].mr,
+ qxl->guest_slots[slot].offset + offset,
+--
+2.25.1
+
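Review bot: In the qxl_phys2virt() hunk the new call passes size to qxl_get_check_slot_offset(), but the hunk header shows the function as qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id) with no size parameter, and nothing in this patch declares one; please confirm that hw/display/qxl.c compiles in this tree, or include the change that introduces the parameter. Two smaller points in qxl_get_check_slot_offset(): the first new check rejects on >= while its message prints "> region size", and both new qxl_set_guest_bug() format strings end in "\n" where the existing "slot too large %d >= %d" message does not.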
--
2.34.1
* [OE-core][dunfell 03/14] ghostscript: add CVE tag for check-stack-limits-after-function-evalution.patch
2023-03-21 14:20 [OE-core][dunfell 00/14] Patch review Steve Sakoman
2023-03-21 14:20 ` [OE-core][dunfell 01/14] libarchive: fix CVE-2022-26280 Steve Sakoman
2023-03-21 14:20 ` [OE-core][dunfell 02/14] QEMU: CVE-2022-4144 QXL: qxl_phys2virt unsafe address translation can lead to out-of-bounds read Steve Sakoman
@ 2023-03-21 14:20 ` Steve Sakoman
2023-03-21 14:20 ` [OE-core][dunfell 04/14] libksba: fix CVE-2022-3515 Steve Sakoman
` (10 subsequent siblings)
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-03-21 14:20 UTC (permalink / raw)
To: openembedded-core
From: Chee Yang Lee <chee.yang.lee@intel.com>
This patch fixes CVE-2021-45944.
https://nvd.nist.gov/vuln/detail/CVE-2021-45944
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../check-stack-limits-after-function-evalution.patch | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch b/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch
index 722bab4ddb..77eec7d158 100644
--- a/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch
+++ b/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch
@@ -14,7 +14,7 @@ stack than are available.
To cope, add in stack limit checking to throw an appropriate error when this
happens.
-
+CVE: CVE-2021-45944
Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=7861fcad13c497728189feafb41cd57b5b50ea25]
Signed-off-by: Minjae Kim <flowergom@gmail.com>
---
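Review bot: The CVE tag is added by replacing the blank line after "happens.", so the description paragraph now runs straight into the tag block; add "CVE: CVE-2021-45944" as a new line and keep the blank separator. While this header is being touched, the context line reads "Upstream-Status: Backported [...]", where the other patch files in this series use "Backport".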
--
2.34.1
* [OE-core][dunfell 04/14] libksba: fix CVE-2022-3515
2023-03-21 14:20 [OE-core][dunfell 00/14] Patch review Steve Sakoman
` (2 preceding siblings ...)
2023-03-21 14:20 ` [OE-core][dunfell 03/14] ghostscript: add CVE tag for check-stack-limits-after-function-evalution.patch Steve Sakoman
@ 2023-03-21 14:20 ` Steve Sakoman
2023-03-21 14:20 ` [OE-core][dunfell 05/14] vim: upgrade to 9.0.1403 Steve Sakoman
` (9 subsequent siblings)
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-03-21 14:20 UTC (permalink / raw)
To: openembedded-core
From: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libksba/libksba/CVE-2022-3515.patch | 47 +++++++++++++++++++
meta/recipes-support/libksba/libksba_1.3.5.bb | 1 +
2 files changed, 48 insertions(+)
create mode 100644 meta/recipes-support/libksba/libksba/CVE-2022-3515.patch
diff --git a/meta/recipes-support/libksba/libksba/CVE-2022-3515.patch b/meta/recipes-support/libksba/libksba/CVE-2022-3515.patch
new file mode 100644
index 0000000000..ff9f2f9275
--- /dev/null
+++ b/meta/recipes-support/libksba/libksba/CVE-2022-3515.patch
@@ -0,0 +1,47 @@
+From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Wed, 5 Oct 2022 14:19:06 +0200
+Subject: [PATCH] Detect a possible overflow directly in the TLV parser.
+
+* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
+used sum.
+--
+
+It is quite common to have checks like
+
+ if (ti.nhdr + ti.length >= DIM(tmpbuf))
+ return gpg_error (GPG_ERR_TOO_LARGE);
+
+This patch detects possible integer overflows immmediately when
+creating the TI object.
+
+Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
+
+
+Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=patch;h=4b7d9cd4a018898d7714ce06f3faf2626c14582b]
+CVE: CVE-2022-3515
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ src/ber-help.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/ber-help.c b/src/ber-help.c
+index 81c31ed..56efb6a 100644
+--- a/src/ber-help.c
++++ b/src/ber-help.c
+@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
+ ti->length = len;
+ }
+
++ if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
++ {
++ ti->err_string = "header+length would overflow";
++ return gpg_error (GPG_ERR_EOVERFLOW);
++ }
++
+ /* Without this kludge some example certs can't be parsed */
+ if (ti->class == CLASS_UNIVERSAL && !ti->tag)
+ ti->length = 0;
+--
+2.11.0
+
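Review bot: In _ksba_ber_read_tl() the new test is "ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length", and the left operand means a wrapped sum is reported only when length exceeds nhdr. For unsigned operands the wraparound comparison alone already identifies overflow, so a comment saying why the extra precondition is wanted would help the next reader. The outer commit message has no body; a one-line summary of the issue and the upstream commit would help anyone reading the dunfell log.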
diff --git a/meta/recipes-support/libksba/libksba_1.3.5.bb b/meta/recipes-support/libksba/libksba_1.3.5.bb
index 841830efa8..5293aa91e1 100644
--- a/meta/recipes-support/libksba/libksba_1.3.5.bb
+++ b/meta/recipes-support/libksba/libksba_1.3.5.bb
@@ -24,6 +24,7 @@ UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html"
SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
file://ksba-add-pkgconfig-support.patch \
file://CVE-2022-47629.patch \
+ file://CVE-2022-3515.patch \
"
SRC_URI[md5sum] = "8302a3e263a7c630aa7dea7d341f07a2"
--
2.34.1
* [OE-core][dunfell 05/14] vim: upgrade to 9.0.1403
2023-03-21 14:20 [OE-core][dunfell 00/14] Patch review Steve Sakoman
` (3 preceding siblings ...)
2023-03-21 14:20 ` [OE-core][dunfell 04/14] libksba: fix CVE-2022-3515 Steve Sakoman
@ 2023-03-21 14:20 ` Steve Sakoman
2023-03-21 14:20 ` [OE-core][dunfell 06/14] vim: set modified-by to the recipe MAINTAINER Steve Sakoman
` (8 subsequent siblings)
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-03-21 14:20 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@arm.com>
This incorporates fixes for CVE-2023-1127, CVE-2023-1170, CVE-2023-1175.
Also remove runtime/doc/uganda.txt from the license checksum: the Vim
license is also in the top-level LICENSE file so this is redundant.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 71111e6b62d37c5e6853d7940dec2993df127a35)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-support/vim/vim.inc | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 828cf84757..1f5e570757 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -10,8 +10,7 @@ DEPENDS = "ncurses gettext-native"
RSUGGESTS_${PN} = "diffutils"
LICENSE = "vim"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=6b30ea4fa660c483b619924bc709ef99 \
- file://runtime/doc/uganda.txt;md5=001ef779f422a0e9106d428c84495b4d"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=6b30ea4fa660c483b619924bc709ef99"
SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
file://disable_acl_header_check.patch \
@@ -20,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
file://no-path-adjust.patch \
"
-PV .= ".1293"
-SRCREV = "0caaf1e46511f7a92e036f05e6aa9d5992540117"
+PV .= ".1403"
+SRCREV = "e764d1b4219e6615a04df1c3a6a5c0210a0a7dac"
# Remove when 8.3 is out
UPSTREAM_VERSION_UNKNOWN = "1"
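Review bot: The context comment "# Remove when 8.3 is out" above UPSTREAM_VERSION_UNKNOWN is left untouched while this hunk moves PV to the .1403 patch level of a 9.0 recipe, so the condition it names can no longer occur. Update the comment to say what would now allow the setting to be dropped, or say in the commit message that it is kept deliberately.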
--
2.34.1
* [OE-core][dunfell 06/14] vim: set modified-by to the recipe MAINTAINER
2023-03-21 14:20 [OE-core][dunfell 00/14] Patch review Steve Sakoman
` (4 preceding siblings ...)
2023-03-21 14:20 ` [OE-core][dunfell 05/14] vim: upgrade to 9.0.1403 Steve Sakoman
@ 2023-03-21 14:20 ` Steve Sakoman
2023-03-21 14:20 ` [OE-core][dunfell 07/14] systemd: Fix systemd when used with busybox less Steve Sakoman
` (7 subsequent siblings)
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-03-21 14:20 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@arm.com>
Clause II.3 of the Vim license states that any distribution of Vim that
has been extended or modified must _at least_ indicate in the :version
output that this is the case.
Handily, Vim has a --with-modified-by argument to add a line in that
text, so use MAINTAINER. This is the distribution maintainer contact,
by default it is OE-Core Developers
<openembedded-core@lists.openembedded.org>.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit acc007e23445aa53182e13902dd9509c39dd5645)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-support/vim/vim.inc | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 1f5e570757..1225005b0c 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -80,6 +80,7 @@ EXTRA_OECONF = " \
--disable-netbeans \
--disable-desktop-database-update \
--with-tlib=ncurses \
+ --with-modified-by='${MAINTAINER}' \
ac_cv_small_wchar_t=no \
ac_cv_path_GLIB_COMPILE_RESOURCES=no \
vim_cv_getcwd_broken=no \
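Review bot: --with-modified-by='${MAINTAINER}' relies on the single quotes to carry the spaces and angle brackets of the default value through to configure, but a MAINTAINER that itself contains a single quote would end the quoting early and split the argument. A comment next to the option stating that constraint, or passing a sanitised value derived from MAINTAINER, would keep a distro override from breaking do_configure.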
--
2.34.1
* [OE-core][dunfell 07/14] systemd: Fix systemd when used with busybox less
2023-03-21 14:20 [OE-core][dunfell 00/14] Patch review Steve Sakoman
` (5 preceding siblings ...)
2023-03-21 14:20 ` [OE-core][dunfell 06/14] vim: set modified-by to the recipe MAINTAINER Steve Sakoman
@ 2023-03-21 14:20 ` Steve Sakoman
2023-03-21 14:20 ` [OE-core][dunfell 08/14] staging: Separate out different multiconfig manifests Steve Sakoman
` (6 subsequent siblings)
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-03-21 14:20 UTC (permalink / raw)
To: openembedded-core
From: Alban Bedel <alban.bedel@aerq.com>
Per default systemd uses a pager for the output of most of its tools
and it expects this pager to be color capable. But that is not the case
when the busybox `less` is used, which leads to output garbled by color
escape sequences.
To fix this issue add a profile fragment that disables the systemd pager
when busybox `less` is detected.
Signed-off-by: Alban Bedel <alban.bedel@aerq.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit de7e36a7858ebca4615975967fcad1c399eacdb0)
Signed-off-by: Jermain Horsman <jermain.horsman@nedap.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../systemd/systemd/systemd-pager.sh | 7 +++++++
meta/recipes-core/systemd/systemd_244.5.bb | 5 +++++
2 files changed, 12 insertions(+)
create mode 100644 meta/recipes-core/systemd/systemd/systemd-pager.sh
diff --git a/meta/recipes-core/systemd/systemd/systemd-pager.sh b/meta/recipes-core/systemd/systemd/systemd-pager.sh
new file mode 100644
index 0000000000..86e3e0ab78
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/systemd-pager.sh
@@ -0,0 +1,7 @@
+# Systemd expect a color capable pager, however the less provided
+# by busybox is not. This make many interaction with systemd pretty
+# annoying. As a workaround we disable the systemd pager if less
+# is not the GNU version.
+if ! less -V > /dev/null 2>&1 ; then
+ export SYSTEMD_PAGER=
+fi
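Review bot: "export SYSTEMD_PAGER=" is applied whenever "less -V" fails, which also overwrites a SYSTEMD_PAGER that the user or an earlier profile fragment has already set to a working pager. Guard the assignment so it applies only when the variable is unset, and extend the comment to say that the test appears to rely on the busybox less rejecting -V, since the condition otherwise reads as a version check.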
diff --git a/meta/recipes-core/systemd/systemd_244.5.bb b/meta/recipes-core/systemd/systemd_244.5.bb
index 2bca1fbc82..98a580e2ea 100644
--- a/meta/recipes-core/systemd/systemd_244.5.bb
+++ b/meta/recipes-core/systemd/systemd_244.5.bb
@@ -18,6 +18,7 @@ SRC_URI += "file://touchscreen.rules \
file://00-create-volatile.conf \
file://init \
file://99-default.preset \
+ file://systemd-pager.sh \
file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
file://0003-implment-systemd-sysv-install-for-OE.patch \
file://CVE-2021-33910.patch \
@@ -317,6 +318,9 @@ do_install() {
# install default policy for presets
# https://www.freedesktop.org/wiki/Software/systemd/Preset/#howto
install -Dm 0644 ${WORKDIR}/99-default.preset ${D}${systemd_unitdir}/system-preset/99-default.preset
+
+ # add a profile fragment to disable systemd pager with busybox less
+ install -Dm 0644 ${WORKDIR}/systemd-pager.sh ${D}${sysconfdir}/profile.d/systemd-pager.sh
}
python populate_packages_prepend (){
@@ -539,6 +543,7 @@ FILES_${PN} = " ${base_bindir}/* \
${sysconfdir}/dbus-1/ \
${sysconfdir}/modules-load.d/ \
${sysconfdir}/pam.d/ \
+ ${sysconfdir}/profile.d/ \
${sysconfdir}/sysctl.d/ \
${sysconfdir}/systemd/ \
${sysconfdir}/tmpfiles.d/ \
--
2.34.1
* [OE-core][dunfell 08/14] staging: Separate out different multiconfig manifests
2023-03-21 14:20 [OE-core][dunfell 00/14] Patch review Steve Sakoman
` (6 preceding siblings ...)
2023-03-21 14:20 ` [OE-core][dunfell 07/14] systemd: Fix systemd when used with busybox less Steve Sakoman
@ 2023-03-21 14:20 ` Steve Sakoman
2023-03-21 14:20 ` [OE-core][dunfell 09/14] staging/multilib: Fix manifest corruption Steve Sakoman
` (5 subsequent siblings)
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-03-21 14:20 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
"""
require conf/multilib.conf
MACHINE = "qemuarm64"
MULTILIBS = "multilib:lib32"
DEFAULTTUNE:virtclass-multilib-lib32 = "armv7athf-neon"
bitbake gcc-cross-canadian-arm
"""
and then inspecting the lib32* manifest files under recipe-sysroot-native shows
them referencing lib32-recipe-sysroot instead of recipe-sysroot as used by
gcc-cross-canadian recipes.
To fix this, separate out the manifest by multilib. It is a caching mechanism to
optimise disk usage so this doesn't break anything, it just separates out some files.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 891d3faa3ed3d1cc231da58e5fa1325f05d5ade5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/staging.bbclass | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/classes/staging.bbclass b/meta/classes/staging.bbclass
index 78eb914921..4177e6cf05 100644
--- a/meta/classes/staging.bbclass
+++ b/meta/classes/staging.bbclass
@@ -267,6 +267,9 @@ python extend_recipe_sysroot() {
pn = d.getVar("PN")
stagingdir = d.getVar("STAGING_DIR")
sharedmanifests = d.getVar("COMPONENTS_DIR") + "/manifests"
+ mlprefix = d.getVar("MLPREFIX")
+ if mlprefix:
+ sharedmanifests = sharedmanifests + "/" + mlprefix
recipesysroot = d.getVar("RECIPE_SYSROOT")
recipesysrootnative = d.getVar("RECIPE_SYSROOT_NATIVE")
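Review bot: MLPREFIX is used directly as a directory name under COMPONENTS_DIR/manifests, with no comment at this site saying why the manifests are split. Elsewhere in this series MLPREFIX is set as variant + "-", so the resulting directory name would end in a dash (for the lib32 case in the commit message, manifests/lib32-). Add a short comment here, and consider stripping the trailing dash or building the path with os.path.join.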
--
2.34.1
* [OE-core][dunfell 09/14] staging/multilib: Fix manifest corruption
2023-03-21 14:20 [OE-core][dunfell 00/14] Patch review Steve Sakoman
` (7 preceding siblings ...)
2023-03-21 14:20 ` [OE-core][dunfell 08/14] staging: Separate out different multiconfig manifests Steve Sakoman
@ 2023-03-21 14:20 ` Steve Sakoman
2023-03-21 14:20 ` [OE-core][dunfell 10/14] glibc: Add missing binutils dependency Steve Sakoman
` (4 subsequent siblings)
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-03-21 14:20 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
The previous fix wasn't enough to address all the possible ways the
manifests might be ordered. Rework the previous fix so it is tied
to the multilib cross-canadian code which is causing the problem.
RECIPE_SYSROOT_MANIFEST_SUBDIR is not documented as I'd hope nobody
ever needs to use this outside the core multilib code.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit beab42e00713880cd95a04729c892f8662fbcbed)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/multilib.bbclass | 1 +
meta/classes/staging.bbclass | 7 ++++---
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/meta/classes/multilib.bbclass b/meta/classes/multilib.bbclass
index 9a8b02d4f6..b5c59ac593 100644
--- a/meta/classes/multilib.bbclass
+++ b/meta/classes/multilib.bbclass
@@ -45,6 +45,7 @@ python multilib_virtclass_handler () {
e.data.setVar("RECIPE_SYSROOT", "${WORKDIR}/recipe-sysroot")
e.data.setVar("STAGING_DIR_TARGET", "${WORKDIR}/recipe-sysroot")
e.data.setVar("STAGING_DIR_HOST", "${WORKDIR}/recipe-sysroot")
+ e.data.setVar("RECIPE_SYSROOT_MANIFEST_SUBDIR", "nativesdk-" + variant)
e.data.setVar("MLPREFIX", variant + "-")
override = ":virtclass-multilib-" + variant
e.data.setVar("OVERRIDES", e.data.getVar("OVERRIDES", False) + override)
diff --git a/meta/classes/staging.bbclass b/meta/classes/staging.bbclass
index 4177e6cf05..21523c8f75 100644
--- a/meta/classes/staging.bbclass
+++ b/meta/classes/staging.bbclass
@@ -267,9 +267,10 @@ python extend_recipe_sysroot() {
pn = d.getVar("PN")
stagingdir = d.getVar("STAGING_DIR")
sharedmanifests = d.getVar("COMPONENTS_DIR") + "/manifests"
- mlprefix = d.getVar("MLPREFIX")
- if mlprefix:
- sharedmanifests = sharedmanifests + "/" + mlprefix
+ # only needed by multilib cross-canadian since it redefines RECIPE_SYSROOT
+ manifestprefix = d.getVar("RECIPE_SYSROOT_MANIFEST_SUBDIR")
+ if manifestprefix:
+ sharedmanifests = sharedmanifests + "/" + manifestprefix
recipesysroot = d.getVar("RECIPE_SYSROOT")
recipesysrootnative = d.getVar("RECIPE_SYSROOT_NATIVE")
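Review bot: In extend_recipe_sysroot the local is called manifestprefix, but it now holds RECIPE_SYSROOT_MANIFEST_SUBDIR and is appended as a path component after "/", so manifestsubdir would match what it contains. Separately, the removed MLPREFIX branch wrote manifests under sharedmanifests + "/" + mlprefix, and nothing in the new lines refers to that location any more; please confirm whether existing build directories need those older manifest directories cleaned up or whether leaving them behind is harmless.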
--
2.34.1
* [OE-core][dunfell 10/14] glibc: Add missing binutils dependency
From: Steve Sakoman @ 2023-03-21 14:20 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
glibc has its dependencies handled more manually due to its place
in the toolchain bootstrap. It depends upon the compiler and indirectly
through that to binutils. This did mean that if binutils changes and the
compiler does not, sstate and hash equivalence could mean that glibc
wouldn't rebuild.
Add a direct dependency on binutils so that if it changes, it forces glibc
to rebuild, as it should.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c4a7b3decff636292f5e76e95406a22b6fe4a994)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/glibc/glibc.inc | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-core/glibc/glibc.inc b/meta/recipes-core/glibc/glibc.inc
index 23a6ca99ae..e42040f3dc 100644
--- a/meta/recipes-core/glibc/glibc.inc
+++ b/meta/recipes-core/glibc/glibc.inc
@@ -1,7 +1,9 @@
require glibc-common.inc
require glibc-ld.inc
-DEPENDS = "virtual/${TARGET_PREFIX}gcc libgcc-initial linux-libc-headers"
+DEPENDS = "virtual/${TARGET_PREFIX}gcc virtual/${TARGET_PREFIX}binutils${BUSUFFIX} libgcc-initial linux-libc-headers"
+BUSUFFIX= ""
+BUSUFFIX:class-nativesdk = "-crosssdk"
PROVIDES = "virtual/libc"
PROVIDES += "virtual/libintl virtual/libiconv"
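Review bot: BUSUFFIX:class-nativesdk uses the colon override form, while other metadata touched in this same series still uses the underscore form (create_sdk_files_append in buildtools-tarball.bb), so please confirm the colon form is parsed as an override on this branch. If it is not, the nativesdk build would depend on virtual/${TARGET_PREFIX}binutils with an empty suffix instead of the -crosssdk provider, and the rebuild this patch is meant to force would not happen there. Minor style points: BUSUFFIX= "" is missing the space before "=", and defining BUSUFFIX above the DEPENDS line that expands it would read more easily.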
--
2.34.1
* [OE-core][dunfell 11/14] buildtools-tarball: Handle spaces within user $PATH
From: Steve Sakoman @ 2023-03-21 14:20 UTC (permalink / raw)
To: openembedded-core
From: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
The environment-setup script generated by the recipe was not quoting the
user's existing PATH when updating it, causing the export command to fail.
Add necessary double quotes around $PATH.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 2d4c032bf3187aaa953a0c33a999074e695f54bb)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/meta/buildtools-tarball.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-core/meta/buildtools-tarball.bb b/meta/recipes-core/meta/buildtools-tarball.bb
index faf7108a86..24f5f28589 100644
--- a/meta/recipes-core/meta/buildtools-tarball.bb
+++ b/meta/recipes-core/meta/buildtools-tarball.bb
@@ -66,7 +66,7 @@ create_sdk_files_append () {
# Generate new (mini) sdk-environment-setup file
script=${1:-${SDK_OUTPUT}/${SDKPATH}/environment-setup-${SDK_SYS}}
touch $script
- echo 'export PATH=${SDKPATHNATIVE}${bindir_nativesdk}:${SDKPATHNATIVE}${sbindir_nativesdk}:${SDKPATHNATIVE}${base_bindir_nativesdk}:${SDKPATHNATIVE}${base_sbindir_nativesdk}:$PATH' >> $script
+ echo 'export PATH="${SDKPATHNATIVE}${bindir_nativesdk}:${SDKPATHNATIVE}${sbindir_nativesdk}:${SDKPATHNATIVE}${base_bindir_nativesdk}:${SDKPATHNATIVE}${base_sbindir_nativesdk}:$PATH"' >> $script
echo 'export OECORE_NATIVE_SYSROOT="${SDKPATHNATIVE}"' >> $script
echo 'export GIT_SSL_CAINFO="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
echo 'export SSL_CERT_FILE="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
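Review bot: The changed echo now writes a fully quoted PATH value, but in the same function touch $script still expands $script unquoted, so a space anywhere in SDK_OUTPUT or SDKPATH would be word-split at generation time before the quoted line is ever written. Quoting "$script" on the touch line and on the redirections would make create_sdk_files_append consistent with the fix. It would also help if the commit message named the shell in which the unquoted export fails, since that determines how this should be tested.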
--
2.34.1
* [OE-core][dunfell 12/14] toolchain-scripts: Handle spaces within user $PATH
From: Steve Sakoman @ 2023-03-21 14:20 UTC (permalink / raw)
To: openembedded-core
From: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
The environment-setup script generated by the recipe was not quoting the
user's existing PATH when updating it, causing the export command to fail.
Add necessary double quotes around $PATH.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 42177ff2d45ee70ad00917bb6fbabca49dae4f59)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/toolchain-scripts.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes/toolchain-scripts.bbclass b/meta/classes/toolchain-scripts.bbclass
index 9aa31dc6cd..21762b803b 100644
--- a/meta/classes/toolchain-scripts.bbclass
+++ b/meta/classes/toolchain-scripts.bbclass
@@ -44,7 +44,7 @@ toolchain_create_sdk_env_script () {
for i in ${CANADIANEXTRAOS}; do
EXTRAPATH="$EXTRAPATH:$sdkpathnative$bindir/${TARGET_ARCH}${TARGET_VENDOR}-$i"
done
- echo "export PATH=$sdkpathnative$bindir:$sdkpathnative$sbindir:$sdkpathnative$base_bindir:$sdkpathnative$base_sbindir:$sdkpathnative$bindir/../${HOST_SYS}/bin:$sdkpathnative$bindir/${TARGET_SYS}"$EXTRAPATH':$PATH' >> $script
+ echo "export PATH=$sdkpathnative$bindir:$sdkpathnative$sbindir:$sdkpathnative$base_bindir:$sdkpathnative$base_sbindir:$sdkpathnative$bindir/../${HOST_SYS}/bin:$sdkpathnative$bindir/${TARGET_SYS}"$EXTRAPATH':"$PATH"' >> $script
echo 'export PKG_CONFIG_SYSROOT_DIR=$SDKTARGETSYSROOT' >> $script
echo 'export PKG_CONFIG_PATH=$SDKTARGETSYSROOT'"$libdir"'/pkgconfig:$SDKTARGETSYSROOT'"$prefix"'/share/pkgconfig' >> $script
echo 'export CONFIG_SITE=${SDKPATH}/site-config-'"${multimach_target_sys}" >> $script
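Review bot: On the changed echo the double quotes are placed only around the trailing $PATH (':"$PATH"'), so the generated line has the form export PATH=<sdk dirs>:"$PATH" and the SDK directories and $EXTRAPATH stay outside the quotes. That differs from the buildtools-tarball and populate_sdk_ext changes in this series, which wrap the whole value, and it means a space in $sdkpathnative would still split the assignment. Opening the quote right after PATH= and closing it after $PATH would give the same result as the other two patches. $EXTRAPATH is also expanded unquoted in the echo command itself.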
--
2.34.1
* [OE-core][dunfell 13/14] populate_sdk_ext: Handle spaces within user $PATH
From: Steve Sakoman @ 2023-03-21 14:20 UTC (permalink / raw)
To: openembedded-core
From: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
The script generated by the sdk_ext_postinst function was not quoting
the user's existing PATH when updating it, causing the export command to
fail.
Add necessary double quotes around $PATH.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 00e96bf250eaaded839caf465dbc0af5b604aed7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/populate_sdk_ext.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes/populate_sdk_ext.bbclass b/meta/classes/populate_sdk_ext.bbclass
index b24f8d99d5..a43ff3fb32 100644
--- a/meta/classes/populate_sdk_ext.bbclass
+++ b/meta/classes/populate_sdk_ext.bbclass
@@ -669,7 +669,7 @@ sdk_ext_postinst() {
# A bit of another hack, but we need this in the path only for devtool
# so put it at the end of $PATH.
- echo "export PATH=$target_sdk_dir/sysroots/${SDK_SYS}${bindir_nativesdk}:\$PATH" >> $env_setup_script
+ echo "export PATH=\"$target_sdk_dir/sysroots/${SDK_SYS}${bindir_nativesdk}:\$PATH\"" >> $env_setup_script
echo "printf 'SDK environment now set up; additionally you may now run devtool to perform development tasks.\nRun devtool --help for further details.\n'" >> $env_setup_script
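Review bot: The comment directly above the changed echo says the directory is put "at the end of $PATH", but the generated line is export PATH="<dir>:$PATH", which places it at the front, ahead of the user's existing entries. The quoting change does not alter that order, but since this line is being touched, either the comment or the order should be corrected so the two agree; which directory wins a lookup matters for an environment script that users source. The redirect target $env_setup_script is also still unquoted.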
--
2.34.1
* [OE-core][dunfell 14/14] base-files: Drop localhost.localdomain from hosts file
From: Steve Sakoman @ 2023-03-21 14:20 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
This was likely something we took inspiration from elsewhere with.
It was added in:
https://git.openembedded.org/openembedded/commit/packages/netbase/netbase/hosts?id=c8e5702127e507e82e6f68a4b8c546803accea9d
in 2005. Debian added this entry around 2004 and discussed and dropped
it in 2005:
https://lists.debian.org/debian-devel/2005/10/msg00559.html
resulting in:
https://salsa.debian.org/installer-team/netcfg/-/commit/3c15ee521b2b8f47b34ccc7f610523cd284f2221
We should drop this for some of the reasons in those threads,
it doesn't seem to be doing anything too helpful and isn't what most
applications expect.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e730d005fa8aec07f9ae25c58d4566eaa92a6997)
Signed-off-by: Jermain Horsman <jermain.horsman@nedap.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/base-files/base-files/hosts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-core/base-files/base-files/hosts b/meta/recipes-core/base-files/base-files/hosts
index b94f414d5c..10a5b6c704 100644
--- a/meta/recipes-core/base-files/base-files/hosts
+++ b/meta/recipes-core/base-files/base-files/hosts
@@ -1,4 +1,4 @@
-127.0.0.1 localhost.localdomain localhost
+127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
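Review bot: Removing localhost.localdomain from the 127.0.0.1 line changes name resolution on every image that ships this hosts file, yet the commit message gives the reasons only by pointing at the Debian threads. For a stable-branch backport, a one-sentence summary of the actual reason in the message, and a note for anyone whose configuration refers to localhost.localdomain, would make the change easier to assess. The unchanged ::1 line already lacks that alias, so the IPv4 and IPv6 entries are consistent after this change.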
--
2.34.1
* [OE-core][dunfell 00/14] Patch review
From: Steve Sakoman @ 2023-06-22 15:31 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for dunfell and have comments back by
end of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5493
The following changes since commit 77f6fbfa18b4ad77c3756cfdc45d441a20210781:
build-appliance-image: Update to dunfell head revision (2023-06-17 09:47:49 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Abdellatif El Khlifi (1):
kernel-fitimage: adding support for Initramfs bundle and u-boot script
Andrej Valek (1):
kernel-fitimage: use correct kernel image
Hitendra Prajapati (1):
openssl: CVE-2023-2650 Possible DoS translating ASN.1 object
identifiers
Ian Ray (1):
systemd-systemctl: support instance expansion in WantedBy
Jan Vermaete (1):
cve-update-nvd2-native: added the missing http import
Marta Rybczynska (1):
cve-update-nvd2-native: new CVE database fetcher
Martin Siegumfeldt (1):
systemd-systemctl: fix instance template WantedBy symlink construction
Michael Halstead (4):
uninative: Upgrade to 3.8.1 to include libgcc
uninative: Upgrade to 3.9 to include glibc 2.37
uninative: Upgrade to 3.10 to support gcc 13
uninative: Upgrade to 4.0 to include latest gcc 13.1.1
Richard Purdie (1):
uninative: Ensure uninative is enabled in all cases for BuildStarted
event
Sanjay Chitroda (1):
cups: Fix CVE-2023-32324
Steve Sakoman (1):
uninative.bbclass: handle read only files outside of patchelf
meta/classes/cve-check.bbclass | 4 +-
meta/classes/kernel-fitimage.bbclass | 142 ++++++--
meta/classes/uninative.bbclass | 4 +
meta/conf/distro/include/yocto-uninative.inc | 10 +-
.../openssl/openssl/CVE-2023-2650.patch | 122 +++++++
.../openssl/openssl_1.1.1t.bb | 1 +
.../meta/cve-update-nvd2-native.bb | 334 ++++++++++++++++++
.../systemd/systemd-systemctl/systemctl | 8 +-
meta/recipes-extended/cups/cups.inc | 1 +
.../cups/cups/CVE-2023-32324.patch | 36 ++
10 files changed, 629 insertions(+), 33 deletions(-)
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch
create mode 100644 meta/recipes-core/meta/cve-update-nvd2-native.bb
create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-32324.patch
--
2.34.1
* Re: [OE-core][dunfell 00/14] Patch review
From: Marta Rybczynska @ 2023-08-02 12:05 UTC (permalink / raw)
To: Steve Sakoman; +Cc: openembedded-core
On Thu, Jun 22, 2023 at 5:31 PM Steve Sakoman <steve@sakoman.com> wrote:
> Please review this set of changes for dunfell and have comments back by
> end of day Monday.
>
> Passed a-full on autobuilder:
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5493
>
> The following changes since commit
> 77f6fbfa18b4ad77c3756cfdc45d441a20210781:
>
> build-appliance-image: Update to dunfell head revision (2023-06-17
> 09:47:49 -1000)
>
> are available in the Git repository at:
>
> https://git.openembedded.org/openembedded-core-contrib
> stable/dunfell-nut
>
> http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
>
> Abdellatif El Khlifi (1):
> kernel-fitimage: adding support for Initramfs bundle and u-boot script
>
> Andrej Valek (1):
> kernel-fitimage: use correct kernel image
>
> Hitendra Prajapati (1):
> openssl: CVE-2023-2650 Possible DoS translating ASN.1 object
> identifiers
>
> Ian Ray (1):
> systemd-systemctl: support instance expansion in WantedBy
>
> Jan Vermaete (1):
> cve-update-nvd2-native: added the missing http import
>
> Marta Rybczynska (1):
> cve-update-nvd2-native: new CVE database fetcher
>
> Martin Siegumfeldt (1):
> systemd-systemctl: fix instance template WantedBy symlink construction
>
> Michael Halstead (4):
> uninative: Upgrade to 3.8.1 to include libgcc
> uninative: Upgrade to 3.9 to include glibc 2.37
> uninative: Upgrade to 3.10 to support gcc 13
> uninative: Upgrade to 4.0 to include latest gcc 13.1.1
>
> Richard Purdie (1):
> uninative: Ensure uninative is enabled in all cases for BuildStarted
> event
>
> Sanjay Chitroda (1):
> cups: Fix CVE-2023-32324
>
> Steve Sakoman (1):
> uninative.bbclass: handle read only files outside of patchelf
>
> meta/classes/cve-check.bbclass | 4 +-
> meta/classes/kernel-fitimage.bbclass | 142 ++++++--
> meta/classes/uninative.bbclass | 4 +
> meta/conf/distro/include/yocto-uninative.inc | 10 +-
> .../openssl/openssl/CVE-2023-2650.patch | 122 +++++++
> .../openssl/openssl_1.1.1t.bb | 1 +
> .../meta/cve-update-nvd2-native.bb | 334 ++++++++++++++++++
> .../systemd/systemd-systemctl/systemctl | 8 +-
> meta/recipes-extended/cups/cups.inc | 1 +
> .../cups/cups/CVE-2023-32324.patch | 36 ++
> 10 files changed, 629 insertions(+), 33 deletions(-)
> create mode 100644
> meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch
> create mode 100644 meta/recipes-core/meta/cve-update-nvd2-native.bb
> create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-32324.patch
>
>
Tested this version for the CVE fetcher backport to dunfell, no unexpected
issues seen.
Kind regards,
Marta
* [OE-core][dunfell 00/14] Patch review
From: Steve Sakoman @ 2023-08-25 2:47 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for dunfell and have comments back by
end of day Saturday, August 26.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5779
The following changes since commit b70a8333a7467162b9d148b99f5970c0af2a531f:
kernel: skip installing fitImage when using Initramfs bundles (2023-08-12 05:38:11 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Ashish Sharma (1):
curl: Backport fix CVE-2023-32001
BELOUARGA Mohamed (1):
linux-firmware : Add firmware of RTL8822 serie
Chee Yang Lee (1):
tiff: CVE-2022-3599.patch also fix CVE-2022-4645 CVE-2023-30774
Dmitry Baryshkov (2):
linux-firmware: package firmare for Dragonboard 410c
linux-firmware: split platform-specific Adreno shaders to separate
packages
Jasper Orschulko (1):
cve_check: Fix cpe_id generation
Kai Kang (1):
grub2.inc: remove '-O2' from CFLAGS
Michael Halstead (2):
yocto-uninative: Update hashes for uninative 4.1
yocto-uninative: Update to 4.2 for glibc 2.38
Ross Burton (1):
oeqa/runtime/cases/rpm: fix wait_for_no_process_for_user failure case
Trevor Gamblin (1):
linux-firmware: upgrade 20230515 -> 20230625
Vijay Anusuri (1):
elfutils: Backport fix for CVE-2021-33294
Wang Mingyu (1):
libnss-nis: upgrade 3.1 -> 3.2
Yoann Congal (1):
recipetool: Fix inherit in created -native* recipes
meta/conf/distro/include/yocto-uninative.inc | 10 +--
meta/lib/oe/cve_check.py | 2 +-
meta/lib/oeqa/runtime/cases/rpm.py | 4 +-
meta/recipes-bsp/grub/grub2.inc | 2 +
.../elfutils/elfutils_0.178.bb | 1 +
.../elfutils/files/CVE-2021-33294.patch | 72 +++++++++++++++++++
.../recipes-extended/libnss-nis/libnss-nis.bb | 4 +-
...20230515.bb => linux-firmware_20230625.bb} | 37 +++++++---
.../libtiff/files/CVE-2022-3599.patch | 2 +-
.../curl/curl/CVE-2023-32001.patch | 38 ++++++++++
meta/recipes-support/curl/curl_7.69.1.bb | 1 +
scripts/lib/recipetool/create.py | 4 ++
12 files changed, 158 insertions(+), 19 deletions(-)
create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2021-33294.patch
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230515.bb => linux-firmware_20230625.bb} (96%)
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-32001.patch
--
2.34.1
* [OE-core][dunfell 00/14] Patch review
From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for dunfell and have comments back by
end of day Thursday, September 14.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5868
The following changes since commit c953ccba6c2a334cc58a97eee073bdb51a68f1d3:
linux/cve-exclusion: remove obsolete manual entries (2023-08-31 04:26:32 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Anuj Mittal (4):
glibc/check-test-wrapper: don't emit warnings from ssh
selftest/cases/glibc.py: increase the memory for testing
oeqa/utils/nfs: allow requesting non-udp ports
selftest/cases/glibc.py: switch to using NFS over TCP
Ashish Sharma (1):
qemu: Backport fix CVE-2023-3180
Michael Halstead (2):
yocto-uninative: Update to 4.3
resulttool/resultutils: allow index generation despite corrupt json
Priyal Doshi (1):
rootfs-post: remove traling blanks from tasks
Richard Purdie (2):
oeqa/target/ssh: Ensure EAGAIN doesn't truncate output
oeqa/runtime/ltp: Increase ltp test output timeout
Shubham Kulkarni (1):
openssh: Securiry fix for CVE-2023-38408
Staffan Rydén (1):
kernel: Fix path comparison in kernel staging dir symlinking
Vijay Anusuri (2):
bind: Backport fix for CVE-2023-2828
qemu: Backport fix for CVE-2023-0330
meta/classes/kernel.bbclass | 7 +-
meta/classes/rootfs-postcommands.bbclass | 6 +-
meta/classes/rootfsdebugfiles.bbclass | 2 +-
meta/conf/distro/include/yocto-uninative.inc | 8 +-
meta/lib/oeqa/core/target/ssh.py | 3 +
meta/lib/oeqa/runtime/cases/ltp.py | 2 +-
meta/lib/oeqa/selftest/cases/glibc.py | 6 +-
meta/lib/oeqa/utils/nfs.py | 4 +-
.../bind/bind/CVE-2023-2828.patch | 166 +++++
.../recipes-connectivity/bind/bind_9.11.37.bb | 1 +
.../openssh/openssh/CVE-2023-38408-01.patch | 189 ++++++
.../openssh/openssh/CVE-2023-38408-02.patch | 581 ++++++++++++++++++
.../openssh/openssh/CVE-2023-38408-03.patch | 171 ++++++
.../openssh/openssh/CVE-2023-38408-04.patch | 34 +
.../openssh/openssh/CVE-2023-38408-05.patch | 194 ++++++
.../openssh/openssh/CVE-2023-38408-06.patch | 73 +++
.../openssh/openssh/CVE-2023-38408-07.patch | 125 ++++
.../openssh/openssh/CVE-2023-38408-08.patch | 315 ++++++++++
.../openssh/openssh/CVE-2023-38408-09.patch | 38 ++
.../openssh/openssh/CVE-2023-38408-10.patch | 39 ++
.../openssh/openssh/CVE-2023-38408-11.patch | 307 +++++++++
.../openssh/openssh/CVE-2023-38408-12.patch | 120 ++++
.../openssh/openssh_8.2p1.bb | 12 +
.../glibc/glibc/check-test-wrapper | 2 +-
meta/recipes-devtools/qemu/qemu.inc | 4 +-
...-2023-0330.patch => CVE-2023-0330_1.patch} | 0
.../qemu/qemu/CVE-2023-0330_2.patch | 135 ++++
.../qemu/qemu/CVE-2023-3180.patch | 49 ++
scripts/lib/resulttool/resultutils.py | 6 +-
29 files changed, 2579 insertions(+), 20 deletions(-)
create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch
rename meta/recipes-devtools/qemu/qemu/{CVE-2023-0330.patch => CVE-2023-0330_1.patch} (100%)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch
--
2.34.1