public inbox for openembedded-core@lists.openembedded.org
* [OE-core][kirkstone 00/15] Patch review
@ 2022-06-19 19:30 Steve Sakoman
  0 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2022-06-19 19:30 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for kirkstone and have comments back by
end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3799

The following changes since commit 0f7a8359ba370c7f5d5153453ed699e9566f5b1d:

  rootfs.py: close kernel_abi_ver_file (2022-06-10 05:13:53 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Jack Mitchell (1):
  meson.bbclass: add cython binary to cross/native toolchain config

Jose Quaresma (2):
  archiver: use bb.note instead of echo
  archiver: don't use machine variables in shared recipes

Kai Kang (1):
  xxhash: fix build with gcc 12

Mingli Yu (1):
  oescripts: change compare logic in OEListPackageconfigTests

Pavel Zhukov (1):
  systemd: update 0008-add-missing-FTW_-macros-for-musl.patch

Rasmus Villemoes (1):
  e2fsprogs: add alternatives handling of lsattr as well

Richard Purdie (5):
  vim: Upgrade 8.2.5034 -> 8.2.5083
  uboot-sign: Fix potential index error issues
  selftest/multiconfig: Test that multiconfigs in separate layers works
  gcc-source: Fix incorrect task dependencies from ${B}
  liberror-perl: Update sstate/equiv versions to clean cache

Xiaobing Luo (1):
  devtool: Fix _copy_file() TypeError

Yi Zhao (2):
  popt: fix override syntax in RDEPENDS
  git: fix override syntax in RDEPENDS

 meta-selftest/conf/multiconfig/muslmc.conf          |  2 ++
 meta/classes/archiver.bbclass                       | 11 ++++++++---
 meta/classes/meson.bbclass                          |  2 ++
 meta/classes/uboot-sign.bbclass                     |  2 ++
 meta/lib/oeqa/selftest/cases/multiconfig.py         | 13 +++++++++++++
 meta/lib/oeqa/selftest/cases/oescripts.py           |  3 ++-
 .../0008-add-missing-FTW_-macros-for-musl.patch     |  8 ++++----
 meta/recipes-devtools/e2fsprogs/e2fsprogs_1.46.5.bb |  5 ++++-
 meta/recipes-devtools/gcc/gcc-common.inc            |  2 +-
 meta/recipes-devtools/gcc/gcc-source.inc            |  1 +
 meta/recipes-devtools/git/git_2.35.3.bb             |  2 +-
 meta/recipes-devtools/perl/liberror-perl_0.17029.bb |  4 ++++
 meta/recipes-support/popt/popt_1.18.bb              |  2 +-
 meta/recipes-support/vim/vim.inc                    |  4 ++--
 meta/recipes-support/xxhash/xxhash_0.8.1.bb         |  2 ++
 scripts/lib/devtool/standard.py                     |  2 +-
 16 files changed, 50 insertions(+), 15 deletions(-)
 create mode 100644 meta-selftest/conf/multiconfig/muslmc.conf

-- 
2.25.1




* [OE-core][kirkstone 00/15] Patch review
@ 2022-07-27  0:40 Steve Sakoman
  0 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2022-07-27  0:40 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for kirkstone and have comments back by
end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3979

The following changes since commit f1c2e21a28f8ad5dc6ff7b0db877aa22e01a9e00:

  pulseaudio: add m4-native to DEPENDS (2022-07-17 16:59:57 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alexander Kanavin (1):
  gnupg: update 2.3.4 -> 2.3.6

Joshua Watt (1):
  sstatesig: Include all dependencies in SPDX task signatures

Khem Raj (2):
  lua: Backport fix for CVE-2022-33099
  gcc-runtime: Pass -nostartfiles when building dummy libstdc++.so

Ming Liu (1):
  rootfs-postcommands.bbclass: move host-user-contaminated.txt to ${S}

Naveen (1):
  gcc: Backport a fix for gcc bug 105039

Richard Purdie (1):
  vim: Upgrade 9.0.0021 -> 9.0.0063

Sakib Sajal (3):
  dpkg: fix CVE-2022-1664
  go: update v1.17.10 -> v1.17.12
  git: upgrade v2.35.3 -> v2.35.4

Tom Hochstein (1):
  gobject-introspection-data: Disable cache for g-ir-scanner

Yi Zhao (1):
  tiff: Security fixes CVE-2022-1354 and CVE-2022-1355

Yue Tao (1):
  gnupg: upgrade to 2.3.7 to fix CVE-2022-34903

wangmy (2):
  bind: upgrade 9.18.2 -> 9.18.3
  bind: upgrade 9.18.3 -> 9.18.4

 .../gobject-introspection-data.bbclass        |   5 +
 meta/classes/rootfs-postcommands.bbclass      |   2 +-
 meta/lib/oe/sstatesig.py                      |   9 +
 ...1-avoid-start-failure-with-bind-user.patch |   0
 ...d-V-and-start-log-hide-build-options.patch |   0
 ...ching-for-json-headers-searches-sysr.patch |   0
 .../bind/{bind-9.18.2 => bind-9.18.4}/bind9   |   0
 .../{bind-9.18.2 => bind-9.18.4}/conf.patch   |   0
 .../generate-rndc-key.sh                      |   0
 ...t.d-add-support-for-read-only-rootfs.patch |   0
 .../make-etc-initd-bind-stop-work.patch       |   0
 .../named.service                             |   0
 .../bind/{bind_9.18.2.bb => bind_9.18.4.bb}   |   2 +-
 ...ive-Prevent-directory-traversal-for-.patch | 328 ++++++++++++++++++
 meta/recipes-devtools/dpkg/dpkg_1.21.4.bb     |   1 +
 meta/recipes-devtools/gcc/gcc-11.3.inc        |   2 +-
 meta/recipes-devtools/gcc/gcc-runtime.inc     |   3 +-
 .../gcc/gcc/0030-rust-recursion-limit.patch   |  92 +++++
 .../git/{git_2.35.3.bb => git_2.35.4.bb}      |   2 +-
 .../go/{go-1.17.10.inc => go-1.17.12.inc}     |   2 +-
 ...1.17.10.bb => go-binary-native_1.17.12.bb} |   4 +-
 ....17.10.bb => go-cross-canadian_1.17.12.bb} |   0
 ...o-cross_1.17.10.bb => go-cross_1.17.12.bb} |   0
 ...ssdk_1.17.10.bb => go-crosssdk_1.17.12.bb} |   0
 ...native_1.17.10.bb => go-native_1.17.12.bb} |   0
 ...ntime_1.17.10.bb => go-runtime_1.17.12.bb} |   0
 .../go/{go_1.17.10.bb => go_1.17.12.bb}       |   0
 .../lua/lua/CVE-2022-33099.patch              |  61 ++++
 meta/recipes-devtools/lua/lua_5.4.4.bb        |   1 +
 .../gobject-introspection_1.72.0.bb           |   3 -
 .../libtiff/tiff/CVE-2022-1354.patch          | 212 +++++++++++
 .../libtiff/tiff/CVE-2022-1355.patch          |  62 ++++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |   2 +
 ...-a-custom-value-for-the-location-of-.patch |   6 +-
 .../0003-dirmngr-uses-libgpg-error.patch      |  29 --
 .../gnupg/gnupg/relocate.patch                |  18 +-
 .../gnupg/{gnupg_2.3.4.bb => gnupg_2.3.7.bb}  |   3 +-
 .../vim/files/crosscompile.patch              |  51 +++
 meta/recipes-support/vim/files/racefix.patch  |  12 +-
 meta/recipes-support/vim/vim.inc              |   9 +-
 40 files changed, 860 insertions(+), 61 deletions(-)
 rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/0001-avoid-start-failure-with-bind-user.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/0001-named-lwresd-V-and-start-log-hide-build-options.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/bind-ensure-searching-for-json-headers-searches-sysr.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/bind9 (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/conf.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/generate-rndc-key.sh (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/init.d-add-support-for-read-only-rootfs.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/make-etc-initd-bind-stop-work.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/named.service (100%)
 rename meta/recipes-connectivity/bind/{bind_9.18.2.bb => bind_9.18.4.bb} (98%)
 create mode 100644 meta/recipes-devtools/dpkg/dpkg/0001-Dpkg-Source-Archive-Prevent-directory-traversal-for-.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc/0030-rust-recursion-limit.patch
 rename meta/recipes-devtools/git/{git_2.35.3.bb => git_2.35.4.bb} (98%)
 rename meta/recipes-devtools/go/{go-1.17.10.inc => go-1.17.12.inc} (92%)
 rename meta/recipes-devtools/go/{go-binary-native_1.17.10.bb => go-binary-native_1.17.12.bb} (83%)
 rename meta/recipes-devtools/go/{go-cross-canadian_1.17.10.bb => go-cross-canadian_1.17.12.bb} (100%)
 rename meta/recipes-devtools/go/{go-cross_1.17.10.bb => go-cross_1.17.12.bb} (100%)
 rename meta/recipes-devtools/go/{go-crosssdk_1.17.10.bb => go-crosssdk_1.17.12.bb} (100%)
 rename meta/recipes-devtools/go/{go-native_1.17.10.bb => go-native_1.17.12.bb} (100%)
 rename meta/recipes-devtools/go/{go-runtime_1.17.10.bb => go-runtime_1.17.12.bb} (100%)
 rename meta/recipes-devtools/go/{go_1.17.10.bb => go_1.17.12.bb} (100%)
 create mode 100644 meta/recipes-devtools/lua/lua/CVE-2022-33099.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
 delete mode 100644 meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch
 rename meta/recipes-support/gnupg/{gnupg_2.3.4.bb => gnupg_2.3.7.bb} (95%)
 create mode 100644 meta/recipes-support/vim/files/crosscompile.patch

-- 
2.25.1




* [OE-core][kirkstone 00/15] Patch review
@ 2023-05-06 15:24 Steve Sakoman
  2023-05-06 15:24 ` [OE-core][kirkstone 01/15] ffmpeg: fix for CVE-2022-48434 Steve Sakoman
                   ` (14 more replies)
  0 siblings, 15 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for kirkstone and have comments back by
end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5269

The following changes since commit 2d67702bdfc64358d364dd6484ae41842ee7c52f:

  glibc: stable 2.35 branch updates. (2023-04-28 03:55:33 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Arturo Buzarra (1):
  run-postinsts: Set dependency for ldconfig to avoid boot issues

Deepthi Hemraj (4):
  binutils : Fix CVE-2023-25584
  binutils : Fix CVE-2023-25585
  binutils : Fix CVE-2023-1972
  binutils : Fix CVE-2023-25588

Hitendra Prajapati (1):
  connman: fix CVE-2023-28488 DoS in client.c

Kai Kang (1):
  webkitgtk: fix CVE-2022-32888 & CVE-2022-32923

Narpat Mali (2):
  ffmpeg: fix for CVE-2022-48434
  python3-cryptography: fix for CVE-2023-23931

Randolph Sapp (2):
  wic/bootimg-efi: if fixed-size is set then use that for mkdosfs
  kernel-devicetree: allow specification of dtb directory

Ranjitsinh Rathod (1):
  libbsd: Add correct license for all packages

Shubham Kulkarni (1):
  go: Security fix for CVE-2023-24538

Vivek Kumbhar (2):
  freetype: fix CVE-2023-2004 integer overflow in
    tt_hvadvance_adjust() in src/truetype/ttgxvar.c
  go: fix CVE-2023-24534 denial of service from excessive memory
    allocation

 meta/classes/kernel-devicetree.bbclass        |  22 +-
 meta/classes/kernel.bbclass                   |   2 +
 .../connman/connman/CVE-2023-28488.patch      |  60 ++
 .../connman/connman_1.41.bb                   |   1 +
 .../binutils/binutils-2.38.inc                |   6 +
 .../binutils/0022-CVE-2023-25584-1.patch      |  56 ++
 .../binutils/0022-CVE-2023-25584-2.patch      |  38 ++
 .../binutils/0022-CVE-2023-25584-3.patch      | 534 ++++++++++++++++++
 .../binutils/0023-CVE-2023-25585.patch        |  54 ++
 .../binutils/0025-CVE-2023-25588.patch        | 147 +++++
 .../binutils/0026-CVE-2023-1972.patch         |  41 ++
 meta/recipes-devtools/go/go-1.17.13.inc       |   2 +
 .../go/go-1.18/CVE-2023-24534.patch           | 200 +++++++
 .../go/go-1.18/CVE-2023-24538.patch           | 208 +++++++
 .../python3-cryptography/CVE-2023-23931.patch |  49 ++
 .../python/python3-cryptography_36.0.2.bb     |   1 +
 .../run-postinsts/run-postinsts.service       |   2 +-
 .../freetype/freetype/CVE-2023-2004.patch     |  41 ++
 .../freetype/freetype_2.11.1.bb               |   1 +
 .../ffmpeg/ffmpeg/CVE-2022-48434.patch        | 130 +++++
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb |   3 +-
 .../webkit/webkitgtk/CVE-2022-32888.patch     |  41 ++
 .../webkit/webkitgtk/CVE-2022-32923.patch     | 435 ++++++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   2 +
 meta/recipes-support/libbsd/libbsd_0.11.5.bb  |   7 +
 scripts/lib/wic/plugins/source/bootimg-efi.py |   7 +
 26 files changed, 2083 insertions(+), 7 deletions(-)
 create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-1.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-2.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-3.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0023-CVE-2023-25585.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0026-CVE-2023-1972.patch
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-24534.patch
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-24538.patch
 create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch
 create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-32888.patch
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch

-- 
2.34.1




* [OE-core][kirkstone 01/15] ffmpeg: fix for CVE-2022-48434
  2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
  2023-05-06 15:24 ` [OE-core][kirkstone 02/15] connman: fix CVE-2023-28488 DoS in client.c Steve Sakoman
                   ` (13 subsequent siblings)
  14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
  To: openembedded-core

From: Narpat Mali <narpat.mali@windriver.com>

libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and
other products, leaves stale hwaccel state in worker threads, which
allows attackers to trigger a use-after-free and execute arbitrary
code in some circumstances (e.g., hardware re-initialization upon a
mid-video SPS change when Direct3D11 is used).

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ffmpeg/ffmpeg/CVE-2022-48434.patch        | 130 ++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb |   3 +-
 2 files changed, 132 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch
new file mode 100644
index 0000000000..3cd374dc39
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch
@@ -0,0 +1,130 @@
+From e40c964a0678908e2c756741343ed50d6a99ee12 Mon Sep 17 00:00:00 2001
+From: Anton Khirnov <anton@khirnov.net>
+Date: Fri, 28 Apr 2023 11:45:30 +0000
+Subject: [PATCH] lavc/pthread_frame: avoid leaving stale hwaccel state in
+ worker threads
+
+This state is not refcounted, so make sure it always has a well-defined
+owner.
+
+Remove the block added in 091341f, as
+this commit also solves that issue in a more general way.
+
+CVE:CVE-2022-48434
+
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/cc867f2c09d2b69cee8a0eccd62aff002cbbfe11]
+
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ libavcodec/pthread_frame.c | 46 +++++++++++++++++++++++++++++---------
+ 1 file changed, 35 insertions(+), 11 deletions(-)
+
+diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c
+index 85a6bc9..e40dced 100644
+--- a/libavcodec/pthread_frame.c
++++ b/libavcodec/pthread_frame.c
+@@ -145,6 +145,12 @@ typedef struct FrameThreadContext {
+                                     * Set for the first N packets, where N is the number of threads.
+                                     * While it is set, ff_thread_en/decode_frame won't return any results.
+                                     */
++
++    /* hwaccel state is temporarily stored here in order to transfer its ownership
++     * to the next decoding thread without the need for extra synchronization */
++    const AVHWAccel *stash_hwaccel;
++    void            *stash_hwaccel_context;
++    void            *stash_hwaccel_priv;
+ } FrameThreadContext;
+ 
+ #if FF_API_THREAD_SAFE_CALLBACKS
+@@ -229,9 +235,17 @@ FF_ENABLE_DEPRECATION_WARNINGS
+             ff_thread_finish_setup(avctx);
+ 
+         if (p->hwaccel_serializing) {
++            /* wipe hwaccel state to avoid stale pointers lying around;
++             * the state was transferred to FrameThreadContext in
++             * ff_thread_finish_setup(), so nothing is leaked */
++            avctx->hwaccel                     = NULL;
++            avctx->hwaccel_context             = NULL;
++            avctx->internal->hwaccel_priv_data = NULL;
++
+             p->hwaccel_serializing = 0;
+             pthread_mutex_unlock(&p->parent->hwaccel_mutex);
+         }
++        av_assert0(!avctx->hwaccel);
+ 
+         if (p->async_serializing) {
+             p->async_serializing = 0;
+@@ -294,14 +308,10 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src,
+         dst->color_range = src->color_range;
+         dst->chroma_sample_location = src->chroma_sample_location;
+ 
+-        dst->hwaccel = src->hwaccel;
+-        dst->hwaccel_context = src->hwaccel_context;
+-
+         dst->channels       = src->channels;
+         dst->sample_rate    = src->sample_rate;
+         dst->sample_fmt     = src->sample_fmt;
+         dst->channel_layout = src->channel_layout;
+-        dst->internal->hwaccel_priv_data = src->internal->hwaccel_priv_data;
+ 
+         if (!!dst->hw_frames_ctx != !!src->hw_frames_ctx ||
+             (dst->hw_frames_ctx && dst->hw_frames_ctx->data != src->hw_frames_ctx->data)) {
+@@ -442,6 +452,12 @@ static int submit_packet(PerThreadContext *p, AVCodecContext *user_avctx,
+             pthread_mutex_unlock(&p->mutex);
+             return err;
+         }
++
++        /* transfer hwaccel state stashed from previous thread, if any */
++        av_assert0(!p->avctx->hwaccel);
++        FFSWAP(const AVHWAccel*, p->avctx->hwaccel,                     fctx->stash_hwaccel);
++        FFSWAP(void*,            p->avctx->hwaccel_context,             fctx->stash_hwaccel_context);
++        FFSWAP(void*,            p->avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
+     }
+ 
+     av_packet_unref(p->avpkt);
+@@ -647,6 +663,14 @@ void ff_thread_finish_setup(AVCodecContext *avctx) {
+         async_lock(p->parent);
+     }
+ 
++    /* save hwaccel state for passing to the next thread;
++     * this is done here so that this worker thread can wipe its own hwaccel
++     * state after decoding, without requiring synchronization */
++    av_assert0(!p->parent->stash_hwaccel);
++    p->parent->stash_hwaccel         = avctx->hwaccel;
++    p->parent->stash_hwaccel_context = avctx->hwaccel_context;
++    p->parent->stash_hwaccel_priv    = avctx->internal->hwaccel_priv_data;
++
+     pthread_mutex_lock(&p->progress_mutex);
+     if(atomic_load(&p->state) == STATE_SETUP_FINISHED){
+         av_log(avctx, AV_LOG_WARNING, "Multiple ff_thread_finish_setup() calls\n");
+@@ -700,13 +724,6 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
+ 
+     park_frame_worker_threads(fctx, thread_count);
+ 
+-    if (fctx->prev_thread && avctx->internal->hwaccel_priv_data !=
+-                             fctx->prev_thread->avctx->internal->hwaccel_priv_data) {
+-        if (update_context_from_thread(avctx, fctx->prev_thread->avctx, 1) < 0) {
+-            av_log(avctx, AV_LOG_ERROR, "Failed to update user thread.\n");
+-        }
+-    }
+-
+     if (fctx->prev_thread && fctx->prev_thread != fctx->threads)
+         if (update_context_from_thread(fctx->threads->avctx, fctx->prev_thread->avctx, 0) < 0) {
+             av_log(avctx, AV_LOG_ERROR, "Final thread update failed\n");
+@@ -760,6 +777,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
+     av_freep(&fctx->threads);
+     ff_pthread_free(fctx, thread_ctx_offsets);
+ 
++    /* if we have stashed hwaccel state, move it to the user-facing context,
++     * so it will be freed in avcodec_close() */
++    av_assert0(!avctx->hwaccel);
++    FFSWAP(const AVHWAccel*, avctx->hwaccel,                     fctx->stash_hwaccel);
++    FFSWAP(void*,            avctx->hwaccel_context,             fctx->stash_hwaccel_context);
++    FFSWAP(void*,            avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
++
+     av_freep(&avctx->internal->thread_ctx);
+ }
+ 
+-- 
+2.40.0
+
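Review bot: The tag in the embedded patch header reads "CVE:CVE-2022-48434" with no space after the colon, while the other patches in this series write "CVE: CVE-2023-28488" and "CVE: CVE-2023-2004"; please change it to "CVE: CVE-2022-48434" so every tag in the series has the same form. The header's From line also carries e40c964a0678908e2c756741343ed50d6a99ee12 while Upstream-Status points at cc867f2c09d2b69cee8a0eccd62aff002cbbfe11, so a line saying whether this is a straight cherry-pick or was adapted for 5.0.1 would help whoever next rebases it.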
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
index 4bcbda9976..6ece34fcfd 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -28,7 +28,8 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
            file://0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch \
            file://0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch \
            file://0001-avformat-nutdec-Add-check-for-avformat_new_stream.patch \
-           "
+           file://CVE-2022-48434.patch \
+          "
 
 SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
 
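Review bot: The closing quote of SRC_URI is removed and re-added with one less space of indentation, which is why this file shows two insertions and one deletion for what is a one-line change. Leave the existing closing-quote line untouched and add only the "file://CVE-2022-48434.patch \" line above it, as the connman and freetype recipes in this series do.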
-- 
2.34.1




* [OE-core][kirkstone 02/15] connman: fix CVE-2023-28488 DoS in client.c
  2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
  2023-05-06 15:24 ` [OE-core][kirkstone 01/15] ffmpeg: fix for CVE-2022-48434 Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
  2023-05-06 15:24 ` [OE-core][kirkstone 03/15] freetype: fix CVE-2023-2004 integer overflow in tt_hvadvance_adjust() in src/truetype/ttgxvar.c Steve Sakoman
                   ` (12 subsequent siblings)
  14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
  To: openembedded-core

From: Hitendra Prajapati <hprajapati@mvista.com>

Upstream-Status: Backport from https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../connman/connman/CVE-2023-28488.patch      | 60 +++++++++++++++++++
 .../connman/connman_1.41.bb                   |  1 +
 2 files changed, 61 insertions(+)
 create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
new file mode 100644
index 0000000000..a6cabdfb20
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
@@ -0,0 +1,60 @@
+From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Tue, 11 Apr 2023 08:12:56 +0200
+Subject: gdhcp: Verify and sanitize packet length first
+
+Avoid overwriting the read packet length after the initial test. Thus
+move all the length checks which depends on the total length first
+and do not use the total lenght from the IP packet afterwards.
+
+Reported by Polina Smirnova <moe.hwr@gmail.com>
+
+CVE: CVE-2023-28488
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ gdhcp/client.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/gdhcp/client.c b/gdhcp/client.c
+index 3016dfc..28fa606 100644
+--- a/gdhcp/client.c
++++ b/gdhcp/client.c
+@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes)
+ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+ 				struct sockaddr_in *dst_addr)
+ {
+-	int bytes;
+ 	struct ip_udp_dhcp_packet packet;
+ 	uint16_t check;
++	int bytes, tot_len;
+ 
+ 	memset(&packet, 0, sizeof(packet));
+ 
+@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+ 	if (bytes < 0)
+ 		return -1;
+ 
+-	if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
+-		return -1;
+-
+-	if (bytes < ntohs(packet.ip.tot_len))
++	tot_len = ntohs(packet.ip.tot_len);
++	if (bytes > tot_len) {
++		/* ignore any extra garbage bytes */
++		bytes = tot_len;
++	} else if (bytes < tot_len) {
+ 		/* packet is bigger than sizeof(packet), we did partial read */
+ 		return -1;
++	}
+ 
+-	/* ignore any extra garbage bytes */
+-	bytes = ntohs(packet.ip.tot_len);
++	if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
++		return -1;
+ 
+ 	if (!sanity_check(&packet, bytes))
+ 		return -1;
+-- 
+2.25.1
+
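Review bot: In the second gdhcp/client.c hunk, tot_len is now taken from packet.ip.tot_len before the check that bytes covers sizeof(packet.ip) + sizeof(packet.udp), which has moved to the end. On a short packet that read relies on the "memset(&packet, 0, sizeof(packet));" a few lines earlier, so a one-line comment next to "tot_len = ntohs(packet.ip.tot_len);" saying so would keep a later cleanup from dropping the memset. The outer commit message also carries nothing beyond the Upstream-Status link; a sentence on what the reordered length checks prevent would make the backport reviewable on its own.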
diff --git a/meta/recipes-connectivity/connman/connman_1.41.bb b/meta/recipes-connectivity/connman/connman_1.41.bb
index 79542b2175..27b28be41c 100644
--- a/meta/recipes-connectivity/connman/connman_1.41.bb
+++ b/meta/recipes-connectivity/connman/connman_1.41.bb
@@ -8,6 +8,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
            file://CVE-2022-32293_p1.patch \
            file://CVE-2022-32293_p2.patch \
            file://CVE-2022-32292.patch \
+           file://CVE-2023-28488.patch \
            "
 
 SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
-- 
2.34.1




* [OE-core][kirkstone 03/15] freetype: fix CVE-2023-2004 integer overflow in tt_hvadvance_adjust() in src/truetype/ttgxvar.c
  2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
  2023-05-06 15:24 ` [OE-core][kirkstone 01/15] ffmpeg: fix for CVE-2022-48434 Steve Sakoman
  2023-05-06 15:24 ` [OE-core][kirkstone 02/15] connman: fix CVE-2023-28488 DoS in client.c Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
  2023-05-06 15:24 ` [OE-core][kirkstone 04/15] go: fix CVE-2023-24534 denial of service from excessive memory allocation Steve Sakoman
                   ` (11 subsequent siblings)
  14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
  To: openembedded-core

From: Vivek Kumbhar <vkumbhar@mvista.com>

Fix an integer overflow vulnerability discovered in Freetype in the tt_hvadvance_adjust() function in src/truetype/ttgxvar.c

Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../freetype/freetype/CVE-2023-2004.patch     | 41 +++++++++++++++++++
 .../freetype/freetype_2.11.1.bb               |  1 +
 2 files changed, 42 insertions(+)
 create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch

diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
new file mode 100644
index 0000000000..f600309d3e
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
@@ -0,0 +1,41 @@
+From e6fda039ad638866b7a6a5d046f03278ba1b7611 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 14 Nov 2022 19:18:19 +0100
+Subject: [PATCH] * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer
+ overflow.
+
+Reported as
+
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462
+
+Upstream-Status: Backport [https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611]
+CVE: CVE-2023-2004
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/truetype/ttgxvar.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
+index 7f2db0c..8968111 100644
+--- a/src/truetype/ttgxvar.c
++++ b/src/truetype/ttgxvar.c
+@@ -42,6 +42,7 @@
+ #include <ft2build.h>
+ #include <freetype/internal/ftdebug.h>
+ #include FT_CONFIG_CONFIG_H
++#include <freetype/internal/ftcalc.h>
+ #include <freetype/internal/ftstream.h>
+ #include <freetype/internal/sfnt.h>
+ #include <freetype/tttags.h>
+@@ -1147,7 +1148,7 @@
+                 delta == 1 ? "" : "s",
+                 vertical ? "VVAR" : "HVAR" ));
+ 
+-    *avalue += delta;
++    *avalue = ADD_INT( *avalue, delta );
+ 
+   Exit:
+     return error;
+-- 
+2.25.1
+
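Review bot: The ttgxvar.c hunk at line 1147 swaps "*avalue += delta;" for "*avalue = ADD_INT( *avalue, delta );", but neither the upstream message nor the backport message says what ADD_INT does when the sum is out of range. Please add a sentence to the commit message stating the resulting behaviour, so the fix can be judged without opening freetype/internal/ftcalc.h.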
diff --git a/meta/recipes-graphics/freetype/freetype_2.11.1.bb b/meta/recipes-graphics/freetype/freetype_2.11.1.bb
index d425e162bc..29f4d8dfb7 100644
--- a/meta/recipes-graphics/freetype/freetype_2.11.1.bb
+++ b/meta/recipes-graphics/freetype/freetype_2.11.1.bb
@@ -16,6 +16,7 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/${BPN}/${BP}.tar.xz \
            file://CVE-2022-27404.patch \
            file://CVE-2022-27405.patch \
            file://CVE-2022-27406.patch \
+           file://CVE-2023-2004.patch \
            "
 SRC_URI[sha256sum] = "3333ae7cfda88429c97a7ae63b7d01ab398076c3b67182e960e5684050f2c5c8"
 
-- 
2.34.1




* [OE-core][kirkstone 04/15] go: fix CVE-2023-24534 denial of service from excessive memory allocation
  2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
                   ` (2 preceding siblings ...)
  2023-05-06 15:24 ` [OE-core][kirkstone 03/15] freetype: fix CVE-2023-2004 integer overflow in tt_hvadvance_adjust() in src/truetype/ttgxvar.c Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
  2023-05-06 15:24 ` [OE-core][kirkstone 05/15] go: Security fix for CVE-2023-24538 Steve Sakoman
                   ` (10 subsequent siblings)
  14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
  To: openembedded-core

From: Vivek Kumbhar <vkumbhar@mvista.com>

A parsed MIME header is a map[string][]string. In the common case,
a header contains many one-element []string slices. To avoid
allocating a separate slice for each key, ReadMIMEHeader looks
ahead in the input to predict the number of keys that will be
parsed, and allocates a single []string of that length.
The individual slices are then allocated out of the larger one.

The prediction of the number of header keys was done by counting
newlines in the input buffer, which does not take into account
header continuation lines (where a header key/value spans multiple
lines) or the end of the header block and the start of the body.
This could lead to a substantial amount of overallocation, for
example when the body consists of nothing but a large block of
newlines.

Fix header key count prediction to take into account the end of
the headers (indicated by a blank line) and continuation lines
(starting with whitespace).

Thanks to Jakob Ackermann (@das7pad) for reporting this issue.

Fixes CVE-2023-24534
For #58975
Fixes #59267

Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/go/go-1.17.13.inc       |   1 +
 .../go/go-1.18/CVE-2023-24534.patch           | 200 ++++++++++++++++++
 2 files changed, 201 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-24534.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index cda9227042..c5260569e2 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -28,6 +28,7 @@ SRC_URI += "\
     file://cve-2022-41725.patch \
     file://CVE-2022-41722.patch \
     file://CVE-2023-24537.patch \
+    file://CVE-2023-24534.patch \
 "
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-24534.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-24534.patch
new file mode 100644
index 0000000000..c65c7852d5
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-24534.patch
@@ -0,0 +1,200 @@
+From d6759e7a059f4208f07aa781402841d7ddaaef96 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Fri, 10 Mar 2023 14:21:05 -0800
+Subject: [PATCH] [release-branch.go1.19] net/textproto: avoid overpredicting
+ the number of MIME header keys
+ 
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802452
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+(cherry picked from commit f739f080a72fd5b06d35c8e244165159645e2ed6)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802393
+Reviewed-by: Damien Neil <dneil@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Change-Id: I675451438d619a9130360c56daf529559004903f
+Reviewed-on: https://go-review.googlesource.com/c/go/+/481982
+Run-TryBot: Michael Knyszek <mknyszek@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/d6759e7a059f4208f07aa781402841d7ddaaef96]
+CVE: CVE-2023-24534
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+
+---
+ src/bytes/bytes.go               | 14 ++++++++
+ src/net/textproto/reader.go      | 30 ++++++++++------
+ src/net/textproto/reader_test.go | 59 ++++++++++++++++++++++++++++++++
+ 3 files changed, 92 insertions(+), 11 deletions(-)
+
+diff --git a/src/bytes/bytes.go b/src/bytes/bytes.go
+index ce52649..95ff31c 100644
+--- a/src/bytes/bytes.go
++++ b/src/bytes/bytes.go
+@@ -1174,3 +1174,17 @@ func Index(s, sep []byte) int {
+ 	}
+ 	return -1
+ }
++
++// Cut slices s around the first instance of sep,
++// returning the text before and after sep.
++// The found result reports whether sep appears in s.
++// If sep does not appear in s, cut returns s, nil, false.
++//
++// Cut returns slices of the original slice s, not copies.
++func Cut(s, sep []byte) (before, after []byte, found bool) {
++	if i := Index(s, sep); i >= 0 {
++		return s[:i], s[i+len(sep):], true
++	}
++	return s, nil, false
++}
++
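Review bot: this hunk adds an exported function, Cut, to the bytes package of the toolchain the recipe builds, so the fix for net/textproto also widens the standard library API of this Go version. The only caller in the patch is upcomingHeaderKeys; an unexported helper inside net/textproto would keep the backport confined to the package being fixed. The doc comment also says "cut returns s, nil, false" in lower case, and the hunk ends by adding a trailing blank line to bytes.go. If bytes.go is not touched by the upstream commit named in Upstream-Status, the patch header should say the change was adapted.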
+diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
+index 6a680f4..fcbede8 100644
+--- a/src/net/textproto/reader.go
++++ b/src/net/textproto/reader.go
+@@ -493,8 +493,11 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) {
+ 	// large one ahead of time which we'll cut up into smaller
+ 	// slices. If this isn't big enough later, we allocate small ones.
+ 	var strs []string
+-	hint := r.upcomingHeaderNewlines()
++	hint := r.upcomingHeaderKeys()
+ 	if hint > 0 {
++		if hint > 1000 {
++			hint = 1000 // set a cap to avoid overallocation
++		}
+ 		strs = make([]string, hint)
+ 	}
+ 
+@@ -589,9 +592,11 @@ func mustHaveFieldNameColon(line []byte) error {
+ 	return nil
+ }
+ 
+-// upcomingHeaderNewlines returns an approximation of the number of newlines
++var nl = []byte("\n")
++
++// upcomingHeaderKeys returns an approximation of the number of keys
+ // that will be in this header. If it gets confused, it returns 0.
+-func (r *Reader) upcomingHeaderNewlines() (n int) {
++func (r *Reader) upcomingHeaderKeys() (n int) {
+ 	// Try to determine the 'hint' size.
+ 	r.R.Peek(1) // force a buffer load if empty
+ 	s := r.R.Buffered()
+@@ -599,17 +604,20 @@ func (r *Reader) upcomingHeaderNewlines() (n int) {
+ 		return
+ 	}
+ 	peek, _ := r.R.Peek(s)
+-	for len(peek) > 0 {
+-		i := bytes.IndexByte(peek, '\n')
+-		if i < 3 {
+-			// Not present (-1) or found within the next few bytes,
+-			// implying we're at the end ("\r\n\r\n" or "\n\n")
+-			return
++	for len(peek) > 0 && n < 1000 {
++		var line []byte
++		line, peek, _ = bytes.Cut(peek, nl)
++		if len(line) == 0 || (len(line) == 1 && line[0] == '\r') {
++			// Blank line separating headers from the body.
++			break
++		}
++		if line[0] == ' ' || line[0] == '\t' {
++			// Folded continuation of the previous line.
++			continue
+ 		}
+ 		n++
+-		peek = peek[i+1:]
+ 	}
+-	return
++	return n
+ }
+ 
+ // CanonicalMIMEHeaderKey returns the canonical format of the
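Review bot: the loop removed here already returned as soon as a newline was found within the first three bytes of the remaining input, which its own comment describes as the end of the headers, so it is not the plain newline count that the commit message describes. For this tree, what the new loop adds is the skipping of continuation lines and the n < 1000 bound; please state in the patch header that the hunk was adapted to this version of upcomingHeaderNewlines. The literal 1000 is also repeated in readMIMEHeader as "if hint > 1000", a branch that cannot be taken once this loop stops at 1000; one named constant would do for both.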
+diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go
+index 3124d43..3ae0de1 100644
+--- a/src/net/textproto/reader_test.go
++++ b/src/net/textproto/reader_test.go
+@@ -9,6 +9,7 @@ import (
+ 	"bytes"
+ 	"io"
+ 	"reflect"
++	"runtime"
+ 	"strings"
+ 	"testing"
+ )
+@@ -127,6 +128,42 @@ func TestReadMIMEHeaderSingle(t *testing.T) {
+ 	}
+ }
+ 
++// TestReaderUpcomingHeaderKeys is testing an internal function, but it's very
++// difficult to test well via the external API.
++func TestReaderUpcomingHeaderKeys(t *testing.T) {
++	for _, test := range []struct {
++		input string
++		want  int
++	}{{
++		input: "",
++		want:  0,
++	}, {
++		input: "A: v",
++		want:  1,
++	}, {
++		input: "A: v\r\nB: v\r\n",
++		want:  2,
++	}, {
++		input: "A: v\nB: v\n",
++		want:  2,
++	}, {
++		input: "A: v\r\n  continued\r\n  still continued\r\nB: v\r\n\r\n",
++		want:  2,
++	}, {
++		input: "A: v\r\n\r\nB: v\r\nC: v\r\n",
++		want:  1,
++	}, {
++		input: "A: v" + strings.Repeat("\n", 1000),
++		want:  1,
++	}} {
++		r := reader(test.input)
++		got := r.upcomingHeaderKeys()
++		if test.want != got {
++			t.Fatalf("upcomingHeaderKeys(%q): %v; want %v", test.input, got, test.want)
++		}
++	}
++}
++
+ func TestReadMIMEHeaderNoKey(t *testing.T) {
+ 	r := reader(": bar\ntest-1: 1\n\n")
+ 	m, err := r.ReadMIMEHeader()
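Review bot: the table in TestReaderUpcomingHeaderKeys has no case that reaches the new limit; its largest input, "A: v" followed by 1000 newlines, expects 1. A case with more than 1000 header lines expecting 1000 would pin the cap introduced in reader.go, and a case whose first line starts with a space or tab would cover the continuation branch being hit before any key has been counted.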
+@@ -223,6 +260,28 @@ func TestReadMIMEHeaderTrimContinued(t *testing.T) {
+ 	}
+ }
+ 
++// Test that reading a header doesn't overallocate. Issue 58975.
++func TestReadMIMEHeaderAllocations(t *testing.T) {
++	var totalAlloc uint64
++	const count = 200
++	for i := 0; i < count; i++ {
++		r := reader("A: b\r\n\r\n" + strings.Repeat("\n", 4096))
++		var m1, m2 runtime.MemStats
++		runtime.ReadMemStats(&m1)
++		_, err := r.ReadMIMEHeader()
++		if err != nil {
++			t.Fatalf("ReadMIMEHeader: %v", err)
++		}
++		runtime.ReadMemStats(&m2)
++		totalAlloc += m2.TotalAlloc - m1.TotalAlloc
++	}
++	// 32k is large and we actually allocate substantially less,
++	// but prior to the fix for #58975 we allocated ~400k in this case.
++	if got, want := totalAlloc/count, uint64(32768); got > want {
++		t.Fatalf("ReadMIMEHeader allocated %v bytes, want < %v", got, want)
++	}
++}
++
+ type readResponseTest struct {
+ 	in       string
+ 	inCode   int
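Review bot: TestReadMIMEHeaderAllocations takes the difference of runtime.MemStats.TotalAlloc around the call, which counts allocation by the whole process and not by ReadMIMEHeader alone, so anything else allocating during the 200 iterations lands in the figure. The "~400k" in the comment is quoted from the branch the patch was written for; since the loop removed from reader.go in this backport already stopped at the blank line, it is worth running this test against the unpatched tree to confirm it fails without the fix.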
+-- 
+2.25.1
+
-- 
2.34.1




* [OE-core][kirkstone 05/15] go: Security fix for CVE-2023-24538
  2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
                   ` (3 preceding siblings ...)
  2023-05-06 15:24 ` [OE-core][kirkstone 04/15] go: fix CVE-2023-24534 denial of service from excessive memory allocation Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
  2023-05-06 15:24 ` [OE-core][kirkstone 06/15] binutils : Fix CVE-2023-25584 Steve Sakoman
                   ` (9 subsequent siblings)
  14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
  To: openembedded-core

From: Shubham Kulkarni <skulkarni@mvista.com>

html/template: disallow actions in JS template literals

Backport from https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b

Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/go/go-1.17.13.inc       |   1 +
 .../go/go-1.18/CVE-2023-24538.patch           | 208 ++++++++++++++++++
 2 files changed, 209 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-24538.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index c5260569e2..d7cb47ebf4 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -29,6 +29,7 @@ SRC_URI += "\
     file://CVE-2022-41722.patch \
     file://CVE-2023-24537.patch \
     file://CVE-2023-24534.patch \
+    file://CVE-2023-24538.patch \
 "
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-24538.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-24538.patch
new file mode 100644
index 0000000000..502486befc
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-24538.patch
@@ -0,0 +1,208 @@
+From 07cc3b8711a8efbb5885f56dd90d854049ad2f7d Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Mon, 20 Mar 2023 11:01:13 -0700
+Subject: [PATCH] html/template: disallow actions in JS template literals
+
+ECMAScript 6 introduced template literals[0][1] which are delimited with
+backticks. These need to be escaped in a similar fashion to the
+delimiters for other string literals. Additionally template literals can
+contain special syntax for string interpolation.
+
+There is no clear way to allow safe insertion of actions within JS
+template literals, as handling (JS) string interpolation inside of these
+literals is rather complex. As such we've chosen to simply disallow
+template actions within these template literals.
+
+A new error code is added for this parsing failure case, errJsTmplLit,
+but it is unexported as it is not backwards compatible with other minor
+release versions to introduce an API change in a minor release. We will
+export this code in the next major release.
+
+The previous behavior (with the cavet that backticks are now escaped
+properly) can be re-enabled with GODEBUG=jstmpllitinterp=1.
+
+This change subsumes CL471455.
+
+Thanks to Sohom Datta, Manipal Institute of Technology, for reporting
+this issue.
+
+Fixes CVE-2023-24538
+For #59234
+Fixes #59271
+
+[0] https://tc39.es/ecma262/multipage/ecmascript-language-expressions.html#sec-template-literals
+[1] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals
+
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802457
+Reviewed-by: Damien Neil <dneil@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802612
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Change-Id: Ic7f10595615f2b2740d9c85ad7ef40dc0e78c04c
+Reviewed-on: https://go-review.googlesource.com/c/go/+/481987
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Michael Knyszek <mknyszek@google.com>
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b
+CVE: CVE-2023-24538
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/html/template/context.go      |  2 ++
+ src/html/template/error.go        | 13 +++++++++++++
+ src/html/template/escape.go       | 11 +++++++++++
+ src/html/template/js.go           |  2 ++
+ src/html/template/jsctx_string.go |  9 +++++++++
+ src/html/template/transition.go   |  7 ++++++-
+ 6 files changed, 43 insertions(+), 1 deletion(-)
+
+diff --git a/src/html/template/context.go b/src/html/template/context.go
+index f7d4849..0b65313 100644
+--- a/src/html/template/context.go
++++ b/src/html/template/context.go
+@@ -116,6 +116,8 @@ const (
+	stateJSDqStr
+	// stateJSSqStr occurs inside a JavaScript single quoted string.
+	stateJSSqStr
++	// stateJSBqStr occurs inside a JavaScript back quoted string.
++	stateJSBqStr
+	// stateJSRegexp occurs inside a JavaScript regexp literal.
+	stateJSRegexp
+	// stateJSBlockCmt occurs inside a JavaScript /* block comment */.
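Review bot: stateJSBqStr is inserted between stateJSSqStr and stateJSRegexp, so, assuming the block is iota-numbered, every state constant declared after it shifts by one. The diffstat for this patch lists jsctx_string.go but no generated string table for the state type; if this tree has one, it needs regenerating in the same patch, otherwise state names in error and debug output are off by one from stateJSRegexp onward.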
+diff --git a/src/html/template/error.go b/src/html/template/error.go
+index 0e52706..fd26b64 100644
+--- a/src/html/template/error.go
++++ b/src/html/template/error.go
+@@ -211,6 +211,19 @@ const (
+	//   pipeline occurs in an unquoted attribute value context, "html" is
+	//   disallowed. Avoid using "html" and "urlquery" entirely in new templates.
+	ErrPredefinedEscaper
++
++	// errJSTmplLit: "... appears in a JS template literal"
++	// Example:
++	//     <script>var tmpl = `{{.Interp}`</script>
++	// Discussion:
++	//   Package html/template does not support actions inside of JS template
++	//   literals.
++	//
++	// TODO(rolandshoemaker): we cannot add this as an exported error in a minor
++	// release, since it is backwards incompatible with the other minor
++	// releases. As such we need to leave it unexported, and then we'll add it
++	// in the next major release.
++	errJSTmplLit
+ )
+
+ func (e *Error) Error() string {
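Review bot: the example in the errJSTmplLit comment, "var tmpl = `{{.Interp}`", has an unbalanced action (two opening braces, one closing), so it does not show a template that triggers the error. The commit message also names the code errJsTmplLit while the constant added here is errJSTmplLit. If the backport is meant to be verbatim, leave both as upstream has them; otherwise close the action with "}}".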
+diff --git a/src/html/template/escape.go b/src/html/template/escape.go
+index 8739735..ca078f4 100644
+--- a/src/html/template/escape.go
++++ b/src/html/template/escape.go
+@@ -8,6 +8,7 @@ import (
+	"bytes"
+	"fmt"
+	"html"
++	"internal/godebug"
+	"io"
+	"text/template"
+	"text/template/parse"
+@@ -205,6 +206,16 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context {
+		c.jsCtx = jsCtxDivOp
+	case stateJSDqStr, stateJSSqStr:
+		s = append(s, "_html_template_jsstrescaper")
++	case stateJSBqStr:
++		debugAllowActionJSTmpl := godebug.Get("jstmpllitinterp")
++		if debugAllowActionJSTmpl == "1" {
++			s = append(s, "_html_template_jsstrescaper")
++		} else {
++			return context{
++				state: stateError,
++				err:   errorf(errJSTmplLit, n, n.Line, "%s appears in a JS template literal", n),
++			}
++		}
+	case stateJSRegexp:
+		s = append(s, "_html_template_jsregexpescaper")
+	case stateCSS:
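Review bot: the new stateJSBqStr case calls godebug.Get, which depends on the "internal/godebug" import added in the previous hunk; please confirm that package exists in the go-1.17.13 source this recipe builds, since nothing in the patch adds it. Separately, GODEBUG=jstmpllitinterp=1 restores the old behaviour for the whole process, so the recipe commit message should mention the switch for anyone who meets the new "appears in a JS template literal" error after the update.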
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index ea9c183..b888eaf 100644
+--- a/src/html/template/js.go
++++ b/src/html/template/js.go
+@@ -308,6 +308,7 @@ var jsStrReplacementTable = []string{
+	// Encode HTML specials as hex so the output can be embedded
+	// in HTML attributes without further encoding.
+	'"':  `\u0022`,
++	'`':  `\u0060`,
+	'&':  `\u0026`,
+	'\'': `\u0027`,
+	'+':  `\u002b`,
+@@ -331,6 +332,7 @@ var jsStrNormReplacementTable = []string{
+	'"':  `\u0022`,
+	'&':  `\u0026`,
+	'\'': `\u0027`,
++	'`':  `\u0060`,
+	'+':  `\u002b`,
+	'/':  `\/`,
+	'<':  `\u003c`,
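Review bot: the backtick entry is added to both jsStrReplacementTable and jsStrNormReplacementTable, but the diffstat lists six files and none is a _test.go, so nothing in this backport exercises the new escaping or the stateJSBqStr error path. If the upstream change came with tests, carrying them over, as the CVE-2023-24534 patch in this series does with reader_test.go, would show that the fix behaves as intended on this older tree.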
+diff --git a/src/html/template/jsctx_string.go b/src/html/template/jsctx_string.go
+index dd1d87e..2394893 100644
+--- a/src/html/template/jsctx_string.go
++++ b/src/html/template/jsctx_string.go
+@@ -4,6 +4,15 @@ package template
+
+ import "strconv"
+
++func _() {
++	// An "invalid array index" compiler error signifies that the constant values have changed.
++	// Re-run the stringer command to generate them again.
++	var x [1]struct{}
++	_ = x[jsCtxRegexp-0]
++	_ = x[jsCtxDivOp-1]
++	_ = x[jsCtxUnknown-2]
++}
++
+ const _jsCtx_name = "jsCtxRegexpjsCtxDivOpjsCtxUnknown"
+
+ var _jsCtx_index = [...]uint8{0, 11, 21, 33}
+diff --git a/src/html/template/transition.go b/src/html/template/transition.go
+index 06df679..92eb351 100644
+--- a/src/html/template/transition.go
++++ b/src/html/template/transition.go
+@@ -27,6 +27,7 @@ var transitionFunc = [...]func(context, []byte) (context, int){
+	stateJS:          tJS,
+	stateJSDqStr:     tJSDelimited,
+	stateJSSqStr:     tJSDelimited,
++	stateJSBqStr:     tJSDelimited,
+	stateJSRegexp:    tJSDelimited,
+	stateJSBlockCmt:  tBlockCmt,
+	stateJSLineCmt:   tLineCmt,
+@@ -262,7 +263,7 @@ func tURL(c context, s []byte) (context, int) {
+
+ // tJS is the context transition function for the JS state.
+ func tJS(c context, s []byte) (context, int) {
+-	i := bytes.IndexAny(s, `"'/`)
++	i := bytes.IndexAny(s, "\"`'/")
+	if i == -1 {
+		// Entire input is non string, comment, regexp tokens.
+		c.jsCtx = nextJSCtx(s, c.jsCtx)
+@@ -274,6 +275,8 @@ func tJS(c context, s []byte) (context, int) {
+		c.state, c.jsCtx = stateJSDqStr, jsCtxRegexp
+	case '\'':
+		c.state, c.jsCtx = stateJSSqStr, jsCtxRegexp
++	case '`':
++		c.state, c.jsCtx = stateJSBqStr, jsCtxRegexp
+	case '/':
+		switch {
+		case i+1 < len(s) && s[i+1] == '/':
+@@ -303,6 +306,8 @@ func tJSDelimited(c context, s []byte) (context, int) {
+	switch c.state {
+	case stateJSSqStr:
+		specials = `\'`
++	case stateJSBqStr:
++		specials = "`\\"
+	case stateJSRegexp:
+		specials = `\/[]`
+	}
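Review bot: in tJSDelimited the specials for stateJSBqStr are only the backtick and the backslash, so the first unescaped backtick ends the literal and a template literal nested inside a ${...} substitution is not tracked as nested. The commit message says interpolation is deliberately not handled; a short comment at this case stating that limitation would keep a later reader from assuming the state machine understands ${}.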
+--
+2.7.4
-- 
2.34.1




* [OE-core][kirkstone 06/15] binutils : Fix CVE-2023-25584
  2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
                   ` (4 preceding siblings ...)
  2023-05-06 15:24 ` [OE-core][kirkstone 05/15] go: Security fix for CVE-2023-24538 Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
  2023-05-06 15:24 ` [OE-core][kirkstone 07/15] binutils : Fix CVE-2023-25585 Steve Sakoman
                   ` (8 subsequent siblings)
  14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
  To: openembedded-core

From: Deepthi Hemraj <deepadeepthi98@gmail.com>

Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44]

Signed-off-by: Deepthi Hemraj <deepadeepthi98@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../binutils/binutils-2.38.inc                |   3 +
 .../binutils/0022-CVE-2023-25584-1.patch      |  56 ++
 .../binutils/0022-CVE-2023-25584-2.patch      |  38 ++
 .../binutils/0022-CVE-2023-25584-3.patch      | 534 ++++++++++++++++++
 4 files changed, 631 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-1.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-2.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-3.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index bf44e6c762..69fb8539ba 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -50,5 +50,8 @@ SRC_URI = "\
      file://0021-CVE-2023-1579-2.patch \
      file://0021-CVE-2023-1579-3.patch \
      file://0021-CVE-2023-1579-4.patch \
+     file://0022-CVE-2023-25584-1.patch \
+     file://0022-CVE-2023-25584-2.patch \
+     file://0022-CVE-2023-25584-3.patch \
 "
 S  = "${WORKDIR}/git"
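Review bot: these three SRC_URI entries go in under one CVE, but the commit message consists of a single Upstream-Status line pointing at one upstream commit, the one 0022-CVE-2023-25584-3.patch is taken from. Upstream-Status belongs in the patch files, where each of the three already has its own; the commit message should instead say what CVE-2023-25584 is and why the two earlier vms-alpha.c changes are pulled in with it.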
diff --git a/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-1.patch b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-1.patch
new file mode 100644
index 0000000000..990243f5c9
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-1.patch
@@ -0,0 +1,56 @@
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 17 Mar 2022 09:35:39 +0000 (+1030)
+Subject: ubsan: Null dereference in parse_module
+X-Git-Tag: gdb-12.1-release~59
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c9178f285acf19e066be8367185d52837161b0a2
+
+ubsan: Null dereference in parse_module
+
+	* vms-alpha.c (parse_module): Sanity check that DST__K_RTNBEG
+	has set module->func_table for DST__K_RTNEND.  Check return
+	of bfd_zalloc.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c9178f285acf19e066be8367185d52837161b0a2]
+
+CVE: CVE-2023-25584
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+---
+
+diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
+index 4a92574c850..1129c98f0e2 100644
+--- a/bfd/vms-alpha.c
++++ b/bfd/vms-alpha.c
+@@ -4352,9 +4352,13 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+
+   /* Initialize tables with zero element.  */
+   curr_srec = (struct srecinfo *) bfd_zalloc (abfd, sizeof (struct srecinfo));
++  if (!curr_srec)
++    return false;
+   module->srec_table = curr_srec;
+
+   curr_line = (struct lineinfo *) bfd_zalloc (abfd, sizeof (struct lineinfo));
++  if (!curr_line)
++    return false;
+   module->line_table = curr_line;
+
+   while (length == -1 || ptr < maxptr)
+@@ -4389,6 +4393,8 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+	case DST__K_RTNBEG:
+	  funcinfo = (struct funcinfo *)
+	    bfd_zalloc (abfd, sizeof (struct funcinfo));
++	  if (!funcinfo)
++	    return false;
+	  funcinfo->name
+	    = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_RTNBEG_NAME,
+					    maxptr - (ptr + DST_S_B_RTNBEG_NAME));
+@@ -4401,6 +4407,8 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+	  break;
+
+	case DST__K_RTNEND:
++	  if (!module->func_table)
++	    return false;
+	  module->func_table->high = module->func_table->low
+	    + bfd_getl32 (ptr + DST_S_L_RTNEND_SIZE) - 1;
+
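Review bot: nothing in this file says why a March 2022 ubsan fix is tagged CVE: CVE-2023-25584; the func_table check added at DST__K_RTNEND and the bfd_zalloc checks above it are null-dereference fixes, while the two patches that follow deal with out-of-bounds access. If it is included because the later patches do not apply without it (0022-CVE-2023-25584-3.patch has the func_table check as context), say so in the header.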
diff --git a/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-2.patch b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-2.patch
new file mode 100644
index 0000000000..f4c5ed2aff
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-2.patch
@@ -0,0 +1,38 @@
+From da928f639002002dfc649ed9f50492d5d6cb4cee Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 5 Dec 2022 11:11:44 +0000
+Subject: [PATCH] Fix an illegal memory access when parsing a corrupt VMS Alpha
+ file.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix an illegal memory access when parsing a corrupt VMS Alpha file.
+
+        PR 29848
+        * vms-alpha.c (parse_module): Fix potential out of bounds memory
+        access.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=942fa4fb32738ecbb447546d54f1e5f0312d2ed4]
+
+CVE: CVE-2023-25584
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+---
+ bfd/vms-alpha.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
+index c548722c..53b3f1bf 100644
+--- a/bfd/vms-alpha.c
++++ b/bfd/vms-alpha.c
+@@ -4361,7 +4361,7 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+     return false;
+   module->line_table = curr_line;
+
+-  while (length == -1 || ptr < maxptr)
++  while (length == -1 || (ptr + 3) < maxptr)
+     {
+       /* The first byte is not counted in the recorded length.  */
+       int rec_length = bfd_getl16 (ptr) + 1;
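Review bot: the new loop condition (ptr + 3) < maxptr forms a pointer up to two bytes beyond the end of the buffer before comparing, and it keeps the length == -1 escape, under which the bound is not applied at all. Writing the test as maxptr - ptr > 3 avoids the out-of-range pointer. The length == -1 case is only removed by 0022-CVE-2023-25584-3.patch, so this patch is not a complete fix on its own and the header should say it depends on the next one.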
diff --git a/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-3.patch b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-3.patch
new file mode 100644
index 0000000000..abe501e570
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-3.patch
@@ -0,0 +1,534 @@
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 12 Dec 2022 07:58:49 +0000 (+1030)
+Subject: Lack of bounds checking in vms-alpha.c parse_module
+X-Git-Tag: gdb-13-branchpoint~87
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=77c225bdeb410cf60da804879ad41622f5f1aa44
+
+Lack of bounds checking in vms-alpha.c parse_module
+
+	PR 29873
+	PR 29874
+	PR 29875
+	PR 29876
+	PR 29877
+	PR 29878
+	PR 29879
+	PR 29880
+	PR 29881
+	PR 29882
+	PR 29883
+	PR 29884
+	PR 29885
+	PR 29886
+	PR 29887
+	PR 29888
+	PR 29889
+	PR 29890
+	PR 29891
+	* vms-alpha.c (parse_module): Make length param bfd_size_type.
+	Delete length == -1 checks.  Sanity check record_length.
+	Sanity check DST__K_MODBEG, DST__K_RTNBEG, DST__K_RTNEND lengths.
+	Sanity check DST__K_SOURCE and DST__K_LINE_NUM elements
+	before accessing.
+	(build_module_list): Pass dst_section size to parse_module.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=77c225bdeb410cf60da804879ad41622f5f1aa44]
+
+CVE: CVE-2023-25584
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+---
+
+diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
+index c0eb5bc5a2a..3b63259cc81 100644
+--- a/bfd/vms-alpha.c
++++ b/bfd/vms-alpha.c
+@@ -4340,7 +4340,7 @@ new_module (bfd *abfd)
+
+ static bool
+ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+-	      int length)
++	      bfd_size_type length)
+ {
+   unsigned char *maxptr = ptr + length;
+   unsigned char *src_ptr, *pcl_ptr;
+@@ -4361,7 +4361,7 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+     return false;
+   module->line_table = curr_line;
+
+-  while (length == -1 || (ptr + 3) < maxptr)
++  while (ptr + 3 < maxptr)
+     {
+       /* The first byte is not counted in the recorded length.  */
+       int rec_length = bfd_getl16 (ptr) + 1;
+@@ -4369,15 +4369,19 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+
+       vms_debug2 ((2, "DST record: leng %d, type %d\n", rec_length, rec_type));
+
+-      if (length == -1 && rec_type == DST__K_MODEND)
++      if (rec_length > maxptr - ptr)
++	break;
++      if (rec_type == DST__K_MODEND)
+	break;
+
+       switch (rec_type)
+	{
+	case DST__K_MODBEG:
++	  if (rec_length <= DST_S_B_MODBEG_NAME)
++	    break;
+	  module->name
+	    = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_MODBEG_NAME,
+-					    maxptr - (ptr + DST_S_B_MODBEG_NAME));
++					    rec_length - DST_S_B_MODBEG_NAME);
+
+	  curr_pc = 0;
+	  prev_pc = 0;
+@@ -4391,13 +4395,15 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+	  break;
+
+	case DST__K_RTNBEG:
++	  if (rec_length <= DST_S_B_RTNBEG_NAME)
++	    break;
+	  funcinfo = (struct funcinfo *)
+	    bfd_zalloc (abfd, sizeof (struct funcinfo));
+	  if (!funcinfo)
+	    return false;
+	  funcinfo->name
+	    = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_RTNBEG_NAME,
+-					    maxptr - (ptr + DST_S_B_RTNBEG_NAME));
++					    rec_length - DST_S_B_RTNBEG_NAME);
+	  funcinfo->low = bfd_getl32 (ptr + DST_S_L_RTNBEG_ADDRESS);
+	  funcinfo->next = module->func_table;
+	  module->func_table = funcinfo;
+@@ -4407,6 +4413,8 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+	  break;
+
+	case DST__K_RTNEND:
++	  if (rec_length < DST_S_L_RTNEND_SIZE + 4)
++	    break;
+	  if (!module->func_table)
+	    return false;
+	  module->func_table->high = module->func_table->low
+@@ -4439,10 +4447,63 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+
+	  vms_debug2 ((3, "source info\n"));
+
+-	  while (src_ptr < ptr + rec_length)
++	  while (src_ptr - ptr < rec_length)
+	    {
+	      int cmd = src_ptr[0], cmd_length, data;
+
++	      switch (cmd)
++		{
++		case DST__K_SRC_DECLFILE:
++		  if (src_ptr - ptr + DST_S_B_SRC_DF_LENGTH >= rec_length)
++		    cmd_length = 0x10000;
++		  else
++		    cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2;
++		  break;
++
++		case DST__K_SRC_DEFLINES_B:
++		  cmd_length = 2;
++		  break;
++
++		case DST__K_SRC_DEFLINES_W:
++		  cmd_length = 3;
++		  break;
++
++		case DST__K_SRC_INCRLNUM_B:
++		  cmd_length = 2;
++		  break;
++
++		case DST__K_SRC_SETFILE:
++		  cmd_length = 3;
++		  break;
++
++		case DST__K_SRC_SETLNUM_L:
++		  cmd_length = 5;
++		  break;
++
++		case DST__K_SRC_SETLNUM_W:
++		  cmd_length = 3;
++		  break;
++
++		case DST__K_SRC_SETREC_L:
++		  cmd_length = 5;
++		  break;
++
++		case DST__K_SRC_SETREC_W:
++		  cmd_length = 3;
++		  break;
++
++		case DST__K_SRC_FORMFEED:
++		  cmd_length = 1;
++		  break;
++
++		default:
++		  cmd_length = 2;
++		  break;
++		}
++
++	      if (src_ptr - ptr + cmd_length > rec_length)
++		break;
++
+	      switch (cmd)
+		{
+		case DST__K_SRC_DECLFILE:
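Review bot: in the new length switch, DST__K_SRC_DECLFILE sets cmd_length = 0x10000 when the length byte lies outside the record, relying on src_ptr - ptr plus that value exceeding any rec_length (a 16-bit field plus one) so that the check below it breaks out. That works, but it is an unexplained sentinel; a comment or a direct break would make the intent clear. The command lengths now live in a switch separate from the handlers that consume the bytes, so the two have to be kept in step by hand, which deserves a comment above the first switch.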
+@@ -4467,7 +4528,6 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+
+		    module->file_table [fileid].name = filename;
+		    module->file_table [fileid].srec = 1;
+-		    cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2;
+		    vms_debug2 ((4, "DST_S_C_SRC_DECLFILE: %d, %s\n",
+				 fileid, module->file_table [fileid].name));
+		  }
+@@ -4484,7 +4544,6 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+		  srec->sfile = curr_srec->sfile;
+		  curr_srec->next = srec;
+		  curr_srec = srec;
+-		  cmd_length = 2;
+		  vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_B: %d\n", data));
+		  break;
+
+@@ -4499,14 +4558,12 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+		  srec->sfile = curr_srec->sfile;
+		  curr_srec->next = srec;
+		  curr_srec = srec;
+-		  cmd_length = 3;
+		  vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_W: %d\n", data));
+		  break;
+
+		case DST__K_SRC_INCRLNUM_B:
+		  data = src_ptr[DST_S_B_SRC_UNSBYTE];
+		  curr_srec->line += data;
+-		  cmd_length = 2;
+		  vms_debug2 ((4, "DST_S_C_SRC_INCRLNUM_B: %d\n", data));
+		  break;
+
+@@ -4514,21 +4571,18 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+		  data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD);
+		  curr_srec->sfile = data;
+		  curr_srec->srec = module->file_table[data].srec;
+-		  cmd_length = 3;
+		  vms_debug2 ((4, "DST_S_C_SRC_SETFILE: %d\n", data));
+		  break;
+
+		case DST__K_SRC_SETLNUM_L:
+		  data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG);
+		  curr_srec->line = data;
+-		  cmd_length = 5;
+		  vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_L: %d\n", data));
+		  break;
+
+		case DST__K_SRC_SETLNUM_W:
+		  data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD);
+		  curr_srec->line = data;
+-		  cmd_length = 3;
+		  vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_W: %d\n", data));
+		  break;
+
+@@ -4536,7 +4590,6 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+		  data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG);
+		  curr_srec->srec = data;
+		  module->file_table[curr_srec->sfile].srec = data;
+-		  cmd_length = 5;
+		  vms_debug2 ((4, "DST_S_C_SRC_SETREC_L: %d\n", data));
+		  break;
+
+@@ -4544,19 +4597,16 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+		  data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD);
+		  curr_srec->srec = data;
+		  module->file_table[curr_srec->sfile].srec = data;
+-		  cmd_length = 3;
+		  vms_debug2 ((4, "DST_S_C_SRC_SETREC_W: %d\n", data));
+		  break;
+
+		case DST__K_SRC_FORMFEED:
+-		  cmd_length = 1;
+		  vms_debug2 ((4, "DST_S_C_SRC_FORMFEED\n"));
+		  break;
+
+		default:
+		  _bfd_error_handler (_("unknown source command %d"),
+				      cmd);
+-		  cmd_length = 2;
+		  break;
+		}
+
+@@ -4569,18 +4619,114 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+
+	  vms_debug2 ((3, "line info\n"));
+
+-	  while (pcl_ptr < ptr + rec_length)
++	  while (pcl_ptr - ptr < rec_length)
+	    {
+	      /* The command byte is signed so we must sign-extend it.  */
+	      int cmd = ((signed char *)pcl_ptr)[0], cmd_length, data;
+
++	      switch (cmd)
++		{
++		case DST__K_DELTA_PC_W:
++		  cmd_length = 3;
++		  break;
++
++		case DST__K_DELTA_PC_L:
++		  cmd_length = 5;
++		  break;
++
++		case DST__K_INCR_LINUM:
++		  cmd_length = 2;
++		  break;
++
++		case DST__K_INCR_LINUM_W:
++		  cmd_length = 3;
++		  break;
++
++		case DST__K_INCR_LINUM_L:
++		  cmd_length = 5;
++		  break;
++
++		case DST__K_SET_LINUM_INCR:
++		  cmd_length = 2;
++		  break;
++
++		case DST__K_SET_LINUM_INCR_W:
++		  cmd_length = 3;
++		  break;
++
++		case DST__K_RESET_LINUM_INCR:
++		  cmd_length = 1;
++		  break;
++
++		case DST__K_BEG_STMT_MODE:
++		  cmd_length = 1;
++		  break;
++
++		case DST__K_END_STMT_MODE:
++		  cmd_length = 1;
++		  break;
++
++		case DST__K_SET_LINUM_B:
++		  cmd_length = 2;
++		  break;
++
++		case DST__K_SET_LINUM:
++		  cmd_length = 3;
++		  break;
++
++		case DST__K_SET_LINUM_L:
++		  cmd_length = 5;
++		  break;
++
++		case DST__K_SET_PC:
++		  cmd_length = 2;
++		  break;
++
++		case DST__K_SET_PC_W:
++		  cmd_length = 3;
++		  break;
++
++		case DST__K_SET_PC_L:
++		  cmd_length = 5;
++		  break;
++
++		case DST__K_SET_STMTNUM:
++		  cmd_length = 2;
++		  break;
++
++		case DST__K_TERM:
++		  cmd_length = 2;
++		  break;
++
++		case DST__K_TERM_W:
++		  cmd_length = 3;
++		  break;
++
++		case DST__K_TERM_L:
++		  cmd_length = 5;
++		  break;
++
++		case DST__K_SET_ABS_PC:
++		  cmd_length = 5;
++		  break;
++
++		default:
++		  if (cmd <= 0)
++		    cmd_length = 1;
++		  else
++		    cmd_length = 2;
++		  break;
++		}
++
++	      if (pcl_ptr - ptr + cmd_length > rec_length)
++		break;
++
+	      switch (cmd)
+		{
+		case DST__K_DELTA_PC_W:
+		  data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+		  curr_pc += data;
+		  curr_linenum += 1;
+-		  cmd_length = 3;
+		  vms_debug2 ((4, "DST__K_DELTA_PC_W: %d\n", data));
+		  break;
+
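Review bot: The new truncation exit `if (pcl_ptr - ptr + cmd_length > rec_length) break;` leaves the line-info loop silently, so a record cut short mid-command produces no diagnostic, while an unknown command still goes through _bfd_error_handler. Consider reporting the truncated record before the break. The length table in the first switch now has to stay in step with the handler switch below it, and a short comment above the first switch saying that any new DST__K_* command must be added in both places would help future backports.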
+@@ -4588,131 +4734,111 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+		  data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+		  curr_pc += data;
+		  curr_linenum += 1;
+-		  cmd_length = 5;
+		  vms_debug2 ((4, "DST__K_DELTA_PC_L: %d\n", data));
+		  break;
+
+		case DST__K_INCR_LINUM:
+		  data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE];
+		  curr_linenum += data;
+-		  cmd_length = 2;
+		  vms_debug2 ((4, "DST__K_INCR_LINUM: %d\n", data));
+		  break;
+
+		case DST__K_INCR_LINUM_W:
+		  data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+		  curr_linenum += data;
+-		  cmd_length = 3;
+		  vms_debug2 ((4, "DST__K_INCR_LINUM_W: %d\n", data));
+		  break;
+
+		case DST__K_INCR_LINUM_L:
+		  data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+		  curr_linenum += data;
+-		  cmd_length = 5;
+		  vms_debug2 ((4, "DST__K_INCR_LINUM_L: %d\n", data));
+		  break;
+
+		case DST__K_SET_LINUM_INCR:
+		  _bfd_error_handler
+		    (_("%s not implemented"), "DST__K_SET_LINUM_INCR");
+-		  cmd_length = 2;
+		  break;
+
+		case DST__K_SET_LINUM_INCR_W:
+		  _bfd_error_handler
+		    (_("%s not implemented"), "DST__K_SET_LINUM_INCR_W");
+-		  cmd_length = 3;
+		  break;
+
+		case DST__K_RESET_LINUM_INCR:
+		  _bfd_error_handler
+		    (_("%s not implemented"), "DST__K_RESET_LINUM_INCR");
+-		  cmd_length = 1;
+		  break;
+
+		case DST__K_BEG_STMT_MODE:
+		  _bfd_error_handler
+		    (_("%s not implemented"), "DST__K_BEG_STMT_MODE");
+-		  cmd_length = 1;
+		  break;
+
+		case DST__K_END_STMT_MODE:
+		  _bfd_error_handler
+		    (_("%s not implemented"), "DST__K_END_STMT_MODE");
+-		  cmd_length = 1;
+		  break;
+
+		case DST__K_SET_LINUM_B:
+		  data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE];
+		  curr_linenum = data;
+-		  cmd_length = 2;
+		  vms_debug2 ((4, "DST__K_SET_LINUM_B: %d\n", data));
+		  break;
+
+		case DST__K_SET_LINUM:
+		  data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+		  curr_linenum = data;
+-		  cmd_length = 3;
+		  vms_debug2 ((4, "DST__K_SET_LINE_NUM: %d\n", data));
+		  break;
+
+		case DST__K_SET_LINUM_L:
+		  data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+		  curr_linenum = data;
+-		  cmd_length = 5;
+		  vms_debug2 ((4, "DST__K_SET_LINUM_L: %d\n", data));
+		  break;
+
+		case DST__K_SET_PC:
+		  _bfd_error_handler
+		    (_("%s not implemented"), "DST__K_SET_PC");
+-		  cmd_length = 2;
+		  break;
+
+		case DST__K_SET_PC_W:
+		  _bfd_error_handler
+		    (_("%s not implemented"), "DST__K_SET_PC_W");
+-		  cmd_length = 3;
+		  break;
+
+		case DST__K_SET_PC_L:
+		  _bfd_error_handler
+		    (_("%s not implemented"), "DST__K_SET_PC_L");
+-		  cmd_length = 5;
+		  break;
+
+		case DST__K_SET_STMTNUM:
+		  _bfd_error_handler
+		    (_("%s not implemented"), "DST__K_SET_STMTNUM");
+-		  cmd_length = 2;
+		  break;
+
+		case DST__K_TERM:
+		  data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE];
+		  curr_pc += data;
+-		  cmd_length = 2;
+		  vms_debug2 ((4, "DST__K_TERM: %d\n", data));
+		  break;
+
+		case DST__K_TERM_W:
+		  data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+		  curr_pc += data;
+-		  cmd_length = 3;
+		  vms_debug2 ((4, "DST__K_TERM_W: %d\n", data));
+		  break;
+
+		case DST__K_TERM_L:
+		  data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+		  curr_pc += data;
+-		  cmd_length = 5;
+		  vms_debug2 ((4, "DST__K_TERM_L: %d\n", data));
+		  break;
+
+		case DST__K_SET_ABS_PC:
+		  data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+		  curr_pc = data;
+-		  cmd_length = 5;
+		  vms_debug2 ((4, "DST__K_SET_ABS_PC: 0x%x\n", data));
+		  break;
+
+@@ -4721,15 +4847,11 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+		    {
+		      curr_pc -= cmd;
+		      curr_linenum += 1;
+-		      cmd_length = 1;
+		      vms_debug2 ((4, "bump pc to 0x%lx and line to %d\n",
+				   (unsigned long)curr_pc, curr_linenum));
+		    }
+		  else
+-		    {
+-		      _bfd_error_handler (_("unknown line command %d"), cmd);
+-		      cmd_length = 2;
+-		    }
++		    _bfd_error_handler (_("unknown line command %d"), cmd);
+		  break;
+		}
+
+@@ -4859,7 +4981,8 @@ build_module_list (bfd *abfd)
+	return NULL;
+
+       module = new_module (abfd);
+-      if (!parse_module (abfd, module, PRIV (dst_section)->contents, -1))
++      if (!parse_module (abfd, module, PRIV (dst_section)->contents,
++			 PRIV (dst_section)->size))
+	return NULL;
+       list = module;
+     }
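Review bot: In build_module_list the length argument changes from the old `-1` sentinel to `PRIV (dst_section)->size`, but the declaration of parse_module's length parameter is not part of this hunk. Please confirm that the parameter type can hold the section size without truncation or a sign change, since the bounds checks added earlier in the patch only help if the value that reaches them is the true section size.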
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [OE-core][kirkstone 07/15] binutils : Fix CVE-2023-25585
  2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
                   ` (5 preceding siblings ...)
  2023-05-06 15:24 ` [OE-core][kirkstone 06/15] binutils : Fix CVE-2023-25584 Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
  2023-05-06 15:24 ` [OE-core][kirkstone 08/15] binutils : Fix CVE-2023-1972 Steve Sakoman
                   ` (7 subsequent siblings)
  14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
  To: openembedded-core

From: Deepthi Hemraj <deepadeepthi98@gmail.com>

Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=65cf035b8dc1df5d8020e0b1449514a3c42933e7]

Signed-off-by: Deepthi Hemraj <deepadeepthi98@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../binutils/binutils-2.38.inc                |  1 +
 .../binutils/0023-CVE-2023-25585.patch        | 54 +++++++++++++++++++
 2 files changed, 55 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0023-CVE-2023-25585.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index 69fb8539ba..408b503644 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -53,5 +53,6 @@ SRC_URI = "\
      file://0022-CVE-2023-25584-1.patch \
      file://0022-CVE-2023-25584-2.patch \
      file://0022-CVE-2023-25584-3.patch \
+     file://0023-CVE-2023-25585.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0023-CVE-2023-25585.patch b/meta/recipes-devtools/binutils/binutils/0023-CVE-2023-25585.patch
new file mode 100644
index 0000000000..e31a027b9f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0023-CVE-2023-25585.patch
@@ -0,0 +1,54 @@
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 12 Dec 2022 08:31:08 +0000 (+1030)
+Subject: PR29892, Field file_table of struct module is uninitialized
+X-Git-Tag: gdb-13-branchpoint~86
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=65cf035b8dc1df5d8020e0b1449514a3c42933e7
+
+PR29892, Field file_table of struct module is uninitialized
+
+	PR 29892
+	* vms-alphs.c (new_module): Use bfd_zmalloc to alloc file_table.
+	(parse_module): Rewrite file_table reallocation code and clear.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=65cf035b8dc1df5d8020e0b1449514a3c42933e7]
+
+CVE: CVE-2023-25585
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+---
+
+diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
+index 3b63259cc81..6ee7060b0b2 100644
+--- a/bfd/vms-alpha.c
++++ b/bfd/vms-alpha.c
+@@ -4337,7 +4337,7 @@ new_module (bfd *abfd)
+     = (struct module *) bfd_zalloc (abfd, sizeof (struct module));
+   module->file_table_count = 16; /* Arbitrary.  */
+   module->file_table
+-    = bfd_malloc (module->file_table_count * sizeof (struct fileinfo));
++    = bfd_zmalloc (module->file_table_count * sizeof (struct fileinfo));
+   return module;
+ }
+
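Review bot: In new_module the result of `bfd_zmalloc` is stored in `module->file_table` and the function returns without testing it for NULL, while parse_module later writes `module->file_table [fileid].name`. Zeroing the table addresses the uninitialised read, but an allocation failure here would still lead to a NULL dereference. A check that returns NULL from new_module (with callers testing for it) would close that path.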
+@@ -4520,15 +4520,18 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+		       src_ptr + DST_S_B_SRC_DF_FILENAME,
+		       ptr + rec_length - (src_ptr + DST_S_B_SRC_DF_FILENAME));
+
+-		    while (fileid >= module->file_table_count)
++		    if (fileid >= module->file_table_count)
+		      {
+-			module->file_table_count *= 2;
++			unsigned int old_count = module->file_table_count;
++			module->file_table_count += fileid;
+			module->file_table
+			  = bfd_realloc_or_free (module->file_table,
+						 module->file_table_count
+						 * sizeof (struct fileinfo));
+			if (module->file_table == NULL)
+			  return false;
++			memset (module->file_table + old_count, 0,
++				fileid * sizeof (struct fileinfo));
+		      }
+
+		    module->file_table [fileid].name = filename;
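Review bot: `module->file_table_count += fileid;` followed by `module->file_table_count * sizeof (struct fileinfo)` has no overflow check, and if fileid is taken from the record being parsed, a large value can wrap the count or request a very large reallocation. Consider rejecting a fileid above a sane limit, or checking the addition and multiplication before calling bfd_realloc_or_free. The memset of `fileid * sizeof (struct fileinfo)` starting at old_count does match the growth, so the new tail is fully cleared. The ChangeLog entry in the patch header names `vms-alphs.c`, while the file changed is bfd/vms-alpha.c.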
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [OE-core][kirkstone 08/15] binutils : Fix CVE-2023-1972
  2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
                   ` (6 preceding siblings ...)
  2023-05-06 15:24 ` [OE-core][kirkstone 07/15] binutils : Fix CVE-2023-25585 Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
  2023-05-06 15:24 ` [OE-core][kirkstone 09/15] binutils : Fix CVE-2023-25588 Steve Sakoman
                   ` (6 subsequent siblings)
  14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
  To: openembedded-core

From: Deepthi Hemraj <deepadeepthi98@gmail.com>

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c22d38baefc5a7a1e1f5cdc9dbb556b1f0ec5c57]

Signed-off-by: Deepthi Hemraj <deepadeepthi98@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../binutils/binutils-2.38.inc                |  1 +
 .../binutils/0026-CVE-2023-1972.patch         | 41 +++++++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0026-CVE-2023-1972.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index 408b503644..1ea17990c8 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -54,5 +54,6 @@ SRC_URI = "\
      file://0022-CVE-2023-25584-2.patch \
      file://0022-CVE-2023-25584-3.patch \
      file://0023-CVE-2023-25585.patch \
+     file://0026-CVE-2023-1972.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0026-CVE-2023-1972.patch b/meta/recipes-devtools/binutils/binutils/0026-CVE-2023-1972.patch
new file mode 100644
index 0000000000..f86adad217
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0026-CVE-2023-1972.patch
@@ -0,0 +1,41 @@
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 30 Mar 2023 09:10:09 +0000 (+0100)
+Subject: Fix an illegal memory access when an accessing a zer0-lengthverdef table.
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c22d38baefc5a7a1e1f5cdc9dbb556b1f0ec5c57
+
+Fix an illegal memory access when an accessing a zer0-lengthverdef table.
+
+  PR 30285
+  * elf.c (_bfd_elf_slurp_version_tables): Fail if no version definitions are allocated.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c22d38baefc5a7a1e1f5cdc9dbb556b1f0ec5c57]
+
+CVE: CVE-2023-1972
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+---
+
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 027d0143735..185028cbd97 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -9030,6 +9030,9 @@ _bfd_elf_slurp_version_tables (bfd *abfd, bool default_imported_symver)
+	  bfd_set_error (bfd_error_file_too_big);
+	  goto error_return_verdef;
+	}
++
++      if (amt == 0)
++	goto error_return_verdef;
+       elf_tdata (abfd)->verdef = (Elf_Internal_Verdef *) bfd_zalloc (abfd, amt);
+       if (elf_tdata (abfd)->verdef == NULL)
+	goto error_return_verdef;
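Review bot: The added `if (amt == 0) goto error_return_verdef;` fails the function without calling bfd_set_error, unlike the branch just above it, which sets bfd_error_file_too_big before the same goto. A caller that reports bfd_get_error () after this failure may print a stale or unrelated error. Setting an error such as bfd_error_bad_value before the goto would make the failure attributable. The same applies to the `amt == 0` check added at the second site (the hunk at line 9133).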
+@@ -9133,6 +9136,8 @@ _bfd_elf_slurp_version_tables (bfd *abfd, bool default_imported_symver)
+	  bfd_set_error (bfd_error_file_too_big);
+	  goto error_return;
+	}
++      if (amt == 0)
++	goto error_return;
+       elf_tdata (abfd)->verdef = (Elf_Internal_Verdef *) bfd_zalloc (abfd, amt);
+       if (elf_tdata (abfd)->verdef == NULL)
+	goto error_return;
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [OE-core][kirkstone 09/15] binutils : Fix CVE-2023-25588
  2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
                   ` (7 preceding siblings ...)
  2023-05-06 15:24 ` [OE-core][kirkstone 08/15] binutils : Fix CVE-2023-1972 Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
  2023-05-06 15:24 ` [OE-core][kirkstone 10/15] webkitgtk: fix CVE-2022-32888 & CVE-2022-32923 Steve Sakoman
                   ` (5 subsequent siblings)
  14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
  To: openembedded-core

From: Deepthi Hemraj <deepadeepthi98@gmail.com>

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1]

Signed-off-by: Deepthi Hemraj <deepadeepthi98@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../binutils/binutils-2.38.inc                |   1 +
 .../binutils/0025-CVE-2023-25588.patch        | 147 ++++++++++++++++++
 2 files changed, 148 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index 1ea17990c8..5c3ff3d93a 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -55,5 +55,6 @@ SRC_URI = "\
      file://0022-CVE-2023-25584-3.patch \
      file://0023-CVE-2023-25585.patch \
      file://0026-CVE-2023-1972.patch \
+     file://0025-CVE-2023-25588.patch \
 "
 S  = "${WORKDIR}/git"
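Review bot: The SRC_URI list now applies 0026-CVE-2023-1972.patch before 0025-CVE-2023-25588.patch, and no 0024 entry appears in the visible context, so the numeric prefixes no longer reflect the order of application. If the two patches are independent this is harmless, but renumbering or reordering the entries would keep the list readable. The commit message for this series entry also carries only the Upstream-Status and sign-off lines, so a one-line summary of what the backport fixes would help.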
diff --git a/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch b/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch
new file mode 100644
index 0000000000..142d201c40
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch
@@ -0,0 +1,147 @@
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 14 Oct 2022 00:00:21 +0000 (+1030)
+Subject: PR29677, Field `the_bfd` of `asymbol` is uninitialised
+X-Git-Tag: gdb-13-branchpoint~871
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1
+
+PR29677, Field `the_bfd` of `asymbol` is uninitialised
+
+Besides not initialising the_bfd of synthetic symbols, counting
+symbols when sizing didn't match symbols created if there were any
+dynsyms named "".  We don't want synthetic symbols without names
+anyway, so get rid of them.  Also, simplify and correct sanity checks.
+
+	PR 29677
+	* mach-o.c (bfd_mach_o_get_synthetic_symtab): Rewrite.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1]
+
+CVE: CVE-2023-25588
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+---
+
+diff --git a/bfd/mach-o.c b/bfd/mach-o.c
+index acb35e7f0c6..5279343768c 100644
+--- a/bfd/mach-o.c
++++ b/bfd/mach-o.c
+@@ -938,11 +938,9 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+   bfd_mach_o_symtab_command *symtab = mdata->symtab;
+   asymbol *s;
+   char * s_start;
+-  char * s_end;
+   unsigned long count, i, j, n;
+   size_t size;
+   char *names;
+-  char *nul_name;
+   const char stub [] = "$stub";
+
+   *ret = NULL;
+@@ -955,27 +953,27 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+   /* We need to allocate a bfd symbol for every indirect symbol and to
+      allocate the memory for its name.  */
+   count = dysymtab->nindirectsyms;
+-  size = count * sizeof (asymbol) + 1;
+-
++  size = 0;
+   for (j = 0; j < count; j++)
+     {
+-      const char * strng;
+       unsigned int isym = dysymtab->indirect_syms[j];
++      const char *str;
+
+       /* Some indirect symbols are anonymous.  */
+-      if (isym < symtab->nsyms && (strng = symtab->symbols[isym].symbol.name))
+-	/* PR 17512: file: f5b8eeba.  */
+-	size += strnlen (strng, symtab->strsize - (strng - symtab->strtab)) + sizeof (stub);
++      if (isym < symtab->nsyms
++	  && (str = symtab->symbols[isym].symbol.name) != NULL)
++	{
++	  /* PR 17512: file: f5b8eeba.  */
++	  size += strnlen (str, symtab->strsize - (str - symtab->strtab));
++	  size += sizeof (stub);
++	}
+     }
+
+-  s_start = bfd_malloc (size);
++  s_start = bfd_malloc (size + count * sizeof (asymbol));
+   s = *ret = (asymbol *) s_start;
+   if (s == NULL)
+     return -1;
+   names = (char *) (s + count);
+-  nul_name = names;
+-  *names++ = 0;
+-  s_end = s_start + size;
+
+   n = 0;
+   for (i = 0; i < mdata->nsects; i++)
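Review bot: The allocation `bfd_malloc (size + count * sizeof (asymbol))` does its arithmetic unchecked, with count coming from `dysymtab->nindirectsyms` and size accumulated from symbol name lengths. On a host where size_t is 32 bits, the product or the sum could wrap and yield a buffer smaller than the `names = (char *) (s + count)` layout assumes. The later `n >= count` and `size < len + sizeof (stub)` checks bound the writes relative to those values, not relative to what was actually allocated. An explicit overflow check before the bfd_malloc call would make the sizing self-evidently safe.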
+@@ -997,47 +995,39 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+	  entry_size = bfd_mach_o_section_get_entry_size (abfd, sec);
+
+	  /* PR 17512: file: 08e15eec.  */
+-	  if (first >= count || last >= count || first > last)
++	  if (first >= count || last > count || first > last)
+	    goto fail;
+
+	  for (j = first; j < last; j++)
+	    {
+	      unsigned int isym = dysymtab->indirect_syms[j];
+-
+-	      /* PR 17512: file: 04d64d9b.  */
+-	      if (((char *) s) + sizeof (* s) > s_end)
+-		goto fail;
+-
+-	      s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
+-	      s->section = sec->bfdsection;
+-	      s->value = addr - sec->addr;
+-	      s->udata.p = NULL;
++	      const char *str;
++	      size_t len;
+
+	      if (isym < symtab->nsyms
+-		  && symtab->symbols[isym].symbol.name)
++		  && (str = symtab->symbols[isym].symbol.name) != NULL)
+		{
+-		  const char *sym = symtab->symbols[isym].symbol.name;
+-		  size_t len;
+-
+-		  s->name = names;
+-		  len = strlen (sym);
+-		  /* PR 17512: file: 47dfd4d2.  */
+-		  if (names + len >= s_end)
++		  /* PR 17512: file: 04d64d9b.  */
++		  if (n >= count)
+		    goto fail;
+-		  memcpy (names, sym, len);
+-		  names += len;
+-		  /* PR 17512: file: 18f340a4.  */
+-		  if (names + sizeof (stub) >= s_end)
++		  len = strnlen (str, symtab->strsize - (str - symtab->strtab));
++		  /* PR 17512: file: 47dfd4d2, 18f340a4.  */
++		  if (size < len + sizeof (stub))
+		    goto fail;
+-		  memcpy (names, stub, sizeof (stub));
+-		  names += sizeof (stub);
++		  memcpy (names, str, len);
++		  memcpy (names + len, stub, sizeof (stub));
++		  s->name = names;
++		  names += len + sizeof (stub);
++		  size -= len + sizeof (stub);
++		  s->the_bfd = symtab->symbols[isym].symbol.the_bfd;
++		  s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
++		  s->section = sec->bfdsection;
++		  s->value = addr - sec->addr;
++		  s->udata.p = NULL;
++		  s++;
++		  n++;
+		}
+-	      else
+-		s->name = nul_name;
+-
+	      addr += entry_size;
+-	      s++;
+-	      n++;
+	    }
+	  break;
+	default:
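Review bot: With the `else s->name = nul_name;` branch removed and `s++` / `n++` moved inside the named-symbol branch, the function now returns fewer entries than `count` whenever an indirect symbol is anonymous, while `addr += entry_size` still advances for every slot. The commit message says this is intended, but nothing in the code says so. A comment at the loop noting that only named symbols produce a synthetic entry, and that n may therefore be less than count, would document the contract. Also worth confirming that `first >= count` should still fail when first == last == count, now that `last > count` permits last == count.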
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [OE-core][kirkstone 10/15] webkitgtk: fix CVE-2022-32888 & CVE-2022-32923
  2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
                   ` (8 preceding siblings ...)
  2023-05-06 15:24 ` [OE-core][kirkstone 09/15] binutils : Fix CVE-2023-25588 Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
  2023-05-06 15:24 ` [OE-core][kirkstone 11/15] python3-cryptography: fix for CVE-2023-23931 Steve Sakoman
                   ` (4 subsequent siblings)
  14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
  To: openembedded-core

From: Kai Kang <kai.kang@windriver.com>

Backport patches to fix CVE-2022-32888 and CVE-2022-32923 for webkitgtk
2.36.8. The bugzilla IDs of the CVEs are from https://support.apple.com
which have been listed in patch headers.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../webkit/webkitgtk/CVE-2022-32888.patch     |  41 ++
 .../webkit/webkitgtk/CVE-2022-32923.patch     | 435 ++++++++++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   2 +
 3 files changed, 478 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-32888.patch
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32888.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32888.patch
new file mode 100644
index 0000000000..1a6b685450
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32888.patch
@@ -0,0 +1,41 @@
+CVE: CVE-2022-32888
+Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/a3dd7dc]
+
+[1]: https://support.apple.com/en-us/HT213446
+[2]: https://bugs.webkit.org/show_bug.cgi?id=242047
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From a3dd7dc5f60b87a7cfd14c372e40ebd339076763 Mon Sep 17 00:00:00 2001
+From: Yusuke Suzuki <ysuzuki@apple.com>
+Date: Mon, 27 Jun 2022 21:34:55 -0700
+Subject: [PATCH] [JSC] Drop wasm stale assertion
+ https://bugs.webkit.org/show_bug.cgi?id=242047 rdar://95866655
+
+Reviewed by Mark Lam.
+
+This patch drops stale assertion in addDelegateToUnreachable.
+
+* Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:
+(JSC::Wasm::LLIntGenerator::addDelegateToUnreachable):
+
+Canonical link: https://commits.webkit.org/251902@main
+---
+ Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp b/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp
+index 39fb39b3331f..d0d2b9725991 100644
+--- a/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp
++++ b/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp
+@@ -1182,7 +1182,6 @@ auto LLIntGenerator::addDelegateToUnreachable(ControlType& target, ControlType&
+ 
+     ControlTry& tryData = std::get<ControlTry>(data);
+     m_codeBlock->addExceptionHandler({ HandlerType::Delegate, tryData.m_try->location(), delegateLabel->location(), 0, m_tryDepth, targetDepth });
+-    checkConsistency();
+     return { };
+ }
+ 
+-- 
+2.34.1
+
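Review bot: The only code change in CVE-2022-32888.patch is the removal of `checkConsistency();` from addDelegateToUnreachable, and the upstream message describes it only as a stale assertion. The patch header would benefit from a sentence explaining how dropping that call relates to the CVE, since the linked Apple advisory and bug number are the only justification given. The Upstream-Status link also uses the abbreviated hash a3dd7dc, and using the full hash from the From line below it would make the reference unambiguous.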
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch
new file mode 100644
index 0000000000..60342a14f8
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch
@@ -0,0 +1,435 @@
+CVE: CVE-2022-32923
+Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/ef76e31]
+
+[1]: https://support.apple.com/en-us/HT213495
+[2]: https://bugs.webkit.org/show_bug.cgi?id=242964
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From ef76e31a2a066c3d65a9c94a9e2cd88133260c1f Mon Sep 17 00:00:00 2001
+From: Yusuke Suzuki <ysuzuki@apple.com>
+Date: Wed, 20 Jul 2022 19:30:48 -0700
+Subject: [PATCH] [JSC] BakcwardPropagationPhase should carry NaN / Infinity
+ handling https://bugs.webkit.org/show_bug.cgi?id=242964 rdar://96791603
+
+Reviewed by Mark Lam.
+
+For correctness, we should carry NaN / Infinity handling to make it more clear in the code generation site.
+
+* Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp:
+(JSC::DFG::BackwardsPropagationPhase::propagate):
+* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
+(JSC::DFG::FixupPhase::fixupArithDivInt32):
+(JSC::DFG::FixupPhase::fixupArithDiv):
+* Source/JavaScriptCore/dfg/DFGGraph.h:
+* Source/JavaScriptCore/dfg/DFGNode.h:
+* Source/JavaScriptCore/dfg/DFGNodeFlags.cpp:
+(JSC::DFG::dumpNodeFlags):
+* Source/JavaScriptCore/dfg/DFGNodeFlags.h:
+(JSC::DFG::bytecodeCanIgnoreNaNAndInfinity):
+(JSC::DFG::nodeCanSpeculateInt32ForDiv):
+* Source/JavaScriptCore/dfg/DFGNodeType.h:
+
+Canonical link: https://commits.webkit.org/252675@main
+---
+ .../dfg/DFGBackwardsPropagationPhase.cpp      | 51 +++++++++++--------
+ Source/JavaScriptCore/dfg/DFGFixupPhase.cpp   |  6 ++-
+ Source/JavaScriptCore/dfg/DFGGraph.h          | 11 ++++
+ Source/JavaScriptCore/dfg/DFGNode.h           | 12 +++--
+ Source/JavaScriptCore/dfg/DFGNodeFlags.cpp    | 10 ++--
+ Source/JavaScriptCore/dfg/DFGNodeFlags.h      | 37 +++++++++++---
+ Source/JavaScriptCore/dfg/DFGNodeType.h       |  3 +-
+ 7 files changed, 91 insertions(+), 39 deletions(-)
+
+diff --git a/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp b/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp
+index 306ea5d6b974..83a08aff7c20 100644
+--- a/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp
++++ b/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp
+@@ -272,7 +272,7 @@ private:
+         case ValueBitNot:
+         case ArithBitNot: {
+             flags |= NodeBytecodeUsesAsInt;
+-            flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther);
++            flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther);
+             flags &= ~NodeBytecodeUsesAsArrayIndex;
+             node->child1()->mergeFlags(flags);
+             break;
+@@ -291,7 +291,7 @@ private:
+         case BitURShift:
+         case ArithIMul: {
+             flags |= NodeBytecodeUsesAsInt;
+-            flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther);
++            flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther);
+             flags &= ~NodeBytecodeUsesAsArrayIndex;
+             node->child1()->mergeFlags(flags);
+             node->child2()->mergeFlags(flags);
+@@ -308,9 +308,9 @@ private:
+ 
+         case StringSlice: {
+             node->child1()->mergeFlags(NodeBytecodeUsesAsValue);
+-            node->child2()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);
++            node->child2()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity);
+             if (node->child3())
+-                node->child3()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);
++                node->child3()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity);
+             break;
+         }
+ 
+@@ -320,11 +320,11 @@ private:
+             if (node->numChildren() == 2)
+                 m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsValue);
+             else if (node->numChildren() == 3) {
+-                m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);
++                m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity);
+                 m_graph.varArgChild(node, 2)->mergeFlags(NodeBytecodeUsesAsValue);
+             } else if (node->numChildren() == 4) {
+-                m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);
+-                m_graph.varArgChild(node, 2)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);
++                m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity);
++                m_graph.varArgChild(node, 2)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity);
+                 m_graph.varArgChild(node, 3)->mergeFlags(NodeBytecodeUsesAsValue);
+             }
+             break;
+@@ -345,6 +345,7 @@ private:
+                 flags |= NodeBytecodeUsesAsNumber;
+             if (!m_allowNestedOverflowingAdditions)
+                 flags |= NodeBytecodeUsesAsNumber;
++            flags |= NodeBytecodeNeedsNaNOrInfinity;
+             
+             node->child1()->mergeFlags(flags);
+             node->child2()->mergeFlags(flags);
+@@ -359,6 +360,7 @@ private:
+                 flags |= NodeBytecodeUsesAsNumber;
+             if (!m_allowNestedOverflowingAdditions)
+                 flags |= NodeBytecodeUsesAsNumber;
++            flags |= NodeBytecodeNeedsNaNOrInfinity;
+             
+             node->child1()->mergeFlags(flags);
+             node->child2()->mergeFlags(flags);
+@@ -366,7 +368,7 @@ private:
+         }
+ 
+         case ArithClz32: {
+-            flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther | ~NodeBytecodeUsesAsArrayIndex);
++            flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther | ~NodeBytecodeUsesAsArrayIndex);
+             flags |= NodeBytecodeUsesAsInt;
+             node->child1()->mergeFlags(flags);
+             break;
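Review bot: In the ArithClz32 case, adding NodeBytecodeNeedsNaNOrInfinity inside `~( ... | ~NodeBytecodeUsesAsArrayIndex)` has no effect, because the `| ~NodeBytecodeUsesAsArrayIndex` term already sets every bit other than NodeBytecodeUsesAsArrayIndex, so the complement keeps only that one flag regardless. This follows upstream and is harmless, but the expression is easy to misread. When carrying the backport, verify that clearing everything except NodeBytecodeUsesAsArrayIndex is the behaviour expected here, rather than assuming the new flag is what clears NaN/Infinity handling.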
+@@ -380,6 +382,7 @@ private:
+                 flags |= NodeBytecodeUsesAsNumber;
+             if (!m_allowNestedOverflowingAdditions)
+                 flags |= NodeBytecodeUsesAsNumber;
++            flags |= NodeBytecodeNeedsNaNOrInfinity;
+             
+             node->child1()->mergeFlags(flags);
+             node->child2()->mergeFlags(flags);
+@@ -387,6 +390,7 @@ private:
+         }
+             
+         case ArithNegate: {
++            // negation does not care about NaN, Infinity, -Infinity are converted into 0 if the result is evaluated under the integer context.
+             flags &= ~NodeBytecodeUsesAsOther;
+ 
+             node->child1()->mergeFlags(flags);
+@@ -401,6 +405,7 @@ private:
+                 flags |= NodeBytecodeUsesAsNumber;
+             if (!m_allowNestedOverflowingAdditions)
+                 flags |= NodeBytecodeUsesAsNumber;
++            flags |= NodeBytecodeNeedsNaNOrInfinity;
+ 
+             node->child1()->mergeFlags(flags);
+             break;
+@@ -421,7 +426,7 @@ private:
+             
+             node->mergeFlags(flags);
+             
+-            flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero;
++            flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity;
+             flags &= ~NodeBytecodeUsesAsOther;
+ 
+             node->child1()->mergeFlags(flags);
+@@ -431,7 +436,13 @@ private:
+             
+         case ValueDiv:
+         case ArithDiv: {
+-            flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero;
++            // ArithDiv / ValueDiv need to have NodeBytecodeUsesAsNumber even if it is used in the context of integer.
++            // For example,
++            //     ((@x / @y) + @z) | 0
++            // In this context, (@x / @y) can have integer context at first, but the result can be different if div
++            // generates NaN. Div and Mod are operations that can produce NaN / Infinity though only taking binary Int32 operands.
++            // Thus, we always need to check for overflow since it can affect downstream calculations.
++            flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity;
+             flags &= ~NodeBytecodeUsesAsOther;
+ 
+             node->child1()->mergeFlags(flags);
+@@ -441,7 +452,7 @@ private:
+             
+         case ValueMod:
+         case ArithMod: {
+-            flags |= NodeBytecodeUsesAsNumber;
++            flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity;
+             flags &= ~NodeBytecodeUsesAsOther;
+ 
+             node->child1()->mergeFlags(flags);
+@@ -452,7 +463,7 @@ private:
+         case EnumeratorGetByVal:
+         case GetByVal: {
+             m_graph.varArgChild(node, 0)->mergeFlags(NodeBytecodeUsesAsValue);
+-            m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);
++            m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsArrayIndex);
+             break;
+         }
+             
+@@ -461,13 +472,13 @@ private:
+             // Negative zero is not observable. NaN versus undefined are only observable
+             // in that you would get a different exception message. So, like, whatever: we
+             // claim here that NaN v. undefined is observable.
+-            node->child1()->mergeFlags(NodeBytecodeUsesAsInt | NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsArrayIndex);
++            node->child1()->mergeFlags(NodeBytecodeUsesAsInt | NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsArrayIndex);
+             break;
+         }
+             
+         case ToString:
+         case CallStringConstructor: {
+-            node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther);
++            node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity);
+             break;
+         }
+             
+@@ -487,15 +498,15 @@ private:
+         case CompareBelowEq:
+         case CompareEq:
+         case CompareStrictEq: {
+-            node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther);
+-            node->child2()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther);
++            node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity);
++            node->child2()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity);
+             break;
+         }
+ 
+         case PutByValDirect:
+         case PutByVal: {
+             m_graph.varArgChild(node, 0)->mergeFlags(NodeBytecodeUsesAsValue);
+-            m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);
++            m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity);
+             m_graph.varArgChild(node, 2)->mergeFlags(NodeBytecodeUsesAsValue);
+             break;
+         }
+@@ -508,20 +519,20 @@ private:
+                 // then -0 and 0 are treated the same.  We don't need NodeBytecodeUsesAsOther
+                 // because if all of the cases are integers then NaN and undefined are
+                 // treated the same (i.e. they will take default).
+-                node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsInt);
++                node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsInt | NodeBytecodeNeedsNaNOrInfinity);
+                 break;
+             case SwitchChar: {
+                 // We don't need NodeBytecodeNeedsNegZero because if the cases are all strings
+                 // then -0 and 0 are treated the same.  We don't need NodeBytecodeUsesAsOther
+                 // because if all of the cases are single-character strings then NaN
+                 // and undefined are treated the same (i.e. they will take default).
+-                node->child1()->mergeFlags(NodeBytecodeUsesAsNumber);
++                node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNaNOrInfinity);
+                 break;
+             }
+             case SwitchString:
+                 // We don't need NodeBytecodeNeedsNegZero because if the cases are all strings
+                 // then -0 and 0 are treated the same.
+-                node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther);
++                node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity);
+                 break;
+             case SwitchCell:
+                 // There is currently no point to being clever here since this is used for switching
+diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+index e8bee58ada15..b679539de2e6 100644
+--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
++++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+@@ -81,7 +81,9 @@ private:
+         if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
+             fixIntOrBooleanEdge(leftChild);
+             fixIntOrBooleanEdge(rightChild);
+-            if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
++            // We need to be careful about skipping overflow check because div / mod can generate non integer values
++            // from (Int32, Int32) inputs. For now, we always check non-zero divisor.
++            if (bytecodeCanTruncateInteger(node->arithNodeFlags()) && bytecodeCanIgnoreNaNAndInfinity(node->arithNodeFlags()) && bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
+                 node->setArithMode(Arith::Unchecked);
+             else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
+                 node->setArithMode(Arith::CheckOverflow);
+@@ -122,7 +124,7 @@ private:
+ 
+     void fixupArithDiv(Node* node, Edge& leftChild, Edge& rightChild)
+     {
+-        if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
++        if (m_graph.divShouldSpeculateInt32(node, FixupPass)) {
+             fixupArithDivInt32(node, leftChild, rightChild);
+             return;
+         }
+diff --git a/Source/JavaScriptCore/dfg/DFGGraph.h b/Source/JavaScriptCore/dfg/DFGGraph.h
+index ca566d3a484e..284c87672849 100644
+--- a/Source/JavaScriptCore/dfg/DFGGraph.h
++++ b/Source/JavaScriptCore/dfg/DFGGraph.h
+@@ -373,6 +373,17 @@ public:
+ 
+         return shouldSpeculateInt52ForAdd(left) && shouldSpeculateInt52ForAdd(right);
+     }
++
++    bool divShouldSpeculateInt32(Node* node, PredictionPass pass)
++    {
++        // Even if inputs are Int32, div can generate NaN or Infinity.
++        // Thus, Overflow in div can be caused by these non integer values as well as actual Int32 overflow.
++        Node* left = node->child1().node();
++        Node* right = node->child2().node();
++
++        return Node::shouldSpeculateInt32OrBooleanForArithmetic(left, right)
++            && nodeCanSpeculateInt32ForDiv(node->arithNodeFlags(), node->sourceFor(pass));
++    }
+     
+     bool binaryArithShouldSpeculateInt32(Node* node, PredictionPass pass)
+     {
+diff --git a/Source/JavaScriptCore/dfg/DFGNode.h b/Source/JavaScriptCore/dfg/DFGNode.h
+index f9ff50658e93..04509a3846ca 100644
+--- a/Source/JavaScriptCore/dfg/DFGNode.h
++++ b/Source/JavaScriptCore/dfg/DFGNode.h
+@@ -3308,21 +3308,25 @@ public:
+         out.printf(", @%u", child3()->index());
+     }
+ 
+-    NodeOrigin origin;
++    NO_UNIQUE_ADDRESS NodeOrigin origin;
+ 
++private:
++    NO_UNIQUE_ADDRESS NodeType m_op;
++
++    NO_UNIQUE_ADDRESS unsigned m_index { std::numeric_limits<unsigned>::max() };
++
++public:
+     // References to up to 3 children, or links to a variable length set of children.
+     AdjacencyList children;
+ 
+ private:
+     friend class B3::SparseCollection<Node>;
+ 
+-    unsigned m_index { std::numeric_limits<unsigned>::max() };
+-    unsigned m_op : 10; // real type is NodeType
+-    unsigned m_flags : 21;
+     // The virtual register number (spill location) associated with this .
+     VirtualRegister m_virtualRegister;
+     // The number of uses of the result of this operation (+1 for 'must generate' nodes, which have side-effects).
+     unsigned m_refCount;
++    NodeFlags m_flags;
+     // The prediction ascribed to this node after propagation.
+     SpeculatedType m_prediction { SpecNone };
+     // Immediate values, accesses type-checked via accessors above.
+diff --git a/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp b/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp
+index 88242947f6ef..0c53cd976c5c 100644
+--- a/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp
++++ b/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp
+@@ -74,12 +74,14 @@ void dumpNodeFlags(PrintStream& actualOut, NodeFlags flags)
+         out.print(comma, "VarArgs");
+     
+     if (flags & NodeResultMask) {
+-        if (!(flags & NodeBytecodeUsesAsNumber) && !(flags & NodeBytecodeNeedsNegZero))
++        if (!(flags & NodeBytecodeUsesAsNumber))
+             out.print(comma, "PureInt");
+-        else if (!(flags & NodeBytecodeUsesAsNumber))
+-            out.print(comma, "PureInt(w/ neg zero)");
+-        else if (!(flags & NodeBytecodeNeedsNegZero))
++        else
+             out.print(comma, "PureNum");
++        if (flags & NodeBytecodeNeedsNegZero)
++            out.print(comma, "NeedsNegZero");
++        if (flags & NodeBytecodeNeedsNaNOrInfinity)
++            out.print(comma, "NeedsNaNOrInfinity");
+         if (flags & NodeBytecodeUsesAsOther)
+             out.print(comma, "UseAsOther");
+     }
+diff --git a/Source/JavaScriptCore/dfg/DFGNodeFlags.h b/Source/JavaScriptCore/dfg/DFGNodeFlags.h
+index 2ebe3544f601..aa60db7e6ba0 100644
+--- a/Source/JavaScriptCore/dfg/DFGNodeFlags.h
++++ b/Source/JavaScriptCore/dfg/DFGNodeFlags.h
+@@ -61,18 +61,19 @@ namespace JSC { namespace DFG {
+ #define NodeBytecodeUseBottom            0x00000
+ #define NodeBytecodeUsesAsNumber         0x04000 // The result of this computation may be used in a context that observes fractional, or bigger-than-int32, results.
+ #define NodeBytecodeNeedsNegZero         0x08000 // The result of this computation may be used in a context that observes -0.
+-#define NodeBytecodeUsesAsOther          0x10000 // The result of this computation may be used in a context that distinguishes between NaN and other things (like undefined).
+-#define NodeBytecodeUsesAsInt            0x20000 // The result of this computation is known to be used in a context that prefers, but does not require, integer values.
+-#define NodeBytecodeUsesAsArrayIndex     0x40000 // The result of this computation is known to be used in a context that strongly prefers integer values, to the point that we should avoid using doubles if at all possible.
+-#define NodeBytecodeUsesAsValue          (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther)
+-#define NodeBytecodeBackPropMask         (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex)
++#define NodeBytecodeNeedsNaNOrInfinity   0x10000 // The result of this computation may be used in a context that observes NaN or Infinity.
++#define NodeBytecodeUsesAsOther          0x20000 // The result of this computation may be used in a context that distinguishes between NaN and other things (like undefined).
++#define NodeBytecodeUsesAsInt            0x40000 // The result of this computation is known to be used in a context that prefers, but does not require, integer values.
++#define NodeBytecodeUsesAsArrayIndex     0x80000 // The result of this computation is known to be used in a context that strongly prefers integer values, to the point that we should avoid using doubles if at all possible.
++#define NodeBytecodeUsesAsValue          (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther)
++#define NodeBytecodeBackPropMask         (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex)
+ 
+ #define NodeArithFlagsMask               (NodeBehaviorMask | NodeBytecodeBackPropMask)
+ 
+-#define NodeIsFlushed                    0x80000 // Computed by CPSRethreadingPhase, will tell you which local nodes are backwards-reachable from a Flush.
++#define NodeIsFlushed                   0x100000 // Computed by CPSRethreadingPhase, will tell you which local nodes are backwards-reachable from a Flush.
+ 
+-#define NodeMiscFlag1                   0x100000
+-#define NodeMiscFlag2                   0x200000
++#define NodeMiscFlag1                   0x200000
++#define NodeMiscFlag2                   0x400000
+ 
+ typedef uint32_t NodeFlags;
+ 
+@@ -91,6 +92,11 @@ static inline bool bytecodeCanIgnoreNegativeZero(NodeFlags flags)
+     return !(flags & NodeBytecodeNeedsNegZero);
+ }
+ 
++static inline bool bytecodeCanIgnoreNaNAndInfinity(NodeFlags flags)
++{
++    return !(flags & NodeBytecodeNeedsNaNOrInfinity);
++}
++
+ enum RareCaseProfilingSource {
+     BaselineRareCase, // Comes from slow case counting in the baseline JIT.
+     DFGRareCase, // Comes from OSR exit profiles.
+@@ -147,6 +153,21 @@ static inline bool nodeCanSpeculateInt32(NodeFlags flags, RareCaseProfilingSourc
+     return true;
+ }
+ 
++static inline bool nodeCanSpeculateInt32ForDiv(NodeFlags flags, RareCaseProfilingSource source)
++{
++    if (nodeMayOverflowInt32(flags, source)) {
++        if (bytecodeUsesAsNumber(flags))
++            return false;
++        if (!bytecodeCanIgnoreNaNAndInfinity(flags))
++            return false;
++    }
++
++    if (nodeMayNegZero(flags, source))
++        return bytecodeCanIgnoreNegativeZero(flags);
++
++    return true;
++}
++
+ static inline bool nodeCanSpeculateInt52(NodeFlags flags, RareCaseProfilingSource source)
+ {
+     if (nodeMayOverflowInt52(flags, source))
+diff --git a/Source/JavaScriptCore/dfg/DFGNodeType.h b/Source/JavaScriptCore/dfg/DFGNodeType.h
+index 8f885b570665..aad4d559ccf7 100644
+--- a/Source/JavaScriptCore/dfg/DFGNodeType.h
++++ b/Source/JavaScriptCore/dfg/DFGNodeType.h
+@@ -567,7 +567,7 @@ namespace JSC { namespace DFG {
+ 
+ // This enum generates a monotonically increasing id for all Node types,
+ // and is used by the subsequent enum to fill out the id (as accessed via the NodeIdMask).
+-enum NodeType {
++enum NodeType : uint16_t {
+ #define DFG_OP_ENUM(opcode, flags) opcode,
+     FOR_EACH_DFG_OP(DFG_OP_ENUM)
+ #undef DFG_OP_ENUM
+@@ -577,6 +577,7 @@ enum NodeType {
+ #define DFG_OP_COUNT(opcode, flags) + 1
+ constexpr unsigned numberOfNodeTypes = FOR_EACH_DFG_OP(DFG_OP_COUNT);
+ #undef DFG_OP_COUNT
++static_assert(numberOfNodeTypes <= UINT16_MAX);
+ 
+ // Specifies the default flags for each node.
+ inline NodeFlags defaultFlags(NodeType op)
+-- 
+2.34.1
+
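Review bot: In the ValueMod/ArithMod case the new line also turns on NodeBytecodeNeedsNegZero, which the old line did not set, and nothing in the patch explains it, while the ValueDiv/ArithDiv case directly above gets a six-line comment. A one-line comment on why mod now has to preserve -0 would help anyone auditing the backport. Separately, inserting NodeBytecodeNeedsNaNOrInfinity at 0x10000 in DFGNodeFlags.h moves NodeMiscFlag2 to 0x400000, which no longer fits the old `unsigned m_flags : 21` bitfield that DFGNode.h drops; it is worth confirming that nothing else in 2.36.8 stores these flags in a narrower field, since the patch only adjusts the files shown.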
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 7b2c5c6e36..1dac4f5677 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -15,6 +15,8 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
            file://0001-Fix-build-without-opengl-or-es.patch \
            file://reproducibility.patch \
            file://0001-When-building-introspection-files-do-not-quote-CFLAG.patch \
+           file://CVE-2022-32888.patch \
+           file://CVE-2022-32923.patch \
            "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
 
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [OE-core][kirkstone 11/15] python3-cryptography: fix for CVE-2023-23931
  2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
                   ` (9 preceding siblings ...)
  2023-05-06 15:24 ` [OE-core][kirkstone 10/15] webkitgtk: fix CVE-2022-32888 & CVE-2022-32923 Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
  2023-05-06 15:24 ` [OE-core][kirkstone 12/15] wic/bootimg-efi: if fixed-size is set then use that for mkdosfs Steve Sakoman
                   ` (3 subsequent siblings)
  14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
  To: openembedded-core

From: Narpat Mali <narpat.mali@windriver.com>

cryptography is a package designed to expose cryptographic primitives
and recipes to Python developers. In affected versions `Cipher.update_into`
would accept Python objects which implement the buffer protocol, but
provide only immutable buffers. This would allow immutable objects
(such as `bytes`) to be mutated, thus violating fundamental rules of
Python and resulting in corrupted output. This now correctly raises
an exception. This issue has been present since `update_into` was
originally introduced in cryptography 1.8.

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../python3-cryptography/CVE-2023-23931.patch | 49 +++++++++++++++++++
 .../python/python3-cryptography_36.0.2.bb     |  1 +
 2 files changed, 50 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch

diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch
new file mode 100644
index 0000000000..5fc4878978
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch
@@ -0,0 +1,49 @@
+From 9fbf84efc861668755ab645530ec7be9cf3c6696 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Tue, 7 Feb 2023 11:34:18 -0500
+Subject: [PATCH] Don't allow update_into to mutate immutable objects (#8230)
+
+CVE: CVE-2023-23931
+
+Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/9fbf84efc861668755ab645530ec7be9cf3c6696]
+
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
+ tests/hazmat/primitives/test_ciphers.py             | 8 ++++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
+index 286583f93..075d68fb9 100644
+--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
+@@ -156,7 +156,7 @@ class _CipherContext:
+         data_processed = 0
+         total_out = 0
+         outlen = self._backend._ffi.new("int *")
+-        baseoutbuf = self._backend._ffi.from_buffer(buf)
++        baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
+         baseinbuf = self._backend._ffi.from_buffer(data)
+
+         while data_processed != total_data_len:
+diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
+index 02127dd9c..bf3b047de 100644
+--- a/tests/hazmat/primitives/test_ciphers.py
++++ b/tests/hazmat/primitives/test_ciphers.py
+@@ -318,6 +318,14 @@ class TestCipherUpdateInto:
+         with pytest.raises(ValueError):
+             encryptor.update_into(b"testing", buf)
+
++    def test_update_into_immutable(self, backend):
++        key = b"\x00" * 16
++        c = ciphers.Cipher(AES(key), modes.ECB(), backend)
++        encryptor = c.encryptor()
++        buf = b"\x00" * 32
++        with pytest.raises((TypeError, BufferError)):
++            encryptor.update_into(b"testing", buf)
++
+     @pytest.mark.supported(
+         only_if=lambda backend: backend.cipher_supported(
+             AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)
+--
+2.40.0
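Review bot: test_update_into_immutable accepts either TypeError or BufferError, so it cannot tell a buffer rejected for being read-only apart from any other TypeError raised inside update_into, for example from a cffi that does not know the `require_writable` keyword. For the backport, confirm that the python3-cffi in kirkstone accepts `from_buffer(buf, require_writable=True)`, and consider having the test also assert that `buf` is unchanged after the call.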
diff --git a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
index 9ef5ff39c8..c3ae0c1ab9 100644
--- a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
+++ b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
@@ -17,6 +17,7 @@ SRC_URI += " \
     file://0001-Cargo.toml-specify-pem-version.patch \
     file://0002-Cargo.toml-edition-2018-2021.patch \
     file://fix-leak-metric.patch \
+    file://CVE-2023-23931.patch \
 "
 
 inherit pypi python_setuptools3_rust
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 26+ messages in thread
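
The effect of the one-line CVE-2023-23931 fix above, modelled with the standard-library ctypes so it runs without cffi or the cryptography package. This is an added example, not code from the patch or from pyca/cryptography; the function names are made up here, and the unchecked path assumes CPython, where ctypes hands a bytes object to memmove as a pointer to its storage.

```python
import ctypes


def write_unchecked(buf, data):
    """Pre-fix model: copy into buf's storage without asking if it is writable.

    Assumption: CPython, where ctypes passes a bytes object to memmove as a
    pointer to the object's own storage.
    """
    if len(data) > len(buf):
        raise ValueError("buffer too small")
    if isinstance(buf, bytes):
        ctypes.memmove(buf, data, len(data))  # changes an "immutable" object
    else:
        view = (ctypes.c_char * len(buf)).from_buffer(buf)
        ctypes.memmove(view, data, len(data))
    return len(data)


def write_checked(buf, data):
    """Post-fix model: refuse read-only exporters before touching memory.

    ctypes' from_buffer() always requires a writable buffer, which is the
    behaviour that require_writable=True turns on for cffi's from_buffer().
    """
    if len(data) > len(buf):
        raise ValueError("buffer too small")
    view = (ctypes.c_char * len(buf)).from_buffer(buf)  # TypeError if read-only
    ctypes.memmove(view, data, len(data))
    return len(data)


def dict_key_after_unchecked_write():
    """Show why mutating bytes breaks code that relies on immutability."""
    key = bytes(16)            # constructed sample: a fresh 16-byte zero key
    table = {key: "value"}     # the hash of the zero-filled content is cached
    write_unchecked(key, b"testing")
    return {
        "content": key,
        # Same hash as the stored entry, but the stored key no longer compares equal.
        "old_content_found": bytes(16) in table,
        # Equal to the stored key now, but the entry is filed under the old hash.
        "new_content_found": (b"testing" + bytes(9)) in table,
    }


def checked_results():
    """Run the checked path over the buffer kinds a caller might pass."""
    samples = (
        ("bytes", bytes(16)),
        ("bytearray", bytearray(16)),
        ("memoryview", memoryview(bytearray(16))),
        ("readonly memoryview", memoryview(bytearray(16)).toreadonly()),
    )
    results = {}
    for name, buf in samples:
        try:
            write_checked(buf, b"testing")
            results[name] = "written"
        except (TypeError, BufferError) as exc:
            results[name] = type(exc).__name__
    return results


if __name__ == "__main__":
    print(dict_key_after_unchecked_write())
    print(checked_results())
```
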

* [OE-core][kirkstone 12/15] wic/bootimg-efi: if fixed-size is set then use that for mkdosfs
  2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
                   ` (10 preceding siblings ...)
  2023-05-06 15:24 ` [OE-core][kirkstone 11/15] python3-cryptography: fix for CVE-2023-23931 Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
  2023-05-06 15:24 ` [OE-core][kirkstone 13/15] kernel-devicetree: allow specification of dtb directory Steve Sakoman
                   ` (2 subsequent siblings)
  14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
  To: openembedded-core

From: Randolph Sapp <rs@ti.com>

This is a bit of a compatibility issue more than anything. Some devices
get upset if the FAT file system contains fewer blocks than the
partition.

The fixed-size argument is currently respected by the partition creation
step but not by the file system creation step. Let's make it so the file
system respects this value as well.

Signed-off-by: Randolph Sapp <rs@ti.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 scripts/lib/wic/plugins/source/bootimg-efi.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/scripts/lib/wic/plugins/source/bootimg-efi.py b/scripts/lib/wic/plugins/source/bootimg-efi.py
index a65a5b9780..c28d3917c2 100644
--- a/scripts/lib/wic/plugins/source/bootimg-efi.py
+++ b/scripts/lib/wic/plugins/source/bootimg-efi.py
@@ -390,6 +390,13 @@ class BootimgEFIPlugin(SourcePlugin):
         logger.debug("Added %d extra blocks to %s to get to %d total blocks",
                      extra_blocks, part.mountpoint, blocks)
 
+        # required for compatibility with certain devices expecting file system
+        # block count to be equal to partition block count
+        if blocks < part.fixed_size:
+            blocks = part.fixed_size
+            logger.debug("Overriding %s to %d total blocks for compatibility",
+                     part.mountpoint, blocks)
+
         # dosfs image, created by mkdosfs
         bootimg = "%s/boot.img" % cr_workdir
 
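Review bot: `if blocks < part.fixed_size:` only handles a computed size that is too small; when `blocks` is already larger than `part.fixed_size` the file system is still created larger than the requested size, which does not match the subject line's "if fixed-size is set then use that". The comparison also assumes `part.fixed_size` is a number in the same units as `blocks` even when --fixed-size was not given; if it can be None this raises TypeError, so a guard such as `if part.fixed_size and blocks < part.fixed_size:` would be safer. The continuation line of the new logger.debug call is indented four columns short of its opening parenthesis, unlike the call just above it.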
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [OE-core][kirkstone 13/15] kernel-devicetree: allow specification of dtb directory
  2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
                   ` (11 preceding siblings ...)
  2023-05-06 15:24 ` [OE-core][kirkstone 12/15] wic/bootimg-efi: if fixed-size is set then use that for mkdosfs Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
  2023-05-06 17:25   ` Martin Jansa
  2023-05-06 15:24 ` [OE-core][kirkstone 14/15] libbsd: Add correct license for all packages Steve Sakoman
  2023-05-06 15:24 ` [OE-core][kirkstone 15/15] run-postinsts: Set dependency for ldconfig to avoid boot issues Steve Sakoman
  14 siblings, 1 reply; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
  To: openembedded-core

From: Randolph Sapp <rs@ti.com>

Fedora/Redhat and Arch are somewhat standardized on their dtb directory
structure. Let's add some flags to configure yocto to mimic that
behavior.

Add the following variables to the kernel class:
	- KERNEL_DTBDEST (controls the destination directory for dtbs)
	- KERNEL_DTBVENDORED (controls if vendor subdirectories are to
	  be respected)

Currently KERNEL_DTBDEST is expected to be a subdir of KERNEL_IMAGEDEST
and KERNEL_DTBVENDORED is expected to be "true"/"false". This only
applies to the package directory structure. The deploydir structure is
purposely left untouched for compatibility with existing recipes.

By default this is configured to behave the same as the current recipe
and produce a flat dtb directory at KERNEL_IMAGEDEST.

Signed-off-by: Randolph Sapp <rs@ti.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/kernel-devicetree.bbclass | 22 +++++++++++++++++-----
 meta/classes/kernel.bbclass            |  2 ++
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/meta/classes/kernel-devicetree.bbclass b/meta/classes/kernel-devicetree.bbclass
index b4338da1b1..11b57adc92 100644
--- a/meta/classes/kernel-devicetree.bbclass
+++ b/meta/classes/kernel-devicetree.bbclass
@@ -6,7 +6,12 @@ python () {
             d.appendVar("PACKAGES", " ${KERNEL_PACKAGE_NAME}-image-zimage-bundle")
 }
 
-FILES:${KERNEL_PACKAGE_NAME}-devicetree = "/${KERNEL_IMAGEDEST}/*.dtb /${KERNEL_IMAGEDEST}/*.dtbo"
+FILES:${KERNEL_PACKAGE_NAME}-devicetree = " \
+    /${KERNEL_DTBDEST}/*.dtb \
+    /${KERNEL_DTBDEST}/*.dtbo \
+    /${KERNEL_DTBDEST}/*/*.dtb \
+    /${KERNEL_DTBDEST}/*/*.dtbo \
+"
 FILES:${KERNEL_PACKAGE_NAME}-image-zimage-bundle = "/${KERNEL_IMAGEDEST}/zImage-*.dtb.bin"
 
 # Generate kernel+devicetree bundle
@@ -67,12 +72,16 @@ do_compile:append() {
 }
 
 do_install:append() {
+	install -d ${D}/${KERNEL_DTBDEST}
 	for dtbf in ${KERNEL_DEVICETREE}; do
 		dtb=`normalize_dtb "$dtbf"`
-		dtb_ext=${dtb##*.}
-		dtb_base_name=`basename $dtb .$dtb_ext`
 		dtb_path=`get_real_dtb_path_in_kernel "$dtb"`
-		install -m 0644 $dtb_path ${D}/${KERNEL_IMAGEDEST}/$dtb_base_name.$dtb_ext
+		if [ ${KERNEL_DTBVENDORED} == "false" ]; then
+			dtb_ext=${dtb##*.}
+			dtb_base_name=`basename $dtb .$dtb_ext`
+			dtb=$dtb_base_name.$dtb_ext
+		fi
+		install -Dm 0644 $dtb_path ${D}/${KERNEL_DTBDEST}/$dtb
 	done
 }
 
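Review bot: `[ ${KERNEL_DTBVENDORED} == "false" ]` in do_install:append uses `==`, which is a bash extension to `test`, and leaves the expansion unquoted, so an empty value turns the test into a syntax error. The existing check in do_deploy:append is written `[ "${KERNEL_IMAGETYPE_SYMLINK}" = "1" ]`, and the new one should follow it: `[ "${KERNEL_DTBVENDORED}" = "false" ]`. Any value other than the literal false, including False or 0, silently selects the vendored layout, which is worth documenting next to the default or normalising.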
@@ -82,7 +91,10 @@ do_deploy:append() {
 		dtb_ext=${dtb##*.}
 		dtb_base_name=`basename $dtb .$dtb_ext`
 		install -d $deployDir
-		install -m 0644 ${D}/${KERNEL_IMAGEDEST}/$dtb_base_name.$dtb_ext $deployDir/$dtb_base_name-${KERNEL_DTB_NAME}.$dtb_ext
+		if [ ${KERNEL_DTBVENDORED} == "false" ]; then
+			dtb=$dtb_base_name.$dtb_ext
+		fi
+		install -m 0644 ${D}/${KERNEL_DTBDEST}/$dtb $deployDir/$dtb_base_name-${KERNEL_DTB_NAME}.$dtb_ext
 		if [ "${KERNEL_IMAGETYPE_SYMLINK}" = "1" ] ; then
 			ln -sf $dtb_base_name-${KERNEL_DTB_NAME}.$dtb_ext $deployDir/$dtb_base_name.$dtb_ext
 		fi
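Review bot: In do_deploy:append the source path now keeps the vendor subdirectory but the destination is still `$deployDir/$dtb_base_name-${KERNEL_DTB_NAME}.$dtb_ext`, so with KERNEL_DTBVENDORED set to true two entries in KERNEL_DEVICETREE that share a base name under different vendor directories overwrite each other in the deploy directory. The commit message says the deploy layout is intentionally left flat, so a check that fails on duplicate base names would make the limitation explicit. The `==` comparison here has the same portability problem as the one in do_install:append.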
diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass
index b315737fd2..3e3ac2d47d 100644
--- a/meta/classes/kernel.bbclass
+++ b/meta/classes/kernel.bbclass
@@ -210,6 +210,8 @@ KERNEL_RELEASE ?= "${KERNEL_VERSION}"
 # The directory where built kernel lies in the kernel tree
 KERNEL_OUTPUT_DIR ?= "arch/${ARCH}/boot"
 KERNEL_IMAGEDEST ?= "boot"
+KERNEL_DTBDEST ?= "${KERNEL_IMAGEDEST}"
+KERNEL_DTBVENDORED ?= "false"
 
 #
 # configuration
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [OE-core][kirkstone 14/15] libbsd: Add correct license for all packages
  2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
                   ` (12 preceding siblings ...)
  2023-05-06 15:24 ` [OE-core][kirkstone 13/15] kernel-devicetree: allow specification of dtb directory Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
  2023-05-06 15:24 ` [OE-core][kirkstone 15/15] run-postinsts: Set dependency for ldconfig to avoid boot issues Steve Sakoman
  14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
  To: openembedded-core

From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>

BSD-4-Clause is only applicable to the {PN}-doc package, as when I
check the source code I find that only the files below use the
license BSD-4-Clause

~/sources/libbsd$ grep -rl "All advertising materials mentioning features or use of this software" *|grep -v \.1|grep -v \.5|grep -v \.8 | sort
COPYING
man/arc4random.3bsd
man/getprogname.3bsd

~/sources/libbsd$ grep -rnB5 "BSD-4"
COPYING-9-Files:
COPYING-10- man/arc4random.3bsd
COPYING-11-Copyright:
COPYING-12- Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
COPYING-13- All rights reserved.
COPYING:14:License: BSD-4-clause-Niels-Provos

Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/libbsd/libbsd_0.11.5.bb | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/meta/recipes-support/libbsd/libbsd_0.11.5.bb b/meta/recipes-support/libbsd/libbsd_0.11.5.bb
index bb8766a070..21af37882f 100644
--- a/meta/recipes-support/libbsd/libbsd_0.11.5.bb
+++ b/meta/recipes-support/libbsd/libbsd_0.11.5.bb
@@ -29,6 +29,13 @@ HOMEPAGE = "https://libbsd.freedesktop.org/wiki/"
 # License: public-domain-Colin-Plumb
 LICENSE = "BSD-3-Clause & BSD-4-Clause & ISC & PD"
 LICENSE:${PN} = "BSD-3-Clause & ISC & PD"
+LICENSE:${PN}-dbg = "BSD-3-Clause & ISC & PD"
+LICENSE:${PN}-dev = "BSD-3-Clause & ISC & PD"
+LICENSE:${PN}-doc = "BSD-3-Clause & BSD-4-Clause & ISC & PD"
+LICENSE:${PN}-locale = "BSD-3-Clause & ISC & PD"
+LICENSE:${PN}-src = "BSD-3-Clause & ISC & PD"
+LICENSE:${PN}-staticdev = "BSD-3-Clause & ISC & PD"
+
 LIC_FILES_CHKSUM = "file://COPYING;md5=0b31944ca2c1075410a30f0c17379d3b"
 SECTION = "libs"
 
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [OE-core][kirkstone 15/15] run-postinsts: Set dependency for ldconfig to avoid boot issues
  2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
                   ` (13 preceding siblings ...)
  2023-05-06 15:24 ` [OE-core][kirkstone 14/15] libbsd: Add correct license for all packages Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
  14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
  To: openembedded-core

From: Arturo Buzarra <arturo.buzarra@digi.com>

If a package with a postinst script requires ldconfig, the package class adds
an ldconfig postinst fragment to initialize it before. Systemd has its own
ldconfig.service to initialize it and sometimes if both services are running
at the same time in the first boot, the first one will work, but the second
one will fail with the following error:

    ldconfig[141]: /sbin/ldconfig: Renaming of /etc/ld.so.cache~ to /etc/ld.so.cache failed: No such file or directory

This commit adds an ordering dependency between them to make sure that only one
service is running at the same time.

Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4e9d812e127dc6743f52f4881e509e8e2e833afe)
Signed-off-by: Jermain Horsman <jermain.horsman@nedap.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../run-postinsts/run-postinsts/run-postinsts.service           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service
index 7f72f3388a..b6b81d5c1a 100644
--- a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service
+++ b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=Run pending postinsts
 DefaultDependencies=no
-After=systemd-remount-fs.service systemd-tmpfiles-setup.service tmp.mount
+After=systemd-remount-fs.service systemd-tmpfiles-setup.service tmp.mount ldconfig.service
 Before=sysinit.target
 
 [Service]
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 26+ messages in thread

* Re: [OE-core][kirkstone 13/15] kernel-devicetree: allow specification of dtb directory
  2023-05-06 15:24 ` [OE-core][kirkstone 13/15] kernel-devicetree: allow specification of dtb directory Steve Sakoman
@ 2023-05-06 17:25   ` Martin Jansa
  0 siblings, 0 replies; 26+ messages in thread
From: Martin Jansa @ 2023-05-06 17:25 UTC (permalink / raw)
  To: Steve Sakoman; +Cc: openembedded-core

This one doesn't work correctly, maybe better to postpone this until a fix
is in master, see:
https://lists.openembedded.org/g/openembedded-core/message/180981
and possible fix:
https://git.openembedded.org/openembedded-core-contrib/commit/?h=jansa/master&id=e2a6da5202a6671113758f9746ddbd8141a75757

Regards,

On Sat, May 6, 2023 at 5:25 PM Steve Sakoman <steve@sakoman.com> wrote:

> From: Randolph Sapp <rs@ti.com>
>
> Fedora/Redhat and Arch are somewhat standardized on their dtb directory
> structure. Let's add some flags to configure yocto to mimic that
> behavior.
>
> Add the following variables to the kernel class:
>         - KERNEL_DTBDEST (controls the destination directory for dtbs)
>         - KERNEL_DTBVENDORED (controls if vendor subdirectories are to
>           be respected)
>
> Currently KERNEL_DTBDEST is expected to be a subdir of KERNEL_IMAGEDEST
> and KERNEL_DTBVENDORED is expected to be "true"/"false". This only
> applies to the package directory structure. The deploydir structure is
> purposely left untouched for compatibility with existing recipes.
>
> By default this is configured to behave the same as the current recipe
> and produce a flat dtb directory at KERNEL_IMAGEDEST.
>
> Signed-off-by: Randolph Sapp <rs@ti.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>  meta/classes/kernel-devicetree.bbclass | 22 +++++++++++++++++-----
>  meta/classes/kernel.bbclass            |  2 ++
>  2 files changed, 19 insertions(+), 5 deletions(-)
>
> diff --git a/meta/classes/kernel-devicetree.bbclass
> b/meta/classes/kernel-devicetree.bbclass
> index b4338da1b1..11b57adc92 100644
> --- a/meta/classes/kernel-devicetree.bbclass
> +++ b/meta/classes/kernel-devicetree.bbclass
> @@ -6,7 +6,12 @@ python () {
>              d.appendVar("PACKAGES", "
> ${KERNEL_PACKAGE_NAME}-image-zimage-bundle")
>  }
>
> -FILES:${KERNEL_PACKAGE_NAME}-devicetree = "/${KERNEL_IMAGEDEST}/*.dtb
> /${KERNEL_IMAGEDEST}/*.dtbo"
> +FILES:${KERNEL_PACKAGE_NAME}-devicetree = " \
> +    /${KERNEL_DTBDEST}/*.dtb \
> +    /${KERNEL_DTBDEST}/*.dtbo \
> +    /${KERNEL_DTBDEST}/*/*.dtb \
> +    /${KERNEL_DTBDEST}/*/*.dtbo \
> +"
>  FILES:${KERNEL_PACKAGE_NAME}-image-zimage-bundle =
> "/${KERNEL_IMAGEDEST}/zImage-*.dtb.bin"
>
>  # Generate kernel+devicetree bundle
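
Review bot: the FILES globs for the -devicetree package stop at one subdirectory level (`/${KERNEL_DTBDEST}/*/*.dtb`), while do_install:append later in this patch installs whatever relative path the KERNEL_DEVICETREE entry carries, so an entry nested two levels deep would be installed but not packaged. Either document that a single vendor directory level is the only supported layout or package the directory recursively. The zimage-bundle FILES line still points at KERNEL_IMAGEDEST; a short comment would help if that is deliberate.
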
> @@ -67,12 +72,16 @@ do_compile:append() {
>  }
>
>  do_install:append() {
> +       install -d ${D}/${KERNEL_DTBDEST}
>         for dtbf in ${KERNEL_DEVICETREE}; do
>                 dtb=`normalize_dtb "$dtbf"`
> -               dtb_ext=${dtb##*.}
> -               dtb_base_name=`basename $dtb .$dtb_ext`
>                 dtb_path=`get_real_dtb_path_in_kernel "$dtb"`
> -               install -m 0644 $dtb_path
> ${D}/${KERNEL_IMAGEDEST}/$dtb_base_name.$dtb_ext
> +               if [ ${KERNEL_DTBVENDORED} == "false" ]; then
> +                       dtb_ext=${dtb##*.}
> +                       dtb_base_name=`basename $dtb .$dtb_ext`
> +                       dtb=$dtb_base_name.$dtb_ext
> +               fi
> +               install -Dm 0644 $dtb_path ${D}/${KERNEL_DTBDEST}/$dtb
>         done
>  }
>
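
Review bot: the new test `[ ${KERNEL_DTBVENDORED} == "false" ]` in do_install:append uses `==`, which POSIX `[` does not define, and leaves the expansion unquoted, so the task fails under a shell such as dash or when the variable expands to nothing. Suggest `if [ "${KERNEL_DTBVENDORED}" = "false" ]; then`, matching the `[ "${KERNEL_IMAGETYPE_SYMLINK}" = "1" ]` form already used in do_deploy:append of this class.
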
> @@ -82,7 +91,10 @@ do_deploy:append() {
>                 dtb_ext=${dtb##*.}
>                 dtb_base_name=`basename $dtb .$dtb_ext`
>                 install -d $deployDir
> -               install -m 0644
> ${D}/${KERNEL_IMAGEDEST}/$dtb_base_name.$dtb_ext
> $deployDir/$dtb_base_name-${KERNEL_DTB_NAME}.$dtb_ext
> +               if [ ${KERNEL_DTBVENDORED} == "false" ]; then
> +                       dtb=$dtb_base_name.$dtb_ext
> +               fi
> +               install -m 0644 ${D}/${KERNEL_DTBDEST}/$dtb
> $deployDir/$dtb_base_name-${KERNEL_DTB_NAME}.$dtb_ext
>                 if [ "${KERNEL_IMAGETYPE_SYMLINK}" = "1" ] ; then
>                         ln -sf $dtb_base_name-${KERNEL_DTB_NAME}.$dtb_ext
> $deployDir/$dtb_base_name.$dtb_ext
>                 fi
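
Review bot: with KERNEL_DTBVENDORED enabled, do_deploy:append still writes to `$deployDir/$dtb_base_name-${KERNEL_DTB_NAME}.$dtb_ext`, so two KERNEL_DEVICETREE entries that share a file name under different vendor directories overwrite each other in the deploy directory. The commit message says the deploydir layout is left flat on purpose; please either detect a duplicate base name and fail, or state the limitation where the variable is defined. The `==` comparison added here has the same portability problem as the one in do_install:append.
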
> diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass
> index b315737fd2..3e3ac2d47d 100644
> --- a/meta/classes/kernel.bbclass
> +++ b/meta/classes/kernel.bbclass
> @@ -210,6 +210,8 @@ KERNEL_RELEASE ?= "${KERNEL_VERSION}"
>  # The directory where built kernel lies in the kernel tree
>  KERNEL_OUTPUT_DIR ?= "arch/${ARCH}/boot"
>  KERNEL_IMAGEDEST ?= "boot"
> +KERNEL_DTBDEST ?= "${KERNEL_IMAGEDEST}"
> +KERNEL_DTBVENDORED ?= "false"
>
>  #
>  # configuration
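
Review bot: KERNEL_DTBDEST and KERNEL_DTBVENDORED are added here without a comment, and nothing validates them: the class only compares KERNEL_DTBVENDORED against the literal "false", so values such as "0" or "no" select the vendored layout. Add a short comment above the two defaults giving the accepted values and the expectation from the commit message that KERNEL_DTBDEST is a subdirectory of KERNEL_IMAGEDEST, or check the values in the class.
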
> --
> 2.34.1
>
>
>
>

^ permalink raw reply	[flat|nested] 26+ messages in thread

* [OE-core][kirkstone 00/15] Patch review
@ 2023-05-09 22:32 Steve Sakoman
  0 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-09 22:32 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for kirkstone and have comments back by
end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5285

The following changes since commit 5fca673d8fe0ee97dc37ed2c9941696842cd667a:

  run-postinsts: Set dependency for ldconfig to avoid boot issues (2023-05-08 04:15:11 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (2):
  git: fix CVE-2023-29007
  git: fix CVE-2023-25652

Bruce Ashfield (1):
  kernel: improve initramfs bundle processing time

Dmitry Baryshkov (1):
  linux-firmware: upgrade 20230210 -> 20230404

Martin Jansa (1):
  populate_sdk_ext.bbclass: set METADATA_REVISION with an DISTRO
    override

Peter Bergin (1):
  update-alternatives.bbclass: fix old override syntax

Peter Marko (1):
  libxml2: patch CVE-2023-28484 and CVE-2023-29469

Piotr Łobacz (1):
  libarchive: Enable acls, xattr for native as well as target

Steve Sakoman (1):
  Revert "xserver-xorg: backport fix for CVE-2023-1393"

Thomas Roos (1):
  oeqa/utils/metadata.py: Fix running oe-selftest running with no distro
    set

Wang Mingyu (2):
  wpebackend-fdo: upgrade 1.14.0 -> 1.14.2
  xserver-xorg: upgrade 21.1.7 -> 21.1.8

Yoann Congal (1):
  linux-yocto: Exclude 121 CVEs already fixed upstream

Zhixiong Chi (1):
  libpam: Fix the xtests/tst-pam_motd[1|3] failures

bkylerussell@gmail.com (1):
  kernel-devsrc: depend on python3-core instead of python3

 meta/classes/kernel.bbclass                   |   2 +-
 meta/classes/populate_sdk_ext.bbclass         |   3 +-
 meta/classes/update-alternatives.bbclass      |   4 +-
 meta/lib/oeqa/utils/metadata.py               |   6 +-
 .../libxml/libxml2/CVE-2023-28484.patch       |  79 ++
 .../libxml/libxml2/CVE-2023-29469.patch       |  42 +
 meta/recipes-core/libxml/libxml2_2.9.14.bb    |   2 +
 .../git/git/CVE-2023-25652.patch              |  94 ++
 .../git/git/CVE-2023-29007.patch              | 162 ++++
 meta/recipes-devtools/git/git_2.35.7.bb       |   2 +
 .../libarchive/libarchive_3.6.2.bb            |   6 +-
 ...rely-on-all-filesystems-providing-a-.patch | 108 +++
 meta/recipes-extended/pam/libpam_1.5.2.bb     |   1 +
 ...posite-Fix-use-after-free-of-the-COW.patch |  46 -
 ...-xorg_21.1.7.bb => xserver-xorg_21.1.8.bb} |   5 +-
 ...20230210.bb => linux-firmware_20230404.bb} |   6 +-
 meta/recipes-kernel/linux/cve-exclusion.inc   | 875 ++++++++++++++++++
 meta/recipes-kernel/linux/kernel-devsrc.bb    |   2 +-
 meta/recipes-kernel/linux/linux-yocto.inc     |   3 +
 ...fdo_1.14.0.bb => wpebackend-fdo_1.14.2.bb} |   2 +-
 20 files changed, 1384 insertions(+), 66 deletions(-)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2023-25652.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2023-29007.patch
 create mode 100644 meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch
 delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch
 rename meta/recipes-graphics/xorg-xserver/{xserver-xorg_21.1.7.bb => xserver-xorg_21.1.8.bb} (80%)
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230210.bb => linux-firmware_20230404.bb} (99%)
 create mode 100644 meta/recipes-kernel/linux/cve-exclusion.inc
 rename meta/recipes-sato/webkit/{wpebackend-fdo_1.14.0.bb => wpebackend-fdo_1.14.2.bb} (90%)

-- 
2.34.1



^ permalink raw reply	[flat|nested] 26+ messages in thread

* [OE-core][kirkstone 00/15] Patch review
@ 2023-12-08  2:33 Steve Sakoman
  0 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-12-08  2:33 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Monday, December 11

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6300

The following changes since commit 11da43b58e19583a9bc16044309610cfb2e86469:

  systemtap_git: fix used uninitialized error (2023-11-28 05:11:52 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Bruce Ashfield (3):
  linux-yocto/5.10: update to v5.10.198
  linux-yocto/5.10: update to v5.10.200
  linux-yocto/5.10: update to v5.10.202

Lee Chee Yang (1):
  xwayland: fix CVE-2023-5367

Narpat Mali (1):
  python3-cryptography: fix CVE-2023-49083

Niko Mauno (1):
  rust-llvm: Allow overriding LLVM target archs

Richard Purdie (5):
  rust-common: Set llvm-target correctly for cross SDK targets
  rust-cross-canadian: Fix ordering of target json config generation
  rust-cross/rust-common: Merge arm target handling code to fix
    cross-canadian
  rust-cross: Simplfy the rust_gen_target calls
  native: Clear TUNE_FEATURES/ABIEXTENSION

Steve Sakoman (1):
  cve-exclusion_5.10.inc: update for 5.10.202

Tim Orling (1):
  vim: upgrade 9.0.2068 -> 9.0.2130

Vivek Kumbhar (1):
  libsndfile: fix CVE-2022-33065 Signed integer overflow in src/mat4.c

Wenlin Kang (1):
  bash: changes to SIGINT handler while waiting for a child

 meta/classes/native.bbclass                   |   2 +
 .../python3-cryptography/CVE-2023-49083.patch |  53 ++++
 .../python/python3-cryptography_36.0.2.bb     |   1 +
 meta/recipes-devtools/rust/rust-common.inc    |  24 +-
 .../rust/rust-cross-canadian-common.inc       |   5 +-
 meta/recipes-devtools/rust/rust-cross.inc     |  21 +-
 meta/recipes-devtools/rust/rust-llvm.inc      |   4 +-
 ...T-handler-while-waiting-for-a-child-.patch | 229 ++++++++++++++++++
 meta/recipes-extended/bash/bash_5.1.16.bb     |   1 +
 .../xwayland/xwayland/CVE-2023-5367.patch     |  85 +++++++
 .../xwayland/xwayland_22.1.8.bb               |   4 +-
 .../linux/cve-exclusion_5.10.inc              |  92 +++++--
 .../linux/linux-yocto-rt_5.10.bb              |   6 +-
 .../linux/linux-yocto-tiny_5.10.bb            |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.10.bb |  24 +-
 .../libsndfile1/CVE-2022-33065.patch          |  46 ++++
 .../libsndfile/libsndfile1_1.0.31.bb          |   1 +
 meta/recipes-support/vim/vim.inc              |   4 +-
 18 files changed, 542 insertions(+), 68 deletions(-)
 create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch
 create mode 100644 meta/recipes-extended/bash/bash/0001-changes-to-SIGINT-handler-while-waiting-for-a-child-.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2023-5367.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch

-- 
2.34.1



^ permalink raw reply	[flat|nested] 26+ messages in thread

* [OE-core][kirkstone 00/15] Patch review
@ 2024-03-20 16:09 Steve Sakoman
  0 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2024-03-20 16:09 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Friday, March 22

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6699

The following changes since commit 2501534c9581c6c3439f525d630be11554a57d24:

  build-appliance-image: Update to kirkstone head revision (2024-03-13 07:39:46 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alex Kiernan (1):
  wireless-regdb: Upgrade 2023.09.01 -> 2024.01.23

Alexander Kanavin (1):
  linux-firmware: upgrade 20231211 -> 20240220

Haitao Liu (1):
  glibc: Fix subscript typos for get_nscd_addresses

Martin Jansa (1):
  stress-ng: avoid calling sync during do_compile

Meenali Gupta (1):
  expat: fix CVE-2023-52426

Michael Halstead (1):
  yocto-uninative: Update to 4.4 for glibc 2.39

Peter Marko (1):
  expat: patch CVE-2024-28757

Vijay Anusuri (1):
  python3-cryptography: Backport fix for CVE-2024-26130

Wang Mingyu (1):
  wireless-regdb: upgrade 2023.05.03 -> 2023.09.01

Yoann Congal (6):
  cve-update-nvd2-native: Fix typo in comment
  cve-update-nvd2-native: Add an age threshold for incremental update
  cve-update-nvd2-native: Remove duplicated CVE_CHECK_DB_FILE definition
  cve-update-nvd2-native: nvd_request_next: Improve comment
  cve-update-nvd2-native: Fix CVE configuration update
  cve-update-nvd2-native: Remove rejected CVE from database

 meta/conf/distro/include/yocto-uninative.inc  |  10 +-
 .../expat/expat/CVE-2023-52426-001.patch      |  35 ++
 .../expat/expat/CVE-2023-52426-002.patch      |  72 +++
 .../expat/expat/CVE-2023-52426-003.patch      |  28 ++
 .../expat/expat/CVE-2023-52426-004.patch      | 429 ++++++++++++++++++
 .../expat/expat/CVE-2023-52426-005.patch      |  34 ++
 .../expat/expat/CVE-2023-52426-006.patch      | 174 +++++++
 .../expat/expat/CVE-2023-52426-007.patch      |  53 +++
 .../expat/expat/CVE-2023-52426-008.patch      |  37 ++
 .../expat/expat/CVE-2023-52426-009.patch      | 354 +++++++++++++++
 .../expat/expat/CVE-2023-52426-010.patch      |  50 ++
 .../expat/expat/CVE-2023-52426-011.patch      |  45 ++
 .../expat/expat/CVE-2024-28757.patch          |  58 +++
 meta/recipes-core/expat/expat_2.5.0.bb        |  12 +
 ...dresses-Fix-subscript-typos-BZ-29605.patch |  40 ++
 meta/recipes-core/glibc/glibc_2.35.bb         |   1 +
 .../meta/cve-update-nvd2-native.bb            |  35 +-
 .../python3-cryptography/CVE-2024-26130.patch |  66 +++
 .../python/python3-cryptography_36.0.2.bb     |   1 +
 .../0001-Makefile-avoid-calling-sync.patch    |  35 ++
 .../stress-ng/stress-ng_0.13.12.bb            |   1 +
 ...20231211.bb => linux-firmware_20240220.bb} |   6 +-
 ....05.03.bb => wireless-regdb_2024.01.23.bb} |   4 +-
 23 files changed, 1562 insertions(+), 18 deletions(-)
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-001.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-002.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-003.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-004.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-005.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-006.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-007.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-008.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-009.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-010.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-011.patch
 create mode 100755 meta/recipes-core/expat/expat/CVE-2024-28757.patch
 create mode 100644 meta/recipes-core/glibc/glibc/0002-get_nscd_addresses-Fix-subscript-typos-BZ-29605.patch
 create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch
 create mode 100644 meta/recipes-extended/stress-ng/stress-ng-0.13.12/0001-Makefile-avoid-calling-sync.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20231211.bb => linux-firmware_20240220.bb} (99%)
 rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2023.05.03.bb => wireless-regdb_2024.01.23.bb} (88%)

-- 
2.34.1



^ permalink raw reply	[flat|nested] 26+ messages in thread

* [OE-core][kirkstone 00/15] Patch review
@ 2024-09-23 13:13 Steve Sakoman
  0 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2024-09-23 13:13 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, September 24

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7353

The following changes since commit 88630352d6d1cfee06787fa84b73ca8ad335cb08:

  libedit: Make docs generation deterministic (2024-09-11 05:03:48 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Colin McAllister (2):
  busybox: Fix cut with "-s" flag
  udev-extraconf: Add collect flag to mount

Divya Chellam (1):
  python3: Upgrade 3.10.14 -> 3.10.15

Konrad Weihmann (3):
  runqemu: keep generating tap devices
  testimage: fallback for empty IMAGE_LINK_NAME
  testexport: fallback for empty IMAGE_LINK_NAME

Michael Halstead (2):
  yocto-uninative: Update to 4.5 for gcc 14
  yocto-uninative: Update to 4.6 for glibc 2.40

Pedro Ferreira (2):
  buildhistory: Fix intermittent package file list creation
  buildhistory: Restoring files from preserve list

Richard Purdie (1):
  buildhistory: Simplify intercept call sites and drop
    SSTATEPOSTINSTFUNC usage

Rohini Sangam (1):
  cups: Security fix for CVE-2024-35235

Ross Burton (1):
  lib/oeqa: rename assertRaisesRegexp to assertRaisesRegex

Vijay Anusuri (1):
  libpcap: Security fix for CVE-2023-7256 & CVE-2024-8006

Vivek Kumbhar (1):
  webkitgtk: Security fix CVE-2024-40779

 meta/classes/buildhistory.bbclass             |  71 ++-
 meta/classes/sstate.bbclass                   |   5 +-
 meta/classes/testexport.bbclass               |   2 +-
 meta/classes/testimage.bbclass                |   4 +-
 meta/conf/distro/include/yocto-uninative.inc  |  10 +-
 meta/lib/oeqa/selftest/cases/runcmd.py        |   4 +-
 .../libpcap/libpcap/CVE-2023-7256-pre1.patch  |  99 ++++
 .../libpcap/libpcap/CVE-2023-7256-pre2.patch  | 131 +++++
 .../libpcap/libpcap/CVE-2023-7256-pre3.patch  |  67 +++
 .../libpcap/libpcap/CVE-2023-7256-pre4.patch  |  37 ++
 .../libpcap/libpcap/CVE-2023-7256.patch       | 368 +++++++++++++
 .../libpcap/libpcap/CVE-2024-8006.patch       |  42 ++
 .../libpcap/libpcap_1.10.1.bb                 |  10 +-
 ...1-cut-Fix-s-flag-to-omit-blank-lines.patch |  66 +++
 meta/recipes-core/busybox/busybox_1.35.0.bb   |   1 +
 .../recipes-core/udev/udev-extraconf/mount.sh |   2 +-
 .../python/python3/CVE-2023-27043.patch       | 510 ------------------
 .../python/python3/CVE-2024-6232.patch        | 251 ---------
 .../python/python3/CVE-2024-7592.patch        | 140 -----
 .../python/python3/CVE-2024-8088.patch        | 124 -----
 ...{python3_3.10.14.bb => python3_3.10.15.bb} |   6 +-
 meta/recipes-extended/cups/cups.inc           |   1 +
 .../cups/cups/CVE-2024-35235.patch            | 121 +++++
 .../webkit/webkitgtk/CVE-2024-40779.patch     |  91 ++++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
 scripts/runqemu                               |  24 +-
 26 files changed, 1109 insertions(+), 1079 deletions(-)
 create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre1.patch
 create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre2.patch
 create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre3.patch
 create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre4.patch
 create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256.patch
 create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2024-8006.patch
 create mode 100644 meta/recipes-core/busybox/busybox/0001-cut-Fix-s-flag-to-omit-blank-lines.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2023-27043.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2024-6232.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2024-7592.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2024-8088.patch
 rename meta/recipes-devtools/python/{python3_3.10.14.bb => python3_3.10.15.bb} (98%)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2024-35235.patch
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2024-40779.patch

-- 
2.34.1



^ permalink raw reply	[flat|nested] 26+ messages in thread

* [OE-core][kirkstone 00/15] Patch review
@ 2025-02-27 17:39 Steve Sakoman
  0 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2025-02-27 17:39 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Monday, March 3

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1094

The following changes since commit 73b5570a16708d1e749b1ec525299d10557cbf56:

  vim: Upgrade 9.1.0764 -> 9.1.1043 (2025-02-24 06:54:05 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Guocai He (2):
  tzcode: Update SRC_URI
  xz: Update SRC_URI

Jiaying Song (1):
  boost: fix do_fetch error

Libo Chen (1):
  virglrenderer: fix do_fetch error

Moritz Haase (1):
  meta: Enable '-o pipefail' for the SDK installer

Narpat Mali (1):
  systemd: upgrade 250.5 -> 250.14

Vijay Anusuri (9):
  xserver-xorg: Fix for CVE-2025-26594
  xserver-xorg: Fix for CVE-2025-26595
  xserver-xorg: Fix for CVE-2025-26596
  xserver-xorg: Fix for CVE-2025-26597
  xserver-xorg: Fix for CVE-2025-26598
  xserver-xorg: Fix for CVE-2025-26599
  xserver-xorg: Fix for CVE-2025-26600
  xserver-xorg: Fix for CVE-2025-26601
  bind: Upgrade 9.18.28 -> 9.18.33

 meta/files/toolchain-shar-extract.sh          |   5 +
 .../bind/{bind_9.18.28.bb => bind_9.18.33.bb} |   2 +-
 ...d-boot_250.5.bb => systemd-boot_250.14.bb} |   0
 meta/recipes-core/systemd/systemd.inc         |   2 +-
 .../0001-Adjust-for-musl-headers.patch        |  20 +-
 ...sysctl.d-binfmt.d-modules-load.d-to-.patch |  18 +-
 ...1-core-fix-build-when-seccomp-is-off.patch |  41 ++
 ...ass-correct-parameters-to-getdents64.patch |  49 ++-
 ...w-json_variant_dump-to-return-an-err.patch |  60 ---
 .../0002-Add-sys-stat.h-for-S_IFDIR.patch     |   6 +-
 ...3-missing_type.h-add-comparison_fn_t.patch |   6 +-
 ...k-parse_printf_format-implementation.patch |   6 +-
 ...missing.h-check-for-missing-strndupa.patch |  62 ++-
 ...OB_BRACE-and-GLOB_ALTDIRFUNC-is-not-.patch |   8 +-
 ...008-add-missing-FTW_-macros-for-musl.patch |   4 +-
 ..._register_atfork-for-non-glibc-build.patch |   6 +-
 ...10-Use-uintmax_t-for-handling-rlim_t.patch |   6 +-
 ...sable-tests-for-missing-typedefs-in-.patch |   2 +-
 ...T_SYMLINK_NOFOLLOW-flag-to-faccessat.patch |   4 +-
 ...patible-basename-for-non-glibc-syste.patch |   2 +-
 ...uffering-when-writing-to-oom_score_a.patch |   6 +-
 ...compliant-strerror_r-from-GNU-specif.patch |   2 +-
 ...definition-of-prctl_mm_map-structure.patch |   2 +-
 .../0021-test-json.c-define-M_PIl.patch       |   4 +-
 ...-not-disable-buffer-in-writing-files.patch |  38 +-
 .../0025-Handle-__cpu_mask-usage.patch        |   2 +-
 .../systemd/0026-Handle-missing-gshadow.patch |   4 +-
 ...l.h-Define-MIPS-ABI-defines-for-musl.patch |   4 +-
 .../systemd/systemd/CVE-2022-3821.patch       |  45 --
 .../systemd/systemd/CVE-2022-4415-1.patch     | 109 -----
 .../systemd/systemd/CVE-2022-4415-2.patch     | 391 ------------------
 .../systemd/systemd/CVE-2022-45873.patch      | 124 ------
 .../systemd/systemd/CVE-2023-7008.patch       |  40 --
 .../{systemd_250.5.bb => systemd_250.14.bb}   |   7 +-
 meta/recipes-extended/timezone/timezone.inc   |   8 +-
 meta/recipes-extended/xz/xz_5.2.6.bb          |   2 +-
 .../virglrenderer/virglrenderer_0.9.1.bb      |   2 +-
 .../xserver-xorg/CVE-2025-26594-1.patch       |  54 +++
 .../xserver-xorg/CVE-2025-26594-2.patch       |  51 +++
 .../xserver-xorg/CVE-2025-26595.patch         |  65 +++
 .../xserver-xorg/CVE-2025-26596.patch         |  49 +++
 .../xserver-xorg/CVE-2025-26597.patch         |  46 +++
 .../xserver-xorg/CVE-2025-26598.patch         | 120 ++++++
 .../xserver-xorg/CVE-2025-26599-1.patch       |  66 +++
 .../xserver-xorg/CVE-2025-26599-2.patch       | 129 ++++++
 .../xserver-xorg/CVE-2025-26600.patch         |  68 +++
 .../xserver-xorg/CVE-2025-26601-1.patch       |  71 ++++
 .../xserver-xorg/CVE-2025-26601-2.patch       |  85 ++++
 .../xserver-xorg/CVE-2025-26601-3.patch       |  52 +++
 .../xserver-xorg/CVE-2025-26601-4.patch       | 132 ++++++
 .../xorg-xserver/xserver-xorg_21.1.8.bb       |  13 +
 meta/recipes-support/boost/boost-1.78.0.inc   |   2 +-
 52 files changed, 1201 insertions(+), 901 deletions(-)
 rename meta/recipes-connectivity/bind/{bind_9.18.28.bb => bind_9.18.33.bb} (97%)
 rename meta/recipes-core/systemd/{systemd-boot_250.5.bb => systemd-boot_250.14.bb} (100%)
 create mode 100644 meta/recipes-core/systemd/systemd/0001-core-fix-build-when-seccomp-is-off.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/0001-shared-json-allow-json_variant_dump-to-return-an-err.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/CVE-2022-3821.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/CVE-2022-4415-1.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/CVE-2022-4415-2.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/CVE-2022-45873.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-7008.patch
 rename meta/recipes-core/systemd/{systemd_250.5.bb => systemd_250.14.bb} (99%)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-1.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-2.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26595.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26596.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26597.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26598.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26599-1.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26599-2.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26600.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-1.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-2.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-3.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-4.patch

-- 
2.43.0



^ permalink raw reply	[flat|nested] 26+ messages in thread

* [OE-core][kirkstone 00/15] Patch review
@ 2025-05-13 19:07 Steve Sakoman
  0 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2025-05-13 19:07 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, May 15

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1582

The following changes since commit 00f7a2f60dd6de95a1a47fa642978613ce76dc56:

  glibc: Add single-threaded fast path to rand() (2025-05-09 09:01:16 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Aleksandar Nikolic (1):
  scripts/install-buildtools: Update to 4.0.26

Alexander Kanavin (1):
  perl: enable _GNU_SOURCE define via d_gnulibc

Alon Bar-Lev (1):
  module.bbclass: add KBUILD_EXTRA_SYMBOLS to install

Deepesh Varatharajan (1):
  glibc: stable 2.35 branch updates

Peter Marko (1):
  perl: patch CVE-2024-56406

Vijay Anusuri (10):
  libsoup-2.4: Update fix CVE-2024-52532
  libsoup-2.4: Fix CVE-2025-32906
  libsoup-2.4: Fix CVE-2025-32909
  libsoup: update fix CVE-2024-52532
  libsoup: Fix CVE-2025-32906
  libsoup: Fix CVE-2025-32909
  libsoup: Fix CVE-2025-32910
  libsoup: Fix CVE-2025-32911 & CVE-2025-32913
  libsoup: Fix CVE-2025-32912
  libsoup: Fix CVE-2025-32914

 meta/classes/module.bbclass                   |   1 +
 meta/recipes-core/glibc/glibc-version.inc     |   2 +-
 ...4-56406-Heap-buffer-overflow-with-tr.patch |  30 ++++
 meta/recipes-devtools/perl/perl_5.34.3.bb     |   2 +
 .../libsoup-2.4/CVE-2024-52532-3.patch        |  46 ++++++
 .../libsoup-2.4/CVE-2025-32906-1.patch        |  61 +++++++
 .../libsoup-2.4/CVE-2025-32906-2.patch        |  83 ++++++++++
 .../libsoup/libsoup-2.4/CVE-2025-32909.patch  |  36 +++++
 .../libsoup/libsoup-2.4_2.74.2.bb             |   4 +
 .../libsoup/libsoup/CVE-2024-52532-3.patch    |  46 ++++++
 .../libsoup/libsoup/CVE-2025-32906-1.patch    |  61 +++++++
 .../libsoup/libsoup/CVE-2025-32906-2.patch    |  83 ++++++++++
 .../libsoup/libsoup/CVE-2025-32909.patch      |  36 +++++
 .../libsoup/libsoup/CVE-2025-32910-1.patch    |  98 ++++++++++++
 .../libsoup/libsoup/CVE-2025-32910-2.patch    | 149 ++++++++++++++++++
 .../libsoup/libsoup/CVE-2025-32910-3.patch    |  27 ++++
 .../CVE-2025-32911_CVE-2025-32913-1.patch     |  72 +++++++++
 .../CVE-2025-32911_CVE-2025-32913-2.patch     |  44 ++++++
 .../libsoup/libsoup/CVE-2025-32912-1.patch    |  41 +++++
 .../libsoup/libsoup/CVE-2025-32912-2.patch    |  30 ++++
 .../libsoup/libsoup/CVE-2025-32914.patch      | 111 +++++++++++++
 meta/recipes-support/libsoup/libsoup_3.0.7.bb |  12 ++
 scripts/install-buildtools                    |   4 +-
 23 files changed, 1076 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-devtools/perl/files/0001-CVE-2024-56406-Heap-buffer-overflow-with-tr.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2024-52532-3.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32906-1.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32906-2.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32909.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32910-1.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32910-2.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32910-3.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32911_CVE-2025-32913-1.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32911_CVE-2025-32913-2.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32912-1.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32912-2.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32914.patch

-- 
2.43.0




* [OE-core][kirkstone 00/15] Patch review
@ 2025-06-10 19:38 Steve Sakoman
  0 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2025-06-10 19:38 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, June 12

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1770

The following changes since commit 415e73d53e5342f3f6ff6acd521ded2df3fbca1f:

  nfs-utils: don't use signals to shut down nfs server. (2025-05-29 08:22:59 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (4):
  ghostscript: fix CVE-2025-48708
  ffmpeg: upgrade 5.0.1 -> 5.0.3
  ffmpeg: fix CVE-2025-22919
  ffmpeg: fix CVE-2025-22921

Deepesh Varatharajan (1):
  binutils: Fix CVE-2025-5244 & CVE-2025-5245

Divya Chellam (2):
  screen: fix CVE-2025-46802
  screen: fix CVE-2025-46804

Harish Sadineni (1):
  binutils: add CVE-2025-1182 patch file to SRC_URI

Hitendra Prajapati (1):
  icu: fix CVE-2025-5222

Jiaying Song (1):
  taglib: fix CVE-2023-47466

Martin Jansa (1):
  kernel.bbclass: add original package name to RPROVIDES for -image and
    -base

Peter Marko (1):
  python3: upgrade 3.10.16 -> 3.10.18

Vijay Anusuri (3):
  libsoup-2.4: Backport auth tests for CVE-2025-32910
  python3-setuptools: Fix CVE-2025-47273
  git: Fix CVE-2024-50349 and CVE-2024-52006

 meta/classes/kernel.bbclass                   |   3 +-
 .../binutils/binutils-2.38.inc                |   3 +
 .../binutils/0040-CVE-2025-1182.patch         |  18 +-
 .../binutils/0041-CVE-2025-5244.patch         |  25 ++
 .../binutils/0042-CVE-2025-5245.patch         |  38 +++
 .../git/git/CVE-2024-50349-0001.patch         | 100 ++++++
 .../git/git/CVE-2024-50349-0002.patch         | 321 ++++++++++++++++++
 .../git/git/CVE-2024-52006.patch              | 165 +++++++++
 meta/recipes-devtools/git/git_2.35.7.bb       |   3 +
 .../CVE-2025-47273-pre1.patch                 |  54 +++
 .../python3-setuptools/CVE-2025-47273.patch   |  59 ++++
 .../python/python3-setuptools_59.5.0.bb       |   2 +
 ...ib-termcap-to-linker-flags-to-avoid-.patch |   2 +-
 ...hell-version-of-python-config-that-w.patch |   2 +-
 ...file-do-not-compile-.pyc-in-parallel.patch |   2 +-
 ...sts-due-to-load-variability-on-YP-AB.patch |   6 +-
 ...e-treat-overflow-in-UID-GID-as-failu.patch |   2 +-
 ...asename-to-replace-CC-for-checking-c.patch |  16 +-
 ...detect-multiarch-paths-when-cross-co.patch |   2 +-
 ...orlines-skip-due-to-load-variability.patch |   2 +-
 ...report-missing-dependencies-for-disa.patch |   2 +-
 ...up.py-do-not-add-a-curses-include-pa.patch |   4 +-
 .../python/python3/CVE-2025-0938.patch        | 131 -------
 .../python3/avoid_warning_about_tkinter.patch |   2 +-
 .../python/python3/makerace.patch             |   2 +-
 ...{python3_3.10.16.bb => python3_3.10.18.bb} |   3 +-
 .../ghostscript/CVE-2025-48708.patch          |  46 +++
 .../ghostscript/ghostscript_9.55.0.bb         |   1 +
 .../screen/screen/CVE-2025-46802.patch        | 146 ++++++++
 .../screen/screen/CVE-2025-46804.patch        | 131 +++++++
 meta/recipes-extended/screen/screen_4.9.0.bb  |   2 +
 .../ffmpeg/ffmpeg/CVE-2024-36613.patch        |  18 +-
 .../ffmpeg/ffmpeg/CVE-2025-22919.patch        |  41 +++
 .../ffmpeg/ffmpeg/CVE-2025-22921.patch        |  34 ++
 .../{ffmpeg_5.0.1.bb => ffmpeg_5.0.3.bb}      |   9 +-
 .../icu/icu/CVE-2025-5222.patch               | 164 +++++++++
 meta/recipes-support/icu/icu_70.1.bb          |   1 +
 ...ckport-auth-tests-for-CVE-2025-32910.patch |  76 +++++
 .../libsoup/libsoup-2.4_2.74.2.bb             |   1 +
 .../taglib/files/CVE-2023-47466.patch         |  38 +++
 meta/recipes-support/taglib/taglib_1.12.bb    |   4 +-
 41 files changed, 1500 insertions(+), 181 deletions(-)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0041-CVE-2025-5244.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0042-CVE-2025-5245.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2024-50349-0001.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2024-50349-0002.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2024-52006.patch
 create mode 100644 meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch
 create mode 100644 meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2025-0938.patch
 rename meta/recipes-devtools/python/{python3_3.10.16.bb => python3_3.10.18.bb} (99%)
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-48708.patch
 create mode 100644 meta/recipes-extended/screen/screen/CVE-2025-46802.patch
 create mode 100644 meta/recipes-extended/screen/screen/CVE-2025-46804.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22919.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22921.patch
 rename meta/recipes-multimedia/ffmpeg/{ffmpeg_5.0.1.bb => ffmpeg_5.0.3.bb} (96%)
 create mode 100644 meta/recipes-support/icu/icu/CVE-2025-5222.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/Backport-auth-tests-for-CVE-2025-32910.patch
 create mode 100644 meta/recipes-support/taglib/files/CVE-2023-47466.patch

-- 
2.43.0


