[OE-core][kirkstone 00/27] Patch review

[OE-core][kirkstone 00/27] Patch review

[Steve Sakoman]

Please review this set of patches for kirkstone and have comments back by
end of day Friday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3547

The following changes since commit d2ba3b8850d461bc7b773240cdf15b22b31a3f9e:

  lua: fix CVE-2022-28805 (2022-04-19 14:02:08 +0100)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alexander Kanavin (1):
  webkitgtk: adjust patch status

Davide Gardenal (1):
  create-spdx: fix error when symlink cannot be created

Ferry Toth (2):
  apt: add apt selftest to test signed package feeds
  package_manager: fix missing dependency on gnupg when signing deb
    package feeds

Jon Mason (1):
  qemuarm64: use virtio pci interfaces

Kai Kang (1):
  update_udev_hwdb: fix multilib issue with systemd

Khem Raj (5):
  babeltrace: Disable warnings as errors
  xserver-xorg: Fix build with gcc12
  systemtap: Fix build with gcc-12
  gnupg: Disable FORTIFY_SOURCES on mips
  mdadm: Drop clang specific cflags

Konrad Weihmann (2):
  git: correct license
  ncurses: use COPYING file

Martin Jansa (1):
  systemd-boot: remove outdated EFI_LD comment

Paulo Neves (1):
  selftest/lic_checksum: Add test for filename containing space

Peter Kjellerstedt (2):
  u-boot: Correct the SRC_URI
  u-boot: Inherit pkgconfig

Richard Purdie (1):
  buildtools-tarball: Only add cert envvars if certs are included

Ross Burton (1):
  zlib: upgrade to 1.2.12

wangmy (5):
  linux-firmware: upgrade 20220310 -> 20220411
  libsoup: upgrade 3.0.5 -> 3.0.6
  apt: upgrade 2.4.3 -> 2.4.4
  libusb1: upgrade 1.0.25 -> 1.0.26
  libgit2: upgrade 1.4.2 -> 1.4.3

zhengruoqin (3):
  wireless-regdb: upgrade 2022.02.18 -> 2022.04.08
  git: upgrade 2.35.2 -> 2.35.3
  ruby: upgrade 3.1.1 -> 3.1.2

 meta/classes/create-spdx.bbclass              |  10 +-
 meta/classes/sign_package_feed.bbclass        |   1 +
 meta/conf/machine/qemuarm64.conf              |   8 +-
 meta/lib/oeqa/runtime/cases/apt.py            |  38 +-
 meta/lib/oeqa/selftest/cases/lic_checksum.py  |  18 +
 meta/lib/oeqa/selftest/cases/runtime_test.py  |  38 ++
 meta/recipes-bsp/u-boot/u-boot-common.inc     |   6 +-
 meta/recipes-core/meta/buildtools-tarball.bb  |   6 +-
 meta/recipes-core/ncurses/ncurses.inc         |   2 +-
 .../systemd/systemd-boot_250.4.bb             |   1 -
 meta/recipes-core/systemd/systemd_250.4.bb    |   5 -
 meta/recipes-core/udev/eudev_3.2.10.bb        |   4 -
 ...configure-Pass-LDFLAGS-to-link-tests.patch |  25 +-
 .../zlib/zlib/CVE-2018-25032.patch            | 347 ------------------
 meta/recipes-core/zlib/zlib/cc.patch          |  27 ++
 .../zlib/{zlib_1.2.11.bb => zlib_1.2.12.bb}   |   7 +-
 .../apt/{apt_2.4.3.bb => apt_2.4.4.bb}        |   2 +-
 .../git/{git_2.35.2.bb => git_2.35.3.bb}      |  15 +-
 .../ruby/{ruby_3.1.1.bb => ruby_3.1.2.bb}     |   2 +-
 meta/recipes-extended/mdadm/mdadm_4.2.bb      |   2 -
 .../0001-render-Fix-build-with-gcc-12.patch   |  90 +++++
 .../xorg-xserver/xserver-xorg_21.1.3.bb       |   1 +
 ...20220310.bb => linux-firmware_20220411.bb} |   4 +-
 .../recipes-kernel/lttng/babeltrace2_2.0.4.bb |   2 +-
 ...ility-re-tweak-for-rhel6-use-functio.patch |  49 +++
 .../recipes-kernel/systemtap/systemtap_git.bb |   3 +-
 ....02.18.bb => wireless-regdb_2022.04.08.bb} |   2 +-
 ...spection.cmake-prefix-variables-obta.patch |   5 +-
 meta/recipes-support/gnupg/gnupg_2.3.4.bb     |   3 +
 .../{libgit2_1.4.2.bb => libgit2_1.4.3.bb}    |   2 +-
 .../{libsoup_3.0.5.bb => libsoup_3.0.6.bb}    |   2 +-
 .../{libusb1_1.0.25.bb => libusb1_1.0.26.bb}  |   2 +-
 scripts/postinst-intercepts/update_udev_hwdb  |   5 +-
 33 files changed, 322 insertions(+), 412 deletions(-)
 delete mode 100644 meta/recipes-core/zlib/zlib/CVE-2018-25032.patch
 create mode 100644 meta/recipes-core/zlib/zlib/cc.patch
 rename meta/recipes-core/zlib/{zlib_1.2.11.bb => zlib_1.2.12.bb} (83%)
 rename meta/recipes-devtools/apt/{apt_2.4.3.bb => apt_2.4.4.bb} (97%)
 rename meta/recipes-devtools/git/{git_2.35.2.bb => git_2.35.3.bb} (86%)
 rename meta/recipes-devtools/ruby/{ruby_3.1.1.bb => ruby_3.1.2.bb} (97%)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-render-Fix-build-with-gcc-12.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20220310.bb => linux-firmware_20220411.bb} (99%)
 create mode 100644 meta/recipes-kernel/systemtap/systemtap/0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch
 rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2022.02.18.bb => wireless-regdb_2022.04.08.bb} (94%)
 rename meta/recipes-support/libgit2/{libgit2_1.4.2.bb => libgit2_1.4.3.bb} (91%)
 rename meta/recipes-support/libsoup/{libsoup_3.0.5.bb => libsoup_3.0.6.bb} (94%)
 rename meta/recipes-support/libusb/{libusb1_1.0.25.bb => libusb1_1.0.26.bb} (94%)

-- 
2.25.1

Re: [OE-core][kirkstone 00/27] Patch review

[Steve Sakoman]

On Wed, Apr 20, 2022 at 4:08 AM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> Please review this set of patches for kirkstone and have comments back by
> end of day Friday.

I'd particularly like feedback on the security/bug fix version updates
at the end of this series.

In the past I took these only on request.

Would people like me to be more proactive on this type of upgrade
(such as this series), or should I continue to take them only on
request?

Steve

>
> Passed a-full on autobuilder:
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3547
>
> The following changes since commit d2ba3b8850d461bc7b773240cdf15b22b31a3f9e:
>
>   lua: fix CVE-2022-28805 (2022-04-19 14:02:08 +0100)
>
> are available in the Git repository at:
>
>   git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
>   http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
>
> Alexander Kanavin (1):
>   webkitgtk: adjust patch status
>
> Davide Gardenal (1):
>   create-spdx: fix error when symlink cannot be created
>
> Ferry Toth (2):
>   apt: add apt selftest to test signed package feeds
>   package_manager: fix missing dependency on gnupg when signing deb
>     package feeds
>
> Jon Mason (1):
>   qemuarm64: use virtio pci interfaces
>
> Kai Kang (1):
>   update_udev_hwdb: fix multilib issue with systemd
>
> Khem Raj (5):
>   babeltrace: Disable warnings as errors
>   xserver-xorg: Fix build with gcc12
>   systemtap: Fix build with gcc-12
>   gnupg: Disable FORTIFY_SOURCES on mips
>   mdadm: Drop clang specific cflags
>
> Konrad Weihmann (2):
>   git: correct license
>   ncurses: use COPYING file
>
> Martin Jansa (1):
>   systemd-boot: remove outdated EFI_LD comment
>
> Paulo Neves (1):
>   selftest/lic_checksum: Add test for filename containing space
>
> Peter Kjellerstedt (2):
>   u-boot: Correct the SRC_URI
>   u-boot: Inherit pkgconfig
>
> Richard Purdie (1):
>   buildtools-tarball: Only add cert envvars if certs are included
>
> Ross Burton (1):
>   zlib: upgrade to 1.2.12
>
> wangmy (5):
>   linux-firmware: upgrade 20220310 -> 20220411
>   libsoup: upgrade 3.0.5 -> 3.0.6
>   apt: upgrade 2.4.3 -> 2.4.4
>   libusb1: upgrade 1.0.25 -> 1.0.26
>   libgit2: upgrade 1.4.2 -> 1.4.3
>
> zhengruoqin (3):
>   wireless-regdb: upgrade 2022.02.18 -> 2022.04.08
>   git: upgrade 2.35.2 -> 2.35.3
>   ruby: upgrade 3.1.1 -> 3.1.2
>
>  meta/classes/create-spdx.bbclass              |  10 +-
>  meta/classes/sign_package_feed.bbclass        |   1 +
>  meta/conf/machine/qemuarm64.conf              |   8 +-
>  meta/lib/oeqa/runtime/cases/apt.py            |  38 +-
>  meta/lib/oeqa/selftest/cases/lic_checksum.py  |  18 +
>  meta/lib/oeqa/selftest/cases/runtime_test.py  |  38 ++
>  meta/recipes-bsp/u-boot/u-boot-common.inc     |   6 +-
>  meta/recipes-core/meta/buildtools-tarball.bb  |   6 +-
>  meta/recipes-core/ncurses/ncurses.inc         |   2 +-
>  .../systemd/systemd-boot_250.4.bb             |   1 -
>  meta/recipes-core/systemd/systemd_250.4.bb    |   5 -
>  meta/recipes-core/udev/eudev_3.2.10.bb        |   4 -
>  ...configure-Pass-LDFLAGS-to-link-tests.patch |  25 +-
>  .../zlib/zlib/CVE-2018-25032.patch            | 347 ------------------
>  meta/recipes-core/zlib/zlib/cc.patch          |  27 ++
>  .../zlib/{zlib_1.2.11.bb => zlib_1.2.12.bb}   |   7 +-
>  .../apt/{apt_2.4.3.bb => apt_2.4.4.bb}        |   2 +-
>  .../git/{git_2.35.2.bb => git_2.35.3.bb}      |  15 +-
>  .../ruby/{ruby_3.1.1.bb => ruby_3.1.2.bb}     |   2 +-
>  meta/recipes-extended/mdadm/mdadm_4.2.bb      |   2 -
>  .../0001-render-Fix-build-with-gcc-12.patch   |  90 +++++
>  .../xorg-xserver/xserver-xorg_21.1.3.bb       |   1 +
>  ...20220310.bb => linux-firmware_20220411.bb} |   4 +-
>  .../recipes-kernel/lttng/babeltrace2_2.0.4.bb |   2 +-
>  ...ility-re-tweak-for-rhel6-use-functio.patch |  49 +++
>  .../recipes-kernel/systemtap/systemtap_git.bb |   3 +-
>  ....02.18.bb => wireless-regdb_2022.04.08.bb} |   2 +-
>  ...spection.cmake-prefix-variables-obta.patch |   5 +-
>  meta/recipes-support/gnupg/gnupg_2.3.4.bb     |   3 +
>  .../{libgit2_1.4.2.bb => libgit2_1.4.3.bb}    |   2 +-
>  .../{libsoup_3.0.5.bb => libsoup_3.0.6.bb}    |   2 +-
>  .../{libusb1_1.0.25.bb => libusb1_1.0.26.bb}  |   2 +-
>  scripts/postinst-intercepts/update_udev_hwdb  |   5 +-
>  33 files changed, 322 insertions(+), 412 deletions(-)
>  delete mode 100644 meta/recipes-core/zlib/zlib/CVE-2018-25032.patch
>  create mode 100644 meta/recipes-core/zlib/zlib/cc.patch
>  rename meta/recipes-core/zlib/{zlib_1.2.11.bb => zlib_1.2.12.bb} (83%)
>  rename meta/recipes-devtools/apt/{apt_2.4.3.bb => apt_2.4.4.bb} (97%)
>  rename meta/recipes-devtools/git/{git_2.35.2.bb => git_2.35.3.bb} (86%)
>  rename meta/recipes-devtools/ruby/{ruby_3.1.1.bb => ruby_3.1.2.bb} (97%)
>  create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-render-Fix-build-with-gcc-12.patch
>  rename meta/recipes-kernel/linux-firmware/{linux-firmware_20220310.bb => linux-firmware_20220411.bb} (99%)
>  create mode 100644 meta/recipes-kernel/systemtap/systemtap/0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch
>  rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2022.02.18.bb => wireless-regdb_2022.04.08.bb} (94%)
>  rename meta/recipes-support/libgit2/{libgit2_1.4.2.bb => libgit2_1.4.3.bb} (91%)
>  rename meta/recipes-support/libsoup/{libsoup_3.0.5.bb => libsoup_3.0.6.bb} (94%)
>  rename meta/recipes-support/libusb/{libusb1_1.0.25.bb => libusb1_1.0.26.bb} (94%)
>
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#164668): https://lists.openembedded.org/g/openembedded-core/message/164668
> Mute This Topic: https://lists.openembedded.org/mt/90584508/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Re: [OE-core][kirkstone 00/27] Patch review

[Khem Raj]

On Wed, Apr 20, 2022 at 7:54 AM Steve Sakoman <steve@sakoman.com> wrote:
>
> On Wed, Apr 20, 2022 at 4:08 AM Steve Sakoman via
> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
> wrote:
> >
> > Please review this set of patches for kirkstone and have comments back by
> > end of day Friday.
>
> I'd particularly like feedback on the security/bug fix version updates
> at the end of this series.
>
> In the past I took these only on request.
>
> Would people like me to be more proactive on this type of upgrade
> (such as this series), or should I continue to take them only on
> request?

I think being proactive would be fine

>
> Steve
>
> >
> > Passed a-full on autobuilder:
> >
> > https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3547
> >
> > The following changes since commit d2ba3b8850d461bc7b773240cdf15b22b31a3f9e:
> >
> >   lua: fix CVE-2022-28805 (2022-04-19 14:02:08 +0100)
> >
> > are available in the Git repository at:
> >
> >   git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
> >   http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
> >
> > Alexander Kanavin (1):
> >   webkitgtk: adjust patch status
> >
> > Davide Gardenal (1):
> >   create-spdx: fix error when symlink cannot be created
> >
> > Ferry Toth (2):
> >   apt: add apt selftest to test signed package feeds
> >   package_manager: fix missing dependency on gnupg when signing deb
> >     package feeds
> >
> > Jon Mason (1):
> >   qemuarm64: use virtio pci interfaces
> >
> > Kai Kang (1):
> >   update_udev_hwdb: fix multilib issue with systemd
> >
> > Khem Raj (5):
> >   babeltrace: Disable warnings as errors
> >   xserver-xorg: Fix build with gcc12
> >   systemtap: Fix build with gcc-12
> >   gnupg: Disable FORTIFY_SOURCES on mips
> >   mdadm: Drop clang specific cflags
> >
> > Konrad Weihmann (2):
> >   git: correct license
> >   ncurses: use COPYING file
> >
> > Martin Jansa (1):
> >   systemd-boot: remove outdated EFI_LD comment
> >
> > Paulo Neves (1):
> >   selftest/lic_checksum: Add test for filename containing space
> >
> > Peter Kjellerstedt (2):
> >   u-boot: Correct the SRC_URI
> >   u-boot: Inherit pkgconfig
> >
> > Richard Purdie (1):
> >   buildtools-tarball: Only add cert envvars if certs are included
> >
> > Ross Burton (1):
> >   zlib: upgrade to 1.2.12
> >
> > wangmy (5):
> >   linux-firmware: upgrade 20220310 -> 20220411
> >   libsoup: upgrade 3.0.5 -> 3.0.6
> >   apt: upgrade 2.4.3 -> 2.4.4
> >   libusb1: upgrade 1.0.25 -> 1.0.26
> >   libgit2: upgrade 1.4.2 -> 1.4.3
> >
> > zhengruoqin (3):
> >   wireless-regdb: upgrade 2022.02.18 -> 2022.04.08
> >   git: upgrade 2.35.2 -> 2.35.3
> >   ruby: upgrade 3.1.1 -> 3.1.2
> >
> >  meta/classes/create-spdx.bbclass              |  10 +-
> >  meta/classes/sign_package_feed.bbclass        |   1 +
> >  meta/conf/machine/qemuarm64.conf              |   8 +-
> >  meta/lib/oeqa/runtime/cases/apt.py            |  38 +-
> >  meta/lib/oeqa/selftest/cases/lic_checksum.py  |  18 +
> >  meta/lib/oeqa/selftest/cases/runtime_test.py  |  38 ++
> >  meta/recipes-bsp/u-boot/u-boot-common.inc     |   6 +-
> >  meta/recipes-core/meta/buildtools-tarball.bb  |   6 +-
> >  meta/recipes-core/ncurses/ncurses.inc         |   2 +-
> >  .../systemd/systemd-boot_250.4.bb             |   1 -
> >  meta/recipes-core/systemd/systemd_250.4.bb    |   5 -
> >  meta/recipes-core/udev/eudev_3.2.10.bb        |   4 -
> >  ...configure-Pass-LDFLAGS-to-link-tests.patch |  25 +-
> >  .../zlib/zlib/CVE-2018-25032.patch            | 347 ------------------
> >  meta/recipes-core/zlib/zlib/cc.patch          |  27 ++
> >  .../zlib/{zlib_1.2.11.bb => zlib_1.2.12.bb}   |   7 +-
> >  .../apt/{apt_2.4.3.bb => apt_2.4.4.bb}        |   2 +-
> >  .../git/{git_2.35.2.bb => git_2.35.3.bb}      |  15 +-
> >  .../ruby/{ruby_3.1.1.bb => ruby_3.1.2.bb}     |   2 +-
> >  meta/recipes-extended/mdadm/mdadm_4.2.bb      |   2 -
> >  .../0001-render-Fix-build-with-gcc-12.patch   |  90 +++++
> >  .../xorg-xserver/xserver-xorg_21.1.3.bb       |   1 +
> >  ...20220310.bb => linux-firmware_20220411.bb} |   4 +-
> >  .../recipes-kernel/lttng/babeltrace2_2.0.4.bb |   2 +-
> >  ...ility-re-tweak-for-rhel6-use-functio.patch |  49 +++
> >  .../recipes-kernel/systemtap/systemtap_git.bb |   3 +-
> >  ....02.18.bb => wireless-regdb_2022.04.08.bb} |   2 +-
> >  ...spection.cmake-prefix-variables-obta.patch |   5 +-
> >  meta/recipes-support/gnupg/gnupg_2.3.4.bb     |   3 +
> >  .../{libgit2_1.4.2.bb => libgit2_1.4.3.bb}    |   2 +-
> >  .../{libsoup_3.0.5.bb => libsoup_3.0.6.bb}    |   2 +-
> >  .../{libusb1_1.0.25.bb => libusb1_1.0.26.bb}  |   2 +-
> >  scripts/postinst-intercepts/update_udev_hwdb  |   5 +-
> >  33 files changed, 322 insertions(+), 412 deletions(-)
> >  delete mode 100644 meta/recipes-core/zlib/zlib/CVE-2018-25032.patch
> >  create mode 100644 meta/recipes-core/zlib/zlib/cc.patch
> >  rename meta/recipes-core/zlib/{zlib_1.2.11.bb => zlib_1.2.12.bb} (83%)
> >  rename meta/recipes-devtools/apt/{apt_2.4.3.bb => apt_2.4.4.bb} (97%)
> >  rename meta/recipes-devtools/git/{git_2.35.2.bb => git_2.35.3.bb} (86%)
> >  rename meta/recipes-devtools/ruby/{ruby_3.1.1.bb => ruby_3.1.2.bb} (97%)
> >  create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-render-Fix-build-with-gcc-12.patch
> >  rename meta/recipes-kernel/linux-firmware/{linux-firmware_20220310.bb => linux-firmware_20220411.bb} (99%)
> >  create mode 100644 meta/recipes-kernel/systemtap/systemtap/0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch
> >  rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2022.02.18.bb => wireless-regdb_2022.04.08.bb} (94%)
> >  rename meta/recipes-support/libgit2/{libgit2_1.4.2.bb => libgit2_1.4.3.bb} (91%)
> >  rename meta/recipes-support/libsoup/{libsoup_3.0.5.bb => libsoup_3.0.6.bb} (94%)
> >  rename meta/recipes-support/libusb/{libusb1_1.0.25.bb => libusb1_1.0.26.bb} (94%)
> >
> > --
> > 2.25.1
> >
> >
> >
> >
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#164699): https://lists.openembedded.org/g/openembedded-core/message/164699
> Mute This Topic: https://lists.openembedded.org/mt/90584508/1997914
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [raj.khem@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Re: [OE-core][kirkstone 00/27] Patch review

[Randy MacLeod]

[-- Attachment #1: Type: text/plain, Size: 3203 bytes --]

On Wed., Apr. 20, 2022, 10:54 Steve Sakoman, <steve@sakoman.com> wrote:

> On Wed, Apr 20, 2022 at 4:08 AM Steve Sakoman via
> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
> wrote:
> >
> > Please review this set of patches for kirkstone and have comments back by
> > end of day Friday.
>
> I'd particularly like feedback on the security/bug fix version updates
> at the end of this series.
>
> In the past I took these only on request.
>
> Would people like me to be more proactive on this type of upgrade
> (such as this series), or should I continue to take them only on
> request?
>

Proactive but reasonably cautious. ;-)
Some comments below.


> Steve
>
> >
> > Passed a-full on autobuilder:
> >
> > https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3547
> >
> > The following changes since commit
> d2ba3b8850d461bc7b773240cdf15b22b31a3f9e:
> >
> >   lua: fix CVE-2022-28805 (2022-04-19 14:02:08 +0100)
> >
> > are available in the Git repository at:
> >
> >   git://git.openembedded.org/openembedded-core-contrib
> stable/kirkstone-nut
> >
> http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
> >
> > Alexander Kanavin (1):
> >   webkitgtk: adjust patch status
> >
> > Davide Gardenal (1):
> >   create-spdx: fix error when symlink cannot be created
> >
> > Ferry Toth (2):
> >   apt: add apt selftest to test signed package feeds
> >   package_manager: fix missing dependency on gnupg when signing deb
> >     package feeds
> >
> > Jon Mason (1):
> >   qemuarm64: use virtio pci interfaces
> >
> > Kai Kang (1):
> >   update_udev_hwdb: fix multilib issue with systemd
> >
> > Khem Raj (5):
> >   babeltrace: Disable warnings as errors
> >   xserver-xorg: Fix build with gcc12
> >   systemtap: Fix build with gcc-12
> >   gnupg: Disable FORTIFY_SOURCES on mips
> >   mdadm: Drop clang specific cflags
> >
> > Konrad Weihmann (2):
> >   git: correct license
> >   ncurses: use COPYING file
> >
> > Martin Jansa (1):
> >   systemd-boot: remove outdated EFI_LD comment
> >
> > Paulo Neves (1):
> >   selftest/lic_checksum: Add test for filename containing space
> >
> > Peter Kjellerstedt (2):
> >   u-boot: Correct the SRC_URI
> >   u-boot: Inherit pkgconfig
> >
> > Richard Purdie (1):
> >   buildtools-tarball: Only add cert envvars if certs are included
> >
> > Ross Burton (1):
> >   zlib: upgrade to 1.2.12
> >
> > wangmy (5):
> >   linux-firmware: upgrade 20220310 -> 20220411
>


It's firmware so it should be fine but I don't know much about such things.
Have  firmware updates ever broken older kernels?
Certainly there could be performance degradation. I guess it's a release
note item for others to worry about.


>   libsoup: upgrade 3.0.5 -> 3.0.6
> >   apt: upgrade 2.4.3 -> 2.4.4
> >   libusb1: upgrade 1.0.25 -> 1.0.26
> >   libgit2: upgrade 1.4.2 -> 1.4.3
> >
> > zhengruoqin (3):
> >   wireless-regdb: upgrade 2022.02.18 -> 2022.04.08
> >   git: upgrade 2.35.2 -> 2.35.3
> >   ruby: upgrade 3.1.1 -> 3.1.2
>

These all seem like bug fix only updates.
Are you assuming that third number updates don't change API/ABI or looking
at commit summaries, git logs, or using a tool?


Thanks Steve.


Randy


>< snip ><

[-- Attachment #2: Type: text/html, Size: 5639 bytes --]

Re: [OE-core][kirkstone 00/27] Patch review

[Steve Sakoman]

On Wed, Apr 20, 2022 at 7:14 PM Randy MacLeod <rwmacleod@gmail.com> wrote:
>
>
>
> On Wed., Apr. 20, 2022, 10:54 Steve Sakoman, <steve@sakoman.com> wrote:
>>
>> On Wed, Apr 20, 2022 at 4:08 AM Steve Sakoman via
>> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
>> wrote:
>> >
>> > Please review this set of patches for kirkstone and have comments back by
>> > end of day Friday.
>>
>> I'd particularly like feedback on the security/bug fix version updates
>> at the end of this series.
>>
>> In the past I took these only on request.
>>
>> Would people like me to be more proactive on this type of upgrade
>> (such as this series), or should I continue to take them only on
>> request?
>
>
> Proactive but reasonably cautious. ;-)

That's my feeling too.

>> > Passed a-full on autobuilder:
>> >
>> > https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3547
>> >
>> > The following changes since commit d2ba3b8850d461bc7b773240cdf15b22b31a3f9e:
>> >
>> >   lua: fix CVE-2022-28805 (2022-04-19 14:02:08 +0100)
>> >
>> > are available in the Git repository at:
>> >
>> >   git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
>> >   http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
>> >
>> > Alexander Kanavin (1):
>> >   webkitgtk: adjust patch status
>> >
>> > Davide Gardenal (1):
>> >   create-spdx: fix error when symlink cannot be created
>> >
>> > Ferry Toth (2):
>> >   apt: add apt selftest to test signed package feeds
>> >   package_manager: fix missing dependency on gnupg when signing deb
>> >     package feeds
>> >
>> > Jon Mason (1):
>> >   qemuarm64: use virtio pci interfaces
>> >
>> > Kai Kang (1):
>> >   update_udev_hwdb: fix multilib issue with systemd
>> >
>> > Khem Raj (5):
>> >   babeltrace: Disable warnings as errors
>> >   xserver-xorg: Fix build with gcc12
>> >   systemtap: Fix build with gcc-12
>> >   gnupg: Disable FORTIFY_SOURCES on mips
>> >   mdadm: Drop clang specific cflags
>> >
>> > Konrad Weihmann (2):
>> >   git: correct license
>> >   ncurses: use COPYING file
>> >
>> > Martin Jansa (1):
>> >   systemd-boot: remove outdated EFI_LD comment
>> >
>> > Paulo Neves (1):
>> >   selftest/lic_checksum: Add test for filename containing space
>> >
>> > Peter Kjellerstedt (2):
>> >   u-boot: Correct the SRC_URI
>> >   u-boot: Inherit pkgconfig
>> >
>> > Richard Purdie (1):
>> >   buildtools-tarball: Only add cert envvars if certs are included
>> >
>> > Ross Burton (1):
>> >   zlib: upgrade to 1.2.12
>> >
>> > wangmy (5):
>> >   linux-firmware: upgrade 20220310 -> 20220411
>
>
>
> It's firmware so it should be fine but I don't know much about such things. Have  firmware updates ever broken older kernels?
> Certainly there could be performance degradation. I guess it's a release note item for others to worry about.

I've been doing these regularly for dunfell and it hasn't been an
issue in the past two years.

>> >   libsoup: upgrade 3.0.5 -> 3.0.6
>> >   apt: upgrade 2.4.3 -> 2.4.4
>> >   libusb1: upgrade 1.0.25 -> 1.0.26
>> >   libgit2: upgrade 1.4.2 -> 1.4.3
>> >
>> > zhengruoqin (3):
>> >   wireless-regdb: upgrade 2022.02.18 -> 2022.04.08
>> >   git: upgrade 2.35.2 -> 2.35.3
>> >   ruby: upgrade 3.1.1 -> 3.1.2
>
>
> These all seem like bug fix only updates.
> Are you assuming that third number updates don't change API/ABI or looking at commit summaries, git logs, or using a tool?

Yes, my criteria for including is that they are bug/security only updates.

I don't assume anything from the version number, I review the release
notes (if any) and the git logs.  In many cases the version updates in
master don't include this info in the commit message.  In that case I
add either the release notes or the git log to the commit message when
cherry-picking from master.

So it is a time consuming manual process :-)

BTW, those who include release notes or commit logs in their version
bumps get smiles and brownie points from me!

Steve

Re: [OE-core][kirkstone 00/27] Patch review

[Randy MacLeod]

On 2022-04-21 10:00, Steve Sakoman wrote:
> On Wed, Apr 20, 2022 at 7:14 PM Randy MacLeod <rwmacleod@gmail.com> wrote:
>>
>> On Wed., Apr. 20, 2022, 10:54 Steve Sakoman, <steve@sakoman.com> wrote:
>>> On Wed, Apr 20, 2022 at 4:08 AM Steve Sakoman via
>>> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
>>> wrote:
>>>> Please review this set of patches for kirkstone and have comments back by
>>>> end of day Friday.
>>> I'd particularly like feedback on the security/bug fix version updates
>>> at the end of this series.
>>>
>>> In the past I took these only on request.
>>>
>>> Would people like me to be more proactive on this type of upgrade
>>> (such as this series), or should I continue to take them only on
>>> request?
>> Proactive but reasonably cautious. ;-)
> That's my feeling too.
>
>>>> Passed a-full on autobuilder:
>>>>
>>>> https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3547
>>>>
>>>> The following changes since commit d2ba3b8850d461bc7b773240cdf15b22b31a3f9e:
>>>>
>>>>    lua: fix CVE-2022-28805 (2022-04-19 14:02:08 +0100)
>>>>
>>>> are available in the Git repository at:
>>>>
>>>>    git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
>>>>    http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
>>>>
>>>> Alexander Kanavin (1):
>>>>    webkitgtk: adjust patch status
>>>>
>>>> Davide Gardenal (1):
>>>>    create-spdx: fix error when symlink cannot be created
>>>>
>>>> Ferry Toth (2):
>>>>    apt: add apt selftest to test signed package feeds
>>>>    package_manager: fix missing dependency on gnupg when signing deb
>>>>      package feeds
>>>>
>>>> Jon Mason (1):
>>>>    qemuarm64: use virtio pci interfaces
>>>>
>>>> Kai Kang (1):
>>>>    update_udev_hwdb: fix multilib issue with systemd
>>>>
>>>> Khem Raj (5):
>>>>    babeltrace: Disable warnings as errors
>>>>    xserver-xorg: Fix build with gcc12
>>>>    systemtap: Fix build with gcc-12
>>>>    gnupg: Disable FORTIFY_SOURCES on mips
>>>>    mdadm: Drop clang specific cflags
>>>>
>>>> Konrad Weihmann (2):
>>>>    git: correct license
>>>>    ncurses: use COPYING file
>>>>
>>>> Martin Jansa (1):
>>>>    systemd-boot: remove outdated EFI_LD comment
>>>>
>>>> Paulo Neves (1):
>>>>    selftest/lic_checksum: Add test for filename containing space
>>>>
>>>> Peter Kjellerstedt (2):
>>>>    u-boot: Correct the SRC_URI
>>>>    u-boot: Inherit pkgconfig
>>>>
>>>> Richard Purdie (1):
>>>>    buildtools-tarball: Only add cert envvars if certs are included
>>>>
>>>> Ross Burton (1):
>>>>    zlib: upgrade to 1.2.12
>>>>
>>>> wangmy (5):
>>>>    linux-firmware: upgrade 20220310 -> 20220411
>>
>> It's firmware so it should be fine but I don't know much about such things. Have  firmware updates ever broken older kernels?
>> Certainly there could be performance degradation. I guess it's a release note item for others to worry about.
> I've been doing these regularly for dunfell and it hasn't been an
> issue in the past two years.
As expected but that's good to hear.
>
>>>>    libsoup: upgrade 3.0.5 -> 3.0.6
>>>>    apt: upgrade 2.4.3 -> 2.4.4
>>>>    libusb1: upgrade 1.0.25 -> 1.0.26
>>>>    libgit2: upgrade 1.4.2 -> 1.4.3
>>>>
>>>> zhengruoqin (3):
>>>>    wireless-regdb: upgrade 2022.02.18 -> 2022.04.08
>>>>    git: upgrade 2.35.2 -> 2.35.3
>>>>    ruby: upgrade 3.1.1 -> 3.1.2
>> These all seem like bug fix only updates.
>> Are you assuming that third number updates don't change API/ABI or looking at commit summaries, git logs, or using a tool?
> Yes, my criteria for including is that they are bug/security only updates.
>
> I don't assume anything from the version number, I review the release
> notes (if any) and the git logs.  In many cases the version updates in
> master don't include this info in the commit message.  In that case I
> add either the release notes or the git log to the commit message when
> cherry-picking from master.
That's great. The only better response would be if we could run API/ABI 
test.
I'll see if that's something that we can work on for release branches 
but no promises

or timeline for that so far.


>
> So it is a time consuming manual process :-)


It is; thanks for the careful work.


>
> BTW, those who include release notes or commit logs in their version
> bumps get smiles and brownie points from me!

+1


../Randy

>
> Steve
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#164762): https://lists.openembedded.org/g/openembedded-core/message/164762
> Mute This Topic: https://lists.openembedded.org/mt/90584508/3616765
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [randy.macleod@windriver.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

-- 
# Randy MacLeod
# Wind River Linux

[OE-core][kirkstone 00/27] Patch review

[Steve Sakoman]

Please review this set of patches for kirkstone and have comments back by end
of day Friday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3911

with the exception of an intermittent autobuilder issue on qemumips-alt which
passed on subsequent retest:

https://autobuilder.yoctoproject.org/typhoon/#/builders/102/builds/3279

The following changes since commit 4667abcc925ae0c430cccb480ec530506f6201ae:

  dropbear: break dependency on base package for -dev package (2022-07-01 08:35:07 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alexander Kanavin (6):
  openssl: update 3.0.4 -> 3.0.5
  gstreamer1.0: upgrade 1.20.2 -> 1.20.3
  weston: update 10.0.0 -> 10.0.1
  glib-2.0: upgrade 2.72.2 -> 2.72.3
  glib-networking: upgrade 2.72.0 -> 2.72.1
  libsoup: upgrade 3.0.6 -> 3.0.7

Richard Purdie (2):
  qemu: Avoid accidental librdmacm linkage
  glibc-tests: Avoid reproducibility issues

Ross Burton (2):
  tiff: backport the fix for CVE-2022-2056, CVE-2022-2057, and
    CVE-2022-2058
  vim: upgrade to 9.0.0021

Sakib Sajal (1):
  u-boot: fix CVE-2022-34835

Steve Sakoman (3):
  ruby: add PACKAGECONFIG for capstone
  qemu: add PACKAGECONFIG for capstone
  qemu: Avoid accidental libvdeplug linkage

Sundeep KOKKONDA (2):
  glibc: stable 2.35 branch updates
  binutils : stable 2.38 branch updates

Wentao Zhang (1):
  harfbuzz: fix CVE-2022-33068

wangmy (10):
  gst-devtools: upgrade 1.20.2 -> 1.20.3
  gstreamer1.0-libav: upgrade 1.20.2 -> 1.20.3
  gstreamer1.0-omx: upgrade 1.20.2 -> 1.20.3
  gstreamer1.0-plugins-bad: upgrade 1.20.2 -> 1.20.3
  gstreamer1.0-plugins-base: upgrade 1.20.2 -> 1.20.3
  gstreamer1.0-plugins-good: upgrade 1.20.2 -> 1.20.3
  gstreamer1.0-plugins-ugly: upgrade 1.20.2 -> 1.20.3
  gstreamer1.0-python: upgrade 1.20.2 -> 1.20.3
  gstreamer1.0-rtsp-server: upgrade 1.20.2 -> 1.20.3
  gstreamer1.0-vaapi: upgrade 1.20.2 -> 1.20.3

 ...ffer-overflow-vulnerability-in-i2c-m.patch | 126 ++++++++++++
 meta/recipes-bsp/u-boot/u-boot_2022.01.bb     |   1 +
 .../{openssl_3.0.4.bb => openssl_3.0.5.bb}    |   2 +-
 .../glib-2.0/glib-2.0/relocate-modules.patch  |   2 +-
 ...{glib-2.0_2.72.2.bb => glib-2.0_2.72.3.bb} |   2 +-
 ...ng_2.72.0.bb => glib-networking_2.72.1.bb} |   2 +-
 meta/recipes-core/glibc/glibc-tests_2.35.bb   |   3 +
 meta/recipes-core/glibc/glibc-version.inc     |   2 +-
 .../glibc/glibc/reproducible-paths.patch      |  23 +++
 .../binutils/binutils-2.38.inc                |   2 +-
 meta/recipes-devtools/qemu/qemu.inc           |   3 +
 meta/recipes-devtools/ruby/ruby_3.1.2.bb      |   1 +
 .../harfbuzz/harfbuzz/CVE-2022-33068.patch    |  35 ++++
 .../harfbuzz/harfbuzz_4.0.1.bb                |   3 +-
 .../{weston_10.0.0.bb => weston_10.0.1.bb}    |   4 +-
 ...tools_1.20.2.bb => gst-devtools_1.20.3.bb} |   2 +-
 ...1.20.2.bb => gstreamer1.0-libav_1.20.3.bb} |   2 +-
 ...x_1.20.2.bb => gstreamer1.0-omx_1.20.3.bb} |   2 +-
 ....bb => gstreamer1.0-plugins-bad_1.20.3.bb} |   2 +-
 ...bb => gstreamer1.0-plugins-base_1.20.3.bb} |   2 +-
 ...bb => gstreamer1.0-plugins-good_1.20.3.bb} |   2 +-
 ...bb => gstreamer1.0-plugins-ugly_1.20.3.bb} |   2 +-
 ....20.2.bb => gstreamer1.0-python_1.20.3.bb} |   2 +-
 ....bb => gstreamer1.0-rtsp-server_1.20.3.bb} |   2 +-
 ...1.20.2.bb => gstreamer1.0-vaapi_1.20.3.bb} |   2 +-
 ...er1.0_1.20.2.bb => gstreamer1.0_1.20.3.bb} |   2 +-
 ...-the-FPE-in-tiffcrop-415-427-and-428.patch | 182 ++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |   1 +
 .../{libsoup_3.0.6.bb => libsoup_3.0.7.bb}    |   2 +-
 meta/recipes-support/vim/vim.inc              |   4 +-
 30 files changed, 399 insertions(+), 23 deletions(-)
 create mode 100644 meta/recipes-bsp/u-boot/files/0001-i2c-fix-stack-buffer-overflow-vulnerability-in-i2c-m.patch
 rename meta/recipes-connectivity/openssl/{openssl_3.0.4.bb => openssl_3.0.5.bb} (99%)
 rename meta/recipes-core/glib-2.0/{glib-2.0_2.72.2.bb => glib-2.0_2.72.3.bb} (96%)
 rename meta/recipes-core/glib-networking/{glib-networking_2.72.0.bb => glib-networking_2.72.1.bb} (93%)
 create mode 100644 meta/recipes-core/glibc/glibc/reproducible-paths.patch
 create mode 100644 meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2022-33068.patch
 rename meta/recipes-graphics/wayland/{weston_10.0.0.bb => weston_10.0.1.bb} (97%)
 rename meta/recipes-multimedia/gstreamer/{gst-devtools_1.20.2.bb => gst-devtools_1.20.3.bb} (95%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-libav_1.20.2.bb => gstreamer1.0-libav_1.20.3.bb} (91%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-omx_1.20.2.bb => gstreamer1.0-omx_1.20.3.bb} (95%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-bad_1.20.2.bb => gstreamer1.0-plugins-bad_1.20.3.bb} (98%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-base_1.20.2.bb => gstreamer1.0-plugins-base_1.20.3.bb} (97%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-good_1.20.2.bb => gstreamer1.0-plugins-good_1.20.3.bb} (97%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-ugly_1.20.2.bb => gstreamer1.0-plugins-ugly_1.20.3.bb} (94%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-python_1.20.2.bb => gstreamer1.0-python_1.20.3.bb} (91%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-rtsp-server_1.20.2.bb => gstreamer1.0-rtsp-server_1.20.3.bb} (90%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-vaapi_1.20.2.bb => gstreamer1.0-vaapi_1.20.3.bb} (95%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0_1.20.2.bb => gstreamer1.0_1.20.3.bb} (97%)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch
 rename meta/recipes-support/libsoup/{libsoup_3.0.6.bb => libsoup_3.0.7.bb} (94%)

-- 
2.25.1

[OE-core][kirkstone 00/27] Patch review

[Steve Sakoman]

Please review these patches for kirkstone and have comments back by end
of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4921

The following changes since commit cb64ace13db85e143d99627c8803fbb13ba18617:

  Fix missing leading whitespace with ':append' (2023-02-01 04:16:52 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alejandro Hernandez Samaniego (1):
  testimage: Fix error message to reflect new syntax

Alexander Kanavin (3):
  vulkan-samples: branch rename master -> main
  gdk-pixbuf: do not use tools from gdk-pixbuf-native when building
    tests
  oeqa/qemurunner: do not use Popen.poll() when terminating runqemu with
    a signal

Arnout Vandecappelle (1):
  python3-pytest: depend on python3-tomli instead of python3-toml

Bruce Ashfield (2):
  linux-yocto/5.15: update to v5.15.89
  linux-yocto/5.15: update to v5.15.91

Changqing Li (1):
  apt: fix do_package_qa failure

Chee Yang Lee (1):
  git: upgrade to 2.35.6

Harald Seiler (1):
  bootchart2: Fix usrmerge support

Khem Raj (2):
  scons: Pass MAXLINELENGTH to scons invocation
  scons.bbclass: Make MAXLINELENGTH overridable

Louis Rannou (1):
  oeqa/selftest/locales: Add selftest for locale generation/presence

Martin Jansa (1):
  meta: remove True option to getVar and getVarFlag calls (again)

Mikko Rapeli (1):
  oeqa context.py: fix --target-ip comment to include ssh port number

Mingli Yu (1):
  glslang: branch rename master -> main

Narpat Mali (1):
  python3-certifi: fix for CVE-2022-23491

Pawel Zalewski (1):
  classes/fs-uuid: Fix command output decoding issue

Richard Purdie (3):
  kernel/linux-kernel-base: Fix kernel build artefact determinism issues
  make-mod-scripts: Ensure kernel build output is deterministic
  libc-locale: Fix on target locale generation

Ross Burton (4):
  git: ignore CVE-2022-41953
  buildtools-tarball: set pkg-config search path
  sdkext/cases/devtool: pass a logger to HTTPService
  httpserver: add error handler that write to the logger

Ulrich Ölmann (2):
  recipe_sanity: fix old override syntax
  lsof: fix old override syntax

 meta/classes/fs-uuid.bbclass                  |   2 +-
 meta/classes/image.bbclass                    |   2 +-
 meta/classes/kernel.bbclass                   |   3 -
 meta/classes/libc-package.bbclass             |   1 +
 meta/classes/license_image.bbclass            |   2 +-
 meta/classes/linux-kernel-base.bbclass        |   4 +
 meta/classes/recipe_sanity.bbclass            |   2 +-
 meta/classes/scons.bbclass                    |   8 +-
 meta/classes/testimage.bbclass                |   2 +-
 meta/lib/oe/package_manager/deb/__init__.py   |   8 +-
 meta/lib/oeqa/runtime/context.py              |   4 +-
 meta/lib/oeqa/sdkext/cases/devtool.py         |   2 +-
 meta/lib/oeqa/selftest/cases/locales.py       |  45 ++++
 meta/lib/oeqa/utils/httpserver.py             |   6 +
 meta/lib/oeqa/utils/qemurunner.py             |  11 +-
 meta/recipes-core/meta/buildtools-tarball.bb  |   3 +
 meta/recipes-devtools/apt/apt_2.4.5.bb        |   1 +
 .../0001-bootchart2-support-usrmerge.patch    |  37 ---
 .../bootchart2/bootchart2_0.14.9.bb           |  11 +-
 .../git/{git_2.35.5.bb => git_2.35.6.bb}      |   4 +-
 meta/recipes-devtools/go/go_1.17.13.bb        |   4 +-
 .../python3-certifi/CVE-2022-23491.patch      | 230 ++++++++++++++++++
 .../python/python3-certifi_2021.10.8.bb       |   2 +
 .../python/python3-pytest_7.1.1.bb            |   2 +-
 meta/recipes-devtools/rust/rust-common.inc    |   2 +-
 meta/recipes-devtools/rust/rust.inc           |  20 +-
 meta/recipes-extended/lsof/lsof_4.94.0.bb     |   2 +-
 .../0001-Add-use_prebuilt_tools-option.patch  | 173 -------------
 ...w-a-subset-of-tests-in-cross-compile.patch |  66 +++++
 .../gdk-pixbuf/gdk-pixbuf_2.42.10.bb          |  17 +-
 .../glslang/glslang_1.3.204.1.bb              |   2 +-
 .../vulkan/vulkan-samples_git.bb              |   2 +-
 .../linux/linux-yocto-rt_5.15.bb              |   6 +-
 .../linux/linux-yocto-tiny_5.15.bb            |   6 +-
 meta/recipes-kernel/linux/linux-yocto_5.15.bb |  26 +-
 .../make-mod-scripts/make-mod-scripts_1.0.bb  |   2 +-
 scripts/contrib/image-manifest                |   2 +-
 scripts/lib/devtool/menuconfig.py             |   2 +-
 38 files changed, 432 insertions(+), 292 deletions(-)
 create mode 100644 meta/lib/oeqa/selftest/cases/locales.py
 delete mode 100644 meta/recipes-devtools/bootchart2/bootchart2/0001-bootchart2-support-usrmerge.patch
 rename meta/recipes-devtools/git/{git_2.35.5.bb => git_2.35.6.bb} (97%)
 create mode 100644 meta/recipes-devtools/python/python3-certifi/CVE-2022-23491.patch
 delete mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-Add-use_prebuilt_tools-option.patch
 create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch

-- 
2.34.1

[OE-core][kirkstone 00/27] Patch review

[Steve Sakoman]

Please review this set of patches for kirkstone and have comments back by
end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5608

with the exception of a known intermittent issue on oe-selftest-ubuntu involving
a regression introduced in recent kernel stable branch updates:

https://bugzilla.yoctoproject.org/show_bug.cgi?id=15138

This will be fixed in an upcoming linux-yocto version bump, see thread below
for details:

https://lists.openembedded.org/g/openembedded-core/topic/99542122#182828

The following changes since commit 200c2783b3f8546f561382fff6bd5268680d403a:

  cve-update-nvd2-native: actually use API keys (2023-07-13 06:39:45 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alberto Planas (1):
  bitbake.conf: add unzstd in HOSTTOOLS

Alexander Kanavin (5):
  serf: upgrade 1.3.9 -> 1.3.10
  wget: upgrade 1.21.3 -> 1.21.4
  linux-firmware: upgrade 20230404 -> 20230515
  wireless-regdb: upgrade 2023.02.13 -> 2023.05.03
  sysfsutils: fetch a supported fork from github

Alexander Sverdlin (1):
  rust-llvm: backport a fix for build with gcc-13

Chen Qi (4):
  sdk.py: error out when moving file fails
  sdk.py: fix moving dnf contents
  zip: fix configure check by using _Static_assert
  unzip: fix configure check for cross compilation

Heiko Thole (1):
  wic: Add dependencies for erofs-utils

Hitendra Prajapati (1):
  bind : fix CVE-2023-2828 & CVE-2023-2911

Jermain Horsman (1):
  logrotate: Do not create logrotate.status file

Jose Quaresma (1):
  selftest/reproducible: Allow chose the package manager

Marek Vasut (1):
  systemd: Backport nspawn: make sure host root can write to the
    uidmapped mounts we prepare for the container payload

Mauro Queiros (1):
  pybootchartgui: show elapsed time for each task

Mikko Rapeli (1):
  selftest reproducible.py: support different build targets

Nikhil R (1):
  libpng: Add ptest for libpng

Poonam Jadhav (1):
  libx11: Fix CVE-2023-3138 for kirkstone branch

Ross Burton (1):
  tzdata: upgrade to 2023c

Soumya (2):
  perl: Fix CVE-2023-31486
  libwebp: Fix CVE-2023-1999

Tom Hochstein (1):
  cmake: Fix CMAKE_SYSTEM_PROCESSOR setting for SDK

Trevor Gamblin (1):
  vim: upgrade 9.0.1527 -> 9.0.1592

Vijay Anusuri (1):
  sqlite3: CVE-2023-36191 CLI fault on missing -nonce

Vivek Kumbhar (1):
  curl: Added CVE-2023-28320 Follow-up patch

 meta/classes/image_types_wic.bbclass          |   2 +-
 meta/conf/bitbake.conf                        |   2 +-
 .../distro/include/ptest-packagelists.inc     |   1 +
 meta/lib/oe/package_manager/rpm/sdk.py        |   3 +-
 meta/lib/oe/sdk.py                            |   2 +-
 meta/lib/oeqa/selftest/cases/reproducible.py  |  14 +-
 .../bind/bind-9.18.11/CVE-2023-2828.patch     | 197 ++++++++++++
 .../bind/bind-9.18.11/CVE-2023-2911.patch     |  97 ++++++
 .../recipes-connectivity/bind/bind_9.18.11.bb |   2 +
 meta/recipes-core/meta/wic-tools.bb           |   2 +-
 .../sysfsutils/sysfsutils_2.1.0.bb            |  10 +-
 ...-host-root-can-write-to-the-uidmappe.patch | 216 +++++++++++++
 meta/recipes-core/systemd/systemd_250.5.bb    |   1 +
 .../cmake/cmake/OEToolchainConfig.cmake       |   5 +-
 .../perl/files/CVE-2023-31486-0001.patch      | 215 +++++++++++++
 .../perl/files/CVE-2023-31486-0002.patch      |  36 +++
 meta/recipes-devtools/perl/perl_5.34.1.bb     |   2 +
 meta/recipes-devtools/rust/rust-llvm.inc      |   4 +-
 ...-missing-cstdint-header-to-Signals.h.patch |  32 ++
 .../logrotate/logrotate_3.20.1.bb             |   1 -
 meta/recipes-extended/timezone/timezone.inc   |   6 +-
 .../timezone/tzcode-native.bb                 |   2 -
 ...0001-Fix-C23-related-conformance-bug.patch | 301 ------------------
 ...-fix-detection-for-cross-compilation.patch | 103 ++++++
 meta/recipes-extended/unzip/unzip_6.0.bb      |   1 +
 meta/recipes-extended/wget/wget.inc           |   2 +-
 .../wget/{wget_1.21.3.bb => wget_1.21.4.bb}   |   2 +-
 ...se-_Static_assert-to-do-correct-dete.patch |  96 ++++++
 meta/recipes-extended/zip/zip_3.0.bb          |   1 +
 .../xorg-lib/libx11/CVE-2023-3138.patch       | 111 +++++++
 .../xorg-lib/libx11_1.7.3.1.bb                |   1 +
 ...20230404.bb => linux-firmware_20230515.bb} |   4 +-
 ....02.13.bb => wireless-regdb_2023.05.03.bb} |   2 +-
 .../recipes-multimedia/libpng/files/run-ptest |  29 ++
 .../libpng/libpng_1.6.39.bb                   |  16 +-
 .../webp/files/CVE-2023-1999.patch            |  60 ++++
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb |   4 +-
 .../curl/curl/CVE-2023-28320-fol1.patch       | 197 ++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |   1 +
 ...print-in-the-scons-file-to-unbreak-b.patch |  29 --
 ...sl_buckets.c-do-not-use-ERR_GET_FUNC.patch |  28 --
 ...11083-fix-building-with-scons-3.0.0-.patch |  29 --
 ...ories.without.sandbox-install.prefix.patch |   2 +-
 .../serf/{serf_1.3.9.bb => serf_1.3.10.bb}    |   6 +-
 .../sqlite/files/CVE-2023-36191.patch         |  37 +++
 meta/recipes-support/sqlite/sqlite3_3.38.5.bb |   1 +
 meta/recipes-support/vim/vim.inc              |   4 +-
 scripts/lib/wic/misc.py                       |   1 +
 scripts/pybootchartgui/pybootchartgui/draw.py |   5 +
 49 files changed, 1496 insertions(+), 429 deletions(-)
 create mode 100644 meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2828.patch
 create mode 100644 meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2911.patch
 create mode 100644 meta/recipes-core/systemd/systemd/0001-nspawn-make-sure-host-root-can-write-to-the-uidmappe.patch
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch
 create mode 100644 meta/recipes-devtools/rust/rust-llvm/0003-Support-Add-missing-cstdint-header-to-Signals.h.patch
 delete mode 100644 meta/recipes-extended/timezone/tzcode/0001-Fix-C23-related-conformance-bug.patch
 create mode 100644 meta/recipes-extended/unzip/unzip/0001-unix-configure-fix-detection-for-cross-compilation.patch
 rename meta/recipes-extended/wget/{wget_1.21.3.bb => wget_1.21.4.bb} (60%)
 create mode 100644 meta/recipes-extended/zip/zip-3.0/0001-unix-configure-use-_Static_assert-to-do-correct-dete.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230404.bb => linux-firmware_20230515.bb} (99%)
 rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2023.02.13.bb => wireless-regdb_2023.05.03.bb} (94%)
 create mode 100644 meta/recipes-multimedia/libpng/files/run-ptest
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-1999.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch
 delete mode 100644 meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch
 delete mode 100644 meta/recipes-support/serf/serf/0001-buckets-ssl_buckets.c-do-not-use-ERR_GET_FUNC.patch
 delete mode 100644 meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch
 rename meta/recipes-support/serf/{serf_1.3.9.bb => serf_1.3.10.bb} (78%)
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2023-36191.patch

-- 
2.34.1

[OE-core][kirkstone 01/27] perl: Fix CVE-2023-31486

[Steve Sakoman]

From: Soumya <soumya.sambu@windriver.com>

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available
standalone on CPAN, has an insecure default TLS configuration where
users must opt in to verify certificates.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-31486

Upstream patches:
https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d
https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d

Signed-off-by: Soumya <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../perl/files/CVE-2023-31486-0001.patch      | 215 ++++++++++++++++++
 .../perl/files/CVE-2023-31486-0002.patch      |  36 +++
 meta/recipes-devtools/perl/perl_5.34.1.bb     |   2 +
 3 files changed, 253 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch

diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
new file mode 100644
index 0000000000..d29996ddcb
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
@@ -0,0 +1,215 @@
+From 77f557ef84698efeb6eed04e4a9704eaf85b741d
+From: Stig Palmquist <git@stig.io>
+Date: Mon Jun 5 16:46:22 2023 +0200
+Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable
+ insecure default - Changes the `verify_SSL` default parameter from `0` to `1`
+
+  Based on patch by Dominic Hargreaves:
+  https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92
+
+  CVE: CVE-2023-31486
+
+- Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that
+  enables the previous insecure default behaviour if set to `1`.
+
+  This provides a workaround for users who encounter problems with the
+  new `verify_SSL` default.
+
+  Example to disable certificate checks:
+  ```
+    $ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl
+  ```
+
+- Updates to documentation:
+  - Describe changing the verify_SSL value
+  - Describe the escape-hatch environment variable
+  - Remove rationale for not enabling verify_SSL
+  - Add missing certificate search paths
+  - Replace "SSL" with "TLS/SSL" where appropriate
+  - Use "machine-in-the-middle" instead of "man-in-the-middle"
+
+Upstream-Status: Backport [https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d]
+
+Signed-off-by: Soumya <soumya.sambu@windriver.com>
+---
+ cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 86 ++++++++++++++++++++++-----------
+ 1 file changed, 57 insertions(+), 29 deletions(-)
+
+diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+index 5803e45..1808c41 100644
+--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
++++ b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+@@ -39,10 +39,14 @@ sub _croak { require Carp; Carp::croak(@_) }
+ #pod   C<$ENV{no_proxy}> —)
+ #pod * C<timeout> — Request timeout in seconds (default is 60) If a socket open,
+ #pod   read or write takes longer than the timeout, an exception is thrown.
+-#pod * C<verify_SSL> — A boolean that indicates whether to validate the SSL
+-#pod   certificate of an C<https> — connection (default is false)
++#pod * C<verify_SSL> — A boolean that indicates whether to validate the TLS/SSL
++#pod   certificate of an C<https> — connection (default is true). Changed from false
++#pod   to true in version 0.083.
+ #pod * C<SSL_options> — A hashref of C<SSL_*> — options to pass through to
+ #pod   L<IO::Socket::SSL>
++#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default
++#pod   certificate verification behavior to not check server identity if set to 1.
++#pod   Only effective if C<verify_SSL> is not set. Added in version 0.083.
+ #pod
+ #pod Passing an explicit C<undef> for C<proxy>, C<http_proxy> or C<https_proxy> will
+ #pod prevent getting the corresponding proxies from the environment.
+@@ -108,11 +112,17 @@ sub timeout {
+ sub new {
+     my($class, %args) = @_;
+
++    # Support lower case verify_ssl argument, but only if verify_SSL is not
++    # true.
++    if ( exists $args{verify_ssl} ) {
++        $args{verify_SSL}  ||= $args{verify_ssl};
++    }
++
+     my $self = {
+         max_redirect => 5,
+         timeout      => defined $args{timeout} ? $args{timeout} : 60,
+         keep_alive   => 1,
+-        verify_SSL   => $args{verify_SSL} || $args{verify_ssl} || 0, # no verification by default
++        verify_SSL   => defined $args{verify_SSL} ? $args{verify_SSL} : _verify_SSL_default(),
+         no_proxy     => $ENV{no_proxy},
+     };
+
+@@ -131,6 +141,13 @@ sub new {
+     return $self;
+ }
+
++sub _verify_SSL_default {
++    my ($self) = @_;
++    # Check if insecure default certificate verification behaviour has been
++    # changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1
++    return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
++}
++
+ sub _set_proxies {
+     my ($self) = @_;
+
+@@ -1038,7 +1055,7 @@ sub new {
+         timeout          => 60,
+         max_line_size    => 16384,
+         max_header_lines => 64,
+-        verify_SSL       => 0,
++        verify_SSL       => HTTP::Tiny::_verify_SSL_default(),
+         SSL_options      => {},
+         %args
+     }, $class;
+@@ -2009,11 +2026,11 @@ proxy
+ timeout
+ verify_SSL
+
+-=head1 SSL SUPPORT
++=head1 TLS/SSL SUPPORT
+
+ Direct C<https> connections are supported only if L<IO::Socket::SSL> 1.56 or
+ greater and L<Net::SSLeay> 1.49 or greater are installed. An exception will be
+-thrown if new enough versions of these modules are not installed or if the SSL
++thrown if new enough versions of these modules are not installed or if the TLS
+ encryption fails. You can also use C<HTTP::Tiny::can_ssl()> utility function
+ that returns boolean to see if the required modules are installed.
+
+@@ -2021,7 +2038,7 @@ An C<https> connection may be made via an C<http> proxy that supports the CONNEC
+ command (i.e. RFC 2817).  You may not proxy C<https> via a proxy that itself
+ requires C<https> to communicate.
+
+-SSL provides two distinct capabilities:
++TLS/SSL provides two distinct capabilities:
+
+ =over 4
+
+@@ -2035,24 +2052,17 @@ Verification of server identity
+
+ =back
+
+-B<By default, HTTP::Tiny does not verify server identity>.
+-
+-Server identity verification is controversial and potentially tricky because it
+-depends on a (usually paid) third-party Certificate Authority (CA) trust model
+-to validate a certificate as legitimate.  This discriminates against servers
+-with self-signed certificates or certificates signed by free, community-driven
+-CA's such as L<CAcert.org|http://cacert.org>.
++B<By default, HTTP::Tiny verifies server identity>.
+
+-By default, HTTP::Tiny does not make any assumptions about your trust model,
+-threat level or risk tolerance.  It just aims to give you an encrypted channel
+-when you need one.
++This was changed in version 0.083 due to security concerns. The previous default
++behavior can be enabled by setting C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}>
++to 1.
+
+-Setting the C<verify_SSL> attribute to a true value will make HTTP::Tiny verify
+-that an SSL connection has a valid SSL certificate corresponding to the host
+-name of the connection and that the SSL certificate has been verified by a CA.
+-Assuming you trust the CA, this will protect against a L<man-in-the-middle
+-attack|http://en.wikipedia.org/wiki/Man-in-the-middle_attack>.  If you are
+-concerned about security, you should enable this option.
++Verification is done by checking that that the TLS/SSL connection has a valid
++certificate corresponding to the host name of the connection and that the
++certificate has been verified by a CA. Assuming you trust the CA, this will
++protect against L<machine-in-the-middle
++attacks|http://en.wikipedia.org/wiki/Machine-in-the-middle_attack>.
+
+ Certificate verification requires a file containing trusted CA certificates.
+
+@@ -2060,9 +2070,7 @@ If the environment variable C<SSL_CERT_FILE> is present, HTTP::Tiny
+ will try to find a CA certificate file in that location.
+
+ If the L<Mozilla::CA> module is installed, HTTP::Tiny will use the CA file
+-included with it as a source of trusted CA's.  (This means you trust Mozilla,
+-the author of Mozilla::CA, the CPAN mirror where you got Mozilla::CA, the
+-toolchain used to install it, and your operating system security, right?)
++included with it as a source of trusted CA's.
+
+ If that module is not available, then HTTP::Tiny will search several
+ system-specific default locations for a CA certificate file:
+@@ -2081,13 +2089,33 @@ system-specific default locations for a CA certificate file:
+
+ /etc/ssl/ca-bundle.pem
+
++=item *
++
++/etc/openssl/certs/ca-certificates.crt
++
++=item *
++
++/etc/ssl/cert.pem
++
++=item *
++
++/usr/local/share/certs/ca-root-nss.crt
++
++=item *
++
++/etc/pki/tls/cacert.pem
++
++=item *
++
++/etc/certs/ca-certificates.crt
++
+ =back
+
+ An exception will be raised if C<verify_SSL> is true and no CA certificate file
+ is available.
+
+-If you desire complete control over SSL connections, the C<SSL_options> attribute
+-lets you provide a hash reference that will be passed through to
++If you desire complete control over TLS/SSL connections, the C<SSL_options>
++attribute lets you provide a hash reference that will be passed through to
+ C<IO::Socket::SSL::start_SSL()>, overriding any options set by HTTP::Tiny. For
+ example, to provide your own trusted CA file:
+
+@@ -2097,7 +2125,7 @@ example, to provide your own trusted CA file:
+
+ The C<SSL_options> attribute could also be used for such things as providing a
+ client certificate for authentication to a server or controlling the choice of
+-cipher used for the SSL connection. See L<IO::Socket::SSL> documentation for
++cipher used for the TLS/SSL connection. See L<IO::Socket::SSL> documentation for
+ details.
+
+ =head1 PROXY SUPPORT
+--
+2.40.0
diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch b/meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch
new file mode 100644
index 0000000000..45452be389
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch
@@ -0,0 +1,36 @@
+From a22785783b17cbaa28afaee4a024d81a1903701d
+From: Stig Palmquist <git@stig.io>
+Date: Sun Jun 18 11:36:05 2023 +0200
+Subject: [PATCH] Fix incorrect env var name for verify_SSL default
+
+The variable to override the verify_SSL default differed slightly in the
+documentation from what was checked for in the code.
+
+This commit makes the code use `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT`
+as documented, instead of `PERL_HTTP_TINY_INSECURE_BY_DEFAULT` which was
+missing `SSL_`
+
+CVE: CVE-2023-31486
+
+Upstream-Status: Backport [https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d]
+
+Signed-off-by: Soumya <soumya.sambu@windriver.com>
+---
+ cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+index ebc34a1..65ac8ff 100644
+--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
++++ b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+@@ -148,7 +148,7 @@ sub _verify_SSL_default {
+     my ($self) = @_;
+     # Check if insecure default certificate verification behaviour has been
+     # changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1
+-    return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
++    return (($ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
+ }
+
+ sub _set_proxies {
+--
+2.40.0
diff --git a/meta/recipes-devtools/perl/perl_5.34.1.bb b/meta/recipes-devtools/perl/perl_5.34.1.bb
index e0ee006e50..db306d0be3 100644
--- a/meta/recipes-devtools/perl/perl_5.34.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.34.1.bb
@@ -19,6 +19,8 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
            file://0001-cpan-Sys-Syslog-Makefile.PL-Fix-_PATH_LOG-for-determ.patch \
            file://0001-Fix-build-with-gcc-12.patch \
            file://CVE-2023-31484.patch \
+           file://CVE-2023-31486-0001.patch \
+           file://CVE-2023-31486-0002.patch \
            "
 SRC_URI:append:class-native = " \
            file://perl-configpm-switch.patch \
-- 
2.34.1

[OE-core][kirkstone 02/27] sqlite3: CVE-2023-36191 CLI fault on missing -nonce

[Steve Sakoman]

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport [https://sqlite.org/src/info/cd24178bbaad4a1d]

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../sqlite/files/CVE-2023-36191.patch         | 37 +++++++++++++++++++
 meta/recipes-support/sqlite/sqlite3_3.38.5.bb |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2023-36191.patch

diff --git a/meta/recipes-support/sqlite/files/CVE-2023-36191.patch b/meta/recipes-support/sqlite/files/CVE-2023-36191.patch
new file mode 100644
index 0000000000..aca79c334a
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2023-36191.patch
@@ -0,0 +1,37 @@
+From 4e8a0eb4e773b808d9e9697af94319599777169a Mon Sep 17 00:00:00 2001
+From: larrybr <larrybr@noemail.net>
+Date: Fri, 2 Jun 2023 12:56:32 +0000
+Subject: [PATCH] Fix CLI fault on missing -nonce reported by [forum:/info/f8c14a1134|forum post f8c14a1134].
+
+FossilOrigin-Name: cd24178bbaad4a1dafc3848e7d74240f90030160b5c43c93e1e0e11b073c2df5
+
+Upstream-Status: Backport [https://sqlite.org/src/info/cd24178bbaad4a1d
+Upstream commit https://github.com/sqlite/sqlite/commit/4e8a0eb4e773b808d9e9697af94319599777169a]
+CVE: CVE-2023-36191
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ shell.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/shell.c b/shell.c
+index 0200c0a..fa45d40 100644
+--- a/shell.c
++++ b/shell.c
+@@ -23163,8 +23163,12 @@ int SQLITE_CDECL wmain(int argc, wchar_t **wargv){
+     }else if( strcmp(z,"-bail")==0 ){
+       bail_on_error = 1;
+     }else if( strcmp(z,"-nonce")==0 ){
+-      free(data.zNonce);
+-      data.zNonce = strdup(argv[++i]);
++      if( data.zNonce ) free(data.zNonce);
++      if( i+1 < argc ) data.zNonce = strdup(argv[++i]);
++      else{
++        data.zNonce = 0;
++        break;
++      }
+     }else if( strcmp(z,"-safe")==0 ){
+       /* no-op - catch this on the second pass */
+     }
+-- 
+2.25.1
+
diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
index 313c15dff4..55cc514412 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
 SRC_URI = "http://www.sqlite.org/2022/sqlite-autoconf-${SQLITE_PV}.tar.gz \
            file://0001-sqlite-Increased-the-size-of-loop-variables-in-the-printf-implementation.patch \
            file://CVE-2022-46908.patch \
+           file://CVE-2023-36191.patch \
 "
 SRC_URI[sha256sum] = "5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c"
 
-- 
2.34.1

[OE-core][kirkstone 03/27] bind : fix CVE-2023-2828 & CVE-2023-2911

[Steve Sakoman]

From: Hitendra Prajapati <hprajapati@mvista.com>

Backport fixes for:
* CVE-2023-2828 - Upstream-Status: Backport from https://gitlab.isc.org/isc-projects/bind9/-/commit/e9d5219fca9f6b819d953990b369d6acfb4e952b
* CVE-2023-2911 - Upstream-Status: Backport from https://gitlab.isc.org/isc-projects/bind9/-/commit/240caa32b9cab90a38ab863fd64e6becf5d1393c && https://gitlab.isc.org/isc-projects/bind9/-/commit/ff5bacf17c2451e9d48c78a5ef96ec0c376ff33d

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../bind/bind-9.18.11/CVE-2023-2828.patch     | 197 ++++++++++++++++++
 .../bind/bind-9.18.11/CVE-2023-2911.patch     |  97 +++++++++
 .../recipes-connectivity/bind/bind_9.18.11.bb |   2 +
 3 files changed, 296 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2828.patch
 create mode 100644 meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2911.patch

diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2828.patch b/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2828.patch
new file mode 100644
index 0000000000..ef2d64b16c
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2828.patch
@@ -0,0 +1,197 @@
+From e9d5219fca9f6b819d953990b369d6acfb4e952b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Tue, 30 May 2023 08:46:17 +0200
+Subject: [PATCH] Improve RBT overmem cache cleaning
+
+When cache memory usage is over the configured cache size (overmem) and
+we are cleaning unused entries, it might not be enough to clean just two
+entries if the entries to be expired are smaller than the newly added
+rdata.  This could be abused by an attacker to cause a remote Denial of
+Service by possibly running out of the operating system memory.
+
+Currently, the addrdataset() tries to do a single TTL-based cleaning
+considering the serve-stale TTL and then optionally moves to overmem
+cleaning if we are in that condition.  Then the overmem_purge() tries to
+do another single TTL based cleaning from the TTL heap and then continue
+with LRU-based cleaning up to 2 entries cleaned.
+
+Squash the TTL-cleaning mechanism into single call from addrdataset(),
+but ignore the serve-stale TTL if we are currently overmem.
+
+Then instead of having a fixed number of entries to clean, pass the size
+of newly added rdatasetheader to the overmem_purge() function and
+cleanup at least the size of the newly added data.  This prevents the
+cache going over the configured memory limit (`max-cache-size`).
+
+Additionally, refactor the overmem_purge() function to reduce for-loop
+nesting for readability.
+
+Patch taken from : https://downloads.isc.org/isc/bind9/9.18.16/patches/0001-CVE-2023-2828.patch
+
+Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/e9d5219fca9f6b819d953990b369d6acfb4e952b]
+CVE: CVE-2023-2828
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/dns/rbtdb.c | 106 +++++++++++++++++++++++++++++-------------------
+ 1 file changed, 65 insertions(+), 41 deletions(-)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index d1aee54..ba60a49 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -561,7 +561,7 @@ static void
+ expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, bool tree_locked,
+ 	      expire_t reason);
+ static void
+-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, isc_stdtime_t now,
++overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize,
+ 	      bool tree_locked);
+ static void
+ resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader);
+@@ -6787,6 +6787,16 @@ cleanup:
+ 
+ static dns_dbmethods_t zone_methods;
+ 
++static size_t
++rdataset_size(rdatasetheader_t *header) {
++	if (!NONEXISTENT(header)) {
++		return (dns_rdataslab_size((unsigned char *)header,
++					   sizeof(*header)));
++	}
++
++	return (sizeof(*header));
++}
++
+ static isc_result_t
+ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ 	    isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+@@ -6951,7 +6961,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ 	}
+ 
+ 	if (cache_is_overmem) {
+-		overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
++		overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader),
++			      tree_locked);
+ 	}
+ 
+ 	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+@@ -6970,11 +6981,18 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ 		}
+ 
+ 		header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
+-		if (header != NULL &&
+-		    header->rdh_ttl + STALE_TTL(header, rbtdb) <
+-			    now - RBTDB_VIRTUAL)
+-		{
+-			expire_header(rbtdb, header, tree_locked, expire_ttl);
++		if (header != NULL) {
++			dns_ttl_t rdh_ttl = header->rdh_ttl;
++
++			/* Only account for stale TTL if cache is not overmem */
++			if (!cache_is_overmem) {
++				rdh_ttl += STALE_TTL(header, rbtdb);
++			}
++
++			if (rdh_ttl < now - RBTDB_VIRTUAL) {
++				expire_header(rbtdb, header, tree_locked,
++					      expire_ttl);
++			}
+ 		}
+ 
+ 		/*
+@@ -10114,52 +10132,58 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, isc_stdtime_t now) {
+ 	ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link);
+ }
+ 
++static size_t
++expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
++		   bool tree_locked) {
++	rdatasetheader_t *header, *header_prev;
++	size_t purged = 0;
++
++	for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
++	     header != NULL && purged <= purgesize; header = header_prev)
++	{
++		header_prev = ISC_LIST_PREV(header, link);
++		/*
++		 * Unlink the entry at this point to avoid checking it
++		 * again even if it's currently used someone else and
++		 * cannot be purged at this moment.  This entry won't be
++		 * referenced any more (so unlinking is safe) since the
++		 * TTL was reset to 0.
++		 */
++		ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
++		size_t header_size = rdataset_size(header);
++		expire_header(rbtdb, header, tree_locked, expire_lru);
++		purged += header_size;
++	}
++
++	return (purged);
++}
++
+ /*%
+- * Purge some expired and/or stale (i.e. unused for some period) cache entries
+- * under an overmem condition.  To recover from this condition quickly, up to
+- * 2 entries will be purged.  This process is triggered while adding a new
+- * entry, and we specifically avoid purging entries in the same LRU bucket as
+- * the one to which the new entry will belong.  Otherwise, we might purge
+- * entries of the same name of different RR types while adding RRsets from a
+- * single response (consider the case where we're adding A and AAAA glue records
+- * of the same NS name).
++ * Purge some stale (i.e. unused for some period - LRU based cleaning) cache
++ * entries under the overmem condition.  To recover from this condition quickly,
++ * we cleanup entries up to the size of newly added rdata (passed as purgesize).
++ *
++ * This process is triggered while adding a new entry, and we specifically avoid
++ * purging entries in the same LRU bucket as the one to which the new entry will
++ * belong.  Otherwise, we might purge entries of the same name of different RR
++ * types while adding RRsets from a single response (consider the case where
++ * we're adding A and AAAA glue records of the same NS name).
+  */
+ static void
+-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, isc_stdtime_t now,
++overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize,
+ 	      bool tree_locked) {
+-	rdatasetheader_t *header, *header_prev;
+ 	unsigned int locknum;
+-	int purgecount = 2;
++	size_t purged = 0;
+ 
+ 	for (locknum = (locknum_start + 1) % rbtdb->node_lock_count;
+-	     locknum != locknum_start && purgecount > 0;
++	     locknum != locknum_start && purged <= purgesize;
+ 	     locknum = (locknum + 1) % rbtdb->node_lock_count)
+ 	{
+ 		NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+ 			  isc_rwlocktype_write);
+ 
+-		header = isc_heap_element(rbtdb->heaps[locknum], 1);
+-		if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) {
+-			expire_header(rbtdb, header, tree_locked, expire_ttl);
+-			purgecount--;
+-		}
+-
+-		for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
+-		     header != NULL && purgecount > 0; header = header_prev)
+-		{
+-			header_prev = ISC_LIST_PREV(header, link);
+-			/*
+-			 * Unlink the entry at this point to avoid checking it
+-			 * again even if it's currently used someone else and
+-			 * cannot be purged at this moment.  This entry won't be
+-			 * referenced any more (so unlinking is safe) since the
+-			 * TTL was reset to 0.
+-			 */
+-			ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header,
+-					link);
+-			expire_header(rbtdb, header, tree_locked, expire_lru);
+-			purgecount--;
+-		}
++		purged += expire_lru_headers(rbtdb, locknum, purgesize - purged,
++					     tree_locked);
+ 
+ 		NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+ 			    isc_rwlocktype_write);
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2911.patch b/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2911.patch
new file mode 100644
index 0000000000..8e9a358dee
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2911.patch
@@ -0,0 +1,97 @@
+From ff5bacf17c2451e9d48c78a5ef96ec0c376ff33d Mon Sep 17 00:00:00 2001
+From: Matthijs Mekking <matthijs@isc.org>
+Date: Thu, 1 Jun 2023 10:03:48 +0200
+Subject: [PATCH] Fix serve-stale hang at shutdown
+
+The 'refresh_rrset' variable is used to determine if we can detach from
+the client. This can cause a hang on shutdown. To fix this, move setting
+of the 'nodetach' variable up to where 'refresh_rrset' is set (in
+query_lookup(), and thus not in ns_query_done()), and set it to false
+when actually refreshing the RRset, so that when this lookup is
+completed, the client will be detached.
+
+Patch taken from :https://downloads.isc.org/isc/bind9/9.18.16/patches/0003-CVE-2023-2911.patch
+
+Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/240caa32b9cab90a38ab863fd64e6becf5d1393c && https://gitlab.isc.org/isc-projects/bind9/-/commit/ff5bacf17c2451e9d48c78a5ef96ec0c376ff33d]
+CVE: CVE-2023-2911
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/ns/query.c | 30 ++++++++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/lib/ns/query.c b/lib/ns/query.c
+index 0d2ba6b..8945dd4 100644
+--- a/lib/ns/query.c
++++ b/lib/ns/query.c
+@@ -5824,6 +5824,7 @@ query_refresh_rrset(query_ctx_t *orig_qctx) {
+ 	qctx.client->query.dboptions &= ~(DNS_DBFIND_STALETIMEOUT |
+ 					  DNS_DBFIND_STALEOK |
+ 					  DNS_DBFIND_STALEENABLED);
++	qctx.client->nodetach = false;
+ 
+ 	/*
+ 	 * We'll need some resources...
+@@ -6076,7 +6077,14 @@ query_lookup(query_ctx_t *qctx) {
+ 					"%s stale answer used, an attempt to "
+ 					"refresh the RRset will still be made",
+ 					namebuf);
++
+ 				qctx->refresh_rrset = STALE(qctx->rdataset);
++				/*
++				 * If we are refreshing the RRSet, we must not
++				 * detach from the client in query_send().
++				 */
++				qctx->client->nodetach = qctx->refresh_rrset;
++
+ 				ns_client_extendederror(
+ 					qctx->client, ede,
+ 					"stale data prioritized over lookup");
+@@ -6503,7 +6511,7 @@ ns_query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
+ 	if (recparam_match(&client->query.recparam, qtype, qname, qdomain)) {
+ 		ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY,
+ 			      ISC_LOG_INFO, "recursion loop detected");
+-		return (ISC_R_FAILURE);
++		return (ISC_R_ALREADYRUNNING);
+ 	}
+ 
+ 	recparam_update(&client->query.recparam, qtype, qname, qdomain);
+@@ -7620,10 +7628,21 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) {
+ 		return (false);
+ 	}
+ 
+-	if (result == DNS_R_DUPLICATE || result == DNS_R_DROP) {
++	if (qctx->refresh_rrset) {
++		/*
++		 * This is a refreshing query, we have already prioritized
++		 * stale data, so don't enable serve-stale again.
++		 */
++		return (false);
++	}
++
++	if (result == DNS_R_DUPLICATE || result == DNS_R_DROP ||
++	    result == ISC_R_ALREADYRUNNING)
++	{
+ 		/*
+ 		 * Don't enable serve-stale if the result signals a duplicate
+-		 * query or query that is being dropped.
++		 * query or a query that is being dropped or can't proceed
++		 * because of a recursion loop.
+ 		 */
+ 		return (false);
+ 	}
+@@ -11927,12 +11946,7 @@ ns_query_done(query_ctx_t *qctx) {
+ 	/*
+ 	 * Client may have been detached after query_send(), so
+ 	 * we test and store the flag state here, for safety.
+-	 * If we are refreshing the RRSet, we must not detach from the client
+-	 * in the query_send(), so we need to override the flag.
+ 	 */
+-	if (qctx->refresh_rrset) {
+-		qctx->client->nodetach = true;
+-	}
+ 	nodetach = qctx->client->nodetach;
+ 	query_send(qctx->client);
+ 
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/bind/bind_9.18.11.bb b/meta/recipes-connectivity/bind/bind_9.18.11.bb
index 0618129318..b3e3b8bef0 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.11.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.11.bb
@@ -18,6 +18,8 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
            file://bind-ensure-searching-for-json-headers-searches-sysr.patch \
            file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
            file://0001-avoid-start-failure-with-bind-user.patch \
+           file://CVE-2023-2828.patch \
+           file://CVE-2023-2911.patch \
            "
 
 SRC_URI[sha256sum] = "8ff3352812230cbcbda42df87cad961f94163d3da457c5e4bef8057fd5df2158"
-- 
2.34.1

[OE-core][kirkstone 04/27] libx11: Fix CVE-2023-3138 for kirkstone branch

[Steve Sakoman]

From: Poonam Jadhav <poonam.jadhav@kpit.com>

Add patch to fix CVE-2023-3138 for kirkstone branch

Link: https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654a0d57bf0f00d8998185f0360332cfa36c.patch

Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../xorg-lib/libx11/CVE-2023-3138.patch       | 111 ++++++++++++++++++
 .../xorg-lib/libx11_1.7.3.1.bb                |   1 +
 2 files changed, 112 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
new file mode 100644
index 0000000000..c724cf8fdd
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
@@ -0,0 +1,111 @@
+From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 10 Jun 2023 16:30:07 -0700
+Subject: [PATCH] InitExt.c: Add bounds checks for extension request, event, &
+ error codes
+
+Fixes CVE-2023-3138: X servers could return values from XQueryExtension
+that would cause Xlib to write entries out-of-bounds of the arrays to
+store them, though this would only overwrite other parts of the Display
+struct, not outside the bounds allocated for that structure.
+
+Reported-by: Gregory James DUCK <gjduck@gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+CVE: CVE-2023-3138
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654a0d57bf0f00d8998185f0360332cfa36c.patch]
+Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
+---
+ src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+
+diff --git a/src/InitExt.c b/src/InitExt.c
+index 4de46f15..afc00a6b 100644
+--- a/src/InitExt.c
++++ b/src/InitExt.c
+@@ -33,6 +33,18 @@ from The Open Group.
+ #include <X11/Xos.h>
+ #include <stdio.h>
+ 
++/* The X11 protocol spec reserves events 64 through 127 for extensions */
++#ifndef LastExtensionEvent
++#define LastExtensionEvent 127
++#endif
++
++/* The X11 protocol spec reserves requests 128 through 255 for extensions */
++#ifndef LastExtensionRequest
++#define FirstExtensionRequest 128
++#define LastExtensionRequest 255
++#endif
++
++
+ /*
+  * This routine is used to link a extension in so it will be called
+  * at appropriate times.
+@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
+ 	WireToEventType proc)	/* routine to call when converting event */
+ {
+ 	register WireToEventType oldproc;
++	if (event_number < 0 ||
++	    event_number > LastExtensionEvent) {
++	    fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++		    event_number);
++	    return (WireToEventType)_XUnknownWireEvent;
++	}
+ 	if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
+ 	LockDisplay (dpy);
+ 	oldproc = dpy->event_vec[event_number];
+@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
+     )
+ {
+ 	WireToEventCookieType oldproc;
++	if (extension < FirstExtensionRequest ||
++	    extension > LastExtensionRequest) {
++	    fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++		    extension);
++	    return (WireToEventCookieType)_XUnknownWireEventCookie;
++	}
+ 	if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie;
+ 	LockDisplay (dpy);
+ 	oldproc = dpy->generic_event_vec[extension & 0x7F];
+@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
+     )
+ {
+ 	CopyEventCookieType oldproc;
++	if (extension < FirstExtensionRequest ||
++	    extension > LastExtensionRequest) {
++	    fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++		    extension);
++	    return (CopyEventCookieType)_XUnknownCopyEventCookie;
++	}
+ 	if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
+ 	LockDisplay (dpy);
+ 	oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
+@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
+ 	EventToWireType proc)	/* routine to call when converting event */
+ {
+ 	register EventToWireType oldproc;
++	if (event_number < 0 ||
++	    event_number > LastExtensionEvent) {
++	    fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++		    event_number);
++	    return (EventToWireType)_XUnknownNativeEvent;
++	}
+ 	if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
+ 	LockDisplay (dpy);
+ 	oldproc = dpy->wire_vec[event_number];
+@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError(
+ 	WireToErrorType proc)	/* routine to call when converting error */
+ {
+ 	register WireToErrorType oldproc = NULL;
++	if (error_number < 0 ||
++	    error_number > LastExtensionError) {
++	   fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
++		    error_number);
++	   return (WireToErrorType)_XDefaultWireError;
++	}
+ 	if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
+ 	LockDisplay (dpy);
+ 	if (!dpy->error_vec) {
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb b/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb
index 3e6b50c0a3..19687d546b 100644
--- a/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb
@@ -17,6 +17,7 @@ SRC_URI = "${XORG_MIRROR}/individual/lib/${XORG_PN}-${PV}.tar.xz"
 SRC_URI += "file://disable_tests.patch \
             file://CVE-2022-3554.patch \
             file://CVE-2022-3555.patch \
+            file://CVE-2023-3138.patch \
            "
 SRC_URI[sha256sum] = "2ffd417266fb875028fdc0ef349694f63dbcd76d0b0cfacfb52e6151f4b60989"
 
-- 
2.34.1

[OE-core][kirkstone 05/27] curl: Added CVE-2023-28320 Follow-up patch

[Steve Sakoman]

From: Vivek Kumbhar <vkumbhar@mvista.com>

Introduced by: https://github.com/curl/curl/commit/3c49b405de4fbf1fd7127f91908261268640e54f (curl-7_9_8)
Fixed by: https://github.com/curl/curl/commit/13718030ad4b3209a7583b4f27f683cd3a6fa5f2 (curl-8_1_0)
Follow-up: https://github.com/curl/curl/commit/f446258f0269a62289cca0210157cb8558d0edc3 (curl-8_1_0)

Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../curl/curl/CVE-2023-28320-fol1.patch       | 197 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |   1 +
 2 files changed, 198 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch b/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch
new file mode 100644
index 0000000000..2ba74aaaa9
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch
@@ -0,0 +1,197 @@
+From f446258f0269a62289cca0210157cb8558d0edc3 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 16 May 2023 23:40:42 +0200
+Subject: [PATCH] hostip: include easy_lock.h before using
+ GLOBAL_INIT_IS_THREADSAFE
+
+Since that header file is the only place that define can be defined.
+
+Reported-by: Marc Deslauriers
+
+Follow-up to 13718030ad4b3209
+
+Closes #11121
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/f446258f0269a62289cca0210157cb8558d0edc3]
+CVE: CVE-2023-28320
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ lib/easy_lock.h | 109 ++++++++++++++++++++++++++++++++++++++++++++++++
+ lib/hostip.c    |  10 ++---
+ lib/hostip.h    |   9 ----
+ 3 files changed, 113 insertions(+), 15 deletions(-)
+ create mode 100644 lib/easy_lock.h
+
+diff --git a/lib/easy_lock.h b/lib/easy_lock.h
+new file mode 100644
+index 0000000..6399a39
+--- /dev/null
++++ b/lib/easy_lock.h
+@@ -0,0 +1,109 @@
++#ifndef HEADER_CURL_EASY_LOCK_H
++#define HEADER_CURL_EASY_LOCK_H
++/***************************************************************************
++ *                                  _   _ ____  _
++ *  Project                     ___| | | |  _ \| |
++ *                             / __| | | | |_) | |
++ *                            | (__| |_| |  _ <| |___
++ *                             \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++
++#include "curl_setup.h"
++
++#define GLOBAL_INIT_IS_THREADSAFE
++
++#if defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x600
++
++#ifdef __MINGW32__
++#ifndef __MINGW64_VERSION_MAJOR
++#if (__MINGW32_MAJOR_VERSION < 5) || \
++    (__MINGW32_MAJOR_VERSION == 5 && __MINGW32_MINOR_VERSION == 0)
++/* mingw >= 5.0.1 defines SRWLOCK, and slightly different from MS define */
++typedef PVOID SRWLOCK, *PSRWLOCK;
++#endif
++#endif
++#ifndef SRWLOCK_INIT
++#define SRWLOCK_INIT NULL
++#endif
++#endif /* __MINGW32__ */
++
++#define curl_simple_lock SRWLOCK
++#define CURL_SIMPLE_LOCK_INIT SRWLOCK_INIT
++
++#define curl_simple_lock_lock(m) AcquireSRWLockExclusive(m)
++#define curl_simple_lock_unlock(m) ReleaseSRWLockExclusive(m)
++
++#elif defined(HAVE_ATOMIC) && defined(HAVE_STDATOMIC_H)
++#include <stdatomic.h>
++#if defined(HAVE_SCHED_YIELD)
++#include <sched.h>
++#endif
++
++#define curl_simple_lock atomic_int
++#define CURL_SIMPLE_LOCK_INIT 0
++
++/* a clang-thing */
++#ifndef __has_builtin
++#define __has_builtin(x) 0
++#endif
++
++#ifndef __INTEL_COMPILER
++/* The Intel compiler tries to look like GCC *and* clang *and* lies in its
++   __has_builtin() function, so override it. */
++
++/* if GCC on i386/x86_64 or if the built-in is present */
++#if ( (defined(__GNUC__) && !defined(__clang__)) &&     \
++      (defined(__i386__) || defined(__x86_64__))) ||    \
++  __has_builtin(__builtin_ia32_pause)
++#define HAVE_BUILTIN_IA32_PAUSE
++#endif
++
++#endif
++
++static inline void curl_simple_lock_lock(curl_simple_lock *lock)
++{
++  for(;;) {
++    if(!atomic_exchange_explicit(lock, true, memory_order_acquire))
++      break;
++    /* Reduce cache coherency traffic */
++    while(atomic_load_explicit(lock, memory_order_relaxed)) {
++      /* Reduce load (not mandatory) */
++#ifdef HAVE_BUILTIN_IA32_PAUSE
++      __builtin_ia32_pause();
++#elif defined(__aarch64__)
++      __asm__ volatile("yield" ::: "memory");
++#elif defined(HAVE_SCHED_YIELD)
++      sched_yield();
++#endif
++    }
++  }
++}
++
++static inline void curl_simple_lock_unlock(curl_simple_lock *lock)
++{
++  atomic_store_explicit(lock, false, memory_order_release);
++}
++
++#else
++
++#undef  GLOBAL_INIT_IS_THREADSAFE
++
++#endif
++
++#endif /* HEADER_CURL_EASY_LOCK_H */
+diff --git a/lib/hostip.c b/lib/hostip.c
+index e15c17a..c2e0962 100644
+--- a/lib/hostip.c
++++ b/lib/hostip.c
+@@ -72,6 +72,8 @@
+ #include <SystemConfiguration/SCDynamicStoreCopySpecific.h>
+ #endif
+
++#include "easy_lock.h"
++
+ #if defined(CURLRES_SYNCH) &&                   \
+   defined(HAVE_ALARM) &&                        \
+   defined(SIGALRM) &&                           \
+@@ -81,10 +83,6 @@
+ #define USE_ALARM_TIMEOUT
+ #endif
+
+-#ifdef USE_ALARM_TIMEOUT
+-#include "easy_lock.h"
+-#endif
+-
+ #define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */
+
+ /*
+@@ -260,8 +258,8 @@ void Curl_hostcache_prune(struct Curl_easy *data)
+ /* Beware this is a global and unique instance. This is used to store the
+    return address that we can jump back to from inside a signal handler. This
+    is not thread-safe stuff. */
+-sigjmp_buf curl_jmpenv;
+-curl_simple_lock curl_jmpenv_lock;
++static sigjmp_buf curl_jmpenv;
++static curl_simple_lock curl_jmpenv_lock;
+ #endif
+
+ /* lookup address, returns entry if found and not stale */
+diff --git a/lib/hostip.h b/lib/hostip.h
+index 1db5981..a46bdc6 100644
+--- a/lib/hostip.h
++++ b/lib/hostip.h
+@@ -189,15 +189,6 @@ Curl_cache_addr(struct Curl_easy *data, struct Curl_addrinfo *addr,
+ #define CURL_INADDR_NONE INADDR_NONE
+ #endif
+
+-#ifdef HAVE_SIGSETJMP
+-/* Forward-declaration of variable defined in hostip.c. Beware this
+- * is a global and unique instance. This is used to store the return
+- * address that we can jump back to from inside a signal handler.
+- * This is not thread-safe stuff.
+- */
+-extern sigjmp_buf curl_jmpenv;
+-#endif
+-
+ /*
+  * Function provided by the resolver backend to set DNS servers to use.
+  */
+--
+2.25.1
+
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 96280b31b2..7f18ef7ee6 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -47,6 +47,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
            file://CVE-2023-27536.patch \
            file://CVE-2023-28319.patch \
            file://CVE-2023-28320.patch \
+           file://CVE-2023-28320-fol1.patch \
            file://CVE-2023-28321.patch \
            file://CVE-2023-28322-1.patch \
            file://CVE-2023-28322-2.patch \
-- 
2.34.1

[OE-core][kirkstone 06/27] libwebp: Fix CVE-2023-1999

[Steve Sakoman]

From: Soumya <soumya.sambu@windriver.com>

There exists a use after free/double free in libwebp. An attacker can
use the ApplyFiltersAndEncode() function and loop through to free
best.bw and assign best = trial pointer. The second loop will then
return 0 because of an Out of memory error in VP8 encoder, the pointer
is still assigned to trial and the AddressSanitizer will attempt a double free.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-1999

Upstream patch:
https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129

Signed-off-by: Soumya <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../webp/files/CVE-2023-1999.patch            | 60 +++++++++++++++++++
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb |  4 +-
 2 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-1999.patch

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch b/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch
new file mode 100644
index 0000000000..895d01ea7d
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch
@@ -0,0 +1,60 @@
+From a486d800b60d0af4cc0836bf7ed8f21e12974129 Mon Sep 17 00:00:00 2001
+From: James Zern <jzern@google.com>
+Date: Wed, 22 Feb 2023 22:15:47 -0800
+Subject: [PATCH] EncodeAlphaInternal: clear result->bw on error
+
+This avoids a double free should the function fail prior to
+VP8BitWriterInit() and a previous trial result's buffer carried over.
+Previously in ApplyFiltersAndEncode() trial.bw (with a previous
+iteration's buffer) would be freed, followed by best.bw pointing to the
+same buffer.
+
+Since:
+187d379d add a fallback to ALPHA_NO_COMPRESSION
+
+In addition, check the return value of VP8BitWriterInit() in this
+function.
+
+Bug: webp:603
+Change-Id: Ic258381ee26c8c16bc211d157c8153831c8c6910
+
+CVE: CVE-2023-1999
+
+Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129]
+
+Signed-off-by: Soumya <soumya.sambu@windriver.com>
+---
+ src/enc/alpha_enc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/enc/alpha_enc.c b/src/enc/alpha_enc.c
+index f7c0269..7d20558 100644
+--- a/src/enc/alpha_enc.c
++++ b/src/enc/alpha_enc.c
+@@ -13,6 +13,7 @@
+
+ #include <assert.h>
+ #include <stdlib.h>
++#include <string.h>
+
+ #include "src/enc/vp8i_enc.h"
+ #include "src/dsp/dsp.h"
+@@ -148,6 +149,7 @@ static int EncodeAlphaInternal(const uint8_t* const data, int width, int height,
+       }
+     } else {
+       VP8LBitWriterWipeOut(&tmp_bw);
++      memset(&result->bw, 0, sizeof(result->bw));
+       return 0;
+     }
+   }
+@@ -162,7 +164,7 @@ static int EncodeAlphaInternal(const uint8_t* const data, int width, int height,
+   header = method | (filter << 2);
+   if (reduce_levels) header |= ALPHA_PREPROCESSED_LEVELS << 4;
+
+-  VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size);
++  if (!VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size)) ok = 0;
+   ok = ok && VP8BitWriterAppend(&result->bw, &header, ALPHA_HEADER_LEN);
+   ok = ok && VP8BitWriterAppend(&result->bw, output, output_size);
+
+--
+2.40.0
diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
index 263589846a..5d868b3b96 100644
--- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
+++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
@@ -13,7 +13,9 @@ LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \
                     file://PATENTS;md5=c6926d0cb07d296f886ab6e0cc5a85b7"
 
-SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz"
+SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \
+           file://CVE-2023-1999.patch \
+           "
 SRC_URI[sha256sum] = "7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df"
 
 UPSTREAM_CHECK_URI = "http://downloads.webmproject.org/releases/webp/index.html"
-- 
2.34.1

[OE-core][kirkstone 07/27] tzdata: upgrade to 2023c

[Steve Sakoman]

From: Ross Burton <ross.burton@arm.com>

Drop a backport patch as it is now integrated.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 80d26d1da47dcd9213a7083d9493a7bce0897a57)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-extended/timezone/timezone.inc   |   6 +-
 .../timezone/tzcode-native.bb                 |   2 -
 ...0001-Fix-C23-related-conformance-bug.patch | 301 ------------------
 3 files changed, 3 insertions(+), 306 deletions(-)
 delete mode 100644 meta/recipes-extended/timezone/tzcode/0001-Fix-C23-related-conformance-bug.patch

diff --git a/meta/recipes-extended/timezone/timezone.inc b/meta/recipes-extended/timezone/timezone.inc
index eec7177228..14a1ce18f3 100644
--- a/meta/recipes-extended/timezone/timezone.inc
+++ b/meta/recipes-extended/timezone/timezone.inc
@@ -6,7 +6,7 @@ SECTION = "base"
 LICENSE = "PD & BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba"
 
-PV = "2022g"
+PV = "2023c"
 
 SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode;subdir=tz \
            http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata;subdir=tz \
@@ -16,5 +16,5 @@ S = "${WORKDIR}/tz"
 
 UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones"
 
-SRC_URI[tzcode.sha256sum] = "9610bb0b9656ff404c361a41f3286da53064b5469d84f00c9cb2314c8614da74"
-SRC_URI[tzdata.sha256sum] = "4491db8281ae94a84d939e427bdd83dc389f26764d27d9a5c52d782c16764478"
+SRC_URI[tzcode.sha256sum] = "46d17f2bb19ad73290f03a203006152e0fa0d7b11e5b71467c4a823811b214e7"
+SRC_URI[tzdata.sha256sum] = "3f510b5d1b4ae9bb38e485aa302a776b317fb3637bdb6404c4adf7b6cadd965c"
diff --git a/meta/recipes-extended/timezone/tzcode-native.bb b/meta/recipes-extended/timezone/tzcode-native.bb
index 6d52b3c422..d0b23a9d80 100644
--- a/meta/recipes-extended/timezone/tzcode-native.bb
+++ b/meta/recipes-extended/timezone/tzcode-native.bb
@@ -2,8 +2,6 @@ require timezone.inc
 
 SUMMARY = "tzcode, timezone zoneinfo utils -- zic, zdump, tzselect"
 
-SRC_URI += "file://0001-Fix-C23-related-conformance-bug.patch"
-
 inherit native
 
 EXTRA_OEMAKE += "cc='${CC}'"
diff --git a/meta/recipes-extended/timezone/tzcode/0001-Fix-C23-related-conformance-bug.patch b/meta/recipes-extended/timezone/tzcode/0001-Fix-C23-related-conformance-bug.patch
deleted file mode 100644
index c91ef93e95..0000000000
--- a/meta/recipes-extended/timezone/tzcode/0001-Fix-C23-related-conformance-bug.patch
+++ /dev/null
@@ -1,301 +0,0 @@
-From 509c5974398952618abdd17f39117b88e3f50057 Mon Sep 17 00:00:00 2001
-From: Paul Eggert <eggert@cs.ucla.edu>
-Date: Thu, 1 Dec 2022 10:28:04 -0800
-Subject: [PATCH] Fix C23-related conformance bug
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Problem reported by Houge Langley for ‘gcc -std=gnu99’ in:
-https://bugs.gentoo.org/show_bug.cgi?id=883719
-* NEWS: Mention this.
-* date.c, localtime.c, private.h, zdump.c, zic.c:
-Use ATTRIBUTE_* at the start of function declarations,
-not later (such as after the keyword ‘static’).
-This is required for strict conformance to C23.
-
-Upstream-Status: Backport [https://github.com/eggert/tz/commit/9cfe9507fcc22cd4a0c4da486ea1c7f0de6b075f]
-
-NEWS change skipped to avoid conflicts.
-
-Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
----
- date.c      |  2 +-
- localtime.c |  4 ++--
- private.h   |  6 +++---
- zdump.c     | 12 ++++++------
- zic.c       | 34 +++++++++++++++++-----------------
- 5 files changed, 29 insertions(+), 29 deletions(-)
-
-diff --git a/date.c b/date.c
-index 11c5e5fe..97df6ab0 100644
---- a/date.c
-+++ b/date.c
-@@ -42,7 +42,7 @@ static void		display(const char *, time_t);
- static void		dogmt(void);
- static void		errensure(void);
- static void		timeout(FILE *, const char *, const struct tm *);
--static ATTRIBUTE_NORETURN void usage(void);
-+ATTRIBUTE_NORETURN static void usage(void);
- 
- int
- main(const int argc, char *argv[])
-diff --git a/localtime.c b/localtime.c
-index 1d22d351..3bf1b911 100644
---- a/localtime.c
-+++ b/localtime.c
-@@ -838,7 +838,7 @@ is_digit(char c)
- ** Return a pointer to that character.
- */
- 
--static ATTRIBUTE_REPRODUCIBLE const char *
-+ATTRIBUTE_REPRODUCIBLE static const char *
- getzname(register const char *strp)
- {
- 	register char	c;
-@@ -859,7 +859,7 @@ getzname(register const char *strp)
- ** We don't do any checking here; checking is done later in common-case code.
- */
- 
--static ATTRIBUTE_REPRODUCIBLE const char *
-+ATTRIBUTE_REPRODUCIBLE static const char *
- getqzname(register const char *strp, const int delim)
- {
- 	register int	c;
-diff --git a/private.h b/private.h
-index 7a73eff7..ae522986 100644
---- a/private.h
-+++ b/private.h
-@@ -628,7 +628,7 @@ char *asctime(struct tm const *);
- char *asctime_r(struct tm const *restrict, char *restrict);
- char *ctime(time_t const *);
- char *ctime_r(time_t const *, char *);
--double difftime(time_t, time_t) ATTRIBUTE_UNSEQUENCED;
-+ATTRIBUTE_UNSEQUENCED double difftime(time_t, time_t);
- size_t strftime(char *restrict, size_t, char const *restrict,
- 		struct tm const *restrict);
- # if HAVE_STRFTIME_L
-@@ -740,10 +740,10 @@ timezone_t tzalloc(char const *);
- void tzfree(timezone_t);
- # ifdef STD_INSPIRED
- #  if TZ_TIME_T || !defined posix2time_z
--time_t posix2time_z(timezone_t, time_t) ATTRIBUTE_REPRODUCIBLE;
-+ATTRIBUTE_REPRODUCIBLE time_t posix2time_z(timezone_t, time_t);
- #  endif
- #  if TZ_TIME_T || !defined time2posix_z
--time_t time2posix_z(timezone_t, time_t) ATTRIBUTE_REPRODUCIBLE;
-+ATTRIBUTE_REPRODUCIBLE time_t time2posix_z(timezone_t, time_t);
- #  endif
- # endif
- #endif
-diff --git a/zdump.c b/zdump.c
-index 7acb3e2d..3e482ba3 100644
---- a/zdump.c
-+++ b/zdump.c
-@@ -89,7 +89,7 @@ static bool	warned;
- static bool	errout;
- 
- static char const *abbr(struct tm const *);
--static intmax_t	delta(struct tm *, struct tm *) ATTRIBUTE_REPRODUCIBLE;
-+ATTRIBUTE_REPRODUCIBLE static intmax_t delta(struct tm *, struct tm *);
- static void dumptime(struct tm const *);
- static time_t hunt(timezone_t, time_t, time_t, bool);
- static void show(timezone_t, char *, time_t, bool);
-@@ -97,7 +97,7 @@ static void showextrema(timezone_t, char *, time_t, struct tm *, time_t);
- static void showtrans(char const *, struct tm const *, time_t, char const *,
- 		      char const *);
- static const char *tformat(void);
--static time_t yeartot(intmax_t) ATTRIBUTE_REPRODUCIBLE;
-+ATTRIBUTE_REPRODUCIBLE static time_t yeartot(intmax_t);
- 
- /* Is C an ASCII digit?  */
- static bool
-@@ -125,7 +125,7 @@ is_alpha(char a)
- 	}
- }
- 
--static ATTRIBUTE_NORETURN void
-+ATTRIBUTE_NORETURN static void
- size_overflow(void)
- {
-   fprintf(stderr, _("%s: size overflow\n"), progname);
-@@ -134,7 +134,7 @@ size_overflow(void)
- 
- /* Return A + B, exiting if the result would overflow either ptrdiff_t
-    or size_t.  */
--static ATTRIBUTE_REPRODUCIBLE ptrdiff_t
-+ATTRIBUTE_REPRODUCIBLE static ptrdiff_t
- sumsize(size_t a, size_t b)
- {
- #ifdef ckd_add
-@@ -151,7 +151,7 @@ sumsize(size_t a, size_t b)
- 
- /* Return a pointer to a newly allocated buffer of size SIZE, exiting
-    on failure.  SIZE should be nonzero.  */
--static void * ATTRIBUTE_MALLOC
-+ATTRIBUTE_MALLOC static void *
- xmalloc(size_t size)
- {
-   void *p = malloc(size);
-@@ -920,7 +920,7 @@ showextrema(timezone_t tz, char *zone, time_t lo, struct tm *lotmp, time_t hi)
- # include <stdarg.h>
- 
- /* A substitute for snprintf that is good enough for zdump.  */
--static int ATTRIBUTE_FORMAT((printf, 3, 4))
-+ATTRIBUTE_FORMAT((printf, 3, 4)) static int
- my_snprintf(char *s, size_t size, char const *format, ...)
- {
-   int n;
-diff --git a/zic.c b/zic.c
-index 892414af..f143fcef 100644
---- a/zic.c
-+++ b/zic.c
-@@ -459,20 +459,20 @@ static char		roll[TZ_MAX_LEAPS];
- ** Memory allocation.
- */
- 
--static ATTRIBUTE_NORETURN void
-+ATTRIBUTE_NORETURN static void
- memory_exhausted(const char *msg)
- {
- 	fprintf(stderr, _("%s: Memory exhausted: %s\n"), progname, msg);
- 	exit(EXIT_FAILURE);
- }
- 
--static ATTRIBUTE_NORETURN void
-+ATTRIBUTE_NORETURN static void
- size_overflow(void)
- {
-   memory_exhausted(_("size overflow"));
- }
- 
--static ATTRIBUTE_REPRODUCIBLE ptrdiff_t
-+ATTRIBUTE_REPRODUCIBLE static ptrdiff_t
- size_sum(size_t a, size_t b)
- {
- #ifdef ckd_add
-@@ -487,7 +487,7 @@ size_sum(size_t a, size_t b)
-   size_overflow();
- }
- 
--static ATTRIBUTE_REPRODUCIBLE ptrdiff_t
-+ATTRIBUTE_REPRODUCIBLE static ptrdiff_t
- size_product(ptrdiff_t nitems, ptrdiff_t itemsize)
- {
- #ifdef ckd_mul
-@@ -502,7 +502,7 @@ size_product(ptrdiff_t nitems, ptrdiff_t itemsize)
-   size_overflow();
- }
- 
--static ATTRIBUTE_REPRODUCIBLE ptrdiff_t
-+ATTRIBUTE_REPRODUCIBLE static ptrdiff_t
- align_to(ptrdiff_t size, ptrdiff_t alignment)
- {
-   ptrdiff_t lo_bits = alignment - 1, sum = size_sum(size, lo_bits);
-@@ -526,7 +526,7 @@ memcheck(void *ptr)
- 	return ptr;
- }
- 
--static void * ATTRIBUTE_MALLOC
-+ATTRIBUTE_MALLOC static void *
- emalloc(size_t size)
- {
-   return memcheck(malloc(size));
-@@ -538,7 +538,7 @@ erealloc(void *ptr, size_t size)
-   return memcheck(realloc(ptr, size));
- }
- 
--static char * ATTRIBUTE_MALLOC
-+ATTRIBUTE_MALLOC static char *
- estrdup(char const *str)
- {
-   return memcheck(strdup(str));
-@@ -608,7 +608,7 @@ eat(int fnum, lineno num)
- 	eats(fnum, num, 0, -1);
- }
- 
--static void ATTRIBUTE_FORMAT((printf, 1, 0))
-+ATTRIBUTE_FORMAT((printf, 1, 0)) static void
- verror(const char *const string, va_list args)
- {
- 	/*
-@@ -626,7 +626,7 @@ verror(const char *const string, va_list args)
- 	fprintf(stderr, "\n");
- }
- 
--static void ATTRIBUTE_FORMAT((printf, 1, 2))
-+ATTRIBUTE_FORMAT((printf, 1, 2)) static void
- error(const char *const string, ...)
- {
- 	va_list args;
-@@ -636,7 +636,7 @@ error(const char *const string, ...)
- 	errors = true;
- }
- 
--static void ATTRIBUTE_FORMAT((printf, 1, 2))
-+ATTRIBUTE_FORMAT((printf, 1, 2)) static void
- warning(const char *const string, ...)
- {
- 	va_list args;
-@@ -666,7 +666,7 @@ close_file(FILE *stream, char const *dir, char const *name,
-   }
- }
- 
--static ATTRIBUTE_NORETURN void
-+ATTRIBUTE_NORETURN static void
- usage(FILE *stream, int status)
- {
-   fprintf(stream,
-@@ -3597,7 +3597,7 @@ lowerit(char a)
- }
- 
- /* case-insensitive equality */
--static ATTRIBUTE_REPRODUCIBLE bool
-+ATTRIBUTE_REPRODUCIBLE static bool
- ciequal(register const char *ap, register const char *bp)
- {
- 	while (lowerit(*ap) == lowerit(*bp++))
-@@ -3606,7 +3606,7 @@ ciequal(register const char *ap, register const char *bp)
- 	return false;
- }
- 
--static ATTRIBUTE_REPRODUCIBLE bool
-+ATTRIBUTE_REPRODUCIBLE static bool
- itsabbr(register const char *abbr, register const char *word)
- {
- 	if (lowerit(*abbr) != lowerit(*word))
-@@ -3622,7 +3622,7 @@ itsabbr(register const char *abbr, register const char *word)
- 
- /* Return true if ABBR is an initial prefix of WORD, ignoring ASCII case.  */
- 
--static ATTRIBUTE_REPRODUCIBLE bool
-+ATTRIBUTE_REPRODUCIBLE static bool
- ciprefix(char const *abbr, char const *word)
- {
-   do
-@@ -3725,14 +3725,14 @@ getfields(char *cp, char **array, int arrayelts)
- 	return nsubs;
- }
- 
--static ATTRIBUTE_NORETURN void
-+ATTRIBUTE_NORETURN static void
- time_overflow(void)
- {
-   error(_("time overflow"));
-   exit(EXIT_FAILURE);
- }
- 
--static ATTRIBUTE_REPRODUCIBLE zic_t
-+ATTRIBUTE_REPRODUCIBLE static zic_t
- oadd(zic_t t1, zic_t t2)
- {
- #ifdef ckd_add
-@@ -3746,7 +3746,7 @@ oadd(zic_t t1, zic_t t2)
-   time_overflow();
- }
- 
--static ATTRIBUTE_REPRODUCIBLE zic_t
-+ATTRIBUTE_REPRODUCIBLE static zic_t
- tadd(zic_t t1, zic_t t2)
- {
- #ifdef ckd_add
-- 
2.34.1

[OE-core][kirkstone 08/27] serf: upgrade 1.3.9 -> 1.3.10

[Steve Sakoman]

From: Alexander Kanavin <alex.kanavin@gmail.com>

Apache Serf 1.3.10 [2023-05-31, from tags/1.3.10, r1910048]
  Support for OpenSSL 3 (r1901937, ...)
  Fix issue #171: Win32: Running tests fails with "no OPENSSL_Applink" error
  Fix issue #194: Win32: Linking error when building against OpenSSL 1.1+
  Fix issue #198: OpenSSL BIO control method incorrectly handles unknown requests
  Fix issue #202: SSL tests are not passing with OpenSSL 3
  Fix error handling when reading the outgoing request body (r1804534, ...)
  Fix handling of invalid chunk lengths in the dechunk bucket (r1804005, ...)
  Fix an endless loop in the deflate bucket with truncated input (r1805301)
  Fix BIO control handlers to support BIO_CTRL_EOF (r1902208)
  Fix a CRT mismatch issue caused by using certain OpenSSL functions (r1909252)
  Build changes to support VS2017, VS2019 and VS2022 (r1712131, ...)
  Build changes to support Python 3 (r1875933)

As serf is undead, we need to reassess all the remaining patches.

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 775cbcc876edcb6c339f342a3253f5afcf6ef163)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 17a46eee905f0ecfdbebb014533848dc7e906ec7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...print-in-the-scons-file-to-unbreak-b.patch | 29 -------------------
 ...sl_buckets.c-do-not-use-ERR_GET_FUNC.patch | 28 ------------------
 ...11083-fix-building-with-scons-3.0.0-.patch | 29 -------------------
 ...ories.without.sandbox-install.prefix.patch |  2 +-
 .../serf/{serf_1.3.9.bb => serf_1.3.10.bb}    |  6 +---
 5 files changed, 2 insertions(+), 92 deletions(-)
 delete mode 100644 meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch
 delete mode 100644 meta/recipes-support/serf/serf/0001-buckets-ssl_buckets.c-do-not-use-ERR_GET_FUNC.patch
 delete mode 100644 meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch
 rename meta/recipes-support/serf/{serf_1.3.9.bb => serf_1.3.10.bb} (78%)

diff --git a/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch b/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch
deleted file mode 100644
index 4a5832ac1a..0000000000
--- a/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 99f6e1b0d68281b63218d6adfe68cd9e331ac5be Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Mon, 3 Sep 2018 10:50:08 -0700
-Subject: [PATCH] Fix syntax of a print() in the scons file to unbreak building
- with most recent scons version.
-
-* SConstruct Use Python 3.0 valid syntax to make Scons 3.0.0 happy on both python
-  3.0 and 2.7.
-
-Upstream-Status: Backport
-[https://svn.apache.org/viewvc/serf/trunk/SConstruct?r1=1809132&r2=1811083&diff_format=h]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- SConstruct | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/SConstruct b/SConstruct
-index 1670459..18a45fa 100644
---- a/SConstruct
-+++ b/SConstruct
-@@ -184,7 +184,7 @@ CALLOUT_OKAY = not (env.GetOption('clean') or env.GetOption('help'))
- 
- unknown = opts.UnknownVariables()
- if unknown:
--  print 'Warning: Used unknown variables:', ', '.join(unknown.keys())
-+  print('Warning: Used unknown variables:', ', '.join(unknown.keys()))
- 
- apr = str(env['APR'])
- apu = str(env['APU'])
diff --git a/meta/recipes-support/serf/serf/0001-buckets-ssl_buckets.c-do-not-use-ERR_GET_FUNC.patch b/meta/recipes-support/serf/serf/0001-buckets-ssl_buckets.c-do-not-use-ERR_GET_FUNC.patch
deleted file mode 100644
index 91ccc8a474..0000000000
--- a/meta/recipes-support/serf/serf/0001-buckets-ssl_buckets.c-do-not-use-ERR_GET_FUNC.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 2f45711a66ff99886b6e4a5708e2db01a63e5af4 Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin <alex@linutronix.de>
-Date: Fri, 10 Sep 2021 11:05:10 +0200
-Subject: [PATCH] buckets/ssl_buckets.c: do not use ERR_GET_FUNC
-
-Upstream removed it in
-https://github.com/openssl/openssl/pull/16004
-
-Upstream-Status: Inactive-Upstream [lastrelease: 2015, lastcommit: 2019]
-Signed-off-by: Alexander Kanavin <alex@linutronix.de>
----
- buckets/ssl_buckets.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/buckets/ssl_buckets.c b/buckets/ssl_buckets.c
-index b01e535..9801f87 100644
---- a/buckets/ssl_buckets.c
-+++ b/buckets/ssl_buckets.c
-@@ -1325,8 +1325,7 @@ static int ssl_need_client_cert(SSL *ssl, X509 **cert, EVP_PKEY **pkey)
-                 return 0;
-             }
-             else {
--                printf("OpenSSL cert error: %d %d %d\n", ERR_GET_LIB(err),
--                       ERR_GET_FUNC(err),
-+                printf("OpenSSL cert error: %d %d\n", ERR_GET_LIB(err),
-                        ERR_GET_REASON(err));
-                 PKCS12_free(p12);
-                 bio_meth_free(biom);
diff --git a/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch b/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch
deleted file mode 100644
index 02fa9e3a06..0000000000
--- a/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 565211fd082ef653ca9c44a345350fc1451f5a0f Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Mon, 3 Sep 2018 11:12:38 -0700
-Subject: [PATCH] Follow-up to r1811083 fix building with scons 3.0.0 and
- Python3
-
-* SConstruct: Append decode('utf-8) to FILE.get_contents() to avoid
-  TypeError: cannot use a string pattern on a bytes-like object
-
-Upstream-Status: Backport
-[https://svn.apache.org/viewvc/serf/trunk/SConstruct?r1=1811088&r2=1814604]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- SConstruct | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/SConstruct b/SConstruct
-index 877731e..7678bb1 100644
---- a/SConstruct
-+++ b/SConstruct
-@@ -169,7 +169,7 @@ env.Append(BUILDERS = {
- match = re.search('SERF_MAJOR_VERSION ([0-9]+).*'
-                   'SERF_MINOR_VERSION ([0-9]+).*'
-                   'SERF_PATCH_VERSION ([0-9]+)',
--                  env.File('serf.h').get_contents(),
-+                  env.File('serf.h').get_contents().decode('utf-8'),
-                   re.DOTALL)
- MAJOR, MINOR, PATCH = [int(x) for x in match.groups()]
- env.Append(MAJOR=str(MAJOR))
diff --git a/meta/recipes-support/serf/serf/SConstruct.stop.creating.directories.without.sandbox-install.prefix.patch b/meta/recipes-support/serf/serf/SConstruct.stop.creating.directories.without.sandbox-install.prefix.patch
index 4105868a7e..91640d6044 100644
--- a/meta/recipes-support/serf/serf/SConstruct.stop.creating.directories.without.sandbox-install.prefix.patch
+++ b/meta/recipes-support/serf/serf/SConstruct.stop.creating.directories.without.sandbox-install.prefix.patch
@@ -31,7 +31,7 @@ ERROR: scons install execution failed.
   and the installed paths (including the paths inside libserf*.pc)
   look correct
 
-Upstream-Status: Inactive-Upstream [lastrelease: 2015, lastcommit: 2019]
+Upstream-Status: Pending
 
 Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
 
diff --git a/meta/recipes-support/serf/serf_1.3.9.bb b/meta/recipes-support/serf/serf_1.3.10.bb
similarity index 78%
rename from meta/recipes-support/serf/serf_1.3.9.bb
rename to meta/recipes-support/serf/serf_1.3.10.bb
index 669f42b8e7..c6b51452aa 100644
--- a/meta/recipes-support/serf/serf_1.3.9.bb
+++ b/meta/recipes-support/serf/serf_1.3.10.bb
@@ -7,16 +7,12 @@ HOMEPAGE = "http://serf.apache.org/"
 SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://norpath.patch \
            file://env.patch \
-           file://0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch \
            file://0002-SConstruct-Fix-path-quoting-for-.def-generator.patch \
            file://0003-gen_def.patch \
-           file://0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch \
            file://SConstruct.stop.creating.directories.without.sandbox-install.prefix.patch \
-           file://0001-buckets-ssl_buckets.c-do-not-use-ERR_GET_FUNC.patch \
            "
 
-SRC_URI[md5sum] = "370a6340ff20366ab088012cd13f2b57"
-SRC_URI[sha256sum] = "549c2d21c577a8a9c0450facb5cca809f26591f048e466552240947bdf7a87cc"
+SRC_URI[sha256sum] = "be81ef08baa2516ecda76a77adf7def7bc3227eeb578b9a33b45f7b41dc064e6"
 
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327"
-- 
2.34.1

[OE-core][kirkstone 09/27] wget: upgrade 1.21.3 -> 1.21.4

[Steve Sakoman]

From: Alexander Kanavin <alex.kanavin@gmail.com>

Stable version release

Noteworthy changes in release 1.21.4 (2023-05-11)

** Document --retry-on-host-error in help text

** Increase read buffer size to 64k. This should speed up downloads on gigabit
and faster connections

** Update deprecated option '--html-extension' to '--adjust-extension' in
documentation

** Update gnulib compatibility layer.
   Fixes HSTS test failures on i686. (Thanks to Andreas Enge for ponting it out)

License-Update: copyright years

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 67ec2d5bab891cb92af9ca32304a4927daf51ed0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 4e7ec4bef86c79b4221a800ace700c58ce033de1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-extended/wget/wget.inc                           | 2 +-
 meta/recipes-extended/wget/{wget_1.21.3.bb => wget_1.21.4.bb} | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-extended/wget/{wget_1.21.3.bb => wget_1.21.4.bb} (60%)

diff --git a/meta/recipes-extended/wget/wget.inc b/meta/recipes-extended/wget/wget.inc
index 58cb5ca73d..30abaff7b7 100644
--- a/meta/recipes-extended/wget/wget.inc
+++ b/meta/recipes-extended/wget/wget.inc
@@ -7,7 +7,7 @@ FTP sites"
 HOMEPAGE = "https://www.gnu.org/software/wget/"
 SECTION = "console/network"
 LICENSE = "GPL-3.0-only"
-LIC_FILES_CHKSUM = "file://COPYING;md5=c678957b0c8e964aa6c70fd77641a71e"
+LIC_FILES_CHKSUM = "file://COPYING;md5=6f65012d1daf98cb09b386cfb68df26b"
 
 inherit autotools gettext texinfo update-alternatives pkgconfig
 
diff --git a/meta/recipes-extended/wget/wget_1.21.3.bb b/meta/recipes-extended/wget/wget_1.21.4.bb
similarity index 60%
rename from meta/recipes-extended/wget/wget_1.21.3.bb
rename to meta/recipes-extended/wget/wget_1.21.4.bb
index f176a1546c..1d31b0116d 100644
--- a/meta/recipes-extended/wget/wget_1.21.3.bb
+++ b/meta/recipes-extended/wget/wget_1.21.4.bb
@@ -2,6 +2,6 @@ SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
            file://0002-improve-reproducibility.patch \
           "
 
-SRC_URI[sha256sum] = "5726bb8bc5ca0f6dc7110f6416e4bb7019e2d2ff5bf93d1ca2ffcc6656f220e5"
+SRC_URI[sha256sum] = "81542f5cefb8faacc39bbbc6c82ded80e3e4a88505ae72ea51df27525bcde04c"
 
 require wget.inc
-- 
2.34.1

[OE-core][kirkstone 10/27] linux-firmware: upgrade 20230404 -> 20230515

[Steve Sakoman]

From: Alexander Kanavin <alex.kanavin@gmail.com>

License-Update: additional firmwares

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 64603f602d00999220fe5bafeed996ddcb56d36b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...{linux-firmware_20230404.bb => linux-firmware_20230515.bb} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230404.bb => linux-firmware_20230515.bb} (99%)

diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20230404.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb
similarity index 99%
rename from meta/recipes-kernel/linux-firmware/linux-firmware_20230404.bb
rename to meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb
index 7412c022ba..3470131294 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20230404.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb
@@ -134,7 +134,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
                     "
 # WHENCE checksum is defined separately to ease overriding it if
 # class-devupstream is selected.
-WHENCE_CHKSUM  = "0782deea054d4b1b7f10c92c3a245da4"
+WHENCE_CHKSUM  = "a0997fc7a9af4e46d96529d6ef13b58a"
 
 # These are not common licenses, set NO_GENERIC_LICENSE for them
 # so that the license files will be copied from fetched source
@@ -212,7 +212,7 @@ SRC_URI:class-devupstream = "git://git.kernel.org/pub/scm/linux/kernel/git/firmw
 # Pin this to the 20220509 release, override this in local.conf
 SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae"
 
-SRC_URI[sha256sum] = "c3f9ad2bb5311cce2490f37a8052f836703d6936aabd840246b6576f1f71f607"
+SRC_URI[sha256sum] = "8b1acfa16f1ee94732a6acb50d9d6c835cf53af11068bd89ed207bbe04a1e951"
 
 inherit allarch
 
-- 
2.34.1

[OE-core][kirkstone 11/27] wireless-regdb: upgrade 2023.02.13 -> 2023.05.03

[Steve Sakoman]

From: Alexander Kanavin <alex.kanavin@gmail.com>

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 47438402fa430499864a4b1f1a13eaac66aa21c0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...ireless-regdb_2023.02.13.bb => wireless-regdb_2023.05.03.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2023.02.13.bb => wireless-regdb_2023.05.03.bb} (94%)

diff --git a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.02.13.bb b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.05.03.bb
similarity index 94%
rename from meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.02.13.bb
rename to meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.05.03.bb
index ce60154f1e..cd3f52fc76 100644
--- a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.02.13.bb
+++ b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.05.03.bb
@@ -5,7 +5,7 @@ LICENSE = "ISC"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c"
 
 SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz"
-SRC_URI[sha256sum] = "fe81e8a8694dc4753a45087a1c4c7e1b48dee5a59f5f796ce374ea550f0b2e73"
+SRC_URI[sha256sum] = "f254d08ab3765aeae2b856222e11a95d44aef519a6663877c71ef68fae4c8c12"
 
 inherit bin_package allarch
 
-- 
2.34.1

[OE-core][kirkstone 12/27] vim: upgrade 9.0.1527 -> 9.0.1592

[Steve Sakoman]

From: Trevor Gamblin <tgamblin@baylibre.com>

Fixes:

https://nvd.nist.gov/vuln/detail/CVE-2023-2609
d1ae836 patch 9.0.1531: crash when register contents ends up being invalid
https://nvd.nist.gov/vuln/detail/CVE-2023-2610
ab9a2d8 patch 9.0.1532: crash when expanding "~" in substitute causes very long text

Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1e4b4dfb4145bc00eb6937b5f54a41170e9a5b4c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index e1d2563316..33ae0d8079 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
            file://no-path-adjust.patch \
            "
 
-PV .= ".1527"
-SRCREV = "c28e7a2b2f23dbd246a1ad7ad7aaa6f7ab2e5887"
+PV .= ".1592"
+SRCREV = "29b4c513b11deb37f0e0538df53d195f602fa42c"
 
 # Remove when 8.3 is out
 UPSTREAM_VERSION_UNKNOWN = "1"
-- 
2.34.1

[OE-core][kirkstone 13/27] selftest reproducible.py: support different build targets

[Steve Sakoman]

From: Mikko Rapeli <mikko.rapeli@linaro.org>

Allow users to set different build reproducibility targets than
the defaults using OEQA_REPRODUCIBLE_TEST_TARGET and
OEQA_REPRODUCIBLE_TEST_SSTATE_TARGETS variables in local.conf.

Fixing all issues from "world" builds is not possible in some
complex build environments with lots of layers. Limiting the focus to
a smaller subset allows using this test to detect and fix build
reproduction issues incrementally.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit c66bebbce5995e386a1a4d055a914a39b6ee518d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oeqa/selftest/cases/reproducible.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py b/meta/lib/oeqa/selftest/cases/reproducible.py
index 2c9bc0bf90..98259ae515 100644
--- a/meta/lib/oeqa/selftest/cases/reproducible.py
+++ b/meta/lib/oeqa/selftest/cases/reproducible.py
@@ -132,9 +132,13 @@ class ReproducibleTests(OESelftestTestCase):
     max_report_size = 250 * 1024 * 1024
 
     # targets are the things we want to test the reproducibility of
-    targets = ['core-image-minimal', 'core-image-sato', 'core-image-full-cmdline', 'core-image-weston', 'world']
+    targets = get_bb_var("OEQA_REPRODUCIBLE_TEST_TARGET")
+    if targets:
+        targets = targets.split()
+    else:
+        targets = ['core-image-minimal', 'core-image-sato', 'core-image-full-cmdline', 'core-image-weston', 'world']
     # sstate targets are things to pull from sstate to potentially cut build/debugging time
-    sstate_targets = []
+    sstate_targets = (get_bb_var("OEQA_REPRODUCIBLE_TEST_SSTATE_TARGETS") or "").split()
     save_results = False
     if 'OEQA_DEBUGGING_SAVED_OUTPUT' in os.environ:
         save_results = os.environ['OEQA_DEBUGGING_SAVED_OUTPUT']
-- 
2.34.1

[OE-core][kirkstone 14/27] selftest/reproducible: Allow chose the package manager

[Steve Sakoman]

From: Jose Quaresma <quaresma.jose@gmail.com>

This is a follow-up of 76e5fcb2 that also allow users to chose
the package manager using OEQA_REPRODUCIBLE_TEST_PACKAGE

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3d414d85b44077bac57aba36707b0fc699a73e97)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oeqa/selftest/cases/reproducible.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py b/meta/lib/oeqa/selftest/cases/reproducible.py
index 98259ae515..49318be43a 100644
--- a/meta/lib/oeqa/selftest/cases/reproducible.py
+++ b/meta/lib/oeqa/selftest/cases/reproducible.py
@@ -126,7 +126,11 @@ class DiffoscopeTests(OESelftestTestCase):
 class ReproducibleTests(OESelftestTestCase):
     # Test the reproducibility of whatever is built between sstate_targets and targets
 
-    package_classes = ['deb', 'ipk', 'rpm']
+    package_classes = get_bb_var("OEQA_REPRODUCIBLE_TEST_PACKAGE")
+    if package_classes:
+        package_classes = package_classes.split()
+    else:
+        package_classes = ['deb', 'ipk', 'rpm']
 
     # Maximum report size, in bytes
     max_report_size = 250 * 1024 * 1024
-- 
2.34.1

[OE-core][kirkstone 15/27] libpng: Add ptest for libpng

[Steve Sakoman]

From: Nikhil R <nikhilar2410@gmail.com>

libpng is a platform-independent library which
supports all PNG features.
This ptest executes the below binaries, parses
the png image and prints the image features.

1. pngfix - provides information about PNG image
copyrights details.

2. pngtest - tests, optimizes and optionally fixes
the zlib header in PNG files.

3. pngstest - verifies the integrity of PNG image by
dumping chunk level information.

4. timepng - provides details about PNG image chunks.

Signed-off-by: Nikhil R <nikhil.r@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../distro/include/ptest-packagelists.inc     |  1 +
 .../recipes-multimedia/libpng/files/run-ptest | 29 +++++++++++++++++++
 .../libpng/libpng_1.6.39.bb                   | 16 ++++++++--
 3 files changed, 44 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-multimedia/libpng/files/run-ptest

diff --git a/meta/conf/distro/include/ptest-packagelists.inc b/meta/conf/distro/include/ptest-packagelists.inc
index 5bcff83093..5c6a30635f 100644
--- a/meta/conf/distro/include/ptest-packagelists.inc
+++ b/meta/conf/distro/include/ptest-packagelists.inc
@@ -29,6 +29,7 @@ PTESTS_FAST = "\
     libnl-ptest \
     libmodule-build-perl-ptest \
     libpcre-ptest \
+    libpng-ptest \
     libssh2-ptest \
     libtimedate-perl-ptest \
     libtest-needs-perl-ptest \
diff --git a/meta/recipes-multimedia/libpng/files/run-ptest b/meta/recipes-multimedia/libpng/files/run-ptest
new file mode 100644
index 0000000000..9ab5d0c1f4
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/run-ptest
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+set -eux
+
+./pngfix pngtest.png &> log.txt  2>&1
+
+if grep -i "OK" log.txt 2>&1 ; then
+   echo "PASS: pngfix passed"
+else
+   echo "FAIL: pngfix failed"
+fi
+rm -f log.txt
+
+./pngtest pngtest.png &> log.txt 2>&1
+
+if grep -i "PASS" log.txt 2>&1 ; then
+   echo "PASS: pngtest passed"
+else
+   echo "FAIL: pngtest failed"
+fi
+rm -f log.txt
+
+for i in pngstest timepng; do
+    if "./${i}" pngtest.png 2>&1; then
+        echo "PASS: $i"
+    else
+        echo "FAIL: $i"
+    fi
+done
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
index d9dcf379e9..94db1d3f6b 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -10,7 +10,11 @@ DEPENDS = "zlib"
 
 LIBV = "16"
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz"
+SRC_URI = "\
+           ${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz \
+           file://run-ptest \
+           "
+
 SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"
 
 MIRRORS += "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/ ${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/older-releases/"
@@ -19,7 +23,7 @@ UPSTREAM_CHECK_URI = "http://libpng.org/pub/png/libpng.html"
 
 BINCONFIG = "${bindir}/libpng-config ${bindir}/libpng16-config"
 
-inherit autotools binconfig-disabled pkgconfig
+inherit autotools binconfig-disabled pkgconfig ptest
 
 # Work around missing symbols
 EXTRA_OECONF:append:class-target = " ${@bb.utils.contains("TUNE_FEATURES", "neon", "--enable-arm-neon=on", "--enable-arm-neon=off", d)}"
@@ -32,3 +36,11 @@ BBCLASSEXTEND = "native nativesdk"
 
 # CVE-2019-17371 is actually a memory leak in gif2png 2.x
 CVE_CHECK_IGNORE += "CVE-2019-17371"
+
+do_install_ptest() {
+    install -m644 "${S}/pngtest.png" "${D}${PTEST_PATH}"
+    install -m755 "${B}/.libs/pngfix" "${D}${PTEST_PATH}"
+    install -m755 "${B}/.libs/pngtest" "${D}${PTEST_PATH}"
+    install -m755 "${B}/.libs/pngstest" "${D}${PTEST_PATH}"
+    install -m755 "${B}/.libs/timepng" "${D}${PTEST_PATH}"
+}
-- 
2.34.1

[OE-core][kirkstone 16/27] logrotate: Do not create logrotate.status file

[Steve Sakoman]

From: Jermain Horsman <jermain.horsman@nedap.com>

The first time logrotate runs it reports an error:

  error: state file /var/lib/logrotate.status is
  world-readable and thus can be locked from other
  unprivileged users. Skipping lock acquisition...

This check was added with
https://github.com/logrotate/logrotate/commit/1f76a381e2caa0603ae3dbc51ed0f1aa0d6658b9

This error is only reported once as logrotate removes
the world-readable permissions if this happens.
Since logrotate creates this file if it does not exist,
there should be no need to install it in the first place.

Signed-off-by: Jermain Horsman <jermain.horsman@nedap.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8169cd2d18f1569e4357f082adbef492710e8c36)
Signed-off-by: Jermain Horsman <jermain.horsman@nedap.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-extended/logrotate/logrotate_3.20.1.bb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/meta/recipes-extended/logrotate/logrotate_3.20.1.bb b/meta/recipes-extended/logrotate/logrotate_3.20.1.bb
index 35977535aa..3df6ebd26d 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.20.1.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.20.1.bb
@@ -67,7 +67,6 @@ do_install(){
     install -p -m 644 ${S}/examples/logrotate.conf ${D}${sysconfdir}/logrotate.conf
     install -p -m 644 ${S}/examples/btmp ${D}${sysconfdir}/logrotate.d/btmp
     install -p -m 644 ${S}/examples/wtmp ${D}${sysconfdir}/logrotate.d/wtmp
-    touch ${D}${localstatedir}/lib/logrotate.status
 
     if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
         install -d ${D}${systemd_system_unitdir}
-- 
2.34.1

[OE-core][kirkstone 17/27] pybootchartgui: show elapsed time for each task

[Steve Sakoman]

From: Mauro Queiros <Mauro.Queiros@criticaltechworks.com>

Currently, finding the elapsed time of each task in buildtimes.svg
is a manual effort of checking the top axis and finding and subtracting
the end and start time of the task.

This change adds the elapsed time for each task, so that
manual effort of comparing start/end time is avoided.

Signed-off-by: Mauro Queiros <Mauro.Queiros@criticaltechworks.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3efebd3404de548f0757863da237f2d18ce60013)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 scripts/pybootchartgui/pybootchartgui/draw.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/scripts/pybootchartgui/pybootchartgui/draw.py b/scripts/pybootchartgui/pybootchartgui/draw.py
index fc708b55c3..707e7fe427 100644
--- a/scripts/pybootchartgui/pybootchartgui/draw.py
+++ b/scripts/pybootchartgui/pybootchartgui/draw.py
@@ -558,6 +558,11 @@ def render_processes_chart(ctx, options, trace, curr_y, w, h, sec_w):
             draw_rect(ctx, PROC_BORDER_COLOR, (x, y, w, proc_h))
 
             draw_label_in_box(ctx, PROC_TEXT_COLOR, process, x, y + proc_h - 4, w, proc_h)
+
+            # Show elapsed time for each task
+            elapsed_time = f"{trace.processes[process][1] - start}s"
+            draw_text(ctx, elapsed_time, PROC_TEXT_COLOR, x + w + 4, y + proc_h - 4)
+
             y = y + proc_h
 
     return curr_y
-- 
2.34.1

[OE-core][kirkstone 18/27] systemd: Backport nspawn: make sure host root can write to the uidmapped mounts we prepare for the container payload

[Steve Sakoman]

From: Marek Vasut <marex@denx.de>

Backport fix for systemd nspawn uidmap handling from systemd v253 .
Without this, attempt to start mkosi generated debian stable 12
container would ultimately fail (per "$ strace -ff") with:
"
symlinkat("usr/lib/aarch64-linux-gnu", 8, "lib64") = -1 EOVERFLOW (Value too large for defined data type)
"

Command to generate test container:
"
mkosi --distribution debian --release stable --architecture arm64 \
      --cache-dir /home/oe/cache/ --format tar --compress-output xz \
      --output-dir /home/oe/output/ --checksum 1 --root-password root \
      --package systemd --package udev --package dbus
"

Command to import test container and start it, which triggers the failure:
"
$ machinectl pull-tar http://192.168.1.300/image.tar.xz default
$ machinectl read-only default false
$ rm -f /var/lib/machines/default/etc/machine-id
$ dbus-uuidgen --ensure=/var/lib/machines/default/etc/machine-id
$ machinectl start default
"

Minimal command to trigger the failure once container is imported:
"
$ strace -ff systemd-nspawn --keep-unit --boot --link-journal=try-guest --network-veth -U --settings=override --machine=default
"

Extracted from systemd MR:
https://github.com/systemd/systemd/pull/22774

Further explanation by Christian Brauner at second half of:
https://github.com/systemd/systemd/issues/20989

Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...-host-root-can-write-to-the-uidmappe.patch | 216 ++++++++++++++++++
 meta/recipes-core/systemd/systemd_250.5.bb    |   1 +
 2 files changed, 217 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/0001-nspawn-make-sure-host-root-can-write-to-the-uidmappe.patch

diff --git a/meta/recipes-core/systemd/systemd/0001-nspawn-make-sure-host-root-can-write-to-the-uidmappe.patch b/meta/recipes-core/systemd/systemd/0001-nspawn-make-sure-host-root-can-write-to-the-uidmappe.patch
new file mode 100644
index 0000000000..8715019c99
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-nspawn-make-sure-host-root-can-write-to-the-uidmappe.patch
@@ -0,0 +1,216 @@
+From e34fb1a4568bd080032065bb1506ab9b6c6606f1 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Thu, 17 Mar 2022 13:46:12 +0100
+Subject: [PATCH] nspawn: make sure host root can write to the uidmapped mounts
+ we prepare for the container payload
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When using user namespaces in conjunction with uidmapped mounts, nspawn
+so far set up two uidmappings:
+
+1. One that is used for the uidmapped mount and that maps the UID range
+   0…65535 on the backing fs to some high UID range X…X+65535 on the
+   uidmapped fs. (Let's call this mapping the "mount mapping")
+
+2. One that is used for the userns namespace the container payload
+   processes run in, that maps X…X+65535 back to 0…65535. (Let's call
+   this one the "process mapping").
+
+These mappings hence are pretty much identical, one just moves things up
+and one back down. (Reminder: we do all this so that the processes can
+run under high UIDs while running off file systems that require no
+recursive chown()ing, i.e. we want processes with high UID range but
+files with low UID range.)
+
+This creates one problem, i.e. issue #20989: if nspawn (which runs as
+host root, i.e. host UID 0) wants to add inodes to the uidmapped mount
+it can't do that, since host UID 0 is not defined in the mount mapping
+(only the X…X+65536 range is, after all, and X > 0), and processes whose
+UID is not mapped in a uidmapped fs cannot create inodes in it since
+those would be owned by an unmapped UID, which then triggers
+the famous EOVERFLOW error.
+
+Let's fix this, by explicitly including an entry for the host UID 0 in
+the mount mapping. Specifically, we'll extend the mount mapping to map
+UID 2147483646 (which is INT32_MAX-1, see code for an explanation why I
+picked this one) of the backing fs to UID 0 on the uidmapped fs. This
+way nspawn can creates inode on the uidmapped as it likes (which will
+then actually be owned by UID 2147483646 on the backing fs), and as it
+always did. Note that we do *not* create a similar entry in the process
+mapping. Thus any files created by nspawn that way (and not chown()ed to
+something better) will appear as unmapped (i.e. as overflowuid/"nobody")
+in the container payload. And that's good. Of course, the latter is
+mostly theoretic, as nspawn should generally chown() the inodes it
+creates to UID ranges that actually make sense for the container (and we
+generally already do this correctly), but it#s good to know that we are
+safe here, given we might accidentally forget to chown() some inodes we
+create.
+
+Net effect: the two mappings will not be identical anymore. The mount
+mapping has one entry more, and the only reason it exists is so that
+nspawn can access the uidmapped fs reasonably independently from any
+process mapping.
+
+Fixes: #20989
+
+Upstream-Status: Backport [50ae2966d20b0b4a19def060de3b966b7a70b54a]
+Signed-off-by: Marek Vasut <marex@denx.de>
+---
+ src/basic/user-util.h      | 13 +++++++++++++
+ src/nspawn/nspawn-mount.c  |  2 +-
+ src/nspawn/nspawn.c        |  2 +-
+ src/shared/dissect-image.c |  2 +-
+ src/shared/mount-util.c    | 28 +++++++++++++++++++++++-----
+ src/shared/mount-util.h    | 13 ++++++++++++-
+ 6 files changed, 51 insertions(+), 9 deletions(-)
+
+diff --git a/src/basic/user-util.h b/src/basic/user-util.h
+index ab1ce48b2d..0b9749ef8b 100644
+--- a/src/basic/user-util.h
++++ b/src/basic/user-util.h
+@@ -59,6 +59,19 @@ int take_etc_passwd_lock(const char *root);
+ #define UID_NOBODY ((uid_t) 65534U)
+ #define GID_NOBODY ((gid_t) 65534U)
+ 
++/* If REMOUNT_IDMAP_HOST_ROOT is set for remount_idmap() we'll include a mapping here that maps the host root
++ * user accessing the idmapped mount to the this user ID on the backing fs. This is the last valid UID in the
++ * *signed* 32bit range. You might wonder why precisely use this specific UID for this purpose? Well, we
++ * definitely cannot use the first 0…65536 UIDs for that, since in most cases that's precisely the file range
++ * we intend to map to some high UID range, and since UID mappings have to be bijective we thus cannot use
++ * them at all. Furthermore the UID range beyond INT32_MAX (i.e. the range above the signed 32bit range) is
++ * icky, since many APIs cannot use it (example: setfsuid() returns the old UID as signed integer). Following
++ * our usual logic of assigning a 16bit UID range to each container, so that the upper 16bit of a 32bit UID
++ * value indicate kind of a "container ID" and the lower 16bit map directly to the intended user you can read
++ * this specific UID as the "nobody" user of the container with ID 0x7FFF, which is kinda nice. */
++#define UID_MAPPED_ROOT ((uid_t) (INT32_MAX-1))
++#define GID_MAPPED_ROOT ((gid_t) (INT32_MAX-1))
++
+ #define ETC_PASSWD_LOCK_PATH "/etc/.pwd.lock"
+ 
+ /* The following macros add 1 when converting things, since UID 0 is a valid UID, while the pointer
+diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
+index 40773d90c1..f2fad0f462 100644
+--- a/src/nspawn/nspawn-mount.c
++++ b/src/nspawn/nspawn-mount.c
+@@ -780,7 +780,7 @@ static int mount_bind(const char *dest, CustomMount *m, uid_t uid_shift, uid_t u
+         }
+ 
+         if (idmapped) {
+-                r = remount_idmap(where, uid_shift, uid_range);
++                r = remount_idmap(where, uid_shift, uid_range, REMOUNT_IDMAP_HOST_ROOT);
+                 if (r < 0)
+                         return log_error_errno(r, "Failed to map ids for bind mount %s: %m", where);
+         }
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index 8f17ab8810..fe0af8e42d 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -3779,7 +3779,7 @@ static int outer_child(
+             IN_SET(arg_userns_ownership, USER_NAMESPACE_OWNERSHIP_MAP, USER_NAMESPACE_OWNERSHIP_AUTO) &&
+             arg_uid_shift != 0) {
+ 
+-                r = remount_idmap(directory, arg_uid_shift, arg_uid_range);
++                r = remount_idmap(directory, arg_uid_shift, arg_uid_range, REMOUNT_IDMAP_HOST_ROOT);
+                 if (r == -EINVAL || ERRNO_IS_NOT_SUPPORTED(r)) {
+                         /* This might fail because the kernel or file system doesn't support idmapping. We
+                          * can't really distinguish this nicely, nor do we have any guarantees about the
+diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
+index 39a7f4c3f2..471c165257 100644
+--- a/src/shared/dissect-image.c
++++ b/src/shared/dissect-image.c
+@@ -1807,7 +1807,7 @@ static int mount_partition(
+                 (void) fs_grow(node, p);
+ 
+         if (remap_uid_gid) {
+-                r = remount_idmap(p, uid_shift, uid_range);
++                r = remount_idmap(p, uid_shift, uid_range, REMOUNT_IDMAP_HOST_ROOT);
+                 if (r < 0)
+                         return r;
+         }
+diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c
+index c75c02f5be..fb2e9a0711 100644
+--- a/src/shared/mount-util.c
++++ b/src/shared/mount-util.c
+@@ -1049,14 +1049,31 @@ int make_mount_point(const char *path) {
+         return 1;
+ }
+ 
+-static int make_userns(uid_t uid_shift, uid_t uid_range) {
+-        char line[DECIMAL_STR_MAX(uid_t)*3+3+1];
++static int make_userns(uid_t uid_shift, uid_t uid_range, RemountIdmapFlags flags) {
+         _cleanup_close_ int userns_fd = -1;
++        _cleanup_free_ char *line = NULL;
+ 
+         /* Allocates a userns file descriptor with the mapping we need. For this we'll fork off a child
+          * process whose only purpose is to give us a new user namespace. It's killed when we got it. */
+ 
+-        xsprintf(line, UID_FMT " " UID_FMT " " UID_FMT "\n", 0, uid_shift, uid_range);
++        if (asprintf(&line, UID_FMT " " UID_FMT " " UID_FMT "\n", 0, uid_shift, uid_range) < 0)
++                return log_oom_debug();
++
++        /* If requested we'll include an entry in the mapping so that the host root user can make changes to
++         * the uidmapped mount like it normally would. Specifically, we'll map the user with UID_HOST_ROOT on
++         * the backing fs to UID 0. This is useful, since nspawn code wants to create various missing inodes
++         * in the OS tree before booting into it, and this becomes very easy and straightforward to do if it
++         * can just do it under its own regular UID. Note that in that case the container's runtime uidmap
++         * (i.e. the one the container payload processes run in) will leave this UID unmapped, i.e. if we
++         * accidentally leave files owned by host root in the already uidmapped tree around they'll show up
++         * as owned by 'nobody', which is safe. (Of course, we shouldn't leave such inodes around, but always
++         * chown() them to the container's own UID range, but it's good to have a safety net, in case we
++         * forget it.) */
++        if (flags & REMOUNT_IDMAP_HOST_ROOT)
++                if (strextendf(&line,
++                               UID_FMT " " UID_FMT " " UID_FMT "\n",
++                               UID_MAPPED_ROOT, 0, 1) < 0)
++                        return log_oom_debug();
+ 
+         /* We always assign the same UID and GID ranges */
+         userns_fd = userns_acquire(line, line);
+@@ -1069,7 +1086,8 @@ static int make_userns(uid_t uid_shift, uid_t uid_range) {
+ int remount_idmap(
+                 const char *p,
+                 uid_t uid_shift,
+-                uid_t uid_range) {
++                uid_t uid_range,
++                RemountIdmapFlags flags) {
+ 
+         _cleanup_close_ int mount_fd = -1, userns_fd = -1;
+         int r;
+@@ -1085,7 +1103,7 @@ int remount_idmap(
+                 return log_debug_errno(errno, "Failed to open tree of mounted filesystem '%s': %m", p);
+ 
+         /* Create a user namespace mapping */
+-        userns_fd = make_userns(uid_shift, uid_range);
++        userns_fd = make_userns(uid_shift, uid_range, flags);
+         if (userns_fd < 0)
+                 return userns_fd;
+ 
+diff --git a/src/shared/mount-util.h b/src/shared/mount-util.h
+index ce73aebd4b..f53a64186f 100644
+--- a/src/shared/mount-util.h
++++ b/src/shared/mount-util.h
+@@ -112,7 +112,18 @@ int mount_image_in_namespace(pid_t target, const char *propagate_path, const cha
+ 
+ int make_mount_point(const char *path);
+ 
+-int remount_idmap(const char *p, uid_t uid_shift, uid_t uid_range);
++typedef enum RemountIdmapFlags {
++        /* Include a mapping from UID_MAPPED_ROOT (i.e. UID 2^31-2) on the backing fs to UID 0 on the
++         * uidmapped fs. This is useful to ensure that the host root user can safely add inodes to the
++         * uidmapped fs (which otherwise wouldn't work as the host root user is not defined on the uidmapped
++         * mount and any attempts to create inodes will then be refused with EOVERFLOW). The idea is that
++         * these inodes are quickly re-chown()ed to more suitable UIDs/GIDs. Any code that intends to be able
++         * to add inodes to file systems mapped this way should set this flag, but given it comes with
++         * certain security implications defaults to off, and requires explicit opt-in. */
++        REMOUNT_IDMAP_HOST_ROOT = 1 << 0,
++} RemountIdmapFlags;
++
++int remount_idmap(const char *p, uid_t uid_shift, uid_t uid_range, RemountIdmapFlags flags);
+ 
+ /* Creates a mount point (not parents) based on the source path or stat - ie, a file or a directory */
+ int make_mount_point_inode_from_stat(const struct stat *st, const char *dest, mode_t mode);
+-- 
+2.40.1
+
diff --git a/meta/recipes-core/systemd/systemd_250.5.bb b/meta/recipes-core/systemd/systemd_250.5.bb
index 21a09d8594..c35557471a 100644
--- a/meta/recipes-core/systemd/systemd_250.5.bb
+++ b/meta/recipes-core/systemd/systemd_250.5.bb
@@ -31,6 +31,7 @@ SRC_URI += "file://touchscreen.rules \
            file://CVE-2022-4415-1.patch \
            file://CVE-2022-4415-2.patch \
            file://0001-network-remove-only-managed-configs-on-reconfigure-o.patch \
+           file://0001-nspawn-make-sure-host-root-can-write-to-the-uidmappe.patch \
            "
 
 # patches needed by musl
-- 
2.34.1

[OE-core][kirkstone 19/27] rust-llvm: backport a fix for build with gcc-13

[Steve Sakoman]

From: Alexander Sverdlin <alexander.sverdlin@siemens.com>

* needed for rust-llvm-native on hosts with gcc-13

Based on commit 3382759cb6c5 ("llvm: backport a fix for build with gcc-13")

Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/rust/rust-llvm.inc      |  4 ++-
 ...-missing-cstdint-header-to-Signals.h.patch | 32 +++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/rust/rust-llvm/0003-Support-Add-missing-cstdint-header-to-Signals.h.patch

diff --git a/meta/recipes-devtools/rust/rust-llvm.inc b/meta/recipes-devtools/rust/rust-llvm.inc
index 5c2ccdac9a..e645e7a7ac 100644
--- a/meta/recipes-devtools/rust/rust-llvm.inc
+++ b/meta/recipes-devtools/rust/rust-llvm.inc
@@ -3,7 +3,9 @@ LICENSE ?= "Apache-2.0-with-LLVM-exception"
 HOMEPAGE = "http://www.rust-lang.org"
 
 SRC_URI += "file://0002-llvm-allow-env-override-of-exe-path.patch;striplevel=2 \
-            file://0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch;striplevel=2"
+            file://0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch;striplevel=2 \
+            file://0003-Support-Add-missing-cstdint-header-to-Signals.h.patch;striplevel=2 \
+"
 
 S = "${RUSTSRC}/src/llvm-project/llvm"
 
diff --git a/meta/recipes-devtools/rust/rust-llvm/0003-Support-Add-missing-cstdint-header-to-Signals.h.patch b/meta/recipes-devtools/rust/rust-llvm/0003-Support-Add-missing-cstdint-header-to-Signals.h.patch
new file mode 100644
index 0000000000..6ed23aa9c5
--- /dev/null
+++ b/meta/recipes-devtools/rust/rust-llvm/0003-Support-Add-missing-cstdint-header-to-Signals.h.patch
@@ -0,0 +1,32 @@
+From a94bf34221fc4519bd8ec72560c2d363ffe2de4c Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich <slyich@gmail.com>
+Date: Mon, 23 May 2022 08:03:23 +0100
+Subject: [PATCH] [Support] Add missing <cstdint> header to Signals.h
+
+Without the change llvm build fails on this week's gcc-13 snapshot as:
+
+    [  0%] Building CXX object lib/Support/CMakeFiles/LLVMSupport.dir/Signals.cpp.o
+    In file included from llvm/lib/Support/Signals.cpp:14:
+    llvm/include/llvm/Support/Signals.h:119:8: error: variable or field 'CleanupOnSignal' declared void
+      119 |   void CleanupOnSignal(uintptr_t Context);
+          |        ^~~~~~~~~~~~~~~
+
+Upstream-Status: Backport [llvmorg-15.0.0 ff1681ddb303223973653f7f5f3f3435b48a1983]
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+---
+ llvm/include/llvm/Support/Signals.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/llvm/include/llvm/Support/Signals.h b/llvm/include/llvm/Support/Signals.h
+index 44f5a750ff5c..937e0572d4a7 100644
+--- a/llvm/include/llvm/Support/Signals.h
++++ b/llvm/include/llvm/Support/Signals.h
+@@ -14,6 +14,7 @@
+ #ifndef LLVM_SUPPORT_SIGNALS_H
+ #define LLVM_SUPPORT_SIGNALS_H
+ 
++#include <cstdint>
+ #include <string>
+ 
+ namespace llvm {
-- 
2.34.1

[OE-core][kirkstone 20/27] bitbake.conf: add unzstd in HOSTTOOLS

[Steve Sakoman]

From: Alberto Planas <aplanas@suse.com>

rpm2cpio.sh can make calls to unzstd to uncompress the RPM payload that
conform the cpio file.

zstd is already part of HOSTTOOLS, as a link to the system installed
zstd.

This patch add unzstd in HOSTOOLS list as a non-optional binary, so is
available to rpm2cpio.sh when it is required.

Signed-off-by: Alberto Planas <aplanas@suse.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bff58d337890e804d33d7decbaa46065a4d3bba4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/conf/bitbake.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index 8ef4b00d08..290dfda6c8 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -523,7 +523,7 @@ HOSTTOOLS += " \
     python3 pzstd ranlib readelf readlink realpath rm rmdir rpcgen sed seq sh \
     sha1sum sha224sum sha256sum sha384sum sha512sum \
     sleep sort split stat strings strip tail tar tee test touch tr true uname \
-    uniq wc wget which xargs zstd \
+    uniq unzstd wc wget which xargs zstd \
 "
 
 # Tools needed to run testimage runtime image testing
-- 
2.34.1

[OE-core][kirkstone 21/27] sdk.py: error out when moving file fails

[Steve Sakoman]

From: Chen Qi <Qi.Chen@windriver.com>

Instead of printing an error message and continuing, we should just
error out when moving file fails.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 12aecd9da94b5f27041982c661e8bab316d365d4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oe/sdk.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/lib/oe/sdk.py b/meta/lib/oe/sdk.py
index 27347667e8..2383bd58b7 100644
--- a/meta/lib/oe/sdk.py
+++ b/meta/lib/oe/sdk.py
@@ -68,7 +68,7 @@ class Sdk(object, metaclass=ABCMeta):
         #FIXME: using umbrella exc catching because bb.utils method raises it
         except Exception as e:
             bb.debug(1, "printing the stack trace\n %s" %traceback.format_exc())
-            bb.error("unable to place %s in final SDK location" % sourcefile)
+            bb.fatal("unable to place %s in final SDK location" % sourcefile)
 
     def mkdirhier(self, dirpath):
         try:
-- 
2.34.1

[OE-core][kirkstone 22/27] sdk.py: fix moving dnf contents

[Steve Sakoman]

From: Chen Qi <Qi.Chen@windriver.com>

The dnf contents should be moved to <host_sysroot>/etc/dnf/xxx
instead of just <host_sysroot>/etc.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 74b78d160a985e98f869c777847ab798e419dd2d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oe/package_manager/rpm/sdk.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/lib/oe/package_manager/rpm/sdk.py b/meta/lib/oe/package_manager/rpm/sdk.py
index c5f232431f..04dccf49d7 100644
--- a/meta/lib/oe/package_manager/rpm/sdk.py
+++ b/meta/lib/oe/package_manager/rpm/sdk.py
@@ -110,5 +110,6 @@ class PkgSdk(Sdk):
         for f in glob.glob(os.path.join(self.sdk_output, "etc", "rpm*")):
             self.movefile(f, native_sysconf_dir)
         for f in glob.glob(os.path.join(self.sdk_output, "etc", "dnf", "*")):
-            self.movefile(f, native_sysconf_dir)
+            self.mkdirhier(native_sysconf_dir + "/dnf")
+            self.movefile(f, native_sysconf_dir + "/dnf")
         self.remove(os.path.join(self.sdk_output, "etc"), True)
-- 
2.34.1

[OE-core][kirkstone 23/27] zip: fix configure check by using _Static_assert

[Steve Sakoman]

From: Chen Qi <Qi.Chen@windriver.com>

It's incorrect to run a cross-compiled program on build machine
to check if some feature is available or not. As these two checks
in zip are basically just checking the size, we can use _Static_assert
and sizeof to do such check at compile time.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dda778d855b1838ae3004a9af310724b913490b4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...se-_Static_assert-to-do-correct-dete.patch | 96 +++++++++++++++++++
 meta/recipes-extended/zip/zip_3.0.bb          |  1 +
 2 files changed, 97 insertions(+)
 create mode 100644 meta/recipes-extended/zip/zip-3.0/0001-unix-configure-use-_Static_assert-to-do-correct-dete.patch

diff --git a/meta/recipes-extended/zip/zip-3.0/0001-unix-configure-use-_Static_assert-to-do-correct-dete.patch b/meta/recipes-extended/zip/zip-3.0/0001-unix-configure-use-_Static_assert-to-do-correct-dete.patch
new file mode 100644
index 0000000000..106f246a7c
--- /dev/null
+++ b/meta/recipes-extended/zip/zip-3.0/0001-unix-configure-use-_Static_assert-to-do-correct-dete.patch
@@ -0,0 +1,96 @@
+From 9916fc6f1f93f3e092e3c6937c30dc8137c26d34 Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Thu, 15 Jun 2023 18:31:26 +0800
+Subject: [PATCH] unix/configure: use _Static_assert to do correct detection
+
+We're doing cross compilation, running a cross-compiled problem
+on host to detemine feature is not correct. Use _Static_assert
+to do the detection correctly.
+
+Upstream-Status: Inactive-Upstream
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ unix/configure | 42 ++++++++++++------------------------------
+ 1 file changed, 12 insertions(+), 30 deletions(-)
+
+diff --git a/unix/configure b/unix/configure
+index f2b3d02..f917086 100644
+--- a/unix/configure
++++ b/unix/configure
+@@ -361,6 +361,10 @@ cat > conftest.c << _EOF_
+ #include <sys/stat.h>
+ #include <unistd.h>
+ #include <stdio.h>
++
++_Static_assert(sizeof((struct stat){0}.st_uid) == 2, "sizeof st_uid is not 16 bit");
++_Static_assert(sizeof((struct stat){0}.st_gid) == 2, "sizeof st_gid is not 16 bit");
++
+ int main()
+ {
+   struct stat s;
+@@ -385,21 +389,7 @@ if [ $? -ne 0 ]; then
+   echo -- UID/GID test failed on compile - disabling old 16-bit UID/GID support
+   CFLAGS="${CFLAGS} -DUIDGID_NOT_16BIT"
+ else
+-# run it
+-  ./conftest
+-  r=$?
+-  if [ $r -eq 1 ]; then
+-    echo -- UID not 2 bytes - disabling old 16-bit UID/GID support
+-    CFLAGS="${CFLAGS} -DUIDGID_NOT_16BIT"
+-  elif [ $r -eq 2 ]; then
+-    echo -- GID not 2 bytes - disabling old 16-bit UID/GID support
+-    CFLAGS="${CFLAGS} -DUIDGID_NOT_16BIT"
+-  elif [ $r -eq 3 ]; then
+-    echo -- 16-bit UIDs and GIDs - keeping old 16-bit UID/GID support
+-  else
+-    echo -- test failed - conftest returned $r - disabling old 16-bit UID/GID support
+-    CFLAGS="${CFLAGS} -DUIDGID_NOT_16BIT"
+-  fi
++  echo -- 16-bit UIDs and GIDs - keeping old 16-bit UID/GID support
+ fi
+ 
+ 
+@@ -417,6 +407,10 @@ cat > conftest.c << _EOF_
+ #include <sys/stat.h>
+ #include <unistd.h>
+ #include <stdio.h>
++
++_Static_assert(sizeof(off_t) < 8, "sizeof off_t < 8 failed");
++_Static_assert(sizeof((struct stat){0}.st_size) < 8, "sizeof st_size < 8 failed");
++
+ int main()
+ {
+   off_t offset;
+@@ -436,24 +430,12 @@ _EOF_
+ # compile it
+ $CC -o conftest conftest.c >/dev/null 2>/dev/null
+ if [ $? -ne 0 ]; then
+-  echo -- no Large File Support
++  echo -- yes we have Large File Support!
++  CFLAGS="${CFLAGS} -DLARGE_FILE_SUPPORT"
+ else
+-# run it
+-  ./conftest
+-  r=$?
+-  if [ $r -eq 1 ]; then
+-    echo -- no Large File Support - no 64-bit off_t
+-  elif [ $r -eq 2 ]; then
+-    echo -- no Large File Support - no 64-bit stat
+-  elif [ $r -eq 3 ]; then
+-    echo -- yes we have Large File Support!
+-    CFLAGS="${CFLAGS} -DLARGE_FILE_SUPPORT"
+-  else
+-    echo -- no Large File Support - conftest returned $r
+-  fi
++  echo -- no Large File Support
+ fi
+ 
+-
+ # Check for wide char for Unicode support
+ # Added 11/24/2005 EG
+ 
+-- 
+2.34.1
+
diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb
index 07a67b9634..83e1e52e97 100644
--- a/meta/recipes-extended/zip/zip_3.0.bb
+++ b/meta/recipes-extended/zip/zip_3.0.bb
@@ -17,6 +17,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/Zip%203.x%20%28latest%29/3.0/zip30.tar.
            file://0001-configure-use-correct-CPP.patch \
            file://0002-configure-support-PIC-code-build.patch \
            file://0001-configure-Use-CFLAGS-and-LDFLAGS-when-doing-link-tes.patch \
+           file://0001-unix-configure-use-_Static_assert-to-do-correct-dete.patch \
            "
 UPSTREAM_VERSION_UNKNOWN = "1"
 
-- 
2.34.1

[OE-core][kirkstone 24/27] unzip: fix configure check for cross compilation

[Steve Sakoman]

From: Chen Qi <Qi.Chen@windriver.com>

The original configure runs a generated binary to determine
features. This is not correct for cross compilation. So change
the runtime tests into compile-time tests to fix the issue.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b9aca339b59238988c48b90ea5019bfc939ba4b3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...-fix-detection-for-cross-compilation.patch | 103 ++++++++++++++++++
 meta/recipes-extended/unzip/unzip_6.0.bb      |   1 +
 2 files changed, 104 insertions(+)
 create mode 100644 meta/recipes-extended/unzip/unzip/0001-unix-configure-fix-detection-for-cross-compilation.patch

diff --git a/meta/recipes-extended/unzip/unzip/0001-unix-configure-fix-detection-for-cross-compilation.patch b/meta/recipes-extended/unzip/unzip/0001-unix-configure-fix-detection-for-cross-compilation.patch
new file mode 100644
index 0000000000..2fa7f481b7
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/0001-unix-configure-fix-detection-for-cross-compilation.patch
@@ -0,0 +1,103 @@
+From 5cbf901b5c3b6a7d1d0ed91b6df4194bb6d25a40 Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Thu, 15 Jun 2023 07:14:17 -0700
+Subject: [PATCH] unix/configure: fix detection for cross compilation
+
+We're doing cross compilation, running a cross-compiled problem
+on host to detemine feature is not correct. So we change runtime
+check into compile-time check to detect the features.
+
+Upstream-Status: Inactive-Upstream
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ unix/configure | 44 +++++++++++++++-----------------------------
+ 1 file changed, 15 insertions(+), 29 deletions(-)
+
+diff --git a/unix/configure b/unix/configure
+index 8fd82dd..68dee98 100755
+--- a/unix/configure
++++ b/unix/configure
+@@ -259,6 +259,10 @@ cat > conftest.c << _EOF_
+ #include <sys/stat.h>
+ #include <unistd.h>
+ #include <stdio.h>
++
++_Static_assert(sizeof(off_t) < 8, "sizeof off_t < 8 failed");
++_Static_assert(sizeof((struct stat){0}.st_size) < 8, "sizeof st_size < 8 failed");
++
+ int main()
+ {
+   off_t offset;
+@@ -278,21 +282,10 @@ _EOF_
+ # compile it
+ $CC $CFLAGS $LDFLAGS -o conftest conftest.c >/dev/null 2>/dev/null
+ if [ $? -ne 0 ]; then
+-  echo -- no Large File Support
++  echo -- yes we have Large File Support!
++  CFLAGSR="${CFLAGSR} -DLARGE_FILE_SUPPORT"
+ else
+-# run it
+-  ./conftest
+-  r=$?
+-  if [ $r -eq 1 ]; then
+-    echo -- no Large File Support - no 64-bit off_t
+-  elif [ $r -eq 2 ]; then
+-    echo -- no Large File Support - no 64-bit stat
+-  elif [ $r -eq 3 ]; then
+-    echo -- yes we have Large File Support!
+-    CFLAGSR="${CFLAGSR} -DLARGE_FILE_SUPPORT"
+-  else
+-    echo -- no Large File Support - conftest returned $r
+-  fi
++  echo -- no Large File Support
+ fi
+ 
+ # Added 11/24/2005 EG
+@@ -302,6 +295,11 @@ cat > conftest.c << _EOF_
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <wchar.h>
++
++#ifndef __STDC_ISO_10646__
++#error "__STDC_ISO_10646__ not defined
++#endif
++
+ int main()
+ {
+   size_t wsize;
+@@ -327,19 +325,8 @@ if [ $? -ne 0 ]; then
+   echo "-- no Unicode (wchar_t) support"
+ else
+ # have wide char support
+-# run it
+-  ./conftest
+-  r=$?
+-  if [ $r -eq 0 ]; then
+-    echo -- no Unicode wchar_t support - wchar_t allocation error
+-  elif [ $r -eq 1 ]; then
+-    echo -- no Unicode support - wchar_t encoding unspecified
+-  elif [ $r -eq 2 ]; then
+-    echo -- have wchar_t with known UCS encoding - enabling Unicode support!
+-    CFLAGSR="${CFLAGSR} -DUNICODE_SUPPORT -DUNICODE_WCHAR"
+-  else
+-    echo "-- no Unicode (wchar_t) support - conftest returned $r"
+-  fi
++  echo -- have wchar_t with known UCS encoding - enabling Unicode support!
++  CFLAGSR="${CFLAGSR} -DUNICODE_SUPPORT -DUNICODE_WCHAR"
+ fi
+ 
+ echo "Check for setlocale support (needed for UNICODE Native check)"
+@@ -418,8 +405,7 @@ temp_link="link_$$"
+   echo "int main() { lchmod(\"${temp_file}\", 0666); }" \
+ ) > conftest.c
+ ln -s "${temp_link}" "${temp_file}" && \
+- $CC $BFLAG $LDFLAGS -o conftest conftest.c >/dev/null 2>/dev/null && \
+- ./conftest
++ $CC -Werror=implicit-function-declaration $BFLAG $LDFLAGS -o conftest conftest.c >/dev/null
+ [ $? -ne 0 ] && CFLAGSR="${CFLAGSR} -DNO_LCHMOD"
+ rm -f "${temp_file}"
+ 
+-- 
+2.34.1
+
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index f35856cf61..e3fffa30ab 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -31,6 +31,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/
         file://CVE-2021-4217.patch \
         file://CVE-2022-0529.patch \
         file://CVE-2022-0530.patch \
+        file://0001-unix-configure-fix-detection-for-cross-compilation.patch \
 "
 UPSTREAM_VERSION_UNKNOWN = "1"
 
-- 
2.34.1

[OE-core][kirkstone 25/27] sysfsutils: fetch a supported fork from github

[Steve Sakoman]

From: Alexander Kanavin <alex.kanavin@gmail.com>

Debian does the same:
https://packages.debian.org/source/sid/sysfsutils

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 504b2f590cb94b217c5f48090cfb71a749bd5ac8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/sysfsutils/sysfsutils_2.1.0.bb | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/meta/recipes-core/sysfsutils/sysfsutils_2.1.0.bb b/meta/recipes-core/sysfsutils/sysfsutils_2.1.0.bb
index c90a02f131..fd72cf4165 100644
--- a/meta/recipes-core/sysfsutils/sysfsutils_2.1.0.bb
+++ b/meta/recipes-core/sysfsutils/sysfsutils_2.1.0.bb
@@ -10,18 +10,14 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=3d06403ea54c7574a9e581c6478cc393 \
                     file://lib/LGPL;md5=b75d069791103ffe1c0d6435deeff72e"
 PR = "r5"
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/linux-diag/sysfsutils-${PV}.tar.gz \
+SRC_URI = "git://github.com/linux-ras/sysfsutils.git;protocol=https;branch=master \
            file://sysfsutils-2.0.0-class-dup.patch \
            file://obsolete_automake_macros.patch \
            file://separatebuild.patch"
 
-SRC_URI[md5sum] = "14e7dcd0436d2f49aa403f67e1ef7ddc"
-SRC_URI[sha256sum] = "e865de2c1f559fff0d3fc936e660c0efaf7afe662064f2fb97ccad1ec28d208a"
+SRCREV = "0d5456e1c9d969cdad6accef2ae2d4881d5db085"
 
-UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/linux-diag/files/sysfsutils/"
-UPSTREAM_CHECK_REGEX = "/sysfsutils/(?P<pver>(\d+[\.\-_]*)+)/"
-
-S = "${WORKDIR}/sysfsutils-${PV}"
+S = "${WORKDIR}/git"
 
 inherit autotools
 
-- 
2.34.1

[OE-core][kirkstone 26/27] wic: Add dependencies for erofs-utils

[Steve Sakoman]

From: Heiko Thole <heiko.thole@entwicklung.eq-3.de>

In order to build erofs filesystems, wic must have the erofs-utils package installed into its sysroot.

Signed-off-by: Heiko Thole <heiko.thole@entwicklung.eq-3.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/image_types_wic.bbclass | 2 +-
 meta/recipes-core/meta/wic-tools.bb  | 2 +-
 scripts/lib/wic/misc.py              | 1 +
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/meta/classes/image_types_wic.bbclass b/meta/classes/image_types_wic.bbclass
index 6453dd1b74..8497916d48 100644
--- a/meta/classes/image_types_wic.bbclass
+++ b/meta/classes/image_types_wic.bbclass
@@ -83,7 +83,7 @@ do_image_wic[recrdeptask] += "do_deploy"
 do_image_wic[deptask] += "do_image_complete"
 
 WKS_FILE_DEPENDS_DEFAULT = '${@bb.utils.contains_any("BUILD_ARCH", [ 'x86_64', 'i686' ], "syslinux-native", "",d)}'
-WKS_FILE_DEPENDS_DEFAULT += "bmap-tools-native cdrtools-native btrfs-tools-native squashfs-tools-native e2fsprogs-native"
+WKS_FILE_DEPENDS_DEFAULT += "bmap-tools-native cdrtools-native btrfs-tools-native squashfs-tools-native e2fsprogs-native erofs-utils-native"
 # Unified kernel images need objcopy
 WKS_FILE_DEPENDS_DEFAULT += "virtual/${MLPREFIX}${TARGET_PREFIX}binutils"
 WKS_FILE_DEPENDS_BOOTLOADERS = ""
diff --git a/meta/recipes-core/meta/wic-tools.bb b/meta/recipes-core/meta/wic-tools.bb
index daaf3ea576..9282d36a4d 100644
--- a/meta/recipes-core/meta/wic-tools.bb
+++ b/meta/recipes-core/meta/wic-tools.bb
@@ -6,7 +6,7 @@ DEPENDS = "\
            parted-native gptfdisk-native dosfstools-native \
            mtools-native bmap-tools-native grub-native cdrtools-native \
            btrfs-tools-native squashfs-tools-native pseudo-native \
-           e2fsprogs-native util-linux-native tar-native \
+           e2fsprogs-native util-linux-native tar-native erofs-utils-native \
            virtual/${TARGET_PREFIX}binutils \
            "
 DEPENDS:append:x86 = " syslinux-native syslinux grub-efi systemd-boot"
diff --git a/scripts/lib/wic/misc.py b/scripts/lib/wic/misc.py
index a8aab6c524..2b90821b30 100644
--- a/scripts/lib/wic/misc.py
+++ b/scripts/lib/wic/misc.py
@@ -36,6 +36,7 @@ NATIVE_RECIPES = {"bmaptool": "bmap-tools",
                   "mkdosfs": "dosfstools",
                   "mkisofs": "cdrtools",
                   "mkfs.btrfs": "btrfs-tools",
+                  "mkfs.erofs": "erofs-utils",
                   "mkfs.ext2": "e2fsprogs",
                   "mkfs.ext3": "e2fsprogs",
                   "mkfs.ext4": "e2fsprogs",
-- 
2.34.1

[OE-core][kirkstone 27/27] cmake: Fix CMAKE_SYSTEM_PROCESSOR setting for SDK

[Steve Sakoman]

From: Tom Hochstein <tom.hochstein@nxp.com>

When building using an SDK, cmake complains that the target
architecture 'cortexa53-crypto' is unknown. The same build in bitbake
uses the target architecture 'aarch64'.

Set CMAKE_SYSTEM_PROCESSOR the same as for bitbake.

Signed-off-by: Tom Hochstein <tom.hochstein@nxp.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d32a6225eefce2073a1cd401034b5b4c68351bfe)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake b/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake
index 3ddef12c83..d6a1e0464c 100644
--- a/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake
+++ b/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake
@@ -11,10 +11,7 @@ set( CMAKE_FIND_ROOT_PATH_MODE_PACKAGE ONLY )
 
 set(CMAKE_FIND_LIBRARY_CUSTOM_LIB_SUFFIX "$ENV{OE_CMAKE_FIND_LIBRARY_CUSTOM_LIB_SUFFIX}")
 
-# Set CMAKE_SYSTEM_PROCESSOR from the sysroot name (assuming processor-distro-os).
-if ($ENV{SDKTARGETSYSROOT} MATCHES "/sysroots/([a-zA-Z0-9_-]+)-.+-.+")
-  set(CMAKE_SYSTEM_PROCESSOR ${CMAKE_MATCH_1})
-endif()
+set( CMAKE_SYSTEM_PROCESSOR $ENV{OECORE_TARGET_ARCH} )
 
 # Include the toolchain configuration subscripts
 file( GLOB toolchain_config_files "${CMAKE_CURRENT_LIST_FILE}.d/*.cmake" )
-- 
2.34.1

[OE-core][kirkstone 00/27] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, June 19

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1828

The following changes since commit 350513959f6800eef6579153c2ae95960ca24ea7:

  kernel.bbclass: add original package name to RPROVIDES for -image and -base (2025-06-09 08:44:59 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Aditya Tayade (1):
  e2fsprogs: removed 'sed -u' option

Aleksandar Nikolic (1):
  scripts/install-buildtools: Update to 4.0.27

Colin Pinnell McAllister (1):
  ffmpeg: fix CVE-2025-1373

Guocai He (1):
  babeltrace/libatomic-ops: correct the SRC_URI

Jiaying Song (1):
  python3-requests: fix CVE-2024-47081

Peter Marko (1):
  net-tools: patch CVE-2025-46836

Poonam Jadhav (1):
  libpng: Improve ptest

Sunil Dora (9):
  Glibc: Fix for CVE-2025-4802
  glibc: pthreads NPTL lost wakeup fix 2
  glibc: nptl Update comments and indentation for new condvar
    implementation
  glibc: nptl Remove unnecessary catch-all-wake in condvar group switch
  glibc: nptl Remove unnecessary quadruple check in pthread_cond_wait
  glibc: nptl Use a single loop in pthread_cond_wait instaed of a nested
    loop
  glibc: nptl Fix indentation
  glibc: nptl rename __condvar_quiesce_and_switch_g1
  glibc: nptl Use all of g1_start and g_signals

Vijay Anusuri (9):
  libsoup-2.4: Fix CVE-2025-2784
  libsoup: Fix CVE-2025-2784
  libsoup-2.4: Fix CVE-2025-32050
  libsoup: Fix CVE-2025-32050
  libsoup-2.4: Fix CVE-2025-32052
  libsoup: Fix CVE-2025-32052
  libsoup-2.4: Fix CVE-2025-32053
  libsoup: Fix CVE-2025-32053
  libsoup: Fix CVE-2025-46420

aszh07 (2):
  ffmpeg: Add "libswresample libavcodec" to CVE_PRODUCT
  xz: Update LICENSE variable for xz packages

 .../distro/include/ptest-packagelists.inc     |   2 +-
 .../glibc/glibc/0025-CVE-2025-4802.patch      | 249 ++++++++++
 .../glibc/glibc/0026-PR25847-1.patch          | 455 ++++++++++++++++++
 .../glibc/glibc/0026-PR25847-2.patch          | 144 ++++++
 .../glibc/glibc/0026-PR25847-3.patch          |  77 +++
 .../glibc/glibc/0026-PR25847-4.patch          | 117 +++++
 .../glibc/glibc/0026-PR25847-5.patch          | 105 ++++
 .../glibc/glibc/0026-PR25847-6.patch          | 169 +++++++
 .../glibc/glibc/0026-PR25847-7.patch          | 160 ++++++
 .../glibc/glibc/0026-PR25847-8.patch          | 192 ++++++++
 meta/recipes-core/glibc/glibc_2.35.bb         |   9 +
 .../e2fsprogs/e2fsprogs/run-ptest             |   3 +-
 .../python3-requests/CVE-2024-47081.patch     |  37 ++
 .../python/python3-requests_2.27.1.bb         |   1 +
 .../net-tools/CVE-2025-46836-01.patch         |  91 ++++
 .../net-tools/CVE-2025-46836-02.patch         |  31 ++
 .../net-tools/net-tools_2.10.bb               |   2 +
 meta/recipes-extended/xz/xz_5.2.6.bb          |   6 +-
 .../recipes-kernel/lttng/babeltrace_1.5.11.bb |   2 +-
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb |   7 +
 .../recipes-multimedia/libpng/files/run-ptest |  26 +-
 .../libpng/libpng_1.6.39.bb                   |  43 +-
 .../libatomic-ops/libatomic-ops_7.6.14.bb     |   4 +-
 .../libsoup/libsoup-2.4/CVE-2025-2784-1.patch |  52 ++
 .../libsoup/libsoup-2.4/CVE-2025-2784-2.patch | 135 ++++++
 .../libsoup/libsoup-2.4/CVE-2025-32050.patch  |  28 ++
 .../libsoup/libsoup-2.4/CVE-2025-32052.patch  |  30 ++
 .../libsoup/libsoup-2.4/CVE-2025-32053.patch  |  38 ++
 .../libsoup/libsoup-2.4_2.74.2.bb             |   5 +
 .../libsoup/libsoup/CVE-2025-2784-1.patch     |  73 +++
 .../libsoup/libsoup/CVE-2025-2784-2.patch     | 140 ++++++
 .../libsoup/libsoup/CVE-2025-32050.patch      |  28 ++
 .../libsoup/libsoup/CVE-2025-32052.patch      |  30 ++
 .../libsoup/libsoup/CVE-2025-32053.patch      |  38 ++
 .../libsoup/libsoup/CVE-2025-46420.patch      |  60 +++
 meta/recipes-support/libsoup/libsoup_3.0.7.bb |   6 +
 scripts/install-buildtools                    |   4 +-
 37 files changed, 2557 insertions(+), 42 deletions(-)
 create mode 100644 meta/recipes-core/glibc/glibc/0025-CVE-2025-4802.patch
 create mode 100644 meta/recipes-core/glibc/glibc/0026-PR25847-1.patch
 create mode 100644 meta/recipes-core/glibc/glibc/0026-PR25847-2.patch
 create mode 100644 meta/recipes-core/glibc/glibc/0026-PR25847-3.patch
 create mode 100644 meta/recipes-core/glibc/glibc/0026-PR25847-4.patch
 create mode 100644 meta/recipes-core/glibc/glibc/0026-PR25847-5.patch
 create mode 100644 meta/recipes-core/glibc/glibc/0026-PR25847-6.patch
 create mode 100644 meta/recipes-core/glibc/glibc/0026-PR25847-7.patch
 create mode 100644 meta/recipes-core/glibc/glibc/0026-PR25847-8.patch
 create mode 100644 meta/recipes-devtools/python/python3-requests/CVE-2024-47081.patch
 create mode 100644 meta/recipes-extended/net-tools/net-tools/CVE-2025-46836-01.patch
 create mode 100644 meta/recipes-extended/net-tools/net-tools/CVE-2025-46836-02.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784-1.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784-2.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32053.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-2784-1.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-2784-2.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32050.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32052.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32053.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-46420.patch

-- 
2.43.0