* [OE-core][dunfell 00/11] Patch review
@ 2023-10-10 14:14 Steve Sakoman
From: Steve Sakoman @ 2023-10-10 14:14 UTC (permalink / raw)
To: openembedded-core

Please review this set of changes for dunfell and have comments back by
end of day Thursday, October 12.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6026

The following changes since commit 9a800a2e2c2b14eab8c1f83cb4ac3b94a70dd23c:

  glibc: Fix CVE-2023-4911 "Looney Tunables" (2023-10-05 13:10:56 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Hitendra Prajapati (1):
  xdg-utils: Fix CVE-2022-4055

Julian Haller (2):
  dbus: Backport fix for CVE-2023-34969
  dbus: Add missing CVE_PRODUCT

Marek Vasut (2):
  busybox: Backport CVE-2022-48174 fix
  cpio: Replace fix wrong CRC with ASCII CRC for large files with
    upstream backport

Shinu Chandran (1):
  libpcre2 : Follow up fix CVE-2022-1586

Shubham Kulkarni (1):
  go: Update fix for CVE-2023-24538 & CVE-2023-39318

Sourav Pramanik (1):
  openssl: Upgrade 1.1.1v -> 1.1.1w

Vijay Anusuri (3):
  cups: Backport fix for CVE-2023-32360 and CVE-2023-4504
  gawk: backport Debian patch to fix CVE-2023-4156
  ghostscript: Backport fix CVE-2023-43115

.../{openssl_1.1.1v.bb => openssl_1.1.1w.bb} | 2 +-
.../busybox/busybox/CVE-2022-48174.patch | 82 +++
meta/recipes-core/busybox/busybox_1.31.1.bb | 1 +
meta/recipes-core/dbus/dbus.inc | 3 +
.../dbus/dbus/CVE-2023-34969.patch | 96 +++
meta/recipes-devtools/go/go-1.14.inc | 5 +-
.../go/go-1.14/CVE-2023-24538-1.patch | 4 +-
.../go/go-1.14/CVE-2023-24538-2.patch | 447 ++++++++++++-
.../go/go-1.14/CVE-2023-24538_3.patch | 393 ++++++++++++
.../go/go-1.14/CVE-2023-24538_4.patch | 497 +++++++++++++++
.../go/go-1.14/CVE-2023-24538_5.patch | 585 ++++++++++++++++++
...3-24538-3.patch => CVE-2023-24538_6.patch} | 175 +++++-
.../go/go-1.14/CVE-2023-39318.patch | 38 +-
...g-CRC-with-ASCII-CRC-for-large-files.patch | 39 --
...-calculation-of-CRC-in-copy-out-mode.patch | 58 ++
...appending-to-archives-bigger-than-2G.patch | 312 ++++++++++
meta/recipes-extended/cpio/cpio_2.13.bb | 3 +-
meta/recipes-extended/cups/cups.inc | 2 +
.../cups/cups/CVE-2023-32360.patch | 31 +
.../cups/cups/CVE-2023-4504.patch | 40 ++
.../gawk/gawk/CVE-2023-4156.patch | 28 +
meta/recipes-extended/gawk/gawk_5.0.1.bb | 1 +
.../ghostscript/CVE-2023-43115.patch | 62 ++
.../ghostscript/ghostscript_9.52.bb | 1 +
.../xdg-utils/xdg-utils/CVE-2022-4055.patch | 165 +++++
.../xdg-utils/xdg-utils_1.1.3.bb | 1 +
.../libpcre2/CVE-2022-1586-regression.patch | 30 +
.../recipes-support/libpcre/libpcre2_10.34.bb | 1 +
28 files changed, 3041 insertions(+), 61 deletions(-)
rename meta/recipes-connectivity/openssl/{openssl_1.1.1v.bb => openssl_1.1.1w.bb} (98%)
create mode 100644 meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
create mode 100644 meta/recipes-core/dbus/dbus/CVE-2023-34969.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch
rename meta/recipes-devtools/go/go-1.14/{CVE-2023-24538-3.patch => CVE-2023-24538_6.patch} (53%)
delete mode 100644 meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch
create mode 100644 meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch
create mode 100644 meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch
create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-32360.patch
create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-4504.patch
create mode 100644 meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch
create mode 100644 meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch
create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch
--
2.34.1
^ permalink raw reply [flat|nested] 23+ messages in thread* [OE-core][dunfell 01/11] cups: Backport fix for CVE-2023-32360 and CVE-2023-4504 2023-10-10 14:14 [OE-core][dunfell 00/11] Patch review Steve Sakoman @ 2023-10-10 14:14 ` Steve Sakoman 2023-10-10 14:14 ` [OE-core][dunfell 02/11] gawk: backport Debian patch to fix CVE-2023-4156 Steve Sakoman ` (9 subsequent siblings) 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2023-10-10 14:14 UTC (permalink / raw) To: openembedded-core From: Vijay Anusuri <vanusuri@mvista.com> Upstream commits: https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913 & https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-extended/cups/cups.inc | 2 + .../cups/cups/CVE-2023-32360.patch | 31 ++++++++++++++ .../cups/cups/CVE-2023-4504.patch | 40 +++++++++++++++++++ 3 files changed, 73 insertions(+) create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-32360.patch create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-4504.patch diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index 1d2377486a..6cfe314f20 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc @@ -16,6 +16,8 @@ SRC_URI = "https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t file://CVE-2022-26691.patch \ file://CVE-2023-32324.patch \ file://CVE-2023-34241.patch \ + file://CVE-2023-32360.patch \ + file://CVE-2023-4504.patch \ " UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32360.patch b/meta/recipes-extended/cups/cups/CVE-2023-32360.patch new file mode 100644 index 0000000000..4d39e1e57f --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2023-32360.patch 
@@ -0,0 +1,31 @@ +From a0c8b9c9556882f00c68b9727a95a1b6d1452913 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet <michael.r.sweet@gmail.com> +Date: Tue, 6 Dec 2022 09:04:01 -0500 +Subject: [PATCH] Require authentication for CUPS-Get-Document. + +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913] +CVE: CVE-2023-32360 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + conf/cupsd.conf.in | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in +index b258849078..a07536f3e4 100644 +--- a/conf/cupsd.conf.in ++++ b/conf/cupsd.conf.in +@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@ + Order deny,allow + </Limit> + +- <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document> ++ <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job> ++ Require user @OWNER @SYSTEM ++ Order deny,allow ++ </Limit> ++ ++ <Limit CUPS-Get-Document> ++ AuthType Default + Require user @OWNER @SYSTEM + Order deny,allow + </Limit> diff --git a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch new file mode 100644 index 0000000000..be0db1fbd4 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch 
@@ -0,0 +1,40 @@ +From a9a7daa77699bd58001c25df8a61a8029a217ddf Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal <zdohnal@redhat.com> +Date: Fri, 1 Sep 2023 16:47:29 +0200 +Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504 + +We didn't check for end of buffer if it looks there is an escaped +character - check for NULL terminator there and if found, return NULL +as return value and in `ptr`, because a lone backslash is not +a valid PostScript character. + +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31] +CVE: CVE-2023-4504 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + cups/raster-interpret.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/cups/raster-interpret.c ++++ b/cups/raster-interpret.c +@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - S + + cur ++; + +- if (*cur == 'b') ++ /* ++ * Return NULL if we reached NULL terminator, a lone backslash ++ * is not a valid character in PostScript. ++ */ ++ ++ if (!*cur) ++ { ++ *ptr = NULL; ++ ++ return (NULL); ++ } ++ ++ if (*cur == 'b') + *valptr++ = '\b'; + else if (*cur == 'f') + *valptr++ = '\f'; -- 2.34.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
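Review bot: CVE-2023-32360.patch touches only conf/cupsd.conf.in, so the new `<Limit CUPS-Get-Document>` block with `AuthType Default` reaches a target only through a freshly generated cupsd.conf. The commit message should say that images or layers shipping their own cupsd.conf need the same block added by hand, otherwise the `CVE: CVE-2023-32360` tag marks the issue fixed while the running policy is unchanged. The hunk also changes a single policy section (at line 68); please confirm that any other section of cupsd.conf.in listing CUPS-Get-Document was left alone on purpose.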
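Review bot: the header of CVE-2023-4504.patch reads `From a9a7daa77699bd58001c25df8a61a8029a217ddf`, but its Upstream-Status line and the 01/11 commit message both point at commit 2431caddb7e6a87f04ac90b5c6366ad268b6ff31. Please state which commit was actually backported and make the two agree, or explain the difference in the patch header, since the Upstream-Status URL is what later audits will follow. In the scan_ps hunk the new early exit sets `*ptr = NULL` before `return (NULL)`; the callers are not visible in this patch, so it is worth confirming that they check for a NULL `*ptr` in this CUPS version.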
* [OE-core][dunfell 02/11] gawk: backport Debian patch to fix CVE-2023-4156 2023-10-10 14:14 [OE-core][dunfell 00/11] Patch review Steve Sakoman 2023-10-10 14:14 ` [OE-core][dunfell 01/11] cups: Backport fix for CVE-2023-32360 and CVE-2023-4504 Steve Sakoman @ 2023-10-10 14:14 ` Steve Sakoman 2023-10-10 14:14 ` [OE-core][dunfell 03/11] go: Update fix for CVE-2023-24538 & CVE-2023-39318 Steve Sakoman ` (8 subsequent siblings) 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2023-10-10 14:14 UTC (permalink / raw) To: openembedded-core From: Vijay Anusuri <vanusuri@mvista.com> Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches?h=ubuntu/focal-security & https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212] Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../gawk/gawk/CVE-2023-4156.patch | 28 +++++++++++++++++++ meta/recipes-extended/gawk/gawk_5.0.1.bb | 1 + 2 files changed, 29 insertions(+) create mode 100644 meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch diff --git a/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch b/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch new file mode 100644 index 0000000000..c6cba058a7 --- /dev/null +++ b/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch 
@@ -0,0 +1,28 @@ +From e709eb829448ce040087a3fc5481db6bfcaae212 Mon Sep 17 00:00:00 2001 +From: "Arnold D. Robbins" <arnold@skeeve.com> +Date: Wed, 3 Aug 2022 13:00:54 +0300 +Subject: [PATCH] Smal bug fix in builtin.c. + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches/CVE-2023-4156.patch?h=ubuntu/focal-security +Upstream commit https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212] +CVE: CVE-2023-4156 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + ChangeLog | 6 ++++++ + builtin.c | 5 ++++- + 2 files changed, 10 insertions(+), 1 deletion(-) + +--- gawk-5.1.0.orig/builtin.c ++++ gawk-5.1.0/builtin.c +@@ -957,7 +957,10 @@ check_pos: + s1++; + n0--; + } +- if (val >= num_args) { ++ // val could be less than zero if someone provides a field width ++ // so large that it causes integer overflow. Mainly fuzzers do this, ++ // but let's try to be good anyway. ++ if (val < 0 || val >= num_args) { + toofew = true; + break; + } diff --git a/meta/recipes-extended/gawk/gawk_5.0.1.bb b/meta/recipes-extended/gawk/gawk_5.0.1.bb index 1b29ec3113..c71890c19e 100644 --- a/meta/recipes-extended/gawk/gawk_5.0.1.bb +++ b/meta/recipes-extended/gawk/gawk_5.0.1.bb @@ -18,6 +18,7 @@ PACKAGECONFIG[mpfr] = "--with-mpfr,--without-mpfr, mpfr" SRC_URI = "${GNU_MIRROR}/gawk/gawk-${PV}.tar.gz \ file://remove-sensitive-tests.patch \ file://run-ptest \ + file://CVE-2023-4156.patch \ " SRC_URI[md5sum] = "c5441c73cc451764055ee65e9a4292bb" -- 2.34.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
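Review bot: the diffstat inside CVE-2023-4156.patch lists ChangeLog (6 lines) and builtin.c as "2 files changed", but the patch carries only the builtin.c hunk, and its paths are `gawk-5.1.0.orig/builtin.c` while the recipe is gawk_5.0.1.bb. Please regenerate the patch against the 5.0.1 source so the diffstat matches the content and the hunk at line 957 applies without fuzz, or note in the header that the ChangeLog part was dropped. The Upstream-Status tag also spans two lines with two URLs inside one bracket; a single `Backport [<upstream commit URL>]` line, with the Ubuntu import mentioned in the description, would be easier for tooling to parse.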
* [OE-core][dunfell 03/11] go: Update fix for CVE-2023-24538 & CVE-2023-39318 2023-10-10 14:14 [OE-core][dunfell 00/11] Patch review Steve Sakoman 2023-10-10 14:14 ` [OE-core][dunfell 01/11] cups: Backport fix for CVE-2023-32360 and CVE-2023-4504 Steve Sakoman 2023-10-10 14:14 ` [OE-core][dunfell 02/11] gawk: backport Debian patch to fix CVE-2023-4156 Steve Sakoman @ 2023-10-10 14:14 ` Steve Sakoman 2023-10-10 14:14 ` [OE-core][dunfell 04/11] dbus: Backport fix for CVE-2023-34969 Steve Sakoman ` (7 subsequent siblings) 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2023-10-10 14:14 UTC (permalink / raw) To: openembedded-core From: Shubham Kulkarni <skulkarni@mvista.com> Add missing files in fix for CVE-2023-24538 & CVE-2023-39318 Upstream Link - CVE-2023-24538: https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b CVE-2023-39318: https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-devtools/go/go-1.14.inc | 5 +- .../go/go-1.14/CVE-2023-24538-1.patch | 4 +- .../go/go-1.14/CVE-2023-24538-2.patch | 447 ++++++++++++- .../go/go-1.14/CVE-2023-24538_3.patch | 393 ++++++++++++ .../go/go-1.14/CVE-2023-24538_4.patch | 497 +++++++++++++++ .../go/go-1.14/CVE-2023-24538_5.patch | 585 ++++++++++++++++++ ...3-24538-3.patch => CVE-2023-24538_6.patch} | 175 +++++- .../go/go-1.14/CVE-2023-39318.patch | 38 +- 8 files changed, 2124 insertions(+), 20 deletions(-) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch rename meta/recipes-devtools/go/go-1.14/{CVE-2023-24538-3.patch => CVE-2023-24538_6.patch} (53%) 
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index be63f64825..091b778de8 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -60,7 +60,10 @@ SRC_URI += "\ file://CVE-2023-24534.patch \ file://CVE-2023-24538-1.patch \ file://CVE-2023-24538-2.patch \ - file://CVE-2023-24538-3.patch \ + file://CVE-2023-24538_3.patch \ + file://CVE-2023-24538_4.patch \ + file://CVE-2023-24538_5.patch \ + file://CVE-2023-24538_6.patch \ file://CVE-2023-24539.patch \ file://CVE-2023-24540.patch \ file://CVE-2023-29405-1.patch \ diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch index eda26e5ff6..23c5075e41 100644 --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch @@ -1,7 +1,7 @@ From 8acd01094d9ee17f6e763a61e49a8a808b3a9ddb Mon Sep 17 00:00:00 2001 From: Brad Fitzpatrick <bradfitz@golang.org> Date: Mon, 2 Aug 2021 14:55:51 -0700 -Subject: [PATCH 1/3] net/netip: add new IP address package +Subject: [PATCH 1/6] net/netip: add new IP address package Co-authored-by: Alex Willmer <alex@moreati.org.uk> (GitHub @moreati) Co-authored-by: Alexander Yastrebov <yastrebov.alex@gmail.com> @@ -31,7 +31,7 @@ Trust: Brad Fitzpatrick <bradfitz@golang.org> Dependency Patch #1 -Upstream-Status: Backport [https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0] +Upstream-Status: Backport from https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0 CVE: CVE-2023-24538 Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> --- diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch index 5036f2890b..f200c41e16 100644 --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch @@ -1,7 +1,7 @@ 
From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001 From: empijei <robclap8@gmail.com> Date: Fri, 27 Mar 2020 19:27:55 +0100 -Subject: [PATCH 2/3] html/template,text/template: switch to Unicode escapes +Subject: [PATCH 2/6] html/template,text/template: switch to Unicode escapes for JSON compatibility MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -31,10 +31,238 @@ Upstream-Status: Backport from https://github.com/golang/go/commit/d4d298040d072 CVE: CVE-2023-24538 
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> --- - src/html/template/js.go | 70 +++++++++++++++++++++++++++------------------- - src/text/template/funcs.go | 8 +++--- - 2 files changed, 46 insertions(+), 32 deletions(-) + src/html/template/content_test.go | 70 +++++++++++++++++++------------------- + src/html/template/escape_test.go | 6 ++-- + src/html/template/example_test.go | 6 ++-- + src/html/template/js.go | 70 +++++++++++++++++++++++--------------- + src/html/template/js_test.go | 68 ++++++++++++++++++------------------ + src/html/template/template_test.go | 39 +++++++++++++++++++++ + src/text/template/exec_test.go | 6 ++-- + src/text/template/funcs.go | 8 ++--- + 8 files changed, 163 insertions(+), 110 deletions(-) +diff --git a/src/html/template/content_test.go b/src/html/template/content_test.go +index 72d56f5..bd86527 100644 +--- a/src/html/template/content_test.go ++++ b/src/html/template/content_test.go +@@ -18,7 +18,7 @@ func TestTypedContent(t *testing.T) { + HTML(`Hello, <b>World</b> &tc!`), + HTMLAttr(` dir="ltr"`), + JS(`c && alert("Hello, World!");`), +- JSStr(`Hello, World & O'Reilly\x21`), ++ JSStr(`Hello, World & O'Reilly\u0021`), + URL(`greeting=H%69,&addressee=(World)`), + Srcset(`greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`), + URL(`,foo/,`), +@@ -70,7 +70,7 @@ func TestTypedContent(t *testing.T) { + `Hello, <b>World</b> &tc!`, + ` dir="ltr"`, + `c && alert("Hello, World!");`, +- `Hello, World & O'Reilly\x21`, ++ `Hello, World & O'Reilly\u0021`, + `greeting=H%69,&addressee=(World)`, + `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, + `,foo/,`, +@@ -100,7 +100,7 @@ func TestTypedContent(t *testing.T) { + `Hello, World &tc!`, + ` dir="ltr"`, + `c && alert("Hello, World!");`, +- `Hello, World & O'Reilly\x21`, ++ `Hello, World & O'Reilly\u0021`, + `greeting=H%69,&addressee=(World)`, + `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, + `,foo/,`, 
+@@ -115,7 +115,7 @@ func TestTypedContent(t *testing.T) { + `Hello, World &tc!`, + ` dir="ltr"`, + `c && alert("Hello, World!");`, +- `Hello, World & O'Reilly\x21`, ++ `Hello, World & O'Reilly\u0021`, + `greeting=H%69,&addressee=(World)`, + `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, + `,foo/,`, +@@ -130,7 +130,7 @@ func TestTypedContent(t *testing.T) { + `Hello, <b>World</b> &tc!`, + ` dir="ltr"`, + `c && alert("Hello, World!");`, +- `Hello, World & O'Reilly\x21`, ++ `Hello, World & O'Reilly\u0021`, + `greeting=H%69,&addressee=(World)`, + `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, + `,foo/,`, +@@ -146,7 +146,7 @@ func TestTypedContent(t *testing.T) { + // Not escaped. + `c && alert("Hello, World!");`, + // Escape sequence not over-escaped. +- `"Hello, World & O'Reilly\x21"`, ++ `"Hello, World & O'Reilly\u0021"`, + `"greeting=H%69,\u0026addressee=(World)"`, + `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`, + `",foo/,"`, +@@ -162,7 +162,7 @@ func TestTypedContent(t *testing.T) { + // Not JS escaped but HTML escaped. + `c && alert("Hello, World!");`, + // Escape sequence not over-escaped. 
+- `"Hello, World & O'Reilly\x21"`, ++ `"Hello, World & O'Reilly\u0021"`, + `"greeting=H%69,\u0026addressee=(World)"`, + `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`, + `",foo/,"`, +@@ -171,30 +171,30 @@ func TestTypedContent(t *testing.T) { + { + `<script>alert("{{.}}")</script>`, + []string{ +- `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`, +- `a[href =~ \x22\/\/example.com\x22]#foo`, +- `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`, +- ` dir=\x22ltr\x22`, +- `c \x26\x26 alert(\x22Hello, World!\x22);`, ++ `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`, ++ `a[href =~ \u0022\/\/example.com\u0022]#foo`, ++ `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`, ++ ` dir=\u0022ltr\u0022`, ++ `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`, + // Escape sequence not over-escaped. +- `Hello, World \x26 O\x27Reilly\x21`, +- `greeting=H%69,\x26addressee=(World)`, +- `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, ++ `Hello, World \u0026 O\u0027Reilly\u0021`, ++ `greeting=H%69,\u0026addressee=(World)`, ++ `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, + `,foo\/,`, + }, + }, + { + `<script type="text/javascript">alert("{{.}}")</script>`, + []string{ +- `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`, +- `a[href =~ \x22\/\/example.com\x22]#foo`, +- `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`, +- ` dir=\x22ltr\x22`, +- `c \x26\x26 alert(\x22Hello, World!\x22);`, ++ `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`, ++ `a[href =~ \u0022\/\/example.com\u0022]#foo`, ++ `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`, ++ ` dir=\u0022ltr\u0022`, ++ `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`, + // Escape sequence not over-escaped. 
+- `Hello, World \x26 O\x27Reilly\x21`, +- `greeting=H%69,\x26addressee=(World)`, +- `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, ++ `Hello, World \u0026 O\u0027Reilly\u0021`, ++ `greeting=H%69,\u0026addressee=(World)`, ++ `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, + `,foo\/,`, + }, + }, +@@ -208,7 +208,7 @@ func TestTypedContent(t *testing.T) { + // Not escaped. + `c && alert("Hello, World!");`, + // Escape sequence not over-escaped. +- `"Hello, World & O'Reilly\x21"`, ++ `"Hello, World & O'Reilly\u0021"`, + `"greeting=H%69,\u0026addressee=(World)"`, + `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`, + `",foo/,"`, +@@ -224,7 +224,7 @@ func TestTypedContent(t *testing.T) { + `Hello, <b>World</b> &tc!`, + ` dir="ltr"`, + `c && alert("Hello, World!");`, +- `Hello, World & O'Reilly\x21`, ++ `Hello, World & O'Reilly\u0021`, + `greeting=H%69,&addressee=(World)`, + `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, + `,foo/,`, +@@ -233,15 +233,15 @@ func TestTypedContent(t *testing.T) { + { + `<button onclick='alert("{{.}}")'>`, + []string{ +- `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`, +- `a[href =~ \x22\/\/example.com\x22]#foo`, +- `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`, +- ` dir=\x22ltr\x22`, +- `c \x26\x26 alert(\x22Hello, World!\x22);`, ++ `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`, ++ `a[href =~ \u0022\/\/example.com\u0022]#foo`, ++ `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`, ++ ` dir=\u0022ltr\u0022`, ++ `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`, + // Escape sequence not over-escaped. 
+- `Hello, World \x26 O\x27Reilly\x21`, +- `greeting=H%69,\x26addressee=(World)`, +- `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, ++ `Hello, World \u0026 O\u0027Reilly\u0021`, ++ `greeting=H%69,\u0026addressee=(World)`, ++ `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, + `,foo\/,`, + }, + }, +@@ -253,7 +253,7 @@ func TestTypedContent(t *testing.T) { + `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`, + `%20dir%3d%22ltr%22`, + `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`, +- `Hello%2c%20World%20%26%20O%27Reilly%5cx21`, ++ `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`, + // Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is done. + `greeting=H%69,&addressee=%28World%29`, + `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`, +@@ -268,7 +268,7 @@ func TestTypedContent(t *testing.T) { + `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`, + `%20dir%3d%22ltr%22`, + `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`, +- `Hello%2c%20World%20%26%20O%27Reilly%5cx21`, ++ `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`, + // Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is not done. 
+ `greeting=H%69,&addressee=%28World%29`, + `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`, +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go +index e72a9ba..c709660 100644 +--- a/src/html/template/escape_test.go ++++ b/src/html/template/escape_test.go +@@ -238,7 +238,7 @@ func TestEscape(t *testing.T) { + { + "jsStr", + "<button onclick='alert("{{.H}}")'>", +- `<button onclick='alert("\x3cHello\x3e")'>`, ++ `<button onclick='alert("\u003cHello\u003e")'>`, + }, + { + "badMarshaler", +@@ -259,7 +259,7 @@ func TestEscape(t *testing.T) { + { + "jsRe", + `<button onclick='alert(/{{"foo+bar"}}/.test(""))'>`, +- `<button onclick='alert(/foo\x2bbar/.test(""))'>`, ++ `<button onclick='alert(/foo\u002bbar/.test(""))'>`, + }, + { + "jsReBlank", +@@ -825,7 +825,7 @@ func TestEscapeSet(t *testing.T) { + "main": `<button onclick="title='{{template "helper"}}'; ...">{{template "helper"}}</button>`, + "helper": `{{11}} of {{"<100>"}}`, + }, +- `<button onclick="title='11 of \x3c100\x3e'; ...">11 of <100></button>`, ++ `<button onclick="title='11 of \u003c100\u003e'; ...">11 of <100></button>`, + }, + // A non-recursive template that ends in a different context. + // helper starts in jsCtxRegexp and ends in jsCtxDivOp. 
+diff --git a/src/html/template/example_test.go b/src/html/template/example_test.go +index 9d965f1..6cf936f 100644 +--- a/src/html/template/example_test.go ++++ b/src/html/template/example_test.go +@@ -116,9 +116,9 @@ func Example_escape() { + // "Fran & Freddie's Diner" <tasty@example.com> + // "Fran & Freddie's Diner" <tasty@example.com> + // "Fran & Freddie's Diner"32<tasty@example.com> +- // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E +- // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E +- // \"Fran \x26 Freddie\'s Diner\"32\x3Ctasty@example.com\x3E ++ // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E ++ // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E ++ // \"Fran \u0026 Freddie\'s Diner\"32\u003Ctasty@example.com\u003E + // %22Fran+%26+Freddie%27s+Diner%2232%3Ctasty%40example.com%3E + + } diff --git a/src/html/template/js.go b/src/html/template/js.go index 0e91458..ea9c183 100644 --- a/src/html/template/js.go 
@@ -173,6 +401,217 @@ index 0e91458..ea9c183 100644 '?': `\?`, '[': `\[`, '\\': `\\`, +diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go +index 075adaa..d7ee47b 100644 +--- a/src/html/template/js_test.go ++++ b/src/html/template/js_test.go +@@ -137,7 +137,7 @@ func TestJSValEscaper(t *testing.T) { + {"foo", `"foo"`}, + // Newlines. + {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`}, +- // "\v" == "v" on IE 6 so use "\x0b" instead. ++ // "\v" == "v" on IE 6 so use "\u000b" instead. + {"\t\x0b", `"\t\u000b"`}, + {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`}, + {[]interface{}{}, "[]"}, +@@ -173,7 +173,7 @@ func TestJSStrEscaper(t *testing.T) { + }{ + {"", ``}, + {"foo", `foo`}, +- {"\u0000", `\0`}, ++ {"\u0000", `\u0000`}, + {"\t", `\t`}, + {"\n", `\n`}, + {"\r", `\r`}, +@@ -183,14 +183,14 @@ func TestJSStrEscaper(t *testing.T) { + {"\\n", `\\n`}, + {"foo\r\nbar", `foo\r\nbar`}, + // Preserve attribute boundaries. +- {`"`, `\x22`}, +- {`'`, `\x27`}, ++ {`"`, `\u0022`}, ++ {`'`, `\u0027`}, + // Allow embedding in HTML without further escaping. +- {`&`, `\x26amp;`}, ++ {`&`, `\u0026amp;`}, + // Prevent breaking out of text node and element boundaries. +- {"</script>", `\x3c\/script\x3e`}, +- {"<![CDATA[", `\x3c![CDATA[`}, +- {"]]>", `]]\x3e`}, ++ {"</script>", `\u003c\/script\u003e`}, ++ {"<![CDATA[", `\u003c![CDATA[`}, ++ {"]]>", `]]\u003e`}, + // https://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span + // "The text in style, script, title, and textarea elements + // must not have an escaping text span start that is not +@@ -201,11 +201,11 @@ func TestJSStrEscaper(t *testing.T) { + // allow regular text content to be interpreted as script + // allowing script execution via a combination of a JS string + // injection followed by an HTML text injection. 
+- {"<!--", `\x3c!--`}, +- {"-->", `--\x3e`}, ++ {"<!--", `\u003c!--`}, ++ {"-->", `--\u003e`}, + // From https://code.google.com/p/doctype/wiki/ArticleUtf7 + {"+ADw-script+AD4-alert(1)+ADw-/script+AD4-", +- `\x2bADw-script\x2bAD4-alert(1)\x2bADw-\/script\x2bAD4-`, ++ `\u002bADw-script\u002bAD4-alert(1)\u002bADw-\/script\u002bAD4-`, + }, + // Invalid UTF-8 sequence + {"foo\xA0bar", "foo\xA0bar"}, +@@ -228,7 +228,7 @@ func TestJSRegexpEscaper(t *testing.T) { + }{ + {"", `(?:)`}, + {"foo", `foo`}, +- {"\u0000", `\0`}, ++ {"\u0000", `\u0000`}, + {"\t", `\t`}, + {"\n", `\n`}, + {"\r", `\r`}, +@@ -238,19 +238,19 @@ func TestJSRegexpEscaper(t *testing.T) { + {"\\n", `\\n`}, + {"foo\r\nbar", `foo\r\nbar`}, + // Preserve attribute boundaries. +- {`"`, `\x22`}, +- {`'`, `\x27`}, ++ {`"`, `\u0022`}, ++ {`'`, `\u0027`}, + // Allow embedding in HTML without further escaping. +- {`&`, `\x26amp;`}, ++ {`&`, `\u0026amp;`}, + // Prevent breaking out of text node and element boundaries. +- {"</script>", `\x3c\/script\x3e`}, +- {"<![CDATA[", `\x3c!\[CDATA\[`}, +- {"]]>", `\]\]\x3e`}, ++ {"</script>", `\u003c\/script\u003e`}, ++ {"<![CDATA[", `\u003c!\[CDATA\[`}, ++ {"]]>", `\]\]\u003e`}, + // Escaping text spans. 
+- {"<!--", `\x3c!\-\-`}, +- {"-->", `\-\-\x3e`}, ++ {"<!--", `\u003c!\-\-`}, ++ {"-->", `\-\-\u003e`}, + {"*", `\*`}, +- {"+", `\x2b`}, ++ {"+", `\u002b`}, + {"?", `\?`}, + {"[](){}", `\[\]\(\)\{\}`}, + {"$foo|x.y", `\$foo\|x\.y`}, +@@ -284,27 +284,27 @@ func TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) { + { + "jsStrEscaper", + jsStrEscaper, +- "\\0\x01\x02\x03\x04\x05\x06\x07" + +- "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" + +- "\x10\x11\x12\x13\x14\x15\x16\x17" + +- "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" + +- ` !\x22#$%\x26\x27()*\x2b,-.\/` + +- `0123456789:;\x3c=\x3e?` + ++ `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` + ++ `\u0008\t\n\u000b\f\r\u000e\u000f` + ++ `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` + ++ `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` + ++ ` !\u0022#$%\u0026\u0027()*\u002b,-.\/` + ++ `0123456789:;\u003c=\u003e?` + + `@ABCDEFGHIJKLMNO` + + `PQRSTUVWXYZ[\\]^_` + + "`abcdefghijklmno" + +- "pqrstuvwxyz{|}~\x7f" + ++ "pqrstuvwxyz{|}~\u007f" + + "\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E", + }, + { + "jsRegexpEscaper", + jsRegexpEscaper, +- "\\0\x01\x02\x03\x04\x05\x06\x07" + +- "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" + +- "\x10\x11\x12\x13\x14\x15\x16\x17" + +- "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" + +- ` !\x22#\$%\x26\x27\(\)\*\x2b,\-\.\/` + +- `0123456789:;\x3c=\x3e\?` + ++ `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` + ++ `\u0008\t\n\u000b\f\r\u000e\u000f` + ++ `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` + ++ `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` + ++ ` !\u0022#\$%\u0026\u0027\(\)\*\u002b,\-\.\/` + ++ `0123456789:;\u003c=\u003e\?` + + `@ABCDEFGHIJKLMNO` + + `PQRSTUVWXYZ\[\\\]\^_` + + "`abcdefghijklmno" + +diff --git a/src/html/template/template_test.go b/src/html/template/template_test.go +index 13e6ba4..86bd4db 100644 +--- a/src/html/template/template_test.go ++++ b/src/html/template/template_test.go +@@ -6,6 +6,7 @@ package template_test + + import ( + "bytes" ++ "encoding/json" + . 
"html/template" + "strings" + "testing" +@@ -121,6 +122,44 @@ func TestNumbers(t *testing.T) { + c.mustExecute(c.root, nil, "12.34 7.5") + } + ++func TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t *testing.T) { ++ // See #33671 and #37634 for more context on this. ++ tests := []struct{ name, in string }{ ++ {"empty", ""}, ++ {"invalid", string(rune(-1))}, ++ {"null", "\u0000"}, ++ {"unit separator", "\u001F"}, ++ {"tab", "\t"}, ++ {"gt and lt", "<>"}, ++ {"quotes", `'"`}, ++ {"ASCII letters", "ASCII letters"}, ++ {"Unicode", "ʕ⊙ϖ⊙ʔ"}, ++ {"Pizza", "P"}, ++ } ++ const ( ++ prefix = `<script type="application/ld+json">` ++ suffix = `</script>` ++ templ = prefix + `"{{.}}"` + suffix ++ ) ++ tpl := Must(New("JS string is JSON string").Parse(templ)) ++ for _, tt := range tests { ++ t.Run(tt.name, func(t *testing.T) { ++ var buf bytes.Buffer ++ if err := tpl.Execute(&buf, tt.in); err != nil { ++ t.Fatalf("Cannot render template: %v", err) ++ } ++ trimmed := bytes.TrimSuffix(bytes.TrimPrefix(buf.Bytes(), []byte(prefix)), []byte(suffix)) ++ var got string ++ if err := json.Unmarshal(trimmed, &got); err != nil { ++ t.Fatalf("Cannot parse JS string %q as JSON: %v", trimmed[1:len(trimmed)-1], err) ++ } ++ if got != tt.in { ++ t.Errorf("Serialization changed the string value: got %q want %q", got, tt.in) ++ } ++ }) ++ } ++} ++ + type testCase struct { + t *testing.T + root *Template +diff --git a/src/text/template/exec_test.go b/src/text/template/exec_test.go +index 77294ed..b8a809e 100644 +--- a/src/text/template/exec_test.go ++++ b/src/text/template/exec_test.go +@@ -911,9 +911,9 @@ func TestJSEscaping(t *testing.T) { + {`Go "jump" \`, `Go \"jump\" \\`}, + {`Yukihiro says "今日は世界"`, `Yukihiro says \"今日は世界\"`}, + {"unprintable \uFDFF", `unprintable \uFDFF`}, +- {`<html>`, `\x3Chtml\x3E`}, +- {`no = in attributes`, `no \x3D in attributes`}, +- {`' does not become HTML entity`, `\x26#x27; does not become HTML entity`}, ++ {`<html>`, `\u003Chtml\u003E`}, ++ {`no = 
in attributes`, `no \u003D in attributes`}, ++ {`' does not become HTML entity`, `\u0026#x27; does not become HTML entity`}, + } + for _, tc := range testCases { + s := JSEscapeString(tc.in) diff --git a/src/text/template/funcs.go b/src/text/template/funcs.go index 46125bc..f3de9fb 100644 --- a/src/text/template/funcs.go diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch new file mode 100644 index 0000000000..cd7dd0957c --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch 
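Review bot: in the TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped table added to CVE-2023-24538-2.patch, the {"Pizza", "P"} row carries only the ASCII letter P, so it checks nothing that the "ASCII letters" row does not already cover. If the input was meant to be a non-ASCII character that was dropped when the patch was mailed, confirm that the patch file in the tree still has the original bytes. Otherwise the row can be removed or given an input that matches its name.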
@@ -0,0 +1,393 @@ +From 7ddce23c7d5b728acf8482f5006497c7b9915f8a Mon Sep 17 00:00:00 2001 +From: Ariel Mashraki <ariel@mashraki.co.il> +Date: Wed, 22 Apr 2020 22:17:56 +0300 +Subject: [PATCH 3/6] text/template: add CommentNode to template parse tree +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes #34652 + +Change-Id: Icf6e3eda593fed826736f34f95a9d66f5450cc98 +Reviewed-on: https://go-review.googlesource.com/c/go/+/229398 +Reviewed-by: Daniel Martí <mvdan@mvdan.cc> +Run-TryBot: Daniel Martí <mvdan@mvdan.cc> +TryBot-Result: Gobot Gobot <gobot@golang.org> + +Dependency Patch #3 + +Upstream-Status: Backport from https://github.com/golang/go/commit/c8ea03828b0645b1fd5725888e44873b75fcfbb6 +CVE: CVE-2023-24538 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + api/next.txt | 19 +++++++++++++++++++ + src/html/template/escape.go | 2 ++ + src/html/template/template_test.go | 16 ++++++++++++++++ + src/text/template/exec.go | 1 + + src/text/template/parse/lex.go | 8 +++++++- + src/text/template/parse/lex_test.go | 7 +++++-- + src/text/template/parse/node.go | 33 +++++++++++++++++++++++++++++++++ + src/text/template/parse/parse.go | 22 +++++++++++++++++++--- + src/text/template/parse/parse_test.go | 25 +++++++++++++++++++++++++ + 9 files changed, 127 insertions(+), 6 deletions(-) + +diff --git a/api/next.txt b/api/next.txt +index e69de29..076f39e 100644 +--- a/api/next.txt ++++ b/api/next.txt +@@ -0,0 +1,19 @@ ++pkg unicode, const Version = "13.0.0" ++pkg unicode, var Chorasmian *RangeTable ++pkg unicode, var Dives_Akuru *RangeTable ++pkg unicode, var Khitan_Small_Script *RangeTable ++pkg unicode, var Yezidi *RangeTable ++pkg text/template/parse, const NodeComment = 20 ++pkg text/template/parse, const NodeComment NodeType ++pkg text/template/parse, const ParseComments = 1 ++pkg text/template/parse, const ParseComments Mode ++pkg text/template/parse, method (*CommentNode) Copy() Node ++pkg text/template/parse, 
method (*CommentNode) String() string ++pkg text/template/parse, method (CommentNode) Position() Pos ++pkg text/template/parse, method (CommentNode) Type() NodeType ++pkg text/template/parse, type CommentNode struct ++pkg text/template/parse, type CommentNode struct, Text string ++pkg text/template/parse, type CommentNode struct, embedded NodeType ++pkg text/template/parse, type CommentNode struct, embedded Pos ++pkg text/template/parse, type Mode uint ++pkg text/template/parse, type Tree struct, Mode Mode +diff --git a/src/html/template/escape.go b/src/html/template/escape.go +index f12dafa..8739735 100644 +--- a/src/html/template/escape.go ++++ b/src/html/template/escape.go +@@ -124,6 +124,8 @@ func (e *escaper) escape(c context, n parse.Node) context { + switch n := n.(type) { + case *parse.ActionNode: + return e.escapeAction(c, n) ++ case *parse.CommentNode: ++ return c + case *parse.IfNode: + return e.escapeBranch(c, &n.BranchNode, "if") + case *parse.ListNode: +diff --git a/src/html/template/template_test.go b/src/html/template/template_test.go +index 86bd4db..1f2c888 100644 +--- a/src/html/template/template_test.go ++++ b/src/html/template/template_test.go +@@ -10,6 +10,7 @@ import ( + . 
"html/template" + "strings" + "testing" ++ "text/template/parse" + ) + + func TestTemplateClone(t *testing.T) { +@@ -160,6 +161,21 @@ func TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t *testing.T) { + } + } + ++func TestSkipEscapeComments(t *testing.T) { ++ c := newTestCase(t) ++ tr := parse.New("root") ++ tr.Mode = parse.ParseComments ++ newT, err := tr.Parse("{{/* A comment */}}{{ 1 }}{{/* Another comment */}}", "", "", make(map[string]*parse.Tree)) ++ if err != nil { ++ t.Fatalf("Cannot parse template text: %v", err) ++ } ++ c.root, err = c.root.AddParseTree("root", newT) ++ if err != nil { ++ t.Fatalf("Cannot add parse tree to template: %v", err) ++ } ++ c.mustExecute(c.root, nil, "1") ++} ++ + type testCase struct { + t *testing.T + root *Template +diff --git a/src/text/template/exec.go b/src/text/template/exec.go +index ac3e741..7ac5175 100644 +--- a/src/text/template/exec.go ++++ b/src/text/template/exec.go +@@ -256,6 +256,7 @@ func (s *state) walk(dot reflect.Value, node parse.Node) { + if len(node.Pipe.Decl) == 0 { + s.printValue(node, val) + } ++ case *parse.CommentNode: + case *parse.IfNode: + s.walkIfOrWith(parse.NodeIf, dot, node.Pipe, node.List, node.ElseList) + case *parse.ListNode: +diff --git a/src/text/template/parse/lex.go b/src/text/template/parse/lex.go +index 30371f2..e41373a 100644 +--- a/src/text/template/parse/lex.go ++++ b/src/text/template/parse/lex.go +@@ -41,6 +41,7 @@ const ( + itemBool // boolean constant + itemChar // printable ASCII character; grab bag for comma etc. 
+ itemCharConstant // character constant ++ itemComment // comment text + itemComplex // complex constant (1+2i); imaginary is just a number + itemAssign // equals ('=') introducing an assignment + itemDeclare // colon-equals (':=') introducing a declaration +@@ -112,6 +113,7 @@ type lexer struct { + leftDelim string // start of action + rightDelim string // end of action + trimRightDelim string // end of action with trim marker ++ emitComment bool // emit itemComment tokens. + pos Pos // current position in the input + start Pos // start position of this item + width Pos // width of last rune read from input +@@ -203,7 +205,7 @@ func (l *lexer) drain() { + } + + // lex creates a new scanner for the input string. +-func lex(name, input, left, right string) *lexer { ++func lex(name, input, left, right string, emitComment bool) *lexer { + if left == "" { + left = leftDelim + } +@@ -216,6 +218,7 @@ func lex(name, input, left, right string) *lexer { + leftDelim: left, + rightDelim: right, + trimRightDelim: rightTrimMarker + right, ++ emitComment: emitComment, + items: make(chan item), + line: 1, + startLine: 1, +@@ -323,6 +326,9 @@ func lexComment(l *lexer) stateFn { + if !delim { + return l.errorf("comment ends before closing delimiter") + } ++ if l.emitComment { ++ l.emit(itemComment) ++ } + if trimSpace { + l.pos += trimMarkerLen + } +diff --git a/src/text/template/parse/lex_test.go b/src/text/template/parse/lex_test.go +index 563c4fc..f6d5f28 100644 +--- a/src/text/template/parse/lex_test.go ++++ b/src/text/template/parse/lex_test.go +@@ -15,6 +15,7 @@ var itemName = map[itemType]string{ + itemBool: "bool", + itemChar: "char", + itemCharConstant: "charconst", ++ itemComment: "comment", + itemComplex: "complex", + itemDeclare: ":=", + itemEOF: "EOF", +@@ -90,6 +91,7 @@ var lexTests = []lexTest{ + {"text", `now is the time`, []item{mkItem(itemText, "now is the time"), tEOF}}, + {"text with comment", "hello-{{/* this is a comment */}}-world", []item{ + 
mkItem(itemText, "hello-"), ++ mkItem(itemComment, "/* this is a comment */"), + mkItem(itemText, "-world"), + tEOF, + }}, +@@ -311,6 +313,7 @@ var lexTests = []lexTest{ + }}, + {"trimming spaces before and after comment", "hello- {{- /* hello */ -}} -world", []item{ + mkItem(itemText, "hello-"), ++ mkItem(itemComment, "/* hello */"), + mkItem(itemText, "-world"), + tEOF, + }}, +@@ -389,7 +392,7 @@ var lexTests = []lexTest{ + + // collect gathers the emitted items into a slice. + func collect(t *lexTest, left, right string) (items []item) { +- l := lex(t.name, t.input, left, right) ++ l := lex(t.name, t.input, left, right, true) + for { + item := l.nextItem() + items = append(items, item) +@@ -529,7 +532,7 @@ func TestPos(t *testing.T) { + func TestShutdown(t *testing.T) { + // We need to duplicate template.Parse here to hold on to the lexer. + const text = "erroneous{{define}}{{else}}1234" +- lexer := lex("foo", text, "{{", "}}") ++ lexer := lex("foo", text, "{{", "}}", false) + _, err := New("root").parseLexer(lexer) + if err == nil { + t.Fatalf("expected error") +diff --git a/src/text/template/parse/node.go b/src/text/template/parse/node.go +index 1c116ea..a9dad5e 100644 +--- a/src/text/template/parse/node.go ++++ b/src/text/template/parse/node.go +@@ -70,6 +70,7 @@ const ( + NodeTemplate // A template invocation action. + NodeVariable // A $ variable. + NodeWith // A with action. ++ NodeComment // A comment. + ) + + // Nodes. +@@ -149,6 +150,38 @@ func (t *TextNode) Copy() Node { + return &TextNode{tr: t.tr, NodeType: NodeText, Pos: t.Pos, Text: append([]byte{}, t.Text...)} + } + ++// CommentNode holds a comment. ++type CommentNode struct { ++ NodeType ++ Pos ++ tr *Tree ++ Text string // Comment text. 
++} ++ ++func (t *Tree) newComment(pos Pos, text string) *CommentNode { ++ return &CommentNode{tr: t, NodeType: NodeComment, Pos: pos, Text: text} ++} ++ ++func (c *CommentNode) String() string { ++ var sb strings.Builder ++ c.writeTo(&sb) ++ return sb.String() ++} ++ ++func (c *CommentNode) writeTo(sb *strings.Builder) { ++ sb.WriteString("{{") ++ sb.WriteString(c.Text) ++ sb.WriteString("}}") ++} ++ ++func (c *CommentNode) tree() *Tree { ++ return c.tr ++} ++ ++func (c *CommentNode) Copy() Node { ++ return &CommentNode{tr: c.tr, NodeType: NodeComment, Pos: c.Pos, Text: c.Text} ++} ++ + // PipeNode holds a pipeline with optional declaration + type PipeNode struct { + NodeType +diff --git a/src/text/template/parse/parse.go b/src/text/template/parse/parse.go +index c9b80f4..496d8bf 100644 +--- a/src/text/template/parse/parse.go ++++ b/src/text/template/parse/parse.go +@@ -21,6 +21,7 @@ type Tree struct { + Name string // name of the template represented by the tree. + ParseName string // name of the top-level template during parsing, for error messages. + Root *ListNode // top-level root of the tree. ++ Mode Mode // parsing mode. + text string // text parsed to create the template (or its parent) + // Parsing only; cleared after parse. + funcs []map[string]interface{} +@@ -29,8 +30,16 @@ type Tree struct { + peekCount int + vars []string // variables defined at the moment. + treeSet map[string]*Tree ++ mode Mode + } + ++// A mode value is a set of flags (or 0). Modes control parser behavior. ++type Mode uint ++ ++const ( ++ ParseComments Mode = 1 << iota // parse comments and add them to AST ++) ++ + // Copy returns a copy of the Tree. Any parsing state is discarded. 
+ func (t *Tree) Copy() *Tree { + if t == nil { +@@ -220,7 +229,8 @@ func (t *Tree) stopParse() { + func (t *Tree) Parse(text, leftDelim, rightDelim string, treeSet map[string]*Tree, funcs ...map[string]interface{}) (tree *Tree, err error) { + defer t.recover(&err) + t.ParseName = t.Name +- t.startParse(funcs, lex(t.Name, text, leftDelim, rightDelim), treeSet) ++ emitComment := t.Mode&ParseComments != 0 ++ t.startParse(funcs, lex(t.Name, text, leftDelim, rightDelim, emitComment), treeSet) + t.text = text + t.parse() + t.add() +@@ -240,12 +250,14 @@ func (t *Tree) add() { + } + } + +-// IsEmptyTree reports whether this tree (node) is empty of everything but space. ++// IsEmptyTree reports whether this tree (node) is empty of everything but space or comments. + func IsEmptyTree(n Node) bool { + switch n := n.(type) { + case nil: + return true + case *ActionNode: ++ case *CommentNode: ++ return true + case *IfNode: + case *ListNode: + for _, node := range n.Nodes { +@@ -276,6 +288,7 @@ func (t *Tree) parse() { + if t.nextNonSpace().typ == itemDefine { + newT := New("definition") // name will be updated once we know it. + newT.text = t.text ++ newT.Mode = t.Mode + newT.ParseName = t.ParseName + newT.startParse(t.funcs, t.lex, t.treeSet) + newT.parseDefinition() +@@ -331,13 +344,15 @@ func (t *Tree) itemList() (list *ListNode, next Node) { + } + + // textOrAction: +-// text | action ++// text | comment | action + func (t *Tree) textOrAction() Node { + switch token := t.nextNonSpace(); token.typ { + case itemText: + return t.newText(token.pos, token.val) + case itemLeftDelim: + return t.action() ++ case itemComment: ++ return t.newComment(token.pos, token.val) + default: + t.unexpected(token, "input") + } +@@ -539,6 +554,7 @@ func (t *Tree) blockControl() Node { + + block := New(name) // name will be updated once we know it. 
+ block.text = t.text ++ block.Mode = t.Mode + block.ParseName = t.ParseName + block.startParse(t.funcs, t.lex, t.treeSet) + var end Node +diff --git a/src/text/template/parse/parse_test.go b/src/text/template/parse/parse_test.go +index 4e09a78..d9c13c5 100644 +--- a/src/text/template/parse/parse_test.go ++++ b/src/text/template/parse/parse_test.go +@@ -348,6 +348,30 @@ func TestParseCopy(t *testing.T) { + testParse(true, t) + } + ++func TestParseWithComments(t *testing.T) { ++ textFormat = "%q" ++ defer func() { textFormat = "%s" }() ++ tests := [...]parseTest{ ++ {"comment", "{{/*\n\n\n*/}}", noError, "{{/*\n\n\n*/}}"}, ++ {"comment trim left", "x \r\n\t{{- /* hi */}}", noError, `"x"{{/* hi */}}`}, ++ {"comment trim right", "{{/* hi */ -}}\n\n\ty", noError, `{{/* hi */}}"y"`}, ++ {"comment trim left and right", "x \r\n\t{{- /* */ -}}\n\n\ty", noError, `"x"{{/* */}}"y"`}, ++ } ++ for _, test := range tests { ++ t.Run(test.name, func(t *testing.T) { ++ tr := New(test.name) ++ tr.Mode = ParseComments ++ tmpl, err := tr.Parse(test.input, "", "", make(map[string]*Tree)) ++ if err != nil { ++ t.Errorf("%q: expected error; got none", test.name) ++ } ++ if result := tmpl.Root.String(); result != test.result { ++ t.Errorf("%s=(%q): got\n\t%v\nexpected\n\t%v", test.name, test.input, result, test.result) ++ } ++ }) ++ } ++} ++ + type isEmptyTest struct { + name string + input string +@@ -358,6 +382,7 @@ var isEmptyTests = []isEmptyTest{ + {"empty", ``, true}, + {"nonempty", `hello`, false}, + {"spaces only", " \t\n \t\n", true}, ++ {"comment only", "{{/* comment */}}", true}, + {"definition", `{{define "x"}}something{{end}}`, true}, + {"definitions and space", "{{define `x`}}something{{end}}\n\n{{define `y`}}something{{end}}\n\n", true}, + {"definitions and text", "{{define `x`}}something{{end}}\nx\n{{define `y`}}something{{end}}\ny\n", false}, +-- +2.7.4 
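Review bot: in TestParseWithComments (parse_test.go hunk of CVE-2023-24538_3.patch) the failure branch is mislabelled and not fatal. Every row is noError, yet under `if err != nil` the test reports "expected error; got none", drops the actual err, and then goes on to call tmpl.Root.String(), where tmpl may be nil after a failed Parse. Suggest t.Fatalf("%q: unexpected error: %v", test.name, err). If the patch is kept byte-identical to upstream, note the wart in the patch header so a later failure is not misread.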
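Review bot: the api/next.txt hunk of CVE-2023-24538_3.patch adds five pkg unicode entries (Version = "13.0.0", Chorasmian, Dives_Akuru, Khitan_Small_Script, Yezidi) although none of the nine files in the diffstat touches the unicode package. For a dependency backport into go-1.14, trim the hunk to the text/template/parse lines or drop api/next.txt from the patch, so the API listing does not name symbols this patch does not add.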
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch new file mode 100644 index 0000000000..d5e2eb6684 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch 
@@ -0,0 +1,497 @@ +From 760d88497091fb5d6d231a18e6f4e06ecb9af9b2 Mon Sep 17 00:00:00 2001 +From: Russ Cox <rsc@golang.org> +Date: Thu, 10 Sep 2020 18:53:26 -0400 +Subject: [PATCH 4/6] text/template: allow newlines inside action delimiters + +This allows multiline constructs like: + + {{"hello" | + printf}} + +Now that unclosed actions can span multiple lines, +track and report the start of the action when reporting errors. + +Also clean up a few "unexpected <error message>" to be just "<error message>". + +Fixes #29770. + +Change-Id: I54c6c016029a8328b7902a4b6d85eab713ec3285 +Reviewed-on: https://go-review.googlesource.com/c/go/+/254257 +Trust: Russ Cox <rsc@golang.org> +Run-TryBot: Russ Cox <rsc@golang.org> +TryBot-Result: Go Bot <gobot@golang.org> +Reviewed-by: Rob Pike <r@golang.org> + +Dependency Patch #4 + +Upstream-Status: Backport from https://github.com/golang/go/commit/9384d34c58099657bb1b133beaf3ff37ada9b017 +CVE: CVE-2023-24538 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + src/text/template/doc.go | 21 ++++----- + src/text/template/exec_test.go | 2 +- + src/text/template/parse/lex.go | 84 +++++++++++++++++------------------ + src/text/template/parse/lex_test.go | 2 +- + src/text/template/parse/parse.go | 59 +++++++++++++----------- + src/text/template/parse/parse_test.go | 36 ++++++++++++--- + 6 files changed, 117 insertions(+), 87 deletions(-) + +diff --git a/src/text/template/doc.go b/src/text/template/doc.go +index 4b0efd2..7b30294 100644 +--- a/src/text/template/doc.go ++++ b/src/text/template/doc.go +@@ -40,16 +40,17 @@ More intricate examples appear below. + Text and spaces + + By default, all text between actions is copied verbatim when the template is +-executed. For example, the string " items are made of " in the example above appears +-on standard output when the program is run. 
+- +-However, to aid in formatting template source code, if an action's left delimiter +-(by default "{{") is followed immediately by a minus sign and ASCII space character +-("{{- "), all trailing white space is trimmed from the immediately preceding text. +-Similarly, if the right delimiter ("}}") is preceded by a space and minus sign +-(" -}}"), all leading white space is trimmed from the immediately following text. +-In these trim markers, the ASCII space must be present; "{{-3}}" parses as an +-action containing the number -3. ++executed. For example, the string " items are made of " in the example above ++appears on standard output when the program is run. ++ ++However, to aid in formatting template source code, if an action's left ++delimiter (by default "{{") is followed immediately by a minus sign and white ++space, all trailing white space is trimmed from the immediately preceding text. ++Similarly, if the right delimiter ("}}") is preceded by white space and a minus ++sign, all leading white space is trimmed from the immediately following text. ++In these trim markers, the white space must be present: ++"{{- 3}}" is like "{{3}}" but trims the immediately preceding text, while ++"{{-3}}" parses as an action containing the number -3. 
+ + For instance, when executing the template whose source is + +diff --git a/src/text/template/exec_test.go b/src/text/template/exec_test.go +index b8a809e..3309b33 100644 +--- a/src/text/template/exec_test.go ++++ b/src/text/template/exec_test.go +@@ -1295,7 +1295,7 @@ func TestUnterminatedStringError(t *testing.T) { + t.Fatal("expected error") + } + str := err.Error() +- if !strings.Contains(str, "X:3: unexpected unterminated raw quoted string") { ++ if !strings.Contains(str, "X:3: unterminated raw quoted string") { + t.Fatalf("unexpected error: %s", str) + } + } +diff --git a/src/text/template/parse/lex.go b/src/text/template/parse/lex.go +index e41373a..6784071 100644 +--- a/src/text/template/parse/lex.go ++++ b/src/text/template/parse/lex.go +@@ -92,15 +92,14 @@ const eof = -1 + // If the action begins "{{- " rather than "{{", then all space/tab/newlines + // preceding the action are trimmed; conversely if it ends " -}}" the + // leading spaces are trimmed. This is done entirely in the lexer; the +-// parser never sees it happen. We require an ASCII space to be +-// present to avoid ambiguity with things like "{{-3}}". It reads ++// parser never sees it happen. We require an ASCII space (' ', \t, \r, \n) ++// to be present to avoid ambiguity with things like "{{-3}}". It reads + // better with the space present anyway. For simplicity, only ASCII +-// space does the job. ++// does the job. + const ( +- spaceChars = " \t\r\n" // These are the space characters defined by Go itself. +- leftTrimMarker = "- " // Attached to left delimiter, trims trailing spaces from preceding text. +- rightTrimMarker = " -" // Attached to right delimiter, trims leading spaces from following text. +- trimMarkerLen = Pos(len(leftTrimMarker)) ++ spaceChars = " \t\r\n" // These are the space characters defined by Go itself. ++ trimMarker = '-' // Attached to left/right delimiter, trims trailing spaces from preceding/following text. 
++ trimMarkerLen = Pos(1 + 1) // marker plus space before or after + ) + + // stateFn represents the state of the scanner as a function that returns the next state. +@@ -108,19 +107,18 @@ type stateFn func(*lexer) stateFn + + // lexer holds the state of the scanner. + type lexer struct { +- name string // the name of the input; used only for error reports +- input string // the string being scanned +- leftDelim string // start of action +- rightDelim string // end of action +- trimRightDelim string // end of action with trim marker +- emitComment bool // emit itemComment tokens. +- pos Pos // current position in the input +- start Pos // start position of this item +- width Pos // width of last rune read from input +- items chan item // channel of scanned items +- parenDepth int // nesting depth of ( ) exprs +- line int // 1+number of newlines seen +- startLine int // start line of this item ++ name string // the name of the input; used only for error reports ++ input string // the string being scanned ++ leftDelim string // start of action ++ rightDelim string // end of action ++ emitComment bool // emit itemComment tokens. ++ pos Pos // current position in the input ++ start Pos // start position of this item ++ width Pos // width of last rune read from input ++ items chan item // channel of scanned items ++ parenDepth int // nesting depth of ( ) exprs ++ line int // 1+number of newlines seen ++ startLine int // start line of this item + } + + // next returns the next rune in the input. 
+@@ -213,15 +211,14 @@ func lex(name, input, left, right string, emitComment bool) *lexer { + right = rightDelim + } + l := &lexer{ +- name: name, +- input: input, +- leftDelim: left, +- rightDelim: right, +- trimRightDelim: rightTrimMarker + right, +- emitComment: emitComment, +- items: make(chan item), +- line: 1, +- startLine: 1, ++ name: name, ++ input: input, ++ leftDelim: left, ++ rightDelim: right, ++ emitComment: emitComment, ++ items: make(chan item), ++ line: 1, ++ startLine: 1, + } + go l.run() + return l +@@ -251,7 +248,7 @@ func lexText(l *lexer) stateFn { + ldn := Pos(len(l.leftDelim)) + l.pos += Pos(x) + trimLength := Pos(0) +- if strings.HasPrefix(l.input[l.pos+ldn:], leftTrimMarker) { ++ if hasLeftTrimMarker(l.input[l.pos+ldn:]) { + trimLength = rightTrimLength(l.input[l.start:l.pos]) + } + l.pos -= trimLength +@@ -280,7 +277,7 @@ func rightTrimLength(s string) Pos { + + // atRightDelim reports whether the lexer is at a right delimiter, possibly preceded by a trim marker. + func (l *lexer) atRightDelim() (delim, trimSpaces bool) { +- if strings.HasPrefix(l.input[l.pos:], l.trimRightDelim) { // With trim marker. ++ if hasRightTrimMarker(l.input[l.pos:]) && strings.HasPrefix(l.input[l.pos+trimMarkerLen:], l.rightDelim) { // With trim marker. + return true, true + } + if strings.HasPrefix(l.input[l.pos:], l.rightDelim) { // Without trim marker. +@@ -297,7 +294,7 @@ func leftTrimLength(s string) Pos { + // lexLeftDelim scans the left delimiter, which is known to be present, possibly with a trim marker. + func lexLeftDelim(l *lexer) stateFn { + l.pos += Pos(len(l.leftDelim)) +- trimSpace := strings.HasPrefix(l.input[l.pos:], leftTrimMarker) ++ trimSpace := hasLeftTrimMarker(l.input[l.pos:]) + afterMarker := Pos(0) + if trimSpace { + afterMarker = trimMarkerLen +@@ -342,7 +339,7 @@ func lexComment(l *lexer) stateFn { + + // lexRightDelim scans the right delimiter, which is known to be present, possibly with a trim marker. 
+ func lexRightDelim(l *lexer) stateFn { +- trimSpace := strings.HasPrefix(l.input[l.pos:], rightTrimMarker) ++ trimSpace := hasRightTrimMarker(l.input[l.pos:]) + if trimSpace { + l.pos += trimMarkerLen + l.ignore() +@@ -369,7 +366,7 @@ func lexInsideAction(l *lexer) stateFn { + return l.errorf("unclosed left paren") + } + switch r := l.next(); { +- case r == eof || isEndOfLine(r): ++ case r == eof: + return l.errorf("unclosed action") + case isSpace(r): + l.backup() // Put space back in case we have " -}}". +@@ -439,7 +436,7 @@ func lexSpace(l *lexer) stateFn { + } + // Be careful about a trim-marked closing delimiter, which has a minus + // after a space. We know there is a space, so check for the '-' that might follow. +- if strings.HasPrefix(l.input[l.pos-1:], l.trimRightDelim) { ++ if hasRightTrimMarker(l.input[l.pos-1:]) && strings.HasPrefix(l.input[l.pos-1+trimMarkerLen:], l.rightDelim) { + l.backup() // Before the space. + if numSpaces == 1 { + return lexRightDelim // On the delim, so go right to that. +@@ -526,7 +523,7 @@ func lexFieldOrVariable(l *lexer, typ itemType) stateFn { + // day to implement arithmetic. + func (l *lexer) atTerminator() bool { + r := l.peek() +- if isSpace(r) || isEndOfLine(r) { ++ if isSpace(r) { + return true + } + switch r { +@@ -657,15 +654,18 @@ Loop: + + // isSpace reports whether r is a space character. + func isSpace(r rune) bool { +- return r == ' ' || r == '\t' +-} +- +-// isEndOfLine reports whether r is an end-of-line character. +-func isEndOfLine(r rune) bool { +- return r == '\r' || r == '\n' ++ return r == ' ' || r == '\t' || r == '\r' || r == '\n' + } + + // isAlphaNumeric reports whether r is an alphabetic, digit, or underscore. 
+ func isAlphaNumeric(r rune) bool { + return r == '_' || unicode.IsLetter(r) || unicode.IsDigit(r) + } ++ ++func hasLeftTrimMarker(s string) bool { ++ return len(s) >= 2 && s[0] == trimMarker && isSpace(rune(s[1])) ++} ++ ++func hasRightTrimMarker(s string) bool { ++ return len(s) >= 2 && isSpace(rune(s[0])) && s[1] == trimMarker ++} +diff --git a/src/text/template/parse/lex_test.go b/src/text/template/parse/lex_test.go +index f6d5f28..6510eed 100644 +--- a/src/text/template/parse/lex_test.go ++++ b/src/text/template/parse/lex_test.go +@@ -323,7 +323,7 @@ var lexTests = []lexTest{ + tLeft, + mkItem(itemError, "unrecognized character in action: U+0001"), + }}, +- {"unclosed action", "{{\n}}", []item{ ++ {"unclosed action", "{{", []item{ + tLeft, + mkItem(itemError, "unclosed action"), + }}, +diff --git a/src/text/template/parse/parse.go b/src/text/template/parse/parse.go +index 496d8bf..5e6e512 100644 +--- a/src/text/template/parse/parse.go ++++ b/src/text/template/parse/parse.go +@@ -24,13 +24,14 @@ type Tree struct { + Mode Mode // parsing mode. + text string // text parsed to create the template (or its parent) + // Parsing only; cleared after parse. +- funcs []map[string]interface{} +- lex *lexer +- token [3]item // three-token lookahead for parser. +- peekCount int +- vars []string // variables defined at the moment. +- treeSet map[string]*Tree +- mode Mode ++ funcs []map[string]interface{} ++ lex *lexer ++ token [3]item // three-token lookahead for parser. ++ peekCount int ++ vars []string // variables defined at the moment. ++ treeSet map[string]*Tree ++ actionLine int // line of left delim starting action ++ mode Mode + } + + // A mode value is a set of flags (or 0). Modes control parser behavior. +@@ -187,6 +188,16 @@ func (t *Tree) expectOneOf(expected1, expected2 itemType, context string) item { + + // unexpected complains about the token and terminates processing. 
+ func (t *Tree) unexpected(token item, context string) { ++ if token.typ == itemError { ++ extra := "" ++ if t.actionLine != 0 && t.actionLine != token.line { ++ extra = fmt.Sprintf(" in action started at %s:%d", t.ParseName, t.actionLine) ++ if strings.HasSuffix(token.val, " action") { ++ extra = extra[len(" in action"):] // avoid "action in action" ++ } ++ } ++ t.errorf("%s%s", token, extra) ++ } + t.errorf("unexpected %s in %s", token, context) + } + +@@ -350,6 +361,8 @@ func (t *Tree) textOrAction() Node { + case itemText: + return t.newText(token.pos, token.val) + case itemLeftDelim: ++ t.actionLine = token.line ++ defer t.clearActionLine() + return t.action() + case itemComment: + return t.newComment(token.pos, token.val) +@@ -359,6 +372,10 @@ func (t *Tree) textOrAction() Node { + return nil + } + ++func (t *Tree) clearActionLine() { ++ t.actionLine = 0 ++} ++ + // Action: + // control + // command ("|" command)* +@@ -384,12 +401,12 @@ func (t *Tree) action() (n Node) { + t.backup() + token := t.peek() + // Do not pop variables; they persist until "end". +- return t.newAction(token.pos, token.line, t.pipeline("command")) ++ return t.newAction(token.pos, token.line, t.pipeline("command", itemRightDelim)) + } + + // Pipeline: + // declarations? command ('|' command)* +-func (t *Tree) pipeline(context string) (pipe *PipeNode) { ++func (t *Tree) pipeline(context string, end itemType) (pipe *PipeNode) { + token := t.peekNonSpace() + pipe = t.newPipeline(token.pos, token.line, nil) + // Are there declarations or assignments? 
+@@ -430,12 +447,9 @@ decls: + } + for { + switch token := t.nextNonSpace(); token.typ { +- case itemRightDelim, itemRightParen: ++ case end: + // At this point, the pipeline is complete + t.checkPipeline(pipe, context) +- if token.typ == itemRightParen { +- t.backup() +- } + return + case itemBool, itemCharConstant, itemComplex, itemDot, itemField, itemIdentifier, + itemNumber, itemNil, itemRawString, itemString, itemVariable, itemLeftParen: +@@ -464,7 +478,7 @@ func (t *Tree) checkPipeline(pipe *PipeNode, context string) { + + func (t *Tree) parseControl(allowElseIf bool, context string) (pos Pos, line int, pipe *PipeNode, list, elseList *ListNode) { + defer t.popVars(len(t.vars)) +- pipe = t.pipeline(context) ++ pipe = t.pipeline(context, itemRightDelim) + var next Node + list, next = t.itemList() + switch next.Type() { +@@ -550,7 +564,7 @@ func (t *Tree) blockControl() Node { + + token := t.nextNonSpace() + name := t.parseTemplateName(token, context) +- pipe := t.pipeline(context) ++ pipe := t.pipeline(context, itemRightDelim) + + block := New(name) // name will be updated once we know it. + block.text = t.text +@@ -580,7 +594,7 @@ func (t *Tree) templateControl() Node { + if t.nextNonSpace().typ != itemRightDelim { + t.backup() + // Do not pop variables; they persist until "end". +- pipe = t.pipeline(context) ++ pipe = t.pipeline(context, itemRightDelim) + } + return t.newTemplate(token.pos, token.line, name, pipe) + } +@@ -614,13 +628,12 @@ func (t *Tree) command() *CommandNode { + switch token := t.next(); token.typ { + case itemSpace: + continue +- case itemError: +- t.errorf("%s", token.val) + case itemRightDelim, itemRightParen: + t.backup() + case itemPipe: ++ // nothing here; break loop below + default: +- t.errorf("unexpected %s in operand", token) ++ t.unexpected(token, "operand") + } + break + } +@@ -675,8 +688,6 @@ func (t *Tree) operand() Node { + // A nil return means the next item is not a term. 
+ func (t *Tree) term() Node { + switch token := t.nextNonSpace(); token.typ { +- case itemError: +- t.errorf("%s", token.val) + case itemIdentifier: + if !t.hasFunction(token.val) { + t.errorf("function %q not defined", token.val) +@@ -699,11 +710,7 @@ func (t *Tree) term() Node { + } + return number + case itemLeftParen: +- pipe := t.pipeline("parenthesized pipeline") +- if token := t.next(); token.typ != itemRightParen { +- t.errorf("unclosed right paren: unexpected %s", token) +- } +- return pipe ++ return t.pipeline("parenthesized pipeline", itemRightParen) + case itemString, itemRawString: + s, err := strconv.Unquote(token.val) + if err != nil { +diff --git a/src/text/template/parse/parse_test.go b/src/text/template/parse/parse_test.go +index d9c13c5..220f984 100644 +--- a/src/text/template/parse/parse_test.go ++++ b/src/text/template/parse/parse_test.go +@@ -250,6 +250,13 @@ var parseTests = []parseTest{ + {"comment trim left and right", "x \r\n\t{{- /* */ -}}\n\n\ty", noError, `"x""y"`}, + {"block definition", `{{block "foo" .}}hello{{end}}`, noError, + `{{template "foo" .}}`}, ++ ++ {"newline in assignment", "{{ $x \n := \n 1 \n }}", noError, "{{$x := 1}}"}, ++ {"newline in empty action", "{{\n}}", hasError, "{{\n}}"}, ++ {"newline in pipeline", "{{\n\"x\"\n|\nprintf\n}}", noError, `{{"x" | printf}}`}, ++ {"newline in comment", "{{/*\nhello\n*/}}", noError, ""}, ++ {"newline in comment", "{{-\n/*\nhello\n*/\n-}}", noError, ""}, ++ + // Errors. + {"unclosed action", "hello{{range", hasError, ""}, + {"unmatched end", "{{end}}", hasError, ""}, +@@ -426,23 +433,38 @@ var errorTests = []parseTest{ + // Check line numbers are accurate. 
+ {"unclosed1", + "line1\n{{", +- hasError, `unclosed1:2: unexpected unclosed action in command`}, ++ hasError, `unclosed1:2: unclosed action`}, + {"unclosed2", + "line1\n{{define `x`}}line2\n{{", +- hasError, `unclosed2:3: unexpected unclosed action in command`}, ++ hasError, `unclosed2:3: unclosed action`}, ++ {"unclosed3", ++ "line1\n{{\"x\"\n\"y\"\n", ++ hasError, `unclosed3:4: unclosed action started at unclosed3:2`}, ++ {"unclosed4", ++ "{{\n\n\n\n\n", ++ hasError, `unclosed4:6: unclosed action started at unclosed4:1`}, ++ {"var1", ++ "line1\n{{\nx\n}}", ++ hasError, `var1:3: function "x" not defined`}, + // Specific errors. + {"function", + "{{foo}}", + hasError, `function "foo" not defined`}, +- {"comment", ++ {"comment1", + "{{/*}}", +- hasError, `unclosed comment`}, ++ hasError, `comment1:1: unclosed comment`}, ++ {"comment2", ++ "{{/*\nhello\n}}", ++ hasError, `comment2:1: unclosed comment`}, + {"lparen", + "{{.X (1 2 3}}", + hasError, `unclosed left paren`}, + {"rparen", +- "{{.X 1 2 3)}}", +- hasError, `unexpected ")"`}, ++ "{{.X 1 2 3 ) }}", ++ hasError, `unexpected ")" in command`}, ++ {"rparen2", ++ "{{(.X 1 2 3", ++ hasError, `unclosed action`}, + {"space", + "{{`x`3}}", + hasError, `in operand`}, +@@ -488,7 +510,7 @@ var errorTests = []parseTest{ + hasError, `missing value for parenthesized pipeline`}, + {"multilinerawstring", + "{{ $v := `\n` }} {{", +- hasError, `multilinerawstring:2: unexpected unclosed action`}, ++ hasError, `multilinerawstring:2: unclosed action`}, + {"rangeundefvar", + "{{range $k}}{{end}}", + hasError, `undefined variable`}, +-- +2.7.4 diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch new file mode 100644 index 0000000000..fc38929648 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch 
@@ -0,0 +1,585 @@ +From e0e6bca6ddc0e6d9fa3a5b644af9b446924fbf83 Mon Sep 17 00:00:00 2001 +From: Russ Cox <rsc@golang.org> +Date: Thu, 20 May 2021 12:46:33 -0400 +Subject: [PATCH 5/6] html/template, text/template: implement break and + continue for range loops + +Break and continue for range loops was accepted as a proposal in June 2017. +It was implemented in CL 66410 (Oct 2017) +but then rolled back in CL 92155 (Feb 2018) +because html/template changes had not been implemented. + +This CL reimplements break and continue in text/template +and then adds support for them in html/template as well. + +Fixes #20531. + +Change-Id: I05330482a976f1c078b4b49c2287bd9031bb7616 +Reviewed-on: https://go-review.googlesource.com/c/go/+/321491 +Trust: Russ Cox <rsc@golang.org> +Run-TryBot: Russ Cox <rsc@golang.org> +TryBot-Result: Go Bot <gobot@golang.org> +Reviewed-by: Rob Pike <r@golang.org> + +Dependency Patch #5 + +Upstream-Status: Backport from https://github.com/golang/go/commit/d0dd26a88c019d54f22463daae81e785f5867565 +CVE: CVE-2023-24538 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + src/html/template/context.go | 4 ++ + src/html/template/escape.go | 71 ++++++++++++++++++++++++++++++++++- + src/html/template/escape_test.go | 24 ++++++++++++ + src/text/template/doc.go | 8 ++++ + src/text/template/exec.go | 24 +++++++++++- + src/text/template/exec_test.go | 2 + + src/text/template/parse/lex.go | 13 ++++++- + src/text/template/parse/lex_test.go | 2 + + src/text/template/parse/node.go | 36 ++++++++++++++++++ + src/text/template/parse/parse.go | 42 ++++++++++++++++++++- + src/text/template/parse/parse_test.go | 8 ++++ + 11 files changed, 230 insertions(+), 4 deletions(-) + +diff --git a/src/html/template/context.go b/src/html/template/context.go +index f7d4849..aaa7d08 100644 +--- a/src/html/template/context.go ++++ b/src/html/template/context.go +@@ -6,6 +6,7 @@ package template + + import ( + "fmt" ++ "text/template/parse" + ) + + // context describes the 
state an HTML parser must be in when it reaches the +@@ -22,6 +23,7 @@ type context struct { + jsCtx jsCtx + attr attr + element element ++ n parse.Node // for range break/continue + err *Error + } + +@@ -141,6 +143,8 @@ const ( + // stateError is an infectious error state outside any valid + // HTML/CSS/JS construct. + stateError ++ // stateDead marks unreachable code after a {{break}} or {{continue}}. ++ stateDead + ) + + // isComment is true for any state that contains content meant for template +diff --git a/src/html/template/escape.go b/src/html/template/escape.go +index 8739735..6dea79c 100644 +--- a/src/html/template/escape.go ++++ b/src/html/template/escape.go +@@ -97,6 +97,15 @@ type escaper struct { + actionNodeEdits map[*parse.ActionNode][]string + templateNodeEdits map[*parse.TemplateNode]string + textNodeEdits map[*parse.TextNode][]byte ++ // rangeContext holds context about the current range loop. ++ rangeContext *rangeContext ++} ++ ++// rangeContext holds information about the current range loop. ++type rangeContext struct { ++ outer *rangeContext // outer loop ++ breaks []context // context at each break action ++ continues []context // context at each continue action + } + + // makeEscaper creates a blank escaper for the given set. 
+@@ -109,6 +118,7 @@ func makeEscaper(n *nameSpace) escaper { + map[*parse.ActionNode][]string{}, + map[*parse.TemplateNode]string{}, + map[*parse.TextNode][]byte{}, ++ nil, + } + } + +@@ -124,8 +134,16 @@ func (e *escaper) escape(c context, n parse.Node) context { + switch n := n.(type) { + case *parse.ActionNode: + return e.escapeAction(c, n) ++ case *parse.BreakNode: ++ c.n = n ++ e.rangeContext.breaks = append(e.rangeContext.breaks, c) ++ return context{state: stateDead} + case *parse.CommentNode: + return c ++ case *parse.ContinueNode: ++ c.n = n ++ e.rangeContext.continues = append(e.rangeContext.breaks, c) ++ return context{state: stateDead} + case *parse.IfNode: + return e.escapeBranch(c, &n.BranchNode, "if") + case *parse.ListNode: +@@ -427,6 +445,12 @@ func join(a, b context, node parse.Node, nodeName string) context { + if b.state == stateError { + return b + } ++ if a.state == stateDead { ++ return b ++ } ++ if b.state == stateDead { ++ return a ++ } + if a.eq(b) { + return a + } +@@ -466,14 +490,27 @@ func join(a, b context, node parse.Node, nodeName string) context { + + // escapeBranch escapes a branch template node: "if", "range" and "with". + func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string) context { ++ if nodeName == "range" { ++ e.rangeContext = &rangeContext{outer: e.rangeContext} ++ } + c0 := e.escapeList(c, n.List) +- if nodeName == "range" && c0.state != stateError { ++ if nodeName == "range" { ++ if c0.state != stateError { ++ c0 = joinRange(c0, e.rangeContext) ++ } ++ e.rangeContext = e.rangeContext.outer ++ if c0.state == stateError { ++ return c0 ++ } ++ + // The "true" branch of a "range" node can execute multiple times. + // We check that executing n.List once results in the same context + // as executing n.List twice. 
++ e.rangeContext = &rangeContext{outer: e.rangeContext} + c1, _ := e.escapeListConditionally(c0, n.List, nil) + c0 = join(c0, c1, n, nodeName) + if c0.state == stateError { ++ e.rangeContext = e.rangeContext.outer + // Make clear that this is a problem on loop re-entry + // since developers tend to overlook that branch when + // debugging templates. +@@ -481,11 +518,39 @@ func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string) + c0.err.Description = "on range loop re-entry: " + c0.err.Description + return c0 + } ++ c0 = joinRange(c0, e.rangeContext) ++ e.rangeContext = e.rangeContext.outer ++ if c0.state == stateError { ++ return c0 ++ } + } + c1 := e.escapeList(c, n.ElseList) + return join(c0, c1, n, nodeName) + } + ++func joinRange(c0 context, rc *rangeContext) context { ++ // Merge contexts at break and continue statements into overall body context. ++ // In theory we could treat breaks differently from continues, but for now it is ++ // enough to treat them both as going back to the start of the loop (which may then stop). ++ for _, c := range rc.breaks { ++ c0 = join(c0, c, c.n, "range") ++ if c0.state == stateError { ++ c0.err.Line = c.n.(*parse.BreakNode).Line ++ c0.err.Description = "at range loop break: " + c0.err.Description ++ return c0 ++ } ++ } ++ for _, c := range rc.continues { ++ c0 = join(c0, c, c.n, "range") ++ if c0.state == stateError { ++ c0.err.Line = c.n.(*parse.ContinueNode).Line ++ c0.err.Description = "at range loop continue: " + c0.err.Description ++ return c0 ++ } ++ } ++ return c0 ++} ++ + // escapeList escapes a list template node. 
+ func (e *escaper) escapeList(c context, n *parse.ListNode) context { + if n == nil { +@@ -493,6 +558,9 @@ func (e *escaper) escapeList(c context, n *parse.ListNode) context { + } + for _, m := range n.Nodes { + c = e.escape(c, m) ++ if c.state == stateDead { ++ break ++ } + } + return c + } +@@ -503,6 +571,7 @@ func (e *escaper) escapeList(c context, n *parse.ListNode) context { + // which is the same as whether e was updated. + func (e *escaper) escapeListConditionally(c context, n *parse.ListNode, filter func(*escaper, context) bool) (context, bool) { + e1 := makeEscaper(e.ns) ++ e1.rangeContext = e.rangeContext + // Make type inferences available to f. + for k, v := range e.output { + e1.output[k] = v +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go +index c709660..fa2b84a 100644 +--- a/src/html/template/escape_test.go ++++ b/src/html/template/escape_test.go +@@ -920,6 +920,22 @@ func TestErrors(t *testing.T) { + "<a href='/foo?{{range .Items}}&{{.K}}={{.V}}{{end}}'>", + "", + }, ++ { ++ "{{range .Items}}<a{{if .X}}{{end}}>{{end}}", ++ "", ++ }, ++ { ++ "{{range .Items}}<a{{if .X}}{{end}}>{{continue}}{{end}}", ++ "", ++ }, ++ { ++ "{{range .Items}}<a{{if .X}}{{end}}>{{break}}{{end}}", ++ "", ++ }, ++ { ++ "{{range .Items}}<a{{if .X}}{{end}}>{{if .X}}{{break}}{{end}}{{end}}", ++ "", ++ }, + // Error cases. 
+ { + "{{if .Cond}}<a{{end}}", +@@ -956,6 +972,14 @@ func TestErrors(t *testing.T) { + "z:2:8: on range loop re-entry: {{range}} branches", + }, + { ++ "{{range .Items}}<a{{if .X}}{{break}}{{end}}>{{end}}", ++ "z:1:29: at range loop break: {{range}} branches end in different contexts", ++ }, ++ { ++ "{{range .Items}}<a{{if .X}}{{continue}}{{end}}>{{end}}", ++ "z:1:29: at range loop continue: {{range}} branches end in different contexts", ++ }, ++ { + "<a b=1 c={{.H}}", + "z: ends in a non-text context: {stateAttr delimSpaceOrTagEnd", + }, +diff --git a/src/text/template/doc.go b/src/text/template/doc.go +index 7b30294..0228b15 100644 +--- a/src/text/template/doc.go ++++ b/src/text/template/doc.go +@@ -112,6 +112,14 @@ data, defined in detail in the corresponding sections that follow. + T0 is executed; otherwise, dot is set to the successive elements + of the array, slice, or map and T1 is executed. + ++ {{break}} ++ The innermost {{range pipeline}} loop is ended early, stopping the ++ current iteration and bypassing all remaining iterations. ++ ++ {{continue}} ++ The current iteration of the innermost {{range pipeline}} loop is ++ stopped, and the loop starts the next iteration. ++ + {{template "name"}} + The template with the specified name is executed with nil data. + +diff --git a/src/text/template/exec.go b/src/text/template/exec.go +index 7ac5175..6cb140a 100644 +--- a/src/text/template/exec.go ++++ b/src/text/template/exec.go +@@ -5,6 +5,7 @@ + package template + + import ( ++ "errors" + "fmt" + "internal/fmtsort" + "io" +@@ -244,6 +245,12 @@ func (t *Template) DefinedTemplates() string { + return b.String() + } + ++// Sentinel errors for use with panic to signal early exits from range loops. ++var ( ++ walkBreak = errors.New("break") ++ walkContinue = errors.New("continue") ++) ++ + // Walk functions step through the major pieces of the template structure, + // generating output as they go. 
+ func (s *state) walk(dot reflect.Value, node parse.Node) { +@@ -256,7 +263,11 @@ func (s *state) walk(dot reflect.Value, node parse.Node) { + if len(node.Pipe.Decl) == 0 { + s.printValue(node, val) + } ++ case *parse.BreakNode: ++ panic(walkBreak) + case *parse.CommentNode: ++ case *parse.ContinueNode: ++ panic(walkContinue) + case *parse.IfNode: + s.walkIfOrWith(parse.NodeIf, dot, node.Pipe, node.List, node.ElseList) + case *parse.ListNode: +@@ -335,6 +346,11 @@ func isTrue(val reflect.Value) (truth, ok bool) { + + func (s *state) walkRange(dot reflect.Value, r *parse.RangeNode) { + s.at(r) ++ defer func() { ++ if r := recover(); r != nil && r != walkBreak { ++ panic(r) ++ } ++ }() + defer s.pop(s.mark()) + val, _ := indirect(s.evalPipeline(dot, r.Pipe)) + // mark top of stack before any variables in the body are pushed. +@@ -348,8 +364,14 @@ func (s *state) walkRange(dot reflect.Value, r *parse.RangeNode) { + if len(r.Pipe.Decl) > 1 { + s.setTopVar(2, index) + } ++ defer s.pop(mark) ++ defer func() { ++ // Consume panic(walkContinue) ++ if r := recover(); r != nil && r != walkContinue { ++ panic(r) ++ } ++ }() + s.walk(elem, r.List) +- s.pop(mark) + } + switch val.Kind() { + case reflect.Array, reflect.Slice: +diff --git a/src/text/template/exec_test.go b/src/text/template/exec_test.go +index 3309b33..a639f44 100644 +--- a/src/text/template/exec_test.go ++++ b/src/text/template/exec_test.go +@@ -563,6 +563,8 @@ var execTests = []execTest{ + {"range empty no else", "{{range .SIEmpty}}-{{.}}-{{end}}", "", tVal, true}, + {"range []int else", "{{range .SI}}-{{.}}-{{else}}EMPTY{{end}}", "-3--4--5-", tVal, true}, + {"range empty else", "{{range .SIEmpty}}-{{.}}-{{else}}EMPTY{{end}}", "EMPTY", tVal, true}, ++ {"range []int break else", "{{range .SI}}-{{.}}-{{break}}NOTREACHED{{else}}EMPTY{{end}}", "-3-", tVal, true}, ++ {"range []int continue else", "{{range .SI}}-{{.}}-{{continue}}NOTREACHED{{else}}EMPTY{{end}}", "-3--4--5-", tVal, true}, + {"range []bool", "{{range 
.SB}}-{{.}}-{{end}}", "-true--false-", tVal, true}, + {"range []int method", "{{range .SI | .MAdd .I}}-{{.}}-{{end}}", "-20--21--22-", tVal, true}, + {"range map", "{{range .MSI}}-{{.}}-{{end}}", "-1--3--2-", tVal, true}, +diff --git a/src/text/template/parse/lex.go b/src/text/template/parse/lex.go +index 6784071..95e3377 100644 +--- a/src/text/template/parse/lex.go ++++ b/src/text/template/parse/lex.go +@@ -62,6 +62,8 @@ const ( + // Keywords appear after all the rest. + itemKeyword // used only to delimit the keywords + itemBlock // block keyword ++ itemBreak // break keyword ++ itemContinue // continue keyword + itemDot // the cursor, spelled '.' + itemDefine // define keyword + itemElse // else keyword +@@ -76,6 +78,8 @@ const ( + var key = map[string]itemType{ + ".": itemDot, + "block": itemBlock, ++ "break": itemBreak, ++ "continue": itemContinue, + "define": itemDefine, + "else": itemElse, + "end": itemEnd, +@@ -119,6 +123,8 @@ type lexer struct { + parenDepth int // nesting depth of ( ) exprs + line int // 1+number of newlines seen + startLine int // start line of this item ++ breakOK bool // break keyword allowed ++ continueOK bool // continue keyword allowed + } + + // next returns the next rune in the input. 
+@@ -461,7 +467,12 @@ Loop: + } + switch { + case key[word] > itemKeyword: +- l.emit(key[word]) ++ item := key[word] ++ if item == itemBreak && !l.breakOK || item == itemContinue && !l.continueOK { ++ l.emit(itemIdentifier) ++ } else { ++ l.emit(item) ++ } + case word[0] == '.': + l.emit(itemField) + case word == "true", word == "false": +diff --git a/src/text/template/parse/lex_test.go b/src/text/template/parse/lex_test.go +index 6510eed..df6aabf 100644 +--- a/src/text/template/parse/lex_test.go ++++ b/src/text/template/parse/lex_test.go +@@ -35,6 +35,8 @@ var itemName = map[itemType]string{ + // keywords + itemDot: ".", + itemBlock: "block", ++ itemBreak: "break", ++ itemContinue: "continue", + itemDefine: "define", + itemElse: "else", + itemIf: "if", +diff --git a/src/text/template/parse/node.go b/src/text/template/parse/node.go +index a9dad5e..c398da0 100644 +--- a/src/text/template/parse/node.go ++++ b/src/text/template/parse/node.go +@@ -71,6 +71,8 @@ const ( + NodeVariable // A $ variable. + NodeWith // A with action. + NodeComment // A comment. ++ NodeBreak // A break action. ++ NodeContinue // A continue action. + ) + + // Nodes. +@@ -907,6 +909,40 @@ func (i *IfNode) Copy() Node { + return i.tr.newIf(i.Pos, i.Line, i.Pipe.CopyPipe(), i.List.CopyList(), i.ElseList.CopyList()) + } + ++// BreakNode represents a {{break}} action. ++type BreakNode struct { ++ tr *Tree ++ NodeType ++ Pos ++ Line int ++} ++ ++func (t *Tree) newBreak(pos Pos, line int) *BreakNode { ++ return &BreakNode{tr: t, NodeType: NodeBreak, Pos: pos, Line: line} ++} ++ ++func (b *BreakNode) Copy() Node { return b.tr.newBreak(b.Pos, b.Line) } ++func (b *BreakNode) String() string { return "{{break}}" } ++func (b *BreakNode) tree() *Tree { return b.tr } ++func (b *BreakNode) writeTo(sb *strings.Builder) { sb.WriteString("{{break}}") } ++ ++// ContinueNode represents a {{continue}} action. 
++type ContinueNode struct { ++ tr *Tree ++ NodeType ++ Pos ++ Line int ++} ++ ++func (t *Tree) newContinue(pos Pos, line int) *ContinueNode { ++ return &ContinueNode{tr: t, NodeType: NodeContinue, Pos: pos, Line: line} ++} ++ ++func (c *ContinueNode) Copy() Node { return c.tr.newContinue(c.Pos, c.Line) } ++func (c *ContinueNode) String() string { return "{{continue}}" } ++func (c *ContinueNode) tree() *Tree { return c.tr } ++func (c *ContinueNode) writeTo(sb *strings.Builder) { sb.WriteString("{{continue}}") } ++ + // RangeNode represents a {{range}} action and its commands. + type RangeNode struct { + BranchNode +diff --git a/src/text/template/parse/parse.go b/src/text/template/parse/parse.go +index 5e6e512..7f78b56 100644 +--- a/src/text/template/parse/parse.go ++++ b/src/text/template/parse/parse.go +@@ -31,6 +31,7 @@ type Tree struct { + vars []string // variables defined at the moment. + treeSet map[string]*Tree + actionLine int // line of left delim starting action ++ rangeDepth int + mode Mode + } + +@@ -223,6 +224,8 @@ func (t *Tree) startParse(funcs []map[string]interface{}, lex *lexer, treeSet ma + t.vars = []string{"$"} + t.funcs = funcs + t.treeSet = treeSet ++ lex.breakOK = !t.hasFunction("break") ++ lex.continueOK = !t.hasFunction("continue") + } + + // stopParse terminates parsing. +@@ -385,6 +388,10 @@ func (t *Tree) action() (n Node) { + switch token := t.nextNonSpace(); token.typ { + case itemBlock: + return t.blockControl() ++ case itemBreak: ++ return t.breakControl(token.pos, token.line) ++ case itemContinue: ++ return t.continueControl(token.pos, token.line) + case itemElse: + return t.elseControl() + case itemEnd: +@@ -404,6 +411,32 @@ func (t *Tree) action() (n Node) { + return t.newAction(token.pos, token.line, t.pipeline("command", itemRightDelim)) + } + ++// Break: ++// {{break}} ++// Break keyword is past. 
++func (t *Tree) breakControl(pos Pos, line int) Node { ++ if token := t.next(); token.typ != itemRightDelim { ++ t.unexpected(token, "in {{break}}") ++ } ++ if t.rangeDepth == 0 { ++ t.errorf("{{break}} outside {{range}}") ++ } ++ return t.newBreak(pos, line) ++} ++ ++// Continue: ++// {{continue}} ++// Continue keyword is past. ++func (t *Tree) continueControl(pos Pos, line int) Node { ++ if token := t.next(); token.typ != itemRightDelim { ++ t.unexpected(token, "in {{continue}}") ++ } ++ if t.rangeDepth == 0 { ++ t.errorf("{{continue}} outside {{range}}") ++ } ++ return t.newContinue(pos, line) ++} ++ + // Pipeline: + // declarations? command ('|' command)* + func (t *Tree) pipeline(context string, end itemType) (pipe *PipeNode) { +@@ -479,8 +512,14 @@ func (t *Tree) checkPipeline(pipe *PipeNode, context string) { + func (t *Tree) parseControl(allowElseIf bool, context string) (pos Pos, line int, pipe *PipeNode, list, elseList *ListNode) { + defer t.popVars(len(t.vars)) + pipe = t.pipeline(context, itemRightDelim) ++ if context == "range" { ++ t.rangeDepth++ ++ } + var next Node + list, next = t.itemList() ++ if context == "range" { ++ t.rangeDepth-- ++ } + switch next.Type() { + case nodeEnd: //done + case nodeElse: +@@ -522,7 +561,8 @@ func (t *Tree) ifControl() Node { + // {{range pipeline}} itemList {{else}} itemList {{end}} + // Range keyword is past. 
+ func (t *Tree) rangeControl() Node { +- return t.newRange(t.parseControl(false, "range")) ++ r := t.newRange(t.parseControl(false, "range")) ++ return r + } + + // With: +diff --git a/src/text/template/parse/parse_test.go b/src/text/template/parse/parse_test.go +index 220f984..ba45636 100644 +--- a/src/text/template/parse/parse_test.go ++++ b/src/text/template/parse/parse_test.go +@@ -230,6 +230,10 @@ var parseTests = []parseTest{ + `{{range $x := .SI}}{{.}}{{end}}`}, + {"range 2 vars", "{{range $x, $y := .SI}}{{.}}{{end}}", noError, + `{{range $x, $y := .SI}}{{.}}{{end}}`}, ++ {"range with break", "{{range .SI}}{{.}}{{break}}{{end}}", noError, ++ `{{range .SI}}{{.}}{{break}}{{end}}`}, ++ {"range with continue", "{{range .SI}}{{.}}{{continue}}{{end}}", noError, ++ `{{range .SI}}{{.}}{{continue}}{{end}}`}, + {"constants", "{{range .SI 1 -3.2i true false 'a' nil}}{{end}}", noError, + `{{range .SI 1 -3.2i true false 'a' nil}}{{end}}`}, + {"template", "{{template `x`}}", noError, +@@ -279,6 +283,10 @@ var parseTests = []parseTest{ + {"adjacent args", "{{printf 3`x`}}", hasError, ""}, + {"adjacent args with .", "{{printf `x`.}}", hasError, ""}, + {"extra end after if", "{{if .X}}a{{else if .Y}}b{{end}}{{end}}", hasError, ""}, ++ {"break outside range", "{{range .}}{{end}} {{break}}", hasError, ""}, ++ {"continue outside range", "{{range .}}{{end}} {{continue}}", hasError, ""}, ++ {"break in range else", "{{range .}}{{else}}{{break}}{{end}}", hasError, ""}, ++ {"continue in range else", "{{range .}}{{else}}{{continue}}{{end}}", hasError, ""}, + // Other kinds of assignments and operators aren't available yet. + {"bug0a", "{{$x := 0}}{{$x}}", noError, "{{$x := 0}}{{$x}}"}, + {"bug0b", "{{$x += 1}}{{$x}}", hasError, ""}, +-- +2.7.4 
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_6.patch similarity index 53% rename from meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch rename to meta/recipes-devtools/go/go-1.14/CVE-2023-24538_6.patch index d5bb33e091..baf400b891 100644 --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_6.patch @@ -1,7 +1,7 @@ From 16f4882984569f179d73967c9eee679bb9b098c5 Mon Sep 17 00:00:00 2001 From: Roland Shoemaker <bracewell@google.com> Date: Mon, 20 Mar 2023 11:01:13 -0700 -Subject: [PATCH 3/3] html/template: disallow actions in JS template literals +Subject: [PATCH 6/6] html/template: disallow actions in JS template literals ECMAScript 6 introduced template literals[0][1] which are delimited with backticks. These need to be escaped in a similar fashion to the @@ -52,12 +52,15 @@ CVE: CVE-2023-24538 Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> --- src/html/template/context.go | 2 ++ - src/html/template/error.go | 13 +++++++++++++ - src/html/template/escape.go | 11 +++++++++++ + src/html/template/error.go | 13 ++++++++ + src/html/template/escape.go | 11 +++++++ + src/html/template/escape_test.go | 66 ++++++++++++++++++++++----------------- src/html/template/js.go | 2 ++ - src/html/template/jsctx_string.go | 9 +++++++++ - src/html/template/transition.go | 7 ++++++- - 6 files changed, 43 insertions(+), 1 deletion(-) + src/html/template/js_test.go | 2 +- + src/html/template/jsctx_string.go | 9 ++++++ + src/html/template/state_string.go | 37 ++++++++++++++++++++-- + src/html/template/transition.go | 7 ++++- + 9 files changed, 116 insertions(+), 33 deletions(-) diff --git a/src/html/template/context.go b/src/html/template/context.go index f7d4849..0b65313 100644 
@@ -125,6 +128,104 @@ index f12dafa..29ca5b3 100644 case stateJSRegexp: s = append(s, "_html_template_jsregexpescaper") case stateCSS: +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go +index fa2b84a..1b150e9 100644 +--- a/src/html/template/escape_test.go ++++ b/src/html/template/escape_test.go +@@ -681,35 +681,31 @@ func TestEscape(t *testing.T) { + } + + for _, test := range tests { +- tmpl := New(test.name) +- tmpl = Must(tmpl.Parse(test.input)) +- // Check for bug 6459: Tree field was not set in Parse. +- if tmpl.Tree != tmpl.text.Tree { +- t.Errorf("%s: tree not set properly", test.name) +- continue +- } +- b := new(bytes.Buffer) +- if err := tmpl.Execute(b, data); err != nil { +- t.Errorf("%s: template execution failed: %s", test.name, err) +- continue +- } +- if w, g := test.output, b.String(); w != g { +- t.Errorf("%s: escaped output: want\n\t%q\ngot\n\t%q", test.name, w, g) +- continue +- } +- b.Reset() +- if err := tmpl.Execute(b, pdata); err != nil { +- t.Errorf("%s: template execution failed for pointer: %s", test.name, err) +- continue +- } +- if w, g := test.output, b.String(); w != g { +- t.Errorf("%s: escaped output for pointer: want\n\t%q\ngot\n\t%q", test.name, w, g) +- continue +- } +- if tmpl.Tree != tmpl.text.Tree { +- t.Errorf("%s: tree mismatch", test.name) +- continue +- } ++ t.Run(test.name, func(t *testing.T) { ++ tmpl := New(test.name) ++ tmpl = Must(tmpl.Parse(test.input)) ++ // Check for bug 6459: Tree field was not set in Parse. 
++ if tmpl.Tree != tmpl.text.Tree { ++ t.Fatalf("%s: tree not set properly", test.name) ++ } ++ b := new(strings.Builder) ++ if err := tmpl.Execute(b, data); err != nil { ++ t.Fatalf("%s: template execution failed: %s", test.name, err) ++ } ++ if w, g := test.output, b.String(); w != g { ++ t.Fatalf("%s: escaped output: want\n\t%q\ngot\n\t%q", test.name, w, g) ++ } ++ b.Reset() ++ if err := tmpl.Execute(b, pdata); err != nil { ++ t.Fatalf("%s: template execution failed for pointer: %s", test.name, err) ++ } ++ if w, g := test.output, b.String(); w != g { ++ t.Fatalf("%s: escaped output for pointer: want\n\t%q\ngot\n\t%q", test.name, w, g) ++ } ++ if tmpl.Tree != tmpl.text.Tree { ++ t.Fatalf("%s: tree mismatch", test.name) ++ } ++ }) + } + } + +@@ -936,6 +932,10 @@ func TestErrors(t *testing.T) { + "{{range .Items}}<a{{if .X}}{{end}}>{{if .X}}{{break}}{{end}}{{end}}", + "", + }, ++ { ++ "<script>var a = `${a+b}`</script>`", ++ "", ++ }, + // Error cases. + { + "{{if .Cond}}<a{{end}}", +@@ -1082,6 +1082,10 @@ func TestErrors(t *testing.T) { + // html is allowed since it is the last command in the pipeline, but urlquery is not. + `predefined escaper "urlquery" disallowed in template`, + }, ++ { ++ "<script>var tmpl = `asd {{.}}`;</script>", ++ `{{.}} appears in a JS template literal`, ++ }, + } + for _, test := range tests { + buf := new(bytes.Buffer) +@@ -1304,6 +1308,10 @@ func TestEscapeText(t *testing.T) { + context{state: stateJSSqStr, delim: delimDoubleQuote, attr: attrScript}, + }, + { ++ "<a onclick=\"`foo", ++ context{state: stateJSBqStr, delim: delimDoubleQuote, attr: attrScript}, ++ }, ++ { + `<A ONCLICK="'`, + context{state: stateJSSqStr, delim: delimDoubleQuote, attr: attrScript}, + }, diff --git a/src/html/template/js.go b/src/html/template/js.go index ea9c183..b888eaf 100644 --- a/src/html/template/js.go 
@@ -145,6 +246,19 @@ index ea9c183..b888eaf 100644 '+': `\u002b`, '/': `\/`, '<': `\u003c`, +diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go +index d7ee47b..7d963ae 100644 +--- a/src/html/template/js_test.go ++++ b/src/html/template/js_test.go +@@ -292,7 +292,7 @@ func TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) { + `0123456789:;\u003c=\u003e?` + + `@ABCDEFGHIJKLMNO` + + `PQRSTUVWXYZ[\\]^_` + +- "`abcdefghijklmno" + ++ "\\u0060abcdefghijklmno" + + "pqrstuvwxyz{|}~\u007f" + + "\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E", + }, diff --git a/src/html/template/jsctx_string.go b/src/html/template/jsctx_string.go index dd1d87e..2394893 100644 --- a/src/html/template/jsctx_string.go 
@@ -165,6 +279,55 @@ index dd1d87e..2394893 100644 const _jsCtx_name = "jsCtxRegexpjsCtxDivOpjsCtxUnknown" var _jsCtx_index = [...]uint8{0, 11, 21, 33} +diff --git a/src/html/template/state_string.go b/src/html/template/state_string.go +index 05104be..6fb1a6e 100644 +--- a/src/html/template/state_string.go ++++ b/src/html/template/state_string.go +@@ -4,9 +4,42 @@ package template + + import "strconv" + +-const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateError" ++func _() { ++ // An "invalid array index" compiler error signifies that the constant values have changed. ++ // Re-run the stringer command to generate them again. ++ var x [1]struct{} ++ _ = x[stateText-0] ++ _ = x[stateTag-1] ++ _ = x[stateAttrName-2] ++ _ = x[stateAfterName-3] ++ _ = x[stateBeforeValue-4] ++ _ = x[stateHTMLCmt-5] ++ _ = x[stateRCDATA-6] ++ _ = x[stateAttr-7] ++ _ = x[stateURL-8] ++ _ = x[stateSrcset-9] ++ _ = x[stateJS-10] ++ _ = x[stateJSDqStr-11] ++ _ = x[stateJSSqStr-12] ++ _ = x[stateJSBqStr-13] ++ _ = x[stateJSRegexp-14] ++ _ = x[stateJSBlockCmt-15] ++ _ = x[stateJSLineCmt-16] ++ _ = x[stateCSS-17] ++ _ = x[stateCSSDqStr-18] ++ _ = x[stateCSSSqStr-19] ++ _ = x[stateCSSDqURL-20] ++ _ = x[stateCSSSqURL-21] ++ _ = x[stateCSSURL-22] ++ _ = x[stateCSSBlockCmt-23] ++ _ = x[stateCSSLineCmt-24] ++ _ = x[stateError-25] ++ _ = x[stateDead-26] ++} ++ ++const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead" + +-var _state_index = [...]uint16{0, 9, 17, 30, 
44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 155, 170, 184, 192, 205, 218, 231, 244, 255, 271, 286, 296} ++var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 204, 217, 230, 243, 256, 267, 283, 298, 308, 317} + + func (i state) String() string { + if i >= state(len(_state_index)-1) { diff --git a/src/html/template/transition.go b/src/html/template/transition.go index 06df679..92eb351 100644 --- a/src/html/template/transition.go diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch index 20e70c0485..00def8fcda 100644 --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch @@ -34,9 +34,9 @@ Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> src/html/template/context.go | 6 ++- src/html/template/escape.go | 5 +- src/html/template/escape_test.go | 10 ++++ - src/html/template/state_string.go | 4 +- + src/html/template/state_string.go | 26 +++++----- src/html/template/transition.go | 80 ++++++++++++++++++++----------- - 5 files changed, 72 insertions(+), 33 deletions(-) + 5 files changed, 84 insertions(+), 43 deletions(-) diff --git a/src/html/template/context.go b/src/html/template/context.go index 0b65313..4eb7891 100644 @@ -105,14 +105,38 @@ diff --git a/src/html/template/state_string.go b/src/html/template/state_string. index 05104be..b5cfe70 100644 --- a/src/html/template/state_string.go 
+++ b/src/html/template/state_string.go -@@ -4,9 +4,9 @@ package template - - import "strconv" +@@ -25,21 +25,23 @@ func _() { + _ = x[stateJSRegexp-14] + _ = x[stateJSBlockCmt-15] + _ = x[stateJSLineCmt-16] +- _ = x[stateCSS-17] +- _ = x[stateCSSDqStr-18] +- _ = x[stateCSSSqStr-19] +- _ = x[stateCSSDqURL-20] +- _ = x[stateCSSSqURL-21] +- _ = x[stateCSSURL-22] +- _ = x[stateCSSBlockCmt-23] +- _ = x[stateCSSLineCmt-24] +- _ = x[stateError-25] +- _ = x[stateDead-26] ++ _ = x[stateJSHTMLOpenCmt-17] ++ _ = x[stateJSHTMLCloseCmt-18] ++ _ = x[stateCSS-19] ++ _ = x[stateCSSDqStr-20] ++ _ = x[stateCSSSqStr-21] ++ _ = x[stateCSSDqURL-22] ++ _ = x[stateCSSSqURL-23] ++ _ = x[stateCSSURL-24] ++ _ = x[stateCSSBlockCmt-25] ++ _ = x[stateCSSLineCmt-26] ++ _ = x[stateError-27] ++ _ = x[stateDead-28] + } --const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateError" +-const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead" +const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead" --var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 155, 170, 184, 192, 205, 218, 231, 244, 255, 271, 286, 296} +-var 
_state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 204, 217, 230, 243, 256, 267, 283, 298, 308, 317} +var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 214, 233, 241, 254, 267, 280, 293, 304, 320, 335, 345, 354} func (i state) String() string { -- 2.34.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
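Review bot: In the rewritten state_string.go hunk of CVE-2023-39318.patch, the removed `_state_name` line now contains stateJSBqStr and stateDead, which the previous version of this hunk did not, so the patch only applies once the earlier go-1.14 patches that introduce those states are in place. Please say so in the commit message and confirm that go-1.14.inc lists CVE-2023-39318.patch after them. The new `_state_index` does match the new names (196 to 214 and 214 to 233 are the 18 and 19 characters of stateJSHTMLOpenCmt and stateJSHTMLCloseCmt), but the message should state whether this table was regenerated or edited by hand, since a hand-edited offset table is easy to get wrong in the next backport.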
* [OE-core][dunfell 04/11] dbus: Backport fix for CVE-2023-34969 2023-10-10 14:14 [OE-core][dunfell 00/11] Patch review Steve Sakoman ` (2 preceding siblings ...) 2023-10-10 14:14 ` [OE-core][dunfell 03/11] go: Update fix for CVE-2023-24538 & CVE-2023-39318 Steve Sakoman @ 2023-10-10 14:14 ` Steve Sakoman 2023-10-10 14:14 ` [OE-core][dunfell 05/11] dbus: Add missing CVE_PRODUCT Steve Sakoman ` (6 subsequent siblings) 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2023-10-10 14:14 UTC (permalink / raw) To: openembedded-core From: Julian Haller <julian.haller@philips.com> Upstream commit https://gitlab.freedesktop.org/dbus/dbus/-/commit/37a4dc5835731a1f7a81f1b67c45b8dfb556dd1c Signed-off-by: Julian Haller <julian.haller@philips.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-core/dbus/dbus.inc | 1 + .../dbus/dbus/CVE-2023-34969.patch | 96 +++++++++++++++++++ 2 files changed, 97 insertions(+) create mode 100644 meta/recipes-core/dbus/dbus/CVE-2023-34969.patch diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc index 82e91c7b13..948aaf2e24 100644 --- a/meta/recipes-core/dbus/dbus.inc +++ b/meta/recipes-core/dbus/dbus.inc @@ -8,6 +8,7 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \ file://tmpdir.patch \ file://dbus-1.init \ file://clear-guid_from_server-if-send_negotiate_unix_f.patch \ + file://CVE-2023-34969.patch \ " SRC_URI[sha256sum] = "bc42d196c1756ac520d61bf3ccd6f42013617def45dd1e591a6091abf51dca38" diff --git a/meta/recipes-core/dbus/dbus/CVE-2023-34969.patch b/meta/recipes-core/dbus/dbus/CVE-2023-34969.patch new file mode 100644 index 0000000000..8f29185cf6 --- /dev/null +++ b/meta/recipes-core/dbus/dbus/CVE-2023-34969.patch 
@@ -0,0 +1,96 @@ +From 37a4dc5835731a1f7a81f1b67c45b8dfb556dd1c Mon Sep 17 00:00:00 2001 +From: hongjinghao <q1204531485@163.com> +Date: Mon, 5 Jun 2023 18:17:06 +0100 +Subject: [PATCH] bus: Assign a serial number for messages from the driver + +Normally, it's enough to rely on a message being given a serial number +by the DBusConnection just before it is actually sent. However, in the +rare case where the policy blocks the driver from sending a message +(due to a deny rule or the outgoing message quota being full), we need +to get a valid serial number sooner, so that we can copy it into the +DBUS_HEADER_FIELD_REPLY_SERIAL field (which is mandatory) in the error +message sent to monitors. Otherwise, the dbus-daemon will crash with +an assertion failure if at least one Monitoring client is attached, +because zero is not a valid serial number to copy. + +This fixes a denial-of-service vulnerability: if a privileged user is +monitoring the well-known system bus using a Monitoring client like +dbus-monitor or `busctl monitor`, then an unprivileged user can cause +denial-of-service by triggering this crash. A mitigation for this +vulnerability is to avoid attaching Monitoring clients to the system +bus when they are not needed. If there are no Monitoring clients, then +the vulnerable code is not reached. 
+ +Co-authored-by: Simon McVittie <smcv@collabora.com> +Resolves: dbus/dbus#457 +(cherry picked from commit b159849e031000d1dbc1ab876b5fc78a3ce9b534) +--- + bus/connection.c | 15 +++++++++++++++ + dbus/dbus-connection-internal.h | 2 ++ + dbus/dbus-connection.c | 11 ++++++++++- + 3 files changed, 27 insertions(+), 1 deletion(-) + +diff --git a/bus/connection.c b/bus/connection.c +index b3583433..215f0230 100644 +--- a/bus/connection.c ++++ b/bus/connection.c +@@ -2350,6 +2350,21 @@ bus_transaction_send_from_driver (BusTransaction *transaction, + if (!dbus_message_set_sender (message, DBUS_SERVICE_DBUS)) + return FALSE; + ++ /* Make sure the message has a non-zero serial number, otherwise ++ * bus_transaction_capture_error_reply() will not be able to mock up ++ * a corresponding reply for it. Normally this would be delayed until ++ * the first time we actually send the message out from a ++ * connection, when the transaction is committed, but that's too late ++ * in this case. ++ */ ++ if (dbus_message_get_serial (message) == 0) ++ { ++ dbus_uint32_t next_serial; ++ ++ next_serial = _dbus_connection_get_next_client_serial (connection); ++ dbus_message_set_serial (message, next_serial); ++ } ++ + if (bus_connection_is_active (connection)) + { + if (!dbus_message_set_destination (message, +diff --git a/dbus/dbus-connection-internal.h b/dbus/dbus-connection-internal.h +index 48357321..ba79b192 100644 +--- a/dbus/dbus-connection-internal.h ++++ b/dbus/dbus-connection-internal.h +@@ -54,6 +54,8 @@ DBUS_PRIVATE_EXPORT + DBusConnection * _dbus_connection_ref_unlocked (DBusConnection *connection); + DBUS_PRIVATE_EXPORT + void _dbus_connection_unref_unlocked (DBusConnection *connection); ++DBUS_PRIVATE_EXPORT ++dbus_uint32_t _dbus_connection_get_next_client_serial (DBusConnection *connection); + void _dbus_connection_queue_received_message_link (DBusConnection *connection, + DBusList *link); + dbus_bool_t _dbus_connection_has_messages_to_send_unlocked (DBusConnection 
*connection); +diff --git a/dbus/dbus-connection.c b/dbus/dbus-connection.c +index c525b6dc..09cef278 100644 +--- a/dbus/dbus-connection.c ++++ b/dbus/dbus-connection.c +@@ -1456,7 +1456,16 @@ _dbus_connection_unref_unlocked (DBusConnection *connection) + _dbus_connection_last_unref (connection); + } + +-static dbus_uint32_t ++/** ++ * Allocate and return the next non-zero serial number for outgoing messages. ++ * ++ * This method is only valid to call from single-threaded code, such as ++ * the dbus-daemon, or with the connection lock held. ++ * ++ * @param connection the connection ++ * @returns A suitable serial number for the next message to be sent on the connection. ++ */ ++dbus_uint32_t + _dbus_connection_get_next_client_serial (DBusConnection *connection) + { + dbus_uint32_t serial; +-- +2.25.1 + -- 2.34.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
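Review bot: The header of the new dbus/CVE-2023-34969.patch has no `Upstream-Status:` line, no `CVE:` tag and no Signed-off-by from the person who did the backport; it carries only the upstream `Co-authored-by`, `Resolves: dbus/dbus#457` and `(cherry picked from commit b159849e031000d1dbc1ab876b5fc78a3ce9b534)` trailers. The upstream URL appears in the mail's commit message but not in the patch file itself. Please add `Upstream-Status: Backport [https://gitlab.freedesktop.org/dbus/dbus/-/commit/37a4dc5835731a1f7a81f1b67c45b8dfb556dd1c]`, `CVE: CVE-2023-34969` and a Signed-off-by to the patch header, as the other patches in this series do.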
* [OE-core][dunfell 05/11] dbus: Add missing CVE_PRODUCT 2023-10-10 14:14 [OE-core][dunfell 00/11] Patch review Steve Sakoman ` (3 preceding siblings ...) 2023-10-10 14:14 ` [OE-core][dunfell 04/11] dbus: Backport fix for CVE-2023-34969 Steve Sakoman @ 2023-10-10 14:14 ` Steve Sakoman 2023-10-10 14:14 ` [OE-core][dunfell 06/11] xdg-utils: Fix CVE-2022-4055 Steve Sakoman ` (5 subsequent siblings) 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2023-10-10 14:14 UTC (permalink / raw) To: openembedded-core From: Julian Haller <julian.haller@philips.com> The current dunfell CVE scans report 0 CVEs for our dbus version. This is not correct, though, as we use the wrong product name to query it. Fix this to get a proper CVE list. Signed-off-by: Julian Haller <julian.haller@philips.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-core/dbus/dbus.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc index 948aaf2e24..9b5cc53d92 100644 --- a/meta/recipes-core/dbus/dbus.inc +++ b/meta/recipes-core/dbus/dbus.inc @@ -32,3 +32,5 @@ PACKAGECONFIG[systemd] = "--enable-systemd --with-systemdsystemunitdir=${systemd PACKAGECONFIG[x11] = "--with-x --enable-x11-autolaunch,--without-x --disable-x11-autolaunch, virtual/libx11 libsm" PACKAGECONFIG[user-session] = "--enable-user-session --with-systemduserunitdir=${systemd_user_unitdir},--disable-user-session" PACKAGECONFIG[verbose-mode] = "--enable-verbose-mode,,," + +CVE_PRODUCT += "d-bus_project:d-bus freedesktop:dbus freedesktop:libdbus" -- 2.34.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
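Review bot: `CVE_PRODUCT += "d-bus_project:d-bus freedesktop:dbus freedesktop:libdbus"` at the end of dbus.inc leaves the final value dependent on whatever default is already in effect when the recipe is parsed. Since the commit message says the existing product name is the wrong one to query, assigning the full intended list with `=` would make the result explicit. The message should also list which CVEs the scan reports for this dbus version after the change, so a reviewer can see which are already handled by patches such as CVE-2023-34969.patch from 04/11 and which still need work.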
* [OE-core][dunfell 06/11] xdg-utils: Fix CVE-2022-4055 2023-10-10 14:14 [OE-core][dunfell 00/11] Patch review Steve Sakoman ` (4 preceding siblings ...) 2023-10-10 14:14 ` [OE-core][dunfell 05/11] dbus: Add missing CVE_PRODUCT Steve Sakoman @ 2023-10-10 14:14 ` Steve Sakoman 2023-10-10 14:14 ` [OE-core][dunfell 07/11] libpcre2 : Follow up fix CVE-2022-1586 Steve Sakoman ` (4 subsequent siblings) 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2023-10-10 14:14 UTC (permalink / raw) To: openembedded-core From: Hitendra Prajapati <hprajapati@mvista.com> Upstream-Status: Backport from https://gitlab.freedesktop.org/xdg/xdg-utils/-/commit/f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../xdg-utils/xdg-utils/CVE-2022-4055.patch | 165 ++++++++++++++++++ .../xdg-utils/xdg-utils_1.1.3.bb | 1 + 2 files changed, 166 insertions(+) create mode 100644 meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch diff --git a/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch b/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch new file mode 100644 index 0000000000..383634ad53 --- /dev/null +++ b/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch 
@@ -0,0 +1,165 @@ +From f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780 Mon Sep 17 00:00:00 2001 +From: Gabriel Corona <gabriel.corona@enst-bretagne.fr> +Date: Thu, 25 Aug 2022 23:51:45 +0200 +Subject: [PATCH] Disable special support for Thunderbird in xdg-email (fixes + CVE-2020-27748, CVE-2022-4055) + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xdg/xdg-utils/-/commit/f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780] +CVE: CVE-2022-4055 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + scripts/xdg-email.in | 108 ------------------------------------------- + 1 file changed, 108 deletions(-) + +diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in +index 13ba2d5..b700679 100644 +--- a/scripts/xdg-email.in ++++ b/scripts/xdg-email.in +@@ -30,76 +30,8 @@ _USAGE + + #@xdg-utils-common@ + +-run_thunderbird() +-{ +- local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY +- THUNDERBIRD="$1" +- MAILTO=$(echo "$2" | sed 's/^mailto://') +- echo "$MAILTO" | grep -qs "^?" +- if [ "$?" 
= "0" ] ; then +- MAILTO=$(echo "$MAILTO" | sed 's/^?//') +- else +- MAILTO=$(echo "$MAILTO" | sed 's/^/to=/' | sed 's/?/\&/') +- fi +- +- MAILTO=$(echo "$MAILTO" | sed 's/&/\n/g') +- TO=$(/bin/echo -e $(echo "$MAILTO" | grep '^to=' | sed 's/^to=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')) +- CC=$(/bin/echo -e $(echo "$MAILTO" | grep '^cc=' | sed 's/^cc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')) +- BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')) +- SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1) +- BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1) +- +- if [ -z "$TO" ] ; then +- NEWMAILTO= +- else +- NEWMAILTO="to='$TO'" +- fi +- if [ -n "$CC" ] ; then +- NEWMAILTO="${NEWMAILTO},cc='$CC'" +- fi +- if [ -n "$BCC" ] ; then +- NEWMAILTO="${NEWMAILTO},bcc='$BCC'" +- fi +- if [ -n "$SUBJECT" ] ; then +- NEWMAILTO="${NEWMAILTO},$SUBJECT" +- fi +- if [ -n "$BODY" ] ; then +- NEWMAILTO="${NEWMAILTO},$BODY" +- fi +- +- NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//') +- DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\"" +- "$THUNDERBIRD" -compose "$NEWMAILTO" +- if [ $? 
-eq 0 ]; then +- exit_success +- else +- exit_failure_operation_failed +- fi +-} +- + open_kde() + { +- if [ -n "$KDE_SESSION_VERSION" ] && [ "$KDE_SESSION_VERSION" -ge 5 ]; then +- local kreadconfig=kreadconfig$KDE_SESSION_VERSION +- else +- local kreadconfig=kreadconfig +- fi +- +- if which $kreadconfig >/dev/null 2>&1; then +- local profile=$($kreadconfig --file emaildefaults \ +- --group Defaults --key Profile) +- if [ -n "$profile" ]; then +- local client=$($kreadconfig --file emaildefaults \ +- --group "PROFILE_$profile" \ +- --key EmailClient \ +- | cut -d ' ' -f 1) +- +- if echo "$client" | grep -Eq 'thunderbird|icedove'; then +- run_thunderbird "$client" "$1" +- fi +- fi +- fi +- + local command + case "$KDE_SESSION_VERSION" in + '') command=kmailservice ;; +@@ -130,15 +62,6 @@ open_kde() + + open_gnome3() + { +- local client +- local desktop +- desktop=`xdg-mime query default "x-scheme-handler/mailto"` +- client=`desktop_file_to_binary "$desktop"` +- echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1 +- if [ $? -eq 0 ] ; then +- run_thunderbird "$client" "$1" +- fi +- + if gio help open 2>/dev/null 1>&2; then + DEBUG 1 "Running gio open \"$1\"" + gio open "$1" +@@ -159,13 +82,6 @@ open_gnome3() + + open_gnome() + { +- local client +- client=`gconftool-2 --get /desktop/gnome/url-handlers/mailto/command | cut -d ' ' -f 1` || "" +- echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1 +- if [ $? -eq 0 ] ; then +- run_thunderbird "$client" "$1" +- fi +- + if gio help open 2>/dev/null 1>&2; then + DEBUG 1 "Running gio open \"$1\"" + gio open "$1" +@@ -231,15 +147,6 @@ open_flatpak() + + open_generic() + { +- local client +- local desktop +- desktop=`xdg-mime query default "x-scheme-handler/mailto"` +- client=`desktop_file_to_binary "$desktop"` +- echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1 +- if [ $? -eq 0 ] ; then +- run_thunderbird "$client" "$1" +- fi +- + xdg-open "$1" + local ret=$? 
+ +@@ -364,21 +271,6 @@ while [ $# -gt 0 ] ; do + shift + ;; + +- --attach) +- if [ -z "$1" ] ; then +- exit_failure_syntax "file argument missing for --attach option" +- fi +- check_input_file "$1" +- file=`readlink -f "$1"` # Normalize path +- if [ -z "$file" ] || [ ! -f "$file" ] ; then +- exit_failure_file_missing "file '$1' does not exist" +- fi +- +- url_encode "$file" +- options="${options}attach=${result}&" +- shift +- ;; +- + -*) + exit_failure_syntax "unexpected option '$parm'" + ;; +-- +2.25.1 + diff --git a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb index 41b74b8598..f6989430f5 100644 --- a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb +++ b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb @@ -21,6 +21,7 @@ SRC_URI = "https://portland.freedesktop.org/download/${BPN}-${PV}.tar.gz \ file://0001-Reinstate-xdg-terminal.patch \ file://0001-Don-t-build-the-in-script-manual.patch \ file://1f199813e0eb0246f63b54e9e154970e609575af.patch \ + file://CVE-2022-4055.patch \ " SRC_URI[md5sum] = "902042508b626027a3709d105f0b63ff" -- 2.34.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
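Review bot: The `@@ -364,21 +271,6 @@` hunk of the backported patch removes the `--attach)` case entirely, so on this stable branch `xdg-email --attach <file>` will now fall through to `-*)` and exit with "unexpected option". That is a user-visible behaviour change that the commit message does not mention; it currently contains only the Upstream-Status line. Please describe the removal of Thunderbird special-casing and of `--attach` in the message so that dunfell users can find out why the option stopped working.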
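Review bot: The Subject of the backported patch says it fixes CVE-2020-27748 and CVE-2022-4055, but the patch header carries only `CVE: CVE-2022-4055`. If CVE-2020-27748 is not already marked as patched by another file in this recipe, list both identifiers in the `CVE:` tag; if it is, say which patch covers it in the commit message.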
* [OE-core][dunfell 07/11] libpcre2 : Follow up fix CVE-2022-1586 2023-10-10 14:14 [OE-core][dunfell 00/11] Patch review Steve Sakoman ` (5 preceding siblings ...) 2023-10-10 14:14 ` [OE-core][dunfell 06/11] xdg-utils: Fix CVE-2022-4055 Steve Sakoman @ 2023-10-10 14:14 ` Steve Sakoman 2023-10-10 14:14 ` [OE-core][dunfell 08/11] ghostscript: Backport fix CVE-2023-43115 Steve Sakoman ` (3 subsequent siblings) 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2023-10-10 14:14 UTC (permalink / raw) To: openembedded-core From: Shinu Chandran <shinucha@cisco.com> CVE-2022-1586 was originally fixed by OE commit https://github.com/openembedded/openembedded-core/commit/7f4daf88b71f through libpcre2 commit https://github.com/PCRE2Project/pcre2/commit/50a51cb7e672 The follow up patch is required to resolve a bug in the initial fix[50a51cb7e672] https://github.com/PCRE2Project/pcre2/commit/d4fa336fbcc3 Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-1586 https://security-tracker.debian.org/tracker/CVE-2022-1586 Signed-off-by: Shinu Chandran <shinucha@cisco.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../libpcre2/CVE-2022-1586-regression.patch | 30 +++++++++++++++++++ .../recipes-support/libpcre/libpcre2_10.34.bb | 1 + 2 files changed, 31 insertions(+) create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch new file mode 100644 index 0000000000..42ee417fe7 --- /dev/null +++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch 
@@ -0,0 +1,30 @@ +From 5d1e62b0155292b994aa1c96d4ed8ce4346ef4c2 Mon Sep 17 00:00:00 2001 +From: Zoltan Herczeg <hzmester@freemail.hu> +Date: Thu, 24 Mar 2022 05:34:42 +0000 +Subject: [PATCH] Fix incorrect value reading in JIT. + +CVE: CVE-2022-1586 +Upstream-Status: Backport [https://github.com/PCRE2Project/pcre2/commit/d4fa336fbcc3] + +(cherry picked from commit d4fa336fbcc388f89095b184ba6d99422cfc676c) +Signed-off-by: Shinu Chandran <shinucha@cisco.com> +--- + src/pcre2_jit_compile.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c +index 493c96d..fa57942 100644 +--- a/src/pcre2_jit_compile.c ++++ b/src/pcre2_jit_compile.c +@@ -7188,7 +7188,7 @@ while (*cc != XCL_END) + { + SLJIT_ASSERT(*cc == XCL_PROP || *cc == XCL_NOTPROP); + cc++; +- if (*cc == PT_CLIST && *cc == XCL_PROP) ++ if (*cc == PT_CLIST && cc[-1] == XCL_PROP) + { + other_cases = PRIV(ucd_caseless_sets) + cc[1]; + while (*other_cases != NOTACHAR) +-- +2.25.1 + diff --git a/meta/recipes-support/libpcre/libpcre2_10.34.bb b/meta/recipes-support/libpcre/libpcre2_10.34.bb index 3e1b001c32..53277270d2 100644 --- a/meta/recipes-support/libpcre/libpcre2_10.34.bb +++ b/meta/recipes-support/libpcre/libpcre2_10.34.bb @@ -13,6 +13,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=b1588d3bb4cb0e1f5a597d908f8c5b37" SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/pcre2-${PV}.tar.bz2 \ file://pcre-cross.patch \ file://CVE-2022-1586.patch \ + file://CVE-2022-1586-regression.patch \ file://CVE-2022-1587.patch \ file://CVE-2022-41409.patch \ " -- 2.34.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
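Review bot: The header of CVE-2022-1586-regression.patch says only "Fix incorrect value reading in JIT", which does not tell a later reader what was wrong with the first fix. In the `@@ -7188,7 +7188,7 @@` hunk the old test `*cc == PT_CLIST && *cc == XCL_PROP` compares the same byte against two constants after `cc++`, so the XCL_PROP check was never made against the opcode byte; the new `cc[-1] == XCL_PROP` does that. A sentence to this effect in the patch header would document why the follow-up is needed. The placement directly after CVE-2022-1586.patch in SRC_URI is right.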
* [OE-core][dunfell 08/11] ghostscript: Backport fix CVE-2023-43115 2023-10-10 14:14 [OE-core][dunfell 00/11] Patch review Steve Sakoman ` (6 preceding siblings ...) 2023-10-10 14:14 ` [OE-core][dunfell 07/11] libpcre2 : Follow up fix CVE-2022-1586 Steve Sakoman @ 2023-10-10 14:14 ` Steve Sakoman 2023-10-10 14:14 ` [OE-core][dunfell 09/11] busybox: Backport CVE-2022-48174 fix Steve Sakoman ` (2 subsequent siblings) 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2023-10-10 14:14 UTC (permalink / raw) To: openembedded-core From: Vijay Anusuri <vanusuri@mvista.com> In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must execute a command to start the IJS server). References: https://nvd.nist.gov/vuln/detail/CVE-2023-43115 Upstream commit: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../ghostscript/CVE-2023-43115.patch | 62 +++++++++++++++++++ .../ghostscript/ghostscript_9.52.bb | 1 + 2 files changed, 63 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch new file mode 100644 index 0000000000..3acb8a503c --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch 
@@ -0,0 +1,62 @@ +From 8b0f20002536867bd73ff4552408a72597190cbe Mon Sep 17 00:00:00 2001 +From: Ken Sharp <ken.sharp@artifex.com> +Date: Thu, 24 Aug 2023 15:24:35 +0100 +Subject: [PATCH] IJS device - try and secure the IJS server startup + +Bug #707051 ""ijs" device can execute arbitrary commands" + +The problem is that the 'IJS' device needs to start the IJS server, and +that is indeed an arbitrary command line. There is (apparently) no way +to validate it. Indeed, this is covered quite clearly in the comments +at the start of the source: + + * WARNING: The ijs server can be selected on the gs command line + * which is a security risk, since any program can be run. + +Previously this used the awful LockSafetyParams hackery, which we +abandoned some time ago because it simply couldn't be made secure (it +was implemented in PostScript and was therefore vulnerable to PostScript +programs). + +This commit prevents PostScript programs switching to the IJS device +after SAFER has been activated, and prevents changes to the IjsServer +parameter after SAFER has been activated. + +SAFER is activated, unless explicitly disabled, before any user +PostScript is executed which means that the device and the server +invocation can only be configured on the command line. This does at +least provide minimal security against malicious PostScript programs. 
+ +Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5] +CVE: CVE-2023-43115 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + devices/gdevijs.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/devices/gdevijs.c b/devices/gdevijs.c +index 3d337c5..e50d69f 100644 +--- a/devices/gdevijs.c ++++ b/devices/gdevijs.c +@@ -934,6 +934,9 @@ gsijs_finish_copydevice(gx_device *dev, const gx_device *from_dev) + static const char rgb[] = "DeviceRGB"; + gx_device_ijs *ijsdev = (gx_device_ijs *)dev; + ++ if (ijsdev->memory->gs_lib_ctx->core->path_control_active) ++ return_error(gs_error_invalidaccess); ++ + code = gx_default_finish_copydevice(dev, from_dev); + if(code < 0) + return code; +@@ -1363,7 +1366,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist) + if (code >= 0) + code = gsijs_read_string(plist, "IjsServer", + ijsdev->IjsServer, sizeof(ijsdev->IjsServer), +- dev->LockSafetyParams, is_open); ++ ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open); + + if (code >= 0) + code = gsijs_read_string_malloc(plist, "DeviceManufacturer", +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb index 0a2f9f5046..9712871e7f 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb @@ -44,6 +44,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://CVE-2023-36664-pre1.patch \ file://CVE-2023-36664-1.patch \ file://CVE-2023-36664-2.patch \ + file://CVE-2023-43115.patch \ " SRC_URI = "${SRC_URI_BASE} \ -- 2.34.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
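Review bot: The patch header names two different commits: the `From 8b0f20002536867bd73ff4552408a72597190cbe` line and the `Upstream-Status: Backport [...h=e59216049cac290fb437a04c4f41ea46826cfba5]` link. Please state which one was actually picked and whether the hunks were adapted for 9.52. Both hunks rely on `ijsdev->memory->gs_lib_ctx->core->path_control_active`, and the commit message gives no indication that this field was checked against the 9.52 sources, or that the early `return_error(gs_error_invalidaccess)` in gsijs_finish_copydevice was exercised with SAFER active.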
* [OE-core][dunfell 09/11] busybox: Backport CVE-2022-48174 fix 2023-10-10 14:14 [OE-core][dunfell 00/11] Patch review Steve Sakoman ` (7 preceding siblings ...) 2023-10-10 14:14 ` [OE-core][dunfell 08/11] ghostscript: Backport fix CVE-2023-43115 Steve Sakoman @ 2023-10-10 14:14 ` Steve Sakoman 2023-10-10 14:14 ` [OE-core][dunfell 10/11] openssl: Upgrade 1.1.1v -> 1.1.1w Steve Sakoman 2023-10-10 14:14 ` [OE-core][dunfell 11/11] cpio: Replace fix wrong CRC with ASCII CRC for large files with upstream backport Steve Sakoman 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2023-10-10 14:14 UTC (permalink / raw) To: openembedded-core From: Marek Vasut <marex@denx.de> There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. https://nvd.nist.gov/vuln/detail/CVE-2022-48174 CVE: CVE-2022-48174 Signed-off-by: Marek Vasut <marex@denx.de> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../busybox/busybox/CVE-2022-48174.patch | 82 +++++++++++++++++++ meta/recipes-core/busybox/busybox_1.31.1.bb | 1 + 2 files changed, 83 insertions(+) create mode 100644 meta/recipes-core/busybox/busybox/CVE-2022-48174.patch diff --git a/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch new file mode 100644 index 0000000000..dfba2a7e0f --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch 
@@ -0,0 +1,82 @@ +From c18ebf861528ef24958dd99a146482d2a40014c7 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko <vda.linux@googlemail.com> +Date: Mon, 12 Jun 2023 17:48:47 +0200 +Subject: [PATCH] shell: avoid segfault on ${0::0/0~09J}. Closes 15216 + +function old new delta +evaluate_string 1011 1053 +42 + +CVE: CVE-2022-48174 +Upstream-Status: Backport [d417193cf37ca1005830d7e16f5fa7e1d8a44209] +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> +--- + shell/math.c | 39 +++++++++++++++++++++++++++++++++++---- + 1 file changed, 35 insertions(+), 4 deletions(-) + +diff --git a/shell/math.c b/shell/math.c +index af1ab55c0..79824e81f 100644 +--- a/shell/math.c ++++ b/shell/math.c +@@ -578,6 +578,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr) + # endif + #endif + ++//TODO: much better estimation than expr_len/2? Such as: ++//static unsigned estimate_nums_and_names(const char *expr) ++//{ ++// unsigned count = 0; ++// while (*(expr = skip_whitespace(expr)) != '\0') { ++// const char *p; ++// if (isdigit(*expr)) { ++// while (isdigit(*++expr)) ++// continue; ++// count++; ++// continue; ++// } ++// p = endofname(expr); ++// if (p != expr) { ++// expr = p; ++// count++; ++// continue; ++// } ++// } ++// return count; ++//} ++ + static arith_t FAST_FUNC + evaluate_string(arith_state_t *math_state, const char *expr) + { +@@ -585,10 +607,12 @@ evaluate_string(arith_state_t *math_state, const char *expr) + const char *errmsg; + const char *start_expr = expr = skip_whitespace(expr); + unsigned expr_len = strlen(expr) + 2; +- /* Stack of integers */ +- /* The proof that there can be no more than strlen(startbuf)/2+1 +- * integers in any given correct or incorrect expression +- * is left as an exercise to the reader. */ ++ /* Stack of integers/names */ ++ /* There can be no more than strlen(startbuf)/2+1 ++ * integers/names in any given correct or incorrect expression. 
++ * (modulo "09v09v09v09v09v" case, ++ * but we have code to detect that early) ++ */ + var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0])); + var_or_num_t *numstackptr = numstack; + /* Stack of operator tokens */ +@@ -657,6 +681,13 @@ evaluate_string(arith_state_t *math_state, const char *expr) + numstackptr->var = NULL; + errno = 0; + numstackptr->val = strto_arith_t(expr, (char**) &expr); ++ /* A number can't be followed by another number, or a variable name. ++ * We'd catch this later anyway, but this would require numstack[] ++ * to be twice as deep to handle strings where _every_ char is ++ * a new number or name. Example: 09v09v09v09v09v09v09v09v09v ++ */ ++ if (isalnum(*expr) || *expr == '_') ++ goto err; + if (errno) + numstackptr->val = 0; /* bash compat */ + goto num; +-- +2.40.1 + diff --git a/meta/recipes-core/busybox/busybox_1.31.1.bb b/meta/recipes-core/busybox/busybox_1.31.1.bb index d062f0f7dd..94aa1467df 100644 --- a/meta/recipes-core/busybox/busybox_1.31.1.bb +++ b/meta/recipes-core/busybox/busybox_1.31.1.bb @@ -55,6 +55,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://CVE-2021-42374.patch \ file://CVE-2021-42376.patch \ file://CVE-2021-423xx-awk.patch \ + file://CVE-2022-48174.patch \ file://0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch \ file://0002-nslookup-sanitize-all-printed-strings-with-printable.patch \ " -- 2.34.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
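Review bot: `Upstream-Status: Backport [d417193cf37ca1005830d7e16f5fa7e1d8a44209]` gives a bare hash that differs from the `From c18ebf861528ef24958dd99a146482d2a40014c7` line, and the patch header has no Signed-off-by from the backporter. Please give the full upstream URL, as the other patches in this series do, and add the sign-off. The commit message cites a stack overflow at ash.c:6030 while the change is entirely in shell/math.c; a sentence linking the two would help, namely that `numstack` is an `alloca` of `expr_len / 2` entries and that the new `if (isalnum(*expr) || *expr == '_') goto err;` rejects the "09v09v09v" inputs that could push more entries than that.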
* [OE-core][dunfell 10/11] openssl: Upgrade 1.1.1v -> 1.1.1w 2023-10-10 14:14 [OE-core][dunfell 00/11] Patch review Steve Sakoman ` (8 preceding siblings ...) 2023-10-10 14:14 ` [OE-core][dunfell 09/11] busybox: Backport CVE-2022-48174 fix Steve Sakoman @ 2023-10-10 14:14 ` Steve Sakoman 2023-10-10 14:14 ` [OE-core][dunfell 11/11] cpio: Replace fix wrong CRC with ASCII CRC for large files with upstream backport Steve Sakoman 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2023-10-10 14:14 UTC (permalink / raw) To: openembedded-core From: Sourav Pramanik <sourav.pramanik@kpit.com> https://www.openssl.org/news/openssl-1.1.1-notes.html Major changes between OpenSSL 1.1.1v and OpenSSL 1.1.1w [11 Sep 2023] * Fix POLY1305 MAC implementation corrupting XMM registers on Windows (CVE-2023-4807) Signed-off-by: Sourav Kumar Pramanik <pramanik.souravkumar@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../openssl/{openssl_1.1.1v.bb => openssl_1.1.1w.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-connectivity/openssl/{openssl_1.1.1v.bb => openssl_1.1.1w.bb} (98%) diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1v.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb similarity index 98% rename from meta/recipes-connectivity/openssl/openssl_1.1.1v.bb rename to meta/recipes-connectivity/openssl/openssl_1.1.1w.bb index d1222dc470..8a53b06862 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1v.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb 
@@ -26,7 +26,7 @@ SRC_URI_append_class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "d6697e2871e77238460402e9362d47d18382b15ef9f246aba6c7bd780d38a6b0" +SRC_URI[sha256sum] = "cf3098950cb4d853ad95c0841f1f9c6d3dc102dccfcacd521d93925208b76ac8" inherit lib_package multilib_header multilib_script ptest MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" -- 2.34.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
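Review bot: The only change listed for 1.1.1w in the commit message is the POLY1305 fix, which the release note describes as affecting Windows (CVE-2023-4807), so the message should say why dunfell takes the upgrade, for example to keep the version in line for CVE scanning. The hunk updates only `SRC_URI[sha256sum]`; please mention that the new value was checked against the checksum published by upstream. The From address (sourav.pramanik@kpit.com) and the Signed-off-by address (pramanik.souravkumar@gmail.com) also differ and should be reconciled.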
* [OE-core][dunfell 11/11] cpio: Replace fix wrong CRC with ASCII CRC for large files with upstream backport 2023-10-10 14:14 [OE-core][dunfell 00/11] Patch review Steve Sakoman ` (9 preceding siblings ...) 2023-10-10 14:14 ` [OE-core][dunfell 10/11] openssl: Upgrade 1.1.1v -> 1.1.1w Steve Sakoman @ 2023-10-10 14:14 ` Steve Sakoman 10 siblings, 0 replies; 23+ messages in thread From: Steve Sakoman @ 2023-10-10 14:14 UTC (permalink / raw) To: openembedded-core From: Marek Vasut <marex@denx.de> Replace the original "Wrong CRC with ASCII CRC for large files" patch with upstream backport, and add additional fix on top of the same problem which upstream detected and fixed. Signed-off-by: Marek Vasut <marex@denx.de> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- ...g-CRC-with-ASCII-CRC-for-large-files.patch | 39 --- ...-calculation-of-CRC-in-copy-out-mode.patch | 58 ++++ ...appending-to-archives-bigger-than-2G.patch | 312 ++++++++++++++++++ meta/recipes-extended/cpio/cpio_2.13.bb | 3 +- 4 files changed, 372 insertions(+), 40 deletions(-) delete mode 100644 meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch create mode 100644 meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch create mode 100644 meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch diff --git a/meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch b/meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch deleted file mode 100644 index 4b96e4316c..0000000000 --- a/meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 77ff5f1be394eb2c786df561ff37dde7f982ec76 Mon Sep 17 00:00:00 2001 -From: Stefano Babic <sbabic@denx.de> -Date: Fri, 28 Jul 2017 13:20:52 +0200 -Subject: [PATCH] Wrong CRC with ASCII CRC for large files - -Due to signedness, the checksum is not computed when filesize is bigger -a 2GB. - -Upstream-Status: Submitted [https://lists.gnu.org/archive/html/bug-cpio/2017-07/msg00004.html] -Signed-off-by: Stefano Babic <sbabic@denx.de> ---- - src/copyout.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/copyout.c b/src/copyout.c -index 1f0987a..727aeca 100644 ---- a/src/copyout.c -+++ b/src/copyout.c -@@ -34,13 +34,13 @@ - compute and return a checksum for them. */ - - static uint32_t --read_for_checksum (int in_file_des, int file_size, char *file_name) -+read_for_checksum (int in_file_des, unsigned int file_size, char *file_name) - { - uint32_t crc; - char buf[BUFSIZ]; -- int bytes_left; -- int bytes_read; -- int i; -+ unsigned int bytes_left; -+ unsigned int bytes_read; -+ unsigned int i; - - crc = 0; - --- -2.7.4 - diff --git a/meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch b/meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch new file mode 100644 index 0000000000..2dfd348d7c --- /dev/null +++ b/meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch 
@@ -0,0 +1,58 @@ +From d257e47a6c6b41ba727b196ac96c05ab91bd9d65 Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff <gray@gnu.org> +Date: Fri, 7 Apr 2023 11:23:37 +0300 +Subject: [PATCH 3/4] Fix calculation of CRC in copy-out mode. + +* src/copyout.c (read_for_checksum): Fix type of the file_size argument. +Rewrite the reading loop. + +Original patch by Stefano Babic <sbabic@denx.de> + +Upstream-Status: Backport [a1b2f7871c3ae5113e0102b870b15ea06a8f0e3d] +Signed-off-by: Marek Vasut <marex@denx.de> +--- + src/copyout.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/src/copyout.c b/src/copyout.c +index 8b0beb6..f1ff351 100644 +--- a/src/copyout.c ++++ b/src/copyout.c +@@ -34,27 +34,25 @@ + compute and return a checksum for them. */ + + static uint32_t +-read_for_checksum (int in_file_des, int file_size, char *file_name) ++read_for_checksum (int in_file_des, off_t file_size, char *file_name) + { + uint32_t crc; +- char buf[BUFSIZ]; +- int bytes_left; +- int bytes_read; +- int i; ++ unsigned char buf[BUFSIZ]; ++ ssize_t bytes_read; ++ ssize_t i; + + crc = 0; + +- for (bytes_left = file_size; bytes_left > 0; bytes_left -= bytes_read) ++ while (file_size > 0) + { + bytes_read = read (in_file_des, buf, BUFSIZ); + if (bytes_read < 0) + error (PAXEXIT_FAILURE, errno, _("cannot read checksum for %s"), file_name); + if (bytes_read == 0) + break; +- if (bytes_left < bytes_read) +- bytes_read = bytes_left; +- for (i = 0; i < bytes_read; ++i) ++ for (i = 0; i < bytes_read; i++) + crc += buf[i] & 0xff; ++ file_size -= bytes_read; + } + if (lseek (in_file_des, 0L, SEEK_SET)) + error (PAXEXIT_FAILURE, errno, _("cannot read checksum for %s"), file_name); +-- +2.39.2 + diff --git a/meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch b/meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch new file mode 100644 index 0000000000..c212bddf7d --- /dev/null 
+++ b/meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch 
@@ -0,0 +1,312 @@ +From 8513495ab5cfb63eb7c4c933fdf0b78c6196cd27 Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff <gray@gnu.org> +Date: Fri, 28 Apr 2023 15:23:46 +0300 +Subject: [PATCH 4/4] Fix appending to archives bigger than 2G + +* src/extern.h (last_header_start): Change type to off_t. +* src/global.c: Likewise. +* src/util.c (prepare_append): Use off_t for file offsets. + +Upstream-Status: Backport [0987d63384f0419b4b14aecdc6a61729b75ce86a] +Signed-off-by: Marek Vasut <marex@denx.de> +--- + src/extern.h | 11 ++++----- + src/global.c | 2 +- + src/util.c | 66 ++++++++++++++++++++++++++-------------------------- + 3 files changed, 39 insertions(+), 40 deletions(-) + +diff --git a/src/extern.h b/src/extern.h +index 11ac6bf..12f14a9 100644 +--- a/src/extern.h ++++ b/src/extern.h +@@ -67,7 +67,7 @@ extern int ignore_devno_option; + + extern bool to_stdout_option; + +-extern int last_header_start; ++extern off_t last_header_start; + extern int copy_matching_files; + extern int numeric_uid; + extern char *pattern_file_name; +@@ -123,7 +123,7 @@ void field_width_error (const char *filename, const char *fieldname, + + /* copypass.c */ + void process_copy_pass (void); +-int link_to_maj_min_ino (char *file_name, int st_dev_maj, ++int link_to_maj_min_ino (char *file_name, int st_dev_maj, + int st_dev_min, ino_t st_ino); + int link_to_name (char const *link_name, char const *link_target); + +@@ -171,7 +171,7 @@ void copy_files_tape_to_disk (int in_des, int out_des, off_t num_bytes); + void copy_files_disk_to_tape (int in_des, int out_des, off_t num_bytes, char *filename); + void copy_files_disk_to_disk (int in_des, int out_des, off_t num_bytes, char *filename); + void warn_if_file_changed (char *file_name, off_t old_file_size, +- time_t old_file_mtime); ++ time_t old_file_mtime); + void create_all_directories (char const *name); + void prepare_append (int out_file_des); + char *find_inode_file (ino_t node_num, +@@ -185,7 +185,7 @@ void set_new_media_message (char 
*message); + #ifdef HPUX_CDF + char *add_cdf_double_slashes (char *filename); + #endif +-void write_nuls_to_file (off_t num_bytes, int out_des, ++void write_nuls_to_file (off_t num_bytes, int out_des, + void (*writer) (char *in_buf, + int out_des, off_t num_bytes)); + #define DISK_IO_BLOCK_SIZE 512 +@@ -229,6 +229,5 @@ void delay_set_stat (char const *file_name, struct stat *st, + mode_t invert_permissions); + int repair_delayed_set_stat (struct cpio_file_stat *file_hdr); + void apply_delayed_set_stat (void); +- +-int arf_stores_inode_p (enum archive_format arf); + ++int arf_stores_inode_p (enum archive_format arf); +diff --git a/src/global.c b/src/global.c +index fb3abe9..5c9fc05 100644 +--- a/src/global.c ++++ b/src/global.c +@@ -114,7 +114,7 @@ int debug_flag = false; + + /* File position of last header read. Only used during -A to determine + where the old TRAILER!!! record started. */ +-int last_header_start = 0; ++off_t last_header_start = 0; + + /* With -i; if true, copy only files that match any of the given patterns; + if false, copy only files that do not match any of the patterns. (-f) */ +diff --git a/src/util.c b/src/util.c +index 4421b20..3be89a4 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -60,8 +60,8 @@ tape_empty_output_buffer (int out_des) + static long output_bytes_before_lseek = 0; + + /* Some tape drivers seem to have a signed internal seek pointer and +- they lose if it overflows and becomes negative (e.g. when writing +- tapes > 2Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the ++ they lose if it overflows and becomes negative (e.g. when writing ++ tapes > 2Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the + seek pointer and prevent it from overflowing. */ + if (output_is_special + && ( (output_bytes_before_lseek += output_size) >= 1073741824L) ) +@@ -106,7 +106,7 @@ static ssize_t sparse_write (int fildes, char *buf, size_t nbyte, bool flush); + descriptor OUT_DES and reset `output_size' and `out_buff'. 
+ If `swapping_halfwords' or `swapping_bytes' is set, + do the appropriate swapping first. Our callers have +- to make sure to only set these flags if `output_size' ++ to make sure to only set these flags if `output_size' + is appropriate (a multiple of 4 for `swapping_halfwords', + 2 for `swapping_bytes'). The fact that DISK_IO_BLOCK_SIZE + must always be a multiple of 4 helps us (and our callers) +@@ -188,8 +188,8 @@ tape_fill_input_buffer (int in_des, int num_bytes) + { + #ifdef BROKEN_LONG_TAPE_DRIVER + /* Some tape drivers seem to have a signed internal seek pointer and +- they lose if it overflows and becomes negative (e.g. when writing +- tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the ++ they lose if it overflows and becomes negative (e.g. when writing ++ tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the + seek pointer and prevent it from overflowing. */ + if (input_is_special + && ( (input_bytes_before_lseek += num_bytes) >= 1073741824L) ) +@@ -332,8 +332,8 @@ tape_buffered_peek (char *peek_buf, int in_des, int num_bytes) + + #ifdef BROKEN_LONG_TAPE_DRIVER + /* Some tape drivers seem to have a signed internal seek pointer and +- they lose if it overflows and becomes negative (e.g. when writing +- tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the ++ they lose if it overflows and becomes negative (e.g. when writing ++ tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the + seek pointer and prevent it from overflowing. 
*/ + if (input_is_special + && ( (input_bytes_before_lseek += num_bytes) >= 1073741824L) ) +@@ -404,7 +404,7 @@ tape_toss_input (int in_des, off_t num_bytes) + + if (crc_i_flag && only_verify_crc_flag) + { +- int k; ++ int k; + for (k = 0; k < space_left; ++k) + crc += in_buff[k] & 0xff; + } +@@ -416,14 +416,14 @@ tape_toss_input (int in_des, off_t num_bytes) + } + \f + void +-write_nuls_to_file (off_t num_bytes, int out_des, +- void (*writer) (char *in_buf, int out_des, off_t num_bytes)) ++write_nuls_to_file (off_t num_bytes, int out_des, ++ void (*writer) (char *in_buf, int out_des, off_t num_bytes)) + { + off_t blocks; + off_t extra_bytes; + off_t i; + static char zeros_512[512]; +- ++ + blocks = num_bytes / sizeof zeros_512; + extra_bytes = num_bytes % sizeof zeros_512; + for (i = 0; i < blocks; ++i) +@@ -603,7 +603,7 @@ create_all_directories (char const *name) + char *dir; + + dir = dir_name (name); +- ++ + if (dir == NULL) + error (PAXEXIT_FAILURE, 0, _("virtual memory exhausted")); + +@@ -637,9 +637,9 @@ create_all_directories (char const *name) + void + prepare_append (int out_file_des) + { +- int start_of_header; +- int start_of_block; +- int useful_bytes_in_block; ++ off_t start_of_header; ++ off_t start_of_block; ++ size_t useful_bytes_in_block; + char *tmp_buf; + + start_of_header = last_header_start; +@@ -697,8 +697,8 @@ inode_val_compare (const void *val1, const void *val2) + const struct inode_val *ival1 = val1; + const struct inode_val *ival2 = val2; + return ival1->inode == ival2->inode +- && ival1->major_num == ival2->major_num +- && ival1->minor_num == ival2->minor_num; ++ && ival1->major_num == ival2->major_num ++ && ival1->minor_num == ival2->minor_num; + } + + static struct inode_val * +@@ -706,10 +706,10 @@ find_inode_val (ino_t node_num, unsigned long major_num, + unsigned long minor_num) + { + struct inode_val sample; +- ++ + if (!hash_table) + return NULL; +- ++ + sample.inode = node_num; + sample.major_num = major_num; + sample.minor_num 
= minor_num; +@@ -734,7 +734,7 @@ add_inode (ino_t node_num, char *file_name, unsigned long major_num, + { + struct inode_val *temp; + struct inode_val *e = NULL; +- ++ + /* Create new inode record. */ + temp = (struct inode_val *) xmalloc (sizeof (struct inode_val)); + temp->inode = node_num; +@@ -1007,7 +1007,7 @@ buf_all_zeros (char *buf, int bufsize) + + /* Write NBYTE bytes from BUF to file descriptor FILDES, trying to + create holes instead of writing blockfuls of zeros. +- ++ + Return the number of bytes written (including bytes in zero + regions) on success, -1 on error. + +@@ -1027,7 +1027,7 @@ sparse_write (int fildes, char *buf, size_t nbytes, bool flush) + + enum { begin, in_zeros, not_in_zeros } state = + delayed_seek_count ? in_zeros : begin; +- ++ + while (nbytes) + { + size_t rest = nbytes; +@@ -1042,7 +1042,7 @@ sparse_write (int fildes, char *buf, size_t nbytes, bool flush) + if (state == not_in_zeros) + { + ssize_t bytes = buf - start_ptr + rest; +- ++ + n = write (fildes, start_ptr, bytes); + if (n == -1) + return -1; +@@ -1091,8 +1091,8 @@ sparse_write (int fildes, char *buf, size_t nbytes, bool flush) + if (n != 1) + return n; + delayed_seek_count = 0; +- } +- ++ } ++ + return nwritten + seek_count; + } + +@@ -1222,7 +1222,7 @@ set_perms (int fd, struct cpio_file_stat *header) + if (!no_chown_flag) + { + uid_t uid = CPIO_UID (header->c_uid); +- gid_t gid = CPIO_GID (header->c_gid); ++ gid_t gid = CPIO_GID (header->c_gid); + if ((fchown_or_chown (fd, header->c_name, uid, gid) < 0) + && errno != EPERM) + chown_error_details (header->c_name, uid, gid); +@@ -1239,13 +1239,13 @@ set_file_times (int fd, + const char *name, unsigned long atime, unsigned long mtime) + { + struct timespec ts[2]; +- ++ + memset (&ts, 0, sizeof ts); + + ts[0].tv_sec = atime; + ts[1].tv_sec = mtime; + +- /* Silently ignore EROFS because reading the file won't have upset its ++ /* Silently ignore EROFS because reading the file won't have upset its + timestamp if it's on a 
read-only filesystem. */ + if (fdutimens (fd, name, ts) < 0 && errno != EROFS) + utime_error (name); +@@ -1297,7 +1297,7 @@ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names, + \f + /* This is a simplified form of delayed set_stat used by GNU tar. + With the time, both forms will merge and pass to paxutils +- ++ + List of directories whose statuses we need to extract after we've + finished extracting their subsidiary files. If you consider each + contiguous subsequence of elements of the form [D]?[^D]*, where [D] +@@ -1415,7 +1415,7 @@ cpio_mkdir (struct cpio_file_stat *file_hdr, int *setstat_delayed) + { + int rc; + mode_t mode = file_hdr->c_mode; +- ++ + if (!(file_hdr->c_mode & S_IWUSR)) + { + rc = mkdir (file_hdr->c_name, mode | S_IWUSR); +@@ -1438,10 +1438,10 @@ cpio_create_dir (struct cpio_file_stat *file_hdr, int existing_dir) + { + int res; /* Result of various function calls. */ + int setstat_delayed = 0; +- ++ + if (to_stdout_option) + return 0; +- ++ + /* Strip any trailing `/'s off the filename; tar puts + them on. We might as well do it here in case anybody + else does too, since they cause strange things to happen. */ +@@ -1530,7 +1530,7 @@ arf_stores_inode_p (enum archive_format arf) + } + return 1; + } +- ++ + void + cpio_file_stat_init (struct cpio_file_stat *file_hdr) + { +-- +2.39.2 + diff --git a/meta/recipes-extended/cpio/cpio_2.13.bb b/meta/recipes-extended/cpio/cpio_2.13.bb index 86527da744..5ab567f360 100644 --- a/meta/recipes-extended/cpio/cpio_2.13.bb +++ b/meta/recipes-extended/cpio/cpio_2.13.bb 
@@ -10,7 +10,8 @@ SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \ file://0001-Unset-need_charset_alias-when-building-for-musl.patch \ file://0002-src-global.c-Remove-superfluous-declaration-of-progr.patch \ file://CVE-2021-38185.patch \ - file://0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch \ + file://0003-Fix-calculation-of-CRC-in-copy-out-mode.patch \ + file://0004-Fix-appending-to-archives-bigger-than-2G.patch \ " SRC_URI[md5sum] = "389c5452d667c23b5eceb206f5000810" -- 2.34.1 ^ permalink raw reply related [flat|nested] 23+ messages in thread
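Review bot: In the rewritten loop of read_for_checksum (0003-Fix-calculation-of-CRC-in-copy-out-mode.patch), the old clamp "if (bytes_left < bytes_read) bytes_read = bytes_left;" is removed and nothing replaces it, so each read asks for a full BUFSIZ and every returned byte is added to crc. If the file is longer than file_size by the time it is read, the final chunk sums bytes past file_size before "file_size -= bytes_read" ends the loop. Consider capping the summed count at the remaining file_size, or requesting only the smaller of BUFSIZ and file_size. Since this is a straight backport, that is best raised upstream and mentioned in the patch header.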
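Review bot: Most of the src/util.c and src/extern.h hunks in 0004-Fix-appending-to-archives-bigger-than-2G.patch change only whitespace (the tape driver comments, write_nuls_to_file, sparse_write, cpio_create_dir and others). The functional change is limited to the last_header_start declarations in extern.h and global.c and the three locals in prepare_append. A sentence in the patch header saying the whitespace hunks are carried unchanged from upstream would tell reviewers which hunks to audit. In prepare_append, useful_bytes_in_block becomes size_t while start_of_header and start_of_block become off_t; the function body is outside the hunk, so please confirm that the arithmetic mixing the unsigned size_t with the signed off_t values behaves as intended.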
* [OE-core][dunfell 00/11] Patch review
@ 2023-12-06 13:55 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2023-12-06 13:55 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for dunfell and have comments back by
end of day Friday, December 8
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6293
The following changes since commit 0764da7e3f1d71eb390e5eb8a9aa1323c24d1c19:
vim: use upstream generated .po files (2023-11-28 12:31:43 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Ashish Sharma (1):
mdadm: Backport fix for CVE-2023-28938
Bruce Ashfield (3):
linux-yocto/5.4: update to v5.4.258
linux-yocto/5.4: update to v5.4.260
linux-yocto/5.4: update to v5.4.262
Lee Chee Yang (2):
epiphany: fix CVE-2022-29536
qemu: ignore CVE-2021-20295 CVE-2023-2680
Steve Sakoman (1):
cve-exclusion_5.4.inc: update for 5.4.262
Tim Orling (1):
vim: upgrade 9.0.2068 -> 9.0.2130
Vivek Kumbhar (1):
libsndfile: fix CVE-2022-33065 Signed integer overflow in src/mat4.c
poojitha adireddy (2):
binutils 2.34: Fix CVE-2021-46174
binutils: Mark CVE-2022-47696 as patched
.../binutils/binutils-2.34.inc | 1 +
.../binutils/binutils/CVE-2021-46174.patch | 35 ++++++++
.../binutils/binutils/CVE-2023-25588.patch | 3 +
meta/recipes-devtools/qemu/qemu.inc | 7 ++
.../mdadm/files/CVE-2023-28938.patch | 80 +++++++++++++++++++
meta/recipes-extended/mdadm/mdadm_4.1.bb | 1 +
.../recipes-gnome/epiphany/epiphany_3.34.4.bb | 1 +
.../epiphany/files/CVE-2022-29536.patch | 46 +++++++++++
.../linux/cve-exclusion_5.4.inc | 79 ++++++++++++++----
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 ++---
.../libsndfile1/CVE-2022-33065.patch | 46 +++++++++++
.../libsndfile/libsndfile1_1.0.28.bb | 3 +-
meta/recipes-support/vim/vim.inc | 4 +-
15 files changed, 306 insertions(+), 36 deletions(-)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2021-46174.patch
create mode 100644 meta/recipes-extended/mdadm/files/CVE-2023-28938.patch
create mode 100644 meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch
create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch
--
2.34.1
^ permalink raw reply [flat|nested] 23+ messages in thread
* [OE-core][dunfell 00/11] Patch review
@ 2023-06-08 2:35 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2023-06-08 2:35 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for dunfell and have comments back by
end of day Friday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5422
The following changes since commit e4b98a42970574296e0da06842691b9fc1ffc9a1:
selftest: skip virgl test on ubuntu 22.10, fedora 37, and all rocky (2023-05-20 06:02:24 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alex Kiernan (1):
openssh: Move sshdgenkeys.service to sshd.socket
Ashish Sharma (1):
golang: Fix CVE-2023-24539
Bruce Ashfield (5):
linux-yocto/5.4: update to v5.4.238
linux-yocto/5.4: update to v5.4.240
linux-yocto/5.4: update to v5.4.241
linux-yocto/5.4: update to v5.4.242
linux-yocto/5.4: update to v5.4.243
Nikhil R (1):
ffmpeg: Fix CVE-2022-48434
Vijay Anusuri (3):
ghostscript: Fix CVE-2023-28879
xserver-xorg: Security fix CVE-2023-0494 and CVE-2023-1393
go: Security fix CVE-2023-24540
.../openssh/openssh/sshd.socket | 1 +
.../openssh/openssh/sshd@.service | 2 -
meta/recipes-devtools/go/go-1.14.inc | 2 +
.../go/go-1.14/CVE-2023-24539.patch | 60 ++++++++
.../go/go-1.14/CVE-2023-24540.patch | 90 ++++++++++++
.../ghostscript/CVE-2023-28879.patch | 54 +++++++
.../ghostscript/ghostscript_9.52.bb | 1 +
.../xserver-xorg/CVE-2023-0494.patch | 38 +++++
.../xserver-xorg/CVE-2023-1393.patch | 46 ++++++
.../xorg-xserver/xserver-xorg_1.20.14.bb | 2 +
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +--
.../ffmpeg/ffmpeg/CVE-2022-48434.patch | 136 ++++++++++++++++++
.../recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb | 1 +
15 files changed, 449 insertions(+), 20 deletions(-)
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24540.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch
--
2.34.1
^ permalink raw reply [flat|nested] 23+ messages in thread
* [OE-core][dunfell 00/11] Patch review
@ 2023-05-20 16:04 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2023-05-20 16:04 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5324
The following changes since commit 1bc254e7969f3d5470bacf9ad9f065d38b7b7fde:
run-postinsts: Set dependency for ldconfig to avoid boot issues (2023-05-11 07:47:14 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alex Kiernan (1):
pypi.bbclass: Set CVE_PRODUCT to PYPI_PACKAGE
Dmitry Baryshkov (1):
linux-firmware: upgrade 20230210 -> 20230404
Hitendra Prajapati (2):
git: fix CVE-2023-29007
git: fix CVE-2023-25652
Khem Raj (1):
perf: Depend on native setuptools3
Marek Vasut (1):
cpio: Fix wrong CRC with ASCII CRC for large files
Martin Jansa (1):
populate_sdk_ext.bbclass: set METADATA_REVISION with an DISTRO
override
Randolph Sapp (1):
wic/bootimg-efi: if fixed-size is set then use that for mkdosfs
Siddharth (1):
curl: ammend fix for CVE-2023-27534 to fix error when ssh is enabled
Steve Sakoman (1):
selftest: skip virgl test on ubuntu 22.10, fedora 37, and all rocky
Thomas Roos (1):
oeqa/utils/metadata.py: Fix running oe-selftest running with no distro
set
meta/classes/populate_sdk_ext.bbclass | 3 +-
meta/classes/pypi.bbclass | 2 +
meta/lib/oeqa/selftest/cases/runtime_test.py | 6 +
meta/lib/oeqa/utils/metadata.py | 6 +-
.../git/files/CVE-2023-25652.patch | 94 +++++++++++
.../git/files/CVE-2023-29007.patch | 159 ++++++++++++++++++
meta/recipes-devtools/git/git.inc | 2 +
...g-CRC-with-ASCII-CRC-for-large-files.patch | 39 +++++
meta/recipes-extended/cpio/cpio_2.13.bb | 1 +
...20230210.bb => linux-firmware_20230404.bb} | 6 +-
meta/recipes-kernel/perf/perf.bb | 2 +-
.../curl/curl/CVE-2023-27534-pre1.patch | 51 ++++++
.../curl/curl/CVE-2023-27534.patch | 122 ++------------
meta/recipes-support/curl/curl_7.69.1.bb | 1 +
scripts/lib/wic/plugins/source/bootimg-efi.py | 7 +
15 files changed, 387 insertions(+), 114 deletions(-)
create mode 100644 meta/recipes-devtools/git/files/CVE-2023-25652.patch
create mode 100644 meta/recipes-devtools/git/files/CVE-2023-29007.patch
create mode 100644 meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230210.bb => linux-firmware_20230404.bb} (99%)
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
--
2.34.1
^ permalink raw reply [flat|nested] 23+ messages in thread
* [OE-core][dunfell 00/11] Patch review
@ 2022-11-12 14:09 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-11-12 14:09 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4469
The following changes since commit babcb7cd3bbefe9c0ea28e960e4fd6cefbc03cae:
bluez5: add dbus to RDEPENDS (2022-11-04 07:52:01 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alex Kiernan (1):
openssl: upgrade 1.1.1q to 1.1.1s
Hitendra Prajapati (1):
bluez: CVE-2022-3637 A DoS exists in monitor/jlink.c
Martin Jansa (1):
externalsrc.bbclass: fix git repo detection
Peter Kjellerstedt (1):
externalsrc.bbclass: Remove a trailing slash from ${B}
Ross Burton (1):
sanity: check for GNU tar specifically
Sundeep KOKKONDA (2):
binutils: stable 2.34 branch updates
glibc : stable 2.31 branch updates.
Sunil Kumar (1):
go: Security Fix for CVE-2022-2879
Vivek Kumbhar (2):
curl: fix CVE-2022-32221 POST following PUT
qemu: fix CVE-2021-3638 ati-vga: inconsistent check in ati_2d_blt()
may lead to out-of-bounds write
ciarancourtney (1):
wic: swap partitions are not added to fstab
meta/classes/externalsrc.bbclass | 6 +-
meta/classes/sanity.bbclass | 8 ++
meta/recipes-connectivity/bluez5/bluez5.inc | 1 +
.../bluez5/bluez5/CVE-2022-3637.patch | 39 ++++++
.../{openssl_1.1.1q.bb => openssl_1.1.1s.bb} | 2 +-
meta/recipes-core/glibc/glibc-version.inc | 2 +-
.../glibc/glibc/CVE-2021-33574_1.patch | 26 ++--
.../binutils/binutils-2.34.inc | 2 +-
.../binutils/binutils/CVE-2020-16593.patch | 4 +-
.../binutils/binutils/CVE-2021-3549.patch | 80 ++++++-------
meta/recipes-devtools/go/go-1.14.inc | 1 +
.../go/go-1.14/CVE-2022-2879.patch | 111 ++++++++++++++++++
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-3638.patch | 80 +++++++++++++
.../curl/curl/CVE-2022-32221.patch | 29 +++++
meta/recipes-support/curl/curl_7.69.1.bb | 1 +
scripts/lib/wic/plugins/imager/direct.py | 2 +-
17 files changed, 329 insertions(+), 66 deletions(-)
create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch
rename meta/recipes-connectivity/openssl/{openssl_1.1.1q.bb => openssl_1.1.1s.bb} (98%)
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-2879.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32221.patch
--
2.25.1
^ permalink raw reply [flat|nested] 23+ messages in thread
* [OE-core][dunfell 00/11] Patch review
@ 2022-08-18 16:56 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-08-18 16:56 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Sunday.
This is the final patch set for the 3.1.19 release.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4098
The following changes since commit ac6ea1a96645d2a4dd54660256603f0b191bb4d3:
gstreamer1.0: use the correct meson option for the capabilities (2022-08-10 05:04:10 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alexander Kanavin (1):
linux-firmware: update 20220610 -> 20220708
Dmitry Baryshkov (1):
linux-firwmare: restore WHENCE_CHKSUM variable
Hitendra Prajapati (3):
qemu: CVE-2020-27821 heap buffer overflow in msix_table_mmio_write
gnutls: CVE-2022-2509 Double free during gnutls_pkcs7_verify
zlib: CVE-2022-37434 a heap-based buffer over-read
Ming Liu (1):
rootfs-postcommands.bbclass: move host-user-contaminated.txt to ${S}
Pascal Bach (1):
bin_package: install into base_prefix
Randy MacLeod (1):
vim: update from 9.0.0063 to 9.0.0115
Richard Purdie (2):
vim: Upgrade 9.0.0021 -> 9.0.0063
kernel-arch: Fix buildpaths leaking into external module compiles
Shruthi Ravichandran (1):
initscripts: run umountnfs as a KILL script
meta/classes/bin_package.bbclass | 3 +-
meta/classes/kernel-arch.bbclass | 2 +-
meta/classes/rootfs-postcommands.bbclass | 2 +-
.../initscripts/initscripts_1.0.bb | 2 +-
.../zlib/zlib/CVE-2022-37434.patch | 44 +++
meta/recipes-core/zlib/zlib_1.2.11.bb | 1 +
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2020-27821.patch | 73 +++++
...20220610.bb => linux-firmware_20220708.bb} | 14 +-
.../gnutls/gnutls/CVE-2022-2509.patch | 282 ++++++++++++++++++
meta/recipes-support/gnutls/gnutls_3.6.14.bb | 1 +
meta/recipes-support/vim/files/racefix.patch | 33 --
meta/recipes-support/vim/vim.inc | 10 +-
13 files changed, 418 insertions(+), 50 deletions(-)
create mode 100644 meta/recipes-core/zlib/zlib/CVE-2022-37434.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20220610.bb => linux-firmware_20220708.bb} (98%)
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2022-2509.patch
delete mode 100644 meta/recipes-support/vim/files/racefix.patch
--
2.25.1
^ permalink raw reply [flat|nested] 23+ messages in thread
* [OE-core][dunfell 00/11] Patch review
@ 2022-08-10 22:31 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-08-10 22:31 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Friday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4058
The following changes since commit 73d2b640ad665f6ff3c4fbe8f5da4ef0dbb175f2:
libtirpc: CVE-2021-46828 DoS vulnerability with lots of connections (2022-07-28 06:26:48 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alex Kiernan (1):
openssh: Add openssh-sftp-server to openssh RDEPENDS
Bruce Ashfield (2):
linux-yocto/5.4: update to v5.4.208
linux-yocto/5.4: update to v5.4.209
Hitendra Prajapati (2):
grub2: Fix several security issue of integer underflow
gdk-pixbuf: CVE-2021-46829 a heap-based buffer overflow
Jose Quaresma (1):
gstreamer1.0: use the correct meson option for the capabilities
Khem Raj (1):
libmodule-build-perl: Use env utility to find perl interpreter
Martin Jansa (1):
libxml2: Port gentest.py to Python-3
Richard Purdie (1):
insane: Fix buildpaths test to work with special devices
Ross Burton (1):
cve_check: skip remote patches that haven't been fetched when
searching for CVE tags
Steve Sakoman (1):
selftest: skip virgl test on fedora 36
meta/classes/insane.bbclass | 6 +-
meta/lib/oe/cve_check.py | 5 +-
meta/lib/oeqa/selftest/cases/runtime_test.py | 2 +
.../grub/files/CVE-2022-28733.patch | 60 ++
.../grub/files/CVE-2022-28734.patch | 67 ++
.../grub/files/CVE-2022-28736.patch | 275 ++++++
meta/recipes-bsp/grub/grub2.inc | 3 +
.../openssh/openssh_8.2p1.bb | 2 +-
.../0001-Port-gentest.py-to-Python-3.patch | 813 ++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.10.bb | 11 +
.../perl/libmodule-build-perl_0.4231.bb | 1 +
.../gdk-pixbuf/CVE-2021-46829.patch | 61 ++
.../gdk-pixbuf/gdk-pixbuf_2.40.0.bb | 1 +
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +-
.../gstreamer/gstreamer1.0_1.16.3.bb | 2 +-
17 files changed, 1321 insertions(+), 24 deletions(-)
create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28733.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28734.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28736.patch
create mode 100644 meta/recipes-core/libxml/libxml2/0001-Port-gentest.py-to-Python-3.patch
create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-46829.patch
--
2.25.1
^ permalink raw reply [flat|nested] 23+ messages in thread
* [OE-core][dunfell 00/11] Patch review
@ 2022-06-02 2:30 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-06-02 2:30 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Friday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3738
The following changes since commit add860e1a69f848097bbc511137a62d5746e5019:
oeqa/selftest/cve_check: add tests for recipe and image reports (2022-05-24 04:31:18 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Dan Tran (1):
ncurses: Fix CVE-2022-29458
Ernst Sjöstrand (2):
cve-check: Add helper for symlink handling
cve-check: Only include installed packages for rootfs manifest
Ranjitsinh Rathod (3):
ruby: Upgrade ruby to 2.7.6 for security fix
ruby: Whitelist CVE-2021-28966 as this affects Windows OS only
libsdl2: Add fix for CVE-2021-33657
Richard Purdie (2):
vim: Upgrade 8.2.4912 -> 8.2.5034 to fix 9 CVEs
cve-check: Allow warnings to be disabled
Riyaz (1):
libxml2: Fix CVE-2022-29824 for libxml2
Virendra Thakur (1):
ffmpeg: Fix for CVE-2022-1475
leimaohui (1):
cve-check.bbclass: Added do_populate_sdk[recrdeptask].
meta/classes/cve-check.bbclass | 109 ++++--
.../libxml2/CVE-2022-29824-dependent.patch | 53 +++
.../libxml/libxml2/CVE-2022-29824.patch | 348 ++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.10.bb | 2 +
.../ncurses/files/CVE-2022-29458.patch | 135 +++++++
meta/recipes-core/ncurses/ncurses_6.2.bb | 1 +
.../ruby/{ruby_2.7.5.bb => ruby_2.7.6.bb} | 8 +-
.../libsdl2/libsdl2/CVE-2021-33657.patch | 38 ++
.../libsdl2/libsdl2_2.0.12.bb | 1 +
.../ffmpeg/ffmpeg/CVE-2022-1475.patch | 36 ++
.../recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb | 1 +
meta/recipes-support/vim/vim.inc | 4 +-
12 files changed, 694 insertions(+), 42 deletions(-)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2022-29824-dependent.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2022-29824.patch
create mode 100644 meta/recipes-core/ncurses/files/CVE-2022-29458.patch
rename meta/recipes-devtools/ruby/{ruby_2.7.5.bb => ruby_2.7.6.bb} (90%)
create mode 100644 meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch
--
2.25.1
* [OE-core][dunfell 00/11] Patch review
@ 2022-04-16 19:14 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-04-16 19:14 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3537
with the exception of a known issue with meta-intel due to the zlib CVE fix, see:
https://lists.openembedded.org/g/openembedded-core/message/163793
The intent is to fix meta-intel after this patch set is merged to dunfell.
The following changes since commit aa762b7ca2417b80dd114a4ab263d69074912f82:
tzdata: update to 2022a (2022-04-04 04:22:32 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alexandre Belloni (1):
pseudo: Fix handling of absolute links
Martin Jansa (1):
license_image.bbclass: close package.manifest file
Peter Kjellerstedt (1):
metadata_scm.bbclass: Use immediate expansion for the METADATA_*
variables
Ralph Siemsen (3):
gzip: fix CVE-2022-1271
xz: fix CVE-2022-1271
apt: add -fno-strict-aliasing to CXXFLAGS to fix SHA256 bug
Richard Purdie (4):
vim: Upgrade 8.2.4524 -> 8.2.4681
git: Ignore CVE-2022-24975
pseudo: Add patch to workaround paths with crazy lengths
libxshmfence: Correct LICENSE to HPND
Ross Burton (1):
zlib: backport the fix for CVE-2018-25032
.../recipeutils/recipeutils-test_1.2.bb | 2 +-
meta/classes/license_image.bbclass | 4 +-
meta/classes/metadata_scm.bbclass | 10 +-
.../zlib/zlib/CVE-2018-25032.patch | 347 ++++++++++++++++++
meta/recipes-core/zlib/zlib_1.2.11.bb | 1 +
meta/recipes-devtools/apt/apt.inc | 4 +
meta/recipes-devtools/git/git.inc | 5 +
meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
.../gzip/gzip-1.10/CVE-2022-1271.patch | 45 +++
meta/recipes-extended/gzip/gzip_1.10.bb | 1 +
.../xz/xz/CVE-2022-1271.patch | 96 +++++
meta/recipes-extended/xz/xz_5.2.4.bb | 4 +-
.../xorg-lib/libxshmfence_1.3.bb | 2 +-
meta/recipes-support/vim/vim.inc | 6 +-
14 files changed, 515 insertions(+), 14 deletions(-)
create mode 100644 meta/recipes-core/zlib/zlib/CVE-2018-25032.patch
create mode 100644 meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch
create mode 100644 meta/recipes-extended/xz/xz/CVE-2022-1271.patch
--
2.25.1
* [OE-core][dunfell 00/11] Patch review
@ 2022-01-20 21:23 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-01-20 21:23 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3141
The following changes since commit 01f256bc72fb45c80b6a6c77506bc4c375965a3a:
glibc: Add fix for data races in pthread_create and TLS access (2022-01-12 04:37:31 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Bruce Ashfield (5):
linux-yocto/5.4: update to v5.4.169
linux-yocto/5.4: update to v5.4.170
linux-yocto/5.4: update to v5.4.171
linux-yocto/5.4: update to v5.4.172
kernel: introduce python3-dtschema-wrapper
Kai Kang (1):
speex: fix CVE-2020-23903
Marek Vasut (1):
Revert "weston: Use systemd notify,"
Richard Purdie (1):
lttng-tools: Add missing DEPENDS on bison-native
Steve Sakoman (3):
expat fix CVE-2022-22822 through CVE-2022-22827
expat: fix CVE-2021-45960
expat: fix CVE-2021-46143
meta/conf/distro/include/maintainers.inc | 1 +
.../expat/expat/CVE-2021-45960.patch | 65 +++++
.../expat/expat/CVE-2021-46143.patch | 43 +++
.../expat/expat/CVE-2022-22822-27.patch | 257 ++++++++++++++++++
meta/recipes-core/expat/expat_2.2.9.bb | 3 +
.../wayland/weston-init/weston-start | 12 -
.../wayland/weston-init/weston@.service | 6 -
.../weston/systemd-notify.weston-start | 9 -
.../wayland/weston/xwayland.weston-start | 3 +-
meta/recipes-graphics/wayland/weston_8.0.0.bb | 6 -
.../python3-dtschema-wrapper/dt-doc-validate | 20 ++
.../dtc/python3-dtschema-wrapper/dt-mk-schema | 20 ++
.../dtc/python3-dtschema-wrapper/dt-validate | 20 ++
.../dtc/python3-dtschema-wrapper_2021.10.bb | 17 ++
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +-
.../lttng/lttng-tools_2.11.5.bb | 2 +-
.../speex/speex/CVE-2020-23903.patch | 30 ++
meta/recipes-multimedia/speex/speex_1.2.0.bb | 4 +-
20 files changed, 500 insertions(+), 54 deletions(-)
create mode 100644 meta/recipes-core/expat/expat/CVE-2021-45960.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2021-46143.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2022-22822-27.patch
delete mode 100644 meta/recipes-graphics/wayland/weston/systemd-notify.weston-start
create mode 100644 meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-doc-validate
create mode 100644 meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-mk-schema
create mode 100644 meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-validate
create mode 100644 meta/recipes-kernel/dtc/python3-dtschema-wrapper_2021.10.bb
create mode 100644 meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch
--
2.25.1
* [OE-core][dunfell 00/11] Patch review
@ 2022-01-13 14:37 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-01-13 14:37 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3112
The following changes since commit da3bd5e0934b6462ae53225a58305235849b32d5:
asciidoc: properly detect and compare Python versions >= 3.10 (2022-01-09 06:49:29 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Akash Hadke (1):
glibc: Add fix for data races in pthread_create and TLS access
Alexander Kanavin (1):
parselogs: add a couple systemd false positives
Anuj Mittal (1):
xserver-xorg: update CVE_PRODUCT
Konrad Weihmann (1):
cve-check: add lockfile to task
Mingli Yu (1):
wic: use shutil.which
Ricardo Ribalda Delgado (1):
wic: misc: Do not find for executables in ASSUME_PROVIDED
Richard Purdie (1):
expat: Update HOMEPAGE to current url
Ross Burton (2):
cve-update-db-native: use fetch task
xserver-xorg: whitelist two CVEs
Steve Sakoman (2):
valgrind: skip flakey ptest (gdbserver_tests/hginfo)
oeqa/selftest/cases/tinfoil.py: increase timeout 60->120s
test_wait_event
meta/classes/cve-check.bbclass | 3 +-
meta/lib/oeqa/runtime/cases/parselogs.py | 2 +
meta/lib/oeqa/selftest/cases/tinfoil.py | 4 +-
meta/recipes-core/expat/expat_2.2.9.bb | 2 +-
...ate-slotinfo-to-avoid-use-after-free.patch | 66 +++++
...hread_create-and-TLS-access-BZ-19329.patch | 191 ++++++++++++
...d-atomics-for-racy-accesses-BZ-19329.patch | 206 +++++++++++++
.../0033-elf-Add-test-case-for-BZ-19329.patch | 144 +++++++++
...elf-Fix-DTV-gap-reuse-logic-BZ-27135.patch | 180 ++++++++++++
...-lazy-relocation-of-tlsdesc-BZ-27137.patch | 56 ++++
...-lazy-relocation-of-tlsdesc-BZ-27137.patch | 124 ++++++++
...ock-between-pthread_create-and-ctors.patch | 276 ++++++++++++++++++
meta/recipes-core/glibc/glibc_2.31.bb | 8 +
.../recipes-core/meta/cve-update-db-native.bb | 9 +-
.../valgrind/valgrind/remove-for-aarch64 | 1 +
.../valgrind/valgrind/remove-for-all | 1 +
.../xorg-xserver/xserver-xorg.inc | 10 +-
scripts/lib/wic/engine.py | 6 +-
scripts/lib/wic/misc.py | 16 +-
scripts/wic | 4 +-
20 files changed, 1292 insertions(+), 17 deletions(-)
create mode 100644 meta/recipes-core/glibc/glibc/0030-elf-Refactor_dl_update-slotinfo-to-avoid-use-after-free.patch
create mode 100644 meta/recipes-core/glibc/glibc/0031-elf-Fix-data-races-in-pthread_create-and-TLS-access-BZ-19329.patch
create mode 100644 meta/recipes-core/glibc/glibc/0032-elf-Use-relaxed-atomics-for-racy-accesses-BZ-19329.patch
create mode 100644 meta/recipes-core/glibc/glibc/0033-elf-Add-test-case-for-BZ-19329.patch
create mode 100644 meta/recipes-core/glibc/glibc/0034-elf-Fix-DTV-gap-reuse-logic-BZ-27135.patch
create mode 100644 meta/recipes-core/glibc/glibc/0035-x86_64-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch
create mode 100644 meta/recipes-core/glibc/glibc/0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch
create mode 100644 meta/recipes-core/glibc/glibc/0037-Avoid-deadlock-between-pthread_create-and-ctors.patch
--
2.25.1
* [OE-core][dunfell 00/11] Patch review
@ 2021-04-08 16:31 Steve Sakoman
0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw)
To: openembedded-core
Please review this next set of patches for dunfell and have comments back by
end of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2031
except for a known autobuilder intermittent issue on qemuppc which passed on
subsequent retest:
https://autobuilder.yoctoproject.org/typhoon/#/builders/63/builds/3261
The following changes since commit d044d9c0cb672c499059eb273e399ce4aee17e0d:
image,populate_sdk_base: move 'func' flag setting for sdk command vars (2021-04-02 04:21:56 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alexander Kanavin (3):
selftest/reproducible: enable world reproducibility test
selftest/reproducible: add an exclusion list for items that are not
yet reproducible
selftest/reproducible: track unusued entries in the exclusion list
Guillaume Champagne (1):
image-live.bbclass: optional depends when ROOTFS empty
Mike Crowe (1):
curl: Patch CVE-2021-22876 & CVE-2021-22890
Peter Morrow (2):
goarch: map target os to windows for mingw* TARGET_OS
go_1.14: don't set -buildmode=pie when building for windows targets
Richard Purdie (3):
selftest/reproducible: Sort the unused exclusion list
diffoscope: Upgrade 136 -> 168
diffoscope: Upgrade 168 -> 172
Steve Sakoman (1):
selftest/reproducible: adjust exclusion list for dunfell
meta/classes/go.bbclass | 8 +-
meta/classes/goarch.bbclass | 2 +
meta/classes/image-live.bbclass | 2 +-
meta/lib/oeqa/selftest/cases/reproducible.py | 80 ++-
meta/recipes-devtools/go/go_1.14.bb | 8 +-
.../curl/curl/CVE-2021-22876.patch | 59 +++
.../curl/curl/CVE-2021-22890.patch | 464 ++++++++++++++++++
meta/recipes-support/curl/curl_7.69.1.bb | 2 +
.../{diffoscope_136.bb => diffoscope_172.bb} | 15 +-
9 files changed, 620 insertions(+), 20 deletions(-)
create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22876.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22890.patch
rename meta/recipes-support/diffoscope/{diffoscope_136.bb => diffoscope_172.bb} (46%)
--
2.25.1
end of thread, other threads:[~2023-12-06 13:56 UTC | newest]
Thread overview: 23+ messages
2023-10-10 14:14 [OE-core][dunfell 00/11] Patch review Steve Sakoman
2023-10-10 14:14 ` [OE-core][dunfell 01/11] cups: Backport fix for CVE-2023-32360 and CVE-2023-4504 Steve Sakoman
2023-10-10 14:14 ` [OE-core][dunfell 02/11] gawk: backport Debian patch to fix CVE-2023-4156 Steve Sakoman
2023-10-10 14:14 ` [OE-core][dunfell 03/11] go: Update fix for CVE-2023-24538 & CVE-2023-39318 Steve Sakoman
2023-10-10 14:14 ` [OE-core][dunfell 04/11] dbus: Backport fix for CVE-2023-34969 Steve Sakoman
2023-10-10 14:14 ` [OE-core][dunfell 05/11] dbus: Add missing CVE_PRODUCT Steve Sakoman
2023-10-10 14:14 ` [OE-core][dunfell 06/11] xdg-utils: Fix CVE-2022-4055 Steve Sakoman
2023-10-10 14:14 ` [OE-core][dunfell 07/11] libpcre2 : Follow up fix CVE-2022-1586 Steve Sakoman
2023-10-10 14:14 ` [OE-core][dunfell 08/11] ghostscript: Backport fix CVE-2023-43115 Steve Sakoman
2023-10-10 14:14 ` [OE-core][dunfell 09/11] busybox: Backport CVE-2022-48174 fix Steve Sakoman
2023-10-10 14:14 ` [OE-core][dunfell 10/11] openssl: Upgrade 1.1.1v -> 1.1.1w Steve Sakoman
2023-10-10 14:14 ` [OE-core][dunfell 11/11] cpio: Replace fix wrong CRC with ASCII CRC for large files with upstream backport Steve Sakoman
-- strict thread matches above, loose matches on Subject: below --
2023-12-06 13:55 [OE-core][dunfell 00/11] Patch review Steve Sakoman
2023-06-08 2:35 Steve Sakoman
2023-05-20 16:04 Steve Sakoman
2022-11-12 14:09 Steve Sakoman
2022-08-18 16:56 Steve Sakoman
2022-08-10 22:31 Steve Sakoman
2022-06-02 2:30 Steve Sakoman
2022-04-16 19:14 Steve Sakoman
2022-01-20 21:23 Steve Sakoman
2022-01-13 14:37 Steve Sakoman
2021-04-08 16:31 Steve Sakoman