aboutsummaryrefslogtreecommitdiffstats
path: root/meta-oe
diff options
context:
space:
mode:
Diffstat (limited to 'meta-oe')
-rw-r--r--meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb2
-rw-r--r--meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb2
-rw-r--r--meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb4
-rw-r--r--meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb2
-rw-r--r--meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb2
-rw-r--r--meta-oe/recipes-benchmark/fio/fio_3.17.bb2
-rw-r--r--meta-oe/recipes-benchmark/glmark2/glmark2_git.bb2
-rw-r--r--meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb2
-rw-r--r--meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb4
-rw-r--r--meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb2
-rw-r--r--meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb2
-rw-r--r--meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb2
-rw-r--r--meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb2
-rw-r--r--meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb2
-rw-r--r--meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb2
-rw-r--r--meta-oe/recipes-bsp/ledmon/ledmon_git.bb2
-rw-r--r--meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb4
-rw-r--r--meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb2
-rw-r--r--meta-oe/recipes-connectivity/gattlib/gattlib_git.bb6
-rw-r--r--meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb2
-rw-r--r--meta-oe/recipes-connectivity/iwd/iwd_1.9.bb2
-rw-r--r--meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb2
-rw-r--r--meta-oe/recipes-connectivity/libndp/libndp_1.7.bb2
-rw-r--r--meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb2
-rw-r--r--meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb2
-rw-r--r--meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.1.bb (renamed from meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.bb)5
-rw-r--r--meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb2
-rw-r--r--meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb2
-rw-r--r--meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb2
-rw-r--r--meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb2
-rw-r--r--meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb2
-rw-r--r--meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb2
-rw-r--r--meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch2
-rw-r--r--meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb2
-rw-r--r--meta-oe/recipes-core/emlog/emlog.inc2
-rw-r--r--meta-oe/recipes-core/glfw/glfw_3.3.bb2
-rw-r--r--meta-oe/recipes-core/libnfc/libnfc_git.bb2
-rw-r--r--meta-oe/recipes-core/mdbus2/mdbus2_git.bb2
-rw-r--r--meta-oe/recipes-core/ndctl/ndctl_v67.bb2
-rw-r--r--meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb2
-rw-r--r--meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb2
-rw-r--r--meta-oe/recipes-core/safec/safec_3.5.1.bb2
-rw-r--r--meta-oe/recipes-core/sdbus-c++/sdbus-c++-0.8.1/0001-Try-to-first-find-googletest-in-the-system-before-do.patch96
-rw-r--r--meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb2
-rw-r--r--meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb9
-rw-r--r--meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.7.bb (renamed from meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb)6
-rw-r--r--meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb2
-rw-r--r--meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb2
-rw-r--r--meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb2
-rw-r--r--meta-oe/recipes-dbs/mysql/mariadb-native_10.4.25.bb (renamed from meta-oe/recipes-dbs/mysql/mariadb-native_10.4.20.bb)0
-rw-r--r--meta-oe/recipes-dbs/mysql/mariadb.inc6
-rw-r--r--meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch73
-rw-r--r--meta-oe/recipes-dbs/mysql/mariadb/clang_version_header_conflict.patch32
-rw-r--r--meta-oe/recipes-dbs/mysql/mariadb_10.4.25.bb (renamed from meta-oe/recipes-dbs/mysql/mariadb_10.4.20.bb)0
-rw-r--r--meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch6
-rw-r--r--meta-oe/recipes-dbs/postgresql/files/CVE-2022-1552.patch947
-rw-r--r--meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch904
-rw-r--r--meta-oe/recipes-dbs/postgresql/files/remove_duplicate.patch38
-rw-r--r--meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb (renamed from meta-oe/recipes-dbs/postgresql/postgresql_12.7.bb)5
-rw-r--r--meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb2
-rw-r--r--meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb2
-rw-r--r--meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb1
-rw-r--r--meta-oe/recipes-devtools/bootchart/bootchart_git.bb2
-rw-r--r--meta-oe/recipes-devtools/breakpad/breakpad_git.bb10
-rw-r--r--meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb4
-rw-r--r--meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch49
-rw-r--r--meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb2
-rw-r--r--meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb2
-rw-r--r--meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb4
-rw-r--r--meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb9
-rw-r--r--meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb5
-rw-r--r--meta-oe/recipes-devtools/guider/guider_3.9.7.bb2
-rw-r--r--meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb2
-rw-r--r--meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb2
-rw-r--r--meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb2
-rw-r--r--meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb2
-rw-r--r--meta-oe/recipes-devtools/libubox/libubox_git.bb2
-rw-r--r--meta-oe/recipes-devtools/ltrace/ltrace_git.bb2
-rw-r--r--meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch73
-rw-r--r--meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch28
-rw-r--r--meta-oe/recipes-devtools/lua/lua_5.3.6.bb3
-rw-r--r--meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb2
-rw-r--r--meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb2
-rw-r--r--meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb2
-rw-r--r--meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb2
-rw-r--r--meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb2
-rw-r--r--meta-oe/recipes-devtools/nodejs/nodejs_12.22.12.bb (renamed from meta-oe/recipes-devtools/nodejs/nodejs_12.21.0.bb)4
-rw-r--r--meta-oe/recipes-devtools/openocd/openocd_git.bb8
-rw-r--r--meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb2
-rw-r--r--meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb2
-rw-r--r--meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb2
-rw-r--r--meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb2
-rw-r--r--meta-oe/recipes-devtools/php/php_7.4.33.bb (renamed from meta-oe/recipes-devtools/php/php_7.4.21.bb)2
-rw-r--r--meta-oe/recipes-devtools/ply/ply_git.bb2
-rw-r--r--meta-oe/recipes-devtools/pmtools/pmtools_git.bb2
-rw-r--r--meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb2
-rw-r--r--meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch73
-rw-r--r--meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb3
-rw-r--r--meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb2
-rw-r--r--meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb2
-rw-r--r--meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb2
-rw-r--r--meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb2
-rw-r--r--meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb2
-rw-r--r--meta-oe/recipes-devtools/valijson/valijson_git.bb2
-rw-r--r--meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb2
-rw-r--r--meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb2
-rw-r--r--meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb2
-rw-r--r--meta-oe/recipes-devtools/yasm/yasm_git.bb2
-rw-r--r--meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch44
-rw-r--r--meta-oe/recipes-extended/brotli/brotli_1.0.7.bb4
-rw-r--r--meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb2
-rw-r--r--meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.7.bb2
-rw-r--r--meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb2
-rw-r--r--meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb2
-rw-r--r--meta-oe/recipes-extended/figlet/figlet_git.bb2
-rw-r--r--meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb2
-rw-r--r--meta-oe/recipes-extended/haveged/haveged_1.9.13.bb2
-rw-r--r--meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb2
-rw-r--r--meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb2
-rw-r--r--meta-oe/recipes-extended/iotop/iotop_0.6.bb2
-rw-r--r--meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb2
-rw-r--r--meta-oe/recipes-extended/jansson/jansson_2.13.1.bb3
-rw-r--r--meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb2
-rw-r--r--meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb2
-rw-r--r--meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb2
-rw-r--r--meta-oe/recipes-extended/libcec/libcec_git.bb2
-rw-r--r--meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb2
-rw-r--r--meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb2
-rw-r--r--meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb2
-rw-r--r--meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb2
-rw-r--r--meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb2
-rw-r--r--meta-oe/recipes-extended/libqb/libqb_1.0.5.bb2
-rw-r--r--meta-oe/recipes-extended/libreport/libreport_2.10.0.bb2
-rw-r--r--meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb2
-rw-r--r--meta-oe/recipes-extended/libuio/libuio_0.2.1.bb2
-rw-r--r--meta-oe/recipes-extended/md5deep/md5deep_git.bb2
-rw-r--r--meta-oe/recipes-extended/mraa/mraa_git.bb2
-rw-r--r--meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb2
-rw-r--r--meta-oe/recipes-extended/ostree/ostree_2020.3.bb4
-rw-r--r--meta-oe/recipes-extended/p7zip/files/CVE-2016-9296.patch27
-rw-r--r--meta-oe/recipes-extended/p7zip/files/CVE-2018-5996.patch226
-rw-r--r--meta-oe/recipes-extended/p7zip/files/change_numMethods_from_bool_to_unsigned.patch27
-rw-r--r--meta-oe/recipes-extended/p7zip/p7zip_16.02.bb23
-rw-r--r--meta-oe/recipes-extended/p8platform/p8platform_git.bb2
-rw-r--r--meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb2
-rw-r--r--meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb2
-rw-r--r--meta-oe/recipes-extended/pmdk/pmdk_1.7.bb2
-rw-r--r--meta-oe/recipes-extended/polkit/files/CVE-2021-4034.patch74
-rw-r--r--meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch87
-rw-r--r--meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch33
-rw-r--r--meta-oe/recipes-extended/polkit/polkit_0.116.bb3
-rw-r--r--meta-oe/recipes-extended/redis/redis_5.0.14.bb (renamed from meta-oe/recipes-extended/redis/redis_5.0.9.bb)3
-rw-r--r--meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb2
-rw-r--r--meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb2
-rw-r--r--meta-oe/recipes-extended/rsyslog/librelp_1.5.0.bb2
-rw-r--r--meta-oe/recipes-extended/sanlock/sanlock_3.8.0.bb2
-rw-r--r--meta-oe/recipes-extended/sedutil/sedutil_git.bb2
-rw-r--r--meta-oe/recipes-extended/socketcan/can-isotp_git.bb2
-rw-r--r--meta-oe/recipes-extended/socketcan/can-utils_git.bb2
-rw-r--r--meta-oe/recipes-extended/socketcan/canutils_4.0.6.bb2
-rw-r--r--meta-oe/recipes-extended/socketcan/libsocketcan_0.0.11.bb2
-rw-r--r--meta-oe/recipes-extended/sysdig/sysdig_git.bb2
-rw-r--r--meta-oe/recipes-extended/tipcutils/tipcutils_git.bb2
-rw-r--r--meta-oe/recipes-extended/triggerhappy/triggerhappy_git.bb2
-rw-r--r--meta-oe/recipes-extended/upm/upm_git.bb2
-rw-r--r--meta-oe/recipes-extended/wipe/wipe_0.24.bb2
-rw-r--r--meta-oe/recipes-extended/wxwidgets/wxwidgets_git.bb2
-rw-r--r--meta-oe/recipes-extended/zlog/zlog_1.2.14.bb2
-rw-r--r--meta-oe/recipes-extended/zstd/zstd_1.4.5.bb2
-rw-r--r--meta-oe/recipes-gnome/pyxdg/pyxdg_0.26.bb2
-rw-r--r--meta-oe/recipes-graphics/dietsplash/dietsplash_git.bb2
-rw-r--r--meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb2
-rw-r--r--meta-oe/recipes-graphics/fbgrab/fbgrab_1.3.3.bb2
-rw-r--r--meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb2
-rw-r--r--meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb2
-rw-r--r--meta-oe/recipes-graphics/glm/glm_0.9.9.6.bb2
-rw-r--r--meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb13
-rw-r--r--meta-oe/recipes-graphics/jasper/jasper_2.0.16.bb2
-rw-r--r--meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.12.bb2
-rw-r--r--meta-oe/recipes-graphics/libyui/libyui-ncurses_2.52.0.bb2
-rw-r--r--meta-oe/recipes-graphics/libyui/libyui_3.6.0.bb2
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch72
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-2.patch86
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-15389.patch43
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-1.patch29
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-2.patch27
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-3.patch30
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-4.patch27
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27823.patch29
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27824.patch24
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27841.patch238
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27842.patch31
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27843.patch31
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27845.patch74
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb29
-rw-r--r--meta-oe/recipes-graphics/qrencode/qrencode_git.bb2
-rw-r--r--meta-oe/recipes-graphics/renderdoc/renderdoc_1.7.bb2
-rw-r--r--meta-oe/recipes-graphics/spir/spirv-shader-generator_git.bb2
-rw-r--r--meta-oe/recipes-graphics/spir/spirv-tools_git.bb11
-rw-r--r--meta-oe/recipes-graphics/tesseract/tesseract-lang_4.0.0.bb2
-rw-r--r--meta-oe/recipes-graphics/tesseract/tesseract_git.bb2
-rw-r--r--meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb2
-rw-r--r--meta-oe/recipes-graphics/ttf-fonts/ttf-droid_git.bb2
-rw-r--r--meta-oe/recipes-graphics/ttf-fonts/ttf-lohit_2.bb2
-rw-r--r--meta-oe/recipes-graphics/ttf-fonts/ttf-noto-emoji_20190815.bb2
-rw-r--r--meta-oe/recipes-graphics/unclutter-xfixes/unclutter-xfixes_1.5.bb2
-rw-r--r--meta-oe/recipes-graphics/vdpau/libvdpau_1.3.bb2
-rw-r--r--meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb2
-rw-r--r--meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch84
-rw-r--r--meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-45063.patch785
-rw-r--r--meta-oe/recipes-graphics/xorg-app/xterm_353.bb3
-rw-r--r--meta-oe/recipes-graphics/xorg-driver/xf86-video-armsoc_1.4.1.bb2
-rw-r--r--meta-oe/recipes-graphics/yad/yad_6.0.bb2
-rw-r--r--meta-oe/recipes-kernel/agent-proxy/agent-proxy_1.97.bb2
-rw-r--r--meta-oe/recipes-kernel/broadcom-bt-firmware/broadcom-bt-firmware_git.bb2
-rw-r--r--meta-oe/recipes-kernel/crash/crash_7.2.8.bb2
-rw-r--r--meta-oe/recipes-kernel/kpatch/kpatch.inc2
-rw-r--r--meta-oe/recipes-kernel/minicoredumper/minicoredumper_2.0.1.bb2
-rw-r--r--meta-oe/recipes-kernel/pm-graph/pm-graph_5.5.bb2
-rw-r--r--meta-oe/recipes-multimedia/jack/a2jmidid_9.bb2
-rw-r--r--meta-oe/recipes-multimedia/jack/jack_1.19.14.bb2
-rw-r--r--meta-oe/recipes-multimedia/libass/libass_0.14.0.bb2
-rw-r--r--meta-oe/recipes-multimedia/mplayer/mpv_0.32.0.bb2
-rw-r--r--meta-oe/recipes-multimedia/pipewire/pipewire-0.2_git.bb2
-rw-r--r--meta-oe/recipes-multimedia/pipewire/pipewire_git.bb2
-rw-r--r--meta-oe/recipes-multimedia/v4l2apps/yavta_git.bb2
-rw-r--r--meta-oe/recipes-multimedia/webm/libvpx_1.8.2.bb2
-rw-r--r--meta-oe/recipes-security/keyutils/keyutils_1.6.1.bb15
-rw-r--r--meta-oe/recipes-security/softhsm/softhsm_git.bb2
-rw-r--r--meta-oe/recipes-support/ace-cloud-editor/ace-cloud-editor_git.bb2
-rw-r--r--meta-oe/recipes-support/anthy/anthy_9100h.bb4
-rw-r--r--meta-oe/recipes-support/avro/avro-c_1.9.2.bb2
-rw-r--r--meta-oe/recipes-support/bdwgc/bdwgc_8.0.4.bb2
-rw-r--r--meta-oe/recipes-support/c-ares/c-ares/0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch27
-rw-r--r--meta-oe/recipes-support/c-ares/c-ares/cmake-install-libcares.pc.patch84
-rw-r--r--meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb (renamed from meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb)10
-rw-r--r--meta-oe/recipes-support/ceres-solver/ceres-solver_1.14.0.bb2
-rw-r--r--meta-oe/recipes-support/cli11/cli11_1.8.0.bb2
-rw-r--r--meta-oe/recipes-support/cmark/cmark_git.bb2
-rw-r--r--meta-oe/recipes-support/daemonize/daemonize_git.bb2
-rw-r--r--meta-oe/recipes-support/digitemp/digitemp_3.7.2.bb2
-rw-r--r--meta-oe/recipes-support/dstat/dstat_0.7.4.bb4
-rw-r--r--meta-oe/recipes-support/epeg/epeg_git.bb2
-rw-r--r--meta-oe/recipes-support/fmt/fmt_6.2.0.bb2
-rw-r--r--meta-oe/recipes-support/freerdp/freerdp_git.bb2
-rw-r--r--meta-oe/recipes-support/function2/function2_4.0.0.bb2
-rw-r--r--meta-oe/recipes-support/gd/gd_2.3.0.bb2
-rw-r--r--meta-oe/recipes-support/gflags/gflags_2.2.2.bb2
-rw-r--r--meta-oe/recipes-support/glog/glog_0.3.5.bb2
-rw-r--r--meta-oe/recipes-support/gnulib/gnulib_2018-03-07.03.bb2
-rw-r--r--meta-oe/recipes-support/gperftools/gperftools_2.7.90.bb2
-rw-r--r--meta-oe/recipes-support/gpm/gpm_git.bb2
-rw-r--r--meta-oe/recipes-support/hidapi/hidapi_git.bb2
-rw-r--r--meta-oe/recipes-support/hunspell/hunspell-dictionaries.bb2
-rw-r--r--meta-oe/recipes-support/hunspell/hunspell_1.7.0.bb2
-rw-r--r--meta-oe/recipes-support/hwdata/hwdata_git.bb2
-rw-r--r--meta-oe/recipes-support/iksemel/iksemel_1.5.bb2
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick_7.0.9.bb2
-rw-r--r--meta-oe/recipes-support/inih/libinih_git.bb2
-rw-r--r--meta-oe/recipes-support/iniparser/iniparser_4.1.bb2
-rw-r--r--meta-oe/recipes-support/inotify-tools/inotify-tools_git.bb2
-rw-r--r--meta-oe/recipes-support/libatasmart/libatasmart_0.19.bb2
-rw-r--r--meta-oe/recipes-support/libbytesize/libbytesize_2.2.bb2
-rw-r--r--meta-oe/recipes-support/libcereal/libcereal_1.3.0.bb2
-rw-r--r--meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb2
-rw-r--r--meta-oe/recipes-support/libfann/libfann_git.bb2
-rw-r--r--meta-oe/recipes-support/libgit2/libgit2_0.28.4.bb2
-rw-r--r--meta-oe/recipes-support/libgusb/libgusb_git.bb2
-rw-r--r--meta-oe/recipes-support/libharu/libharu_2.3.0.bb2
-rw-r--r--meta-oe/recipes-support/libiio/libiio_git.bb2
-rw-r--r--meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch158
-rw-r--r--meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb3
-rw-r--r--meta-oe/recipes-support/libmimetic/libmimetic_0.9.8.bb2
-rw-r--r--meta-oe/recipes-support/libmxml/libmxml_3.1.bb2
-rw-r--r--meta-oe/recipes-support/libp11/libp11_0.4.10.bb2
-rw-r--r--meta-oe/recipes-support/librsync/librsync_2.3.1.bb2
-rw-r--r--meta-oe/recipes-support/libsoc/libsoc_0.8.2.bb2
-rw-r--r--meta-oe/recipes-support/libteam/libteam_1.30.bb2
-rw-r--r--meta-oe/recipes-support/libtinyxml2/libtinyxml2_8.0.0.bb2
-rw-r--r--meta-oe/recipes-support/libusbg/libusbg_git.bb2
-rw-r--r--meta-oe/recipes-support/libusbgx/libusbgx_git.bb2
-rw-r--r--meta-oe/recipes-support/libutempter/libutempter.bb2
-rw-r--r--meta-oe/recipes-support/lio-utils/lio-utils_4.1.bb2
-rw-r--r--meta-oe/recipes-support/lvm2/lvm2.inc2
-rw-r--r--meta-oe/recipes-support/mcelog/mce-inject_git.bb2
-rw-r--r--meta-oe/recipes-support/mcelog/mce-test_git.bb2
-rw-r--r--meta-oe/recipes-support/mcelog/mcelog_168.bb2
-rw-r--r--meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb2
-rw-r--r--meta-oe/recipes-support/ne10/ne10_1.2.1.bb2
-rw-r--r--meta-oe/recipes-support/nss/nss/CVE-2020-12403_1.patch65
-rw-r--r--meta-oe/recipes-support/nss/nss/CVE-2020-12403_2.patch80
-rw-r--r--meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch283
-rw-r--r--meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch63
-rw-r--r--meta-oe/recipes-support/nss/nss_3.51.1.bb4
-rw-r--r--meta-oe/recipes-support/numactl/numactl_git.bb2
-rw-r--r--meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb2
-rw-r--r--meta-oe/recipes-support/opencl/clinfo_2.2.18.04.06.bb2
-rw-r--r--meta-oe/recipes-support/opencv/ade_0.1.1f.bb2
-rw-r--r--meta-oe/recipes-support/opencv/opencv_4.1.0.bb12
-rw-r--r--meta-oe/recipes-support/openldap/openldap/CVE-2022-29155.patch277
-rw-r--r--meta-oe/recipes-support/openldap/openldap_2.4.57.bb2
-rw-r--r--meta-oe/recipes-support/opensc/opensc_0.20.0.bb2
-rw-r--r--meta-oe/recipes-support/picocom/picocom_git.bb2
-rw-r--r--meta-oe/recipes-support/pidgin/funyahoo-plusplus_git.bb2
-rw-r--r--meta-oe/recipes-support/pidgin/icyque_git.bb2
-rw-r--r--meta-oe/recipes-support/pidgin/purple-skypeweb_git.bb2
-rw-r--r--meta-oe/recipes-support/poco/poco_1.9.4.bb2
-rw-r--r--meta-oe/recipes-support/pps-tools/pps-tools_1.0.2.bb2
-rw-r--r--meta-oe/recipes-support/remmina/remmina_1.3.6.bb2
-rw-r--r--meta-oe/recipes-support/rsnapshot/rsnapshot_git.bb2
-rw-r--r--meta-oe/recipes-support/sass/libsass_3.6.3.bb2
-rw-r--r--meta-oe/recipes-support/sass/sassc_git.bb2
-rw-r--r--meta-oe/recipes-support/satyr/satyr_0.28.bb2
-rw-r--r--meta-oe/recipes-support/serial-utils/pty-forward-native.bb2
-rw-r--r--meta-oe/recipes-support/serial-utils/serial-forward_git.bb2
-rw-r--r--meta-oe/recipes-support/span-lite/span-lite_git.bb2
-rw-r--r--meta-oe/recipes-support/spdlog/spdlog_1.5.0.bb2
-rw-r--r--meta-oe/recipes-support/spitools/spitools_git.bb2
-rw-r--r--meta-oe/recipes-support/thin-provisioning-tools/thin-provisioning-tools_0.8.5.bb2
-rw-r--r--meta-oe/recipes-support/toscoterm/toscoterm_git.bb2
-rw-r--r--meta-oe/recipes-support/udisks/udisks2/CVE-2021-3802.patch63
-rw-r--r--meta-oe/recipes-support/udisks/udisks2_git.bb3
-rw-r--r--meta-oe/recipes-support/uhubctl/uhubctl_2.1.0.bb2
-rw-r--r--meta-oe/recipes-support/uthash/uthash_2.1.0.bb2
-rw-r--r--meta-oe/recipes-support/utouch/utouch-evemu_git.bb2
-rw-r--r--meta-oe/recipes-support/utouch/utouch-frame_git.bb2
-rw-r--r--meta-oe/recipes-support/utouch/utouch-mtview_git.bb2
-rw-r--r--meta-oe/recipes-support/websocketpp/websocketpp_0.8.2.bb2
-rw-r--r--meta-oe/recipes-support/xdelta/xdelta3_3.1.0.bb2
-rw-r--r--meta-oe/recipes-support/xorg-xrdp/xorgxrdp_0.2.5.bb2
-rw-r--r--meta-oe/recipes-support/xrdp/xrdp_0.9.11.bb2
-rw-r--r--meta-oe/recipes-support/xxhash/xxhash_0.7.3.bb2
-rw-r--r--meta-oe/recipes-support/zbar/zbar_git.bb2
-rw-r--r--meta-oe/recipes-support/zchunk/zchunk_1.1.6.bb2
-rw-r--r--meta-oe/recipes-test/bats/bats_1.1.0.bb2
-rw-r--r--meta-oe/recipes-test/catch2/catch2_2.9.2.bb2
-rw-r--r--meta-oe/recipes-test/evtest/evtest_1.34.bb2
-rw-r--r--meta-oe/recipes-test/fbtest/fb-test_git.bb2
-rw-r--r--meta-oe/recipes-test/googletest/googletest_git.bb2
-rw-r--r--meta-oe/recipes-test/pm-qa/pm-qa_git.bb3
340 files changed, 5752 insertions, 565 deletions
diff --git a/meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb b/meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb
index de4fa1642..75a206c6b 100644
--- a/meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb
+++ b/meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
inherit setuptools3
-SRC_URI = "git://github.com/sivel/speedtest-cli.git"
+SRC_URI = "git://github.com/sivel/speedtest-cli.git;branch=master;protocol=https"
SRCREV = "c58ad3367bf27f4b4a4d5b1bca29ebd574731c5d"
S = "${WORKDIR}/git"
diff --git a/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb b/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb
index 065243ccf..f55247d9e 100644
--- a/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb
+++ b/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb
@@ -21,7 +21,7 @@ SRCREV_inih = "4b10c654051a86556dfdb634c891b6c3224c4109"
SRCREV_FORMAT = "rwmem_inih"
SRC_URI = " \
- git://github.com/tomba/rwmem.git;protocol=https;name=rwmem \
+ git://github.com/tomba/rwmem.git;protocol=https;name=rwmem;branch=master \
git://github.com/benhoyt/inih.git;protocol=https;name=inih;nobranch=1;destsuffix=git/ext/inih \
"
diff --git a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
index 58841ef31..cc15a8de3 100644
--- a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
+++ b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
@@ -14,7 +14,7 @@ inherit scons dos2unix siteinfo python3native
PV = "4.2.2"
#v4.2.2
SRCREV = "a0bbbff6ada159e19298d37946ac8dc4b497eadf"
-SRC_URI = "git://github.com/mongodb/mongo.git;branch=v4.2 \
+SRC_URI = "git://github.com/mongodb/mongo.git;branch=v4.2;protocol=https \
file://0001-Tell-scons-to-use-build-settings-from-environment-va.patch \
file://0001-Use-long-long-instead-of-int64_t.patch \
file://0001-Use-__GLIBC__-to-control-use-of-gnu_get_libc_version.patch \
@@ -56,6 +56,8 @@ EXTRA_OESCONS = "--prefix=${D}${prefix} \
LINKFLAGS='${LDFLAGS}' \
CXXFLAGS='${CXXFLAGS}' \
TARGET_ARCH=${TARGET_ARCH} \
+ MONGO_VERSION=${PV} \
+ OBJCOPY=${OBJCOPY} \
--ssl \
--disable-warnings-as-errors \
--use-system-zlib \
diff --git a/meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb b/meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb
index 275b984e4..f0a0c6797 100644
--- a/meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb
+++ b/meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=18810669f13b87348459e611d31ab760 \
PV = "0.5.9+git${SRCPV}"
SRCREV = "3a3d622d9bb74c44fa67bc20573751a207514134"
-SRC_URI = "git://github.com/lcdproc/lcdproc \
+SRC_URI = "git://github.com/lcdproc/lcdproc;branch=master;protocol=https \
file://0001-Fix-parallel-build-fix-port-internal-make-dependenci.patch \
file://0002-Include-limits.h-for-PATH_MAX-definition.patch \
file://0003-Fix-non-x86-platforms-on-musl.patch \
diff --git a/meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb b/meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb
index b21212a43..de2341da4 100644
--- a/meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb
+++ b/meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb
@@ -9,7 +9,7 @@ SRCREV = "ad7e646700d14b81413297bda02fb7fe96613c3f"
PV = "1.0+git${SRCPV}"
-SRC_URI = "git://github.com/ssvb/cpuburn-arm.git \
+SRC_URI = "git://github.com/ssvb/cpuburn-arm.git;branch=master;protocol=https \
file://0001-cpuburn-a8.S-Remove-.func-.endfunc.patch \
file://0002-burn.S-Add.patch \
file://0003-burn.S-Remove-.func-.endfunc.patch \
diff --git a/meta-oe/recipes-benchmark/fio/fio_3.17.bb b/meta-oe/recipes-benchmark/fio/fio_3.17.bb
index 759d1087c..bb3243a5c 100644
--- a/meta-oe/recipes-benchmark/fio/fio_3.17.bb
+++ b/meta-oe/recipes-benchmark/fio/fio_3.17.bb
@@ -23,7 +23,7 @@ PACKAGECONFIG ??= "${PACKAGECONFIG_NUMA}"
PACKAGECONFIG[numa] = ",--disable-numa,numactl"
SRCREV = "08ce9dc20b8a4e55db7af6d869ddfa49b4a02d03"
-SRC_URI = "git://git.kernel.dk/fio.git \
+SRC_URI = "git://git.kernel.dk/fio.git;branch=master \
file://0001-update-the-interpreter-paths.patch \
file://python3_shebangs.patch \
"
diff --git a/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb b/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb
index 6d20bbdaf..4976bf690 100644
--- a/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb
+++ b/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb
@@ -14,7 +14,7 @@ PV = "20191226+${SRCPV}"
COMPATIBLE_HOST_rpi = "${@bb.utils.contains('MACHINE_FEATURES', 'vc4graphics', '.*-linux*', 'null', d)}"
-SRC_URI = "git://github.com/glmark2/glmark2.git;protocol=https \
+SRC_URI = "git://github.com/glmark2/glmark2.git;protocol=https;branch=master \
file://python3.patch"
SRCREV = "72dabc5d72b49c6d45badeb8a941ba4d829b0bd6"
diff --git a/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb b/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb
index 4a520e3be..86e5fef53 100644
--- a/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb
+++ b/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb
@@ -19,3 +19,5 @@ EXTRA_OECONF = "--exec-prefix=${STAGING_DIR_HOST}${layout_exec_prefix}"
PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6', '', d)}"
PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
+
+CVE_PRODUCT = "iperf_project:iperf"
diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb
index 98d2faabf..b7ffb029a 100644
--- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb
+++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb
@@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=f9088fe7ffdccd042f7645f1012d7f70"
DEPENDS = "openssl"
-SRC_URI = "git://github.com/esnet/iperf.git \
+SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \
file://0002-Remove-pg-from-profile_CFLAGS.patch \
"
@@ -28,3 +28,5 @@ PACKAGECONFIG[lksctp] = "ac_cv_header_netinet_sctp_h=yes,ac_cv_header_netinet_sc
CFLAGS += "-D_GNU_SOURCE"
EXTRA_OECONF = "--with-openssl=${RECIPE_SYSROOT}${prefix}"
+
+CVE_PRODUCT = "iperf_project:iperf"
diff --git a/meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb b/meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb
index e81389431..60286c324 100644
--- a/meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb
+++ b/meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=9a825c63897c53f487ef900598c31527"
SRCREV = "b6b2ce5f9f87a09b14499cb00c600c601f022634"
PV = "20110206+git${SRCPV}"
-SRC_URI = "git://git.musl-libc.org/libc-bench \
+SRC_URI = "git://git.musl-libc.org/libc-bench;branch=master \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb b/meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb
index 4768d7b63..d6c35d0b3 100644
--- a/meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb
+++ b/meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb
@@ -12,7 +12,7 @@ PE = "1"
SRCREV = "e6499ff92b4a7dcffbd131d1f5d24933e48c3f20"
SRC_URI = " \
- git://github.com/libhugetlbfs/libhugetlbfs.git;protocol=https \
+ git://github.com/libhugetlbfs/libhugetlbfs.git;protocol=https;branch=master \
file://skip-checking-LIB32-and-LIB64-if-they-point-to-the-s.patch \
file://libhugetlbfs-avoid-search-host-library-path-for-cros.patch \
file://tests-Makefile-install-static-4G-edge-testcases.patch \
diff --git a/meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb b/meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb
index a2966e99d..d30ea5a01 100644
--- a/meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb
+++ b/meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=55ea9d559f985fb4834317d8ed6b9e58"
SRCREV = "fb72e5e5f0879231f38e0e826a98a6ca2d1ca38e"
-SRC_URI = "git://github.com/stressapptest/stressapptest \
+SRC_URI = "git://github.com/stressapptest/stressapptest;branch=master;protocol=https \
file://libcplusplus-compat.patch \
file://read_sysfs_for_cachesize.patch \
"
diff --git a/meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb b/meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb
index 2ce10f9c4..9c20d68ef 100644
--- a/meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb
+++ b/meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://main.c;endline=22;md5=879b9bbb60851454885b5fa47eb6b34
PV = "0.4.0+git${SRCPV}"
SRCREV = "a2cf6d7e382e3aea1eb39173174d9fa28cad15f3"
-SRC_URI = "git://github.com/ssvb/tinymembench.git \
+SRC_URI = "git://github.com/ssvb/tinymembench.git;branch=master;protocol=https \
file://0001-asm-Delete-.func-.endfunc-directives.patch \
"
diff --git a/meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb b/meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb
index 88fcc0200..589d62717 100644
--- a/meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb
+++ b/meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
SRCREV = "a2f0c39d5f21596bb9f5223e895c0ff210b265d0"
# SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/cpufreq/cpufrequtils.git
-SRC_URI = "git://github.com/emagii/cpufrequtils.git \
+SRC_URI = "git://github.com/emagii/cpufrequtils.git;branch=master;protocol=https \
file://0001-dont-unset-cflags.patch \
"
diff --git a/meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb b/meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb
index b89fe6771..e42adc6dc 100644
--- a/meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb
+++ b/meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb
@@ -11,7 +11,7 @@ PV = "0.18+git${SRCPV}"
S = "${WORKDIR}/git"
-SRC_URI = "git://github.com/grondo/edac-utils \
+SRC_URI = "git://github.com/grondo/edac-utils;branch=master;protocol=https \
file://make-init-script-be-able-to-automatically-load-EDAC-.patch \
file://add-restart-to-initscript.patch \
file://edac.service \
diff --git a/meta-oe/recipes-bsp/ledmon/ledmon_git.bb b/meta-oe/recipes-bsp/ledmon/ledmon_git.bb
index f9ae9aad9..1a9cb18c5 100644
--- a/meta-oe/recipes-bsp/ledmon/ledmon_git.bb
+++ b/meta-oe/recipes-bsp/ledmon/ledmon_git.bb
@@ -16,7 +16,7 @@ inherit autotools systemd
SYSTEMD_SERVICE_${PN} = "ledmon.service"
# 0.93
-SRC_URI = "git://github.com/intel/ledmon;branch=master \
+SRC_URI = "git://github.com/intel/ledmon;branch=master;protocol=https \
file://0002-include-sys-select.h-and-sys-types.h.patch \
file://0001-Don-t-build-with-Werror-to-fix-compile-error.patch \
"
diff --git a/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb b/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb
index 890db55bc..37a98a099 100644
--- a/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb
+++ b/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb
@@ -10,7 +10,7 @@ DEPENDS = " \
virtual/libiconv \
"
-SRC_URI = "git://github.com/lm-sensors/lm-sensors.git;protocol=https \
+SRC_URI = "git://github.com/lm-sensors/lm-sensors.git;protocol=https;branch=master \
file://fancontrol.init \
file://sensord.init \
"
@@ -95,7 +95,7 @@ RDEPENDS_${PN} += " \
${PN}-sensorsdetect \
${PN}-sensorsconfconvert \
${PN}-pwmconfig \
- ${PN}-isatools \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'x86', '${PN}-isatools', '', d)} \
"
# libsensors packages
diff --git a/meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb b/meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb
index 4f4bb2dfa..9344c17dc 100644
--- a/meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb
+++ b/meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=8264535c0c4e9c6c335635c4026a8022"
DEPENDS = "util-linux"
PV .= "+git${SRCPV}"
-SRC_URI = "git://github.com/linux-nvme/nvme-cli.git \
+SRC_URI = "git://github.com/linux-nvme/nvme-cli.git;branch=master;protocol=https \
file://0001-fix-musl-compilation.patch \
"
SRCREV = "1d84d6ae0c7d7ceff5a73fe174dde8b0005f6108"
diff --git a/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb b/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb
index 6b4decce5..64595d59c 100644
--- a/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb
+++ b/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb
@@ -9,7 +9,7 @@ DEPENDS += "glib-2.0-native"
PV = "0.2+git${SRCPV}"
-SRC_URI = "git://github.com/labapart/gattlib.git \
+SRC_URI = "git://github.com/labapart/gattlib.git;branch=master;protocol=https \
file://dbus-avoid-strange-chars-from-the-build-dir.patch \
file://0001-cmake-Use-GNUInstallDirs.patch \
"
@@ -28,5 +28,5 @@ EXTRA_OECMAKE += "-DGATTLIB_BUILD_DOCS=OFF"
inherit pkgconfig cmake
-FILES_${PN} = "${libdir}/* ${includedir}/*"
-FILES_${PN}-dev = "${includedir}/*"
+FILES_${PN} = "${libdir}/*"
+FILES_${PN}-dev = "${includedir}/* ${libdir}/pkgconfig"
diff --git a/meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb b/meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb
index 8c97662df..bee757d5a 100644
--- a/meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb
+++ b/meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=a0fd36908af843bcee10cb6dfc47fa67 \
SRCREV = "95ec1ab31ee97411fc37156d12061adcf0331598"
PV = "1.5.3+git${SRCPV}"
-SRC_URI = "git://github.com/cminyard/gensio;protocol=https \
+SRC_URI = "git://github.com/cminyard/gensio;protocol=https;branch=master \
file://0001-filter-Rename-some-variables-to-tr_stdxxx.patch \
"
diff --git a/meta-oe/recipes-connectivity/iwd/iwd_1.9.bb b/meta-oe/recipes-connectivity/iwd/iwd_1.9.bb
index 25500e650..1606f10cf 100644
--- a/meta-oe/recipes-connectivity/iwd/iwd_1.9.bb
+++ b/meta-oe/recipes-connectivity/iwd/iwd_1.9.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fb504b67c50331fc78734fed90fb0e09"
DEPENDS = "ell"
-SRC_URI = "git://git.kernel.org/pub/scm/network/wireless/iwd.git"
+SRC_URI = "git://git.kernel.org/pub/scm/network/wireless/iwd.git;branch=master"
SRCREV = "aa3dc1b95348dea177e9d8c2c3063b29e20fe2e9"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb b/meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb
index 908b98d8c..b1a9ed7ec 100644
--- a/meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb
+++ b/meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb
@@ -12,7 +12,7 @@ DEPENDS = "libplist usbmuxd libusbmuxd libtasn1 gnutls libgcrypt"
SRCREV = "fb71aeef10488ed7b0e60a1c8a553193301428c0"
PV = "1.2.0+git${SRCPV}"
SRC_URI = "\
- git://github.com/libimobiledevice/libimobiledevice;protocol=https \
+ git://github.com/libimobiledevice/libimobiledevice;protocol=https;branch=master \
file://configure-fix-largefile.patch \
"
diff --git a/meta-oe/recipes-connectivity/libndp/libndp_1.7.bb b/meta-oe/recipes-connectivity/libndp/libndp_1.7.bb
index 07a7a1d23..2537963dd 100644
--- a/meta-oe/recipes-connectivity/libndp/libndp_1.7.bb
+++ b/meta-oe/recipes-connectivity/libndp/libndp_1.7.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "http://libndp.org/"
LICENSE = "LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
-SRC_URI = "git://github.com/jpirko/libndp \
+SRC_URI = "git://github.com/jpirko/libndp;branch=master;protocol=https \
"
# tag for v1.6
SRCREV = "96674e7d4f4d569c2c961e865cc16152dfab5f09"
diff --git a/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb b/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb
index 3ee69554b..b4094dd6f 100644
--- a/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb
+++ b/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
DEPENDS = "zlib libsigc++-2.0 openssl cppunit"
-SRC_URI = "git://github.com/rakshasa/libtorrent \
+SRC_URI = "git://github.com/rakshasa/libtorrent;branch=master;protocol=https \
file://don-t-run-code-while-configuring-package.patch \
"
SRCREV = "756f70010779927dc0691e1e722ed433d5d295e1"
diff --git a/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb b/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb
index 757720731..41e95f56a 100644
--- a/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb
+++ b/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb
@@ -5,7 +5,7 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=a68902a430e32200263d182d44924d47"
SRCREV = "533b738838ad8407032e14b6772b29ef9af63cfa"
-SRC_URI = "git://github.com/libuv/libuv;branch=v1.x \
+SRC_URI = "git://github.com/libuv/libuv;branch=v1.x;protocol=https \
file://CVE-2020-8252.patch"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.bb b/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.1.bb
index c98976779..79e59a8fe 100644
--- a/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.bb
+++ b/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.1.bb
@@ -2,14 +2,13 @@ DESCRIPTION = "Precision Time Protocol (PTP) according to IEEE standard 1588 for
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-SRC_URI = "http://sourceforge.net/projects/linuxptp/files/v${PV}/linuxptp-${PV}.tgz \
+SRC_URI = "http://sourceforge.net/projects/linuxptp/files/v2.0/linuxptp-${PV}.tgz \
file://build-Allow-CC-and-prefix-to-be-overriden.patch \
file://Use-cross-cpp-in-incdefs.patch \
file://time_t_maybe_long_long.patch \
"
-SRC_URI[md5sum] = "d8bb7374943bb747db7786ac26f17f11"
-SRC_URI[sha256sum] = "0a24d9401e87d4af023d201e234d91127d82c350daad93432106284aa9459c7d"
+SRC_URI[sha256sum] = "6f4669db1733747427217a9e74c8b5ca25c4245947463e9cdb860ec8f5ec797a"
EXTRA_OEMAKE = "ARCH=${TARGET_ARCH} EXTRA_CFLAGS='${CFLAGS}'"
diff --git a/meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb b/meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb
index 3a1222e89..d070111e9 100644
--- a/meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb
+++ b/meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = " \
file://about.html;md5=e5662cbb5f8fd5c9faac526e4077898e \
"
-SRC_URI = "git://github.com/eclipse/paho.mqtt.c;protocol=http \
+SRC_URI = "git://github.com/eclipse/paho.mqtt.c;protocol=http;branch=master;protocol=https \
file://0001-Fix-bug-of-free-with-musl.patch"
SRCREV = "3148fe2d5f4b87e16266dfe559c0764e16ca0546"
diff --git a/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb b/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb
index 2ef6b187e..bbc311ee1 100644
--- a/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb
+++ b/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/alanxz/rabbitmq-c"
LIC_FILES_CHKSUM = "file://LICENSE-MIT;md5=6b7424f9db80cfb11fdd5c980b583f53"
LICENSE = "MIT"
-SRC_URI = "git://github.com/alanxz/rabbitmq-c.git"
+SRC_URI = "git://github.com/alanxz/rabbitmq-c.git;branch=master;protocol=https"
# v0.10.0-master
SRCREV = "ffe918a5fcef72038a88054dca3c56762b1953d4"
diff --git a/meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb b/meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb
index 331f978f8..41fb1ec82 100644
--- a/meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb
+++ b/meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
DEPENDS = "libsigc++-2.0 curl cppunit libtorrent ncurses"
-SRC_URI = "git://github.com/rakshasa/rtorrent \
+SRC_URI = "git://github.com/rakshasa/rtorrent;branch=master;protocol=https \
file://don-t-run-code-while-configuring-package.patch \
"
# v0.9.8
diff --git a/meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb b/meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb
index 728423432..7993e608d 100644
--- a/meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb
+++ b/meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb
@@ -10,7 +10,7 @@ inherit autotools pkgconfig gitpkgv systemd
PKGV = "${GITPKGVTAG}"
SRCREV = "ee85938c21043ef5f7cd4dfbc7677f385814d4d8"
-SRC_URI = "git://github.com/libimobiledevice/usbmuxd;protocol=https"
+SRC_URI = "git://github.com/libimobiledevice/usbmuxd;protocol=https;branch=master"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb b/meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb
index 99cfb3205..dd2b4392c 100644
--- a/meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb
+++ b/meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb
@@ -9,7 +9,7 @@ SECTION = "test"
S = "${WORKDIR}/git"
SRCREV = "f7a8d7ef7d1a831c1bb47de21fa083536ea2f3a9"
-SRC_URI = "git://github.com/Wi-FiTestSuite/Wi-FiTestSuite-Linux-DUT.git \
+SRC_URI = "git://github.com/Wi-FiTestSuite/Wi-FiTestSuite-Linux-DUT.git;branch=master;protocol=https \
file://0001-Use-toolchain-from-environment-variables.patch \
file://0002-Add-missing-include-removes-unnedded-stuff-and-add-n.patch \
file://0003-fix-path-to-usr-sbin-for-script-and-make-script-for-.patch \
diff --git a/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb b/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb
index 0b66970a9..2a435897d 100644
--- a/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb
+++ b/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb
@@ -7,7 +7,7 @@ DEPENDS = "zeromq"
SRCREV = "8d5c9a88988dcbebb72939ca0939d432230ffde1"
PV = "4.6.0"
-SRC_URI = "git://github.com/zeromq/cppzmq.git"
+SRC_URI = "git://github.com/zeromq/cppzmq.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch b/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch
index 2c4ca057f..1c2fc3813 100644
--- a/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch
+++ b/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch
@@ -21,7 +21,7 @@ index 009e4fd..f3f0d80 100644
if (!dbus_conn)
- return;
-+ DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
++ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
if (verbose)
g_print ("New message from server: type='%d' path='%s' iface='%s'"
diff --git a/meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb b/meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb
index 42cd032c2..f40b48836 100644
--- a/meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb
+++ b/meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb
@@ -6,7 +6,7 @@ SRCREV = "1226a0a1374628ff191f6d8a56000be5e53e7608"
PV = "0.0.0+gitr${SRCPV}"
PR = "r1.59"
-SRC_URI = "git://github.com/alban/dbus-daemon-proxy \
+SRC_URI = "git://github.com/alban/dbus-daemon-proxy;branch=master;protocol=https \
file://0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-core/emlog/emlog.inc b/meta-oe/recipes-core/emlog/emlog.inc
index 9a0f9ba92..948e18da4 100644
--- a/meta-oe/recipes-core/emlog/emlog.inc
+++ b/meta-oe/recipes-core/emlog/emlog.inc
@@ -3,7 +3,7 @@ most recent (and only the most recent) output from a process"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
-SRC_URI = "git://github.com/nicupavel/emlog.git;protocol=http"
+SRC_URI = "git://github.com/nicupavel/emlog.git;protocol=http;branch=master;protocol=https"
SRCREV = "aee53e8dee862f35291242ba41b0ca88010f6c71"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-core/glfw/glfw_3.3.bb b/meta-oe/recipes-core/glfw/glfw_3.3.bb
index 0fcf716c8..c920cbd50 100644
--- a/meta-oe/recipes-core/glfw/glfw_3.3.bb
+++ b/meta-oe/recipes-core/glfw/glfw_3.3.bb
@@ -12,7 +12,7 @@ inherit pkgconfig cmake features_check
PV .= "+git${SRCPV}"
SRCREV = "781fbbadb0bccc749058177b1385c82da9ace880"
-SRC_URI = "git://github.com/glfw/glfw.git"
+SRC_URI = "git://github.com/glfw/glfw.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-core/libnfc/libnfc_git.bb b/meta-oe/recipes-core/libnfc/libnfc_git.bb
index 2851ecf9f..65586247a 100644
--- a/meta-oe/recipes-core/libnfc/libnfc_git.bb
+++ b/meta-oe/recipes-core/libnfc/libnfc_git.bb
@@ -11,7 +11,7 @@ PV = "1.7.1+git${SRCPV}"
S = "${WORKDIR}/git"
SRCREV = "2d4543673e9b76c02679ca8b89259659f1afd932"
-SRC_URI = "git://github.com/nfc-tools/libnfc.git \
+SRC_URI = "git://github.com/nfc-tools/libnfc.git;branch=master;protocol=https \
file://0001-usbbus-Include-stdint.h-for-uintX_t.patch \
"
diff --git a/meta-oe/recipes-core/mdbus2/mdbus2_git.bb b/meta-oe/recipes-core/mdbus2/mdbus2_git.bb
index 82f2cf8c9..fa98e1cb4 100644
--- a/meta-oe/recipes-core/mdbus2/mdbus2_git.bb
+++ b/meta-oe/recipes-core/mdbus2/mdbus2_git.bb
@@ -6,7 +6,7 @@ DEPENDS = "readline"
PV = "2.3.3+git${SRCPV}"
-SRC_URI = "git://github.com/freesmartphone/mdbus.git;protocol=http"
+SRC_URI = "git://github.com/freesmartphone/mdbus.git;protocol=http;branch=master;protocol=https"
SRCREV = "28202692d0b441000f4ddb8f347f72d1355021aa"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-core/ndctl/ndctl_v67.bb b/meta-oe/recipes-core/ndctl/ndctl_v67.bb
index da0c6563a..19d96414d 100644
--- a/meta-oe/recipes-core/ndctl/ndctl_v67.bb
+++ b/meta-oe/recipes-core/ndctl/ndctl_v67.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e66651809cac5da60c8b80e9e4e79e08"
inherit autotools-brokensep pkgconfig bash-completion systemd
SRCREV = "637bb424dc317a044c722a671355ef9df0e0d30f"
-SRC_URI = "git://github.com/pmem/ndctl.git"
+SRC_URI = "git://github.com/pmem/ndctl.git;branch=master;protocol=https"
DEPENDS = "kmod udev json-c keyutils"
diff --git a/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb b/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb
index dec1bea56..1d86f48ae 100644
--- a/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb
+++ b/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb
@@ -6,7 +6,7 @@ SECTION = "base"
S = "${WORKDIR}/git"
SRCREV = "40c5d226c7c0706f0176884e9b94b3886679c983"
-SRC_URI = "git://github.com/KhronosGroup/OpenCL-Headers.git"
+SRC_URI = "git://github.com/KhronosGroup/OpenCL-Headers.git;branch=main;protocol=https"
do_configure[noexec] = "1"
do_compile[noexec] = "1"
diff --git a/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb b/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb
index 7c49c8d55..de355d29d 100644
--- a/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb
+++ b/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb
@@ -8,7 +8,7 @@ inherit pkgconfig cmake
S = "${WORKDIR}/git"
SRCREV = "b342ff7b7f70a4b3f2cfc53215af8fa20adc3d86"
-SRC_URI = "git://github.com/KhronosGroup/OpenCL-ICD-Loader.git"
+SRC_URI = "git://github.com/KhronosGroup/OpenCL-ICD-Loader.git;branch=main;protocol=https"
do_install () {
install -d ${D}${bindir}
diff --git a/meta-oe/recipes-core/safec/safec_3.5.1.bb b/meta-oe/recipes-core/safec/safec_3.5.1.bb
index 91d8fc65a..29158094a 100644
--- a/meta-oe/recipes-core/safec/safec_3.5.1.bb
+++ b/meta-oe/recipes-core/safec/safec_3.5.1.bb
@@ -9,7 +9,7 @@ inherit autotools pkgconfig
S = "${WORKDIR}/git"
# v08112019
SRCREV = "ad76c7b1dbd0403b0c9decf54164fcce271c590f"
-SRC_URI = "git://github.com/rurban/safeclib.git \
+SRC_URI = "git://github.com/rurban/safeclib.git;branch=master;protocol=https \
"
COMPATIBLE_HOST = '(x86_64|i.86|powerpc|powerpc64|arm|aarch64|mips).*-linux'
diff --git a/meta-oe/recipes-core/sdbus-c++/sdbus-c++-0.8.1/0001-Try-to-first-find-googletest-in-the-system-before-do.patch b/meta-oe/recipes-core/sdbus-c++/sdbus-c++-0.8.1/0001-Try-to-first-find-googletest-in-the-system-before-do.patch
new file mode 100644
index 000000000..89cb593e6
--- /dev/null
+++ b/meta-oe/recipes-core/sdbus-c++/sdbus-c++-0.8.1/0001-Try-to-first-find-googletest-in-the-system-before-do.patch
@@ -0,0 +1,96 @@
+From b073e1c2b9a8138da83300f598b9a56fc9762b4b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stanislav=20Angelovi=C4=8D?= <angelovic.s@gmail.com>
+Date: Mon, 16 Nov 2020 17:05:36 +0100
+Subject: [PATCH] Try to first find googletest in the system before downloading
+ it (#125)
+
+Upstream-Status: Backport [d6fdaca]
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+
+---
+ tests/CMakeLists.txt | 62 ++++++++++++++++++++++++++++----------------
+ 1 file changed, 40 insertions(+), 22 deletions(-)
+
+diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
+index 97f7c1a..7ecc327 100644
+--- a/tests/CMakeLists.txt
++++ b/tests/CMakeLists.txt
+@@ -2,26 +2,44 @@
+ # DOWNLOAD AND BUILD OF GOOGLETEST
+ #-------------------------------
+
+-include(FetchContent)
+-
+-message("Fetching googletest...")
+-FetchContent_Declare(googletest
+- GIT_REPOSITORY https://github.com/google/googletest.git
+- GIT_TAG master
+- GIT_SHALLOW 1
+- UPDATE_COMMAND "")
+-
+-#FetchContent_MakeAvailable(googletest) # Not available in CMake 3.13 :-( Let's do it manually:
+-FetchContent_GetProperties(googletest)
+-if(NOT googletest_POPULATED)
+- FetchContent_Populate(googletest)
+- set(gtest_force_shared_crt ON CACHE INTERNAL "" FORCE)
+- set(BUILD_GMOCK ON CACHE INTERNAL "" FORCE)
+- set(INSTALL_GTEST OFF CACHE INTERNAL "" FORCE)
+- set(BUILD_SHARED_LIBS_BAK ${BUILD_SHARED_LIBS})
+- set(BUILD_SHARED_LIBS OFF)
+- add_subdirectory(${googletest_SOURCE_DIR} ${googletest_BINARY_DIR})
+- set(BUILD_SHARED_LIBS ${BUILD_SHARED_LIBS_BAK})
++set(GOOGLETEST_VERSION 1.10.0 CACHE STRING "Version of gmock to use")
++set(GOOGLETEST_GIT_REPO "https://github.com/google/googletest.git" CACHE STRING "A git repo to clone and build googletest from if gmock is not found in the system")
++
++find_package(GTest ${GOOGLETEST_VERSION} CONFIG)
++if (NOT TARGET GTest::gmock)
++ # Try pkg-config if GTest was not found through CMake config
++ find_package(PkgConfig)
++ if (PkgConfig_FOUND)
++ pkg_check_modules(GMock IMPORTED_TARGET GLOBAL gmock>=${GOOGLETEST_VERSION})
++ if(TARGET PkgConfig::GMock)
++ add_library(GTest::gmock ALIAS PkgConfig::GMock)
++ endif()
++ endif()
++ # GTest was not found in the system, build it on our own
++ if (NOT TARGET GTest::gmock)
++ include(FetchContent)
++
++ message("Fetching googletest...")
++ FetchContent_Declare(googletest
++ GIT_REPOSITORY ${GOOGLETEST_GIT_REPO}
++ GIT_TAG release-${GOOGLETEST_VERSION}
++ GIT_SHALLOW 1
++ UPDATE_COMMAND "")
++
++ #FetchContent_MakeAvailable(googletest) # Not available in CMake 3.13 :-( Let's do it manually:
++ FetchContent_GetProperties(googletest)
++ if(NOT googletest_POPULATED)
++ FetchContent_Populate(googletest)
++ set(gtest_force_shared_crt ON CACHE INTERNAL "" FORCE)
++ set(BUILD_GMOCK ON CACHE INTERNAL "" FORCE)
++ set(INSTALL_GTEST OFF CACHE INTERNAL "" FORCE)
++ set(BUILD_SHARED_LIBS_BAK ${BUILD_SHARED_LIBS})
++ set(BUILD_SHARED_LIBS OFF)
++ add_subdirectory(${googletest_SOURCE_DIR} ${googletest_BINARY_DIR})
++ set(BUILD_SHARED_LIBS ${BUILD_SHARED_LIBS_BAK})
++ add_library(GTest::gmock ALIAS gmock)
++ endif()
++ endif()
+ endif()
+
+ #-------------------------------
+@@ -87,11 +105,11 @@ include_directories(${CMAKE_CURRENT_SOURCE_DIR})
+
+ add_executable(sdbus-c++-unit-tests ${UNITTESTS_SRCS})
+ target_compile_definitions(sdbus-c++-unit-tests PRIVATE LIBSYSTEMD_VERSION=${LIBSYSTEMD_VERSION})
+-target_link_libraries(sdbus-c++-unit-tests sdbus-c++-objlib gmock gmock_main)
++target_link_libraries(sdbus-c++-unit-tests sdbus-c++-objlib GTest::gmock)
+
+ add_executable(sdbus-c++-integration-tests ${INTEGRATIONTESTS_SRCS})
+ target_compile_definitions(sdbus-c++-integration-tests PRIVATE LIBSYSTEMD_VERSION=${LIBSYSTEMD_VERSION})
+-target_link_libraries(sdbus-c++-integration-tests sdbus-c++ gmock gmock_main)
++target_link_libraries(sdbus-c++-integration-tests sdbus-c++ GTest::gmock)
+
+ # Manual performance and stress tests
+ option(ENABLE_PERF_TESTS "Build and install manual performance tests (default OFF)" OFF)
diff --git a/meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb b/meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb
index c8e81a412..f0e928d0d 100644
--- a/meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb
+++ b/meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb
@@ -12,7 +12,7 @@ DEPENDS += "gperf-native gettext-native util-linux libcap"
SRCREV = "efb536d0cbe2e58f80e501d19999928c75e08f6a"
SRCBRANCH = "v243-stable"
-SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=git;branch=${SRCBRANCH}"
+SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=https;branch=${SRCBRANCH}"
SRC_URI += "file://static-libsystemd-pkgconfig.patch"
diff --git a/meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb b/meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb
index c4d63fd27..a94fb8def 100644
--- a/meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb
+++ b/meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb
@@ -12,13 +12,16 @@ PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'with-exte
${@bb.utils.contains('PTEST_ENABLED', '1', 'with-tests', '', d)}"
PACKAGECONFIG[with-builtin-libsystemd] = ",,sdbus-c++-libsystemd,libcap"
PACKAGECONFIG[with-external-libsystemd] = ",,systemd,libsystemd"
-PACKAGECONFIG[with-tests] = "-DBUILD_TESTS=ON -DTESTS_INSTALL_PATH=${libdir}/${BPN}/tests,-DBUILD_TESTS=OFF"
+PACKAGECONFIG[with-tests] = "-DBUILD_TESTS=ON -DTESTS_INSTALL_PATH=${libdir}/${BPN}/tests,-DBUILD_TESTS=OFF,googletest gmock"
DEPENDS += "expat"
SRCREV = "3a4f343fb924650e7639660efa5f143961162044"
-SRC_URI = "git://github.com/Kistler-Group/sdbus-cpp.git;protocol=https;branch=master"
-SRC_URI += "file://run-ptest"
+
+SRC_URI = "git://github.com/Kistler-Group/sdbus-cpp.git;protocol=https;branch=master \
+ file://0001-Try-to-first-find-googletest-in-the-system-before-do.patch \
+ file://run-ptest \
+"
EXTRA_OECMAKE = "-DBUILD_CODE_GEN=ON \
-DBUILD_DOC=ON \
diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.7.bb
index b9668eb09..d303f27eb 100644
--- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb
+++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.7.bb
@@ -21,8 +21,8 @@ RDEPENDS_${PN} = " \
"
SRC_URI = "${KERNELORG_MIRROR}/linux/utils/${BPN}/v${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}/${BP}.tar.xz"
-SRC_URI[md5sum] = "6e4ffb6d35a73f7539a5d0c1354654cd"
-SRC_URI[sha256sum] = "a89e13dff0798fd0280e801d5f0cc8cfdb2aa5b1929bec1b7322e13d3eca95fb"
+SRC_URI[md5sum] = "9c5952cebb836ee783b0b76c5380a964"
+SRC_URI[sha256sum] = "61835132a5986217af17b8943013aa3fe6d47bdc1a07386343526765e2ce27a9"
inherit autotools gettext pkgconfig
@@ -54,7 +54,7 @@ PACKAGECONFIG[veritysetup] = "--enable-veritysetup,--disable-veritysetup"
PACKAGECONFIG[cryptsetup-reencrypt] = "--enable-cryptsetup-reencrypt,--disable-cryptsetup-reencrypt"
PACKAGECONFIG[integritysetup] = "--enable-integritysetup,--disable-integritysetup"
PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux"
-PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev"
+PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev lvm2-udevrules"
PACKAGECONFIG[kernel_crypto] = "--enable-kernel_crypto,--disable-kernel_crypto"
# gcrypt-pkbdf2 requries --with-crypto_backend=gcrypt or the flag isn't
# recognized.
diff --git a/meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb b/meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb
index 4e217a351..ad5355ea6 100644
--- a/meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb
+++ b/meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb
@@ -9,7 +9,7 @@ S = "${WORKDIR}/git"
SRCREV = "5649050d201856bf06c8738b5d2aa1710c86ac2f"
PV = "1.1.5"
SRC_URI = " \
- git://github.com/smuellerDD/libkcapi.git \
+ git://github.com/smuellerDD/libkcapi.git;branch=master;protocol=https \
file://0001-kcapi-kdf-Move-code-to-fix.patch \
file://0001-Use-__builtin_bswap32-on-Clang-if-supported.patch \
"
diff --git a/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb b/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb
index 9b6e7ccbe..321aa4fdc 100644
--- a/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb
+++ b/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb
@@ -15,7 +15,7 @@ LIC_FILES_CHKSUM = " \
file://COPYING.GPL;md5=8a71d0475d08eee76d8b6d0c6dbec543 \
file://COPYING.BSD;md5=66b7a37c3c10483c1fd86007726104d7 \
"
-SRC_URI = "git://github.com/OpenSC/${BPN}.git"
+SRC_URI = "git://github.com/OpenSC/${BPN}.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
# v1.26
diff --git a/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb b/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb
index b597ef1ea..48f2fd8ac 100644
--- a/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb
+++ b/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb
@@ -4,7 +4,7 @@ HOMEPAGE = "https://github.com/google/leveldb"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=92d1b128950b11ba8495b64938fc164d"
-SRC_URI = "git://github.com/google/${BPN}.git \
+SRC_URI = "git://github.com/google/${BPN}.git;branch=main;protocol=https \
file://run-ptest"
SRCREV = "78b39d68c15ba020c0d60a3906fb66dbf1697595"
diff --git a/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.20.bb b/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.25.bb
index e1a038dfa..e1a038dfa 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.20.bb
+++ b/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.25.bb
diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc
index 0fb0c95ec..565f4d561 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb.inc
+++ b/meta-oe/recipes-dbs/mysql/mariadb.inc
@@ -15,12 +15,10 @@ SRC_URI = "https://downloads.mariadb.org/interstitial/${BP}/source/${BP}.tar.gz
file://support-files-CMakeLists.txt-fix-do_populate_sysroot.patch \
file://sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch \
file://0001-disable-ucontext-on-musl.patch \
- file://c11_atomics.patch \
- file://clang_version_header_conflict.patch \
file://fix-arm-atomic.patch \
"
-SRC_URI[md5sum] = "c3bc7a3eca3b0bbae5748f7b22a55c0c"
-SRC_URI[sha256sum] = "87d5e29ee1f18de153266ec658138607703ed2a05b3ffb1f89091d33f4abf545"
+
+SRC_URI[sha256sum] = "ff963c4e11bc06b775f66f2b1ddef184996208fb4b23cfdb50d95fb02eaa7ef8"
UPSTREAM_CHECK_URI = "https://github.com/MariaDB/server/releases"
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch b/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch
deleted file mode 100644
index b1ce96360..000000000
--- a/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-Author: Vicențiu Ciorbaru <vicentiu@mariadb.org>
-Date: Fri Dec 21 19:14:04 2018 +0200
-
- Link with libatomic to enable C11 atomics support
-
- Some architectures (mips) require libatomic to support proper
- atomic operations. Check first if support is available without
- linking, otherwise use the library.
-
-Upstream-Status: Pending
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
-Index: mariadb-10.4.17/configure.cmake
-===================================================================
---- mariadb-10.4.17.orig/configure.cmake
-+++ mariadb-10.4.17/configure.cmake
-@@ -863,7 +863,25 @@ int main()
- long long int *ptr= &var;
- return (int)__atomic_load_n(ptr, __ATOMIC_SEQ_CST);
- }"
--HAVE_GCC_C11_ATOMICS)
-+HAVE_GCC_C11_ATOMICS_WITHOUT_LIBATOMIC)
-+IF (HAVE_GCC_C11_ATOMICS_WITHOUT_LIBATOMIC)
-+ SET(HAVE_GCC_C11_ATOMICS True)
-+ELSE()
-+ SET(OLD_CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES})
-+ LIST(APPEND CMAKE_REQUIRED_LIBRARIES "atomic")
-+ CHECK_CXX_SOURCE_COMPILES("
-+ int main()
-+ {
-+ long long int var= 1;
-+ long long int *ptr= &var;
-+ return (int)__atomic_load_n(ptr, __ATOMIC_SEQ_CST);
-+ }"
-+ HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC)
-+ IF(HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC)
-+ SET(HAVE_GCC_C11_ATOMICS True)
-+ ENDIF()
-+ SET(CMAKE_REQUIRED_LIBRARIES ${OLD_CMAKE_REQUIRED_LIBRARIES})
-+ENDIF()
-
- IF(WITH_VALGRIND)
- SET(HAVE_valgrind 1)
-Index: mariadb-10.4.17/mysys/CMakeLists.txt
-===================================================================
---- mariadb-10.4.17.orig/mysys/CMakeLists.txt
-+++ mariadb-10.4.17/mysys/CMakeLists.txt
-@@ -78,6 +78,10 @@ TARGET_LINK_LIBRARIES(mysys dbug strings
- ${LIBNSL} ${LIBM} ${LIBRT} ${CMAKE_DL_LIBS} ${LIBSOCKET} ${LIBEXECINFO} ${CRC32_LIBRARY})
- DTRACE_INSTRUMENT(mysys)
-
-+IF (HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC)
-+ TARGET_LINK_LIBRARIES(mysys atomic)
-+ENDIF()
-+
- IF(HAVE_BFD_H)
- TARGET_LINK_LIBRARIES(mysys bfd)
- ENDIF(HAVE_BFD_H)
-Index: mariadb-10.4.17/sql/CMakeLists.txt
-===================================================================
---- mariadb-10.4.17.orig/sql/CMakeLists.txt
-+++ mariadb-10.4.17/sql/CMakeLists.txt
-@@ -196,6 +196,10 @@ ELSE()
- SET(MYSQLD_SOURCE main.cc ${DTRACE_PROBES_ALL})
- ENDIF()
-
-+IF (HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC)
-+ TARGET_LINK_LIBRARIES(sql atomic)
-+ENDIF()
-+
-
- IF(MSVC AND NOT WITHOUT_DYNAMIC_PLUGINS)
-
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/clang_version_header_conflict.patch b/meta-oe/recipes-dbs/mysql/mariadb/clang_version_header_conflict.patch
deleted file mode 100644
index c77a86944..000000000
--- a/meta-oe/recipes-dbs/mysql/mariadb/clang_version_header_conflict.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-libc++ also has a file called version and this file and how cflags are specified
-it ends up including this file and resulting in compile errors
-
-fixes errors like
-storage/mroonga/version:1:1: error: expected unqualified-id
-7.07
-^
-
-Upstream-Status: Pending
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
---- a/storage/mroonga/CMakeLists.txt
-+++ b/storage/mroonga/CMakeLists.txt
-@@ -80,7 +80,7 @@ else()
- set(MRN_SOURCE_DIR ${CMAKE_SOURCE_DIR})
- endif()
-
--file(READ ${MRN_SOURCE_DIR}/version MRN_VERSION)
-+file(READ ${MRN_SOURCE_DIR}/ver MRN_VERSION)
- file(READ ${MRN_SOURCE_DIR}/version_major MRN_VERSION_MAJOR)
- file(READ ${MRN_SOURCE_DIR}/version_minor MRN_VERSION_MINOR)
- file(READ ${MRN_SOURCE_DIR}/version_micro MRN_VERSION_MICRO)
---- /dev/null
-+++ b/storage/mroonga/ver
-@@ -0,0 +1 @@
-+7.07
-\ No newline at end of file
---- a/storage/mroonga/version
-+++ /dev/null
-@@ -1 +0,0 @@
--7.07
-\ No newline at end of file
diff --git a/meta-oe/recipes-dbs/mysql/mariadb_10.4.20.bb b/meta-oe/recipes-dbs/mysql/mariadb_10.4.25.bb
index c0b53379d..c0b53379d 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb_10.4.20.bb
+++ b/meta-oe/recipes-dbs/mysql/mariadb_10.4.25.bb
diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch
index 865ad3287..a1f5b2a7b 100644
--- a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch
+++ b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch
@@ -13,7 +13,7 @@ diff --git a/src/include/storage/s_lock.h b/src/include/storage/s_lock.h
index 3fe29ce..7cd578f 100644
--- a/src/include/storage/s_lock.h
+++ b/src/include/storage/s_lock.h
-@@ -316,11 +316,12 @@ tas(volatile slock_t *lock)
+@@ -317,11 +317,12 @@ tas(volatile slock_t *lock)
/*
* On ARM and ARM64, we use __sync_lock_test_and_set(int *, int) if available.
@@ -27,7 +27,7 @@ index 3fe29ce..7cd578f 100644
#ifdef HAVE_GCC__SYNC_INT32_TAS
#define HAS_TEST_AND_SET
-@@ -337,7 +338,7 @@ tas(volatile slock_t *lock)
+@@ -338,7 +339,7 @@ tas(volatile slock_t *lock)
#define S_UNLOCK(lock) __sync_lock_release(lock)
#endif /* HAVE_GCC__SYNC_INT32_TAS */
@@ -35,7 +35,7 @@ index 3fe29ce..7cd578f 100644
+#endif /* __arm__ || __arm || __aarch64__ || __aarch64 || __riscv */
- /* S/390 and S/390x Linux (32- and 64-bit zSeries) */
+ /*
--
2.9.3
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2022-1552.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-1552.patch
new file mode 100644
index 000000000..6f0d5ac06
--- /dev/null
+++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-1552.patch
@@ -0,0 +1,947 @@
+From 31eefa1efc8eecb6ab91c8835d2952d44a3b1ae1 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 22 Sep 2022 11:20:41 +0530
+Subject: [PATCH] CVE-2022-1552
+
+Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=ab49ce7c3414ac19e4afb386d7843ce2d2fb8bda && https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=677a494789062ca88e0142a17bedd5415f6ab0aa]
+
+CVE: CVE-2022-1552
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ contrib/amcheck/expected/check_btree.out | 23 ++++++
+ contrib/amcheck/sql/check_btree.sql | 21 +++++
+ contrib/amcheck/verify_nbtree.c | 27 +++++++
+ src/backend/access/brin/brin.c | 29 ++++++-
+ src/backend/catalog/index.c | 65 ++++++++++++----
+ src/backend/commands/cluster.c | 37 ++++++---
+ src/backend/commands/indexcmds.c | 98 ++++++++++++++++++++----
+ src/backend/commands/matview.c | 30 +++-----
+ src/backend/utils/init/miscinit.c | 24 +++---
+ src/test/regress/expected/privileges.out | 71 +++++++++++++++++
+ src/test/regress/sql/privileges.sql | 64 ++++++++++++++++
+ 11 files changed, 422 insertions(+), 67 deletions(-)
+
+diff --git a/contrib/amcheck/expected/check_btree.out b/contrib/amcheck/expected/check_btree.out
+index 59a805d..0fd6ea0 100644
+--- a/contrib/amcheck/expected/check_btree.out
++++ b/contrib/amcheck/expected/check_btree.out
+@@ -168,11 +168,34 @@ SELECT bt_index_check('toasty', true);
+
+ (1 row)
+
++--
++-- Check that index expressions and predicates are run as the table's owner
++--
++TRUNCATE bttest_a;
++INSERT INTO bttest_a SELECT * FROM generate_series(1, 1000);
++ALTER TABLE bttest_a OWNER TO regress_bttest_role;
++-- A dummy index function checking current_user
++CREATE FUNCTION ifun(int8) RETURNS int8 AS $$
++BEGIN
++ ASSERT current_user = 'regress_bttest_role',
++ format('ifun(%s) called by %s', $1, current_user);
++ RETURN $1;
++END;
++$$ LANGUAGE plpgsql IMMUTABLE;
++CREATE INDEX bttest_a_expr_idx ON bttest_a ((ifun(id) + ifun(0)))
++ WHERE ifun(id + 10) > ifun(10);
++SELECT bt_index_check('bttest_a_expr_idx', true);
++ bt_index_check
++----------------
++
++(1 row)
++
+ -- cleanup
+ DROP TABLE bttest_a;
+ DROP TABLE bttest_b;
+ DROP TABLE bttest_multi;
+ DROP TABLE delete_test_table;
+ DROP TABLE toast_bug;
++DROP FUNCTION ifun(int8);
+ DROP OWNED BY regress_bttest_role; -- permissions
+ DROP ROLE regress_bttest_role;
+diff --git a/contrib/amcheck/sql/check_btree.sql b/contrib/amcheck/sql/check_btree.sql
+index 99acbc8..3248187 100644
+--- a/contrib/amcheck/sql/check_btree.sql
++++ b/contrib/amcheck/sql/check_btree.sql
+@@ -110,11 +110,32 @@ INSERT INTO toast_bug SELECT repeat('a', 2200);
+ -- Should not get false positive report of corruption:
+ SELECT bt_index_check('toasty', true);
+
++--
++-- Check that index expressions and predicates are run as the table's owner
++--
++TRUNCATE bttest_a;
++INSERT INTO bttest_a SELECT * FROM generate_series(1, 1000);
++ALTER TABLE bttest_a OWNER TO regress_bttest_role;
++-- A dummy index function checking current_user
++CREATE FUNCTION ifun(int8) RETURNS int8 AS $$
++BEGIN
++ ASSERT current_user = 'regress_bttest_role',
++ format('ifun(%s) called by %s', $1, current_user);
++ RETURN $1;
++END;
++$$ LANGUAGE plpgsql IMMUTABLE;
++
++CREATE INDEX bttest_a_expr_idx ON bttest_a ((ifun(id) + ifun(0)))
++ WHERE ifun(id + 10) > ifun(10);
++
++SELECT bt_index_check('bttest_a_expr_idx', true);
++
+ -- cleanup
+ DROP TABLE bttest_a;
+ DROP TABLE bttest_b;
+ DROP TABLE bttest_multi;
+ DROP TABLE delete_test_table;
+ DROP TABLE toast_bug;
++DROP FUNCTION ifun(int8);
+ DROP OWNED BY regress_bttest_role; -- permissions
+ DROP ROLE regress_bttest_role;
+diff --git a/contrib/amcheck/verify_nbtree.c b/contrib/amcheck/verify_nbtree.c
+index 700a02f..cb6475d 100644
+--- a/contrib/amcheck/verify_nbtree.c
++++ b/contrib/amcheck/verify_nbtree.c
+@@ -228,6 +228,9 @@ bt_index_check_internal(Oid indrelid, bool parentcheck, bool heapallindexed,
+ Relation indrel;
+ Relation heaprel;
+ LOCKMODE lockmode;
++ Oid save_userid;
++ int save_sec_context;
++ int save_nestlevel;
+
+ if (parentcheck)
+ lockmode = ShareLock;
+@@ -244,9 +247,27 @@ bt_index_check_internal(Oid indrelid, bool parentcheck, bool heapallindexed,
+ */
+ heapid = IndexGetRelation(indrelid, true);
+ if (OidIsValid(heapid))
++ {
+ heaprel = table_open(heapid, lockmode);
++
++ /*
++ * Switch to the table owner's userid, so that any index functions are
++ * run as that user. Also lock down security-restricted operations
++ * and arrange to make GUC variable changes local to this command.
++ */
++ GetUserIdAndSecContext(&save_userid, &save_sec_context);
++ SetUserIdAndSecContext(heaprel->rd_rel->relowner,
++ save_sec_context | SECURITY_RESTRICTED_OPERATION);
++ save_nestlevel = NewGUCNestLevel();
++ }
+ else
++ {
+ heaprel = NULL;
++ /* for "gcc -Og" https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78394 */
++ save_userid = InvalidOid;
++ save_sec_context = -1;
++ save_nestlevel = -1;
++ }
+
+ /*
+ * Open the target index relations separately (like relation_openrv(), but
+@@ -293,6 +314,12 @@ bt_index_check_internal(Oid indrelid, bool parentcheck, bool heapallindexed,
+ heapallindexed, rootdescend);
+ }
+
++ /* Roll back any GUC changes executed by index functions */
++ AtEOXact_GUC(false, save_nestlevel);
++
++ /* Restore userid and security context */
++ SetUserIdAndSecContext(save_userid, save_sec_context);
++
+ /*
+ * Release locks early. That's ok here because nothing in the called
+ * routines will trigger shared cache invalidations to be sent, so we can
+diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c
+index c7b403b..781cac2 100644
+--- a/src/backend/access/brin/brin.c
++++ b/src/backend/access/brin/brin.c
+@@ -873,6 +873,9 @@ brin_summarize_range(PG_FUNCTION_ARGS)
+ Oid heapoid;
+ Relation indexRel;
+ Relation heapRel;
++ Oid save_userid;
++ int save_sec_context;
++ int save_nestlevel;
+ double numSummarized = 0;
+
+ if (RecoveryInProgress())
+@@ -899,7 +902,22 @@ brin_summarize_range(PG_FUNCTION_ARGS)
+ */
+ heapoid = IndexGetRelation(indexoid, true);
+ if (OidIsValid(heapoid))
++ {
+ heapRel = table_open(heapoid, ShareUpdateExclusiveLock);
++
++ /*
++ * Autovacuum calls us. For its benefit, switch to the table owner's
++ * userid, so that any index functions are run as that user. Also
++ * lock down security-restricted operations and arrange to make GUC
++ * variable changes local to this command. This is harmless, albeit
++ * unnecessary, when called from SQL, because we fail shortly if the
++ * user does not own the index.
++ */
++ GetUserIdAndSecContext(&save_userid, &save_sec_context);
++ SetUserIdAndSecContext(heapRel->rd_rel->relowner,
++ save_sec_context | SECURITY_RESTRICTED_OPERATION);
++ save_nestlevel = NewGUCNestLevel();
++ }
+ else
+ heapRel = NULL;
+
+@@ -914,7 +932,7 @@ brin_summarize_range(PG_FUNCTION_ARGS)
+ RelationGetRelationName(indexRel))));
+
+ /* User must own the index (comparable to privileges needed for VACUUM) */
+- if (!pg_class_ownercheck(indexoid, GetUserId()))
++ if (heapRel != NULL && !pg_class_ownercheck(indexoid, save_userid))
+ aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX,
+ RelationGetRelationName(indexRel));
+
+@@ -932,6 +950,12 @@ brin_summarize_range(PG_FUNCTION_ARGS)
+ /* OK, do it */
+ brinsummarize(indexRel, heapRel, heapBlk, true, &numSummarized, NULL);
+
++ /* Roll back any GUC changes executed by index functions */
++ AtEOXact_GUC(false, save_nestlevel);
++
++ /* Restore userid and security context */
++ SetUserIdAndSecContext(save_userid, save_sec_context);
++
+ relation_close(indexRel, ShareUpdateExclusiveLock);
+ relation_close(heapRel, ShareUpdateExclusiveLock);
+
+@@ -973,6 +997,9 @@ brin_desummarize_range(PG_FUNCTION_ARGS)
+ * passed indexoid isn't an index then IndexGetRelation() will fail.
+ * Rather than emitting a not-very-helpful error message, postpone
+ * complaining, expecting that the is-it-an-index test below will fail.
++ *
++ * Unlike brin_summarize_range(), autovacuum never calls this. Hence, we
++ * don't switch userid.
+ */
+ heapoid = IndexGetRelation(indexoid, true);
+ if (OidIsValid(heapoid))
+diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c
+index 3ece136..0333bfd 100644
+--- a/src/backend/catalog/index.c
++++ b/src/backend/catalog/index.c
+@@ -1400,6 +1400,9 @@ index_concurrently_build(Oid heapRelationId,
+ Oid indexRelationId)
+ {
+ Relation heapRel;
++ Oid save_userid;
++ int save_sec_context;
++ int save_nestlevel;
+ Relation indexRelation;
+ IndexInfo *indexInfo;
+
+@@ -1409,7 +1412,16 @@ index_concurrently_build(Oid heapRelationId,
+ /* Open and lock the parent heap relation */
+ heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock);
+
+- /* And the target index relation */
++ /*
++ * Switch to the table owner's userid, so that any index functions are run
++ * as that user. Also lock down security-restricted operations and
++ * arrange to make GUC variable changes local to this command.
++ */
++ GetUserIdAndSecContext(&save_userid, &save_sec_context);
++ SetUserIdAndSecContext(heapRel->rd_rel->relowner,
++ save_sec_context | SECURITY_RESTRICTED_OPERATION);
++ save_nestlevel = NewGUCNestLevel();
++
+ indexRelation = index_open(indexRelationId, RowExclusiveLock);
+
+ /*
+@@ -1425,6 +1437,12 @@ index_concurrently_build(Oid heapRelationId,
+ /* Now build the index */
+ index_build(heapRel, indexRelation, indexInfo, false, true);
+
++ /* Roll back any GUC changes executed by index functions */
++ AtEOXact_GUC(false, save_nestlevel);
++
++ /* Restore userid and security context */
++ SetUserIdAndSecContext(save_userid, save_sec_context);
++
+ /* Close both the relations, but keep the locks */
+ table_close(heapRel, NoLock);
+ index_close(indexRelation, NoLock);
+@@ -3271,7 +3289,17 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot)
+
+ /* Open and lock the parent heap relation */
+ heapRelation = table_open(heapId, ShareUpdateExclusiveLock);
+- /* And the target index relation */
++
++ /*
++ * Switch to the table owner's userid, so that any index functions are run
++ * as that user. Also lock down security-restricted operations and
++ * arrange to make GUC variable changes local to this command.
++ */
++ GetUserIdAndSecContext(&save_userid, &save_sec_context);
++ SetUserIdAndSecContext(heapRelation->rd_rel->relowner,
++ save_sec_context | SECURITY_RESTRICTED_OPERATION);
++ save_nestlevel = NewGUCNestLevel();
++
+ indexRelation = index_open(indexId, RowExclusiveLock);
+
+ /*
+@@ -3284,16 +3312,6 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot)
+ /* mark build is concurrent just for consistency */
+ indexInfo->ii_Concurrent = true;
+
+- /*
+- * Switch to the table owner's userid, so that any index functions are run
+- * as that user. Also lock down security-restricted operations and
+- * arrange to make GUC variable changes local to this command.
+- */
+- GetUserIdAndSecContext(&save_userid, &save_sec_context);
+- SetUserIdAndSecContext(heapRelation->rd_rel->relowner,
+- save_sec_context | SECURITY_RESTRICTED_OPERATION);
+- save_nestlevel = NewGUCNestLevel();
+-
+ /*
+ * Scan the index and gather up all the TIDs into a tuplesort object.
+ */
+@@ -3497,6 +3515,9 @@ reindex_index(Oid indexId, bool skip_constraint_checks, char persistence,
+ Relation iRel,
+ heapRelation;
+ Oid heapId;
++ Oid save_userid;
++ int save_sec_context;
++ int save_nestlevel;
+ IndexInfo *indexInfo;
+ volatile bool skipped_constraint = false;
+ PGRUsage ru0;
+@@ -3527,6 +3548,16 @@ reindex_index(Oid indexId, bool skip_constraint_checks, char persistence,
+ */
+ iRel = index_open(indexId, AccessExclusiveLock);
+
++ /*
++ * Switch to the table owner's userid, so that any index functions are run
++ * as that user. Also lock down security-restricted operations and
++ * arrange to make GUC variable changes local to this command.
++ */
++ GetUserIdAndSecContext(&save_userid, &save_sec_context);
++ SetUserIdAndSecContext(heapRelation->rd_rel->relowner,
++ save_sec_context | SECURITY_RESTRICTED_OPERATION);
++ save_nestlevel = NewGUCNestLevel();
++
+ if (progress)
+ pgstat_progress_update_param(PROGRESS_CREATEIDX_ACCESS_METHOD_OID,
+ iRel->rd_rel->relam);
+@@ -3684,12 +3715,18 @@ reindex_index(Oid indexId, bool skip_constraint_checks, char persistence,
+ errdetail_internal("%s",
+ pg_rusage_show(&ru0))));
+
+- if (progress)
+- pgstat_progress_end_command();
++ /* Roll back any GUC changes executed by index functions */
++ AtEOXact_GUC(false, save_nestlevel);
++
++ /* Restore userid and security context */
++ SetUserIdAndSecContext(save_userid, save_sec_context);
+
+ /* Close rels, but keep locks */
+ index_close(iRel, NoLock);
+ table_close(heapRelation, NoLock);
++
++ if (progress)
++ pgstat_progress_end_command();
+ }
+
+ /*
+diff --git a/src/backend/commands/cluster.c b/src/backend/commands/cluster.c
+index bd6f408..74db03e 100644
+--- a/src/backend/commands/cluster.c
++++ b/src/backend/commands/cluster.c
+@@ -266,6 +266,9 @@ void
+ cluster_rel(Oid tableOid, Oid indexOid, int options)
+ {
+ Relation OldHeap;
++ Oid save_userid;
++ int save_sec_context;
++ int save_nestlevel;
+ bool verbose = ((options & CLUOPT_VERBOSE) != 0);
+ bool recheck = ((options & CLUOPT_RECHECK) != 0);
+
+@@ -295,6 +298,16 @@ cluster_rel(Oid tableOid, Oid indexOid, int options)
+ return;
+ }
+
++ /*
++ * Switch to the table owner's userid, so that any index functions are run
++ * as that user. Also lock down security-restricted operations and
++ * arrange to make GUC variable changes local to this command.
++ */
++ GetUserIdAndSecContext(&save_userid, &save_sec_context);
++ SetUserIdAndSecContext(OldHeap->rd_rel->relowner,
++ save_sec_context | SECURITY_RESTRICTED_OPERATION);
++ save_nestlevel = NewGUCNestLevel();
++
+ /*
+ * Since we may open a new transaction for each relation, we have to check
+ * that the relation still is what we think it is.
+@@ -309,11 +322,10 @@ cluster_rel(Oid tableOid, Oid indexOid, int options)
+ Form_pg_index indexForm;
+
+ /* Check that the user still owns the relation */
+- if (!pg_class_ownercheck(tableOid, GetUserId()))
++ if (!pg_class_ownercheck(tableOid, save_userid))
+ {
+ relation_close(OldHeap, AccessExclusiveLock);
+- pgstat_progress_end_command();
+- return;
++ goto out;
+ }
+
+ /*
+@@ -327,8 +339,7 @@ cluster_rel(Oid tableOid, Oid indexOid, int options)
+ if (RELATION_IS_OTHER_TEMP(OldHeap))
+ {
+ relation_close(OldHeap, AccessExclusiveLock);
+- pgstat_progress_end_command();
+- return;
++ goto out;
+ }
+
+ if (OidIsValid(indexOid))
+@@ -339,8 +350,7 @@ cluster_rel(Oid tableOid, Oid indexOid, int options)
+ if (!SearchSysCacheExists1(RELOID, ObjectIdGetDatum(indexOid)))
+ {
+ relation_close(OldHeap, AccessExclusiveLock);
+- pgstat_progress_end_command();
+- return;
++ goto out;
+ }
+
+ /*
+@@ -350,8 +360,7 @@ cluster_rel(Oid tableOid, Oid indexOid, int options)
+ if (!HeapTupleIsValid(tuple)) /* probably can't happen */
+ {
+ relation_close(OldHeap, AccessExclusiveLock);
+- pgstat_progress_end_command();
+- return;
++ goto out;
+ }
+ indexForm = (Form_pg_index) GETSTRUCT(tuple);
+ if (!indexForm->indisclustered)
+@@ -413,8 +422,7 @@ cluster_rel(Oid tableOid, Oid indexOid, int options)
+ !RelationIsPopulated(OldHeap))
+ {
+ relation_close(OldHeap, AccessExclusiveLock);
+- pgstat_progress_end_command();
+- return;
++ goto out;
+ }
+
+ /*
+@@ -430,6 +438,13 @@ cluster_rel(Oid tableOid, Oid indexOid, int options)
+
+ /* NB: rebuild_relation does table_close() on OldHeap */
+
++out:
++ /* Roll back any GUC changes executed by index functions */
++ AtEOXact_GUC(false, save_nestlevel);
++
++ /* Restore userid and security context */
++ SetUserIdAndSecContext(save_userid, save_sec_context);
++
+ pgstat_progress_end_command();
+ }
+
+diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c
+index be1cf8c..167b377 100644
+--- a/src/backend/commands/indexcmds.c
++++ b/src/backend/commands/indexcmds.c
+@@ -470,21 +470,22 @@ DefineIndex(Oid relationId,
+ LOCKTAG heaplocktag;
+ LOCKMODE lockmode;
+ Snapshot snapshot;
+- int save_nestlevel = -1;
++ Oid root_save_userid;
++ int root_save_sec_context;
++ int root_save_nestlevel;
+ int i;
+
++ root_save_nestlevel = NewGUCNestLevel();
++
+ /*
+ * Some callers need us to run with an empty default_tablespace; this is a
+ * necessary hack to be able to reproduce catalog state accurately when
+ * recreating indexes after table-rewriting ALTER TABLE.
+ */
+ if (stmt->reset_default_tblspc)
+- {
+- save_nestlevel = NewGUCNestLevel();
+ (void) set_config_option("default_tablespace", "",
+ PGC_USERSET, PGC_S_SESSION,
+ GUC_ACTION_SAVE, true, 0, false);
+- }
+
+ /*
+ * Force non-concurrent build on temporary relations, even if CONCURRENTLY
+@@ -563,6 +564,15 @@ DefineIndex(Oid relationId,
+ lockmode = concurrent ? ShareUpdateExclusiveLock : ShareLock;
+ rel = table_open(relationId, lockmode);
+
++ /*
++ * Switch to the table owner's userid, so that any index functions are run
++ * as that user. Also lock down security-restricted operations. We
++ * already arranged to make GUC variable changes local to this command.
++ */
++ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context);
++ SetUserIdAndSecContext(rel->rd_rel->relowner,
++ root_save_sec_context | SECURITY_RESTRICTED_OPERATION);
++
+ namespaceId = RelationGetNamespace(rel);
+
+ /* Ensure that it makes sense to index this kind of relation */
+@@ -648,7 +658,7 @@ DefineIndex(Oid relationId,
+ {
+ AclResult aclresult;
+
+- aclresult = pg_namespace_aclcheck(namespaceId, GetUserId(),
++ aclresult = pg_namespace_aclcheck(namespaceId, root_save_userid,
+ ACL_CREATE);
+ if (aclresult != ACLCHECK_OK)
+ aclcheck_error(aclresult, OBJECT_SCHEMA,
+@@ -680,7 +690,7 @@ DefineIndex(Oid relationId,
+ {
+ AclResult aclresult;
+
+- aclresult = pg_tablespace_aclcheck(tablespaceId, GetUserId(),
++ aclresult = pg_tablespace_aclcheck(tablespaceId, root_save_userid,
+ ACL_CREATE);
+ if (aclresult != ACLCHECK_OK)
+ aclcheck_error(aclresult, OBJECT_TABLESPACE,
+@@ -1066,15 +1076,17 @@ DefineIndex(Oid relationId,
+
+ ObjectAddressSet(address, RelationRelationId, indexRelationId);
+
+- /*
+- * Revert to original default_tablespace. Must do this before any return
+- * from this function, but after index_create, so this is a good time.
+- */
+- if (save_nestlevel >= 0)
+- AtEOXact_GUC(true, save_nestlevel);
+-
+ if (!OidIsValid(indexRelationId))
+ {
++ /*
++ * Roll back any GUC changes executed by index functions. Also revert
++ * to original default_tablespace if we changed it above.
++ */
++ AtEOXact_GUC(false, root_save_nestlevel);
++
++ /* Restore userid and security context */
++ SetUserIdAndSecContext(root_save_userid, root_save_sec_context);
++
+ table_close(rel, NoLock);
+
+ /* If this is the top-level index, we're done */
+@@ -1084,6 +1096,17 @@ DefineIndex(Oid relationId,
+ return address;
+ }
+
++ /*
++ * Roll back any GUC changes executed by index functions, and keep
++ * subsequent changes local to this command. It's barely possible that
++ * some index function changed a behavior-affecting GUC, e.g. xmloption,
++ * that affects subsequent steps. This improves bug-compatibility with
++ * older PostgreSQL versions. They did the AtEOXact_GUC() here for the
++ * purpose of clearing the above default_tablespace change.
++ */
++ AtEOXact_GUC(false, root_save_nestlevel);
++ root_save_nestlevel = NewGUCNestLevel();
++
+ /* Add any requested comment */
+ if (stmt->idxcomment != NULL)
+ CreateComments(indexRelationId, RelationRelationId, 0,
+@@ -1130,6 +1153,9 @@ DefineIndex(Oid relationId,
+ {
+ Oid childRelid = part_oids[i];
+ Relation childrel;
++ Oid child_save_userid;
++ int child_save_sec_context;
++ int child_save_nestlevel;
+ List *childidxs;
+ ListCell *cell;
+ AttrNumber *attmap;
+@@ -1138,6 +1164,12 @@ DefineIndex(Oid relationId,
+
+ childrel = table_open(childRelid, lockmode);
+
++ GetUserIdAndSecContext(&child_save_userid,
++ &child_save_sec_context);
++ SetUserIdAndSecContext(childrel->rd_rel->relowner,
++ child_save_sec_context | SECURITY_RESTRICTED_OPERATION);
++ child_save_nestlevel = NewGUCNestLevel();
++
+ /*
+ * Don't try to create indexes on foreign tables, though. Skip
+ * those if a regular index, or fail if trying to create a
+@@ -1153,6 +1185,9 @@ DefineIndex(Oid relationId,
+ errdetail("Table \"%s\" contains partitions that are foreign tables.",
+ RelationGetRelationName(rel))));
+
++ AtEOXact_GUC(false, child_save_nestlevel);
++ SetUserIdAndSecContext(child_save_userid,
++ child_save_sec_context);
+ table_close(childrel, lockmode);
+ continue;
+ }
+@@ -1226,6 +1261,9 @@ DefineIndex(Oid relationId,
+ }
+
+ list_free(childidxs);
++ AtEOXact_GUC(false, child_save_nestlevel);
++ SetUserIdAndSecContext(child_save_userid,
++ child_save_sec_context);
+ table_close(childrel, NoLock);
+
+ /*
+@@ -1280,12 +1318,21 @@ DefineIndex(Oid relationId,
+ if (found_whole_row)
+ elog(ERROR, "cannot convert whole-row table reference");
+
++ /*
++ * Recurse as the starting user ID. Callee will use that
++ * for permission checks, then switch again.
++ */
++ Assert(GetUserId() == child_save_userid);
++ SetUserIdAndSecContext(root_save_userid,
++ root_save_sec_context);
+ DefineIndex(childRelid, childStmt,
+ InvalidOid, /* no predefined OID */
+ indexRelationId, /* this is our child */
+ createdConstraintId,
+ is_alter_table, check_rights, check_not_in_use,
+ skip_build, quiet);
++ SetUserIdAndSecContext(child_save_userid,
++ child_save_sec_context);
+ }
+
+ pgstat_progress_update_param(PROGRESS_CREATEIDX_PARTITIONS_DONE,
+@@ -1322,12 +1369,17 @@ DefineIndex(Oid relationId,
+ * Indexes on partitioned tables are not themselves built, so we're
+ * done here.
+ */
++ AtEOXact_GUC(false, root_save_nestlevel);
++ SetUserIdAndSecContext(root_save_userid, root_save_sec_context);
+ table_close(rel, NoLock);
+ if (!OidIsValid(parentIndexId))
+ pgstat_progress_end_command();
+ return address;
+ }
+
++ AtEOXact_GUC(false, root_save_nestlevel);
++ SetUserIdAndSecContext(root_save_userid, root_save_sec_context);
++
+ if (!concurrent)
+ {
+ /* Close the heap and we're done, in the non-concurrent case */
+@@ -3040,6 +3092,9 @@ ReindexRelationConcurrently(Oid relationOid, int options)
+ Oid newIndexId;
+ Relation indexRel;
+ Relation heapRel;
++ Oid save_userid;
++ int save_sec_context;
++ int save_nestlevel;
+ Relation newIndexRel;
+ LockRelId *lockrelid;
+
+@@ -3047,6 +3102,16 @@ ReindexRelationConcurrently(Oid relationOid, int options)
+ heapRel = table_open(indexRel->rd_index->indrelid,
+ ShareUpdateExclusiveLock);
+
++ /*
++ * Switch to the table owner's userid, so that any index functions are
++ * run as that user. Also lock down security-restricted operations
++ * and arrange to make GUC variable changes local to this command.
++ */
++ GetUserIdAndSecContext(&save_userid, &save_sec_context);
++ SetUserIdAndSecContext(heapRel->rd_rel->relowner,
++ save_sec_context | SECURITY_RESTRICTED_OPERATION);
++ save_nestlevel = NewGUCNestLevel();
++
+ /* This function shouldn't be called for temporary relations. */
+ if (indexRel->rd_rel->relpersistence == RELPERSISTENCE_TEMP)
+ elog(ERROR, "cannot reindex a temporary table concurrently");
+@@ -3101,6 +3166,13 @@ ReindexRelationConcurrently(Oid relationOid, int options)
+
+ index_close(indexRel, NoLock);
+ index_close(newIndexRel, NoLock);
++
++ /* Roll back any GUC changes executed by index functions */
++ AtEOXact_GUC(false, save_nestlevel);
++
++ /* Restore userid and security context */
++ SetUserIdAndSecContext(save_userid, save_sec_context);
++
+ table_close(heapRel, NoLock);
+ }
+
+diff --git a/src/backend/commands/matview.c b/src/backend/commands/matview.c
+index 80e9ec0..e485661 100644
+--- a/src/backend/commands/matview.c
++++ b/src/backend/commands/matview.c
+@@ -167,6 +167,17 @@ ExecRefreshMatView(RefreshMatViewStmt *stmt, const char *queryString,
+ lockmode, 0,
+ RangeVarCallbackOwnsTable, NULL);
+ matviewRel = table_open(matviewOid, NoLock);
++ relowner = matviewRel->rd_rel->relowner;
++
++ /*
++ * Switch to the owner's userid, so that any functions are run as that
++ * user. Also lock down security-restricted operations and arrange to
++ * make GUC variable changes local to this command.
++ */
++ GetUserIdAndSecContext(&save_userid, &save_sec_context);
++ SetUserIdAndSecContext(relowner,
++ save_sec_context | SECURITY_RESTRICTED_OPERATION);
++ save_nestlevel = NewGUCNestLevel();
+
+ /* Make sure it is a materialized view. */
+ if (matviewRel->rd_rel->relkind != RELKIND_MATVIEW)
+@@ -268,19 +279,6 @@ ExecRefreshMatView(RefreshMatViewStmt *stmt, const char *queryString,
+ */
+ SetMatViewPopulatedState(matviewRel, !stmt->skipData);
+
+- relowner = matviewRel->rd_rel->relowner;
+-
+- /*
+- * Switch to the owner's userid, so that any functions are run as that
+- * user. Also arrange to make GUC variable changes local to this command.
+- * Don't lock it down too tight to create a temporary table just yet. We
+- * will switch modes when we are about to execute user code.
+- */
+- GetUserIdAndSecContext(&save_userid, &save_sec_context);
+- SetUserIdAndSecContext(relowner,
+- save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
+- save_nestlevel = NewGUCNestLevel();
+-
+ /* Concurrent refresh builds new data in temp tablespace, and does diff. */
+ if (concurrent)
+ {
+@@ -303,12 +301,6 @@ ExecRefreshMatView(RefreshMatViewStmt *stmt, const char *queryString,
+ LockRelationOid(OIDNewHeap, AccessExclusiveLock);
+ dest = CreateTransientRelDestReceiver(OIDNewHeap);
+
+- /*
+- * Now lock down security-restricted operations.
+- */
+- SetUserIdAndSecContext(relowner,
+- save_sec_context | SECURITY_RESTRICTED_OPERATION);
+-
+ /* Generate the data, if wanted. */
+ if (!stmt->skipData)
+ processed = refresh_matview_datafill(dest, dataQuery, queryString);
+diff --git a/src/backend/utils/init/miscinit.c b/src/backend/utils/init/miscinit.c
+index de554e2..c9f858e 100644
+--- a/src/backend/utils/init/miscinit.c
++++ b/src/backend/utils/init/miscinit.c
+@@ -455,15 +455,21 @@ GetAuthenticatedUserId(void)
+ * with guc.c's internal state, so SET ROLE has to be disallowed.
+ *
+ * SECURITY_RESTRICTED_OPERATION indicates that we are inside an operation
+- * that does not wish to trust called user-defined functions at all. This
+- * bit prevents not only SET ROLE, but various other changes of session state
+- * that normally is unprotected but might possibly be used to subvert the
+- * calling session later. An example is replacing an existing prepared
+- * statement with new code, which will then be executed with the outer
+- * session's permissions when the prepared statement is next used. Since
+- * these restrictions are fairly draconian, we apply them only in contexts
+- * where the called functions are really supposed to be side-effect-free
+- * anyway, such as VACUUM/ANALYZE/REINDEX.
++ * that does not wish to trust called user-defined functions at all. The
++ * policy is to use this before operations, e.g. autovacuum and REINDEX, that
++ * enumerate relations of a database or schema and run functions associated
++ * with each found relation. The relation owner is the new user ID. Set this
++ * as soon as possible after locking the relation. Restore the old user ID as
++ * late as possible before closing the relation; restoring it shortly after
++ * close is also tolerable. If a command has both relation-enumerating and
++ * non-enumerating modes, e.g. ANALYZE, both modes set this bit. This bit
++ * prevents not only SET ROLE, but various other changes of session state that
++ * normally is unprotected but might possibly be used to subvert the calling
++ * session later. An example is replacing an existing prepared statement with
++ * new code, which will then be executed with the outer session's permissions
++ * when the prepared statement is next used. These restrictions are fairly
++ * draconian, but the functions called in relation-enumerating operations are
++ * really supposed to be side-effect-free anyway.
+ *
+ * SECURITY_NOFORCE_RLS indicates that we are inside an operation which should
+ * ignore the FORCE ROW LEVEL SECURITY per-table indication. This is used to
+diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out
+index 186d2fb..0f0c1b3 100644
+--- a/src/test/regress/expected/privileges.out
++++ b/src/test/regress/expected/privileges.out
+@@ -1336,6 +1336,61 @@ SELECT has_table_privilege('regress_priv_user1', 'atest4', 'SELECT WITH GRANT OP
+ -- security-restricted operations
+ \c -
+ CREATE ROLE regress_sro_user;
++-- Check that index expressions and predicates are run as the table's owner
++-- A dummy index function checking current_user
++CREATE FUNCTION sro_ifun(int) RETURNS int AS $$
++BEGIN
++ -- Below we set the table's owner to regress_sro_user
++ ASSERT current_user = 'regress_sro_user',
++ format('sro_ifun(%s) called by %s', $1, current_user);
++ RETURN $1;
++END;
++$$ LANGUAGE plpgsql IMMUTABLE;
++-- Create a table owned by regress_sro_user
++CREATE TABLE sro_tab (a int);
++ALTER TABLE sro_tab OWNER TO regress_sro_user;
++INSERT INTO sro_tab VALUES (1), (2), (3);
++-- Create an expression index with a predicate
++CREATE INDEX sro_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0)))
++ WHERE sro_ifun(a + 10) > sro_ifun(10);
++DROP INDEX sro_idx;
++-- Do the same concurrently
++CREATE INDEX CONCURRENTLY sro_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0)))
++ WHERE sro_ifun(a + 10) > sro_ifun(10);
++-- REINDEX
++REINDEX TABLE sro_tab;
++REINDEX INDEX sro_idx;
++REINDEX TABLE CONCURRENTLY sro_tab;
++DROP INDEX sro_idx;
++-- CLUSTER
++CREATE INDEX sro_cluster_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0)));
++CLUSTER sro_tab USING sro_cluster_idx;
++DROP INDEX sro_cluster_idx;
++-- BRIN index
++CREATE INDEX sro_brin ON sro_tab USING brin ((sro_ifun(a) + sro_ifun(0)));
++SELECT brin_desummarize_range('sro_brin', 0);
++ brin_desummarize_range
++------------------------
++
++(1 row)
++
++SELECT brin_summarize_range('sro_brin', 0);
++ brin_summarize_range
++----------------------
++ 1
++(1 row)
++
++DROP TABLE sro_tab;
++-- Check with a partitioned table
++CREATE TABLE sro_ptab (a int) PARTITION BY RANGE (a);
++ALTER TABLE sro_ptab OWNER TO regress_sro_user;
++CREATE TABLE sro_part PARTITION OF sro_ptab FOR VALUES FROM (1) TO (10);
++ALTER TABLE sro_part OWNER TO regress_sro_user;
++INSERT INTO sro_ptab VALUES (1), (2), (3);
++CREATE INDEX sro_pidx ON sro_ptab ((sro_ifun(a) + sro_ifun(0)))
++ WHERE sro_ifun(a + 10) > sro_ifun(10);
++REINDEX TABLE sro_ptab;
++REINDEX INDEX CONCURRENTLY sro_pidx;
+ SET SESSION AUTHORIZATION regress_sro_user;
+ CREATE FUNCTION unwanted_grant() RETURNS void LANGUAGE sql AS
+ 'GRANT regress_priv_group2 TO regress_sro_user';
+@@ -1373,6 +1428,22 @@ CONTEXT: SQL function "unwanted_grant" statement 1
+ SQL statement "SELECT unwanted_grant()"
+ PL/pgSQL function sro_trojan() line 1 at PERFORM
+ SQL function "mv_action" statement 1
++-- REFRESH MATERIALIZED VIEW CONCURRENTLY use of eval_const_expressions()
++SET SESSION AUTHORIZATION regress_sro_user;
++CREATE FUNCTION unwanted_grant_nofail(int) RETURNS int
++ IMMUTABLE LANGUAGE plpgsql AS $$
++BEGIN
++ PERFORM unwanted_grant();
++ RAISE WARNING 'owned';
++ RETURN 1;
++EXCEPTION WHEN OTHERS THEN
++ RETURN 2;
++END$$;
++CREATE MATERIALIZED VIEW sro_index_mv AS SELECT 1 AS c;
++CREATE UNIQUE INDEX ON sro_index_mv (c) WHERE unwanted_grant_nofail(1) > 0;
++\c -
++REFRESH MATERIALIZED VIEW CONCURRENTLY sro_index_mv;
++REFRESH MATERIALIZED VIEW sro_index_mv;
+ DROP OWNED BY regress_sro_user;
+ DROP ROLE regress_sro_user;
+ -- Admin options
+diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql
+index 34fbf0e..c0b88a6 100644
+--- a/src/test/regress/sql/privileges.sql
++++ b/src/test/regress/sql/privileges.sql
+@@ -826,6 +826,53 @@ SELECT has_table_privilege('regress_priv_user1', 'atest4', 'SELECT WITH GRANT OP
+ \c -
+ CREATE ROLE regress_sro_user;
+
++-- Check that index expressions and predicates are run as the table's owner
++
++-- A dummy index function checking current_user
++CREATE FUNCTION sro_ifun(int) RETURNS int AS $$
++BEGIN
++ -- Below we set the table's owner to regress_sro_user
++ ASSERT current_user = 'regress_sro_user',
++ format('sro_ifun(%s) called by %s', $1, current_user);
++ RETURN $1;
++END;
++$$ LANGUAGE plpgsql IMMUTABLE;
++-- Create a table owned by regress_sro_user
++CREATE TABLE sro_tab (a int);
++ALTER TABLE sro_tab OWNER TO regress_sro_user;
++INSERT INTO sro_tab VALUES (1), (2), (3);
++-- Create an expression index with a predicate
++CREATE INDEX sro_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0)))
++ WHERE sro_ifun(a + 10) > sro_ifun(10);
++DROP INDEX sro_idx;
++-- Do the same concurrently
++CREATE INDEX CONCURRENTLY sro_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0)))
++ WHERE sro_ifun(a + 10) > sro_ifun(10);
++-- REINDEX
++REINDEX TABLE sro_tab;
++REINDEX INDEX sro_idx;
++REINDEX TABLE CONCURRENTLY sro_tab;
++DROP INDEX sro_idx;
++-- CLUSTER
++CREATE INDEX sro_cluster_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0)));
++CLUSTER sro_tab USING sro_cluster_idx;
++DROP INDEX sro_cluster_idx;
++-- BRIN index
++CREATE INDEX sro_brin ON sro_tab USING brin ((sro_ifun(a) + sro_ifun(0)));
++SELECT brin_desummarize_range('sro_brin', 0);
++SELECT brin_summarize_range('sro_brin', 0);
++DROP TABLE sro_tab;
++-- Check with a partitioned table
++CREATE TABLE sro_ptab (a int) PARTITION BY RANGE (a);
++ALTER TABLE sro_ptab OWNER TO regress_sro_user;
++CREATE TABLE sro_part PARTITION OF sro_ptab FOR VALUES FROM (1) TO (10);
++ALTER TABLE sro_part OWNER TO regress_sro_user;
++INSERT INTO sro_ptab VALUES (1), (2), (3);
++CREATE INDEX sro_pidx ON sro_ptab ((sro_ifun(a) + sro_ifun(0)))
++ WHERE sro_ifun(a + 10) > sro_ifun(10);
++REINDEX TABLE sro_ptab;
++REINDEX INDEX CONCURRENTLY sro_pidx;
++
+ SET SESSION AUTHORIZATION regress_sro_user;
+ CREATE FUNCTION unwanted_grant() RETURNS void LANGUAGE sql AS
+ 'GRANT regress_priv_group2 TO regress_sro_user';
+@@ -852,6 +899,23 @@ REFRESH MATERIALIZED VIEW sro_mv;
+ REFRESH MATERIALIZED VIEW sro_mv;
+ BEGIN; SET CONSTRAINTS ALL IMMEDIATE; REFRESH MATERIALIZED VIEW sro_mv; COMMIT;
+
++-- REFRESH MATERIALIZED VIEW CONCURRENTLY use of eval_const_expressions()
++SET SESSION AUTHORIZATION regress_sro_user;
++CREATE FUNCTION unwanted_grant_nofail(int) RETURNS int
++ IMMUTABLE LANGUAGE plpgsql AS $$
++BEGIN
++ PERFORM unwanted_grant();
++ RAISE WARNING 'owned';
++ RETURN 1;
++EXCEPTION WHEN OTHERS THEN
++ RETURN 2;
++END$$;
++CREATE MATERIALIZED VIEW sro_index_mv AS SELECT 1 AS c;
++CREATE UNIQUE INDEX ON sro_index_mv (c) WHERE unwanted_grant_nofail(1) > 0;
++\c -
++REFRESH MATERIALIZED VIEW CONCURRENTLY sro_index_mv;
++REFRESH MATERIALIZED VIEW sro_index_mv;
++
+ DROP OWNED BY regress_sro_user;
+ DROP ROLE regress_sro_user;
+
+--
+2.25.1
+
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch
new file mode 100644
index 000000000..6417d8a2b
--- /dev/null
+++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch
@@ -0,0 +1,904 @@
+From 84375c1db25ef650902cf80712495fc514b0ff63 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 13 Oct 2022 10:35:32 +0530
+Subject: [PATCH] CVE-2022-2625
+
+Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=5579726bd60a6e7afb04a3548bced348cd5ffd89]
+CVE: CVE-2022-2625
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ doc/src/sgml/extend.sgml | 11 --
+ src/backend/catalog/pg_collation.c | 49 ++++--
+ src/backend/catalog/pg_depend.c | 74 ++++++++-
+ src/backend/catalog/pg_operator.c | 2 +-
+ src/backend/catalog/pg_type.c | 7 +-
+ src/backend/commands/createas.c | 18 ++-
+ src/backend/commands/foreigncmds.c | 19 ++-
+ src/backend/commands/schemacmds.c | 25 ++-
+ src/backend/commands/sequence.c | 8 +
+ src/backend/commands/statscmds.c | 4 +
+ src/backend/commands/view.c | 16 +-
+ src/backend/parser/parse_utilcmd.c | 10 ++
+ src/include/catalog/dependency.h | 2 +
+ src/test/modules/test_extensions/Makefile | 5 +-
+ .../expected/test_extensions.out | 153 ++++++++++++++++++
+ .../test_extensions/sql/test_extensions.sql | 110 +++++++++++++
+ .../test_ext_cine--1.0--1.1.sql | 26 +++
+ .../test_extensions/test_ext_cine--1.0.sql | 25 +++
+ .../test_extensions/test_ext_cine.control | 3 +
+ .../test_extensions/test_ext_cor--1.0.sql | 20 +++
+ .../test_extensions/test_ext_cor.control | 3 +
+ 21 files changed, 540 insertions(+), 50 deletions(-)
+ create mode 100644 src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql
+ create mode 100644 src/test/modules/test_extensions/test_ext_cine--1.0.sql
+ create mode 100644 src/test/modules/test_extensions/test_ext_cine.control
+ create mode 100644 src/test/modules/test_extensions/test_ext_cor--1.0.sql
+ create mode 100644 src/test/modules/test_extensions/test_ext_cor.control
+
+diff --git a/doc/src/sgml/extend.sgml b/doc/src/sgml/extend.sgml
+index 53f2638..bcc7a80 100644
+--- a/doc/src/sgml/extend.sgml
++++ b/doc/src/sgml/extend.sgml
+@@ -1109,17 +1109,6 @@ SELECT * FROM pg_extension_update_paths('<replaceable>extension_name</replaceabl
+ <varname>search_path</varname>. However, no mechanism currently exists
+ to require that.
+ </para>
+-
+- <para>
+- Do <emphasis>not</emphasis> use <command>CREATE OR REPLACE
+- FUNCTION</command>, except in an update script that must change the
+- definition of a function that is known to be an extension member
+- already. (Likewise for other <literal>OR REPLACE</literal> options.)
+- Using <literal>OR REPLACE</literal> unnecessarily not only has a risk
+- of accidentally overwriting someone else's function, but it creates a
+- security hazard since the overwritten function would still be owned by
+- its original owner, who could modify it.
+- </para>
+ </sect3>
+ </sect2>
+
+diff --git a/src/backend/catalog/pg_collation.c b/src/backend/catalog/pg_collation.c
+index dd99d53..ba4c3ef 100644
+--- a/src/backend/catalog/pg_collation.c
++++ b/src/backend/catalog/pg_collation.c
+@@ -78,15 +78,25 @@ CollationCreate(const char *collname, Oid collnamespace,
+ * friendlier error message. The unique index provides a backstop against
+ * race conditions.
+ */
+- if (SearchSysCacheExists3(COLLNAMEENCNSP,
+- PointerGetDatum(collname),
+- Int32GetDatum(collencoding),
+- ObjectIdGetDatum(collnamespace)))
++ oid = GetSysCacheOid3(COLLNAMEENCNSP,
++ Anum_pg_collation_oid,
++ PointerGetDatum(collname),
++ Int32GetDatum(collencoding),
++ ObjectIdGetDatum(collnamespace));
++ if (OidIsValid(oid))
+ {
+ if (quiet)
+ return InvalidOid;
+ else if (if_not_exists)
+ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(myself, CollationRelationId, oid);
++ checkMembershipInCurrentExtension(&myself);
++
++ /* OK to skip */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_OBJECT),
+ collencoding == -1
+@@ -116,16 +126,19 @@ CollationCreate(const char *collname, Oid collnamespace,
+ * so we take a ShareRowExclusiveLock earlier, to protect against
+ * concurrent changes fooling this check.
+ */
+- if ((collencoding == -1 &&
+- SearchSysCacheExists3(COLLNAMEENCNSP,
+- PointerGetDatum(collname),
+- Int32GetDatum(GetDatabaseEncoding()),
+- ObjectIdGetDatum(collnamespace))) ||
+- (collencoding != -1 &&
+- SearchSysCacheExists3(COLLNAMEENCNSP,
+- PointerGetDatum(collname),
+- Int32GetDatum(-1),
+- ObjectIdGetDatum(collnamespace))))
++ if (collencoding == -1)
++ oid = GetSysCacheOid3(COLLNAMEENCNSP,
++ Anum_pg_collation_oid,
++ PointerGetDatum(collname),
++ Int32GetDatum(GetDatabaseEncoding()),
++ ObjectIdGetDatum(collnamespace));
++ else
++ oid = GetSysCacheOid3(COLLNAMEENCNSP,
++ Anum_pg_collation_oid,
++ PointerGetDatum(collname),
++ Int32GetDatum(-1),
++ ObjectIdGetDatum(collnamespace));
++ if (OidIsValid(oid))
+ {
+ if (quiet)
+ {
+@@ -134,6 +147,14 @@ CollationCreate(const char *collname, Oid collnamespace,
+ }
+ else if (if_not_exists)
+ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(myself, CollationRelationId, oid);
++ checkMembershipInCurrentExtension(&myself);
++
++ /* OK to skip */
+ table_close(rel, NoLock);
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_OBJECT),
+diff --git a/src/backend/catalog/pg_depend.c b/src/backend/catalog/pg_depend.c
+index 9ffadbb..71c7cef 100644
+--- a/src/backend/catalog/pg_depend.c
++++ b/src/backend/catalog/pg_depend.c
+@@ -124,15 +124,23 @@ recordMultipleDependencies(const ObjectAddress *depender,
+
+ /*
+ * If we are executing a CREATE EXTENSION operation, mark the given object
+- * as being a member of the extension. Otherwise, do nothing.
++ * as being a member of the extension, or check that it already is one.
++ * Otherwise, do nothing.
+ *
+ * This must be called during creation of any user-definable object type
+ * that could be a member of an extension.
+ *
+- * If isReplace is true, the object already existed (or might have already
+- * existed), so we must check for a pre-existing extension membership entry.
+- * Passing false is a guarantee that the object is newly created, and so
+- * could not already be a member of any extension.
++ * isReplace must be true if the object already existed, and false if it is
++ * newly created. In the former case we insist that it already be a member
++ * of the current extension. In the latter case we can skip checking whether
++ * it is already a member of any extension.
++ *
++ * Note: isReplace = true is typically used when updating a object in
++ * CREATE OR REPLACE and similar commands. We used to allow the target
++ * object to not already be an extension member, instead silently absorbing
++ * it into the current extension. However, this was both error-prone
++ * (extensions might accidentally overwrite free-standing objects) and
++ * a security hazard (since the object would retain its previous ownership).
+ */
+ void
+ recordDependencyOnCurrentExtension(const ObjectAddress *object,
+@@ -150,6 +158,12 @@ recordDependencyOnCurrentExtension(const ObjectAddress *object,
+ {
+ Oid oldext;
+
++ /*
++ * Side note: these catalog lookups are safe only because the
++ * object is a pre-existing one. In the not-isReplace case, the
++ * caller has most likely not yet done a CommandCounterIncrement
++ * that would make the new object visible.
++ */
+ oldext = getExtensionOfObject(object->classId, object->objectId);
+ if (OidIsValid(oldext))
+ {
+@@ -163,6 +177,13 @@ recordDependencyOnCurrentExtension(const ObjectAddress *object,
+ getObjectDescription(object),
+ get_extension_name(oldext))));
+ }
++ /* It's a free-standing object, so reject */
++ ereport(ERROR,
++ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
++ errmsg("%s is not a member of extension \"%s\"",
++ getObjectDescription(object),
++ get_extension_name(CurrentExtensionObject)),
++ errdetail("An extension is not allowed to replace an object that it does not own.")));
+ }
+
+ /* OK, record it as a member of CurrentExtensionObject */
+@@ -174,6 +195,49 @@ recordDependencyOnCurrentExtension(const ObjectAddress *object,
+ }
+ }
+
++/*
++ * If we are executing a CREATE EXTENSION operation, check that the given
++ * object is a member of the extension, and throw an error if it isn't.
++ * Otherwise, do nothing.
++ *
++ * This must be called whenever a CREATE IF NOT EXISTS operation (for an
++ * object type that can be an extension member) has found that an object of
++ * the desired name already exists. It is insecure for an extension to use
++ * IF NOT EXISTS except when the conflicting object is already an extension
++ * member; otherwise a hostile user could substitute an object with arbitrary
++ * properties.
++ */
++void
++checkMembershipInCurrentExtension(const ObjectAddress *object)
++{
++ /*
++ * This is actually the same condition tested in
++ * recordDependencyOnCurrentExtension; but we want to issue a
++ * differently-worded error, and anyway it would be pretty confusing to
++ * call recordDependencyOnCurrentExtension in these circumstances.
++ */
++
++ /* Only whole objects can be extension members */
++ Assert(object->objectSubId == 0);
++
++ if (creating_extension)
++ {
++ Oid oldext;
++
++ oldext = getExtensionOfObject(object->classId, object->objectId);
++ /* If already a member of this extension, OK */
++ if (oldext == CurrentExtensionObject)
++ return;
++ /* Else complain */
++ ereport(ERROR,
++ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
++ errmsg("%s is not a member of extension \"%s\"",
++ getObjectDescription(object),
++ get_extension_name(CurrentExtensionObject)),
++ errdetail("An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.")));
++ }
++}
++
+ /*
+ * deleteDependencyRecordsFor -- delete all records with given depender
+ * classId/objectId. Returns the number of records deleted.
+diff --git a/src/backend/catalog/pg_operator.c b/src/backend/catalog/pg_operator.c
+index bcaa26c..84784e6 100644
+--- a/src/backend/catalog/pg_operator.c
++++ b/src/backend/catalog/pg_operator.c
+@@ -867,7 +867,7 @@ makeOperatorDependencies(HeapTuple tuple, bool isUpdate)
+ oper->oprowner);
+
+ /* Dependency on extension */
+- recordDependencyOnCurrentExtension(&myself, true);
++ recordDependencyOnCurrentExtension(&myself, isUpdate);
+
+ return myself;
+ }
+diff --git a/src/backend/catalog/pg_type.c b/src/backend/catalog/pg_type.c
+index 2a51501..3ff017f 100644
+--- a/src/backend/catalog/pg_type.c
++++ b/src/backend/catalog/pg_type.c
+@@ -528,10 +528,9 @@ TypeCreate(Oid newTypeOid,
+ * If rebuild is true, we remove existing dependencies and rebuild them
+ * from scratch. This is needed for ALTER TYPE, and also when replacing
+ * a shell type. We don't remove an existing extension dependency, though.
+- * (That means an extension can't absorb a shell type created in another
+- * extension, nor ALTER a type created by another extension. Also, if it
+- * replaces a free-standing shell type or ALTERs a free-standing type,
+- * that type will become a member of the extension.)
++ * That means an extension can't absorb a shell type that is free-standing
++ * or belongs to another extension, nor ALTER a type that is free-standing or
++ * belongs to another extension.
+ */
+ void
+ GenerateTypeDependencies(Oid typeObjectId,
+diff --git a/src/backend/commands/createas.c b/src/backend/commands/createas.c
+index 4c1d909..a68d945 100644
+--- a/src/backend/commands/createas.c
++++ b/src/backend/commands/createas.c
+@@ -243,15 +243,27 @@ ExecCreateTableAs(CreateTableAsStmt *stmt, const char *queryString,
+ if (stmt->if_not_exists)
+ {
+ Oid nspid;
++ Oid oldrelid;
+
+- nspid = RangeVarGetCreationNamespace(stmt->into->rel);
++ nspid = RangeVarGetCreationNamespace(into->rel);
+
+- if (get_relname_relid(stmt->into->rel->relname, nspid))
++ oldrelid = get_relname_relid(into->rel->relname, nspid);
++ if (OidIsValid(oldrelid))
+ {
++ /*
++ * The relation exists and IF NOT EXISTS has been specified.
++ *
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(address, RelationRelationId, oldrelid);
++ checkMembershipInCurrentExtension(&address);
++
++ /* OK to skip */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_TABLE),
+ errmsg("relation \"%s\" already exists, skipping",
+- stmt->into->rel->relname)));
++ into->rel->relname)));
+ return InvalidObjectAddress;
+ }
+ }
+diff --git a/src/backend/commands/foreigncmds.c b/src/backend/commands/foreigncmds.c
+index d7bc6e3..bc583c6 100644
+--- a/src/backend/commands/foreigncmds.c
++++ b/src/backend/commands/foreigncmds.c
+@@ -887,13 +887,22 @@ CreateForeignServer(CreateForeignServerStmt *stmt)
+ ownerId = GetUserId();
+
+ /*
+- * Check that there is no other foreign server by this name. Do nothing if
+- * IF NOT EXISTS was enforced.
++ * Check that there is no other foreign server by this name. If there is
++ * one, do nothing if IF NOT EXISTS was specified.
+ */
+- if (GetForeignServerByName(stmt->servername, true) != NULL)
++ srvId = get_foreign_server_oid(stmt->servername, true);
++ if (OidIsValid(srvId))
+ {
+ if (stmt->if_not_exists)
+ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(myself, ForeignServerRelationId, srvId);
++ checkMembershipInCurrentExtension(&myself);
++
++ /* OK to skip */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_OBJECT),
+ errmsg("server \"%s\" already exists, skipping",
+@@ -1182,6 +1191,10 @@ CreateUserMapping(CreateUserMappingStmt *stmt)
+ {
+ if (stmt->if_not_exists)
+ {
++ /*
++ * Since user mappings aren't members of extensions (see comments
++ * below), no need for checkMembershipInCurrentExtension here.
++ */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_OBJECT),
+ errmsg("user mapping for \"%s\" already exists for server \"%s\", skipping",
+diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c
+index 6cf94a3..6bc4edc 100644
+--- a/src/backend/commands/schemacmds.c
++++ b/src/backend/commands/schemacmds.c
+@@ -113,14 +113,25 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString,
+ * the permissions checks, but since CREATE TABLE IF NOT EXISTS makes its
+ * creation-permission check first, we do likewise.
+ */
+- if (stmt->if_not_exists &&
+- SearchSysCacheExists1(NAMESPACENAME, PointerGetDatum(schemaName)))
++ if (stmt->if_not_exists)
+ {
+- ereport(NOTICE,
+- (errcode(ERRCODE_DUPLICATE_SCHEMA),
+- errmsg("schema \"%s\" already exists, skipping",
+- schemaName)));
+- return InvalidOid;
++ namespaceId = get_namespace_oid(schemaName, true);
++ if (OidIsValid(namespaceId))
++ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(address, NamespaceRelationId, namespaceId);
++ checkMembershipInCurrentExtension(&address);
++
++ /* OK to skip */
++ ereport(NOTICE,
++ (errcode(ERRCODE_DUPLICATE_SCHEMA),
++ errmsg("schema \"%s\" already exists, skipping",
++ schemaName)));
++ return InvalidOid;
++ }
+ }
+
+ /*
+diff --git a/src/backend/commands/sequence.c b/src/backend/commands/sequence.c
+index 0960b33..0577184 100644
+--- a/src/backend/commands/sequence.c
++++ b/src/backend/commands/sequence.c
+@@ -149,6 +149,14 @@ DefineSequence(ParseState *pstate, CreateSeqStmt *seq)
+ RangeVarGetAndCheckCreationNamespace(seq->sequence, NoLock, &seqoid);
+ if (OidIsValid(seqoid))
+ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(address, RelationRelationId, seqoid);
++ checkMembershipInCurrentExtension(&address);
++
++ /* OK to skip */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_TABLE),
+ errmsg("relation \"%s\" already exists, skipping",
+diff --git a/src/backend/commands/statscmds.c b/src/backend/commands/statscmds.c
+index 5678d31..409cf28 100644
+--- a/src/backend/commands/statscmds.c
++++ b/src/backend/commands/statscmds.c
+@@ -173,6 +173,10 @@ CreateStatistics(CreateStatsStmt *stmt)
+ {
+ if (stmt->if_not_exists)
+ {
++ /*
++ * Since stats objects aren't members of extensions (see comments
++ * below), no need for checkMembershipInCurrentExtension here.
++ */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_OBJECT),
+ errmsg("statistics object \"%s\" already exists, skipping",
+diff --git a/src/backend/commands/view.c b/src/backend/commands/view.c
+index 87ed453..dd7cc97 100644
+--- a/src/backend/commands/view.c
++++ b/src/backend/commands/view.c
+@@ -205,7 +205,7 @@ DefineVirtualRelation(RangeVar *relation, List *tlist, bool replace,
+ CommandCounterIncrement();
+
+ /*
+- * Finally update the view options.
++ * Update the view's options.
+ *
+ * The new options list replaces the existing options list, even if
+ * it's empty.
+@@ -218,8 +218,22 @@ DefineVirtualRelation(RangeVar *relation, List *tlist, bool replace,
+ /* EventTriggerAlterTableStart called by ProcessUtilitySlow */
+ AlterTableInternal(viewOid, atcmds, true);
+
++ /*
++ * There is very little to do here to update the view's dependencies.
++ * Most view-level dependency relationships, such as those on the
++ * owner, schema, and associated composite type, aren't changing.
++ * Because we don't allow changing type or collation of an existing
++ * view column, those dependencies of the existing columns don't
++ * change either, while the AT_AddColumnToView machinery took care of
++ * adding such dependencies for new view columns. The dependencies of
++ * the view's query could have changed arbitrarily, but that was dealt
++ * with inside StoreViewQuery. What remains is only to check that
++ * view replacement is allowed when we're creating an extension.
++ */
+ ObjectAddressSet(address, RelationRelationId, viewOid);
+
++ recordDependencyOnCurrentExtension(&address, true);
++
+ /*
+ * Seems okay, so return the OID of the pre-existing view.
+ */
+diff --git a/src/backend/parser/parse_utilcmd.c b/src/backend/parser/parse_utilcmd.c
+index 44aa38a..8f4d940 100644
+--- a/src/backend/parser/parse_utilcmd.c
++++ b/src/backend/parser/parse_utilcmd.c
+@@ -206,6 +206,16 @@ transformCreateStmt(CreateStmt *stmt, const char *queryString)
+ */
+ if (stmt->if_not_exists && OidIsValid(existing_relid))
+ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddress address;
++
++ ObjectAddressSet(address, RelationRelationId, existing_relid);
++ checkMembershipInCurrentExtension(&address);
++
++ /* OK to skip */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_TABLE),
+ errmsg("relation \"%s\" already exists, skipping",
+diff --git a/src/include/catalog/dependency.h b/src/include/catalog/dependency.h
+index 8b1e3aa..27c7509 100644
+--- a/src/include/catalog/dependency.h
++++ b/src/include/catalog/dependency.h
+@@ -201,6 +201,8 @@ extern void recordMultipleDependencies(const ObjectAddress *depender,
+ extern void recordDependencyOnCurrentExtension(const ObjectAddress *object,
+ bool isReplace);
+
++extern void checkMembershipInCurrentExtension(const ObjectAddress *object);
++
+ extern long deleteDependencyRecordsFor(Oid classId, Oid objectId,
+ bool skipExtensionDeps);
+
+diff --git a/src/test/modules/test_extensions/Makefile b/src/test/modules/test_extensions/Makefile
+index d18108e..7428f15 100644
+--- a/src/test/modules/test_extensions/Makefile
++++ b/src/test/modules/test_extensions/Makefile
+@@ -4,10 +4,13 @@ MODULE = test_extensions
+ PGFILEDESC = "test_extensions - regression testing for EXTENSION support"
+
+ EXTENSION = test_ext1 test_ext2 test_ext3 test_ext4 test_ext5 test_ext6 \
+- test_ext7 test_ext8 test_ext_cyclic1 test_ext_cyclic2
++ test_ext7 test_ext8 test_ext_cine test_ext_cor \
++ test_ext_cyclic1 test_ext_cyclic2
+ DATA = test_ext1--1.0.sql test_ext2--1.0.sql test_ext3--1.0.sql \
+ test_ext4--1.0.sql test_ext5--1.0.sql test_ext6--1.0.sql \
+ test_ext7--1.0.sql test_ext7--1.0--2.0.sql test_ext8--1.0.sql \
++ test_ext_cine--1.0.sql test_ext_cine--1.0--1.1.sql \
++ test_ext_cor--1.0.sql \
+ test_ext_cyclic1--1.0.sql test_ext_cyclic2--1.0.sql
+
+ REGRESS = test_extensions test_extdepend
+diff --git a/src/test/modules/test_extensions/expected/test_extensions.out b/src/test/modules/test_extensions/expected/test_extensions.out
+index b5cbdfc..1e91640 100644
+--- a/src/test/modules/test_extensions/expected/test_extensions.out
++++ b/src/test/modules/test_extensions/expected/test_extensions.out
+@@ -154,3 +154,156 @@ DROP TABLE test_ext4_tab;
+ DROP FUNCTION create_extension_with_temp_schema();
+ RESET client_min_messages;
+ \unset SHOW_CONTEXT
++-- It's generally bad style to use CREATE OR REPLACE unnecessarily.
++-- Test what happens if an extension does it anyway.
++-- Replacing a shell type or operator is sort of like CREATE OR REPLACE;
++-- check that too.
++CREATE FUNCTION ext_cor_func() RETURNS text
++ AS $$ SELECT 'ext_cor_func: original'::text $$ LANGUAGE sql;
++CREATE EXTENSION test_ext_cor; -- fail
++ERROR: function ext_cor_func() is not a member of extension "test_ext_cor"
++DETAIL: An extension is not allowed to replace an object that it does not own.
++SELECT ext_cor_func();
++ ext_cor_func
++------------------------
++ ext_cor_func: original
++(1 row)
++
++DROP FUNCTION ext_cor_func();
++CREATE VIEW ext_cor_view AS
++ SELECT 'ext_cor_view: original'::text AS col;
++CREATE EXTENSION test_ext_cor; -- fail
++ERROR: view ext_cor_view is not a member of extension "test_ext_cor"
++DETAIL: An extension is not allowed to replace an object that it does not own.
++SELECT ext_cor_func();
++ERROR: function ext_cor_func() does not exist
++LINE 1: SELECT ext_cor_func();
++ ^
++HINT: No function matches the given name and argument types. You might need to add explicit type casts.
++SELECT * FROM ext_cor_view;
++ col
++------------------------
++ ext_cor_view: original
++(1 row)
++
++DROP VIEW ext_cor_view;
++CREATE TYPE test_ext_type;
++CREATE EXTENSION test_ext_cor; -- fail
++ERROR: type test_ext_type is not a member of extension "test_ext_cor"
++DETAIL: An extension is not allowed to replace an object that it does not own.
++DROP TYPE test_ext_type;
++-- this makes a shell "point <<@@ polygon" operator too
++CREATE OPERATOR @@>> ( PROCEDURE = poly_contain_pt,
++ LEFTARG = polygon, RIGHTARG = point,
++ COMMUTATOR = <<@@ );
++CREATE EXTENSION test_ext_cor; -- fail
++ERROR: operator <<@@(point,polygon) is not a member of extension "test_ext_cor"
++DETAIL: An extension is not allowed to replace an object that it does not own.
++DROP OPERATOR <<@@ (point, polygon);
++CREATE EXTENSION test_ext_cor; -- now it should work
++SELECT ext_cor_func();
++ ext_cor_func
++------------------------------
++ ext_cor_func: from extension
++(1 row)
++
++SELECT * FROM ext_cor_view;
++ col
++------------------------------
++ ext_cor_view: from extension
++(1 row)
++
++SELECT 'x'::test_ext_type;
++ test_ext_type
++---------------
++ x
++(1 row)
++
++SELECT point(0,0) <<@@ polygon(circle(point(0,0),1));
++ ?column?
++----------
++ t
++(1 row)
++
++\dx+ test_ext_cor
++Objects in extension "test_ext_cor"
++ Object description
++------------------------------
++ function ext_cor_func()
++ operator <<@@(point,polygon)
++ type test_ext_type
++ view ext_cor_view
++(4 rows)
++
++--
++-- CREATE IF NOT EXISTS is an entirely unsound thing for an extension
++-- to be doing, but let's at least plug the major security hole in it.
++--
++CREATE COLLATION ext_cine_coll
++ ( LC_COLLATE = "C", LC_CTYPE = "C" );
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: collation ext_cine_coll is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP COLLATION ext_cine_coll;
++CREATE MATERIALIZED VIEW ext_cine_mv AS SELECT 11 AS f1;
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: materialized view ext_cine_mv is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP MATERIALIZED VIEW ext_cine_mv;
++CREATE FOREIGN DATA WRAPPER dummy;
++CREATE SERVER ext_cine_srv FOREIGN DATA WRAPPER dummy;
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: server ext_cine_srv is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP SERVER ext_cine_srv;
++CREATE SCHEMA ext_cine_schema;
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: schema ext_cine_schema is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP SCHEMA ext_cine_schema;
++CREATE SEQUENCE ext_cine_seq;
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: sequence ext_cine_seq is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP SEQUENCE ext_cine_seq;
++CREATE TABLE ext_cine_tab1 (x int);
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: table ext_cine_tab1 is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP TABLE ext_cine_tab1;
++CREATE TABLE ext_cine_tab2 AS SELECT 42 AS y;
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: table ext_cine_tab2 is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP TABLE ext_cine_tab2;
++CREATE EXTENSION test_ext_cine;
++\dx+ test_ext_cine
++Objects in extension "test_ext_cine"
++ Object description
++-----------------------------------
++ collation ext_cine_coll
++ foreign-data wrapper ext_cine_fdw
++ materialized view ext_cine_mv
++ schema ext_cine_schema
++ sequence ext_cine_seq
++ server ext_cine_srv
++ table ext_cine_tab1
++ table ext_cine_tab2
++(8 rows)
++
++ALTER EXTENSION test_ext_cine UPDATE TO '1.1';
++\dx+ test_ext_cine
++Objects in extension "test_ext_cine"
++ Object description
++-----------------------------------
++ collation ext_cine_coll
++ foreign-data wrapper ext_cine_fdw
++ materialized view ext_cine_mv
++ schema ext_cine_schema
++ sequence ext_cine_seq
++ server ext_cine_srv
++ table ext_cine_tab1
++ table ext_cine_tab2
++ table ext_cine_tab3
++(9 rows)
++
+diff --git a/src/test/modules/test_extensions/sql/test_extensions.sql b/src/test/modules/test_extensions/sql/test_extensions.sql
+index f505466..b3d4579 100644
+--- a/src/test/modules/test_extensions/sql/test_extensions.sql
++++ b/src/test/modules/test_extensions/sql/test_extensions.sql
+@@ -93,3 +93,113 @@ DROP TABLE test_ext4_tab;
+ DROP FUNCTION create_extension_with_temp_schema();
+ RESET client_min_messages;
+ \unset SHOW_CONTEXT
++
++-- It's generally bad style to use CREATE OR REPLACE unnecessarily.
++-- Test what happens if an extension does it anyway.
++-- Replacing a shell type or operator is sort of like CREATE OR REPLACE;
++-- check that too.
++
++CREATE FUNCTION ext_cor_func() RETURNS text
++ AS $$ SELECT 'ext_cor_func: original'::text $$ LANGUAGE sql;
++
++CREATE EXTENSION test_ext_cor; -- fail
++
++SELECT ext_cor_func();
++
++DROP FUNCTION ext_cor_func();
++
++CREATE VIEW ext_cor_view AS
++ SELECT 'ext_cor_view: original'::text AS col;
++
++CREATE EXTENSION test_ext_cor; -- fail
++
++SELECT ext_cor_func();
++
++SELECT * FROM ext_cor_view;
++
++DROP VIEW ext_cor_view;
++
++CREATE TYPE test_ext_type;
++
++CREATE EXTENSION test_ext_cor; -- fail
++
++DROP TYPE test_ext_type;
++
++-- this makes a shell "point <<@@ polygon" operator too
++CREATE OPERATOR @@>> ( PROCEDURE = poly_contain_pt,
++ LEFTARG = polygon, RIGHTARG = point,
++ COMMUTATOR = <<@@ );
++
++CREATE EXTENSION test_ext_cor; -- fail
++
++DROP OPERATOR <<@@ (point, polygon);
++
++CREATE EXTENSION test_ext_cor; -- now it should work
++
++SELECT ext_cor_func();
++
++SELECT * FROM ext_cor_view;
++
++SELECT 'x'::test_ext_type;
++
++SELECT point(0,0) <<@@ polygon(circle(point(0,0),1));
++
++\dx+ test_ext_cor
++
++--
++-- CREATE IF NOT EXISTS is an entirely unsound thing for an extension
++-- to be doing, but let's at least plug the major security hole in it.
++--
++
++CREATE COLLATION ext_cine_coll
++ ( LC_COLLATE = "C", LC_CTYPE = "C" );
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP COLLATION ext_cine_coll;
++
++CREATE MATERIALIZED VIEW ext_cine_mv AS SELECT 11 AS f1;
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP MATERIALIZED VIEW ext_cine_mv;
++
++CREATE FOREIGN DATA WRAPPER dummy;
++
++CREATE SERVER ext_cine_srv FOREIGN DATA WRAPPER dummy;
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP SERVER ext_cine_srv;
++
++CREATE SCHEMA ext_cine_schema;
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP SCHEMA ext_cine_schema;
++
++CREATE SEQUENCE ext_cine_seq;
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP SEQUENCE ext_cine_seq;
++
++CREATE TABLE ext_cine_tab1 (x int);
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP TABLE ext_cine_tab1;
++
++CREATE TABLE ext_cine_tab2 AS SELECT 42 AS y;
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP TABLE ext_cine_tab2;
++
++CREATE EXTENSION test_ext_cine;
++
++\dx+ test_ext_cine
++
++ALTER EXTENSION test_ext_cine UPDATE TO '1.1';
++
++\dx+ test_ext_cine
+diff --git a/src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql b/src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql
+new file mode 100644
+index 0000000..6dadfd2
+--- /dev/null
++++ b/src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql
+@@ -0,0 +1,26 @@
++/* src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql */
++-- complain if script is sourced in psql, rather than via ALTER EXTENSION
++\echo Use "ALTER EXTENSION test_ext_cine UPDATE TO '1.1'" to load this file. \quit
++
++--
++-- These are the same commands as in the 1.0 script; we expect them
++-- to do nothing.
++--
++
++CREATE COLLATION IF NOT EXISTS ext_cine_coll
++ ( LC_COLLATE = "POSIX", LC_CTYPE = "POSIX" );
++
++CREATE MATERIALIZED VIEW IF NOT EXISTS ext_cine_mv AS SELECT 42 AS f1;
++
++CREATE SERVER IF NOT EXISTS ext_cine_srv FOREIGN DATA WRAPPER ext_cine_fdw;
++
++CREATE SCHEMA IF NOT EXISTS ext_cine_schema;
++
++CREATE SEQUENCE IF NOT EXISTS ext_cine_seq;
++
++CREATE TABLE IF NOT EXISTS ext_cine_tab1 (x int);
++
++CREATE TABLE IF NOT EXISTS ext_cine_tab2 AS SELECT 42 AS y;
++
++-- just to verify the script ran
++CREATE TABLE ext_cine_tab3 (z int);
+diff --git a/src/test/modules/test_extensions/test_ext_cine--1.0.sql b/src/test/modules/test_extensions/test_ext_cine--1.0.sql
+new file mode 100644
+index 0000000..01408ff
+--- /dev/null
++++ b/src/test/modules/test_extensions/test_ext_cine--1.0.sql
+@@ -0,0 +1,25 @@
++/* src/test/modules/test_extensions/test_ext_cine--1.0.sql */
++-- complain if script is sourced in psql, rather than via CREATE EXTENSION
++\echo Use "CREATE EXTENSION test_ext_cine" to load this file. \quit
++
++--
++-- CREATE IF NOT EXISTS is an entirely unsound thing for an extension
++-- to be doing, but let's at least plug the major security hole in it.
++--
++
++CREATE COLLATION IF NOT EXISTS ext_cine_coll
++ ( LC_COLLATE = "POSIX", LC_CTYPE = "POSIX" );
++
++CREATE MATERIALIZED VIEW IF NOT EXISTS ext_cine_mv AS SELECT 42 AS f1;
++
++CREATE FOREIGN DATA WRAPPER ext_cine_fdw;
++
++CREATE SERVER IF NOT EXISTS ext_cine_srv FOREIGN DATA WRAPPER ext_cine_fdw;
++
++CREATE SCHEMA IF NOT EXISTS ext_cine_schema;
++
++CREATE SEQUENCE IF NOT EXISTS ext_cine_seq;
++
++CREATE TABLE IF NOT EXISTS ext_cine_tab1 (x int);
++
++CREATE TABLE IF NOT EXISTS ext_cine_tab2 AS SELECT 42 AS y;
+diff --git a/src/test/modules/test_extensions/test_ext_cine.control b/src/test/modules/test_extensions/test_ext_cine.control
+new file mode 100644
+index 0000000..ced713b
+--- /dev/null
++++ b/src/test/modules/test_extensions/test_ext_cine.control
+@@ -0,0 +1,3 @@
++comment = 'Test extension using CREATE IF NOT EXISTS'
++default_version = '1.0'
++relocatable = true
+diff --git a/src/test/modules/test_extensions/test_ext_cor--1.0.sql b/src/test/modules/test_extensions/test_ext_cor--1.0.sql
+new file mode 100644
+index 0000000..2e8d89c
+--- /dev/null
++++ b/src/test/modules/test_extensions/test_ext_cor--1.0.sql
+@@ -0,0 +1,20 @@
++/* src/test/modules/test_extensions/test_ext_cor--1.0.sql */
++-- complain if script is sourced in psql, rather than via CREATE EXTENSION
++\echo Use "CREATE EXTENSION test_ext_cor" to load this file. \quit
++
++-- It's generally bad style to use CREATE OR REPLACE unnecessarily.
++-- Test what happens if an extension does it anyway.
++
++CREATE OR REPLACE FUNCTION ext_cor_func() RETURNS text
++ AS $$ SELECT 'ext_cor_func: from extension'::text $$ LANGUAGE sql;
++
++CREATE OR REPLACE VIEW ext_cor_view AS
++ SELECT 'ext_cor_view: from extension'::text AS col;
++
++-- These are for testing replacement of a shell type/operator, which works
++-- enough like an implicit OR REPLACE to be important to check.
++
++CREATE TYPE test_ext_type AS ENUM('x', 'y');
++
++CREATE OPERATOR <<@@ ( PROCEDURE = pt_contained_poly,
++ LEFTARG = point, RIGHTARG = polygon );
+diff --git a/src/test/modules/test_extensions/test_ext_cor.control b/src/test/modules/test_extensions/test_ext_cor.control
+new file mode 100644
+index 0000000..0e972e5
+--- /dev/null
++++ b/src/test/modules/test_extensions/test_ext_cor.control
+@@ -0,0 +1,3 @@
++comment = 'Test extension using CREATE OR REPLACE'
++default_version = '1.0'
++relocatable = true
+--
+2.25.1
+
diff --git a/meta-oe/recipes-dbs/postgresql/files/remove_duplicate.patch b/meta-oe/recipes-dbs/postgresql/files/remove_duplicate.patch
new file mode 100644
index 000000000..92a3dcc71
--- /dev/null
+++ b/meta-oe/recipes-dbs/postgresql/files/remove_duplicate.patch
@@ -0,0 +1,38 @@
+Remove duplicate code for riscv
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+--- a/src/include/storage/s_lock.h
++++ b/src/include/storage/s_lock.h
+@@ -341,30 +341,6 @@ tas(volatile slock_t *lock)
+ #endif /* HAVE_GCC__SYNC_INT32_TAS */
+ #endif /* __arm__ || __arm || __aarch64__ || __aarch64 || __riscv */
+
+-
+-/*
+- * RISC-V likewise uses __sync_lock_test_and_set(int *, int) if available.
+- */
+-#if defined(__riscv)
+-#ifdef HAVE_GCC__SYNC_INT32_TAS
+-#define HAS_TEST_AND_SET
+-
+-#define TAS(lock) tas(lock)
+-
+-typedef int slock_t;
+-
+-static __inline__ int
+-tas(volatile slock_t *lock)
+-{
+- return __sync_lock_test_and_set(lock, 1);
+-}
+-
+-#define S_UNLOCK(lock) __sync_lock_release(lock)
+-
+-#endif /* HAVE_GCC__SYNC_INT32_TAS */
+-#endif /* __riscv */
+-
+-
+ /* S/390 and S/390x Linux (32- and 64-bit zSeries) */
+ #if defined(__s390__) || defined(__s390x__)
+ #define HAS_TEST_AND_SET
diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_12.7.bb b/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb
index 18ba2178f..860e821b2 100644
--- a/meta-oe/recipes-dbs/postgresql/postgresql_12.7.bb
+++ b/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb
@@ -6,6 +6,9 @@ SRC_URI += "\
file://not-check-libperl.patch \
file://0001-Add-support-for-RISC-V.patch \
file://0001-Improve-reproducibility.patch \
+ file://remove_duplicate.patch \
+ file://CVE-2022-1552.patch \
+ file://CVE-2022-2625.patch \
"
-SRC_URI[sha256sum] = "8490741f47c88edc8b6624af009ce19fda4dc9b31c4469ce2551d84075d5d995"
+SRC_URI[sha256sum] = "89fda2de33ed04a98548e43f3ee5f15b882be17505d631fe0dd1a540a2b56dce"
diff --git a/meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb b/meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb
index b9038df81..f97131991 100644
--- a/meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb
+++ b/meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb
@@ -10,7 +10,7 @@ SRCREV = "551a110918493a19d11243f53408b97485de1411"
SRCBRANCH = "6.6.fb"
PV = "6.6.4"
-SRC_URI = "git://github.com/facebook/${BPN}.git;branch=${SRCBRANCH} \
+SRC_URI = "git://github.com/facebook/${BPN}.git;branch=${SRCBRANCH};protocol=https \
file://0001-db-write_thread.cc-Initialize-state.patch \
file://0001-cmake-Add-check-for-atomic-support.patch \
"
diff --git a/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb
index e874e4a5e..87f9c23eb 100644
--- a/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb
+++ b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=df52c6edb7adc22e533b2bacc3bd3915"
PV = "20190808+git${SRCPV}"
SRCREV = "aa844899c937bde5d2b24f276b59997e5b668bde"
BRANCH = "lts_2019_08_08"
-SRC_URI = "git://github.com/abseil/abseil-cpp;branch=${BRANCH} \
+SRC_URI = "git://github.com/abseil/abseil-cpp;branch=${BRANCH};protocol=https \
file://0001-Remove-maes-option-from-cross-compilation.patch \
file://0002-Add-forgotten-ABSL_HAVE_VDSO_SUPPORT-conditional.patch \
file://0003-Add-fPIC-option.patch \
diff --git a/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb b/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb
index fb6125e2a..ef440471b 100644
--- a/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb
+++ b/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb
@@ -19,6 +19,7 @@ SRCREV_libhardware = "be55eb1f4d840c82ffaf7c47460df17ff5bc4d9b"
SRCREV_libselinux = "07e9e1339ad1ba608acfba9dce2d0f474b252feb"
SRCREV_build = "16e987def3d7d8f7d30805eb95cef69e52a87dbc"
+SRCREV_FORMAT = "core_extras_libhardware_libselinux_build"
SRC_URI = " \
git://${ANDROID_MIRROR}/platform/system/core;name=core;protocol=https;nobranch=1;destsuffix=git/system/core \
git://${ANDROID_MIRROR}/platform/system/extras;name=extras;protocol=https;nobranch=1;destsuffix=git/system/extras \
diff --git a/meta-oe/recipes-devtools/bootchart/bootchart_git.bb b/meta-oe/recipes-devtools/bootchart/bootchart_git.bb
index 2b75eaac9..79754050d 100644
--- a/meta-oe/recipes-devtools/bootchart/bootchart_git.bb
+++ b/meta-oe/recipes-devtools/bootchart/bootchart_git.bb
@@ -8,7 +8,7 @@ PV = "1.17"
PR = "r1"
PE = "1"
-SRC_URI = "git://gitorious.org/meego-developer-tools/bootchart.git;protocol=https \
+SRC_URI = "git://gitorious.org/meego-developer-tools/bootchart.git;protocol=https;branch=master \
file://0001-svg-add-rudimentary-support-for-ARM-cpuinfo.patch \
file://0002-svg-open-etc-os-release-and-use-PRETTY_NAME-for-the-.patch \
"
diff --git a/meta-oe/recipes-devtools/breakpad/breakpad_git.bb b/meta-oe/recipes-devtools/breakpad/breakpad_git.bb
index daf262ed6..1e474225a 100644
--- a/meta-oe/recipes-devtools/breakpad/breakpad_git.bb
+++ b/meta-oe/recipes-devtools/breakpad/breakpad_git.bb
@@ -26,11 +26,11 @@ SRCREV_protobuf = "cb6dd4ef5f82e41e06179dcd57d3b1d9246ad6ac"
SRCREV_lss = "8048ece6c16c91acfe0d36d1d3cc0890ab6e945c"
SRCREV_gyp = "324dd166b7c0b39d513026fa52d6280ac6d56770"
-SRC_URI = "git://github.com/google/breakpad;name=breakpad \
- git://github.com/google/googletest.git;destsuffix=git/src/testing/gtest;name=gtest \
- git://github.com/google/protobuf.git;destsuffix=git/src/third_party/protobuf/protobuf;name=protobuf \
- git://chromium.googlesource.com/linux-syscall-support;protocol=https;destsuffix=git/src/third_party/lss;name=lss \
- git://chromium.googlesource.com/external/gyp;protocol=https;destsuffix=git/src/tools/gyp;name=gyp \
+SRC_URI = "git://github.com/google/breakpad;name=breakpad;branch=main;protocol=https \
+ git://github.com/google/googletest.git;destsuffix=git/src/testing/gtest;name=gtest;branch=main;protocol=https \
+ git://github.com/google/protobuf.git;destsuffix=git/src/third_party/protobuf/protobuf;name=protobuf;branch=main;protocol=https \
+ git://chromium.googlesource.com/linux-syscall-support;protocol=https;destsuffix=git/src/third_party/lss;name=lss;branch=main \
+ git://chromium.googlesource.com/external/gyp;protocol=https;destsuffix=git/src/tools/gyp;name=gyp;branch=master \
file://0001-include-sys-reg.h-to-get-__WORDSIZE-on-musl-libc.patch \
file://0003-Fix-conflict-between-musl-libc-dirent.h-and-lss.patch \
file://0001-Turn-off-sign-compare-for-musl-libc.patch \
diff --git a/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb b/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb
index c6bab5ec2..fa1751e56 100644
--- a/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb
+++ b/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb
@@ -5,7 +5,9 @@ SECTION = "console/tools"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://../LICENSE;md5=a05663ae6cca874123bf667a60dca8c9"
-SRC_URI = "git://github.com/sandstorm-io/capnproto.git;branch=release-${PV}"
+SRC_URI = "git://github.com/sandstorm-io/capnproto.git;branch=release-${PV};protocol=https \
+ file://CVE-2022-46149.patch \
+"
SRCREV = "3f44c6db0f0f6c0cab0633f15f15d0a2acd01d19"
S = "${WORKDIR}/git/c++"
diff --git a/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch b/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch
new file mode 100644
index 000000000..b6b1fa651
--- /dev/null
+++ b/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch
@@ -0,0 +1,49 @@
+From 25d34c67863fd960af34fc4f82a7ca3362ee74b9 Mon Sep 17 00:00:00 2001
+From: Kenton Varda <kenton@cloudflare.com>
+Date: Wed, 23 Nov 2022 12:02:29 -0600
+Subject: [PATCH] Apply data offset for list-of-pointers at access time rather
+ than ListReader creation time.
+
+Baking this offset into `ptr` reduced ops needed at access time but made the interpretation of `ptr` inconsistent depending on what type of list was expected.
+
+CVE: CVE-2022-46149
+Upstream-Status: Backport [https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+ c++/src/capnp/layout.c++ | 4 ----
+ c++/src/capnp/layout.h | 6 +++++-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+Index: c++/src/capnp/layout.c++
+===================================================================
+--- c++.orig/src/capnp/layout.c++
++++ c++/src/capnp/layout.c++
+@@ -2322,10 +2322,6 @@ struct WireHelpers {
+ break;
+
+ case ElementSize::POINTER:
+- // We expected a list of pointers but got a list of structs. Assuming the first field
+- // in the struct is the pointer we were looking for, we want to munge the pointer to
+- // point at the first element's pointer section.
+- ptr += tag->structRef.dataSize.get();
+ KJ_REQUIRE(tag->structRef.ptrCount.get() > ZERO * POINTERS,
+ "Expected a pointer list, but got a list of data-only structs.") {
+ goto useDefault;
+Index: c++/src/capnp/layout.h
+===================================================================
+--- c++.orig/src/capnp/layout.h
++++ c++/src/capnp/layout.h
+@@ -1235,8 +1235,12 @@ inline Void ListReader::getDataElement<V
+ }
+
+ inline PointerReader ListReader::getPointerElement(ElementCount index) const {
++ // If the list elements have data sections we need to skip those. Note that for pointers to be
++ // present at all (which already must be true if we get here), then `structDataSize` must be a
++ // whole number of words, so we don't have to worry about unaligned reads here.
++ auto offset = structDataSize / BITS_PER_BYTE;
+ return PointerReader(segment, capTable, reinterpret_cast<const WirePointer*>(
+- ptr + upgradeBound<uint64_t>(index) * step / BITS_PER_BYTE), nestingLimit);
++ ptr + offset + upgradeBound<uint64_t>(index) * step / BITS_PER_BYTE), nestingLimit);
+ }
+
+ // -------------------------------------------------------------------
diff --git a/meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb b/meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb
index e6174821f..7af05acf9 100644
--- a/meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb
+++ b/meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb
@@ -5,7 +5,7 @@ SECTION = "libs"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=218947f77e8cb8e2fa02918dc41c50d0"
-SRC_URI = "git://github.com/DaveGamble/cJSON.git"
+SRC_URI = "git://github.com/DaveGamble/cJSON.git;branch=master;protocol=https"
SRCREV = "39853e5148dad8dc5d32ea2b00943cf4a0c6f120"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb b/meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb
index 8c6cf7db2..996314a75 100644
--- a/meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb
+++ b/meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb
@@ -10,7 +10,7 @@ SECTION = "base"
PV = "0.5.1+git${SRCPV}"
SRCREV = "f97d3da5c375ac2fc5a9173cdd36cb828915a2e1"
LIC_FILES_CHKSUM = "file://LICENSE;md5=a0b24c1a8f9ad516a297d055b0294231"
-SRC_URI = "git://github.com/concurrencykit/ck.git \
+SRC_URI = "git://github.com/concurrencykit/ck.git;branch=master;protocol=https \
file://cross.patch \
"
diff --git a/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb b/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb
index 406494ebb..d1b7134b8 100644
--- a/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb
+++ b/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb
@@ -3,11 +3,11 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-SRC_URI = "git://github.com/ubinux/dnf-plugin-tui.git;branch=master "
+SRC_URI = "git://github.com/ubinux/dnf-plugin-tui.git;branch=master;protocol=https"
SRCREV = "c5416adeb210154dc4ccc4c3e1c5297d83ebd41e"
PV = "1.1"
-SRC_URI_append_class-target = "file://oe-remote.repo.sample"
+SRC_URI_append_class-target = " file://oe-remote.repo.sample"
inherit distutils3-base
diff --git a/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb b/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb
index 7b8d47d8d..c4f3594f3 100644
--- a/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb
+++ b/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57"
SRCREV = "6df40a2471737b27271bdd9b900ab5f3aec746c7"
-SRC_URI = "git://github.com/google/flatbuffers.git"
+SRC_URI = "git://github.com/google/flatbuffers.git;branch=master;protocol=https"
# affects only flatbuffers rust crate
CVE_CHECK_WHITELIST += "CVE-2020-35864"
@@ -24,12 +24,17 @@ BUILD_CXXFLAGS += "-std=c++11 -fPIC"
# BUILD_TYPE=Release is required, otherwise flatc is not installed
EXTRA_OECMAKE += "\
-DCMAKE_BUILD_TYPE=Release \
- -DFLATBUFFERS_BUILD_TESTS=OFF \
+ -DFLATBUFFERS_BUILD_TESTS=OFF \
-DFLATBUFFERS_BUILD_SHAREDLIB=ON \
"
inherit cmake
+rm_flatc_cmaketarget_for_target() {
+ rm -f "${SYSROOT_DESTDIR}/${libdir}/cmake/flatbuffers/FlatcTargets.cmake"
+}
+SYSROOT_PREPROCESS_FUNCS:class-target += "rm_flatc_cmaketarget_for_target"
+
S = "${WORKDIR}/git"
FILES_${PN}-compiler = "${bindir}"
diff --git a/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb b/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb
index 752562eb3..8a055412f 100644
--- a/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb
+++ b/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb
@@ -15,9 +15,10 @@ SRCREV_grpc = "2de2e8dd8921e1f7d043e01faf7fe8a291fbb072"
SRCREV_upb = "9effcbcb27f0a665f9f345030188c0b291e32482"
BRANCH = "v1.24.x"
SRC_URI = "git://github.com/grpc/grpc.git;protocol=https;name=grpc;branch=${BRANCH} \
- git://github.com/protocolbuffers/upb;name=upb;destsuffix=git/third_party/upb \
+ git://github.com/protocolbuffers/upb;name=upb;destsuffix=git/third_party/upb;branch=main;protocol=https \
file://0001-CMakeLists.txt-Fix-libraries-installation-for-Linux.patch \
"
+SRCREV_FORMAT = "grpc_upb"
SRC_URI_append_class-target = " file://0001-CMakeLists.txt-Fix-grpc_cpp_plugin-path-during-cross.patch \
"
SRC_URI_append_class-nativesdk = " file://0001-CMakeLists.txt-Fix-grpc_cpp_plugin-path-during-cross.patch"
@@ -62,6 +63,6 @@ do_configure_prepend_toolchain-clang_x86() {
BBCLASSEXTEND = "native nativesdk"
-SYSROOT_DIRS_BLACKLIST_append_class-target = "${baselib}/cmake/grpc"
+SYSROOT_DIRS_BLACKLIST_append_class-target = " ${baselib}/cmake/grpc"
FILES_${PN}-dev += "${bindir}"
diff --git a/meta-oe/recipes-devtools/guider/guider_3.9.7.bb b/meta-oe/recipes-devtools/guider/guider_3.9.7.bb
index 88fad936b..cc81443d5 100644
--- a/meta-oe/recipes-devtools/guider/guider_3.9.7.bb
+++ b/meta-oe/recipes-devtools/guider/guider_3.9.7.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2c1c00f9d3ed9e24fa69b932b7e7aff2"
PV = "3.9.7+git${SRCPV}"
-SRC_URI = "git://github.com/iipeace/${BPN}"
+SRC_URI = "git://github.com/iipeace/${BPN};branch=master;protocol=https"
SRCREV = "459b5189a46023fc98e19888b196bdc2674022fd"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb b/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb
index 8a5db3da3..629881f0c 100644
--- a/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb
+++ b/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb
@@ -14,7 +14,7 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=fa2a23dd1dc6c139f35105379d76df2b"
SRCREV = "d2e6a971f4544c55b8e3b25cf96db266971b778f"
-SRC_URI = "git://github.com/open-source-parsers/jsoncpp"
+SRC_URI = "git://github.com/open-source-parsers/jsoncpp;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb b/meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb
index ca9675ed6..e9672ea4d 100644
--- a/meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb
+++ b/meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb
@@ -9,7 +9,7 @@ SECTION = "libs"
DEPENDS = "curl jsoncpp libmicrohttpd hiredis"
-SRC_URI = "git://github.com/cinemast/libjson-rpc-cpp"
+SRC_URI = "git://github.com/cinemast/libjson-rpc-cpp;branch=master;protocol=https"
SRCREV = "c696f6932113b81cd20cd4a34fdb1808e773f23e"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb b/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb
index 62d4df5e0..72f06ae44 100644
--- a/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb
+++ b/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb
@@ -14,7 +14,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=930f8aa500a47c7dab0f8efb5a1c9a40"
DEPENDS = "libgfortran"
SRCREV = "6acc99d5f39130be7cec00fb835606042101a970"
-SRC_URI = "git://github.com/Reference-LAPACK/lapack.git;protocol=https"
+SRC_URI = "git://github.com/Reference-LAPACK/lapack.git;protocol=https;branch=master"
S = "${WORKDIR}/git"
EXTRA_OECMAKE = " -DBUILD_SHARED_LIBS=ON "
diff --git a/meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb b/meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb
index b83e86a48..2dc3776e8 100644
--- a/meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb
+++ b/meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb
@@ -7,7 +7,7 @@ Cluster segmentation described in Annex #29 (UAX #29)."
LICENSE = "Artistic-1.0 | GPLv1+"
LIC_FILES_CHKSUM = "file://COPYING;md5=5b122a36d0f6dc55279a0ebc69f3c60b"
-SRC_URI = "git://github.com/hatukanezumi/sombok.git;protocol=https \
+SRC_URI = "git://github.com/hatukanezumi/sombok.git;protocol=https;branch=master \
file://0001-configure.ac-fix-cross-compiling-issue.patch \
"
diff --git a/meta-oe/recipes-devtools/libubox/libubox_git.bb b/meta-oe/recipes-devtools/libubox/libubox_git.bb
index 7dbefa115..18f26b009 100644
--- a/meta-oe/recipes-devtools/libubox/libubox_git.bb
+++ b/meta-oe/recipes-devtools/libubox/libubox_git.bb
@@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "\
"
SRC_URI = "\
- git://git.openwrt.org/project/libubox.git \
+ git://git.openwrt.org/project/libubox.git;branch=master \
file://0001-version-libraries.patch \
file://fix-libdir.patch \
file://0001-blobmsg-fix-array-out-of-bounds-GCC-10-warning.patch \
diff --git a/meta-oe/recipes-devtools/ltrace/ltrace_git.bb b/meta-oe/recipes-devtools/ltrace/ltrace_git.bb
index 5710943d7..339841acf 100644
--- a/meta-oe/recipes-devtools/ltrace/ltrace_git.bb
+++ b/meta-oe/recipes-devtools/ltrace/ltrace_git.bb
@@ -14,7 +14,7 @@ PV = "7.91+git${SRCPV}"
SRCREV = "c22d359433b333937ee3d803450dc41998115685"
DEPENDS = "elfutils"
-SRC_URI = "git://github.com/sparkleholic/ltrace.git;branch=master;protocol=http \
+SRC_URI = "git://github.com/sparkleholic/ltrace.git;branch=master;protocol=http;protocol=https \
file://configure-allow-to-disable-selinux-support.patch \
file://0001-replace-readdir_r-with-readdir.patch \
file://0001-Use-correct-enum-type.patch \
diff --git a/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch
new file mode 100644
index 000000000..606c9ea98
--- /dev/null
+++ b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch
@@ -0,0 +1,73 @@
+From a38684e4cb4e1439e5f2f7370724496d5b363b32 Mon Sep 17 00:00:00 2001
+From: Steve Sakoman <steve@sakoman.com>
+Date: Mon, 18 Apr 2022 09:04:08 -1000
+Subject: [PATCH] lua: fix CVE-2022-28805
+
+singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup
+call, leading to a heap-based buffer over-read that might affect a system that
+compiles untrusted Lua code.
+
+https://nvd.nist.gov/vuln/detail/CVE-2022-28805
+
+(From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e)
+
+Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+(cherry picked from commit 91e14d3a8e6e67267047473f5c449f266b44f354)
+Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
+---
+ .../lua/lua/CVE-2022-28805.patch | 28 +++++++++++++++++++
+ meta-oe/recipes-devtools/lua/lua_5.3.6.bb | 1 +
+ 2 files changed, 29 insertions(+)
+ create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
+
+diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
+new file mode 100644
+index 000000000..0a21d1ce7
+--- /dev/null
++++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
+@@ -0,0 +1,28 @@
++From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
++From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
++Date: Tue, 15 Feb 2022 12:28:46 -0300
++Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
++
++CVE: CVE-2022-28805
++
++Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa]
++
++Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
++Signed-off-by: Steve Sakoman <steve@sakoman.com>
++---
++ src/lparser.c | 1 +
++ 1 files changed, 1 insertions(+)
++
++diff --git a/src/lparser.c b/src/lparser.c
++index 3abe3d751..a5cd55257 100644
++--- a/src/lparser.c
+++++ b/src/lparser.c
++@@ -300,6 +300,7 @@
++ expdesc key;
++ singlevaraux(fs, ls->envn, var, 1); /* get environment variable */
++ lua_assert(var->k != VVOID); /* this one must exist */
+++ luaK_exp2anyregup(fs, var); /* but could be a constant */
++ codestring(ls, &key, varname); /* key is variable name */
++ luaK_indexed(fs, var, &key); /* env[varname] */
++ }
++
+diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
+index 342ed1b54..0137cc3c5 100644
+--- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
++++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
+@@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
+ file://CVE-2020-15888.patch \
+ file://CVE-2020-15945.patch \
+ file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \
++ file://CVE-2022-28805.patch \
+ "
+
+ # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release.
+--
+2.17.1
+
diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
new file mode 100644
index 000000000..0a21d1ce7
--- /dev/null
+++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
@@ -0,0 +1,28 @@
+From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Tue, 15 Feb 2022 12:28:46 -0300
+Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
+
+CVE: CVE-2022-28805
+
+Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa]
+
+Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ src/lparser.c | 1 +
+ 1 files changed, 1 insertions(+)
+
+diff --git a/src/lparser.c b/src/lparser.c
+index 3abe3d751..a5cd55257 100644
+--- a/src/lparser.c
++++ b/src/lparser.c
+@@ -300,6 +300,7 @@
+ expdesc key;
+ singlevaraux(fs, ls->envn, var, 1); /* get environment variable */
+ lua_assert(var->k != VVOID); /* this one must exist */
++ luaK_exp2anyregup(fs, var); /* but could be a constant */
+ codestring(ls, &key, varname); /* key is variable name */
+ luaK_indexed(fs, var, &key); /* env[varname] */
+ }
+
diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
index 342ed1b54..d46d402aa 100644
--- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
+++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
@@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
file://CVE-2020-15888.patch \
file://CVE-2020-15945.patch \
file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \
+ file://CVE-2022-28805.patch \
"
# if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release.
@@ -31,7 +32,7 @@ PACKAGECONFIG ??= "readline"
PACKAGECONFIG[readline] = ",,readline"
UCLIBC_PATCHES += "file://uclibc-pthread.patch"
-SRC_URI_append_libc-uclibc = "${UCLIBC_PATCHES}"
+SRC_URI_append_libc-uclibc = " ${UCLIBC_PATCHES}"
TARGET_CC_ARCH += " -fPIC ${LDFLAGS}"
EXTRA_OEMAKE = "'CC=${CC} -fPIC' 'MYCFLAGS=${CFLAGS} -fPIC' MYLDFLAGS='${LDFLAGS}'"
diff --git a/meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb b/meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb
index 1bee9fe0b..83f6aa0f4 100644
--- a/meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb
+++ b/meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7dd2aad04bb7ca212e69127ba8d58f9f"
DEPENDS += "lua-native lua"
-SRC_URI = "git://github.com/luaposix/luaposix.git;branch=release \
+SRC_URI = "git://github.com/luaposix/luaposix.git;branch=release;protocol=https \
file://0001-fix-avoid-race-condition-between-test-and-mkdir.patch \
"
SRCREV = "8e4902ed81c922ed8f76a7ed85be1eaa3fd7e66d"
diff --git a/meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb b/meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb
index d410dc6e0..90b55ad2d 100644
--- a/meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb
+++ b/meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://NOTICE;md5=7a858c074723608e08614061dc044352 \
PV .= "+git${SRCPV}"
-SRC_URI = "git://github.com/msgpack/msgpack-c \
+SRC_URI = "git://github.com/msgpack/msgpack-c;branch=master;protocol=https \
"
# cpp-3.2.1
SRCREV = "8085ab8721090a447cf98bb802d1406ad7afe420"
diff --git a/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb b/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb
index 21d110aee..5b1e2dfbf 100644
--- a/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb
+++ b/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb
@@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=9db4b73a55a3994384112efcdb37c01f"
DEPENDS = "protobuf-native"
-SRC_URI = "git://github.com/nanopb/nanopb.git"
+SRC_URI = "git://github.com/nanopb/nanopb.git;branch=master;protocol=https"
SRCREV = "70f0de9877b1ce12abc0229d5df84db6349fcbfc"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb b/meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb
index a97eb53c1..62fdecf6f 100644
--- a/meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb
+++ b/meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb
@@ -4,7 +4,7 @@ SECTION = "libs"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE.MIT;md5=b67209a1e36b682a8226de19d265b1e0"
-SRC_URI = "git://github.com/nlohmann/fifo_map.git"
+SRC_URI = "git://github.com/nlohmann/fifo_map.git;branch=master;protocol=https"
PV = "1.0.0+git${SRCPV}"
diff --git a/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb b/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb
index 5766194d2..2749f4497 100644
--- a/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb
+++ b/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb
@@ -4,7 +4,7 @@ SECTION = "libs"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE.MIT;md5=f5f7c71504da070bcf4f090205ce1080"
-SRC_URI = "git://github.com/nlohmann/json.git;nobranch=1 \
+SRC_URI = "git://github.com/nlohmann/json.git;nobranch=1;protocol=https \
file://0001-Templatize-basic_json-ctor-from-json_ref.patch \
file://0001-typo-fix.patch \
"
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_12.21.0.bb b/meta-oe/recipes-devtools/nodejs/nodejs_12.22.12.bb
index b9e382177..8dbdd088e 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_12.21.0.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_12.22.12.bb
@@ -1,7 +1,7 @@
DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript"
HOMEPAGE = "http://nodejs.org"
LICENSE = "MIT & BSD & Artistic-2.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=8c66ff8861d9f96076a7cb61e3d75f54"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=93997aa7a45ba0f25f9c61aaab153ab8"
DEPENDS = "openssl"
DEPENDS_append_class-target = " nodejs-native"
@@ -26,7 +26,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
SRC_URI_append_class-target = " \
file://0002-Using-native-binaries.patch \
"
-SRC_URI[sha256sum] = "052f37ace6f569b513b5a1154b2a45d3c4d8b07d7d7c807b79f1566db61e979d"
+SRC_URI[sha256sum] = "bc42b7f8495b9bfc7f7850dd180bb02a5bdf139cc232b8c6f02a6967e20714f2"
S = "${WORKDIR}/node-v${PV}"
diff --git a/meta-oe/recipes-devtools/openocd/openocd_git.bb b/meta-oe/recipes-devtools/openocd/openocd_git.bb
index e95f1cfa5..9ff23d17a 100644
--- a/meta-oe/recipes-devtools/openocd/openocd_git.bb
+++ b/meta-oe/recipes-devtools/openocd/openocd_git.bb
@@ -5,10 +5,10 @@ DEPENDS = "libusb-compat libftdi"
RDEPENDS_${PN} = "libusb1"
SRC_URI = " \
- git://repo.or.cz/openocd.git;protocol=http;name=openocd \
- git://repo.or.cz/r/git2cl.git;protocol=http;destsuffix=tools/git2cl;name=git2cl \
- git://repo.or.cz/r/jimtcl.git;protocol=http;destsuffix=git/jimtcl;name=jimtcl \
- git://repo.or.cz/r/libjaylink.git;protocol=http;destsuffix=git/src/jtag/drivers/libjaylink;name=libjaylink \
+ git://repo.or.cz/openocd.git;protocol=http;name=openocd;branch=master \
+ git://repo.or.cz/r/git2cl.git;protocol=http;destsuffix=tools/git2cl;name=git2cl;branch=master \
+ git://repo.or.cz/r/jimtcl.git;protocol=http;destsuffix=git/jimtcl;name=jimtcl;branch=master \
+ git://repo.or.cz/r/libjaylink.git;protocol=http;destsuffix=git/src/jtag/drivers/libjaylink;name=libjaylink;branch=master \
file://0001-Do-not-include-syscrtl.h-with-glibc.patch \
"
diff --git a/meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb b/meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb
index 107d5a8b7..84f6c3ce2 100644
--- a/meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb
+++ b/meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=b234ee4d69f5fce4486a80fdaf4a4263"
COMPATIBLE_HOST = "(x86_64|aarch64|arm)"
SRCREV = "09724edb1783a98da2b7ae53c5aaa87493aabc9b"
-SRC_URI = "git://github.com/billfarrow/pcimem.git "
+SRC_URI = "git://github.com/billfarrow/pcimem.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb b/meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb
index c812ae137..03812e901 100644
--- a/meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb
+++ b/meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb
@@ -9,7 +9,7 @@ LICENSE = "Artistic-1.0 | GPL-1.0+"
LIC_FILES_CHKSUM = "file://LICENSE;md5=0ebd37caf53781e8b7223e6b99b63f4e"
DEPENDS = "perl"
-SRC_URI = "git://github.com/toddr/IPC-Run.git"
+SRC_URI = "git://github.com/toddr/IPC-Run.git;branch=master;protocol=https"
SRCREV = "0b409702490729eeb97ae65f5b94d949ec083134"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb b/meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb
index 049dc665d..760c0ad0a 100644
--- a/meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb
+++ b/meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb
@@ -15,7 +15,7 @@ DEPENDS += "libdev-checklib-perl-native libdbi-perl-native libmysqlclient"
LIC_FILES_CHKSUM = "file://LICENSE;md5=d0a06964340e5c0cde88b7af611f755c"
SRCREV = "9b5b70ea372f49fe9bc9e592dae3870596d1e3d6"
-SRC_URI = "git://github.com/perl5-dbi/DBD-mysql.git;protocol=https"
+SRC_URI = "git://github.com/perl5-dbi/DBD-mysql.git;protocol=https;branch=master"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb b/meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb
index 4e5a8a6ff..29bc99e14 100644
--- a/meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb
+++ b/meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://README;beginline=1171;endline=1176;md5=3be2cb8159d094
DEPENDS += "perl"
-SRC_URI = "git://github.com/makamaka/JSON.git;protocol=https"
+SRC_URI = "git://github.com/makamaka/JSON.git;protocol=https;branch=master"
SRCREV = "42a6324df654e92419512cee80c0b49155d9e56d"
diff --git a/meta-oe/recipes-devtools/php/php_7.4.21.bb b/meta-oe/recipes-devtools/php/php_7.4.33.bb
index c7c00ac30..caaaa2342 100644
--- a/meta-oe/recipes-devtools/php/php_7.4.21.bb
+++ b/meta-oe/recipes-devtools/php/php_7.4.33.bb
@@ -33,7 +33,7 @@ SRC_URI_append_class-target = " \
"
S = "${WORKDIR}/php-${PV}"
-SRC_URI[sha256sum] = "36ec6102e757e2c2b7742057a700bbff77c76fa0ccbe9c860398c3d24e32822a"
+SRC_URI[sha256sum] = "4e8117458fe5a475bf203128726b71bcbba61c42ad463dffadee5667a198a98a"
inherit autotools pkgconfig python3native gettext
diff --git a/meta-oe/recipes-devtools/ply/ply_git.bb b/meta-oe/recipes-devtools/ply/ply_git.bb
index 7d693b36d..bf789488d 100644
--- a/meta-oe/recipes-devtools/ply/ply_git.bb
+++ b/meta-oe/recipes-devtools/ply/ply_git.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
DEPENDS += "bison-native"
-SRC_URI = "git://github.com/iovisor/ply"
+SRC_URI = "git://github.com/iovisor/ply;branch=master;protocol=https"
SRCREV = "aa5b9ac31307ec1acece818be334ef801c802a12"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/pmtools/pmtools_git.bb b/meta-oe/recipes-devtools/pmtools/pmtools_git.bb
index 9afcbbb7f..f605d2c90 100644
--- a/meta-oe/recipes-devtools/pmtools/pmtools_git.bb
+++ b/meta-oe/recipes-devtools/pmtools/pmtools_git.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3"
PV = "20130209+git${SRCPV}"
-SRC_URI = "git://github.com/anyc/pmtools.git \
+SRC_URI = "git://github.com/anyc/pmtools.git;branch=master;protocol=https \
file://pmtools-switch-to-dynamic-buffer-for-huge-ACPI-table.patch \
"
SRCREV = "3ebe0e54c54061b4c627236cbe35d820de2e1168"
diff --git a/meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb b/meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb
index ed8773443..7bc1f23e7 100644
--- a/meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb
+++ b/meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb
@@ -14,7 +14,7 @@ DEPENDS = "protobuf-native protobuf"
SRCREV = "f20a3fa131c275a0e795d99a28f94b4dbbb5af26"
-SRC_URI = "git://github.com/protobuf-c/protobuf-c.git \
+SRC_URI = "git://github.com/protobuf-c/protobuf-c.git;branch=master;protocol=https \
file://0001-avoid-race-condition.patch \
"
diff --git a/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch b/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch
new file mode 100644
index 000000000..bb9594e96
--- /dev/null
+++ b/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch
@@ -0,0 +1,73 @@
+From f5ce0700d80c776186b0fb0414ef20966a3a6a03 Mon Sep 17 00:00:00 2001
+From: "Sana.Kazi" <Sana.Kazi@kpit.com>
+Date: Wed, 23 Feb 2022 15:50:16 +0530
+Subject: [PATCH] protobuf: Fix CVE-2021-22570
+
+CVE: CVE-2021-22570
+Upstream-Status: Backport [https://src.fedoraproject.org/rpms/protobuf/blob/394beeacb500861f76473d47e10314e6a3600810/f/CVE-2021-22570.patch]
+Comment: Removed first and second hunk
+Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com>
+
+---
+ src/google/protobuf/descriptor.cc | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/src/google/protobuf/descriptor.cc b/src/google/protobuf/descriptor.cc
+index 6835a3cde..1514ae531 100644
+--- a/src/google/protobuf/descriptor.cc
++++ b/src/google/protobuf/descriptor.cc
+@@ -2603,6 +2603,8 @@ void Descriptor::DebugString(int depth, std::string* contents,
+ const Descriptor::ReservedRange* range = reserved_range(i);
+ if (range->end == range->start + 1) {
+ strings::SubstituteAndAppend(contents, "$0, ", range->start);
++ } else if (range->end > FieldDescriptor::kMaxNumber) {
++ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
+ } else {
+ strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start,
+ range->end - 1);
+@@ -2815,6 +2817,8 @@ void EnumDescriptor::DebugString(
+ const EnumDescriptor::ReservedRange* range = reserved_range(i);
+ if (range->end == range->start) {
+ strings::SubstituteAndAppend(contents, "$0, ", range->start);
++ } else if (range->end == INT_MAX) {
++ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
+ } else {
+ strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start,
+ range->end);
+@@ -4002,6 +4006,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name,
+ // Use its file as the parent instead.
+ if (parent == nullptr) parent = file_;
+
++ if (full_name.find('\0') != std::string::npos) {
++ AddError(full_name, proto, DescriptorPool::ErrorCollector::NAME,
++ "\"" + full_name + "\" contains null character.");
++ return false;
++ }
+ if (tables_->AddSymbol(full_name, symbol)) {
+ if (!file_tables_->AddAliasUnderParent(parent, name, symbol)) {
+ // This is only possible if there was already an error adding something of
+@@ -4041,6 +4050,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name,
+ void DescriptorBuilder::AddPackage(const std::string& name,
+ const Message& proto,
+ const FileDescriptor* file) {
++ if (name.find('\0') != std::string::npos) {
++ AddError(name, proto, DescriptorPool::ErrorCollector::NAME,
++ "\"" + name + "\" contains null character.");
++ return;
++ }
+ if (tables_->AddSymbol(name, Symbol(file))) {
+ // Success. Also add parent package, if any.
+ std::string::size_type dot_pos = name.find_last_of('.');
+@@ -4354,6 +4368,12 @@ FileDescriptor* DescriptorBuilder::BuildFileImpl(
+ }
+ result->pool_ = pool_;
+
++ if (result->name().find('\0') != std::string::npos) {
++ AddError(result->name(), proto, DescriptorPool::ErrorCollector::NAME,
++ "\"" + result->name() + "\" contains null character.");
++ return nullptr;
++ }
++
+ // Add to tables.
+ if (!tables_->AddFile(result)) {
+ AddError(proto.name(), proto, DescriptorPool::ErrorCollector::OTHER,
diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
index 4d6c5b255..55d56ff08 100644
--- a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
+++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
@@ -12,11 +12,12 @@ DEPENDS_append_class-target = " protobuf-native"
SRCREV = "d0bfd5221182da1a7cc280f3337b5e41a89539cf"
-SRC_URI = "git://github.com/google/protobuf.git;branch=3.11.x \
+SRC_URI = "git://github.com/google/protobuf.git;branch=3.11.x;protocol=https \
file://run-ptest \
file://0001-protobuf-fix-configure-error.patch \
file://0001-Makefile.am-include-descriptor.cc-when-building-libp.patch \
file://0001-examples-Makefile-respect-CXX-LDFLAGS-variables-fix-.patch \
+ file://CVE-2021-22570.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb b/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb
index 5b5c8b257..04ac93e92 100644
--- a/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb
+++ b/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb
@@ -4,7 +4,7 @@ SECTION = "libs"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://license.txt;md5=ba04aa8f65de1396a7e59d1d746c2125"
-SRC_URI = "git://github.com/miloyip/rapidjson.git;nobranch=1"
+SRC_URI = "git://github.com/miloyip/rapidjson.git;nobranch=1;protocol=https"
SRCREV = "0ccdbf364c577803e2a751f5aededce935314313"
diff --git a/meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb b/meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb
index cd5e0a4e5..20cad69b5 100644
--- a/meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb
+++ b/meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "http://git.breakpoint.cc/cgit/bigeasy/serialcheck.git/"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-SRC_URI = "git://git.breakpoint.cc/bigeasy/serialcheck.git \
+SRC_URI = "git://git.breakpoint.cc/bigeasy/serialcheck.git;branch=master \
file://0001-Add-option-to-enable-internal-loopback.patch \
file://0002-Restore-original-loopback-config.patch \
file://0001-Makefile-Change-order-of-link-flags.patch \
diff --git a/meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb b/meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb
index 4a27e4b2a..9d0740556 100644
--- a/meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb
+++ b/meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb
@@ -8,7 +8,7 @@ inherit cmake
DEPENDS += "sqlite3"
SRCREV = "e8a9e9416f421303f4b8970caab26dadf8bae98b"
-SRC_URI = "git://github.com/fnc12/sqlite_orm;protocol=https"
+SRC_URI = "git://github.com/fnc12/sqlite_orm;protocol=https;branch=master"
S = "${WORKDIR}/git"
EXTRA_OECMAKE += "-DSqliteOrm_BuildTests=OFF"
diff --git a/meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb b/meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb
index 46a940803..3280dba49 100644
--- a/meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb
+++ b/meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb
@@ -4,7 +4,7 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://COPYING;md5=0ca8b9c5c5445cfa7af7e78fd27e60ed"
SRCREV = "75f440bcac1276c847f5351e14216f6e91def44d"
-SRC_URI = "git://git.code.sf.net/p/tclap/code \
+SRC_URI = "git://git.code.sf.net/p/tclap/code;branch=master \
file://Makefile.am-disable-docs.patch \
"
diff --git a/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb b/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb
index c33fa048c..a78eecfea 100644
--- a/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb
+++ b/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb
@@ -12,7 +12,7 @@ inherit autotools
# v0.9.4
SRCREV = "d648bbffedef529220896283fb59e35531c13804"
-SRC_URI = "git://github.com/namhyung/${BPN} \
+SRC_URI = "git://github.com/namhyung/${BPN};branch=master;protocol=https \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/valijson/valijson_git.bb b/meta-oe/recipes-devtools/valijson/valijson_git.bb
index c3254d16e..5cff40752 100644
--- a/meta-oe/recipes-devtools/valijson/valijson_git.bb
+++ b/meta-oe/recipes-devtools/valijson/valijson_git.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/tristanpenman/valijson"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=015106c62262b2383f6c72063f0998f2"
-SRC_URI = "git://github.com/tristanpenman/valijson.git"
+SRC_URI = "git://github.com/tristanpenman/valijson.git;branch=master;protocol=https"
PV = "0.1+git${SRCPV}"
SRCREV = "c2f22fddf599d04dc33fcd7ed257c698a05345d9"
diff --git a/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb b/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb
index 6c31b6981..34df70126 100644
--- a/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb
+++ b/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb
@@ -5,7 +5,7 @@ HOMEPAGE = "http://xmlrpc-c.sourceforge.net/"
LICENSE = "BSD & MIT"
LIC_FILES_CHKSUM = "file://doc/COPYING;md5=aefbf81ba0750f02176b6f86752ea951"
-SRC_URI = "git://github.com/mirror/xmlrpc-c.git \
+SRC_URI = "git://github.com/mirror/xmlrpc-c.git;branch=master;protocol=https \
file://0001-test-cpp-server_abyss-Fix-build-with-clang-libc.patch \
file://0002-fix-formatting-issues.patch \
"
diff --git a/meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb b/meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb
index e112a5e30..186f2c8ed 100644
--- a/meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb
+++ b/meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=da2e9aa80962d54e7c726f232a2bd1e8"
# Use 1.0.12 tag
SRCREV = "17b1790fb9c8abbb3c0f7e083864a6a014191d56"
-SRC_URI = "git://github.com/lloyd/yajl;nobranch=1"
+SRC_URI = "git://github.com/lloyd/yajl;nobranch=1;protocol=https"
inherit cmake lib_package
diff --git a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb
index d9a5821cb..cf8dbb183 100644
--- a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb
+++ b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb
@@ -8,7 +8,7 @@ HOMEPAGE = "http://lloyd.github.com/yajl/"
LICENSE = "ISC"
LIC_FILES_CHKSUM = "file://COPYING;md5=39af6eb42999852bdd3ea00ad120a36d"
-SRC_URI = "git://github.com/lloyd/yajl"
+SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https"
SRCREV = "a0ecdde0c042b9256170f2f8890dd9451a4240aa"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/yasm/yasm_git.bb b/meta-oe/recipes-devtools/yasm/yasm_git.bb
index 53856263f..6aae29ad8 100644
--- a/meta-oe/recipes-devtools/yasm/yasm_git.bb
+++ b/meta-oe/recipes-devtools/yasm/yasm_git.bb
@@ -9,7 +9,7 @@ DEPENDS += "flex-native bison-native xmlto-native"
PV = "1.3.0+git${SRCPV}"
# v1.3.0
SRCREV = "ba463d3c26c0ece2e797b8d6381b161633b5971a"
-SRC_URI = "git://github.com/yasm/yasm.git"
+SRC_URI = "git://github.com/yasm/yasm.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch b/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch
new file mode 100644
index 000000000..c21794d14
--- /dev/null
+++ b/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch
@@ -0,0 +1,44 @@
+From 95ab3786ce0f16e08e41f7bf216969a37dc86cad Mon Sep 17 00:00:00 2001
+From: Jan Kraemer <jan@spectrejan.de>
+Date: Thu, 7 Oct 2021 12:48:04 +0200
+Subject: [PATCH] brotli: fix CVE-2020-8927
+
+[No upstream tracking] --
+
+This fixes a potential overflow when input chunk is >2GiB in
+BrotliGetAvailableBits by capping the returned value to 2^30
+
+Fixed in brotli version 1.0.8
+https://github.com/google/brotli as of commit id
+223d80cfbec8fd346e32906c732c8ede21f0cea6
+
+Patch taken from Debian Buster: 1.0.7-2+deb10u1
+http://deb.debian.org/debian/pool/main/b/brotli/brotli_1.0.7-2+deb10u1.dsc
+https://security-tracker.debian.org/tracker/CVE-2020-8927
+
+
+Upstream-Status: Backported
+CVE: CVE-2020-8927
+
+Signed-off-by: Jan Kraemer <jan@spectrejan.de>
+---
+ c/dec/bit_reader.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/c/dec/bit_reader.h b/c/dec/bit_reader.h
+index c06e914..0d20312 100644
+--- a/c/dec/bit_reader.h
++++ b/c/dec/bit_reader.h
+@@ -87,8 +87,11 @@ static BROTLI_INLINE uint32_t BrotliGetAvailableBits(
+ }
+
+ /* Returns amount of unread bytes the bit reader still has buffered from the
+- BrotliInput, including whole bytes in br->val_. */
++ BrotliInput, including whole bytes in br->val_. Result is capped with
++ maximal ring-buffer size (larger number won't be utilized anyway). */
+ static BROTLI_INLINE size_t BrotliGetRemainingBytes(BrotliBitReader* br) {
++ static const size_t kCap = (size_t)1 << 30;
++ if (br->avail_in > kCap) return kCap;
+ return br->avail_in + (BrotliGetAvailableBits(br) >> 3);
+ }
+
diff --git a/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb b/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb
index 70dbcaffb..77fef778a 100644
--- a/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb
+++ b/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb
@@ -6,7 +6,9 @@ BUGTRACKER = "https://github.com/google/brotli/issues"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=941ee9cd1609382f946352712a319b4b"
-SRC_URI = "git://github.com/google/brotli.git"
+SRC_URI = "git://github.com/google/brotli.git;branch=master;protocol=https \
+ file://0001-brotli-fix-CVE-2020-8927.patch \
+ "
# tag 1.0.7
SRCREV= "d6d98957ca8ccb1ef45922e978bb10efca0ea541"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb b/meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb
index 6c71d534b..388feb703 100644
--- a/meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb
+++ b/meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b19ee058d2d5f69af45da98051d91064"
SECTION = "Development/Libraries"
DEPENDS = "swig-native python3 sblim-cmpi-devel"
-SRC_URI = "git://github.com/kkaempf/cmpi-bindings.git;protocol=http \
+SRC_URI = "git://github.com/kkaempf/cmpi-bindings.git;protocol=http;branch=master;protocol=https \
file://cmpi-bindings-0.4.17-no-ruby-perl.patch \
file://cmpi-bindings-0.4.17-sblim-sigsegv.patch \
file://cmpi-bindings-0.9.5-python-lib-dir.patch \
diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.7.bb b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.7.bb
index 842652889..2a045f579 100644
--- a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.7.bb
+++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.7.bb
@@ -14,7 +14,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=8184208060df880fe3137b93eb88aeea"
DEPENDS = "zlib gzip-native json-c"
-SRC_URI = "git://github.com/GENIVI/${BPN}.git;protocol=https \
+SRC_URI = "git://github.com/GENIVI/${BPN}.git;protocol=https;branch=master \
file://0002-Don-t-execute-processes-as-a-specific-user.patch \
file://0004-Modify-systemd-config-directory.patch \
file://317.patch \
diff --git a/meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb b/meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb
index aa55ebf84..162f5aa33 100644
--- a/meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb
+++ b/meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb
@@ -18,7 +18,7 @@ SRCREV = "3dd23e3280f213bacefdf5fcb04857bf52e90917"
PV = "0.6.2+git${SRCPV}"
SRC_URI = "\
- git://github.com/docopt/docopt.cpp.git;protocol=https \
+ git://github.com/docopt/docopt.cpp.git;protocol=https;branch=master \
file://0001-Set-library-VERSION-and-SOVERSION.patch \
"
diff --git a/meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb b/meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb
index 09eab9dcd..eb00092c7 100644
--- a/meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb
+++ b/meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb
@@ -4,7 +4,7 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=5940d39995ea6857d01b8227109c2e9c"
SRCREV = "b1e978e486114797347deefcc03ab12629a13cc3"
-SRC_URI = "git://github.com/Yelp/dumb-init"
+SRC_URI = "git://github.com/Yelp/dumb-init;branch=master;protocol=https"
S = "${WORKDIR}/git"
EXTRA_OEMAKE = "CC='${CC}' CFLAGS='${CFLAGS} ${LDFLAGS}'"
diff --git a/meta-oe/recipes-extended/figlet/figlet_git.bb b/meta-oe/recipes-extended/figlet/figlet_git.bb
index 4611646b9..61b050aac 100644
--- a/meta-oe/recipes-extended/figlet/figlet_git.bb
+++ b/meta-oe/recipes-extended/figlet/figlet_git.bb
@@ -4,7 +4,7 @@ HOMEPAGE = "http://www.figlet.org/"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=1688bcd97b27704f1afcac7336409857"
-SRC_URI = "git://github.com/cmatsuoka/figlet.git \
+SRC_URI = "git://github.com/cmatsuoka/figlet.git;branch=master;protocol=https \
file://0001-build-add-autotools-support-to-allow-easy-cross-comp.patch"
SRCREV = "5bbcd7383a8c3a531299b216b0c734e1495c6db3"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb b/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb
index 926d8851d..b2c41756e 100644
--- a/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb
+++ b/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb
@@ -32,7 +32,7 @@ BBCLASSEXTEND = "native"
DEPENDS_class-native = "readline-native"
PACKAGECONFIG_class-native = ""
-SRC_URI_append_class-native = "file://0001-reduce-build-to-conversion-tools-for-native-build.patch"
+SRC_URI_append_class-native = " file://0001-reduce-build-to-conversion-tools-for-native-build.patch"
do_install_class-native() {
install -d ${D}${bindir}
diff --git a/meta-oe/recipes-extended/haveged/haveged_1.9.13.bb b/meta-oe/recipes-extended/haveged/haveged_1.9.13.bb
index 50326ea2f..19b0d8dbd 100644
--- a/meta-oe/recipes-extended/haveged/haveged_1.9.13.bb
+++ b/meta-oe/recipes-extended/haveged/haveged_1.9.13.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM="file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
# v1.9.9
SRCREV = "1283a65c541c4a83e152024a63faf7b267b9b1cd"
-SRC_URI = "git://github.com/jirka-h/haveged.git \
+SRC_URI = "git://github.com/jirka-h/haveged.git;branch=master;protocol=https \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb b/meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb
index 050b7da3d..c0d1b1b8b 100644
--- a/meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb
+++ b/meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb
@@ -6,7 +6,7 @@ DEPENDS = "ncurses"
LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3"
-SRC_URI = "git://github.com/pixel/hexedit.git \
+SRC_URI = "git://github.com/pixel/hexedit.git;branch=master;protocol=https \
"
SRCREV = "800e4b2e6280531a84fd23ee0b48e16baeb90878"
diff --git a/meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb b/meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb
index 29f8de8d2..cee1f342b 100644
--- a/meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb
+++ b/meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb
@@ -6,7 +6,7 @@ DEPENDS = "redis"
LIC_FILES_CHKSUM = "file://COPYING;md5=d84d659a35c666d23233e54503aaea51"
SRCREV = "685030652cd98c5414ce554ff5b356dfe8437870"
-SRC_URI = "git://github.com/redis/hiredis;protocol=git \
+SRC_URI = "git://github.com/redis/hiredis;protocol=https;branch=master \
file://0001-Makefile-remove-hardcoding-of-CC.patch"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/iotop/iotop_0.6.bb b/meta-oe/recipes-extended/iotop/iotop_0.6.bb
index 3a597218d..19af46cb1 100644
--- a/meta-oe/recipes-extended/iotop/iotop_0.6.bb
+++ b/meta-oe/recipes-extended/iotop/iotop_0.6.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4325afd396febcb659c36b49533135d4"
PV .= "+git${SRCPV}"
SRCREV = "1bfb3bc70febb1ffb95146b6dcd65257228099a3"
-SRC_URI = "git://repo.or.cz/iotop.git"
+SRC_URI = "git://repo.or.cz/iotop.git;branch=master"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb b/meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb
index b7899a11b..2f4724a33 100644
--- a/meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb
+++ b/meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb
@@ -7,7 +7,7 @@ RDEPENDS_${BPN} = "openssl curl"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b"
-SRC_URI = "git://github.com/rhinstaller/isomd5sum.git;branch=master \
+SRC_URI = "git://github.com/rhinstaller/isomd5sum.git;branch=master;protocol=https \
file://0001-tweak-install-prefix.patch \
file://0002-fix-parallel-error.patch \
"
diff --git a/meta-oe/recipes-extended/jansson/jansson_2.13.1.bb b/meta-oe/recipes-extended/jansson/jansson_2.13.1.bb
index d6e56ea76..7beea9f1e 100644
--- a/meta-oe/recipes-extended/jansson/jansson_2.13.1.bb
+++ b/meta-oe/recipes-extended/jansson/jansson_2.13.1.bb
@@ -11,4 +11,7 @@ SRC_URI[sha256sum] = "f4f377da17b10201a60c1108613e78ee15df6b12016b116b6de42209f4
inherit autotools pkgconfig
+# upstream considers it isn't a real bug https://github.com/akheron/jansson/issues/548
+CVE_CHECK_WHITELIST = "CVE-2020-36325 "
+
BBCLASSEXTEND = "native"
diff --git a/meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb b/meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb
index 50dd74b68..ba1fece05 100644
--- a/meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb
+++ b/meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb
@@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=892f569a555ba9c07a568a7c0c4fa63a"
PV = "2.3.5+git${SRCPV}"
-SRC_URI = "git://github.com/snarlistic/jpnevulator.git;protocol=http"
+SRC_URI = "git://github.com/snarlistic/jpnevulator.git;protocol=http;branch=master;protocol=https"
SRCREV = "c2d857091c0dfed05139ac07ea9b0f36ad259638"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb b/meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb
index e6d5663f8..977aabf04 100644
--- a/meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb
+++ b/meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f673270bfc350d9ce1efc8724c6c1873"
DEPENDS_append_class-target = " swig-native sblim-cmpi-devel python3"
DEPENDS_append_class-native = " cmpi-bindings-native"
-SRC_URI = "git://github.com/rnovacek/konkretcmpi.git \
+SRC_URI = "git://github.com/rnovacek/konkretcmpi.git;branch=master;protocol=https \
file://0001-CMakeLists.txt-fix-lib64-can-not-be-shiped-in-64bit-.patch \
file://0001-drop-including-rpath-cmake-module.patch \
"
diff --git a/meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb b/meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb
index 99cdee5bb..c1023e625 100644
--- a/meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb
+++ b/meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=c07cb499d259452f324bb90c3067d85c"
inherit autotools gobject-introspection
-SRC_URI = "git://github.com/storaged-project/libblockdev;branch=2.x-branch"
+SRC_URI = "git://github.com/storaged-project/libblockdev;branch=2.x-branch;protocol=https"
SRCREV = "f5a4ba8bb298f8cbc435707d0b19b4b2ff836a8e"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/libcec/libcec_git.bb b/meta-oe/recipes-extended/libcec/libcec_git.bb
index 39ceb489e..07320e42b 100644
--- a/meta-oe/recipes-extended/libcec/libcec_git.bb
+++ b/meta-oe/recipes-extended/libcec/libcec_git.bb
@@ -12,7 +12,7 @@ DEPENDS_append_rpi = "${@bb.utils.contains('MACHINE_FEATURES', 'vc4graphics', ''
PV = "5.0.0"
SRCREV = "43bc27fe7be491149e6f57d14110e02abdac2f24"
-SRC_URI = "git://github.com/Pulse-Eight/libcec.git;branch=release \
+SRC_URI = "git://github.com/Pulse-Eight/libcec.git;branch=release;protocol=https \
file://0001-CheckPlatformSupport.cmake-Do-not-hardcode-lib-path.patch \
file://0001-Enhance-reproducibility.patch \
"
diff --git a/meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb b/meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb
index b7c1958ee..e763a701e 100644
--- a/meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb
+++ b/meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb
@@ -11,7 +11,7 @@ inherit autotools pkgconfig
PV = "0.6.0"
SRCREV = "1195abc2f4acc7b10175d570ec73549d0938c83e"
-SRC_URI = "git://github.com/libdivecomputer/libdivecomputer.git;protocol=https \
+SRC_URI = "git://github.com/libdivecomputer/libdivecomputer.git;protocol=https;branch=master \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb b/meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb
index a990deb91..0906e9a64 100644
--- a/meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb
+++ b/meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb
@@ -9,7 +9,7 @@ DEPENDS = "libxml2 glib-2.0 swig python3"
inherit autotools pkgconfig python3native python3targetconfig
SRCREV = "3df02d4d0e9008771e8622fdc10de8333b3f0d85"
-SRC_URI = "git://github.com/libimobiledevice/libplist;protocol=https \
+SRC_URI = "git://github.com/libimobiledevice/libplist;protocol=https;branch=master \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb b/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb
index 36fc5c858..e9c58bf58 100644
--- a/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb
+++ b/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb
@@ -9,7 +9,7 @@ inherit autotools pkgconfig gitpkgv
PKGV = "${GITPKGVTAG}"
SRCREV = "78df9be5fc8222ed53846cb553de9b5d24c85c6c"
-SRC_URI = "git://github.com/libimobiledevice/libusbmuxd;protocol=https"
+SRC_URI = "git://github.com/libimobiledevice/libusbmuxd;protocol=https;branch=master"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb b/meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb
index 7fc599798..bbfee1ff7 100644
--- a/meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb
+++ b/meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=84dcc94da3adb52b53ae4fa38fe49e5d"
inherit cmake pkgconfig
-SRC_URI = "git://github.com/Jacajack/liblightmodbus.git;protocol=https \
+SRC_URI = "git://github.com/Jacajack/liblightmodbus.git;protocol=https;branch=master \
file://0001-cmake-Use-GNUInstallDirs-instead-of-hardcoding-lib-p.patch \
"
SRCREV = "59d2b405f95701e5b04326589786dbb43ce49e81"
diff --git a/meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb b/meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb
index c9d259b1a..29c35caf5 100644
--- a/meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb
+++ b/meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb
@@ -17,7 +17,7 @@ PV = "1.3+git${SRCPV}"
SRCREV = "116219e215858f4af9370171d3ead63baca8fdb4"
-SRC_URI = "git://github.com/thkukuk/libnss_nisplus \
+SRC_URI = "git://github.com/thkukuk/libnss_nisplus;branch=master;protocol=https \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/libqb/libqb_1.0.5.bb b/meta-oe/recipes-extended/libqb/libqb_1.0.5.bb
index cd4019666..dbe03fede 100644
--- a/meta-oe/recipes-extended/libqb/libqb_1.0.5.bb
+++ b/meta-oe/recipes-extended/libqb/libqb_1.0.5.bb
@@ -11,7 +11,7 @@ inherit autotools pkgconfig
# v1.0.5
SRCREV = "d08dbcf08b0da418bce9b5427dfd89522916322a"
-SRC_URI = "git://github.com/ClusterLabs/${BPN}.git;branch=version_1 \
+SRC_URI = "git://github.com/ClusterLabs/${BPN}.git;branch=version_1;protocol=https \
file://0001-build-fix-configure-script-neglecting-re-enable-out-.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/libreport/libreport_2.10.0.bb b/meta-oe/recipes-extended/libreport/libreport_2.10.0.bb
index 4276c4917..24784f77a 100644
--- a/meta-oe/recipes-extended/libreport/libreport_2.10.0.bb
+++ b/meta-oe/recipes-extended/libreport/libreport_2.10.0.bb
@@ -11,7 +11,7 @@ DEPENDS = "xmlrpc-c xmlrpc-c-native intltool-native \
LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
-SRC_URI = "git://github.com/abrt/libreport.git;protocol=https"
+SRC_URI = "git://github.com/abrt/libreport.git;protocol=https;branch=master"
SRC_URI += "file://0001-Makefile.am-remove-doc-and-apidoc.patch \
file://0002-configure.ac-remove-prog-test-of-xmlto-and-asciidoc.patch \
file://0003-without-build-plugins.patch \
diff --git a/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb b/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb
index a081cb17a..27fe0e2c4 100644
--- a/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb
+++ b/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb
@@ -31,4 +31,4 @@ FILES_statgrab-dbg = "${bindir}/.debug/statgrab"
FILES_saidar = "${bindir}/saidar"
FILES_saidar-dbg = "${bindir}/.debug/saidar"
FILES_${PN}-mrtg = "${bindir}/statgrab-make-mrtg-config ${bindir}/statgrab-make-mrtg-index"
-RDEPENDS_${PN}-mrtg_append = "perl statgrab"
+RDEPENDS_${PN}-mrtg_append = " perl statgrab"
diff --git a/meta-oe/recipes-extended/libuio/libuio_0.2.1.bb b/meta-oe/recipes-extended/libuio/libuio_0.2.1.bb
index dd34c180a..0278e55f3 100644
--- a/meta-oe/recipes-extended/libuio/libuio_0.2.1.bb
+++ b/meta-oe/recipes-extended/libuio/libuio_0.2.1.bb
@@ -3,7 +3,7 @@ SECTION = "base"
LICENSE = "GPL-2.0"
LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-SRC_URI = "git://git.code.sf.net/p/libuio/code \
+SRC_URI = "git://git.code.sf.net/p/libuio/code;branch=master \
file://replace_inline_with_static-inline.patch \
file://0001-include-fcntl.h-for-O_RDWR-define.patch \
"
diff --git a/meta-oe/recipes-extended/md5deep/md5deep_git.bb b/meta-oe/recipes-extended/md5deep/md5deep_git.bb
index e8c6864c1..cc31323c3 100644
--- a/meta-oe/recipes-extended/md5deep/md5deep_git.bb
+++ b/meta-oe/recipes-extended/md5deep/md5deep_git.bb
@@ -9,7 +9,7 @@ PV = "4.4+git${SRCPV}"
SRCREV = "877613493ff44807888ce1928129574be393cbb0"
-SRC_URI = "git://github.com/jessek/hashdeep.git \
+SRC_URI = "git://github.com/jessek/hashdeep.git;branch=master;protocol=https \
file://wrong-variable-expansion.patch \
file://0001-Fix-literal-and-identifier-spacing-as-dictated-by-C-.patch \
"
diff --git a/meta-oe/recipes-extended/mraa/mraa_git.bb b/meta-oe/recipes-extended/mraa/mraa_git.bb
index 0b40dcb71..540ef6e12 100644
--- a/meta-oe/recipes-extended/mraa/mraa_git.bb
+++ b/meta-oe/recipes-extended/mraa/mraa_git.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=91e7de50a8d3cf01057f318d72460acd"
SRCREV = "e15ce6fbc76148ba8835adc92196b0d0a3f245e7"
PV = "2.1.0+git${SRCPV}"
-SRC_URI = "git://github.com/eclipse/${BPN}.git;protocol=http \
+SRC_URI = "git://github.com/eclipse/${BPN}.git;protocol=http;branch=master;protocol=https \
file://0001-cmake-Use-a-regular-expression-to-match-x86-architec.patch \
"
diff --git a/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb b/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb
index 9d5a2307e..f635a9b13 100644
--- a/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb
+++ b/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb
@@ -17,7 +17,7 @@ REQUIRED_DISTRO_FEATURES = "pam"
SRCREV = "d8eba6cb6682b59d84ca1da67a523520b879ade6"
-SRC_URI = "git://github.com/Openwsman/openwsman.git \
+SRC_URI = "git://github.com/Openwsman/openwsman.git;branch=master;protocol=https \
file://libssl-is-required-if-eventint-supported.patch \
file://openwsmand.service \
file://0001-lock.c-Define-PTHREAD_MUTEX_RECURSIVE_NP-if-undefine.patch \
diff --git a/meta-oe/recipes-extended/ostree/ostree_2020.3.bb b/meta-oe/recipes-extended/ostree/ostree_2020.3.bb
index c1f43feb6..5b0171d8c 100644
--- a/meta-oe/recipes-extended/ostree/ostree_2020.3.bb
+++ b/meta-oe/recipes-extended/ostree/ostree_2020.3.bb
@@ -22,7 +22,7 @@ DEPENDS = " \
PREMIRRORS = ""
SRC_URI = " \
- gitsm://github.com/ostreedev/ostree;branch=main \
+ gitsm://github.com/ostreedev/ostree;branch=main;protocol=https \
file://run-ptest \
"
SRCREV = "6ed48234ba579ff73eb128af237212b0a00f2057"
@@ -181,7 +181,7 @@ RDEPENDS_${PN}-ptest += " \
"
RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-utils glibc-localedata-en-us"
-RRECOMMENDS_${PN} += "kernel-module-overlay"
+RRECOMMENDS_${PN}_append_class-target = " kernel-module-overlay"
SYSTEMD_SERVICE_${PN} = "ostree-remount.service ostree-finalize-staged.path"
SYSTEMD_SERVICE_${PN}-switchroot = "ostree-prepare-root.service"
diff --git a/meta-oe/recipes-extended/p7zip/files/CVE-2016-9296.patch b/meta-oe/recipes-extended/p7zip/files/CVE-2016-9296.patch
new file mode 100644
index 000000000..98e186cbf
--- /dev/null
+++ b/meta-oe/recipes-extended/p7zip/files/CVE-2016-9296.patch
@@ -0,0 +1,27 @@
+p7zip: Update CVE-2016-9296 patch URL.
+From: Robert Luberda <robert@debian.org>
+Date: Sat, 19 Nov 2016 08:48:08 +0100
+Subject: Fix nullptr dereference (CVE-2016-9296)
+
+Patch taken from https://sourceforge.net/p/p7zip/bugs/185/
+This patch file taken from Debian's patch set for p7zip
+
+Upstream-Status: Backport [https://sourceforge.net/p/p7zip/bugs/185/]
+CVE: CVE-2016-9296
+
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+Index: p7zip_16.02/CPP/7zip/Archive/7z/7zIn.cpp
+===================================================================
+--- p7zip_16.02.orig/CPP/7zip/Archive/7z/7zIn.cpp
++++ p7zip_16.02/CPP/7zip/Archive/7z/7zIn.cpp
+@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedS
+ if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
+ ThrowIncorrect();
+ }
+- HeadersSize += folders.PackPositions[folders.NumPackStreams];
++ if (folders.PackPositions)
++ HeadersSize += folders.PackPositions[folders.NumPackStreams];
+ return S_OK;
+ }
+
diff --git a/meta-oe/recipes-extended/p7zip/files/CVE-2018-5996.patch b/meta-oe/recipes-extended/p7zip/files/CVE-2018-5996.patch
new file mode 100644
index 000000000..b6deb5d3a
--- /dev/null
+++ b/meta-oe/recipes-extended/p7zip/files/CVE-2018-5996.patch
@@ -0,0 +1,226 @@
+From: Robert Luberda <robert@debian.org>
+Date: Sun, 28 Jan 2018 23:47:40 +0100
+Subject: CVE-2018-5996
+
+Hopefully fix Memory Corruptions via RAR PPMd (CVE-2018-5996) by
+applying a few changes from 7Zip 18.00-beta.
+
+Bug-Debian: https://bugs.debian.org/#888314
+
+Upstream-Status: Backport [https://sources.debian.org/data/non-free/p/p7zip-rar/16.02-3/debian/patches/06-CVE-2018-5996.patch]
+CVE: CVE-2018-5996
+
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ CPP/7zip/Compress/Rar1Decoder.cpp | 13 +++++++++----
+ CPP/7zip/Compress/Rar1Decoder.h | 1 +
+ CPP/7zip/Compress/Rar2Decoder.cpp | 10 +++++++++-
+ CPP/7zip/Compress/Rar2Decoder.h | 1 +
+ CPP/7zip/Compress/Rar3Decoder.cpp | 23 ++++++++++++++++++++---
+ CPP/7zip/Compress/Rar3Decoder.h | 2 ++
+ 6 files changed, 42 insertions(+), 8 deletions(-)
+
+Index: p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.cpp
+===================================================================
+--- p7zip_16.02.orig/CPP/7zip/Compress/Rar1Decoder.cpp
++++ p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.cpp
+@@ -29,7 +29,7 @@ public:
+ };
+ */
+
+-CDecoder::CDecoder(): m_IsSolid(false) { }
++CDecoder::CDecoder(): m_IsSolid(false), _errorMode(false) { }
+
+ void CDecoder::InitStructures()
+ {
+@@ -406,9 +406,14 @@ HRESULT CDecoder::CodeReal(ISequentialIn
+ InitData();
+ if (!m_IsSolid)
+ {
++ _errorMode = false;
+ InitStructures();
+ InitHuff();
+ }
++
++ if (_errorMode)
++ return S_FALSE;
++
+ if (m_UnpackSize > 0)
+ {
+ GetFlagsBuf();
+@@ -477,9 +482,9 @@ STDMETHODIMP CDecoder::Code(ISequentialI
+ const UInt64 *inSize, const UInt64 *outSize, ICompressProgressInfo *progress)
+ {
+ try { return CodeReal(inStream, outStream, inSize, outSize, progress); }
+- catch(const CInBufferException &e) { return e.ErrorCode; }
+- catch(const CLzOutWindowException &e) { return e.ErrorCode; }
+- catch(...) { return S_FALSE; }
++ catch(const CInBufferException &e) { _errorMode = true; return e.ErrorCode; }
++ catch(const CLzOutWindowException &e) { _errorMode = true; return e.ErrorCode; }
++ catch(...) { _errorMode = true; return S_FALSE; }
+ }
+
+ STDMETHODIMP CDecoder::SetDecoderProperties2(const Byte *data, UInt32 size)
+Index: p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.h
+===================================================================
+--- p7zip_16.02.orig/CPP/7zip/Compress/Rar1Decoder.h
++++ p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.h
+@@ -39,6 +39,7 @@ public:
+
+ Int64 m_UnpackSize;
+ bool m_IsSolid;
++ bool _errorMode;
+
+ UInt32 ReadBits(int numBits);
+ HRESULT CopyBlock(UInt32 distance, UInt32 len);
+Index: p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.cpp
+===================================================================
+--- p7zip_16.02.orig/CPP/7zip/Compress/Rar2Decoder.cpp
++++ p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.cpp
+@@ -80,7 +80,8 @@ static const UInt32 kHistorySize = 1 <<
+ static const UInt32 kWindowReservSize = (1 << 22) + 256;
+
+ CDecoder::CDecoder():
+- m_IsSolid(false)
++ m_IsSolid(false),
++ m_TablesOK(false)
+ {
+ }
+
+@@ -100,6 +101,8 @@ UInt32 CDecoder::ReadBits(unsigned numBi
+
+ bool CDecoder::ReadTables(void)
+ {
++ m_TablesOK = false;
++
+ Byte levelLevels[kLevelTableSize];
+ Byte newLevels[kMaxTableSize];
+ m_AudioMode = (ReadBits(1) == 1);
+@@ -170,6 +173,8 @@ bool CDecoder::ReadTables(void)
+ }
+
+ memcpy(m_LastLevels, newLevels, kMaxTableSize);
++ m_TablesOK = true;
++
+ return true;
+ }
+
+@@ -344,6 +349,9 @@ HRESULT CDecoder::CodeReal(ISequentialIn
+ return S_FALSE;
+ }
+
++ if (!m_TablesOK)
++ return S_FALSE;
++
+ UInt64 startPos = m_OutWindowStream.GetProcessedSize();
+ while (pos < unPackSize)
+ {
+Index: p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.h
+===================================================================
+--- p7zip_16.02.orig/CPP/7zip/Compress/Rar2Decoder.h
++++ p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.h
+@@ -139,6 +139,7 @@ class CDecoder :
+
+ UInt64 m_PackSize;
+ bool m_IsSolid;
++ bool m_TablesOK;
+
+ void InitStructures();
+ UInt32 ReadBits(unsigned numBits);
+Index: p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.cpp
+===================================================================
+--- p7zip_16.02.orig/CPP/7zip/Compress/Rar3Decoder.cpp
++++ p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.cpp
+@@ -92,7 +92,8 @@ CDecoder::CDecoder():
+ _writtenFileSize(0),
+ _vmData(0),
+ _vmCode(0),
+- m_IsSolid(false)
++ m_IsSolid(false),
++ _errorMode(false)
+ {
+ Ppmd7_Construct(&_ppmd);
+ }
+@@ -545,6 +546,9 @@ HRESULT CDecoder::ReadTables(bool &keepD
+ return InitPPM();
+ }
+
++ TablesRead = false;
++ TablesOK = false;
++
+ _lzMode = true;
+ PrevAlignBits = 0;
+ PrevAlignCount = 0;
+@@ -606,6 +610,9 @@ HRESULT CDecoder::ReadTables(bool &keepD
+ }
+ }
+ }
++ if (InputEofError())
++ return S_FALSE;
++
+ TablesRead = true;
+
+ // original code has check here:
+@@ -623,6 +630,9 @@ HRESULT CDecoder::ReadTables(bool &keepD
+ RIF(m_LenDecoder.Build(&newLevels[kMainTableSize + kDistTableSize + kAlignTableSize]));
+
+ memcpy(m_LastLevels, newLevels, kTablesSizesSum);
++
++ TablesOK = true;
++
+ return S_OK;
+ }
+
+@@ -824,7 +834,12 @@ HRESULT CDecoder::CodeReal(ICompressProg
+ PpmEscChar = 2;
+ PpmError = true;
+ InitFilters();
++ _errorMode = false;
+ }
++
++ if (_errorMode)
++ return S_FALSE;
++
+ if (!m_IsSolid || !TablesRead)
+ {
+ bool keepDecompressing;
+@@ -838,6 +853,8 @@ HRESULT CDecoder::CodeReal(ICompressProg
+ bool keepDecompressing;
+ if (_lzMode)
+ {
++ if (!TablesOK)
++ return S_FALSE;
+ RINOK(DecodeLZ(keepDecompressing))
+ }
+ else
+@@ -901,8 +918,8 @@ STDMETHODIMP CDecoder::Code(ISequentialI
+ _unpackSize = outSize ? *outSize : (UInt64)(Int64)-1;
+ return CodeReal(progress);
+ }
+- catch(const CInBufferException &e) { return e.ErrorCode; }
+- catch(...) { return S_FALSE; }
++ catch(const CInBufferException &e) { _errorMode = true; return e.ErrorCode; }
++ catch(...) { _errorMode = true; return S_FALSE; }
+ // CNewException is possible here. But probably CNewException is caused
+ // by error in data stream.
+ }
+Index: p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.h
+===================================================================
+--- p7zip_16.02.orig/CPP/7zip/Compress/Rar3Decoder.h
++++ p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.h
+@@ -192,6 +192,7 @@ class CDecoder:
+ UInt32 _lastFilter;
+
+ bool m_IsSolid;
++ bool _errorMode;
+
+ bool _lzMode;
+ bool _unsupportedFilter;
+@@ -200,6 +201,7 @@ class CDecoder:
+ UInt32 PrevAlignCount;
+
+ bool TablesRead;
++ bool TablesOK;
+
+ CPpmd7 _ppmd;
+ int PpmEscChar;
diff --git a/meta-oe/recipes-extended/p7zip/files/change_numMethods_from_bool_to_unsigned.patch b/meta-oe/recipes-extended/p7zip/files/change_numMethods_from_bool_to_unsigned.patch
new file mode 100644
index 000000000..dcde83e8a
--- /dev/null
+++ b/meta-oe/recipes-extended/p7zip/files/change_numMethods_from_bool_to_unsigned.patch
@@ -0,0 +1,27 @@
+fixes the below error
+
+| ../../../../CPP/7zip/Archive/Wim/WimHandler.cpp: In member function 'virtual LONG NArchive::NWim::CHandler::GetArchiveProperty(PROPID, PROPVARIANT*)':
+| ../../../../CPP/7zip/Archive/Wim/WimHandler.cpp:308:11: error: use of an operand of type 'bool' in 'operator++' is forbidden in C++17
+| 308 | numMethods++;
+| | ^~~~~~~~~~
+| ../../../../CPP/7zip/Archive/Wim/WimHandler.cpp:318:9: error: use of an operand of type 'bool' in 'operator++' is forbidden in C++17
+| 318 | numMethods++;
+
+
+use unsigned instead of bool
+Signed-off-by: Nisha Parrakat <Nisha.Parrakat@kpit.com>
+
+Upstream-Status: Pending
+Index: p7zip_16.02/CPP/7zip/Archive/Wim/WimHandler.cpp
+===================================================================
+--- p7zip_16.02.orig/CPP/7zip/Archive/Wim/WimHandler.cpp
++++ p7zip_16.02/CPP/7zip/Archive/Wim/WimHandler.cpp
+@@ -298,7 +298,7 @@ STDMETHODIMP CHandler::GetArchivePropert
+
+ AString res;
+
+- bool numMethods = 0;
++ unsigned numMethods = 0;
+ for (unsigned i = 0; i < ARRAY_SIZE(k_Methods); i++)
+ {
+ if (methodMask & ((UInt32)1 << i))
diff --git a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb
index 13479a90f..79677c648 100644
--- a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb
+++ b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb
@@ -9,6 +9,9 @@ SRC_URI = "http://downloads.sourceforge.net/p7zip/p7zip/${PV}/p7zip_${PV}_src_al
file://do_not_override_compiler_and_do_not_strip.patch \
file://CVE-2017-17969.patch \
file://0001-Fix-narrowing-errors-Wc-11-narrowing.patch \
+ file://change_numMethods_from_bool_to_unsigned.patch \
+ file://CVE-2018-5996.patch \
+ file://CVE-2016-9296.patch \
"
SRC_URI[md5sum] = "a0128d661cfe7cc8c121e73519c54fbf"
@@ -16,10 +19,26 @@ SRC_URI[sha256sum] = "5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6
S = "${WORKDIR}/${BPN}_${PV}"
+do_compile_append() {
+ oe_runmake 7z
+}
+FILES_${PN} += "${libdir}/* ${bindir}/7z"
+
+FILES_SOLIBSDEV = ""
+INSANE_SKIP_${PN} += "dev-so"
+
do_install() {
install -d ${D}${bindir}
- install -m 0755 ${S}/bin/* ${D}${bindir}
+ install -d ${D}${bindir}/Codecs
+ install -d ${D}${libdir}
+ install -d ${D}${libdir}/Codecs
+ install -m 0755 ${S}/bin/7za ${D}${bindir}
ln -s 7za ${D}${bindir}/7z
+ install -m 0755 ${S}/bin/Codecs/* ${D}${libdir}/Codecs/
+ install -m 0755 ${S}/bin/7z.so ${D}${libdir}/lib7z.so
}
-BBCLASSEXTEND = "native"
+RPROVIDES_${PN} += "lib7z.so()(64bit) 7z lib7z.so"
+RPROVIDES_${PN}-dev += "lib7z.so()(64bit) 7z lib7z.so"
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-oe/recipes-extended/p8platform/p8platform_git.bb b/meta-oe/recipes-extended/p8platform/p8platform_git.bb
index 0690d4ba3..2e52caeff 100644
--- a/meta-oe/recipes-extended/p8platform/p8platform_git.bb
+++ b/meta-oe/recipes-extended/p8platform/p8platform_git.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://src/os.h;md5=752555fa94e82005d45fd201fee5bd33"
PV = "2.1.0.1"
-SRC_URI = "git://github.com/Pulse-Eight/platform.git \
+SRC_URI = "git://github.com/Pulse-Eight/platform.git;branch=master;protocol=https \
file://0001-Make-resulting-cmake-config-relocatable.patch"
SRCREV = "2d90f98620e25f47702c9e848380c0d93f29462b"
diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
index 9838e75ef..5c2af44c7 100644
--- a/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
+++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
@@ -11,7 +11,7 @@ REQUIRED_DISTRO_FEATURES = "pam"
SRCREV = "e2145df09469bf84878e4729b4ecd814efb797d1"
-SRC_URI = "git://github.com/PADL/pam_ccreds"
+SRC_URI = "git://github.com/PADL/pam_ccreds;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb b/meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb
index 626b22fe4..5022300ba 100644
--- a/meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb
+++ b/meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb
@@ -11,7 +11,7 @@ inherit features_check
REQUIRED_DISTRO_FEATURES = "pam"
SRCREV = "84d7b260f1ae6857ae36e014c9a5968e8aa1cbe8"
-SRC_URI = "git://github.com/rmbreak/pam_ldapdb \
+SRC_URI = "git://github.com/rmbreak/pam_ldapdb;branch=master;protocol=https \
file://0001-include-stdexcept-for-std-invalid_argument.patch \
"
diff --git a/meta-oe/recipes-extended/pmdk/pmdk_1.7.bb b/meta-oe/recipes-extended/pmdk/pmdk_1.7.bb
index f5066da0d..5c56a16f4 100644
--- a/meta-oe/recipes-extended/pmdk/pmdk_1.7.bb
+++ b/meta-oe/recipes-extended/pmdk/pmdk_1.7.bb
@@ -11,7 +11,7 @@ DEPENDS_append_libc-musl = " fts"
S = "${WORKDIR}/git"
-SRC_URI = "git://github.com/pmem/pmdk.git \
+SRC_URI = "git://github.com/pmem/pmdk.git;branch=master;protocol=https \
file://0001-jemalloc-jemalloc.cfg-Specify-the-host-when-building.patch \
file://0002-Makefile-Don-t-install-the-docs.patch \
file://0001-os_posix-Use-__FreeBSD__-to-control-secure_getenv-de.patch \
diff --git a/meta-oe/recipes-extended/polkit/files/CVE-2021-4034.patch b/meta-oe/recipes-extended/polkit/files/CVE-2021-4034.patch
new file mode 100644
index 000000000..cab1c83c0
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/files/CVE-2021-4034.patch
@@ -0,0 +1,74 @@
+From ed8b418f1341cf7fc576f6b17de5c6dd4017e034 Mon Sep 17 00:00:00 2001
+From: "Jeremy A. Puhlman" <jpuhlman@mvista.com>
+Date: Thu, 27 Jan 2022 00:01:27 +0000
+Subject: [PATCH] CVE-2021-4034: Local privilege escalation in pkexec due to
+ incorrect handling of argument vector
+
+Upstream-Status: Backport https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
+CVE: CVE-2021-4034
+
+Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
+---
+ src/programs/pkcheck.c | 6 ++++++
+ src/programs/pkexec.c | 21 ++++++++++++++++++++-
+ 2 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
+index f1bb4e1..aff4f60 100644
+--- a/src/programs/pkcheck.c
++++ b/src/programs/pkcheck.c
+@@ -363,6 +363,12 @@ main (int argc, char *argv[])
+ local_agent_handle = NULL;
+ ret = 126;
+
++ if (argc < 1)
++ {
++ help();
++ exit(1);
++ }
++
+ /* Disable remote file access from GIO. */
+ setenv ("GIO_USE_VFS", "local", 1);
+
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 7698c5c..3ff4c58 100644
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -488,6 +488,17 @@ main (int argc, char *argv[])
+ pid_t pid_of_caller;
+ gpointer local_agent_handle;
+
++
++ /*
++ * If 'pkexec' is called wrong, just show help and bail out.
++ */
++ if (argc<1)
++ {
++ clearenv();
++ usage(argc, argv);
++ exit(1);
++ }
++
+ ret = 127;
+ authority = NULL;
+ subject = NULL;
+@@ -636,7 +647,15 @@ main (int argc, char *argv[])
+ goto out;
+ }
+ g_free (path);
+- argv[n] = path = s;
++ path = s;
++
++ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
++ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
++ */
++ if (argv[n] != NULL)
++ {
++ argv[n] = path;
++ }
+ }
+ if (access (path, F_OK) != 0)
+ {
+--
+2.26.2
+
diff --git a/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch b/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch
new file mode 100644
index 000000000..37e0d6063
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch
@@ -0,0 +1,87 @@
+From 41cb093f554da8772362654a128a84dd8a5542a7 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Mon, 21 Feb 2022 08:29:05 +0000
+Subject: [PATCH] CVE-2021-4115 (GHSL-2021-077) fix
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/polkit/polkit/-/commit/41cb093f554da8772362654a128a84dd8a5542a7.patch]
+CVE: CVE-2021-4115
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/polkit/polkitsystembusname.c | 38 ++++++++++++++++++++++++++++----
+ 1 file changed, 34 insertions(+), 4 deletions(-)
+
+diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
+index 8ed1363..2fbf5f1 100644
+--- a/src/polkit/polkitsystembusname.c
++++ b/src/polkit/polkitsystembusname.c
+@@ -62,6 +62,10 @@ enum
+ PROP_NAME,
+ };
+
++
++guint8 dbus_call_respond_fails; // has to be global because of callback
++
++
+ static void subject_iface_init (PolkitSubjectIface *subject_iface);
+
+ G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT,
+@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject *src,
+ if (!v)
+ {
+ data->caught_error = TRUE;
++ dbus_call_respond_fails += 1;
+ }
+ else
+ {
+@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
+ tmp_context = g_main_context_new ();
+ g_main_context_push_thread_default (tmp_context);
+
++ dbus_call_respond_fails = 0;
++
+ /* Do two async calls as it's basically as fast as one sync call.
+ */
+ g_dbus_connection_call (connection,
+@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
+ on_retrieved_unix_uid_pid,
+ &data);
+
+- while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
+- g_main_context_iteration (tmp_context, TRUE);
++ while (TRUE)
++ {
++ /* If one dbus call returns error, we must wait until the other call
++ * calls _call_finish(), otherwise fd leak is possible.
++ * Resolves: GHSL-2021-077
++ */
+
+- if (data.caught_error)
+- goto out;
++ if ( (dbus_call_respond_fails > 1) )
++ {
++ // we got two faults, we can leave
++ goto out;
++ }
++
++ if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid)))
++ {
++ // we got one fault and the other call finally finished, we can leave
++ goto out;
++ }
++
++ if ( !(data.retrieved_uid && data.retrieved_pid) )
++ {
++ g_main_context_iteration (tmp_context, TRUE);
++ }
++ else
++ {
++ break;
++ }
++ }
+
+ if (out_uid)
+ *out_uid = data.uid;
+--
+GitLab
+
diff --git a/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch b/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch
new file mode 100644
index 000000000..76308ffdb
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch
@@ -0,0 +1,33 @@
+From a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Wed, 2 Jun 2021 15:43:38 +0200
+Subject: [PATCH] GHSL-2021-074: authentication bypass vulnerability in polkit
+
+initial values returned if error caught
+
+CVE: CVE-2021-3560
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ src/polkit/polkitsystembusname.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
+index 8daa12c..8ed1363 100644
+--- a/src/polkit/polkitsystembusname.c
++++ b/src/polkit/polkitsystembusname.c
+@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
+ while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
+ g_main_context_iteration (tmp_context, TRUE);
+
++ if (data.caught_error)
++ goto out;
++
+ if (out_uid)
+ *out_uid = data.uid;
+ if (out_pid)
+--
+2.29.2
+
diff --git a/meta-oe/recipes-extended/polkit/polkit_0.116.bb b/meta-oe/recipes-extended/polkit/polkit_0.116.bb
index ad1973b13..dd8e20861 100644
--- a/meta-oe/recipes-extended/polkit/polkit_0.116.bb
+++ b/meta-oe/recipes-extended/polkit/polkit_0.116.bb
@@ -25,6 +25,9 @@ PAM_SRC_URI = "file://polkit-1_pam.patch"
SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.gz \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
file://0003-make-netgroup-support-optional.patch \
+ file://CVE-2021-3560.patch \
+ file://CVE-2021-4034.patch \
+ file://CVE-2021-4115.patch \
"
SRC_URI[md5sum] = "4b37258583393e83069a0e2e89c0162a"
SRC_URI[sha256sum] = "88170c9e711e8db305a12fdb8234fac5706c61969b94e084d0f117d8ec5d34b1"
diff --git a/meta-oe/recipes-extended/redis/redis_5.0.9.bb b/meta-oe/recipes-extended/redis/redis_5.0.14.bb
index d04293369..3d849ec8c 100644
--- a/meta-oe/recipes-extended/redis/redis_5.0.9.bb
+++ b/meta-oe/recipes-extended/redis/redis_5.0.14.bb
@@ -17,8 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
file://GNU_SOURCE.patch \
"
-SRC_URI[md5sum] = "c94523c9f4ee662027ddf90575d0e058"
-SRC_URI[sha256sum] = "53d0ae164cd33536c3d4b720ae9a128ea6166ebf04ff1add3b85f1242090cb85"
+SRC_URI[sha256sum] = "3ea5024766d983249e80d4aa9457c897a9f079957d0fb1f35682df233f997f32"
inherit autotools-brokensep update-rc.d systemd useradd
diff --git a/meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb b/meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb
index 5662e6347..914b12e7c 100644
--- a/meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb
+++ b/meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb
@@ -10,7 +10,7 @@ SRCREV = "56a83f4f52e6745cd4352f9ee008be3183a6dedf"
PV = "1.7.2"
SRC_URI = "\
- git://github.com/oetiker/rrdtool-1.x.git;branch=master;protocol=http; \
+ git://github.com/oetiker/rrdtool-1.x.git;branch=master;protocol=http;protocol=https \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb b/meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb
index b84dde3d3..3b63971e5 100644
--- a/meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb
+++ b/meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a958bb07122368f3e1d9b2efe07d231f"
DEPENDS = ""
-SRC_URI = "git://github.com/rsyslog/libfastjson.git;protocol=https \
+SRC_URI = "git://github.com/rsyslog/libfastjson.git;protocol=https;branch=master \
file://0001-fix-jump-misses-init-gcc-8-warning.patch"
SRCREV = "4758b1caf69ada911ef79e1d80793fe489b98dff"
diff --git a/meta-oe/recipes-extended/rsyslog/librelp_1.5.0.bb b/meta-oe/recipes-extended/rsyslog/librelp_1.5.0.bb
index a4663148c..9da9d7c96 100644
--- a/meta-oe/recipes-extended/rsyslog/librelp_1.5.0.bb
+++ b/meta-oe/recipes-extended/rsyslog/librelp_1.5.0.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=1fb9c10ed9fd6826757615455ca893a9"
DEPENDS = "gmp nettle libidn zlib gnutls openssl"
-SRC_URI = "git://github.com/rsyslog/librelp.git;protocol=https \
+SRC_URI = "git://github.com/rsyslog/librelp.git;protocol=https;branch=master \
"
SRCREV = "0beb2258e12e4131dc31e261078ea53d18f787d7"
diff --git a/meta-oe/recipes-extended/sanlock/sanlock_3.8.0.bb b/meta-oe/recipes-extended/sanlock/sanlock_3.8.0.bb
index ffd46da0a..e720d3e5c 100644
--- a/meta-oe/recipes-extended/sanlock/sanlock_3.8.0.bb
+++ b/meta-oe/recipes-extended/sanlock/sanlock_3.8.0.bb
@@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://../README.license;md5=60487bf0bf429d6b5aa72b6d37a0eb2
PV .= "+git${SRCPV}"
-SRC_URI = "git://pagure.io/sanlock.git;protocol=http \
+SRC_URI = "git://pagure.io/sanlock.git;protocol=http;branch=master \
file://0001-sanlock-Replace-cp-a-with-cp-R-no-dereference-preser.patch;patchdir=../ \
"
SRCREV = "cff348800722f7dadf030ffe7494c2df714996e3"
diff --git a/meta-oe/recipes-extended/sedutil/sedutil_git.bb b/meta-oe/recipes-extended/sedutil/sedutil_git.bb
index 765618433..03446c324 100644
--- a/meta-oe/recipes-extended/sedutil/sedutil_git.bb
+++ b/meta-oe/recipes-extended/sedutil/sedutil_git.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://Common/LICENSE.txt;md5=d32239bcb673463ab874e80d47fae5
BASEPV = "1.15.1"
PV = "${BASEPV}+git${SRCPV}"
SRCREV = "358cc758948be788284d5faba46ccf4cc1813796"
-SRC_URI = "git://github.com/Drive-Trust-Alliance/sedutil.git \
+SRC_URI = "git://github.com/Drive-Trust-Alliance/sedutil.git;branch=master;protocol=https \
file://0001-Fix-build-on-big-endian-architectures.patch \
"
diff --git a/meta-oe/recipes-extended/socketcan/can-isotp_git.bb b/meta-oe/recipes-extended/socketcan/can-isotp_git.bb
index e40e1cd26..7d016bc96 100644
--- a/meta-oe/recipes-extended/socketcan/can-isotp_git.bb
+++ b/meta-oe/recipes-extended/socketcan/can-isotp_git.bb
@@ -3,7 +3,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=72d977d697c3c05830fdff00a7448931"
SRCREV = "b31bce98d65f894aad6427bcf6f3f7822e261a59"
PV = "1.0+git${SRCPV}"
-SRC_URI = "git://github.com/hartkopp/can-isotp.git;protocol=https"
+SRC_URI = "git://github.com/hartkopp/can-isotp.git;protocol=https;branch=master"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/socketcan/can-utils_git.bb b/meta-oe/recipes-extended/socketcan/can-utils_git.bb
index 519368817..92b38030f 100644
--- a/meta-oe/recipes-extended/socketcan/can-utils_git.bb
+++ b/meta-oe/recipes-extended/socketcan/can-utils_git.bb
@@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://include/linux/can.h;endline=44;md5=a9e1169c6c9a114a61
DEPENDS = "libsocketcan"
-SRC_URI = "git://github.com/linux-can/${BPN}.git;protocol=git"
+SRC_URI = "git://github.com/linux-can/${BPN}.git;protocol=https;branch=master"
SRCREV = "da65fdfe0d1986625ee00af0b56ae17ec132e700"
diff --git a/meta-oe/recipes-extended/socketcan/canutils_4.0.6.bb b/meta-oe/recipes-extended/socketcan/canutils_4.0.6.bb
index e1508af85..56466a6cd 100644
--- a/meta-oe/recipes-extended/socketcan/canutils_4.0.6.bb
+++ b/meta-oe/recipes-extended/socketcan/canutils_4.0.6.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
DEPENDS = "libsocketcan"
SRCREV = "299dff7f5322bf0348dcdd60071958ebedf5f09d"
-SRC_URI = "git://git.pengutronix.de/git/tools/canutils.git;protocol=git \
+SRC_URI = "git://git.pengutronix.de/git/tools/canutils.git;protocol=git;branch=master \
file://0001-canutils-candump-Add-error-frame-s-handling.patch \
"
diff --git a/meta-oe/recipes-extended/socketcan/libsocketcan_0.0.11.bb b/meta-oe/recipes-extended/socketcan/libsocketcan_0.0.11.bb
index 0debe47e0..6a44cff93 100644
--- a/meta-oe/recipes-extended/socketcan/libsocketcan_0.0.11.bb
+++ b/meta-oe/recipes-extended/socketcan/libsocketcan_0.0.11.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://src/libsocketcan.c;beginline=3;endline=17;md5=97e38ad
SRCREV = "0ff01ae7e4d271a7b81241e7a7026bfcea0add3f"
-SRC_URI = "git://git.pengutronix.de/git/tools/libsocketcan.git;protocol=git"
+SRC_URI = "git://git.pengutronix.de/git/tools/libsocketcan.git;protocol=git;branch=master"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/sysdig/sysdig_git.bb b/meta-oe/recipes-extended/sysdig/sysdig_git.bb
index 04a022af4..d15ecdb03 100644
--- a/meta-oe/recipes-extended/sysdig/sysdig_git.bb
+++ b/meta-oe/recipes-extended/sysdig/sysdig_git.bb
@@ -18,7 +18,7 @@ JIT_riscv32 = ""
DEPENDS += "lua${JIT} zlib c-ares grpc-native grpc curl ncurses jsoncpp tbb jq openssl elfutils protobuf protobuf-native jq-native"
RDEPENDS_${PN} = "bash"
-SRC_URI = "git://github.com/draios/sysdig.git;branch=dev \
+SRC_URI = "git://github.com/draios/sysdig.git;branch=dev;protocol=https \
file://0001-fix-build-with-LuaJIT-2.1-betas.patch \
file://0001-Fix-build-with-musl-backtrace-APIs-are-glibc-specifi.patch \
file://fix-uint64-const.patch \
diff --git a/meta-oe/recipes-extended/tipcutils/tipcutils_git.bb b/meta-oe/recipes-extended/tipcutils/tipcutils_git.bb
index 637770af2..c9d9fb572 100644
--- a/meta-oe/recipes-extended/tipcutils/tipcutils_git.bb
+++ b/meta-oe/recipes-extended/tipcutils/tipcutils_git.bb
@@ -2,7 +2,7 @@ SUMMARY = "Transparent Inter-Process Communication protocol"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://tipclog/tipc.h;endline=35;md5=985b6ea8735818511d276c1b466cce98"
-SRC_URI = "git://git.code.sf.net/p/tipc/tipcutils \
+SRC_URI = "git://git.code.sf.net/p/tipc/tipcutils;branch=master \
file://0001-include-sys-select.h-for-FD_-definitions.patch \
file://0002-replace-non-standard-uint-with-unsigned-int.patch \
file://0001-multicast_blast-tipcc-Fix-struct-type-for-TIPC_GROUP.patch \
diff --git a/meta-oe/recipes-extended/triggerhappy/triggerhappy_git.bb b/meta-oe/recipes-extended/triggerhappy/triggerhappy_git.bb
index 38ce4f557..c62cef36d 100644
--- a/meta-oe/recipes-extended/triggerhappy/triggerhappy_git.bb
+++ b/meta-oe/recipes-extended/triggerhappy/triggerhappy_git.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
# matches debian/0.5.0-1 tag
SRCREV = "44a173195986d0d853316cb02a58785ded66c12b"
PV = "0.5.0+git${SRCPV}"
-SRC_URI = "git://github.com/wertarbyte/${BPN}.git;branch=debian"
+SRC_URI = "git://github.com/wertarbyte/${BPN}.git;branch=debian;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/upm/upm_git.bb b/meta-oe/recipes-extended/upm/upm_git.bb
index 6a7611f38..7643d13e2 100644
--- a/meta-oe/recipes-extended/upm/upm_git.bb
+++ b/meta-oe/recipes-extended/upm/upm_git.bb
@@ -10,7 +10,7 @@ DEPENDS = "libjpeg-turbo mraa"
SRCREV = "5cf20df96c6b35c19d5b871ba4e319e96b4df72d"
PV = "2.0.0+git${SRCPV}"
-SRC_URI = "git://github.com/eclipse/${BPN}.git;protocol=http \
+SRC_URI = "git://github.com/eclipse/${BPN}.git;protocol=http;branch=master;protocol=https \
file://0001-CMakeLists.txt-Use-SWIG_SUPPORT_FILES-to-find-the-li.patch \
file://0001-Use-stdint-types.patch \
file://0001-initialize-local-variables-before-use.patch \
diff --git a/meta-oe/recipes-extended/wipe/wipe_0.24.bb b/meta-oe/recipes-extended/wipe/wipe_0.24.bb
index 831d514a4..3ccc5afd5 100644
--- a/meta-oe/recipes-extended/wipe/wipe_0.24.bb
+++ b/meta-oe/recipes-extended/wipe/wipe_0.24.bb
@@ -9,7 +9,7 @@ HOMEPAGE = "http://lambda-diode.com/software/wipe/"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://GPL;md5=0636e73ff0215e8d672dc4c32c317bb3"
-SRC_URI = "git://github.com/berke/wipe.git;branch=master \
+SRC_URI = "git://github.com/berke/wipe.git;branch=master;protocol=https \
file://support-cross-compile-for-linux.patch \
file://makefile-add-ldflags.patch \
"
diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets_git.bb b/meta-oe/recipes-extended/wxwidgets/wxwidgets_git.bb
index 06337b79c..8f766ac87 100644
--- a/meta-oe/recipes-extended/wxwidgets/wxwidgets_git.bb
+++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets_git.bb
@@ -21,7 +21,7 @@ DEPENDS += " \
tiff \
"
-SRC_URI = "git://github.com/wxWidgets/wxWidgets.git"
+SRC_URI = "git://github.com/wxWidgets/wxWidgets.git;branch=master;protocol=https"
PV = "3.1.3"
SRCREV= "8a40d23b27ed1c80b5a2ca9f7e8461df4fbc1a31"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/zlog/zlog_1.2.14.bb b/meta-oe/recipes-extended/zlog/zlog_1.2.14.bb
index b94664c33..eddf1ed96 100644
--- a/meta-oe/recipes-extended/zlog/zlog_1.2.14.bb
+++ b/meta-oe/recipes-extended/zlog/zlog_1.2.14.bb
@@ -4,7 +4,7 @@ LICENSE = "LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
SRCREV = "8fc78c3c65cb705953a2f3f9a813c3ef3c8b2270"
-SRC_URI = "git://github.com/HardySimpson/zlog"
+SRC_URI = "git://github.com/HardySimpson/zlog;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/zstd/zstd_1.4.5.bb b/meta-oe/recipes-extended/zstd/zstd_1.4.5.bb
index cd0b471e1..f8fa226f6 100644
--- a/meta-oe/recipes-extended/zstd/zstd_1.4.5.bb
+++ b/meta-oe/recipes-extended/zstd/zstd_1.4.5.bb
@@ -9,7 +9,7 @@ LICENSE = "BSD-3-Clause & GPLv2"
LIC_FILES_CHKSUM = "file://LICENSE;md5=c7f0b161edbe52f5f345a3d1311d0b32 \
file://COPYING;md5=39bba7d2cf0ba1036f2a6e2be52fe3f0"
-SRC_URI = "git://github.com/facebook/zstd.git;nobranch=1 \
+SRC_URI = "git://github.com/facebook/zstd.git;nobranch=1;protocol=https \
file://0001-Fix-legacy-build-after-2103.patch \
"
diff --git a/meta-oe/recipes-gnome/pyxdg/pyxdg_0.26.bb b/meta-oe/recipes-gnome/pyxdg/pyxdg_0.26.bb
index a957c1d67..6fa31c58f 100644
--- a/meta-oe/recipes-gnome/pyxdg/pyxdg_0.26.bb
+++ b/meta-oe/recipes-gnome/pyxdg/pyxdg_0.26.bb
@@ -5,7 +5,7 @@ LICENSE = "LGPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=f30a9716ef3762e3467a2f62bf790f0a"
SRCREV = "7db14dcf4c4305c3859a2d9fcf9f5da2db328330"
-SRC_URI = "git://anongit.freedesktop.org/xdg/pyxdg"
+SRC_URI = "git://anongit.freedesktop.org/xdg/pyxdg;branch=master"
inherit distutils3
diff --git a/meta-oe/recipes-graphics/dietsplash/dietsplash_git.bb b/meta-oe/recipes-graphics/dietsplash/dietsplash_git.bb
index 32f081592..2d13f26a3 100644
--- a/meta-oe/recipes-graphics/dietsplash/dietsplash_git.bb
+++ b/meta-oe/recipes-graphics/dietsplash/dietsplash_git.bb
@@ -8,7 +8,7 @@ PV = "0.3"
PR = "r1"
SRCREV = "ef2e1a390e768e21e6a6268977580ee129a96633"
-SRC_URI = "git://github.com/lucasdemarchi/dietsplash.git \
+SRC_URI = "git://github.com/lucasdemarchi/dietsplash.git;branch=master;protocol=https \
file://0001-configure.ac-Do-not-demand-linker-hash-style.patch \
"
diff --git a/meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb b/meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb
index 007385101..24f8e44d8 100644
--- a/meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb
+++ b/meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb
@@ -3,7 +3,7 @@ LICENSE = "GPLv3"
LIC_FILES_CHKSUM = "file://LICENSE;md5=d32239bcb673463ab874e80d47fae504 \
"
-SRC_URI = "git://github.com/manatools/dnfdragora.git \
+SRC_URI = "git://github.com/manatools/dnfdragora.git;branch=master;protocol=https \
file://0001-disable-build-manpages.patch \
file://0001-Do-not-set-PYTHON_INSTALL_DIR-by-running-python.patch \
file://0001-To-fix-error-when-do_package.patch \
diff --git a/meta-oe/recipes-graphics/fbgrab/fbgrab_1.3.3.bb b/meta-oe/recipes-graphics/fbgrab/fbgrab_1.3.3.bb
index e3dff9191..8036d5f7a 100644
--- a/meta-oe/recipes-graphics/fbgrab/fbgrab_1.3.3.bb
+++ b/meta-oe/recipes-graphics/fbgrab/fbgrab_1.3.3.bb
@@ -4,7 +4,7 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=ea5bed2f60d357618ca161ad539f7c0a"
SECTION = "console/utils"
DEPENDS = "libpng zlib"
-SRC_URI = "git://github.com/GunnarMonell/fbgrab.git;protocol=https"
+SRC_URI = "git://github.com/GunnarMonell/fbgrab.git;protocol=https;branch=master"
SRCREV = "b179e2a42b8a5d72516b9c8d91713c9025cf6044"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb b/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb
index 1863f95f0..8f65da2c1 100644
--- a/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb
+++ b/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb
@@ -15,7 +15,7 @@ REQUIRED_DISTRO_FEATURES_append_class-target = " x11"
# tag 20190801
SRCREV = "ac635b818e38ddb8e7e2e1057330a32b4e25476e"
-SRC_URI = "git://github.com/${BPN}/${BPN}.git \
+SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https \
file://0001-include-sys-select-on-non-glibc-platforms.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb b/meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb
index 3b01a216b..d405cb877 100644
--- a/meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb
+++ b/meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb
@@ -32,7 +32,7 @@ DEPENDS = " \
"
SRC_URI = " \
- git://github.com/fvwmorg/fvwm.git;protocol=https \
+ git://github.com/fvwmorg/fvwm.git;protocol=https;branch=master \
file://0001-Fix-compilation-for-disabled-gnome.patch \
"
diff --git a/meta-oe/recipes-graphics/glm/glm_0.9.9.6.bb b/meta-oe/recipes-graphics/glm/glm_0.9.9.6.bb
index e2f4dbebc..b44f06c55 100644
--- a/meta-oe/recipes-graphics/glm/glm_0.9.9.6.bb
+++ b/meta-oe/recipes-graphics/glm/glm_0.9.9.6.bb
@@ -9,7 +9,7 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://copying.txt;md5=4a735e33f271f57404fda17e80085411"
SRC_URI = " \
- git://github.com/g-truc/glm;branch=master \
+ git://github.com/g-truc/glm;branch=master;protocol=https \
file://0001-Fix-Wimplicit-int-float-conversion-warnings-with-cla.patch \
file://glmConfig.cmake.in \
file://glmConfigVersion.cmake.in \
diff --git a/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb b/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb
index d393ae2a1..72e2f5cc7 100644
--- a/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb
+++ b/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb
@@ -24,7 +24,7 @@ inherit autotools-brokensep pkgconfig gettext
# https://github.com/ellson/MOTHBALLED-graphviz/releases/tag/stable_release_2.40.1
# https://gitlab.com/graphviz/graphviz/-/commit/67cd2e5121379a38e0801cc05cce5033f8a2a609
SRCREV = "67cd2e5121379a38e0801cc05cce5033f8a2a609"
-SRC_URI = "git://gitlab.com/${BPN}/${BPN}.git \
+SRC_URI = "git://gitlab.com/${BPN}/${BPN}.git;branch=master \
file://0001-plugin-pango-Include-freetype-headers-explicitly.patch \
"
# Use native mkdefs
@@ -55,6 +55,17 @@ do_install_append_class-native() {
install -m755 ${B}/lib/gvpr/mkdefs ${D}${bindir}
}
+# create /usr/lib/graphviz/config6
+graphviz_sstate_postinst() {
+ mkdir -p ${SYSROOT_DESTDIR}${bindir}
+ dest=${SYSROOT_DESTDIR}${bindir}/postinst-${PN}
+ echo '#!/bin/sh' > $dest
+ echo '' >> $dest
+ echo 'dot -c' >> $dest
+ chmod 0755 $dest
+}
+SYSROOT_PREPROCESS_FUNCS_append_class-native = " graphviz_sstate_postinst"
+
PACKAGES =+ "${PN}-python ${PN}-perl ${PN}-demo"
FILES_${PN}-python += "${libdir}/python*/site-packages/ ${libdir}/graphviz/python/"
diff --git a/meta-oe/recipes-graphics/jasper/jasper_2.0.16.bb b/meta-oe/recipes-graphics/jasper/jasper_2.0.16.bb
index 1d5a29438..977c0961b 100644
--- a/meta-oe/recipes-graphics/jasper/jasper_2.0.16.bb
+++ b/meta-oe/recipes-graphics/jasper/jasper_2.0.16.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/mdadams/jasper"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=a80440d1d8f17d041c71c7271d6e06eb"
-SRC_URI = "git://github.com/mdadams/jasper.git;protocol=https"
+SRC_URI = "git://github.com/mdadams/jasper.git;protocol=https;branch=master"
SRCREV = "9aef6d91a82a8a6aecb575cbee57f74470603cc2"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.12.bb b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.12.bb
index dfdf82458..7f622c279 100644
--- a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.12.bb
+++ b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.12.bb
@@ -44,7 +44,7 @@ FILES_libvncclient = "${libdir}/libvncclient.*"
inherit cmake
-SRC_URI = "git://github.com/LibVNC/libvncserver"
+SRC_URI = "git://github.com/LibVNC/libvncserver;branch=master;protocol=https"
SRCREV = "1354f7f1bb6962dab209eddb9d6aac1f03408110"
PV .= "+git${SRCPV}"
diff --git a/meta-oe/recipes-graphics/libyui/libyui-ncurses_2.52.0.bb b/meta-oe/recipes-graphics/libyui/libyui-ncurses_2.52.0.bb
index 1a376a469..8fda4b5fb 100644
--- a/meta-oe/recipes-graphics/libyui/libyui-ncurses_2.52.0.bb
+++ b/meta-oe/recipes-graphics/libyui/libyui-ncurses_2.52.0.bb
@@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://COPYING.lgpl-3;md5=e6a600fd5e1d9cbde2d983680233ad02 \
file://COPYING.lgpl-2.1;md5=4fbd65380cdd255951079008b364516c \
"
-SRC_URI = "git://github.com/libyui/libyui-ncurses.git \
+SRC_URI = "git://github.com/libyui/libyui-ncurses.git;branch=master;protocol=https \
file://0003-Simplify-ncurses-finding-module.patch \
"
diff --git a/meta-oe/recipes-graphics/libyui/libyui_3.6.0.bb b/meta-oe/recipes-graphics/libyui/libyui_3.6.0.bb
index f3c112c3b..72a86955e 100644
--- a/meta-oe/recipes-graphics/libyui/libyui_3.6.0.bb
+++ b/meta-oe/recipes-graphics/libyui/libyui_3.6.0.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING.gpl-3;md5=d32239bcb673463ab874e80d47fae504 \
file://COPYING.lgpl-3;md5=e6a600fd5e1d9cbde2d983680233ad02 \
"
-SRC_URI = "git://github.com/libyui/libyui-old.git \
+SRC_URI = "git://github.com/libyui/libyui-old.git;branch=master;protocol=https \
file://0001-Fix-build-with-clang.patch \
file://0001-Use-relative-install-paths-for-CMake.patch \
"
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch
new file mode 100644
index 000000000..98988e686
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch
@@ -0,0 +1,72 @@
+From 21399f6b7d318fcdf4406d5e88723c4922202aa3 Mon Sep 17 00:00:00 2001
+From: Young Xiao <YangX92@hotmail.com>
+Date: Sat, 16 Mar 2019 19:57:27 +0800
+Subject: [PATCH] convertbmp: detect invalid file dimensions early
+
+width/length dimensions read from bmp headers are not necessarily
+valid. For instance they may have been maliciously set to very large
+values with the intention to cause DoS (large memory allocation, stack
+overflow). In these cases we want to detect the invalid size as early
+as possible.
+
+This commit introduces a counter which verifies that the number of
+written bytes corresponds to the advertized width/length.
+
+See commit 8ee335227bbc for details.
+
+Signed-off-by: Young Xiao <YangX92@hotmail.com>
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz]
+CVE: CVE-2019-12973
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ src/bin/jp2/convertbmp.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
+index 0af52f816..ec34f535b 100644
+--- a/src/bin/jp2/convertbmp.c
++++ b/src/bin/jp2/convertbmp.c
+@@ -622,13 +622,13 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
+ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
+ {
+- OPJ_UINT32 x, y;
++ OPJ_UINT32 x, y, written;
+ OPJ_UINT8 *pix;
+ const OPJ_UINT8 *beyond;
+
+ beyond = pData + stride * height;
+ pix = pData;
+- x = y = 0U;
++ x = y = written = 0U;
+ while (y < height) {
+ int c = getc(IN);
+ if (c == EOF) {
+@@ -642,6 +642,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ for (j = 0; (j < c) && (x < width) &&
+ ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
+ *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU));
++ written++;
+ }
+ } else { /* absolute mode */
+ c = getc(IN);
+@@ -671,6 +672,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ c1 = (OPJ_UINT8)getc(IN);
+ }
+ *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU));
++ written++;
+ }
+ if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */
+ getc(IN);
+@@ -678,6 +680,10 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ }
+ }
+ } /* while(y < height) */
++ if (written != width * height) {
++ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
++ return OPJ_FALSE;
++ }
+ return OPJ_TRUE;
+ }
+
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-2.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-2.patch
new file mode 100644
index 000000000..2177bfdbd
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-2.patch
@@ -0,0 +1,86 @@
+From 3aef207f90e937d4931daf6d411e092f76d82e66 Mon Sep 17 00:00:00 2001
+From: Young Xiao <YangX92@hotmail.com>
+Date: Sat, 16 Mar 2019 20:09:59 +0800
+Subject: [PATCH] bmp_read_rle4_data(): avoid potential infinite loop
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz]
+CVE: CVE-2019-12973
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ src/bin/jp2/convertbmp.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
+index ec34f535b..2fc4e9bc4 100644
+--- a/src/bin/jp2/convertbmp.c
++++ b/src/bin/jp2/convertbmp.c
+@@ -632,12 +632,18 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ while (y < height) {
+ int c = getc(IN);
+ if (c == EOF) {
+- break;
++ return OPJ_FALSE;
+ }
+
+ if (c) { /* encoded mode */
+- int j;
+- OPJ_UINT8 c1 = (OPJ_UINT8)getc(IN);
++ int j, c1_int;
++ OPJ_UINT8 c1;
++
++ c1_int = getc(IN);
++ if (c1_int == EOF) {
++ return OPJ_FALSE;
++ }
++ c1 = (OPJ_UINT8)c1_int;
+
+ for (j = 0; (j < c) && (x < width) &&
+ ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
+@@ -647,7 +653,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ } else { /* absolute mode */
+ c = getc(IN);
+ if (c == EOF) {
+- break;
++ return OPJ_FALSE;
+ }
+
+ if (c == 0x00) { /* EOL */
+@@ -658,8 +664,14 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ break;
+ } else if (c == 0x02) { /* MOVE by dxdy */
+ c = getc(IN);
++ if (c == EOF) {
++ return OPJ_FALSE;
++ }
+ x += (OPJ_UINT32)c;
+ c = getc(IN);
++ if (c == EOF) {
++ return OPJ_FALSE;
++ }
+ y += (OPJ_UINT32)c;
+ pix = pData + y * stride + x;
+ } else { /* 03 .. 255 : absolute mode */
+@@ -669,13 +681,21 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+ for (j = 0; (j < c) && (x < width) &&
+ ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
+ if ((j & 1) == 0) {
+- c1 = (OPJ_UINT8)getc(IN);
++ int c1_int;
++ c1_int = getc(IN);
++ if (c1_int == EOF) {
++ return OPJ_FALSE;
++ }
++ c1 = (OPJ_UINT8)c1_int;
+ }
+ *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU));
+ written++;
+ }
+ if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */
+- getc(IN);
++ c = getc(IN);
++ if (c == EOF) {
++ return OPJ_FALSE;
++ }
+ }
+ }
+ }
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-15389.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-15389.patch
new file mode 100644
index 000000000..f22e153b5
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-15389.patch
@@ -0,0 +1,43 @@
+From e8e258ab049240c2dd1f1051b4e773b21e2d3dc0 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 28 Jun 2020 14:19:59 +0200
+Subject: [PATCH] opj_decompress: fix double-free on input directory with mix
+ of valid and invalid images (CVE-2020-15389)
+
+Fixes #1261
+
+Credits to @Ruia-ruia for reporting and analysis.
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz]
+CVE: CVE-2020-15389
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ src/bin/jp2/opj_decompress.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c
+index 7eeb0952f..2634907f0 100644
+--- a/src/bin/jp2/opj_decompress.c
++++ b/src/bin/jp2/opj_decompress.c
+@@ -1316,10 +1316,6 @@ static opj_image_t* upsample_image_components(opj_image_t* original)
+ int main(int argc, char **argv)
+ {
+ opj_decompress_parameters parameters; /* decompression parameters */
+- opj_image_t* image = NULL;
+- opj_stream_t *l_stream = NULL; /* Stream */
+- opj_codec_t* l_codec = NULL; /* Handle to a decompressor */
+- opj_codestream_index_t* cstr_index = NULL;
+
+ OPJ_INT32 num_images, imageno;
+ img_fol_t img_fol;
+@@ -1393,6 +1389,10 @@ int main(int argc, char **argv)
+
+ /*Decoding image one by one*/
+ for (imageno = 0; imageno < num_images ; imageno++) {
++ opj_image_t* image = NULL;
++ opj_stream_t *l_stream = NULL; /* Stream */
++ opj_codec_t* l_codec = NULL; /* Handle to a decompressor */
++ opj_codestream_index_t* cstr_index = NULL;
+
+ if (!parameters.quiet) {
+ fprintf(stderr, "\n");
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-1.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-1.patch
new file mode 100644
index 000000000..da06db6db
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-1.patch
@@ -0,0 +1,29 @@
+From eaa098b59b346cb88e4d10d505061f669d7134fc Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 23 Nov 2020 13:49:05 +0100
+Subject: [PATCH] Encoder: grow buffer size in
+ opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in
+ opj_mqc_flush (fixes #1283)
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz]
+CVE: CVE-2020-27814
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ src/lib/openjp2/tcd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/src/lib/openjp2/tcd.c
++++ b/src/lib/openjp2/tcd.c
+@@ -1235,9 +1235,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_a
+
+ /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
+ /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
++ /* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */
++ /* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */
+ /* TODO: is there a theoretical upper-bound for the compressed code */
+ /* block size ? */
+- l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
++ l_data_size = 26 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+ (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
+
+ if (l_data_size > p_code_block->data_size) {
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-2.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-2.patch
new file mode 100644
index 000000000..9c5894c72
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-2.patch
@@ -0,0 +1,27 @@
+From 15cf3d95814dc931ca0ecb132f81cb152e051bae Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 23 Nov 2020 18:14:02 +0100
+Subject: [PATCH] Encoder: grow again buffer size in
+ opj_tcd_code_block_enc_allocate_data() (fixes #1283)
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz]
+CVE: CVE-2020-27814
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ src/lib/openjp2/tcd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/src/lib/openjp2/tcd.c
++++ b/src/lib/openjp2/tcd.c
+@@ -1237,9 +1237,10 @@ static OPJ_BOOL opj_tcd_code_block_enc_a
+ /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
+ /* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */
+ /* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */
++ /* and +28 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 44) */
+ /* TODO: is there a theoretical upper-bound for the compressed code */
+ /* block size ? */
+- l_data_size = 26 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
++ l_data_size = 28 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+ (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
+
+ if (l_data_size > p_code_block->data_size) {
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-3.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-3.patch
new file mode 100644
index 000000000..1eb030af4
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-3.patch
@@ -0,0 +1,30 @@
+From 649298dcf84b2f20cfe458d887c1591db47372a6 Mon Sep 17 00:00:00 2001
+From: yuan <zodf0055980@gmail.com>
+Date: Wed, 25 Nov 2020 20:41:39 +0800
+Subject: [PATCH] Encoder: grow again buffer size in
+ opj_tcd_code_block_enc_allocate_data() (fixes #1283)
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz]
+CVE: CVE-2020-27814
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ src/lib/openjp2/tcd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/src/lib/openjp2/tcd.c
++++ b/src/lib/openjp2/tcd.c
+@@ -1238,10 +1238,12 @@ static OPJ_BOOL opj_tcd_code_block_enc_a
+ /* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */
+ /* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */
+ /* and +28 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 44) */
++ /* and +33 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4) */
++ /* and +63 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4 -IMF 2K) */
+ /* TODO: is there a theoretical upper-bound for the compressed code */
+ /* block size ? */
+- l_data_size = 28 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+- (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
++ l_data_size = 63 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
++ (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
+
+ if (l_data_size > p_code_block->data_size) {
+ if (p_code_block->data) {
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-4.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-4.patch
new file mode 100644
index 000000000..1c267c313
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-4.patch
@@ -0,0 +1,27 @@
+From 4ce7d285a55d29b79880d0566d4b010fe1907aa9 Mon Sep 17 00:00:00 2001
+From: yuan <zodf0055980@gmail.com>
+Date: Fri, 4 Dec 2020 19:00:22 +0800
+Subject: [PATCH] Encoder: grow again buffer size in
+ opj_tcd_code_block_enc_allocate_data() (fixes #1283)
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz]
+CVE: CVE-2020-27814
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ src/lib/openjp2/tcd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/src/lib/openjp2/tcd.c
++++ b/src/lib/openjp2/tcd.c
+@@ -1240,9 +1240,10 @@ static OPJ_BOOL opj_tcd_code_block_enc_a
+ /* and +28 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 44) */
+ /* and +33 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4) */
+ /* and +63 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4 -IMF 2K) */
++ /* and +74 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4 -n 8 -s 7,7 -I) */
+ /* TODO: is there a theoretical upper-bound for the compressed code */
+ /* block size ? */
+- l_data_size = 63 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
++ l_data_size = 74 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+ (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
+
+ if (l_data_size > p_code_block->data_size) {
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27823.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27823.patch
new file mode 100644
index 000000000..e4373d0d3
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27823.patch
@@ -0,0 +1,29 @@
+From b2072402b7e14d22bba6fb8cde2a1e9996e9a919 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 30 Nov 2020 22:31:51 +0100
+Subject: [PATCH] pngtoimage(): fix wrong computation of x1,y1 if -d option is
+ used, that would result in a heap buffer overflow (fixes #1284)
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz]
+CVE: CVE-2020-27823
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ src/bin/jp2/convertpng.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/bin/jp2/convertpng.c b/src/bin/jp2/convertpng.c
+index 328c91beb..00f596e27 100644
+--- a/src/bin/jp2/convertpng.c
++++ b/src/bin/jp2/convertpng.c
+@@ -223,9 +223,9 @@ opj_image_t *pngtoimage(const char *read_idf, opj_cparameters_t * params)
+ image->x0 = (OPJ_UINT32)params->image_offset_x0;
+ image->y0 = (OPJ_UINT32)params->image_offset_y0;
+ image->x1 = (OPJ_UINT32)(image->x0 + (width - 1) * (OPJ_UINT32)
+- params->subsampling_dx + 1 + image->x0);
++ params->subsampling_dx + 1);
+ image->y1 = (OPJ_UINT32)(image->y0 + (height - 1) * (OPJ_UINT32)
+- params->subsampling_dy + 1 + image->y0);
++ params->subsampling_dy + 1);
+
+ row32s = (OPJ_INT32 *)malloc((size_t)width * nr_comp * sizeof(OPJ_INT32));
+ if (row32s == NULL) {
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27824.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27824.patch
new file mode 100644
index 000000000..5f3deb4dd
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27824.patch
@@ -0,0 +1,24 @@
+From 6daf5f3e1ec6eff03b7982889874a3de6617db8d Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 30 Nov 2020 22:37:07 +0100
+Subject: [PATCH] Encoder: avoid global buffer overflow on irreversible
+ conversion when too many decomposition levels are specified (fixes #1286)
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz]
+CVE: CVE-2020-27824
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ src/lib/openjp2/dwt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/lib/openjp2/dwt.c
++++ b/src/lib/openjp2/dwt.c
+@@ -1293,7 +1293,7 @@ void opj_dwt_calc_explicit_stepsizes(opj
+ if (tccp->qntsty == J2K_CCP_QNTSTY_NOQNT) {
+ stepsize = 1.0;
+ } else {
+- OPJ_FLOAT64 norm = opj_dwt_norms_real[orient][level];
++ OPJ_FLOAT64 norm = opj_dwt_getnorm_real(level, orient);
+ stepsize = (1 << (gain)) / norm;
+ }
+ opj_dwt_encode_stepsize((OPJ_INT32) floor(stepsize * 8192.0),
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27841.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27841.patch
new file mode 100644
index 000000000..db6d12dc2
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27841.patch
@@ -0,0 +1,238 @@
+From 00383e162ae2f8fc951f5745bf1011771acb8dce Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Wed, 2 Dec 2020 14:02:17 +0100
+Subject: [PATCH] pi.c: avoid out of bounds access with POC (refs
+ https://github.com/uclouvain/openjpeg/issues/1293#issuecomment-737122836)
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz]
+CVE: CVE-2020-27841
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ src/lib/openjp2/pi.c | 49 +++++++++++++++++++++++++++++---------------
+ src/lib/openjp2/pi.h | 10 +++++++--
+ src/lib/openjp2/t2.c | 4 ++--
+ 3 files changed, 42 insertions(+), 21 deletions(-)
+
+--- a/src/lib/openjp2/pi.c
++++ b/src/lib/openjp2/pi.c
+@@ -192,10 +192,12 @@ static void opj_get_all_encoding_paramet
+ * @param p_image the image used to initialize the packet iterator (in fact only the number of components is relevant.
+ * @param p_cp the coding parameters.
+ * @param tileno the index of the tile from which creating the packet iterator.
++ * @param manager Event manager
+ */
+ static opj_pi_iterator_t * opj_pi_create(const opj_image_t *p_image,
+ const opj_cp_t *p_cp,
+- OPJ_UINT32 tileno);
++ OPJ_UINT32 tileno,
++ opj_event_mgr_t* manager);
+ /**
+ * FIXME DOC
+ */
+@@ -230,12 +232,6 @@ static OPJ_BOOL opj_pi_check_next_level(
+ ==========================================================
+ */
+
+-static void opj_pi_emit_error(opj_pi_iterator_t * pi, const char* msg)
+-{
+- (void)pi;
+- (void)msg;
+-}
+-
+ static OPJ_BOOL opj_pi_next_lrcp(opj_pi_iterator_t * pi)
+ {
+ opj_pi_comp_t *comp = NULL;
+@@ -272,7 +268,7 @@ static OPJ_BOOL opj_pi_next_lrcp(opj_pi_
+ /* include should be resized when a POC arises, or */
+ /* the POC should be rejected */
+ if (index >= pi->include_size) {
+- opj_pi_emit_error(pi, "Invalid access to pi->include");
++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include");
+ return OPJ_FALSE;
+ }
+ if (!pi->include[index]) {
+@@ -318,7 +314,7 @@ static OPJ_BOOL opj_pi_next_rlcp(opj_pi_
+ index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno *
+ pi->step_c + pi->precno * pi->step_p;
+ if (index >= pi->include_size) {
+- opj_pi_emit_error(pi, "Invalid access to pi->include");
++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include");
+ return OPJ_FALSE;
+ }
+ if (!pi->include[index]) {
+@@ -449,7 +445,7 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_
+ index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno *
+ pi->step_c + pi->precno * pi->step_p;
+ if (index >= pi->include_size) {
+- opj_pi_emit_error(pi, "Invalid access to pi->include");
++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include");
+ return OPJ_FALSE;
+ }
+ if (!pi->include[index]) {
+@@ -473,6 +469,13 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_
+ opj_pi_resolution_t *res = NULL;
+ OPJ_UINT32 index = 0;
+
++ if (pi->poc.compno0 >= pi->numcomps ||
++ pi->poc.compno1 >= pi->numcomps + 1) {
++ opj_event_msg(pi->manager, EVT_ERROR,
++ "opj_pi_next_pcrl(): invalid compno0/compno1");
++ return OPJ_FALSE;
++ }
++
+ if (!pi->first) {
+ comp = &pi->comps[pi->compno];
+ goto LABEL_SKIP;
+@@ -580,7 +583,7 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_
+ index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno *
+ pi->step_c + pi->precno * pi->step_p;
+ if (index >= pi->include_size) {
+- opj_pi_emit_error(pi, "Invalid access to pi->include");
++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include");
+ return OPJ_FALSE;
+ }
+ if (!pi->include[index]) {
+@@ -604,6 +607,13 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_
+ opj_pi_resolution_t *res = NULL;
+ OPJ_UINT32 index = 0;
+
++ if (pi->poc.compno0 >= pi->numcomps ||
++ pi->poc.compno1 >= pi->numcomps + 1) {
++ opj_event_msg(pi->manager, EVT_ERROR,
++ "opj_pi_next_cprl(): invalid compno0/compno1");
++ return OPJ_FALSE;
++ }
++
+ if (!pi->first) {
+ comp = &pi->comps[pi->compno];
+ goto LABEL_SKIP;
+@@ -708,7 +718,7 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_
+ index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno *
+ pi->step_c + pi->precno * pi->step_p;
+ if (index >= pi->include_size) {
+- opj_pi_emit_error(pi, "Invalid access to pi->include");
++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include");
+ return OPJ_FALSE;
+ }
+ if (!pi->include[index]) {
+@@ -981,7 +991,8 @@ static void opj_get_all_encoding_paramet
+
+ static opj_pi_iterator_t * opj_pi_create(const opj_image_t *image,
+ const opj_cp_t *cp,
+- OPJ_UINT32 tileno)
++ OPJ_UINT32 tileno,
++ opj_event_mgr_t* manager)
+ {
+ /* loop*/
+ OPJ_UINT32 pino, compno;
+@@ -1015,6 +1026,8 @@ static opj_pi_iterator_t * opj_pi_create
+ l_current_pi = l_pi;
+ for (pino = 0; pino < l_poc_bound ; ++pino) {
+
++ l_current_pi->manager = manager;
++
+ l_current_pi->comps = (opj_pi_comp_t*) opj_calloc(image->numcomps,
+ sizeof(opj_pi_comp_t));
+ if (! l_current_pi->comps) {
+@@ -1352,7 +1365,8 @@ static OPJ_BOOL opj_pi_check_next_level(
+ */
+ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image,
+ opj_cp_t *p_cp,
+- OPJ_UINT32 p_tile_no)
++ OPJ_UINT32 p_tile_no,
++ opj_event_mgr_t* manager)
+ {
+ OPJ_UINT32 numcomps = p_image->numcomps;
+
+@@ -1407,7 +1421,7 @@ opj_pi_iterator_t *opj_pi_create_decode(
+ }
+
+ /* memory allocation for pi */
+- l_pi = opj_pi_create(p_image, p_cp, p_tile_no);
++ l_pi = opj_pi_create(p_image, p_cp, p_tile_no, manager);
+ if (!l_pi) {
+ opj_free(l_tmp_data);
+ opj_free(l_tmp_ptr);
+@@ -1552,7 +1566,8 @@ opj_pi_iterator_t *opj_pi_create_decode(
+ opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *p_image,
+ opj_cp_t *p_cp,
+ OPJ_UINT32 p_tile_no,
+- J2K_T2_MODE p_t2_mode)
++ J2K_T2_MODE p_t2_mode,
++ opj_event_mgr_t* manager)
+ {
+ OPJ_UINT32 numcomps = p_image->numcomps;
+
+@@ -1606,7 +1621,7 @@ opj_pi_iterator_t *opj_pi_initialise_enc
+ }
+
+ /* memory allocation for pi*/
+- l_pi = opj_pi_create(p_image, p_cp, p_tile_no);
++ l_pi = opj_pi_create(p_image, p_cp, p_tile_no, manager);
+ if (!l_pi) {
+ opj_free(l_tmp_data);
+ opj_free(l_tmp_ptr);
+--- a/src/lib/openjp2/pi.h
++++ b/src/lib/openjp2/pi.h
+@@ -107,6 +107,8 @@ typedef struct opj_pi_iterator {
+ OPJ_INT32 x, y;
+ /** FIXME DOC*/
+ OPJ_UINT32 dx, dy;
++ /** event manager */
++ opj_event_mgr_t* manager;
+ } opj_pi_iterator_t;
+
+ /** @name Exported functions */
+@@ -119,13 +121,15 @@ typedef struct opj_pi_iterator {
+ * @param cp the coding parameters.
+ * @param tileno index of the tile being encoded.
+ * @param t2_mode the type of pass for generating the packet iterator
++ * @param manager Event manager
+ *
+ * @return a list of packet iterator that points to the first packet of the tile (not true).
+ */
+ opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *image,
+ opj_cp_t *cp,
+ OPJ_UINT32 tileno,
+- J2K_T2_MODE t2_mode);
++ J2K_T2_MODE t2_mode,
++ opj_event_mgr_t* manager);
+
+ /**
+ * Updates the encoding parameters of the codec.
+@@ -161,12 +165,14 @@ Create a packet iterator for Decoder
+ @param image Raw image for which the packets will be listed
+ @param cp Coding parameters
+ @param tileno Number that identifies the tile for which to list the packets
++@param manager Event manager
+ @return Returns a packet iterator that points to the first packet of the tile
+ @see opj_pi_destroy
+ */
+ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t * image,
+ opj_cp_t * cp,
+- OPJ_UINT32 tileno);
++ OPJ_UINT32 tileno,
++ opj_event_mgr_t* manager);
+ /**
+ * Destroys a packet iterator array.
+ *
+--- a/src/lib/openjp2/t2.c
++++ b/src/lib/openjp2/t2.c
+@@ -244,7 +244,7 @@ OPJ_BOOL opj_t2_encode_packets(opj_t2_t*
+ l_image->numcomps : 1;
+ OPJ_UINT32 l_nb_pocs = l_tcp->numpocs + 1;
+
+- l_pi = opj_pi_initialise_encode(l_image, l_cp, p_tile_no, p_t2_mode);
++ l_pi = opj_pi_initialise_encode(l_image, l_cp, p_tile_no, p_t2_mode, p_manager);
+ if (!l_pi) {
+ return OPJ_FALSE;
+ }
+@@ -405,7 +405,7 @@ OPJ_BOOL opj_t2_decode_packets(opj_tcd_t
+ #endif
+
+ /* create a packet iterator */
+- l_pi = opj_pi_create_decode(l_image, l_cp, p_tile_no);
++ l_pi = opj_pi_create_decode(l_image, l_cp, p_tile_no, p_manager);
+ if (!l_pi) {
+ return OPJ_FALSE;
+ }
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27842.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27842.patch
new file mode 100644
index 000000000..6984aa860
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27842.patch
@@ -0,0 +1,31 @@
+From fbd30b064f8f9607d500437b6fedc41431fd6cdc Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 1 Dec 2020 19:51:35 +0100
+Subject: [PATCH] opj_t2_encode_packet(): avoid out of bound access of #1294,
+ but likely not the proper fix
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz]
+CVE: CVE-2020-27842
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ src/lib/openjp2/t2.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/src/lib/openjp2/t2.c
++++ b/src/lib/openjp2/t2.c
+@@ -711,6 +711,15 @@ static OPJ_BOOL opj_t2_encode_packet(OPJ
+ continue;
+ }
+
++ /* Avoid out of bounds access of https://github.com/uclouvain/openjpeg/issues/1294 */
++ /* but likely not a proper fix. */
++ if (precno >= res->pw * res->ph) {
++ opj_event_msg(p_manager, EVT_ERROR,
++ "opj_t2_encode_packet(): accessing precno=%u >= %u\n",
++ precno, res->pw * res->ph);
++ return OPJ_FALSE;
++ }
++
+ prc = &band->precincts[precno];
+ opj_tgt_reset(prc->incltree);
+ opj_tgt_reset(prc->imsbtree);
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27843.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27843.patch
new file mode 100644
index 000000000..53c86ea5e
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27843.patch
@@ -0,0 +1,31 @@
+From 38d661a3897052c7ff0b39b30c29cb067e130121 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Wed, 2 Dec 2020 13:13:26 +0100
+Subject: [PATCH] opj_t2_encode_packet(): avoid out of bound access of #1297,
+ but likely not the proper fix
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz]
+CVE: CVE-2020-27843
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ src/lib/openjp2/t2.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/src/lib/openjp2/t2.c
++++ b/src/lib/openjp2/t2.c
+@@ -787,6 +787,15 @@ static OPJ_BOOL opj_t2_encode_packet(OPJ
+ continue;
+ }
+
++ /* Avoid out of bounds access of https://github.com/uclouvain/openjpeg/issues/1297 */
++ /* but likely not a proper fix. */
++ if (precno >= res->pw * res->ph) {
++ opj_event_msg(p_manager, EVT_ERROR,
++ "opj_t2_encode_packet(): accessing precno=%u >= %u\n",
++ precno, res->pw * res->ph);
++ return OPJ_FALSE;
++ }
++
+ prc = &band->precincts[precno];
+ l_nb_blocks = prc->cw * prc->ch;
+ cblk = prc->cblks.enc;
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27845.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27845.patch
new file mode 100644
index 000000000..a1aa49a21
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27845.patch
@@ -0,0 +1,74 @@
+From 8f5aff1dff510a964d3901d0fba281abec98ab63 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Fri, 4 Dec 2020 20:45:25 +0100
+Subject: [PATCH] pi.c: avoid out of bounds access with POC (fixes #1302)
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz]
+CVE: CVE-2020-27845
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ src/lib/openjp2/pi.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- a/src/lib/openjp2/pi.c
++++ b/src/lib/openjp2/pi.c
+@@ -238,6 +238,13 @@ static OPJ_BOOL opj_pi_next_lrcp(opj_pi_
+ opj_pi_resolution_t *res = NULL;
+ OPJ_UINT32 index = 0;
+
++ if (pi->poc.compno0 >= pi->numcomps ||
++ pi->poc.compno1 >= pi->numcomps + 1) {
++ opj_event_msg(pi->manager, EVT_ERROR,
++ "opj_pi_next_lrcp(): invalid compno0/compno1\n");
++ return OPJ_FALSE;
++ }
++
+ if (!pi->first) {
+ comp = &pi->comps[pi->compno];
+ res = &comp->resolutions[pi->resno];
+@@ -291,6 +298,13 @@ static OPJ_BOOL opj_pi_next_rlcp(opj_pi_
+ opj_pi_resolution_t *res = NULL;
+ OPJ_UINT32 index = 0;
+
++ if (pi->poc.compno0 >= pi->numcomps ||
++ pi->poc.compno1 >= pi->numcomps + 1) {
++ opj_event_msg(pi->manager, EVT_ERROR,
++ "opj_pi_next_rlcp(): invalid compno0/compno1\n");
++ return OPJ_FALSE;
++ }
++
+ if (!pi->first) {
+ comp = &pi->comps[pi->compno];
+ res = &comp->resolutions[pi->resno];
+@@ -337,6 +351,13 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_
+ opj_pi_resolution_t *res = NULL;
+ OPJ_UINT32 index = 0;
+
++ if (pi->poc.compno0 >= pi->numcomps ||
++ pi->poc.compno1 >= pi->numcomps + 1) {
++ opj_event_msg(pi->manager, EVT_ERROR,
++ "opj_pi_next_rpcl(): invalid compno0/compno1\n");
++ return OPJ_FALSE;
++ }
++
+ if (!pi->first) {
+ goto LABEL_SKIP;
+ } else {
+@@ -472,7 +493,7 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_
+ if (pi->poc.compno0 >= pi->numcomps ||
+ pi->poc.compno1 >= pi->numcomps + 1) {
+ opj_event_msg(pi->manager, EVT_ERROR,
+- "opj_pi_next_pcrl(): invalid compno0/compno1");
++ "opj_pi_next_pcrl(): invalid compno0/compno1\n");
+ return OPJ_FALSE;
+ }
+
+@@ -610,7 +631,7 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_
+ if (pi->poc.compno0 >= pi->numcomps ||
+ pi->poc.compno1 >= pi->numcomps + 1) {
+ opj_event_msg(pi->manager, EVT_ERROR,
+- "opj_pi_next_cprl(): invalid compno0/compno1");
++ "opj_pi_next_cprl(): invalid compno0/compno1\n");
+ return OPJ_FALSE;
+ }
+
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb
index 42011efa9..9cf513f3f 100644
--- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb
@@ -6,10 +6,23 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=c648878b4840d7babaade1303e7f108c"
DEPENDS = "libpng tiff lcms zlib"
SRC_URI = " \
- git://github.com/uclouvain/openjpeg.git \
+ git://github.com/uclouvain/openjpeg.git;branch=master;protocol=https \
file://0002-Do-not-ask-cmake-to-export-binaries-they-don-t-make-.patch \
+ file://CVE-2019-12973-1.patch \
+ file://CVE-2019-12973-2.patch \
file://CVE-2020-6851.patch \
file://CVE-2020-8112.patch \
+ file://CVE-2020-15389.patch \
+ file://CVE-2020-27814-1.patch \
+ file://CVE-2020-27814-2.patch \
+ file://CVE-2020-27814-3.patch \
+ file://CVE-2020-27814-4.patch \
+ file://CVE-2020-27823.patch \
+ file://CVE-2020-27824.patch \
+ file://CVE-2020-27841.patch \
+ file://CVE-2020-27842.patch \
+ file://CVE-2020-27843.patch \
+ file://CVE-2020-27845.patch \
"
SRCREV = "57096325457f96d8cd07bd3af04fe81d7a2ba788"
S = "${WORKDIR}/git"
@@ -20,3 +33,17 @@ inherit cmake
EXTRA_OECMAKE += "-DOPENJPEG_INSTALL_LIB_DIR=${@d.getVar('baselib').replace('/', '')}"
FILES_${PN} += "${libdir}/openjpeg*"
+
+# This flaw is introduced by
+# https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5
+# but the contents of this patch is not present in openjpeg_2.3.1
+# Hence, it can be whitelisted.
+# https://security-tracker.debian.org/tracker/CVE-2020-27844
+
+CVE_CHECK_WHITELIST += "CVE-2020-27844"
+
+# The CVE description clearly states that j2k_read_ppm_v3 function in openjpeg
+# is affected due to CVE-2015-1239 but in openjpeg_2.3.1 this function is not present.
+# Hence, CVE-2015-1239 does not affect openjpeg_2.3.1
+
+CVE_CHECK_WHITELIST += "CVE-2015-1239"
diff --git a/meta-oe/recipes-graphics/qrencode/qrencode_git.bb b/meta-oe/recipes-graphics/qrencode/qrencode_git.bb
index 108c339bf..3ef4f5959 100644
--- a/meta-oe/recipes-graphics/qrencode/qrencode_git.bb
+++ b/meta-oe/recipes-graphics/qrencode/qrencode_git.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2d5025d4aa3495befef8f17206a5b0a1"
PV = "4.0.1+git${SRCPV}"
SRCREV = "7c83deb8f562ae6013fea4c3e65278df93f98fb7"
-SRC_URI = "git://github.com/fukuchi/libqrencode.git"
+SRC_URI = "git://github.com/fukuchi/libqrencode.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-graphics/renderdoc/renderdoc_1.7.bb b/meta-oe/recipes-graphics/renderdoc/renderdoc_1.7.bb
index 6ea632d06..b20e06a45 100644
--- a/meta-oe/recipes-graphics/renderdoc/renderdoc_1.7.bb
+++ b/meta-oe/recipes-graphics/renderdoc/renderdoc_1.7.bb
@@ -5,7 +5,7 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE.md;md5=df7ea9e196efc7014c124747a0ef9772"
SRCREV = "a56af589d94dc851809fd5344d0ae441da70c1f2"
-SRC_URI = "git://github.com/baldurk/${BPN}.git;protocol=http;branch=v1.x \
+SRC_URI = "git://github.com/baldurk/${BPN}.git;protocol=http;branch=v1.x;protocol=https \
file://0001-renderdoc-use-xxd-instead-of-cross-compiling-shim-bi.patch \
file://0001-Remove-glslang-pool_allocator-setAllocator.patch \
"
diff --git a/meta-oe/recipes-graphics/spir/spirv-shader-generator_git.bb b/meta-oe/recipes-graphics/spir/spirv-shader-generator_git.bb
index b787972da..bf0a5947b 100644
--- a/meta-oe/recipes-graphics/spir/spirv-shader-generator_git.bb
+++ b/meta-oe/recipes-graphics/spir/spirv-shader-generator_git.bb
@@ -6,7 +6,7 @@ SECTION = "graphics"
S = "${WORKDIR}/git"
SRCREV = "ed16b3e69985feaf565efbecea70a1cc2fca2a58"
-SRC_URI = "git://github.com/KhronosGroup/SPIRV-Cross.git \
+SRC_URI = "git://github.com/KhronosGroup/SPIRV-Cross.git;branch=master;protocol=https \
file://0001-Add-install-PHONY-target-in-Makefile.patch \
"
diff --git a/meta-oe/recipes-graphics/spir/spirv-tools_git.bb b/meta-oe/recipes-graphics/spir/spirv-tools_git.bb
index 8e8388e8d..a76c97ad6 100644
--- a/meta-oe/recipes-graphics/spir/spirv-tools_git.bb
+++ b/meta-oe/recipes-graphics/spir/spirv-tools_git.bb
@@ -8,11 +8,11 @@ SECTION = "graphics"
S = "${WORKDIR}/git"
DEST_DIR = "${S}/external"
-SRC_URI = "git://github.com/KhronosGroup/SPIRV-Tools.git;name=spirv-tools \
- git://github.com/KhronosGroup/SPIRV-Headers.git;name=spirv-headers;destsuffix=${DEST_DIR}/spirv-headers \
- git://github.com/google/effcee.git;name=effcee;destsuffix=${DEST_DIR}/effcee \
- git://github.com/google/re2.git;name=re2;destsuffix=${DEST_DIR}/re2 \
- git://github.com/google/googletest.git;name=googletest;destsuffix=${DEST_DIR}/googletest \
+SRC_URI = "git://github.com/KhronosGroup/SPIRV-Tools.git;name=spirv-tools;branch=master;protocol=https \
+ git://github.com/KhronosGroup/SPIRV-Headers.git;name=spirv-headers;destsuffix=${DEST_DIR}/spirv-headers;branch=master;protocol=https \
+ git://github.com/google/effcee.git;name=effcee;destsuffix=${DEST_DIR}/effcee;branch=master;protocol=https \
+ git://github.com/google/re2.git;name=re2;destsuffix=${DEST_DIR}/re2;branch=master;protocol=https \
+ git://github.com/google/googletest.git;name=googletest;destsuffix=${DEST_DIR}/googletest;branch=main;protocol=https \
file://0001-Respect-CMAKE_INSTALL_LIBDIR-in-installed-CMake-file.patch \
file://0001-Avoid-pessimizing-std-move-3124.patch \
"
@@ -21,6 +21,7 @@ SRCREV_spirv-headers = "af64a9e826bf5bb5fcd2434dd71be1e41e922563"
SRCREV_effcee = "cd25ec17e9382f99a895b9ef53ff3c277464d07d"
SRCREV_re2 = "5bd613749fd530b576b890283bfb6bc6ea6246cb"
SRCREV_googletest = "f2fb48c3b3d79a75a88a99fba6576b25d42ec528"
+SRCREV_FORMAT = "spirv-ttols_spirv-headers_effcee_re2_googletest"
inherit cmake python3native
diff --git a/meta-oe/recipes-graphics/tesseract/tesseract-lang_4.0.0.bb b/meta-oe/recipes-graphics/tesseract/tesseract-lang_4.0.0.bb
index 75c2bc00e..9fe61ae9c 100644
--- a/meta-oe/recipes-graphics/tesseract/tesseract-lang_4.0.0.bb
+++ b/meta-oe/recipes-graphics/tesseract/tesseract-lang_4.0.0.bb
@@ -4,7 +4,7 @@ LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://COPYING;md5=9648bd7af63bd3cc4f5ac046d12c49e4"
SRCREV = "590567f20dc044f6948a8e2c61afc714c360ad0e"
-SRC_URI = "git://github.com/tesseract-ocr/tessdata.git"
+SRC_URI = "git://github.com/tesseract-ocr/tessdata.git;branch=main;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-graphics/tesseract/tesseract_git.bb b/meta-oe/recipes-graphics/tesseract/tesseract_git.bb
index 89d09a0f5..70c98372b 100644
--- a/meta-oe/recipes-graphics/tesseract/tesseract_git.bb
+++ b/meta-oe/recipes-graphics/tesseract/tesseract_git.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7ea4f9a43aba9d3c849fe5c203a0ed40"
BRANCH = "3.05"
PV = "${BRANCH}.01+git${SRCPV}"
SRCREV = "215866151e774972c9502282111b998d7a053562"
-SRC_URI = "git://github.com/${BPN}-ocr/${BPN}.git;branch=${BRANCH}"
+SRC_URI = "git://github.com/${BPN}-ocr/${BPN}.git;branch=${BRANCH};protocol=https"
S = "${WORKDIR}/git"
DEPENDS = "leptonica"
diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb
index f97c2b2d6..03b9d6488 100644
--- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb
+++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb
@@ -17,7 +17,7 @@ B = "${S}"
SRCREV = "4739493b635372bd40a34640a719f79fa90e4dba"
-SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.10-branch \
+SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.10-branch;protocol=https \
file://0002-do-not-build-tests-sub-directory.patch \
file://0003-add-missing-dynamic-library-to-FLTK_LIBRARIES.patch \
file://0004-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch \
diff --git a/meta-oe/recipes-graphics/ttf-fonts/ttf-droid_git.bb b/meta-oe/recipes-graphics/ttf-fonts/ttf-droid_git.bb
index 8dba7ee6f..16ac65b1b 100644
--- a/meta-oe/recipes-graphics/ttf-fonts/ttf-droid_git.bb
+++ b/meta-oe/recipes-graphics/ttf-fonts/ttf-droid_git.bb
@@ -8,7 +8,7 @@ SRCREV = "21e6e2de1f0062f949fcc52d0b4559dfa3246e0e"
PV = "0.1+gitr${SRCPV}"
PR = "r3"
-SRC_URI = "git://github.com/android/platform_frameworks_base.git;branch=master"
+SRC_URI = "git://github.com/android/platform_frameworks_base.git;branch=master;protocol=https"
S = "${WORKDIR}/git/data/fonts"
diff --git a/meta-oe/recipes-graphics/ttf-fonts/ttf-lohit_2.bb b/meta-oe/recipes-graphics/ttf-fonts/ttf-lohit_2.bb
index 0af0e91d6..7dde4cc66 100644
--- a/meta-oe/recipes-graphics/ttf-fonts/ttf-lohit_2.bb
+++ b/meta-oe/recipes-graphics/ttf-fonts/ttf-lohit_2.bb
@@ -8,7 +8,7 @@ LICENSE = "OFL-1.1"
LIC_FILES_CHKSUM = "file://OFL.txt;md5=7dfa0a236dc535ad2d2548e6170c4402"
SRCREV = "d678f1b1807ea5602586279e90b5db6d62ed475e"
-SRC_URI = "git://github.com/pravins/lohit.git;branch=master"
+SRC_URI = "git://github.com/pravins/lohit.git;branch=master;protocol=https"
DEPENDS = "fontforge-native"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-graphics/ttf-fonts/ttf-noto-emoji_20190815.bb b/meta-oe/recipes-graphics/ttf-fonts/ttf-noto-emoji_20190815.bb
index e74f7a7f6..1a2f6cb4d 100644
--- a/meta-oe/recipes-graphics/ttf-fonts/ttf-noto-emoji_20190815.bb
+++ b/meta-oe/recipes-graphics/ttf-fonts/ttf-noto-emoji_20190815.bb
@@ -5,7 +5,7 @@ HOMEPAGE = "https://github.com/googlefonts/noto-emoji"
LICENSE = "OFL-1.1"
LIC_FILES_CHKSUM = "file://fonts/LICENSE;md5=55719faa0112708e946b820b24b14097"
-SRC_URI = "git://github.com/googlefonts/noto-emoji;protocol=https"
+SRC_URI = "git://github.com/googlefonts/noto-emoji;protocol=https;branch=master"
SRCREV = "833a43d03246a9325e748a2d783006454d76ff66"
PACKAGES = "${PN}-color ${PN}-regular"
diff --git a/meta-oe/recipes-graphics/unclutter-xfixes/unclutter-xfixes_1.5.bb b/meta-oe/recipes-graphics/unclutter-xfixes/unclutter-xfixes_1.5.bb
index 7e22038f2..427882d32 100644
--- a/meta-oe/recipes-graphics/unclutter-xfixes/unclutter-xfixes_1.5.bb
+++ b/meta-oe/recipes-graphics/unclutter-xfixes/unclutter-xfixes_1.5.bb
@@ -5,7 +5,7 @@ AUTHOR = "Ingo Bürk"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=b25d2c4cca175f44120d1b8e67cb358d"
-SRC_URI = "git://github.com/Airblader/unclutter-xfixes.git \
+SRC_URI = "git://github.com/Airblader/unclutter-xfixes.git;branch=master;protocol=https \
file://0001-build-use-autotools.patch"
SRCREV = "10fd337bb77e4e93c3380f630a0555372778a948"
diff --git a/meta-oe/recipes-graphics/vdpau/libvdpau_1.3.bb b/meta-oe/recipes-graphics/vdpau/libvdpau_1.3.bb
index 240949f55..dd8f41aa5 100644
--- a/meta-oe/recipes-graphics/vdpau/libvdpau_1.3.bb
+++ b/meta-oe/recipes-graphics/vdpau/libvdpau_1.3.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=83af8811a28727a13f04132cc33b7f58"
DEPENDS = "virtual/libx11 libxext xorgproto"
SRCREV = "f57a9904c43ef5d726320c77baa91d0c38361ed4"
-SRC_URI = "git://anongit.freedesktop.org/vdpau/libvdpau"
+SRC_URI = "git://anongit.freedesktop.org/vdpau/libvdpau;branch=master"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb b/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb
index e3a1914fe..fe725879d 100644
--- a/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb
+++ b/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
file://src/x11vnc.h;endline=31;md5=e871a2ad004776794b616822dcab6314"
SRCREV = "4ca006fed80410bd9b061a1519bd5d9366bb0bc8"
-SRC_URI = "git://github.com/LibVNC/x11vnc \
+SRC_URI = "git://github.com/LibVNC/x11vnc;branch=master;protocol=https \
file://starting-fix.patch \
file://0001-misc-Makefile.am-don-t-install-Xdummy-when-configure.patch \
file://0001-Fix-build-on-32bit-arches-with-64bit-time_t.patch \
diff --git a/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch
new file mode 100644
index 000000000..b7a5f297a
--- /dev/null
+++ b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch
@@ -0,0 +1,84 @@
+From 85666286473f2fbb2d4731d4e175f00d7a76e21f Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 21 Jun 2022 10:53:01 +0530
+Subject: [PATCH] CVE-2022-24130
+
+Upstream-Status: Backport [https://github.com/ThomasDickey/xterm-snapshots/commit/1584fc227673264661250d3a8d673c168ac9512d]
+CVE: CVE-2022-24130
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+Description: Cherry-pick sixel graphics fixes from xterm 370d and 370f
+ Check for out-of-bounds condition while drawing sixels, and quit that
+ operation (report by Nick Black, CVE-2022-24130).
+Bug-Debian: https://bugs.debian.org/1004689
+
+---
+ graphics_sixel.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/graphics_sixel.c b/graphics_sixel.c
+index 00ba3ef..6a82295 100644
+--- a/graphics_sixel.c
++++ b/graphics_sixel.c
+@@ -141,7 +141,7 @@ init_sixel_background(Graphic *graphic, SixelContext const *context)
+ graphic->color_registers_used[context->background] = 1;
+ }
+
+-static void
++static Boolean
+ set_sixel(Graphic *graphic, SixelContext const *context, int sixel)
+ {
+ const int mh = graphic->max_height;
+@@ -162,7 +162,10 @@ set_sixel(Graphic *graphic, SixelContext const *context, int sixel)
+ ((color != COLOR_HOLE)
+ ? (unsigned) graphic->color_registers[color].b : 0U)));
+ for (pix = 0; pix < 6; pix++) {
+- if (context->col < mw && context->row + pix < mh) {
++ if (context->col >= 0 &&
++ context->col < mw &&
++ context->row + pix >= 0 &&
++ context->row + pix < mh) {
+ if (sixel & (1 << pix)) {
+ if (context->col + 1 > graphic->actual_width) {
+ graphic->actual_width = context->col + 1;
+@@ -175,8 +178,10 @@ set_sixel(Graphic *graphic, SixelContext const *context, int sixel)
+ }
+ } else {
+ TRACE(("sixel pixel %d out of bounds\n", pix));
++ return False;
+ }
+ }
++ return True;
+ }
+
+ static void
+@@ -451,7 +456,10 @@ parse_sixel(XtermWidget xw, ANSI *params, char const *string)
+ init_sixel_background(graphic, &context);
+ graphic->valid = 1;
+ }
+- set_sixel(graphic, &context, sixel);
++ if (!set_sixel(graphic, &context, sixel)) {
++ context.col = 0;
++ break;
++ }
+ context.col++;
+ } else if (ch == '$') { /* DECGCR */
+ /* ignore DECCRNLM in sixel mode */
+@@ -529,8 +537,12 @@ parse_sixel(XtermWidget xw, ANSI *params, char const *string)
+ graphic->valid = 1;
+ }
+ for (i = 0; i < Pcount; i++) {
+- set_sixel(graphic, &context, sixel);
+- context.col++;
++ if (set_sixel(graphic, &context, sixel)) {
++ context.col++;
++ } else {
++ context.col = 0;
++ break;
++ }
+ }
+ } else if (ch == '#') { /* DECGCI */
+ ANSI color_params;
+--
+2.25.1
+
diff --git a/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-45063.patch b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-45063.patch
new file mode 100644
index 000000000..8d1be3210
--- /dev/null
+++ b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-45063.patch
@@ -0,0 +1,785 @@
+From 787636674918873a091e7a4ef5977263ba982322 Mon Sep 17 00:00:00 2001
+From: "Thomas E. Dickey" <dickey@invisible-island.net>
+Date: Sun, 23 Oct 2022 22:59:52 +0000
+Subject: [PATCH] snapshot of project "xterm", label xterm-374c
+
+Upstream-Status: Backport [https://github.com/ThomasDickey/xterm-snapshots/commit/787636674918873a091e7a4ef5977263ba982322]
+CVE: CVE-2022-45063
+
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ button.c | 16 +--
+ charproc.c | 9 +-
+ doublechr.c | 4 +-
+ fontutils.c | 266 ++++++++++++++++++++++++++-----------------------
+ fontutils.h | 4 +-
+ misc.c | 7 +-
+ screen.c | 2 +-
+ xterm.h | 2 +-
+ xterm.log.html | 6 ++
+ 9 files changed, 164 insertions(+), 152 deletions(-)
+
+diff --git a/button.c b/button.c
+index 66a6181..e05ca50 100644
+--- a/button.c
++++ b/button.c
+@@ -1619,14 +1619,9 @@ static void
+ UnmapSelections(XtermWidget xw)
+ {
+ TScreen *screen = TScreenOf(xw);
+- Cardinal n;
+
+- if (screen->mappedSelect) {
+- for (n = 0; screen->mappedSelect[n] != 0; ++n)
+- free((void *) screen->mappedSelect[n]);
+- free(screen->mappedSelect);
+- screen->mappedSelect = 0;
+- }
++ free(screen->mappedSelect);
++ screen->mappedSelect = 0;
+ }
+
+ /*
+@@ -1662,14 +1657,11 @@ MapSelections(XtermWidget xw, String *params, Cardinal num_params)
+ if ((result = TypeMallocN(String, num_params + 1)) != 0) {
+ result[num_params] = 0;
+ for (j = 0; j < num_params; ++j) {
+- result[j] = x_strdup((isSELECT(params[j])
++ result[j] = (String) (isSELECT(params[j])
+ ? mapTo
+- : params[j]));
++ : params[j]);
+ if (result[j] == 0) {
+ UnmapSelections(xw);
+- while (j != 0) {
+- free((void *) result[--j]);
+- }
+ free(result);
+ result = 0;
+ break;
+diff --git a/charproc.c b/charproc.c
+index 55f0108..b07de4c 100644
+--- a/charproc.c
++++ b/charproc.c
+@@ -12548,7 +12548,6 @@ DoSetSelectedFont(Widget w,
+ Bell(xw, XkbBI_MinorError, 0);
+ } else {
+ Boolean failed = False;
+- int oldFont = TScreenOf(xw)->menu_font_number;
+ char *save = TScreenOf(xw)->SelectFontName();
+ char *val;
+ char *test;
+@@ -12593,10 +12592,6 @@ DoSetSelectedFont(Widget w,
+ failed = True;
+ }
+ if (failed) {
+- (void) xtermLoadFont(xw,
+- xtermFontName(TScreenOf(xw)->MenuFontName(oldFont)),
+- True,
+- oldFont);
+ Bell(xw, XkbBI_MinorError, 0);
+ }
+ free(used);
+@@ -12605,7 +12600,7 @@ DoSetSelectedFont(Widget w,
+ }
+ }
+
+-void
++Bool
+ FindFontSelection(XtermWidget xw, const char *atom_name, Bool justprobe)
+ {
+ TScreen *screen = TScreenOf(xw);
+@@ -12645,7 +12640,7 @@ FindFontSelection(XtermWidget xw, const char *atom_name, Bool justprobe)
+ DoSetSelectedFont, NULL,
+ XtLastTimestampProcessed(XtDisplay(xw)));
+ }
+- return;
++ return (screen->SelectFontName() != NULL) ? True : False;
+ }
+
+ Bool
+diff --git a/doublechr.c b/doublechr.c
+index a60f5bd..f7b6bae 100644
+--- a/doublechr.c
++++ b/doublechr.c
+@@ -294,7 +294,7 @@ xterm_DoubleGC(XTermDraw * params, GC old_gc, int *inxp)
+ temp.flags = (params->attr_flags & BOLD);
+ temp.warn = fwResource;
+
+- if (!xtermOpenFont(params->xw, name, &temp, False)) {
++ if (!xtermOpenFont(params->xw, name, &temp, NULL, False)) {
+ XTermDraw local = *params;
+ char *nname;
+
+@@ -303,7 +303,7 @@ xterm_DoubleGC(XTermDraw * params, GC old_gc, int *inxp)
+ nname = xtermSpecialFont(&local);
+ if (nname != 0) {
+ found = (Boolean) xtermOpenFont(params->xw, nname, &temp,
+- False);
++ NULL, False);
+ free(nname);
+ }
+ } else {
+diff --git a/fontutils.c b/fontutils.c
+index 4b0ef85..d9bfaf8 100644
+--- a/fontutils.c
++++ b/fontutils.c
+@@ -92,9 +92,9 @@
+ }
+
+ #define FREE_FNAME(field) \
+- if (fonts == 0 || myfonts.field != fonts->field) { \
+- FREE_STRING(myfonts.field); \
+- myfonts.field = 0; \
++ if (fonts == 0 || new_fnames.field != fonts->field) { \
++ FREE_STRING(new_fnames.field); \
++ new_fnames.field = 0; \
+ }
+
+ /*
+@@ -573,7 +573,7 @@ open_italic_font(XtermWidget xw, int n, FontNameProperties *fp, XTermFonts * dat
+ if ((name = italic_font_name(fp, slant[pass])) != 0) {
+ TRACE(("open_italic_font %s %s\n",
+ whichFontEnum((VTFontEnum) n), name));
+- if (xtermOpenFont(xw, name, data, False)) {
++ if (xtermOpenFont(xw, name, data, NULL, False)) {
+ result = (data->fs != 0);
+ #if OPT_REPORT_FONTS
+ if (resource.reportFonts) {
+@@ -1006,13 +1006,14 @@ cannotFont(XtermWidget xw, const char *who, const char *tag, const char *name)
+ }
+
+ /*
+- * Open the given font and verify that it is non-empty. Return a null on
++ * Open the given font and verify that it is non-empty. Return false on
+ * failure.
+ */
+ Bool
+ xtermOpenFont(XtermWidget xw,
+ const char *name,
+ XTermFonts * result,
++ XTermFonts * current,
+ Bool force)
+ {
+ Bool code = False;
+@@ -1020,7 +1021,12 @@ xtermOpenFont(XtermWidget xw,
+
+ TRACE(("xtermOpenFont %d:%d '%s'\n",
+ result->warn, xw->misc.fontWarnings, NonNull(name)));
++
+ if (!IsEmpty(name)) {
++ Bool existing = (current != NULL
++ && current->fs != NULL
++ && current->fn != NULL);
++
+ if ((result->fs = XLoadQueryFont(screen->display, name)) != 0) {
+ code = True;
+ if (EmptyFont(result->fs)) {
+@@ -1039,9 +1045,13 @@ xtermOpenFont(XtermWidget xw,
+ } else {
+ TRACE(("xtermOpenFont: cannot load font '%s'\n", name));
+ }
+- if (force) {
++ if (existing) {
++ TRACE(("...continue using font '%s'\n", current->fn));
++ result->fn = x_strdup(current->fn);
++ result->fs = current->fs;
++ } else if (force) {
+ NoFontWarning(result);
+- code = xtermOpenFont(xw, DEFFONT, result, True);
++ code = xtermOpenFont(xw, DEFFONT, result, NULL, True);
+ }
+ }
+ }
+@@ -1289,6 +1299,7 @@ static Bool
+ loadNormFP(XtermWidget xw,
+ char **nameOutP,
+ XTermFonts * infoOut,
++ XTermFonts * current,
+ int fontnum)
+ {
+ Bool status = True;
+@@ -1298,7 +1309,7 @@ loadNormFP(XtermWidget xw,
+ if (!xtermOpenFont(xw,
+ *nameOutP,
+ infoOut,
+- (fontnum == fontMenu_default))) {
++ current, (fontnum == fontMenu_default))) {
+ /*
+ * If we are opening the default font, and it happens to be missing,
+ * force that to the compiled-in default font, e.g., "fixed". If we
+@@ -1333,10 +1344,10 @@ loadBoldFP(XtermWidget xw,
+ if (fp != 0) {
+ NoFontWarning(infoOut);
+ *nameOutP = bold_font_name(fp, fp->average_width);
+- if (!xtermOpenFont(xw, *nameOutP, infoOut, False)) {
++ if (!xtermOpenFont(xw, *nameOutP, infoOut, NULL, False)) {
+ free(*nameOutP);
+ *nameOutP = bold_font_name(fp, -1);
+- xtermOpenFont(xw, *nameOutP, infoOut, False);
++ xtermOpenFont(xw, *nameOutP, infoOut, NULL, False);
+ }
+ TRACE(("...derived bold '%s'\n", NonNull(*nameOutP)));
+ }
+@@ -1354,7 +1365,7 @@ loadBoldFP(XtermWidget xw,
+ TRACE(("...did not get a matching bold font\n"));
+ }
+ free(normal);
+- } else if (!xtermOpenFont(xw, *nameOutP, infoOut, False)) {
++ } else if (!xtermOpenFont(xw, *nameOutP, infoOut, NULL, False)) {
+ xtermCopyFontInfo(infoOut, infoRef);
+ TRACE(("...cannot load bold font '%s'\n", NonNull(*nameOutP)));
+ } else {
+@@ -1408,7 +1419,7 @@ loadWideFP(XtermWidget xw,
+ }
+
+ if (check_fontname(*nameOutP)) {
+- if (xtermOpenFont(xw, *nameOutP, infoOut, False)
++ if (xtermOpenFont(xw, *nameOutP, infoOut, NULL, False)
+ && is_derived_font_name(*nameOutP)
+ && EmptyFont(infoOut->fs)) {
+ xtermCloseFont2(xw, infoOut - fWide, fWide);
+@@ -1452,7 +1463,7 @@ loadWBoldFP(XtermWidget xw,
+
+ if (check_fontname(*nameOutP)) {
+
+- if (xtermOpenFont(xw, *nameOutP, infoOut, False)
++ if (xtermOpenFont(xw, *nameOutP, infoOut, NULL, False)
+ && is_derived_font_name(*nameOutP)
+ && !compatibleWideCounts(wideInfoRef->fs, infoOut->fs)) {
+ xtermCloseFont2(xw, infoOut - fWBold, fWBold);
+@@ -1505,6 +1516,10 @@ loadWBoldFP(XtermWidget xw,
+ }
+ #endif
+
++/*
++ * Load a given bitmap font, along with the bold/wide variants.
++ * Returns nonzero on success.
++ */
+ int
+ xtermLoadFont(XtermWidget xw,
+ const VTFontNames * fonts,
+@@ -1514,33 +1529,37 @@ xtermLoadFont(XtermWidget xw,
+ TScreen *screen = TScreenOf(xw);
+ VTwin *win = WhichVWin(screen);
+
+- VTFontNames myfonts;
+- XTermFonts fnts[fMAX];
++ VTFontNames new_fnames;
++ XTermFonts new_fonts[fMAX];
++ XTermFonts old_fonts[fMAX];
+ char *tmpname = NULL;
+ Boolean proportional = False;
++ Boolean recovered;
++ int code = 0;
+
+- memset(&myfonts, 0, sizeof(myfonts));
+- memset(fnts, 0, sizeof(fnts));
++ memset(&new_fnames, 0, sizeof(new_fnames));
++ memset(new_fonts, 0, sizeof(new_fonts));
++ memcpy(&old_fonts, screen->fnts, sizeof(old_fonts));
+
+ if (fonts != 0)
+- myfonts = *fonts;
+- if (!check_fontname(myfonts.f_n))
+- return 0;
++ new_fnames = *fonts;
++ if (!check_fontname(new_fnames.f_n))
++ return code;
+
+ if (fontnum == fontMenu_fontescape
+- && myfonts.f_n != screen->MenuFontName(fontnum)) {
+- if ((tmpname = x_strdup(myfonts.f_n)) == 0)
+- return 0;
++ && new_fnames.f_n != screen->MenuFontName(fontnum)) {
++ if ((tmpname = x_strdup(new_fnames.f_n)) == 0)
++ return code;
+ }
+
+- TRACE(("Begin Cgs - xtermLoadFont(%s)\n", myfonts.f_n));
++ TRACE(("Begin Cgs - xtermLoadFont(%s)\n", new_fnames.f_n));
+ releaseWindowGCs(xw, win);
+
+ #define DbgResource(name, field, index) \
+ TRACE(("xtermLoadFont #%d "name" %s%s\n", \
+ fontnum, \
+- (fnts[index].warn == fwResource) ? "*" : " ", \
+- NonNull(myfonts.field)))
++ (new_fonts[index].warn == fwResource) ? "*" : " ", \
++ NonNull(new_fnames.field)))
+ DbgResource("normal", f_n, fNorm);
+ DbgResource("bold ", f_b, fBold);
+ #if OPT_WIDE_CHARS
+@@ -1549,16 +1568,17 @@ xtermLoadFont(XtermWidget xw,
+ #endif
+
+ if (!loadNormFP(xw,
+- &myfonts.f_n,
+- &fnts[fNorm],
++ &new_fnames.f_n,
++ &new_fonts[fNorm],
++ &old_fonts[fNorm],
+ fontnum))
+ goto bad;
+
+ if (!loadBoldFP(xw,
+- &myfonts.f_b,
+- &fnts[fBold],
+- myfonts.f_n,
+- &fnts[fNorm],
++ &new_fnames.f_b,
++ &new_fonts[fBold],
++ new_fnames.f_n,
++ &new_fonts[fNorm],
+ fontnum))
+ goto bad;
+
+@@ -1570,20 +1590,20 @@ xtermLoadFont(XtermWidget xw,
+ if_OPT_WIDE_CHARS(screen, {
+
+ if (!loadWideFP(xw,
+- &myfonts.f_w,
+- &fnts[fWide],
+- myfonts.f_n,
+- &fnts[fNorm],
++ &new_fnames.f_w,
++ &new_fonts[fWide],
++ new_fnames.f_n,
++ &new_fonts[fNorm],
+ fontnum))
+ goto bad;
+
+ if (!loadWBoldFP(xw,
+- &myfonts.f_wb,
+- &fnts[fWBold],
+- myfonts.f_w,
+- &fnts[fWide],
+- myfonts.f_b,
+- &fnts[fBold],
++ &new_fnames.f_wb,
++ &new_fonts[fWBold],
++ new_fnames.f_w,
++ &new_fonts[fWide],
++ new_fnames.f_b,
++ &new_fonts[fBold],
+ fontnum))
+ goto bad;
+
+@@ -1593,30 +1613,30 @@ xtermLoadFont(XtermWidget xw,
+ * Normal/bold fonts should be the same width. Also, the min/max
+ * values should be the same.
+ */
+- if (fnts[fNorm].fs != 0
+- && fnts[fBold].fs != 0
+- && (!is_fixed_font(fnts[fNorm].fs)
+- || !is_fixed_font(fnts[fBold].fs)
+- || differing_widths(fnts[fNorm].fs, fnts[fBold].fs))) {
++ if (new_fonts[fNorm].fs != 0
++ && new_fonts[fBold].fs != 0
++ && (!is_fixed_font(new_fonts[fNorm].fs)
++ || !is_fixed_font(new_fonts[fBold].fs)
++ || differing_widths(new_fonts[fNorm].fs, new_fonts[fBold].fs))) {
+ TRACE(("Proportional font! normal %d/%d, bold %d/%d\n",
+- fnts[fNorm].fs->min_bounds.width,
+- fnts[fNorm].fs->max_bounds.width,
+- fnts[fBold].fs->min_bounds.width,
+- fnts[fBold].fs->max_bounds.width));
++ new_fonts[fNorm].fs->min_bounds.width,
++ new_fonts[fNorm].fs->max_bounds.width,
++ new_fonts[fBold].fs->min_bounds.width,
++ new_fonts[fBold].fs->max_bounds.width));
+ proportional = True;
+ }
+
+ if_OPT_WIDE_CHARS(screen, {
+- if (fnts[fWide].fs != 0
+- && fnts[fWBold].fs != 0
+- && (!is_fixed_font(fnts[fWide].fs)
+- || !is_fixed_font(fnts[fWBold].fs)
+- || differing_widths(fnts[fWide].fs, fnts[fWBold].fs))) {
++ if (new_fonts[fWide].fs != 0
++ && new_fonts[fWBold].fs != 0
++ && (!is_fixed_font(new_fonts[fWide].fs)
++ || !is_fixed_font(new_fonts[fWBold].fs)
++ || differing_widths(new_fonts[fWide].fs, new_fonts[fWBold].fs))) {
+ TRACE(("Proportional font! wide %d/%d, wide bold %d/%d\n",
+- fnts[fWide].fs->min_bounds.width,
+- fnts[fWide].fs->max_bounds.width,
+- fnts[fWBold].fs->min_bounds.width,
+- fnts[fWBold].fs->max_bounds.width));
++ new_fonts[fWide].fs->min_bounds.width,
++ new_fonts[fWide].fs->max_bounds.width,
++ new_fonts[fWBold].fs->min_bounds.width,
++ new_fonts[fWBold].fs->max_bounds.width));
+ proportional = True;
+ }
+ });
+@@ -1635,13 +1655,13 @@ xtermLoadFont(XtermWidget xw,
+ screen->ifnts_ok = False;
+ #endif
+
+- xtermCopyFontInfo(GetNormalFont(screen, fNorm), &fnts[fNorm]);
+- xtermCopyFontInfo(GetNormalFont(screen, fBold), &fnts[fBold]);
++ xtermCopyFontInfo(GetNormalFont(screen, fNorm), &new_fonts[fNorm]);
++ xtermCopyFontInfo(GetNormalFont(screen, fBold), &new_fonts[fBold]);
+ #if OPT_WIDE_CHARS
+- xtermCopyFontInfo(GetNormalFont(screen, fWide), &fnts[fWide]);
+- if (fnts[fWBold].fs == NULL)
+- xtermCopyFontInfo(GetNormalFont(screen, fWide), &fnts[fWide]);
+- xtermCopyFontInfo(GetNormalFont(screen, fWBold), &fnts[fWBold]);
++ xtermCopyFontInfo(GetNormalFont(screen, fWide), &new_fonts[fWide]);
++ if (new_fonts[fWBold].fs == NULL)
++ xtermCopyFontInfo(GetNormalFont(screen, fWide), &new_fonts[fWide]);
++ xtermCopyFontInfo(GetNormalFont(screen, fWBold), &new_fonts[fWBold]);
+ #endif
+
+ xtermUpdateFontGCs(xw, getNormalFont);
+@@ -1672,7 +1692,7 @@ xtermLoadFont(XtermWidget xw,
+ unsigned ch;
+
+ #if OPT_TRACE
+-#define TRACE_MISS(index) show_font_misses(#index, &fnts[index])
++#define TRACE_MISS(index) show_font_misses(#index, &new_fonts[index])
+ TRACE_MISS(fNorm);
+ TRACE_MISS(fBold);
+ #if OPT_WIDE_CHARS
+@@ -1689,8 +1709,8 @@ xtermLoadFont(XtermWidget xw,
+ if ((n != UCS_REPL)
+ && (n != ch)
+ && (screen->fnt_boxes & 2)) {
+- if (xtermMissingChar(n, &fnts[fNorm]) ||
+- xtermMissingChar(n, &fnts[fBold])) {
++ if (xtermMissingChar(n, &new_fonts[fNorm]) ||
++ xtermMissingChar(n, &new_fonts[fBold])) {
+ UIntClr(screen->fnt_boxes, 2);
+ TRACE(("missing graphics character #%d, U+%04X\n",
+ ch, n));
+@@ -1702,12 +1722,12 @@ xtermLoadFont(XtermWidget xw,
+ #endif
+
+ for (ch = 1; ch < 32; ch++) {
+- if (xtermMissingChar(ch, &fnts[fNorm])) {
++ if (xtermMissingChar(ch, &new_fonts[fNorm])) {
+ TRACE(("missing normal char #%d\n", ch));
+ UIntClr(screen->fnt_boxes, 1);
+ break;
+ }
+- if (xtermMissingChar(ch, &fnts[fBold])) {
++ if (xtermMissingChar(ch, &new_fonts[fBold])) {
+ TRACE(("missing bold char #%d\n", ch));
+ UIntClr(screen->fnt_boxes, 1);
+ break;
+@@ -1724,8 +1744,8 @@ xtermLoadFont(XtermWidget xw,
+ screen->enbolden = screen->bold_mode;
+ } else {
+ screen->enbolden = screen->bold_mode
+- && ((fnts[fNorm].fs == fnts[fBold].fs)
+- || same_font_name(myfonts.f_n, myfonts.f_b));
++ && ((new_fonts[fNorm].fs == new_fonts[fBold].fs)
++ || same_font_name(new_fnames.f_n, new_fnames.f_b));
+ }
+ TRACE(("Will %suse 1-pixel offset/overstrike to simulate bold\n",
+ screen->enbolden ? "" : "not "));
+@@ -1741,7 +1761,7 @@ xtermLoadFont(XtermWidget xw,
+ update_font_escape();
+ }
+ #if OPT_SHIFT_FONTS
+- screen->menu_font_sizes[fontnum] = FontSize(fnts[fNorm].fs);
++ screen->menu_font_sizes[fontnum] = FontSize(new_fonts[fNorm].fs);
+ #endif
+ }
+ set_cursor_gcs(xw);
+@@ -1756,20 +1776,21 @@ xtermLoadFont(XtermWidget xw,
+ FREE_FNAME(f_w);
+ FREE_FNAME(f_wb);
+ #endif
+- if (fnts[fNorm].fn == fnts[fBold].fn) {
+- free(fnts[fNorm].fn);
++ if (new_fonts[fNorm].fn == new_fonts[fBold].fn) {
++ free(new_fonts[fNorm].fn);
+ } else {
+- free(fnts[fNorm].fn);
+- free(fnts[fBold].fn);
++ free(new_fonts[fNorm].fn);
++ free(new_fonts[fBold].fn);
+ }
+ #if OPT_WIDE_CHARS
+- free(fnts[fWide].fn);
+- free(fnts[fWBold].fn);
++ free(new_fonts[fWide].fn);
++ free(new_fonts[fWBold].fn);
+ #endif
+ xtermSetWinSize(xw);
+ return 1;
+
+ bad:
++ recovered = False;
+ if (tmpname)
+ free(tmpname);
+
+@@ -1780,15 +1801,15 @@ xtermLoadFont(XtermWidget xw,
+ SetItemSensitivity(fontMenuEntries[fontnum].widget, True);
+ #endif
+ Bell(xw, XkbBI_MinorError, 0);
+- myfonts.f_n = screen->MenuFontName(old_fontnum);
+- return xtermLoadFont(xw, &myfonts, doresize, old_fontnum);
+- } else if (x_strcasecmp(myfonts.f_n, DEFFONT)) {
+- int code;
+-
+- myfonts.f_n = x_strdup(DEFFONT);
+- TRACE(("...recovering for TrueType fonts\n"));
+- code = xtermLoadFont(xw, &myfonts, doresize, fontnum);
+- if (code) {
++ new_fnames.f_n = screen->MenuFontName(old_fontnum);
++ if (xtermLoadFont(xw, &new_fnames, doresize, old_fontnum))
++ recovered = True;
++ } else if (x_strcasecmp(new_fnames.f_n, DEFFONT)
++ && x_strcasecmp(new_fnames.f_n, old_fonts[fNorm].fn)) {
++ new_fnames.f_n = x_strdup(old_fonts[fNorm].fn);
++ TRACE(("...recovering from failed font-load\n"));
++ if (xtermLoadFont(xw, &new_fnames, doresize, fontnum)) {
++ recovered = True;
+ if (fontnum != fontMenu_fontsel) {
+ SetItemSensitivity(fontMenuEntries[fontnum].widget,
+ UsingRenderFont(xw));
+@@ -1797,15 +1818,15 @@ xtermLoadFont(XtermWidget xw,
+ FontHeight(screen),
+ FontWidth(screen)));
+ }
+- return code;
+ }
+ #endif
+-
+- releaseWindowGCs(xw, win);
+-
+- xtermCloseFonts(xw, fnts);
+- TRACE(("Fail Cgs - xtermLoadFont\n"));
+- return 0;
++ if (!recovered) {
++ releaseWindowGCs(xw, win);
++ xtermCloseFonts(xw, new_fonts);
++ TRACE(("Fail Cgs - xtermLoadFont\n"));
++ code = 0;
++ }
++ return code;
+ }
+
+ #if OPT_WIDE_ATTRS
+@@ -1853,7 +1874,7 @@ xtermLoadItalics(XtermWidget xw)
+ } else {
+ xtermOpenFont(xw,
+ getNormalFont(screen, n)->fn,
+- data, False);
++ data, NULL, False);
+ }
+ }
+ }
+@@ -4119,6 +4140,8 @@ findXftGlyph(XtermWidget xw, XftFont *given, unsigned wc)
+ }
+ #endif
+ if (foundXftGlyph(xw, check, wc)) {
++ (void) added;
++ (void) actual;
+ markXftOpened(xw, which, n, wc);
+ reportXftFonts(xw, check, "fallback", tag, myReport);
+ result = check;
+@@ -4317,7 +4340,7 @@ lookupOneFontSize(XtermWidget xw, int fontnum)
+
+ memset(&fnt, 0, sizeof(fnt));
+ screen->menu_font_sizes[fontnum] = -1;
+- if (xtermOpenFont(xw, screen->MenuFontName(fontnum), &fnt, True)) {
++ if (xtermOpenFont(xw, screen->MenuFontName(fontnum), &fnt, NULL, True)) {
+ if (fontnum <= fontMenu_lastBuiltin
+ || strcmp(fnt.fn, DEFFONT)) {
+ screen->menu_font_sizes[fontnum] = FontSize(fnt.fs);
+@@ -4722,13 +4745,14 @@ HandleSetFont(Widget w GCC_UNUSED,
+ }
+ }
+
+-void
++Bool
+ SetVTFont(XtermWidget xw,
+ int which,
+ Bool doresize,
+ const VTFontNames * fonts)
+ {
+ TScreen *screen = TScreenOf(xw);
++ Bool result = False;
+
+ TRACE(("SetVTFont(which=%d, f_n=%s, f_b=%s)\n", which,
+ (fonts && fonts->f_n) ? fonts->f_n : "<null>",
+@@ -4737,34 +4761,31 @@ SetVTFont(XtermWidget xw,
+ if (IsIcon(screen)) {
+ Bell(xw, XkbBI_MinorError, 0);
+ } else if (which >= 0 && which < NMENUFONTS) {
+- VTFontNames myfonts;
++ VTFontNames new_fnames;
+
+- memset(&myfonts, 0, sizeof(myfonts));
++ memset(&new_fnames, 0, sizeof(new_fnames));
+ if (fonts != 0)
+- myfonts = *fonts;
++ new_fnames = *fonts;
+
+ if (which == fontMenu_fontsel) { /* go get the selection */
+- FindFontSelection(xw, myfonts.f_n, False);
++ result = FindFontSelection(xw, new_fnames.f_n, False);
+ } else {
+- int oldFont = screen->menu_font_number;
+-
+ #define USE_CACHED(field, name) \
+- if (myfonts.field == 0) { \
+- myfonts.field = x_strdup(screen->menu_font_names[which][name]); \
+- TRACE(("set myfonts." #field " from menu_font_names[%d][" #name "] %s\n", \
+- which, NonNull(myfonts.field))); \
++ if (new_fnames.field == NULL) { \
++ new_fnames.field = x_strdup(screen->menu_font_names[which][name]); \
++ TRACE(("set new_fnames." #field " from menu_font_names[%d][" #name "] %s\n", \
++ which, NonNull(new_fnames.field))); \
+ } else { \
+- TRACE(("set myfonts." #field " reused\n")); \
++ TRACE(("set new_fnames." #field " reused\n")); \
+ }
+ #define SAVE_FNAME(field, name) \
+- if (myfonts.field != 0) { \
+- if (screen->menu_font_names[which][name] == 0 \
+- || strcmp(screen->menu_font_names[which][name], myfonts.field)) { \
+- TRACE(("updating menu_font_names[%d][" #name "] to %s\n", \
+- which, myfonts.field)); \
+- FREE_STRING(screen->menu_font_names[which][name]); \
+- screen->menu_font_names[which][name] = x_strdup(myfonts.field); \
+- } \
++ if (new_fnames.field != NULL \
++ && (screen->menu_font_names[which][name] == NULL \
++ || strcmp(screen->menu_font_names[which][name], new_fnames.field))) { \
++ TRACE(("updating menu_font_names[%d][" #name "] to \"%s\"\n", \
++ which, new_fnames.field)); \
++ FREE_STRING(screen->menu_font_names[which][name]); \
++ screen->menu_font_names[which][name] = x_strdup(new_fnames.field); \
+ }
+
+ USE_CACHED(f_n, fNorm);
+@@ -4774,7 +4795,7 @@ SetVTFont(XtermWidget xw,
+ USE_CACHED(f_wb, fWBold);
+ #endif
+ if (xtermLoadFont(xw,
+- &myfonts,
++ &new_fnames,
+ doresize, which)) {
+ /*
+ * If successful, save the data so that a subsequent query via
+@@ -4786,10 +4807,8 @@ SetVTFont(XtermWidget xw,
+ SAVE_FNAME(f_w, fWide);
+ SAVE_FNAME(f_wb, fWBold);
+ #endif
++ result = True;
+ } else {
+- (void) xtermLoadFont(xw,
+- xtermFontName(screen->MenuFontName(oldFont)),
+- doresize, oldFont);
+ Bell(xw, XkbBI_MinorError, 0);
+ }
+ FREE_FNAME(f_n);
+@@ -4802,7 +4821,8 @@ SetVTFont(XtermWidget xw,
+ } else {
+ Bell(xw, XkbBI_MinorError, 0);
+ }
+- return;
++ TRACE(("...SetVTFont: %d\n", result));
++ return result;
+ }
+
+ #if OPT_RENDERFONT
+diff --git a/fontutils.h b/fontutils.h
+index 9d530c5..ceaf44a 100644
+--- a/fontutils.h
++++ b/fontutils.h
+@@ -37,7 +37,7 @@
+ /* *INDENT-OFF* */
+
+ extern Bool xtermLoadDefaultFonts (XtermWidget /* xw */);
+-extern Bool xtermOpenFont (XtermWidget /* xw */, const char */* name */, XTermFonts * /* result */, Bool /* force */);
++extern Bool xtermOpenFont (XtermWidget /* xw */, const char */* name */, XTermFonts * /* result */, XTermFonts * /* current */, Bool /* force */);
+ extern XTermFonts * getDoubleFont (TScreen * /* screen */, int /* which */);
+ extern XTermFonts * getItalicFont (TScreen * /* screen */, int /* which */);
+ extern XTermFonts * getNormalFont (TScreen * /* screen */, int /* which */);
+@@ -50,7 +50,7 @@ extern int lookupRelativeFontSize (XtermWidget /* xw */, int /* old */, int /* r
+ extern int xtermGetFont (const char * /* param */);
+ extern int xtermLoadFont (XtermWidget /* xw */, const VTFontNames */* fonts */, Bool /* doresize */, int /* fontnum */);
+ extern void HandleSetFont PROTO_XT_ACTIONS_ARGS;
+-extern void SetVTFont (XtermWidget /* xw */, int /* i */, Bool /* doresize */, const VTFontNames */* fonts */);
++extern Bool SetVTFont (XtermWidget /* xw */, int /* i */, Bool /* doresize */, const VTFontNames */* fonts */);
+ extern void allocFontList (XtermWidget /* xw */, const char * /* name */, XtermFontNames * /* target */, VTFontEnum /* which */, const char * /* source */, Bool /* ttf */);
+ extern void copyFontList (char *** /* targetp */, char ** /* source */);
+ extern void initFontLists (XtermWidget /* xw */);
+diff --git a/misc.c b/misc.c
+index cc323f8..6c5e938 100644
+--- a/misc.c
++++ b/misc.c
+@@ -3787,9 +3787,9 @@ ChangeFontRequest(XtermWidget xw, String buf)
+ {
+ memset(&fonts, 0, sizeof(fonts));
+ fonts.f_n = name;
+- SetVTFont(xw, num, True, &fonts);
+- if (num == screen->menu_font_number &&
+- num != fontMenu_fontescape) {
++ if (SetVTFont(xw, num, True, &fonts)
++ && num == screen->menu_font_number
++ && num != fontMenu_fontescape) {
+ screen->EscapeFontName() = x_strdup(name);
+ }
+ }
+@@ -6237,7 +6237,6 @@ xtermSetenv(const char *var, const char *value)
+
+ found = envindex;
+ environ[found + 1] = NULL;
+- environ = environ;
+ }
+
+ environ[found] = TextAlloc(1 + len + strlen(value));
+diff --git a/screen.c b/screen.c
+index 690e3e2..f84254f 100644
+--- a/screen.c
++++ b/screen.c
+@@ -1497,7 +1497,7 @@ ScrnRefresh(XtermWidget xw,
+ screen->topline, toprow, leftcol,
+ nrows, ncols,
+ force ? " force" : ""));
+-
++ (void) recurse;
+ ++recurse;
+
+ if (screen->cursorp.col >= leftcol
+diff --git a/xterm.h b/xterm.h
+index ec70e43..aa71f96 100644
+--- a/xterm.h
++++ b/xterm.h
+@@ -967,7 +967,7 @@ extern Bool CheckBufPtrs (TScreen * /* screen */);
+ extern Bool set_cursor_gcs (XtermWidget /* xw */);
+ extern char * vt100ResourceToString (XtermWidget /* xw */, const char * /* name */);
+ extern int VTInit (XtermWidget /* xw */);
+-extern void FindFontSelection (XtermWidget /* xw */, const char * /* atom_name */, Bool /* justprobe */);
++extern Bool FindFontSelection (XtermWidget /* xw */, const char * /* atom_name */, Bool /* justprobe */);
+ extern void HideCursor (void);
+ extern void RestartBlinking(XtermWidget /* xw */);
+ extern void ShowCursor (void);
+diff --git a/xterm.log.html b/xterm.log.html
+index 47d590b..e27dc31 100644
+--- a/xterm.log.html
++++ b/xterm.log.html
+@@ -991,6 +991,12 @@
+ 2020/02/01</a></h1>
+
+ <ul>
++ <li>improve error-recovery when setting a bitmap font for the
++ VT100 window, e.g., in case <em>OSC&nbsp;50</em> failed,
++ restoring the most recent valid font so that a subsequent
++ <em>OSC&nbsp;50</em> reports this correctly (report by David
++ Leadbeater).</li>
++
+ <li>amend change in <a href="#xterm_352">patch #352</a> for
+ button-events to fix a case where some followup events were not
+ processed soon enough (report/patch by Jimmy Aguilar
+--
+2.24.4
+
diff --git a/meta-oe/recipes-graphics/xorg-app/xterm_353.bb b/meta-oe/recipes-graphics/xorg-app/xterm_353.bb
index 264320212..4e2b0c9d5 100644
--- a/meta-oe/recipes-graphics/xorg-app/xterm_353.bb
+++ b/meta-oe/recipes-graphics/xorg-app/xterm_353.bb
@@ -7,8 +7,9 @@ LIC_FILES_CHKSUM = "file://xterm.h;beginline=3;endline=31;md5=996b1ce0584c0747b1
SRC_URI = "http://invisible-mirror.net/archives/${BPN}/${BP}.tgz \
file://0001-Add-configure-time-check-for-setsid.patch \
file://CVE-2021-27135.patch \
+ file://CVE-2022-24130.patch \
+ file://CVE-2022-45063.patch \
"
-
SRC_URI[md5sum] = "247c30ebfa44623f3a2d100e0cae5c7f"
SRC_URI[sha256sum] = "e521d3ee9def61f5d5c911afc74dd5c3a56ce147c7071c74023ea24cac9bb768"
PACKAGECONFIG ?= ""
diff --git a/meta-oe/recipes-graphics/xorg-driver/xf86-video-armsoc_1.4.1.bb b/meta-oe/recipes-graphics/xorg-driver/xf86-video-armsoc_1.4.1.bb
index b436ef1e4..3d60ed131 100644
--- a/meta-oe/recipes-graphics/xorg-driver/xf86-video-armsoc_1.4.1.bb
+++ b/meta-oe/recipes-graphics/xorg-driver/xf86-video-armsoc_1.4.1.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=10ce5de3b111315ea652a5f74ec0c602"
DEPENDS += "virtual/libx11 libdrm xorgproto"
SRCREV = "8bbdb2ae3bb8ef649999a8da33ddbe11a04763b8"
-SRC_URI = "git://anongit.freedesktop.org/xorg/driver/xf86-video-armsoc"
+SRC_URI = "git://anongit.freedesktop.org/xorg/driver/xf86-video-armsoc;branch=master"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-graphics/yad/yad_6.0.bb b/meta-oe/recipes-graphics/yad/yad_6.0.bb
index 3760a37d3..92a5c284b 100644
--- a/meta-oe/recipes-graphics/yad/yad_6.0.bb
+++ b/meta-oe/recipes-graphics/yad/yad_6.0.bb
@@ -5,7 +5,7 @@ AUTHOR = "Victor Ananjevsky"
LICENSE = "GPLv3"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
-SRC_URI = "git://github.com/v1cont/yad.git"
+SRC_URI = "git://github.com/v1cont/yad.git;branch=master;protocol=https"
SRCREV = "a5b1a7a3867bc7dffbbc539f586f301687b6ec02"
inherit autotools gsettings features_check
diff --git a/meta-oe/recipes-kernel/agent-proxy/agent-proxy_1.97.bb b/meta-oe/recipes-kernel/agent-proxy/agent-proxy_1.97.bb
index 2eb19206d..57232f8d5 100644
--- a/meta-oe/recipes-kernel/agent-proxy/agent-proxy_1.97.bb
+++ b/meta-oe/recipes-kernel/agent-proxy/agent-proxy_1.97.bb
@@ -10,7 +10,7 @@ EXTRA_OEMAKE = "'CC=${CC}'"
SRCREV = "468fe4c31e6c62c9bbb328b06ba71eaf7be0b76a"
-SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kgdb/agent-proxy.git;protocol=git \
+SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kgdb/agent-proxy.git;protocol=git;branch=master \
file://0001-Makefile-Add-LDFLAGS-variable.patch \
"
diff --git a/meta-oe/recipes-kernel/broadcom-bt-firmware/broadcom-bt-firmware_git.bb b/meta-oe/recipes-kernel/broadcom-bt-firmware/broadcom-bt-firmware_git.bb
index 8c474ecdc..b6fbccfbf 100644
--- a/meta-oe/recipes-kernel/broadcom-bt-firmware/broadcom-bt-firmware_git.bb
+++ b/meta-oe/recipes-kernel/broadcom-bt-firmware/broadcom-bt-firmware_git.bb
@@ -9,7 +9,7 @@ LICENSE = "Firmware-Broadcom-WIDCOMM"
NO_GENERIC_LICENSE[Firmware-Broadcom-WIDCOMM] = "LICENSE.broadcom_bcm20702"
LIC_FILES_CHKSUM = "file://LICENSE.broadcom_bcm20702;md5=c0d5ea0502b00df74173d0f8a48b619d"
-SRC_URI = "git://github.com/winterheart/broadcom-bt-firmware.git"
+SRC_URI = "git://github.com/winterheart/broadcom-bt-firmware.git;branch=master;protocol=https"
SRCREV = "c0bd928b8ae5754b6077c99afe6ef5c949a58f32"
PE = "1"
PV = "0.0+git${SRCPV}"
diff --git a/meta-oe/recipes-kernel/crash/crash_7.2.8.bb b/meta-oe/recipes-kernel/crash/crash_7.2.8.bb
index 834c92cc4..5dd2c0aa0 100644
--- a/meta-oe/recipes-kernel/crash/crash_7.2.8.bb
+++ b/meta-oe/recipes-kernel/crash/crash_7.2.8.bb
@@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://COPYING3;md5=d32239bcb673463ab874e80d47fae504"
DEPENDS = "zlib readline coreutils-native ncurses-native"
S = "${WORKDIR}/git"
-SRC_URI = "git://github.com/crash-utility/${BPN}.git \
+SRC_URI = "git://github.com/crash-utility/${BPN}.git;branch=master;protocol=https \
${GNU_MIRROR}/gdb/gdb-7.6.tar.gz;name=gdb;subdir=git \
file://7001force_define_architecture.patch \
file://7003cross_ranlib.patch \
diff --git a/meta-oe/recipes-kernel/kpatch/kpatch.inc b/meta-oe/recipes-kernel/kpatch/kpatch.inc
index 1f70f7205..685be7d40 100644
--- a/meta-oe/recipes-kernel/kpatch/kpatch.inc
+++ b/meta-oe/recipes-kernel/kpatch/kpatch.inc
@@ -3,7 +3,7 @@ DESCRIPTION = "kpatch is a Linux dynamic kernel patching infrastructure which al
LICENSE = "GPLv2 & LGPLv2"
DEPENDS = "elfutils bash"
-SRC_URI = "git://github.com/dynup/kpatch.git;protocol=https \
+SRC_URI = "git://github.com/dynup/kpatch.git;protocol=https;branch=master \
file://0001-kpatch-build-add-cross-compilation-support.patch \
file://0002-kpatch-build-allow-overriding-of-distro-name.patch \
"
diff --git a/meta-oe/recipes-kernel/minicoredumper/minicoredumper_2.0.1.bb b/meta-oe/recipes-kernel/minicoredumper/minicoredumper_2.0.1.bb
index d381c83ae..8188ae599 100644
--- a/meta-oe/recipes-kernel/minicoredumper/minicoredumper_2.0.1.bb
+++ b/meta-oe/recipes-kernel/minicoredumper/minicoredumper_2.0.1.bb
@@ -13,7 +13,7 @@ SRCREV = "16a0d44f1725eaa93096eaa0e086f42ef4c2712c"
PR .= "+git${SRCPV}"
-SRC_URI = "git://github.com/diamon/minicoredumper;protocol=https \
+SRC_URI = "git://github.com/diamon/minicoredumper;protocol=https;branch=master \
file://minicoredumper.service \
file://minicoredumper.init \
"
diff --git a/meta-oe/recipes-kernel/pm-graph/pm-graph_5.5.bb b/meta-oe/recipes-kernel/pm-graph/pm-graph_5.5.bb
index a1378866a..78d9c36c9 100644
--- a/meta-oe/recipes-kernel/pm-graph/pm-graph_5.5.bb
+++ b/meta-oe/recipes-kernel/pm-graph/pm-graph_5.5.bb
@@ -6,7 +6,7 @@ LICENSE = "GPL-2"
LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e"
SRCREV = "cf59527dc24fdd2f314ae4dcaeb3d68a117988f6"
-SRC_URI = "git://github.com/intel/pm-graph.git \
+SRC_URI = "git://github.com/intel/pm-graph.git;branch=master;protocol=https \
file://0001-Makefile-fix-multilib-build-failure.patch \
file://0001-sleepgraph.py-use-python3.patch \
"
diff --git a/meta-oe/recipes-multimedia/jack/a2jmidid_9.bb b/meta-oe/recipes-multimedia/jack/a2jmidid_9.bb
index 5fffe77c2..e33a3f257 100644
--- a/meta-oe/recipes-multimedia/jack/a2jmidid_9.bb
+++ b/meta-oe/recipes-multimedia/jack/a2jmidid_9.bb
@@ -11,7 +11,7 @@ DEPENDS_append_libc-musl = " libexecinfo"
SRCREV = "de37569c926c5886768f892c019e3f0468615038"
SRC_URI = " \
- git://github.com/linuxaudio/a2jmidid;protocol=https \
+ git://github.com/linuxaudio/a2jmidid;protocol=https;branch=master \
file://riscv_ucontext.patch \
"
diff --git a/meta-oe/recipes-multimedia/jack/jack_1.19.14.bb b/meta-oe/recipes-multimedia/jack/jack_1.19.14.bb
index e954341ff..dbf4c1ae7 100644
--- a/meta-oe/recipes-multimedia/jack/jack_1.19.14.bb
+++ b/meta-oe/recipes-multimedia/jack/jack_1.19.14.bb
@@ -14,7 +14,7 @@ LIC_FILES_CHKSUM = " \
DEPENDS = "libsamplerate0 libsndfile1 readline"
-SRC_URI = "git://github.com/jackaudio/jack2.git \
+SRC_URI = "git://github.com/jackaudio/jack2.git;branch=master;protocol=https \
file://0001-example-clients-Use-c-compiler-for-jack_simdtests.patch \
"
SRCREV = "b54a09bf7ef760d81fdb8544ad10e45575394624"
diff --git a/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb b/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb
index 3454a5c27..f6c64212f 100644
--- a/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb
+++ b/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a42532a0684420bdb15556c3cdd49a75"
DEPENDS = "enca fontconfig freetype libpng fribidi"
-SRC_URI = "git://github.com/libass/libass.git"
+SRC_URI = "git://github.com/libass/libass.git;branch=master;protocol=https"
SRCREV = "73284b676b12b47e17af2ef1b430527299e10c17"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-multimedia/mplayer/mpv_0.32.0.bb b/meta-oe/recipes-multimedia/mplayer/mpv_0.32.0.bb
index 70a39c7b6..13979ae9b 100644
--- a/meta-oe/recipes-multimedia/mplayer/mpv_0.32.0.bb
+++ b/meta-oe/recipes-multimedia/mplayer/mpv_0.32.0.bb
@@ -17,7 +17,7 @@ LICENSE_FLAGS = "commercial"
SRCREV_mpv = "70b991749df389bcc0a4e145b5687233a03b4ed7"
SRC_URI = " \
- git://github.com/mpv-player/mpv;name=mpv \
+ git://github.com/mpv-player/mpv;name=mpv;branch=master;protocol=https \
https://waf.io/waf-2.0.20;name=waf;subdir=git \
"
SRC_URI[waf.sha256sum] = "bf971e98edc2414968a262c6aa6b88541a26c3cd248689c89f4c57370955ee7f"
diff --git a/meta-oe/recipes-multimedia/pipewire/pipewire-0.2_git.bb b/meta-oe/recipes-multimedia/pipewire/pipewire-0.2_git.bb
index bcb3015f8..f6cefd810 100644
--- a/meta-oe/recipes-multimedia/pipewire/pipewire-0.2_git.bb
+++ b/meta-oe/recipes-multimedia/pipewire/pipewire-0.2_git.bb
@@ -11,7 +11,7 @@ DEPENDS = "alsa-lib dbus udev"
SRCREV = "14c11c0fe4d366bad4cfecdee97b6652ff9ed63d"
PV = "0.2.7"
-SRC_URI = "git://github.com/PipeWire/pipewire"
+SRC_URI = "git://github.com/PipeWire/pipewire;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-multimedia/pipewire/pipewire_git.bb b/meta-oe/recipes-multimedia/pipewire/pipewire_git.bb
index 1a415c13c..c55432d3b 100644
--- a/meta-oe/recipes-multimedia/pipewire/pipewire_git.bb
+++ b/meta-oe/recipes-multimedia/pipewire/pipewire_git.bb
@@ -11,7 +11,7 @@ DEPENDS = "alsa-lib dbus udev"
SRCREV = "74a1632f0720886d5b3b6c23ee8fcd6c03ca7aac"
PV = "0.3.1"
-SRC_URI = "git://github.com/PipeWire/pipewire"
+SRC_URI = "git://github.com/PipeWire/pipewire;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-multimedia/v4l2apps/yavta_git.bb b/meta-oe/recipes-multimedia/v4l2apps/yavta_git.bb
index a192d1a3b..98542ffe6 100644
--- a/meta-oe/recipes-multimedia/v4l2apps/yavta_git.bb
+++ b/meta-oe/recipes-multimedia/v4l2apps/yavta_git.bb
@@ -2,7 +2,7 @@ SUMMARY = "Yet Another V4L2 Test Application"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING.GPL;md5=751419260aa954499f7abaabaa882bbe"
-SRC_URI = "git://git.ideasonboard.org/yavta.git \
+SRC_URI = "git://git.ideasonboard.org/yavta.git;branch=master \
file://0001-Add-stdout-mode-to-allow-streaming-over-the-network-.patch"
SRCREV = "7e9f28bedc1ed3205fb5164f686aea96f27a0de2"
diff --git a/meta-oe/recipes-multimedia/webm/libvpx_1.8.2.bb b/meta-oe/recipes-multimedia/webm/libvpx_1.8.2.bb
index 4a98ec17d..d607bbebe 100644
--- a/meta-oe/recipes-multimedia/webm/libvpx_1.8.2.bb
+++ b/meta-oe/recipes-multimedia/webm/libvpx_1.8.2.bb
@@ -8,7 +8,7 @@ LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=d5b04755015be901744a78cc30d390d4"
SRCREV = "7ec7a33a081aeeb53fed1a8d87e4cbd189152527"
-SRC_URI += "git://chromium.googlesource.com/webm/libvpx;protocol=https \
+SRC_URI += "git://chromium.googlesource.com/webm/libvpx;protocol=https;branch=master \
file://libvpx-configure-support-blank-prefix.patch \
"
diff --git a/meta-oe/recipes-security/keyutils/keyutils_1.6.1.bb b/meta-oe/recipes-security/keyutils/keyutils_1.6.1.bb
index 0a8c2e483..879dbe5ca 100644
--- a/meta-oe/recipes-security/keyutils/keyutils_1.6.1.bb
+++ b/meta-oe/recipes-security/keyutils/keyutils_1.6.1.bb
@@ -31,6 +31,9 @@ EXTRA_OEMAKE = "'CFLAGS=${CFLAGS} -Wall' \
LIBDIR=${libdir} \
USRLIBDIR=${libdir} \
INCLUDEDIR=${includedir} \
+ ETCDIR=${sysconfdir} \
+ SHAREDIR=${datadir}/keyutils \
+ MANDIR=${datadir}/man \
BUILDFOR=${SITEINFO_BITS}-bit \
NO_GLIBC_KEYERR=1 \
"
@@ -40,18 +43,6 @@ do_install () {
oe_runmake DESTDIR=${D} install
}
-do_install_append_class-nativesdk() {
- install -d ${D}${datadir}
- src_dir="${D}${target_datadir}"
- mv $src_dir/* ${D}${datadir}
- par_dir=`dirname $src_dir`
- rmdir $src_dir $par_dir
-
- install -d ${D}${sysconfdir}
- mv ${D}/etc/* ${D}${sysconfdir}/
- rmdir ${D}/etc
-}
-
do_install_ptest () {
cp -r ${S}/tests ${D}${PTEST_PATH}/
sed -i -e 's/OSDIST=Unknown/OSDIST=${DISTRO}/' ${D}${PTEST_PATH}/tests/prepare.inc.sh
diff --git a/meta-oe/recipes-security/softhsm/softhsm_git.bb b/meta-oe/recipes-security/softhsm/softhsm_git.bb
index 3236cb9a6..4ceda3d4b 100644
--- a/meta-oe/recipes-security/softhsm/softhsm_git.bb
+++ b/meta-oe/recipes-security/softhsm/softhsm_git.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=ef3f77a3507c3d91e75b9f2bdaee4210"
DEPENDS = "openssl"
PV = "2.5.0"
-SRC_URI = "git://github.com/opendnssec/SoftHSMv2.git;branch=master"
+SRC_URI = "git://github.com/opendnssec/SoftHSMv2.git;branch=master;protocol=https"
SRCREV = "369df0383d101bc8952692c2a368ac8bc887d1b4"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/ace-cloud-editor/ace-cloud-editor_git.bb b/meta-oe/recipes-support/ace-cloud-editor/ace-cloud-editor_git.bb
index 4ea6c8a29..8df94d91e 100644
--- a/meta-oe/recipes-support/ace-cloud-editor/ace-cloud-editor_git.bb
+++ b/meta-oe/recipes-support/ace-cloud-editor/ace-cloud-editor_git.bb
@@ -4,7 +4,7 @@ SUMMARY = "Ace is a code editor written in JavaScript. This repository has only
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=794d11c5219c59c9efa2487c2b4066b2"
-SRC_URI = "git://github.com/ajaxorg/ace-builds.git;protocol=https"
+SRC_URI = "git://github.com/ajaxorg/ace-builds.git;protocol=https;branch=master"
PV = "02.07.17+git${SRCPV}"
SRCREV = "812e2c56aed246931a667f16c28b096e34597016"
diff --git a/meta-oe/recipes-support/anthy/anthy_9100h.bb b/meta-oe/recipes-support/anthy/anthy_9100h.bb
index a65d324ea..b464c0000 100644
--- a/meta-oe/recipes-support/anthy/anthy_9100h.bb
+++ b/meta-oe/recipes-support/anthy/anthy_9100h.bb
@@ -10,8 +10,8 @@ SRC_URI = "http://osdn.dl.sourceforge.jp/anthy/37536/anthy-9100h.tar.gz \
file://2ch_t.patch \
"
-SRC_URI_append_class-target = "file://target-helpers.patch"
-SRC_URI_append_class-native = "file://native-helpers.patch"
+SRC_URI_append_class-target = " file://target-helpers.patch"
+SRC_URI_append_class-native = " file://native-helpers.patch"
SRC_URI[md5sum] = "1f558ff7ed296787b55bb1c6cf131108"
SRC_URI[sha256sum] = "d256f075f018b4a3cb0d165ed6151fda4ba7db1621727e0eb54569b6e2275547"
diff --git a/meta-oe/recipes-support/avro/avro-c_1.9.2.bb b/meta-oe/recipes-support/avro/avro-c_1.9.2.bb
index 0642179fb..e85f341f1 100644
--- a/meta-oe/recipes-support/avro/avro-c_1.9.2.bb
+++ b/meta-oe/recipes-support/avro/avro-c_1.9.2.bb
@@ -9,7 +9,7 @@ DEPENDS = "jansson zlib xz"
BRANCH = "branch-1.9"
SRCREV = "bf20128ca6138a830b2ea13e0490f3df6b035639"
-SRC_URI = "git://github.com/apache/avro;branch=${BRANCH} \
+SRC_URI = "git://github.com/apache/avro;branch=${BRANCH};protocol=https \
file://0001-cmake-Use-GNUInstallDirs-instead-of-hard-coded-paths.patch;patchdir=../../ \
"
diff --git a/meta-oe/recipes-support/bdwgc/bdwgc_8.0.4.bb b/meta-oe/recipes-support/bdwgc/bdwgc_8.0.4.bb
index 407de2138..d7d0b9c15 100644
--- a/meta-oe/recipes-support/bdwgc/bdwgc_8.0.4.bb
+++ b/meta-oe/recipes-support/bdwgc/bdwgc_8.0.4.bb
@@ -24,7 +24,7 @@ LIC_FILES_CHKSUM = "file://README.QUICK;md5=81b447d779e278628c843aef92f088fa"
DEPENDS = "libatomic-ops"
SRCREV = "d3dede3ce4462cd82a15f161af797ca51654546a"
-SRC_URI = "git://github.com/ivmai/bdwgc.git;branch=release-8_0"
+SRC_URI = "git://github.com/ivmai/bdwgc.git;branch=release-8_0;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/c-ares/c-ares/0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch b/meta-oe/recipes-support/c-ares/c-ares/0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch
deleted file mode 100644
index 8f15f8424..000000000
--- a/meta-oe/recipes-support/c-ares/c-ares/0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From f2f1e134bf5d9d0789942848e03006af8d926cf8 Mon Sep 17 00:00:00 2001
-From: Wang Mingyu <wangmy@cn.fujitsu.com>
-Date: Tue, 17 Mar 2020 12:53:35 +0800
-Subject: [PATCH] fix configure error : mv libcares.pc.cmakein to
- libcares.pc.cmake
-
-Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
----
- CMakeLists.txt | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 3a5878d..c2e5740 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -563,7 +563,7 @@ IF (CARES_STATIC)
- ENDIF()
-
- # Write ares_config.h configuration file. This is used only for the build.
--CONFIGURE_FILE (libcares.pc.cmakein ${PROJECT_BINARY_DIR}/libcares.pc @ONLY)
-+CONFIGURE_FILE (libcares.pc.cmake ${PROJECT_BINARY_DIR}/libcares.pc @ONLY)
-
-
-
---
-2.17.1
-
diff --git a/meta-oe/recipes-support/c-ares/c-ares/cmake-install-libcares.pc.patch b/meta-oe/recipes-support/c-ares/c-ares/cmake-install-libcares.pc.patch
deleted file mode 100644
index 0eb7e4bbb..000000000
--- a/meta-oe/recipes-support/c-ares/c-ares/cmake-install-libcares.pc.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 12414304245cce6ef0e8b9547949be5109845353 Mon Sep 17 00:00:00 2001
-From: Changqing Li <changqing.li@windriver.com>
-Date: Tue, 24 Jul 2018 13:33:33 +0800
-Subject: [PATCH] cmake: Install libcares.pc
-
-Prepare and install libcares.pc file during cmake build, so libraries
-using pkg-config to find libcares will not fail.
-
-Signed-off-by: Alexey Firago <alexey_firago@mentor.com>
-
-update to 1.14.0, fix patch warning
-
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
----
- CMakeLists.txt | 28 +++++++++++++++++++++++-----
- 1 file changed, 23 insertions(+), 5 deletions(-)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index fd123e1..3a5878d 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -214,22 +214,25 @@ ADD_DEFINITIONS(${SYSFLAGS})
-
-
- # Tell C-Ares about libraries to depend on
-+# Also pass these libraries to pkg-config file
-+SET(CARES_PRIVATE_LIBS_LIST)
- IF (HAVE_LIBRESOLV)
-- LIST (APPEND CARES_DEPENDENT_LIBS resolv)
-+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lresolv")
- ENDIF ()
- IF (HAVE_LIBNSL)
-- LIST (APPEND CARES_DEPENDENT_LIBS nsl)
-+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lnsl")
- ENDIF ()
- IF (HAVE_LIBSOCKET)
-- LIST (APPEND CARES_DEPENDENT_LIBS socket)
-+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lsocket")
- ENDIF ()
- IF (HAVE_LIBRT)
-- LIST (APPEND CARES_DEPENDENT_LIBS rt)
-+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lrt")
- ENDIF ()
- IF (WIN32)
-- LIST (APPEND CARES_DEPENDENT_LIBS ws2_32 Advapi32)
-+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lws2_32")
- ENDIF ()
-
-+string (REPLACE ";" " " CARES_PRIVATE_LIBS "${CARES_PRIVATE_LIBS_LIST}")
-
- # When checking for symbols, we need to make sure we set the proper
- # headers, libraries, and definitions for the detection to work properly
-@@ -554,6 +557,15 @@ CONFIGURE_FILE (ares_build.h.cmake ${PROJECT_BINARY_DIR}/ares_build.h)
- # Write ares_config.h configuration file. This is used only for the build.
- CONFIGURE_FILE (ares_config.h.cmake ${PROJECT_BINARY_DIR}/ares_config.h)
-
-+# Pass required CFLAGS to pkg-config in case of static library
-+IF (CARES_STATIC)
-+ SET (CPPFLAG_CARES_STATICLIB "-DCARES_STATICLIB")
-+ENDIF()
-+
-+# Write ares_config.h configuration file. This is used only for the build.
-+CONFIGURE_FILE (libcares.pc.cmakein ${PROJECT_BINARY_DIR}/libcares.pc @ONLY)
-+
-+
-
- # TRANSFORM_MAKEFILE_INC
- #
-@@ -728,6 +740,12 @@ IF (CARES_INSTALL)
- INSTALL (FILES "${CMAKE_CURRENT_BINARY_DIR}/libcares.pc" COMPONENT Devel DESTINATION "${CMAKE_INSTALL_LIBDIR}/pkgconfig")
- ENDIF ()
-
-+# pkg-config file
-+IF (CARES_INSTALL)
-+ SET (PKGCONFIG_INSTALL_DIR "${CMAKE_INSTALL_LIBDIR}/pkgconfig")
-+ INSTALL (FILES "${CMAKE_CURRENT_BINARY_DIR}/libcares.pc" DESTINATION ${PKGCONFIG_INSTALL_DIR})
-+ENDIF ()
-+
- # Legacy chain-building variables (provided for compatibility with old code).
- # Don't use these, external code should be updated to refer to the aliases directly (e.g., Cares::cares).
- SET (CARES_FOUND 1 CACHE INTERNAL "CARES LIBRARY FOUND")
---
-2.17.1
-
diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb
index 67dd70180..25ce45d74 100644
--- a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb
+++ b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb
@@ -5,14 +5,8 @@ SECTION = "libs"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006"
-PV = "1.16.0+gitr${SRCPV}"
-
-SRC_URI = "\
- git://github.com/c-ares/c-ares.git \
- file://cmake-install-libcares.pc.patch \
- file://0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch \
-"
-SRCREV = "74a1426ba60e2cd7977e53a22ef839c87415066e"
+SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main"
+SRCREV = "2aa086f822aad5017a6f2061ef656f237a62d0ed"
UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P<pver>\d+_(\d_?)+)"
diff --git a/meta-oe/recipes-support/ceres-solver/ceres-solver_1.14.0.bb b/meta-oe/recipes-support/ceres-solver/ceres-solver_1.14.0.bb
index 105610be5..e0e50366d 100644
--- a/meta-oe/recipes-support/ceres-solver/ceres-solver_1.14.0.bb
+++ b/meta-oe/recipes-support/ceres-solver/ceres-solver_1.14.0.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=35e00f0c4c96a0820a03e0b31e6416be"
DEPENDS = "libeigen glog"
-SRC_URI = "git://github.com/ceres-solver/ceres-solver.git"
+SRC_URI = "git://github.com/ceres-solver/ceres-solver.git;branch=master;protocol=https"
SRCREV = "facb199f3eda902360f9e1d5271372b7e54febe1"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/cli11/cli11_1.8.0.bb b/meta-oe/recipes-support/cli11/cli11_1.8.0.bb
index dd129cbec..a49eab72f 100644
--- a/meta-oe/recipes-support/cli11/cli11_1.8.0.bb
+++ b/meta-oe/recipes-support/cli11/cli11_1.8.0.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b73927b18d5c6cd8d2ed28a6ad539733"
SRCREV = "13becaddb657eacd090537719a669d66d393b8b2"
PV .= "+git${SRCPV}"
-SRC_URI += "gitsm://github.com/CLIUtils/CLI11 \
+SRC_URI += "gitsm://github.com/CLIUtils/CLI11;branch=main;protocol=https \
file://0001-Add-CLANG_TIDY-check.patch \
file://0001-Use-GNUInstallDirs-instead-of-hard-coded-path.patch \
"
diff --git a/meta-oe/recipes-support/cmark/cmark_git.bb b/meta-oe/recipes-support/cmark/cmark_git.bb
index f74a39b50..4f07beb31 100644
--- a/meta-oe/recipes-support/cmark/cmark_git.bb
+++ b/meta-oe/recipes-support/cmark/cmark_git.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/commonmark/cmark"
LICENSE = "BSD-2-Clause & MIT"
LIC_FILES_CHKSUM = "file://COPYING;md5=81f9cae6293cc0345a9144b78152ab62"
-SRC_URI = "git://github.com/commonmark/cmark.git"
+SRC_URI = "git://github.com/commonmark/cmark.git;branch=master;protocol=https"
SRCREV = "8daa6b1495124f0b67e6034130e12d7be83e38bd"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/daemonize/daemonize_git.bb b/meta-oe/recipes-support/daemonize/daemonize_git.bb
index c76632781..f46dec59f 100644
--- a/meta-oe/recipes-support/daemonize/daemonize_git.bb
+++ b/meta-oe/recipes-support/daemonize/daemonize_git.bb
@@ -7,7 +7,7 @@ PV = "1.7.8"
inherit autotools
SRCREV = "18869a797dab12bf1c917ba3b4782fef484c407c"
-SRC_URI = "git://github.com/bmc/daemonize.git \
+SRC_URI = "git://github.com/bmc/daemonize.git;branch=master;protocol=https \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/digitemp/digitemp_3.7.2.bb b/meta-oe/recipes-support/digitemp/digitemp_3.7.2.bb
index 9fcc278d3..cac2b4fd6 100644
--- a/meta-oe/recipes-support/digitemp/digitemp_3.7.2.bb
+++ b/meta-oe/recipes-support/digitemp/digitemp_3.7.2.bb
@@ -4,7 +4,7 @@ DEPENDS = "libusb1"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=44fee82a1d2ed0676cf35478283e0aa0"
-SRC_URI = "git://github.com/bcl/digitemp"
+SRC_URI = "git://github.com/bcl/digitemp;branch=master;protocol=https"
SRCREV = "a162e63aad35358aab325388f3d5e88121606419"
diff --git a/meta-oe/recipes-support/dstat/dstat_0.7.4.bb b/meta-oe/recipes-support/dstat/dstat_0.7.4.bb
index 74af54ca5..18c3cdf82 100644
--- a/meta-oe/recipes-support/dstat/dstat_0.7.4.bb
+++ b/meta-oe/recipes-support/dstat/dstat_0.7.4.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
DEPENDS += "asciidoc-native xmlto-native"
-SRC_URI = "git://github.com/dagwieers/dstat.git \
+SRC_URI = "git://github.com/dagwieers/dstat.git;branch=master;protocol=https \
file://0001-change-dstat-to-python3.patch \
"
@@ -21,4 +21,4 @@ do_install() {
oe_runmake 'DESTDIR=${D}' install
}
-RDEPENDS_${PN} += "python3-core python3-misc python3-resource python3-shell python3-unixadmin"
+RDEPENDS_${PN} += "python3-core python3-misc python3-resource python3-shell python3-six python3-unixadmin"
diff --git a/meta-oe/recipes-support/epeg/epeg_git.bb b/meta-oe/recipes-support/epeg/epeg_git.bb
index 8ca574014..bdffe4ba7 100644
--- a/meta-oe/recipes-support/epeg/epeg_git.bb
+++ b/meta-oe/recipes-support/epeg/epeg_git.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e7732a9290ea1e4b034fdc15cf49968d \
file://COPYING-PLAIN;md5=f59cacc08235a546b0c34a5422133035"
DEPENDS = "jpeg libexif"
-SRC_URI = "git://github.com/mattes/epeg.git"
+SRC_URI = "git://github.com/mattes/epeg.git;branch=master;protocol=https"
SRCREV = "9a175cd67eaa61fe45413d8da82da72936567047"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/fmt/fmt_6.2.0.bb b/meta-oe/recipes-support/fmt/fmt_6.2.0.bb
index 05dc94a99..1a05f0d54 100644
--- a/meta-oe/recipes-support/fmt/fmt_6.2.0.bb
+++ b/meta-oe/recipes-support/fmt/fmt_6.2.0.bb
@@ -4,7 +4,7 @@ HOMEPAGE = "https://fmt.dev"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=af88d758f75f3c5c48a967501f24384b"
-SRC_URI += "git://github.com/fmtlib/fmt"
+SRC_URI += "git://github.com/fmtlib/fmt;branch=master;protocol=https"
SRCREV = "9bdd1596cef1b57b9556f8bef32dc4a32322ef3e"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/freerdp/freerdp_git.bb b/meta-oe/recipes-support/freerdp/freerdp_git.bb
index 82ef561fb..309acfbff 100644
--- a/meta-oe/recipes-support/freerdp/freerdp_git.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp_git.bb
@@ -16,7 +16,7 @@ PKGV = "${GITPKGVTAG}"
# 2.0.0 release
SRCREV = "5ab2bed8749747b8e4b2ed431fd102bc726be684"
-SRC_URI = "git://github.com/FreeRDP/FreeRDP.git \
+SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \
file://winpr-makecert-Build-with-install-RPATH.patch \
"
diff --git a/meta-oe/recipes-support/function2/function2_4.0.0.bb b/meta-oe/recipes-support/function2/function2_4.0.0.bb
index 556a25aa1..07aa66937 100644
--- a/meta-oe/recipes-support/function2/function2_4.0.0.bb
+++ b/meta-oe/recipes-support/function2/function2_4.0.0.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=e4224ccaecb14d942c71d31bef20d78c"
SRCREV = "d2acdb6c3c7612a6133cd03464ef941161258f4e"
PV .= "+git${SRCPV}"
-SRC_URI += "gitsm://github.com/Naios/function2"
+SRC_URI += "gitsm://github.com/Naios/function2;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/gd/gd_2.3.0.bb b/meta-oe/recipes-support/gd/gd_2.3.0.bb
index eec8a05ae..8adb7db4d 100644
--- a/meta-oe/recipes-support/gd/gd_2.3.0.bb
+++ b/meta-oe/recipes-support/gd/gd_2.3.0.bb
@@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=8e5bc8627b9494741c905d65238c66b7"
DEPENDS = "freetype libpng jpeg zlib tiff"
-SRC_URI = "git://github.com/libgd/libgd.git;branch=master \
+SRC_URI = "git://github.com/libgd/libgd.git;branch=master;protocol=https \
"
SRCREV = "b079fa06223c3ab862c8f0eea58a968727971988"
diff --git a/meta-oe/recipes-support/gflags/gflags_2.2.2.bb b/meta-oe/recipes-support/gflags/gflags_2.2.2.bb
index 6eea0c00e..4379c2d9e 100644
--- a/meta-oe/recipes-support/gflags/gflags_2.2.2.bb
+++ b/meta-oe/recipes-support/gflags/gflags_2.2.2.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/gflags/gflags"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://COPYING.txt;md5=c80d1a3b623f72bb85a4c75b556551df"
-SRC_URI = "git://github.com/gflags/gflags.git"
+SRC_URI = "git://github.com/gflags/gflags.git;branch=master;protocol=https"
SRCREV = "e171aa2d15ed9eb17054558e0b3a6a413bb01067"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/glog/glog_0.3.5.bb b/meta-oe/recipes-support/glog/glog_0.3.5.bb
index 56bf51554..55ca838cd 100644
--- a/meta-oe/recipes-support/glog/glog_0.3.5.bb
+++ b/meta-oe/recipes-support/glog/glog_0.3.5.bb
@@ -7,7 +7,7 @@ LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://COPYING;md5=dc9db360e0bbd4e46672f3fd91dd6c4b"
SRC_URI = " \
- git://github.com/google/glog.git;nobranch=1 \
+ git://github.com/google/glog.git;nobranch=1;protocol=https \
file://0001-Rework-CMake-glog-VERSION-management.patch \
file://0002-Find-Libunwind-during-configure.patch \
file://0003-installation-path-fix.patch \
diff --git a/meta-oe/recipes-support/gnulib/gnulib_2018-03-07.03.bb b/meta-oe/recipes-support/gnulib/gnulib_2018-03-07.03.bb
index 146747eee..ac46b5676 100644
--- a/meta-oe/recipes-support/gnulib/gnulib_2018-03-07.03.bb
+++ b/meta-oe/recipes-support/gnulib/gnulib_2018-03-07.03.bb
@@ -13,7 +13,7 @@ LICENSE = "LGPLv2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=56a22a6e5bcce45e2c8ac184f81412b5"
SRCREV = "0d6e3307bbdb8df4d56043d5f373eeeffe4cbef3"
-SRC_URI = "git://git.sv.gnu.org/gnulib.git \
+SRC_URI = "git://git.sv.gnu.org/gnulib.git;branch=master \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/gperftools/gperftools_2.7.90.bb b/meta-oe/recipes-support/gperftools/gperftools_2.7.90.bb
index b7b783931..1a1f7db5c 100644
--- a/meta-oe/recipes-support/gperftools/gperftools_2.7.90.bb
+++ b/meta-oe/recipes-support/gperftools/gperftools_2.7.90.bb
@@ -4,7 +4,7 @@ LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://COPYING;md5=762732742c73dc6c7fbe8632f06c059a"
SRCREV = "db7aa547abb5abdd558587a15502584cbc825438"
-SRC_URI = "git://github.com/gperftools/gperftools \
+SRC_URI = "git://github.com/gperftools/gperftools;branch=master;protocol=https \
file://0001-Support-Atomic-ops-on-clang.patch \
file://0001-fix-build-with-musl-libc.patch \
file://0001-disbale-heap-checkers-and-debug-allocator-on-musl.patch \
diff --git a/meta-oe/recipes-support/gpm/gpm_git.bb b/meta-oe/recipes-support/gpm/gpm_git.bb
index 3800d147f..6bf071d89 100644
--- a/meta-oe/recipes-support/gpm/gpm_git.bb
+++ b/meta-oe/recipes-support/gpm/gpm_git.bb
@@ -13,7 +13,7 @@ SRCREV = "1fd19417b8a4dd9945347e98dfa97e4cfd798d77"
DEPENDS = "ncurses bison-native"
-SRC_URI = "git://github.com/telmich/gpm;protocol=git \
+SRC_URI = "git://github.com/telmich/gpm;protocol=https;branch=master \
file://init \
file://gpm.service.in \
file://0001-Use-sigemptyset-API-instead-of-__sigemptyset.patch \
diff --git a/meta-oe/recipes-support/hidapi/hidapi_git.bb b/meta-oe/recipes-support/hidapi/hidapi_git.bb
index a34797ff5..1cc3acac2 100644
--- a/meta-oe/recipes-support/hidapi/hidapi_git.bb
+++ b/meta-oe/recipes-support/hidapi/hidapi_git.bb
@@ -8,7 +8,7 @@ DEPENDS = "libusb udev"
PV = "0.7.99+0.8.0-rc1+git${SRCPV}"
SRCREV = "d17db57b9d4354752e0af42f5f33007a42ef2906"
-SRC_URI = "git://github.com/signal11/hidapi.git"
+SRC_URI = "git://github.com/signal11/hidapi.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/hunspell/hunspell-dictionaries.bb b/meta-oe/recipes-support/hunspell/hunspell-dictionaries.bb
index 3da67d1e3..2e902ca4c 100644
--- a/meta-oe/recipes-support/hunspell/hunspell-dictionaries.bb
+++ b/meta-oe/recipes-support/hunspell/hunspell-dictionaries.bb
@@ -135,7 +135,7 @@ RDEPENDS_${PN} = "hunspell"
PV = "0.0.0+git${SRCPV}"
SRCREV = "820a65e539e34a3a8c2a855d2450b84745c624ee"
-SRC_URI = "git://github.com/wooorm/dictionaries.git"
+SRC_URI = "git://github.com/wooorm/dictionaries.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/hunspell/hunspell_1.7.0.bb b/meta-oe/recipes-support/hunspell/hunspell_1.7.0.bb
index c2fb4fa05..63d68ea06 100644
--- a/meta-oe/recipes-support/hunspell/hunspell_1.7.0.bb
+++ b/meta-oe/recipes-support/hunspell/hunspell_1.7.0.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = " \
"
SRCREV = "4ddd8ed5ca6484b930b111aec50c2750a6119a0f"
-SRC_URI = "git://github.com/${BPN}/${BPN}.git"
+SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/hwdata/hwdata_git.bb b/meta-oe/recipes-support/hwdata/hwdata_git.bb
index 5f3e3f686..1d0c64000 100644
--- a/meta-oe/recipes-support/hwdata/hwdata_git.bb
+++ b/meta-oe/recipes-support/hwdata/hwdata_git.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=1556547711e8246992b999edd9445a57"
PV = "0.333"
SRCREV = "2de52be0d00015fa6cde70bb845fa9b86cf6f420"
-SRC_URI = "git://github.com/vcrhonek/${BPN}.git"
+SRC_URI = "git://github.com/vcrhonek/${BPN}.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/iksemel/iksemel_1.5.bb b/meta-oe/recipes-support/iksemel/iksemel_1.5.bb
index 986984d1f..ac23630d0 100644
--- a/meta-oe/recipes-support/iksemel/iksemel_1.5.bb
+++ b/meta-oe/recipes-support/iksemel/iksemel_1.5.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d8045f3b8f929c1cb29a1e3fd737b499"
SRCREV = "978b733462e41efd5db72bc9974cb3b0d1d5f6fa"
PV = "1.5+git${SRCPV}"
-SRC_URI = "git://github.com/meduketto/iksemel.git;protocol=https \
+SRC_URI = "git://github.com/meduketto/iksemel.git;protocol=https;branch=master \
file://fix-configure-option-parsing.patch \
file://avoid-obsolete-gnutls-apis.patch"
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.9.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.9.bb
index 3f7d06e26..21f51ff15 100644
--- a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.9.bb
+++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.9.bb
@@ -10,7 +10,7 @@ DEPENDS = "lcms bzip2 jpeg libpng tiff zlib fftw freetype libtool"
BASE_PV := "${PV}"
PV .= "_13"
-SRC_URI = "git://github.com/ImageMagick/ImageMagick.git "
+SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=https"
SRCREV = "15b935d64f613b5a0fc9d3fead5c6ec1b0e3908f"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/inih/libinih_git.bb b/meta-oe/recipes-support/inih/libinih_git.bb
index 227e2a7b7..4c3c8f0fa 100644
--- a/meta-oe/recipes-support/inih/libinih_git.bb
+++ b/meta-oe/recipes-support/inih/libinih_git.bb
@@ -9,7 +9,7 @@ PR = "r3"
# The github repository provides a cmake and pkg-config integration
SRCREV = "c858aff8c31fa63ef4d1e0176c10e5928cde9a23"
-SRC_URI = "git://github.com/OSSystems/inih.git \
+SRC_URI = "git://github.com/OSSystems/inih.git;branch=master;protocol=https \
"
UPSTREAM_CHECK_COMMITS = "1"
diff --git a/meta-oe/recipes-support/iniparser/iniparser_4.1.bb b/meta-oe/recipes-support/iniparser/iniparser_4.1.bb
index f4b553a57..f3593fb5f 100644
--- a/meta-oe/recipes-support/iniparser/iniparser_4.1.bb
+++ b/meta-oe/recipes-support/iniparser/iniparser_4.1.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e02baf71c76e0650e667d7da133379ac"
DEPENDS = "doxygen-native"
-SRC_URI = "git://github.com/ndevilla/iniparser.git;protocol=https \
+SRC_URI = "git://github.com/ndevilla/iniparser.git;protocol=https;branch=master \
file://Add-CMake-support.patch"
# tag 4.1
diff --git a/meta-oe/recipes-support/inotify-tools/inotify-tools_git.bb b/meta-oe/recipes-support/inotify-tools/inotify-tools_git.bb
index f42abeb2b..1d84bfd49 100644
--- a/meta-oe/recipes-support/inotify-tools/inotify-tools_git.bb
+++ b/meta-oe/recipes-support/inotify-tools/inotify-tools_git.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ac6c26e52aea428ee7f56dc2c56424c6"
SRCREV = "cfa93aa19f81d85b63cd64da30c7499890d4c07d"
PV = "3.20.2.2"
-SRC_URI = "git://github.com/rvoicilas/${BPN} \
+SRC_URI = "git://github.com/rvoicilas/${BPN};branch=master;protocol=https \
file://0001-Makefile.am-add-build-rule-for-README.patch \
"
diff --git a/meta-oe/recipes-support/libatasmart/libatasmart_0.19.bb b/meta-oe/recipes-support/libatasmart/libatasmart_0.19.bb
index 4cfb73293..d084a3b9b 100644
--- a/meta-oe/recipes-support/libatasmart/libatasmart_0.19.bb
+++ b/meta-oe/recipes-support/libatasmart/libatasmart_0.19.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://LGPL;md5=2d5025d4aa3495befef8f17206a5b0a1"
DEPENDS = "udev"
SRCREV = "de6258940960443038b4c1651dfda3620075e870"
-SRC_URI = "git://git.0pointer.de/libatasmart.git \
+SRC_URI = "git://git.0pointer.de/libatasmart.git;branch=master \
file://0001-Makefile.am-add-CFLAGS-and-LDFLAGS-definiton.patch \
"
diff --git a/meta-oe/recipes-support/libbytesize/libbytesize_2.2.bb b/meta-oe/recipes-support/libbytesize/libbytesize_2.2.bb
index a954499c6..527de93e4 100644
--- a/meta-oe/recipes-support/libbytesize/libbytesize_2.2.bb
+++ b/meta-oe/recipes-support/libbytesize/libbytesize_2.2.bb
@@ -10,7 +10,7 @@ S = "${WORKDIR}/git"
B = "${S}"
SRCREV = "e64e752a28a4a41b0a43cba3bedf9571c22af807"
-SRC_URI = "git://github.com/rhinstaller/libbytesize;branch=master"
+SRC_URI = "git://github.com/rhinstaller/libbytesize;branch=master;protocol=https"
inherit gettext autotools python3native
diff --git a/meta-oe/recipes-support/libcereal/libcereal_1.3.0.bb b/meta-oe/recipes-support/libcereal/libcereal_1.3.0.bb
index 6fc5881c5..ac6aedfd5 100644
--- a/meta-oe/recipes-support/libcereal/libcereal_1.3.0.bb
+++ b/meta-oe/recipes-support/libcereal/libcereal_1.3.0.bb
@@ -7,7 +7,7 @@ LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=e612690af2f575dfd02e2e91443cea23"
SRCREV = "02eace19a99ce3cd564ca4e379753d69af08c2c8"
-SRC_URI = "git://github.com/USCiLab/cereal.git"
+SRC_URI = "git://github.com/USCiLab/cereal.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb b/meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb
index 74b5e21e2..c6878577e 100644
--- a/meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb
+++ b/meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb
@@ -8,7 +8,7 @@ DEPENDS = "libusb udev"
PV = "1.0.0+git${SRCPV}"
SRCREV = "655e2d544183d094f0e2d119c7e0c6206a0ddb3f"
-SRC_URI = "git://github.com/cyrozap/${BPN}.git"
+SRC_URI = "git://github.com/cyrozap/${BPN}.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/libfann/libfann_git.bb b/meta-oe/recipes-support/libfann/libfann_git.bb
index eae24461d..5ab484d8a 100644
--- a/meta-oe/recipes-support/libfann/libfann_git.bb
+++ b/meta-oe/recipes-support/libfann/libfann_git.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=f14599a2f089f6ff8c97e2baa4e3d575"
inherit cmake
SRCREV ?= "7ec1fc7e5bd734f1d3c89b095e630e83c86b9be1"
-SRC_URI = "git://github.com/libfann/fann.git;branch=master \
+SRC_URI = "git://github.com/libfann/fann.git;branch=master;protocol=https \
"
PV = "2.2.0+git${SRCPV}"
diff --git a/meta-oe/recipes-support/libgit2/libgit2_0.28.4.bb b/meta-oe/recipes-support/libgit2/libgit2_0.28.4.bb
index 9b9c19104..c971491b1 100644
--- a/meta-oe/recipes-support/libgit2/libgit2_0.28.4.bb
+++ b/meta-oe/recipes-support/libgit2/libgit2_0.28.4.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=3f2cd5d3cccd71d62066ba619614592b"
DEPENDS = "curl openssl zlib libssh2 libgcrypt"
-SRC_URI = "git://github.com/libgit2/libgit2.git;branch=maint/v0.28"
+SRC_URI = "git://github.com/libgit2/libgit2.git;branch=maint/v0.28;protocol=https"
SRCREV = "106a5f27586504ea371528191f0ea3aac2ad432b"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/libgusb/libgusb_git.bb b/meta-oe/recipes-support/libgusb/libgusb_git.bb
index e3c0bdd15..a26c23465 100644
--- a/meta-oe/recipes-support/libgusb/libgusb_git.bb
+++ b/meta-oe/recipes-support/libgusb/libgusb_git.bb
@@ -6,7 +6,7 @@ DEPENDS = "glib-2.0 libusb"
inherit meson gobject-introspection gtk-doc gettext vala
-SRC_URI = "git://github.com/hughsie/libgusb.git"
+SRC_URI = "git://github.com/hughsie/libgusb.git;branch=master;protocol=https"
SRCREV = "636efc0624aa2a88174220fcabc9764c13d7febf"
PV = "0.3.0+git${SRCPV}"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/libharu/libharu_2.3.0.bb b/meta-oe/recipes-support/libharu/libharu_2.3.0.bb
index 2d1a37c42..86b5ba540 100644
--- a/meta-oe/recipes-support/libharu/libharu_2.3.0.bb
+++ b/meta-oe/recipes-support/libharu/libharu_2.3.0.bb
@@ -6,7 +6,7 @@ DESCRIPTION = "libHaru is a library for generating PDF files. \
LICENSE = "Zlib"
LIC_FILES_CHKSUM = "file://README;md5=3ee6bc1f64d9cc7907f44840c8e50cb1"
-SRC_URI = "git://github.com/libharu/libharu.git;branch=2_3 \
+SRC_URI = "git://github.com/libharu/libharu.git;branch=2_3;protocol=https \
file://libharu-RELEASE_2_3_0_cmake.patch \
"
diff --git a/meta-oe/recipes-support/libiio/libiio_git.bb b/meta-oe/recipes-support/libiio/libiio_git.bb
index f83d9c922..0892a3693 100644
--- a/meta-oe/recipes-support/libiio/libiio_git.bb
+++ b/meta-oe/recipes-support/libiio/libiio_git.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING.txt;md5=7c13b3376cea0ce68d2d2da0a1b3a72c"
SRCREV = "5f5af2e417129ad8f4e05fc5c1b730f0694dca12"
PV = "0.19+git${SRCPV}"
-SRC_URI = "git://github.com/analogdevicesinc/libiio.git;protocol=https"
+SRC_URI = "git://github.com/analogdevicesinc/libiio.git;protocol=https;branch=master"
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch
new file mode 100644
index 000000000..ff792d4da
--- /dev/null
+++ b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch
@@ -0,0 +1,158 @@
+From 86d9a61be6395220714b1a50d5144e65668961f6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ernst=20Sj=C3=B6strand?= <ernst.sjostrand@verisure.com>
+Date: Tue, 21 Dec 2021 11:05:22 +0000
+Subject: [PATCH] Fix buffer overflow in url parser and add test
+
+Reference:
+https://git.gnunet.org/libmicrohttpd.git/commit/?id=a110ae6276660bee3caab30e9ff3f12f85cf3241
+
+Upstream-Status: Backport
+CVE: CVE-2021-3466
+
+Signed-off-by: Ernst Sjstrand <ernst.sjostrand@verisure.com>
+---
+ src/microhttpd/postprocessor.c | 18 ++++++--
+ src/microhttpd/test_postprocessor.c | 66 +++++++++++++++++++++++++++++
+ 2 files changed, 80 insertions(+), 4 deletions(-)
+
+diff --git a/src/microhttpd/postprocessor.c b/src/microhttpd/postprocessor.c
+index b7f6b10..ebd1686 100644
+--- a/src/microhttpd/postprocessor.c
++++ b/src/microhttpd/postprocessor.c
+@@ -137,8 +137,7 @@ struct MHD_PostProcessor
+ void *cls;
+
+ /**
+- * Encoding as given by the headers of the
+- * connection.
++ * Encoding as given by the headers of the connection.
+ */
+ const char *encoding;
+
+@@ -586,7 +585,7 @@ post_process_urlencoded (struct MHD_PostProcessor *pp,
+ pp->state = PP_Error;
+ break;
+ case PP_Callback:
+- if ( (pp->buffer_pos + (end_key - start_key) >
++ if ( (pp->buffer_pos + (end_key - start_key) >=
+ pp->buffer_size) ||
+ (pp->buffer_pos + (end_key - start_key) <
+ pp->buffer_pos) )
+@@ -636,6 +635,11 @@ post_process_urlencoded (struct MHD_PostProcessor *pp,
+ {
+ if (NULL == end_key)
+ end_key = &post_data[poff];
++ if (pp->buffer_pos + (end_key - start_key) >= pp->buffer_size)
++ {
++ pp->state = PP_Error;
++ return MHD_NO;
++ }
+ memcpy (&kbuf[pp->buffer_pos],
+ start_key,
+ end_key - start_key);
+@@ -663,6 +667,11 @@ post_process_urlencoded (struct MHD_PostProcessor *pp,
+ last_escape);
+ pp->must_ikvi = false;
+ }
++ if (PP_Error == pp->state)
++ {
++ /* State in error, returning failure */
++ return MHD_NO;
++ }
+ return MHD_YES;
+ }
+
+@@ -1424,7 +1433,8 @@ MHD_destroy_post_processor (struct MHD_PostProcessor *pp)
+ the post-processing may have been interrupted
+ at any stage */
+ if ( (pp->xbuf_pos > 0) ||
+- (pp->state != PP_Done) )
++ ( (pp->state != PP_Done) &&
++ (pp->state != PP_Init) ) )
+ ret = MHD_NO;
+ else
+ ret = MHD_YES;
+diff --git a/src/microhttpd/test_postprocessor.c b/src/microhttpd/test_postprocessor.c
+index 2c37565..cba486d 100644
+--- a/src/microhttpd/test_postprocessor.c
++++ b/src/microhttpd/test_postprocessor.c
+@@ -451,6 +451,71 @@ test_empty_value (void)
+ }
+
+
++static enum MHD_Result
++value_checker2 (void *cls,
++ enum MHD_ValueKind kind,
++ const char *key,
++ const char *filename,
++ const char *content_type,
++ const char *transfer_encoding,
++ const char *data,
++ uint64_t off,
++ size_t size)
++{
++ return MHD_YES;
++}
++
++
++static int
++test_overflow ()
++{
++ struct MHD_Connection connection;
++ struct MHD_HTTP_Header header;
++ struct MHD_PostProcessor *pp;
++ size_t i;
++ size_t j;
++ size_t delta;
++ char *buf;
++
++ memset (&connection, 0, sizeof (struct MHD_Connection));
++ memset (&header, 0, sizeof (struct MHD_HTTP_Header));
++ connection.headers_received = &header;
++ header.header = MHD_HTTP_HEADER_CONTENT_TYPE;
++ header.value = MHD_HTTP_POST_ENCODING_FORM_URLENCODED;
++ header.header_size = strlen (header.header);
++ header.value_size = strlen (header.value);
++ header.kind = MHD_HEADER_KIND;
++ for (i = 128; i < 1024 * 1024; i += 1024)
++ {
++ pp = MHD_create_post_processor (&connection,
++ 1024,
++ &value_checker2,
++ NULL);
++ buf = malloc (i);
++ if (NULL == buf)
++ return 1;
++ memset (buf, 'A', i);
++ buf[i / 2] = '=';
++ delta = 1 + (MHD_random_ () % (i - 1));
++ j = 0;
++ while (j < i)
++ {
++ if (j + delta > i)
++ delta = i - j;
++ if (MHD_NO ==
++ MHD_post_process (pp,
++ &buf[j],
++ delta))
++ break;
++ j += delta;
++ }
++ free (buf);
++ MHD_destroy_post_processor (pp);
++ }
++ return 0;
++}
++
++
+ int
+ main (int argc, char *const *argv)
+ {
+@@ -463,6 +528,7 @@ main (int argc, char *const *argv)
+ errorCount += test_multipart ();
+ errorCount += test_nested_multipart ();
+ errorCount += test_empty_value ();
++ errorCount += test_overflow ();
+ if (errorCount != 0)
+ fprintf (stderr, "Error (code: %u)\n", errorCount);
+ return errorCount != 0; /* 0 == pass */
diff --git a/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb
index 94976d2e9..9d5e85e1a 100644
--- a/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb
+++ b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb
@@ -7,7 +7,8 @@ SECTION = "net"
DEPENDS = "file"
SRC_URI = "${GNU_MIRROR}/libmicrohttpd/${BPN}-${PV}.tar.gz \
-"
+ file://CVE-2021-3466.patch \
+ "
SRC_URI[md5sum] = "dcd6045ecb4ea18c120afedccbd1da74"
SRC_URI[sha256sum] = "90d0a3d396f96f9bc41eb0f7e8187796049285fabef82604acd4879590977307"
diff --git a/meta-oe/recipes-support/libmimetic/libmimetic_0.9.8.bb b/meta-oe/recipes-support/libmimetic/libmimetic_0.9.8.bb
index 590c4ebc2..fc0b1ee49 100644
--- a/meta-oe/recipes-support/libmimetic/libmimetic_0.9.8.bb
+++ b/meta-oe/recipes-support/libmimetic/libmimetic_0.9.8.bb
@@ -10,7 +10,7 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=b49da7df0ca479ef01ff7f2d799eabee"
SRCREV = "50486af99b4f9b35522d7b3de40b6ce107505279"
-SRC_URI += "git://github.com/LadislavSopko/mimetic/ \
+SRC_URI += "git://github.com/LadislavSopko/mimetic/;branch=master;protocol=https \
file://0001-libmimetic-Removing-test-directory-from-the-Makefile.patch \
file://0001-mimetic-Check-for-MMAP_FAILED-return-from-mmap.patch \
"
diff --git a/meta-oe/recipes-support/libmxml/libmxml_3.1.bb b/meta-oe/recipes-support/libmxml/libmxml_3.1.bb
index 4e77d6cc0..fd3369d8d 100644
--- a/meta-oe/recipes-support/libmxml/libmxml_3.1.bb
+++ b/meta-oe/recipes-support/libmxml/libmxml_3.1.bb
@@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327"
HOMEPAGE = "https://www.msweet.org/mxml/"
BUGTRACKER = "https://github.com/michaelrsweet/mxml/issues"
-SRC_URI = "git://github.com/michaelrsweet/mxml.git"
+SRC_URI = "git://github.com/michaelrsweet/mxml.git;branch=master;protocol=https"
SRCREV = "e483e5fd8a33386fd46967681521bdd2da2b548f"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/libp11/libp11_0.4.10.bb b/meta-oe/recipes-support/libp11/libp11_0.4.10.bb
index 7fe0640d9..142002a26 100644
--- a/meta-oe/recipes-support/libp11/libp11_0.4.10.bb
+++ b/meta-oe/recipes-support/libp11/libp11_0.4.10.bb
@@ -9,7 +9,7 @@ LICENSE = "LGPLv2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=fad9b3332be894bab9bc501572864b29"
DEPENDS = "libtool openssl"
-SRC_URI = "git://github.com/OpenSC/libp11.git"
+SRC_URI = "git://github.com/OpenSC/libp11.git;branch=master;protocol=https"
SRCREV = "973d31f3f58d5549ddd8b1f822ce8f72186f9d68"
UPSTREAM_CHECK_GITTAGREGEX = "libp11-(?P<pver>\d+(\.\d+)+)"
diff --git a/meta-oe/recipes-support/librsync/librsync_2.3.1.bb b/meta-oe/recipes-support/librsync/librsync_2.3.1.bb
index 004c93d0f..fddece8d1 100644
--- a/meta-oe/recipes-support/librsync/librsync_2.3.1.bb
+++ b/meta-oe/recipes-support/librsync/librsync_2.3.1.bb
@@ -4,7 +4,7 @@ AUTHOR = "Martin Pool, Andrew Tridgell, Donovan Baarda, Adam Schubert"
LICENSE = "LGPLv2.1+"
LIC_FILES_CHKSUM = "file://COPYING;md5=d8045f3b8f929c1cb29a1e3fd737b499"
-SRC_URI = "git://github.com/librsync/librsync.git"
+SRC_URI = "git://github.com/librsync/librsync.git;branch=master;protocol=https"
SRCREV = "27f738650c20fef1285f11d85a34e5094a71c06f"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/libsoc/libsoc_0.8.2.bb b/meta-oe/recipes-support/libsoc/libsoc_0.8.2.bb
index 8b773aefa..f6fc0e36b 100644
--- a/meta-oe/recipes-support/libsoc/libsoc_0.8.2.bb
+++ b/meta-oe/recipes-support/libsoc/libsoc_0.8.2.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=e0bfebea12a718922225ba987b2126a5"
inherit autotools pkgconfig python3-dir
SRCREV = "fd1ad6e7823fa76d8db0d3c5884faffa8ffddafb"
-SRC_URI = "git://github.com/jackmitch/libsoc.git"
+SRC_URI = "git://github.com/jackmitch/libsoc.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/libteam/libteam_1.30.bb b/meta-oe/recipes-support/libteam/libteam_1.30.bb
index 9cd02b0c0..d04660ca1 100644
--- a/meta-oe/recipes-support/libteam/libteam_1.30.bb
+++ b/meta-oe/recipes-support/libteam/libteam_1.30.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
DEPENDS = "libnl libdaemon jansson"
-SRC_URI = "git://github.com/jpirko/libteam \
+SRC_URI = "git://github.com/jpirko/libteam;branch=master;protocol=https \
file://0001-include-sys-select.h-for-fd_set-definition.patch \
file://0002-teamd-Re-adjust-include-header-order.patch \
file://0001-team_basic_test.py-disable-RedHat-specific-test.patch \
diff --git a/meta-oe/recipes-support/libtinyxml2/libtinyxml2_8.0.0.bb b/meta-oe/recipes-support/libtinyxml2/libtinyxml2_8.0.0.bb
index a2491cf9e..2a33284b8 100644
--- a/meta-oe/recipes-support/libtinyxml2/libtinyxml2_8.0.0.bb
+++ b/meta-oe/recipes-support/libtinyxml2/libtinyxml2_8.0.0.bb
@@ -4,7 +4,7 @@ SECTION = "libs"
LICENSE = "Zlib"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=135624eef03e1f1101b9ba9ac9b5fffd"
-SRC_URI = "git://github.com/leethomason/tinyxml2.git"
+SRC_URI = "git://github.com/leethomason/tinyxml2.git;branch=master;protocol=https"
SRCREV = "bf15233ad88390461f6ab0dbcf046cce643c5fcb"
diff --git a/meta-oe/recipes-support/libusbg/libusbg_git.bb b/meta-oe/recipes-support/libusbg/libusbg_git.bb
index 97d60a6a8..6edac56fe 100644
--- a/meta-oe/recipes-support/libusbg/libusbg_git.bb
+++ b/meta-oe/recipes-support/libusbg/libusbg_git.bb
@@ -8,7 +8,7 @@ inherit autotools
PV = "0.1.0"
SRCREV = "a826d136e0e8fa53815f1ba05893e6dd74208c15"
-SRC_URI = "git://github.com/libusbg/libusbg.git \
+SRC_URI = "git://github.com/libusbg/libusbg.git;branch=master;protocol=https \
file://0001-Fix-out-of-tree-builds.patch \
"
diff --git a/meta-oe/recipes-support/libusbgx/libusbgx_git.bb b/meta-oe/recipes-support/libusbgx/libusbgx_git.bb
index d73ca6106..b88941d6e 100644
--- a/meta-oe/recipes-support/libusbgx/libusbgx_git.bb
+++ b/meta-oe/recipes-support/libusbgx/libusbgx_git.bb
@@ -11,7 +11,7 @@ PV = "0.2.0+git${SRCPV}"
SRCREV = "45c14ef4d5d7ced0fbf984208de44ced6d5ed898"
SRCBRANCH = "master"
SRC_URI = " \
- git://github.com/libusbgx/libusbgx.git;branch=${SRCBRANCH} \
+ git://github.com/libusbgx/libusbgx.git;branch=${SRCBRANCH};protocol=https \
file://gadget-start \
file://usbgx.initd \
file://usbgx.service \
diff --git a/meta-oe/recipes-support/libutempter/libutempter.bb b/meta-oe/recipes-support/libutempter/libutempter.bb
index b8a700b7b..d259f166d 100644
--- a/meta-oe/recipes-support/libutempter/libutempter.bb
+++ b/meta-oe/recipes-support/libutempter/libutempter.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2d5025d4aa3495befef8f17206a5b0a1"
SRCREV = "3ef74fff310f09e2601e241b9f042cd39d591018"
PV = "1.1.6-alt2+git${SRCPV}"
-SRC_URI = "git://git.altlinux.org/people/ldv/packages/libutempter.git \
+SRC_URI = "git://git.altlinux.org/people/ldv/packages/libutempter.git;branch=master \
file://0001-Fix-macro-error.patch \
file://0002-Proper-macro-path-generation.patch \
file://libutempter-remove-glibc-assumption.patch \
diff --git a/meta-oe/recipes-support/lio-utils/lio-utils_4.1.bb b/meta-oe/recipes-support/lio-utils/lio-utils_4.1.bb
index 0fb4a6e51..aab81461a 100644
--- a/meta-oe/recipes-support/lio-utils/lio-utils_4.1.bb
+++ b/meta-oe/recipes-support/lio-utils/lio-utils_4.1.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://debian/copyright;md5=c3ea231a32635cbb5debedf3e88aa3df
PV = "4.1+git${SRCPV}"
-SRC_URI = "git://github.com/Datera/lio-utils.git \
+SRC_URI = "git://github.com/Datera/lio-utils.git;branch=master;protocol=https \
file://0001-Makefiles-Respect-environment-variables-and-add-LDFL.patch \
"
SRCREV = "0ac9091c1ff7a52d5435a4f4449e82637142e06e"
diff --git a/meta-oe/recipes-support/lvm2/lvm2.inc b/meta-oe/recipes-support/lvm2/lvm2.inc
index 2fe97d571..d0fb33d11 100644
--- a/meta-oe/recipes-support/lvm2/lvm2.inc
+++ b/meta-oe/recipes-support/lvm2/lvm2.inc
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=12713b4d9386533feeb07d6e4831765a \
DEPENDS += "libaio"
-SRC_URI = "git://sourceware.org/git/lvm2.git \
+SRC_URI = "git://sourceware.org/git/lvm2.git;branch=master \
file://lvm.conf \
file://0001-implement-libc-specific-reopen_stream.patch \
file://0002-Guard-use-of-mallinfo-with-__GLIBC__.patch \
diff --git a/meta-oe/recipes-support/mcelog/mce-inject_git.bb b/meta-oe/recipes-support/mcelog/mce-inject_git.bb
index cc33cbaf2..8241bd234 100644
--- a/meta-oe/recipes-support/mcelog/mce-inject_git.bb
+++ b/meta-oe/recipes-support/mcelog/mce-inject_git.bb
@@ -4,7 +4,7 @@ software level into a running Linux kernel. This is intended for \
validation of the kernel machine check handler."
SECTION = "System Environment/Base"
-SRC_URI = "git://git.kernel.org/pub/scm/utils/cpu/mce/mce-inject.git"
+SRC_URI = "git://git.kernel.org/pub/scm/utils/cpu/mce/mce-inject.git;branch=master"
SRCREV = "4cbe46321b4a81365ff3aafafe63967264dbfec5"
diff --git a/meta-oe/recipes-support/mcelog/mce-test_git.bb b/meta-oe/recipes-support/mcelog/mce-test_git.bb
index 35fb94470..f24551521 100644
--- a/meta-oe/recipes-support/mcelog/mce-test_git.bb
+++ b/meta-oe/recipes-support/mcelog/mce-test_git.bb
@@ -10,7 +10,7 @@ containment and recovery, ACPI/APEI support etc."
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3"
-SRC_URI = "git://git.kernel.org/pub/scm/utils/cpu/mce/mce-test.git;protocol=git \
+SRC_URI = "git://git.kernel.org/pub/scm/utils/cpu/mce/mce-test.git;protocol=git;branch=master \
file://makefile-remove-ldflags.patch \
file://0001-gcov_merge.py-scov_merge.py-switch-to-python3.patch \
"
diff --git a/meta-oe/recipes-support/mcelog/mcelog_168.bb b/meta-oe/recipes-support/mcelog/mcelog_168.bb
index e2ef6ea58..c46413217 100644
--- a/meta-oe/recipes-support/mcelog/mcelog_168.bb
+++ b/meta-oe/recipes-support/mcelog/mcelog_168.bb
@@ -5,7 +5,7 @@ and should run on all Linux systems that need error handling."
HOMEPAGE = "http://mcelog.org/"
SECTION = "System Environment/Base"
-SRC_URI = "git://git.kernel.org/pub/scm/utils/cpu/mce/mcelog.git;protocol=http; \
+SRC_URI = "git://git.kernel.org/pub/scm/utils/cpu/mce/mcelog.git;protocol=http;branch=master \
file://run-ptest \
"
diff --git a/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb b/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb
index 8b0c89338..90cfd7d20 100644
--- a/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb
+++ b/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb
@@ -29,7 +29,7 @@ DEPENDS = "libdevmapper \
LICENSE = "GPLv2"
-SRC_URI = "git://git.opensvc.com/multipath-tools/.git;protocol=http \
+SRC_URI = "git://github.com/opensvc/multipath-tools.git;protocol=http;branch=master \
file://multipathd.oe \
file://multipath.conf.example \
file://0021-RH-fixup-udev-rules-for-redhat.patch \
diff --git a/meta-oe/recipes-support/ne10/ne10_1.2.1.bb b/meta-oe/recipes-support/ne10/ne10_1.2.1.bb
index f37ccde1c..6cb53212a 100644
--- a/meta-oe/recipes-support/ne10/ne10_1.2.1.bb
+++ b/meta-oe/recipes-support/ne10/ne10_1.2.1.bb
@@ -4,7 +4,7 @@ LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=e7fe20c9be97be5579e3ab5d92d3a218"
SECTION = "libs"
-SRC_URI = "git://github.com/projectNe10/Ne10.git \
+SRC_URI = "git://github.com/projectNe10/Ne10.git;branch=master;protocol=https \
file://0001-CMakeLists.txt-Remove-mthumb-interwork.patch \
file://0001-Dont-specify-march-explicitly.patch \
"
diff --git a/meta-oe/recipes-support/nss/nss/CVE-2020-12403_1.patch b/meta-oe/recipes-support/nss/nss/CVE-2020-12403_1.patch
new file mode 100644
index 000000000..a229a2d20
--- /dev/null
+++ b/meta-oe/recipes-support/nss/nss/CVE-2020-12403_1.patch
@@ -0,0 +1,65 @@
+From 9ff9d3925d31ab265a965ab1d16d76c496ddb5c8 Mon Sep 17 00:00:00 2001
+From: Benjamin Beurdouche <bbeurdouche@mozilla.com>
+Date: Sat, 18 Jul 2020 00:13:38 +0000
+Subject: [PATCH] Bug 1636771 - Fix incorrect call to Chacha20Poly1305 by
+ PKCS11. r=jcj,kjacobs,rrelyea
+
+Differential Revision: https://phabricator.services.mozilla.com/D74801
+
+--HG--
+extra : moz-landing-system : lando
+---
+ nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc | 11 +++++++++--
+ nss/lib/freebl/chacha20poly1305.c | 2 +-
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+CVE: CVE-2020-12403
+Upstream-Status: Backport [https://github.com/nss-dev/nss/commit/9ff9d3925d31ab265a965ab1d16d76c496ddb5c8]
+Comment: Refreshed path for whole patchset
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+diff --git a/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc b/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
+index 41f9da71d6..3ea17678d9 100644
+--- a/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
++++ b/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
+@@ -45,7 +45,7 @@ class Pkcs11ChaCha20Poly1305Test
+ SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&aead_params),
+ sizeof(aead_params)};
+
+- // Encrypt with bad parameters.
++ // Encrypt with bad parameters (TagLen is too long).
+ unsigned int encrypted_len = 0;
+ std::vector<uint8_t> encrypted(data_len + aead_params.ulTagLen);
+ aead_params.ulTagLen = 158072;
+@@ -54,9 +54,16 @@ class Pkcs11ChaCha20Poly1305Test
+ &encrypted_len, encrypted.size(), data, data_len);
+ EXPECT_EQ(SECFailure, rv);
+ EXPECT_EQ(0U, encrypted_len);
+- aead_params.ulTagLen = 16;
++
++ // Encrypt with bad parameters (TagLen is too short).
++ aead_params.ulTagLen = 2;
++ rv = PK11_Encrypt(key.get(), kMech, &params, encrypted.data(),
++ &encrypted_len, encrypted.size(), data, data_len);
++ EXPECT_EQ(SECFailure, rv);
++ EXPECT_EQ(0U, encrypted_len);
+
+ // Encrypt.
++ aead_params.ulTagLen = 16;
+ rv = PK11_Encrypt(key.get(), kMech, &params, encrypted.data(),
+ &encrypted_len, encrypted.size(), data, data_len);
+
+diff --git a/nss/lib/freebl/chacha20poly1305.c b/nss/lib/freebl/chacha20poly1305.c
+index 970c6436da..5c294a9eaf 100644
+--- a/nss/lib/freebl/chacha20poly1305.c
++++ b/nss/lib/freebl/chacha20poly1305.c
+@@ -81,7 +81,7 @@ ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx,
+ PORT_SetError(SEC_ERROR_BAD_KEY);
+ return SECFailure;
+ }
+- if (tagLen == 0 || tagLen > 16) {
++ if (tagLen != 16) {
+ PORT_SetError(SEC_ERROR_INPUT_LEN);
+ return SECFailure;
+ }
+
diff --git a/meta-oe/recipes-support/nss/nss/CVE-2020-12403_2.patch b/meta-oe/recipes-support/nss/nss/CVE-2020-12403_2.patch
new file mode 100644
index 000000000..7b093d0cd
--- /dev/null
+++ b/meta-oe/recipes-support/nss/nss/CVE-2020-12403_2.patch
@@ -0,0 +1,80 @@
+From 06b2b1c50bd4eaa7f65d858e5e3f44f678cb3c45 Mon Sep 17 00:00:00 2001
+From: Benjamin Beurdouche <bbeurdouche@mozilla.com>
+Date: Sat, 18 Jul 2020 00:13:14 +0000
+Subject: [PATCH] Bug 1636771 - Disable PKCS11 incremental mode for ChaCha20.
+ r=kjacobs,rrelyea
+
+Depends on D74801
+
+Differential Revision: https://phabricator.services.mozilla.com/D83994
+
+--HG--
+extra : moz-landing-system : lando
+---
+ nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc | 49 +++++++++++++++++++++
+ nss/lib/softoken/pkcs11c.c | 1 +
+ 2 files changed, 50 insertions(+)
+
+CVE: CVE-2020-12403
+Upstream-Status: Backport [https://github.com/nss-dev/nss/commit/06b2b1c50bd4eaa7f65d858e5e3f44f678cb3c45]
+Comment: Refreshed path for whole patchset and removed change for pkcs11c.c
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+diff --git a/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc b/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+index 38982fd885..700750cc90 100644
+--- a/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc
++++ b/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+@@ -77,4 +77,53 @@ TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOps) {
+ NSS_ShutdownContext(globalctx);
+ }
+
++TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOpsChaCha20) {
++ PK11SlotInfo* slot;
++ PK11SymKey* key;
++ PK11Context* ctx;
++
++ NSSInitContext* globalctx =
++ NSS_InitContext("", "", "", "", NULL,
++ NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB |
++ NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT);
++
++ const CK_MECHANISM_TYPE cipher = CKM_NSS_CHACHA20_CTR;
++
++ slot = PK11_GetInternalSlot();
++ ASSERT_TRUE(slot);
++
++ // Use arbitrary bytes for the ChaCha20 key and IV
++ uint8_t key_bytes[32];
++ for (size_t i = 0; i < 32; i++) {
++ key_bytes[i] = i;
++ }
++ SECItem keyItem = {siBuffer, key_bytes, 32};
++
++ uint8_t iv_bytes[16];
++ for (size_t i = 0; i < 16; i++) {
++ key_bytes[i] = i;
++ }
++ SECItem ivItem = {siBuffer, iv_bytes, 16};
++
++ SECItem* param = PK11_ParamFromIV(cipher, &ivItem);
++
++ key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT,
++ &keyItem, NULL);
++ ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, param);
++ ASSERT_TRUE(key);
++ ASSERT_TRUE(ctx);
++
++ uint8_t outbuf[128];
++ // This is supposed to fail for Chacha20. This is because the underlying
++ // PK11_CipherOp operation is calling the C_EncryptUpdate function for
++ // which multi-part is disabled for ChaCha20 in counter mode.
++ ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECFailure);
++
++ PK11_FreeSymKey(key);
++ PK11_FreeSlot(slot);
++ SECITEM_FreeItem(param, PR_TRUE);
++ PK11_DestroyContext(ctx, PR_TRUE);
++ NSS_ShutdownContext(globalctx);
++}
++
+ } // namespace nss_test
diff --git a/meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch b/meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch
new file mode 100644
index 000000000..cf3ea63ca
--- /dev/null
+++ b/meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch
@@ -0,0 +1,283 @@
+Description: fix heap overflow when verifying DSA/RSA-PSS DER-encoded signatures
+Origin: Provided by Mozilla
+
+CVE: CVE-2021-43527
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.35-2ubuntu2.13.debian.tar.xz]
+Comment: Refreshed hunk 1 and 6 due to fuzz
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+--- a/nss/lib/cryptohi/secvfy.c
++++ b/nss/lib/cryptohi/secvfy.c
+@@ -164,6 +164,37 @@
+ PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
+ }
+
++static unsigned int
++checkedSignatureLen(const SECKEYPublicKey *pubk)
++{
++ unsigned int sigLen = SECKEY_SignatureLen(pubk);
++ if (sigLen == 0) {
++ /* Error set by SECKEY_SignatureLen */
++ return sigLen;
++ }
++ unsigned int maxSigLen;
++ switch (pubk->keyType) {
++ case rsaKey:
++ case rsaPssKey:
++ maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
++ break;
++ case dsaKey:
++ maxSigLen = DSA_MAX_SIGNATURE_LEN;
++ break;
++ case ecKey:
++ maxSigLen = 2 * MAX_ECKEY_LEN;
++ break;
++ default:
++ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
++ return 0;
++ }
++ if (sigLen > maxSigLen) {
++ PORT_SetError(SEC_ERROR_INVALID_KEY);
++ return 0;
++ }
++ return sigLen;
++}
++
+ /*
+ * decode the ECDSA or DSA signature from it's DER wrapping.
+ * The unwrapped/raw signature is placed in the buffer pointed
+@@ -174,38 +205,38 @@ decodeECorDSASignature(SECOidTag algid,
+ unsigned int len)
+ {
+ SECItem *dsasig = NULL; /* also used for ECDSA */
+- SECStatus rv = SECSuccess;
+
+- if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
+- (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
+- if (sig->len != len) {
+- PORT_SetError(SEC_ERROR_BAD_DER);
+- return SECFailure;
++ /* Safety: Ensure algId is as expected and that signature size is within maxmimums */
++ if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
++ if (len > DSA_MAX_SIGNATURE_LEN) {
++ goto loser;
+ }
+-
+- PORT_Memcpy(dsig, sig->data, sig->len);
+- return SECSuccess;
+- }
+-
+- if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
++ } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
+ if (len > MAX_ECKEY_LEN * 2) {
+- PORT_SetError(SEC_ERROR_BAD_DER);
+- return SECFailure;
++ goto loser;
+ }
+- }
+- dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
+-
+- if ((dsasig == NULL) || (dsasig->len != len)) {
+- rv = SECFailure;
+ } else {
+- PORT_Memcpy(dsig, dsasig->data, dsasig->len);
++ goto loser;
+ }
+
+- if (dsasig != NULL)
++ /* Decode and pad to length */
++ dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
++ if (dsasig == NULL) {
++ goto loser;
++ }
++ if (dsasig->len != len) {
+ SECITEM_FreeItem(dsasig, PR_TRUE);
+- if (rv == SECFailure)
+- PORT_SetError(SEC_ERROR_BAD_DER);
+- return rv;
++ goto loser;
++ }
++
++ PORT_Memcpy(dsig, dsasig->data, len);
++ SECITEM_FreeItem(dsasig, PR_TRUE);
++
++ return SECSuccess;
++
++loser:
++ PORT_SetError(SEC_ERROR_BAD_DER);
++ return SECFailure;
+ }
+
+ const SEC_ASN1Template hashParameterTemplate[] =
+@@ -231,7 +262,7 @@ SECStatus
+ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
+ const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg)
+ {
+- int len;
++ unsigned int len;
+ PLArenaPool *arena;
+ SECStatus rv;
+ SECItem oid;
+@@ -458,48 +489,52 @@ vfy_CreateContext(const SECKEYPublicKey
+ cx->pkcs1RSADigestInfo = NULL;
+ rv = SECSuccess;
+ if (sig) {
+- switch (type) {
+- case rsaKey:
+- rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
+- &cx->pkcs1RSADigestInfo,
+- &cx->pkcs1RSADigestInfoLen,
+- cx->key,
+- sig, wincx);
+- break;
+- case rsaPssKey:
+- sigLen = SECKEY_SignatureLen(key);
+- if (sigLen == 0) {
+- /* error set by SECKEY_SignatureLen */
+- rv = SECFailure;
++ rv = SECFailure;
++ if (type == rsaKey) {
++ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
++ &cx->pkcs1RSADigestInfo,
++ &cx->pkcs1RSADigestInfoLen,
++ cx->key,
++ sig, wincx);
++ } else {
++ sigLen = checkedSignatureLen(key);
++ /* Check signature length is within limits */
++ if (sigLen == 0) {
++ /* error set by checkedSignatureLen */
++ rv = SECFailure;
++ goto loser;
++ }
++ if (sigLen > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ rv = SECFailure;
++ goto loser;
++ }
++ switch (type) {
++ case rsaPssKey:
++ if (sig->len != sigLen) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ rv = SECFailure;
++ goto loser;
++ }
++ PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
++ rv = SECSuccess;
+ break;
+- }
+- if (sig->len != sigLen) {
+- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+- rv = SECFailure;
++ case ecKey:
++ case dsaKey:
++ /* decodeECorDSASignature will check sigLen == sig->len after padding */
++ rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
+ break;
+- }
+- PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
+- break;
+- case dsaKey:
+- case ecKey:
+- sigLen = SECKEY_SignatureLen(key);
+- if (sigLen == 0) {
+- /* error set by SECKEY_SignatureLen */
++ default:
++ /* Unreachable */
+ rv = SECFailure;
+- break;
+- }
+- rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
+- break;
+- default:
+- rv = SECFailure;
+- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+- break;
++ goto loser;
++ }
++ }
++ if (rv != SECSuccess) {
++ goto loser;
+ }
+ }
+
+- if (rv)
+- goto loser;
+-
+ /* check hash alg again, RSA may have changed it.*/
+ if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
+ /* error set by HASH_GetHashTypeByOidTag */
+@@ -634,11 +669,16 @@ VFY_EndWithSignature(VFYContext *cx, SEC
+ switch (cx->key->keyType) {
+ case ecKey:
+ case dsaKey:
+- dsasig.data = cx->u.buffer;
+- dsasig.len = SECKEY_SignatureLen(cx->key);
++ dsasig.len = checkedSignatureLen(cx->key);
+ if (dsasig.len == 0) {
+ return SECFailure;
+ }
++ if (dsasig.len > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ return SECFailure;
++ }
++ dsasig.data = cx->u.buffer;
++
+ if (sig) {
+ rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
+ dsasig.len);
+@@ -667,8 +698,13 @@
+ }
+
+ rsasig.data = cx->u.buffer;
+- rsasig.len = SECKEY_SignatureLen(cx->key);
++ rsasig.len = checkedSignatureLen(cx->key);
+ if (rsasig.len == 0) {
++ /* Error set by checkedSignatureLen */
++ return SECFailure;
++ }
++ if (rsasig.len > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+ if (sig) {
+@@ -743,7 +788,6 @@ vfy_VerifyDigest(const SECItem *digest,
+ SECStatus rv;
+ VFYContext *cx;
+ SECItem dsasig; /* also used for ECDSA */
+-
+ rv = SECFailure;
+
+ cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
+@@ -751,19 +795,25 @@ vfy_VerifyDigest(const SECItem *digest,
+ switch (key->keyType) {
+ case rsaKey:
+ rv = verifyPKCS1DigestInfo(cx, digest);
++ /* Error (if any) set by verifyPKCS1DigestInfo */
+ break;
+- case dsaKey:
+ case ecKey:
++ case dsaKey:
+ dsasig.data = cx->u.buffer;
+- dsasig.len = SECKEY_SignatureLen(cx->key);
++ dsasig.len = checkedSignatureLen(cx->key);
+ if (dsasig.len == 0) {
++ /* Error set by checkedSignatureLen */
++ rv = SECFailure;
+ break;
+ }
+- if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
+- SECSuccess) {
++ if (dsasig.len > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ rv = SECFailure;
++ break;
++ }
++ rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
++ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+- } else {
+- rv = SECSuccess;
+ }
+ break;
+ default:
diff --git a/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch b/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch
new file mode 100644
index 000000000..cccb73187
--- /dev/null
+++ b/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch
@@ -0,0 +1,63 @@
+# HG changeset patch
+# User John M. Schanck <jschanck@mozilla.com>
+# Date 1633990165 0
+# Node ID 7ff99e71f3e37faed12bc3cc90a3eed27e3418d0
+# Parent f80fafd04cf82b4d315c8fe42bb4639703f6ee4f
+Bug 1735028 - check for missing signedData field r=keeler
+
+Differential Revision: https://phabricator.services.mozilla.com/D128112
+
+Upstream-Status: Backport [https://hg.mozilla.org/projects/nss/raw-rev/7ff99e71f3e37faed12bc3cc90a3eed27e3418d0]
+CVE: CVE-2022-22747
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+diff --git a/nss/gtests/certdb_gtest/decode_certs_unittest.cc b/nss/gtests/certdb_gtest/decode_certs_unittest.cc
+--- a/nss/gtests/certdb_gtest/decode_certs_unittest.cc
++++ b/nss/gtests/certdb_gtest/decode_certs_unittest.cc
+@@ -21,8 +21,21 @@ TEST_F(DecodeCertsTest, EmptyCertPackage
+ unsigned char emptyCertPackage[] = {0x30, 0x0f, 0x06, 0x09, 0x60, 0x86,
+ 0x48, 0x01, 0x86, 0xf8, 0x42, 0x02,
+ 0x05, 0xa0, 0x02, 0x30, 0x00};
+ EXPECT_EQ(nullptr, CERT_DecodeCertFromPackage(
+ reinterpret_cast<char*>(emptyCertPackage),
+ sizeof(emptyCertPackage)));
+ EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError());
+ }
++
++TEST_F(DecodeCertsTest, EmptySignedData) {
++ // This represents a PKCS#7 ContentInfo of contentType
++ // 1.2.840.113549.1.7.2 (signedData) with missing content.
++ unsigned char emptySignedData[] = {0x30, 0x80, 0x06, 0x09, 0x2a, 0x86,
++ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07,
++ 0x02, 0x00, 0x00, 0x05, 0x00};
++
++ EXPECT_EQ(nullptr,
++ CERT_DecodeCertFromPackage(reinterpret_cast<char*>(emptySignedData),
++ sizeof(emptySignedData)));
++ EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError());
++}
+diff --git a/nss/lib/pkcs7/certread.c b/nss/lib/pkcs7/certread.c
+--- a/nss/lib/pkcs7/certread.c
++++ b/nss/lib/pkcs7/certread.c
+@@ -134,16 +134,21 @@ SEC_ReadPKCS7Certs(SECItem *pkcs7Item, C
+ pkcs7Item) != SECSuccess) {
+ goto done;
+ }
+
+ if (GetContentTypeTag(&contentInfo) != SEC_OID_PKCS7_SIGNED_DATA) {
+ goto done;
+ }
+
++ if (contentInfo.content.signedData == NULL) {
++ PORT_SetError(SEC_ERROR_BAD_DER);
++ goto done;
++ }
++
+ rv = SECSuccess;
+
+ certs = contentInfo.content.signedData->certificates;
+ if (certs) {
+ count = 0;
+
+ while (*certs) {
+ count++;
diff --git a/meta-oe/recipes-support/nss/nss_3.51.1.bb b/meta-oe/recipes-support/nss/nss_3.51.1.bb
index ac046ed0f..8b59f7ea8 100644
--- a/meta-oe/recipes-support/nss/nss_3.51.1.bb
+++ b/meta-oe/recipes-support/nss/nss_3.51.1.bb
@@ -37,6 +37,10 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
file://0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch \
file://CVE-2020-12401.patch \
file://CVE-2020-6829_12400.patch \
+ file://CVE-2020-12403_1.patch \
+ file://CVE-2020-12403_2.patch \
+ file://CVE-2021-43527.patch \
+ file://CVE-2022-22747.patch \
"
SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233"
diff --git a/meta-oe/recipes-support/numactl/numactl_git.bb b/meta-oe/recipes-support/numactl/numactl_git.bb
index 20b7fed86..af082237c 100644
--- a/meta-oe/recipes-support/numactl/numactl_git.bb
+++ b/meta-oe/recipes-support/numactl/numactl_git.bb
@@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://README.md;beginline=19;endline=32;md5=f8ff2391624f28e
SRCREV = "5d9f16722e3df49dc618a9f361bd482559695db7"
PV = "2.0.13+git${SRCPV}"
-SRC_URI = "git://github.com/numactl/numactl \
+SRC_URI = "git://github.com/numactl/numactl;branch=master;protocol=https \
file://Fix-the-test-output-format.patch \
file://Makefile \
file://run-ptest \
diff --git a/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb b/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb
index 34a81d21f..3cf0aa829 100644
--- a/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb
+++ b/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb
@@ -21,7 +21,7 @@ LICENSE_modules/freebsd/vmxnet = "GPL-2.0"
LICENSE_modules/linux = "GPL-2.0"
LICENSE_modules/solaris = "CDDL-1.0"
-SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https \
+SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https;branch=master \
file://tools.conf \
file://vmtoolsd.service \
file://vmtoolsd.init \
diff --git a/meta-oe/recipes-support/opencl/clinfo_2.2.18.04.06.bb b/meta-oe/recipes-support/opencl/clinfo_2.2.18.04.06.bb
index 9fd88ced9..831b15a45 100644
--- a/meta-oe/recipes-support/opencl/clinfo_2.2.18.04.06.bb
+++ b/meta-oe/recipes-support/opencl/clinfo_2.2.18.04.06.bb
@@ -7,7 +7,7 @@ HOMEPAGE = "https://github.com/Oblomov/clinfo"
LICENSE = "CC0-1.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=fd8857f774dfb0eefe1e80c8f9240a7e"
-SRC_URI = "git://github.com/Oblomov/clinfo.git;protocol=https"
+SRC_URI = "git://github.com/Oblomov/clinfo.git;protocol=https;branch=master"
SRCREV = "59d0daf898e48d76ccbb788acbba258fa0a8ba7c"
diff --git a/meta-oe/recipes-support/opencv/ade_0.1.1f.bb b/meta-oe/recipes-support/opencv/ade_0.1.1f.bb
index 386180215..7e9bbc31c 100644
--- a/meta-oe/recipes-support/opencv/ade_0.1.1f.bb
+++ b/meta-oe/recipes-support/opencv/ade_0.1.1f.bb
@@ -4,7 +4,7 @@ and processing framework. ADE Framework is suitable for \
organizing data flow processing and execution."
HOMEPAGE = "https://github.com/opencv/ade"
-SRC_URI = "git://github.com/opencv/ade.git \
+SRC_URI = "git://github.com/opencv/ade.git;branch=master;protocol=https \
file://0001-use-GNUInstallDirs-for-detecting-install-paths.patch \
"
diff --git a/meta-oe/recipes-support/opencv/opencv_4.1.0.bb b/meta-oe/recipes-support/opencv/opencv_4.1.0.bb
index 19d5d0c89..d7a015874 100644
--- a/meta-oe/recipes-support/opencv/opencv_4.1.0.bb
+++ b/meta-oe/recipes-support/opencv/opencv_4.1.0.bb
@@ -37,12 +37,12 @@ IPP_FILENAME = "${@ipp_filename(d)}"
IPP_MD5 = "${@ipp_md5sum(d)}"
SRCREV_FORMAT = "opencv_contrib_ipp_boostdesc_vgg"
-SRC_URI = "git://github.com/opencv/opencv.git;name=opencv \
- git://github.com/opencv/opencv_contrib.git;destsuffix=contrib;name=contrib \
- git://github.com/opencv/opencv_3rdparty.git;branch=ippicv/master_20180723;destsuffix=ipp;name=ipp \
- git://github.com/opencv/opencv_3rdparty.git;branch=contrib_xfeatures2d_boostdesc_20161012;destsuffix=boostdesc;name=boostdesc \
- git://github.com/opencv/opencv_3rdparty.git;branch=contrib_xfeatures2d_vgg_20160317;destsuffix=vgg;name=vgg \
- git://github.com/opencv/opencv_3rdparty.git;branch=contrib_face_alignment_20170818;destsuffix=face;name=face \
+SRC_URI = "git://github.com/opencv/opencv.git;name=opencv;branch=master;protocol=https \
+ git://github.com/opencv/opencv_contrib.git;destsuffix=contrib;name=contrib;branch=master;protocol=https \
+ git://github.com/opencv/opencv_3rdparty.git;branch=ippicv/master_20180723;destsuffix=ipp;name=ipp;protocol=https \
+ git://github.com/opencv/opencv_3rdparty.git;branch=contrib_xfeatures2d_boostdesc_20161012;destsuffix=boostdesc;name=boostdesc;protocol=https \
+ git://github.com/opencv/opencv_3rdparty.git;branch=contrib_xfeatures2d_vgg_20160317;destsuffix=vgg;name=vgg;protocol=https \
+ git://github.com/opencv/opencv_3rdparty.git;branch=contrib_face_alignment_20170818;destsuffix=face;name=face;protocol=https \
file://0001-3rdparty-ippicv-Use-pre-downloaded-ipp.patch \
file://0002-Make-opencv-ts-create-share-library-intead-of-static.patch \
file://0003-To-fix-errors-as-following.patch \
diff --git a/meta-oe/recipes-support/openldap/openldap/CVE-2022-29155.patch b/meta-oe/recipes-support/openldap/openldap/CVE-2022-29155.patch
new file mode 100644
index 000000000..2860b9522
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap/CVE-2022-29155.patch
@@ -0,0 +1,277 @@
+From 11e136f15085a4bda5701e910988966bed699977 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 18 May 2022 13:57:59 +0530
+Subject: [PATCH] CVE-2022-29155
+
+Upstream-Status: Backport [https://git.openldap.org/openldap/openldap/-/commit/87df6c19915042430540931d199a39105544a134]
+CVE: CVE-2022-29155
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+---
+ servers/slapd/back-sql/search.c | 123 +++++++++++++++++++++++++++-----
+ 1 file changed, 105 insertions(+), 18 deletions(-)
+
+diff --git a/servers/slapd/back-sql/search.c b/servers/slapd/back-sql/search.c
+index bb0f1e2..1770bde 100644
+--- a/servers/slapd/back-sql/search.c
++++ b/servers/slapd/back-sql/search.c
+@@ -63,6 +63,38 @@ static void send_paged_response(
+ ID *lastid );
+ #endif /* ! BACKSQL_ARBITRARY_KEY */
+
++/* Look for chars that need to be escaped, return count of them.
++ * If out is non-NULL, copy escape'd val to it.
++ */
++static int
++backsql_val_escape( Operation *op, struct berval *in, struct berval *out )
++{
++ char *ptr, *end;
++ int q = 0;
++
++ ptr = in->bv_val;
++ end = ptr + in->bv_len;
++ while (ptr < end) {
++ if ( *ptr == '\'' )
++ q++;
++ ptr++;
++ }
++ if ( q && out ) {
++ char *dst;
++ out->bv_len = in->bv_len + q;
++ out->bv_val = op->o_tmpalloc( out->bv_len + 1, op->o_tmpmemctx );
++ ptr = in->bv_val;
++ dst = out->bv_val;
++ while (ptr < end ) {
++ if ( *ptr == '\'' )
++ *dst++ = '\'';
++ *dst++ = *ptr++;
++ }
++ *dst = '\0';
++ }
++ return q;
++}
++
+ static int
+ backsql_attrlist_add( backsql_srch_info *bsi, AttributeDescription *ad )
+ {
+@@ -429,6 +461,8 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
+ backsql_info *bi = (backsql_info *)bsi->bsi_op->o_bd->be_private;
+ int i;
+ int casefold = 0;
++ int escaped = 0;
++ struct berval escval, *fvalue;
+
+ if ( !f ) {
+ return 0;
+@@ -462,50 +496,68 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
+
+ BER_BVZERO( &bv );
+ if ( f->f_sub_initial.bv_val ) {
+- bv.bv_len += f->f_sub_initial.bv_len;
++ bv.bv_len += f->f_sub_initial.bv_len + backsql_val_escape( NULL, &f->f_sub_initial, NULL );
+ }
+ if ( f->f_sub_any != NULL ) {
+ for ( a = 0; f->f_sub_any[ a ].bv_val != NULL; a++ ) {
+- bv.bv_len += f->f_sub_any[ a ].bv_len;
++ bv.bv_len += f->f_sub_any[ a ].bv_len + backsql_val_escape( NULL, &f->f_sub_any[ a ], NULL );
+ }
+ }
+ if ( f->f_sub_final.bv_val ) {
+- bv.bv_len += f->f_sub_final.bv_len;
++ bv.bv_len += f->f_sub_final.bv_len + backsql_val_escape( NULL, &f->f_sub_final, NULL );
+ }
+ bv.bv_len = 2 * bv.bv_len - 1;
+ bv.bv_val = ch_malloc( bv.bv_len + 1 );
+
+ s = 0;
+ if ( !BER_BVISNULL( &f->f_sub_initial ) ) {
+- bv.bv_val[ s ] = f->f_sub_initial.bv_val[ 0 ];
+- for ( i = 1; i < f->f_sub_initial.bv_len; i++ ) {
++ fvalue = &f->f_sub_initial;
++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++ if ( escaped )
++ fvalue = &escval;
++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
++ for ( i = 1; i < fvalue->bv_len; i++ ) {
+ bv.bv_val[ s + 2 * i - 1 ] = '%';
+- bv.bv_val[ s + 2 * i ] = f->f_sub_initial.bv_val[ i ];
++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
+ }
+ bv.bv_val[ s + 2 * i - 1 ] = '%';
+ s += 2 * i;
++ if ( escaped )
++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+ }
+
+ if ( f->f_sub_any != NULL ) {
+ for ( a = 0; !BER_BVISNULL( &f->f_sub_any[ a ] ); a++ ) {
+- bv.bv_val[ s ] = f->f_sub_any[ a ].bv_val[ 0 ];
+- for ( i = 1; i < f->f_sub_any[ a ].bv_len; i++ ) {
++ fvalue = &f->f_sub_any[ a ];
++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++ if ( escaped )
++ fvalue = &escval;
++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
++ for ( i = 1; i < fvalue->bv_len; i++ ) {
+ bv.bv_val[ s + 2 * i - 1 ] = '%';
+- bv.bv_val[ s + 2 * i ] = f->f_sub_any[ a ].bv_val[ i ];
++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
+ }
+ bv.bv_val[ s + 2 * i - 1 ] = '%';
+ s += 2 * i;
++ if ( escaped )
++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+ }
+ }
+
+ if ( !BER_BVISNULL( &f->f_sub_final ) ) {
+- bv.bv_val[ s ] = f->f_sub_final.bv_val[ 0 ];
+- for ( i = 1; i < f->f_sub_final.bv_len; i++ ) {
++ fvalue = &f->f_sub_final;
++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++ if ( escaped )
++ fvalue = &escval;
++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
++ for ( i = 1; i < fvalue->bv_len; i++ ) {
+ bv.bv_val[ s + 2 * i - 1 ] = '%';
+- bv.bv_val[ s + 2 * i ] = f->f_sub_final.bv_val[ i ];
++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
+ }
+- bv.bv_val[ s + 2 * i - 1 ] = '%';
++ bv.bv_val[ s + 2 * i - 1 ] = '%';
+ s += 2 * i;
++ if ( escaped )
++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+ }
+
+ bv.bv_val[ s - 1 ] = '\0';
+@@ -561,11 +613,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
+ f->f_sub_initial.bv_val, 0 );
+ #endif /* BACKSQL_TRACE */
+
++ fvalue = &f->f_sub_initial;
++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++ if ( escaped )
++ fvalue = &escval;
+ start = bsi->bsi_flt_where.bb_val.bv_len;
+ backsql_strfcat_x( &bsi->bsi_flt_where,
+ bsi->bsi_op->o_tmpmemctx,
+ "b",
+- &f->f_sub_initial );
++ fvalue );
++ if ( escaped )
++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+ if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
+ ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] );
+ }
+@@ -586,12 +644,18 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
+ i, f->f_sub_any[ i ].bv_val );
+ #endif /* BACKSQL_TRACE */
+
++ fvalue = &f->f_sub_any[ i ];
++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++ if ( escaped )
++ fvalue = &escval;
+ start = bsi->bsi_flt_where.bb_val.bv_len;
+ backsql_strfcat_x( &bsi->bsi_flt_where,
+ bsi->bsi_op->o_tmpmemctx,
+ "bc",
+- &f->f_sub_any[ i ],
++ fvalue,
+ '%' );
++ if ( escaped )
++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+ if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
+ /*
+ * Note: toupper('%') = '%'
+@@ -611,11 +675,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
+ f->f_sub_final.bv_val, 0 );
+ #endif /* BACKSQL_TRACE */
+
++ fvalue = &f->f_sub_final;
++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++ if ( escaped )
++ fvalue = &escval;
+ start = bsi->bsi_flt_where.bb_val.bv_len;
+ backsql_strfcat_x( &bsi->bsi_flt_where,
+ bsi->bsi_op->o_tmpmemctx,
+ "b",
+- &f->f_sub_final );
++ fvalue );
++ if ( escaped )
++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+ if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
+ ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] );
+ }
+@@ -1183,6 +1253,8 @@ backsql_process_filter_attr( backsql_srch_info *bsi, Filter *f, backsql_at_map_r
+ struct berval *filter_value = NULL;
+ MatchingRule *matching_rule = NULL;
+ struct berval ordering = BER_BVC("<=");
++ struct berval escval;
++ int escaped = 0;
+
+ Debug( LDAP_DEBUG_TRACE, "==>backsql_process_filter_attr(%s)\n",
+ at->bam_ad->ad_cname.bv_val, 0, 0 );
+@@ -1237,6 +1309,10 @@ equality_match:;
+ casefold = 1;
+ }
+
++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
++ if ( escaped )
++ filter_value = &escval;
++
+ /* FIXME: directoryString filtering should use a similar
+ * approach to deal with non-prettified values like
+ * " A non prettified value ", by using a LIKE
+@@ -1317,6 +1393,10 @@ equality_match:;
+ casefold = 1;
+ }
+
++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
++ if ( escaped )
++ filter_value = &escval;
++
+ /*
+ * FIXME: should we uppercase the operands?
+ */
+@@ -1350,7 +1430,7 @@ equality_match:;
+ &at->bam_sel_expr,
+ &ordering,
+ '\'',
+- &f->f_av_value,
++ filter_value,
+ (ber_len_t)STRLENOF( /* (' */ "')" ),
+ /* ( */ "')" );
+ }
+@@ -1374,13 +1454,17 @@ equality_match:;
+ case LDAP_FILTER_APPROX:
+ /* we do our best */
+
++ filter_value = &f->f_av_value;
++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
++ if ( escaped )
++ filter_value = &escval;
+ /*
+ * maybe we should check type of at->sel_expr here somehow,
+ * to know whether upper_func is applicable, but for now
+ * upper_func stuff is made for Oracle, where UPPER is
+ * safely applicable to NUMBER etc.
+ */
+- (void)backsql_process_filter_like( bsi, at, 1, &f->f_av_value );
++ (void)backsql_process_filter_like( bsi, at, 1, filter_value );
+ break;
+
+ default:
+@@ -1394,6 +1478,9 @@ equality_match:;
+
+ }
+
++ if ( escaped )
++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
++
+ Debug( LDAP_DEBUG_TRACE, "<==backsql_process_filter_attr(%s)\n",
+ at->bam_ad->ad_cname.bv_val, 0, 0 );
+
+--
+2.25.1
+
diff --git a/meta-oe/recipes-support/openldap/openldap_2.4.57.bb b/meta-oe/recipes-support/openldap/openldap_2.4.57.bb
index a282523a3..e3e9caa1b 100644
--- a/meta-oe/recipes-support/openldap/openldap_2.4.57.bb
+++ b/meta-oe/recipes-support/openldap/openldap_2.4.57.bb
@@ -23,8 +23,8 @@ SRC_URI = "http://www.openldap.org/software/download/OpenLDAP/openldap-release/$
file://thread_stub.patch \
file://openldap-CVE-2015-3276.patch \
file://remove-user-host-pwd-from-version.patch \
+ file://CVE-2022-29155.patch \
"
-
SRC_URI[md5sum] = "e3349456c3a66e5e6155be7ddc3f042c"
SRC_URI[sha256sum] = "c7ba47e1e6ecb5b436f3d43281df57abeffa99262141aec822628bc220f6b45a"
diff --git a/meta-oe/recipes-support/opensc/opensc_0.20.0.bb b/meta-oe/recipes-support/opensc/opensc_0.20.0.bb
index a815980c4..b8cf203b7 100644
--- a/meta-oe/recipes-support/opensc/opensc_0.20.0.bb
+++ b/meta-oe/recipes-support/opensc/opensc_0.20.0.bb
@@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34"
#v0.19.0
SRCREV = "45e29056ccde422e70ed3585084a7f150c632515"
-SRC_URI = "git://github.com/OpenSC/OpenSC \
+SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
"
DEPENDS = "virtual/libiconv openssl"
diff --git a/meta-oe/recipes-support/picocom/picocom_git.bb b/meta-oe/recipes-support/picocom/picocom_git.bb
index 3d26b9364..801300e70 100644
--- a/meta-oe/recipes-support/picocom/picocom_git.bb
+++ b/meta-oe/recipes-support/picocom/picocom_git.bb
@@ -9,7 +9,7 @@ PV = "${BASEPV}+git${SRCPV}"
SRCREV = "90385aabe2b51f39fa130627d46b377569f82d4a"
-SRC_URI = "git://github.com/npat-efault/picocom \
+SRC_URI = "git://github.com/npat-efault/picocom;branch=master;protocol=https \
file://0001-Fix-building-with-musl.patch \
"
diff --git a/meta-oe/recipes-support/pidgin/funyahoo-plusplus_git.bb b/meta-oe/recipes-support/pidgin/funyahoo-plusplus_git.bb
index 3a437659e..0e3e5ff73 100644
--- a/meta-oe/recipes-support/pidgin/funyahoo-plusplus_git.bb
+++ b/meta-oe/recipes-support/pidgin/funyahoo-plusplus_git.bb
@@ -7,7 +7,7 @@ DEPENDS = "pidgin json-glib glib-2.0"
inherit pkgconfig
-SRC_URI = "git://github.com/EionRobb/funyahoo-plusplus;branch=master;protocol=git"
+SRC_URI = "git://github.com/EionRobb/funyahoo-plusplus;branch=master;protocol=https"
SRCREV = "fbbd9c591100aa00a0487738ec7b6acd3d924b3f"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/pidgin/icyque_git.bb b/meta-oe/recipes-support/pidgin/icyque_git.bb
index 0f32dc3a3..2905e16fc 100644
--- a/meta-oe/recipes-support/pidgin/icyque_git.bb
+++ b/meta-oe/recipes-support/pidgin/icyque_git.bb
@@ -9,7 +9,7 @@ PV = "0.1+gitr${SRCPV}"
inherit pkgconfig
-SRC_URI = "git://github.com/EionRobb/icyque"
+SRC_URI = "git://github.com/EionRobb/icyque;branch=master;protocol=https"
SRCREV = "513fc162d5d1a201c2b044e2b42941436d1069d5"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/pidgin/purple-skypeweb_git.bb b/meta-oe/recipes-support/pidgin/purple-skypeweb_git.bb
index 092e6059b..854920d2e 100644
--- a/meta-oe/recipes-support/pidgin/purple-skypeweb_git.bb
+++ b/meta-oe/recipes-support/pidgin/purple-skypeweb_git.bb
@@ -7,7 +7,7 @@ DEPENDS = "pidgin json-glib glib-2.0 zlib"
inherit pkgconfig
-SRC_URI = "git://github.com/EionRobb/skype4pidgin;branch=master;protocol=git"
+SRC_URI = "git://github.com/EionRobb/skype4pidgin;branch=master;protocol=https"
SRCREV = "14f1b69b6292bbdc98cca484b050ec8359394c4e"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/poco/poco_1.9.4.bb b/meta-oe/recipes-support/poco/poco_1.9.4.bb
index fcd521975..1c3a4ebb0 100644
--- a/meta-oe/recipes-support/poco/poco_1.9.4.bb
+++ b/meta-oe/recipes-support/poco/poco_1.9.4.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=4267f48fc738f50380cbeeb76f95cebc"
DEPENDS = "libpcre zlib"
SRC_URI = " \
- git://github.com/pocoproject/poco.git;branch=poco-${PV} \
+ git://github.com/pocoproject/poco.git;branch=poco-${PV};protocol=https \
file://0001-Don-t-try-to-install-non-existing-Encodings-testsuit.patch \
file://0001-riscv-Enable-double-operations-when-using-double-flo.patch \
file://run-ptest \
diff --git a/meta-oe/recipes-support/pps-tools/pps-tools_1.0.2.bb b/meta-oe/recipes-support/pps-tools/pps-tools_1.0.2.bb
index c8baa5d9c..5b5358774 100644
--- a/meta-oe/recipes-support/pps-tools/pps-tools_1.0.2.bb
+++ b/meta-oe/recipes-support/pps-tools/pps-tools_1.0.2.bb
@@ -5,7 +5,7 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
SRCREV = "cb48b7ecf7079ceba7081c78d4e61e507b0e8d2d"
-SRC_URI = "git://github.com/ago/pps-tools.git"
+SRC_URI = "git://github.com/ago/pps-tools.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/remmina/remmina_1.3.6.bb b/meta-oe/recipes-support/remmina/remmina_1.3.6.bb
index 1c2f270e3..3b1e8706c 100644
--- a/meta-oe/recipes-support/remmina/remmina_1.3.6.bb
+++ b/meta-oe/recipes-support/remmina/remmina_1.3.6.bb
@@ -10,7 +10,7 @@ DEPENDS_append_libc-musl = " libexecinfo"
LDFLAGS_append_libc-musl = " -lexecinfo"
SRCREV = "cc391370d8b4c07597617e0a771a9732f0802411"
-SRC_URI = "git://gitlab.com/Remmina/Remmina;protocol=https \
+SRC_URI = "git://gitlab.com/Remmina/Remmina;protocol=https;branch=master \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/rsnapshot/rsnapshot_git.bb b/meta-oe/recipes-support/rsnapshot/rsnapshot_git.bb
index 33f5dccca..6fe8aa76f 100644
--- a/meta-oe/recipes-support/rsnapshot/rsnapshot_git.bb
+++ b/meta-oe/recipes-support/rsnapshot/rsnapshot_git.bb
@@ -25,7 +25,7 @@ RDEPENDS_${PN} = "rsync \
SRCREV = "a9e29850fc33c503c289e245c7bad350eed746d9"
PV = "1.4.3+git${SRCPV}"
-SRC_URI = "git://github.com/DrHyde/${BPN};branch=master;protocol=git \
+SRC_URI = "git://github.com/DrHyde/${BPN};branch=master;protocol=https \
file://configure-fix-cmd_rsync.patch \
"
diff --git a/meta-oe/recipes-support/sass/libsass_3.6.3.bb b/meta-oe/recipes-support/sass/libsass_3.6.3.bb
index d893be223..4b4fe5566 100644
--- a/meta-oe/recipes-support/sass/libsass_3.6.3.bb
+++ b/meta-oe/recipes-support/sass/libsass_3.6.3.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=8f34396ca205f5e119ee77aae91fa27d"
inherit autotools
-SRC_URI = "git://github.com/sass/libsass.git;branch=master"
+SRC_URI = "git://github.com/sass/libsass.git;branch=master;protocol=https"
SRCREV = "e1c16e09b4a953757a15149deaaf28a3fd81dc97"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/sass/sassc_git.bb b/meta-oe/recipes-support/sass/sassc_git.bb
index 3c7a55cc3..985d519f9 100644
--- a/meta-oe/recipes-support/sass/sassc_git.bb
+++ b/meta-oe/recipes-support/sass/sassc_git.bb
@@ -6,7 +6,7 @@ DEPENDS = "libsass"
inherit autotools pkgconfig
-SRC_URI = "git://github.com/sass/sassc.git"
+SRC_URI = "git://github.com/sass/sassc.git;branch=master;protocol=https"
SRCREV = "46748216ba0b60545e814c07846ca10c9fefc5b6"
S = "${WORKDIR}/git"
PV = "3.6.1"
diff --git a/meta-oe/recipes-support/satyr/satyr_0.28.bb b/meta-oe/recipes-support/satyr/satyr_0.28.bb
index fbf018d7f..a928681ae 100644
--- a/meta-oe/recipes-support/satyr/satyr_0.28.bb
+++ b/meta-oe/recipes-support/satyr/satyr_0.28.bb
@@ -7,7 +7,7 @@ LICENSE = "GPLv2"
inherit autotools-brokensep python3native pkgconfig
-SRC_URI = "git://github.com/abrt/satyr.git \
+SRC_URI = "git://github.com/abrt/satyr.git;branch=master;protocol=https \
file://0002-fix-compile-failure-against-musl-C-library.patch \
"
SRCREV = "8b5547b89b712b39a59f1d8b366e7de0f5f46108"
diff --git a/meta-oe/recipes-support/serial-utils/pty-forward-native.bb b/meta-oe/recipes-support/serial-utils/pty-forward-native.bb
index 7f59b3eca..87d9c5290 100644
--- a/meta-oe/recipes-support/serial-utils/pty-forward-native.bb
+++ b/meta-oe/recipes-support/serial-utils/pty-forward-native.bb
@@ -6,7 +6,7 @@ SECTION = "console/network"
SRCREV = "00dbec2636ae0385ad028587e20e446272ff97ec"
PV = "1.1+gitr${SRCPV}"
-SRC_URI = "git://github.com/freesmartphone/cornucopia.git;protocol=https"
+SRC_URI = "git://github.com/freesmartphone/cornucopia.git;protocol=https;branch=master"
S = "${WORKDIR}/git/tools/serial_forward"
inherit autotools native
diff --git a/meta-oe/recipes-support/serial-utils/serial-forward_git.bb b/meta-oe/recipes-support/serial-utils/serial-forward_git.bb
index 0ef829856..dcad8f710 100644
--- a/meta-oe/recipes-support/serial-utils/serial-forward_git.bb
+++ b/meta-oe/recipes-support/serial-utils/serial-forward_git.bb
@@ -6,7 +6,7 @@ SECTION = "console/devel"
SRCREV = "07c6fdede0870edc37a8d51d033b6e7e29aa7c91"
PV = "1.1+gitr${SRCPV}"
-SRC_URI = "git://github.com/freesmartphone/cornucopia.git \
+SRC_URI = "git://github.com/freesmartphone/cornucopia.git;branch=master;protocol=https \
file://0001-serial_forward-Disable-default-static-linking.patch;striplevel=3 \
"
S = "${WORKDIR}/git/tools/serial_forward"
diff --git a/meta-oe/recipes-support/span-lite/span-lite_git.bb b/meta-oe/recipes-support/span-lite/span-lite_git.bb
index 96ec829b7..abb3ec2f3 100644
--- a/meta-oe/recipes-support/span-lite/span-lite_git.bb
+++ b/meta-oe/recipes-support/span-lite/span-lite_git.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/martinmoene/span-lite"
LICENSE = "BSL-1.0"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=e4224ccaecb14d942c71d31bef20d78c"
-SRC_URI += "git://github.com/martinmoene/span-lite"
+SRC_URI += "git://github.com/martinmoene/span-lite;branch=master;protocol=https"
SRCREV = "e03d1166ccc8481d993dc02aae703966301a5e6e"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/spdlog/spdlog_1.5.0.bb b/meta-oe/recipes-support/spdlog/spdlog_1.5.0.bb
index 39629cce0..9294d1a70 100644
--- a/meta-oe/recipes-support/spdlog/spdlog_1.5.0.bb
+++ b/meta-oe/recipes-support/spdlog/spdlog_1.5.0.bb
@@ -4,7 +4,7 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
SRCREV = "cf6f1dd01e660d5865d68bf5fa78f6376b89470a"
-SRC_URI = "git://github.com/gabime/spdlog.git;protocol=git;branch=v1.x;"
+SRC_URI = "git://github.com/gabime/spdlog.git;protocol=https;branch=v1.x;"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/spitools/spitools_git.bb b/meta-oe/recipes-support/spitools/spitools_git.bb
index 625756873..b9ed1bcd7 100644
--- a/meta-oe/recipes-support/spitools/spitools_git.bb
+++ b/meta-oe/recipes-support/spitools/spitools_git.bb
@@ -10,7 +10,7 @@ SRCREV = "4a36a84f7df291ddaebd397aecf0c8515256a8e0"
S = "${WORKDIR}/git"
-SRC_URI = "git://github.com/cpb-/spi-tools.git;protocol=git"
+SRC_URI = "git://github.com/cpb-/spi-tools.git;protocol=https;branch=master"
inherit autotools
diff --git a/meta-oe/recipes-support/thin-provisioning-tools/thin-provisioning-tools_0.8.5.bb b/meta-oe/recipes-support/thin-provisioning-tools/thin-provisioning-tools_0.8.5.bb
index 3f82734ac..5bcbea460 100644
--- a/meta-oe/recipes-support/thin-provisioning-tools/thin-provisioning-tools_0.8.5.bb
+++ b/meta-oe/recipes-support/thin-provisioning-tools/thin-provisioning-tools_0.8.5.bb
@@ -7,7 +7,7 @@ SECTION = "devel"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
S = "${WORKDIR}/git"
-SRC_URI = "git://github.com/jthornber/thin-provisioning-tools;branch=main \
+SRC_URI = "git://github.com/jthornber/thin-provisioning-tools;branch=main;protocol=https \
file://0001-do-not-strip-pdata_tools-at-do_install.patch \
file://use-sh-on-path.patch \
"
diff --git a/meta-oe/recipes-support/toscoterm/toscoterm_git.bb b/meta-oe/recipes-support/toscoterm/toscoterm_git.bb
index aba485e1a..4dddd54c5 100644
--- a/meta-oe/recipes-support/toscoterm/toscoterm_git.bb
+++ b/meta-oe/recipes-support/toscoterm/toscoterm_git.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://main.c;start_line=5;end_line=16;md5=9ae4bf20caf291afa
# 0.2 version
SRCREV = "8586d617aed19fc75f5ae1e07270752c1b2f9a30"
-SRC_URI = "git://github.com/OSSystems/toscoterm.git"
+SRC_URI = "git://github.com/OSSystems/toscoterm.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/udisks/udisks2/CVE-2021-3802.patch b/meta-oe/recipes-support/udisks/udisks2/CVE-2021-3802.patch
new file mode 100644
index 000000000..0189833b4
--- /dev/null
+++ b/meta-oe/recipes-support/udisks/udisks2/CVE-2021-3802.patch
@@ -0,0 +1,63 @@
+From 2517b8feb13919c382e53ab5f9b63c5b5ee5b063 Mon Sep 17 00:00:00 2001
+From: Emilio Pozuelo Monfort <pochu@debian.org>
+Date: Fri, 5 Nov 2021 09:29:13 +0100
+Subject: [PATCH] udisks2 security update
+
+mount options: Always use errors=remount-ro for ext filesystems
+
+Stefan Walter found that udisks2, a service to access and manipulate
+storage devices, could cause denial of service via system crash if a
+corrupted or specially crafted ext2/3/4 device or image was mounted,
+which could happen automatically on certain environments.
+
+For Debian 9 stretch, this problem has been fixed in version
+2.1.8-1+deb9u1.
+
+Default mount options are focused primarily on data safety, mounting
+damaged ext2/3/4 filesystem as readonly would indicate something's wrong.
+
+Upstream-Status: Backport [http://security.debian.org/debian-security/pool/updates/main/u/udisks2/udisks2_2.1.8-1+deb9u1.debian.tar.xz]
+CVE: CVE-2021-3802
+
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+---
+ src/udiskslinuxfilesystem.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/src/udiskslinuxfilesystem.c b/src/udiskslinuxfilesystem.c
+index a5a3898c..eac8cab3 100644
+--- a/src/udiskslinuxfilesystem.c
++++ b/src/udiskslinuxfilesystem.c
+@@ -421,6 +421,21 @@ static const gchar *hfsplus_allow[] = { "creator", "type", "umask", "session", "
+ static const gchar *hfsplus_allow_uid_self[] = { "uid", NULL };
+ static const gchar *hfsplus_allow_gid_self[] = { "gid", NULL };
+
++/* ---------------------- ext2 -------------------- */
++
++static const gchar *ext2_defaults[] = { "errors=remount-ro", NULL };
++static const gchar *ext2_allow[] = { "errors=remount-ro", NULL };
++
++/* ---------------------- ext3 -------------------- */
++
++static const gchar *ext3_defaults[] = { "errors=remount-ro", NULL };
++static const gchar *ext3_allow[] = { "errors=remount-ro", NULL };
++
++/* ---------------------- ext4 -------------------- */
++
++static const gchar *ext4_defaults[] = { "errors=remount-ro", NULL };
++static const gchar *ext4_allow[] = { "errors=remount-ro", NULL };
++
+ /* ------------------------------------------------ */
+ /* TODO: support context= */
+
+@@ -434,6 +449,9 @@ static const FSMountOptions fs_mount_options[] =
+ { "udf", udf_defaults, udf_allow, udf_allow_uid_self, udf_allow_gid_self },
+ { "exfat", exfat_defaults, exfat_allow, exfat_allow_uid_self, exfat_allow_gid_self },
+ { "hfsplus", hfsplus_defaults, hfsplus_allow, hfsplus_allow_uid_self, hfsplus_allow_gid_self },
++ { "ext2", ext2_defaults, ext2_allow, NULL, NULL },
++ { "ext3", ext3_defaults, ext3_allow, NULL, NULL },
++ { "ext4", ext4_defaults, ext4_allow, NULL, NULL },
+ };
+
+ /* ------------------------------------------------ */
diff --git a/meta-oe/recipes-support/udisks/udisks2_git.bb b/meta-oe/recipes-support/udisks/udisks2_git.bb
index ecaf01e71..58c8a9899 100644
--- a/meta-oe/recipes-support/udisks/udisks2_git.bb
+++ b/meta-oe/recipes-support/udisks/udisks2_git.bb
@@ -17,7 +17,8 @@ DEPENDS += "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
RDEPENDS_${PN} = "acl"
SRC_URI = " \
- git://github.com/storaged-project/udisks.git;branch=master \
+ git://github.com/storaged-project/udisks.git;branch=master;protocol=https \
+ file://CVE-2021-3802.patch \
"
PV = "2.8.4+git${SRCREV}"
SRCREV = "db5f487345da2eaa87976450ea51c2c465d9b82e"
diff --git a/meta-oe/recipes-support/uhubctl/uhubctl_2.1.0.bb b/meta-oe/recipes-support/uhubctl/uhubctl_2.1.0.bb
index b294d77ba..0bb48412a 100644
--- a/meta-oe/recipes-support/uhubctl/uhubctl_2.1.0.bb
+++ b/meta-oe/recipes-support/uhubctl/uhubctl_2.1.0.bb
@@ -7,7 +7,7 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
SRCREV = "c9fa3c68a1b2c9790c731602b8bae2b513e80605"
-SRC_URI = "git://github.com/mvp/${BPN}"
+SRC_URI = "git://github.com/mvp/${BPN};branch=master;protocol=https"
S = "${WORKDIR}/git"
# uhubctl gets its program version from "git describe". As we use the source
diff --git a/meta-oe/recipes-support/uthash/uthash_2.1.0.bb b/meta-oe/recipes-support/uthash/uthash_2.1.0.bb
index 09cef44a8..3f4529e1a 100644
--- a/meta-oe/recipes-support/uthash/uthash_2.1.0.bb
+++ b/meta-oe/recipes-support/uthash/uthash_2.1.0.bb
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a2513f7d2291df840527b76b2a8f9718"
SRCREV = "8b214aefcb81df86a7e5e0d4fa20e59a6c18bc02"
SRC_URI = "\
- git://github.com/troydhanson/${BPN}.git \
+ git://github.com/troydhanson/${BPN}.git;branch=master;protocol=https \
file://run-ptest \
"
diff --git a/meta-oe/recipes-support/utouch/utouch-evemu_git.bb b/meta-oe/recipes-support/utouch/utouch-evemu_git.bb
index 7c5a73439..e1ec1fda8 100644
--- a/meta-oe/recipes-support/utouch/utouch-evemu_git.bb
+++ b/meta-oe/recipes-support/utouch/utouch-evemu_git.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949"
inherit autotools
-SRC_URI = "git://bitmath.org/git/evemu.git;protocol=http \
+SRC_URI = "git://bitmath.org/git/evemu.git;protocol=http;branch=master \
file://0001-Fix-build-on-32bit-arches-with-64bit-time_t.patch \
"
SRCREV = "9752b50e922572e4cd214ac45ed95e4ee410fe24"
diff --git a/meta-oe/recipes-support/utouch/utouch-frame_git.bb b/meta-oe/recipes-support/utouch/utouch-frame_git.bb
index 1ebebfa9f..599395635 100644
--- a/meta-oe/recipes-support/utouch/utouch-frame_git.bb
+++ b/meta-oe/recipes-support/utouch/utouch-frame_git.bb
@@ -9,7 +9,7 @@ DEPENDS += "mtdev utouch-evemu"
inherit autotools pkgconfig
-SRC_URI = "git://bitmath.org/git/frame.git;protocol=http \
+SRC_URI = "git://bitmath.org/git/frame.git;protocol=http;branch=master \
file://remove-man-page-creation.patch \
file://0001-include-sys-stat.h-for-fixing-build-issue-on-musl.patch \
file://0001-Fix-build-on-32bit-arches-with-64bit-time_t.patch \
diff --git a/meta-oe/recipes-support/utouch/utouch-mtview_git.bb b/meta-oe/recipes-support/utouch/utouch-mtview_git.bb
index 5f07bf28e..65edaf1e5 100644
--- a/meta-oe/recipes-support/utouch/utouch-mtview_git.bb
+++ b/meta-oe/recipes-support/utouch/utouch-mtview_git.bb
@@ -9,7 +9,7 @@ inherit autotools pkgconfig features_check
# depends on virtual/libx11
REQUIRED_DISTRO_FEATURES = "x11"
-SRC_URI = "git://bitmath.org/git/mtview.git;protocol=http"
+SRC_URI = "git://bitmath.org/git/mtview.git;protocol=http;branch=master"
SRCREV = "ad437c38dc111cf3990a03abf14efe1b5d89604b"
DEPENDS += "mtdev utouch-frame utouch-evemu libx11"
diff --git a/meta-oe/recipes-support/websocketpp/websocketpp_0.8.2.bb b/meta-oe/recipes-support/websocketpp/websocketpp_0.8.2.bb
index 79a5ac5c4..673fc5899 100644
--- a/meta-oe/recipes-support/websocketpp/websocketpp_0.8.2.bb
+++ b/meta-oe/recipes-support/websocketpp/websocketpp_0.8.2.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=4d168d763c111f4ffc62249870e4e0ea"
DEPENDS = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'openssl boost zlib', '', d)} "
-SRC_URI = "git://github.com/zaphoyd/websocketpp.git;protocol=https \
+SRC_URI = "git://github.com/zaphoyd/websocketpp.git;protocol=https;branch=master \
file://0001-cmake-Use-GNUInstallDirs.patch \
file://855.patch \
file://857.patch \
diff --git a/meta-oe/recipes-support/xdelta/xdelta3_3.1.0.bb b/meta-oe/recipes-support/xdelta/xdelta3_3.1.0.bb
index d100030f9..c16178198 100644
--- a/meta-oe/recipes-support/xdelta/xdelta3_3.1.0.bb
+++ b/meta-oe/recipes-support/xdelta/xdelta3_3.1.0.bb
@@ -7,7 +7,7 @@ SECTION = "console/utils"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-SRC_URI = "git://github.com/jmacd/xdelta.git;branch=release3_1_apl"
+SRC_URI = "git://github.com/jmacd/xdelta.git;branch=release3_1_apl;protocol=https"
SRCREV = "4b4aed71a959fe11852e45242bb6524be85d3709"
S = "${WORKDIR}/git/xdelta3"
diff --git a/meta-oe/recipes-support/xorg-xrdp/xorgxrdp_0.2.5.bb b/meta-oe/recipes-support/xorg-xrdp/xorgxrdp_0.2.5.bb
index 481e7303b..1ba4a32ba 100644
--- a/meta-oe/recipes-support/xorg-xrdp/xorgxrdp_0.2.5.bb
+++ b/meta-oe/recipes-support/xorg-xrdp/xorgxrdp_0.2.5.bb
@@ -10,7 +10,7 @@ DEPENDS = "virtual/libx11 xserver-xorg xrdp nasm-native"
inherit features_check
REQUIRED_DISTRO_FEATURES = "x11 pam"
-SRC_URI = "git://github.com/neutrinolabs/xorgxrdp.git"
+SRC_URI = "git://github.com/neutrinolabs/xorgxrdp.git;branch=master;protocol=https"
SRCREV = "c122544f184d4031bbae1ad80fbab554c34a9427"
diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.11.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.11.bb
index deda0fd1b..36184705b 100644
--- a/meta-oe/recipes-support/xrdp/xrdp_0.9.11.bb
+++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.11.bb
@@ -10,7 +10,7 @@ DEPENDS = "openssl virtual/libx11 libxfixes libxrandr libpam nasm-native"
REQUIRED_DISTRO_FEATURES = "x11 pam"
-SRC_URI = "git://github.com/neutrinolabs/xrdp.git \
+SRC_URI = "git://github.com/neutrinolabs/xrdp.git;branch=master;protocol=https \
file://xrdp.sysconfig \
file://0001-Added-req_distinguished_name-in-etc-xrdp-openssl.con.patch \
file://0001-Fix-the-compile-error.patch \
diff --git a/meta-oe/recipes-support/xxhash/xxhash_0.7.3.bb b/meta-oe/recipes-support/xxhash/xxhash_0.7.3.bb
index 865adc5a1..783af89be 100644
--- a/meta-oe/recipes-support/xxhash/xxhash_0.7.3.bb
+++ b/meta-oe/recipes-support/xxhash/xxhash_0.7.3.bb
@@ -5,7 +5,7 @@ HOMEPAGE = "http://www.xxhash.com/"
LICENSE = "BSD-2-Clause & GPL-2.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=01a7eba4212ef1e882777a38585e7a9b"
-SRC_URI = "git://github.com/Cyan4973/xxHash.git"
+SRC_URI = "git://github.com/Cyan4973/xxHash.git;branch=master;protocol=https"
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
SRCREV = "d408e9b0606d07b1ddc5452ffc0ec8512211b174"
diff --git a/meta-oe/recipes-support/zbar/zbar_git.bb b/meta-oe/recipes-support/zbar/zbar_git.bb
index 935e09cd5..46ca549c5 100644
--- a/meta-oe/recipes-support/zbar/zbar_git.bb
+++ b/meta-oe/recipes-support/zbar/zbar_git.bb
@@ -10,7 +10,7 @@ PV = "0.10+git${SRCPV}"
# iPhoneSDK-1.3.1 tag
SRCREV = "67003d2a985b5f9627bee2d8e3e0b26d0c474b57"
-SRC_URI = "git://github.com/ZBar/Zbar \
+SRC_URI = "git://github.com/ZBar/Zbar;branch=master;protocol=https \
file://0001-make-relies-GNU-extentions.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/zchunk/zchunk_1.1.6.bb b/meta-oe/recipes-support/zchunk/zchunk_1.1.6.bb
index e041132b1..e4c0232bd 100644
--- a/meta-oe/recipes-support/zchunk/zchunk_1.1.6.bb
+++ b/meta-oe/recipes-support/zchunk/zchunk_1.1.6.bb
@@ -4,7 +4,7 @@ AUTHOR = "Jonathan Dieter"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=cd6e590282010ce90a94ef25dd31410f"
-SRC_URI = "git://github.com/zchunk/zchunk.git;protocol=https"
+SRC_URI = "git://github.com/zchunk/zchunk.git;protocol=https;branch=master"
SRCREV = "f5593aa11584faa691c81b4898f0aaded47f8bf7"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-test/bats/bats_1.1.0.bb b/meta-oe/recipes-test/bats/bats_1.1.0.bb
index a8179744a..7ee020576 100644
--- a/meta-oe/recipes-test/bats/bats_1.1.0.bb
+++ b/meta-oe/recipes-test/bats/bats_1.1.0.bb
@@ -6,7 +6,7 @@ HOMEPAGE = "https://github.com/bats-core/bats-core"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE.md;md5=2970203aedf9e829edb96a137a4fe81b"
-SRC_URI = "git://github.com/bats-core/bats-core.git \
+SRC_URI = "git://github.com/bats-core/bats-core.git;branch=master;protocol=https \
"
# v1.1.0
SRCREV = "c706d1470dd1376687776bbe985ac22d09780327"
diff --git a/meta-oe/recipes-test/catch2/catch2_2.9.2.bb b/meta-oe/recipes-test/catch2/catch2_2.9.2.bb
index 57fc935f7..9d449a23a 100644
--- a/meta-oe/recipes-test/catch2/catch2_2.9.2.bb
+++ b/meta-oe/recipes-test/catch2/catch2_2.9.2.bb
@@ -5,7 +5,7 @@ HOMEPAGE = "https://github.com/catchorg/Catch2"
LICENSE = "BSL-1.0"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=e4224ccaecb14d942c71d31bef20d78c"
-SRC_URI = "git://github.com/catchorg/Catch2.git"
+SRC_URI = "git://github.com/catchorg/Catch2.git;branch=master;protocol=https"
SRCREV = "2c869e17e4803d30b3d5ca5b0d76387b9db97fa5"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-test/evtest/evtest_1.34.bb b/meta-oe/recipes-test/evtest/evtest_1.34.bb
index a3a23c895..eb6a34f30 100644
--- a/meta-oe/recipes-test/evtest/evtest_1.34.bb
+++ b/meta-oe/recipes-test/evtest/evtest_1.34.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
DEPENDS = "libxml2"
SRCREV = "16e5104127a620686bdddc4a9ad62881134d6c69"
-SRC_URI = "git://gitlab.freedesktop.org/libevdev/evtest.git;protocol=https \
+SRC_URI = "git://gitlab.freedesktop.org/libevdev/evtest.git;protocol=https;branch=master \
file://add_missing_limits_h_include.patch \
file://0001-Fix-build-on-32bit-arches-with-64bit-time_t.patch \
"
diff --git a/meta-oe/recipes-test/fbtest/fb-test_git.bb b/meta-oe/recipes-test/fbtest/fb-test_git.bb
index 6a9d4b278..299213572 100644
--- a/meta-oe/recipes-test/fbtest/fb-test_git.bb
+++ b/meta-oe/recipes-test/fbtest/fb-test_git.bb
@@ -6,7 +6,7 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a"
SRCREV = "063ec650960c2d79ac51f5c5f026cb05343a33e2"
-SRC_URI = "git://github.com/prpplague/fb-test-app.git"
+SRC_URI = "git://github.com/prpplague/fb-test-app.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-test/googletest/googletest_git.bb b/meta-oe/recipes-test/googletest/googletest_git.bb
index 354e7de33..35fe1bed0 100644
--- a/meta-oe/recipes-test/googletest/googletest_git.bb
+++ b/meta-oe/recipes-test/googletest/googletest_git.bb
@@ -11,7 +11,7 @@ PROVIDES += "gmock gtest"
S = "${WORKDIR}/git"
SRCREV = "703bd9caab50b139428cea1aaff9974ebee5742e"
-SRC_URI = "git://github.com/google/googletest.git"
+SRC_URI = "git://github.com/google/googletest.git;branch=main;protocol=https"
inherit cmake
diff --git a/meta-oe/recipes-test/pm-qa/pm-qa_git.bb b/meta-oe/recipes-test/pm-qa/pm-qa_git.bb
index 7e9971ea4..bb641437c 100644
--- a/meta-oe/recipes-test/pm-qa/pm-qa_git.bb
+++ b/meta-oe/recipes-test/pm-qa/pm-qa_git.bb
@@ -42,6 +42,7 @@ do_install () {
do
# Remove hardcoded relative paths
sed -i -e 's#..\/utils\/##' ${script}
+ sed -i -e 's#. ..\/Switches#${bindir}#g' ${script}
script_basename=`basename ${script}`
install -m 0755 $script ${D}${libdir}/${BPN}/${script_basename}
@@ -54,7 +55,7 @@ do_install () {
# if the script includes any helper scripts from the $libdir
# directory then change the source path to the absolute path
# to reflect the install location of the helper scripts.
- sed -i -e "s#source ../include#source ${libdir}/${BPN}#g" ${script}
+ sed -i -e "s#. ../include#. ${libdir}/${BPN}#g" ${script}
# Remove hardcoded relative paths
sed -i -e 's#..\/utils\/##' ${script}