aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/classes/kernel-devicetree.bbclass18
-rw-r--r--meta/classes/kernel.bbclass4
-rw-r--r--meta/classes/package_pkgdata.bbclass2
-rw-r--r--meta/classes/report-error.bbclass2
-rw-r--r--meta/classes/sstate.bbclass18
-rw-r--r--meta/classes/staging.bbclass6
-rw-r--r--meta/conf/distro/include/yocto-uninative.inc8
-rw-r--r--meta/lib/oeqa/selftest/cases/archiver.py16
-rw-r--r--meta/lib/oeqa/selftest/cases/oelib/utils.py3
-rw-r--r--meta/lib/oeqa/selftest/cases/runcmd.py4
-rw-r--r--meta/lib/oeqa/selftest/cases/runtime_test.py28
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2020-8625.patch17
-rw-r--r--meta/recipes-connectivity/bind/bind_9.11.32.bb (renamed from meta/recipes-connectivity/bind/bind_9.11.22.bb)5
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5.inc1
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch34
-rw-r--r--meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch66
-rw-r--r--meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb1
-rw-r--r--meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch51
-rw-r--r--meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch81
-rw-r--r--meta/recipes-core/busybox/busybox_1.31.1.bb4
-rw-r--r--meta/recipes-core/expat/expat/CVE-2013-0340.patch1758
-rw-r--r--meta/recipes-core/expat/expat/libtool-tag.patch41
-rw-r--r--meta/recipes-core/expat/expat_2.2.9.bb12
-rw-r--r--meta/recipes-core/glibc/glibc-version.inc2
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch112
-rw-r--r--meta/recipes-core/libxml/libxml2_2.9.10.bb1
-rw-r--r--meta/recipes-core/update-rc.d/update-rc.d_0.8.bb2
-rw-r--r--meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb (renamed from meta/recipes-devtools/bootchart2/bootchart2_0.14.8.bb)3
-rw-r--r--meta/recipes-devtools/dwarfsrcfiles/files/dwarfsrcfiles.c13
-rw-r--r--meta/recipes-devtools/pseudo/pseudo.inc13
-rw-r--r--meta/recipes-devtools/pseudo/pseudo_git.bb2
-rw-r--r--meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch248
-rw-r--r--meta/recipes-devtools/python/python3/0001-test_ctypes.test_find-skip-without-tools-sdk.patch33
-rw-r--r--meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch24
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2019-20907.patch44
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2020-14422.patch77
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2020-26116.patch104
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2020-27619.patch70
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2021-3177.patch191
-rw-r--r--meta/recipes-devtools/python/python3_3.8.10.bb (renamed from meta/recipes-devtools/python/python3_3.8.2.bb)20
-rw-r--r--meta/recipes-devtools/python/python3_3.8.11.bb362
-rw-r--r--meta/recipes-devtools/rpm/files/CVE-2021-3421.patch197
-rw-r--r--meta/recipes-devtools/rpm/rpm_4.14.2.1.bb1
-rw-r--r--meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch40
-rw-r--r--meta/recipes-devtools/ruby/ruby_2.7.3.bb (renamed from meta/recipes-devtools/ruby/ruby_2.7.1.bb)5
-rw-r--r--meta/recipes-devtools/valgrind/valgrind_3.15.0.bb2
-rw-r--r--meta/recipes-extended/timezone/tzdata.bb10
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch333
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb1
-rw-r--r--meta/recipes-kernel/linux/kernel-devsrc.bb2
-rw-r--r--meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb6
-rw-r--r--meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb8
-rw-r--r--meta/recipes-kernel/linux/linux-yocto_5.4.bb22
-rw-r--r--meta/recipes-kernel/perf/perf.bb2
-rw-r--r--meta/recipes-kernel/powertop/powertop/0002-configure.ac-ax_add_fortify_source.patch70
-rw-r--r--meta/recipes-kernel/powertop/powertop/0003-configure-Use-AX_REQUIRE_DEFINED.patch29
-rw-r--r--meta/recipes-kernel/powertop/powertop_2.10.bb8
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2021-3522.patch36
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb5
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch207
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch44
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb7
-rw-r--r--meta/recipes-sato/webkit/webkitgtk/0001-clang-11-fix-build-errors-due-to-WWc-11-narrowing.patch66
-rw-r--r--meta/recipes-sato/webkit/webkitgtk/CVE-2020-13753.patch15
-rw-r--r--meta/recipes-sato/webkit/webkitgtk_2.28.4.bb (renamed from meta/recipes-sato/webkit/webkitgtk_2.28.2.bb)5
-rw-r--r--scripts/lib/devtool/deploy.py2
66 files changed, 3672 insertions, 952 deletions
diff --git a/meta/classes/kernel-devicetree.bbclass b/meta/classes/kernel-devicetree.bbclass
index 81dda8003f..27a4905ac6 100644
--- a/meta/classes/kernel-devicetree.bbclass
+++ b/meta/classes/kernel-devicetree.bbclass
@@ -1,14 +1,20 @@
# Support for device tree generation
-PACKAGES_append = " \
- ${KERNEL_PACKAGE_NAME}-devicetree \
- ${@[d.getVar('KERNEL_PACKAGE_NAME') + '-image-zimage-bundle', ''][d.getVar('KERNEL_DEVICETREE_BUNDLE') != '1']} \
-"
+python () {
+ if not bb.data.inherits_class('nopackages', d):
+ d.appendVar("PACKAGES", " ${KERNEL_PACKAGE_NAME}-devicetree")
+ if d.getVar('KERNEL_DEVICETREE_BUNDLE') == '1':
+ d.appendVar("PACKAGES", " ${KERNEL_PACKAGE_NAME}-image-zimage-bundle")
+}
+
FILES_${KERNEL_PACKAGE_NAME}-devicetree = "/${KERNEL_IMAGEDEST}/*.dtb /${KERNEL_IMAGEDEST}/*.dtbo"
FILES_${KERNEL_PACKAGE_NAME}-image-zimage-bundle = "/${KERNEL_IMAGEDEST}/zImage-*.dtb.bin"
# Generate kernel+devicetree bundle
KERNEL_DEVICETREE_BUNDLE ?= "0"
+# dtc flags passed via DTC_FLAGS env variable
+KERNEL_DTC_FLAGS ?= ""
+
normalize_dtb () {
dtb="$1"
if echo $dtb | grep -q '/dts/'; then
@@ -50,6 +56,10 @@ do_configure_append() {
}
do_compile_append() {
+ if [ -n "${KERNEL_DTC_FLAGS}" ]; then
+ export DTC_FLAGS="${KERNEL_DTC_FLAGS}"
+ fi
+
for dtbf in ${KERNEL_DEVICETREE}; do
dtb=`normalize_dtb "$dtbf"`
oe_runmake $dtb CC="${KERNEL_CC} $cc_extra " LD="${KERNEL_LD}" ${KERNEL_EXTRA_ARGS}
diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass
index 518aaef724..2a3cb21fc0 100644
--- a/meta/classes/kernel.bbclass
+++ b/meta/classes/kernel.bbclass
@@ -91,6 +91,8 @@ python __anonymous () {
imagedest = d.getVar('KERNEL_IMAGEDEST')
for type in types.split():
+ if bb.data.inherits_class('nopackages', d):
+ continue
typelower = type.lower()
d.appendVar('PACKAGES', ' %s-image-%s' % (kname, typelower))
d.setVar('FILES_' + kname + '-image-' + typelower, '/' + imagedest + '/' + type + '-${KERNEL_VERSION_NAME}' + ' /' + imagedest + '/' + type)
@@ -680,7 +682,7 @@ do_sizecheck() {
at_least_one_fits=
for imageType in ${KERNEL_IMAGETYPES} ; do
size=`du -ks ${B}/${KERNEL_OUTPUT_DIR}/$imageType | awk '{print $1}'`
- if [ $size -ge ${KERNEL_IMAGE_MAXSIZE} ]; then
+ if [ $size -gt ${KERNEL_IMAGE_MAXSIZE} ]; then
bbwarn "This kernel $imageType (size=$size(K) > ${KERNEL_IMAGE_MAXSIZE}(K)) is too big for your device."
else
at_least_one_fits=y
diff --git a/meta/classes/package_pkgdata.bbclass b/meta/classes/package_pkgdata.bbclass
index 18b7ed62e0..a1ea8fc041 100644
--- a/meta/classes/package_pkgdata.bbclass
+++ b/meta/classes/package_pkgdata.bbclass
@@ -162,6 +162,6 @@ python package_prepare_pkgdata() {
}
package_prepare_pkgdata[cleandirs] = "${WORKDIR_PKGDATA}"
-package_prepare_pkgdata[vardepsexclude] += "MACHINE_ARCH PACKAGE_EXTRA_ARCHS SDK_ARCH BUILD_ARCH SDK_OS BB_TASKDEPDATA"
+package_prepare_pkgdata[vardepsexclude] += "MACHINE_ARCH PACKAGE_EXTRA_ARCHS SDK_ARCH BUILD_ARCH SDK_OS BB_TASKDEPDATA SSTATETASKS"
diff --git a/meta/classes/report-error.bbclass b/meta/classes/report-error.bbclass
index 9cb6b0bd31..de48e4ff0f 100644
--- a/meta/classes/report-error.bbclass
+++ b/meta/classes/report-error.bbclass
@@ -6,8 +6,6 @@
#
# Licensed under the MIT license, see COPYING.MIT for details
-inherit base
-
ERR_REPORT_DIR ?= "${LOG_DIR}/error-report"
def errorreport_getdata(e):
diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index a689f7f677..0a25e3ed9d 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -123,8 +123,6 @@ SSTATE_HASHEQUIV_REPORT_TASKDATA[doc] = "Report additional useful data to the \
python () {
if bb.data.inherits_class('native', d):
d.setVar('SSTATE_PKGARCH', d.getVar('BUILD_ARCH', False))
- if d.getVar("PN") == "pseudo-native":
- d.appendVar('SSTATE_PKGARCH', '_${ORIGNATIVELSBSTRING}')
elif bb.data.inherits_class('crosssdk', d):
d.setVar('SSTATE_PKGARCH', d.expand("${BUILD_ARCH}_${SDK_ARCH}_${SDK_OS}"))
elif bb.data.inherits_class('cross', d):
@@ -483,7 +481,7 @@ def sstate_clean_cachefiles(d):
ss = sstate_state_fromvars(ld, task)
sstate_clean_cachefile(ss, ld)
-def sstate_clean_manifest(manifest, d, prefix=None):
+def sstate_clean_manifest(manifest, d, canrace=False, prefix=None):
import oe.path
mfile = open(manifest)
@@ -501,7 +499,9 @@ def sstate_clean_manifest(manifest, d, prefix=None):
if entry.endswith("/"):
if os.path.islink(entry[:-1]):
os.remove(entry[:-1])
- elif os.path.exists(entry) and len(os.listdir(entry)) == 0:
+ elif os.path.exists(entry) and len(os.listdir(entry)) == 0 and not canrace:
+ # Removing directories whilst builds are in progress exposes a race. Only
+ # do it in contexts where it is safe to do so.
os.rmdir(entry[:-1])
else:
os.remove(entry)
@@ -539,7 +539,7 @@ def sstate_clean(ss, d):
for lock in ss['lockfiles']:
locks.append(bb.utils.lockfile(lock))
- sstate_clean_manifest(manifest, d)
+ sstate_clean_manifest(manifest, d, canrace=True)
for lock in locks:
bb.utils.unlockfile(lock)
@@ -703,6 +703,10 @@ def sstate_package(ss, d):
os.utime(siginfo, None)
except PermissionError:
pass
+ except OSError as e:
+ # Handle read-only file systems gracefully
+ if e.errno != errno.EROFS:
+ raise e
return
@@ -1141,6 +1145,10 @@ python sstate_eventhandler() {
os.utime(siginfo, None)
except PermissionError:
pass
+ except OSError as e:
+ # Handle read-only file systems gracefully
+ if e.errno != errno.EROFS:
+ raise e
}
diff --git a/meta/classes/staging.bbclass b/meta/classes/staging.bbclass
index 506ce0665e..78eb914921 100644
--- a/meta/classes/staging.bbclass
+++ b/meta/classes/staging.bbclass
@@ -408,7 +408,7 @@ python extend_recipe_sysroot() {
if os.path.islink(f) and not os.path.exists(f):
bb.note("%s no longer exists, removing from sysroot" % f)
lnk = os.readlink(f.replace(".complete", ""))
- sstate_clean_manifest(depdir + "/" + lnk, d, workdir)
+ sstate_clean_manifest(depdir + "/" + lnk, d, canrace=True, prefix=workdir)
os.unlink(f)
os.unlink(f.replace(".complete", ""))
@@ -453,7 +453,7 @@ python extend_recipe_sysroot() {
fl = depdir + "/" + l
bb.note("Task %s no longer depends on %s, removing from sysroot" % (mytaskname, l))
lnk = os.readlink(fl)
- sstate_clean_manifest(depdir + "/" + lnk, d, workdir)
+ sstate_clean_manifest(depdir + "/" + lnk, d, canrace=True, prefix=workdir)
os.unlink(fl)
os.unlink(fl + ".complete")
@@ -474,7 +474,7 @@ python extend_recipe_sysroot() {
continue
else:
bb.note("%s exists in sysroot, but is stale (%s vs. %s), removing." % (c, lnk, c + "." + taskhash))
- sstate_clean_manifest(depdir + "/" + lnk, d, workdir)
+ sstate_clean_manifest(depdir + "/" + lnk, d, canrace=True, prefix=workdir)
os.unlink(depdir + "/" + c)
if os.path.lexists(depdir + "/" + c + ".complete"):
os.unlink(depdir + "/" + c + ".complete")
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 05b79d14c3..740cca0ecf 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -8,7 +8,7 @@
UNINATIVE_MAXGLIBCVERSION = "2.33"
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/3.1/"
-UNINATIVE_CHECKSUM[aarch64] ?= "7fa12b9fe7a95934cc09beb0e8a25ff97179ef3105116015d32548eadd27b024"
-UNINATIVE_CHECKSUM[i686] ?= "bbfcdd48336800b5af97e294918c6586a0a8fa903f127f813b0bd5110de8c55c"
-UNINATIVE_CHECKSUM[x86_64] ?= "5d0611df544edff6428cef7d871257a91aa6ba1bd92f5365a2df8deb54b6b31e"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/3.2/"
+UNINATIVE_CHECKSUM[aarch64] ?= "4f0872cdca2775b637a8a99815ca5c8dd42146abe903a24a50ee0448358c764b"
+UNINATIVE_CHECKSUM[i686] ?= "e2eeab92e67263db37d9bb6d4c58579abd1f47ff4cded3171bde572fece124b2"
+UNINATIVE_CHECKSUM[x86_64] ?= "3ee8c7d55e2d4c7ae3887cddb97219f97b94efddfeee2e24923c0cb0e8ce84c6"
diff --git a/meta/lib/oeqa/selftest/cases/archiver.py b/meta/lib/oeqa/selftest/cases/archiver.py
index bc5447d2a3..6a5c8ec71e 100644
--- a/meta/lib/oeqa/selftest/cases/archiver.py
+++ b/meta/lib/oeqa/selftest/cases/archiver.py
@@ -35,11 +35,11 @@ class Archiver(OESelftestTestCase):
src_path = os.path.join(bb_vars['DEPLOY_DIR_SRC'], bb_vars['TARGET_SYS'])
# Check that include_recipe was included
- included_present = len(glob.glob(src_path + '/%s-*' % include_recipe))
+ included_present = len(glob.glob(src_path + '/%s-*/*' % include_recipe))
self.assertTrue(included_present, 'Recipe %s was not included.' % include_recipe)
# Check that exclude_recipe was excluded
- excluded_present = len(glob.glob(src_path + '/%s-*' % exclude_recipe))
+ excluded_present = len(glob.glob(src_path + '/%s-*/*' % exclude_recipe))
self.assertFalse(excluded_present, 'Recipe %s was not excluded.' % exclude_recipe)
def test_archiver_filters_by_type(self):
@@ -67,11 +67,11 @@ class Archiver(OESelftestTestCase):
src_path_native = os.path.join(bb_vars['DEPLOY_DIR_SRC'], bb_vars['BUILD_SYS'])
# Check that target_recipe was included
- included_present = len(glob.glob(src_path_target + '/%s-*' % target_recipe))
+ included_present = len(glob.glob(src_path_target + '/%s-*/*' % target_recipe))
self.assertTrue(included_present, 'Recipe %s was not included.' % target_recipe)
# Check that native_recipe was excluded
- excluded_present = len(glob.glob(src_path_native + '/%s-*' % native_recipe))
+ excluded_present = len(glob.glob(src_path_native + '/%s-*/*' % native_recipe))
self.assertFalse(excluded_present, 'Recipe %s was not excluded.' % native_recipe)
def test_archiver_filters_by_type_and_name(self):
@@ -104,17 +104,17 @@ class Archiver(OESelftestTestCase):
src_path_native = os.path.join(bb_vars['DEPLOY_DIR_SRC'], bb_vars['BUILD_SYS'])
# Check that target_recipe[0] and native_recipes[1] were included
- included_present = len(glob.glob(src_path_target + '/%s-*' % target_recipes[0]))
+ included_present = len(glob.glob(src_path_target + '/%s-*/*' % target_recipes[0]))
self.assertTrue(included_present, 'Recipe %s was not included.' % target_recipes[0])
- included_present = len(glob.glob(src_path_native + '/%s-*' % native_recipes[1]))
+ included_present = len(glob.glob(src_path_native + '/%s-*/*' % native_recipes[1]))
self.assertTrue(included_present, 'Recipe %s was not included.' % native_recipes[1])
# Check that native_recipes[0] and target_recipes[1] were excluded
- excluded_present = len(glob.glob(src_path_native + '/%s-*' % native_recipes[0]))
+ excluded_present = len(glob.glob(src_path_native + '/%s-*/*' % native_recipes[0]))
self.assertFalse(excluded_present, 'Recipe %s was not excluded.' % native_recipes[0])
- excluded_present = len(glob.glob(src_path_target + '/%s-*' % target_recipes[1]))
+ excluded_present = len(glob.glob(src_path_target + '/%s-*/*' % target_recipes[1]))
self.assertFalse(excluded_present, 'Recipe %s was not excluded.' % target_recipes[1])
diff --git a/meta/lib/oeqa/selftest/cases/oelib/utils.py b/meta/lib/oeqa/selftest/cases/oelib/utils.py
index a7214beb4c..bbf67bf9c9 100644
--- a/meta/lib/oeqa/selftest/cases/oelib/utils.py
+++ b/meta/lib/oeqa/selftest/cases/oelib/utils.py
@@ -64,7 +64,7 @@ class TestMultiprocessLaunch(TestCase):
import bb
def testfunction(item, d):
- if item == "2" or item == "1":
+ if item == "2":
raise KeyError("Invalid number %s" % item)
return "Found %s" % item
@@ -99,5 +99,4 @@ class TestMultiprocessLaunch(TestCase):
# Assert the function prints exceptions
with captured_output() as (out, err):
self.assertRaises(bb.BBHandledException, multiprocess_launch, testfunction, ["1", "2", "3", "4", "5", "6"], d, extraargs=(d,))
- self.assertIn("KeyError: 'Invalid number 1'", out.getvalue())
self.assertIn("KeyError: 'Invalid number 2'", out.getvalue())
diff --git a/meta/lib/oeqa/selftest/cases/runcmd.py b/meta/lib/oeqa/selftest/cases/runcmd.py
index fa6113d7fa..e9612389fe 100644
--- a/meta/lib/oeqa/selftest/cases/runcmd.py
+++ b/meta/lib/oeqa/selftest/cases/runcmd.py
@@ -27,8 +27,8 @@ class RunCmdTests(OESelftestTestCase):
# The delta is intentionally smaller than the timeout, to detect cases where
# we incorrectly apply the timeout more than once.
- TIMEOUT = 5
- DELTA = 3
+ TIMEOUT = 10
+ DELTA = 8
def test_result_okay(self):
result = runCmd("true")
diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py
index 976b513727..353d411681 100644
--- a/meta/lib/oeqa/selftest/cases/runtime_test.py
+++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
@@ -14,11 +14,6 @@ from oeqa.core.decorator.data import skipIfNotQemu
class TestExport(OESelftestTestCase):
- @classmethod
- def tearDownClass(cls):
- runCmd("rm -rf /tmp/sdk")
- super(TestExport, cls).tearDownClass()
-
def test_testexport_basic(self):
"""
Summary: Check basic testexport functionality with only ping test enabled.
@@ -95,19 +90,20 @@ class TestExport(OESelftestTestCase):
msg = "Couldn't find SDK tarball: %s" % tarball_path
self.assertEqual(os.path.isfile(tarball_path), True, msg)
- # Extract SDK and run tar from SDK
- result = runCmd("%s -y -d /tmp/sdk" % tarball_path)
- self.assertEqual(0, result.status, "Couldn't extract SDK")
+ with tempfile.TemporaryDirectory() as tmpdirname:
+ # Extract SDK and run tar from SDK
+ result = runCmd("%s -y -d %s" % (tarball_path, tmpdirname))
+ self.assertEqual(0, result.status, "Couldn't extract SDK")
- env_script = result.output.split()[-1]
- result = runCmd(". %s; which tar" % env_script, shell=True)
- self.assertEqual(0, result.status, "Couldn't setup SDK environment")
- is_sdk_tar = True if "/tmp/sdk" in result.output else False
- self.assertTrue(is_sdk_tar, "Couldn't setup SDK environment")
+ env_script = result.output.split()[-1]
+ result = runCmd(". %s; which tar" % env_script, shell=True)
+ self.assertEqual(0, result.status, "Couldn't setup SDK environment")
+ is_sdk_tar = True if tmpdirname in result.output else False
+ self.assertTrue(is_sdk_tar, "Couldn't setup SDK environment")
- tar_sdk = result.output
- result = runCmd("%s --version" % tar_sdk)
- self.assertEqual(0, result.status, "Couldn't run tar from SDK")
+ tar_sdk = result.output
+ result = runCmd("%s --version" % tar_sdk)
+ self.assertEqual(0, result.status, "Couldn't run tar from SDK")
class TestImage(OESelftestTestCase):
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8625.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8625.patch
deleted file mode 100644
index 9078f2448e..0000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2020-8625.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Upstream-Status: Backporting [https://downloads.isc.org/isc/bind9/9.16.12/patches/CVE-2020-8625.patch]
-CVE: CVE-2020-8625
-Signed-off-by: Minjae Kim <flowergom@gmail.com>
-
-diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
-index e61d1c600f2..753dc8049fa 100644
---- a/lib/dns/spnego.c
-+++ b/lib/dns/spnego.c
-@@ -848,7 +848,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
- return (ASN1_OVERRUN);
- }
-
-- data->components = malloc(len * sizeof(*data->components));
-+ data->components = malloc((len + 1) * sizeof(*data->components));
- if (data->components == NULL) {
- return (ENOMEM);
- }
diff --git a/meta/recipes-connectivity/bind/bind_9.11.22.bb b/meta/recipes-connectivity/bind/bind_9.11.32.bb
index 5598ba976d..9feebe5ae2 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.22.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.32.bb
@@ -4,7 +4,7 @@ DESCRIPTION = "BIND 9 provides a full-featured Domain Name Server system"
SECTION = "console/network"
LICENSE = "ISC & BSD"
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=bf39058a7f64b2a934ce14dc9ec1dd45"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=b88e7ca5f21908e1b2720169f6807cf6"
DEPENDS = "openssl libcap zlib"
@@ -19,10 +19,9 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
file://0001-avoid-start-failure-with-bind-user.patch \
- file://CVE-2020-8625.patch \
"
-SRC_URI[sha256sum] = "afc6d8015006f1cabf699ff19f517bb8fd9c1811e5231f26baf51c3550262ac9"
+SRC_URI[sha256sum] = "cbf8cb4b74dd1452d97c3a2a8c625ea346df8516b4b3508ef07443121a591342"
UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
# stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index f34ba0dce5..202a14dee0 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -52,6 +52,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
file://0001-test-gatt-Fix-hung-issue.patch \
+ file://CVE-2021-3588.patch \
"
S = "${WORKDIR}/bluez-${PV}"
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch
new file mode 100644
index 0000000000..f52ff47a06
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch
@@ -0,0 +1,34 @@
+From 3a40bef49305f8327635b81ac8be52a3ca063d5a Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Mon, 4 Jan 2021 10:38:31 -0800
+Subject: [PATCH] gatt: Fix potential buffer out-of-bound
+
+When client features is read check if the offset is within the cli_feat
+bounds.
+
+Fixes: https://github.com/bluez/bluez/issues/70
+
++Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3a40bef49305f8327635b81ac8be52a3ca063d5a]
++Signed-off-by: Steve Sakoman <steve@sakoman.com>
++CVE: CVE-2021-3588
+
+---
+ src/gatt-database.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/gatt-database.c b/src/gatt-database.c
+index 90cc4bade..f2d7b5821 100644
+--- a/src/gatt-database.c
++++ b/src/gatt-database.c
+@@ -1075,6 +1075,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
+ goto done;
+ }
+
++ if (offset >= sizeof(state->cli_feat)) {
++ ecode = BT_ATT_ERROR_INVALID_OFFSET;
++ goto done;
++ }
++
+ len = sizeof(state->cli_feat) - offset;
+ value = len ? &state->cli_feat[offset] : NULL;
+
diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch
new file mode 100644
index 0000000000..91aaf83a77
--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch
@@ -0,0 +1,66 @@
+From 5a7344b05081d84343a1627e47478f3990b17700 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Thu, 8 Jul 2021 00:08:25 +0000
+Subject: [PATCH] ISC has disclosed a vulnerability in ISC DHCP
+ (CVE-2021-25217)
+
+On May 26, 2021, we (Internet Systems Consortium) disclosed a
+vulnerability affecting our ISC DHCP software:
+
+ CVE-2021-25217: A buffer overrun in lease file parsing code can be
+ used to exploit a common vulnerability shared by dhcpd and dhclient
+ https://kb.isc.org/docs/cve-2021-25217
+
+New versions of ISC DHCP are available from https://www.isc.org/downloads
+
+Operators and package maintainers who prefer to apply patches selectively can
+find individual vulnerability-specific patches in the "patches" subdirectory
+of the release directories for our two stable release branches (4.4 and 4.1-ESV)
+
+ https://downloads.isc.org/isc/dhcp/4.4.2-P1/patches
+ https://downloads.isc.org/isc/dhcp/4.1-ESV-R16-P1/patches
+
+With the public announcement of this vulnerability, the embargo
+period is ended and any updated software packages that have been
+prepared may be released.
+
+Upstream-Status: Accepted [https://www.openwall.com/lists/oss-security/2021/05/26/6]
+CVE: CVE-2021-25217
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ common/parse.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/common/parse.c b/common/parse.c
+index 386a632..fc7b39c 100644
+--- a/common/parse.c
++++ b/common/parse.c
+@@ -3,7 +3,7 @@
+ Common parser code for dhcpd and dhclient. */
+
+ /*
+- * Copyright (c) 2004-2019 by Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (c) 2004-2021 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1995-2003 by Internet Software Consortium
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+@@ -5556,13 +5556,14 @@ int parse_X (cfile, buf, max)
+ skip_to_semi (cfile);
+ return 0;
+ }
+- convert_num (cfile, &buf [len], val, 16, 8);
+- if (len++ > max) {
++ if (len >= max) {
+ parse_warn (cfile,
+ "hexadecimal constant too long.");
+ skip_to_semi (cfile);
+ return 0;
+ }
++ convert_num (cfile, &buf [len], val, 16, 8);
++ len++;
+ token = peek_token (&val, (unsigned *)0, cfile);
+ if (token == COLON)
+ token = next_token (&val,
+--
+2.17.1
+
diff --git a/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb b/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
index b56a204821..5609a350cc 100644
--- a/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
+++ b/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
@@ -10,6 +10,7 @@ SRC_URI += "file://0001-define-macro-_PATH_DHCPD_CONF-and-_PATH_DHCLIENT_CON.pat
file://0012-dhcp-correct-the-intention-for-xml2-lib-search.patch \
file://0013-fixup_use_libbind.patch \
file://0001-workaround-busybox-limitation-in-linux-dhclient-script.patch \
+ file://CVE-2021-25217.patch \
"
SRC_URI[md5sum] = "2afdaf8498dc1edaf3012efdd589b3e1"
diff --git a/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
new file mode 100644
index 0000000000..b75f0907e7
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
@@ -0,0 +1,51 @@
+From fe791386ebc270219ca00406c9fdadc5130b64ee Mon Sep 17 00:00:00 2001
+From: Samuel Sapalski <samuel.sapalski@nokia.com>
+Date: Wed, 3 Mar 2021 16:31:22 +0100
+Subject: [PATCH] decompress_gunzip: Fix DoS if gzip is corrupt
+
+On certain corrupt gzip files, huft_build will set the error bit on
+the result pointer. If afterwards abort_unzip is called huft_free
+might run into a segmentation fault or an invalid pointer to
+free(p).
+
+In order to mitigate this, we check in huft_free if the error bit
+is set and clear it before the linked list is freed.
+
+Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>
+Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-28831
+Comment: One hunk from this patch is removed as it was not relevant.
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+Signed-off-by: Akash Hadke <Akash.Hadke@kpit.com>
+---
+ archival/libarchive/decompress_gunzip.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
+index eb3b64930..e93cd5005 100644
+--- a/archival/libarchive/decompress_gunzip.c
++++ b/archival/libarchive/decompress_gunzip.c
+@@ -220,10 +220,20 @@ static const uint8_t border[] ALIGN1 = {
+ * each table.
+ * t: table to free
+ */
++#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
++#define ERR_RET ((huft_t*)(uintptr_t)1)
+ static void huft_free(huft_t *p)
+ {
+ huft_t *q;
+
++ /*
++ * If 'p' has the error bit set we have to clear it, otherwise we might run
++ * into a segmentation fault or an invalid pointer to free(p)
++ */
++ if (BAD_HUFT(p)) {
++ p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET));
++ }
++
+ /* Go through linked list, freeing from the malloced (t[-1]) address. */
+ while (p) {
+ q = (--p)->v.t;
diff --git a/meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch b/meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch
new file mode 100644
index 0000000000..4a1960dff2
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch
@@ -0,0 +1,81 @@
+From ceb378209f953ea745ed93a8645567196380ce3c Mon Sep 17 00:00:00 2001
+From: Andrej Valek <andrej.valek@siemens.com>
+Date: Thu, 24 Jun 2021 19:13:22 +0200
+Subject: [PATCH] mktemp: add tmpdir option
+
+Make mktemp more compatible with coreutils.
+- add "--tmpdir" option
+- add long variants for "d,q,u" options
+
+Upstream-Status: Submitted [http://lists.busybox.net/pipermail/busybox/2021-June/088932.html]
+
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ coreutils/mktemp.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/coreutils/mktemp.c b/coreutils/mktemp.c
+index 5393320a5..05c6d98c6 100644
+--- a/coreutils/mktemp.c
++++ b/coreutils/mktemp.c
+@@ -39,16 +39,17 @@
+ //kbuild:lib-$(CONFIG_MKTEMP) += mktemp.o
+
+ //usage:#define mktemp_trivial_usage
+-//usage: "[-dt] [-p DIR] [TEMPLATE]"
++//usage: "[-dt] [-p DIR, --tmpdir[=DIR]] [TEMPLATE]"
+ //usage:#define mktemp_full_usage "\n\n"
+ //usage: "Create a temporary file with name based on TEMPLATE and print its name.\n"
+ //usage: "TEMPLATE must end with XXXXXX (e.g. [/dir/]nameXXXXXX).\n"
+ //usage: "Without TEMPLATE, -t tmp.XXXXXX is assumed.\n"
+-//usage: "\n -d Make directory, not file"
+-//usage: "\n -q Fail silently on errors"
+-//usage: "\n -t Prepend base directory name to TEMPLATE"
+-//usage: "\n -p DIR Use DIR as a base directory (implies -t)"
+-//usage: "\n -u Do not create anything; print a name"
++//usage: "\n -d Make directory, not file"
++//usage: "\n -q Fail silently on errors"
++//usage: "\n -t Prepend base directory name to TEMPLATE"
++//usage: "\n -p DIR, --tmpdir[=DIR] Use DIR as a base directory (implies -t)"
++//usage: "\n For --tmpdir is a optional one."
++//usage: "\n -u Do not create anything; print a name"
+ //usage: "\n"
+ //usage: "\nBase directory is: -p DIR, else $TMPDIR, else /tmp"
+ //usage:
+@@ -72,13 +73,22 @@ int mktemp_main(int argc UNUSED_PARAM, char **argv)
+ OPT_t = 1 << 2,
+ OPT_p = 1 << 3,
+ OPT_u = 1 << 4,
++ OPT_td = 1 << 5,
+ };
+
+ path = getenv("TMPDIR");
+ if (!path || path[0] == '\0')
+ path = "/tmp";
+
+- opts = getopt32(argv, "^" "dqtp:u" "\0" "?1"/*1 arg max*/, &path);
++ opts = getopt32long(argv, "^"
++ "dqtp:u\0"
++ "?1" /* 1 arg max */,
++ "directory\0" No_argument "d"
++ "quiet\0" No_argument "q"
++ "dry-run\0" No_argument "u"
++ "tmpdir\0" Optional_argument "\xff"
++ , &path, &path
++ );
+
+ chp = argv[optind];
+ if (!chp) {
+@@ -95,7 +105,7 @@ int mktemp_main(int argc UNUSED_PARAM, char **argv)
+ goto error;
+ }
+ #endif
+- if (opts & (OPT_t|OPT_p))
++ if (opts & (OPT_t|OPT_p|OPT_td))
+ chp = concat_path_file(path, chp);
+
+ if (opts & OPT_u) {
+--
+2.11.0
+
diff --git a/meta/recipes-core/busybox/busybox_1.31.1.bb b/meta/recipes-core/busybox/busybox_1.31.1.bb
index 7563368287..d9d5f4f96b 100644
--- a/meta/recipes-core/busybox/busybox_1.31.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.31.1.bb
@@ -50,7 +50,9 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \
file://busybox-CVE-2018-1000500.patch \
file://0001-hwclock-make-glibc-2.31-compatible.patch \
-"
+ file://0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch \
+ file://0001-mktemp-add-tmpdir-option.patch \
+ "
SRC_URI_append_libc-musl = " file://musl.cfg "
SRC_URI[tarball.md5sum] = "70913edaf2263a157393af07565c17f0"
diff --git a/meta/recipes-core/expat/expat/CVE-2013-0340.patch b/meta/recipes-core/expat/expat/CVE-2013-0340.patch
new file mode 100644
index 0000000000..1ab4d06508
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2013-0340.patch
@@ -0,0 +1,1758 @@
+From a644ccf25392523b1329872310e24d0fc5f40629 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Apr 2021 21:42:51 +0200
+Subject: [PATCH] expat: Backport fix for CVE-2013-0340
+
+Issue: https://github.com/libexpat/libexpat/issues/34
+
+This patch cherry-picks the following commits from upstream release
+2.4.0 onto 2.2.9:
+
+- b1d039607d3d8a042bf0466bfcc1c0f104e353c8
+- 60959f2b491876199879d97c8ed956eabb0c2e73
+
+Upstream-Status: Backport
+CVE: CVE-2013-0340
+Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
+---
+ lib/expat.h | 21 +-
+ lib/internal.h | 30 +
+ lib/libexpat.def | 3 +
+ lib/libexpatw.def | 3 +
+ lib/xmlparse.c | 1147 +++++++++++++++++++++++++++++++++++++--
+ 5 files changed, 1143 insertions(+), 61 deletions(-)
+
+diff --git a/lib/expat.h b/lib/expat.h
+index 48a6e2a3..0fb70d9d 100644
+--- a/lib/expat.h
++++ b/lib/expat.h
+@@ -115,7 +115,9 @@ enum XML_Error {
+ XML_ERROR_RESERVED_PREFIX_XMLNS,
+ XML_ERROR_RESERVED_NAMESPACE_URI,
+ /* Added in 2.2.1. */
+- XML_ERROR_INVALID_ARGUMENT
++ XML_ERROR_INVALID_ARGUMENT,
++ /* Added in 2.4.0. */
++ XML_ERROR_AMPLIFICATION_LIMIT_BREACH
+ };
+
+ enum XML_Content_Type {
+@@ -997,7 +999,10 @@ enum XML_FeatureEnum {
+ XML_FEATURE_SIZEOF_XML_LCHAR,
+ XML_FEATURE_NS,
+ XML_FEATURE_LARGE_SIZE,
+- XML_FEATURE_ATTR_INFO
++ XML_FEATURE_ATTR_INFO,
++ /* Added in Expat 2.4.0. */
++ XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT,
++ XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT
+ /* Additional features must be added to the end of this enum. */
+ };
+
+@@ -1010,6 +1015,18 @@ typedef struct {
+ XMLPARSEAPI(const XML_Feature *)
+ XML_GetFeatureList(void);
+
++#ifdef XML_DTD
++/* Added in Expat 2.4.0. */
++XMLPARSEAPI(XML_Bool)
++XML_SetBillionLaughsAttackProtectionMaximumAmplification(
++ XML_Parser parser, float maximumAmplificationFactor);
++
++/* Added in Expat 2.4.0. */
++XMLPARSEAPI(XML_Bool)
++XML_SetBillionLaughsAttackProtectionActivationThreshold(
++ XML_Parser parser, unsigned long long activationThresholdBytes);
++#endif
++
+ /* Expat follows the semantic versioning convention.
+ See http://semver.org.
+ */
+diff --git a/lib/internal.h b/lib/internal.h
+index 60913dab..d8b31fa2 100644
+--- a/lib/internal.h
++++ b/lib/internal.h
+@@ -101,10 +101,40 @@
+ # endif
+ #endif
+
++#include <limits.h> // ULONG_MAX
++
++#if defined(_WIN32) && ! defined(__USE_MINGW_ANSI_STDIO)
++# define EXPAT_FMT_ULL(midpart) "%" midpart "I64u"
++# if defined(_WIN64) // Note: modifier "td" does not work for MinGW
++# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "I64d"
++# else
++# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d"
++# endif
++#else
++# define EXPAT_FMT_ULL(midpart) "%" midpart "llu"
++# if ! defined(ULONG_MAX)
++# error Compiler did not define ULONG_MAX for us
++# elif ULONG_MAX == 18446744073709551615u // 2^64-1
++# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "ld"
++# else
++# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d"
++# endif
++#endif
++
+ #ifndef UNUSED_P
+ # define UNUSED_P(p) (void)p
+ #endif
+
++/* NOTE BEGIN If you ever patch these defaults to greater values
++ for non-attack XML payload in your environment,
++ please file a bug report with libexpat. Thank you!
++*/
++#define EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT \
++ 100.0f
++#define EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT \
++ 8388608 // 8 MiB, 2^23
++/* NOTE END */
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
+diff --git a/lib/libexpat.def b/lib/libexpat.def
+index 16faf595..5aefa6df 100644
+--- a/lib/libexpat.def
++++ b/lib/libexpat.def
+@@ -76,3 +76,6 @@ EXPORTS
+ XML_SetHashSalt @67
+ ; added with version 2.2.5
+ _INTERNAL_trim_to_complete_utf8_characters @68
++; added with version 2.4.0
++ XML_SetBillionLaughsAttackProtectionActivationThreshold @69
++ XML_SetBillionLaughsAttackProtectionMaximumAmplification @70
+diff --git a/lib/libexpatw.def b/lib/libexpatw.def
+index 16faf595..5aefa6df 100644
+--- a/lib/libexpatw.def
++++ b/lib/libexpatw.def
+@@ -76,3 +76,6 @@ EXPORTS
+ XML_SetHashSalt @67
+ ; added with version 2.2.5
+ _INTERNAL_trim_to_complete_utf8_characters @68
++; added with version 2.4.0
++ XML_SetBillionLaughsAttackProtectionActivationThreshold @69
++ XML_SetBillionLaughsAttackProtectionMaximumAmplification @70
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 3aaf35b9..6790bc28 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -47,6 +47,8 @@
+ #include <limits.h> /* UINT_MAX */
+ #include <stdio.h> /* fprintf */
+ #include <stdlib.h> /* getenv, rand_s */
++#include <stdint.h> /* uintptr_t */
++#include <math.h> /* isnan */
+
+ #ifdef _WIN32
+ # define getpid GetCurrentProcessId
+@@ -373,6 +375,31 @@ typedef struct open_internal_entity {
+ XML_Bool betweenDecl; /* WFC: PE Between Declarations */
+ } OPEN_INTERNAL_ENTITY;
+
++enum XML_Account {
++ XML_ACCOUNT_DIRECT, /* bytes directly passed to the Expat parser */
++ XML_ACCOUNT_ENTITY_EXPANSION, /* intermediate bytes produced during entity
++ expansion */
++ XML_ACCOUNT_NONE /* i.e. do not account, was accounted already */
++};
++
++#ifdef XML_DTD
++typedef unsigned long long XmlBigCount;
++typedef struct accounting {
++ XmlBigCount countBytesDirect;
++ XmlBigCount countBytesIndirect;
++ int debugLevel;
++ float maximumAmplificationFactor; // >=1.0
++ unsigned long long activationThresholdBytes;
++} ACCOUNTING;
++
++typedef struct entity_stats {
++ unsigned int countEverOpened;
++ unsigned int currentDepth;
++ unsigned int maximumDepthSeen;
++ int debugLevel;
++} ENTITY_STATS;
++#endif /* XML_DTD */
++
+ typedef enum XML_Error PTRCALL Processor(XML_Parser parser, const char *start,
+ const char *end, const char **endPtr);
+
+@@ -403,16 +430,18 @@ static enum XML_Error initializeEncoding(XML_Parser parser);
+ static enum XML_Error doProlog(XML_Parser parser, const ENCODING *enc,
+ const char *s, const char *end, int tok,
+ const char *next, const char **nextPtr,
+- XML_Bool haveMore, XML_Bool allowClosingDoctype);
++ XML_Bool haveMore, XML_Bool allowClosingDoctype,
++ enum XML_Account account);
+ static enum XML_Error processInternalEntity(XML_Parser parser, ENTITY *entity,
+ XML_Bool betweenDecl);
+ static enum XML_Error doContent(XML_Parser parser, int startTagLevel,
+ const ENCODING *enc, const char *start,
+ const char *end, const char **endPtr,
+- XML_Bool haveMore);
++ XML_Bool haveMore, enum XML_Account account);
+ static enum XML_Error doCdataSection(XML_Parser parser, const ENCODING *,
+ const char **startPtr, const char *end,
+- const char **nextPtr, XML_Bool haveMore);
++ const char **nextPtr, XML_Bool haveMore,
++ enum XML_Account account);
+ #ifdef XML_DTD
+ static enum XML_Error doIgnoreSection(XML_Parser parser, const ENCODING *,
+ const char **startPtr, const char *end,
+@@ -422,7 +451,8 @@ static enum XML_Error doIgnoreSection(XML_Parser parser, const ENCODING *,
+ static void freeBindings(XML_Parser parser, BINDING *bindings);
+ static enum XML_Error storeAtts(XML_Parser parser, const ENCODING *,
+ const char *s, TAG_NAME *tagNamePtr,
+- BINDING **bindingsPtr);
++ BINDING **bindingsPtr,
++ enum XML_Account account);
+ static enum XML_Error addBinding(XML_Parser parser, PREFIX *prefix,
+ const ATTRIBUTE_ID *attId, const XML_Char *uri,
+ BINDING **bindingsPtr);
+@@ -431,15 +461,18 @@ static int defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *, XML_Bool isCdata,
+ XML_Parser parser);
+ static enum XML_Error storeAttributeValue(XML_Parser parser, const ENCODING *,
+ XML_Bool isCdata, const char *,
+- const char *, STRING_POOL *);
++ const char *, STRING_POOL *,
++ enum XML_Account account);
+ static enum XML_Error appendAttributeValue(XML_Parser parser, const ENCODING *,
+ XML_Bool isCdata, const char *,
+- const char *, STRING_POOL *);
++ const char *, STRING_POOL *,
++ enum XML_Account account);
+ static ATTRIBUTE_ID *getAttributeId(XML_Parser parser, const ENCODING *enc,
+ const char *start, const char *end);
+ static int setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *);
+ static enum XML_Error storeEntityValue(XML_Parser parser, const ENCODING *enc,
+- const char *start, const char *end);
++ const char *start, const char *end,
++ enum XML_Account account);
+ static int reportProcessingInstruction(XML_Parser parser, const ENCODING *enc,
+ const char *start, const char *end);
+ static int reportComment(XML_Parser parser, const ENCODING *enc,
+@@ -503,6 +536,35 @@ static XML_Parser parserCreate(const XML_Char *encodingName,
+
+ static void parserInit(XML_Parser parser, const XML_Char *encodingName);
+
++#ifdef XML_DTD
++static float accountingGetCurrentAmplification(XML_Parser rootParser);
++static void accountingReportStats(XML_Parser originParser, const char *epilog);
++static void accountingOnAbort(XML_Parser originParser);
++static void accountingReportDiff(XML_Parser rootParser,
++ unsigned int levelsAwayFromRootParser,
++ const char *before, const char *after,
++ ptrdiff_t bytesMore, int source_line,
++ enum XML_Account account);
++static XML_Bool accountingDiffTolerated(XML_Parser originParser, int tok,
++ const char *before, const char *after,
++ int source_line,
++ enum XML_Account account);
++
++static void entityTrackingReportStats(XML_Parser parser, ENTITY *entity,
++ const char *action, int sourceLine);
++static void entityTrackingOnOpen(XML_Parser parser, ENTITY *entity,
++ int sourceLine);
++static void entityTrackingOnClose(XML_Parser parser, ENTITY *entity,
++ int sourceLine);
++
++static XML_Parser getRootParserOf(XML_Parser parser,
++ unsigned int *outLevelDiff);
++static const char *unsignedCharToPrintable(unsigned char c);
++#endif /* XML_DTD */
++
++static unsigned long getDebugLevel(const char *variableName,
++ unsigned long defaultDebugLevel);
++
+ #define poolStart(pool) ((pool)->start)
+ #define poolEnd(pool) ((pool)->ptr)
+ #define poolLength(pool) ((pool)->ptr - (pool)->start)
+@@ -616,6 +678,10 @@ struct XML_ParserStruct {
+ enum XML_ParamEntityParsing m_paramEntityParsing;
+ #endif
+ unsigned long m_hash_secret_salt;
++#ifdef XML_DTD
++ ACCOUNTING m_accounting;
++ ENTITY_STATS m_entity_stats;
++#endif
+ };
+
+ #define MALLOC(parser, s) (parser->m_mem.malloc_fcn((s)))
+@@ -1055,6 +1121,18 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) {
+ parser->m_paramEntityParsing = XML_PARAM_ENTITY_PARSING_NEVER;
+ #endif
+ parser->m_hash_secret_salt = 0;
++
++#ifdef XML_DTD
++ memset(&parser->m_accounting, 0, sizeof(ACCOUNTING));
++ parser->m_accounting.debugLevel = getDebugLevel("EXPAT_ACCOUNTING_DEBUG", 0u);
++ parser->m_accounting.maximumAmplificationFactor
++ = EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT;
++ parser->m_accounting.activationThresholdBytes
++ = EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT;
++
++ memset(&parser->m_entity_stats, 0, sizeof(ENTITY_STATS));
++ parser->m_entity_stats.debugLevel = getDebugLevel("EXPAT_ENTITY_DEBUG", 0u);
++#endif
+ }
+
+ /* moves list of bindings to m_freeBindingList */
+@@ -2318,6 +2396,10 @@ XML_ErrorString(enum XML_Error code) {
+ /* Added in 2.2.5. */
+ case XML_ERROR_INVALID_ARGUMENT: /* Constant added in 2.2.1, already */
+ return XML_L("invalid argument");
++ /* Added in 2.4.0. */
++ case XML_ERROR_AMPLIFICATION_LIMIT_BREACH:
++ return XML_L(
++ "limit on input amplification factor (from DTD and entities) breached");
+ }
+ return NULL;
+ }
+@@ -2354,41 +2436,75 @@ XML_ExpatVersionInfo(void) {
+
+ const XML_Feature *XMLCALL
+ XML_GetFeatureList(void) {
+- static const XML_Feature features[]
+- = {{XML_FEATURE_SIZEOF_XML_CHAR, XML_L("sizeof(XML_Char)"),
+- sizeof(XML_Char)},
+- {XML_FEATURE_SIZEOF_XML_LCHAR, XML_L("sizeof(XML_LChar)"),
+- sizeof(XML_LChar)},
++ static const XML_Feature features[] = {
++ {XML_FEATURE_SIZEOF_XML_CHAR, XML_L("sizeof(XML_Char)"),
++ sizeof(XML_Char)},
++ {XML_FEATURE_SIZEOF_XML_LCHAR, XML_L("sizeof(XML_LChar)"),
++ sizeof(XML_LChar)},
+ #ifdef XML_UNICODE
+- {XML_FEATURE_UNICODE, XML_L("XML_UNICODE"), 0},
++ {XML_FEATURE_UNICODE, XML_L("XML_UNICODE"), 0},
+ #endif
+ #ifdef XML_UNICODE_WCHAR_T
+- {XML_FEATURE_UNICODE_WCHAR_T, XML_L("XML_UNICODE_WCHAR_T"), 0},
++ {XML_FEATURE_UNICODE_WCHAR_T, XML_L("XML_UNICODE_WCHAR_T"), 0},
+ #endif
+ #ifdef XML_DTD
+- {XML_FEATURE_DTD, XML_L("XML_DTD"), 0},
++ {XML_FEATURE_DTD, XML_L("XML_DTD"), 0},
+ #endif
+ #ifdef XML_CONTEXT_BYTES
+- {XML_FEATURE_CONTEXT_BYTES, XML_L("XML_CONTEXT_BYTES"),
+- XML_CONTEXT_BYTES},
++ {XML_FEATURE_CONTEXT_BYTES, XML_L("XML_CONTEXT_BYTES"),
++ XML_CONTEXT_BYTES},
+ #endif
+ #ifdef XML_MIN_SIZE
+- {XML_FEATURE_MIN_SIZE, XML_L("XML_MIN_SIZE"), 0},
++ {XML_FEATURE_MIN_SIZE, XML_L("XML_MIN_SIZE"), 0},
+ #endif
+ #ifdef XML_NS
+- {XML_FEATURE_NS, XML_L("XML_NS"), 0},
++ {XML_FEATURE_NS, XML_L("XML_NS"), 0},
+ #endif
+ #ifdef XML_LARGE_SIZE
+- {XML_FEATURE_LARGE_SIZE, XML_L("XML_LARGE_SIZE"), 0},
++ {XML_FEATURE_LARGE_SIZE, XML_L("XML_LARGE_SIZE"), 0},
+ #endif
+ #ifdef XML_ATTR_INFO
+- {XML_FEATURE_ATTR_INFO, XML_L("XML_ATTR_INFO"), 0},
++ {XML_FEATURE_ATTR_INFO, XML_L("XML_ATTR_INFO"), 0},
+ #endif
+- {XML_FEATURE_END, NULL, 0}};
++#ifdef XML_DTD
++ /* Added in Expat 2.4.0. */
++ {XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT,
++ XML_L("XML_BLAP_MAX_AMP"),
++ (long int)
++ EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT},
++ {XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT,
++ XML_L("XML_BLAP_ACT_THRES"),
++ EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT},
++#endif
++ {XML_FEATURE_END, NULL, 0}};
+
+ return features;
+ }
+
++#ifdef XML_DTD
++XML_Bool XMLCALL
++XML_SetBillionLaughsAttackProtectionMaximumAmplification(
++ XML_Parser parser, float maximumAmplificationFactor) {
++ if ((parser == NULL) || (parser->m_parentParser != NULL)
++ || isnan(maximumAmplificationFactor)
++ || (maximumAmplificationFactor < 1.0f)) {
++ return XML_FALSE;
++ }
++ parser->m_accounting.maximumAmplificationFactor = maximumAmplificationFactor;
++ return XML_TRUE;
++}
++
++XML_Bool XMLCALL
++XML_SetBillionLaughsAttackProtectionActivationThreshold(
++ XML_Parser parser, unsigned long long activationThresholdBytes) {
++ if ((parser == NULL) || (parser->m_parentParser != NULL)) {
++ return XML_FALSE;
++ }
++ parser->m_accounting.activationThresholdBytes = activationThresholdBytes;
++ return XML_TRUE;
++}
++#endif /* XML_DTD */
++
+ /* Initially tag->rawName always points into the parse buffer;
+ for those TAG instances opened while the current parse buffer was
+ processed, and not yet closed, we need to store tag->rawName in a more
+@@ -2441,9 +2557,9 @@ storeRawNames(XML_Parser parser) {
+ static enum XML_Error PTRCALL
+ contentProcessor(XML_Parser parser, const char *start, const char *end,
+ const char **endPtr) {
+- enum XML_Error result
+- = doContent(parser, 0, parser->m_encoding, start, end, endPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer);
++ enum XML_Error result = doContent(
++ parser, 0, parser->m_encoding, start, end, endPtr,
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_ACCOUNT_DIRECT);
+ if (result == XML_ERROR_NONE) {
+ if (! storeRawNames(parser))
+ return XML_ERROR_NO_MEMORY;
+@@ -2468,6 +2584,14 @@ externalEntityInitProcessor2(XML_Parser parser, const char *start,
+ int tok = XmlContentTok(parser->m_encoding, start, end, &next);
+ switch (tok) {
+ case XML_TOK_BOM:
++#ifdef XML_DTD
++ if (! accountingDiffTolerated(parser, tok, start, next, __LINE__,
++ XML_ACCOUNT_DIRECT)) {
++ accountingOnAbort(parser);
++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ }
++#endif /* XML_DTD */
++
+ /* If we are at the end of the buffer, this would cause the next stage,
+ i.e. externalEntityInitProcessor3, to pass control directly to
+ doContent (by detecting XML_TOK_NONE) without processing any xml text
+@@ -2505,6 +2629,10 @@ externalEntityInitProcessor3(XML_Parser parser, const char *start,
+ const char *next = start; /* XmlContentTok doesn't always set the last arg */
+ parser->m_eventPtr = start;
+ tok = XmlContentTok(parser->m_encoding, start, end, &next);
++ /* Note: These bytes are accounted later in:
++ - processXmlDecl
++ - externalEntityContentProcessor
++ */
+ parser->m_eventEndPtr = next;
+
+ switch (tok) {
+@@ -2546,7 +2674,8 @@ externalEntityContentProcessor(XML_Parser parser, const char *start,
+ const char *end, const char **endPtr) {
+ enum XML_Error result
+ = doContent(parser, 1, parser->m_encoding, start, end, endPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer);
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
++ XML_ACCOUNT_ENTITY_EXPANSION);
+ if (result == XML_ERROR_NONE) {
+ if (! storeRawNames(parser))
+ return XML_ERROR_NO_MEMORY;
+@@ -2557,7 +2686,7 @@ externalEntityContentProcessor(XML_Parser parser, const char *start,
+ static enum XML_Error
+ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ const char *s, const char *end, const char **nextPtr,
+- XML_Bool haveMore) {
++ XML_Bool haveMore, enum XML_Account account) {
+ /* save one level of indirection */
+ DTD *const dtd = parser->m_dtd;
+
+@@ -2575,6 +2704,17 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ for (;;) {
+ const char *next = s; /* XmlContentTok doesn't always set the last arg */
+ int tok = XmlContentTok(enc, s, end, &next);
++#ifdef XML_DTD
++ const char *accountAfter
++ = ((tok == XML_TOK_TRAILING_RSQB) || (tok == XML_TOK_TRAILING_CR))
++ ? (haveMore ? s /* i.e. 0 bytes */ : end)
++ : next;
++ if (! accountingDiffTolerated(parser, tok, s, accountAfter, __LINE__,
++ account)) {
++ accountingOnAbort(parser);
++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ }
++#endif
+ *eventEndPP = next;
+ switch (tok) {
+ case XML_TOK_TRAILING_CR:
+@@ -2630,6 +2770,14 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ XML_Char ch = (XML_Char)XmlPredefinedEntityName(
+ enc, s + enc->minBytesPerChar, next - enc->minBytesPerChar);
+ if (ch) {
++#ifdef XML_DTD
++ /* NOTE: We are replacing 4-6 characters original input for 1 character
++ * so there is no amplification and hence recording without
++ * protection. */
++ accountingDiffTolerated(parser, tok, (char *)&ch,
++ ((char *)&ch) + sizeof(XML_Char), __LINE__,
++ XML_ACCOUNT_ENTITY_EXPANSION);
++#endif /* XML_DTD */
+ if (parser->m_characterDataHandler)
+ parser->m_characterDataHandler(parser->m_handlerArg, &ch, 1);
+ else if (parser->m_defaultHandler)
+@@ -2748,7 +2896,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ }
+ tag->name.str = (XML_Char *)tag->buf;
+ *toPtr = XML_T('\0');
+- result = storeAtts(parser, enc, s, &(tag->name), &(tag->bindings));
++ result
++ = storeAtts(parser, enc, s, &(tag->name), &(tag->bindings), account);
+ if (result)
+ return result;
+ if (parser->m_startElementHandler)
+@@ -2772,7 +2921,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ if (! name.str)
+ return XML_ERROR_NO_MEMORY;
+ poolFinish(&parser->m_tempPool);
+- result = storeAtts(parser, enc, s, &name, &bindings);
++ result = storeAtts(parser, enc, s, &name, &bindings,
++ XML_ACCOUNT_NONE /* token spans whole start tag */);
+ if (result != XML_ERROR_NONE) {
+ freeBindings(parser, bindings);
+ return result;
+@@ -2907,7 +3057,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ /* END disabled code */
+ else if (parser->m_defaultHandler)
+ reportDefault(parser, enc, s, next);
+- result = doCdataSection(parser, enc, &next, end, nextPtr, haveMore);
++ result
++ = doCdataSection(parser, enc, &next, end, nextPtr, haveMore, account);
+ if (result != XML_ERROR_NONE)
+ return result;
+ else if (! next) {
+@@ -3036,7 +3187,8 @@ freeBindings(XML_Parser parser, BINDING *bindings) {
+ */
+ static enum XML_Error
+ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+- TAG_NAME *tagNamePtr, BINDING **bindingsPtr) {
++ TAG_NAME *tagNamePtr, BINDING **bindingsPtr,
++ enum XML_Account account) {
+ DTD *const dtd = parser->m_dtd; /* save one level of indirection */
+ ELEMENT_TYPE *elementType;
+ int nDefaultAtts;
+@@ -3146,7 +3298,7 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ /* normalize the attribute value */
+ result = storeAttributeValue(
+ parser, enc, isCdata, parser->m_atts[i].valuePtr,
+- parser->m_atts[i].valueEnd, &parser->m_tempPool);
++ parser->m_atts[i].valueEnd, &parser->m_tempPool, account);
+ if (result)
+ return result;
+ appAtts[attIndex] = poolStart(&parser->m_tempPool);
+@@ -3535,9 +3687,9 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+ static enum XML_Error PTRCALL
+ cdataSectionProcessor(XML_Parser parser, const char *start, const char *end,
+ const char **endPtr) {
+- enum XML_Error result
+- = doCdataSection(parser, parser->m_encoding, &start, end, endPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer);
++ enum XML_Error result = doCdataSection(
++ parser, parser->m_encoding, &start, end, endPtr,
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_ACCOUNT_DIRECT);
+ if (result != XML_ERROR_NONE)
+ return result;
+ if (start) {
+@@ -3557,7 +3709,8 @@ cdataSectionProcessor(XML_Parser parser, const char *start, const char *end,
+ */
+ static enum XML_Error
+ doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
+- const char *end, const char **nextPtr, XML_Bool haveMore) {
++ const char *end, const char **nextPtr, XML_Bool haveMore,
++ enum XML_Account account) {
+ const char *s = *startPtr;
+ const char **eventPP;
+ const char **eventEndPP;
+@@ -3575,6 +3728,14 @@ doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
+ for (;;) {
+ const char *next;
+ int tok = XmlCdataSectionTok(enc, s, end, &next);
++#ifdef XML_DTD
++ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) {
++ accountingOnAbort(parser);
++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ }
++#else
++ UNUSED_P(account);
++#endif
+ *eventEndPP = next;
+ switch (tok) {
+ case XML_TOK_CDATA_SECT_CLOSE:
+@@ -3719,6 +3880,13 @@ doIgnoreSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
+ *eventPP = s;
+ *startPtr = NULL;
+ tok = XmlIgnoreSectionTok(enc, s, end, &next);
++# ifdef XML_DTD
++ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
++ XML_ACCOUNT_DIRECT)) {
++ accountingOnAbort(parser);
++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ }
++# endif
+ *eventEndPP = next;
+ switch (tok) {
+ case XML_TOK_IGNORE_SECT:
+@@ -3803,6 +3971,15 @@ processXmlDecl(XML_Parser parser, int isGeneralTextEntity, const char *s,
+ const char *versionend;
+ const XML_Char *storedversion = NULL;
+ int standalone = -1;
++
++#ifdef XML_DTD
++ if (! accountingDiffTolerated(parser, XML_TOK_XML_DECL, s, next, __LINE__,
++ XML_ACCOUNT_DIRECT)) {
++ accountingOnAbort(parser);
++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ }
++#endif
++
+ if (! (parser->m_ns ? XmlParseXmlDeclNS : XmlParseXmlDecl)(
+ isGeneralTextEntity, parser->m_encoding, s, next, &parser->m_eventPtr,
+ &version, &versionend, &encodingName, &newEncoding, &standalone)) {
+@@ -3952,6 +4129,10 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end,
+
+ for (;;) {
+ tok = XmlPrologTok(parser->m_encoding, start, end, &next);
++ /* Note: Except for XML_TOK_BOM below, these bytes are accounted later in:
++ - storeEntityValue
++ - processXmlDecl
++ */
+ parser->m_eventEndPtr = next;
+ if (tok <= 0) {
+ if (! parser->m_parsingStatus.finalBuffer && tok != XML_TOK_INVALID) {
+@@ -3970,7 +4151,8 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end,
+ break;
+ }
+ /* found end of entity value - can store it now */
+- return storeEntityValue(parser, parser->m_encoding, s, end);
++ return storeEntityValue(parser, parser->m_encoding, s, end,
++ XML_ACCOUNT_DIRECT);
+ } else if (tok == XML_TOK_XML_DECL) {
+ enum XML_Error result;
+ result = processXmlDecl(parser, 0, start, next);
+@@ -3997,6 +4179,14 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end,
+ */
+ else if (tok == XML_TOK_BOM && next == end
+ && ! parser->m_parsingStatus.finalBuffer) {
++# ifdef XML_DTD
++ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
++ XML_ACCOUNT_DIRECT)) {
++ accountingOnAbort(parser);
++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ }
++# endif
++
+ *nextPtr = next;
+ return XML_ERROR_NONE;
+ }
+@@ -4039,16 +4229,24 @@ externalParEntProcessor(XML_Parser parser, const char *s, const char *end,
+ }
+ /* This would cause the next stage, i.e. doProlog to be passed XML_TOK_BOM.
+ However, when parsing an external subset, doProlog will not accept a BOM
+- as valid, and report a syntax error, so we have to skip the BOM
++ as valid, and report a syntax error, so we have to skip the BOM, and
++ account for the BOM bytes.
+ */
+ else if (tok == XML_TOK_BOM) {
++ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
++ XML_ACCOUNT_DIRECT)) {
++ accountingOnAbort(parser);
++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ }
++
+ s = next;
+ tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+ }
+
+ parser->m_processor = prologProcessor;
+ return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE);
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE,
++ XML_ACCOUNT_DIRECT);
+ }
+
+ static enum XML_Error PTRCALL
+@@ -4061,6 +4259,9 @@ entityValueProcessor(XML_Parser parser, const char *s, const char *end,
+
+ for (;;) {
+ tok = XmlPrologTok(enc, start, end, &next);
++ /* Note: These bytes are accounted later in:
++ - storeEntityValue
++ */
+ if (tok <= 0) {
+ if (! parser->m_parsingStatus.finalBuffer && tok != XML_TOK_INVALID) {
+ *nextPtr = s;
+@@ -4078,7 +4279,7 @@ entityValueProcessor(XML_Parser parser, const char *s, const char *end,
+ break;
+ }
+ /* found end of entity value - can store it now */
+- return storeEntityValue(parser, enc, s, end);
++ return storeEntityValue(parser, enc, s, end, XML_ACCOUNT_DIRECT);
+ }
+ start = next;
+ }
+@@ -4092,13 +4293,14 @@ prologProcessor(XML_Parser parser, const char *s, const char *end,
+ const char *next = s;
+ int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+ return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE);
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE,
++ XML_ACCOUNT_DIRECT);
+ }
+
+ static enum XML_Error
+ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ int tok, const char *next, const char **nextPtr, XML_Bool haveMore,
+- XML_Bool allowClosingDoctype) {
++ XML_Bool allowClosingDoctype, enum XML_Account account) {
+ #ifdef XML_DTD
+ static const XML_Char externalSubsetName[] = {ASCII_HASH, '\0'};
+ #endif /* XML_DTD */
+@@ -4125,6 +4327,10 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ static const XML_Char enumValueSep[] = {ASCII_PIPE, '\0'};
+ static const XML_Char enumValueStart[] = {ASCII_LPAREN, '\0'};
+
++#ifndef XML_DTD
++ UNUSED_P(account);
++#endif
++
+ /* save one level of indirection */
+ DTD *const dtd = parser->m_dtd;
+
+@@ -4189,6 +4395,19 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ }
+ }
+ role = XmlTokenRole(&parser->m_prologState, tok, s, next, enc);
++#ifdef XML_DTD
++ switch (role) {
++ case XML_ROLE_INSTANCE_START: // bytes accounted in contentProcessor
++ case XML_ROLE_XML_DECL: // bytes accounted in processXmlDecl
++ case XML_ROLE_TEXT_DECL: // bytes accounted in processXmlDecl
++ break;
++ default:
++ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) {
++ accountingOnAbort(parser);
++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ }
++ }
++#endif
+ switch (role) {
+ case XML_ROLE_XML_DECL: {
+ enum XML_Error result = processXmlDecl(parser, 0, s, next);
+@@ -4464,7 +4683,8 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ const XML_Char *attVal;
+ enum XML_Error result = storeAttributeValue(
+ parser, enc, parser->m_declAttributeIsCdata,
+- s + enc->minBytesPerChar, next - enc->minBytesPerChar, &dtd->pool);
++ s + enc->minBytesPerChar, next - enc->minBytesPerChar, &dtd->pool,
++ XML_ACCOUNT_NONE);
+ if (result)
+ return result;
+ attVal = poolStart(&dtd->pool);
+@@ -4497,8 +4717,9 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ break;
+ case XML_ROLE_ENTITY_VALUE:
+ if (dtd->keepProcessing) {
+- enum XML_Error result = storeEntityValue(
+- parser, enc, s + enc->minBytesPerChar, next - enc->minBytesPerChar);
++ enum XML_Error result
++ = storeEntityValue(parser, enc, s + enc->minBytesPerChar,
++ next - enc->minBytesPerChar, XML_ACCOUNT_NONE);
+ if (parser->m_declEntity) {
+ parser->m_declEntity->textPtr = poolStart(&dtd->entityValuePool);
+ parser->m_declEntity->textLen
+@@ -4888,12 +5109,15 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ if (parser->m_externalEntityRefHandler) {
+ dtd->paramEntityRead = XML_FALSE;
+ entity->open = XML_TRUE;
++ entityTrackingOnOpen(parser, entity, __LINE__);
+ if (! parser->m_externalEntityRefHandler(
+ parser->m_externalEntityRefHandlerArg, 0, entity->base,
+ entity->systemId, entity->publicId)) {
++ entityTrackingOnClose(parser, entity, __LINE__);
+ entity->open = XML_FALSE;
+ return XML_ERROR_EXTERNAL_ENTITY_HANDLING;
+ }
++ entityTrackingOnClose(parser, entity, __LINE__);
+ entity->open = XML_FALSE;
+ handleDefault = XML_FALSE;
+ if (! dtd->paramEntityRead) {
+@@ -5091,6 +5315,13 @@ epilogProcessor(XML_Parser parser, const char *s, const char *end,
+ for (;;) {
+ const char *next = NULL;
+ int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
++#ifdef XML_DTD
++ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
++ XML_ACCOUNT_DIRECT)) {
++ accountingOnAbort(parser);
++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ }
++#endif
+ parser->m_eventEndPtr = next;
+ switch (tok) {
+ /* report partial linebreak - it might be the last token */
+@@ -5164,6 +5395,9 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) {
+ return XML_ERROR_NO_MEMORY;
+ }
+ entity->open = XML_TRUE;
++#ifdef XML_DTD
++ entityTrackingOnOpen(parser, entity, __LINE__);
++#endif
+ entity->processed = 0;
+ openEntity->next = parser->m_openInternalEntities;
+ parser->m_openInternalEntities = openEntity;
+@@ -5182,17 +5416,22 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) {
+ int tok
+ = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+ result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd,
+- tok, next, &next, XML_FALSE, XML_FALSE);
++ tok, next, &next, XML_FALSE, XML_FALSE,
++ XML_ACCOUNT_ENTITY_EXPANSION);
+ } else
+ #endif /* XML_DTD */
+ result = doContent(parser, parser->m_tagLevel, parser->m_internalEncoding,
+- textStart, textEnd, &next, XML_FALSE);
++ textStart, textEnd, &next, XML_FALSE,
++ XML_ACCOUNT_ENTITY_EXPANSION);
+
+ if (result == XML_ERROR_NONE) {
+ if (textEnd != next && parser->m_parsingStatus.parsing == XML_SUSPENDED) {
+ entity->processed = (int)(next - textStart);
+ parser->m_processor = internalEntityProcessor;
+ } else {
++#ifdef XML_DTD
++ entityTrackingOnClose(parser, entity, __LINE__);
++#endif /* XML_DTD */
+ entity->open = XML_FALSE;
+ parser->m_openInternalEntities = openEntity->next;
+ /* put openEntity back in list of free instances */
+@@ -5225,12 +5464,13 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
+ int tok
+ = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+ result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd,
+- tok, next, &next, XML_FALSE, XML_TRUE);
++ tok, next, &next, XML_FALSE, XML_TRUE,
++ XML_ACCOUNT_ENTITY_EXPANSION);
+ } else
+ #endif /* XML_DTD */
+ result = doContent(parser, openEntity->startTagLevel,
+ parser->m_internalEncoding, textStart, textEnd, &next,
+- XML_FALSE);
++ XML_FALSE, XML_ACCOUNT_ENTITY_EXPANSION);
+
+ if (result != XML_ERROR_NONE)
+ return result;
+@@ -5239,6 +5479,9 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
+ entity->processed = (int)(next - (char *)entity->textPtr);
+ return result;
+ } else {
++#ifdef XML_DTD
++ entityTrackingOnClose(parser, entity, __LINE__);
++#endif
+ entity->open = XML_FALSE;
+ parser->m_openInternalEntities = openEntity->next;
+ /* put openEntity back in list of free instances */
+@@ -5252,7 +5495,8 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
+ parser->m_processor = prologProcessor;
+ tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+ return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE);
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE,
++ XML_ACCOUNT_DIRECT);
+ } else
+ #endif /* XML_DTD */
+ {
+@@ -5260,7 +5504,8 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
+ /* see externalEntityContentProcessor vs contentProcessor */
+ return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
+ s, end, nextPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer);
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
++ XML_ACCOUNT_DIRECT);
+ }
+ }
+
+@@ -5275,9 +5520,10 @@ errorProcessor(XML_Parser parser, const char *s, const char *end,
+
+ static enum XML_Error
+ storeAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+- const char *ptr, const char *end, STRING_POOL *pool) {
++ const char *ptr, const char *end, STRING_POOL *pool,
++ enum XML_Account account) {
+ enum XML_Error result
+- = appendAttributeValue(parser, enc, isCdata, ptr, end, pool);
++ = appendAttributeValue(parser, enc, isCdata, ptr, end, pool, account);
+ if (result)
+ return result;
+ if (! isCdata && poolLength(pool) && poolLastChar(pool) == 0x20)
+@@ -5289,11 +5535,22 @@ storeAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+
+ static enum XML_Error
+ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+- const char *ptr, const char *end, STRING_POOL *pool) {
++ const char *ptr, const char *end, STRING_POOL *pool,
++ enum XML_Account account) {
+ DTD *const dtd = parser->m_dtd; /* save one level of indirection */
++#ifndef XML_DTD
++ UNUSED_P(account);
++#endif
++
+ for (;;) {
+ const char *next;
+ int tok = XmlAttributeValueTok(enc, ptr, end, &next);
++#ifdef XML_DTD
++ if (! accountingDiffTolerated(parser, tok, ptr, next, __LINE__, account)) {
++ accountingOnAbort(parser);
++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ }
++#endif
+ switch (tok) {
+ case XML_TOK_NONE:
+ return XML_ERROR_NONE;
+@@ -5353,6 +5610,14 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+ XML_Char ch = (XML_Char)XmlPredefinedEntityName(
+ enc, ptr + enc->minBytesPerChar, next - enc->minBytesPerChar);
+ if (ch) {
++#ifdef XML_DTD
++ /* NOTE: We are replacing 4-6 characters original input for 1 character
++ * so there is no amplification and hence recording without
++ * protection. */
++ accountingDiffTolerated(parser, tok, (char *)&ch,
++ ((char *)&ch) + sizeof(XML_Char), __LINE__,
++ XML_ACCOUNT_ENTITY_EXPANSION);
++#endif /* XML_DTD */
+ if (! poolAppendChar(pool, ch))
+ return XML_ERROR_NO_MEMORY;
+ break;
+@@ -5430,9 +5695,16 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+ enum XML_Error result;
+ const XML_Char *textEnd = entity->textPtr + entity->textLen;
+ entity->open = XML_TRUE;
++#ifdef XML_DTD
++ entityTrackingOnOpen(parser, entity, __LINE__);
++#endif
+ result = appendAttributeValue(parser, parser->m_internalEncoding,
+- isCdata, (char *)entity->textPtr,
+- (char *)textEnd, pool);
++ isCdata, (const char *)entity->textPtr,
++ (const char *)textEnd, pool,
++ XML_ACCOUNT_ENTITY_EXPANSION);
++#ifdef XML_DTD
++ entityTrackingOnClose(parser, entity, __LINE__);
++#endif
+ entity->open = XML_FALSE;
+ if (result)
+ return result;
+@@ -5462,13 +5734,16 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+
+ static enum XML_Error
+ storeEntityValue(XML_Parser parser, const ENCODING *enc,
+- const char *entityTextPtr, const char *entityTextEnd) {
++ const char *entityTextPtr, const char *entityTextEnd,
++ enum XML_Account account) {
+ DTD *const dtd = parser->m_dtd; /* save one level of indirection */
+ STRING_POOL *pool = &(dtd->entityValuePool);
+ enum XML_Error result = XML_ERROR_NONE;
+ #ifdef XML_DTD
+ int oldInEntityValue = parser->m_prologState.inEntityValue;
+ parser->m_prologState.inEntityValue = 1;
++#else
++ UNUSED_P(account);
+ #endif /* XML_DTD */
+ /* never return Null for the value argument in EntityDeclHandler,
+ since this would indicate an external entity; therefore we
+@@ -5481,6 +5756,16 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
+ for (;;) {
+ const char *next;
+ int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd, &next);
++
++#ifdef XML_DTD
++ if (! accountingDiffTolerated(parser, tok, entityTextPtr, next, __LINE__,
++ account)) {
++ accountingOnAbort(parser);
++ result = XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ goto endEntityValue;
++ }
++#endif
++
+ switch (tok) {
+ case XML_TOK_PARAM_ENTITY_REF:
+ #ifdef XML_DTD
+@@ -5516,13 +5801,16 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
+ if (parser->m_externalEntityRefHandler) {
+ dtd->paramEntityRead = XML_FALSE;
+ entity->open = XML_TRUE;
++ entityTrackingOnOpen(parser, entity, __LINE__);
+ if (! parser->m_externalEntityRefHandler(
+ parser->m_externalEntityRefHandlerArg, 0, entity->base,
+ entity->systemId, entity->publicId)) {
++ entityTrackingOnClose(parser, entity, __LINE__);
+ entity->open = XML_FALSE;
+ result = XML_ERROR_EXTERNAL_ENTITY_HANDLING;
+ goto endEntityValue;
+ }
++ entityTrackingOnClose(parser, entity, __LINE__);
+ entity->open = XML_FALSE;
+ if (! dtd->paramEntityRead)
+ dtd->keepProcessing = dtd->standalone;
+@@ -5530,9 +5818,12 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
+ dtd->keepProcessing = dtd->standalone;
+ } else {
+ entity->open = XML_TRUE;
++ entityTrackingOnOpen(parser, entity, __LINE__);
+ result = storeEntityValue(
+- parser, parser->m_internalEncoding, (char *)entity->textPtr,
+- (char *)(entity->textPtr + entity->textLen));
++ parser, parser->m_internalEncoding, (const char *)entity->textPtr,
++ (const char *)(entity->textPtr + entity->textLen),
++ XML_ACCOUNT_ENTITY_EXPANSION);
++ entityTrackingOnClose(parser, entity, __LINE__);
+ entity->open = XML_FALSE;
+ if (result)
+ goto endEntityValue;
+@@ -6893,3 +7184,741 @@ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) {
+ memcpy(result, s, charsRequired * sizeof(XML_Char));
+ return result;
+ }
++
++#ifdef XML_DTD
++
++static float
++accountingGetCurrentAmplification(XML_Parser rootParser) {
++ const XmlBigCount countBytesOutput
++ = rootParser->m_accounting.countBytesDirect
++ + rootParser->m_accounting.countBytesIndirect;
++ const float amplificationFactor
++ = rootParser->m_accounting.countBytesDirect
++ ? (countBytesOutput
++ / (float)(rootParser->m_accounting.countBytesDirect))
++ : 1.0f;
++ assert(! rootParser->m_parentParser);
++ return amplificationFactor;
++}
++
++static void
++accountingReportStats(XML_Parser originParser, const char *epilog) {
++ const XML_Parser rootParser = getRootParserOf(originParser, NULL);
++ assert(! rootParser->m_parentParser);
++
++ if (rootParser->m_accounting.debugLevel < 1) {
++ return;
++ }
++
++ const float amplificationFactor
++ = accountingGetCurrentAmplification(rootParser);
++ fprintf(stderr,
++ "expat: Accounting(%p): Direct " EXPAT_FMT_ULL(
++ "10") ", indirect " EXPAT_FMT_ULL("10") ", amplification %8.2f%s",
++ (void *)rootParser, rootParser->m_accounting.countBytesDirect,
++ rootParser->m_accounting.countBytesIndirect,
++ (double)amplificationFactor, epilog);
++}
++
++static void
++accountingOnAbort(XML_Parser originParser) {
++ accountingReportStats(originParser, " ABORTING\n");
++}
++
++static void
++accountingReportDiff(XML_Parser rootParser,
++ unsigned int levelsAwayFromRootParser, const char *before,
++ const char *after, ptrdiff_t bytesMore, int source_line,
++ enum XML_Account account) {
++ assert(! rootParser->m_parentParser);
++
++ fprintf(stderr,
++ " (+" EXPAT_FMT_PTRDIFF_T("6") " bytes %s|%d, xmlparse.c:%d) %*s\"",
++ bytesMore, (account == XML_ACCOUNT_DIRECT) ? "DIR" : "EXP",
++ levelsAwayFromRootParser, source_line, 10, "");
++
++ const char ellipis[] = "[..]";
++ const size_t ellipsisLength = sizeof(ellipis) /* because compile-time */ - 1;
++ const unsigned int contextLength = 10;
++
++ /* Note: Performance is of no concern here */
++ const char *walker = before;
++ if ((rootParser->m_accounting.debugLevel >= 3)
++ || (after - before)
++ <= (ptrdiff_t)(contextLength + ellipsisLength + contextLength)) {
++ for (; walker < after; walker++) {
++ fprintf(stderr, "%s", unsignedCharToPrintable(walker[0]));
++ }
++ } else {
++ for (; walker < before + contextLength; walker++) {
++ fprintf(stderr, "%s", unsignedCharToPrintable(walker[0]));
++ }
++ fprintf(stderr, ellipis);
++ walker = after - contextLength;
++ for (; walker < after; walker++) {
++ fprintf(stderr, "%s", unsignedCharToPrintable(walker[0]));
++ }
++ }
++ fprintf(stderr, "\"\n");
++}
++
++static XML_Bool
++accountingDiffTolerated(XML_Parser originParser, int tok, const char *before,
++ const char *after, int source_line,
++ enum XML_Account account) {
++ /* Note: We need to check the token type *first* to be sure that
++ * we can even access variable <after>, safely.
++ * E.g. for XML_TOK_NONE <after> may hold an invalid pointer. */
++ switch (tok) {
++ case XML_TOK_INVALID:
++ case XML_TOK_PARTIAL:
++ case XML_TOK_PARTIAL_CHAR:
++ case XML_TOK_NONE:
++ return XML_TRUE;
++ }
++
++ if (account == XML_ACCOUNT_NONE)
++ return XML_TRUE; /* because these bytes have been accounted for, already */
++
++ unsigned int levelsAwayFromRootParser;
++ const XML_Parser rootParser
++ = getRootParserOf(originParser, &levelsAwayFromRootParser);
++ assert(! rootParser->m_parentParser);
++
++ const int isDirect
++ = (account == XML_ACCOUNT_DIRECT) && (originParser == rootParser);
++ const ptrdiff_t bytesMore = after - before;
++
++ XmlBigCount *const additionTarget
++ = isDirect ? &rootParser->m_accounting.countBytesDirect
++ : &rootParser->m_accounting.countBytesIndirect;
++
++ /* Detect and avoid integer overflow */
++ if (*additionTarget > (XmlBigCount)(-1) - (XmlBigCount)bytesMore)
++ return XML_FALSE;
++ *additionTarget += bytesMore;
++
++ const XmlBigCount countBytesOutput
++ = rootParser->m_accounting.countBytesDirect
++ + rootParser->m_accounting.countBytesIndirect;
++ const float amplificationFactor
++ = accountingGetCurrentAmplification(rootParser);
++ const XML_Bool tolerated
++ = (countBytesOutput < rootParser->m_accounting.activationThresholdBytes)
++ || (amplificationFactor
++ <= rootParser->m_accounting.maximumAmplificationFactor);
++
++ if (rootParser->m_accounting.debugLevel >= 2) {
++ accountingReportStats(rootParser, "");
++ accountingReportDiff(rootParser, levelsAwayFromRootParser, before, after,
++ bytesMore, source_line, account);
++ }
++
++ return tolerated;
++}
++
++static void
++entityTrackingReportStats(XML_Parser rootParser, ENTITY *entity,
++ const char *action, int sourceLine) {
++ assert(! rootParser->m_parentParser);
++ if (rootParser->m_entity_stats.debugLevel < 1)
++ return;
++
++# if defined(XML_UNICODE)
++ const char *const entityName = "[..]";
++# else
++ const char *const entityName = entity->name;
++# endif
++
++ fprintf(
++ stderr,
++ "expat: Entities(%p): Count %9d, depth %2d/%2d %*s%s%s; %s length %d (xmlparse.c:%d)\n",
++ (void *)rootParser, rootParser->m_entity_stats.countEverOpened,
++ rootParser->m_entity_stats.currentDepth,
++ rootParser->m_entity_stats.maximumDepthSeen,
++ (rootParser->m_entity_stats.currentDepth - 1) * 2, "",
++ entity->is_param ? "%" : "&", entityName, action, entity->textLen,
++ sourceLine);
++}
++
++static void
++entityTrackingOnOpen(XML_Parser originParser, ENTITY *entity, int sourceLine) {
++ const XML_Parser rootParser = getRootParserOf(originParser, NULL);
++ assert(! rootParser->m_parentParser);
++
++ rootParser->m_entity_stats.countEverOpened++;
++ rootParser->m_entity_stats.currentDepth++;
++ if (rootParser->m_entity_stats.currentDepth
++ > rootParser->m_entity_stats.maximumDepthSeen) {
++ rootParser->m_entity_stats.maximumDepthSeen++;
++ }
++
++ entityTrackingReportStats(rootParser, entity, "OPEN ", sourceLine);
++}
++
++static void
++entityTrackingOnClose(XML_Parser originParser, ENTITY *entity, int sourceLine) {
++ const XML_Parser rootParser = getRootParserOf(originParser, NULL);
++ assert(! rootParser->m_parentParser);
++
++ entityTrackingReportStats(rootParser, entity, "CLOSE", sourceLine);
++ rootParser->m_entity_stats.currentDepth--;
++}
++
++static XML_Parser
++getRootParserOf(XML_Parser parser, unsigned int *outLevelDiff) {
++ XML_Parser rootParser = parser;
++ unsigned int stepsTakenUpwards = 0;
++ while (rootParser->m_parentParser) {
++ rootParser = rootParser->m_parentParser;
++ stepsTakenUpwards++;
++ }
++ assert(! rootParser->m_parentParser);
++ if (outLevelDiff != NULL) {
++ *outLevelDiff = stepsTakenUpwards;
++ }
++ return rootParser;
++}
++
++static const char *
++unsignedCharToPrintable(unsigned char c) {
++ switch (c) {
++ case 0:
++ return "\\0";
++ case 1:
++ return "\\x1";
++ case 2:
++ return "\\x2";
++ case 3:
++ return "\\x3";
++ case 4:
++ return "\\x4";
++ case 5:
++ return "\\x5";
++ case 6:
++ return "\\x6";
++ case 7:
++ return "\\x7";
++ case 8:
++ return "\\x8";
++ case 9:
++ return "\\t";
++ case 10:
++ return "\\n";
++ case 11:
++ return "\\xB";
++ case 12:
++ return "\\xC";
++ case 13:
++ return "\\r";
++ case 14:
++ return "\\xE";
++ case 15:
++ return "\\xF";
++ case 16:
++ return "\\x10";
++ case 17:
++ return "\\x11";
++ case 18:
++ return "\\x12";
++ case 19:
++ return "\\x13";
++ case 20:
++ return "\\x14";
++ case 21:
++ return "\\x15";
++ case 22:
++ return "\\x16";
++ case 23:
++ return "\\x17";
++ case 24:
++ return "\\x18";
++ case 25:
++ return "\\x19";
++ case 26:
++ return "\\x1A";
++ case 27:
++ return "\\x1B";
++ case 28:
++ return "\\x1C";
++ case 29:
++ return "\\x1D";
++ case 30:
++ return "\\x1E";
++ case 31:
++ return "\\x1F";
++ case 32:
++ return " ";
++ case 33:
++ return "!";
++ case 34:
++ return "\\\"";
++ case 35:
++ return "#";
++ case 36:
++ return "$";
++ case 37:
++ return "%";
++ case 38:
++ return "&";
++ case 39:
++ return "'";
++ case 40:
++ return "(";
++ case 41:
++ return ")";
++ case 42:
++ return "*";
++ case 43:
++ return "+";
++ case 44:
++ return ",";
++ case 45:
++ return "-";
++ case 46:
++ return ".";
++ case 47:
++ return "/";
++ case 48:
++ return "0";
++ case 49:
++ return "1";
++ case 50:
++ return "2";
++ case 51:
++ return "3";
++ case 52:
++ return "4";
++ case 53:
++ return "5";
++ case 54:
++ return "6";
++ case 55:
++ return "7";
++ case 56:
++ return "8";
++ case 57:
++ return "9";
++ case 58:
++ return ":";
++ case 59:
++ return ";";
++ case 60:
++ return "<";
++ case 61:
++ return "=";
++ case 62:
++ return ">";
++ case 63:
++ return "?";
++ case 64:
++ return "@";
++ case 65:
++ return "A";
++ case 66:
++ return "B";
++ case 67:
++ return "C";
++ case 68:
++ return "D";
++ case 69:
++ return "E";
++ case 70:
++ return "F";
++ case 71:
++ return "G";
++ case 72:
++ return "H";
++ case 73:
++ return "I";
++ case 74:
++ return "J";
++ case 75:
++ return "K";
++ case 76:
++ return "L";
++ case 77:
++ return "M";
++ case 78:
++ return "N";
++ case 79:
++ return "O";
++ case 80:
++ return "P";
++ case 81:
++ return "Q";
++ case 82:
++ return "R";
++ case 83:
++ return "S";
++ case 84:
++ return "T";
++ case 85:
++ return "U";
++ case 86:
++ return "V";
++ case 87:
++ return "W";
++ case 88:
++ return "X";
++ case 89:
++ return "Y";
++ case 90:
++ return "Z";
++ case 91:
++ return "[";
++ case 92:
++ return "\\\\";
++ case 93:
++ return "]";
++ case 94:
++ return "^";
++ case 95:
++ return "_";
++ case 96:
++ return "`";
++ case 97:
++ return "a";
++ case 98:
++ return "b";
++ case 99:
++ return "c";
++ case 100:
++ return "d";
++ case 101:
++ return "e";
++ case 102:
++ return "f";
++ case 103:
++ return "g";
++ case 104:
++ return "h";
++ case 105:
++ return "i";
++ case 106:
++ return "j";
++ case 107:
++ return "k";
++ case 108:
++ return "l";
++ case 109:
++ return "m";
++ case 110:
++ return "n";
++ case 111:
++ return "o";
++ case 112:
++ return "p";
++ case 113:
++ return "q";
++ case 114:
++ return "r";
++ case 115:
++ return "s";
++ case 116:
++ return "t";
++ case 117:
++ return "u";
++ case 118:
++ return "v";
++ case 119:
++ return "w";
++ case 120:
++ return "x";
++ case 121:
++ return "y";
++ case 122:
++ return "z";
++ case 123:
++ return "{";
++ case 124:
++ return "|";
++ case 125:
++ return "}";
++ case 126:
++ return "~";
++ case 127:
++ return "\\x7F";
++ case 128:
++ return "\\x80";
++ case 129:
++ return "\\x81";
++ case 130:
++ return "\\x82";
++ case 131:
++ return "\\x83";
++ case 132:
++ return "\\x84";
++ case 133:
++ return "\\x85";
++ case 134:
++ return "\\x86";
++ case 135:
++ return "\\x87";
++ case 136:
++ return "\\x88";
++ case 137:
++ return "\\x89";
++ case 138:
++ return "\\x8A";
++ case 139:
++ return "\\x8B";
++ case 140:
++ return "\\x8C";
++ case 141:
++ return "\\x8D";
++ case 142:
++ return "\\x8E";
++ case 143:
++ return "\\x8F";
++ case 144:
++ return "\\x90";
++ case 145:
++ return "\\x91";
++ case 146:
++ return "\\x92";
++ case 147:
++ return "\\x93";
++ case 148:
++ return "\\x94";
++ case 149:
++ return "\\x95";
++ case 150:
++ return "\\x96";
++ case 151:
++ return "\\x97";
++ case 152:
++ return "\\x98";
++ case 153:
++ return "\\x99";
++ case 154:
++ return "\\x9A";
++ case 155:
++ return "\\x9B";
++ case 156:
++ return "\\x9C";
++ case 157:
++ return "\\x9D";
++ case 158:
++ return "\\x9E";
++ case 159:
++ return "\\x9F";
++ case 160:
++ return "\\xA0";
++ case 161:
++ return "\\xA1";
++ case 162:
++ return "\\xA2";
++ case 163:
++ return "\\xA3";
++ case 164:
++ return "\\xA4";
++ case 165:
++ return "\\xA5";
++ case 166:
++ return "\\xA6";
++ case 167:
++ return "\\xA7";
++ case 168:
++ return "\\xA8";
++ case 169:
++ return "\\xA9";
++ case 170:
++ return "\\xAA";
++ case 171:
++ return "\\xAB";
++ case 172:
++ return "\\xAC";
++ case 173:
++ return "\\xAD";
++ case 174:
++ return "\\xAE";
++ case 175:
++ return "\\xAF";
++ case 176:
++ return "\\xB0";
++ case 177:
++ return "\\xB1";
++ case 178:
++ return "\\xB2";
++ case 179:
++ return "\\xB3";
++ case 180:
++ return "\\xB4";
++ case 181:
++ return "\\xB5";
++ case 182:
++ return "\\xB6";
++ case 183:
++ return "\\xB7";
++ case 184:
++ return "\\xB8";
++ case 185:
++ return "\\xB9";
++ case 186:
++ return "\\xBA";
++ case 187:
++ return "\\xBB";
++ case 188:
++ return "\\xBC";
++ case 189:
++ return "\\xBD";
++ case 190:
++ return "\\xBE";
++ case 191:
++ return "\\xBF";
++ case 192:
++ return "\\xC0";
++ case 193:
++ return "\\xC1";
++ case 194:
++ return "\\xC2";
++ case 195:
++ return "\\xC3";
++ case 196:
++ return "\\xC4";
++ case 197:
++ return "\\xC5";
++ case 198:
++ return "\\xC6";
++ case 199:
++ return "\\xC7";
++ case 200:
++ return "\\xC8";
++ case 201:
++ return "\\xC9";
++ case 202:
++ return "\\xCA";
++ case 203:
++ return "\\xCB";
++ case 204:
++ return "\\xCC";
++ case 205:
++ return "\\xCD";
++ case 206:
++ return "\\xCE";
++ case 207:
++ return "\\xCF";
++ case 208:
++ return "\\xD0";
++ case 209:
++ return "\\xD1";
++ case 210:
++ return "\\xD2";
++ case 211:
++ return "\\xD3";
++ case 212:
++ return "\\xD4";
++ case 213:
++ return "\\xD5";
++ case 214:
++ return "\\xD6";
++ case 215:
++ return "\\xD7";
++ case 216:
++ return "\\xD8";
++ case 217:
++ return "\\xD9";
++ case 218:
++ return "\\xDA";
++ case 219:
++ return "\\xDB";
++ case 220:
++ return "\\xDC";
++ case 221:
++ return "\\xDD";
++ case 222:
++ return "\\xDE";
++ case 223:
++ return "\\xDF";
++ case 224:
++ return "\\xE0";
++ case 225:
++ return "\\xE1";
++ case 226:
++ return "\\xE2";
++ case 227:
++ return "\\xE3";
++ case 228:
++ return "\\xE4";
++ case 229:
++ return "\\xE5";
++ case 230:
++ return "\\xE6";
++ case 231:
++ return "\\xE7";
++ case 232:
++ return "\\xE8";
++ case 233:
++ return "\\xE9";
++ case 234:
++ return "\\xEA";
++ case 235:
++ return "\\xEB";
++ case 236:
++ return "\\xEC";
++ case 237:
++ return "\\xED";
++ case 238:
++ return "\\xEE";
++ case 239:
++ return "\\xEF";
++ case 240:
++ return "\\xF0";
++ case 241:
++ return "\\xF1";
++ case 242:
++ return "\\xF2";
++ case 243:
++ return "\\xF3";
++ case 244:
++ return "\\xF4";
++ case 245:
++ return "\\xF5";
++ case 246:
++ return "\\xF6";
++ case 247:
++ return "\\xF7";
++ case 248:
++ return "\\xF8";
++ case 249:
++ return "\\xF9";
++ case 250:
++ return "\\xFA";
++ case 251:
++ return "\\xFB";
++ case 252:
++ return "\\xFC";
++ case 253:
++ return "\\xFD";
++ case 254:
++ return "\\xFE";
++ case 255:
++ return "\\xFF";
++ default:
++ assert(0); /* never gets here */
++ return "dead code";
++ }
++ assert(0); /* never gets here */
++}
++
++#endif /* XML_DTD */
++
++static unsigned long
++getDebugLevel(const char *variableName, unsigned long defaultDebugLevel) {
++ const char *const valueOrNull = getenv(variableName);
++ if (valueOrNull == NULL) {
++ return defaultDebugLevel;
++ }
++ const char *const value = valueOrNull;
++
++ errno = 0;
++ char *afterValue = (char *)value;
++ unsigned long debugLevel = strtoul(value, &afterValue, 10);
++ if ((errno != 0) || (afterValue[0] != '\0')) {
++ errno = 0;
++ return defaultDebugLevel;
++ }
++
++ return debugLevel;
++}
+--
+2.32.0
+
diff --git a/meta/recipes-core/expat/expat/libtool-tag.patch b/meta/recipes-core/expat/expat/libtool-tag.patch
index 0a0aed23e5..c59ccbbede 100644
--- a/meta/recipes-core/expat/expat/libtool-tag.patch
+++ b/meta/recipes-core/expat/expat/libtool-tag.patch
@@ -1,30 +1,27 @@
-From 10342e6b600858b091bc7771e454d9e06af06410 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Thu, 2 Nov 2017 18:20:57 +0800
+From da433dbe79f2d4d5d7d79869c669594c99c5de9c Mon Sep 17 00:00:00 2001
+From: Jasper Orschulko <jasper@fancydomain.eu>
+Date: Wed, 16 Jun 2021 19:00:30 +0200
Subject: [PATCH] Add CC tag to build
-Add CC tag to build
-
Upstream-Status: Pending
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Signed-off-by: Dengke Du <dengke.du@windriver.com>
+Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
---
- Makefile.in | 2 +-
+ Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/Makefile.in b/Makefile.in
-index 9560a95..d444bd6 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -319,7 +319,7 @@ LIBCURRENT = @LIBCURRENT@
- LIBOBJS = @LIBOBJS@
- LIBREVISION = @LIBREVISION@
- LIBS = @LIBS@
--LIBTOOL = @LIBTOOL@
-+LIBTOOL = @LIBTOOL@ --tag CC
- LIPO = @LIPO@
- LN_S = @LN_S@
- LTLIBOBJS = @LTLIBOBJS@
+diff --git a/Makefile.am b/Makefile.am
+index 5e1d37dd..f7a6dece 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -36,7 +36,7 @@ AUTOMAKE_OPTIONS = \
+ subdir-objects
+
+ ACLOCAL_AMFLAGS = -I m4
+-LIBTOOLFLAGS = --verbose
++LIBTOOLFLAGS = --verbose --tag=CC
+
+ SUBDIRS = lib # lib goes first to build first
+ if WITH_EXAMPLES
--
-2.7.4
+2.32.0
diff --git a/meta/recipes-core/expat/expat_2.2.9.bb b/meta/recipes-core/expat/expat_2.2.9.bb
index 174bf4be1f..cd38df91d9 100644
--- a/meta/recipes-core/expat/expat_2.2.9.bb
+++ b/meta/recipes-core/expat/expat_2.2.9.bb
@@ -6,18 +6,16 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://COPYING;md5=5b8620d98e49772d95fc1d291c26aa79"
-SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \
+SRC_URI = "git://github.com/libexpat/libexpat.git;protocol=https \
+ file://CVE-2013-0340.patch \
file://libtool-tag.patch \
- "
+ "
-SRC_URI[md5sum] = "875a2c2ff3e8eb9e5a5cd62db2033ab5"
-SRC_URI[sha256sum] = "f1063084dc4302a427dabcca499c8312b3a32a29b7d2506653ecc8f950a9a237"
+SRCREV = "a7bc26b69768f7fb24f0c7976fae24b157b85b13"
inherit autotools lib_package
-do_configure_prepend () {
- rm -f ${S}/conftools/libtool.m4
-}
+S = "${WORKDIR}/git/expat"
BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
index 7ae64a190f..aac0d9b3bf 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
SRCBRANCH ?= "release/2.31/master"
PV = "2.31+git${SRCPV}"
-SRCREV_glibc ?= "f84949f1c4bbf20e6a1d9a5859cf012cde060ede"
+SRCREV_glibc ?= "4f0a61f75385c9a5879cbe7202042e88f692a3c8"
SRCREV_localedef ?= "cd9f958c4c94a638fa7b2b4e21627364f1a1a655"
GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
new file mode 100644
index 0000000000..40d3debea1
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
@@ -0,0 +1,112 @@
+From ac82a514e16eb81b4506e2cba1a1ee45b9f025b5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 10 Jun 2020 16:34:52 +0200
+Subject: [PATCH 1/2] Don't recurse into xi:include children in
+ xmlXIncludeDoProcess
+
+Otherwise, nested xi:include nodes might result in a use-after-free
+if XML_PARSE_NOXINCNODE is specified.
+
+Found with libFuzzer and ASan.
+
+Upstream-Status: Backport [from fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1954243]
+
+The upstream patch 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 has been modified,
+as to avoid unnecessary modifications to fallback files.
+
+CVE: CVE-2021-3518
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+ xinclude.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index ba850fa5..f260c1a7 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+ * First phase: lookup the elements in the document
+ */
+ cur = tree;
+- if (xmlXIncludeTestNode(ctxt, cur) == 1)
+- xmlXIncludePreProcessNode(ctxt, cur);
+ while ((cur != NULL) && (cur != tree->parent)) {
+ /* TODO: need to work on entities -> stack */
+- if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
+- cur = cur->children;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+- } else if (cur->next != NULL) {
++ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
++ xmlXIncludePreProcessNode(ctxt, cur);
++ } else if ((cur->children != NULL) &&
++ (cur->children->type != XML_ENTITY_DECL) &&
++ (cur->children->type != XML_XINCLUDE_START) &&
++ (cur->children->type != XML_XINCLUDE_END)) {
++ cur = cur->children;
++ continue;
++ }
++ if (cur->next != NULL) {
+ cur = cur->next;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+ } else {
+ if (cur == tree)
+ break;
+@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+ break; /* do */
+ if (cur->next != NULL) {
+ cur = cur->next;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+ break; /* do */
+ }
+ } while (cur != NULL);
+--
+2.32.0
+
+
+From 3ad5ac1e39e3cd42f838c1cd27ffd4e9b79e6121 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
+
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+
+Fixes #237.
+Upstream-Status: Backport
+CVE: CVE-2021-3518
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+ xinclude.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index f260c1a7..d7648529 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
+ xmlXIncludePreProcessNode(ctxt, cur);
+ } else if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
++ ((cur->type == XML_DOCUMENT_NODE) ||
++ (cur->type == XML_ELEMENT_NODE))) {
+ cur = cur->children;
+ continue;
+ }
+--
+2.32.0
+
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index 097613fb28..b5fb3e6315 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -25,6 +25,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
file://CVE-2020-24977.patch \
file://CVE-2021-3517.patch \
file://CVE-2021-3537.patch \
+ file://CVE-2021-3518.patch \
"
SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
diff --git a/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb b/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb
index 75632d9434..da716674c3 100644
--- a/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb
+++ b/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb
@@ -7,7 +7,7 @@ LICENSE = "GPLv2+"
LIC_FILES_CHKSUM = "file://update-rc.d;beginline=5;endline=15;md5=d40a07c27f535425934bb5001f2037d9"
SRC_URI = "git://git.yoctoproject.org/update-rc.d"
-SRCREV = "4b150b25b38de688d25cde2b2d22c268ed65a748"
+SRCREV = "8636cf478d426b568c1be11dbd9346f67e03adac"
UPSTREAM_CHECK_COMMITS = "1"
diff --git a/meta/recipes-devtools/bootchart2/bootchart2_0.14.8.bb b/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb
index a938b2da49..6571c19938 100644
--- a/meta/recipes-devtools/bootchart2/bootchart2_0.14.8.bb
+++ b/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb
@@ -97,8 +97,7 @@ SRC_URI = "git://github.com/xrmx/bootchart.git \
"
S = "${WORKDIR}/git"
-SRCREV = "331ada031f1d65f6d934d918f896e1c708c64bf7"
-PV .= "+git${SRCPV}"
+SRCREV = "868a2afab9da34f32c007d773b77253c93104636"
inherit systemd update-rc.d python3native update-alternatives
diff --git a/meta/recipes-devtools/dwarfsrcfiles/files/dwarfsrcfiles.c b/meta/recipes-devtools/dwarfsrcfiles/files/dwarfsrcfiles.c
index af7af524eb..9eb5ca807a 100644
--- a/meta/recipes-devtools/dwarfsrcfiles/files/dwarfsrcfiles.c
+++ b/meta/recipes-devtools/dwarfsrcfiles/files/dwarfsrcfiles.c
@@ -9,6 +9,7 @@
#include <argp.h>
#include <stdio.h>
+#include <stdlib.h>
#include <dwarf.h>
#include <elfutils/libdw.h>
@@ -83,13 +84,15 @@ process_cu (Dwarf_Die *cu_die)
int
main (int argc, char **argv)
{
- char* args[3];
+ char* args[5];
int res = 0;
Dwfl *dwfl;
Dwarf_Addr bias;
- if (argc != 2)
+ if (argc != 2) {
fprintf(stderr, "Usage %s <file>", argv[0]);
+ exit(EXIT_FAILURE);
+ }
// Pretend "dwarfsrcfiles -e <file>" was given, so we can use standard
// dwfl argp parser to open the file for us and get our Dwfl. Useful
@@ -98,8 +101,12 @@ main (int argc, char **argv)
args[0] = argv[0];
args[1] = "-e";
args[2] = argv[1];
+ // We don't want to follow debug linked files due to the way OE processes
+ // files, could race against changes in the linked binary (e.g. objcopy on it)
+ args[3] = "--debuginfo-path";
+ args[4] = "/not/exist";
- argp_parse (dwfl_standard_argp (), 3, args, 0, NULL, &dwfl);
+ argp_parse (dwfl_standard_argp (), 5, args, 0, NULL, &dwfl);
Dwarf_Die *cu = NULL;
while ((cu = dwfl_nextcu (dwfl, cu, &bias)) != NULL)
diff --git a/meta/recipes-devtools/pseudo/pseudo.inc b/meta/recipes-devtools/pseudo/pseudo.inc
index 65d6e5068d..e6512bc6e6 100644
--- a/meta/recipes-devtools/pseudo/pseudo.inc
+++ b/meta/recipes-devtools/pseudo/pseudo.inc
@@ -112,6 +112,19 @@ do_compile_prepend_class-nativesdk () {
fi
}
+do_compile_append_class-native () {
+ if [ '${@bb.data.inherits_class('uninative', d)}' = 'True' ]; then
+ for i in PSEUDO_PORT_UNIX_SYNCFS PSEUDO_PORT_UIDS_GENERIC PSEUDO_PORT_LINUX_NEWCLONE PSEUDO_PORT_LINUX_XATTR PSEUDO_PORT_LINUX_STATVFS; do
+ grep $i.1 ${S}/pseudo_ports.h
+ if [ $? != 0 ]; then
+ echo "$i not enabled in pseudo which is incompatible with uninative"
+ exit 1
+ fi
+ done
+ fi
+}
+
+
do_install () {
oe_runmake 'DESTDIR=${D}' ${MAKEOPTS} 'LIB=lib/pseudo/lib$(MARK64)' install
}
diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index 4eab133128..0ba460f3e6 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -6,7 +6,7 @@ SRC_URI = "git://git.yoctoproject.org/pseudo;branch=oe-core \
file://fallback-group \
"
-SRCREV = "ee24ebec9e5a11dd5208c9be2870f35eab3b9e20"
+SRCREV = "b988b0a6b8afd8d459bc9a2528e834f63a3d59b2"
S = "${WORKDIR}/git"
PV = "1.9.0+git${SRCPV}"
diff --git a/meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch b/meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
deleted file mode 100644
index e16b99bcb9..0000000000
--- a/meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
+++ /dev/null
@@ -1,248 +0,0 @@
-From 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4 Mon Sep 17 00:00:00 2001
-From: Victor Stinner <vstinner@python.org>
-Date: Thu, 2 Apr 2020 02:52:20 +0200
-Subject: [PATCH] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler
- (GH-18284)
-
-Upstream-Status: Backport
-(https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)
-
-CVE: CVE-2020-8492
-
-The AbstractBasicAuthHandler class of the urllib.request module uses
-an inefficient regular expression which can be exploited by an
-attacker to cause a denial of service. Fix the regex to prevent the
-catastrophic backtracking. Vulnerability reported by Ben Caller
-and Matt Schwager.
-
-AbstractBasicAuthHandler of urllib.request now parses all
-WWW-Authenticate HTTP headers and accepts multiple challenges per
-header: use the realm of the first Basic challenge.
-
-Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
-Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
----
- Lib/test/test_urllib2.py | 90 ++++++++++++-------
- Lib/urllib/request.py | 69 ++++++++++----
- .../2020-03-25-16-02-16.bpo-39503.YmMbYn.rst | 3 +
- .../2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 5 ++
- 4 files changed, 115 insertions(+), 52 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
- create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
-
-diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
-index 8abedaac98..e69ac3e213 100644
---- a/Lib/test/test_urllib2.py
-+++ b/Lib/test/test_urllib2.py
-@@ -1446,40 +1446,64 @@ class HandlerTests(unittest.TestCase):
- bypass = {'exclude_simple': True, 'exceptions': []}
- self.assertTrue(_proxy_bypass_macosx_sysconf('test', bypass))
-
-- def test_basic_auth(self, quote_char='"'):
-- opener = OpenerDirector()
-- password_manager = MockPasswordManager()
-- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
-- realm = "ACME Widget Store"
-- http_handler = MockHTTPHandler(
-- 401, 'WWW-Authenticate: Basic realm=%s%s%s\r\n\r\n' %
-- (quote_char, realm, quote_char))
-- opener.add_handler(auth_handler)
-- opener.add_handler(http_handler)
-- self._test_basic_auth(opener, auth_handler, "Authorization",
-- realm, http_handler, password_manager,
-- "http://acme.example.com/protected",
-- "http://acme.example.com/protected",
-- )
--
-- def test_basic_auth_with_single_quoted_realm(self):
-- self.test_basic_auth(quote_char="'")
--
-- def test_basic_auth_with_unquoted_realm(self):
-- opener = OpenerDirector()
-- password_manager = MockPasswordManager()
-- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
-- realm = "ACME Widget Store"
-- http_handler = MockHTTPHandler(
-- 401, 'WWW-Authenticate: Basic realm=%s\r\n\r\n' % realm)
-- opener.add_handler(auth_handler)
-- opener.add_handler(http_handler)
-- with self.assertWarns(UserWarning):
-+ def check_basic_auth(self, headers, realm):
-+ with self.subTest(realm=realm, headers=headers):
-+ opener = OpenerDirector()
-+ password_manager = MockPasswordManager()
-+ auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
-+ body = '\r\n'.join(headers) + '\r\n\r\n'
-+ http_handler = MockHTTPHandler(401, body)
-+ opener.add_handler(auth_handler)
-+ opener.add_handler(http_handler)
- self._test_basic_auth(opener, auth_handler, "Authorization",
-- realm, http_handler, password_manager,
-- "http://acme.example.com/protected",
-- "http://acme.example.com/protected",
-- )
-+ realm, http_handler, password_manager,
-+ "http://acme.example.com/protected",
-+ "http://acme.example.com/protected")
-+
-+ def test_basic_auth(self):
-+ realm = "realm2@example.com"
-+ realm2 = "realm2@example.com"
-+ basic = f'Basic realm="{realm}"'
-+ basic2 = f'Basic realm="{realm2}"'
-+ other_no_realm = 'Otherscheme xxx'
-+ digest = (f'Digest realm="{realm2}", '
-+ f'qop="auth, auth-int", '
-+ f'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
-+ f'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
-+ for realm_str in (
-+ # test "quote" and 'quote'
-+ f'Basic realm="{realm}"',
-+ f"Basic realm='{realm}'",
-+
-+ # charset is ignored
-+ f'Basic realm="{realm}", charset="UTF-8"',
-+
-+ # Multiple challenges per header
-+ f'{basic}, {basic2}',
-+ f'{basic}, {other_no_realm}',
-+ f'{other_no_realm}, {basic}',
-+ f'{basic}, {digest}',
-+ f'{digest}, {basic}',
-+ ):
-+ headers = [f'WWW-Authenticate: {realm_str}']
-+ self.check_basic_auth(headers, realm)
-+
-+ # no quote: expect a warning
-+ with support.check_warnings(("Basic Auth Realm was unquoted",
-+ UserWarning)):
-+ headers = [f'WWW-Authenticate: Basic realm={realm}']
-+ self.check_basic_auth(headers, realm)
-+
-+ # Multiple headers: one challenge per header.
-+ # Use the first Basic realm.
-+ for challenges in (
-+ [basic, basic2],
-+ [basic, digest],
-+ [digest, basic],
-+ ):
-+ headers = [f'WWW-Authenticate: {challenge}'
-+ for challenge in challenges]
-+ self.check_basic_auth(headers, realm)
-
- def test_proxy_basic_auth(self):
- opener = OpenerDirector()
-diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
-index 7fe50535da..2a3d71554f 100644
---- a/Lib/urllib/request.py
-+++ b/Lib/urllib/request.py
-@@ -937,8 +937,15 @@ class AbstractBasicAuthHandler:
-
- # allow for double- and single-quoted realm values
- # (single quotes are a violation of the RFC, but appear in the wild)
-- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
-- 'realm=(["\']?)([^"\']*)\\2', re.I)
-+ rx = re.compile('(?:^|,)' # start of the string or ','
-+ '[ \t]*' # optional whitespaces
-+ '([^ \t]+)' # scheme like "Basic"
-+ '[ \t]+' # mandatory whitespaces
-+ # realm=xxx
-+ # realm='xxx'
-+ # realm="xxx"
-+ 'realm=(["\']?)([^"\']*)\\2',
-+ re.I)
-
- # XXX could pre-emptively send auth info already accepted (RFC 2617,
- # end of section 2, and section 1.2 immediately after "credentials"
-@@ -950,27 +957,51 @@ class AbstractBasicAuthHandler:
- self.passwd = password_mgr
- self.add_password = self.passwd.add_password
-
-+ def _parse_realm(self, header):
-+ # parse WWW-Authenticate header: accept multiple challenges per header
-+ found_challenge = False
-+ for mo in AbstractBasicAuthHandler.rx.finditer(header):
-+ scheme, quote, realm = mo.groups()
-+ if quote not in ['"', "'"]:
-+ warnings.warn("Basic Auth Realm was unquoted",
-+ UserWarning, 3)
-+
-+ yield (scheme, realm)
-+
-+ found_challenge = True
-+
-+ if not found_challenge:
-+ if header:
-+ scheme = header.split()[0]
-+ else:
-+ scheme = ''
-+ yield (scheme, None)
-+
- def http_error_auth_reqed(self, authreq, host, req, headers):
- # host may be an authority (without userinfo) or a URL with an
- # authority
-- # XXX could be multiple headers
-- authreq = headers.get(authreq, None)
-+ headers = headers.get_all(authreq)
-+ if not headers:
-+ # no header found
-+ return
-
-- if authreq:
-- scheme = authreq.split()[0]
-- if scheme.lower() != 'basic':
-- raise ValueError("AbstractBasicAuthHandler does not"
-- " support the following scheme: '%s'" %
-- scheme)
-- else:
-- mo = AbstractBasicAuthHandler.rx.search(authreq)
-- if mo:
-- scheme, quote, realm = mo.groups()
-- if quote not in ['"',"'"]:
-- warnings.warn("Basic Auth Realm was unquoted",
-- UserWarning, 2)
-- if scheme.lower() == 'basic':
-- return self.retry_http_basic_auth(host, req, realm)
-+ unsupported = None
-+ for header in headers:
-+ for scheme, realm in self._parse_realm(header):
-+ if scheme.lower() != 'basic':
-+ unsupported = scheme
-+ continue
-+
-+ if realm is not None:
-+ # Use the first matching Basic challenge.
-+ # Ignore following challenges even if they use the Basic
-+ # scheme.
-+ return self.retry_http_basic_auth(host, req, realm)
-+
-+ if unsupported is not None:
-+ raise ValueError("AbstractBasicAuthHandler does not "
-+ "support the following scheme: %r"
-+ % (scheme,))
-
- def retry_http_basic_auth(self, host, req, realm):
- user, pw = self.passwd.find_user_password(realm, host)
-diff --git a/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
-new file mode 100644
-index 0000000000..be80ce79d9
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
-@@ -0,0 +1,3 @@
-+:class:`~urllib.request.AbstractBasicAuthHandler` of :mod:`urllib.request`
-+now parses all WWW-Authenticate HTTP headers and accepts multiple challenges
-+per header: use the realm of the first Basic challenge.
-diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
-new file mode 100644
-index 0000000000..9f2800581c
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
-@@ -0,0 +1,5 @@
-+CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
-+:mod:`urllib.request` module uses an inefficient regular expression which can
-+be exploited by an attacker to cause a denial of service. Fix the regex to
-+prevent the catastrophic backtracking. Vulnerability reported by Ben Caller
-+and Matt Schwager.
---
-2.24.1
-
diff --git a/meta/recipes-devtools/python/python3/0001-test_ctypes.test_find-skip-without-tools-sdk.patch b/meta/recipes-devtools/python/python3/0001-test_ctypes.test_find-skip-without-tools-sdk.patch
new file mode 100644
index 0000000000..a44d3396a6
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/0001-test_ctypes.test_find-skip-without-tools-sdk.patch
@@ -0,0 +1,33 @@
+From 7a2bddfa437be633bb6945d0e6b7d6f27da870ad Mon Sep 17 00:00:00 2001
+From: Tim Orling <timothy.t.orling@intel.com>
+Date: Fri, 18 Jun 2021 11:56:50 -0700
+Subject: [PATCH] test_ctypes.test_find: skip without tools-sdk
+
+These tests need full packagegroup-core-buildessential, the
+easiest way to dynamically check for that is looking for
+'tools-sdk' in IMAGE_FEATURES.
+
+Upstream-Status: Inappropriate [oe-specific]
+
+Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
+---
+ Lib/ctypes/test/test_find.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Lib/ctypes/test/test_find.py b/Lib/ctypes/test/test_find.py
+index 92ac184..0d009d1 100644
+--- a/Lib/ctypes/test/test_find.py
++++ b/Lib/ctypes/test/test_find.py
+@@ -112,10 +112,12 @@ class FindLibraryLinux(unittest.TestCase):
+ # LD_LIBRARY_PATH)
+ self.assertEqual(find_library(libname), 'lib%s.so' % libname)
+
++ @unittest.skip("Needs IMAGE_FEATURES += \"tools-sdk\"")
+ def test_find_library_with_gcc(self):
+ with unittest.mock.patch("ctypes.util._findSoname_ldconfig", lambda *args: None):
+ self.assertNotEqual(find_library('c'), None)
+
++ @unittest.skip("Needs IMAGE_FEATURES += \"tools-sdk\"")
+ def test_find_library_with_ld(self):
+ with unittest.mock.patch("ctypes.util._findSoname_ldconfig", lambda *args: None), \
+ unittest.mock.patch("ctypes.util._findLib_gcc", lambda *args: None):
diff --git a/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch b/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch
index 35b7e0c480..f9d2eadc11 100644
--- a/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch
+++ b/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch
@@ -1,6 +1,6 @@
-From b94995e0c694ec9561efec0d1a59b323340e6105 Mon Sep 17 00:00:00 2001
-From: Mingli Yu <mingli.yu@windriver.com>
-Date: Mon, 5 Aug 2019 15:57:39 +0800
+From e11787d373baa6d7b0e0d94aff8ccd373203bfb1 Mon Sep 17 00:00:00 2001
+From: Tim Orling <ticotimo@gmail.com>
+Date: Wed, 16 Jun 2021 07:49:52 -0700
Subject: [PATCH] test_locale.py: correct the test output format
Before this patch:
@@ -24,23 +24,25 @@ Before this patch:
Upstream-Status: Submitted [https://github.com/python/cpython/pull/15132]
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+
+
+Refresh patch for upstream changes in 3.8.9
+
+Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
---
Lib/test/test_locale.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Lib/test/test_locale.py b/Lib/test/test_locale.py
-index e2c2178..558d63c 100644
+index 39091c0..5050f3d 100644
--- a/Lib/test/test_locale.py
+++ b/Lib/test/test_locale.py
-@@ -527,7 +527,7 @@ class TestMiscellaneous(unittest.TestCase):
+@@ -563,7 +563,7 @@ class TestMiscellaneous(unittest.TestCase):
self.skipTest('test needs Turkish locale')
loc = locale.getlocale(locale.LC_CTYPE)
if verbose:
- print('testing with %a' % (loc,), end=' ', flush=True)
+ print('testing with %a...' % (loc,), end=' ', flush=True)
- locale.setlocale(locale.LC_CTYPE, loc)
- self.assertEqual(loc, locale.getlocale(locale.LC_CTYPE))
-
---
-2.7.4
-
+ try:
+ locale.setlocale(locale.LC_CTYPE, loc)
+ except locale.Error as exc:
diff --git a/meta/recipes-devtools/python/python3/CVE-2019-20907.patch b/meta/recipes-devtools/python/python3/CVE-2019-20907.patch
deleted file mode 100644
index a2e72372dd..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2019-20907.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From a06a6bf4e67a50561f6d6fb33534df1d3035ea34 Mon Sep 17 00:00:00 2001
-From: Rishi <rishi_devan@mail.com>
-Date: Wed, 15 Jul 2020 13:51:00 +0200
-Subject: [PATCH] bpo-39017: Avoid infinite loop in the tarfile module
- (GH-21454)
-
-Avoid infinite loop when reading specially crafted TAR files using the tarfile module
-(CVE-2019-20907).
-(cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4)
-
-Co-authored-by: Rishi <rishi_devan@mail.com>
-
-Removed testing 'recursion.tar' tar file due to binary data
-
-Upstream-Status: Backport [https://github.com/python/cpython/commit/c55479556db015f48fc8bbca17f64d3e65598559]
-CVE: CVE-2019-20907
-Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
----
- Lib/tarfile.py | 2 ++
- .../2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst | 1 +
- 4 files changed, 10 insertions(+)
- create mode 100644 Lib/test/recursion.tar
- create mode 100644 Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
-
-diff --git a/Lib/tarfile.py b/Lib/tarfile.py
-index d31b9cbb51d65..7a69e1b1aa544 100755
---- a/Lib/tarfile.py
-+++ b/Lib/tarfile.py
-@@ -1241,6 +1241,8 @@ def _proc_pax(self, tarfile):
-
- length, keyword = match.groups()
- length = int(length)
-+ if length == 0:
-+ raise InvalidHeaderError("invalid header")
- value = buf[match.end(2) + 1:match.start(1) + length - 1]
-
- # Normally, we could just use "utf-8" as the encoding and "strict"
-diff --git a/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
-new file mode 100644
-index 0000000000000..ad26676f8b856
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
-@@ -0,0 +1 @@
-+Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).
diff --git a/meta/recipes-devtools/python/python3/CVE-2020-14422.patch b/meta/recipes-devtools/python/python3/CVE-2020-14422.patch
deleted file mode 100644
index 6889e46da9..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2020-14422.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From dc8ce8ead182de46584cc1ed8a8c51d48240cbd5 Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Mon, 29 Jun 2020 11:12:50 -0700
-Subject: [PATCH] bpo-41004: Resolve hash collisions for IPv4Interface and
- IPv6Interface (GH-21033)
-
-The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
-of generating constant hash values of 32 and 128 respectively causing hash collisions.
-The fix uses the hash() function to generate hash values for the objects
-instead of XOR operation
-(cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28)
-
-Co-authored-by: Ravi Teja P <rvteja92@gmail.com>
-
-Upstream-Status: Backport [https://github.com/python/cpython/commit/dc8ce8ead182de46584cc1ed8a8c51d48240cbd5]
-CVE: CVE-2020-14422
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
----
- Lib/ipaddress.py | 4 ++--
- Lib/test/test_ipaddress.py | 12 ++++++++++++
- .../2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst | 1 +
- 3 files changed, 15 insertions(+), 2 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
-
-diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
-index 873c7644081af..a3a04f7f4b309 100644
---- a/Lib/ipaddress.py
-+++ b/Lib/ipaddress.py
-@@ -1370,7 +1370,7 @@ def __lt__(self, other):
- return False
-
- def __hash__(self):
-- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
-+ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
-
- __reduce__ = _IPAddressBase.__reduce__
-
-@@ -2017,7 +2017,7 @@ def __lt__(self, other):
- return False
-
- def __hash__(self):
-- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
-+ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
-
- __reduce__ = _IPAddressBase.__reduce__
-
-diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
-index de77111705b69..2eba740e5e7a4 100644
---- a/Lib/test/test_ipaddress.py
-+++ b/Lib/test/test_ipaddress.py
-@@ -2053,6 +2053,18 @@ def testsixtofour(self):
- sixtofouraddr.sixtofour)
- self.assertFalse(bad_addr.sixtofour)
-
-+ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
-+ def testV4HashIsNotConstant(self):
-+ ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4")
-+ ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5")
-+ self.assertNotEqual(ipv4_address1.__hash__(), ipv4_address2.__hash__())
-+
-+ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
-+ def testV6HashIsNotConstant(self):
-+ ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1")
-+ ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2")
-+ self.assertNotEqual(ipv6_address1.__hash__(), ipv6_address2.__hash__())
-+
-
- if __name__ == '__main__':
- unittest.main()
-diff --git a/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
-new file mode 100644
-index 0000000000000..1380b31fbe9f4
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
-@@ -0,0 +1 @@
-+The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).
diff --git a/meta/recipes-devtools/python/python3/CVE-2020-26116.patch b/meta/recipes-devtools/python/python3/CVE-2020-26116.patch
deleted file mode 100644
index c019db2a76..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2020-26116.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From 668d321476d974c4f51476b33aaca870272523bf Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Sat, 18 Jul 2020 13:39:12 -0700
-Subject: [PATCH] bpo-39603: Prevent header injection in http methods
- (GH-18485)
-
-reject control chars in http method in http.client.putrequest to prevent http header injection
-(cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e)
-
-Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
-
-Upstream-Status: Backport [https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf]
-CVE: CVE-2020-26116
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
-
----
- Lib/http/client.py | 15 +++++++++++++
- Lib/test/test_httplib.py | 22 +++++++++++++++++++
- .../2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst | 2 ++
- 3 files changed, 39 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
-
-diff --git a/Lib/http/client.py b/Lib/http/client.py
-index 019380a720318..c2ad0471bfee5 100644
---- a/Lib/http/client.py
-+++ b/Lib/http/client.py
-@@ -147,6 +147,10 @@
- # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
- # We are more lenient for assumed real world compatibility purposes.
-
-+# These characters are not allowed within HTTP method names
-+# to prevent http header injection.
-+_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
-+
- # We always set the Content-Length header for these methods because some
- # servers will otherwise respond with a 411
- _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
-@@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False,
- else:
- raise CannotSendRequest(self.__state)
-
-+ self._validate_method(method)
-+
- # Save the method for use later in the response phase
- self._method = method
-
-@@ -1177,6 +1183,15 @@ def _encode_request(self, request):
- # ASCII also helps prevent CVE-2019-9740.
- return request.encode('ascii')
-
-+ def _validate_method(self, method):
-+ """Validate a method name for putrequest."""
-+ # prevent http header injection
-+ match = _contains_disallowed_method_pchar_re.search(method)
-+ if match:
-+ raise ValueError(
-+ f"method can't contain control characters. {method!r} "
-+ f"(found at least {match.group()!r})")
-+
- def _validate_path(self, url):
- """Validate a url for putrequest."""
- # Prevent CVE-2019-9740.
-diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
-index 8f0e27a1fb836..5a5fcecbc9c15 100644
---- a/Lib/test/test_httplib.py
-+++ b/Lib/test/test_httplib.py
-@@ -364,6 +364,28 @@ def test_headers_debuglevel(self):
- self.assertEqual(lines[3], "header: Second: val2")
-
-
-+class HttpMethodTests(TestCase):
-+ def test_invalid_method_names(self):
-+ methods = (
-+ 'GET\r',
-+ 'POST\n',
-+ 'PUT\n\r',
-+ 'POST\nValue',
-+ 'POST\nHOST:abc',
-+ 'GET\nrHost:abc\n',
-+ 'POST\rRemainder:\r',
-+ 'GET\rHOST:\n',
-+ '\nPUT'
-+ )
-+
-+ for method in methods:
-+ with self.assertRaisesRegex(
-+ ValueError, "method can't contain control characters"):
-+ conn = client.HTTPConnection('example.com')
-+ conn.sock = FakeSocket(None)
-+ conn.request(method=method, url="/")
-+
-+
- class TransferEncodingTest(TestCase):
- expected_body = b"It's just a flesh wound"
-
-diff --git a/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
-new file mode 100644
-index 0000000000000..990affc3edd9d
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
-@@ -0,0 +1,2 @@
-+Prevent http header injection by rejecting control characters in
-+http.client.putrequest(...).
diff --git a/meta/recipes-devtools/python/python3/CVE-2020-27619.patch b/meta/recipes-devtools/python/python3/CVE-2020-27619.patch
deleted file mode 100644
index bafa1cb999..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2020-27619.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 6c6c256df3636ff6f6136820afaefa5a10a3ac33 Mon Sep 17 00:00:00 2001
-From: "Miss Skeleton (bot)" <31488909+miss-islington@users.noreply.github.com>
-Date: Tue, 6 Oct 2020 05:38:54 -0700
-Subject: [PATCH] bpo-41944: No longer call eval() on content received via HTTP
- in the CJK codec tests (GH-22566) (GH-22577)
-
-(cherry picked from commit 2ef5caa58febc8968e670e39e3d37cf8eef3cab8)
-
-Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
-
-Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
-
-Upstream-Status: Backport [https://github.com/python/cpython/commit/6c6c256df3636ff6f6136820afaefa5a10a3ac33]
-CVE: CVE-2020-27619
-Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
----
- Lib/test/multibytecodec_support.py | 22 +++++++------------
- .../2020-10-05-17-43-46.bpo-41944.rf1dYb.rst | 1 +
- 2 files changed, 9 insertions(+), 14 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
-
-diff --git a/Lib/test/multibytecodec_support.py b/Lib/test/multibytecodec_support.py
-index cca8af67d6d1d..f76c0153f5ecf 100644
---- a/Lib/test/multibytecodec_support.py
-+++ b/Lib/test/multibytecodec_support.py
-@@ -305,29 +305,23 @@ def test_mapping_file(self):
- self._test_mapping_file_plain()
-
- def _test_mapping_file_plain(self):
-- unichrs = lambda s: ''.join(map(chr, map(eval, s.split('+'))))
-+ def unichrs(s):
-+ return ''.join(chr(int(x, 16)) for x in s.split('+'))
-+
- urt_wa = {}
-
- with self.open_mapping_file() as f:
- for line in f:
- if not line:
- break
-- data = line.split('#')[0].strip().split()
-+ data = line.split('#')[0].split()
- if len(data) != 2:
- continue
-
-- csetval = eval(data[0])
-- if csetval <= 0x7F:
-- csetch = bytes([csetval & 0xff])
-- elif csetval >= 0x1000000:
-- csetch = bytes([(csetval >> 24), ((csetval >> 16) & 0xff),
-- ((csetval >> 8) & 0xff), (csetval & 0xff)])
-- elif csetval >= 0x10000:
-- csetch = bytes([(csetval >> 16), ((csetval >> 8) & 0xff),
-- (csetval & 0xff)])
-- elif csetval >= 0x100:
-- csetch = bytes([(csetval >> 8), (csetval & 0xff)])
-- else:
-+ if data[0][:2] != '0x':
-+ self.fail(f"Invalid line: {line!r}")
-+ csetch = bytes.fromhex(data[0][2:])
-+ if len(csetch) == 1 and 0x80 <= csetch[0]:
- continue
-
- unich = unichrs(data[1])
-diff --git a/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
-new file mode 100644
-index 0000000000000..4f9782f1c85af
---- /dev/null
-+++ b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
-@@ -0,0 +1 @@
-+Tests for CJK codecs no longer call ``eval()`` on content received via HTTP.
diff --git a/meta/recipes-devtools/python/python3/CVE-2021-3177.patch b/meta/recipes-devtools/python/python3/CVE-2021-3177.patch
deleted file mode 100644
index 43d678db46..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2021-3177.patch
+++ /dev/null
@@ -1,191 +0,0 @@
-From ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Mon, 18 Jan 2021 13:28:52 -0800
-Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode
- formatting in ctypes param reprs. (GH-24248)
-
-(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7)
-
-Co-authored-by: Benjamin Peterson <benjamin@python.org>
-
-Co-authored-by: Benjamin Peterson <benjamin@python.org>
-
-CVE: CVE-2021-3177
-Upstream-Status: Backport [https://github.com/python/cpython/commit/ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f]
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
- Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++
- .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 +
- Modules/_ctypes/callproc.c | 51 +++++++------------
- 3 files changed, 64 insertions(+), 32 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
-
-diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py
-index e4c25fd880cef..531894fdec838 100644
---- a/Lib/ctypes/test/test_parameters.py
-+++ b/Lib/ctypes/test/test_parameters.py
-@@ -201,6 +201,49 @@ def __dict__(self):
- with self.assertRaises(ZeroDivisionError):
- WorseStruct().__setstate__({}, b'foo')
-
-+ def test_parameter_repr(self):
-+ from ctypes import (
-+ c_bool,
-+ c_char,
-+ c_wchar,
-+ c_byte,
-+ c_ubyte,
-+ c_short,
-+ c_ushort,
-+ c_int,
-+ c_uint,
-+ c_long,
-+ c_ulong,
-+ c_longlong,
-+ c_ulonglong,
-+ c_float,
-+ c_double,
-+ c_longdouble,
-+ c_char_p,
-+ c_wchar_p,
-+ c_void_p,
-+ )
-+ self.assertRegex(repr(c_bool.from_param(True)), r"^<cparam '\?' at 0x[A-Fa-f0-9]+>$")
-+ self.assertEqual(repr(c_char.from_param(97)), "<cparam 'c' ('a')>")
-+ self.assertRegex(repr(c_wchar.from_param('a')), r"^<cparam 'u' at 0x[A-Fa-f0-9]+>$")
-+ self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b' (98)>")
-+ self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B' (98)>")
-+ self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h' (511)>")
-+ self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H' (511)>")
-+ self.assertRegex(repr(c_int.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
-+ self.assertRegex(repr(c_uint.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
-+ self.assertRegex(repr(c_long.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
-+ self.assertRegex(repr(c_ulong.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
-+ self.assertRegex(repr(c_longlong.from_param(20000)), r"^<cparam '[liq]' \(20000\)>$")
-+ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^<cparam '[LIQ]' \(20000\)>$")
-+ self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5)>")
-+ self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd' (1.5)>")
-+ self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd' (1e+300)>")
-+ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^<cparam ('d' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$")
-+ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$")
-+ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^<cparam 'Z' \(0x[A-Fa-f0-9]+\)>$")
-+ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^<cparam 'P' \(0x0*12\)>$")
-+
- ################################################################
-
- if __name__ == '__main__':
-diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
-new file mode 100644
-index 0000000000000..7df65a156feab
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
-@@ -0,0 +1,2 @@
-+Avoid static buffers when computing the repr of :class:`ctypes.c_double` and
-+:class:`ctypes.c_longdouble` values.
-diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c
-index a9b8675cd951b..de75918d49f37 100644
---- a/Modules/_ctypes/callproc.c
-+++ b/Modules/_ctypes/callproc.c
-@@ -484,58 +484,47 @@ is_literal_char(unsigned char c)
- static PyObject *
- PyCArg_repr(PyCArgObject *self)
- {
-- char buffer[256];
- switch(self->tag) {
- case 'b':
- case 'B':
-- sprintf(buffer, "<cparam '%c' (%d)>",
-+ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
- self->tag, self->value.b);
-- break;
- case 'h':
- case 'H':
-- sprintf(buffer, "<cparam '%c' (%d)>",
-+ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
- self->tag, self->value.h);
-- break;
- case 'i':
- case 'I':
-- sprintf(buffer, "<cparam '%c' (%d)>",
-+ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
- self->tag, self->value.i);
-- break;
- case 'l':
- case 'L':
-- sprintf(buffer, "<cparam '%c' (%ld)>",
-+ return PyUnicode_FromFormat("<cparam '%c' (%ld)>",
- self->tag, self->value.l);
-- break;
-
- case 'q':
- case 'Q':
-- sprintf(buffer,
--#ifdef MS_WIN32
-- "<cparam '%c' (%I64d)>",
--#else
-- "<cparam '%c' (%lld)>",
--#endif
-+ return PyUnicode_FromFormat("<cparam '%c' (%lld)>",
- self->tag, self->value.q);
-- break;
- case 'd':
-- sprintf(buffer, "<cparam '%c' (%f)>",
-- self->tag, self->value.d);
-- break;
-- case 'f':
-- sprintf(buffer, "<cparam '%c' (%f)>",
-- self->tag, self->value.f);
-- break;
--
-+ case 'f': {
-+ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d);
-+ if (f == NULL) {
-+ return NULL;
-+ }
-+ PyObject *result = PyUnicode_FromFormat("<cparam '%c' (%R)>", self->tag, f);
-+ Py_DECREF(f);
-+ return result;
-+ }
- case 'c':
- if (is_literal_char((unsigned char)self->value.c)) {
-- sprintf(buffer, "<cparam '%c' ('%c')>",
-+ return PyUnicode_FromFormat("<cparam '%c' ('%c')>",
- self->tag, self->value.c);
- }
- else {
-- sprintf(buffer, "<cparam '%c' ('\\x%02x')>",
-+ return PyUnicode_FromFormat("<cparam '%c' ('\\x%02x')>",
- self->tag, (unsigned char)self->value.c);
- }
-- break;
-
- /* Hm, are these 'z' and 'Z' codes useful at all?
- Shouldn't they be replaced by the functionality of c_string
-@@ -544,22 +533,20 @@ PyCArg_repr(PyCArgObject *self)
- case 'z':
- case 'Z':
- case 'P':
-- sprintf(buffer, "<cparam '%c' (%p)>",
-+ return PyUnicode_FromFormat("<cparam '%c' (%p)>",
- self->tag, self->value.p);
- break;
-
- default:
- if (is_literal_char((unsigned char)self->tag)) {
-- sprintf(buffer, "<cparam '%c' at %p>",
-+ return PyUnicode_FromFormat("<cparam '%c' at %p>",
- (unsigned char)self->tag, (void *)self);
- }
- else {
-- sprintf(buffer, "<cparam 0x%02x at %p>",
-+ return PyUnicode_FromFormat("<cparam 0x%02x at %p>",
- (unsigned char)self->tag, (void *)self);
- }
-- break;
- }
-- return PyUnicode_FromString(buffer);
- }
-
- static PyMemberDef PyCArgType_members[] = {
-
diff --git a/meta/recipes-devtools/python/python3_3.8.2.bb b/meta/recipes-devtools/python/python3_3.8.10.bb
index 072ce97472..7295c6320e 100644
--- a/meta/recipes-devtools/python/python3_3.8.2.bb
+++ b/meta/recipes-devtools/python/python3_3.8.10.bb
@@ -1,10 +1,10 @@
SUMMARY = "The Python Programming Language"
HOMEPAGE = "http://www.python.org"
DESCRIPTION = "Python is a programming language that lets you work more quickly and integrate your systems more effectively."
-LICENSE = "PSFv2"
+LICENSE = "PSF-2.0 & BSD-0-Clause"
SECTION = "devel/python"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=c22d2438294c784731bf9dd224a467b7"
SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://run-ptest \
@@ -33,12 +33,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-configure.ac-fix-LIBPL.patch \
file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \
file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
- file://0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch \
- file://CVE-2019-20907.patch \
- file://CVE-2020-14422.patch \
- file://CVE-2020-26116.patch \
- file://CVE-2020-27619.patch \
- file://CVE-2021-3177.patch \
+ file://0001-test_ctypes.test_find-skip-without-tools-sdk.patch \
"
SRC_URI_append_class-native = " \
@@ -47,8 +42,8 @@ SRC_URI_append_class-native = " \
file://0001-Don-t-search-system-for-headers-libraries.patch \
"
-SRC_URI[md5sum] = "e9d6ebc92183a177b8e8a58cad5b8d67"
-SRC_URI[sha256sum] = "2646e7dc233362f59714c6193017bb2d6f7b38d6ab4a0cb5fbac5c36c4d845df"
+SRC_URI[md5sum] = "d9eee4b20155553830a2025e4dcaa7b3"
+SRC_URI[sha256sum] = "6af24a66093dd840bcccf371d4044a3027e655cf24591ce26e48022bc79219d9"
# exclude pre-releases for both python 2.x and 3.x
UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
@@ -78,7 +73,7 @@ ALTERNATIVE_LINK_NAME[python3-config] = "${bindir}/python${PYTHON_MAJMIN}-config
ALTERNATIVE_TARGET[python3-config] = "${bindir}/python${PYTHON_MAJMIN}-config-${MULTILIB_SUFFIX}"
-DEPENDS = "bzip2-replacement-native libffi bzip2 openssl sqlite3 zlib virtual/libintl xz virtual/crypt util-linux libtirpc libnsl2"
+DEPENDS = "bzip2-replacement-native libffi bzip2 openssl sqlite3 zlib virtual/libintl xz virtual/crypt util-linux libtirpc libnsl2 autoconf-archive"
DEPENDS_append_class-target = " python3-native"
DEPENDS_append_class-nativesdk = " python3-native"
@@ -337,6 +332,7 @@ PACKAGES =+ "libpython3 libpython3-staticdev"
FILES_libpython3 = "${libdir}/libpython*.so.*"
FILES_libpython3-staticdev += "${libdir}/python${PYTHON_MAJMIN}/config-${PYTHON_MAJMIN}-*/libpython${PYTHON_MAJMIN}.a"
INSANE_SKIP_${PN}-dev += "dev-elf"
+INSANE_SKIP_${PN}-ptest += "dev-deps"
# catch all the rest (unsorted)
PACKAGES += "${PN}-misc"
@@ -352,7 +348,7 @@ FILES_${PN}-man = "${datadir}/man"
# See https://bugs.python.org/issue18748 and https://bugs.python.org/issue37395
RDEPENDS_libpython3_append_libc-glibc = " libgcc"
RDEPENDS_${PN}-ctypes_append_libc-glibc = " ${MLPREFIX}ldconfig"
-RDEPENDS_${PN}-ptest = "${PN}-modules ${PN}-tests unzip bzip2 libgcc tzdata-europe coreutils sed"
+RDEPENDS_${PN}-ptest = "${PN}-modules ${PN}-tests ${PN}-dev unzip bzip2 libgcc tzdata-europe coreutils sed"
RDEPENDS_${PN}-ptest_append_libc-glibc = " locale-base-tr-tr.iso-8859-9"
RDEPENDS_${PN}-tkinter += "${@bb.utils.contains('PACKAGECONFIG', 'tk', 'tk tk-lib', '', d)}"
RDEPENDS_${PN}-dev = ""
diff --git a/meta/recipes-devtools/python/python3_3.8.11.bb b/meta/recipes-devtools/python/python3_3.8.11.bb
new file mode 100644
index 0000000000..f549bb2205
--- /dev/null
+++ b/meta/recipes-devtools/python/python3_3.8.11.bb
@@ -0,0 +1,362 @@
+SUMMARY = "The Python Programming Language"
+HOMEPAGE = "http://www.python.org"
+DESCRIPTION = "Python is a programming language that lets you work more quickly and integrate your systems more effectively."
+LICENSE = "PSF-2.0 & BSD-0-Clause"
+SECTION = "devel/python"
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=c22d2438294c784731bf9dd224a467b7"
+
+SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
+ file://run-ptest \
+ file://create_manifest3.py \
+ file://get_module_deps3.py \
+ file://python3-manifest.json \
+ file://check_build_completeness.py \
+ file://cgi_py.patch \
+ file://0001-Do-not-add-usr-lib-termcap-to-linker-flags-to-avoid-.patch \
+ ${@bb.utils.contains('PACKAGECONFIG', 'tk', '', 'file://avoid_warning_about_tkinter.patch', d)} \
+ file://0001-Do-not-use-the-shell-version-of-python-config-that-w.patch \
+ file://python-config.patch \
+ file://0001-Makefile.pre-use-qemu-wrapper-when-gathering-profile.patch \
+ file://0001-Do-not-hardcode-lib-as-location-for-site-packages-an.patch \
+ file://0001-python3-use-cc_basename-to-replace-CC-for-checking-c.patch \
+ file://0001-Lib-sysconfig.py-fix-another-place-where-lib-is-hard.patch \
+ file://0001-Makefile-fix-Issue36464-parallel-build-race-problem.patch \
+ file://0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch \
+ file://crosspythonpath.patch \
+ file://reformat_sysconfig.py \
+ file://0001-Use-FLAG_REF-always-for-interned-strings.patch \
+ file://0001-test_locale.py-correct-the-test-output-format.patch \
+ file://0017-setup.py-do-not-report-missing-dependencies-for-disa.patch \
+ file://0001-setup.py-pass-missing-libraries-to-Extension-for-mul.patch \
+ file://0001-Makefile-do-not-compile-.pyc-in-parallel.patch \
+ file://0001-configure.ac-fix-LIBPL.patch \
+ file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \
+ file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
+ "
+
+SRC_URI_append_class-native = " \
+ file://0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch \
+ file://12-distutils-prefix-is-inside-staging-area.patch \
+ file://0001-Don-t-search-system-for-headers-libraries.patch \
+ "
+
+SRC_URI[md5sum] = "5840ba601128f48fee4e7c98fbdac65d"
+SRC_URI[sha256sum] = "fb1a1114ebfe9e97199603c6083e20b236a0e007a2c51f29283ffb50c1420fb2"
+
+# exclude pre-releases for both python 2.x and 3.x
+UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
+
+CVE_PRODUCT = "python"
+
+# Upstream consider this expected behaviour
+CVE_CHECK_WHITELIST += "CVE-2007-4559"
+# This is not exploitable when glibc has CVE-2016-10739 fixed.
+CVE_CHECK_WHITELIST += "CVE-2019-18348"
+
+# This is windows only issue.
+CVE_CHECK_WHITELIST += "CVE-2020-15523"
+
+PYTHON_MAJMIN = "3.8"
+
+S = "${WORKDIR}/Python-${PV}"
+
+BBCLASSEXTEND = "native nativesdk"
+
+inherit autotools pkgconfig qemu ptest multilib_header update-alternatives
+
+MULTILIB_SUFFIX = "${@d.getVar('base_libdir',1).split('/')[-1]}"
+
+ALTERNATIVE_${PN}-dev = "python3-config"
+ALTERNATIVE_LINK_NAME[python3-config] = "${bindir}/python${PYTHON_MAJMIN}-config"
+ALTERNATIVE_TARGET[python3-config] = "${bindir}/python${PYTHON_MAJMIN}-config-${MULTILIB_SUFFIX}"
+
+
+DEPENDS = "bzip2-replacement-native libffi bzip2 openssl sqlite3 zlib virtual/libintl xz virtual/crypt util-linux libtirpc libnsl2 autoconf-archive"
+DEPENDS_append_class-target = " python3-native"
+DEPENDS_append_class-nativesdk = " python3-native"
+
+EXTRA_OECONF = " --without-ensurepip --enable-shared"
+EXTRA_OECONF_append_class-native = " --bindir=${bindir}/${PN}"
+
+export CROSSPYTHONPATH="${STAGING_LIBDIR_NATIVE}/python${PYTHON_MAJMIN}/lib-dynload/"
+
+EXTRANATIVEPATH += "python3-native"
+
+CACHED_CONFIGUREVARS = " \
+ ac_cv_file__dev_ptmx=yes \
+ ac_cv_file__dev_ptc=no \
+ ac_cv_working_tzset=yes \
+"
+python() {
+ # PGO currently causes builds to not be reproducible, so disable it for
+ # now. See YOCTO #13407
+ if bb.utils.contains('MACHINE_FEATURES', 'qemu-usermode', True, False, d) and d.getVar('BUILD_REPRODUCIBLE_BINARIES') != '1':
+ d.setVar('PACKAGECONFIG_PGO', 'pgo')
+ else:
+ d.setVar('PACKAGECONFIG_PGO', '')
+}
+
+PACKAGECONFIG_class-target ??= "readline ${PACKAGECONFIG_PGO} gdbm"
+PACKAGECONFIG_class-native ??= "readline gdbm"
+PACKAGECONFIG_class-nativesdk ??= "readline gdbm"
+PACKAGECONFIG[readline] = ",,readline"
+# Use profile guided optimisation by running PyBench inside qemu-user
+PACKAGECONFIG[pgo] = "--enable-optimizations,,qemu-native"
+PACKAGECONFIG[tk] = ",,tk"
+PACKAGECONFIG[gdbm] = ",,gdbm"
+
+do_configure_prepend () {
+ mkdir -p ${B}/Modules
+ cat > ${B}/Modules/Setup.local << EOF
+*disabled*
+${@bb.utils.contains('PACKAGECONFIG', 'gdbm', '', '_gdbm _dbm', d)}
+${@bb.utils.contains('PACKAGECONFIG', 'readline', '', 'readline', d)}
+EOF
+}
+
+CPPFLAGS_append = " -I${STAGING_INCDIR}/ncursesw -I${STAGING_INCDIR}/uuid"
+
+EXTRA_OEMAKE = '\
+ STAGING_LIBDIR=${STAGING_LIBDIR} \
+ STAGING_INCDIR=${STAGING_INCDIR} \
+ LIB=${baselib} \
+'
+
+do_compile_prepend_class-target() {
+ if ${@bb.utils.contains('PACKAGECONFIG', 'pgo', 'true', 'false', d)}; then
+ qemu_binary="${@qemu_wrapper_cmdline(d, '${STAGING_DIR_TARGET}', ['${B}', '${STAGING_DIR_TARGET}/${base_libdir}'])}"
+ cat >pgo-wrapper <<EOF
+#!/bin/sh
+cd ${B}
+$qemu_binary "\$@"
+EOF
+ chmod +x pgo-wrapper
+ fi
+}
+
+do_install_prepend() {
+ ${WORKDIR}/check_build_completeness.py ${T}/log.do_compile
+}
+
+do_install_append_class-target() {
+ oe_multilib_header python${PYTHON_MAJMIN}/pyconfig.h
+}
+
+do_install_append_class-native() {
+ # Make sure we use /usr/bin/env python
+ for PYTHSCRIPT in `grep -rIl ${bindir}/${PN}/python ${D}${bindir}/${PN}`; do
+ sed -i -e '1s|^#!.*|#!/usr/bin/env python3|' $PYTHSCRIPT
+ done
+ # Add a symlink to the native Python so that scripts can just invoke
+ # "nativepython" and get the right one without needing absolute paths
+ # (these often end up too long for the #! parser in the kernel as the
+ # buffer is 128 bytes long).
+ ln -s python3-native/python3 ${D}${bindir}/nativepython3
+}
+
+do_install_append() {
+ mkdir -p ${D}${libdir}/python-sysconfigdata
+ sysconfigfile=`find ${D} -name _sysconfig*.py`
+ cp $sysconfigfile ${D}${libdir}/python-sysconfigdata/_sysconfigdata.py
+
+ sed -i \
+ -e "s,^ 'LIBDIR'.*, 'LIBDIR': '${STAGING_LIBDIR}'\,,g" \
+ -e "s,^ 'INCLUDEDIR'.*, 'INCLUDEDIR': '${STAGING_INCDIR}'\,,g" \
+ -e "s,^ 'CONFINCLUDEDIR'.*, 'CONFINCLUDEDIR': '${STAGING_INCDIR}'\,,g" \
+ -e "/^ 'INCLDIRSTOMAKE'/{N; s,/usr/include,${STAGING_INCDIR},g}" \
+ -e "/^ 'INCLUDEPY'/s,/usr/include,${STAGING_INCDIR},g" \
+ ${D}${libdir}/python-sysconfigdata/_sysconfigdata.py
+}
+
+do_install_append_class-nativesdk () {
+ create_wrapper ${D}${bindir}/python${PYTHON_MAJMIN} TERMINFO_DIRS='${sysconfdir}/terminfo:/etc/terminfo:/usr/share/terminfo:/usr/share/misc/terminfo:/lib/terminfo' PYTHONNOUSERSITE='1'
+}
+
+SSTATE_SCAN_FILES += "Makefile _sysconfigdata.py"
+PACKAGE_PREPROCESS_FUNCS += "py_package_preprocess"
+
+py_package_preprocess () {
+ # Remove references to buildmachine paths in target Makefile and _sysconfigdata
+ sed -i -e 's:--sysroot=${STAGING_DIR_TARGET}::g' -e s:'--with-libtool-sysroot=${STAGING_DIR_TARGET}'::g \
+ -e 's|${DEBUG_PREFIX_MAP}||g' \
+ -e 's:${HOSTTOOLS_DIR}/::g' \
+ -e 's:${RECIPE_SYSROOT_NATIVE}::g' \
+ -e 's:${RECIPE_SYSROOT}::g' \
+ -e 's:${BASE_WORKDIR}/${MULTIMACH_TARGET_SYS}::g' \
+ ${PKGD}/${libdir}/python${PYTHON_MAJMIN}/config-${PYTHON_MAJMIN}${PYTHON_ABI}*/Makefile \
+ ${PKGD}/${libdir}/python${PYTHON_MAJMIN}/_sysconfigdata*.py \
+ ${PKGD}/${bindir}/python${PYTHON_MAJMIN}-config
+
+ # Reformat _sysconfigdata after modifying it so that it remains
+ # reproducible
+ for c in ${PKGD}/${libdir}/python${PYTHON_MAJMIN}/_sysconfigdata*.py; do
+ python3 ${WORKDIR}/reformat_sysconfig.py $c
+ done
+
+ # Recompile _sysconfigdata after modifying it
+ cd ${PKGD}
+ sysconfigfile=`find . -name _sysconfigdata_*.py`
+ ${STAGING_BINDIR_NATIVE}/python3-native/python3 \
+ -c "from py_compile import compile; compile('$sysconfigfile')"
+ ${STAGING_BINDIR_NATIVE}/python3-native/python3 \
+ -c "from py_compile import compile; compile('$sysconfigfile', optimize=1)"
+ ${STAGING_BINDIR_NATIVE}/python3-native/python3 \
+ -c "from py_compile import compile; compile('$sysconfigfile', optimize=2)"
+ cd -
+
+ mv ${PKGD}/${bindir}/python${PYTHON_MAJMIN}-config ${PKGD}/${bindir}/python${PYTHON_MAJMIN}-config-${MULTILIB_SUFFIX}
+
+ #Remove the unneeded copy of target sysconfig data
+ rm -rf ${PKGD}/${libdir}/python-sysconfigdata
+}
+
+# We want bytecode precompiled .py files (.pyc's) by default
+# but the user may set it on their own conf
+INCLUDE_PYCS ?= "1"
+
+python(){
+ import collections, json
+
+ filename = os.path.join(d.getVar('THISDIR'), 'python3', 'python3-manifest.json')
+ # This python changes the datastore based on the contents of a file, so mark
+ # that dependency.
+ bb.parse.mark_dependency(d, filename)
+
+ with open(filename) as manifest_file:
+ manifest_str = manifest_file.read()
+ json_start = manifest_str.find('# EOC') + 6
+ manifest_file.seek(json_start)
+ manifest_str = manifest_file.read()
+ python_manifest = json.loads(manifest_str, object_pairs_hook=collections.OrderedDict)
+
+ # First set RPROVIDES for -native case
+ # Hardcoded since it cant be python3-native-foo, should be python3-foo-native
+ pn = 'python3'
+ rprovides = d.getVar('RPROVIDES').split()
+
+ # ${PN}-misc-native is not in the manifest
+ rprovides.append(pn + '-misc-native')
+
+ for key in python_manifest:
+ pypackage = pn + '-' + key + '-native'
+ if pypackage not in rprovides:
+ rprovides.append(pypackage)
+
+ d.setVar('RPROVIDES_class-native', ' '.join(rprovides))
+
+ # Then work on the target
+ include_pycs = d.getVar('INCLUDE_PYCS')
+
+ packages = d.getVar('PACKAGES').split()
+ pn = d.getVar('PN')
+
+ newpackages=[]
+ for key in python_manifest:
+ pypackage = pn + '-' + key
+
+ if pypackage not in packages:
+ # We need to prepend, otherwise python-misc gets everything
+ # so we use a new variable
+ newpackages.append(pypackage)
+
+ # "Build" python's manifest FILES, RDEPENDS and SUMMARY
+ d.setVar('FILES_' + pypackage, '')
+ for value in python_manifest[key]['files']:
+ d.appendVar('FILES_' + pypackage, ' ' + value)
+
+ # Add cached files
+ if include_pycs == '1':
+ for value in python_manifest[key]['cached']:
+ d.appendVar('FILES_' + pypackage, ' ' + value)
+
+ for value in python_manifest[key]['rdepends']:
+ # Make it work with or without $PN
+ if '${PN}' in value:
+ value=value.split('-', 1)[1]
+ d.appendVar('RDEPENDS_' + pypackage, ' ' + pn + '-' + value)
+
+ for value in python_manifest[key].get('rrecommends', ()):
+ if '${PN}' in value:
+ value=value.split('-', 1)[1]
+ d.appendVar('RRECOMMENDS_' + pypackage, ' ' + pn + '-' + value)
+
+ d.setVar('SUMMARY_' + pypackage, python_manifest[key]['summary'])
+
+ # Prepending so to avoid python-misc getting everything
+ packages = newpackages + packages
+ d.setVar('PACKAGES', ' '.join(packages))
+ d.setVar('ALLOW_EMPTY_${PN}-modules', '1')
+ d.setVar('ALLOW_EMPTY_${PN}-pkgutil', '1')
+}
+
+# Files needed to create a new manifest
+
+do_create_manifest() {
+ # This task should be run with every new release of Python.
+ # We must ensure that PACKAGECONFIG enables everything when creating
+ # a new manifest, this is to base our new manifest on a complete
+ # native python build, containing all dependencies, otherwise the task
+ # wont be able to find the required files.
+ # e.g. BerkeleyDB is an optional build dependency so it may or may not
+ # be present, we must ensure it is.
+
+ cd ${WORKDIR}
+ # This needs to be executed by python-native and NOT by HOST's python
+ nativepython3 create_manifest3.py ${PYTHON_MAJMIN}
+ cp python3-manifest.json.new ${THISDIR}/python3/python3-manifest.json
+}
+
+# bitbake python -c create_manifest
+# Make sure we have native python ready when we create a new manifest
+addtask do_create_manifest after do_patch do_prepare_recipe_sysroot
+
+# manual dependency additions
+RRECOMMENDS_${PN}-core_append_class-nativesdk = " nativesdk-python3-modules"
+RRECOMMENDS_${PN}-crypt_append_class-target = " openssl ca-certificates"
+RRECOMMENDS_${PN}-crypt_append_class-nativesdk = " openssl ca-certificates"
+
+# For historical reasons PN is empty and provided by python3-modules
+FILES_${PN} = ""
+RPROVIDES_${PN}-modules = "${PN}"
+
+FILES_${PN}-pydoc += "${bindir}/pydoc${PYTHON_MAJMIN} ${bindir}/pydoc3"
+FILES_${PN}-idle += "${bindir}/idle3 ${bindir}/idle${PYTHON_MAJMIN}"
+
+# provide python-pyvenv from python3-venv
+RPROVIDES_${PN}-venv += "python3-pyvenv"
+
+# package libpython3
+PACKAGES =+ "libpython3 libpython3-staticdev"
+FILES_libpython3 = "${libdir}/libpython*.so.*"
+FILES_libpython3-staticdev += "${libdir}/python${PYTHON_MAJMIN}/config-${PYTHON_MAJMIN}-*/libpython${PYTHON_MAJMIN}.a"
+INSANE_SKIP_${PN}-dev += "dev-elf"
+INSANE_SKIP_${PN}-ptest += "dev-deps"
+
+# catch all the rest (unsorted)
+PACKAGES += "${PN}-misc"
+RDEPENDS_${PN}-misc += "python3-core python3-email python3-codecs python3-pydoc python3-pickle python3-audio"
+RDEPENDS_${PN}-modules_append_class-target = " python3-misc"
+RDEPENDS_${PN}-modules_append_class-nativesdk = " python3-misc"
+FILES_${PN}-misc = "${libdir}/python${PYTHON_MAJMIN} ${libdir}/python${PYTHON_MAJMIN}/lib-dynload"
+
+# catch manpage
+PACKAGES += "${PN}-man"
+FILES_${PN}-man = "${datadir}/man"
+
+# See https://bugs.python.org/issue18748 and https://bugs.python.org/issue37395
+RDEPENDS_libpython3_append_libc-glibc = " libgcc"
+RDEPENDS_${PN}-ctypes_append_libc-glibc = " ${MLPREFIX}ldconfig"
+RDEPENDS_${PN}-ptest = "${PN}-modules ${PN}-tests ${PN}-dev unzip bzip2 libgcc tzdata-europe coreutils sed"
+RDEPENDS_${PN}-ptest_append_libc-glibc = " locale-base-tr-tr.iso-8859-9"
+RDEPENDS_${PN}-tkinter += "${@bb.utils.contains('PACKAGECONFIG', 'tk', 'tk tk-lib', '', d)}"
+RDEPENDS_${PN}-dev = ""
+
+RDEPENDS_${PN}-tests_append_class-target = " bash"
+RDEPENDS_${PN}-tests_append_class-nativesdk = " bash"
+
+# Python's tests contain large numbers of files we don't need in the recipe sysroots
+SYSROOT_PREPROCESS_FUNCS += " py3_sysroot_cleanup"
+py3_sysroot_cleanup () {
+ rm -rf ${SYSROOT_DESTDIR}${libdir}/python${PYTHON_MAJMIN}/test
+}
diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3421.patch b/meta/recipes-devtools/rpm/files/CVE-2021-3421.patch
new file mode 100644
index 0000000000..b1a05b6863
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-3421.patch
@@ -0,0 +1,197 @@
+From 1e5b70cab83c95aa138107a38ecda75ff70e8985 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Thu, 24 Jun 2021 01:11:26 +0000
+Subject: [PATCH] Be much more careful about copying data from the signature
+ header
+
+Only look for known tags, and ensure correct type and size where known
+before copying over. Bump the old arbitrary 16k count limit to 16M limit
+though, it's not inconceivable that a package could have that many files.
+While at it, ensure none of these tags exist in the main header,
+which would confuse us greatly.
+
+This is optimized for backporting ease, upstream can remove redundancies
+and further improve checking later.
+
+Reported and initial patches by Demi Marie Obenour.
+
+Fixes: RhBug:1935049, RhBug:1933867, RhBug:1935035, RhBug:1934125, ...
+
+Fixes: CVE-2021-3421, CVE-2021-20271
+
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21]
+CVE: CVE-2021-3421
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ lib/package.c | 115 ++++++++++++++++++++++++--------------------------
+ lib/rpmtag.h | 4 ++
+ 2 files changed, 58 insertions(+), 61 deletions(-)
+
+diff --git a/lib/package.c b/lib/package.c
+index 081123d84e..7c26ea323f 100644
+--- a/lib/package.c
++++ b/lib/package.c
+@@ -20,76 +20,68 @@
+
+ #include "debug.h"
+
++struct taglate_s {
++ rpmTagVal stag;
++ rpmTagVal xtag;
++ rpm_count_t count;
++} const xlateTags[] = {
++ { RPMSIGTAG_SIZE, RPMTAG_SIGSIZE, 1 },
++ { RPMSIGTAG_PGP, RPMTAG_SIGPGP, 0 },
++ { RPMSIGTAG_MD5, RPMTAG_SIGMD5, 16 },
++ { RPMSIGTAG_GPG, RPMTAG_SIGGPG, 0 },
++ /* { RPMSIGTAG_PGP5, RPMTAG_SIGPGP5, 0 }, */ /* long obsolete, dont use */
++ { RPMSIGTAG_PAYLOADSIZE, RPMTAG_ARCHIVESIZE, 1 },
++ { RPMSIGTAG_FILESIGNATURES, RPMTAG_FILESIGNATURES, 0 },
++ { RPMSIGTAG_FILESIGNATURELENGTH, RPMTAG_FILESIGNATURELENGTH, 1 },
++ { RPMSIGTAG_SHA1, RPMTAG_SHA1HEADER, 1 },
++ { RPMSIGTAG_SHA256, RPMTAG_SHA256HEADER, 1 },
++ { RPMSIGTAG_DSA, RPMTAG_DSAHEADER, 0 },
++ { RPMSIGTAG_RSA, RPMTAG_RSAHEADER, 0 },
++ { RPMSIGTAG_LONGSIZE, RPMTAG_LONGSIGSIZE, 1 },
++ { RPMSIGTAG_LONGARCHIVESIZE, RPMTAG_LONGARCHIVESIZE, 1 },
++ { 0 }
++};
++
+ /** \ingroup header
+ * Translate and merge legacy signature tags into header.
+ * @param h header (dest)
+ * @param sigh signature header (src)
+ */
+ static
+-void headerMergeLegacySigs(Header h, Header sigh)
++rpmTagVal headerMergeLegacySigs(Header h, Header sigh, char **msg)
+ {
+- HeaderIterator hi;
++ const struct taglate_s *xl;
+ struct rpmtd_s td;
+
+- hi = headerInitIterator(sigh);
+- for (; headerNext(hi, &td); rpmtdFreeData(&td))
+- {
+- switch (td.tag) {
+- /* XXX Translate legacy signature tag values. */
+- case RPMSIGTAG_SIZE:
+- td.tag = RPMTAG_SIGSIZE;
+- break;
+- case RPMSIGTAG_PGP:
+- td.tag = RPMTAG_SIGPGP;
+- break;
+- case RPMSIGTAG_MD5:
+- td.tag = RPMTAG_SIGMD5;
+- break;
+- case RPMSIGTAG_GPG:
+- td.tag = RPMTAG_SIGGPG;
+- break;
+- case RPMSIGTAG_PGP5:
+- td.tag = RPMTAG_SIGPGP5;
+- break;
+- case RPMSIGTAG_PAYLOADSIZE:
+- td.tag = RPMTAG_ARCHIVESIZE;
+- break;
+- case RPMSIGTAG_SHA1:
+- case RPMSIGTAG_SHA256:
+- case RPMSIGTAG_DSA:
+- case RPMSIGTAG_RSA:
+- default:
+- if (!(td.tag >= HEADER_SIGBASE && td.tag < HEADER_TAGBASE))
+- continue;
+- break;
+- }
+- if (!headerIsEntry(h, td.tag)) {
+- switch (td.type) {
+- case RPM_NULL_TYPE:
+- continue;
+- break;
+- case RPM_CHAR_TYPE:
+- case RPM_INT8_TYPE:
+- case RPM_INT16_TYPE:
+- case RPM_INT32_TYPE:
+- case RPM_INT64_TYPE:
+- if (td.count != 1)
+- continue;
+- break;
+- case RPM_STRING_TYPE:
+- case RPM_BIN_TYPE:
+- if (td.count >= 16*1024)
+- continue;
+- break;
+- case RPM_STRING_ARRAY_TYPE:
+- case RPM_I18NSTRING_TYPE:
+- continue;
+- break;
+- }
+- (void) headerPut(h, &td, HEADERPUT_DEFAULT);
+- }
++ rpmtdReset(&td);
++ for (xl = xlateTags; xl->stag; xl++) {
++ /* There mustn't be one in the main header */
++ if (headerIsEntry(h, xl->xtag))
++ break;
++ if (headerGet(sigh, xl->stag, &td, HEADERGET_RAW|HEADERGET_MINMEM)) {
++ /* Translate legacy tags */
++ if (xl->stag != xl->xtag)
++ td.tag = xl->xtag;
++ /* Ensure type and tag size match expectations */
++ if (td.type != rpmTagGetTagType(td.tag))
++ break;
++ if (td.count < 1 || td.count > 16*1024*1024)
++ break;
++ if (xl->count && td.count != xl->count)
++ break;
++ if (!headerPut(h, &td, HEADERPUT_DEFAULT))
++ break;
++ rpmtdFreeData(&td);
++ }
++ }
++ rpmtdFreeData(&td);
++
++ if (xl->stag) {
++ rasprintf(msg, "invalid signature tag %s (%d)",
++ rpmTagGetName(xl->xtag), xl->xtag);
+ }
+- headerFreeIterator(hi);
++
++ return xl->stag;
+ }
+
+ /**
+@@ -337,7 +329,8 @@ rpmRC rpmReadPackageFile(rpmts ts, FD_t fd, const char * fn, Header * hdrp)
+ goto exit;
+
+ /* Append (and remap) signature tags to the metadata. */
+- headerMergeLegacySigs(h, sigh);
++ if (headerMergeLegacySigs(h, sigh,&msg))
++ goto exit;
+ applyRetrofits(h);
+
+ /* Bump reference count for return. */
+diff --git a/lib/rpmtag.h b/lib/rpmtag.h
+index 8c718b31b5..d562572c6f 100644
+--- a/lib/rpmtag.h
++++ b/lib/rpmtag.h
+@@ -65,6 +65,8 @@ typedef enum rpmTag_e {
+ RPMTAG_LONGARCHIVESIZE = RPMTAG_SIG_BASE+15, /* l */
+ /* RPMTAG_SIG_BASE+16 reserved */
+ RPMTAG_SHA256HEADER = RPMTAG_SIG_BASE+17, /* s */
++ /* RPMTAG_SIG_BASE+18 reserved for RPMSIGTAG_FILESIGNATURES */
++ /* RPMTAG_SIG_BASE+19 reserved for RPMSIGTAG_FILESIGNATURELENGTH */
+
+ RPMTAG_NAME = 1000, /* s */
+ #define RPMTAG_N RPMTAG_NAME /* s */
+@@ -422,6 +424,8 @@ typedef enum rpmSigTag_e {
+ RPMSIGTAG_LONGSIZE = RPMTAG_LONGSIGSIZE, /*!< internal Header+Payload size (64bit) in bytes. */
+ RPMSIGTAG_LONGARCHIVESIZE = RPMTAG_LONGARCHIVESIZE, /*!< internal uncompressed payload size (64bit) in bytes. */
+ RPMSIGTAG_SHA256 = RPMTAG_SHA256HEADER,
++ RPMSIGTAG_FILESIGNATURES = RPMTAG_SIG_BASE + 18,
++ RPMSIGTAG_FILESIGNATURELENGTH = RPMTAG_SIG_BASE + 19,
+ } rpmSigTag;
+
+
+--
+2.17.1
+
diff --git a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
index 4029217d08..018b2f8700 100644
--- a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
@@ -44,6 +44,7 @@ SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.14.x \
file://0001-mono-find-provides-requires-do-not-use-monodis-from-.patch \
file://0001-Rip-out-partial-support-for-unused-MD2-and-RIPEMD160.patch \
file://0001-rpmplugins.c-call-dlerror-prior-to-dlsym.patch \
+ file://CVE-2021-3421.patch \
"
PE = "1"
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch b/meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch
deleted file mode 100644
index 1abcb7547e..0000000000
--- a/meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 8946bb38b4d87549f0d99ed73c62c41933f97cc7 Mon Sep 17 00:00:00 2001
-From: Yusuke Endoh <mame@ruby-lang.org>
-Date: Tue, 29 Sep 2020 13:15:58 +0900
-Subject: [PATCH] Make it more strict to interpret some headers
-
-Some regexps were too tolerant.
-
-Upstream-Status: Backport
-[https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7]
-CVE: CVE-2020-25613
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
----
- lib/webrick/httprequest.rb | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb
-index 294bd91..d34eac7 100644
---- a/lib/webrick/httprequest.rb
-+++ b/lib/webrick/httprequest.rb
-@@ -227,9 +227,9 @@ def parse(socket=nil)
- raise HTTPStatus::BadRequest, "bad URI `#{@unparsed_uri}'."
- end
-
-- if /close/io =~ self["connection"]
-+ if /\Aclose\z/io =~ self["connection"]
- @keep_alive = false
-- elsif /keep-alive/io =~ self["connection"]
-+ elsif /\Akeep-alive\z/io =~ self["connection"]
- @keep_alive = true
- elsif @http_version < "1.1"
- @keep_alive = false
-@@ -508,7 +508,7 @@ def read_body(socket, block)
- return unless socket
- if tc = self['transfer-encoding']
- case tc
-- when /chunked/io then read_chunked(socket, block)
-+ when /\Achunked\z/io then read_chunked(socket, block)
- else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}."
- end
- elsif self['content-length'] || @remaining_size
diff --git a/meta/recipes-devtools/ruby/ruby_2.7.1.bb b/meta/recipes-devtools/ruby/ruby_2.7.3.bb
index a6c65e887b..318b9acdae 100644
--- a/meta/recipes-devtools/ruby/ruby_2.7.1.bb
+++ b/meta/recipes-devtools/ruby/ruby_2.7.3.bb
@@ -6,12 +6,11 @@ SRC_URI += " \
file://remove_has_include_macros.patch \
file://run-ptest \
file://0001-Modify-shebang-of-libexec-y2racc-and-libexec-racc2y.patch \
- file://CVE-2020-25613.patch \
file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \
"
-SRC_URI[md5sum] = "debb9c325bf65021214451660f46e909"
-SRC_URI[sha256sum] = "d418483bdd0000576c1370571121a6eb24582116db0b7bb2005e90e250eae418"
+SRC_URI[md5sum] = "72ef97685008981de3ddb748d0dab31f"
+SRC_URI[sha256sum] = "8925a95e31d8f2c81749025a52a544ea1d05dad18794e6828709268b92e55338"
PACKAGECONFIG ??= ""
PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
diff --git a/meta/recipes-devtools/valgrind/valgrind_3.15.0.bb b/meta/recipes-devtools/valgrind/valgrind_3.15.0.bb
index 4621471d67..67999e579a 100644
--- a/meta/recipes-devtools/valgrind/valgrind_3.15.0.bb
+++ b/meta/recipes-devtools/valgrind/valgrind_3.15.0.bb
@@ -107,7 +107,7 @@ VALGRINDARCH_mipsel = "mips32"
VALGRINDARCH_mips64el = "mips64"
VALGRINDARCH_powerpc = "ppc"
VALGRINDARCH_powerpc64 = "ppc64"
-VALGRINDARCH_powerpc64el = "ppc64le"
+VALGRINDARCH_powerpc64le = "ppc64le"
INHIBIT_PACKAGE_STRIP_FILES = "${PKGD}${libdir}/valgrind/vgpreload_memcheck-${VALGRINDARCH}-linux.so"
diff --git a/meta/recipes-extended/timezone/tzdata.bb b/meta/recipes-extended/timezone/tzdata.bb
index e6a0655afe..cc6206ac70 100644
--- a/meta/recipes-extended/timezone/tzdata.bb
+++ b/meta/recipes-extended/timezone/tzdata.bb
@@ -19,13 +19,17 @@ TZONES= "africa antarctica asia australasia europe northamerica southamerica \
"
# pacificnew
+# "slim" is the default since 2020b
+# "fat" is needed by e.g. MariaDB's mysql_tzinfo_to_sql
+ZIC_FMT ?= "slim"
+
do_compile () {
for zone in ${TZONES}; do \
- ${STAGING_BINDIR_NATIVE}/zic -d ${WORKDIR}${datadir}/zoneinfo -L /dev/null \
+ ${STAGING_BINDIR_NATIVE}/zic -b ${ZIC_FMT} -d ${WORKDIR}${datadir}/zoneinfo -L /dev/null \
${S}/${zone} ; \
- ${STAGING_BINDIR_NATIVE}/zic -d ${WORKDIR}${datadir}/zoneinfo/posix -L /dev/null \
+ ${STAGING_BINDIR_NATIVE}/zic -b ${ZIC_FMT} -d ${WORKDIR}${datadir}/zoneinfo/posix -L /dev/null \
${S}/${zone} ; \
- ${STAGING_BINDIR_NATIVE}/zic -d ${WORKDIR}${datadir}/zoneinfo/right -L ${S}/leapseconds \
+ ${STAGING_BINDIR_NATIVE}/zic -b ${ZIC_FMT} -d ${WORKDIR}${datadir}/zoneinfo/right -L ${S}/leapseconds \
${S}/${zone} ; \
done
}
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch
new file mode 100644
index 0000000000..97c4c17a8a
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch
@@ -0,0 +1,333 @@
+From 5c539ee6aba5872fcc73aa3d46a4e9a33dc030db Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Fri, 19 Feb 2021 15:30:39 +0100
+Subject: [PATCH] Reject string longer than USHRT_MAX before sending them on
+ the wire
+
+The X protocol uses CARD16 values to represent the length so
+this would overflow.
+
+CVE-2021-31535
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+https://lists.x.org/archives/xorg-announce/2021-May/003088.html
+
+XLookupColor() and other X libraries function lack proper validation
+of the length of their string parameters. If those parameters can be
+controlled by an external application (for instance a color name that
+can be emitted via a terminal control sequence) it can lead to the
+emission of extra X protocol requests to the X server.
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8d2e02ae650f00c4a53deb625211a0527126c605]
+CVE: CVE-2021-31535
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+ src/Font.c | 6 ++++--
+ src/FontInfo.c | 3 +++
+ src/FontNames.c | 3 +++
+ src/GetColor.c | 4 ++++
+ src/LoadFont.c | 4 ++++
+ src/LookupCol.c | 6 ++++--
+ src/ParseCol.c | 5 ++++-
+ src/QuExt.c | 5 +++++
+ src/SetFPath.c | 8 +++++++-
+ src/SetHints.c | 7 +++++++
+ src/StNColor.c | 3 +++
+ src/StName.c | 7 ++++++-
+ 12 files changed, 54 insertions(+), 7 deletions(-)
+
+diff --git a/src/Font.c b/src/Font.c
+index 09d2ae91..3f468e4b 100644
+--- a/src/Font.c
++++ b/src/Font.c
+@@ -102,6 +102,8 @@ XFontStruct *XLoadQueryFont(
+ XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
+ #endif
+
++ if (strlen(name) >= USHRT_MAX)
++ return NULL;
+ if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0))
+ return font_result;
+ LockDisplay(dpy);
+@@ -662,8 +664,8 @@ int _XF86LoadQueryLocaleFont(
+
+ if (!name)
+ return 0;
+- l = strlen(name);
+- if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-')
++ l = (int) strlen(name);
++ if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX)
+ return 0;
+ charset = NULL;
+ /* next three lines stolen from _XkbGetCharset() */
+diff --git a/src/FontInfo.c b/src/FontInfo.c
+index f870e431..51b48e29 100644
+--- a/src/FontInfo.c
++++ b/src/FontInfo.c
+@@ -58,6 +58,9 @@ XFontStruct **info) /* RETURN */
+ register xListFontsReq *req;
+ int j;
+
++ if (strlen(pattern) >= USHRT_MAX)
++ return NULL;
++
+ LockDisplay(dpy);
+ GetReq(ListFontsWithInfo, req);
+ req->maxNames = maxNames;
+diff --git a/src/FontNames.c b/src/FontNames.c
+index b78792d6..4dac4916 100644
+--- a/src/FontNames.c
++++ b/src/FontNames.c
+@@ -51,6 +51,9 @@ int *actualCount) /* RETURN */
+ register xListFontsReq *req;
+ unsigned long rlen = 0;
+
++ if (strlen(pattern) >= USHRT_MAX)
++ return NULL;
++
+ LockDisplay(dpy);
+ GetReq(ListFonts, req);
+ req->maxNames = maxNames;
+diff --git a/src/GetColor.c b/src/GetColor.c
+index cd0eb9f6..512ac308 100644
+--- a/src/GetColor.c
++++ b/src/GetColor.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -48,6 +49,9 @@ XColor *exact_def) /* RETURN */
+ XcmsColor cmsColor_exact;
+ Status ret;
+
++ if (strlen(colorname) >= USHRT_MAX)
++ return (0);
++
+ #ifdef XCMS
+ /*
+ * Let's Attempt to use Xcms and i18n approach to Parse Color
+diff --git a/src/LoadFont.c b/src/LoadFont.c
+index f547976b..85735249 100644
+--- a/src/LoadFont.c
++++ b/src/LoadFont.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include "Xlibint.h"
+
+ Font
+@@ -38,6 +39,9 @@ XLoadFont (
+ Font fid;
+ register xOpenFontReq *req;
+
++ if (strlen(name) >= USHRT_MAX)
++ return (0);
++
+ if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid))
+ return fid;
+
+diff --git a/src/LookupCol.c b/src/LookupCol.c
+index f7f969f5..cd9b1368 100644
+--- a/src/LookupCol.c
++++ b/src/LookupCol.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,6 +47,9 @@ XLookupColor (
+ XcmsCCC ccc;
+ XcmsColor cmsColor_exact;
+
++ n = (int) strlen (spec);
++ if (n >= USHRT_MAX)
++ return 0;
+ #ifdef XCMS
+ /*
+ * Let's Attempt to use Xcms and i18n approach to Parse Color
+@@ -77,8 +81,6 @@ XLookupColor (
+ * Xcms and i18n methods failed, so lets pass it to the server
+ * for parsing.
+ */
+-
+- n = strlen (spec);
+ LockDisplay(dpy);
+ GetReq (LookupColor, req);
+ req->cmap = cmap;
+diff --git a/src/ParseCol.c b/src/ParseCol.c
+index e997b1b8..180132dd 100644
+--- a/src/ParseCol.c
++++ b/src/ParseCol.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,7 +47,9 @@ XParseColor (
+ XcmsColor cmsColor;
+
+ if (!spec) return(0);
+- n = strlen (spec);
++ n = (int) strlen (spec);
++ if (n >= USHRT_MAX)
++ return(0);
+ if (*spec == '#') {
+ /*
+ * RGB
+diff --git a/src/QuExt.c b/src/QuExt.c
+index 4e230e77..d38a1572 100644
+--- a/src/QuExt.c
++++ b/src/QuExt.c
+@@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
++#include <stdbool.h>
+ #include "Xlibint.h"
+
+ Bool
+@@ -40,6 +42,9 @@ XQueryExtension(
+ xQueryExtensionReply rep;
+ register xQueryExtensionReq *req;
+
++ if (strlen(name) >= USHRT_MAX)
++ return false;
++
+ LockDisplay(dpy);
+ GetReq(QueryExtension, req);
+ req->nbytes = name ? strlen(name) : 0;
+diff --git a/src/SetFPath.c b/src/SetFPath.c
+index 60aaef01..3d8c50cb 100644
+--- a/src/SetFPath.c
++++ b/src/SetFPath.c
+@@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group.
+
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
++#include <limits.h>
+ #endif
+ #include "Xlibint.h"
+
+@@ -48,7 +49,12 @@ XSetFontPath (
+ GetReq (SetFontPath, req);
+ req->nFonts = ndirs;
+ for (i = 0; i < ndirs; i++) {
+- n += safestrlen (directories[i]) + 1;
++ n = (int) ((size_t) n + (safestrlen (directories[i]) + 1));
++ if (n >= USHRT_MAX) {
++ UnlockDisplay(dpy);
++ SyncHandle();
++ return 0;
++ }
+ }
+ nbytes = (n + 3) & ~3;
+ req->length += nbytes >> 2;
+diff --git a/src/SetHints.c b/src/SetHints.c
+index bc46498a..f3d727ec 100644
+--- a/src/SetHints.c
++++ b/src/SetHints.c
+@@ -49,6 +49,7 @@ SOFTWARE.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <X11/Xlibint.h>
+ #include <X11/Xutil.h>
+ #include "Xatomtype.h"
+@@ -214,6 +215,8 @@ XSetCommand (
+ register char *buf, *bp;
+ for (i = 0, nbytes = 0; i < argc; i++) {
+ nbytes += safestrlen(argv[i]) + 1;
++ if (nbytes >= USHRT_MAX)
++ return 1;
+ }
+ if ((bp = buf = Xmalloc(nbytes))) {
+ /* copy arguments into single buffer */
+@@ -256,6 +259,8 @@ XSetStandardProperties (
+
+ if (name != NULL) XStoreName (dpy, w, name);
+
++ if (safestrlen(icon_string) >= USHRT_MAX)
++ return 1;
+ if (icon_string != NULL) {
+ XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+ PropModeReplace,
+@@ -298,6 +303,8 @@ XSetClassHint(
+
+ len_nm = safestrlen(classhint->res_name);
+ len_cl = safestrlen(classhint->res_class);
++ if (len_nm + len_cl >= USHRT_MAX)
++ return 1;
+ if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) {
+ if (len_nm) {
+ strcpy(s, classhint->res_name);
+diff --git a/src/StNColor.c b/src/StNColor.c
+index 8b821c3e..ba021958 100644
+--- a/src/StNColor.c
++++ b/src/StNColor.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,6 +47,8 @@ int flags) /* DoRed, DoGreen, DoBlue */
+ XcmsColor cmsColor_exact;
+ XColor scr_def;
+
++ if (strlen(name) >= USHRT_MAX)
++ return 0;
+ #ifdef XCMS
+ /*
+ * Let's Attempt to use Xcms approach to Parse Color
+diff --git a/src/StName.c b/src/StName.c
+index b4048bff..5a632d0c 100644
+--- a/src/StName.c
++++ b/src/StName.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <X11/Xlibint.h>
+ #include <X11/Xatom.h>
+
+@@ -36,7 +37,9 @@ XStoreName (
+ Window w,
+ _Xconst char *name)
+ {
+- return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING,
++ if (strlen(name) >= USHRT_MAX)
++ return 0;
++ return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */
+ 8, PropModeReplace, (_Xconst unsigned char *)name,
+ name ? strlen(name) : 0);
+ }
+@@ -47,6 +50,8 @@ XSetIconName (
+ Window w,
+ _Xconst char *icon_name)
+ {
++ if (strlen(icon_name) >= USHRT_MAX)
++ return 0;
+ return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+ PropModeReplace, (_Xconst unsigned char *)icon_name,
+ icon_name ? strlen(icon_name) : 0);
+--
+2.32.0
+
diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
index ebd2640743..ff2a6f7265 100644
--- a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
@@ -15,6 +15,7 @@ SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \
file://libx11-whitespace.patch \
file://CVE-2020-14344.patch \
file://CVE-2020-14363.patch \
+ file://CVE-2021-31535.patch \
"
SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"
diff --git a/meta/recipes-kernel/linux/kernel-devsrc.bb b/meta/recipes-kernel/linux/kernel-devsrc.bb
index 951e7635cc..887e1e2430 100644
--- a/meta/recipes-kernel/linux/kernel-devsrc.bb
+++ b/meta/recipes-kernel/linux/kernel-devsrc.bb
@@ -177,7 +177,7 @@ do_install() {
cp -a --parents $SYSCALL_TOOLS $kerneldir/build/
fi
- cp -a --parents arch/arm/kernel/module.lds $kerneldir/build/
+ cp -a --parents arch/arm/kernel/module.lds $kerneldir/build/ 2>/dev/null || :
fi
if [ -d arch/${ARCH}/include ]; then
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index 3643e6af46..dcf4f12f45 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "c279b45a44858da788a13f23130ed06663e77c57"
-SRCREV_meta ?= "aa019cb8e4af653d6e136f1b8720884b97ddde49"
+SRCREV_machine ?= "135b02c845043f37c8eac73607b62b0735286756"
+SRCREV_meta ?= "2ff6e592745fd397ec2da205ab02daafbf49351a"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.4.123"
+LINUX_VERSION ?= "5.4.132"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index cf8e81e0f3..eaef9d9b64 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.4.123"
+LINUX_VERSION ?= "5.4.132"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine_qemuarm ?= "445028ae9ec9a904122bb5c60995def98d2b1ddc"
-SRCREV_machine ?= "edc1395a32f99faaebc6b48769c4bd02a8b074be"
-SRCREV_meta ?= "aa019cb8e4af653d6e136f1b8720884b97ddde49"
+SRCREV_machine_qemuarm ?= "629ca595e3eafd1fdc3a3d978d6ed4547b419968"
+SRCREV_machine ?= "35abc20f52ebdd41bbe76e6f2d6ee189ab3078f6"
+SRCREV_meta ?= "2ff6e592745fd397ec2da205ab02daafbf49351a"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index 7282fbcd6e..cb3ff75d27 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base"
KBRANCH_qemux86-64 ?= "v5.4/standard/base"
KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "c292705386cfec860dad5e1dee74f22407fb7f94"
-SRCREV_machine_qemuarm64 ?= "edc1395a32f99faaebc6b48769c4bd02a8b074be"
-SRCREV_machine_qemumips ?= "d4c949dc0b88dba72f9f94a18fd994aa8482ff8e"
-SRCREV_machine_qemuppc ?= "edc1395a32f99faaebc6b48769c4bd02a8b074be"
-SRCREV_machine_qemuriscv64 ?= "edc1395a32f99faaebc6b48769c4bd02a8b074be"
-SRCREV_machine_qemux86 ?= "edc1395a32f99faaebc6b48769c4bd02a8b074be"
-SRCREV_machine_qemux86-64 ?= "edc1395a32f99faaebc6b48769c4bd02a8b074be"
-SRCREV_machine_qemumips64 ?= "417e8e4e101314f02439a88c78d4cf2ab98df209"
-SRCREV_machine ?= "edc1395a32f99faaebc6b48769c4bd02a8b074be"
-SRCREV_meta ?= "aa019cb8e4af653d6e136f1b8720884b97ddde49"
+SRCREV_machine_qemuarm ?= "cf8b645d7a1c268d071bdfe606f01d739afbdb80"
+SRCREV_machine_qemuarm64 ?= "8d40ced691b9d211840801614a1031089ed6c2a2"
+SRCREV_machine_qemumips ?= "c574c7303a75e700cb7123fc93a7ca7c19c963d6"
+SRCREV_machine_qemuppc ?= "5550c64c43f81e6c29abfbc6ce31f44f200644ec"
+SRCREV_machine_qemuriscv64 ?= "92705f96294a9c4ac611d3242f20651d5cf6224a"
+SRCREV_machine_qemux86 ?= "92705f96294a9c4ac611d3242f20651d5cf6224a"
+SRCREV_machine_qemux86-64 ?= "92705f96294a9c4ac611d3242f20651d5cf6224a"
+SRCREV_machine_qemumips64 ?= "9cd841f768e0b5a07251df29ba202b5ff2bdf114"
+SRCREV_machine ?= "92705f96294a9c4ac611d3242f20651d5cf6224a"
+SRCREV_meta ?= "2ff6e592745fd397ec2da205ab02daafbf49351a"
# remap qemuarm to qemuarma15 for the 5.4 kernel
# KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.123"
+LINUX_VERSION ?= "5.4.132"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
diff --git a/meta/recipes-kernel/perf/perf.bb b/meta/recipes-kernel/perf/perf.bb
index b6f50583f7..e04047e85a 100644
--- a/meta/recipes-kernel/perf/perf.bb
+++ b/meta/recipes-kernel/perf/perf.bb
@@ -45,7 +45,7 @@ PROVIDES = "virtual/perf"
inherit linux-kernel-base kernel-arch manpages
# needed for building the tools/perf Python bindings
-inherit ${@bb.utils.contains('PACKAGECONFIG', 'scripting', 'python3native', '', d)}
+inherit ${@bb.utils.contains('PACKAGECONFIG', 'scripting', 'python3targetconfig', '', d)}
inherit python3-dir
export PYTHON_SITEPACKAGES_DIR
diff --git a/meta/recipes-kernel/powertop/powertop/0002-configure.ac-ax_add_fortify_source.patch b/meta/recipes-kernel/powertop/powertop/0002-configure.ac-ax_add_fortify_source.patch
new file mode 100644
index 0000000000..4ccbdbfcd1
--- /dev/null
+++ b/meta/recipes-kernel/powertop/powertop/0002-configure.ac-ax_add_fortify_source.patch
@@ -0,0 +1,70 @@
+From 0d833743954ac1c58773cbf7a78fe0dc8105ae4a Mon Sep 17 00:00:00 2001
+From: Joe Konno <joe.konno@linux.intel.com>
+Date: Tue, 11 Feb 2020 14:15:42 -0800
+Subject: [PATCH] configure.ac: ax_add_fortify_source
+
+Use a maintained autoconf-archive macro to determine whether we need to
+add -D_FORTIFY_SOURCE=3D2, or if the underlying OS (or toolchain) has it
+baked in.
+
+Signed-off-by: Joe Konno <joe.konno@intel.com>
+
+Fixes:
+ aclocal: error: too many loops
+
+Upstream-Status: Backport from 2.12
+Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
+---
+ configure.ac | 2 +-
+ m4/gcc_fortify_source_cc.m4 | 29 -----------------------------
+ 2 files changed, 1 insertion(+), 30 deletions(-)
+ delete mode 100644 m4/gcc_fortify_source_cc.m4
+
+diff --git a/configure.ac b/configure.ac
+index d6a15e1..d68369c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -36,7 +36,7 @@ AC_PROG_LIBTOOL
+ AC_PROG_CC
+ AC_PROG_INSTALL
+ AM_PROG_CC_C_O
+-GCC_FORTIFY_SOURCE_CC
++AX_ADD_FORTIFY_SOURCE
+ AX_CXX_COMPILE_STDCXX_11([noext], [mandatory])
+
+ # Checks for libraries.
+diff --git a/m4/gcc_fortify_source_cc.m4 b/m4/gcc_fortify_source_cc.m4
+deleted file mode 100644
+index 1206672..0000000
+--- a/m4/gcc_fortify_source_cc.m4
++++ /dev/null
+@@ -1,29 +0,0 @@
+-dnl GCC_FORTIFY_SOURCE_CC
+-dnl checks -D_FORTIFY_SOURCE with the C++ compiler, if it exists then
+-dnl updates CXXCPP
+-AC_DEFUN([GCC_FORTIFY_SOURCE_CC],[
+- AC_LANG_ASSERT([C++])
+- AS_IF([test "X$CXX" != "X"], [
+- AC_MSG_CHECKING([for FORTIFY_SOURCE support])
+- fs_old_cxxcpp="$CXXCPP"
+- fs_old_cxxflags="$CXXFLAGS"
+- CXXCPP="$CXXCPP -D_FORTIFY_SOURCE=2"
+- CXXFLAGS="$CXXFLAGS -Werror"
+- AC_COMPILE_IFELSE([
+- AC_LANG_PROGRAM([[]], [[
+- int main(void) {
+- #if !(__GNUC_PREREQ (4, 1) )
+- #error No FORTIFY_SOURCE support
+- #endif
+- return 0;
+- }
+- ]], [
+- AC_MSG_RESULT([yes])
+- ], [
+- AC_MSG_RESULT([no])
+- CXXCPP="$fs_old_cxxcpp"
+- ])
+- ])
+- CXXFLAGS="$fs_old_cxxflags"
+- ])
+-])
diff --git a/meta/recipes-kernel/powertop/powertop/0003-configure-Use-AX_REQUIRE_DEFINED.patch b/meta/recipes-kernel/powertop/powertop/0003-configure-Use-AX_REQUIRE_DEFINED.patch
new file mode 100644
index 0000000000..ac728f4a39
--- /dev/null
+++ b/meta/recipes-kernel/powertop/powertop/0003-configure-Use-AX_REQUIRE_DEFINED.patch
@@ -0,0 +1,29 @@
+From fbf74492236676e844b021b0dbb45b1ca43a0410 Mon Sep 17 00:00:00 2001
+From: David King <amigadave@amigadave.com>
+Date: Thu, 15 Apr 2021 11:45:13 +0100
+Subject: [PATCH] configure: Use AX_REQUIRE_DEFINED
+
+Require additional macros to be defined early, to avoid an aclocal
+"too many loops" error when copying macros.
+
+Upstream-Status: Backport from tip
+
+Signed-off-by: Tim Orling <ticotimo@gmail.com>
+---
+ configure.ac | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index d68369c..b90831b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -29,6 +29,9 @@ AM_GNU_GETTEXT([external])
+ AM_GNU_GETTEXT_VERSION([0.18.2])
+
+ m4_ifdef([AM_PROG_AR], [AM_PROG_AR])
++AX_REQUIRE_DEFINED([AX_ADD_FORTIFY_SOURCE])
++AX_REQUIRE_DEFINED([AX_CXX_COMPILE_STDCXX])
++AX_REQUIRE_DEFINED([AX_PTHREAD])
+ # Checks for programs.
+ AC_PROG_CPP
+ AC_PROG_CXX
diff --git a/meta/recipes-kernel/powertop/powertop_2.10.bb b/meta/recipes-kernel/powertop/powertop_2.10.bb
index f1b0e92b2b..ffa3b4685c 100644
--- a/meta/recipes-kernel/powertop/powertop_2.10.bb
+++ b/meta/recipes-kernel/powertop/powertop_2.10.bb
@@ -2,13 +2,15 @@ SUMMARY = "Power usage tool"
DESCRIPTION = "Linux tool to diagnose issues with power consumption and power management."
HOMEPAGE = "https://01.org/powertop/"
BUGTRACKER = "https://app.devzing.com/powertopbugs/bugzilla"
-DEPENDS = "ncurses libnl pciutils"
+DEPENDS = "ncurses libnl pciutils autoconf-archive"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e"
SRC_URI = "git://github.com/fenrus75/powertop;protocol=https \
- file://0001-wakeup_xxx.h-include-limits.h.patch \
-"
+ file://0001-wakeup_xxx.h-include-limits.h.patch \
+ file://0002-configure.ac-ax_add_fortify_source.patch \
+ file://0003-configure-Use-AX_REQUIRE_DEFINED.patch \
+ "
SRCREV = "e8765b5475b22b7a2b6e9e8a031c68a268a0b0b3"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2021-3522.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2021-3522.patch
new file mode 100644
index 0000000000..3717f0cf3a
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2021-3522.patch
@@ -0,0 +1,36 @@
+From 067e759136904b82bba9c6d1d781c4408dfecfe6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= <tim@centricular.com>
+Date: Wed, 3 Mar 2021 01:08:25 +0000
+Subject: [PATCH] tag: id3v2: fix frame size check and potential invalid reads
+
+Check the right variable when checking if there's
+enough data left to read the frame size.
+
+Closes https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/merge_requests/1066>
+
+Upstream-Status: Backport
+[https://gstreamer.freedesktop.org/security/sa-2021-0001.html]
+CVE: CVE-2021-3522
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ gst-libs/gst/tag/id3v2frames.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gst-libs/gst/tag/id3v2frames.c b/gst-libs/gst/tag/id3v2frames.c
+index 8e9f782..f39659b 100644
+--- a/gst-libs/gst/tag/id3v2frames.c
++++ b/gst-libs/gst/tag/id3v2frames.c
+@@ -109,7 +109,7 @@ id3v2_parse_frame (ID3TagsWorking * work)
+
+ if (work->frame_flags & (ID3V2_FRAME_FORMAT_COMPRESSION |
+ ID3V2_FRAME_FORMAT_DATA_LENGTH_INDICATOR)) {
+- if (work->hdr.frame_data_size <= 4)
++ if (frame_data_size <= 4)
+ return FALSE;
+ if (ID3V2_VER_MAJOR (work->hdr.version) == 3) {
+ work->parse_size = GST_READ_UINT32_BE (frame_data);
+--
+2.17.1
+
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb
index f8f5caa94a..431468d459 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb
@@ -15,10 +15,15 @@ SRC_URI = " \
file://0003-ssaparse-enhance-SSA-text-lines-parsing.patch \
file://0005-viv-fb-Make-sure-config.h-is-included.patch \
file://0009-glimagesink-Downrank-to-marginal.patch \
+ file://CVE-2021-3522.patch \
"
SRC_URI[md5sum] = "e3ddb1bae9fb510b49a295f212f1e6e4"
SRC_URI[sha256sum] = "9f02678b0bbbcc9eff107d3bd89d83ce92fec2154cd607c7c8bd34dc7fee491c"
+# CPE entries for gst-plugins-base are listed as gstreamer issues
+# so we need to ignore the false hit
+CVE_CHECK_WHITELIST += "CVE-2021-3522"
+
S = "${WORKDIR}/gst-plugins-base-${PV}"
DEPENDS += "iso-codes util-linux zlib"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch
new file mode 100644
index 0000000000..81f7c59a7b
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch
@@ -0,0 +1,207 @@
+From 9181191511f9c0be6a89c98b311f49d66bd46dc3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 4 Mar 2021 13:05:19 +0200
+Subject: [PATCH] matroskademux: Fix extraction of multichannel WavPack
+
+The old code had a couple of issues that all lead to potential memory
+safety bugs.
+
+ - Use a constant for the Wavpack4Header size instead of using sizeof.
+ It's written out into the data and not from the struct and who knows
+ what special alignment/padding requirements some C compilers have.
+ - gst_buffer_set_size() does not realloc the buffer when setting a
+ bigger size than allocated, it only allows growing up to the maximum
+ allocated size. Instead use a GstAdapter to collect all the blocks
+ and take out everything at once in the end.
+ - Check that enough data is actually available in the input and
+ otherwise handle it an error in all cases instead of silently
+ ignoring it.
+
+Among other things this fixes out of bounds writes because the code
+assumed gst_buffer_set_size() can grow the buffer and simply wrote after
+the end of the buffer.
+
+Thanks to Natalie Silvanovich for reporting.
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/859
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/903>
+
+Upstream-Status: Backport
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/9181191511f9c0be6a89c98b311f49d66bd46dc3?merge_request_iid=903
+CVE: CVE-2021-3497
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ gst/matroska/matroska-demux.c | 99 +++++++++++++++++++----------------
+ gst/matroska/matroska-ids.h | 2 +
+ 2 files changed, 55 insertions(+), 46 deletions(-)
+
+diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
+index 467815986..0e47ee7b5 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -3851,6 +3851,12 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ guint32 block_samples, tmp;
+ gsize size = gst_buffer_get_size (*buf);
+
++ if (size < 4) {
++ GST_ERROR_OBJECT (element, "Too small wavpack buffer");
++ gst_buffer_unmap (*buf, &map);
++ return GST_FLOW_ERROR;
++ }
++
+ gst_buffer_extract (*buf, 0, &tmp, sizeof (guint32));
+ block_samples = GUINT32_FROM_LE (tmp);
+ /* we need to reconstruct the header of the wavpack block */
+@@ -3858,10 +3864,10 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ /* -20 because ck_size is the size of the wavpack block -8
+ * and lace_size is the size of the wavpack block + 12
+ * (the three guint32 of the header that already are in the buffer) */
+- wvh.ck_size = size + sizeof (Wavpack4Header) - 20;
++ wvh.ck_size = size + WAVPACK4_HEADER_SIZE - 20;
+
+ /* block_samples, flags and crc are already in the buffer */
+- newbuf = gst_buffer_new_allocate (NULL, sizeof (Wavpack4Header) - 12, NULL);
++ newbuf = gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE - 12, NULL);
+
+ gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
+ data = outmap.data;
+@@ -3886,9 +3892,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ audiocontext->wvpk_block_index += block_samples;
+ } else {
+ guint8 *outdata = NULL;
+- guint outpos = 0;
+- gsize buf_size, size, out_size = 0;
++ gsize buf_size, size;
+ guint32 block_samples, flags, crc, blocksize;
++ GstAdapter *adapter;
++
++ adapter = gst_adapter_new ();
+
+ gst_buffer_map (*buf, &map, GST_MAP_READ);
+ buf_data = map.data;
+@@ -3897,6 +3905,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ if (buf_size < 4) {
+ GST_ERROR_OBJECT (element, "Too small wavpack buffer");
+ gst_buffer_unmap (*buf, &map);
++ g_object_unref (adapter);
+ return GST_FLOW_ERROR;
+ }
+
+@@ -3918,59 +3927,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ data += 4;
+ size -= 4;
+
+- if (blocksize == 0 || size < blocksize)
+- break;
+-
+- g_assert ((newbuf == NULL) == (outdata == NULL));
++ if (blocksize == 0 || size < blocksize) {
++ GST_ERROR_OBJECT (element, "Too small wavpack buffer");
++ gst_buffer_unmap (*buf, &map);
++ g_object_unref (adapter);
++ return GST_FLOW_ERROR;
++ }
+
+- if (newbuf == NULL) {
+- out_size = sizeof (Wavpack4Header) + blocksize;
+- newbuf = gst_buffer_new_allocate (NULL, out_size, NULL);
++ g_assert (newbuf == NULL);
+
+- gst_buffer_copy_into (newbuf, *buf,
+- GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
++ newbuf =
++ gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE + blocksize,
++ NULL);
++ gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
++ outdata = outmap.data;
++
++ outdata[0] = 'w';
++ outdata[1] = 'v';
++ outdata[2] = 'p';
++ outdata[3] = 'k';
++ outdata += 4;
++
++ GST_WRITE_UINT32_LE (outdata, blocksize + WAVPACK4_HEADER_SIZE - 8);
++ GST_WRITE_UINT16_LE (outdata + 4, wvh.version);
++ GST_WRITE_UINT8 (outdata + 6, wvh.track_no);
++ GST_WRITE_UINT8 (outdata + 7, wvh.index_no);
++ GST_WRITE_UINT32_LE (outdata + 8, wvh.total_samples);
++ GST_WRITE_UINT32_LE (outdata + 12, wvh.block_index);
++ GST_WRITE_UINT32_LE (outdata + 16, block_samples);
++ GST_WRITE_UINT32_LE (outdata + 20, flags);
++ GST_WRITE_UINT32_LE (outdata + 24, crc);
++ outdata += 28;
++
++ memcpy (outdata, data, blocksize);
+
+- outpos = 0;
+- gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
+- outdata = outmap.data;
+- } else {
+- gst_buffer_unmap (newbuf, &outmap);
+- out_size += sizeof (Wavpack4Header) + blocksize;
+- gst_buffer_set_size (newbuf, out_size);
+- gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
+- outdata = outmap.data;
+- }
++ gst_buffer_unmap (newbuf, &outmap);
++ gst_adapter_push (adapter, newbuf);
++ newbuf = NULL;
+
+- outdata[outpos] = 'w';
+- outdata[outpos + 1] = 'v';
+- outdata[outpos + 2] = 'p';
+- outdata[outpos + 3] = 'k';
+- outpos += 4;
+-
+- GST_WRITE_UINT32_LE (outdata + outpos,
+- blocksize + sizeof (Wavpack4Header) - 8);
+- GST_WRITE_UINT16_LE (outdata + outpos + 4, wvh.version);
+- GST_WRITE_UINT8 (outdata + outpos + 6, wvh.track_no);
+- GST_WRITE_UINT8 (outdata + outpos + 7, wvh.index_no);
+- GST_WRITE_UINT32_LE (outdata + outpos + 8, wvh.total_samples);
+- GST_WRITE_UINT32_LE (outdata + outpos + 12, wvh.block_index);
+- GST_WRITE_UINT32_LE (outdata + outpos + 16, block_samples);
+- GST_WRITE_UINT32_LE (outdata + outpos + 20, flags);
+- GST_WRITE_UINT32_LE (outdata + outpos + 24, crc);
+- outpos += 28;
+-
+- memmove (outdata + outpos, data, blocksize);
+- outpos += blocksize;
+ data += blocksize;
+ size -= blocksize;
+ }
+ gst_buffer_unmap (*buf, &map);
+- gst_buffer_unref (*buf);
+
+- if (newbuf)
+- gst_buffer_unmap (newbuf, &outmap);
++ newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter));
++ g_object_unref (adapter);
+
++ gst_buffer_copy_into (newbuf, *buf,
++ GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
++ gst_buffer_unref (*buf);
+ *buf = newbuf;
++
+ audiocontext->wvpk_block_index += block_samples;
+ }
+
+diff --git a/gst/matroska/matroska-ids.h b/gst/matroska/matroska-ids.h
+index 429213f77..8d4a685a9 100644
+--- a/gst/matroska/matroska-ids.h
++++ b/gst/matroska/matroska-ids.h
+@@ -688,6 +688,8 @@ typedef struct _Wavpack4Header {
+ guint32 crc; /* crc for actual decoded data */
+ } Wavpack4Header;
+
++#define WAVPACK4_HEADER_SIZE (32)
++
+ typedef enum {
+ GST_MATROSKA_TRACK_ENCODING_SCOPE_FRAME = (1<<0),
+ GST_MATROSKA_TRACK_ENCODING_SCOPE_CODEC_DATA = (1<<1),
+--
+GitLab
+
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch
new file mode 100644
index 0000000000..d3de2d5014
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch
@@ -0,0 +1,44 @@
+From 02174790726dd20a5c73ce2002189bf240ad4fe0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 3 Mar 2021 11:31:52 +0200
+Subject: [PATCH] matroskademux: Initialize track context out parameter to NULL
+ before parsing
+
+Various error return paths don't set it to NULL and callers are only
+checking if the pointer is NULL. As it's allocated on the stack this
+usually contains random stack memory, and more often than not the memory
+of a previously parsed track.
+
+This then causes all kinds of memory corruptions further down the line.
+
+Thanks to Natalie Silvanovich for reporting.
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/858
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/903>
+
+Upstream-Status: Backport [
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/02174790726dd20a5c73ce2002189bf240ad4fe0?merge_request_iid=903 ]
+CVE: CVE-2021-3498
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ gst/matroska/matroska-demux.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
+index 4d0234743..467815986 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -692,6 +692,8 @@ gst_matroska_demux_parse_stream (GstMatroskaDemux * demux, GstEbmlRead * ebml,
+
+ DEBUG_ELEMENT_START (demux, ebml, "TrackEntry");
+
++ *dest_context = NULL;
++
+ /* start with the master */
+ if ((ret = gst_ebml_read_master (ebml, &id)) != GST_FLOW_OK) {
+ DEBUG_ELEMENT_STOP (demux, ebml, "TrackEntry", ret);
+--
+GitLab
+
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
index b3f17d4a4a..e8830103ce 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
@@ -8,11 +8,18 @@ SRC_URI = " \
https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-${PV}.tar.xz \
file://0001-qmlgl-ensure-Qt-defines-GLsync-to-fix-compile-on-som.patch \
file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \
+ file://CVE-2021-3497.patch \
+ file://CVE-2021-3498.patch \
"
SRC_URI[md5sum] = "c79b6c2f8eaadb2bb66615b694db399e"
SRC_URI[sha256sum] = "d3a23a3fe73de673f591b7655494990c9e8a0e22a3c70d6f1dbf50198b29f85f"
+# CPE entries for gst-plugins-good are listed as gstreamer issues
+# so we need to ignore the false hit
+CVE_CHECK_WHITELIST += "CVE-2021-3497"
+CVE_CHECK_WHITELIST += "CVE-2021-3498"
+
S = "${WORKDIR}/gst-plugins-good-${PV}"
LICENSE = "GPLv2+ & LGPLv2.1+"
diff --git a/meta/recipes-sato/webkit/webkitgtk/0001-clang-11-fix-build-errors-due-to-WWc-11-narrowing.patch b/meta/recipes-sato/webkit/webkitgtk/0001-clang-11-fix-build-errors-due-to-WWc-11-narrowing.patch
new file mode 100644
index 0000000000..d8bb8efb88
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/0001-clang-11-fix-build-errors-due-to-WWc-11-narrowing.patch
@@ -0,0 +1,66 @@
+From cb929f59b527fe890376e47613dfe1434a320bc0 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 11 Aug 2020 15:44:48 -0700
+Subject: [PATCH] [clang 11] fix build errors due to -WWc++11-narrowing
+
+https://bugs.webkit.org/show_bug.cgi?id=211193
+
+Reviewed by Adrian Perez de Castro.
+
+Fixes the following errors,
+
+Source/WebCore/html/MediaElementSession.cpp:1059:9: error: type 'WebCore::RenderMedia *' cannot be narrowed to 'bool' in initializer list [-Wc++11-narrowing]
+m_element.renderer(),
+^~~~~~~~~~~~~~~~~~~~
+
+Source/WebCore/style/StyleResolver.cpp:106:55: error: type 'const char [4]' cannot be narrowed to 'bool' in initializer list [-Wc++11-narrowing]
+m_mediaQueryEvaluator = MediaQueryEvaluator { "all" };
+ ^~~~~
+Source/WebCore/style/StyleResolver.cpp:106:55: note: insert an explicit cast to silence this issue
+m_mediaQueryEvaluator = MediaQueryEvaluator { "all" };
+ ^~~~~
+ static_cast<bool>( )
+
+* html/HTMLMediaElement.h:
+(WebCore::HTMLMediaElement::hasRenderer const):
+MediaElementSession was implicitly casting a pointer to a bool,
+which is not allowed with modern Clang checks. Add a helper method
+to encapsulate the now required static_cast<bool>.
+* html/MediaElementSession.cpp: Use the new helper method to see
+if the HTMLMediaElement has an associated renderer.
+(WebCore::MediaElementSession::updateMediaUsageIfChanged):
+* style/StyleResolver.cpp: This was calling MediaQueryEvaluator {
+"all" }; and seemingly expecting to cast a const char[] to a bool,
+or maybe String? It's confusing because of the MediaQueryEvaluator
+API. If it was implicitly converting to bool then that could be
+unintentional. Such casts are not allowed either now. The
+MediaQueryEvaluator's default constructor says it returns true for
+"all", which appears to be the original intent of this call, so I
+replaced it with that.
+(WebCore::Style::Resolver::Resolver):
+
+git-svn-id: http://svn.webkit.org/repository/webkit/trunk@260951 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+Upstream-Status: Backport [https://github.com/WebKit/webkit/commit/c3cf651016e4cdcb4350598d4a586821071f91bf.patch]
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ Source/WebCore/style/StyleResolver.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Source/WebCore/style/StyleResolver.cpp b/Source/WebCore/style/StyleResolver.cpp
+index 8bf371a0..34580ddb 100644
+--- a/Source/WebCore/style/StyleResolver.cpp
++++ b/Source/WebCore/style/StyleResolver.cpp
+@@ -107,7 +107,7 @@ Resolver::Resolver(Document& document)
+ if (view)
+ m_mediaQueryEvaluator = MediaQueryEvaluator { view->mediaType() };
+ else
+- m_mediaQueryEvaluator = MediaQueryEvaluator { "all" };
++ m_mediaQueryEvaluator = MediaQueryEvaluator { };
+
+ if (root) {
+ m_rootDefaultStyle = styleForElement(*root, m_document.renderStyle(), nullptr, RuleMatchingBehavior::MatchOnlyUserAgentRules).renderStyle;
+--
+2.28.0
+
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2020-13753.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2020-13753.patch
deleted file mode 100644
index d8504c2b36..0000000000
--- a/meta/recipes-sato/webkit/webkitgtk/CVE-2020-13753.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Upstream-Status: Backport [https://trac.webkit.org/changeset/262368/webkit?format=diff&new=262368]
-CVE: CVE-2020-13753
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
-
-Index: a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
-===================================================================
---- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp (revision 262367)
-+++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp (revision 262368)
-@@ -642,5 +642,5 @@
- int r;
- if (rule.arg)
-- r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 1, rule.arg);
-+ r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 1, *rule.arg);
- else
- r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 0);
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.28.2.bb b/meta/recipes-sato/webkit/webkitgtk_2.28.4.bb
index cf6b2ffae7..ceda2992d7 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.28.2.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.28.4.bb
@@ -19,10 +19,9 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \
file://cross-compile.patch \
file://0001-Fix-build-with-musl.patch \
file://include_array.patch \
- file://CVE-2020-13753.patch \
+ file://0001-clang-11-fix-build-errors-due-to-WWc-11-narrowing.patch \
"
-SRC_URI[md5sum] = "ec0ef870ca37e3a5ebbead2f268a28ec"
-SRC_URI[sha256sum] = "b9d23525cfd8d22c37b5d964a9fe9a8ce7583042a2f8d3922e71e6bbc68c30bd"
+SRC_URI[sha256sum] = "821952e8c9303ed752f1fb1d4283f612c25249d00d705d2b79c2db1bc49c9464"
inherit cmake pkgconfig gobject-introspection perlnative features_check upstream-version-is-even gtk-doc
diff --git a/scripts/lib/devtool/deploy.py b/scripts/lib/devtool/deploy.py
index aaa25dda08..d802b22e8f 100644
--- a/scripts/lib/devtool/deploy.py
+++ b/scripts/lib/devtool/deploy.py
@@ -168,7 +168,7 @@ def deploy(args, config, basepath, workspace):
if args.strip and not args.dry_run:
# Fakeroot copy to new destination
srcdir = recipe_outdir
- recipe_outdir = os.path.join(rd.getVar('WORKDIR'), 'deploy-target-stripped')
+ recipe_outdir = os.path.join(rd.getVar('WORKDIR'), 'devtool-deploy-target-stripped')
if os.path.isdir(recipe_outdir):
bb.utils.remove(recipe_outdir, True)
exec_fakeroot(rd, "cp -af %s %s" % (os.path.join(srcdir, '.'), recipe_outdir), shell=True)