[thud][PATCH 0/9] Fixes for Thud

[thud][PATCH 0/9] Fixes for Thud

[Armin Kuster]

These are backports and Secruity fixes for thud 
already in Warrior or not affecting the versions in warrior.

Adrian Bunk (1):
  gnutls: upgrade 3.6.5 -> 3.6.7

Armin Kuster (4):
  glibc: Security fix CVE-2019-9169
  elfutils: Security fixes  CVE-2019-7146,7149,7150
  gnutls: update to 3.6.5
  nettle: update to 3.4.1

Mingli Yu (2):
  nettle: fix ptest failure
  nettle: fix the Segmentation fault

Richard Purdie (1):
  Revert "nettle: fix ptest failure"

Ross Burton (1):
  gnutls: no need to inherit binconfig

 meta/recipes-core/glibc/glibc/CVE-2019-9169.patch  |  63 +++++++++
 meta/recipes-core/glibc/glibc_2.28.bb              |   1 +
 meta/recipes-devtools/elfutils/elfutils_0.175.bb   |   4 +
 .../elfutils/files/CVE-2019-7146_p1.patch          |  52 ++++++++
 .../elfutils/files/CVE-2019-7146_p2.patch          |  65 +++++++++
 .../elfutils/files/CVE-2019-7149.patch             | 148 +++++++++++++++++++++
 .../elfutils/files/CVE-2019-7150.patch             |  51 +++++++
 .../gnutls/{gnutls_3.6.4.bb => gnutls_3.6.7.bb}    |   9 +-
 ...d-target-to-only-build-tests-not-run-them.patch |   0
 ...k-header-files-of-openssl-only-if-enable_.patch |   0
 .../{nettle-3.4 => nettle-3.4.1}/dlopen-test.patch |   0
 .../nettle/{nettle-3.4 => nettle-3.4.1}/run-ptest  |   0
 .../nettle/{nettle_3.4.bb => nettle_3.4.1.bb}      |   5 +-
 13 files changed, 391 insertions(+), 7 deletions(-)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2019-9169.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch
 rename meta/recipes-support/gnutls/{gnutls_3.6.4.bb => gnutls_3.6.7.bb} (84%)
 rename meta/recipes-support/nettle/{nettle-3.4 => nettle-3.4.1}/Add-target-to-only-build-tests-not-run-them.patch (100%)
 rename meta/recipes-support/nettle/{nettle-3.4 => nettle-3.4.1}/check-header-files-of-openssl-only-if-enable_.patch (100%)
 rename meta/recipes-support/nettle/{nettle-3.4 => nettle-3.4.1}/dlopen-test.patch (100%)
 rename meta/recipes-support/nettle/{nettle-3.4 => nettle-3.4.1}/run-ptest (100%)
 rename meta/recipes-support/nettle/{nettle_3.4.bb => nettle_3.4.1.bb} (90%)

-- 
2.7.4

[thud][PATCH 1/9] glibc: Security fix CVE-2019-9169

[Armin Kuster]

From: Armin Kuster <akuster@mvista.com>

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-core/glibc/glibc/CVE-2019-9169.patch | 63 +++++++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.28.bb             |  1 +
 2 files changed, 64 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2019-9169.patch

diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch b/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch
new file mode 100644
index 0000000..14cfaa3
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch
@@ -0,0 +1,63 @@
+From 583dd860d5b833037175247230a328f0050dbfe9 Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Mon, 21 Jan 2019 11:08:13 -0800
+Subject: [PATCH] regex: fix read overrun [BZ #24114]
+
+Problem found by AddressSanitizer, reported by Hongxu Chen in:
+https://debbugs.gnu.org/34140
+* posix/regexec.c (proceed_next_node):
+Do not read past end of input buffer.
+
+Upstream-Status: Backport 
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9
+
+CVE: CVE-2019-9169
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog       | 10 +++++++++-
+ posix/regexec.c |  6 ++++--
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,11 @@
++2019-01-31  Paul Eggert  <eggert@cs.ucla.edu>
++
++       regex: fix read overrun [BZ #24114]
++       Problem found by AddressSanitizer, reported by Hongxu Chen in:
++       https://debbugs.gnu.org/34140
++       * posix/regexec.c (proceed_next_node):
++       Do not read past end of input buffer.
++
+ 2018-09-30  Martin Jansa  <Martin.Jansa@gmail.com>
+ 	Partial fix for [BZ #23716]
+ 	* locale/weight.h: Fix build with -Os.
+@@ -10917,7 +10925,7 @@
+ 	(CFLAGS-wcstof_l.c): Likewise.
+ 	(CPPFLAGS-tst-wchar-h.c): Likewise.
+ 	(CPPFLAGS-wcstold_l.c): Likewise.
+----
++
+ 2017-12-11  Paul A. Clarke  <pc@us.ibm.com>
+ 
+ 	* sysdeps/ieee754/flt-32/s_cosf.c: New implementation.
+Index: git/posix/regexec.c
+===================================================================
+--- git.orig/posix/regexec.c
++++ git/posix/regexec.c
+@@ -1289,8 +1289,10 @@ proceed_next_node (const re_match_contex
+ 	      else if (naccepted)
+ 		{
+ 		  char *buf = (char *) re_string_get_buffer (&mctx->input);
+-		  if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
+-			      naccepted) != 0)
++		  if (mctx->input.valid_len - *pidx < naccepted
++		      || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
++				  naccepted)
++			  != 0))
+ 		    return -1;
+ 		}
+ 	    }
diff --git a/meta/recipes-core/glibc/glibc_2.28.bb b/meta/recipes-core/glibc/glibc_2.28.bb
index 72cee04..1bcec3e 100644
--- a/meta/recipes-core/glibc/glibc_2.28.bb
+++ b/meta/recipes-core/glibc/glibc_2.28.bb
@@ -47,6 +47,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0032-sysdeps-ieee754-soft-fp-ignore-maybe-uninitialized-w.patch \
            file://0033-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
            file://0034-inject-file-assembly-directives.patch \
+           file://CVE-2019-9169.patch \
 "
 
 NATIVESDKFIXES ?= ""
-- 
2.7.4

[thud][PATCH 2/9] elfutils: Security fixes CVE-2019-7146, 7149, 7150

[Armin Kuster]

From: Armin Kuster <akuster@mvista.com>

Source: http://sourceware.org/git/elfutils.git
MR: 97563, 97568, 97558
Type: Security Fix
Disposition: Backport from http://sourceware.org/git/elfutils.git
ChangeID: 6183c2a25d5e32eec1846a428dd165e1de659f24
Description:

Affects <= 0.175

Fixes:
CVE-2019-7146
CVE-2019-7149
CVE-2019-7150

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/elfutils/elfutils_0.175.bb   |   4 +
 .../elfutils/files/CVE-2019-7146_p1.patch          |  52 ++++++++
 .../elfutils/files/CVE-2019-7146_p2.patch          |  65 +++++++++
 .../elfutils/files/CVE-2019-7149.patch             | 148 +++++++++++++++++++++
 .../elfutils/files/CVE-2019-7150.patch             |  51 +++++++
 5 files changed, 320 insertions(+)
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch

diff --git a/meta/recipes-devtools/elfutils/elfutils_0.175.bb b/meta/recipes-devtools/elfutils/elfutils_0.175.bb
index b0b9ddc..e94a48e 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.175.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.175.bb
@@ -27,6 +27,10 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
            file://debian/hurd_path.patch \
            file://debian/ignore_strmerge.diff \
            file://debian/disable_werror.patch \
+           file://CVE-2019-7149.patch \
+           file://CVE-2019-7150.patch \
+           file://CVE-2019-7146_p1.patch \
+           file://CVE-2019-7146_p2.patch \
            "
 SRC_URI_append_libc-musl = " file://0008-build-Provide-alternatives-for-glibc-assumptions-hel.patch"
 
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch
new file mode 100644
index 0000000..b6cd29a
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch
@@ -0,0 +1,52 @@
+From 012018907ca05eb0ab51d424a596ef38fc87cae1 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 16 Jan 2019 11:57:35 +0100
+Subject: [PATCH] libebl: Check GNU property note pr_datasz fits inside note
+ description.
+
+Before printing the data values, make sure pr_datasz doesn't go beyond
+the end of the note description data.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24075
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+
+Upstream-Status: Backport
+CVE: CVE-2019-7146 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libebl/ChangeLog    | 4 ++++
+ libebl/eblobjnote.c | 7 +++++++
+ 2 files changed, 11 insertions(+)
+
+Index: elfutils-0.175/libebl/eblobjnote.c
+===================================================================
+--- elfutils-0.175.orig/libebl/eblobjnote.c
++++ elfutils-0.175/libebl/eblobjnote.c
+@@ -350,6 +350,13 @@ ebl_object_note (Ebl *ebl, uint32_t name
+ 		  desc += 8;
+ 		  descsz -= 8;
+ 
++		  if (prop.pr_datasz > descsz)
++		    {
++		      printf ("BAD property datasz: %" PRId32 "\n",
++			      prop.pr_datasz);
++		      return;
++		    }
++
+ 		  int elfclass = gelf_getclass (ebl->elf);
+ 		  char *elfident = elf_getident (ebl->elf, NULL);
+ 		  GElf_Ehdr ehdr;
+Index: elfutils-0.175/libebl/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libebl/ChangeLog
++++ elfutils-0.175/libebl/ChangeLog
+@@ -1,3 +1,7 @@
++2019-01-16  Mark Wielaard  <mark@klomp.org>
++
++       * eblobjnte.c (ebl_object_note): Check pr_datasz isn't too large.
++
+ 2018-11-15  Mark Wielaard  <mark@klomp.org>
+ 
+ 	* eblobjnotetypename.c (ebl_object_note_type_name): Don't update
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch
new file mode 100644
index 0000000..4434b36
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch
@@ -0,0 +1,65 @@
+From cd7ded3df43f655af945c869976401a602e46fcd Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 30 Jan 2019 00:04:11 +0100
+Subject: [PATCH] libebl: Check GNU property note data padding fits inside
+ note.
+
+The GNU property note data is padded. Make sure the extra padding
+still fits in the note description.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24075
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+
+Upstream-Status: Backport
+CVE: CVE-2019-7146 patch #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libebl/ChangeLog    |  5 +++++
+ libebl/eblobjnote.c | 17 +++++++++--------
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+Index: elfutils-0.175/libebl/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libebl/ChangeLog
++++ elfutils-0.175/libebl/ChangeLog
+@@ -1,3 +1,8 @@
++2019-01-29  Mark Wielaard  <mark@klomp.org>
++
++	* eblobjnote.c (ebl_object_note): Check pr_datasz padding doesn't
++	overflow descsz.
++
+ 2019-01-16  Mark Wielaard  <mark@klomp.org>
+ 
+        * eblobjnte.c (ebl_object_note): Check pr_datasz isn't too large.
+Index: elfutils-0.175/libebl/eblobjnote.c
+===================================================================
+--- elfutils-0.175.orig/libebl/eblobjnote.c
++++ elfutils-0.175/libebl/eblobjnote.c
+@@ -486,16 +486,17 @@ ebl_object_note (Ebl *ebl, uint32_t name
+ 			  printf ("%02" PRIx8 "\n", (uint8_t) desc[i]);
+ 			}
+ 		    }
++
+ 		  if (elfclass == ELFCLASS32)
+-		    {
+-		      desc += NOTE_ALIGN4 (prop.pr_datasz);
+-		      descsz -= NOTE_ALIGN4 (prop.pr_datasz);
+-		    }
++		    prop.pr_datasz = NOTE_ALIGN4 (prop.pr_datasz);
+ 		  else
+-		    {
+-		      desc += NOTE_ALIGN8 (prop.pr_datasz);
+-		      descsz -= NOTE_ALIGN8 (prop.pr_datasz);
+-		    }
++		    prop.pr_datasz = NOTE_ALIGN8 (prop.pr_datasz);
++
++		  desc += prop.pr_datasz;
++		  if (descsz > prop.pr_datasz)
++		    descsz -= prop.pr_datasz;
++		  else
++		    descsz = 0;
+ 		}
+ 	    }
+ 	  break;
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch
new file mode 100644
index 0000000..215a171
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch
@@ -0,0 +1,148 @@
+From 2562759d6fe5b364fe224852e64e8bda39eb2e35 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Sun, 20 Jan 2019 22:10:18 +0100
+Subject: [PATCH] libdw: Check terminating NUL byte in dwarf_getsrclines for
+ dir/file table.
+
+For DWARF version < 5 the .debug_line directory and file tables consist
+of a terminating NUL byte after all strings. The code used to just skip
+this without checking it actually existed. This could case a spurious
+read past the end of data.
+
+Fix the same issue in readelf.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24102
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+
+Upstream-Status: Backport
+CVE: CVE-2019-7149
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libdw/ChangeLog           |  5 +++++
+ libdw/dwarf_getsrclines.c | 11 ++++++++---
+ src/ChangeLog             |  5 +++++
+ src/readelf.c             |  8 ++++++--
+ 4 files changed, 24 insertions(+), 5 deletions(-)
+
+Index: elfutils-0.175/libdw/dwarf_getsrclines.c
+===================================================================
+--- elfutils-0.175.orig/libdw/dwarf_getsrclines.c
++++ elfutils-0.175/libdw/dwarf_getsrclines.c
+@@ -315,7 +315,7 @@ read_srclines (Dwarf *dbg,
+   if (version < 5)
+     {
+       const unsigned char *dirp = linep;
+-      while (*dirp != 0)
++      while (dirp < lineendp && *dirp != 0)
+ 	{
+ 	  uint8_t *endp = memchr (dirp, '\0', lineendp - dirp);
+ 	  if (endp == NULL)
+@@ -323,6 +323,8 @@ read_srclines (Dwarf *dbg,
+ 	  ++ndirs;
+ 	  dirp = endp + 1;
+ 	}
++      if (dirp >= lineendp || *dirp != '\0')
++	goto invalid_data;
+       ndirs = ndirs + 1; /* There is always the "unknown" dir.  */
+     }
+   else
+@@ -392,11 +394,12 @@ read_srclines (Dwarf *dbg,
+ 	{
+ 	  dirarray[n].dir = (char *) linep;
+ 	  uint8_t *endp = memchr (linep, '\0', lineendp - linep);
+-	  assert (endp != NULL);
++	  assert (endp != NULL); // Checked above when calculating ndirlist.
+ 	  dirarray[n].len = endp - linep;
+ 	  linep = endp + 1;
+ 	}
+       /* Skip the final NUL byte.  */
++      assert (*linep == '\0'); // Checked above when calculating ndirlist.
+       ++linep;
+     }
+   else
+@@ -471,7 +474,7 @@ read_srclines (Dwarf *dbg,
+     {
+       if (unlikely (linep >= lineendp))
+ 	goto invalid_data;
+-      while (*linep != 0)
++      while (linep < lineendp && *linep != '\0')
+ 	{
+ 	  struct filelist *new_file = NEW_FILE ();
+ 
+@@ -527,6 +530,8 @@ read_srclines (Dwarf *dbg,
+ 	    goto invalid_data;
+ 	  get_uleb128 (new_file->info.length, linep, lineendp);
+ 	}
++      if (linep >= lineendp || *linep != '\0')
++	goto invalid_data;
+       /* Skip the final NUL byte.  */
+       ++linep;
+     }
+Index: elfutils-0.175/src/readelf.c
+===================================================================
+--- elfutils-0.175.orig/src/readelf.c
++++ elfutils-0.175/src/readelf.c
+@@ -8444,7 +8444,7 @@ print_debug_line_section (Dwfl_Module *d
+ 	}
+       else
+ 	{
+-	  while (*linep != 0)
++	  while (linep < lineendp && *linep != 0)
+ 	    {
+ 	      unsigned char *endp = memchr (linep, '\0', lineendp - linep);
+ 	      if (unlikely (endp == NULL))
+@@ -8454,6 +8454,8 @@ print_debug_line_section (Dwfl_Module *d
+ 
+ 	      linep = endp + 1;
+ 	    }
++	  if (linep >= lineendp || *linep != 0)
++	    goto invalid_unit;
+ 	  /* Skip the final NUL byte.  */
+ 	  ++linep;
+ 	}
+@@ -8523,7 +8525,7 @@ print_debug_line_section (Dwfl_Module *d
+       else
+ 	{
+ 	  puts (gettext (" Entry Dir   Time      Size      Name"));
+-	  for (unsigned int cnt = 1; *linep != 0; ++cnt)
++	  for (unsigned int cnt = 1; linep < lineendp && *linep != 0; ++cnt)
+ 	    {
+ 	      /* First comes the file name.  */
+ 	      char *fname = (char *) linep;
+@@ -8553,6 +8555,8 @@ print_debug_line_section (Dwfl_Module *d
+ 	      printf (" %-5u %-5u %-9u %-9u %s\n",
+ 		      cnt, diridx, mtime, fsize, fname);
+ 	    }
++	  if (linep >= lineendp || *linep != '\0')
++	    goto invalid_unit;
+ 	  /* Skip the final NUL byte.  */
+ 	  ++linep;
+ 	}
+Index: elfutils-0.175/libdw/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libdw/ChangeLog
++++ elfutils-0.175/libdw/ChangeLog
+@@ -1,3 +1,8 @@
++2019-01-20  Mark Wielaard  <mark@klomp.org>
++
++       * dwarf_getsrclines.c (read_srclines): Check terminating NUL byte
++       for dir and file lists.
++
+ 2018-10-20  Mark Wielaard  <mark@klomp.org>
+ 
+ 	* libdw.map (ELFUTILS_0.175): New section. Add dwelf_elf_begin.
+Index: elfutils-0.175/src/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/src/ChangeLog
++++ elfutils-0.175/src/ChangeLog
+@@ -1,3 +1,8 @@
++2019-01-20  Mark Wielaard  <mark@klomp.org>
++
++       * readelf.c (print_debug_line_section): Check terminating NUL byte
++       for dir and file tables.
++
+ 2018-11-10  Mark Wielaard  <mark@klomp.org>
+ 
+ 	* elflint.c (check_program_header): Allow PT_GNU_EH_FRAME segment
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch
new file mode 100644
index 0000000..01a4fb1
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch
@@ -0,0 +1,51 @@
+From da5c5336a1eaf519de246f7d9f0f5585e1d4ac59 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Sun, 20 Jan 2019 23:05:56 +0100
+Subject: [PATCH] libdwfl: Sanity check partial core file dyn data read.
+
+When reading the dyn data from the core file check if we got everything,
+or just part of the data.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24103
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+
+Upstream-Status: Backport
+CVE: CVE-2019-7150
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libdwfl/ChangeLog                    | 5 +++++
+ libdwfl/dwfl_segment_report_module.c | 6 ++++++
+ 2 files changed, 11 insertions(+)
+
+Index: elfutils-0.175/libdwfl/dwfl_segment_report_module.c
+===================================================================
+--- elfutils-0.175.orig/libdwfl/dwfl_segment_report_module.c
++++ elfutils-0.175/libdwfl/dwfl_segment_report_module.c
+@@ -783,6 +783,12 @@ dwfl_segment_report_module (Dwfl *dwfl,
+   if (dyn_filesz != 0 && dyn_filesz % dyn_entsize == 0
+       && ! read_portion (&dyn_data, &dyn_data_size, dyn_vaddr, dyn_filesz))
+     {
++      /* dyn_data_size will be zero if we got everything from the initial
++         buffer, otherwise it will be the size of the new buffer that
++         could be read.  */
++      if (dyn_data_size != 0)
++	dyn_filesz = dyn_data_size;
++
+       void *dyns = malloc (dyn_filesz);
+       Elf32_Dyn (*d32)[dyn_filesz / sizeof (Elf32_Dyn)] = dyns;
+       Elf64_Dyn (*d64)[dyn_filesz / sizeof (Elf64_Dyn)] = dyns;
+Index: elfutils-0.175/libdwfl/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libdwfl/ChangeLog
++++ elfutils-0.175/libdwfl/ChangeLog
+@@ -1,3 +1,8 @@
++2019-01-20  Mark Wielaard  <mark@klomp.org>
++
++       * dwfl_segment_report_module.c (dwfl_segment_report_module): Check
++       dyn_filesz vs dyn_data_size after read_portion call.
++
+ 2018-10-20  Mark Wielaard  <mark@klomp.org>
+ 
+ 	* libdwflP.h (__libdw_open_elf): New internal function declaration.
-- 
2.7.4

[thud][PATCH 3/9] gnutls: no need to inherit binconfig

[Armin Kuster]

From: Ross Burton <ross.burton@intel.com>

This recipe doesn't ship a *-config binary, so don't inherit binconfig.

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-support/gnutls/gnutls_3.6.4.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-support/gnutls/gnutls_3.6.4.bb b/meta/recipes-support/gnutls/gnutls_3.6.4.bb
index 6d2a11d..d79a39d 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.4.bb
@@ -24,7 +24,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
 SRC_URI[md5sum] = "63363d1c00601f4d11a5cadc8b5e0799"
 SRC_URI[sha256sum] = "c663a792fbc84349c27c36059181f2ca86c9442e75ee8b0ad72f5f9b35deab3a"
 
-inherit autotools texinfo binconfig pkgconfig gettext lib_package gtk-doc
+inherit autotools texinfo pkgconfig gettext lib_package gtk-doc
 
 PACKAGECONFIG ??= "libidn"
 
-- 
2.7.4

[thud][PATCH 4/9] gnutls: update to 3.6.5

[Armin Kuster]

Bug fix only release

Full details:
https://lists.gnupg.org/pipermail/gnutls-help/2018-December/004465.html

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-support/gnutls/{gnutls_3.6.4.bb => gnutls_3.6.5.bb} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-support/gnutls/{gnutls_3.6.4.bb => gnutls_3.6.5.bb} (93%)

diff --git a/meta/recipes-support/gnutls/gnutls_3.6.4.bb b/meta/recipes-support/gnutls/gnutls_3.6.5.bb
similarity index 93%
rename from meta/recipes-support/gnutls/gnutls_3.6.4.bb
rename to meta/recipes-support/gnutls/gnutls_3.6.5.bb
index d79a39d..dfc3507 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.5.bb
@@ -21,8 +21,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
            file://arm_eabi.patch \
 "
 
-SRC_URI[md5sum] = "63363d1c00601f4d11a5cadc8b5e0799"
-SRC_URI[sha256sum] = "c663a792fbc84349c27c36059181f2ca86c9442e75ee8b0ad72f5f9b35deab3a"
+SRC_URI[md5sum] = "3474849e1bbd4d16403b82ab2579000b"
+SRC_URI[sha256sum] = "073eced3acef49a3883e69ffd5f0f0b5f46e2760ad86eddc6c0866df4e7abb35"
 
 inherit autotools texinfo pkgconfig gettext lib_package gtk-doc
 
-- 
2.7.4

[thud][PATCH 5/9] gnutls: upgrade 3.6.5 -> 3.6.7

[Armin Kuster]

From: Adrian Bunk <bunk@stusta.de>

Source: Openembedded.org
MR: 97367, 97377
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-support/gnutls?h=warrior&id=93993fe8ffd31e3e94946023b2cd8927ae595fc3
ChangeID: e47c21374c83d7bbb8ec48a7c4fe14040457ea45
Description:

This is a new upstream release from the same stable branch
bringing new features and bugfixes (including CVE fixes).

COPYING changed http -> https.

configure no longer has a --without-libunistring-prefix option.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[includes: CVE-2019-3836 CVE-2019-3829]
Signed-off-by: Armin Kuster <akuster808@gmail.com>

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-support/gnutls/{gnutls_3.6.5.bb => gnutls_3.6.7.bb} | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
 rename meta/recipes-support/gnutls/{gnutls_3.6.5.bb => gnutls_3.6.7.bb} (88%)

diff --git a/meta/recipes-support/gnutls/gnutls_3.6.5.bb b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
similarity index 88%
rename from meta/recipes-support/gnutls/gnutls_3.6.5.bb
rename to meta/recipes-support/gnutls/gnutls_3.6.7.bb
index dfc3507..e05dc2b 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.5.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
@@ -9,7 +9,7 @@ LICENSE_${PN}-bin = "GPLv3+"
 LICENSE_${PN}-openssl = "GPLv3+"
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=71391c8e0c1cfe68077e7fce3b586283 \
-                    file://doc/COPYING;md5=d32239bcb673463ab874e80d47fae504 \
+                    file://doc/COPYING;md5=c678957b0c8e964aa6c70fd77641a71e \
                     file://doc/COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343"
 
 DEPENDS = "nettle gmp virtual/libiconv libunistring"
@@ -21,8 +21,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
            file://arm_eabi.patch \
 "
 
-SRC_URI[md5sum] = "3474849e1bbd4d16403b82ab2579000b"
-SRC_URI[sha256sum] = "073eced3acef49a3883e69ffd5f0f0b5f46e2760ad86eddc6c0866df4e7abb35"
+SRC_URI[md5sum] = "c4ac669c500df939d4fbfea722367929"
+SRC_URI[sha256sum] = "5b3409ad5aaf239808730d1ee12fdcd148c0be00262c7edf157af655a8a188e2"
 
 inherit autotools texinfo pkgconfig gettext lib_package gtk-doc
 
@@ -44,7 +44,6 @@ EXTRA_OECONF = " \
     --enable-local-libopts \
     --enable-openssl-compatibility \
     --with-libpthread-prefix=${STAGING_DIR_HOST}${prefix} \
-    --without-libunistring-prefix \
 "
 
 LDFLAGS_append_libc-musl = " -largp"
-- 
2.7.4

[thud][PATCH 6/9] nettle: update to 3.4.1

[Armin Kuster]

Source: Openembedded.org
MR: 98314, 98315
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-support/nettle?h=warrior&id=8ac8fa8ee10c59a081d368a5429e0eced8dd5d3c
ChangeID: 657aa277fb284b66e8d349cbc3424f10208652c3
Description:

Bug fix only release

Include:

  CVE-2018-16868 gnutls: Bleichenbacher-like side channel leakage in
  PKCS#1 1.5 verification and padding oracle verification

  CVE-2018-16869 nettle: Leaky data conversion exposing a manager oracle

For full details see:
http://lists.lysator.liu.se/pipermail/nettle-bugs/2018/007369.html

[V2]
Add -std=c99 to cflags

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../Add-target-to-only-build-tests-not-run-them.patch                | 0
 .../check-header-files-of-openssl-only-if-enable_.patch              | 0
 .../nettle/{nettle-3.4 => nettle-3.4.1}/dlopen-test.patch            | 0
 meta/recipes-support/nettle/{nettle-3.4 => nettle-3.4.1}/run-ptest   | 0
 meta/recipes-support/nettle/{nettle_3.4.bb => nettle_3.4.1.bb}       | 5 +++--
 5 files changed, 3 insertions(+), 2 deletions(-)
 rename meta/recipes-support/nettle/{nettle-3.4 => nettle-3.4.1}/Add-target-to-only-build-tests-not-run-them.patch (100%)
 rename meta/recipes-support/nettle/{nettle-3.4 => nettle-3.4.1}/check-header-files-of-openssl-only-if-enable_.patch (100%)
 rename meta/recipes-support/nettle/{nettle-3.4 => nettle-3.4.1}/dlopen-test.patch (100%)
 rename meta/recipes-support/nettle/{nettle-3.4 => nettle-3.4.1}/run-ptest (100%)
 rename meta/recipes-support/nettle/{nettle_3.4.bb => nettle_3.4.1.bb} (90%)

diff --git a/meta/recipes-support/nettle/nettle-3.4/Add-target-to-only-build-tests-not-run-them.patch b/meta/recipes-support/nettle/nettle-3.4.1/Add-target-to-only-build-tests-not-run-them.patch
similarity index 100%
rename from meta/recipes-support/nettle/nettle-3.4/Add-target-to-only-build-tests-not-run-them.patch
rename to meta/recipes-support/nettle/nettle-3.4.1/Add-target-to-only-build-tests-not-run-them.patch
diff --git a/meta/recipes-support/nettle/nettle-3.4/check-header-files-of-openssl-only-if-enable_.patch b/meta/recipes-support/nettle/nettle-3.4.1/check-header-files-of-openssl-only-if-enable_.patch
similarity index 100%
rename from meta/recipes-support/nettle/nettle-3.4/check-header-files-of-openssl-only-if-enable_.patch
rename to meta/recipes-support/nettle/nettle-3.4.1/check-header-files-of-openssl-only-if-enable_.patch
diff --git a/meta/recipes-support/nettle/nettle-3.4/dlopen-test.patch b/meta/recipes-support/nettle/nettle-3.4.1/dlopen-test.patch
similarity index 100%
rename from meta/recipes-support/nettle/nettle-3.4/dlopen-test.patch
rename to meta/recipes-support/nettle/nettle-3.4.1/dlopen-test.patch
diff --git a/meta/recipes-support/nettle/nettle-3.4/run-ptest b/meta/recipes-support/nettle/nettle-3.4.1/run-ptest
similarity index 100%
rename from meta/recipes-support/nettle/nettle-3.4/run-ptest
rename to meta/recipes-support/nettle/nettle-3.4.1/run-ptest
diff --git a/meta/recipes-support/nettle/nettle_3.4.bb b/meta/recipes-support/nettle/nettle_3.4.1.bb
similarity index 90%
rename from meta/recipes-support/nettle/nettle_3.4.bb
rename to meta/recipes-support/nettle/nettle_3.4.1.bb
index ca8450e..dd49c30 100644
--- a/meta/recipes-support/nettle/nettle_3.4.bb
+++ b/meta/recipes-support/nettle/nettle_3.4.1.bb
@@ -20,8 +20,8 @@ SRC_URI_append_class-target = "\
             file://dlopen-test.patch \
             "
 
-SRC_URI[md5sum] = "dc0f13028264992f58e67b4e8915f53d"
-SRC_URI[sha256sum] = "ae7a42df026550b85daca8389b6a60ba6313b0567f374392e54918588a411e94"
+SRC_URI[md5sum] = "9bdebb0e2f638d3b9d91f7fc264b70c1"
+SRC_URI[sha256sum] = "f941cf1535cd5d1819be5ccae5babef01f6db611f9b5a777bae9c7604b8a92ad"
 
 UPSTREAM_CHECK_REGEX = "nettle-(?P<pver>\d+(\.\d+)+)\.tar"
 
@@ -30,6 +30,7 @@ inherit autotools ptest multilib_header
 EXTRA_AUTORECONF += "--exclude=aclocal"
 
 EXTRA_OECONF = "--disable-openssl"
+CFLAGS_append = " -std=c99"
 
 do_compile_ptest() {
         oe_runmake buildtest
-- 
2.7.4

[thud][PATCH 7/9] nettle: fix ptest failure

[Armin Kuster]

From: Mingli Yu <Mingli.Yu@windriver.com>

Remove dlopen-test.patch which originally used
to fix the test dlopen-test, but autually the
patch didn't resolve the issue as dlopen-test.patch
supposes the file /usr/lib/libnettle.so exists.
Instead deploy ${D}${PTEST_PATH}/libnettle.so to
fix the dlopen-test failure.

Update the initialization for the salt to fix
below Segmentation fault and also nettle-pbkdf2-test
failure.
 # echo -n passwd| nettle-pbkdf2 -i 1 -l 16 salt
 [65534.886509] nettle-pbkdf2[708]: segfault at 1f594260 ip 00007f3332256998 sp 00007fff60d44410 error 4 in libnettle.so.6.5[7f3332244000+1d00]
 [65534.887525] Code: e8 6d db fe ff 44 01 6d 68 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 00 49 89 dc e9 68 ff f
 Segmentation fault

Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 ...kdf2.c-change-the-initialization-for-salt.patch | 39 ++++++++++++++++++++++
 .../nettle/nettle-3.4.1/dlopen-test.patch          | 20 -----------
 meta/recipes-support/nettle/nettle_3.4.1.bb        |  9 ++---
 3 files changed, 44 insertions(+), 24 deletions(-)
 create mode 100644 meta/recipes-support/nettle/nettle-3.4.1/0001-nettle-pbkdf2.c-change-the-initialization-for-salt.patch
 delete mode 100644 meta/recipes-support/nettle/nettle-3.4.1/dlopen-test.patch

diff --git a/meta/recipes-support/nettle/nettle-3.4.1/0001-nettle-pbkdf2.c-change-the-initialization-for-salt.patch b/meta/recipes-support/nettle/nettle-3.4.1/0001-nettle-pbkdf2.c-change-the-initialization-for-salt.patch
new file mode 100644
index 0000000..713823e
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.4.1/0001-nettle-pbkdf2.c-change-the-initialization-for-salt.patch
@@ -0,0 +1,39 @@
+From 7510ee2877368464ecce7de515ce056e08c75245 Mon Sep 17 00:00:00 2001
+From: Mingli Yu <Mingli.Yu@windriver.com>
+Date: Fri, 12 Apr 2019 10:30:14 +0800
+Subject: [PATCH] nettle-pbkdf2.c: change the initialization for salt
+
+use malloc and strncpy altogether to replace
+strdup for salt initialization to fix below
+Segmentation fault:
+ # echo -n passwd| nettle-pbkdf2 -i 1 -l 16 salt
+ [65534.886509] nettle-pbkdf2[708]: segfault at 1f594260 ip 00007f3332256998 sp 00007fff60d44410 error 4 in libnettle.so.6.5[7f3332244000+1d00]
+ [65534.887525] Code: e8 6d db fe ff 44 01 6d 68 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 00 49 89 dc e9 68 ff f
+ Segmentation fault
+
+Upstream-Status: Submitted[http://lists.lysator.liu.se/pipermail/nettle-bugs/2019/007467.html]
+
+Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+---
+ tools/nettle-pbkdf2.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/nettle-pbkdf2.c b/tools/nettle-pbkdf2.c
+index 1f0a301..000acd3 100644
+--- a/tools/nettle-pbkdf2.c
++++ b/tools/nettle-pbkdf2.c
+@@ -141,7 +141,10 @@ main (int argc, char **argv)
+       return EXIT_FAILURE;
+     }
+ 
+-  salt = strdup (argv[0]);
++  salt = malloc (strlen(argv[0]) + 1);
++  if (! salt)
++     die ("Failed to allocate memory for salt\n");
++  strncpy(salt, argv[0], sizeof(salt) - 1);
+   salt_length = strlen(argv[0]);
+   
+   if (hex_salt)
+-- 
+2.7.4
+
diff --git a/meta/recipes-support/nettle/nettle-3.4.1/dlopen-test.patch b/meta/recipes-support/nettle/nettle-3.4.1/dlopen-test.patch
deleted file mode 100644
index c4f0b7e..0000000
--- a/meta/recipes-support/nettle/nettle-3.4.1/dlopen-test.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Replace relative path of libnettle.so with absolute path so the test
-program can find it.
-Relative paths are not suitable, as the folder strucure for ptest
-is different from the one expected by the nettle testsuite.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
-
---- a/testsuite/dlopen-test.c	2016-10-01 00:28:38.000000000 -0700
-+++ b/testsuite/dlopen-test.c	2017-10-13 11:08:57.227572860 -0700
-@@ -9,7 +9,7 @@
- main (int argc UNUSED, char **argv UNUSED)
- {
- #if HAVE_LIBDL
--  void *handle = dlopen ("../libnettle.so", RTLD_NOW);
-+  void *handle = dlopen ("/usr/lib/libnettle.so", RTLD_NOW);
-   int (*get_version)(void);
-   if (!handle)
-     {
diff --git a/meta/recipes-support/nettle/nettle_3.4.1.bb b/meta/recipes-support/nettle/nettle_3.4.1.bb
index dd49c30..612e058 100644
--- a/meta/recipes-support/nettle/nettle_3.4.1.bb
+++ b/meta/recipes-support/nettle/nettle_3.4.1.bb
@@ -14,12 +14,9 @@ SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \
            file://Add-target-to-only-build-tests-not-run-them.patch \
            file://run-ptest \
            file://check-header-files-of-openssl-only-if-enable_.patch \
+           file://0001-nettle-pbkdf2.c-change-the-initialization-for-salt.patch \
            "
 
-SRC_URI_append_class-target = "\
-            file://dlopen-test.patch \
-            "
-
 SRC_URI[md5sum] = "9bdebb0e2f638d3b9d91f7fc264b70c1"
 SRC_URI[sha256sum] = "f941cf1535cd5d1819be5ccae5babef01f6db611f9b5a777bae9c7604b8a92ad"
 
@@ -47,6 +44,10 @@ do_install_ptest() {
         # tools can be found in PATH, not in ../tools/
         sed -i -e 's|../tools/||' ${D}${PTEST_PATH}/testsuite/*-test
         install ${B}/testsuite/*-test ${D}${PTEST_PATH}/testsuite/
+        # libnettle.so is needed for dlopen-test
+        if [ -f ${D}${libdir}/libnettle.so.6.* ]; then
+            cp ${D}${libdir}/libnettle.so.6.* ${D}${PTEST_PATH}/libnettle.so
+        fi
 }
 
 BBCLASSEXTEND = "native nativesdk"
-- 
2.7.4

[thud][PATCH 8/9] Revert "nettle: fix ptest failure"

[Armin Kuster]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

This reverts commit 83faaf7b2a5f4fc4ae504b300134409e90389770.

This should never have merged as the change was rejected upstream and adding a library
to the ptest package resulted in it providing that SONAME which led to being
included in images like core-image-sato.

This in turn led to a ton of ptest failures in the 2.7 r1 QA report.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 ...kdf2.c-change-the-initialization-for-salt.patch | 39 ----------------------
 .../nettle/nettle-3.4.1/dlopen-test.patch          | 20 +++++++++++
 meta/recipes-support/nettle/nettle_3.4.1.bb        |  9 +++--
 3 files changed, 24 insertions(+), 44 deletions(-)
 delete mode 100644 meta/recipes-support/nettle/nettle-3.4.1/0001-nettle-pbkdf2.c-change-the-initialization-for-salt.patch
 create mode 100644 meta/recipes-support/nettle/nettle-3.4.1/dlopen-test.patch

diff --git a/meta/recipes-support/nettle/nettle-3.4.1/0001-nettle-pbkdf2.c-change-the-initialization-for-salt.patch b/meta/recipes-support/nettle/nettle-3.4.1/0001-nettle-pbkdf2.c-change-the-initialization-for-salt.patch
deleted file mode 100644
index 713823e..0000000
--- a/meta/recipes-support/nettle/nettle-3.4.1/0001-nettle-pbkdf2.c-change-the-initialization-for-salt.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 7510ee2877368464ecce7de515ce056e08c75245 Mon Sep 17 00:00:00 2001
-From: Mingli Yu <Mingli.Yu@windriver.com>
-Date: Fri, 12 Apr 2019 10:30:14 +0800
-Subject: [PATCH] nettle-pbkdf2.c: change the initialization for salt
-
-use malloc and strncpy altogether to replace
-strdup for salt initialization to fix below
-Segmentation fault:
- # echo -n passwd| nettle-pbkdf2 -i 1 -l 16 salt
- [65534.886509] nettle-pbkdf2[708]: segfault at 1f594260 ip 00007f3332256998 sp 00007fff60d44410 error 4 in libnettle.so.6.5[7f3332244000+1d00]
- [65534.887525] Code: e8 6d db fe ff 44 01 6d 68 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 00 49 89 dc e9 68 ff f
- Segmentation fault
-
-Upstream-Status: Submitted[http://lists.lysator.liu.se/pipermail/nettle-bugs/2019/007467.html]
-
-Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
----
- tools/nettle-pbkdf2.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/tools/nettle-pbkdf2.c b/tools/nettle-pbkdf2.c
-index 1f0a301..000acd3 100644
---- a/tools/nettle-pbkdf2.c
-+++ b/tools/nettle-pbkdf2.c
-@@ -141,7 +141,10 @@ main (int argc, char **argv)
-       return EXIT_FAILURE;
-     }
- 
--  salt = strdup (argv[0]);
-+  salt = malloc (strlen(argv[0]) + 1);
-+  if (! salt)
-+     die ("Failed to allocate memory for salt\n");
-+  strncpy(salt, argv[0], sizeof(salt) - 1);
-   salt_length = strlen(argv[0]);
-   
-   if (hex_salt)
--- 
-2.7.4
-
diff --git a/meta/recipes-support/nettle/nettle-3.4.1/dlopen-test.patch b/meta/recipes-support/nettle/nettle-3.4.1/dlopen-test.patch
new file mode 100644
index 0000000..c4f0b7e
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.4.1/dlopen-test.patch
@@ -0,0 +1,20 @@
+Replace relative path of libnettle.so with absolute path so the test
+program can find it.
+Relative paths are not suitable, as the folder strucure for ptest
+is different from the one expected by the nettle testsuite.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
+
+--- a/testsuite/dlopen-test.c	2016-10-01 00:28:38.000000000 -0700
++++ b/testsuite/dlopen-test.c	2017-10-13 11:08:57.227572860 -0700
+@@ -9,7 +9,7 @@
+ main (int argc UNUSED, char **argv UNUSED)
+ {
+ #if HAVE_LIBDL
+-  void *handle = dlopen ("../libnettle.so", RTLD_NOW);
++  void *handle = dlopen ("/usr/lib/libnettle.so", RTLD_NOW);
+   int (*get_version)(void);
+   if (!handle)
+     {
diff --git a/meta/recipes-support/nettle/nettle_3.4.1.bb b/meta/recipes-support/nettle/nettle_3.4.1.bb
index 612e058..dd49c30 100644
--- a/meta/recipes-support/nettle/nettle_3.4.1.bb
+++ b/meta/recipes-support/nettle/nettle_3.4.1.bb
@@ -14,9 +14,12 @@ SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \
            file://Add-target-to-only-build-tests-not-run-them.patch \
            file://run-ptest \
            file://check-header-files-of-openssl-only-if-enable_.patch \
-           file://0001-nettle-pbkdf2.c-change-the-initialization-for-salt.patch \
            "
 
+SRC_URI_append_class-target = "\
+            file://dlopen-test.patch \
+            "
+
 SRC_URI[md5sum] = "9bdebb0e2f638d3b9d91f7fc264b70c1"
 SRC_URI[sha256sum] = "f941cf1535cd5d1819be5ccae5babef01f6db611f9b5a777bae9c7604b8a92ad"
 
@@ -44,10 +47,6 @@ do_install_ptest() {
         # tools can be found in PATH, not in ../tools/
         sed -i -e 's|../tools/||' ${D}${PTEST_PATH}/testsuite/*-test
         install ${B}/testsuite/*-test ${D}${PTEST_PATH}/testsuite/
-        # libnettle.so is needed for dlopen-test
-        if [ -f ${D}${libdir}/libnettle.so.6.* ]; then
-            cp ${D}${libdir}/libnettle.so.6.* ${D}${PTEST_PATH}/libnettle.so
-        fi
 }
 
 BBCLASSEXTEND = "native nativesdk"
-- 
2.7.4

[thud][PATCH 9/9] nettle: fix the Segmentation fault

[Armin Kuster]

From: Mingli Yu <Mingli.Yu@windriver.com>

The commit[8ac8fa8ee1 nettle: update to 3.4.1]
add CFLAGS_append = " -std=c99" to silence the
below error for native build:
| ../nettle-3.4.1/rsa-sign-tr.c: In function 'sec_equal':
| ../nettle-3.4.1/rsa-sign-tr.c:243:3: error: 'for' loop initial declarations are only allowed in C99 mode
   for (size_t i = 0; i < limbs; i++)
   ^
| ../nettle-3.4.1/rsa-sign-tr.c:243:3: note: use option -std=c99 or -std=gnu99 to compile your code
| Makefile:263: recipe for target 'rsa-sign-tr.o' failed

But the above change will trigger below Segmentation
fault:
 # echo -n passwd| nettle-pbkdf2 -i 1 -l 16 salt
 [65534.886509] nettle-pbkdf2[708]: segfault at 1f594260 ip 00007f3332256998 sp 00007fff60d44410 error 4 in libnettle.so.6.5[7f3332244000+1d00]
 [65534.887525] Code: e8 6d db fe ff 44 01 6d 68 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 00 49 89 dc e9 68 ff f
 Segmentation fault

So update the logic to CFLAGS_append = " -std=gnu99"
to fix the issue.

(From OE-Core rev: 91359a91b8c89dc5e1f3a946137204156c47a3af)

Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-support/nettle/nettle_3.4.1.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-support/nettle/nettle_3.4.1.bb b/meta/recipes-support/nettle/nettle_3.4.1.bb
index dd49c30..8375fcf 100644
--- a/meta/recipes-support/nettle/nettle_3.4.1.bb
+++ b/meta/recipes-support/nettle/nettle_3.4.1.bb
@@ -30,7 +30,7 @@ inherit autotools ptest multilib_header
 EXTRA_AUTORECONF += "--exclude=aclocal"
 
 EXTRA_OECONF = "--disable-openssl"
-CFLAGS_append = " -std=c99"
+CFLAGS_append = " -std=gnu99"
 
 do_compile_ptest() {
         oe_runmake buildtest
-- 
2.7.4

Re: [thud][PATCH 4/9] gnutls: update to 3.6.5

[Adrian Bunk]

On Wed, May 29, 2019 at 06:50:33AM -0700, Armin Kuster wrote:
> Bug fix only release

It is not.

> Full details:
> https://lists.gnupg.org/pipermail/gnutls-help/2018-December/004465.html
>...

...
** libgnutls: Added support for TLS 1.3 zero round-trip (0-RTT) mode (#127)
...
** libgnutls: Added support for EdDSA under PKCS#11 (#417)

** libgnutls: Added support for AES-CFB8 cipher (#357)

** libgnutls: Added support for AES-CMAC MAC (#351)
...
** libgnutls: Added support for GOST key unmasking and unwrapped GOST private
   keys parsing, as specified in R 50.1.112-2016.
...

These and other changes might or might not be acceptable for a stable 
branch, but it mustn't be treated as "Bug fix only".

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Re: [thud][PATCH 3/9] gnutls: no need to inherit binconfig

[Adrian Bunk]

On Wed, May 29, 2019 at 06:50:32AM -0700, Armin Kuster wrote:
> From: Ross Burton <ross.burton@intel.com>
> 
> This recipe doesn't ship a *-config binary, so don't inherit binconfig.
> 
> Signed-off-by: Ross Burton <ross.burton@intel.com>
> Signed-off-by: Armin Kuster <akuster@mvista.com>
> ---
>  meta/recipes-support/gnutls/gnutls_3.6.4.bb | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/meta/recipes-support/gnutls/gnutls_3.6.4.bb b/meta/recipes-support/gnutls/gnutls_3.6.4.bb
> index 6d2a11d..d79a39d 100644
> --- a/meta/recipes-support/gnutls/gnutls_3.6.4.bb
> +++ b/meta/recipes-support/gnutls/gnutls_3.6.4.bb
> @@ -24,7 +24,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
>  SRC_URI[md5sum] = "63363d1c00601f4d11a5cadc8b5e0799"
>  SRC_URI[sha256sum] = "c663a792fbc84349c27c36059181f2ca86c9442e75ee8b0ad72f5f9b35deab3a"
>  
> -inherit autotools texinfo binconfig pkgconfig gettext lib_package gtk-doc
> +inherit autotools texinfo pkgconfig gettext lib_package gtk-doc
>...

This doesn't look appropriate for a stable branch.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Re: [thud][PATCH 0/9] Fixes for Thud

[Adrian Bunk]

On Wed, May 29, 2019 at 06:50:29AM -0700, Armin Kuster wrote:
>..
> Mingli Yu (2):
>   nettle: fix ptest failure
>...
> Richard Purdie (1):
>   Revert "nettle: fix ptest failure"
>...

These should be dropped for obvious reasons.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Re: [thud][PATCH 0/9] Fixes for Thud

[akuster808]

On 5/29/19 7:11 AM, Adrian Bunk wrote:
> On Wed, May 29, 2019 at 06:50:29AM -0700, Armin Kuster wrote:
>> ..
>> Mingli Yu (2):
>>   nettle: fix ptest failure
>> ...
>> Richard Purdie (1):
>>   Revert "nettle: fix ptest failure"
>> ...
> These should be dropped for obvious reasons.

its not obvious to me.  This helps in the QA process.  I am open to
ptest fixes and other QA backports for the Stable Branches.


OE has been benefiting from the donated QA resources from Intel and Wind
River in the Yocto Project.  If I can lessing their burden on the Stable
branches, I will do that.  Richard have been spending time keeping the
Stable branches QA frameworks in sync for this reason including the
AutoBuilder. Without this, we don't have Stable branches.


- armin
>
> cu
> Adrian
>

Re: [thud][PATCH 0/9] Fixes for Thud

[Adrian Bunk]

On Sat, Jun 01, 2019 at 08:45:38AM -0700, akuster808 wrote:
> 
> 
> On 5/29/19 7:11 AM, Adrian Bunk wrote:
> > On Wed, May 29, 2019 at 06:50:29AM -0700, Armin Kuster wrote:
> >> ..
> >> Mingli Yu (2):
> >>   nettle: fix ptest failure
> >> ...
> >> Richard Purdie (1):
> >>   Revert "nettle: fix ptest failure"
> >> ...
> > These should be dropped for obvious reasons.
> 
> its not obvious to me.  This helps in the QA process.  I am open to
> ptest fixes and other QA backports for the Stable Branches.
>...

One commit is a direct revert of the other commit.

> - armin

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed