[PATCH][zeus 00/18] zeus patch review

[PATCH][zeus 00/18] zeus patch review

[Anuj Mittal]

Next set of changes for zeus. Please review.

Thanks,

Anuj

The following changes since commit bd3e0d724004a346921a25defa6d812d48d6108a:

  openssl: update to 1.1.1f (2020-04-20 19:26:57 -0700)

are available in the Git repository at:

  git://push.openembedded.org/openembedded-core-contrib anujm/zeus

Adrian Bunk (1):
  python: Upgrade 2.7.17 -> 2.17.18

Alex Kiernan (1):
  gnutls: upgrade 3.6.8 -> 3.6.11.1

Alexander Kanavin (1):
  gnutls: upgrade 3.6.11.1 -> 3.6.12

Changqing Li (1):
  qemu: fix CVE-2020-7039

Chee Yang Lee (1):
  qemu/slirp: fix CVE-2020-7211

Jan Luebbe (2):
  apt-native: don't let dpkg overwrite files by default
  openssl: upgrade 1.1.1f -> 1.1.1g

Jeremy Puhlman (1):
  python3-native: Should not search the system for headers/libraries.

Khem Raj (1):
  qemu: Replace stime() API with clock_settime

Lee Chee Yang (1):
  cve-update-db-native: clean DB if temporary file exist

Li Zhou (2):
  git: Security Advisory - git - CVE-2020-5260
  git: Security Advisory - git - CVE-2020-11008

Martin Jansa (1):
  prservice.py: fix do_package with newer Python in Ubuntu 20.04

Wang Mingyu (2):
  gnupg: upgrade 2.2.17 -> 2.2.19
  gnutls: upgrade 3.6.12 -> 3.6.13

Zhixiong Chi (1):
  glibc: CVE-2020-1751

haiqing (1):
  qemu: Add PACKAGECONFIG for glusterfs

wenlin.kang@windriver.com (1):
  systemd: Fix CVE-2020-1712

 meta/lib/oe/prservice.py                      |   4 +
 .../{openssl_1.1.1f.bb => openssl_1.1.1g.bb}  |   2 +-
 .../glibc/glibc/CVE-2020-1751.patch           |  70 +++
 meta/recipes-core/glibc/glibc_2.30.bb         |   1 +
 .../recipes-core/meta/cve-update-db-native.bb |   9 +-
 .../0001-Merge-branch-polkit-ref-count.patch  | 520 ++++++++++++++++++
 meta/recipes-core/systemd/systemd_243.2.bb    |   1 +
 meta/recipes-devtools/apt/files/apt.conf      |   2 +-
 meta/recipes-devtools/git/git.inc             |  16 +-
 ...ial-use-test_i18ncmp-to-check-stderr.patch |  35 ++
 ...t-unrepresentable-values-when-parsin.patch | 156 ++++++
 ...tmodules-URLs-with-embedded-newlines.patch | 103 ++++
 .../git/git/CVE-2020-11008-1.patch            |  70 +++
 .../git/git/CVE-2020-11008-2.patch            | 292 ++++++++++
 .../git/git/CVE-2020-11008-3.patch            |  97 ++++
 .../git/git/CVE-2020-11008-4.patch            | 173 ++++++
 .../git/git/CVE-2020-11008-5.patch            | 211 +++++++
 .../git/git/CVE-2020-11008-6.patch            |  84 +++
 .../git/git/CVE-2020-11008-7.patch            | 206 +++++++
 .../git/git/CVE-2020-11008-8.patch            | 114 ++++
 .../git/git/CVE-2020-11008-9.patch            | 114 ++++
 .../git/git/CVE-2020-5260.patch               |  65 +++
 ...tive_2.7.17.bb => python-native_2.7.18.bb} |   0
 meta/recipes-devtools/python/python.inc       |   6 +-
 ...-search-system-for-headers-libraries.patch |  29 +
 meta/recipes-devtools/python/python3_3.7.7.bb |   1 +
 .../{python_2.7.17.bb => python_2.7.18.bb}    |   0
 meta/recipes-devtools/qemu/qemu.inc           |   6 +
 ...linux-user-remove-host-stime-syscall.patch |  61 ++
 .../qemu/qemu/CVE-2020-7039-1.patch           |  44 ++
 .../qemu/qemu/CVE-2020-7039-2.patch           |  59 ++
 .../qemu/qemu/CVE-2020-7039-3.patch           |  64 +++
 .../qemu/qemu/CVE-2020-7211.patch             |  46 ++
 .../{gnupg_2.2.17.bb => gnupg_2.2.19.bb}      |   4 +-
 .../gnutls/gnutls/posix-shell.patch           |  39 --
 .../{gnutls_3.6.8.bb => gnutls_3.6.13.bb}     |   5 +-
 36 files changed, 2658 insertions(+), 51 deletions(-)
 rename meta/recipes-connectivity/openssl/{openssl_1.1.1f.bb => openssl_1.1.1g.bb} (98%)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2020-1751.patch
 create mode 100644 meta/recipes-core/systemd/systemd/0001-Merge-branch-polkit-ref-count.patch
 create mode 100644 meta/recipes-devtools/git/git/0001-t-lib-credential-use-test_i18ncmp-to-check-stderr.patch
 create mode 100644 meta/recipes-devtools/git/git/0002-credential-detect-unrepresentable-values-when-parsin.patch
 create mode 100644 meta/recipes-devtools/git/git/0003-fsck-detect-gitmodules-URLs-with-embedded-newlines.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2020-11008-1.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2020-11008-2.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2020-11008-3.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2020-11008-4.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2020-11008-5.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2020-11008-6.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2020-11008-7.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2020-11008-8.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2020-11008-9.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2020-5260.patch
 rename meta/recipes-devtools/python/{python-native_2.7.17.bb => python-native_2.7.18.bb} (100%)
 create mode 100644 meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch
 rename meta/recipes-devtools/python/{python_2.7.17.bb => python_2.7.18.bb} (100%)
 create mode 100644 meta/recipes-devtools/qemu/qemu/0011-linux-user-remove-host-stime-syscall.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch
 rename meta/recipes-support/gnupg/{gnupg_2.2.17.bb => gnupg_2.2.19.bb} (93%)
 delete mode 100644 meta/recipes-support/gnutls/gnutls/posix-shell.patch
 rename meta/recipes-support/gnutls/{gnutls_3.6.8.bb => gnutls_3.6.13.bb} (92%)

-- 
2.25.4

[PATCH][zeus 01/18] python3-native: Should not search the system for headers/libraries.

[Anuj Mittal]

From: Jeremy Puhlman <jpuhlman@mvista.com>

The specific issue here is rpc/rpc.h, but its likely more general.
/usr/include is searched for rpc/rpc.h and if it exists on the
system, it changes behavior. If you are using the extended buildtools
tarball on a machine that has /usr/include/rpc/rpc.h, it will decide
that is good enough and not continue to search. nis fails to build
because /usr/include and /usr/lib are not part of the include/link
paths for the buildtools tarball compiler(nor should they be).

This makes it so python3-native will not build if you are using the
extended buildtools tarball, but from a larger issue perspective it
is building in likely different ways depending on what machine it
is building on.

libtirpc is already a depend so we shouldn't need the hosts rpc/rcp.h.

(From OE-Core rev: f37dfc7907ae7bac08d40468ddde2e5b8bba030c)

Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 400743867de587579dee85388c30190f353f80c8)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 ...-search-system-for-headers-libraries.patch | 29 +++++++++++++++++++
 meta/recipes-devtools/python/python3_3.7.7.bb |  1 +
 2 files changed, 30 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch

diff --git a/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch b/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch
new file mode 100644
index 0000000000..acf8e1e9b5
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch
@@ -0,0 +1,29 @@
+From 85e8f86ad2b7dec0848cd55b8e810a5e2722b20a Mon Sep 17 00:00:00 2001
+From: Jeremy Puhlman <jpuhlman@mvista.com>
+Date: Wed, 4 Mar 2020 00:06:42 +0000
+Subject: [PATCH] Don't search system for headers/libraries
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
+---
+ setup.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/setup.py b/setup.py
+index 9da1b3a..59782c0 100644
+--- a/setup.py
++++ b/setup.py
+@@ -674,8 +674,8 @@ class PyBuildExt(build_ext):
+             add_dir_to_list(self.compiler.include_dirs,
+                             sysconfig.get_config_var("INCLUDEDIR"))
+ 
+-        system_lib_dirs = ['/lib64', '/usr/lib64', '/lib', '/usr/lib']
+-        system_include_dirs = ['/usr/include']
++        system_lib_dirs = []
++        system_include_dirs = []
+         # lib_dirs and inc_dirs are used to search for files;
+         # if a file is found in one of those directories, it can
+         # be assumed that no additional -I,-L directives are needed.
+-- 
+2.24.1
+
diff --git a/meta/recipes-devtools/python/python3_3.7.7.bb b/meta/recipes-devtools/python/python3_3.7.7.bb
index 823eb2f8fd..0a78cdab44 100644
--- a/meta/recipes-devtools/python/python3_3.7.7.bb
+++ b/meta/recipes-devtools/python/python3_3.7.7.bb
@@ -33,6 +33,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
 SRC_URI_append_class-native = " \
            file://0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch \
            file://12-distutils-prefix-is-inside-staging-area.patch \
+           file://0001-Don-t-search-system-for-headers-libraries.patch \
            "
 SRC_URI_append_class-nativesdk = " \
            file://0001-main.c-if-OEPYTHON3HOME-is-set-use-instead-of-PYTHON.patch \
-- 
2.25.4

[PATCH][zeus 02/18] qemu: Replace stime() API with clock_settime

[Anuj Mittal]

From: Khem Raj <raj.khem@gmail.com>

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  1 +
 ...linux-user-remove-host-stime-syscall.patch | 61 +++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/0011-linux-user-remove-host-stime-syscall.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index f451017f6d..ad4ff52892 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -27,6 +27,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
            file://0009-Fix-webkitgtk-builds.patch \
            file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \
+           file://0011-linux-user-remove-host-stime-syscall.patch \
            file://CVE-2019-15890.patch \
            file://CVE-2019-12068.patch \
            file://CVE-2020-1711.patch \
diff --git a/meta/recipes-devtools/qemu/qemu/0011-linux-user-remove-host-stime-syscall.patch b/meta/recipes-devtools/qemu/qemu/0011-linux-user-remove-host-stime-syscall.patch
new file mode 100644
index 0000000000..659e6be45d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0011-linux-user-remove-host-stime-syscall.patch
@@ -0,0 +1,61 @@
+From 0f1f2d4596aee037d3ccbcf10592466daa54107f Mon Sep 17 00:00:00 2001
+From: Laurent Vivier <laurent@vivier.eu>
+Date: Tue, 12 Nov 2019 15:25:56 +0100
+Subject: [PATCH] linux-user: remove host stime() syscall
+
+stime() has been withdrawn from glibc
+(12cbde1dae6f "Use clock_settime to implement stime; withdraw stime.")
+
+Implement the target stime() syscall using host
+clock_settime(CLOCK_REALTIME, ...) as it is done internally in glibc.
+
+Tested qemu-ppc/x86_64 with:
+
+	#include <time.h>
+	#include <stdio.h>
+
+	int main(void)
+	{
+		time_t t;
+		int ret;
+
+		/* date -u -d"2019-11-12T15:11:00" "+%s" */
+		t = 1573571460;
+		ret = stime(&t);
+		printf("ret %d\n", ret);
+		return 0;
+	}
+
+        # date; ./stime; date
+        Tue Nov 12 14:18:32 UTC 2019
+        ret 0
+        Tue Nov 12 15:11:00 UTC 2019
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=0f1f2d4596aee037d3ccbcf10592466daa54107f]
+Buglink: https://bugs.launchpad.net/qemu/+bug/1852115
+Reported-by: Cole Robinson <crobinso@redhat.com>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-Id: <20191112142556.6335-1-laurent@vivier.eu>
+---
+ linux-user/syscall.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
+@@ -7651,10 +7651,12 @@ static abi_long do_syscall1(void *cpu_en
+ #ifdef TARGET_NR_stime /* not on alpha */
+     case TARGET_NR_stime:
+         {
+-            time_t host_time;
+-            if (get_user_sal(host_time, arg1))
++            struct timespec ts;
++            ts.tv_nsec = 0;
++            if (get_user_sal(ts.tv_sec, arg1)) {
+                 return -TARGET_EFAULT;
+-            return get_errno(stime(&host_time));
++            }
++            return get_errno(clock_settime(CLOCK_REALTIME, &ts));
+         }
+ #endif
+ #ifdef TARGET_NR_alarm /* not on alpha */
-- 
2.25.4

[PATCH][zeus 03/18] prservice.py: fix do_package with newer Python in Ubuntu 20.04

[Anuj Mittal]

From: Martin Jansa <Martin.Jansa@gmail.com>

* with Ubuntu 20.04 which is using python 3.8 I'm seeing a lot of errors like:
  ERROR: libxml2-2.9.10-r0 do_package: Can NOT get PRAUTO, exception No module named '_sysconfigdata'
  not sure what caused this from python 3.8, but this seems to work
* PRserv is enabled with:
  PRSERV_HOST = "localhost:0"

(From OE-Core rev: 4b26eaf7152fb712aba47a0c746333578f58ee8d)

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c23d6f77994698e71d9a011cddec1237158b15ca)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/lib/oe/prservice.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/lib/oe/prservice.py b/meta/lib/oe/prservice.py
index b1132ccb11..3a5ef8d921 100644
--- a/meta/lib/oe/prservice.py
+++ b/meta/lib/oe/prservice.py
@@ -3,6 +3,10 @@
 #
 
 def prserv_make_conn(d, check = False):
+    # Otherwise this fails when called from recipes which e.g. inherit python3native (which sets _PYTHON_SYSCONFIGDATA_NAME) with:
+    # No module named '_sysconfigdata'
+    if '_PYTHON_SYSCONFIGDATA_NAME' in os.environ:
+        del os.environ['_PYTHON_SYSCONFIGDATA_NAME']
     import prserv.serv
     host_params = list([_f for _f in (d.getVar("PRSERV_HOST") or '').split(':') if _f])
     try:
-- 
2.25.4

[PATCH][zeus 04/18] apt-native: don't let dpkg overwrite files by default

[Anuj Mittal]

From: Jan Luebbe <jlu@pengutronix.de>

With --force-overwrite (implied by --force-all), dpkg will not abort
when a package overwrites files from different packages. As this can
also lead to "The following package disappeared from your system as
all files have been overwritten by other packages: <package>" and
subsequently broken dependencies, this makes the simple case of
conflicting files hard to debug.

Instead of finding all possibly required force options, only disable
overwrite for now.

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/apt/files/apt.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/apt/files/apt.conf b/meta/recipes-devtools/apt/files/apt.conf
index 03351356bc..c95a5b07af 100644
--- a/meta/recipes-devtools/apt/files/apt.conf
+++ b/meta/recipes-devtools/apt/files/apt.conf
@@ -39,4 +39,4 @@ APT
   };
 };
 
-DPkg::Options {"--root=#ROOTFS#";"--admindir=#ROOTFS#/var/lib/dpkg";"--force-all";"--no-debsig"};
+DPkg::Options {"--root=#ROOTFS#";"--admindir=#ROOTFS#/var/lib/dpkg";"--force-all";"--no-force-overwrite";"--no-debsig"};
-- 
2.25.4

[PATCH][zeus 05/18] glibc: CVE-2020-1751

[Anuj Mittal]

From: Zhixiong Chi <zhixiong.chi@windriver.com>

Backport the CVE patch from upstream:
git://sourceware.org/git/glibc.git
commit d93769405996dfc11d216ddbe415946617b5a494

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../glibc/glibc/CVE-2020-1751.patch           | 70 +++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.30.bb         |  1 +
 2 files changed, 71 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2020-1751.patch

diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-1751.patch b/meta/recipes-core/glibc/glibc/CVE-2020-1751.patch
new file mode 100644
index 0000000000..0ed92d50e9
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-1751.patch
@@ -0,0 +1,70 @@
+From d93769405996dfc11d216ddbe415946617b5a494 Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Mon, 20 Jan 2020 17:01:50 +0100
+Subject: [PATCH] Fix array overflow in backtrace on PowerPC (bug 25423)
+
+When unwinding through a signal frame the backtrace function on PowerPC
+didn't check array bounds when storing the frame address.  Fixes commit
+d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines").
+
+CVE: CVE-2020-1751
+Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ debug/tst-backtrace5.c                | 12 ++++++++++++
+ sysdeps/powerpc/powerpc32/backtrace.c |  2 ++
+ sysdeps/powerpc/powerpc64/backtrace.c |  2 ++
+ 3 files changed, 16 insertions(+)
+
+diff --git a/debug/tst-backtrace5.c b/debug/tst-backtrace5.c
+index e7ce410845..b2f46160e7 100644
+--- a/debug/tst-backtrace5.c
++++ b/debug/tst-backtrace5.c
+@@ -89,6 +89,18 @@ handle_signal (int signum)
+       }
+   /* Symbol names are not available for static functions, so we do not
+      check do_test.  */
++
++  /* Check that backtrace does not return more than what fits in the array
++     (bug 25423).  */
++  for (int j = 0; j < NUM_FUNCTIONS; j++)
++    {
++      n = backtrace (addresses, j);
++      if (n > j)
++	{
++	  FAIL ();
++	  return;
++	}
++    }
+ }
+ 
+ NO_INLINE int
+diff --git a/sysdeps/powerpc/powerpc32/backtrace.c b/sysdeps/powerpc/powerpc32/backtrace.c
+index 7c2d4726f8..d1456c8ae4 100644
+--- a/sysdeps/powerpc/powerpc32/backtrace.c
++++ b/sysdeps/powerpc/powerpc32/backtrace.c
+@@ -114,6 +114,8 @@ __backtrace (void **array, int size)
+         }
+       if (gregset)
+ 	{
++	  if (count + 1 == size)
++	    break;
+ 	  array[++count] = (void*)((*gregset)[PT_NIP]);
+ 	  current = (void*)((*gregset)[PT_R1]);
+ 	}
+diff --git a/sysdeps/powerpc/powerpc64/backtrace.c b/sysdeps/powerpc/powerpc64/backtrace.c
+index 65c260ab76..8a53a1088f 100644
+--- a/sysdeps/powerpc/powerpc64/backtrace.c
++++ b/sysdeps/powerpc/powerpc64/backtrace.c
+@@ -87,6 +87,8 @@ __backtrace (void **array, int size)
+       if (is_sigtramp_address (current->return_address))
+         {
+ 	  struct signal_frame_64 *sigframe = (struct signal_frame_64*) current;
++	  if (count + 1 == size)
++	    break;
+           array[++count] = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_NIP];
+ 	  current = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_R1];
+ 	}
+-- 
+2.23.0
+
diff --git a/meta/recipes-core/glibc/glibc_2.30.bb b/meta/recipes-core/glibc/glibc_2.30.bb
index c9e44a396d..84a6538ea1 100644
--- a/meta/recipes-core/glibc/glibc_2.30.bb
+++ b/meta/recipes-core/glibc/glibc_2.30.bb
@@ -43,6 +43,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0028-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
            file://CVE-2019-19126.patch \
            file://CVE-2020-10029.patch \
+           file://CVE-2020-1751.patch \
            "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
-- 
2.25.4

[PATCH][zeus 06/18] git: Security Advisory - git - CVE-2020-5260

[Anuj Mittal]

From: Li Zhou <li.zhou@windriver.com>

Backport patch from <https://github.com/git/git/commit/
9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b> to solve CVE-2020-5260.

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/git/git.inc             |  4 +-
 .../git/git/CVE-2020-5260.patch               | 65 +++++++++++++++++++
 2 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/git/git/CVE-2020-5260.patch

diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc
index 6e137432f0..176423e972 100644
--- a/meta/recipes-devtools/git/git.inc
+++ b/meta/recipes-devtools/git/git.inc
@@ -7,7 +7,9 @@ DEPENDS = "openssl curl zlib expat"
 PROVIDES_append_class-native = " git-replacement-native"
 
 SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
-           ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages"
+           ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \
+           file://CVE-2020-5260.patch \
+          "
 
 S = "${WORKDIR}/git-${PV}"
 
diff --git a/meta/recipes-devtools/git/git/CVE-2020-5260.patch b/meta/recipes-devtools/git/git/CVE-2020-5260.patch
new file mode 100644
index 0000000000..d03e701a8f
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-5260.patch
@@ -0,0 +1,65 @@
+From 9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Wed, 11 Mar 2020 17:53:41 -0400
+Subject: [PATCH] credential: avoid writing values with newlines
+
+The credential protocol that we use to speak to helpers can't represent
+values with newlines in them. This was an intentional design choice to
+keep the protocol simple, since none of the values we pass should
+generally have newlines.
+
+However, if we _do_ encounter a newline in a value, we blindly transmit
+it in credential_write(). Such values may break the protocol syntax, or
+worse, inject new valid lines into the protocol stream.
+
+The most likely way for a newline to end up in a credential struct is by
+decoding a URL with a percent-encoded newline. However, since the bug
+occurs at the moment we write the value to the protocol, we'll catch it
+there. That should leave no possibility of accidentally missing a code
+path that can trigger the problem.
+
+At this level of the code we have little choice but to die(). However,
+since we'd not ever expect to see this case outside of a malicious URL,
+that's an acceptable outcome.
+
+Reported-by: Felix Wilhelm <fwilhelm@google.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-5260
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ credential.c           | 2 ++
+ t/t0300-credentials.sh | 6 ++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/credential.c b/credential.c
+index 9747f47..00ee4d6 100644
+--- a/credential.c
++++ b/credential.c
+@@ -194,6 +194,8 @@ static void credential_write_item(FILE *fp, const char *key, const char *value)
+ {
+ 	if (!value)
+ 		return;
++	if (strchr(value, '\n'))
++		die("credential value for %s contains newline", key);
+ 	fprintf(fp, "%s=%s\n", key, value);
+ }
+ 
+diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
+index 03bd31e..15cc3c5 100755
+--- a/t/t0300-credentials.sh
++++ b/t/t0300-credentials.sh
+@@ -309,4 +309,10 @@ test_expect_success 'empty helper spec resets helper list' '
+ 	EOF
+ '
+ 
++test_expect_success 'url parser rejects embedded newlines' '
++	test_must_fail git credential fill <<-\EOF
++	url=https://one.example.com?%0ahost=two.example.com/
++	EOF
++'
++
+ test_done
+-- 
+1.9.1
+
-- 
2.25.4

[PATCH][zeus 07/18] git: Security Advisory - git - CVE-2020-11008

[Anuj Mittal]

From: Li Zhou <li.zhou@windriver.com>

Backport the 1st -- 9th patches listed by
<https://github.com/git/git/compare/v2.17.4...v2.17.5>
to solve CVE-2020-11008.

Also backport the 2nd -- 4th patches listed by
<https://github.com/git/git/compare/v2.17.3...v2.17.4>
for CVE-2020-5260 (not necessary, and only the 1st patch is necessary
for this CVE), because some of the above 9 patches are based on them.

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/git/git.inc             |  12 +
 ...ial-use-test_i18ncmp-to-check-stderr.patch |  35 +++
 ...t-unrepresentable-values-when-parsin.patch | 156 ++++++++++
 ...tmodules-URLs-with-embedded-newlines.patch | 103 ++++++
 .../git/git/CVE-2020-11008-1.patch            |  70 +++++
 .../git/git/CVE-2020-11008-2.patch            | 292 ++++++++++++++++++
 .../git/git/CVE-2020-11008-3.patch            |  97 ++++++
 .../git/git/CVE-2020-11008-4.patch            | 173 +++++++++++
 .../git/git/CVE-2020-11008-5.patch            | 211 +++++++++++++
 .../git/git/CVE-2020-11008-6.patch            |  84 +++++
 .../git/git/CVE-2020-11008-7.patch            | 206 ++++++++++++
 .../git/git/CVE-2020-11008-8.patch            | 114 +++++++
 .../git/git/CVE-2020-11008-9.patch            | 114 +++++++
 13 files changed, 1667 insertions(+)
 create mode 100644 meta/recipes-devtools/git/git/0001-t-lib-credential-use-test_i18ncmp-to-check-stderr.patch
 create mode 100644 meta/recipes-devtools/git/git/0002-credential-detect-unrepresentable-values-when-parsin.patch
 create mode 100644 meta/recipes-devtools/git/git/0003-fsck-detect-gitmodules-URLs-with-embedded-newlines.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2020-11008-1.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2020-11008-2.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2020-11008-3.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2020-11008-4.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2020-11008-5.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2020-11008-6.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2020-11008-7.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2020-11008-8.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2020-11008-9.patch

diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc
index 176423e972..a0ce1626a1 100644
--- a/meta/recipes-devtools/git/git.inc
+++ b/meta/recipes-devtools/git/git.inc
@@ -9,6 +9,18 @@ PROVIDES_append_class-native = " git-replacement-native"
 SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
            ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \
            file://CVE-2020-5260.patch \
+           file://0001-t-lib-credential-use-test_i18ncmp-to-check-stderr.patch \
+           file://0002-credential-detect-unrepresentable-values-when-parsin.patch \
+           file://0003-fsck-detect-gitmodules-URLs-with-embedded-newlines.patch \
+           file://CVE-2020-11008-1.patch \
+           file://CVE-2020-11008-2.patch \
+           file://CVE-2020-11008-3.patch \
+           file://CVE-2020-11008-4.patch \
+           file://CVE-2020-11008-5.patch \
+           file://CVE-2020-11008-6.patch \
+           file://CVE-2020-11008-7.patch \
+           file://CVE-2020-11008-8.patch \
+           file://CVE-2020-11008-9.patch \
           "
 
 S = "${WORKDIR}/git-${PV}"
diff --git a/meta/recipes-devtools/git/git/0001-t-lib-credential-use-test_i18ncmp-to-check-stderr.patch b/meta/recipes-devtools/git/git/0001-t-lib-credential-use-test_i18ncmp-to-check-stderr.patch
new file mode 100644
index 0000000000..6eb3c16aef
--- /dev/null
+++ b/meta/recipes-devtools/git/git/0001-t-lib-credential-use-test_i18ncmp-to-check-stderr.patch
@@ -0,0 +1,35 @@
+From 70ef9c6ce884b2d466d3d36563f1d2aa31b56443 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Wed, 11 Mar 2020 18:11:37 -0400
+Subject: [PATCH 01/12] t/lib-credential: use test_i18ncmp to check stderr
+
+The credential tests have a "check" function which feeds some input to
+git-credential and checks the stdout and stderr. We look for exact
+matches in the output. For stdout, this makes sense; the output is
+the credential protocol. But for stderr, we may be showing various
+diagnostic messages, or the prompts fed to the askpass program, which
+could be translated. Let's mark them as such.
+
+Upstream-Status: Backport
+
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ t/lib-credential.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/t/lib-credential.sh b/t/lib-credential.sh
+index 937b831..bb88cc0 100755
+--- a/t/lib-credential.sh
++++ b/t/lib-credential.sh
+@@ -19,7 +19,7 @@ check() {
+ 		false
+ 	fi &&
+ 	test_cmp expect-stdout stdout &&
+-	test_cmp expect-stderr stderr
++	test_i18ncmp expect-stderr stderr
+ }
+ 
+ read_chunk() {
+-- 
+1.9.1
+
diff --git a/meta/recipes-devtools/git/git/0002-credential-detect-unrepresentable-values-when-parsin.patch b/meta/recipes-devtools/git/git/0002-credential-detect-unrepresentable-values-when-parsin.patch
new file mode 100644
index 0000000000..a9b7348ef7
--- /dev/null
+++ b/meta/recipes-devtools/git/git/0002-credential-detect-unrepresentable-values-when-parsin.patch
@@ -0,0 +1,156 @@
+From 43803880b954a020dbffa5250a5b7fd893442c7c Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Thu, 12 Mar 2020 01:31:11 -0400
+Subject: [PATCH 02/12] credential: detect unrepresentable values when parsing
+ urls
+
+The credential protocol can't represent newlines in values, but URLs can
+embed percent-encoded newlines in various components. A previous commit
+taught the low-level writing routines to die() when encountering this,
+but we can be a little friendlier to the user by detecting them earlier
+and handling them gracefully.
+
+This patch teaches credential_from_url() to notice such components,
+issue a warning, and blank the credential (which will generally result
+in prompting the user for a username and password). We blank the whole
+credential in this case. Another option would be to blank only the
+invalid component. However, we're probably better off not feeding a
+partially-parsed URL result to a credential helper. We don't know how a
+given helper would handle it, so we're better off to err on the side of
+matching nothing rather than something unexpected.
+
+The die() call in credential_write() is _probably_ impossible to reach
+after this patch. Values should end up in credential structs only by URL
+parsing (which is covered here), or by reading credential protocol input
+(which by definition cannot read a newline into a value). But we should
+definitely keep the low-level check, as it's our final and most accurate
+line of defense against protocol injection attacks. Arguably it could
+become a BUG(), but it probably doesn't matter much either way.
+
+Note that the public interface of credential_from_url() grows a little
+more than we need here. We'll use the extra flexibility in a future
+patch to help fsck catch these cases.
+
+Upstream-Status: Backport
+
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ credential.c           | 36 ++++++++++++++++++++++++++++++++++--
+ credential.h           | 16 ++++++++++++++++
+ t/t0300-credentials.sh | 12 ++++++++++--
+ 3 files changed, 60 insertions(+), 4 deletions(-)
+
+diff --git a/credential.c b/credential.c
+index a79aff0..2482382 100644
+--- a/credential.c
++++ b/credential.c
+@@ -324,7 +324,22 @@ void credential_reject(struct credential *c)
+ 	c->approved = 0;
+ }
+ 
+-void credential_from_url(struct credential *c, const char *url)
++static int check_url_component(const char *url, int quiet,
++			       const char *name, const char *value)
++{
++	if (!value)
++		return 0;
++	if (!strchr(value, '\n'))
++		return 0;
++
++	if (!quiet)
++		warning(_("url contains a newline in its %s component: %s"),
++			name, url);
++	return -1;
++}
++
++int credential_from_url_gently(struct credential *c, const char *url,
++			       int quiet)
+ {
+ 	const char *at, *colon, *cp, *slash, *host, *proto_end;
+ 
+@@ -338,7 +353,7 @@ void credential_from_url(struct credential *c, const char *url)
+ 	 */
+ 	proto_end = strstr(url, "://");
+ 	if (!proto_end)
+-		return;
++		return 0;
+ 	cp = proto_end + 3;
+ 	at = strchr(cp, '@');
+ 	colon = strchr(cp, ':');
+@@ -373,4 +388,21 @@ void credential_from_url(struct credential *c, const char *url)
+ 		while (p > c->path && *p == '/')
+ 			*p-- = '\0';
+ 	}
++
++	if (check_url_component(url, quiet, "username", c->username) < 0 ||
++	    check_url_component(url, quiet, "password", c->password) < 0 ||
++	    check_url_component(url, quiet, "protocol", c->protocol) < 0 ||
++	    check_url_component(url, quiet, "host", c->host) < 0 ||
++	    check_url_component(url, quiet, "path", c->path) < 0)
++		return -1;
++
++	return 0;
++}
++
++void credential_from_url(struct credential *c, const char *url)
++{
++	if (credential_from_url_gently(c, url, 0) < 0) {
++		warning(_("skipping credential lookup for url: %s"), url);
++		credential_clear(c);
++	}
+ }
+diff --git a/credential.h b/credential.h
+index 6b0cd16..122a23c 100644
+--- a/credential.h
++++ b/credential.h
+@@ -28,7 +28,23 @@ struct credential {
+ 
+ int credential_read(struct credential *, FILE *);
+ void credential_write(const struct credential *, FILE *);
++
++/*
++ * Parse a url into a credential struct, replacing any existing contents.
++ *
++ * Ifthe url can't be parsed (e.g., a missing "proto://" component), the
++ * resulting credential will be empty but we'll still return success from the
++ * "gently" form.
++ *
++ * If we encounter a component which cannot be represented as a credential
++ * value (e.g., because it contains a newline), the "gently" form will return
++ * an error but leave the broken state in the credential object for further
++ * examination.  The non-gentle form will issue a warning to stderr and return
++ * an empty credential.
++ */
+ void credential_from_url(struct credential *, const char *url);
++int credential_from_url_gently(struct credential *, const char *url, int quiet);
++
+ int credential_match(const struct credential *have,
+ 		     const struct credential *want);
+ 
+diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
+index 26f3c3a..b9c0f1f 100755
+--- a/t/t0300-credentials.sh
++++ b/t/t0300-credentials.sh
+@@ -308,9 +308,17 @@ test_expect_success 'empty helper spec resets helper list' '
+ 	EOF
+ '
+ 
+-test_expect_success 'url parser rejects embedded newlines' '
+-	test_must_fail git credential fill <<-\EOF
++test_expect_success 'url parser ignores embedded newlines' '
++	check fill <<-EOF
+ 	url=https://one.example.com?%0ahost=two.example.com/
++	--
++	username=askpass-username
++	password=askpass-password
++	--
++	warning: url contains a newline in its host component: https://one.example.com?%0ahost=two.example.com/
++	warning: skipping credential lookup for url: https://one.example.com?%0ahost=two.example.com/
++	askpass: Username:
++	askpass: Password:
+ 	EOF
+ '
+ 
+-- 
+1.9.1
+
diff --git a/meta/recipes-devtools/git/git/0003-fsck-detect-gitmodules-URLs-with-embedded-newlines.patch b/meta/recipes-devtools/git/git/0003-fsck-detect-gitmodules-URLs-with-embedded-newlines.patch
new file mode 100644
index 0000000000..23931e6313
--- /dev/null
+++ b/meta/recipes-devtools/git/git/0003-fsck-detect-gitmodules-URLs-with-embedded-newlines.patch
@@ -0,0 +1,103 @@
+From 1c9f8cedd34302575db40016231bdf502f17901e Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Mon, 27 Apr 2020 13:49:39 +0800
+Subject: [PATCH 03/12] fsck: detect gitmodules URLs with embedded newlines
+
+The credential protocol can't handle values with newlines. We already
+detect and block any such URLs from being used with credential helpers,
+but let's also add an fsck check to detect and block gitmodules files
+with such URLs. That will let us notice the problem earlier when
+transfer.fsckObjects is turned on. And in particular it will prevent bad
+objects from spreading, which may protect downstream users running older
+versions of Git.
+
+We'll file this under the existing gitmodulesUrl flag, which covers URLs
+with option injection. There's really no need to distinguish the exact
+flaw in the URL in this context. Likewise, I've expanded the description
+of t7416 to cover all types of bogus URLs.
+
+Upstream-Status: Backport
+
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ fsck.c                        | 16 +++++++++++++++-
+ t/t7416-submodule-dash-url.sh | 18 +++++++++++++++++-
+ 2 files changed, 32 insertions(+), 2 deletions(-)
+
+diff --git a/fsck.c b/fsck.c
+index ef8b343..ea46eea 100644
+--- a/fsck.c
++++ b/fsck.c
+@@ -15,6 +15,7 @@
+ #include "packfile.h"
+ #include "submodule-config.h"
+ #include "config.h"
++#include "credential.h"
+ #include "help.h"
+ 
+ static struct oidset gitmodules_found = OIDSET_INIT;
+@@ -947,6 +948,19 @@ static int fsck_tag(struct tag *tag, const char *data,
+ 	return fsck_tag_buffer(tag, data, size, options);
+ }
+ 
++static int check_submodule_url(const char *url)
++{
++	struct credential c = CREDENTIAL_INIT;
++	int ret;
++
++	if (looks_like_command_line_option(url))
++		return -1;
++
++	ret = credential_from_url_gently(&c, url, 1);
++	credential_clear(&c);
++	return ret;
++}
++
+ struct fsck_gitmodules_data {
+ 	struct object *obj;
+ 	struct fsck_options *options;
+@@ -971,7 +985,7 @@ static int fsck_gitmodules_fn(const char *var, const char *value, void *vdata)
+ 				    "disallowed submodule name: %s",
+ 				    name);
+ 	if (!strcmp(key, "url") && value &&
+-	    looks_like_command_line_option(value))
++	    check_submodule_url(value) < 0)
+ 		data->ret |= report(data->options, data->obj,
+ 				    FSCK_MSG_GITMODULES_URL,
+ 				    "disallowed submodule url: %s",
+diff --git a/t/t7416-submodule-dash-url.sh b/t/t7416-submodule-dash-url.sh
+index 5ba041f..41431b1 100755
+--- a/t/t7416-submodule-dash-url.sh
++++ b/t/t7416-submodule-dash-url.sh
+@@ -1,6 +1,6 @@
+ #!/bin/sh
+ 
+-test_description='check handling of .gitmodule url with dash'
++test_description='check handling of disallowed .gitmodule urls'
+ . ./test-lib.sh
+ 
+ test_expect_success 'create submodule with protected dash in url' '
+@@ -60,4 +60,20 @@ test_expect_success 'trailing backslash is handled correctly' '
+ 	test_i18ngrep ! "unknown option" err
+ '
+ 
++test_expect_success 'fsck rejects embedded newline in url' '
++	# create an orphan branch to avoid existing .gitmodules objects
++	git checkout --orphan newline &&
++	cat >.gitmodules <<-\EOF &&
++	[submodule "foo"]
++	url = "https://one.example.com?%0ahost=two.example.com/foo.git"
++	EOF
++	git add .gitmodules &&
++	git commit -m "gitmodules with newline" &&
++	test_when_finished "rm -rf dst" &&
++	git init --bare dst &&
++	git -C dst config transfer.fsckObjects true &&
++	test_must_fail git push dst HEAD 2>err &&
++	grep gitmodulesUrl err
++'
++
+ test_done
+-- 
+1.9.1
+
diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-1.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-1.patch
new file mode 100644
index 0000000000..9cf98ea7b4
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-11008-1.patch
@@ -0,0 +1,70 @@
+From 863f8067d8b4012904ca3bb881c659ac9894df97 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Mon, 27 Apr 2020 14:36:03 +0800
+Subject: [PATCH 04/12] t0300: make "quit" helper more realistic
+
+We test a toy credential helper that writes "quit=1" and confirms that
+we stop running other helpers. However, that helper is unrealistic in
+that it does not bother to read its stdin at all.
+
+For now we don't send any input to it, because we feed git-credential a
+blank credential. But that will change in the next patch, which will
+cause this test to racily fail, as git-credential will get SIGPIPE
+writing to the helper rather than exiting because it was asked to.
+
+Let's make this one-off helper more like our other sample helpers, and
+have it source the "dump" script. That will read stdin, fixing the
+SIGPIPE problem. But it will also write what it sees to stderr. We can
+make the test more robust by checking that output, which confirms that
+we do run the quit helper, don't run any other helpers, and exit for the
+reason we expected.
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-11008 (1)
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ t/t0300-credentials.sh | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
+index b9c0f1f..0206b3b 100755
+--- a/t/t0300-credentials.sh
++++ b/t/t0300-credentials.sh
+@@ -22,6 +22,11 @@ test_expect_success 'setup helper scripts' '
+ 	exit 0
+ 	EOF
+ 
++	write_script git-credential-quit <<-\EOF &&
++	. ./dump
++	echo quit=1
++	EOF
++
+ 	write_script git-credential-verbatim <<-\EOF &&
+ 	user=$1; shift
+ 	pass=$1; shift
+@@ -291,10 +296,16 @@ test_expect_success 'http paths can be part of context' '
+ 
+ test_expect_success 'helpers can abort the process' '
+ 	test_must_fail git \
+-		-c credential.helper="!f() { echo quit=1; }; f" \
++		-c credential.helper=quit \
+ 		-c credential.helper="verbatim foo bar" \
+-		credential fill >stdout &&
+-	test_must_be_empty stdout
++		credential fill >stdout 2>stderr &&
++	>expect &&
++	test_cmp expect stdout &&
++	cat >expect <<-\EOF &&
++	quit: get
++	fatal: credential helper '\''quit'\'' told us to quit
++	EOF
++	test_i18ncmp expect stderr
+ '
+ 
+ test_expect_success 'empty helper spec resets helper list' '
+-- 
+1.9.1
+
diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-2.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-2.patch
new file mode 100644
index 0000000000..c752e3d431
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-11008-2.patch
@@ -0,0 +1,292 @@
+From 5588659069214aa0f7fea75a69687078e2f7a817 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Sat, 18 Apr 2020 20:47:30 -0700
+Subject: [PATCH 05/12] t0300: use more realistic inputs
+
+Many of the tests in t0300 give partial inputs to git-credential,
+omitting a protocol or hostname. We're checking only high-level things
+like whether and how helpers are invoked at all, and we don't care about
+specific hosts. However, in preparation for tightening up the rules
+about when we're willing to run a helper, let's start using input that's
+a bit more realistic: pretend as if http://example.com is being
+examined.
+
+This shouldn't change the point of any of the tests, but do note we have
+to adjust the expected output to accommodate this (filling a credential
+will repeat back the protocol/host fields to stdout, and the helper
+debug messages and askpass prompt will change on stderr).
+
+Signed-off-by: Jeff King <peff@peff.net>
+Reviewed-by: Taylor Blau <me@ttaylorr.com>
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-11008 (2)
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ t/t0300-credentials.sh | 89 +++++++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 85 insertions(+), 4 deletions(-)
+
+diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
+index 0206b3b..f4c5d7f 100755
+--- a/t/t0300-credentials.sh
++++ b/t/t0300-credentials.sh
+@@ -40,43 +40,71 @@ test_expect_success 'setup helper scripts' '
+ 
+ test_expect_success 'credential_fill invokes helper' '
+ 	check fill "verbatim foo bar" <<-\EOF
++	protocol=http
++	host=example.com
+ 	--
++	protocol=http
++	host=example.com
+ 	username=foo
+ 	password=bar
+ 	--
+ 	verbatim: get
++	verbatim: protocol=http
++	verbatim: host=example.com
+ 	EOF
+ '
+ 
+ test_expect_success 'credential_fill invokes multiple helpers' '
+ 	check fill useless "verbatim foo bar" <<-\EOF
++	protocol=http
++	host=example.com
+ 	--
++	protocol=http
++	host=example.com
+ 	username=foo
+ 	password=bar
+ 	--
+ 	useless: get
++	useless: protocol=http
++	useless: host=example.com
+ 	verbatim: get
++	verbatim: protocol=http
++	verbatim: host=example.com
+ 	EOF
+ '
+ 
+ test_expect_success 'credential_fill stops when we get a full response' '
+ 	check fill "verbatim one two" "verbatim three four" <<-\EOF
++	protocol=http
++	host=example.com
+ 	--
++	protocol=http
++	host=example.com
+ 	username=one
+ 	password=two
+ 	--
+ 	verbatim: get
++	verbatim: protocol=http
++	verbatim: host=example.com
+ 	EOF
+ '
+ 
+ test_expect_success 'credential_fill continues through partial response' '
+ 	check fill "verbatim one \"\"" "verbatim two three" <<-\EOF
++	protocol=http
++	host=example.com
+ 	--
++	protocol=http
++	host=example.com
+ 	username=two
+ 	password=three
+ 	--
+ 	verbatim: get
++	verbatim: protocol=http
++	verbatim: host=example.com
+ 	verbatim: get
++	verbatim: protocol=http
++	verbatim: host=example.com
+ 	verbatim: username=one
+ 	EOF
+ '
+@@ -102,14 +130,20 @@ test_expect_success 'credential_fill passes along metadata' '
+ 
+ test_expect_success 'credential_approve calls all helpers' '
+ 	check approve useless "verbatim one two" <<-\EOF
++	protocol=http
++	host=example.com
+ 	username=foo
+ 	password=bar
+ 	--
+ 	--
+ 	useless: store
++	useless: protocol=http
++	useless: host=example.com
+ 	useless: username=foo
+ 	useless: password=bar
+ 	verbatim: store
++	verbatim: protocol=http
++	verbatim: host=example.com
+ 	verbatim: username=foo
+ 	verbatim: password=bar
+ 	EOF
+@@ -117,6 +151,8 @@ test_expect_success 'credential_approve calls all helpers' '
+ 
+ test_expect_success 'do not bother storing password-less credential' '
+ 	check approve useless <<-\EOF
++	protocol=http
++	host=example.com
+ 	username=foo
+ 	--
+ 	--
+@@ -126,14 +162,20 @@ test_expect_success 'do not bother storing password-less credential' '
+ 
+ test_expect_success 'credential_reject calls all helpers' '
+ 	check reject useless "verbatim one two" <<-\EOF
++	protocol=http
++	host=example.com
+ 	username=foo
+ 	password=bar
+ 	--
+ 	--
+ 	useless: erase
++	useless: protocol=http
++	useless: host=example.com
+ 	useless: username=foo
+ 	useless: password=bar
+ 	verbatim: erase
++	verbatim: protocol=http
++	verbatim: host=example.com
+ 	verbatim: username=foo
+ 	verbatim: password=bar
+ 	EOF
+@@ -141,33 +183,49 @@ test_expect_success 'credential_reject calls all helpers' '
+ 
+ test_expect_success 'usernames can be preserved' '
+ 	check fill "verbatim \"\" three" <<-\EOF
++	protocol=http
++	host=example.com
+ 	username=one
+ 	--
++	protocol=http
++	host=example.com
+ 	username=one
+ 	password=three
+ 	--
+ 	verbatim: get
++	verbatim: protocol=http
++	verbatim: host=example.com
+ 	verbatim: username=one
+ 	EOF
+ '
+ 
+ test_expect_success 'usernames can be overridden' '
+ 	check fill "verbatim two three" <<-\EOF
++	protocol=http
++	host=example.com
+ 	username=one
+ 	--
++	protocol=http
++	host=example.com
+ 	username=two
+ 	password=three
+ 	--
+ 	verbatim: get
++	verbatim: protocol=http
++	verbatim: host=example.com
+ 	verbatim: username=one
+ 	EOF
+ '
+ 
+ test_expect_success 'do not bother completing already-full credential' '
+ 	check fill "verbatim three four" <<-\EOF
++	protocol=http
++	host=example.com
+ 	username=one
+ 	password=two
+ 	--
++	protocol=http
++	host=example.com
+ 	username=one
+ 	password=two
+ 	--
+@@ -179,23 +237,31 @@ test_expect_success 'do not bother completing already-full credential' '
+ # askpass helper is run, we know the internal getpass is working.
+ test_expect_success 'empty helper list falls back to internal getpass' '
+ 	check fill <<-\EOF
++	protocol=http
++	host=example.com
+ 	--
++	protocol=http
++	host=example.com
+ 	username=askpass-username
+ 	password=askpass-password
+ 	--
+-	askpass: Username:
+-	askpass: Password:
++	askpass: Username for '\''http://example.com'\'':
++	askpass: Password for '\''http://askpass-username@example.com'\'':
+ 	EOF
+ '
+ 
+ test_expect_success 'internal getpass does not ask for known username' '
+ 	check fill <<-\EOF
++	protocol=http
++	host=example.com
+ 	username=foo
+ 	--
++	protocol=http
++	host=example.com
+ 	username=foo
+ 	password=askpass-password
+ 	--
+-	askpass: Password:
++	askpass: Password for '\''http://foo@example.com'\'':
+ 	EOF
+ '
+ 
+@@ -207,7 +273,11 @@ HELPER="!f() {
+ test_expect_success 'respect configured credentials' '
+ 	test_config credential.helper "$HELPER" &&
+ 	check fill <<-\EOF
++	protocol=http
++	host=example.com
+ 	--
++	protocol=http
++	host=example.com
+ 	username=foo
+ 	password=bar
+ 	--
+@@ -298,11 +368,16 @@ test_expect_success 'helpers can abort the process' '
+ 	test_must_fail git \
+ 		-c credential.helper=quit \
+ 		-c credential.helper="verbatim foo bar" \
+-		credential fill >stdout 2>stderr &&
++		credential fill >stdout 2>stderr <<-\EOF &&
++	protocol=http
++	host=example.com
++	EOF
+ 	>expect &&
+ 	test_cmp expect stdout &&
+ 	cat >expect <<-\EOF &&
+ 	quit: get
++	quit: protocol=http
++	quit: host=example.com
+ 	fatal: credential helper '\''quit'\'' told us to quit
+ 	EOF
+ 	test_i18ncmp expect stderr
+@@ -311,11 +386,17 @@ test_expect_success 'helpers can abort the process' '
+ test_expect_success 'empty helper spec resets helper list' '
+ 	test_config credential.helper "verbatim file file" &&
+ 	check fill "" "verbatim cmdline cmdline" <<-\EOF
++	protocol=http
++	host=example.com
+ 	--
++	protocol=http
++	host=example.com
+ 	username=cmdline
+ 	password=cmdline
+ 	--
+ 	verbatim: get
++	verbatim: protocol=http
++	verbatim: host=example.com
+ 	EOF
+ '
+ 
+-- 
+1.9.1
+
diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-3.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-3.patch
new file mode 100644
index 0000000000..c17e883d6c
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-11008-3.patch
@@ -0,0 +1,97 @@
+From 22f28251ae575dd7a60f7a46853469025d004ca7 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Sat, 18 Apr 2020 20:48:05 -0700
+Subject: [PATCH 06/12] credential: parse URL without host as empty host, not
+ unset
+
+We may feed a URL like "cert:///path/to/cert.pem" into the credential
+machinery to get the key for a client-side certificate. That
+credential has no hostname field, which is about to be disallowed (to
+avoid confusion with protocols where a helper _would_ expect a
+hostname).
+
+This means as of the next patch, credential helpers won't work for
+unlocking certs. Let's fix that by doing two things:
+
+  - when we parse a url with an empty host, set the host field to the
+    empty string (asking only to match stored entries with an empty
+    host) rather than NULL (asking to match _any_ host).
+
+  - when we build a cert:// credential by hand, similarly assign an
+    empty string
+
+It's the latter that is more likely to impact real users in practice,
+since it's what's used for http connections. But we don't have good
+infrastructure to test it.
+
+The url-parsing version will help anybody using git-credential in a
+script, and is easy to test.
+
+Signed-off-by: Jeff King <peff@peff.net>
+Reviewed-by: Taylor Blau <me@ttaylorr.com>
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-11008 (3)
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ credential.c           |  3 +--
+ http.c                 |  1 +
+ t/t0300-credentials.sh | 17 +++++++++++++++++
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/credential.c b/credential.c
+index 2482382..f2413ce 100644
+--- a/credential.c
++++ b/credential.c
+@@ -376,8 +376,7 @@ int credential_from_url_gently(struct credential *c, const char *url,
+ 
+ 	if (proto_end - url > 0)
+ 		c->protocol = xmemdupz(url, proto_end - url);
+-	if (slash - host > 0)
+-		c->host = url_decode_mem(host, slash - host);
++	c->host = url_decode_mem(host, slash - host);
+ 	/* Trim leading and trailing slashes from path */
+ 	while (*slash == '/')
+ 		slash++;
+diff --git a/http.c b/http.c
+index 27aa0a3..c4dfdac 100644
+--- a/http.c
++++ b/http.c
+@@ -558,6 +558,7 @@ static int has_cert_password(void)
+ 		return 0;
+ 	if (!cert_auth.password) {
+ 		cert_auth.protocol = xstrdup("cert");
++		cert_auth.host = xstrdup("");
+ 		cert_auth.username = xstrdup("");
+ 		cert_auth.path = xstrdup(ssl_cert);
+ 		credential_fill(&cert_auth);
+diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
+index f4c5d7f..1c1010b 100755
+--- a/t/t0300-credentials.sh
++++ b/t/t0300-credentials.sh
+@@ -414,4 +414,21 @@ test_expect_success 'url parser ignores embedded newlines' '
+ 	EOF
+ '
+ 
++test_expect_success 'host-less URLs are parsed as empty host' '
++	check fill "verbatim foo bar" <<-\EOF
++	url=cert:///path/to/cert.pem
++	--
++	protocol=cert
++	host=
++	path=path/to/cert.pem
++	username=foo
++	password=bar
++	--
++	verbatim: get
++	verbatim: protocol=cert
++	verbatim: host=
++	verbatim: path=path/to/cert.pem
++	EOF
++'
++
+ test_done
+-- 
+1.9.1
+
diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-4.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-4.patch
new file mode 100644
index 0000000000..14e23466d4
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-11008-4.patch
@@ -0,0 +1,173 @@
+From f8bf7099379990ad974c1ca8f51e1f28bf18cf2a Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Sat, 18 Apr 2020 20:50:48 -0700
+Subject: [PATCH 07/12] credential: refuse to operate when missing host or
+ protocol
+
+The credential helper protocol was designed to be very flexible: the
+fields it takes as input are treated as a pattern, and any missing
+fields are taken as wildcards. This allows unusual things like:
+
+  echo protocol=https | git credential reject
+
+to delete all stored https credentials (assuming the helpers themselves
+treat the input that way). But when helpers are invoked automatically by
+Git, this flexibility works against us. If for whatever reason we don't
+have a "host" field, then we'd match _any_ host. When you're filling a
+credential to send to a remote server, this is almost certainly not what
+you want.
+
+Prevent this at the layer that writes to the credential helper. Add a
+check to the credential API that the host and protocol are always passed
+in, and add an assertion to the credential_write function that speaks
+credential helper protocol to be doubly sure.
+
+There are a few ways this can be triggered in practice:
+
+  - the "git credential" command passes along arbitrary credential
+    parameters it reads from stdin.
+
+  - until the previous patch, when the host field of a URL is empty, we
+    would leave it unset (rather than setting it to the empty string)
+
+  - a URL like "example.com/foo.git" is treated by curl as if "http://"
+    was present, but our parser sees it as a non-URL and leaves all
+    fields unset
+
+  - the recent fix for URLs with embedded newlines blanks the URL but
+    otherwise continues. Rather than having the desired effect of
+    looking up no credential at all, many helpers will return _any_
+    credential
+
+Our earlier test for an embedded newline didn't catch this because it
+only checked that the credential was cleared, but didn't configure an
+actual helper. Configuring the "verbatim" helper in the test would show
+that it is invoked (it's obviously a silly helper which doesn't look at
+its input, but the point is that it shouldn't be run at all). Since
+we're switching this case to die(), we don't need to bother with a
+helper. We can see the new behavior just by checking that the operation
+fails.
+
+We'll add new tests covering partial input as well (these can be
+triggered through various means with url-parsing, but it's simpler to
+just check them directly, as we know we are covered even if the url
+parser changes behavior in the future).
+
+[jn: changed to die() instead of logging and showing a manual
+ username/password prompt]
+
+Reported-by: Carlo Arenas <carenas@gmail.com>
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-11008 (4)
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ credential.c           | 20 ++++++++++++++------
+ t/t0300-credentials.sh | 34 ++++++++++++++++++++++++++--------
+ 2 files changed, 40 insertions(+), 14 deletions(-)
+
+diff --git a/credential.c b/credential.c
+index f2413ce..e08ed84 100644
+--- a/credential.c
++++ b/credential.c
+@@ -89,6 +89,11 @@ static int proto_is_http(const char *s)
+ 
+ static void credential_apply_config(struct credential *c)
+ {
++	if (!c->host)
++		die(_("refusing to work with credential missing host field"));
++	if (!c->protocol)
++		die(_("refusing to work with credential missing protocol field"));
++
+ 	if (c->configured)
+ 		return;
+ 	git_config(credential_config_callback, c);
+@@ -191,8 +196,11 @@ int credential_read(struct credential *c, FILE *fp)
+ 	return 0;
+ }
+ 
+-static void credential_write_item(FILE *fp, const char *key, const char *value)
++static void credential_write_item(FILE *fp, const char *key, const char *value,
++				  int required)
+ {
++	if (!value && required)
++		BUG("credential value for %s is missing", key);
+ 	if (!value)
+ 		return;
+ 	if (strchr(value, '\n'))
+@@ -202,11 +210,11 @@ static void credential_write_item(FILE *fp, const char *key, const char *value)
+ 
+ void credential_write(const struct credential *c, FILE *fp)
+ {
+-	credential_write_item(fp, "protocol", c->protocol);
+-	credential_write_item(fp, "host", c->host);
+-	credential_write_item(fp, "path", c->path);
+-	credential_write_item(fp, "username", c->username);
+-	credential_write_item(fp, "password", c->password);
++	credential_write_item(fp, "protocol", c->protocol, 1);
++	credential_write_item(fp, "host", c->host, 1);
++	credential_write_item(fp, "path", c->path, 0);
++	credential_write_item(fp, "username", c->username, 0);
++	credential_write_item(fp, "password", c->password, 0);
+ }
+ 
+ static int run_credential_helper(struct credential *c,
+diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
+index 1c1010b..646f845 100755
+--- a/t/t0300-credentials.sh
++++ b/t/t0300-credentials.sh
+@@ -400,18 +400,16 @@ test_expect_success 'empty helper spec resets helper list' '
+ 	EOF
+ '
+ 
+-test_expect_success 'url parser ignores embedded newlines' '
+-	check fill <<-EOF
++test_expect_success 'url parser rejects embedded newlines' '
++	test_must_fail git credential fill 2>stderr <<-\EOF &&
+ 	url=https://one.example.com?%0ahost=two.example.com/
+-	--
+-	username=askpass-username
+-	password=askpass-password
+-	--
++	EOF
++	cat >expect <<-\EOF &&
+ 	warning: url contains a newline in its host component: https://one.example.com?%0ahost=two.example.com/
+ 	warning: skipping credential lookup for url: https://one.example.com?%0ahost=two.example.com/
+-	askpass: Username:
+-	askpass: Password:
++	fatal: refusing to work with credential missing host field
+ 	EOF
++	test_i18ncmp expect stderr
+ '
+ 
+ test_expect_success 'host-less URLs are parsed as empty host' '
+@@ -431,4 +429,24 @@ test_expect_success 'host-less URLs are parsed as empty host' '
+ 	EOF
+ '
+ 
++test_expect_success 'credential system refuses to work with missing host' '
++	test_must_fail git credential fill 2>stderr <<-\EOF &&
++	protocol=http
++	EOF
++	cat >expect <<-\EOF &&
++	fatal: refusing to work with credential missing host field
++	EOF
++	test_i18ncmp expect stderr
++'
++
++test_expect_success 'credential system refuses to work with missing protocol' '
++	test_must_fail git credential fill 2>stderr <<-\EOF &&
++	host=example.com
++	EOF
++	cat >expect <<-\EOF &&
++	fatal: refusing to work with credential missing protocol field
++	EOF
++	test_i18ncmp expect stderr
++'
++
+ test_done
+-- 
+1.9.1
+
diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-5.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-5.patch
new file mode 100644
index 0000000000..60f8d59082
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-11008-5.patch
@@ -0,0 +1,211 @@
+From 3431abe8c0f64f4049a31298c0b1056baa7d81dc Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Mon, 27 Apr 2020 14:45:49 +0800
+Subject: [PATCH 08/12] fsck: convert gitmodules url to URL passed to curl
+
+In 07259e74ec1 (fsck: detect gitmodules URLs with embedded newlines,
+2020-03-11), git fsck learned to check whether URLs in .gitmodules could
+be understood by the credential machinery when they are handled by
+git-remote-curl.
+
+However, the check is overbroad: it checks all URLs instead of only
+URLs that would be passed to git-remote-curl. In principle a git:// or
+file:/// URL does not need to follow the same conventions as an http://
+URL; in particular, git:// and file:// protocols are not succeptible to
+issues in the credential API because they do not support attaching
+credentials.
+
+In the HTTP case, the URL in .gitmodules does not always match the URL
+that would be passed to git-remote-curl and the credential machinery:
+Git's URL syntax allows specifying a remote helper followed by a "::"
+delimiter and a URL to be passed to it, so that
+
+	git ls-remote http::https://example.com/repo.git
+
+invokes git-remote-http with https://example.com/repo.git as its URL
+argument. With today's checks, that distinction does not make a
+difference, but for a check we are about to introduce (for empty URL
+schemes) it will matter.
+
+.gitmodules files also support relative URLs. To ensure coverage for the
+https based embedded-newline attack, urldecode and check them directly
+for embedded newlines.
+
+Helped-by: Jeff King <peff@peff.net>
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+Reviewed-by: Jeff King <peff@peff.net>
+
+Upstream-Status: Backport
+CVE: CVE-2020-11008 (5)
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ fsck.c                        | 94 ++++++++++++++++++++++++++++++++++++++++---
+ t/t7416-submodule-dash-url.sh | 29 +++++++++++++
+ 2 files changed, 118 insertions(+), 5 deletions(-)
+
+diff --git a/fsck.c b/fsck.c
+index ea46eea..0f21eb1 100644
+--- a/fsck.c
++++ b/fsck.c
+@@ -9,6 +9,7 @@
+ #include "tag.h"
+ #include "fsck.h"
+ #include "refs.h"
++#include "url.h"
+ #include "utf8.h"
+ #include "decorate.h"
+ #include "oidset.h"
+@@ -948,17 +949,100 @@ static int fsck_tag(struct tag *tag, const char *data,
+ 	return fsck_tag_buffer(tag, data, size, options);
+ }
+ 
++/*
++ * Like builtin/submodule--helper.c's starts_with_dot_slash, but without
++ * relying on the platform-dependent is_dir_sep helper.
++ *
++ * This is for use in checking whether a submodule URL is interpreted as
++ * relative to the current directory on any platform, since \ is a
++ * directory separator on Windows but not on other platforms.
++ */
++static int starts_with_dot_slash(const char *str)
++{
++	return str[0] == '.' && (str[1] == '/' || str[1] == '\\');
++}
++
++/*
++ * Like starts_with_dot_slash, this is a variant of submodule--helper's
++ * helper of the same name with the twist that it accepts backslash as a
++ * directory separator even on non-Windows platforms.
++ */
++static int starts_with_dot_dot_slash(const char *str)
++{
++	return str[0] == '.' && starts_with_dot_slash(str + 1);
++}
++
++static int submodule_url_is_relative(const char *url)
++{
++	return starts_with_dot_slash(url) || starts_with_dot_dot_slash(url);
++}
++
++/*
++ * Check whether a transport is implemented by git-remote-curl.
++ *
++ * If it is, returns 1 and writes the URL that would be passed to
++ * git-remote-curl to the "out" parameter.
++ *
++ * Otherwise, returns 0 and leaves "out" untouched.
++ *
++ * Examples:
++ *   http::https://example.com/repo.git -> 1, https://example.com/repo.git
++ *   https://example.com/repo.git -> 1, https://example.com/repo.git
++ *   git://example.com/repo.git -> 0
++ *
++ * This is for use in checking for previously exploitable bugs that
++ * required a submodule URL to be passed to git-remote-curl.
++ */
++static int url_to_curl_url(const char *url, const char **out)
++{
++	/*
++	 * We don't need to check for case-aliases, "http.exe", and so
++	 * on because in the default configuration, is_transport_allowed
++	 * prevents URLs with those schemes from being cloned
++	 * automatically.
++	 */
++	if (skip_prefix(url, "http::", out) ||
++	    skip_prefix(url, "https::", out) ||
++	    skip_prefix(url, "ftp::", out) ||
++	    skip_prefix(url, "ftps::", out))
++		return 1;
++	if (starts_with(url, "http://") ||
++	    starts_with(url, "https://") ||
++	    starts_with(url, "ftp://") ||
++	    starts_with(url, "ftps://")) {
++		*out = url;
++		return 1;
++	}
++	return 0;
++}
++
+ static int check_submodule_url(const char *url)
+ {
+-	struct credential c = CREDENTIAL_INIT;
+-	int ret;
++	const char *curl_url;
+ 
+ 	if (looks_like_command_line_option(url))
+ 		return -1;
+ 
+-	ret = credential_from_url_gently(&c, url, 1);
+-	credential_clear(&c);
+-	return ret;
++	if (submodule_url_is_relative(url)) {
++		/*
++		 * This could be appended to an http URL and url-decoded;
++		 * check for malicious characters.
++		 */
++		char *decoded = url_decode(url);
++		int has_nl = !!strchr(decoded, '\n');
++		free(decoded);
++		if (has_nl)
++			return -1;
++	}
++
++	else if (url_to_curl_url(url, &curl_url)) {
++		struct credential c = CREDENTIAL_INIT;
++		int ret = credential_from_url_gently(&c, curl_url, 1);
++		credential_clear(&c);
++		return ret;
++	}
++
++	return 0;
+ }
+ 
+ struct fsck_gitmodules_data {
+diff --git a/t/t7416-submodule-dash-url.sh b/t/t7416-submodule-dash-url.sh
+index 41431b1..afdd255 100755
+--- a/t/t7416-submodule-dash-url.sh
++++ b/t/t7416-submodule-dash-url.sh
+@@ -60,6 +60,20 @@ test_expect_success 'trailing backslash is handled correctly' '
+ 	test_i18ngrep ! "unknown option" err
+ '
+ 
++test_expect_success 'fsck permits embedded newline with unrecognized scheme' '
++	git checkout --orphan newscheme &&
++	cat >.gitmodules <<-\EOF &&
++	[submodule "foo"]
++		url = "data://acjbkd%0akajfdickajkd"
++	EOF
++	git add .gitmodules &&
++	git commit -m "gitmodules with unrecognized scheme" &&
++	test_when_finished "rm -rf dst" &&
++	git init --bare dst &&
++	git -C dst config transfer.fsckObjects true &&
++	git push dst HEAD
++'
++
+ test_expect_success 'fsck rejects embedded newline in url' '
+ 	# create an orphan branch to avoid existing .gitmodules objects
+ 	git checkout --orphan newline &&
+@@ -76,4 +90,19 @@ test_expect_success 'fsck rejects embedded newline in url' '
+ 	grep gitmodulesUrl err
+ '
+ 
++test_expect_success 'fsck rejects embedded newline in relative url' '
++	git checkout --orphan relative-newline &&
++	cat >.gitmodules <<-\EOF &&
++	[submodule "foo"]
++		url = "./%0ahost=two.example.com/foo.git"
++	EOF
++	git add .gitmodules &&
++	git commit -m "relative url with newline" &&
++	test_when_finished "rm -rf dst" &&
++	git init --bare dst &&
++	git -C dst config transfer.fsckObjects true &&
++	test_must_fail git push dst HEAD 2>err &&
++	grep gitmodulesUrl err
++'
++
+ test_done
+-- 
+1.9.1
+
diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-6.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-6.patch
new file mode 100644
index 0000000000..6b36893030
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-11008-6.patch
@@ -0,0 +1,84 @@
+From 883508bcebe87fbe7fb7392272e930c27c30fdc2 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Sat, 18 Apr 2020 20:53:09 -0700
+Subject: [PATCH 09/12] credential: die() when parsing invalid urls
+
+When we try to initialize credential loading by URL and find that the
+URL is invalid, we set all fields to NULL in order to avoid acting on
+malicious input. Later when we request credentials, we diagonse the
+erroneous input:
+
+	fatal: refusing to work with credential missing host field
+
+This is problematic in two ways:
+
+- The message doesn't tell the user *why* we are missing the host
+  field, so they can't tell from this message alone how to recover.
+  There can be intervening messages after the original warning of
+  bad input, so the user may not have the context to put two and two
+  together.
+
+- The error only occurs when we actually need to get a credential.  If
+  the URL permits anonymous access, the only encouragement the user gets
+  to correct their bogus URL is a quiet warning.
+
+  This is inconsistent with the check we perform in fsck, where any use
+  of such a URL as a submodule is an error.
+
+When we see such a bogus URL, let's not try to be nice and continue
+without helpers. Instead, die() immediately. This is simpler and
+obviously safe. And there's very little chance of disrupting a normal
+workflow.
+
+It's _possible_ that somebody has a legitimate URL with a raw newline in
+it. It already wouldn't work with credential helpers, so this patch
+steps that up from an inconvenience to "we will refuse to work with it
+at all". If such a case does exist, we should figure out a way to work
+with it (especially if the newline is only in the path component, which
+we normally don't even pass to helpers). But until we see a real report,
+we're better off being defensive.
+
+Reported-by: Carlo Arenas <carenas@gmail.com>
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-11008 (6)
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ credential.c           | 6 ++----
+ t/t0300-credentials.sh | 3 +--
+ 2 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/credential.c b/credential.c
+index e08ed84..22649d5 100644
+--- a/credential.c
++++ b/credential.c
+@@ -408,8 +408,6 @@ int credential_from_url_gently(struct credential *c, const char *url,
+ 
+ void credential_from_url(struct credential *c, const char *url)
+ {
+-	if (credential_from_url_gently(c, url, 0) < 0) {
+-		warning(_("skipping credential lookup for url: %s"), url);
+-		credential_clear(c);
+-	}
++	if (credential_from_url_gently(c, url, 0) < 0)
++		die(_("credential url cannot be parsed: %s"), url);
+ }
+diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
+index 646f845..efed3ea 100755
+--- a/t/t0300-credentials.sh
++++ b/t/t0300-credentials.sh
+@@ -406,8 +406,7 @@ test_expect_success 'url parser rejects embedded newlines' '
+ 	EOF
+ 	cat >expect <<-\EOF &&
+ 	warning: url contains a newline in its host component: https://one.example.com?%0ahost=two.example.com/
+-	warning: skipping credential lookup for url: https://one.example.com?%0ahost=two.example.com/
+-	fatal: refusing to work with credential missing host field
++	fatal: credential url cannot be parsed: https://one.example.com?%0ahost=two.example.com/
+ 	EOF
+ 	test_i18ncmp expect stderr
+ '
+-- 
+1.9.1
+
diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-7.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-7.patch
new file mode 100644
index 0000000000..5e3b6f1454
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-11008-7.patch
@@ -0,0 +1,206 @@
+From 68acf8724e9cb2f67664dd980581c0022401daf0 Mon Sep 17 00:00:00 2001
+From: Jonathan Nieder <jrnieder@gmail.com>
+Date: Sat, 18 Apr 2020 20:54:13 -0700
+Subject: [PATCH 10/12] credential: treat URL without scheme as invalid
+
+libcurl permits making requests without a URL scheme specified.  In
+this case, it guesses the URL from the hostname, so I can run
+
+	git ls-remote http::ftp.example.com/path/to/repo
+
+and it would make an FTP request.
+
+Any user intentionally using such a URL is likely to have made a typo.
+Unfortunately, credential_from_url is not able to determine the host and
+protocol in order to determine appropriate credentials to send, and
+until "credential: refuse to operate when missing host or protocol",
+this resulted in another host's credentials being leaked to the named
+host.
+
+Teach credential_from_url_gently to consider such a URL to be invalid
+so that fsck can detect and block gitmodules files with such URLs,
+allowing server operators to avoid serving them to downstream users
+running older versions of Git.
+
+This also means that when such URLs are passed on the command line, Git
+will print a clearer error so affected users can switch to the simpler
+URL that explicitly specifies the host and protocol they intend.
+
+One subtlety: .gitmodules files can contain relative URLs, representing
+a URL relative to the URL they were cloned from.  The relative URL
+resolver used for .gitmodules can follow ".." components out of the path
+part and past the host part of a URL, meaning that such a relative URL
+can be used to traverse from a https://foo.example.com/innocent
+superproject to a https::attacker.example.com/exploit submodule.
+Fortunately a leading ':' in the first path component after a series of
+leading './' and '../' components is unlikely to show up in other
+contexts, so we can catch this by detecting that pattern.
+
+Reported-by: Jeff King <peff@peff.net>
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+Reviewed-by: Jeff King <peff@peff.net>
+
+Upstream-Status: Backport
+CVE: CVE-2020-11008 (7)
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ credential.c                  |  7 +++++--
+ fsck.c                        | 47 +++++++++++++++++++++++++++++++++++++++++--
+ t/t5550-http-fetch-dumb.sh    |  7 ++-----
+ t/t7416-submodule-dash-url.sh | 32 +++++++++++++++++++++++++++++
+ 4 files changed, 84 insertions(+), 9 deletions(-)
+
+diff --git a/credential.c b/credential.c
+index 22649d5..1e1aed5 100644
+--- a/credential.c
++++ b/credential.c
+@@ -360,8 +360,11 @@ int credential_from_url_gently(struct credential *c, const char *url,
+ 	 *   (3) proto://<user>:<pass>@<host>/...
+ 	 */
+ 	proto_end = strstr(url, "://");
+-	if (!proto_end)
+-		return 0;
++	if (!proto_end) {
++		if (!quiet)
++			warning(_("url has no scheme: %s"), url);
++		return -1;
++	}
+ 	cp = proto_end + 3;
+ 	at = strchr(cp, '@');
+ 	colon = strchr(cp, ':');
+diff --git a/fsck.c b/fsck.c
+index 0f21eb1..30eac29 100644
+--- a/fsck.c
++++ b/fsck.c
+@@ -978,6 +978,34 @@ static int submodule_url_is_relative(const char *url)
+ }
+ 
+ /*
++ * Count directory components that a relative submodule URL should chop
++ * from the remote_url it is to be resolved against.
++ *
++ * In other words, this counts "../" components at the start of a
++ * submodule URL.
++ *
++ * Returns the number of directory components to chop and writes a
++ * pointer to the next character of url after all leading "./" and
++ * "../" components to out.
++ */
++static int count_leading_dotdots(const char *url, const char **out)
++{
++	int result = 0;
++	while (1) {
++		if (starts_with_dot_dot_slash(url)) {
++			result++;
++			url += strlen("../");
++			continue;
++		}
++		if (starts_with_dot_slash(url)) {
++			url += strlen("./");
++			continue;
++		}
++		*out = url;
++		return result;
++	}
++}
++/*
+  * Check whether a transport is implemented by git-remote-curl.
+  *
+  * If it is, returns 1 and writes the URL that would be passed to
+@@ -1024,15 +1052,30 @@ static int check_submodule_url(const char *url)
+ 		return -1;
+ 
+ 	if (submodule_url_is_relative(url)) {
++		char *decoded;
++		const char *next;
++		int has_nl;
++
+ 		/*
+ 		 * This could be appended to an http URL and url-decoded;
+ 		 * check for malicious characters.
+ 		 */
+-		char *decoded = url_decode(url);
+-		int has_nl = !!strchr(decoded, '\n');
++		decoded = url_decode(url);
++		has_nl = !!strchr(decoded, '\n');
++
+ 		free(decoded);
+ 		if (has_nl)
+ 			return -1;
++
++		/*
++		 * URLs which escape their root via "../" can overwrite
++		 * the host field and previous components, resolving to
++		 * URLs like https::example.com/submodule.git that were
++		 * susceptible to CVE-2020-11008.
++		 */
++		if (count_leading_dotdots(url, &next) > 0 &&
++		    *next == ':')
++			return -1;
+ 	}
+ 
+ 	else if (url_to_curl_url(url, &curl_url)) {
+diff --git a/t/t5550-http-fetch-dumb.sh b/t/t5550-http-fetch-dumb.sh
+index b811d89..1c9e5d3 100755
+--- a/t/t5550-http-fetch-dumb.sh
++++ b/t/t5550-http-fetch-dumb.sh
+@@ -321,11 +321,8 @@ test_expect_success 'git client does not send an empty Accept-Language' '
+ '
+ 
+ test_expect_success 'remote-http complains cleanly about malformed urls' '
+-	# do not actually issue "list" or other commands, as we do not
+-	# want to rely on what curl would actually do with such a broken
+-	# URL. This is just about making sure we do not segfault during
+-	# initialization.
+-	test_must_fail git remote-http http::/example.com/repo.git
++	test_must_fail git remote-http http::/example.com/repo.git 2>stderr &&
++	test_i18ngrep "url has no scheme" stderr
+ '
+ 
+ test_expect_success 'redirects can be forbidden/allowed' '
+diff --git a/t/t7416-submodule-dash-url.sh b/t/t7416-submodule-dash-url.sh
+index afdd255..249dc3d 100755
+--- a/t/t7416-submodule-dash-url.sh
++++ b/t/t7416-submodule-dash-url.sh
+@@ -60,6 +60,38 @@ test_expect_success 'trailing backslash is handled correctly' '
+ 	test_i18ngrep ! "unknown option" err
+ '
+ 
++test_expect_success 'fsck rejects missing URL scheme' '
++	git checkout --orphan missing-scheme &&
++	cat >.gitmodules <<-\EOF &&
++	[submodule "foo"]
++		url = http::one.example.com/foo.git
++	EOF
++	git add .gitmodules &&
++	test_tick &&
++	git commit -m "gitmodules with missing URL scheme" &&
++	test_when_finished "rm -rf dst" &&
++	git init --bare dst &&
++	git -C dst config transfer.fsckObjects true &&
++	test_must_fail git push dst HEAD 2>err &&
++	grep gitmodulesUrl err
++'
++
++test_expect_success 'fsck rejects relative URL resolving to missing scheme' '
++	git checkout --orphan relative-missing-scheme &&
++	cat >.gitmodules <<-\EOF &&
++	[submodule "foo"]
++		url = "..\\../.\\../:one.example.com/foo.git"
++	EOF
++	git add .gitmodules &&
++	test_tick &&
++	git commit -m "gitmodules with relative URL that strips off scheme" &&
++	test_when_finished "rm -rf dst" &&
++	git init --bare dst &&
++	git -C dst config transfer.fsckObjects true &&
++	test_must_fail git push dst HEAD 2>err &&
++	grep gitmodulesUrl err
++'
++
+ test_expect_success 'fsck permits embedded newline with unrecognized scheme' '
+ 	git checkout --orphan newscheme &&
+ 	cat >.gitmodules <<-\EOF &&
+-- 
+1.9.1
+
diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-8.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-8.patch
new file mode 100644
index 0000000000..935d47795f
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-11008-8.patch
@@ -0,0 +1,114 @@
+From 5e06d0781a963d62413ae7eab4eb78cc7195af8b Mon Sep 17 00:00:00 2001
+From: Jonathan Nieder <jrnieder@gmail.com>
+Date: Sat, 18 Apr 2020 20:54:57 -0700
+Subject: [PATCH 11/12] credential: treat URL with empty scheme as invalid
+
+Until "credential: refuse to operate when missing host or protocol",
+Git's credential handling code interpreted URLs with empty scheme to
+mean "give me credentials matching this host for any protocol".
+
+Luckily libcurl does not recognize such URLs (it tries to look for a
+protocol named "" and fails). Just in case that changes, let's reject
+them within Git as well. This way, credential_from_url is guaranteed to
+always produce a "struct credential" with protocol and host set.
+
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-11008 (8)
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ credential.c                  |  5 ++---
+ t/t5550-http-fetch-dumb.sh    |  9 +++++++++
+ t/t7416-submodule-dash-url.sh | 32 ++++++++++++++++++++++++++++++++
+ 3 files changed, 43 insertions(+), 3 deletions(-)
+
+diff --git a/credential.c b/credential.c
+index 1e1aed5..cf11cc9 100644
+--- a/credential.c
++++ b/credential.c
+@@ -360,7 +360,7 @@ int credential_from_url_gently(struct credential *c, const char *url,
+ 	 *   (3) proto://<user>:<pass>@<host>/...
+ 	 */
+ 	proto_end = strstr(url, "://");
+-	if (!proto_end) {
++	if (!proto_end || proto_end == url) {
+ 		if (!quiet)
+ 			warning(_("url has no scheme: %s"), url);
+ 		return -1;
+@@ -385,8 +385,7 @@ int credential_from_url_gently(struct credential *c, const char *url,
+ 		host = at + 1;
+ 	}
+ 
+-	if (proto_end - url > 0)
+-		c->protocol = xmemdupz(url, proto_end - url);
++	c->protocol = xmemdupz(url, proto_end - url);
+ 	c->host = url_decode_mem(host, slash - host);
+ 	/* Trim leading and trailing slashes from path */
+ 	while (*slash == '/')
+diff --git a/t/t5550-http-fetch-dumb.sh b/t/t5550-http-fetch-dumb.sh
+index 1c9e5d3..ea2688b 100755
+--- a/t/t5550-http-fetch-dumb.sh
++++ b/t/t5550-http-fetch-dumb.sh
+@@ -325,6 +325,15 @@ test_expect_success 'remote-http complains cleanly about malformed urls' '
+ 	test_i18ngrep "url has no scheme" stderr
+ '
+ 
++# NEEDSWORK: Writing commands to git-remote-curl can race against the latter
++# erroring out, producing SIGPIPE. Remove "ok=sigpipe" once transport-helper has
++# learned to handle early remote helper failures more cleanly.
++test_expect_success 'remote-http complains cleanly about empty scheme' '
++	test_must_fail ok=sigpipe git ls-remote \
++		http::${HTTPD_URL#http}/dumb/repo.git 2>stderr &&
++	test_i18ngrep "url has no scheme" stderr
++'
++
+ test_expect_success 'redirects can be forbidden/allowed' '
+ 	test_must_fail git -c http.followRedirects=false \
+ 		clone $HTTPD_URL/dumb-redir/repo.git dumb-redir &&
+diff --git a/t/t7416-submodule-dash-url.sh b/t/t7416-submodule-dash-url.sh
+index 249dc3d..9309040 100755
+--- a/t/t7416-submodule-dash-url.sh
++++ b/t/t7416-submodule-dash-url.sh
+@@ -92,6 +92,38 @@ test_expect_success 'fsck rejects relative URL resolving to missing scheme' '
+ 	grep gitmodulesUrl err
+ '
+ 
++test_expect_success 'fsck rejects empty URL scheme' '
++	git checkout --orphan empty-scheme &&
++	cat >.gitmodules <<-\EOF &&
++	[submodule "foo"]
++		url = http::://one.example.com/foo.git
++	EOF
++	git add .gitmodules &&
++	test_tick &&
++	git commit -m "gitmodules with empty URL scheme" &&
++	test_when_finished "rm -rf dst" &&
++	git init --bare dst &&
++	git -C dst config transfer.fsckObjects true &&
++	test_must_fail git push dst HEAD 2>err &&
++	grep gitmodulesUrl err
++'
++
++test_expect_success 'fsck rejects relative URL resolving to empty scheme' '
++	git checkout --orphan relative-empty-scheme &&
++	cat >.gitmodules <<-\EOF &&
++	[submodule "foo"]
++		url = ../../../:://one.example.com/foo.git
++	EOF
++	git add .gitmodules &&
++	test_tick &&
++	git commit -m "relative gitmodules URL resolving to empty scheme" &&
++	test_when_finished "rm -rf dst" &&
++	git init --bare dst &&
++	git -C dst config transfer.fsckObjects true &&
++	test_must_fail git push dst HEAD 2>err &&
++	grep gitmodulesUrl err
++'
++
+ test_expect_success 'fsck permits embedded newline with unrecognized scheme' '
+ 	git checkout --orphan newscheme &&
+ 	cat >.gitmodules <<-\EOF &&
+-- 
+1.9.1
+
diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-9.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-9.patch
new file mode 100644
index 0000000000..22292dbbbf
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-11008-9.patch
@@ -0,0 +1,114 @@
+From 2e084e25fa454c58a600c9434f776f2150037a76 Mon Sep 17 00:00:00 2001
+From: Jonathan Nieder <jrnieder@gmail.com>
+Date: Sat, 18 Apr 2020 20:57:22 -0700
+Subject: [PATCH 12/12] fsck: reject URL with empty host in .gitmodules
+
+Git's URL parser interprets
+
+	https:///example.com/repo.git
+
+to have no host and a path of "example.com/repo.git".  Curl, on the
+other hand, internally redirects it to https://example.com/repo.git.  As
+a result, until "credential: parse URL without host as empty host, not
+unset", tricking a user into fetching from such a URL would cause Git to
+send credentials for another host to example.com.
+
+Teach fsck to block and detect .gitmodules files using such a URL to
+prevent sharing them with Git versions that are not yet protected.
+
+A relative URL in a .gitmodules file could also be used to trigger this.
+The relative URL resolver used for .gitmodules does not normalize
+sequences of slashes and can follow ".." components out of the path part
+and to the host part of a URL, meaning that such a relative URL can be
+used to traverse from a https://foo.example.com/innocent superproject to
+a https:///attacker.example.com/exploit submodule. Fortunately,
+redundant extra slashes in .gitmodules are rare, so we can catch this by
+detecting one after a leading sequence of "./" and "../" components.
+
+Helped-by: Jeff King <peff@peff.net>
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+Reviewed-by: Jeff King <peff@peff.net>
+
+Upstream-Status: Backport
+CVE: CVE-2020-11008 (9)
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ fsck.c                        | 10 +++++++---
+ t/t7416-submodule-dash-url.sh | 32 ++++++++++++++++++++++++++++++++
+ 2 files changed, 39 insertions(+), 3 deletions(-)
+
+diff --git a/fsck.c b/fsck.c
+index 30eac29..00077b1 100644
+--- a/fsck.c
++++ b/fsck.c
+@@ -1070,17 +1070,21 @@ static int check_submodule_url(const char *url)
+ 		/*
+ 		 * URLs which escape their root via "../" can overwrite
+ 		 * the host field and previous components, resolving to
+-		 * URLs like https::example.com/submodule.git that were
++		 * URLs like https::example.com/submodule.git and
++		 * https:///example.com/submodule.git that were
+ 		 * susceptible to CVE-2020-11008.
+ 		 */
+ 		if (count_leading_dotdots(url, &next) > 0 &&
+-		    *next == ':')
++		    (*next == ':' || *next == '/'))
+ 			return -1;
+ 	}
+ 
+ 	else if (url_to_curl_url(url, &curl_url)) {
+ 		struct credential c = CREDENTIAL_INIT;
+-		int ret = credential_from_url_gently(&c, curl_url, 1);
++		int ret = 0;
++		if (credential_from_url_gently(&c, curl_url, 1) ||
++		    !*c.host)
++			ret = -1;
+ 		credential_clear(&c);
+ 		return ret;
+ 	}
+diff --git a/t/t7416-submodule-dash-url.sh b/t/t7416-submodule-dash-url.sh
+index 9309040..eec96e0 100755
+--- a/t/t7416-submodule-dash-url.sh
++++ b/t/t7416-submodule-dash-url.sh
+@@ -124,6 +124,38 @@ test_expect_success 'fsck rejects relative URL resolving to empty scheme' '
+ 	grep gitmodulesUrl err
+ '
+ 
++test_expect_success 'fsck rejects empty hostname' '
++	git checkout --orphan empty-host &&
++	cat >.gitmodules <<-\EOF &&
++	[submodule "foo"]
++		url = http:///one.example.com/foo.git
++	EOF
++	git add .gitmodules &&
++	test_tick &&
++	git commit -m "gitmodules with extra slashes" &&
++	test_when_finished "rm -rf dst" &&
++	git init --bare dst &&
++	git -C dst config transfer.fsckObjects true &&
++	test_must_fail git push dst HEAD 2>err &&
++	grep gitmodulesUrl err
++'
++
++test_expect_success 'fsck rejects relative url that produced empty hostname' '
++	git checkout --orphan messy-relative &&
++	cat >.gitmodules <<-\EOF &&
++	[submodule "foo"]
++		url = ../../..//one.example.com/foo.git
++	EOF
++	git add .gitmodules &&
++	test_tick &&
++	git commit -m "gitmodules abusing relative_path" &&
++	test_when_finished "rm -rf dst" &&
++	git init --bare dst &&
++	git -C dst config transfer.fsckObjects true &&
++	test_must_fail git push dst HEAD 2>err &&
++	grep gitmodulesUrl err
++'
++
+ test_expect_success 'fsck permits embedded newline with unrecognized scheme' '
+ 	git checkout --orphan newscheme &&
+ 	cat >.gitmodules <<-\EOF &&
+-- 
+1.9.1
+
-- 
2.25.4

[PATCH][zeus 08/18] cve-update-db-native: clean DB if temporary file exist

[Anuj Mittal]

From: Lee Chee Yang <chee.yang.lee@intel.com>

when do_populate_cve_db forced stop at certain point, the
DB execution are stoped however the temporary database
file (DB-JOURNAL) are not removed. This db-journal file
indicates that DB is incomplete and set DB in readonly
mode. So when db-journal exist, remove both DB and the
db-journal and build the DB again from scratch.

[YOCTO #13682]

(From OE-Core rev: 70713df25b8ae27a21e53b0b9234567d7053800a)

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-core/meta/cve-update-db-native.bb | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 1b4f31692b..d69d79cb31 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -13,8 +13,15 @@ deltask do_install
 deltask do_populate_sysroot
 
 python () {
-    if not d.getVar("CVE_CHECK_DB_FILE"):
+    cve_check_db_file = d.getVar("CVE_CHECK_DB_FILE")
+    if not cve_check_db_file:
         raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
+
+    if os.path.exists("%s-journal" % cve_check_db_file ):
+        os.remove("%s-journal" % cve_check_db_file)
+
+        if os.path.exists(cve_check_db_file):
+            os.remove(cve_check_db_file)
 }
 
 python do_populate_cve_db() {
-- 
2.25.4

[PATCH][zeus 09/18] qemu: Add PACKAGECONFIG for glusterfs

[Anuj Mittal]

From: haiqing <haiqing.bai@windriver.com>

Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/qemu/qemu.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index ad4ff52892..4e09a9b181 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -167,6 +167,7 @@ PACKAGECONFIG[spice] = "--enable-spice,--disable-spice,spice"
 # usbredir will be in meta-networking layer
 PACKAGECONFIG[usb-redir] = "--enable-usb-redir,--disable-usb-redir,usbredir"
 PACKAGECONFIG[snappy] = "--enable-snappy,--disable-snappy,snappy"
+PACKAGECONFIG[glusterfs] = "--enable-glusterfs,--disable-glusterfs,glusterfs"
 
 INSANE_SKIP_${PN} = "arch"
 
-- 
2.25.4

[PATCH][zeus 10/18] gnupg: upgrade 2.2.17 -> 2.2.19

[Anuj Mittal]

From: Wang Mingyu <wangmy@cn.fujitsu.com>

(From OE-Core rev: 287de363f80a2f9919b942a1349f58575e8b91d8)

Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[ includes the fix for CVE-2019-14855 ]
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../gnupg/{gnupg_2.2.17.bb => gnupg_2.2.19.bb}                | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-support/gnupg/{gnupg_2.2.17.bb => gnupg_2.2.19.bb} (93%)

diff --git a/meta/recipes-support/gnupg/gnupg_2.2.17.bb b/meta/recipes-support/gnupg/gnupg_2.2.19.bb
similarity index 93%
rename from meta/recipes-support/gnupg/gnupg_2.2.17.bb
rename to meta/recipes-support/gnupg/gnupg_2.2.19.bb
index 689cf8a75e..a0577d61d3 100644
--- a/meta/recipes-support/gnupg/gnupg_2.2.17.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.2.19.bb
@@ -19,8 +19,8 @@ SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
 SRC_URI_append_class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \
                                 file://relocate.patch"
 
-SRC_URI[md5sum] = "1ba2d9b70c377f8e967742064c27a19c"
-SRC_URI[sha256sum] = "afa262868e39b651a2db4c071fba90415154243e83a830ca00516f9a807fd514"
+SRC_URI[md5sum] = "cb3b373d08ba078c325299945a7f2818"
+SRC_URI[sha256sum] = "242554c0e06f3a83c420b052f750b65ead711cc3fddddb5e7274fcdbb4e9dec0"
 
 EXTRA_OECONF = "--disable-ldap \
 		--disable-ccid-driver \
-- 
2.25.4

[PATCH][zeus 11/18] python: Upgrade 2.7.17 -> 2.17.18

[Anuj Mittal]

From: Adrian Bunk <bunk@stusta.de>

LICENSE checksum changed due to 2019 -> 2020 update.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../{python-native_2.7.17.bb => python-native_2.7.18.bb}    | 0
 meta/recipes-devtools/python/python.inc                     | 6 +++---
 .../python/{python_2.7.17.bb => python_2.7.18.bb}           | 0
 3 files changed, 3 insertions(+), 3 deletions(-)
 rename meta/recipes-devtools/python/{python-native_2.7.17.bb => python-native_2.7.18.bb} (100%)
 rename meta/recipes-devtools/python/{python_2.7.17.bb => python_2.7.18.bb} (100%)

diff --git a/meta/recipes-devtools/python/python-native_2.7.17.bb b/meta/recipes-devtools/python/python-native_2.7.18.bb
similarity index 100%
rename from meta/recipes-devtools/python/python-native_2.7.17.bb
rename to meta/recipes-devtools/python/python-native_2.7.18.bb
diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
index 19a2f3e743..fe281586fc 100644
--- a/meta/recipes-devtools/python/python.inc
+++ b/meta/recipes-devtools/python/python.inc
@@ -5,13 +5,13 @@ SECTION = "devel/python"
 # bump this on every change in contrib/python/generate-manifest-2.7.py
 INC_PR = "r1"
 
-LIC_FILES_CHKSUM = "file://LICENSE;md5=e466242989bd33c1bd2b6a526a742498"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"
 
 SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            "
 
-SRC_URI[md5sum] = "b3b6d2c92f42a60667814358ab9f0cfd"
-SRC_URI[sha256sum] = "4d43f033cdbd0aa7b7023c81b0e986fd11e653b5248dac9144d508f11812ba41"
+SRC_URI[md5sum] = "fd6cc8ec0a78c44036f825e739f36e5a"
+SRC_URI[sha256sum] = "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
 
 # python recipe is actually python 2.x
 # also, exclude pre-releases for both python 2.x and 3.x
diff --git a/meta/recipes-devtools/python/python_2.7.17.bb b/meta/recipes-devtools/python/python_2.7.18.bb
similarity index 100%
rename from meta/recipes-devtools/python/python_2.7.17.bb
rename to meta/recipes-devtools/python/python_2.7.18.bb
-- 
2.25.4

[PATCH][zeus 12/18] qemu: fix CVE-2020-7039

[Anuj Mittal]

From: Changqing Li <changqing.li@windriver.com>

(From OE-Core rev: 5ea3d9d83ed695827634e3216664c13fcff6d48a)

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  3 +
 .../qemu/qemu/CVE-2020-7039-1.patch           | 44 +++++++++++++
 .../qemu/qemu/CVE-2020-7039-2.patch           | 59 +++++++++++++++++
 .../qemu/qemu/CVE-2020-7039-3.patch           | 64 +++++++++++++++++++
 4 files changed, 170 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 4e09a9b181..22cb10b1c2 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -32,6 +32,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2019-12068.patch \
            file://CVE-2020-1711.patch \
            file://CVE-2019-20382.patch \
+           file://CVE-2020-7039-1.patch \
+           file://CVE-2020-7039-2.patch \
+           file://CVE-2020-7039-3.patch \
 	   "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
new file mode 100644
index 0000000000..df6bca6db6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
@@ -0,0 +1,44 @@
+From b2663d527a1992ba98c0266458b21ada3b9d0d2e Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 27 Feb 2020 12:07:35 +0800
+Subject: [PATCH] tcp_emu: Fix oob access
+
+The main loop only checks for one available byte, while we sometimes
+need two bytes.
+
+CVE: CVE-2020-7039
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ slirp/src/tcp_subr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index d6dd133..4bea2d4 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -886,6 +886,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+                 break;
+ 
+             case 5:
++                if (bptr == m->m_data + m->m_len - 1)
++                        return 1; /* We need two bytes */
+                 /*
+                  * The difference between versions 1.0 and
+                  * 2.0 is here. For future versions of
+@@ -901,6 +903,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+                 /* This is the field containing the port
+                  * number that RA-player is listening to.
+                  */
++
++                if (bptr == m->m_data + m->m_len - 1)
++                        return 1; /* We need two bytes */
++
+                 lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
+                 if (lport < 6970)
+                     lport += 256; /* don't know why */
+-- 
+2.7.4
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch
new file mode 100644
index 0000000000..4a00fa2afd
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch
@@ -0,0 +1,59 @@
+From 8f67e76e4148e37f3d8d2bcbdee7417fdedb7669 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 27 Feb 2020 12:10:34 +0800
+Subject: [PATCH] slirp: use correct size while emulating commands
+
+While emulating services in tcp_emu(), it uses 'mbuf' size
+'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
+size to avoid possible OOB access.
+Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Samuel Thibault's avatarSamuel Thibault
+<samuel.thibault@ens-lyon.org>
+Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
+
+CVE: CVE-2020-7039
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ slirp/src/tcp_subr.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index 4bea2d4..e8ed4ef 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -696,7 +696,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+             n4 = (laddr & 0xff);
+ 
+             m->m_len = bptr - m->m_data; /* Adjust length */
+-            m->m_len += snprintf(bptr, m->m_size - m->m_len,
++            m->m_len += snprintf(bptr, M_FREEROOM(m),
+                                  "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
+                                  n5, n6, x == 7 ? buff : "");
+             return 1;
+@@ -731,8 +731,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+             n4 = (laddr & 0xff);
+ 
+             m->m_len = bptr - m->m_data; /* Adjust length */
+-            m->m_len +=
+-                snprintf(bptr, m->m_size - m->m_len,
++            m->m_len += snprintf(bptr, M_FREEROOM(m),
+                          "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+                          n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
+ 
+@@ -758,8 +757,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+         if (m->m_data[m->m_len - 1] == '\0' && lport != 0 &&
+             (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
+                              htons(lport), SS_FACCEPTONCE)) != NULL)
+-            m->m_len =
+-                snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1;
++            m->m_len = snprintf(m->m_data, M_ROOM(m),
++                                "%d", ntohs(so->so_fport)) + 1;
+         return 1;
+ 
+     case EMU_IRC:
+-- 
+2.7.4
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch
new file mode 100644
index 0000000000..70ce480d80
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch
@@ -0,0 +1,64 @@
+From 0b03959b72036afce151783720d9e54988cf76ef Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 27 Feb 2020 12:15:04 +0800
+Subject: [PATCH] slirp: use correct size while emulating IRC commands
+
+While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
+'m->m_size' to write DCC commands via snprintf(3). This may
+lead to OOB write access, because 'bptr' points somewhere in
+the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
+size to avoid OOB access.
+Reported-by: default avatarVishnu Dev TJ <vishnudevtj@gmail.com>
+Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Samuel Thibault's avatarSamuel Thibault
+<samuel.thibault@ens-lyon.org>
+Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
+
+CVE: CVE-2020-7039
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ slirp/src/tcp_subr.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index e8ed4ef..3a4a8ee 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -777,7 +777,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+                 return 1;
+             }
+             m->m_len = bptr - m->m_data; /* Adjust length */
+-            m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n",
++            m->m_len += snprintf(bptr, M_FREEROOM(m),
++                                 "DCC CHAT chat %lu %u%c\n",
+                                  (unsigned long)ntohl(so->so_faddr.s_addr),
+                                  ntohs(so->so_fport), 1);
+         } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport,
+@@ -787,8 +788,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+                 return 1;
+             }
+             m->m_len = bptr - m->m_data; /* Adjust length */
+-            m->m_len +=
+-                snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff,
++            m->m_len += snprintf(bptr, M_FREEROOM(m),
++                         "DCC SEND %s %lu %u %u%c\n", buff,
+                          (unsigned long)ntohl(so->so_faddr.s_addr),
+                          ntohs(so->so_fport), n1, 1);
+         } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport,
+@@ -798,8 +799,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+                 return 1;
+             }
+             m->m_len = bptr - m->m_data; /* Adjust length */
+-            m->m_len +=
+-                snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff,
++            m->m_len += snprintf(bptr, M_FREEROOM(m),
++                         "DCC MOVE %s %lu %u %u%c\n", buff,
+                          (unsigned long)ntohl(so->so_faddr.s_addr),
+                          ntohs(so->so_fport), n1, 1);
+         }
+-- 
+2.7.4
+
-- 
2.25.4

[PATCH][zeus 13/18] qemu/slirp: fix CVE-2020-7211

[Anuj Mittal]

From: Chee Yang Lee <chee.yang.lee@intel.com>

fix CVE-2020-7211 for qemu slirp submodule
see :
https://www.openwall.com/lists/oss-security/2020/01/17/2
https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4

(From OE-Core rev: 31362d739834377ac4ab880029c3e3dda0cd7698)

Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  1 +
 .../qemu/qemu/CVE-2020-7211.patch             | 46 +++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 22cb10b1c2..ba31c3ba60 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -35,6 +35,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2020-7039-1.patch \
            file://CVE-2020-7039-2.patch \
            file://CVE-2020-7039-3.patch \
+	   file://CVE-2020-7211.patch \
 	   "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch
new file mode 100644
index 0000000000..11be4c92e7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch
@@ -0,0 +1,46 @@
+From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 13 Jan 2020 17:44:31 +0530
+Subject: [PATCH] slirp: tftp: restrict relative path access
+
+tftp restricts relative or directory path access on Linux systems.
+Apply same restrictions on Windows systems too. It helps to avoid
+directory traversal issue.
+
+Fixes: https://bugs.launchpad.net/qemu/+bug/1812451
+Reported-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200113121431.156708-1-ppandit@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/slirp/libslirp/-/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4.patch]
+CVE: CVE-2020-7211
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ slirp/src/tftp.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c
+index 093c2e0..e52e71b 100644
+--- a/slirp/src/tftp.c
++++ b/slirp/src/tftp.c
+@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
+     k += 6; /* skipping octet */
+ 
+     /* do sanity checks on the filename */
+-    if (!strncmp(req_fname, "../", 3) ||
+-        req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) {
++    if (
++#ifdef G_OS_WIN32
++        strstr(req_fname, "..\\") ||
++        req_fname[strlen(req_fname) - 1] == '\\' ||
++#endif
++        strstr(req_fname, "../") ||
++        req_fname[strlen(req_fname) - 1] == '/') {
+         tftp_send_error(spt, 2, "Access violation", tp);
+         return;
+     }
+-- 
+2.24.1
+
-- 
2.25.4

[PATCH][zeus 14/18] gnutls: upgrade 3.6.8 -> 3.6.11.1

[Anuj Mittal]

From: Alex Kiernan <alex.kiernan@gmail.com>

Drop patch from 81485be19b18 ("gnutls: don't use HOSTTOOLS_DIR/bash as a
shell on target") as upstream now honours POSIX_SHELL when set as the
primary target shell.

(From OE-Core rev: bc487ced3be40569157fb40c99bfa68871f74744)

Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../gnutls/gnutls/posix-shell.patch           | 39 -------------------
 .../{gnutls_3.6.8.bb => gnutls_3.6.11.1.bb}   |  5 +--
 2 files changed, 2 insertions(+), 42 deletions(-)
 delete mode 100644 meta/recipes-support/gnutls/gnutls/posix-shell.patch
 rename meta/recipes-support/gnutls/{gnutls_3.6.8.bb => gnutls_3.6.11.1.bb} (92%)

diff --git a/meta/recipes-support/gnutls/gnutls/posix-shell.patch b/meta/recipes-support/gnutls/gnutls/posix-shell.patch
deleted file mode 100644
index 938e2d1e18..0000000000
--- a/meta/recipes-support/gnutls/gnutls/posix-shell.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-Don't embed the path to the build-time POSIX shell as this will be
-$TMPDIR/hosttools/bash, which is no good on the target.
-
-Instead default to /bin/sh but allow it to be set in the environment.
-
-This isn't really upstreamable but I filed a bug at
-https://gitlab.com/gnutls/gnutls/issues/807 and hope a proper fix will be
-integrated.
-
-Upstream-Status: Inappropriate
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-diff --git a/src/libopts/m4/libopts.m4 b/src/libopts/m4/libopts.m4
-index c6ad738..a62faca 100644
---- a/src/libopts/m4/libopts.m4
-+++ b/src/libopts/m4/libopts.m4
-@@ -112,21 +112,7 @@ AC_DEFUN([INVOKE_LIBOPTS_MACROS_FIRST],[
-   AC_CHECK_FUNCS([mmap canonicalize_file_name snprintf strdup strchr \
-                  strrchr strsignal fchmod fstat chmod])
-   AC_PROG_SED
--  [while :
--  do
--      POSIX_SHELL=`which bash`
--      test -x "$POSIX_SHELL" && break
--      POSIX_SHELL=`which dash`
--      test -x "$POSIX_SHELL" && break
--      POSIX_SHELL=/usr/xpg4/bin/sh
--      test -x "$POSIX_SHELL" && break
--      POSIX_SHELL=`/bin/sh -c '
--          exec 2>/dev/null
--          if ! true ; then exit 1 ; fi
--          echo /bin/sh'`
--      test -x "$POSIX_SHELL" && break
--      ]AC_MSG_ERROR([cannot locate a working POSIX shell])[
--  done]
-+  POSIX_SHELL="${POSIX_SHELL:-/bin/sh}"
-   AC_DEFINE_UNQUOTED([POSIX_SHELL], ["${POSIX_SHELL}"],
-            [define to a working POSIX compliant shell])
-   AC_SUBST([POSIX_SHELL])
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.8.bb b/meta/recipes-support/gnutls/gnutls_3.6.11.1.bb
similarity index 92%
rename from meta/recipes-support/gnutls/gnutls_3.6.8.bb
rename to meta/recipes-support/gnutls/gnutls_3.6.11.1.bb
index c927063f0a..5b05364c25 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.8.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.11.1.bb
@@ -19,11 +19,10 @@ SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
 
 SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \
            file://arm_eabi.patch \
-           file://posix-shell.patch \
 "
 
-SRC_URI[md5sum] = "9dcf0aa45d1a42e1b3ca5d39ec7c61a8"
-SRC_URI[sha256sum] = "aa81944e5635de981171772857e72be231a7e0f559ae0292d2737de475383e83"
+SRC_URI[md5sum] = "3670ee0b0d95b3dee185eff2dc910ee7"
+SRC_URI[sha256sum] = "fbba12f3db9a55dbf027e14111755817ec44b57eabec3e8089aac8ac6f533cf8"
 
 inherit autotools texinfo pkgconfig gettext lib_package gtk-doc
 
-- 
2.25.4

[PATCH][zeus 15/18] gnutls: upgrade 3.6.11.1 -> 3.6.12

[Anuj Mittal]

From: Alexander Kanavin <alex.kanavin@gmail.com>

(From OE-Core rev: 8652c95ceb505dd7386166842486c833ea5a7ee7)

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../gnutls/{gnutls_3.6.11.1.bb => gnutls_3.6.12.bb}           | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-support/gnutls/{gnutls_3.6.11.1.bb => gnutls_3.6.12.bb} (93%)

diff --git a/meta/recipes-support/gnutls/gnutls_3.6.11.1.bb b/meta/recipes-support/gnutls/gnutls_3.6.12.bb
similarity index 93%
rename from meta/recipes-support/gnutls/gnutls_3.6.11.1.bb
rename to meta/recipes-support/gnutls/gnutls_3.6.12.bb
index 5b05364c25..f1eeebc807 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.11.1.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.12.bb
@@ -21,8 +21,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
            file://arm_eabi.patch \
 "
 
-SRC_URI[md5sum] = "3670ee0b0d95b3dee185eff2dc910ee7"
-SRC_URI[sha256sum] = "fbba12f3db9a55dbf027e14111755817ec44b57eabec3e8089aac8ac6f533cf8"
+SRC_URI[md5sum] = "a23900f14980a467bdce3a0fd31dfa18"
+SRC_URI[sha256sum] = "bfacf16e342949ffd977a9232556092c47164bd26e166736cf3459a870506c4b"
 
 inherit autotools texinfo pkgconfig gettext lib_package gtk-doc
 
-- 
2.25.4

[PATCH][zeus 16/18] gnutls: upgrade 3.6.12 -> 3.6.13

[Anuj Mittal]

From: Wang Mingyu <wangmy@cn.fujitsu.com>

(From OE-Core rev: 5cc0f0dcf1f41bc148b034b3f7abef756a328cd3)

Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[ includes the fix for CVE-2020-11501 ]
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../gnutls/{gnutls_3.6.12.bb => gnutls_3.6.13.bb}             | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-support/gnutls/{gnutls_3.6.12.bb => gnutls_3.6.13.bb} (93%)

diff --git a/meta/recipes-support/gnutls/gnutls_3.6.12.bb b/meta/recipes-support/gnutls/gnutls_3.6.13.bb
similarity index 93%
rename from meta/recipes-support/gnutls/gnutls_3.6.12.bb
rename to meta/recipes-support/gnutls/gnutls_3.6.13.bb
index f1eeebc807..f56d42a613 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.12.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.13.bb
@@ -21,8 +21,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
            file://arm_eabi.patch \
 "
 
-SRC_URI[md5sum] = "a23900f14980a467bdce3a0fd31dfa18"
-SRC_URI[sha256sum] = "bfacf16e342949ffd977a9232556092c47164bd26e166736cf3459a870506c4b"
+SRC_URI[md5sum] = "bb1fe696a11543433785b4fc70ca225f"
+SRC_URI[sha256sum] = "32041df447d9f4644570cf573c9f60358e865637d69b7e59d1159b7240b52f38"
 
 inherit autotools texinfo pkgconfig gettext lib_package gtk-doc
 
-- 
2.25.4

[PATCH][zeus 17/18] systemd: Fix CVE-2020-1712

[Anuj Mittal]

From: "wenlin.kang@windriver.com" <wenlin.kang@windriver.com>

Fix CVE-2020-1712

Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../0001-Merge-branch-polkit-ref-count.patch  | 520 ++++++++++++++++++
 meta/recipes-core/systemd/systemd_243.2.bb    |   1 +
 2 files changed, 521 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/0001-Merge-branch-polkit-ref-count.patch

diff --git a/meta/recipes-core/systemd/systemd/0001-Merge-branch-polkit-ref-count.patch b/meta/recipes-core/systemd/systemd/0001-Merge-branch-polkit-ref-count.patch
new file mode 100644
index 0000000000..e684ab8755
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-Merge-branch-polkit-ref-count.patch
@@ -0,0 +1,520 @@
+From 0062d795bf29301ae054e1826a7189198a2565c4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 14 Apr 2020 09:06:53 +0000
+Subject: [PATCH] Merge branch 'polkit-ref-count'
+
+Upsteam-Status: Backport [https://github.com/systemd/systemd/commit/ea0d0ede03c6f18dbc5036c5e9cccf97e415ccc2]
+CVE: CVE-2020-1712
+
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+---
+ TODO                            |   2 +-
+ man/rules/meson.build           |   1 +
+ man/sd_bus_enqueue_for_read.xml |  88 ++++++++++++++++
+ src/libsystemd/libsystemd.sym   |   1 +
+ src/libsystemd/sd-bus/sd-bus.c  |  24 +++++
+ src/shared/bus-util.c           | 179 +++++++++++++++++++++-----------
+ src/systemd/sd-bus.h            |   1 +
+ 7 files changed, 235 insertions(+), 61 deletions(-)
+ create mode 100644 man/sd_bus_enqueue_for_read.xml
+
+diff --git a/TODO b/TODO
+index c5b5b86057..5c5ea1f568 100644
+--- a/TODO
++++ b/TODO
+@@ -184,7 +184,7 @@ Features:
+ 
+ * the a-posteriori stopping of units bound to units that disappeared logic
+   should be reworked: there should be a queue of units, and we should only
+-  enqeue stop jobs from a defer event that processes queue instead of
++  enqueue stop jobs from a defer event that processes queue instead of
+   right-away when we find a unit that is bound to one that doesn't exist
+   anymore. (similar to how the stop-unneeded queue has been reworked the same
+   way)
+diff --git a/man/rules/meson.build b/man/rules/meson.build
+index 3b63311d7b..e80ed98c34 100644
+--- a/man/rules/meson.build
++++ b/man/rules/meson.build
+@@ -192,6 +192,7 @@ manpages = [
+    'sd_bus_open_user_with_description',
+    'sd_bus_open_with_description'],
+   ''],
++ ['sd_bus_enqueue_for_read', '3', [], ''],
+  ['sd_bus_error',
+   '3',
+   ['SD_BUS_ERROR_MAKE_CONST',
+diff --git a/man/sd_bus_enqueue_for_read.xml b/man/sd_bus_enqueue_for_read.xml
+new file mode 100644
+index 0000000000..3318a3031b
+--- /dev/null
++++ b/man/sd_bus_enqueue_for_read.xml
+@@ -0,0 +1,88 @@
++<?xml version='1.0'?>
++<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
++  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
++<!-- SPDX-License-Identifier: LGPL-2.1+ -->
++
++<refentry id="sd_bus_enqueue_for_read"
++          xmlns:xi="http://www.w3.org/2001/XInclude">
++
++  <refentryinfo>
++    <title>sd_bus_enqueue_for_read</title>
++    <productname>systemd</productname>
++  </refentryinfo>
++
++  <refmeta>
++    <refentrytitle>sd_bus_enqueue_for_read</refentrytitle>
++    <manvolnum>3</manvolnum>
++  </refmeta>
++
++  <refnamediv>
++    <refname>sd_bus_enqueue_for_read</refname>
++
++    <refpurpose>Re-enqueue a bus message on a bus connection, for reading.</refpurpose>
++  </refnamediv>
++
++  <refsynopsisdiv>
++    <funcsynopsis>
++      <funcsynopsisinfo>#include &lt;systemd/sd-bus.h&gt;</funcsynopsisinfo>
++
++      <funcprototype>
++        <funcdef>int <function>sd_bus_enqueue_for_read</function></funcdef>
++        <paramdef>sd_bus *<parameter>bus</parameter></paramdef>
++        <paramdef>sd_bus_message *<parameter>message</parameter></paramdef>
++      </funcprototype>
++
++    </funcsynopsis>
++  </refsynopsisdiv>
++
++  <refsect1>
++    <title>Description</title>
++
++    <para><function>sd_bus_enqueue_for_read()</function> may be used to re-enqueue an incoming bus message on
++    the local read queue, so that it is processed and dispatched locally again, similar to how an incoming
++    message from the peer is processed. Takes a bus connection object and the message to enqueue. A reference
++    is taken of the message and the caller's reference thus remains in possession of the caller. The message
++    is enqueued at the end of the queue, thus will be dispatched after all other already queued messages are
++    dispatched.</para>
++
++    <para>This call is primarily useful for dealing with incoming method calls that may be processed only
++    after an additional asynchronous operation completes. One example are PolicyKit authorization requests
++    that are determined to be necessary to authorize a newly incoming method call: when the PolicyKit response
++    is received the original method call may be re-enqueued to process it again, this time with the
++    authorization result known.</para>
++  </refsect1>
++
++  <refsect1>
++    <title>Return Value</title>
++
++    <para>On success, this function return 0 or a positive integer. On failure, it returns a negative errno-style
++    error code.</para>
++
++    <refsect2>
++      <title>Errors</title>
++
++      <para>Returned errors may indicate the following problems:</para>
++
++      <variablelist>
++        <varlistentry>
++          <term><constant>-ECHILD</constant></term>
++
++          <listitem><para>The bus connection has been created in a different process.</para></listitem>
++        </varlistentry>
++      </variablelist>
++    </refsect2>
++  </refsect1>
++
++  <xi:include href="libsystemd-pkgconfig.xml" />
++
++  <refsect1>
++    <title>See Also</title>
++
++    <para>
++      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
++      <citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
++      <citerefentry><refentrytitle>sd_bus_send</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
++    </para>
++  </refsect1>
++
++</refentry>
+diff --git a/src/libsystemd/libsystemd.sym b/src/libsystemd/libsystemd.sym
+index 5ec42e0f1f..c40f1b7d1a 100644
+--- a/src/libsystemd/libsystemd.sym
++++ b/src/libsystemd/libsystemd.sym
+@@ -679,6 +679,7 @@ global:
+ 
+ LIBSYSTEMD_243 {
+ global:
++        sd_bus_enqueue_for_read;
+         sd_bus_object_vtable_format;
+         sd_event_source_disable_unref;
+ } LIBSYSTEMD_241;
+diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c
+index 026ac8cb94..07bc145f37 100644
+--- a/src/libsystemd/sd-bus/sd-bus.c
++++ b/src/libsystemd/sd-bus/sd-bus.c
+@@ -4194,3 +4194,27 @@ _public_ int sd_bus_get_close_on_exit(sd_bus *bus) {
+ 
+         return bus->close_on_exit;
+ }
++
++_public_ int sd_bus_enqueue_for_read(sd_bus *bus, sd_bus_message *m) {
++        int r;
++
++        assert_return(bus, -EINVAL);
++        assert_return(bus = bus_resolve(bus), -ENOPKG);
++        assert_return(m, -EINVAL);
++        assert_return(m->sealed, -EINVAL);
++        assert_return(!bus_pid_changed(bus), -ECHILD);
++
++        if (!BUS_IS_OPEN(bus->state))
++                return -ENOTCONN;
++
++        /* Re-enqueue a message for reading. This is primarily useful for PolicyKit-style authentication,
++         * where we accept a message, then determine we need to interactively authenticate the user, and then
++         * we want to process the message again. */
++
++        r = bus_rqueue_make_room(bus);
++        if (r < 0)
++                return r;
++
++        bus->rqueue[bus->rqueue_size++] = bus_message_ref_queued(m, bus);
++        return 0;
++}
+diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c
+index e9b0b8a99d..88cad9cd0a 100644
+--- a/src/shared/bus-util.c
++++ b/src/shared/bus-util.c
+@@ -212,6 +212,34 @@ static int check_good_user(sd_bus_message *m, uid_t good_user) {
+         return sender_uid == good_user;
+ }
+ 
++#if ENABLE_POLKIT
++static int bus_message_append_strv_key_value(
++                sd_bus_message *m,
++                const char **l) {
++
++        const char **k, **v;
++        int r;
++
++        assert(m);
++
++        r = sd_bus_message_open_container(m, 'a', "{ss}");
++        if (r < 0)
++                return r;
++
++        STRV_FOREACH_PAIR(k, v, l) {
++                r = sd_bus_message_append(m, "{ss}", *k, *v);
++                if (r < 0)
++                        return r;
++        }
++
++        r = sd_bus_message_close_container(m);
++        if (r < 0)
++                return r;
++
++        return r;
++}
++#endif
++
+ int bus_test_polkit(
+                 sd_bus_message *call,
+                 int capability,
+@@ -219,7 +247,7 @@ int bus_test_polkit(
+                 const char **details,
+                 uid_t good_user,
+                 bool *_challenge,
+-                sd_bus_error *e) {
++                sd_bus_error *ret_error) {
+ 
+         int r;
+ 
+@@ -242,7 +270,7 @@ int bus_test_polkit(
+                 _cleanup_(sd_bus_message_unrefp) sd_bus_message *request = NULL;
+                 _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;
+                 int authorized = false, challenge = false;
+-                const char *sender, **k, **v;
++                const char *sender;
+ 
+                 sender = sd_bus_message_get_sender(call);
+                 if (!sender)
+@@ -266,17 +294,7 @@ int bus_test_polkit(
+                 if (r < 0)
+                         return r;
+ 
+-                r = sd_bus_message_open_container(request, 'a', "{ss}");
+-                if (r < 0)
+-                        return r;
+-
+-                STRV_FOREACH_PAIR(k, v, details) {
+-                        r = sd_bus_message_append(request, "{ss}", *k, *v);
+-                        if (r < 0)
+-                                return r;
+-                }
+-
+-                r = sd_bus_message_close_container(request);
++                r = bus_message_append_strv_key_value(request, details);
+                 if (r < 0)
+                         return r;
+ 
+@@ -284,11 +302,11 @@ int bus_test_polkit(
+                 if (r < 0)
+                         return r;
+ 
+-                r = sd_bus_call(call->bus, request, 0, e, &reply);
++                r = sd_bus_call(call->bus, request, 0, ret_error, &reply);
+                 if (r < 0) {
+                         /* Treat no PK available as access denied */
+-                        if (sd_bus_error_has_name(e, SD_BUS_ERROR_SERVICE_UNKNOWN)) {
+-                                sd_bus_error_free(e);
++                        if (sd_bus_error_has_name(ret_error, SD_BUS_ERROR_SERVICE_UNKNOWN)) {
++                                sd_bus_error_free(ret_error);
+                                 return -EACCES;
+                         }
+ 
+@@ -319,15 +337,17 @@ int bus_test_polkit(
+ #if ENABLE_POLKIT
+ 
+ typedef struct AsyncPolkitQuery {
++        char *action;
++        char **details;
++
+         sd_bus_message *request, *reply;
+-        sd_bus_message_handler_t callback;
+-        void *userdata;
+         sd_bus_slot *slot;
++
+         Hashmap *registry;
++        sd_event_source *defer_event_source;
+ } AsyncPolkitQuery;
+ 
+ static void async_polkit_query_free(AsyncPolkitQuery *q) {
+-
+         if (!q)
+                 return;
+ 
+@@ -339,9 +359,25 @@ static void async_polkit_query_free(AsyncPolkitQuery *q) {
+         sd_bus_message_unref(q->request);
+         sd_bus_message_unref(q->reply);
+ 
++        free(q->action);
++        strv_free(q->details);
++
++        sd_event_source_disable_unref(q->defer_event_source);
+         free(q);
+ }
+ 
++static int async_polkit_defer(sd_event_source *s, void *userdata) {
++        AsyncPolkitQuery *q = userdata;
++
++        assert(s);
++
++        /* This is called as idle event source after we processed the async polkit reply, hopefully after the
++         * method call we re-enqueued has been properly processed. */
++
++        async_polkit_query_free(q);
++        return 0;
++}
++
+ static int async_polkit_callback(sd_bus_message *reply, void *userdata, sd_bus_error *error) {
+         _cleanup_(sd_bus_error_free) sd_bus_error error_buffer = SD_BUS_ERROR_NULL;
+         AsyncPolkitQuery *q = userdata;
+@@ -350,21 +386,46 @@ static int async_polkit_callback(sd_bus_message *reply, void *userdata, sd_bus_e
+         assert(reply);
+         assert(q);
+ 
++        assert(q->slot);
+         q->slot = sd_bus_slot_unref(q->slot);
++
++        assert(!q->reply);
+         q->reply = sd_bus_message_ref(reply);
+ 
++        /* Now, let's dispatch the original message a second time be re-enqueing. This will then traverse the
++         * whole message processing again, and thus re-validating and re-retrieving the "userdata" field
++         * again.
++         *
++         * We install an idle event loop event to clean-up the PolicyKit request data when we are idle again,
++         * i.e. after the second time the message is processed is complete. */
++
++        assert(!q->defer_event_source);
++        r = sd_event_add_defer(sd_bus_get_event(sd_bus_message_get_bus(reply)), &q->defer_event_source, async_polkit_defer, q);
++        if (r < 0)
++                goto fail;
++
++        r = sd_event_source_set_priority(q->defer_event_source, SD_EVENT_PRIORITY_IDLE);
++        if (r < 0)
++                goto fail;
++
++        r = sd_event_source_set_enabled(q->defer_event_source, SD_EVENT_ONESHOT);
++        if (r < 0)
++                goto fail;
++
+         r = sd_bus_message_rewind(q->request, true);
+-        if (r < 0) {
+-                r = sd_bus_reply_method_errno(q->request, r, NULL);
+-                goto finish;
+-        }
++        if (r < 0)
++                goto fail;
+ 
+-        r = q->callback(q->request, q->userdata, &error_buffer);
+-        r = bus_maybe_reply_error(q->request, r, &error_buffer);
++        r = sd_bus_enqueue_for_read(sd_bus_message_get_bus(q->request), q->request);
++        if (r < 0)
++                goto fail;
+ 
+-finish:
+-        async_polkit_query_free(q);
++        return 1;
+ 
++fail:
++        log_debug_errno(r, "Processing asynchronous PolicyKit reply failed, ignoring: %m");
++        (void) sd_bus_reply_method_errno(q->request, r, NULL);
++        async_polkit_query_free(q);
+         return r;
+ }
+ 
+@@ -378,16 +439,14 @@ int bus_verify_polkit_async(
+                 bool interactive,
+                 uid_t good_user,
+                 Hashmap **registry,
+-                sd_bus_error *error) {
++                sd_bus_error *ret_error) {
+ 
+ #if ENABLE_POLKIT
+         _cleanup_(sd_bus_message_unrefp) sd_bus_message *pk = NULL;
+         AsyncPolkitQuery *q;
+-        const char *sender, **k, **v;
+-        sd_bus_message_handler_t callback;
+-        void *userdata;
+         int c;
+ #endif
++        const char *sender;
+         int r;
+ 
+         assert(call);
+@@ -403,11 +462,17 @@ int bus_verify_polkit_async(
+         if (q) {
+                 int authorized, challenge;
+ 
+-                /* This is the second invocation of this function, and
+-                 * there's already a response from polkit, let's
+-                 * process it */
++                /* This is the second invocation of this function, and there's already a response from
++                 * polkit, let's process it */
+                 assert(q->reply);
+ 
++                /* If the operation we want to authenticate changed between the first and the second time,
++                 * let's not use this authentication, it might be out of date as the object and context we
++                 * operate on might have changed. */
++                if (!streq(q->action, action) ||
++                    !strv_equal(q->details, (char**) details))
++                        return -ESTALE;
++
+                 if (sd_bus_message_is_method_error(q->reply, NULL)) {
+                         const sd_bus_error *e;
+ 
+@@ -418,7 +483,7 @@ int bus_verify_polkit_async(
+                                 return -EACCES;
+ 
+                         /* Copy error from polkit reply */
+-                        sd_bus_error_copy(error, e);
++                        sd_bus_error_copy(ret_error, e);
+                         return -sd_bus_error_get_errno(e);
+                 }
+ 
+@@ -433,7 +498,7 @@ int bus_verify_polkit_async(
+                         return 1;
+ 
+                 if (challenge)
+-                        return sd_bus_error_set(error, SD_BUS_ERROR_INTERACTIVE_AUTHORIZATION_REQUIRED, "Interactive authentication required.");
++                        return sd_bus_error_set(ret_error, SD_BUS_ERROR_INTERACTIVE_AUTHORIZATION_REQUIRED, "Interactive authentication required.");
+ 
+                 return -EACCES;
+         }
+@@ -445,20 +510,12 @@ int bus_verify_polkit_async(
+         else if (r > 0)
+                 return 1;
+ 
+-#if ENABLE_POLKIT
+-        if (sd_bus_get_current_message(call->bus) != call)
+-                return -EINVAL;
+-
+-        callback = sd_bus_get_current_handler(call->bus);
+-        if (!callback)
+-                return -EINVAL;
+-
+-        userdata = sd_bus_get_current_userdata(call->bus);
+ 
+         sender = sd_bus_message_get_sender(call);
+         if (!sender)
+                 return -EBADMSG;
+ 
++#if ENABLE_POLKIT
+         c = sd_bus_message_get_allow_interactive_authorization(call);
+         if (c < 0)
+                 return c;
+@@ -487,17 +544,7 @@ int bus_verify_polkit_async(
+         if (r < 0)
+                 return r;
+ 
+-        r = sd_bus_message_open_container(pk, 'a', "{ss}");
+-        if (r < 0)
+-                return r;
+-
+-        STRV_FOREACH_PAIR(k, v, details) {
+-                r = sd_bus_message_append(pk, "{ss}", *k, *v);
+-                if (r < 0)
+-                        return r;
+-        }
+-
+-        r = sd_bus_message_close_container(pk);
++        r = bus_message_append_strv_key_value(pk, details);
+         if (r < 0)
+                 return r;
+ 
+@@ -505,13 +552,25 @@ int bus_verify_polkit_async(
+         if (r < 0)
+                 return r;
+ 
+-        q = new0(AsyncPolkitQuery, 1);
++        q = new(AsyncPolkitQuery, 1);
+         if (!q)
+                 return -ENOMEM;
+ 
+-        q->request = sd_bus_message_ref(call);
+-        q->callback = callback;
+-        q->userdata = userdata;
++        *q = (AsyncPolkitQuery) {
++                .request = sd_bus_message_ref(call),
++        };
++
++        q->action = strdup(action);
++        if (!q->action) {
++                async_polkit_query_free(q);
++                return -ENOMEM;
++        }
++
++        q->details = strv_copy((char**) details);
++        if (!q->details) {
++                async_polkit_query_free(q);
++                return -ENOMEM;
++        }
+ 
+         r = hashmap_put(*registry, call, q);
+         if (r < 0) {
+diff --git a/src/systemd/sd-bus.h b/src/systemd/sd-bus.h
+index 84ceb62dc7..0e5c761f83 100644
+--- a/src/systemd/sd-bus.h
++++ b/src/systemd/sd-bus.h
+@@ -201,6 +201,7 @@ int sd_bus_process(sd_bus *bus, sd_bus_message **r);
+ int sd_bus_process_priority(sd_bus *bus, int64_t max_priority, sd_bus_message **r);
+ int sd_bus_wait(sd_bus *bus, uint64_t timeout_usec);
+ int sd_bus_flush(sd_bus *bus);
++int sd_bus_enqueue_for_read(sd_bus *bus, sd_bus_message *m);
+ 
+ sd_bus_slot* sd_bus_get_current_slot(sd_bus *bus);
+ sd_bus_message* sd_bus_get_current_message(sd_bus *bus);
+-- 
+2.23.0
+
diff --git a/meta/recipes-core/systemd/systemd_243.2.bb b/meta/recipes-core/systemd/systemd_243.2.bb
index 6e7f95693b..082eb4c384 100644
--- a/meta/recipes-core/systemd/systemd_243.2.bb
+++ b/meta/recipes-core/systemd/systemd_243.2.bb
@@ -24,6 +24,7 @@ SRC_URI += "file://touchscreen.rules \
            file://0005-rules-watch-metadata-changes-in-ide-devices.patch \
            file://0001-unit-file.c-consider-symlink-on-filesystems-like-NFS.patch \
            file://99-default.preset \
+           file://0001-Merge-branch-polkit-ref-count.patch \
            "
 
 # patches needed by musl
-- 
2.25.4

[PATCH][zeus 18/18] openssl: upgrade 1.1.1f -> 1.1.1g

[Anuj Mittal]

From: Jan Luebbe <jlu@pengutronix.de>

This also fixes CVE-2020-1967.

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../openssl/{openssl_1.1.1f.bb => openssl_1.1.1g.bb}            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/openssl/{openssl_1.1.1f.bb => openssl_1.1.1g.bb} (98%)

diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1f.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
similarity index 98%
rename from meta/recipes-connectivity/openssl/openssl_1.1.1f.bb
rename to meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
index aa4ef6f48a..c514fcd82a 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1f.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
@@ -23,7 +23,7 @@ SRC_URI_append_class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "186c6bfe6ecfba7a5b48c47f8a1673d0f3b0e5ba2e25602dd23b629975da3f35"
+SRC_URI[sha256sum] = "ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46"
 
 inherit lib_package multilib_header multilib_script ptest
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
-- 
2.25.4

✗ patchtest: failure for zeus patch review

[Patchwork]

== Series Details ==

Series: zeus patch review
Revision: 1
URL   : https://patchwork.openembedded.org/series/23949/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Patch            [zeus,18/18] openssl: upgrade 1.1.1f -> 1.1.1g
 Issue             Missing or incorrectly formatted CVE tag in included patch file [test_cve_tag_format] 
  Suggested fix    Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"

* Issue             Added patch file is missing Upstream-Status in the header [test_upstream_status_presence_format] 
  Suggested fix    Add Upstream-Status: <Valid status> to the header of meta/recipes-core/systemd/systemd/0001-Merge-branch-polkit-ref-count.patch
  Standard format  Upstream-Status: <Valid status>
  Valid status     Pending, Accepted, Backport, Denied, Inappropriate [reason], Submitted [where]



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe