[meta-oe][dunfell][PATCH 1/5] freerdp: Upgrade to 2.2.0

[meta-oe][dunfell][PATCH 1/5] freerdp: Upgrade to 2.2.0

[Marek Vasut]

From: Khem Raj <raj.khem@gmail.com>

(cherry picked from commit f751dcf81a18fe817b40e755a2ba3f54a74d1e02)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Marek Vasut <marex@denx.de>
---
 .../freerdp/{freerdp_git.bb => freerdp_2.2.0.bb}            | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
 rename meta-oe/recipes-support/freerdp/{freerdp_git.bb => freerdp_2.2.0.bb} (94%)

diff --git a/meta-oe/recipes-support/freerdp/freerdp_git.bb b/meta-oe/recipes-support/freerdp/freerdp_2.2.0.bb
similarity index 94%
rename from meta-oe/recipes-support/freerdp/freerdp_git.bb
rename to meta-oe/recipes-support/freerdp/freerdp_2.2.0.bb
index 309acfbff..90ede1297 100644
--- a/meta-oe/recipes-support/freerdp/freerdp_git.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp_2.2.0.bb
@@ -11,12 +11,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
 inherit pkgconfig cmake gitpkgv
 
 PE = "1"
-PV = "2.0.0+gitr${SRCPV}"
 PKGV = "${GITPKGVTAG}"
 
-# 2.0.0 release
-SRCREV = "5ab2bed8749747b8e4b2ed431fd102bc726be684"
-SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \
+SRCREV = "d2ba84a6885f57674098fe8e76c5f99d880e580d"
+SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https \
     file://winpr-makecert-Build-with-install-RPATH.patch \
 "
 
-- 
2.34.1

[meta-oe][dunfell][PATCH 2/5] freerdp: Upgrade 2.2.0 -> 2.3.0

[Marek Vasut]

From: Alejandro Hernandez Samaniego <alejandro@enedino.org>

(cherry picked from commit c6a5fa624c4c196782f6a6acc1f4426df3dce781)
Signed-off-by: Alejandro Enedino Hernandez Samaniego <alejandro@enedino.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Marek Vasut <marex@denx.de>
---
 .../freerdp/{freerdp_2.2.0.bb => freerdp_2.3.0.bb}              | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta-oe/recipes-support/freerdp/{freerdp_2.2.0.bb => freerdp_2.3.0.bb} (98%)

diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.2.0.bb b/meta-oe/recipes-support/freerdp/freerdp_2.3.0.bb
similarity index 98%
rename from meta-oe/recipes-support/freerdp/freerdp_2.2.0.bb
rename to meta-oe/recipes-support/freerdp/freerdp_2.3.0.bb
index 90ede1297..e37e71b32 100644
--- a/meta-oe/recipes-support/freerdp/freerdp_2.2.0.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp_2.3.0.bb
@@ -13,7 +13,7 @@ inherit pkgconfig cmake gitpkgv
 PE = "1"
 PKGV = "${GITPKGVTAG}"
 
-SRCREV = "d2ba84a6885f57674098fe8e76c5f99d880e580d"
+SRCREV = "14c7f7aed7dd4e2454ee0cd81028b9f790885021"
 SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https \
     file://winpr-makecert-Build-with-install-RPATH.patch \
 "
-- 
2.34.1

[meta-oe][dunfell][PATCH 3/5] freerdp: backport openssl 3.x patches

[Marek Vasut]

From: Alexander Kanavin <alex.kanavin@gmail.com>

(cherry picked from commit 17ad891757f0a66fabcb7f224c4d36fe6d69ba3b)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Marek Vasut <marex@denx.de>
---
 ...e-support-and-build-with-OpenSSL-3.0.patch | 43 +++++++++++++++++++
 ...d-calling-FIPS_mode-with-OpenSSL-3.0.patch | 28 ++++++++++++
 .../recipes-support/freerdp/freerdp_2.3.0.bb  |  2 +
 3 files changed, 73 insertions(+)
 create mode 100644 meta-oe/recipes-support/freerdp/freerdp/0001-Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch
 create mode 100644 meta-oe/recipes-support/freerdp/freerdp/0002-winpr-avoid-calling-FIPS_mode-with-OpenSSL-3.0.patch

diff --git a/meta-oe/recipes-support/freerdp/freerdp/0001-Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch b/meta-oe/recipes-support/freerdp/freerdp/0001-Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch
new file mode 100644
index 000000000..04fe644d4
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp/0001-Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch
@@ -0,0 +1,43 @@
+From f703b1184229796d504a2e833f72ace4cc605d15 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Wed, 12 May 2021 12:48:15 +0200
+Subject: [PATCH 1/2] Fix FIPS mode support and build with OpenSSL 3.0
+
+FreeRDP fails to build with OpenSSL 3.0 because of usage of the `FIPS_mode`
+and `FIPS_mode_set` functions, which were removed there. Just a note that
+the FIPS mode is not supported by OpenSSL 1.1.* although the mentioned
+functions are still there (see https://wiki.openssl.org/index.php/FIPS_modules).
+Let's make FreeRDP build with OpenSSL 3.0 and fix the FIPS mode support.
+
+See: https://bugzilla.redhat.com/show_bug.cgi?id=1952937
+Upstream-Status: Backport
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ winpr/libwinpr/utils/ssl.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/winpr/libwinpr/utils/ssl.c b/winpr/libwinpr/utils/ssl.c
+index 3a8590390..03b23af43 100644
+--- a/winpr/libwinpr/utils/ssl.c
++++ b/winpr/libwinpr/utils/ssl.c
+@@ -244,9 +244,17 @@ static BOOL winpr_enable_fips(DWORD flags)
+ #else
+ 		WLog_DBG(TAG, "Ensuring openssl fips mode is ENabled");
+ 
++#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
++		if (!EVP_default_properties_is_fips_enabled(NULL))
++#else
+ 		if (FIPS_mode() != 1)
++#endif
+ 		{
++#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
++			if (EVP_set_default_properties(NULL, "fips=yes"))
++#else
+ 			if (FIPS_mode_set(1))
++#endif
+ 				WLog_INFO(TAG, "Openssl fips mode ENabled!");
+ 			else
+ 			{
+-- 
+2.20.1
+
diff --git a/meta-oe/recipes-support/freerdp/freerdp/0002-winpr-avoid-calling-FIPS_mode-with-OpenSSL-3.0.patch b/meta-oe/recipes-support/freerdp/freerdp/0002-winpr-avoid-calling-FIPS_mode-with-OpenSSL-3.0.patch
new file mode 100644
index 000000000..728638e15
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp/0002-winpr-avoid-calling-FIPS_mode-with-OpenSSL-3.0.patch
@@ -0,0 +1,28 @@
+From 4dbf108c0ae5e997d5c432f3da4b4c5fd7b35373 Mon Sep 17 00:00:00 2001
+From: Mike Gilbert <floppym@gentoo.org>
+Date: Sun, 1 Aug 2021 12:14:43 -0400
+Subject: [PATCH 2/2] winpr: avoid calling FIPS_mode() with OpenSSL 3.0
+
+Fixes: 26bf2816c3e0daeaf524c47cf0fcda8ae13b65ad
+Upstream-Status: Backport
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ winpr/libwinpr/utils/ssl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/winpr/libwinpr/utils/ssl.c b/winpr/libwinpr/utils/ssl.c
+index 03b23af43..74ef156e7 100644
+--- a/winpr/libwinpr/utils/ssl.c
++++ b/winpr/libwinpr/utils/ssl.c
+@@ -364,6 +364,8 @@ BOOL winpr_FIPSMode(void)
+ {
+ #if (OPENSSL_VERSION_NUMBER < 0x10001000L) || defined(LIBRESSL_VERSION_NUMBER)
+ 	return FALSE;
++#elif defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
++	return (EVP_default_properties_is_fips_enabled(NULL) == 1);
+ #else
+ 	return (FIPS_mode() == 1);
+ #endif
+-- 
+2.20.1
+
diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.3.0.bb b/meta-oe/recipes-support/freerdp/freerdp_2.3.0.bb
index e37e71b32..57170f68a 100644
--- a/meta-oe/recipes-support/freerdp/freerdp_2.3.0.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp_2.3.0.bb
@@ -16,6 +16,8 @@ PKGV = "${GITPKGVTAG}"
 SRCREV = "14c7f7aed7dd4e2454ee0cd81028b9f790885021"
 SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https \
     file://winpr-makecert-Build-with-install-RPATH.patch \
+    file://0001-Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch \
+    file://0002-winpr-avoid-calling-FIPS_mode-with-OpenSSL-3.0.patch \
 "
 
 S = "${WORKDIR}/git"
-- 
2.34.1

[meta-oe][dunfell][PATCH 4/5] freerdp: Upgrade 2.3.0 -> 2.4.1

[Marek Vasut]

Upgrade freerdp to latest stable 2.x version and drop
OpenSSL 3.x backports which are already upstream.

(cherry picked from commit 2b571a394acc3e006f0207c2152f3f895816c695)
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Alexander Kanavin <alex@linutronix.de>
Cc: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE: CVE-2021-41159 CVE-2021-41160
---
CVEs added per https://lwn.net/Articles/876306/
---
 ...e-support-and-build-with-OpenSSL-3.0.patch | 43 -------------------
 ...d-calling-FIPS_mode-with-OpenSSL-3.0.patch | 28 ------------
 .../{freerdp_2.3.0.bb => freerdp_2.4.1.bb}    |  4 +-
 3 files changed, 1 insertion(+), 74 deletions(-)
 delete mode 100644 meta-oe/recipes-support/freerdp/freerdp/0001-Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch
 delete mode 100644 meta-oe/recipes-support/freerdp/freerdp/0002-winpr-avoid-calling-FIPS_mode-with-OpenSSL-3.0.patch
 rename meta-oe/recipes-support/freerdp/{freerdp_2.3.0.bb => freerdp_2.4.1.bb} (94%)

diff --git a/meta-oe/recipes-support/freerdp/freerdp/0001-Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch b/meta-oe/recipes-support/freerdp/freerdp/0001-Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch
deleted file mode 100644
index 04fe644d4..000000000
--- a/meta-oe/recipes-support/freerdp/freerdp/0001-Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From f703b1184229796d504a2e833f72ace4cc605d15 Mon Sep 17 00:00:00 2001
-From: Ondrej Holy <oholy@redhat.com>
-Date: Wed, 12 May 2021 12:48:15 +0200
-Subject: [PATCH 1/2] Fix FIPS mode support and build with OpenSSL 3.0
-
-FreeRDP fails to build with OpenSSL 3.0 because of usage of the `FIPS_mode`
-and `FIPS_mode_set` functions, which were removed there. Just a note that
-the FIPS mode is not supported by OpenSSL 1.1.* although the mentioned
-functions are still there (see https://wiki.openssl.org/index.php/FIPS_modules).
-Let's make FreeRDP build with OpenSSL 3.0 and fix the FIPS mode support.
-
-See: https://bugzilla.redhat.com/show_bug.cgi?id=1952937
-Upstream-Status: Backport
-Signed-off-by: Alexander Kanavin <alex@linutronix.de>
----
- winpr/libwinpr/utils/ssl.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/winpr/libwinpr/utils/ssl.c b/winpr/libwinpr/utils/ssl.c
-index 3a8590390..03b23af43 100644
---- a/winpr/libwinpr/utils/ssl.c
-+++ b/winpr/libwinpr/utils/ssl.c
-@@ -244,9 +244,17 @@ static BOOL winpr_enable_fips(DWORD flags)
- #else
- 		WLog_DBG(TAG, "Ensuring openssl fips mode is ENabled");
- 
-+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
-+		if (!EVP_default_properties_is_fips_enabled(NULL))
-+#else
- 		if (FIPS_mode() != 1)
-+#endif
- 		{
-+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
-+			if (EVP_set_default_properties(NULL, "fips=yes"))
-+#else
- 			if (FIPS_mode_set(1))
-+#endif
- 				WLog_INFO(TAG, "Openssl fips mode ENabled!");
- 			else
- 			{
--- 
-2.20.1
-
diff --git a/meta-oe/recipes-support/freerdp/freerdp/0002-winpr-avoid-calling-FIPS_mode-with-OpenSSL-3.0.patch b/meta-oe/recipes-support/freerdp/freerdp/0002-winpr-avoid-calling-FIPS_mode-with-OpenSSL-3.0.patch
deleted file mode 100644
index 728638e15..000000000
--- a/meta-oe/recipes-support/freerdp/freerdp/0002-winpr-avoid-calling-FIPS_mode-with-OpenSSL-3.0.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 4dbf108c0ae5e997d5c432f3da4b4c5fd7b35373 Mon Sep 17 00:00:00 2001
-From: Mike Gilbert <floppym@gentoo.org>
-Date: Sun, 1 Aug 2021 12:14:43 -0400
-Subject: [PATCH 2/2] winpr: avoid calling FIPS_mode() with OpenSSL 3.0
-
-Fixes: 26bf2816c3e0daeaf524c47cf0fcda8ae13b65ad
-Upstream-Status: Backport
-Signed-off-by: Alexander Kanavin <alex@linutronix.de>
----
- winpr/libwinpr/utils/ssl.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/winpr/libwinpr/utils/ssl.c b/winpr/libwinpr/utils/ssl.c
-index 03b23af43..74ef156e7 100644
---- a/winpr/libwinpr/utils/ssl.c
-+++ b/winpr/libwinpr/utils/ssl.c
-@@ -364,6 +364,8 @@ BOOL winpr_FIPSMode(void)
- {
- #if (OPENSSL_VERSION_NUMBER < 0x10001000L) || defined(LIBRESSL_VERSION_NUMBER)
- 	return FALSE;
-+#elif defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
-+	return (EVP_default_properties_is_fips_enabled(NULL) == 1);
- #else
- 	return (FIPS_mode() == 1);
- #endif
--- 
-2.20.1
-
diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.3.0.bb b/meta-oe/recipes-support/freerdp/freerdp_2.4.1.bb
similarity index 94%
rename from meta-oe/recipes-support/freerdp/freerdp_2.3.0.bb
rename to meta-oe/recipes-support/freerdp/freerdp_2.4.1.bb
index 57170f68a..7ea7b71ef 100644
--- a/meta-oe/recipes-support/freerdp/freerdp_2.3.0.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp_2.4.1.bb
@@ -13,11 +13,9 @@ inherit pkgconfig cmake gitpkgv
 PE = "1"
 PKGV = "${GITPKGVTAG}"
 
-SRCREV = "14c7f7aed7dd4e2454ee0cd81028b9f790885021"
+SRCREV = "d39a7ba5c38e3ba3b99b1558dc2ab0970cbfb0c5"
 SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https \
     file://winpr-makecert-Build-with-install-RPATH.patch \
-    file://0001-Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch \
-    file://0002-winpr-avoid-calling-FIPS_mode-with-OpenSSL-3.0.patch \
 "
 
 S = "${WORKDIR}/git"
-- 
2.34.1

[meta-oe][dunfell][PATCH 5/5] freerdp: Add missing libusb1 dependency

[Marek Vasut]

The freerdp does depend on libusb1 for rdpdr device forwarding.
This missing dependency is currently hidden, since it is pulled
in by pcsc-lite, but if the later is removed from DEPENDS, the
build fails. Add the missing dependency.

(cherry picked from commit 26658cc249746f780f0aea72a638a664897c3c6e)
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Alexander Kanavin <alex@linutronix.de>
Cc: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
 meta-oe/recipes-support/freerdp/freerdp_2.4.1.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.4.1.bb b/meta-oe/recipes-support/freerdp/freerdp_2.4.1.bb
index 7ea7b71ef..055176e39 100644
--- a/meta-oe/recipes-support/freerdp/freerdp_2.4.1.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp_2.4.1.bb
@@ -3,7 +3,7 @@
 
 DESCRIPTION = "FreeRDP RDP client & server library"
 HOMEPAGE = "http://www.freerdp.com"
-DEPENDS = "openssl alsa-lib pcsc-lite"
+DEPENDS = "openssl alsa-lib pcsc-lite libusb1"
 SECTION = "net"
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
-- 
2.34.1

Re: [oe] [meta-oe][dunfell][PATCH 1/5] freerdp: Upgrade to 2.2.0

[akuster808]

On 1/11/22 2:47 PM, Marek Vasut wrote:
> From: Khem Raj <raj.khem@gmail.com>
>
> (cherry picked from commit f751dcf81a18fe817b40e755a2ba3f54a74d1e02)
> Signed-off-by: Khem Raj <raj.khem@gmail.com>
> Signed-off-by: Marek Vasut <marex@denx.de>

And why should I allow this?

-armin
> ---
>  .../freerdp/{freerdp_git.bb => freerdp_2.2.0.bb}            | 6 ++----
>  1 file changed, 2 insertions(+), 4 deletions(-)
>  rename meta-oe/recipes-support/freerdp/{freerdp_git.bb => freerdp_2.2.0.bb} (94%)
>
> diff --git a/meta-oe/recipes-support/freerdp/freerdp_git.bb b/meta-oe/recipes-support/freerdp/freerdp_2.2.0.bb
> similarity index 94%
> rename from meta-oe/recipes-support/freerdp/freerdp_git.bb
> rename to meta-oe/recipes-support/freerdp/freerdp_2.2.0.bb
> index 309acfbff..90ede1297 100644
> --- a/meta-oe/recipes-support/freerdp/freerdp_git.bb
> +++ b/meta-oe/recipes-support/freerdp/freerdp_2.2.0.bb
> @@ -11,12 +11,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
>  inherit pkgconfig cmake gitpkgv
>  
>  PE = "1"
> -PV = "2.0.0+gitr${SRCPV}"
>  PKGV = "${GITPKGVTAG}"
>  
> -# 2.0.0 release
> -SRCREV = "5ab2bed8749747b8e4b2ed431fd102bc726be684"
> -SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \
> +SRCREV = "d2ba84a6885f57674098fe8e76c5f99d880e580d"
> +SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https \
>      file://winpr-makecert-Build-with-install-RPATH.patch \
>  "
>  
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#94761): https://lists.openembedded.org/g/openembedded-devel/message/94761
> Mute This Topic: https://lists.openembedded.org/mt/88361250/3616698
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [akuster808@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Re: [oe] [meta-oe][dunfell][PATCH 3/5] freerdp: backport openssl 3.x patches

[akuster808]

On 1/11/22 2:47 PM, Marek Vasut wrote:
> From: Alexander Kanavin <alex.kanavin@gmail.com>
>
> (cherry picked from commit 17ad891757f0a66fabcb7f224c4d36fe6d69ba3b)
> Signed-off-by: Alexander Kanavin <alex@linutronix.de>
> Signed-off-by: Khem Raj <raj.khem@gmail.com>
> Signed-off-by: Marek Vasut <marex@denx.de>
> ---
>  ...e-support-and-build-with-OpenSSL-3.0.patch | 43 +++++++++++++++++++
>  ...d-calling-FIPS_mode-with-OpenSSL-3.0.patch | 28 ++++++++++++
>  .../recipes-support/freerdp/freerdp_2.3.0.bb  |  2 +
Dunfell done not support openssl3 so why should I take this patch?

-armin
>  3 files changed, 73 insertions(+)
>  create mode 100644 meta-oe/recipes-support/freerdp/freerdp/0001-Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch
>  create mode 100644 meta-oe/recipes-support/freerdp/freerdp/0002-winpr-avoid-calling-FIPS_mode-with-OpenSSL-3.0.patch
>
> diff --git a/meta-oe/recipes-support/freerdp/freerdp/0001-Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch b/meta-oe/recipes-support/freerdp/freerdp/0001-Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch
> new file mode 100644
> index 000000000..04fe644d4
> --- /dev/null
> +++ b/meta-oe/recipes-support/freerdp/freerdp/0001-Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch
> @@ -0,0 +1,43 @@
> +From f703b1184229796d504a2e833f72ace4cc605d15 Mon Sep 17 00:00:00 2001
> +From: Ondrej Holy <oholy@redhat.com>
> +Date: Wed, 12 May 2021 12:48:15 +0200
> +Subject: [PATCH 1/2] Fix FIPS mode support and build with OpenSSL 3.0
> +
> +FreeRDP fails to build with OpenSSL 3.0 because of usage of the `FIPS_mode`
> +and `FIPS_mode_set` functions, which were removed there. Just a note that
> +the FIPS mode is not supported by OpenSSL 1.1.* although the mentioned
> +functions are still there (see https://wiki.openssl.org/index.php/FIPS_modules).
> +Let's make FreeRDP build with OpenSSL 3.0 and fix the FIPS mode support.
> +
> +See: https://bugzilla.redhat.com/show_bug.cgi?id=1952937
> +Upstream-Status: Backport
> +Signed-off-by: Alexander Kanavin <alex@linutronix.de>
> +---
> + winpr/libwinpr/utils/ssl.c | 8 ++++++++
> + 1 file changed, 8 insertions(+)
> +
> +diff --git a/winpr/libwinpr/utils/ssl.c b/winpr/libwinpr/utils/ssl.c
> +index 3a8590390..03b23af43 100644
> +--- a/winpr/libwinpr/utils/ssl.c
> ++++ b/winpr/libwinpr/utils/ssl.c
> +@@ -244,9 +244,17 @@ static BOOL winpr_enable_fips(DWORD flags)
> + #else
> + 		WLog_DBG(TAG, "Ensuring openssl fips mode is ENabled");
> + 
> ++#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
> ++		if (!EVP_default_properties_is_fips_enabled(NULL))
> ++#else
> + 		if (FIPS_mode() != 1)
> ++#endif
> + 		{
> ++#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
> ++			if (EVP_set_default_properties(NULL, "fips=yes"))
> ++#else
> + 			if (FIPS_mode_set(1))
> ++#endif
> + 				WLog_INFO(TAG, "Openssl fips mode ENabled!");
> + 			else
> + 			{
> +-- 
> +2.20.1
> +
> diff --git a/meta-oe/recipes-support/freerdp/freerdp/0002-winpr-avoid-calling-FIPS_mode-with-OpenSSL-3.0.patch b/meta-oe/recipes-support/freerdp/freerdp/0002-winpr-avoid-calling-FIPS_mode-with-OpenSSL-3.0.patch
> new file mode 100644
> index 000000000..728638e15
> --- /dev/null
> +++ b/meta-oe/recipes-support/freerdp/freerdp/0002-winpr-avoid-calling-FIPS_mode-with-OpenSSL-3.0.patch
> @@ -0,0 +1,28 @@
> +From 4dbf108c0ae5e997d5c432f3da4b4c5fd7b35373 Mon Sep 17 00:00:00 2001
> +From: Mike Gilbert <floppym@gentoo.org>
> +Date: Sun, 1 Aug 2021 12:14:43 -0400
> +Subject: [PATCH 2/2] winpr: avoid calling FIPS_mode() with OpenSSL 3.0
> +
> +Fixes: 26bf2816c3e0daeaf524c47cf0fcda8ae13b65ad
> +Upstream-Status: Backport
> +Signed-off-by: Alexander Kanavin <alex@linutronix.de>
> +---
> + winpr/libwinpr/utils/ssl.c | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/winpr/libwinpr/utils/ssl.c b/winpr/libwinpr/utils/ssl.c
> +index 03b23af43..74ef156e7 100644
> +--- a/winpr/libwinpr/utils/ssl.c
> ++++ b/winpr/libwinpr/utils/ssl.c
> +@@ -364,6 +364,8 @@ BOOL winpr_FIPSMode(void)
> + {
> + #if (OPENSSL_VERSION_NUMBER < 0x10001000L) || defined(LIBRESSL_VERSION_NUMBER)
> + 	return FALSE;
> ++#elif defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
> ++	return (EVP_default_properties_is_fips_enabled(NULL) == 1);
> + #else
> + 	return (FIPS_mode() == 1);
> + #endif
> +-- 
> +2.20.1
> +
> diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.3.0.bb b/meta-oe/recipes-support/freerdp/freerdp_2.3.0.bb
> index e37e71b32..57170f68a 100644
> --- a/meta-oe/recipes-support/freerdp/freerdp_2.3.0.bb
> +++ b/meta-oe/recipes-support/freerdp/freerdp_2.3.0.bb
> @@ -16,6 +16,8 @@ PKGV = "${GITPKGVTAG}"
>  SRCREV = "14c7f7aed7dd4e2454ee0cd81028b9f790885021"
>  SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https \
>      file://winpr-makecert-Build-with-install-RPATH.patch \
> +    file://0001-Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch \
> +    file://0002-winpr-avoid-calling-FIPS_mode-with-OpenSSL-3.0.patch \
>  "
>  
>  S = "${WORKDIR}/git"
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#94765): https://lists.openembedded.org/g/openembedded-devel/message/94765
> Mute This Topic: https://lists.openembedded.org/mt/88361254/3616698
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [akuster808@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Re: [oe] [meta-oe][dunfell][PATCH 1/5] freerdp: Upgrade to 2.2.0

[Marek Vasut]

On 1/12/22 05:42, akuster808 wrote:
> 
> 
> On 1/11/22 2:47 PM, Marek Vasut wrote:
>> From: Khem Raj <raj.khem@gmail.com>
>>
>> (cherry picked from commit f751dcf81a18fe817b40e755a2ba3f54a74d1e02)
>> Signed-off-by: Khem Raj <raj.khem@gmail.com>
>> Signed-off-by: Marek Vasut <marex@denx.de>
> 
> And why should I allow this?

This ... what ? The SoB line or the update ?

SoB line, well, aren't you supposed to add them to backported patches ? 
If not, then I can resend with them dropped, or drop them where applicable.

The update to 2.4.1, because of the CVE fixes.

Re: [oe] [meta-oe][dunfell][PATCH 3/5] freerdp: backport openssl 3.x patches

[Marek Vasut]

On 1/12/22 05:43, akuster808 wrote:
> 
> 
> On 1/11/22 2:47 PM, Marek Vasut wrote:
>> From: Alexander Kanavin <alex.kanavin@gmail.com>
>>
>> (cherry picked from commit 17ad891757f0a66fabcb7f224c4d36fe6d69ba3b)
>> Signed-off-by: Alexander Kanavin <alex@linutronix.de>
>> Signed-off-by: Khem Raj <raj.khem@gmail.com>
>> Signed-off-by: Marek Vasut <marex@denx.de>
>> ---
>>   ...e-support-and-build-with-OpenSSL-3.0.patch | 43 +++++++++++++++++++
>>   ...d-calling-FIPS_mode-with-OpenSSL-3.0.patch | 28 ++++++++++++
>>   .../recipes-support/freerdp/freerdp_2.3.0.bb  |  2 +
> Dunfell done not support openssl3 so why should I take this patch?

The patches are dropped in 4/5 again since the openssl patches are part 
of freerdp 2.4.1 . I picked them as-is to avoid too many changes to the 
cherry-picked commits.

Re: [oe] [meta-oe][dunfell][PATCH 1/5] freerdp: Upgrade to 2.2.0

[akuster808]

On 1/11/22 8:57 PM, Marek Vasut wrote:
> On 1/12/22 05:42, akuster808 wrote:
>>
>>
>> On 1/11/22 2:47 PM, Marek Vasut wrote:
>>> From: Khem Raj <raj.khem@gmail.com>
>>>
>>> (cherry picked from commit f751dcf81a18fe817b40e755a2ba3f54a74d1e02)
>>> Signed-off-by: Khem Raj <raj.khem@gmail.com>
>>> Signed-off-by: Marek Vasut <marex@denx.de>
>>
>> And why should I allow this?
>
> This ... what ? The SoB line or the update ?

What is in the update from 2.2.0 to 2.4.1?

I had to look at the release notes myself and found new features being
added between those two. New features are not allowed per our process.

This patch set will not be included.

- armin
>
> SoB line, well, aren't you supposed to add them to backported patches
> ? If not, then I can resend with them dropped, or drop them where
> applicable.
>
> The update to 2.4.1, because of the CVE fixes.

Re: [oe] [meta-oe][dunfell][PATCH 1/5] freerdp: Upgrade to 2.2.0

[Marek Vasut]

On 1/15/22 14:43, akuster808 wrote:
> 
> 
> On 1/11/22 8:57 PM, Marek Vasut wrote:
>> On 1/12/22 05:42, akuster808 wrote:
>>>
>>>
>>> On 1/11/22 2:47 PM, Marek Vasut wrote:
>>>> From: Khem Raj <raj.khem@gmail.com>
>>>>
>>>> (cherry picked from commit f751dcf81a18fe817b40e755a2ba3f54a74d1e02)
>>>> Signed-off-by: Khem Raj <raj.khem@gmail.com>
>>>> Signed-off-by: Marek Vasut <marex@denx.de>
>>>
>>> And why should I allow this?
>>
>> This ... what ? The SoB line or the update ?
> 
> What is in the update from 2.2.0 to 2.4.1?

This patch updates freerdp from 2.0.0 to 2.2.0 , not from 2.2.0 to 2.4.1 
, that's a later patch. This one addresses quite a few old CVEs though, 
see below.

> I had to look at the release notes myself and found new features being
> added between those two. New features are not allowed per our process.

This should all be part of FreeRDP stable-2.0 branch
https://github.com/FreeRDP/FreeRDP/tree/stable-2.0

Their active development is happening toward 3.0 release, that's where 
features are being added.

Looking briefly at the debian changelog for the various CVEs this 
patchset addresses, here is a list:

https://metadata.ftp-master.debian.org/changelogs//main/f/freerdp2/freerdp2_2.4.1+dfsg1-1_changelog

freerdp2 (2.2.0+dfsg1-1) unstable; urgency=medium

   * New upstream release.
     + CVE-2020-15103: Integer overflow due to missing input sanitation in
...

freerdp2 (2.1.2+dfsg1-1) unstable; urgency=medium

   * New upstream release.
     - CVE-2020-4033: Out of bound read in RLEDECOMPRESS
     - CVE-2020-4031: Use-After-Free in gdi_SelectObject
     - CVE-2020-4032: Integer casting vulnerability in
       `update_recv_secondary_order`
     - CVE-2020-4030: OOB read in `TrioParse`
     - CVE-2020-11099: OOB Read in 
license_read_new_or_upgrade_license_packet
     - CVE-2020-11098: Out-of-bound read in glyph_cache_put
     - CVE-2020-11097: OOB read in ntlm_av_pair_get
     - CVE-2020-11095: Global OOB read in update_recv_primary_order
     - CVE-2020-11096: Global OOB read in update_read_cache_bitmap_v3_order
...

freerdp2 (2.4.1+dfsg1-1) unstable; urgency=medium

   * New upstream release. (Closes: #999727).
     - CVE-2021-41160: Fix improper region checks in all clients that 
allowed
       out of bound write to memory. (Closes: #1001062).
     - CVE-2021-41159: Fix improper client input validation for gateway
       connections that allowed one to overwrite memory. (Closes: #1001061).

> This patch set will not be included.

I see you've made your decision then.

How do you propose those CVEs be closed in dunfell then ?

[...]

Re: [oe] [meta-oe][dunfell][PATCH 1/5] freerdp: Upgrade to 2.2.0

[Marek Vasut]

On 1/16/22 19:05, akuster808 wrote:
> 
> 
> On 1/15/22 7:45 AM, Marek Vasut wrote:
>> On 1/15/22 14:43, akuster808 wrote:
>>>
>>>
>>> On 1/11/22 8:57 PM, Marek Vasut wrote:
>>>> On 1/12/22 05:42, akuster808 wrote:
>>>>>
>>>>>
>>>>> On 1/11/22 2:47 PM, Marek Vasut wrote:
>>>>>> From: Khem Raj <raj.khem@gmail.com>
>>>>>>
>>>>>> (cherry picked from commit f751dcf81a18fe817b40e755a2ba3f54a74d1e02)
>>>>>> Signed-off-by: Khem Raj <raj.khem@gmail.com>
>>>>>> Signed-off-by: Marek Vasut <marex@denx.de>
>>>>>
>>>>> And why should I allow this?
>>>>
>>>> This ... what ? The SoB line or the update ?
>>>
>>> What is in the update from 2.2.0 to 2.4.1?
>>
>> This patch updates freerdp from 2.0.0 to 2.2.0 , not from 2.2.0 to
>> 2.4.1 , that's a later patch.
> I still see new features being added in 2.2.0 so the same statements
> apply.  Until the process changes to allow package updates that include
> new features and functionality for a LTS branch, I am going to decline
> taking this patch series.

What about the large amount of CVE fixes and the fact that this is still 
a stable-2.0 branch update, not upgrade to 3.x , as explained below ?

>> This one addresses quite a few old CVEs though, see below.
>>
>>> I had to look at the release notes myself and found new features being
>>> added between those two. New features are not allowed per our process.
>>
>> This should all be part of FreeRDP stable-2.0 branch
>> https://github.com/FreeRDP/FreeRDP/tree/stable-2.0
>>
>> Their active development is happening toward 3.0 release, that's where
>> features are being added.
>>
>> Looking briefly at the debian changelog for the various CVEs this
>> patchset addresses, here is a list:
>>
>> https://metadata.ftp-master.debian.org/changelogs//main/f/freerdp2/freerdp2_2.4.1+dfsg1-1_changelog
>>
>>
>> freerdp2 (2.2.0+dfsg1-1) unstable; urgency=medium
>>
>>    * New upstream release.
>>      + CVE-2020-15103: Integer overflow due to missing input sanitation in
>> ...
>>
>> freerdp2 (2.1.2+dfsg1-1) unstable; urgency=medium
>>
>>    * New upstream release.
>>      - CVE-2020-4033: Out of bound read in RLEDECOMPRESS
>>      - CVE-2020-4031: Use-After-Free in gdi_SelectObject
>>      - CVE-2020-4032: Integer casting vulnerability in
>>        `update_recv_secondary_order`
>>      - CVE-2020-4030: OOB read in `TrioParse`
>>      - CVE-2020-11099: OOB Read in
>> license_read_new_or_upgrade_license_packet
>>      - CVE-2020-11098: Out-of-bound read in glyph_cache_put
>>      - CVE-2020-11097: OOB read in ntlm_av_pair_get
>>      - CVE-2020-11095: Global OOB read in update_recv_primary_order
>>      - CVE-2020-11096: Global OOB read in
>> update_read_cache_bitmap_v3_order
>> ...
>>
>> freerdp2 (2.4.1+dfsg1-1) unstable; urgency=medium
>>
>>    * New upstream release. (Closes: #999727).
>>      - CVE-2021-41160: Fix improper region checks in all clients that
>> allowed
>>        out of bound write to memory. (Closes: #1001062).
>>      - CVE-2021-41159: Fix improper client input validation for gateway
>>        connections that allowed one to overwrite memory. (Closes:
>> #1001061).
>>
>>> This patch set will not be included.
>>
>> I see you've made your decision then.
>>
>> How do you propose those CVEs be closed in dunfell then ?
>>
>> [...]

What about this ?

Re: [oe] [meta-oe][dunfell][PATCH 1/5] freerdp: Upgrade to 2.2.0

[Marta Rybczynska]

[-- Attachment #1: Type: text/plain, Size: 1411 bytes --]

On Sun, Jan 16, 2022 at 7:22 PM Marek Vasut <marex@denx.de> wrote:

> On 1/16/22 19:05, akuster808 wrote:
> >
> >
> > On 1/15/22 7:45 AM, Marek Vasut wrote:
> >> On 1/15/22 14:43, akuster808 wrote:
> >>>
> >>>
> >>> On 1/11/22 8:57 PM, Marek Vasut wrote:
> >>>> On 1/12/22 05:42, akuster808 wrote:
> >>>>>
> >>>>>
> >>>>> On 1/11/22 2:47 PM, Marek Vasut wrote:
> >>>>>> From: Khem Raj <raj.khem@gmail.com>
> >>>>>>
> >>>>>> (cherry picked from commit f751dcf81a18fe817b40e755a2ba3f54a74d1e02)
> >>>>>> Signed-off-by: Khem Raj <raj.khem@gmail.com>
> >>>>>> Signed-off-by: Marek Vasut <marex@denx.de>
> >>>>>
> >>>>> And why should I allow this?
> >>>>
> >>>> This ... what ? The SoB line or the update ?
> >>>
> >>> What is in the update from 2.2.0 to 2.4.1?
> >>
> >> This patch updates freerdp from 2.0.0 to 2.2.0 , not from 2.2.0 to
> >> 2.4.1 , that's a later patch.
> > I still see new features being added in 2.2.0 so the same statements
> > apply.  Until the process changes to allow package updates that include
> > new features and functionality for a LTS branch, I am going to decline
> > taking this patch series.
>
> What about the large amount of CVE fixes and the fact that this is still
> a stable-2.0 branch update, not upgrade to 3.x , as explained below ?
>
>
Marek,
Are you able to backport needed fixes to 2.2.x series? This would be
something
Armin would likely accept.

Kind regards,
Marta

[-- Attachment #2: Type: text/html, Size: 2466 bytes --]

Re: [oe] [meta-oe][dunfell][PATCH 1/5] freerdp: Upgrade to 2.2.0

[Marek Vasut]

On 1/17/22 18:34, Marta Rybczynska wrote:
> On Sun, Jan 16, 2022 at 7:22 PM Marek Vasut <marex@denx.de> wrote:
> 
>> On 1/16/22 19:05, akuster808 wrote:
>>>
>>>
>>> On 1/15/22 7:45 AM, Marek Vasut wrote:
>>>> On 1/15/22 14:43, akuster808 wrote:
>>>>>
>>>>>
>>>>> On 1/11/22 8:57 PM, Marek Vasut wrote:
>>>>>> On 1/12/22 05:42, akuster808 wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 1/11/22 2:47 PM, Marek Vasut wrote:
>>>>>>>> From: Khem Raj <raj.khem@gmail.com>
>>>>>>>>
>>>>>>>> (cherry picked from commit f751dcf81a18fe817b40e755a2ba3f54a74d1e02)
>>>>>>>> Signed-off-by: Khem Raj <raj.khem@gmail.com>
>>>>>>>> Signed-off-by: Marek Vasut <marex@denx.de>
>>>>>>>
>>>>>>> And why should I allow this?
>>>>>>
>>>>>> This ... what ? The SoB line or the update ?
>>>>>
>>>>> What is in the update from 2.2.0 to 2.4.1?
>>>>
>>>> This patch updates freerdp from 2.0.0 to 2.2.0 , not from 2.2.0 to
>>>> 2.4.1 , that's a later patch.
>>> I still see new features being added in 2.2.0 so the same statements
>>> apply.  Until the process changes to allow package updates that include
>>> new features and functionality for a LTS branch, I am going to decline
>>> taking this patch series.
>>
>> What about the large amount of CVE fixes and the fact that this is still
>> a stable-2.0 branch update, not upgrade to 3.x , as explained below ?
>>
>>
> Marek,
> Are you able to backport needed fixes to 2.2.x series? This would be
> something
> Armin would likely accept.

I'm not really confident at sifting through the 550 or so patches 
between freerdp 2.0.0 and 2.4.1 and picking out what ought to be CVE 
fixes correctly, so that might end up with even worse result.

We can likely pick the fixes from debian oldstable freerdp, but those 
are also last updated in June 2020, and debian stable is on freerdp 
2.3.0 now.

Also, June 2020 is where freerdp no longer has CVE information in the 
commit messages, for whatever reason.

That's why I think rolling the freerdp forward to latest stable-2.x 
series is the easiest, the CVEs get reliably closed and there shouldn't 
be any API/ABI incompatibility.