[OE-core][dunfell 0/6] Patch review

[OE-core][dunfell 0/6] Patch review

[Steve Sakoman]

Please review this next set of patches for dundell and have comments back by
end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2247

The following changes since commit 2246b0d7a71c69eb2e89c55991d1387069895466:

  kernel-devicetree: Introduce KERNEL_DTC_FLAGS to pass dtc flags (2021-06-08 04:32:17 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Andrea Adami (1):
  kernel.bbclass: fix do_sizecheck() comparison

Kai Kang (1):
  valgrind: fix a typo

Lee Chee Yang (4):
  gstreamer-plugins-good: fix CVE-2021-3497 CVE-2021-3498
  bind: 9.11.22 -> 9.11.32
  ruby: 2.7.1 -> 2.7.3
  python3: fix CVE-2021-23336

 meta/classes/kernel.bbclass                   |   2 +-
 .../bind/bind/CVE-2020-8625.patch             |  17 -
 .../bind/{bind_9.11.22.bb => bind_9.11.32.bb} |   5 +-
 .../python/python3/CVE-2021-23336.patch       | 530 ++++++++++++++++++
 meta/recipes-devtools/python/python3_3.8.2.bb |   1 +
 .../ruby/ruby/CVE-2020-25613.patch            |  40 --
 .../ruby/{ruby_2.7.1.bb => ruby_2.7.3.bb}     |   5 +-
 .../valgrind/valgrind_3.15.0.bb               |   2 +-
 .../CVE-2021-3497.patch                       | 207 +++++++
 .../CVE-2021-3498.patch                       |  44 ++
 .../gstreamer1.0-plugins-good_1.16.3.bb       |   2 +
 11 files changed, 790 insertions(+), 65 deletions(-)
 delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2020-8625.patch
 rename meta/recipes-connectivity/bind/{bind_9.11.22.bb => bind_9.11.32.bb} (96%)
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2021-23336.patch
 delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch
 rename meta/recipes-devtools/ruby/{ruby_2.7.1.bb => ruby_2.7.3.bb} (94%)
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch

-- 
2.25.1

[OE-core][dunfell 1/6] gstreamer-plugins-good: fix CVE-2021-3497 CVE-2021-3498

[Steve Sakoman]

From: Lee Chee Yang <chee.yang.lee@intel.com>

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../CVE-2021-3497.patch                       | 207 ++++++++++++++++++
 .../CVE-2021-3498.patch                       |  44 ++++
 .../gstreamer1.0-plugins-good_1.16.3.bb       |   2 +
 3 files changed, 253 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch
new file mode 100644
index 0000000000..81f7c59a7b
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch
@@ -0,0 +1,207 @@
+From 9181191511f9c0be6a89c98b311f49d66bd46dc3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 4 Mar 2021 13:05:19 +0200
+Subject: [PATCH] matroskademux: Fix extraction of multichannel WavPack
+
+The old code had a couple of issues that all lead to potential memory
+safety bugs.
+
+  - Use a constant for the Wavpack4Header size instead of using sizeof.
+    It's written out into the data and not from the struct and who knows
+    what special alignment/padding requirements some C compilers have.
+  - gst_buffer_set_size() does not realloc the buffer when setting a
+    bigger size than allocated, it only allows growing up to the maximum
+    allocated size. Instead use a GstAdapter to collect all the blocks
+    and take out everything at once in the end.
+  - Check that enough data is actually available in the input and
+    otherwise handle it an error in all cases instead of silently
+    ignoring it.
+
+Among other things this fixes out of bounds writes because the code
+assumed gst_buffer_set_size() can grow the buffer and simply wrote after
+the end of the buffer.
+
+Thanks to Natalie Silvanovich for reporting.
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/859
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/903>
+
+Upstream-Status: Backport
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/9181191511f9c0be6a89c98b311f49d66bd46dc3?merge_request_iid=903
+CVE: CVE-2021-3497
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ gst/matroska/matroska-demux.c | 99 +++++++++++++++++++----------------
+ gst/matroska/matroska-ids.h   |  2 +
+ 2 files changed, 55 insertions(+), 46 deletions(-)
+
+diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
+index 467815986..0e47ee7b5 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -3851,6 +3851,12 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+     guint32 block_samples, tmp;
+     gsize size = gst_buffer_get_size (*buf);
+ 
++    if (size < 4) {
++      GST_ERROR_OBJECT (element, "Too small wavpack buffer");
++      gst_buffer_unmap (*buf, &map);
++      return GST_FLOW_ERROR;
++    }
++
+     gst_buffer_extract (*buf, 0, &tmp, sizeof (guint32));
+     block_samples = GUINT32_FROM_LE (tmp);
+     /* we need to reconstruct the header of the wavpack block */
+@@ -3858,10 +3864,10 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+     /* -20 because ck_size is the size of the wavpack block -8
+      * and lace_size is the size of the wavpack block + 12
+      * (the three guint32 of the header that already are in the buffer) */
+-    wvh.ck_size = size + sizeof (Wavpack4Header) - 20;
++    wvh.ck_size = size + WAVPACK4_HEADER_SIZE - 20;
+ 
+     /* block_samples, flags and crc are already in the buffer */
+-    newbuf = gst_buffer_new_allocate (NULL, sizeof (Wavpack4Header) - 12, NULL);
++    newbuf = gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE - 12, NULL);
+ 
+     gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
+     data = outmap.data;
+@@ -3886,9 +3892,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+     audiocontext->wvpk_block_index += block_samples;
+   } else {
+     guint8 *outdata = NULL;
+-    guint outpos = 0;
+-    gsize buf_size, size, out_size = 0;
++    gsize buf_size, size;
+     guint32 block_samples, flags, crc, blocksize;
++    GstAdapter *adapter;
++
++    adapter = gst_adapter_new ();
+ 
+     gst_buffer_map (*buf, &map, GST_MAP_READ);
+     buf_data = map.data;
+@@ -3897,6 +3905,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+     if (buf_size < 4) {
+       GST_ERROR_OBJECT (element, "Too small wavpack buffer");
+       gst_buffer_unmap (*buf, &map);
++      g_object_unref (adapter);
+       return GST_FLOW_ERROR;
+     }
+ 
+@@ -3918,59 +3927,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+       data += 4;
+       size -= 4;
+ 
+-      if (blocksize == 0 || size < blocksize)
+-        break;
+-
+-      g_assert ((newbuf == NULL) == (outdata == NULL));
++      if (blocksize == 0 || size < blocksize) {
++        GST_ERROR_OBJECT (element, "Too small wavpack buffer");
++        gst_buffer_unmap (*buf, &map);
++        g_object_unref (adapter);
++        return GST_FLOW_ERROR;
++      }
+ 
+-      if (newbuf == NULL) {
+-        out_size = sizeof (Wavpack4Header) + blocksize;
+-        newbuf = gst_buffer_new_allocate (NULL, out_size, NULL);
++      g_assert (newbuf == NULL);
+ 
+-        gst_buffer_copy_into (newbuf, *buf,
+-            GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
++      newbuf =
++          gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE + blocksize,
++          NULL);
++      gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
++      outdata = outmap.data;
++
++      outdata[0] = 'w';
++      outdata[1] = 'v';
++      outdata[2] = 'p';
++      outdata[3] = 'k';
++      outdata += 4;
++
++      GST_WRITE_UINT32_LE (outdata, blocksize + WAVPACK4_HEADER_SIZE - 8);
++      GST_WRITE_UINT16_LE (outdata + 4, wvh.version);
++      GST_WRITE_UINT8 (outdata + 6, wvh.track_no);
++      GST_WRITE_UINT8 (outdata + 7, wvh.index_no);
++      GST_WRITE_UINT32_LE (outdata + 8, wvh.total_samples);
++      GST_WRITE_UINT32_LE (outdata + 12, wvh.block_index);
++      GST_WRITE_UINT32_LE (outdata + 16, block_samples);
++      GST_WRITE_UINT32_LE (outdata + 20, flags);
++      GST_WRITE_UINT32_LE (outdata + 24, crc);
++      outdata += 28;
++
++      memcpy (outdata, data, blocksize);
+ 
+-        outpos = 0;
+-        gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
+-        outdata = outmap.data;
+-      } else {
+-        gst_buffer_unmap (newbuf, &outmap);
+-        out_size += sizeof (Wavpack4Header) + blocksize;
+-        gst_buffer_set_size (newbuf, out_size);
+-        gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
+-        outdata = outmap.data;
+-      }
++      gst_buffer_unmap (newbuf, &outmap);
++      gst_adapter_push (adapter, newbuf);
++      newbuf = NULL;
+ 
+-      outdata[outpos] = 'w';
+-      outdata[outpos + 1] = 'v';
+-      outdata[outpos + 2] = 'p';
+-      outdata[outpos + 3] = 'k';
+-      outpos += 4;
+-
+-      GST_WRITE_UINT32_LE (outdata + outpos,
+-          blocksize + sizeof (Wavpack4Header) - 8);
+-      GST_WRITE_UINT16_LE (outdata + outpos + 4, wvh.version);
+-      GST_WRITE_UINT8 (outdata + outpos + 6, wvh.track_no);
+-      GST_WRITE_UINT8 (outdata + outpos + 7, wvh.index_no);
+-      GST_WRITE_UINT32_LE (outdata + outpos + 8, wvh.total_samples);
+-      GST_WRITE_UINT32_LE (outdata + outpos + 12, wvh.block_index);
+-      GST_WRITE_UINT32_LE (outdata + outpos + 16, block_samples);
+-      GST_WRITE_UINT32_LE (outdata + outpos + 20, flags);
+-      GST_WRITE_UINT32_LE (outdata + outpos + 24, crc);
+-      outpos += 28;
+-
+-      memmove (outdata + outpos, data, blocksize);
+-      outpos += blocksize;
+       data += blocksize;
+       size -= blocksize;
+     }
+     gst_buffer_unmap (*buf, &map);
+-    gst_buffer_unref (*buf);
+ 
+-    if (newbuf)
+-      gst_buffer_unmap (newbuf, &outmap);
++    newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter));
++    g_object_unref (adapter);
+ 
++    gst_buffer_copy_into (newbuf, *buf,
++        GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
++    gst_buffer_unref (*buf);
+     *buf = newbuf;
++
+     audiocontext->wvpk_block_index += block_samples;
+   }
+ 
+diff --git a/gst/matroska/matroska-ids.h b/gst/matroska/matroska-ids.h
+index 429213f77..8d4a685a9 100644
+--- a/gst/matroska/matroska-ids.h
++++ b/gst/matroska/matroska-ids.h
+@@ -688,6 +688,8 @@ typedef struct _Wavpack4Header {
+   guint32 crc;           /* crc for actual decoded data                    */
+ } Wavpack4Header;
+ 
++#define WAVPACK4_HEADER_SIZE (32)
++
+ typedef enum {
+   GST_MATROSKA_TRACK_ENCODING_SCOPE_FRAME = (1<<0),
+   GST_MATROSKA_TRACK_ENCODING_SCOPE_CODEC_DATA = (1<<1),
+-- 
+GitLab
+
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch
new file mode 100644
index 0000000000..d3de2d5014
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch
@@ -0,0 +1,44 @@
+From 02174790726dd20a5c73ce2002189bf240ad4fe0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 3 Mar 2021 11:31:52 +0200
+Subject: [PATCH] matroskademux: Initialize track context out parameter to NULL
+ before parsing
+
+Various error return paths don't set it to NULL and callers are only
+checking if the pointer is NULL. As it's allocated on the stack this
+usually contains random stack memory, and more often than not the memory
+of a previously parsed track.
+
+This then causes all kinds of memory corruptions further down the line.
+
+Thanks to Natalie Silvanovich for reporting.
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/858
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/903>
+
+Upstream-Status: Backport [
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/02174790726dd20a5c73ce2002189bf240ad4fe0?merge_request_iid=903 ]
+CVE: CVE-2021-3498
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ gst/matroska/matroska-demux.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
+index 4d0234743..467815986 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -692,6 +692,8 @@ gst_matroska_demux_parse_stream (GstMatroskaDemux * demux, GstEbmlRead * ebml,
+ 
+   DEBUG_ELEMENT_START (demux, ebml, "TrackEntry");
+ 
++  *dest_context = NULL;
++
+   /* start with the master */
+   if ((ret = gst_ebml_read_master (ebml, &id)) != GST_FLOW_OK) {
+     DEBUG_ELEMENT_STOP (demux, ebml, "TrackEntry", ret);
+-- 
+GitLab
+
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
index b3f17d4a4a..1038cbf224 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
@@ -8,6 +8,8 @@ SRC_URI = " \
             https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-${PV}.tar.xz \
             file://0001-qmlgl-ensure-Qt-defines-GLsync-to-fix-compile-on-som.patch \
             file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \
+            file://CVE-2021-3497.patch \
+            file://CVE-2021-3498.patch \
             "
 
 SRC_URI[md5sum] = "c79b6c2f8eaadb2bb66615b694db399e"
-- 
2.25.1

[OE-core][dunfell 2/6] bind: 9.11.22 -> 9.11.32

[Steve Sakoman]

From: Lee Chee Yang <chee.yang.lee@intel.com>

updates include fixes for
CVE-2021-25214
CVE-2021-25215
CVE-2021-25216

CVE-2020-8625 fixed in 9.11.28, so drop that patch

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>

tmp

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../bind/bind/CVE-2020-8625.patch               | 17 -----------------
 .../bind/{bind_9.11.22.bb => bind_9.11.32.bb}   |  5 ++---
 2 files changed, 2 insertions(+), 20 deletions(-)
 delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2020-8625.patch
 rename meta/recipes-connectivity/bind/{bind_9.11.22.bb => bind_9.11.32.bb} (96%)

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8625.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8625.patch
deleted file mode 100644
index 9078f2448e..0000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2020-8625.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Upstream-Status: Backporting [https://downloads.isc.org/isc/bind9/9.16.12/patches/CVE-2020-8625.patch]
-CVE: CVE-2020-8625
-Signed-off-by: Minjae Kim <flowergom@gmail.com>
-
-diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
-index e61d1c600f2..753dc8049fa 100644
---- a/lib/dns/spnego.c
-+++ b/lib/dns/spnego.c
-@@ -848,7 +848,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
- 		return (ASN1_OVERRUN);
- 	}
- 
--	data->components = malloc(len * sizeof(*data->components));
-+	data->components = malloc((len + 1) * sizeof(*data->components));
- 	if (data->components == NULL) {
- 		return (ENOMEM);
- 	}
diff --git a/meta/recipes-connectivity/bind/bind_9.11.22.bb b/meta/recipes-connectivity/bind/bind_9.11.32.bb
similarity index 96%
rename from meta/recipes-connectivity/bind/bind_9.11.22.bb
rename to meta/recipes-connectivity/bind/bind_9.11.32.bb
index 5598ba976d..9feebe5ae2 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.22.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.32.bb
@@ -4,7 +4,7 @@ DESCRIPTION = "BIND 9 provides a full-featured Domain Name Server system"
 SECTION = "console/network"
 
 LICENSE = "ISC & BSD"
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=bf39058a7f64b2a934ce14dc9ec1dd45"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=b88e7ca5f21908e1b2720169f6807cf6"
 
 DEPENDS = "openssl libcap zlib"
 
@@ -19,10 +19,9 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
            file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
            file://0001-avoid-start-failure-with-bind-user.patch \
-           file://CVE-2020-8625.patch \
            "
 
-SRC_URI[sha256sum] = "afc6d8015006f1cabf699ff19f517bb8fd9c1811e5231f26baf51c3550262ac9"
+SRC_URI[sha256sum] = "cbf8cb4b74dd1452d97c3a2a8c625ea346df8516b4b3508ef07443121a591342"
 
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4
-- 
2.25.1

[OE-core][dunfell 3/6] ruby: 2.7.1 -> 2.7.3

[Steve Sakoman]

From: Lee Chee Yang <chee.yang.lee@intel.com>

This release includes security fixes.

CVE-2021-28965: XML round-trip vulnerability in REXML
CVE-2021-28966: Path traversal in Tempfile on Windows

CVE-2020-25613 fixed in 2.7.2, do drop the patch

release notes for 2.7.2 and 2.7.3
https://www.ruby-lang.org/en/news/2020/10/02/ruby-2-7-2-released/
https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-7-3-released/

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ruby/ruby/CVE-2020-25613.patch            | 40 -------------------
 .../ruby/{ruby_2.7.1.bb => ruby_2.7.3.bb}     |  5 +--
 2 files changed, 2 insertions(+), 43 deletions(-)
 delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch
 rename meta/recipes-devtools/ruby/{ruby_2.7.1.bb => ruby_2.7.3.bb} (94%)

diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch b/meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch
deleted file mode 100644
index 1abcb7547e..0000000000
--- a/meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 8946bb38b4d87549f0d99ed73c62c41933f97cc7 Mon Sep 17 00:00:00 2001
-From: Yusuke Endoh <mame@ruby-lang.org>
-Date: Tue, 29 Sep 2020 13:15:58 +0900
-Subject: [PATCH] Make it more strict to interpret some headers
-
-Some regexps were too tolerant.
-
-Upstream-Status: Backport
-[https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7]
-CVE: CVE-2020-25613
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
----
- lib/webrick/httprequest.rb | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb
-index 294bd91..d34eac7 100644
---- a/lib/webrick/httprequest.rb
-+++ b/lib/webrick/httprequest.rb
-@@ -227,9 +227,9 @@ def parse(socket=nil)
-         raise HTTPStatus::BadRequest, "bad URI `#{@unparsed_uri}'."
-       end
- 
--      if /close/io =~ self["connection"]
-+      if /\Aclose\z/io =~ self["connection"]
-         @keep_alive = false
--      elsif /keep-alive/io =~ self["connection"]
-+      elsif /\Akeep-alive\z/io =~ self["connection"]
-         @keep_alive = true
-       elsif @http_version < "1.1"
-         @keep_alive = false
-@@ -508,7 +508,7 @@ def read_body(socket, block)
-       return unless socket
-       if tc = self['transfer-encoding']
-         case tc
--        when /chunked/io then read_chunked(socket, block)
-+        when /\Achunked\z/io then read_chunked(socket, block)
-         else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}."
-         end
-       elsif self['content-length'] || @remaining_size
diff --git a/meta/recipes-devtools/ruby/ruby_2.7.1.bb b/meta/recipes-devtools/ruby/ruby_2.7.3.bb
similarity index 94%
rename from meta/recipes-devtools/ruby/ruby_2.7.1.bb
rename to meta/recipes-devtools/ruby/ruby_2.7.3.bb
index a6c65e887b..318b9acdae 100644
--- a/meta/recipes-devtools/ruby/ruby_2.7.1.bb
+++ b/meta/recipes-devtools/ruby/ruby_2.7.3.bb
@@ -6,12 +6,11 @@ SRC_URI += " \
            file://remove_has_include_macros.patch \
            file://run-ptest \
            file://0001-Modify-shebang-of-libexec-y2racc-and-libexec-racc2y.patch \
-           file://CVE-2020-25613.patch \
            file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \
            "
 
-SRC_URI[md5sum] = "debb9c325bf65021214451660f46e909"
-SRC_URI[sha256sum] = "d418483bdd0000576c1370571121a6eb24582116db0b7bb2005e90e250eae418"
+SRC_URI[md5sum] = "72ef97685008981de3ddb748d0dab31f"
+SRC_URI[sha256sum] = "8925a95e31d8f2c81749025a52a544ea1d05dad18794e6828709268b92e55338"
 
 PACKAGECONFIG ??= ""
 PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
-- 
2.25.1

[OE-core][dunfell 4/6] python3: fix CVE-2021-23336

[Steve Sakoman]

From: Lee Chee Yang <chee.yang.lee@intel.com>

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before
3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable
to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by
using a vector called parameter cloaking. When the attacker can separate query
parameters using a semicolon (;), they can cause a difference in the
interpretation of the request between the proxy (running with default
configuration) and the server. This can result in malicious requests being
cached as completely safe ones, as the proxy would usually not see the
semicolon as a separator, and therefore would not include it in a cache key of
an unkeyed parameter.

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-23336
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23336

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../python/python3/CVE-2021-23336.patch       | 530 ++++++++++++++++++
 meta/recipes-devtools/python/python3_3.8.2.bb |   1 +
 2 files changed, 531 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2021-23336.patch

diff --git a/meta/recipes-devtools/python/python3/CVE-2021-23336.patch b/meta/recipes-devtools/python/python3/CVE-2021-23336.patch
new file mode 100644
index 0000000000..2a885b9d37
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2021-23336.patch
@@ -0,0 +1,530 @@
+From 3ab6f812653e79d008d5eba31dc25d34f3ca7170 Mon Sep 17 00:00:00 2001
+From: Senthil Kumaran <senthil@uthcode.com>
+Date: Mon, 15 Feb 2021 10:15:02 -0800
+Subject: [PATCH] bpo-42967: only use '&' as a query string separator
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+ (GH-24297)  (#24529)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* bpo-42967: only use '&' as a query string separator (#24297)
+
+bpo-42967: [security] Address a web cache-poisoning issue reported in
+urllib.parse.parse_qsl().
+
+urllib.parse will only us "&" as query string separator by default
+instead of both ";" and "&" as allowed in earlier versions. An optional
+argument seperator with default value "&" is added to specify the
+separator.
+
+Co-authored-by: Éric Araujo <merwok@netwok.org>
+Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
+Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
+Co-authored-by: Éric Araujo <merwok@netwok.org>
+(cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776)
+
+* [3.8] bpo-42967: only use '&' as a query string separator (GH-24297)
+
+bpo-42967: [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl().
+
+urllib.parse will only us "&" as query string separator by default instead of both ";" and "&" as allowed in earlier versions. An optional argument seperator with default value "&" is added to specify the separator.
+
+Co-authored-by: Éric Araujo <merwok@netwok.org>
+Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
+Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
+Co-authored-by: Éric Araujo <merwok@netwok.org>.
+(cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776)
+
+Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
+
+* Update correct version information.
+
+* fix docs and make logic clearer
+
+Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
+Co-authored-by: Fidget-Spinner <28750310+Fidget-Spinner@users.noreply.github.com>
+
+Upstream-Status: Backport [https://github.com/python/cpython/commit/e3110c3cfbb7daa690d54d0eff6c264c870a71bf]
+CVE: CVE-2020-23336
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ Doc/library/cgi.rst                           | 11 ++-
+ Doc/library/urllib.parse.rst                  | 22 +++++-
+ Doc/whatsnew/3.6.rst                          | 13 ++++
+ Doc/whatsnew/3.7.rst                          | 13 ++++
+ Lib/cgi.py                                    | 23 ++++---
+ Lib/test/test_cgi.py                          | 29 ++++++--
+ Lib/test/test_urlparse.py                     | 68 +++++++++++++------
+ Lib/urllib/parse.py                           | 19 ++++--
+ .../2021-02-14-15-59-16.bpo-42967.YApqDS.rst  |  1 +
+ 9 files changed, 153 insertions(+), 46 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst
+
+diff --git a/Doc/library/cgi.rst b/Doc/library/cgi.rst
+index 4048592..880074b 100644
+--- a/Doc/library/cgi.rst
++++ b/Doc/library/cgi.rst
+@@ -277,14 +277,16 @@ These are useful if you want more control, or if you want to employ some of the
+ algorithms implemented in this module in other circumstances.
+ 
+ 
+-.. function:: parse(fp=None, environ=os.environ, keep_blank_values=False, strict_parsing=False)
++.. function:: parse(fp=None, environ=os.environ, keep_blank_values=False, strict_parsing=False, separator="&")
+ 
+    Parse a query in the environment or from a file (the file defaults to
+-   ``sys.stdin``).  The *keep_blank_values* and *strict_parsing* parameters are
++   ``sys.stdin``).  The *keep_blank_values*, *strict_parsing* and *separator* parameters are
+    passed to :func:`urllib.parse.parse_qs` unchanged.
+ 
++   .. versionchanged:: 3.8.8
++      Added the *separator* parameter.
+ 
+-.. function:: parse_multipart(fp, pdict, encoding="utf-8", errors="replace")
++.. function:: parse_multipart(fp, pdict, encoding="utf-8", errors="replace", separator="&")
+ 
+    Parse input of type :mimetype:`multipart/form-data` (for  file uploads).
+    Arguments are *fp* for the input file, *pdict* for a dictionary containing
+@@ -303,6 +305,9 @@ algorithms implemented in this module in other circumstances.
+       Added the *encoding* and *errors* parameters.  For non-file fields, the
+       value is now a list of strings, not bytes.
+ 
++   .. versionchanged:: 3.8.8
++      Added the *separator* parameter.
++
+ 
+ .. function:: parse_header(string)
+ 
+diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst
+index 52f98ef..45ca03a 100644
+--- a/Doc/library/urllib.parse.rst
++++ b/Doc/library/urllib.parse.rst
+@@ -165,7 +165,7 @@ or on combining URL components into a URL string.
+       now raise :exc:`ValueError`.
+ 
+ 
+-.. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None)
++.. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None, separator='&')
+ 
+    Parse a query string given as a string argument (data of type
+    :mimetype:`application/x-www-form-urlencoded`).  Data are returned as a
+@@ -190,6 +190,9 @@ or on combining URL components into a URL string.
+    read. If set, then throws a :exc:`ValueError` if there are more than
+    *max_num_fields* fields read.
+ 
++   The optional argument *separator* is the symbol to use for separating the
++   query arguments. It defaults to ``&``.
++
+    Use the :func:`urllib.parse.urlencode` function (with the ``doseq``
+    parameter set to ``True``) to convert such dictionaries into query
+    strings.
+@@ -201,8 +204,14 @@ or on combining URL components into a URL string.
+    .. versionchanged:: 3.8
+       Added *max_num_fields* parameter.
+ 
++   .. versionchanged:: 3.8.8
++      Added *separator* parameter with the default value of ``&``. Python
++      versions earlier than Python 3.8.8 allowed using both ``;`` and ``&`` as
++      query parameter separator. This has been changed to allow only a single
++      separator key, with ``&`` as the default separator.
++
+ 
+-.. function:: parse_qsl(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None)
++.. function:: parse_qsl(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None, separator='&')
+ 
+    Parse a query string given as a string argument (data of type
+    :mimetype:`application/x-www-form-urlencoded`).  Data are returned as a list of
+@@ -226,6 +235,9 @@ or on combining URL components into a URL string.
+    read. If set, then throws a :exc:`ValueError` if there are more than
+    *max_num_fields* fields read.
+ 
++   The optional argument *separator* is the symbol to use for separating the
++   query arguments. It defaults to ``&``.
++
+    Use the :func:`urllib.parse.urlencode` function to convert such lists of pairs into
+    query strings.
+ 
+@@ -235,6 +247,12 @@ or on combining URL components into a URL string.
+    .. versionchanged:: 3.8
+       Added *max_num_fields* parameter.
+ 
++   .. versionchanged:: 3.8.8
++      Added *separator* parameter with the default value of ``&``. Python
++      versions earlier than Python 3.8.8 allowed using both ``;`` and ``&`` as
++      query parameter separator. This has been changed to allow only a single
++      separator key, with ``&`` as the default separator.
++
+ 
+ .. function:: urlunparse(parts)
+ 
+diff --git a/Doc/whatsnew/3.6.rst b/Doc/whatsnew/3.6.rst
+index 04c1f7e..4409a3a 100644
+--- a/Doc/whatsnew/3.6.rst
++++ b/Doc/whatsnew/3.6.rst
+@@ -2443,3 +2443,16 @@ because of the behavior of the socket option ``SO_REUSEADDR`` in UDP. For more
+ details, see the documentation for ``loop.create_datagram_endpoint()``.
+ (Contributed by Kyle Stanley, Antoine Pitrou, and Yury Selivanov in
+ :issue:`37228`.)
++
++Notable changes in Python 3.6.13
++================================
++
++Earlier Python versions allowed using both ``;`` and ``&`` as
++query parameter separators in :func:`urllib.parse.parse_qs` and
++:func:`urllib.parse.parse_qsl`.  Due to security concerns, and to conform with
++newer W3C recommendations, this has been changed to allow only a single
++separator key, with ``&`` as the default.  This change also affects
++:func:`cgi.parse` and :func:`cgi.parse_multipart` as they use the affected
++functions internally. For more details, please see their respective
++documentation.
++(Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)
+diff --git a/Doc/whatsnew/3.7.rst b/Doc/whatsnew/3.7.rst
+index b9b5021..8f47a9f 100644
+--- a/Doc/whatsnew/3.7.rst
++++ b/Doc/whatsnew/3.7.rst
+@@ -2556,3 +2556,16 @@ because of the behavior of the socket option ``SO_REUSEADDR`` in UDP. For more
+ details, see the documentation for ``loop.create_datagram_endpoint()``.
+ (Contributed by Kyle Stanley, Antoine Pitrou, and Yury Selivanov in
+ :issue:`37228`.)
++
++Notable changes in Python 3.7.10
++================================
++
++Earlier Python versions allowed using both ``;`` and ``&`` as
++query parameter separators in :func:`urllib.parse.parse_qs` and
++:func:`urllib.parse.parse_qsl`.  Due to security concerns, and to conform with
++newer W3C recommendations, this has been changed to allow only a single
++separator key, with ``&`` as the default.  This change also affects
++:func:`cgi.parse` and :func:`cgi.parse_multipart` as they use the affected
++functions internally. For more details, please see their respective
++documentation.
++(Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)
+diff --git a/Lib/cgi.py b/Lib/cgi.py
+index 5ace46a..13255a9 100755
+--- a/Lib/cgi.py
++++ b/Lib/cgi.py
+@@ -106,7 +106,8 @@ log = initlog           # The current logging function
+ # 0 ==> unlimited input
+ maxlen = 0
+ 
+-def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0):
++def parse(fp=None, environ=os.environ, keep_blank_values=0,
++          strict_parsing=0, separator='&'):
+     """Parse a query in the environment or from a file (default stdin)
+ 
+         Arguments, all optional:
+@@ -125,6 +126,9 @@ def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0):
+         strict_parsing: flag indicating what to do with parsing errors.
+             If false (the default), errors are silently ignored.
+             If true, errors raise a ValueError exception.
++
++        separator: str. The symbol to use for separating the query arguments.
++            Defaults to &.
+     """
+     if fp is None:
+         fp = sys.stdin
+@@ -145,7 +149,7 @@ def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0):
+     if environ['REQUEST_METHOD'] == 'POST':
+         ctype, pdict = parse_header(environ['CONTENT_TYPE'])
+         if ctype == 'multipart/form-data':
+-            return parse_multipart(fp, pdict)
++            return parse_multipart(fp, pdict, separator=separator)
+         elif ctype == 'application/x-www-form-urlencoded':
+             clength = int(environ['CONTENT_LENGTH'])
+             if maxlen and clength > maxlen:
+@@ -169,10 +173,10 @@ def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0):
+             qs = ""
+         environ['QUERY_STRING'] = qs    # XXX Shouldn't, really
+     return urllib.parse.parse_qs(qs, keep_blank_values, strict_parsing,
+-                                 encoding=encoding)
++                                 encoding=encoding, separator=separator)
+ 
+ 
+-def parse_multipart(fp, pdict, encoding="utf-8", errors="replace"):
++def parse_multipart(fp, pdict, encoding="utf-8", errors="replace", separator='&'):
+     """Parse multipart input.
+ 
+     Arguments:
+@@ -193,7 +197,7 @@ def parse_multipart(fp, pdict, encoding="utf-8", errors="replace"):
+     headers.set_type(ctype)
+     headers['Content-Length'] = pdict['CONTENT-LENGTH']
+     fs = FieldStorage(fp, headers=headers, encoding=encoding, errors=errors,
+-        environ={'REQUEST_METHOD': 'POST'})
++        environ={'REQUEST_METHOD': 'POST'}, separator=separator)
+     return {k: fs.getlist(k) for k in fs}
+ 
+ def _parseparam(s):
+@@ -303,7 +307,7 @@ class FieldStorage:
+     def __init__(self, fp=None, headers=None, outerboundary=b'',
+                  environ=os.environ, keep_blank_values=0, strict_parsing=0,
+                  limit=None, encoding='utf-8', errors='replace',
+-                 max_num_fields=None):
++                 max_num_fields=None, separator='&'):
+         """Constructor.  Read multipart/* until last part.
+ 
+         Arguments, all optional:
+@@ -351,6 +355,7 @@ class FieldStorage:
+         self.keep_blank_values = keep_blank_values
+         self.strict_parsing = strict_parsing
+         self.max_num_fields = max_num_fields
++        self.separator = separator
+         if 'REQUEST_METHOD' in environ:
+             method = environ['REQUEST_METHOD'].upper()
+         self.qs_on_post = None
+@@ -577,7 +582,7 @@ class FieldStorage:
+         query = urllib.parse.parse_qsl(
+             qs, self.keep_blank_values, self.strict_parsing,
+             encoding=self.encoding, errors=self.errors,
+-            max_num_fields=self.max_num_fields)
++            max_num_fields=self.max_num_fields, separator=self.separator)
+         self.list = [MiniFieldStorage(key, value) for key, value in query]
+         self.skip_lines()
+ 
+@@ -593,7 +598,7 @@ class FieldStorage:
+             query = urllib.parse.parse_qsl(
+                 self.qs_on_post, self.keep_blank_values, self.strict_parsing,
+                 encoding=self.encoding, errors=self.errors,
+-                max_num_fields=self.max_num_fields)
++                max_num_fields=self.max_num_fields, separator=self.separator)
+             self.list.extend(MiniFieldStorage(key, value) for key, value in query)
+ 
+         klass = self.FieldStorageClass or self.__class__
+@@ -637,7 +642,7 @@ class FieldStorage:
+                 else self.limit - self.bytes_read
+             part = klass(self.fp, headers, ib, environ, keep_blank_values,
+                          strict_parsing, limit,
+-                         self.encoding, self.errors, max_num_fields)
++                         self.encoding, self.errors, max_num_fields, self.separator)
+ 
+             if max_num_fields is not None:
+                 max_num_fields -= 1
+diff --git a/Lib/test/test_cgi.py b/Lib/test/test_cgi.py
+index ab86771..bda03ee 100644
+--- a/Lib/test/test_cgi.py
++++ b/Lib/test/test_cgi.py
+@@ -53,12 +53,9 @@ parse_strict_test_cases = [
+     ("", ValueError("bad query field: ''")),
+     ("&", ValueError("bad query field: ''")),
+     ("&&", ValueError("bad query field: ''")),
+-    (";", ValueError("bad query field: ''")),
+-    (";&;", ValueError("bad query field: ''")),
+     # Should the next few really be valid?
+     ("=", {}),
+     ("=&=", {}),
+-    ("=;=", {}),
+     # This rest seem to make sense
+     ("=a", {'': ['a']}),
+     ("&=a", ValueError("bad query field: ''")),
+@@ -73,8 +70,6 @@ parse_strict_test_cases = [
+     ("a=a+b&b=b+c", {'a': ['a b'], 'b': ['b c']}),
+     ("a=a+b&a=b+a", {'a': ['a b', 'b a']}),
+     ("x=1&y=2.0&z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}),
+-    ("x=1;y=2.0&z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}),
+-    ("x=1;y=2.0;z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}),
+     ("Hbc5161168c542333633315dee1182227:key_store_seqid=400006&cuyer=r&view=bustomer&order_id=0bb2e248638833d48cb7fed300000f1b&expire=964546263&lobale=en-US&kid=130003.300038&ss=env",
+      {'Hbc5161168c542333633315dee1182227:key_store_seqid': ['400006'],
+       'cuyer': ['r'],
+@@ -187,6 +182,30 @@ Content-Length: 3
+                     else:
+                         self.assertEqual(fs.getvalue(key), expect_val[0])
+ 
++    def test_separator(self):
++        parse_semicolon = [
++            ("x=1;y=2.0", {'x': ['1'], 'y': ['2.0']}),
++            ("x=1;y=2.0;z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}),
++            (";", ValueError("bad query field: ''")),
++            (";;", ValueError("bad query field: ''")),
++            ("=;a", ValueError("bad query field: 'a'")),
++            (";b=a", ValueError("bad query field: ''")),
++            ("b;=a", ValueError("bad query field: 'b'")),
++            ("a=a+b;b=b+c", {'a': ['a b'], 'b': ['b c']}),
++            ("a=a+b;a=b+a", {'a': ['a b', 'b a']}),
++        ]
++        for orig, expect in parse_semicolon:
++            env = {'QUERY_STRING': orig}
++            fs = cgi.FieldStorage(separator=';', environ=env)
++            if isinstance(expect, dict):
++                for key in expect.keys():
++                    expect_val = expect[key]
++                    self.assertIn(key, fs)
++                    if len(expect_val) > 1:
++                        self.assertEqual(fs.getvalue(key), expect_val)
++                    else:
++                        self.assertEqual(fs.getvalue(key), expect_val[0])
++
+     def test_log(self):
+         cgi.log("Testing")
+ 
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 4ae6ed3..90c8d69 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -32,16 +32,10 @@ parse_qsl_test_cases = [
+     (b"&a=b", [(b'a', b'b')]),
+     (b"a=a+b&b=b+c", [(b'a', b'a b'), (b'b', b'b c')]),
+     (b"a=1&a=2", [(b'a', b'1'), (b'a', b'2')]),
+-    (";", []),
+-    (";;", []),
+-    (";a=b", [('a', 'b')]),
+-    ("a=a+b;b=b+c", [('a', 'a b'), ('b', 'b c')]),
+-    ("a=1;a=2", [('a', '1'), ('a', '2')]),
+-    (b";", []),
+-    (b";;", []),
+-    (b";a=b", [(b'a', b'b')]),
+-    (b"a=a+b;b=b+c", [(b'a', b'a b'), (b'b', b'b c')]),
+-    (b"a=1;a=2", [(b'a', b'1'), (b'a', b'2')]),
++    (";a=b", [(';a', 'b')]),
++    ("a=a+b;b=b+c", [('a', 'a b;b=b c')]),
++    (b";a=b", [(b';a', b'b')]),
++    (b"a=a+b;b=b+c", [(b'a', b'a b;b=b c')]),
+ ]
+ 
+ # Each parse_qs testcase is a two-tuple that contains
+@@ -68,16 +62,10 @@ parse_qs_test_cases = [
+     (b"&a=b", {b'a': [b'b']}),
+     (b"a=a+b&b=b+c", {b'a': [b'a b'], b'b': [b'b c']}),
+     (b"a=1&a=2", {b'a': [b'1', b'2']}),
+-    (";", {}),
+-    (";;", {}),
+-    (";a=b", {'a': ['b']}),
+-    ("a=a+b;b=b+c", {'a': ['a b'], 'b': ['b c']}),
+-    ("a=1;a=2", {'a': ['1', '2']}),
+-    (b";", {}),
+-    (b";;", {}),
+-    (b";a=b", {b'a': [b'b']}),
+-    (b"a=a+b;b=b+c", {b'a': [b'a b'], b'b': [b'b c']}),
+-    (b"a=1;a=2", {b'a': [b'1', b'2']}),
++    (";a=b", {';a': ['b']}),
++    ("a=a+b;b=b+c", {'a': ['a b;b=b c']}),
++    (b";a=b", {b';a': [b'b']}),
++    (b"a=a+b;b=b+c", {b'a':[ b'a b;b=b c']}),
+ ]
+ 
+ class UrlParseTestCase(unittest.TestCase):
+@@ -884,10 +872,46 @@ class UrlParseTestCase(unittest.TestCase):
+     def test_parse_qsl_max_num_fields(self):
+         with self.assertRaises(ValueError):
+             urllib.parse.parse_qs('&'.join(['a=a']*11), max_num_fields=10)
+-        with self.assertRaises(ValueError):
+-            urllib.parse.parse_qs(';'.join(['a=a']*11), max_num_fields=10)
+         urllib.parse.parse_qs('&'.join(['a=a']*10), max_num_fields=10)
+ 
++    def test_parse_qs_separator(self):
++        parse_qs_semicolon_cases = [
++            (";", {}),
++            (";;", {}),
++            (";a=b", {'a': ['b']}),
++            ("a=a+b;b=b+c", {'a': ['a b'], 'b': ['b c']}),
++            ("a=1;a=2", {'a': ['1', '2']}),
++            (b";", {}),
++            (b";;", {}),
++            (b";a=b", {b'a': [b'b']}),
++            (b"a=a+b;b=b+c", {b'a': [b'a b'], b'b': [b'b c']}),
++            (b"a=1;a=2", {b'a': [b'1', b'2']}),
++        ]
++        for orig, expect in parse_qs_semicolon_cases:
++            with self.subTest(f"Original: {orig!r}, Expected: {expect!r}"):
++                result = urllib.parse.parse_qs(orig, separator=';')
++                self.assertEqual(result, expect, "Error parsing %r" % orig)
++
++
++    def test_parse_qsl_separator(self):
++        parse_qsl_semicolon_cases = [
++            (";", []),
++            (";;", []),
++            (";a=b", [('a', 'b')]),
++            ("a=a+b;b=b+c", [('a', 'a b'), ('b', 'b c')]),
++            ("a=1;a=2", [('a', '1'), ('a', '2')]),
++            (b";", []),
++            (b";;", []),
++            (b";a=b", [(b'a', b'b')]),
++            (b"a=a+b;b=b+c", [(b'a', b'a b'), (b'b', b'b c')]),
++            (b"a=1;a=2", [(b'a', b'1'), (b'a', b'2')]),
++        ]
++        for orig, expect in parse_qsl_semicolon_cases:
++            with self.subTest(f"Original: {orig!r}, Expected: {expect!r}"):
++                result = urllib.parse.parse_qsl(orig, separator=';')
++                self.assertEqual(result, expect, "Error parsing %r" % orig)
++
++
+     def test_urlencode_sequences(self):
+         # Other tests incidentally urlencode things; test non-covered cases:
+         # Sequence and object values.
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index e2b6f13..5a3e847 100644
+--- a/Lib/urllib/parse.py
++++ b/Lib/urllib/parse.py
+@@ -648,7 +648,7 @@ def unquote(string, encoding='utf-8', errors='replace'):
+ 
+ 
+ def parse_qs(qs, keep_blank_values=False, strict_parsing=False,
+-             encoding='utf-8', errors='replace', max_num_fields=None):
++             encoding='utf-8', errors='replace', max_num_fields=None, separator='&'):
+     """Parse a query given as a string argument.
+ 
+         Arguments:
+@@ -672,12 +672,15 @@ def parse_qs(qs, keep_blank_values=False, strict_parsing=False,
+         max_num_fields: int. If set, then throws a ValueError if there
+             are more than n fields read by parse_qsl().
+ 
++        separator: str. The symbol to use for separating the query arguments.
++            Defaults to &.
++
+         Returns a dictionary.
+     """
+     parsed_result = {}
+     pairs = parse_qsl(qs, keep_blank_values, strict_parsing,
+                       encoding=encoding, errors=errors,
+-                      max_num_fields=max_num_fields)
++                      max_num_fields=max_num_fields, separator=separator)
+     for name, value in pairs:
+         if name in parsed_result:
+             parsed_result[name].append(value)
+@@ -687,7 +690,7 @@ def parse_qs(qs, keep_blank_values=False, strict_parsing=False,
+ 
+ 
+ def parse_qsl(qs, keep_blank_values=False, strict_parsing=False,
+-              encoding='utf-8', errors='replace', max_num_fields=None):
++              encoding='utf-8', errors='replace', max_num_fields=None, separator='&'):
+     """Parse a query given as a string argument.
+ 
+         Arguments:
+@@ -710,19 +713,25 @@ def parse_qsl(qs, keep_blank_values=False, strict_parsing=False,
+         max_num_fields: int. If set, then throws a ValueError
+             if there are more than n fields read by parse_qsl().
+ 
++        separator: str. The symbol to use for separating the query arguments.
++            Defaults to &.
++
+         Returns a list, as G-d intended.
+     """
+     qs, _coerce_result = _coerce_args(qs)
+ 
++    if not separator or (not isinstance(separator, (str, bytes))):
++        raise ValueError("Separator must be of type string or bytes.")
++
+     # If max_num_fields is defined then check that the number of fields
+     # is less than max_num_fields. This prevents a memory exhaustion DOS
+     # attack via post bodies with many fields.
+     if max_num_fields is not None:
+-        num_fields = 1 + qs.count('&') + qs.count(';')
++        num_fields = 1 + qs.count(separator)
+         if max_num_fields < num_fields:
+             raise ValueError('Max number of fields exceeded')
+ 
+-    pairs = [s2 for s1 in qs.split('&') for s2 in s1.split(';')]
++    pairs = [s1 for s1 in qs.split(separator)]
+     r = []
+     for name_value in pairs:
+         if not name_value and not strict_parsing:
+diff --git a/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst b/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst
+new file mode 100644
+index 0000000..f08489b
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst
+@@ -0,0 +1 @@
++Fix web cache poisoning vulnerability by defaulting the query args separator to ``&``, and allowing the user to choose a custom separator.
diff --git a/meta/recipes-devtools/python/python3_3.8.2.bb b/meta/recipes-devtools/python/python3_3.8.2.bb
index 072ce97472..762e9444b8 100644
--- a/meta/recipes-devtools/python/python3_3.8.2.bb
+++ b/meta/recipes-devtools/python/python3_3.8.2.bb
@@ -39,6 +39,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://CVE-2020-26116.patch \
            file://CVE-2020-27619.patch \
            file://CVE-2021-3177.patch \
+	   file://CVE-2021-23336.patch \
            "
 
 SRC_URI_append_class-native = " \
-- 
2.25.1

[OE-core][dunfell 5/6] valgrind: fix a typo

[Steve Sakoman]

From: Kai Kang <kai.kang@windriver.com>

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0478d9b04d6a6d10e439116b23b641a1e2553e26)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/valgrind/valgrind_3.15.0.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/valgrind/valgrind_3.15.0.bb b/meta/recipes-devtools/valgrind/valgrind_3.15.0.bb
index 4621471d67..67999e579a 100644
--- a/meta/recipes-devtools/valgrind/valgrind_3.15.0.bb
+++ b/meta/recipes-devtools/valgrind/valgrind_3.15.0.bb
@@ -107,7 +107,7 @@ VALGRINDARCH_mipsel = "mips32"
 VALGRINDARCH_mips64el = "mips64"
 VALGRINDARCH_powerpc = "ppc"
 VALGRINDARCH_powerpc64 = "ppc64"
-VALGRINDARCH_powerpc64el = "ppc64le"
+VALGRINDARCH_powerpc64le = "ppc64le"
 
 INHIBIT_PACKAGE_STRIP_FILES = "${PKGD}${libdir}/valgrind/vgpreload_memcheck-${VALGRINDARCH}-linux.so"
 
-- 
2.25.1

[OE-core][dunfell 6/6] kernel.bbclass: fix do_sizecheck() comparison

[Steve Sakoman]

From: Andrea Adami <andrea.adami@gmail.com>

The routine do_sizecheck() was historically needed by legacy
devices with limited flash memory.
The lowest extreme is probably with Zaurus collie having exactly
1024*1024 = 1048576 bytes for the kernel partition.

In the years the KERNEL_IMAGE_MAXSIZE has been converted to kilobytes
thus rounded so we have now KERNEL_IMAGE_MAXSIZE_collie = "1024".

The effect is that now the check fails because we hit curiously this
 | WARNING: This kernel zImage (size=1024(K) > 1024(K)) is too big for...
even though zImage is 1047288 bytes (kernel + kexecboot-klibc-initramfs).

Fix this case using test -gt (greater) instead of -ge (greater or equal).

Signed-off-by: Andrea Adami <andrea.adami@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 254ca956d63b4ce6aa294213b60bb943f9f3a9e6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/kernel.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass
index 518aaef724..85c6594c27 100644
--- a/meta/classes/kernel.bbclass
+++ b/meta/classes/kernel.bbclass
@@ -680,7 +680,7 @@ do_sizecheck() {
 		at_least_one_fits=
 		for imageType in ${KERNEL_IMAGETYPES} ; do
 			size=`du -ks ${B}/${KERNEL_OUTPUT_DIR}/$imageType | awk '{print $1}'`
-			if [ $size -ge ${KERNEL_IMAGE_MAXSIZE} ]; then
+			if [ $size -gt ${KERNEL_IMAGE_MAXSIZE} ]; then
 				bbwarn "This kernel $imageType (size=$size(K) > ${KERNEL_IMAGE_MAXSIZE}(K)) is too big for your device."
 			else
 				at_least_one_fits=y
-- 
2.25.1