* [dunfell 00/28] Patch review Jan 17th
@ 2021-01-17 17:45 akuster
  2021-01-17 17:45 ` [dunfell 01/28] tcpdump: Patch for CVE-2020-8037 akuster
                   ` (29 more replies)
  0 siblings, 30 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:45 UTC (permalink / raw)
  To: openembedded-devel

Here is the next batch for Dunfell. Please review and have comments back by Wednesday.

The following changes since commit f2d02cb71eaff8eb285a1997b30be52486c160ae:

  python3-pyinotify: Add missing ctypes dependency (2020-11-15 11:13:25 -0800)

are available in the Git repository at:

  git://git.openembedded.org/meta-openembedded-contrib stable/dunfell-nut
  http://cgit.openembedded.org/meta-openembedded-contrib/log/?h=stable/dunfell-nut

Armin Kuster (5):
  wireguard-module: fix build issue with 5.4 kernel
  mariadb: update to 10.4.17 for cve fixes
  lua: update to 5.3.6
  nss: Security fix CVE-2020-12401
  wireshark: Several security fixes

Chenxi Mao (1):
  geoclue: select avahi-daemon if nmea enabled

Gianfranco (1):
  dlt-daemon: add upstream patch to fix CVE-2020-29394

Khem Raj (4):
  nodejs: Fix build with icu 67.1
  nodejs: Upgrade to 12.18.3
  nodejs: Fix arm32/thumb builds with clang
  nodejs: Update to 12.19.0

Leon Anavi (1):
  php: Upgrade 7.4.4 -> 7.4.9

Max Kellermann (1):
  php: remove the failing ${D}/${TMPDIR} code

Roland Hieber (1):
  pcsc-lite: provide pcsc-lite-lib-native explicitly for native build

Sakib Sajal (1):
  apache2: upgrade v2.4.43 -> v2.4.46

Sean Nyekjaer (1):
  nodejs: 12.19.1 -> 12.20.1

Stacy Gaikovaia (1):
  nodejs: 12.19.0 -> 12.19.1

Wang Mingyu (1):
  zabbix: CVE-2020-15803 Security Advisory

Wenlin Kang (2):
  lua: fix CVE-2020-15945
  lua: fix CVE-2020-24371

Zang Ruochen (1):
  mcpp: Normalize the patch format of CVE

Zheng Ruoqin (4):
  samba: CVE-2020-14318 Security Advisory
  samba: CVE-2020-14383 Security Advisory
  php: CVE-2020-7070
  php: CVE-2020-7069

jabdoa2 (2):
  libsdl2-mixer: Fix ogg/vorbis support in libsdl2-mixer
  libsdl2-mixer: set --disable-music-ogg-shared to link statically

viatsk (1):
  tcpdump: Patch for CVE-2020-8037

 .../samba/samba/CVE-2020-14318.patch          | 142 +++++++++++++++
 .../samba/samba/CVE-2020-14383.patch          | 112 ++++++++++++
 .../samba/samba_4.10.18.bb                    |   2 +
 ...NC_-START-END-were-backported-to-5.4.patch |  29 +++
 .../wireguard-module_1.0.20200401.bb          |   3 +-
 ...ping-don-t-allocate-a-too-large-buff.patch |  70 ++++++++
 .../recipes-support/tcpdump/tcpdump_4.9.3.bb  |   1 +
 ...wireshark_3.2.7.bb => wireshark_3.2.10.bb} |   2 +-
 .../zabbix/zabbix/CVE-2020-15803.patch        |  36 ++++
 .../zabbix/zabbix_4.4.6.bb                    |   1 +
 ...e_10.4.12.bb => mariadb-native_10.4.17.bb} |   0
 meta-oe/recipes-dbs/mysql/mariadb.inc         |   6 +-
 ...-breakage-from-lock_guard-error-6161.patch |  32 ----
 .../mariadb/0001-Fix-library-LZ4-lookup.patch |  19 +-
 .../mysql/mariadb/c11_atomics.patch           |  24 ++-
 .../configure.cmake-fix-valgrind.patch        |  10 +-
 .../mariadb/fix-a-building-failure.patch      |  13 +-
 .../mysql/mariadb/fix-arm-atomic.patch        |  13 +-
 ...Lists.txt-fix-gen_lex_hash-not-found.patch |  12 +-
 ...akeLists.txt-fix-do_populate_sysroot.patch |  10 +-
 ...{mariadb_10.4.12.bb => mariadb_10.4.17.bb} |   0
 ...rriers-cannot-be-active-during-sweep.patch |  90 ++++++++++
 .../lua/lua/CVE-2020-15945.patch              | 167 ++++++++++++++++++
 .../lua/{lua_5.3.5.bb => lua_5.3.6.bb}        |   8 +-
 .../mcpp/files/CVE-2019-14274.patch           |  34 ++++
 .../mcpp/files/ice-mcpp.patch                 |  31 ----
 meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb   |   3 +-
 ...gister-r7-because-llvm-now-issues-an.patch |  53 ++++++
 ...-passing-multiple-libs-to-pkg_config.patch |  41 -----
 ...allow-use-of-system-installed-brotli.patch |  66 -------
 ...Install-both-binaries-and-use-libdir.patch |  28 ++-
 .../{nodejs_12.14.1.bb => nodejs_12.20.1.bb}  |  12 +-
 .../php/php/CVE-2020-7069.patch               | 158 +++++++++++++++++
 .../php/php/CVE-2020-7070.patch               |  24 +++
 .../php/php/debian-php-fixheader.patch        |  27 +--
 .../php/{php_7.4.4.bb => php_7.4.9.bb}        |  16 +-
 .../dlt-daemon/dlt-daemon/275.patch           |  38 ++++
 .../dlt-daemon/dlt-daemon_2.18.4.bb           |   1 +
 .../libsdl/libsdl2-mixer_2.0.4.bb             |   2 +-
 .../geoclue/geoclue_2.5.3.bb                  |   2 +-
 .../nss/nss/CVE-2020-12401.patch              |  52 ++++++
 meta-oe/recipes-support/nss/nss_3.51.1.bb     |   1 +
 .../pcsc-lite/pcsc-lite_1.8.26.bb             |   1 +
 .../{apache2_2.4.43.bb => apache2_2.4.46.bb}  |   4 +-
 44 files changed, 1111 insertions(+), 285 deletions(-)
 create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch
 create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch
 create mode 100644 meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch
 create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch
 rename meta-networking/recipes-support/wireshark/{wireshark_3.2.7.bb => wireshark_3.2.10.bb} (96%)
 create mode 100644 meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2020-15803.patch
 rename meta-oe/recipes-dbs/mysql/{mariadb-native_10.4.12.bb => mariadb-native_10.4.17.bb} (100%)
 delete mode 100644 meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-build-breakage-from-lock_guard-error-6161.patch
 rename meta-oe/recipes-dbs/mysql/{mariadb_10.4.12.bb => mariadb_10.4.17.bb} (100%)
 create mode 100644 meta-oe/recipes-devtools/lua/lua/0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch
 create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch
 rename meta-oe/recipes-devtools/lua/{lua_5.3.5.bb => lua_5.3.6.bb} (87%)
 create mode 100644 meta-oe/recipes-devtools/mcpp/files/CVE-2019-14274.patch
 create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch
 delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-build-allow-passing-multiple-libs-to-pkg_config.patch
 delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0002-build-allow-use-of-system-installed-brotli.patch
 rename meta-oe/recipes-devtools/nodejs/{nodejs_12.14.1.bb => nodejs_12.20.1.bb} (94%)
 create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch
 create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch
 mode change 100755 => 100644 meta-oe/recipes-devtools/php/php/debian-php-fixheader.patch
 rename meta-oe/recipes-devtools/php/{php_7.4.4.bb => php_7.4.9.bb} (97%)
 create mode 100644 meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
 create mode 100644 meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch
 rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.43.bb => apache2_2.4.46.bb} (98%)

-- 
2.17.1



* [dunfell 01/28] tcpdump: Patch for CVE-2020-8037
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
@ 2021-01-17 17:45 ` akuster
  2021-01-17 17:46 ` [dunfell 02/28] dlt-daemon: add upstream patch to fix CVE-2020-29394 akuster
                   ` (28 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:45 UTC (permalink / raw)
  To: openembedded-devel

From: viatsk <viatsk@fastmail.com>

Signed-off-by: Stacy Gaikovaia <stacy.gaikovaia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ...ping-don-t-allocate-a-too-large-buff.patch | 70 +++++++++++++++++++
 .../recipes-support/tcpdump/tcpdump_4.9.3.bb  |  1 +
 2 files changed, 71 insertions(+)
 create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch

diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch
new file mode 100644
index 0000000000..9b74e00c5b
--- /dev/null
+++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch
@@ -0,0 +1,70 @@
+From 32027e199368dad9508965aae8cd8de5b6ab5231 Mon Sep 17 00:00:00 2001
+From: Guy Harris <guy@alum.mit.edu>
+Date: Sat, 18 Apr 2020 14:04:59 -0700
+Subject: [PATCH] PPP: When un-escaping, don't allocate a too-large buffer.
+
+The buffer should be big enough to hold the captured data, but it
+doesn't need to be big enough to hold the entire on-the-network packet,
+if we haven't captured all of it.
+
+(backported from commit e4add0b010ed6f2180dcb05a13026242ed935334)
+
+Upstream-Status: Backport
+Signed-off-by: Stacy Gaikovaia <stacy.gaikovaia@windriver.com>
+
+---
+ print-ppp.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/print-ppp.c b/print-ppp.c
+index 89176172..33fb0341 100644
+--- a/print-ppp.c
++++ b/print-ppp.c
+@@ -1367,19 +1367,29 @@ trunc:
+ 	return 0;
+ }
+ 
++/*
++ * Un-escape RFC 1662 PPP in HDLC-like framing, with octet escapes.
++ * The length argument is the on-the-wire length, not the captured
++ * length; we can only un-escape the captured part.
++ */
+ static void
+ ppp_hdlc(netdissect_options *ndo,
+          const u_char *p, int length)
+ {
++	u_int caplen = ndo->ndo_snapend - p;
+ 	u_char *b, *t, c;
+ 	const u_char *s;
+-	int i, proto;
++	u_int i;
++	int proto;
+ 	const void *se;
+ 
++	if (caplen == 0)
++		return;
++
+         if (length <= 0)
+                 return;
+ 
+-	b = (u_char *)malloc(length);
++	b = (u_char *)malloc(caplen);
+ 	if (b == NULL)
+ 		return;
+ 
+@@ -1388,10 +1398,10 @@ ppp_hdlc(netdissect_options *ndo,
+ 	 * Do this so that we dont overwrite the original packet
+ 	 * contents.
+ 	 */
+-	for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) {
++	for (s = p, t = b, i = caplen; i != 0; i--) {
+ 		c = *s++;
+ 		if (c == 0x7d) {
+-			if (i <= 1 || !ND_TTEST(*s))
++			if (i <= 1)
+ 				break;
+ 			i--;
+ 			c = *s++ ^ 0x20;
+-- 
+2.17.1
+
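Review bot: The header of the new patch file (the block ending at `Upstream-Status: Backport`) never names the CVE: there is no `CVE: CVE-2020-8037` line, and the file name `0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch` does not carry the id either, so the only link to CVE-2020-8037 is the mail subject. Please add a `CVE: CVE-2020-8037` tag next to `Upstream-Status` so CVE tracking can match the fix to the recipe. On the code, the loop in `ppp_hdlc()` now starts from `i = caplen` and consults `length` only in the `length <= 0` early return, so when the captured data extends past the on-the-wire frame length the bytes after the frame are un-escaped as well; bounding the count by the smaller of `caplen` and `length` would respect both limits. `u_int caplen = ndo->ndo_snapend - p;` also relies on `p` never being past `ndo_snapend`, which is worth a comment.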
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
index 94543dd1da..8f7bd59f18 100644
--- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
+++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
@@ -17,6 +17,7 @@ SRC_URI = " \
     file://avoid-absolute-path-when-searching-for-libdlpi.patch \
     file://add-ptest.patch \
     file://run-ptest \
+    file://0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch \
 "
 
 SRC_URI[md5sum] = "a4ead41d371f91aa0a2287f589958bae"
-- 
2.17.1



* [dunfell 02/28] dlt-daemon: add upstream patch to fix CVE-2020-29394
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
  2021-01-17 17:45 ` [dunfell 01/28] tcpdump: Patch for CVE-2020-8037 akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 03/28] pcsc-lite: provide pcsc-lite-lib-native explicitly for native build akuster
                   ` (27 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Gianfranco <costamagna.gianfranco@gmail.com>

More information on: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976228
| A buffer overflow in the dlt_filter_load function in dlt_common.c in
| dlt-daemon 2.8.5 (GENIVI Diagnostic Log and Trace) allows arbitrary
| code execution because fscanf is misused (no limit on the number of
| characters to be read in a format argument).

Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
[Fix up for Dunfell context - AK]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../dlt-daemon/dlt-daemon/275.patch           | 38 +++++++++++++++++++
 .../dlt-daemon/dlt-daemon_2.18.4.bb           |  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch

diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
new file mode 100644
index 0000000000..75065eb054
--- /dev/null
+++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
@@ -0,0 +1,38 @@
+Upstream-status: Backport
+CVE: CVE-2020-29394
+From 7f5cd5404a03fa330e192084f6bdafb2dc9bdcb7 Mon Sep 17 00:00:00 2001
+From: GwanYeong Kim <gy741.kim@gmail.com>
+Date: Sat, 28 Nov 2020 12:24:46 +0900
+Subject: [PATCH] dlt_common: Fix buffer overflow in dlt_filter_load
+
+A buffer overflow in the dlt_filter_load function in dlt_common.c in dlt-daemon allows arbitrary code execution via an unsafe usage of fscanf, because it does not limit the number of characters to be read in a format argument.
+
+Fixed: #274
+
+Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com>
+---
+ src/shared/dlt_common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/shared/dlt_common.c b/src/shared/dlt_common.c
+index 254f4ce4..d15b1cec 100644
+--- a/src/shared/dlt_common.c
++++ b/src/shared/dlt_common.c
+@@ -404,7 +404,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb
+     while (!feof(handle)) {
+         str1[0] = 0;
+ 
+-        if (fscanf(handle, "%s", str1) != 1)
++        if (fscanf(handle, "%254s", str1) != 1)
+             break;
+ 
+         if (str1[0] == 0)
+@@ -419,7 +419,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb
+ 
+         str1[0] = 0;
+ 
+-        if (fscanf(handle, "%s", str1) != 1)
++        if (fscanf(handle, "%254s", str1) != 1)
+             break;
+ 
+         if (str1[0] == 0)
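Review bot: In both `fscanf(handle, "%254s", str1)` calls the width 254 is a bare literal, and the declaration of `str1` lies outside the context shown, so the hunk on its own does not show that the buffer holds at least 255 bytes in 2.18.4. Since the commit message notes a "[Fix up for Dunfell context]" rework, please confirm the buffer size against the 2.18.4 source and consider a comment tying the width to it. The header tag is spelled `Upstream-status:` where the other patches in this series use `Upstream-Status:`, and it would be more useful with the upstream reference after `Backport`.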
diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb
index 35c638bc78..45724e98ac 100644
--- a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb
+++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb
@@ -18,6 +18,7 @@ SRC_URI = "git://github.com/GENIVI/${BPN}.git;protocol=https \
     file://0002-Don-t-execute-processes-as-a-specific-user.patch \
     file://0004-Modify-systemd-config-directory.patch \
     file://204.patch \
+    file://275.patch \
 "
 SRCREV = "14ea971be7e808b9c5099c7f404ed3cf341873c4"
 
-- 
2.17.1



* [dunfell 03/28] pcsc-lite: provide pcsc-lite-lib-native explicitly for native build
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
  2021-01-17 17:45 ` [dunfell 01/28] tcpdump: Patch for CVE-2020-8037 akuster
  2021-01-17 17:46 ` [dunfell 02/28] dlt-daemon: add upstream patch to fix CVE-2020-29394 akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 04/28] wireguard-module: fix build issue with 5.4 kernel akuster
                   ` (26 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Roland Hieber <rhi@pengutronix.de>

Commits e2180b00b3b8fcf776c3 and 8edd760e66b48e411d2a added support for
native builds for the opensc and pcsc-lite recipes, but building
opensc-native fails after commit 40b3a5123120da0e4586 (2019-12-04,
"opensc: fix RDEPENDS in pcsc PACKAGECONFIG"):

    ERROR: Required build target 'opensc-native' has no buildable providers.
    Missing or unbuildable dependency chain was: ['opensc-native', 'pcsc-lite-lib-native']

The commit in question is correct for target builds, but native builds
don't have packages. The -lib part is also provided along with
pcsc-lite-native, and there is no pcsc-lite-lib-native package.

Ideally we would fix this in the opensc recipe. However, using syntax
like "PACKAGECONFIG_class-native[pcsc]" in the opensc recipe is
apparently not possible to overwrite the dependency for a native build,
and using RDEPENDS_remove has no effect either – apparently dependencies
from PACKAGECONFIG are added after RDEPENDS_remove is evaluated.
Therefore let pcsc-lite provide the missing package name for native
builds, even if fixing this unrelated package is not the most elegant
solution.

Fixes: 40b3a5123120da0e4586 (2019-12-04, "opensc: fix RDEPENDS in pcsc PACKAGECONFIG")
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-oe/recipes-support/pcsc-lite/pcsc-lite_1.8.26.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-oe/recipes-support/pcsc-lite/pcsc-lite_1.8.26.bb b/meta-oe/recipes-support/pcsc-lite/pcsc-lite_1.8.26.bb
index 91d77ac938..04989fb740 100644
--- a/meta-oe/recipes-support/pcsc-lite/pcsc-lite_1.8.26.bb
+++ b/meta-oe/recipes-support/pcsc-lite/pcsc-lite_1.8.26.bb
@@ -36,6 +36,7 @@ PACKAGES = "${PN} ${PN}-dbg ${PN}-dev ${PN}-lib ${PN}-doc ${PN}-spy ${PN}-spy-de
 
 RRECOMMENDS_${PN} = "ccid"
 RRECOMMENDS_${PN}_class-native = ""
+RPROVIDES_${PN}_class-native += "pcsc-lite-lib-native"
 
 FILES_${PN} = "${sbindir}/pcscd"
 FILES_${PN}-lib = "${libdir}/libpcsclite*${SOLIBS}"
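Review bot: `RPROVIDES_${PN}_class-native += "pcsc-lite-lib-native"` combines an override with `+=`, which appends to the override-specific variable rather than to `RPROVIDES_${PN}`; once the class-native override is applied that value replaces the base one, so any `RPROVIDES_${PN}` set elsewhere in the recipe would be dropped for the native build. `RPROVIDES_${PN}_append_class-native = " pcsc-lite-lib-native"` states the intent without that side effect. A one-line comment above it pointing at the opensc `PACKAGECONFIG[pcsc]` dependency would also help, since nothing in the recipe explains why this name is provided here.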
-- 
2.17.1



* [dunfell 04/28] wireguard-module: fix build issue with 5.4 kernel
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (2 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 03/28] pcsc-lite: provide pcsc-lite-lib-native explicitly for native build akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 05/28] mcpp: Normalize the patch format of CVE akuster
                   ` (25 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

 /tmp/work/qemux86_64-poky-linux/wireguard-module/1.0.20200401-r0/git/src/compat/compat-asm.h:44: warning: "SYM_FUNC_START" redefined
|    44 | #define SYM_FUNC_START ENTRY
|       |
| In file included from /tmp/work/qemux86_64-poky-linux/wireguard-module/1.0.20200401-r0/git/src/compat/compat-asm.h:9,
|                  from <command-line>:
| /tmp/work-shared/qemux86-64/kernel-source/include/linux/linkage.h:218: note: this is the location of the previous definition
|   218 | #define SYM_FUNC_START(name)    \
|       |
| In file included from <command-line>:
| /tmp/work/qemux86_64-poky-linux/wireguard-module/1.0.20200401-r0/git/src/compat/compat-asm.h:45: warning: "SYM_FUNC_END" redefined
|    45 | #define SYM_FUNC_END ENDPROC
|       |

Backport fix from upstream

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ...NC_-START-END-were-backported-to-5.4.patch | 29 +++++++++++++++++++
 .../wireguard-module_1.0.20200401.bb          |  3 +-
 2 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch

diff --git a/meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch b/meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch
new file mode 100644
index 0000000000..a9dc9dc2b7
--- /dev/null
+++ b/meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch
@@ -0,0 +1,29 @@
+From ce8faa3ee266ea69431805e6ed4bd7102d982508 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 12 Nov 2020 09:43:38 +0100
+Subject: [PATCH] compat: SYM_FUNC_{START,END} were backported to 5.4
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+
+Upstream-Status: Backport
+Fixes build failure in Dunfell.
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ compat/compat-asm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: src/compat/compat-asm.h
+===================================================================
+--- src.orig/compat/compat-asm.h
++++ src/compat/compat-asm.h
+@@ -40,7 +40,7 @@
+ #undef pull
+ #endif
+ 
+-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 5, 0)
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 4, 76)
+ #define SYM_FUNC_START ENTRY
+ #define SYM_FUNC_END ENDPROC
+ #endif
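Review bot: The new bound in `#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 4, 76)` is not explained anywhere: the upstream subject only says the macros "were backported to 5.4", and neither the patch header nor the commit message states that 5.4.76 is the first stable release carrying `SYM_FUNC_START` and `SYM_FUNC_END`. Please add a sentence to the header saying so, together with the kernel version Dunfell builds against, so the cut-off can be checked. The diffstat also lists `compat/compat-asm.h` while the hunk targets `src/compat/compat-asm.h` in quilt `Index:` form; worth confirming it applies against the recipe's `S` without fuzz.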
diff --git a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb
index 73199592c8..45324c02a1 100644
--- a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb
+++ b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb
@@ -2,7 +2,8 @@ require wireguard.inc
 
 SRCREV = "43f57dac7b8305024f83addc533c9eede6509129"
 
-SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat"
+SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat \
+           file://0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch"
 
 inherit module kernel-module-split
 
-- 
2.17.1



* [dunfell 05/28] mcpp: Normalize the patch format of CVE
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (3 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 04/28] wireguard-module: fix build issue with 5.4 kernel akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 06/28] zabbix: CVE-2020-15803 Security Advisory akuster
                   ` (24 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>

Because CVE-2019-14274.patch is included in ice-mcpp.patch, the cve-check-tool fails to correctly judge the CVE of the OSS. CVE-2019-14274.patch is separated from ice-mcpp.patch to fix the problem.

Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9301b77e3266160ffb7e9bfd69d445f0392076c8)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 81874b239287126805aa176907bd52e9a7801655)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../mcpp/files/CVE-2019-14274.patch           | 34 +++++++++++++++++++
 .../mcpp/files/ice-mcpp.patch                 | 31 -----------------
 meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb   |  3 +-
 3 files changed, 36 insertions(+), 32 deletions(-)
 create mode 100644 meta-oe/recipes-devtools/mcpp/files/CVE-2019-14274.patch

diff --git a/meta-oe/recipes-devtools/mcpp/files/CVE-2019-14274.patch b/meta-oe/recipes-devtools/mcpp/files/CVE-2019-14274.patch
new file mode 100644
index 0000000000..a0c6584ecb
--- /dev/null
+++ b/meta-oe/recipes-devtools/mcpp/files/CVE-2019-14274.patch
@@ -0,0 +1,34 @@
+From ea453aca2742be6ac43ba4ce0da6f938a7e5a5d8 Mon Sep 17 00:00:00 2001
+From: He Liu <liulonnie@gmail.com>
+Date: Tue, 4 Feb 2014 11:00:40 -0800
+Subject: [PATCH] line comment bug
+
+---
+ src/support.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/support.c b/src/support.c
+index c57eaef..e3357e4 100644
+--- a/src/support.c
++++ b/src/support.c
+@@ -188,7 +188,7 @@ static char *   append_to_buffer(
+     size_t      length
+ )
+ {
+-    if (mem_buf_p->bytes_avail < length) {  /* Need to allocate more memory */
++    if (mem_buf_p->bytes_avail < length + 1) {  /* Need to allocate more memory */
+         size_t size = MAX( BUF_INCR_SIZE, length);
+ 
+         if (mem_buf_p->buffer == NULL) {            /* 1st append   */
+@@ -1722,6 +1722,8 @@ com_start:
+                     sp -= 2;
+                     while (*sp != '\n')     /* Until end of line    */
+                         mcpp_fputc( *sp++, OUT);
++                    mcpp_fputc('\n', OUT);
++                    wrong_line = TRUE;
+                 }
+                 goto  end_line;
+             default:                        /* Not a comment        */
+-- 
+2.25.1
+
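Review bot: In the `append_to_buffer` hunk the test becomes `bytes_avail < length + 1`, but the growth size on the next context line is still `MAX( BUF_INCR_SIZE, length)`, so for `length >= BUF_INCR_SIZE` the buffer may grow by exactly `length` and still lack the extra byte that the `+ 1` reserves. The allocation code is outside the hunk, so please check it, and if that is the case use `length + 1` inside the `MAX()` as well. Since this file is new to the tree, its header should also gain `CVE: CVE-2019-14274`, an `Upstream-Status:` line and a Signed-off-by; at the moment only the file name ties it to the CVE, and the subject "line comment bug" says nothing about the fix.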
diff --git a/meta-oe/recipes-devtools/mcpp/files/ice-mcpp.patch b/meta-oe/recipes-devtools/mcpp/files/ice-mcpp.patch
index 8103cf0920..1df3ae55bc 100644
--- a/meta-oe/recipes-devtools/mcpp/files/ice-mcpp.patch
+++ b/meta-oe/recipes-devtools/mcpp/files/ice-mcpp.patch
@@ -114,37 +114,6 @@ diff -r -c -N ../mcpp-2.7.2-old/src/main.c ./src/main.c
   }
   
   int     mcpp_lib_main
-diff -r -c -N ../mcpp-2.7.2-old/src/support.c ./src/support.c
-*** ../mcpp-2.7.2-old/src/support.c	Tue Jun 10 06:02:33 2008
---- ./src/support.c	Fri May 14 12:40:56 2010
-***************
-*** 188,194 ****
-      size_t      length
-  )
-  {
-!     if (mem_buf_p->bytes_avail < length) {  /* Need to allocate more memory */
-          size_t size = MAX( BUF_INCR_SIZE, length);
-  
-          if (mem_buf_p->buffer == NULL) {            /* 1st append   */
---- 188,194 ----
-      size_t      length
-  )
-  {
-!     if (mem_buf_p->bytes_avail < length + 1) {  /* Need to allocate more memory */
-          size_t size = MAX( BUF_INCR_SIZE, length);
-  
-          if (mem_buf_p->buffer == NULL) {            /* 1st append   */
-***************
-*** 1722,1727 ****
---- 1722,1729 ----
-                      sp -= 2;
-                      while (*sp != '\n')     /* Until end of line    */
-                          mcpp_fputc( *sp++, OUT);
-+                     mcpp_fputc( '\n', OUT);
-+                     wrong_line = TRUE;
-                  }
-                  goto  end_line;
-              default:                        /* Not a comment        */
 diff -r -c -N ../mcpp-2.7.2-old/src/system.c ./src/system.c
 *** ../mcpp-2.7.2-old/src/system.c      2008-11-26 10:53:51.000000000 +0100
 --- ./src/system.c      2011-02-21 16:18:05.678058106 +0100
diff --git a/meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb b/meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb
index b5ca495663..f8125f72d9 100644
--- a/meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb
+++ b/meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb
@@ -4,7 +4,8 @@ LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=5ca370b75ec890321888a00cea9bc1d5"
 
 SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
-           file://ice-mcpp.patch "
+           file://ice-mcpp.patch \
+           file://CVE-2019-14274.patch"
 SRC_URI[md5sum] = "512de48c87ab023a69250edc7a0c7b05"
 SRC_URI[sha256sum] = "3b9b4421888519876c4fc68ade324a3bbd81ceeb7092ecdbbc2055099fcb8864"
 
-- 
2.17.1



* [dunfell 06/28] zabbix: CVE-2020-15803 Security Advisory
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (4 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 05/28] mcpp: Normalize the patch format of CVE akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 07/28] samba: CVE-2020-14318 " akuster
                   ` (23 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Wang Mingyu <wangmy@cn.fujitsu.com>

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15803

Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d259144422bb44af9dbc7397fc4077d0bf3fc83f)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit d9911b087c83e0c73fbe7eeb497ca388b62d7706)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../zabbix/zabbix/CVE-2020-15803.patch        | 36 +++++++++++++++++++
 .../zabbix/zabbix_4.4.6.bb                    |  1 +
 2 files changed, 37 insertions(+)
 create mode 100644 meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2020-15803.patch

diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2020-15803.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2020-15803.patch
new file mode 100644
index 0000000000..2eec4bf327
--- /dev/null
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2020-15803.patch
@@ -0,0 +1,36 @@
+From 4943334fd9bf7dffd49f9e86251ad40b3efe2135 Mon Sep 17 00:00:00 2001
+From: Wang Mingyu <wangmy@cn.fujitsu.com>
+Date: Fri, 11 Dec 2020 17:02:20 +0900
+Subject: [PATCH] Fix bug for CVE-2020-15803
+
+Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
+---
+ frontends/php/include/classes/html/CIFrame.php | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/frontends/php/include/classes/html/CIFrame.php b/frontends/php/include/classes/html/CIFrame.php
+index 32220cd..70f2ab5 100644
+--- a/frontends/php/include/classes/html/CIFrame.php
++++ b/frontends/php/include/classes/html/CIFrame.php
+@@ -29,6 +29,7 @@ class CIFrame extends CTag {
+ 		$this->setHeight($height);
+ 		$this->setScrolling($scrolling);
+ 		$this->setId($id);
++		$this->setSandbox();
+ 	}
+ 
+ 	public function setSrc($value = null) {
+@@ -69,4 +70,10 @@ class CIFrame extends CTag {
+ 		$this->setAttribute('scrolling', $value);
+ 		return $this;
+ 	}
++
++	private function setSandbox() {
++		if (ZBX_IFRAME_SANDBOX !== false) {
++			$this->setAttribute('sandbox', ZBX_IFRAME_SANDBOX);
++		}
++	}
+ }
+-- 
+2.25.1
+
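Review bot: `setSandbox()` reads `ZBX_IFRAME_SANDBOX`, but this patch touches only `CIFrame.php` (7 insertions) and never defines that constant. Unless 4.4.6 already defines it, PHP 7.x will emit a warning and fall back to the string 'ZBX_IFRAME_SANDBOX', the `!== false` test will pass, and every iframe will be emitted with `sandbox="ZBX_IFRAME_SANDBOX"`. Please include the `define()` in this patch, or point to where it already exists in 4.4.6, and check whether the upstream fix changed other files that need to come along. The header also lacks `Upstream-Status:` and a `CVE: CVE-2020-15803` tag, and the subject "Fix bug for CVE-2020-15803" does not say what the change does.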
diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix_4.4.6.bb b/meta-oe/recipes-connectivity/zabbix/zabbix_4.4.6.bb
index 0e0ddd5779..98a31879c4 100644
--- a/meta-oe/recipes-connectivity/zabbix/zabbix_4.4.6.bb
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix_4.4.6.bb
@@ -26,6 +26,7 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
 SRC_URI = "http://jaist.dl.sourceforge.net/project/zabbix/ZABBIX%20Latest%20Stable/${PV}/${BPN}-${PV}.tar.gz \
     file://0001-Fix-configure.ac.patch \
     file://zabbix-agent.service \
+    file://CVE-2020-15803.patch \
 "
 
 SRC_URI[md5sum] = "e666539220be93b1af38e40f5fbb1f79"
-- 
2.17.1



* [dunfell 07/28] samba: CVE-2020-14318 Security Advisory
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (5 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 06/28] zabbix: CVE-2020-15803 Security Advisory akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 08/28] samba: CVE-2020-14383 " akuster
                   ` (22 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14318

Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1d44b4c03d51e91ce01cf5fd0b33155ce36f1862)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 38beb6fe98894ffaf82a05ccfd6694f735daba26)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../samba/samba/CVE-2020-14318.patch          | 142 ++++++++++++++++++
 .../samba/samba_4.10.18.bb                    |   1 +
 2 files changed, 143 insertions(+)
 create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch

diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch
new file mode 100644
index 0000000000..ff1225db07
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch
@@ -0,0 +1,142 @@
+From ccf53dfdcd39f3526dbc2f20e1245674155380ff Mon Sep 17 00:00:00 2001
+From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
+Date: Fri, 11 Dec 2020 11:32:44 +0900
+Subject: [PATCH] s4: torture: Add smb2.notify.handle-permissions test.
+
+s3: smbd: Ensure change notifies can't get set unless the
+ directory handle is open for SEC_DIR_LIST.
+
+CVE-2020-14318
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+
+Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
+---
+ source3/smbd/notify.c         |  8 ++++
+ source4/torture/smb2/notify.c | 82 ++++++++++++++++++++++++++++++++++-
+ 2 files changed, 89 insertions(+), 1 deletion(-)
+
+diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c
+index 44c0b09..d23c03b 100644
+--- a/source3/smbd/notify.c
++++ b/source3/smbd/notify.c
+@@ -283,6 +283,14 @@ NTSTATUS change_notify_create(struct files_struct *fsp, uint32_t filter,
+ 	char fullpath[len+1];
+ 	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;
+ 
++	/*
++	 * Setting a changenotify needs READ/LIST access
++	 * on the directory handle.
++	 */
++	if (!(fsp->access_mask & SEC_DIR_LIST)) {
++		return NT_STATUS_ACCESS_DENIED;
++	}
++
+ 	if (fsp->notify != NULL) {
+ 		DEBUG(1, ("change_notify_create: fsp->notify != NULL, "
+ 			  "fname = %s\n", fsp->fsp_name->base_name));
+diff --git a/source4/torture/smb2/notify.c b/source4/torture/smb2/notify.c
+index ebb4f8a..a5c9b94 100644
+--- a/source4/torture/smb2/notify.c
++++ b/source4/torture/smb2/notify.c
+@@ -2569,6 +2569,83 @@ done:
+ 	return ok;
+ }
+ 
++/*
++  Test asking for a change notify on a handle without permissions.
++*/
++
++#define BASEDIR_HPERM BASEDIR "_HPERM"
++
++static bool torture_smb2_notify_handle_permissions(
++		struct torture_context *torture,
++		struct smb2_tree *tree)
++{
++	bool ret = true;
++	NTSTATUS status;
++	union smb_notify notify;
++	union smb_open io;
++	struct smb2_handle h1 = {{0}};
++	struct smb2_request *req;
++
++	smb2_deltree(tree, BASEDIR_HPERM);
++	smb2_util_rmdir(tree, BASEDIR_HPERM);
++
++	torture_comment(torture,
++		"TESTING CHANGE NOTIFY "
++		"ON A HANDLE WITHOUT PERMISSIONS\n");
++
++	/*
++	  get a handle on the directory
++	*/
++	ZERO_STRUCT(io.smb2);
++	io.generic.level = RAW_OPEN_SMB2;
++	io.smb2.in.create_flags = 0;
++	io.smb2.in.desired_access = SEC_FILE_READ_ATTRIBUTE;
++	io.smb2.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
++	io.smb2.in.file_attributes = FILE_ATTRIBUTE_NORMAL;
++	io.smb2.in.share_access = NTCREATEX_SHARE_ACCESS_READ |
++				NTCREATEX_SHARE_ACCESS_WRITE;
++	io.smb2.in.alloc_size = 0;
++	io.smb2.in.create_disposition = NTCREATEX_DISP_CREATE;
++	io.smb2.in.impersonation_level = SMB2_IMPERSONATION_ANONYMOUS;
++	io.smb2.in.security_flags = 0;
++	io.smb2.in.fname = BASEDIR_HPERM;
++
++	status = smb2_create(tree, torture, &io.smb2);
++	CHECK_STATUS(status, NT_STATUS_OK);
++	h1 = io.smb2.out.file.handle;
++
++	/* ask for a change notify,
++	   on file or directory name changes */
++	ZERO_STRUCT(notify.smb2);
++	notify.smb2.level = RAW_NOTIFY_SMB2;
++	notify.smb2.in.buffer_size = 1000;
++	notify.smb2.in.completion_filter = FILE_NOTIFY_CHANGE_NAME;
++	notify.smb2.in.file.handle = h1;
++	notify.smb2.in.recursive = true;
++
++	req = smb2_notify_send(tree, &notify.smb2);
++	torture_assert_goto(torture,
++			req != NULL,
++			ret,
++			done,
++			"smb2_notify_send failed\n");
++
++	/*
++	 * Cancel it, we don't really want to wait.
++	 */
++	smb2_cancel(req);
++	status = smb2_notify_recv(req, torture, &notify.smb2);
++	/* Handle h1 doesn't have permissions for ChangeNotify. */
++	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
++
++done:
++	if (!smb2_util_handle_empty(h1)) {
++		smb2_util_close(tree, h1);
++	}
++	smb2_deltree(tree, BASEDIR_HPERM);
++	return ret;
++}
++
+ /*
+    basic testing of SMB2 change notify
+ */
+@@ -2602,7 +2679,10 @@ struct torture_suite *torture_smb2_notify_init(TALLOC_CTX *ctx)
+ 				     torture_smb2_notify_rmdir3);
+ 	torture_suite_add_2smb2_test(suite, "rmdir4",
+ 				     torture_smb2_notify_rmdir4);
+-
++	torture_suite_add_1smb2_test(suite,
++				    "handle-permissions",
++				    torture_smb2_notify_handle_permissions);
++ 
+ 	suite->description = talloc_strdup(suite, "SMB2-NOTIFY tests");
+ 
+ 	return suite;
+-- 
+2.25.1
+
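Review bot: the header of the embedded CVE-2020-14318.patch has no Upstream-Status: line and no CVE: tag, both of which the OpenEmbedded patch guidelines expect on a backported security fix; add them above the Signed-off-by lines. The header also puts Zheng Ruoqin in From: and reuses the torture-test subject for a file that bundles the smbd fix (the SEC_DIR_LIST check in change_notify_create) with the new test, so naming the upstream commits it was taken from would make the backport auditable. In the torture_smb2_notify_init hunk the removed blank line is replaced by a line holding a single space, which adds trailing whitespace to the target source.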
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
index b5085c913b..923b2ddf16 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
@@ -28,6 +28,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
            file://0002-util_sec.c-Move-__thread-variable-to-global-scope.patch \
            file://0001-Add-options-to-configure-the-use-of-libbsd.patch \
            file://0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch \
+           file://CVE-2020-14318.patch \
            "
 SRC_URI_append_libc-musl = " \
            file://samba-pam.patch \
-- 
2.17.1



* [dunfell 08/28] samba: CVE-2020-14383 Security Advisory
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (6 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 07/28] samba: CVE-2020-14318 " akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 09/28] php: Upgrade 7.4.4 -> 7.4.9 akuster
                   ` (21 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14383

Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit baee1ebeafce5d6a99dafc30b91e6fb760197686)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 81d14a86353829eba1d55a93d478faf4c5527a89)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../samba/samba/CVE-2020-14383.patch          | 112 ++++++++++++++++++
 .../samba/samba_4.10.18.bb                    |   1 +
 2 files changed, 113 insertions(+)
 create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch

diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch
new file mode 100644
index 0000000000..3341b80a38
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch
@@ -0,0 +1,112 @@
+From ff17443fe761eda864d13957bec45f5bac478fe3 Mon Sep 17 00:00:00 2001
+From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
+Date: Fri, 11 Dec 2020 14:34:31 +0900
+Subject: [PATCH] CVE-2020-14383: s4/dns: Ensure variable initialization with 
+ NULL. do not crash when additional data not found
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Found by Francis Brosnan Blázquez <francis@aspl.es>.
+Based on patches from Francis Brosnan Blázquez <francis@aspl.es>
+and Jeremy Allison <jra@samba.org>
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795
+
+Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
+Autobuild-Date(master): Mon Aug 24 00:21:41 UTC 2020 on sn-devel-184
+
+(based on commit df98e7db04c901259dd089e20cd557bdbdeaf379)
+(based on commit 7afe449e7201be92bed8e53cbb37b74af720ef4e
+
+Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
+---
+ .../rpc_server/dnsserver/dcerpc_dnsserver.c   | 31 ++++++++++---------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
+index 910de9a1..618c7096 100644
+--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
++++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
+@@ -1754,15 +1754,17 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
+ 	TALLOC_CTX *tmp_ctx;
+ 	char *name;
+ 	const char * const attrs[] = { "name", "dnsRecord", NULL };
+-	struct ldb_result *res;
+-	struct DNS_RPC_RECORDS_ARRAY *recs;
++	struct ldb_result *res = NULL;
++	struct DNS_RPC_RECORDS_ARRAY *recs = NULL;
+ 	char **add_names = NULL;
+-	char *rname;
++	char *rname = NULL;
+ 	const char *preference_name = NULL;
+ 	int add_count = 0;
+ 	int i, ret, len;
+ 	WERROR status;
+-	struct dns_tree *tree, *base, *node;
++	struct dns_tree *tree = NULL;
++	struct dns_tree *base = NULL;
++	struct dns_tree *node = NULL;
+ 
+ 	tmp_ctx = talloc_new(mem_ctx);
+ 	W_ERROR_HAVE_NO_MEMORY(tmp_ctx);
+@@ -1845,15 +1847,15 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
+ 		}
+ 	}
+ 
+-	talloc_free(res);
+-	talloc_free(tree);
+-	talloc_free(name);
++	TALLOC_FREE(res);
++	TALLOC_FREE(tree);
++	TALLOC_FREE(name);
+ 
+ 	/* Add any additional records */
+ 	if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) {
+ 		for (i=0; i<add_count; i++) {
+-			struct dnsserver_zone *z2;
+-
++			struct dnsserver_zone *z2 = NULL;
++			struct ldb_message *msg = NULL;
+ 			/* Search all the available zones for additional name */
+ 			for (z2 = dsstate->zones; z2; z2 = z2->next) {
+ 				char *encoded_name;
+@@ -1865,14 +1867,15 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
+ 						LDB_SCOPE_ONELEVEL, attrs,
+ 						"(&(objectClass=dnsNode)(name=%s)(!(dNSTombstoned=TRUE)))",
+ 						encoded_name);
+-				talloc_free(name);
++				TALLOC_FREE(name);
+ 				if (ret != LDB_SUCCESS) {
+ 					continue;
+ 				}
+ 				if (res->count == 1) {
++					msg = res->msgs[0];
+ 					break;
+ 				} else {
+-					talloc_free(res);
++					TALLOC_FREE(res);
+ 					continue;
+ 				}
+ 			}
+@@ -1885,10 +1888,10 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
+ 			}
+ 			status = dns_fill_records_array(tmp_ctx, NULL, DNS_TYPE_A,
+ 							select_flag, rname,
+-							res->msgs[0], 0, recs,
++							msg, 0, recs,
+ 							NULL, NULL);
+-			talloc_free(rname);
+-			talloc_free(res);
++			TALLOC_FREE(rname);
++			TALLOC_FREE(res);
+ 		}
+ 	}
+ 
+-- 
+2.25.1
+
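Review bot: in the additional-records loop msg stays NULL whenever no zone returns exactly one match, and it is then passed unconditionally to dns_fill_records_array(tmp_ctx, NULL, DNS_TYPE_A, select_flag, rname, msg, ...); the fix therefore depends on the callee accepting a NULL message, which is not visible here, so confirm that against the 4.10.18 source or skip the call when msg == NULL. The zone loop also frees name rather than the encoded_name it just used; with TALLOC_FREE(name) already run above the loop this is now a no-op, but it looks like a leftover worth a comment. The patch header lacks Upstream-Status: and CVE: lines, and the second "(based on commit ..." line is missing its closing parenthesis.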
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
index 923b2ddf16..1a982368ec 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
@@ -29,6 +29,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
            file://0001-Add-options-to-configure-the-use-of-libbsd.patch \
            file://0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch \
            file://CVE-2020-14318.patch \
+           file://CVE-2020-14383.patch \
            "
 SRC_URI_append_libc-musl = " \
            file://samba-pam.patch \
-- 
2.17.1



* [dunfell 09/28] php: Upgrade 7.4.4 -> 7.4.9
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (7 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 08/28] samba: CVE-2020-14383 " akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 10/28] php: remove the failing ${D}/${TMPDIR} code akuster
                   ` (20 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Leon Anavi <leon.anavi@konsulko.com>

Upgrade to release 7.4.9:

- Fixed: Upgrade apache2handler's php_apache_sapi_get_request_time
  to return usec
- Fixed: BSTR to PHP string conversion not binary safe
- Fixed: DCOM does not work with Username, Password parameter
- Fixed: serialize() and unserialize() methods can not be called
  statically
- Fixed: Segfault in php_str_replace_common
- Fixed: Assertion failure if dumping closure with unresolved
  static variable
- Fixed: Assertion failure when assigning property of string
  offset by reference
- Fixed: HT iterators not removed if empty array is destroyed
- Fixed: Changing array during undef index RW error segfaults
- Fixed: Use after free if changing array during undef var during
  array write fetch
- Fixed: Use after free if string used in undefined index warning
  is changed
- Fixed: Public non-static property in child should take priority
  over private static
- Fixed: getimagesize function silently truncates after a null
  byte
- Fixed: finfo_file crash (FILEINFO_MIME)
- Fixed: ftp_size on large files
- Fixed: mb_strimwidth does not trim string
- Fixed: Use of freed hash key in the phar_parse_zipfile function
- Fixed: ::getStaticProperties() ignores property modifications
- Fixed: ::getStaticPropertyValue() throws on protected props
- Fixed: Use after free when type duplicated into
  ReflectionProperty gets resolved
- Fixed: Can't copy() large 'data://' with open_basedir
- Fixed: dns_check_record() always return true on Alpine
- Fixed: array_walk() does not respect property types

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f46931abf073a4c5b02a160a89fe073f1b67632b)
[Bug fix on update. lts version]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../php/php/debian-php-fixheader.patch        | 27 ++++++++++---------
 .../php/{php_7.4.4.bb => php_7.4.9.bb}        |  5 ++--
 2 files changed, 17 insertions(+), 15 deletions(-)
 mode change 100755 => 100644 meta-oe/recipes-devtools/php/php/debian-php-fixheader.patch
 rename meta-oe/recipes-devtools/php/{php_7.4.4.bb => php_7.4.9.bb} (98%)

diff --git a/meta-oe/recipes-devtools/php/php/debian-php-fixheader.patch b/meta-oe/recipes-devtools/php/php/debian-php-fixheader.patch
old mode 100755
new mode 100644
index 21050f7605..a4804d1849
--- a/meta-oe/recipes-devtools/php/php/debian-php-fixheader.patch
+++ b/meta-oe/recipes-devtools/php/php/debian-php-fixheader.patch
@@ -1,31 +1,32 @@
-php: remove host specific info from header file
+From 1234a8ef7c5ab88e24bc5908f0ccfd55af21aa39 Mon Sep 17 00:00:00 2001
+From: Leon Anavi <leon.anavi@konsulko.com>
+Date: Mon, 31 Aug 2020 16:03:27 +0300
+Subject: [PATCH] php: remove host specific info from header file
 
+Based on:
 https://sources.debian.org/data/main/p/php7.3/7.3.6-1/debian/patches/
         0036-php-5.4.9-fixheader.patch
 
 Upstream-Status: Inappropriate [not author]
 Signed-off-by: Joe Slater <joe.slater@windriver.com>
-
----
-From: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
-Date: Sat, 2 May 2015 10:26:56 +0200
-Subject: php-5.4.9-fixheader
-
-Make generated php_config.h constant across rebuilds.
+Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
 ---
  configure.ac | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/configure.ac b/configure.ac
-index 433d7e6..41893d7 100644
+index 2a474ba36d..6d22a21630 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1357,7 +1357,7 @@ PHP_BUILD_DATE=`date -u +%Y-%m-%d`
+@@ -1323,7 +1323,7 @@ PHP_BUILD_DATE=`date -u +%Y-%m-%d`
  fi
  AC_DEFINE_UNQUOTED(PHP_BUILD_DATE,"$PHP_BUILD_DATE",[PHP build date])
  
--PHP_UNAME=`uname -a | xargs`
-+PHP_UNAME=`uname | xargs`
+-UNAME=`uname -a | xargs`
++UNAME=`uname | xargs`
+ PHP_UNAME=${PHP_UNAME:-$UNAME}
  AC_DEFINE_UNQUOTED(PHP_UNAME,"$PHP_UNAME",[uname -a output])
  PHP_OS=`uname | xargs`
- AC_DEFINE_UNQUOTED(PHP_OS,"$PHP_OS",[uname output])
+-- 
+2.17.1
+
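Review bot: the new context line PHP_UNAME=${PHP_UNAME:-$UNAME} in the refreshed configure.ac hunk shows that configure now honours a preset PHP_UNAME, so the recipe could set PHP_UNAME in the configure environment and drop this patch instead of carrying a rebased copy. If the patch stays, note that the rewritten header deletes the Debian PHP Maintainers attribution and the one-line rationale ("Make generated php_config.h constant across rebuilds") and adds a new From: line to a patch still marked Upstream-Status: Inappropriate [not author]; keeping the original origin lines next to the "Based on:" URL would preserve provenance.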
diff --git a/meta-oe/recipes-devtools/php/php_7.4.4.bb b/meta-oe/recipes-devtools/php/php_7.4.9.bb
similarity index 98%
rename from meta-oe/recipes-devtools/php/php_7.4.4.bb
rename to meta-oe/recipes-devtools/php/php_7.4.9.bb
index 1d93902e72..cd874d3c8b 100644
--- a/meta-oe/recipes-devtools/php/php_7.4.4.bb
+++ b/meta-oe/recipes-devtools/php/php_7.4.9.bb
@@ -31,9 +31,10 @@ SRC_URI_append_class-target = " \
             file://0001-opcache-config.m4-enable-opcache.patch \
             file://xfail_two_bug_tests.patch \
           "
+
 S = "${WORKDIR}/php-${PV}"
-SRC_URI[md5sum] = "262c258a3b8b5699fcca89a64e58758c"
-SRC_URI[sha256sum] = "308e8f4182ec8a2767b0b1b8e1e7c69fb149b37cfb98ee4a37475e082fa9829f"
+SRC_URI[md5sum] = "e68a66c54b080d108831f6dc2e1e403d"
+SRC_URI[sha256sum] = "2e270958a4216480da7886743438ccc92b6acf32ea96fefda88d07e0a5095deb"
 
 inherit autotools pkgconfig python3native gettext
 
-- 
2.17.1



* [dunfell 10/28] php: remove the failing ${D}/${TMPDIR} code
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (8 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 09/28] php: Upgrade 7.4.4 -> 7.4.9 akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 11/28] php: CVE-2020-7070 akuster
                   ` (19 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Max Kellermann <max.kellermann@gmail.com>

Appending ${TMPDIR} to ${D} doesn't make any sense, because both are
absolute paths.  And additionally, the code fails:

 rmdir: failed to remove '/usr/src/oe/tmp-musl/work/core2-64-oe-linux-musl/php/7.1.9-r0/image//usr': Directory not empty

Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit f6338892d9c57c51ed48b04f587b468f7718a8ba)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-oe/recipes-devtools/php/php_7.4.9.bb | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/meta-oe/recipes-devtools/php/php_7.4.9.bb b/meta-oe/recipes-devtools/php/php_7.4.9.bb
index cd874d3c8b..fc01ea1953 100644
--- a/meta-oe/recipes-devtools/php/php_7.4.9.bb
+++ b/meta-oe/recipes-devtools/php/php_7.4.9.bb
@@ -154,7 +154,6 @@ do_install_prepend_class-target() {
 # fixme
 do_install_append_class-target() {
     install -d ${D}${sysconfdir}/
-    rm -rf ${D}/${TMPDIR}
     rm -rf ${D}/.registry
     rm -rf ${D}/.channels
     rm -rf ${D}/.[a-z]*
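Review bot: removing rm -rf ${D}/${TMPDIR} from do_install_append_class-target drops the only cleanup of anything the install step places under the build-directory path inside ${D}; ${D}/${TMPDIR} is a reachable location (the image directory followed by the absolute TMPDIR path), so before merging confirm that do_install for 7.4.9 writes nothing there, otherwise host build paths end up in the package tree. The rmdir failure quoted in the commit message comes from a 7.1.9 work directory, so the behaviour should be re-checked against this recipe version.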
@@ -178,14 +177,6 @@ do_install_append_class-target() {
             ${D}${systemd_unitdir}/system/php-fpm.service
     fi
 
-    TMP=`dirname ${D}/${TMPDIR}`
-    while test ${TMP} != ${D}; do
-        if [ -d ${TMP} ]; then
-            rmdir ${TMP}
-        fi
-        TMP=`dirname ${TMP}`;
-    done
-
     if ${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'true', 'false', d)}; then
         install -d ${D}${sysconfdir}/apache2/modules.d
         install -d ${D}${sysconfdir}/php/apache2-php${PHP_MAJOR_VERSION}
-- 
2.17.1



* [dunfell 11/28] php: CVE-2020-7070
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (9 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 10/28] php: remove the failing ${D}/${TMPDIR} code akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 12/28] php: CVE-2020-7069 akuster
                   ` (18 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>

Security Advisory

References
https://nvd.nist.gov/vuln/detail/CVE-2020-7070
https://bugs.php.net/patch-display.php?bug=79699&patch=fix-urldecode&revision=1600650364
https://github.com/php/php-src/blob/master/main/php_variables.c

Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit aff8a1fefb9a1a311e5ba14ad69871514270803a)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 09f5a2ac5ab8550f5f0bd05417f2f54d27995dac)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../php/php/CVE-2020-7070.patch               | 24 +++++++++++++++++++
 meta-oe/recipes-devtools/php/php_7.4.9.bb     |  1 +
 2 files changed, 25 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch

diff --git a/meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch b/meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch
new file mode 100644
index 0000000000..e5b527f989
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch
@@ -0,0 +1,24 @@
+Subject: Patch fix-urldecode for HTTP related Bug #79699
+
+---
+ main/php_variables.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/main/php_variables.c b/main/php_variables.c
+index 1a40c2a1..cbdc7cf1 100644
+--- a/main/php_variables.c
++++ b/main/php_variables.c
+@@ -514,7 +514,9 @@ SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
+ 		}
+ 
+ 		val = estrndup(val, val_len);
+-		php_url_decode(var, strlen(var));
++		if (arg != PARSE_COOKIE) {
++			php_url_decode(var, strlen(var));
++		}
+ 		if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) {
+ 			php_register_variable_safe(var, val, new_val_len, &array);
+ 		}
+-- 
+2.25.1
+
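Review bot: the embedded patch guards a single php_url_decode(var, strlen(var)) call in php_default_treat_data with arg != PARSE_COOKIE (diffstat: 3 insertions, 1 deletion), so if the function decodes the variable name on any other path for cookies, that site needs the same guard; please check the full function in 7.4.9 rather than only the lines around 514. The patch header consists of a Subject line only: it needs Upstream-Status:, a CVE: CVE-2020-7070 tag, the origin of the change and a Signed-off-by, none of which are present.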
diff --git a/meta-oe/recipes-devtools/php/php_7.4.9.bb b/meta-oe/recipes-devtools/php/php_7.4.9.bb
index fc01ea1953..73caed6543 100644
--- a/meta-oe/recipes-devtools/php/php_7.4.9.bb
+++ b/meta-oe/recipes-devtools/php/php_7.4.9.bb
@@ -30,6 +30,7 @@ SRC_URI_append_class-target = " \
             file://phar-makefile.patch \
             file://0001-opcache-config.m4-enable-opcache.patch \
             file://xfail_two_bug_tests.patch \
+            file://CVE-2020-7070.patch \
           "
 
 S = "${WORKDIR}/php-${PV}"
-- 
2.17.1



* [dunfell 12/28] php: CVE-2020-7069
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (10 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 11/28] php: CVE-2020-7070 akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 13/28] apache2: upgrade v2.4.43 -> v2.4.46 akuster
                   ` (17 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>

Security Advisory

References
https://nvd.nist.gov/vuln/detail/CVE-2020-7069
https://bugs.php.net/patch-display.php?bug_id=79601&patch=openssl_aes_ccm_iv_fix&revision=latest

Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit fa80193468745a11bc12d5845f66412a0d62e0e2)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 992e09f09a40e7a8d03c7c4b5adf40f821ed3774)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../php/php/CVE-2020-7069.patch               | 158 ++++++++++++++++++
 meta-oe/recipes-devtools/php/php_7.4.9.bb     |   1 +
 2 files changed, 159 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch

diff --git a/meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch b/meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch
new file mode 100644
index 0000000000..0cf4d5ed60
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch
@@ -0,0 +1,158 @@
+Subject: Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption
+ for a 12 bytes IV)
+
+---
+ ext/openssl/openssl.c                      | 10 ++++-----
+ ext/openssl/tests/cipher_tests.inc         | 21 +++++++++++++++++
+ ext/openssl/tests/openssl_decrypt_ccm.phpt | 22 +++++++++++-------
+ ext/openssl/tests/openssl_encrypt_ccm.phpt | 26 ++++++++++++++--------
+ 4 files changed, 57 insertions(+), 22 deletions(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index 04cb9b0f..fdad2c3b 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -6521,11 +6521,6 @@ static int php_openssl_validate_iv(char **piv, size_t *piv_len, size_t iv_requir
+ {
+ 	char *iv_new;
+ 
+-	/* Best case scenario, user behaved */
+-	if (*piv_len == iv_required_len) {
+-		return SUCCESS;
+-	}
+-
+ 	if (mode->is_aead) {
+ 		if (EVP_CIPHER_CTX_ctrl(cipher_ctx, mode->aead_ivlen_flag, *piv_len, NULL) != 1) {
+ 			php_error_docref(NULL, E_WARNING, "Setting of IV length for AEAD mode failed");
+@@ -6534,6 +6529,11 @@ static int php_openssl_validate_iv(char **piv, size_t *piv_len, size_t iv_requir
+ 		return SUCCESS;
+ 	}
+ 
++	/* Best case scenario, user behaved */
++	if (*piv_len == iv_required_len) {
++		return SUCCESS;
++	}
++
+ 	iv_new = ecalloc(1, iv_required_len + 1);
+ 
+ 	if (*piv_len == 0) {
+diff --git a/ext/openssl/tests/cipher_tests.inc b/ext/openssl/tests/cipher_tests.inc
+index b1e46b41..779bfa85 100644
+--- a/ext/openssl/tests/cipher_tests.inc
++++ b/ext/openssl/tests/cipher_tests.inc
+@@ -1,5 +1,26 @@
+ <?php
+ $php_openssl_cipher_tests = array(
++    'aes-128-ccm' => array(
++        array(
++            'key' => '404142434445464748494a4b4c4d4e4f',
++            'iv'  => '1011121314151617',
++            'aad' => '000102030405060708090a0b0c0d0e0f',
++            'tag' => '1fc64fbfaccd',
++            'pt'  => '202122232425262728292a2b2c2d2e2f',
++            'ct'  => 'd2a1f0e051ea5f62081a7792073d593d',
++        ),
++        array(
++            'key' => '404142434445464748494a4b4c4d4e4f',
++            'iv'  => '101112131415161718191a1b',
++            'aad' => '000102030405060708090a0b0c0d0e0f' .
++                     '10111213',
++            'tag' => '484392fbc1b09951',
++            'pt'  => '202122232425262728292a2b2c2d2e2f' .
++                     '3031323334353637',
++            'ct'  => 'e3b201a9f5b71a7a9b1ceaeccd97e70b' .
++                     '6176aad9a4428aa5',
++        ),
++    ),
+     'aes-256-ccm' => array(
+         array(
+             'key' => '1bde3251d41a8b5ea013c195ae128b21' .
+diff --git a/ext/openssl/tests/openssl_decrypt_ccm.phpt b/ext/openssl/tests/openssl_decrypt_ccm.phpt
+index a5f01b87..08ef5bb7 100644
+--- a/ext/openssl/tests/openssl_decrypt_ccm.phpt
++++ b/ext/openssl/tests/openssl_decrypt_ccm.phpt
+@@ -10,14 +10,16 @@ if (!in_array('aes-256-ccm', openssl_get_cipher_methods()))
+ --FILE--
+ <?php
+ require_once __DIR__ . "/cipher_tests.inc";
+-$method = 'aes-256-ccm';
+-$tests = openssl_get_cipher_tests($method);
++$methods = ['aes-128-ccm', 'aes-256-ccm'];
+ 
+-foreach ($tests as $idx => $test) {
+-    echo "TEST $idx\n";
+-    $pt = openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA,
+-        $test['iv'], $test['tag'], $test['aad']);
+-    var_dump($test['pt'] === $pt);
++foreach ($methods as $method) {
++    $tests = openssl_get_cipher_tests($method);
++    foreach ($tests as $idx => $test) {
++        echo "$method - TEST $idx\n";
++        $pt = openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA,
++            $test['iv'], $test['tag'], $test['aad']);
++        var_dump($test['pt'] === $pt);
++    }
+ }
+ 
+ // no IV
+@@ -32,7 +34,11 @@ var_dump(openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA,
+ 
+ ?>
+ --EXPECTF--
+-TEST 0
++aes-128-ccm - TEST 0
++bool(true)
++aes-128-ccm - TEST 1
++bool(true)
++aes-256-ccm - TEST 0
+ bool(true)
+ 
+ Warning: openssl_decrypt(): Setting of IV length for AEAD mode failed in %s on line %d
+diff --git a/ext/openssl/tests/openssl_encrypt_ccm.phpt b/ext/openssl/tests/openssl_encrypt_ccm.phpt
+index fb5dbbc8..8c4c41f8 100644
+--- a/ext/openssl/tests/openssl_encrypt_ccm.phpt
++++ b/ext/openssl/tests/openssl_encrypt_ccm.phpt
+@@ -10,15 +10,17 @@ if (!in_array('aes-256-ccm', openssl_get_cipher_methods()))
+ --FILE--
+ <?php
+ require_once __DIR__ . "/cipher_tests.inc";
+-$method = 'aes-256-ccm';
+-$tests = openssl_get_cipher_tests($method);
++$methods = ['aes-128-ccm', 'aes-256-ccm'];
+ 
+-foreach ($tests as $idx => $test) {
+-    echo "TEST $idx\n";
+-    $ct = openssl_encrypt($test['pt'], $method, $test['key'], OPENSSL_RAW_DATA,
+-        $test['iv'], $tag, $test['aad'], strlen($test['tag']));
+-    var_dump($test['ct'] === $ct);
+-    var_dump($test['tag'] === $tag);
++foreach ($methods as $method) {
++    $tests = openssl_get_cipher_tests($method);
++    foreach ($tests as $idx => $test) {
++        echo "$method - TEST $idx\n";
++        $ct = openssl_encrypt($test['pt'], $method, $test['key'], OPENSSL_RAW_DATA,
++            $test['iv'], $tag, $test['aad'], strlen($test['tag']));
++        var_dump($test['ct'] === $ct);
++        var_dump($test['tag'] === $tag);
++    }
+ }
+ 
+ // Empty IV error
+@@ -32,7 +34,13 @@ var_dump(strlen($tag));
+ var_dump(openssl_encrypt('data', $method, 'password', 0, str_repeat('x', 16), $tag, '', 1024));
+ ?>
+ --EXPECTF--
+-TEST 0
++aes-128-ccm - TEST 0
++bool(true)
++bool(true)
++aes-128-ccm - TEST 1
++bool(true)
++bool(true)
++aes-256-ccm - TEST 0
+ bool(true)
+ bool(true)
+ 
+-- 
+2.25.1
+
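Review bot: both .phpt files now loop over 'aes-128-ccm' and 'aes-256-ccm', but the SKIPIF guard visible in the hunk headers still tests only in_array('aes-256-ccm', openssl_get_cipher_methods()), so a build without aes-128-ccm would fail instead of skipping; extend the guard to both methods. The checks after the loop keep using $method and $test as left by the last iteration, which silently depends on 'aes-256-ccm' being last in $methods. In openssl.c the reordering is the actual fix (AEAD modes now always reach EVP_CIPHER_CTX_ctrl with the caller's IV length before the equal-length early return), and the patch header should say so and carry Upstream-Status: and CVE: CVE-2020-7069 lines, which are missing.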
diff --git a/meta-oe/recipes-devtools/php/php_7.4.9.bb b/meta-oe/recipes-devtools/php/php_7.4.9.bb
index 73caed6543..16fc311b0e 100644
--- a/meta-oe/recipes-devtools/php/php_7.4.9.bb
+++ b/meta-oe/recipes-devtools/php/php_7.4.9.bb
@@ -31,6 +31,7 @@ SRC_URI_append_class-target = " \
             file://0001-opcache-config.m4-enable-opcache.patch \
             file://xfail_two_bug_tests.patch \
             file://CVE-2020-7070.patch \
+            file://CVE-2020-7069.patch \
           "
 
 S = "${WORKDIR}/php-${PV}"
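Review bot: CVE-2020-7069.patch, like CVE-2020-7070.patch in the context line above it, is appended to SRC_URI_append_class-target, so a php-native build is left without either fix. If that is intentional, say so in the commit message; otherwise move both entries to the common SRC_URI.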
-- 
2.17.1



* [dunfell 13/28] apache2: upgrade v2.4.43 -> v2.4.46
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (11 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 12/28] php: CVE-2020-7069 akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 14/28] mariadb: update to 10.4.17 for cve fixes akuster
                   ` (16 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Sakib Sajal <sakib.sajal@windriver.com>

Source: meta-openembedded.org
MR: 105034, 105034, 105124
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/meta-openembedded/commit/meta-webserver/recipes-httpd/apache2?h=gatesgarth&id=fc995b3cfed86850ce5ab1b70da1e31560ac350f
ChangeID: 37b9f376c5e4b9a9355f867bac56454e2630d86c
Description:

Minor upgrade including bug and CVE fixes, namely:
  - CVE-2020-9490
  - CVE-2020-11984
  - CVE-2020-11993

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit fc995b3cfed86850ce5ab1b70da1e31560ac350f)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../apache2/{apache2_2.4.43.bb => apache2_2.4.46.bb}          | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.43.bb => apache2_2.4.46.bb} (98%)

diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.43.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb
similarity index 98%
rename from meta-webserver/recipes-httpd/apache2/apache2_2.4.43.bb
rename to meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb
index a7083d80e9..197cb83e64 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.43.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb
@@ -26,8 +26,8 @@ SRC_URI_append_class-target = " \
            "
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=bddeddfac80b2c9a882241d008bb41c3"
-SRC_URI[md5sum] = "791c986b1e70fe61eb44060aacc89a64"
-SRC_URI[sha256sum] = "a497652ab3fc81318cdc2a203090a999150d86461acff97c1065dc910fe10f43"
+SRC_URI[md5sum] = "7d661ea5e736dac5e2761d9f49fe8361"
+SRC_URI[sha256sum] = "740eddf6e1c641992b22359cabc66e6325868c3c5e2e3f98faf349b61ecf41ea"
 
 S = "${WORKDIR}/httpd-${PV}"
 
-- 
2.17.1



* [dunfell 14/28] mariadb: update to 10.4.17 for cve fixes
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (12 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 13/28] apache2: upgrade v2.4.43 -> v2.4.46 akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 15/28] lua: fix CVE-2020-15945 akuster
                   ` (15 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

Source: mariadb.org
MR: 107836, 107837, 107838, 107839, 107840, 107852, 106414, 106414, 107864, 107876, 107888
Type: Security Fix
Disposition: Backport from mariadb.org
ChangeID: 75fb83ced15990b94659af6e107c063d288cb037
Description:

refresh several patches
Drop 0001-Fix-build-breakage-from-lock_guard-error-6161.patch as fix included in update

Bugfix only update including these CVEs:

10.4.13
CVE-2020-2752
CVE-2020-2812
CVE-2020-2814
CVE-2020-2760
CVE-2020-13249

10.4.15
CVE-2020-15180

10.4.16
CVE-2020-14812
CVE-2020-14765
CVE-2020-14776
CVE-2020-14789
CVE-2020-28912 (MDEV-24040)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ...e_10.4.12.bb => mariadb-native_10.4.17.bb} |  0
 meta-oe/recipes-dbs/mysql/mariadb.inc         |  6 ++--
 ...-breakage-from-lock_guard-error-6161.patch | 32 -------------------
 .../mariadb/0001-Fix-library-LZ4-lookup.patch | 19 +++++------
 .../mysql/mariadb/c11_atomics.patch           | 24 ++++++++------
 .../configure.cmake-fix-valgrind.patch        | 10 +++---
 .../mariadb/fix-a-building-failure.patch      | 13 +++-----
 .../mysql/mariadb/fix-arm-atomic.patch        | 13 +++-----
 ...Lists.txt-fix-gen_lex_hash-not-found.patch | 12 +++----
 ...akeLists.txt-fix-do_populate_sysroot.patch | 10 +++---
 ...{mariadb_10.4.12.bb => mariadb_10.4.17.bb} |  0
 11 files changed, 51 insertions(+), 88 deletions(-)
 rename meta-oe/recipes-dbs/mysql/{mariadb-native_10.4.12.bb => mariadb-native_10.4.17.bb} (100%)
 delete mode 100644 meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-build-breakage-from-lock_guard-error-6161.patch
 rename meta-oe/recipes-dbs/mysql/{mariadb_10.4.12.bb => mariadb_10.4.17.bb} (100%)

diff --git a/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.12.bb b/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.17.bb
similarity index 100%
rename from meta-oe/recipes-dbs/mysql/mariadb-native_10.4.12.bb
rename to meta-oe/recipes-dbs/mysql/mariadb-native_10.4.17.bb
diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc
index 95f5acba1f..1a86bc0446 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb.inc
+++ b/meta-oe/recipes-dbs/mysql/mariadb.inc
@@ -18,11 +18,9 @@ SRC_URI = "https://downloads.mariadb.org/interstitial/${BP}/source/${BP}.tar.gz
            file://c11_atomics.patch \
            file://clang_version_header_conflict.patch \
            file://fix-arm-atomic.patch \
-           file://0001-Fix-build-breakage-from-lock_guard-error-6161.patch \
-           file://0001-Fix-library-LZ4-lookup.patch \
           "
-SRC_URI[md5sum] = "97d7c0f508c04a31c138fdb24e95dbc4"
-SRC_URI[sha256sum] = "fef1e1d38aa253dd8a51006bd15aad184912fce31c446bb69434fcde735aa208"
+SRC_URI[md5sum] = "e8193b9cd008b6d7f177f5a5c44c7a9f"
+SRC_URI[sha256sum] = "a7b104e264311cd46524ae546ff0c5107978373e4a01cf7fd8a241454548d16e"
 
 UPSTREAM_CHECK_URI = "https://github.com/MariaDB/server/releases"
 
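Review bot: the removal of "file://0001-Fix-library-LZ4-lookup.patch" from SRC_URI in this hunk is not explained. The commit message only mentions dropping 0001-Fix-build-breakage-from-lock_guard-error-6161.patch, and this same commit still refreshes 0001-Fix-library-LZ4-lookup.patch instead of deleting it. If the LZ4 lookup fix is no longer needed with 10.4.17, delete the patch file and say so in the description; if it is still needed, keep the SRC_URI entry, because as posted the refreshed patch is never applied.
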
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-build-breakage-from-lock_guard-error-6161.patch b/meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-build-breakage-from-lock_guard-error-6161.patch
deleted file mode 100644
index 87c70617a1..0000000000
--- a/meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-build-breakage-from-lock_guard-error-6161.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Subject: [PATCH] Fix build breakage from lock_guard error (#6161)
-
-Summary:
-This change fixes a source issue that caused compile time error which
-breaks build for many fbcode services in that setup. The size() member
-function of channel is a const member, so member variables accessed
-within it are implicitly const as well. This caused error when clang
-fails to resolve to a constructor that takes std::mutex because the
-suitable constructor got rejected due to loss of constness for its
-argument. The fix is to add mutable modifier to the lock_ member of
-channel.
-
-Pull Request resolved: https://github.com/facebook/rocksdb/pull/6161
-
-Differential Revision: D18967685
-
-Pulled By: maysamyabandeh
-
-Upstream-Status: Backport
-
-fbshipit-source-id:698b6a5153c3c92eeacb842c467aa28cc350d432 
---- a/storage/rocksdb/rocksdb/util/channel.h
-+++ b/storage/rocksdb/rocksdb/util/channel.h
-@@ -60,7 +60,7 @@ class channel {
- 
-  private:
-   std::condition_variable cv_;
--  std::mutex lock_;
-+  mutable std::mutex lock_;
-   std::queue<T> buffer_;
-   bool eof_;
- };
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-library-LZ4-lookup.patch b/meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-library-LZ4-lookup.patch
index 574dfd317a..4b90d280ac 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-library-LZ4-lookup.patch
+++ b/meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-library-LZ4-lookup.patch
@@ -8,15 +8,15 @@ Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
  cmake/FindLZ4.cmake | 9 +++++++--
  1 file changed, 7 insertions(+), 2 deletions(-)
 
-diff --git a/cmake/FindLZ4.cmake b/cmake/FindLZ4.cmake
-index e97dd63e2b0..2f4694e727c 100644
---- a/cmake/FindLZ4.cmake
-+++ b/cmake/FindLZ4.cmake
-@@ -1,5 +1,10 @@
--find_path(LZ4_INCLUDE_DIR NAMES lz4.h)
--find_library(LZ4_LIBRARY NAMES lz4)
+Index: mariadb-10.4.17/cmake/FindLZ4.cmake
+===================================================================
+--- mariadb-10.4.17.orig/cmake/FindLZ4.cmake
++++ mariadb-10.4.17/cmake/FindLZ4.cmake
+@@ -1,5 +1,11 @@
+ find_path(LZ4_INCLUDE_DIR NAMES lz4.h)
+-find_library(LZ4_LIBRARIES NAMES lz4)
 +find_path(LZ4_INCLUDE_DIR
-+  NAMES	lz4.h
++  NAMES    lz4.h
 +  NO_DEFAULT_PATH NO_CMAKE_FIND_ROOT_PATH)
 +
 +find_library(LZ4_LIBRARY
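Review bot: after this refresh the inner hunk keeps the one-line find_path(LZ4_INCLUDE_DIR NAMES lz4.h) as context and still adds the multi-line find_path(LZ4_INCLUDE_DIR ... NO_DEFAULT_PATH NO_CMAKE_FIND_ROOT_PATH) below it, so FindLZ4.cmake would call find_path twice for the same variable. find_path does not search again once its variable is set, so the restricted lookup only takes effect when the first, unrestricted call finds nothing; the first call should probably be on a '-' line, as it was before the refresh. The removed line also sets LZ4_LIBRARIES while the added call sets LZ4_LIBRARY, so check which name the rest of the file uses, and update the "9 +++++++--" diffstat in the patch header, which no longer matches "@@ -1,5 +1,11 @@".
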
@@ -25,6 +25,3 @@ index e97dd63e2b0..2f4694e727c 100644
  
  include(FindPackageHandleStandardArgs)
  FIND_PACKAGE_HANDLE_STANDARD_ARGS(
--- 
-2.17.1
-
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch b/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch
index 169986130c..b1ce963602 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch
+++ b/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch
@@ -10,9 +10,11 @@ Date:   Fri Dec 21 19:14:04 2018 +0200
 Upstream-Status: Pending
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
 
---- a/configure.cmake
-+++ b/configure.cmake
-@@ -926,7 +926,25 @@ int main()
+Index: mariadb-10.4.17/configure.cmake
+===================================================================
+--- mariadb-10.4.17.orig/configure.cmake
++++ mariadb-10.4.17/configure.cmake
+@@ -863,7 +863,25 @@ int main()
    long long int *ptr= &var;
    return (int)__atomic_load_n(ptr, __ATOMIC_SEQ_CST);
  }"
@@ -39,10 +41,12 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
  
  IF(WITH_VALGRIND)
    SET(HAVE_valgrind 1)
---- a/mysys/CMakeLists.txt
-+++ b/mysys/CMakeLists.txt
+Index: mariadb-10.4.17/mysys/CMakeLists.txt
+===================================================================
+--- mariadb-10.4.17.orig/mysys/CMakeLists.txt
++++ mariadb-10.4.17/mysys/CMakeLists.txt
 @@ -78,6 +78,10 @@ TARGET_LINK_LIBRARIES(mysys dbug strings
-  ${LIBNSL} ${LIBM} ${LIBRT} ${LIBDL} ${LIBSOCKET} ${LIBEXECINFO} ${CRC32_LIBRARY})
+  ${LIBNSL} ${LIBM} ${LIBRT} ${CMAKE_DL_LIBS} ${LIBSOCKET} ${LIBEXECINFO} ${CRC32_LIBRARY})
  DTRACE_INSTRUMENT(mysys)
  
 +IF (HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC)
@@ -52,9 +56,11 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
  IF(HAVE_BFD_H)
    TARGET_LINK_LIBRARIES(mysys bfd)  
  ENDIF(HAVE_BFD_H)
---- a/sql/CMakeLists.txt
-+++ b/sql/CMakeLists.txt
-@@ -178,6 +178,10 @@ ELSE()
+Index: mariadb-10.4.17/sql/CMakeLists.txt
+===================================================================
+--- mariadb-10.4.17.orig/sql/CMakeLists.txt
++++ mariadb-10.4.17/sql/CMakeLists.txt
+@@ -196,6 +196,10 @@ ELSE()
    SET(MYSQLD_SOURCE main.cc ${DTRACE_PROBES_ALL})
  ENDIF()
  
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/configure.cmake-fix-valgrind.patch b/meta-oe/recipes-dbs/mysql/mariadb/configure.cmake-fix-valgrind.patch
index ac94279585..162b1e295b 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb/configure.cmake-fix-valgrind.patch
+++ b/meta-oe/recipes-dbs/mysql/mariadb/configure.cmake-fix-valgrind.patch
@@ -21,11 +21,11 @@ Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
  configure.cmake | 5 ++---
  1 file changed, 2 insertions(+), 3 deletions(-)
 
-diff --git a/configure.cmake b/configure.cmake
-index 3cfc4b31..d017b3b3 100644
---- a/configure.cmake
-+++ b/configure.cmake
-@@ -930,10 +930,9 @@ HAVE_GCC_C11_ATOMICS)
+Index: mariadb-10.4.17/configure.cmake
+===================================================================
+--- mariadb-10.4.17.orig/configure.cmake
++++ mariadb-10.4.17/configure.cmake
+@@ -867,10 +867,9 @@ HAVE_GCC_C11_ATOMICS)
  
  IF(WITH_VALGRIND)
    SET(HAVE_valgrind 1)
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/fix-a-building-failure.patch b/meta-oe/recipes-dbs/mysql/mariadb/fix-a-building-failure.patch
index 9149ee21f2..5fc94835ea 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb/fix-a-building-failure.patch
+++ b/meta-oe/recipes-dbs/mysql/mariadb/fix-a-building-failure.patch
@@ -14,11 +14,11 @@ Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
  CMakeLists.txt | 5 -----
  1 file changed, 5 deletions(-)
 
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index fc30750..4f9110e 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -347,11 +347,6 @@ CHECK_PCRE()
+Index: mariadb-10.4.17/CMakeLists.txt
+===================================================================
+--- mariadb-10.4.17.orig/CMakeLists.txt
++++ mariadb-10.4.17/CMakeLists.txt
+@@ -376,11 +376,6 @@ CHECK_PCRE()
  
  CHECK_SYSTEMD()
  
@@ -30,6 +30,3 @@ index fc30750..4f9110e 100644
  #
  # Setup maintainer mode options. Platform checks are
  # not run with the warning options as to not perturb fragile checks
--- 
-2.17.1
-
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/fix-arm-atomic.patch b/meta-oe/recipes-dbs/mysql/mariadb/fix-arm-atomic.patch
index 05b0cf8ff7..db72709439 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb/fix-arm-atomic.patch
+++ b/meta-oe/recipes-dbs/mysql/mariadb/fix-arm-atomic.patch
@@ -15,11 +15,11 @@ Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
  storage/rocksdb/build_rocksdb.cmake | 3 +++
  1 file changed, 3 insertions(+)
 
-diff --git a/storage/rocksdb/build_rocksdb.cmake b/storage/rocksdb/build_rocksdb.cmake
-index d7895b0..3bcd52a 100644
---- a/storage/rocksdb/build_rocksdb.cmake
-+++ b/storage/rocksdb/build_rocksdb.cmake
-@@ -470,6 +470,9 @@ list(APPEND SOURCES ${CMAKE_CURRENT_BINARY_DIR}/build_version.cc)
+Index: mariadb-10.4.17/storage/rocksdb/build_rocksdb.cmake
+===================================================================
+--- mariadb-10.4.17.orig/storage/rocksdb/build_rocksdb.cmake
++++ mariadb-10.4.17/storage/rocksdb/build_rocksdb.cmake
+@@ -498,6 +498,9 @@ list(APPEND SOURCES ${CMAKE_CURRENT_BINA
  
  ADD_CONVENIENCE_LIBRARY(rocksdblib ${SOURCES})
  target_link_libraries(rocksdblib ${THIRDPARTY_LIBS} ${SYSTEM_LIBS})
@@ -29,6 +29,3 @@ index d7895b0..3bcd52a 100644
  IF(CMAKE_CXX_COMPILER_ID MATCHES "GNU" OR CMAKE_CXX_COMPILER_ID MATCHES "Clang")
    set_target_properties(rocksdblib PROPERTIES COMPILE_FLAGS "-fPIC -fno-builtin-memcmp -Wno-error")
  endif()
--- 
-2.7.4
-
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch b/meta-oe/recipes-dbs/mysql/mariadb/sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch
index afc1be47b5..16cd584da9 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb/sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch
+++ b/meta-oe/recipes-dbs/mysql/mariadb/sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch
@@ -15,11 +15,11 @@ Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
  sql/CMakeLists.txt | 30 ++++++++++++++++++++----------
  1 file changed, 20 insertions(+), 10 deletions(-)
 
-diff --git a/sql/CMakeLists.txt b/sql/CMakeLists.txt
-index c6910f46..bf51f4cb 100644
---- a/sql/CMakeLists.txt
-+++ b/sql/CMakeLists.txt
-@@ -50,11 +50,16 @@ ${WSREP_INCLUDES}
+Index: mariadb-10.4.17/sql/CMakeLists.txt
+===================================================================
+--- mariadb-10.4.17.orig/sql/CMakeLists.txt
++++ mariadb-10.4.17/sql/CMakeLists.txt
+@@ -55,11 +55,16 @@ ${CMAKE_BINARY_DIR}/sql
  
  
  
@@ -41,7 +41,7 @@ index c6910f46..bf51f4cb 100644
  
  ADD_DEFINITIONS(-DMYSQL_SERVER -DHAVE_EVENT_SCHEDULER)
  
-@@ -370,11 +375,16 @@ IF(NOT CMAKE_CROSSCOMPILING)
+@@ -364,11 +369,16 @@ IF(NOT CMAKE_CROSSCOMPILING)
    ADD_EXECUTABLE(gen_lex_hash gen_lex_hash.cc)
  ENDIF()
  
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/support-files-CMakeLists.txt-fix-do_populate_sysroot.patch b/meta-oe/recipes-dbs/mysql/mariadb/support-files-CMakeLists.txt-fix-do_populate_sysroot.patch
index 4f9a4e9b0e..937d13da31 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb/support-files-CMakeLists.txt-fix-do_populate_sysroot.patch
+++ b/meta-oe/recipes-dbs/mysql/mariadb/support-files-CMakeLists.txt-fix-do_populate_sysroot.patch
@@ -15,11 +15,11 @@ Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
  support-files/CMakeLists.txt | 7 -------
  1 file changed, 7 deletions(-)
 
-diff --git a/support-files/CMakeLists.txt b/support-files/CMakeLists.txt
-index b5767432..56733de1 100644
---- a/support-files/CMakeLists.txt
-+++ b/support-files/CMakeLists.txt
-@@ -165,12 +165,5 @@ IF(UNIX)
+Index: mariadb-10.4.17/support-files/CMakeLists.txt
+===================================================================
+--- mariadb-10.4.17.orig/support-files/CMakeLists.txt
++++ mariadb-10.4.17/support-files/CMakeLists.txt
+@@ -192,12 +192,5 @@ IF(UNIX)
        INSTALL(FILES rpm/enable_encryption.preset DESTINATION ${INSTALL_SYSCONF2DIR}
                COMPONENT IniFiles)
      ENDIF()
diff --git a/meta-oe/recipes-dbs/mysql/mariadb_10.4.12.bb b/meta-oe/recipes-dbs/mysql/mariadb_10.4.17.bb
similarity index 100%
rename from meta-oe/recipes-dbs/mysql/mariadb_10.4.12.bb
rename to meta-oe/recipes-dbs/mysql/mariadb_10.4.17.bb
-- 
2.17.1



* [dunfell 15/28] lua: fix CVE-2020-15945
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (13 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 14/28] mariadb: update to 10.4.17 for cve fixes akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 16/28] lua: fix CVE-2020-24371 akuster
                   ` (14 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Wenlin Kang <wenlin.kang@windriver.com>

Source: openembedded.org
MR: 104897
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/meta-openembedded gatesgarth
ChangeID: 6c43941d116bbb9f0d62ca5376da24ae03eb9eab
Description:

Fixes CVE-2020-15945

Backport with modifications to apply successfully.

Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../lua/lua/CVE-2020-15945.patch              | 167 ++++++++++++++++++
 meta-oe/recipes-devtools/lua/lua_5.3.5.bb     |   1 +
 2 files changed, 168 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch

diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch
new file mode 100644
index 0000000000..89ce491487
--- /dev/null
+++ b/meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch
@@ -0,0 +1,167 @@
+From d8d344365945a534f700c82c5dd26f704f89fef3 Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Wed, 5 Aug 2020 16:59:58 +0800
+Subject: [PATCH] Fixed bug: invalid 'oldpc' when returning to a function
+
+The field 'L->oldpc' is not always updated when control returns to a
+function; an invalid value can seg. fault when computing 'changedline'.
+(One example is an error in a finalizer; control can return to
+'luaV_execute' without executing 'luaD_poscall'.) Instead of trying to
+fix all possible corner cases, it seems safer to be resilient to invalid
+values for 'oldpc'. Valid but wrong values at most cause an extra call
+to a line hook.
+
+CVE: CVE-2020-15945
+
+[Adjust the code to be applicable to the tree]
+
+Upstream-Status: Backport [https://github.com/lua/lua/commit/a2195644d89812e5b157ce7bac35543e06db05e3]
+
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+Signed-off-by: Joe Slater <joe.slater@@windriver.com>
+
+---
+ src/ldebug.c | 30 +++++++++++++++---------------
+ src/ldebug.h |  4 ++++
+ src/ldo.c    |  2 +-
+ src/lstate.c |  1 +
+ src/lstate.h |  2 +-
+ 5 files changed, 22 insertions(+), 17 deletions(-)
+
+diff --git a/src/ldebug.c b/src/ldebug.c
+index 239affb..832b16c 100644
+--- a/src/ldebug.c
++++ b/src/ldebug.c
+@@ -34,9 +34,8 @@
+ #define noLuaClosure(f)		((f) == NULL || (f)->c.tt == LUA_TCCL)
+ 
+ 
+-/* Active Lua function (given call info) */
+-#define ci_func(ci)		(clLvalue((ci)->func))
+-
++/* inverse of 'pcRel' */
++#define invpcRel(pc, p)                ((p)->code + (pc) + 1)
+ 
+ static const char *funcnamefromcode (lua_State *L, CallInfo *ci,
+                                     const char **name);
+@@ -71,20 +70,18 @@ static void swapextra (lua_State *L) {
+ 
+ /*
+ ** This function can be called asynchronously (e.g. during a signal).
+-** Fields 'oldpc', 'basehookcount', and 'hookcount' (set by
+-** 'resethookcount') are for debug only, and it is no problem if they
+-** get arbitrary values (causes at most one wrong hook call). 'hookmask'
+-** is an atomic value. We assume that pointers are atomic too (e.g., gcc
+-** ensures that for all platforms where it runs). Moreover, 'hook' is
+-** always checked before being called (see 'luaD_hook').
++** Fields 'basehookcount' and 'hookcount' (set by 'resethookcount')
++** are for debug only, and it is no problem if they get arbitrary
++** values (causes at most one wrong hook call). 'hookmask' is an atomic
++** value. We assume that pointers are atomic too (e.g., gcc ensures that
++** for all platforms where it runs). Moreover, 'hook' is always checked
++** before being called (see 'luaD_hook').
+ */
+ LUA_API void lua_sethook (lua_State *L, lua_Hook func, int mask, int count) {
+   if (func == NULL || mask == 0) {  /* turn off hooks? */
+     mask = 0;
+     func = NULL;
+   }
+-  if (isLua(L->ci))
+-    L->oldpc = L->ci->u.l.savedpc;
+   L->hook = func;
+   L->basehookcount = count;
+   resethookcount(L);
+@@ -665,7 +662,10 @@ l_noret luaG_runerror (lua_State *L, const char *fmt, ...) {
+ void luaG_traceexec (lua_State *L) {
+   CallInfo *ci = L->ci;
+   lu_byte mask = L->hookmask;
++  const Proto *p = ci_func(ci)->p;
+   int counthook = (--L->hookcount == 0 && (mask & LUA_MASKCOUNT));
++  /* 'L->oldpc' may be invalid; reset it in this case */
++  int oldpc = (L->oldpc < p->sizecode) ? L->oldpc : 0;
+   if (counthook)
+     resethookcount(L);  /* reset count */
+   else if (!(mask & LUA_MASKLINE))
+@@ -677,15 +677,15 @@ void luaG_traceexec (lua_State *L) {
+   if (counthook)
+     luaD_hook(L, LUA_HOOKCOUNT, -1);  /* call count hook */
+   if (mask & LUA_MASKLINE) {
+-    Proto *p = ci_func(ci)->p;
+     int npc = pcRel(ci->u.l.savedpc, p);
+     int newline = getfuncline(p, npc);
+     if (npc == 0 ||  /* call linehook when enter a new function, */
+-        ci->u.l.savedpc <= L->oldpc ||  /* when jump back (loop), or when */
+-        newline != getfuncline(p, pcRel(L->oldpc, p)))  /* enter a new line */
++        ci->u.l.savedpc <= invpcRel(oldpc, p) ||  /* when jump back (loop), or when */
++        newline != getfuncline(p, oldpc))  /* enter a new line */
+       luaD_hook(L, LUA_HOOKLINE, newline);  /* call line hook */
++
++    L->oldpc = npc;  /* 'pc' of last call to line hook */
+   }
+-  L->oldpc = ci->u.l.savedpc;
+   if (L->status == LUA_YIELD) {  /* did hook yield? */
+     if (counthook)
+       L->hookcount = 1;  /* undo decrement to zero */
+diff --git a/src/ldebug.h b/src/ldebug.h
+index 0e31546..c224cc4 100644
+--- a/src/ldebug.h
++++ b/src/ldebug.h
+@@ -13,6 +13,10 @@
+ 
+ #define pcRel(pc, p)	(cast(int, (pc) - (p)->code) - 1)
+ 
++/* Active Lua function (given call info) */
++#define ci_func(ci)            (clLvalue((ci)->func))
++
++
+ #define getfuncline(f,pc)	(((f)->lineinfo) ? (f)->lineinfo[pc] : -1)
+ 
+ #define resethookcount(L)	(L->hookcount = L->basehookcount)
+diff --git a/src/ldo.c b/src/ldo.c
+index 90b695f..f66ac1a 100644
+--- a/src/ldo.c
++++ b/src/ldo.c
+@@ -382,7 +382,7 @@ int luaD_poscall (lua_State *L, CallInfo *ci, StkId firstResult, int nres) {
+       luaD_hook(L, LUA_HOOKRET, -1);
+       firstResult = restorestack(L, fr);
+     }
+-    L->oldpc = ci->previous->u.l.savedpc;  /* 'oldpc' for caller function */
++    L->oldpc = pcRel(ci->u.l.savedpc, ci_func(ci)->p);  /* 'oldpc' for caller function */
+   }
+   res = ci->func;  /* res == final position of 1st result */
+   L->ci = ci->previous;  /* back to caller */
+diff --git a/src/lstate.c b/src/lstate.c
+index 9194ac3..3573e36 100644
+--- a/src/lstate.c
++++ b/src/lstate.c
+@@ -236,6 +236,7 @@ static void preinit_thread (lua_State *L, global_State *g) {
+   L->nny = 1;
+   L->status = LUA_OK;
+   L->errfunc = 0;
++  L->oldpc = 0;
+ }
+ 
+ 
+diff --git a/src/lstate.h b/src/lstate.h
+index a469466..d75eadf 100644
+--- a/src/lstate.h
++++ b/src/lstate.h
+@@ -164,7 +164,6 @@ struct lua_State {
+   StkId top;  /* first free slot in the stack */
+   global_State *l_G;
+   CallInfo *ci;  /* call info for current function */
+-  const Instruction *oldpc;  /* last pc traced */
+   StkId stack_last;  /* last free slot in the stack */
+   StkId stack;  /* stack base */
+   UpVal *openupval;  /* list of open upvalues in this stack */
+@@ -174,6 +173,7 @@ struct lua_State {
+   CallInfo base_ci;  /* CallInfo for first level (C calling Lua) */
+   volatile lua_Hook hook;
+   ptrdiff_t errfunc;  /* current error handling function (stack index) */
++  int oldpc;  /* last pc traced */
+   int stacksize;
+   int basehookcount;
+   int hookcount;
+-- 
+2.13.3
+
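Review bot: in the src/ldo.c part of the new patch, the added assignment computes 'oldpc' from 'ci' (pcRel(ci->u.l.savedpc, ci_func(ci)->p)), while the line it replaces read ci->previous->u.l.savedpc and the comment kept on that line still says "'oldpc' for caller function". L->ci is only set to ci->previous two lines further down, so 'ci' here is the function that is returning; please confirm the value should not be taken from ci->previous, and that 'ci' is known to be a Lua function before ci_func(ci)->p is dereferenced. Separately, the Signed-off-by line for Joe Slater in the patch header has a doubled '@@' in the address.
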
diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.5.bb b/meta-oe/recipes-devtools/lua/lua_5.3.5.bb
index d3461b06de..4f89579c78 100644
--- a/meta-oe/recipes-devtools/lua/lua_5.3.5.bb
+++ b/meta-oe/recipes-devtools/lua/lua_5.3.5.bb
@@ -8,6 +8,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
            file://lua.pc.in \
            file://0001-Allow-building-lua-without-readline-on-Linux.patch \
            file://CVE-2020-15888.patch \
+           file://CVE-2020-15945.patch \
            "
 
 # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release.
-- 
2.17.1



* [dunfell 16/28] lua: fix CVE-2020-24371
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (14 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 15/28] lua: fix CVE-2020-15945 akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 17/28] lua: update to 5.3.6 akuster
                   ` (13 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Wenlin Kang <wenlin.kang@windriver.com>

Source: openembedded.org
MR: 105165
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/meta-openembedded gatesgarth
ChangeID: 747161877824daae061bc4fb458f55ab033f62f4
Description:

Fix CVE-2020-24371

Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ...rriers-cannot-be-active-during-sweep.patch | 90 +++++++++++++++++++
 meta-oe/recipes-devtools/lua/lua_5.3.5.bb     |  1 +
 2 files changed, 91 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/lua/lua/0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch

diff --git a/meta-oe/recipes-devtools/lua/lua/0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch b/meta-oe/recipes-devtools/lua/lua/0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch
new file mode 100644
index 0000000000..a302874d76
--- /dev/null
+++ b/meta-oe/recipes-devtools/lua/lua/0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch
@@ -0,0 +1,90 @@
+From 1e6df25ac28dcd89f0324177bb55019422404b44 Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Thu, 3 Sep 2020 15:32:17 +0800
+Subject: [PATCH] Fixed bug: barriers cannot be active during sweep
+
+Barriers cannot be active during sweep, even in generational mode.
+(Although gen. mode is not incremental, it can hit a barrier when
+deleting a thread and closing its upvalues.)  The colors of objects are
+being changed during sweep and, therefore, cannot be trusted.
+
+Upstream-Status: Backport [https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110]
+CVE: CVE-2020-24371
+
+[Adjust code KGC_INC -> KGC_NORMAL, refer 69371c4b84becac09c445aae01d005b49658ef82]
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+---
+ src/lgc.c | 33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/src/lgc.c b/src/lgc.c
+index 973c269..7af23d5 100644
+--- a/src/lgc.c
++++ b/src/lgc.c
+@@ -142,10 +142,17 @@ static int iscleared (global_State *g, const TValue *o) {
+ 
+ 
+ /*
+-** barrier that moves collector forward, that is, mark the white object
+-** being pointed by a black object. (If in sweep phase, clear the black
+-** object to white [sweep it] to avoid other barrier calls for this
+-** same object.)
++** Barrier that moves collector forward, that is, marks the white object
++** 'v' being pointed by the black object 'o'.  In the generational
++** mode, 'v' must also become old, if 'o' is old; however, it cannot
++** be changed directly to OLD, because it may still point to non-old
++** objects. So, it is marked as OLD0. In the next cycle it will become
++** OLD1, and in the next it will finally become OLD (regular old). By
++** then, any object it points to will also be old.  If called in the
++** incremental sweep phase, it clears the black object to white (sweep
++** it) to avoid other barrier calls for this same object. (That cannot
++** be done is generational mode, as its sweep does not distinguish
++** whites from deads.)
+ */
+ void luaC_barrier_ (lua_State *L, GCObject *o, GCObject *v) {
+   global_State *g = G(L);
+@@ -154,7 +161,8 @@ void luaC_barrier_ (lua_State *L, GCObject *o, GCObject *v) {
+     reallymarkobject(g, v);  /* restore invariant */
+   else {  /* sweep phase */
+     lua_assert(issweepphase(g));
+-    makewhite(g, o);  /* mark main obj. as white to avoid other barriers */
++    if (g->gckind == KGC_NORMAL)  /* incremental mode? */
++      makewhite(g, o);  /* mark 'o' as white to avoid other barriers */
+   }
+ }
+ 
+@@ -299,10 +307,15 @@ static void markbeingfnz (global_State *g) {
+ 
+ 
+ /*
+-** Mark all values stored in marked open upvalues from non-marked threads.
+-** (Values from marked threads were already marked when traversing the
+-** thread.) Remove from the list threads that no longer have upvalues and
+-** not-marked threads.
++** For each non-marked thread, simulates a barrier between each open
++** upvalue and its value. (If the thread is collected, the value will be
++** assigned to the upvalue, but then it can be too late for the barrier
++** to act. The "barrier" does not need to check colors: A non-marked
++** thread must be young; upvalues cannot be older than their threads; so
++** any visited upvalue must be young too.) Also removes the thread from
++** the list, as it was already visited. Removes also threads with no
++** upvalues, as they have nothing to be checked. (If the thread gets an
++** upvalue later, it will be linked in the list again.)
+ */
+ static void remarkupvals (global_State *g) {
+   lua_State *thread;
+@@ -313,9 +326,11 @@ static void remarkupvals (global_State *g) {
+       p = &thread->twups;  /* keep marked thread with upvalues in the list */
+     else {  /* thread is not marked or without upvalues */
+       UpVal *uv;
++      lua_assert(!isold(thread) || thread->openupval == NULL);
+       *p = thread->twups;  /* remove thread from the list */
+       thread->twups = thread;  /* mark that it is out of list */
+       for (uv = thread->openupval; uv != NULL; uv = uv->u.open.next) {
++        lua_assert(getage(uv) <= getage(thread));
+         if (uv->u.open.touched) {
+           markvalue(g, uv->v);  /* remark upvalue's value */
+           uv->u.open.touched = 0;
+-- 
+1.9.1
+
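Review bot: the two added lua_assert() lines in remarkupvals use isold() and getage(), and the new comments describe generational mode, yet the header note says the code was adjusted from KGC_INC to KGC_NORMAL to fit this tree. Please confirm that isold() and getage() exist in the 5.3.5 sources; if they do not, the asserts compile only while lua_assert is a no-op and will break any build that enables assertions, so they are better dropped from the backport. The patch file would also be easier to track if it were named CVE-2020-24371.patch, like the CVE-2020-15888.patch and CVE-2020-15945.patch entries next to it in SRC_URI.
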
diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.5.bb b/meta-oe/recipes-devtools/lua/lua_5.3.5.bb
index 4f89579c78..7d84ea60b6 100644
--- a/meta-oe/recipes-devtools/lua/lua_5.3.5.bb
+++ b/meta-oe/recipes-devtools/lua/lua_5.3.5.bb
@@ -9,6 +9,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
            file://0001-Allow-building-lua-without-readline-on-Linux.patch \
            file://CVE-2020-15888.patch \
            file://CVE-2020-15945.patch \
+           file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \
            "
 
 # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release.
-- 
2.17.1



* [dunfell 17/28] lua: update to 5.3.6
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (15 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 16/28] lua: fix CVE-2020-24371 akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 18/28] nss: Security fix CVE-2020-12401 akuster
                   ` (12 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Armin Kuster <akuster@mvista.com>

LIC_FILES_CHKSUM changed to do year updates

This is the last 5.3.x update. This will give us the best
starting point for doing maintenance moving forward.

It's a bug fix only update. See http://www.lua.org/work/diffs-lua-5.3.5-lua-5.3.6.html

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-oe/recipes-devtools/lua/{lua_5.3.5.bb => lua_5.3.6.bb} | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 rename meta-oe/recipes-devtools/lua/{lua_5.3.5.bb => lua_5.3.6.bb} (92%)

diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.5.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
similarity index 92%
rename from meta-oe/recipes-devtools/lua/lua_5.3.5.bb
rename to meta-oe/recipes-devtools/lua/lua_5.3.6.bb
index 7d84ea60b6..342ed1b547 100644
--- a/meta-oe/recipes-devtools/lua/lua_5.3.5.bb
+++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
@@ -1,7 +1,7 @@
 DESCRIPTION = "Lua is a powerful light-weight programming language designed \
 for extending applications."
 LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://doc/readme.html;beginline=318;endline=352;md5=60aa5cfdbd40086501778d9b6ebf29ee"
+LIC_FILES_CHKSUM = "file://doc/readme.html;beginline=318;endline=352;md5=f43d8ee6bc4df18ef8b276439cc4a153"
 HOMEPAGE = "http://www.lua.org/"
 
 SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
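Review bot: the SRC_URI list that starts on the last context line of this hunk is not touched by the patch (the diffstat is 3 insertions and 3 deletions, all of them checksums), so CVE-2020-15888.patch, CVE-2020-15945.patch and 0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch from 15/28 and 16/28 are still applied on top of 5.3.6. The description calls this a bug fix only update; please state whether 5.3.6 already contains any of those fixes, and drop the patches it makes redundant.
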
@@ -20,8 +20,8 @@ SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', \
             file://run-ptest \
            ', '', d)}"
 
-SRC_URI[tarballsrc.md5sum] = "4f4b4f323fd3514a68e0ab3da8ce3455"
-SRC_URI[tarballsrc.sha256sum] = "0c2eed3f960446e1a3e4b9a1ca2f3ff893b6ce41942cf54d5dd59ab4b3b058ac"
+SRC_URI[tarballsrc.md5sum] = "83f23dbd5230140a3770d5f54076948d"
+SRC_URI[tarballsrc.sha256sum] = "fc5fd69bb8736323f026672b1b7235da613d7177e72558893a0bdcd320466d60"
 SRC_URI[tarballtest.md5sum] = "b14fe3748c1cb2d74e3acd1943629ba3"
 SRC_URI[tarballtest.sha256sum] = "b80771238271c72565e5a1183292ef31bd7166414cd0d43a8eb79845fa7f599f"
 
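
Review bot: only the tarballsrc checksums change in this hunk; tarballtest.md5sum and tarballtest.sha256sum in the trailing context are untouched, so the ptest suite stays pinned to whatever tarball it used with 5.3.5. If that is intentional, say so in the commit message so a later reader does not take it for an oversight.
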
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 33+ messages in thread

* [dunfell 18/28] nss: Security fix CVE-2020-12401
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (16 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 17/28] lua: update to 5.3.6 akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 19/28] wireshark: Several securtiy fixes akuster
                   ` (11 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Armin Kuster <akuster@mvista.com>

Source: Mozilla.org
MR: 106876
Type: Security Fix
Disposition: Backport from https://hg.mozilla.org/projects/nss/raw-rev/aeb2e583ee957a699d949009c7ba37af76515c20
ChangeID: a61d4926f8ab5afc54c23e58cd86b4a7609c9708
Description:

Fixes CVE-2020-12401

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../nss/nss/CVE-2020-12401.patch              | 52 +++++++++++++++++++
 meta-oe/recipes-support/nss/nss_3.51.1.bb     |  1 +
 2 files changed, 53 insertions(+)
 create mode 100644 meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch

diff --git a/meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch b/meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch
new file mode 100644
index 0000000000..e67926fe50
--- /dev/null
+++ b/meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch
@@ -0,0 +1,52 @@
+# HG changeset patch
+# User Billy Brumley <bbrumley@gmail.com>
+# Date 1595283525 0
+# Node ID aeb2e583ee957a699d949009c7ba37af76515c20
+# Parent  ca207655b4b7cb1d3a5e438c1fb9b90d45596da6
+Bug 1631573: Remove unnecessary scalar padding in ec.c r=kjacobs,bbeurdouche
+
+Subsequent calls to ECPoints_mul and ECPoint_mul remove this padding.
+
+Timing attack countermeasures are now applied more generally deeper in
+the call stack.
+
+Differential Revision: https://phabricator.services.mozilla.com/D82011
+
+
+Upstream-Status: Backport
+
+CVE: CVE-2020-1240
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: nss-3.51.1/nss/lib/freebl/ec.c
+===================================================================
+--- nss-3.51.1.orig/nss/lib/freebl/ec.c
++++ nss-3.51.1/nss/lib/freebl/ec.c
+@@ -724,27 +724,6 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *k
+     }
+ 
+     /*
+-    ** We do not want timing information to leak the length of k,
+-    ** so we compute k*G using an equivalent scalar of fixed
+-    ** bit-length.
+-    ** Fix based on patch for ECDSA timing attack in the paper
+-    ** by Billy Bob Brumley and Nicola Tuveri at
+-    **   http://eprint.iacr.org/2011/232
+-    **
+-    ** How do we convert k to a value of a fixed bit-length?
+-    ** k starts off as an integer satisfying 0 <= k < n.  Hence,
+-    ** n <= k+n < 2n, which means k+n has either the same number
+-    ** of bits as n or one more bit than n.  If k+n has the same
+-    ** number of bits as n, the second addition ensures that the
+-    ** final value has exactly one more bit than n.  Thus, we
+-    ** always end up with a value that exactly one more bit than n.
+-    */
+-    CHECK_MPI_OK(mp_add(&k, &n, &k));
+-    if (mpl_significant_bits(&k) <= mpl_significant_bits(&n)) {
+-        CHECK_MPI_OK(mp_add(&k, &n, &k));
+-    }
+-
+-    /*
+     ** ANSI X9.62, Section 5.3.2, Step 2
+     **
+     ** Compute kG
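
Review bot: the CVE tag in the embedded patch header reads "CVE: CVE-2020-1240", one digit short of the CVE-2020-12401 named in the subject, the commit message and the patch file name. Tooling that reads the CVE: tag to mark an issue as patched will record the wrong identifier, so this line should be "CVE: CVE-2020-12401". The "Upstream-Status: Backport" line would also be easier to audit with the upstream URL from the commit message's Disposition field in brackets after it.
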
diff --git a/meta-oe/recipes-support/nss/nss_3.51.1.bb b/meta-oe/recipes-support/nss/nss_3.51.1.bb
index c00bd34cb2..3e3c3a3fdf 100644
--- a/meta-oe/recipes-support/nss/nss_3.51.1.bb
+++ b/meta-oe/recipes-support/nss/nss_3.51.1.bb
@@ -35,6 +35,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
            file://riscv.patch \
            file://0001-Enable-uint128-on-mips64.patch \
            file://0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch \
+           file://CVE-2020-12401.patch \
            "
 
 SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233"
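
Review bot: nothing in this SRC_URI list shows that nss 3.51.1 carries the deeper timing countermeasures the added patch relies on. CVE-2020-12401.patch removes the fixed-bit-length scalar padding from ECDSA_SignDigestWithSeed on the grounds that countermeasures are "now applied more generally deeper in the call stack", and the only related entry visible here is 0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch, which by its name covers DSA. Please confirm, and state in the commit message, which change supplies the ECPoint_mul/ECPoints_mul countermeasure in 3.51.1, since dropping the padding without it would leave the length of k exposed to the timing leak the removed comment describes.
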
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 33+ messages in thread

* [dunfell 19/28] wireshark: Several securtiy fixes
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (17 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 18/28] nss: Security fix CVE-2020-12401 akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 20/28] nodejs: Fix build with icu 67.1 akuster
                   ` (10 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Armin Kuster <akuster@mvista.com>

Source: Wireshark.org
MR: 106181, 106696, 107655, 107673, 107682
Type: Security Fix
Disposition: Backport from wireshark.org
ChangeID: 57df6ac3b11aabd96e6aec728501ce7988bc176a
Description:

Bugfix only update including these CVEs:
3.2.8
CVE-2020-26575
CVE-2020-28030

3.2.9
CVE-2020-26418
CVE-2020-26421
CVE-2020-26420

Signed-off-by: Armin Kuster <akuster@mvista.com>
(cherry picked from commit a10ea62a1c9c7b0c4810f2e4ef0dcc6f75b0ca6b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../wireshark/{wireshark_3.2.7.bb => wireshark_3.2.10.bb}       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta-networking/recipes-support/wireshark/{wireshark_3.2.7.bb => wireshark_3.2.10.bb} (96%)

diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.7.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.10.bb
similarity index 96%
rename from meta-networking/recipes-support/wireshark/wireshark_3.2.7.bb
rename to meta-networking/recipes-support/wireshark/wireshark_3.2.10.bb
index 65f925ce1f..d284824149 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.2.7.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.10.bb
@@ -12,7 +12,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
 
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
 
-SRC_URI[sha256sum] = "be832fb86d9c455c5be8b225a755cdc77cb0e92356bdfc1fe4b000d93f7d70da"
+SRC_URI[sha256sum] = "1e9e239f2449f240a7910ed598084ccaf8ea308b2b46b196c5adbec59612226c"
 
 PE = "1"
 
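
Review bot: the recipe is renamed to wireshark_3.2.10.bb, but the commit message lists CVEs only under 3.2.8 and 3.2.9, so it is not clear from the message what 3.2.10 contributes. Add a 3.2.10 entry, or say that it carries no CVE fixes, so the CVE list matches the version that the new SRC_URI[sha256sum] pins.
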
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 33+ messages in thread

* [dunfell 20/28] nodejs: Fix build with icu 67.1
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (18 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 19/28] wireshark: Several securtiy fixes akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 21/28] nodejs: Upgrade to 12.18.3 akuster
                   ` (9 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Khem Raj <raj.khem@gmail.com>

Remove soon-to-be removed getAllFieldPositions

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Andrej Valek <andrej.valek@siemens.com>
(cherry picked from commit 7910f2b64575dcd3352effd441accb3b56e3554d)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../0001-deps-V8-backport-3f8dc4b2e5ba.patch  | 194 ++++++++++++++++++
 .../recipes-devtools/nodejs/nodejs_12.14.1.bb |   1 +
 2 files changed, 195 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-deps-V8-backport-3f8dc4b2e5ba.patch

diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-deps-V8-backport-3f8dc4b2e5ba.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-deps-V8-backport-3f8dc4b2e5ba.patch
new file mode 100644
index 0000000000..07dbdfe564
--- /dev/null
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/0001-deps-V8-backport-3f8dc4b2e5ba.patch
@@ -0,0 +1,194 @@
+From 836311710ca8d49fdf4d619e3a738a445c413605 Mon Sep 17 00:00:00 2001
+From: Ujjwal Sharma <ryzokuken@disroot.org>
+Date: Wed, 22 Apr 2020 12:20:17 +0530
+Subject: [PATCH] deps: V8: backport 3f8dc4b2e5ba
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Original commit message:
+
+    [intl] Remove soon-to-be removed getAllFieldPositions
+
+    Needed to land ICU67.1 soon.
+
+    Bug: v8:10393
+    Change-Id: I3c7737ca600d6ccfdc46ffaddfb318ce60bc7618
+    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2136489
+    Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
+    Commit-Queue: Frank Tang <ftang@chromium.org>
+    Cr-Commit-Position: refs/heads/master@{#67027}
+
+Refs: https://github.com/v8/v8/commit/3f8dc4b2e5baf77b463334c769af85b79d8c1463
+
+PR-URL: https://github.com/nodejs/node/pull/32993
+Reviewed-By: Michaël Zasso <targos@protonmail.com>
+Reviewed-By: Matheus Marchini <mat@mmarchini.me>
+Reviewed-By: Steven R Loomis <srloomis@us.ibm.com>
+Reviewed-By: Richard Lau <riclau@uk.ibm.com>
+---
+ common.gypi                             |  2 +-
+ deps/v8/src/objects/js-number-format.cc | 72 +++++++++++++------------
+ 2 files changed, 38 insertions(+), 36 deletions(-)
+
+diff --git a/common.gypi b/common.gypi
+index b86e5e0..a7b37e6 100644
+--- a/common.gypi
++++ b/common.gypi
+@@ -38,7 +38,7 @@
+ 
+     # Reset this number to 0 on major V8 upgrades.
+     # Increment by one for each non-official patch applied to deps/v8.
+-    'v8_embedder_string': '-node.16',
++    'v8_embedder_string': '-node.17',
+ 
+     ##### V8 defaults for Node.js #####
+ 
+diff --git a/deps/v8/src/objects/js-number-format.cc b/deps/v8/src/objects/js-number-format.cc
+index d1e3ef4..757c665 100644
+--- a/deps/v8/src/objects/js-number-format.cc
++++ b/deps/v8/src/objects/js-number-format.cc
+@@ -1252,42 +1252,31 @@ MaybeHandle<JSNumberFormat> JSNumberFormat::New(Isolate* isolate,
+ }
+ 
+ namespace {
+-Maybe<icu::UnicodeString> IcuFormatNumber(
++Maybe<bool> IcuFormatNumber(
+     Isolate* isolate,
+     const icu::number::LocalizedNumberFormatter& number_format,
+-    Handle<Object> numeric_obj, icu::FieldPositionIterator* fp_iter) {
++    Handle<Object> numeric_obj, icu::number::FormattedNumber* formatted) {
+   // If it is BigInt, handle it differently.
+   UErrorCode status = U_ZERO_ERROR;
+-  icu::number::FormattedNumber formatted;
+   if (numeric_obj->IsBigInt()) {
+     Handle<BigInt> big_int = Handle<BigInt>::cast(numeric_obj);
+     Handle<String> big_int_string;
+     ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, big_int_string,
+                                      BigInt::ToString(isolate, big_int),
+-                                     Nothing<icu::UnicodeString>());
+-    formatted = number_format.formatDecimal(
++                                     Nothing<bool>());
++    *formatted = number_format.formatDecimal(
+         {big_int_string->ToCString().get(), big_int_string->length()}, status);
+   } else {
+     double number = numeric_obj->Number();
+-    formatted = number_format.formatDouble(number, status);
++    *formatted = number_format.formatDouble(number, status);
+   }
+   if (U_FAILURE(status)) {
+     // This happen because of icu data trimming trim out "unit".
+     // See https://bugs.chromium.org/p/v8/issues/detail?id=8641
+-    THROW_NEW_ERROR_RETURN_VALUE(isolate,
+-                                 NewTypeError(MessageTemplate::kIcuError),
+-                                 Nothing<icu::UnicodeString>());
+-  }
+-  if (fp_iter) {
+-    formatted.getAllFieldPositions(*fp_iter, status);
++    THROW_NEW_ERROR_RETURN_VALUE(
++        isolate, NewTypeError(MessageTemplate::kIcuError), Nothing<bool>());
+   }
+-  icu::UnicodeString result = formatted.toString(status);
+-  if (U_FAILURE(status)) {
+-    THROW_NEW_ERROR_RETURN_VALUE(isolate,
+-                                 NewTypeError(MessageTemplate::kIcuError),
+-                                 Nothing<icu::UnicodeString>());
+-  }
+-  return Just(result);
++  return Just(true);
+ }
+ 
+ }  // namespace
+@@ -1298,10 +1287,16 @@ MaybeHandle<String> JSNumberFormat::FormatNumeric(
+     Handle<Object> numeric_obj) {
+   DCHECK(numeric_obj->IsNumeric());
+ 
+-  Maybe<icu::UnicodeString> maybe_format =
+-      IcuFormatNumber(isolate, number_format, numeric_obj, nullptr);
++  icu::number::FormattedNumber formatted;
++  Maybe<bool> maybe_format =
++      IcuFormatNumber(isolate, number_format, numeric_obj, &formatted);
+   MAYBE_RETURN(maybe_format, Handle<String>());
+-  return Intl::ToString(isolate, maybe_format.FromJust());
++  UErrorCode status = U_ZERO_ERROR;
++  icu::UnicodeString result = formatted.toString(status);
++  if (U_FAILURE(status)) {
++    THROW_NEW_ERROR(isolate, NewTypeError(MessageTemplate::kIcuError), String);
++  }
++  return Intl::ToString(isolate, result);
+ }
+ 
+ namespace {
+@@ -1414,12 +1409,18 @@ std::vector<NumberFormatSpan> FlattenRegionsToParts(
+ }
+ 
+ namespace {
+-Maybe<int> ConstructParts(Isolate* isolate, const icu::UnicodeString& formatted,
+-                          icu::FieldPositionIterator* fp_iter,
++Maybe<int> ConstructParts(Isolate* isolate,
++                          icu::number::FormattedNumber* formatted,
+                           Handle<JSArray> result, int start_index,
+                           Handle<Object> numeric_obj, bool style_is_unit) {
++  UErrorCode status = U_ZERO_ERROR;
++  icu::UnicodeString formatted_text = formatted->toString(status);
++  if (U_FAILURE(status)) {
++    THROW_NEW_ERROR_RETURN_VALUE(
++        isolate, NewTypeError(MessageTemplate::kIcuError), Nothing<int>());
++  }
+   DCHECK(numeric_obj->IsNumeric());
+-  int32_t length = formatted.length();
++  int32_t length = formatted_text.length();
+   int index = start_index;
+   if (length == 0) return Just(index);
+ 
+@@ -1428,13 +1429,14 @@ Maybe<int> ConstructParts(Isolate* isolate, const icu::UnicodeString& formatted,
+   // other region covers some part of the formatted string. It's possible
+   // there's another field with exactly the same begin and end as this backdrop,
+   // in which case the backdrop's field_id of -1 will give it lower priority.
+-  regions.push_back(NumberFormatSpan(-1, 0, formatted.length()));
++  regions.push_back(NumberFormatSpan(-1, 0, formatted_text.length()));
+ 
+   {
+-    icu::FieldPosition fp;
+-    while (fp_iter->next(fp)) {
+-      regions.push_back(NumberFormatSpan(fp.getField(), fp.getBeginIndex(),
+-                                         fp.getEndIndex()));
++    icu::ConstrainedFieldPosition cfp;
++    cfp.constrainCategory(UFIELD_CATEGORY_NUMBER);
++    while (formatted->nextPosition(cfp, status)) {
++      regions.push_back(
++          NumberFormatSpan(cfp.getField(), cfp.getStart(), cfp.getLimit()));
+     }
+   }
+ 
+@@ -1456,7 +1458,7 @@ Maybe<int> ConstructParts(Isolate* isolate, const icu::UnicodeString& formatted,
+     Handle<String> substring;
+     ASSIGN_RETURN_ON_EXCEPTION_VALUE(
+         isolate, substring,
+-        Intl::ToString(isolate, formatted, part.begin_pos, part.end_pos),
++        Intl::ToString(isolate, formatted_text, part.begin_pos, part.end_pos),
+         Nothing<int>());
+     Intl::AddElement(isolate, result, index, field_type_string, substring);
+     ++index;
+@@ -1476,14 +1478,14 @@ MaybeHandle<JSArray> JSNumberFormat::FormatToParts(
+       number_format->icu_number_formatter().raw();
+   CHECK_NOT_NULL(fmt);
+ 
+-  icu::FieldPositionIterator fp_iter;
+-  Maybe<icu::UnicodeString> maybe_format =
+-      IcuFormatNumber(isolate, *fmt, numeric_obj, &fp_iter);
++  icu::number::FormattedNumber formatted;
++  Maybe<bool> maybe_format =
++      IcuFormatNumber(isolate, *fmt, numeric_obj, &formatted);
+   MAYBE_RETURN(maybe_format, Handle<JSArray>());
+ 
+   Handle<JSArray> result = factory->NewJSArray(0);
+   Maybe<int> maybe_format_to_parts = ConstructParts(
+-      isolate, maybe_format.FromJust(), &fp_iter, result, 0, numeric_obj,
++      isolate, &formatted, result, 0, numeric_obj,
+       number_format->style() == JSNumberFormat::Style::UNIT);
+   MAYBE_RETURN(maybe_format_to_parts, Handle<JSArray>());
+ 
+-- 
+2.26.2
+
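
Review bot: the new 0001-deps-V8-backport-3f8dc4b2e5ba.patch has no Upstream-Status: line in its header, unlike CVE-2020-12401.patch in 18/28; add "Upstream-Status: Backport" with the Refs or PR-URL that the header already quotes. In the code itself, ConstructParts passes status to formatted->nextPosition(cfp, status) in the loop and never checks it with U_FAILURE afterwards, so an ICU error during iteration would silently produce a shortened regions list. That comes from the upstream change, but it is worth knowing when carrying the backport.
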
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_12.14.1.bb b/meta-oe/recipes-devtools/nodejs/nodejs_12.14.1.bb
index d468fb3ffa..9f9f320aa7 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_12.14.1.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_12.14.1.bb
@@ -23,6 +23,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
            file://0001-build-allow-passing-multiple-libs-to-pkg_config.patch \
            file://0002-build-allow-use-of-system-installed-brotli.patch \
            file://mips-warnings.patch \
+           file://0001-deps-V8-backport-3f8dc4b2e5ba.patch \
            "
 SRC_URI_append_class-target = " \
            file://0002-Using-native-binaries.patch \
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 33+ messages in thread

* [dunfell 21/28] nodejs: Upgrade to 12.18.3
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (19 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 20/28] nodejs: Fix build with icu 67.1 akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 22/28] nodejs: Fix arm32/thumb builds with clang akuster
                   ` (8 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Khem Raj <raj.khem@gmail.com>

Drop already upstreamed patches
use builtin uv, it does not build without it

Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit bda3ee6276d76a10d2b5564da5709db4c21b8f13)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ...-passing-multiple-libs-to-pkg_config.patch |  41 ----
 .../0001-deps-V8-backport-3f8dc4b2e5ba.patch  | 194 ------------------
 ...allow-use-of-system-installed-brotli.patch |  66 ------
 ...Install-both-binaries-and-use-libdir.patch |  28 +--
 .../{nodejs_12.14.1.bb => nodejs_12.18.3.bb}  |  12 +-
 5 files changed, 14 insertions(+), 327 deletions(-)
 delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-build-allow-passing-multiple-libs-to-pkg_config.patch
 delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-deps-V8-backport-3f8dc4b2e5ba.patch
 delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0002-build-allow-use-of-system-installed-brotli.patch
 rename meta-oe/recipes-devtools/nodejs/{nodejs_12.14.1.bb => nodejs_12.18.3.bb} (93%)

diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-build-allow-passing-multiple-libs-to-pkg_config.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-build-allow-passing-multiple-libs-to-pkg_config.patch
deleted file mode 100644
index 13edf229b3..0000000000
--- a/meta-oe/recipes-devtools/nodejs/nodejs/0001-build-allow-passing-multiple-libs-to-pkg_config.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From fdaa0e3bef93c5c72a7258b5f1e30718e7d81f9b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <git@andred.net>
-Date: Mon, 2 Mar 2020 12:17:09 +0000
-Subject: [PATCH 1/2] build: allow passing multiple libs to pkg_config
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Sometimes it's necessary to pass multiple library names to pkg-config,
-e.g. the brotli shared libraries can be pulled in with
-    pkg-config libbrotlienc libbrotlidec
-
-Update the code to handle both, strings (as used so far), and lists
-of strings.
-
-Signed-off-by: André Draszik <git@andred.net>
----
-Upstream-Status: Submitted [https://github.com/nodejs/node/pull/32046]
- configure.py | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/configure.py b/configure.py
-index beb08df088..e3f78f2fed 100755
---- a/configure.py
-+++ b/configure.py
-@@ -680,7 +680,11 @@ def pkg_config(pkg):
-   retval = ()
-   for flag in ['--libs-only-l', '--cflags-only-I',
-                '--libs-only-L', '--modversion']:
--    args += [flag, pkg]
-+    args += [flag]
-+    if isinstance(pkg, list):
-+      args += pkg
-+    else:
-+      args += [pkg]
-     try:
-       proc = subprocess.Popen(shlex.split(pkg_config) + args,
-                               stdout=subprocess.PIPE)
--- 
-2.25.0
-
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-deps-V8-backport-3f8dc4b2e5ba.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-deps-V8-backport-3f8dc4b2e5ba.patch
deleted file mode 100644
index 07dbdfe564..0000000000
--- a/meta-oe/recipes-devtools/nodejs/nodejs/0001-deps-V8-backport-3f8dc4b2e5ba.patch
+++ /dev/null
@@ -1,194 +0,0 @@
-From 836311710ca8d49fdf4d619e3a738a445c413605 Mon Sep 17 00:00:00 2001
-From: Ujjwal Sharma <ryzokuken@disroot.org>
-Date: Wed, 22 Apr 2020 12:20:17 +0530
-Subject: [PATCH] deps: V8: backport 3f8dc4b2e5ba
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Original commit message:
-
-    [intl] Remove soon-to-be removed getAllFieldPositions
-
-    Needed to land ICU67.1 soon.
-
-    Bug: v8:10393
-    Change-Id: I3c7737ca600d6ccfdc46ffaddfb318ce60bc7618
-    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2136489
-    Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
-    Commit-Queue: Frank Tang <ftang@chromium.org>
-    Cr-Commit-Position: refs/heads/master@{#67027}
-
-Refs: https://github.com/v8/v8/commit/3f8dc4b2e5baf77b463334c769af85b79d8c1463
-
-PR-URL: https://github.com/nodejs/node/pull/32993
-Reviewed-By: Michaël Zasso <targos@protonmail.com>
-Reviewed-By: Matheus Marchini <mat@mmarchini.me>
-Reviewed-By: Steven R Loomis <srloomis@us.ibm.com>
-Reviewed-By: Richard Lau <riclau@uk.ibm.com>
----
- common.gypi                             |  2 +-
- deps/v8/src/objects/js-number-format.cc | 72 +++++++++++++------------
- 2 files changed, 38 insertions(+), 36 deletions(-)
-
-diff --git a/common.gypi b/common.gypi
-index b86e5e0..a7b37e6 100644
---- a/common.gypi
-+++ b/common.gypi
-@@ -38,7 +38,7 @@
- 
-     # Reset this number to 0 on major V8 upgrades.
-     # Increment by one for each non-official patch applied to deps/v8.
--    'v8_embedder_string': '-node.16',
-+    'v8_embedder_string': '-node.17',
- 
-     ##### V8 defaults for Node.js #####
- 
-diff --git a/deps/v8/src/objects/js-number-format.cc b/deps/v8/src/objects/js-number-format.cc
-index d1e3ef4..757c665 100644
---- a/deps/v8/src/objects/js-number-format.cc
-+++ b/deps/v8/src/objects/js-number-format.cc
-@@ -1252,42 +1252,31 @@ MaybeHandle<JSNumberFormat> JSNumberFormat::New(Isolate* isolate,
- }
- 
- namespace {
--Maybe<icu::UnicodeString> IcuFormatNumber(
-+Maybe<bool> IcuFormatNumber(
-     Isolate* isolate,
-     const icu::number::LocalizedNumberFormatter& number_format,
--    Handle<Object> numeric_obj, icu::FieldPositionIterator* fp_iter) {
-+    Handle<Object> numeric_obj, icu::number::FormattedNumber* formatted) {
-   // If it is BigInt, handle it differently.
-   UErrorCode status = U_ZERO_ERROR;
--  icu::number::FormattedNumber formatted;
-   if (numeric_obj->IsBigInt()) {
-     Handle<BigInt> big_int = Handle<BigInt>::cast(numeric_obj);
-     Handle<String> big_int_string;
-     ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, big_int_string,
-                                      BigInt::ToString(isolate, big_int),
--                                     Nothing<icu::UnicodeString>());
--    formatted = number_format.formatDecimal(
-+                                     Nothing<bool>());
-+    *formatted = number_format.formatDecimal(
-         {big_int_string->ToCString().get(), big_int_string->length()}, status);
-   } else {
-     double number = numeric_obj->Number();
--    formatted = number_format.formatDouble(number, status);
-+    *formatted = number_format.formatDouble(number, status);
-   }
-   if (U_FAILURE(status)) {
-     // This happen because of icu data trimming trim out "unit".
-     // See https://bugs.chromium.org/p/v8/issues/detail?id=8641
--    THROW_NEW_ERROR_RETURN_VALUE(isolate,
--                                 NewTypeError(MessageTemplate::kIcuError),
--                                 Nothing<icu::UnicodeString>());
--  }
--  if (fp_iter) {
--    formatted.getAllFieldPositions(*fp_iter, status);
-+    THROW_NEW_ERROR_RETURN_VALUE(
-+        isolate, NewTypeError(MessageTemplate::kIcuError), Nothing<bool>());
-   }
--  icu::UnicodeString result = formatted.toString(status);
--  if (U_FAILURE(status)) {
--    THROW_NEW_ERROR_RETURN_VALUE(isolate,
--                                 NewTypeError(MessageTemplate::kIcuError),
--                                 Nothing<icu::UnicodeString>());
--  }
--  return Just(result);
-+  return Just(true);
- }
- 
- }  // namespace
-@@ -1298,10 +1287,16 @@ MaybeHandle<String> JSNumberFormat::FormatNumeric(
-     Handle<Object> numeric_obj) {
-   DCHECK(numeric_obj->IsNumeric());
- 
--  Maybe<icu::UnicodeString> maybe_format =
--      IcuFormatNumber(isolate, number_format, numeric_obj, nullptr);
-+  icu::number::FormattedNumber formatted;
-+  Maybe<bool> maybe_format =
-+      IcuFormatNumber(isolate, number_format, numeric_obj, &formatted);
-   MAYBE_RETURN(maybe_format, Handle<String>());
--  return Intl::ToString(isolate, maybe_format.FromJust());
-+  UErrorCode status = U_ZERO_ERROR;
-+  icu::UnicodeString result = formatted.toString(status);
-+  if (U_FAILURE(status)) {
-+    THROW_NEW_ERROR(isolate, NewTypeError(MessageTemplate::kIcuError), String);
-+  }
-+  return Intl::ToString(isolate, result);
- }
- 
- namespace {
-@@ -1414,12 +1409,18 @@ std::vector<NumberFormatSpan> FlattenRegionsToParts(
- }
- 
- namespace {
--Maybe<int> ConstructParts(Isolate* isolate, const icu::UnicodeString& formatted,
--                          icu::FieldPositionIterator* fp_iter,
-+Maybe<int> ConstructParts(Isolate* isolate,
-+                          icu::number::FormattedNumber* formatted,
-                           Handle<JSArray> result, int start_index,
-                           Handle<Object> numeric_obj, bool style_is_unit) {
-+  UErrorCode status = U_ZERO_ERROR;
-+  icu::UnicodeString formatted_text = formatted->toString(status);
-+  if (U_FAILURE(status)) {
-+    THROW_NEW_ERROR_RETURN_VALUE(
-+        isolate, NewTypeError(MessageTemplate::kIcuError), Nothing<int>());
-+  }
-   DCHECK(numeric_obj->IsNumeric());
--  int32_t length = formatted.length();
-+  int32_t length = formatted_text.length();
-   int index = start_index;
-   if (length == 0) return Just(index);
- 
-@@ -1428,13 +1429,14 @@ Maybe<int> ConstructParts(Isolate* isolate, const icu::UnicodeString& formatted,
-   // other region covers some part of the formatted string. It's possible
-   // there's another field with exactly the same begin and end as this backdrop,
-   // in which case the backdrop's field_id of -1 will give it lower priority.
--  regions.push_back(NumberFormatSpan(-1, 0, formatted.length()));
-+  regions.push_back(NumberFormatSpan(-1, 0, formatted_text.length()));
- 
-   {
--    icu::FieldPosition fp;
--    while (fp_iter->next(fp)) {
--      regions.push_back(NumberFormatSpan(fp.getField(), fp.getBeginIndex(),
--                                         fp.getEndIndex()));
-+    icu::ConstrainedFieldPosition cfp;
-+    cfp.constrainCategory(UFIELD_CATEGORY_NUMBER);
-+    while (formatted->nextPosition(cfp, status)) {
-+      regions.push_back(
-+          NumberFormatSpan(cfp.getField(), cfp.getStart(), cfp.getLimit()));
-     }
-   }
- 
-@@ -1456,7 +1458,7 @@ Maybe<int> ConstructParts(Isolate* isolate, const icu::UnicodeString& formatted,
-     Handle<String> substring;
-     ASSIGN_RETURN_ON_EXCEPTION_VALUE(
-         isolate, substring,
--        Intl::ToString(isolate, formatted, part.begin_pos, part.end_pos),
-+        Intl::ToString(isolate, formatted_text, part.begin_pos, part.end_pos),
-         Nothing<int>());
-     Intl::AddElement(isolate, result, index, field_type_string, substring);
-     ++index;
-@@ -1476,14 +1478,14 @@ MaybeHandle<JSArray> JSNumberFormat::FormatToParts(
-       number_format->icu_number_formatter().raw();
-   CHECK_NOT_NULL(fmt);
- 
--  icu::FieldPositionIterator fp_iter;
--  Maybe<icu::UnicodeString> maybe_format =
--      IcuFormatNumber(isolate, *fmt, numeric_obj, &fp_iter);
-+  icu::number::FormattedNumber formatted;
-+  Maybe<bool> maybe_format =
-+      IcuFormatNumber(isolate, *fmt, numeric_obj, &formatted);
-   MAYBE_RETURN(maybe_format, Handle<JSArray>());
- 
-   Handle<JSArray> result = factory->NewJSArray(0);
-   Maybe<int> maybe_format_to_parts = ConstructParts(
--      isolate, maybe_format.FromJust(), &fp_iter, result, 0, numeric_obj,
-+      isolate, &formatted, result, 0, numeric_obj,
-       number_format->style() == JSNumberFormat::Style::UNIT);
-   MAYBE_RETURN(maybe_format_to_parts, Handle<JSArray>());
- 
--- 
-2.26.2
-
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0002-build-allow-use-of-system-installed-brotli.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0002-build-allow-use-of-system-installed-brotli.patch
deleted file mode 100644
index fc038f3aae..0000000000
--- a/meta-oe/recipes-devtools/nodejs/nodejs/0002-build-allow-use-of-system-installed-brotli.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From f0f927feee8cb1fb173835d5c3f6beb6bf7d5e54 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <git@andred.net>
-Date: Mon, 2 Mar 2020 12:17:35 +0000
-Subject: [PATCH 2/2] build: allow use of system-installed brotli
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-brotli is available as a shared library since 2016, so it makes sense
-to allow its use as a system-installed version.
-
-Some of the infrastructure was in place already (node.gyp and
-node.gypi), but some bits in the configure script here were missing.
-
-Add them, keeping the default as before, to use the bundled version.
-
-Refs: https://github.com/google/brotli/pull/421
-Signed-off-by: André Draszik <git@andred.net>
----
-Upstream-Status: Submitted [https://github.com/nodejs/node/pull/32046]
- configure.py | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/configure.py b/configure.py
-index e3f78f2fed..0190e31b41 100755
---- a/configure.py
-+++ b/configure.py
-@@ -301,6 +301,27 @@ shared_optgroup.add_option('--shared-zlib-libpath',
-     dest='shared_zlib_libpath',
-     help='a directory to search for the shared zlib DLL')
- 
-+shared_optgroup.add_option('--shared-brotli',
-+    action='store_true',
-+    dest='shared_brotli',
-+    help='link to a shared brotli DLL instead of static linking')
-+
-+shared_optgroup.add_option('--shared-brotli-includes',
-+    action='store',
-+    dest='shared_brotli_includes',
-+    help='directory containing brotli header files')
-+
-+shared_optgroup.add_option('--shared-brotli-libname',
-+    action='store',
-+    dest='shared_brotli_libname',
-+    default='brotlidec,brotlienc',
-+    help='alternative lib name to link to [default: %default]')
-+
-+shared_optgroup.add_option('--shared-brotli-libpath',
-+    action='store',
-+    dest='shared_brotli_libpath',
-+    help='a directory to search for the shared brotli DLL')
-+
- shared_optgroup.add_option('--shared-cares',
-     action='store_true',
-     dest='shared_cares',
-@@ -1692,6 +1713,7 @@ configure_napi(output)
- configure_library('zlib', output)
- configure_library('http_parser', output)
- configure_library('libuv', output)
-+configure_library('brotli', output, pkgname=['libbrotlidec', 'libbrotlienc'])
- configure_library('cares', output, pkgname='libcares')
- configure_library('nghttp2', output, pkgname='libnghttp2')
- configure_v8(output)
--- 
-2.25.0
-
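
Review bot: the deleted patch is marked "Upstream-Status: Submitted [https://github.com/nodejs/node/pull/32046]", not accepted, while the commit message drops it as already upstreamed. Confirm that configure.py in 12.18.3 provides the --shared-brotli options and the list form of pkgname used by configure_library('brotli', ...) before removing this patch and its companion 0001 pkg_config patch, and name the upstream commit in the message.
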
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir.patch
index 599f742b2f..92386fa779 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir.patch
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir.patch
@@ -20,11 +20,9 @@ Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
  tools/install.py | 31 ++++++++++++++-----------------
  2 files changed, 21 insertions(+), 17 deletions(-)
 
-diff --git a/configure.py b/configure.py
-index 20cce214db..e2d78a2a51 100755
 --- a/configure.py
 +++ b/configure.py
-@@ -559,6 +559,12 @@ parser.add_option('--shared',
+@@ -602,6 +602,12 @@ parser.add_option('--shared',
      help='compile shared library for embedding node in another project. ' +
           '(This mode is not officially supported for regular applications)')
  
@@ -37,16 +35,14 @@ index 20cce214db..e2d78a2a51 100755
  parser.add_option('--without-v8-platform',
      action='store_true',
      dest='without_v8_platform',
-@@ -1103,6 +1109,7 @@ def configure_node(o):
-   if o['variables']['want_separate_host_toolset'] == 0:
-     o['variables']['node_code_cache'] = 'yes' # For testing
+@@ -1168,6 +1174,7 @@ def configure_node(o):
+   o['variables']['node_no_browser_globals'] = b(options.no_browser_globals)
+ 
    o['variables']['node_shared'] = b(options.shared)
 +  o['variables']['libdir'] = options.libdir
    node_module_version = getmoduleversion.get_version()
  
-   if sys.platform == 'darwin':
-diff --git a/tools/install.py b/tools/install.py
-index 655802980a..fe4723bf15 100755
+   if options.dest_os == 'android':
 --- a/tools/install.py
 +++ b/tools/install.py
 @@ -121,26 +121,23 @@ def subdir_files(path, dest, action):
@@ -72,24 +68,20 @@ index 655802980a..fe4723bf15 100755
 -      # in its source - see the _InstallableTargetInstallPath function.
 -      if sys.platform != 'darwin':
 -        output_prefix += 'lib.target/'
--
--  if 'false' == variables.get('node_shared'):
--    action([output_prefix + output_file], 'bin/' + output_file)
--  else:
--    action([output_prefix + output_file], 'lib/' + output_file)
 +    output_bin = 'node'
 +    output_lib = 'libnode.' + variables.get('shlib_suffix')
 +    # GYP will output to lib.target except on OS X, this is hardcoded
 +    # in its source - see the _InstallableTargetInstallPath function.
 +    if sys.platform != 'darwin':
 +      output_libprefix += 'lib.target/'
-+
+ 
+-  if 'false' == variables.get('node_shared'):
+-    action([output_prefix + output_file], 'bin/' + output_file)
+-  else:
+-    action([output_prefix + output_file], 'lib/' + output_file)
 +  action([output_prefix + output_bin], 'bin/' + output_bin)
 +  if 'true' == variables.get('node_shared'):
 +    action([output_libprefix + output_lib], variables.get('libdir') + '/' + output_lib)
  
    if 'true' == variables.get('node_use_dtrace'):
      action(['out/Release/node.d'], 'lib/dtrace/node.d')
--- 
-2.20.1
-
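Review bot: the refreshed install step builds its destination with `variables.get('libdir') + '/' + output_lib`, and `output_lib` with `'libnode.' + variables.get('shlib_suffix')`, both without a fallback. If either variable is unset, `.get()` returns None and the install fails with a TypeError when node_shared is true instead of a clear configure error. The default of the libdir option is not visible in these hunks; if it has none, either give the lookup a default such as `.get('libdir', 'lib')` or make sure the recipe always passes the option.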
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_12.14.1.bb b/meta-oe/recipes-devtools/nodejs/nodejs_12.18.3.bb
similarity index 93%
rename from meta-oe/recipes-devtools/nodejs/nodejs_12.14.1.bb
rename to meta-oe/recipes-devtools/nodejs/nodejs_12.18.3.bb
index 9f9f320aa7..8a9f32bce2 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_12.14.1.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_12.18.3.bb
@@ -1,7 +1,7 @@
 DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript"
 HOMEPAGE = "http://nodejs.org"
 LICENSE = "MIT & BSD & Artistic-2.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=be4d5107c64dc3d7c57e3797e1a0674b"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=30e27bd6830002d9415e4a5da7901f03"
 
 DEPENDS = "openssl"
 DEPENDS_append_class-target = " nodejs-native"
@@ -20,17 +20,12 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
            file://0003-Install-both-binaries-and-use-libdir.patch \
            file://0004-v8-don-t-override-ARM-CFLAGS.patch \
            file://big-endian.patch \
-           file://0001-build-allow-passing-multiple-libs-to-pkg_config.patch \
-           file://0002-build-allow-use-of-system-installed-brotli.patch \
            file://mips-warnings.patch \
-           file://0001-deps-V8-backport-3f8dc4b2e5ba.patch \
            "
 SRC_URI_append_class-target = " \
            file://0002-Using-native-binaries.patch \
            "
-
-SRC_URI[md5sum] = "1c78a75f5c95321f533ecccca695e814"
-SRC_URI[sha256sum] = "877b4b842318b0e09bc754faf7343f2f097f0fc4f88ab9ae57cf9944e88e7adb"
+SRC_URI[sha256sum] = "71158026579487422fd13cc2553b34cddb76519098aa6030faab52f88c6e0d0e"
 
 S = "${WORKDIR}/node-v${PV}"
 
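Review bot: with `SRC_URI[md5sum]` dropped, `SRC_URI[sha256sum]` is the only integrity check on a tarball that, per the hunk header, is fetched over plain `http://nodejs.org/dist/`. The checksum does pin the content, but the new value should be compared against upstream's signed SHASUMS256.txt rather than computed from whatever the fetch returned, and moving the URL to https would be a cheap follow-up.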
@@ -55,7 +50,8 @@ ARCHFLAGS_arm = "${@bb.utils.contains('TUNE_FEATURES', 'callconvention-hard', '-
 GYP_DEFINES_append_mipsel = " mips_arch_variant='r1' "
 ARCHFLAGS ?= ""
 
-PACKAGECONFIG ??= "ares brotli icu libuv zlib"
+PACKAGECONFIG ??= "ares brotli icu zlib"
+
 PACKAGECONFIG[ares] = "--shared-cares,,c-ares"
 PACKAGECONFIG[brotli] = "--shared-brotli,,brotli"
 PACKAGECONFIG[icu] = "--with-intl=system-icu,--without-intl,icu"
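Review bot: dropping `libuv` from the default `PACKAGECONFIG` is a behaviour change for a stable branch, not just a version bump. The libuv flag definition is not visible in this hunk, but if it selects the shared system library then node now builds against its bundled copy, and fixes applied to the distro libuv recipe no longer reach node. Please state the reason in the commit message (for example a minimum libuv version that dunfell cannot provide).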
-- 
2.17.1



* [dunfell 22/28] nodejs: Fix arm32/thumb builds with clang
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (20 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 21/28] nodejs: Upgrade to 12.18.3 akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 23/28] nodejs: Update to 12.19.0 akuster
                   ` (7 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Khem Raj <raj.khem@gmail.com>

Backport a patch from upstream to take care of build failure e.g.

| ../deps/v8/src/codegen/arm/cpu-arm.cc:38:16: error: write to reserved register 'R7'
|   asm volatile("svc 0\n"
|                ^
| 1 error generated.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 45a2dfdd0f16ed6941926e2dca1ad90f36e120bc)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ...gister-r7-because-llvm-now-issues-an.patch | 53 +++++++++++++++++++
 .../recipes-devtools/nodejs/nodejs_12.18.3.bb |  1 +
 2 files changed, 54 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch

diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch
new file mode 100644
index 0000000000..a23f1c243e
--- /dev/null
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch
@@ -0,0 +1,53 @@
+From be8d3cd6eab4b8f9849133060abb1aba4400276b Mon Sep 17 00:00:00 2001
+From: Amy Huang <akhuang@google.com>
+Date: Thu, 23 Apr 2020 11:25:53 -0700
+Subject: [PATCH] Remove use of register r7 because llvm now issues an error
+ when "r7" is used (starting in commit d85b3877)
+
+Bug: chromium:1073270
+Change-Id: I7ec8112f170b98d2edaf92bc9341e738f8de07a3
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2163435
+Reviewed-by: Nico Weber <thakis@chromium.org>
+Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
+Commit-Queue: Nico Weber <thakis@chromium.org>
+Cr-Commit-Position: refs/heads/master@{#67371}
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+Upstream-Status: Backport [https://chromium.googlesource.com/v8/v8/+/00604cd2806b5d26bef592dd19989a234bd07a4b%5E%21/]
+ deps/v8/src/codegen/arm/cpu-arm.cc | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+diff --git a/deps/v8/src/codegen/arm/cpu-arm.cc b/deps/v8/src/codegen/arm/cpu-arm.cc
+index 868f360..654d68f 100644
+--- a/deps/v8/src/codegen/arm/cpu-arm.cc
++++ b/deps/v8/src/codegen/arm/cpu-arm.cc
+@@ -30,18 +30,6 @@ V8_NOINLINE void CpuFeatures::FlushICache(void* start, size_t size) {
+   register uint32_t end asm("r1") = beg + size;
+   register uint32_t flg asm("r2") = 0;
+ 
+-#ifdef __clang__
+-  // This variant of the asm avoids a constant pool entry, which can be
+-  // problematic when LTO'ing. It is also slightly shorter.
+-  register uint32_t scno asm("r7") = __ARM_NR_cacheflush;
+-
+-  asm volatile("svc 0\n"
+-               :
+-               : "r"(beg), "r"(end), "r"(flg), "r"(scno)
+-               : "memory");
+-#else
+-  // Use a different variant of the asm with GCC because some versions doesn't
+-  // support r7 as an asm input.
+   asm volatile(
+       // This assembly works for both ARM and Thumb targets.
+ 
+@@ -59,7 +47,6 @@ V8_NOINLINE void CpuFeatures::FlushICache(void* start, size_t size) {
+       : "r"(beg), "r"(end), "r"(flg), [scno] "i"(__ARM_NR_cacheflush)
+       : "memory");
+ #endif
+-#endif
+ #endif  // !USE_SIMULATOR
+ }
+ 
+-- 
+2.29.2
+
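Review bot: in the added patch file, `Upstream-Status: Backport [...]` sits below the `---` separator next to the diffstat, while the `Signed-off-by` is above it. Text below `---` is discarded by `git am` and is easy to lose when the patch is refreshed, so move the Upstream-Status line up into the header with the other tags.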
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_12.18.3.bb b/meta-oe/recipes-devtools/nodejs/nodejs_12.18.3.bb
index 8a9f32bce2..7d8fd1db94 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_12.18.3.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_12.18.3.bb
@@ -21,6 +21,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
            file://0004-v8-don-t-override-ARM-CFLAGS.patch \
            file://big-endian.patch \
            file://mips-warnings.patch \
+           file://0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch \
            "
 SRC_URI_append_class-target = " \
            file://0002-Using-native-binaries.patch \
-- 
2.17.1



* [dunfell 23/28] nodejs: Update to 12.19.0
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (21 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 22/28] nodejs: Fix arm32/thumb builds with clang akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 24/28] nodejs: 12.19.0 -> 12.19.1 akuster
                   ` (6 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Khem Raj <raj.khem@gmail.com>

This is perhaps the last release in 12.x LTS

Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a10f894a8e7f800d2412fff8d47fb37d363fa322)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../nodejs/{nodejs_12.18.3.bb => nodejs_12.19.0.bb}             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta-oe/recipes-devtools/nodejs/{nodejs_12.18.3.bb => nodejs_12.19.0.bb} (98%)

diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_12.18.3.bb b/meta-oe/recipes-devtools/nodejs/nodejs_12.19.0.bb
similarity index 98%
rename from meta-oe/recipes-devtools/nodejs/nodejs_12.18.3.bb
rename to meta-oe/recipes-devtools/nodejs/nodejs_12.19.0.bb
index 7d8fd1db94..9d15586238 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_12.18.3.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_12.19.0.bb
@@ -26,7 +26,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
 SRC_URI_append_class-target = " \
            file://0002-Using-native-binaries.patch \
            "
-SRC_URI[sha256sum] = "71158026579487422fd13cc2553b34cddb76519098aa6030faab52f88c6e0d0e"
+SRC_URI[sha256sum] = "3b671c45c493f96d7e018c15110cdbafa4478e5e5cfc9e6eec83cea9e6b551e1"
 
 S = "${WORKDIR}/node-v${PV}"
 
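Review bot: the commit message gives no reason for the bump beyond noting that this may be the last 12.x LTS release, and the hunk changes only `SRC_URI[sha256sum]`. For a stable-branch upgrade the message should say what 12.19.0 fixes, with CVE ids where there are any, so the change can be matched by CVE tracking the way 24/28 does with its `CVE:` tag.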
-- 
2.17.1



* [dunfell 24/28] nodejs: 12.19.0 -> 12.19.1
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (22 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 23/28] nodejs: Update to 12.19.0 akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 25/28] nodejs: 12.19.1 -> 12.20.1 akuster
                   ` (5 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Stacy Gaikovaia <Stacy.Gaikovaia@windriver.com>

Uprev nodejs in order to fix CVE-2020-8277.
This CVE allows an attacker to trigger a DNS request for a host
of their choice, which could trigger a Denial of Service in
nodejs versions < 12.19.1.

See https://nvd.nist.gov/vuln/detail/CVE-2020-8277 for details.

CVE: CVE-2020-8277
Signed-off-by: Stacy Gaikovaia <Stacy.Gaikovaia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a44015408253d8a4f64055f41fa1f497aeacfc30)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 387f40ce8068ec8848c2e3b76ce2e3267b98c3d6)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../nodejs/{nodejs_12.19.0.bb => nodejs_12.19.1.bb}             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta-oe/recipes-devtools/nodejs/{nodejs_12.19.0.bb => nodejs_12.19.1.bb} (98%)

diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_12.19.0.bb b/meta-oe/recipes-devtools/nodejs/nodejs_12.19.1.bb
similarity index 98%
rename from meta-oe/recipes-devtools/nodejs/nodejs_12.19.0.bb
rename to meta-oe/recipes-devtools/nodejs/nodejs_12.19.1.bb
index 9d15586238..8021fedf44 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_12.19.0.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_12.19.1.bb
@@ -26,7 +26,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
 SRC_URI_append_class-target = " \
            file://0002-Using-native-binaries.patch \
            "
-SRC_URI[sha256sum] = "3b671c45c493f96d7e018c15110cdbafa4478e5e5cfc9e6eec83cea9e6b551e1"
+SRC_URI[sha256sum] = "74077e0cc3db000a6f3cc685b220e609807b61adc8e7d8243e8511d478d1b17d"
 
 S = "${WORKDIR}/node-v${PV}"
 
-- 
2.17.1



* [dunfell 25/28] nodejs: 12.19.1 -> 12.20.1
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (23 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 24/28] nodejs: 12.19.0 -> 12.19.1 akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 26/28] libsdl2-mixer: Fix ogg/vorbis support in libsdl2-mixer akuster
                   ` (4 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Sean Nyekjaer <sean@geanix.com>

Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit cde1019804c2f7b67bf89d178eec9f4efafea414)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit ac6bc96e7da6b3c9d5b9c9272b487a926fbb462e)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../nodejs/{nodejs_12.19.1.bb => nodejs_12.20.1.bb}           | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta-oe/recipes-devtools/nodejs/{nodejs_12.19.1.bb => nodejs_12.20.1.bb} (97%)

diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_12.19.1.bb b/meta-oe/recipes-devtools/nodejs/nodejs_12.20.1.bb
similarity index 97%
rename from meta-oe/recipes-devtools/nodejs/nodejs_12.19.1.bb
rename to meta-oe/recipes-devtools/nodejs/nodejs_12.20.1.bb
index 8021fedf44..0673a3202d 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_12.19.1.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_12.20.1.bb
@@ -1,7 +1,7 @@
 DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript"
 HOMEPAGE = "http://nodejs.org"
 LICENSE = "MIT & BSD & Artistic-2.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=30e27bd6830002d9415e4a5da7901f03"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=8c66ff8861d9f96076a7cb61e3d75f54"
 
 DEPENDS = "openssl"
 DEPENDS_append_class-target = " nodejs-native"
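Review bot: `LIC_FILES_CHKSUM` changes here but the commit message has no body at all, only sign-offs. A new md5 for LICENSE means the license text changed between 12.19.1 and 12.20.1; the message should say what changed (for example an added or updated bundled-dependency notice) and confirm that `LICENSE = "MIT & BSD & Artistic-2.0"` is still accurate.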
@@ -26,7 +26,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
 SRC_URI_append_class-target = " \
            file://0002-Using-native-binaries.patch \
            "
-SRC_URI[sha256sum] = "74077e0cc3db000a6f3cc685b220e609807b61adc8e7d8243e8511d478d1b17d"
+SRC_URI[sha256sum] = "e00eee325d705b2bfa9929b7d061eb2315402d7e8548945eac9870bf84321853"
 
 S = "${WORKDIR}/node-v${PV}"
 
-- 
2.17.1



* [dunfell 26/28] libsdl2-mixer: Fix ogg/vorbis support in libsdl2-mixer
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (24 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 25/28] nodejs: 12.19.1 -> 12.20.1 akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 27/28] libsdl2-mixer: set --disable-music-ogg-shared to link statically akuster
                   ` (3 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: jabdoa2 <jabdoa2@users.noreply.github.com>

Remove --enable-music-ogg-tremor as it broke vorbis support:

checking tremor/ivorbisfile.h usability... no
checking tremor/ivorbisfile.h presence... no
checking for tremor/ivorbisfile.h... no
checking for ov_open_callbacks in -lvorbisidec... no
configure: WARNING: *** Unable to find Ogg Vorbis Tremor library (http://www.xiph.org/)
configure: WARNING: Ogg Vorbis support disabled

With this change:

checking vorbis/vorbisfile.h usability... yes
checking vorbis/vorbisfile.h presence... yes
checking for vorbis/vorbisfile.h... yes
checking for ov_open_callbacks in -lvorbisfile... yes
-- dynamic libvorbisfile -> libvorbisfile.so.3

Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 074c7d9a1ebb86674f02d8a5545e1ed54f6d87fe)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb b/meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb
index aa246f9995..77e50d3841 100644
--- a/meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb
+++ b/meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb
@@ -14,7 +14,7 @@ S = "${WORKDIR}/SDL2_mixer-${PV}"
 inherit autotools-brokensep pkgconfig
 
 EXTRA_AUTORECONF += "--include=acinclude"
-EXTRA_OECONF = "--disable-music-mp3 --enable-music-ogg --enable-music-ogg-tremor LIBS=-L${STAGING_LIBDIR}"
+EXTRA_OECONF = "--disable-music-mp3 --enable-music-ogg LIBS=-L${STAGING_LIBDIR}"
 
 PACKAGECONFIG[mad] = "--enable-music-mp3-mad-gpl,--disable-music-mp3-mad-gpl,libmad"
 
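Review bot: after removing `--enable-music-ogg-tremor`, configure probes for `vorbis/vorbisfile.h` instead of Tremor, but the recipe's DEPENDS is not part of this hunk. Please confirm that libvorbis is listed there; otherwise the "yes" results quoted in the commit message depend on what happens to be in the sysroot, and Ogg support can silently turn off again in a different build.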
-- 
2.17.1



* [dunfell 27/28] libsdl2-mixer: set --disable-music-ogg-shared to link statically
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (25 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 26/28] libsdl2-mixer: Fix ogg/vorbis support in libsdl2-mixer akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 17:46 ` [dunfell 28/28] geoclue: select avahi-daemon if nmea enabled akuster
                   ` (2 subsequent siblings)
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: jabdoa2 <jabdoa2@users.noreply.github.com>

Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 69bae2a2360643805de2ae1cd9ebc4202cd5a2fb)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb b/meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb
index 77e50d3841..8f1960d8ad 100644
--- a/meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb
+++ b/meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb
@@ -14,7 +14,7 @@ S = "${WORKDIR}/SDL2_mixer-${PV}"
 inherit autotools-brokensep pkgconfig
 
 EXTRA_AUTORECONF += "--include=acinclude"
-EXTRA_OECONF = "--disable-music-mp3 --enable-music-ogg LIBS=-L${STAGING_LIBDIR}"
+EXTRA_OECONF = "--disable-music-mp3 --enable-music-ogg --disable-music-ogg-shared LIBS=-L${STAGING_LIBDIR}"
 
 PACKAGECONFIG[mad] = "--enable-music-mp3-mad-gpl,--disable-music-mp3-mad-gpl,libmad"
 
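Review bot: the message consists of the subject line only, so there is no record of why `--disable-music-ogg-shared` is needed or what "link statically" means here. Please add a sentence on the failure this fixes and whether the intent is a normal link-time dependency on libvorbisfile instead of the runtime-loaded `libvorbisfile.so.3` shown in the configure output of 26/28.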
-- 
2.17.1



* [dunfell 28/28] geoclue: select avahi-daemon if nmea enabled
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (26 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 27/28] libsdl2-mixer: set --disable-music-ogg-shared to link statically akuster
@ 2021-01-17 17:46 ` akuster
  2021-01-17 20:38 ` [oe] [dunfell 00/28] Patch review Jan 17th Andreas Müller
  2021-01-18 10:12 ` Diego Santa Cruz
  29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
  To: openembedded-devel

From: Chenxi Mao <maochenxi@eswin.com>

geoclue service relies on avahi-daemon, so enable it by default.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9239584e717bb2093c9bfd6972bb2f01507ab859)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-oe/recipes-navigation/geoclue/geoclue_2.5.3.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-oe/recipes-navigation/geoclue/geoclue_2.5.3.bb b/meta-oe/recipes-navigation/geoclue/geoclue_2.5.3.bb
index b46445a2ba..e57e7a7209 100644
--- a/meta-oe/recipes-navigation/geoclue/geoclue_2.5.3.bb
+++ b/meta-oe/recipes-navigation/geoclue/geoclue_2.5.3.bb
@@ -31,7 +31,7 @@ PACKAGECONFIG ??= "3g modem-gps cdma nmea lib"
 PACKAGECONFIG[3g] = "-D3g-source=true,-D3g-source=false,modemmanager"
 PACKAGECONFIG[modem-gps] = "-Dmodem-gps-source=true,-Dmodem-gps-source=false,modemmanager"
 PACKAGECONFIG[cdma] = "-Dcdma-source=true,-Dcdma-source=false,modemmanager"
-PACKAGECONFIG[nmea] = "-Dnmea-source=true,-Dnmea-source=false,avahi"
+PACKAGECONFIG[nmea] = "-Dnmea-source=true,-Dnmea-source=false,avahi,avahi-daemon"
 PACKAGECONFIG[lib] = "-Dlibgeoclue=true,-Dlibgeoclue=false,gobject-introspection"
 
 GTKDOC_MESON_OPTION = "gtk-doc"
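Review bot: adding `avahi-daemon` as the runtime dependency of `PACKAGECONFIG[nmea]` pulls a network-facing daemon into every image that ships geoclue, because `nmea` is in the default `PACKAGECONFIG ??= "3g modem-gps cdma nmea lib"` shown in the hunk header. On a stable branch that changes image contents and adds a listening service for existing users; the commit message should call this out, and it is worth considering whether `nmea` should stay in the defaults.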
-- 
2.17.1



* Re: [oe] [dunfell 00/28] Patch review Jan 17th
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (27 preceding siblings ...)
  2021-01-17 17:46 ` [dunfell 28/28] geoclue: select avahi-daemon if nmea enabled akuster
@ 2021-01-17 20:38 ` Andreas Müller
  2021-01-18  4:09   ` akuster
  2021-01-18 10:12 ` Diego Santa Cruz
  29 siblings, 1 reply; 33+ messages in thread
From: Andreas Müller @ 2021-01-17 20:38 UTC (permalink / raw)
  To: akuster; +Cc: openembeded-devel

On Sun, Jan 17, 2021 at 6:46 PM akuster <akuster808@gmail.com> wrote:
>
> Here is the next batch for Dunfell. Please review and have comments back by Wednesday.
>
> The following changes since commit f2d02cb71eaff8eb285a1997b30be52486c160ae:
>
>   python3-pyinotify: Add missing ctypes dependency (2020-11-15 11:13:25 -0800)
>
> are available in the Git repository at:
>
>   git://git.openembedded.org/meta-openembedded-contrib stable/dunfell-nut
>   http://cgit.openembedded.org/meta-openembedded-contrib/log/?h=stable/dunfell-nut
>
> Armin Kuster (5):
>   wireguard-module: fix build issue with 5.4 kernel
>   mariadb: update to 10.4.17 for cve fixes
>   lua: update to 5.3.6
>   nss: Security fix CVE-2020-12401
>   wireshark: Several securtiy fixes
>
> Chenxi Mao (1):
>   geoclue: select avahi-daemon if nmea enabled
>
> Gianfranco (1):
>   dlt-daemon: add upstream patch to fix CVE-2020-29394
>
> Khem Raj (4):
>   nodejs: Fix build with icu 67.1
>   nodejs: Upgrade to 12.18.3
>   nodejs: Fix arm32/thumb builds with clang
>   nodejs: Update to 12.19.0
>
> Leon Anavi (1):
>   php: Upgrade 7.4.4 -> 7.4.9
>
> Max Kellermann (1):
>   php: remove the failing ${D}/${TMPDIR} code
>
> Roland Hieber (1):
>   pcsc-lite: provide pcsc-lite-lib-native explicitly for native build
>
> Sakib Sajal (1):
>   apache2: upgrade v2.4.43 -> v2.4.46
>
> Sean Nyekjaer (1):
>   nodejs: 12.19.1 -> 12.20.1
>
> Stacy Gaikovaia (1):
>   nodejs: 12.19.0 -> 12.19.1
>
> Wang Mingyu (1):
>   zabbix: CVE-2020-15803 Security Advisory
>
> Wenlin Kang (2):
>   lua: fix CVE-2020-15945
>   lua: fix CVE-2020-24371
>
> Zang Ruochen (1):
>   mcpp: Normalize the patch format of CVE
>
> Zheng Ruoqin (4):
>   samba: CVE-2020-14318 Security Advisory
>   samba: CVE-2020-14383 Security Advisory
>   php: CVE-2020-7070
>   php: CVE-2020-7069
>
> jabdoa2 (2):
>   libsdl2-mixer: Fix ogg/vorbis support in libsdl2-mixer
>   libsdl2-mixer: set --disable-music-ogg-shared to link statically
>
> viatsk (1):
>   tcpdump: Patch for CVE-2020-8037
>
>  .../samba/samba/CVE-2020-14318.patch          | 142 +++++++++++++++
>  .../samba/samba/CVE-2020-14383.patch          | 112 ++++++++++++
>  .../samba/samba_4.10.18.bb                    |   2 +
>  ...NC_-START-END-were-backported-to-5.4.patch |  29 +++
>  .../wireguard-module_1.0.20200401.bb          |   3 +-
>  ...ping-don-t-allocate-a-too-large-buff.patch |  70 ++++++++
>  .../recipes-support/tcpdump/tcpdump_4.9.3.bb  |   1 +
>  ...wireshark_3.2.7.bb => wireshark_3.2.10.bb} |   2 +-
>  .../zabbix/zabbix/CVE-2020-15803.patch        |  36 ++++
>  .../zabbix/zabbix_4.4.6.bb                    |   1 +
>  ...e_10.4.12.bb => mariadb-native_10.4.17.bb} |   0
>  meta-oe/recipes-dbs/mysql/mariadb.inc         |   6 +-
>  ...-breakage-from-lock_guard-error-6161.patch |  32 ----
>  .../mariadb/0001-Fix-library-LZ4-lookup.patch |  19 +-
>  .../mysql/mariadb/c11_atomics.patch           |  24 ++-
>  .../configure.cmake-fix-valgrind.patch        |  10 +-
>  .../mariadb/fix-a-building-failure.patch      |  13 +-
>  .../mysql/mariadb/fix-arm-atomic.patch        |  13 +-
>  ...Lists.txt-fix-gen_lex_hash-not-found.patch |  12 +-
>  ...akeLists.txt-fix-do_populate_sysroot.patch |  10 +-
>  ...{mariadb_10.4.12.bb => mariadb_10.4.17.bb} |   0
>  ...rriers-cannot-be-active-during-sweep.patch |  90 ++++++++++
>  .../lua/lua/CVE-2020-15945.patch              | 167 ++++++++++++++++++
>  .../lua/{lua_5.3.5.bb => lua_5.3.6.bb}        |   8 +-
>  .../mcpp/files/CVE-2019-14274.patch           |  34 ++++
>  .../mcpp/files/ice-mcpp.patch                 |  31 ----
>  meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb   |   3 +-
>  ...gister-r7-because-llvm-now-issues-an.patch |  53 ++++++
>  ...-passing-multiple-libs-to-pkg_config.patch |  41 -----
>  ...allow-use-of-system-installed-brotli.patch |  66 -------
>  ...Install-both-binaries-and-use-libdir.patch |  28 ++-
>  .../{nodejs_12.14.1.bb => nodejs_12.20.1.bb}  |  12 +-
>  .../php/php/CVE-2020-7069.patch               | 158 +++++++++++++++++
>  .../php/php/CVE-2020-7070.patch               |  24 +++
>  .../php/php/debian-php-fixheader.patch        |  27 +--
>  .../php/{php_7.4.4.bb => php_7.4.9.bb}        |  16 +-
>  .../dlt-daemon/dlt-daemon/275.patch           |  38 ++++
>  .../dlt-daemon/dlt-daemon_2.18.4.bb           |   1 +
>  .../libsdl/libsdl2-mixer_2.0.4.bb             |   2 +-
>  .../geoclue/geoclue_2.5.3.bb                  |   2 +-
>  .../nss/nss/CVE-2020-12401.patch              |  52 ++++++
>  meta-oe/recipes-support/nss/nss_3.51.1.bb     |   1 +
>  .../pcsc-lite/pcsc-lite_1.8.26.bb             |   1 +
>  .../{apache2_2.4.43.bb => apache2_2.4.46.bb}  |   4 +-
>  44 files changed, 1111 insertions(+), 285 deletions(-)
>  create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch
>  create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch
>  create mode 100644 meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch
>  create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch
>  rename meta-networking/recipes-support/wireshark/{wireshark_3.2.7.bb => wireshark_3.2.10.bb} (96%)
>  create mode 100644 meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2020-15803.patch
>  rename meta-oe/recipes-dbs/mysql/{mariadb-native_10.4.12.bb => mariadb-native_10.4.17.bb} (100%)
>  delete mode 100644 meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-build-breakage-from-lock_guard-error-6161.patch
>  rename meta-oe/recipes-dbs/mysql/{mariadb_10.4.12.bb => mariadb_10.4.17.bb} (100%)
>  create mode 100644 meta-oe/recipes-devtools/lua/lua/0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch
>  create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch
>  rename meta-oe/recipes-devtools/lua/{lua_5.3.5.bb => lua_5.3.6.bb} (87%)
>  create mode 100644 meta-oe/recipes-devtools/mcpp/files/CVE-2019-14274.patch
>  create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch
>  delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-build-allow-passing-multiple-libs-to-pkg_config.patch
>  delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0002-build-allow-use-of-system-installed-brotli.patch
>  rename meta-oe/recipes-devtools/nodejs/{nodejs_12.14.1.bb => nodejs_12.20.1.bb} (94%)
>  create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch
>  create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch
>  mode change 100755 => 100644 meta-oe/recipes-devtools/php/php/debian-php-fixheader.patch
>  rename meta-oe/recipes-devtools/php/{php_7.4.4.bb => php_7.4.9.bb} (97%)
>  create mode 100644 meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
>  create mode 100644 meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch
>  rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.43.bb => apache2_2.4.46.bb} (98%)
>
Hi Armin,

maybe you take the graphviz patches into account I just sent out. As
said in cover letter: graphviz is broken currently

Cheers

Andreas


* Re: [oe] [dunfell 00/28] Patch review Jan 17th
  2021-01-17 20:38 ` [oe] [dunfell 00/28] Patch review Jan 17th Andreas Müller
@ 2021-01-18  4:09   ` akuster
  0 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-18  4:09 UTC (permalink / raw)
  To: Andreas Müller; +Cc: openembeded-devel



On 1/17/21 12:38 PM, Andreas Müller wrote:
> On Sun, Jan 17, 2021 at 6:46 PM akuster <akuster808@gmail.com> wrote:
>> Here is the next batch for Dunfell. Please review and have comments back by Wednesday.
>>
>> The following changes since commit f2d02cb71eaff8eb285a1997b30be52486c160ae:
>>
>>   python3-pyinotify: Add missing ctypes dependency (2020-11-15 11:13:25 -0800)
>>
>> are available in the Git repository at:
>>
>>   git://git.openembedded.org/meta-openembedded-contrib stable/dunfell-nut
>>   http://cgit.openembedded.org/meta-openembedded-contrib/log/?h=stable/dunfell-nut
>>
>> Armin Kuster (5):
>>   wireguard-module: fix build issue with 5.4 kernel
>>   mariadb: update to 10.4.17 for cve fixes
>>   lua: update to 5.3.6
>>   nss: Security fix CVE-2020-12401
>>   wireshark: Several securtiy fixes
>>
>> Chenxi Mao (1):
>>   geoclue: select avahi-daemon if nmea enabled
>>
>> Gianfranco (1):
>>   dlt-daemon: add upstream patch to fix CVE-2020-29394
>>
>> Khem Raj (4):
>>   nodejs: Fix build with icu 67.1
>>   nodejs: Upgrade to 12.18.3
>>   nodejs: Fix arm32/thumb builds with clang
>>   nodejs: Update to 12.19.0
>>
>> Leon Anavi (1):
>>   php: Upgrade 7.4.4 -> 7.4.9
>>
>> Max Kellermann (1):
>>   php: remove the failing ${D}/${TMPDIR} code
>>
>> Roland Hieber (1):
>>   pcsc-lite: provide pcsc-lite-lib-native explicitly for native build
>>
>> Sakib Sajal (1):
>>   apache2: upgrade v2.4.43 -> v2.4.46
>>
>> Sean Nyekjaer (1):
>>   nodejs: 12.19.1 -> 12.20.1
>>
>> Stacy Gaikovaia (1):
>>   nodejs: 12.19.0 -> 12.19.1
>>
>> Wang Mingyu (1):
>>   zabbix: CVE-2020-15803 Security Advisory
>>
>> Wenlin Kang (2):
>>   lua: fix CVE-2020-15945
>>   lua: fix CVE-2020-24371
>>
>> Zang Ruochen (1):
>>   mcpp: Normalize the patch format of CVE
>>
>> Zheng Ruoqin (4):
>>   samba: CVE-2020-14318 Security Advisory
>>   samba: CVE-2020-14383 Security Advisory
>>   php: CVE-2020-7070
>>   php: CVE-2020-7069
>>
>> jabdoa2 (2):
>>   libsdl2-mixer: Fix ogg/vorbis support in libsdl2-mixer
>>   libsdl2-mixer: set --disable-music-ogg-shared to link statically
>>
>> viatsk (1):
>>   tcpdump: Patch for CVE-2020-8037
>>
>>  .../samba/samba/CVE-2020-14318.patch          | 142 +++++++++++++++
>>  .../samba/samba/CVE-2020-14383.patch          | 112 ++++++++++++
>>  .../samba/samba_4.10.18.bb                    |   2 +
>>  ...NC_-START-END-were-backported-to-5.4.patch |  29 +++
>>  .../wireguard-module_1.0.20200401.bb          |   3 +-
>>  ...ping-don-t-allocate-a-too-large-buff.patch |  70 ++++++++
>>  .../recipes-support/tcpdump/tcpdump_4.9.3.bb  |   1 +
>>  ...wireshark_3.2.7.bb => wireshark_3.2.10.bb} |   2 +-
>>  .../zabbix/zabbix/CVE-2020-15803.patch        |  36 ++++
>>  .../zabbix/zabbix_4.4.6.bb                    |   1 +
>>  ...e_10.4.12.bb => mariadb-native_10.4.17.bb} |   0
>>  meta-oe/recipes-dbs/mysql/mariadb.inc         |   6 +-
>>  ...-breakage-from-lock_guard-error-6161.patch |  32 ----
>>  .../mariadb/0001-Fix-library-LZ4-lookup.patch |  19 +-
>>  .../mysql/mariadb/c11_atomics.patch           |  24 ++-
>>  .../configure.cmake-fix-valgrind.patch        |  10 +-
>>  .../mariadb/fix-a-building-failure.patch      |  13 +-
>>  .../mysql/mariadb/fix-arm-atomic.patch        |  13 +-
>>  ...Lists.txt-fix-gen_lex_hash-not-found.patch |  12 +-
>>  ...akeLists.txt-fix-do_populate_sysroot.patch |  10 +-
>>  ...{mariadb_10.4.12.bb => mariadb_10.4.17.bb} |   0
>>  ...rriers-cannot-be-active-during-sweep.patch |  90 ++++++++++
>>  .../lua/lua/CVE-2020-15945.patch              | 167 ++++++++++++++++++
>>  .../lua/{lua_5.3.5.bb => lua_5.3.6.bb}        |   8 +-
>>  .../mcpp/files/CVE-2019-14274.patch           |  34 ++++
>>  .../mcpp/files/ice-mcpp.patch                 |  31 ----
>>  meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb   |   3 +-
>>  ...gister-r7-because-llvm-now-issues-an.patch |  53 ++++++
>>  ...-passing-multiple-libs-to-pkg_config.patch |  41 -----
>>  ...allow-use-of-system-installed-brotli.patch |  66 -------
>>  ...Install-both-binaries-and-use-libdir.patch |  28 ++-
>>  .../{nodejs_12.14.1.bb => nodejs_12.20.1.bb}  |  12 +-
>>  .../php/php/CVE-2020-7069.patch               | 158 +++++++++++++++++
>>  .../php/php/CVE-2020-7070.patch               |  24 +++
>>  .../php/php/debian-php-fixheader.patch        |  27 +--
>>  .../php/{php_7.4.4.bb => php_7.4.9.bb}        |  16 +-
>>  .../dlt-daemon/dlt-daemon/275.patch           |  38 ++++
>>  .../dlt-daemon/dlt-daemon_2.18.4.bb           |   1 +
>>  .../libsdl/libsdl2-mixer_2.0.4.bb             |   2 +-
>>  .../geoclue/geoclue_2.5.3.bb                  |   2 +-
>>  .../nss/nss/CVE-2020-12401.patch              |  52 ++++++
>>  meta-oe/recipes-support/nss/nss_3.51.1.bb     |   1 +
>>  .../pcsc-lite/pcsc-lite_1.8.26.bb             |   1 +
>>  .../{apache2_2.4.43.bb => apache2_2.4.46.bb}  |   4 +-
>>  44 files changed, 1111 insertions(+), 285 deletions(-)
>>  create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch
>>  create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch
>>  create mode 100644 meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch
>>  create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch
>>  rename meta-networking/recipes-support/wireshark/{wireshark_3.2.7.bb => wireshark_3.2.10.bb} (96%)
>>  create mode 100644 meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2020-15803.patch
>>  rename meta-oe/recipes-dbs/mysql/{mariadb-native_10.4.12.bb => mariadb-native_10.4.17.bb} (100%)
>>  delete mode 100644 meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-build-breakage-from-lock_guard-error-6161.patch
>>  rename meta-oe/recipes-dbs/mysql/{mariadb_10.4.12.bb => mariadb_10.4.17.bb} (100%)
>>  create mode 100644 meta-oe/recipes-devtools/lua/lua/0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch
>>  create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch
>>  rename meta-oe/recipes-devtools/lua/{lua_5.3.5.bb => lua_5.3.6.bb} (87%)
>>  create mode 100644 meta-oe/recipes-devtools/mcpp/files/CVE-2019-14274.patch
>>  create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch
>>  delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-build-allow-passing-multiple-libs-to-pkg_config.patch
>>  delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0002-build-allow-use-of-system-installed-brotli.patch
>>  rename meta-oe/recipes-devtools/nodejs/{nodejs_12.14.1.bb => nodejs_12.20.1.bb} (94%)
>>  create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch
>>  create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch
>>  mode change 100755 => 100644 meta-oe/recipes-devtools/php/php/debian-php-fixheader.patch
>>  rename meta-oe/recipes-devtools/php/{php_7.4.4.bb => php_7.4.9.bb} (97%)
>>  create mode 100644 meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
>>  create mode 100644 meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch
>>  rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.43.bb => apache2_2.4.46.bb} (98%)
>>
> Hi Armin,
>
> maybe you take the graphviz patches into account I just sent out. As
> said in cover letter: graphviz is broken currently

sure thing.

thanks,
Armin
>
> Cheers
>
> Andreas



* Re: [oe] [dunfell 00/28] Patch review Jan 17th
  2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
                   ` (28 preceding siblings ...)
  2021-01-17 20:38 ` [oe] [dunfell 00/28] Patch review Jan 17th Andreas Müller
@ 2021-01-18 10:12 ` Diego Santa Cruz
  2021-01-18 16:34   ` akuster
  29 siblings, 1 reply; 33+ messages in thread
From: Diego Santa Cruz @ 2021-01-18 10:12 UTC (permalink / raw)
  To: akuster808, openembedded-devel

> -----Original Message-----
> From: openembedded-devel@lists.openembedded.org <openembedded-
> devel@lists.openembedded.org> On Behalf Of akuster via
> lists.openembedded.org
> Sent: 17 January 2021 18:46
> To: openembedded-devel@lists.openembedded.org
> Subject: [oe] [dunfell 00/28] Patch review Jan 17th
> 
> Here is the next batch for Dunfell. Please review and have comments back by
> Wednesday.
> 
> The following changes since commit
> f2d02cb71eaff8eb285a1997b30be52486c160ae:
> 
>   python3-pyinotify: Add missing ctypes dependency (2020-11-15 11:13:25 -
> 0800)
> 
> are available in the Git repository at:
> 
>   git://git.openembedded.org/meta-openembedded-contrib stable/dunfell-
> nut
>   http://cgit.openembedded.org/meta-openembedded-
> contrib/log/?h=stable/dunfell-nut
> 
> Armin Kuster (5):
>   wireguard-module: fix build issue with 5.4 kernel
>   mariadb: update to 10.4.17 for cve fixes
>   lua: update to 5.3.6
>   nss: Security fix CVE-2020-12401
>   wireshark: Several securtiy fixes
> 
> Chenxi Mao (1):
>   geoclue: select avahi-daemon if nmea enabled
> 
> Gianfranco (1):
>   dlt-daemon: add upstream patch to fix CVE-2020-29394
> 
> Khem Raj (4):
>   nodejs: Fix build with icu 67.1
>   nodejs: Upgrade to 12.18.3
>   nodejs: Fix arm32/thumb builds with clang
>   nodejs: Update to 12.19.0
> 
> Leon Anavi (1):
>   php: Upgrade 7.4.4 -> 7.4.9
> 
> Max Kellermann (1):
>   php: remove the failing ${D}/${TMPDIR} code
> 
> Roland Hieber (1):
>   pcsc-lite: provide pcsc-lite-lib-native explicitly for native build
> 
> Sakib Sajal (1):
>   apache2: upgrade v2.4.43 -> v2.4.46
> 
> Sean Nyekjaer (1):
>   nodejs: 12.19.1 -> 12.20.1
> 
> Stacy Gaikovaia (1):
>   nodejs: 12.19.0 -> 12.19.1
> 
> Wang Mingyu (1):
>   zabbix: CVE-2020-15803 Security Advisory
> 
> Wenlin Kang (2):
>   lua: fix CVE-2020-15945
>   lua: fix CVE-2020-24371
> 
> Zang Ruochen (1):
>   mcpp: Normalize the patch format of CVE
> 
> Zheng Ruoqin (4):
>   samba: CVE-2020-14318 Security Advisory
>   samba: CVE-2020-14383 Security Advisory
>   php: CVE-2020-7070
>   php: CVE-2020-7069
> 
> jabdoa2 (2):
>   libsdl2-mixer: Fix ogg/vorbis support in libsdl2-mixer
>   libsdl2-mixer: set --disable-music-ogg-shared to link statically
> 
> viatsk (1):
>   tcpdump: Patch for CVE-2020-8037
> 
>  .../samba/samba/CVE-2020-14318.patch          | 142 +++++++++++++++
>  .../samba/samba/CVE-2020-14383.patch          | 112 ++++++++++++
>  .../samba/samba_4.10.18.bb                    |   2 +
>  ...NC_-START-END-were-backported-to-5.4.patch |  29 +++
>  .../wireguard-module_1.0.20200401.bb          |   3 +-
>  ...ping-don-t-allocate-a-too-large-buff.patch |  70 ++++++++
>  .../recipes-support/tcpdump/tcpdump_4.9.3.bb  |   1 +
>  ...wireshark_3.2.7.bb => wireshark_3.2.10.bb} |   2 +-
>  .../zabbix/zabbix/CVE-2020-15803.patch        |  36 ++++
>  .../zabbix/zabbix_4.4.6.bb                    |   1 +
>  ...e_10.4.12.bb => mariadb-native_10.4.17.bb} |   0
>  meta-oe/recipes-dbs/mysql/mariadb.inc         |   6 +-
>  ...-breakage-from-lock_guard-error-6161.patch |  32 ----
>  .../mariadb/0001-Fix-library-LZ4-lookup.patch |  19 +-
>  .../mysql/mariadb/c11_atomics.patch           |  24 ++-
>  .../configure.cmake-fix-valgrind.patch        |  10 +-
>  .../mariadb/fix-a-building-failure.patch      |  13 +-
>  .../mysql/mariadb/fix-arm-atomic.patch        |  13 +-
>  ...Lists.txt-fix-gen_lex_hash-not-found.patch |  12 +-
>  ...akeLists.txt-fix-do_populate_sysroot.patch |  10 +-
>  ...{mariadb_10.4.12.bb => mariadb_10.4.17.bb} |   0
>  ...rriers-cannot-be-active-during-sweep.patch |  90 ++++++++++
>  .../lua/lua/CVE-2020-15945.patch              | 167 ++++++++++++++++++
>  .../lua/{lua_5.3.5.bb => lua_5.3.6.bb}        |   8 +-
>  .../mcpp/files/CVE-2019-14274.patch           |  34 ++++
>  .../mcpp/files/ice-mcpp.patch                 |  31 ----
>  meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb   |   3 +-
>  ...gister-r7-because-llvm-now-issues-an.patch |  53 ++++++
>  ...-passing-multiple-libs-to-pkg_config.patch |  41 -----
>  ...allow-use-of-system-installed-brotli.patch |  66 -------
>  ...Install-both-binaries-and-use-libdir.patch |  28 ++-
>  .../{nodejs_12.14.1.bb => nodejs_12.20.1.bb}  |  12 +-
>  .../php/php/CVE-2020-7069.patch               | 158 +++++++++++++++++
>  .../php/php/CVE-2020-7070.patch               |  24 +++
>  .../php/php/debian-php-fixheader.patch        |  27 +--
>  .../php/{php_7.4.4.bb => php_7.4.9.bb}        |  16 +-
>  .../dlt-daemon/dlt-daemon/275.patch           |  38 ++++
>  .../dlt-daemon/dlt-daemon_2.18.4.bb           |   1 +
>  .../libsdl/libsdl2-mixer_2.0.4.bb             |   2 +-
>  .../geoclue/geoclue_2.5.3.bb                  |   2 +-
>  .../nss/nss/CVE-2020-12401.patch              |  52 ++++++
>  meta-oe/recipes-support/nss/nss_3.51.1.bb     |   1 +
>  .../pcsc-lite/pcsc-lite_1.8.26.bb             |   1 +
>  .../{apache2_2.4.43.bb => apache2_2.4.46.bb}  |   4 +-
>  44 files changed, 1111 insertions(+), 285 deletions(-)
>  create mode 100644 meta-networking/recipes-
> connectivity/samba/samba/CVE-2020-14318.patch
>  create mode 100644 meta-networking/recipes-
> connectivity/samba/samba/CVE-2020-14383.patch
>  create mode 100644 meta-networking/recipes-kernel/wireguard/files/0001-
> compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch
>  create mode 100644 meta-networking/recipes-
> support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-
> too-large-buff.patch
>  rename meta-networking/recipes-support/wireshark/{wireshark_3.2.7.bb
> => wireshark_3.2.10.bb} (96%)
>  create mode 100644 meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2020-
> 15803.patch
>  rename meta-oe/recipes-dbs/mysql/{mariadb-native_10.4.12.bb =>
> mariadb-native_10.4.17.bb} (100%)
>  delete mode 100644 meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-build-
> breakage-from-lock_guard-error-6161.patch
>  rename meta-oe/recipes-dbs/mysql/{mariadb_10.4.12.bb =>
> mariadb_10.4.17.bb} (100%)
>  create mode 100644 meta-oe/recipes-devtools/lua/lua/0001-Fixed-bug-
> barriers-cannot-be-active-during-sweep.patch
>  create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2020-
> 15945.patch
>  rename meta-oe/recipes-devtools/lua/{lua_5.3.5.bb => lua_5.3.6.bb} (87%)
>  create mode 100644 meta-oe/recipes-devtools/mcpp/files/CVE-2019-
> 14274.patch
>  create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-
> Remove-use-of-register-r7-because-llvm-now-issues-an.patch
>  delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-build-
> allow-passing-multiple-libs-to-pkg_config.patch
>  delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0002-build-
> allow-use-of-system-installed-brotli.patch
>  rename meta-oe/recipes-devtools/nodejs/{nodejs_12.14.1.bb =>
> nodejs_12.20.1.bb} (94%)
>  create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-
> 7069.patch
>  create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-
> 7070.patch
>  mode change 100755 => 100644 meta-oe/recipes-
> devtools/php/php/debian-php-fixheader.patch
>  rename meta-oe/recipes-devtools/php/{php_7.4.4.bb => php_7.4.9.bb}
> (97%)
>  create mode 100644 meta-oe/recipes-extended/dlt-daemon/dlt-
> daemon/275.patch
>  create mode 100644 meta-oe/recipes-support/nss/nss/CVE-2020-
> 12401.patch
>  rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.43.bb =>
> apache2_2.4.46.bb} (98%)
> 
> --
> 2.17.1
Hi Armin,

Is there any specific reason why the gssdp and gupnp updates I sent for dunfell a while ago to fix a CVE are not in? They are in the patch review you've sent for gatesgarth though.

Anything I should do?

Thanks,

Diego

-- 
Diego Santa Cruz, PhD
Technology Architect
spinetix.com





* Re: [oe] [dunfell 00/28] Patch review Jan 17th
  2021-01-18 10:12 ` Diego Santa Cruz
@ 2021-01-18 16:34   ` akuster
  0 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-18 16:34 UTC (permalink / raw)
  To: Diego Santa Cruz, openembedded-devel



On 1/18/21 2:12 AM, Diego Santa Cruz wrote:
>> -----Original Message-----
>> From: openembedded-devel@lists.openembedded.org <openembedded-
>> devel@lists.openembedded.org> On Behalf Of akuster via
>> lists.openembedded.org
>> Sent: 17 January 2021 18:46
>> To: openembedded-devel@lists.openembedded.org
>> Subject: [oe] [dunfell 00/28] Patch review Jan 17th
>>
>> Here is the next batch for Dunfell. Please review and have comments back by
>> Wednesday.
>>
>> The following changes since commit
>> f2d02cb71eaff8eb285a1997b30be52486c160ae:
>>
>>   python3-pyinotify: Add missing ctypes dependency (2020-11-15 11:13:25 -
>> 0800)
>>
>> are available in the Git repository at:
>>
>>   git://git.openembedded.org/meta-openembedded-contrib stable/dunfell-
>> nut
>>   http://cgit.openembedded.org/meta-openembedded-
>> contrib/log/?h=stable/dunfell-nut
>>
>> Armin Kuster (5):
>>   wireguard-module: fix build issue with 5.4 kernel
>>   mariadb: update to 10.4.17 for cve fixes
>>   lua: update to 5.3.6
>>   nss: Security fix CVE-2020-12401
>>   wireshark: Several securtiy fixes
>>
>> Chenxi Mao (1):
>>   geoclue: select avahi-daemon if nmea enabled
>>
>> Gianfranco (1):
>>   dlt-daemon: add upstream patch to fix CVE-2020-29394
>>
>> Khem Raj (4):
>>   nodejs: Fix build with icu 67.1
>>   nodejs: Upgrade to 12.18.3
>>   nodejs: Fix arm32/thumb builds with clang
>>   nodejs: Update to 12.19.0
>>
>> Leon Anavi (1):
>>   php: Upgrade 7.4.4 -> 7.4.9
>>
>> Max Kellermann (1):
>>   php: remove the failing ${D}/${TMPDIR} code
>>
>> Roland Hieber (1):
>>   pcsc-lite: provide pcsc-lite-lib-native explicitly for native build
>>
>> Sakib Sajal (1):
>>   apache2: upgrade v2.4.43 -> v2.4.46
>>
>> Sean Nyekjaer (1):
>>   nodejs: 12.19.1 -> 12.20.1
>>
>> Stacy Gaikovaia (1):
>>   nodejs: 12.19.0 -> 12.19.1
>>
>> Wang Mingyu (1):
>>   zabbix: CVE-2020-15803 Security Advisory
>>
>> Wenlin Kang (2):
>>   lua: fix CVE-2020-15945
>>   lua: fix CVE-2020-24371
>>
>> Zang Ruochen (1):
>>   mcpp: Normalize the patch format of CVE
>>
>> Zheng Ruoqin (4):
>>   samba: CVE-2020-14318 Security Advisory
>>   samba: CVE-2020-14383 Security Advisory
>>   php: CVE-2020-7070
>>   php: CVE-2020-7069
>>
>> jabdoa2 (2):
>>   libsdl2-mixer: Fix ogg/vorbis support in libsdl2-mixer
>>   libsdl2-mixer: set --disable-music-ogg-shared to link statically
>>
>> viatsk (1):
>>   tcpdump: Patch for CVE-2020-8037
>>
>>  .../samba/samba/CVE-2020-14318.patch          | 142 +++++++++++++++
>>  .../samba/samba/CVE-2020-14383.patch          | 112 ++++++++++++
>>  .../samba/samba_4.10.18.bb                    |   2 +
>>  ...NC_-START-END-were-backported-to-5.4.patch |  29 +++
>>  .../wireguard-module_1.0.20200401.bb          |   3 +-
>>  ...ping-don-t-allocate-a-too-large-buff.patch |  70 ++++++++
>>  .../recipes-support/tcpdump/tcpdump_4.9.3.bb  |   1 +
>>  ...wireshark_3.2.7.bb => wireshark_3.2.10.bb} |   2 +-
>>  .../zabbix/zabbix/CVE-2020-15803.patch        |  36 ++++
>>  .../zabbix/zabbix_4.4.6.bb                    |   1 +
>>  ...e_10.4.12.bb => mariadb-native_10.4.17.bb} |   0
>>  meta-oe/recipes-dbs/mysql/mariadb.inc         |   6 +-
>>  ...-breakage-from-lock_guard-error-6161.patch |  32 ----
>>  .../mariadb/0001-Fix-library-LZ4-lookup.patch |  19 +-
>>  .../mysql/mariadb/c11_atomics.patch           |  24 ++-
>>  .../configure.cmake-fix-valgrind.patch        |  10 +-
>>  .../mariadb/fix-a-building-failure.patch      |  13 +-
>>  .../mysql/mariadb/fix-arm-atomic.patch        |  13 +-
>>  ...Lists.txt-fix-gen_lex_hash-not-found.patch |  12 +-
>>  ...akeLists.txt-fix-do_populate_sysroot.patch |  10 +-
>>  ...{mariadb_10.4.12.bb => mariadb_10.4.17.bb} |   0
>>  ...rriers-cannot-be-active-during-sweep.patch |  90 ++++++++++
>>  .../lua/lua/CVE-2020-15945.patch              | 167 ++++++++++++++++++
>>  .../lua/{lua_5.3.5.bb => lua_5.3.6.bb}        |   8 +-
>>  .../mcpp/files/CVE-2019-14274.patch           |  34 ++++
>>  .../mcpp/files/ice-mcpp.patch                 |  31 ----
>>  meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb   |   3 +-
>>  ...gister-r7-because-llvm-now-issues-an.patch |  53 ++++++
>>  ...-passing-multiple-libs-to-pkg_config.patch |  41 -----
>>  ...allow-use-of-system-installed-brotli.patch |  66 -------
>>  ...Install-both-binaries-and-use-libdir.patch |  28 ++-
>>  .../{nodejs_12.14.1.bb => nodejs_12.20.1.bb}  |  12 +-
>>  .../php/php/CVE-2020-7069.patch               | 158 +++++++++++++++++
>>  .../php/php/CVE-2020-7070.patch               |  24 +++
>>  .../php/php/debian-php-fixheader.patch        |  27 +--
>>  .../php/{php_7.4.4.bb => php_7.4.9.bb}        |  16 +-
>>  .../dlt-daemon/dlt-daemon/275.patch           |  38 ++++
>>  .../dlt-daemon/dlt-daemon_2.18.4.bb           |   1 +
>>  .../libsdl/libsdl2-mixer_2.0.4.bb             |   2 +-
>>  .../geoclue/geoclue_2.5.3.bb                  |   2 +-
>>  .../nss/nss/CVE-2020-12401.patch              |  52 ++++++
>>  meta-oe/recipes-support/nss/nss_3.51.1.bb     |   1 +
>>  .../pcsc-lite/pcsc-lite_1.8.26.bb             |   1 +
>>  .../{apache2_2.4.43.bb => apache2_2.4.46.bb}  |   4 +-
>>  44 files changed, 1111 insertions(+), 285 deletions(-)
>>  create mode 100644 meta-networking/recipes-
>> connectivity/samba/samba/CVE-2020-14318.patch
>>  create mode 100644 meta-networking/recipes-
>> connectivity/samba/samba/CVE-2020-14383.patch
>>  create mode 100644 meta-networking/recipes-kernel/wireguard/files/0001-
>> compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch
>>  create mode 100644 meta-networking/recipes-
>> support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-
>> too-large-buff.patch
>>  rename meta-networking/recipes-support/wireshark/{wireshark_3.2.7.bb
>> => wireshark_3.2.10.bb} (96%)
>>  create mode 100644 meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2020-
>> 15803.patch
>>  rename meta-oe/recipes-dbs/mysql/{mariadb-native_10.4.12.bb =>
>> mariadb-native_10.4.17.bb} (100%)
>>  delete mode 100644 meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-build-
>> breakage-from-lock_guard-error-6161.patch
>>  rename meta-oe/recipes-dbs/mysql/{mariadb_10.4.12.bb =>
>> mariadb_10.4.17.bb} (100%)
>>  create mode 100644 meta-oe/recipes-devtools/lua/lua/0001-Fixed-bug-
>> barriers-cannot-be-active-during-sweep.patch
>>  create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2020-
>> 15945.patch
>>  rename meta-oe/recipes-devtools/lua/{lua_5.3.5.bb => lua_5.3.6.bb} (87%)
>>  create mode 100644 meta-oe/recipes-devtools/mcpp/files/CVE-2019-
>> 14274.patch
>>  create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-
>> Remove-use-of-register-r7-because-llvm-now-issues-an.patch
>>  delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-build-
>> allow-passing-multiple-libs-to-pkg_config.patch
>>  delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0002-build-
>> allow-use-of-system-installed-brotli.patch
>>  rename meta-oe/recipes-devtools/nodejs/{nodejs_12.14.1.bb =>
>> nodejs_12.20.1.bb} (94%)
>>  create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-
>> 7069.patch
>>  create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-
>> 7070.patch
>>  mode change 100755 => 100644 meta-oe/recipes-
>> devtools/php/php/debian-php-fixheader.patch
>>  rename meta-oe/recipes-devtools/php/{php_7.4.4.bb => php_7.4.9.bb}
>> (97%)
>>  create mode 100644 meta-oe/recipes-extended/dlt-daemon/dlt-
>> daemon/275.patch
>>  create mode 100644 meta-oe/recipes-support/nss/nss/CVE-2020-
>> 12401.patch
>>  rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.43.bb =>
>> apache2_2.4.46.bb} (98%)
>>
>> --
>> 2.17.1
> Hi Armin,
>
> Is there any specific reason why the gssdp and gupnp updates I sent for dunfell a while ago to fix a CVE are not in? They are in the patch review you've sent for gatesgarth though.
I most forgot to merge them from Gatesgarth. They are in there shortly.
-armin
>
> Anything I should do?
>
> Thanks,
>
> Diego
>


