* [dunfell 00/20] Patch review Sept 5
@ 2020-09-05 16:55 akuster
  2020-09-05 16:55 ` [dunfell 01/20] lvm2: remove service template from SYSTEMD_SERVICE akuster
                   ` (20 more replies)
  0 siblings, 21 replies; 24+ messages in thread
From: akuster @ 2020-09-05 16:55 UTC (permalink / raw)
  To: openembedded-devel

Here is the next set of dunfell changes.
Please review and have feedback by Monday.


The following changes since commit 654ad8bea49f142d20b2b96c0dd44810a6be233a:

  jsoncpp: add PE do to revert to older PV (2020-07-18 07:24:39 -0700)

are available in the Git repository at:

  git://git.openembedded.org/meta-openembedded-contrib stable/dunfell-nut
  http://cgit.openembedded.org/meta-openembedded-contrib/log/?h=stable/dunfell-nut

Adrian Bunk (1):
  gnome-settings-daemon: Remove duplicate outdated SRC_URI hashes

Alistair Francis (1):
  python3-obd: Add missing setuptools RDEPENDS

Andreas Müller (1):
  exiv2: upgrade 0.27.1 -> 0.27.3

Armin Kuster (3):
  vlc: fix loop initial declarations are only allowed in C99 mode
  babl-native: fix build issue
  gnome-settings-daemon: Backport 3.36 fix for building without wayland

Changqing Li (1):
  radvd: add /etc/radvd.conf

Julius Hemanth Pitti (1):
  netkit-telnetd: Fix buffer overflow in netoprintf

Kai Kang (2):
  lvm2: remove service template from SYSTEMD_SERVICE
  rdist: fix parallel build

Khem Raj (2):
  samba: Fix conflicts with nss.h from glibc
  flashrom: Fix build failure with glibc 2.32

Leon Anavi (1):
  python3-pandas: Upgrade 1.0.3 -> 1.0.5

Martin Jansa (1):
  lcov: fix lcov-native build

Mingli Yu (2):
  freeradius: fix the existed certificate error
  freeradius: fix the occasional verification failure

Ovidiu Panait (1):
  net-snmp: Fix CVE-2020-15861 and CVE-2020-15862

Ryan Rowe (1):
  python3-pint: add setuptools and packaging to RDEPENDS

Yi Zhao (1):
  samba: upgrade 4.10.15 -> 4.10.17

Yue Tao (1):
  lua: Security Advisory - lua - CVE-2020-15888

 meta-gnome/recipes-gimp/babl/babl_0.1.74.bb   |   2 +
 ...gins-wacom-Fix-build-without-WAYLAND.patch |  27 ++
 .../gnome-settings-daemon_3.34.2.bb           |   5 +-
 .../recipes-multimedia/vlc/vlc_3.0.9.2.bb     |   2 +-
 ...file-fix-the-existed-certificate-err.patch |  55 +++
 ...file-fix-the-occasional-verification.patch | 135 +++++++
 .../freeradius/freeradius_3.0.20.bb           |   2 +
 .../rdist-6.1.5-fix-parallel-build.patch      |  31 ++
 .../recipes-connectivity/rdist/rdist_6.1.5.bb |   1 +
 ....c-Avoid-nss-function-conflicts-with.patch |  96 +++++
 .../0001-util-Simplify-input-validation.patch |  59 +++
 ...n-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch |  79 ++++
 ...larger-buffer-if-getpwuid_r-returns-.patch |  50 +++
 .../{samba_4.10.15.bb => samba_4.10.17.bb}    |   8 +-
 .../recipes-daemons/radvd/files/radvd.conf    |  18 +
 .../recipes-daemons/radvd/radvd.inc           |   5 +-
 ....c-Fix-buffer-overflow-in-netoprintf.patch |  56 +++
 .../netkit-telnet/netkit-telnet_0.17.bb       |   1 +
 .../net-snmp/CVE-2020-15861-0001.patch        | 164 ++++++++
 .../net-snmp/CVE-2020-15861-0002.patch        |  44 +++
 .../net-snmp/CVE-2020-15861-0003.patch        |  40 ++
 .../net-snmp/CVE-2020-15861-0004.patch        |  33 ++
 .../net-snmp/CVE-2020-15861-0005.patch        | 349 ++++++++++++++++++
 .../net-snmp/net-snmp/CVE-2020-15862.patch    |  87 +++++
 .../net-snmp/net-snmp_5.8.bb                  |   6 +
 ...or-last-line-only-from-preprocessed-.patch |  57 +++
 meta-oe/recipes-bsp/flashrom/flashrom_1.2.bb  |   1 +
 .../lua/lua/CVE-2020-15888.patch              |  45 +++
 meta-oe/recipes-devtools/lua/lua_5.3.5.bb     |   1 +
 ...-protection-only-if-compiler-arch-su.patch |  40 ++
 .../{exiv2_0.27.1.bb => exiv2_0.27.3.bb}      |   7 +-
 meta-oe/recipes-support/lcov/lcov_1.14.bb     |   7 +-
 meta-oe/recipes-support/lvm2/lvm2_2.03.06.bb  |   8 +-
 .../recipes-devtools/python/python-pint.inc   |   5 +
 .../python/python3-obd_0.7.1.bb               |   2 +-
 ...andas_1.0.3.bb => python3-pandas_1.0.5.bb} |   4 +-
 36 files changed, 1516 insertions(+), 16 deletions(-)
 create mode 100644 meta-gnome/recipes-gnome/gnome-settings-daemon/files/0001-plugins-wacom-Fix-build-without-WAYLAND.patch
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-existed-certificate-err.patch
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-occasional-verification.patch
 create mode 100644 meta-networking/recipes-connectivity/rdist/rdist-6.1.5/rdist-6.1.5-fix-parallel-build.patch
 create mode 100644 meta-networking/recipes-connectivity/samba/samba/0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch
 create mode 100644 meta-networking/recipes-connectivity/samba/samba/0001-util-Simplify-input-validation.patch
 create mode 100644 meta-networking/recipes-connectivity/samba/samba/0002-util-Fix-build-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch
 create mode 100644 meta-networking/recipes-connectivity/samba/samba/0003-util-Reallocate-larger-buffer-if-getpwuid_r-returns-.patch
 rename meta-networking/recipes-connectivity/samba/{samba_4.10.15.bb => samba_4.10.17.bb} (96%)
 create mode 100644 meta-networking/recipes-daemons/radvd/files/radvd.conf
 create mode 100644 meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch
 create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0001.patch
 create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0002.patch
 create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0003.patch
 create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0004.patch
 create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0005.patch
 create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15862.patch
 create mode 100644 meta-oe/recipes-bsp/flashrom/flashrom/0001-Makefile-Check-for-last-line-only-from-preprocessed-.patch
 create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2020-15888.patch
 create mode 100644 meta-oe/recipes-support/exiv2/exiv2/0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch
 rename meta-oe/recipes-support/exiv2/{exiv2_0.27.1.bb => exiv2_0.27.3.bb} (52%)
 rename meta-python/recipes-devtools/python/{python3-pandas_1.0.3.bb => python3-pandas_1.0.5.bb} (81%)

-- 
2.17.1



* [dunfell 01/20] lvm2: remove service template from SYSTEMD_SERVICE
  2020-09-05 16:55 [dunfell 00/20] Patch review Sept 5 akuster
@ 2020-09-05 16:55 ` akuster
  2020-09-05 16:55 ` [dunfell 02/20] freeradius: fix the existed certificate error akuster
                   ` (19 subsequent siblings)
  20 siblings, 0 replies; 24+ messages in thread
From: akuster @ 2020-09-05 16:55 UTC (permalink / raw)
  To: openembedded-devel

From: Kai Kang <kai.kang@windriver.com>

Remove systemd service template lvm2-pvscan@.service from
SYSTEMD_SERVICE. It should be started/stopped in udev rules file
69-dm-lvm-metad.rules.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d85613d8d1d285c9a1f9cf3cf8b13655220cd8cf)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-oe/recipes-support/lvm2/lvm2_2.03.06.bb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/meta-oe/recipes-support/lvm2/lvm2_2.03.06.bb b/meta-oe/recipes-support/lvm2/lvm2_2.03.06.bb
index e2b551bbc6..bc86810ecb 100644
--- a/meta-oe/recipes-support/lvm2/lvm2_2.03.06.bb
+++ b/meta-oe/recipes-support/lvm2/lvm2_2.03.06.bb
@@ -32,7 +32,7 @@ PACKAGE_BEFORE_PN = "${PN}-scripts ${PN}-udevrules"
 
 SYSTEMD_PACKAGES = "${PN}"
 SYSTEMD_SERVICE_${PN} = "${@bb.utils.contains('PACKAGECONFIG', 'dmeventd', 'lvm2-monitor.service dm-event.socket dm-event.service', '', d)} \
-                         blk-availability.service lvm2-pvscan@.service"
+                         blk-availability.service"
 SYSTEMD_AUTO_ENABLE = "disable"
 
 TARGET_CC_ARCH += "${LDFLAGS}"
@@ -52,7 +52,11 @@ FILES_libdevmapper = " \
     ${sbindir}/dmstats \
 "
 
-FILES_${PN} += "${libdir}/device-mapper/*.so"
+FILES_${PN} += " \
+    ${libdir}/device-mapper/*.so \
+    ${systemd_system_unitdir}/lvm2-pvscan@.service \
+"
+
 FILES_${PN}-scripts = " \
     ${sbindir}/blkdeactivate \
     ${sbindir}/fsadm \
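Review bot: the new `${systemd_system_unitdir}/lvm2-pvscan@.service` entry in `FILES_${PN}` has no comment saying why the unit is listed by hand. The first hunk drops the template from `SYSTEMD_SERVICE_${PN}` and the commit message says it is started from 69-dm-lvm-metad.rules, so a one-line comment above the assignment would keep a later cleanup from removing the entry. Since `PACKAGE_BEFORE_PN` lists `${PN}-udevrules` as a separate package, please also state whether that package needs a runtime dependency on `${PN}` so the rules and the unit they start are always installed together.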
-- 
2.17.1



* [dunfell 02/20] freeradius: fix the existed certificate error
  2020-09-05 16:55 [dunfell 00/20] Patch review Sept 5 akuster
  2020-09-05 16:55 ` [dunfell 01/20] lvm2: remove service template from SYSTEMD_SERVICE akuster
@ 2020-09-05 16:55 ` akuster
  2020-09-05 16:55 ` [dunfell 03/20] netkit-telnetd: Fix buffer overflow in netoprintf akuster
                   ` (18 subsequent siblings)
  20 siblings, 0 replies; 24+ messages in thread
From: akuster @ 2020-09-05 16:55 UTC (permalink / raw)
  To: openembedded-devel

From: Mingli Yu <mingli.yu@windriver.com>

Fixes the occasional error:
 # cd /etc/raddb/certs
 # ./bootstrap
[snip]
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key 'whatever' -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
ERROR:There is already a certificate for /C=FR/ST=Radius/O=Example Inc./CN=user@example.org/emailAddress=user@example.org
The matching entry has the following details
Type          :Valid
Expires on    :200908024833Z
Serial Number :02
File name     :unknown
Subject Name  :/C=FR/ST=Radius/O=Example Inc./CN=user@example.org/emailAddress=user@example.org
make: *** [Makefile:128: client.crt] Error 1

Add the check to fix the above error and it does the same for server.crt.

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0d7522b7df80e45c379ad76addfddd51d0e56e9d)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ...file-fix-the-existed-certificate-err.patch | 55 +++++++++++++++++++
 .../freeradius/freeradius_3.0.20.bb           |  1 +
 2 files changed, 56 insertions(+)
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-existed-certificate-err.patch

diff --git a/meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-existed-certificate-err.patch b/meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-existed-certificate-err.patch
new file mode 100644
index 0000000000..669f363e72
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-existed-certificate-err.patch
@@ -0,0 +1,55 @@
+From 084f5467672f2ae37003b77e8f8706772f3da3ec Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Mon, 13 Jul 2020 07:01:45 +0000
+Subject: [PATCH] raddb/certs/Makefile: fix the existed certificate error
+
+Fixes:
+ # ./bootstrap
+ [snip]
+openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key 'whatever' -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
+Using configuration from ./client.cnf
+Check that the request matches the signature
+Signature ok
+ERROR:There is already a certificate for /C=FR/ST=Radius/O=Example Inc./CN=user@example.org/emailAddress=user@example.org
+The matching entry has the following details
+Type          :Valid
+Expires on    :200908024833Z
+Serial Number :02
+File name     :unknown
+Subject Name  :/C=FR/ST=Radius/O=Example Inc./CN=user@example.org/emailAddress=user@example.org
+make: *** [Makefile:128: client.crt] Error 1
+
+Add the check to fix the above error and it does the same for server.crt.
+
+Upstream-Status: Pending
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ raddb/certs/Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
+index 5cbfd467ce..77eec9baa1 100644
+--- a/raddb/certs/Makefile
++++ b/raddb/certs/Makefile
+@@ -92,7 +92,7 @@ server.csr server.key: server.cnf
+ 	chmod g+r server.key
+ 
+ server.crt: server.csr ca.key ca.pem
+-	$(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
++	@[ -f server.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
+ 
+ server.p12: server.crt
+ 	$(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+@@ -117,7 +117,7 @@ client.csr client.key: client.cnf
+ 	chmod g+r client.key
+ 
+ client.crt: client.csr ca.pem ca.key
+-	$(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
++	@[ -f client.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
+ 
+ client.p12: client.crt
+ 	$(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+-- 
+2.26.2
+
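Review bot: the `[ -f server.crt ] ||` guard in the server.crt rule, and the identical one for client.crt, skips signing whenever the file exists, including when make runs the rule because server.csr, ca.key or ca.pem is newer than it. In that case the old certificate is kept silently and may no longer match the regenerated request, so consider removing the stale .crt before signing instead of skipping, or at least testing with `-s` so that an empty file left by a failed run does not count as done. The leading `@` also hides the openssl command from the build log, which makes it hard to tell from the log whether signing ran; dropping it would keep the log useful.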
diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb
index 005ca47da8..d2046d72eb 100644
--- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb
+++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb
@@ -27,6 +27,7 @@ SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0
     file://freeradius-fix-error-for-expansion-of-macro.patch \
     file://0001-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch \
     file://0001-rlm_python3-add-PY_INC_DIR-in-search-dir.patch \
+    file://0001-raddb-certs-Makefile-fix-the-existed-certificate-err.patch \
     file://radiusd.service \
     file://radiusd-volatiles.conf \
 "
-- 
2.17.1



* [dunfell 03/20] netkit-telnetd: Fix buffer overflow in netoprintf
  2020-09-05 16:55 [dunfell 00/20] Patch review Sept 5 akuster
  2020-09-05 16:55 ` [dunfell 01/20] lvm2: remove service template from SYSTEMD_SERVICE akuster
  2020-09-05 16:55 ` [dunfell 02/20] freeradius: fix the existed certificate error akuster
@ 2020-09-05 16:55 ` akuster
  2020-09-05 16:55 ` [dunfell 04/20] radvd: add /etc/radvd.conf akuster
                   ` (17 subsequent siblings)
  20 siblings, 0 replies; 24+ messages in thread
From: akuster @ 2020-09-05 16:55 UTC (permalink / raw)
  To: openembedded-devel

From: Julius Hemanth Pitti <jpitti@cisco.com>

netoprintf() was not handling the case where
the return value of vsnprintf is greater than
"size" (2nd argument), which results in a buffer overflow
while adjusting the "nfrontp" pointer to point
beyond the "netobuf" buffer.

Here is one such case where "nfrontp"
crossed the boundaries of "netobuf" and is
pointing to another global variable.

(gdb) p &netobuf[8255]
$5 = 0x55c93afe8b1f <netobuf+8255> ""
(gdb) p nfrontp
$6 = 0x55c93afe8c20 <terminaltype> "\377"
(gdb) p &terminaltype
$7 = (char **) 0x55c93afe8c20 <terminaltype>
(gdb)

This resulted in a crash of the telnetd service
with a segmentation fault.

Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 232b82afd405c526f822294509e1d32388544ed4)
[appears to be CVE-2020-10188]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ....c-Fix-buffer-overflow-in-netoprintf.patch | 56 +++++++++++++++++++
 .../netkit-telnet/netkit-telnet_0.17.bb       |  1 +
 2 files changed, 57 insertions(+)
 create mode 100644 meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch

diff --git a/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch b/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch
new file mode 100644
index 0000000000..8f983e40ab
--- /dev/null
+++ b/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch
@@ -0,0 +1,56 @@
+From 9c81c8e5bc7782e8ae12c078615abc3c896059f2 Mon Sep 17 00:00:00 2001
+From: Julius Hemanth Pitti <jpitti@cisco.com>
+Date: Tue, 14 Jul 2020 22:34:19 -0700
+Subject: [PATCH] telnetd/utility.c: Fix buffer overflow in netoprintf
+
+As per man page of vsnprintf, when formated
+string size is greater than "size"(2nd argument),
+then vsnprintf returns size of formated string,
+not "size"(2nd argument).
+
+netoprintf() was not handling a case where
+return value of vsnprintf is greater than
+"size"(2nd argument), results in buffer overflow
+while adjusting "nfrontp" pointer to point
+beyond "netobuf" buffer.
+
+Here is one such case where "nfrontp"
+crossed boundaries of "netobuf", and
+pointing to another global variable.
+
+(gdb) p &netobuf[8255]
+$5 = 0x55c93afe8b1f <netobuf+8255> ""
+(gdb) p nfrontp
+$6 = 0x55c93afe8c20 <terminaltype> "\377"
+(gdb) p &terminaltype
+$7 = (char **) 0x55c93afe8c20 <terminaltype>
+(gdb)
+
+This resulted in crash of telnetd service
+with segmentation fault.
+
+Though this is DoS security bug, I couldn't
+find any CVE ID for this.
+
+Upstream-Status: Pending
+
+Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com>
+---
+ telnetd/utility.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/telnetd/utility.c b/telnetd/utility.c
+index b9a46a6..4811f14 100644
+--- a/telnetd/utility.c
++++ b/telnetd/utility.c
+@@ -66,7 +66,7 @@ netoprintf(const char *fmt, ...)
+       len = vsnprintf(nfrontp, maxsize, fmt, ap);
+       va_end(ap);
+ 
+-      if (len<0 || len==maxsize) {
++      if (len<0 || len>=maxsize) {
+ 	 /* didn't fit */
+ 	 netflush();
+       }
+--
+2.19.1
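Review bot: the patch header still says "I couldn't find any CVE ID for this" and carries no CVE tag, while the cherry-pick note on this submission says it appears to be CVE-2020-10188 and the recipe already lists CVE-2020-10188.patch. Please state in the header how this change relates to that existing patch and, if it completes the fix for that CVE, add a `CVE:` line so the tracking matches. For the `len>=maxsize` branch itself, the description should also say what happens when the formatted string is larger than the whole of netobuf, a case that `netflush()` cannot make fit.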
diff --git a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb
index 0e92add633..08dd532b62 100644
--- a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb
+++ b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://ftp.linux.org.uk/pub/linux/Networking/netkit/${BP}.tar.gz \
            file://0001-telnet-telnetd-Fix-print-format-strings.patch \
            file://0001-telnet-telnetd-Fix-deadlock-on-cleanup.patch \
            file://CVE-2020-10188.patch \
+           file://0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch \
            "
 
 UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/"
-- 
2.17.1
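The return-value handling described in this message, as an added example that is not part of the original post or of netkit-telnet: a fixed buffer with a write cursor, appended to through vsnprintf, with the `==` check beside the `>=` check. OUT_SIZE, out_buf, out_used, out_flush and out_printf are hypothetical names; the cursor is kept as an offset so the demonstration never forms an out-of-range pointer, and the two-attempt limit for oversized messages is an addition of this example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OUT_SIZE 32                 /* deliberately small for the demonstration */

static char   out_buf[OUT_SIZE];    /* hypothetical output buffer */
static size_t out_used;             /* write cursor, kept as an offset */
static int    flush_count;

static void out_reset(void)
{
    memset(out_buf, 0, sizeof out_buf);
    out_used = 0;
    flush_count = 0;
}

/* Stand-in for sending the buffered data: empties the buffer. */
static void out_flush(void)
{
    out_used = 0;
    flush_count++;
}

/* "Before" check: only len == room is treated as "didn't fit". */
static int fits_eq_only(int len, size_t room)
{
    return !(len < 0 || (size_t)len == room);
}

/* "After" check: vsnprintf returns the length it WANTED to write, so any
 * value >= room means the output was truncated. */
static int fits_ge(int len, size_t room)
{
    return !(len < 0 || (size_t)len >= room);
}

/* Append formatted text using the given fit check.
 * Returns the cursor offset after the call, or -1 if the text cannot fit
 * even in an empty buffer (the message is dropped, the cursor is unchanged). */
static long out_printf(int (*fits)(int, size_t), const char *fmt, ...)
{
    int len = -1;
    int ok = 0;

    for (int attempt = 0; attempt < 2 && !ok; attempt++) {
        size_t room = OUT_SIZE - out_used;
        va_list ap;

        va_start(ap, fmt);
        len = vsnprintf(out_buf + out_used, room, fmt, ap);
        va_end(ap);

        ok = fits(len, room);
        if (!ok)
            out_flush();            /* make room and try once more */
    }
    if (!ok)
        return -1;                  /* larger than the whole buffer */

    out_used += (size_t)len;        /* with the == check, len may exceed room */
    return (long)out_used;
}

/* Constructed scenario: 24 bytes are buffered, then 16 more arrive while
 * only 8 bytes of room remain. Returns the final cursor offset. */
static long demo(int (*fits)(int, size_t))
{
    out_reset();
    out_printf(fits, "%s", "AAAAAAAAAAAAAAAAAAAAAAAA");   /* 24 bytes */
    return out_printf(fits, "%s", "BBBBBBBBBBBBBBBB");    /* 16 bytes */
}

int main(void)
{
    printf("== check: cursor at %ld of %d\n", demo(fits_eq_only), OUT_SIZE);
    printf(">= check: cursor at %ld of %d, flushes=%d\n",
           demo(fits_ge), OUT_SIZE, flush_count);
    return 0;
}
```

With the `==` check the cursor ends past the end of the buffer even though vsnprintf itself wrote only within bounds; the damage comes from the next write through that cursor.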



* [dunfell 04/20] radvd: add /etc/radvd.conf
  2020-09-05 16:55 [dunfell 00/20] Patch review Sept 5 akuster
                   ` (2 preceding siblings ...)
  2020-09-05 16:55 ` [dunfell 03/20] netkit-telnetd: Fix buffer overflow in netoprintf akuster
@ 2020-09-05 16:55 ` akuster
  2020-09-05 16:55 ` [dunfell 05/20] python3-obd: Add missing setuptools RDEPENDS akuster
                   ` (16 subsequent siblings)
  20 siblings, 0 replies; 24+ messages in thread
From: akuster @ 2020-09-05 16:55 UTC (permalink / raw)
  To: openembedded-devel

From: Changqing Li <changqing.li@windriver.com>

When starting radvd without any configuration the following errors would
be triggered.

"""
root@intel-x86-64:~# systemctl status radvd
● radvd.service - Router advertisement daemon for IPv6
Loaded: loaded (/lib/systemd/system/radvd.service; enabled; vendor preset:
	enabled)
Active: inactive (dead)
        Condition: start condition failed at Tue 2019-09-24 13:29:36 UTC; 3s ago
	    └─ ConditionPathExists=/etc/radvd.conf was not met
"""

Normally the user should create and configure the /etc/radvd.conf
manually.  However, radvd provides an example file for redhat located
at "radvd/redhat/radvd.conf.empty". When installing, it would copy
radvd/redhat/radvd.conf.empty to /etc/radvd.conf. Also add this empty
conf here to be used as an example of configuration.

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5af77740a46c334978adc7f37f53ea9a318d3a33)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../recipes-daemons/radvd/files/radvd.conf     | 18 ++++++++++++++++++
 .../recipes-daemons/radvd/radvd.inc            |  5 ++++-
 2 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 meta-networking/recipes-daemons/radvd/files/radvd.conf

diff --git a/meta-networking/recipes-daemons/radvd/files/radvd.conf b/meta-networking/recipes-daemons/radvd/files/radvd.conf
new file mode 100644
index 0000000000..c006f86313
--- /dev/null
+++ b/meta-networking/recipes-daemons/radvd/files/radvd.conf
@@ -0,0 +1,18 @@
+# NOTE: there is no such thing as a working "by-default" configuration file. 
+#       At least the prefix needs to be specified.  Please consult the radvd.conf(5)
+#       man page and/or /usr/share/doc/radvd-*/radvd.conf.example for help.
+#
+#
+#interface eth0
+#{
+#	AdvSendAdvert on;
+#	MinRtrAdvInterval 30;
+#	MaxRtrAdvInterval 100;
+#	prefix 2001:db8:1:0::/64
+#	{
+#		AdvOnLink on;
+#		AdvAutonomous on;
+#		AdvRouterAddr off;
+#	};
+#
+#};
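Review bot: the header comment in the new radvd.conf points to /usr/share/doc/radvd-*/radvd.conf.example, but do_install_append in radvd.inc installs the example into `${docdir}/radvd`, so the path a user is sent to does not match what this recipe puts on the target; adjust the comment to the installed location. Every directive in the file is commented out, so the commit message should also say what radvd does once `ConditionPathExists=/etc/radvd.conf` is met but no interface is defined. The first line of the file has trailing whitespace.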
diff --git a/meta-networking/recipes-daemons/radvd/radvd.inc b/meta-networking/recipes-daemons/radvd/radvd.inc
index 59a07d78dc..802dbe34e9 100644
--- a/meta-networking/recipes-daemons/radvd/radvd.inc
+++ b/meta-networking/recipes-daemons/radvd/radvd.inc
@@ -18,7 +18,8 @@ SRC_URI = "http://v6web.litech.org/radvd/dist/radvd-${PV}.tar.gz \
            file://radvd.init \
            file://radvd.service \
            file://volatiles.03_radvd \
-           file://radvd.default"
+           file://radvd.default \
+           file://radvd.conf"
 
 inherit autotools useradd pkgconfig systemd
 
@@ -52,6 +53,8 @@ do_install_append () {
     for i in radvd.conf.example README; do \
         install -m 0644 ${S}/$i ${D}${docdir}/radvd; \
     done
+
+    install -m 0644 ${WORKDIR}/radvd.conf ${D}${sysconfdir}/radvd.conf
 }
 
 USERADD_PACKAGES = "${PN}"
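Review bot: the added `install -m 0644 ${WORKDIR}/radvd.conf ${D}${sysconfdir}/radvd.conf` assumes `${D}${sysconfdir}` already exists, and nothing in the visible part of do_install_append creates it. If no earlier step does, add `install -d ${D}${sysconfdir}` before this line so the install does not depend on what the upstream install step happens to create.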
-- 
2.17.1



* [dunfell 05/20] python3-obd: Add missing setuptools RDEPENDS
  2020-09-05 16:55 [dunfell 00/20] Patch review Sept 5 akuster
                   ` (3 preceding siblings ...)
  2020-09-05 16:55 ` [dunfell 04/20] radvd: add /etc/radvd.conf akuster
@ 2020-09-05 16:55 ` akuster
  2020-09-05 16:55 ` [dunfell 06/20] python3-pint: add setuptools and packaging to RDEPENDS akuster
                   ` (15 subsequent siblings)
  20 siblings, 0 replies; 24+ messages in thread
From: akuster @ 2020-09-05 16:55 UTC (permalink / raw)
  To: openembedded-devel

From: Alistair Francis <alistair@alistair23.me>

Signed-off-by: Alistair Francis <alistair@alistair23.me>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9cf730f22266d63df3cf63998c87918dfa540fb7)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-python/recipes-devtools/python/python3-obd_0.7.1.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-python/recipes-devtools/python/python3-obd_0.7.1.bb b/meta-python/recipes-devtools/python/python3-obd_0.7.1.bb
index eb8a5a7474..8f17068a48 100644
--- a/meta-python/recipes-devtools/python/python3-obd_0.7.1.bb
+++ b/meta-python/recipes-devtools/python/python3-obd_0.7.1.bb
@@ -7,4 +7,4 @@ SRC_URI[sha256sum] = "8b81ea5896157b6e861af12e173c10b001cb6cca6ebb04db2c01d32681
 
 inherit setuptools3 pypi
 
-RDEPENDS_${PN} += "${PYTHON_PN}-pyserial ${PYTHON_PN}-pint ${PYTHON_PN}-setuptools"
+RDEPENDS_${PN} += "${PYTHON_PN}-pyserial ${PYTHON_PN}-pint ${PYTHON_PN}-setuptools ${PYTHON_PN}-packaging"
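Review bot: the subject says setuptools is the missing dependency, but the removed line already contains `${PYTHON_PN}-setuptools`; the only thing this hunk adds is `${PYTHON_PN}-packaging`. Please correct the subject and add a body saying what fails at runtime without it, so the reason for the backport can be read from the log.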
-- 
2.17.1



* [dunfell 06/20] python3-pint: add setuptools and packaging to RDEPENDS
  2020-09-05 16:55 [dunfell 00/20] Patch review Sept 5 akuster
                   ` (4 preceding siblings ...)
  2020-09-05 16:55 ` [dunfell 05/20] python3-obd: Add missing setuptools RDEPENDS akuster
@ 2020-09-05 16:55 ` akuster
  2020-09-05 16:55 ` [dunfell 07/20] samba: Fix conflicts with nss.h from glibc akuster
                   ` (14 subsequent siblings)
  20 siblings, 0 replies; 24+ messages in thread
From: akuster @ 2020-09-05 16:55 UTC (permalink / raw)
  To: openembedded-devel

From: Ryan Rowe <rrowe@xevo.com>

Signed-off-by: Ryan Rowe <rrowe@xevo.com>
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit cfa786917343589c1756c1bc7cdf62309d29462f)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-python/recipes-devtools/python/python-pint.inc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta-python/recipes-devtools/python/python-pint.inc b/meta-python/recipes-devtools/python/python-pint.inc
index 5c34810080..d022c41a57 100644
--- a/meta-python/recipes-devtools/python/python-pint.inc
+++ b/meta-python/recipes-devtools/python/python-pint.inc
@@ -20,6 +20,11 @@ SRC_URI += " \
 	file://run-ptest \
 "
 
+RDEPENDS_${PN} += " \
+    ${PYTHON_PN}-setuptools \
+    ${PYTHON_PN}-packaging \
+"
+
 RDEPENDS_${PN}-ptest += " \
 	${PYTHON_PN}-pytest \
 "
-- 
2.17.1



* [dunfell 07/20] samba: Fix conflicts with nss.h from glibc
  2020-09-05 16:55 [dunfell 00/20] Patch review Sept 5 akuster
                   ` (5 preceding siblings ...)
  2020-09-05 16:55 ` [dunfell 06/20] python3-pint: add setuptools and packaging to RDEPENDS akuster
@ 2020-09-05 16:55 ` akuster
  2020-09-05 16:55 ` [dunfell 08/20] flashrom: Fix build failure with glibc 2.32 akuster
                   ` (13 subsequent siblings)
  20 siblings, 0 replies; 24+ messages in thread
From: akuster @ 2020-09-05 16:55 UTC (permalink / raw)
  To: openembedded-devel

From: Khem Raj <raj.khem@gmail.com>

This is seen with glibc 2.32 where these names are also defined

Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5cf2665446f3fdc16b484c64afffaa0ac8373a35)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ....c-Avoid-nss-function-conflicts-with.patch | 96 +++++++++++++++++++
 .../samba/samba_4.10.15.bb                    |  1 +
 2 files changed, 97 insertions(+)
 create mode 100644 meta-networking/recipes-connectivity/samba/samba/0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch

diff --git a/meta-networking/recipes-connectivity/samba/samba/0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch b/meta-networking/recipes-connectivity/samba/samba/0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch
new file mode 100644
index 0000000000..2dbabdaa47
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch
@@ -0,0 +1,96 @@
+From 9aba5ac17bb822f91f6b214f5b82dd1eb8c47616 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Wed, 22 Jul 2020 22:42:09 -0700
+Subject: [PATCH] nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h
+
+glibc 2.32 will define these varibles [1] which results in conflicts
+with these static function names, therefore prefix these function names
+with samba_ to avoid it
+
+[1] https://sourceware.org/git/?p=glibc.git;a=commit;h=499a92df8b9fc64a054cf3b7f728f8967fc1da7d
+
+Upstream-Status: Submitted [https://gitlab.com/samba-team/samba/-/merge_requests/1477]
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ nsswitch/nsstest.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/nsswitch/nsstest.c b/nsswitch/nsstest.c
+index 6d92806..46f9679 100644
+--- a/nsswitch/nsstest.c
++++ b/nsswitch/nsstest.c
+@@ -137,7 +137,7 @@ static struct passwd *nss_getpwuid(uid_t uid)
+ 	return &pwd;
+ }
+ 
+-static void nss_setpwent(void)
++static void samba_nss_setpwent(void)
+ {
+ 	NSS_STATUS (*_nss_setpwent)(void) =
+ 		(NSS_STATUS(*)(void))find_fn("setpwent");
+@@ -152,7 +152,7 @@ static void nss_setpwent(void)
+ 	}
+ }
+ 
+-static void nss_endpwent(void)
++static void samba_nss_endpwent(void)
+ {
+ 	NSS_STATUS (*_nss_endpwent)(void) =
+ 		(NSS_STATUS (*)(void))find_fn("endpwent");
+@@ -284,7 +284,7 @@ again:
+ 	return &grp;
+ }
+ 
+-static void nss_setgrent(void)
++static void samba_nss_setgrent(void)
+ {
+ 	NSS_STATUS (*_nss_setgrent)(void) =
+ 		(NSS_STATUS (*)(void))find_fn("setgrent");
+@@ -299,7 +299,7 @@ static void nss_setgrent(void)
+ 	}
+ }
+ 
+-static void nss_endgrent(void)
++static void samba_nss_endgrent(void)
+ {
+ 	NSS_STATUS (*_nss_endgrent)(void) =
+ 		(NSS_STATUS (*)(void))find_fn("endgrent");
+@@ -396,7 +396,7 @@ static void nss_test_users(void)
+ {
+ 	struct passwd *pwd;
+ 
+-	nss_setpwent();
++	samba_nss_setpwent();
+ 	/* loop over all users */
+ 	while ((pwd = nss_getpwent())) {
+ 		printf("Testing user %s\n", pwd->pw_name);
+@@ -418,14 +418,14 @@ static void nss_test_users(void)
+ 		printf("initgroups: "); nss_test_initgroups(pwd->pw_name, pwd->pw_gid);
+ 		printf("\n");
+ 	}
+-	nss_endpwent();
++	samba_nss_endpwent();
+ }
+ 
+ static void nss_test_groups(void)
+ {
+ 	struct group *grp;
+ 
+-	nss_setgrent();
++	samba_nss_setgrent();
+ 	/* loop over all groups */
+ 	while ((grp = nss_getgrent())) {
+ 		printf("Testing group %s\n", grp->gr_name);
+@@ -446,7 +446,7 @@ static void nss_test_groups(void)
+ 		printf("getgrgid: "); print_group(grp);
+ 		printf("\n");
+ 	}
+-	nss_endgrent();
++	samba_nss_endgrent();
+ }
+ 
+ static void nss_test_errors(void)
+-- 
+2.27.0
+
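Review bot: only the four set/end helpers are renamed to `samba_nss_*`, while `nss_getpwuid`, `nss_getpwent` and `nss_getgrent` in the same file keep the bare `nss_` prefix, which leaves the naming in nsstest.c inconsistent. Either prefix all the static helpers or add a comment naming the glibc symbols that forced these four renames, so the next reader knows why the others were left alone. "varibles" in the description should read "variables".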
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.10.15.bb b/meta-networking/recipes-connectivity/samba/samba_4.10.15.bb
index 2c74c27fb8..01250cb43f 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.10.15.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.10.15.bb
@@ -27,6 +27,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
            file://0001-lib-replace-wscript-Avoid-generating-nested-main-fun.patch \
            file://0002-util_sec.c-Move-__thread-variable-to-global-scope.patch \
            file://0001-Add-options-to-configure-the-use-of-libbsd.patch \
+           file://0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch \
            "
 SRC_URI_append_libc-musl = " \
            file://samba-pam.patch \
-- 
2.17.1



* [dunfell 08/20] flashrom: Fix build failure with glibc 2.32
  2020-09-05 16:55 [dunfell 00/20] Patch review Sept 5 akuster
                   ` (6 preceding siblings ...)
  2020-09-05 16:55 ` [dunfell 07/20] samba: Fix conflicts with nss.h from glibc akuster
@ 2020-09-05 16:55 ` akuster
  2020-09-05 16:55 ` [dunfell 09/20] lua: Security Advisory - lua - CVE-2020-15888 akuster
                   ` (12 subsequent siblings)
  20 siblings, 0 replies; 24+ messages in thread
From: akuster @ 2020-09-05 16:55 UTC (permalink / raw)
  To: openembedded-devel

From: Khem Raj <raj.khem@gmail.com>

Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f16aa16e917ea440daa3d5bd136338f66a964f5c)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ...or-last-line-only-from-preprocessed-.patch | 57 +++++++++++++++++++
 meta-oe/recipes-bsp/flashrom/flashrom_1.2.bb  |  1 +
 2 files changed, 58 insertions(+)
 create mode 100644 meta-oe/recipes-bsp/flashrom/flashrom/0001-Makefile-Check-for-last-line-only-from-preprocessed-.patch

diff --git a/meta-oe/recipes-bsp/flashrom/flashrom/0001-Makefile-Check-for-last-line-only-from-preprocessed-.patch b/meta-oe/recipes-bsp/flashrom/flashrom/0001-Makefile-Check-for-last-line-only-from-preprocessed-.patch
new file mode 100644
index 0000000000..7a8be83746
--- /dev/null
+++ b/meta-oe/recipes-bsp/flashrom/flashrom/0001-Makefile-Check-for-last-line-only-from-preprocessed-.patch
@@ -0,0 +1,57 @@
+From 3c078497e506bd6acb406da5cde7ce20e8896353 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Thu, 23 Jul 2020 14:13:59 -0700
+Subject: [PATCH] Makefile: Check for last line only from preprocessed output
+
+This started to fail with glibc 2.32 since glibc added additional
+attributes to functions in signal.h therefore existing regexp started to
+fail as it is not able to handle these functions e.g.
+
+extern int siginterrupt (int __sig, int __interrupt) __attribute__ ((__nothrow__ , __leaf__))
+  __attribute__ ((__deprecated__ ("Use sigaction with SA_RESTART instead")));
+
+grep -v '^\#' | grep '"' | cut -f 2 -d'"'
+bit outside of fd_set selected
+Use sigaction with SA_RESTART instead
+arm
+
+So changing it to
+tail -1 | grep '"' | cut -f 2 -d'"'
+arm
+
+Produces the expected result, this was hidden until now
+
+Upstream-Status: Submitted [https://review.coreboot.org/c/flashrom/+/43770]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Change-Id: I123a046e142d54632f12d54e2aa09b0928c02b91
+---
+ Makefile | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 803529f..3795681 100644
+--- a/Makefile
++++ b/Makefile
+@@ -106,7 +106,7 @@ endif
+ # IMPORTANT: The following line must be placed before TARGET_OS is ever used
+ # (of course), but should come after any lines setting CC because the line
+ # below uses CC itself.
+-override TARGET_OS := $(strip $(call debug_shell,$(CC) $(CPPFLAGS) -E os.h 2>/dev/null | grep -v '^\#' | grep '"' | cut -f 2 -d'"'))
++override TARGET_OS := $(strip $(call debug_shell,$(CC) $(CPPFLAGS) -E os.h 2>/dev/null | tail -1 | grep '"' | cut -f 2 -d'"'))
+ 
+ ifeq ($(TARGET_OS), Darwin)
+ override CPPFLAGS += -I/opt/local/include -I/usr/local/include
+@@ -460,8 +460,8 @@ endif
+ # IMPORTANT: The following line must be placed before ARCH is ever used
+ # (of course), but should come after any lines setting CC because the line
+ # below uses CC itself.
+-override ARCH := $(strip $(call debug_shell,$(CC) $(CPPFLAGS) -E archtest.c 2>/dev/null | grep -v '^\#' | grep '"' | cut -f 2 -d'"'))
+-override ENDIAN := $(strip $(call debug_shell,$(CC) $(CPPFLAGS) -E endiantest.c 2>/dev/null | grep -v '^\#'))
++override ARCH := $(strip $(call debug_shell,$(CC) $(CPPFLAGS) -E archtest.c 2>/dev/null | tail -1 | grep '"' | cut -f 2 -d'"'))
++override ENDIAN := $(strip $(call debug_shell,$(CC) $(CPPFLAGS) -E endiantest.c 2>/dev/null | tail -1))
+ 
+ # Disable the internal programmer on unsupported architectures (everything but x86 and mipsel)
+ ifneq ($(ARCH)-little, $(filter $(ARCH),x86 mips)-$(ENDIAN))
+-- 
+2.27.0
+
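Review bot: In both Makefile hunks, replacing `grep -v '^\#'` with `tail -1` makes TARGET_OS, ARCH and ENDIAN depend on the marker being the very last line the preprocessor prints. If `$(CC) -E` ends its output with a blank line or a linemarker, `tail -1` selects that line and the variable silently comes out empty, with stderr already discarded by `2>/dev/null`. Keeping the linemarker filter and taking the last match, e.g. `grep -v '^\#' | grep '"' | tail -1 | cut -f 2 -d'"'`, would tolerate trailing output while still ignoring the attribute strings quoted in the commit message; ENDIAN has no `grep '"'` stage, so it needs its own filter for non-empty lines. An explicit error when the result is empty would also stop a misdetected ARCH from reaching the `ifneq ($(ARCH)-little, ...)` check that decides whether the internal programmer is disabled.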
diff --git a/meta-oe/recipes-bsp/flashrom/flashrom_1.2.bb b/meta-oe/recipes-bsp/flashrom/flashrom_1.2.bb
index 642cec1598..66ae34af94 100644
--- a/meta-oe/recipes-bsp/flashrom/flashrom_1.2.bb
+++ b/meta-oe/recipes-bsp/flashrom/flashrom_1.2.bb
@@ -7,6 +7,7 @@ DEPENDS = "pciutils libusb libusb-compat"
 
 SRC_URI = "https://download.flashrom.org/releases/flashrom-v${PV}.tar.bz2 \
            file://0001-typecast-enum-conversions-explicitly.patch \
+           file://0001-Makefile-Check-for-last-line-only-from-preprocessed-.patch \
            "
 SRC_URI[md5sum] = "7f8e4b87087eb12ecee0fcc5445b4956"
 SRC_URI[sha256sum] = "e1f8d95881f5a4365dfe58776ce821dfcee0f138f75d0f44f8a3cd032d9ea42b"
-- 
2.17.1



* [dunfell 09/20] lua: Security Advisory - lua - CVE-2020-15888
  2020-09-05 16:55 [dunfell 00/20] Patch review Sept 5 akuster
                   ` (7 preceding siblings ...)
  2020-09-05 16:55 ` [dunfell 08/20] flashrom: Fix build failure with glibc 2.32 akuster
@ 2020-09-05 16:55 ` akuster
  2020-09-05 16:55 ` [dunfell 10/20] exiv2: upgrade 0.27.1 -> 0.27.3 akuster
                   ` (11 subsequent siblings)
  20 siblings, 0 replies; 24+ messages in thread
From: akuster @ 2020-09-05 16:55 UTC (permalink / raw)
  To: openembedded-devel

From: Yue Tao <Yue.Tao@windriver.com>

Backport fix from https://github.com/lua/lua.git.

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 698748c1538ed03efbcfdd936cf8317b4f138c29)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../lua/lua/CVE-2020-15888.patch              | 45 +++++++++++++++++++
 meta-oe/recipes-devtools/lua/lua_5.3.5.bb     |  1 +
 2 files changed, 46 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2020-15888.patch

diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2020-15888.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2020-15888.patch
new file mode 100644
index 0000000000..60a4125971
--- /dev/null
+++ b/meta-oe/recipes-devtools/lua/lua/CVE-2020-15888.patch
@@ -0,0 +1,45 @@
+From 6298903e35217ab69c279056f925fb72900ce0b7 Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Mon, 6 Jul 2020 12:11:54 -0300
+Subject: [PATCH] Keep minimum size when shrinking a stack
+
+When shrinking a stack (during GC), do not make it smaller than the
+initial stack size.
+---
+ ldo.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+==== end of original header ====
+
+CVE: CVE-2020-15888
+
+Upstream-Status: backport [https://github.com/lua/lua.git]
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+====
+diff --git a/ldo.c b/ldo.c
+index c563b1d9..a89ac010 100644
+--- a/src/ldo.c
++++ b/src/ldo.c
+@@ -220,7 +220,7 @@ static int stackinuse (lua_State *L) {
+ 
+ void luaD_shrinkstack (lua_State *L) {
+   int inuse = stackinuse(L);
+-  int goodsize = inuse + (inuse / 8) + 2*EXTRA_STACK;
++  int goodsize = inuse + BASIC_STACK_SIZE;
+   if (goodsize > LUAI_MAXSTACK)
+     goodsize = LUAI_MAXSTACK;  /* respect stack limit */
+   if (L->stacksize > LUAI_MAXSTACK)  /* had been handling stack overflow? */
+@@ -229,8 +229,7 @@ void luaD_shrinkstack (lua_State *L) {
+     luaE_shrinkCI(L);  /* shrink list */
+   /* if thread is currently not handling a stack overflow and its
+      good size is smaller than current size, shrink its stack */
+-  if (inuse <= (LUAI_MAXSTACK - EXTRA_STACK) &&
+-      goodsize < L->stacksize)
++  if (inuse <= (LUAI_MAXSTACK - EXTRA_STACK) && goodsize < L->stacksize)
+     luaD_reallocstack(L, goodsize);
+   else  /* don't change stack */
+     condmovestack(L,{},{});  /* (change only for debugging) */
+-- 
+2.17.1
+
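Review bot: The trailer `Upstream-Status: backport [https://github.com/lua/lua.git]` points at the repository rather than the commit and uses a lower-case keyword; please write `Upstream-Status: Backport` with a link to commit 6298903e35217ab69c279056f925fb72900ce0b7 (the hash in the From line) so the backport can be compared against upstream. The embedded header says `diff --git a/ldo.c b/ldo.c` while the ---/+++ lines use `src/ldo.c`; the patch still applies, but a line in the header saying the paths were adjusted for this recipe's source tree would help the next person who refreshes it. On the code itself, `goodsize = inuse + BASIC_STACK_SIZE` keeps the shrink target at or above BASIC_STACK_SIZE, which matches the commit message, and the second hunk only joins the condition onto one line, in keeping with the original diffstat of 2 insertions and 3 deletions.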
diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.5.bb b/meta-oe/recipes-devtools/lua/lua_5.3.5.bb
index a23a4a5dac..d3461b06de 100644
--- a/meta-oe/recipes-devtools/lua/lua_5.3.5.bb
+++ b/meta-oe/recipes-devtools/lua/lua_5.3.5.bb
@@ -7,6 +7,7 @@ HOMEPAGE = "http://www.lua.org/"
 SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
            file://lua.pc.in \
            file://0001-Allow-building-lua-without-readline-on-Linux.patch \
+           file://CVE-2020-15888.patch \
            "
 
 # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release.
-- 
2.17.1



* [dunfell 10/20] exiv2: upgrade 0.27.1 -> 0.27.3
  2020-09-05 16:55 [dunfell 00/20] Patch review Sept 5 akuster
                   ` (8 preceding siblings ...)
  2020-09-05 16:55 ` [dunfell 09/20] lua: Security Advisory - lua - CVE-2020-15888 akuster
@ 2020-09-05 16:55 ` akuster
  2020-09-05 16:55 ` [dunfell 11/20] samba: upgrade 4.10.15 -> 4.10.17 akuster
                   ` (10 subsequent siblings)
  20 siblings, 0 replies; 24+ messages in thread
From: akuster @ 2020-09-05 16:55 UTC (permalink / raw)
  To: openembedded-devel

From: Andreas Müller <schnitzeltony@gmail.com>

Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 6443044ca9ec90d6740c42e618830ca52d656f5f)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ...-protection-only-if-compiler-arch-su.patch | 40 +++++++++++++++++++
 .../{exiv2_0.27.1.bb => exiv2_0.27.3.bb}      |  7 +++-
 2 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 meta-oe/recipes-support/exiv2/exiv2/0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch
 rename meta-oe/recipes-support/exiv2/{exiv2_0.27.1.bb => exiv2_0.27.3.bb} (52%)

diff --git a/meta-oe/recipes-support/exiv2/exiv2/0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch b/meta-oe/recipes-support/exiv2/exiv2/0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch
new file mode 100644
index 0000000000..96146a1957
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch
@@ -0,0 +1,40 @@
+From 04d5f4805a86302a0e135a28d58a6c1ff6a68d52 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andreas=20M=C3=BCller?= <schnitzeltony@gmail.com>
+Date: Thu, 30 Jul 2020 23:03:51 +0200
+Subject: [PATCH] Use compiler -fcf-protection only if compiler/arch supports
+ it
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There have been some PRs they were either rejected or some general suggestion
+for more flags suggested. So
+
+Upstream-Status: Pending
+
+Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
+---
+ cmake/compilerFlags.cmake | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/cmake/compilerFlags.cmake b/cmake/compilerFlags.cmake
+index 12caf42..455525e 100644
+--- a/cmake/compilerFlags.cmake
++++ b/cmake/compilerFlags.cmake
+@@ -26,7 +26,12 @@ if ( MINGW OR UNIX OR MSYS ) # MINGW, Linux, APPLE, CYGWIN
+         # This fails under Fedora, MinGW GCC 8.3.0 and CYGWIN/MSYS 9.3.0
+         if (NOT (MINGW OR CMAKE_HOST_SOLARIS OR CYGWIN OR MSYS) )
+             if (COMPILER_IS_GCC AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 8.0)
+-                add_compile_options(-fstack-clash-protection -fcf-protection)
++                # Gcc does support -fcf-protection on few arches only
++                CHECK_CXX_COMPILER_FLAG(-fcf-protection COMPILER_SUPPORTS_FCF_PROTECTION)
++                if (COMPILER_SUPPORTS_FCF_PROTECTION)
++                    add_compile_options(-fcf-protection)
++                endif()
++                add_compile_options(-fstack-clash-protection)
+             endif()
+ 
+             if( (COMPILER_IS_GCC   AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 5.0) # Not in GCC 4.8
+-- 
+2.21.3
+
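Review bot: `CHECK_CXX_COMPILER_FLAG` is called in the added lines, but nothing in this hunk shows `include(CheckCXXCompilerFlag)`; please confirm that cmake/compilerFlags.cmake, or a file processed before it, already loads that module, otherwise configure stops on an unknown command. `-fstack-clash-protection` is still added unconditionally inside the GCC >= 8.0 branch; if the intent is to pass only the hardening flags the target compiler accepts, probe it the same way as `-fcf-protection`. The commit message breaks off at "So" and the status is `Pending` although the text says earlier PRs were rejected; finishing the sentence and linking those PRs would make it clear when the patch can be dropped.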
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.1.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
similarity index 52%
rename from meta-oe/recipes-support/exiv2/exiv2_0.27.1.bb
rename to meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index 97116ee2d1..ed1e8de5c2 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.1.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -5,8 +5,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=625f055f41728f84a8d7938acc35bdc2"
 DEPENDS = "zlib expat"
 
 SRC_URI = "https://exiv2.org/releases/${BPN}-${PV}-Source.tar.gz"
-SRC_URI[md5sum] = "56d064517ae5903dd963b84514a121c1"
-SRC_URI[sha256sum] = "f125286980fd1bcb28e188c02a93946951c61e10784720be2301b661a65b3081"
+SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994e3e778"
+
+# Once patch is obsolete (project should be aware due to PRs), dos2unix can be removed either
+inherit dos2unix
+SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch"
 
 S = "${WORKDIR}/${BPN}-${PV}-Source"
 
-- 
2.17.1



* [dunfell 11/20] samba: upgrade 4.10.15 -> 4.10.17
  2020-09-05 16:55 [dunfell 00/20] Patch review Sept 5 akuster
                   ` (9 preceding siblings ...)
  2020-09-05 16:55 ` [dunfell 10/20] exiv2: upgrade 0.27.1 -> 0.27.3 akuster
@ 2020-09-05 16:55 ` akuster
  2020-09-08 11:31   ` [oe] " Andreas Müller
  2020-09-05 16:55 ` [dunfell 12/20] rdist: fix parallel build akuster
                   ` (9 subsequent siblings)
  20 siblings, 1 reply; 24+ messages in thread
From: akuster @ 2020-09-05 16:55 UTC (permalink / raw)
  To: openembedded-devel

From: Yi Zhao <yi.zhao@windriver.com>

This is a security release in order to address the following defects:

CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD
                DC LDAP Server with ASQ, VLV and paged_results.
CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
                excessive CPU
CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with
                paged_results and VLV.
CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd.

Also backport 3 patches to fix build error with musl.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1609df11530ebb73de863d0c705e16107015dbe3)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../0001-util-Simplify-input-validation.patch | 59 ++++++++++++++
 ...n-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch | 79 +++++++++++++++++++
 ...larger-buffer-if-getpwuid_r-returns-.patch | 50 ++++++++++++
 .../{samba_4.10.15.bb => samba_4.10.17.bb}    |  7 +-
 4 files changed, 193 insertions(+), 2 deletions(-)
 create mode 100644 meta-networking/recipes-connectivity/samba/samba/0001-util-Simplify-input-validation.patch
 create mode 100644 meta-networking/recipes-connectivity/samba/samba/0002-util-Fix-build-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch
 create mode 100644 meta-networking/recipes-connectivity/samba/samba/0003-util-Reallocate-larger-buffer-if-getpwuid_r-returns-.patch
 rename meta-networking/recipes-connectivity/samba/{samba_4.10.15.bb => samba_4.10.17.bb} (97%)

diff --git a/meta-networking/recipes-connectivity/samba/samba/0001-util-Simplify-input-validation.patch b/meta-networking/recipes-connectivity/samba/samba/0001-util-Simplify-input-validation.patch
new file mode 100644
index 0000000000..e724c04bcd
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/0001-util-Simplify-input-validation.patch
@@ -0,0 +1,59 @@
+From f9d9ba6cd06aca053c747c399ba700db80b1623c Mon Sep 17 00:00:00 2001
+From: Martin Schwenke <martin@meltin.net>
+Date: Tue, 9 Jun 2020 11:52:50 +1000
+Subject: [PATCH 1/3] util: Simplify input validation
+
+It appears that snprintf(3) is being used for input validation.
+However, this seems like overkill because it causes szPath to be
+copied an extra time.  The mostly likely protections being sought
+here, according to https://cwe.mitre.org/data/definitions/20.html,
+look to be DoS attacks involving CPU and memory usage.  A simpler
+check that uses strnlen(3) can mitigate against both of these and is
+simpler.
+
+Signed-off-by: Martin Schwenke <martin@meltin.net>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Bjoern Jacke <bjacke@samba.org>
+(cherry picked from commit 922bce2668994dd2a5988c17060f977e9bb0c229)
+
+Upstream-Status:Backport
+[https://gitlab.com/samba-team/samba/-/commit/f9d9ba6cd06aca053c747c399ba700db80b1623c]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ lib/util/util_paths.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c
+index c0ee5c32c30..dec91772d9e 100644
+--- a/lib/util/util_paths.c
++++ b/lib/util/util_paths.c
+@@ -69,21 +69,20 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx)
+ 	struct passwd pwd = {0};
+ 	struct passwd *pwdbuf = NULL;
+ 	char buf[NSS_BUFLEN_PASSWD] = {0};
++	size_t len;
+ 	int rc;
+ 
+ 	rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf);
+ 	if (rc != 0 || pwdbuf == NULL ) {
+-		int len_written;
+ 		const char *szPath = getenv("HOME");
+ 		if (szPath == NULL) {
+ 			return NULL;
+ 		}
+-		len_written = snprintf(buf, sizeof(buf), "%s", szPath);
+-		if (len_written >= sizeof(buf) || len_written < 0) {
+-			/* Output was truncated or an error. */
++		len = strnlen(szPath, PATH_MAX);
++		if (len >= PATH_MAX) {
+ 			return NULL;
+ 		}
+-		return talloc_strdup(mem_ctx, buf);
++		return talloc_strdup(mem_ctx, szPath);
+ 	}
+ 
+ 	return talloc_strdup(mem_ctx, pwd.pw_dir);
+-- 
+2.17.1
+
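Review bot: In get_user_home_dir() the HOME fallback used to reject values that did not fit `buf` (`sizeof(buf)`, i.e. NSS_BUFLEN_PASSWD) and now accepts anything shorter than PATH_MAX, so the accepted length changes along with the removal of the extra copy; that is worth a line in the backport header. `PATH_MAX` and `strnlen` are new dependencies of this function, so please confirm the headers that provide them are in scope in lib/util/util_paths.c on musl, since the cover text says this series is backported for the musl build. The trailer `Upstream-Status:Backport` is missing the space after the colon.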
diff --git a/meta-networking/recipes-connectivity/samba/samba/0002-util-Fix-build-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch b/meta-networking/recipes-connectivity/samba/samba/0002-util-Fix-build-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch
new file mode 100644
index 0000000000..dcd79044ae
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/0002-util-Fix-build-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch
@@ -0,0 +1,79 @@
+From 57bd719af1f138f44f71b2078995452582da0da6 Mon Sep 17 00:00:00 2001
+From: Martin Schwenke <martin@meltin.net>
+Date: Fri, 5 Jun 2020 21:52:23 +1000
+Subject: [PATCH 2/3] util: Fix build on FreeBSD by avoiding NSS_BUFLEN_PASSWD
+
+NSS_BUFLEN_PASSWD is not defined on FreeBSD.  Use
+sysconf(_SC_GETPW_R_SIZE_MAX) instead, as per POSIX.
+
+Use a dynamically allocated buffer instead of trying to cram all of
+the logic into the declarations.  This will come in useful later
+anyway.
+
+Signed-off-by: Martin Schwenke <martin@meltin.net>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Bjoern Jacke <bjacke@samba.org>
+(cherry picked from commit 847208cd8ac68c4c7d1dae63767820db1c69292b)
+
+Upstream-Status:Backport
+[https://gitlab.com/samba-team/samba/-/commit/57bd719af1f138f44f71b2078995452582da0da6]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ lib/util/util_paths.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c
+index dec91772d9e..9bc6df37e5d 100644
+--- a/lib/util/util_paths.c
++++ b/lib/util/util_paths.c
+@@ -68,24 +68,41 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx)
+ {
+ 	struct passwd pwd = {0};
+ 	struct passwd *pwdbuf = NULL;
+-	char buf[NSS_BUFLEN_PASSWD] = {0};
++	char *buf = NULL;
++	char *out = NULL;
++	long int initlen;
+ 	size_t len;
+ 	int rc;
+ 
+-	rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf);
++	initlen = sysconf(_SC_GETPW_R_SIZE_MAX);
++	if (initlen == -1) {
++		len = 1024;
++	} else {
++		len = (size_t)initlen;
++	}
++	buf = talloc_size(mem_ctx, len);
++	if (buf == NULL) {
++		return NULL;
++	}
++
++	rc = getpwuid_r(getuid(), &pwd, buf, len, &pwdbuf);
+ 	if (rc != 0 || pwdbuf == NULL ) {
+ 		const char *szPath = getenv("HOME");
+ 		if (szPath == NULL) {
+-			return NULL;
++			goto done;
+ 		}
+ 		len = strnlen(szPath, PATH_MAX);
+ 		if (len >= PATH_MAX) {
+ 			return NULL;
+ 		}
+-		return talloc_strdup(mem_ctx, szPath);
++		out = talloc_strdup(mem_ctx, szPath);
++		goto done;
+ 	}
+ 
+-	return talloc_strdup(mem_ctx, pwd.pw_dir);
++	out = talloc_strdup(mem_ctx, pwd.pw_dir);
++done:
++	TALLOC_FREE(buf);
++	return out;
+ }
+ 
+ char *path_expand_tilde(TALLOC_CTX *mem_ctx, const char *d)
+-- 
+2.17.1
+
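Review bot: In the HOME fallback, the `len >= PATH_MAX` branch still does `return NULL;` (an unchanged context line) after `buf` has been allocated with talloc_size(), so it bypasses the new `done:` label and `TALLOC_FREE(buf)`, while every other exit in the function was converted to `goto done`. The buffer then stays attached to `mem_ctx` until that context is freed. Change that return to `goto done;` in the backport, or pick up an upstream follow-up if one exists. Separately, `len` now holds the getpwuid_r() buffer size and is then reused for the HOME length; a separate variable would be clearer, especially once patch 3/3 adds the resize loop on the same variable.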
diff --git a/meta-networking/recipes-connectivity/samba/samba/0003-util-Reallocate-larger-buffer-if-getpwuid_r-returns-.patch b/meta-networking/recipes-connectivity/samba/samba/0003-util-Reallocate-larger-buffer-if-getpwuid_r-returns-.patch
new file mode 100644
index 0000000000..53a3f67814
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/0003-util-Reallocate-larger-buffer-if-getpwuid_r-returns-.patch
@@ -0,0 +1,50 @@
+From 016e08ca07f86af9e0131a908a2df116bcb9a48e Mon Sep 17 00:00:00 2001
+From: Martin Schwenke <martin@meltin.net>
+Date: Fri, 5 Jun 2020 22:05:42 +1000
+Subject: [PATCH 3/3] util: Reallocate larger buffer if getpwuid_r() returns
+ ERANGE
+
+Signed-off-by: Martin Schwenke <martin@meltin.net>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Bjoern Jacke <bjacke@samba.org>
+
+Autobuild-User(master): Martin Schwenke <martins@samba.org>
+Autobuild-Date(master): Tue Jun  9 21:07:24 UTC 2020 on sn-devel-184
+
+(cherry picked from commit ddac6b2eb4adaec8fc5e25ca07387d2b9417764c)
+
+Upstream-Status:Backport
+[https://gitlab.com/samba-team/samba/-/commit/016e08ca07f86af9e0131a908a2df116bcb9a48e]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ lib/util/util_paths.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c
+index 9bc6df37e5d..72cc0aab8de 100644
+--- a/lib/util/util_paths.c
++++ b/lib/util/util_paths.c
+@@ -86,6 +86,19 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx)
+ 	}
+ 
+ 	rc = getpwuid_r(getuid(), &pwd, buf, len, &pwdbuf);
++	while (rc == ERANGE) {
++		size_t newlen = 2 * len;
++		if (newlen < len) {
++			/* Overflow */
++			goto done;
++		}
++		len = newlen;
++		buf = talloc_realloc_size(mem_ctx, buf, len);
++		if (buf == NULL) {
++			goto done;
++		}
++		rc = getpwuid_r(getuid(), &pwd, buf, len, &pwdbuf);
++	}
+ 	if (rc != 0 || pwdbuf == NULL ) {
+ 		const char *szPath = getenv("HOME");
+ 		if (szPath == NULL) {
+-- 
+2.17.1
+
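Review bot: `buf = talloc_realloc_size(mem_ctx, buf, len);` overwrites the only pointer to the old buffer, so when the realloc fails `buf` is NULL at `done:` and `TALLOC_FREE(buf)` does not release the original allocation, which lingers on `mem_ctx`. Assign the result to a temporary and update `buf` only on success. The loop is bounded only by the size_t overflow check, so a getpwuid_r() that keeps returning ERANGE doubles the allocation until talloc fails; a fixed upper limit on `len` would give a predictable failure instead. The added code also uses `ERANGE`, so please confirm <errno.h> is in scope in util_paths.c.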
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.10.15.bb b/meta-networking/recipes-connectivity/samba/samba_4.10.17.bb
similarity index 97%
rename from meta-networking/recipes-connectivity/samba/samba_4.10.15.bb
rename to meta-networking/recipes-connectivity/samba/samba_4.10.17.bb
index 01250cb43f..3ae5afbe95 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.10.15.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.10.17.bb
@@ -28,6 +28,9 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
            file://0002-util_sec.c-Move-__thread-variable-to-global-scope.patch \
            file://0001-Add-options-to-configure-the-use-of-libbsd.patch \
            file://0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch \
+           file://0001-util-Simplify-input-validation.patch \
+           file://0002-util-Fix-build-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch \
+           file://0003-util-Reallocate-larger-buffer-if-getpwuid_r-returns-.patch \
            "
 SRC_URI_append_libc-musl = " \
            file://samba-pam.patch \
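Review bot: The three util patches are added to the common SRC_URI, while the commit message describes them as fixes for a build error with musl and the patch headers themselves only mention input validation, FreeBSD and NSS_BUFLEN_PASSWD. Applying upstream backports for every libc is reasonable, but please state in the commit message or in a recipe comment which build error they fix, so they can be dropped on the next upgrade that already contains them.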
@@ -36,8 +39,8 @@ SRC_URI_append_libc-musl = " \
            file://0001-samba-fix-musl-lib-without-innetgr.patch \
           "
 
-SRC_URI[md5sum] = "67e9f6b8c5140475641bf5121c93b3d4"
-SRC_URI[sha256sum] = "0b8b62558b62fbb121015f28f40fae0f07522710b6bef77c508b51bb6914ced9"
+SRC_URI[md5sum] = "f69cac9ba5035ee60257520a209a0a83"
+SRC_URI[sha256sum] = "03dc9758e7bfa2faf7cdeb45b4d40997e2ee16a41e71996aa666bc069e70ba3e"
 
 UPSTREAM_CHECK_REGEX = "samba\-(?P<pver>4\.10(\.\d+)+).tar.gz"
 
-- 
2.17.1



* [dunfell 12/20] rdist: fix parallel build
  2020-09-05 16:55 [dunfell 00/20] Patch review Sept 5 akuster
                   ` (10 preceding siblings ...)
  2020-09-05 16:55 ` [dunfell 11/20] samba: upgrade 4.10.15 -> 4.10.17 akuster
@ 2020-09-05 16:55 ` akuster
  2020-09-05 16:55 ` [dunfell 13/20] freeradius: fix the occasional verification failure akuster
                   ` (8 subsequent siblings)
  20 siblings, 0 replies; 24+ messages in thread
From: akuster @ 2020-09-05 16:55 UTC (permalink / raw)
  To: openembedded-devel

From: Kai Kang <kai.kang@windriver.com>

It occasionally fails to compile rdist when the system load of the build
server is high:

| In file included from common.c:57:
| ../include/defs.h:49:10: fatal error: y.tab.h: No such file or directory
|    49 | #include "y.tab.h"
|       |          ^~~~~~~~~
| compilation terminated.

Make $(COMMONOBJS), which includes common.o, depend on the related header files
and y.tab.h to fix the parallel build failure.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1bb990c6ca1b149c19404fbe006fb6b372af8c4c)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../rdist-6.1.5-fix-parallel-build.patch      | 31 +++++++++++++++++++
 .../recipes-connectivity/rdist/rdist_6.1.5.bb |  1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta-networking/recipes-connectivity/rdist/rdist-6.1.5/rdist-6.1.5-fix-parallel-build.patch

diff --git a/meta-networking/recipes-connectivity/rdist/rdist-6.1.5/rdist-6.1.5-fix-parallel-build.patch b/meta-networking/recipes-connectivity/rdist/rdist-6.1.5/rdist-6.1.5-fix-parallel-build.patch
new file mode 100644
index 0000000000..f35e96a34f
--- /dev/null
+++ b/meta-networking/recipes-connectivity/rdist/rdist-6.1.5/rdist-6.1.5-fix-parallel-build.patch
@@ -0,0 +1,31 @@
+It fails to produce common.o when system load is high:
+
+| In file included from common.c:57:
+| ../include/defs.h:49:10: fatal error: y.tab.h: No such file or directory
+|    49 | #include "y.tab.h"
+|       |          ^~~~~~~~~
+| compilation terminated.
+
+Make $(COMMONOBJS) which include common.o to depends on related header files
+and y.tab.h to fix the parallel build failure.
+
+Upstream-Status: Inappropriate [no upstream]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ src/Makefile.real | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Makefile.real b/src/Makefile.real
+index e0f0dfc..53d4944 100644
+--- a/src/Makefile.real
++++ b/src/Makefile.real
+@@ -41,7 +41,7 @@ $(SERVER_BIN): $(SERVEROBJS) $(COMMONOBJS) $(MISSINGOBJS)
+ $(CLIENT_BIN): $(CLIENTOBJS) $(COMMONOBJS) $(MISSINGOBJS)
+ 	$(CC) -o $@ $(CLIENTOBJS) $(COMMONOBJS) $(MISSINGOBJS) $(LIBS) $(LDFLAGS)
+ 
+-$(CLIENTOBJS) $(SERVEROBJS): $(HFILES) y.tab.h
++$(COMMONOBJS) $(CLIENTOBJS) $(SERVEROBJS): $(HFILES) y.tab.h
+ 
+ y.tab.h: gram.c
+ 
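Review bot: The new prerequisite line covers `$(COMMONOBJS) $(CLIENTOBJS) $(SERVEROBJS)` but not `$(MISSINGOBJS)`, which both link rules in the context also consume. If any of those objects includes defs.h it has the same race against y.tab.h, so either add `$(MISSINGOBJS)` to the rule or say in the patch header why it is not needed. The patch file also has no subject line; a one-line summary above the description would make it easier to track in the recipe.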
diff --git a/meta-networking/recipes-connectivity/rdist/rdist_6.1.5.bb b/meta-networking/recipes-connectivity/rdist/rdist_6.1.5.bb
index 3a27c2c5b3..37b3eebe4b 100644
--- a/meta-networking/recipes-connectivity/rdist/rdist_6.1.5.bb
+++ b/meta-networking/recipes-connectivity/rdist/rdist_6.1.5.bb
@@ -28,6 +28,7 @@ SRC_URI += "file://rdist-6.1.5-linux.patch \
             file://rdist-6.1.5-fix-msgsndnotify-loop.patch \
             file://rdist-6.1.5-bb-build.patch \
             file://rdist-6.1.5-makefile-add-ldflags.patch \
+            file://rdist-6.1.5-fix-parallel-build.patch \
 "
 
 UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/rdist/files/rdist/"
-- 
2.17.1



* [dunfell 13/20] freeradius: fix the occasional verification failure
  2020-09-05 16:55 [dunfell 00/20] Patch review Sept 5 akuster
                   ` (11 preceding siblings ...)
  2020-09-05 16:55 ` [dunfell 12/20] rdist: fix parallel build akuster
@ 2020-09-05 16:55 ` akuster
  2020-09-05 16:55 ` [dunfell 14/20] lcov: fix lcov-native build akuster
                   ` (7 subsequent siblings)
  20 siblings, 0 replies; 24+ messages in thread
From: akuster @ 2020-09-05 16:55 UTC (permalink / raw)
  To: openembedded-devel

From: Mingli Yu <mingli.yu@windriver.com>

Fixes:
  # cd /etc/raddb/certs
  # ./bootstrap
[snip]
chmod g+r ca.key
openssl pkcs12 -in server.p12 -out server.pem -passin pass:'whatever' -passout pass:'whatever'
chmod g+r server.pem
C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org
error 7 at 0 depth lookup: certificate signature failure
140066667427072:error:04067084:rsa routines:rsa_ossl_public_decrypt:data too large for modulus:../openssl-1.1.1g/crypto/rsa/rsa_ossl.c:553:
140066667427072:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:../openssl-1.1.1g/crypto/asn1/a_verify.c:170:
error server.pem: verification failed
make: *** [Makefile:107: server.vrfy] Error 2

It seems the ca.pem mismatches server.pem, which results in failing to
execute "openssl verify -CAfile ca.pem server.pem", so add the logic
to check the file to avoid inconsistency.

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 52f5141109fae5f49c5a7334e9ded2b028e16cf6)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ...file-fix-the-occasional-verification.patch | 135 ++++++++++++++++++
 .../freeradius/freeradius_3.0.20.bb           |   1 +
 2 files changed, 136 insertions(+)
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-occasional-verification.patch

diff --git a/meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-occasional-verification.patch b/meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-occasional-verification.patch
new file mode 100644
index 0000000000..dce0427e1a
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-occasional-verification.patch
@@ -0,0 +1,135 @@
+From 3eda5d35fbaf66ed6bdc86ada4320a0a18681b7e Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Wed, 5 Aug 2020 07:23:11 +0000
+Subject: [PATCH] raddb/certs/Makefile: fix the occasional verification failure
+
+Fixes:
+  # cd /etc/raddb/certs
+  # ./bootstrap
+[snip]
+chmod g+r ca.key
+openssl pkcs12 -in server.p12 -out server.pem -passin pass:'whatever' -passout pass:'whatever'
+chmod g+r server.pem
+C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org
+error 7 at 0 depth lookup: certificate signature failure
+140066667427072:error:04067084:rsa routines:rsa_ossl_public_decrypt:data too large for modulus:../openssl-1.1.1g/crypto/rsa/rsa_ossl.c:553:
+140066667427072:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:../openssl-1.1.1g/crypto/asn1/a_verify.c:170:
+error server.pem: verification failed
+make: *** [Makefile:107: server.vrfy] Error 2
+
+It seems the ca.pem mismatchs server.pem which results in failing to
+execute "openssl verify -CAfile ca.pem server.pem", so add to check
+the file to avoid inconsistency.
+
+Upstream-Status: Pending
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ raddb/certs/Makefile | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
+index 77eec9baa1..3dcb63fe71 100644
+--- a/raddb/certs/Makefile
++++ b/raddb/certs/Makefile
+@@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
+ #
+ ######################################################################
+ dh:
+-	$(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
++	@[ -f dh ] || $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
+ 
+ ######################################################################
+ #
+@@ -69,17 +69,17 @@ dh:
+ ca.key ca.pem: ca.cnf
+ 	@[ -f index.txt ] || $(MAKE) index.txt
+ 	@[ -f serial ] || $(MAKE) serial
+-	$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
++	@[ -f ca.pem ] || $(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
+ 		-days $(CA_DEFAULT_DAYS) -config ./ca.cnf \
+ 		-passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)
+ 	chmod g+r ca.key
+ 
+ ca.der: ca.pem
+-	$(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
++	@[ -f ca.der ] || $(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
+ 
+ ca.crl: ca.pem
+-	$(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA)
+-	$(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl
++	@[ -f ca-crl.pem ] || $(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA)
++	@[ -f ca.crl ] || $(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl
+ 	rm ca-crl.pem
+ 
+ ######################################################################
+@@ -88,18 +88,18 @@ ca.crl: ca.pem
+ #
+ ######################################################################
+ server.csr server.key: server.cnf
+-	$(OPENSSL) req -new  -out server.csr -keyout server.key -config ./server.cnf
++	@[ -f server.csr ] || $(OPENSSL) req -new  -out server.csr -keyout server.key -config ./server.cnf
+ 	chmod g+r server.key
+ 
+ server.crt: server.csr ca.key ca.pem
+ 	@[ -f server.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
+ 
+ server.p12: server.crt
+-	$(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
++	@[ -f server.p12 ] || $(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+ 	chmod g+r server.p12
+ 
+ server.pem: server.p12
+-	$(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
++	@[ -f server.pem ] || $(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+ 	chmod g+r server.pem
+ 
+ .PHONY: server.vrfy
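Review bot: the server.csr/server.key rule tests only `[ -f server.csr ]`, although the `openssl req` command it guards writes both server.csr and server.key. If server.csr is present and server.key is not, the key is not regenerated and `chmod g+r server.key` fails. Testing both files (`[ -f server.csr -a -f server.key ]`) keeps the pair consistent; the client and inner-server rules have the same shape.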
+@@ -113,18 +113,18 @@ server.vrfy: ca.pem
+ #
+ ######################################################################
+ client.csr client.key: client.cnf
+-	$(OPENSSL) req -new  -out client.csr -keyout client.key -config ./client.cnf
++	@[ -f client.csr ] || $(OPENSSL) req -new  -out client.csr -keyout client.key -config ./client.cnf
+ 	chmod g+r client.key
+ 
+ client.crt: client.csr ca.pem ca.key
+ 	@[ -f client.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
+ 
+ client.p12: client.crt
+-	$(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
++	@[ -f client.p12 ] || $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+ 	chmod g+r client.p12
+ 
+ client.pem: client.p12
+-	$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
++	@[ -f client.pem ] || $(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+ 	chmod g+r client.pem
+ 	cp client.pem $(USER_NAME).pem
+ 
+@@ -139,18 +139,18 @@ client.vrfy: ca.pem client.pem
+ #
+ ######################################################################
+ inner-server.csr inner-server.key: inner-server.cnf
+-	$(OPENSSL) req -new  -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf
++	@[ -f inner-server.csr] || $(OPENSSL) req -new  -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf
+ 	chmod g+r inner-server.key
+ 
+ inner-server.crt: inner-server.csr ca.key ca.pem
+-	$(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in inner-server.csr  -key $(PASSWORD_CA) -out inner-server.crt -extensions xpserver_ext -extfile xpextensions -config ./inner-server.cnf
++	@[ -f inner-server.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in inner-server.csr  -key $(PASSWORD_CA) -out inner-server.crt -extensions xpserver_ext -extfile xpextensions -config ./inner-server.cnf
+ 
+ inner-server.p12: inner-server.crt
+-	$(OPENSSL) pkcs12 -export -in inner-server.crt -inkey inner-server.key -out inner-server.p12  -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
++	@[ -f inner-server.p12 ] || $(OPENSSL) pkcs12 -export -in inner-server.crt -inkey inner-server.key -out inner-server.p12  -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
+ 	chmod g+r inner-server.p12
+ 
+ inner-server.pem: inner-server.p12
+-	$(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
++	@[ -f inner-server.pem ] || $(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
+ 	chmod g+r inner-server.pem
+ 
+ .PHONY: inner-server.vrfy
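Review bot: `@[ -f inner-server.csr] ||` in the inner-server.csr rule is missing the space before `]`, so the shell passes `inner-server.csr]` as the file name and `[` exits with a missing `]` error. The test therefore never succeeds and `openssl req` regenerates inner-server.csr and inner-server.key on every run of the rule, which is the inconsistency this patch sets out to prevent. It should read `@[ -f inner-server.csr ] ||`, matching the other guards.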
+-- 
+2.26.2
+
diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb
index d2046d72eb..2c39c4c443 100644
--- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb
+++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb
@@ -28,6 +28,7 @@ SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0
     file://0001-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch \
     file://0001-rlm_python3-add-PY_INC_DIR-in-search-dir.patch \
     file://0001-raddb-certs-Makefile-fix-the-existed-certificate-err.patch \
+    file://0001-raddb-certs-Makefile-fix-the-occasional-verification.patch \
     file://radiusd.service \
     file://radiusd-volatiles.conf \
 "
-- 
2.17.1



* [dunfell 14/20] lcov: fix lcov-native build
From: akuster @ 2020-09-05 16:55 UTC (permalink / raw)
  To: openembedded-devel

From: Martin Jansa <martin.jansa@gmail.com>

* there is no provider for gcov-native nor gcov-symlinks-native

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e82bb7efa8cf4c3b826b22761d5ba798bc134cb9)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-oe/recipes-support/lcov/lcov_1.14.bb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/meta-oe/recipes-support/lcov/lcov_1.14.bb b/meta-oe/recipes-support/lcov/lcov_1.14.bb
index 14718184bd..0cc8b31b3f 100755
--- a/meta-oe/recipes-support/lcov/lcov_1.14.bb
+++ b/meta-oe/recipes-support/lcov/lcov_1.14.bb
@@ -9,8 +9,6 @@ LICENSE = "GPL-2.0"
 LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
 
 RDEPENDS_${PN} += " \
-    gcov \
-    gcov-symlinks \
     libjson-perl \
     libperlio-gzip-perl \
     perl \
@@ -46,6 +44,11 @@ RDEPENDS_${PN} += " \
     perl-module-tie-hash \
 "
 
+RDEPENDS_${PN}_append_class-target = " \
+    gcov \
+    gcov-symlinks \
+"
+
 SRC_URI = " \
            http://downloads.sourceforge.net/ltp/${BP}.tar.gz \
            file://0001-geninfo-Add-intermediate-text-format-support.patch \
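Review bot: the new `RDEPENDS_${PN}_append_class-target` block has no comment explaining why gcov and gcov-symlinks are target-only; the reason (no provider for gcov-native or gcov-symlinks-native) exists only in the commit message. A one-line comment above the block would stop the two entries being merged back into the main RDEPENDS list later.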
-- 
2.17.1



* [dunfell 15/20] python3-pandas: Upgrade 1.0.3 -> 1.0.5
From: akuster @ 2020-09-05 16:55 UTC (permalink / raw)
  To: openembedded-devel

From: Leon Anavi <leon.anavi@konsulko.com>

Upgrade to release 1.0.5:

- Fix regression in read_parquet() when reading from file-like
  objects.
- Fix regression in reading from public S3 buckets.
- Fixed regression in replace() raising an AssertionError when
  replacing values in an extension dtype with values of a
  different dtype

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Acked-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5dbc25ea9d4bd4b3f9a150d3893a12b41dd456d3)
[ak: fixes build issue on CentOS7: Bug fix only update
https://github.com/pandas-dev/pandas/releases]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../{python3-pandas_1.0.3.bb => python3-pandas_1.0.5.bb}      | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta-python/recipes-devtools/python/{python3-pandas_1.0.3.bb => python3-pandas_1.0.5.bb} (81%)

diff --git a/meta-python/recipes-devtools/python/python3-pandas_1.0.3.bb b/meta-python/recipes-devtools/python/python3-pandas_1.0.5.bb
similarity index 81%
rename from meta-python/recipes-devtools/python/python3-pandas_1.0.3.bb
rename to meta-python/recipes-devtools/python/python3-pandas_1.0.5.bb
index 099e035e14..d8db4cef39 100644
--- a/meta-python/recipes-devtools/python/python3-pandas_1.0.3.bb
+++ b/meta-python/recipes-devtools/python/python3-pandas_1.0.5.bb
@@ -6,8 +6,8 @@ HOMEPAGE = "http://pandas.pydata.org/"
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=ee0470f2de336c370a71c2f8d5e81c11"
 
-SRC_URI[md5sum] = "a3ea90326c5b55944d369bef87740a72"
-SRC_URI[sha256sum] = "32f42e322fb903d0e189a4c10b75ba70d90958cc4f66a1781ed027f1a1d14586"
+SRC_URI[md5sum] = "5183db713194e6fbc96c45f30a0d1311"
+SRC_URI[sha256sum] = "69c5d920a0b2a9838e677f78f4dde506b95ea8e4d30da25859db6469ded84fa8"
 
 inherit pypi setuptools3
 
-- 
2.17.1



* [dunfell 16/20] vlc: fix loop initial declarations are only allowed in C99 mode
From: akuster @ 2020-09-05 16:55 UTC (permalink / raw)
  To: openembedded-devel

build issue seen on CentOS7 and Aarch64 machine

Fixes:
../../vlc-3.0.9.2/src/misc/fourcc_gen.c:75:5: error: ‘for’ loop initial declarations are only allowed in C99 mode
|      for (size_t i = 0; i < n; i++)
|      ^
| ../../vlc-3.0.9.2/src/misc/fourcc_gen.c:75:5: note: use option -std=c99 or -std=gnu99 to compile your code

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-multimedia/recipes-multimedia/vlc/vlc_3.0.9.2.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-multimedia/recipes-multimedia/vlc/vlc_3.0.9.2.bb b/meta-multimedia/recipes-multimedia/vlc/vlc_3.0.9.2.bb
index f6c7a606d5..b1aa82cc89 100644
--- a/meta-multimedia/recipes-multimedia/vlc/vlc_3.0.9.2.bb
+++ b/meta-multimedia/recipes-multimedia/vlc/vlc_3.0.9.2.bb
@@ -30,7 +30,7 @@ inherit autotools features_check gettext pkgconfig mime-xdg
 
 REQUIRED_DISTRO_FEATURES = "x11"
 
-export BUILDCC = "${BUILD_CC}"
+export BUILDCC = "${BUILD_CC} -std=c99"
 EXTRA_OECONF = "\
     --enable-run-as-root \
     --enable-xvideo \
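Review bot: `export BUILDCC = "${BUILD_CC} -std=c99"` selects strict ISO C99, while the compiler note quoted in the commit message also offers -std=gnu99 and the babl-native fix in this series uses `-std=gnu99` for the same error. Unless the build-host tools need strict ISO mode, `-std=gnu99` is the more conservative choice and keeps the two fixes consistent. A comment in the recipe naming the host (CentOS7) whose compiler needs the flag would also help when it is time to drop it.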
-- 
2.17.1



* [dunfell 17/20] babl-native: fix build issue
From: akuster @ 2020-09-05 16:56 UTC (permalink / raw)
  To: openembedded-devel

../babl-0.1.74/babl/babl-fish-reference.c:1064:7: error: ‘for’ loop initial declarations are only allowed in C99 mode
|        for (int i = 0; i < n; i++)
|        ^
| ../babl-0.1.74/babl/babl-fish-reference.c:1064:7: note: use option -std=c99 or -std=gnu99 to compile your code

Fails on CentOS7 with Aarch64

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-gnome/recipes-gimp/babl/babl_0.1.74.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-gnome/recipes-gimp/babl/babl_0.1.74.bb b/meta-gnome/recipes-gimp/babl/babl_0.1.74.bb
index c470987b4f..9b405be0b3 100644
--- a/meta-gnome/recipes-gimp/babl/babl_0.1.74.bb
+++ b/meta-gnome/recipes-gimp/babl/babl_0.1.74.bb
@@ -10,6 +10,8 @@ inherit setuptools3 gnomebase gobject-introspection
 
 DEPENDS += "lcms"
 
+CFLAGS_append_class-native = " -std=gnu99"
+
 # https://bugs.llvm.org/show_bug.cgi?id=45555
 CFLAGS_append_toolchain-clang_mipsarch = " -ffp-exception-behavior=ignore "
 CFLAGS_append_toolchain-clang_riscv64 = " -ffp-exception-behavior=ignore "
-- 
2.17.1



* [dunfell 18/20] gnome-settings-daemon: Backport 3.36 fix for building without wayland
From: akuster @ 2020-09-05 16:56 UTC (permalink / raw)
  To: openembedded-devel

/usr/src/debug/gnome-settings-daemon/3.34.2-r0/build/../gnome-settings-daemon-3.34.2/plugins/wacom/gsd-wacom-manager.c:195: undefined reference to `gdk_wayland_device_get_node_path'

Signed-off-by: Adrian Bunk <bunk@stusta.de>
[AK: hand applied]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ...gins-wacom-Fix-build-without-WAYLAND.patch | 27 +++++++++++++++++++
 .../gnome-settings-daemon_3.34.2.bb           |  2 ++
 2 files changed, 29 insertions(+)
 create mode 100644 meta-gnome/recipes-gnome/gnome-settings-daemon/files/0001-plugins-wacom-Fix-build-without-WAYLAND.patch

diff --git a/meta-gnome/recipes-gnome/gnome-settings-daemon/files/0001-plugins-wacom-Fix-build-without-WAYLAND.patch b/meta-gnome/recipes-gnome/gnome-settings-daemon/files/0001-plugins-wacom-Fix-build-without-WAYLAND.patch
new file mode 100644
index 0000000000..d84fa984e5
--- /dev/null
+++ b/meta-gnome/recipes-gnome/gnome-settings-daemon/files/0001-plugins-wacom-Fix-build-without-WAYLAND.patch
@@ -0,0 +1,27 @@
+From ec6982cc8b3fccc35dbd5df3c4e22ab94709c66d Mon Sep 17 00:00:00 2001
+From: Vlad Banea <vlb@xiphos.ca>
+Date: Tue, 31 Dec 2019 15:35:41 -0500
+Subject: plugins/wacom: Fix build without WAYLAND
+
+Upstream-Status: Backport
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+---
+ plugins/wacom/gsd-wacom-manager.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plugins/wacom/gsd-wacom-manager.c b/plugins/wacom/gsd-wacom-manager.c
+index e1c8eaa7..92fd96c3 100644
+--- a/plugins/wacom/gsd-wacom-manager.c
++++ b/plugins/wacom/gsd-wacom-manager.c
+@@ -190,7 +190,7 @@ gsd_wacom_manager_class_init (GsdWacomManagerClass *klass)
+ static gchar *
+ get_device_path (GdkDevice *device)
+ {
+-#ifdef HAVE_WAYLAND
++#if HAVE_WAYLAND
+         if (gnome_settings_is_wayland ())
+                 return g_strdup (gdk_wayland_device_get_node_path (device));
+         else
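Review bot: the change from `#ifdef HAVE_WAYLAND` to `#if HAVE_WAYLAND` in get_device_path() assumes HAVE_WAYLAND is either undefined or defined to a numeric value, with 0 meaning wayland is disabled, and the patch description does not say so. Please add a sentence to the patch header stating how the build defines HAVE_WAYLAND, and give the upstream commit in `Upstream-Status: Backport [...]` as the net-snmp backports in this series do.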
+-- 
+2.20.1
+
diff --git a/meta-gnome/recipes-gnome/gnome-settings-daemon/gnome-settings-daemon_3.34.2.bb b/meta-gnome/recipes-gnome/gnome-settings-daemon/gnome-settings-daemon_3.34.2.bb
index 0b6865d293..e2fbcb401d 100644
--- a/meta-gnome/recipes-gnome/gnome-settings-daemon/gnome-settings-daemon_3.34.2.bb
+++ b/meta-gnome/recipes-gnome/gnome-settings-daemon/gnome-settings-daemon_3.34.2.bb
@@ -31,6 +31,8 @@ UNKNOWN_CONFIGURE_WHITELIST_append = " introspection"
 SRC_URI[archive.md5sum] = "493332fa0f36645188468fed41c0060b"
 SRC_URI[archive.sha256sum] = "9fbae67e217e53b99e4f9e7d392c91ffbe31253941c9b136ef09c2d9db7ad7ed"
 
+SRC_URI += "file://0001-plugins-wacom-Fix-build-without-WAYLAND.patch"
+
 # allow cross build mixed with build of native tools
 do_write_config_append() {
     cat >${WORKDIR}/meson.native <<EOF
-- 
2.17.1



* [dunfell 19/20] gnome-settings-daemon: Remove duplicate outdated SRC_URI hashes
From: akuster @ 2020-09-05 16:56 UTC (permalink / raw)
  To: openembedded-devel

From: Adrian Bunk <bunk@stusta.de>

They got overwritten later with the correct values.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0b22ed995fec7ee23c23a9eed8323685af1e1403)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../gnome-settings-daemon/gnome-settings-daemon_3.34.2.bb      | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/meta-gnome/recipes-gnome/gnome-settings-daemon/gnome-settings-daemon_3.34.2.bb b/meta-gnome/recipes-gnome/gnome-settings-daemon/gnome-settings-daemon_3.34.2.bb
index e2fbcb401d..1b77582433 100644
--- a/meta-gnome/recipes-gnome/gnome-settings-daemon/gnome-settings-daemon_3.34.2.bb
+++ b/meta-gnome/recipes-gnome/gnome-settings-daemon/gnome-settings-daemon_3.34.2.bb
@@ -6,9 +6,6 @@ GNOMEBASEBUILDCLASS = "meson"
 
 inherit gnomebase gsettings gobject-introspection gettext features_check upstream-version-is-even
 
-SRC_URI[archive.md5sum] = "528b0b7cc2dd22c6026a9c8739c71fa7"
-SRC_URI[archive.sha256sum] = "7ce4979817866911a94ecb75b36db56797e038c0c524c5c1a81aefccafc17337"
-
 DEPENDS = " \
     colord \
     geocode-glib \
-- 
2.17.1



* [dunfell 20/20] net-snmp: Fix CVE-2020-15861 and CVE-2020-15862
From: akuster @ 2020-09-05 16:56 UTC (permalink / raw)
  To: openembedded-devel

From: Ovidiu Panait <ovidiu.panait@windriver.com>

Net-SNMP through 5.7.3 allows Escalation of Privileges because of UNIX symbolic
link (symlink) following.

Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE
access to the EXTEND MIB provides the ability to run arbitrary commands as
root.

References:
https://nvd.nist.gov/vuln/detail/CVE-2020-15861
https://nvd.nist.gov/vuln/detail/CVE-2020-15862

Upstream patches:
https://github.com/net-snmp/net-snmp/commit/2b3e300ade4add03b889e61d610b0db77d300fc3
https://github.com/net-snmp/net-snmp/commit/9cfb38b0aa95363da1466ca81dd929989ba27c1f
https://github.com/net-snmp/net-snmp/commit/114e4c2cec2601ca56e8afb1f441520f75a9a312
https://github.com/net-snmp/net-snmp/commit/2968b455e6f182f329746e2bca1043f368618c73
https://github.com/net-snmp/net-snmp/commit/4fd9a450444a434a993bc72f7c3486ccce41f602
https://github.com/net-snmp/net-snmp/commit/77f6c60f57dba0aaea5d8ef1dd94bcd0c8e6d205

CVE-2020-15861-0005.patch is the actual fix for CVE-2020-15861 and
CVE-2020-15861-0001.patch through CVE-2020-15861-0004.patch are context
patches needed by the fix to apply cleanly.

Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../net-snmp/CVE-2020-15861-0001.patch        | 164 ++++++++
 .../net-snmp/CVE-2020-15861-0002.patch        |  44 +++
 .../net-snmp/CVE-2020-15861-0003.patch        |  40 ++
 .../net-snmp/CVE-2020-15861-0004.patch        |  33 ++
 .../net-snmp/CVE-2020-15861-0005.patch        | 349 ++++++++++++++++++
 .../net-snmp/net-snmp/CVE-2020-15862.patch    |  87 +++++
 .../net-snmp/net-snmp_5.8.bb                  |   6 +
 7 files changed, 723 insertions(+)
 create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0001.patch
 create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0002.patch
 create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0003.patch
 create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0004.patch
 create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0005.patch
 create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15862.patch

diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0001.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0001.patch
new file mode 100644
index 0000000000..f43803a663
--- /dev/null
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0001.patch
@@ -0,0 +1,164 @@
+From c449946b9d06571b447fce3fc0dcad89e8df05b5 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 15 May 2019 14:09:25 +0200
+Subject: [PATCH 1/5] CHANGES: libsnmp: Scan MIB directories in alphabetical
+ order
+
+This guarantees that e.g. mibs/RFC1213-MIB.txt is read before mibs/SNMPv2-MIB.txt.
+The order in which these MIBs is read matters because both define sysLocation but
+with different attributes.
+
+CVE: CVE-2020-15861
+Upstream-Status: Backport [https://github.com/net-snmp/net-snmp/commit/2b3e300ade4add03b889e61d610b0db77d300fc3]
+
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+---
+ snmplib/parse.c | 113 +++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 82 insertions(+), 31 deletions(-)
+
+diff --git a/snmplib/parse.c b/snmplib/parse.c
+index 7678b35..51d119b 100644
+--- a/snmplib/parse.c
++++ b/snmplib/parse.c
+@@ -4894,6 +4894,79 @@ add_mibfile(const char* tmpstr, const char* d_name, FILE *ip )
+     }
+ }
+ 
++static int elemcmp(const void *a, const void *b)
++{
++    const char *const *s1 = a, *const *s2 = b;
++
++    return strcmp(*s1, *s2);
++}
++
++/*
++ * Scan a directory and return all filenames found as an array of pointers to
++ * directory entries (@result).
++ */
++static int scan_directory(char ***result, const char *dirname)
++{
++    DIR            *dir, *dir2;
++    struct dirent  *file;
++    char          **filenames = NULL;
++    int             fname_len, i, filename_count = 0, array_size = 0;
++    char           *tmpstr;
++
++    *result = NULL;
++
++    dir = opendir(dirname);
++    if (!dir)
++        return -1;
++
++    while ((file = readdir(dir))) {
++        /*
++         * Only parse file names that don't begin with a '.'
++         * Also skip files ending in '~', or starting/ending
++         * with '#' which are typically editor backup files.
++         */
++        fname_len = strlen(file->d_name);
++        if (fname_len > 0 && file->d_name[0] != '.'
++            && file->d_name[0] != '#'
++            && file->d_name[fname_len-1] != '#'
++            && file->d_name[fname_len-1] != '~') {
++            if (asprintf(&tmpstr, "%s/%s", dirname, file->d_name) < 0)
++                continue;
++            dir2 = opendir(tmpstr);
++            if (dir2) {
++                /* file is a directory, don't read it */
++                closedir(dir2);
++            } else {
++                if (filename_count >= array_size) {
++                    char **new_filenames;
++
++                    array_size = (array_size + 16) * 2;
++                    new_filenames = realloc(filenames,
++                                        array_size * sizeof(filenames[0]));
++                    if (!new_filenames) {
++                        free(tmpstr);
++                        for (i = 0; i < filename_count; i++)
++                            free(filenames[i]);
++                        free(filenames);
++                        closedir(dir);
++                        return -1;
++                    }
++                    filenames = new_filenames;
++                }
++                filenames[filename_count++] = tmpstr;
++                tmpstr = NULL;
++            }
++            free(tmpstr);
++        }
++    }
++    closedir(dir);
++
++    qsort(filenames, filename_count, sizeof(filenames[0]), elemcmp);
++    *result = filenames;
++
++    return filename_count;
++}
++
+ /* For Win32 platforms, the directory does not maintain a last modification
+  * date that we can compare with the modification date of the .index file.
+  * Therefore there is no way to know whether any .index file is valid.
+@@ -4904,12 +4977,11 @@ int
+ add_mibdir(const char *dirname)
+ {
+     FILE           *ip;
+-    DIR            *dir, *dir2;
+     const char     *oldFile = File;
+-    struct dirent  *file;
++    char          **filenames;
+     char            tmpstr[300];
+     int             count = 0;
+-    int             fname_len = 0;
++    int             filename_count, i;
+ #if !(defined(WIN32) || defined(cygwin))
+     char           *token;
+     char space;
+@@ -4957,36 +5029,15 @@ add_mibdir(const char *dirname)
+         DEBUGMSGTL(("parse-mibs", "No index\n"));
+ #endif
+ 
+-    if ((dir = opendir(dirname))) {
+-        ip = netsnmp_mibindex_new( dirname );
+-        while ((file = readdir(dir))) {
+-            /*
+-             * Only parse file names that don't begin with a '.' 
+-             * Also skip files ending in '~', or starting/ending
+-             * with '#' which are typically editor backup files.
+-             */
+-            if (file->d_name != NULL) {
+-              fname_len = strlen( file->d_name );
+-              if (fname_len > 0 && file->d_name[0] != '.' 
+-                                && file->d_name[0] != '#'
+-                                && file->d_name[fname_len-1] != '#'
+-                                && file->d_name[fname_len-1] != '~') {
+-                snprintf(tmpstr, sizeof(tmpstr), "%s/%s", dirname, file->d_name);
+-                tmpstr[ sizeof(tmpstr)-1 ] = 0;
+-                if ((dir2 = opendir(tmpstr))) {
+-                    /*
+-                     * file is a directory, don't read it 
+-                     */
+-                    closedir(dir2);
+-                } else {
+-                    if ( !add_mibfile( tmpstr, file->d_name, ip ))
+-                        count++;
+-                }
+-              }
+-            }
++    filename_count = scan_directory(&filenames, dirname);
++
++    if (filename_count >= 0) {
++        ip = netsnmp_mibindex_new(dirname);
++        for (i = 0; i < filename_count; i++) {
++            if (add_mibfile(filenames[i], strrchr(filenames[i], '/'), ip) == 0)
++                count++;
+         }
+         File = oldFile;
+-        closedir(dir);
+         if (ip)
+             fclose(ip);
+         return (count);
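Review bot: in the new loop in add_mibdir(), `strrchr(filenames[i], '/')` returns a pointer to the '/' itself, so the second argument to add_mibfile() is now "/name" where the removed code passed `file->d_name` without a separator. If add_mibfile() still expects the bare file name, this should be `strrchr(filenames[i], '/') + 1`. The loop also never frees filenames or its entries on this path; patches 0002 and 0004 of this set add those frees, so the three need to stay together.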
+-- 
+2.17.1
+
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0002.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0002.patch
new file mode 100644
index 0000000000..e54a8b4acb
--- /dev/null
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0002.patch
@@ -0,0 +1,44 @@
+From 50118392c58c8d9554580373c0dbc542336b58a9 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Thu, 16 May 2019 13:49:05 +0200
+Subject: [PATCH 2/5] libsnmp: Fix two recently introduced issues in the MIB
+ parsing code
+
+Ensure that the first argument passed to qsort() is not NULL. Free the memory
+that holds the directory contents.
+
+Fixes: 2b3e300ade4a ("CHANGES: libsnmp: Scan MIB directories in alphabetical order")
+
+CVE: CVE-2020-15861
+Upstream-Status: Backport [https://github.com/net-snmp/net-snmp/commit/9cfb38b0aa95363da1466ca81dd929989ba27c1f]
+
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+---
+ snmplib/parse.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/snmplib/parse.c b/snmplib/parse.c
+index 51d119b..200ba25 100644
+--- a/snmplib/parse.c
++++ b/snmplib/parse.c
+@@ -4961,7 +4961,8 @@ static int scan_directory(char ***result, const char *dirname)
+     }
+     closedir(dir);
+ 
+-    qsort(filenames, filename_count, sizeof(filenames[0]), elemcmp);
++    if (filenames)
++        qsort(filenames, filename_count, sizeof(filenames[0]), elemcmp);
+     *result = filenames;
+ 
+     return filename_count;
+@@ -5040,6 +5041,7 @@ add_mibdir(const char *dirname)
+         File = oldFile;
+         if (ip)
+             fclose(ip);
++        free(filenames);
+         return (count);
+     }
+     else
+-- 
+2.17.1
+
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0003.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0003.patch
new file mode 100644
index 0000000000..03acbbab92
--- /dev/null
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0003.patch
@@ -0,0 +1,40 @@
+From c98808036c86a4ac4877ea13dbcef096b57e49f8 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 22 May 2019 10:08:53 +0200
+Subject: [PATCH 3/5] libsnmp: Fix a compiler warning
+
+Avoid that the compiler complains on Windows systems that tmpstr[] is not used.
+
+Fixes: 2b3e300ade4a ("CHANGES: libsnmp: Scan MIB directories in alphabetical order")
+
+CVE: CVE-2020-15861
+Upstream-Status: Backport [https://github.com/net-snmp/net-snmp/commit/114e4c2cec2601ca56e8afb1f441520f75a9a312]
+
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+---
+ snmplib/parse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/snmplib/parse.c b/snmplib/parse.c
+index 200ba25..0414337 100644
+--- a/snmplib/parse.c
++++ b/snmplib/parse.c
+@@ -4980,7 +4980,6 @@ add_mibdir(const char *dirname)
+     FILE           *ip;
+     const char     *oldFile = File;
+     char          **filenames;
+-    char            tmpstr[300];
+     int             count = 0;
+     int             filename_count, i;
+ #if !(defined(WIN32) || defined(cygwin))
+@@ -4988,6 +4987,7 @@ add_mibdir(const char *dirname)
+     char space;
+     char newline;
+     struct stat     dir_stat, idx_stat;
++    char            tmpstr[300];
+     char            tmpstr1[300];
+ #endif
+ 
+-- 
+2.17.1
+
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0004.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0004.patch
new file mode 100644
index 0000000000..f0e709636e
--- /dev/null
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0004.patch
@@ -0,0 +1,33 @@
+From 545742d1867d70a645a63161ede4a391456691fc Mon Sep 17 00:00:00 2001
+From: Bill Fenner <fenner@gmail.com>
+Date: Mon, 3 Jun 2019 10:01:08 -0700
+Subject: [PATCH 4/5] libsnmp: free filenames from directory listing
+
+Free each filename as we use it, as well as freeing the
+list of filenames.
+
+Fixes: 2b3e300ade4a ("CHANGES: libsnmp: Scan MIB directories in alphabetical order")
+
+CVE: CVE-2020-15861
+Upstream-Status: Backport [https://github.com/net-snmp/net-snmp/commit/2968b455e6f182f329746e2bca1043f368618c73]
+
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+---
+ snmplib/parse.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/snmplib/parse.c b/snmplib/parse.c
+index 0414337..7f98542 100644
+--- a/snmplib/parse.c
++++ b/snmplib/parse.c
+@@ -5037,6 +5037,7 @@ add_mibdir(const char *dirname)
+         for (i = 0; i < filename_count; i++) {
+             if (add_mibfile(filenames[i], strrchr(filenames[i], '/'), ip) == 0)
+                 count++;
++	    free(filenames[i]);
+         }
+         File = oldFile;
+         if (ip)
+-- 
+2.17.1
+
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0005.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0005.patch
new file mode 100644
index 0000000000..66a16f6dbf
--- /dev/null
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0005.patch
@@ -0,0 +1,349 @@
+From 83d6c5181828921b3731878588b3728de704d490 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 22 May 2019 09:56:21 +0200
+Subject: [PATCH 5/5] CHANGES: snmpd: Stop reading and writing the
+ mib_indexes/* files
+
+Caching directory contents is something the operating system should do
+and is not something Net-SNMP should do. Instead of storing a copy of
+the directory contents in ${tmp_dir}/mib_indexes/${n}, always scan a
+MIB directory.
+
+CVE: CVE-2020-15861
+Upstream-Status: Backport [https://github.com/net-snmp/net-snmp/commit/4fd9a450444a434a993bc72f7c3486ccce41f602]
+
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+---
+ .gitignore                       |   1 -
+ include/net-snmp/library/mib.h   |   3 -
+ include/net-snmp/library/parse.h |   2 +-
+ snmplib/mib.c                    | 148 +------------------------------
+ snmplib/parse.c                  |  57 +-----------
+ 5 files changed, 4 insertions(+), 207 deletions(-)
+
+diff --git a/.gitignore b/.gitignore
+index 2d37bc6..94da568 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -75,7 +75,6 @@ Makefile
+ man/*.[1358]
+ man/default_store.3.h
+ man/manaliases
+-mibs/.index
+ mk/
+ module_tmp_header.h
+ net-snmp-5*
+diff --git a/include/net-snmp/library/mib.h b/include/net-snmp/library/mib.h
+index ab36853..3e81634 100644
+--- a/include/net-snmp/library/mib.h
++++ b/include/net-snmp/library/mib.h
+@@ -124,9 +124,6 @@ SOFTWARE.
+     NETSNMP_IMPORT
+     char            *netsnmp_get_mib_directory(void);
+     void            netsnmp_fixup_mib_directory(void);
+-    void            netsnmp_mibindex_load( void );
+-    char *          netsnmp_mibindex_lookup( const char * );
+-    FILE *          netsnmp_mibindex_new( const char * );
+     int             sprint_realloc_description(u_char ** buf, size_t * buf_len,
+                                 size_t * out_len, int allow_realloc,
+                                 oid * objid, size_t objidlen, int width);
+diff --git a/include/net-snmp/library/parse.h b/include/net-snmp/library/parse.h
+index ce46ab9..7c33d3f 100644
+--- a/include/net-snmp/library/parse.h
++++ b/include/net-snmp/library/parse.h
+@@ -201,7 +201,7 @@ SOFTWARE.
+ #endif
+     void            netsnmp_init_mib_internals(void);
+     void            unload_all_mibs(void);
+-    int             add_mibfile(const char*, const char*, FILE *);
++    int             add_mibfile(const char*, const char*);
+     int             which_module(const char *);
+     NETSNMP_IMPORT
+     char           *module_name(int, char *);
+diff --git a/snmplib/mib.c b/snmplib/mib.c
+index 1c875c0..30d6cde 100644
+--- a/snmplib/mib.c
++++ b/snmplib/mib.c
+@@ -2717,7 +2717,6 @@ netsnmp_init_mib(void)
+     env_var = strdup(netsnmp_get_mib_directory());
+     if (!env_var)
+         return;
+-    netsnmp_mibindex_load();
+ 
+     DEBUGMSGTL(("init_mib",
+                 "Seen MIBDIRS: Looking in '%s' for mib dirs ...\n",
+@@ -2737,7 +2736,7 @@ netsnmp_init_mib(void)
+         else
+             entry = strtok_r(env_var, ENV_SEPARATOR, &st);
+         while (entry) {
+-            add_mibfile(entry, NULL, NULL);
++            add_mibfile(entry, NULL);
+             entry = strtok_r(NULL, ENV_SEPARATOR, &st);
+         }
+     }
+@@ -2888,142 +2887,6 @@ init_mib(void)
+ #endif
+ 
+ 
+-/*
+- * Handle MIB indexes centrally
+- */
+-static int _mibindex     = 0;   /* Last index in use */
+-static int _mibindex_max = 0;   /* Size of index array */
+-char     **_mibindexes   = NULL;
+-
+-int _mibindex_add( const char *dirname, int i );
+-void
+-netsnmp_mibindex_load( void )
+-{
+-    DIR *dir;
+-    struct dirent *file;
+-    FILE *fp;
+-    char tmpbuf[ 300];
+-    char tmpbuf2[300];
+-    int  i;
+-    char *cp;
+-
+-    /*
+-     * Open the MIB index directory, or create it (empty)
+-     */
+-    snprintf( tmpbuf, sizeof(tmpbuf), "%s/mib_indexes",
+-              get_persistent_directory());
+-    tmpbuf[sizeof(tmpbuf)-1] = 0;
+-    dir = opendir( tmpbuf );
+-    if ( dir == NULL ) {
+-        DEBUGMSGTL(("mibindex", "load: (new)\n"));
+-        mkdirhier( tmpbuf, NETSNMP_AGENT_DIRECTORY_MODE, 0);
+-        return;
+-    }
+-
+-    /*
+-     * Create a list of which directory each file refers to
+-     */
+-    while ((file = readdir( dir ))) {
+-        if ( !isdigit((unsigned char)(file->d_name[0])))
+-            continue;
+-        i = atoi( file->d_name );
+-
+-        snprintf( tmpbuf, sizeof(tmpbuf), "%s/mib_indexes/%d",
+-              get_persistent_directory(), i );
+-        tmpbuf[sizeof(tmpbuf)-1] = 0;
+-        fp = fopen( tmpbuf, "r" );
+-        if (!fp)
+-            continue;
+-        cp = fgets( tmpbuf2, sizeof(tmpbuf2), fp );
+-        fclose( fp );
+-        if ( !cp ) {
+-            DEBUGMSGTL(("mibindex", "Empty MIB index (%d)\n", i));
+-            continue;
+-        }
+-        if ( strncmp( tmpbuf2, "DIR ", 4 ) != 0 ) {
+-            DEBUGMSGTL(("mibindex", "Malformed MIB index (%d)\n", i));
+-            continue;
+-        }
+-        tmpbuf2[strlen(tmpbuf2)-1] = 0;
+-        DEBUGMSGTL(("mibindex", "load: (%d) %s\n", i, tmpbuf2));
+-        (void)_mibindex_add( tmpbuf2+4, i );  /* Skip 'DIR ' */
+-    }
+-    closedir( dir );
+-}
+-
+-char *
+-netsnmp_mibindex_lookup( const char *dirname )
+-{
+-    int i;
+-    static char tmpbuf[300];
+-
+-    for (i=0; i<_mibindex; i++) {
+-        if ( _mibindexes[i] &&
+-             strcmp( _mibindexes[i], dirname ) == 0) {
+-             snprintf(tmpbuf, sizeof(tmpbuf), "%s/mib_indexes/%d",
+-                      get_persistent_directory(), i);
+-             tmpbuf[sizeof(tmpbuf)-1] = 0;
+-             DEBUGMSGTL(("mibindex", "lookup: %s (%d) %s\n", dirname, i, tmpbuf ));
+-             return tmpbuf;
+-        }
+-    }
+-    DEBUGMSGTL(("mibindex", "lookup: (none)\n"));
+-    return NULL;
+-}
+-
+-int
+-_mibindex_add( const char *dirname, int i )
+-{
+-    const int old_mibindex_max = _mibindex_max;
+-
+-    DEBUGMSGTL(("mibindex", "add: %s (%d)\n", dirname, i ));
+-    if ( i == -1 )
+-        i = _mibindex++;
+-    if ( i >= _mibindex_max ) {
+-        /*
+-         * If the index array is full (or non-existent)
+-         *   then expand (or create) it
+-         */
+-        _mibindex_max = i + 10;
+-        _mibindexes = realloc(_mibindexes,
+-                              _mibindex_max * sizeof(_mibindexes[0]));
+-        netsnmp_assert(_mibindexes);
+-        memset(_mibindexes + old_mibindex_max, 0,
+-               (_mibindex_max - old_mibindex_max) * sizeof(_mibindexes[0]));
+-    }
+-
+-    _mibindexes[ i ] = strdup( dirname );
+-    if ( i >= _mibindex )
+-        _mibindex = i+1;
+-
+-    DEBUGMSGTL(("mibindex", "add: %d/%d/%d\n", i, _mibindex, _mibindex_max ));
+-    return i;
+-}
+-    
+-FILE *
+-netsnmp_mibindex_new( const char *dirname )
+-{
+-    FILE *fp;
+-    char  tmpbuf[300];
+-    char *cp;
+-    int   i;
+-
+-    cp = netsnmp_mibindex_lookup( dirname );
+-    if (!cp) {
+-        i  = _mibindex_add( dirname, -1 );
+-        snprintf( tmpbuf, sizeof(tmpbuf), "%s/mib_indexes/%d",
+-                  get_persistent_directory(), i );
+-        tmpbuf[sizeof(tmpbuf)-1] = 0;
+-        cp = tmpbuf;
+-    }
+-    DEBUGMSGTL(("mibindex", "new: %s (%s)\n", dirname, cp ));
+-    fp = fopen( cp, "w" );
+-    if (fp)
+-        fprintf( fp, "DIR %s\n", dirname );
+-    return fp;
+-}
+-
+-
+ /**
+  * Unloads all mibs.
+  */
+@@ -3038,15 +2901,6 @@ shutdown_mib(void)
+     }
+     tree_head = NULL;
+     Mib = NULL;
+-    if (_mibindexes) {
+-        int i;
+-        for (i = 0; i < _mibindex; ++i)
+-            SNMP_FREE(_mibindexes[i]);
+-        free(_mibindexes);
+-        _mibindex = 0;
+-        _mibindex_max = 0;
+-        _mibindexes = NULL;
+-    }
+     if (Prefix != NULL && Prefix != &Standard_Prefix[0])
+         SNMP_FREE(Prefix);
+     if (Prefix)
+diff --git a/snmplib/parse.c b/snmplib/parse.c
+index 7f98542..58d777e 100644
+--- a/snmplib/parse.c
++++ b/snmplib/parse.c
+@@ -607,8 +607,6 @@ static int     read_module_replacements(const char *);
+ static int     read_import_replacements(const char *,
+                                          struct module_import *);
+ 
+-static void     new_module(const char *, const char *);
+-
+ static struct node *merge_parse_objectid(struct node *, FILE *, char *);
+ static struct index_list *getIndexes(FILE * fp, struct index_list **);
+ static struct varbind_list *getVarbinds(FILE * fp, struct varbind_list **);
+@@ -4859,7 +4857,7 @@ snmp_get_token(FILE * fp, char *token, int maxtlen)
+ #endif /* NETSNMP_FEATURE_REMOVE_PARSE_GET_TOKEN */
+ 
+ int
+-add_mibfile(const char* tmpstr, const char* d_name, FILE *ip )
++add_mibfile(const char* tmpstr, const char* d_name)
+ {
+     FILE           *fp;
+     char            token[MAXTOKEN], token2[MAXTOKEN];
+@@ -4884,8 +4882,6 @@ add_mibfile(const char* tmpstr, const char* d_name, FILE *ip )
+      */
+     if (get_token(fp, token2, MAXTOKEN) == DEFINITIONS) {
+         new_module(token, tmpstr);
+-        if (ip)
+-            fprintf(ip, "%s %s\n", token, d_name);
+         fclose(fp);
+         return 0;
+     } else {
+@@ -4977,71 +4973,22 @@ static int scan_directory(char ***result, const char *dirname)
+ int
+ add_mibdir(const char *dirname)
+ {
+-    FILE           *ip;
+     const char     *oldFile = File;
+     char          **filenames;
+     int             count = 0;
+     int             filename_count, i;
+-#if !(defined(WIN32) || defined(cygwin))
+-    char           *token;
+-    char space;
+-    char newline;
+-    struct stat     dir_stat, idx_stat;
+-    char            tmpstr[300];
+-    char            tmpstr1[300];
+-#endif
+ 
+     DEBUGMSGTL(("parse-mibs", "Scanning directory %s\n", dirname));
+-#if !(defined(WIN32) || defined(cygwin))
+-    token = netsnmp_mibindex_lookup( dirname );
+-    if (token && stat(token, &idx_stat) == 0 && stat(dirname, &dir_stat) == 0) {
+-        if (dir_stat.st_mtime < idx_stat.st_mtime) {
+-            DEBUGMSGTL(("parse-mibs", "The index is good\n"));
+-            if ((ip = fopen(token, "r")) != NULL) {
+-                fgets(tmpstr, sizeof(tmpstr), ip); /* Skip dir line */
+-                while (fscanf(ip, "%127s%c%299[^\n]%c", token, &space, tmpstr,
+-		    &newline) == 4) {
+-
+-		    /*
+-		     * If an overflow of the token or tmpstr buffers has been
+-		     * found log a message and break out of the while loop,
+-		     * thus the rest of the file tokens will be ignored.
+-		     */
+-		    if (space != ' ' || newline != '\n') {
+-			snmp_log(LOG_ERR,
+-			    "add_mibdir: strings scanned in from %s/%s " \
+-			    "are too large.  count = %d\n ", dirname,
+-			    ".index", count);
+-			    break;
+-		    }
+-		   
+-		    snprintf(tmpstr1, sizeof(tmpstr1), "%s/%s", dirname, tmpstr);
+-                    tmpstr1[ sizeof(tmpstr1)-1 ] = 0;
+-                    new_module(token, tmpstr1);
+-                    count++;
+-                }
+-                fclose(ip);
+-                return count;
+-            } else
+-                DEBUGMSGTL(("parse-mibs", "Can't read index\n"));
+-        } else
+-            DEBUGMSGTL(("parse-mibs", "Index outdated\n"));
+-    } else
+-        DEBUGMSGTL(("parse-mibs", "No index\n"));
+-#endif
+ 
+     filename_count = scan_directory(&filenames, dirname);
+ 
+     if (filename_count >= 0) {
+-        ip = netsnmp_mibindex_new(dirname);
+         for (i = 0; i < filename_count; i++) {
+-            if (add_mibfile(filenames[i], strrchr(filenames[i], '/'), ip) == 0)
++            if (add_mibfile(filenames[i], strrchr(filenames[i], '/')) == 0)
+                 count++;
+ 	    free(filenames[i]);
+         }
+         File = oldFile;
+-        if (ip)
+-            fclose(ip);
+         free(filenames);
+         return (count);
+     }
+-- 
+2.17.1
+
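Review bot: The prototype change in include/net-snmp/library/parse.h, from add_mibfile(const char*, const char*, FILE *) to add_mibfile(const char*, const char*), together with the removal of netsnmp_mibindex_load(), netsnmp_mibindex_lookup() and netsnmp_mibindex_new() from include/net-snmp/library/mib.h, changes the library's declared interface on a stable branch. Any caller outside this tree that uses those functions stops building or linking, so the commit message should say so and other layers that use libnetsnmp should be checked. Within the patch, the d_name parameter of add_mibfile() loses its only visible use (the removed fprintf(ip, "%s %s\n", token, d_name)), yet add_mibdir() still computes strrchr(filenames[i], '/') for it; harmless, but it is now dead. The patch also stops reading the mib_indexes files without removing ones already present on upgraded targets, which is worth stating for integrators.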
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15862.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15862.patch
new file mode 100644
index 0000000000..419a0c21bb
--- /dev/null
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15862.patch
@@ -0,0 +1,87 @@
+From de36cf1ecbb13a9541ec5d43ce20ab5030861837 Mon Sep 17 00:00:00 2001
+From: Wes Hardaker <opensource@hardakers.net>
+Date: Thu, 23 Jul 2020 16:17:27 -0700
+Subject: [PATCH 1/1] make the extend mib read-only by default
+
+CVE: CVE-2020-15862
+Upstream-Status: Backport [https://github.com/net-snmp/net-snmp/commit/77f6c60f57dba0aaea5d8ef1dd94bcd0c8e6d205]
+
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+---
+ agent/mibgroup/agent/extend.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/agent/mibgroup/agent/extend.c b/agent/mibgroup/agent/extend.c
+index 5f8cedc..38a6c50 100644
+--- a/agent/mibgroup/agent/extend.c
++++ b/agent/mibgroup/agent/extend.c
+@@ -16,6 +16,12 @@
+ #define SHELLCOMMAND 3
+ #endif
+ 
++/*  This mib is potentially dangerous to turn on by default, since it
++ *  allows arbitrary commands to be set by anyone with SNMP WRITE
++ *  access to the MIB table.  If all of your users are "root" level
++ *  users, then it may be safe to turn on. */
++#define ENABLE_EXTEND_WRITE_ACCESS 0
++
+ netsnmp_feature_require(extract_table_row_data)
+ netsnmp_feature_require(table_data_delete_table)
+ #ifndef NETSNMP_NO_WRITE_SUPPORT
+@@ -742,7 +748,7 @@ handle_nsExtendConfigTable(netsnmp_mib_handler          *handler,
+          *
+          **********/
+ 
+-#ifndef NETSNMP_NO_WRITE_SUPPORT
++#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS
+         case MODE_SET_RESERVE1:
+             /*
+              * Validate the new assignments
+@@ -1068,7 +1074,7 @@ handle_nsExtendConfigTable(netsnmp_mib_handler          *handler,
+                 }
+             }
+             break;
+-#endif /* !NETSNMP_NO_WRITE_SUPPORT */ 
++#endif /* !NETSNMP_NO_WRITE_SUPPORT and ENABLE_EXTEND_WRITE_ACCESS */
+ 
+         default:
+             netsnmp_set_request_error(reqinfo, request, SNMP_ERR_GENERR);
+@@ -1076,7 +1082,7 @@ handle_nsExtendConfigTable(netsnmp_mib_handler          *handler,
+         }
+     }
+ 
+-#ifndef NETSNMP_NO_WRITE_SUPPORT
++#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS
+     /*
+      * If we're marking a given row as active,
+      *  then we need to check that it's ready.
+@@ -1101,7 +1107,7 @@ handle_nsExtendConfigTable(netsnmp_mib_handler          *handler,
+             }
+         }
+     }
+-#endif /* !NETSNMP_NO_WRITE_SUPPORT */
++#endif /* !NETSNMP_NO_WRITE_SUPPORT && ENABLE_EXTEND_WRITE_ACCESS */
+     
+     return SNMP_ERR_NOERROR;
+ }
+@@ -1590,7 +1596,7 @@ fixExec2Error(int action,
+     idx = name[name_len-1] -1;
+     exten = &compatability_entries[ idx ];
+ 
+-#ifndef NETSNMP_NO_WRITE_SUPPORT
++#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS
+     switch (action) {
+     case MODE_SET_RESERVE1:
+         if (var_val_type != ASN_INTEGER) {
+@@ -1611,7 +1617,7 @@ fixExec2Error(int action,
+     case MODE_SET_COMMIT:
+         netsnmp_cache_check_and_reload( exten->efix_entry->cache );
+     }
+-#endif /* !NETSNMP_NO_WRITE_SUPPORT */
++#endif /* !NETSNMP_NO_WRITE_SUPPORT && ENABLE_EXTEND_WRITE_ACCESS */
+     return SNMP_ERR_NOERROR;
+ }
+ #endif /* USING_UCD_SNMP_EXTENSIBLE_MODULE */
+-- 
+2.17.1
+
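Review bot: ENABLE_EXTEND_WRITE_ACCESS is defined unconditionally as 0 near the top of agent/mibgroup/agent/extend.c, with no #ifndef guard, so the only way to re-enable SET on the extend table is to edit the source; wrapping the define in #ifndef ENABLE_EXTEND_WRITE_ACCESS would let a build that needs it pass the value through CFLAGS while keeping read-only as the default. With the MODE_SET_* cases compiled out of handle_nsExtendConfigTable(), a request in one of those modes falls through to the default: branch and gets SNMP_ERR_GENERR, a behaviour change that managers relying on writable extend rows will see after this stable update and that deserves a line in the commit message. The three #endif comments also disagree with each other (one says "and", the other two "&&").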
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb
index 67316db0d2..6b4b6ce8ed 100644
--- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb
@@ -29,6 +29,12 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \
            file://0001-net-snmp-fix-compile-error-disable-des.patch \
            file://0001-Add-pkg-config-support-for-building-applications-and.patch \
            file://CVE-2019-20892.patch \
+           file://CVE-2020-15861-0001.patch \
+           file://CVE-2020-15861-0002.patch \
+           file://CVE-2020-15861-0003.patch \
+           file://CVE-2020-15861-0004.patch \
+           file://CVE-2020-15861-0005.patch \
+           file://CVE-2020-15862.patch \
            "
 SRC_URI[md5sum] = "63bfc65fbb86cdb616598df1aff6458a"
 SRC_URI[sha256sum] = "b2fc3500840ebe532734c4786b0da4ef0a5f67e51ef4c86b3345d697e4976adf"
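Review bot: The five CVE-2020-15861 entries are order-dependent and nothing in the recipe says so: CVE-2020-15861-0005.patch carries free(filenames[i]); as context in add_mibdir() and its snmplib/parse.c index line starts from 7f98542, which is the result of CVE-2020-15861-0004.patch. The numeric file names keep the order correct as listed; a short comment above the block, or a note in the commit message that 0001 to 0004 are prerequisites for the mib_indexes removal in 0005, would stop someone from dropping or reordering one later.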
-- 
2.17.1



* Re: [oe] [dunfell 00/20] Patch review Sept 5
  2020-09-05 16:55 [dunfell 00/20] Patch review Sept 5 akuster
                   ` (19 preceding siblings ...)
  2020-09-05 16:56 ` [dunfell 20/20] net-snmp: Fix CVE-2020-15861 and CVE-2020-15862 akuster
@ 2020-09-05 18:43 ` Khem Raj
  20 siblings, 0 replies; 24+ messages in thread
From: Khem Raj @ 2020-09-05 18:43 UTC (permalink / raw)
  To: akuster; +Cc: openembeded-devel

On Sat, Sep 5, 2020 at 9:56 AM akuster <akuster808@gmail.com> wrote:
>
> Here is the next set of dunfell changes.
> Please review and have feedback by Monday.
>
>

looks good to me


> The following changes since commit 654ad8bea49f142d20b2b96c0dd44810a6be233a:
>
>   jsoncpp: add PE do to revert to older PV (2020-07-18 07:24:39 -0700)
>
> are available in the Git repository at:
>
>   git://git.openembedded.org/meta-openembedded-contrib stable/dunfell-nut
>   http://cgit.openembedded.org/meta-openembedded-contrib/log/?h=stable/dunfell-nut
>
> Adrian Bunk (1):
>   gnome-settings-daemon: Remove duplicate outdated SRC_URI hashes
>
> Alistair Francis (1):
>   python3-obd: Add missing setuptools RDEPENDS
>
> Andreas Müller (1):
>   exiv2: upgrade 0.27.1 -> 0.27.3
>
> Armin Kuster (3):
>   vlc: fix loop initial declarations are only allowed in C99 mode
>   babl-native: fix build issue
>   gnome-settings-daemon: Backport 3.36 fix for building without wayland
>
> Changqing Li (1):
>   radvd: add /etc/radvd.conf
>
> Julius Hemanth Pitti (1):
>   netkit-telnetd: Fix buffer overflow in netoprintf
>
> Kai Kang (2):
>   lvm2: remove service template from SYSTEMD_SERVICE
>   rdist: fix parallel build
>
> Khem Raj (2):
>   samba: Fix conflicts with nss.h from glibc
>   flashrom: Fix build failure with glibc 2.32
>
> Leon Anavi (1):
>   python3-pandas: Upgrade 1.0.3 -> 1.0.5
>
> Martin Jansa (1):
>   lcov: fix lcov-native build
>
> Mingli Yu (2):
>   freeradius: fix the existed certificate error
>   freeradius: fix the occasional verification failure
>
> Ovidiu Panait (1):
>   net-snmp: Fix CVE-2020-15861 and CVE-2020-15862
>
> Ryan Rowe (1):
>   python3-pint: add setuptools and packaging to RDEPENDS
>
> Yi Zhao (1):
>   samba: upgrade 4.10.15 -> 4.10.17
>
> Yue Tao (1):
>   lua: Security Advisory - lua - CVE-2020-15888
>
>  meta-gnome/recipes-gimp/babl/babl_0.1.74.bb   |   2 +
>  ...gins-wacom-Fix-build-without-WAYLAND.patch |  27 ++
>  .../gnome-settings-daemon_3.34.2.bb           |   5 +-
>  .../recipes-multimedia/vlc/vlc_3.0.9.2.bb     |   2 +-
>  ...file-fix-the-existed-certificate-err.patch |  55 +++
>  ...file-fix-the-occasional-verification.patch | 135 +++++++
>  .../freeradius/freeradius_3.0.20.bb           |   2 +
>  .../rdist-6.1.5-fix-parallel-build.patch      |  31 ++
>  .../recipes-connectivity/rdist/rdist_6.1.5.bb |   1 +
>  ....c-Avoid-nss-function-conflicts-with.patch |  96 +++++
>  .../0001-util-Simplify-input-validation.patch |  59 +++
>  ...n-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch |  79 ++++
>  ...larger-buffer-if-getpwuid_r-returns-.patch |  50 +++
>  .../{samba_4.10.15.bb => samba_4.10.17.bb}    |   8 +-
>  .../recipes-daemons/radvd/files/radvd.conf    |  18 +
>  .../recipes-daemons/radvd/radvd.inc           |   5 +-
>  ....c-Fix-buffer-overflow-in-netoprintf.patch |  56 +++
>  .../netkit-telnet/netkit-telnet_0.17.bb       |   1 +
>  .../net-snmp/CVE-2020-15861-0001.patch        | 164 ++++++++
>  .../net-snmp/CVE-2020-15861-0002.patch        |  44 +++
>  .../net-snmp/CVE-2020-15861-0003.patch        |  40 ++
>  .../net-snmp/CVE-2020-15861-0004.patch        |  33 ++
>  .../net-snmp/CVE-2020-15861-0005.patch        | 349 ++++++++++++++++++
>  .../net-snmp/net-snmp/CVE-2020-15862.patch    |  87 +++++
>  .../net-snmp/net-snmp_5.8.bb                  |   6 +
>  ...or-last-line-only-from-preprocessed-.patch |  57 +++
>  meta-oe/recipes-bsp/flashrom/flashrom_1.2.bb  |   1 +
>  .../lua/lua/CVE-2020-15888.patch              |  45 +++
>  meta-oe/recipes-devtools/lua/lua_5.3.5.bb     |   1 +
>  ...-protection-only-if-compiler-arch-su.patch |  40 ++
>  .../{exiv2_0.27.1.bb => exiv2_0.27.3.bb}      |   7 +-
>  meta-oe/recipes-support/lcov/lcov_1.14.bb     |   7 +-
>  meta-oe/recipes-support/lvm2/lvm2_2.03.06.bb  |   8 +-
>  .../recipes-devtools/python/python-pint.inc   |   5 +
>  .../python/python3-obd_0.7.1.bb               |   2 +-
>  ...andas_1.0.3.bb => python3-pandas_1.0.5.bb} |   4 +-
>  36 files changed, 1516 insertions(+), 16 deletions(-)
>  create mode 100644 meta-gnome/recipes-gnome/gnome-settings-daemon/files/0001-plugins-wacom-Fix-build-without-WAYLAND.patch
>  create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-existed-certificate-err.patch
>  create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-occasional-verification.patch
>  create mode 100644 meta-networking/recipes-connectivity/rdist/rdist-6.1.5/rdist-6.1.5-fix-parallel-build.patch
>  create mode 100644 meta-networking/recipes-connectivity/samba/samba/0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch
>  create mode 100644 meta-networking/recipes-connectivity/samba/samba/0001-util-Simplify-input-validation.patch
>  create mode 100644 meta-networking/recipes-connectivity/samba/samba/0002-util-Fix-build-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch
>  create mode 100644 meta-networking/recipes-connectivity/samba/samba/0003-util-Reallocate-larger-buffer-if-getpwuid_r-returns-.patch
>  rename meta-networking/recipes-connectivity/samba/{samba_4.10.15.bb => samba_4.10.17.bb} (96%)
>  create mode 100644 meta-networking/recipes-daemons/radvd/files/radvd.conf
>  create mode 100644 meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch
>  create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0001.patch
>  create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0002.patch
>  create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0003.patch
>  create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0004.patch
>  create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0005.patch
>  create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15862.patch
>  create mode 100644 meta-oe/recipes-bsp/flashrom/flashrom/0001-Makefile-Check-for-last-line-only-from-preprocessed-.patch
>  create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2020-15888.patch
>  create mode 100644 meta-oe/recipes-support/exiv2/exiv2/0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch
>  rename meta-oe/recipes-support/exiv2/{exiv2_0.27.1.bb => exiv2_0.27.3.bb} (52%)
>  rename meta-python/recipes-devtools/python/{python3-pandas_1.0.3.bb => python3-pandas_1.0.5.bb} (81%)
>
> --
> 2.17.1
>
> 


* Re: [oe] [dunfell 11/20] samba: upgrade 4.10.15 -> 4.10.17
  2020-09-05 16:55 ` [dunfell 11/20] samba: upgrade 4.10.15 -> 4.10.17 akuster
@ 2020-09-08 11:31   ` Andreas Müller
  2020-09-14  0:27     ` Craig McQueen
  0 siblings, 1 reply; 24+ messages in thread
From: Andreas Müller @ 2020-09-08 11:31 UTC (permalink / raw)
  To: akuster; +Cc: openembeded-devel

On Sat, Sep 5, 2020 at 6:56 PM akuster <akuster808@gmail.com> wrote:
>
> From: Yi Zhao <yi.zhao@windriver.com>
>
> This is a security release in order to address the following defects:
>
> CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD
>                 DC LDAP Server with ASQ, VLV and paged_results.
> CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
>                 excessive CPU
> CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with
>                 paged_results and VLV.
> CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd.
>
> Also backport 3 patches to fix build error with musl.
>
Maybe I messed something but it fails for me in recent dunfell with:

| Checking for system pyldb-util.cpython-38-arm-linux-gnueabi (>=1.5.8
<=1.5.999)   : not found
| ERROR: System library pyldb-util.cpython-38-arm-linux-gnueabi of
version 1.5.8 not found, and bundling disabled
| WARNING: /home/superandy/tmp/oe-core-glibc/work/cortexa9t2hf-neon-mortsgna-linux-gnueabi/samba/4.10.17-r0/temp/run.do_configure.2978665:1
exit 1 from '${CONFIG_CMD} --cross-answers="${CROSS_ANSWERS}"'

Suggestions welcome

Andreas


* Re: [oe] [dunfell 11/20] samba: upgrade 4.10.15 -> 4.10.17
  2020-09-08 11:31   ` [oe] " Andreas Müller
@ 2020-09-14  0:27     ` Craig McQueen
  0 siblings, 0 replies; 24+ messages in thread
From: Craig McQueen @ 2020-09-14  0:27 UTC (permalink / raw)
  To: Andreas Müller, akuster; +Cc: openembeded-devel

On Tuesday, 8 September 2020 9:31 PM, Andreas Müller wrote:
> 
> Maybe I messed something but it fails for me in recent dunfell with:
> | Checking for system pyldb-util.cpython-38-arm-linux-gnueabi
> (>=1.5.8 <=1.5.999)   : not found
> | ERROR: System library pyldb-util.cpython-38-arm-linux-gnueabi of
> version 1.5.8 not found, and bundling disabled
> | WARNING: /home/superandy/tmp/oe-core-glibc/work/cortexa9t2hf-
> neon-mortsgna-linux-gnueabi/samba/4.10.17-r0/temp/run.do_configure.2978665:1
> exit 1 from '${CONFIG_CMD} --cross-answers="${CROSS_ANSWERS}"'
> 
> Suggestions welcome
> 
> Andreas


I'm having the same issue. I see that on 29/07/2020, Yi Zhao submitted a patch to update libldb from 1.5.7 to 1.5.8, which might be useful to this issue. But then the samba recipe still needs to add a DEPENDS for it I presume.

-- 
Craig McQueen

