[OE-core][dunfell 00/28] Patch review

[OE-core][dunfell 00/28] Patch review

[Steve Sakoman]

Please review this next set of patches for dunfell and have comments back
by end of day Wednesday.

The following changes since commit 2cc3fac9cd1a0d77931c9e49dbe2941fa8619c51:

  parselogs.py: ignore pulseaudio startup warning messages (2020-04-30 11:59:59 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alex Kiernan (1):
  run-postinsts: Set RemainAfterExit on systemd unit

Alexander Kanavin (2):
  testimage.bbclass: correctly process SIGTERM
  buildtools-extended-tarball: add libgomp-dev

Andrew Geissler (2):
  boost: revert 1.72.0 regression
  libffi: fix v3.3 compile on ppc64le

Domarys Correa (1):
  insane.bbclass: Add test for shebang line length

Drew Moseley (1):
  perl: Add missing dependency for tie-hash on carp.

Jan Luebbe (1):
  openssl: upgrade 1.1.1f -> 1.1.1g

Joe Slater (1):
  vim: do not adjust script paths building for target

Kai Kang (1):
  pseudo: add macro guard for seccomp

Khem Raj (6):
  packagegroup-go-sdk-target: Enable on rv64
  go: Rely on go-runtime to provide needed modules
  packagegroup-go-sdk-target: Add go to packagegroup
  gcc: Configure all gccs with --disable-install-libiberty
  binutils: Detect proper static-libstdc++ support when using clang
  binutils: Install PIC version of libiberty.a

Mingli Yu (2):
  pbzip2: Fix license warning
  iputils: Initialize libgcrypt

Peter Kjellerstedt (1):
  busybox: Correct the name of the bzip2 license

Richard Purdie (6):
  bzip2/pbzip2: Correct license information
  oeqa/selftest: Add test for conflicting sysroot provider
  staging: Fix overlapping file failures
  targetcontrol: Fix leaking log handler
  oeqa/qemurunner: Clean up failure handling
  gcc-target: Ensure buildtools-extended-tarball doesn't use arch=native

Tim Orling (1):
  scripts/install-buildtools: bump to 3.1 release by default

Trevor Gamblin (1):
  python3: fix CVE-2020-8492

Wang Mingyu (1):
  icu: CVE-2020-10531

 .../sysroot-test/sysroot-test-arch1_1.0.bb    |  14 +
 .../sysroot-test/sysroot-test-arch2_1.0.bb    |  14 +
 .../sysroot-test/sysroot-test_1.0.bb          |   6 +
 meta/classes/insane.bbclass                   |  25 +-
 meta/classes/staging.bbclass                  |  12 +-
 meta/classes/testimage.bbclass                |   8 +-
 .../common-licenses/{bzip2 => bzip2-1.0.6}    |   0
 meta/lib/oeqa/selftest/cases/sysroot.py       |  37 +++
 meta/lib/oeqa/targetcontrol.py                |   7 +-
 meta/lib/oeqa/utils/qemurunner.py             |  11 +-
 .../{openssl_1.1.1f.bb => openssl_1.1.1g.bb}  |   2 +-
 meta/recipes-core/busybox/busybox.inc         |   2 +-
 .../meta/buildtools-extended-tarball.bb       |   1 +
 .../packagegroup-go-sdk-target.bb             |   3 +-
 .../binutils/binutils-2.34.inc                |   1 +
 meta/recipes-devtools/binutils/binutils.inc   |   5 +
 ...or-clang-before-checking-gcc-version.patch |  48 ++++
 .../gcc/gcc-configure-common.inc              |   1 +
 .../gcc/gcc-cross-canadian.inc                |   6 -
 meta/recipes-devtools/gcc/gcc-cross.inc       |   4 -
 meta/recipes-devtools/gcc/gcc-target.inc      |  14 +-
 meta/recipes-devtools/go/go-target.inc        |   4 +-
 .../perl/files/perl-rdepends.txt              |   1 +
 .../pseudo/files/seccomp.patch                |  15 +-
 ...20-8492-Fix-AbstractBasicAuthHandler.patch | 248 ++++++++++++++++++
 meta/recipes-devtools/python/python3_3.8.2.bb |   1 +
 .../run-postinsts/run-postinsts.service       |   2 +-
 meta/recipes-extended/bzip2/bzip2_1.0.8.bb    |   2 +-
 .../0001-iputils-Initialize-libgcrypt.patch   |  55 ++++
 .../iputils/iputils_s20190709.bb              |   1 +
 meta/recipes-extended/pbzip2/pbzip2_1.1.13.bb |   2 +-
 meta/recipes-support/boost/boost_1.72.0.bb    |   1 +
 ...001-revert-cease-dependence-on-range.patch |  53 ++++
 .../icu/icu/CVE-2020-10531.patch              | 128 +++++++++
 meta/recipes-support/icu/icu_66.1.bb          |   1 +
 ...pc.h-fix-build-failure-with-powerpc7.patch |  62 +++++
 meta/recipes-support/libffi/libffi_3.3.bb     |   1 +
 .../vim/files/no-path-adjust.patch            |  27 ++
 meta/recipes-support/vim/vim.inc              |  12 +-
 scripts/install-buildtools                    |   6 +-
 40 files changed, 793 insertions(+), 50 deletions(-)
 create mode 100644 meta-selftest/recipes-test/sysroot-test/sysroot-test-arch1_1.0.bb
 create mode 100644 meta-selftest/recipes-test/sysroot-test/sysroot-test-arch2_1.0.bb
 create mode 100644 meta-selftest/recipes-test/sysroot-test/sysroot-test_1.0.bb
 rename meta/files/common-licenses/{bzip2 => bzip2-1.0.6} (100%)
 create mode 100644 meta/lib/oeqa/selftest/cases/sysroot.py
 rename meta/recipes-connectivity/openssl/{openssl_1.1.1f.bb => openssl_1.1.1g.bb} (98%)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0016-Check-for-clang-before-checking-gcc-version.patch
 create mode 100644 meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
 create mode 100644 meta/recipes-extended/iputils/iputils/0001-iputils-Initialize-libgcrypt.patch
 create mode 100644 meta/recipes-support/boost/files/0001-revert-cease-dependence-on-range.patch
 create mode 100644 meta/recipes-support/icu/icu/CVE-2020-10531.patch
 create mode 100644 meta/recipes-support/libffi/libffi/0001-ffi_powerpc.h-fix-build-failure-with-powerpc7.patch
 create mode 100644 meta/recipes-support/vim/files/no-path-adjust.patch

-- 
2.17.1

[OE-core][dunfell 01/28] bzip2/pbzip2: Correct license information

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

The license of pbzip2 looks slightly BSD like but is in fact the bzip2
license. The SPDX identifier for this is "bzip-1.0.6" since there is
another version of the bzip license out there.

To clear up all the confusion, use the SPDX license name and update
both recipes to refer to it. The copyright information is slightly
different between the codebases but the license looks the same.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/files/common-licenses/{bzip2 => bzip2-1.0.6} | 0
 meta/recipes-extended/bzip2/bzip2_1.0.8.bb        | 2 +-
 meta/recipes-extended/pbzip2/pbzip2_1.1.13.bb     | 2 +-
 3 files changed, 2 insertions(+), 2 deletions(-)
 rename meta/files/common-licenses/{bzip2 => bzip2-1.0.6} (100%)

diff --git a/meta/files/common-licenses/bzip2 b/meta/files/common-licenses/bzip2-1.0.6
similarity index 100%
rename from meta/files/common-licenses/bzip2
rename to meta/files/common-licenses/bzip2-1.0.6
diff --git a/meta/recipes-extended/bzip2/bzip2_1.0.8.bb b/meta/recipes-extended/bzip2/bzip2_1.0.8.bb
index 8e9b779e67..d58f553a49 100644
--- a/meta/recipes-extended/bzip2/bzip2_1.0.8.bb
+++ b/meta/recipes-extended/bzip2/bzip2_1.0.8.bb
@@ -4,7 +4,7 @@ Huffman coding. Compression is generally considerably better than that achieved
 LZ77/LZ78-based compressors, and approaches the performance of the PPM family of statistical compressors."
 HOMEPAGE = "https://sourceware.org/bzip2/"
 SECTION = "console/utils"
-LICENSE = "bzip2"
+LICENSE = "bzip2-1.0.6"
 LIC_FILES_CHKSUM = "file://LICENSE;beginline=4;endline=37;md5=600af43c50f1fcb82e32f19b32df4664"
 
 SRC_URI = "https://sourceware.org/pub/${BPN}/${BPN}-${PV}.tar.gz \
diff --git a/meta/recipes-extended/pbzip2/pbzip2_1.1.13.bb b/meta/recipes-extended/pbzip2/pbzip2_1.1.13.bb
index 1275cc0097..d7450c73c1 100644
--- a/meta/recipes-extended/pbzip2/pbzip2_1.1.13.bb
+++ b/meta/recipes-extended/pbzip2/pbzip2_1.1.13.bb
@@ -5,7 +5,7 @@ machines. The output of this version is fully compatible with bzip2 v1.0.2 or \
 newer (ie: anything compressed with pbzip2 can be decompressed with bzip2)."
 HOMEPAGE = "http://compression.ca/pbzip2/"
 SECTION = "console/utils"
-LICENSE = "BSD-4-Clause"
+LICENSE = "bzip-1.0.6"
 LIC_FILES_CHKSUM = "file://COPYING;md5=398b8832c6f840cfebd20ab2be6a3743"
 
 DEPENDS = "bzip2"
-- 
2.17.1

[OE-core][dunfell 02/28] busybox: Correct the name of the bzip2 license

[Steve Sakoman]

From: Peter Kjellerstedt <peter.kjellerstedt@axis.com>

The common bzip2 license was renamed from "bzip2" to "bzip2-1.0.6" in
commit 669600ef to match the official SPDX identifier.

Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/busybox/busybox.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/busybox/busybox.inc b/meta/recipes-core/busybox/busybox.inc
index 344e891f7a..6cfdcd7344 100644
--- a/meta/recipes-core/busybox/busybox.inc
+++ b/meta/recipes-core/busybox/busybox.inc
@@ -7,7 +7,7 @@ DEPENDS += "kern-tools-native virtual/crypt"
 
 # bzip2 applet in busybox is based on lightly-modified bzip2 source
 # the GPL is version 2 only
-LICENSE = "GPLv2 & bzip2"
+LICENSE = "GPLv2 & bzip2-1.0.6"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=de10de48642ab74318e893a61105afbb"
 
 SECTION = "base"
-- 
2.17.1

[OE-core][dunfell 03/28] pbzip2: Fix license warning

[Steve Sakoman]

From: Mingli Yu <mingli.yu@windriver.com>

After below commit introduced, the LICENSE
field changed from BSD-4-Clause to bzip-1.0.6.
669600ef9b bzip2/pbzip2: Correct license information

But actually it should be bzip2-1.0.6,
update it to fix the below license warning:
WARNING: pbzip2-native-1.1.13-r0 do_populate_lic: pbzip2-native: No generic license file exists for: bzip-1.0.6 in any provider

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-extended/pbzip2/pbzip2_1.1.13.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-extended/pbzip2/pbzip2_1.1.13.bb b/meta/recipes-extended/pbzip2/pbzip2_1.1.13.bb
index d7450c73c1..e321cd2b27 100644
--- a/meta/recipes-extended/pbzip2/pbzip2_1.1.13.bb
+++ b/meta/recipes-extended/pbzip2/pbzip2_1.1.13.bb
@@ -5,7 +5,7 @@ machines. The output of this version is fully compatible with bzip2 v1.0.2 or \
 newer (ie: anything compressed with pbzip2 can be decompressed with bzip2)."
 HOMEPAGE = "http://compression.ca/pbzip2/"
 SECTION = "console/utils"
-LICENSE = "bzip-1.0.6"
+LICENSE = "bzip2-1.0.6"
 LIC_FILES_CHKSUM = "file://COPYING;md5=398b8832c6f840cfebd20ab2be6a3743"
 
 DEPENDS = "bzip2"
-- 
2.17.1

[OE-core][dunfell 04/28] packagegroup-go-sdk-target: Enable on rv64

[Steve Sakoman]

From: Khem Raj <raj.khem@gmail.com>

RISCV64 now supports golang (starting dunfell), therefore limit
disabling to rv32 only.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/packagegroups/packagegroup-go-sdk-target.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/packagegroups/packagegroup-go-sdk-target.bb b/meta/recipes-core/packagegroups/packagegroup-go-sdk-target.bb
index 5afb490aac..86c71900ec 100644
--- a/meta/recipes-core/packagegroups/packagegroup-go-sdk-target.bb
+++ b/meta/recipes-core/packagegroups/packagegroup-go-sdk-target.bb
@@ -8,4 +8,4 @@ RDEPENDS_${PN} = " \
     go-runtime-staticdev \
 "
 
-COMPATIBLE_HOST = "^(?!riscv64).*"
+COMPATIBLE_HOST = "^(?!riscv32).*"
-- 
2.17.1

[OE-core][dunfell 05/28] go: Rely on go-runtime to provide needed modules

[Steve Sakoman]

From: Khem Raj <raj.khem@gmail.com>

go compiler is including go/src/cmd modules in -dev package which is in
conflict with go-runtime-dev which provides exact same copy of this
module along with other runtime modules, as a result when both go-dev and
go-runtime-dev are included in image then it results in rootfs failures,
here lets make go depend on go-runtime and dont install the cmd module
here explicitly.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/go/go-target.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-devtools/go/go-target.inc b/meta/recipes-devtools/go/go-target.inc
index 316bf6f038..8e44247031 100644
--- a/meta/recipes-devtools/go/go-target.inc
+++ b/meta/recipes-devtools/go/go-target.inc
@@ -34,12 +34,12 @@ do_install() {
 		install -m 0755 $f ${D}${libdir}/go/bin/
 		ln -sf ../${baselib}/go/bin/$name ${D}${bindir}/
 	done
+	rm -rf ${D}${libdir}/go/src
 }
 
 PACKAGES = "${PN} ${PN}-dev"
 FILES_${PN} = "${libdir}/go/bin ${libdir}/go/pkg/tool/${TARGET_GOTUPLE} ${bindir}"
-FILES_${PN}-dev = "${libdir}/go"
-RDEPENDS_${PN}-dev = "perl bash"
+RDEPENDS_${PN} = "go-runtime"
 INSANE_SKIP_${PN} = "ldflags"
 
 BBCLASSEXTEND = "nativesdk"
-- 
2.17.1

[OE-core][dunfell 06/28] packagegroup-go-sdk-target: Add go to packagegroup

[Steve Sakoman]

From: Khem Raj <raj.khem@gmail.com>

This ensures that we have go compiler installed into image along with
runtime

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/packagegroups/packagegroup-go-sdk-target.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-core/packagegroups/packagegroup-go-sdk-target.bb b/meta/recipes-core/packagegroups/packagegroup-go-sdk-target.bb
index 86c71900ec..9a52b0781c 100644
--- a/meta/recipes-core/packagegroups/packagegroup-go-sdk-target.bb
+++ b/meta/recipes-core/packagegroups/packagegroup-go-sdk-target.bb
@@ -3,6 +3,7 @@ SUMMARY = "Target packages for the Go SDK"
 inherit packagegroup goarch
 
 RDEPENDS_${PN} = " \
+    go \
     go-runtime \
     go-runtime-dev \
     go-runtime-staticdev \
-- 
2.17.1

[OE-core][dunfell 07/28] gcc: Configure all gccs with --disable-install-libiberty

[Steve Sakoman]

From: Khem Raj <raj.khem@gmail.com>

OE uses libiberty from binutils, since its properly compiled as pic
archive and applications and other libraries needing libiberty can
properly link with it.

With this option applied, explicit delete of libiberty headers and
libraries is not required in install step, since they wont get installed
in first place.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/gcc/gcc-configure-common.inc | 1 +
 meta/recipes-devtools/gcc/gcc-cross-canadian.inc   | 6 ------
 meta/recipes-devtools/gcc/gcc-cross.inc            | 4 ----
 meta/recipes-devtools/gcc/gcc-target.inc           | 4 ----
 4 files changed, 1 insertion(+), 14 deletions(-)

diff --git a/meta/recipes-devtools/gcc/gcc-configure-common.inc b/meta/recipes-devtools/gcc/gcc-configure-common.inc
index bb4f6923f2..a64c4caf00 100644
--- a/meta/recipes-devtools/gcc/gcc-configure-common.inc
+++ b/meta/recipes-devtools/gcc/gcc-configure-common.inc
@@ -33,6 +33,7 @@ EXTRA_OECONF = "\
     --enable-libstdcxx-pch \
     --program-prefix=${TARGET_PREFIX} \
     --without-local-prefix \
+    --disable-install-libiberty \
     ${EXTRA_OECONF_BASE} \
     ${EXTRA_OECONF_GCC_FLOAT} \
     ${EXTRA_OECONF_PATHS} \
diff --git a/meta/recipes-devtools/gcc/gcc-cross-canadian.inc b/meta/recipes-devtools/gcc/gcc-cross-canadian.inc
index 4aac345bec..553ef7fe62 100644
--- a/meta/recipes-devtools/gcc/gcc-cross-canadian.inc
+++ b/meta/recipes-devtools/gcc/gcc-cross-canadian.inc
@@ -108,12 +108,6 @@ do_install () {
 	# We don't care about the gcc-<version> copies
 	rm -f ${D}${bindir}/*gcc-?.?*
 
-	# We use libiberty from binutils
-	rm -f ${D}${prefix}/${TARGET_SYS}/lib/libiberty.a
-	# Not sure where the strange paths come from
-	rm -f ${D}${libdir}/../lib/libiberty.a
-	rm -f ${D}${libdir}/libiberty.a
-
 	# Cleanup empty directories which are not shipped
 	# we use rmdir instead of 'rm -f' to ensure the non empty directories are not deleted
 	# ${D}${libdir}/../lib only seems to appear with SDKMACHINE=i686
diff --git a/meta/recipes-devtools/gcc/gcc-cross.inc b/meta/recipes-devtools/gcc/gcc-cross.inc
index c68cdd5dc4..6fa8c274cd 100644
--- a/meta/recipes-devtools/gcc/gcc-cross.inc
+++ b/meta/recipes-devtools/gcc/gcc-cross.inc
@@ -117,10 +117,6 @@ do_install () {
 	cp ${S}/libquadmath/quadmath.h ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/include/
 	cp ${S}/libquadmath/quadmath_weak.h ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/include/
 
-	# We use libiberty from binutils
-	find ${D}${exec_prefix}/lib -name libiberty.a | xargs rm -f
-	find ${D}${exec_prefix}/lib -name libiberty.h | xargs rm -f
-
 	find ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/include-fixed -type f -not -name "README" -not -name limits.h -not -name syslimits.h | xargs rm -f
 }
 
diff --git a/meta/recipes-devtools/gcc/gcc-target.inc b/meta/recipes-devtools/gcc/gcc-target.inc
index 34c1b2263b..8cb432780f 100644
--- a/meta/recipes-devtools/gcc/gcc-target.inc
+++ b/meta/recipes-devtools/gcc/gcc-target.inc
@@ -192,10 +192,6 @@ do_install () {
 	# We don't care about the gcc-<version> ones for this
 	rm -f *gcc-?.?*
 
-	# We use libiberty from binutils
-	find ${D}${libdir} -name libiberty.a | xargs rm -f
-	find ${D}${libdir} -name libiberty.h | xargs rm -f
-
 	# Not sure why we end up with these but we don't want them...
 	rm -f ${TARGET_PREFIX}${TARGET_PREFIX}*
 
-- 
2.17.1

[OE-core][dunfell 08/28] binutils: Detect proper static-libstdc++ support when using clang

[Steve Sakoman]

From: Khem Raj <raj.khem@gmail.com>

Fixes configure time tests to ensure static-libstdc++ is enabled when
using clang

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../binutils/binutils-2.34.inc                |  1 +
 ...or-clang-before-checking-gcc-version.patch | 48 +++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0016-Check-for-clang-before-checking-gcc-version.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc
index 4b085b6fe0..66a3850ef2 100644
--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -40,6 +40,7 @@ SRC_URI = "\
      file://0013-fix-the-incorrect-assembling-for-ppc-wait-mnemonic.patch \
      file://0014-Detect-64-bit-MIPS-targets.patch \
      file://0015-sync-with-OE-libtool-changes.patch \
+     file://0016-Check-for-clang-before-checking-gcc-version.patch \
      file://CVE-2020-0551.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0016-Check-for-clang-before-checking-gcc-version.patch b/meta/recipes-devtools/binutils/binutils/0016-Check-for-clang-before-checking-gcc-version.patch
new file mode 100644
index 0000000000..c694b42dc3
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0016-Check-for-clang-before-checking-gcc-version.patch
@@ -0,0 +1,48 @@
+From 67590a44c1256491fa674426f0170d5d05377d05 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Wed, 15 Apr 2020 14:17:20 -0700
+Subject: [PATCH 16/16] Check for clang before checking gcc version
+
+Clang advertises itself to be gcc 4.2.1, so when compiling this test
+here fails since gcc < 4.4.5 did not support -static-libstdc++ but thats
+not true for clang, so its better to make an additional check for clang
+before resorting to gcc version check. This should let clang enable
+static libstdc++ linking
+
+Upstream-Status: Pending
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ configure    | 2 +-
+ configure.ac | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure b/configure
+index 590b03c2da0..46f116fdb54 100755
+--- a/configure
++++ b/configure
+@@ -5140,7 +5140,7 @@ ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ 
+-#if (__GNUC__ < 4) || (__GNUC__ == 4 && __GNUC_MINOR__ < 5)
++#if !defined(__clang__) && ((__GNUC__ < 4) || (__GNUC__ == 4 && __GNUC_MINOR__ < 5))
+ #error -static-libstdc++ not implemented
+ #endif
+ int main() {}
+diff --git a/configure.ac b/configure.ac
+index d3f85e6f5d5..c0eb1343121 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1309,7 +1309,7 @@ if test "$GCC" = yes; then
+   AC_MSG_CHECKING([whether g++ accepts -static-libstdc++ -static-libgcc])
+   AC_LANG_PUSH(C++)
+   AC_LINK_IFELSE([AC_LANG_SOURCE([
+-#if (__GNUC__ < 4) || (__GNUC__ == 4 && __GNUC_MINOR__ < 5)
++#if !defined(__clang__) && ((__GNUC__ < 4) || (__GNUC__ == 4 && __GNUC_MINOR__ < 5))
+ #error -static-libstdc++ not implemented
+ #endif
+ int main() {}])],
+-- 
+2.26.1
+
-- 
2.17.1

[OE-core][dunfell 09/28] binutils: Install PIC version of libiberty.a

[Steve Sakoman]

From: Khem Raj <raj.khem@gmail.com>

some architectures e.g. mips complain in linking apps which have shared
libs that are linking with libiberty.a fixes errors like below

libiberty/../../libiberty/hashtab.c:285:(.text+0xf8): relocation R_MIPS_26 against `htab_create_typed_alloc' cannot be used when making a shared object; recompile with -fPIC

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/binutils/binutils.inc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/recipes-devtools/binutils/binutils.inc b/meta/recipes-devtools/binutils/binutils.inc
index 4119960c63..e93cd50b20 100644
--- a/meta/recipes-devtools/binutils/binutils.inc
+++ b/meta/recipes-devtools/binutils/binutils.inc
@@ -152,6 +152,11 @@ do_install () {
 	install -m 644 ${S}/include/ansidecl.h ${D}${includedir}
 	install -m 644 ${S}/include/libiberty.h ${D}${includedir}
 
+	# insall pic version of libiberty if available
+        if [ -e ${B}/libiberty/pic/libiberty.a ]; then
+		install -Dm 0644 ${B}/libiberty/pic/libiberty.a ${D}${libdir}/libiberty.a
+	fi
+
 	cd ${D}${bindir}
 
 	# Symlinks for ease of running these on the native target
-- 
2.17.1

[OE-core][dunfell 10/28] insane.bbclass: Add test for shebang line length

[Steve Sakoman]

From: Domarys Correa <domarys.correa@ossystems.com.br>

Shebang lines longer than 128 characters can give an error
depending on the operating system.
This implements a test that signals an error when locating a
faulty shebang.

YOCTO: #11053

Signed-off-by: Domarys Correa <domarys.correa@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/insane.bbclass | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass
index 478240fa57..7fc8f33a98 100644
--- a/meta/classes/insane.bbclass
+++ b/meta/classes/insane.bbclass
@@ -35,7 +35,7 @@ ERROR_QA ?= "dev-so debug-deps dev-deps debug-files arch pkgconfig la \
             split-strip packages-list pkgv-undefined var-undefined \
             version-going-backwards expanded-d invalid-chars \
             license-checksum dev-elf file-rdeps configure-unsafe \
-            configure-gettext perllocalpod \
+            configure-gettext perllocalpod shebang-size \
             "
 # Add usrmerge QA check based on distro feature
 ERROR_QA_append = "${@bb.utils.contains('DISTRO_FEATURES', 'usrmerge', ' usrmerge', '', d)}"
@@ -83,6 +83,29 @@ def package_qa_add_message(messages, section, new_msg):
     else:
         messages[section] = messages[section] + "\n" + new_msg
 
+QAPATHTEST[shebang-size] = "package_qa_check_shebang_size"
+def package_qa_check_shebang_size(path, name, d, elf, messages):
+    if os.path.islink(path) or elf:
+        return
+
+    try:
+        with open(path, 'rb') as f:
+            stanza = f.readline(130)
+    except IOError:
+        return
+
+    if stanza.startswith(b'#!'):
+        #Shebang not found
+        try:
+            stanza = stanza.decode("utf-8")
+        except UnicodeDecodeError:
+            #If it is not a text file, it is not a script
+            return
+
+        if len(stanza) > 129:
+            package_qa_add_message(messages, "shebang-size", "%s: %s maximum shebang size exceeded, the maximum size is 128." % (name, package_qa_clean_path(path, d)))
+            return
+
 QAPATHTEST[libexec] = "package_qa_check_libexec"
 def package_qa_check_libexec(path,name, d, elf, messages):
 
-- 
2.17.1

[OE-core][dunfell 11/28] vim: do not adjust script paths building for target

[Steve Sakoman]

From: Joe Slater <joe.slater@windriver.com>

When cross-compiling, do not change scripts to use host
versions of perl and gawk.

Also, use INSANE_SKIP to suppress QA complaints if perl
or gawk are not on the target.

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../vim/files/no-path-adjust.patch            | 27 +++++++++++++++++++
 meta/recipes-support/vim/vim.inc              | 12 ++++-----
 2 files changed, 33 insertions(+), 6 deletions(-)
 create mode 100644 meta/recipes-support/vim/files/no-path-adjust.patch

diff --git a/meta/recipes-support/vim/files/no-path-adjust.patch b/meta/recipes-support/vim/files/no-path-adjust.patch
new file mode 100644
index 0000000000..05c2d803f6
--- /dev/null
+++ b/meta/recipes-support/vim/files/no-path-adjust.patch
@@ -0,0 +1,27 @@
+vim: do not adjust script pathnames
+
+When cross-compiling, we do not want to reference the host versions of
+things like perl and awk.
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -2507,11 +2507,14 @@ installtools: $(TOOLS) $(DESTDIR)$(exec_
+ 		 rm -rf $$cvs; \
+ 	      fi
+ 	-chmod $(FILEMOD) $(DEST_TOOLS)/*
+-# replace the path in some tools
++
++# replace the path in some tools, but not when cross-compiling
++ifneq ($(CROSS_COMPILING),1)
+ 	perlpath=`./which.sh perl` && sed -e "s+/usr/bin/perl+$$perlpath+" $(TOOLSSOURCE)/efm_perl.pl >$(DEST_TOOLS)/efm_perl.pl
+ 	awkpath=`./which.sh nawk` && sed -e "s+/usr/bin/nawk+$$awkpath+" $(TOOLSSOURCE)/mve.awk >$(DEST_TOOLS)/mve.awk; if test -z "$$awkpath"; then \
+ 		awkpath=`./which.sh gawk` && sed -e "s+/usr/bin/nawk+$$awkpath+" $(TOOLSSOURCE)/mve.awk >$(DEST_TOOLS)/mve.awk; if test -z "$$awkpath"; then \
+ 		awkpath=`./which.sh awk` && sed -e "s+/usr/bin/nawk+$$awkpath+" $(TOOLSSOURCE)/mve.awk >$(DEST_TOOLS)/mve.awk; fi; fi
++endif
+ 	-chmod $(SCRIPTMOD) `grep -l "^#!" $(DEST_TOOLS)/*`
+ 
+ # install the language specific files for tools, if they were unpacked
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 78e3f9528d..9f3dc08027 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -11,6 +11,7 @@ SRC_URI = "git://github.com/vim/vim.git \
            file://disable_acl_header_check.patch \
            file://vim-add-knob-whether-elf.h-are-checked.patch \
            file://0001-src-Makefile-improve-reproducibility.patch \
+           file://no-path-adjust.patch \
 "
 SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
 
@@ -82,12 +83,6 @@ EXTRA_OECONF = " \
 do_install() {
     autotools_do_install
 
-    # Work around file-rdeps picking up csh, awk, perl or python as a dep
-    chmod -x ${D}${datadir}/${BPN}/${VIMDIR}/tools/vim132
-    chmod -x ${D}${datadir}/${BPN}/${VIMDIR}/tools/mve.awk
-    chmod -x ${D}${datadir}/${BPN}/${VIMDIR}/tools/*.pl
-    chmod -x ${D}${datadir}/${BPN}/${VIMDIR}/tools/*.py
-
     # Install example vimrc from runtime files
     install -m 0644 runtime/vimrc_example.vim ${D}/${datadir}/${BPN}/vimrc
 
@@ -110,7 +105,12 @@ FILES_${PN}-help = "${datadir}/${BPN}/${VIMDIR}/doc"
 FILES_${PN}-tutor = "${datadir}/${BPN}/${VIMDIR}/tutor ${bindir}/${BPN}tutor"
 FILES_${PN}-vimrc = "${datadir}/${BPN}/vimrc"
 FILES_${PN}-data = "${datadir}/${BPN}"
+
+# We do not want to complain if perl or gawk are not on the target.
+#
 FILES_${PN}-tools = "${datadir}/${BPN}/${VIMDIR}/tools"
+INSANE_SKIP_${PN}-tools = "file-rdeps"
+
 FILES_${PN}-common = " \
     ${datadir}/${BPN}/${VIMDIR}/*.vim \
     ${datadir}/${BPN}/${VIMDIR}/autoload \
-- 
2.17.1

[OE-core][dunfell 12/28] boost: revert 1.72.0 regression

[Steve Sakoman]

From: Andrew Geissler <geissonator@gmail.com>

https://www.boost.org/users/history/version_1_72_0.html documents a
"Known Issue" and has a revert patch for an issue that causes code to
fail to compile that includes the coroutine function. Without this
patch, code which includes the asymmetric_coroutine.hpp will fail to
compile.

Signed-off-by: Andrew Geissler <geissonator@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/boost/boost_1.72.0.bb    |  1 +
 ...001-revert-cease-dependence-on-range.patch | 53 +++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 meta/recipes-support/boost/files/0001-revert-cease-dependence-on-range.patch

diff --git a/meta/recipes-support/boost/boost_1.72.0.bb b/meta/recipes-support/boost/boost_1.72.0.bb
index 5e9e0d87d7..0b7badbc76 100644
--- a/meta/recipes-support/boost/boost_1.72.0.bb
+++ b/meta/recipes-support/boost/boost_1.72.0.bb
@@ -7,4 +7,5 @@ SRC_URI += "file://arm-intrinsics.patch \
            file://0001-Apply-boost-1.62.0-no-forced-flags.patch.patch \
            file://0001-Don-t-set-up-arch-instruction-set-flags-we-do-that-o.patch \
            file://0001-dont-setup-compiler-flags-m32-m64.patch \
+           file://0001-revert-cease-dependence-on-range.patch \
            "
diff --git a/meta/recipes-support/boost/files/0001-revert-cease-dependence-on-range.patch b/meta/recipes-support/boost/files/0001-revert-cease-dependence-on-range.patch
new file mode 100644
index 0000000000..d6d09a23a5
--- /dev/null
+++ b/meta/recipes-support/boost/files/0001-revert-cease-dependence-on-range.patch
@@ -0,0 +1,53 @@
+From 436e1dbe6fcd31523d261d18ad011392f1d6fbbc Mon Sep 17 00:00:00 2001
+From: Oliver Kowalke <oliver.kowalke@gmail.com>
+Date: Sun, 1 Dec 2019 20:40:28 +0100
+Subject: [PATCH] Revert "Cease dependence on Range"
+
+This reverts commit 0c556bb59241e682bbcd3f572815149c5a9b17db.
+
+see #44 (One test fails to compile after boostorg/coroutine submodule updated)
+
+Upstream-Status: Backport [https://github.com/boostorg/coroutine/commit/9c73b2f7c1759a9508ba8780b38dc15f07f1a447]
+
+Signed-off-by: Andrew Geissler <geissonator@gmail.com>
+---
+ boost/coroutine/asymmetric_coroutine.hpp | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/boost/coroutine/asymmetric_coroutine.hpp b/boost/coroutine/asymmetric_coroutine.hpp
+index ea96981..640896f 100644
+--- a/boost/coroutine/asymmetric_coroutine.hpp
++++ b/boost/coroutine/asymmetric_coroutine.hpp
+@@ -14,6 +14,7 @@
+ #include <boost/assert.hpp>
+ #include <boost/config.hpp>
+ #include <boost/move/move.hpp>
++#include <boost/range.hpp>
+ #include <boost/throw_exception.hpp>
+ #include <boost/utility/explicit_operator_bool.hpp>
+
+@@ -2354,19 +2355,12 @@ end( push_coroutine< R > & c)
+
+ }
+
+-// forward declaration of Boost.Range traits to break dependency on it
+-template<typename C, typename Enabler>
+-struct range_mutable_iterator;
+-
+-template<typename C, typename Enabler>
+-struct range_const_iterator;
+-
+ template< typename Arg >
+-struct range_mutable_iterator< coroutines::push_coroutine< Arg >, void >
++struct range_mutable_iterator< coroutines::push_coroutine< Arg > >
+ { typedef typename coroutines::push_coroutine< Arg >::iterator type; };
+
+ template< typename R >
+-struct range_mutable_iterator< coroutines::pull_coroutine< R >, void >
++struct range_mutable_iterator< coroutines::pull_coroutine< R > >
+ { typedef typename coroutines::pull_coroutine< R >::iterator type; };
+
+ }
+--
+2.24.1
+
-- 
2.17.1

[OE-core][dunfell 13/28] perl: Add missing dependency for tie-hash on carp.

[Steve Sakoman]

From: Drew Moseley <drew.moseley@northern.tech>

Signed-off-by: Drew Moseley <drew.moseley@northern.tech>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/perl/files/perl-rdepends.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-devtools/perl/files/perl-rdepends.txt b/meta/recipes-devtools/perl/files/perl-rdepends.txt
index 331a44d308..9ecfce0011 100644
--- a/meta/recipes-devtools/perl/files/perl-rdepends.txt
+++ b/meta/recipes-devtools/perl/files/perl-rdepends.txt
@@ -2218,6 +2218,7 @@ RDEPENDS_perl-module-tie-handle += "perl-module-warnings-register"
 RDEPENDS_perl-module-tie-hash-namedcapture += "perl-module-strict"
 RDEPENDS_perl-module-tie-hash-namedcapture += "perl-module-xsloader"
 RDEPENDS_perl-module-tie-hash += "perl-module-warnings-register"
+RDEPENDS_perl-module-tie-hash += "perl-module-carp"
 RDEPENDS_perl-module-tie-memoize += "perl-module-strict"
 RDEPENDS_perl-module-tie-memoize += "perl-module-tie-hash"
 RDEPENDS_perl-module-tie-refhash += "perl-module-config"
-- 
2.17.1

[OE-core][dunfell 14/28] testimage.bbclass: correctly process SIGTERM

[Steve Sakoman]

From: Alexander Kanavin <alex.kanavin@gmail.com>

Python's unittest will not propagate exceptions upside
of itself, but rather will just catch and print them.

The working way to make it stop is to send a SIGINT
(e.g. simulate a ctrl-c press), which will make it exit
with a KeyboardInterrupt exception.

This also makes pressing ctrl-c twice from bitbake work
again (previously hanging instances of bitbake and qemu were
left around, and bitbake would no longer start until they
were killed manually).

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/testimage.bbclass | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/classes/testimage.bbclass b/meta/classes/testimage.bbclass
index 01d8598604..deb81bc256 100644
--- a/meta/classes/testimage.bbclass
+++ b/meta/classes/testimage.bbclass
@@ -204,7 +204,7 @@ def testimage_main(d):
         """
         Catch SIGTERM from worker in order to stop qemu.
         """
-        raise RuntimeError
+        os.kill(os.getpid(), signal.SIGINT)
 
     testimage_sanity(d)
 
@@ -360,9 +360,9 @@ def testimage_main(d):
         # or if the worker send us a SIGTERM
         tc.target.start(params=d.getVar("TEST_QEMUPARAMS"), runqemuparams=d.getVar("TEST_RUNQEMUPARAMS"))
         results = tc.runTests()
-    except (RuntimeError, BlockingIOError) as err:
-        if isinstance(err, RuntimeError):
-            bb.error('testimage received SIGTERM, shutting down...')
+    except (KeyboardInterrupt, BlockingIOError) as err:
+        if isinstance(err, KeyboardInterrupt):
+            bb.error('testimage interrupted, shutting down...')
         else:
             bb.error('runqemu failed, shutting down...')
         if results:
-- 
2.17.1

[OE-core][dunfell 15/28] run-postinsts: Set RemainAfterExit on systemd unit

[Steve Sakoman]

From: Alex Kiernan <alex.kiernan@gmail.com>

run-postinsts is only expected to run once, but during startup, but if
any dependency is pulled into a transaction, even once it has been
marked disabled, then it can be restarted.

This leads to occasional failures during QA if an ssh session starts
whilst the existing transaction is still running:

  Finished Run pending postinsts.
  run-postinsts.service: Succeeded.
  Condition check resulted in Commit a transient machine-id on disk being skipped.
  Condition check resulted in Bind mount volatile /srv being skipped.
  Condition check resulted in Bind mount volatile /var/spool being skipped.
  Condition check resulted in Bind mount volatile /var/lib being skipped.
  Condition check resulted in Bind mount volatile /var/cache being skipped.
  Condition check resulted in Platform Persistent Storage Archival being skipped.
  Condition check resulted in Rebuild Hardware Database being skipped.
  Starting Run pending postinsts...
  Condition check resulted in Kernel Configuration File System being skipped.
  Condition check resulted in FUSE Control File System being skipped.
  Condition check resulted in Load Kernel Modules being skipped.
  Condition check resulted in File System Check on Root Device being skipped.
  Condition check resulted in Huge Pages File System being skipped.
  Condition check resulted in Journal Audit Socket being skipped.
  dropbear@125-192.168.7.2:22-192.168.7.1:44226.service: Succeeded.
  Condition check resulted in Platform Persistent Storage Archival being skipped.
  Started SSH Per-Connection Server (192.168.7.1:44226).
  dropbear@124-192.168.7.2:22-192.168.7.1:44224.service: Succeeded.
  Started SSH Per-Connection Server (192.168.7.1:44224).
  Condition check resulted in Commit a transient machine-id on disk being skipped.
  Condition check resulted in Bind mount volatile /srv being skipped.
  Condition check resulted in Bind mount volatile /var/spool being skipped.
  Condition check resulted in Bind mount volatile /var/lib being skipped.
  Condition check resulted in Bind mount volatile /var/cache being skipped.
  Condition check resulted in Platform Persistent Storage Archival being skipped.
  Condition check resulted in Rebuild Hardware Database being skipped.
  Failed to start Run pending postinsts.
  run-postinsts.service: Failed with result 'start-limit-hit'.
  run-postinsts.service: Start request repeated too quickly.

Setting RemainAfterExit ensures that the unit remains active and is not
gratuitously restarted, unless done so explicitly using systemctl
restart.

Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../run-postinsts/run-postinsts/run-postinsts.service           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service
index d42addf510..7f72f3388a 100644
--- a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service
+++ b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service
@@ -8,7 +8,7 @@ Before=sysinit.target
 Type=oneshot
 ExecStart=#SBINDIR#/run-postinsts
 ExecStartPost=#BASE_BINDIR#/systemctl --no-reload disable run-postinsts.service
-RemainAfterExit=No
+RemainAfterExit=yes
 TimeoutSec=0
 
 [Install]
-- 
2.17.1

[OE-core][dunfell 16/28] scripts/install-buildtools: bump to 3.1 release by default

[Steve Sakoman]

From: Tim Orling <timothy.t.orling@linux.intel.com>

By default, use the extended buildtools installer from the
Yocto Project 3.1 "dunfell" release.

Signed-off-by: Tim Orling <timothy.t.orling@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 scripts/install-buildtools | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/install-buildtools b/scripts/install-buildtools
index 9da364981e..c6b3a1eed7 100755
--- a/scripts/install-buildtools
+++ b/scripts/install-buildtools
@@ -56,9 +56,9 @@ logger = scriptutils.logger_create(PROGNAME, stream=sys.stdout)
 
 DEFAULT_INSTALL_DIR = os.path.join(os.path.split(scripts_path)[0],'buildtools')
 DEFAULT_BASE_URL = 'http://downloads.yoctoproject.org/releases/yocto'
-DEFAULT_RELEASE = 'yocto-3.1_M3'
-DEFAULT_INSTALLER_VERSION = '3.0+snapshot'
-DEFAULT_BUILDDATE = "20200315"
+DEFAULT_RELEASE = 'yocto-3.1'
+DEFAULT_INSTALLER_VERSION = '3.1'
+DEFAULT_BUILDDATE = ''
 
 # Python version sanity check
 if not (sys.version_info.major == 3 and sys.version_info.minor >= 4):
-- 
2.17.1

[OE-core][dunfell 17/28] oeqa/selftest: Add test for conflicting sysroot provider

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

sysroot-test depends on virtual/sysroot-test which we build for one machine,
switch machine, switch provider of virtual/sysroot-test and check that the
sysroot is correctly cleaned up. The files in the two providers overlap
so can cause errors if the sysroot code doesn't function correctly.

Yes, sysroot-test should be machine specific really to avoid this, however
the sysroot cleanup should also work.

This adds a test for bug:

[YOCTO #13702]

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../sysroot-test/sysroot-test-arch1_1.0.bb    | 14 +++++++
 .../sysroot-test/sysroot-test-arch2_1.0.bb    | 14 +++++++
 .../sysroot-test/sysroot-test_1.0.bb          |  6 +++
 meta/lib/oeqa/selftest/cases/sysroot.py       | 37 +++++++++++++++++++
 4 files changed, 71 insertions(+)
 create mode 100644 meta-selftest/recipes-test/sysroot-test/sysroot-test-arch1_1.0.bb
 create mode 100644 meta-selftest/recipes-test/sysroot-test/sysroot-test-arch2_1.0.bb
 create mode 100644 meta-selftest/recipes-test/sysroot-test/sysroot-test_1.0.bb
 create mode 100644 meta/lib/oeqa/selftest/cases/sysroot.py

diff --git a/meta-selftest/recipes-test/sysroot-test/sysroot-test-arch1_1.0.bb b/meta-selftest/recipes-test/sysroot-test/sysroot-test-arch1_1.0.bb
new file mode 100644
index 0000000000..36a682c53d
--- /dev/null
+++ b/meta-selftest/recipes-test/sysroot-test/sysroot-test-arch1_1.0.bb
@@ -0,0 +1,14 @@
+LICENSE = "CLOSED"
+
+PROVIDES = "virtual/sysroot-test"
+INHIBIT_DEFAULT_DEPS = "1"
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+TESTSTRING ?= "1"
+
+do_install() {
+	install -d ${D}${includedir}
+	echo "# test ${TESTSTRING}" > ${D}${includedir}/sysroot-test.h
+}
+
+EXCLUDE_FROM_WORLD = "1"
diff --git a/meta-selftest/recipes-test/sysroot-test/sysroot-test-arch2_1.0.bb b/meta-selftest/recipes-test/sysroot-test/sysroot-test-arch2_1.0.bb
new file mode 100644
index 0000000000..67172f3cab
--- /dev/null
+++ b/meta-selftest/recipes-test/sysroot-test/sysroot-test-arch2_1.0.bb
@@ -0,0 +1,14 @@
+LICENSE = "CLOSED"
+
+PROVIDES = "virtual/sysroot-test"
+INHIBIT_DEFAULT_DEPS = "1"
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+TESTSTRING ?= "2"
+
+do_install() {
+	install -d ${D}${includedir}
+	echo "# test ${TESTSTRING}" > ${D}${includedir}/sysroot-test.h
+}
+
+EXCLUDE_FROM_WORLD = "1"
diff --git a/meta-selftest/recipes-test/sysroot-test/sysroot-test_1.0.bb b/meta-selftest/recipes-test/sysroot-test/sysroot-test_1.0.bb
new file mode 100644
index 0000000000..560487c159
--- /dev/null
+++ b/meta-selftest/recipes-test/sysroot-test/sysroot-test_1.0.bb
@@ -0,0 +1,6 @@
+SUMMARY = "Virtual provider sysroot test"
+LICENSE = "CLOSED"
+INHIBIT_DEFAULT_DEPS = "1"
+DEPENDS = "virtual/sysroot-test"
+
+EXCLUDE_FROM_WORLD = "1"
diff --git a/meta/lib/oeqa/selftest/cases/sysroot.py b/meta/lib/oeqa/selftest/cases/sysroot.py
new file mode 100644
index 0000000000..6e34927c90
--- /dev/null
+++ b/meta/lib/oeqa/selftest/cases/sysroot.py
@@ -0,0 +1,37 @@
+#
+# SPDX-License-Identifier: MIT
+#
+
+import uuid
+
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import  bitbake
+
+class SysrootTests(OESelftestTestCase):
+    def test_sysroot_cleanup(self):
+        """
+        Build sysroot test which depends on virtual/sysroot-test for one machine,
+        switch machine, switch provider of virtual/sysroot-test and check that the
+        sysroot is correctly cleaned up. The files in the two providers overlap
+        so can cause errors if the sysroot code doesn't function correctly.
+        Yes, sysroot-test should be machine specific really to avoid this, however
+        the sysroot cleanup should also work [YOCTO #13702]. 
+        """
+
+        uuid1 = uuid.uuid4()
+        uuid2 = uuid.uuid4()
+
+        self.write_config("""
+PREFERRED_PROVIDER_virtual/sysroot-test = "sysroot-test-arch1"
+MACHINE = "qemux86"
+TESTSTRING_pn-sysroot-test-arch1 = "%s"
+TESTSTRING_pn-sysroot-test-arch2 = "%s"
+""" % (uuid1, uuid2))
+        bitbake("sysroot-test")
+        self.write_config("""
+PREFERRED_PROVIDER_virtual/sysroot-test = "sysroot-test-arch2"
+MACHINE = "qemux86copy"
+TESTSTRING_pn-sysroot-test-arch1 = "%s"
+TESTSTRING_pn-sysroot-test-arch2 = "%s"
+""" % (uuid1, uuid2))
+        bitbake("sysroot-test")
-- 
2.17.1

[OE-core][dunfell 18/28] staging: Fix overlapping file failures

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

If there are different providers of a file and they are swiched when the
recipe isn't machine specific, we can get tracebacks due to the overlapping
files. The issue is that the previous provider isn't uninstalled since
the system can't tell whether some later task needs them.

By tracking which tasks we depend upon, the code can now choose to
uninstall more things since a later task can reinstall if/as needed.

The code here was to protect against code with two different tasks
running in parallel which is still protected agaisnt.

[YOCTO #13702]

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/staging.bbclass | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/meta/classes/staging.bbclass b/meta/classes/staging.bbclass
index 5dab42745f..5b04f88b2d 100644
--- a/meta/classes/staging.bbclass
+++ b/meta/classes/staging.bbclass
@@ -277,11 +277,13 @@ python extend_recipe_sysroot() {
 
     start = None
     configuredeps = []
+    owntaskdeps = []
     for dep in taskdepdata:
         data = taskdepdata[dep]
         if data[1] == mytaskname and data[0] == pn:
             start = dep
-            break
+        elif data[0] == pn:
+            owntaskdeps.append(data[1])
     if start is None:
         bb.fatal("Couldn't find ourself in BB_TASKDEPDATA?")
 
@@ -427,7 +429,7 @@ python extend_recipe_sysroot() {
                         # Was likely already uninstalled
                         continue
                     potential.append(l)
-        # We need to ensure not other task needs this dependency. We hold the sysroot
+        # We need to ensure no other task needs this dependency. We hold the sysroot
         # lock so we ca search the indexes to check
         if potential:
             for i in glob.glob(depdir + "/index.*"):
@@ -435,6 +437,11 @@ python extend_recipe_sysroot() {
                     continue
                 with open(i, "r") as f:
                     for l in f:
+                        if l.startswith("TaskDeps:"):
+                            prevtasks = l.split()[1:]
+                            if mytaskname in prevtasks:
+                                # We're a dependency of this task so we can clear items out the sysroot
+                                break
                         l = l.strip()
                         if l in potential:
                             potential.remove(l)
@@ -588,6 +595,7 @@ python extend_recipe_sysroot() {
         os.symlink(manifests[dep], depdir + "/" + c + ".complete")
 
     with open(taskindex, "w") as f:
+        f.write("TaskDeps: " + " ".join(owntaskdeps) + "\n")
         for l in sorted(installed):
             f.write(l + "\n")
 
-- 
2.17.1

[OE-core][dunfell 19/28] python3: fix CVE-2020-8492

[Steve Sakoman]

From: Trevor Gamblin <trevor.gamblin@windriver.com>

CVE: CVE-2020-8492

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...20-8492-Fix-AbstractBasicAuthHandler.patch | 248 ++++++++++++++++++
 meta/recipes-devtools/python/python3_3.8.2.bb |   1 +
 2 files changed, 249 insertions(+)
 create mode 100644 meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch

diff --git a/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch b/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
new file mode 100644
index 0000000000..e16b99bcb9
--- /dev/null
+++ b/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
@@ -0,0 +1,248 @@
+From 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4 Mon Sep 17 00:00:00 2001
+From: Victor Stinner <vstinner@python.org>
+Date: Thu, 2 Apr 2020 02:52:20 +0200
+Subject: [PATCH] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler
+ (GH-18284)
+
+Upstream-Status: Backport
+(https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)
+
+CVE: CVE-2020-8492
+
+The AbstractBasicAuthHandler class of the urllib.request module uses
+an inefficient regular expression which can be exploited by an
+attacker to cause a denial of service. Fix the regex to prevent the
+catastrophic backtracking. Vulnerability reported by Ben Caller
+and Matt Schwager.
+
+AbstractBasicAuthHandler of urllib.request now parses all
+WWW-Authenticate HTTP headers and accepts multiple challenges per
+header: use the realm of the first Basic challenge.
+
+Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+---
+ Lib/test/test_urllib2.py                      | 90 ++++++++++++-------
+ Lib/urllib/request.py                         | 69 ++++++++++----
+ .../2020-03-25-16-02-16.bpo-39503.YmMbYn.rst  |  3 +
+ .../2020-01-30-16-15-29.bpo-39503.B299Yq.rst  |  5 ++
+ 4 files changed, 115 insertions(+), 52 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
+ create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+
+diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
+index 8abedaac98..e69ac3e213 100644
+--- a/Lib/test/test_urllib2.py
++++ b/Lib/test/test_urllib2.py
+@@ -1446,40 +1446,64 @@ class HandlerTests(unittest.TestCase):
+         bypass = {'exclude_simple': True, 'exceptions': []}
+         self.assertTrue(_proxy_bypass_macosx_sysconf('test', bypass))
+ 
+-    def test_basic_auth(self, quote_char='"'):
+-        opener = OpenerDirector()
+-        password_manager = MockPasswordManager()
+-        auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
+-        realm = "ACME Widget Store"
+-        http_handler = MockHTTPHandler(
+-            401, 'WWW-Authenticate: Basic realm=%s%s%s\r\n\r\n' %
+-            (quote_char, realm, quote_char))
+-        opener.add_handler(auth_handler)
+-        opener.add_handler(http_handler)
+-        self._test_basic_auth(opener, auth_handler, "Authorization",
+-                              realm, http_handler, password_manager,
+-                              "http://acme.example.com/protected",
+-                              "http://acme.example.com/protected",
+-                              )
+-
+-    def test_basic_auth_with_single_quoted_realm(self):
+-        self.test_basic_auth(quote_char="'")
+-
+-    def test_basic_auth_with_unquoted_realm(self):
+-        opener = OpenerDirector()
+-        password_manager = MockPasswordManager()
+-        auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
+-        realm = "ACME Widget Store"
+-        http_handler = MockHTTPHandler(
+-            401, 'WWW-Authenticate: Basic realm=%s\r\n\r\n' % realm)
+-        opener.add_handler(auth_handler)
+-        opener.add_handler(http_handler)
+-        with self.assertWarns(UserWarning):
++    def check_basic_auth(self, headers, realm):
++        with self.subTest(realm=realm, headers=headers):
++            opener = OpenerDirector()
++            password_manager = MockPasswordManager()
++            auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
++            body = '\r\n'.join(headers) + '\r\n\r\n'
++            http_handler = MockHTTPHandler(401, body)
++            opener.add_handler(auth_handler)
++            opener.add_handler(http_handler)
+             self._test_basic_auth(opener, auth_handler, "Authorization",
+-                                realm, http_handler, password_manager,
+-                                "http://acme.example.com/protected",
+-                                "http://acme.example.com/protected",
+-                                )
++                                  realm, http_handler, password_manager,
++                                  "http://acme.example.com/protected",
++                                  "http://acme.example.com/protected")
++
++    def test_basic_auth(self):
++        realm = "realm2@example.com"
++        realm2 = "realm2@example.com"
++        basic = f'Basic realm="{realm}"'
++        basic2 = f'Basic realm="{realm2}"'
++        other_no_realm = 'Otherscheme xxx'
++        digest = (f'Digest realm="{realm2}", '
++                  f'qop="auth, auth-int", '
++                  f'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
++                  f'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
++        for realm_str in (
++            # test "quote" and 'quote'
++            f'Basic realm="{realm}"',
++            f"Basic realm='{realm}'",
++
++            # charset is ignored
++            f'Basic realm="{realm}", charset="UTF-8"',
++
++            # Multiple challenges per header
++            f'{basic}, {basic2}',
++            f'{basic}, {other_no_realm}',
++            f'{other_no_realm}, {basic}',
++            f'{basic}, {digest}',
++            f'{digest}, {basic}',
++        ):
++            headers = [f'WWW-Authenticate: {realm_str}']
++            self.check_basic_auth(headers, realm)
++
++        # no quote: expect a warning
++        with support.check_warnings(("Basic Auth Realm was unquoted",
++                                     UserWarning)):
++            headers = [f'WWW-Authenticate: Basic realm={realm}']
++            self.check_basic_auth(headers, realm)
++
++        # Multiple headers: one challenge per header.
++        # Use the first Basic realm.
++        for challenges in (
++            [basic,  basic2],
++            [basic,  digest],
++            [digest, basic],
++        ):
++            headers = [f'WWW-Authenticate: {challenge}'
++                       for challenge in challenges]
++            self.check_basic_auth(headers, realm)
+ 
+     def test_proxy_basic_auth(self):
+         opener = OpenerDirector()
+diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
+index 7fe50535da..2a3d71554f 100644
+--- a/Lib/urllib/request.py
++++ b/Lib/urllib/request.py
+@@ -937,8 +937,15 @@ class AbstractBasicAuthHandler:
+ 
+     # allow for double- and single-quoted realm values
+     # (single quotes are a violation of the RFC, but appear in the wild)
+-    rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
+-                    'realm=(["\']?)([^"\']*)\\2', re.I)
++    rx = re.compile('(?:^|,)'   # start of the string or ','
++                    '[ \t]*'    # optional whitespaces
++                    '([^ \t]+)' # scheme like "Basic"
++                    '[ \t]+'    # mandatory whitespaces
++                    # realm=xxx
++                    # realm='xxx'
++                    # realm="xxx"
++                    'realm=(["\']?)([^"\']*)\\2',
++                    re.I)
+ 
+     # XXX could pre-emptively send auth info already accepted (RFC 2617,
+     # end of section 2, and section 1.2 immediately after "credentials"
+@@ -950,27 +957,51 @@ class AbstractBasicAuthHandler:
+         self.passwd = password_mgr
+         self.add_password = self.passwd.add_password
+ 
++    def _parse_realm(self, header):
++        # parse WWW-Authenticate header: accept multiple challenges per header
++        found_challenge = False
++        for mo in AbstractBasicAuthHandler.rx.finditer(header):
++            scheme, quote, realm = mo.groups()
++            if quote not in ['"', "'"]:
++                warnings.warn("Basic Auth Realm was unquoted",
++                              UserWarning, 3)
++
++            yield (scheme, realm)
++
++            found_challenge = True
++
++        if not found_challenge:
++            if header:
++                scheme = header.split()[0]
++            else:
++                scheme = ''
++            yield (scheme, None)
++
+     def http_error_auth_reqed(self, authreq, host, req, headers):
+         # host may be an authority (without userinfo) or a URL with an
+         # authority
+-        # XXX could be multiple headers
+-        authreq = headers.get(authreq, None)
++        headers = headers.get_all(authreq)
++        if not headers:
++            # no header found
++            return
+ 
+-        if authreq:
+-            scheme = authreq.split()[0]
+-            if scheme.lower() != 'basic':
+-                raise ValueError("AbstractBasicAuthHandler does not"
+-                                 " support the following scheme: '%s'" %
+-                                 scheme)
+-            else:
+-                mo = AbstractBasicAuthHandler.rx.search(authreq)
+-                if mo:
+-                    scheme, quote, realm = mo.groups()
+-                    if quote not in ['"',"'"]:
+-                        warnings.warn("Basic Auth Realm was unquoted",
+-                                      UserWarning, 2)
+-                    if scheme.lower() == 'basic':
+-                        return self.retry_http_basic_auth(host, req, realm)
++        unsupported = None
++        for header in headers:
++            for scheme, realm in self._parse_realm(header):
++                if scheme.lower() != 'basic':
++                    unsupported = scheme
++                    continue
++
++                if realm is not None:
++                    # Use the first matching Basic challenge.
++                    # Ignore following challenges even if they use the Basic
++                    # scheme.
++                    return self.retry_http_basic_auth(host, req, realm)
++
++        if unsupported is not None:
++            raise ValueError("AbstractBasicAuthHandler does not "
++                             "support the following scheme: %r"
++                             % (scheme,))
+ 
+     def retry_http_basic_auth(self, host, req, realm):
+         user, pw = self.passwd.find_user_password(realm, host)
+diff --git a/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
+new file mode 100644
+index 0000000000..be80ce79d9
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
+@@ -0,0 +1,3 @@
++:class:`~urllib.request.AbstractBasicAuthHandler` of :mod:`urllib.request`
++now parses all WWW-Authenticate HTTP headers and accepts multiple challenges
++per header: use the realm of the first Basic challenge.
+diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+new file mode 100644
+index 0000000000..9f2800581c
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+@@ -0,0 +1,5 @@
++CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
++:mod:`urllib.request` module uses an inefficient regular expression which can
++be exploited by an attacker to cause a denial of service. Fix the regex to
++prevent the catastrophic backtracking. Vulnerability reported by Ben Caller
++and Matt Schwager.
+-- 
+2.24.1
+
diff --git a/meta/recipes-devtools/python/python3_3.8.2.bb b/meta/recipes-devtools/python/python3_3.8.2.bb
index fc01935948..a4a16fd495 100644
--- a/meta/recipes-devtools/python/python3_3.8.2.bb
+++ b/meta/recipes-devtools/python/python3_3.8.2.bb
@@ -32,6 +32,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://0001-configure.ac-fix-LIBPL.patch \
            file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \
            file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
+           file://0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch \
            "
 
 SRC_URI_append_class-native = " \
-- 
2.17.1

[OE-core][dunfell 20/28] targetcontrol: Fix leaking log handler

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

We had a mystery failure on the autobuilder where runqemu appeared to
be failing as a logfile directory no longer existed. The key to
reproducing was running a runqemu where the image was deleted (as
devtool does), then running another runqemu test. E.g.:

'oe-selftest -r  devtool.DevtoolExtractTests.test_devtool_deploy_target wic.Wic2.test_qemu_efi'

This then tries to write to the logfile from the first test, the
image directory was deleted and we get strange failures.

The fix is to remove the logging handler when qemu is stopped.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oeqa/targetcontrol.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/meta/lib/oeqa/targetcontrol.py b/meta/lib/oeqa/targetcontrol.py
index 0b2915d5cc..2aa548e1ad 100644
--- a/meta/lib/oeqa/targetcontrol.py
+++ b/meta/lib/oeqa/targetcontrol.py
@@ -117,9 +117,9 @@ class QemuTarget(BaseTarget):
         import oe.path
         bb.utils.mkdirhier(self.testdir)
         self.qemurunnerlog = os.path.join(self.testdir, 'qemurunner_log.%s' % self.datetime)
-        loggerhandler = logging.FileHandler(self.qemurunnerlog)
-        loggerhandler.setFormatter(logging.Formatter("%(levelname)s: %(message)s"))
-        self.logger.addHandler(loggerhandler)
+        self.loggerhandler = logging.FileHandler(self.qemurunnerlog)
+        self.loggerhandler.setFormatter(logging.Formatter("%(levelname)s: %(message)s"))
+        self.logger.addHandler(self.loggerhandler)
         oe.path.symlink(os.path.basename(self.qemurunnerlog), os.path.join(self.testdir, 'qemurunner_log'), force=True)
 
         if d.getVar("DISTRO") == "poky-tiny":
@@ -183,6 +183,7 @@ class QemuTarget(BaseTarget):
 
     def stop(self):
         self.runner.stop()
+        self.logger.removeHandler(self.loggerhandler)
         self.connection = None
         self.ip = None
         self.server_ip = None
-- 
2.17.1

[OE-core][dunfell 21/28] oeqa/qemurunner: Clean up failure handling

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

If you fail to setup the tap devices, runqemu will error quickly
however stdout/stderr are not shown to the user, instead a SystemExit
traceback is shown. This could explain some long since unexplained
failures on the autobuilder.

Rework the error handling so SystemExit isn't used and the
standard log failure messages can be shown. The code could
likely ultimatley need some restructuring to work effectively.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oeqa/utils/qemurunner.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/meta/lib/oeqa/utils/qemurunner.py b/meta/lib/oeqa/utils/qemurunner.py
index 7ae309845a..cd95d33bdc 100644
--- a/meta/lib/oeqa/utils/qemurunner.py
+++ b/meta/lib/oeqa/utils/qemurunner.py
@@ -36,6 +36,7 @@ class QemuRunner:
 
         # Popen object for runqemu
         self.runqemu = None
+        self.runqemu_exited = False
         # pid of the qemu process that runqemu will start
         self.qemupid = None
         # target ip - from the command line or runqemu output
@@ -124,7 +125,6 @@ class QemuRunner:
                 self.logger.error('Output from runqemu:\n%s' % self.getOutput(self.runqemu.stdout))
                 self.stop()
                 self._dump_host()
-                raise SystemExit
 
     def start(self, qemuparams = None, get_ip = True, extra_bootparams = None, runqemuparams='', launch_cmd=None, discard_writes=True):
         env = os.environ.copy()
@@ -232,6 +232,8 @@ class QemuRunner:
         endtime = time.time() + self.runqemutime
         while not self.is_alive() and time.time() < endtime:
             if self.runqemu.poll():
+                if self.runqemu_exited:
+                    return False
                 if self.runqemu.returncode:
                     # No point waiting any longer
                     self.logger.warning('runqemu exited with code %d' % self.runqemu.returncode)
@@ -241,6 +243,9 @@ class QemuRunner:
                     return False
             time.sleep(0.5)
 
+        if self.runqemu_exited:
+            return False
+
         if not self.is_alive():
             self.logger.error("Qemu pid didn't appear in %s seconds (%s)" %
                               (self.runqemutime, time.strftime("%D %H:%M:%S")))
@@ -416,7 +421,7 @@ class QemuRunner:
                 os.killpg(os.getpgid(self.runqemu.pid), signal.SIGKILL)
             self.runqemu.stdin.close()
             self.runqemu.stdout.close()
-            self.runqemu = None
+            self.runqemu_exited = True
 
         if hasattr(self, 'server_socket') and self.server_socket:
             self.server_socket.close()
@@ -457,7 +462,7 @@ class QemuRunner:
         return False
 
     def is_alive(self):
-        if not self.runqemu or self.runqemu.poll() is not None:
+        if not self.runqemu or self.runqemu.poll() is not None or self.runqemu_exited:
             return False
         if os.path.isfile(self.qemu_pidfile):
             # when handling pidfile, qemu creates the file, stat it, lock it and then write to it
-- 
2.17.1

[OE-core][dunfell 22/28] buildtools-extended-tarball: add libgomp-dev

[Steve Sakoman]

From: Alexander Kanavin <alex.kanavin@gmail.com>

This is needed in particular for newer versions of rpm
which would otherwise fail to build due to absence of omp.h header.

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/meta/buildtools-extended-tarball.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-core/meta/buildtools-extended-tarball.bb b/meta/recipes-core/meta/buildtools-extended-tarball.bb
index e38967af3f..c32d0107c3 100644
--- a/meta/recipes-core/meta/buildtools-extended-tarball.bb
+++ b/meta/recipes-core/meta/buildtools-extended-tarball.bb
@@ -21,6 +21,7 @@ TOOLCHAIN_HOST_TASK += "\
     nativesdk-gettext \
     nativesdk-libatomic \
     nativesdk-libgcc \
+    nativesdk-libgomp-dev \
     nativesdk-libstdc++ \
     nativesdk-libstdc++-dev \
     nativesdk-libstdc++-staticdev \
-- 
2.17.1

[OE-core][dunfell 23/28] libffi: fix v3.3 compile on ppc64le

[Steve Sakoman]

From: Andrew Geissler <geissonator@gmail.com>

The latest released version of libffi no longer compiles on ppc64le
based machines. Some searching found a patch that fixed our issue but
had not been submitted upstream to libffi.

It has now been submitted upstream with this PR:
https://github.com/libffi/libffi/pull/561

Signed-off-by: Andrew Geissler <geissonator@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...pc.h-fix-build-failure-with-powerpc7.patch | 62 +++++++++++++++++++
 meta/recipes-support/libffi/libffi_3.3.bb     |  1 +
 2 files changed, 63 insertions(+)
 create mode 100644 meta/recipes-support/libffi/libffi/0001-ffi_powerpc.h-fix-build-failure-with-powerpc7.patch

diff --git a/meta/recipes-support/libffi/libffi/0001-ffi_powerpc.h-fix-build-failure-with-powerpc7.patch b/meta/recipes-support/libffi/libffi/0001-ffi_powerpc.h-fix-build-failure-with-powerpc7.patch
new file mode 100644
index 0000000000..52e6e4536b
--- /dev/null
+++ b/meta/recipes-support/libffi/libffi/0001-ffi_powerpc.h-fix-build-failure-with-powerpc7.patch
@@ -0,0 +1,62 @@
+From de93adfb6f48100946bba2c3abad2a77a0cfde0b Mon Sep 17 00:00:00 2001
+From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+Date: Sun, 24 Nov 2019 09:52:01 +0100
+Subject: [PATCH] ffi_powerpc.h: fix build failure with powerpc7
+
+This is a patch pulled down from the following:
+https://github.com/buildroot/buildroot/blob/78926f610b1411b03464152472fd430012deb9ac/package/libffi/0004-ffi_powerpc.h-fix-build-failure-with-powerpc7.patch
+
+This issue is being hit on OpenBMC code when pulling the latest
+libffi tag and building on a P8 ppc64le machine. I verified this
+patch fixes the issue we are seeing.
+
+Below is the original commit message:
+
+Sicne commit 73dd43afc8a447ba98ea02e9aad4c6898dc77fb0, build on powerpc7
+fails on:
+
+In file included from ../src/powerpc/ffi.c:33:0:
+../src/powerpc/ffi_powerpc.h:61:9: error: '_Float128' is not supported on this target
+ typedef _Float128 float128;
+         ^~~~~~~~~
+
+Fix this build failure by checking for __HAVE_FLOAT128 before using
+_Float128, as _Float128 is enabled only on specific conditions, see
+output/host/powerpc64-buildroot-linux-gnu/sysroot/usr/include/bits/floatn.h:
+
+ /* Defined to 1 if the current compiler invocation provides a
+    floating-point type with the IEEE 754 binary128 format, and this glibc
+    includes corresponding *f128 interfaces for it.  */
+ #if defined _ARCH_PWR8 && defined __LITTLE_ENDIAN__ && (_CALL_ELF == 2) \
+     && defined __FLOAT128__ && !defined __NO_LONG_DOUBLE_MATH
+ # define __HAVE_FLOAT128 1
+ #else
+ # define __HAVE_FLOAT128 0
+ #endif
+
+Fixes:
+ - http://autobuild.buildroot.org/results/5c9dd8fb3b6a128882b6250f197c80232d8a3b53
+
+Upstream-Status: Submitted [https://github.com/libffi/libffi/pull/561]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
+---
+ src/powerpc/ffi_powerpc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/powerpc/ffi_powerpc.h b/src/powerpc/ffi_powerpc.h
+index 8e2f2f0..960a5c4 100644
+--- a/src/powerpc/ffi_powerpc.h
++++ b/src/powerpc/ffi_powerpc.h
+@@ -57,7 +57,7 @@ typedef union
+   double d;
+ } ffi_dblfl;
+
+-#if defined(__FLOAT128_TYPE__)
++#if defined(__FLOAT128_TYPE__) && defined(__HAVE_FLOAT128)
+ typedef _Float128 float128;
+ #elif defined(__FLOAT128__)
+ typedef __float128 float128;
+--
+2.21.0 (Apple Git-122)
+
diff --git a/meta/recipes-support/libffi/libffi_3.3.bb b/meta/recipes-support/libffi/libffi_3.3.bb
index 803a25fa35..e5beb985c6 100644
--- a/meta/recipes-support/libffi/libffi_3.3.bb
+++ b/meta/recipes-support/libffi/libffi_3.3.bb
@@ -16,6 +16,7 @@ SRC_URI = "https://github.com/libffi/libffi/releases/download/v${PV}/${BPN}-${PV
            file://0001-powerpc-fix-build-failure-on-power7-and-older-532.patch \
            file://0001-Address-platforms-with-no-__int128.patch \
            file://0001-Address-platforms-with-no-__int128-part2.patch \
+           file://0001-ffi_powerpc.h-fix-build-failure-with-powerpc7.patch \
            "
 SRC_URI[md5sum] = "6313289e32f1d38a9df4770b014a2ca7"
 SRC_URI[sha256sum] = "72fba7922703ddfa7a028d513ac15a85c8d54c8d67f55fa5a4802885dc652056"
-- 
2.17.1

[OE-core][dunfell 24/28] pseudo: add macro guard for seccomp

[Steve Sakoman]

From: Kai Kang <kai.kang@windriver.com>

It fails to compile pseudo-native on centos 7:

| ports/linux/pseudo_wrappers.c: In function ‘prctl’:
| ports/linux/pseudo_wrappers.c:129:14: error: ‘SECCOMP_SET_MODE_FILTER’ undeclared (first use in this function)
|    if (cmd == SECCOMP_SET_MODE_FILTER) {
|               ^

Add macro guard for the definition to avoid the failure.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/pseudo/files/seccomp.patch | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/pseudo/files/seccomp.patch b/meta/recipes-devtools/pseudo/files/seccomp.patch
index be42eaf353..283f997941 100644
--- a/meta/recipes-devtools/pseudo/files/seccomp.patch
+++ b/meta/recipes-devtools/pseudo/files/seccomp.patch
@@ -7,6 +7,17 @@ Upstream-Status: Pending
 RP 2020/4/3
 Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 
+It fails to compile pseudo-native on centos 7:
+
+| ports/linux/pseudo_wrappers.c: In function ‘prctl’:
+| ports/linux/pseudo_wrappers.c:129:14: error: ‘SECCOMP_SET_MODE_FILTER’ undeclared (first use in this function)
+|    if (cmd == SECCOMP_SET_MODE_FILTER) {
+|               ^
+
+Add macro guard for seccomp to avoid the failure.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
 Index: git/ports/linux/pseudo_wrappers.c
 ===================================================================
 --- git.orig/ports/linux/pseudo_wrappers.c
@@ -40,7 +51,7 @@ Index: git/ports/linux/pseudo_wrappers.c
  	/* gcc magic to attempt to just pass these args to syscall. we have to
  	 * guess about the number of args; the docs discuss calling conventions
  	 * up to 7, so let's try that?
-@@ -92,3 +108,42 @@ static long wrap_syscall(long nr, va_lis
+@@ -92,3 +108,44 @@ static long wrap_syscall(long nr, va_lis
  	(void) ap;
  	return -1;
  }
@@ -56,6 +67,7 @@ Index: git/ports/linux/pseudo_wrappers.c
 +		return rc;
 +	}
 +
++#ifdef SECCOMP_SET_MODE_FILTER
 +	/* pseudo and seccomp are incompatible as pseudo uses different syscalls
 +	 * so pretend to enable seccomp but really do nothing */
 +	if (option == PR_SET_SECCOMP) {
@@ -67,6 +79,7 @@ Index: git/ports/linux/pseudo_wrappers.c
 +		    return 0;
 +		}
 +	}
++#endif
 +
 +	/* gcc magic to attempt to just pass these args to prctl. we have to
 +	 * guess about the number of args; the docs discuss calling conventions
-- 
2.17.1

[OE-core][dunfell 25/28] gcc-target: Ensure buildtools-extended-tarball doesn't use arch=native

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

A nativesdk BBCLASSEXTEND was added to gcc-target without realising this
would pass arch=native through to it for x86-64. This heavily optimises
gcc output for the host its running on meaning it can't be reused via
sstate on other machines.

Add class-target overrides here to get the desired behaviour. All
targets have been covered for completeness.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/gcc/gcc-target.inc | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/meta/recipes-devtools/gcc/gcc-target.inc b/meta/recipes-devtools/gcc/gcc-target.inc
index 8cb432780f..6263e81497 100644
--- a/meta/recipes-devtools/gcc/gcc-target.inc
+++ b/meta/recipes-devtools/gcc/gcc-target.inc
@@ -15,11 +15,11 @@ EXTRA_OECONF_append_linuxstdbase = " --enable-clocale=gnu"
 
 ARMFPARCHEXT ?= ""
 
-EXTRA_OECONF_append_armv6 = " --with-arch=armv6${ARMFPARCHEXT}"
-EXTRA_OECONF_append_armv7a = " --with-arch=armv7-a${ARMFPARCHEXT}"
-EXTRA_OECONF_append_armv7ve = " --with-arch=armv7ve${ARMFPARCHEXT}"
-EXTRA_OECONF_append_arc = " --with-cpu=${TUNE_PKGARCH}"
-EXTRA_OECONF_append_x86-64 = " --with-arch=native"
+EXTRA_OECONF_append_armv6_class-target = " --with-arch=armv6${ARMFPARCHEXT}"
+EXTRA_OECONF_append_armv7a_class-target = " --with-arch=armv7-a${ARMFPARCHEXT}"
+EXTRA_OECONF_append_armv7ve_class-target = " --with-arch=armv7ve${ARMFPARCHEXT}"
+EXTRA_OECONF_append_arc_class-target = " --with-cpu=${TUNE_PKGARCH}"
+EXTRA_OECONF_append_x86-64_class-target = " --with-arch=native"
 
 # libcc1 requres gcc_cv_objdump when cross build, but gcc_cv_objdump is
 # set in subdir gcc, so subdir libcc1 can't use it, export it here to
-- 
2.17.1

[OE-core][dunfell 26/28] iputils: Initialize libgcrypt

[Steve Sakoman]

From: Mingli Yu <mingli.yu@windriver.com>

Initialize libgcrypt on first use otherwise
there comes below warning when check the status
of the ninfod.service.
 # systemctl status ninfod.service
 * ninfod.service - Respond to IPv6 Node Information Queries
 Loaded: loaded (/lib/systemd/system/ninfod.service; enabled; vendor preset: enabled)
 Active: active (running) since Wed 2020-04-29 05:18:21 UTC; 36s ago
 Docs: man:ninfod(8)
 Main PID: 347 (ninfod)
 Tasks: 1 (limit: 9382)
 Memory: 1.2M
 CGroup: /system.slice/ninfod.service
 `-347 /sbin/ninfod -d

 Apr 29 05:18:21 intel-x86-64 systemd[1]: Started Respond to IPv6 Node Information Queries.
 Apr 29 05:18:24 intel-x86-64 ninfod[347]: Libgcrypt warning: missing initialization - please fix the application

Reference: https://salsa.debian.org/apt-team/apt/-/commit/4f489a8c7954cbbc9613e6b671c8efe87b9ced8c

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../0001-iputils-Initialize-libgcrypt.patch   | 55 +++++++++++++++++++
 .../iputils/iputils_s20190709.bb              |  1 +
 2 files changed, 56 insertions(+)
 create mode 100644 meta/recipes-extended/iputils/iputils/0001-iputils-Initialize-libgcrypt.patch

diff --git a/meta/recipes-extended/iputils/iputils/0001-iputils-Initialize-libgcrypt.patch b/meta/recipes-extended/iputils/iputils/0001-iputils-Initialize-libgcrypt.patch
new file mode 100644
index 0000000000..b56804cebe
--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0001-iputils-Initialize-libgcrypt.patch
@@ -0,0 +1,55 @@
+From 8576e0c218634e6f7ed1b6ff02fa164fb0c75f86 Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Wed, 29 Apr 2020 03:50:32 +0000
+Subject: [PATCH] iputils_md5dig.h: Initialize libgcrypt
+
+Initialize libgcrypt on first use otherwise
+there comes below warning when check the status
+of the ninfod.service.
+ # systemctl status ninfod.service
+ * ninfod.service - Respond to IPv6 Node Information Queries
+ Loaded: loaded (/lib/systemd/system/ninfod.service; enabled; vendor preset: enabled)
+ Active: active (running) since Wed 2020-04-29 05:18:21 UTC; 36s ago
+ Docs: man:ninfod(8)
+ Main PID: 347 (ninfod)
+ Tasks: 1 (limit: 9382)
+ Memory: 1.2M
+ CGroup: /system.slice/ninfod.service
+ `-347 /sbin/ninfod -d
+
+ Apr 29 05:18:21 intel-x86-64 systemd[1]: Started Respond to IPv6 Node Information Queries.
+ Apr 29 05:18:24 intel-x86-64 ninfod[347]: Libgcrypt warning: missing initialization - please fix the application
+
+Upstream-Status: Inappropriate [the upstream avoids linking to crypto libraries in
+                   commit 214ed83 common: copy md5 implementation to iputils project]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ iputils_md5dig.h | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/iputils_md5dig.h b/iputils_md5dig.h
+index bfa7f02..3cc3fbf 100644
+--- a/iputils_md5dig.h
++++ b/iputils_md5dig.h
+@@ -24,8 +24,17 @@ typedef struct {
+ 	gcry_md_hd_t dig;
+ } iputils_md5dig_ctx;
+ 
++void maybeInit()
++{
++	if (!gcry_control(GCRYCTL_INITIALIZATION_FINISHED_P))
++	{
++		gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
++	}
++}
++
+ static void iputils_md5dig_init(iputils_md5dig_ctx *ctx)
+ {
++	maybeInit();
+ 	if (gcry_md_open(&ctx->dig, GCRY_MD_MD5, 0) != GPG_ERR_NO_ERROR)
+ 		abort();
+ 	return;
+-- 
+2.24.1
+
diff --git a/meta/recipes-extended/iputils/iputils_s20190709.bb b/meta/recipes-extended/iputils/iputils_s20190709.bb
index 2aed6b56ca..545f3d5e87 100644
--- a/meta/recipes-extended/iputils/iputils_s20190709.bb
+++ b/meta/recipes-extended/iputils/iputils_s20190709.bb
@@ -14,6 +14,7 @@ SRC_URI = "git://github.com/iputils/iputils \
            file://0001-ninfod-change-variable-name-to-avoid-colliding-with-.patch \
            file://0001-ninfod-fix-systemd-Documentation-url-error.patch \
            file://0001-rarpd-rdisc-Drop-PrivateUsers.patch \
+           file://0001-iputils-Initialize-libgcrypt.patch \
            "
 SRCREV = "13e00847176aa23683d68fce1d17ffb523510946"
 
-- 
2.17.1

[OE-core][dunfell 27/28] openssl: upgrade 1.1.1f -> 1.1.1g

[Steve Sakoman]

From: Jan Luebbe <jlu@pengutronix.de>

This also fixes CVE-2020-1967.

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../openssl/{openssl_1.1.1f.bb => openssl_1.1.1g.bb}            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/openssl/{openssl_1.1.1f.bb => openssl_1.1.1g.bb} (98%)

diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1f.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
similarity index 98%
rename from meta/recipes-connectivity/openssl/openssl_1.1.1f.bb
rename to meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
index 3fa2b41fb9..66fa8f7d0a 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1f.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
@@ -23,7 +23,7 @@ SRC_URI_append_class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "186c6bfe6ecfba7a5b48c47f8a1673d0f3b0e5ba2e25602dd23b629975da3f35"
+SRC_URI[sha256sum] = "ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46"
 
 inherit lib_package multilib_header multilib_script ptest
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
-- 
2.17.1

[OE-core][dunfell 28/28] icu: CVE-2020-10531

[Steve Sakoman]

From: Wang Mingyu <wangmy@cn.fujitsu.com>

security Advisory

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10531

Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../icu/icu/CVE-2020-10531.patch              | 128 ++++++++++++++++++
 meta/recipes-support/icu/icu_66.1.bb          |   1 +
 2 files changed, 129 insertions(+)
 create mode 100644 meta/recipes-support/icu/icu/CVE-2020-10531.patch

diff --git a/meta/recipes-support/icu/icu/CVE-2020-10531.patch b/meta/recipes-support/icu/icu/CVE-2020-10531.patch
new file mode 100644
index 0000000000..6697b27dc8
--- /dev/null
+++ b/meta/recipes-support/icu/icu/CVE-2020-10531.patch
@@ -0,0 +1,128 @@
+From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001
+From: Frank Tang <ftang@chromium.org>
+Date: Sat, 1 Feb 2020 02:39:04 +0000
+Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append
+
+See #971
+
+Upstream-Status: Accepted
+CVE: CVE-2020-10531
+
+Reference to upstream patch:
+https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca
+
+---
+ common/unistr.cpp          |  6 ++-
+ test/intltest/ustrtest.cpp | 62 +++++++++++++++++++++++++++++++
+ test/intltest/ustrtest.h   |  1 +
+ 3 files changed, 68 insertions(+), 1 deletion(-)
+
+diff --git a/common/unistr.cpp b/common/unistr.cpp
+index 901bb33..6ea0915 100644
+--- a/common/unistr.cpp
++++ b/common/unistr.cpp
+@@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
+   }
+ 
+   int32_t oldLength = length();
+-  int32_t newLength = oldLength + srcLength;
++  int32_t newLength; 
++  if (uprv_add32_overflow(oldLength, srcLength, &newLength)) { 
++     setToBogus(); 
++     return *this; 
++  }
+ 
+   // Check for append onto ourself
+   const UChar* oldArray = getArrayStart();
+diff --git a/test/intltest/ustrtest.cpp b/test/intltest/ustrtest.cpp
+index b6515ea..ad38bdf 100644
+--- a/test/intltest/ustrtest.cpp
++++ b/test/intltest/ustrtest.cpp
+@@ -67,6 +67,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* &
+     TESTCASE_AUTO(TestWCharPointers);
+     TESTCASE_AUTO(TestNullPointers);
+     TESTCASE_AUTO(TestUnicodeStringInsertAppendToSelf);
++    TESTCASE_AUTO(TestLargeAppend);
+     TESTCASE_AUTO_END;
+ }
+ 
+@@ -2310,3 +2311,64 @@ void UnicodeStringTest::TestUnicodeStringInsertAppendToSelf() {
+     str.insert(2, sub);
+     assertEquals("", u"abbcdcde", str);
+ }
++
++void UnicodeStringTest::TestLargeAppend() {
++    if(quick) return;
++
++    IcuTestErrorCode status(*this, "TestLargeAppend");
++    // Make a large UnicodeString
++    int32_t len = 0xAFFFFFF;
++    UnicodeString str;
++    char16_t *buf = str.getBuffer(len);
++    // A fast way to set buffer to valid Unicode.
++    // 4E4E is a valid unicode character
++    uprv_memset(buf, 0x4e, len * 2);
++    str.releaseBuffer(len);
++    UnicodeString dest;
++    // Append it 16 times
++    // 0xAFFFFFF times 16 is 0xA4FFFFF1,
++    // which is greater than INT32_MAX, which is 0x7FFFFFFF.
++    int64_t total = 0;
++    for (int32_t i = 0; i < 16; i++) {
++        dest.append(str);
++        total += len;
++        if (total <= INT32_MAX) {
++            assertFalse("dest is not bogus", dest.isBogus());
++        } else {
++            assertTrue("dest should be bogus", dest.isBogus());
++        }
++    }
++    dest.remove();
++    total = 0;
++    for (int32_t i = 0; i < 16; i++) {
++        dest.append(str);
++        total += len;
++        if (total + len <= INT32_MAX) {
++            assertFalse("dest is not bogus", dest.isBogus());
++        } else if (total <= INT32_MAX) {
++            // Check that a string of exactly the maximum size works
++            UnicodeString str2;
++            int32_t remain = INT32_MAX - total;
++            char16_t *buf2 = str2.getBuffer(remain);
++            if (buf2 == nullptr) {
++                // if somehow memory allocation fail, return the test
++                return;
++            }
++            uprv_memset(buf2, 0x4e, remain * 2);
++            str2.releaseBuffer(remain);
++            dest.append(str2);
++            total += remain;
++            assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total);
++            assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length());
++            assertFalse("dest is not bogus", dest.isBogus());
++
++            // Check that a string size+1 goes bogus
++            str2.truncate(1);
++            dest.append(str2);
++            total++;
++            assertTrue("dest should be bogus", dest.isBogus());
++        } else {
++            assertTrue("dest should be bogus", dest.isBogus());
++        }
++    }
++}
+diff --git a/test/intltest/ustrtest.h b/test/intltest/ustrtest.h
+index 218befd..4a356a9 100644
+--- a/test/intltest/ustrtest.h
++++ b/test/intltest/ustrtest.h
+@@ -97,6 +97,7 @@ public:
+     void TestWCharPointers();
+     void TestNullPointers();
+     void TestUnicodeStringInsertAppendToSelf();
++    void TestLargeAppend();
+ };
+ 
+ #endif
+-- 
+2.17.1
+
diff --git a/meta/recipes-support/icu/icu_66.1.bb b/meta/recipes-support/icu/icu_66.1.bb
index f2bb344e33..a8096c1840 100644
--- a/meta/recipes-support/icu/icu_66.1.bb
+++ b/meta/recipes-support/icu/icu_66.1.bb
@@ -26,6 +26,7 @@ SRC_URI = "${BASE_SRC_URI};name=code \
            file://fix-install-manx.patch \
            file://0001-Fix-big-endian-build.patch;apply=no \
            file://0001-icu-Added-armeb-support.patch \
+           file://CVE-2020-10531.patch \
            "
 
 SRC_URI_append_class-target = "\
-- 
2.17.1