authorBrad Bishop <bradleyb@fuzziesquirrel.com>2018-08-23 11:11:46 +0300
committerBrad Bishop <bradleyb@fuzziesquirrel.com>2018-09-27 14:47:44 +0300
commitbba38f38e7e41525c30116a2fe990d113b8157da (patch)
tree14a0d015f4b144a97c51c896e7a3135b600760a6
parent36b84cde8facab568630eec811e483cf1fc50848 (diff)
downloadopenbmc-bba38f38e7e41525c30116a2fe990d113b8157da.tar.xz
poky: sumo refresh 51872d3f99..3b8dc3a88e
Update poky to sumo HEAD. Andrej Valek (1): wpa-supplicant: fix CVE-2018-14526 Armin Kuster (2): xserver-xorg: config: fix NULL value detection for ID_INPUT being unset binutils: Change the ARM assembler's ADR and ADRl pseudo-ops so that they will only set the bottom bit of imported thumb function symbols if the -mthumb-interwork option is active. Bruce Ashfield (3): linux-yocto/4.12: update to v4.12.28 linux-yocto/4.14: update to v4.14.62 linux-yocto/4.14: update to v4.14.67 Changqing Li (6): libexif: patch for CVE-2017-7544 squashfs-tools: patch for CVE-2015-4645(4646) libcroco: patch for CVE-2017-7960 libid3tag: patch for CVE-2004-2779 libice: patch for CVE-2017-2626 apr-util: fix ptest fail problem Chen Qi (2): util-linux: upgrade 2.32 -> 2.32.1 busybox: move init related configs to init.cfg Jagadeesh Krishnanjanappa (2): libarchive: CVE-2017-14501 libcgroup: CVE-2018-14348 Jon Szymaniak (1): cve-check.bbclass: detect CVE IDs listed on multiple lines Joshua Lock (1): os-release: fix to install in the expected location Khem Raj (1): serf: Fix Sconstruct build with python 3.7 Konstantin Shemyak (1): cve-check.bbclass: do not download the CVE DB in package-specific tasks Mike Looijmans (1): busybox/mdev-mount.sh: Fix partition detect and cleanup mountpoint on fail Ross Burton (1): lrzsz: fix CVE-2018-10195 Sinan Kaya (3): busybox: CVE-2017-15874 libpng: CVE-2018-13785 sqlite3: CVE-2018-8740 Yadi.hu (1): busybox: handle syslog Yi Zhao (2): blktrace: Security fix CVE-2018-10689 taglib: Security fix CVE-2018-11439 Zheng Ruoqin (1): glibc: fix CVE-2018-11237 Change-Id: I2eb1fe6574638de745e4bfc106b86fe797b977c8 Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
-rw-r--r--poky/meta/classes/cve-check.bbclass12
-rw-r--r--poky/meta/recipes-bsp/lrzsz/lrzsz-0.12.20/cve-2018-10195.patch28
-rw-r--r--poky/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb1
-rw-r--r--poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa_supplicant-CVE-2018-14526.patch44
-rw-r--r--poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb1
-rw-r--r--poky/meta/recipes-core/busybox/busybox.inc14
-rw-r--r--poky/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch30
-rw-r--r--poky/meta/recipes-core/busybox/busybox/defconfig12
-rw-r--r--poky/meta/recipes-core/busybox/busybox/init.cfg7
-rw-r--r--poky/meta/recipes-core/busybox/busybox_1.27.2.bb1
-rw-r--r--poky/meta/recipes-core/busybox/files/mdev-mount.sh4
-rw-r--r--poky/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch82
-rw-r--r--poky/meta/recipes-core/glibc/glibc_2.27.bb1
-rw-r--r--poky/meta/recipes-core/libcgroup/libcgroup/CVE-2018-14348.patch37
-rw-r--r--poky/meta/recipes-core/libcgroup/libcgroup_0.41.bb3
-rw-r--r--poky/meta/recipes-core/os-release/os-release.bb9
-rw-r--r--poky/meta/recipes-core/util-linux/util-linux_2.32.1.bb (renamed from poky/meta/recipes-core/util-linux/util-linux_2.32.bb)4
-rw-r--r--poky/meta/recipes-devtools/binutils/binutils-2.30.inc1
-rw-r--r--poky/meta/recipes-devtools/binutils/binutils/0001-Change-the-ARM-assembler-s-ADR-and-ADRl-pseudo-ops-s.patch176
-rw-r--r--poky/meta/recipes-devtools/squashfs-tools/squashfs-tools/0001-squashfs-tools-patch-for-CVE-2015-4645-6.patch47
-rw-r--r--poky/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb1
-rw-r--r--poky/meta/recipes-extended/libarchive/libarchive/CVE-2017-14501.patch79
-rw-r--r--poky/meta/recipes-extended/libarchive/libarchive_3.3.2.bb1
-rw-r--r--poky/meta/recipes-graphics/xorg-lib/libice/CVE-2017-2626.patch149
-rw-r--r--poky/meta/recipes-graphics/xorg-lib/libice_1.0.9.bb2
-rw-r--r--poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-config-fix-NULL-value-detection-for-ID_INPUT-being-u.patch40
-rw-r--r--poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.6.bb1
-rw-r--r--poky/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch150
-rw-r--r--poky/meta/recipes-kernel/blktrace/blktrace_git.bb1
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto-rt_4.12.bb6
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb6
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.12.bb6
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb6
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto_4.12.bb20
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb20
-rw-r--r--poky/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.dpatch33
-rw-r--r--poky/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb1
-rw-r--r--poky/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch37
-rw-r--r--poky/meta/recipes-multimedia/libpng/libpng_1.6.34.bb4
-rw-r--r--poky/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch135
-rw-r--r--poky/meta/recipes-support/apr/apr-util_1.6.1.bb1
-rw-r--r--poky/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch56
-rw-r--r--poky/meta/recipes-support/libcroco/libcroco_0.6.12.bb2
-rw-r--r--poky/meta/recipes-support/libexif/libexif/CVE-2017-7544.patch40
-rw-r--r--poky/meta/recipes-support/libexif/libexif_0.6.21.bb3
-rw-r--r--poky/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch29
-rw-r--r--poky/meta/recipes-support/serf/serf/0002-SConstruct-Fix-path-quoting-for-.def-generator.patch27
-rw-r--r--poky/meta/recipes-support/serf/serf/0003-gen_def.patch22
-rw-r--r--poky/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch29
-rw-r--r--poky/meta/recipes-support/serf/serf_1.3.9.bb7
-rw-r--r--poky/meta/recipes-support/sqlite/files/CVE-2018-8740.patch47
-rw-r--r--poky/meta/recipes-support/sqlite/sqlite3_3.22.0.bb1
-rw-r--r--poky/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch51
-rw-r--r--poky/meta/recipes-support/taglib/taglib_1.11.1.bb1
54 files changed, 1468 insertions, 60 deletions
diff --git a/poky/meta/classes/cve-check.bbclass b/poky/meta/classes/cve-check.bbclass
index 537659df1..12ad3e5c5 100644
--- a/poky/meta/classes/cve-check.bbclass
+++ b/poky/meta/classes/cve-check.bbclass
@@ -146,15 +146,17 @@ def get_patches_cves(d):
with open(patch_file, "r", encoding="iso8859-1") as f:
patch_text = f.read()
- # Search for the "CVE: " line
- match = cve_match.search(patch_text)
- if match:
+ # Search for one or more "CVE: " lines
+ text_match = False
+ for match in cve_match.finditer(patch_text):
# Get only the CVEs without the "CVE: " tag
cves = patch_text[match.start()+5:match.end()]
for cve in cves.split():
bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
patched_cves.add(cve)
- elif not fname_match:
+ text_match = True
+
+ if not fname_match and not text_match:
bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
return patched_cves
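Review bot: Every `cve_match` hit anywhere in `patch_text` now adds IDs to `patched_cves`, including hits inside the diff body of a patch rather than its header, and an ID that lands there is presumably treated as fixed by `check_cves`. `cve_match` is defined outside this hunk, so I cannot see whether it is anchored; if it is not, compiling it with `re.MULTILINE` and a leading `^` would restrict matches to real tag lines. The slice `match.start()+5` hard-codes the length of the `CVE: ` tag, so a short comment such as `# 5 == len("CVE: ")` would keep it in step with the pattern. The function body starts before the hunk.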
@@ -177,7 +179,7 @@ def check_cves(d, patched_cves):
cve_db_dir = d.getVar("CVE_CHECK_DB_DIR")
cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
cve_cmd = "cve-check-tool"
- cmd = [cve_cmd, "--no-html", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir]
+ cmd = [cve_cmd, "--no-html", "--skip-update", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir]
# If the recipe has been whitlisted we return empty lists
if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split():
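Review bot: With `--skip-update` in `cmd`, the scan runs against whatever database already sits in `cve_db_dir`, and nothing in the visible lines checks that the database exists or how old it is. A comment above `cmd` would help the next reader, for example `# DB is fetched outside the per-recipe tasks; never update it from here`. A `bb.warn` when the directory is missing or empty would keep a scan against no data from being read as a clean result. The rest of `check_cves` is outside the hunk, so such a check may already exist further down.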
diff --git a/poky/meta/recipes-bsp/lrzsz/lrzsz-0.12.20/cve-2018-10195.patch b/poky/meta/recipes-bsp/lrzsz/lrzsz-0.12.20/cve-2018-10195.patch
new file mode 100644
index 000000000..dea298634
--- /dev/null
+++ b/poky/meta/recipes-bsp/lrzsz/lrzsz-0.12.20/cve-2018-10195.patch
@@ -0,0 +1,28 @@
+Integer overflow in src/zm.c:zsdata() causes crash in sz and can leak information to receiver.
+
+Patch taken from Fedora.
+
+CVE: CVE-2018-10195
+Upstream-Status: Inappropriate (dead upstream)
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+diff -urN lrzsz-0.12.20/src/zm.c lrzsz-0.12.20.new/src/zm.c
+--- lrzsz-0.12.20/src/zm.c Tue Dec 29 09:48:38 1998
++++ lrzsz-0.12.20.new/src/zm.c Tue Oct 8 12:46:58 2002
+@@ -431,10 +431,12 @@
+ VPRINTF(3,("zsdata: %lu %s", (unsigned long) length,
+ Zendnames[(frameend-ZCRCE)&3]));
+ crc = 0;
+- do {
+- zsendline(*buf); crc = updcrc((0377 & *buf), crc);
+- buf++;
+- } while (--length>0);
++
++ for( ; length; length--) {
++ zsendline(*buf); crc = updcrc((0377 & *buf), crc);
++ buf++;
++ }
++
+ xsendline(ZDLE); xsendline(frameend);
+ crc = updcrc(frameend, crc);
+ \ No newline at end of file
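Review bot: The header says only "Patch taken from Fedora", with no package revision or URL, so the origin of this fix cannot be checked from the recipe. With upstream marked dead, that pointer is the only audit trail. Extend the line to something like `Patch taken from Fedora (FEDORA_PATCH_URL)`, where the URL is a placeholder for the real source. The file also ends without a trailing newline (`\ No newline at end of file`), which some patch tooling warns about.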
diff --git a/poky/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb b/poky/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb
index 4b349be32..002c774c6 100644
--- a/poky/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb
+++ b/poky/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://www.ohse.de/uwe/releases/lrzsz-${PV}.tar.gz \
file://acdefine.patch \
file://lrzsz_fix_for_automake-1.12.patch \
file://lrzsz-check-locale.h.patch \
+ file://cve-2018-10195.patch \
"
SRC_URI[md5sum] = "b5ce6a74abc9b9eb2af94dffdfd372a4"
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa_supplicant-CVE-2018-14526.patch b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa_supplicant-CVE-2018-14526.patch
new file mode 100644
index 000000000..e800a410e
--- /dev/null
+++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa_supplicant-CVE-2018-14526.patch
@@ -0,0 +1,44 @@
+wpa_supplicant-2.6: Fix CVE-2018-14526
+
+[No upstream tracking] -- https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
+
+wpa: Ignore unauthenticated encrypted EAPOL-Key data
+
+Ignore unauthenticated encrypted EAPOL-Key data in supplicant
+processing. When using WPA2, these are frames that have the Encrypted
+flag set, but not the MIC flag.
+
+When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
+not the MIC flag, had their data field decrypted without first verifying
+the MIC. In case the data field was encrypted using RC4 (i.e., when
+negotiating TKIP as the pairwise cipher), this meant that
+unauthenticated but decrypted data would then be processed. An adversary
+could abuse this as a decryption oracle to recover sensitive information
+in the data field of EAPOL-Key messages (e.g., the group key).
+
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/src/rsn_supp/wpa.c?id=3e34cfdff6b192fe337c6fb3f487f73e96582961]
+CVE: CVE-2018-14526
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 3c47879..6bdf923 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -2016,6 +2016,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
+
+ if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
+ (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
++ /*
++ * Only decrypt the Key Data field if the frame's authenticity
++ * was verified. When using AES-SIV (FILS), the MIC flag is not
++ * set, so this check should only be performed if mic_len != 0
++ * which is the case in this code branch.
++ */
++ if (!(key_info & WPA_KEY_INFO_MIC)) {
++ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++ "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
++ goto out;
++ }
+ if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data,
+ &key_data_len))
+ goto out;
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb
index e68453748..aa4c4c2da 100644
--- a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb
+++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb
@@ -32,6 +32,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
file://key-replay-cve-multiple6.patch \
file://key-replay-cve-multiple7.patch \
file://key-replay-cve-multiple8.patch \
+ file://wpa_supplicant-CVE-2018-14526.patch \
"
SRC_URI[md5sum] = "091569eb4440b7d7f2b4276dbfc03c3c"
SRC_URI[sha256sum] = "b4936d34c4e6cdd44954beba74296d964bc2c9668ecaa5255e499636fe2b1450"
diff --git a/poky/meta/recipes-core/busybox/busybox.inc b/poky/meta/recipes-core/busybox/busybox.inc
index d1675c37a..8c6dbbaf9 100644
--- a/poky/meta/recipes-core/busybox/busybox.inc
+++ b/poky/meta/recipes-core/busybox/busybox.inc
@@ -315,20 +315,24 @@ do_install () {
fi
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+ if grep -q "CONFIG_KLOGD=y" ${B}/.config; then
+ install -d ${D}${systemd_unitdir}/system
+ sed 's,@base_sbindir@,${base_sbindir},g' < ${WORKDIR}/busybox-klogd.service.in \
+ > ${D}${systemd_unitdir}/system/busybox-klogd.service
+ fi
+
if grep -q "CONFIG_SYSLOGD=y" ${B}/.config; then
install -d ${D}${systemd_unitdir}/system
sed 's,@base_sbindir@,${base_sbindir},g' < ${WORKDIR}/busybox-syslog.service.in \
> ${D}${systemd_unitdir}/system/busybox-syslog.service
+ if [ ! -e ${D}${systemd_unitdir}/system/busybox-klogd.service ] ; then
+ sed -i '/klog/d' ${D}${systemd_unitdir}/system/busybox-syslog.service
+ fi
if [ -f ${WORKDIR}/busybox-syslog.default ] ; then
install -d ${D}${sysconfdir}/default
install -m 0644 ${WORKDIR}/busybox-syslog.default ${D}${sysconfdir}/default/busybox-syslog
fi
fi
- if grep -q "CONFIG_KLOGD=y" ${B}/.config; then
- install -d ${D}${systemd_unitdir}/system
- sed 's,@base_sbindir@,${base_sbindir},g' < ${WORKDIR}/busybox-klogd.service.in \
- > ${D}${systemd_unitdir}/system/busybox-klogd.service
- fi
fi
# Remove the sysvinit specific configuration file for systemd systems to avoid confusion
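Review bot: `sed -i '/klog/d'` removes every line of the installed busybox-syslog.service that contains the substring `klog`, not only references to the klogd unit. The template busybox-syslog.service.in is not shown here, so I cannot tell which lines that hits; matching the unit name is narrower, e.g. `sed -i '/busybox-klogd\.service/d' ${D}${systemd_unitdir}/system/busybox-syslog.service`. A one-line comment saying that the klogd references are dropped when CONFIG_KLOGD is off would also explain why the klogd block had to move above the syslogd block. `do_install` starts and ends outside the hunk.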
diff --git a/poky/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch b/poky/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch
new file mode 100644
index 000000000..67b4ed7e1
--- /dev/null
+++ b/poky/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch
@@ -0,0 +1,30 @@
+From e75c01bb3249df16201b482b79bb24bec3b58188 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Fri, 27 Oct 2017 15:37:03 +0200
+Subject: [PATCH] unlzma: fix SEGV, closes 10436
+
+Upstream-Status: Backport [ https://git.busybox.net/busybox/commit/?id=9ac42c500586fa5f10a1f6d22c3f797df11b1f6b]
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Sinan Kaya <okaya@kernel.org>
+---
+ archival/libarchive/decompress_unlzma.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
+index 29eee2a..41e492f 100644
+--- a/archival/libarchive/decompress_unlzma.c
++++ b/archival/libarchive/decompress_unlzma.c
+@@ -353,6 +353,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ pos = buffer_pos - rep0;
+ if ((int32_t)pos < 0) {
+ pos += header.dict_size;
++ /* bug 10436 has an example file where this triggers: */
++ if ((int32_t)pos < 0)
++ goto bad;
++
+ /* see unzip_bad_lzma_2.zip: */
+ if (pos >= buffer_size)
+ goto bad;
+--
+2.19.0
+
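Review bot: The patch header carries `Upstream-Status` and `Signed-off-by` but no `CVE:` tag, unlike the other CVE patches added in this commit. cve-check.bbclass will probably still pick the ID up from the file name (the `fname_match` path in `get_patches_cves`), but a later rename of the file would silently lose it. Add `CVE: CVE-2017-15874` above the `Upstream-Status` line.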
diff --git a/poky/meta/recipes-core/busybox/busybox/defconfig b/poky/meta/recipes-core/busybox/busybox/defconfig
index fbb5fd852..59d93c707 100644
--- a/poky/meta/recipes-core/busybox/busybox/defconfig
+++ b/poky/meta/recipes-core/busybox/busybox/defconfig
@@ -468,21 +468,21 @@ CONFIG_FEATURE_XARGS_SUPPORT_REPL_STR=y
# CONFIG_BOOTCHARTD is not set
# CONFIG_FEATURE_BOOTCHARTD_BLOATED_HEADER is not set
# CONFIG_FEATURE_BOOTCHARTD_CONFIG_FILE is not set
-CONFIG_HALT=y
-CONFIG_POWEROFF=y
-CONFIG_REBOOT=y
+# CONFIG_HALT is not set
+# CONFIG_POWEROFF is not set
+# CONFIG_REBOOT is not set
# CONFIG_FEATURE_CALL_TELINIT is not set
-CONFIG_TELINIT_PATH=""
+# CONFIG_TELINIT_PATH is not set
# CONFIG_INIT is not set
# CONFIG_LINUXRC is not set
# CONFIG_FEATURE_USE_INITTAB is not set
# CONFIG_FEATURE_KILL_REMOVED is not set
-CONFIG_FEATURE_KILL_DELAY=0
+# CONFIG_FEATURE_KILL_DELAY is not set
# CONFIG_FEATURE_INIT_SCTTY is not set
# CONFIG_FEATURE_INIT_SYSLOG is not set
# CONFIG_FEATURE_INIT_QUIET is not set
# CONFIG_FEATURE_INIT_COREDUMPS is not set
-CONFIG_INIT_TERMINAL_TYPE=""
+# CONFIG_INIT_TERMINAL_TYPE is not set
# CONFIG_FEATURE_INIT_MODIFY_CMDLINE is not set
#
diff --git a/poky/meta/recipes-core/busybox/busybox/init.cfg b/poky/meta/recipes-core/busybox/busybox/init.cfg
index 006d4c633..3c1fdd42b 100644
--- a/poky/meta/recipes-core/busybox/busybox/init.cfg
+++ b/poky/meta/recipes-core/busybox/busybox/init.cfg
@@ -1,3 +1,8 @@
CONFIG_INIT=y
CONFIG_FEATURE_USE_INITTAB=y
-
+CONFIG_HALT=y
+CONFIG_POWEROFF=y
+CONFIG_REBOOT=y
+CONFIG_FEATURE_KILL_DELAY=0
+CONFIG_TELINIT_PATH=""
+CONFIG_INIT_TERMINAL_TYPE=""
diff --git a/poky/meta/recipes-core/busybox/busybox_1.27.2.bb b/poky/meta/recipes-core/busybox/busybox_1.27.2.bb
index 1ce4823d4..bab29728e 100644
--- a/poky/meta/recipes-core/busybox/busybox_1.27.2.bb
+++ b/poky/meta/recipes-core/busybox/busybox_1.27.2.bb
@@ -47,6 +47,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://busybox-CVE-2017-16544.patch \
file://busybox-fix-lzma-segfaults.patch \
file://umount-ignore-c.patch \
+ file://CVE-2017-15874.patch \
"
SRC_URI_append_libc-musl = " file://musl.cfg "
diff --git a/poky/meta/recipes-core/busybox/files/mdev-mount.sh b/poky/meta/recipes-core/busybox/files/mdev-mount.sh
index b4385a157..130e9472f 100644
--- a/poky/meta/recipes-core/busybox/files/mdev-mount.sh
+++ b/poky/meta/recipes-core/busybox/files/mdev-mount.sh
@@ -25,7 +25,7 @@ case "$ACTION" in
fi
# check for full-disk partition
if [ "${DEVBASE}" = "${MDEV}" ] ; then
- if [ -d /sys/block/${DEVBASE}/${DEVBASE}*1 ] ; then
+ if [ -f /sys/block/${DEVBASE}/${DEVBASE}*1/partition ] ; then
# Partition detected, just quit
exit 0
fi
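Review bot: The glob `${DEVBASE}*1` inside `[ -f ... ]` is unquoted and can expand to several paths (a disk with partitions 1 and 11, say). In that case `[` gets too many arguments and fails, and the script goes on to treat the disk as unpartitioned. A loop avoids that: `for p in /sys/block/${DEVBASE}/${DEVBASE}*1/partition; do [ -f "$p" ] && exit 0; done`. The surrounding `case` branch begins outside the hunk.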
@@ -43,7 +43,7 @@ case "$ACTION" in
then
MOUNTPOINT="${MDEV_AUTOMOUNT_ROOT}/$MDEV"
mkdir -p "$MOUNTPOINT"
- mount -t auto /dev/$MDEV "$MOUNTPOINT"
+ mount -t auto /dev/$MDEV "$MOUNTPOINT" || rmdir "$MOUNTPOINT"
fi
;;
remove)
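Review bot: The automount calls `mount -t auto` with no `-o` options, so a filesystem on hot-plugged media is mounted with setuid bits and device nodes honoured. Where the media is not trusted, consider `mount -t auto -o nosuid,nodev "/dev/$MDEV" "$MOUNTPOINT" || rmdir "$MOUNTPOINT"`, which also quotes `/dev/$MDEV`. The enclosing `case` branch starts outside the hunk, so an earlier check may already restrict which devices reach this line.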
diff --git a/poky/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch b/poky/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch
new file mode 100644
index 000000000..632aa565e
--- /dev/null
+++ b/poky/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch
@@ -0,0 +1,82 @@
+From 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Tue, 22 May 2018 10:37:59 +0200
+Subject: [PATCH] Don't write beyond destination in
+ __mempcpy_avx512_no_vzeroupper (bug 23196)
+
+When compiled as mempcpy, the return value is the end of the destination
+buffer, thus it cannot be used to refer to the start of it.
+
+2018-05-23 Andreas Schwab <schwab@suse.de>
+
+ [BZ #23196]
+ CVE-2018-11237
+ * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+ (L(preloop_large)): Save initial destination pointer in %r11 and
+ use it instead of %rax after the loop.
+ * string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
+
+CVE: CVE-2018-11237
+Upstream-Status: Backport
+Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
+---
+ ChangeLog | 9 +++++++++
+ string/test-mempcpy.c | 1 +
+ sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++--
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index fa0a07c..bc09dec 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,12 @@
++2018-05-23 Andreas Schwab <schwab@suse.de>
++
++ [BZ #23196]
++ CVE-2018-11237
++ * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
++ (L(preloop_large)): Save initial destination pointer in %r11 and
++ use it instead of %rax after the loop.
++ * string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
++
+ 2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #22786]
+diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
+index c08fba8..d98ecdd 100644
+--- a/string/test-mempcpy.c
++++ b/string/test-mempcpy.c
+@@ -18,6 +18,7 @@
+ <http://www.gnu.org/licenses/>. */
+
+ #define MEMCPY_RESULT(dst, len) (dst) + (len)
++#define MIN_PAGE_SIZE 131072
+ #define TEST_MAIN
+ #define TEST_NAME "mempcpy"
+ #include "test-string.h"
+diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+index 23c0f7a..a55cf6f 100644
+--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
++++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+@@ -335,6 +335,7 @@ L(preloop_large):
+ ja L(preloop_large_bkw)
+ vmovups (%rsi), %zmm4
+ vmovups 0x40(%rsi), %zmm5
++ mov %rdi, %r11
+
+ /* Align destination for access with non-temporal stores in the loop. */
+ mov %rdi, %r8
+@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
+ cmp $256, %rdx
+ ja L(gobble_256bytes_nt_loop)
+ sfence
+- vmovups %zmm4, (%rax)
+- vmovups %zmm5, 0x40(%rax)
++ vmovups %zmm4, (%r11)
++ vmovups %zmm5, 0x40(%r11)
+ jmp L(check)
+
+ L(preloop_large_bkw):
+--
+2.7.4
+
diff --git a/poky/meta/recipes-core/glibc/glibc_2.27.bb b/poky/meta/recipes-core/glibc/glibc_2.27.bb
index 22a9881ea..adee494c2 100644
--- a/poky/meta/recipes-core/glibc/glibc_2.27.bb
+++ b/poky/meta/recipes-core/glibc/glibc_2.27.bb
@@ -47,6 +47,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://0030-plural_c_no_preprocessor_lines.patch \
file://CVE-2017-18269.patch \
file://CVE-2018-11236.patch \
+ file://CVE-2018-11237.patch \
"
NATIVESDKFIXES ?= ""
diff --git a/poky/meta/recipes-core/libcgroup/libcgroup/CVE-2018-14348.patch b/poky/meta/recipes-core/libcgroup/libcgroup/CVE-2018-14348.patch
new file mode 100644
index 000000000..d133703de
--- /dev/null
+++ b/poky/meta/recipes-core/libcgroup/libcgroup/CVE-2018-14348.patch
@@ -0,0 +1,37 @@
+From 0d88b73d189ea3440ccaab00418d6469f76fa590 Mon Sep 17 00:00:00 2001
+From: Michal Hocko <mhocko@suse.com>
+Date: Wed, 18 Jul 2018 11:24:29 +0200
+Subject: [PATCH] cgrulesengd: remove umask(0)
+
+One of our partners has noticed that cgred daemon is creating a log file
+(/var/log/cgred) with too wide permissions (0666) and that is seen as
+a security bug because an untrusted user can write to otherwise
+restricted area. CVE-2018-14348 has been assigned to this issue.
+
+CVE: CVE-2018-14348
+Upstream-Status: Backport [https://sourceforge.net/p/libcg/libcg/ci/0d88b73d189ea3440ccaab00418d6469f76fa590]
+
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Balbir Singh <bsingharora@gmail.com>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ src/daemon/cgrulesengd.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c
+index ea51f11..0d288f3 100644
+--- a/src/daemon/cgrulesengd.c
++++ b/src/daemon/cgrulesengd.c
+@@ -889,9 +889,6 @@ int cgre_start_daemon(const char *logp, const int logf,
+ } else if (pid > 0) {
+ exit(EXIT_SUCCESS);
+ }
+-
+- /* Change the file mode mask. */
+- umask(0);
+ } else {
+ flog(LOG_DEBUG, "Not using daemon mode\n");
+ pid = getpid();
+--
+2.13.3
+
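Review bot: Dropping `umask(0)` leaves the daemon with whatever umask it inherits from the process that starts it, so the mode of the log file still depends on the launch environment. If `cgre_start_daemon` should produce the same permissions everywhere, an explicit `umask(022);` (or stricter) in place of the removed call would make that deterministic. Passing an explicit mode where the log is opened would do the same, but that code is outside this hunk and cannot be checked here.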
diff --git a/poky/meta/recipes-core/libcgroup/libcgroup_0.41.bb b/poky/meta/recipes-core/libcgroup/libcgroup_0.41.bb
index 7ddc81e9b..92d7261b0 100644
--- a/poky/meta/recipes-core/libcgroup/libcgroup_0.41.bb
+++ b/poky/meta/recipes-core/libcgroup/libcgroup_0.41.bb
@@ -11,7 +11,8 @@ inherit autotools pkgconfig
DEPENDS = "bison-native flex-native"
-SRC_URI = "${SOURCEFORGE_MIRROR}/project/libcg/${BPN}/v0.41/${BPN}-${PV}.tar.bz2"
+SRC_URI = "${SOURCEFORGE_MIRROR}/project/libcg/${BPN}/v0.41/${BPN}-${PV}.tar.bz2 \
+ file://CVE-2018-14348.patch"
SRC_URI_append_libc-musl = " file://musl-decls-compat.patch"
SRC_URI[md5sum] = "3dea9d50b8a5b73ff0bf1cdcb210f63f"
diff --git a/poky/meta/recipes-core/os-release/os-release.bb b/poky/meta/recipes-core/os-release/os-release.bb
index f98870475..bf4f815a1 100644
--- a/poky/meta/recipes-core/os-release/os-release.bb
+++ b/poky/meta/recipes-core/os-release/os-release.bb
@@ -1,7 +1,7 @@
inherit allarch
SUMMARY = "Operating system identification"
-DESCRIPTION = "The /etc/os-release file contains operating system identification data."
+DESCRIPTION = "The /usr/lib/os-release file contains operating system identification data."
LICENSE = "MIT"
INHIBIT_DEFAULT_DEPS = "1"
@@ -42,6 +42,9 @@ python do_compile () {
do_compile[vardeps] += "${OS_RELEASE_FIELDS}"
do_install () {
- install -d ${D}${sysconfdir}
- install -m 0644 os-release ${D}${sysconfdir}/
+ install -d ${D}${libdir} ${D}${sysconfdir}
+ install -m 0644 os-release ${D}${libdir}/
+ lnr ${D}${libdir}/os-release ${D}${sysconfdir}/os-release
}
+
+FILES_${PN} += "${libdir}/os-release"
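Review bot: `${libdir}` is not always `/usr/lib`; on multilib or lib64 configurations it can resolve to a path such as `/usr/lib64`, while the new DESCRIPTION names `/usr/lib/os-release`. Use the architecture-independent variable instead: `install -d ${D}${nonarch_libdir} ${D}${sysconfdir}`, `install -m 0644 os-release ${D}${nonarch_libdir}/` and `FILES_${PN} += "${nonarch_libdir}/os-release"`. The `lnr` source path needs the same change.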
diff --git a/poky/meta/recipes-core/util-linux/util-linux_2.32.bb b/poky/meta/recipes-core/util-linux/util-linux_2.32.1.bb
index 55cc98c20..455b9377b 100644
--- a/poky/meta/recipes-core/util-linux/util-linux_2.32.bb
+++ b/poky/meta/recipes-core/util-linux/util-linux_2.32.1.bb
@@ -15,8 +15,8 @@ SRC_URI += "file://configure-sbindir.patch \
file://display_testname_for_subtest.patch \
file://avoid_parallel_tests.patch \
"
-SRC_URI[md5sum] = "e0d8a25853f88cd15ff557e5d8cb4ea7"
-SRC_URI[sha256sum] = "6c7397abc764e32e8159c2e96042874a190303e77adceb4ac5bd502a272a4734"
+SRC_URI[md5sum] = "9e5b1b8c1dc99455bdb6b462cf9436d9"
+SRC_URI[sha256sum] = "86e6707a379c7ff5489c218cfaf1e3464b0b95acf7817db0bc5f179e356a67b2"
CACHED_CONFIGUREVARS += "scanf_cv_alloc_modifier=ms"
diff --git a/poky/meta/recipes-devtools/binutils/binutils-2.30.inc b/poky/meta/recipes-devtools/binutils/binutils-2.30.inc
index 37243db1b..35d7d9b93 100644
--- a/poky/meta/recipes-devtools/binutils/binutils-2.30.inc
+++ b/poky/meta/recipes-devtools/binutils/binutils-2.30.inc
@@ -47,6 +47,7 @@ SRC_URI = "\
file://CVE-2018-10372.patch \
file://CVE-2018-10535.patch \
file://CVE-2018-10534.patch \
+ file://0001-Change-the-ARM-assembler-s-ADR-and-ADRl-pseudo-ops-s.patch \
"
S = "${WORKDIR}/git"
diff --git a/poky/meta/recipes-devtools/binutils/binutils/0001-Change-the-ARM-assembler-s-ADR-and-ADRl-pseudo-ops-s.patch b/poky/meta/recipes-devtools/binutils/binutils/0001-Change-the-ARM-assembler-s-ADR-and-ADRl-pseudo-ops-s.patch
new file mode 100644
index 000000000..8604e678d
--- /dev/null
+++ b/poky/meta/recipes-devtools/binutils/binutils/0001-Change-the-ARM-assembler-s-ADR-and-ADRl-pseudo-ops-s.patch
@@ -0,0 +1,176 @@
+From fc6141f097056f830a412afebed8d81a9d72b696 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 20 Jun 2018 12:38:10 +0100
+Subject: [PATCH] Change the ARM assembler's ADR and ADRl pseudo-ops so that
+ they will only set the bottom bit of imported thumb function symbols if the
+ -mthumb-interwork option is active.
+
+For more information see the email thread starting here:
+https://www.sourceware.org/ml/binutils/2018-05/msg00348.html
+
+ PR 21458
+ * tc-arm.c (do_adr): Only set the bottom bit of an imported thumb
+ function symbol address if -mthumb-interwork is active.
+ (do_adrl): Likewise.
+ * doc/c-arm.texi: Update descriptions of the -mthumb-interwork
+ option and the ADR and ADRL pseudo-ops.
+ * NEWS: Mention the new behaviour of the ADR and ADRL pseudo-ops.
+ * testsuite/gas/arm/pr21458.d: Add -mthumb-interwork option to
+ assembler command line.
+ * testsuite/gas/arm/adr.d: Likewise.
+ * testsuite/gas/arm/adrl.d: Likewise.
+---
+ gas/ChangeLog | 14 ++++++++++++++
+ gas/NEWS | 4 ++++
+ gas/config/tc-arm.c | 10 ++++++----
+ gas/doc/c-arm.texi | 17 ++++++++++++++++-
+ gas/testsuite/gas/arm/adr.d | 1 +
+ gas/testsuite/gas/arm/adrl.d | 1 +
+ gas/testsuite/gas/arm/pr21458.d | 3 ++-
+ 7 files changed, 44 insertions(+), 6 deletions(-)
+
+Index: git/gas/config/tc-arm.c
+===================================================================
+--- git.orig/gas/config/tc-arm.c
++++ git/gas/config/tc-arm.c
+@@ -8410,11 +8410,12 @@ do_adr (void)
+ inst.reloc.pc_rel = 1;
+ inst.reloc.exp.X_add_number -= 8;
+
+- if (inst.reloc.exp.X_op == O_symbol
++ if (support_interwork
++ && inst.reloc.exp.X_op == O_symbol
+ && inst.reloc.exp.X_add_symbol != NULL
+ && S_IS_DEFINED (inst.reloc.exp.X_add_symbol)
+ && THUMB_IS_FUNC (inst.reloc.exp.X_add_symbol))
+- inst.reloc.exp.X_add_number += 1;
++ inst.reloc.exp.X_add_number |= 1;
+ }
+
+ /* This is a pseudo-op of the form "adrl rd, label" to be converted
+@@ -8434,11 +8435,12 @@ do_adrl (void)
+ inst.size = INSN_SIZE * 2;
+ inst.reloc.exp.X_add_number -= 8;
+
+- if (inst.reloc.exp.X_op == O_symbol
++ if (support_interwork
++ && inst.reloc.exp.X_op == O_symbol
+ && inst.reloc.exp.X_add_symbol != NULL
+ && S_IS_DEFINED (inst.reloc.exp.X_add_symbol)
+ && THUMB_IS_FUNC (inst.reloc.exp.X_add_symbol))
+- inst.reloc.exp.X_add_number += 1;
++ inst.reloc.exp.X_add_number |= 1;
+ }
+
+ static void
+Index: git/gas/doc/c-arm.texi
+===================================================================
+--- git.orig/gas/doc/c-arm.texi
++++ git/gas/doc/c-arm.texi
+@@ -317,7 +317,8 @@ instructions; that is, it should behave
+ @cindex @code{-mthumb-interwork} command line option, ARM
+ @item -mthumb-interwork
+ This option specifies that the output generated by the assembler should
+-be marked as supporting interworking.
++be marked as supporting interworking. It also affects the behaviour
++of the @code{ADR} and @code{ADRL} pseudo opcodes.
+
+ @cindex @code{-mimplicit-it} command line option, ARM
+ @item -mimplicit-it=never
+@@ -1060,6 +1061,16 @@ out of range, or if it is not defined in
+ the ADR instruction, then an error will be generated. This instruction
+ will not make use of the literal pool.
+
++If @var{label} is a thumb function symbol, and thumb interworking has
++been enabled via the @option{-mthumb-interwork} option then the bottom
++bit of the value stored into @var{register} will be set. This allows
++the following sequence to work as expected:
++
++@smallexample
++ adr r0, thumb_function
++ blx r0
++@end smallexample
++
+ @cindex @code{ADRL reg,<label>} pseudo op, ARM
+ @item ADRL
+ @smallexample
+@@ -1076,6 +1087,10 @@ If the label is out of range, or if it i
+ (and section) as the ADRL instruction, then an error will be generated.
+ This instruction will not make use of the literal pool.
+
++If @var{label} is a thumb function symbol, and thumb interworking has
++been enabled via the @option{-mthumb-interwork} option then the bottom
++bit of the value stored into @var{register} will be set.
++
+ @end table
+
+ For information on the ARM or Thumb instruction sets, see @cite{ARM
+Index: git/gas/testsuite/gas/arm/adr.d
+===================================================================
+--- git.orig/gas/testsuite/gas/arm/adr.d
++++ git/gas/testsuite/gas/arm/adr.d
+@@ -1,3 +1,4 @@
++#as: -mthumb-interwork
+ #objdump: -dr --prefix-addresses --show-raw-insn
+ #name: ADR
+
+Index: git/gas/testsuite/gas/arm/adrl.d
+===================================================================
+--- git.orig/gas/testsuite/gas/arm/adrl.d
++++ git/gas/testsuite/gas/arm/adrl.d
+@@ -1,3 +1,4 @@
++#as: -mthumb-interwork
+ #objdump: -dr --prefix-addresses --show-raw-insn
+ #name: ADRL
+
+Index: git/gas/ChangeLog
+===================================================================
+--- git.orig/gas/ChangeLog
++++ git/gas/ChangeLog
+@@ -1,3 +1,17 @@
++2018-06-20 Nick Clifton <nickc@redhat.com>
++
++ PR 21458
++ * tc-arm.c (do_adr): Only set the bottom bit of an imported thumb
++ function symbol address if -mthumb-interwork is active.
++ (do_adrl): Likewise.
++ * doc/c-arm.texi: Update descriptions of the -mthumb-interwork
++ option and the ADR and ADRL pseudo-ops.
++ * NEWS: Mention the new behaviour of the ADR and ADRL pseudo-ops.
++ * testsuite/gas/arm/pr21458.d: Add -mthumb-interwork option to
++ assembler command line.
++ * testsuite/gas/arm/adr.d: Likewise.
++ * testsuite/gas/arm/adrl.d: Likewise.
++
+ 2018-02-05 Nick Clifton <nickc@redhat.com>
+
+ * po/ru.po: Updated Russian translation.
+Index: git/gas/NEWS
+===================================================================
+--- git.orig/gas/NEWS
++++ git/gas/NEWS
+@@ -1,5 +1,9 @@
+ -*- text -*-
+
++* The ADR and ADRL pseudo-instructions supported by the ARM assembler
++ now only set the bottom bit of the address of thumb function symbols
++ if the -mthumb-interwork command line option is active.
++
+ Changes in 2.30:
+
+ * Add support for loaction views in DWARF debug line information.
+Index: git/gas/testsuite/gas/arm/pr21458.d
+===================================================================
+--- git.orig/gas/testsuite/gas/arm/pr21458.d
++++ git/gas/testsuite/gas/arm/pr21458.d
+@@ -1,8 +1,9 @@
++#as: -mthumb-interwork
+ #objdump: -d --prefix-addresses --show-raw-insn
+ #name: ADR(L) for Thumb functions
+ #skip: *-*-pe *-wince-* *-*-coff *-*-vxworks
+
+-# Test that using ADR(L) on thumb function symbols sets the T bit.
++# Test that using ADR(L) on thumb function symbols sets the T bit when -mthumb-interwork is active.
+
+ .*: +file format .*arm.*
+
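Review bot: The patch header has no `Upstream-Status:` line and no sign-off from whoever imported it, unlike the other patches added in this commit. Add `Upstream-Status: Backport [UPSTREAM_COMMIT_URL]` and a `Signed-off-by:` line so the origin can be audited. The URL is a placeholder; the `From fc6141f0...` line identifies the upstream commit.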
diff --git a/poky/meta/recipes-devtools/squashfs-tools/squashfs-tools/0001-squashfs-tools-patch-for-CVE-2015-4645-6.patch b/poky/meta/recipes-devtools/squashfs-tools/squashfs-tools/0001-squashfs-tools-patch-for-CVE-2015-4645-6.patch
new file mode 100644
index 000000000..2261ea94b
--- /dev/null
+++ b/poky/meta/recipes-devtools/squashfs-tools/squashfs-tools/0001-squashfs-tools-patch-for-CVE-2015-4645-6.patch
@@ -0,0 +1,47 @@
+From 3c0d67184d6edb63f3b7d6d5eb81531daa6388f3 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Tue, 28 Aug 2018 16:25:36 +0800
+Subject: [PATCH] squashfs-tools: patch for CVE-2015-4645(6)
+
+Upstream-Status: Backport[https://github.com/devttys0/sasquatch/pull/
+ 5/commits/6777e08cc38bc780d27c69c1d8c272867b74524f]
+
+CVE: CVE-2015-4645 CVE-2015-4646
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ squashfs-tools/unsquash-4.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
+index ecdaac7..692ae25 100644
+--- a/squashfs-tools/unsquash-4.c
++++ b/squashfs-tools/unsquash-4.c
+@@ -31,9 +31,9 @@ static unsigned int *id_table;
+ int read_fragment_table_4(long long *directory_table_end)
+ {
+ int res, i;
+- int bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments);
+- int indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk.s.fragments);
+- long long fragment_table_index[indexes];
++ size_t bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments);
++ size_t indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk.s.fragments);
++ long long *fragment_table_index;
+
+ TRACE("read_fragment_table: %d fragments, reading %d fragment indexes "
+ "from 0x%llx\n", sBlk.s.fragments, indexes,
+@@ -43,6 +43,11 @@ int read_fragment_table_4(long long *directory_table_end)
+ *directory_table_end = sBlk.s.fragment_table_start;
+ return TRUE;
+ }
++
++ fragment_table_index = malloc(indexes*sizeof(long long));
++ if(fragment_table_index == NULL)
++ EXIT_UNSQUASH("read_fragment_table: failed to allocate "
++ "fragment table index\n");
+
+ fragment_table = malloc(bytes);
+ if(fragment_table == NULL)
+--
+2.7.4
+
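Review bot: `indexes` is now `size_t`, but the TRACE call just below the new declarations in read_fragment_table_4 still formats it with `%d`, a mismatched conversion wherever size_t is wider than int; `%zu` for that argument would match. The hunk also shows no `free(fragment_table_index)` for the heap buffer that replaces the variable-length array, so unless the part of the function outside this hunk releases it, each call leaks `indexes*sizeof(long long)` bytes. A comment above the malloc such as `/* heap instead of a VLA: indexes is derived from sBlk.s.fragments, which is read from the image */` would record why the allocation moved. The function body continues past the end of the hunk.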
diff --git a/poky/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb b/poky/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
index a8baca51e..1eb0154fd 100644
--- a/poky/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
+++ b/poky/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/plougher/squashfs-tools.git;protocol=https \
file://0001-mksquashfs.c-get-inline-functions-work-with-C99.patch;striplevel=2 \
file://squashfs-tools-4.3-sysmacros.patch;striplevel=2 \
file://fix-compat.patch \
+ file://0001-squashfs-tools-patch-for-CVE-2015-4645-6.patch;striplevel=2 \
"
UPSTREAM_CHECK_COMMITS = "1"
SRC_URI[lzma.md5sum] = "29d5ffd03a5a3e51aef6a74e9eafb759"
diff --git a/poky/meta/recipes-extended/libarchive/libarchive/CVE-2017-14501.patch b/poky/meta/recipes-extended/libarchive/libarchive/CVE-2017-14501.patch
new file mode 100644
index 000000000..1038102e6
--- /dev/null
+++ b/poky/meta/recipes-extended/libarchive/libarchive/CVE-2017-14501.patch
@@ -0,0 +1,79 @@
+From f9569c086ff29259c73790db9cbf39fe8fb9d862 Mon Sep 17 00:00:00 2001
+From: John Starks <jostarks@microsoft.com>
+Date: Wed, 25 Jul 2018 12:16:34 -0700
+Subject: [PATCH] iso9660: validate directory record length
+
+CVE: CVE-2017-14501
+Upstream-Status: Backport [https://github.com/mmatuska/libarchive/commit/13e87dcd9c37b533127cceb9f3e1e5a38d95e784]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ libarchive/archive_read_support_format_iso9660.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c
+index f01d37bf..089bb723 100644
+--- a/libarchive/archive_read_support_format_iso9660.c
++++ b/libarchive/archive_read_support_format_iso9660.c
+@@ -409,7 +409,8 @@ static int next_entry_seek(struct archive_read *, struct iso9660 *,
+ struct file_info **);
+ static struct file_info *
+ parse_file_info(struct archive_read *a,
+- struct file_info *parent, const unsigned char *isodirrec);
++ struct file_info *parent, const unsigned char *isodirrec,
++ size_t reclen);
+ static int parse_rockridge(struct archive_read *a,
+ struct file_info *file, const unsigned char *start,
+ const unsigned char *end);
+@@ -1022,7 +1023,7 @@ read_children(struct archive_read *a, struct file_info *parent)
+ if (*(p + DR_name_len_offset) == 1
+ && *(p + DR_name_offset) == '\001')
+ continue;
+- child = parse_file_info(a, parent, p);
++ child = parse_file_info(a, parent, p, b - p);
+ if (child == NULL) {
+ __archive_read_consume(a, skip_size);
+ return (ARCHIVE_FATAL);
+@@ -1112,7 +1113,7 @@ choose_volume(struct archive_read *a, struct iso9660 *iso9660)
+ */
+ seenJoliet = iso9660->seenJoliet;/* Save flag. */
+ iso9660->seenJoliet = 0;
+- file = parse_file_info(a, NULL, block);
++ file = parse_file_info(a, NULL, block, vd->size);
+ if (file == NULL)
+ return (ARCHIVE_FATAL);
+ iso9660->seenJoliet = seenJoliet;
+@@ -1144,7 +1145,7 @@ choose_volume(struct archive_read *a, struct iso9660 *iso9660)
+ return (ARCHIVE_FATAL);
+ }
+ iso9660->seenJoliet = 0;
+- file = parse_file_info(a, NULL, block);
++ file = parse_file_info(a, NULL, block, vd->size);
+ if (file == NULL)
+ return (ARCHIVE_FATAL);
+ iso9660->seenJoliet = seenJoliet;
+@@ -1749,7 +1750,7 @@ archive_read_format_iso9660_cleanup(struct archive_read *a)
+ */
+ static struct file_info *
+ parse_file_info(struct archive_read *a, struct file_info *parent,
+- const unsigned char *isodirrec)
++ const unsigned char *isodirrec, size_t reclen)
+ {
+ struct iso9660 *iso9660;
+ struct file_info *file, *filep;
+@@ -1763,7 +1764,11 @@ parse_file_info(struct archive_read *a, struct file_info *parent,
+
+ iso9660 = (struct iso9660 *)(a->format->data);
+
+- dr_len = (size_t)isodirrec[DR_length_offset];
++ if (reclen == 0 || reclen < (dr_len = (size_t)isodirrec[DR_length_offset])) {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
++ "Invalid directory record length");
++ return (NULL);
++ }
+ name_len = (size_t)isodirrec[DR_name_len_offset];
+ location = archive_le32dec(isodirrec + DR_extent_offset);
+ fsize = toi(isodirrec + DR_size_offset, DR_size_size);
+--
+2.13.3
+
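Review bot: The new guard in parse_file_info only establishes `dr_len <= reclen`; the reads at `DR_name_len_offset`, `DR_extent_offset` and `DR_size_offset` on the following three lines are not bounded by `reclen` in the visible code, so a record shorter than the fixed header is only safe if a caller or a later check (outside this hunk) rejects it. Comparing `reclen` with the size of the fixed part of the directory record before those reads would make the function safe on its own. The assignment to `dr_len` buried in the condition is also easy to misread; after a separate `reclen == 0` test, `dr_len = (size_t)isodirrec[DR_length_offset];` followed by `if (reclen < dr_len)` says the same thing in plain steps.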
diff --git a/poky/meta/recipes-extended/libarchive/libarchive_3.3.2.bb b/poky/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
index 326971647..e3d90b276 100644
--- a/poky/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
+++ b/poky/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
@@ -37,6 +37,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
file://CVE-2017-14502.patch \
file://non-recursive-extract-and-list.patch \
file://CVE-2017-14503.patch \
+ file://CVE-2017-14501.patch \
"
SRC_URI[md5sum] = "4583bd6b2ebf7e0e8963d90879eb1b27"
diff --git a/poky/meta/recipes-graphics/xorg-lib/libice/CVE-2017-2626.patch b/poky/meta/recipes-graphics/xorg-lib/libice/CVE-2017-2626.patch
new file mode 100644
index 000000000..20c6dda2e
--- /dev/null
+++ b/poky/meta/recipes-graphics/xorg-lib/libice/CVE-2017-2626.patch
@@ -0,0 +1,149 @@
+From ff5e59f32255913bb1cdf51441b98c9107ae165b Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@gmail.com>
+Date: Tue, 4 Apr 2017 19:12:53 +0200
+Subject: Use getentropy() if arc4random_buf() is not available
+
+This allows to fix CVE-2017-2626 on Linux platforms without pulling in
+libbsd.
+The libc getentropy() is available since glibc 2.25 but also on OpenBSD.
+For Linux, we need at least a v3.17 kernel. If the recommended
+arc4random_buf() function is not available, emulate it by first trying
+to use getentropy() on a supported glibc and kernel. If the call fails,
+fall back to the current (partly vulnerable) code.
+
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
+Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport[https://cgit.freedesktop.org/xorg/lib/libICE
+ /commit/?id=ff5e59f32255913bb1cdf51441b98c9107ae165b]
+
+CVE: CVE-2017-2626
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ configure.ac | 2 +-
+ src/iceauth.c | 65 ++++++++++++++++++++++++++++++++++++++++++-----------------
+ 2 files changed, 47 insertions(+), 20 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 458882a..c971ab6 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -38,7 +38,7 @@ AC_DEFINE(ICE_t, 1, [Xtrans transport type])
+
+ # Checks for library functions.
+ AC_CHECK_LIB([bsd], [arc4random_buf])
+-AC_CHECK_FUNCS([asprintf arc4random_buf])
++AC_CHECK_FUNCS([asprintf arc4random_buf getentropy])
+
+ # Allow checking code with lint, sparse, etc.
+ XORG_WITH_LINT
+diff --git a/src/iceauth.c b/src/iceauth.c
+index ed31683..de4785b 100644
+--- a/src/iceauth.c
++++ b/src/iceauth.c
+@@ -44,31 +44,19 @@ Author: Ralph Mor, X Consortium
+
+ static int was_called_state;
+
+-/*
+- * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by
+- * the SI. It is not part of standard ICElib.
+- */
++#ifndef HAVE_ARC4RANDOM_BUF
+
+-
+-char *
+-IceGenerateMagicCookie (
++static void
++emulate_getrandom_buf (
++ char *auth,
+ int len
+ )
+ {
+- char *auth;
+-#ifndef HAVE_ARC4RANDOM_BUF
+ long ldata[2];
+ int seed;
+ int value;
+ int i;
+-#endif
+
+- if ((auth = malloc (len + 1)) == NULL)
+- return (NULL);
+-
+-#ifdef HAVE_ARC4RANDOM_BUF
+- arc4random_buf(auth, len);
+-#else
+ #ifdef ITIMER_REAL
+ {
+ struct timeval now;
+@@ -76,13 +64,13 @@ IceGenerateMagicCookie (
+ ldata[0] = now.tv_sec;
+ ldata[1] = now.tv_usec;
+ }
+-#else
++#else /* ITIMER_REAL */
+ {
+ long time ();
+ ldata[0] = time ((long *) 0);
+ ldata[1] = getpid ();
+ }
+-#endif
++#endif /* ITIMER_REAL */
+ seed = (ldata[0]) + (ldata[1] << 16);
+ srand (seed);
+ for (i = 0; i < len; i++)
+@@ -90,7 +78,46 @@ IceGenerateMagicCookie (
+ value = rand ();
+ auth[i] = value & 0xff;
+ }
+-#endif
++}
++
++static void
++arc4random_buf (
++ char *auth,
++ int len
++)
++{
++ int ret;
++
++#if HAVE_GETENTROPY
++ /* weak emulation of arc4random through the entropy libc */
++ ret = getentropy (auth, len);
++ if (ret == 0)
++ return;
++#endif /* HAVE_GETENTROPY */
++
++ emulate_getrandom_buf (auth, len);
++}
++
++#endif /* !defined(HAVE_ARC4RANDOM_BUF) */
++
++/*
++ * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by
++ * the SI. It is not part of standard ICElib.
++ */
++
++
++char *
++IceGenerateMagicCookie (
++ int len
++)
++{
++ char *auth;
++
++ if ((auth = malloc (len + 1)) == NULL)
++ return (NULL);
++
++ arc4random_buf (auth, len);
++
+ auth[len] = '\0';
+ return (auth);
+ }
+--
+cgit v1.1
+
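Review bot: When `getentropy()` is not available or returns non-zero, the new `arc4random_buf()` wrapper in src/iceauth.c silently falls through to `emulate_getrandom_buf()`, which seeds `srand()` from the clock and pid, so the cookie is predictable again and the caller gets no indication. getentropy() also rejects requests larger than 256 bytes, so a large `len` would take the weak path even on a supported libc and kernel. If returning an error from IceGenerateMagicCookie is not acceptable, a comment on the fallback call such as `/* weak: time/pid-seeded rand(); reached only when getentropy() is missing or fails */` would at least make this visible. `ret` is declared outside the `#if HAVE_GETENTROPY` block and is unused when the macro is not defined.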
diff --git a/poky/meta/recipes-graphics/xorg-lib/libice_1.0.9.bb b/poky/meta/recipes-graphics/xorg-lib/libice_1.0.9.bb
index f069749ce..5ccd1d8c3 100644
--- a/poky/meta/recipes-graphics/xorg-lib/libice_1.0.9.bb
+++ b/poky/meta/recipes-graphics/xorg-lib/libice_1.0.9.bb
@@ -23,6 +23,8 @@ BBCLASSEXTEND = "native"
SRC_URI[md5sum] = "addfb1e897ca8079531669c7c7711726"
SRC_URI[sha256sum] = "8f7032f2c1c64352b5423f6b48a8ebdc339cc63064af34d66a6c9aa79759e202"
+SRC_URI += "file://CVE-2017-2626.patch"
+
PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
PACKAGECONFIG[arc4] = "ac_cv_lib_bsd_arc4random_buf=yes,ac_cv_lib_bsd_arc4random_buf=no,libbsd"
PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-config-fix-NULL-value-detection-for-ID_INPUT-being-u.patch b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-config-fix-NULL-value-detection-for-ID_INPUT-being-u.patch
new file mode 100644
index 000000000..964d5dd4c
--- /dev/null
+++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-config-fix-NULL-value-detection-for-ID_INPUT-being-u.patch
@@ -0,0 +1,40 @@
+From a309323328d9d6e0bf5d9ea1d75920e53b9beef3 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Fri, 5 Jan 2018 11:58:42 +1000
+Subject: [PATCH] config: fix NULL value detection for ID_INPUT being unset
+
+Erroneous condition caused us to keep going with all devices that didn't have
+ID_INPUT set.
+
+Fixes: 5aad81445c8c3d6
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=104382
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-status: Backport
+https://patchwork.freedesktop.org/patch/196090/
+Affects: < 1.20.0
+[Yocto # 12899]
+
+Signed-off-by: Armin Kuster <akuser808@gmail.com>
+
+---
+ config/udev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/udev.c b/config/udev.c
+index e198e8609..3a73189e2 100644
+--- a/config/udev.c
++++ b/config/udev.c
+@@ -135,7 +135,7 @@ device_added(struct udev_device *udev_device)
+ #endif
+
+ value = udev_device_get_property_value(udev_device, "ID_INPUT");
+- if (value && !strcmp(value, "0")) {
++ if (!value || !strcmp(value, "0")) {
+ LogMessageVerb(X_INFO, 10,
+ "config/udev: ignoring device %s without "
+ "property ID_INPUT set\n", path);
+--
+2.17.1
+
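Review bot: The tag in this patch header is spelled `Upstream-status: Backport` with the URL on the next line, while the other patches added in this commit use `Upstream-Status:` with the reference in brackets; tooling that matches the tag case-sensitively may not recognise it. Suggested header line: `Upstream-Status: Backport [https://patchwork.freedesktop.org/patch/196090/]`.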
diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.6.bb b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.6.bb
index c680cf9e8..7e8a9541c 100644
--- a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.6.bb
+++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.6.bb
@@ -5,6 +5,7 @@ SRC_URI += "file://musl-arm-inb-outb.patch \
file://0003-modesetting-Fix-16-bit-depth-bpp-mode.patch \
file://0003-Remove-check-for-useSIGIO-option.patch \
file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
+ file://0001-config-fix-NULL-value-detection-for-ID_INPUT-being-u.patch \
"
SRC_URI[md5sum] = "3e47777ff034a331aed2322b078694a8"
SRC_URI[sha256sum] = "a732502f1db000cf36a376cd0c010ffdbf32ecdd7f1fa08ba7f5bdf9601cc197"
diff --git a/poky/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch b/poky/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch
new file mode 100644
index 000000000..7b58568d5
--- /dev/null
+++ b/poky/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch
@@ -0,0 +1,150 @@
+From d61ff409cb4dda31386373d706ea0cfb1aaac5b7 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Wed, 2 May 2018 10:24:17 -0600
+Subject: [PATCH] btt: make device/devno use PATH_MAX to avoid overflow
+
+Herbo Zhang reports:
+
+I found a bug in blktrace/btt/devmap.c. The code is just as follows:
+
+https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/tree/btt/devmap.c?id=8349ad2f2d19422a6241f94ea84d696b21de4757
+
+ struct devmap {
+
+struct list_head head;
+char device[32], devno[32]; // #1
+};
+
+LIST_HEAD(all_devmaps);
+
+static int dev_map_add(char *line)
+{
+struct devmap *dmp;
+
+if (strstr(line, "Device") != NULL)
+return 1;
+
+dmp = malloc(sizeof(struct devmap));
+if (sscanf(line, "%s %s", dmp->device, dmp->devno) != 2) { //#2
+free(dmp);
+return 1;
+}
+
+list_add_tail(&dmp->head, &all_devmaps);
+return 0;
+}
+
+int dev_map_read(char *fname)
+{
+char line[256]; // #3
+FILE *fp = my_fopen(fname, "r");
+
+if (!fp) {
+perror(fname);
+return 1;
+}
+
+while (fscanf(fp, "%255[a-zA-Z0-9 :.,/_-]\n", line) == 1) {
+if (dev_map_add(line))
+break;
+}
+
+fclose(fp);
+return 0;
+}
+
+ The line length is 256, but the dmp->device, dmp->devno max length
+is only 32. We can put strings longer than 32 into dmp->device and
+dmp->devno , and then they will be overflowed.
+
+ we can trigger this bug just as follows:
+
+ $ python -c "print 'A'*256" > ./test
+ $ btt -M ./test
+
+ *** Error in btt': free(): invalid next size (fast): 0x000055ad7349b250 ***
+ ======= Backtrace: =========
+ /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f7f158ce7e5]
+ /lib/x86_64-linux-gnu/libc.so.6(+0x7fe0a)[0x7f7f158d6e0a]
+ /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f7f158da98c]
+ btt(+0x32e0)[0x55ad7306f2e0]
+ btt(+0x2c5f)[0x55ad7306ec5f]
+ btt(+0x251f)[0x55ad7306e51f]
+ /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f7f15877830]
+ btt(+0x26b9)[0x55ad7306e6b9]
+ ======= Memory map: ========
+ 55ad7306c000-55ad7307f000 r-xp 00000000 08:14 3698139
+ /usr/bin/btt
+ 55ad7327e000-55ad7327f000 r--p 00012000 08:14 3698139
+ /usr/bin/btt
+ 55ad7327f000-55ad73280000 rw-p 00013000 08:14 3698139
+ /usr/bin/btt
+ 55ad73280000-55ad73285000 rw-p 00000000 00:00 0
+ 55ad7349a000-55ad734bb000 rw-p 00000000 00:00 0
+ [heap]
+ 7f7f10000000-7f7f10021000 rw-p 00000000 00:00 0
+ 7f7f10021000-7f7f14000000 ---p 00000000 00:00 0
+ 7f7f15640000-7f7f15656000 r-xp 00000000 08:14 14942237
+ /lib/x86_64-linux-gnu/libgcc_s.so.1
+ 7f7f15656000-7f7f15855000 ---p 00016000 08:14 14942237
+ /lib/x86_64-linux-gnu/libgcc_s.so.1
+ 7f7f15855000-7f7f15856000 r--p 00015000 08:14 14942237
+ /lib/x86_64-linux-gnu/libgcc_s.so.1
+ 7f7f15856000-7f7f15857000 rw-p 00016000 08:14 14942237
+ /lib/x86_64-linux-gnu/libgcc_s.so.1
+ 7f7f15857000-7f7f15a16000 r-xp 00000000 08:14 14948477
+ /lib/x86_64-linux-gnu/libc-2.23.so
+ 7f7f15a16000-7f7f15c16000 ---p 001bf000 08:14 14948477
+ /lib/x86_64-linux-gnu/libc-2.23.so
+ 7f7f15c16000-7f7f15c1a000 r--p 001bf000 08:14 14948477
+ /lib/x86_64-linux-gnu/libc-2.23.so
+ 7f7f15c1a000-7f7f15c1c000 rw-p 001c3000 08:14 14948477
+ /lib/x86_64-linux-gnu/libc-2.23.so
+ 7f7f15c1c000-7f7f15c20000 rw-p 00000000 00:00 0
+ 7f7f15c20000-7f7f15c46000 r-xp 00000000 08:14 14948478
+ /lib/x86_64-linux-gnu/ld-2.23.so
+ 7f7f15e16000-7f7f15e19000 rw-p 00000000 00:00 0
+ 7f7f15e42000-7f7f15e45000 rw-p 00000000 00:00 0
+ 7f7f15e45000-7f7f15e46000 r--p 00025000 08:14 14948478
+ /lib/x86_64-linux-gnu/ld-2.23.so
+ 7f7f15e46000-7f7f15e47000 rw-p 00026000 08:14 14948478
+ /lib/x86_64-linux-gnu/ld-2.23.so
+ 7f7f15e47000-7f7f15e48000 rw-p 00000000 00:00 0
+ 7ffdebe5c000-7ffdebe7d000 rw-p 00000000 00:00 0
+ [stack]
+ 7ffdebebc000-7ffdebebe000 r--p 00000000 00:00 0
+ [vvar]
+ 7ffdebebe000-7ffdebec0000 r-xp 00000000 00:00 0
+ [vdso]
+ ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
+ [vsyscall]
+ [1] 6272 abort btt -M test
+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+Upstream-Status: Backport
+[https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7]
+
+CVE: CVE-2018-10689
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ btt/devmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/btt/devmap.c b/btt/devmap.c
+index 0553a9e..5fc1cb2 100644
+--- a/btt/devmap.c
++++ b/btt/devmap.c
+@@ -23,7 +23,7 @@
+
+ struct devmap {
+ struct list_head head;
+- char device[32], devno[32];
++ char device[PATH_MAX], devno[PATH_MAX];
+ };
+
+ LIST_HEAD(all_devmaps);
+--
+2.7.4
+
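Review bot: Growing `device` and `devno` to `PATH_MAX` removes the overflow only because the `line` buffer in dev_map_read is 256 bytes; the `sscanf(line, "%s %s", ...)` quoted in the description stays unbounded, so the two sizes are coupled without anything in the code saying so. Field widths in that format string tied to the array size, or a comment on the struct such as `/* must stay larger than line[] in dev_map_read(): sscanf("%s %s") is unbounded */`, would keep a later change to either buffer from reintroducing the bug. The quoted code also uses the `malloc()` result without a NULL check, and the hunk does not show whether btt/devmap.c already includes `<limits.h>` for `PATH_MAX`. Both the sscanf call and the include list are outside this hunk.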
diff --git a/poky/meta/recipes-kernel/blktrace/blktrace_git.bb b/poky/meta/recipes-kernel/blktrace/blktrace_git.bb
index 663de2ed5..2605ff916 100644
--- a/poky/meta/recipes-kernel/blktrace/blktrace_git.bb
+++ b/poky/meta/recipes-kernel/blktrace/blktrace_git.bb
@@ -11,6 +11,7 @@ PV = "1.2.0+git${SRCPV}"
SRC_URI = "git://git.kernel.dk/blktrace.git \
file://ldflags.patch \
+ file://CVE-2018-10689.patch \
"
S = "${WORKDIR}/git"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.12.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.12.bb
index cf6a733ce..a6a8b60e1 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.12.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.12.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "7ba09f891939cbf2c58801a7a4a740365896d6ba"
-SRCREV_meta ?= "367bd3633d5a661035f90f0b8daa38e97da1a587"
+SRCREV_machine ?= "ef88c3326f62cec4b98340324ddbe7f7f7704fd5"
+SRCREV_meta ?= "2ae65226f64ed5c888d60eef76b6249db678d060"
SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.12.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.12;destsuffix=${KMETA}"
-LINUX_VERSION ?= "4.12.26"
+LINUX_VERSION ?= "4.12.28"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb
index 00671182d..d5b285e7b 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "aeeb2d73f2a828a9c0b121b2aa3bb345009f5698"
-SRCREV_meta ?= "94457657b8d621868672917d1c2631df4a4fadd8"
+SRCREV_machine ?= "af1b926c9160b0dbf2bbe41b166a8a7b07191fd2"
+SRCREV_meta ?= "c43c9e19a22367b48c0f62764c8555643d2a6844"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.14;destsuffix=${KMETA}"
-LINUX_VERSION ?= "4.14.48"
+LINUX_VERSION ?= "4.14.67"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.12.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.12.bb
index 9d5e1582b..cb4ef3a65 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.12.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.12.bb
@@ -4,13 +4,13 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "4.12.26"
+LINUX_VERSION ?= "4.12.28"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af"
-SRCREV_meta ?= "367bd3633d5a661035f90f0b8daa38e97da1a587"
+SRCREV_machine ?= "e562267bae5b518acca880c929fbbdf6be047e0a"
+SRCREV_meta ?= "2ae65226f64ed5c888d60eef76b6249db678d060"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb
index 58945f25d..c9e6e412b 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb
@@ -4,7 +4,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "4.14.48"
+LINUX_VERSION ?= "4.14.67"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
@@ -12,8 +12,8 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "9e246607d5c23f8bb3b8800734b1707766e0b2b9"
-SRCREV_meta ?= "94457657b8d621868672917d1c2631df4a4fadd8"
+SRCREV_machine ?= "74ecbeb03ebfc2b9a73a6554924b043b903295f5"
+SRCREV_meta ?= "c43c9e19a22367b48c0f62764c8555643d2a6844"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_4.12.bb b/poky/meta/recipes-kernel/linux/linux-yocto_4.12.bb
index ac98ca85f..0aea05b83 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto_4.12.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto_4.12.bb
@@ -11,22 +11,22 @@ KBRANCH_qemux86 ?= "standard/base"
KBRANCH_qemux86-64 ?= "standard/base"
KBRANCH_qemumips64 ?= "standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "86b02dd23be1e3b3449885b38ed1b876ebec31e8"
-SRCREV_machine_qemuarm64 ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af"
-SRCREV_machine_qemumips ?= "67b93101c52504fd5077166c70baa296190e6166"
-SRCREV_machine_qemuppc ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af"
-SRCREV_machine_qemux86 ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af"
-SRCREV_machine_qemux86-64 ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af"
-SRCREV_machine_qemumips64 ?= "38da8c72733da9619bbbddf14140204631faf488"
-SRCREV_machine ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af"
-SRCREV_meta ?= "367bd3633d5a661035f90f0b8daa38e97da1a587"
+SRCREV_machine_qemuarm ?= "b84ecefc243a6ed67d8b6020394963de1240a9f0"
+SRCREV_machine_qemuarm64 ?= "e562267bae5b518acca880c929fbbdf6be047e0a"
+SRCREV_machine_qemumips ?= "15b1ab68f73fa60dd95a74c640e87e05fad1716d"
+SRCREV_machine_qemuppc ?= "e562267bae5b518acca880c929fbbdf6be047e0a"
+SRCREV_machine_qemux86 ?= "e562267bae5b518acca880c929fbbdf6be047e0a"
+SRCREV_machine_qemux86-64 ?= "e562267bae5b518acca880c929fbbdf6be047e0a"
+SRCREV_machine_qemumips64 ?= "57a3f72a020fc84f2da5b0b4c5de4cdbc22b3284"
+SRCREV_machine ?= "e562267bae5b518acca880c929fbbdf6be047e0a"
+SRCREV_meta ?= "2ae65226f64ed5c888d60eef76b6249db678d060"
SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.12.git;name=machine;branch=${KBRANCH}; \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.12;destsuffix=${KMETA}"
DEPENDS += "openssl-native util-linux-native"
-LINUX_VERSION ?= "4.12.26"
+LINUX_VERSION ?= "4.12.28"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb b/poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb
index 0449213d4..91a2845a7 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb
@@ -11,20 +11,20 @@ KBRANCH_qemux86 ?= "v4.14/standard/base"
KBRANCH_qemux86-64 ?= "v4.14/standard/base"
KBRANCH_qemumips64 ?= "v4.14/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "363723ef50c06df54e146c8fe78faa962e96a8c8"
-SRCREV_machine_qemuarm64 ?= "798d15552a4d5d9355a300290ed6bf72106b7e96"
-SRCREV_machine_qemumips ?= "6c2433d7c51c3e78b1be2c7d1fbfe840b13d04df"
-SRCREV_machine_qemuppc ?= "c03babad17499489b20216576d608c94e7fddc5d"
-SRCREV_machine_qemux86 ?= "65d1c849534179bbfa494f77947f8be615e9871a"
-SRCREV_machine_qemux86-64 ?= "65d1c849534179bbfa494f77947f8be615e9871a"
-SRCREV_machine_qemumips64 ?= "59f70381cbde371e41206b7902390ae78558c310"
-SRCREV_machine ?= "65d1c849534179bbfa494f77947f8be615e9871a"
-SRCREV_meta ?= "94457657b8d621868672917d1c2631df4a4fadd8"
+SRCREV_machine_qemuarm ?= "93d58c0c59d1dcdba6ff76ef093de7de339414a8"
+SRCREV_machine_qemuarm64 ?= "888066bc1b9cc5f596da8237cbf74417106e8f22"
+SRCREV_machine_qemumips ?= "a9d862bb92707f39c0cf2b2cc6f1645e88a99eb9"
+SRCREV_machine_qemuppc ?= "d8ced31602b65fb92487865502da595bd113a329"
+SRCREV_machine_qemux86 ?= "084af9624d268ddf4fd65b2f9e8e50ca2f22e62b"
+SRCREV_machine_qemux86-64 ?= "084af9624d268ddf4fd65b2f9e8e50ca2f22e62b"
+SRCREV_machine_qemumips64 ?= "44e1719a8f4fe10e88c13b9ec6c1fa1d041efaed"
+SRCREV_machine ?= "084af9624d268ddf4fd65b2f9e8e50ca2f22e62b"
+SRCREV_meta ?= "c43c9e19a22367b48c0f62764c8555643d2a6844"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRANCH}; \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.14;destsuffix=${KMETA}"
-LINUX_VERSION ?= "4.14.48"
+LINUX_VERSION ?= "4.14.67"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
diff --git a/poky/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.dpatch b/poky/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.dpatch
new file mode 100644
index 000000000..8d09ce7b6
--- /dev/null
+++ b/poky/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.dpatch
@@ -0,0 +1,33 @@
+libid3tag: patch for CVE-2004-2779
+
+The patch comes from
+https://sources.debian.org/patches/libid3tag/0.15.1b-13/10_utf16.dpatch
+
+Upstream-Status: Pending
+
+CVE: CVE-2004-2779
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
+diff -urNad libid3tag-0.15.1b/utf16.c /tmp/dpep.tKvO7a/libid3tag-0.15.1b/utf16.c
+--- libid3tag-0.15.1b/utf16.c 2006-01-13 15:26:29.000000000 +0100
++++ /tmp/dpep.tKvO7a/libid3tag-0.15.1b/utf16.c 2006-01-13 15:27:19.000000000 +0100
+@@ -282,5 +282,18 @@
+
+ free(utf16);
+
++ if (end == *ptr && length % 2 != 0)
++ {
++ /* We were called with a bogus length. It should always
++ * be an even number. We can deal with this in a few ways:
++ * - Always give an error.
++ * - Try and parse as much as we can and
++ * - return an error if we're called again when we
++ * already tried to parse everything we can.
++ * - tell that we parsed it, which is what we do here.
++ */
++ (*ptr)++;
++ }
++
+ return ucs4;
+ }
diff --git a/poky/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb b/poky/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
index f6139d612..fe3164610 100644
--- a/poky/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
+++ b/poky/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
@@ -13,6 +13,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/mad/libid3tag-${PV}.tar.gz \
file://addpkgconfig.patch \
file://obsolete_automake_macros.patch \
file://0001-Fix-gperf-3.1-incompatibility.patch \
+ file://10_utf16.dpatch \
"
UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/mad/files/libid3tag/"
UPSTREAM_CHECK_REGEX = "/projects/mad/files/libid3tag/(?P<pver>.*)/$"
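Review bot: The new SRC_URI entry `file://10_utf16.dpatch` has an extension other than `.patch` or `.diff`, and as far as I know the OE patch step applies only those two automatically, so the CVE-2004-2779 fix may be fetched but never applied to the source. Either rename the file to `10_utf16.patch` or write the entry as `file://10_utf16.dpatch;apply=yes \`, and confirm in the do_patch log that the change to utf16.c is actually applied.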
diff --git a/poky/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch b/poky/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch
new file mode 100644
index 000000000..84b1af1fb
--- /dev/null
+++ b/poky/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch
@@ -0,0 +1,37 @@
+From 8a05766cb74af05c04c53e6c9d60c13fc4d59bf2 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Sun, 17 Jun 2018 22:56:29 -0400
+Subject: [PATCH] [libpng16] Fix the calculation of row_factor in
+ png_check_chunk_length
+
+(Bug report by Thuan Pham, SourceForge issue #278)
+Upstream-Status: Backport [https://github.com/glennrp/libpng/commit/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2]
+Signed-off-by: Sinan Kaya <okaya@kernel.org>
+---
+ pngrutil.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/pngrutil.c b/pngrutil.c
+index 95571b517..5ba995abf 100644
+--- a/pngrutil.c
++++ b/pngrutil.c
+@@ -3167,10 +3167,13 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
+ {
+ png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
+ size_t row_factor =
+- (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+- + 1 + (png_ptr->interlaced? 6: 0));
++ (size_t)png_ptr->width
++ * (size_t)png_ptr->channels
++ * (png_ptr->bit_depth > 8? 2: 1)
++ + 1
++ + (png_ptr->interlaced? 6: 0);
+ if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
+- idat_limit=PNG_UINT_31_MAX;
++ idat_limit = PNG_UINT_31_MAX;
+ else
+ idat_limit = png_ptr->height * row_factor;
+ row_factor = row_factor > 32566? 32566 : row_factor;
+--
+2.19.0
+
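Review bot: The `(size_t)` casts in the new `row_factor` expression widen the multiplication only where size_t is larger than png_uint_32; on 32-bit targets the product of width, channels and the depth factor can presumably still wrap, and `row_factor` is then used as the divisor in `PNG_UINT_32_MAX/row_factor`. Whether that is reachable depends on the width limits enforced before png_check_chunk_length, which are outside this hunk, so it is worth confirming for any 32-bit machine this layer is built for. The patch header also lacks the `CVE: CVE-2018-13785` line that the other backports in this commit carry.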
diff --git a/poky/meta/recipes-multimedia/libpng/libpng_1.6.34.bb b/poky/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
index e52d03228..3877d6cbf 100644
--- a/poky/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
+++ b/poky/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
@@ -8,7 +8,9 @@ DEPENDS = "zlib"
LIBV = "16"
-SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz"
+SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz \
+ file://CVE-2018-13785.patch \
+"
SRC_URI[md5sum] = "c05b6ca7190a5e387b78657dbe5536b2"
SRC_URI[sha256sum] = "2f1e960d92ce3b3abd03d06dfec9637dfbd22febf107a536b44f7a47c60659f6"
diff --git a/poky/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch b/poky/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch
new file mode 100644
index 000000000..57e745331
--- /dev/null
+++ b/poky/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch
@@ -0,0 +1,135 @@
+From 6b638fa9afbeb54dfa19378e391465a5284ce1ad Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Wed, 12 Sep 2018 17:16:36 +0800
+Subject: [PATCH] Fix error handling in gdbm
+
+Only check for gdbm_errno if the return value of the called gdbm_*
+function says so. This fixes apr-util with gdbm 1.14, which does not
+seem to always reset gdbm_errno.
+
+Also make the gdbm driver return error codes starting with
+APR_OS_START_USEERR instead of always returning APR_EGENERAL. This is
+what the berkleydb driver already does.
+
+Also ensure that dsize is 0 if dptr == NULL.
+
+Upstream-Status: Backport[https://svn.apache.org/viewvc?
+view=revision&amp;revision=1825311]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ dbm/apr_dbm_gdbm.c | 47 +++++++++++++++++++++++++++++------------------
+ 1 file changed, 29 insertions(+), 18 deletions(-)
+
+diff --git a/dbm/apr_dbm_gdbm.c b/dbm/apr_dbm_gdbm.c
+index 749447a..1c86327 100644
+--- a/dbm/apr_dbm_gdbm.c
++++ b/dbm/apr_dbm_gdbm.c
+@@ -36,13 +36,25 @@
+ static apr_status_t g2s(int gerr)
+ {
+ if (gerr == -1) {
+- /* ### need to fix this */
+- return APR_EGENERAL;
++ if (gdbm_errno == GDBM_NO_ERROR)
++ return APR_SUCCESS;
++ return APR_OS_START_USEERR + gdbm_errno;
+ }
+
+ return APR_SUCCESS;
+ }
+
++static apr_status_t gdat2s(datum d)
++{
++ if (d.dptr == NULL) {
++ if (gdbm_errno == GDBM_NO_ERROR || gdbm_errno == GDBM_ITEM_NOT_FOUND)
++ return APR_SUCCESS;
++ return APR_OS_START_USEERR + gdbm_errno;
++ }
++
++ return APR_SUCCESS;
++}
++
+ static apr_status_t datum_cleanup(void *dptr)
+ {
+ if (dptr)
+@@ -53,22 +65,15 @@ static apr_status_t datum_cleanup(void *dptr)
+
+ static apr_status_t set_error(apr_dbm_t *dbm, apr_status_t dbm_said)
+ {
+- apr_status_t rv = APR_SUCCESS;
+
+- /* ### ignore whatever the DBM said (dbm_said); ask it explicitly */
++ dbm->errcode = dbm_said;
+
+- if ((dbm->errcode = gdbm_errno) == GDBM_NO_ERROR) {
++ if (dbm_said == APR_SUCCESS)
+ dbm->errmsg = NULL;
+- }
+- else {
+- dbm->errmsg = gdbm_strerror(gdbm_errno);
+- rv = APR_EGENERAL; /* ### need something better */
+- }
+-
+- /* captured it. clear it now. */
+- gdbm_errno = GDBM_NO_ERROR;
++ else
++ dbm->errmsg = gdbm_strerror(dbm_said - APR_OS_START_USEERR);
+
+- return rv;
++ return dbm_said;
+ }
+
+ /* --------------------------------------------------------------------------
+@@ -107,7 +112,7 @@ static apr_status_t vt_gdbm_open(apr_dbm_t **pdb, const char *pathname,
+ NULL);
+
+ if (file == NULL)
+- return APR_EGENERAL; /* ### need a better error */
++ return APR_OS_START_USEERR + gdbm_errno; /* ### need a better error */
+
+ /* we have an open database... return it */
+ *pdb = apr_pcalloc(pool, sizeof(**pdb));
+@@ -141,10 +146,12 @@ static apr_status_t vt_gdbm_fetch(apr_dbm_t *dbm, apr_datum_t key,
+ if (pvalue->dptr)
+ apr_pool_cleanup_register(dbm->pool, pvalue->dptr, datum_cleanup,
+ apr_pool_cleanup_null);
++ else
++ pvalue->dsize = 0;
+
+ /* store the error info into DBM, and return a status code. Also, note
+ that *pvalue should have been cleared on error. */
+- return set_error(dbm, APR_SUCCESS);
++ return set_error(dbm, gdat2s(rd));
+ }
+
+ static apr_status_t vt_gdbm_store(apr_dbm_t *dbm, apr_datum_t key,
+@@ -201,9 +208,11 @@ static apr_status_t vt_gdbm_firstkey(apr_dbm_t *dbm, apr_datum_t *pkey)
+ if (pkey->dptr)
+ apr_pool_cleanup_register(dbm->pool, pkey->dptr, datum_cleanup,
+ apr_pool_cleanup_null);
++ else
++ pkey->dsize = 0;
+
+ /* store any error info into DBM, and return a status code. */
+- return set_error(dbm, APR_SUCCESS);
++ return set_error(dbm, gdat2s(rd));
+ }
+
+ static apr_status_t vt_gdbm_nextkey(apr_dbm_t *dbm, apr_datum_t *pkey)
+@@ -221,9 +230,11 @@ static apr_status_t vt_gdbm_nextkey(apr_dbm_t *dbm, apr_datum_t *pkey)
+ if (pkey->dptr)
+ apr_pool_cleanup_register(dbm->pool, pkey->dptr, datum_cleanup,
+ apr_pool_cleanup_null);
++ else
++ pkey->dsize = 0;
+
+ /* store any error info into DBM, and return a status code. */
+- return set_error(dbm, APR_SUCCESS);
++ return set_error(dbm, gdat2s(rd));
+ }
+
+ static void vt_gdbm_freedatum(apr_dbm_t *dbm, apr_datum_t data)
+--
+2.7.4
+
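Review bot: set_error() now builds the message with `gdbm_strerror(dbm_said - APR_OS_START_USEERR)`, which is only meaningful when every caller passes APR_SUCCESS or a value produced by g2s() or gdat2s(), and nothing in the patched file states that contract. Callers such as vt_gdbm_store have bodies outside this hunk, so it cannot be confirmed here that none of them passes a plain APR status. I would add a comment above set_error(), for example `/* dbm_said must be APR_SUCCESS or APR_OS_START_USEERR + a gdbm_errno value */`. Separately, g2s() returns APR_SUCCESS when a call returned -1 but gdbm_errno is GDBM_NO_ERROR, which would report a failed call as success, so that choice deserves a one-line comment too. The `Upstream-Status:` line here, like those in the libcroco and libexif patches, lacks the space before `[` and wraps the URL across two lines, and this one keeps `&amp;`, which makes the backport harder to check against upstream.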
diff --git a/poky/meta/recipes-support/apr/apr-util_1.6.1.bb b/poky/meta/recipes-support/apr/apr-util_1.6.1.bb
index 88b4300f9..12d71cbb6 100644
--- a/poky/meta/recipes-support/apr/apr-util_1.6.1.bb
+++ b/poky/meta/recipes-support/apr/apr-util_1.6.1.bb
@@ -13,6 +13,7 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.gz \
file://configfix.patch \
file://configure_fixes.patch \
file://run-ptest \
+ file://0001-Fix-error-handling-in-gdbm.patch \
"
SRC_URI[md5sum] = "bd502b9a8670a8012c4d90c31a84955f"
diff --git a/poky/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch b/poky/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch
new file mode 100644
index 000000000..f6f43c3d2
--- /dev/null
+++ b/poky/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch
@@ -0,0 +1,56 @@
+input: check end of input before reading a byte
+
+When reading bytes we weren't check that the index wasn't
+out of bound and this could produce an invalid read which
+could deal to a security bug.
+
+Upstream-Status: Backport[https://gitlab.gnome.org/GNOME/libcroco/
+ commit/898e3a8c8c0314d2e6b106809a8e3e93cf9d4394]
+
+CVE: CVE-2017-7960
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
+diff --git a/src/cr-input.c b/src/cr-input.c
+index 49000b1f5f07fe057135f1b8fc69bdcf9613e300..3b63a88ee3b1c56778e58172d147d958951bf099 100644
+--- a/src/cr-input.c
++++ b/src/cr-input.c
+@@ -256,7 +256,7 @@ cr_input_new_from_uri (const gchar * a_file_uri, enum CREncoding a_enc)
+ *we should free buf here because it's own by CRInput.
+ *(see the last parameter of cr_input_new_from_buf().
+ */
+- buf = NULL ;
++ buf = NULL;
+ }
+
+ cleanup:
+@@ -404,6 +404,8 @@ cr_input_get_nb_bytes_left (CRInput const * a_this)
+ enum CRStatus
+ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ {
++ gulong nb_bytes_left = 0;
++
+ g_return_val_if_fail (a_this && PRIVATE (a_this)
+ && a_byte, CR_BAD_PARAM_ERROR);
+
+@@ -413,6 +415,12 @@ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ if (PRIVATE (a_this)->end_of_input == TRUE)
+ return CR_END_OF_INPUT_ERROR;
+
++ nb_bytes_left = cr_input_get_nb_bytes_left (a_this);
++
++ if (nb_bytes_left < 1) {
++ return CR_END_OF_INPUT_ERROR;
++ }
++
+ *a_byte = PRIVATE (a_this)->in_buf[PRIVATE (a_this)->next_byte_index];
+
+ if (PRIVATE (a_this)->nb_bytes -
+@@ -477,7 +485,6 @@ cr_input_read_char (CRInput * a_this, guint32 * a_char)
+ if (*a_char == '\n') {
+ PRIVATE (a_this)->end_of_line = TRUE;
+ }
+-
+ }
+
+ return status;
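Review bot: The new local `gulong nb_bytes_left` in cr_input_read_byte() is unsigned, so if cr_input_get_nb_bytes_left() reports failure with a negative value (its definition is outside this hunk, so confirm this), that value converts to a very large count and the `nb_bytes_left < 1` guard passes. Declaring the local with the function's own return type, e.g. `glong nb_bytes_left = 0;`, keeps the error case on the rejecting side of the check. The patch also carries two whitespace-only edits (`buf = NULL;` and a removed blank line) that are not part of the fix and make the backport harder to compare with the upstream commit.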
diff --git a/poky/meta/recipes-support/libcroco/libcroco_0.6.12.bb b/poky/meta/recipes-support/libcroco/libcroco_0.6.12.bb
index d86ddd646..5b962ee73 100644
--- a/poky/meta/recipes-support/libcroco/libcroco_0.6.12.bb
+++ b/poky/meta/recipes-support/libcroco/libcroco_0.6.12.bb
@@ -16,5 +16,7 @@ BINCONFIG = "${bindir}/croco-0.6-config"
inherit gnomebase gtk-doc binconfig-disabled
+SRC_URI += "file://CVE-2017-7960.patch"
+
SRC_URI[archive.md5sum] = "bc0984fce078ba2ce29f9500c6b9ddce"
SRC_URI[archive.sha256sum] = "ddc4b5546c9fb4280a5017e2707fbd4839034ed1aba5b7d4372212f34f84f860"
diff --git a/poky/meta/recipes-support/libexif/libexif/CVE-2017-7544.patch b/poky/meta/recipes-support/libexif/libexif/CVE-2017-7544.patch
new file mode 100644
index 000000000..e49481ff8
--- /dev/null
+++ b/poky/meta/recipes-support/libexif/libexif/CVE-2017-7544.patch
@@ -0,0 +1,40 @@
+From 8a92f964a66d476ca8907234359e92a70fc1325b Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Tue, 28 Aug 2018 15:12:10 +0800
+Subject: [PATCH] On saving makernotes, make sure the makernote container tags
+ has a type with 1 byte components.
+
+Fixes (at least):
+ https://sourceforge.net/p/libexif/bugs/130
+ https://sourceforge.net/p/libexif/bugs/129
+
+Upstream-Status: Backport[https://github.com/libexif/libexif/commit/
+c39acd1692023b26290778a02a9232c873f9d71a#diff-830e348923810f00726700b083ec00cd]
+
+CVE: CVE-2017-7544
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libexif/exif-data.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index 67df4db..6bf89eb 100644
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e,
+ exif_mnote_data_set_offset (data->priv->md, *ds - 6);
+ exif_mnote_data_save (data->priv->md, &e->data, &e->size);
+ e->components = e->size;
++ if (exif_format_get_size (e->format) != 1) {
++ /* e->format is taken from input code,
++ * but we need to make sure it is a 1 byte
++ * entity due to the multiplication below. */
++ e->format = EXIF_FORMAT_UNDEFINED;
++ }
+ }
+ }
+
+--
+2.7.4
+
diff --git a/poky/meta/recipes-support/libexif/libexif_0.6.21.bb b/poky/meta/recipes-support/libexif/libexif_0.6.21.bb
index cff4caede..b550a1125 100644
--- a/poky/meta/recipes-support/libexif/libexif_0.6.21.bb
+++ b/poky/meta/recipes-support/libexif/libexif_0.6.21.bb
@@ -4,7 +4,8 @@ SECTION = "libs"
LICENSE = "LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad"
-SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2"
+SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \
+ file://CVE-2017-7544.patch"
SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27"
SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a"
diff --git a/poky/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch b/poky/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch
new file mode 100644
index 000000000..4a5832ac1
--- /dev/null
+++ b/poky/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch
@@ -0,0 +1,29 @@
+From 99f6e1b0d68281b63218d6adfe68cd9e331ac5be Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 3 Sep 2018 10:50:08 -0700
+Subject: [PATCH] Fix syntax of a print() in the scons file to unbreak building
+ with most recent scons version.
+
+* SConstruct Use Python 3.0 valid syntax to make Scons 3.0.0 happy on both python
+ 3.0 and 2.7.
+
+Upstream-Status: Backport
+[https://svn.apache.org/viewvc/serf/trunk/SConstruct?r1=1809132&r2=1811083&diff_format=h]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ SConstruct | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SConstruct b/SConstruct
+index 1670459..18a45fa 100644
+--- a/SConstruct
++++ b/SConstruct
+@@ -184,7 +184,7 @@ CALLOUT_OKAY = not (env.GetOption('clean') or env.GetOption('help'))
+
+ unknown = opts.UnknownVariables()
+ if unknown:
+- print 'Warning: Used unknown variables:', ', '.join(unknown.keys())
++ print('Warning: Used unknown variables:', ', '.join(unknown.keys()))
+
+ apr = str(env['APR'])
+ apu = str(env['APU'])
diff --git a/poky/meta/recipes-support/serf/serf/0002-SConstruct-Fix-path-quoting-for-.def-generator.patch b/poky/meta/recipes-support/serf/serf/0002-SConstruct-Fix-path-quoting-for-.def-generator.patch
new file mode 100644
index 000000000..cec881ee1
--- /dev/null
+++ b/poky/meta/recipes-support/serf/serf/0002-SConstruct-Fix-path-quoting-for-.def-generator.patch
@@ -0,0 +1,27 @@
+From e51b4b37916dd20b13133cb7af16601b6bf3ace9 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 3 Sep 2018 10:54:54 -0700
+Subject: [PATCH] SConstruct: Fix path quoting for .def generator
+
+Patch by: Martin Keller <m.keller{_AT_}codesys.com>
+Upstream-Status: Backport
+[https://svn.apache.org/viewvc/serf/trunk/SConstruct?r1=1807594&r2=1809132]
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ SConstruct | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SConstruct b/SConstruct
+index 18a45fa..571bdce 100644
+--- a/SConstruct
++++ b/SConstruct
+@@ -160,7 +160,7 @@ env = Environment(variables=opts,
+
+ env.Append(BUILDERS = {
+ 'GenDef' :
+- Builder(action = sys.executable + ' build/gen_def.py $SOURCES > $TARGET',
++ Builder(action = '"%s" "%s" $SOURCES > $TARGET' % (sys.executable, gen_def_script,),
+ suffix='.def', src_suffix='.h')
+ })
+
diff --git a/poky/meta/recipes-support/serf/serf/0003-gen_def.patch b/poky/meta/recipes-support/serf/serf/0003-gen_def.patch
new file mode 100644
index 000000000..e37e9034b
--- /dev/null
+++ b/poky/meta/recipes-support/serf/serf/0003-gen_def.patch
@@ -0,0 +1,22 @@
+From 98e793d9f2250e7c1f9f1eb5dfd616a6a8829e9a Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 3 Sep 2018 11:12:27 -0700
+Subject: [PATCH] gen_def
+
+---
+ SConstruct | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/SConstruct b/SConstruct
+index 571bdce..877731e 100644
+--- a/SConstruct
++++ b/SConstruct
+@@ -158,6 +158,8 @@ env = Environment(variables=opts,
+ ENV = os.environ,
+ )
+
++gen_def_script = env.File('build/gen_def.py').rstr()
++
+ env.Append(BUILDERS = {
+ 'GenDef' :
+ Builder(action = '"%s" "%s" $SOURCES > $TARGET' % (sys.executable, gen_def_script,),
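Review bot: The header of 0003-gen_def.patch has no description, no `Upstream-Status:` and no `Signed-off-by:`, unlike the other three serf patches added by this commit, so its origin cannot be traced from the file. It defines `gen_def_script`, which 0002-SConstruct-Fix-path-quoting-for-.def-generator.patch already uses in the `GenDef` builder action, so 0002 applied alone leaves SConstruct referencing an undefined name. It looks like the second half of the same upstream change, though that is an inference from the two hunks. I would either fold it into 0002 or give it the same tags, e.g. `Upstream-Status: Backport [<upstream revision URL>]` plus a `Signed-off-by:` line.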
diff --git a/poky/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch b/poky/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch
new file mode 100644
index 000000000..02fa9e3a0
--- /dev/null
+++ b/poky/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch
@@ -0,0 +1,29 @@
+From 565211fd082ef653ca9c44a345350fc1451f5a0f Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 3 Sep 2018 11:12:38 -0700
+Subject: [PATCH] Follow-up to r1811083 fix building with scons 3.0.0 and
+ Python3
+
+* SConstruct: Append decode('utf-8) to FILE.get_contents() to avoid
+ TypeError: cannot use a string pattern on a bytes-like object
+
+Upstream-Status: Backport
+[https://svn.apache.org/viewvc/serf/trunk/SConstruct?r1=1811088&r2=1814604]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ SConstruct | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SConstruct b/SConstruct
+index 877731e..7678bb1 100644
+--- a/SConstruct
++++ b/SConstruct
+@@ -169,7 +169,7 @@ env.Append(BUILDERS = {
+ match = re.search('SERF_MAJOR_VERSION ([0-9]+).*'
+ 'SERF_MINOR_VERSION ([0-9]+).*'
+ 'SERF_PATCH_VERSION ([0-9]+)',
+- env.File('serf.h').get_contents(),
++ env.File('serf.h').get_contents().decode('utf-8'),
+ re.DOTALL)
+ MAJOR, MINOR, PATCH = [int(x) for x in match.groups()]
+ env.Append(MAJOR=str(MAJOR))
diff --git a/poky/meta/recipes-support/serf/serf_1.3.9.bb b/poky/meta/recipes-support/serf/serf_1.3.9.bb
index 2be5a069c..65a8114bb 100644
--- a/poky/meta/recipes-support/serf/serf_1.3.9.bb
+++ b/poky/meta/recipes-support/serf/serf_1.3.9.bb
@@ -1,7 +1,12 @@
SUMMARY = "High-Performance Asynchronous HTTP Client Library"
SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
file://norpath.patch \
- file://env.patch"
+ file://env.patch \
+ file://0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch \
+ file://0002-SConstruct-Fix-path-quoting-for-.def-generator.patch \
+ file://0003-gen_def.patch \
+ file://0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch \
+ "
SRC_URI[md5sum] = "370a6340ff20366ab088012cd13f2b57"
SRC_URI[sha256sum] = "549c2d21c577a8a9c0450facb5cca809f26591f048e466552240947bdf7a87cc"
diff --git a/poky/meta/recipes-support/sqlite/files/CVE-2018-8740.patch b/poky/meta/recipes-support/sqlite/files/CVE-2018-8740.patch
new file mode 100644
index 000000000..5d95e37af
--- /dev/null
+++ b/poky/meta/recipes-support/sqlite/files/CVE-2018-8740.patch
@@ -0,0 +1,47 @@
+From 19aed4d2be46c4516caf2bee31f79044bbd1d57d Mon Sep 17 00:00:00 2001
+From: Sinan Kaya <okaya@kernel.org>
+Date: Fri, 21 Sep 2018 16:22:01 +0000
+Subject: [PATCH] Detect databases whose schema is corrupted using a CREATE TABLE AS statement and issue an appropriate error message
+
+Upstream-Status: Backport [ https://www.sqlite.org/cgi/src/vdiff?from=1774f1c3baf0bc3d&to=d75e67654aa9620b&diff=1&w]
+Signed-off-by: Sinan Kaya <okaya@kernel.org>
+---
+ sqlite3.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 73c69ef..6863bc6 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -103474,8 +103474,6 @@ SQLITE_PRIVATE void sqlite3EndTable(
+ p = pParse->pNewTable;
+ if( p==0 ) return;
+
+- assert( !db->init.busy || !pSelect );
+-
+ /* If the db->init.busy is 1 it means we are reading the SQL off the
+ ** "sqlite_master" or "sqlite_temp_master" table on the disk.
+ ** So do not write to the disk again. Extract the root page number
+@@ -103486,6 +103484,10 @@ SQLITE_PRIVATE void sqlite3EndTable(
+ ** table itself. So mark it read-only.
+ */
+ if( db->init.busy ){
++ if( pSelect ){
++ sqlite3ErrorMsg(pParse, "");
++ return;
++ }
+ p->tnum = db->init.newTnum;
+ if( p->tnum==1 ) p->tabFlags |= TF_Readonly;
+ }
+@@ -117813,7 +117815,7 @@ static void corruptSchema(
+ char *z;
+ if( zObj==0 ) zObj = "?";
+ z = sqlite3MPrintf(db, "malformed database schema (%s)", zObj);
+- if( zExtra ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra);
++ if( zExtra && zExtra[0] ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra);
+ sqlite3DbFree(db, *pData->pzErrMsg);
+ *pData->pzErrMsg = z;
+ }
+--
+2.19.0
+
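Review bot: The patch header carries no `CVE:` tag, while the libcroco, libexif and taglib backports in this commit do. The file name contains the id, but I would still add `CVE: CVE-2018-8740` next to `Upstream-Status:` so the header is self-describing. In the code, `sqlite3ErrorMsg(pParse, "")` sets an empty message and appears to depend on the `zExtra[0]` test added to corruptSchema() to avoid a dangling " - " suffix. A short comment at the call, e.g. `/* empty text: corruptSchema() supplies the message */`, would document that coupling. Both functions continue outside the hunks shown.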
diff --git a/poky/meta/recipes-support/sqlite/sqlite3_3.22.0.bb b/poky/meta/recipes-support/sqlite/sqlite3_3.22.0.bb
index ef88659e9..b90f89886 100644
--- a/poky/meta/recipes-support/sqlite/sqlite3_3.22.0.bb
+++ b/poky/meta/recipes-support/sqlite/sqlite3_3.22.0.bb
@@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
SRC_URI = "\
http://www.sqlite.org/2018/sqlite-autoconf-${SQLITE_PV}.tar.gz \
+ file://CVE-2018-8740.patch \
"
SRC_URI[md5sum] = "96b5648d542e8afa6ab7ffb8db8ddc3d"
SRC_URI[sha256sum] = "2824ab1238b706bc66127320afbdffb096361130e23291f26928a027b885c612"
diff --git a/poky/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch b/poky/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch
new file mode 100644
index 000000000..cdd66e67f
--- /dev/null
+++ b/poky/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch
@@ -0,0 +1,51 @@
+From 272648ccfcccae30e002ccf34a22e075dd477278 Mon Sep 17 00:00:00 2001
+From: Scott Gayou <github.scott@gmail.com>
+Date: Mon, 4 Jun 2018 11:34:36 -0400
+Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868)
+
+This CVE is caused by a failure to check the minimum length
+of a ogg flac header. This header is detailed in full at:
+https://xiph.org/flac/ogg_mapping.html. Added more strict checking
+for entire header.
+
+Upstream-Status: Backport
+[https://github.com/taglib/taglib/pull/869/commits/272648ccfcccae30e002ccf34a22e075dd477278]
+
+CVE: CVE-2018-11439
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp
+index 53d0450..07ea9dc 100644
+--- a/taglib/ogg/flac/oggflacfile.cpp
++++ b/taglib/ogg/flac/oggflacfile.cpp
+@@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan()
+
+ if(!metadataHeader.startsWith("fLaC")) {
+ // FLAC 1.1.2+
++ // See https://xiph.org/flac/ogg_mapping.html for the header specification.
++ if(metadataHeader.size() < 13)
++ return;
++
++ if(metadataHeader[0] != 0x7f)
++ return;
++
+ if(metadataHeader.mid(1, 4) != "FLAC")
+ return;
+
+- if(metadataHeader[5] != 1)
+- return; // not version 1
++ if(metadataHeader[5] != 1 && metadataHeader[6] != 0)
++ return; // not version 1.0
++
++ if(metadataHeader.mid(9, 4) != "fLaC")
++ return;
+
+ metadataHeader = metadataHeader.mid(13);
+ }
+--
+2.7.4
+
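Review bot: The version test `if(metadataHeader[5] != 1 && metadataHeader[6] != 0)` returns only when both bytes are wrong, so a header with major version 1 and a non-zero minor, or another major with minor 0, is still accepted although the comment says "not version 1.0". To match the comment the condition would be `if(metadataHeader[5] != 1 || metadataHeader[6] != 0)`. The added `metadataHeader.size() < 13` check still bounds every index used in this block, so this is a parsing-strictness issue and does not bring back the out-of-bounds read. Because the line is taken from the upstream commit, any change is best raised upstream so the backport does not diverge. Ogg::FLAC::File::scan() continues outside the hunk.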
diff --git a/poky/meta/recipes-support/taglib/taglib_1.11.1.bb b/poky/meta/recipes-support/taglib/taglib_1.11.1.bb
index 50439bc14..01dcf66d1 100644
--- a/poky/meta/recipes-support/taglib/taglib_1.11.1.bb
+++ b/poky/meta/recipes-support/taglib/taglib_1.11.1.bb
@@ -10,6 +10,7 @@ DEPENDS = "zlib"
SRC_URI = "http://taglib.github.io/releases/${BP}.tar.gz \
file://CVE-2017-12678.patch \
+ file://CVE-2018-11439.patch \
"
SRC_URI[md5sum] = "cee7be0ccfc892fa433d6c837df9522a"