poky: sumo refresh 51872d3f99..3b8dc3a88e

Update poky to sumo HEAD.

Andrej Valek (1):
      wpa-supplicant: fix CVE-2018-14526

Armin Kuster (2):
      xserver-xorg: config: fix NULL value detection for ID_INPUT being unset
      binutils: Change the ARM assembler's ADR and ADRl pseudo-ops so that they will only set the bottom bit of imported thumb function symbols if the -mthumb-interwork option is active.

Bruce Ashfield (3):
      linux-yocto/4.12: update to v4.12.28
      linux-yocto/4.14: update to v4.14.62
      linux-yocto/4.14: update to v4.14.67

Changqing Li (6):
      libexif: patch for CVE-2017-7544
      squashfs-tools: patch for CVE-2015-4645(4646)
      libcroco: patch for CVE-2017-7960
      libid3tag: patch for CVE-2004-2779
      libice: patch for CVE-2017-2626
      apr-util: fix ptest fail problem

Chen Qi (2):
      util-linux: upgrade 2.32 -> 2.32.1
      busybox: move init related configs to init.cfg

Jagadeesh Krishnanjanappa (2):
      libarchive: CVE-2017-14501
      libcgroup: CVE-2018-14348

Jon Szymaniak (1):
      cve-check.bbclass: detect CVE IDs listed on multiple lines

Joshua Lock (1):
      os-release: fix to install in the expected location

Khem Raj (1):
      serf: Fix Sconstruct build with python 3.7

Konstantin Shemyak (1):
      cve-check.bbclass: do not download the CVE DB in package-specific tasks

Mike Looijmans (1):
      busybox/mdev-mount.sh: Fix partition detect and cleanup mountpoint on fail

Ross Burton (1):
      lrzsz: fix CVE-2018-10195

Sinan Kaya (3):
      busybox: CVE-2017-15874
      libpng: CVE-2018-13785
      sqlite3: CVE-2018-8740

Yadi.hu (1):
      busybox: handle syslog

Yi Zhao (2):
      blktrace: Security fix CVE-2018-10689
      taglib: Security fix CVE-2018-11439

Zheng Ruoqin (1):
      glibc: fix CVE-2018-11237

Change-Id: I2eb1fe6574638de745e4bfc106b86fe797b977c8
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>

54 files changed, 1468 insertions, 60 deletions

diff --git a/poky/meta/classes/cve-check.bbclass b/poky/meta/classes/cve-check.bbclass
index 537659df1..12ad3e5c5 100644
--- a/poky/meta/classes/cve-check.bbclass
+++ b/poky/meta/classes/cve-check.bbclass
@@ -146,15 +146,17 @@ def get_patches_cves(d):
                 with open(patch_file, "r", encoding="iso8859-1") as f:
                     patch_text = f.read()
 
-        # Search for the "CVE: " line
-        match = cve_match.search(patch_text)
-        if match:
+        # Search for one or more "CVE: " lines
+        text_match = False
+        for match in cve_match.finditer(patch_text):
             # Get only the CVEs without the "CVE: " tag
             cves = patch_text[match.start()+5:match.end()]
             for cve in cves.split():
                 bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
                 patched_cves.add(cve)
-        elif not fname_match:
+                text_match = True
+
+        if not fname_match and not text_match:
             bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
 
     return patched_cves
@@ -177,7 +179,7 @@ def check_cves(d, patched_cves):
     cve_db_dir = d.getVar("CVE_CHECK_DB_DIR")
     cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
     cve_cmd = "cve-check-tool"
-    cmd = [cve_cmd, "--no-html", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir]
+    cmd = [cve_cmd, "--no-html", "--skip-update", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir]
 
     # If the recipe has been whitlisted we return empty lists
     if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split():
diff --git a/poky/meta/recipes-bsp/lrzsz/lrzsz-0.12.20/cve-2018-10195.patch b/poky/meta/recipes-bsp/lrzsz/lrzsz-0.12.20/cve-2018-10195.patch
new file mode 100644
index 000000000..dea298634
--- /dev/null
+++ b/poky/meta/recipes-bsp/lrzsz/lrzsz-0.12.20/cve-2018-10195.patch
@@ -0,0 +1,28 @@
+Integer overflow in src/zm.c:zsdata() causes crash in sz and can leak information to receiver.
+
+Patch taken from Fedora.
+
+CVE: CVE-2018-10195
+Upstream-Status: Inappropriate (dead upstream)
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+diff -urN lrzsz-0.12.20/src/zm.c lrzsz-0.12.20.new/src/zm.c
+--- lrzsz-0.12.20/src/zm.c	Tue Dec 29 09:48:38 1998
++++ lrzsz-0.12.20.new/src/zm.c	Tue Oct  8 12:46:58 2002
+@@ -431,10 +431,12 @@
+ 	VPRINTF(3,("zsdata: %lu %s", (unsigned long) length, 
+ 		Zendnames[(frameend-ZCRCE)&3]));
+ 	crc = 0;
+-	do {
+-		zsendline(*buf); crc = updcrc((0377 & *buf), crc);
+-		buf++;
+-	} while (--length>0);
++
++	for( ; length; length--) {
++	  zsendline(*buf); crc = updcrc((0377 & *buf), crc);
++	  buf++;
++	}
++
+ 	xsendline(ZDLE); xsendline(frameend);
+ 	crc = updcrc(frameend, crc);
+ 
\ No newline at end of file
diff --git a/poky/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb b/poky/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb
index 4b349be32..002c774c6 100644
--- a/poky/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb
+++ b/poky/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://www.ohse.de/uwe/releases/lrzsz-${PV}.tar.gz \
 	   file://acdefine.patch \
 	   file://lrzsz_fix_for_automake-1.12.patch \
            file://lrzsz-check-locale.h.patch \
+           file://cve-2018-10195.patch \
            "
 
 SRC_URI[md5sum] = "b5ce6a74abc9b9eb2af94dffdfd372a4"
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa_supplicant-CVE-2018-14526.patch b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa_supplicant-CVE-2018-14526.patch
new file mode 100644
index 000000000..e800a410e
--- /dev/null
+++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa_supplicant-CVE-2018-14526.patch
@@ -0,0 +1,44 @@
+wpa_supplicant-2.6: Fix CVE-2018-14526
+
+[No upstream tracking] -- https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
+
+wpa: Ignore unauthenticated encrypted EAPOL-Key data
+
+Ignore unauthenticated encrypted EAPOL-Key data in supplicant
+processing. When using WPA2, these are frames that have the Encrypted
+flag set, but not the MIC flag.
+
+When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
+not the MIC flag, had their data field decrypted without first verifying
+the MIC. In case the data field was encrypted using RC4 (i.e., when
+negotiating TKIP as the pairwise cipher), this meant that
+unauthenticated but decrypted data would then be processed. An adversary
+could abuse this as a decryption oracle to recover sensitive information
+in the data field of EAPOL-Key messages (e.g., the group key).
+
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/src/rsn_supp/wpa.c?id=3e34cfdff6b192fe337c6fb3f487f73e96582961]
+CVE: CVE-2018-14526
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 3c47879..6bdf923 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -2016,6 +2016,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
+
+ 	if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
+ 	    (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
++		/*
++		 * Only decrypt the Key Data field if the frame's authenticity
++		 * was verified. When using AES-SIV (FILS), the MIC flag is not
++		 * set, so this check should only be performed if mic_len != 0
++		 * which is the case in this code branch.
++		 */
++		if (!(key_info & WPA_KEY_INFO_MIC)) {
++			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++				"WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
++			goto out;
++		}
+ 		if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data,
+ 						    &key_data_len))
+ 			goto out;
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb
index e68453748..aa4c4c2da 100644
--- a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb
+++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb
@@ -32,6 +32,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz  \
            file://key-replay-cve-multiple6.patch \
            file://key-replay-cve-multiple7.patch \
            file://key-replay-cve-multiple8.patch \
+           file://wpa_supplicant-CVE-2018-14526.patch \
           "
 SRC_URI[md5sum] = "091569eb4440b7d7f2b4276dbfc03c3c"
 SRC_URI[sha256sum] = "b4936d34c4e6cdd44954beba74296d964bc2c9668ecaa5255e499636fe2b1450"
diff --git a/poky/meta/recipes-core/busybox/busybox.inc b/poky/meta/recipes-core/busybox/busybox.inc
index d1675c37a..8c6dbbaf9 100644
--- a/poky/meta/recipes-core/busybox/busybox.inc
+++ b/poky/meta/recipes-core/busybox/busybox.inc
@@ -315,20 +315,24 @@ do_install () {
         fi
 
     if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+        if grep -q "CONFIG_KLOGD=y" ${B}/.config; then
+            install -d ${D}${systemd_unitdir}/system
+            sed 's,@base_sbindir@,${base_sbindir},g' < ${WORKDIR}/busybox-klogd.service.in \
+            > ${D}${systemd_unitdir}/system/busybox-klogd.service
+        fi
+
         if grep -q "CONFIG_SYSLOGD=y" ${B}/.config; then
             install -d ${D}${systemd_unitdir}/system
             sed 's,@base_sbindir@,${base_sbindir},g' < ${WORKDIR}/busybox-syslog.service.in \
 		> ${D}${systemd_unitdir}/system/busybox-syslog.service
+            if  [ ! -e ${D}${systemd_unitdir}/system/busybox-klogd.service ] ; then
+                sed -i '/klog/d' ${D}${systemd_unitdir}/system/busybox-syslog.service
+            fi
             if [ -f ${WORKDIR}/busybox-syslog.default ] ; then
 		install -d ${D}${sysconfdir}/default
 		install -m 0644 ${WORKDIR}/busybox-syslog.default ${D}${sysconfdir}/default/busybox-syslog
             fi
         fi
-        if grep -q "CONFIG_KLOGD=y" ${B}/.config; then
-            install -d ${D}${systemd_unitdir}/system
-            sed 's,@base_sbindir@,${base_sbindir},g' < ${WORKDIR}/busybox-klogd.service.in \
-		> ${D}${systemd_unitdir}/system/busybox-klogd.service
-        fi
     fi
 
     # Remove the sysvinit specific configuration file for systemd systems to avoid confusion
diff --git a/poky/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch b/poky/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch
new file mode 100644
index 000000000..67b4ed7e1
--- /dev/null
+++ b/poky/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch
@@ -0,0 +1,30 @@
+From e75c01bb3249df16201b482b79bb24bec3b58188 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Fri, 27 Oct 2017 15:37:03 +0200
+Subject: [PATCH] unlzma: fix SEGV, closes 10436
+
+Upstream-Status: Backport [ https://git.busybox.net/busybox/commit/?id=9ac42c500586fa5f10a1f6d22c3f797df11b1f6b]
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Sinan Kaya <okaya@kernel.org>
+---
+ archival/libarchive/decompress_unlzma.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
+index 29eee2a..41e492f 100644
+--- a/archival/libarchive/decompress_unlzma.c
++++ b/archival/libarchive/decompress_unlzma.c
+@@ -353,6 +353,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ 						pos = buffer_pos - rep0;
+ 						if ((int32_t)pos < 0) {
+ 							pos += header.dict_size;
++							/* bug 10436 has an example file where this triggers: */
++							if ((int32_t)pos < 0)
++								goto bad;
++
+ 							/* see unzip_bad_lzma_2.zip: */
+ 							if (pos >= buffer_size)
+ 								goto bad;
+-- 
+2.19.0
+
diff --git a/poky/meta/recipes-core/busybox/busybox/defconfig b/poky/meta/recipes-core/busybox/busybox/defconfig
index fbb5fd852..59d93c707 100644
--- a/poky/meta/recipes-core/busybox/busybox/defconfig
+++ b/poky/meta/recipes-core/busybox/busybox/defconfig
@@ -468,21 +468,21 @@ CONFIG_FEATURE_XARGS_SUPPORT_REPL_STR=y
 # CONFIG_BOOTCHARTD is not set
 # CONFIG_FEATURE_BOOTCHARTD_BLOATED_HEADER is not set
 # CONFIG_FEATURE_BOOTCHARTD_CONFIG_FILE is not set
-CONFIG_HALT=y
-CONFIG_POWEROFF=y
-CONFIG_REBOOT=y
+# CONFIG_HALT is not set
+# CONFIG_POWEROFF is not set
+# CONFIG_REBOOT is not set
 # CONFIG_FEATURE_CALL_TELINIT is not set
-CONFIG_TELINIT_PATH=""
+# CONFIG_TELINIT_PATH is not set
 # CONFIG_INIT is not set
 # CONFIG_LINUXRC is not set
 # CONFIG_FEATURE_USE_INITTAB is not set
 # CONFIG_FEATURE_KILL_REMOVED is not set
-CONFIG_FEATURE_KILL_DELAY=0
+# CONFIG_FEATURE_KILL_DELAY is not set
 # CONFIG_FEATURE_INIT_SCTTY is not set
 # CONFIG_FEATURE_INIT_SYSLOG is not set
 # CONFIG_FEATURE_INIT_QUIET is not set
 # CONFIG_FEATURE_INIT_COREDUMPS is not set
-CONFIG_INIT_TERMINAL_TYPE=""
+# CONFIG_INIT_TERMINAL_TYPE is not set
 # CONFIG_FEATURE_INIT_MODIFY_CMDLINE is not set
 
 #
diff --git a/poky/meta/recipes-core/busybox/busybox/init.cfg b/poky/meta/recipes-core/busybox/busybox/init.cfg
index 006d4c633..3c1fdd42b 100644
--- a/poky/meta/recipes-core/busybox/busybox/init.cfg
+++ b/poky/meta/recipes-core/busybox/busybox/init.cfg
@@ -1,3 +1,8 @@
 CONFIG_INIT=y
 CONFIG_FEATURE_USE_INITTAB=y
-
+CONFIG_HALT=y
+CONFIG_POWEROFF=y
+CONFIG_REBOOT=y
+CONFIG_FEATURE_KILL_DELAY=0
+CONFIG_TELINIT_PATH=""
+CONFIG_INIT_TERMINAL_TYPE=""
diff --git a/poky/meta/recipes-core/busybox/busybox_1.27.2.bb b/poky/meta/recipes-core/busybox/busybox_1.27.2.bb
index 1ce4823d4..bab29728e 100644
--- a/poky/meta/recipes-core/busybox/busybox_1.27.2.bb
+++ b/poky/meta/recipes-core/busybox/busybox_1.27.2.bb
@@ -47,6 +47,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://busybox-CVE-2017-16544.patch \
            file://busybox-fix-lzma-segfaults.patch \
            file://umount-ignore-c.patch \
+           file://CVE-2017-15874.patch \
 "
 SRC_URI_append_libc-musl = " file://musl.cfg "
 
diff --git a/poky/meta/recipes-core/busybox/files/mdev-mount.sh b/poky/meta/recipes-core/busybox/files/mdev-mount.sh
index b4385a157..130e9472f 100644
--- a/poky/meta/recipes-core/busybox/files/mdev-mount.sh
+++ b/poky/meta/recipes-core/busybox/files/mdev-mount.sh
@@ -25,7 +25,7 @@ case "$ACTION" in
 		fi
 		# check for full-disk partition
 		if [ "${DEVBASE}" = "${MDEV}" ] ; then
-			if [ -d /sys/block/${DEVBASE}/${DEVBASE}*1 ] ; then
+			if [ -f /sys/block/${DEVBASE}/${DEVBASE}*1/partition ] ; then
 				# Partition detected, just quit
 				exit 0
 			fi
@@ -43,7 +43,7 @@ case "$ACTION" in
 		then
 			MOUNTPOINT="${MDEV_AUTOMOUNT_ROOT}/$MDEV"
 			mkdir -p "$MOUNTPOINT"
-			mount -t auto /dev/$MDEV "$MOUNTPOINT"
+			mount -t auto /dev/$MDEV "$MOUNTPOINT" || rmdir "$MOUNTPOINT"
 		fi
 		;;
 	remove)
diff --git a/poky/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch b/poky/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch
new file mode 100644
index 000000000..632aa565e
--- /dev/null
+++ b/poky/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch
@@ -0,0 +1,82 @@
+From 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Tue, 22 May 2018 10:37:59 +0200
+Subject: [PATCH] Don't write beyond destination in
+ __mempcpy_avx512_no_vzeroupper (bug 23196)
+
+When compiled as mempcpy, the return value is the end of the destination
+buffer, thus it cannot be used to refer to the start of it.
+
+2018-05-23  Andreas Schwab  <schwab@suse.de>
+
+       [BZ #23196]
+       CVE-2018-11237
+       * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+       (L(preloop_large)): Save initial destination pointer in %r11 and
+       use it instead of %rax after the loop.
+       * string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
+
+CVE: CVE-2018-11237
+Upstream-Status: Backport
+Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
+---
+ ChangeLog                                               | 9 +++++++++
+ string/test-mempcpy.c                                   | 1 +
+ sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++--
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index fa0a07c..bc09dec 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,12 @@
++2018-05-23  Andreas Schwab  <schwab@suse.de>
++
++	[BZ #23196]
++	CVE-2018-11237
++	* sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
++	(L(preloop_large)): Save initial destination pointer in %r11 and
++	use it instead of %rax after the loop.
++	* string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
++
+ 2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
+ 
+ 	[BZ #22786]
+diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
+index c08fba8..d98ecdd 100644
+--- a/string/test-mempcpy.c
++++ b/string/test-mempcpy.c
+@@ -18,6 +18,7 @@
+    <http://www.gnu.org/licenses/>.  */
+ 
+ #define MEMCPY_RESULT(dst, len) (dst) + (len)
++#define MIN_PAGE_SIZE 131072
+ #define TEST_MAIN
+ #define TEST_NAME "mempcpy"
+ #include "test-string.h"
+diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+index 23c0f7a..a55cf6f 100644
+--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
++++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+@@ -335,6 +335,7 @@ L(preloop_large):
+ 	ja	L(preloop_large_bkw)
+ 	vmovups	(%rsi), %zmm4
+ 	vmovups	0x40(%rsi), %zmm5
++	mov     %rdi, %r11
+ 
+ /* Align destination for access with non-temporal stores in the loop.  */
+ 	mov	%rdi, %r8
+@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
+ 	cmp	$256, %rdx
+ 	ja	L(gobble_256bytes_nt_loop)
+ 	sfence
+-	vmovups	%zmm4, (%rax)
+-	vmovups	%zmm5, 0x40(%rax)
++	vmovups %zmm4, (%r11)
++	vmovups %zmm5, 0x40(%r11)
+ 	jmp	L(check)
+ 
+ L(preloop_large_bkw):
+-- 
+2.7.4
+
diff --git a/poky/meta/recipes-core/glibc/glibc_2.27.bb b/poky/meta/recipes-core/glibc/glibc_2.27.bb
index 22a9881ea..adee494c2 100644
--- a/poky/meta/recipes-core/glibc/glibc_2.27.bb
+++ b/poky/meta/recipes-core/glibc/glibc_2.27.bb
@@ -47,6 +47,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0030-plural_c_no_preprocessor_lines.patch \
            file://CVE-2017-18269.patch \
            file://CVE-2018-11236.patch \
+           file://CVE-2018-11237.patch \
 "
 
 NATIVESDKFIXES ?= ""
diff --git a/poky/meta/recipes-core/libcgroup/libcgroup/CVE-2018-14348.patch b/poky/meta/recipes-core/libcgroup/libcgroup/CVE-2018-14348.patch
new file mode 100644
index 000000000..d133703de
--- /dev/null
+++ b/poky/meta/recipes-core/libcgroup/libcgroup/CVE-2018-14348.patch
@@ -0,0 +1,37 @@
+From 0d88b73d189ea3440ccaab00418d6469f76fa590 Mon Sep 17 00:00:00 2001
+From: Michal Hocko <mhocko@suse.com>
+Date: Wed, 18 Jul 2018 11:24:29 +0200
+Subject: [PATCH] cgrulesengd: remove umask(0)
+
+One of our partners has noticed that cgred daemon is creating a log file
+(/var/log/cgred) with too wide permissions (0666) and that is seen as
+a security bug because an untrusted user can write to otherwise
+restricted area. CVE-2018-14348 has been assigned to this issue.
+
+CVE: CVE-2018-14348
+Upstream-Status: Backport [https://sourceforge.net/p/libcg/libcg/ci/0d88b73d189ea3440ccaab00418d6469f76fa590]
+
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Balbir Singh <bsingharora@gmail.com>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ src/daemon/cgrulesengd.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c
+index ea51f11..0d288f3 100644
+--- a/src/daemon/cgrulesengd.c
++++ b/src/daemon/cgrulesengd.c
+@@ -889,9 +889,6 @@ int cgre_start_daemon(const char *logp, const int logf,
+ 		} else if (pid > 0) {
+ 			exit(EXIT_SUCCESS);
+ 		}
+-
+-		/* Change the file mode mask. */
+-		umask(0);
+ 	} else {
+ 		flog(LOG_DEBUG, "Not using daemon mode\n");
+ 		pid = getpid();
+-- 
+2.13.3
+
diff --git a/poky/meta/recipes-core/libcgroup/libcgroup_0.41.bb b/poky/meta/recipes-core/libcgroup/libcgroup_0.41.bb
index 7ddc81e9b..92d7261b0 100644
--- a/poky/meta/recipes-core/libcgroup/libcgroup_0.41.bb
+++ b/poky/meta/recipes-core/libcgroup/libcgroup_0.41.bb
@@ -11,7 +11,8 @@ inherit autotools pkgconfig
 
 DEPENDS = "bison-native flex-native"
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/project/libcg/${BPN}/v0.41/${BPN}-${PV}.tar.bz2"
+SRC_URI = "${SOURCEFORGE_MIRROR}/project/libcg/${BPN}/v0.41/${BPN}-${PV}.tar.bz2 \
+           file://CVE-2018-14348.patch"
 SRC_URI_append_libc-musl = " file://musl-decls-compat.patch"
 
 SRC_URI[md5sum] = "3dea9d50b8a5b73ff0bf1cdcb210f63f"
diff --git a/poky/meta/recipes-core/os-release/os-release.bb b/poky/meta/recipes-core/os-release/os-release.bb
index f98870475..bf4f815a1 100644
--- a/poky/meta/recipes-core/os-release/os-release.bb
+++ b/poky/meta/recipes-core/os-release/os-release.bb
@@ -1,7 +1,7 @@
 inherit allarch
 
 SUMMARY = "Operating system identification"
-DESCRIPTION = "The /etc/os-release file contains operating system identification data."
+DESCRIPTION = "The /usr/lib/os-release file contains operating system identification data."
 LICENSE = "MIT"
 INHIBIT_DEFAULT_DEPS = "1"
 
@@ -42,6 +42,9 @@ python do_compile () {
 do_compile[vardeps] += "${OS_RELEASE_FIELDS}"
 
 do_install () {
-    install -d ${D}${sysconfdir}
-    install -m 0644 os-release ${D}${sysconfdir}/
+    install -d ${D}${libdir} ${D}${sysconfdir}
+    install -m 0644 os-release ${D}${libdir}/
+    lnr ${D}${libdir}/os-release ${D}${sysconfdir}/os-release
 }
+
+FILES_${PN} += "${libdir}/os-release"
diff --git a/poky/meta/recipes-core/util-linux/util-linux_2.32.bb b/poky/meta/recipes-core/util-linux/util-linux_2.32.1.bb
index 55cc98c20..455b9377b 100644
--- a/poky/meta/recipes-core/util-linux/util-linux_2.32.bb
+++ b/poky/meta/recipes-core/util-linux/util-linux_2.32.1.bb
@@ -15,8 +15,8 @@ SRC_URI += "file://configure-sbindir.patch \
             file://display_testname_for_subtest.patch \
             file://avoid_parallel_tests.patch \
 "
-SRC_URI[md5sum] = "e0d8a25853f88cd15ff557e5d8cb4ea7"
-SRC_URI[sha256sum] = "6c7397abc764e32e8159c2e96042874a190303e77adceb4ac5bd502a272a4734"
+SRC_URI[md5sum] = "9e5b1b8c1dc99455bdb6b462cf9436d9"
+SRC_URI[sha256sum] = "86e6707a379c7ff5489c218cfaf1e3464b0b95acf7817db0bc5f179e356a67b2"
 
 CACHED_CONFIGUREVARS += "scanf_cv_alloc_modifier=ms"
 
diff --git a/poky/meta/recipes-devtools/binutils/binutils-2.30.inc b/poky/meta/recipes-devtools/binutils/binutils-2.30.inc
index 37243db1b..35d7d9b93 100644
--- a/poky/meta/recipes-devtools/binutils/binutils-2.30.inc
+++ b/poky/meta/recipes-devtools/binutils/binutils-2.30.inc
@@ -47,6 +47,7 @@ SRC_URI = "\
      file://CVE-2018-10372.patch \
      file://CVE-2018-10535.patch \
      file://CVE-2018-10534.patch \
+     file://0001-Change-the-ARM-assembler-s-ADR-and-ADRl-pseudo-ops-s.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/poky/meta/recipes-devtools/binutils/binutils/0001-Change-the-ARM-assembler-s-ADR-and-ADRl-pseudo-ops-s.patch b/poky/meta/recipes-devtools/binutils/binutils/0001-Change-the-ARM-assembler-s-ADR-and-ADRl-pseudo-ops-s.patch
new file mode 100644
index 000000000..8604e678d
--- /dev/null
+++ b/poky/meta/recipes-devtools/binutils/binutils/0001-Change-the-ARM-assembler-s-ADR-and-ADRl-pseudo-ops-s.patch
@@ -0,0 +1,176 @@
+From fc6141f097056f830a412afebed8d81a9d72b696 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 20 Jun 2018 12:38:10 +0100
+Subject: [PATCH] Change the ARM assembler's ADR and ADRl pseudo-ops so that
+ they will only set the bottom bit of imported thumb function symbols if the
+ -mthumb-interwork option is active.
+
+For more information see the email thread starting here:
+https://www.sourceware.org/ml/binutils/2018-05/msg00348.html
+
+	PR 21458
+	* tc-arm.c (do_adr): Only set the bottom bit of an imported thumb
+	function symbol address if -mthumb-interwork is active.
+	(do_adrl): Likewise.
+	* doc/c-arm.texi: Update descriptions of the -mthumb-interwork
+	option and the ADR and ADRL pseudo-ops.
+	* NEWS: Mention the new behaviour of the ADR and ADRL pseudo-ops.
+	* testsuite/gas/arm/pr21458.d: Add -mthumb-interwork option to
+	assembler command line.
+	* testsuite/gas/arm/adr.d: Likewise.
+	* testsuite/gas/arm/adrl.d: Likewise.
+---
+ gas/ChangeLog                   | 14 ++++++++++++++
+ gas/NEWS                        |  4 ++++
+ gas/config/tc-arm.c             | 10 ++++++----
+ gas/doc/c-arm.texi              | 17 ++++++++++++++++-
+ gas/testsuite/gas/arm/adr.d     |  1 +
+ gas/testsuite/gas/arm/adrl.d    |  1 +
+ gas/testsuite/gas/arm/pr21458.d |  3 ++-
+ 7 files changed, 44 insertions(+), 6 deletions(-)
+
+Index: git/gas/config/tc-arm.c
+===================================================================
+--- git.orig/gas/config/tc-arm.c
++++ git/gas/config/tc-arm.c
+@@ -8410,11 +8410,12 @@ do_adr (void)
+   inst.reloc.pc_rel = 1;
+   inst.reloc.exp.X_add_number -= 8;
+ 
+-  if (inst.reloc.exp.X_op == O_symbol
++  if (support_interwork
++      && inst.reloc.exp.X_op == O_symbol
+       && inst.reloc.exp.X_add_symbol != NULL
+       && S_IS_DEFINED (inst.reloc.exp.X_add_symbol)
+       && THUMB_IS_FUNC (inst.reloc.exp.X_add_symbol))
+-    inst.reloc.exp.X_add_number += 1;
++    inst.reloc.exp.X_add_number |= 1;
+ }
+ 
+ /* This is a pseudo-op of the form "adrl rd, label" to be converted
+@@ -8434,11 +8435,12 @@ do_adrl (void)
+   inst.size		       = INSN_SIZE * 2;
+   inst.reloc.exp.X_add_number -= 8;
+ 
+-  if (inst.reloc.exp.X_op == O_symbol
++  if (support_interwork
++      && inst.reloc.exp.X_op == O_symbol
+       && inst.reloc.exp.X_add_symbol != NULL
+       && S_IS_DEFINED (inst.reloc.exp.X_add_symbol)
+       && THUMB_IS_FUNC (inst.reloc.exp.X_add_symbol))
+-    inst.reloc.exp.X_add_number += 1;
++    inst.reloc.exp.X_add_number |= 1;
+ }
+ 
+ static void
+Index: git/gas/doc/c-arm.texi
+===================================================================
+--- git.orig/gas/doc/c-arm.texi
++++ git/gas/doc/c-arm.texi
+@@ -317,7 +317,8 @@ instructions; that is, it should behave
+ @cindex @code{-mthumb-interwork} command line option, ARM
+ @item -mthumb-interwork
+ This option specifies that the output generated by the assembler should
+-be marked as supporting interworking.
++be marked as supporting interworking.  It also affects the behaviour
++of the @code{ADR} and @code{ADRL} pseudo opcodes.
+ 
+ @cindex @code{-mimplicit-it} command line option, ARM
+ @item -mimplicit-it=never
+@@ -1060,6 +1061,16 @@ out of range, or if it is not defined in
+ the ADR instruction, then an error will be generated.  This instruction
+ will not make use of the literal pool.
+ 
++If @var{label} is a thumb function symbol, and thumb interworking has
++been enabled via the @option{-mthumb-interwork} option then the bottom
++bit of the value stored into @var{register} will be set.  This allows
++the following sequence to work as expected:
++
++@smallexample
++  adr     r0, thumb_function
++  blx     r0
++@end smallexample
++
+ @cindex @code{ADRL reg,<label>} pseudo op, ARM
+ @item ADRL
+ @smallexample
+@@ -1076,6 +1087,10 @@ If the label is out of range, or if it i
+ (and section) as the ADRL instruction, then an error will be generated.
+ This instruction will not make use of the literal pool.
+ 
++If @var{label} is a thumb function symbol, and thumb interworking has
++been enabled via the @option{-mthumb-interwork} option then the bottom
++bit of the value stored into @var{register} will be set.
++
+ @end table
+ 
+ For information on the ARM or Thumb instruction sets, see @cite{ARM
+Index: git/gas/testsuite/gas/arm/adr.d
+===================================================================
+--- git.orig/gas/testsuite/gas/arm/adr.d
++++ git/gas/testsuite/gas/arm/adr.d
+@@ -1,3 +1,4 @@
++#as: -mthumb-interwork
+ #objdump: -dr --prefix-addresses --show-raw-insn
+ #name: ADR
+ 
+Index: git/gas/testsuite/gas/arm/adrl.d
+===================================================================
+--- git.orig/gas/testsuite/gas/arm/adrl.d
++++ git/gas/testsuite/gas/arm/adrl.d
+@@ -1,3 +1,4 @@
++#as: -mthumb-interwork
+ #objdump: -dr --prefix-addresses --show-raw-insn
+ #name: ADRL
+ 
+Index: git/gas/ChangeLog
+===================================================================
+--- git.orig/gas/ChangeLog
++++ git/gas/ChangeLog
+@@ -1,3 +1,17 @@
++2018-06-20  Nick Clifton  <nickc@redhat.com>
++
++       PR 21458
++       * tc-arm.c (do_adr): Only set the bottom bit of an imported thumb
++       function symbol address if -mthumb-interwork is active.
++       (do_adrl): Likewise.
++       * doc/c-arm.texi: Update descriptions of the -mthumb-interwork
++       option and the ADR and ADRL pseudo-ops.
++       * NEWS: Mention the new behaviour of the ADR and ADRL pseudo-ops.
++       * testsuite/gas/arm/pr21458.d: Add -mthumb-interwork option to
++       assembler command line.
++       * testsuite/gas/arm/adr.d: Likewise.
++       * testsuite/gas/arm/adrl.d: Likewise.
++
+ 2018-02-05  Nick Clifton  <nickc@redhat.com>
+ 
+ 	* po/ru.po: Updated Russian translation.
+Index: git/gas/NEWS
+===================================================================
+--- git.orig/gas/NEWS
++++ git/gas/NEWS
+@@ -1,5 +1,9 @@
+ -*- text -*-
+ 
++* The ADR and ADRL pseudo-instructions supported by the ARM assembler
++  now only set the bottom bit of the address of thumb function symbols
++  if the -mthumb-interwork command line option is active.
++
+ Changes in 2.30:
+ 
+ * Add support for loaction views in DWARF debug line information.
+Index: git/gas/testsuite/gas/arm/pr21458.d
+===================================================================
+--- git.orig/gas/testsuite/gas/arm/pr21458.d
++++ git/gas/testsuite/gas/arm/pr21458.d
+@@ -1,8 +1,9 @@
++#as: -mthumb-interwork
+ #objdump: -d --prefix-addresses --show-raw-insn
+ #name: ADR(L) for Thumb functions
+ #skip: *-*-pe *-wince-* *-*-coff *-*-vxworks
+ 
+-# Test that using ADR(L) on thumb function symbols sets the T bit.
++# Test that using ADR(L) on thumb function symbols sets the T bit when -mthumb-interwork is active.
+ 
+ .*: +file format .*arm.*
+ 
diff --git a/poky/meta/recipes-devtools/squashfs-tools/squashfs-tools/0001-squashfs-tools-patch-for-CVE-2015-4645-6.patch b/poky/meta/recipes-devtools/squashfs-tools/squashfs-tools/0001-squashfs-tools-patch-for-CVE-2015-4645-6.patch
new file mode 100644
index 000000000..2261ea94b
--- /dev/null
+++ b/poky/meta/recipes-devtools/squashfs-tools/squashfs-tools/0001-squashfs-tools-patch-for-CVE-2015-4645-6.patch
@@ -0,0 +1,47 @@
+From 3c0d67184d6edb63f3b7d6d5eb81531daa6388f3 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Tue, 28 Aug 2018 16:25:36 +0800
+Subject: [PATCH] squashfs-tools: patch for CVE-2015-4645(6)
+
+Upstream-Status: Backport[https://github.com/devttys0/sasquatch/pull/
+                 5/commits/6777e08cc38bc780d27c69c1d8c272867b74524f]
+
+CVE: CVE-2015-4645 CVE-2015-4646
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ squashfs-tools/unsquash-4.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
+index ecdaac7..692ae25 100644
+--- a/squashfs-tools/unsquash-4.c
++++ b/squashfs-tools/unsquash-4.c
+@@ -31,9 +31,9 @@ static unsigned int *id_table;
+ int read_fragment_table_4(long long *directory_table_end)
+ {
+ 	int res, i;
+-	int bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments);
+-	int  indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk.s.fragments);
+-	long long fragment_table_index[indexes];
++	size_t bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments);
++	size_t indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk.s.fragments);
++	long long *fragment_table_index;
+ 
+ 	TRACE("read_fragment_table: %d fragments, reading %d fragment indexes "
+ 		"from 0x%llx\n", sBlk.s.fragments, indexes,
+@@ -43,6 +43,11 @@ int read_fragment_table_4(long long *directory_table_end)
+ 		*directory_table_end = sBlk.s.fragment_table_start;
+ 		return TRUE;
+ 	}
++        
++	fragment_table_index = malloc(indexes*sizeof(long long));
++	if(fragment_table_index == NULL)
++		EXIT_UNSQUASH("read_fragment_table: failed to allocate "
++			"fragment table index\n");
+ 
+ 	fragment_table = malloc(bytes);
+ 	if(fragment_table == NULL)
+-- 
+2.7.4
+
diff --git a/poky/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb b/poky/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
index a8baca51e..1eb0154fd 100644
--- a/poky/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
+++ b/poky/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/plougher/squashfs-tools.git;protocol=https \
            file://0001-mksquashfs.c-get-inline-functions-work-with-C99.patch;striplevel=2 \
            file://squashfs-tools-4.3-sysmacros.patch;striplevel=2 \
            file://fix-compat.patch \
+           file://0001-squashfs-tools-patch-for-CVE-2015-4645-6.patch;striplevel=2 \
 "
 UPSTREAM_CHECK_COMMITS = "1"
 SRC_URI[lzma.md5sum] = "29d5ffd03a5a3e51aef6a74e9eafb759"
diff --git a/poky/meta/recipes-extended/libarchive/libarchive/CVE-2017-14501.patch b/poky/meta/recipes-extended/libarchive/libarchive/CVE-2017-14501.patch
new file mode 100644
index 000000000..1038102e6
--- /dev/null
+++ b/poky/meta/recipes-extended/libarchive/libarchive/CVE-2017-14501.patch
@@ -0,0 +1,79 @@
+From f9569c086ff29259c73790db9cbf39fe8fb9d862 Mon Sep 17 00:00:00 2001
+From: John Starks <jostarks@microsoft.com>
+Date: Wed, 25 Jul 2018 12:16:34 -0700
+Subject: [PATCH] iso9660: validate directory record length
+
+CVE: CVE-2017-14501
+Upstream-Status: Backport [https://github.com/mmatuska/libarchive/commit/13e87dcd9c37b533127cceb9f3e1e5a38d95e784]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ libarchive/archive_read_support_format_iso9660.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c
+index f01d37bf..089bb723 100644
+--- a/libarchive/archive_read_support_format_iso9660.c
++++ b/libarchive/archive_read_support_format_iso9660.c
+@@ -409,7 +409,8 @@ static int	next_entry_seek(struct archive_read *, struct iso9660 *,
+ 		    struct file_info **);
+ static struct file_info *
+ 		parse_file_info(struct archive_read *a,
+-		    struct file_info *parent, const unsigned char *isodirrec);
++		    struct file_info *parent, const unsigned char *isodirrec,
++		    size_t reclen);
+ static int	parse_rockridge(struct archive_read *a,
+ 		    struct file_info *file, const unsigned char *start,
+ 		    const unsigned char *end);
+@@ -1022,7 +1023,7 @@ read_children(struct archive_read *a, struct file_info *parent)
+ 			if (*(p + DR_name_len_offset) == 1
+ 			    && *(p + DR_name_offset) == '\001')
+ 				continue;
+-			child = parse_file_info(a, parent, p);
++			child = parse_file_info(a, parent, p, b - p);
+ 			if (child == NULL) {
+ 				__archive_read_consume(a, skip_size);
+ 				return (ARCHIVE_FATAL);
+@@ -1112,7 +1113,7 @@ choose_volume(struct archive_read *a, struct iso9660 *iso9660)
+ 	 */
+ 	seenJoliet = iso9660->seenJoliet;/* Save flag. */
+ 	iso9660->seenJoliet = 0;
+-	file = parse_file_info(a, NULL, block);
++	file = parse_file_info(a, NULL, block, vd->size);
+ 	if (file == NULL)
+ 		return (ARCHIVE_FATAL);
+ 	iso9660->seenJoliet = seenJoliet;
+@@ -1144,7 +1145,7 @@ choose_volume(struct archive_read *a, struct iso9660 *iso9660)
+ 			return (ARCHIVE_FATAL);
+ 		}
+ 		iso9660->seenJoliet = 0;
+-		file = parse_file_info(a, NULL, block);
++		file = parse_file_info(a, NULL, block, vd->size);
+ 		if (file == NULL)
+ 			return (ARCHIVE_FATAL);
+ 		iso9660->seenJoliet = seenJoliet;
+@@ -1749,7 +1750,7 @@ archive_read_format_iso9660_cleanup(struct archive_read *a)
+  */
+ static struct file_info *
+ parse_file_info(struct archive_read *a, struct file_info *parent,
+-    const unsigned char *isodirrec)
++    const unsigned char *isodirrec, size_t reclen)
+ {
+ 	struct iso9660 *iso9660;
+ 	struct file_info *file, *filep;
+@@ -1763,7 +1764,11 @@ parse_file_info(struct archive_read *a, struct file_info *parent,
+ 
+ 	iso9660 = (struct iso9660 *)(a->format->data);
+ 
+-	dr_len = (size_t)isodirrec[DR_length_offset];
++	if (reclen == 0 || reclen < (dr_len = (size_t)isodirrec[DR_length_offset])) {
++		archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
++			"Invalid directory record length");
++		return (NULL);
++	}
+ 	name_len = (size_t)isodirrec[DR_name_len_offset];
+ 	location = archive_le32dec(isodirrec + DR_extent_offset);
+ 	fsize = toi(isodirrec + DR_size_offset, DR_size_size);
+-- 
+2.13.3
+
diff --git a/poky/meta/recipes-extended/libarchive/libarchive_3.3.2.bb b/poky/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
index 326971647..e3d90b276 100644
--- a/poky/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
+++ b/poky/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
@@ -37,6 +37,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
            file://CVE-2017-14502.patch \
            file://non-recursive-extract-and-list.patch \
            file://CVE-2017-14503.patch \
+           file://CVE-2017-14501.patch \
           "
 
 SRC_URI[md5sum] = "4583bd6b2ebf7e0e8963d90879eb1b27"
diff --git a/poky/meta/recipes-graphics/xorg-lib/libice/CVE-2017-2626.patch b/poky/meta/recipes-graphics/xorg-lib/libice/CVE-2017-2626.patch
new file mode 100644
index 000000000..20c6dda2e
--- /dev/null
+++ b/poky/meta/recipes-graphics/xorg-lib/libice/CVE-2017-2626.patch
@@ -0,0 +1,149 @@
+From ff5e59f32255913bb1cdf51441b98c9107ae165b Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@gmail.com>
+Date: Tue, 4 Apr 2017 19:12:53 +0200
+Subject: Use getentropy() if arc4random_buf() is not available
+
+This allows to fix CVE-2017-2626 on Linux platforms without pulling in
+libbsd.
+The libc getentropy() is available since glibc 2.25 but also on OpenBSD.
+For Linux, we need at least a v3.17 kernel. If the recommended
+arc4random_buf() function is not available, emulate it by first trying
+to use getentropy() on a supported glibc and kernel. If the call fails,
+fall back to the current (partly vulnerable) code.
+
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
+Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport[https://cgit.freedesktop.org/xorg/lib/libICE
+                 /commit/?id=ff5e59f32255913bb1cdf51441b98c9107ae165b]
+
+CVE: CVE-2017-2626
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ configure.ac  |  2 +-
+ src/iceauth.c | 65 ++++++++++++++++++++++++++++++++++++++++++-----------------
+ 2 files changed, 47 insertions(+), 20 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 458882a..c971ab6 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -38,7 +38,7 @@ AC_DEFINE(ICE_t, 1, [Xtrans transport type])
+ 
+ # Checks for library functions.
+ AC_CHECK_LIB([bsd], [arc4random_buf])
+-AC_CHECK_FUNCS([asprintf arc4random_buf])
++AC_CHECK_FUNCS([asprintf arc4random_buf getentropy])
+ 
+ # Allow checking code with lint, sparse, etc.
+ XORG_WITH_LINT
+diff --git a/src/iceauth.c b/src/iceauth.c
+index ed31683..de4785b 100644
+--- a/src/iceauth.c
++++ b/src/iceauth.c
+@@ -44,31 +44,19 @@ Author: Ralph Mor, X Consortium
+ 
+ static int was_called_state;
+ 
+-/*
+- * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by
+- * the SI.  It is not part of standard ICElib.
+- */
++#ifndef HAVE_ARC4RANDOM_BUF
+ 
+-
+-char *
+-IceGenerateMagicCookie (
++static void
++emulate_getrandom_buf (
++	char *auth,
+ 	int len
+ )
+ {
+-    char    *auth;
+-#ifndef HAVE_ARC4RANDOM_BUF
+     long    ldata[2];
+     int	    seed;
+     int	    value;
+     int	    i;
+-#endif
+ 
+-    if ((auth = malloc (len + 1)) == NULL)
+-	return (NULL);
+-
+-#ifdef HAVE_ARC4RANDOM_BUF
+-    arc4random_buf(auth, len);
+-#else
+ #ifdef ITIMER_REAL
+     {
+ 	struct timeval  now;
+@@ -76,13 +64,13 @@ IceGenerateMagicCookie (
+ 	ldata[0] = now.tv_sec;
+ 	ldata[1] = now.tv_usec;
+     }
+-#else
++#else /* ITIMER_REAL */
+     {
+ 	long    time ();
+ 	ldata[0] = time ((long *) 0);
+ 	ldata[1] = getpid ();
+     }
+-#endif
++#endif /* ITIMER_REAL */
+     seed = (ldata[0]) + (ldata[1] << 16);
+     srand (seed);
+     for (i = 0; i < len; i++)
+@@ -90,7 +78,46 @@ IceGenerateMagicCookie (
+ 	value = rand ();
+ 	auth[i] = value & 0xff;
+     }
+-#endif
++}
++
++static void
++arc4random_buf (
++	char *auth,
++	int len
++)
++{
++    int	    ret;
++
++#if HAVE_GETENTROPY
++    /* weak emulation of arc4random through the entropy libc */
++    ret = getentropy (auth, len);
++    if (ret == 0)
++	return;
++#endif /* HAVE_GETENTROPY */
++
++    emulate_getrandom_buf (auth, len);
++}
++
++#endif /* !defined(HAVE_ARC4RANDOM_BUF) */
++
++/*
++ * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by
++ * the SI.  It is not part of standard ICElib.
++ */
++
++
++char *
++IceGenerateMagicCookie (
++	int len
++)
++{
++    char    *auth;
++
++    if ((auth = malloc (len + 1)) == NULL)
++	return (NULL);
++
++    arc4random_buf (auth, len);
++
+     auth[len] = '\0';
+     return (auth);
+ }
+-- 
+cgit v1.1
+
diff --git a/poky/meta/recipes-graphics/xorg-lib/libice_1.0.9.bb b/poky/meta/recipes-graphics/xorg-lib/libice_1.0.9.bb
index f069749ce..5ccd1d8c3 100644
--- a/poky/meta/recipes-graphics/xorg-lib/libice_1.0.9.bb
+++ b/poky/meta/recipes-graphics/xorg-lib/libice_1.0.9.bb
@@ -23,6 +23,8 @@ BBCLASSEXTEND = "native"
 SRC_URI[md5sum] = "addfb1e897ca8079531669c7c7711726"
 SRC_URI[sha256sum] = "8f7032f2c1c64352b5423f6b48a8ebdc339cc63064af34d66a6c9aa79759e202"
 
+SRC_URI += "file://CVE-2017-2626.patch"
+
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
 PACKAGECONFIG[arc4] = "ac_cv_lib_bsd_arc4random_buf=yes,ac_cv_lib_bsd_arc4random_buf=no,libbsd"
 PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-config-fix-NULL-value-detection-for-ID_INPUT-being-u.patch b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-config-fix-NULL-value-detection-for-ID_INPUT-being-u.patch
new file mode 100644
index 000000000..964d5dd4c
--- /dev/null
+++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-config-fix-NULL-value-detection-for-ID_INPUT-being-u.patch
@@ -0,0 +1,40 @@
+From a309323328d9d6e0bf5d9ea1d75920e53b9beef3 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Fri, 5 Jan 2018 11:58:42 +1000
+Subject: [PATCH] config: fix NULL value detection for ID_INPUT being unset
+
+Erroneous condition caused us to keep going with all devices that didn't have
+ID_INPUT set.
+
+Fixes: 5aad81445c8c3d6
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=104382
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-status: Backport
+https://patchwork.freedesktop.org/patch/196090/
+Affects: < 1.20.0
+[Yocto # 12899]
+
+Signed-off-by: Armin Kuster <akuser808@gmail.com>
+
+---
+ config/udev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/udev.c b/config/udev.c
+index e198e8609..3a73189e2 100644
+--- a/config/udev.c
++++ b/config/udev.c
+@@ -135,7 +135,7 @@ device_added(struct udev_device *udev_device)
+ #endif
+ 
+     value = udev_device_get_property_value(udev_device, "ID_INPUT");
+-    if (value && !strcmp(value, "0")) {
++    if (!value || !strcmp(value, "0")) {
+         LogMessageVerb(X_INFO, 10,
+                        "config/udev: ignoring device %s without "
+                        "property ID_INPUT set\n", path);
+-- 
+2.17.1
+
diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.6.bb b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.6.bb
index c680cf9e8..7e8a9541c 100644
--- a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.6.bb
+++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.6.bb
@@ -5,6 +5,7 @@ SRC_URI += "file://musl-arm-inb-outb.patch \
             file://0003-modesetting-Fix-16-bit-depth-bpp-mode.patch \
             file://0003-Remove-check-for-useSIGIO-option.patch \
             file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
+            file://0001-config-fix-NULL-value-detection-for-ID_INPUT-being-u.patch \
             "
 SRC_URI[md5sum] = "3e47777ff034a331aed2322b078694a8"
 SRC_URI[sha256sum] = "a732502f1db000cf36a376cd0c010ffdbf32ecdd7f1fa08ba7f5bdf9601cc197"
diff --git a/poky/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch b/poky/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch
new file mode 100644
index 000000000..7b58568d5
--- /dev/null
+++ b/poky/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch
@@ -0,0 +1,150 @@
+From d61ff409cb4dda31386373d706ea0cfb1aaac5b7 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Wed, 2 May 2018 10:24:17 -0600
+Subject: [PATCH] btt: make device/devno use PATH_MAX to avoid overflow
+
+Herbo Zhang reports:
+
+I found a bug in blktrace/btt/devmap.c. The code is just as follows:
+
+https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/tree/btt/devmap.c?id=8349ad2f2d19422a6241f94ea84d696b21de4757
+
+       struct devmap {
+
+struct list_head head;
+char device[32], devno[32];    // #1
+};
+
+LIST_HEAD(all_devmaps);
+
+static int dev_map_add(char *line)
+{
+struct devmap *dmp;
+
+if (strstr(line, "Device") != NULL)
+return 1;
+
+dmp = malloc(sizeof(struct devmap));
+if (sscanf(line, "%s %s", dmp->device, dmp->devno) != 2) {  //#2
+free(dmp);
+return 1;
+}
+
+list_add_tail(&dmp->head, &all_devmaps);
+return 0;
+}
+
+int dev_map_read(char *fname)
+{
+char line[256];   // #3
+FILE *fp = my_fopen(fname, "r");
+
+if (!fp) {
+perror(fname);
+return 1;
+}
+
+while (fscanf(fp, "%255[a-zA-Z0-9 :.,/_-]\n", line) == 1) {
+if (dev_map_add(line))
+break;
+}
+
+fclose(fp);
+return 0;
+}
+
+ The line length is 256, but the dmp->device, dmp->devno  max length
+is only 32. We can put strings longer than 32 into dmp->device and
+dmp->devno , and then they will be overflowed.
+
+ we can trigger this bug just as follows:
+
+ $ python -c "print 'A'*256" > ./test
+    $ btt -M ./test
+
+    *** Error in btt': free(): invalid next size (fast): 0x000055ad7349b250 ***
+    ======= Backtrace: =========
+    /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f7f158ce7e5]
+    /lib/x86_64-linux-gnu/libc.so.6(+0x7fe0a)[0x7f7f158d6e0a]
+    /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f7f158da98c]
+    btt(+0x32e0)[0x55ad7306f2e0]
+    btt(+0x2c5f)[0x55ad7306ec5f]
+    btt(+0x251f)[0x55ad7306e51f]
+    /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f7f15877830]
+    btt(+0x26b9)[0x55ad7306e6b9]
+    ======= Memory map: ========
+    55ad7306c000-55ad7307f000 r-xp 00000000 08:14 3698139
+      /usr/bin/btt
+    55ad7327e000-55ad7327f000 r--p 00012000 08:14 3698139
+      /usr/bin/btt
+    55ad7327f000-55ad73280000 rw-p 00013000 08:14 3698139
+      /usr/bin/btt
+    55ad73280000-55ad73285000 rw-p 00000000 00:00 0
+    55ad7349a000-55ad734bb000 rw-p 00000000 00:00 0
+      [heap]
+    7f7f10000000-7f7f10021000 rw-p 00000000 00:00 0
+    7f7f10021000-7f7f14000000 ---p 00000000 00:00 0
+    7f7f15640000-7f7f15656000 r-xp 00000000 08:14 14942237
+      /lib/x86_64-linux-gnu/libgcc_s.so.1
+    7f7f15656000-7f7f15855000 ---p 00016000 08:14 14942237
+      /lib/x86_64-linux-gnu/libgcc_s.so.1
+    7f7f15855000-7f7f15856000 r--p 00015000 08:14 14942237
+      /lib/x86_64-linux-gnu/libgcc_s.so.1
+    7f7f15856000-7f7f15857000 rw-p 00016000 08:14 14942237
+      /lib/x86_64-linux-gnu/libgcc_s.so.1
+    7f7f15857000-7f7f15a16000 r-xp 00000000 08:14 14948477
+      /lib/x86_64-linux-gnu/libc-2.23.so
+    7f7f15a16000-7f7f15c16000 ---p 001bf000 08:14 14948477
+      /lib/x86_64-linux-gnu/libc-2.23.so
+    7f7f15c16000-7f7f15c1a000 r--p 001bf000 08:14 14948477
+      /lib/x86_64-linux-gnu/libc-2.23.so
+    7f7f15c1a000-7f7f15c1c000 rw-p 001c3000 08:14 14948477
+      /lib/x86_64-linux-gnu/libc-2.23.so
+    7f7f15c1c000-7f7f15c20000 rw-p 00000000 00:00 0
+    7f7f15c20000-7f7f15c46000 r-xp 00000000 08:14 14948478
+      /lib/x86_64-linux-gnu/ld-2.23.so
+    7f7f15e16000-7f7f15e19000 rw-p 00000000 00:00 0
+    7f7f15e42000-7f7f15e45000 rw-p 00000000 00:00 0
+    7f7f15e45000-7f7f15e46000 r--p 00025000 08:14 14948478
+      /lib/x86_64-linux-gnu/ld-2.23.so
+    7f7f15e46000-7f7f15e47000 rw-p 00026000 08:14 14948478
+      /lib/x86_64-linux-gnu/ld-2.23.so
+    7f7f15e47000-7f7f15e48000 rw-p 00000000 00:00 0
+    7ffdebe5c000-7ffdebe7d000 rw-p 00000000 00:00 0
+      [stack]
+    7ffdebebc000-7ffdebebe000 r--p 00000000 00:00 0
+      [vvar]
+    7ffdebebe000-7ffdebec0000 r-xp 00000000 00:00 0
+      [vdso]
+    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
+      [vsyscall]
+    [1]    6272 abort      btt -M test
+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+Upstream-Status: Backport
+[https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7]
+
+CVE: CVE-2018-10689
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ btt/devmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/btt/devmap.c b/btt/devmap.c
+index 0553a9e..5fc1cb2 100644
+--- a/btt/devmap.c
++++ b/btt/devmap.c
+@@ -23,7 +23,7 @@
+ 
+ struct devmap {
+ 	struct list_head head;
+-	char device[32], devno[32];
++	char device[PATH_MAX], devno[PATH_MAX];
+ };
+ 
+ LIST_HEAD(all_devmaps);
+-- 
+2.7.4
+
diff --git a/poky/meta/recipes-kernel/blktrace/blktrace_git.bb b/poky/meta/recipes-kernel/blktrace/blktrace_git.bb
index 663de2ed5..2605ff916 100644
--- a/poky/meta/recipes-kernel/blktrace/blktrace_git.bb
+++ b/poky/meta/recipes-kernel/blktrace/blktrace_git.bb
@@ -11,6 +11,7 @@ PV = "1.2.0+git${SRCPV}"
 
 SRC_URI = "git://git.kernel.dk/blktrace.git \
            file://ldflags.patch \
+           file://CVE-2018-10689.patch \
 "
 
 S = "${WORKDIR}/git"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.12.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.12.bb
index cf6a733ce..a6a8b60e1 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.12.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.12.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "7ba09f891939cbf2c58801a7a4a740365896d6ba"
-SRCREV_meta ?= "367bd3633d5a661035f90f0b8daa38e97da1a587"
+SRCREV_machine ?= "ef88c3326f62cec4b98340324ddbe7f7f7704fd5"
+SRCREV_meta ?= "2ae65226f64ed5c888d60eef76b6249db678d060"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.12.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.12;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "4.12.26"
+LINUX_VERSION ?= "4.12.28"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb
index 00671182d..d5b285e7b 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "aeeb2d73f2a828a9c0b121b2aa3bb345009f5698"
-SRCREV_meta ?= "94457657b8d621868672917d1c2631df4a4fadd8"
+SRCREV_machine ?= "af1b926c9160b0dbf2bbe41b166a8a7b07191fd2"
+SRCREV_meta ?= "c43c9e19a22367b48c0f62764c8555643d2a6844"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.14;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "4.14.48"
+LINUX_VERSION ?= "4.14.67"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.12.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.12.bb
index 9d5e1582b..cb4ef3a65 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.12.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.12.bb
@@ -4,13 +4,13 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "4.12.26"
+LINUX_VERSION ?= "4.12.28"
 
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af"
-SRCREV_meta ?= "367bd3633d5a661035f90f0b8daa38e97da1a587"
+SRCREV_machine ?= "e562267bae5b518acca880c929fbbdf6be047e0a"
+SRCREV_meta ?= "2ae65226f64ed5c888d60eef76b6249db678d060"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb
index 58945f25d..c9e6e412b 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb
@@ -4,7 +4,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "4.14.48"
+LINUX_VERSION ?= "4.14.67"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
@@ -12,8 +12,8 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine ?= "9e246607d5c23f8bb3b8800734b1707766e0b2b9"
-SRCREV_meta ?= "94457657b8d621868672917d1c2631df4a4fadd8"
+SRCREV_machine ?= "74ecbeb03ebfc2b9a73a6554924b043b903295f5"
+SRCREV_meta ?= "c43c9e19a22367b48c0f62764c8555643d2a6844"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_4.12.bb b/poky/meta/recipes-kernel/linux/linux-yocto_4.12.bb
index ac98ca85f..0aea05b83 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto_4.12.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto_4.12.bb
@@ -11,22 +11,22 @@ KBRANCH_qemux86  ?= "standard/base"
 KBRANCH_qemux86-64 ?= "standard/base"
 KBRANCH_qemumips64 ?= "standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "86b02dd23be1e3b3449885b38ed1b876ebec31e8"
-SRCREV_machine_qemuarm64 ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af"
-SRCREV_machine_qemumips ?= "67b93101c52504fd5077166c70baa296190e6166"
-SRCREV_machine_qemuppc ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af"
-SRCREV_machine_qemux86 ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af"
-SRCREV_machine_qemux86-64 ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af"
-SRCREV_machine_qemumips64 ?= "38da8c72733da9619bbbddf14140204631faf488"
-SRCREV_machine ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af"
-SRCREV_meta ?= "367bd3633d5a661035f90f0b8daa38e97da1a587"
+SRCREV_machine_qemuarm ?= "b84ecefc243a6ed67d8b6020394963de1240a9f0"
+SRCREV_machine_qemuarm64 ?= "e562267bae5b518acca880c929fbbdf6be047e0a"
+SRCREV_machine_qemumips ?= "15b1ab68f73fa60dd95a74c640e87e05fad1716d"
+SRCREV_machine_qemuppc ?= "e562267bae5b518acca880c929fbbdf6be047e0a"
+SRCREV_machine_qemux86 ?= "e562267bae5b518acca880c929fbbdf6be047e0a"
+SRCREV_machine_qemux86-64 ?= "e562267bae5b518acca880c929fbbdf6be047e0a"
+SRCREV_machine_qemumips64 ?= "57a3f72a020fc84f2da5b0b4c5de4cdbc22b3284"
+SRCREV_machine ?= "e562267bae5b518acca880c929fbbdf6be047e0a"
+SRCREV_meta ?= "2ae65226f64ed5c888d60eef76b6249db678d060"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.12.git;name=machine;branch=${KBRANCH}; \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.12;destsuffix=${KMETA}"
 
 DEPENDS += "openssl-native util-linux-native"
 
-LINUX_VERSION ?= "4.12.26"
+LINUX_VERSION ?= "4.12.28"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb b/poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb
index 0449213d4..91a2845a7 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb
@@ -11,20 +11,20 @@ KBRANCH_qemux86  ?= "v4.14/standard/base"
 KBRANCH_qemux86-64 ?= "v4.14/standard/base"
 KBRANCH_qemumips64 ?= "v4.14/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "363723ef50c06df54e146c8fe78faa962e96a8c8"
-SRCREV_machine_qemuarm64 ?= "798d15552a4d5d9355a300290ed6bf72106b7e96"
-SRCREV_machine_qemumips ?= "6c2433d7c51c3e78b1be2c7d1fbfe840b13d04df"
-SRCREV_machine_qemuppc ?= "c03babad17499489b20216576d608c94e7fddc5d"
-SRCREV_machine_qemux86 ?= "65d1c849534179bbfa494f77947f8be615e9871a"
-SRCREV_machine_qemux86-64 ?= "65d1c849534179bbfa494f77947f8be615e9871a"
-SRCREV_machine_qemumips64 ?= "59f70381cbde371e41206b7902390ae78558c310"
-SRCREV_machine ?= "65d1c849534179bbfa494f77947f8be615e9871a"
-SRCREV_meta ?= "94457657b8d621868672917d1c2631df4a4fadd8"
+SRCREV_machine_qemuarm ?= "93d58c0c59d1dcdba6ff76ef093de7de339414a8"
+SRCREV_machine_qemuarm64 ?= "888066bc1b9cc5f596da8237cbf74417106e8f22"
+SRCREV_machine_qemumips ?= "a9d862bb92707f39c0cf2b2cc6f1645e88a99eb9"
+SRCREV_machine_qemuppc ?= "d8ced31602b65fb92487865502da595bd113a329"
+SRCREV_machine_qemux86 ?= "084af9624d268ddf4fd65b2f9e8e50ca2f22e62b"
+SRCREV_machine_qemux86-64 ?= "084af9624d268ddf4fd65b2f9e8e50ca2f22e62b"
+SRCREV_machine_qemumips64 ?= "44e1719a8f4fe10e88c13b9ec6c1fa1d041efaed"
+SRCREV_machine ?= "084af9624d268ddf4fd65b2f9e8e50ca2f22e62b"
+SRCREV_meta ?= "c43c9e19a22367b48c0f62764c8555643d2a6844"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRANCH}; \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.14;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "4.14.48"
+LINUX_VERSION ?= "4.14.67"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
diff --git a/poky/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.dpatch b/poky/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.dpatch
new file mode 100644
index 000000000..8d09ce7b6
--- /dev/null
+++ b/poky/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.dpatch
@@ -0,0 +1,33 @@
+libid3tag: patch for CVE-2004-2779
+
+The patch comes from
+https://sources.debian.org/patches/libid3tag/0.15.1b-13/10_utf16.dpatch
+
+Upstream-Status: Pending
+
+CVE: CVE-2004-2779
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
+diff -urNad libid3tag-0.15.1b/utf16.c /tmp/dpep.tKvO7a/libid3tag-0.15.1b/utf16.c
+--- libid3tag-0.15.1b/utf16.c	2006-01-13 15:26:29.000000000 +0100
++++ /tmp/dpep.tKvO7a/libid3tag-0.15.1b/utf16.c	2006-01-13 15:27:19.000000000 +0100
+@@ -282,5 +282,18 @@
+ 
+   free(utf16);
+ 
++  if (end == *ptr && length % 2 != 0)
++  {
++     /* We were called with a bogus length.  It should always
++      * be an even number.  We can deal with this in a few ways:
++      * - Always give an error.
++      * - Try and parse as much as we can and
++      *   - return an error if we're called again when we
++      *     already tried to parse everything we can.
++      *   - tell that we parsed it, which is what we do here.
++      */
++     (*ptr)++;
++  }
++
+   return ucs4;
+ }
diff --git a/poky/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb b/poky/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
index f6139d612..fe3164610 100644
--- a/poky/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
+++ b/poky/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
@@ -13,6 +13,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/mad/libid3tag-${PV}.tar.gz \
            file://addpkgconfig.patch \
            file://obsolete_automake_macros.patch \
            file://0001-Fix-gperf-3.1-incompatibility.patch \
+           file://10_utf16.dpatch \
            "
 UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/mad/files/libid3tag/"
 UPSTREAM_CHECK_REGEX = "/projects/mad/files/libid3tag/(?P<pver>.*)/$"
diff --git a/poky/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch b/poky/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch
new file mode 100644
index 000000000..84b1af1fb
--- /dev/null
+++ b/poky/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch
@@ -0,0 +1,37 @@
+From 8a05766cb74af05c04c53e6c9d60c13fc4d59bf2 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Sun, 17 Jun 2018 22:56:29 -0400
+Subject: [PATCH] [libpng16] Fix the calculation of row_factor in
+ png_check_chunk_length
+
+(Bug report by Thuan Pham, SourceForge issue #278)
+Upstream-Status: Backport [https://github.com/glennrp/libpng/commit/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2]
+Signed-off-by: Sinan Kaya <okaya@kernel.org>
+---
+ pngrutil.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/pngrutil.c b/pngrutil.c
+index 95571b517..5ba995abf 100644
+--- a/pngrutil.c
++++ b/pngrutil.c
+@@ -3167,10 +3167,13 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
+    {
+       png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
+       size_t row_factor =
+-         (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+-          + 1 + (png_ptr->interlaced? 6: 0));
++         (size_t)png_ptr->width
++         * (size_t)png_ptr->channels
++         * (png_ptr->bit_depth > 8? 2: 1)
++         + 1
++         + (png_ptr->interlaced? 6: 0);
+       if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
+-         idat_limit=PNG_UINT_31_MAX;
++         idat_limit = PNG_UINT_31_MAX;
+       else
+          idat_limit = png_ptr->height * row_factor;
+       row_factor = row_factor > 32566? 32566 : row_factor;
+-- 
+2.19.0
+
diff --git a/poky/meta/recipes-multimedia/libpng/libpng_1.6.34.bb b/poky/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
index e52d03228..3877d6cbf 100644
--- a/poky/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
+++ b/poky/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
@@ -8,7 +8,9 @@ DEPENDS = "zlib"
 
 LIBV = "16"
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz"
+SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz \
+           file://CVE-2018-13785.patch \
+"
 SRC_URI[md5sum] = "c05b6ca7190a5e387b78657dbe5536b2"
 SRC_URI[sha256sum] = "2f1e960d92ce3b3abd03d06dfec9637dfbd22febf107a536b44f7a47c60659f6"
 
diff --git a/poky/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch b/poky/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch
new file mode 100644
index 000000000..57e745331
--- /dev/null
+++ b/poky/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch
@@ -0,0 +1,135 @@
+From 6b638fa9afbeb54dfa19378e391465a5284ce1ad Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Wed, 12 Sep 2018 17:16:36 +0800
+Subject: [PATCH] Fix error handling in gdbm
+
+Only check for gdbm_errno if the return value of the called gdbm_*
+function says so. This fixes apr-util with gdbm 1.14, which does not
+seem to always reset gdbm_errno.
+
+Also make the gdbm driver return error codes starting with
+APR_OS_START_USEERR instead of always returning APR_EGENERAL. This is
+what the berkleydb driver already does.
+
+Also ensure that dsize is 0 if dptr == NULL.
+
+Upstream-Status: Backport[https://svn.apache.org/viewvc?
+view=revision&amp;revision=1825311]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ dbm/apr_dbm_gdbm.c | 47 +++++++++++++++++++++++++++++------------------
+ 1 file changed, 29 insertions(+), 18 deletions(-)
+
+diff --git a/dbm/apr_dbm_gdbm.c b/dbm/apr_dbm_gdbm.c
+index 749447a..1c86327 100644
+--- a/dbm/apr_dbm_gdbm.c
++++ b/dbm/apr_dbm_gdbm.c
+@@ -36,13 +36,25 @@
+ static apr_status_t g2s(int gerr)
+ {
+     if (gerr == -1) {
+-        /* ### need to fix this */
+-        return APR_EGENERAL;
++        if (gdbm_errno == GDBM_NO_ERROR)
++           return APR_SUCCESS;
++        return APR_OS_START_USEERR + gdbm_errno;
+     }
+ 
+     return APR_SUCCESS;
+ }
+ 
++static apr_status_t gdat2s(datum d)
++{
++    if (d.dptr == NULL) {
++        if (gdbm_errno == GDBM_NO_ERROR || gdbm_errno == GDBM_ITEM_NOT_FOUND)
++           return APR_SUCCESS;
++        return APR_OS_START_USEERR + gdbm_errno;
++   }
++
++    return APR_SUCCESS;
++}
++
+ static apr_status_t datum_cleanup(void *dptr)
+ {
+     if (dptr)
+@@ -53,22 +65,15 @@ static apr_status_t datum_cleanup(void *dptr)
+ 
+ static apr_status_t set_error(apr_dbm_t *dbm, apr_status_t dbm_said)
+ {
+-    apr_status_t rv = APR_SUCCESS;
+ 
+-    /* ### ignore whatever the DBM said (dbm_said); ask it explicitly */
++    dbm->errcode = dbm_said;  
+ 
+-    if ((dbm->errcode = gdbm_errno) == GDBM_NO_ERROR) {
++    if (dbm_said == APR_SUCCESS)
+         dbm->errmsg = NULL;
+-    }
+-    else {
+-        dbm->errmsg = gdbm_strerror(gdbm_errno);
+-        rv = APR_EGENERAL;        /* ### need something better */
+-    }
+-
+-    /* captured it. clear it now. */
+-    gdbm_errno = GDBM_NO_ERROR;
++    else
++        dbm->errmsg = gdbm_strerror(dbm_said - APR_OS_START_USEERR);
+ 
+-    return rv;
++    return dbm_said;
+ }
+ 
+ /* --------------------------------------------------------------------------
+@@ -107,7 +112,7 @@ static apr_status_t vt_gdbm_open(apr_dbm_t **pdb, const char *pathname,
+                      NULL);
+ 
+     if (file == NULL)
+-        return APR_EGENERAL;      /* ### need a better error */
++        return APR_OS_START_USEERR + gdbm_errno;   /* ### need a better error */
+ 
+     /* we have an open database... return it */
+     *pdb = apr_pcalloc(pool, sizeof(**pdb));
+@@ -141,10 +146,12 @@ static apr_status_t vt_gdbm_fetch(apr_dbm_t *dbm, apr_datum_t key,
+     if (pvalue->dptr)
+         apr_pool_cleanup_register(dbm->pool, pvalue->dptr, datum_cleanup,
+                                   apr_pool_cleanup_null);
++    else
++       pvalue->dsize = 0;
+ 
+     /* store the error info into DBM, and return a status code. Also, note
+        that *pvalue should have been cleared on error. */
+-    return set_error(dbm, APR_SUCCESS);
++    return set_error(dbm, gdat2s(rd));
+ }
+ 
+ static apr_status_t vt_gdbm_store(apr_dbm_t *dbm, apr_datum_t key,
+@@ -201,9 +208,11 @@ static apr_status_t vt_gdbm_firstkey(apr_dbm_t *dbm, apr_datum_t *pkey)
+     if (pkey->dptr)
+         apr_pool_cleanup_register(dbm->pool, pkey->dptr, datum_cleanup,
+                                   apr_pool_cleanup_null);
++    else
++        pkey->dsize = 0;
+ 
+     /* store any error info into DBM, and return a status code. */
+-    return set_error(dbm, APR_SUCCESS);
++    return set_error(dbm, gdat2s(rd));
+ }
+ 
+ static apr_status_t vt_gdbm_nextkey(apr_dbm_t *dbm, apr_datum_t *pkey)
+@@ -221,9 +230,11 @@ static apr_status_t vt_gdbm_nextkey(apr_dbm_t *dbm, apr_datum_t *pkey)
+     if (pkey->dptr)
+         apr_pool_cleanup_register(dbm->pool, pkey->dptr, datum_cleanup,
+                                   apr_pool_cleanup_null);
++    else
++       pkey->dsize = 0;
+ 
+     /* store any error info into DBM, and return a status code. */
+-    return set_error(dbm, APR_SUCCESS);
++    return set_error(dbm, gdat2s(rd));
+ }
+ 
+ static void vt_gdbm_freedatum(apr_dbm_t *dbm, apr_datum_t data)
+-- 
+2.7.4
+
diff --git a/poky/meta/recipes-support/apr/apr-util_1.6.1.bb b/poky/meta/recipes-support/apr/apr-util_1.6.1.bb
index 88b4300f9..12d71cbb6 100644
--- a/poky/meta/recipes-support/apr/apr-util_1.6.1.bb
+++ b/poky/meta/recipes-support/apr/apr-util_1.6.1.bb
@@ -13,6 +13,7 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.gz \
            file://configfix.patch \
            file://configure_fixes.patch \
            file://run-ptest \
+           file://0001-Fix-error-handling-in-gdbm.patch \
 "
 
 SRC_URI[md5sum] = "bd502b9a8670a8012c4d90c31a84955f"
diff --git a/poky/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch b/poky/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch
new file mode 100644
index 000000000..f6f43c3d2
--- /dev/null
+++ b/poky/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch
@@ -0,0 +1,56 @@
+input: check end of input before reading a byte
+
+When reading bytes we weren't check that the index wasn't
+out of bound and this could produce an invalid read which
+could deal to a security bug.
+
+Upstream-Status: Backport[https://gitlab.gnome.org/GNOME/libcroco/
+                 commit/898e3a8c8c0314d2e6b106809a8e3e93cf9d4394]
+
+CVE: CVE-2017-7960 
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
+diff --git a/src/cr-input.c b/src/cr-input.c
+index 49000b1f5f07fe057135f1b8fc69bdcf9613e300..3b63a88ee3b1c56778e58172d147d958951bf099 100644
+--- a/src/cr-input.c
++++ b/src/cr-input.c
+@@ -256,7 +256,7 @@ cr_input_new_from_uri (const gchar * a_file_uri, enum CREncoding a_enc)
+                  *we should  free buf here because it's own by CRInput.
+                  *(see the last parameter of cr_input_new_from_buf().
+                  */
+-                buf = NULL ;
++                buf = NULL;
+         }
+ 
+  cleanup:
+@@ -404,6 +404,8 @@ cr_input_get_nb_bytes_left (CRInput const * a_this)
+ enum CRStatus
+ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ {
++        gulong nb_bytes_left = 0;
++
+         g_return_val_if_fail (a_this && PRIVATE (a_this)
+                               && a_byte, CR_BAD_PARAM_ERROR);
+ 
+@@ -413,6 +415,12 @@ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+         if (PRIVATE (a_this)->end_of_input == TRUE)
+                 return CR_END_OF_INPUT_ERROR;
+ 
++        nb_bytes_left = cr_input_get_nb_bytes_left (a_this);
++
++        if (nb_bytes_left < 1) {
++                return CR_END_OF_INPUT_ERROR;
++        }
++
+         *a_byte = PRIVATE (a_this)->in_buf[PRIVATE (a_this)->next_byte_index];
+ 
+         if (PRIVATE (a_this)->nb_bytes -
+@@ -477,7 +485,6 @@ cr_input_read_char (CRInput * a_this, guint32 * a_char)
+                 if (*a_char == '\n') {
+                         PRIVATE (a_this)->end_of_line = TRUE;
+                 }
+-
+         }
+ 
+         return status;
diff --git a/poky/meta/recipes-support/libcroco/libcroco_0.6.12.bb b/poky/meta/recipes-support/libcroco/libcroco_0.6.12.bb
index d86ddd646..5b962ee73 100644
--- a/poky/meta/recipes-support/libcroco/libcroco_0.6.12.bb
+++ b/poky/meta/recipes-support/libcroco/libcroco_0.6.12.bb
@@ -16,5 +16,7 @@ BINCONFIG = "${bindir}/croco-0.6-config"
 
 inherit gnomebase gtk-doc binconfig-disabled
 
+SRC_URI += "file://CVE-2017-7960.patch"
+
 SRC_URI[archive.md5sum] = "bc0984fce078ba2ce29f9500c6b9ddce"
 SRC_URI[archive.sha256sum] = "ddc4b5546c9fb4280a5017e2707fbd4839034ed1aba5b7d4372212f34f84f860"
diff --git a/poky/meta/recipes-support/libexif/libexif/CVE-2017-7544.patch b/poky/meta/recipes-support/libexif/libexif/CVE-2017-7544.patch
new file mode 100644
index 000000000..e49481ff8
--- /dev/null
+++ b/poky/meta/recipes-support/libexif/libexif/CVE-2017-7544.patch
@@ -0,0 +1,40 @@
+From 8a92f964a66d476ca8907234359e92a70fc1325b Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Tue, 28 Aug 2018 15:12:10 +0800
+Subject: [PATCH] On saving makernotes, make sure the makernote container tags
+ has a type with 1 byte components.
+
+Fixes (at least):
+	https://sourceforge.net/p/libexif/bugs/130
+	https://sourceforge.net/p/libexif/bugs/129
+
+Upstream-Status: Backport[https://github.com/libexif/libexif/commit/
+c39acd1692023b26290778a02a9232c873f9d71a#diff-830e348923810f00726700b083ec00cd]
+
+CVE: CVE-2017-7544
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libexif/exif-data.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index 67df4db..6bf89eb 100644
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e,
+ 			exif_mnote_data_set_offset (data->priv->md, *ds - 6);
+ 			exif_mnote_data_save (data->priv->md, &e->data, &e->size);
+ 			e->components = e->size;
++                        if (exif_format_get_size (e->format) != 1) {
++				/* e->format is taken from input code,
++				 * but we need to make sure it is a 1 byte
++				 * entity due to the multiplication below. */
++				e->format = EXIF_FORMAT_UNDEFINED;
++			}
+ 		}
+ 	}
+ 
+-- 
+2.7.4
+
diff --git a/poky/meta/recipes-support/libexif/libexif_0.6.21.bb b/poky/meta/recipes-support/libexif/libexif_0.6.21.bb
index cff4caede..b550a1125 100644
--- a/poky/meta/recipes-support/libexif/libexif_0.6.21.bb
+++ b/poky/meta/recipes-support/libexif/libexif_0.6.21.bb
@@ -4,7 +4,8 @@ SECTION = "libs"
 LICENSE = "LGPLv2.1"
 LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad"
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2"
+SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \
+           file://CVE-2017-7544.patch"
 
 SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27"
 SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a"
diff --git a/poky/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch b/poky/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch
new file mode 100644
index 000000000..4a5832ac1
--- /dev/null
+++ b/poky/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch
@@ -0,0 +1,29 @@
+From 99f6e1b0d68281b63218d6adfe68cd9e331ac5be Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 3 Sep 2018 10:50:08 -0700
+Subject: [PATCH] Fix syntax of a print() in the scons file to unbreak building
+ with most recent scons version.
+
+* SConstruct Use Python 3.0 valid syntax to make Scons 3.0.0 happy on both python
+  3.0 and 2.7.
+
+Upstream-Status: Backport
+[https://svn.apache.org/viewvc/serf/trunk/SConstruct?r1=1809132&r2=1811083&diff_format=h]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ SConstruct | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SConstruct b/SConstruct
+index 1670459..18a45fa 100644
+--- a/SConstruct
++++ b/SConstruct
+@@ -184,7 +184,7 @@ CALLOUT_OKAY = not (env.GetOption('clean') or env.GetOption('help'))
+ 
+ unknown = opts.UnknownVariables()
+ if unknown:
+-  print 'Warning: Used unknown variables:', ', '.join(unknown.keys())
++  print('Warning: Used unknown variables:', ', '.join(unknown.keys()))
+ 
+ apr = str(env['APR'])
+ apu = str(env['APU'])
diff --git a/poky/meta/recipes-support/serf/serf/0002-SConstruct-Fix-path-quoting-for-.def-generator.patch b/poky/meta/recipes-support/serf/serf/0002-SConstruct-Fix-path-quoting-for-.def-generator.patch
new file mode 100644
index 000000000..cec881ee1
--- /dev/null
+++ b/poky/meta/recipes-support/serf/serf/0002-SConstruct-Fix-path-quoting-for-.def-generator.patch
@@ -0,0 +1,27 @@
+From e51b4b37916dd20b13133cb7af16601b6bf3ace9 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 3 Sep 2018 10:54:54 -0700
+Subject: [PATCH] SConstruct: Fix path quoting for .def generator
+
+Patch by: Martin Keller <m.keller{_AT_}codesys.com>
+Upstream-Status: Backport
+[https://svn.apache.org/viewvc/serf/trunk/SConstruct?r1=1807594&r2=1809132]
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ SConstruct | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SConstruct b/SConstruct
+index 18a45fa..571bdce 100644
+--- a/SConstruct
++++ b/SConstruct
+@@ -160,7 +160,7 @@ env = Environment(variables=opts,
+ 
+ env.Append(BUILDERS = {
+     'GenDef' : 
+-      Builder(action = sys.executable + ' build/gen_def.py $SOURCES > $TARGET',
++      Builder(action = '"%s" "%s" $SOURCES > $TARGET' % (sys.executable, gen_def_script,),
+               suffix='.def', src_suffix='.h')
+   })
+ 
diff --git a/poky/meta/recipes-support/serf/serf/0003-gen_def.patch b/poky/meta/recipes-support/serf/serf/0003-gen_def.patch
new file mode 100644
index 000000000..e37e9034b
--- /dev/null
+++ b/poky/meta/recipes-support/serf/serf/0003-gen_def.patch
@@ -0,0 +1,22 @@
+From 98e793d9f2250e7c1f9f1eb5dfd616a6a8829e9a Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 3 Sep 2018 11:12:27 -0700
+Subject: [PATCH] gen_def
+
+---
+ SConstruct | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/SConstruct b/SConstruct
+index 571bdce..877731e 100644
+--- a/SConstruct
++++ b/SConstruct
+@@ -158,6 +158,8 @@ env = Environment(variables=opts,
+                   ENV = os.environ,
+                   )
+ 
++gen_def_script = env.File('build/gen_def.py').rstr()
++
+ env.Append(BUILDERS = {
+     'GenDef' : 
+       Builder(action = '"%s" "%s" $SOURCES > $TARGET' % (sys.executable, gen_def_script,),
diff --git a/poky/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch b/poky/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch
new file mode 100644
index 000000000..02fa9e3a0
--- /dev/null
+++ b/poky/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch
@@ -0,0 +1,29 @@
+From 565211fd082ef653ca9c44a345350fc1451f5a0f Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 3 Sep 2018 11:12:38 -0700
+Subject: [PATCH] Follow-up to r1811083 fix building with scons 3.0.0 and
+ Python3
+
+* SConstruct: Append decode('utf-8) to FILE.get_contents() to avoid
+  TypeError: cannot use a string pattern on a bytes-like object
+
+Upstream-Status: Backport
+[https://svn.apache.org/viewvc/serf/trunk/SConstruct?r1=1811088&r2=1814604]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ SConstruct | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SConstruct b/SConstruct
+index 877731e..7678bb1 100644
+--- a/SConstruct
++++ b/SConstruct
+@@ -169,7 +169,7 @@ env.Append(BUILDERS = {
+ match = re.search('SERF_MAJOR_VERSION ([0-9]+).*'
+                   'SERF_MINOR_VERSION ([0-9]+).*'
+                   'SERF_PATCH_VERSION ([0-9]+)',
+-                  env.File('serf.h').get_contents(),
++                  env.File('serf.h').get_contents().decode('utf-8'),
+                   re.DOTALL)
+ MAJOR, MINOR, PATCH = [int(x) for x in match.groups()]
+ env.Append(MAJOR=str(MAJOR))
diff --git a/poky/meta/recipes-support/serf/serf_1.3.9.bb b/poky/meta/recipes-support/serf/serf_1.3.9.bb
index 2be5a069c..65a8114bb 100644
--- a/poky/meta/recipes-support/serf/serf_1.3.9.bb
+++ b/poky/meta/recipes-support/serf/serf_1.3.9.bb
@@ -1,7 +1,12 @@
 SUMMARY = "High-Performance Asynchronous HTTP Client Library"
 SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://norpath.patch \
-           file://env.patch"
+           file://env.patch \
+           file://0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch \
+           file://0002-SConstruct-Fix-path-quoting-for-.def-generator.patch \
+           file://0003-gen_def.patch \
+           file://0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch \
+           "
 
 SRC_URI[md5sum] = "370a6340ff20366ab088012cd13f2b57"
 SRC_URI[sha256sum] = "549c2d21c577a8a9c0450facb5cca809f26591f048e466552240947bdf7a87cc"
diff --git a/poky/meta/recipes-support/sqlite/files/CVE-2018-8740.patch b/poky/meta/recipes-support/sqlite/files/CVE-2018-8740.patch
new file mode 100644
index 000000000..5d95e37af
--- /dev/null
+++ b/poky/meta/recipes-support/sqlite/files/CVE-2018-8740.patch
@@ -0,0 +1,47 @@
+From 19aed4d2be46c4516caf2bee31f79044bbd1d57d Mon Sep 17 00:00:00 2001
+From: Sinan Kaya <okaya@kernel.org>
+Date: Fri, 21 Sep 2018 16:22:01 +0000
+Subject: [PATCH] Detect databases whose schema is corrupted using a CREATE TABLE AS statement and issue an appropriate error message
+
+Upstream-Status: Backport [ https://www.sqlite.org/cgi/src/vdiff?from=1774f1c3baf0bc3d&to=d75e67654aa9620b&diff=1&w]
+Signed-off-by: Sinan Kaya <okaya@kernel.org>
+---
+ sqlite3.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 73c69ef..6863bc6 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -103474,8 +103474,6 @@ SQLITE_PRIVATE void sqlite3EndTable(
+   p = pParse->pNewTable;
+   if( p==0 ) return;
+ 
+-  assert( !db->init.busy || !pSelect );
+-
+   /* If the db->init.busy is 1 it means we are reading the SQL off the
+   ** "sqlite_master" or "sqlite_temp_master" table on the disk.
+   ** So do not write to the disk again.  Extract the root page number
+@@ -103486,6 +103484,10 @@ SQLITE_PRIVATE void sqlite3EndTable(
+   ** table itself.  So mark it read-only.
+   */
+   if( db->init.busy ){
++    if( pSelect ){
++     sqlite3ErrorMsg(pParse, "");
++     return;
++    }
+     p->tnum = db->init.newTnum;
+     if( p->tnum==1 ) p->tabFlags |= TF_Readonly;
+   }
+@@ -117813,7 +117815,7 @@ static void corruptSchema(
+     char *z;
+     if( zObj==0 ) zObj = "?";
+     z = sqlite3MPrintf(db, "malformed database schema (%s)", zObj);
+-    if( zExtra ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra);
++    if( zExtra && zExtra[0] ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra);
+     sqlite3DbFree(db, *pData->pzErrMsg);
+     *pData->pzErrMsg = z;
+   }
+-- 
+2.19.0
+
diff --git a/poky/meta/recipes-support/sqlite/sqlite3_3.22.0.bb b/poky/meta/recipes-support/sqlite/sqlite3_3.22.0.bb
index ef88659e9..b90f89886 100644
--- a/poky/meta/recipes-support/sqlite/sqlite3_3.22.0.bb
+++ b/poky/meta/recipes-support/sqlite/sqlite3_3.22.0.bb
@@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
 
 SRC_URI = "\
   http://www.sqlite.org/2018/sqlite-autoconf-${SQLITE_PV}.tar.gz \
+  file://CVE-2018-8740.patch \
   "
 SRC_URI[md5sum] = "96b5648d542e8afa6ab7ffb8db8ddc3d"
 SRC_URI[sha256sum] = "2824ab1238b706bc66127320afbdffb096361130e23291f26928a027b885c612"
diff --git a/poky/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch b/poky/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch
new file mode 100644
index 000000000..cdd66e67f
--- /dev/null
+++ b/poky/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch
@@ -0,0 +1,51 @@
+From 272648ccfcccae30e002ccf34a22e075dd477278 Mon Sep 17 00:00:00 2001
+From: Scott Gayou <github.scott@gmail.com>
+Date: Mon, 4 Jun 2018 11:34:36 -0400
+Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868)
+
+This CVE is caused by a failure to check the minimum length
+of a ogg flac header. This header is detailed in full at:
+https://xiph.org/flac/ogg_mapping.html. Added more strict checking
+for entire header.
+
+Upstream-Status: Backport
+[https://github.com/taglib/taglib/pull/869/commits/272648ccfcccae30e002ccf34a22e075dd477278]
+
+CVE: CVE-2018-11439
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp
+index 53d0450..07ea9dc 100644
+--- a/taglib/ogg/flac/oggflacfile.cpp
++++ b/taglib/ogg/flac/oggflacfile.cpp
+@@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan()
+ 
+   if(!metadataHeader.startsWith("fLaC"))  {
+     // FLAC 1.1.2+
++    // See https://xiph.org/flac/ogg_mapping.html for the header specification.
++    if(metadataHeader.size() < 13)
++      return;
++
++    if(metadataHeader[0] != 0x7f)
++      return;
++
+     if(metadataHeader.mid(1, 4) != "FLAC")
+       return;
+ 
+-    if(metadataHeader[5] != 1)
+-      return; // not version 1
++    if(metadataHeader[5] != 1 && metadataHeader[6] != 0)
++      return; // not version 1.0
++
++    if(metadataHeader.mid(9, 4) != "fLaC")
++      return;
+ 
+     metadataHeader = metadataHeader.mid(13);
+   }
+-- 
+2.7.4
+
diff --git a/poky/meta/recipes-support/taglib/taglib_1.11.1.bb b/poky/meta/recipes-support/taglib/taglib_1.11.1.bb
index 50439bc14..01dcf66d1 100644
--- a/poky/meta/recipes-support/taglib/taglib_1.11.1.bb
+++ b/poky/meta/recipes-support/taglib/taglib_1.11.1.bb
@@ -10,6 +10,7 @@ DEPENDS = "zlib"
 
 SRC_URI = "http://taglib.github.io/releases/${BP}.tar.gz \
            file://CVE-2017-12678.patch \
+           file://CVE-2018-11439.patch \
           "
 
 SRC_URI[md5sum] = "cee7be0ccfc892fa433d6c837df9522a"