summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--bitbake/HEADER13
-rw-r--r--bitbake/LICENSE12
-rw-r--r--bitbake/LICENSE.GPL-2.0-only (renamed from bitbake/COPYING)61
-rw-r--r--bitbake/LICENSE.MIT25
-rwxr-xr-xbitbake/bin/bitbake12
-rwxr-xr-xbitbake/bin/bitbake-diffsigs12
-rwxr-xr-xbitbake/bin/bitbake-hashserv13
-rwxr-xr-xbitbake/bin/bitbake-layers12
-rwxr-xr-xbitbake/bin/bitbake-prserv4
-rwxr-xr-xbitbake/bin/bitbake-selftest12
-rwxr-xr-xbitbake/bin/bitbake-worker11
-rwxr-xr-xbitbake/bin/bitdoc12
-rwxr-xr-xbitbake/bin/git-make-shallow4
-rwxr-xr-xbitbake/bin/toaster12
-rwxr-xr-xbitbake/bin/toaster-eventreplay15
-rw-r--r--bitbake/lib/bb/COW.py13
-rw-r--r--bitbake/lib/bb/__init__.py12
-rw-r--r--bitbake/lib/bb/build.py13
-rw-r--r--bitbake/lib/bb/cache.py12
-rw-r--r--bitbake/lib/bb/cache_extra.py12
-rw-r--r--bitbake/lib/bb/checksum.py12
-rw-r--r--bitbake/lib/bb/codeparser.py4
-rw-r--r--bitbake/lib/bb/command.py12
-rw-r--r--bitbake/lib/bb/compat.py4
-rw-r--r--bitbake/lib/bb/cooker.py13
-rw-r--r--bitbake/lib/bb/cookerdata.py18
-rw-r--r--bitbake/lib/bb/daemonize.py4
-rw-r--r--bitbake/lib/bb/data.py13
-rw-r--r--bitbake/lib/bb/data_smart.py12
-rw-r--r--bitbake/lib/bb/event.py12
-rw-r--r--bitbake/lib/bb/exceptions.py3
-rw-r--r--bitbake/lib/bb/fetch2/__init__.py21
-rw-r--r--bitbake/lib/bb/fetch2/bzr.py12
-rw-r--r--bitbake/lib/bb/fetch2/clearcase.py13
-rw-r--r--bitbake/lib/bb/fetch2/cvs.py15
-rw-r--r--bitbake/lib/bb/fetch2/git.py14
-rw-r--r--bitbake/lib/bb/fetch2/gitannex.py12
-rw-r--r--bitbake/lib/bb/fetch2/gitsm.py24
-rw-r--r--bitbake/lib/bb/fetch2/hg.py14
-rw-r--r--bitbake/lib/bb/fetch2/local.py14
-rw-r--r--bitbake/lib/bb/fetch2/npm.py3
-rw-r--r--bitbake/lib/bb/fetch2/osc.py3
-rw-r--r--bitbake/lib/bb/fetch2/perforce.py13
-rw-r--r--bitbake/lib/bb/fetch2/repo.py14
-rw-r--r--bitbake/lib/bb/fetch2/s3.py13
-rw-r--r--bitbake/lib/bb/fetch2/sftp.py13
-rw-r--r--bitbake/lib/bb/fetch2/ssh.py12
-rw-r--r--bitbake/lib/bb/fetch2/svn.py13
-rw-r--r--bitbake/lib/bb/fetch2/wget.py13
-rwxr-xr-xbitbake/lib/bb/main.py12
-rw-r--r--bitbake/lib/bb/methodpool.py12
-rw-r--r--bitbake/lib/bb/monitordisk.py12
-rw-r--r--bitbake/lib/bb/msg.py12
-rw-r--r--bitbake/lib/bb/namedtuple_with_abc.py3
-rw-r--r--bitbake/lib/bb/parse/__init__.py14
-rw-r--r--bitbake/lib/bb/parse/ast.py13
-rw-r--r--bitbake/lib/bb/parse/parse_py/BBHandler.py13
-rw-r--r--bitbake/lib/bb/parse/parse_py/ConfHandler.py12
-rw-r--r--bitbake/lib/bb/parse/parse_py/__init__.py14
-rw-r--r--bitbake/lib/bb/persist_data.py12
-rw-r--r--bitbake/lib/bb/process.py4
-rw-r--r--bitbake/lib/bb/progress.py12
-rw-r--r--bitbake/lib/bb/providers.py12
-rw-r--r--bitbake/lib/bb/remotedata.py12
-rw-r--r--bitbake/lib/bb/runqueue.py12
-rw-r--r--bitbake/lib/bb/server/__init__.py14
-rw-r--r--bitbake/lib/bb/server/process.py12
-rw-r--r--bitbake/lib/bb/server/xmlrpcclient.py12
-rw-r--r--bitbake/lib/bb/server/xmlrpcserver.py12
-rw-r--r--bitbake/lib/bb/siggen.py4
-rw-r--r--bitbake/lib/bb/taskdata.py12
-rw-r--r--bitbake/lib/bb/tests/codeparser.py13
-rw-r--r--bitbake/lib/bb/tests/cooker.py13
-rw-r--r--bitbake/lib/bb/tests/cow.py15
-rw-r--r--bitbake/lib/bb/tests/data.py13
-rw-r--r--bitbake/lib/bb/tests/event.py13
-rw-r--r--bitbake/lib/bb/tests/fetch.py44
-rw-r--r--bitbake/lib/bb/tests/parse.py13
-rw-r--r--bitbake/lib/bb/tests/persist_data.py13
-rw-r--r--bitbake/lib/bb/tests/utils.py13
-rw-r--r--bitbake/lib/bb/tinfoil.py12
-rw-r--r--bitbake/lib/bb/ui/__init__.py12
-rw-r--r--bitbake/lib/bb/ui/buildinfohelper.py12
-rw-r--r--bitbake/lib/bb/ui/knotty.py12
-rw-r--r--bitbake/lib/bb/ui/ncurses.py12
-rw-r--r--bitbake/lib/bb/ui/taskexp.py12
-rw-r--r--bitbake/lib/bb/ui/toasterui.py12
-rw-r--r--bitbake/lib/bb/ui/uievent.py13
-rw-r--r--bitbake/lib/bb/ui/uihelper.py12
-rw-r--r--bitbake/lib/bb/utils.py14
-rw-r--r--bitbake/lib/bblayers/__init__.py4
-rw-r--r--bitbake/lib/bblayers/action.py4
-rw-r--r--bitbake/lib/bblayers/common.py4
-rw-r--r--bitbake/lib/bblayers/layerindex.py4
-rw-r--r--bitbake/lib/bblayers/query.py4
-rw-r--r--bitbake/lib/hashserv/__init__.py12
-rw-r--r--bitbake/lib/hashserv/tests.py12
-rw-r--r--bitbake/lib/layerindexlib/__init__.py12
-rw-r--r--bitbake/lib/layerindexlib/cooker.py12
-rw-r--r--bitbake/lib/layerindexlib/plugin.py13
-rw-r--r--bitbake/lib/layerindexlib/restapi.py12
-rw-r--r--bitbake/lib/layerindexlib/tests/common.py12
-rw-r--r--bitbake/lib/layerindexlib/tests/cooker.py12
-rw-r--r--bitbake/lib/layerindexlib/tests/layerindexobj.py12
-rw-r--r--bitbake/lib/layerindexlib/tests/restapi.py12
-rw-r--r--bitbake/lib/progressbar/__init__.py2
-rw-r--r--bitbake/lib/progressbar/compat.py2
-rw-r--r--bitbake/lib/progressbar/progressbar.py2
-rw-r--r--bitbake/lib/progressbar/widgets.py2
-rw-r--r--bitbake/lib/prserv/__init__.py4
-rw-r--r--bitbake/lib/prserv/db.py4
-rw-r--r--bitbake/lib/prserv/serv.py4
-rw-r--r--bitbake/lib/pyinotify.py17
-rw-r--r--bitbake/lib/toaster/bldcollector/admin.py4
-rw-r--r--bitbake/lib/toaster/bldcollector/urls.py13
-rw-r--r--bitbake/lib/toaster/bldcollector/views.py12
-rw-r--r--bitbake/lib/toaster/bldcontrol/admin.py4
-rw-r--r--bitbake/lib/toaster/bldcontrol/bbcontroller.py13
-rw-r--r--bitbake/lib/toaster/bldcontrol/localhostbecontroller.py13
-rw-r--r--bitbake/lib/toaster/bldcontrol/management/commands/checksettings.py4
-rw-r--r--bitbake/lib/toaster/bldcontrol/management/commands/runbuilds.py4
-rw-r--r--bitbake/lib/toaster/bldcontrol/models.py4
-rw-r--r--bitbake/lib/toaster/bldcontrol/views.py4
-rwxr-xr-xbitbake/lib/toaster/manage.py4
-rw-r--r--bitbake/lib/toaster/orm/management/commands/lsupdates.py12
-rw-r--r--bitbake/lib/toaster/orm/models.py12
-rw-r--r--bitbake/lib/toaster/tests/browser/selenium_helpers.py13
-rw-r--r--bitbake/lib/toaster/tests/browser/selenium_helpers_base.py13
-rw-r--r--bitbake/lib/toaster/tests/browser/test_all_builds_page.py12
-rw-r--r--bitbake/lib/toaster/tests/browser/test_all_projects_page.py12
-rw-r--r--bitbake/lib/toaster/tests/browser/test_builddashboard_page.py12
-rw-r--r--bitbake/lib/toaster/tests/browser/test_builddashboard_page_artifacts.py12
-rw-r--r--bitbake/lib/toaster/tests/browser/test_builddashboard_page_recipes.py12
-rw-r--r--bitbake/lib/toaster/tests/browser/test_builddashboard_page_tasks.py12
-rw-r--r--bitbake/lib/toaster/tests/browser/test_js_unit_tests.py12
-rw-r--r--bitbake/lib/toaster/tests/browser/test_landing_page.py14
-rw-r--r--bitbake/lib/toaster/tests/browser/test_layerdetails_page.py14
-rw-r--r--bitbake/lib/toaster/tests/browser/test_most_recent_builds_states.py14
-rw-r--r--bitbake/lib/toaster/tests/browser/test_new_custom_image_page.py12
-rw-r--r--bitbake/lib/toaster/tests/browser/test_new_project_page.py12
-rw-r--r--bitbake/lib/toaster/tests/browser/test_project_builds_page.py12
-rw-r--r--bitbake/lib/toaster/tests/browser/test_project_config_page.py12
-rw-r--r--bitbake/lib/toaster/tests/browser/test_project_page.py12
-rw-r--r--bitbake/lib/toaster/tests/browser/test_sample.py12
-rw-r--r--bitbake/lib/toaster/tests/browser/test_task_page.py12
-rw-r--r--bitbake/lib/toaster/tests/browser/test_toastertable_ui.py12
-rw-r--r--bitbake/lib/toaster/tests/builds/buildtest.py12
-rw-r--r--bitbake/lib/toaster/tests/builds/test_core_image_min.py13
-rw-r--r--bitbake/lib/toaster/tests/commands/test_loaddata.py12
-rw-r--r--bitbake/lib/toaster/tests/commands/test_lsupdates.py12
-rw-r--r--bitbake/lib/toaster/tests/commands/test_runbuilds.py12
-rw-r--r--bitbake/lib/toaster/tests/db/test_db.py2
-rw-r--r--bitbake/lib/toaster/tests/eventreplay/__init__.py12
-rw-r--r--bitbake/lib/toaster/tests/functional/functional_helpers.py12
-rw-r--r--bitbake/lib/toaster/tests/functional/test_functional_basic.py12
-rw-r--r--bitbake/lib/toaster/tests/views/test_views.py12
-rw-r--r--bitbake/lib/toaster/toastergui/api.py13
-rw-r--r--bitbake/lib/toaster/toastergui/buildtables.py12
-rw-r--r--bitbake/lib/toaster/toastergui/tablefilter.py12
-rw-r--r--bitbake/lib/toaster/toastergui/tables.py12
-rw-r--r--bitbake/lib/toaster/toastergui/templatetags/field_values_filter.py4
-rw-r--r--bitbake/lib/toaster/toastergui/templatetags/objects_to_dictionaries_filter.py4
-rw-r--r--bitbake/lib/toaster/toastergui/templatetags/project_url_tag.py4
-rw-r--r--bitbake/lib/toaster/toastergui/templatetags/projecttags.py12
-rw-r--r--bitbake/lib/toaster/toastergui/typeaheads.py12
-rw-r--r--bitbake/lib/toaster/toastergui/urls.py12
-rw-r--r--bitbake/lib/toaster/toastergui/views.py13
-rw-r--r--bitbake/lib/toaster/toastergui/widgets.py12
-rw-r--r--bitbake/lib/toaster/toastermain/management/commands/builddelete.py4
-rw-r--r--bitbake/lib/toaster/toastermain/management/commands/buildimport.py12
-rw-r--r--bitbake/lib/toaster/toastermain/management/commands/buildslist.py4
-rw-r--r--bitbake/lib/toaster/toastermain/management/commands/checksocket.py12
-rw-r--r--bitbake/lib/toaster/toastermain/management/commands/perf.py4
-rw-r--r--bitbake/lib/toaster/toastermain/settings.py12
-rw-r--r--bitbake/lib/toaster/toastermain/settings_production_example.py12
-rw-r--r--bitbake/lib/toaster/toastermain/settings_test.py12
-rw-r--r--bitbake/lib/toaster/toastermain/urls.py12
-rw-r--r--bitbake/lib/toaster/toastermain/wsgi.py4
-rw-r--r--documentation/bsp-guide/bsp-guide.xml12
-rw-r--r--documentation/dev-manual/dev-manual-common-tasks.xml67
-rw-r--r--documentation/dev-manual/dev-manual.xml12
-rw-r--r--documentation/kernel-dev/kernel-dev-common.xml6
-rw-r--r--documentation/kernel-dev/kernel-dev.xml12
-rw-r--r--documentation/mega-manual/mega-manual.xml12
-rw-r--r--documentation/overview-manual/overview-manual.xml17
-rw-r--r--documentation/poky.ent10
-rw-r--r--documentation/profile-manual/profile-manual.xml12
-rw-r--r--documentation/ref-manual/migration.xml7
-rw-r--r--documentation/ref-manual/ref-classes.xml8
-rw-r--r--documentation/ref-manual/ref-devtool-reference.xml12
-rw-r--r--documentation/ref-manual/ref-manual.xml12
-rw-r--r--documentation/ref-manual/ref-variables.xml9
-rw-r--r--documentation/sdk-manual/sdk-manual.xml12
-rw-r--r--documentation/toaster-manual/toaster-manual.xml12
-rw-r--r--documentation/tools/mega-manual.sed46
-rw-r--r--meta-poky/conf/distro/poky.conf5
-rw-r--r--meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.19.bbappend20
-rw-r--r--meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.0.bbappend20
-rw-r--r--meta/classes/cve-check.bbclass142
-rw-r--r--meta/classes/devicetree.bbclass2
-rw-r--r--meta/classes/icecc.bbclass6
-rw-r--r--meta/classes/image-live.bbclass2
-rw-r--r--meta/classes/kernel-uboot.bbclass4
-rw-r--r--meta/classes/kernel.bbclass2
-rw-r--r--meta/classes/multilib.bbclass47
-rw-r--r--meta/classes/package.bbclass61
-rw-r--r--meta/classes/staging.bbclass2
-rw-r--r--meta/classes/uboot-extlinux-config.bbclass13
-rw-r--r--meta/classes/uboot-sign.bbclass4
-rw-r--r--meta/classes/useradd.bbclass7
-rw-r--r--meta/conf/distro/include/maintainers.inc1
-rw-r--r--meta/conf/distro/include/yocto-uninative.inc10
-rw-r--r--meta/conf/machine/qemuarm64.conf1
-rw-r--r--meta/lib/oe/gpg_sign.py39
-rw-r--r--meta/lib/oe/package.py2
-rw-r--r--meta/lib/oe/rootfs.py1
-rw-r--r--meta/lib/oeqa/core/context.py7
-rw-r--r--meta/lib/oeqa/selftest/cases/devtool.py2
-rw-r--r--meta/lib/oeqa/selftest/cases/manifest.py7
-rw-r--r--meta/lib/oeqa/selftest/cases/signing.py3
-rw-r--r--meta/lib/oeqa/utils/logparser.py4
-rw-r--r--meta/recipes-connectivity/openssl/openssl_1.1.1b.bb6
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch48
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch97
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Add-helper-functions-for-constant-time-operations.patch222
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch48
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch64
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-Use-constant-time-and-memory-access-for-find.patch327
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-SAE-Minimize-timing-differences-in-PWE-derivation.patch244
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0006-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch147
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch121
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch108
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0009-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch139
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0010-SAE-Fix-confirm-message-validation-in-error-cases.patch60
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0011-EAP-pwd-server-Verify-received-scalar-and-element.patch61
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0012-EAP-pwd-server-Detect-reflection-attacks.patch48
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch61
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch335
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb16
-rw-r--r--meta/recipes-core/expat/expat/CVE-2018-20843.patch26
-rw-r--r--meta/recipes-core/expat/expat_2.2.6.bb1
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch40
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb1
-rw-r--r--meta/recipes-core/glibc/glibc-locale.inc6
-rw-r--r--meta/recipes-core/glibc/glibc-mtrace.inc3
-rw-r--r--meta/recipes-core/glibc/glibc-package.inc61
-rw-r--r--meta/recipes-core/glibc/glibc-scripts.inc3
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2019-9169.patch1
-rw-r--r--meta/recipes-core/glibc/glibc_2.29.bb1
-rw-r--r--meta/recipes-core/images/build-appliance-image_15.0.0.bb2
-rw-r--r--meta/recipes-core/libxcrypt/libxcrypt.bb4
-rw-r--r--meta/recipes-core/meta/cve-update-db-native.bb195
-rw-r--r--meta/recipes-core/systemd/systemd.inc2
-rw-r--r--meta/recipes-core/util-linux/util-linux.inc4
-rw-r--r--meta/recipes-core/util-linux/util-linux/run-ptest14
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.32.inc4
-rw-r--r--meta/recipes-devtools/binutils/binutils/0010-Change-default-emulation-for-mips64-linux.patch9
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch51
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2019-14250.patch33
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch28
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch165
-rw-r--r--meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb62
-rw-r--r--meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch50
-rw-r--r--meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch215
-rw-r--r--meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch135
-rw-r--r--meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch52
-rw-r--r--meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch51
-rw-r--r--meta/recipes-devtools/dpkg/dpkg/pager.patch21
-rw-r--r--meta/recipes-devtools/dpkg/dpkg_1.19.4.bb1
-rw-r--r--meta/recipes-devtools/gcc/gcc-8.3.inc6
-rw-r--r--meta/recipes-devtools/gcc/gcc-8.3/0042-PR-debug-86964.patch94
-rw-r--r--meta/recipes-devtools/gcc/gcc-8.3/0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch813
-rw-r--r--meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-14250.patch44
-rw-r--r--meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-15847_p1.patch521
-rw-r--r--meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-15847_p2.patch77
-rw-r--r--meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-15847_p3.patch45
-rw-r--r--meta/recipes-devtools/go/go-1.12.inc7
-rw-r--r--meta/recipes-devtools/go/go-1.12/0001-release-branch.go1.12-security-net-textproto-don-t-n.patch163
-rw-r--r--meta/recipes-devtools/json-c/json-c_0.13.1.bb2
-rw-r--r--meta/recipes-devtools/meson/meson.inc1
-rw-r--r--meta/recipes-devtools/meson/meson/0001-Fix-missing-return-statements-that-are-seen-with-Wer.patch84
-rw-r--r--meta/recipes-devtools/meson/meson/0003-native_bindir.patch2
-rw-r--r--meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch93
-rw-r--r--meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch80
-rw-r--r--meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch44
-rw-r--r--meta/recipes-devtools/patch/patch/CVE-2019-13636.patch113
-rw-r--r--meta/recipes-devtools/patch/patch_2.7.6.bb4
-rw-r--r--meta/recipes-devtools/python/python.inc5
-rw-r--r--meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch90
-rw-r--r--meta/recipes-devtools/python/python/CVE-2019-9740.patch215
-rw-r--r--meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch81
-rw-r--r--meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch2
-rw-r--r--meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch2
-rw-r--r--meta/recipes-devtools/python/python3_3.7.4.bb (renamed from meta/recipes-devtools/python/python3_3.7.2.bb)8
-rw-r--r--meta/recipes-devtools/python/python_2.7.16.bb8
-rw-r--r--meta/recipes-devtools/qemu/qemu-native_3.1.1.1.bb (renamed from meta/recipes-devtools/qemu/qemu-native_3.1.0.bb)0
-rw-r--r--meta/recipes-devtools/qemu/qemu-system-native_3.1.1.1.bb (renamed from meta/recipes-devtools/qemu/qemu-system-native_3.1.0.bb)0
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc15
-rw-r--r--meta/recipes-devtools/qemu/qemu/0001-egl-headless-add-egl_create_context.patch50
-rw-r--r--meta/recipes-devtools/qemu/qemu/0001-linux-user-assume-__NR_gettid-always-exists.patch49
-rw-r--r--meta/recipes-devtools/qemu/qemu/0001-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch95
-rw-r--r--meta/recipes-devtools/qemu/qemu/0014-fix-CVE-2018-16872.patch85
-rw-r--r--meta/recipes-devtools/qemu/qemu/0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch339
-rw-r--r--meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch60
-rw-r--r--meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch54
-rw-r--r--meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch113
-rw-r--r--meta/recipes-devtools/qemu/qemu/0018-fix-CVE-2018-20191.patch47
-rw-r--r--meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch85
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch39
-rw-r--r--meta/recipes-devtools/qemu/qemu_3.1.1.1.bb (renamed from meta/recipes-devtools/qemu/qemu_3.1.0.bb)0
-rw-r--r--meta/recipes-devtools/rsync/files/CVE-2016-9840.patch75
-rw-r--r--meta/recipes-devtools/rsync/files/CVE-2016-9841.patch228
-rw-r--r--meta/recipes-devtools/rsync/files/CVE-2016-9842.patch33
-rw-r--r--meta/recipes-devtools/rsync/files/CVE-2016-9843.patch53
-rw-r--r--meta/recipes-devtools/rsync/rsync_3.1.3.bb4
-rw-r--r--meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch33
-rw-r--r--meta/recipes-extended/bzip2/bzip2-1.0.6/fix-regression-CVE-2019-12900.patch82
-rw-r--r--meta/recipes-extended/bzip2/bzip2_1.0.6.bb2
-rw-r--r--meta/recipes-extended/diffutils/diffutils/run-ptest3
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3839-0008.patch440
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript_9.26.bb1
-rw-r--r--meta/recipes-extended/psmisc/psmisc.inc2
-rw-r--r--meta/recipes-extended/sudo/sudo/CVE-2019-14287-1.patch178
-rw-r--r--meta/recipes-extended/sudo/sudo/CVE-2019-14287-2.patch112
-rw-r--r--meta/recipes-extended/sudo/sudo_1.8.27.bb2
-rw-r--r--meta/recipes-extended/texinfo-dummy-native/texinfo-dummy/template.py86
-rw-r--r--meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch33
-rw-r--r--meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch356
-rw-r--r--meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch121
-rw-r--r--meta/recipes-extended/unzip/unzip_6.0.bb3
-rw-r--r--meta/recipes-extended/wget/wget/CVE-2019-5953.patch34
-rw-r--r--meta/recipes-extended/wget/wget_1.20.1.bb1
-rw-r--r--meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch114
-rw-r--r--meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch68
-rw-r--r--meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch81
-rw-r--r--meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7576.patch80
-rw-r--r--meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch123
-rw-r--r--meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7578.patch64
-rw-r--r--meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch63
-rw-r--r--meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7637.patch192
-rw-r--r--meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7638.patch38
-rw-r--r--meta/recipes-graphics/libsdl/libsdl_1.2.15.bb9
-rw-r--r--meta/recipes-graphics/mesa/mesa-gl_19.0.8.bb (renamed from meta/recipes-graphics/mesa/mesa-gl_19.0.1.bb)0
-rw-r--r--meta/recipes-graphics/mesa/mesa_19.0.8.bb (renamed from meta/recipes-graphics/mesa/mesa_19.0.1.bb)4
-rw-r--r--meta/recipes-graphics/pango/pango/CVE-2019-1010238.patch38
-rw-r--r--meta/recipes-graphics/pango/pango_1.42.4.bb4
-rw-r--r--meta/recipes-kernel/linux/kernel-devsrc.bb4
-rw-r--r--meta/recipes-kernel/linux/linux-yocto-dev.bb2
-rw-r--r--meta/recipes-kernel/linux/linux-yocto-rt_4.19.bb8
-rw-r--r--meta/recipes-kernel/linux/linux-yocto-rt_5.0.bb6
-rw-r--r--meta/recipes-kernel/linux/linux-yocto-tiny_4.19.bb8
-rw-r--r--meta/recipes-kernel/linux/linux-yocto-tiny_5.0.bb6
-rw-r--r--meta/recipes-kernel/linux/linux-yocto_4.19.bb22
-rw-r--r--meta/recipes-kernel/linux/linux-yocto_5.0.bb21
-rw-r--r--meta/recipes-kernel/powertop/powertop/0001-wakeup_xxx.h-include-limits.h.patch55
-rw-r--r--meta/recipes-kernel/powertop/powertop_2.10.bb1
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2019-9928.patch33
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.14.4.bb1
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi/0001-libs-decoder-release-VA-buffers-after-vaEndPicture.patch45
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi/0001-libs-encoder-jpeg-set-component-id-and-Tqi.patch65
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.14.4.bb2
-rw-r--r--meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.patch1
-rw-r--r--meta/recipes-multimedia/libid3tag/libid3tag/unknown-encoding.patch39
-rw-r--r--meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb1
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch52
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch77
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.0.10.bb3
-rw-r--r--meta/recipes-support/boost/boost.inc2
-rw-r--r--meta/recipes-support/curl/curl/CVE-2019-5435.patch266
-rw-r--r--meta/recipes-support/curl/curl/CVE-2019-5436.patch30
-rw-r--r--meta/recipes-support/curl/curl/CVE-2019-5482.patch65
-rw-r--r--meta/recipes-support/curl/curl_7.64.1.bb3
-rw-r--r--meta/recipes-support/gnutls/gnutls_3.6.8.bb (renamed from meta/recipes-support/gnutls/gnutls_3.6.7.bb)4
-rw-r--r--meta/recipes-support/libcroco/libcroco/CVE-2017-8834_71.patch38
-rw-r--r--meta/recipes-support/libcroco/libcroco_0.6.12.bb1
-rw-r--r--meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch90
-rw-r--r--meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch332
-rw-r--r--meta/recipes-support/libgcrypt/files/0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch178
-rw-r--r--meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb3
-rw-r--r--meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.35-gawk5-support.patch161
-rw-r--r--meta/recipes-support/libgpg-error/libgpg-error_1.35.bb1
-rw-r--r--meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch124
-rw-r--r--meta/recipes-support/libxslt/files/CVE-2019-13117.patch33
-rw-r--r--meta/recipes-support/libxslt/files/CVE-2019-13118.patch76
-rw-r--r--meta/recipes-support/libxslt/libxslt_1.1.33.bb6
-rw-r--r--meta/recipes-support/ptest-runner/ptest-runner/0004-utils-ensure-child-can-be-session-leader.patch212
-rw-r--r--meta/recipes-support/ptest-runner/ptest-runner_2.3.1.bb6
-rw-r--r--meta/recipes-support/rng-tools/rng-tools/rngd.service3
-rw-r--r--meta/recipes-support/vim/files/CVE-2019-12735.patch64
-rw-r--r--meta/recipes-support/vim/vim_8.1.1017.bb1
-rwxr-xr-xscripts/runqemu22
391 files changed, 11539 insertions, 3119 deletions
diff --git a/bitbake/HEADER b/bitbake/HEADER
index 9859255df3..323892ecac 100644
--- a/bitbake/HEADER
+++ b/bitbake/HEADER
@@ -4,16 +4,5 @@
# <one line to give the program's name and a brief idea of what it does.>
# Copyright (C) <year> <name of author>
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
diff --git a/bitbake/LICENSE b/bitbake/LICENSE
index 7d4e5f44b5..8458042303 100644
--- a/bitbake/LICENSE
+++ b/bitbake/LICENSE
@@ -1,4 +1,13 @@
-BitBake is licensed under the GNU General Public License version 2.0. See COPYING for further details.
+BitBake is licensed under the GNU General Public License version 2.0. See
+LICENSE.GPL-2.0-only for further details.
+
+Individual files contain the following style tags instead of the full license text:
+
+ SPDX-License-Identifier: GPL-2.0-only
+
+This enables machine processing of license information based on the SPDX
+License Identifiers that are here available: http://spdx.org/licenses/
+
The following external components are distributed with this software:
@@ -17,3 +26,4 @@ Foundation and individual contributors.
* Font Awesome fonts redistributed under the SIL Open Font License 1.1
* simplediff is distributed under the zlib license.
+
diff --git a/bitbake/COPYING b/bitbake/LICENSE.GPL-2.0-only
index d511905c16..5db3c0a21c 100644
--- a/bitbake/COPYING
+++ b/bitbake/LICENSE.GPL-2.0-only
@@ -279,61 +279,10 @@ POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
- How to Apply These Terms to Your New Programs
+Note:
+Individual files contain the following tag instead of the full license text.
- If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
+ SPDX-License-Identifier: GPL-2.0-only
- To do so, attach the following notices to the program. It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
- <one line to give the program's name and a brief idea of what it does.>
- Copyright (C) <year> <name of author>
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License along
- with this program; if not, write to the Free Software Foundation, Inc.,
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
- Gnomovision version 69, Copyright (C) year name of author
- Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
- This is free software, and you are welcome to redistribute it
- under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License. Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary. Here is a sample; alter the names:
-
- Yoyodyne, Inc., hereby disclaims all copyright interest in the program
- `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
- <signature of Ty Coon>, 1 April 1989
- Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs. If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library. If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.
+This enables machine processing of license information based on the SPDX
+License Identifiers that are here available: http://spdx.org/licenses/
diff --git a/bitbake/LICENSE.MIT b/bitbake/LICENSE.MIT
new file mode 100644
index 0000000000..a6919eb7e1
--- /dev/null
+++ b/bitbake/LICENSE.MIT
@@ -0,0 +1,25 @@
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+Note:
+Individual files contain the following tag instead of the full license text.
+
+ SPDX-License-Identifier: MIT
+
+This enables machine processing of license information based on the SPDX
+License Identifiers that are here available: http://spdx.org/licenses/
diff --git a/bitbake/bin/bitbake b/bitbake/bin/bitbake
index 55eb530899..12467239c5 100755
--- a/bitbake/bin/bitbake
+++ b/bitbake/bin/bitbake
@@ -9,18 +9,8 @@
# Copyright (C) 2005 ROAD GmbH
# Copyright (C) 2006 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import os
import sys
diff --git a/bitbake/bin/bitbake-diffsigs b/bitbake/bin/bitbake-diffsigs
index fa430bb3b3..5523b33859 100755
--- a/bitbake/bin/bitbake-diffsigs
+++ b/bitbake/bin/bitbake-diffsigs
@@ -5,18 +5,8 @@
#
# Copyright (C) 2012-2013, 2017 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import os
import sys
diff --git a/bitbake/bin/bitbake-hashserv b/bitbake/bin/bitbake-hashserv
index c49397b73a..848a0ca39f 100755
--- a/bitbake/bin/bitbake-hashserv
+++ b/bitbake/bin/bitbake-hashserv
@@ -2,18 +2,9 @@
#
# Copyright (C) 2018 Garmin Ltd.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
import os
import sys
import logging
diff --git a/bitbake/bin/bitbake-layers b/bitbake/bin/bitbake-layers
index d184011ea6..a884dc1f8d 100755
--- a/bitbake/bin/bitbake-layers
+++ b/bitbake/bin/bitbake-layers
@@ -7,18 +7,8 @@
# Copyright (C) 2011 Mentor Graphics Corporation
# Copyright (C) 2011-2015 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import logging
import os
diff --git a/bitbake/bin/bitbake-prserv b/bitbake/bin/bitbake-prserv
index f38d2dd882..1e9b6cbc1b 100755
--- a/bitbake/bin/bitbake-prserv
+++ b/bitbake/bin/bitbake-prserv
@@ -1,4 +1,8 @@
#!/usr/bin/env python3
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
import os
import sys,logging
import optparse
diff --git a/bitbake/bin/bitbake-selftest b/bitbake/bin/bitbake-selftest
index 99f1af910f..20553e9814 100755
--- a/bitbake/bin/bitbake-selftest
+++ b/bitbake/bin/bitbake-selftest
@@ -2,18 +2,8 @@
#
# Copyright (C) 2012 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import os
import sys, logging
diff --git a/bitbake/bin/bitbake-worker b/bitbake/bin/bitbake-worker
index a9e997e1f6..c1df3ecd9f 100755
--- a/bitbake/bin/bitbake-worker
+++ b/bitbake/bin/bitbake-worker
@@ -1,4 +1,7 @@
#!/usr/bin/env python3
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
import os
import sys
@@ -192,9 +195,6 @@ def fork_off_task(cfg, data, databuilder, workerdata, fn, task, taskname, taskha
global worker_pipe_lock
pipein.close()
- signal.signal(signal.SIGTERM, sigterm_handler)
- # Let SIGHUP exit as SIGTERM
- signal.signal(signal.SIGHUP, sigterm_handler)
bb.utils.signal_on_parent_exit("SIGTERM")
# Save out the PID so that the event can include it the
@@ -209,6 +209,11 @@ def fork_off_task(cfg, data, databuilder, workerdata, fn, task, taskname, taskha
# This ensures signals sent to the controlling terminal like Ctrl+C
# don't stop the child processes.
os.setsid()
+
+ signal.signal(signal.SIGTERM, sigterm_handler)
+ # Let SIGHUP exit as SIGTERM
+ signal.signal(signal.SIGHUP, sigterm_handler)
+
# No stdin
newsi = os.open(os.devnull, os.O_RDWR)
os.dup2(newsi, sys.stdin.fileno())
diff --git a/bitbake/bin/bitdoc b/bitbake/bin/bitdoc
index 2744678824..4839a6489f 100755
--- a/bitbake/bin/bitdoc
+++ b/bitbake/bin/bitdoc
@@ -4,18 +4,8 @@
#
# Copyright (C) 2005 Holger Hans Peter Freyther
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import optparse, os, sys
diff --git a/bitbake/bin/git-make-shallow b/bitbake/bin/git-make-shallow
index 296d3a3dbd..57069f7edf 100755
--- a/bitbake/bin/git-make-shallow
+++ b/bitbake/bin/git-make-shallow
@@ -1,4 +1,8 @@
#!/usr/bin/env python3
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
"""git-make-shallow: make the current git repository shallow
Remove the history of the specified revisions, then optionally filter the
diff --git a/bitbake/bin/toaster b/bitbake/bin/toaster
index ecf66fa51f..c3472dfee8 100755
--- a/bitbake/bin/toaster
+++ b/bitbake/bin/toaster
@@ -3,19 +3,9 @@
# toaster - shell script to start Toaster
# Copyright (C) 2013-2015 Intel Corp.
-
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# SPDX-License-Identifier: GPL-2.0-or-later
#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see http://www.gnu.org/licenses/.
HELP="
Usage: source toaster start|stop [webport=<address:port>] [noweb] [nobuild] [toasterdir]
diff --git a/bitbake/bin/toaster-eventreplay b/bitbake/bin/toaster-eventreplay
index 80967a0934..3f01a3cc00 100755
--- a/bitbake/bin/toaster-eventreplay
+++ b/bitbake/bin/toaster-eventreplay
@@ -4,22 +4,11 @@
#
# Copyright (C) 2014 Alex Damian
#
+# SPDX-License-Identifier: GPL-2.0-only
+#
# This file re-uses code spread throughout other Bitbake source files.
# As such, all other copyrights belong to their own right holders.
#
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
"""
This command takes a filename as a single parameter. The filename is read
diff --git a/bitbake/lib/bb/COW.py b/bitbake/lib/bb/COW.py
index 7817473ab8..06678a9bf8 100644
--- a/bitbake/lib/bb/COW.py
+++ b/bitbake/lib/bb/COW.py
@@ -5,19 +5,6 @@
#
# Copyright (C) 2006 Tim Ansell
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
#Please Note:
# Be careful when using mutable types (ie Dict and Lists) - operations involving these are SLOW.
# Assign a file to __warn__ to get warnings about slow operations.
diff --git a/bitbake/lib/bb/__init__.py b/bitbake/lib/bb/__init__.py
index df54b6b304..afa49abc73 100644
--- a/bitbake/lib/bb/__init__.py
+++ b/bitbake/lib/bb/__init__.py
@@ -8,18 +8,8 @@
#
# Based on Gentoo's portage.py.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
__version__ = "1.42.0"
diff --git a/bitbake/lib/bb/build.py b/bitbake/lib/bb/build.py
index 7571421d71..5ba2e6d517 100644
--- a/bitbake/lib/bb/build.py
+++ b/bitbake/lib/bb/build.py
@@ -10,18 +10,7 @@
#
# Based on Gentoo's portage.py.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
# Based on functions from the base bb module, Copyright 2003 Holger Schurig
diff --git a/bitbake/lib/bb/cache.py b/bitbake/lib/bb/cache.py
index 65c514b908..af410aac39 100644
--- a/bitbake/lib/bb/cache.py
+++ b/bitbake/lib/bb/cache.py
@@ -15,18 +15,8 @@
# Copyright (C) 2005 Holger Hans Peter Freyther
# Copyright (C) 2005 ROAD GmbH
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import os
import sys
diff --git a/bitbake/lib/bb/cache_extra.py b/bitbake/lib/bb/cache_extra.py
index 83f4959d6c..d282601134 100644
--- a/bitbake/lib/bb/cache_extra.py
+++ b/bitbake/lib/bb/cache_extra.py
@@ -12,18 +12,8 @@
# Copyright (C) 2011, Intel Corporation. All rights reserved.
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from bb.cache import RecipeInfoCommon
diff --git a/bitbake/lib/bb/checksum.py b/bitbake/lib/bb/checksum.py
index 4e1598fe83..5bc8a8fcb6 100644
--- a/bitbake/lib/bb/checksum.py
+++ b/bitbake/lib/bb/checksum.py
@@ -2,18 +2,8 @@
#
# Copyright (C) 2012 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import glob
import operator
diff --git a/bitbake/lib/bb/codeparser.py b/bitbake/lib/bb/codeparser.py
index ac995a6a1d..fd2c4734f0 100644
--- a/bitbake/lib/bb/codeparser.py
+++ b/bitbake/lib/bb/codeparser.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
"""
BitBake code parser
diff --git a/bitbake/lib/bb/command.py b/bitbake/lib/bb/command.py
index 6c966e3dbc..378f389b3a 100644
--- a/bitbake/lib/bb/command.py
+++ b/bitbake/lib/bb/command.py
@@ -6,18 +6,8 @@ Provide an interface to interact with the bitbake server through 'commands'
# Copyright (C) 2006-2007 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
"""
The bitbake server takes 'commands' from its UI/commandline.
diff --git a/bitbake/lib/bb/compat.py b/bitbake/lib/bb/compat.py
index de1923d28a..49356681ab 100644
--- a/bitbake/lib/bb/compat.py
+++ b/bitbake/lib/bb/compat.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
"""Code pulled from future python versions, here for compatibility"""
from collections import MutableMapping, KeysView, ValuesView, ItemsView, OrderedDict
diff --git a/bitbake/lib/bb/cooker.py b/bitbake/lib/bb/cooker.py
index 8dac7934f7..a97bafdcac 100644
--- a/bitbake/lib/bb/cooker.py
+++ b/bitbake/lib/bb/cooker.py
@@ -9,19 +9,8 @@
# Copyright (C) 2005 ROAD GmbH
# Copyright (C) 2006 - 2007 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
import sys, os, glob, os.path, re, time
import atexit
diff --git a/bitbake/lib/bb/cookerdata.py b/bitbake/lib/bb/cookerdata.py
index 09412e28cf..9ad97f4f38 100644
--- a/bitbake/lib/bb/cookerdata.py
+++ b/bitbake/lib/bb/cookerdata.py
@@ -9,23 +9,14 @@
# Copyright (C) 2005 ROAD GmbH
# Copyright (C) 2006 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import logging
import os
import re
import sys
+import hashlib
from functools import wraps
import bb
from bb import data
@@ -279,6 +270,7 @@ class CookerDataBuilder(object):
self.mcdata = {}
def parseBaseConfiguration(self):
+ data_hash = hashlib.sha256()
try:
bb.parse.init_parser(self.basedata)
self.data = self.parseConfigurationFiles(self.prefiles, self.postfiles)
@@ -302,7 +294,7 @@ class CookerDataBuilder(object):
bb.event.fire(bb.event.ConfigParsed(), self.data)
bb.parse.init_parser(self.data)
- self.data_hash = self.data.get_hash()
+ data_hash.update(self.data.get_hash().encode('utf-8'))
self.mcdata[''] = self.data
multiconfig = (self.data.getVar("BBMULTICONFIG") or "").split()
@@ -310,9 +302,11 @@ class CookerDataBuilder(object):
mcdata = self.parseConfigurationFiles(self.prefiles, self.postfiles, config)
bb.event.fire(bb.event.ConfigParsed(), mcdata)
self.mcdata[config] = mcdata
+ data_hash.update(mcdata.get_hash().encode('utf-8'))
if multiconfig:
bb.event.fire(bb.event.MultiConfigParsed(self.mcdata), self.data)
+ self.data_hash = data_hash.hexdigest()
except (SyntaxError, bb.BBHandledException):
raise bb.BBHandledException
except bb.data_smart.ExpansionError as e:
diff --git a/bitbake/lib/bb/daemonize.py b/bitbake/lib/bb/daemonize.py
index c937675eb6..f01e6ec7cc 100644
--- a/bitbake/lib/bb/daemonize.py
+++ b/bitbake/lib/bb/daemonize.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
"""
Python Daemonizing helper
diff --git a/bitbake/lib/bb/data.py b/bitbake/lib/bb/data.py
index 29c2388038..2dcb16e56a 100644
--- a/bitbake/lib/bb/data.py
+++ b/bitbake/lib/bb/data.py
@@ -22,18 +22,7 @@ the speed is more critical here.
# Copyright (C) 2003, 2004 Chris Larson
# Copyright (C) 2005 Holger Hans Peter Freyther
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
# Based on functions from the base bb module, Copyright 2003 Holger Schurig
diff --git a/bitbake/lib/bb/data_smart.py b/bitbake/lib/bb/data_smart.py
index 07db7be97a..da67998b10 100644
--- a/bitbake/lib/bb/data_smart.py
+++ b/bitbake/lib/bb/data_smart.py
@@ -14,18 +14,8 @@ BitBake build tools.
# Copyright (C) 2005 Uli Luckas
# Copyright (C) 2005 ROAD GmbH
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# Based on functions from the base bb module, Copyright 2003 Holger Schurig
import copy, re, sys, traceback
diff --git a/bitbake/lib/bb/event.py b/bitbake/lib/bb/event.py
index 5b1b094a80..656491494e 100644
--- a/bitbake/lib/bb/event.py
+++ b/bitbake/lib/bb/event.py
@@ -9,18 +9,8 @@ BitBake build tools.
# Copyright (C) 2003, 2004 Chris Larson
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import os, sys
import warnings
diff --git a/bitbake/lib/bb/exceptions.py b/bitbake/lib/bb/exceptions.py
index cd713439ea..ecbad59970 100644
--- a/bitbake/lib/bb/exceptions.py
+++ b/bitbake/lib/bb/exceptions.py
@@ -1,3 +1,6 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
import inspect
import traceback
diff --git a/bitbake/lib/bb/fetch2/__init__.py b/bitbake/lib/bb/fetch2/__init__.py
index 8fecc809d4..b00aeb3afd 100644
--- a/bitbake/lib/bb/fetch2/__init__.py
+++ b/bitbake/lib/bb/fetch2/__init__.py
@@ -10,18 +10,7 @@ BitBake build tools.
# Copyright (C) 2003, 2004 Chris Larson
# Copyright (C) 2012 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
# Based on functions from the base bb module, Copyright 2003 Holger Schurig
@@ -856,6 +845,11 @@ def runfetchcmd(cmd, d, quiet=False, cleanup=None, log=None, workdir=None):
if val:
cmd = 'export ' + var + '=\"%s\"; %s' % (val, cmd)
+ # Ensure that a _PYTHON_SYSCONFIGDATA_NAME value set by a recipe
+ # (for example via python3native.bbclass since warrior) is not set for
+ # host Python (otherwise tools like git-make-shallow will fail)
+ cmd = 'unset _PYTHON_SYSCONFIGDATA_NAME; ' + cmd
+
# Disable pseudo as it may affect ssh, potentially causing it to hang.
cmd = 'export PSEUDO_DISABLED=1; ' + cmd
@@ -970,7 +964,8 @@ def rename_bad_checksum(ud, suffix):
new_localpath = "%s_bad-checksum_%s" % (ud.localpath, suffix)
bb.warn("Renaming %s to %s" % (ud.localpath, new_localpath))
- bb.utils.movefile(ud.localpath, new_localpath)
+ if not bb.utils.movefile(ud.localpath, new_localpath):
+ bb.warn("Renaming %s to %s failed, grep movefile in log.do_fetch to see why" % (ud.localpath, new_localpath))
def try_mirror_url(fetch, origud, ud, ld, check = False):
diff --git a/bitbake/lib/bb/fetch2/bzr.py b/bitbake/lib/bb/fetch2/bzr.py
index 658502f9a6..c56d875300 100644
--- a/bitbake/lib/bb/fetch2/bzr.py
+++ b/bitbake/lib/bb/fetch2/bzr.py
@@ -10,18 +10,8 @@ BitBake 'Fetch' implementation for bzr.
# BitBake build tools.
# Copyright (C) 2003, 2004 Chris Larson
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import os
import sys
diff --git a/bitbake/lib/bb/fetch2/clearcase.py b/bitbake/lib/bb/fetch2/clearcase.py
index 3a6573d0b2..09c9d0c33c 100644
--- a/bitbake/lib/bb/fetch2/clearcase.py
+++ b/bitbake/lib/bb/fetch2/clearcase.py
@@ -47,18 +47,7 @@ User credentials:
"""
# Copyright (C) 2014 Siemens AG
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
import os
diff --git a/bitbake/lib/bb/fetch2/cvs.py b/bitbake/lib/bb/fetch2/cvs.py
index 0e0a3196f8..c780a6a45d 100644
--- a/bitbake/lib/bb/fetch2/cvs.py
+++ b/bitbake/lib/bb/fetch2/cvs.py
@@ -10,20 +10,9 @@ BitBake build tools.
# Copyright (C) 2003, 2004 Chris Larson
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#Based on functions from the base bb module, Copyright 2003 Holger Schurig
+# Based on functions from the base bb module, Copyright 2003 Holger Schurig
#
import os
diff --git a/bitbake/lib/bb/fetch2/git.py b/bitbake/lib/bb/fetch2/git.py
index c69d25c914..80caf109b1 100644
--- a/bitbake/lib/bb/fetch2/git.py
+++ b/bitbake/lib/bb/fetch2/git.py
@@ -55,20 +55,10 @@ Supported SRC_URI options are:
"""
-#Copyright (C) 2005 Richard Purdie
+# Copyright (C) 2005 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import collections
import errno
diff --git a/bitbake/lib/bb/fetch2/gitannex.py b/bitbake/lib/bb/fetch2/gitannex.py
index a9b69caab4..939e058127 100644
--- a/bitbake/lib/bb/fetch2/gitannex.py
+++ b/bitbake/lib/bb/fetch2/gitannex.py
@@ -7,18 +7,8 @@ BitBake 'Fetch' git annex implementation
# Copyright (C) 2014 Otavio Salvador
# Copyright (C) 2014 O.S. Systems Software LTDA.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import os
import bb
diff --git a/bitbake/lib/bb/fetch2/gitsm.py b/bitbake/lib/bb/fetch2/gitsm.py
index 32389130bd..0b3abe4c8c 100644
--- a/bitbake/lib/bb/fetch2/gitsm.py
+++ b/bitbake/lib/bb/fetch2/gitsm.py
@@ -16,18 +16,8 @@ NOTE: Switching a SRC_URI from "git://" to "gitsm://" requires a clean of your r
# Copyright (C) 2013 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import os
import bb
@@ -129,7 +119,7 @@ class GitSM(Git):
url += ';protocol=%s' % proto
url += ";name=%s" % module
- url += ";subpath=%s" % paths[module]
+ url += ";subpath=%s" % module
ld = d.createCopy()
# Not necessary to set SRC_URI, since we're passing the URI to
@@ -196,7 +186,7 @@ class GitSM(Git):
try:
newfetch = Fetch([url], d, cache=False)
- newfetch.unpack(root=os.path.dirname(os.path.join(repo_conf, 'modules', modpath)))
+ newfetch.unpack(root=os.path.dirname(os.path.join(repo_conf, 'modules', module)))
except Exception as e:
logger.error('gitsm: submodule unpack failed: %s %s' % (type(e).__name__, str(e)))
raise
@@ -211,9 +201,9 @@ class GitSM(Git):
# Ensure the submodule repository is NOT set to bare, since we're checking it out...
try:
- runfetchcmd("%s config core.bare false" % (ud.basecmd), d, quiet=True, workdir=os.path.join(repo_conf, 'modules', modpath))
+ runfetchcmd("%s config core.bare false" % (ud.basecmd), d, quiet=True, workdir=os.path.join(repo_conf, 'modules', module))
except:
- logger.error("Unable to set git config core.bare to false for %s" % os.path.join(repo_conf, 'modules', modpath))
+ logger.error("Unable to set git config core.bare to false for %s" % os.path.join(repo_conf, 'modules', module))
raise
Git.unpack(self, ud, destdir, d)
@@ -221,5 +211,7 @@ class GitSM(Git):
ret = self.process_submodules(ud, ud.destdir, unpack_submodules, d)
if not ud.bareclone and ret:
- # Run submodule update, this sets up the directories -- without touching the config
+ # All submodules should already be downloaded and configured in the tree. This simply sets
+ # up the configuration and checks out the files. The main project config should remain
+ # unmodified, and no download from the internet should occur.
runfetchcmd("%s submodule update --recursive --no-fetch" % (ud.basecmd), d, quiet=True, workdir=ud.destdir)
diff --git a/bitbake/lib/bb/fetch2/hg.py b/bitbake/lib/bb/fetch2/hg.py
index 5a2985e16c..289fcd14bf 100644
--- a/bitbake/lib/bb/fetch2/hg.py
+++ b/bitbake/lib/bb/fetch2/hg.py
@@ -9,20 +9,10 @@ BitBake 'Fetch' implementation for mercurial DRCS (hg).
# Copyright (C) 2004 Marcin Juszkiewicz
# Copyright (C) 2007 Robert Schuster
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
# Based on functions from the base bb module, Copyright 2003 Holger Schurig
+#
import os
import sys
diff --git a/bitbake/lib/bb/fetch2/local.py b/bitbake/lib/bb/fetch2/local.py
index a114ac12e5..b04476fe48 100644
--- a/bitbake/lib/bb/fetch2/local.py
+++ b/bitbake/lib/bb/fetch2/local.py
@@ -10,20 +10,10 @@ BitBake build tools.
# Copyright (C) 2003, 2004 Chris Larson
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
# Based on functions from the base bb module, Copyright 2003 Holger Schurig
+#
import os
import urllib.request, urllib.parse, urllib.error
diff --git a/bitbake/lib/bb/fetch2/npm.py b/bitbake/lib/bb/fetch2/npm.py
index 65bf5a3644..7235f899f4 100644
--- a/bitbake/lib/bb/fetch2/npm.py
+++ b/bitbake/lib/bb/fetch2/npm.py
@@ -1,3 +1,6 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
# ex:ts=4:sw=4:sts=4:et
# -*- tab-width: 4; c-basic-offset: 4; indent-tabs-mode: nil -*-
"""
diff --git a/bitbake/lib/bb/fetch2/osc.py b/bitbake/lib/bb/fetch2/osc.py
index 6c60456b53..19c0d9dcaa 100644
--- a/bitbake/lib/bb/fetch2/osc.py
+++ b/bitbake/lib/bb/fetch2/osc.py
@@ -1,3 +1,6 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
# ex:ts=4:sw=4:sts=4:et
# -*- tab-width: 4; c-basic-offset: 4; indent-tabs-mode: nil -*-
"""
diff --git a/bitbake/lib/bb/fetch2/perforce.py b/bitbake/lib/bb/fetch2/perforce.py
index 903a8e61ae..a03a36d340 100644
--- a/bitbake/lib/bb/fetch2/perforce.py
+++ b/bitbake/lib/bb/fetch2/perforce.py
@@ -8,18 +8,7 @@ BitBake 'Fetch' implementation for perforce
# Copyright (C) 2003, 2004 Chris Larson
# Copyright (C) 2016 Kodak Alaris, Inc.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
# Based on functions from the base bb module, Copyright 2003 Holger Schurig
diff --git a/bitbake/lib/bb/fetch2/repo.py b/bitbake/lib/bb/fetch2/repo.py
index 8c7e81853a..cd752d5283 100644
--- a/bitbake/lib/bb/fetch2/repo.py
+++ b/bitbake/lib/bb/fetch2/repo.py
@@ -8,20 +8,10 @@ BitBake "Fetch" repo (git) implementation
# Copyright (C) 2009 Tom Rini <trini@embeddedalley.com>
#
# Based on git.py which is:
-#Copyright (C) 2005 Richard Purdie
+# Copyright (C) 2005 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import os
import bb
diff --git a/bitbake/lib/bb/fetch2/s3.py b/bitbake/lib/bb/fetch2/s3.py
index 1629288622..479528f926 100644
--- a/bitbake/lib/bb/fetch2/s3.py
+++ b/bitbake/lib/bb/fetch2/s3.py
@@ -13,18 +13,7 @@ The aws tool must be correctly installed and configured prior to use.
# Based in part on bb.fetch2.wget:
# Copyright (C) 2003, 2004 Chris Larson
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
# Based on functions from the base bb module, Copyright 2003 Holger Schurig
diff --git a/bitbake/lib/bb/fetch2/sftp.py b/bitbake/lib/bb/fetch2/sftp.py
index 81884a6aa4..f4a979197a 100644
--- a/bitbake/lib/bb/fetch2/sftp.py
+++ b/bitbake/lib/bb/fetch2/sftp.py
@@ -44,18 +44,7 @@ SRC_URI = "sftp://user@host.example.com/dir/path.file.txt"
# Based in part on bb.fetch2.wget:
# Copyright (C) 2003, 2004 Chris Larson
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
# Based on functions from the base bb module, Copyright 2003 Holger Schurig
diff --git a/bitbake/lib/bb/fetch2/ssh.py b/bitbake/lib/bb/fetch2/ssh.py
index 6047ee417a..be2427cf9a 100644
--- a/bitbake/lib/bb/fetch2/ssh.py
+++ b/bitbake/lib/bb/fetch2/ssh.py
@@ -29,18 +29,8 @@ IETF secsh internet draft:
# Copyright 2003 Holger Schurig
#
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import re, os
from bb.fetch2 import FetchMethod
diff --git a/bitbake/lib/bb/fetch2/svn.py b/bitbake/lib/bb/fetch2/svn.py
index 9dcf3eb090..6a82da9d52 100644
--- a/bitbake/lib/bb/fetch2/svn.py
+++ b/bitbake/lib/bb/fetch2/svn.py
@@ -8,18 +8,7 @@ BitBake 'Fetch' implementation for svn.
# Copyright (C) 2003, 2004 Chris Larson
# Copyright (C) 2004 Marcin Juszkiewicz
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
# Based on functions from the base bb module, Copyright 2003 Holger Schurig
diff --git a/bitbake/lib/bb/fetch2/wget.py b/bitbake/lib/bb/fetch2/wget.py
index 3bb3e3bb0c..143db1b361 100644
--- a/bitbake/lib/bb/fetch2/wget.py
+++ b/bitbake/lib/bb/fetch2/wget.py
@@ -10,18 +10,7 @@ BitBake build tools.
# Copyright (C) 2003, 2004 Chris Larson
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
# Based on functions from the base bb module, Copyright 2003 Holger Schurig
diff --git a/bitbake/lib/bb/main.py b/bitbake/lib/bb/main.py
index 41dd3b9e03..3c8746d2bd 100755
--- a/bitbake/lib/bb/main.py
+++ b/bitbake/lib/bb/main.py
@@ -9,18 +9,8 @@
# Copyright (C) 2005 ROAD GmbH
# Copyright (C) 2006 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import os
import sys
diff --git a/bitbake/lib/bb/methodpool.py b/bitbake/lib/bb/methodpool.py
index 49aed3338b..2f383c229c 100644
--- a/bitbake/lib/bb/methodpool.py
+++ b/bitbake/lib/bb/methodpool.py
@@ -4,18 +4,8 @@
#
# Copyright (C) 2006 Holger Hans Peter Freyther
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from bb.utils import better_compile, better_exec
diff --git a/bitbake/lib/bb/monitordisk.py b/bitbake/lib/bb/monitordisk.py
index 2ad1e61562..855452d2b4 100644
--- a/bitbake/lib/bb/monitordisk.py
+++ b/bitbake/lib/bb/monitordisk.py
@@ -4,18 +4,8 @@
#
# Copyright (C) 2012 Robert Yang
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import os, logging, re, sys
import bb
diff --git a/bitbake/lib/bb/msg.py b/bitbake/lib/bb/msg.py
index 96f077ec49..a116444fa1 100644
--- a/bitbake/lib/bb/msg.py
+++ b/bitbake/lib/bb/msg.py
@@ -9,18 +9,8 @@ Message handling infrastructure for bitbake
# Copyright (C) 2006 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import sys
import copy
diff --git a/bitbake/lib/bb/namedtuple_with_abc.py b/bitbake/lib/bb/namedtuple_with_abc.py
index 32f2fc642c..c8e1d55c15 100644
--- a/bitbake/lib/bb/namedtuple_with_abc.py
+++ b/bitbake/lib/bb/namedtuple_with_abc.py
@@ -1,6 +1,9 @@
# http://code.activestate.com/recipes/577629-namedtupleabc-abstract-base-class-mix-in-for-named/
#!/usr/bin/env python
# Copyright (c) 2011 Jan Kaliszewski (zuo). Available under the MIT License.
+#
+# SPDX-License-Identifier: MIT
+#
"""
namedtuple_with_abc.py:
diff --git a/bitbake/lib/bb/parse/__init__.py b/bitbake/lib/bb/parse/__init__.py
index 5397d57a51..76e180b411 100644
--- a/bitbake/lib/bb/parse/__init__.py
+++ b/bitbake/lib/bb/parse/__init__.py
@@ -9,20 +9,10 @@ File parsers for the BitBake build tools.
# Copyright (C) 2003, 2004 Chris Larson
# Copyright (C) 2003, 2004 Phil Blundell
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
# Based on functions from the base bb module, Copyright 2003 Holger Schurig
+#
handlers = []
diff --git a/bitbake/lib/bb/parse/ast.py b/bitbake/lib/bb/parse/ast.py
index 6d7c80b34f..71ee49b8ce 100644
--- a/bitbake/lib/bb/parse/ast.py
+++ b/bitbake/lib/bb/parse/ast.py
@@ -8,19 +8,8 @@
# Copyright (C) 2003, 2004 Phil Blundell
# Copyright (C) 2009 Holger Hans Peter Freyther
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
import re
import string
diff --git a/bitbake/lib/bb/parse/parse_py/BBHandler.py b/bitbake/lib/bb/parse/parse_py/BBHandler.py
index 9dba5f2334..cf84ddfb12 100644
--- a/bitbake/lib/bb/parse/parse_py/BBHandler.py
+++ b/bitbake/lib/bb/parse/parse_py/BBHandler.py
@@ -12,19 +12,8 @@
# Copyright (C) 2003, 2004 Chris Larson
# Copyright (C) 2003, 2004 Phil Blundell
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
import re, bb, os
import logging
diff --git a/bitbake/lib/bb/parse/parse_py/ConfHandler.py b/bitbake/lib/bb/parse/parse_py/ConfHandler.py
index ea49f8ca93..cc70da0db6 100644
--- a/bitbake/lib/bb/parse/parse_py/ConfHandler.py
+++ b/bitbake/lib/bb/parse/parse_py/ConfHandler.py
@@ -11,18 +11,8 @@
# Copyright (C) 2003, 2004 Chris Larson
# Copyright (C) 2003, 2004 Phil Blundell
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import errno
import re
diff --git a/bitbake/lib/bb/parse/parse_py/__init__.py b/bitbake/lib/bb/parse/parse_py/__init__.py
index 3e658d0de9..696c71b458 100644
--- a/bitbake/lib/bb/parse/parse_py/__init__.py
+++ b/bitbake/lib/bb/parse/parse_py/__init__.py
@@ -11,20 +11,10 @@ File parsers for the BitBake build tools.
# Copyright (C) 2003, 2004 Chris Larson
# Copyright (C) 2003, 2004 Phil Blundell
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
# Based on functions from the base bb module, Copyright 2003 Holger Schurig
+#
from __future__ import absolute_import
from . import ConfHandler
diff --git a/bitbake/lib/bb/persist_data.py b/bitbake/lib/bb/persist_data.py
index 0d44100f10..de8f87a8bf 100644
--- a/bitbake/lib/bb/persist_data.py
+++ b/bitbake/lib/bb/persist_data.py
@@ -8,18 +8,8 @@ currently, providing a key/value store accessed by 'domain'.
# Copyright (C) 2007 Richard Purdie
# Copyright (C) 2010 Chris Larson <chris_larson@mentor.com>
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import collections
import logging
diff --git a/bitbake/lib/bb/process.py b/bitbake/lib/bb/process.py
index e69697cb68..2dc472a86f 100644
--- a/bitbake/lib/bb/process.py
+++ b/bitbake/lib/bb/process.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
import logging
import signal
import subprocess
diff --git a/bitbake/lib/bb/progress.py b/bitbake/lib/bb/progress.py
index f54d1c76f8..e9b72e28b9 100644
--- a/bitbake/lib/bb/progress.py
+++ b/bitbake/lib/bb/progress.py
@@ -4,18 +4,8 @@ BitBake progress handling code
# Copyright (C) 2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import sys
import re
diff --git a/bitbake/lib/bb/providers.py b/bitbake/lib/bb/providers.py
index f496d84d12..78445d6a72 100644
--- a/bitbake/lib/bb/providers.py
+++ b/bitbake/lib/bb/providers.py
@@ -8,18 +8,8 @@
# Copyright (C) 2005 ROAD GmbH
# Copyright (C) 2006 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import re
import logging
diff --git a/bitbake/lib/bb/remotedata.py b/bitbake/lib/bb/remotedata.py
index 68ecffc198..7391e1b45c 100644
--- a/bitbake/lib/bb/remotedata.py
+++ b/bitbake/lib/bb/remotedata.py
@@ -6,18 +6,8 @@ Provides support for using a datastore from the bitbake client
# Copyright (C) 2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import bb.data
diff --git a/bitbake/lib/bb/runqueue.py b/bitbake/lib/bb/runqueue.py
index 329cda33a4..c7047b3b84 100644
--- a/bitbake/lib/bb/runqueue.py
+++ b/bitbake/lib/bb/runqueue.py
@@ -9,18 +9,8 @@ Handles preparation and execution of a queue of tasks
# Copyright (C) 2006-2007 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import copy
import os
diff --git a/bitbake/lib/bb/server/__init__.py b/bitbake/lib/bb/server/__init__.py
index 5a3fba968f..b6f7513181 100644
--- a/bitbake/lib/bb/server/__init__.py
+++ b/bitbake/lib/bb/server/__init__.py
@@ -5,17 +5,5 @@
# Copyright (C) 2006 - 2008 Richard Purdie
# Copyright (C) 2013 Alexandru Damian
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-
diff --git a/bitbake/lib/bb/server/process.py b/bitbake/lib/bb/server/process.py
index 80a7875ad9..f901fe505a 100644
--- a/bitbake/lib/bb/server/process.py
+++ b/bitbake/lib/bb/server/process.py
@@ -3,18 +3,8 @@
#
# Copyright (C) 2010 Bob Foerster <robert@erafx.com>
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
"""
This module implements a multiprocessing.Process based server for bitbake.
diff --git a/bitbake/lib/bb/server/xmlrpcclient.py b/bitbake/lib/bb/server/xmlrpcclient.py
index 4661a9e5a0..c054c3c89d 100644
--- a/bitbake/lib/bb/server/xmlrpcclient.py
+++ b/bitbake/lib/bb/server/xmlrpcclient.py
@@ -4,18 +4,8 @@
# Copyright (C) 2006 - 2007 Michael 'Mickey' Lauer
# Copyright (C) 2006 - 2008 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import os
import sys
diff --git a/bitbake/lib/bb/server/xmlrpcserver.py b/bitbake/lib/bb/server/xmlrpcserver.py
index 875b1282e5..54fa32f573 100644
--- a/bitbake/lib/bb/server/xmlrpcserver.py
+++ b/bitbake/lib/bb/server/xmlrpcserver.py
@@ -4,18 +4,8 @@
# Copyright (C) 2006 - 2007 Michael 'Mickey' Lauer
# Copyright (C) 2006 - 2008 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import os
import sys
diff --git a/bitbake/lib/bb/siggen.py b/bitbake/lib/bb/siggen.py
index 09c9c8a25f..3e2a85fc8c 100644
--- a/bitbake/lib/bb/siggen.py
+++ b/bitbake/lib/bb/siggen.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
import hashlib
import logging
import os
diff --git a/bitbake/lib/bb/taskdata.py b/bitbake/lib/bb/taskdata.py
index 94e822c485..5c49739da3 100644
--- a/bitbake/lib/bb/taskdata.py
+++ b/bitbake/lib/bb/taskdata.py
@@ -10,18 +10,8 @@ Task data collection and handling
# Copyright (C) 2006 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import logging
import re
diff --git a/bitbake/lib/bb/tests/codeparser.py b/bitbake/lib/bb/tests/codeparser.py
index 3fd76a8f9f..742ccc2c27 100644
--- a/bitbake/lib/bb/tests/codeparser.py
+++ b/bitbake/lib/bb/tests/codeparser.py
@@ -6,18 +6,7 @@
# Copyright (C) 2010 Chris Larson
# Copyright (C) 2012 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
import unittest
diff --git a/bitbake/lib/bb/tests/cooker.py b/bitbake/lib/bb/tests/cooker.py
index 2b44236506..70b18598e1 100644
--- a/bitbake/lib/bb/tests/cooker.py
+++ b/bitbake/lib/bb/tests/cooker.py
@@ -3,18 +3,7 @@
#
# BitBake Tests for cooker.py
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
import unittest
diff --git a/bitbake/lib/bb/tests/cow.py b/bitbake/lib/bb/tests/cow.py
index d149d84d0d..59ad242183 100644
--- a/bitbake/lib/bb/tests/cow.py
+++ b/bitbake/lib/bb/tests/cow.py
@@ -3,20 +3,9 @@
#
# BitBake Tests for Copy-on-Write (cow.py)
#
-# Copyright 2006 Holger Freyther <freyther@handhelds.org>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# Copyright 2006 Holger Freyther <freyther@handhelds.org>
#
import unittest
diff --git a/bitbake/lib/bb/tests/data.py b/bitbake/lib/bb/tests/data.py
index 3c511f214b..8bd472a8be 100644
--- a/bitbake/lib/bb/tests/data.py
+++ b/bitbake/lib/bb/tests/data.py
@@ -6,18 +6,7 @@
# Copyright (C) 2010 Chris Larson
# Copyright (C) 2012 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
import unittest
diff --git a/bitbake/lib/bb/tests/event.py b/bitbake/lib/bb/tests/event.py
index d3a5f6269f..e6254c7a1e 100644
--- a/bitbake/lib/bb/tests/event.py
+++ b/bitbake/lib/bb/tests/event.py
@@ -5,18 +5,7 @@
#
# Copyright (C) 2017 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
import unittest
diff --git a/bitbake/lib/bb/tests/fetch.py b/bitbake/lib/bb/tests/fetch.py
index 429998b34f..32db5c38c8 100644
--- a/bitbake/lib/bb/tests/fetch.py
+++ b/bitbake/lib/bb/tests/fetch.py
@@ -5,18 +5,7 @@
#
# Copyright (C) 2012 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
import unittest
@@ -977,6 +966,33 @@ class FetcherNetworkTest(FetcherTest):
self.assertTrue(os.path.exists(os.path.join(repo_path, '.git/modules/third_party/googletest/config')), msg='Missing submodule config "third_party/googletest/config"')
self.assertTrue(os.path.exists(os.path.join(repo_path, '.git/modules/third_party/HdrHistogram_c/config')), msg='Missing submodule config "third_party/HdrHistogram_c/config"')
+ def test_git_submodule_iotedge(self):
+ """ Prevent regression on deeply nested submodules not being checked out properly, even though they were fetched. """
+
+ # This repository also has submodules where the module (name), path and url do not align
+ url = "gitsm://github.com/azure/iotedge.git;protocol=git;rev=d76e0316c6f324345d77c48a83ce836d09392699"
+ fetcher = bb.fetch.Fetch([url], self.d)
+ fetcher.download()
+ # Previous cwd has been deleted
+ os.chdir(os.path.dirname(self.unpackdir))
+ fetcher.unpack(self.unpackdir)
+
+ repo_path = os.path.join(self.tempdir, 'unpacked', 'git')
+
+ self.assertTrue(os.path.exists(os.path.join(repo_path, 'edgelet/hsm-sys/azure-iot-hsm-c/deps/c-shared/README.md')), msg='Missing submodule checkout')
+ self.assertTrue(os.path.exists(os.path.join(repo_path, 'edgelet/hsm-sys/azure-iot-hsm-c/deps/c-shared/testtools/ctest/README.md')), msg='Missing submodule checkout')
+ self.assertTrue(os.path.exists(os.path.join(repo_path, 'edgelet/hsm-sys/azure-iot-hsm-c/deps/c-shared/testtools/testrunner/readme.md')), msg='Missing submodule checkout')
+ self.assertTrue(os.path.exists(os.path.join(repo_path, 'edgelet/hsm-sys/azure-iot-hsm-c/deps/c-shared/testtools/umock-c/readme.md')), msg='Missing submodule checkout')
+ self.assertTrue(os.path.exists(os.path.join(repo_path, 'edgelet/hsm-sys/azure-iot-hsm-c/deps/c-shared/testtools/umock-c/deps/ctest/README.md')), msg='Missing submodule checkout')
+ self.assertTrue(os.path.exists(os.path.join(repo_path, 'edgelet/hsm-sys/azure-iot-hsm-c/deps/c-shared/testtools/umock-c/deps/testrunner/readme.md')), msg='Missing submodule checkout')
+ self.assertTrue(os.path.exists(os.path.join(repo_path, 'edgelet/hsm-sys/azure-iot-hsm-c/deps/utpm/README.md')), msg='Missing submodule checkout')
+ self.assertTrue(os.path.exists(os.path.join(repo_path, 'edgelet/hsm-sys/azure-iot-hsm-c/deps/utpm/deps/c-utility/README.md')), msg='Missing submodule checkout')
+ self.assertTrue(os.path.exists(os.path.join(repo_path, 'edgelet/hsm-sys/azure-iot-hsm-c/deps/utpm/deps/c-utility/testtools/ctest/README.md')), msg='Missing submodule checkout')
+ self.assertTrue(os.path.exists(os.path.join(repo_path, 'edgelet/hsm-sys/azure-iot-hsm-c/deps/utpm/deps/c-utility/testtools/testrunner/readme.md')), msg='Missing submodule checkout')
+ self.assertTrue(os.path.exists(os.path.join(repo_path, 'edgelet/hsm-sys/azure-iot-hsm-c/deps/utpm/deps/c-utility/testtools/umock-c/readme.md')), msg='Missing submodule checkout')
+ self.assertTrue(os.path.exists(os.path.join(repo_path, 'edgelet/hsm-sys/azure-iot-hsm-c/deps/utpm/deps/c-utility/testtools/umock-c/deps/ctest/README.md')), msg='Missing submodule checkout')
+ self.assertTrue(os.path.exists(os.path.join(repo_path, 'edgelet/hsm-sys/azure-iot-hsm-c/deps/utpm/deps/c-utility/testtools/umock-c/deps/testrunner/readme.md')), msg='Missing submodule checkout')
+
class TrustedNetworksTest(FetcherTest):
def test_trusted_network(self):
# Ensure trusted_network returns False when the host IS in the list.
@@ -1101,8 +1117,8 @@ class FetchLatestVersionTest(FetcherTest):
# packages with valid UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX
("cups", "http://www.cups.org/software/1.7.2/cups-1.7.2-source.tar.bz2", "https://github.com/apple/cups/releases", "(?P<name>cups\-)(?P<pver>((\d+[\.\-_]*)+))\-source\.tar\.gz")
: "2.0.0",
- ("db", "http://download.oracle.com/berkeley-db/db-5.3.21.tar.gz", "http://www.oracle.com/technetwork/products/berkeleydb/downloads/index-082944.html", "http://download.oracle.com/otn/berkeley-db/(?P<name>db-)(?P<pver>((\d+[\.\-_]*)+))\.tar\.gz")
- : "6.1.19",
+ ("db", "http://download.oracle.com/berkeley-db/db-5.3.21.tar.gz", "http://ftp.debian.org/debian/pool/main/d/db5.3/", "(?P<name>db5\.3_)(?P<pver>\d+(\.\d+)+).+\.orig\.tar\.xz")
+ : "5.3.10",
}
@skipIfNoNetwork()
diff --git a/bitbake/lib/bb/tests/parse.py b/bitbake/lib/bb/tests/parse.py
index 1bc47405d9..78c611fb12 100644
--- a/bitbake/lib/bb/tests/parse.py
+++ b/bitbake/lib/bb/tests/parse.py
@@ -5,18 +5,7 @@
#
# Copyright (C) 2015 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
import unittest
diff --git a/bitbake/lib/bb/tests/persist_data.py b/bitbake/lib/bb/tests/persist_data.py
index 812bcbd7b8..dbb3ce183d 100644
--- a/bitbake/lib/bb/tests/persist_data.py
+++ b/bitbake/lib/bb/tests/persist_data.py
@@ -5,18 +5,7 @@
#
# Copyright (C) 2018 Garmin Ltd.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
import unittest
diff --git a/bitbake/lib/bb/tests/utils.py b/bitbake/lib/bb/tests/utils.py
index f1cd83a419..1f01447bbb 100644
--- a/bitbake/lib/bb/tests/utils.py
+++ b/bitbake/lib/bb/tests/utils.py
@@ -5,18 +5,7 @@
#
# Copyright (C) 2012 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
import unittest
diff --git a/bitbake/lib/bb/tinfoil.py b/bitbake/lib/bb/tinfoil.py
index 368264f39a..0a1b913055 100644
--- a/bitbake/lib/bb/tinfoil.py
+++ b/bitbake/lib/bb/tinfoil.py
@@ -4,18 +4,8 @@
# Copyright (C) 2011 Mentor Graphics Corporation
# Copyright (C) 2006-2012 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import logging
import os
diff --git a/bitbake/lib/bb/ui/__init__.py b/bitbake/lib/bb/ui/__init__.py
index a4805ed028..4b7ac36ca6 100644
--- a/bitbake/lib/bb/ui/__init__.py
+++ b/bitbake/lib/bb/ui/__init__.py
@@ -3,15 +3,5 @@
#
# Copyright (C) 2006-2007 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
diff --git a/bitbake/lib/bb/ui/buildinfohelper.py b/bitbake/lib/bb/ui/buildinfohelper.py
index 31323d281f..f2151c2d47 100644
--- a/bitbake/lib/bb/ui/buildinfohelper.py
+++ b/bitbake/lib/bb/ui/buildinfohelper.py
@@ -3,18 +3,8 @@
#
# Copyright (C) 2013 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import sys
import bb
diff --git a/bitbake/lib/bb/ui/knotty.py b/bitbake/lib/bb/ui/knotty.py
index fa88e6ccdd..58e6b8e364 100644
--- a/bitbake/lib/bb/ui/knotty.py
+++ b/bitbake/lib/bb/ui/knotty.py
@@ -5,18 +5,8 @@
#
# Copyright (C) 2006-2012 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from __future__ import division
diff --git a/bitbake/lib/bb/ui/ncurses.py b/bitbake/lib/bb/ui/ncurses.py
index 8690c529cc..c422732b26 100644
--- a/bitbake/lib/bb/ui/ncurses.py
+++ b/bitbake/lib/bb/ui/ncurses.py
@@ -6,18 +6,8 @@
# Copyright (C) 2006 Michael 'Mickey' Lauer
# Copyright (C) 2006-2007 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
"""
We have the following windows:
diff --git a/bitbake/lib/bb/ui/taskexp.py b/bitbake/lib/bb/ui/taskexp.py
index 8305d70f41..50a943cd05 100644
--- a/bitbake/lib/bb/ui/taskexp.py
+++ b/bitbake/lib/bb/ui/taskexp.py
@@ -4,18 +4,8 @@
# Copyright (C) 2007 Ross Burton
# Copyright (C) 2007 - 2008 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import sys
import gi
diff --git a/bitbake/lib/bb/ui/toasterui.py b/bitbake/lib/bb/ui/toasterui.py
index 88cec37592..51892c9a09 100644
--- a/bitbake/lib/bb/ui/toasterui.py
+++ b/bitbake/lib/bb/ui/toasterui.py
@@ -7,18 +7,8 @@
# Copyright (C) 2006-2012 Richard Purdie
# Copyright (C) 2013 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from __future__ import division
import time
diff --git a/bitbake/lib/bb/ui/uievent.py b/bitbake/lib/bb/ui/uievent.py
index 9542b911ca..7276bdaf9d 100644
--- a/bitbake/lib/bb/ui/uievent.py
+++ b/bitbake/lib/bb/ui/uievent.py
@@ -4,19 +4,8 @@
# Copyright (C) 2006 - 2007 Michael 'Mickey' Lauer
# Copyright (C) 2006 - 2007 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
"""
Use this class to fork off a thread to recieve event callbacks from the bitbake
diff --git a/bitbake/lib/bb/ui/uihelper.py b/bitbake/lib/bb/ui/uihelper.py
index 963c1ea2df..45519c8afd 100644
--- a/bitbake/lib/bb/ui/uihelper.py
+++ b/bitbake/lib/bb/ui/uihelper.py
@@ -4,18 +4,8 @@
# Copyright (C) 2006 - 2007 Michael 'Mickey' Lauer
# Copyright (C) 2006 - 2007 Richard Purdie
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import bb.build
import time
diff --git a/bitbake/lib/bb/utils.py b/bitbake/lib/bb/utils.py
index a3f75fbe9d..7aaf9309bd 100644
--- a/bitbake/lib/bb/utils.py
+++ b/bitbake/lib/bb/utils.py
@@ -6,18 +6,8 @@ BitBake Utility Functions
# Copyright (C) 2004 Michael Lauer
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import re, fcntl, os, string, stat, shutil, time
import sys
@@ -792,7 +782,7 @@ def movefile(src, dest, newmtime = None, sstat = None):
os.rename(src, destpath)
renamefailed = 0
except Exception as e:
- if e[0] != errno.EXDEV:
+ if e.errno != errno.EXDEV:
# Some random error.
print("movefile: Failed to move", src, "to", dest, e)
return None
diff --git a/bitbake/lib/bblayers/__init__.py b/bitbake/lib/bblayers/__init__.py
index 3ad9513f40..4e7c09da04 100644
--- a/bitbake/lib/bblayers/__init__.py
+++ b/bitbake/lib/bblayers/__init__.py
@@ -1,2 +1,6 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
from pkgutil import extend_path
__path__ = extend_path(__path__, __name__)
diff --git a/bitbake/lib/bblayers/action.py b/bitbake/lib/bblayers/action.py
index a3f658f931..d6459d6617 100644
--- a/bitbake/lib/bblayers/action.py
+++ b/bitbake/lib/bblayers/action.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
import fnmatch
import logging
import os
diff --git a/bitbake/lib/bblayers/common.py b/bitbake/lib/bblayers/common.py
index 98515ced4f..c5657d3819 100644
--- a/bitbake/lib/bblayers/common.py
+++ b/bitbake/lib/bblayers/common.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
import argparse
import logging
import os
diff --git a/bitbake/lib/bblayers/layerindex.py b/bitbake/lib/bblayers/layerindex.py
index b2ff2268ea..57cd9027f6 100644
--- a/bitbake/lib/bblayers/layerindex.py
+++ b/bitbake/lib/bblayers/layerindex.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
import layerindexlib
import argparse
diff --git a/bitbake/lib/bblayers/query.py b/bitbake/lib/bblayers/query.py
index 9294dfa884..993589de94 100644
--- a/bitbake/lib/bblayers/query.py
+++ b/bitbake/lib/bblayers/query.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
import collections
import fnmatch
import logging
diff --git a/bitbake/lib/hashserv/__init__.py b/bitbake/lib/hashserv/__init__.py
index 46bca7cab3..fdc9ced9f2 100644
--- a/bitbake/lib/hashserv/__init__.py
+++ b/bitbake/lib/hashserv/__init__.py
@@ -1,17 +1,7 @@
# Copyright (C) 2018 Garmin Ltd.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from http.server import BaseHTTPRequestHandler, HTTPServer
import contextlib
diff --git a/bitbake/lib/hashserv/tests.py b/bitbake/lib/hashserv/tests.py
index 806b54c5eb..8300a25599 100644
--- a/bitbake/lib/hashserv/tests.py
+++ b/bitbake/lib/hashserv/tests.py
@@ -2,18 +2,8 @@
#
# Copyright (C) 2018 Garmin Ltd.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import unittest
import threading
diff --git a/bitbake/lib/layerindexlib/__init__.py b/bitbake/lib/layerindexlib/__init__.py
index cb79cb37d7..d231cf6a99 100644
--- a/bitbake/lib/layerindexlib/__init__.py
+++ b/bitbake/lib/layerindexlib/__init__.py
@@ -1,17 +1,7 @@
# Copyright (C) 2016-2018 Wind River Systems, Inc.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-# See the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
import datetime
diff --git a/bitbake/lib/layerindexlib/cooker.py b/bitbake/lib/layerindexlib/cooker.py
index 848f0e2ee2..604a9611dd 100644
--- a/bitbake/lib/layerindexlib/cooker.py
+++ b/bitbake/lib/layerindexlib/cooker.py
@@ -1,17 +1,7 @@
# Copyright (C) 2016-2018 Wind River Systems, Inc.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-# See the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
import logging
import json
diff --git a/bitbake/lib/layerindexlib/plugin.py b/bitbake/lib/layerindexlib/plugin.py
index 92a2e978ba..7015a1af26 100644
--- a/bitbake/lib/layerindexlib/plugin.py
+++ b/bitbake/lib/layerindexlib/plugin.py
@@ -1,18 +1,7 @@
# Copyright (C) 2016-2018 Wind River Systems, Inc.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-# See the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-
# The file contains:
# LayerIndex exceptions
# Plugin base class
diff --git a/bitbake/lib/layerindexlib/restapi.py b/bitbake/lib/layerindexlib/restapi.py
index d08eb20555..21fd144143 100644
--- a/bitbake/lib/layerindexlib/restapi.py
+++ b/bitbake/lib/layerindexlib/restapi.py
@@ -1,17 +1,7 @@
# Copyright (C) 2016-2018 Wind River Systems, Inc.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-# See the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
import logging
import json
diff --git a/bitbake/lib/layerindexlib/tests/common.py b/bitbake/lib/layerindexlib/tests/common.py
index 22a54585c8..077382f11d 100644
--- a/bitbake/lib/layerindexlib/tests/common.py
+++ b/bitbake/lib/layerindexlib/tests/common.py
@@ -1,17 +1,7 @@
# Copyright (C) 2017-2018 Wind River Systems, Inc.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-# See the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
import unittest
import tempfile
diff --git a/bitbake/lib/layerindexlib/tests/cooker.py b/bitbake/lib/layerindexlib/tests/cooker.py
index fdbf091103..1fa102e602 100644
--- a/bitbake/lib/layerindexlib/tests/cooker.py
+++ b/bitbake/lib/layerindexlib/tests/cooker.py
@@ -1,17 +1,7 @@
# Copyright (C) 2018 Wind River Systems, Inc.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-# See the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
import unittest
import tempfile
diff --git a/bitbake/lib/layerindexlib/tests/layerindexobj.py b/bitbake/lib/layerindexlib/tests/layerindexobj.py
index e2fbb950b0..0c5ec8881b 100644
--- a/bitbake/lib/layerindexlib/tests/layerindexobj.py
+++ b/bitbake/lib/layerindexlib/tests/layerindexobj.py
@@ -1,17 +1,7 @@
# Copyright (C) 2017-2018 Wind River Systems, Inc.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-# See the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
import unittest
import tempfile
diff --git a/bitbake/lib/layerindexlib/tests/restapi.py b/bitbake/lib/layerindexlib/tests/restapi.py
index 58766950ce..6d8dc0058e 100644
--- a/bitbake/lib/layerindexlib/tests/restapi.py
+++ b/bitbake/lib/layerindexlib/tests/restapi.py
@@ -1,17 +1,7 @@
# Copyright (C) 2017-2018 Wind River Systems, Inc.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-# See the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
import unittest
import tempfile
diff --git a/bitbake/lib/progressbar/__init__.py b/bitbake/lib/progressbar/__init__.py
index fbab744ee2..c545a62754 100644
--- a/bitbake/lib/progressbar/__init__.py
+++ b/bitbake/lib/progressbar/__init__.py
@@ -4,6 +4,8 @@
# progressbar - Text progress bar library for Python.
# Copyright (c) 2005 Nilton Volpato
#
+# SPDX-License-Identifier: LGPL-2.1-or-later OR BSD-3-Clause-Clear
+#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
diff --git a/bitbake/lib/progressbar/compat.py b/bitbake/lib/progressbar/compat.py
index a39f4a1f4e..9804e0b512 100644
--- a/bitbake/lib/progressbar/compat.py
+++ b/bitbake/lib/progressbar/compat.py
@@ -3,6 +3,8 @@
# progressbar - Text progress bar library for Python.
# Copyright (c) 2005 Nilton Volpato
#
+# SPDX-License-Identifier: LGPL-2.1-or-later OR BSD-3-Clause-Clear
+#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
diff --git a/bitbake/lib/progressbar/progressbar.py b/bitbake/lib/progressbar/progressbar.py
index 2873ad6cae..e2b6ba1083 100644
--- a/bitbake/lib/progressbar/progressbar.py
+++ b/bitbake/lib/progressbar/progressbar.py
@@ -5,6 +5,8 @@
#
# (With some small changes after importing into BitBake)
#
+# SPDX-License-Identifier: LGPL-2.1-or-later OR BSD-3-Clause-Clear
+#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
diff --git a/bitbake/lib/progressbar/widgets.py b/bitbake/lib/progressbar/widgets.py
index 77285ca7a3..0772aa536d 100644
--- a/bitbake/lib/progressbar/widgets.py
+++ b/bitbake/lib/progressbar/widgets.py
@@ -3,6 +3,8 @@
# progressbar - Text progress bar library for Python.
# Copyright (c) 2005 Nilton Volpato
#
+# SPDX-License-Identifier: LGPL-2.1-or-later OR BSD-3-Clause-Clear
+#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
diff --git a/bitbake/lib/prserv/__init__.py b/bitbake/lib/prserv/__init__.py
index c3cb73ad92..9961040b58 100644
--- a/bitbake/lib/prserv/__init__.py
+++ b/bitbake/lib/prserv/__init__.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
__version__ = "1.0.0"
import os, time
diff --git a/bitbake/lib/prserv/db.py b/bitbake/lib/prserv/db.py
index 495d09f39b..d6188a679b 100644
--- a/bitbake/lib/prserv/db.py
+++ b/bitbake/lib/prserv/db.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
import logging
import os.path
import errno
diff --git a/bitbake/lib/prserv/serv.py b/bitbake/lib/prserv/serv.py
index 6a99728c4f..be3acec36a 100644
--- a/bitbake/lib/prserv/serv.py
+++ b/bitbake/lib/prserv/serv.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
import os,sys,logging
import signal, time
from xmlrpc.server import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler
diff --git a/bitbake/lib/pyinotify.py b/bitbake/lib/pyinotify.py
index 4eb03b092d..9dcfd0d2ee 100644
--- a/bitbake/lib/pyinotify.py
+++ b/bitbake/lib/pyinotify.py
@@ -3,23 +3,8 @@
# pyinotify.py - python interface to inotify
# Copyright (c) 2005-2015 Sebastien Martini <seb@dbzteam.org>
#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
+# SPDX-License-Identifier: MIT
#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
"""
pyinotify
diff --git a/bitbake/lib/toaster/bldcollector/admin.py b/bitbake/lib/toaster/bldcollector/admin.py
index 1f2e07f50b..feaa888c73 100644
--- a/bitbake/lib/toaster/bldcollector/admin.py
+++ b/bitbake/lib/toaster/bldcollector/admin.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
from django.contrib import admin
from orm.models import BitbakeVersion, Release, ToasterSetting, Layer_Version
from django import forms
diff --git a/bitbake/lib/toaster/bldcollector/urls.py b/bitbake/lib/toaster/bldcollector/urls.py
index 888175d0ab..8eb1e34a53 100644
--- a/bitbake/lib/toaster/bldcollector/urls.py
+++ b/bitbake/lib/toaster/bldcollector/urls.py
@@ -3,19 +3,8 @@
#
# Copyright (C) 2014-2017 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
from django.conf.urls import include, url
diff --git a/bitbake/lib/toaster/bldcollector/views.py b/bitbake/lib/toaster/bldcollector/views.py
index f32fa4d225..c708b415e1 100644
--- a/bitbake/lib/toaster/bldcollector/views.py
+++ b/bitbake/lib/toaster/bldcollector/views.py
@@ -3,18 +3,8 @@
#
# Copyright (C) 2014 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from django.views.decorators.cache import cache_control
from django.core.urlresolvers import reverse
diff --git a/bitbake/lib/toaster/bldcontrol/admin.py b/bitbake/lib/toaster/bldcontrol/admin.py
index fcbe5f5935..e85c30ed11 100644
--- a/bitbake/lib/toaster/bldcontrol/admin.py
+++ b/bitbake/lib/toaster/bldcontrol/admin.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
from django.contrib import admin
from django.contrib.admin.filters import RelatedFieldListFilter
from .models import BuildEnvironment
diff --git a/bitbake/lib/toaster/bldcontrol/bbcontroller.py b/bitbake/lib/toaster/bldcontrol/bbcontroller.py
index 5195600d90..9b92207937 100644
--- a/bitbake/lib/toaster/bldcontrol/bbcontroller.py
+++ b/bitbake/lib/toaster/bldcontrol/bbcontroller.py
@@ -6,19 +6,8 @@
#
# Copyright (C) 2014 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
import os
import sys
diff --git a/bitbake/lib/toaster/bldcontrol/localhostbecontroller.py b/bitbake/lib/toaster/bldcontrol/localhostbecontroller.py
index 9490635934..41e5629ae0 100644
--- a/bitbake/lib/toaster/bldcontrol/localhostbecontroller.py
+++ b/bitbake/lib/toaster/bldcontrol/localhostbecontroller.py
@@ -6,19 +6,8 @@
#
# Copyright (C) 2014 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
import os
import sys
diff --git a/bitbake/lib/toaster/bldcontrol/management/commands/checksettings.py b/bitbake/lib/toaster/bldcontrol/management/commands/checksettings.py
index 14298d9daf..fe2c4dc2bb 100644
--- a/bitbake/lib/toaster/bldcontrol/management/commands/checksettings.py
+++ b/bitbake/lib/toaster/bldcontrol/management/commands/checksettings.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
from django.core.management.base import BaseCommand, CommandError
from django.db import transaction
diff --git a/bitbake/lib/toaster/bldcontrol/management/commands/runbuilds.py b/bitbake/lib/toaster/bldcontrol/management/commands/runbuilds.py
index 6a55dd46c8..50ec409860 100644
--- a/bitbake/lib/toaster/bldcontrol/management/commands/runbuilds.py
+++ b/bitbake/lib/toaster/bldcontrol/management/commands/runbuilds.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
from django.core.management.base import BaseCommand
from django.db import transaction
from django.db.models import Q
diff --git a/bitbake/lib/toaster/bldcontrol/models.py b/bitbake/lib/toaster/bldcontrol/models.py
index 409614b9e7..bcffcf5e20 100644
--- a/bitbake/lib/toaster/bldcontrol/models.py
+++ b/bitbake/lib/toaster/bldcontrol/models.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
from __future__ import unicode_literals
from django.db import models
from django.core.validators import MaxValueValidator, MinValueValidator
diff --git a/bitbake/lib/toaster/bldcontrol/views.py b/bitbake/lib/toaster/bldcontrol/views.py
index 60f00ef0ef..286d88b45a 100644
--- a/bitbake/lib/toaster/bldcontrol/views.py
+++ b/bitbake/lib/toaster/bldcontrol/views.py
@@ -1 +1,5 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
# Create your views here.
diff --git a/bitbake/lib/toaster/manage.py b/bitbake/lib/toaster/manage.py
index 0c7ea50882..ae32619d12 100755
--- a/bitbake/lib/toaster/manage.py
+++ b/bitbake/lib/toaster/manage.py
@@ -1,4 +1,8 @@
#!/usr/bin/env python3
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
import os
import sys
diff --git a/bitbake/lib/toaster/orm/management/commands/lsupdates.py b/bitbake/lib/toaster/orm/management/commands/lsupdates.py
index 66114ff89e..a6ab6e8046 100644
--- a/bitbake/lib/toaster/orm/management/commands/lsupdates.py
+++ b/bitbake/lib/toaster/orm/management/commands/lsupdates.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2016-2017 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from django.core.management.base import BaseCommand
diff --git a/bitbake/lib/toaster/orm/models.py b/bitbake/lib/toaster/orm/models.py
index 7720290214..7174e85582 100644
--- a/bitbake/lib/toaster/orm/models.py
+++ b/bitbake/lib/toaster/orm/models.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2013 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from __future__ import unicode_literals
diff --git a/bitbake/lib/toaster/tests/browser/selenium_helpers.py b/bitbake/lib/toaster/tests/browser/selenium_helpers.py
index 08711e4558..56621096b5 100644
--- a/bitbake/lib/toaster/tests/browser/selenium_helpers.py
+++ b/bitbake/lib/toaster/tests/browser/selenium_helpers.py
@@ -6,18 +6,7 @@
#
# Copyright (C) 2013-2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
# The Wait class and some of SeleniumDriverHelper and SeleniumTestCase are
# modified from Patchwork, released under the same licence terms as Toaster:
diff --git a/bitbake/lib/toaster/tests/browser/selenium_helpers_base.py b/bitbake/lib/toaster/tests/browser/selenium_helpers_base.py
index 156d639b1e..8c25740b64 100644
--- a/bitbake/lib/toaster/tests/browser/selenium_helpers_base.py
+++ b/bitbake/lib/toaster/tests/browser/selenium_helpers_base.py
@@ -6,18 +6,7 @@
#
# Copyright (C) 2013-2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-only
#
# The Wait class and some of SeleniumDriverHelper and SeleniumTestCase are
# modified from Patchwork, released under the same licence terms as Toaster:
diff --git a/bitbake/lib/toaster/tests/browser/test_all_builds_page.py b/bitbake/lib/toaster/tests/browser/test_all_builds_page.py
index b86f29bdd4..f895028686 100644
--- a/bitbake/lib/toaster/tests/browser/test_all_builds_page.py
+++ b/bitbake/lib/toaster/tests/browser/test_all_builds_page.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2013-2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import re
diff --git a/bitbake/lib/toaster/tests/browser/test_all_projects_page.py b/bitbake/lib/toaster/tests/browser/test_all_projects_page.py
index 44da640751..1c46258641 100644
--- a/bitbake/lib/toaster/tests/browser/test_all_projects_page.py
+++ b/bitbake/lib/toaster/tests/browser/test_all_projects_page.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2013-2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import re
diff --git a/bitbake/lib/toaster/tests/browser/test_builddashboard_page.py b/bitbake/lib/toaster/tests/browser/test_builddashboard_page.py
index f8ccb54528..350e5e0a95 100644
--- a/bitbake/lib/toaster/tests/browser/test_builddashboard_page.py
+++ b/bitbake/lib/toaster/tests/browser/test_builddashboard_page.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2013-2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from django.core.urlresolvers import reverse
from django.utils import timezone
diff --git a/bitbake/lib/toaster/tests/browser/test_builddashboard_page_artifacts.py b/bitbake/lib/toaster/tests/browser/test_builddashboard_page_artifacts.py
index 1c627ad498..a4f2f0c71a 100644
--- a/bitbake/lib/toaster/tests/browser/test_builddashboard_page_artifacts.py
+++ b/bitbake/lib/toaster/tests/browser/test_builddashboard_page_artifacts.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2013-2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from django.core.urlresolvers import reverse
from django.utils import timezone
diff --git a/bitbake/lib/toaster/tests/browser/test_builddashboard_page_recipes.py b/bitbake/lib/toaster/tests/browser/test_builddashboard_page_recipes.py
index ed18324e57..ebf1f99083 100644
--- a/bitbake/lib/toaster/tests/browser/test_builddashboard_page_recipes.py
+++ b/bitbake/lib/toaster/tests/browser/test_builddashboard_page_recipes.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2013-2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from django.core.urlresolvers import reverse
from django.utils import timezone
diff --git a/bitbake/lib/toaster/tests/browser/test_builddashboard_page_tasks.py b/bitbake/lib/toaster/tests/browser/test_builddashboard_page_tasks.py
index da50f16011..c136fe3bf9 100644
--- a/bitbake/lib/toaster/tests/browser/test_builddashboard_page_tasks.py
+++ b/bitbake/lib/toaster/tests/browser/test_builddashboard_page_tasks.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2013-2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from django.core.urlresolvers import reverse
from django.utils import timezone
diff --git a/bitbake/lib/toaster/tests/browser/test_js_unit_tests.py b/bitbake/lib/toaster/tests/browser/test_js_unit_tests.py
index 3c0b96252f..76c3495e8c 100644
--- a/bitbake/lib/toaster/tests/browser/test_js_unit_tests.py
+++ b/bitbake/lib/toaster/tests/browser/test_js_unit_tests.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2013-2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
"""
Run the js unit tests
diff --git a/bitbake/lib/toaster/tests/browser/test_landing_page.py b/bitbake/lib/toaster/tests/browser/test_landing_page.py
index 4d4cd660fb..85529b2921 100644
--- a/bitbake/lib/toaster/tests/browser/test_landing_page.py
+++ b/bitbake/lib/toaster/tests/browser/test_landing_page.py
@@ -4,20 +4,10 @@
#
# BitBake Toaster Implementation
#
-# Copyright (C) 2013-2016 Intel Corporation
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# Copyright (C) 2013-2016 Intel Corporation
#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from django.core.urlresolvers import reverse
from django.utils import timezone
diff --git a/bitbake/lib/toaster/tests/browser/test_layerdetails_page.py b/bitbake/lib/toaster/tests/browser/test_layerdetails_page.py
index f24fb093a5..0a9fd85091 100644
--- a/bitbake/lib/toaster/tests/browser/test_layerdetails_page.py
+++ b/bitbake/lib/toaster/tests/browser/test_layerdetails_page.py
@@ -4,20 +4,10 @@
#
# BitBake Toaster Implementation
#
-# Copyright (C) 2013-2016 Intel Corporation
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# Copyright (C) 2013-2016 Intel Corporation
#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from django.core.urlresolvers import reverse
from tests.browser.selenium_helpers import SeleniumTestCase
diff --git a/bitbake/lib/toaster/tests/browser/test_most_recent_builds_states.py b/bitbake/lib/toaster/tests/browser/test_most_recent_builds_states.py
index abc0b0bc88..e2601017b1 100644
--- a/bitbake/lib/toaster/tests/browser/test_most_recent_builds_states.py
+++ b/bitbake/lib/toaster/tests/browser/test_most_recent_builds_states.py
@@ -4,20 +4,10 @@
#
# BitBake Toaster Implementation
#
-# Copyright (C) 2013-2016 Intel Corporation
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# Copyright (C) 2013-2016 Intel Corporation
#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from django.core.urlresolvers import reverse
from django.utils import timezone
diff --git a/bitbake/lib/toaster/tests/browser/test_new_custom_image_page.py b/bitbake/lib/toaster/tests/browser/test_new_custom_image_page.py
index ab5a8e66be..f2f5e7104e 100644
--- a/bitbake/lib/toaster/tests/browser/test_new_custom_image_page.py
+++ b/bitbake/lib/toaster/tests/browser/test_new_custom_image_page.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2013-2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from django.core.urlresolvers import reverse
from tests.browser.selenium_helpers import SeleniumTestCase
diff --git a/bitbake/lib/toaster/tests/browser/test_new_project_page.py b/bitbake/lib/toaster/tests/browser/test_new_project_page.py
index 77e5f15267..d715d3a842 100644
--- a/bitbake/lib/toaster/tests/browser/test_new_project_page.py
+++ b/bitbake/lib/toaster/tests/browser/test_new_project_page.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2013-2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from django.core.urlresolvers import reverse
from tests.browser.selenium_helpers import SeleniumTestCase
diff --git a/bitbake/lib/toaster/tests/browser/test_project_builds_page.py b/bitbake/lib/toaster/tests/browser/test_project_builds_page.py
index 9fe91ab067..0a8a38b2c8 100644
--- a/bitbake/lib/toaster/tests/browser/test_project_builds_page.py
+++ b/bitbake/lib/toaster/tests/browser/test_project_builds_page.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2013-2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import re
diff --git a/bitbake/lib/toaster/tests/browser/test_project_config_page.py b/bitbake/lib/toaster/tests/browser/test_project_config_page.py
index 0710084995..5ae3a0a20c 100644
--- a/bitbake/lib/toaster/tests/browser/test_project_config_page.py
+++ b/bitbake/lib/toaster/tests/browser/test_project_config_page.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2013-2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import re
diff --git a/bitbake/lib/toaster/tests/browser/test_project_page.py b/bitbake/lib/toaster/tests/browser/test_project_page.py
index 0186463324..aa984237fb 100644
--- a/bitbake/lib/toaster/tests/browser/test_project_page.py
+++ b/bitbake/lib/toaster/tests/browser/test_project_page.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2013-2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from django.core.urlresolvers import reverse
from django.utils import timezone
diff --git a/bitbake/lib/toaster/tests/browser/test_sample.py b/bitbake/lib/toaster/tests/browser/test_sample.py
index 20ec53c28a..219f00cec4 100644
--- a/bitbake/lib/toaster/tests/browser/test_sample.py
+++ b/bitbake/lib/toaster/tests/browser/test_sample.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2013-2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
"""
A small example test demonstrating the basics of writing a test with
diff --git a/bitbake/lib/toaster/tests/browser/test_task_page.py b/bitbake/lib/toaster/tests/browser/test_task_page.py
index 690d116cba..993f081d93 100644
--- a/bitbake/lib/toaster/tests/browser/test_task_page.py
+++ b/bitbake/lib/toaster/tests/browser/test_task_page.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2013-2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from django.core.urlresolvers import reverse
from django.utils import timezone
diff --git a/bitbake/lib/toaster/tests/browser/test_toastertable_ui.py b/bitbake/lib/toaster/tests/browser/test_toastertable_ui.py
index 53ddf30c3c..f22239c482 100644
--- a/bitbake/lib/toaster/tests/browser/test_toastertable_ui.py
+++ b/bitbake/lib/toaster/tests/browser/test_toastertable_ui.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2013-2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from datetime import datetime
diff --git a/bitbake/lib/toaster/tests/builds/buildtest.py b/bitbake/lib/toaster/tests/builds/buildtest.py
index 5a56a110a7..fce7b62144 100644
--- a/bitbake/lib/toaster/tests/builds/buildtest.py
+++ b/bitbake/lib/toaster/tests/builds/buildtest.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import os
import sys
diff --git a/bitbake/lib/toaster/tests/builds/test_core_image_min.py b/bitbake/lib/toaster/tests/builds/test_core_image_min.py
index 586f4a8f7f..63f62c8e5a 100644
--- a/bitbake/lib/toaster/tests/builds/test_core_image_min.py
+++ b/bitbake/lib/toaster/tests/builds/test_core_image_min.py
@@ -6,19 +6,8 @@
#
# Copyright (C) 2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
# Tests were part of openembedded-core oe selftest Authored by: Lucian Musat
# Ionut Chisanovici, Paul Eggleton and Cristian Iorga
diff --git a/bitbake/lib/toaster/tests/commands/test_loaddata.py b/bitbake/lib/toaster/tests/commands/test_loaddata.py
index 951f6ff5aa..27a0eca8f3 100644
--- a/bitbake/lib/toaster/tests/commands/test_loaddata.py
+++ b/bitbake/lib/toaster/tests/commands/test_loaddata.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from django.test import TestCase
from django.core import management
diff --git a/bitbake/lib/toaster/tests/commands/test_lsupdates.py b/bitbake/lib/toaster/tests/commands/test_lsupdates.py
index 49897a476c..854bb7ebab 100644
--- a/bitbake/lib/toaster/tests/commands/test_lsupdates.py
+++ b/bitbake/lib/toaster/tests/commands/test_lsupdates.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from django.test import TestCase
from django.core import management
diff --git a/bitbake/lib/toaster/tests/commands/test_runbuilds.py b/bitbake/lib/toaster/tests/commands/test_runbuilds.py
index 3e634835ee..3180e96dba 100644
--- a/bitbake/lib/toaster/tests/commands/test_runbuilds.py
+++ b/bitbake/lib/toaster/tests/commands/test_runbuilds.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import os
diff --git a/bitbake/lib/toaster/tests/db/test_db.py b/bitbake/lib/toaster/tests/db/test_db.py
index a0f5f6ec03..0410422276 100644
--- a/bitbake/lib/toaster/tests/db/test_db.py
+++ b/bitbake/lib/toaster/tests/db/test_db.py
@@ -2,6 +2,8 @@
#
# Copyright (c) 2016 Damien Lespiau
#
+# SPDX-License-Identifier: MIT
+#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
diff --git a/bitbake/lib/toaster/tests/eventreplay/__init__.py b/bitbake/lib/toaster/tests/eventreplay/__init__.py
index 695661947a..941531461c 100644
--- a/bitbake/lib/toaster/tests/eventreplay/__init__.py
+++ b/bitbake/lib/toaster/tests/eventreplay/__init__.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# Tests were part of openembedded-core oe selftest Authored by: Lucian Musat
# Ionut Chisanovici, Paul Eggleton and Cristian Iorga
diff --git a/bitbake/lib/toaster/tests/functional/functional_helpers.py b/bitbake/lib/toaster/tests/functional/functional_helpers.py
index 486078a615..9de6fbcf04 100644
--- a/bitbake/lib/toaster/tests/functional/functional_helpers.py
+++ b/bitbake/lib/toaster/tests/functional/functional_helpers.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2017 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import os
import logging
diff --git a/bitbake/lib/toaster/tests/functional/test_functional_basic.py b/bitbake/lib/toaster/tests/functional/test_functional_basic.py
index cfa2b0fdf0..e58045d3e2 100644
--- a/bitbake/lib/toaster/tests/functional/test_functional_basic.py
+++ b/bitbake/lib/toaster/tests/functional/test_functional_basic.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2017 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import time
import re
diff --git a/bitbake/lib/toaster/tests/views/test_views.py b/bitbake/lib/toaster/tests/views/test_views.py
index 1463077e91..f4273367cd 100644
--- a/bitbake/lib/toaster/tests/views/test_views.py
+++ b/bitbake/lib/toaster/tests/views/test_views.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2013-2015 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
"""Test cases for Toaster GUI and ReST."""
diff --git a/bitbake/lib/toaster/toastergui/api.py b/bitbake/lib/toaster/toastergui/api.py
index 564d595a1c..8b49b3ee3f 100644
--- a/bitbake/lib/toaster/toastergui/api.py
+++ b/bitbake/lib/toaster/toastergui/api.py
@@ -3,19 +3,8 @@
#
# Copyright (C) 2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
# Please run flake8 on this file before sending patches
import os
diff --git a/bitbake/lib/toaster/toastergui/buildtables.py b/bitbake/lib/toaster/toastergui/buildtables.py
index 755a7c2e43..4332107fc8 100644
--- a/bitbake/lib/toaster/toastergui/buildtables.py
+++ b/bitbake/lib/toaster/toastergui/buildtables.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from orm.models import Build, Task, Target, Package
from django.db.models import Q, Sum
diff --git a/bitbake/lib/toaster/toastergui/tablefilter.py b/bitbake/lib/toaster/toastergui/tablefilter.py
index 65454e140d..04220cf24d 100644
--- a/bitbake/lib/toaster/toastergui/tablefilter.py
+++ b/bitbake/lib/toaster/toastergui/tablefilter.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2015 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from django.db.models import Q, Max, Min
from django.utils import dateparse, timezone
diff --git a/bitbake/lib/toaster/toastergui/tables.py b/bitbake/lib/toaster/toastergui/tables.py
index 9ff756bc8d..a3de22a359 100644
--- a/bitbake/lib/toaster/toastergui/tables.py
+++ b/bitbake/lib/toaster/toastergui/tables.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2015 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from toastergui.widgets import ToasterTable
from orm.models import Recipe, ProjectLayer, Layer_Version, Machine, Project
diff --git a/bitbake/lib/toaster/toastergui/templatetags/field_values_filter.py b/bitbake/lib/toaster/toastergui/templatetags/field_values_filter.py
index 5a73af797c..eb483396c2 100644
--- a/bitbake/lib/toaster/toastergui/templatetags/field_values_filter.py
+++ b/bitbake/lib/toaster/toastergui/templatetags/field_values_filter.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
from django import template
register = template.Library()
diff --git a/bitbake/lib/toaster/toastergui/templatetags/objects_to_dictionaries_filter.py b/bitbake/lib/toaster/toastergui/templatetags/objects_to_dictionaries_filter.py
index 0dcc7d2714..048d533871 100644
--- a/bitbake/lib/toaster/toastergui/templatetags/objects_to_dictionaries_filter.py
+++ b/bitbake/lib/toaster/toastergui/templatetags/objects_to_dictionaries_filter.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
from django import template
import json
diff --git a/bitbake/lib/toaster/toastergui/templatetags/project_url_tag.py b/bitbake/lib/toaster/toastergui/templatetags/project_url_tag.py
index 04770ac6a8..71e0925787 100644
--- a/bitbake/lib/toaster/toastergui/templatetags/project_url_tag.py
+++ b/bitbake/lib/toaster/toastergui/templatetags/project_url_tag.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
from django import template
from django.core.urlresolvers import reverse
diff --git a/bitbake/lib/toaster/toastergui/templatetags/projecttags.py b/bitbake/lib/toaster/toastergui/templatetags/projecttags.py
index b170a16165..d2ee11d2f6 100644
--- a/bitbake/lib/toaster/toastergui/templatetags/projecttags.py
+++ b/bitbake/lib/toaster/toastergui/templatetags/projecttags.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2013 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from datetime import datetime, timedelta
from os.path import relpath
diff --git a/bitbake/lib/toaster/toastergui/typeaheads.py b/bitbake/lib/toaster/toastergui/typeaheads.py
index 5aa0f8d889..fd750ffb74 100644
--- a/bitbake/lib/toaster/toastergui/typeaheads.py
+++ b/bitbake/lib/toaster/toastergui/typeaheads.py
@@ -3,18 +3,8 @@
#
# Copyright (C) 2015 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import subprocess
diff --git a/bitbake/lib/toaster/toastergui/urls.py b/bitbake/lib/toaster/toastergui/urls.py
index dc03e30356..673d9ae967 100644
--- a/bitbake/lib/toaster/toastergui/urls.py
+++ b/bitbake/lib/toaster/toastergui/urls.py
@@ -3,18 +3,8 @@
#
# Copyright (C) 2013-2017 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from django.conf.urls import include, url
from django.views.generic import RedirectView, TemplateView
diff --git a/bitbake/lib/toaster/toastergui/views.py b/bitbake/lib/toaster/toastergui/views.py
index c712b06a6e..5ef4f40da7 100644
--- a/bitbake/lib/toaster/toastergui/views.py
+++ b/bitbake/lib/toaster/toastergui/views.py
@@ -6,19 +6,8 @@
#
# Copyright (C) 2013 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
import re
diff --git a/bitbake/lib/toaster/toastergui/widgets.py b/bitbake/lib/toaster/toastergui/widgets.py
index db5c3aa00b..fb03337498 100644
--- a/bitbake/lib/toaster/toastergui/widgets.py
+++ b/bitbake/lib/toaster/toastergui/widgets.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2015 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from django.views.generic import View, TemplateView
from django.views.decorators.cache import cache_control
diff --git a/bitbake/lib/toaster/toastermain/management/commands/builddelete.py b/bitbake/lib/toaster/toastermain/management/commands/builddelete.py
index bf69a8fb80..c2d773a577 100644
--- a/bitbake/lib/toaster/toastermain/management/commands/builddelete.py
+++ b/bitbake/lib/toaster/toastermain/management/commands/builddelete.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
from django.core.management.base import BaseCommand, CommandError
from django.core.exceptions import ObjectDoesNotExist
from orm.models import Build
diff --git a/bitbake/lib/toaster/toastermain/management/commands/buildimport.py b/bitbake/lib/toaster/toastermain/management/commands/buildimport.py
index 2d57ab557a..a6340575a9 100644
--- a/bitbake/lib/toaster/toastermain/management/commands/buildimport.py
+++ b/bitbake/lib/toaster/toastermain/management/commands/buildimport.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2018 Wind River Systems
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# buildimport: import a project for project specific configuration
#
diff --git a/bitbake/lib/toaster/toastermain/management/commands/buildslist.py b/bitbake/lib/toaster/toastermain/management/commands/buildslist.py
index 70b5812d98..1ed20224d3 100644
--- a/bitbake/lib/toaster/toastermain/management/commands/buildslist.py
+++ b/bitbake/lib/toaster/toastermain/management/commands/buildslist.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
from django.core.management.base import BaseCommand, CommandError
from orm.models import Build
import os
diff --git a/bitbake/lib/toaster/toastermain/management/commands/checksocket.py b/bitbake/lib/toaster/toastermain/management/commands/checksocket.py
index 0399b8659b..822373011c 100644
--- a/bitbake/lib/toaster/toastermain/management/commands/checksocket.py
+++ b/bitbake/lib/toaster/toastermain/management/commands/checksocket.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2015 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
"""Custom management command checksocket."""
diff --git a/bitbake/lib/toaster/toastermain/management/commands/perf.py b/bitbake/lib/toaster/toastermain/management/commands/perf.py
index 6b450bbdfc..7d629fb37f 100644
--- a/bitbake/lib/toaster/toastermain/management/commands/perf.py
+++ b/bitbake/lib/toaster/toastermain/management/commands/perf.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
from django.core.management.base import BaseCommand
from django.test.client import Client
import os, sys, re
diff --git a/bitbake/lib/toaster/toastermain/settings.py b/bitbake/lib/toaster/toastermain/settings.py
index 13541d380f..457ed0da10 100644
--- a/bitbake/lib/toaster/toastermain/settings.py
+++ b/bitbake/lib/toaster/toastermain/settings.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2013 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# Django settings for Toaster project.
diff --git a/bitbake/lib/toaster/toastermain/settings_production_example.py b/bitbake/lib/toaster/toastermain/settings_production_example.py
index 61a288864a..d06841fcce 100644
--- a/bitbake/lib/toaster/toastermain/settings_production_example.py
+++ b/bitbake/lib/toaster/toastermain/settings_production_example.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# See Django documentation for more information about deployment
# https://docs.djangoproject.com/en/1.8/howto/deployment/checklist/
diff --git a/bitbake/lib/toaster/toastermain/settings_test.py b/bitbake/lib/toaster/toastermain/settings_test.py
index a322711579..599cc186a6 100644
--- a/bitbake/lib/toaster/toastermain/settings_test.py
+++ b/bitbake/lib/toaster/toastermain/settings_test.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2016 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# Django settings for Toaster project.
diff --git a/bitbake/lib/toaster/toastermain/urls.py b/bitbake/lib/toaster/toastermain/urls.py
index e2fb0aebfd..d3a95923f5 100644
--- a/bitbake/lib/toaster/toastermain/urls.py
+++ b/bitbake/lib/toaster/toastermain/urls.py
@@ -6,18 +6,8 @@
#
# Copyright (C) 2013 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from django.conf.urls import include, url
from django.views.generic import RedirectView, TemplateView
diff --git a/bitbake/lib/toaster/toastermain/wsgi.py b/bitbake/lib/toaster/toastermain/wsgi.py
index 031b314b1a..5ad22aea18 100644
--- a/bitbake/lib/toaster/toastermain/wsgi.py
+++ b/bitbake/lib/toaster/toastermain/wsgi.py
@@ -1,3 +1,7 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
"""
# ex:ts=4:sw=4:sts=4:et
# -*- tab-width: 4; c-basic-offset: 4; indent-tabs-mode: nil -*-
diff --git a/documentation/bsp-guide/bsp-guide.xml b/documentation/bsp-guide/bsp-guide.xml
index f559e0809c..e060a55b9e 100644
--- a/documentation/bsp-guide/bsp-guide.xml
+++ b/documentation/bsp-guide/bsp-guide.xml
@@ -128,9 +128,19 @@
</revision>
<revision>
<revnumber>2.7</revnumber>
- <date>&REL_MONTH_YEAR;</date>
+ <date>May 2019</date>
<revremark>Released with the Yocto Project 2.7 Release.</revremark>
</revision>
+ <revision>
+ <revnumber>2.7.1</revnumber>
+ <date>July 2019</date>
+ <revremark>Released with the Yocto Project 2.7.1 Release.</revremark>
+ </revision>
+ <revision>
+ <revnumber>2.7.2</revnumber>
+ <date>&REL_MONTH_YEAR;</date>
+ <revremark>Released with the Yocto Project 2.7.2 Release.</revremark>
+ </revision>
</revhistory>
<copyright>
diff --git a/documentation/dev-manual/dev-manual-common-tasks.xml b/documentation/dev-manual/dev-manual-common-tasks.xml
index 8bc7fd8b2b..c64914a304 100644
--- a/documentation/dev-manual/dev-manual-common-tasks.xml
+++ b/documentation/dev-manual/dev-manual-common-tasks.xml
@@ -2348,7 +2348,7 @@
Most software provides some means of setting build-time
configuration options before compilation.
Typically, setting these options is accomplished by running a
- configure script with some options, or by modifying a build
+ configure script with options, or by modifying a build
configuration file.
<note>
As of Yocto Project Release 1.7, some of the core recipes
@@ -2388,6 +2388,7 @@
software is built using Autotools.
If this is the case, you just need to worry about
modifying the configuration.</para>
+
<para>When using Autotools, your recipe needs to inherit
the
<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-autotools'><filename>autotools</filename></ulink>
@@ -2400,13 +2401,15 @@
or
<ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGECONFIG_CONFARGS'><filename>PACKAGECONFIG_CONFARGS</filename></ulink>
to pass any needed configure options that are specific
- to the recipe.</para></listitem>
+ to the recipe.
+ </para></listitem>
<listitem><para><emphasis>CMake:</emphasis>
If your source files have a
<filename>CMakeLists.txt</filename> file, then your
software is built using CMake.
If this is the case, you just need to worry about
modifying the configuration.</para>
+
<para>When you use CMake, your recipe needs to inherit
the
<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-cmake'><filename>cmake</filename></ulink>
@@ -2416,7 +2419,16 @@
You can make some adjustments by setting
<ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_OECMAKE'><filename>EXTRA_OECMAKE</filename></ulink>
to pass any needed configure options that are specific
- to the recipe.</para></listitem>
+ to the recipe.
+ <note>
+ If you need to install one or more custom CMake
+ toolchain files that are supplied by the
+ application you are building, install the files to
+ <filename>${D}${datadir}/cmake/</filename> Modules
+ during
+ <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-install'><filename>do_install</filename></ulink>.
+ </note>
+ </para></listitem>
<listitem><para><emphasis>Other:</emphasis>
If your source files do not have a
<filename>configure.ac</filename> or
@@ -2779,6 +2791,14 @@
<ulink url='&YOCTO_DOCS_REF_URL;#var-PARALLEL_MAKEINST'><filename>PARALLEL_MAKEINST</filename></ulink>
for additional information.
</para></listitem>
+ <listitem><para>
+ If you need to install one or more custom CMake
+ toolchain files that are supplied by the
+ application you are building, install the files to
+ <filename>${D}${datadir}/cmake/</filename> Modules
+ during
+ <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-install'><filename>do_install</filename></ulink>.
+ </para></listitem>
</itemizedlist>
</note>
</section>
@@ -10810,6 +10830,47 @@
</para>
<para>
+ By default, the Yocto Project uses SysVinit as the initialization
+ manager.
+ However, support also exists for systemd,
+ which is a full replacement for init with
+ parallel starting of services, reduced shell overhead and other
+ features that are used by many distributions.
+ </para>
+
+ <para>
+ Within the system, SysVinit treats system components as services.
+ These services are maintained as shell scripts stored in the
+ <filename>/etc/init.d/</filename> directory.
+ Services organize into different run levels.
+ This organization is maintained by putting links to the services
+ in the <filename>/etc/rcN.d/</filename> directories, where
+ <replaceable>N/</replaceable> is one of the following options:
+ "S", "0", "1", "2", "3", "4", "5", or "6".
+ <note>
+ Each runlevel has a dependency on the previous runlevel.
+ This dependency allows the services to work properly.
+ </note>
+ </para>
+
+ <para>
+ In comparison, systemd treats components as units.
+ Using units is a broader concept as compared to using a service.
+ A unit includes several different types of entities.
+ Service is one of the types of entities.
+ The runlevel concept in SysVinit corresponds to the concept of a
+ target in systemd, where target is also a type of supported unit.
+ </para>
+
+ <para>
+ In a SysVinit-based system, services load sequentially (i.e. one
+ by one) during and parallelization is not supported.
+ With systemd, services start in parallel.
+ Needless to say, the method can have an impact on system startup
+ performance.
+ </para>
+
+ <para>
If you want to use SysVinit, you do
not have to do anything.
But, if you want to use systemd, you must
diff --git a/documentation/dev-manual/dev-manual.xml b/documentation/dev-manual/dev-manual.xml
index 5dda016d78..3033d7a916 100644
--- a/documentation/dev-manual/dev-manual.xml
+++ b/documentation/dev-manual/dev-manual.xml
@@ -113,9 +113,19 @@
</revision>
<revision>
<revnumber>2.7</revnumber>
- <date>&REL_MONTH_YEAR;</date>
+ <date>May 2019</date>
<revremark>Released with the Yocto Project 2.7 Release.</revremark>
</revision>
+ <revision>
+ <revnumber>2.7.1</revnumber>
+ <date>July 2019</date>
+ <revremark>Released with the Yocto Project 2.7.1 Release.</revremark>
+ </revision>
+ <revision>
+ <revnumber>2.7.2</revnumber>
+ <date>&REL_MONTH_YEAR;</date>
+ <revremark>Released with the Yocto Project 2.7.2 Release.</revremark>
+ </revision>
</revhistory>
<copyright>
diff --git a/documentation/kernel-dev/kernel-dev-common.xml b/documentation/kernel-dev/kernel-dev-common.xml
index 7d8826fa35..2ea5d3f38e 100644
--- a/documentation/kernel-dev/kernel-dev-common.xml
+++ b/documentation/kernel-dev/kernel-dev-common.xml
@@ -549,9 +549,9 @@
<literallayout class='monospaced'>
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
- SRC_URI_append += "file://<replaceable>patch-file-one</replaceable>"
- SRC_URI_append += "file://<replaceable>patch-file-two</replaceable>"
- SRC_URI_append += "file://<replaceable>patch-file-three</replaceable>"
+ SRC_URI_append = " file://<replaceable>patch-file-one</replaceable>"
+ SRC_URI_append = " file://<replaceable>patch-file-two</replaceable>"
+ SRC_URI_append = " file://<replaceable>patch-file-three</replaceable>"
</literallayout>
The
<ulink url='&YOCTO_DOCS_REF_URL;#var-FILESEXTRAPATHS'><filename>FILESEXTRAPATHS</filename></ulink>
diff --git a/documentation/kernel-dev/kernel-dev.xml b/documentation/kernel-dev/kernel-dev.xml
index 33553df060..90c12e978f 100644
--- a/documentation/kernel-dev/kernel-dev.xml
+++ b/documentation/kernel-dev/kernel-dev.xml
@@ -98,9 +98,19 @@
</revision>
<revision>
<revnumber>2.7</revnumber>
- <date>&REL_MONTH_YEAR;</date>
+ <date>May 2019</date>
<revremark>Released with the Yocto Project 2.7 Release.</revremark>
</revision>
+ <revision>
+ <revnumber>2.7.1</revnumber>
+ <date>July 2019</date>
+ <revremark>Released with the Yocto Project 2.7.1 Release.</revremark>
+ </revision>
+ <revision>
+ <revnumber>2.7.2</revnumber>
+ <date>&REL_MONTH_YEAR;</date>
+ <revremark>Released with the Yocto Project 2.7.2 Release.</revremark>
+ </revision>
</revhistory>
<copyright>
diff --git a/documentation/mega-manual/mega-manual.xml b/documentation/mega-manual/mega-manual.xml
index 37d26492d9..620eae8d5a 100644
--- a/documentation/mega-manual/mega-manual.xml
+++ b/documentation/mega-manual/mega-manual.xml
@@ -84,9 +84,19 @@
</revision>
<revision>
<revnumber>2.7</revnumber>
- <date>&REL_MONTH_YEAR;</date>
+ <date>May 2019</date>
<revremark>Released with the Yocto Project 2.7 Release.</revremark>
</revision>
+ <revision>
+ <revnumber>2.7.1</revnumber>
+ <date>July 2019</date>
+ <revremark>Released with the Yocto Project 2.7.1 Release.</revremark>
+ </revision>
+ <revision>
+ <revnumber>2.7.2</revnumber>
+ <date>&REL_MONTH_YEAR;</date>
+ <revremark>Released with the Yocto Project 2.7.2 Release.</revremark>
+ </revision>
</revhistory>
<copyright>
diff --git a/documentation/overview-manual/overview-manual.xml b/documentation/overview-manual/overview-manual.xml
index b23c39497c..a2cbd1535a 100644
--- a/documentation/overview-manual/overview-manual.xml
+++ b/documentation/overview-manual/overview-manual.xml
@@ -38,9 +38,24 @@
</revision>
<revision>
<revnumber>2.6</revnumber>
- <date>&REL_MONTH_YEAR;</date>
+ <date>November 2018</date>
<revremark>Released with the Yocto Project 2.6 Release.</revremark>
</revision>
+ <revision>
+ <revnumber>2.7</revnumber>
+ <date>May 2019</date>
+ <revremark>Released with the Yocto Project 2.7 Release.</revremark>
+ </revision>
+ <revision>
+ <revnumber>2.7.1</revnumber>
+ <date>July 2019</date>
+ <revremark>Released with the Yocto Project 2.7.1 Release.</revremark>
+ </revision>
+ <revision>
+ <revnumber>2.7.2</revnumber>
+ <date>&REL_MONTH_YEAR;</date>
+ <revremark>Released with the Yocto Project 2.7.2 Release.</revremark>
+ </revision>
</revhistory>
<copyright>
diff --git a/documentation/poky.ent b/documentation/poky.ent
index 199e651089..5ab0675495 100644
--- a/documentation/poky.ent
+++ b/documentation/poky.ent
@@ -1,14 +1,14 @@
-<!ENTITY DISTRO "2.7">
-<!ENTITY DISTRO_COMPRESSED "27">
+<!ENTITY DISTRO "2.7.2">
+<!ENTITY DISTRO_COMPRESSED "272">
<!ENTITY DISTRO_NAME_NO_CAP "warrior">
<!ENTITY DISTRO_NAME "Warrior">
<!ENTITY DISTRO_NAME_NO_CAP_MINUS_ONE "thud">
<!ENTITY DISTRO_NAME_MINUS_ONE "Thud">
-<!ENTITY YOCTO_DOC_VERSION "2.7">
+<!ENTITY YOCTO_DOC_VERSION "2.7.2">
<!ENTITY YOCTO_DOC_VERSION_MINUS_ONE "2.6">
-<!ENTITY DISTRO_REL_TAG "yocto-2.7">
+<!ENTITY DISTRO_REL_TAG "yocto-2.7.2">
<!ENTITY METAINTELVERSION "11.0">
-<!ENTITY REL_MONTH_YEAR "May 2019">
+<!ENTITY REL_MONTH_YEAR "November 2019">
<!ENTITY META_INTEL_REL_TAG "&METAINTELVERSION;-&DISTRO_NAME_NO_CAP;-&YOCTO_DOC_VERSION;">
<!ENTITY POKYVERSION "21.0.0">
<!ENTITY POKYVERSION_COMPRESSED "2100">
diff --git a/documentation/profile-manual/profile-manual.xml b/documentation/profile-manual/profile-manual.xml
index af2c7baf72..3168041189 100644
--- a/documentation/profile-manual/profile-manual.xml
+++ b/documentation/profile-manual/profile-manual.xml
@@ -98,9 +98,19 @@
</revision>
<revision>
<revnumber>2.7</revnumber>
- <date>&REL_MONTH_YEAR;</date>
+ <date>May 2019</date>
<revremark>Released with the Yocto Project 2.7 Release.</revremark>
</revision>
+ <revision>
+ <revnumber>2.7.1</revnumber>
+ <date>July 2019</date>
+ <revremark>Released with the Yocto Project 2.7.1 Release.</revremark>
+ </revision>
+ <revision>
+ <revnumber>2.7.2</revnumber>
+ <date>&REL_MONTH_YEAR;</date>
+ <revremark>Released with the Yocto Project 2.7.2 Release.</revremark>
+ </revision>
</revhistory>
<copyright>
diff --git a/documentation/ref-manual/migration.xml b/documentation/ref-manual/migration.xml
index a4d72dd6b7..50a94dbf9a 100644
--- a/documentation/ref-manual/migration.xml
+++ b/documentation/ref-manual/migration.xml
@@ -2103,10 +2103,9 @@
</para>
<para>
- Additionally, a
- <link linkend='ref-classes-bluetooth'><filename>bluetooth</filename></link>
- class has been added to make selection of the appropriate bluetooth
- support within a recipe a little easier.
+ Additionally, a <filename>bluetooth</filename> class has been added
+ to make selection of the appropriate bluetooth support within a
+ recipe a little easier.
If you wish to make use of this class in a recipe, add something
such as the following:
<literallayout class='monospaced'>
diff --git a/documentation/ref-manual/ref-classes.xml b/documentation/ref-manual/ref-classes.xml
index ece47e757b..76ae334b24 100644
--- a/documentation/ref-manual/ref-classes.xml
+++ b/documentation/ref-manual/ref-classes.xml
@@ -445,6 +445,14 @@
variable to specify additional configuration options to be passed
using the <filename>cmake</filename> command line.
</para>
+
+ <para>
+ On the occasion that you would be installing custom CMake toolchain
+ files supplied by the application being built, you should install them
+ to the preferred CMake Module directory:
+ <filename>${D}${datadir}/cmake/</filename> Modules during
+ <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-install'><filename>do_install</filename></ulink>.
+ </para>
</section>
<section id='ref-classes-cml1'>
diff --git a/documentation/ref-manual/ref-devtool-reference.xml b/documentation/ref-manual/ref-devtool-reference.xml
index 4810d28ad1..11f7399c5a 100644
--- a/documentation/ref-manual/ref-devtool-reference.xml
+++ b/documentation/ref-manual/ref-devtool-reference.xml
@@ -629,18 +629,18 @@
<title>Building Your Recipe</title>
<para>
- Use the <filename>devtool build</filename> command to cause the
- OpenEmbedded build system to build your recipe.
+ Use the <filename>devtool build</filename> command to build your
+ recipe.
The <filename>devtool build</filename> command is equivalent to
- <filename>bitbake -c populate_sysroot</filename>.
+ the <filename>bitbake -c populate_sysroot</filename> command.
</para>
<para>
When you use the <filename>devtool build</filename> command,
- you must supply the root name of the recipe (i.e. no version,
- paths, or extensions).
+ you must supply the root name of the recipe (i.e. do not provide
+ versions, paths, or extensions).
You can use either the "-s" or the "--disable-parallel-make"
- option to disable parallel makes during the build.
+ options to disable parallel makes during the build.
Here is an example:
<literallayout class='monospaced'>
$ devtool build <replaceable>recipe</replaceable>
diff --git a/documentation/ref-manual/ref-manual.xml b/documentation/ref-manual/ref-manual.xml
index 26295f02f6..762211054c 100644
--- a/documentation/ref-manual/ref-manual.xml
+++ b/documentation/ref-manual/ref-manual.xml
@@ -129,9 +129,19 @@
</revision>
<revision>
<revnumber>2.7</revnumber>
- <date>&REL_MONTH_YEAR;</date>
+ <date>May 2019</date>
<revremark>Released with the Yocto Project 2.7 Release.</revremark>
</revision>
+ <revision>
+ <revnumber>2.7.1</revnumber>
+ <date>July 2019</date>
+ <revremark>Released with the Yocto Project 2.7.1 Release.</revremark>
+ </revision>
+ <revision>
+ <revnumber>2.7.2</revnumber>
+ <date>&REL_MONTH_YEAR;</date>
+ <revremark>Released with the Yocto Project 2.7.2 Release.</revremark>
+ </revision>
</revhistory>
<copyright>
diff --git a/documentation/ref-manual/ref-variables.xml b/documentation/ref-manual/ref-variables.xml
index 1e3f282a53..578d96f1a7 100644
--- a/documentation/ref-manual/ref-variables.xml
+++ b/documentation/ref-manual/ref-variables.xml
@@ -335,7 +335,7 @@
<glossdef>
<para role="glossdeffirst">
<!-- <para role="glossdeffirst"><imagedata fileref="figures/define-generic.png" /> -->
- The minimal command and arguments used to run the
+ Minimal command and arguments needed to run the
assembler.
</para>
</glossdef>
@@ -1358,7 +1358,7 @@
For example, the following line specifies three
configuration files:
<literallayout class='monospaced'>
- BBMULTIFONFIG = "configA configB configC"
+ BBMULTICONFIG = "configA configB configC"
</literallayout>
Each configuration file you use must reside in the
<link linkend='build-directory'>Build Directory</link>
@@ -2182,9 +2182,10 @@
<para>
The <filename>BUSYBOX_SPLIT_SUID</filename> variable
- defaults to "1", which results in a single output
+ defaults to "1", which results in splitting the output
executable file.
- Set the variable to "0" to split the output file.
+ Set the variable to "0" to get a single output executable
+ file.
</para>
</glossdef>
</glossentry>
diff --git a/documentation/sdk-manual/sdk-manual.xml b/documentation/sdk-manual/sdk-manual.xml
index 9ce4a5b03d..a17d362f41 100644
--- a/documentation/sdk-manual/sdk-manual.xml
+++ b/documentation/sdk-manual/sdk-manual.xml
@@ -63,9 +63,19 @@
</revision>
<revision>
<revnumber>2.7</revnumber>
- <date>&REL_MONTH_YEAR;</date>
+ <date>May 2019</date>
<revremark>Released with the Yocto Project 2.7 Release.</revremark>
</revision>
+ <revision>
+ <revnumber>2.7.1</revnumber>
+ <date>July 2019</date>
+ <revremark>Released with the Yocto Project 2.7.1 Release.</revremark>
+ </revision>
+ <revision>
+ <revnumber>2.7.2</revnumber>
+ <date>&REL_MONTH_YEAR;</date>
+ <revremark>Released with the Yocto Project 2.7.2 Release.</revremark>
+ </revision>
</revhistory>
<copyright>
diff --git a/documentation/toaster-manual/toaster-manual.xml b/documentation/toaster-manual/toaster-manual.xml
index 42dc6a33eb..b3926f3bd4 100644
--- a/documentation/toaster-manual/toaster-manual.xml
+++ b/documentation/toaster-manual/toaster-manual.xml
@@ -73,9 +73,19 @@
</revision>
<revision>
<revnumber>2.7</revnumber>
- <date>&REL_MONTH_YEAR;</date>
+ <date>May 2019</date>
<revremark>Released with the Yocto Project 2.7 Release.</revremark>
</revision>
+ <revision>
+ <revnumber>2.7.1</revnumber>
+ <date>July 2019</date>
+ <revremark>Released with the Yocto Project 2.7.1 Release.</revremark>
+ </revision>
+ <revision>
+ <revnumber>2.7.2</revnumber>
+ <date>&REL_MONTH_YEAR;</date>
+ <revremark>Released with the Yocto Project 2.7.2 Release.</revremark>
+ </revision>
</revhistory>
<copyright>
diff --git a/documentation/tools/mega-manual.sed b/documentation/tools/mega-manual.sed
index 79bbeef575..c37fc33096 100644
--- a/documentation/tools/mega-manual.sed
+++ b/documentation/tools/mega-manual.sed
@@ -1,36 +1,36 @@
# Processes bitbake-user-manual (<word>-<word>-<word> style).
# This style is for manual three-word folders, which currently is only the BitBake User Manual.
# We used to have the "yocto-project-qs" and "poky-ref-manual" folders but no longer do.
-# s@"ulink" href="http://www.yoctoproject.org/docs/2.7/[a-z]*-[a-z]*-[a-z]*/[a-z]*-[a-z]*-[a-z]*.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/2.7/bitbake-user-manual/bitbake-user-manual.html#@"link" href="#@g
+# s@"ulink" href="http://www.yoctoproject.org/docs/2.7.2/[a-z]*-[a-z]*-[a-z]*/[a-z]*-[a-z]*-[a-z]*.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/2.7.2/bitbake-user-manual/bitbake-user-manual.html#@"link" href="#@g
# Processes all other manuals (<word>-<word> style).
# This style is for manual folders that use two word, which is the standard now (e.g. "ref-manual").
# Here is the one-liner:
-# s@"ulink" href="http://www.yoctoproject.org/docs/2.7/[a-z]*-[a-z]*/[a-z]*-[a-z]*.html#@"link" href="#@g
+# s@"ulink" href="http://www.yoctoproject.org/docs/2.7.2/[a-z]*-[a-z]*/[a-z]*-[a-z]*.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/2.7/sdk-manual/sdk-manual.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/2.7/bsp-guide/bsp-guide.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/2.7/dev-manual/dev-manual.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/2.7/overview-manual/overview-manual.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/2.7/brief-yoctoprojectqs/brief-yoctoprojectqs.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/2.7/kernel-dev/kernel-dev.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/2.7/profile-manual/profile-manual.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/2.7/ref-manual/ref-manual.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/2.7/toaster-manual/toaster-manual.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/2.7.2/sdk-manual/sdk-manual.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/2.7.2/bsp-guide/bsp-guide.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/2.7.2/dev-manual/dev-manual.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/2.7.2/overview-manual/overview-manual.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/2.7.2/brief-yoctoprojectqs/brief-yoctoprojectqs.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/2.7.2/kernel-dev/kernel-dev.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/2.7.2/profile-manual/profile-manual.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/2.7.2/ref-manual/ref-manual.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/2.7.2/toaster-manual/toaster-manual.html#@"link" href="#@g
# Process cases where just an external manual is referenced without an id anchor
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7/brief-yoctoprojectqs/brief-yoctoprojectqs.html" target="_top">Yocto Project Quick Build</a>@Yocto Project Quick Build@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7/bitbake-user-manual/bitbake-user-manual.html" target="_top">BitBake User Manual</a>@BitBake User Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7/dev-manual/dev-manual.html" target="_top">Yocto Project Development Tasks Manual</a>@Yocto Project Development Tasks Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7/overview-manual/overview-manual.html" target="_top">Yocto Project Overview and Concepts Manual</a>@Yocto project Overview and Concepts Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7/sdk-manual/sdk-manual.html" target="_top">Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</a>@Yocto Project Application Development and the Extensible Software Development Kit (eSDK)@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7/bsp-guide/bsp-guide.html" target="_top">Yocto Project Board Support Package (BSP) Developer's Guide</a>@Yocto Project Board Support Package (BSP) Developer's Guide@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7/profile-manual/profile-manual.html" target="_top">Yocto Project Profiling and Tracing Manual</a>@Yocto Project Profiling and Tracing Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7/kernel-dev/kernel-dev.html" target="_top">Yocto Project Linux Kernel Development Manual</a>@Yocto Project Linux Kernel Development Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7/ref-manual/ref-manual.html" target="_top">Yocto Project Reference Manual</a>@Yocto Project Reference Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7/toaster-manual/toaster-manual.html" target="_top">Toaster User Manual</a>@Toaster User Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7.2/brief-yoctoprojectqs/brief-yoctoprojectqs.html" target="_top">Yocto Project Quick Build</a>@Yocto Project Quick Build@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7.2/bitbake-user-manual/bitbake-user-manual.html" target="_top">BitBake User Manual</a>@BitBake User Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7.2/dev-manual/dev-manual.html" target="_top">Yocto Project Development Tasks Manual</a>@Yocto Project Development Tasks Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7.2/overview-manual/overview-manual.html" target="_top">Yocto Project Overview and Concepts Manual</a>@Yocto project Overview and Concepts Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7.2/sdk-manual/sdk-manual.html" target="_top">Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</a>@Yocto Project Application Development and the Extensible Software Development Kit (eSDK)@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7.2/bsp-guide/bsp-guide.html" target="_top">Yocto Project Board Support Package (BSP) Developer's Guide</a>@Yocto Project Board Support Package (BSP) Developer's Guide@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7.2/profile-manual/profile-manual.html" target="_top">Yocto Project Profiling and Tracing Manual</a>@Yocto Project Profiling and Tracing Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7.2/kernel-dev/kernel-dev.html" target="_top">Yocto Project Linux Kernel Development Manual</a>@Yocto Project Linux Kernel Development Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7.2/ref-manual/ref-manual.html" target="_top">Yocto Project Reference Manual</a>@Yocto Project Reference Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7.2/toaster-manual/toaster-manual.html" target="_top">Toaster User Manual</a>@Toaster User Manual@g
# Process a single, rouge occurrence of a linked reference to the Mega-Manual.
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7/mega-manual/mega-manual.html" target="_top">Yocto Project Mega-Manual</a>@Yocto Project Mega-Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.7.2/mega-manual/mega-manual.html" target="_top">Yocto Project Mega-Manual</a>@Yocto Project Mega-Manual@g
diff --git a/meta-poky/conf/distro/poky.conf b/meta-poky/conf/distro/poky.conf
index 7083ec0675..43afcab104 100644
--- a/meta-poky/conf/distro/poky.conf
+++ b/meta-poky/conf/distro/poky.conf
@@ -1,6 +1,6 @@
DISTRO = "poky"
DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
-DISTRO_VERSION = "2.7"
+DISTRO_VERSION = "2.7.2"
DISTRO_CODENAME = "warrior"
SDK_VENDOR = "-pokysdk"
SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${DATE}', 'snapshot')}"
@@ -56,10 +56,13 @@ SANITY_TESTED_DISTROS ?= " \
ubuntu-18.04 \n \
fedora-28 \n \
fedora-29 \n \
+ fedora-30 \n \
centos-7 \n \
debian-8 \n \
debian-9 \n \
+ debian-10 \n \
opensuse-42.3 \n \
+ opensuseleap-15.1 \n \
"
#
# OELAYOUT_ABI allows us to notify users when the format of TMPDIR changes in
diff --git a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.19.bbappend b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.19.bbappend
index 6025230c73..ec269d905c 100644
--- a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.19.bbappend
+++ b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.19.bbappend
@@ -8,11 +8,11 @@ KMACHINE_genericx86 ?= "common-pc"
KMACHINE_genericx86-64 ?= "common-pc-64"
KMACHINE_beaglebone-yocto ?= "beaglebone"
-SRCREV_machine_genericx86 ?= "11e0e616ed095bb8012e1b4a231254c9656a0193"
-SRCREV_machine_genericx86-64 ?= "11e0e616ed095bb8012e1b4a231254c9656a0193"
-SRCREV_machine_edgerouter ?= "eebb51300a07804a020ec468b5f8c5bf720198d9"
-SRCREV_machine_beaglebone-yocto ?= "eebb51300a07804a020ec468b5f8c5bf720198d9"
-SRCREV_machine_mpc8315e-rdb ?= "8b60f968823256f5d2889c4520d70299ca21411b"
+SRCREV_machine_genericx86 ?= "5664dc14399edcaad210bbeb6343d84561fb3ea8"
+SRCREV_machine_genericx86-64 ?= "5664dc14399edcaad210bbeb6343d84561fb3ea8"
+SRCREV_machine_edgerouter ?= "5664dc14399edcaad210bbeb6343d84561fb3ea8"
+SRCREV_machine_beaglebone-yocto ?= "5664dc14399edcaad210bbeb6343d84561fb3ea8"
+SRCREV_machine_mpc8315e-rdb ?= "d419f4ca6ba4b097b8ad710a93b89510f5b2998c"
COMPATIBLE_MACHINE_genericx86 = "genericx86"
COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64"
@@ -20,8 +20,8 @@ COMPATIBLE_MACHINE_edgerouter = "edgerouter"
COMPATIBLE_MACHINE_beaglebone-yocto = "beaglebone-yocto"
COMPATIBLE_MACHINE_mpc8315e-rdb = "mpc8315e-rdb"
-LINUX_VERSION_genericx86 = "4.19.19"
-LINUX_VERSION_genericx86-64 = "4.19.19"
-LINUX_VERSION_edgerouter = "4.19.14"
-LINUX_VERSION_beaglebone-yocto = "4.19.14"
-LINUX_VERSION_mpc8315e-rdb = "4.19.14"
+LINUX_VERSION_genericx86 = "4.19.34"
+LINUX_VERSION_genericx86-64 = "4.19.34"
+LINUX_VERSION_edgerouter = "4.19.34"
+LINUX_VERSION_beaglebone-yocto = "4.19.34"
+LINUX_VERSION_mpc8315e-rdb = "4.19.34"
diff --git a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.0.bbappend b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.0.bbappend
index 5cf6e1f064..d7cf1216f4 100644
--- a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.0.bbappend
+++ b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.0.bbappend
@@ -8,11 +8,11 @@ KMACHINE_genericx86 ?= "common-pc"
KMACHINE_genericx86-64 ?= "common-pc-64"
KMACHINE_beaglebone-yocto ?= "beaglebone"
-SRCREV_machine_genericx86 ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d"
-SRCREV_machine_genericx86-64 ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d"
-SRCREV_machine_edgerouter ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d"
-SRCREV_machine_beaglebone-yocto ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d"
-SRCREV_machine_mpc8315e-rdb ?= "8b62af7f252af10588276802c4c6d7c502e875be"
+SRCREV_machine_genericx86 ?= "f990fd0ce123aa6035042efad09b2ddc3e7d48f4"
+SRCREV_machine_genericx86-64 ?= "f990fd0ce123aa6035042efad09b2ddc3e7d48f4"
+SRCREV_machine_edgerouter ?= "f990fd0ce123aa6035042efad09b2ddc3e7d48f4"
+SRCREV_machine_beaglebone-yocto ?= "f990fd0ce123aa6035042efad09b2ddc3e7d48f4"
+SRCREV_machine_mpc8315e-rdb ?= "670ce7e9db627d0c2067cfdb571ddc1f117818d8"
COMPATIBLE_MACHINE_genericx86 = "genericx86"
COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64"
@@ -20,8 +20,8 @@ COMPATIBLE_MACHINE_edgerouter = "edgerouter"
COMPATIBLE_MACHINE_beaglebone-yocto = "beaglebone-yocto"
COMPATIBLE_MACHINE_mpc8315e-rdb = "mpc8315e-rdb"
-LINUX_VERSION_genericx86 = "5.0.3"
-LINUX_VERSION_genericx86-64 = "5.0.3"
-LINUX_VERSION_edgerouter = "5.0.3"
-LINUX_VERSION_beaglebone-yocto = "5.0.3"
-LINUX_VERSION_mpc8315e-rdb = "5.0.3"
+LINUX_VERSION_genericx86 = "5.0.13"
+LINUX_VERSION_genericx86-64 = "5.0.13"
+LINUX_VERSION_edgerouter = "5.0.13"
+LINUX_VERSION_beaglebone-yocto = "5.0.13"
+LINUX_VERSION_mpc8315e-rdb = "5.0.13"
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 743bc08a4f..c00d2910be 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
CVE_VERSION ??= "${PV}"
CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.0.db"
CVE_CHECK_LOG ?= "${T}/cve.log"
CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
@@ -37,32 +37,33 @@ CVE_CHECK_COPY_FILES ??= "1"
CVE_CHECK_CREATE_MANIFEST ??= "1"
# Whitelist for packages (PN)
-CVE_CHECK_PN_WHITELIST = "\
- glibc-locale \
-"
+CVE_CHECK_PN_WHITELIST ?= ""
-# Whitelist for CVE and version of package
-CVE_CHECK_CVE_WHITELIST = "{\
- 'CVE-2014-2524': ('6.3','5.2',), \
-}"
+# Whitelist for CVE. If a CVE is found, then it is considered patched.
+# The value is a string containing space separated CVE values:
+#
+# CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234'
+#
+CVE_CHECK_WHITELIST ?= ""
python do_cve_check () {
"""
Check recipe for patched and unpatched CVEs
"""
- if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
+ if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
patched_cves = get_patches_cves(d)
patched, unpatched = check_cves(d, patched_cves)
if patched or unpatched:
cve_data = get_cve_info(d, patched + unpatched)
cve_write_data(d, patched, unpatched, cve_data)
else:
- bb.note("Failed to update CVE database, skipping CVE check")
+ bb.note("No CVE database found, skipping CVE check")
+
}
addtask cve_check after do_unpack before do_build
-do_cve_check[depends] = "cve-check-tool-native:do_populate_sysroot cve-check-tool-native:do_populate_cve_db"
+do_cve_check[depends] = "cve-update-db-native:do_populate_cve_db"
do_cve_check[nostamp] = "1"
python cve_check_cleanup () {
@@ -163,65 +164,94 @@ def get_patches_cves(d):
def check_cves(d, patched_cves):
"""
- Run cve-check-tool looking for patched and unpatched CVEs.
+ Connect to the NVD database and find unpatched cves.
"""
-
import ast, csv, tempfile, subprocess, io
+ from distutils.version import LooseVersion
- cves_patched = []
cves_unpatched = []
- bpn = d.getVar("CVE_PRODUCT")
+ # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
+ products = d.getVar("CVE_PRODUCT").split()
# If this has been unset then we're not scanning for CVEs here (for example, image recipes)
- if not bpn:
+ if not products:
return ([], [])
pv = d.getVar("CVE_VERSION").split("+git")[0]
- cves = " ".join(patched_cves)
- cve_db_dir = d.getVar("CVE_CHECK_DB_DIR")
- cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
- cve_cmd = "cve-check-tool"
- cmd = [cve_cmd, "--no-html", "--skip-update", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir]
# If the recipe has been whitlisted we return empty lists
if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split():
bb.note("Recipe has been whitelisted, skipping check")
return ([], [])
- try:
- # Write the faux CSV file to be used with cve-check-tool
- fd, faux = tempfile.mkstemp(prefix="cve-faux-")
- with os.fdopen(fd, "w") as f:
- for pn in bpn.split():
- f.write("%s,%s,%s,\n" % (pn, pv, cves))
- cmd.append(faux)
-
- output = subprocess.check_output(cmd).decode("utf-8")
- bb.debug(2, "Output of command %s:\n%s" % ("\n".join(cmd), output))
- except subprocess.CalledProcessError as e:
- bb.warn("Couldn't check for CVEs: %s (output %s)" % (e, e.output))
- finally:
- os.remove(faux)
-
- for row in csv.reader(io.StringIO(output)):
- # Third row has the unpatched CVEs
- if row[2]:
- for cve in row[2].split():
- # Skip if the CVE has been whitlisted for the current version
- if pv in cve_whitelist.get(cve,[]):
- bb.note("%s-%s has been whitelisted for %s" % (bpn, pv, cve))
+ old_cve_whitelist = d.getVar("CVE_CHECK_CVE_WHITELIST")
+ if old_cve_whitelist:
+ bb.warn("CVE_CHECK_CVE_WHITELIST is deprecated, please use CVE_CHECK_WHITELIST.")
+ cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split()
+
+ import sqlite3
+ db_file = d.getVar("CVE_CHECK_DB_FILE")
+ conn = sqlite3.connect(db_file)
+
+ for product in products:
+ c = conn.cursor()
+ if ":" in product:
+ vendor, product = product.split(":", 1)
+ c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR IS ?", (product, vendor))
+ else:
+ c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ?", (product,))
+
+ for row in c:
+ cve = row[0]
+ version_start = row[3]
+ operator_start = row[4]
+ version_end = row[5]
+ operator_end = row[6]
+
+ if cve in cve_whitelist:
+ bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
+ elif cve in patched_cves:
+ bb.note("%s has been patched" % (cve))
+ else:
+ to_append = False
+ if (operator_start == '=' and pv == version_start):
+ cves_unpatched.append(cve)
else:
+ if operator_start:
+ try:
+ to_append_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start))
+ to_append_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start))
+ except:
+ bb.note("%s: Failed to compare %s %s %s for %s" %
+ (product, pv, operator_start, version_start, cve))
+ to_append_start = False
+ else:
+ to_append_start = False
+
+ if operator_end:
+ try:
+ to_append_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end))
+ to_append_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end))
+ except:
+ bb.note("%s: Failed to compare %s %s %s for %s" %
+ (product, pv, operator_end, version_end, cve))
+ to_append_end = False
+ else:
+ to_append_end = False
+
+ if operator_start and operator_end:
+ to_append = to_append_start and to_append_end
+ else:
+ to_append = to_append_start or to_append_end
+
+ if to_append:
cves_unpatched.append(cve)
- bb.debug(2, "%s-%s is not patched for %s" % (bpn, pv, cve))
- # Fourth row has patched CVEs
- if row[3]:
- for cve in row[3].split():
- cves_patched.append(cve)
- bb.debug(2, "%s-%s is patched for %s" % (bpn, pv, cve))
+ bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve))
+ conn.close()
- return (cves_patched, cves_unpatched)
+ return (list(patched_cves), cves_unpatched)
def get_cve_info(d, cves):
"""
- Get CVE information from the database used by cve-check-tool.
+ Get CVE information from the database.
Unfortunately the only way to get CVE info is set the output to
html (hard to parse) or query directly the database.
@@ -241,9 +271,10 @@ def get_cve_info(d, cves):
for row in cur.execute(query, tuple(cves)):
cve_data[row[0]] = {}
cve_data[row[0]]["summary"] = row[1]
- cve_data[row[0]]["score"] = row[2]
- cve_data[row[0]]["modified"] = row[3]
- cve_data[row[0]]["vector"] = row[4]
+ cve_data[row[0]]["scorev2"] = row[2]
+ cve_data[row[0]]["scorev3"] = row[3]
+ cve_data[row[0]]["modified"] = row[4]
+ cve_data[row[0]]["vector"] = row[5]
conn.close()
return cve_data
@@ -270,7 +301,8 @@ def cve_write_data(d, patched, unpatched, cve_data):
unpatched_cves.append(cve)
write_string += "CVE STATUS: Unpatched\n"
write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
- write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["score"]
+ write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
+ write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)
diff --git a/meta/classes/devicetree.bbclass b/meta/classes/devicetree.bbclass
index 5c03e4b0fd..d8779c7943 100644
--- a/meta/classes/devicetree.bbclass
+++ b/meta/classes/devicetree.bbclass
@@ -116,7 +116,7 @@ def devicetree_compile(dtspath, includes, d):
dtcargs += ["-o", "{0}.{1}".format(dtname, "dtbo" if isoverlay else "dtb")]
dtcargs += ["-I", "dts", "-O", "dtb", "{0}.pp".format(dts)]
bb.note("Running {0}".format(" ".join(dtcargs)))
- subprocess.run(dtcargs, check = True)
+ subprocess.run(dtcargs, check = True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
python devicetree_do_compile() {
includes = expand_includes("DT_INCLUDE", d)
diff --git a/meta/classes/icecc.bbclass b/meta/classes/icecc.bbclass
index edb0e10434..63d8b4dfee 100644
--- a/meta/classes/icecc.bbclass
+++ b/meta/classes/icecc.bbclass
@@ -243,7 +243,11 @@ def icecc_get_external_tool(bb, d, tool):
def icecc_get_tool_link(tool, d):
import subprocess
- return subprocess.check_output("readlink -f %s" % tool, shell=True).decode("utf-8")[:-1]
+ try:
+ return subprocess.check_output("readlink -f %s" % tool, shell=True).decode("utf-8")[:-1]
+ except subprocess.CalledProcessError as e:
+ bb.note("icecc: one of the tools probably disappeared during recipe parsing, cmd readlink -f %s returned %d:\n%s" % (tool, e.returncode, e.output.decode("utf-8")))
+ return tool
def icecc_get_path_tool(tool, d):
# This is a little ugly, but we want to make sure we add an actual
diff --git a/meta/classes/image-live.bbclass b/meta/classes/image-live.bbclass
index af71be5093..54058b350d 100644
--- a/meta/classes/image-live.bbclass
+++ b/meta/classes/image-live.bbclass
@@ -37,7 +37,7 @@ do_bootimg[depends] += "dosfstools-native:do_populate_sysroot \
LABELS_LIVE ?= "boot install"
ROOT_LIVE ?= "root=/dev/ram0"
INITRD_IMAGE_LIVE ?= "${MLPREFIX}core-image-minimal-initramfs"
-INITRD_LIVE ?= "${DEPLOY_DIR_IMAGE}/${INITRD_IMAGE_LIVE}-${MACHINE}.cpio.gz"
+INITRD_LIVE ?= "${DEPLOY_DIR_IMAGE}/${INITRD_IMAGE_LIVE}-${MACHINE}.${INITRAMFS_FSTYPES}"
LIVE_ROOTFS_TYPE ?= "ext4"
ROOTFS ?= "${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.${LIVE_ROOTFS_TYPE}"
diff --git a/meta/classes/kernel-uboot.bbclass b/meta/classes/kernel-uboot.bbclass
index 2364053f31..87f02654fa 100644
--- a/meta/classes/kernel-uboot.bbclass
+++ b/meta/classes/kernel-uboot.bbclass
@@ -3,10 +3,6 @@ uboot_prep_kimage() {
vmlinux_path="arch/${ARCH}/boot/compressed/vmlinux"
linux_suffix=""
linux_comp="none"
- elif [ -e arch/${ARCH}/boot/Image ] ; then
- vmlinux_path="vmlinux"
- linux_suffix=""
- linux_comp="none"
elif [ -e arch/${ARCH}/boot/vmlinuz.bin ]; then
rm -f linux.bin
cp -l arch/${ARCH}/boot/vmlinuz.bin linux.bin
diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass
index 111a0b2eeb..fb1f49327c 100644
--- a/meta/classes/kernel.bbclass
+++ b/meta/classes/kernel.bbclass
@@ -453,7 +453,7 @@ do_shared_workdir () {
cp .config $kerneldir/
mkdir -p $kerneldir/include/config
cp include/config/kernel.release $kerneldir/include/config/kernel.release
- if [ -e certs/signing_key.pem ]; then
+ if [ -e certs/signing_key.x509 ]; then
# The signing_key.* files are stored in the certs/ dir in
# newer Linux kernels
mkdir -p $kerneldir/certs
diff --git a/meta/classes/multilib.bbclass b/meta/classes/multilib.bbclass
index 2b761f3551..9b27b53b47 100644
--- a/meta/classes/multilib.bbclass
+++ b/meta/classes/multilib.bbclass
@@ -123,8 +123,55 @@ python __anonymous () {
clsextend.map_variable("USERADD_PACKAGES")
clsextend.map_variable("SYSTEMD_PACKAGES")
clsextend.map_variable("UPDATERCPN")
+
+ reset_alternative_priority(d)
}
+def reset_alternative_priority(d):
+ if not bb.data.inherits_class('update-alternatives', d):
+ return
+
+ # There might be multiple multilibs at the same time, e.g., lib32 and
+ # lib64, each of them should have a different priority.
+ multilib_variants = d.getVar('MULTILIB_VARIANTS')
+ bbextendvariant = d.getVar('BBEXTENDVARIANT')
+ reset_gap = multilib_variants.split().index(bbextendvariant) + 1
+
+ # ALTERNATIVE_PRIORITY = priority
+ alt_priority_recipe = d.getVar('ALTERNATIVE_PRIORITY')
+ # Reset ALTERNATIVE_PRIORITY when found
+ if alt_priority_recipe:
+ reset_priority = int(alt_priority_recipe) - reset_gap
+ bb.debug(1, '%s: Setting ALTERNATIVE_PRIORITY to %s' % (d.getVar('PN'), reset_priority))
+ d.setVar('ALTERNATIVE_PRIORITY', reset_priority)
+
+ handled_pkgs = []
+ for pkg in (d.getVar('PACKAGES') or "").split():
+ # ALTERNATIVE_PRIORITY_pkg = priority
+ alt_priority_pkg = d.getVar('ALTERNATIVE_PRIORITY_%s' % pkg)
+ # Reset ALTERNATIVE_PRIORITY_pkg when found
+ if alt_priority_pkg:
+ reset_priority = int(alt_priority_pkg) - reset_gap
+ if not pkg in handled_pkgs:
+ handled_pkgs.append(pkg)
+ bb.debug(1, '%s: Setting ALTERNATIVE_PRIORITY_%s to %s' % (pkg, pkg, reset_priority))
+ d.setVar('ALTERNATIVE_PRIORITY_%s' % pkg, reset_priority)
+
+ for alt_name in (d.getVar('ALTERNATIVE_%s' % pkg) or "").split():
+ # ALTERNATIVE_PRIORITY_pkg[tool] = priority
+ alt_priority_pkg_name = d.getVarFlag('ALTERNATIVE_PRIORITY_%s' % pkg, alt_name)
+ # ALTERNATIVE_PRIORITY[tool] = priority
+ alt_priority_name = d.getVarFlag('ALTERNATIVE_PRIORITY', alt_name)
+
+ if alt_priority_pkg_name:
+ reset_priority = int(alt_priority_pkg_name) - reset_gap
+ bb.debug(1, '%s: Setting ALTERNATIVE_PRIORITY_%s[%s] to %s' % (pkg, pkg, alt_name, reset_priority))
+ d.setVarFlag('ALTERNATIVE_PRIORITY_%s' % pkg, alt_name, reset_priority)
+ elif alt_priority_name:
+ reset_priority = int(alt_priority_name) - reset_gap
+ bb.debug(1, '%s: Setting ALTERNATIVE_PRIORITY[%s] to %s' % (pkg, alt_name, reset_priority))
+ d.setVarFlag('ALTERNATIVE_PRIORITY', alt_name, reset_priority)
+
PACKAGEFUNCS_append = " do_package_qa_multilib"
python do_package_qa_multilib() {
diff --git a/meta/classes/package.bbclass b/meta/classes/package.bbclass
index 4c0a859536..472d542b11 100644
--- a/meta/classes/package.bbclass
+++ b/meta/classes/package.bbclass
@@ -1210,7 +1210,8 @@ python populate_packages () {
src = os.path.join(src, p)
dest = os.path.join(dest, p)
fstat = cpath.stat(src)
- os.mkdir(dest, fstat.st_mode)
+ os.mkdir(dest)
+ os.chmod(dest, fstat.st_mode)
os.chown(dest, fstat.st_uid, fstat.st_gid)
if p not in seen:
seen.append(p)
@@ -1343,6 +1344,8 @@ EXPORT_FUNCTIONS package_name_hook
PKGDESTWORK = "${WORKDIR}/pkgdata"
+PKGDATA_VARS = "PN PE PV PR PKGE PKGV PKGR LICENSE DESCRIPTION SUMMARY RDEPENDS RPROVIDES RRECOMMENDS RSUGGESTS RREPLACES RCONFLICTS SECTION PKG ALLOW_EMPTY FILES CONFFILES FILES_INFO pkg_postinst pkg_postrm pkg_preinst pkg_prerm"
+
python emit_pkgdata() {
from glob import glob
import json
@@ -1447,48 +1450,26 @@ fi
total_size += fstat.st_size
d.setVar('FILES_INFO', json.dumps(files, sort_keys=True))
- subdata_file = pkgdatadir + "/runtime/%s" % pkg
- sf = open(subdata_file, 'w')
- write_if_exists(sf, pkg, 'PN')
- write_if_exists(sf, pkg, 'PE')
- write_if_exists(sf, pkg, 'PV')
- write_if_exists(sf, pkg, 'PR')
- write_if_exists(sf, pkg, 'PKGE')
- write_if_exists(sf, pkg, 'PKGV')
- write_if_exists(sf, pkg, 'PKGR')
- write_if_exists(sf, pkg, 'LICENSE')
- write_if_exists(sf, pkg, 'DESCRIPTION')
- write_if_exists(sf, pkg, 'SUMMARY')
- write_if_exists(sf, pkg, 'RDEPENDS')
- rprov = write_if_exists(sf, pkg, 'RPROVIDES')
- write_if_exists(sf, pkg, 'RRECOMMENDS')
- write_if_exists(sf, pkg, 'RSUGGESTS')
- write_if_exists(sf, pkg, 'RREPLACES')
- write_if_exists(sf, pkg, 'RCONFLICTS')
- write_if_exists(sf, pkg, 'SECTION')
- write_if_exists(sf, pkg, 'PKG')
- write_if_exists(sf, pkg, 'ALLOW_EMPTY')
- write_if_exists(sf, pkg, 'FILES')
- write_if_exists(sf, pkg, 'CONFFILES')
process_postinst_on_target(pkg, d.getVar("MLPREFIX"))
add_set_e_to_scriptlets(pkg)
- write_if_exists(sf, pkg, 'pkg_postinst')
- write_if_exists(sf, pkg, 'pkg_postrm')
- write_if_exists(sf, pkg, 'pkg_preinst')
- write_if_exists(sf, pkg, 'pkg_prerm')
- write_if_exists(sf, pkg, 'FILERPROVIDESFLIST')
- write_if_exists(sf, pkg, 'FILES_INFO')
- for dfile in (d.getVar('FILERPROVIDESFLIST_' + pkg) or "").split():
- write_if_exists(sf, pkg, 'FILERPROVIDES_' + dfile)
-
- write_if_exists(sf, pkg, 'FILERDEPENDSFLIST')
- for dfile in (d.getVar('FILERDEPENDSFLIST_' + pkg) or "").split():
- write_if_exists(sf, pkg, 'FILERDEPENDS_' + dfile)
-
- sf.write('%s_%s: %d\n' % ('PKGSIZE', pkg, total_size))
- sf.close()
+
+ subdata_file = pkgdatadir + "/runtime/%s" % pkg
+ with open(subdata_file, 'w') as sf:
+ for var in (d.getVar('PKGDATA_VARS') or "").split():
+ val = write_if_exists(sf, pkg, var)
+
+ write_if_exists(sf, pkg, 'FILERPROVIDESFLIST')
+ for dfile in (d.getVar('FILERPROVIDESFLIST_' + pkg) or "").split():
+ write_if_exists(sf, pkg, 'FILERPROVIDES_' + dfile)
+
+ write_if_exists(sf, pkg, 'FILERDEPENDSFLIST')
+ for dfile in (d.getVar('FILERDEPENDSFLIST_' + pkg) or "").split():
+ write_if_exists(sf, pkg, 'FILERDEPENDS_' + dfile)
+
+ sf.write('%s_%s: %d\n' % ('PKGSIZE', pkg, total_size))
# Symlinks needed for rprovides lookup
+ rprov = d.getVar('RPROVIDES_%s' % pkg) or d.getVar('RPROVIDES')
if rprov:
for p in rprov.strip().split():
subdata_sym = pkgdatadir + "/runtime-rprovides/%s/%s" % (p, pkg)
@@ -1938,7 +1919,7 @@ python package_do_pkgconfig () {
for dir in reversed(shlibs_dirs):
if not os.path.exists(dir):
continue
- for file in os.listdir(dir):
+ for file in sorted(os.listdir(dir)):
m = re.match(r'^(.*)\.pclist$', file)
if m:
pkg = m.group(1)
diff --git a/meta/classes/staging.bbclass b/meta/classes/staging.bbclass
index 062b2817c8..546fc812ad 100644
--- a/meta/classes/staging.bbclass
+++ b/meta/classes/staging.bbclass
@@ -167,7 +167,7 @@ def staging_processfixme(fixme, target, recipesysroot, recipesysrootnative, d):
if not fixme:
return
cmd = "sed -e 's:^[^/]*/:%s/:g' %s | xargs sed -i -e 's:FIXMESTAGINGDIRTARGET:%s:g; s:FIXMESTAGINGDIRHOST:%s:g'" % (target, " ".join(fixme), recipesysroot, recipesysrootnative)
- for fixmevar in ['COMPONENTS_DIR', 'HOSTTOOLS_DIR', 'PKGDATA_DIR', 'PSEUDO_LOCALSTATEDIR', 'LOGFIFO']:
+ for fixmevar in ['PSEUDO_SYSROOT', 'HOSTTOOLS_DIR', 'PKGDATA_DIR', 'PSEUDO_LOCALSTATEDIR', 'LOGFIFO']:
fixme_path = d.getVar(fixmevar)
cmd += " -e 's:FIXME_%s:%s:g'" % (fixmevar, fixme_path)
bb.debug(2, cmd)
diff --git a/meta/classes/uboot-extlinux-config.bbclass b/meta/classes/uboot-extlinux-config.bbclass
index b5b1a81dfc..f4bf94be04 100644
--- a/meta/classes/uboot-extlinux-config.bbclass
+++ b/meta/classes/uboot-extlinux-config.bbclass
@@ -104,13 +104,16 @@ python do_create_extlinux_config() {
if default:
cfgfile.write('DEFAULT %s\n' % (default))
- for label in labels.split():
+ # Need to deconflict the labels with existing overrides
+ label_overrides = labels.split()
+ default_overrides = localdata.getVar('OVERRIDES').split(':')
+ # We're keeping all the existing overrides that aren't used as a label
+ # an override for that label will be added back in while we're processing that label
+ keep_overrides = list(filter(lambda x: x not in label_overrides, default_overrides))
- overrides = localdata.getVar('OVERRIDES')
- if not overrides:
- bb.fatal('OVERRIDES not defined')
+ for label in labels.split():
- localdata.setVar('OVERRIDES', label + ':' + overrides)
+ localdata.setVar('OVERRIDES', ':'.join(keep_overrides + [label]))
extlinux_console = localdata.getVar('UBOOT_EXTLINUX_CONSOLE')
diff --git a/meta/classes/uboot-sign.bbclass b/meta/classes/uboot-sign.bbclass
index 8beafff7c0..1fc2a37214 100644
--- a/meta/classes/uboot-sign.bbclass
+++ b/meta/classes/uboot-sign.bbclass
@@ -66,7 +66,7 @@ concat_dtb_helper() {
install ${UBOOT_BINARY} ${DEPLOYDIR}/${UBOOT_IMAGE}
elif [ -e "${DEPLOYDIR}/${UBOOT_NODTB_IMAGE}" -a -e "$deployed_uboot_dtb_binary" ]; then
cd ${DEPLOYDIR}
- cat ${UBOOT_NODTB_IMAGE} $deployed_uboot_dtb_binary | tee ${UBOOT_BINARY} > ${UBOOT_IMAGE}
+ cat ${UBOOT_NODTB_IMAGE} $deployed_uboot_dtb_binary | tee ${B}/${CONFIG_B_PATH}/${UBOOT_BINARY} > ${UBOOT_IMAGE}
else
bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
fi
@@ -77,10 +77,12 @@ concat_dtb() {
mkdir -p ${DEPLOYDIR}
if [ -n "${UBOOT_CONFIG}" ]; then
for config in ${UBOOT_MACHINE}; do
+ CONFIG_B_PATH="${config}"
cd ${B}/${config}
concat_dtb_helper
done
else
+ CONFIG_B_PATH=""
cd ${B}
concat_dtb_helper
fi
diff --git a/meta/classes/useradd.bbclass b/meta/classes/useradd.bbclass
index 124becd082..e5f3ba24f9 100644
--- a/meta/classes/useradd.bbclass
+++ b/meta/classes/useradd.bbclass
@@ -100,6 +100,8 @@ useradd_sysroot () {
# Pseudo may (do_prepare_recipe_sysroot) or may not (do_populate_sysroot_setscene) be running
# at this point so we're explicit about the environment so pseudo can load if
# not already present.
+ # PSEUDO_SYSROOT can contain references to the build architecture and COMPONENT_DIR
+ # so needs the STAGING_FIXME below
export PSEUDO="${FAKEROOTENV} ${PSEUDO_SYSROOT}${bindir_native}/pseudo"
# Explicitly set $D since it isn't set to anything
@@ -134,10 +136,10 @@ useradd_sysroot () {
}
# The export of PSEUDO in useradd_sysroot() above contains references to
-# ${COMPONENTS_DIR} and ${PSEUDO_LOCALSTATEDIR}. Additionally, the logging
+# ${PSEUDO_SYSROOT} and ${PSEUDO_LOCALSTATEDIR}. Additionally, the logging
# shell functions use ${LOGFIFO}. These need to be handled when restoring
# postinst-useradd-${PN} from the sstate cache.
-EXTRA_STAGING_FIXMES += "COMPONENTS_DIR PSEUDO_LOCALSTATEDIR LOGFIFO"
+EXTRA_STAGING_FIXMES += "PSEUDO_SYSROOT PSEUDO_LOCALSTATEDIR LOGFIFO"
python useradd_sysroot_sstate () {
scriptfile = None
@@ -182,6 +184,7 @@ def update_useradd_after_parse(d):
bb.fatal("%s inherits useradd but doesn't set USERADD_PACKAGES" % d.getVar('FILE', False))
for pkg in useradd_packages.split():
+ d.appendVarFlag("do_populate_sysroot", "vardeps", "USERADD_PARAM_%s GROUPADD_PARAM_%s GROUPMEMS_PARAM_%s" % (pkg, pkg, pkg))
if not d.getVar('USERADD_PARAM_%s' % pkg) and not d.getVar('GROUPADD_PARAM_%s' % pkg) and not d.getVar('GROUPMEMS_PARAM_%s' % pkg):
bb.fatal("%s inherits useradd but doesn't set USERADD_PARAM, GROUPADD_PARAM or GROUPMEMS_PARAM for package %s" % (d.getVar('FILE', False), pkg))
diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index 950b8e8951..660a52ad87 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -135,6 +135,7 @@ RECIPE_MAINTAINER_pn-cryptodev-tests = "Robert Yang <liezhi.yang@windriver.com>"
RECIPE_MAINTAINER_pn-cups = "Chen Qi <Qi.Chen@windriver.com>"
RECIPE_MAINTAINER_pn-curl = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER_pn-cve-check-tool = "Ross Burton <ross.burton@intel.com>"
+RECIPE_MAINTAINER_pn-cve-update-db-native = "Ross Burton <ross.burton@intel.com>"
RECIPE_MAINTAINER_pn-cwautomacros = "Ross Burton <ross.burton@intel.com>"
RECIPE_MAINTAINER_pn-db = "Mark Hatle <mark.hatle@windriver.com>"
RECIPE_MAINTAINER_pn-dbus = "Chen Qi <Qi.Chen@windriver.com>"
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 0bb8f7af17..ad75d3e2a3 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,9 +6,9 @@
# to the distro running on the build machine.
#
-UNINATIVE_MAXGLIBCVERSION = "2.29"
+UNINATIVE_MAXGLIBCVERSION = "2.30"
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.5/"
-UNINATIVE_CHECKSUM[aarch64] ?= "ca977ff95c77f983570141908d451ff7d78add2864471605af404302bb36a1fa"
-UNINATIVE_CHECKSUM[i686] ?= "7b5822891c293795faf8a4a80586b36f8cde405387524916a24f9055ea82f7ca"
-UNINATIVE_CHECKSUM[x86_64] ?= "ed0ac07c710b711925cb976685dd855fb1d442dd840d00194751c18bf480c4ed"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.7/"
+UNINATIVE_CHECKSUM[aarch64] ?= "e76a45886ee8a0b3904b761c17ac8ff91edf9811ee455f1832d10763ba794dfc"
+UNINATIVE_CHECKSUM[i686] ?= "810d027dfb1c7675226afbcec07808770516c969ee7378f6d8240281083f8924"
+UNINATIVE_CHECKSUM[x86_64] ?= "9498d8bba047499999a7310ac2576d0796461184965351a56f6d32c888a1f216"
diff --git a/meta/conf/machine/qemuarm64.conf b/meta/conf/machine/qemuarm64.conf
index 5c8aac1511..353ac927d9 100644
--- a/meta/conf/machine/qemuarm64.conf
+++ b/meta/conf/machine/qemuarm64.conf
@@ -14,6 +14,7 @@ QB_SYSTEM_NAME = "qemu-system-aarch64"
QB_MEM = "-m 512"
QB_MACHINE = "-machine virt"
QB_CPU = "-cpu cortex-a57"
+QB_CPU_KVM = "-cpu host"
# Standard Serial console
QB_KERNEL_CMDLINE_APPEND = "console=ttyAMA0"
# For graphics to work we need to define the VGA device as well as the necessary USB devices
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index a95d2ba34c..2fd8c3b1ac 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -15,21 +15,27 @@ class LocalSigner(object):
def __init__(self, d):
self.gpg_bin = d.getVar('GPG_BIN') or \
bb.utils.which(os.getenv('PATH'), 'gpg')
+ self.gpg_cmd = [self.gpg_bin]
+ self.gpg_agent_bin = bb.utils.which(os.getenv('PATH'), "gpg-agent")
+ # Without this we see "Cannot allocate memory" errors when running processes in parallel
+ # It needs to be set for any gpg command since any agent launched can stick around in memory
+ # and this parameter must be set.
+ if self.gpg_agent_bin:
+ self.gpg_cmd += ["--agent-program=%s|--auto-expand-secmem" % (self.gpg_agent_bin)]
self.gpg_path = d.getVar('GPG_PATH')
- self.gpg_version = self.get_gpg_version()
self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpmsign")
- self.gpg_agent_bin = bb.utils.which(os.getenv('PATH'), "gpg-agent")
+ self.gpg_version = self.get_gpg_version()
+
def export_pubkey(self, output_file, keyid, armor=True):
"""Export GPG public key to a file"""
- cmd = '%s --no-permission-warning --batch --yes --export -o %s ' % \
- (self.gpg_bin, output_file)
+ cmd = self.gpg_cmd + ["--no-permission-warning", "--batch", "--yes", "--export", "-o", output_file]
if self.gpg_path:
- cmd += "--homedir %s " % self.gpg_path
+ cmd += ["--homedir", self.gpg_path]
if armor:
- cmd += "--armor "
- cmd += keyid
- subprocess.check_output(shlex.split(cmd), stderr=subprocess.STDOUT)
+ cmd += ["--armor"]
+ cmd += [keyid]
+ subprocess.check_output(cmd, stderr=subprocess.STDOUT)
def sign_rpms(self, files, keyid, passphrase, digest, sign_chunk, fsk=None, fsk_password=None):
"""Sign RPM files"""
@@ -59,7 +65,7 @@ class LocalSigner(object):
if passphrase_file and passphrase:
raise Exception("You should use either passphrase_file of passphrase, not both")
- cmd = [self.gpg_bin, '--detach-sign', '--no-permission-warning', '--batch',
+ cmd = self.gpg_cmd + ['--detach-sign', '--no-permission-warning', '--batch',
'--no-tty', '--yes', '--passphrase-fd', '0', '-u', keyid]
if self.gpg_path:
@@ -72,9 +78,6 @@ class LocalSigner(object):
if self.gpg_version > (2,1,):
cmd += ['--pinentry-mode', 'loopback']
- if self.gpg_agent_bin:
- cmd += ["--agent-program=%s|--auto-expand-secmem" % (self.gpg_agent_bin)]
-
cmd += [input_file]
try:
@@ -101,7 +104,8 @@ class LocalSigner(object):
def get_gpg_version(self):
"""Return the gpg version as a tuple of ints"""
try:
- ver_str = subprocess.check_output((self.gpg_bin, "--version", "--no-permission-warning")).split()[2].decode("utf-8")
+ cmd = self.gpg_cmd + ["--version", "--no-permission-warning"]
+ ver_str = subprocess.check_output(cmd).split()[2].decode("utf-8")
return tuple([int(i) for i in ver_str.split("-")[0].split('.')])
except subprocess.CalledProcessError as e:
raise bb.build.FuncFailed("Could not get gpg version: %s" % e)
@@ -109,11 +113,12 @@ class LocalSigner(object):
def verify(self, sig_file):
"""Verify signature"""
- cmd = self.gpg_bin + " --verify --no-permission-warning "
+ cmd = self.gpg_cmd + [" --verify", "--no-permission-warning"]
if self.gpg_path:
- cmd += "--homedir %s " % self.gpg_path
- cmd += sig_file
- status = subprocess.call(shlex.split(cmd))
+ cmd += ["--homedir", self.gpg_path]
+
+ cmd += [sig_file]
+ status = subprocess.call(cmd)
ret = False if status else True
return ret
diff --git a/meta/lib/oe/package.py b/meta/lib/oe/package.py
index b59513227b..b8585d4253 100644
--- a/meta/lib/oe/package.py
+++ b/meta/lib/oe/package.py
@@ -265,7 +265,7 @@ def read_shlib_providers(d):
bb.debug(2, "Reading shlib providers in %s" % (dir))
if not os.path.exists(dir):
continue
- for file in os.listdir(dir):
+ for file in sorted(os.listdir(dir)):
m = list_re.match(file)
if m:
dep_pkg = m.group(1)
diff --git a/meta/lib/oe/rootfs.py b/meta/lib/oe/rootfs.py
index 9358f562c8..c62fa5f54a 100644
--- a/meta/lib/oe/rootfs.py
+++ b/meta/lib/oe/rootfs.py
@@ -647,6 +647,7 @@ class DpkgRootfs(DpkgOpkgRootfs):
if pkg_type in pkgs_to_install:
self.pm.install(pkgs_to_install[pkg_type],
[False, True][pkg_type == Manifest.PKG_TYPE_ATTEMPT_ONLY])
+ self.pm.fix_broken_dependencies()
if self.progress_reporter:
# Don't support attemptonly, so skip that
diff --git a/meta/lib/oeqa/core/context.py b/meta/lib/oeqa/core/context.py
index 09627044c8..58244895af 100644
--- a/meta/lib/oeqa/core/context.py
+++ b/meta/lib/oeqa/core/context.py
@@ -9,6 +9,7 @@ import json
import time
import logging
import collections
+import unittest
from oeqa.core.loader import OETestLoader
from oeqa.core.runner import OETestRunner
@@ -45,10 +46,14 @@ class OETestContext(object):
def skipTests(self, skips):
if not skips:
return
+ def skipfuncgen(skipmsg):
+ def func():
+ raise unittest.SkipTest(skipmsg)
+ return func
for test in self.suites:
for skip in skips:
if test.id().startswith(skip):
- setattr(test, 'setUp', lambda: test.skipTest('Skip by the command line argument "%s"' % skip))
+ setattr(test, 'setUp', skipfuncgen('Skip by the command line argument "%s"' % skip))
def loadTests(self, module_paths, modules=[], tests=[],
modules_manifest="", modules_required=[], filters={}):
diff --git a/meta/lib/oeqa/selftest/cases/devtool.py b/meta/lib/oeqa/selftest/cases/devtool.py
index 434a7b9dd4..904ff6988b 100644
--- a/meta/lib/oeqa/selftest/cases/devtool.py
+++ b/meta/lib/oeqa/selftest/cases/devtool.py
@@ -393,7 +393,7 @@ class DevtoolAddTests(DevtoolBase):
tempdir = tempfile.mkdtemp(prefix='devtoolqa')
self.track_for_cleanup(tempdir)
testver = '0.23'
- url = 'https://pypi.python.org/packages/source/M/MarkupSafe/MarkupSafe-%s.tar.gz' % testver
+ url = 'https://files.pythonhosted.org/packages/c0/41/bae1254e0396c0cc8cf1751cb7d9afc90a602353695af5952530482c963f/MarkupSafe-%s.tar.gz' % testver
testrecipe = 'python-markupsafe'
srcdir = os.path.join(tempdir, testrecipe)
# Test devtool add
diff --git a/meta/lib/oeqa/selftest/cases/manifest.py b/meta/lib/oeqa/selftest/cases/manifest.py
index c0b25ab5d8..5d13f35468 100644
--- a/meta/lib/oeqa/selftest/cases/manifest.py
+++ b/meta/lib/oeqa/selftest/cases/manifest.py
@@ -86,11 +86,8 @@ class VerifyManifest(OESelftestTestCase):
try:
mdir = self.get_dir_from_bb_var('SDK_DEPLOY', self.buildtarget)
for k in d_target.keys():
- bb_vars = get_bb_vars(['SDK_NAME', 'SDK_VERSION'], self.buildtarget)
- mfilename[k] = "{}-toolchain-{}.{}.manifest".format(
- bb_vars['SDK_NAME'],
- bb_vars['SDK_VERSION'],
- k)
+ toolchain_outputname = get_bb_var('TOOLCHAIN_OUTPUTNAME', self.buildtarget)
+ mfilename[k] = "{}.{}.manifest".format(toolchain_outputname, k)
mpath[k] = os.path.join(mdir, mfilename[k])
if not os.path.isfile(mpath[k]):
self.logger.debug("{}: {} does not exist".format(
diff --git a/meta/lib/oeqa/selftest/cases/signing.py b/meta/lib/oeqa/selftest/cases/signing.py
index 9c710bd0ff..b390f37d8e 100644
--- a/meta/lib/oeqa/selftest/cases/signing.py
+++ b/meta/lib/oeqa/selftest/cases/signing.py
@@ -30,7 +30,8 @@ class Signing(OESelftestTestCase):
self.secret_key_path = os.path.join(self.testlayer_path, 'files', 'signing', "key.secret")
nsysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "gnupg-native")
- runCmd('gpg --batch --homedir %s --import %s %s' % (self.gpg_dir, self.pub_key_path, self.secret_key_path), native_sysroot=nsysroot)
+
+ runCmd('gpg --agent-program=`which gpg-agent`\|--auto-expand-secmem --batch --homedir %s --import %s %s' % (self.gpg_dir, self.pub_key_path, self.secret_key_path), native_sysroot=nsysroot)
return nsysroot + get_bb_var("bindir_native")
diff --git a/meta/lib/oeqa/utils/logparser.py b/meta/lib/oeqa/utils/logparser.py
index cc6d18d94a..b31214b1c7 100644
--- a/meta/lib/oeqa/utils/logparser.py
+++ b/meta/lib/oeqa/utils/logparser.py
@@ -16,7 +16,7 @@ class PtestParser(object):
def parse(self, logfile):
test_regex = {}
test_regex['PASSED'] = re.compile(r"^PASS:(.+)")
- test_regex['FAILED'] = re.compile(r"^FAIL:(.+)")
+ test_regex['FAILED'] = re.compile(r"^FAIL:([^(]+)")
test_regex['SKIPPED'] = re.compile(r"^SKIP:(.+)")
section_regex = {}
@@ -69,7 +69,7 @@ class PtestParser(object):
if result:
if current_section['name'] not in self.results:
self.results[current_section['name']] = {}
- self.results[current_section['name']][result.group(1)] = t
+ self.results[current_section['name']][result.group(1).strip()] = t
return self.results, self.sections
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1b.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1b.bb
index d3404d2ef9..9e36df807c 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1b.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1b.bb
@@ -148,7 +148,7 @@ do_install_append_class-native () {
OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \
SSL_CERT_DIR=${libdir}/ssl-1.1/certs \
SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \
- OPENSSL_ENGINES=${libdir}/ssl-1.1/engines
+ OPENSSL_ENGINES=${libdir}/engines-1.1
}
do_install_append_class-nativesdk () {
@@ -167,8 +167,8 @@ do_install_ptest () {
cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH}
# For test_shlibload
- ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/libcrypto.so
- ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/libssl.so
+ ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/
+ ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/
install -d ${D}${PTEST_PATH}/apps
ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
new file mode 100644
index 0000000000..45e6e87dfe
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
@@ -0,0 +1,48 @@
+From fe76f487e28bdc61940f304f153a954cf36935ea Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 17 Apr 2019 01:55:32 +0300
+Subject: [PATCH 1/3] EAP-pwd server: Fix reassembly buffer handling
+
+data->inbuf allocation might fail and if that were to happen, the next
+fragment in the exchange could have resulted in NULL pointer
+dereference. Unexpected fragment with more bit might also be able to
+trigger this. Fix that by explicitly checking for data->inbuf to be
+available before using it.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-11555
+---
+ src/eap_server/eap_server_pwd.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
+index 11bef55..38e2af8 100644
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -912,6 +912,12 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
+ * the first and all intermediate fragments have the M bit set
+ */
+ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
++ if (!data->inbuf) {
++ wpa_printf(MSG_DEBUG,
++ "EAP-pwd: No buffer for reassembly");
++ eap_pwd_state(data, FAILURE);
++ return;
++ }
+ if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "
+ "attack detected! (%d+%d > %d)",
+@@ -932,7 +938,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
+ * last fragment won't have the M bit set (but we're obviously
+ * buffering fragments so that's how we know it's the last)
+ */
+- if (data->in_frag_pos) {
++ if (data->in_frag_pos && data->inbuf) {
+ pos = wpabuf_head_u8(data->inbuf);
+ len = data->in_frag_pos;
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch
new file mode 100644
index 0000000000..e64d140c7b
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch
@@ -0,0 +1,97 @@
+From d42c477cc794163a3757956bbffca5cea000923c Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 26 Feb 2019 11:43:03 +0200
+Subject: [PATCH 01/14] OpenSSL: Use constant time operations for private
+ bignums
+
+This helps in reducing measurable timing differences in operations
+involving private information. BoringSSL has removed BN_FLG_CONSTTIME
+and expects specific constant time functions to be called instead, so a
+bit different approach is needed depending on which library is used.
+
+The main operation that needs protection against side channel attacks is
+BN_mod_exp() that depends on private keys (the public key validation
+step in crypto_dh_derive_secret() is an exception that can use the
+faster version since it does not depend on private keys).
+
+crypto_bignum_div() is currently used only in SAE FFC case with not
+safe-prime groups and only with values that do not depend on private
+keys, so it is not critical to protect it.
+
+crypto_bignum_inverse() is currently used only in SAE FFC PWE
+derivation. The additional protection here is targeting only OpenSSL.
+BoringSSL may need conversion to using BN_mod_inverse_blinded().
+
+This is related to CVE-2019-9494 and CVE-2019-9495.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9494
+CVE: CVE-2019-9495
+---
+ src/crypto/crypto_openssl.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index 9c2ba58..ac53cc8 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -607,7 +607,8 @@ int crypto_mod_exp(const u8 *base, size_t base_len,
+ bn_result == NULL)
+ goto error;
+
+- if (BN_mod_exp(bn_result, bn_base, bn_exp, bn_modulus, ctx) != 1)
++ if (BN_mod_exp_mont_consttime(bn_result, bn_base, bn_exp, bn_modulus,
++ ctx, NULL) != 1)
+ goto error;
+
+ *result_len = BN_bn2bin(bn_result, result);
+@@ -1360,8 +1361,9 @@ int crypto_bignum_exptmod(const struct crypto_bignum *a,
+ bnctx = BN_CTX_new();
+ if (bnctx == NULL)
+ return -1;
+- res = BN_mod_exp((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
+- (const BIGNUM *) c, bnctx);
++ res = BN_mod_exp_mont_consttime((BIGNUM *) d, (const BIGNUM *) a,
++ (const BIGNUM *) b, (const BIGNUM *) c,
++ bnctx, NULL);
+ BN_CTX_free(bnctx);
+
+ return res ? 0 : -1;
+@@ -1380,6 +1382,11 @@ int crypto_bignum_inverse(const struct crypto_bignum *a,
+ bnctx = BN_CTX_new();
+ if (bnctx == NULL)
+ return -1;
++#ifdef OPENSSL_IS_BORINGSSL
++ /* TODO: use BN_mod_inverse_blinded() ? */
++#else /* OPENSSL_IS_BORINGSSL */
++ BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
++#endif /* OPENSSL_IS_BORINGSSL */
+ res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a,
+ (const BIGNUM *) b, bnctx);
+ BN_CTX_free(bnctx);
+@@ -1413,6 +1420,9 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+ bnctx = BN_CTX_new();
+ if (bnctx == NULL)
+ return -1;
++#ifndef OPENSSL_IS_BORINGSSL
++ BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
++#endif /* OPENSSL_IS_BORINGSSL */
+ res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a,
+ (const BIGNUM *) b, bnctx);
+ BN_CTX_free(bnctx);
+@@ -1504,8 +1514,8 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
+ /* exp = (p-1) / 2 */
+ !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) ||
+ !BN_rshift1(exp, exp) ||
+- !BN_mod_exp(tmp, (const BIGNUM *) a, exp, (const BIGNUM *) p,
+- bnctx))
++ !BN_mod_exp_mont_consttime(tmp, (const BIGNUM *) a, exp,
++ (const BIGNUM *) p, bnctx, NULL))
+ goto fail;
+
+ if (BN_is_word(tmp, 1))
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Add-helper-functions-for-constant-time-operations.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Add-helper-functions-for-constant-time-operations.patch
new file mode 100644
index 0000000000..fd6f2ce158
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Add-helper-functions-for-constant-time-operations.patch
@@ -0,0 +1,222 @@
+From 6e34f618d37ddbb5854c42e2ad4fca83492fa7b7 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 27 Feb 2019 18:38:30 +0200
+Subject: [PATCH 02/14] Add helper functions for constant time operations
+
+These functions can be used to help implement constant time operations
+for various cryptographic operations that must minimize externally
+observable differences in processing (both in timing and also in
+internal cache use, etc.).
+
+This is related to CVE-2019-9494 and CVE-2019-9495.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9494
+CVE: CVE-2019-9495
+---
+ src/utils/const_time.h | 191 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 191 insertions(+)
+ create mode 100644 src/utils/const_time.h
+
+diff --git a/src/utils/const_time.h b/src/utils/const_time.h
+new file mode 100644
+index 0000000..ab8f611
+--- /dev/null
++++ b/src/utils/const_time.h
+@@ -0,0 +1,191 @@
++/*
++ * Helper functions for constant time operations
++ * Copyright (c) 2019, The Linux Foundation
++ *
++ * This software may be distributed under the terms of the BSD license.
++ * See README for more details.
++ *
++ * These helper functions can be used to implement logic that needs to minimize
++ * externally visible differences in execution path by avoiding use of branches,
++ * avoiding early termination or other time differences, and forcing same memory
++ * access pattern regardless of values.
++ */
++
++#ifndef CONST_TIME_H
++#define CONST_TIME_H
++
++
++#if defined(__clang__)
++#define NO_UBSAN_UINT_OVERFLOW \
++ __attribute__((no_sanitize("unsigned-integer-overflow")))
++#else
++#define NO_UBSAN_UINT_OVERFLOW
++#endif
++
++
++/**
++ * const_time_fill_msb - Fill all bits with MSB value
++ * @val: Input value
++ * Returns: Value with all the bits set to the MSB of the input val
++ */
++static inline unsigned int const_time_fill_msb(unsigned int val)
++{
++ /* Move the MSB to LSB and multiple by -1 to fill in all bits. */
++ return (val >> (sizeof(val) * 8 - 1)) * ~0U;
++}
++
++
++/* Returns: -1 if val is zero; 0 if val is not zero */
++static inline unsigned int const_time_is_zero(unsigned int val)
++ NO_UBSAN_UINT_OVERFLOW
++{
++ /* Set MSB to 1 for 0 and fill rest of bits with the MSB value */
++ return const_time_fill_msb(~val & (val - 1));
++}
++
++
++/* Returns: -1 if a == b; 0 if a != b */
++static inline unsigned int const_time_eq(unsigned int a, unsigned int b)
++{
++ return const_time_is_zero(a ^ b);
++}
++
++
++/* Returns: -1 if a == b; 0 if a != b */
++static inline u8 const_time_eq_u8(unsigned int a, unsigned int b)
++{
++ return (u8) const_time_eq(a, b);
++}
++
++
++/**
++ * const_time_eq_bin - Constant time memory comparison
++ * @a: First buffer to compare
++ * @b: Second buffer to compare
++ * @len: Number of octets to compare
++ * Returns: -1 if buffers are equal, 0 if not
++ *
++ * This function is meant for comparing passwords or hash values where
++ * difference in execution time or memory access pattern could provide external
++ * observer information about the location of the difference in the memory
++ * buffers. The return value does not behave like memcmp(), i.e.,
++ * const_time_eq_bin() cannot be used to sort items into a defined order. Unlike
++ * memcmp(), the execution time of const_time_eq_bin() does not depend on the
++ * contents of the compared memory buffers, but only on the total compared
++ * length.
++ */
++static inline unsigned int const_time_eq_bin(const void *a, const void *b,
++ size_t len)
++{
++ const u8 *aa = a;
++ const u8 *bb = b;
++ size_t i;
++ u8 res = 0;
++
++ for (i = 0; i < len; i++)
++ res |= aa[i] ^ bb[i];
++
++ return const_time_is_zero(res);
++}
++
++
++/**
++ * const_time_select - Constant time unsigned int selection
++ * @mask: 0 (false) or -1 (true) to identify which value to select
++ * @true_val: Value to select for the true case
++ * @false_val: Value to select for the false case
++ * Returns: true_val if mask == -1, false_val if mask == 0
++ */
++static inline unsigned int const_time_select(unsigned int mask,
++ unsigned int true_val,
++ unsigned int false_val)
++{
++ return (mask & true_val) | (~mask & false_val);
++}
++
++
++/**
++ * const_time_select_int - Constant time int selection
++ * @mask: 0 (false) or -1 (true) to identify which value to select
++ * @true_val: Value to select for the true case
++ * @false_val: Value to select for the false case
++ * Returns: true_val if mask == -1, false_val if mask == 0
++ */
++static inline int const_time_select_int(unsigned int mask, int true_val,
++ int false_val)
++{
++ return (int) const_time_select(mask, (unsigned int) true_val,
++ (unsigned int) false_val);
++}
++
++
++/**
++ * const_time_select_u8 - Constant time u8 selection
++ * @mask: 0 (false) or -1 (true) to identify which value to select
++ * @true_val: Value to select for the true case
++ * @false_val: Value to select for the false case
++ * Returns: true_val if mask == -1, false_val if mask == 0
++ */
++static inline u8 const_time_select_u8(u8 mask, u8 true_val, u8 false_val)
++{
++ return (u8) const_time_select(mask, true_val, false_val);
++}
++
++
++/**
++ * const_time_select_s8 - Constant time s8 selection
++ * @mask: 0 (false) or -1 (true) to identify which value to select
++ * @true_val: Value to select for the true case
++ * @false_val: Value to select for the false case
++ * Returns: true_val if mask == -1, false_val if mask == 0
++ */
++static inline s8 const_time_select_s8(u8 mask, s8 true_val, s8 false_val)
++{
++ return (s8) const_time_select(mask, (unsigned int) true_val,
++ (unsigned int) false_val);
++}
++
++
++/**
++ * const_time_select_bin - Constant time binary buffer selection copy
++ * @mask: 0 (false) or -1 (true) to identify which value to copy
++ * @true_val: Buffer to copy for the true case
++ * @false_val: Buffer to copy for the false case
++ * @len: Number of octets to copy
++ * @dst: Destination buffer for the copy
++ *
++ * This function copies the specified buffer into the destination buffer using
++ * operations with identical memory access pattern regardless of which buffer
++ * is being copied.
++ */
++static inline void const_time_select_bin(u8 mask, const u8 *true_val,
++ const u8 *false_val, size_t len,
++ u8 *dst)
++{
++ size_t i;
++
++ for (i = 0; i < len; i++)
++ dst[i] = const_time_select_u8(mask, true_val[i], false_val[i]);
++}
++
++
++static inline int const_time_memcmp(const void *a, const void *b, size_t len)
++{
++ const u8 *aa = a;
++ const u8 *bb = b;
++ int diff, res = 0;
++ unsigned int mask;
++
++ if (len == 0)
++ return 0;
++ do {
++ len--;
++ diff = (int) aa[len] - (int) bb[len];
++ mask = const_time_is_zero((unsigned int) diff);
++ res = const_time_select_int(mask, res, diff);
++ } while (len);
++
++ return res;
++}
++
++#endif /* CONST_TIME_H */
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
new file mode 100644
index 0000000000..95ea809ef2
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
@@ -0,0 +1,48 @@
+From d2d1a324ce937628e4d9d9999fe113819b7d4478 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 17 Apr 2019 02:21:20 +0300
+Subject: [PATCH 3/3] EAP-pwd peer: Fix reassembly buffer handling
+
+Unexpected fragment might result in data->inbuf not being allocated
+before processing and that could have resulted in NULL pointer
+dereference. Fix that by explicitly checking for data->inbuf to be
+available before using it.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-11555
+---
+ src/eap_peer/eap_pwd.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index 46894a5..76fcad4 100644
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -932,6 +932,13 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
+ * buffer and ACK the fragment
+ */
+ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
++ if (!data->inbuf) {
++ wpa_printf(MSG_DEBUG,
++ "EAP-pwd: No buffer for reassembly");
++ ret->methodState = METHOD_DONE;
++ ret->decision = DECISION_FAIL;
++ return NULL;
++ }
+ data->in_frag_pos += len;
+ if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
+ wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
+@@ -958,7 +965,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
+ /*
+ * we're buffering and this is the last fragment
+ */
+- if (data->in_frag_pos) {
++ if (data->in_frag_pos && data->inbuf) {
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
+ (int) len);
+ pos = wpabuf_head_u8(data->inbuf);
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch
new file mode 100644
index 0000000000..790041f259
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch
@@ -0,0 +1,64 @@
+From c93461c1d98f52681717a088776ab32fd97872b0 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Fri, 8 Mar 2019 00:24:12 +0200
+Subject: [PATCH 03/14] OpenSSL: Use constant time selection for
+ crypto_bignum_legendre()
+
+Get rid of the branches that depend on the result of the Legendre
+operation. This is needed to avoid leaking information about different
+temporary results in blinding mechanisms.
+
+This is related to CVE-2019-9494 and CVE-2019-9495.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9494
+CVE: CVE-2019-9495
+---
+ src/crypto/crypto_openssl.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index ac53cc8..0f52101 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -24,6 +24,7 @@
+ #endif /* CONFIG_ECC */
+
+ #include "common.h"
++#include "utils/const_time.h"
+ #include "wpabuf.h"
+ #include "dh_group5.h"
+ #include "sha1.h"
+@@ -1500,6 +1501,7 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
+ BN_CTX *bnctx;
+ BIGNUM *exp = NULL, *tmp = NULL;
+ int res = -2;
++ unsigned int mask;
+
+ if (TEST_FAIL())
+ return -2;
+@@ -1518,12 +1520,13 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
+ (const BIGNUM *) p, bnctx, NULL))
+ goto fail;
+
+- if (BN_is_word(tmp, 1))
+- res = 1;
+- else if (BN_is_zero(tmp))
+- res = 0;
+- else
+- res = -1;
++ /* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
++ * constant time selection to avoid branches here. */
++ res = -1;
++ mask = const_time_eq(BN_is_word(tmp, 1), 1);
++ res = const_time_select_int(mask, 1, res);
++ mask = const_time_eq(BN_is_zero(tmp), 1);
++ res = const_time_select_int(mask, 0, res);
+
+ fail:
+ BN_clear_free(tmp);
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-Use-constant-time-and-memory-access-for-find.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-Use-constant-time-and-memory-access-for-find.patch
new file mode 100644
index 0000000000..471380c443
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-Use-constant-time-and-memory-access-for-find.patch
@@ -0,0 +1,327 @@
+From aaf65feac67c3993935634eefe5bc76b9fce03aa Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 26 Feb 2019 11:59:45 +0200
+Subject: [PATCH 04/14] EAP-pwd: Use constant time and memory access for
+ finding the PWE
+
+This algorithm could leak information to external observers in form of
+timing differences or memory access patterns (cache use). While the
+previous implementation had protection against the most visible timing
+differences (looping 40 rounds and masking the legendre operation), it
+did not protect against memory access patterns between the two possible
+code paths in the masking operations. That might be sufficient to allow
+an unprivileged process running on the same device to be able to
+determine which path is being executed through a cache attack and based
+on that, determine information about the used password.
+
+Convert the PWE finding loop to use constant time functions and
+identical memory access path without different branches for the QR/QNR
+cases to minimize possible side-channel information similarly to the
+changes done for SAE authentication. (CVE-2019-9495)
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9495
+---
+ src/eap_common/eap_pwd_common.c | 187 +++++++++++++++++++++-------------------
+ 1 file changed, 99 insertions(+), 88 deletions(-)
+
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index 02fe01e..e49aaf8 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -8,11 +8,15 @@
+
+ #include "includes.h"
+ #include "common.h"
++#include "utils/const_time.h"
+ #include "crypto/sha256.h"
+ #include "crypto/crypto.h"
+ #include "eap_defs.h"
+ #include "eap_pwd_common.h"
+
++#define MAX_ECC_PRIME_LEN 66
++
++
+ /* The random function H(x) = HMAC-SHA256(0^32, x) */
+ struct crypto_hash * eap_pwd_h_init(void)
+ {
+@@ -102,6 +106,15 @@ EAP_PWD_group * get_eap_pwd_group(u16 num)
+ }
+
+
++static void buf_shift_right(u8 *buf, size_t len, size_t bits)
++{
++ size_t i;
++ for (i = len - 1; i > 0; i--)
++ buf[i] = (buf[i - 1] << (8 - bits)) | (buf[i] >> bits);
++ buf[0] >>= bits;
++}
++
++
+ /*
+ * compute a "random" secret point on an elliptic curve based
+ * on the password and identities.
+@@ -113,17 +126,27 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ const u8 *token)
+ {
+ struct crypto_bignum *qr = NULL, *qnr = NULL, *one = NULL;
++ struct crypto_bignum *qr_or_qnr = NULL;
++ u8 qr_bin[MAX_ECC_PRIME_LEN];
++ u8 qnr_bin[MAX_ECC_PRIME_LEN];
++ u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
++ u8 x_bin[MAX_ECC_PRIME_LEN];
+ struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL;
+ struct crypto_hash *hash;
+ unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
+- int is_odd, ret = 0, check, found = 0;
+- size_t primebytelen, primebitlen;
+- struct crypto_bignum *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
++ int ret = 0, check, res;
++ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
++ * mask */
++ size_t primebytelen = 0, primebitlen;
++ struct crypto_bignum *x_candidate = NULL, *cofactor = NULL;
+ const struct crypto_bignum *prime;
++ u8 mask, found_ctr = 0, is_odd = 0;
+
+ if (grp->pwe)
+ return -1;
+
++ os_memset(x_bin, 0, sizeof(x_bin));
++
+ prime = crypto_ec_get_prime(grp->group);
+ cofactor = crypto_bignum_init();
+ grp->pwe = crypto_ec_point_init(grp->group);
+@@ -152,8 +175,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+
+ /* get a random quadratic residue and nonresidue */
+ while (!qr || !qnr) {
+- int res;
+-
+ if (crypto_bignum_rand(tmp1, prime) < 0)
+ goto fail;
+ res = crypto_bignum_legendre(tmp1, prime);
+@@ -167,6 +188,11 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ if (!tmp1)
+ goto fail;
+ }
++ if (crypto_bignum_to_bin(qr, qr_bin, sizeof(qr_bin),
++ primebytelen) < 0 ||
++ crypto_bignum_to_bin(qnr, qnr_bin, sizeof(qnr_bin),
++ primebytelen) < 0)
++ goto fail;
+
+ os_memset(prfbuf, 0, primebytelen);
+ ctr = 0;
+@@ -194,17 +220,16 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ eap_pwd_h_update(hash, &ctr, sizeof(ctr));
+ eap_pwd_h_final(hash, pwe_digest);
+
+- crypto_bignum_deinit(rnd, 1);
+- rnd = crypto_bignum_init_set(pwe_digest, SHA256_MAC_LEN);
+- if (!rnd) {
+- wpa_printf(MSG_INFO, "EAP-pwd: unable to create rnd");
+- goto fail;
+- }
++ is_odd = const_time_select_u8(
++ found, is_odd, pwe_digest[SHA256_MAC_LEN - 1] & 0x01);
+ if (eap_pwd_kdf(pwe_digest, SHA256_MAC_LEN,
+ (u8 *) "EAP-pwd Hunting And Pecking",
+ os_strlen("EAP-pwd Hunting And Pecking"),
+ prfbuf, primebitlen) < 0)
+ goto fail;
++ if (primebitlen % 8)
++ buf_shift_right(prfbuf, primebytelen,
++ 8 - primebitlen % 8);
+
+ crypto_bignum_deinit(x_candidate, 1);
+ x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
+@@ -214,24 +239,13 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ goto fail;
+ }
+
+- /*
+- * eap_pwd_kdf() returns a string of bits 0..primebitlen but
+- * BN_bin2bn will treat that string of bits as a big endian
+- * number. If the primebitlen is not an even multiple of 8
+- * then excessive bits-- those _after_ primebitlen-- so now
+- * we have to shift right the amount we masked off.
+- */
+- if ((primebitlen % 8) &&
+- crypto_bignum_rshift(x_candidate,
+- (8 - (primebitlen % 8)),
+- x_candidate) < 0)
+- goto fail;
+-
+ if (crypto_bignum_cmp(x_candidate, prime) >= 0)
+ continue;
+
+- wpa_hexdump(MSG_DEBUG, "EAP-pwd: x_candidate",
+- prfbuf, primebytelen);
++ wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate",
++ prfbuf, primebytelen);
++ const_time_select_bin(found, x_bin, prfbuf, primebytelen,
++ x_bin);
+
+ /*
+ * compute y^2 using the equation of the curve
+@@ -261,13 +275,15 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ * Flip a coin, multiply by the random quadratic residue or the
+ * random quadratic nonresidue and record heads or tails.
+ */
+- if (crypto_bignum_is_odd(tmp1)) {
+- crypto_bignum_mulmod(tmp2, qr, prime, tmp2);
+- check = 1;
+- } else {
+- crypto_bignum_mulmod(tmp2, qnr, prime, tmp2);
+- check = -1;
+- }
++ mask = const_time_eq_u8(crypto_bignum_is_odd(tmp1), 1);
++ check = const_time_select_s8(mask, 1, -1);
++ const_time_select_bin(mask, qr_bin, qnr_bin, primebytelen,
++ qr_or_qnr_bin);
++ crypto_bignum_deinit(qr_or_qnr, 1);
++ qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, primebytelen);
++ if (!qr_or_qnr ||
++ crypto_bignum_mulmod(tmp2, qr_or_qnr, prime, tmp2) < 0)
++ goto fail;
+
+ /*
+ * Now it's safe to do legendre, if check is 1 then it's
+@@ -275,59 +291,12 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ * change result), if check is -1 then it's the opposite test
+ * (multiplying a qr by qnr would make a qnr).
+ */
+- if (crypto_bignum_legendre(tmp2, prime) == check) {
+- if (found == 1)
+- continue;
+-
+- /* need to unambiguously identify the solution */
+- is_odd = crypto_bignum_is_odd(rnd);
+-
+- /*
+- * We know x_candidate is a quadratic residue so set
+- * it here.
+- */
+- if (crypto_ec_point_solve_y_coord(grp->group, grp->pwe,
+- x_candidate,
+- is_odd) != 0) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd: Could not solve for y");
+- continue;
+- }
+-
+- /*
+- * If there's a solution to the equation then the point
+- * must be on the curve so why check again explicitly?
+- * OpenSSL code says this is required by X9.62. We're
+- * not X9.62 but it can't hurt just to be sure.
+- */
+- if (!crypto_ec_point_is_on_curve(grp->group,
+- grp->pwe)) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd: point is not on curve");
+- continue;
+- }
+-
+- if (!crypto_bignum_is_one(cofactor)) {
+- /* make sure the point is not in a small
+- * sub-group */
+- if (crypto_ec_point_mul(grp->group, grp->pwe,
+- cofactor,
+- grp->pwe) != 0) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd: cannot multiply generator by order");
+- continue;
+- }
+- if (crypto_ec_point_is_at_infinity(grp->group,
+- grp->pwe)) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd: point is at infinity");
+- continue;
+- }
+- }
+- wpa_printf(MSG_DEBUG,
+- "EAP-pwd: found a PWE in %d tries", ctr);
+- found = 1;
+- }
++ res = crypto_bignum_legendre(tmp2, prime);
++ if (res == -2)
++ goto fail;
++ mask = const_time_eq(res, check);
++ found_ctr = const_time_select_u8(found, found_ctr, ctr);
++ found |= mask;
+ }
+ if (found == 0) {
+ wpa_printf(MSG_INFO,
+@@ -335,6 +304,44 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ num);
+ goto fail;
+ }
++
++ /*
++ * We know x_candidate is a quadratic residue so set it here.
++ */
++ crypto_bignum_deinit(x_candidate, 1);
++ x_candidate = crypto_bignum_init_set(x_bin, primebytelen);
++ if (!x_candidate ||
++ crypto_ec_point_solve_y_coord(grp->group, grp->pwe, x_candidate,
++ is_odd) != 0) {
++ wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y");
++ goto fail;
++ }
++
++ /*
++ * If there's a solution to the equation then the point must be on the
++ * curve so why check again explicitly? OpenSSL code says this is
++ * required by X9.62. We're not X9.62 but it can't hurt just to be sure.
++ */
++ if (!crypto_ec_point_is_on_curve(grp->group, grp->pwe)) {
++ wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve");
++ goto fail;
++ }
++
++ if (!crypto_bignum_is_one(cofactor)) {
++ /* make sure the point is not in a small sub-group */
++ if (crypto_ec_point_mul(grp->group, grp->pwe, cofactor,
++ grp->pwe) != 0) {
++ wpa_printf(MSG_INFO,
++ "EAP-pwd: cannot multiply generator by order");
++ goto fail;
++ }
++ if (crypto_ec_point_is_at_infinity(grp->group, grp->pwe)) {
++ wpa_printf(MSG_INFO, "EAP-pwd: point is at infinity");
++ goto fail;
++ }
++ }
++ wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %02d tries", found_ctr);
++
+ if (0) {
+ fail:
+ crypto_ec_point_deinit(grp->pwe, 1);
+@@ -344,14 +351,18 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ /* cleanliness and order.... */
+ crypto_bignum_deinit(cofactor, 1);
+ crypto_bignum_deinit(x_candidate, 1);
+- crypto_bignum_deinit(rnd, 1);
+ crypto_bignum_deinit(pm1, 0);
+ crypto_bignum_deinit(tmp1, 1);
+ crypto_bignum_deinit(tmp2, 1);
+ crypto_bignum_deinit(qr, 1);
+ crypto_bignum_deinit(qnr, 1);
++ crypto_bignum_deinit(qr_or_qnr, 1);
+ crypto_bignum_deinit(one, 0);
+- os_free(prfbuf);
++ bin_clear_free(prfbuf, primebytelen);
++ os_memset(qr_bin, 0, sizeof(qr_bin));
++ os_memset(qnr_bin, 0, sizeof(qnr_bin));
++ os_memset(qr_or_qnr_bin, 0, sizeof(qr_or_qnr_bin));
++ os_memset(pwe_digest, 0, sizeof(pwe_digest));
+
+ return ret;
+ }
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-SAE-Minimize-timing-differences-in-PWE-derivation.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-SAE-Minimize-timing-differences-in-PWE-derivation.patch
new file mode 100644
index 0000000000..6a567c5fb6
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-SAE-Minimize-timing-differences-in-PWE-derivation.patch
@@ -0,0 +1,244 @@
+From 6513db3e96c43c2e36805cf5ead349765d18eaf7 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 26 Feb 2019 13:05:09 +0200
+Subject: [PATCH 05/14] SAE: Minimize timing differences in PWE derivation
+
+The QR test result can provide information about the password to an
+attacker, so try to minimize differences in how the
+sae_test_pwd_seed_ecc() result is used. (CVE-2019-9494)
+
+Use heap memory for the dummy password to allow the same password length
+to be used even with long passwords.
+
+Use constant time selection functions to track the real vs. dummy
+variables so that the exact same operations can be performed for both QR
+test results.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9494
+---
+ src/common/sae.c | 106 ++++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 57 insertions(+), 49 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 8129a7c..d55323b 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -9,6 +9,7 @@
+ #include "includes.h"
+
+ #include "common.h"
++#include "utils/const_time.h"
+ #include "crypto/crypto.h"
+ #include "crypto/sha256.h"
+ #include "crypto/random.h"
+@@ -292,15 +293,12 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
+ const u8 *prime,
+ const struct crypto_bignum *qr,
+ const struct crypto_bignum *qnr,
+- struct crypto_bignum **ret_x_cand)
++ u8 *pwd_value)
+ {
+- u8 pwd_value[SAE_MAX_ECC_PRIME_LEN];
+ struct crypto_bignum *y_sqr, *x_cand;
+ int res;
+ size_t bits;
+
+- *ret_x_cand = NULL;
+-
+ wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
+
+ /* pwd-value = KDF-z(pwd-seed, "SAE Hunting and Pecking", p) */
+@@ -309,7 +307,7 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
+ prime, sae->tmp->prime_len, pwd_value, bits) < 0)
+ return -1;
+ if (bits % 8)
+- buf_shift_right(pwd_value, sizeof(pwd_value), 8 - bits % 8);
++ buf_shift_right(pwd_value, sae->tmp->prime_len, 8 - bits % 8);
+ wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
+ pwd_value, sae->tmp->prime_len);
+
+@@ -320,20 +318,13 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
+ if (!x_cand)
+ return -1;
+ y_sqr = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x_cand);
+- if (!y_sqr) {
+- crypto_bignum_deinit(x_cand, 1);
++ crypto_bignum_deinit(x_cand, 1);
++ if (!y_sqr)
+ return -1;
+- }
+
+ res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr);
+ crypto_bignum_deinit(y_sqr, 1);
+- if (res <= 0) {
+- crypto_bignum_deinit(x_cand, 1);
+- return res;
+- }
+-
+- *ret_x_cand = x_cand;
+- return 1;
++ return res;
+ }
+
+
+@@ -454,25 +445,30 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ const u8 *addr[3];
+ size_t len[3];
+ size_t num_elem;
+- u8 dummy_password[32];
+- size_t dummy_password_len;
++ u8 *dummy_password, *tmp_password;
+ int pwd_seed_odd = 0;
+ u8 prime[SAE_MAX_ECC_PRIME_LEN];
+ size_t prime_len;
+- struct crypto_bignum *x = NULL, *qr, *qnr;
++ struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL;
++ u8 x_bin[SAE_MAX_ECC_PRIME_LEN];
++ u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN];
+ size_t bits;
+- int res;
++ int res = -1;
++ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
++ * mask */
+
+- dummy_password_len = password_len;
+- if (dummy_password_len > sizeof(dummy_password))
+- dummy_password_len = sizeof(dummy_password);
+- if (random_get_bytes(dummy_password, dummy_password_len) < 0)
+- return -1;
++ os_memset(x_bin, 0, sizeof(x_bin));
++
++ dummy_password = os_malloc(password_len);
++ tmp_password = os_malloc(password_len);
++ if (!dummy_password || !tmp_password ||
++ random_get_bytes(dummy_password, password_len) < 0)
++ goto fail;
+
+ prime_len = sae->tmp->prime_len;
+ if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime),
+ prime_len) < 0)
+- return -1;
++ goto fail;
+ bits = crypto_ec_prime_len_bits(sae->tmp->ec);
+
+ /*
+@@ -481,7 +477,7 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ */
+ if (get_random_qr_qnr(prime, prime_len, sae->tmp->prime, bits,
+ &qr, &qnr) < 0)
+- return -1;
++ goto fail;
+
+ wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
+ password, password_len);
+@@ -497,7 +493,7 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ */
+ sae_pwd_seed_key(addr1, addr2, addrs);
+
+- addr[0] = password;
++ addr[0] = tmp_password;
+ len[0] = password_len;
+ num_elem = 1;
+ if (identifier) {
+@@ -514,9 +510,8 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ * attacks that attempt to determine the number of iterations required
+ * in the loop.
+ */
+- for (counter = 1; counter <= k || !x; counter++) {
++ for (counter = 1; counter <= k || !found; counter++) {
+ u8 pwd_seed[SHA256_MAC_LEN];
+- struct crypto_bignum *x_cand;
+
+ if (counter > 200) {
+ /* This should not happen in practice */
+@@ -524,36 +519,45 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ break;
+ }
+
+- wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter);
++ wpa_printf(MSG_DEBUG, "SAE: counter = %03u", counter);
++ const_time_select_bin(found, dummy_password, password,
++ password_len, tmp_password);
+ if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem,
+ addr, len, pwd_seed) < 0)
+ break;
+
+ res = sae_test_pwd_seed_ecc(sae, pwd_seed,
+- prime, qr, qnr, &x_cand);
++ prime, qr, qnr, x_cand_bin);
++ const_time_select_bin(found, x_bin, x_cand_bin, prime_len,
++ x_bin);
++ pwd_seed_odd = const_time_select_u8(
++ found, pwd_seed_odd,
++ pwd_seed[SHA256_MAC_LEN - 1] & 0x01);
++ os_memset(pwd_seed, 0, sizeof(pwd_seed));
+ if (res < 0)
+ goto fail;
+- if (res > 0 && !x) {
+- wpa_printf(MSG_DEBUG,
+- "SAE: Selected pwd-seed with counter %u",
+- counter);
+- x = x_cand;
+- pwd_seed_odd = pwd_seed[SHA256_MAC_LEN - 1] & 0x01;
+- os_memset(pwd_seed, 0, sizeof(pwd_seed));
++ /* Need to minimize differences in handling res == 0 and 1 here
++ * to avoid differences in timing and instruction cache access,
++ * so use const_time_select_*() to make local copies of the
++ * values based on whether this loop iteration was the one that
++ * found the pwd-seed/x. */
++
++ /* found is 0 or 0xff here and res is 0 or 1. Bitwise OR of them
++ * (with res converted to 0/0xff) handles this in constant time.
++ */
++ found |= res * 0xff;
++ wpa_printf(MSG_DEBUG, "SAE: pwd-seed result %d found=0x%02x",
++ res, found);
++ }
+
+- /*
+- * Use a dummy password for the following rounds, if
+- * any.
+- */
+- addr[0] = dummy_password;
+- len[0] = dummy_password_len;
+- } else if (res > 0) {
+- crypto_bignum_deinit(x_cand, 1);
+- }
++ if (!found) {
++ wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE");
++ res = -1;
++ goto fail;
+ }
+
++ x = crypto_bignum_init_set(x_bin, prime_len);
+ if (!x) {
+- wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE");
+ res = -1;
+ goto fail;
+ }
+@@ -566,7 +570,6 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ res = crypto_ec_point_solve_y_coord(sae->tmp->ec,
+ sae->tmp->pwe_ecc, x,
+ pwd_seed_odd);
+- crypto_bignum_deinit(x, 1);
+ if (res < 0) {
+ /*
+ * This should not happen since we already checked that there
+@@ -578,6 +581,11 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ fail:
+ crypto_bignum_deinit(qr, 0);
+ crypto_bignum_deinit(qnr, 0);
++ os_free(dummy_password);
++ bin_clear_free(tmp_password, password_len);
++ crypto_bignum_deinit(x, 1);
++ os_memset(x_bin, 0, sizeof(x_bin));
++ os_memset(x_cand_bin, 0, sizeof(x_cand_bin));
+
+ return res;
+ }
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0006-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0006-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch
new file mode 100644
index 0000000000..5209559659
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0006-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch
@@ -0,0 +1,147 @@
+From 362704dda04507e7ebb8035122e83d9f0ae7c320 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 26 Feb 2019 19:34:38 +0200
+Subject: [PATCH 06/14] SAE: Avoid branches in is_quadratic_residue_blind()
+
+Make the non-failure path in the function proceed without branches based
+on r_odd and in constant time to minimize risk of observable differences
+in timing or cache use. (CVE-2019-9494)
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9494
+---
+ src/common/sae.c | 64 ++++++++++++++++++++++++++++++++------------------------
+ 1 file changed, 37 insertions(+), 27 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index d55323b..5df9b95 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -232,12 +232,14 @@ get_rand_1_to_p_1(const u8 *prime, size_t prime_len, size_t prime_bits,
+
+ static int is_quadratic_residue_blind(struct sae_data *sae,
+ const u8 *prime, size_t bits,
+- const struct crypto_bignum *qr,
+- const struct crypto_bignum *qnr,
++ const u8 *qr, const u8 *qnr,
+ const struct crypto_bignum *y_sqr)
+ {
+- struct crypto_bignum *r, *num;
++ struct crypto_bignum *r, *num, *qr_or_qnr = NULL;
+ int r_odd, check, res = -1;
++ u8 qr_or_qnr_bin[SAE_MAX_ECC_PRIME_LEN];
++ size_t prime_len = sae->tmp->prime_len;
++ unsigned int mask;
+
+ /*
+ * Use the blinding technique to mask y_sqr while determining
+@@ -248,7 +250,7 @@ static int is_quadratic_residue_blind(struct sae_data *sae,
+ * r = a random number between 1 and p-1, inclusive
+ * num = (v * r * r) modulo p
+ */
+- r = get_rand_1_to_p_1(prime, sae->tmp->prime_len, bits, &r_odd);
++ r = get_rand_1_to_p_1(prime, prime_len, bits, &r_odd);
+ if (!r)
+ return -1;
+
+@@ -258,41 +260,45 @@ static int is_quadratic_residue_blind(struct sae_data *sae,
+ crypto_bignum_mulmod(num, r, sae->tmp->prime, num) < 0)
+ goto fail;
+
+- if (r_odd) {
+- /*
+- * num = (num * qr) module p
+- * LGR(num, p) = 1 ==> quadratic residue
+- */
+- if (crypto_bignum_mulmod(num, qr, sae->tmp->prime, num) < 0)
+- goto fail;
+- check = 1;
+- } else {
+- /*
+- * num = (num * qnr) module p
+- * LGR(num, p) = -1 ==> quadratic residue
+- */
+- if (crypto_bignum_mulmod(num, qnr, sae->tmp->prime, num) < 0)
+- goto fail;
+- check = -1;
+- }
++ /*
++ * Need to minimize differences in handling different cases, so try to
++ * avoid branches and timing differences.
++ *
++ * If r_odd:
++ * num = (num * qr) module p
++ * LGR(num, p) = 1 ==> quadratic residue
++ * else:
++ * num = (num * qnr) module p
++ * LGR(num, p) = -1 ==> quadratic residue
++ */
++ mask = const_time_is_zero(r_odd);
++ const_time_select_bin(mask, qnr, qr, prime_len, qr_or_qnr_bin);
++ qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, prime_len);
++ if (!qr_or_qnr ||
++ crypto_bignum_mulmod(num, qr_or_qnr, sae->tmp->prime, num) < 0)
++ goto fail;
++ /* r_odd is 0 or 1; branchless version of check = r_odd ? 1 : -1, */
++ check = const_time_select_int(mask, -1, 1);
+
+ res = crypto_bignum_legendre(num, sae->tmp->prime);
+ if (res == -2) {
+ res = -1;
+ goto fail;
+ }
+- res = res == check;
++ /* branchless version of res = res == check
++ * (res is -1, 0, or 1; check is -1 or 1) */
++ mask = const_time_eq(res, check);
++ res = const_time_select_int(mask, 1, 0);
+ fail:
+ crypto_bignum_deinit(num, 1);
+ crypto_bignum_deinit(r, 1);
++ crypto_bignum_deinit(qr_or_qnr, 1);
+ return res;
+ }
+
+
+ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
+- const u8 *prime,
+- const struct crypto_bignum *qr,
+- const struct crypto_bignum *qnr,
++ const u8 *prime, const u8 *qr, const u8 *qnr,
+ u8 *pwd_value)
+ {
+ struct crypto_bignum *y_sqr, *x_cand;
+@@ -452,6 +458,8 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL;
+ u8 x_bin[SAE_MAX_ECC_PRIME_LEN];
+ u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN];
++ u8 qr_bin[SAE_MAX_ECC_PRIME_LEN];
++ u8 qnr_bin[SAE_MAX_ECC_PRIME_LEN];
+ size_t bits;
+ int res = -1;
+ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
+@@ -476,7 +484,9 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ * (qnr) modulo p for blinding purposes during the loop.
+ */
+ if (get_random_qr_qnr(prime, prime_len, sae->tmp->prime, bits,
+- &qr, &qnr) < 0)
++ &qr, &qnr) < 0 ||
++ crypto_bignum_to_bin(qr, qr_bin, sizeof(qr_bin), prime_len) < 0 ||
++ crypto_bignum_to_bin(qnr, qnr_bin, sizeof(qnr_bin), prime_len) < 0)
+ goto fail;
+
+ wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
+@@ -527,7 +537,7 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ break;
+
+ res = sae_test_pwd_seed_ecc(sae, pwd_seed,
+- prime, qr, qnr, x_cand_bin);
++ prime, qr_bin, qnr_bin, x_cand_bin);
+ const_time_select_bin(found, x_bin, x_cand_bin, prime_len,
+ x_bin);
+ pwd_seed_odd = const_time_select_u8(
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch
new file mode 100644
index 0000000000..6cfa7220e1
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch
@@ -0,0 +1,121 @@
+From 90839597cc4016b33f00055b12d59174c62770a3 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Sat, 2 Mar 2019 12:24:09 +0200
+Subject: [PATCH 07/14] SAE: Mask timing of MODP groups 22, 23, 24
+
+These groups have significant probability of coming up with pwd-value
+that is equal or greater than the prime and as such, need for going
+through the PWE derivation loop multiple times. This can result in
+sufficient timing different to allow an external observer to determine
+how many rounds are needed and that can leak information about the used
+password.
+
+Force at least 40 loop rounds for these MODP groups similarly to the ECC
+group design to mask timing. This behavior is not described in IEEE Std
+802.11-2016 for SAE, but it does not result in different values (i.e.,
+only different timing), so such implementation specific countermeasures
+can be done without breaking interoperability with other implementation.
+
+Note: These MODP groups 22, 23, and 24 are not considered sufficiently
+strong to be used with SAE (or more or less anything else). As such,
+they should never be enabled in runtime configuration for any production
+use cases. These changes to introduce additional protection to mask
+timing is only for completeness of implementation and not an indication
+that these groups should be used.
+
+This is related to CVE-2019-9494.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9494
+---
+ src/common/sae.c | 38 ++++++++++++++++++++++++++++----------
+ 1 file changed, 28 insertions(+), 10 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 5df9b95..75b1b4a 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -601,22 +601,27 @@ fail:
+ }
+
+
++static int sae_modp_group_require_masking(int group)
++{
++ /* Groups for which pwd-value is likely to be >= p frequently */
++ return group == 22 || group == 23 || group == 24;
++}
++
++
+ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
+ const u8 *addr2, const u8 *password,
+ size_t password_len, const char *identifier)
+ {
+- u8 counter;
++ u8 counter, k;
+ u8 addrs[2 * ETH_ALEN];
+ const u8 *addr[3];
+ size_t len[3];
+ size_t num_elem;
+ int found = 0;
++ struct crypto_bignum *pwe = NULL;
+
+- if (sae->tmp->pwe_ffc == NULL) {
+- sae->tmp->pwe_ffc = crypto_bignum_init();
+- if (sae->tmp->pwe_ffc == NULL)
+- return -1;
+- }
++ crypto_bignum_deinit(sae->tmp->pwe_ffc, 1);
++ sae->tmp->pwe_ffc = NULL;
+
+ wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
+ password, password_len);
+@@ -640,7 +645,9 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
+ len[num_elem] = sizeof(counter);
+ num_elem++;
+
+- for (counter = 1; !found; counter++) {
++ k = sae_modp_group_require_masking(sae->group) ? 40 : 1;
++
++ for (counter = 1; counter <= k || !found; counter++) {
+ u8 pwd_seed[SHA256_MAC_LEN];
+ int res;
+
+@@ -650,19 +657,30 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
+ break;
+ }
+
+- wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter);
++ wpa_printf(MSG_DEBUG, "SAE: counter = %02u", counter);
+ if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem,
+ addr, len, pwd_seed) < 0)
+ break;
+- res = sae_test_pwd_seed_ffc(sae, pwd_seed, sae->tmp->pwe_ffc);
++ if (!pwe) {
++ pwe = crypto_bignum_init();
++ if (!pwe)
++ break;
++ }
++ res = sae_test_pwd_seed_ffc(sae, pwd_seed, pwe);
+ if (res < 0)
+ break;
+ if (res > 0) {
+- wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
+ found = 1;
++ if (!sae->tmp->pwe_ffc) {
++ wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
++ sae->tmp->pwe_ffc = pwe;
++ pwe = NULL;
++ }
+ }
+ }
+
++ crypto_bignum_deinit(pwe, 1);
++
+ return found ? 0 : -1;
+ }
+
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch
new file mode 100644
index 0000000000..7b8616a66d
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch
@@ -0,0 +1,108 @@
+From f8f20717f87eff1f025f48ed585c7684debacf72 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Sat, 2 Mar 2019 12:45:33 +0200
+Subject: [PATCH 08/14] SAE: Use const_time selection for PWE in FFC
+
+This is an initial step towards making the FFC case use strictly
+constant time operations similarly to the ECC case.
+sae_test_pwd_seed_ffc() does not yet have constant time behavior,
+though.
+
+This is related to CVE-2019-9494.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9494
+---
+ src/common/sae.c | 53 +++++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 35 insertions(+), 18 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 75b1b4a..fa9a145 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -612,17 +612,28 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
+ const u8 *addr2, const u8 *password,
+ size_t password_len, const char *identifier)
+ {
+- u8 counter, k;
++ u8 counter, k, sel_counter = 0;
+ u8 addrs[2 * ETH_ALEN];
+ const u8 *addr[3];
+ size_t len[3];
+ size_t num_elem;
+- int found = 0;
+- struct crypto_bignum *pwe = NULL;
++ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
++ * mask */
++ u8 mask;
++ struct crypto_bignum *pwe;
++ size_t prime_len = sae->tmp->prime_len * 8;
++ u8 *pwe_buf;
+
+ crypto_bignum_deinit(sae->tmp->pwe_ffc, 1);
+ sae->tmp->pwe_ffc = NULL;
+
++ /* Allocate a buffer to maintain selected and candidate PWE for constant
++ * time selection. */
++ pwe_buf = os_zalloc(prime_len * 2);
++ pwe = crypto_bignum_init();
++ if (!pwe_buf || !pwe)
++ goto fail;
++
+ wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
+ password, password_len);
+
+@@ -661,27 +672,33 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
+ if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem,
+ addr, len, pwd_seed) < 0)
+ break;
+- if (!pwe) {
+- pwe = crypto_bignum_init();
+- if (!pwe)
+- break;
+- }
+ res = sae_test_pwd_seed_ffc(sae, pwd_seed, pwe);
++ /* res is -1 for fatal failure, 0 if a valid PWE was not found,
++ * or 1 if a valid PWE was found. */
+ if (res < 0)
+ break;
+- if (res > 0) {
+- found = 1;
+- if (!sae->tmp->pwe_ffc) {
+- wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
+- sae->tmp->pwe_ffc = pwe;
+- pwe = NULL;
+- }
+- }
++ /* Store the candidate PWE into the second half of pwe_buf and
++ * the selected PWE in the beginning of pwe_buf using constant
++ * time selection. */
++ if (crypto_bignum_to_bin(pwe, pwe_buf + prime_len, prime_len,
++ prime_len) < 0)
++ break;
++ const_time_select_bin(found, pwe_buf, pwe_buf + prime_len,
++ prime_len, pwe_buf);
++ sel_counter = const_time_select_u8(found, sel_counter, counter);
++ mask = const_time_eq_u8(res, 1);
++ found = const_time_select_u8(found, found, mask);
+ }
+
+- crypto_bignum_deinit(pwe, 1);
++ if (!found)
++ goto fail;
+
+- return found ? 0 : -1;
++ wpa_printf(MSG_DEBUG, "SAE: Use PWE from counter = %02u", sel_counter);
++ sae->tmp->pwe_ffc = crypto_bignum_init_set(pwe_buf, prime_len);
++fail:
++ crypto_bignum_deinit(pwe, 1);
++ bin_clear_free(pwe_buf, prime_len * 2);
++ return sae->tmp->pwe_ffc ? 0 : -1;
+ }
+
+
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0009-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0009-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch
new file mode 100644
index 0000000000..d2ae8188e1
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0009-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch
@@ -0,0 +1,139 @@
+From cff138b0747fa39765cbc641b66cfa5d7f1735d1 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Sat, 2 Mar 2019 16:05:56 +0200
+Subject: [PATCH 09/14] SAE: Use constant time operations in
+ sae_test_pwd_seed_ffc()
+
+Try to avoid showing externally visible timing or memory access
+differences regardless of whether the derived pwd-value is smaller than
+the group prime.
+
+This is related to CVE-2019-9494.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9494
+---
+ src/common/sae.c | 75 ++++++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 46 insertions(+), 29 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index fa9a145..eaf825d 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -334,14 +334,17 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
+ }
+
+
++/* Returns -1 on fatal failure, 0 if PWE cannot be derived from the provided
++ * pwd-seed, or 1 if a valid PWE was derived from pwd-seed. */
+ static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
+ struct crypto_bignum *pwe)
+ {
+ u8 pwd_value[SAE_MAX_PRIME_LEN];
+ size_t bits = sae->tmp->prime_len * 8;
+ u8 exp[1];
+- struct crypto_bignum *a, *b;
+- int res;
++ struct crypto_bignum *a, *b = NULL;
++ int res, is_val;
++ u8 pwd_value_valid;
+
+ wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
+
+@@ -353,16 +356,29 @@ static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
+ wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", pwd_value,
+ sae->tmp->prime_len);
+
+- if (os_memcmp(pwd_value, sae->tmp->dh->prime, sae->tmp->prime_len) >= 0)
+- {
+- wpa_printf(MSG_DEBUG, "SAE: pwd-value >= p");
+- return 0;
+- }
++ /* Check whether pwd-value < p */
++ res = const_time_memcmp(pwd_value, sae->tmp->dh->prime,
++ sae->tmp->prime_len);
++ /* pwd-value >= p is invalid, so res is < 0 for the valid cases and
++ * the negative sign can be used to fill the mask for constant time
++ * selection */
++ pwd_value_valid = const_time_fill_msb(res);
++
++ /* If pwd-value >= p, force pwd-value to be < p and perform the
++ * calculations anyway to hide timing difference. The derived PWE will
++ * be ignored in that case. */
++ pwd_value[0] = const_time_select_u8(pwd_value_valid, pwd_value[0], 0);
+
+ /* PWE = pwd-value^((p-1)/r) modulo p */
+
++ res = -1;
+ a = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
++ if (!a)
++ goto fail;
+
++ /* This is an optimization based on the used group that does not depend
++ * on the password in any way, so it is fine to use separate branches
++ * for this step without constant time operations. */
+ if (sae->tmp->dh->safe_prime) {
+ /*
+ * r = (p-1)/2 for the group used here, so this becomes:
+@@ -376,33 +392,34 @@ static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
+ b = crypto_bignum_init_set(exp, sizeof(exp));
+ if (b == NULL ||
+ crypto_bignum_sub(sae->tmp->prime, b, b) < 0 ||
+- crypto_bignum_div(b, sae->tmp->order, b) < 0) {
+- crypto_bignum_deinit(b, 0);
+- b = NULL;
+- }
++ crypto_bignum_div(b, sae->tmp->order, b) < 0)
++ goto fail;
+ }
+
+- if (a == NULL || b == NULL)
+- res = -1;
+- else
+- res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe);
+-
+- crypto_bignum_deinit(a, 0);
+- crypto_bignum_deinit(b, 0);
++ if (!b)
++ goto fail;
+
+- if (res < 0) {
+- wpa_printf(MSG_DEBUG, "SAE: Failed to calculate PWE");
+- return -1;
+- }
++ res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe);
++ if (res < 0)
++ goto fail;
+
+- /* if (PWE > 1) --> found */
+- if (crypto_bignum_is_zero(pwe) || crypto_bignum_is_one(pwe)) {
+- wpa_printf(MSG_DEBUG, "SAE: PWE <= 1");
+- return 0;
+- }
++ /* There were no fatal errors in calculations, so determine the return
++ * value using constant time operations. We get here for number of
++ * invalid cases which are cleared here after having performed all the
++ * computation. PWE is valid if pwd-value was less than prime and
++ * PWE > 1. Start with pwd-value check first and then use constant time
++ * operations to clear res to 0 if PWE is 0 or 1.
++ */
++ res = const_time_select_u8(pwd_value_valid, 1, 0);
++ is_val = crypto_bignum_is_zero(pwe);
++ res = const_time_select_u8(const_time_is_zero(is_val), res, 0);
++ is_val = crypto_bignum_is_one(pwe);
++ res = const_time_select_u8(const_time_is_zero(is_val), res, 0);
+
+- wpa_printf(MSG_DEBUG, "SAE: PWE found");
+- return 1;
++fail:
++ crypto_bignum_deinit(a, 1);
++ crypto_bignum_deinit(b, 1);
++ return res;
+ }
+
+
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0010-SAE-Fix-confirm-message-validation-in-error-cases.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0010-SAE-Fix-confirm-message-validation-in-error-cases.patch
new file mode 100644
index 0000000000..9d2c6983d4
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0010-SAE-Fix-confirm-message-validation-in-error-cases.patch
@@ -0,0 +1,60 @@
+From ac8fa9ef198640086cf2ce7c94673be2b6a018a0 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 5 Mar 2019 23:43:25 +0200
+Subject: [PATCH 10/14] SAE: Fix confirm message validation in error cases
+
+Explicitly verify that own and peer commit scalar/element are available
+when trying to check SAE confirm message. It could have been possible to
+hit a NULL pointer dereference if the peer element could not have been
+parsed. (CVE-2019-9496)
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9496
+---
+ src/common/sae.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index eaf825d..5a50294 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -1487,23 +1487,31 @@ int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len)
+
+ wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data));
+
+- if (sae->tmp == NULL) {
++ if (!sae->tmp || !sae->peer_commit_scalar ||
++ !sae->tmp->own_commit_scalar) {
+ wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available");
+ return -1;
+ }
+
+- if (sae->tmp->ec)
++ if (sae->tmp->ec) {
++ if (!sae->tmp->peer_commit_element_ecc ||
++ !sae->tmp->own_commit_element_ecc)
++ return -1;
+ sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar,
+ sae->tmp->peer_commit_element_ecc,
+ sae->tmp->own_commit_scalar,
+ sae->tmp->own_commit_element_ecc,
+ verifier);
+- else
++ } else {
++ if (!sae->tmp->peer_commit_element_ffc ||
++ !sae->tmp->own_commit_element_ffc)
++ return -1;
+ sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar,
+ sae->tmp->peer_commit_element_ffc,
+ sae->tmp->own_commit_scalar,
+ sae->tmp->own_commit_element_ffc,
+ verifier);
++ }
+
+ if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) {
+ wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch");
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0011-EAP-pwd-server-Verify-received-scalar-and-element.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0011-EAP-pwd-server-Verify-received-scalar-and-element.patch
new file mode 100644
index 0000000000..87095bf7f4
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0011-EAP-pwd-server-Verify-received-scalar-and-element.patch
@@ -0,0 +1,61 @@
+From 70ff850e89fbc8bc7da515321b4d15b5eef70581 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
+Date: Sun, 31 Mar 2019 17:13:06 +0200
+Subject: [PATCH 11/14] EAP-pwd server: Verify received scalar and element
+
+When processing an EAP-pwd Commit frame, the peer's scalar and element
+(elliptic curve point) were not validated. This allowed an adversary to
+bypass authentication, and impersonate any user if the crypto
+implementation did not verify the validity of the EC point.
+
+Fix this vulnerability by assuring the received scalar lies within the
+valid range, and by checking that the received element is not the point
+at infinity and lies on the elliptic curve being used. (CVE-2019-9498)
+
+The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower
+is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL
+(and also BoringSSL) implicitly validate the elliptic curve point in
+EC_POINT_set_affine_coordinates_GFp(), preventing the attack.
+
+Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9498
+---
+ src/eap_server/eap_server_pwd.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
+index d0fa54a..74979da 100644
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -718,6 +718,26 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ goto fin;
+ }
+
++ /* verify received scalar */
++ if (crypto_bignum_is_zero(data->peer_scalar) ||
++ crypto_bignum_is_one(data->peer_scalar) ||
++ crypto_bignum_cmp(data->peer_scalar,
++ crypto_ec_get_order(data->grp->group)) >= 0) {
++ wpa_printf(MSG_INFO,
++ "EAP-PWD (server): received scalar is invalid");
++ goto fin;
++ }
++
++ /* verify received element */
++ if (!crypto_ec_point_is_on_curve(data->grp->group,
++ data->peer_element) ||
++ crypto_ec_point_is_at_infinity(data->grp->group,
++ data->peer_element)) {
++ wpa_printf(MSG_INFO,
++ "EAP-PWD (server): received element is invalid");
++ goto fin;
++ }
++
+ /* check to ensure peer's element is not in a small sub-group */
+ if (!crypto_bignum_is_one(cofactor)) {
+ if (crypto_ec_point_mul(data->grp->group, data->peer_element,
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0012-EAP-pwd-server-Detect-reflection-attacks.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0012-EAP-pwd-server-Detect-reflection-attacks.patch
new file mode 100644
index 0000000000..32d134db41
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0012-EAP-pwd-server-Detect-reflection-attacks.patch
@@ -0,0 +1,48 @@
+From d63edfa90243e9a7de6ae5c275032f2cc79fef95 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
+Date: Sun, 31 Mar 2019 17:26:01 +0200
+Subject: [PATCH 12/14] EAP-pwd server: Detect reflection attacks
+
+When processing an EAP-pwd Commit frame, verify that the peer's scalar
+and elliptic curve element differ from the one sent by the server. This
+prevents reflection attacks where the adversary reflects the scalar and
+element sent by the server. (CVE-2019-9497)
+
+The vulnerability allows an adversary to complete the EAP-pwd handshake
+as any user. However, the adversary does not learn the negotiated
+session key, meaning the subsequent 4-way handshake would fail. As a
+result, this cannot be abused to bypass authentication unless EAP-pwd is
+used in non-WLAN cases without any following key exchange that would
+require the attacker to learn the MSK.
+
+Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9497
+---
+ src/eap_server/eap_server_pwd.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
+index 74979da..16057e9 100644
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -753,6 +753,15 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ }
+ }
+
++ /* detect reflection attacks */
++ if (crypto_bignum_cmp(data->my_scalar, data->peer_scalar) == 0 ||
++ crypto_ec_point_cmp(data->grp->group, data->my_element,
++ data->peer_element) == 0) {
++ wpa_printf(MSG_INFO,
++ "EAP-PWD (server): detected reflection attack!");
++ goto fin;
++ }
++
+ /* compute the shared key, k */
+ if ((crypto_ec_point_mul(data->grp->group, data->grp->pwe,
+ data->peer_scalar, K) < 0) ||
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch
new file mode 100644
index 0000000000..c6e61cb803
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch
@@ -0,0 +1,61 @@
+From 8ad8585f91823ddcc3728155e288e0f9f872e31a Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
+Date: Sun, 31 Mar 2019 17:43:44 +0200
+Subject: [PATCH 13/14] EAP-pwd client: Verify received scalar and element
+
+When processing an EAP-pwd Commit frame, the server's scalar and element
+(elliptic curve point) were not validated. This allowed an adversary to
+bypass authentication, and act as a rogue Access Point (AP) if the
+crypto implementation did not verify the validity of the EC point.
+
+Fix this vulnerability by assuring the received scalar lies within the
+valid range, and by checking that the received element is not the point
+at infinity and lies on the elliptic curve being used. (CVE-2019-9499)
+
+The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower
+is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL
+(and also BoringSSL) implicitly validate the elliptic curve point in
+EC_POINT_set_affine_coordinates_GFp(), preventing the attack.
+
+Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9499
+---
+ src/eap_peer/eap_pwd.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index 761c16a..5a05e54 100644
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -594,6 +594,26 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+ goto fin;
+ }
+
++ /* verify received scalar */
++ if (crypto_bignum_is_zero(data->server_scalar) ||
++ crypto_bignum_is_one(data->server_scalar) ||
++ crypto_bignum_cmp(data->server_scalar,
++ crypto_ec_get_order(data->grp->group)) >= 0) {
++ wpa_printf(MSG_INFO,
++ "EAP-PWD (peer): received scalar is invalid");
++ goto fin;
++ }
++
++ /* verify received element */
++ if (!crypto_ec_point_is_on_curve(data->grp->group,
++ data->server_element) ||
++ crypto_ec_point_is_at_infinity(data->grp->group,
++ data->server_element)) {
++ wpa_printf(MSG_INFO,
++ "EAP-PWD (peer): received element is invalid");
++ goto fin;
++ }
++
+ /* check to ensure server's element is not in a small sub-group */
+ if (!crypto_bignum_is_one(cofactor)) {
+ if (crypto_ec_point_mul(data->grp->group, data->server_element,
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch
new file mode 100644
index 0000000000..e944ef110f
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch
@@ -0,0 +1,335 @@
+From 16d4f1069118aa19bfce013493e1ac5783f92f1d Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Fri, 5 Apr 2019 02:12:50 +0300
+Subject: [PATCH 14/14] EAP-pwd: Check element x,y coordinates explicitly
+
+This adds an explicit check for 0 < x,y < prime based on RFC 5931,
+2.8.5.2.2 requirement. The earlier checks might have covered this
+implicitly, but it is safer to avoid any dependency on implicit checks
+and specific crypto library behavior. (CVE-2019-9498 and CVE-2019-9499)
+
+Furthermore, this moves the EAP-pwd element and scalar parsing and
+validation steps into shared helper functions so that there is no need
+to maintain two separate copies of this common functionality between the
+server and peer implementations.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9498
+CVE: CVE-2019-9499
+---
+ src/eap_common/eap_pwd_common.c | 106 ++++++++++++++++++++++++++++++++++++++++
+ src/eap_common/eap_pwd_common.h | 3 ++
+ src/eap_peer/eap_pwd.c | 45 ++---------------
+ src/eap_server/eap_server_pwd.c | 45 ++---------------
+ 4 files changed, 117 insertions(+), 82 deletions(-)
+
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index e49aaf8..c28b56d 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -428,3 +428,109 @@ int compute_keys(EAP_PWD_group *grp, const struct crypto_bignum *k,
+
+ return 1;
+ }
++
++
++static int eap_pwd_element_coord_ok(const struct crypto_bignum *prime,
++ const u8 *buf, size_t len)
++{
++ struct crypto_bignum *val;
++ int ok = 1;
++
++ val = crypto_bignum_init_set(buf, len);
++ if (!val || crypto_bignum_is_zero(val) ||
++ crypto_bignum_cmp(val, prime) >= 0)
++ ok = 0;
++ crypto_bignum_deinit(val, 0);
++ return ok;
++}
++
++
++struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
++ const u8 *buf)
++{
++ struct crypto_ec_point *element;
++ const struct crypto_bignum *prime;
++ size_t prime_len;
++ struct crypto_bignum *cofactor = NULL;
++
++ prime = crypto_ec_get_prime(group->group);
++ prime_len = crypto_ec_prime_len(group->group);
++
++ /* RFC 5931, 2.8.5.2.2: 0 < x,y < p */
++ if (!eap_pwd_element_coord_ok(prime, buf, prime_len) ||
++ !eap_pwd_element_coord_ok(prime, buf + prime_len, prime_len)) {
++ wpa_printf(MSG_INFO, "EAP-pwd: Invalid coordinate in element");
++ return NULL;
++ }
++
++ element = crypto_ec_point_from_bin(group->group, buf);
++ if (!element) {
++ wpa_printf(MSG_INFO, "EAP-pwd: EC point from element failed");
++ return NULL;
++ }
++
++ /* RFC 5931, 2.8.5.2.2: on curve and not the point at infinity */
++ if (!crypto_ec_point_is_on_curve(group->group, element) ||
++ crypto_ec_point_is_at_infinity(group->group, element)) {
++ wpa_printf(MSG_INFO, "EAP-pwd: Invalid element");
++ goto fail;
++ }
++
++ cofactor = crypto_bignum_init();
++ if (!cofactor || crypto_ec_cofactor(group->group, cofactor) < 0) {
++ wpa_printf(MSG_INFO,
++ "EAP-pwd: Unable to get cofactor for curve");
++ goto fail;
++ }
++
++ if (!crypto_bignum_is_one(cofactor)) {
++ struct crypto_ec_point *point;
++ int ok = 1;
++
++ /* check to ensure peer's element is not in a small sub-group */
++ point = crypto_ec_point_init(group->group);
++ if (!point ||
++ crypto_ec_point_mul(group->group, element,
++ cofactor, point) != 0 ||
++ crypto_ec_point_is_at_infinity(group->group, point))
++ ok = 0;
++ crypto_ec_point_deinit(point, 0);
++
++ if (!ok) {
++ wpa_printf(MSG_INFO,
++ "EAP-pwd: Small sub-group check on peer element failed");
++ goto fail;
++ }
++ }
++
++out:
++ crypto_bignum_deinit(cofactor, 0);
++ return element;
++fail:
++ crypto_ec_point_deinit(element, 0);
++ element = NULL;
++ goto out;
++}
++
++
++struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf)
++{
++ struct crypto_bignum *scalar;
++ const struct crypto_bignum *order;
++ size_t order_len;
++
++ order = crypto_ec_get_order(group->group);
++ order_len = crypto_ec_order_len(group->group);
++
++ /* RFC 5931, 2.8.5.2: 1 < scalar < r */
++ scalar = crypto_bignum_init_set(buf, order_len);
++ if (!scalar || crypto_bignum_is_zero(scalar) ||
++ crypto_bignum_is_one(scalar) ||
++ crypto_bignum_cmp(scalar, order) >= 0) {
++ wpa_printf(MSG_INFO, "EAP-pwd: received scalar is invalid");
++ crypto_bignum_deinit(scalar, 0);
++ scalar = NULL;
++ }
++
++ return scalar;
++}
+diff --git a/src/eap_common/eap_pwd_common.h b/src/eap_common/eap_pwd_common.h
+index 6b07cf8..2387e59 100644
+--- a/src/eap_common/eap_pwd_common.h
++++ b/src/eap_common/eap_pwd_common.h
+@@ -67,5 +67,8 @@ int compute_keys(EAP_PWD_group *grp, const struct crypto_bignum *k,
+ struct crypto_hash * eap_pwd_h_init(void);
+ void eap_pwd_h_update(struct crypto_hash *hash, const u8 *data, size_t len);
+ void eap_pwd_h_final(struct crypto_hash *hash, u8 *digest);
++struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
++ const u8 *buf);
++struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf);
+
+ #endif /* EAP_PWD_COMMON_H */
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index 5a05e54..f37b974 100644
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -308,7 +308,7 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+ const struct wpabuf *reqData,
+ const u8 *payload, size_t payload_len)
+ {
+- struct crypto_ec_point *K = NULL, *point = NULL;
++ struct crypto_ec_point *K = NULL;
+ struct crypto_bignum *mask = NULL, *cofactor = NULL;
+ const u8 *ptr = payload;
+ u8 *scalar = NULL, *element = NULL;
+@@ -572,63 +572,27 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+ /* process the request */
+ data->k = crypto_bignum_init();
+ K = crypto_ec_point_init(data->grp->group);
+- point = crypto_ec_point_init(data->grp->group);
+- if (!data->k || !K || !point) {
++ if (!data->k || !K) {
+ wpa_printf(MSG_INFO, "EAP-PWD (peer): peer data allocation "
+ "fail");
+ goto fin;
+ }
+
+ /* element, x then y, followed by scalar */
+- data->server_element = crypto_ec_point_from_bin(data->grp->group, ptr);
++ data->server_element = eap_pwd_get_element(data->grp, ptr);
+ if (!data->server_element) {
+ wpa_printf(MSG_INFO, "EAP-PWD (peer): setting peer element "
+ "fail");
+ goto fin;
+ }
+ ptr += prime_len * 2;
+- data->server_scalar = crypto_bignum_init_set(ptr, order_len);
++ data->server_scalar = eap_pwd_get_scalar(data->grp, ptr);
+ if (!data->server_scalar) {
+ wpa_printf(MSG_INFO,
+ "EAP-PWD (peer): setting peer scalar fail");
+ goto fin;
+ }
+
+- /* verify received scalar */
+- if (crypto_bignum_is_zero(data->server_scalar) ||
+- crypto_bignum_is_one(data->server_scalar) ||
+- crypto_bignum_cmp(data->server_scalar,
+- crypto_ec_get_order(data->grp->group)) >= 0) {
+- wpa_printf(MSG_INFO,
+- "EAP-PWD (peer): received scalar is invalid");
+- goto fin;
+- }
+-
+- /* verify received element */
+- if (!crypto_ec_point_is_on_curve(data->grp->group,
+- data->server_element) ||
+- crypto_ec_point_is_at_infinity(data->grp->group,
+- data->server_element)) {
+- wpa_printf(MSG_INFO,
+- "EAP-PWD (peer): received element is invalid");
+- goto fin;
+- }
+-
+- /* check to ensure server's element is not in a small sub-group */
+- if (!crypto_bignum_is_one(cofactor)) {
+- if (crypto_ec_point_mul(data->grp->group, data->server_element,
+- cofactor, point) < 0) {
+- wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
+- "server element by order!\n");
+- goto fin;
+- }
+- if (crypto_ec_point_is_at_infinity(data->grp->group, point)) {
+- wpa_printf(MSG_INFO, "EAP-PWD (peer): server element "
+- "is at infinity!\n");
+- goto fin;
+- }
+- }
+-
+ /* compute the shared key, k */
+ if (crypto_ec_point_mul(data->grp->group, data->grp->pwe,
+ data->server_scalar, K) < 0 ||
+@@ -702,7 +666,6 @@ fin:
+ crypto_bignum_deinit(mask, 1);
+ crypto_bignum_deinit(cofactor, 1);
+ crypto_ec_point_deinit(K, 1);
+- crypto_ec_point_deinit(point, 1);
+ if (data->outbuf == NULL)
+ eap_pwd_state(data, FAILURE);
+ else
+diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
+index 16057e9..f6c75cf 100644
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -669,7 +669,7 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ {
+ const u8 *ptr;
+ struct crypto_bignum *cofactor = NULL;
+- struct crypto_ec_point *K = NULL, *point = NULL;
++ struct crypto_ec_point *K = NULL;
+ int res = 0;
+ size_t prime_len, order_len;
+
+@@ -688,9 +688,8 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+
+ data->k = crypto_bignum_init();
+ cofactor = crypto_bignum_init();
+- point = crypto_ec_point_init(data->grp->group);
+ K = crypto_ec_point_init(data->grp->group);
+- if (!data->k || !cofactor || !point || !K) {
++ if (!data->k || !cofactor || !K) {
+ wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
+ "fail");
+ goto fin;
+@@ -704,55 +703,20 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+
+ /* element, x then y, followed by scalar */
+ ptr = payload;
+- data->peer_element = crypto_ec_point_from_bin(data->grp->group, ptr);
++ data->peer_element = eap_pwd_get_element(data->grp, ptr);
+ if (!data->peer_element) {
+ wpa_printf(MSG_INFO, "EAP-PWD (server): setting peer element "
+ "fail");
+ goto fin;
+ }
+ ptr += prime_len * 2;
+- data->peer_scalar = crypto_bignum_init_set(ptr, order_len);
++ data->peer_scalar = eap_pwd_get_scalar(data->grp, ptr);
+ if (!data->peer_scalar) {
+ wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
+ "fail");
+ goto fin;
+ }
+
+- /* verify received scalar */
+- if (crypto_bignum_is_zero(data->peer_scalar) ||
+- crypto_bignum_is_one(data->peer_scalar) ||
+- crypto_bignum_cmp(data->peer_scalar,
+- crypto_ec_get_order(data->grp->group)) >= 0) {
+- wpa_printf(MSG_INFO,
+- "EAP-PWD (server): received scalar is invalid");
+- goto fin;
+- }
+-
+- /* verify received element */
+- if (!crypto_ec_point_is_on_curve(data->grp->group,
+- data->peer_element) ||
+- crypto_ec_point_is_at_infinity(data->grp->group,
+- data->peer_element)) {
+- wpa_printf(MSG_INFO,
+- "EAP-PWD (server): received element is invalid");
+- goto fin;
+- }
+-
+- /* check to ensure peer's element is not in a small sub-group */
+- if (!crypto_bignum_is_one(cofactor)) {
+- if (crypto_ec_point_mul(data->grp->group, data->peer_element,
+- cofactor, point) != 0) {
+- wpa_printf(MSG_INFO, "EAP-PWD (server): cannot "
+- "multiply peer element by order");
+- goto fin;
+- }
+- if (crypto_ec_point_is_at_infinity(data->grp->group, point)) {
+- wpa_printf(MSG_INFO, "EAP-PWD (server): peer element "
+- "is at infinity!\n");
+- goto fin;
+- }
+- }
+-
+ /* detect reflection attacks */
+ if (crypto_bignum_cmp(data->my_scalar, data->peer_scalar) == 0 ||
+ crypto_ec_point_cmp(data->grp->group, data->my_element,
+@@ -804,7 +768,6 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+
+ fin:
+ crypto_ec_point_deinit(K, 1);
+- crypto_ec_point_deinit(point, 1);
+ crypto_bignum_deinit(cofactor, 1);
+
+ if (res)
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb
index fe5fa2b82e..277bbaec63 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb
@@ -25,6 +25,22 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
file://wpa_supplicant.conf-sane \
file://99_wpa_supplicant \
file://0001-replace-systemd-install-Alias-with-WantedBy.patch \
+ file://0001-OpenSSL-Use-constant-time-operations-for-private-big.patch \
+ file://0002-Add-helper-functions-for-constant-time-operations.patch \
+ file://0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch \
+ file://0004-EAP-pwd-Use-constant-time-and-memory-access-for-find.patch \
+ file://0005-SAE-Minimize-timing-differences-in-PWE-derivation.patch \
+ file://0006-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch \
+ file://0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch \
+ file://0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch \
+ file://0009-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch \
+ file://0010-SAE-Fix-confirm-message-validation-in-error-cases.patch \
+ file://0011-EAP-pwd-server-Verify-received-scalar-and-element.patch \
+ file://0012-EAP-pwd-server-Detect-reflection-attacks.patch \
+ file://0013-EAP-pwd-client-Verify-received-scalar-and-element.patch \
+ file://0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch \
+ file://0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch \
+ file://0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch \
"
SRC_URI[md5sum] = "a68538fb62766f40f890125026c42c10"
SRC_URI[sha256sum] = "76ea6b06b7a2ea8e6d9eb1a9166166f1656e6d48c7508914f592100c95c73074"
diff --git a/meta/recipes-core/expat/expat/CVE-2018-20843.patch b/meta/recipes-core/expat/expat/CVE-2018-20843.patch
new file mode 100644
index 0000000000..af6641eff1
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2018-20843.patch
@@ -0,0 +1,26 @@
+From 11f8838bf99ea0a6f0b76f9760c43704d00c4ff6 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 12 Jun 2019 15:42:22 +0200
+Subject: [PATCH] xmlparse.c: Fix extraction of namespace prefix from XML name
+ (#186)
+
+Upstream-Status: Backport
+CVE: CVE-2018-20843
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ expat/lib/xmlparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 30d55c5c..737d7cd2 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -6071,7 +6071,7 @@ setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *elementType)
+ else
+ poolDiscard(&dtd->pool);
+ elementType->prefix = prefix;
+-
++ break;
+ }
+ }
+ return 1;
diff --git a/meta/recipes-core/expat/expat_2.2.6.bb b/meta/recipes-core/expat/expat_2.2.6.bb
index c9e6081a35..0cef70555a 100644
--- a/meta/recipes-core/expat/expat_2.2.6.bb
+++ b/meta/recipes-core/expat/expat_2.2.6.bb
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=5b8620d98e49772d95fc1d291c26aa79"
SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \
file://autotools.patch \
file://libtool-tag.patch \
+ file://CVE-2018-20843.patch;striplevel=2 \
"
SRC_URI[md5sum] = "ca047ae951b40020ac831c28859161b2"
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch
new file mode 100644
index 0000000000..c882cba3b3
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch
@@ -0,0 +1,40 @@
+From 9fd6b4b21891adc318784f6a141f40d767b0d73c Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Tue, 22 Jan 2019 13:26:31 -0500
+Subject: [PATCH] keyfile settings: Use tighter permissions
+
+When creating directories, create them with 700 permissions,
+instead of 777.
+
+Closes: #1658
+CVE: CVE-2019-13012
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/commit/5e4da714f00f6bfb2ccd6d73d61329c6f3a08429]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+---
+ gio/gkeyfilesettingsbackend.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
+index a37978e..580a0b0 100644
+--- a/gio/gkeyfilesettingsbackend.c
++++ b/gio/gkeyfilesettingsbackend.c
+@@ -89,7 +89,8 @@ g_keyfile_settings_backend_keyfile_write (GKeyfileSettingsBackend *kfsb)
+
+ contents = g_key_file_to_data (kfsb->keyfile, &length, NULL);
+ g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE,
+- G_FILE_CREATE_REPLACE_DESTINATION,
++ G_FILE_CREATE_REPLACE_DESTINATION |
++ G_FILE_CREATE_PRIVATE,
+ NULL, NULL, NULL);
+
+ compute_checksum (kfsb->digest, contents, length);
+@@ -640,7 +641,7 @@ g_keyfile_settings_backend_new (const gchar *filename,
+
+ kfsb->file = g_file_new_for_path (filename);
+ kfsb->dir = g_file_get_parent (kfsb->file);
+- g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
++ g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700);
+
+ kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL);
+ kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL);
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb
index 733a2d46d9..2286d03148 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb
@@ -18,6 +18,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://0001-meson.build-do-not-hardcode-linux-as-the-host-system.patch \
file://0001-meson-do-a-build-time-check-for-strlcpy-before-attem.patch \
file://glib-meson.cross \
+ file://CVE-2019-13012.patch \
"
SRC_URI_append_class-native = " file://relocate-modules.patch"
diff --git a/meta/recipes-core/glibc/glibc-locale.inc b/meta/recipes-core/glibc/glibc-locale.inc
index a985d26c75..3f77221ec3 100644
--- a/meta/recipes-core/glibc/glibc-locale.inc
+++ b/meta/recipes-core/glibc/glibc-locale.inc
@@ -89,6 +89,9 @@ do_install() {
if [ ${PACKAGE_NO_GCONV} -eq 0 ]; then
copy_locale_files ${libdir}/gconv 0755
copy_locale_files ${datadir}/i18n 0644
+ else
+ # Remove the libdir if it is empty when gconv is not copied
+ find ${D}${libdir} -type d -empty -delete
fi
copy_locale_files ${datadir}/locale 0644
install -m 0644 ${LOCALETREESRC}/SUPPORTED ${WORKDIR}/SUPPORTED
@@ -97,3 +100,6 @@ do_install() {
inherit libc-package
BBCLASSEXTEND = "nativesdk"
+
+# Don't scan for CVEs as glibc will be scanned
+CVE_PRODUCT = ""
diff --git a/meta/recipes-core/glibc/glibc-mtrace.inc b/meta/recipes-core/glibc/glibc-mtrace.inc
index d703c14bdc..ef9d60ec23 100644
--- a/meta/recipes-core/glibc/glibc-mtrace.inc
+++ b/meta/recipes-core/glibc/glibc-mtrace.inc
@@ -11,3 +11,6 @@ do_install() {
install -d -m 0755 ${D}${bindir}
install -m 0755 ${SRC}/mtrace ${D}${bindir}/
}
+
+# Don't scan for CVEs as glibc will be scanned
+CVE_PRODUCT = ""
diff --git a/meta/recipes-core/glibc/glibc-package.inc b/meta/recipes-core/glibc/glibc-package.inc
index b7c64a0b2e..5cfb1b6ab9 100644
--- a/meta/recipes-core/glibc/glibc-package.inc
+++ b/meta/recipes-core/glibc/glibc-package.inc
@@ -162,21 +162,28 @@ bashscripts = "mtrace sotruss xtrace"
do_stash_locale () {
dest=${LOCALESTASH}
install -d ${dest}${base_libdir} ${dest}${bindir} ${dest}${libdir} ${dest}${datadir}
- if [ "${base_libdir}" != "${libdir}" ]; then
- cp -fpPR ${D}${base_libdir}/* ${dest}${base_libdir}
- fi
+ # Hide away the locale data from the deployment
if [ -e ${D}${bindir}/localedef ]; then
- mv -f ${D}${bindir}/localedef ${dest}${bindir}
+ cp -a ${D}${bindir}/localedef ${dest}${bindir}
fi
if [ -e ${D}${libdir}/gconv ]; then
- mv -f ${D}${libdir}/gconv ${dest}${libdir}
- fi
- if [ -e ${D}${exec_prefix}/lib ]; then
- cp -fpPR ${D}${exec_prefix}/lib ${dest}${exec_prefix}
+ cp -a ${D}${libdir}/gconv ${dest}${libdir}
fi
if [ -e ${D}${datadir}/i18n ]; then
- mv ${D}${datadir}/i18n ${dest}${datadir}
+ cp -a ${D}${datadir}/i18n ${dest}${datadir}
+ fi
+
+ # Make a copy of all the libraries into the locale stash
+ cp -fpPR ${D}${libdir}/* ${dest}${libdir}
+ if [ "${base_libdir}" != "${libdir}" ]; then
+ cp -fpPR ${D}${base_libdir}/* ${dest}${base_libdir}
+ fi
+ if [ -e ${D}${exec_prefix}/lib ]; then
+ if [ ${exec_prefix}/lib != ${base_libdir} ] && [ ${exec_prefix}/lib != ${libdir} ]; then
+ cp -fpPR ${D}${exec_prefix}/lib ${dest}${exec_prefix}
+ fi
fi
+
cp -fpPR ${D}${datadir}/* ${dest}${datadir}
rm -rf ${D}${datadir}/locale/
cp -fpPR ${WORKDIR}/SUPPORTED ${dest}
@@ -203,30 +210,38 @@ python do_stash_locale_setscene () {
}
addtask do_stash_locale_setscene
-do_poststash_install_cleanup () {
- # Remove all files which do_stash_locale would remove (mv)
- # since that task could have come from sstate and not get run.
+PACKAGE_PREPROCESS_FUNCS += "stash_locale_package_cleanup"
+SYSROOT_PREPROCESS_FUNCS += "stash_locale_sysroot_cleanup"
+stash_locale_cleanup () {
+ cleanupdir=$1
+ # Remove all files which do_stash_locale() copies
for i in ${bashscripts}; do
- rm -f ${D}${bindir}/$i
+ rm -f ${cleanupdir}${bindir}/$i
done
- rm -f ${D}${bindir}/localedef
- rm -rf ${D}${datadir}/i18n
- rm -rf ${D}${libdir}/gconv
- rm -rf ${D}/${localedir}
- rm -rf ${D}${datadir}/locale
- if [ "${libdir}" != "${exec_prefix}/lib" ]; then
- if [ -d "${D}${exec_prefix}/lib" ]; then
+ rm -f ${cleanupdir}${bindir}/localedef
+ rm -rf ${cleanupdir}${datadir}/i18n
+ rm -rf ${cleanupdir}${libdir}/gconv
+ rm -rf ${cleanupdir}/${localedir}
+ rm -rf ${cleanupdir}${datadir}/locale
+ if [ "${libdir}" != "${exec_prefix}/lib" ] && [ "${root_prefix}/lib" != "${exec_prefix}/lib" ]; then
+ if [ -d "${cleanupdir}${exec_prefix}/lib" ]; then
if [ -z "${ARCH_DYNAMIC_LOADER}" -o \
- ! -e "${D}${exec_prefix}/lib/${ARCH_DYNAMIC_LOADER}" ]; then
+ ! -e "${cleanupdir}${exec_prefix}/lib/${ARCH_DYNAMIC_LOADER}" ]; then
# error out if directory isn't empty
# this dir should only contain locale dir
# which has been deleted in the previous step
- rmdir ${D}${exec_prefix}/lib
+ rmdir ${cleanupdir}${exec_prefix}/lib
fi
fi
fi
}
-addtask do_poststash_install_cleanup after do_stash_locale do_install before do_populate_sysroot do_package
+
+stash_locale_sysroot_cleanup() {
+ stash_locale_cleanup ${SYSROOT_DESTDIR}
+}
+stash_locale_package_cleanup() {
+ stash_locale_cleanup ${PKGD}
+}
pkg_postinst_nscd () {
if [ -z "$D" ]; then
diff --git a/meta/recipes-core/glibc/glibc-scripts.inc b/meta/recipes-core/glibc/glibc-scripts.inc
index 2a2b41507e..14a14e4512 100644
--- a/meta/recipes-core/glibc/glibc-scripts.inc
+++ b/meta/recipes-core/glibc/glibc-scripts.inc
@@ -18,3 +18,6 @@ do_install() {
# sotruss script requires sotruss-lib.so (given by libsotruss package),
# to produce trace of the library calls.
RDEPENDS_${PN} += "libsotruss"
+
+# Don't scan for CVEs as glibc will be scanned
+CVE_PRODUCT = ""
diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch b/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch
index bc40361c5d..cf3744b24a 100644
--- a/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch
+++ b/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch
@@ -1,4 +1,5 @@
CVE: CVE-2019-9169
+CVE: CVE-2018-20796
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@intel.com>
diff --git a/meta/recipes-core/glibc/glibc_2.29.bb b/meta/recipes-core/glibc/glibc_2.29.bb
index 073d1533e3..c6b2caad42 100644
--- a/meta/recipes-core/glibc/glibc_2.29.bb
+++ b/meta/recipes-core/glibc/glibc_2.29.bb
@@ -121,7 +121,6 @@ do_compile () {
echo "ldd \"${prevrtld} ${RTLDLIST}\" -> \"${newrtld}\""
sed -i ${B}/elf/ldd -e "s#^RTLDLIST=.*\$#RTLDLIST=\"${newrtld}\"#"
fi
-
}
require glibc-package.inc
diff --git a/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
index 91d4ec9d5e..a17c51e9a7 100644
--- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb
+++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -22,7 +22,7 @@ IMAGE_FSTYPES = "wic.vmdk"
inherit core-image module-base setuptools3
-SRCREV ?= "41136dd0cfd7653b9b1da47f865573d7e3d8f9ed"
+SRCREV ?= "d0f73121551dc98f6924cd77952bf9ebf5ef3dd7"
SRC_URI = "git://git.yoctoproject.org/poky;branch=warrior \
file://Yocto_Build_Appliance.vmx \
file://Yocto_Build_Appliance.vmxf \
diff --git a/meta/recipes-core/libxcrypt/libxcrypt.bb b/meta/recipes-core/libxcrypt/libxcrypt.bb
index 3b9af6d739..a712e72914 100644
--- a/meta/recipes-core/libxcrypt/libxcrypt.bb
+++ b/meta/recipes-core/libxcrypt/libxcrypt.bb
@@ -24,7 +24,7 @@ FILES_${PN} = "${libdir}/libcrypt*.so.* ${libdir}/libcrypt-*.so ${libdir}/libowc
S = "${WORKDIR}/git"
BUILD_CPPFLAGS = "-I${STAGING_INCDIR_NATIVE} -std=gnu99"
-TARGET_CPPFLAGS = "-I${STAGING_DIR_TARGET}${includedir} -Wno-error=missing-attributes"
-CPPFLAGS_append_class-nativesdk = " -Wno-error=missing-attributes"
+TARGET_CPPFLAGS = "-I${STAGING_DIR_TARGET}${includedir} -Wno-error"
+CPPFLAGS_append_class-nativesdk = " -Wno-error"
BBCLASSEXTEND = "nativesdk"
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
new file mode 100644
index 0000000000..2c427a5884
--- /dev/null
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -0,0 +1,195 @@
+SUMMARY = "Updates the NVD CVE database"
+LICENSE = "MIT"
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+inherit native
+
+deltask do_unpack
+deltask do_patch
+deltask do_configure
+deltask do_compile
+deltask do_install
+deltask do_populate_sysroot
+
+python () {
+ if not d.getVar("CVE_CHECK_DB_FILE"):
+ raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
+}
+
+python do_populate_cve_db() {
+ """
+ Update NVD database with json data feed
+ """
+
+ import sqlite3, urllib, urllib.parse, shutil, gzip
+ from datetime import date
+
+ BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-"
+ YEAR_START = 2002
+
+ db_dir = os.path.join(d.getVar("DL_DIR"), 'CVE_CHECK')
+ db_file = os.path.join(db_dir, 'nvdcve_1.0.db')
+ json_tmpfile = os.path.join(db_dir, 'nvd.json.gz')
+ proxy = d.getVar("https_proxy")
+
+ if proxy:
+ # instantiate an opener but do not install it as the global
+ # opener unless if we're really sure it's applicable for all
+ # urllib requests
+ proxy_handler = urllib.request.ProxyHandler({'https': proxy})
+ proxy_opener = urllib.request.build_opener(proxy_handler)
+ else:
+ proxy_opener = None
+
+ cve_f = open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a')
+
+ if not os.path.isdir(db_dir):
+ os.mkdir(db_dir)
+
+ # Connect to database
+ conn = sqlite3.connect(db_file)
+ c = conn.cursor()
+
+ initialize_db(c)
+
+ for year in range(YEAR_START, date.today().year + 1):
+ year_url = BASE_URL + str(year)
+ meta_url = year_url + ".meta"
+ json_url = year_url + ".json.gz"
+
+ # Retrieve meta last modified date
+
+ response = None
+
+ if proxy_opener:
+ response = proxy_opener.open(meta_url)
+ else:
+ req = urllib.request.Request(meta_url)
+ response = urllib.request.urlopen(req)
+
+ if response:
+ for l in response.read().decode("utf-8").splitlines():
+ key, value = l.split(":", 1)
+ if key == "lastModifiedDate":
+ last_modified = value
+ break
+ else:
+ bb.warn("Cannot parse CVE metadata, update failed")
+ return
+
+ # Compare with current db last modified date
+ c.execute("select DATE from META where YEAR = ?", (year,))
+ meta = c.fetchone()
+ if not meta or meta[0] != last_modified:
+ # Clear products table entries corresponding to current year
+ c.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,))
+
+ # Update db with current year json file
+ try:
+ if proxy_opener:
+ response = proxy_opener.open(json_url)
+ else:
+ req = urllib.request.Request(json_url)
+ response = urllib.request.urlopen(req)
+
+ if response:
+ update_db(c, gzip.decompress(response.read()).decode('utf-8'))
+ c.execute("insert or replace into META values (?, ?)", [year, last_modified])
+ except urllib.error.URLError as e:
+ cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
+ bb.warn("Cannot parse CVE data (%s), update failed" % e.reason)
+ return
+
+ # Update success, set the date to cve_check file.
+ if year == date.today().year:
+ cve_f.write('CVE database update : %s\n\n' % date.today())
+
+ cve_f.close()
+ conn.commit()
+ conn.close()
+}
+
+def initialize_db(c):
+ c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
+ c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
+ SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
+ c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
+ VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
+ VERSION_END TEXT, OPERATOR_END TEXT)")
+
+def parse_node_and_insert(c, node, cveId):
+ # Parse children node if needed
+ for child in node.get('children', ()):
+ parse_node_and_insert(c, child, cveId)
+
+ def cpe_generator():
+ for cpe in node.get('cpe_match', ()):
+ if not cpe['vulnerable']:
+ return
+ cpe23 = cpe['cpe23Uri'].split(':')
+ vendor = cpe23[3]
+ product = cpe23[4]
+ version = cpe23[5]
+
+ if version != '*':
+ # Version is defined, this is a '=' match
+ yield [cveId, vendor, product, version, '=', '', '']
+ else:
+ # Parse start version, end version and operators
+ op_start = ''
+ op_end = ''
+ v_start = ''
+ v_end = ''
+
+ if 'versionStartIncluding' in cpe:
+ op_start = '>='
+ v_start = cpe['versionStartIncluding']
+
+ if 'versionStartExcluding' in cpe:
+ op_start = '>'
+ v_start = cpe['versionStartExcluding']
+
+ if 'versionEndIncluding' in cpe:
+ op_end = '<='
+ v_end = cpe['versionEndIncluding']
+
+ if 'versionEndExcluding' in cpe:
+ op_end = '<'
+ v_end = cpe['versionEndExcluding']
+
+ yield [cveId, vendor, product, v_start, op_start, v_end, op_end]
+
+ c.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator())
+
+def update_db(c, jsondata):
+ import json
+ root = json.loads(jsondata)
+
+ for elt in root['CVE_Items']:
+ if not elt['impact']:
+ continue
+
+ cveId = elt['cve']['CVE_data_meta']['ID']
+ cveDesc = elt['cve']['description']['description_data'][0]['value']
+ date = elt['lastModifiedDate']
+ accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector']
+ cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore']
+
+ try:
+ cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
+ except:
+ cvssv3 = 0.0
+
+ c.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
+ [cveId, cveDesc, cvssv2, cvssv3, date, accessVector])
+
+ configurations = elt['configurations']['nodes']
+ for config in configurations:
+ parse_node_and_insert(c, config, cveId)
+
+
+addtask do_populate_cve_db before do_fetch
+do_populate_cve_db[nostamp] = "1"
+
+EXCLUDE_FROM_WORLD = "1"
diff --git a/meta/recipes-core/systemd/systemd.inc b/meta/recipes-core/systemd/systemd.inc
index 5bd88ed6ed..2b9c291959 100644
--- a/meta/recipes-core/systemd/systemd.inc
+++ b/meta/recipes-core/systemd/systemd.inc
@@ -14,7 +14,7 @@ LICENSE = "GPLv2 & LGPLv2.1"
LIC_FILES_CHKSUM = "file://LICENSE.GPL2;md5=751419260aa954499f7abaabaa882bbe \
file://LICENSE.LGPL2.1;md5=4fbd65380cdd255951079008b364516c"
-SRCREV = "c1f8ff8d0de7e303b8004b02a0a47d4cc103a7f8"
+SRCREV = "511646b8ac5c82f210b16920044465756913d238"
SRCBRANCH = "v241-stable"
SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=git;branch=${SRCBRANCH}"
diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc
index 7b9b4d2a30..a61bc78542 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -318,4 +318,8 @@ do_install_ptest() {
sed -i -e \
'/^TS_CMD_KILL/ s|kill|${PTEST_PATH}/bin/kill|g' \
${D}${PTEST_PATH}/tests/commands.sh
+
+
+ sed -i 's|@base_sbindir@|${base_sbindir}|g' ${D}${PTEST_PATH}/run-ptest
+
}
diff --git a/meta/recipes-core/util-linux/util-linux/run-ptest b/meta/recipes-core/util-linux/util-linux/run-ptest
index 03248325bf..e135ee583b 100644
--- a/meta/recipes-core/util-linux/util-linux/run-ptest
+++ b/meta/recipes-core/util-linux/util-linux/run-ptest
@@ -1,5 +1,14 @@
#!/bin/sh
+
+# When udevd (from eudev) is running most eject/mount tests will fail because
+# of automount. We need to stop udevd before executing util-linux's tests.
+# The systemd-udevd daemon doesn't change the outcome of util-linux's tests.
+UDEV_PID="`pidof "@base_sbindir@/udevd"`"
+if [ "x$UDEV_PID" != "x" ]; then
+ /etc/init.d/udev stop
+fi
+
current_path=$(readlink -f $0)
export bindir=$(dirname $current_path)
export PATH=$bindir/bin:$PATH
@@ -27,3 +36,8 @@ do
}'
done
+
+if [ "x$UDEV_PID" != "x" ]; then
+ /etc/init.d/udev start
+fi
+
diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc
index 49e6827c1f..d3c52936d1 100644
--- a/meta/recipes-devtools/binutils/binutils-2.32.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
@@ -48,6 +48,10 @@ SRC_URI = "\
file://CVE-2019-9075.patch \
file://CVE-2019-9076.patch \
file://CVE-2019-9077.patch \
+ file://CVE-2019-9071.patch \
+ file://CVE-2019-12972.patch \
+ file://CVE-2019-14250.patch \
+ file://CVE-2019-14444.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0010-Change-default-emulation-for-mips64-linux.patch b/meta/recipes-devtools/binutils/binutils/0010-Change-default-emulation-for-mips64-linux.patch
index ba5e4c2ce5..5f4ac72f48 100644
--- a/meta/recipes-devtools/binutils/binutils/0010-Change-default-emulation-for-mips64-linux.patch
+++ b/meta/recipes-devtools/binutils/binutils/0010-Change-default-emulation-for-mips64-linux.patch
@@ -1,4 +1,4 @@
-From d540e95d05cd7c4b8924ac7b257c14ae0105d0ab Mon Sep 17 00:00:00 2001
+From 958a49749b772660d3bafb80748829cba6bed065 Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Mon, 2 Mar 2015 01:44:14 +0000
Subject: [PATCH 10/15] Change default emulation for mips64*-*-linux
@@ -14,7 +14,7 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/bfd/config.bfd b/bfd/config.bfd
-index 0e1ddb659c..cc65547588 100644
+index 0e1ddb659c..d4f50f0a8d 100644
--- a/bfd/config.bfd
+++ b/bfd/config.bfd
@@ -919,12 +919,12 @@ case "${targ}" in
@@ -30,7 +30,7 @@ index 0e1ddb659c..cc65547588 100644
- targ_defvec=mips_elf32_ntrad_be_vec
- targ_selvecs="mips_elf32_ntrad_le_vec mips_elf32_trad_be_vec mips_elf32_trad_le_vec mips_elf64_trad_be_vec mips_elf64_trad_le_vec"
+ targ_defvec=mips_elf64_trad_be_vec
-+ targ_selvecs="mips_elf32_ntrad_be_vec mips_elf32_ntrad_be_vec mips_elf32_trad_be_vec mips_elf32_trad_le_vec mips_elf64_trad_le_vec"
++ targ_selvecs="mips_elf32_ntrad_be_vec mips_elf32_ntrad_le_vec mips_elf32_trad_be_vec mips_elf32_trad_le_vec mips_elf64_trad_le_vec"
;;
mips*el-*-linux*)
targ_defvec=mips_elf32_trad_le_vec
@@ -54,6 +54,3 @@ index beba17ef51..917be6f8eb 100644
targ_extra_libpath=$targ_extra_emuls ;;
mips*el-*-linux-*) targ_emul=elf32ltsmip
targ_extra_emuls="elf32btsmip elf32ltsmipn32 elf64ltsmip elf32btsmipn32 elf64btsmip"
---
-2.20.1
-
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
new file mode 100644
index 0000000000..07d1d65467
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
@@ -0,0 +1,51 @@
+From 30bcc01478433a1cb05b36dc5c4beef7d2c89b5b Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 21 Jun 2019 11:51:38 +0930
+Subject: [PATCH] PR24689, string table corruption
+
+The testcase in the PR had a e_shstrndx section of type SHT_GROUP.
+hdr->contents were initialized by setup_group rather than being read
+from the file, thus last byte was not zero and string dereference ran
+off the end of the buffer.
+
+ PR 24689
+ * elfcode.h (elf_object_p): Check type of e_shstrndx section.
+
+Upstream-Status: Backport
+CVE: CVE-2019-12972
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ bfd/ChangeLog | 5 +++++
+ bfd/elfcode.h | 3 ++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index 91f09e6346..e66fb40a2c 100644
+--- a/bfd/ChangeLog
++++ b/bfd/ChangeLog
+@@ -1,3 +1,8 @@
++2019-06-21 Alan Modra <amodra@gmail.com>
++
++ PR 24689
++ * elfcode.h (elf_object_p): Check type of e_shstrndx section.
++
+ 2019-02-20 Alan Modra <amodra@gmail.com>
+
+ PR 24236
+diff --git a/bfd/elfcode.h b/bfd/elfcode.h
+index ec5ea766de..a35a629087 100644
+--- a/bfd/elfcode.h
++++ b/bfd/elfcode.h
+@@ -755,7 +755,8 @@ elf_object_p (bfd *abfd)
+ /* A further sanity check. */
+ if (i_ehdrp->e_shnum != 0)
+ {
+- if (i_ehdrp->e_shstrndx >= elf_numsections (abfd))
++ if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)
++ || i_shdrp[i_ehdrp->e_shstrndx].sh_type != SHT_STRTAB)
+ {
+ /* PR 2257:
+ We used to just goto got_wrong_format_error here
+--
+2.20.1
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-14250.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-14250.patch
new file mode 100644
index 0000000000..c915a832b0
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-14250.patch
@@ -0,0 +1,33 @@
+From df78be05daf4eb07f60f50ec1080cb979af32ec0 Mon Sep 17 00:00:00 2001
+From: marxin <marxin@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Tue, 23 Jul 2019 07:33:32 +0000
+Subject: [PATCH] libiberty: Check zero value shstrndx in simple-object-elf.c
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@273718 138bc75d-0d04-0410-961f-82ee72b054a4
+
+CVE: CVE-2019-14250
+Upstream-Status: Backport [from gcc: https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=273718]
+[Removed Changelog entry]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+diff --git a/libiberty/simple-object-elf.c b/libiberty/simple-object-elf.c
+index 502388991a08..bdee963634d6 100644
+--- a/libiberty/simple-object-elf.c
++++ b/libiberty/simple-object-elf.c
+@@ -548,7 +548,15 @@ simple_object_elf_match (unsigned char header[SIMPLE_OBJECT_MATCH_HEADER_LEN],
+ XDELETE (eor);
+ return NULL;
+ }
+-
++
++ if (eor->shstrndx == 0)
++ {
++ *errmsg = "invalid ELF shstrndx == 0";
++ *err = 0;
++ XDELETE (eor);
++ return NULL;
++ }
++
+ return (void *) eor;
+ }
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch
new file mode 100644
index 0000000000..85b9a9f916
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch
@@ -0,0 +1,28 @@
+From e17869db99195849826eaaf5d2d0eb2cfdd7a2a7 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 5 Aug 2019 10:40:35 +0100
+Subject: [PATCH] Catch potential integer overflow in readelf when processing
+ corrupt binaries.
+
+ PR 24829
+ * readelf.c (apply_relocations): Catch potential integer overflow
+ whilst checking reloc location against section size.
+
+CVE: CVE-2019-14444
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e17869db99195849826eaaf5d2d0eb2cfdd7a2a7]
+[Removed Changelog entry]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index b896ad9f406..e785fde43e7 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -13366,7 +13366,7 @@ apply_relocations (Filedata * filedata,
+ }
+
+ rloc = start + rp->r_offset;
+- if ((rloc + reloc_size) > end || (rloc < start))
++ if (rloc >= end || (rloc + reloc_size) > end || (rloc < start))
+ {
+ warn (_("skipping invalid relocation offset 0x%lx in section %s\n"),
+ (unsigned long) rp->r_offset,
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch
new file mode 100644
index 0000000000..f02539942f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch
@@ -0,0 +1,165 @@
+From c1202057eb9161a86af27d867703235fee7b7555 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 10 Apr 2019 15:49:36 +0100
+Subject: [PATCH] Pull in patch for libiberty that fixes a stack exhaustion bug
+ when demangling a pathalogically constructed mangled name.
+
+ PR 89394
+ * cp-demangle.c (cplus_demangle_fill_name): Reject negative
+ lengths.
+ (d_count_templates_scopes): Replace num_templates and num_scopes
+ parameters with a struct d_print_info pointer parameter. Adjust
+ body of the function accordingly. Add recursion counter and check
+ that the recursion limit is not reached.
+ (d_print_init): Pass dpi parameter to d_count_templates_scopes.
+ Reset recursion counter afterwards, unless the recursion limit was
+ reached.
+
+CVE: CVE-2019-9071
+CVE: CVE-2019-9070
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ ChangeLog | 16 ++++++++++++++
+ libiberty/cp-demangle.c | 48 ++++++++++++++++++++++-------------------
+ 2 files changed, 42 insertions(+), 22 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index cd631a15b6..4df3aaa62c 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,19 @@
++2019-04-10 Nick Clifton <nickc@redhat.com>
++
++ * libiberty: Sync with gcc. Bring in:
++ 2019-04-10 Nick Clifton <nickc@redhat.com>
++
++ PR 89394
++ * cp-demangle.c (cplus_demangle_fill_name): Reject negative
++ lengths.
++ (d_count_templates_scopes): Replace num_templates and num_scopes
++ parameters with a struct d_print_info pointer parameter. Adjust
++ body of the function accordingly. Add recursion counter and check
++ that the recursion limit is not reached.
++ (d_print_init): Pass dpi parameter to d_count_templates_scopes.
++ Reset recursion counter afterwards, unless the recursion limit was
++ reached.
++
+ 2018-06-24 Nick Clifton <nickc@redhat.com>
+
+ 2.32 branch created.
+diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c
+index b34b485692..779b4e763a 100644
+--- a/libiberty/cp-demangle.c
++++ b/libiberty/cp-demangle.c
+@@ -861,7 +861,7 @@ CP_STATIC_IF_GLIBCPP_V3
+ int
+ cplus_demangle_fill_name (struct demangle_component *p, const char *s, int len)
+ {
+- if (p == NULL || s == NULL || len == 0)
++ if (p == NULL || s == NULL || len <= 0)
+ return 0;
+ p->d_printing = 0;
+ p->type = DEMANGLE_COMPONENT_NAME;
+@@ -4061,7 +4061,7 @@ d_growable_string_callback_adapter (const char *s, size_t l, void *opaque)
+ are larger than the actual numbers encountered. */
+
+ static void
+-d_count_templates_scopes (int *num_templates, int *num_scopes,
++d_count_templates_scopes (struct d_print_info *dpi,
+ const struct demangle_component *dc)
+ {
+ if (dc == NULL)
+@@ -4081,13 +4081,13 @@ d_count_templates_scopes (int *num_templates, int *num_scopes,
+ break;
+
+ case DEMANGLE_COMPONENT_TEMPLATE:
+- (*num_templates)++;
++ dpi->num_copy_templates++;
+ goto recurse_left_right;
+
+ case DEMANGLE_COMPONENT_REFERENCE:
+ case DEMANGLE_COMPONENT_RVALUE_REFERENCE:
+ if (d_left (dc)->type == DEMANGLE_COMPONENT_TEMPLATE_PARAM)
+- (*num_scopes)++;
++ dpi->num_saved_scopes++;
+ goto recurse_left_right;
+
+ case DEMANGLE_COMPONENT_QUAL_NAME:
+@@ -4152,42 +4152,42 @@ d_count_templates_scopes (int *num_templates, int *num_scopes,
+ case DEMANGLE_COMPONENT_TAGGED_NAME:
+ case DEMANGLE_COMPONENT_CLONE:
+ recurse_left_right:
+- d_count_templates_scopes (num_templates, num_scopes,
+- d_left (dc));
+- d_count_templates_scopes (num_templates, num_scopes,
+- d_right (dc));
++ /* PR 89394 - Check for too much recursion. */
++ if (dpi->recursion > DEMANGLE_RECURSION_LIMIT)
++ /* FIXME: There ought to be a way to report to the
++ user that the recursion limit has been reached. */
++ return;
++
++ ++ dpi->recursion;
++ d_count_templates_scopes (dpi, d_left (dc));
++ d_count_templates_scopes (dpi, d_right (dc));
++ -- dpi->recursion;
+ break;
+
+ case DEMANGLE_COMPONENT_CTOR:
+- d_count_templates_scopes (num_templates, num_scopes,
+- dc->u.s_ctor.name);
++ d_count_templates_scopes (dpi, dc->u.s_ctor.name);
+ break;
+
+ case DEMANGLE_COMPONENT_DTOR:
+- d_count_templates_scopes (num_templates, num_scopes,
+- dc->u.s_dtor.name);
++ d_count_templates_scopes (dpi, dc->u.s_dtor.name);
+ break;
+
+ case DEMANGLE_COMPONENT_EXTENDED_OPERATOR:
+- d_count_templates_scopes (num_templates, num_scopes,
+- dc->u.s_extended_operator.name);
++ d_count_templates_scopes (dpi, dc->u.s_extended_operator.name);
+ break;
+
+ case DEMANGLE_COMPONENT_FIXED_TYPE:
+- d_count_templates_scopes (num_templates, num_scopes,
+- dc->u.s_fixed.length);
++ d_count_templates_scopes (dpi, dc->u.s_fixed.length);
+ break;
+
+ case DEMANGLE_COMPONENT_GLOBAL_CONSTRUCTORS:
+ case DEMANGLE_COMPONENT_GLOBAL_DESTRUCTORS:
+- d_count_templates_scopes (num_templates, num_scopes,
+- d_left (dc));
++ d_count_templates_scopes (dpi, d_left (dc));
+ break;
+
+ case DEMANGLE_COMPONENT_LAMBDA:
+ case DEMANGLE_COMPONENT_DEFAULT_ARG:
+- d_count_templates_scopes (num_templates, num_scopes,
+- dc->u.s_unary_num.sub);
++ d_count_templates_scopes (dpi, dc->u.s_unary_num.sub);
+ break;
+ }
+ }
+@@ -4222,8 +4222,12 @@ d_print_init (struct d_print_info *dpi, demangle_callbackref callback,
+ dpi->next_copy_template = 0;
+ dpi->num_copy_templates = 0;
+
+- d_count_templates_scopes (&dpi->num_copy_templates,
+- &dpi->num_saved_scopes, dc);
++ d_count_templates_scopes (dpi, dc);
++ /* If we did not reach the recursion limit, then reset the
++ current recursion value back to 0, so that we can print
++ the templates. */
++ if (dpi->recursion < DEMANGLE_RECURSION_LIMIT)
++ dpi->recursion = 0;
+ dpi->num_copy_templates *= dpi->num_saved_scopes;
+
+ dpi->current_template = NULL;
+--
+2.20.1
+
diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
deleted file mode 100644
index 1c84fb1cf2..0000000000
--- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
+++ /dev/null
@@ -1,62 +0,0 @@
-SUMMARY = "cve-check-tool"
-DESCRIPTION = "cve-check-tool is a tool for checking known (public) CVEs.\
-The tool will identify potentially vunlnerable software packages within Linux distributions through version matching."
-HOMEPAGE = "https://github.com/ikeydoherty/cve-check-tool"
-SECTION = "Development/Tools"
-LICENSE = "GPL-2.0+"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6"
-
-SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \
- file://check-for-malloc_trim-before-using-it.patch \
- file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
- file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
- file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \
- file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \
- "
-
-SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
-SRC_URI[sha256sum] = "b8f283be718af8d31232ac1bfc10a0378fb958aaaa49af39168f8acf501e6a5b"
-
-UPSTREAM_CHECK_URI = "https://github.com/ikeydoherty/cve-check-tool/releases"
-
-DEPENDS = "libcheck glib-2.0 json-glib curl libxml2 sqlite3 openssl ca-certificates"
-
-RDEPENDS_${PN} = "ca-certificates"
-
-inherit pkgconfig autotools
-
-EXTRA_OECONF = "--disable-coverage --enable-relative-plugins"
-CFLAGS_append = " -Wno-error=pedantic"
-
-do_populate_cve_db() {
- if [ "${BB_NO_NETWORK}" = "1" ] ; then
- bbwarn "BB_NO_NETWORK is set; Can't update cve-check-tool database, new CVEs won't be detected"
- return
- fi
-
- # In case we don't inherit cve-check class, use default values defined in the class.
- cve_dir="${CVE_CHECK_DB_DIR}"
- cve_file="${CVE_CHECK_TMP_FILE}"
-
- [ -z "${cve_dir}" ] && cve_dir="${DL_DIR}/CVE_CHECK"
- [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check"
-
- unused="${@bb.utils.export_proxies(d)}"
- bbdebug 2 "Updating cve-check-tool database located in $cve_dir"
- # --cacert works around curl-native not finding the CA bundle
- if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then
- printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file"
- else
- bbwarn "Error in executing cve-check-update"
- if [ "${@'1' if bb.data.inherits_class('cve-check', d) else '0'}" -ne 0 ] ; then
- bbwarn "Failed to update cve-check-tool database, CVEs won't be checked"
- fi
- fi
-}
-
-addtask populate_cve_db after do_populate_sysroot
-do_populate_cve_db[depends] = "cve-check-tool-native:do_populate_sysroot"
-do_populate_cve_db[nostamp] = "1"
-do_populate_cve_db[progress] = "percent"
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
deleted file mode 100644
index 4a82cf2dde..0000000000
--- a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00 2001
-From: Peter Marko <peter.marko@siemens.com>
-Date: Thu, 13 Apr 2017 23:09:52 +0200
-Subject: [PATCH] Fix freeing memory allocated by sqlite
-
-Upstream-Status: Backport
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- src/core.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/core.c b/src/core.c
-index 6263031..6788f16 100644
---- a/src/core.c
-+++ b/src/core.c
-@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self)
- rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
- if (rc != SQLITE_OK) {
- fprintf(stderr, "ensure_table(): %s\n", err);
-- free(err);
-+ sqlite3_free(err);
- return false;
- }
-
-@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self)
- rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
- if (rc != SQLITE_OK) {
- fprintf(stderr, "ensure_table(): %s\n", err);
-- free(err);
-+ sqlite3_free(err);
- return false;
- }
-
-@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self)
- rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
- if (rc != SQLITE_OK) {
- fprintf(stderr, "ensure_table(): %s\n", err);
-- free(err);
-+ sqlite3_free(err);
- return false;
- }
- if (err) {
-- free(err);
-+ sqlite3_free(err);
- }
-
- return true;
---
-2.1.4
-
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
deleted file mode 100644
index 3d8ebd1bd2..0000000000
--- a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
+++ /dev/null
@@ -1,215 +0,0 @@
-From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001
-From: Jussi Kukkonen <jussi.kukkonen@intel.com>
-Date: Thu, 9 Feb 2017 14:51:28 +0200
-Subject: [PATCH] curl: allow overriding default CA certificate file
-
-Similar to curl, --cacert can now be used in cve-check-tool and
-cve-check-update to override the default CA certificate file. Useful
-in cases where the system default is unsuitable (for example,
-out-dated) or broken (as in OE's current native libcurl, which embeds
-a path string from one build host and then uses it on another although
-the right path may have become something different).
-
-Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/45]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
-
-
-Took Patrick Ohlys original patch from meta-security-isafw, rebased
-on top of other patches.
-
-Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
----
- src/library/cve-check-tool.h | 1 +
- src/library/fetch.c | 10 +++++++++-
- src/library/fetch.h | 3 ++-
- src/main.c | 5 ++++-
- src/update-main.c | 4 +++-
- src/update.c | 12 +++++++-----
- src/update.h | 2 +-
- 7 files changed, 27 insertions(+), 10 deletions(-)
-
-diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h
-index e4bb5b1..f89eade 100644
---- a/src/library/cve-check-tool.h
-+++ b/src/library/cve-check-tool.h
-@@ -43,6 +43,7 @@ typedef struct CveCheckTool {
- bool bugs; /**<Whether bug tracking is enabled */
- GHashTable *mapping; /**<CVE Mapping */
- const char *output_file; /**<Output file, if any */
-+ const char *cacert_file; /**<Non-default SSL certificate file, if any */
- } CveCheckTool;
-
- /**
-diff --git a/src/library/fetch.c b/src/library/fetch.c
-index 0fe6d76..8f998c3 100644
---- a/src/library/fetch.c
-+++ b/src/library/fetch.c
-@@ -60,7 +60,8 @@ static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow
- }
-
- FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-- unsigned int start_percent, unsigned int end_percent)
-+ unsigned int start_percent, unsigned int end_percent,
-+ const char *cacert_file)
- {
- FetchStatus ret = FETCH_STATUS_FAIL;
- CURLcode res;
-@@ -74,6 +75,13 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
- return ret;
- }
-
-+ if (cacert_file) {
-+ res = curl_easy_setopt(curl, CURLOPT_CAINFO, cacert_file);
-+ if (res != CURLE_OK) {
-+ goto bail;
-+ }
-+ }
-+
- if (stat(target, &st) == 0) {
- res = curl_easy_setopt(curl, CURLOPT_TIMECONDITION, CURL_TIMECOND_IFMODSINCE);
- if (res != CURLE_OK) {
-diff --git a/src/library/fetch.h b/src/library/fetch.h
-index 4cce5d1..836c7d7 100644
---- a/src/library/fetch.h
-+++ b/src/library/fetch.h
-@@ -29,7 +29,8 @@ typedef enum {
- * @return A FetchStatus, indicating the operation taken
- */
- FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-- unsigned int this_percent, unsigned int next_percent);
-+ unsigned int this_percent, unsigned int next_percent,
-+ const char *cacert_file);
-
- /**
- * Attempt to extract the given gzipped file
-diff --git a/src/main.c b/src/main.c
-index 8e6f158..ae69d47 100644
---- a/src/main.c
-+++ b/src/main.c
-@@ -280,6 +280,7 @@ static bool csv_mode = false;
- static char *modified_stamp = NULL;
- static gchar *mapping_file = NULL;
- static gchar *output_file = NULL;
-+static gchar *cacert_file = NULL;
-
- static GOptionEntry _entries[] = {
- { "not-patched", 'n', 0, G_OPTION_ARG_NONE, &hide_patched, "Hide patched/addressed CVEs", NULL },
-@@ -294,6 +295,7 @@ static GOptionEntry _entries[] = {
- { "csv", 'c', 0, G_OPTION_ARG_NONE, &csv_mode, "Output CSV formatted data only", NULL },
- { "mapping", 'M', 0, G_OPTION_ARG_STRING, &mapping_file, "Path to a mapping file", NULL},
- { "output-file", 'o', 0, G_OPTION_ARG_STRING, &output_file, "Path to the output file (output plugin specific)", NULL},
-+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
- { .short_name = 0 }
- };
-
-@@ -492,6 +494,7 @@ int main(int argc, char **argv)
-
- quiet = csv_mode || !no_html;
- self->output_file = output_file;
-+ self->cacert_file = cacert_file;
-
- if (!csv_mode && self->output_file) {
- quiet = false;
-@@ -530,7 +533,7 @@ int main(int argc, char **argv)
- if (status) {
- fprintf(stderr, "Update of db forced\n");
- cve_db_unlock();
-- if (!update_db(quiet, db_path->str)) {
-+ if (!update_db(quiet, db_path->str, self->cacert_file)) {
- fprintf(stderr, "DB update failure\n");
- goto cleanup;
- }
-diff --git a/src/update-main.c b/src/update-main.c
-index 2379cfa..c52d9d0 100644
---- a/src/update-main.c
-+++ b/src/update-main.c
-@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the License, or\n\
- static gchar *nvds = NULL;
- static bool _show_version = false;
- static bool _quiet = false;
-+static const char *_cacert_file = NULL;
-
- static GOptionEntry _entries[] = {
- { "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory in filesystem", NULL },
- { "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show version", NULL },
- { "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", NULL },
-+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
- { .short_name = 0 }
- };
-
-@@ -88,7 +90,7 @@ int main(int argc, char **argv)
- goto end;
- }
-
-- if (update_db(_quiet, db_path->str)) {
-+ if (update_db(_quiet, db_path->str, _cacert_file)) {
- ret = EXIT_SUCCESS;
- } else {
- fprintf(stderr, "Failed to update database\n");
-diff --git a/src/update.c b/src/update.c
-index 070560a..8cb4a39 100644
---- a/src/update.c
-+++ b/src/update.c
-@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)
-
- static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,
- bool db_exist, bool verbose,
-- unsigned int this_percent, unsigned int next_percent)
-+ unsigned int this_percent, unsigned int next_percent,
-+ const char *cacert_file)
- {
- const char nvd_uri[] = URI_PREFIX;
- autofree(cve_string) *uri_meta = NULL;
-@@ -331,14 +332,14 @@ refetch:
- }
-
- /* Fetch NVD META file */
-- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent);
-+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent, cacert_file);
- if (st == FETCH_STATUS_FAIL) {
- fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);
- return -1;
- }
-
- /* Fetch NVD XML file */
-- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent);
-+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent, cacert_file);
- switch (st) {
- case FETCH_STATUS_FAIL:
- fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str);
-@@ -391,7 +392,7 @@ refetch:
- return 0;
- }
-
--bool update_db(bool quiet, const char *db_file)
-+bool update_db(bool quiet, const char *db_file, const char *cacert_file)
- {
- autofree(char) *db_dir = NULL;
- autofree(CveDB) *cve_db = NULL;
-@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file)
- if (!quiet)
- fprintf(stderr, "completed: %u%%\r", start_percent);
- rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,
-- start_percent, end_percent);
-+ start_percent, end_percent,
-+ cacert_file);
- switch (rc) {
- case 0:
- if (!quiet)
-diff --git a/src/update.h b/src/update.h
-index b8e9911..ceea0c3 100644
---- a/src/update.h
-+++ b/src/update.h
-@@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path);
-
- int update_required(const char *db_file);
-
--bool update_db(bool quiet, const char *db_file);
-+bool update_db(bool quiet, const char *db_file, const char *cacert_file);
-
-
- /*
---
-2.1.4
-
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch b/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch
deleted file mode 100644
index 8ea6f686e3..0000000000
--- a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From e9ed26cde63f8ca7607a010a518329339f8c02d3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <git@andred.net>
-Date: Mon, 26 Sep 2016 12:12:41 +0100
-Subject: [PATCH] print progress in percent when downloading CVE db
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Upstream-Status: Pending
-Signed-off-by: André Draszik <git@andred.net>
----
- src/library/fetch.c | 28 +++++++++++++++++++++++++++-
- src/library/fetch.h | 3 ++-
- src/update.c | 16 ++++++++++++----
- 3 files changed, 41 insertions(+), 6 deletions(-)
-
-diff --git a/src/library/fetch.c b/src/library/fetch.c
-index 06d4b30..0fe6d76 100644
---- a/src/library/fetch.c
-+++ b/src/library/fetch.c
-@@ -37,13 +37,37 @@ static size_t write_func(void *ptr, size_t size, size_t nmemb, struct fetch_t *f
- return fwrite(ptr, size, nmemb, f->f);
- }
-
--FetchStatus fetch_uri(const char *uri, const char *target, bool verbose)
-+struct percent_t {
-+ unsigned int start;
-+ unsigned int end;
-+};
-+
-+static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow, curl_off_t ultotal, curl_off_t ulnow)
-+{
-+ (void) ultotal;
-+ (void) ulnow;
-+
-+ struct percent_t *percent = (struct percent_t *) ptr;
-+
-+ if (dltotal && percent && percent->end >= percent->start) {
-+ unsigned int diff = percent->end - percent->start;
-+ if (diff) {
-+ fprintf(stderr,"completed: %"CURL_FORMAT_CURL_OFF_T"%%\r", percent->start + (diff * dlnow / dltotal));
-+ }
-+ }
-+
-+ return 0;
-+}
-+
-+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-+ unsigned int start_percent, unsigned int end_percent)
- {
- FetchStatus ret = FETCH_STATUS_FAIL;
- CURLcode res;
- struct stat st;
- CURL *curl = NULL;
- struct fetch_t *f = NULL;
-+ struct percent_t percent = { .start = start_percent, .end = end_percent };
-
- curl = curl_easy_init();
- if (!curl) {
-@@ -67,6 +91,8 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose)
- }
- if (verbose) {
- (void)curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0L);
-+ (void)curl_easy_setopt(curl, CURLOPT_XFERINFODATA, &percent);
-+ (void)curl_easy_setopt(curl, CURLOPT_XFERINFOFUNCTION, progress_callback_new);
- }
- res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, (curl_write_callback)write_func);
- if (res != CURLE_OK) {
-diff --git a/src/library/fetch.h b/src/library/fetch.h
-index 70c3779..4cce5d1 100644
---- a/src/library/fetch.h
-+++ b/src/library/fetch.h
-@@ -28,7 +28,8 @@ typedef enum {
- * @param verbose Whether to be verbose
- * @return A FetchStatus, indicating the operation taken
- */
--FetchStatus fetch_uri(const char *uri, const char *target, bool verbose);
-+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-+ unsigned int this_percent, unsigned int next_percent);
-
- /**
- * Attempt to extract the given gzipped file
-diff --git a/src/update.c b/src/update.c
-index 30fbe96..eaeeefd 100644
---- a/src/update.c
-+++ b/src/update.c
-@@ -266,7 +266,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)
- }
-
- static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,
-- bool db_exist, bool verbose)
-+ bool db_exist, bool verbose,
-+ unsigned int this_percent, unsigned int next_percent)
- {
- const char nvd_uri[] = URI_PREFIX;
- autofree(cve_string) *uri_meta = NULL;
-@@ -330,14 +331,14 @@ refetch:
- }
-
- /* Fetch NVD META file */
-- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose);
-+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent);
- if (st == FETCH_STATUS_FAIL) {
- fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);
- return -1;
- }
-
- /* Fetch NVD XML file */
-- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose);
-+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent);
- switch (st) {
- case FETCH_STATUS_FAIL:
- fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str);
-@@ -459,10 +460,17 @@ bool update_db(bool quiet, const char *db_file)
- for (int i = YEAR_START; i <= year+1; i++) {
- int y = i > year ? -1 : i;
- int rc;
-+ unsigned int start_percent = ((i+0 - YEAR_START) * 100) / (year+2 - YEAR_START);
-+ unsigned int end_percent = ((i+1 - YEAR_START) * 100) / (year+2 - YEAR_START);
-
-- rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet);
-+ if (!quiet)
-+ fprintf(stderr, "completed: %u%%\r", start_percent);
-+ rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,
-+ start_percent, end_percent);
- switch (rc) {
- case 0:
-+ if (!quiet)
-+ fprintf(stderr,"completed: %u%%\r", end_percent);
- continue;
- case ENOMEM:
- goto oom;
---
-2.9.3
-
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
deleted file mode 100644
index 458c0cc84e..0000000000
--- a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001
-From: Sergey Popovich <popovich_sergei@mail.ua>
-Date: Fri, 21 Apr 2017 07:32:23 -0700
-Subject: [PATCH] update: Compare computed vs expected sha256 digit string
- ignoring case
-
-We produce sha256 digest string using %x snprintf()
-qualifier for each byte of digest which uses alphabetic
-characters from "a" to "f" in lower case to represent
-integer values from 10 to 15.
-
-Previously all of the NVD META files supply sha256
-digest string for corresponding XML file in lower case.
-
-However due to some reason this changed recently to
-provide digest digits in upper case causing fetched
-data consistency checks to fail. This prevents database
-from being updated periodically.
-
-While commit c4f6e94 (update: Do not treat sha256 failure
-as fatal if requested) adds useful option to skip
-digest validation at all and thus provides workaround for
-this situation, it might be unacceptable for some
-deployments where we need to ensure that downloaded
-data is consistent before start parsing it and update
-SQLite database.
-
-Use strcasecmp() to compare two digest strings case
-insensitively and addressing this case.
-
-Upstream-Status: Backport
-Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
----
- src/update.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/update.c b/src/update.c
-index 8588f38..3cc6b67 100644
---- a/src/update.c
-+++ b/src/update.c
-@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data)
- snprintf(&csum_data[idx], len, "%02hhx", digest[i]);
- }
-
-- ret = streq(csum_meta, csum_data);
-+ ret = !strcasecmp(csum_meta, csum_data);
-
- err_unmap:
- munmap(buffer, length);
---
-2.11.0
-
diff --git a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch b/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch
deleted file mode 100644
index 0774ad946a..0000000000
--- a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From ce64633b9733e962b8d8482244301f614d8b5845 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Mon, 22 Aug 2016 22:54:24 -0700
-Subject: [PATCH] Check for malloc_trim before using it
-
-malloc_trim is gnu specific and not all libc
-implement it, threfore write a configure check
-to poke for it first and use the define to
-guard its use.
-
-Helps in compiling on musl based systems
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
-Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/48]
- configure.ac | 2 ++
- src/core.c | 4 ++--
- 2 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index d3b66ce..79c3542 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -19,6 +19,8 @@ m4_define([json_required_version], [0.16.0])
- m4_define([openssl_required_version],[1.0.0])
- # TODO: Set minimum sqlite
-
-+AC_CHECK_FUNCS_ONCE(malloc_trim)
-+
- PKG_CHECK_MODULES(CVE_CHECK_TOOL,
- [
- glib-2.0 >= glib_required_version,
-diff --git a/src/core.c b/src/core.c
-index 6263031..0d5df29 100644
---- a/src/core.c
-+++ b/src/core.c
-@@ -498,9 +498,9 @@ bool cve_db_load(CveDB *self, const char *fname)
- }
-
- b = true;
--
-+#ifdef HAVE_MALLOC_TRIM
- malloc_trim(0);
--
-+#endif
- xmlFreeTextReader(r);
- if (fd) {
- close(fd);
---
-2.9.3
-
diff --git a/meta/recipes-devtools/dpkg/dpkg/pager.patch b/meta/recipes-devtools/dpkg/dpkg/pager.patch
new file mode 100644
index 0000000000..e56b9d28af
--- /dev/null
+++ b/meta/recipes-devtools/dpkg/dpkg/pager.patch
@@ -0,0 +1,21 @@
+pager: Use less instead of pager
+
+pager is a Debianism. Istead use directly pager.
+
+Upstream-Status: Inappropriate [OE-Core integration specific]
+
+Suggested-by: Burton, Ross <ross.burton@intel.com>
+Signed-off-by: Ricardo Ribalda <ricardo@ribalda.com>
+diff --git a/lib/dpkg/dpkg.h b/lib/dpkg/dpkg.h
+index 2bb067a..6cbce80 100644
+--- a/lib/dpkg/dpkg.h
++++ b/lib/dpkg/dpkg.h
+@@ -95,7 +95,7 @@ DPKG_BEGIN_DECLS
+ #define MAXUPDATES 250
+
+ #define DEFAULTSHELL "sh"
+-#define DEFAULTPAGER "pager"
++#define DEFAULTPAGER "less"
+
+ #define MD5HASHLEN 32
+ #define MAXTRIGDIRECTIVE 256
diff --git a/meta/recipes-devtools/dpkg/dpkg_1.19.4.bb b/meta/recipes-devtools/dpkg/dpkg_1.19.4.bb
index c3dbda77a4..e6083e2219 100644
--- a/meta/recipes-devtools/dpkg/dpkg_1.19.4.bb
+++ b/meta/recipes-devtools/dpkg/dpkg_1.19.4.bb
@@ -13,6 +13,7 @@ SRC_URI = "${DEBIAN_MIRROR}/main/d/${BPN}/${BPN}_${PV}.tar.xz \
file://0006-add-musleabi-to-known-target-tripets.patch \
file://0007-dpkg-deb-build.c-Remove-usage-of-clamp-mtime-in-tar.patch \
file://0001-dpkg-Support-muslx32-build.patch \
+ file://pager.patch \
"
SRC_URI_append_class-native = " file://glibc2.5-sync_file_range.patch \
file://tweak-options-require-tar-1.27.patch \
diff --git a/meta/recipes-devtools/gcc/gcc-8.3.inc b/meta/recipes-devtools/gcc/gcc-8.3.inc
index a64f48a59b..854883054b 100644
--- a/meta/recipes-devtools/gcc/gcc-8.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-8.3.inc
@@ -72,6 +72,12 @@ SRC_URI = "\
file://0039-riscv-Disable-multilib-for-OE.patch \
file://0040-powerpc-powerpc64-Add-support-for-musl-ldso.patch \
file://0041-Add-a-recursion-limit-to-libiberty-s-demangling-code.patch \
+ file://0042-PR-debug-86964.patch \
+ file://0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch \
+ file://CVE-2019-14250.patch \
+ file://CVE-2019-15847_p1.patch \
+ file://CVE-2019-15847_p2.patch \
+ file://CVE-2019-15847_p3.patch \
"
SRC_URI[md5sum] = "65b210b4bfe7e060051f799e0f994896"
SRC_URI[sha256sum] = "64baadfe6cc0f4947a84cb12d7f0dfaf45bb58b7e92461639596c21e02d97d2c"
diff --git a/meta/recipes-devtools/gcc/gcc-8.3/0042-PR-debug-86964.patch b/meta/recipes-devtools/gcc/gcc-8.3/0042-PR-debug-86964.patch
new file mode 100644
index 0000000000..d9b5d39b77
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-8.3/0042-PR-debug-86964.patch
@@ -0,0 +1,94 @@
+From beb921e1106b5bcbb0c6e2be84b241327e2ffc51 Mon Sep 17 00:00:00 2001
+From: law <law@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Mon, 25 Mar 2019 21:19:09 +0000
+Subject: [PATCH] PR debug/86964 * dwarf2out.c
+ (premark_used_variables): New function. (prune_unused_types_walk): Do
+ not mark not premarked external variables. (prune_unused_types):
+ Call premark_used_variables.
+
+ * gcc.dg/debug/dwarf2/pr86964.c: New testcase.
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@269925 138bc75d-0d04-0410-961f-82ee72b054a4
+
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ gcc/ChangeLog | 8 ++++++
+ gcc/dwarf2out.c | 32 +++++++++++++++++++++
+ 2 files changed, 40 insertions(+)
+
+diff --git a/gcc/ChangeLog b/gcc/ChangeLog
+index 2075480ca2b..cdce539ac6f 100644
+--- a/gcc/ChangeLog
++++ b/gcc/ChangeLog
+@@ -1,3 +1,11 @@
++2019-03-25 Johan Karlsson <johan.karlsson@enea.com>
++
++ PR debug/86964
++ * dwarf2out.c (premark_used_variables): New function.
++ (prune_unused_types_walk): Do not mark not premarked external
++ variables.
++ (prune_unused_types): Call premark_used_variables.
++
+ 2019-02-22 Release Manager
+
+ * GCC 8.3.0 released.
+diff --git a/gcc/dwarf2out.c b/gcc/dwarf2out.c
+index ae8bdee9981..b9a624e1ac7 100644
+--- a/gcc/dwarf2out.c
++++ b/gcc/dwarf2out.c
+@@ -22658,6 +22658,21 @@ premark_types_used_by_global_vars (void)
+ ->traverse<void *, premark_types_used_by_global_vars_helper> (NULL);
+ }
+
++/* Mark all variables used by the symtab as perennial. */
++
++static void
++premark_used_variables (void)
++{
++ /* Mark DIEs in the symtab as used. */
++ varpool_node *var;
++ FOR_EACH_VARIABLE (var)
++ {
++ dw_die_ref die = lookup_decl_die (var->decl);
++ if (die)
++ die->die_perennial_p = 1;
++ }
++}
++
+ /* Generate a DW_TAG_call_site DIE in function DECL under SUBR_DIE
+ for CA_LOC call arg loc node. */
+
+@@ -29264,6 +29279,19 @@ prune_unused_types_walk (dw_die_ref die)
+
+ return;
+
++ case DW_TAG_variable:
++ if (flag_debug_only_used_symbols)
++ {
++ if (die->die_perennial_p)
++ break;
++
++ /* premark_used_variables marks external variables --- don't mark
++ them here. */
++ if (get_AT (die, DW_AT_external))
++ return;
++ }
++ /* FALLTHROUGH */
++
+ default:
+ /* Mark everything else. */
+ break;
+@@ -29390,6 +29418,10 @@ prune_unused_types (void)
+ /* Mark types that are used in global variables. */
+ premark_types_used_by_global_vars ();
+
++ /* Mark variables used in the symtab. */
++ if (flag_debug_only_used_symbols)
++ premark_used_variables ();
++
+ /* Set the mark on nodes that are actually used. */
+ prune_unused_types_walk (comp_unit_die ());
+ for (node = limbo_die_list; node; node = node->next)
+--
+2.21.0
diff --git a/meta/recipes-devtools/gcc/gcc-8.3/0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch b/meta/recipes-devtools/gcc/gcc-8.3/0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch
new file mode 100644
index 0000000000..f15207f581
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-8.3/0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch
@@ -0,0 +1,813 @@
+From f98495d90ba66f67fe922a4b9229ea787041c418 Mon Sep 17 00:00:00 2001
+From: thopre01 <thopre01@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Thu, 22 Nov 2018 14:46:17 +0000
+Subject: [PATCH] PR85434: Prevent spilling of stack protector guard's address
+ on ARM
+
+In case of high register pressure in PIC mode, address of the stack
+protector's guard can be spilled on ARM targets as shown in PR85434,
+thus allowing an attacker to control what the canary would be compared
+against. ARM does lack stack_protect_set and stack_protect_test insn
+patterns, defining them does not help as the address is expanded
+regularly and the patterns only deal with the copy and test of the
+guard with the canary.
+
+This problem does not occur for x86 targets because the PIC access and
+the test can be done in the same instruction. Aarch64 is exempt too
+because PIC access insn pattern are mov of UNSPEC which prevents it from
+the second access in the epilogue being CSEd in cse_local pass with the
+first access in the prologue.
+
+The approach followed here is to create new "combined" set and test
+standard pattern names that take the unexpanded guard and do the set or
+test. This allows the target to use an opaque pattern (eg. using UNSPEC)
+to hide the individual instructions being generated to the compiler and
+split the pattern into generic load, compare and branch instruction
+after register allocator, therefore avoiding any spilling. This is here
+implemented for the ARM targets. For targets not implementing these new
+standard pattern names, the existing stack_protect_set and
+stack_protect_test pattern names are used.
+
+To be able to split PIC access after register allocation, the functions
+had to be augmented to force a new PIC register load and to control
+which register it loads into. This is because sharing the PIC register
+between prologue and epilogue could lead to spilling due to CSE again
+which an attacker could use to control what the canary gets compared
+against.
+
+2018-11-22 Thomas Preud'homme <thomas.preudhomme@linaro.org>
+
+ gcc/
+ PR target/85434
+ * target-insns.def (stack_protect_combined_set): Define new standard
+ pattern name.
+ (stack_protect_combined_test): Likewise.
+ * cfgexpand.c (stack_protect_prologue): Try new
+ stack_protect_combined_set pattern first.
+ * function.c (stack_protect_epilogue): Try new
+ stack_protect_combined_test pattern first.
+ * config/arm/arm.c (require_pic_register): Add pic_reg and compute_now
+ parameters to control which register to use as PIC register and force
+ reloading PIC register respectively. Insert in the stream of insns if
+ possible.
+ (legitimize_pic_address): Expose above new parameters in prototype and
+ adapt recursive calls accordingly. Use pic_reg if non null instead of
+ cached one.
+ (arm_load_pic_register): Add pic_reg parameter and use it if non null.
+ (arm_legitimize_address): Adapt to new legitimize_pic_address
+ prototype.
+ (thumb_legitimize_address): Likewise.
+ (arm_emit_call_insn): Adapt to require_pic_register prototype change.
+ (arm_expand_prologue): Adapt to arm_load_pic_register prototype change.
+ (thumb1_expand_prologue): Likewise.
+ * config/arm/arm-protos.h (legitimize_pic_address): Adapt to prototype
+ change.
+ (arm_load_pic_register): Likewise.
+ * config/arm/predicated.md (guard_addr_operand): New predicate.
+ (guard_operand): New predicate.
+ * config/arm/arm.md (movsi expander): Adapt to legitimize_pic_address
+ prototype change.
+ (builtin_setjmp_receiver expander): Adapt to thumb1_expand_prologue
+ prototype change.
+ (stack_protect_combined_set): New expander..
+ (stack_protect_combined_set_insn): New insn_and_split pattern.
+ (stack_protect_set_insn): New insn pattern.
+ (stack_protect_combined_test): New expander.
+ (stack_protect_combined_test_insn): New insn_and_split pattern.
+ (arm_stack_protect_test_insn): New insn pattern.
+ * config/arm/thumb1.md (thumb1_stack_protect_test_insn): New insn pattern.
+ * config/arm/unspecs.md (UNSPEC_SP_SET): New unspec.
+ (UNSPEC_SP_TEST): Likewise.
+ * doc/md.texi (stack_protect_combined_set): Document new standard
+ pattern name.
+ (stack_protect_set): Clarify that the operand for guard's address is
+ legal.
+ (stack_protect_combined_test): Document new standard pattern name.
+ (stack_protect_test): Clarify that the operand for guard's address is
+ legal.
+
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@266379 138bc75d-0d04-0410-961f-82ee72b054a4
+
+Upstream-Status: Backport
+CVE: CVE-2018-12886
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ gcc/ChangeLog | 49 ++++++
+ gcc/cfgexpand.c | 17 +++
+ gcc/config/arm/arm-protos.h | 4 +-
+ gcc/config/arm/arm.c | 87 ++++++++---
+ gcc/config/arm/arm.md | 163 +++++++++++++++++++-
+ gcc/config/arm/predicates.md | 17 +++
+ gcc/config/arm/thumb1.md | 13 ++
+ gcc/config/arm/unspecs.md | 3 +
+ gcc/doc/md.texi | 55 ++++++-
+ gcc/function.c | 32 +++-
+ gcc/target-insns.def | 2 +
+ 11 files changed, 399 insertions(+), 43 deletions(-)
+ create mode 100644 gcc/testsuite/gcc.target/arm/pr85434.c
+
+diff --git a/gcc/ChangeLog b/gcc/ChangeLog
+index e2ebfd34214..fa41e7112e0 100644
+--- a/gcc/ChangeLog
++++ b/gcc/ChangeLog
+@@ -1537,6 +1537,55 @@
+ * config/arm/neon.md (movv4hf, movv8hf): Refactored to..
+ (mov<mov>): ..this and enable unconditionally.
+
++2018-11-22 Thomas Preud'homme <thomas.preudhomme@linaro.org>
++
++ * target-insns.def (stack_protect_combined_set): Define new standard
++ pattern name.
++ (stack_protect_combined_test): Likewise.
++ * cfgexpand.c (stack_protect_prologue): Try new
++ stack_protect_combined_set pattern first.
++ * function.c (stack_protect_epilogue): Try new
++ stack_protect_combined_test pattern first.
++ * config/arm/arm.c (require_pic_register): Add pic_reg and compute_now
++ parameters to control which register to use as PIC register and force
++ reloading PIC register respectively. Insert in the stream of insns if
++ possible.
++ (legitimize_pic_address): Expose above new parameters in prototype and
++ adapt recursive calls accordingly. Use pic_reg if non null instead of
++ cached one.
++ (arm_load_pic_register): Add pic_reg parameter and use it if non null.
++ (arm_legitimize_address): Adapt to new legitimize_pic_address
++ prototype.
++ (thumb_legitimize_address): Likewise.
++ (arm_emit_call_insn): Adapt to require_pic_register prototype change.
++ (arm_expand_prologue): Adapt to arm_load_pic_register prototype change.
++ (thumb1_expand_prologue): Likewise.
++ * config/arm/arm-protos.h (legitimize_pic_address): Adapt to prototype
++ change.
++ (arm_load_pic_register): Likewise.
++ * config/arm/predicated.md (guard_addr_operand): New predicate.
++ (guard_operand): New predicate.
++ * config/arm/arm.md (movsi expander): Adapt to legitimize_pic_address
++ prototype change.
++ (builtin_setjmp_receiver expander): Adapt to thumb1_expand_prologue
++ prototype change.
++ (stack_protect_combined_set): New expander..
++ (stack_protect_combined_set_insn): New insn_and_split pattern.
++ (stack_protect_set_insn): New insn pattern.
++ (stack_protect_combined_test): New expander.
++ (stack_protect_combined_test_insn): New insn_and_split pattern.
++ (arm_stack_protect_test_insn): New insn pattern.
++ * config/arm/thumb1.md (thumb1_stack_protect_test_insn): New insn pattern.
++ * config/arm/unspecs.md (UNSPEC_SP_SET): New unspec.
++ (UNSPEC_SP_TEST): Likewise.
++ * doc/md.texi (stack_protect_combined_set): Document new standard
++ pattern name.
++ (stack_protect_set): Clarify that the operand for guard's address is
++ legal.
++ (stack_protect_combined_test): Document new standard pattern name.
++ (stack_protect_test): Clarify that the operand for guard's address is
++ legal.
++
+ 2018-11-22 Uros Bizjak <ubizjak@gmail.com>
+
+ Backport from mainline
+diff --git a/gcc/cfgexpand.c b/gcc/cfgexpand.c
+index 8fa392fcd8a..21bdcdaeaa3 100644
+--- a/gcc/cfgexpand.c
++++ b/gcc/cfgexpand.c
+@@ -6185,6 +6185,23 @@ stack_protect_prologue (void)
+ rtx x, y;
+
+ x = expand_normal (crtl->stack_protect_guard);
++
++ if (targetm.have_stack_protect_combined_set () && guard_decl)
++ {
++ gcc_assert (DECL_P (guard_decl));
++ y = DECL_RTL (guard_decl);
++
++ /* Allow the target to compute address of Y and copy it to X without
++ leaking Y into a register. This combined address + copy pattern
++ allows the target to prevent spilling of any intermediate results by
++ splitting it after register allocator. */
++ if (rtx_insn *insn = targetm.gen_stack_protect_combined_set (x, y))
++ {
++ emit_insn (insn);
++ return;
++ }
++ }
++
+ if (guard_decl)
+ y = expand_normal (guard_decl);
+ else
+diff --git a/gcc/config/arm/arm-protos.h b/gcc/config/arm/arm-protos.h
+index 8d6d2395b84..00f5f16ed02 100644
+--- a/gcc/config/arm/arm-protos.h
++++ b/gcc/config/arm/arm-protos.h
+@@ -28,7 +28,7 @@ extern enum unwind_info_type arm_except_unwind_info (struct gcc_options *);
+ extern int use_return_insn (int, rtx);
+ extern bool use_simple_return_p (void);
+ extern enum reg_class arm_regno_class (int);
+-extern void arm_load_pic_register (unsigned long);
++extern void arm_load_pic_register (unsigned long, rtx);
+ extern int arm_volatile_func (void);
+ extern void arm_expand_prologue (void);
+ extern void arm_expand_epilogue (bool);
+@@ -69,7 +69,7 @@ extern int const_ok_for_dimode_op (HOST_WIDE_INT, enum rtx_code);
+ extern int arm_split_constant (RTX_CODE, machine_mode, rtx,
+ HOST_WIDE_INT, rtx, rtx, int);
+ extern int legitimate_pic_operand_p (rtx);
+-extern rtx legitimize_pic_address (rtx, machine_mode, rtx);
++extern rtx legitimize_pic_address (rtx, machine_mode, rtx, rtx, bool);
+ extern rtx legitimize_tls_address (rtx, rtx);
+ extern bool arm_legitimate_address_p (machine_mode, rtx, bool);
+ extern int arm_legitimate_address_outer_p (machine_mode, rtx, RTX_CODE, int);
+diff --git a/gcc/config/arm/arm.c b/gcc/config/arm/arm.c
+index 8393f0b87f3..12417de5102 100644
+--- a/gcc/config/arm/arm.c
++++ b/gcc/config/arm/arm.c
+@@ -7379,21 +7379,34 @@ legitimate_pic_operand_p (rtx x)
+ return 1;
+ }
+
+-/* Record that the current function needs a PIC register. Initialize
+- cfun->machine->pic_reg if we have not already done so. */
++/* Record that the current function needs a PIC register. If PIC_REG is null,
++ a new pseudo is allocated as PIC register, otherwise PIC_REG is used. In
++ both case cfun->machine->pic_reg is initialized if we have not already done
++ so. COMPUTE_NOW decide whether and where to set the PIC register. If true,
++ PIC register is reloaded in the current position of the instruction stream
++ irregardless of whether it was loaded before. Otherwise, it is only loaded
++ if not already done so (crtl->uses_pic_offset_table is null). Note that
++ nonnull PIC_REG is only supported iff COMPUTE_NOW is true and null PIC_REG
++ is only supported iff COMPUTE_NOW is false. */
+
+ static void
+-require_pic_register (void)
++require_pic_register (rtx pic_reg, bool compute_now)
+ {
++ gcc_assert (compute_now == (pic_reg != NULL_RTX));
++
+ /* A lot of the logic here is made obscure by the fact that this
+ routine gets called as part of the rtx cost estimation process.
+ We don't want those calls to affect any assumptions about the real
+ function; and further, we can't call entry_of_function() until we
+ start the real expansion process. */
+- if (!crtl->uses_pic_offset_table)
++ if (!crtl->uses_pic_offset_table || compute_now)
+ {
+- gcc_assert (can_create_pseudo_p ());
++ gcc_assert (can_create_pseudo_p ()
++ || (pic_reg != NULL_RTX
++ && REG_P (pic_reg)
++ && GET_MODE (pic_reg) == Pmode));
+ if (arm_pic_register != INVALID_REGNUM
++ && !compute_now
+ && !(TARGET_THUMB1 && arm_pic_register > LAST_LO_REGNUM))
+ {
+ if (!cfun->machine->pic_reg)
+@@ -7409,8 +7422,10 @@ require_pic_register (void)
+ {
+ rtx_insn *seq, *insn;
+
++ if (pic_reg == NULL_RTX)
++ pic_reg = gen_reg_rtx (Pmode);
+ if (!cfun->machine->pic_reg)
+- cfun->machine->pic_reg = gen_reg_rtx (Pmode);
++ cfun->machine->pic_reg = pic_reg;
+
+ /* Play games to avoid marking the function as needing pic
+ if we are being called as part of the cost-estimation
+@@ -7421,11 +7436,12 @@ require_pic_register (void)
+ start_sequence ();
+
+ if (TARGET_THUMB1 && arm_pic_register != INVALID_REGNUM
+- && arm_pic_register > LAST_LO_REGNUM)
++ && arm_pic_register > LAST_LO_REGNUM
++ && !compute_now)
+ emit_move_insn (cfun->machine->pic_reg,
+ gen_rtx_REG (Pmode, arm_pic_register));
+ else
+- arm_load_pic_register (0UL);
++ arm_load_pic_register (0UL, pic_reg);
+
+ seq = get_insns ();
+ end_sequence ();
+@@ -7438,16 +7454,33 @@ require_pic_register (void)
+ we can't yet emit instructions directly in the final
+ insn stream. Queue the insns on the entry edge, they will
+ be committed after everything else is expanded. */
+- insert_insn_on_edge (seq,
+- single_succ_edge (ENTRY_BLOCK_PTR_FOR_FN (cfun)));
++ if (currently_expanding_to_rtl)
++ insert_insn_on_edge (seq,
++ single_succ_edge
++ (ENTRY_BLOCK_PTR_FOR_FN (cfun)));
++ else
++ emit_insn (seq);
+ }
+ }
+ }
+ }
+
++/* Legitimize PIC load to ORIG into REG. If REG is NULL, a new pseudo is
++ created to hold the result of the load. If not NULL, PIC_REG indicates
++ which register to use as PIC register, otherwise it is decided by register
++ allocator. COMPUTE_NOW forces the PIC register to be loaded at the current
++ location in the instruction stream, irregardless of whether it was loaded
++ previously. Note that nonnull PIC_REG is only supported iff COMPUTE_NOW is
++ true and null PIC_REG is only supported iff COMPUTE_NOW is false.
++
++ Returns the register REG into which the PIC load is performed. */
++
+ rtx
+-legitimize_pic_address (rtx orig, machine_mode mode, rtx reg)
++legitimize_pic_address (rtx orig, machine_mode mode, rtx reg, rtx pic_reg,
++ bool compute_now)
+ {
++ gcc_assert (compute_now == (pic_reg != NULL_RTX));
++
+ if (GET_CODE (orig) == SYMBOL_REF
+ || GET_CODE (orig) == LABEL_REF)
+ {
+@@ -7480,9 +7513,12 @@ legitimize_pic_address (rtx orig, machine_mode mode, rtx reg)
+ rtx mem;
+
+ /* If this function doesn't have a pic register, create one now. */
+- require_pic_register ();
++ require_pic_register (pic_reg, compute_now);
++
++ if (pic_reg == NULL_RTX)
++ pic_reg = cfun->machine->pic_reg;
+
+- pat = gen_calculate_pic_address (reg, cfun->machine->pic_reg, orig);
++ pat = gen_calculate_pic_address (reg, pic_reg, orig);
+
+ /* Make the MEM as close to a constant as possible. */
+ mem = SET_SRC (pat);
+@@ -7531,9 +7567,11 @@ legitimize_pic_address (rtx orig, machine_mode mode, rtx reg)
+
+ gcc_assert (GET_CODE (XEXP (orig, 0)) == PLUS);
+
+- base = legitimize_pic_address (XEXP (XEXP (orig, 0), 0), Pmode, reg);
++ base = legitimize_pic_address (XEXP (XEXP (orig, 0), 0), Pmode, reg,
++ pic_reg, compute_now);
+ offset = legitimize_pic_address (XEXP (XEXP (orig, 0), 1), Pmode,
+- base == reg ? 0 : reg);
++ base == reg ? 0 : reg, pic_reg,
++ compute_now);
+
+ if (CONST_INT_P (offset))
+ {
+@@ -7633,16 +7671,17 @@ static GTY(()) int pic_labelno;
+ low register. */
+
+ void
+-arm_load_pic_register (unsigned long saved_regs ATTRIBUTE_UNUSED)
++arm_load_pic_register (unsigned long saved_regs ATTRIBUTE_UNUSED, rtx pic_reg)
+ {
+- rtx l1, labelno, pic_tmp, pic_rtx, pic_reg;
++ rtx l1, labelno, pic_tmp, pic_rtx;
+
+ if (crtl->uses_pic_offset_table == 0 || TARGET_SINGLE_PIC_BASE)
+ return;
+
+ gcc_assert (flag_pic);
+
+- pic_reg = cfun->machine->pic_reg;
++ if (pic_reg == NULL_RTX)
++ pic_reg = cfun->machine->pic_reg;
+ if (TARGET_VXWORKS_RTP)
+ {
+ pic_rtx = gen_rtx_SYMBOL_REF (Pmode, VXWORKS_GOTT_BASE);
+@@ -8718,7 +8757,8 @@ arm_legitimize_address (rtx x, rtx orig_x, machine_mode mode)
+ {
+ /* We need to find and carefully transform any SYMBOL and LABEL
+ references; so go back to the original address expression. */
+- rtx new_x = legitimize_pic_address (orig_x, mode, NULL_RTX);
++ rtx new_x = legitimize_pic_address (orig_x, mode, NULL_RTX, NULL_RTX,
++ false /*compute_now*/);
+
+ if (new_x != orig_x)
+ x = new_x;
+@@ -8786,7 +8826,8 @@ thumb_legitimize_address (rtx x, rtx orig_x, machine_mode mode)
+ {
+ /* We need to find and carefully transform any SYMBOL and LABEL
+ references; so go back to the original address expression. */
+- rtx new_x = legitimize_pic_address (orig_x, mode, NULL_RTX);
++ rtx new_x = legitimize_pic_address (orig_x, mode, NULL_RTX, NULL_RTX,
++ false /*compute_now*/);
+
+ if (new_x != orig_x)
+ x = new_x;
+@@ -18074,7 +18115,7 @@ arm_emit_call_insn (rtx pat, rtx addr, bool sibcall)
+ ? !targetm.binds_local_p (SYMBOL_REF_DECL (addr))
+ : !SYMBOL_REF_LOCAL_P (addr)))
+ {
+- require_pic_register ();
++ require_pic_register (NULL_RTX, false /*compute_now*/);
+ use_reg (&CALL_INSN_FUNCTION_USAGE (insn), cfun->machine->pic_reg);
+ }
+
+@@ -22006,7 +22047,7 @@ arm_expand_prologue (void)
+ mask &= THUMB2_WORK_REGS;
+ if (!IS_NESTED (func_type))
+ mask |= (1 << IP_REGNUM);
+- arm_load_pic_register (mask);
++ arm_load_pic_register (mask, NULL_RTX);
+ }
+
+ /* If we are profiling, make sure no instructions are scheduled before
+@@ -25237,7 +25278,7 @@ thumb1_expand_prologue (void)
+ /* Load the pic register before setting the frame pointer,
+ so we can use r7 as a temporary work register. */
+ if (flag_pic && arm_pic_register != INVALID_REGNUM)
+- arm_load_pic_register (live_regs_mask);
++ arm_load_pic_register (live_regs_mask, NULL_RTX);
+
+ if (!frame_pointer_needed && CALLER_INTERWORKING_SLOT_SIZE > 0)
+ emit_move_insn (gen_rtx_REG (Pmode, ARM_HARD_FRAME_POINTER_REGNUM),
+diff --git a/gcc/config/arm/arm.md b/gcc/config/arm/arm.md
+index c8dc9474b1b..f6196e93168 100644
+--- a/gcc/config/arm/arm.md
++++ b/gcc/config/arm/arm.md
+@@ -6021,7 +6021,8 @@
+ operands[1] = legitimize_pic_address (operands[1], SImode,
+ (!can_create_pseudo_p ()
+ ? operands[0]
+- : 0));
++ : NULL_RTX), NULL_RTX,
++ false /*compute_now*/);
+ }
+ "
+ )
+@@ -6309,7 +6310,7 @@
+ /* r3 is clobbered by set/longjmp, so we can use it as a scratch
+ register. */
+ if (arm_pic_register != INVALID_REGNUM)
+- arm_load_pic_register (1UL << 3);
++ arm_load_pic_register (1UL << 3, NULL_RTX);
+ DONE;
+ }")
+
+@@ -8634,6 +8635,164 @@
+ (set_attr "conds" "clob")]
+ )
+
++;; Named patterns for stack smashing protection.
++(define_expand "stack_protect_combined_set"
++ [(parallel
++ [(set (match_operand:SI 0 "memory_operand" "")
++ (unspec:SI [(match_operand:SI 1 "guard_operand" "")]
++ UNSPEC_SP_SET))
++ (clobber (match_scratch:SI 2 ""))
++ (clobber (match_scratch:SI 3 ""))])]
++ ""
++ ""
++)
++
++;; Use a separate insn from the above expand to be able to have the mem outside
++;; the operand #1 when register allocation comes. This is needed to avoid LRA
++;; try to reload the guard since we need to control how PIC access is done in
++;; the -fpic/-fPIC case (see COMPUTE_NOW parameter when calling
++;; legitimize_pic_address ()).
++(define_insn_and_split "*stack_protect_combined_set_insn"
++ [(set (match_operand:SI 0 "memory_operand" "=m,m")
++ (unspec:SI [(mem:SI (match_operand:SI 1 "guard_addr_operand" "X,X"))]
++ UNSPEC_SP_SET))
++ (clobber (match_scratch:SI 2 "=&l,&r"))
++ (clobber (match_scratch:SI 3 "=&l,&r"))]
++ ""
++ "#"
++ "reload_completed"
++ [(parallel [(set (match_dup 0) (unspec:SI [(mem:SI (match_dup 2))]
++ UNSPEC_SP_SET))
++ (clobber (match_dup 2))])]
++ "
++{
++ if (flag_pic)
++ {
++ /* Forces recomputing of GOT base now. */
++ legitimize_pic_address (operands[1], SImode, operands[2], operands[3],
++ true /*compute_now*/);
++ }
++ else
++ {
++ if (address_operand (operands[1], SImode))
++ operands[2] = operands[1];
++ else
++ {
++ rtx mem = XEXP (force_const_mem (SImode, operands[1]), 0);
++ emit_move_insn (operands[2], mem);
++ }
++ }
++}"
++ [(set_attr "arch" "t1,32")]
++)
++
++(define_insn "*stack_protect_set_insn"
++ [(set (match_operand:SI 0 "memory_operand" "=m,m")
++ (unspec:SI [(mem:SI (match_operand:SI 1 "register_operand" "+&l,&r"))]
++ UNSPEC_SP_SET))
++ (clobber (match_dup 1))]
++ ""
++ "@
++ ldr\\t%1, [%1]\;str\\t%1, %0\;movs\t%1,#0
++ ldr\\t%1, [%1]\;str\\t%1, %0\;mov\t%1,#0"
++ [(set_attr "length" "8,12")
++ (set_attr "conds" "clob,nocond")
++ (set_attr "type" "multiple")
++ (set_attr "arch" "t1,32")]
++)
++
++(define_expand "stack_protect_combined_test"
++ [(parallel
++ [(set (pc)
++ (if_then_else
++ (eq (match_operand:SI 0 "memory_operand" "")
++ (unspec:SI [(match_operand:SI 1 "guard_operand" "")]
++ UNSPEC_SP_TEST))
++ (label_ref (match_operand 2))
++ (pc)))
++ (clobber (match_scratch:SI 3 ""))
++ (clobber (match_scratch:SI 4 ""))
++ (clobber (reg:CC CC_REGNUM))])]
++ ""
++ ""
++)
++
++;; Use a separate insn from the above expand to be able to have the mem outside
++;; the operand #1 when register allocation comes. This is needed to avoid LRA
++;; try to reload the guard since we need to control how PIC access is done in
++;; the -fpic/-fPIC case (see COMPUTE_NOW parameter when calling
++;; legitimize_pic_address ()).
++(define_insn_and_split "*stack_protect_combined_test_insn"
++ [(set (pc)
++ (if_then_else
++ (eq (match_operand:SI 0 "memory_operand" "m,m")
++ (unspec:SI [(mem:SI (match_operand:SI 1 "guard_addr_operand" "X,X"))]
++ UNSPEC_SP_TEST))
++ (label_ref (match_operand 2))
++ (pc)))
++ (clobber (match_scratch:SI 3 "=&l,&r"))
++ (clobber (match_scratch:SI 4 "=&l,&r"))
++ (clobber (reg:CC CC_REGNUM))]
++ ""
++ "#"
++ "reload_completed"
++ [(const_int 0)]
++{
++ rtx eq;
++
++ if (flag_pic)
++ {
++ /* Forces recomputing of GOT base now. */
++ legitimize_pic_address (operands[1], SImode, operands[3], operands[4],
++ true /*compute_now*/);
++ }
++ else
++ {
++ if (address_operand (operands[1], SImode))
++ operands[3] = operands[1];
++ else
++ {
++ rtx mem = XEXP (force_const_mem (SImode, operands[1]), 0);
++ emit_move_insn (operands[3], mem);
++ }
++ }
++ if (TARGET_32BIT)
++ {
++ emit_insn (gen_arm_stack_protect_test_insn (operands[4], operands[0],
++ operands[3]));
++ rtx cc_reg = gen_rtx_REG (CC_Zmode, CC_REGNUM);
++ eq = gen_rtx_EQ (CC_Zmode, cc_reg, const0_rtx);
++ emit_jump_insn (gen_arm_cond_branch (operands[2], eq, cc_reg));
++ }
++ else
++ {
++ emit_insn (gen_thumb1_stack_protect_test_insn (operands[4], operands[0],
++ operands[3]));
++ eq = gen_rtx_EQ (VOIDmode, operands[4], const0_rtx);
++ emit_jump_insn (gen_cbranchsi4 (eq, operands[4], const0_rtx,
++ operands[2]));
++ }
++ DONE;
++}
++ [(set_attr "arch" "t1,32")]
++)
++
++(define_insn "arm_stack_protect_test_insn"
++ [(set (reg:CC_Z CC_REGNUM)
++ (compare:CC_Z (unspec:SI [(match_operand:SI 1 "memory_operand" "m,m")
++ (mem:SI (match_operand:SI 2 "register_operand" "+l,r"))]
++ UNSPEC_SP_TEST)
++ (const_int 0)))
++ (clobber (match_operand:SI 0 "register_operand" "=&l,&r"))
++ (clobber (match_dup 2))]
++ "TARGET_32BIT"
++ "ldr\t%0, [%2]\;ldr\t%2, %1\;eors\t%0, %2, %0"
++ [(set_attr "length" "8,12")
++ (set_attr "conds" "set")
++ (set_attr "type" "multiple")
++ (set_attr "arch" "t,32")]
++)
++
+ (define_expand "casesi"
+ [(match_operand:SI 0 "s_register_operand" "") ; index to jump on
+ (match_operand:SI 1 "const_int_operand" "") ; lower bound
+diff --git a/gcc/config/arm/predicates.md b/gcc/config/arm/predicates.md
+index 7e198f9bce4..69718ee9c7a 100644
+--- a/gcc/config/arm/predicates.md
++++ b/gcc/config/arm/predicates.md
+@@ -31,6 +31,23 @@
+ || REGNO_REG_CLASS (REGNO (op)) != NO_REGS));
+ })
+
++; Predicate for stack protector guard's address in
++; stack_protect_combined_set_insn and stack_protect_combined_test_insn patterns
++(define_predicate "guard_addr_operand"
++ (match_test "true")
++{
++ return (CONSTANT_ADDRESS_P (op)
++ || !targetm.cannot_force_const_mem (mode, op));
++})
++
++; Predicate for stack protector guard in stack_protect_combined_set and
++; stack_protect_combined_test patterns
++(define_predicate "guard_operand"
++ (match_code "mem")
++{
++ return guard_addr_operand (XEXP (op, 0), mode);
++})
++
+ (define_predicate "imm_for_neon_inv_logic_operand"
+ (match_code "const_vector")
+ {
+diff --git a/gcc/config/arm/thumb1.md b/gcc/config/arm/thumb1.md
+index 19dcdbcdd73..cd199c9c529 100644
+--- a/gcc/config/arm/thumb1.md
++++ b/gcc/config/arm/thumb1.md
+@@ -1962,4 +1962,17 @@
+ }"
+ [(set_attr "type" "mov_reg")]
+ )
++
++(define_insn "thumb1_stack_protect_test_insn"
++ [(set (match_operand:SI 0 "register_operand" "=&l")
++ (unspec:SI [(match_operand:SI 1 "memory_operand" "m")
++ (mem:SI (match_operand:SI 2 "register_operand" "+l"))]
++ UNSPEC_SP_TEST))
++ (clobber (match_dup 2))]
++ "TARGET_THUMB1"
++ "ldr\t%0, [%2]\;ldr\t%2, %1\;eors\t%0, %2, %0"
++ [(set_attr "length" "8")
++ (set_attr "conds" "set")
++ (set_attr "type" "multiple")]
++)
+
+diff --git a/gcc/config/arm/unspecs.md b/gcc/config/arm/unspecs.md
+index 19416736ef9..8f9dbcb08dc 100644
+--- a/gcc/config/arm/unspecs.md
++++ b/gcc/config/arm/unspecs.md
+@@ -86,6 +86,9 @@
+ UNSPEC_PROBE_STACK ; Probe stack memory reference
+ UNSPEC_NONSECURE_MEM ; Represent non-secure memory in ARMv8-M with
+ ; security extension
++ UNSPEC_SP_SET ; Represent the setting of stack protector's canary
++ UNSPEC_SP_TEST ; Represent the testing of stack protector's canary
++ ; against the guard.
+ ])
+
+ (define_c_enum "unspec" [
+diff --git a/gcc/doc/md.texi b/gcc/doc/md.texi
+index 295fc1f1143..895309b2f3c 100644
+--- a/gcc/doc/md.texi
++++ b/gcc/doc/md.texi
+@@ -7450,22 +7450,61 @@ builtins.
+ The get/set patterns have a single output/input operand respectively,
+ with @var{mode} intended to be @code{Pmode}.
+
++@cindex @code{stack_protect_combined_set} instruction pattern
++@item @samp{stack_protect_combined_set}
++This pattern, if defined, moves a @code{ptr_mode} value from an address
++whose declaration RTX is given in operand 1 to the memory in operand 0
++without leaving the value in a register afterward. If several
++instructions are needed by the target to perform the operation (eg. to
++load the address from a GOT entry then load the @code{ptr_mode} value
++and finally store it), it is the backend's responsibility to ensure no
++intermediate result gets spilled. This is to avoid leaking the value
++some place that an attacker might use to rewrite the stack guard slot
++after having clobbered it.
++
++If this pattern is not defined, then the address declaration is
++expanded first in the standard way and a @code{stack_protect_set}
++pattern is then generated to move the value from that address to the
++address in operand 0.
++
+ @cindex @code{stack_protect_set} instruction pattern
+ @item @samp{stack_protect_set}
+-This pattern, if defined, moves a @code{ptr_mode} value from the memory
+-in operand 1 to the memory in operand 0 without leaving the value in
+-a register afterward. This is to avoid leaking the value some place
+-that an attacker might use to rewrite the stack guard slot after
+-having clobbered it.
++This pattern, if defined, moves a @code{ptr_mode} value from the valid
++memory location in operand 1 to the memory in operand 0 without leaving
++the value in a register afterward. This is to avoid leaking the value
++some place that an attacker might use to rewrite the stack guard slot
++after having clobbered it.
++
++Note: on targets where the addressing modes do not allow to load
++directly from stack guard address, the address is expanded in a standard
++way first which could cause some spills.
+
+ If this pattern is not defined, then a plain move pattern is generated.
+
++@cindex @code{stack_protect_combined_test} instruction pattern
++@item @samp{stack_protect_combined_test}
++This pattern, if defined, compares a @code{ptr_mode} value from an
++address whose declaration RTX is given in operand 1 with the memory in
++operand 0 without leaving the value in a register afterward and
++branches to operand 2 if the values were equal. If several
++instructions are needed by the target to perform the operation (eg. to
++load the address from a GOT entry then load the @code{ptr_mode} value
++and finally store it), it is the backend's responsibility to ensure no
++intermediate result gets spilled. This is to avoid leaking the value
++some place that an attacker might use to rewrite the stack guard slot
++after having clobbered it.
++
++If this pattern is not defined, then the address declaration is
++expanded first in the standard way and a @code{stack_protect_test}
++pattern is then generated to compare the value from that address to the
++value at the memory in operand 0.
++
+ @cindex @code{stack_protect_test} instruction pattern
+ @item @samp{stack_protect_test}
+ This pattern, if defined, compares a @code{ptr_mode} value from the
+-memory in operand 1 with the memory in operand 0 without leaving the
+-value in a register afterward and branches to operand 2 if the values
+-were equal.
++valid memory location in operand 1 with the memory in operand 0 without
++leaving the value in a register afterward and branches to operand 2 if
++the values were equal.
+
+ If this pattern is not defined, then a plain compare pattern and
+ conditional branch pattern is used.
+diff --git a/gcc/function.c b/gcc/function.c
+index 85a5d9f43f7..69523c1d723 100644
+--- a/gcc/function.c
++++ b/gcc/function.c
+@@ -4937,18 +4937,34 @@ stack_protect_epilogue (void)
+ tree guard_decl = targetm.stack_protect_guard ();
+ rtx_code_label *label = gen_label_rtx ();
+ rtx x, y;
+- rtx_insn *seq;
++ rtx_insn *seq = NULL;
+
+ x = expand_normal (crtl->stack_protect_guard);
+- if (guard_decl)
+- y = expand_normal (guard_decl);
++
++ if (targetm.have_stack_protect_combined_test () && guard_decl)
++ {
++ gcc_assert (DECL_P (guard_decl));
++ y = DECL_RTL (guard_decl);
++ /* Allow the target to compute address of Y and compare it with X without
++ leaking Y into a register. This combined address + compare pattern
++ allows the target to prevent spilling of any intermediate results by
++ splitting it after register allocator. */
++ seq = targetm.gen_stack_protect_combined_test (x, y, label);
++ }
+ else
+- y = const0_rtx;
++ {
++ if (guard_decl)
++ y = expand_normal (guard_decl);
++ else
++ y = const0_rtx;
++
++ /* Allow the target to compare Y with X without leaking either into
++ a register. */
++ if (targetm.have_stack_protect_test ())
++ seq = targetm.gen_stack_protect_test (x, y, label);
++ }
+
+- /* Allow the target to compare Y with X without leaking either into
+- a register. */
+- if (targetm.have_stack_protect_test ()
+- && ((seq = targetm.gen_stack_protect_test (x, y, label)) != NULL_RTX))
++ if (seq)
+ emit_insn (seq);
+ else
+ emit_cmp_and_jump_insns (x, y, EQ, NULL_RTX, ptr_mode, 1, label);
+diff --git a/gcc/target-insns.def b/gcc/target-insns.def
+index 9a552c3d11c..d39889b3522 100644
+--- a/gcc/target-insns.def
++++ b/gcc/target-insns.def
+@@ -96,7 +96,9 @@ DEF_TARGET_INSN (sibcall_value, (rtx x0, rtx x1, rtx opt2, rtx opt3,
+ DEF_TARGET_INSN (simple_return, (void))
+ DEF_TARGET_INSN (split_stack_prologue, (void))
+ DEF_TARGET_INSN (split_stack_space_check, (rtx x0, rtx x1))
++DEF_TARGET_INSN (stack_protect_combined_set, (rtx x0, rtx x1))
+ DEF_TARGET_INSN (stack_protect_set, (rtx x0, rtx x1))
++DEF_TARGET_INSN (stack_protect_combined_test, (rtx x0, rtx x1, rtx x2))
+ DEF_TARGET_INSN (stack_protect_test, (rtx x0, rtx x1, rtx x2))
+ DEF_TARGET_INSN (store_multiple, (rtx x0, rtx x1, rtx x2))
+ DEF_TARGET_INSN (tablejump, (rtx x0, rtx x1))
+--
+2.21.0
diff --git a/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-14250.patch b/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-14250.patch
new file mode 100644
index 0000000000..e327684e16
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-14250.patch
@@ -0,0 +1,44 @@
+From a4f1b58eb48b349a5f353bc69c30be553506d33b Mon Sep 17 00:00:00 2001
+From: rguenth <rguenth@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Thu, 25 Jul 2019 10:48:26 +0000
+Subject: [PATCH] 2019-07-25 Richard Biener <rguenther@suse.de>
+
+ PR lto/90924
+ Backport from mainline
+ 2019-07-12 Ren Kimura <rkx1209dev@gmail.com>
+
+ * simple-object-elf.c (simple_object_elf_match): Check zero value
+ shstrndx.
+
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-8-branch@273794 138bc75d-0d04-0410-961f-82ee72b054a4
+
+Upstream-Status: Backport
+Affectes: < 9.2
+CVE: CVE-2019-14250
+Dropped changelog
+Signed-off-by: Armin Kuster <Akustre@mvista.com>
+
+---
+ libiberty/simple-object-elf.c | 8 ++++++++
+ 2 files changed, 17 insertions(+)
+
+Index: gcc-8.2.0/libiberty/simple-object-elf.c
+===================================================================
+--- gcc-8.2.0.orig/libiberty/simple-object-elf.c
++++ gcc-8.2.0/libiberty/simple-object-elf.c
+@@ -549,6 +549,14 @@ simple_object_elf_match (unsigned char h
+ return NULL;
+ }
+
++ if (eor->shstrndx == 0)
++ {
++ *errmsg = "invalid ELF shstrndx == 0";
++ *err = 0;
++ XDELETE (eor);
++ return NULL;
++ }
++
+ return (void *) eor;
+ }
+
diff --git a/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-15847_p1.patch b/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-15847_p1.patch
new file mode 100644
index 0000000000..6fb5afc6bc
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-15847_p1.patch
@@ -0,0 +1,521 @@
+From baf7c861e1cc523425029dcf81467f16c734fbd5 Mon Sep 17 00:00:00 2001
+From: segher <segher@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Fri, 30 Aug 2019 14:13:51 +0000
+Subject: [PATCH 1/3] Backport from trunk 2019-08-22 Segher Boessenkool
+ <segher@kernel.crashing.org>
+
+ * config/rs6000/altivec.md (unspec): Delete UNSPEC_DARN, UNSPEC_DARN_32,
+ UNSPEC_DARN_RAW, UNSPEC_CMPRB, UNSPEC_CMPRB2, UNSPEC_CMPEQB; move to...
+ * config/rs6000/rs6000.md (unspec): ... here.
+ * config/rs6000/altivec.md (darn_32, darn_raw, darn, cmprb,
+ *cmprb_internal, setb_signed, setb_unsigned, cmprb2, *cmprb2_internal,
+ cmpeqb, *cmpeqb_internal): Delete, move to...
+ * config/rs6000/rs6000.md (darn_32, darn_raw, darn, cmprb,
+ *cmprb_internal, setb_signed, setb_unsigned, cmprb2, *cmprb2_internal,
+ cmpeqb, *cmpeqb_internal): ... here.
+
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-8-branch@275180 138bc75d-0d04-0410-961f-82ee72b054a4
+
+Upstream-Status: Backport
+CVE: CVE-2019-14847 p1
+Affects <= 9.2.0
+Dropped Changelog changes
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ gcc/config/rs6000/altivec.md | 223 ------------------------------------------
+ gcc/config/rs6000/rs6000.md | 224 +++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 239 insertions(+), 223 deletions(-)
+
+Index: gcc-8.3.0/gcc/config/rs6000/altivec.md
+===================================================================
+--- gcc-8.3.0.orig/gcc/config/rs6000/altivec.md
++++ gcc-8.3.0/gcc/config/rs6000/altivec.md
+@@ -80,9 +80,6 @@
+ UNSPEC_VUPKHPX
+ UNSPEC_VUPKLPX
+ UNSPEC_CONVERT_4F32_8I16
+- UNSPEC_DARN
+- UNSPEC_DARN_32
+- UNSPEC_DARN_RAW
+ UNSPEC_DST
+ UNSPEC_DSTT
+ UNSPEC_DSTST
+@@ -161,9 +158,6 @@
+ UNSPEC_BCDADD
+ UNSPEC_BCDSUB
+ UNSPEC_BCD_OVERFLOW
+- UNSPEC_CMPRB
+- UNSPEC_CMPRB2
+- UNSPEC_CMPEQB
+ UNSPEC_VRLMI
+ UNSPEC_VRLNM
+ ])
+@@ -4317,223 +4311,6 @@
+ [(set_attr "length" "4")
+ (set_attr "type" "vecsimple")])
+
+-(define_insn "darn_32"
+- [(set (match_operand:SI 0 "register_operand" "=r")
+- (unspec:SI [(const_int 0)] UNSPEC_DARN_32))]
+- "TARGET_P9_MISC"
+- "darn %0,0"
+- [(set_attr "type" "integer")])
+-
+-(define_insn "darn_raw"
+- [(set (match_operand:DI 0 "register_operand" "=r")
+- (unspec:DI [(const_int 0)] UNSPEC_DARN_RAW))]
+- "TARGET_P9_MISC && TARGET_64BIT"
+- "darn %0,2"
+- [(set_attr "type" "integer")])
+-
+-(define_insn "darn"
+- [(set (match_operand:DI 0 "register_operand" "=r")
+- (unspec:DI [(const_int 0)] UNSPEC_DARN))]
+- "TARGET_P9_MISC && TARGET_64BIT"
+- "darn %0,1"
+- [(set_attr "type" "integer")])
+-
+-;; Test byte within range.
+-;;
+-;; The bytes of operand 1 are organized as xx:xx:xx:vv, where xx
+-;; represents a byte whose value is ignored in this context and
+-;; vv, the least significant byte, holds the byte value that is to
+-;; be tested for membership within the range specified by operand 2.
+-;; The bytes of operand 2 are organized as xx:xx:hi:lo.
+-;;
+-;; Return in target register operand 0 a value of 1 if lo <= vv and
+-;; vv <= hi. Otherwise, set register operand 0 to 0.
+-;;
+-;; Though the instructions to which this expansion maps operate on
+-;; 64-bit registers, the current implementation only operates on
+-;; SI-mode operands as the high-order bits provide no information
+-;; that is not already available in the low-order bits. To avoid the
+-;; costs of data widening operations, future enhancements might allow
+-;; DI mode for operand 0 and/or might allow operand 1 to be QI mode.
+-(define_expand "cmprb"
+- [(set (match_dup 3)
+- (unspec:CC [(match_operand:SI 1 "gpc_reg_operand" "r")
+- (match_operand:SI 2 "gpc_reg_operand" "r")]
+- UNSPEC_CMPRB))
+- (set (match_operand:SI 0 "gpc_reg_operand" "=r")
+- (if_then_else:SI (lt (match_dup 3)
+- (const_int 0))
+- (const_int -1)
+- (if_then_else (gt (match_dup 3)
+- (const_int 0))
+- (const_int 1)
+- (const_int 0))))]
+- "TARGET_P9_MISC"
+-{
+- operands[3] = gen_reg_rtx (CCmode);
+-})
+-
+-;; The bytes of operand 1 are organized as xx:xx:xx:vv, where xx
+-;; represents a byte whose value is ignored in this context and
+-;; vv, the least significant byte, holds the byte value that is to
+-;; be tested for membership within the range specified by operand 2.
+-;; The bytes of operand 2 are organized as xx:xx:hi:lo.
+-;;
+-;; Set bit 1 (the GT bit, 0x4) of CR register operand 0 to 1 if
+-;; lo <= vv and vv <= hi. Otherwise, set the GT bit to 0. The other
+-;; 3 bits of the target CR register are all set to 0.
+-(define_insn "*cmprb_internal"
+- [(set (match_operand:CC 0 "cc_reg_operand" "=y")
+- (unspec:CC [(match_operand:SI 1 "gpc_reg_operand" "r")
+- (match_operand:SI 2 "gpc_reg_operand" "r")]
+- UNSPEC_CMPRB))]
+- "TARGET_P9_MISC"
+- "cmprb %0,0,%1,%2"
+- [(set_attr "type" "logical")])
+-
+-;; Set operand 0 register to -1 if the LT bit (0x8) of condition
+-;; register operand 1 is on. Otherwise, set operand 0 register to 1
+-;; if the GT bit (0x4) of condition register operand 1 is on.
+-;; Otherwise, set operand 0 to 0. Note that the result stored into
+-;; register operand 0 is non-zero iff either the LT or GT bits are on
+-;; within condition register operand 1.
+-(define_insn "setb_signed"
+- [(set (match_operand:SI 0 "gpc_reg_operand" "=r")
+- (if_then_else:SI (lt (match_operand:CC 1 "cc_reg_operand" "y")
+- (const_int 0))
+- (const_int -1)
+- (if_then_else (gt (match_dup 1)
+- (const_int 0))
+- (const_int 1)
+- (const_int 0))))]
+- "TARGET_P9_MISC"
+- "setb %0,%1"
+- [(set_attr "type" "logical")])
+-
+-(define_insn "setb_unsigned"
+- [(set (match_operand:SI 0 "gpc_reg_operand" "=r")
+- (if_then_else:SI (ltu (match_operand:CCUNS 1 "cc_reg_operand" "y")
+- (const_int 0))
+- (const_int -1)
+- (if_then_else (gtu (match_dup 1)
+- (const_int 0))
+- (const_int 1)
+- (const_int 0))))]
+- "TARGET_P9_MISC"
+- "setb %0,%1"
+- [(set_attr "type" "logical")])
+-
+-;; Test byte within two ranges.
+-;;
+-;; The bytes of operand 1 are organized as xx:xx:xx:vv, where xx
+-;; represents a byte whose value is ignored in this context and
+-;; vv, the least significant byte, holds the byte value that is to
+-;; be tested for membership within the range specified by operand 2.
+-;; The bytes of operand 2 are organized as hi_1:lo_1:hi_2:lo_2.
+-;;
+-;; Return in target register operand 0 a value of 1 if (lo_1 <= vv and
+-;; vv <= hi_1) or if (lo_2 <= vv and vv <= hi_2). Otherwise, set register
+-;; operand 0 to 0.
+-;;
+-;; Though the instructions to which this expansion maps operate on
+-;; 64-bit registers, the current implementation only operates on
+-;; SI-mode operands as the high-order bits provide no information
+-;; that is not already available in the low-order bits. To avoid the
+-;; costs of data widening operations, future enhancements might allow
+-;; DI mode for operand 0 and/or might allow operand 1 to be QI mode.
+-(define_expand "cmprb2"
+- [(set (match_dup 3)
+- (unspec:CC [(match_operand:SI 1 "gpc_reg_operand" "r")
+- (match_operand:SI 2 "gpc_reg_operand" "r")]
+- UNSPEC_CMPRB2))
+- (set (match_operand:SI 0 "gpc_reg_operand" "=r")
+- (if_then_else:SI (lt (match_dup 3)
+- (const_int 0))
+- (const_int -1)
+- (if_then_else (gt (match_dup 3)
+- (const_int 0))
+- (const_int 1)
+- (const_int 0))))]
+- "TARGET_P9_MISC"
+-{
+- operands[3] = gen_reg_rtx (CCmode);
+-})
+-
+-;; The bytes of operand 1 are organized as xx:xx:xx:vv, where xx
+-;; represents a byte whose value is ignored in this context and
+-;; vv, the least significant byte, holds the byte value that is to
+-;; be tested for membership within the ranges specified by operand 2.
+-;; The bytes of operand 2 are organized as hi_1:lo_1:hi_2:lo_2.
+-;;
+-;; Set bit 1 (the GT bit, 0x4) of CR register operand 0 to 1 if
+-;; (lo_1 <= vv and vv <= hi_1) or if (lo_2 <= vv and vv <= hi_2).
+-;; Otherwise, set the GT bit to 0. The other 3 bits of the target
+-;; CR register are all set to 0.
+-(define_insn "*cmprb2_internal"
+- [(set (match_operand:CC 0 "cc_reg_operand" "=y")
+- (unspec:CC [(match_operand:SI 1 "gpc_reg_operand" "r")
+- (match_operand:SI 2 "gpc_reg_operand" "r")]
+- UNSPEC_CMPRB2))]
+- "TARGET_P9_MISC"
+- "cmprb %0,1,%1,%2"
+- [(set_attr "type" "logical")])
+-
+-;; Test byte membership within set of 8 bytes.
+-;;
+-;; The bytes of operand 1 are organized as xx:xx:xx:vv, where xx
+-;; represents a byte whose value is ignored in this context and
+-;; vv, the least significant byte, holds the byte value that is to
+-;; be tested for membership within the set specified by operand 2.
+-;; The bytes of operand 2 are organized as e0:e1:e2:e3:e4:e5:e6:e7.
+-;;
+-;; Return in target register operand 0 a value of 1 if vv equals one
+-;; of the values e0, e1, e2, e3, e4, e5, e6, or e7. Otherwise, set
+-;; register operand 0 to 0. Note that the 8 byte values held within
+-;; operand 2 need not be unique.
+-;;
+-;; Though the instructions to which this expansion maps operate on
+-;; 64-bit registers, the current implementation requires that operands
+-;; 0 and 1 have mode SI as the high-order bits provide no information
+-;; that is not already available in the low-order bits. To avoid the
+-;; costs of data widening operations, future enhancements might allow
+-;; DI mode for operand 0 and/or might allow operand 1 to be QI mode.
+-(define_expand "cmpeqb"
+- [(set (match_dup 3)
+- (unspec:CC [(match_operand:SI 1 "gpc_reg_operand" "r")
+- (match_operand:DI 2 "gpc_reg_operand" "r")]
+- UNSPEC_CMPEQB))
+- (set (match_operand:SI 0 "gpc_reg_operand" "=r")
+- (if_then_else:SI (lt (match_dup 3)
+- (const_int 0))
+- (const_int -1)
+- (if_then_else (gt (match_dup 3)
+- (const_int 0))
+- (const_int 1)
+- (const_int 0))))]
+- "TARGET_P9_MISC && TARGET_64BIT"
+-{
+- operands[3] = gen_reg_rtx (CCmode);
+-})
+-
+-;; The bytes of operand 1 are organized as xx:xx:xx:vv, where xx
+-;; represents a byte whose value is ignored in this context and
+-;; vv, the least significant byte, holds the byte value that is to
+-;; be tested for membership within the set specified by operand 2.
+-;; The bytes of operand 2 are organized as e0:e1:e2:e3:e4:e5:e6:e7.
+-;;
+-;; Set bit 1 (the GT bit, 0x4) of CR register operand 0 to 1 if vv
+-;; equals one of the values e0, e1, e2, e3, e4, e5, e6, or e7. Otherwise,
+-;; set the GT bit to zero. The other 3 bits of the target CR register
+-;; are all set to 0.
+-(define_insn "*cmpeqb_internal"
+- [(set (match_operand:CC 0 "cc_reg_operand" "=y")
+- (unspec:CC [(match_operand:SI 1 "gpc_reg_operand" "r")
+- (match_operand:DI 2 "gpc_reg_operand" "r")]
+- UNSPEC_CMPEQB))]
+- "TARGET_P9_MISC && TARGET_64BIT"
+- "cmpeqb %0,%1,%2"
+- [(set_attr "type" "logical")])
+-
+ (define_expand "bcd<bcd_add_sub>_<code>"
+ [(parallel [(set (reg:CCFP CR6_REGNO)
+ (compare:CCFP
+Index: gcc-8.3.0/gcc/config/rs6000/rs6000.md
+===================================================================
+--- gcc-8.3.0.orig/gcc/config/rs6000/rs6000.md
++++ gcc-8.3.0/gcc/config/rs6000/rs6000.md
+@@ -136,6 +136,12 @@
+ UNSPEC_LSQ
+ UNSPEC_FUSION_GPR
+ UNSPEC_STACK_CHECK
++ UNSPEC_DARN
++ UNSPEC_DARN_32
++ UNSPEC_DARN_RAW
++ UNSPEC_CMPRB
++ UNSPEC_CMPRB2
++ UNSPEC_CMPEQB
+ UNSPEC_FUSION_P9
+ UNSPEC_FUSION_ADDIS
+ UNSPEC_ADD_ROUND_TO_ODD
+@@ -14597,7 +14603,225 @@
+ "xscmpuqp %0,%1,%2"
+ [(set_attr "type" "veccmp")
+ (set_attr "size" "128")])
++
++;; Miscellaneous ISA 3.0 (power9) instructions
++
++(define_insn "darn_32"
++ [(set (match_operand:SI 0 "register_operand" "=r")
++ (unspec:SI [(const_int 0)] UNSPEC_DARN_32))]
++ "TARGET_P9_MISC"
++ "darn %0,0"
++ [(set_attr "type" "integer")])
++
++(define_insn "darn_raw"
++ [(set (match_operand:DI 0 "register_operand" "=r")
++ (unspec:DI [(const_int 0)] UNSPEC_DARN_RAW))]
++ "TARGET_P9_MISC && TARGET_64BIT"
++ "darn %0,2"
++ [(set_attr "type" "integer")])
++
++(define_insn "darn"
++ [(set (match_operand:DI 0 "register_operand" "=r")
++ (unspec:DI [(const_int 0)] UNSPEC_DARN))]
++ "TARGET_P9_MISC && TARGET_64BIT"
++ "darn %0,1"
++ [(set_attr "type" "integer")])
+
++;; Test byte within range.
++;;
++;; The bytes of operand 1 are organized as xx:xx:xx:vv, where xx
++;; represents a byte whose value is ignored in this context and
++;; vv, the least significant byte, holds the byte value that is to
++;; be tested for membership within the range specified by operand 2.
++;; The bytes of operand 2 are organized as xx:xx:hi:lo.
++;;
++;; Return in target register operand 0 a value of 1 if lo <= vv and
++;; vv <= hi. Otherwise, set register operand 0 to 0.
++;;
++;; Though the instructions to which this expansion maps operate on
++;; 64-bit registers, the current implementation only operates on
++;; SI-mode operands as the high-order bits provide no information
++;; that is not already available in the low-order bits. To avoid the
++;; costs of data widening operations, future enhancements might allow
++;; DI mode for operand 0 and/or might allow operand 1 to be QI mode.
++(define_expand "cmprb"
++ [(set (match_dup 3)
++ (unspec:CC [(match_operand:SI 1 "gpc_reg_operand" "r")
++ (match_operand:SI 2 "gpc_reg_operand" "r")]
++ UNSPEC_CMPRB))
++ (set (match_operand:SI 0 "gpc_reg_operand" "=r")
++ (if_then_else:SI (lt (match_dup 3)
++ (const_int 0))
++ (const_int -1)
++ (if_then_else (gt (match_dup 3)
++ (const_int 0))
++ (const_int 1)
++ (const_int 0))))]
++ "TARGET_P9_MISC"
++{
++ operands[3] = gen_reg_rtx (CCmode);
++})
++
++;; The bytes of operand 1 are organized as xx:xx:xx:vv, where xx
++;; represents a byte whose value is ignored in this context and
++;; vv, the least significant byte, holds the byte value that is to
++;; be tested for membership within the range specified by operand 2.
++;; The bytes of operand 2 are organized as xx:xx:hi:lo.
++;;
++;; Set bit 1 (the GT bit, 0x4) of CR register operand 0 to 1 if
++;; lo <= vv and vv <= hi. Otherwise, set the GT bit to 0. The other
++;; 3 bits of the target CR register are all set to 0.
++(define_insn "*cmprb_internal"
++ [(set (match_operand:CC 0 "cc_reg_operand" "=y")
++ (unspec:CC [(match_operand:SI 1 "gpc_reg_operand" "r")
++ (match_operand:SI 2 "gpc_reg_operand" "r")]
++ UNSPEC_CMPRB))]
++ "TARGET_P9_MISC"
++ "cmprb %0,0,%1,%2"
++ [(set_attr "type" "logical")])
++
++;; Set operand 0 register to -1 if the LT bit (0x8) of condition
++;; register operand 1 is on. Otherwise, set operand 0 register to 1
++;; if the GT bit (0x4) of condition register operand 1 is on.
++;; Otherwise, set operand 0 to 0. Note that the result stored into
++;; register operand 0 is non-zero iff either the LT or GT bits are on
++;; within condition register operand 1.
++(define_insn "setb_signed"
++ [(set (match_operand:SI 0 "gpc_reg_operand" "=r")
++ (if_then_else:SI (lt (match_operand:CC 1 "cc_reg_operand" "y")
++ (const_int 0))
++ (const_int -1)
++ (if_then_else (gt (match_dup 1)
++ (const_int 0))
++ (const_int 1)
++ (const_int 0))))]
++ "TARGET_P9_MISC"
++ "setb %0,%1"
++ [(set_attr "type" "logical")])
++
++(define_insn "setb_unsigned"
++ [(set (match_operand:SI 0 "gpc_reg_operand" "=r")
++ (if_then_else:SI (ltu (match_operand:CCUNS 1 "cc_reg_operand" "y")
++ (const_int 0))
++ (const_int -1)
++ (if_then_else (gtu (match_dup 1)
++ (const_int 0))
++ (const_int 1)
++ (const_int 0))))]
++ "TARGET_P9_MISC"
++ "setb %0,%1"
++ [(set_attr "type" "logical")])
++
++;; Test byte within two ranges.
++;;
++;; The bytes of operand 1 are organized as xx:xx:xx:vv, where xx
++;; represents a byte whose value is ignored in this context and
++;; vv, the least significant byte, holds the byte value that is to
++;; be tested for membership within the range specified by operand 2.
++;; The bytes of operand 2 are organized as hi_1:lo_1:hi_2:lo_2.
++;;
++;; Return in target register operand 0 a value of 1 if (lo_1 <= vv and
++;; vv <= hi_1) or if (lo_2 <= vv and vv <= hi_2). Otherwise, set register
++;; operand 0 to 0.
++;;
++;; Though the instructions to which this expansion maps operate on
++;; 64-bit registers, the current implementation only operates on
++;; SI-mode operands as the high-order bits provide no information
++;; that is not already available in the low-order bits. To avoid the
++;; costs of data widening operations, future enhancements might allow
++;; DI mode for operand 0 and/or might allow operand 1 to be QI mode.
++(define_expand "cmprb2"
++ [(set (match_dup 3)
++ (unspec:CC [(match_operand:SI 1 "gpc_reg_operand" "r")
++ (match_operand:SI 2 "gpc_reg_operand" "r")]
++ UNSPEC_CMPRB2))
++ (set (match_operand:SI 0 "gpc_reg_operand" "=r")
++ (if_then_else:SI (lt (match_dup 3)
++ (const_int 0))
++ (const_int -1)
++ (if_then_else (gt (match_dup 3)
++ (const_int 0))
++ (const_int 1)
++ (const_int 0))))]
++ "TARGET_P9_MISC"
++{
++ operands[3] = gen_reg_rtx (CCmode);
++})
++
++;; The bytes of operand 1 are organized as xx:xx:xx:vv, where xx
++;; represents a byte whose value is ignored in this context and
++;; vv, the least significant byte, holds the byte value that is to
++;; be tested for membership within the ranges specified by operand 2.
++;; The bytes of operand 2 are organized as hi_1:lo_1:hi_2:lo_2.
++;;
++;; Set bit 1 (the GT bit, 0x4) of CR register operand 0 to 1 if
++;; (lo_1 <= vv and vv <= hi_1) or if (lo_2 <= vv and vv <= hi_2).
++;; Otherwise, set the GT bit to 0. The other 3 bits of the target
++;; CR register are all set to 0.
++(define_insn "*cmprb2_internal"
++ [(set (match_operand:CC 0 "cc_reg_operand" "=y")
++ (unspec:CC [(match_operand:SI 1 "gpc_reg_operand" "r")
++ (match_operand:SI 2 "gpc_reg_operand" "r")]
++ UNSPEC_CMPRB2))]
++ "TARGET_P9_MISC"
++ "cmprb %0,1,%1,%2"
++ [(set_attr "type" "logical")])
++
++;; Test byte membership within set of 8 bytes.
++;;
++;; The bytes of operand 1 are organized as xx:xx:xx:vv, where xx
++;; represents a byte whose value is ignored in this context and
++;; vv, the least significant byte, holds the byte value that is to
++;; be tested for membership within the set specified by operand 2.
++;; The bytes of operand 2 are organized as e0:e1:e2:e3:e4:e5:e6:e7.
++;;
++;; Return in target register operand 0 a value of 1 if vv equals one
++;; of the values e0, e1, e2, e3, e4, e5, e6, or e7. Otherwise, set
++;; register operand 0 to 0. Note that the 8 byte values held within
++;; operand 2 need not be unique.
++;;
++;; Though the instructions to which this expansion maps operate on
++;; 64-bit registers, the current implementation requires that operands
++;; 0 and 1 have mode SI as the high-order bits provide no information
++;; that is not already available in the low-order bits. To avoid the
++;; costs of data widening operations, future enhancements might allow
++;; DI mode for operand 0 and/or might allow operand 1 to be QI mode.
++(define_expand "cmpeqb"
++ [(set (match_dup 3)
++ (unspec:CC [(match_operand:SI 1 "gpc_reg_operand" "r")
++ (match_operand:DI 2 "gpc_reg_operand" "r")]
++ UNSPEC_CMPEQB))
++ (set (match_operand:SI 0 "gpc_reg_operand" "=r")
++ (if_then_else:SI (lt (match_dup 3)
++ (const_int 0))
++ (const_int -1)
++ (if_then_else (gt (match_dup 3)
++ (const_int 0))
++ (const_int 1)
++ (const_int 0))))]
++ "TARGET_P9_MISC && TARGET_64BIT"
++{
++ operands[3] = gen_reg_rtx (CCmode);
++})
++
++;; The bytes of operand 1 are organized as xx:xx:xx:vv, where xx
++;; represents a byte whose value is ignored in this context and
++;; vv, the least significant byte, holds the byte value that is to
++;; be tested for membership within the set specified by operand 2.
++;; The bytes of operand 2 are organized as e0:e1:e2:e3:e4:e5:e6:e7.
++;;
++;; Set bit 1 (the GT bit, 0x4) of CR register operand 0 to 1 if vv
++;; equals one of the values e0, e1, e2, e3, e4, e5, e6, or e7. Otherwise,
++;; set the GT bit to zero. The other 3 bits of the target CR register
++;; are all set to 0.
++(define_insn "*cmpeqb_internal"
++ [(set (match_operand:CC 0 "cc_reg_operand" "=y")
++ (unspec:CC [(match_operand:SI 1 "gpc_reg_operand" "r")
++ (match_operand:DI 2 "gpc_reg_operand" "r")]
++ UNSPEC_CMPEQB))]
++ "TARGET_P9_MISC && TARGET_64BIT"
++ "cmpeqb %0,%1,%2"
++ [(set_attr "type" "logical")])
+
+
+ (include "sync.md")
diff --git a/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-15847_p2.patch b/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-15847_p2.patch
new file mode 100644
index 0000000000..ad9e4c659a
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-15847_p2.patch
@@ -0,0 +1,77 @@
+From 2d7749ba418adde9536baf0d16d50a072b5841de Mon Sep 17 00:00:00 2001
+From: segher <segher@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Fri, 30 Aug 2019 14:15:39 +0000
+Subject: [PATCH 2/3] Backport from trunk 2019-08-22 Segher Boessenkool
+ <segher@kernel.crashing.org>
+
+ PR target/91481
+ * config/rs6000/rs6000.md (unspec): Delete UNSPEC_DARN, UNSPEC_DARN_32,
+ and UNSPEC_DARN_RAW.
+ (unspecv): New enumerator values UNSPECV_DARN, UNSPECV_DARN_32, and
+ UNSPECV_DARN_RAW.
+ (darn_32): Use an unspec_volatile, and UNSPECV_DARN_32.
+ (darn_raw): Use an unspec_volatile, and UNSPECV_DARN_RAW.
+ (darn): Use an unspec_volatile, and UNSPECV_DARN.
+
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-8-branch@275181 138bc75d-0d04-0410-961f-82ee72b054a4
+
+Upstream-Status: Backport
+CVE: CVE-2019-14847 p2
+Affects <= 9.2.0
+Dropped Change log changes
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ gcc/config/rs6000/rs6000.md | 12 ++++++------
+ 2 files changed, 20 insertions(+), 6 deletions(-)
+
+Index: gcc-8.3.0/gcc/config/rs6000/rs6000.md
+===================================================================
+--- gcc-8.3.0.orig/gcc/config/rs6000/rs6000.md
++++ gcc-8.3.0/gcc/config/rs6000/rs6000.md
+@@ -136,9 +136,6 @@
+ UNSPEC_LSQ
+ UNSPEC_FUSION_GPR
+ UNSPEC_STACK_CHECK
+- UNSPEC_DARN
+- UNSPEC_DARN_32
+- UNSPEC_DARN_RAW
+ UNSPEC_CMPRB
+ UNSPEC_CMPRB2
+ UNSPEC_CMPEQB
+@@ -168,6 +165,9 @@
+ UNSPECV_EH_RR ; eh_reg_restore
+ UNSPECV_ISYNC ; isync instruction
+ UNSPECV_MFTB ; move from time base
++ UNSPECV_DARN ; darn 1 (deliver a random number)
++ UNSPECV_DARN_32 ; darn 2
++ UNSPECV_DARN_RAW ; darn 0
+ UNSPECV_NLGR ; non-local goto receiver
+ UNSPECV_MFFS ; Move from FPSCR
+ UNSPECV_MTFSF ; Move to FPSCR Fields
+@@ -14608,21 +14608,21 @@
+
+ (define_insn "darn_32"
+ [(set (match_operand:SI 0 "register_operand" "=r")
+- (unspec:SI [(const_int 0)] UNSPEC_DARN_32))]
++ (unspec_volatile:SI [(const_int 0)] UNSPECV_DARN_32))]
+ "TARGET_P9_MISC"
+ "darn %0,0"
+ [(set_attr "type" "integer")])
+
+ (define_insn "darn_raw"
+ [(set (match_operand:DI 0 "register_operand" "=r")
+- (unspec:DI [(const_int 0)] UNSPEC_DARN_RAW))]
++ (unspec_volatile:DI [(const_int 0)] UNSPECV_DARN_RAW))]
+ "TARGET_P9_MISC && TARGET_64BIT"
+ "darn %0,2"
+ [(set_attr "type" "integer")])
+
+ (define_insn "darn"
+ [(set (match_operand:DI 0 "register_operand" "=r")
+- (unspec:DI [(const_int 0)] UNSPEC_DARN))]
++ (unspec_volatile:DI [(const_int 0)] UNSPECV_DARN))]
+ "TARGET_P9_MISC && TARGET_64BIT"
+ "darn %0,1"
+ [(set_attr "type" "integer")])
diff --git a/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-15847_p3.patch b/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-15847_p3.patch
new file mode 100644
index 0000000000..cd525de622
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-15847_p3.patch
@@ -0,0 +1,45 @@
+From 5f8cd14f8966f11e8ed10a4c7e35dc01fffe54d8 Mon Sep 17 00:00:00 2001
+From: segher <segher@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Fri, 30 Aug 2019 14:17:20 +0000
+Subject: [PATCH 3/3] Backport from trunk 2019-08-23 Segher Boessenkool
+ <segher@kernel.crashing.org>
+
+gcc/testsuite/
+ PR target/91481
+ * gcc.target/powerpc/darn-3.c: New testcase.
+
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-8-branch@275182 138bc75d-0d04-0410-961f-82ee72b054a4
+
+Upstream-Status: Backport
+CVE: CVE-2019-14847 p3
+Affects <= 9.2.0
+Dropped Change log changes
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ gcc/testsuite/gcc.target/powerpc/darn-3.c | 16 ++++++++++++++++
+ 2 files changed, 25 insertions(+)
+ create mode 100644 gcc/testsuite/gcc.target/powerpc/darn-3.c
+
+Index: gcc-8.3.0/gcc/testsuite/gcc.target/powerpc/darn-3.c
+===================================================================
+--- /dev/null
++++ gcc-8.3.0/gcc/testsuite/gcc.target/powerpc/darn-3.c
+@@ -0,0 +1,16 @@
++/* { dg-do compile { target { powerpc*-*-* } } } */
++/* { dg-skip-if "" { powerpc*-*-aix* } } */
++/* { dg-options "-O2 -mdejagnu-cpu=power9" } */
++
++static int darn32(void) { return __builtin_darn_32(); }
++
++int four(void)
++{
++ int sum = 0;
++ int i;
++ for (i = 0; i < 4; i++)
++ sum += darn32();
++ return sum;
++}
++
++/* { dg-final { scan-assembler-times {(?n)\mdarn .*,0\M} 4 } } */
diff --git a/meta/recipes-devtools/go/go-1.12.inc b/meta/recipes-devtools/go/go-1.12.inc
index 0cf0a63ff6..ed14b175e6 100644
--- a/meta/recipes-devtools/go/go-1.12.inc
+++ b/meta/recipes-devtools/go/go-1.12.inc
@@ -1,7 +1,7 @@
require go-common.inc
GO_BASEVERSION = "1.12"
-GO_MINOR = ".1"
+GO_MINOR = ".9"
PV .= "${GO_MINOR}"
FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/go-${GO_BASEVERSION}:"
@@ -16,8 +16,9 @@ SRC_URI += "\
file://0006-cmd-dist-separate-host-and-target-builds.patch \
file://0007-cmd-go-make-GOROOT-precious-by-default.patch \
file://0008-use-GOBUILDMODE-to-set-buildmode.patch \
+ file://0001-release-branch.go1.12-security-net-textproto-don-t-n.patch \
"
SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
-SRC_URI[main.md5sum] = "09fe592343465560b4b8431d870b3df3"
-SRC_URI[main.sha256sum] = "0be127684df4b842a64e58093154f9d15422f1405f1fcff4b2c36ffc6a15818a"
+SRC_URI[main.md5sum] = "6132109d4050da349eadc9f7b0304ef4"
+SRC_URI[main.sha256sum] = "ab0e56ed9c4732a653ed22e232652709afbf573e710f56a07f7fdeca578d62fc"
diff --git a/meta/recipes-devtools/go/go-1.12/0001-release-branch.go1.12-security-net-textproto-don-t-n.patch b/meta/recipes-devtools/go/go-1.12/0001-release-branch.go1.12-security-net-textproto-don-t-n.patch
new file mode 100644
index 0000000000..7b39dbd734
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.12/0001-release-branch.go1.12-security-net-textproto-don-t-n.patch
@@ -0,0 +1,163 @@
+From 265b691ac440bfb711d8de323346f7d72e620efe Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Thu, 12 Sep 2019 12:37:36 -0400
+Subject: [PATCH] [release-branch.go1.12-security] net/textproto: don't
+ normalize headers with spaces before the colon
+
+RFC 7230 is clear about headers with a space before the colon, like
+
+X-Answer : 42
+
+being invalid, but we've been accepting and normalizing them for compatibility
+purposes since CL 5690059 in 2012.
+
+On the client side, this is harmless and indeed most browsers behave the same
+to this day. On the server side, this becomes a security issue when the
+behavior doesn't match that of a reverse proxy sitting in front of the server.
+
+For example, if a WAF accepts them without normalizing them, it might be
+possible to bypass its filters, because the Go server would interpret the
+header differently. Worse, if the reverse proxy coalesces requests onto a
+single HTTP/1.1 connection to a Go server, the understanding of the request
+boundaries can get out of sync between them, allowing an attacker to tack an
+arbitrary method and path onto a request by other clients, including
+authentication headers unknown to the attacker.
+
+This was recently presented at multiple security conferences:
+https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn
+
+net/http servers already reject header keys with invalid characters.
+Simply stop normalizing extra spaces in net/textproto, let it return them
+unchanged like it does for other invalid headers, and let net/http enforce
+RFC 7230, which is HTTP specific. This loses us normalization on the client
+side, but there's no right answer on the client side anyway, and hiding the
+issue sounds worse than letting the application decide.
+
+Fixes CVE-2019-16276
+
+Change-Id: I6d272de827e0870da85d93df770d6a0e161bbcf1
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/549719
+Reviewed-by: Brad Fitzpatrick <bradfitz@google.com>
+(cherry picked from commit 1280b868e82bf173ea3e988be3092d160ee66082)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/558776
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+
+CVE: CVE-2019-16276
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/net/http/serve_test.go | 4 ++++
+ src/net/http/transport_test.go | 27 +++++++++++++++++++++++++++
+ src/net/textproto/reader.go | 10 ++--------
+ src/net/textproto/reader_test.go | 13 ++++++-------
+ 4 files changed, 39 insertions(+), 15 deletions(-)
+
+diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go
+index 6eb0088a96..89bfdfbb82 100644
+--- a/src/net/http/serve_test.go
++++ b/src/net/http/serve_test.go
+@@ -4748,6 +4748,10 @@ func TestServerValidatesHeaders(t *testing.T) {
+ {"foo\xffbar: foo\r\n", 400}, // binary in header
+ {"foo\x00bar: foo\r\n", 400}, // binary in header
+ {"Foo: " + strings.Repeat("x", 1<<21) + "\r\n", 431}, // header too large
++ // Spaces between the header key and colon are not allowed.
++ // See RFC 7230, Section 3.2.4.
++ {"Foo : bar\r\n", 400},
++ {"Foo\t: bar\r\n", 400},
+
+ {"foo: foo foo\r\n", 200}, // LWS space is okay
+ {"foo: foo\tfoo\r\n", 200}, // LWS tab is okay
+diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go
+index 5c329543e2..5e5438a708 100644
+--- a/src/net/http/transport_test.go
++++ b/src/net/http/transport_test.go
+@@ -5133,3 +5133,30 @@ func TestTransportIgnores408(t *testing.T) {
+ }
+ t.Fatalf("timeout after %v waiting for Transport connections to die off", time.Since(t0))
+ }
++
++func TestInvalidHeaderResponse(t *testing.T) {
++ setParallel(t)
++ defer afterTest(t)
++ cst := newClientServerTest(t, h1Mode, HandlerFunc(func(w ResponseWriter, r *Request) {
++ conn, buf, _ := w.(Hijacker).Hijack()
++ buf.Write([]byte("HTTP/1.1 200 OK\r\n" +
++ "Date: Wed, 30 Aug 2017 19:09:27 GMT\r\n" +
++ "Content-Type: text/html; charset=utf-8\r\n" +
++ "Content-Length: 0\r\n" +
++ "Foo : bar\r\n\r\n"))
++ buf.Flush()
++ conn.Close()
++ }))
++ defer cst.close()
++ res, err := cst.c.Get(cst.ts.URL)
++ if err != nil {
++ t.Fatal(err)
++ }
++ defer res.Body.Close()
++ if v := res.Header.Get("Foo"); v != "" {
++ t.Errorf(`unexpected "Foo" header: %q`, v)
++ }
++ if v := res.Header.Get("Foo "); v != "bar" {
++ t.Errorf(`bad "Foo " header value: %q, want %q`, v, "bar")
++ }
++}
+diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
+index 2c4f25d5ae..1a5e364cf7 100644
+--- a/src/net/textproto/reader.go
++++ b/src/net/textproto/reader.go
+@@ -493,18 +493,12 @@ func (r *Reader) ReadMIMEHeader() (MIMEHeader, error) {
+ return m, err
+ }
+
+- // Key ends at first colon; should not have trailing spaces
+- // but they appear in the wild, violating specs, so we remove
+- // them if present.
++ // Key ends at first colon.
+ i := bytes.IndexByte(kv, ':')
+ if i < 0 {
+ return m, ProtocolError("malformed MIME header line: " + string(kv))
+ }
+- endKey := i
+- for endKey > 0 && kv[endKey-1] == ' ' {
+- endKey--
+- }
+- key := canonicalMIMEHeaderKey(kv[:endKey])
++ key := canonicalMIMEHeaderKey(kv[:i])
+
+ // As per RFC 7230 field-name is a token, tokens consist of one or more chars.
+ // We could return a ProtocolError here, but better to be liberal in what we
+diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go
+index f85fbdc36d..b92fdcd3c7 100644
+--- a/src/net/textproto/reader_test.go
++++ b/src/net/textproto/reader_test.go
+@@ -188,11 +188,10 @@ func TestLargeReadMIMEHeader(t *testing.T) {
+ }
+ }
+
+-// Test that we read slightly-bogus MIME headers seen in the wild,
+-// with spaces before colons, and spaces in keys.
++// TestReadMIMEHeaderNonCompliant checks that we don't normalize headers
++// with spaces before colons, and accept spaces in keys.
+ func TestReadMIMEHeaderNonCompliant(t *testing.T) {
+- // Invalid HTTP response header as sent by an Axis security
+- // camera: (this is handled by IE, Firefox, Chrome, curl, etc.)
++ // These invalid headers will be rejected by net/http according to RFC 7230.
+ r := reader("Foo: bar\r\n" +
+ "Content-Language: en\r\n" +
+ "SID : 0\r\n" +
+@@ -202,9 +201,9 @@ func TestReadMIMEHeaderNonCompliant(t *testing.T) {
+ want := MIMEHeader{
+ "Foo": {"bar"},
+ "Content-Language": {"en"},
+- "Sid": {"0"},
+- "Audio Mode": {"None"},
+- "Privilege": {"127"},
++ "SID ": {"0"},
++ "Audio Mode ": {"None"},
++ "Privilege ": {"127"},
+ }
+ if !reflect.DeepEqual(m, want) || err != nil {
+ t.Fatalf("ReadMIMEHeader =\n%v, %v; want:\n%v", m, err, want)
diff --git a/meta/recipes-devtools/json-c/json-c_0.13.1.bb b/meta/recipes-devtools/json-c/json-c_0.13.1.bb
index 5b10e68297..e6a38995cb 100644
--- a/meta/recipes-devtools/json-c/json-c_0.13.1.bb
+++ b/meta/recipes-devtools/json-c/json-c_0.13.1.bb
@@ -20,8 +20,6 @@ RPROVIDES_${PN} = "libjson"
inherit autotools
-EXTRA_OECONF = "--enable-rdrand"
-
do_configure_prepend() {
# Clean up autoconf cruft that should not be in the tarball
rm -f ${S}/config.status
diff --git a/meta/recipes-devtools/meson/meson.inc b/meta/recipes-devtools/meson/meson.inc
index 2d18f72c0c..bfe9851e94 100644
--- a/meta/recipes-devtools/meson/meson.inc
+++ b/meta/recipes-devtools/meson/meson.inc
@@ -16,6 +16,7 @@ SRC_URI = "https://github.com/mesonbuild/meson/releases/download/${PV}/meson-${P
file://cross-prop-default.patch \
file://many-cross.patch \
file://cross-libdir.patch \
+ file://0001-Fix-missing-return-statements-that-are-seen-with-Wer.patch \
"
SRC_URI[sha256sum] = "ef9f14326ec1e30d3ba1a26df0f92826ede5a79255ad723af78a2691c37109fd"
SRC_URI[md5sum] = "0267b0871266056184c484792572c682"
diff --git a/meta/recipes-devtools/meson/meson/0001-Fix-missing-return-statements-that-are-seen-with-Wer.patch b/meta/recipes-devtools/meson/meson/0001-Fix-missing-return-statements-that-are-seen-with-Wer.patch
new file mode 100644
index 0000000000..1f22755e17
--- /dev/null
+++ b/meta/recipes-devtools/meson/meson/0001-Fix-missing-return-statements-that-are-seen-with-Wer.patch
@@ -0,0 +1,84 @@
+From 7e83cf1edac2a57c08ebb1ce7f21c2a539d5c300 Mon Sep 17 00:00:00 2001
+From: Martin Liska <mliska@suse.cz>
+Date: Mon, 15 Jul 2019 10:06:17 +0200
+Subject: [PATCH] Fix missing return statements that are seen with
+ -Werror=return-type.
+
+Error example:
+
+Code:
+
+ #include <locale.h>
+ int main () {
+ /* If it's not defined as a macro, try to use as a symbol */
+ #ifndef LC_MESSAGES
+ LC_MESSAGES;
+ #endif
+ }
+Compiler stdout:
+
+Compiler stderr:
+ In file included from /usr/include/locale.h:25,
+ from /tmp/tmpep_i4iwg/testfile.c:2:
+/usr/include/features.h:382:4: warning: #warning _FORTIFY_SOURCE requires compiling with optimization (-O) [-Wcpp]
+ 382 | # warning _FORTIFY_SOURCE requires compiling with optimization (-O)
+ | ^~~~~~~
+/tmp/tmpep_i4iwg/testfile.c: In function 'main':
+/tmp/tmpep_i4iwg/testfile.c:8:9: error: control reaches end of non-void function [-Werror=return-type]
+ 8 | }
+ | ^
+cc1: some warnings being treated as errors
+
+Upstream-Status: Backport
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+ mesonbuild/compilers/c.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/mesonbuild/compilers/c.py b/mesonbuild/compilers/c.py
+index b0096459..69cf84a4 100644
+--- a/mesonbuild/compilers/c.py
++++ b/mesonbuild/compilers/c.py
+@@ -387,6 +387,7 @@ class CCompiler(Compiler):
+ #ifndef {symbol}
+ {symbol};
+ #endif
++ return 0;
+ }}'''
+ return self.compiles(t.format(**fargs), env, extra_args=extra_args,
+ dependencies=dependencies)
+@@ -563,6 +564,7 @@ class CCompiler(Compiler):
+ {prefix}
+ int main(int argc, char **argv) {{
+ {type} something;
++ return 0;
+ }}'''
+ if not self.compiles(t.format(**fargs), env, extra_args=extra_args,
+ dependencies=dependencies):
+@@ -598,6 +600,7 @@ class CCompiler(Compiler):
+ {prefix}
+ int main(int argc, char **argv) {{
+ {type} something;
++ return 0;
+ }}'''
+ if not self.compiles(t.format(**fargs), env, extra_args=extra_args,
+ dependencies=dependencies):
+@@ -672,6 +675,7 @@ class CCompiler(Compiler):
+ #include <stdio.h>
+ int main(int argc, char *argv[]) {{
+ printf ("{fmt}", {cast} {f}());
++ return 0;
+ }}'''.format(**fargs)
+ res = self.run(code, env, extra_args=extra_args, dependencies=dependencies)
+ if not res.compiled:
+@@ -823,6 +827,7 @@ class CCompiler(Compiler):
+ #error "No definition for __builtin_{func} found in the prefix"
+ #endif
+ #endif
++ return 0;
+ }}'''
+ return self.links(t.format(**fargs), env, extra_args=extra_args,
+ dependencies=dependencies)
+--
+2.17.1
+
diff --git a/meta/recipes-devtools/meson/meson/0003-native_bindir.patch b/meta/recipes-devtools/meson/meson/0003-native_bindir.patch
index da477454cb..2b22531dd0 100644
--- a/meta/recipes-devtools/meson/meson/0003-native_bindir.patch
+++ b/meta/recipes-devtools/meson/meson/0003-native_bindir.patch
@@ -51,7 +51,7 @@ index 6d3678f..90fdb80 100644
- cmd = self.pkgbin.get_command() + args
+ def _call_pkgbin_real(self, args, env, use_native=False):
+ if use_native:
-+ cmd = self.pkgbin.get_command() + "-native" + args
++ cmd = [self.pkgbin.get_command()[0] + "-native"] + args
+ else:
+ cmd = self.pkgbin.get_command() + args
p, out = Popen_safe(cmd, env=env)[0:2]
diff --git a/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch
new file mode 100644
index 0000000000..9891526e4e
--- /dev/null
+++ b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch
@@ -0,0 +1,93 @@
+From 7f770b9c20da1a192dad8cb572a6391f2773285a Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Thu, 3 May 2018 14:31:55 +0200
+Subject: [PATCH 1/2] Don't leak temporary file on failed ed-style patch
+
+Now that we write ed-style patches to a temporary file before we
+apply them, we need to ensure that the temporary file is removed
+before we leave, even on fatal error.
+
+* src/pch.c (do_ed_script): Use global TMPEDNAME instead of local
+ tmpname. Don't unlink the file directly, instead tag it for removal
+ at exit time.
+* src/patch.c (cleanup): Unlink TMPEDNAME at exit.
+
+This closes bug #53820:
+https://savannah.gnu.org/bugs/index.php?53820
+
+Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)")
+
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/patch.git/commit/?id=19599883ffb6a450d2884f081f8ecf68edbed7ee]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ src/common.h | 2 ++
+ src/pch.c | 12 +++++-------
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/common.h b/src/common.h
+index ec50b40..22238b5 100644
+--- a/src/common.h
++++ b/src/common.h
+@@ -94,10 +94,12 @@ XTERN char const *origsuff;
+ XTERN char const * TMPINNAME;
+ XTERN char const * TMPOUTNAME;
+ XTERN char const * TMPPATNAME;
++XTERN char const * TMPEDNAME;
+
+ XTERN bool TMPINNAME_needs_removal;
+ XTERN bool TMPOUTNAME_needs_removal;
+ XTERN bool TMPPATNAME_needs_removal;
++XTERN bool TMPEDNAME_needs_removal;
+
+ #ifdef DEBUGGING
+ XTERN int debug;
+diff --git a/src/pch.c b/src/pch.c
+index 16e001a..c1a62cf 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2392,7 +2392,6 @@ do_ed_script (char const *inname, char const *outname,
+ file_offset beginning_of_this_line;
+ size_t chars_read;
+ FILE *tmpfp = 0;
+- char const *tmpname;
+ int tmpfd;
+ pid_t pid;
+
+@@ -2404,12 +2403,13 @@ do_ed_script (char const *inname, char const *outname,
+ invalid commands and treats the next line as a new command, which
+ can lead to arbitrary command execution. */
+
+- tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0);
++ tmpfd = make_tempfile (&TMPEDNAME, 'e', NULL, O_RDWR | O_BINARY, 0);
+ if (tmpfd == -1)
+- pfatal ("Can't create temporary file %s", quotearg (tmpname));
++ pfatal ("Can't create temporary file %s", quotearg (TMPEDNAME));
++ TMPEDNAME_needs_removal = true;
+ tmpfp = fdopen (tmpfd, "w+b");
+ if (! tmpfp)
+- pfatal ("Can't open stream for file %s", quotearg (tmpname));
++ pfatal ("Can't open stream for file %s", quotearg (TMPEDNAME));
+ }
+
+ for (;;) {
+@@ -2449,8 +2449,7 @@ do_ed_script (char const *inname, char const *outname,
+ write_fatal ();
+
+ if (lseek (tmpfd, 0, SEEK_SET) == -1)
+- pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname));
+-
++ pfatal ("Can't rewind to the beginning of file %s", quotearg (TMPEDNAME));
+ if (! dry_run && ! skip_rest_of_patch) {
+ int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+ *outname_needs_removal = true;
+@@ -2482,7 +2481,6 @@ do_ed_script (char const *inname, char const *outname,
+ }
+
+ fclose (tmpfp);
+- safe_unlink (tmpname);
+
+ if (ofp)
+ {
+--
+2.17.0
+
diff --git a/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch
new file mode 100644
index 0000000000..d6a219a1b1
--- /dev/null
+++ b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch
@@ -0,0 +1,80 @@
+From 369dcccdfa6336e5a873d6d63705cfbe04c55727 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 7 May 2018 15:14:45 +0200
+Subject: Don't leak temporary file on failed multi-file ed-style patch
+
+The previous fix worked fine with single-file ed-style patches, but
+would still leak temporary files in the case of multi-file ed-style
+patch. Fix that case as well, and extend the test case to check for
+it.
+
+* src/patch.c (main): Unlink TMPEDNAME if needed before moving to
+ the next file in a patch.
+
+This closes bug #53820:
+https://savannah.gnu.org/bugs/index.php?53820
+
+Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)")
+Fixes: 19599883ffb6 ("Don't leak temporary file on failed ed-style patch")
+
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/patch.git/commit/?id=369dcccdfa6336e5a873d6d63705cfbe04c55727]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ src/patch.c | 1 +
+ tests/ed-style | 31 +++++++++++++++++++++++++++++++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/src/patch.c b/src/patch.c
+index 9146597..81c7a02 100644
+--- a/src/patch.c
++++ b/src/patch.c
+@@ -236,6 +236,7 @@ main (int argc, char **argv)
+ }
+ remove_if_needed (TMPOUTNAME, &TMPOUTNAME_needs_removal);
+ }
++ remove_if_needed (TMPEDNAME, &TMPEDNAME_needs_removal);
+
+ if (! skip_rest_of_patch && ! file_type)
+ {
+diff --git a/tests/ed-style b/tests/ed-style
+index 6b6ef9d..504e6e5 100644
+--- a/tests/ed-style
++++ b/tests/ed-style
+@@ -38,3 +38,34 @@ EOF
+ check 'cat foo' <<EOF
+ foo
+ EOF
++
++# Test the case where one ed-style patch modifies several files
++
++cat > ed3.diff <<EOF
++--- foo
+++++ foo
++1c
++bar
++.
++--- baz
+++++ baz
++0a
++baz
++.
++EOF
++
++# Apparently we can't create a file with such a patch, while it works fine
++# when the file name is provided on the command line
++cat > baz <<EOF
++EOF
++
++check 'patch -e -i ed3.diff' <<EOF
++EOF
++
++check 'cat foo' <<EOF
++bar
++EOF
++
++check 'cat baz' <<EOF
++baz
++EOF
+--
+cgit v1.0-41-gc330
+
diff --git a/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
new file mode 100644
index 0000000000..f60dfe879a
--- /dev/null
+++ b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
@@ -0,0 +1,44 @@
+From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 6 Apr 2018 19:36:15 +0200
+Subject: [PATCH] Invoke ed directly instead of using the shell
+
+* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
+command to avoid quoting vulnerabilities.
+
+CVE: CVE-2019-13638
+Upstream-Status: Backport[https://git.savannah.gnu.org/cgit/patch.git/patch/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0]
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+
+---
+ src/pch.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+
+diff --git a/src/pch.c b/src/pch.c
+index 4fd5a05..16e001a 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname,
+ *outname_needs_removal = true;
+ copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+ }
+- sprintf (buf, "%s %s%s", editor_program,
+- verbosity == VERBOSE ? "" : "- ",
+- outname);
+ fflush (stdout);
+
+ pid = fork();
+@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname,
+ else if (pid == 0)
+ {
+ dup2 (tmpfd, 0);
+- execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++ assert (outname[0] != '!' && outname[0] != '-');
++ execlp (editor_program, editor_program, "-", outname, (char *) NULL);
+ _exit (2);
+ }
+ else
+--
+2.7.4
+
diff --git a/meta/recipes-devtools/patch/patch/CVE-2019-13636.patch b/meta/recipes-devtools/patch/patch/CVE-2019-13636.patch
new file mode 100644
index 0000000000..9f8b6db0b9
--- /dev/null
+++ b/meta/recipes-devtools/patch/patch/CVE-2019-13636.patch
@@ -0,0 +1,113 @@
+From dce4683cbbe107a95f1f0d45fabc304acfb5d71a Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Mon, 15 Jul 2019 16:21:48 +0200
+Subject: Don't follow symlinks unless --follow-symlinks is given
+
+* src/inp.c (plan_a, plan_b), src/util.c (copy_to_fd, copy_file,
+append_to_file): Unless the --follow-symlinks option is given, open files with
+the O_NOFOLLOW flag to avoid following symlinks. So far, we were only doing
+that consistently for input files.
+* src/util.c (create_backup): When creating empty backup files, (re)create them
+with O_CREAT | O_EXCL to avoid following symlinks in that case as well.
+
+CVE: CVE-2019-13636
+Upstream-Status: Backport[https://git.savannah.gnu.org/cgit/patch.git/patch/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+---
+ src/inp.c | 12 ++++++++++--
+ src/util.c | 14 +++++++++++---
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/src/inp.c b/src/inp.c
+index 32d0919..22d7473 100644
+--- a/src/inp.c
++++ b/src/inp.c
+@@ -238,8 +238,13 @@ plan_a (char const *filename)
+ {
+ if (S_ISREG (instat.st_mode))
+ {
+- int ifd = safe_open (filename, O_RDONLY|binary_transput, 0);
++ int flags = O_RDONLY | binary_transput;
+ size_t buffered = 0, n;
++ int ifd;
++
++ if (! follow_symlinks)
++ flags |= O_NOFOLLOW;
++ ifd = safe_open (filename, flags, 0);
+ if (ifd < 0)
+ pfatal ("can't open file %s", quotearg (filename));
+
+@@ -340,6 +345,7 @@ plan_a (char const *filename)
+ static void
+ plan_b (char const *filename)
+ {
++ int flags = O_RDONLY | binary_transput;
+ int ifd;
+ FILE *ifp;
+ int c;
+@@ -353,7 +359,9 @@ plan_b (char const *filename)
+
+ if (instat.st_size == 0)
+ filename = NULL_DEVICE;
+- if ((ifd = safe_open (filename, O_RDONLY | binary_transput, 0)) < 0
++ if (! follow_symlinks)
++ flags |= O_NOFOLLOW;
++ if ((ifd = safe_open (filename, flags, 0)) < 0
+ || ! (ifp = fdopen (ifd, binary_transput ? "rb" : "r")))
+ pfatal ("Can't open file %s", quotearg (filename));
+ if (TMPINNAME_needs_removal)
+diff --git a/src/util.c b/src/util.c
+index 1cc08ba..fb38307 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -388,7 +388,7 @@ create_backup (char const *to, const struct stat *to_st, bool leave_original)
+
+ try_makedirs_errno = ENOENT;
+ safe_unlink (bakname);
+- while ((fd = safe_open (bakname, O_CREAT | O_WRONLY | O_TRUNC, 0666)) < 0)
++ while ((fd = safe_open (bakname, O_CREAT | O_EXCL | O_WRONLY | O_TRUNC, 0666)) < 0)
+ {
+ if (errno != try_makedirs_errno)
+ pfatal ("Can't create file %s", quotearg (bakname));
+@@ -579,10 +579,13 @@ create_file (char const *file, int open_flags, mode_t mode,
+ static void
+ copy_to_fd (const char *from, int tofd)
+ {
++ int from_flags = O_RDONLY | O_BINARY;
+ int fromfd;
+ ssize_t i;
+
+- if ((fromfd = safe_open (from, O_RDONLY | O_BINARY, 0)) < 0)
++ if (! follow_symlinks)
++ from_flags |= O_NOFOLLOW;
++ if ((fromfd = safe_open (from, from_flags, 0)) < 0)
+ pfatal ("Can't reopen file %s", quotearg (from));
+ while ((i = read (fromfd, buf, bufsize)) != 0)
+ {
+@@ -625,6 +628,8 @@ copy_file (char const *from, char const *to, struct stat *tost,
+ else
+ {
+ assert (S_ISREG (mode));
++ if (! follow_symlinks)
++ to_flags |= O_NOFOLLOW;
+ tofd = create_file (to, O_WRONLY | O_BINARY | to_flags, mode,
+ to_dir_known_to_exist);
+ copy_to_fd (from, tofd);
+@@ -640,9 +645,12 @@ copy_file (char const *from, char const *to, struct stat *tost,
+ void
+ append_to_file (char const *from, char const *to)
+ {
++ int to_flags = O_WRONLY | O_APPEND | O_BINARY;
+ int tofd;
+
+- if ((tofd = safe_open (to, O_WRONLY | O_BINARY | O_APPEND, 0)) < 0)
++ if (! follow_symlinks)
++ to_flags |= O_NOFOLLOW;
++ if ((tofd = safe_open (to, to_flags, 0)) < 0)
+ pfatal ("Can't reopen file %s", quotearg (to));
+ copy_to_fd (from, tofd);
+ if (close (tofd) != 0)
+--
+cgit v1.0-41-gc330
+
diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb b/meta/recipes-devtools/patch/patch_2.7.6.bb
index 85b0db7333..5d7f55f8dc 100644
--- a/meta/recipes-devtools/patch/patch_2.7.6.bb
+++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
@@ -6,6 +6,10 @@ SRC_URI += "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
file://0003-Allow-input-files-to-be-missing-for-ed-style-patches.patch \
file://0004-Fix-arbitrary-command-execution-in-ed-style-patches-.patch \
file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \
+ file://CVE-2019-13636.patch \
+ file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \
+ file://0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch \
+ file://0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch \
"
SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"
diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
index 779df53521..8d0e90862c 100644
--- a/meta/recipes-devtools/python/python.inc
+++ b/meta/recipes-devtools/python/python.inc
@@ -8,6 +8,11 @@ INC_PR = "r1"
LIC_FILES_CHKSUM = "file://LICENSE;md5=e466242989bd33c1bd2b6a526a742498"
SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
+ file://bpo-35907-cve-2019-9948.patch \
+ file://bpo-35907-cve-2019-9948-fix.patch \
+ file://bpo-36216-cve-2019-9636.patch \
+ file://bpo-36216-cve-2019-9636-fix.patch \
+ file://CVE-2019-9740.patch \
"
SRC_URI[md5sum] = "30157d85a2c0479c09ea2cbe61f2aaf5"
diff --git a/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch b/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch
new file mode 100644
index 0000000000..5415472a35
--- /dev/null
+++ b/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch
@@ -0,0 +1,90 @@
+From 532ed09c5454bb789a301bb6f1339a0818255610 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?= <roberto@connexer.com>
+Date: Sat, 14 Sep 2019 13:26:38 -0400
+Subject: [PATCH] [2.7] bpo-34155: Dont parse domains containing @ (GH-13079)
+ (GH-16006)
+
+This change skips parsing of email addresses where domains include a "@" character, which can be maliciously used since the local part is returned as a complete address.
+
+(cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9)
+
+Excludes changes to Lib/email/_header_value_parser.py, which did not
+exist in 2.7.
+
+Co-authored-by: jpic <jpic@users.noreply.github.com>
+
+https://bugs.python.org/issue34155
+
+Upstream-Status: Backport [https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9]
+
+CVE: CVE-2019-16056
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ Lib/email/_parseaddr.py | 11 ++++++++++-
+ Lib/email/test/test_email.py | 14 ++++++++++++++
+ .../2019-05-04-13-33-37.bpo-34155.MJll68.rst | 1 +
+ 3 files changed, 25 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
+
+diff --git a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py
+index 690db2c22d..dc49d2e45a 100644
+--- a/Lib/email/_parseaddr.py
++++ b/Lib/email/_parseaddr.py
+@@ -336,7 +336,12 @@ class AddrlistClass:
+ aslist.append('@')
+ self.pos += 1
+ self.gotonext()
+- return EMPTYSTRING.join(aslist) + self.getdomain()
++ domain = self.getdomain()
++ if not domain:
++ # Invalid domain, return an empty address instead of returning a
++ # local part to denote failed parsing.
++ return EMPTYSTRING
++ return EMPTYSTRING.join(aslist) + domain
+
+ def getdomain(self):
+ """Get the complete domain name from an address."""
+@@ -351,6 +356,10 @@ class AddrlistClass:
+ elif self.field[self.pos] == '.':
+ self.pos += 1
+ sdlist.append('.')
++ elif self.field[self.pos] == '@':
++ # bpo-34155: Don't parse domains with two `@` like
++ # `a@malicious.org@important.com`.
++ return EMPTYSTRING
+ elif self.field[self.pos] in self.atomends:
+ break
+ else:
+diff --git a/Lib/email/test/test_email.py b/Lib/email/test/test_email.py
+index 4b4dee3d34..2efe44ac5a 100644
+--- a/Lib/email/test/test_email.py
++++ b/Lib/email/test/test_email.py
+@@ -2306,6 +2306,20 @@ class TestMiscellaneous(TestEmailBase):
+ self.assertEqual(Utils.parseaddr('<>'), ('', ''))
+ self.assertEqual(Utils.formataddr(Utils.parseaddr('<>')), '')
+
++ def test_parseaddr_multiple_domains(self):
++ self.assertEqual(
++ Utils.parseaddr('a@b@c'),
++ ('', '')
++ )
++ self.assertEqual(
++ Utils.parseaddr('a@b.c@c'),
++ ('', '')
++ )
++ self.assertEqual(
++ Utils.parseaddr('a@172.17.0.1@c'),
++ ('', '')
++ )
++
+ def test_noquote_dump(self):
+ self.assertEqual(
+ Utils.formataddr(('A Silly Person', 'person@dom.ain')),
+diff --git a/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
+new file mode 100644
+index 0000000000..50292e29ed
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
+@@ -0,0 +1 @@
++Fix parsing of invalid email addresses with more than one ``@`` (e.g. a@b@c.com.) to not return the part before 2nd ``@`` as valid email address. Patch by maxking & jpic.
diff --git a/meta/recipes-devtools/python/python/CVE-2019-9740.patch b/meta/recipes-devtools/python/python/CVE-2019-9740.patch
new file mode 100644
index 0000000000..066ac68290
--- /dev/null
+++ b/meta/recipes-devtools/python/python/CVE-2019-9740.patch
@@ -0,0 +1,215 @@
+From bb8071a4cae5ab3fe321481dd3d73662ffb26052 Mon Sep 17 00:00:00 2001
+From: Victor Stinner <victor.stinner@gmail.com>
+Date: Tue, 21 May 2019 15:12:33 +0200
+Subject: [PATCH] bpo-30458: Disallow control chars in http URLs (GH-12755)
+ (GH-13154) (GH-13315)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Disallow control chars in http URLs in urllib2.urlopen. This
+addresses a potential security problem for applications that do not
+sanity check their URLs where http request headers could be injected.
+
+Disable https related urllib tests on a build without ssl (GH-13032)
+These tests require an SSL enabled build. Skip these tests when
+python is built without SSL to fix test failures.
+
+Use httplib.InvalidURL instead of ValueError as the new error case's
+exception. (GH-13044)
+
+Backport Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
+
+(cherry picked from commit 7e200e0763f5b71c199aaf98bd5588f291585619)
+
+Notes on backport to Python 2.7:
+
+* test_urllib tests urllib.urlopen() which quotes the URL and so is
+ not vulerable to HTTP Header Injection.
+* Add tests to test_urllib2 on urllib2.urlopen().
+* Reject non-ASCII characters: range 0x80-0xff.
+
+Upstream-Status: Backport
+CVE: CVE-2019-9740
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ Lib/httplib.py | 16 ++++++
+ Lib/test/test_urllib.py | 25 +++++++++
+ Lib/test/test_urllib2.py | 51 ++++++++++++++++++-
+ Lib/test/test_xmlrpc.py | 8 ++-
+ .../2019-04-10-08-53-30.bpo-30458.51E-DA.rst | 1 +
+ 5 files changed, 99 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+
+diff --git a/Lib/httplib.py b/Lib/httplib.py
+index 60a8fb4e355f..1b41c346e090 100644
+--- a/Lib/httplib.py
++++ b/Lib/httplib.py
+@@ -247,6 +247,16 @@
+ _is_legal_header_name = re.compile(r'\A[^:\s][^:\r\n]*\Z').match
+ _is_illegal_header_value = re.compile(r'\n(?![ \t])|\r(?![ \t\n])').search
+
++# These characters are not allowed within HTTP URL paths.
++# See https://tools.ietf.org/html/rfc3986#section-3.3 and the
++# https://tools.ietf.org/html/rfc3986#appendix-A pchar definition.
++# Prevents CVE-2019-9740. Includes control characters such as \r\n.
++# Restrict non-ASCII characters above \x7f (0x80-0xff).
++_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f-\xff]')
++# Arguably only these _should_ allowed:
++# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
++# We are more lenient for assumed real world compatibility purposes.
++
+ # We always set the Content-Length header for these methods because some
+ # servers will otherwise respond with a 411
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+@@ -927,6 +937,12 @@ def putrequest(self, method, url, skip_host=0, skip_accept_encoding=0):
+ self._method = method
+ if not url:
+ url = '/'
++ # Prevent CVE-2019-9740.
++ match = _contains_disallowed_url_pchar_re.search(url)
++ if match:
++ raise InvalidURL("URL can't contain control characters. %r "
++ "(found at least %r)"
++ % (url, match.group()))
+ hdr = '%s %s %s' % (method, url, self._http_vsn_str)
+
+ self._output(hdr)
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index 1ce9201c0693..d7778d4194f3 100644
+--- a/Lib/test/test_urllib.py
++++ b/Lib/test/test_urllib.py
+@@ -257,6 +257,31 @@ def test_url_fragment(self):
+ finally:
+ self.unfakehttp()
+
++ def test_url_with_control_char_rejected(self):
++ for char_no in range(0, 0x21) + range(0x7f, 0x100):
++ char = chr(char_no)
++ schemeless_url = "//localhost:7777/test%s/" % char
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ try:
++ # urllib quotes the URL so there is no injection.
++ resp = urllib.urlopen("http:" + schemeless_url)
++ self.assertNotIn(char, resp.geturl())
++ finally:
++ self.unfakehttp()
++
++ def test_url_with_newline_header_injection_rejected(self):
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
++ schemeless_url = "//" + host + ":8080/test/?test=a"
++ try:
++ # urllib quotes the URL so there is no injection.
++ resp = urllib.urlopen("http:" + schemeless_url)
++ self.assertNotIn(' ', resp.geturl())
++ self.assertNotIn('\r', resp.geturl())
++ self.assertNotIn('\n', resp.geturl())
++ finally:
++ self.unfakehttp()
++
+ def test_read_bogus(self):
+ # urlopen() should raise IOError for many error codes.
+ self.fakehttp('''HTTP/1.1 401 Authentication Required
+diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
+index 6d24d5ddf83c..9531818e16b2 100644
+--- a/Lib/test/test_urllib2.py
++++ b/Lib/test/test_urllib2.py
+@@ -15,6 +15,9 @@
+ except ImportError:
+ ssl = None
+
++from test.test_urllib import FakeHTTPMixin
++
++
+ # XXX
+ # Request
+ # CacheFTPHandler (hard to write)
+@@ -1262,7 +1265,7 @@ def _test_basic_auth(self, opener, auth_handler, auth_header,
+ self.assertEqual(len(http_handler.requests), 1)
+ self.assertFalse(http_handler.requests[0].has_header(auth_header))
+
+-class MiscTests(unittest.TestCase):
++class MiscTests(unittest.TestCase, FakeHTTPMixin):
+
+ def test_build_opener(self):
+ class MyHTTPHandler(urllib2.HTTPHandler): pass
+@@ -1317,6 +1320,52 @@ def test_unsupported_algorithm(self):
+ "Unsupported digest authentication algorithm 'invalid'"
+ )
+
++ @unittest.skipUnless(ssl, "ssl module required")
++ def test_url_with_control_char_rejected(self):
++ for char_no in range(0, 0x21) + range(0x7f, 0x100):
++ char = chr(char_no)
++ schemeless_url = "//localhost:7777/test%s/" % char
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ try:
++ # We explicitly test urllib.request.urlopen() instead of the top
++ # level 'def urlopen()' function defined in this... (quite ugly)
++ # test suite. They use different url opening codepaths. Plain
++ # urlopen uses FancyURLOpener which goes via a codepath that
++ # calls urllib.parse.quote() on the URL which makes all of the
++ # above attempts at injection within the url _path_ safe.
++ escaped_char_repr = repr(char).replace('\\', r'\\')
++ InvalidURL = httplib.InvalidURL
++ with self.assertRaisesRegexp(
++ InvalidURL, "contain control.*" + escaped_char_repr):
++ urllib2.urlopen("http:" + schemeless_url)
++ with self.assertRaisesRegexp(
++ InvalidURL, "contain control.*" + escaped_char_repr):
++ urllib2.urlopen("https:" + schemeless_url)
++ finally:
++ self.unfakehttp()
++
++ @unittest.skipUnless(ssl, "ssl module required")
++ def test_url_with_newline_header_injection_rejected(self):
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
++ schemeless_url = "//" + host + ":8080/test/?test=a"
++ try:
++ # We explicitly test urllib2.urlopen() instead of the top
++ # level 'def urlopen()' function defined in this... (quite ugly)
++ # test suite. They use different url opening codepaths. Plain
++ # urlopen uses FancyURLOpener which goes via a codepath that
++ # calls urllib.parse.quote() on the URL which makes all of the
++ # above attempts at injection within the url _path_ safe.
++ InvalidURL = httplib.InvalidURL
++ with self.assertRaisesRegexp(
++ InvalidURL, r"contain control.*\\r.*(found at least . .)"):
++ urllib2.urlopen("http:" + schemeless_url)
++ with self.assertRaisesRegexp(InvalidURL, r"contain control.*\\n"):
++ urllib2.urlopen("https:" + schemeless_url)
++ finally:
++ self.unfakehttp()
++
++
+
+ class RequestTests(unittest.TestCase):
+
+diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
+index 36b3be67fd6b..90ccb30716ff 100644
+--- a/Lib/test/test_xmlrpc.py
++++ b/Lib/test/test_xmlrpc.py
+@@ -659,7 +659,13 @@ def test_dotted_attribute(self):
+ def test_partial_post(self):
+ # Check that a partial POST doesn't make the server loop: issue #14001.
+ conn = httplib.HTTPConnection(ADDR, PORT)
+- conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye')
++ conn.send('POST /RPC2 HTTP/1.0\r\n'
++ 'Content-Length: 100\r\n\r\n'
++ 'bye HTTP/1.1\r\n'
++ 'Host: %s:%s\r\n'
++ 'Accept-Encoding: identity\r\n'
++ 'Content-Length: 0\r\n\r\n'
++ % (ADDR, PORT))
+ conn.close()
+
+ class SimpleServerEncodingTestCase(BaseServerTestCase):
+diff --git a/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+new file mode 100644
+index 000000000000..47cb899df1af
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+@@ -0,0 +1 @@
++Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause an httplib.InvalidURL exception to be raised.
diff --git a/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch b/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch
new file mode 100644
index 0000000000..1b6cb8cf3e
--- /dev/null
+++ b/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch
@@ -0,0 +1,81 @@
+From 5a1033fe5be764a135adcfff2fdc14edc3e5f327 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 10 Oct 2019 16:32:19 +0800
+Subject: [PATCH] bpo-36742: Fixes handling of pre-normalization characters in
+ urlsplit() bpo-36742: Corrects fix to handle decomposition in usernames
+
+Upstream-Status: Backport
+
+https://github.com/python/cpython/commit/98a4dcefbbc3bce5ab07e7c0830a183157250259
+https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de#diff-b577545d73dd0cdb2c337a4c5f89e1d7
+
+CVE: CVE-2019-10160
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ Lib/test/test_urlparse.py | 19 +++++++++++++------
+ Lib/urlparse.py | 14 +++++++++-----
+ 2 files changed, 22 insertions(+), 11 deletions(-)
+
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 1830d0b..857ed96 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -641,13 +641,20 @@ class UrlParseTestCase(unittest.TestCase):
+ self.assertIn(u'\u2100', denorm_chars)
+ self.assertIn(u'\uFF03', denorm_chars)
+
++ # bpo-36742: Verify port separators are ignored when they
++ # existed prior to decomposition
++ urlparse.urlsplit(u'http://\u30d5\u309a:80')
++ with self.assertRaises(ValueError):
++ urlparse.urlsplit(u'http://\u30d5\u309a\ufe1380')
++
+ for scheme in [u"http", u"https", u"ftp"]:
+- for c in denorm_chars:
+- url = u"{}://netloc{}false.netloc/path".format(scheme, c)
+- if test_support.verbose:
+- print "Checking %r" % url
+- with self.assertRaises(ValueError):
+- urlparse.urlsplit(url)
++ for netloc in [u"netloc{}false.netloc", u"n{}user@netloc"]:
++ for c in denorm_chars:
++ url = u"{}://{}/path".format(scheme, netloc.format(c))
++ if test_support.verbose:
++ print "Checking %r" % url
++ with self.assertRaises(ValueError):
++ urlparse.urlsplit(url)
+
+ def test_main():
+ test_support.run_unittest(UrlParseTestCase)
+diff --git a/Lib/urlparse.py b/Lib/urlparse.py
+index 54eda08..e34b368 100644
+--- a/Lib/urlparse.py
++++ b/Lib/urlparse.py
+@@ -171,14 +171,18 @@ def _checknetloc(netloc):
+ # looking for characters like \u2100 that expand to 'a/c'
+ # IDNA uses NFKC equivalence, so normalize for this check
+ import unicodedata
+- netloc2 = unicodedata.normalize('NFKC', netloc)
+- if netloc == netloc2:
++ n = netloc.replace(u'@', u'') # ignore characters already included
++ n = n.replace(u':', u'') # but not the surrounding text
++ n = n.replace(u'#', u'')
++ n = n.replace(u'?', u'')
++
++ netloc2 = unicodedata.normalize('NFKC', n)
++ if n == netloc2:
+ return
+- _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
+ for c in '/?#@:':
+ if c in netloc2:
+- raise ValueError("netloc '" + netloc2 + "' contains invalid " +
+- "characters under NFKC normalization")
++ raise ValueError(u"netloc '" + netloc + u"' contains invalid " +
++ u"characters under NFKC normalization")
+
+ def urlsplit(url, scheme='', allow_fragments=True):
+ """Parse a URL into 5 components:
+--
+2.7.4
+
diff --git a/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch b/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch
index 8083345a4e..1741f5753b 100644
--- a/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch
+++ b/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch
@@ -1,4 +1,4 @@
-From 4865615a2bc2b78c739e4c33f536712c7f9af061 Mon Sep 17 00:00:00 2001
+From 17796e353acf08acd604610f34840a4a9d2f4b54 Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex.kanavin@gmail.com>
Date: Thu, 31 Jan 2019 16:46:30 +0100
Subject: [PATCH] distutils/sysconfig: append
diff --git a/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch b/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch
index dcc0932c7f..35213171bd 100644
--- a/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch
+++ b/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch
@@ -1,4 +1,4 @@
-From 1397979ee445ff6826aa5469511e003539f77bb2 Mon Sep 17 00:00:00 2001
+From 12900d498bb77bcc990868a80eaf0ab257b88fff Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Tue, 14 May 2013 15:00:26 -0700
Subject: [PATCH] python3: Add target and native recipes
diff --git a/meta/recipes-devtools/python/python3_3.7.2.bb b/meta/recipes-devtools/python/python3_3.7.4.bb
index 7ef7cb5998..af3c3259c2 100644
--- a/meta/recipes-devtools/python/python3_3.7.2.bb
+++ b/meta/recipes-devtools/python/python3_3.7.4.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.python.org"
LICENSE = "PSFv2"
SECTION = "devel/python"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=f257cc14f81685691652a3d3e1b5d754"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=e466242989bd33c1bd2b6a526a742498"
SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://run-ptest \
@@ -32,8 +32,8 @@ SRC_URI_append_class-nativesdk = " \
file://0001-main.c-if-OEPYTHON3HOME-is-set-use-instead-of-PYTHON.patch \
"
-SRC_URI[md5sum] = "df6ec36011808205beda239c72f947cb"
-SRC_URI[sha256sum] = "d83fe8ce51b1bb48bbcf0550fd265b9a75cdfdfa93f916f9e700aef8444bf1bb"
+SRC_URI[md5sum] = "d33e4aae66097051c2eca45ee3604803"
+SRC_URI[sha256sum] = "fb799134b868199930b75f26678f18932214042639cd52b16da7fd134cd9b13f"
# exclude pre-releases for both python 2.x and 3.x
UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
@@ -294,6 +294,6 @@ FILES_${PN}-man = "${datadir}/man"
RDEPENDS_${PN}-ptest = "${PN}-modules ${PN}-tests unzip bzip2 libgcc tzdata-europe coreutils sed"
RDEPENDS_${PN}-ptest_append_libc-glibc = " locale-base-tr-tr.iso-8859-9"
-RDEPENDS_${PN}-tkinter += "${@bb.utils.contains('PACKAGECONFIG', 'tk', 'tk', '', d)}"
+RDEPENDS_${PN}-tkinter += "${@bb.utils.contains('PACKAGECONFIG', 'tk', 'tk tk-lib', '', d)}"
RDEPENDS_${PN}-dev = ""
diff --git a/meta/recipes-devtools/python/python_2.7.16.bb b/meta/recipes-devtools/python/python_2.7.16.bb
index d70342fe3a..1c7c58199f 100644
--- a/meta/recipes-devtools/python/python_2.7.16.bb
+++ b/meta/recipes-devtools/python/python_2.7.16.bb
@@ -30,10 +30,8 @@ SRC_URI += " \
file://support_SOURCE_DATE_EPOCH_in_py_compile_2.7.patch \
file://float-endian.patch \
file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \
- file://bpo-35907-cve-2019-9948.patch \
- file://bpo-35907-cve-2019-9948-fix.patch \
- file://bpo-36216-cve-2019-9636.patch \
- file://bpo-36216-cve-2019-9636-fix.patch \
+ file://0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \
+ file://bpo-36742-cve-2019-10160.patch \
"
S = "${WORKDIR}/Python-${PV}"
@@ -177,7 +175,7 @@ RDEPENDS_${PN}-modules += "${PN}-misc"
# ptest
RDEPENDS_${PN}-ptest = "${PN}-modules ${PN}-tests unzip tzdata-europe coreutils sed"
-RDEPENDS_${PN}-tkinter += "${@bb.utils.contains('PACKAGECONFIG', 'tk', 'tk', '', d)}"
+RDEPENDS_${PN}-tkinter += "${@bb.utils.contains('PACKAGECONFIG', 'tk', 'tk tk-lib', '', d)}"
# catch manpage
PACKAGES += "${PN}-man"
FILES_${PN}-man = "${datadir}/man"
diff --git a/meta/recipes-devtools/qemu/qemu-native_3.1.0.bb b/meta/recipes-devtools/qemu/qemu-native_3.1.1.1.bb
index c8acff8e19..c8acff8e19 100644
--- a/meta/recipes-devtools/qemu/qemu-native_3.1.0.bb
+++ b/meta/recipes-devtools/qemu/qemu-native_3.1.1.1.bb
diff --git a/meta/recipes-devtools/qemu/qemu-system-native_3.1.0.bb b/meta/recipes-devtools/qemu/qemu-system-native_3.1.1.1.bb
index 5bf528bec1..5bf528bec1 100644
--- a/meta/recipes-devtools/qemu/qemu-system-native_3.1.0.bb
+++ b/meta/recipes-devtools/qemu/qemu-system-native_3.1.1.1.bb
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index e503aa866d..202134b3d8 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -22,19 +22,14 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
file://0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \
file://0001-Add-a-missing-X11-include.patch \
- file://0001-egl-headless-add-egl_create_context.patch \
- file://0014-fix-CVE-2018-16872.patch \
- file://0015-fix-CVE-2018-20124.patch \
- file://0016-fix-CVE-2018-20125.patch \
- file://0017-fix-CVE-2018-20126.patch \
- file://0018-fix-CVE-2018-20191.patch \
- file://0019-fix-CVE-2018-20216.patch \
- file://CVE-2019-3812.patch \
+ file://0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch \
+ file://0001-linux-user-assume-__NR_gettid-always-exists.patch \
+ file://0001-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
-SRC_URI[md5sum] = "fb687ce0b02d3bf4327e36d3b99427a8"
-SRC_URI[sha256sum] = "6a0508df079a0a33c2487ca936a56c12122f105b8a96a44374704bef6c69abfc"
+SRC_URI[md5sum] = "aafb005c252eb3a667c2468868348c0a"
+SRC_URI[sha256sum] = "b148fc3c7382c5addd915db433383160ca7b840bc6ea90bb0d35c6b253526d56"
COMPATIBLE_HOST_mipsarchn32 = "null"
COMPATIBLE_HOST_mipsarchn64 = "null"
diff --git a/meta/recipes-devtools/qemu/qemu/0001-egl-headless-add-egl_create_context.patch b/meta/recipes-devtools/qemu/qemu/0001-egl-headless-add-egl_create_context.patch
deleted file mode 100644
index d9326c017a..0000000000
--- a/meta/recipes-devtools/qemu/qemu/0001-egl-headless-add-egl_create_context.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 952e5d584f5aabe41298c278065fe628f3f7aa7a Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Thu, 29 Nov 2018 13:35:02 +0100
-Subject: [PATCH] egl-headless: add egl_create_context
-
-We must set the correct context (via eglMakeCurrent) before
-calling qemu_egl_create_context, so we need a thin wrapper and can't
-hook qemu_egl_create_context directly as ->dpy_gl_ctx_create callback.
-
-Reported-by: Frederik Carlier <frederik.carlier@quamotion.mobi>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 20181129123502.30129-1-kraxel@redhat.com
-
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=952e5d584f5aabe41298c278065fe628f3f7aa7a]
-Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
----
- ui/egl-headless.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)