build-appliance-image: Update to kirkstone head revision

(From OE-Core rev: f09fca692f96c9c428e89c5ef53fbcb92ac0c9bf)

Signed-off-by: Steve Sakoman <steve@sakoman.com>

bitbake/lib/bb/fetch2/wget.py

@@ -88,7 +88,10 @@ class Wget(FetchMethod):
         if not ud.localfile:
             ud.localfile = d.expand(urllib.parse.unquote(ud.host + ud.path).replace("/", "."))
 
-        self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 30 --passive-ftp"
+        self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 30"
+
+        if ud.type == 'ftp' or ud.type == 'ftps':
+            self.basecmd += " --passive-ftp"
 
         if not self.check_certs(d):
             self.basecmd += " --no-check-certificate"
@@ -106,10 +109,10 @@ class Wget(FetchMethod):
 
         fetchcmd = self.basecmd
 
-        if 'downloadfilename' in ud.parm:
-            localpath = os.path.join(d.getVar("DL_DIR"), ud.localfile)
-            bb.utils.mkdirhier(os.path.dirname(localpath))
-            fetchcmd += " -O %s" % shlex.quote(localpath)
+        dldir = os.path.realpath(d.getVar("DL_DIR"))
+        localpath = os.path.join(dldir, ud.localfile) + ".tmp"
+        bb.utils.mkdirhier(os.path.dirname(localpath))
+        fetchcmd += " -O %s" % shlex.quote(localpath)
 
         if ud.user and ud.pswd:
             fetchcmd += " --auth-no-challenge"
@@ -127,12 +130,16 @@ class Wget(FetchMethod):
         uri = ud.url.split(";")[0]
         if os.path.exists(ud.localpath):
             # file exists, but we didnt complete it.. trying again..
-            fetchcmd += d.expand(" -c -P ${DL_DIR} '%s'" % uri)
+            fetchcmd += " -c -P " + dldir + " '" + uri + "'"
         else:
-            fetchcmd += d.expand(" -P ${DL_DIR} '%s'" % uri)
+            fetchcmd += " -P " + dldir + " '" + uri + "'"
 
         self._runwget(ud, d, fetchcmd, False)
 
+        # Remove the ".tmp" and move the file into position atomically
+        # Our lock prevents multiple writers but mirroring code may grab incomplete files
+        os.rename(localpath, localpath[:-4])
+
         # Sanity check since wget can pretend it succeed when it didn't
         # Also, this used to happen if sourceforge sent us to the mirror page
         if not os.path.exists(ud.localpath):

bitbake/lib/bb/tests/fetch.py

@@ -1417,7 +1417,7 @@ class FetchLatestVersionTest(FetcherTest):
 
     def test_wget_latest_versionstring(self):
         testdata = os.path.dirname(os.path.abspath(__file__)) + "/fetch-testdata"
-        server = HTTPService(testdata)
+        server = HTTPService(testdata, host="127.0.0.1")
         server.start()
         port = server.port
         try:
@@ -1425,10 +1425,10 @@ class FetchLatestVersionTest(FetcherTest):
                 self.d.setVar("PN", k[0])
                 checkuri = ""
                 if k[2]:
-                    checkuri = "http://localhost:%s/" % port + k[2]
+                    checkuri = "http://127.0.0.1:%s/" % port + k[2]
                 self.d.setVar("UPSTREAM_CHECK_URI", checkuri)
                 self.d.setVar("UPSTREAM_CHECK_REGEX", k[3])
-                url = "http://localhost:%s/" % port + k[1]
+                url = "http://127.0.0.1:%s/" % port + k[1]
                 ud = bb.fetch2.FetchData(url, self.d)
                 pupver = ud.method.latest_versionstring(ud, self.d)
                 verstring = pupver[0]

bitbake/lib/hashserv/tests.py

@@ -30,7 +30,7 @@ class HashEquivalenceTestSetup(object):
 
     server_index = 0
 
-    def start_server(self, dbpath=None, upstream=None, read_only=False, prefunc=server_prefunc):
+    def start_server(self, dbpath=None, upstream=None, read_only=False, prefunc=server_prefunc, need_client=True):
         self.server_index += 1
         if dbpath is None:
             dbpath = os.path.join(self.temp_dir.name, "db%d.sqlite" % self.server_index)
@@ -54,8 +54,11 @@ class HashEquivalenceTestSetup(object):
         def cleanup_client(client):
             client.close()
 
-        client = create_client(server.address)
-        self.addCleanup(cleanup_client, client)
+        if need_client:
+            client = create_client(server.address)
+            self.addCleanup(cleanup_client, client)
+        else:
+            client = None
 
         return (client, server)
 
@@ -341,7 +344,7 @@ class HashEquivalenceCommonTests(object):
         old_signal = signal.signal(signal.SIGTERM, do_nothing)
         self.addCleanup(signal.signal, signal.SIGTERM, old_signal)
 
-        _, server = self.start_server(prefunc=prefunc)
+        _, server = self.start_server(prefunc=prefunc, need_client=False)
         server.process.terminate()
         time.sleep(30)
         event.set()

documentation/migration-guides/release-4.0.rst

@@ -27,4 +27,5 @@ Release 4.0 (kirkstone)
    release-notes-4.0.18
    release-notes-4.0.19
    release-notes-4.0.20
+   release-notes-4.0.21
 

documentation/migration-guides/release-notes-4.0.21.rst

@@ -0,0 +1,166 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+Release notes for Yocto-4.0.21 (Kirkstone)
+------------------------------------------
+
+Security Fixes in Yocto-4.0.21
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  bind: Fix :cve:`2024-4076`, :cve:`2024-1737`, :cve:`2024-0760` and :cve:`2024-1975`
+-  apr: Fix :cve:`2023-49582`
+-  busybox: Fix :cve:`2023-42363`, :cve:`2023-42364`, :cve:`2023-42365`, :cve:`2023-42366` and :cve:`2021-42380`
+-  curl: Ignore :cve:`2024-32928`
+-  curl: Fix :cve:`2024-7264`
+-  ghostscript: Fix :cve:`2024-29506`, :cve:`2024-29509` and :cve:`2024-29511`
+-  go: Fix :cve:`2024-24789` and :cve:`2024-24791`
+-  gtk+3: Fix :cve:`2024-6655`
+-  libarchive: Ignore :cve:`2024-37407`
+-  libyaml: Ignore :cve:`2024-35325`, :cve:`2024-35326` and :cve:`2024-35328`
+-  linux-yocto/5.15: Fix :cve:`2022-48772`, :cve:`2024-35972`, :cve:`2024-35984`, :cve:`2024-35990`, :cve:`2024-35997`, :cve:`2024-36008`, :cve:`2024-36270`, :cve:`2024-36489`, :cve:`2024-36897`, :cve:`2024-36938`, :cve:`2024-36965`, :cve:`2024-36967`, :cve:`2024-36969`, :cve:`2024-36971`, :cve:`2024-36978`, :cve:`2024-38546`, :cve:`2024-38547`, :cve:`2024-38549`, :cve:`2024-38552`, :cve:`2024-38555`, :cve:`2024-38571`, :cve:`2024-38583`, :cve:`2024-38591`, :cve:`2024-38597`, :cve:`2024-38598`, :cve:`2024-38600`, :cve:`2024-38627`, :cve:`2024-38633`, :cve:`2024-38661`, :cve:`2024-38662`, :cve:`2024-38780`, :cve:`2024-39277`, :cve:`2024-39292`, :cve:`2024-39301`, :cve:`2024-39466`, :cve:`2024-39468`, :cve:`2024-39471`, :cve:`2024-39475`, :cve:`2024-39476`, :cve:`2024-39480`, :cve:`2024-39482`, :cve:`2024-39484`, :cve:`2024-39487`, :cve:`2024-39489`, :cve:`2024-39493`, :cve:`2024-39495`, :cve:`2024-39506`, :cve:`2024-40902`, :cve:`2024-40911`, :cve:`2024-40912`, :cve:`2024-40932`, :cve:`2024-40934`, :cve:`2024-40954`, :cve:`2024-40956`, :cve:`2024-40957`, :cve:`2024-40958`, :cve:`2024-40959`, :cve:`2024-40960`, :cve:`2024-40961`, :cve:`2024-40967`, :cve:`2024-40970`, :cve:`2024-40980`, :cve:`2024-40981`, :cve:`2024-40994`, :cve:`2024-40995`, :cve:`2024-41000`, :cve:`2024-41002`, :cve:`2024-41006`, :cve:`2024-41007`, :cve:`2024-41046`, :cve:`2024-41049`, :cve:`2024-41055`, :cve:`2024-41064`, :cve:`2024-41070`, :cve:`2024-41073`, :cve:`2024-41087`, :cve:`2024-41089`, :cve:`2024-41092`, :cve:`2024-41093`, :cve:`2024-41095`, :cve:`2024-41097`, :cve:`2024-42068`, :cve:`2024-42070`, :cve:`2024-42076`, :cve:`2024-42077`, :cve:`2024-42080`, :cve:`2024-42082`, :cve:`2024-42085`, :cve:`2024-42090`, :cve:`2024-42093`, :cve:`2024-42094`, :cve:`2024-42101`, :cve:`2024-42102`, :cve:`2024-42104`, :cve:`2024-42109`, :cve:`2024-42140`, :cve:`2024-42148`, :cve:`2024-42152`, :cve:`2024-42153`, :cve:`2024-42154`, :cve:`2024-42157`, :cve:`2024-42161`, :cve:`2024-42223`, :cve:`2024-42224`, :cve:`2024-42225`, :cve:`2024-42229`, :cve:`2024-42232`, :cve:`2024-42236`, :cve:`2024-42244` and :cve:`2024-42247`
+-  llvm: Fix :cve:`2023-46049` and :cve:`2024-31852`
+-  ofono: fix :cve:`2023-2794`
+-  orc: Fix :cve:`2024-40897`
+-  python3-certifi: Fix :cve:`2024-39689`
+-  python3-jinja2: Fix :cve:`2024-34064`
+-  python3: Fix :cve:`2024-8088`
+-  qemu: Fix :cve:`2024-7409`
+-  ruby: Fix for :cve:`2024-27282`
+-  tiff: Fix :cve:`2024-7006`
+-  vim: Fix :cve:`2024-22667`, :cve:`2024-41957`, :cve:`2024-41965` and :cve:`2024-43374`
+-  wpa-supplicant: Fix :cve:`2023-52160`
+
+
+Fixes in Yocto-4.0.21
+~~~~~~~~~~~~~~~~~~~~~
+
+-  apr: upgrade to 1.7.5
+-  bind: Upgrade to 9.18.28
+-  bitbake: data_smart: Improve performance for VariableHistory
+-  build-appliance-image: Update to kirkstone head revision
+-  cryptodev-module: Fix build for linux 5.10.220
+-  gcc-runtime: remove bashism
+-  grub: fs/fat: Don't error when mtime is 0
+-  image_types.bbclass: Use --force also with lz4,lzop
+-  libsoup: fix compile error on centos7
+-  linux-yocto/5.15: upgrade to v5.15.164
+-  lttng-modules: Upgrade to 2.13.14
+-  migration-guide: add release notes for 4.0.20
+-  orc: upgrade to 0.4.39
+-  poky.conf: bump version for 4.0.21
+-  python3-jinja2: upgrade to 3.1.4
+-  python3-pycryptodome(x): use python_setuptools_build_meta build class
+-  python3: add PACKAGECONFIG[editline]
+-  ref-manual: fix typo and move :term:`SYSROOT_DIRS` example
+-  sqlite3: CVE_ID correction for :cve:`2023-7104` as patched
+-  sqlite3: Rename patch for :cve:`2022-35737`
+-  uboot-sign: Fix index error in concat_dtb_helper() with multiple configs
+-  vim: upgrade to 9.1.0682
+-  wireless-regdb: upgrade to 2024.07.04
+
+
+Known Issues in Yocto-4.0.21
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+
+Contributors to Yocto-4.0.21
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Archana Polampalli
+-  Ashish Sharma
+-  Bruce Ashfield
+-  Deepthi Hemraj
+-  Divya Chellam
+-  Florian Amstutz
+-  Guocai He
+-  Hitendra Prajapati
+-  Hugo SIMELIERE
+-  Lee Chee Yang
+-  Leon Anavi
+-  Matthias Pritschet
+-  Ming Liu
+-  Niko Mauno
+-  Peter Marko
+-  Robert Yang
+-  Rohini Sangam
+-  Ross Burton
+-  Siddharth Doshi
+-  Soumya Sambu
+-  Steve Sakoman
+-  Vijay Anusuri
+-  Vrushti Dabhi
+-  Wang Mingyu
+-  Yogita Urade
+
+
+Repositories / Downloads for Yocto-4.0.21
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.21 </poky/log/?h=yocto-4.0.21>`
+-  Git Revision: :yocto_git:`4cdc553814640851cce85f84ee9c0b58646cd33b </poky/commit/?id=4cdc553814640851cce85f84ee9c0b58646cd33b>`
+-  Release Artefact: poky-4cdc553814640851cce85f84ee9c0b58646cd33b
+-  sha: 460e3a4ede491a9b66c5d262cd9498d5bcca1f2d880885342b08dc32b967f33d
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.21/poky-4cdc553814640851cce85f84ee9c0b58646cd33b.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.21/poky-4cdc553814640851cce85f84ee9c0b58646cd33b.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.21 </openembedded-core/log/?h=yocto-4.0.21>`
+-  Git Revision: :oe_git:`c40a3fec49942ac6d25ba33e57e801a550e252c9 </openembedded-core/commit/?id=c40a3fec49942ac6d25ba33e57e801a550e252c9>`
+-  Release Artefact: oecore-c40a3fec49942ac6d25ba33e57e801a550e252c9
+-  sha: afc2aaf312f9fb2590ae006615557ec605c98eff42bc380a1b2d6e39cfdf8930
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.21/oecore-c40a3fec49942ac6d25ba33e57e801a550e252c9.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.21/oecore-c40a3fec49942ac6d25ba33e57e801a550e252c9.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.21 </meta-mingw/log/?h=yocto-4.0.21>`
+-  Git Revision: :yocto_git:`f6b38ce3c90e1600d41c2ebb41e152936a0357d7 </meta-mingw/commit/?id=f6b38ce3c90e1600d41c2ebb41e152936a0357d7>`
+-  Release Artefact: meta-mingw-f6b38ce3c90e1600d41c2ebb41e152936a0357d7
+-  sha: 7d57167c19077f4ab95623d55a24c2267a3a3fb5ed83688659b4c03586373b25
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.21/meta-mingw-f6b38ce3c90e1600d41c2ebb41e152936a0357d7.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.21/meta-mingw-f6b38ce3c90e1600d41c2ebb41e152936a0357d7.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: :yocto_git:`/meta-gplv2`
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.21 </meta-gplv2/log/?h=yocto-4.0.21>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.21/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.21/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.21 </bitbake/log/?h=yocto-4.0.21>`
+-  Git Revision: :oe_git:`ec2a99a077da9aa0e99e8b05e0c65dcbd45864b1 </bitbake/commit/?id=ec2a99a077da9aa0e99e8b05e0c65dcbd45864b1>`
+-  Release Artefact: bitbake-ec2a99a077da9aa0e99e8b05e0c65dcbd45864b1
+-  sha: 1cb102f4c8dbd067f0262072e4e629ec7cb423103111ccdde75a09fcb8f55e5f
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.21/bitbake-ec2a99a077da9aa0e99e8b05e0c65dcbd45864b1.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.21/bitbake-ec2a99a077da9aa0e99e8b05e0c65dcbd45864b1.tar.bz2
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.21 </yocto-docs/log/?h=yocto-4.0.21>`
+-  Git Revision: :yocto_git:`512025edd9b3b6b8d0938b35bb6188c9f3b7f17d </yocto-docs/commit/?id=512025edd9b3b6b8d0938b35bb6188c9f3b7f17d>`
+

documentation/ref-manual/features.rst

@@ -129,7 +129,7 @@ metadata:
 
 -  *directfb:* Include DirectFB support.
 
--  *ext2:* Include tools for supporting for devices with internal
+-  *ext2:* Include tools for supporting devices with internal
    HDD/Microdrive for storing files (instead of Flash only devices).
 
 -  *ipsec:* Include IPSec support.

meta-poky/conf/distro/poky.conf

@@ -1,7 +1,7 @@
 DISTRO = "poky"
 DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
 #DISTRO_VERSION = "3.4+snapshot-${METADATA_REVISION}"
-DISTRO_VERSION = "4.0.21"
+DISTRO_VERSION = "4.0.22"
 DISTRO_CODENAME = "kirkstone"
 SDK_VENDOR = "-pokysdk"
 SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${METADATA_REVISION}', 'snapshot')}"

meta/classes/buildhistory.bbclass

@@ -45,11 +45,18 @@ BUILDHISTORY_PUSH_REPO ?= ""
 BUILDHISTORY_TAG ?= "build"
 BUILDHISTORY_PATH_PREFIX_STRIP ?= ""
 
-SSTATEPOSTINSTFUNCS:append = " buildhistory_emit_pkghistory"
-# We want to avoid influencing the signatures of sstate tasks - first the function itself:
-sstate_install[vardepsexclude] += "buildhistory_emit_pkghistory"
-# then the value added to SSTATEPOSTINSTFUNCS:
-SSTATEPOSTINSTFUNCS[vardepvalueexclude] .= "| buildhistory_emit_pkghistory"
+# We want to avoid influencing the signatures of the task so use vardepsexclude
+do_populate_sysroot[postfuncs] += "buildhistory_emit_sysroot"
+do_populate_sysroot_setscene[postfuncs] += "buildhistory_emit_sysroot"
+do_populate_sysroot[vardepsexclude] += "buildhistory_emit_sysroot"
+
+do_package[postfuncs] += "buildhistory_list_pkg_files"
+do_package_setscene[postfuncs] += "buildhistory_list_pkg_files"
+do_package[vardepsexclude] += "buildhistory_list_pkg_files"
+
+do_packagedata[postfuncs] += "buildhistory_emit_pkghistory"
+do_packagedata_setscene[postfuncs] += "buildhistory_emit_pkghistory"
+do_packagedata[vardepsexclude] += "buildhistory_emit_pkghistory"
 
 # Similarly for our function that gets the output signatures
 SSTATEPOSTUNPACKFUNCS:append = " buildhistory_emit_outputsigs"
@@ -89,25 +96,14 @@ buildhistory_emit_sysroot() {
 # Write out metadata about this package for comparison when writing future packages
 #
 python buildhistory_emit_pkghistory() {
-    if d.getVar('BB_CURRENTTASK') in ['populate_sysroot', 'populate_sysroot_setscene']:
-        bb.build.exec_func("buildhistory_emit_sysroot", d)
-        return 0
-
-    if not "package" in (d.getVar('BUILDHISTORY_FEATURES') or "").split():
-        return 0
-
-    if d.getVar('BB_CURRENTTASK') in ['package', 'package_setscene']:
-        # Create files-in-<package-name>.txt files containing a list of files of each recipe's package
-        bb.build.exec_func("buildhistory_list_pkg_files", d)
-        return 0
-
-    if not d.getVar('BB_CURRENTTASK') in ['packagedata', 'packagedata_setscene']:
-        return 0
-
     import re
     import json
     import shlex
     import errno
+    import shutil
+
+    if not "package" in (d.getVar('BUILDHISTORY_FEATURES') or "").split():
+        return 0
 
     pkghistdir = d.getVar('BUILDHISTORY_DIR_PACKAGE')
     oldpkghistdir = d.getVar('BUILDHISTORY_OLD_DIR_PACKAGE')
@@ -221,6 +217,20 @@ python buildhistory_emit_pkghistory() {
         items.sort()
         return ' '.join(items)
 
+    def preservebuildhistoryfiles(pkg, preserve):
+        if os.path.exists(os.path.join(oldpkghistdir, pkg)):
+            listofobjs = os.listdir(os.path.join(oldpkghistdir, pkg))
+            for obj in listofobjs:
+                if obj not in preserve:
+                    continue
+                try:
+                    bb.utils.mkdirhier(os.path.join(pkghistdir, pkg))
+                    shutil.copyfile(os.path.join(oldpkghistdir, pkg, obj), os.path.join(pkghistdir, pkg, obj))
+                except IOError as e:
+                    bb.note("Unable to copy file. %s" % e)
+                except EnvironmentError as e:
+                    bb.note("Unable to copy file. %s" % e)
+
     pn = d.getVar('PN')
     pe = d.getVar('PE') or "0"
     pv = d.getVar('PV')
@@ -248,6 +258,14 @@ python buildhistory_emit_pkghistory() {
     if not os.path.exists(pkghistdir):
         bb.utils.mkdirhier(pkghistdir)
     else:
+        # We need to make sure that all files kept in
+        # buildhistory/old are restored successfully
+        # otherwise next block of code wont have files to
+        # check and purge
+        if d.getVar("BUILDHISTORY_RESET"):
+            for pkg in packagelist:
+                preservebuildhistoryfiles(pkg, preserve)
+
         # Remove files for packages that no longer exist
         for item in os.listdir(pkghistdir):
             if item not in preserve:
@@ -596,16 +614,17 @@ buildhistory_list_files_no_owners() {
 }
 
 buildhistory_list_pkg_files() {
+	if [ "${@bb.utils.contains('BUILDHISTORY_FEATURES', 'package', '1', '0', d)}" = "0" ] ; then
+		return
+	fi
+
 	# Create individual files-in-package for each recipe's package
-	for pkgdir in $(find ${PKGDEST}/* -maxdepth 0 -type d); do
+	pkgdirlist=$(find ${PKGDEST}/* -maxdepth 0 -type d)
+	for pkgdir in $pkgdirlist; do
 		pkgname=$(basename $pkgdir)
 		outfolder="${BUILDHISTORY_DIR_PACKAGE}/$pkgname"
 		outfile="$outfolder/files-in-package.txt"
-		# Make sure the output folder exists so we can create the file
-		if [ ! -d $outfolder ] ; then
-			bbdebug 2 "Folder $outfolder does not exist, file $outfile not created"
-			continue
-		fi
+		mkdir -p $outfolder
 		buildhistory_list_files $pkgdir $outfile fakeroot
 	done
 }

meta/classes/populate_sdk_base.bbclass

@@ -1,6 +1,6 @@
 PACKAGES = ""
 
-inherit image-postinst-intercepts image-artifact-names
+inherit image-postinst-intercepts image-artifact-names nopackages
 
 # Wildcards specifying complementary packages to install for every package that has been explicitly
 # installed into the rootfs

meta/classes/sstate.bbclass

@@ -156,7 +156,10 @@ python () {
     d.setVar('SSTATETASKS', " ".join(unique_tasks))
     for task in unique_tasks:
         d.prependVarFlag(task, 'prefuncs', "sstate_task_prefunc ")
-        d.appendVarFlag(task, 'postfuncs', " sstate_task_postfunc")
+        # Generally sstate should be last, execpt for buildhistory functions
+        postfuncs = (d.getVarFlag(task, 'postfuncs') or "").split()
+        newpostfuncs = [p for p in postfuncs if "buildhistory" not in p] + ["sstate_task_postfunc"] + [p for p in postfuncs if "buildhistory" in p]
+        d.setVarFlag(task, 'postfuncs', " ".join(newpostfuncs))
         d.setVarFlag(task, 'network', '1')
         d.setVarFlag(task + "_setscene", 'network', '1')
 }

meta/classes/testexport.bbclass

@@ -50,7 +50,7 @@ def testexport_main(d):
     from oeqa.runtime.context import OERuntimeTestContextExecutor
 
     image_name = ("%s/%s" % (d.getVar('DEPLOY_DIR_IMAGE'),
-                             d.getVar('IMAGE_LINK_NAME')))
+                             d.getVar('IMAGE_LINK_NAME') or d.getVar('IMAGE_NAME')))
 
     tdname = "%s.testdata.json" % image_name
     td = json.load(open(tdname, "r"))

meta/classes/testimage.bbclass

@@ -98,7 +98,7 @@ TESTIMAGELOCK:qemuall = ""
 
 TESTIMAGE_DUMP_DIR ?= "${LOG_DIR}/runtime-hostdump/"
 
-TESTIMAGE_UPDATE_VARS ?= "DL_DIR WORKDIR DEPLOY_DIR"
+TESTIMAGE_UPDATE_VARS ?= "DL_DIR WORKDIR DEPLOY_DIR IMAGE_LINK_NAME"
 
 testimage_dump_target () {
 }
@@ -209,7 +209,7 @@ def testimage_main(d):
     bb.utils.mkdirhier(d.getVar("TEST_LOG_DIR"))
 
     image_name = ("%s/%s" % (d.getVar('DEPLOY_DIR_IMAGE'),
-                             d.getVar('IMAGE_LINK_NAME')))
+                             d.getVar('IMAGE_LINK_NAME') or d.getVar('IMAGE_NAME')))
 
     tdname = "%s.testdata.json" % image_name
     try:

meta/conf/distro/include/maintainers.inc

@@ -189,7 +189,7 @@ RECIPE_MAINTAINER:pn-gcc-cross-canadian-${TRANSLATED_TARGET_ARCH} = "Khem Raj <r
 RECIPE_MAINTAINER:pn-gcc-crosssdk-${SDK_SYS} = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-gcc-runtime = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-gcc-sanitizers = "Khem Raj <raj.khem@gmail.com>"
-RECIPE_MAINTAINER:pn-gcc-source-11.4.0 = "Khem Raj <raj.khem@gmail.com>"
+RECIPE_MAINTAINER:pn-gcc-source-11.5.0 = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-gconf = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-gcr = "Alexander Kanavin <alex.kanavin@gmail.com>"
 RECIPE_MAINTAINER:pn-gdb = "Khem Raj <raj.khem@gmail.com>"

meta/conf/distro/include/yocto-uninative.inc

@@ -6,10 +6,10 @@
 # to the distro running on the build machine.
 #
 
-UNINATIVE_MAXGLIBCVERSION = "2.39"
-UNINATIVE_VERSION = "4.4"
+UNINATIVE_MAXGLIBCVERSION = "2.40"
+UNINATIVE_VERSION = "4.6"
 
 UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "b61876130f494f75092f21086b4a64ea5fb064045769bf1d32e9cb6af17ea8ec"
-UNINATIVE_CHECKSUM[i686] ?= "9f28627828f0082cc0344eede4d9a861a9a064bfa8f36e072e46212f0fe45fcc"
-UNINATIVE_CHECKSUM[x86_64] ?= "d81c54284be2bb886931fc87281d58177a2cd381cf99d1981f8923039a72a302"
+UNINATIVE_CHECKSUM[aarch64] ?= "c2d36338272eba101580f648dd8dff5352cdb4c1809db7dedf8fc4d7e7df716c"
+UNINATIVE_CHECKSUM[i686] ?= "0041584678109c18deca48fb59eaf14cf725cf024a170ab537b354b63240c504"
+UNINATIVE_CHECKSUM[x86_64] ?= "6bf00154c5a7bc48adbf63fd17684bb87eb07f4814fbb482a3fbd817c1ccf4c5"

meta/lib/oeqa/selftest/cases/runcmd.py

@@ -56,11 +56,11 @@ class RunCmdTests(OESelftestTestCase):
         self.assertEqual(result.status, 0)
 
     def test_result_assertion(self):
-        self.assertRaisesRegexp(AssertionError, "Command 'echo .* false' returned non-zero exit status 1:\nfoobar",
+        self.assertRaisesRegex(AssertionError, "Command 'echo .* false' returned non-zero exit status 1:\nfoobar",
                                 runCmd, "echo foobar >&2; false", shell=True)
 
     def test_result_exception(self):
-        self.assertRaisesRegexp(CommandError, "Command 'echo .* false' returned non-zero exit status 1 with output: foobar",
+        self.assertRaisesRegex(CommandError, "Command 'echo .* false' returned non-zero exit status 1 with output: foobar",
                                 runCmd, "echo foobar >&2; false", shell=True, assert_error=False)
 
     def test_output(self):

meta/lib/oeqa/selftest/cases/runtime_test.py

@@ -258,7 +258,7 @@ class TestImage(OESelftestTestCase):
 
         distro = oe.lsb.distro_identifier()
         if distro and (distro in ['debian-9', 'debian-10', 'centos-7', 'centos-8', 'ubuntu-16.04', 'ubuntu-18.04'] or
-            distro.startswith('almalinux') or distro.startswith('rocky')):
+            distro.startswith('almalinux') or distro.startswith('fedora') or distro.startswith('rocky')):
             self.skipTest('virgl headless cannot be tested with %s' %(distro))
 
         render_hint = """If /dev/dri/renderD* is absent due to lack of suitable GPU, 'modprobe vgem' will create one suitable for mesa llvmpipe software renderer."""

meta/recipes-connectivity/iw/iw_5.16.bb

@@ -4,7 +4,7 @@ wireless devices. It supports almost all new drivers that have been added \
 to the kernel recently. "
 HOMEPAGE = "https://wireless.wiki.kernel.org/en/users/documentation/iw"
 SECTION = "base"
-LICENSE = "BSD-2-Clause"
+LICENSE = "ISC"
 LIC_FILES_CHKSUM = "file://COPYING;md5=878618a5c4af25e9b93ef0be1a93f774"
 
 DEPENDS = "libnl"

meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre1.patch

@@ -0,0 +1,99 @@
+From f72f48a26abdd2eb11a4a8fb3596ee67b8f8cbe6 Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Wed, 21 Jul 2021 23:50:32 -0700
+Subject: [PATCH] rpcap: don't do pointless integer->string and then
+ string->integer conversions.
+
+The string->integer conversion was also broken, as it passed a pointer
+to a 16-bit integer to a sscanf() call that used %d rather than %hd.
+It'd overwrite 2 bytes past the 16-bit integer; it may set the integer
+"correctly" on a little-endian, but wouldn't even do *that* on a
+big-endian machine.
+
+(cherry picked from commit efaddfe8eae4dab252bb2d35e004a40e4b72db24)
+
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/f72f48a26abdd2eb11a4a8fb3596ee67b8f8cbe6]
+CVE: CVE-2023-7256 #Dependency Patch1
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pcap-rpcap.c | 34 ++++++++++++++++++++++++----------
+ 1 file changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/pcap-rpcap.c b/pcap-rpcap.c
+index 225b420904..f5c126dbc1 100644
+--- a/pcap-rpcap.c
++++ b/pcap-rpcap.c
+@@ -1060,7 +1060,7 @@ static int pcap_startcapture_remote(pcap_t *fp)
+ 	struct pcap_rpcap *pr = fp->priv;	/* structure used when doing a remote live capture */
+ 	char sendbuf[RPCAP_NETBUF_SIZE];	/* temporary buffer in which data to be sent is buffered */
+ 	int sendbufidx = 0;			/* index which keeps the number of bytes currently buffered */
+-	char portdata[PCAP_BUF_SIZE];		/* temp variable needed to keep the network port for the data connection */
++	uint16 portdata = 0;			/* temp variable needed to keep the network port for the data connection */
+ 	uint32 plen;
+ 	int active = 0;				/* '1' if we're in active mode */
+ 	struct activehosts *temp;		/* temp var needed to scan the host list chain, to detect if we're in active mode */
+@@ -1073,6 +1073,8 @@ static int pcap_startcapture_remote(pcap_t *fp)
+ 	struct sockaddr_storage saddr;		/* temp, needed to retrieve the network data port chosen on the local machine */
+ 	socklen_t saddrlen;			/* temp, needed to retrieve the network data port chosen on the local machine */
+ 	int ai_family;				/* temp, keeps the address family used by the control connection */
++	struct sockaddr_in *sin4;
++	struct sockaddr_in6 *sin6;
+ 
+ 	/* RPCAP-related variables*/
+ 	struct rpcap_header header;			/* header of the RPCAP packet */
+@@ -1171,11 +1173,22 @@ static int pcap_startcapture_remote(pcap_t *fp)
+ 			goto error_nodiscard;
+ 		}
+ 
+-		/* Get the local port the system picked up */
+-		if (getnameinfo((struct sockaddr *) &saddr, saddrlen, NULL,
+-			0, portdata, sizeof(portdata), NI_NUMERICSERV))
+-		{
+-			sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
++		switch (saddr.ss_family) {
++
++		case AF_INET:
++			sin4 = (struct sockaddr_in *)&saddr;
++			portdata = sin4->sin_port;
++			break;
++
++		case AF_INET6:
++			sin6 = (struct sockaddr_in6 *)&saddr;
++			portdata = sin6->sin6_port;
++			break;
++
++		default:
++			snprintf(fp->errbuf, PCAP_ERRBUF_SIZE,
++			    "Local address has unknown address family %u",
++			    saddr.ss_family);
+ 			goto error_nodiscard;
+ 		}
+ 	}
+@@ -1208,8 +1221,7 @@ static int pcap_startcapture_remote(pcap_t *fp)
+ 	/* portdata on the openreq is meaningful only if we're in active mode */
+ 	if ((active) || (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
+ 	{
+-		sscanf(portdata, "%d", (int *)&(startcapreq->portdata));	/* cast to avoid a compiler warning */
+-		startcapreq->portdata = htons(startcapreq->portdata);
++		startcapreq->portdata = portdata;
+ 	}
+ 
+ 	startcapreq->snaplen = htonl(fp->snapshot);
+@@ -1258,13 +1270,15 @@ static int pcap_startcapture_remote(pcap_t *fp)
+ 	{
+ 		if (!active)
+ 		{
++			char portstring[PCAP_BUF_SIZE];
++
+ 			memset(&hints, 0, sizeof(struct addrinfo));
+ 			hints.ai_family = ai_family;		/* Use the same address family of the control socket */
+ 			hints.ai_socktype = (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP) ? SOCK_DGRAM : SOCK_STREAM;
+-			snprintf(portdata, PCAP_BUF_SIZE, "%d", ntohs(startcapreply.portdata));
++			snprintf(portstring, PCAP_BUF_SIZE, "%d", ntohs(startcapreply.portdata));
+ 
+ 			/* Let's the server pick up a free network port for us */
+-			if (sock_initaddress(host, portdata, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
++			if (sock_initaddress(host, portstring, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
+ 				goto error;
+ 
+ 			if ((sockdata = sock_open(addrinfo, SOCKOPEN_CLIENT, 0, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)

meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre2.patch

@@ -0,0 +1,131 @@
+From ba493d37d418b126d7357df553bd065cbc99384e Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Sun, 31 Jul 2022 11:30:43 -0700
+Subject: [PATCH] rpcap: improve error messages for host and port resolution
+ errors.
+
+If we don't want a particular port nuber in a sock_initaddress() call,
+pass NULL rather than "0".  If the service name parameter passsed to
+sock_initaddress() is NULL, pass "0" as the service name parameter to
+getaddrinfo().
+
+Have get_gai_errstring() precede the host/port name information with an
+indication as to whethe it's a host name, port name, or host name and
+port name.  Don't say "host name" for EAI_NONAME; rely on the
+description get_gai_errstring() provides.  If there's only a port
+number, don't preceded it with ":" in get_gai_errstring().
+
+This makes the error message reported if a host and port are provided
+not say that the host name couldn't be resolved, because it could be a
+problem with the port name (sadly, getaddinfo() doesn't indicate which
+is the one with the problem).
+
+It also makes the error message reported if only a port is provided not
+say that it's a problem with the host name or show the "host name" as
+":<port>".
+
+(cherry picked from commit 33cf6fb70a13a982d70f6a5e5e63aa765073c8e8)
+
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/ba493d37d418b126d7357df553bd065cbc99384e]
+CVE: CVE-2023-7256 #Dependency Patch2
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pcap-rpcap.c    |  6 +++---
+ rpcapd/daemon.c |  4 ++--
+ sockutils.c     | 19 ++++++++++++++-----
+ 3 files changed, 19 insertions(+), 10 deletions(-)
+
+diff --git a/pcap-rpcap.c b/pcap-rpcap.c
+index 889ade32f6..b68af65d52 100644
+--- a/pcap-rpcap.c
++++ b/pcap-rpcap.c
+@@ -1020,7 +1020,7 @@ rpcap_remoteact_getsock(const char *host, int *error, char *errbuf)
+ 	hints.ai_family = PF_UNSPEC;
+ 	hints.ai_socktype = SOCK_STREAM;
+ 
+-	retval = sock_initaddress(host, "0", &hints, &addrinfo, errbuf,
++	retval = sock_initaddress(host, NULL, &hints, &addrinfo, errbuf,
+ 	    PCAP_ERRBUF_SIZE);
+ 	if (retval != 0)
+ 	{
+@@ -1172,7 +1172,7 @@ static int pcap_startcapture_remote(pcap_t *fp)
+ 		hints.ai_flags = AI_PASSIVE;	/* Data connection is opened by the server toward the client */
+ 
+ 		/* Let's the server pick up a free network port for us */
+-		if (sock_initaddress(NULL, "0", &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
++		if (sock_initaddress(NULL, NULL, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
+ 			goto error_nodiscard;
+ 
+ 		if ((sockdata = sock_open(addrinfo, SOCKOPEN_SERVER,
+@@ -3024,7 +3024,7 @@ int pcap_remoteact_close(const char *host, char *errbuf)
+ 	hints.ai_family = PF_UNSPEC;
+ 	hints.ai_socktype = SOCK_STREAM;
+ 
+-	retval = sock_initaddress(host, "0", &hints, &addrinfo, errbuf,
++	retval = sock_initaddress(host, NULL, &hints, &addrinfo, errbuf,
+ 	    PCAP_ERRBUF_SIZE);
+ 	if (retval != 0)
+ 	{
+diff --git a/rpcapd/daemon.c b/rpcapd/daemon.c
+index 362f4b9bb0..4b91a43242 100644
+--- a/rpcapd/daemon.c
++++ b/rpcapd/daemon.c
+@@ -2085,8 +2085,8 @@ daemon_msg_startcap_req(uint8 ver, struct daemon_slpars *pars, uint32 plen,
+ 	{
+ 		hints.ai_flags = AI_PASSIVE;
+ 
+-		// Let's the server socket pick up a free network port for us
+-		if (sock_initaddress(NULL, "0", &hints, &addrinfo, errmsgbuf, PCAP_ERRBUF_SIZE) == -1)
++		// Make the server socket pick up a free network port for us
++		if (sock_initaddress(NULL, NULL, &hints, &addrinfo, errmsgbuf, PCAP_ERRBUF_SIZE) == -1)
+ 			goto error;
+ 
+ 		if ((session->sockdata = sock_open(addrinfo, SOCKOPEN_SERVER, 1 /* max 1 connection in queue */, errmsgbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+diff --git a/sockutils.c b/sockutils.c
+index a34f0d1738..ca5b683720 100644
+--- a/sockutils.c
++++ b/sockutils.c
+@@ -548,13 +548,13 @@ get_gai_errstring(char *errbuf, int errbuflen, const char *prefix, int err,
+ 	char hostport[PCAP_ERRBUF_SIZE];
+ 
+ 	if (hostname != NULL && portname != NULL)
+-		snprintf(hostport, PCAP_ERRBUF_SIZE, "%s:%s",
++		snprintf(hostport, PCAP_ERRBUF_SIZE, "host and port %s:%s",
+ 		    hostname, portname);
+ 	else if (hostname != NULL)
+-		snprintf(hostport, PCAP_ERRBUF_SIZE, "%s",
++		snprintf(hostport, PCAP_ERRBUF_SIZE, "host %s",
+ 		    hostname);
+ 	else if (portname != NULL)
+-		snprintf(hostport, PCAP_ERRBUF_SIZE, ":%s",
++		snprintf(hostport, PCAP_ERRBUF_SIZE, "port %s",
+ 		    portname);
+ 	else
+ 		snprintf(hostport, PCAP_ERRBUF_SIZE, "<no host or port!>");
+@@ -618,7 +618,7 @@ get_gai_errstring(char *errbuf, int errbuflen, const char *prefix, int err,
+ 
+ 		case EAI_NONAME:
+ 			snprintf(errbuf, errbuflen,
+-			    "%sThe host name %s couldn't be resolved",
++			    "%sThe %s couldn't be resolved",
+ 			    prefix, hostport);
+ 			break;
+ 
+@@ -720,7 +720,16 @@ int sock_initaddress(const char *host, const char *port,
+ {
+ 	int retval;
+ 
+-	retval = getaddrinfo(host, port, hints, addrinfo);
++	/*
++	 * We allow both the host and port to be null, but getaddrinfo()
++	 * is not guaranteed to do so; to handle that, if port is null,
++	 * we provide "0" as the port number.
++	 *
++	 * This results in better error messages from get_gai_errstring(),
++	 * as those messages won't talk about a problem with the port if
++	 * no port was specified.
++	 */
++	retval = getaddrinfo(host, port == NULL ? "0" : port, hints, addrinfo);
+ 	if (retval != 0)
+ 	{
+ 		if (errbuf)

meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre3.patch

@@ -0,0 +1,67 @@
+From c1ceab8f191031a81996035af20685e6f9b7f1b7 Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Sun, 31 Jul 2022 11:54:22 -0700
+Subject: [PATCH] rpcap: try to distringuish between host and port errors.
+
+getaddrinfo() won't do it for us, so do it ourselves.
+
+(cherry picked from commit a83992a1bec91661b2f0e1a6fc910343793a97f1)
+
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/c1ceab8f191031a81996035af20685e6f9b7f1b7]
+CVE: CVE-2023-7256 #Dependency Patch3
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ sockutils.c | 40 ++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 38 insertions(+), 2 deletions(-)
+
+diff --git a/sockutils.c b/sockutils.c
+index ca5b683720..84024ac67d 100644
+--- a/sockutils.c
++++ b/sockutils.c
+@@ -734,8 +734,44 @@ int sock_initaddress(const char *host, const char *port,
+ 	{
+ 		if (errbuf)
+ 		{
+-			get_gai_errstring(errbuf, errbuflen, "", retval,
+-			    host, port);
++			if (host != NULL && port != NULL) {
++				/*
++				 * Try with just a host, to distinguish
++				 * between "host is bad" and "port is
++				 * bad".
++				 */
++				int try_retval;
++
++				try_retval = getaddrinfo(host, NULL, hints,
++				    addrinfo);
++				if (try_retval == 0) {
++					/*
++					 * Worked with just the host,
++					 * so assume the problem is
++					 * with the port.
++					 *
++					 * Free up the addres info first.
++					 */
++					freeaddrinfo(*addrinfo);
++					get_gai_errstring(errbuf, errbuflen,
++					    "", retval, NULL, port);
++				} else {
++					/*
++					 * Didn't work with just the host,
++					 * so assume the problem is
++					 * with the host.
++					 */
++					get_gai_errstring(errbuf, errbuflen,
++					    "", retval, host, NULL);
++				}
++			} else {
++				/*
++				 * Either the host or port was null, so
++				 * there's nothing to determine.
++				 */
++				get_gai_errstring(errbuf, errbuflen, "",
++				    retval, host, port);
++			}
+ 		}
+ 		return -1;
+ 	}

meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre4.patch

@@ -0,0 +1,37 @@
+From 73da0d4d65ef0925772b7b7f82a5fbb3ff2c5e4f Mon Sep 17 00:00:00 2001
+From: Rose <83477269+AtariDreams@users.noreply.github.com>
+Date: Tue, 16 May 2023 12:37:11 -0400
+Subject: [PATCH] Remove unused variable retval in sock_present2network
+
+This quiets the compiler since it is not even returned anyway, and is a misleading variable name.
+
+(cherry picked from commit c7b90298984c46d820d3cee79a96d24870b5f200)
+
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/73da0d4d65ef0925772b7b7f82a5fbb3ff2c5e4f]
+CVE: CVE-2023-7256 #Dependency Patch4
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ sockutils.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/sockutils.c b/sockutils.c
+index 1c07f76fd1..6752f296af 100644
+--- a/sockutils.c
++++ b/sockutils.c
+@@ -2082,7 +2082,6 @@ int sock_getascii_addrport(const struct sockaddr_storage *sockaddr, char *addres
+  */
+ int sock_present2network(const char *address, struct sockaddr_storage *sockaddr, int addr_family, char *errbuf, int errbuflen)
+ {
+-	int retval;
+ 	struct addrinfo *addrinfo;
+ 	struct addrinfo hints;
+ 
+@@ -2090,7 +2089,7 @@ int sock_present2network(const char *address, struct sockaddr_storage *sockaddr,
+ 
+ 	hints.ai_family = addr_family;
+ 
+-	if ((retval = sock_initaddress(address, "22222" /* fake port */, &hints, &addrinfo, errbuf, errbuflen)) == -1)
++	if (sock_initaddress(address, "22222" /* fake port */, &hints, &addrinfo, errbuf, errbuflen) == -1)
+ 		return 0;
+ 
+ 	if (addrinfo->ai_family == PF_INET)

meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256.patch

@@ -0,0 +1,368 @@
+From 2aa69b04d8173b18a0e3492e0c8f2f7fabdf642d Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Thu, 28 Sep 2023 00:37:57 -0700
+Subject: [PATCH] Have sock_initaddress() return the list of addrinfo
+ structures or NULL.
+
+Its return address is currently 0 for success and -1 for failure, with a
+pointer to the first element of the list of struct addrinfos returned
+through a pointer on success; change it to return that pointer on
+success and NULL on failure.
+
+That way, we don't have to worry about what happens to the pointer
+pointeed to by the argument in question on failure; we know that we got
+NULL back if no struct addrinfos were found because getaddrinfo()
+failed.  Thus, we know that we have something to free iff
+sock_initaddress() returned a pointer to that something rather than
+returning NULL.
+
+This avoids a double-free in some cases.
+
+This is apparently CVE-2023-40400.
+
+(backported from commit 262e4f34979872d822ccedf9f318ed89c4d31c03)
+
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/2aa69b04d8173b18a0e3492e0c8f2f7fabdf642d]
+CVE: CVE-2023-7256
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pcap-rpcap.c    | 48 ++++++++++++++++++++--------------------
+ rpcapd/daemon.c |  8 +++++--
+ rpcapd/rpcapd.c |  8 +++++--
+ sockutils.c     | 58 ++++++++++++++++++++++++++++---------------------
+ sockutils.h     |  5 ++---
+ 5 files changed, 72 insertions(+), 55 deletions(-)
+
+diff --git a/pcap-rpcap.c b/pcap-rpcap.c
+index 91f8557..733077b 100644
+--- a/pcap-rpcap.c
++++ b/pcap-rpcap.c
+@@ -995,7 +995,6 @@ rpcap_remoteact_getsock(const char *host, int *error, char *errbuf)
+ {
+ 	struct activehosts *temp;			/* temp var needed to scan the host list chain */
+ 	struct addrinfo hints, *addrinfo, *ai_next;	/* temp var needed to translate between hostname to its address */
+-	int retval;
+ 
+ 	/* retrieve the network address corresponding to 'host' */
+ 	addrinfo = NULL;
+@@ -1003,9 +1002,9 @@ rpcap_remoteact_getsock(const char *host, int *error, char *errbuf)
+ 	hints.ai_family = PF_UNSPEC;
+ 	hints.ai_socktype = SOCK_STREAM;
+ 
+-	retval = sock_initaddress(host, NULL, &hints, &addrinfo, errbuf,
++	addrinfo = sock_initaddress(host, NULL, &hints, errbuf,
+ 	    PCAP_ERRBUF_SIZE);
+-	if (retval != 0)
++	if (addrinfo == NULL)
+ 	{
+ 		*error = 1;
+ 		return NULL;
+@@ -1153,7 +1152,9 @@ static int pcap_startcapture_remote(pcap_t *fp)
+ 		hints.ai_flags = AI_PASSIVE;	/* Data connection is opened by the server toward the client */
+ 
+ 		/* Let's the server pick up a free network port for us */
+-		if (sock_initaddress(NULL, NULL, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
++		addrinfo = sock_initaddress(NULL, NULL, &hints, fp->errbuf,
++		    PCAP_ERRBUF_SIZE);
++		if (addrinfo == NULL)
+ 			goto error_nodiscard;
+ 
+ 		if ((sockdata = sock_open(addrinfo, SOCKOPEN_SERVER,
+@@ -1277,7 +1278,9 @@ static int pcap_startcapture_remote(pcap_t *fp)
+ 			snprintf(portstring, PCAP_BUF_SIZE, "%d", ntohs(startcapreply.portdata));
+ 
+ 			/* Let's the server pick up a free network port for us */
+-			if (sock_initaddress(host, portstring, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
++			addrinfo = sock_initaddress(host, portstring, &hints,
++			    fp->errbuf, PCAP_ERRBUF_SIZE);
++			if (addrinfo == NULL)
+ 				goto error;
+ 
+ 			if ((sockdata = sock_open(addrinfo, SOCKOPEN_CLIENT, 0, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+@@ -2220,16 +2223,16 @@ rpcap_setup_session(const char *source, struct pcap_rmtauth *auth,
+ 		if (port[0] == 0)
+ 		{
+ 			/* the user chose not to specify the port */
+-			if (sock_initaddress(host, RPCAP_DEFAULT_NETPORT,
+-			    &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
+-				return -1;
++			addrinfo = sock_initaddress(host, RPCAP_DEFAULT_NETPORT,
++			    &hints, errbuf, PCAP_ERRBUF_SIZE);
+ 		}
+ 		else
+ 		{
+-			if (sock_initaddress(host, port, &hints, &addrinfo,
+-			    errbuf, PCAP_ERRBUF_SIZE) == -1)
+-				return -1;
++			addrinfo = sock_initaddress(host, port, &hints,
++			    errbuf, PCAP_ERRBUF_SIZE);
+ 		}
++		if (addrinfo == NULL)
++			return -1;
+ 
+ 		if ((*sockctrlp = sock_open(addrinfo, SOCKOPEN_CLIENT, 0,
+ 		    errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+@@ -2825,19 +2828,19 @@ SOCKET pcap_remoteact_accept_ex(const char *address, const char *port, const cha
+ 	/* Do the work */
+ 	if ((port == NULL) || (port[0] == 0))
+ 	{
+-		if (sock_initaddress(address, RPCAP_DEFAULT_NETPORT_ACTIVE, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
+-		{
+-			return (SOCKET)-2;
+-		}
++		addrinfo = sock_initaddress(address,
++		    RPCAP_DEFAULT_NETPORT_ACTIVE, &hints, errbuf,
++		    PCAP_ERRBUF_SIZE);
+ 	}
+ 	else
+ 	{
+-		if (sock_initaddress(address, port, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
+-		{
+-			return (SOCKET)-2;
+-		}
++		addrinfo = sock_initaddress(address, port, &hints, errbuf,
++		    PCAP_ERRBUF_SIZE);
++	}
++	if (addrinfo == NULL)
++	{
++		return (SOCKET)-2;
+ 	}
+-
+ 
+ 	if ((sockmain = sock_open(addrinfo, SOCKOPEN_SERVER, 1, errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+ 	{
+@@ -2994,7 +2997,6 @@ int pcap_remoteact_close(const char *host, char *errbuf)
+ {
+ 	struct activehosts *temp, *prev;	/* temp var needed to scan the host list chain */
+ 	struct addrinfo hints, *addrinfo, *ai_next;	/* temp var needed to translate between hostname to its address */
+-	int retval;
+ 
+ 	temp = activeHosts;
+ 	prev = NULL;
+@@ -3005,9 +3007,9 @@ int pcap_remoteact_close(const char *host, char *errbuf)
+ 	hints.ai_family = PF_UNSPEC;
+ 	hints.ai_socktype = SOCK_STREAM;
+ 
+-	retval = sock_initaddress(host, NULL, &hints, &addrinfo, errbuf,
++	addrinfo = sock_initaddress(host, NULL, &hints, errbuf,
+ 	    PCAP_ERRBUF_SIZE);
+-	if (retval != 0)
++	if (addrinfo == NULL)
+ 	{
+ 		return -1;
+ 	}
+diff --git a/rpcapd/daemon.c b/rpcapd/daemon.c
+index 8f50899..925d381 100644
+--- a/rpcapd/daemon.c
++++ b/rpcapd/daemon.c
+@@ -2065,7 +2065,9 @@ daemon_msg_startcap_req(uint8 ver, struct daemon_slpars *pars, uint32 plen,
+ 			goto error;
+ 		}
+ 
+-		if (sock_initaddress(peerhost, portdata, &hints, &addrinfo, errmsgbuf, PCAP_ERRBUF_SIZE) == -1)
++		addrinfo = sock_initaddress(peerhost, portdata, &hints,
++		    errmsgbuf, PCAP_ERRBUF_SIZE);
++		if (addrinfo == NULL)
+ 			goto error;
+ 
+ 		if ((session->sockdata = sock_open(addrinfo, SOCKOPEN_CLIENT, 0, errmsgbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+@@ -2076,7 +2078,9 @@ daemon_msg_startcap_req(uint8 ver, struct daemon_slpars *pars, uint32 plen,
+ 		hints.ai_flags = AI_PASSIVE;
+ 
+ 		// Make the server socket pick up a free network port for us
+-		if (sock_initaddress(NULL, NULL, &hints, &addrinfo, errmsgbuf, PCAP_ERRBUF_SIZE) == -1)
++		addrinfo = sock_initaddress(NULL, NULL, &hints, errmsgbuf,
++		    PCAP_ERRBUF_SIZE);
++		if (addrinfo == NULL)
+ 			goto error;
+ 
+ 		if ((session->sockdata = sock_open(addrinfo, SOCKOPEN_SERVER, 1 /* max 1 connection in queue */, errmsgbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+diff --git a/rpcapd/rpcapd.c b/rpcapd/rpcapd.c
+index b91a401..74c138b 100644
+--- a/rpcapd/rpcapd.c
++++ b/rpcapd/rpcapd.c
+@@ -610,7 +610,9 @@ void main_startup(void)
+ 		//
+ 		// Get a list of sockets on which to listen.
+ 		//
+-		if (sock_initaddress((address[0]) ? address : NULL, port, &mainhints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
++		addrinfo = sock_initaddress((address[0]) ? address : NULL,
++		    port, &mainhints, errbuf, PCAP_ERRBUF_SIZE);
++		if (addrinfo == NULL)
+ 		{
+ 			rpcapd_log(LOGPRIO_DEBUG, "%s", errbuf);
+ 			return;
+@@ -1347,7 +1349,9 @@ main_active(void *ptr)
+ 	memset(errbuf, 0, sizeof(errbuf));
+ 
+ 	// Do the work
+-	if (sock_initaddress(activepars->address, activepars->port, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
++	addrinfo = sock_initaddress(activepars->address, activepars->port,
++	    &hints, errbuf, PCAP_ERRBUF_SIZE);
++	if (addrinfo == NULL)
+ 	{
+ 		rpcapd_log(LOGPRIO_DEBUG, "%s", errbuf);
+ 		return 0;
+diff --git a/sockutils.c b/sockutils.c
+index 0b0bcee..4d02d96 100644
+--- a/sockutils.c
++++ b/sockutils.c
+@@ -704,20 +704,21 @@ get_gai_errstring(char *errbuf, int errbuflen, const char *prefix, int err,
+  * \param errbuflen: length of the buffer that will contains the error. The error message cannot be
+  * larger than 'errbuflen - 1' because the last char is reserved for the string terminator.
+  *
+- * \return '0' if everything is fine, '-1' if some errors occurred. The error message is returned
+- * in the 'errbuf' variable. The addrinfo variable that has to be used in the following sockets calls is
+- * returned into the addrinfo parameter.
++ * \return a pointer to the first element in a list of addrinfo structures
++ * if everything is fine, NULL if some errors occurred. The error message
++ * is returned in the 'errbuf' variable.
+  *
+- * \warning The 'addrinfo' variable has to be deleted by the programmer by calling freeaddrinfo() when
+- * it is no longer needed.
++ * \warning The list of addrinfo structures returned has to be deleted by
++ * the programmer by calling freeaddrinfo() when it is no longer needed.
+  *
+  * \warning This function requires the 'hints' variable as parameter. The semantic of this variable is the same
+  * of the one of the corresponding variable used into the standard getaddrinfo() socket function. We suggest
+  * the programmer to look at that function in order to set the 'hints' variable appropriately.
+  */
+-int sock_initaddress(const char *host, const char *port,
+-    struct addrinfo *hints, struct addrinfo **addrinfo, char *errbuf, int errbuflen)
++struct addrinfo *sock_initaddress(const char *host, const char *port,
++    struct addrinfo *hints, char *errbuf, int errbuflen)
+ {
++	struct addrinfo *addrinfo;
+ 	int retval;
+ 
+ 	/*
+@@ -729,9 +730,13 @@ int sock_initaddress(const char *host, const char *port,
+ 	 * as those messages won't talk about a problem with the port if
+ 	 * no port was specified.
+ 	 */
+-	retval = getaddrinfo(host, port == NULL ? "0" : port, hints, addrinfo);
++	retval = getaddrinfo(host, port == NULL ? "0" : port, hints, &addrinfo);
+ 	if (retval != 0)
+ 	{
++		/*
++		 * That call failed.
++		 * Determine whether the problem is that the host is bad.
++		 */
+ 		if (errbuf)
+ 		{
+ 			if (host != NULL && port != NULL) {
+@@ -743,7 +748,7 @@ int sock_initaddress(const char *host, const char *port,
+ 				int try_retval;
+ 
+ 				try_retval = getaddrinfo(host, NULL, hints,
+-				    addrinfo);
++				    &addrinfo);
+ 				if (try_retval == 0) {
+ 					/*
+ 					 * Worked with just the host,
+@@ -752,14 +757,16 @@ int sock_initaddress(const char *host, const char *port,
+ 					 *
+ 					 * Free up the addres info first.
+ 					 */
+-					freeaddrinfo(*addrinfo);
++					freeaddrinfo(addrinfo);
+ 					get_gai_errstring(errbuf, errbuflen,
+ 					    "", retval, NULL, port);
+ 				} else {
+ 					/*
+ 					 * Didn't work with just the host,
+ 					 * so assume the problem is
+-					 * with the host.
++					 * with the host; we assume
++					 * the original error indicates
++					 * the underlying problem.
+ 					 */
+ 					get_gai_errstring(errbuf, errbuflen,
+ 					    "", retval, host, NULL);
+@@ -767,13 +774,14 @@ int sock_initaddress(const char *host, const char *port,
+ 			} else {
+ 				/*
+ 				 * Either the host or port was null, so
+-				 * there's nothing to determine.
++				 * there's nothing to determine; report
++				 * the error from the original call.
+ 				 */
+ 				get_gai_errstring(errbuf, errbuflen, "",
+ 				    retval, host, port);
+ 			}
+ 		}
+-		return -1;
++		return NULL;
+ 	}
+ 	/*
+ 	 * \warning SOCKET: I should check all the accept() in order to bind to all addresses in case
+@@ -788,30 +796,28 @@ int sock_initaddress(const char *host, const char *port,
+ 	 * ignore all addresses that are neither?  (What, no IPX
+ 	 * support? :-))
+ 	 */
+-	if (((*addrinfo)->ai_family != PF_INET) &&
+-	    ((*addrinfo)->ai_family != PF_INET6))
++	if ((addrinfo->ai_family != PF_INET) &&
++	    (addrinfo->ai_family != PF_INET6))
+ 	{
+ 		if (errbuf)
+ 			snprintf(errbuf, errbuflen, "getaddrinfo(): socket type not supported");
+-		freeaddrinfo(*addrinfo);
+-		*addrinfo = NULL;
+-		return -1;
++		freeaddrinfo(addrinfo);
++		return NULL;
+ 	}
+ 
+ 	/*
+ 	 * You can't do multicast (or broadcast) TCP.
+ 	 */
+-	if (((*addrinfo)->ai_socktype == SOCK_STREAM) &&
+-	    (sock_ismcastaddr((*addrinfo)->ai_addr) == 0))
++	if ((addrinfo->ai_socktype == SOCK_STREAM) &&
++	    (sock_ismcastaddr(addrinfo->ai_addr) == 0))
+ 	{
+ 		if (errbuf)
+ 			snprintf(errbuf, errbuflen, "getaddrinfo(): multicast addresses are not valid when using TCP streams");
+-		freeaddrinfo(*addrinfo);
+-		*addrinfo = NULL;
+-		return -1;
++		freeaddrinfo(addrinfo);
++		return NULL;
+ 	}
+ 
+-	return 0;
++	return addrinfo;
+ }
+ 
+ /*
+@@ -1720,7 +1726,9 @@ int sock_present2network(const char *address, struct sockaddr_storage *sockaddr,
+ 
+ 	hints.ai_family = addr_family;
+ 
+-	if (sock_initaddress(address, "22222" /* fake port */, &hints, &addrinfo, errbuf, errbuflen) == -1)
++	addrinfo = sock_initaddress(address, "22222" /* fake port */, &hints,
++	    errbuf, errbuflen);
++	if (addrinfo == NULL)
+ 		return 0;
+ 
+ 	if (addrinfo->ai_family == PF_INET)
+diff --git a/sockutils.h b/sockutils.h
+index e748662..ede86a1 100644
+--- a/sockutils.h
++++ b/sockutils.h
+@@ -129,9 +129,8 @@ int sock_init(char *errbuf, int errbuflen);
+ void sock_cleanup(void);
+ void sock_fmterror(const char *caller, int errcode, char *errbuf, int errbuflen);
+ void sock_geterror(const char *caller, char *errbuf, int errbufsize);
+-int sock_initaddress(const char *address, const char *port,
+-    struct addrinfo *hints, struct addrinfo **addrinfo,
+-    char *errbuf, int errbuflen);
++struct addrinfo *sock_initaddress(const char *address, const char *port,
++    struct addrinfo *hints, char *errbuf, int errbuflen);
+ int sock_recv(SOCKET sock, SSL *, void *buffer, size_t size, int receiveall,
+     char *errbuf, int errbuflen);
+ int sock_recv_dgram(SOCKET sock, SSL *, void *buffer, size_t size,
+-- 
+2.25.1
+

meta/recipes-connectivity/libpcap/libpcap/CVE-2024-8006.patch

@@ -0,0 +1,42 @@
+From 8a633ee5b9ecd9d38a587ac9b204e2380713b0d6 Mon Sep 17 00:00:00 2001
+From: Nicolas Badoux <n.badoux@hotmail.com>
+Date: Mon, 19 Aug 2024 12:31:53 +0200
+Subject: [PATCH] makes pcap_findalldevs_ex errors out if the directory does
+ not exist
+
+(backported from commit 0f8a103469ce87d2b8d68c5130a46ddb7fb5eb29)
+
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/8a633ee5b9ecd9d38a587ac9b204e2380713b0d6]
+CVE: CVE-2024-8006
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pcap-new.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/pcap-new.c b/pcap-new.c
+index 7c00659..ac88065 100644
+--- a/pcap-new.c
++++ b/pcap-new.c
+@@ -231,13 +231,18 @@ int pcap_findalldevs_ex(const char *source, struct pcap_rmtauth *auth, pcap_if_t
+ #else
+ 		/* opening the folder */
+ 		unixdir= opendir(path);
++		if (unixdir == NULL) {
++			snprintf(errbuf, PCAP_ERRBUF_SIZE,
++			    "Error when listing files: does folder '%s' exist?", path);
++			return -1;
++		}
+ 
+ 		/* get the first file into it */
+ 		filedata= readdir(unixdir);
+ 
+ 		if (filedata == NULL)
+ 		{
+-			snprintf(errbuf, PCAP_ERRBUF_SIZE, "Error when listing files: does folder '%s' exist?", path);
++			snprintf(errbuf, PCAP_ERRBUF_SIZE, "Error when listing files: does folder '%s' contain files?", path);
+ 			return -1;
+ 		}
+ #endif
+-- 
+2.25.1
+

meta/recipes-connectivity/libpcap/libpcap_1.10.1.bb

@@ -10,7 +10,15 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5eb289217c160e2920d2e35bddc36453 \
                     file://pcap.h;beginline=1;endline=32;md5=39af3510e011f34b8872f120b1dc31d2"
 DEPENDS = "flex-native bison-native"
 
-SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz"
+SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz \
+           file://CVE-2023-7256-pre1.patch \
+           file://CVE-2023-7256-pre2.patch \
+           file://CVE-2023-7256-pre3.patch \
+           file://CVE-2023-7256-pre4.patch \
+           file://CVE-2023-7256.patch \
+           file://CVE-2024-8006.patch \
+          "
+
 SRC_URI[sha256sum] = "ed285f4accaf05344f90975757b3dbfe772ba41d1c401c2648b7fa45b711bdd4"
 
 inherit autotools binconfig-disabled pkgconfig

meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch

@@ -1,115 +0,0 @@
-From e6190fc977f086428cc7880f95e8bcd5a11ac193 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:14:33 +0100
-Subject: [PATCH 1/9] Fix SSL_select_next_proto
-
-Ensure that the provided client list is non-NULL and starts with a valid
-entry. When called from the ALPN callback the client list should already
-have been validated by OpenSSL so this should not cause a problem. When
-called from the NPN callback the client list is locally configured and
-will not have already been validated. Therefore SSL_select_next_proto
-should not assume that it is correctly formatted.
-
-We implement stricter checking of the client protocol list. We also do the
-same for the server list while we are about it.
-
-CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
-
-(cherry picked from commit 4ada436a1946cbb24db5ab4ca082b69c1bc10f37)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
- 1 file changed, 40 insertions(+), 23 deletions(-)
-
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index cb4e006..e628140 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -2952,37 +2952,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
-                           unsigned int server_len,
-                           const unsigned char *client, unsigned int client_len)
- {
--    unsigned int i, j;
--    const unsigned char *result;
--    int status = OPENSSL_NPN_UNSUPPORTED;
-+    PACKET cpkt, csubpkt, spkt, ssubpkt;
-+
-+    if (!PACKET_buf_init(&cpkt, client, client_len)
-+            || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
-+            || PACKET_remaining(&csubpkt) == 0) {
-+        *out = NULL;
-+        *outlen = 0;
-+        return OPENSSL_NPN_NO_OVERLAP;
-+    }
-+
-+    /*
-+     * Set the default opportunistic protocol. Will be overwritten if we find
-+     * a match.
-+     */
-+    *out = (unsigned char *)PACKET_data(&csubpkt);
-+    *outlen = (unsigned char)PACKET_remaining(&csubpkt);
- 
-     /*
-      * For each protocol in server preference order, see if we support it.
-      */
--    for (i = 0; i < server_len;) {
--        for (j = 0; j < client_len;) {
--            if (server[i] == client[j] &&
--                memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
--                /* We found a match */
--                result = &server[i];
--                status = OPENSSL_NPN_NEGOTIATED;
--                goto found;
-+    if (PACKET_buf_init(&spkt, server, server_len)) {
-+        while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
-+            if (PACKET_remaining(&ssubpkt) == 0)
-+                continue; /* Invalid - ignore it */
-+            if (PACKET_buf_init(&cpkt, client, client_len)) {
-+                while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
-+                    if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
-+                                     PACKET_remaining(&ssubpkt))) {
-+                        /* We found a match */
-+                        *out = (unsigned char *)PACKET_data(&ssubpkt);
-+                        *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
-+                        return OPENSSL_NPN_NEGOTIATED;
-+                    }
-+                }
-+                /* Ignore spurious trailing bytes in the client list */
-+            } else {
-+                /* This should never happen */
-+                return OPENSSL_NPN_NO_OVERLAP;
-             }
--            j += client[j];
--            j++;
-         }
--        i += server[i];
--        i++;
-+        /* Ignore spurious trailing bytes in the server list */
-     }
- 
--    /* There's no overlap between our protocols and the server's list. */
--    result = client;
--    status = OPENSSL_NPN_NO_OVERLAP;
--
-- found:
--    *out = (unsigned char *)result + 1;
--    *outlen = result[0];
--    return status;
-+    /*
-+     * There's no overlap between our protocols and the server's list. We use
-+     * the default opportunistic protocol selected earlier
-+     */
-+    return OPENSSL_NPN_NO_OVERLAP;
- }
- 
- #ifndef OPENSSL_NO_NEXTPROTONEG
--- 
-2.25.1
-

meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch

@@ -1,44 +0,0 @@
-From 4a96c6b7265838b044dab4a2a6150c246297bc89 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:18:27 +0100
-Subject: [PATCH 2/9] More correctly handle a selected_len of 0 when processing
- NPN
-
-In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
-the selected_len is 0 we should fail. Previously this would fail with an
-internal_error alert because calling OPENSSL_malloc(selected_len) will
-return NULL when selected_len is 0. We make this error detection more
-explicit and return a handshake failure alert.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
-
-(cherry picked from commit 4279c89a726025c758db3dafb263b17e52211304)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/159921152fd4aa91e4c849fd281ad93ac0d0d0ba]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- ssl/statem/extensions_clnt.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
-index 842be07..a07dc62 100644
---- a/ssl/statem/extensions_clnt.c
-+++ b/ssl/statem/extensions_clnt.c
-@@ -1536,7 +1536,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
-                                   PACKET_data(pkt),
-                                   PACKET_remaining(pkt),
-                                   s->ctx->ext.npn_select_cb_arg) !=
--             SSL_TLSEXT_ERR_OK) {
-+                                  SSL_TLSEXT_ERR_OK
-+            || selected_len == 0) {
-         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
-         return 0;
-     }
--- 
-2.25.1
-

meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch

@@ -1,84 +0,0 @@
-From 6887608f77236d14b0789f4b1c14df53dfe2d618 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:46:38 +0100
-Subject: [PATCH 3/9] Clarify the SSL_select_next_proto() documentation
-
-We clarify the input preconditions and the expected behaviour in the event
-of no overlap.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
-
-(cherry picked from commit 889ed19ba25abebd2690997acd6d4791cbe5c493)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/7a9f521b1de96e79184948e5813e791e608cc94b]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++--------
- 1 file changed, 18 insertions(+), 8 deletions(-)
-
-diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-index 102e657..a29557d 100644
---- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
- SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
- set the list of protocols available to be negotiated. The B<protos> must be in
- protocol-list format, described below. The length of B<protos> is specified in
--B<protos_len>.
-+B<protos_len>. Setting B<protos_len> to 0 clears any existing list of ALPN
-+protocols and no ALPN extension will be sent to the server.
- 
- SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
- server to select which protocol to use for the incoming connection. When B<cb>
-@@ -73,9 +74,16 @@ B<server_len> and B<client>, B<client_len> must be in the protocol-list format
- described below. The first item in the B<server>, B<server_len> list that
- matches an item in the B<client>, B<client_len> list is selected, and returned
- in B<out>, B<outlen>. The B<out> value will point into either B<server> or
--B<client>, so it should be copied immediately. If no match is found, the first
--item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
--function can also be used in the NPN callback.
-+B<client>, so it should be copied immediately. The client list must include at
-+least one valid (nonempty) protocol entry in the list.
-+
-+The SSL_select_next_proto() helper function can be useful from either the ALPN
-+callback or the NPN callback (described below). If no match is found, the first
-+item in B<client>, B<client_len> is returned in B<out>, B<outlen> and
-+B<OPENSSL_NPN_NO_OVERLAP> is returned. This can be useful when implementating
-+the NPN callback. In the ALPN case, the value returned in B<out> and B<outlen>
-+must be ignored if B<OPENSSL_NPN_NO_OVERLAP> has been returned from
-+SSL_select_next_proto().
- 
- SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
- client needs to select a protocol from the server's provided list, and a
-@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B<in>).
- The length of the protocol name must be written into B<outlen>. The
- server's advertised protocols are provided in B<in> and B<inlen>. The
- callback can assume that B<in> is syntactically valid. The client must
--select a protocol. It is fatal to the connection if this callback returns
--a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
--set via SSL_CTX_set_next_proto_select_cb().
-+select a protocol (although it may be an empty, zero length protocol). It is
-+fatal to the connection if this callback returns a value other than
-+B<SSL_TLSEXT_ERR_OK> or if the zero length protocol is selected. The B<arg>
-+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
- 
- SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
- when a TLS server needs a list of supported protocols for Next Protocol
-@@ -149,7 +158,8 @@ A match was found and is returned in B<out>, B<outlen>.
- =item OPENSSL_NPN_NO_OVERLAP
- 
- No match was found. The first item in B<client>, B<client_len> is returned in
--B<out>, B<outlen>.
-+B<out>, B<outlen> (or B<NULL> and 0 in the case where the first entry in
-+B<client> is invalid).
- 
- =back
- 
--- 
-2.25.1
-

meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch

@@ -1,178 +0,0 @@
-From 6f9e71968f1f5e089bf79b0925e703a16f7bfa19 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 16:35:16 +0100
-Subject: [PATCH 4/9] Add a test for SSL_select_next_proto
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
-
-(cherry picked from commit ad1318efa2cfdf43ed49d23c4a815f4754604b97)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/707c71aa03ba968e09325d72cf1e8dcac70df2df]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- test/sslapitest.c | 137 ++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 137 insertions(+)
-
-diff --git a/test/sslapitest.c b/test/sslapitest.c
-index 2b1c2fd..3922262 100644
---- a/test/sslapitest.c
-+++ b/test/sslapitest.c
-@@ -10765,6 +10765,142 @@ static int test_multi_resume(int idx)
-     return testresult;
- }
- 
-+static struct next_proto_st {
-+    int serverlen;
-+    unsigned char server[40];
-+    int clientlen;
-+    unsigned char client[40];
-+    int expected_ret;
-+    size_t selectedlen;
-+    unsigned char selected[40];
-+} next_proto_tests[] = {
-+    {
-+        4, { 3, 'a', 'b', 'c' },
-+        4, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NEGOTIATED,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
-+        4, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NEGOTIATED,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
-+        4, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NEGOTIATED,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        4, { 3, 'a', 'b', 'c' },
-+        7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
-+        OPENSSL_NPN_NEGOTIATED,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        4, { 3, 'a', 'b', 'c' },
-+        7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
-+        OPENSSL_NPN_NEGOTIATED,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
-+        7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
-+        OPENSSL_NPN_NEGOTIATED,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
-+        7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
-+        OPENSSL_NPN_NEGOTIATED,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        4, { 3, 'b', 'c', 'd' },
-+        4, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NO_OVERLAP,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        0, { 0 },
-+        4, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NO_OVERLAP,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        -1, { 0 },
-+        4, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NO_OVERLAP,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        4, { 3, 'a', 'b', 'c' },
-+        0, { 0 },
-+        OPENSSL_NPN_NO_OVERLAP,
-+        0, { 0 }
-+    },
-+    {
-+        4, { 3, 'a', 'b', 'c' },
-+        -1, { 0 },
-+        OPENSSL_NPN_NO_OVERLAP,
-+        0, { 0 }
-+    },
-+    {
-+        3, { 3, 'a', 'b', 'c' },
-+        4, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NO_OVERLAP,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        4, { 3, 'a', 'b', 'c' },
-+        3, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NO_OVERLAP,
-+        0, { 0 }
-+    }
-+};
-+
-+static int test_select_next_proto(int idx)
-+{
-+    struct next_proto_st *np = &next_proto_tests[idx];
-+    int ret = 0;
-+    unsigned char *out, *client, *server;
-+    unsigned char outlen;
-+    unsigned int clientlen, serverlen;
-+
-+    if (np->clientlen == -1) {
-+        client = NULL;
-+        clientlen = 0;
-+    } else {
-+        client = np->client;
-+        clientlen = (unsigned int)np->clientlen;
-+    }
-+    if (np->serverlen == -1) {
-+        server = NULL;
-+        serverlen = 0;
-+    } else {
-+        server = np->server;
-+        serverlen = (unsigned int)np->serverlen;
-+    }
-+
-+    if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
-+                                           client, clientlen),
-+                     np->expected_ret))
-+        goto err;
-+
-+    if (np->selectedlen == 0) {
-+        if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
-+            goto err;
-+    } else {
-+        if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
-+            goto err;
-+    }
-+
-+    ret = 1;
-+ err:
-+    return ret;
-+}
-+
- OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
- 
- int setup_tests(void)
-@@ -11041,6 +11177,7 @@ int setup_tests(void)
- #endif
-     ADD_ALL_TESTS(test_handshake_retry, 16);
-     ADD_ALL_TESTS(test_multi_resume, 5);
-+    ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
-     return 1;
- 
-  err:
--- 
-2.25.1
-

meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch

@@ -1,45 +0,0 @@
-From a8c0ee154d212284f82680275de63642d914365e Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 21 Jun 2024 10:41:55 +0100
-Subject: [PATCH 6/9] Correct return values for
- tls_construct_stoc_next_proto_neg
-
-Return EXT_RETURN_NOT_SENT in the event that we don't send the extension,
-rather than EXT_RETURN_SENT. This actually makes no difference at all to
-the current control flow since this return value is ignored in this case
-anyway. But lets make it correct anyway.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
-
-(cherry picked from commit 087501b4f572825e27ca8cc2c5874fcf6fd47cf7)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/189a7ed3e380e34ea38fe4190a7c9396bace0fb7]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- ssl/statem/extensions_srvr.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
-index 1fab5a3..51ea74b 100644
---- a/ssl/statem/extensions_srvr.c
-+++ b/ssl/statem/extensions_srvr.c
-@@ -1471,9 +1471,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
-             return EXT_RETURN_FAIL;
-         }
-         s->s3.npn_seen = 1;
-+        return EXT_RETURN_SENT;
-     }
- 
--    return EXT_RETURN_SENT;
-+    return EXT_RETURN_NOT_SENT;
- }
- #endif
- 
--- 
-2.25.1
-

meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch

@@ -1,68 +0,0 @@
-From fa5cc5eb58a4c9632929397fc9a6c291fff1b99d Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 21 Jun 2024 11:51:54 +0100
-Subject: [PATCH 7/9] Add ALPN validation in the client
-
-The ALPN protocol selected by the server must be one that we originally
-advertised. We should verify that it is.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
-
-(cherry picked from commit 017e54183b95617825fb9316d618c154a34c634e)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/4b375b998798dd516d367036773073e1b88e6433]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
-index a07dc62..b21ccf9 100644
---- a/ssl/statem/extensions_clnt.c
-+++ b/ssl/statem/extensions_clnt.c
-@@ -1566,6 +1566,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
-                         size_t chainidx)
- {
-     size_t len;
-+    PACKET confpkt, protpkt;
-+    int valid = 0;
- 
-     /* We must have requested it. */
-     if (!s->s3.alpn_sent) {
-@@ -1584,6 +1586,28 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
-         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
-         return 0;
-     }
-+
-+    /* It must be a protocol that we sent */
-+    if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
-+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
-+        return 0;
-+    }
-+    while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
-+        if (PACKET_remaining(&protpkt) != len)
-+            continue;
-+        if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
-+            /* Valid protocol found */
-+            valid = 1;
-+            break;
-+        }
-+    }
-+
-+    if (!valid) {
-+        /* The protocol sent from the server does not match one we advertised */
-+        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
-+        return 0;
-+    }
-+
-     OPENSSL_free(s->s3.alpn_selected);
-     s->s3.alpn_selected = OPENSSL_malloc(len);
-     if (s->s3.alpn_selected == NULL) {
--- 
-2.25.1
-

meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch

@@ -1,273 +0,0 @@
-From b898db2b91751a52d2af699e674a80a6b218084d Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 21 Jun 2024 10:09:41 +0100
-Subject: [PATCH 8/9] Add explicit testing of ALN and NPN in sslapitest
-
-We already had some tests elsewhere - but this extends that testing with
-additional tests.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
-
-(cherry picked from commit 0453bf5a7ac60ab01c8bb713d8cc2a94324aa88c)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/ca176d7291eb780e4ed2781342f5be5a32210a68]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- test/sslapitest.c | 229 ++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 229 insertions(+)
-
-diff --git a/test/sslapitest.c b/test/sslapitest.c
-index 3922262..171298b 100644
---- a/test/sslapitest.c
-+++ b/test/sslapitest.c
-@@ -10901,6 +10901,231 @@ static int test_select_next_proto(int idx)
-     return ret;
- }
- 
-+static const unsigned char fooprot[] = {3, 'f', 'o', 'o' };
-+static const unsigned char barprot[] = {3, 'b', 'a', 'r' };
-+
-+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
-+static int npn_advert_cb(SSL *ssl, const unsigned char **out,
-+                         unsigned int *outlen, void *arg)
-+{
-+    int *idx = (int *)arg;
-+
-+    switch (*idx) {
-+    default:
-+    case 0:
-+        *out = fooprot;
-+        *outlen = sizeof(fooprot);
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    case 1:
-+        *outlen = 0;
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    case 2:
-+        return SSL_TLSEXT_ERR_NOACK;
-+    }
-+}
-+
-+static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
-+                         const unsigned char *in, unsigned int inlen, void *arg)
-+{
-+    int *idx = (int *)arg;
-+
-+    switch (*idx) {
-+    case 0:
-+    case 1:
-+        *out = (unsigned char *)(fooprot + 1);
-+        *outlen = *fooprot;
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    case 3:
-+        *out = (unsigned char *)(barprot + 1);
-+        *outlen = *barprot;
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    case 4:
-+        *outlen = 0;
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    default:
-+    case 2:
-+        return SSL_TLSEXT_ERR_ALERT_FATAL;
-+    }
-+}
-+
-+/*
-+ * Test the NPN callbacks
-+ * Test 0: advert = foo, select = foo
-+ * Test 1: advert = <empty>, select = foo
-+ * Test 2: no advert
-+ * Test 3: advert = foo, select = bar
-+ * Test 4: advert = foo, select = <empty> (should fail)
-+ */
-+static int test_npn(int idx)
-+{
-+    SSL_CTX *sctx = NULL, *cctx = NULL;
-+    SSL *serverssl = NULL, *clientssl = NULL;
-+    int testresult = 0;
-+
-+    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
-+                                       TLS_client_method(), 0, TLS1_2_VERSION,
-+                                       &sctx, &cctx, cert, privkey)))
-+        goto end;
-+
-+    SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
-+    SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);
-+
-+    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
-+                                      NULL)))
-+        goto end;
-+
-+    if (idx == 4) {
-+        /* We don't allow empty selection of NPN, so this should fail */
-+        if (!TEST_false(create_ssl_connection(serverssl, clientssl,
-+                                              SSL_ERROR_NONE)))
-+            goto end;
-+    } else {
-+        const unsigned char *prot;
-+        unsigned int protlen;
-+
-+        if (!TEST_true(create_ssl_connection(serverssl, clientssl,
-+                                             SSL_ERROR_NONE)))
-+            goto end;
-+
-+        SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
-+        switch (idx) {
-+        case 0:
-+        case 1:
-+            if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
-+                goto end;
-+            break;
-+        case 2:
-+            if (!TEST_uint_eq(protlen, 0))
-+                goto end;
-+            break;
-+        case 3:
-+            if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
-+                goto end;
-+            break;
-+        default:
-+            TEST_error("Should not get here");
-+            goto end;
-+        }
-+    }
-+
-+    testresult = 1;
-+ end:
-+    SSL_free(serverssl);
-+    SSL_free(clientssl);
-+    SSL_CTX_free(sctx);
-+    SSL_CTX_free(cctx);
-+
-+    return testresult;
-+}
-+#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
-+
-+static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
-+                           unsigned char *outlen, const unsigned char *in,
-+                           unsigned int inlen, void *arg)
-+{
-+    int *idx = (int *)arg;
-+
-+    switch (*idx) {
-+    case 0:
-+        *out = (unsigned char *)(fooprot + 1);
-+        *outlen = *fooprot;
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    case 2:
-+        *out = (unsigned char *)(barprot + 1);
-+        *outlen = *barprot;
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    case 3:
-+        *outlen = 0;
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    default:
-+    case 1:
-+        return SSL_TLSEXT_ERR_ALERT_FATAL;
-+    }
-+    return 0;
-+}
-+
-+/*
-+ * Test the ALPN callbacks
-+ * Test 0: client = foo, select = foo
-+ * Test 1: client = <empty>, select = none
-+ * Test 2: client = foo, select = bar (should fail)
-+ * Test 3: client = foo, select = <empty> (should fail)
-+ */
-+static int test_alpn(int idx)
-+{
-+    SSL_CTX *sctx = NULL, *cctx = NULL;
-+    SSL *serverssl = NULL, *clientssl = NULL;
-+    int testresult = 0;
-+    const unsigned char *prots = fooprot;
-+    unsigned int protslen = sizeof(fooprot);
-+
-+    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
-+                                       TLS_client_method(), 0, 0,
-+                                       &sctx, &cctx, cert, privkey)))
-+        goto end;
-+
-+    SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);
-+
-+    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
-+                                      NULL)))
-+        goto end;
-+
-+    if (idx == 1) {
-+        prots = NULL;
-+        protslen = 0;
-+    }
-+
-+    /* SSL_set_alpn_protos returns 0 for success! */
-+    if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
-+        goto end;
-+
-+    if (idx == 2 || idx == 3) {
-+        /* We don't allow empty selection of NPN, so this should fail */
-+        if (!TEST_false(create_ssl_connection(serverssl, clientssl,
-+                                              SSL_ERROR_NONE)))
-+            goto end;
-+    } else {
-+        const unsigned char *prot;
-+        unsigned int protlen;
-+
-+        if (!TEST_true(create_ssl_connection(serverssl, clientssl,
-+                                             SSL_ERROR_NONE)))
-+            goto end;
-+
-+        SSL_get0_alpn_selected(clientssl, &prot, &protlen);
-+        switch (idx) {
-+        case 0:
-+            if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
-+                goto end;
-+            break;
-+        case 1:
-+            if (!TEST_uint_eq(protlen, 0))
-+                goto end;
-+            break;
-+        default:
-+            TEST_error("Should not get here");
-+            goto end;
-+        }
-+    }
-+
-+    testresult = 1;
-+ end:
-+    SSL_free(serverssl);
-+    SSL_free(clientssl);
-+    SSL_CTX_free(sctx);
-+    SSL_CTX_free(cctx);
-+
-+    return testresult;
-+}
-+
- OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
- 
- int setup_tests(void)
-@@ -11178,6 +11403,10 @@ int setup_tests(void)
-     ADD_ALL_TESTS(test_handshake_retry, 16);
-     ADD_ALL_TESTS(test_multi_resume, 5);
-     ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
-+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
-+    ADD_ALL_TESTS(test_npn, 5);
-+#endif
-+    ADD_ALL_TESTS(test_alpn, 4);
-     return 1;
- 
-  err:
--- 
-2.25.1
-

meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch

@@ -1,205 +0,0 @@
-From 475480db0f9592f15f00a7cf692d3e04ad8e742f Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 21 Jun 2024 14:29:26 +0100
-Subject: [PATCH 9/9] Add a test for an empty NextProto message
-
-It is valid according to the spec for a NextProto message to have no
-protocols listed in it. The OpenSSL implementation however does not allow
-us to create such a message. In order to check that we work as expected
-when communicating with a client that does generate such messages we have
-to use a TLSProxy test.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
-
-(cherry picked from commit a201030901de9f9a48b34c38f6922fb0b272f26f)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/99c2b6b971c302595db1801e26a202247238659d]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- test/recipes/70-test_npn.t      | 73 +++++++++++++++++++++++++++++++++
- util/perl/TLSProxy/Message.pm   |  9 ++++
- util/perl/TLSProxy/NextProto.pm | 54 ++++++++++++++++++++++++
- util/perl/TLSProxy/Proxy.pm     |  1 +
- 4 files changed, 137 insertions(+)
- create mode 100644 test/recipes/70-test_npn.t
- create mode 100644 util/perl/TLSProxy/NextProto.pm
-
-diff --git a/test/recipes/70-test_npn.t b/test/recipes/70-test_npn.t
-new file mode 100644
-index 0000000..f82e71a
---- /dev/null
-+++ b/test/recipes/70-test_npn.t
-@@ -0,0 +1,73 @@
-+#! /usr/bin/env perl
-+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
-+#
-+# Licensed under the Apache License 2.0 (the "License").  You may not use
-+# this file except in compliance with the License.  You can obtain a copy
-+# in the file LICENSE in the source distribution or at
-+# https://www.openssl.org/source/license.html
-+
-+use strict;
-+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
-+use OpenSSL::Test::Utils;
-+
-+use TLSProxy::Proxy;
-+
-+my $test_name = "test_npn";
-+setup($test_name);
-+
-+plan skip_all => "TLSProxy isn't usable on $^O"
-+    if $^O =~ /^(VMS)$/;
-+
-+plan skip_all => "$test_name needs the dynamic engine feature enabled"
-+    if disabled("engine") || disabled("dynamic-engine");
-+
-+plan skip_all => "$test_name needs the sock feature enabled"
-+    if disabled("sock");
-+
-+plan skip_all => "$test_name needs NPN enabled"
-+    if disabled("nextprotoneg");
-+
-+plan skip_all => "$test_name needs TLSv1.2 enabled"
-+    if disabled("tls1_2");
-+
-+my $proxy = TLSProxy::Proxy->new(
-+    undef,
-+    cmdstr(app(["openssl"]), display => 1),
-+    srctop_file("apps", "server.pem"),
-+    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
-+);
-+
-+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-+plan tests => 1;
-+
-+my $npnseen = 0;
-+
-+# Test 1: Check sending an empty NextProto message from the client works. This is
-+#         valid as per the spec, but OpenSSL does not allow you to send it.
-+#         Therefore we must be prepared to receive such a message but we cannot
-+#         generate it except via TLSProxy
-+$proxy->clear();
-+$proxy->filter(\&npn_filter);
-+$proxy->clientflags("-nextprotoneg foo -no_tls1_3");
-+$proxy->serverflags("-nextprotoneg foo");
-+$proxy->start();
-+ok($npnseen && TLSProxy::Message->success(), "Empty NPN message");
-+
-+sub npn_filter
-+{
-+    my $proxy = shift;
-+    my $message;
-+
-+    # The NextProto message always appears in flight 2
-+    return if $proxy->flight != 2;
-+
-+    foreach my $message (@{$proxy->message_list}) {
-+        if ($message->mt == TLSProxy::Message::MT_NEXT_PROTO) {
-+            # Our TLSproxy NextProto message support doesn't support parsing of
-+            # the message. If we repack it just creates an empty NextProto
-+            # message - which is exactly the scenario we want to test here.
-+            $message->repack();
-+            $npnseen = 1;
-+        }
-+    }
-+}
-diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm
-index 2c1bdb3..eb350de 100644
---- a/util/perl/TLSProxy/Message.pm
-+++ b/util/perl/TLSProxy/Message.pm
-@@ -379,6 +379,15 @@ sub create_message
-             [@message_frag_lens]
-         );
-         $message->parse();
-+    }  elsif ($mt == MT_NEXT_PROTO) {
-+        $message = TLSProxy::NextProto->new(
-+            $server,
-+            $data,
-+            [@message_rec_list],
-+            $startoffset,
-+            [@message_frag_lens]
-+        );
-+        $message->parse();
-     } else {
-         #Unknown message type
-         $message = TLSProxy::Message->new(
-diff --git a/util/perl/TLSProxy/NextProto.pm b/util/perl/TLSProxy/NextProto.pm
-new file mode 100644
-index 0000000..0e18347
---- /dev/null
-+++ b/util/perl/TLSProxy/NextProto.pm
-@@ -0,0 +1,54 @@
-+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
-+#
-+# Licensed under the Apache License 2.0 (the "License").  You may not use
-+# this file except in compliance with the License.  You can obtain a copy
-+# in the file LICENSE in the source distribution or at
-+# https://www.openssl.org/source/license.html
-+
-+use strict;
-+
-+package TLSProxy::NextProto;
-+
-+use vars '@ISA';
-+push @ISA, 'TLSProxy::Message';
-+
-+sub new
-+{
-+    my $class = shift;
-+    my ($server,
-+        $data,
-+        $records,
-+        $startoffset,
-+        $message_frag_lens) = @_;
-+
-+    my $self = $class->SUPER::new(
-+        $server,
-+        TLSProxy::Message::MT_NEXT_PROTO,
-+        $data,
-+        $records,
-+        $startoffset,
-+        $message_frag_lens);
-+
-+    return $self;
-+}
-+
-+sub parse
-+{
-+    # We don't support parsing at the moment
-+}
-+
-+# This is supposed to reconstruct the on-the-wire message data following changes.
-+# For now though since we don't support parsing we just create an empty NextProto
-+# message - this capability is used in test_npn
-+sub set_message_contents
-+{
-+    my $self = shift;
-+    my $data;
-+
-+    $data = pack("C32", 0x00, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+                 0x00, 0x00, 0x00);
-+    $self->data($data);
-+}
-+1;
-diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm
-index 3de10ec..b707722 100644
---- a/util/perl/TLSProxy/Proxy.pm
-+++ b/util/perl/TLSProxy/Proxy.pm
-@@ -23,6 +23,7 @@ use TLSProxy::CertificateRequest;
- use TLSProxy::CertificateVerify;
- use TLSProxy::ServerKeyExchange;
- use TLSProxy::NewSessionTicket;
-+use TLSProxy::NextProto;
- 
- my $have_IPv6;
- my $IP_factory;
--- 
-2.25.1
-

meta/recipes-connectivity/openssl/openssl_3.0.15.bb

@@ -7,27 +7,18 @@ SECTION = "libs/network"
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
 
-SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
+SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/openssl-${PV}.tar.gz \
            file://run-ptest \
            file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
            file://afalg.patch \
            file://0001-Configure-do-not-tweak-mips-cflags.patch \
-           file://CVE-2024-5535_1.patch \
-           file://CVE-2024-5535_2.patch \
-           file://CVE-2024-5535_3.patch \
-           file://CVE-2024-5535_4.patch \
-           file://CVE-2024-5535_5.patch \
-           file://CVE-2024-5535_6.patch \
-           file://CVE-2024-5535_7.patch \
-           file://CVE-2024-5535_8.patch \
-           file://CVE-2024-5535_9.patch \
            "
 
 SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "eeca035d4dd4e84fc25846d952da6297484afa0650a6f84c682e39df3a4123ca"
+SRC_URI[sha256sum] = "23c666d0edf20f14249b3d8f0368acaee9ab585b09e1de82107c66e1f3ec9533"
 
 inherit lib_package multilib_header multilib_script ptest perlnative
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"

meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch

@@ -0,0 +1,52 @@
+From 364c2da8741f0979dae497551e70b94c0e6c8636 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 7 Jul 2024 11:46:49 +0300
+Subject: [PATCH 1/3] SAE: Check for invalid Rejected Groups element length
+ explicitly
+
+Instead of practically ignoring an odd octet at the end of the element,
+check for such invalid case explicitly. This is needed to avoid a
+potential group downgrade attack.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+CVE: CVE-2024-3596
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=364c2da8741f0979dae497551e70b94c0e6c8636]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/ap/ieee802_11.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index db4104928..1a62e30cc 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -1258,7 +1258,7 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
+ 				     struct sae_data *sae)
+ {
+ 	const struct wpabuf *groups;
+-	size_t i, count;
++	size_t i, count, len;
+ 	const u8 *pos;
+ 
+ 	if (!sae->tmp)
+@@ -1268,7 +1268,15 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
+ 		return 0;
+ 
+ 	pos = wpabuf_head(groups);
+-	count = wpabuf_len(groups) / 2;
++	len = wpabuf_len(groups);
++	if (len & 1) {
++		wpa_printf(MSG_DEBUG,
++			   "SAE: Invalid length of the Rejected Groups element payload: %zu",
++			   len);
++		return 1;
++	}
++
++	count = len / 2;
+ 	for (i = 0; i < count; i++) {
+ 		int enabled;
+ 		u16 group;
+-- 
+2.30.2
+

meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-SAE-Check-for-invalid-Rejected-Groups-element-length.patch

@@ -0,0 +1,50 @@
+From 593a7c2f8c93edd6b552f2d42e28164464b4e6ff Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Tue, 9 Jul 2024 23:33:38 +0300
+Subject: [PATCH 2/3] SAE: Check for invalid Rejected Groups element length
+ explicitly on STA
+
+Instead of practically ignoring an odd octet at the end of the element,
+check for such invalid case explicitly. This is needed to avoid a
+potential group downgrade attack.
+
+Fixes: 444d76f74f65 ("SAE: Check that peer's rejected groups are not enabled")
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=593a7c2f8c93edd6b552f2d42e28164464b4e6ff]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ wpa_supplicant/sme.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
+index 7f43216c6..c7289f6a8 100644
+--- a/wpa_supplicant/sme.c
++++ b/wpa_supplicant/sme.c
+@@ -1222,14 +1222,21 @@ static int sme_sae_is_group_enabled(struct wpa_supplicant *wpa_s, int group)
+ static int sme_check_sae_rejected_groups(struct wpa_supplicant *wpa_s,
+ 					 const struct wpabuf *groups)
+ {
+-	size_t i, count;
++	size_t i, count, len;
+ 	const u8 *pos;
+ 
+ 	if (!groups)
+ 		return 0;
+ 
+ 	pos = wpabuf_head(groups);
+-	count = wpabuf_len(groups) / 2;
++	len = wpabuf_len(groups);
++	if (len & 1) {
++		wpa_printf(MSG_DEBUG,
++			   "SAE: Invalid length of the Rejected Groups element payload: %zu",
++			   len);
++		return 1;
++	}
++	count = len / 2;
+ 	for (i = 0; i < count; i++) {
+ 		int enabled;
+ 		u16 group;
+-- 
+2.30.2
+

meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch

@@ -0,0 +1,38 @@
+From 9716bf1160beb677e965d9e6475d6c9e162e8374 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Tue, 9 Jul 2024 23:34:34 +0300
+Subject: [PATCH 3/3] SAE: Reject invalid Rejected Groups element in the parser
+
+There is no need to depend on all uses (i.e., both hostapd and
+wpa_supplicant) to verify that the length of the Rejected Groups field
+in the Rejected Groups element is valid (i.e., a multiple of two octets)
+since the common parser can reject the message when detecting this.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=9716bf1160beb677e965d9e6475d6c9e162e8374]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/common/sae.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index c0f154e91..620bdf753 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -2076,6 +2076,12 @@ static int sae_parse_rejected_groups(struct sae_data *sae,
+ 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
+ 	epos++; /* skip ext ID */
+ 	len--;
++	if (len & 1) {
++		wpa_printf(MSG_DEBUG,
++			   "SAE: Invalid length of the Rejected Groups element payload: %u",
++			   len);
++		return WLAN_STATUS_UNSPECIFIED_FAILURE;
++	}
+ 
+ 	wpabuf_free(sae->tmp->peer_rejected_groups);
+ 	sae->tmp->peer_rejected_groups = wpabuf_alloc(len);
+-- 
+2.30.2
+

meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_00.patch

@@ -0,0 +1,82 @@
+From 945acf3ef06a6c312927da4fa055693dbac432d1 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 2 Apr 2022 16:28:12 +0300
+Subject: [PATCH 1/9] ieee802_11_auth: Coding style cleanup - no string
+ constant splitting
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=945acf3ef06a6c312927da4fa055693dbac432d1]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/ap/ieee802_11_auth.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c
+index 783ee6dea..47cc625be 100644
+--- a/src/ap/ieee802_11_auth.c
++++ b/src/ap/ieee802_11_auth.c
+@@ -267,16 +267,16 @@ int hostapd_allowed_address(struct hostapd_data *hapd, const u8 *addr,
+ 		os_get_reltime(&query->timestamp);
+ 		os_memcpy(query->addr, addr, ETH_ALEN);
+ 		if (hostapd_radius_acl_query(hapd, addr, query)) {
+-			wpa_printf(MSG_DEBUG, "Failed to send Access-Request "
+-				   "for ACL query.");
++			wpa_printf(MSG_DEBUG,
++				   "Failed to send Access-Request for ACL query.");
+ 			hostapd_acl_query_free(query);
+ 			return HOSTAPD_ACL_REJECT;
+ 		}
+ 
+ 		query->auth_msg = os_memdup(msg, len);
+ 		if (query->auth_msg == NULL) {
+-			wpa_printf(MSG_ERROR, "Failed to allocate memory for "
+-				   "auth frame.");
++			wpa_printf(MSG_ERROR,
++				   "Failed to allocate memory for auth frame.");
+ 			hostapd_acl_query_free(query);
+ 			return HOSTAPD_ACL_REJECT;
+ 		}
+@@ -467,19 +467,21 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req,
+ 	if (query == NULL)
+ 		return RADIUS_RX_UNKNOWN;
+ 
+-	wpa_printf(MSG_DEBUG, "Found matching Access-Request for RADIUS "
+-		   "message (id=%d)", query->radius_id);
++	wpa_printf(MSG_DEBUG,
++		   "Found matching Access-Request for RADIUS message (id=%d)",
++		   query->radius_id);
+ 
+ 	if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 0)) {
+-		wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have "
+-			   "correct authenticator - dropped\n");
++		wpa_printf(MSG_INFO,
++			   "Incoming RADIUS packet did not have correct authenticator - dropped");
+ 		return RADIUS_RX_INVALID_AUTHENTICATOR;
+ 	}
+ 
+ 	if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT &&
+ 	    hdr->code != RADIUS_CODE_ACCESS_REJECT) {
+-		wpa_printf(MSG_DEBUG, "Unknown RADIUS message code %d to ACL "
+-			   "query", hdr->code);
++		wpa_printf(MSG_DEBUG,
++			   "Unknown RADIUS message code %d to ACL query",
++			   hdr->code);
+ 		return RADIUS_RX_UNKNOWN;
+ 	}
+ 
+@@ -506,8 +508,9 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req,
+ 			    msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL,
+ 			    &info->acct_interim_interval) == 0 &&
+ 		    info->acct_interim_interval < 60) {
+-			wpa_printf(MSG_DEBUG, "Ignored too small "
+-				   "Acct-Interim-Interval %d for STA " MACSTR,
++			wpa_printf(MSG_DEBUG,
++				   "Ignored too small Acct-Interim-Interval %d for STA "
++				   MACSTR,
+ 				   info->acct_interim_interval,
+ 				   MAC2STR(query->addr));
+ 			info->acct_interim_interval = 0;
+-- 
+2.30.2
+

meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_01.patch

@@ -0,0 +1,165 @@
+From adac846bd0e258a0aa50750bbd2b411fa0085c46 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 16 Mar 2024 11:11:44 +0200
+Subject: [PATCH 2/9] RADIUS: Allow Message-Authenticator attribute as the
+ first attribute
+
+If a Message-Authenticator attribute was already added to a RADIUS
+message, use that attribute instead of adding a new one when finishing
+message building. This allows the Message-Authenticator attribute to be
+placed as the first attribute in the message.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+CVE: CVE-2024-3596
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=adac846bd0e258a0aa50750bbd2b411fa0085c46]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/radius/radius.c | 85 ++++++++++++++++++++++++++++-----------------
+ src/radius/radius.h |  1 +
+ 2 files changed, 54 insertions(+), 32 deletions(-)
+
+diff --git a/src/radius/radius.c b/src/radius/radius.c
+index be16e27b9..2d2e00b5c 100644
+--- a/src/radius/radius.c
++++ b/src/radius/radius.c
+@@ -364,25 +364,54 @@ void radius_msg_dump(struct radius_msg *msg)
+ }
+ 
+ 
++u8 * radius_msg_add_msg_auth(struct radius_msg *msg)
++{
++	u8 auth[MD5_MAC_LEN];
++	struct radius_attr_hdr *attr;
++
++	os_memset(auth, 0, MD5_MAC_LEN);
++	attr = radius_msg_add_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
++				   auth, MD5_MAC_LEN);
++	if (!attr) {
++		wpa_printf(MSG_ERROR,
++			   "WARNING: Could not add Message-Authenticator");
++		return NULL;
++	}
++
++	return (u8 *) (attr + 1);
++}
++
++
++static u8 * radius_msg_auth_pos(struct radius_msg *msg)
++{
++	u8 *pos;
++	size_t alen;
++
++	if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
++				    &pos, &alen, NULL) == 0 &&
++	    alen == MD5_MAC_LEN) {
++		/* Use already added Message-Authenticator attribute */
++		return pos;
++	}
++
++	/* Add a Message-Authenticator attribute */
++	return radius_msg_add_msg_auth(msg);
++}
++
++
+ int radius_msg_finish(struct radius_msg *msg, const u8 *secret,
+ 		      size_t secret_len)
+ {
+ 	if (secret) {
+-		u8 auth[MD5_MAC_LEN];
+-		struct radius_attr_hdr *attr;
++		u8 *pos;
+ 
+-		os_memset(auth, 0, MD5_MAC_LEN);
+-		attr = radius_msg_add_attr(msg,
+-					   RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
+-					   auth, MD5_MAC_LEN);
+-		if (attr == NULL) {
+-			wpa_printf(MSG_WARNING, "RADIUS: Could not add "
+-				   "Message-Authenticator");
++		pos = radius_msg_auth_pos(msg);
++		if (!pos)
+ 			return -1;
+-		}
+ 		msg->hdr->length = host_to_be16(wpabuf_len(msg->buf));
+-		hmac_md5(secret, secret_len, wpabuf_head(msg->buf),
+-			 wpabuf_len(msg->buf), (u8 *) (attr + 1));
++		if (hmac_md5(secret, secret_len, wpabuf_head(msg->buf),
++			     wpabuf_len(msg->buf), pos) < 0)
++			return -1;
+ 	} else
+ 		msg->hdr->length = host_to_be16(wpabuf_len(msg->buf));
+ 
+@@ -398,23 +427,19 @@ int radius_msg_finish(struct radius_msg *msg, const u8 *secret,
+ int radius_msg_finish_srv(struct radius_msg *msg, const u8 *secret,
+ 			  size_t secret_len, const u8 *req_authenticator)
+ {
+-	u8 auth[MD5_MAC_LEN];
+-	struct radius_attr_hdr *attr;
+ 	const u8 *addr[4];
+ 	size_t len[4];
++	u8 *pos;
+ 
+-	os_memset(auth, 0, MD5_MAC_LEN);
+-	attr = radius_msg_add_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
+-				   auth, MD5_MAC_LEN);
+-	if (attr == NULL) {
+-		wpa_printf(MSG_ERROR, "WARNING: Could not add Message-Authenticator");
++	pos = radius_msg_auth_pos(msg);
++	if (!pos)
+ 		return -1;
+-	}
+ 	msg->hdr->length = host_to_be16(wpabuf_len(msg->buf));
+ 	os_memcpy(msg->hdr->authenticator, req_authenticator,
+ 		  sizeof(msg->hdr->authenticator));
+-	hmac_md5(secret, secret_len, wpabuf_head(msg->buf),
+-		 wpabuf_len(msg->buf), (u8 *) (attr + 1));
++	if (hmac_md5(secret, secret_len, wpabuf_head(msg->buf),
++		     wpabuf_len(msg->buf), pos) < 0)
++		return -1;
+ 
+ 	/* ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) */
+ 	addr[0] = (u8 *) msg->hdr;
+@@ -442,21 +467,17 @@ int radius_msg_finish_das_resp(struct radius_msg *msg, const u8 *secret,
+ {
+ 	const u8 *addr[2];
+ 	size_t len[2];
+-	u8 auth[MD5_MAC_LEN];
+-	struct radius_attr_hdr *attr;
++	u8 *pos;
+ 
+-	os_memset(auth, 0, MD5_MAC_LEN);
+-	attr = radius_msg_add_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
+-				   auth, MD5_MAC_LEN);
+-	if (attr == NULL) {
+-		wpa_printf(MSG_WARNING, "Could not add Message-Authenticator");
++	pos = radius_msg_auth_pos(msg);
++	if (!pos)
+ 		return -1;
+-	}
+ 
+ 	msg->hdr->length = host_to_be16(wpabuf_len(msg->buf));
+ 	os_memcpy(msg->hdr->authenticator, req_hdr->authenticator, 16);
+-	hmac_md5(secret, secret_len, wpabuf_head(msg->buf),
+-		 wpabuf_len(msg->buf), (u8 *) (attr + 1));
++	if (hmac_md5(secret, secret_len, wpabuf_head(msg->buf),
++		     wpabuf_len(msg->buf), pos) < 0)
++		return -1;
+ 
+ 	/* ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) */
+ 	addr[0] = wpabuf_head_u8(msg->buf);
+diff --git a/src/radius/radius.h b/src/radius/radius.h
+index fb8148180..6b9dfbca2 100644
+--- a/src/radius/radius.h
++++ b/src/radius/radius.h
+@@ -240,6 +240,7 @@ struct wpabuf * radius_msg_get_buf(struct radius_msg *msg);
+ struct radius_msg * radius_msg_new(u8 code, u8 identifier);
+ void radius_msg_free(struct radius_msg *msg);
+ void radius_msg_dump(struct radius_msg *msg);
++u8 * radius_msg_add_msg_auth(struct radius_msg *msg);
+ int radius_msg_finish(struct radius_msg *msg, const u8 *secret,
+ 		      size_t secret_len);
+ int radius_msg_finish_srv(struct radius_msg *msg, const u8 *secret,
+-- 
+2.30.2
+

meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_02.patch

@@ -0,0 +1,62 @@
+From 54abb0d3cf35894e7d86e3f7555e95b106306803 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 16 Mar 2024 11:13:32 +0200
+Subject: [PATCH 3/9] RADIUS server: Place Message-Authenticator attribute as
+ the first one
+
+Move the Message-Authenticator attribute to be the first attribute in
+the RADIUS messages. This mitigates certain MD5 attacks against
+RADIUS/UDP.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+CVE: CVE-2024-3596
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=54abb0d3cf35894e7d86e3f7555e95b106306803]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/radius/radius_server.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c
+index e02c21540..fa3691548 100644
+--- a/src/radius/radius_server.c
++++ b/src/radius/radius_server.c
+@@ -920,6 +920,11 @@ radius_server_encapsulate_eap(struct radius_server_data *data,
+ 		return NULL;
+ 	}
+ 
++	if (!radius_msg_add_msg_auth(msg)) {
++		radius_msg_free(msg);
++		return NULL;
++	}
++
+ 	sess_id = htonl(sess->sess_id);
+ 	if (code == RADIUS_CODE_ACCESS_CHALLENGE &&
+ 	    !radius_msg_add_attr(msg, RADIUS_ATTR_STATE,
+@@ -1204,6 +1209,11 @@ radius_server_macacl(struct radius_server_data *data,
+ 		return NULL;
+ 	}
+ 
++	if (!radius_msg_add_msg_auth(msg)) {
++		radius_msg_free(msg);
++		return NULL;
++	}
++
+ 	if (radius_msg_copy_attr(msg, request, RADIUS_ATTR_PROXY_STATE) < 0) {
+ 		RADIUS_DEBUG("Failed to copy Proxy-State attribute(s)");
+ 		radius_msg_free(msg);
+@@ -1253,6 +1263,11 @@ static int radius_server_reject(struct radius_server_data *data,
+ 		return -1;
+ 	}
+ 
++	if (!radius_msg_add_msg_auth(msg)) {
++		radius_msg_free(msg);
++		return -1;
++	}
++
+ 	os_memset(&eapfail, 0, sizeof(eapfail));
+ 	eapfail.code = EAP_CODE_FAILURE;
+ 	eapfail.identifier = 0;
+-- 
+2.30.2
+

meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_03.patch

@@ -0,0 +1,37 @@
+From 689a248260c9708e6c92cd8635382725a29e34ca Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 16 Mar 2024 11:16:12 +0200
+Subject: [PATCH 4/9] eapol_test: Move Message-Authenticator attribute to be
+ the first one
+
+Even if this is not strictly speaking necessary for mitigating certain
+RADIUS protocol attacks, be consistent with the RADIUS server behavior
+and move the Message-Authenticator attribute to be the first attribute
+in the message from RADIUS client.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+CVE: CVE-2024-3596
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=689a248260c9708e6c92cd8635382725a29e34ca]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ wpa_supplicant/eapol_test.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/wpa_supplicant/eapol_test.c b/wpa_supplicant/eapol_test.c
+index e256ac50e..57082e4b8 100644
+--- a/wpa_supplicant/eapol_test.c
++++ b/wpa_supplicant/eapol_test.c
+@@ -194,6 +194,9 @@ static void ieee802_1x_encapsulate_radius(struct eapol_test_data *e,
+ 		return;
+ 	}
+ 
++	if (!radius_msg_add_msg_auth(msg))
++		goto fail;
++
+ 	radius_msg_make_authenticator(msg);
+ 
+ 	hdr = (const struct eap_hdr *) eap;
+-- 
+2.30.2
+

meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_04.patch

@@ -0,0 +1,52 @@
+From 37fe8e48ab44d44fe3cf5dd8f52cb0a10be0cd17 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 16 Mar 2024 11:22:43 +0200
+Subject: [PATCH 5/9] hostapd: Move Message-Authenticator attribute to be the
+ first one in req
+
+Even if this is not strictly speaking necessary for mitigating certain
+RADIUS protocol attacks, be consistent with the RADIUS server behavior
+and move the Message-Authenticator attribute to be the first attribute
+in the message from RADIUS client in hostapd.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+CVE: CVE-2024-3596
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=37fe8e48ab44d44fe3cf5dd8f52cb0a10be0cd17]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/ap/ieee802_11_auth.c | 3 +++
+ src/ap/ieee802_1x.c      | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c
+index 47cc625be..2a950cf7f 100644
+--- a/src/ap/ieee802_11_auth.c
++++ b/src/ap/ieee802_11_auth.c
+@@ -119,6 +119,9 @@ static int hostapd_radius_acl_query(struct hostapd_data *hapd, const u8 *addr,
+ 		goto fail;
+ 	}
+ 
++	if (!radius_msg_add_msg_auth(msg))
++		goto fail;
++
+ 	os_snprintf(buf, sizeof(buf), RADIUS_ADDR_FORMAT, MAC2STR(addr));
+ 	if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, (u8 *) buf,
+ 				 os_strlen(buf))) {
+diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
+index 753c88335..89e3dd30e 100644
+--- a/src/ap/ieee802_1x.c
++++ b/src/ap/ieee802_1x.c
+@@ -702,6 +702,9 @@ void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd,
+ 		goto fail;
+ 	}
+ 
++	if (!radius_msg_add_msg_auth(msg))
++		goto fail;
++
+ 	if (sm->identity &&
+ 	    !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,
+ 				 sm->identity, sm->identity_len)) {
+-- 
+2.30.2
+

meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_05.patch

@@ -0,0 +1,51 @@
+From f54157077f799d84ce26bed6ad6b01c4a16e31cf Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 16 Mar 2024 11:26:58 +0200
+Subject: [PATCH 6/9] RADIUS DAS: Move Message-Authenticator attribute to be
+ the first one
+
+Even if this might not be strictly speaking necessary for mitigating
+certain RADIUS protocol attacks, be consistent with the RADIUS server
+behavior and move the Message-Authenticator attribute to be the first
+attribute in the RADIUS DAS responses from hostapd.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+CVE: CVE-2024-3596
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=f54157077f799d84ce26bed6ad6b01c4a16e31cf]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/radius/radius_das.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/radius/radius_das.c b/src/radius/radius_das.c
+index aaa3fc267..8d7c9b4c4 100644
+--- a/src/radius/radius_das.c
++++ b/src/radius/radius_das.c
+@@ -177,6 +177,11 @@ fail:
+ 	if (reply == NULL)
+ 		return NULL;
+ 
++	if (!radius_msg_add_msg_auth(reply)) {
++		radius_msg_free(reply);
++		return NULL;
++	}
++
+ 	if (error) {
+ 		if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE,
+ 					       error)) {
+@@ -368,6 +373,11 @@ fail:
+ 	if (!reply)
+ 		return NULL;
+ 
++	if (!radius_msg_add_msg_auth(reply)) {
++		radius_msg_free(reply);
++		return NULL;
++	}
++
+ 	if (error &&
+ 	    !radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE, error)) {
+ 		radius_msg_free(reply);
+-- 
+2.30.2
+

meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_06.patch

@@ -0,0 +1,46 @@
+From 934b0c3a45ce0726560ccefbd992a9d385c36385 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 16 Mar 2024 11:31:37 +0200
+Subject: [PATCH 7/9] Require Message-Authenticator in Access-Reject even
+ without EAP-Message
+
+Do not allow the exception for missing Message-Authenticator in
+Access-Reject without EAP-Message. While such exception is allowed in
+RADIUS definition, there is no strong reason to maintain this since
+Access-Reject is supposed to include EAP-Message and even if it doesn't,
+discarding Access-Reject will result in the connection not completing.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+CVE: CVE-2024-3596
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=934b0c3a45ce0726560ccefbd992a9d385c36385]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/ap/ieee802_1x.c | 11 +----------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
+index 89e3dd30e..6e7b75128 100644
+--- a/src/ap/ieee802_1x.c
++++ b/src/ap/ieee802_1x.c
+@@ -1939,16 +1939,7 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req,
+ 	}
+ 	sta = sm->sta;
+ 
+-	/* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be
+-	 * present when packet contains an EAP-Message attribute */
+-	if (hdr->code == RADIUS_CODE_ACCESS_REJECT &&
+-	    radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL,
+-				0) < 0 &&
+-	    radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) {
+-		wpa_printf(MSG_DEBUG,
+-			   "Allowing RADIUS Access-Reject without Message-Authenticator since it does not include EAP-Message");
+-	} else if (radius_msg_verify(msg, shared_secret, shared_secret_len,
+-				     req, 1)) {
++	if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 1)) {
+ 		wpa_printf(MSG_INFO,
+ 			   "Incoming RADIUS packet did not have correct Message-Authenticator - dropped");
+ 		return RADIUS_RX_INVALID_AUTHENTICATOR;
+-- 
+2.30.2
+

meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_07.patch

@@ -0,0 +1,67 @@
+From 58097123ec5ea6f8276b38cb9b07669ec368a6c1 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 17 Mar 2024 10:42:56 +0200
+Subject: [PATCH 8/9] RADIUS: Require Message-Authenticator attribute in MAC
+ ACL cases
+
+hostapd required Message-Authenticator attribute to be included in EAP
+authentication cases, but that requirement was not in place for MAC ACL
+cases. Start requiring Message-Authenticator attribute for MAC ACL by
+default. Unlike the EAP case, this can still be disabled with
+radius_require_message_authenticator=1 to maintain compatibility with
+some RADIUS servers when used in a network where the connection to such
+a server is secure.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+CVE: CVE-2024-3596
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=58097123ec5ea6f8276b38cb9b07669ec368a6c1]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/ap/ap_config.c       |  1 +
+ src/ap/ap_config.h       |  1 +
+ src/ap/ieee802_11_auth.c |  4 +++-
+ 5 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
+index 86b6e097c..cf497a180 100644
+--- a/src/ap/ap_config.c
++++ b/src/ap/ap_config.c
+@@ -120,6 +120,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
+ #endif /* CONFIG_IEEE80211R_AP */
+ 
+ 	bss->radius_das_time_window = 300;
++	bss->radius_require_message_authenticator = 1;
+ 
+ 	bss->anti_clogging_threshold = 5;
+ 	bss->sae_sync = 5;
+diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
+index 49cd3168a..22ad617f4 100644
+--- a/src/ap/ap_config.h
++++ b/src/ap/ap_config.h
+@@ -302,6 +302,7 @@ struct hostapd_bss_config {
+ 	struct hostapd_ip_addr own_ip_addr;
+ 	char *nas_identifier;
+ 	struct hostapd_radius_servers *radius;
++	int radius_require_message_authenticator;
+ 	int acct_interim_interval;
+ 	int radius_request_cui;
+ 	struct hostapd_radius_attr *radius_auth_req_attr;
+diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c
+index 2a950cf7f..dab9bcde3 100644
+--- a/src/ap/ieee802_11_auth.c
++++ b/src/ap/ieee802_11_auth.c
+@@ -474,7 +474,9 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req,
+ 		   "Found matching Access-Request for RADIUS message (id=%d)",
+ 		   query->radius_id);
+ 
+-	if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 0)) {
++	if (radius_msg_verify(
++		    msg, shared_secret, shared_secret_len, req,
++		    hapd->conf->radius_require_message_authenticator)) {
+ 		wpa_printf(MSG_INFO,
+ 			   "Incoming RADIUS packet did not have correct authenticator - dropped");
+ 		return RADIUS_RX_INVALID_AUTHENTICATOR;
+-- 
+2.30.2
+

meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2024-3596_08.patch

@@ -0,0 +1,47 @@
+From f302d9f9646704cce745734af21d540baa0da65f Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 17 Mar 2024 10:47:58 +0200
+Subject: [PATCH 9/9] RADIUS: Check Message-Authenticator if it is present even
+ if not required
+
+Always check the Message-Authenticator attribute in a received RADIUS
+message if it is present. Previously, this would have been skipped if
+the attribute was not required to be present.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+CVE: CVE-2024-3596
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=f302d9f9646704cce745734af21d540baa0da65f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/radius/radius.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/radius/radius.c b/src/radius/radius.c
+index 2d2e00b5c..a0e3ce399 100644
+--- a/src/radius/radius.c
++++ b/src/radius/radius.c
+@@ -879,6 +879,20 @@ int radius_msg_verify(struct radius_msg *msg, const u8 *secret,
+ 		return 1;
+ 	}
+ 
++	if (!auth) {
++		u8 *pos;
++		size_t alen;
++
++		if (radius_msg_get_attr_ptr(msg,
++					    RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
++					    &pos, &alen, NULL) == 0) {
++			/* Check the Message-Authenticator attribute since it
++			 * was included even if we are configured to not
++			 * require it. */
++			auth = 1;
++		}
++	}
++
+ 	if (auth &&
+ 	    radius_msg_verify_msg_auth(msg, secret, secret_len,
+ 				       sent_msg->hdr->authenticator)) {
+-- 
+2.30.2
+

meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb

@@ -26,11 +26,26 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
            file://wpa_supplicant.conf-sane \
            file://99_wpa_supplicant \
            file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch \
+           file://CVE-2024-3596_00.patch \
+           file://CVE-2024-3596_01.patch \
+           file://CVE-2024-3596_02.patch \
+           file://CVE-2024-3596_03.patch \
+           file://CVE-2024-3596_04.patch \
+           file://CVE-2024-3596_05.patch \
+           file://CVE-2024-3596_06.patch \
+           file://CVE-2024-3596_07.patch \
+           file://CVE-2024-3596_08.patch \
+           file://0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch \
+           file://0002-SAE-Check-for-invalid-Rejected-Groups-element-length.patch \
+           file://0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch \
            "
 SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f"
 
 CVE_PRODUCT = "wpa_supplicant"
 
+# not-applicable-platform: this only affects Ubuntu and other platforms patching wpa-supplicant
+CVE_CHECK_IGNORE += "CVE-2024-5290"
+
 S = "${WORKDIR}/wpa_supplicant-${PV}"
 
 PACKAGES:prepend = "wpa-supplicant-passphrase wpa-supplicant-cli "

meta/recipes-core/busybox/busybox/0001-cut-Fix-s-flag-to-omit-blank-lines.patch

@@ -0,0 +1,66 @@
+From 199606e960942c29fd8085be812edd3d3697825c Mon Sep 17 00:00:00 2001
+From: Colin McAllister <colinmca242@gmail.com>
+Date: Wed, 17 Jul 2024 07:58:52 -0500
+Subject: [PATCH 1/1] cut: Fix "-s" flag to omit blank lines
+
+Using cut with the delimiter flag ("-d") with the "-s" flag to only
+output lines containing the delimiter will print blank lines. This is
+deviant behavior from cut provided by GNU Coreutils. Blank lines should
+be omitted if "-s" is used with "-d".
+
+This change introduces a somewhat naiive, yet efficient solution, where
+line length is checked before looping though bytes. If line length is
+zero and the "-s" flag is used, the code will jump to parsing the next
+line to avoid printing a newline character.
+
+In addition, a test to cut.tests has been added to ensure that this
+regression is fixed and will not happen again in the future.
+
+Upstream-Status: Submitted [http://lists.busybox.net/pipermail/busybox/2024-July/090834.html]
+
+Signed-off-by: Colin McAllister <colinmca242@gmail.com>
+---
+ coreutils/cut.c     | 6 ++++++
+ testsuite/cut.tests | 9 +++++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/coreutils/cut.c b/coreutils/cut.c
+index 55bdd9386..b7f986f26 100644
+--- a/coreutils/cut.c
++++ b/coreutils/cut.c
+@@ -152,6 +152,12 @@ static void cut_file(FILE *file, const char *delim, const char *odelim,
+ 			unsigned uu = 0, start = 0, end = 0, out = 0;
+ 			int dcount = 0;
+ 
++			/* Blank line? */
++			if (!linelen) {
++				if (option_mask32 & CUT_OPT_SUPPRESS_FLGS)
++					goto next_line;
++			}
++
+ 			/* Loop through bytes, finding next delimiter */
+ 			for (;;) {
+ 				/* End of current range? */
+diff --git a/testsuite/cut.tests b/testsuite/cut.tests
+index 2458c019c..0b401bc00 100755
+--- a/testsuite/cut.tests
++++ b/testsuite/cut.tests
+@@ -65,6 +65,15 @@ testing "cut with -d -f( ) -s" "cut -d' ' -f3 -s input && echo yes" "yes\n" "$in
+ testing "cut with -d -f(a) -s" "cut -da -f3 -s input" "n\nsium:Jim\n\ncion:Ed\n" "$input" ""
+ testing "cut with -d -f(a) -s -n" "cut -da -f3 -s -n input" "n\nsium:Jim\n\ncion:Ed\n" "$input" ""
+ 
++input="\
++
++foo bar baz
++
++bing bong boop
++
++"
++testing "cut with -d -s omits blank lines" "cut -d' ' -f2 -s input" "bar\nbong\n" "$input" ""
++
+ # substitute for awk
+ optional FEATURE_CUT_REGEX
+ testing "cut -DF" "cut -DF 2,7,5" \
+-- 
+2.43.0
+

meta/recipes-core/busybox/busybox_1.35.0.bb

@@ -57,6 +57,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://CVE-2023-42364_42365-1.patch \
            file://CVE-2023-42364_42365-2.patch \
            file://CVE-2023-42366.patch \
+           file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \
            "
 SRC_URI:append:libc-musl = " file://musl.cfg "
 

meta/recipes-core/expat/expat/CVE-2024-45490-0001.patch

@@ -0,0 +1,35 @@
+From 1d4f03d21b4f42031716522a6b96346b7a60d4c4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:26:07 +0200
+Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer
+
+Reported by TaiYou
+
+CVE: CVE-2024-45490
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/5c1a31642e243f4870c0bd1f2afc7597976521bf]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ lib/xmlparse.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 9984d02..6f0440b 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1996,6 +1996,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) {
+
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
++
++  if (len < 0) {
++    parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
++    return XML_STATUS_ERROR;
++  }
++
+   switch (parser->m_parsingStatus.parsing) {
+   case XML_SUSPENDED:
+     parser->m_errorCode = XML_ERROR_SUSPENDED;
+--
+2.40.0

meta/recipes-core/expat/expat/CVE-2024-45490-0002.patch

@@ -0,0 +1,250 @@
+From c803b93e8736ed255ff1a6db5ab6add7ccea736c Mon Sep 17 00:00:00 2001
+From: Snild Dolkow <snild@sony.com>
+Date: Fri, 25 Aug 2023 14:49:29 +0200
+Subject: [PATCH] minicheck: Add simple subtest support
+
+This will be useful when a test runs through several examples and
+fails somewhere in the middle. The subtest string replaces the
+phase_info string (i.e. "during actual test") in the failure output.
+
+Added subtest info to various tests where I found for loops.
+
+CVE: CVE-2024-45490
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/c803b93e8736ed255ff1a6db5ab6add7ccea736c]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ tests/minicheck.c | 25 +++++++++++++++++++++++++
+ tests/minicheck.h | 16 ++++++++++++++++
+ tests/runtests.c  | 13 +++++++++++++
+ 3 files changed, 54 insertions(+)
+
+diff --git a/tests/minicheck.c b/tests/minicheck.c
+index 1c65748..46db355 100644
+--- a/tests/minicheck.c
++++ b/tests/minicheck.c
+@@ -15,6 +15,7 @@
+    Copyright (c) 2017      Rhodri James <rhodri@wildebeest.org.uk>
+    Copyright (c) 2018      Marco Maggi <marco.maggi-ipsu@poste.it>
+    Copyright (c) 2019      David Loffredo <loffredo@steptools.com>
++   Copyright (c) 2023      Sony Corporation / Snild Dolkow <snild@sony.com>
+    Licensed under the MIT license:
+
+    Permission is  hereby granted,  free of charge,  to any  person obtaining
+@@ -37,6 +38,7 @@
+    USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
++#include <stdarg.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <setjmp.h>
+@@ -132,17 +134,35 @@ srunner_create(Suite *suite) {
+
+ static jmp_buf env;
+
++#define SUBTEST_LEN (50) // informative, but not too long
+ static char const *_check_current_function = NULL;
++static char _check_current_subtest[SUBTEST_LEN];
+ static int _check_current_lineno = -1;
+ static char const *_check_current_filename = NULL;
+
+ void
+ _check_set_test_info(char const *function, char const *filename, int lineno) {
+   _check_current_function = function;
++  set_subtest("%s", "");
+   _check_current_lineno = lineno;
+   _check_current_filename = filename;
+ }
+
++void
++set_subtest(char const *fmt, ...) {
++  va_list ap;
++  va_start(ap, fmt);
++  vsnprintf(_check_current_subtest, SUBTEST_LEN, fmt, ap);
++  va_end(ap);
++  // replace line feeds with spaces, for nicer error logs
++  for (size_t i = 0; i < SUBTEST_LEN; ++i) {
++    if (_check_current_subtest[i] == '\n') {
++      _check_current_subtest[i] = ' ';
++    }
++  }
++  _check_current_subtest[SUBTEST_LEN - 1] = '\0'; // ensure termination
++}
++
+ static void
+ handle_success(int verbosity) {
+   if (verbosity >= CK_VERBOSE) {
+@@ -154,6 +174,9 @@ static void
+ handle_failure(SRunner *runner, int verbosity, const char *phase_info) {
+   runner->nfailures++;
+   if (verbosity != CK_SILENT) {
++    if (strlen(_check_current_subtest) != 0) {
++      phase_info = _check_current_subtest;
++    }
+     printf("FAIL: %s (%s at %s:%d)\n", _check_current_function, phase_info,
+            _check_current_filename, _check_current_lineno);
+   }
+@@ -170,6 +193,7 @@ srunner_run_all(SRunner *runner, int verbosity) {
+     volatile int i;
+     for (i = 0; i < tc->ntests; ++i) {
+       runner->nchecks++;
++      set_subtest("%s", "");
+
+       if (tc->setup != NULL) {
+         /* setup */
+@@ -185,6 +209,7 @@ srunner_run_all(SRunner *runner, int verbosity) {
+         continue;
+       }
+       (tc->tests[i])();
++      set_subtest("%s", "");
+
+       /* teardown */
+       if (tc->teardown != NULL) {
+diff --git a/tests/minicheck.h b/tests/minicheck.h
+index cc1f835..a0ff333 100644
+--- a/tests/minicheck.h
++++ b/tests/minicheck.h
+@@ -15,6 +15,7 @@
+    Copyright (c) 2004-2006 Fred L. Drake, Jr. <fdrake@users.sourceforge.net>
+    Copyright (c) 2006-2012 Karl Waclawek <karl@waclawek.net>
+    Copyright (c) 2016-2017 Sebastian Pipping <sebastian@pipping.org>
++   Copyright (c) 2023      Sony Corporation / Snild Dolkow <snild@sony.com>
+    Licensed under the MIT license:
+
+    Permission is  hereby granted,  free of charge,  to any  person obtaining
+@@ -56,6 +57,19 @@ extern "C" {
+ #  define __func__ __FUNCTION__
+ #endif
+
++/* PRINTF_LIKE has two effects:
++    1. Make clang's -Wformat-nonliteral stop warning about non-literal format
++       strings in annotated functions' code.
++    2. Make both clang and gcc's -Wformat-nonliteral warn about *callers* of
++       the annotated function that use a non-literal format string.
++*/
++#  if defined(__GNUC__)
++#    define PRINTF_LIKE(fmtpos, argspos)                                       \
++      __attribute__((format(printf, fmtpos, argspos)))
++#  else
++#    define PRINTF_LIKE(fmtpos, argspos)
++#  endif
++
+ #define START_TEST(testname)                                                   \
+   static void testname(void) {                                                 \
+     _check_set_test_info(__func__, __FILE__, __LINE__);                        \
+@@ -64,6 +78,8 @@ extern "C" {
+   }                                                                            \
+   }
+
++void PRINTF_LIKE(1, 2) set_subtest(char const *fmt, ...);
++
+ #define fail(msg) _fail_unless(0, __FILE__, __LINE__, msg)
+
+ typedef void (*tcase_setup_function)(void);
+diff --git a/tests/runtests.c b/tests/runtests.c
+index 915fa52..3e610f7 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -18,6 +18,7 @@
+    Copyright (c) 2019      David Loffredo <loffredo@steptools.com>
+    Copyright (c) 2020      Tim Gates <tim.gates@iress.com>
+    Copyright (c) 2021      Dong-hee Na <donghee.na@python.org>
++   Copyright (c) 2023      Sony Corporation / Snild Dolkow <snild@sony.com>
+    Licensed under the MIT license:
+
+    Permission is  hereby granted,  free of charge,  to any  person obtaining
+@@ -1804,6 +1805,7 @@ START_TEST(test_ext_entity_invalid_parse) {
+   const ExtFaults *fault = faults;
+
+   for (; fault->parse_text != NULL; fault++) {
++    set_subtest("\"%s\"", fault->parse_text);
+     XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
+     XML_SetExternalEntityRefHandler(g_parser, external_entity_faulter);
+     XML_SetUserData(g_parser, (void *)fault);
+@@ -1904,6 +1906,7 @@ START_TEST(test_dtd_attr_handling) {
+   AttTest *test;
+
+   for (test = attr_data; test->definition != NULL; test++) {
++    set_subtest("%s", test->definition);
+     XML_SetAttlistDeclHandler(g_parser, verify_attlist_decl_handler);
+     XML_SetUserData(g_parser, test);
+     if (_XML_Parse_SINGLE_BYTES(g_parser, prolog, (int)strlen(prolog),
+@@ -2356,6 +2359,7 @@ START_TEST(test_bad_cdata) {
+
+   size_t i = 0;
+   for (; i < sizeof(cases) / sizeof(struct CaseData); i++) {
++    set_subtest("%s", cases[i].text);
+     const enum XML_Status actualStatus = _XML_Parse_SINGLE_BYTES(
+         g_parser, cases[i].text, (int)strlen(cases[i].text), XML_TRUE);
+     const enum XML_Error actualError = XML_GetErrorCode(g_parser);
+@@ -2423,6 +2427,7 @@ START_TEST(test_bad_cdata_utf16) {
+   size_t i;
+
+   for (i = 0; i < sizeof(cases) / sizeof(struct CaseData); i++) {
++    set_subtest("case %lu", (long unsigned)(i + 1));
+     enum XML_Status actual_status;
+     enum XML_Error actual_error;
+
+@@ -3323,6 +3328,7 @@ START_TEST(test_ext_entity_invalid_suspended_parse) {
+   ExtFaults *fault;
+
+   for (fault = &faults[0]; fault->parse_text != NULL; fault++) {
++    set_subtest("%s", fault->parse_text);
+     XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
+     XML_SetExternalEntityRefHandler(g_parser,
+                                     external_entity_suspending_faulter);
+@@ -4311,6 +4317,7 @@ START_TEST(test_bad_ignore_section) {
+   ExtFaults *fault;
+
+   for (fault = &faults[0]; fault->parse_text != NULL; fault++) {
++    set_subtest("%s", fault->parse_text);
+     XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
+     XML_SetExternalEntityRefHandler(g_parser, external_entity_faulter);
+     XML_SetUserData(g_parser, fault);
+@@ -4400,6 +4407,7 @@ START_TEST(test_external_entity_values) {
+   int i;
+
+   for (i = 0; data_004_2[i].parse_text != NULL; i++) {
++    set_subtest("%s", data_004_2[i].parse_text);
+     XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
+     XML_SetExternalEntityRefHandler(g_parser, external_entity_valuer);
+     XML_SetUserData(g_parser, &data_004_2[i]);
+@@ -7585,6 +7593,7 @@ START_TEST(test_ns_separator_in_uri) {
+   size_t i = 0;
+   size_t failCount = 0;
+   for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
++    set_subtest("%s", cases[i].doc);
+     XML_Parser parser = XML_ParserCreateNS(NULL, cases[i].namesep);
+     XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
+     if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
+@@ -7932,6 +7941,7 @@ START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) {
+   size_t inputIndex = 0;
+
+   for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) {
++    set_subtest("%s", inputs[inputIndex]);
+     XML_Parser parser;
+     enum XML_Status parseResult;
+     int setParamEntityResult;
+@@ -12078,6 +12088,7 @@ START_TEST(test_helper_unsigned_char_to_printable) {
+   // Smoke test
+   unsigned char uc = 0;
+   for (; uc < (unsigned char)-1; uc++) {
++    set_subtest("char %u", (unsigned)uc);
+     const char *const printable = unsignedCharToPrintable(uc);
+     if (printable == NULL)
+       fail("unsignedCharToPrintable returned NULL");
+@@ -12086,8 +12097,10 @@ START_TEST(test_helper_unsigned_char_to_printable) {
+   }
+
+   // Two concrete samples
++  set_subtest("char 'A'");
+   if (strcmp(unsignedCharToPrintable('A'), "A") != 0)
+     fail("unsignedCharToPrintable result mistaken");
++  set_subtest("char '\\'");
+   if (strcmp(unsignedCharToPrintable('\\'), "\\\\") != 0)
+     fail("unsignedCharToPrintable result mistaken");
+ }
+--
+2.40.0

meta/recipes-core/expat/expat/CVE-2024-45490-0003.patch

@@ -0,0 +1,91 @@
+From c12f039b8024d6b9a11c20858370495ff6ff5245 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Tue, 20 Aug 2024 22:57:12 +0200
+Subject: [PATCH] tests: Cover "len < 0" for both XML_Parse and XML_ParseBuffer
+
+CVE: CVE-2024-45490
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/c12f039b8024d6b9a11c20858370495ff6ff5245]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ tests/runtests.c | 57 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 57 insertions(+)
+
+diff --git a/tests/runtests.c b/tests/runtests.c
+index 915fa52..2479341 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -3813,6 +3813,61 @@ START_TEST(test_empty_parse) {
+ }
+ END_TEST
+
++/* Test XML_Parse for len < 0 */
++START_TEST(test_negative_len_parse) {
++  const char *const doc = "<root/>";
++  for (int isFinal = 0; isFinal < 2; isFinal++) {
++    set_subtest("isFinal=%d", isFinal);
++
++    XML_Parser parser = XML_ParserCreate(NULL);
++
++    if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
++      fail("There was not supposed to be any initial parse error.");
++
++    const enum XML_Status status = XML_Parse(parser, doc, -1, isFinal);
++
++    if (status != XML_STATUS_ERROR)
++      fail("Negative len was expected to fail the parse but did not.");
++
++    if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
++      fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
++
++    XML_ParserFree(parser);
++  }
++}
++END_TEST
++
++/* Test XML_ParseBuffer for len < 0 */
++START_TEST(test_negative_len_parse_buffer) {
++  const char *const doc = "<root/>";
++  for (int isFinal = 0; isFinal < 2; isFinal++) {
++    set_subtest("isFinal=%d", isFinal);
++
++    XML_Parser parser = XML_ParserCreate(NULL);
++
++    if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
++      fail("There was not supposed to be any initial parse error.");
++
++    void *const buffer = XML_GetBuffer(parser, (int)strlen(doc));
++
++    if (buffer == NULL)
++      fail("XML_GetBuffer failed.");
++
++    memcpy(buffer, doc, strlen(doc));
++
++    const enum XML_Status status = XML_ParseBuffer(parser, -1, isFinal);
++
++    if (status != XML_STATUS_ERROR)
++      fail("Negative len was expected to fail the parse but did not.");
++
++    if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
++      fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
++
++    XML_ParserFree(parser);
++  }
++}
++END_TEST
++
+ /* Test odd corners of the XML_GetBuffer interface */
+ static enum XML_Status
+ get_feature(enum XML_FeatureEnum feature_id, long *presult) {
+@@ -12214,6 +12269,8 @@ make_suite(void) {
+   tcase_add_test__ifdef_xml_dtd(tc_basic, test_user_parameters);
+   tcase_add_test__ifdef_xml_dtd(tc_basic, test_ext_entity_ref_parameter);
+   tcase_add_test(tc_basic, test_empty_parse);
++  tcase_add_test(tc_basic, test_negative_len_parse);
++  tcase_add_test(tc_basic, test_negative_len_parse_buffer);
+   tcase_add_test(tc_basic, test_get_buffer_1);
+   tcase_add_test(tc_basic, test_get_buffer_2);
+ #if defined(XML_CONTEXT_BYTES)
+--
+2.40.0

meta/recipes-core/expat/expat/CVE-2024-45490-0004.patch

@@ -0,0 +1,49 @@
+From 2db233019f551fe4c701bbbc5eb0fa58ff349daa Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 25 Aug 2024 19:09:51 +0200
+Subject: [PATCH] doc: Document that XML_Parse/XML_ParseBuffer reject "len < 0"
+
+CVE: CVE-2024-45490
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/2db233019f551fe4c701bbbc5eb0fa58ff349daa]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ doc/reference.html | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/doc/reference.html b/doc/reference.html
+index cdf3983..ebae824 100644
+--- a/doc/reference.html
++++ b/doc/reference.html
+@@ -1097,7 +1097,9 @@ containing part (or perhaps all) of the document. The number of bytes of s
+ that are part of the document is indicated by <code>len</code>. This means
+ that <code>s</code> doesn't have to be null terminated. It also means that
+ if <code>len</code> is larger than the number of bytes in the block of
+-memory that <code>s</code> points at, then a memory fault is likely. The
++memory that <code>s</code> points at, then a memory fault is likely.
++Negative values for <code>len</code> are rejected since Expat 2.2.1.
++The
+ <code>isFinal</code> parameter informs the parser that this is the last
+ piece of the document. Frequently, the last piece is empty (i.e.
+ <code>len</code> is zero.)
+@@ -1113,11 +1115,17 @@ XML_ParseBuffer(XML_Parser p,
+                 int isFinal);
+ </pre>
+ <div class="fcndef">
++<p>
+ This is just like <code><a href= "#XML_Parse" >XML_Parse</a></code>,
+ except in this case Expat provides the buffer.  By obtaining the
+ buffer from Expat with the <code><a href= "#XML_GetBuffer"
+ >XML_GetBuffer</a></code> function, the application can avoid double
+ copying of the input.
++</p>
++
++<p>
++Negative values for <code>len</code> are rejected since Expat 2.6.3.
++</p>
+ </div>
+
+ <h4 id="XML_GetBuffer">XML_GetBuffer</h4>
+--
+2.40.0

meta/recipes-core/expat/expat/CVE-2024-45491.patch

@@ -0,0 +1,39 @@
+From 17e29cb8ff58a8356ad8ea363c169e227e93e444 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:34:13 +0200
+Subject: [PATCH] lib: Detect integer overflow in dtdCopy
+
+Reported by TaiYou
+
+CVE: CVE-2024-45491
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/891/commits/8e439a9947e9dc80]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ lib/xmlparse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 6f0440b..adb27e3 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -6913,6 +6913,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
+     if (! newE)
+       return 0;
+     if (oldE->nDefaultAtts) {
++      /* Detect and prevent integer overflow.
++       * The preprocessor guard addresses the "always false" warning
++       * from -Wtype-limits on platforms where
++       * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++      if ((size_t)oldE->nDefaultAtts
++          > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
++        return 0;
++      }
++#endif
+       newE->defaultAtts
+           = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
+       if (! newE->defaultAtts) {
+--
+2.40.0

meta/recipes-core/expat/expat/CVE-2024-45492.patch

@@ -0,0 +1,38 @@
+From 9b0615959a4df00b4719c5beae286eb52fd32fe0 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:37:16 +0200
+Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart
+
+Reported by TaiYou
+
+CVE: CVE-2024-45492
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/892/commits/9bf0f2c16ee86f64]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ lib/xmlparse.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index adb27e3..6d7e92f 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7465,6 +7465,15 @@ nextScaffoldPart(XML_Parser parser) {
+   int next;
+
+   if (! dtd->scaffIndex) {
++    /* Detect and prevent integer overflow.
++     * The preprocessor guard addresses the "always false" warning
++     * from -Wtype-limits on platforms where
++     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++    if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
++      return -1;
++    }
++#endif
+     dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
+     if (! dtd->scaffIndex)
+       return -1;
+--
+2.40.0

meta/recipes-core/expat/expat_2.5.0.bb

@@ -22,6 +22,12 @@ SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA
 	   file://CVE-2023-52426-009.patch \
 	   file://CVE-2023-52426-010.patch \
 	   file://CVE-2023-52426-011.patch \
+	   file://CVE-2024-45490-0001.patch \
+	   file://CVE-2024-45490-0002.patch \
+	   file://CVE-2024-45490-0003.patch \
+	   file://CVE-2024-45490-0004.patch \
+	   file://CVE-2024-45491.patch \
+	   file://CVE-2024-45492.patch \
            "
 
 UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"

meta/recipes-core/glibc/glibc-version.inc

@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.35/master"
 PV = "2.35"
-SRCREV_glibc ?= "72abffe225485d10ea76adde963c13157bf3b310"
+SRCREV_glibc ?= "37214df5f103f4075cf0a79a227e70f3e064701c"
 SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87"
 
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"

meta/recipes-core/images/build-appliance-image_15.0.0.bb

@@ -24,7 +24,7 @@ IMAGE_FSTYPES = "wic.vmdk wic.vhd wic.vhdx"
 
 inherit core-image setuptools3
 
-SRCREV ?= "940c885c239be4139908c1c322cd335e02d27a92"
+SRCREV ?= "474121d387e30c8f34f091e0b29e22a30eeb2261"
 SRC_URI = "git://git.yoctoproject.org/poky;branch=kirkstone \
            file://Yocto_Build_Appliance.vmx \
            file://Yocto_Build_Appliance.vmxf \

meta/recipes-core/meta/meta-world-pkgdata.bb

@@ -27,6 +27,7 @@ python do_collect_packagedata() {
     oe.copy_buildsystem.generate_locked_sigs(sigfile, d)
 }
 
+inherit nopackages
 deltask do_fetch
 deltask do_unpack
 deltask do_patch

meta/recipes-core/udev/udev-extraconf/mount.sh

@@ -83,7 +83,7 @@ automount_systemd() {
         ;;
     esac
 
-    if ! $MOUNT --no-block -t auto $DEVNAME "$MOUNT_BASE/$name"
+    if ! $MOUNT --collect --no-block -t auto $DEVNAME "$MOUNT_BASE/$name"
     then
         #logger "mount.sh/automount" "$MOUNT -t auto $DEVNAME \"$MOUNT_BASE/$name\" failed!"
         rm_dir "$MOUNT_BASE/$name"

meta/recipes-devtools/binutils/binutils-2.38.inc

@@ -18,7 +18,7 @@ SRCBRANCH ?= "binutils-2_38-branch"
 
 UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P<pver>\d+_(\d_?)*)"
 
-SRCREV ?= "ea5fe5d01e5a182ee7a0eddb54a702109a9f5931"
+SRCREV ?= "4d71e17a9fd8d319359ded891eb3034a2325d4c0"
 BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${SRCBRANCH};protocol=git"
 SRC_URI = "\
      ${BINUTILS_GIT_URI} \

meta/recipes-devtools/cdrtools/cdrtools-native_3.01.bb

@@ -16,13 +16,17 @@ SRC_URI = " \
 SRC_URI[md5sum] = "7d45c5b7e1f78d85d1583b361aee6e8b"
 SRC_URI[sha256sum] = "ed282eb6276c4154ce6a0b5dee0bdb81940d0cbbfc7d03f769c4735ef5f5860f"
 
-EXTRA_OEMAKE = "-e MAKEFLAGS="
+EXTRA_OEMAKE = "-e MAKEFLAGS= CPPOPTX='${CPPFLAGS}' COPTX='${CFLAGS}' C++OPTX='${CXXFLAGS}' LDOPTX='${LDFLAGS}' GMAKE_NOWARN='true'"
 
 # Stop failures when 'cc' can't be found
 export ac_cv_prog_CC = "${CC}"
 
 inherit native
 
+# Use -std=gnu89 to build with gcc-14 (https://bugs.gentoo.org/903876)
+# this needs to be after native inherit (which sets CFLAGS to BUILD_CFLAGS)
+CFLAGS += "-std=gnu89"
+
 do_install() {
 	make install GMAKE_NOWARN=true INS_BASE=${prefix} DESTDIR=${D}
 }

meta/recipes-devtools/dejagnu/dejagnu_1.6.3.bb

@@ -2,7 +2,7 @@ SUMMARY = "GNU unit testing framework, written in Expect and Tcl"
 DESCRIPTION = "DejaGnu is a framework for testing other programs. Its purpose \
 is to provide a single front end for all tests."
 HOMEPAGE = "https://www.gnu.org/software/dejagnu/"
-LICENSE = "GPL-2.0-only"
+LICENSE = "GPL-3.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 SECTION = "devel"
 

meta/recipes-devtools/gcc/gcc-11.5.inc

@@ -2,11 +2,11 @@ require gcc-common.inc
 
 # Third digit in PV should be incremented after a minor release
 
-PV = "11.4.0"
+PV = "11.5.0"
 
 # BINV should be incremented to a revision after a minor gcc release
 
-BINV = "11.4.0"
+BINV = "11.5.0"
 
 FILESEXTRAPATHS =. "${FILE_DIRNAME}/gcc:${FILE_DIRNAME}/gcc/backport:"
 
@@ -65,14 +65,12 @@ SRC_URI = "\
            file://0003-CVE-2021-42574.patch \
            file://0004-CVE-2021-42574.patch \
            file://0001-CVE-2021-46195.patch \
-	   file://0001-aarch64-Update-Neoverse-N2-core-defini.patch \
 	   file://0002-aarch64-add-armv9-a-to-march.patch \
 	   file://0003-aarch64-Enable-FP16-feature-by-default-for-Armv9.patch \
 	   file://0004-arm-add-armv9-a-architecture-to-march.patch \
-	   file://CVE-2023-4039.patch \
 "
 
-SRC_URI[sha256sum] = "3f2db222b007e8a4a23cd5ba56726ef08e8b1f1eb2055ee72c1402cea73a8dd9"
+SRC_URI[sha256sum] = "a6e21868ead545cf87f0c01f84276e4b5281d672098591c1c896241f09363478"
 
 S = "${TMPDIR}/work-shared/gcc-${PV}-${PR}/gcc-${PV}"
 

meta/recipes-devtools/gcc/gcc/0001-aarch64-Update-Neoverse-N2-core-defini.patch

@@ -1,38 +0,0 @@
-From 9f37d31324f89d0b7b2abac988a976d121ae29c6 Mon Sep 17 00:00:00 2001
-From: Andre Vieira <andre.simoesdiasvieira@arm.com>
-Date: Thu, 8 Sep 2022 06:02:18 +0000
-Subject: [PATCH 1/4] aarch64: Update Neoverse N2 core definition
-
-commit 9f37d31324f89d0b7b2abac988a976d121ae29c6 from upstream.
-
-gcc/ChangeLog:
-
-        * config/aarch64/aarch64-cores.def: Update Neoverse N2 core entry.
-
-Upstream-Status: Backport
-Signed-off-by: Ruiqiang Hao <Ruiqiang.Hao@windriver.com>
----
- gcc/config/aarch64/aarch64-cores.def | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/gcc/config/aarch64/aarch64-cores.def b/gcc/config/aarch64/aarch64-cores.def
-index 4643e0e27..3478e567a 100644
---- a/gcc/config/aarch64/aarch64-cores.def
-+++ b/gcc/config/aarch64/aarch64-cores.def
-@@ -147,7 +147,6 @@
- AARCH64_CORE("saphira",     saphira,    saphira,    8_4A,  AARCH64_FL_FOR_ARCH8_4 | AARCH64_FL_CRYPTO, saphira,   0x51, 0xC01, -1)
-
- /* Armv8.5-A Architecture Processors.  */
--AARCH64_CORE("neoverse-n2", neoversen2, cortexa57, 8_5A, AARCH64_FL_FOR_ARCH8_5 | AARCH64_FL_I8MM | AARCH64_FL_BF16 | AARCH64_FL_F16 | AARCH64_FL_SVE | AARCH64_FL_SVE2 | AARCH64_FL_SVE2_BITPERM | AARCH64_FL_RNG | AARCH64_FL_MEMTAG, neoversen2, 0x41, 0xd49, -1)
- AARCH64_CORE("neoverse-v2", neoversev2, cortexa57, 8_5A, AARCH64_FL_FOR_ARCH8_5 | AARCH64_FL_I8MM | AARCH64_FL_BF16 | AARCH64_FL_F16 | AARCH64_FL_SVE | AARCH64_FL_SVE2 | AARCH64_FL_SVE2_BITPERM | AARCH64_FL_RNG | AARCH64_FL_MEMTAG, neoverse512tvb, 0x41, 0xd4f, -1)
-
- /* ARMv8-A big.LITTLE implementations.  */
-@@ -165,4 +164,7 @@
- /* Armv8-R Architecture Processors.  */
- AARCH64_CORE("cortex-r82", cortexr82, cortexa53, 8R, AARCH64_FL_FOR_ARCH8_R, cortexa53, 0x41, 0xd15, -1)
-
-+/* Armv9-A Architecture Processors. */
-+AARCH64_CORE("neoverse-n2", neoversen2, cortexa57, 9A, AARCH64_FL_FOR_ARCH9 | AARCH64_FL_I8MM | AARCH64_FL_BF16 | AARCH64_FL_SVE2_BITPERM | AARCH64_FL_RNG | AARCH64_FL_MEMTAG | AARCH64_FL_PROFILE, neoversen2, 0x41, 0xd49, -1)
-+
- #undef AARCH64_CORE
-

meta/recipes-devtools/libedit/libedit_20210910-3.1.bb

@@ -15,6 +15,13 @@ SRC_URI = "http://www.thrysoee.dk/editline/${BP}.tar.gz \
           "
 SRC_URI[sha256sum] = "6792a6a992050762edcca28ff3318cdb7de37dccf7bc30db59fcd7017eed13c5"
 
+# configure hardcodes /usr/bin search path bypassing HOSTTOOLS
+CACHED_CONFIGUREVARS += "ac_cv_path_NROFF=/bin/false"
+
+# remove at next version upgrade or when output changes
+PR = "r1"
+HASHEQUIV_HASH_VERSION .= ".1"
+
 BBCLASSEXTEND = "native nativesdk"
 
 inherit update-alternatives

meta/recipes-devtools/python/python3/CVE-2024-8088.patch

@@ -1,124 +0,0 @@
-From e0264a61119d551658d9445af38323ba94fc16db Mon Sep 17 00:00:00 2001
-From: "Jason R. Coombs" <jaraco@jaraco.com>
-Date: Thu, 22 Aug 2024 19:24:33 -0400
-Subject: [PATCH] CVE-2024-8088: Sanitize names in zipfile.Path. (GH-122906)
-
-Upstream-Status: Backport from https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db
-CVE: CVE-2024-8088
-
-Signed-off-by: Rohini Sangam <rsangam@mvista.com>
----
- Lib/test/test_zipfile.py   | 17 ++++++
- Lib/zipfile.py             | 61 ++++++++++++++++++-
- 2 files changed, 77 insertions(+), 1 deletion(-)
-
-diff --git a/Lib/test/test_zipfile.py b/Lib/test/test_zipfile.py
-index 32c0170..a60dc11 100644
---- a/Lib/test/test_zipfile.py
-+++ b/Lib/test/test_zipfile.py
-@@ -3280,6 +3280,23 @@ with zipfile.ZipFile(io.BytesIO(), "w") as zf:
-         zipfile.Path(zf)
-         zf.extractall(source_path.parent)
- 
-+    def test_malformed_paths(self):
-+        """
-+        Path should handle malformed paths.
-+        """
-+        data = io.BytesIO()
-+        zf = zipfile.ZipFile(data, "w")
-+        zf.writestr("/one-slash.txt", b"content")
-+        zf.writestr("//two-slash.txt", b"content")
-+        zf.writestr("../parent.txt", b"content")
-+        zf.filename = ''
-+        root = zipfile.Path(zf)
-+        assert list(map(str, root.iterdir())) == [
-+            'one-slash.txt',
-+            'two-slash.txt',
-+            'parent.txt',
-+        ]
-+
- 
- class StripExtraTests(unittest.TestCase):
-     # Note: all of the "z" characters are technically invalid, but up
-diff --git a/Lib/zipfile.py b/Lib/zipfile.py
-index 7d18bc2..cbac8d9 100644
---- a/Lib/zipfile.py
-+++ b/Lib/zipfile.py
-@@ -9,6 +9,7 @@ import io
- import itertools
- import os
- import posixpath
-+import re
- import shutil
- import stat
- import struct
-@@ -2182,7 +2183,65 @@ def _difference(minuend, subtrahend):
-     return itertools.filterfalse(set(subtrahend).__contains__, minuend)
- 
- 
--class CompleteDirs(ZipFile):
-+class SanitizedNames:
-+    """
-+    ZipFile mix-in to ensure names are sanitized.
-+    """
-+
-+    def namelist(self):
-+        return list(map(self._sanitize, super().namelist()))
-+
-+    @staticmethod
-+    def _sanitize(name):
-+        r"""
-+        Ensure a relative path with posix separators and no dot names.
-+        Modeled after
-+        https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
-+        but provides consistent cross-platform behavior.
-+        >>> san = SanitizedNames._sanitize
-+        >>> san('/foo/bar')
-+        'foo/bar'
-+        >>> san('//foo.txt')
-+        'foo.txt'
-+        >>> san('foo/.././bar.txt')
-+        'foo/bar.txt'
-+        >>> san('foo../.bar.txt')
-+        'foo../.bar.txt'
-+        >>> san('\\foo\\bar.txt')
-+        'foo/bar.txt'
-+        >>> san('D:\\foo.txt')
-+        'D/foo.txt'
-+        >>> san('\\\\server\\share\\file.txt')
-+        'server/share/file.txt'
-+        >>> san('\\\\?\\GLOBALROOT\\Volume3')
-+        '?/GLOBALROOT/Volume3'
-+        >>> san('\\\\.\\PhysicalDrive1\\root')
-+        'PhysicalDrive1/root'
-+        Retain any trailing slash.
-+        >>> san('abc/')
-+        'abc/'
-+        Raises a ValueError if the result is empty.
-+        >>> san('../..')
-+        Traceback (most recent call last):
-+        ...
-+        ValueError: Empty filename
-+        """
-+
-+        def allowed(part):
-+            return part and part not in {'..', '.'}
-+
-+        # Remove the drive letter.
-+        # Don't use ntpath.splitdrive, because that also strips UNC paths
-+        bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
-+        clean = bare.replace('\\', '/')
-+        parts = clean.split('/')
-+        joined = '/'.join(filter(allowed, parts))
-+        if not joined:
-+            raise ValueError("Empty filename")
-+        return joined + '/' * name.endswith('/')
-+
-+
-+class CompleteDirs(SanitizedNames, ZipFile):
-     """
-     A ZipFile subclass that ensures that implied directories
-     are always included in the namelist.
--- 
-2.35.7
-

meta/recipes-devtools/python/python3_3.10.15.bb

@@ -36,7 +36,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://deterministic_imports.patch \
            file://0001-Avoid-shebang-overflow-on-python-config.py.patch \
            file://0001-test_storlines-skip-due-to-load-variability.patch \
-	   file://CVE-2024-8088.patch \
            "
 
 SRC_URI:append:class-native = " \
@@ -45,7 +44,7 @@ SRC_URI:append:class-native = " \
            file://12-distutils-prefix-is-inside-staging-area.patch \
            file://0001-Don-t-search-system-for-headers-libraries.patch \
            "
-SRC_URI[sha256sum] = "9c50481faa8c2832329ba0fc8868d0a606a680fc4f60ec48d26ce8e076751fda"
+SRC_URI[sha256sum] = "aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79"
 
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"

meta/recipes-devtools/qemu/qemu.inc

@@ -113,6 +113,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2024-7409-0002.patch \
            file://CVE-2024-7409-0003.patch \
            file://CVE-2024-7409-0004.patch \
+           file://CVE-2024-4467-0001.patch \
+           file://CVE-2024-4467-0002.patch \
+           file://CVE-2024-4467-0003.patch \
+           file://CVE-2024-4467-0004.patch \
+           file://CVE-2024-4467-0005.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 

meta/recipes-devtools/qemu/qemu/CVE-2024-4467-0001.patch

@@ -0,0 +1,214 @@
+From 5cdbc87ab24a8cc4cf926158ec429d43d8a45f15 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 5 Jun 2024 19:56:51 -0400
+Subject: [PATCH 1/5] qcow2: Don't open data_file with BDRV_O_NO_IO
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 5: EMBARGOED CVE-2024-4467 for rhel-8.10.z (PRDSC)
+RH-Jira: RHEL-35616
+RH-CVE: CVE-2024-4467
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Commit: [1/5] 2e72d21c14d86645cf68eec78f49d5cc5d77581f
+
+Conflicts: qcow2_do_open(): missing boolean ´open_data_file'.
+           We assume it to be true.
+
+commit f9843ce5c519901654a7d8ba43ee95ce25ca13c2
+Author: Kevin Wolf <kwolf@redhat.com>
+Date:   Thu Apr 11 15:06:01 2024 +0200
+
+    qcow2: Don't open data_file with BDRV_O_NO_IO
+
+    One use case for 'qemu-img info' is verifying that untrusted images
+    don't reference an unwanted external file, be it as a backing file or an
+    external data file. To make sure that calling 'qemu-img info' can't
+    already have undesired side effects with a malicious image, just don't
+    open the data file at all with BDRV_O_NO_IO. If nothing ever tries to do
+    I/O, we don't need to have it open.
+
+    This changes the output of iotests case 061, which used 'qemu-img info'
+    to show that opening an image with an invalid data file fails. After
+    this patch, it succeeds. Replace this part of the test with a qemu-io
+    call, but keep the final 'qemu-img info' to show that the invalid data
+    file is correctly displayed in the output.
+
+    Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+    Reviewed-by: Eric Blake <eblake@redhat.com>
+    Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+    Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
+    Upstream: N/A, embargoed
+    Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+
+Upstream-Status: Backport [import from rhel8 qemu-kvm-6.2.0-50.module+el8.10.0+22027+db0a70a4.src.rpm
+Upstream commit https://gitlab.com/qemu-project/qemu/-/commit/bd385a5298d7062668e804d73944d52aec9549f1]
+CVE: CVE-2024-4467
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ block/qcow2.c              | 87 +++++++++++++++++++++++---------------
+ tests/qemu-iotests/061     |  6 ++-
+ tests/qemu-iotests/061.out |  8 +++-
+ 3 files changed, 62 insertions(+), 39 deletions(-)
+
+diff --git a/block/qcow2.c b/block/qcow2.c
+index d509016756..6ee1919612 100644
+--- a/block/qcow2.c
++++ b/block/qcow2.c
+@@ -1613,50 +1613,67 @@ static int coroutine_fn qcow2_do_open(BlockDriverState *bs, QDict *options,
+         goto fail;
+     }
+ 
+-    /* Open external data file */
+-    s->data_file = bdrv_open_child(NULL, options, "data-file", bs,
+-                                   &child_of_bds, BDRV_CHILD_DATA,
+-                                   true, errp);
+-    if (*errp) {
+-        ret = -EINVAL;
+-        goto fail;
+-    }
++    if (flags & BDRV_O_NO_IO) {
++        /*
++         * Don't open the data file for 'qemu-img info' so that it can be used
++         * to verify that an untrusted qcow2 image doesn't refer to external
++         * files.
++         *
++         * Note: This still makes has_data_file() return true.
++         */
++        if (s->incompatible_features & QCOW2_INCOMPAT_DATA_FILE) {
++            s->data_file = NULL;
++        } else {
++            s->data_file = bs->file;
++        }
++        qdict_extract_subqdict(options, NULL, "data-file.");
++        qdict_del(options, "data-file");
++    } else {
++        /* Open external data file */
++        s->data_file = bdrv_open_child(NULL, options, "data-file", bs,
++                                       &child_of_bds, BDRV_CHILD_DATA,
++                                       true, errp);
++        if (*errp) {
++            ret = -EINVAL;
++            goto fail;
++        }
+ 
+-    if (s->incompatible_features & QCOW2_INCOMPAT_DATA_FILE) {
+-        if (!s->data_file && s->image_data_file) {
+-            s->data_file = bdrv_open_child(s->image_data_file, options,
+-                                           "data-file", bs, &child_of_bds,
+-                                           BDRV_CHILD_DATA, false, errp);
++        if (s->incompatible_features & QCOW2_INCOMPAT_DATA_FILE) {
++            if (!s->data_file && s->image_data_file) {
++                s->data_file = bdrv_open_child(s->image_data_file, options,
++                                               "data-file", bs, &child_of_bds,
++                                               BDRV_CHILD_DATA, false, errp);
++                if (!s->data_file) {
++                    ret = -EINVAL;
++                    goto fail;
++                }
++            }
+             if (!s->data_file) {
++                error_setg(errp, "'data-file' is required for this image");
+                 ret = -EINVAL;
+                 goto fail;
+             }
+-        }
+-        if (!s->data_file) {
+-            error_setg(errp, "'data-file' is required for this image");
+-            ret = -EINVAL;
+-            goto fail;
+-        }
+ 
+-        /* No data here */
+-        bs->file->role &= ~BDRV_CHILD_DATA;
++            /* No data here */
++            bs->file->role &= ~BDRV_CHILD_DATA;
+ 
+-        /* Must succeed because we have given up permissions if anything */
+-        bdrv_child_refresh_perms(bs, bs->file, &error_abort);
+-    } else {
+-        if (s->data_file) {
+-            error_setg(errp, "'data-file' can only be set for images with an "
+-                             "external data file");
+-            ret = -EINVAL;
+-            goto fail;
+-        }
++            /* Must succeed because we have given up permissions if anything */
++            bdrv_child_refresh_perms(bs, bs->file, &error_abort);
++        } else {
++            if (s->data_file) {
++                error_setg(errp, "'data-file' can only be set for images with an "
++                           "external data file");
++                ret = -EINVAL;
++                goto fail;
++            }
+ 
+-        s->data_file = bs->file;
++            s->data_file = bs->file;
+ 
+-        if (data_file_is_raw(bs)) {
+-            error_setg(errp, "data-file-raw requires a data file");
+-            ret = -EINVAL;
+-            goto fail;
++            if (data_file_is_raw(bs)) {
++                error_setg(errp, "data-file-raw requires a data file");
++                ret = -EINVAL;
++                goto fail;
++            }
+         }
+     }
+ 
+diff --git a/tests/qemu-iotests/061 b/tests/qemu-iotests/061
+index 9507c223bd..6a5bd47efc 100755
+--- a/tests/qemu-iotests/061
++++ b/tests/qemu-iotests/061
+@@ -322,12 +322,14 @@ $QEMU_IMG amend -o "data_file=foo" "$TEST_IMG"
+ echo
+ _make_test_img -o "compat=1.1,data_file=$TEST_IMG.data" 64M
+ $QEMU_IMG amend -o "data_file=foo" "$TEST_IMG"
+-_img_info --format-specific
++$QEMU_IO -c "read 0 4k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_imgfmt
++$QEMU_IO -c "open -o data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" -c "read 0 4k" | _filter_qemu_io
+ TEST_IMG="data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" _img_info --format-specific --image-opts
+ 
+ echo
+ $QEMU_IMG amend -o "data_file=" --image-opts "data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG"
+-_img_info --format-specific
++$QEMU_IO -c "read 0 4k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_imgfmt
++$QEMU_IO -c "open -o data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" -c "read 0 4k" | _filter_qemu_io
+ TEST_IMG="data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" _img_info --format-specific --image-opts
+ 
+ echo
+diff --git a/tests/qemu-iotests/061.out b/tests/qemu-iotests/061.out
+index 7ecbd4dea8..99b2307a23 100644
+--- a/tests/qemu-iotests/061.out
++++ b/tests/qemu-iotests/061.out
+@@ -545,7 +545,9 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+ qemu-img: data-file can only be set for images that use an external data file
+ 
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 data_file=TEST_DIR/t.IMGFMT.data
+-qemu-img: Could not open 'TEST_DIR/t.IMGFMT': Could not open 'foo': No such file or directory
++qemu-io: can't open device TEST_DIR/t.IMGFMT: Could not open 'foo': No such file or directory
++read 4096/4096 bytes at offset 0
++4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+ image: TEST_DIR/t.IMGFMT
+ file format: IMGFMT
+ virtual size: 64 MiB (67108864 bytes)
+@@ -560,7 +562,9 @@ Format specific information:
+     corrupt: false
+     extended l2: false
+ 
+-qemu-img: Could not open 'TEST_DIR/t.IMGFMT': 'data-file' is required for this image
++qemu-io: can't open device TEST_DIR/t.IMGFMT: 'data-file' is required for this image
++read 4096/4096 bytes at offset 0
++4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+ image: TEST_DIR/t.IMGFMT
+ file format: IMGFMT
+ virtual size: 64 MiB (67108864 bytes)
+-- 
+2.39.3
+

meta/recipes-devtools/qemu/qemu/CVE-2024-4467-0002.patch

@@ -0,0 +1,73 @@
+From 3cb587f460ec432f329fb83df034bbb7e79e17aa Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 5 Jun 2024 19:56:51 -0400
+Subject: [PATCH 2/5] iotests/244: Don't store data-file with protocol in image
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 5: EMBARGOED CVE-2024-4467 for rhel-8.10.z (PRDSC)
+RH-Jira: RHEL-35616
+RH-CVE: CVE-2024-4467
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Commit: [2/5] a422cfdba938e1bd857008ccbbddc695011ae0ff
+
+commit 92e00dab8be1570b13172353d77d2af44cb4e22b
+Author: Kevin Wolf <kwolf@redhat.com>
+Date:   Thu Apr 25 14:49:40 2024 +0200
+
+    iotests/244: Don't store data-file with protocol in image
+
+    We want to disable filename parsing for data files because it's too easy
+    to abuse in malicious image files. Make the test ready for the change by
+    passing the data file explicitly in command line options.
+
+    Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+    Reviewed-by: Eric Blake <eblake@redhat.com>
+    Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+    Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
+    Upstream: N/A, embargoed
+    Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+
+Upstream-Status: Backport [import from rhel8 qemu-kvm-6.2.0-50.module+el8.10.0+22027+db0a70a4.src.rpm
+Upstream commit https://gitlab.com/qemu-project/qemu/-/commit/2eb42a728d27a43fdcad5f37d3f65706ce6deba5]
+CVE: CVE-2024-4467
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tests/qemu-iotests/244 | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/tests/qemu-iotests/244 b/tests/qemu-iotests/244
+index 3e61fa25bb..bb9cc6512f 100755
+--- a/tests/qemu-iotests/244
++++ b/tests/qemu-iotests/244
+@@ -215,9 +215,22 @@ $QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$TEST_IMG"
+ $QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$TEST_IMG"
+ 
+ # blkdebug doesn't support copy offloading, so this tests the error path
+-$QEMU_IMG amend -f $IMGFMT -o "data_file=blkdebug::$TEST_IMG.data" "$TEST_IMG"
+-$QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$TEST_IMG"
+-$QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$TEST_IMG"
++test_img_with_blkdebug="json:{
++    'driver': 'qcow2',
++    'file': {
++        'driver': 'file',
++        'filename': '$TEST_IMG'
++    },
++    'data-file': {
++        'driver': 'blkdebug',
++        'image': {
++            'driver': 'file',
++            'filename': '$TEST_IMG.data'
++        }
++    }
++}"
++$QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$test_img_with_blkdebug"
++$QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$test_img_with_blkdebug"
+ 
+ echo
+ echo "=== Flushing should flush the data file ==="
+-- 
+2.39.3
+

meta/recipes-devtools/qemu/qemu/CVE-2024-4467-0003.patch

@@ -0,0 +1,76 @@
+From 59a84673079f9763e9507733e308442397aba703 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 5 Jun 2024 19:56:51 -0400
+Subject: [PATCH 3/5] iotests/270: Don't store data-file with json: prefix in
+ image
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 5: EMBARGOED CVE-2024-4467 for rhel-8.10.z (PRDSC)
+RH-Jira: RHEL-35616
+RH-CVE: CVE-2024-4467
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Commit: [3/5] ac08690fd3ea3af6e24b2f6a8beedcfe469917a8
+
+commit 705bcc2819ce8e0f8b9d660a93bc48de26413aec
+Author: Kevin Wolf <kwolf@redhat.com>
+Date:   Thu Apr 25 14:49:40 2024 +0200
+
+    iotests/270: Don't store data-file with json: prefix in image
+
+    We want to disable filename parsing for data files because it's too easy
+    to abuse in malicious image files. Make the test ready for the change by
+    passing the data file explicitly in command line options.
+
+    Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+    Reviewed-by: Eric Blake <eblake@redhat.com>
+    Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+    Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
+    Upstream: N/A, embargoed
+    Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+
+Upstream-Status: Backport [import from rhel8 qemu-kvm-6.2.0-50.module+el8.10.0+22027+db0a70a4.src.rpm
+Upstream commit https://gitlab.com/qemu-project/qemu/-/commit/7e1110664ecbc4826f3c978ccb06b6c1bce823e6]
+CVE: CVE-2024-4467
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tests/qemu-iotests/270 | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/tests/qemu-iotests/270 b/tests/qemu-iotests/270
+index 74352342db..c37b674aa2 100755
+--- a/tests/qemu-iotests/270
++++ b/tests/qemu-iotests/270
+@@ -60,8 +60,16 @@ _make_test_img -o cluster_size=2M,data_file="$TEST_IMG.orig" \
+ # "write" 2G of data without using any space.
+ # (qemu-img create does not like it, though, because null-co does not
+ # support image creation.)
+-$QEMU_IMG amend -o data_file="json:{'driver':'null-co',,'size':'4294967296'}" \
+-    "$TEST_IMG"
++test_img_with_null_data="json:{
++    'driver': '$IMGFMT',
++    'file': {
++        'filename': '$TEST_IMG'
++    },
++    'data-file': {
++        'driver': 'null-co',
++        'size':'4294967296'
++    }
++}"
+ 
+ # This gives us a range of:
+ #   2^31 - 512 + 768 - 1 = 2^31 + 255 > 2^31
+@@ -74,7 +82,7 @@ $QEMU_IMG amend -o data_file="json:{'driver':'null-co',,'size':'4294967296'}" \
+ # on L2 boundaries, we need large L2 tables; hence the cluster size of
+ # 2 MB.  (Anything from 256 kB should work, though, because then one L2
+ # table covers 8 GB.)
+-$QEMU_IO -c "write 768 $((2 ** 31 - 512))" "$TEST_IMG" | _filter_qemu_io
++$QEMU_IO -c "write 768 $((2 ** 31 - 512))" "$test_img_with_null_data" | _filter_qemu_io
+ 
+ _check_test_img
+ 
+-- 
+2.39.3
+

meta/recipes-devtools/qemu/qemu/CVE-2024-4467-0004.patch

@@ -0,0 +1,571 @@
+From 996680dd6d5afd51918e600126dbfed4dfe89e05 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Sun, 9 Jun 2024 23:08:39 -0400
+Subject: [PATCH 4/5] block: introduce bdrv_open_file_child() helper
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 5: EMBARGOED CVE-2024-4467 for rhel-8.10.z (PRDSC)
+RH-Jira: RHEL-35616
+RH-CVE: CVE-2024-4467
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Commit: [4/5] 9f582a9aff740eb9ec6f64bfec94854038d8545f
+
+Conflicts: - copy-before-write.c::cbw_copy() is an older version than
+             upstream, but introduction of the new function is
+	     straight-forward.
+           - include/block/block-global-state.h doesn't exist in this
+             code version. Adding the prototype to
+             include/block/block.h instead.
+           - struct BlockDriver has no field 'filtered_child_is_backing'
+             We remove the corresponding assert() in the new function.
+
+commit 83930780325b144a5908c45b3957b9b6457b3831
+Author: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
+Date:   Tue Jul 26 23:11:21 2022 +0300
+
+    block: introduce bdrv_open_file_child() helper
+
+    Almost all drivers call bdrv_open_child() similarly. Let's create a
+    helper for this.
+
+    The only not updated drivers that call bdrv_open_child() to set
+    bs->file are raw-format and snapshot-access:
+        raw-format sometimes want to have filtered child but
+            don't set drv->is_filter to true.
+        snapshot-access wants only DATA | PRIMARY
+
+    Possibly we should implement drv->is_filter_func() handler, to consider
+    raw-format as filter when it works as filter.. But it's another story.
+
+    Note also, that we decrease assignments to bs->file in code: it helps
+    us restrict modifying this field in further commit.
+
+    Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
+    Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+    Message-Id: <20220726201134.924743-3-vsementsov@yandex-team.ru>
+    Reviewed-by: Kevin Wolf <kwolf@redhat.com>
+    Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+
+Upstream-Status: Backport [import from rhel8 qemu-kvm-6.2.0-50.module+el8.10.0+22027+db0a70a4.src.rpm
+Upstream commit https://gitlab.com/qemu-project/qemu/-/commit/83930780325b144a5908c45b3957b9b6457b3831]
+CVE: CVE-2024-4467
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ block.c                   | 18 ++++++++++++++++++
+ block/blkdebug.c          |  9 +++------
+ block/blklogwrites.c      |  7 ++-----
+ block/blkreplay.c         |  7 ++-----
+ block/blkverify.c         |  9 +++------
+ block/bochs.c             |  7 +++----
+ block/cloop.c             |  7 +++----
+ block/copy-before-write.c |  9 ++++-----
+ block/copy-on-read.c      |  9 ++++-----
+ block/crypto.c            | 11 ++++++-----
+ block/dmg.c               |  7 +++----
+ block/filter-compress.c   |  8 +++-----
+ block/parallels.c         |  7 +++----
+ block/preallocate.c       |  9 ++++-----
+ block/qcow.c              |  6 ++----
+ block/qcow2.c             |  8 ++++----
+ block/qed.c               |  8 ++++----
+ block/replication.c       |  8 +++-----
+ block/throttle.c          |  8 +++-----
+ block/vdi.c               |  7 +++----
+ block/vhdx.c              |  7 +++----
+ block/vmdk.c              |  7 +++----
+ block/vpc.c               |  7 +++----
+ include/block/block.h     |  3 +++
+ 24 files changed, 92 insertions(+), 101 deletions(-)
+
+diff --git a/block.c b/block.c
+index 0ac5b163d2..889f878565 100644
+--- a/block.c
++++ b/block.c
+@@ -3546,6 +3546,24 @@ BdrvChild *bdrv_open_child(const char *filename,
+                              errp);
+ }
+ 
++/*
++ * Wrapper on bdrv_open_child() for most popular case: open primary child of bs.
++ */
++int bdrv_open_file_child(const char *filename,
++                         QDict *options, const char *bdref_key,
++                         BlockDriverState *parent, Error **errp)
++{
++    BdrvChildRole role;
++
++    role = parent->drv->is_filter ?
++        (BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY) : BDRV_CHILD_IMAGE;
++
++    parent->file = bdrv_open_child(filename, options, bdref_key, parent,
++                                   &child_of_bds, role, false, errp);
++
++    return parent->file ? 0 : -EINVAL;
++}
++
+ /*
+  * TODO Future callers may need to specify parent/child_class in order for
+  * option inheritance to work. Existing callers use it for the root node.
+diff --git a/block/blkdebug.c b/block/blkdebug.c
+index bbf2948703..5fcfc8ac6f 100644
+--- a/block/blkdebug.c
++++ b/block/blkdebug.c
+@@ -503,12 +503,9 @@ static int blkdebug_open(BlockDriverState *bs, QDict *options, int flags,
+     }
+ 
+     /* Open the image file */
+-    bs->file = bdrv_open_child(qemu_opt_get(opts, "x-image"), options, "image",
+-                               bs, &child_of_bds,
+-                               BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
+-                               false, errp);
+-    if (!bs->file) {
+-        ret = -EINVAL;
++    ret = bdrv_open_file_child(qemu_opt_get(opts, "x-image"), options, "image",
++                               bs, errp);
++    if (ret < 0) {
+         goto out;
+     }
+ 
+diff --git a/block/blklogwrites.c b/block/blklogwrites.c
+index f7a251e91f..f66a617eb3 100644
+--- a/block/blklogwrites.c
++++ b/block/blklogwrites.c
+@@ -155,11 +155,8 @@ static int blk_log_writes_open(BlockDriverState *bs, QDict *options, int flags,
+     }
+ 
+     /* Open the file */
+-    bs->file = bdrv_open_child(NULL, options, "file", bs, &child_of_bds,
+-                               BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY, false,
+-                               errp);
+-    if (!bs->file) {
+-        ret = -EINVAL;
++    ret = bdrv_open_file_child(NULL, options, "file", bs, errp);
++    if (ret < 0) {
+         goto fail;
+     }
+ 
+diff --git a/block/blkreplay.c b/block/blkreplay.c
+index dcbe780ddb..76a0b8d12a 100644
+--- a/block/blkreplay.c
++++ b/block/blkreplay.c
+@@ -26,11 +26,8 @@ static int blkreplay_open(BlockDriverState *bs, QDict *options, int flags,
+     int ret;
+ 
+     /* Open the image file */
+-    bs->file = bdrv_open_child(NULL, options, "image", bs, &child_of_bds,
+-                               BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
+-                               false, errp);
+-    if (!bs->file) {
+-        ret = -EINVAL;
++    ret = bdrv_open_file_child(NULL, options, "image", bs, errp);
++    if (ret < 0) {
+         goto fail;
+     }
+ 
+diff --git a/block/blkverify.c b/block/blkverify.c
+index d1facf5ba9..920e891684 100644
+--- a/block/blkverify.c
++++ b/block/blkverify.c
+@@ -121,12 +121,9 @@ static int blkverify_open(BlockDriverState *bs, QDict *options, int flags,
+     }
+ 
+     /* Open the raw file */
+-    bs->file = bdrv_open_child(qemu_opt_get(opts, "x-raw"), options, "raw",
+-                               bs, &child_of_bds,
+-                               BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
+-                               false, errp);
+-    if (!bs->file) {
+-        ret = -EINVAL;
++    ret = bdrv_open_file_child(qemu_opt_get(opts, "x-raw"), options, "raw",
++                               bs, errp);
++    if (ret < 0) {
+         goto fail;
+     }
+ 
+diff --git a/block/bochs.c b/block/bochs.c
+index 4d68658087..b2dc06bbfd 100644
+--- a/block/bochs.c
++++ b/block/bochs.c
+@@ -110,10 +110,9 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags,
+         return ret;
+     }
+ 
+-    bs->file = bdrv_open_child(NULL, options, "file", bs, &child_of_bds,
+-                               BDRV_CHILD_IMAGE, false, errp);
+-    if (!bs->file) {
+-        return -EINVAL;
++    ret = bdrv_open_file_child(NULL, options, "file", bs, errp);
++    if (ret < 0) {
++        return ret;
+     }
+ 
+     ret = bdrv_pread(bs->file, 0, &bochs, sizeof(bochs));
+diff --git a/block/cloop.c b/block/cloop.c
+index b8c6d0eccd..bee87da173 100644
+--- a/block/cloop.c
++++ b/block/cloop.c
+@@ -71,10 +71,9 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags,
+         return ret;
+     }
+ 
+-    bs->file = bdrv_open_child(NULL, options, "file", bs, &child_of_bds,
+-                               BDRV_CHILD_IMAGE, false, errp);
+-    if (!bs->file) {
+-        return -EINVAL;
++    ret = bdrv_open_file_child(NULL, options, "file", bs, errp);
++    if (ret < 0) {
++        return ret;
+     }
+ 
+     /* read header */
+diff --git a/block/copy-before-write.c b/block/copy-before-write.c
+index c30a5ff8de..8aa2cb6a85 100644
+--- a/block/copy-before-write.c
++++ b/block/copy-before-write.c
+@@ -150,12 +150,11 @@ static int cbw_open(BlockDriverState *bs, QDict *options, int flags,
+ {
+     BDRVCopyBeforeWriteState *s = bs->opaque;
+     BdrvDirtyBitmap *copy_bitmap;
++    int ret;
+ 
+-    bs->file = bdrv_open_child(NULL, options, "file", bs, &child_of_bds,
+-                               BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
+-                               false, errp);
+-    if (!bs->file) {
+-        return -EINVAL;
++    ret = bdrv_open_file_child(NULL, options, "file", bs, errp);
++    if (ret < 0) {
++        return ret;
+     }
+ 
+     s->target = bdrv_open_child(NULL, options, "target", bs, &child_of_bds,
+diff --git a/block/copy-on-read.c b/block/copy-on-read.c
+index 1fc7fb3333..815ac1d835 100644
+--- a/block/copy-on-read.c
++++ b/block/copy-on-read.c
+@@ -41,12 +41,11 @@ static int cor_open(BlockDriverState *bs, QDict *options, int flags,
+     BDRVStateCOR *state = bs->opaque;
+     /* Find a bottom node name, if any */
+     const char *bottom_node = qdict_get_try_str(options, "bottom");
++    int ret;
+ 
+-    bs->file = bdrv_open_child(NULL, options, "file", bs, &child_of_bds,
+-                               BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
+-                               false, errp);
+-    if (!bs->file) {
+-        return -EINVAL;
++    ret = bdrv_open_file_child(NULL, options, "file", bs, errp);
++    if (ret < 0) {
++        return ret;
+     }
+ 
+     bs->supported_read_flags = BDRV_REQ_PREFETCH;
+diff --git a/block/crypto.c b/block/crypto.c
+index c8ba4681e2..abfce39230 100644
+--- a/block/crypto.c
++++ b/block/crypto.c
+@@ -260,15 +260,14 @@ static int block_crypto_open_generic(QCryptoBlockFormat format,
+ {
+     BlockCrypto *crypto = bs->opaque;
+     QemuOpts *opts = NULL;
+-    int ret = -EINVAL;
++    int ret;
+     QCryptoBlockOpenOptions *open_opts = NULL;
+     unsigned int cflags = 0;
+     QDict *cryptoopts = NULL;
+ 
+-    bs->file = bdrv_open_child(NULL, options, "file", bs, &child_of_bds,
+-                               BDRV_CHILD_IMAGE, false, errp);
+-    if (!bs->file) {
+-        return -EINVAL;
++    ret = bdrv_open_file_child(NULL, options, "file", bs, errp);
++    if (ret < 0) {
++        return ret;
+     }
+ 
+     bs->supported_write_flags = BDRV_REQ_FUA &
+@@ -276,6 +275,7 @@ static int block_crypto_open_generic(QCryptoBlockFormat format,
+ 
+     opts = qemu_opts_create(opts_spec, NULL, 0, &error_abort);
+     if (!qemu_opts_absorb_qdict(opts, options, errp)) {
++        ret = -EINVAL;
+         goto cleanup;
+     }
+ 
+@@ -284,6 +284,7 @@ static int block_crypto_open_generic(QCryptoBlockFormat format,
+ 
+     open_opts = block_crypto_open_opts_init(cryptoopts, errp);
+     if (!open_opts) {
++        ret = -EINVAL;
+         goto cleanup;
+     }
+ 
+diff --git a/block/dmg.c b/block/dmg.c
+index 447901fbb8..38c363dd39 100644
+--- a/block/dmg.c
++++ b/block/dmg.c
+@@ -439,10 +439,9 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags,
+         return ret;
+     }
+ 
+-    bs->file = bdrv_open_child(NULL, options, "file", bs, &child_of_bds,
+-                               BDRV_CHILD_IMAGE, false, errp);
+-    if (!bs->file) {
+-        return -EINVAL;
++    ret = bdrv_open_file_child(NULL, options, "file", bs, errp);
++    if (ret < 0) {
++        return ret;
+     }
+ 
+     block_module_load_one("dmg-bz2");
+diff --git a/block/filter-compress.c b/block/filter-compress.c
+index d5be538619..305716c86c 100644
+--- a/block/filter-compress.c
++++ b/block/filter-compress.c
+@@ -30,11 +30,9 @@
+ static int compress_open(BlockDriverState *bs, QDict *options, int flags,
+                          Error **errp)
+ {
+-    bs->file = bdrv_open_child(NULL, options, "file", bs, &child_of_bds,
+-                               BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
+-                               false, errp);
+-    if (!bs->file) {
+-        return -EINVAL;
++    int ret = bdrv_open_file_child(NULL, options, "file", bs, errp);
++    if (ret < 0) {
++        return ret;
+     }
+ 
+     if (!bs->file->bs->drv || !block_driver_can_compress(bs->file->bs->drv)) {
+diff --git a/block/parallels.c b/block/parallels.c
+index 6ebad2a2bb..ed4debd899 100644
+--- a/block/parallels.c
++++ b/block/parallels.c
+@@ -735,10 +735,9 @@ static int parallels_open(BlockDriverState *bs, QDict *options, int flags,
+     Error *local_err = NULL;
+     char *buf;
+ 
+-    bs->file = bdrv_open_child(NULL, options, "file", bs, &child_of_bds,
+-                               BDRV_CHILD_IMAGE, false, errp);
+-    if (!bs->file) {
+-        return -EINVAL;
++    ret = bdrv_open_file_child(NULL, options, "file", bs, errp);
++    if (ret < 0) {
++        return ret;
+     }
+ 
+     ret = bdrv_pread(bs->file, 0, &ph, sizeof(ph));
+diff --git a/block/preallocate.c b/block/preallocate.c
+index 1d4233f730..332408bdc9 100644
+--- a/block/preallocate.c
++++ b/block/preallocate.c
+@@ -134,6 +134,7 @@ static int preallocate_open(BlockDriverState *bs, QDict *options, int flags,
+                             Error **errp)
+ {
+     BDRVPreallocateState *s = bs->opaque;
++    int ret;
+ 
+     /*
+      * s->data_end and friends should be initialized on permission update.
+@@ -141,11 +142,9 @@ static int preallocate_open(BlockDriverState *bs, QDict *options, int flags,
+      */
+     s->file_end = s->zero_start = s->data_end = -EINVAL;
+ 
+-    bs->file = bdrv_open_child(NULL, options, "file", bs, &child_of_bds,
+-                               BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
+-                               false, errp);
+-    if (!bs->file) {
+-        return -EINVAL;
++    ret = bdrv_open_file_child(NULL, options, "file", bs, errp);
++    if (ret < 0) {
++        return ret;
+     }
+ 
+     if (!preallocate_absorb_opts(&s->opts, options, bs->file->bs, errp)) {
+diff --git a/block/qcow.c b/block/qcow.c
+index c39940f33e..544a17261f 100644
+--- a/block/qcow.c
++++ b/block/qcow.c
+@@ -120,10 +120,8 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
+     qdict_extract_subqdict(options, &encryptopts, "encrypt.");
+     encryptfmt = qdict_get_try_str(encryptopts, "format");
+ 
+-    bs->file = bdrv_open_child(NULL, options, "file", bs, &child_of_bds,
+-                               BDRV_CHILD_IMAGE, false, errp);
+-    if (!bs->file) {
+-        ret = -EINVAL;
++    ret = bdrv_open_file_child(NULL, options, "file", bs, errp);
++    if (ret < 0) {
+         goto fail;
+     }
+ 
+diff --git a/block/qcow2.c b/block/qcow2.c
+index 6ee1919612..29ea157e6b 100644
+--- a/block/qcow2.c
++++ b/block/qcow2.c
+@@ -1907,11 +1907,11 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
+         .errp = errp,
+         .ret = -EINPROGRESS
+     };
++    int ret;
+ 
+-    bs->file = bdrv_open_child(NULL, options, "file", bs, &child_of_bds,
+-                               BDRV_CHILD_IMAGE, false, errp);
+-    if (!bs->file) {
+-        return -EINVAL;
++    ret = bdrv_open_file_child(NULL, options, "file", bs, errp);
++    if (ret < 0) {
++        return ret;
+     }
+ 
+     /* Initialise locks */
+diff --git a/block/qed.c b/block/qed.c
+index 558d3646c4..e3b06a3d00 100644
+--- a/block/qed.c
++++ b/block/qed.c
+@@ -558,11 +558,11 @@ static int bdrv_qed_open(BlockDriverState *bs, QDict *options, int flags,
+         .errp = errp,
+         .ret = -EINPROGRESS
+     };
++    int ret;
+ 
+-    bs->file = bdrv_open_child(NULL, options, "file", bs, &child_of_bds,
+-                               BDRV_CHILD_IMAGE, false, errp);
+-    if (!bs->file) {
+-        return -EINVAL;
++    ret = bdrv_open_file_child(NULL, options, "file", bs, errp);
++    if (ret < 0) {
++        return ret;
+     }
+ 
+     bdrv_qed_init_state(bs);
+diff --git a/block/replication.c b/block/replication.c
+index 55c8f894aa..2f17397764 100644
+--- a/block/replication.c
++++ b/block/replication.c
+@@ -88,11 +88,9 @@ static int replication_open(BlockDriverState *bs, QDict *options,
+     const char *mode;
+     const char *top_id;
+ 
+-    bs->file = bdrv_open_child(NULL, options, "file", bs, &child_of_bds,
+-                               BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
+-                               false, errp);
+-    if (!bs->file) {
+-        return -EINVAL;
++    ret = bdrv_open_file_child(NULL, options, "file", bs, errp);
++    if (ret < 0) {
++        return ret;
+     }
+ 
+     ret = -EINVAL;
+diff --git a/block/throttle.c b/block/throttle.c
+index 6e8d52fa24..4fb5798c27 100644
+--- a/block/throttle.c
++++ b/block/throttle.c
+@@ -78,11 +78,9 @@ static int throttle_open(BlockDriverState *bs, QDict *options,
+     char *group;
+     int ret;
+ 
+-    bs->file = bdrv_open_child(NULL, options, "file", bs, &child_of_bds,
+-                               BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
+-                               false, errp);
+-    if (!bs->file) {
+-        return -EINVAL;
++    ret = bdrv_open_file_child(NULL, options, "file", bs, errp);
++    if (ret < 0) {
++        return ret;
+     }
+     bs->supported_write_flags = bs->file->bs->supported_write_flags |
+                                 BDRV_REQ_WRITE_UNCHANGED;
+diff --git a/block/vdi.c b/block/vdi.c
+index bdc58d726e..c50c0ed61f 100644
+--- a/block/vdi.c
++++ b/block/vdi.c
+@@ -376,10 +376,9 @@ static int vdi_open(BlockDriverState *bs, QDict *options, int flags,
+     int ret;
+     QemuUUID uuid_link, uuid_parent;
+ 
+-    bs->file = bdrv_open_child(NULL, options, "file", bs, &child_of_bds,
+-                               BDRV_CHILD_IMAGE, false, errp);
+-    if (!bs->file) {
+-        return -EINVAL;
++    ret = bdrv_open_file_child(NULL, options, "file", bs, errp);
++    if (ret < 0) {
++        return ret;
+     }
+ 
+     logout("\n");
+diff --git a/block/vhdx.c b/block/vhdx.c
+index 356ec4c455..e7d6d7509a 100644
+--- a/block/vhdx.c
++++ b/block/vhdx.c
+@@ -996,10 +996,9 @@ static int vhdx_open(BlockDriverState *bs, QDict *options, int flags,
+     uint64_t signature;
+     Error *local_err = NULL;
+ 
+-    bs->file = bdrv_open_child(NULL, options, "file", bs, &child_of_bds,
+-                               BDRV_CHILD_IMAGE, false, errp);
+-    if (!bs->file) {
+-        return -EINVAL;
++    ret = bdrv_open_file_child(NULL, options, "file", bs, errp);
++    if (ret < 0) {
++        return ret;
+     }
+ 
+     s->bat = NULL;
+diff --git a/block/vmdk.c b/block/vmdk.c
+index 0dfab6e941..7d7e56b36c 100644
+--- a/block/vmdk.c
++++ b/block/vmdk.c
+@@ -1262,10 +1262,9 @@ static int vmdk_open(BlockDriverState *bs, QDict *options, int flags,
+     BDRVVmdkState *s = bs->opaque;
+     uint32_t magic;
+ 
+-    bs->file = bdrv_open_child(NULL, options, "file", bs, &child_of_bds,
+-                               BDRV_CHILD_IMAGE, false, errp);
+-    if (!bs->file) {
+-        return -EINVAL;
++    ret = bdrv_open_file_child(NULL, options, "file", bs, errp);
++    if (ret < 0) {
++        return ret;
+     }
+ 
+     buf = vmdk_read_desc(bs->file, 0, errp);
+diff --git a/block/vpc.c b/block/vpc.c
+index 297a26262a..430cab1cbb 100644
+--- a/block/vpc.c
++++ b/block/vpc.c
+@@ -232,10 +232,9 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
+     int ret;
+     int64_t bs_size;
+ 
+-    bs->file = bdrv_open_child(NULL, options, "file", bs, &child_of_bds,
+-                               BDRV_CHILD_IMAGE, false, errp);
+-    if (!bs->file) {
+-        return -EINVAL;
++    ret = bdrv_open_file_child(NULL, options, "file", bs, errp);
++    if (ret < 0) {
++        return ret;
+     }
+ 
+     opts = qemu_opts_create(&vpc_runtime_opts, NULL, 0, &error_abort);
+diff --git a/include/block/block.h b/include/block/block.h
+index e5dd22b034..f885f113ef 100644
+--- a/include/block/block.h
++++ b/include/block/block.h
+@@ -376,6 +376,9 @@ BdrvChild *bdrv_open_child(const char *filename,
+                            const BdrvChildClass *child_class,
+                            BdrvChildRole child_role,
+                            bool allow_none, Error **errp);
++int bdrv_open_file_child(const char *filename,
++                         QDict *options, const char *bdref_key,
++                         BlockDriverState *parent, Error **errp);
+ BlockDriverState *bdrv_open_blockdev_ref(BlockdevRef *ref, Error **errp);
+ int bdrv_set_backing_hd(BlockDriverState *bs, BlockDriverState *backing_hd,
+                         Error **errp);
+-- 
+2.39.3
+

meta/recipes-devtools/qemu/qemu/CVE-2024-4467-0005.patch

@@ -0,0 +1,265 @@
+From c4ba1f1755031a0ac2f600ed8c17e7dcb6b2b857 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 5 Jun 2024 19:56:51 -0400
+Subject: [PATCH 5/5] block: Parse filenames only when explicitly requested
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 5: EMBARGOED CVE-2024-4467 for rhel-8.10.z (PRDSC)
+RH-Jira: RHEL-35616
+RH-CVE: CVE-2024-4467
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Commit: [5/5] a3e197add64fc6950c4ac576e34d833dfae7ee34
+
+Conflicts: - brdv_open_child_common(): bdrv_graph_wrlock/unlock()
+             don't exist in this code version. We ignore them.
+	     bdrv_open_inherit(): no_coroutine_fn/GRAPH_UNLOCKED
+             doesn't exist. We ignore it.
+           - Changes to bdrv_open_file_child() didn't apply cleanly,
+             but fixing it is straight-forward.
+           - GLOBAL_STATE_CODE() not present in this code. Ignoring it.
+           - bdrv_open_file_child(): Need to continue setting of
+	     parent->file.
+
+commit f44c2941d4419e60f16dea3e9adca164e75aa78d
+Author: Kevin Wolf <kwolf@redhat.com>
+Date:   Thu Apr 25 14:56:02 2024 +0200
+
+    block: Parse filenames only when explicitly requested
+
+    When handling image filenames from legacy options such as -drive or from
+    tools, these filenames are parsed for protocol prefixes, including for
+    the json:{} pseudo-protocol.
+
+    This behaviour is intended for filenames that come directly from the
+    command line and for backing files, which may come from the image file
+    itself. Higher level management tools generally take care to verify that
+    untrusted images don't contain a bad (or any) backing file reference;
+    'qemu-img info' is a suitable tool for this.
+
+    However, for other files that can be referenced in images, such as
+    qcow2 data files or VMDK extents, the string from the image file is
+    usually not verified by management tools - and 'qemu-img info' wouldn't
+    be suitable because in contrast to backing files, it already opens these
+    other referenced files. So here the string should be interpreted as a
+    literal local filename. More complex configurations need to be specified
+    explicitly on the command line or in QMP.
+
+    This patch changes bdrv_open_inherit() so that it only parses filenames
+    if a new parameter parse_filename is true. It is set for the top level
+    in bdrv_open(), for the file child and for the backing file child. All
+    other callers pass false and disable filename parsing this way.
+
+    Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+    Reviewed-by: Eric Blake <eblake@redhat.com>
+    Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+    Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
+    Upstream: N/A, embargoed
+    Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+
+Upstream-Status: Backport [import from rhel8 qemu-kvm-6.2.0-50.module+el8.10.0+22027+db0a70a4.src.rpm
+Upstream commit https://gitlab.com/qemu-project/qemu/-/commit/7ead946998610657d38d1a505d5f25300d4ca613]
+CVE: CVE-2024-4467
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ block.c | 81 +++++++++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 56 insertions(+), 25 deletions(-)
+
+diff --git a/block.c b/block.c
+index 889f878565..ddebf50efa 100644
+--- a/block.c
++++ b/block.c
+@@ -82,6 +82,7 @@ static BlockDriverState *bdrv_open_inherit(const char *filename,
+                                            BlockDriverState *parent,
+                                            const BdrvChildClass *child_class,
+                                            BdrvChildRole child_role,
++                                           bool parse_filename,
+                                            Error **errp);
+ 
+ static bool bdrv_recurse_has_child(BlockDriverState *bs,
+@@ -1926,7 +1927,8 @@ static void parse_json_protocol(QDict *options, const char **pfilename,
+  * block driver has been specified explicitly.
+  */
+ static int bdrv_fill_options(QDict **options, const char *filename,
+-                             int *flags, Error **errp)
++                             int *flags, bool allow_parse_filename,
++                             Error **errp)
+ {
+     const char *drvname;
+     bool protocol = *flags & BDRV_O_PROTOCOL;
+@@ -1966,7 +1968,7 @@ static int bdrv_fill_options(QDict **options, const char *filename,
+     if (protocol && filename) {
+         if (!qdict_haskey(*options, "filename")) {
+             qdict_put_str(*options, "filename", filename);
+-            parse_filename = true;
++            parse_filename = allow_parse_filename;
+         } else {
+             error_setg(errp, "Can't specify 'file' and 'filename' options at "
+                              "the same time");
+@@ -3439,7 +3441,8 @@ int bdrv_open_backing_file(BlockDriverState *bs, QDict *parent_options,
+     }
+ 
+     backing_hd = bdrv_open_inherit(backing_filename, reference, options, 0, bs,
+-                                   &child_of_bds, bdrv_backing_role(bs), errp);
++                                   &child_of_bds, bdrv_backing_role(bs), true,
++                                   errp);
+     if (!backing_hd) {
+         bs->open_flags |= BDRV_O_NO_BACKING;
+         error_prepend(errp, "Could not open backing file: ");
+@@ -3472,7 +3475,8 @@ free_exit:
+ static BlockDriverState *
+ bdrv_open_child_bs(const char *filename, QDict *options, const char *bdref_key,
+                    BlockDriverState *parent, const BdrvChildClass *child_class,
+-                   BdrvChildRole child_role, bool allow_none, Error **errp)
++                   BdrvChildRole child_role, bool allow_none,
++                   bool parse_filename, Error **errp)
+ {
+     BlockDriverState *bs = NULL;
+     QDict *image_options;
+@@ -3503,7 +3507,8 @@ bdrv_open_child_bs(const char *filename, QDict *options, const char *bdref_key,
+     }
+ 
+     bs = bdrv_open_inherit(filename, reference, image_options, 0,
+-                           parent, child_class, child_role, errp);
++                           parent, child_class, child_role, parse_filename,
++                           errp);
+     if (!bs) {
+         goto done;
+     }
+@@ -3513,6 +3518,29 @@ done:
+     return bs;
+ }
+ 
++static BdrvChild *bdrv_open_child_common(const char *filename,
++                                         QDict *options, const char *bdref_key,
++                                         BlockDriverState *parent,
++                                         const BdrvChildClass *child_class,
++                                         BdrvChildRole child_role,
++                                         bool allow_none, bool parse_filename,
++                                         Error **errp)
++{
++    BlockDriverState *bs;
++    BdrvChild *child;
++
++    bs = bdrv_open_child_bs(filename, options, bdref_key, parent, child_class,
++                            child_role, allow_none, parse_filename, errp);
++    if (bs == NULL) {
++        return NULL;
++    }
++
++    child = bdrv_attach_child(parent, bs, bdref_key, child_class, child_role,
++                              errp);
++
++    return child;
++}
++
+ /*
+  * Opens a disk image whose options are given as BlockdevRef in another block
+  * device's options.
+@@ -3534,20 +3562,17 @@ BdrvChild *bdrv_open_child(const char *filename,
+                            BdrvChildRole child_role,
+                            bool allow_none, Error **errp)
+ {
+-    BlockDriverState *bs;
+-
+-    bs = bdrv_open_child_bs(filename, options, bdref_key, parent, child_class,
+-                            child_role, allow_none, errp);
+-    if (bs == NULL) {
+-        return NULL;
+-    }
+-
+-    return bdrv_attach_child(parent, bs, bdref_key, child_class, child_role,
+-                             errp);
++    return bdrv_open_child_common(filename, options, bdref_key, parent,
++                                  child_class, child_role, allow_none, false,
++                                  errp);
+ }
+ 
+ /*
+- * Wrapper on bdrv_open_child() for most popular case: open primary child of bs.
++ * This does mostly the same as bdrv_open_child(), but for opening the primary
++ * child of a node. A notable difference from bdrv_open_child() is that it
++ * enables filename parsing for protocol names (including json:).
++ *
++ * @parent can move to a different AioContext in this function.
+  */
+ int bdrv_open_file_child(const char *filename,
+                          QDict *options, const char *bdref_key,
+@@ -3558,8 +3583,9 @@ int bdrv_open_file_child(const char *filename,
+     role = parent->drv->is_filter ?
+         (BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY) : BDRV_CHILD_IMAGE;
+ 
+-    parent->file = bdrv_open_child(filename, options, bdref_key, parent,
+-                                   &child_of_bds, role, false, errp);
++    parent->file = bdrv_open_child_common(filename, options, bdref_key, parent,
++                                          &child_of_bds, role, false, true,
++                                          errp);
+ 
+     return parent->file ? 0 : -EINVAL;
+ }
+@@ -3599,7 +3625,8 @@ BlockDriverState *bdrv_open_blockdev_ref(BlockdevRef *ref, Error **errp)
+ 
+     }
+ 
+-    bs = bdrv_open_inherit(NULL, reference, qdict, 0, NULL, NULL, 0, errp);
++    bs = bdrv_open_inherit(NULL, reference, qdict, 0, NULL, NULL, 0, false,
++                           errp);
+     obj = NULL;
+     qobject_unref(obj);
+     visit_free(v);
+@@ -3690,6 +3717,7 @@ static BlockDriverState *bdrv_open_inherit(const char *filename,
+                                            BlockDriverState *parent,
+                                            const BdrvChildClass *child_class,
+                                            BdrvChildRole child_role,
++                                           bool parse_filename,
+                                            Error **errp)
+ {
+     int ret;
+@@ -3733,9 +3761,11 @@ static BlockDriverState *bdrv_open_inherit(const char *filename,
+     }
+ 
+     /* json: syntax counts as explicit options, as if in the QDict */
+-    parse_json_protocol(options, &filename, &local_err);
+-    if (local_err) {
+-        goto fail;
++    if (parse_filename) {
++        parse_json_protocol(options, &filename, &local_err);
++        if (local_err) {
++            goto fail;
++        }
+     }
+ 
+     bs->explicit_options = qdict_clone_shallow(options);
+@@ -3760,7 +3790,8 @@ static BlockDriverState *bdrv_open_inherit(const char *filename,
+                                      parent->open_flags, parent->options);
+     }
+ 
+-    ret = bdrv_fill_options(&options, filename, &flags, &local_err);
++    ret = bdrv_fill_options(&options, filename, &flags, parse_filename,
++                            &local_err);
+     if (ret < 0) {
+         goto fail;
+     }
+@@ -3829,7 +3860,7 @@ static BlockDriverState *bdrv_open_inherit(const char *filename,
+ 
+         file_bs = bdrv_open_child_bs(filename, options, "file", bs,
+                                      &child_of_bds, BDRV_CHILD_IMAGE,
+-                                     true, &local_err);
++                                     true, true, &local_err);
+         if (local_err) {
+             goto fail;
+         }
+@@ -3974,7 +4005,7 @@ BlockDriverState *bdrv_open(const char *filename, const char *reference,
+                             QDict *options, int flags, Error **errp)
+ {
+     return bdrv_open_inherit(filename, reference, options, flags, NULL,
+-                             NULL, 0, errp);
++                             NULL, 0, true, errp);
+ }
+ 
+ /* Return true if the NULL-terminated @list contains @str */
+-- 
+2.39.3
+

meta/recipes-devtools/ruby/ruby_3.1.3.bb

@@ -76,6 +76,7 @@ EXTRA_OECONF = "\
     --enable-load-relative \
     --with-pkg-config=pkg-config \
     --with-static-linked-ext \
+    --with-mantype=man \
 "
 
 EXTRA_OECONF:append:libc-musl = "\

meta/recipes-devtools/rust/rust-source.inc

@@ -6,5 +6,5 @@ RUSTSRC = "${WORKDIR}/rustc-${PV}-src"
 UPSTREAM_CHECK_URI = "https://forge.rust-lang.org/infra/other-installation-methods.html"
 UPSTREAM_CHECK_REGEX = "rustc-(?P<pver>\d+(\.\d+)+)-src"
 
-#CVE-2024-24576 is specific to Microsoft Windows
-CVE_CHECK_IGNORE += "CVE-2024-24576"
+# These CVEs are specific to Microsoft Windows
+CVE_CHECK_IGNORE += "CVE-2024-24576 CVE-2024-43402"

meta/recipes-devtools/valgrind/valgrind_3.18.1.bb

@@ -237,6 +237,14 @@ do_install_ptest() {
     # This is known failure see https://bugs.kde.org/show_bug.cgi?id=435732
     rm ${D}${PTEST_PATH}/memcheck/tests/leak_cpp_interior.vgtest
 
+    # This test fails consistently on the new valkyrie autobuilder cluster
+    # It tests the avx estimate instructions
+    # The estimate instructions (rcpss, rcpps, rsqrtps, rsqrtss) are, as the
+    # name suggests, not expected to give a fully accurate result. They may
+    # produce slighly different results on different CPU families because
+    # their results are not defined by the IEEE standard
+    rm ${D}${PTEST_PATH}/none/tests/amd64/avx_estimate_insn.vgtest
+
     # As the binary isn't stripped or debug-splitted, the source file isn't fetched
     # via dwarfsrcfiles either, so it needs to be installed manually.
     mkdir -p ${D}/usr/src/debug/${PN}/${EXTENDPE}${PV}-${PR}/${BP}/none/tests/

meta/recipes-extended/cups/cups.inc

@@ -19,6 +19,12 @@ SRC_URI = "https://github.com/OpenPrinting/cups/releases/download/v${PV}/cups-${
            file://CVE-2023-34241.patch \
 	   file://CVE-2023-32360.patch \
 	   file://CVE-2023-4504.patch \
+	   file://CVE-2024-35235.patch \
+	   file://CVE-2024-47175-1.patch \
+	   file://CVE-2024-47175-2.patch \
+	   file://CVE-2024-47175-3.patch \
+	   file://CVE-2024-47175-4.patch \
+	   file://CVE-2024-47175-5.patch \
            "
 
 UPSTREAM_CHECK_URI = "https://github.com/OpenPrinting/cups/releases"

meta/recipes-extended/cups/cups/CVE-2024-35235.patch

@@ -0,0 +1,121 @@
+From a436956f374b0fd7f5da9df482e4f5840fa1c0d2 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Mon, 3 Jun 2024 18:53:58 +0200
+Subject: [PATCH] CVE-2024-35235: Fix domain socket handling
+
+- Check status of unlink and bind system calls.
+- Don't allow extra domain sockets when running from launchd/systemd.
+- Validate length of domain socket path (< sizeof(sun_path))
+
+Upstream-Status: Backport from https://github.com/OpenPrinting/cups/commit/a436956f374b0fd7f5da9df482e4f5840fa1c0d2, https://github.com/OpenPrinting/cups/commit/e3952d3ecd231588bb382529281a294124db9348#diff-6fc0a5ba57f83c8177d28f44729276fe35fcaaceae8b774481e6973fcbdf733d
+CVE: CVE-2024-35235
+
+Signed-off-by: Rohini Sangam <rsangam@mvista.com>
+---
+ cups/debug-internal.h |  4 +--
+ cups/http-addr.c      | 36 ++++++++++---------
+ scheduler/conf.c      | 20 +++++++++++
+ 3 files changed, 41 insertions(+), 19 deletions(-)
+
+diff --git a/cups/debug-internal.h b/cups/debug-internal.h
+index 2b57854..2e1a56a 100644
+--- a/cups/debug-internal.h
++++ b/cups/debug-internal.h
+@@ -59,10 +59,10 @@ extern "C" {
+ 
+ #  ifdef DEBUG
+ #    define DEBUG_puts(x) _cups_debug_puts(x)
+-#    define DEBUG_printf(x) _cups_debug_printf x
++#    define DEBUG_printf(...) _cups_debug_printf(__VA_ARGS__)
+ #  else
+ #    define DEBUG_puts(x)
+-#    define DEBUG_printf(x)
++#    define DEBUG_printf(...)
+ #  endif /* DEBUG */
+ 
+ 
+diff --git a/cups/http-addr.c b/cups/http-addr.c
+index 114a644..610e9db 100644
+--- a/cups/http-addr.c
++++ b/cups/http-addr.c
+@@ -206,27 +206,29 @@ httpAddrListen(http_addr_t *addr,	/* I - Address to bind to */
+     * Remove any existing domain socket file...
+     */
+ 
+-    unlink(addr->un.sun_path);
+-
+-   /*
+-    * Save the current umask and set it to 0 so that all users can access
+-    * the domain socket...
+-    */
+-
+-    mask = umask(0);
++    if ((status = unlink(addr->un.sun_path)) < 0)
++    {
++      DEBUG_printf("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno));
+ 
+-   /*
+-    * Bind the domain socket...
+-    */
++      if (errno == ENOENT)
++	status = 0;
++    }
+ 
+-    status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
++    if (!status)
++    {
++      // Save the current umask and set it to 0 so that all users can access
++      // the domain socket...
++      mask = umask(0);
+ 
+-   /*
+-    * Restore the umask and fix permissions...
+-    */
++      // Bind the domain socket...
++      if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
++      {
++	DEBUG_printf("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno));
++      }
+ 
+-    umask(mask);
+-    chmod(addr->un.sun_path, 0140777);
++      // Restore the umask...
++      umask(mask);
++    }
+   }
+   else
+ #endif /* AF_LOCAL */
+diff --git a/scheduler/conf.c b/scheduler/conf.c
+index 535d40f..3a2eec2 100644
+--- a/scheduler/conf.c
++++ b/scheduler/conf.c
+@@ -3074,6 +3074,26 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+       cupsd_listener_t	*lis;		/* New listeners array */
+ 
+ 
++      /*
++      * If we are launched on-demand, do not use domain sockets from the config
++      * file.  Also check that the domain socket path is not too long...
++      */
++
++#ifdef HAVE_ONDEMAND
++      if (*value == '/' && OnDemand)
++      {
++        if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
++          cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
++        continue;
++      }
++#endif // HAVE_ONDEMAND
++
++      if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
++      {
++        cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
++        continue;
++      }
++
+      /*
+       * Get the address list...
+       */
+-- 
+2.35.7
+

meta/recipes-extended/cups/cups/CVE-2024-47175-1.patch

@@ -0,0 +1,73 @@
+From 9939a70b750edd9d05270060cc5cf62ca98cfbe5 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Mon, 9 Sep 2024 10:03:10 -0400
+Subject: [PATCH] Mirror IPP Everywhere printer changes from master.
+
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/9939a70b750edd9d05270060cc5cf62ca98cfbe5]
+CVE: CVE-2024-47175
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ cups/ppd-cache.c | 10 +++++-----
+ scheduler/ipp.c  |  7 +++++++
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
+index 8861813..88b27e1 100644
+--- a/cups/ppd-cache.c
++++ b/cups/ppd-cache.c
+@@ -3198,10 +3198,10 @@ _ppdCreateFromIPP2(
+   }
+   cupsFilePuts(fp, "\"\n");
+ 
+-  if ((attr = ippFindAttribute(supported, "printer-more-info", IPP_TAG_URI)) != NULL)
++  if ((attr = ippFindAttribute(supported, "printer-more-info", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
+     cupsFilePrintf(fp, "*APSupplies: \"%s\"\n", ippGetString(attr, 0, NULL));
+ 
+-  if ((attr = ippFindAttribute(supported, "printer-charge-info-uri", IPP_TAG_URI)) != NULL)
++  if ((attr = ippFindAttribute(supported, "printer-charge-info-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
+     cupsFilePrintf(fp, "*cupsChargeInfoURI: \"%s\"\n", ippGetString(attr, 0, NULL));
+ 
+   if ((attr = ippFindAttribute(supported, "printer-strings-uri", IPP_TAG_URI)) != NULL)
+@@ -3270,10 +3270,10 @@ _ppdCreateFromIPP2(
+   if (ippGetBoolean(ippFindAttribute(supported, "job-accounting-user-id-supported", IPP_TAG_BOOLEAN), 0))
+     cupsFilePuts(fp, "*cupsJobAccountingUserId: True\n");
+ 
+-  if ((attr = ippFindAttribute(supported, "printer-privacy-policy-uri", IPP_TAG_URI)) != NULL)
++  if ((attr = ippFindAttribute(supported, "printer-privacy-policy-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
+     cupsFilePrintf(fp, "*cupsPrivacyURI: \"%s\"\n", ippGetString(attr, 0, NULL));
+ 
+-  if ((attr = ippFindAttribute(supported, "printer-mandatory-job-attributes", IPP_TAG_KEYWORD)) != NULL)
++  if ((attr = ippFindAttribute(supported, "printer-mandatory-job-attributes", IPP_TAG_KEYWORD)) != NULL && ippValidateAttribute(attr))
+   {
+     char	prefix = '\"';		// Prefix for string
+ 
+@@ -3291,7 +3291,7 @@ _ppdCreateFromIPP2(
+     cupsFilePuts(fp, "\"\n");
+   }
+ 
+-  if ((attr = ippFindAttribute(supported, "printer-requested-job-attributes", IPP_TAG_KEYWORD)) != NULL)
++  if ((attr = ippFindAttribute(supported, "printer-requested-job-attributes", IPP_TAG_KEYWORD)) != NULL && ippValidateAttribute(attr))
+   {
+     char	prefix = '\"';		// Prefix for string
+ 
+diff --git a/scheduler/ipp.c b/scheduler/ipp.c
+index 14cadb0..729f5c4 100644
+--- a/scheduler/ipp.c
++++ b/scheduler/ipp.c
+@@ -5361,6 +5361,13 @@ create_local_bg_thread(
+     cupsdLogMessage(CUPSD_LOG_DEBUG, "%s: IPP/1.1 Get-Printer-Attributes returned %s (%s)", printer->name, ippErrorString(cupsLastError()), cupsLastErrorString());
+   }
+ 
++  // Validate response from printer...
++  if (!ippValidateAttributes(response))
++  {
++    cupsdLogMessage(CUPSD_LOG_ERROR, "%s: Printer returned invalid data: %s", printer->name, cupsLastErrorString());
++    return (NULL);
++  }
++
+   // TODO: Grab printer icon file...
+   httpClose(http);
+ 
+-- 
+2.25.1
+

meta/recipes-extended/cups/cups/CVE-2024-47175-2.patch

@@ -0,0 +1,148 @@
+From 04bb2af4521b56c1699a2c2431c56c05a7102e69 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Mon, 9 Sep 2024 14:05:42 -0400
+Subject: [PATCH] Refactor make-and-model code.
+
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/04bb2af4521b56c1699a2c2431c56c05a7102e69]
+CVE: CVE-2024-47175
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ cups/ppd-cache.c | 103 +++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 87 insertions(+), 16 deletions(-)
+
+diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
+index 8a99a865c..986c64f73 100644
+--- a/cups/ppd-cache.c
++++ b/cups/ppd-cache.c
+@@ -3196,9 +3196,10 @@ _ppdCreateFromIPP2(
+   ipp_t			*media_col,	/* Media collection */
+ 			*media_size;	/* Media size collection */
+   char			make[256],	/* Make and model */
+-			*model,		/* Model name */
++			*mptr,		/* Pointer into make and model */
+ 			ppdname[PPD_MAX_NAME];
+ 		    			/* PPD keyword */
++  const char		*model;		/* Model name */
+   int			i, j,		/* Looping vars */
+ 			count,		/* Number of values */
+ 			bottom,		/* Largest bottom margin */
+@@ -3259,34 +3260,104 @@ _ppdCreateFromIPP2(
+   }
+ 
+  /*
+-  * Standard stuff for PPD file...
++  * Get a sanitized make and model...
+   */
+ 
+-  cupsFilePuts(fp, "*PPD-Adobe: \"4.3\"\n");
+-  cupsFilePuts(fp, "*FormatVersion: \"4.3\"\n");
+-  cupsFilePrintf(fp, "*FileVersion: \"%d.%d\"\n", CUPS_VERSION_MAJOR, CUPS_VERSION_MINOR);
+-  cupsFilePuts(fp, "*LanguageVersion: English\n");
+-  cupsFilePuts(fp, "*LanguageEncoding: ISOLatin1\n");
+-  cupsFilePuts(fp, "*PSVersion: \"(3010.000) 0\"\n");
+-  cupsFilePuts(fp, "*LanguageLevel: \"3\"\n");
+-  cupsFilePuts(fp, "*FileSystem: False\n");
+-  cupsFilePuts(fp, "*PCFileName: \"ippeve.ppd\"\n");
++  if ((attr = ippFindAttribute(supported, "printer-make-and-model", IPP_TAG_TEXT)) != NULL && ippValidateAttribute(attr))
++  {
++   /*
++    * Sanitize the model name to only contain PPD-safe characters.
++    */
+ 
+-  if ((attr = ippFindAttribute(supported, "printer-make-and-model", IPP_TAG_TEXT)) != NULL)
+     strlcpy(make, ippGetString(attr, 0, NULL), sizeof(make));
++
++    for (mptr = make; *mptr; mptr ++)
++    {
++      if (*mptr < ' ' || *mptr >= 127 || *mptr == '\"')
++      {
++       /*
++	* Truncate the make and model on the first bad character...
++	*/
++
++	*mptr = '\0';
++	break;
++      }
++    }
++
++    while (mptr > make)
++    {
++     /*
++      * Strip trailing whitespace...
++      */
++
++      mptr --;
++      if (*mptr == ' ')
++	*mptr = '\0';
++    }
++
++    if (!make[0])
++    {
++     /*
++      * Use a default make and model if nothing remains...
++      */
++
++      strlcpy(make, "Unknown", sizeof(make));
++    }
++  }
+   else
+-    strlcpy(make, "Unknown Printer", sizeof(make));
++  {
++   /*
++    * Use a default make and model...
++    */
++
++    strlcpy(make, "Unknown", sizeof(make));
++  }
+ 
+   if (!_cups_strncasecmp(make, "Hewlett Packard ", 16) || !_cups_strncasecmp(make, "Hewlett-Packard ", 16))
+   {
++   /*
++    * Normalize HP printer make and model...
++    */
++
+     model = make + 16;
+     strlcpy(make, "HP", sizeof(make));
++
++    if (!_cups_strncasecmp(model, "HP ", 3))
++      model += 3;
++  }
++  else if ((mptr = strchr(make, ' ')) != NULL)
++  {
++   /*
++    * Separate "MAKE MODEL"...
++    */
++
++    while (*mptr && *mptr == ' ')
++      *mptr++ = '\0';
++
++    model = mptr;
+   }
+-  else if ((model = strchr(make, ' ')) != NULL)
+-    *model++ = '\0';
+   else
+-    model = make;
++  {
++   /*
++    * No separate model name...
++    */
+ 
++    model = "Printer";
++  }
++
++ /*
++  * Standard stuff for PPD file...
++  */
++
++  cupsFilePuts(fp, "*PPD-Adobe: \"4.3\"\n");
++  cupsFilePuts(fp, "*FormatVersion: \"4.3\"\n");
++  cupsFilePrintf(fp, "*FileVersion: \"%d.%d\"\n", CUPS_VERSION_MAJOR, CUPS_VERSION_MINOR);
++  cupsFilePuts(fp, "*LanguageVersion: English\n");
++  cupsFilePuts(fp, "*LanguageEncoding: ISOLatin1\n");
++  cupsFilePuts(fp, "*PSVersion: \"(3010.000) 0\"\n");
++  cupsFilePuts(fp, "*LanguageLevel: \"3\"\n");
++  cupsFilePuts(fp, "*FileSystem: False\n");
++  cupsFilePuts(fp, "*PCFileName: \"ippeve.ppd\"\n");
+   cupsFilePrintf(fp, "*Manufacturer: \"%s\"\n", make);
+   cupsFilePrintf(fp, "*ModelName: \"%s\"\n", model);
+   cupsFilePrintf(fp, "*Product: \"(%s)\"\n", model);

meta/recipes-extended/cups/cups/CVE-2024-47175-3.patch

@@ -0,0 +1,116 @@
+From e0630cd18f76340d302000f2bf6516e99602b844 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Mon, 9 Sep 2024 15:59:57 -0400
+Subject: [PATCH] PPDize preset and template names.
+
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/e0630cd18f76340d302000f2bf6516e99602b844]
+CVE: CVE-2024-47175
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ cups/ppd-cache.c | 33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
+index 986c64f73..18c38d0ee 100644
+--- a/cups/ppd-cache.c
++++ b/cups/ppd-cache.c
+@@ -4975,12 +4975,14 @@ _ppdCreateFromIPP2(
+ 
+       cupsArrayAdd(templates, (void *)keyword);
+ 
++      pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
++
+       snprintf(msgid, sizeof(msgid), "finishing-template.%s", keyword);
+       if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
+ 	if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
+ 	  msgstr = keyword;
+ 
+-      cupsFilePrintf(fp, "*cupsFinishingTemplate %s: \"\n", keyword);
++      cupsFilePrintf(fp, "*cupsFinishingTemplate %s: \"\n", ppdname);
+       for (finishing_attr = ippFirstAttribute(finishing_col); finishing_attr; finishing_attr = ippNextAttribute(finishing_col))
+       {
+         if (ippGetValueTag(finishing_attr) == IPP_TAG_BEGIN_COLLECTION)
+@@ -4993,7 +4995,7 @@ _ppdCreateFromIPP2(
+ 	}
+       }
+       cupsFilePuts(fp, "\"\n");
+-      cupsFilePrintf(fp, "*%s.cupsFinishingTemplate %s/%s: \"\"\n", lang->language, keyword, msgstr);
++      cupsFilePrintf(fp, "*%s.cupsFinishingTemplate %s/%s: \"\"\n", lang->language, ppdname, msgstr);
+       cupsFilePuts(fp, "*End\n");
+     }
+ 
+@@ -5039,7 +5041,8 @@ _ppdCreateFromIPP2(
+       if (!preset || !preset_name)
+         continue;
+ 
+-      cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", preset_name);
++      pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname));
++      cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", ppdname);
+       for (member = ippFirstAttribute(preset); member; member = ippNextAttribute(preset))
+       {
+         member_name = ippGetName(member);
+@@ -5080,7 +5083,10 @@ _ppdCreateFromIPP2(
+             fin_col = ippGetCollection(member, i);
+ 
+             if ((keyword = ippGetString(ippFindAttribute(fin_col, "finishing-template", IPP_TAG_ZERO), 0, NULL)) != NULL)
+-              cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", keyword);
++            {
++              pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
++              cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", ppdname);
++            }
+           }
+         }
+         else if (!strcmp(member_name, "media"))
+@@ -5107,13 +5113,13 @@ _ppdCreateFromIPP2(
+           if ((keyword = ippGetString(ippFindAttribute(media_col, "media-source", IPP_TAG_ZERO), 0, NULL)) != NULL)
+           {
+             pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+-            cupsFilePrintf(fp, "*InputSlot %s\n", keyword);
++            cupsFilePrintf(fp, "*InputSlot %s\n", ppdname);
+ 	  }
+ 
+           if ((keyword = ippGetString(ippFindAttribute(media_col, "media-type", IPP_TAG_ZERO), 0, NULL)) != NULL)
+           {
+             pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+-            cupsFilePrintf(fp, "*MediaType %s\n", keyword);
++            cupsFilePrintf(fp, "*MediaType %s\n", ppdname);
+ 	  }
+         }
+         else if (!strcmp(member_name, "print-quality"))
+@@ -5159,7 +5165,10 @@ _ppdCreateFromIPP2(
+       cupsFilePuts(fp, "\"\n*End\n");
+ 
+       if ((localized_name = _cupsMessageLookup(strings, preset_name)) != preset_name)
+-        cupsFilePrintf(fp, "*%s.APPrinterPreset %s/%s: \"\"\n", lang->language, preset_name, localized_name);
++      {
++        pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname));
++        cupsFilePrintf(fp, "*%s.APPrinterPreset %s/%s: \"\"\n", lang->language, ppdname, localized_name);
++      }
+     }
+   }
+ 
+@@ -5543,7 +5552,7 @@ pwg_ppdize_name(const char *ipp,	/* I - IPP keyword */
+ 	*end;				/* End of name buffer */
+ 
+ 
+-  if (!ipp)
++  if (!ipp || !_cups_isalnum(*ipp))
+   {
+     *name = '\0';
+     return;
+@@ -5558,8 +5567,14 @@ pwg_ppdize_name(const char *ipp,	/* I - IPP keyword */
+       ipp ++;
+       *ptr++ = (char)toupper(*ipp++ & 255);
+     }
+-    else
++    else if (*ipp == '_' || *ipp == '.' || *ipp == '-' || _cups_isalnum(*ipp))
++    {
+       *ptr++ = *ipp++;
++    }
++    else
++    {
++      ipp ++;
++    }
+   }
+ 
+   *ptr = '\0';

meta/recipes-extended/cups/cups/CVE-2024-47175-4.patch

@@ -0,0 +1,249 @@
+From 1e6ca5913eceee906038bc04cc7ccfbe2923bdfd Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Mon, 23 Sep 2024 09:36:39 -0400
+Subject: [PATCH] Quote PPD localized strings.
+
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/1e6ca5913eceee906038bc04cc7ccfbe2923bdfd]
+CVE: CVE-2024-47175
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ cups/ppd-cache.c | 93 +++++++++++++++++++++++++++---------------------
+ 1 file changed, 53 insertions(+), 40 deletions(-)
+
+diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
+index 26911b3..3933545 100644
+--- a/cups/ppd-cache.c
++++ b/cups/ppd-cache.c
+@@ -31,6 +31,7 @@
+ 
+ static int	cups_connect(http_t **http, const char *url, char *resource, size_t ressize);
+ static int	cups_get_url(http_t **http, const char *url, char *name, size_t namesize);
++static void     ppd_put_string(cups_file_t *fp, cups_lang_t *lang, cups_array_t *strings, const char *ppd_option, const char *ppd_choice, const char *pwg_msgid);
+ static void	pwg_add_finishing(cups_array_t *finishings, ipp_finishings_t template, const char *name, const char *value);
+ static void	pwg_add_message(cups_array_t *a, const char *msg, const char *str);
+ static int	pwg_compare_finishings(_pwg_finishings_t *a, _pwg_finishings_t *b);
+@@ -3275,7 +3276,7 @@ _ppdCreateFromIPP2(
+   if ((attr = ippFindAttribute(supported, "printer-charge-info-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
+     cupsFilePrintf(fp, "*cupsChargeInfoURI: \"%s\"\n", ippGetString(attr, 0, NULL));
+ 
+-  if ((attr = ippFindAttribute(supported, "printer-strings-uri", IPP_TAG_URI)) != NULL)
++  if ((attr = ippFindAttribute(supported, "printer-strings-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
+   {
+     http_t	*http = NULL;		/* Connection to printer */
+     char	stringsfile[1024];	/* Temporary strings file */
+@@ -3319,7 +3320,7 @@ _ppdCreateFromIPP2(
+ 
+           response = cupsDoRequest(http, request, resource);
+ 
+-          if ((attr = ippFindAttribute(response, "printer-strings-uri", IPP_TAG_URI)) != NULL)
++          if ((attr = ippFindAttribute(response, "printer-strings-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
+           {
+ 	    cupsFilePrintf(fp, "*cupsStringsURI %s: \"%s\"\n", keyword, ippGetString(attr, 0, NULL));
+           }
+@@ -3909,18 +3910,16 @@ _ppdCreateFromIPP2(
+ 	cupsFilePrintf(fp, "*DefaultInputSlot: %s\n", ppdname);
+ 
+       for (j = 0; j < (int)(sizeof(sources) / sizeof(sources[0])); j ++)
++      {
+         if (!strcmp(sources[j], keyword))
+ 	{
+ 	  snprintf(msgid, sizeof(msgid), "media-source.%s", keyword);
+ 
+-	  if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
+-	    if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
+-	      msgstr = keyword;
+-
+ 	  cupsFilePrintf(fp, "*InputSlot %s: \"<</MediaPosition %d>>setpagedevice\"\n", ppdname, j);
+-	  cupsFilePrintf(fp, "*%s.InputSlot %s/%s: \"\"\n", lang->language, ppdname, msgstr);
++	  ppd_put_string(fp, lang, strings, "InputSlot", ppdname, msgid);
+ 	  break;
+ 	}
++      }
+     }
+     cupsFilePuts(fp, "*CloseUI: *InputSlot\n");
+   }
+@@ -3946,12 +3945,9 @@ _ppdCreateFromIPP2(
+       pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+ 
+       snprintf(msgid, sizeof(msgid), "media-type.%s", keyword);
+-      if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
+-	if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
+-	  msgstr = keyword;
+ 
+       cupsFilePrintf(fp, "*MediaType %s: \"<</MediaType(%s)>>setpagedevice\"\n", ppdname, ppdname);
+-      cupsFilePrintf(fp, "*%s.MediaType %s/%s: \"\"\n", lang->language, ppdname, msgstr);
++      ppd_put_string(fp, lang, strings, "MediaType", ppdname, msgid);
+     }
+     cupsFilePuts(fp, "*CloseUI: *MediaType\n");
+   }
+@@ -4411,12 +4407,9 @@ _ppdCreateFromIPP2(
+       pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+ 
+       snprintf(msgid, sizeof(msgid), "output-bin.%s", keyword);
+-      if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
+-	if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
+-	  msgstr = keyword;
+ 
+       cupsFilePrintf(fp, "*OutputBin %s: \"\"\n", ppdname);
+-      cupsFilePrintf(fp, "*%s.OutputBin %s/%s: \"\"\n", lang->language, ppdname, msgstr);
++      ppd_put_string(fp, lang, strings, "OutputBin", ppdname, msgid);
+ 
+       if ((tray_ptr = ippGetOctetString(trays, i, &tray_len)) != NULL)
+       {
+@@ -4535,9 +4528,6 @@ _ppdCreateFromIPP2(
+         cupsArrayAdd(names, (char *)keyword);
+ 
+ 	snprintf(msgid, sizeof(msgid), "finishings.%d", value);
+-	if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
+-	  if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
+-	    msgstr = keyword;
+ 
+         if (value >= IPP_FINISHINGS_NONE && value <= IPP_FINISHINGS_LAMINATE)
+           ppd_keyword = base_keywords[value - IPP_FINISHINGS_NONE];
+@@ -4552,7 +4542,7 @@ _ppdCreateFromIPP2(
+           continue;
+ 
+ 	cupsFilePrintf(fp, "*StapleLocation %s: \"\"\n", ppd_keyword);
+-	cupsFilePrintf(fp, "*%s.StapleLocation %s/%s: \"\"\n", lang->language, ppd_keyword, msgstr);
++	ppd_put_string(fp, lang, strings, "StapleLocation", ppd_keyword, msgid);
+ 	cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*StapleLocation %s\"\n", value, keyword, ppd_keyword);
+       }
+ 
+@@ -4615,9 +4605,6 @@ _ppdCreateFromIPP2(
+         cupsArrayAdd(names, (char *)keyword);
+ 
+ 	snprintf(msgid, sizeof(msgid), "finishings.%d", value);
+-	if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
+-	  if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
+-	    msgstr = keyword;
+ 
+         if (value >= IPP_FINISHINGS_NONE && value <= IPP_FINISHINGS_LAMINATE)
+           ppd_keyword = base_keywords[value - IPP_FINISHINGS_NONE];
+@@ -4632,7 +4619,7 @@ _ppdCreateFromIPP2(
+           continue;
+ 
+ 	cupsFilePrintf(fp, "*FoldType %s: \"\"\n", ppd_keyword);
+-	cupsFilePrintf(fp, "*%s.FoldType %s/%s: \"\"\n", lang->language, ppd_keyword, msgstr);
++	ppd_put_string(fp, lang, strings, "FoldType", ppd_keyword, msgid);
+ 	cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*FoldType %s\"\n", value, keyword, ppd_keyword);
+       }
+ 
+@@ -4703,9 +4690,6 @@ _ppdCreateFromIPP2(
+         cupsArrayAdd(names, (char *)keyword);
+ 
+ 	snprintf(msgid, sizeof(msgid), "finishings.%d", value);
+-	if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
+-	  if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
+-	    msgstr = keyword;
+ 
+         if (value >= IPP_FINISHINGS_NONE && value <= IPP_FINISHINGS_LAMINATE)
+           ppd_keyword = base_keywords[value - IPP_FINISHINGS_NONE];
+@@ -4720,7 +4704,7 @@ _ppdCreateFromIPP2(
+           continue;
+ 
+ 	cupsFilePrintf(fp, "*PunchMedia %s: \"\"\n", ppd_keyword);
+-	cupsFilePrintf(fp, "*%s.PunchMedia %s/%s: \"\"\n", lang->language, ppd_keyword, msgstr);
++	ppd_put_string(fp, lang, strings, "PunchMedia", ppd_keyword, msgid);
+ 	cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*PunchMedia %s\"\n", value, keyword, ppd_keyword);
+       }
+ 
+@@ -4791,9 +4775,6 @@ _ppdCreateFromIPP2(
+         cupsArrayAdd(names, (char *)keyword);
+ 
+ 	snprintf(msgid, sizeof(msgid), "finishings.%d", value);
+-	if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
+-	  if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
+-	    msgstr = keyword;
+ 
+         if (value == IPP_FINISHINGS_TRIM)
+           ppd_keyword = "Auto";
+@@ -4801,7 +4782,7 @@ _ppdCreateFromIPP2(
+ 	  ppd_keyword = trim_keywords[value - IPP_FINISHINGS_TRIM_AFTER_PAGES];
+ 
+ 	cupsFilePrintf(fp, "*CutMedia %s: \"\"\n", ppd_keyword);
+-	cupsFilePrintf(fp, "*%s.CutMedia %s/%s: \"\"\n", lang->language, ppd_keyword, msgstr);
++	ppd_put_string(fp, lang, strings, "CutMedia", ppd_keyword, msgid);
+ 	cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*CutMedia %s\"\n", value, keyword, ppd_keyword);
+       }
+ 
+@@ -4843,9 +4824,6 @@ _ppdCreateFromIPP2(
+       pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+ 
+       snprintf(msgid, sizeof(msgid), "finishing-template.%s", keyword);
+-      if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
+-	if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
+-	  msgstr = keyword;
+ 
+       cupsFilePrintf(fp, "*cupsFinishingTemplate %s: \"\n", ppdname);
+       for (finishing_attr = ippFirstAttribute(finishing_col); finishing_attr; finishing_attr = ippNextAttribute(finishing_col))
+@@ -4860,7 +4838,7 @@ _ppdCreateFromIPP2(
+ 	}
+       }
+       cupsFilePuts(fp, "\"\n");
+-      cupsFilePrintf(fp, "*%s.cupsFinishingTemplate %s/%s: \"\"\n", lang->language, ppdname, msgstr);
++      ppd_put_string(fp, lang, strings, "cupsFinishingTemplate", ppdname, msgid);
+       cupsFilePuts(fp, "*End\n");
+     }
+ 
+@@ -5029,11 +5007,9 @@ _ppdCreateFromIPP2(
+ 
+       cupsFilePuts(fp, "\"\n*End\n");
+ 
+-      if ((localized_name = _cupsMessageLookup(strings, preset_name)) != preset_name)
+-      {
+-        pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname));
+-        cupsFilePrintf(fp, "*%s.APPrinterPreset %s/%s: \"\"\n", lang->language, ppdname, localized_name);
+-      }
++      snprintf(msgid, sizeof(msgid), "preset-name.%s", preset_name);
++      pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname));
++      ppd_put_string(fp, lang, strings, "APPrinterPreset", ppdname, msgid);
+     }
+   }
+ 
+@@ -5290,6 +5266,43 @@ cups_get_url(http_t     **http,		/* IO - Current HTTP connection */
+ }
+ 
+ 
++/*
++ * 'ppd_put_strings()' - Write localization attributes to a PPD file.
++ */
++
++static void
++ppd_put_string(cups_file_t  *fp,	/* I - PPD file */
++               cups_lang_t  *lang,	/* I - Language */
++               cups_array_t *strings,	/* I - Strings */
++	       const char   *ppd_option,/* I - PPD option */
++	       const char   *ppd_choice,/* I - PPD choice */
++	       const char   *pwg_msgid)	/* I - PWG message ID */
++{
++  const char	*text;			/* Localized text */
++
++
++  if ((text = _cupsLangString(lang, pwg_msgid)) == pwg_msgid || !strcmp(pwg_msgid, text))
++  {
++    if ((text = _cupsMessageLookup(strings, pwg_msgid)) == pwg_msgid)
++      return;
++  }
++
++  // Add the first line of localized text...
++  cupsFilePrintf(fp, "*%s.%s %s/", lang->language, ppd_option, ppd_choice);
++  while (*text && *text != '\n')
++  {
++    // Escape ":" and "<"...
++    if (*text == ':' || *text == '<')
++      cupsFilePrintf(fp, "<%02X>", *text);
++    else
++      cupsFilePutChar(fp, *text);
++
++    text ++;
++  }
++  cupsFilePuts(fp, ": \"\"\n");
++}
++
++
+ /*
+  * 'pwg_add_finishing()' - Add a finishings value.
+  */
+-- 
+2.25.1
+

meta/recipes-extended/cups/cups/CVE-2024-47175-5.patch

@@ -0,0 +1,37 @@
+From 2abe1ba8a66864aa82cd9836b37e57103b8e1a3b Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Mon, 23 Sep 2024 10:11:31 -0400
+Subject: [PATCH] Fix warnings for unused vars.
+
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/2abe1ba8a66864aa82cd9836b37e57103b8e1a3b]
+CVE: CVE-2024-47175
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ cups/ppd-cache.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
+index 85ede0f18..a6163a0e1 100644
+--- a/cups/ppd-cache.c
++++ b/cups/ppd-cache.c
+@@ -3222,8 +3222,7 @@ _ppdCreateFromIPP2(
+   int			have_qdraft = 0,/* Have draft quality? */
+ 			have_qhigh = 0;	/* Have high quality? */
+   char			msgid[256];	/* Message identifier (attr.value) */
+-  const char		*keyword,	/* Keyword value */
+-			*msgstr;	/* Localized string */
++  const char		*keyword;	/* Keyword value */
+   cups_array_t		*strings = NULL;/* Printer strings file */
+   struct lconv		*loc = localeconv();
+ 					/* Locale data */
+@@ -5009,9 +5008,8 @@ _ppdCreateFromIPP2(
+     {
+       ipp_t	*preset = ippGetCollection(attr, i);
+ 					/* Preset collection */
+-      const char *preset_name = ippGetString(ippFindAttribute(preset, "preset-name", IPP_TAG_ZERO), 0, NULL),
++      const char *preset_name = ippGetString(ippFindAttribute(preset, "preset-name", IPP_TAG_ZERO), 0, NULL);
+ 					/* Preset name */
+-		*localized_name;	/* Localized preset name */
+       ipp_attribute_t *member;		/* Member attribute in preset */
+       const char *member_name;		/* Member attribute name */
+       char      	member_value[256];	/* Member attribute value */

meta/recipes-extended/procps/procps/CVE-2023-4016-2.patch

@@ -0,0 +1,60 @@
+From 93bb86a37a0cf7b9c71e374f3c9aac7dbfe2953a Mon Sep 17 00:00:00 2001
+From: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
+Date: Fri, 27 Sep 2024 14:22:32 +0800
+Subject: [PATCH] procps: patch CVE-2023-4016
+
+ps/parser: parse_list(): int overflow for large arg, free() of uninit. ptr
+
+* ps/parser.c:parse_list(): Regression (2c933ecb): node->u is uninitialized at
+  free(node->u) when reached before node->u=xcalloc().
+* ps/parser.c:parse_list(): When "arg" is very long, CVE-2023-4016 is triggered.
+  2c933ecb handles the multiplication issue, but there is still the possibility
+  of int overflow when incrementing "items".
+
+CVE: CVE-2023-4016
+
+Upstream-Status: Backport [https://gitlab.com/procps-ng/procps/-/commit/f5f843e257daeceaac2504b8957e84f4bf87a8f2]
+
+Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
+---
+ include/xalloc.h | 2 +-
+ ps/parser.c      | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/include/xalloc.h b/include/xalloc.h
+index 8b4d368f..a8046892 100644
+--- a/include/xalloc.h
++++ b/include/xalloc.h
+@@ -42,7 +42,7 @@ void *xcalloc(const size_t nelems, const size_t size)
+ {
+ 	void *ret = calloc(nelems, size);
+ 	if (!ret && size && nelems)
+-		xerrx(XALLOC_EXIT_CODE, "cannot allocate %zu bytes", size);
++		xerrx(XALLOC_EXIT_CODE, "cannot allocate %zu bytes", nelems*size);
+ 	return ret;
+ }
+ 
+diff --git a/ps/parser.c b/ps/parser.c
+index 5c92fce4..a94b49ff 100644
+--- a/ps/parser.c
++++ b/ps/parser.c
+@@ -185,6 +185,7 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
+   /*** prepare to operate ***/
+   node = malloc(sizeof(selection_node));
+   node->n = 0;
++  node->u = NULL;
+   buf = strdup(arg);
+   /*** sanity check and count items ***/
+   need_item = 1; /* true */
+@@ -198,7 +199,7 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
+       need_item=1;
+       break;
+     default:
+-      if(need_item) items++;
++      if(need_item && items<INT_MAX) items++;
+       need_item=0;
+     }
+   } while (*++walk);
+-- 
+2.34.1
+

meta/recipes-extended/procps/procps_3.3.17.bb

@@ -17,6 +17,7 @@ SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https;branch=master \
            file://0001-w.c-correct-musl-builds.patch \
            file://0002-proc-escape.c-add-missing-include.patch \
            file://CVE-2023-4016.patch \
+           file://CVE-2023-4016-2.patch \
            "
 SRCREV = "19a508ea121c0c4ac6d0224575a036de745eaaf8"
 
@@ -101,4 +102,4 @@ ALTERNATIVE_LINK_NAME[ps] = "${base_bindir}/ps"
 
 ALTERNATIVE:${PN}-sysctl = "sysctl"
 ALTERNATIVE_TARGET[sysctl] = "${base_sbindir}/sysctl"
-ALTERNATIVE_LINK_NAME[sysctl] = "${base_sbindir}/sysctl"
+ALTERNATIVE_LINK_NAME[sysctl] = "${base_sbindir}/sysctl"

meta/recipes-extended/unzip/unzip_6.0.bb

@@ -2,7 +2,7 @@ SUMMARY = "Utilities for extracting and viewing files in .zip archives"
 HOMEPAGE = "http://www.info-zip.org"
 DESCRIPTION = "Info-ZIP's purpose is to provide free, portable, high-quality versions of the Zip and UnZip compressor-archiver utilities that are compatible with the DOS-based PKZIP by PKWARE, Inc."
 SECTION = "console/utils"
-LICENSE = "BSD-3-Clause"
+LICENSE = "Info-ZIP"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=94caec5a51ef55ef711ee4e8b1c69e29"
 PE = "1"
 PR = "r5"

meta/recipes-extended/zip/zip_3.0.bb

@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.info-zip.org"
 DESCRIPTION = "Info-ZIP's purpose is to provide free, portable, high-quality versions of the Zip and UnZip compressor-archiver utilities that are compatible with the DOS-based PKZIP by PKWARE, Inc."
 SECTION = "console/utils"
 
-LICENSE = "BSD-3-Clause"
+LICENSE = "Info-ZIP"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=04d43c5d70b496c032308106e26ae17d"
 
 PR = "r2"

meta/recipes-extended/zstd/zstd_1.5.2.bb

@@ -5,7 +5,7 @@ It's backed by a very fast entropy stage, provided by Huff0 and FSE library."
 HOMEPAGE = "http://www.zstd.net/"
 SECTION = "console/utils"
 
-LICENSE = "BSD-3-Clause & GPL-2.0-only"
+LICENSE = "BSD-3-Clause | GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c7f0b161edbe52f5f345a3d1311d0b32 \
                     file://COPYING;md5=39bba7d2cf0ba1036f2a6e2be52fe3f0"