build-appliance-image: Update to daisy head revision

(From OE-Core rev: 5a577ec878a15f3caaf4893b819825ffb8c81266)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

bitbake/lib/bb/data.py

@@ -231,6 +231,7 @@ def emit_var(var, o=sys.__stdout__, d = init(), all=False):
     # to a shell, we need to escape the quotes in the var
     alter = re.sub('"', '\\"', val)
     alter = re.sub('\n', ' \\\n', alter)
+    alter = re.sub('\\$', '\\\\$', alter)
     o.write('%s="%s"\n' % (varExpanded, alter))
     return 0
 

bitbake/lib/bb/fetch2/git.py

@@ -245,7 +245,7 @@ class Git(FetchMethod):
         subdir = ud.parm.get("subpath", "")
         if subdir != "":
             readpathspec = ":%s" % (subdir)
-            def_destsuffix = "%s/" % os.path.basename(subdir)
+            def_destsuffix = "%s/" % os.path.basename(subdir.rstrip('/'))
         else:
             readpathspec = ""
             def_destsuffix = "git/"

bitbake/lib/bb/tests/utils.py

@@ -21,6 +21,7 @@
 
 import unittest
 import bb
+import os
 
 class VerCmpString(unittest.TestCase):
 
@@ -51,3 +52,52 @@ class VerCmpString(unittest.TestCase):
         result = bb.utils.explode_dep_versions2("foo ( =1.10 )")
         self.assertEqual(result, correctresult)
 
+    def test_vercmp_string_op(self):
+        compareops = [('1', '1', '=', True),
+                      ('1', '1', '==', True),
+                      ('1', '1', '!=', False),
+                      ('1', '1', '>', False),
+                      ('1', '1', '<', False),
+                      ('1', '1', '>=', True),
+                      ('1', '1', '<=', True),
+                      ('1', '0', '=', False),
+                      ('1', '0', '==', False),
+                      ('1', '0', '!=', True),
+                      ('1', '0', '>', True),
+                      ('1', '0', '<', False),
+                      ('1', '0', '>>', True),
+                      ('1', '0', '<<', False),
+                      ('1', '0', '>=', True),
+                      ('1', '0', '<=', False),
+                      ('0', '1', '=', False),
+                      ('0', '1', '==', False),
+                      ('0', '1', '!=', True),
+                      ('0', '1', '>', False),
+                      ('0', '1', '<', True),
+                      ('0', '1', '>>', False),
+                      ('0', '1', '<<', True),
+                      ('0', '1', '>=', False),
+                      ('0', '1', '<=', True)]
+
+        for arg1, arg2, op, correctresult in compareops:
+            result = bb.utils.vercmp_string_op(arg1, arg2, op)
+            self.assertEqual(result, correctresult, 'vercmp_string_op("%s", "%s", "%s") != %s' % (arg1, arg2, op, correctresult))
+
+        # Check that clearly invalid operator raises an exception
+        self.assertRaises(bb.utils.VersionStringException, bb.utils.vercmp_string_op, '0', '0', '$')
+
+
+class Path(unittest.TestCase):
+    def test_unsafe_delete_path(self):
+        checkitems = [('/', True),
+                      ('//', True),
+                      ('///', True),
+                      (os.getcwd().count(os.sep) * ('..' + os.sep), True),
+                      (os.environ.get('HOME', '/home/test'), True),
+                      ('/home/someone', True),
+                      ('/home/other/', True),
+                      ('/home/other/subdir', False),
+                      ('', False)]
+        for arg1, correctresult in checkitems:
+            result = bb.utils._check_unsafe_delete_path(arg1)
+            self.assertEqual(result, correctresult, '_check_unsafe_delete_path("%s") != %s' % (arg1, correctresult))

bitbake/lib/bb/utils.py

@@ -578,11 +578,30 @@ def build_environment(d):
         if export:
             os.environ[var] = d.getVar(var, True) or ""
 
+def _check_unsafe_delete_path(path):
+    """
+    Basic safeguard against recursively deleting something we shouldn't. If it returns True,
+    the caller should raise an exception with an appropriate message.
+    NOTE: This is NOT meant to be a security mechanism - just a guard against silly mistakes
+    with potentially disastrous results.
+    """
+    extra = ''
+    # HOME might not be /home/something, so in case we can get it, check against it
+    homedir = os.environ.get('HOME', '')
+    if homedir:
+        extra = '|%s' % homedir
+    if re.match('(/|//|/home|/home/[^/]*%s)$' % extra, os.path.abspath(path)):
+        return True
+    return False
+
 def remove(path, recurse=False):
     """Equivalent to rm -f or rm -rf"""
     if not path:
         return
     if recurse:
+        for name in glob.glob(path):
+            if _check_unsafe_delete_path(path):
+                raise Exception('bb.utils.remove: called with dangerous path "%s" and recurse=True, refusing to delete!' % path)
         # shutil.rmtree(name) would be ideal but its too slow
         subprocess.call(['rm', '-rf'] + glob.glob(path))
         return
@@ -596,6 +615,8 @@ def remove(path, recurse=False):
 def prunedir(topdir):
     # Delete everything reachable from the directory named in 'topdir'.
     # CAUTION:  This is dangerous!
+    if _check_unsafe_delete_path(topdir):
+        raise Exception('bb.utils.prunedir: called with dangerous path "%s", refusing to delete!' % topdir)
     for root, dirs, files in os.walk(topdir, topdown = False):
         for name in files:
             os.remove(os.path.join(root, name))

documentation/adt-manual/adt-manual-customization.xsl

@@ -1,7 +1,7 @@
 <?xml version='1.0'?>
 <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
-  
-  <xsl:import href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl" />
+
+  <xsl:import href="http://docbook.sourceforge.net/release/xsl/1.76.1/xhtml/docbook.xsl" />
 
   <xsl:param name="html.stylesheet" select="'adt-style.css'" />
   <xsl:param name="chapter.autolabel" select="1" />

documentation/adt-manual/adt-manual.xml

@@ -86,6 +86,11 @@
                 <date>November 2014</date>
                 <revremark>Released with the Yocto Project 1.6.2 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>1.6.3</revnumber>
+                <date>May 2015</date>
+                <revremark>Released with the Yocto Project 1.6.3 Release.</revremark>
+            </revision>
        </revhistory>
 
     <copyright>

documentation/bsp-guide/bsp-guide-customization.xsl

@@ -1,7 +1,7 @@
 <?xml version='1.0'?>
 <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
-  
-  <xsl:import href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl" />
+
+  <xsl:import href="http://docbook.sourceforge.net/release/xsl/1.76.1/xhtml/docbook.xsl" />
 
   <xsl:param name="html.stylesheet" select="'bsp-style.css'" />
   <xsl:param name="chapter.autolabel" select="1" />

documentation/bsp-guide/bsp-guide.xml

@@ -98,6 +98,11 @@
                 <date>November 2014</date>
                 <revremark>Released with the Yocto Project 1.6.2 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>1.6.3</revnumber>
+                <date>May 2015</date>
+                <revremark>Released with the Yocto Project 1.6.3 Release.</revremark>
+            </revision>
         </revhistory>
 
     <copyright>

documentation/dev-manual/dev-manual-customization.xsl

@@ -1,7 +1,7 @@
 <?xml version='1.0'?>
 <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
-  
-  <xsl:import href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl" />
+
+  <xsl:import href="http://docbook.sourceforge.net/release/xsl/1.76.1/xhtml/docbook.xsl" />
 
   <xsl:param name="html.stylesheet" select="'dev-style.css'" />
   <xsl:param name="chapter.autolabel" select="1" />

documentation/dev-manual/dev-manual.xml

@@ -76,6 +76,11 @@
                 <date>November 2014</date>
                 <revremark>Released with the Yocto Project 1.6.2 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>1.6.3</revnumber>
+                <date>May 2015</date>
+                <revremark>Released with the Yocto Project 1.6.3 Release.</revremark>
+            </revision>
         </revhistory>
 
     <copyright>

documentation/kernel-dev/kernel-dev-customization.xsl

@@ -1,7 +1,7 @@
 <?xml version='1.0'?>
 <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
 
-  <xsl:import href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl" />
+  <xsl:import href="http://docbook.sourceforge.net/release/xsl/1.76.1/xhtml/docbook.xsl" />
 
   <xsl:param name="html.stylesheet" select="'kernel-dev-style.css'" />
   <xsl:param name="chapter.autolabel" select="1" />

documentation/kernel-dev/kernel-dev.xml

@@ -61,6 +61,11 @@
                 <date>November 2014</date>
                 <revremark>Released with the Yocto Project 1.6.2 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>1.6.3</revnumber>
+                <date>May 2015</date>
+                <revremark>Released with the Yocto Project 1.6.3 Release.</revremark>
+            </revision>
         </revhistory>
 
     <copyright>

documentation/mega-manual/mega-manual-customization.xsl

@@ -1,8 +1,8 @@
 <?xml version='1.0'?>
 <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
-  
-  <xsl:import href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl" />
 
-  <xsl:param name="generate.toc" select="'chapter toc'"></xsl:param>  
+  <xsl:import href="http://docbook.sourceforge.net/release/xsl/1.76.1/xhtml/docbook.xsl" />
+
+  <xsl:param name="generate.toc" select="'chapter toc'"></xsl:param>
 
 </xsl:stylesheet>

documentation/poky.ent

@@ -1,11 +1,11 @@
-<!ENTITY DISTRO "1.6.2">
-<!ENTITY DISTRO_COMPRESSED "162">
+<!ENTITY DISTRO "1.6.3">
+<!ENTITY DISTRO_COMPRESSED "163">
 <!ENTITY DISTRO_NAME "daisy">
-<!ENTITY YOCTO_DOC_VERSION "1.6.2">
-<!ENTITY POKYVERSION "11.0.2">
-<!ENTITY POKYVERSION_COMPRESSED "1102">
+<!ENTITY YOCTO_DOC_VERSION "1.6.3">
+<!ENTITY POKYVERSION "11.0.3">
+<!ENTITY POKYVERSION_COMPRESSED "1103">
 <!ENTITY YOCTO_POKY "poky-&DISTRO_NAME;-&POKYVERSION;">
-<!ENTITY COPYRIGHT_YEAR "2010-2014">
+<!ENTITY COPYRIGHT_YEAR "2010-2015">
 <!ENTITY YOCTO_DL_URL "http://downloads.yoctoproject.org">
 <!ENTITY YOCTO_HOME_URL "http://www.yoctoproject.org">
 <!ENTITY YOCTO_LISTS_URL "http://lists.yoctoproject.org">

documentation/profile-manual/profile-manual-customization.xsl

@@ -1,7 +1,7 @@
 <?xml version='1.0'?>
 <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
 
-  <xsl:import href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl" />
+  <xsl:import href="http://docbook.sourceforge.net/release/xsl/1.76.1/xhtml/docbook.xsl" />
 
   <xsl:param name="html.stylesheet" select="'profile-manual-style.css'" />
   <xsl:param name="chapter.autolabel" select="1" />

documentation/profile-manual/profile-manual.xml

@@ -61,6 +61,11 @@
                 <date>November 2014</date>
                 <revremark>Released with the Yocto Project 1.6.2 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>1.6.3</revnumber>
+                <date>May 2015</date>
+                <revremark>Released with the Yocto Project 1.6.3 Release.</revremark>
+            </revision>
         </revhistory>
 
     <copyright>

documentation/ref-manual/ref-classes.xml

@@ -1073,7 +1073,7 @@
         <link linkend='var-ICECC_DISABLED'><filename>ICECC_DISABLED</filename></link>
         variable to "1" as follows:
         <literallayout class='monospaced'>
-     INHERIT_DISTRO += "icecc"
+     INHERIT_DISTRO_append = " icecc"
      ICECC_DISABLED ??= "1"
         </literallayout>
         This practice makes sure everyone is using the same signatures but also
@@ -2107,7 +2107,7 @@
     <title><filename>package_rpm.bbclass</filename></title>
 
     <para>
-        The <filename>package_deb</filename> class
+        The <filename>package_rpm</filename> class
         provides support for creating packages that use the
         <filename>.rpm</filename> file format.
         The class ensures the packages are written out to the

documentation/ref-manual/ref-manual-customization.xsl

@@ -1,7 +1,7 @@
 <?xml version='1.0'?>
 <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
-  
-  <xsl:import href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl" />
+
+  <xsl:import href="http://docbook.sourceforge.net/release/xsl/1.76.1/xhtml/docbook.xsl" />
 
   <xsl:param name="html.stylesheet" select="'ref-style.css'" />
   <xsl:param name="chapter.autolabel" select="1" />

documentation/ref-manual/ref-manual.xml

@@ -92,6 +92,11 @@
                 <date>November 2014</date>
                 <revremark>Released with the Yocto Project 1.6.2 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>1.6.3</revnumber>
+                <date>May 2015</date>
+                <revremark>Released with the Yocto Project 1.6.3 Release.</revremark>
+            </revision>
         </revhistory>
 
     <copyright>

documentation/tools/mega-manual.sed

@@ -2,30 +2,30 @@
 # This style is for manual folders like "yocto-project-qs" and "poky-ref-manual".
 # This is the old way that did it.  Can't do that now that we have "bitbake-user-manual" strings
 # in the mega-manual.
-# s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.2\/[a-z]*-[a-z]*-[a-z]*\/[a-z]*-[a-z]*-[a-z]*.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.2\/yocto-project-qs\/yocto-project-qs.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.2\/poky-ref-manual\/poky-ref-manual.html#/\"link\" href=\"#/g
+# s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.3\/[a-z]*-[a-z]*-[a-z]*\/[a-z]*-[a-z]*-[a-z]*.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.3\/yocto-project-qs\/yocto-project-qs.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.3\/poky-ref-manual\/poky-ref-manual.html#/\"link\" href=\"#/g
 
 # Processes all other manuals (<word>-<word> style) except for the BitBake User Manual because
 # it is not included in the mega-manual.
 # This style is for manual folders that use two word, which is the standard now (e.g. "ref-manual").
 # This was the one-liner that worked before we introduced the BitBake User Manual, which is
 # not in the mega-manual.
-# s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.2\/[a-z]*-[a-z]*\/[a-z]*-[a-z]*.html#/\"link\" href=\"#/g
+# s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.3\/[a-z]*-[a-z]*\/[a-z]*-[a-z]*.html#/\"link\" href=\"#/g
 
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.2\/adt-manual\/adt-manual.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.2\/bsp-guide\/bsp-guide.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.2\/dev-manual\/dev-manual.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.2\/kernel-dev\/kernel-dev.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.2\/profile-manual\/profile-manual.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.2\/ref-manual\/ref-manual.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.2\/yocto-project-qs\/yocto-project-qs.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.3\/adt-manual\/adt-manual.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.3\/bsp-guide\/bsp-guide.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.3\/dev-manual\/dev-manual.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.3\/kernel-dev\/kernel-dev.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.3\/profile-manual\/profile-manual.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.3\/ref-manual\/ref-manual.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.3\/yocto-project-qs\/yocto-project-qs.html#/\"link\" href=\"#/g
 
 # Process cases where just an external manual is referenced without an id anchor
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.2\/yocto-project-qs\/yocto-project-qs.html\" target=\"_top\">Yocto Project Quick Start<\/a>/Yocto Project Quick Start/g
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.2\/dev-manual\/dev-manual.html\" target=\"_top\">Yocto Project Development Manual<\/a>/Yocto Project Development Manual/g
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.2\/adt-manual\/adt-manual.html\" target=\"_top\">Yocto Project Application Developer's Guide<\/a>/Yocto Project Application Developer's Guide/g
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.2\/bsp-guide\/bsp-guide.html\" target=\"_top\">Yocto Project Board Support Package (BSP) Developer's Guide<\/a>/Yocto Project Board Support Package (BSP) Developer's Guide/g
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.2\/profile-manual\/profile-manual.html\" target=\"_top\">Yocto Project Profiling and Tracing Manual<\/a>/Yocto Project Profiling and Tracing Manual/g
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.2\/kernel-dev\/kernel-dev.html\" target=\"_top\">Yocto Project Linux Kernel Development Manual<\/a>/Yocto Project Linux Kernel Development Manual/g
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.2\/ref-manual\/ref-manual.html\" target=\"_top\">Yocto Project Reference Manual<\/a>/Yocto Project Reference Manual/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.3\/yocto-project-qs\/yocto-project-qs.html\" target=\"_top\">Yocto Project Quick Start<\/a>/Yocto Project Quick Start/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.3\/dev-manual\/dev-manual.html\" target=\"_top\">Yocto Project Development Manual<\/a>/Yocto Project Development Manual/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.3\/adt-manual\/adt-manual.html\" target=\"_top\">Yocto Project Application Developer's Guide<\/a>/Yocto Project Application Developer's Guide/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.3\/bsp-guide\/bsp-guide.html\" target=\"_top\">Yocto Project Board Support Package (BSP) Developer's Guide<\/a>/Yocto Project Board Support Package (BSP) Developer's Guide/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.3\/profile-manual\/profile-manual.html\" target=\"_top\">Yocto Project Profiling and Tracing Manual<\/a>/Yocto Project Profiling and Tracing Manual/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.3\/kernel-dev\/kernel-dev.html\" target=\"_top\">Yocto Project Linux Kernel Development Manual<\/a>/Yocto Project Linux Kernel Development Manual/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.6.3\/ref-manual\/ref-manual.html\" target=\"_top\">Yocto Project Reference Manual<\/a>/Yocto Project Reference Manual/g

documentation/yocto-project-qs/yocto-project-qs-customization.xsl

@@ -1,7 +1,7 @@
 <?xml version='1.0'?>
 <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
-  
-  <xsl:import href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl" />
+
+  <xsl:import href="http://docbook.sourceforge.net/release/xsl/1.76.1/xhtml/docbook.xsl" />
   <xsl:import href="yocto-project-qs-titlepage.xsl"/>
 
   <xsl:param name="generate.toc" select="'article nop'"></xsl:param>

meta/classes/image_types.bbclass

@@ -57,8 +57,8 @@ IMAGE_CMD_ext3 = "oe_mkext234fs ext3 ${EXTRA_IMAGECMD}"
 IMAGE_CMD_ext4 = "oe_mkext234fs ext4 ${EXTRA_IMAGECMD}"
 
 IMAGE_CMD_btrfs () {
-	touch ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.rootfs.btrfs
-	mkfs.btrfs -b `expr ${ROOTFS_SIZE} \* 1024` ${EXTRA_IMAGECMD} -r ${IMAGE_ROOTFS} ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.rootfs.btrfs
+	dd if=/dev/zero of=${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.rootfs.btrfs count=${ROOTFS_SIZE} bs=1024
+	mkfs.btrfs ${EXTRA_IMAGECMD} -r ${IMAGE_ROOTFS} ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.rootfs.btrfs
 }
 
 IMAGE_CMD_squashfs = "mksquashfs ${IMAGE_ROOTFS} ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.rootfs.squashfs ${EXTRA_IMAGECMD} -noappend"

meta/classes/update-rc.d.bbclass

@@ -1,7 +1,8 @@
 UPDATERCPN ?= "${PN}"
 
 DEPENDS_append = " update-rc.d-native"
-DEPENDS_append_class-target = " initscripts"
+VIRTUAL-RUNTIME_initscripts ?= "initscripts"
+DEPENDS_append_class-target = " ${VIRTUAL-RUNTIME_initscripts}"
 UPDATERCD = "update-rc.d"
 UPDATERCD_class-cross = ""
 UPDATERCD_class-native = ""

meta/classes/utils.bbclass

@@ -259,11 +259,11 @@ create_cmdline_wrapper () {
 	echo "Generating wrapper script for $cmd"
 
 	mv $cmd $cmd.real
-	cmdname=`basename $cmd`.real
+	cmdname=`basename $cmd`
 	cat <<END >$cmd
 #!/bin/bash
 realpath=\`readlink -fn \$0\`
-exec -a $cmd \`dirname \$realpath\`/$cmdname $@ "\$@"
+exec -a \`dirname \$realpath\`/$cmdname \`dirname \$realpath\`/$cmdname.real $@ "\$@"
 END
 	chmod +x $cmd
 }

meta/conf/distro/include/security_flags.inc

@@ -19,7 +19,7 @@ SECURITY_CFLAGS_pn-beecrypt = "${SECURITY_NO_PIE_CFLAGS}"
 # Curl seems to check for FORTIFY_SOURCE in CFLAGS, but even assigned
 # to CPPFLAGS it gets picked into CFLAGS in bitbake.
 #TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2"
-SECURITY_CFLAGS_pn-cups = "${SECURITY_NO_PIE_CLAGS}"
+SECURITY_CFLAGS_pn-cups = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie"
 SECURITY_CFLAGS_pn-db = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-directfb = "${SECURITY_NO_PIE_CFLAGS}"

meta/lib/oe/package_manager.py

@@ -519,6 +519,9 @@ class PackageManager(object):
         cmd = [bb.utils.which(os.getenv('PATH'), "oe-pkgdata-util"),
                "glob", self.d.getVar('PKGDATA_DIR', True), installed_pkgs_file,
                globs]
+        exclude = self.d.getVar('PACKAGE_EXCLUDE_COMPLEMENTARY', True)
+        if exclude:
+            cmd.extend(['-x', exclude])
         try:
             bb.note("Installing complementary packages ...")
             complementary_pkgs = subprocess.check_output(cmd, stderr=subprocess.STDOUT)

meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch

@@ -0,0 +1,990 @@
+From 603a0e2637b35a2da820bc807f69bcf09c682dce Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Mon, 17 Nov 2014 23:49:07 -0800
+Subject: [PATCH] [v9_9] limit recursion depth and iterative queries
+
+4006.	[security]	A flaw in delegation handling could be exploited
+			to put named into an infinite loop.  This has
+			been addressed by placing limits on the number
+			of levels of recursion named will allow (default 7),
+			and the number of iterative queries that it will
+			send (default 50) before terminating a recursive
+			query (CVE-2014-8500).
+
+			The recursion depth limit is configured via the
+			"max-recursion-depth" option.  [RT #35780]
+
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ bin/named/config.c                   |  3 +-
+ bin/named/include/named/query.h      |  2 -
+ bin/named/query.c                    |  7 ++-
+ bin/named/server.c                   |  5 ++
+ bin/tests/system/many/clean.sh       |  7 +++
+ bin/tests/system/many/ns1/named.conf | 33 +++++++++++++
+ bin/tests/system/many/ns2/named.conf | 30 ++++++++++++
+ bin/tests/system/many/ns3/named.conf | 32 +++++++++++++
+ bin/tests/system/many/ns4/named.conf | 30 ++++++++++++
+ bin/tests/system/many/ns5/hints.db   |  2 +
+ bin/tests/system/many/ns5/named.conf | 29 ++++++++++++
+ bin/tests/system/many/setup.sh       | 75 ++++++++++++++++++++++++++++++
+ bin/tests/system/many/tests.sh       | 48 +++++++++++++++++++
+ doc/arm/Bv9ARM-book.xml              | 12 +++++
+ lib/dns/adb.c                        | 58 ++++++++++++++++-------
+ lib/dns/include/dns/adb.h            |  8 ++++
+ lib/dns/include/dns/resolver.h       | 25 ++++++++++
+ lib/dns/resolver.c                   | 90 ++++++++++++++++++++++++++++++------
+ lib/isccfg/namedconf.c               |  1 +
+ 20 files changed, 471 insertions(+), 37 deletions(-)
+ create mode 100644 bin/tests/system/many/clean.sh
+ create mode 100644 bin/tests/system/many/ns1/named.conf
+ create mode 100644 bin/tests/system/many/ns2/named.conf
+ create mode 100644 bin/tests/system/many/ns3/named.conf
+ create mode 100644 bin/tests/system/many/ns4/named.conf
+ create mode 100644 bin/tests/system/many/ns5/hints.db
+ create mode 100644 bin/tests/system/many/ns5/named.conf
+ create mode 100644 bin/tests/system/many/setup.sh
+ create mode 100644 bin/tests/system/many/tests.sh
+
+diff --git a/bin/named/config.c b/bin/named/config.c
+index 2782720..5ee8c4e 100644
+--- a/bin/named/config.c
++++ b/bin/named/config.c
+@@ -15,8 +15,6 @@
+  * PERFORMANCE OF THIS SOFTWARE.
+  */
+
+-/* $Id: config.c,v 1.123 2012/01/06 23:46:41 tbox Exp $ */
+-
+ /*! \file */
+
+ #include <config.h>
+@@ -160,6 +158,7 @@ options {\n\
+ 	dnssec-accept-expired no;\n\
+ 	clients-per-query 10;\n\
+ 	max-clients-per-query 100;\n\
++	max-recursion-depth 7;\n\
+ 	zero-no-soa-ttl-cache no;\n\
+ 	nsec3-test-zone no;\n\
+ 	allow-new-zones no;\n\
+diff --git a/bin/named/include/named/query.h b/bin/named/include/named/query.h
+index 3beabb8..b5e3900 100644
+--- a/bin/named/include/named/query.h
++++ b/bin/named/include/named/query.h
+@@ -15,8 +15,6 @@
+  * PERFORMANCE OF THIS SOFTWARE.
+  */
+
+-/* $Id: query.h,v 1.45 2011/01/13 04:59:24 tbox Exp $ */
+-
+ #ifndef NAMED_QUERY_H
+ #define NAMED_QUERY_H 1
+
+diff --git a/bin/named/query.c b/bin/named/query.c
+index 982f76d..47bfc6a 100644
+--- a/bin/named/query.c
++++ b/bin/named/query.c
+@@ -3877,12 +3877,11 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
+ 		peeraddr = &client->peeraddr;
+ 	else
+ 		peeraddr = NULL;
+-	result = dns_resolver_createfetch2(client->view->resolver,
++	result = dns_resolver_createfetch3(client->view->resolver,
+ 					   qname, qtype, qdomain, nameservers,
+ 					   NULL, peeraddr, client->message->id,
+-					   client->query.fetchoptions,
+-					   client->task,
+-					   query_resume, client,
++					   client->query.fetchoptions, 0,
++					   client->task, query_resume, client,
+ 					   rdataset, sigrdataset,
+ 					   &client->query.fetch);
+ 
+diff --git a/bin/named/server.c b/bin/named/server.c
+index ac015a4..0559977 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -3161,6 +3161,11 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
+ 					cfg_obj_asuint32(obj),
+ 					max_clients_per_query);
+ 
++	obj = NULL;
++	result = ns_config_get(maps, "max-recursion-depth", &obj);
++	INSIST(result == ISC_R_SUCCESS);
++	dns_resolver_setmaxdepth(view->resolver, cfg_obj_asuint32(obj));
++
+ #ifdef ALLOW_FILTER_AAAA_ON_V4
+ 	obj = NULL;
+ 	result = ns_config_get(maps, "filter-aaaa-on-v4", &obj);
+diff --git a/bin/tests/system/many/clean.sh b/bin/tests/system/many/clean.sh
+new file mode 100644
+index 0000000..119b1f5
+--- /dev/null
++++ b/bin/tests/system/many/clean.sh
+@@ -0,0 +1,7 @@
++rm -f ns1/[1-9]*example.tld?.db
++rm -f ns2/[1-9]*example.tld?.db
++rm -f ns1/zones.conf
++rm -f ns2/zones.conf
++rm -f */root.db
++rm -f ns3/tld1.db
++rm -f ns4/tld2.db
+diff --git a/bin/tests/system/many/ns1/named.conf b/bin/tests/system/many/ns1/named.conf
+new file mode 100644
+index 0000000..abc9dca
+--- /dev/null
++++ b/bin/tests/system/many/ns1/named.conf
+@@ -0,0 +1,33 @@
++/*
++ * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++ * PERFORMANCE OF THIS SOFTWARE.
++ */
++
++controls { /* empty */ };
++
++options {
++	query-source address 10.53.0.1;
++	notify-source 10.53.0.1;
++	transfer-source 10.53.0.1;
++	port 5300;
++	pid-file "named.pid";
++	listen-on { 10.53.0.1; };
++	listen-on-v6 { none; };
++	recursion no;
++};
++
++include "zones.conf";
++
++// zone "tld1" { type master; file "tld1.db"; };
++// zone "tld2" { type master; file "tld2.db"; };
+diff --git a/bin/tests/system/many/ns2/named.conf b/bin/tests/system/many/ns2/named.conf
+new file mode 100644
+index 0000000..16266e2
+--- /dev/null
++++ b/bin/tests/system/many/ns2/named.conf
+@@ -0,0 +1,30 @@
++/*
++ * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++ * PERFORMANCE OF THIS SOFTWARE.
++ */
++
++controls { /* empty */ };
++
++options {
++	query-source address 10.53.0.2;
++	notify-source 10.53.0.2;
++	transfer-source 10.53.0.2;
++	port 5300;
++	pid-file "named.pid";
++	listen-on { 10.53.0.2; };
++	listen-on-v6 { none; };
++	recursion no;
++};
++
++include "zones.conf";
+diff --git a/bin/tests/system/many/ns3/named.conf b/bin/tests/system/many/ns3/named.conf
+new file mode 100644
+index 0000000..b950afe
+--- /dev/null
++++ b/bin/tests/system/many/ns3/named.conf
+@@ -0,0 +1,32 @@
++/*
++ * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++ * PERFORMANCE OF THIS SOFTWARE.
++ */
++
++controls { /* empty */ };
++
++options {
++	query-source address 10.53.0.3;
++	notify-source 10.53.0.3;
++	transfer-source 10.53.0.3;
++	port 5300;
++	pid-file "named.pid";
++	listen-on { 10.53.0.3; };
++	listen-on-v6 { none; };
++	recursion no;
++};
++
++zone "." { type master; file "root.db"; };
++
++zone "tld1" { type master; file "tld1.db"; };
+diff --git a/bin/tests/system/many/ns4/named.conf b/bin/tests/system/many/ns4/named.conf
+new file mode 100644
+index 0000000..ca9aa6a
+--- /dev/null
++++ b/bin/tests/system/many/ns4/named.conf
+@@ -0,0 +1,30 @@
++/*
++ * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++ * PERFORMANCE OF THIS SOFTWARE.
++ */
++
++controls { /* empty */ };
++
++options {
++	query-source address 10.53.0.4;
++	notify-source 10.53.0.4;
++	transfer-source 10.53.0.4;
++	port 5300;
++	pid-file "named.pid";
++	listen-on { 10.53.0.4; };
++	listen-on-v6 { none; };
++	recursion no;
++};
++
++zone "tld2" { type master; file "tld2.db"; };
+diff --git a/bin/tests/system/many/ns5/hints.db b/bin/tests/system/many/ns5/hints.db
+new file mode 100644
+index 0000000..c05809b
+--- /dev/null
++++ b/bin/tests/system/many/ns5/hints.db
+@@ -0,0 +1,2 @@
++. 60 in ns ns.nil.
++ns.nil. 60 in A 10.53.0.3
+diff --git a/bin/tests/system/many/ns5/named.conf b/bin/tests/system/many/ns5/named.conf
+new file mode 100644
+index 0000000..fce7d59
+--- /dev/null
++++ b/bin/tests/system/many/ns5/named.conf
+@@ -0,0 +1,29 @@
++/*
++ * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++ * PERFORMANCE OF THIS SOFTWARE.
++ */
++
++controls { /* empty */ };
++
++options {
++	query-source address 10.53.0.5;
++	notify-source 10.53.0.5;
++	transfer-source 10.53.0.5;
++	port 5300;
++	pid-file "named.pid";
++	listen-on { 10.53.0.5; };
++	listen-on-v6 { none; };
++};
++
++zone "." { type hint; file "hints.db"; };
+diff --git a/bin/tests/system/many/setup.sh b/bin/tests/system/many/setup.sh
+new file mode 100644
+index 0000000..80695b5
+--- /dev/null
++++ b/bin/tests/system/many/setup.sh
+@@ -0,0 +1,75 @@
++i=1
++
++cat > ns3/root.db << EOF
++. 60 in soa ns.nil. hostmaster.ns.nil. 1 0 0 0 0
++. 60 in ns ns.nil.
++ns.nil. 60 in a 10.53.0.3
++tld1. 60 in ns ns.tld1.
++ns.tld1. 60 in a 10.53.0.3
++tld2. 60 in ns ns.tld2.
++ns.tld2. 60 in a 10.53.0.4
++EOF
++
++cat > ns3/tld1.db << EOF
++tld1. 60 in soa ns.tld1. hostmaster.ns.tld1. 1 0 0 0 0
++tld1. 60 in ns ns.tld1.
++ns.tld1. 60 in a 10.53.0.1
++EOF
++
++cat > ns4/tld2.db << EOF
++tld2. 60 in soa ns.tld2. hostmaster.ns.tld4. 1 0 0 0 0
++tld2. 60 in ns ns.tld2.
++ns.tld2. 60 in a 10.53.0.1
++EOF
++
++: > ns1/zones.conf
++: > ns2/zones.conf
++
++while [ $i -lt 1000 ]
++do
++j=`expr $i + 1`
++s=`expr $j % 2 + 1`
++n=`expr $i % 2 + 1`
++t=`expr $s + 2`
++
++# i=1 j=2 s=1 n=2
++# i=2 j=3 s=1 n=2
++# i=3 j=4 s=1 n=2
++
++cat > ns1/${i}example.tld${s}.db << EOF
++${i}example.tld${s}. 60 in soa ns.${j}example.tld${n}. hostmaster 1 0 0 0 0
++${i}example.tld${s}. 60 in ns ns.${j}example.tld${n}.
++ns.${i}example.tld${s}. 60 in a 10.53.0.1
++EOF
++
++cat >> ns1/zones.conf << EOF
++zone "${i}example.tld${s}" { type master; file "${i}example.tld${s}.db"; };
++EOF
++
++cat >> ns${t}/tld${s}.db << EOF
++${i}example.tld${s}. 60 in ns ns.${j}example.tld${n}.
++EOF
++
++i=$j
++
++done
++
++j=`expr $i + 1`
++s=`expr $j % 2 + 1`
++n=`expr $s % 2 + 1`
++t=`expr $s + 2`
++
++cat > ns1/${i}example.tld${s}.db << EOF
++${i}example.tld${s}. 60 in soa ns.${i}example.tld${s}. hostmaster 1 0 0 0 0
++${i}example.tld${s}. 60 in ns ns.${i}example.tld${s}.
++ns.${i}example.tld${s}. 60 in a 10.53.0.1
++EOF
++
++cat >> ns1/zones.conf << EOF
++zone "${i}example.tld${s}" { type master; file "${i}example.tld${s}.db"; };
++EOF
++
++cat >> ns${t}/tld${s}.db << EOF
++${i}example.tld${s}. 60 in ns ns.${i}example.tld${s}.
++ns.${i}example.tld${s}. 60 in a 10.53.0.1
++EOF
+diff --git a/bin/tests/system/many/tests.sh b/bin/tests/system/many/tests.sh
+new file mode 100644
+index 0000000..37964e2
+--- /dev/null
++++ b/bin/tests/system/many/tests.sh
+@@ -0,0 +1,48 @@
++#!/bin/sh
++#
++# Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
++#
++# Permission to use, copy, modify, and/or distribute this software for any
++# purpose with or without fee is hereby granted, provided that the above
++# copyright notice and this permission notice appear in all copies.
++#
++# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++# PERFORMANCE OF THIS SOFTWARE.
++
++SYSTEMTESTTOP=..
++. $SYSTEMTESTTOP/conf.sh
++
++status=0
++n=0
++
++n=`expr $n + 1`
++echo "I: attempt lookup 1example.tld2 soa ($n)"
++ret=0
++$DIG +tcp 1example.tld1 soa @10.53.0.5 -p 5300  > dig.out.test$n
++grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
++if [ $ret != 0 ]; then echo "I:failed"; fi
++status=`expr $status + $ret`
++
++n=`expr $n + 1`
++echo "I: attempt lookup 992example.tld2 soa ($n)"
++ret=0
++$DIG +tcp 992example.tld2 soa @10.53.0.5 -p 5300 >  dig.out.test$n
++grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
++if [ $ret != 0 ]; then echo "I:failed"; fi
++status=`expr $status + $ret`
++
++n=`expr $n + 1`
++echo "I: attempt lookup 993example.tld1 soa ($n)"
++ret=0
++$DIG +tcp 993example.tld1 soa @10.53.0.5 -p 5300 >  dig.out.test$n
++grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
++if [ $ret != 0 ]; then echo "I:failed"; fi
++status=`expr $status + $ret`
++
++echo "I:exit status: $status"
++exit $status
+diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
+index 9f7bd38..fff4249 100644
+--- a/doc/arm/Bv9ARM-book.xml
++++ b/doc/arm/Bv9ARM-book.xml
+@@ -4861,6 +4861,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
+     <optional> max-acache-size <replaceable>size_spec</replaceable> ; </optional>
+     <optional> clients-per-query <replaceable>number</replaceable> ; </optional>
+     <optional> max-clients-per-query <replaceable>number</replaceable> ; </optional>
++    <optional> max-recursion-depth <replaceable>number</replaceable> ; </optional>
+     <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
+     <optional> empty-server <replaceable>name</replaceable> ; </optional>
+     <optional> empty-contact <replaceable>name</replaceable> ; </optional>
+@@ -8680,6 +8681,17 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
+ 	      </listitem>
+ 	    </varlistentry>
+ 
++	    <varlistentry id="max-recursion-depth">
++	      <term><command>max-recursion-depth</command></term>
++	      <listitem>
++		<para>
++		  Sets the maximum number of levels of recursion
++		  permitted at any one time while resolving a name.
++		  The default is 7.
++		</para>
++	      </listitem>
++	    </varlistentry>
++
+ 	    <varlistentry>
+ 	      <term><command>notify-delay</command></term>
+ 	      <listitem>
+diff --git a/lib/dns/adb.c b/lib/dns/adb.c
+index 2ccb51e..fe9b3f7 100644
+--- a/lib/dns/adb.c
++++ b/lib/dns/adb.c
+@@ -199,6 +199,7 @@ struct dns_adbfetch {
+ 	unsigned int                    magic;
+ 	dns_fetch_t                    *fetch;
+ 	dns_rdataset_t                  rdataset;
++	unsigned int			depth;
+ };
+ 
+ /*%
+@@ -300,7 +301,7 @@ static inline void violate_locking_hierarchy(isc_mutex_t *, isc_mutex_t *);
+ static isc_boolean_t clean_namehooks(dns_adb_t *, dns_adbnamehooklist_t *);
+ static void clean_target(dns_adb_t *, dns_name_t *);
+ static void clean_finds_at_name(dns_adbname_t *, isc_eventtype_t,
+-				unsigned int);
++				isc_uint32_t, unsigned int);
+ static isc_boolean_t check_expire_namehooks(dns_adbname_t *, isc_stdtime_t);
+ static isc_boolean_t check_expire_entry(dns_adb_t *, dns_adbentry_t **,
+ 					isc_stdtime_t);
+@@ -308,7 +309,7 @@ static void cancel_fetches_at_name(dns_adbname_t *);
+ static isc_result_t dbfind_name(dns_adbname_t *, isc_stdtime_t,
+ 				dns_rdatatype_t);
+ static isc_result_t fetch_name(dns_adbname_t *, isc_boolean_t,
+-			       dns_rdatatype_t);
++			       unsigned int, dns_rdatatype_t);
+ static inline void check_exit(dns_adb_t *);
+ static void destroy(dns_adb_t *);
+ static isc_boolean_t shutdown_names(dns_adb_t *);
+@@ -984,7 +985,7 @@ kill_name(dns_adbname_t **n, isc_eventtype_t ev) {
+ 	 * Clean up the name's various lists.  These two are destructive
+ 	 * in that they will always empty the list.
+ 	 */
+-	clean_finds_at_name(name, ev, DNS_ADBFIND_ADDRESSMASK);
++	clean_finds_at_name(name, ev, 0, DNS_ADBFIND_ADDRESSMASK);
+ 	result4 = clean_namehooks(adb, &name->v4);
+ 	result6 = clean_namehooks(adb, &name->v6);
+ 	clean_target(adb, &name->target);
+@@ -1409,7 +1410,7 @@ event_free(isc_event_t *event) {
+  */
+ static void
+ clean_finds_at_name(dns_adbname_t *name, isc_eventtype_t evtype,
+-		    unsigned int addrs)
++		    isc_uint32_t qtotal, unsigned int addrs)
+ {
+ 	isc_event_t *ev;
+ 	isc_task_t *task;
+@@ -1469,6 +1470,7 @@ clean_finds_at_name(dns_adbname_t *name, isc_eventtype_t evtype,
+ 			ev->ev_sender = find;
+ 			find->result_v4 = find_err_map[name->fetch_err];
+ 			find->result_v6 = find_err_map[name->fetch6_err];
++			find->qtotal += qtotal;
+ 			ev->ev_type = evtype;
+ 			ev->ev_destroy = event_free;
+ 			ev->ev_destroy_arg = find;
+@@ -1827,6 +1829,7 @@ new_adbfind(dns_adb_t *adb) {
+ 	h->flags = 0;
+ 	h->result_v4 = ISC_R_UNEXPECTED;
+ 	h->result_v6 = ISC_R_UNEXPECTED;
++	h->qtotal = 0;
+ 	ISC_LINK_INIT(h, publink);
+ 	ISC_LINK_INIT(h, plink);
+ 	ISC_LIST_INIT(h->list);
+@@ -2799,6 +2802,19 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+ 		   isc_stdtime_t now, dns_name_t *target,
+ 		   in_port_t port, dns_adbfind_t **findp)
+ {
++	return (dns_adb_createfind2(adb, task, action, arg, name,
++				    qname, qtype, options, now,
++				    target, port, 0, findp));
++}
++
++isc_result_t
++dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
++		    void *arg, dns_name_t *name, dns_name_t *qname,
++		    dns_rdatatype_t qtype, unsigned int options,
++		    isc_stdtime_t now, dns_name_t *target,
++		    in_port_t port, unsigned int depth,
++		    dns_adbfind_t **findp)
++{
+ 	dns_adbfind_t *find;
+ 	dns_adbname_t *adbname;
+ 	int bucket;
+@@ -3029,7 +3045,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+ 		 * Start V4.
+ 		 */
+ 		if (WANT_INET(wanted_fetches) &&
+-		    fetch_name(adbname, start_at_zone,
++		    fetch_name(adbname, start_at_zone, depth,
+ 			       dns_rdatatype_a) == ISC_R_SUCCESS) {
+ 			DP(DEF_LEVEL,
+ 			   "dns_adb_createfind: started A fetch for name %p",
+@@ -3040,7 +3056,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+ 		 * Start V6.
+ 		 */
+ 		if (WANT_INET6(wanted_fetches) &&
+-		    fetch_name(adbname, start_at_zone,
++		    fetch_name(adbname, start_at_zone, depth,
+ 			       dns_rdatatype_aaaa) == ISC_R_SUCCESS) {
+ 			DP(DEF_LEVEL,
+ 			   "dns_adb_createfind: "
+@@ -3656,6 +3672,7 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
+ 	isc_result_t result;
+ 	unsigned int address_type;
+ 	isc_boolean_t want_check_exit = ISC_FALSE;
++	isc_uint32_t qtotal = 0;
+ 
+ 	UNUSED(task);
+ 
+@@ -3666,6 +3683,8 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
+ 	adb = name->adb;
+ 	INSIST(DNS_ADB_VALID(adb));
+ 
++	qtotal = dev->qtotal;
++
+ 	bucket = name->lock_bucket;
+ 	LOCK(&adb->namelocks[bucket]);
+ 
+@@ -3783,6 +3802,12 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
+ 		DP(DEF_LEVEL, "adb: fetch of '%s' %s failed: %s",
+ 		   buf, address_type == DNS_ADBFIND_INET ? "A" : "AAAA",
+ 		   dns_result_totext(dev->result));
++		/*
++		 * Don't record a failure unless this is the initial
++		 * fetch of a chain.
++		 */
++		if (fetch->depth > 1)
++			goto out;
+ 		/* XXXMLG Don't pound on bad servers. */
+ 		if (address_type == DNS_ADBFIND_INET) {
+ 			name->expire_v4 = ISC_MIN(name->expire_v4, now + 300);
+@@ -3814,15 +3839,14 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
+ 	free_adbfetch(adb, &fetch);
+ 	isc_event_free(&ev);
+ 
+-	clean_finds_at_name(name, ev_status, address_type);
++	clean_finds_at_name(name, ev_status, qtotal, address_type);
+ 
+ 	UNLOCK(&adb->namelocks[bucket]);
+ }
+ 
+ static isc_result_t
+-fetch_name(dns_adbname_t *adbname,
+-	   isc_boolean_t start_at_zone,
+-	   dns_rdatatype_t type)
++fetch_name(dns_adbname_t *adbname, isc_boolean_t start_at_zone,
++	   unsigned int depth, dns_rdatatype_t type)
+ {
+ 	isc_result_t result;
+ 	dns_adbfetch_t *fetch = NULL;
+@@ -3867,12 +3891,14 @@ fetch_name(dns_adbname_t *adbname,
+ 		result = ISC_R_NOMEMORY;
+ 		goto cleanup;
+ 	}
+-
+-	result = dns_resolver_createfetch(adb->view->resolver, &adbname->name,
+-					  type, name, nameservers, NULL,
+-					  options, adb->task, fetch_callback,
+-					  adbname, &fetch->rdataset, NULL,
+-					  &fetch->fetch);
++	fetch->depth = depth;
++
++	result = dns_resolver_createfetch3(adb->view->resolver, &adbname->name,
++					   type, name, nameservers, NULL,
++					   NULL, 0, options, depth, adb->task,
++					   fetch_callback, adbname,
++					   &fetch->rdataset, NULL,
++					   &fetch->fetch);
+ 	if (result != ISC_R_SUCCESS)
+ 		goto cleanup;
+ 
+diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
+index 35350ff..7501f01 100644
+--- a/lib/dns/include/dns/adb.h
++++ b/lib/dns/include/dns/adb.h
+@@ -118,6 +118,8 @@ struct dns_adbfind {
+ 	isc_result_t			result_v6;	/*%< RO: v6 result */
+ 	ISC_LINK(dns_adbfind_t)		publink;	/*%< RW: client use */
+ 
++	isc_uint32_t			qtotal;
++
+ 	/* Private */
+ 	isc_mutex_t			lock;		/* locks all below */
+ 	in_port_t			port;
+@@ -334,6 +336,12 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+ 		   dns_rdatatype_t qtype, unsigned int options,
+ 		   isc_stdtime_t now, dns_name_t *target,
+ 		   in_port_t port, dns_adbfind_t **find);
++isc_result_t
++dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
++		    void *arg, dns_name_t *name, dns_name_t *qname,
++		    dns_rdatatype_t qtype, unsigned int options,
++		    isc_stdtime_t now, dns_name_t *target, in_port_t port,
++		    unsigned int depth, dns_adbfind_t **find);
+ /*%<
+  * Main interface for clients. The adb will look up the name given in
+  * "name" and will build up a list of found addresses, and perhaps start
+diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
+index 4e20eb6..c256049 100644
+--- a/lib/dns/include/dns/resolver.h
++++ b/lib/dns/include/dns/resolver.h
+@@ -82,6 +82,7 @@ typedef struct dns_fetchevent {
+ 	isc_sockaddr_t *		client;
+ 	dns_messageid_t			id;
+ 	isc_result_t			vresult;
++	isc_uint32_t 			qtotal;
+ } dns_fetchevent_t;
+ 
+ /*
+@@ -275,6 +276,18 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
+ 			  dns_rdataset_t *rdataset,
+ 			  dns_rdataset_t *sigrdataset,
+ 			  dns_fetch_t **fetchp);
++isc_result_t
++dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name,
++			  dns_rdatatype_t type,
++			  dns_name_t *domain, dns_rdataset_t *nameservers,
++			  dns_forwarders_t *forwarders,
++			  isc_sockaddr_t *client, isc_uint16_t id,
++			  unsigned int options, unsigned int depth,
++			  isc_task_t *task,
++			  isc_taskaction_t action, void *arg,
++			  dns_rdataset_t *rdataset,
++			  dns_rdataset_t *sigrdataset,
++			  dns_fetch_t **fetchp);
+ /*%<
+  * Recurse to answer a question.
+  *
+@@ -576,6 +589,18 @@ dns_resolver_printbadcache(dns_resolver_t *resolver, FILE *fp);
+  * \li	resolver to be valid.
+  */
+ 
++void
++dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth);
++unsigned int
++dns_resolver_getmaxdepth(dns_resolver_t *resolver);
++/*%
++ * Get and set how many NS indirections will be followed when looking for
++ * nameserver addresses.
++ *
++ * Requires:
++ * \li	resolver to be valid.
++ */
++
+ ISC_LANG_ENDDECLS
+ 
+ #endif /* DNS_RESOLVER_H */
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index e517dad..6a635b2 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -131,6 +131,16 @@
+ #define MAXIMUM_QUERY_TIMEOUT 30 /* The maximum time in seconds for the whole query to live. */
+ #endif
+ 
++/* The default maximum number of recursions to follow before giving up. */
++#ifndef DEFAULT_RECURSION_DEPTH
++#define DEFAULT_RECURSION_DEPTH 7
++#endif
++
++/* The default maximum number of iterative queries to allow before giving up. */
++#ifndef DEFAULT_MAX_QUERIES
++#define DEFAULT_MAX_QUERIES 50
++#endif
++
+ /*%
+  * Maximum EDNS0 input packet size.
+  */
+@@ -297,6 +307,7 @@ struct fetchctx {
+ 	isc_uint64_t			duration;
+ 	isc_boolean_t			logged;
+ 	unsigned int			querysent;
++	unsigned int			totalqueries;
+ 	unsigned int			referrals;
+ 	unsigned int			lamecount;
+ 	unsigned int			neterr;
+@@ -307,6 +318,7 @@ struct fetchctx {
+ 	isc_boolean_t			timeout;
+ 	dns_adbaddrinfo_t 		*addrinfo;
+ 	isc_sockaddr_t			*client;
++	unsigned int			depth;
+ };
+ 
+ #define FCTX_MAGIC			ISC_MAGIC('F', '!', '!', '!')
+@@ -419,6 +431,7 @@ struct dns_resolver {
+ 	isc_timer_t *			spillattimer;
+ 	isc_boolean_t			zero_no_soa_ttl;
+ 	unsigned int			query_timeout;
++	unsigned int			maxdepth;
+ 
+ 	/* Locked by lock. */
+ 	unsigned int			references;
+@@ -1097,6 +1110,7 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) {
+ 			       event->result == DNS_R_NCACHENXRRSET);
+ 		}
+ 
++		event->qtotal = fctx->totalqueries;
+ 		isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
+ 		count++;
+ 	}
+@@ -1537,7 +1551,9 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
+ 		if (result != ISC_R_SUCCESS)
+ 			goto cleanup_dispatch;
+ 	}
++
+ 	fctx->querysent++;
++	fctx->totalqueries++;
+ 
+ 	ISC_LIST_APPEND(fctx->queries, query, link);
+ 	query->fctx->nqueries++;
+@@ -2194,9 +2210,10 @@ fctx_finddone(isc_task_t *task, isc_event_t *event) {
+ 		 */
+ 		INSIST(!SHUTTINGDOWN(fctx));
+ 		fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
+-		if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES)
++		if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES) {
+ 			want_try = ISC_TRUE;
+-		else {
++			fctx->totalqueries += find->qtotal;
++		} else {
+ 			fctx->findfail++;
+ 			if (fctx->pending == 0) {
+ 				/*
+@@ -2479,12 +2496,13 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
+ 	 * See what we know about this address.
+ 	 */
+ 	find = NULL;
+-	result = dns_adb_createfind(fctx->adb,
+-				    res->buckets[fctx->bucketnum].task,
+-				    fctx_finddone, fctx, name,
+-				    &fctx->name, fctx->type,
+-				    options, now, NULL,
+-				    res->view->dstport, &find);
++	result = dns_adb_createfind2(fctx->adb,
++				     res->buckets[fctx->bucketnum].task,
++				     fctx_finddone, fctx, name,
++				     &fctx->name, fctx->type,
++				     options, now, NULL,
++				     res->view->dstport,
++				     fctx->depth + 1, &find);
+ 	if (result != ISC_R_SUCCESS) {
+ 		if (result == DNS_R_ALIAS) {
+ 			/*
+@@ -2592,6 +2610,11 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) {
+ 
+ 	res = fctx->res;
+ 
++	if (fctx->depth > res->maxdepth) {
++		FCTXTRACE("too much NS indirection");
++		return (DNS_R_SERVFAIL);
++	}
++
+ 	/*
+ 	 * Forwarders.
+ 	 */
+@@ -3030,6 +3053,9 @@ fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) {
+ 
+ 	REQUIRE(!ADDRWAIT(fctx));
+ 
++	if (fctx->totalqueries > DEFAULT_MAX_QUERIES)
++		fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
++
+ 	addrinfo = fctx_nextaddress(fctx);
+ 	if (addrinfo == NULL) {
+ 		/*
+@@ -3388,6 +3414,7 @@ fctx_start(isc_task_t *task, isc_event_t *event) {
+ 		 * Normal fctx startup.
+ 		 */
+ 		fctx->state = fetchstate_active;
++		fctx->totalqueries = 0;
+ 		/*
+ 		 * Reset the control event for later use in shutting down
+ 		 * the fctx.
+@@ -3457,6 +3484,7 @@ fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_sockaddr_t *client,
+ 	event->fetch = fetch;
+ 	event->client = client;
+ 	event->id = id;
++	event->qtotal = 0;
+ 	dns_fixedname_init(&event->foundname);
+ 
+ 	/*
+@@ -3493,7 +3521,8 @@ log_ns_ttl(fetchctx_t *fctx, const char *where) {
+ static isc_result_t
+ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
+ 	    dns_name_t *domain, dns_rdataset_t *nameservers,
+-	    unsigned int options, unsigned int bucketnum, fetchctx_t **fctxp)
++	    unsigned int options, unsigned int bucketnum, unsigned int depth,
++	    fetchctx_t **fctxp)
+ {
+ 	fetchctx_t *fctx;
+ 	isc_result_t result;
+@@ -3545,6 +3574,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
+ 	fctx->state = fetchstate_init;
+ 	fctx->want_shutdown = ISC_FALSE;
+ 	fctx->cloned = ISC_FALSE;
++	fctx->depth = depth;
+ 	ISC_LIST_INIT(fctx->queries);
+ 	ISC_LIST_INIT(fctx->finds);
+ 	ISC_LIST_INIT(fctx->altfinds);
+@@ -3563,6 +3593,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
+ 	fctx->pending = 0;
+ 	fctx->restarts = 0;
+ 	fctx->querysent = 0;
++	fctx->totalqueries = 0;
+ 	fctx->referrals = 0;
+ 	TIME_NOW(&fctx->start);
+ 	fctx->timeouts = 0;
+@@ -7781,6 +7812,7 @@ dns_resolver_create(dns_view_t *view,
+ 	res->spillattimer = NULL;
+ 	res->zero_no_soa_ttl = ISC_FALSE;
+ 	res->query_timeout = DEFAULT_QUERY_TIMEOUT;
++	res->maxdepth = DEFAULT_RECURSION_DEPTH;
+ 	res->nbuckets = ntasks;
+ 	res->activebuckets = ntasks;
+ 	res->buckets = isc_mem_get(view->mctx,
+@@ -8219,9 +8251,9 @@ dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
+ 			 dns_rdataset_t *sigrdataset,
+ 			 dns_fetch_t **fetchp)
+ {
+-	return (dns_resolver_createfetch2(res, name, type, domain,
++	return (dns_resolver_createfetch3(res, name, type, domain,
+ 					  nameservers, forwarders, NULL, 0,
+-					  options, task, action, arg,
++					  options, 0, task, action, arg,
+ 					  rdataset, sigrdataset, fetchp));
+ }
+ 
+@@ -8237,6 +8269,25 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
+ 			  dns_rdataset_t *sigrdataset,
+ 			  dns_fetch_t **fetchp)
+ {
++	return (dns_resolver_createfetch3(res, name, type, domain,
++					  nameservers, forwarders, client, id,
++					  options, 0, task, action, arg,
++					  rdataset, sigrdataset, fetchp));
++}
++
++isc_result_t
++dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name,
++			  dns_rdatatype_t type,
++			  dns_name_t *domain, dns_rdataset_t *nameservers,
++			  dns_forwarders_t *forwarders,
++			  isc_sockaddr_t *client, dns_messageid_t id,
++			  unsigned int options, unsigned int depth,
++			  isc_task_t *task,
++			  isc_taskaction_t action, void *arg,
++			  dns_rdataset_t *rdataset,
++			  dns_rdataset_t *sigrdataset,
++			  dns_fetch_t **fetchp)
++{
+ 	dns_fetch_t *fetch;
+ 	fetchctx_t *fctx = NULL;
+ 	isc_result_t result = ISC_R_SUCCESS;
+@@ -8325,11 +8376,12 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
+ 
+ 	if (fctx == NULL) {
+ 		result = fctx_create(res, name, type, domain, nameservers,
+-				     options, bucketnum, &fctx);
++				     options, bucketnum, depth, &fctx);
+ 		if (result != ISC_R_SUCCESS)
+ 			goto unlock;
+ 		new_fctx = ISC_TRUE;
+-	}
++	} else if (fctx->depth > depth)
++		fctx->depth = depth;
+ 
+ 	result = fctx_join(fctx, task, client, id, action, arg,
+ 			   rdataset, sigrdataset, fetch);
+@@ -9101,3 +9153,15 @@ dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds) {
+ 
+ 	resolver->query_timeout = seconds;
+ }
++
++void
++dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth) {
++	REQUIRE(VALID_RESOLVER(resolver));
++	resolver->maxdepth = maxdepth;
++}
++
++unsigned int
++dns_resolver_getmaxdepth(dns_resolver_t *resolver) {
++	REQUIRE(VALID_RESOLVER(resolver));
++	return (resolver->maxdepth);
++}
+diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
+index bfd4bab..5f8b037 100644
+--- a/lib/isccfg/namedconf.c
++++ b/lib/isccfg/namedconf.c
+@@ -1393,6 +1393,7 @@ view_clauses[] = {
+ 	{ "max-cache-ttl", &cfg_type_uint32, 0 },
+ 	{ "max-clients-per-query", &cfg_type_uint32, 0 },
+ 	{ "max-ncache-ttl", &cfg_type_uint32, 0 },
++	{ "max-recursion-depth", &cfg_type_uint32, 0 },
+ 	{ "max-udp-size", &cfg_type_uint32, 0 },
+ 	{ "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
+ 	{ "minimal-responses", &cfg_type_boolean, 0 },
+-- 
+1.9.1
+

meta/recipes-connectivity/bind/bind_9.9.5.bb

@@ -14,6 +14,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://mips1-not-support-opcode.diff \
            file://dont-test-on-host.patch \
            file://init.d-add-support-for-read-only-rootfs.patch \
+           file://bind9_9_5-CVE-2014-8500.patch \
 	   "
 
 SRC_URI[md5sum] = "e676c65cad5234617ee22f48e328c24e"

meta/recipes-connectivity/openssh/openssh_6.5p1.bb

@@ -54,7 +54,6 @@ inherit autotools-brokensep
 
 # LFS support:
 CFLAGS += "-D__FILE_OFFSET_BITS=64"
-export LD = "${CC}"
 
 # login path is hardcoded in sshd
 EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
@@ -79,6 +78,7 @@ CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd"
 EXTRA_OECONF_append_libc-uclibc=" --without-pam"
 
 do_configure_prepend () {
+	export LD="${CC}"
 	if [ ! -e acinclude.m4 -a -e aclocal.m4 ]; then
 		cp aclocal.m4 acinclude.m4
 	fi

meta/recipes-connectivity/openssl/openssl/configure-targets.patch

@@ -10,25 +10,25 @@ The number of colons are important :)
 --- a/Configure
 +++ b/Configure
 @@ -403,6 +403,22 @@ my %table=(
- "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
- "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
+ "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
+ "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
  
 + # Linux on ARM
-+"linux-elf-arm","$ENV{'CC'}:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-elf-armeb","$ENV{'CC'}:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-gnueabi-arm","$ENV{'CC'}:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-gnueabi-armeb","$ENV{'CC'}:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-uclibceabi-arm","$ENV{'CC'}:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-uclibceabi-armeb","$ENV{'CC'}:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-elf-arm","$ENV{'CC'}:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-elf-armeb","$ENV{'CC'}:-DB_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-gnueabi-arm","$ENV{'CC'}:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-gnueabi-armeb","$ENV{'CC'}:-DB_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-uclibceabi-arm","$ENV{'CC'}:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-uclibceabi-armeb","$ENV{'CC'}:-DB_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +
-+"linux-avr32","$ENV{'CC'}:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).",
++"linux-avr32","$ENV{'CC'}: -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).",
 +
 +#### Linux on MIPS/MIPS64
-+"linux-mips","$ENV{'CC'}:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-mips64","$ENV{'CC'}:-DB_ENDIAN -DTERMIO -mabi=64 -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-mips64el","$ENV{'CC'}:-DL_ENDIAN -DTERMIO -mabi=64 -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-mipsel","$ENV{'CC'}:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-mips","$ENV{'CC'}:-DB_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-mips64","$ENV{'CC'}:-DB_ENDIAN -mabi=64 -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-mips64el","$ENV{'CC'}:-DL_ENDIAN -mabi=64 -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-mipsel","$ENV{'CC'}:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +
- # Android: linux-* but without -DTERMIO and pointers to headers and libs.
+ # Android: linux-* but without pointers to headers and libs.
  "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
  "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

meta/recipes-connectivity/openssl/openssl/fix-cipher-des-ede3-cfb1.patch

@@ -6,17 +6,20 @@ http://rt.openssl.org/Ticket/Display.html?id=2867
 
 Signed-Off-By: Muhammad Shakeel <muhammad_shakeel@mentor.com>
 
+ported the patch to the 1.0.0m version
+Signed-off-by: Brendan Le Foll <brendan.le.foll@intel.com> 2015/03/24
+
 diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c
 index 3232cfe..df84922 100644
 ===================================================================
 --- a/crypto/evp/e_des3.c
 +++ b/crypto/evp/e_des3.c
-@@ -173,7 +173,7 @@ static int des_ede3_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+@@ -181,7 +181,7 @@ static int des_ede3_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
      size_t n;
-     unsigned char c[1],d[1];
+     unsigned char c[1], d[1];
  
--    for(n=0 ; n < inl ; ++n)
-+    for(n=0 ; n < inl*8 ; ++n)
- 	{
- 	c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;
-	DES_ede3_cfb_encrypt(c,d,1,1,
+-    for (n = 0; n < inl; ++n) {
++    for (n = 0; n < inl * 8; ++n) {
+         c[0] = (in[n / 8] & (1 << (7 - n % 8))) ? 0x80 : 0;
+         DES_ede3_cfb_encrypt(c, d, 1, 1,
+                              &data(ctx)->ks1, &data(ctx)->ks2,

meta/recipes-connectivity/openssl/openssl/initial-aarch64-bits.patch

@@ -5,6 +5,9 @@ X-Git-Url: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=039
 
 Initial aarch64 bits.
 Upstream-Status: backport (will be included in 1.0.2)
+
+ported the patch to the 1.0.0m version
+Signed-off-by: Brendan Le Foll <brendan.le.foll@intel.com> 2015/03/24
 ---
  crypto/bn/bn_lcl.h       |    9 +++++++++
  crypto/md32_common.h     |   18 ++++++++++++++++++
@@ -16,10 +19,10 @@ Index: openssl-1.0.1f/crypto/bn/bn_lcl.h
 ===================================================================
 --- openssl-1.0.1f.orig/crypto/bn/bn_lcl.h	2014-01-06 15:47:42.000000000 +0200
 +++ openssl-1.0.1f/crypto/bn/bn_lcl.h	2014-02-28 10:37:55.495979037 +0200
-@@ -300,6 +300,15 @@
- 	     : "r"(a), "r"(b));
+@@ -295,6 +295,15 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
+              : "r"(a), "r"(b));
  #    endif
- #  endif
+ #   endif
 +# elif defined(__aarch64__) && defined(SIXTY_FOUR_BIT_LONG)
 +#  if defined(__GNUC__) && __GNUC__>=2
 +#   define BN_UMULT_HIGH(a,b)  ({  \
@@ -29,17 +32,17 @@ Index: openssl-1.0.1f/crypto/bn/bn_lcl.h
 +        : "r"(a), "r"(b));     \
 +   ret;            })
 +#  endif
- # endif		/* cpu */
- #endif		/* OPENSSL_NO_ASM */
+ #  endif                        /* cpu */
+ # endif                         /* OPENSSL_NO_ASM */
  
 Index: openssl-1.0.1f/crypto/md32_common.h
 ===================================================================
 --- openssl-1.0.1f.orig/crypto/md32_common.h	2014-01-06 15:47:42.000000000 +0200
 +++ openssl-1.0.1f/crypto/md32_common.h	2014-02-28 10:39:21.751979107 +0200
-@@ -213,6 +213,24 @@
- 				   asm ("bswapl %0":"=r"(r):"0"(r));	\
- 				   *((unsigned int *)(c))=r; (c)+=4; r;	})
- #   endif
+@@ -213,6 +213,42 @@
+                                    asm ("bswapl %0":"=r"(r):"0"(r));    \
+                                    *((unsigned int *)(c))=r; (c)+=4; r; })
+ #    endif
 +#  elif defined(__aarch64__)
 +#   if defined(__BYTE_ORDER__)
 +#    if defined(__ORDER_LITTLE_ENDIAN__) && __BYTE_ORDER__==__ORDER_LITTLE_ENDIAN__
@@ -58,25 +61,43 @@ Index: openssl-1.0.1f/crypto/md32_common.h
 +#     define HOST_l2c(l,c) (*((unsigned int *)(c))=(l), (c)+=4, (l))
 +#    endif
 +#   endif
++#   endif
++#  elif defined(__aarch64__)
++#   if defined(__BYTE_ORDER__)
++#    if defined(__ORDER_LITTLE_ENDIAN__) && __BYTE_ORDER__==__ORDER_LITTLE_ENDIAN__
++#     define HOST_c2l(c,l) ({ unsigned int r;      \
++                  asm ("rev    %w0,%w1"    \
++                   :"=r"(r)        \
++                   :"r"(*((const unsigned int *)(c))));\
++                  (c)+=4; (l)=r;       })
++#     define HOST_l2c(l,c) ({ unsigned int r;      \
++                  asm ("rev    %w0,%w1"    \
++                   :"=r"(r)        \
++                   :"r"((unsigned int)(l)));\
++                  *((unsigned int *)(c))=r; (c)+=4; r; })
++#    elif defined(__ORDER_BIG_ENDIAN__) && __BYTE_ORDER__==__ORDER_BIG_ENDIAN__
++#     define HOST_c2l(c,l) ((l)=*((const unsigned int *)(c)), (c)+=4, (l))
++#     define HOST_l2c(l,c) (*((unsigned int *)(c))=(l), (c)+=4, (l))
++#    endif
+ #   endif
  #  endif
  # endif
- #endif
 Index: openssl-1.0.1f/crypto/modes/modes_lcl.h
 ===================================================================
 --- openssl-1.0.1f.orig/crypto/modes/modes_lcl.h	2014-02-28 10:47:48.731979011 +0200
 +++ openssl-1.0.1f/crypto/modes/modes_lcl.h	2014-02-28 10:48:49.707978919 +0200
-@@ -29,6 +29,7 @@
- #if defined(__i386)	|| defined(__i386__)	|| \
-     defined(__x86_64)	|| defined(__x86_64__)	|| \
-     defined(_M_IX86)	|| defined(_M_AMD64)	|| defined(_M_X64) || \
+@@ -28,6 +28,7 @@ typedef unsigned char u8;
+ #if defined(__i386)     || defined(__i386__)    || \
+     defined(__x86_64)   || defined(__x86_64__)  || \
+     defined(_M_IX86)    || defined(_M_AMD64)    || defined(_M_X64) || \
 +    defined(__aarch64__)           || \
-     defined(__s390__)	|| defined(__s390x__)
+     defined(__s390__)   || defined(__s390x__)
  # undef STRICT_ALIGNMENT
  #endif
-@@ -50,6 +51,13 @@
- #  define BSWAP4(x) ({	u32 ret=(x);			\
- 			asm ("bswapl %0"		\
- 			: "+r"(ret));	ret;		})
+@@ -49,6 +50,13 @@ typedef unsigned char u8;
+ #   define BSWAP4(x) ({ u32 ret=(x);                    \
+                         asm ("bswapl %0"                \
+                         : "+r"(ret));   ret;            })
 +# elif defined(__aarch64__)
 +#  define BSWAP8(x) ({ u64 ret;            \
 +           asm ("rev %0,%1"        \
@@ -84,25 +105,25 @@ Index: openssl-1.0.1f/crypto/modes/modes_lcl.h
 +#  define BSWAP4(x) ({ u32 ret;            \
 +           asm ("rev %w0,%w1"      \
 +           : "=r"(ret) : "r"(x)); ret; })
- # elif (defined(__arm__) || defined(__arm)) && !defined(STRICT_ALIGNMENT)
- #  define BSWAP8(x) ({	u32 lo=(u64)(x)>>32,hi=(x);	\
- 			asm ("rev %0,%0; rev %1,%1"	\
+ #  elif (defined(__arm__) || defined(__arm)) && !defined(STRICT_ALIGNMENT)
+ #   define BSWAP8(x) ({  u32 lo=(u64)(x)>>32,hi=(x);     \
+                         asm ("rev %0,%0; rev %1,%1"     \
 Index: openssl-1.0.1f/crypto/sha/sha512.c
 ===================================================================
 --- openssl-1.0.1f.orig/crypto/sha/sha512.c	2014-01-06 15:47:42.000000000 +0200
 +++ openssl-1.0.1f/crypto/sha/sha512.c	2014-02-28 10:52:14.579978981 +0200
-@@ -55,6 +55,7 @@
- #if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
+@@ -55,6 +55,7 @@ const char SHA512_version[] = "SHA-512" OPENSSL_VERSION_PTEXT;
+ # if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
      defined(__x86_64) || defined(_M_AMD64) || defined(_M_X64) || \
      defined(__s390__) || defined(__s390x__) || \
 +    defined(__aarch64__) || \
      defined(SHA512_ASM)
- #define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
- #endif
-@@ -347,6 +348,18 @@
- 				asm ("rotrdi %0,%1,%2"	\
- 				: "=r"(ret)		\
- 				: "r"(a),"K"(n)); ret;	})
+ #  define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
+ # endif
+@@ -353,6 +354,18 @@ static const SHA_LONG64 K512[80] = {
+                                 asm ("rotrdi %0,%1,%2"  \
+                                 : "=r"(ret)             \
+                                 : "r"(a),"K"(n)); ret;  })
 +#  elif defined(__aarch64__)
 +#   define ROTR(a,n)   ({ SHA_LONG64 ret;      \
 +               asm ("ror %0,%1,%2" \
@@ -115,6 +136,6 @@ Index: openssl-1.0.1f/crypto/sha/sha512.c
 +               : "=r"(ret)         \
 +               : "r"(*((const SHA_LONG64 *)(&(x))))); ret;     })
 +#   endif
- #  endif
- # elif defined(_MSC_VER)
- #  if defined(_WIN64)	/* applies to both IA-64 and AMD64 */
+ #    endif
+ #   elif defined(_MSC_VER)
+ #    if defined(_WIN64)         /* applies to both IA-64 and AMD64 */

meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch

@@ -7,15 +7,18 @@ Upstream-Status: Submitted
 http://www.mail-archive.com/openssl-dev@openssl.org/msg32860.html
 
 Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
+
+ported the patch to the 1.0.0m version
+Signed-off-by: Brendan Le Foll <brendan.le.foll@intel.com> 2015/03/24
 ---
 --- a/crypto/evp/digest.c
 +++ b/crypto/evp/digest.c
-@@ -199,7 +199,7 @@
- 		return 0;
- 		}
+@@ -199,7 +199,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
+         type = ctx->digest;
+     }
  #endif
--	if (ctx->digest != type)
-+	if (type && (ctx->digest != type))
- 		{
- 		if (ctx->digest && ctx->digest->ctx_size)
- 			OPENSSL_free(ctx->md_data);
+-    if (ctx->digest != type) {
++    if (type && (ctx->digest != type)) {
+         if (ctx->digest && ctx->digest->ctx_size)
+             OPENSSL_free(ctx->md_data);
+         ctx->digest = type;

meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-dh_pub_encode.patch

@@ -1,39 +0,0 @@
-openssl: avoid NULL pointer dereference in dh_pub_encode()/dsa_pub_encode()
-
-We should avoid accessing the pointer if ASN1_STRING_new()
-allocates memory failed.
-
-Upstream-Status: Submitted
-http://www.mail-archive.com/openssl-dev@openssl.org/msg32859.html
-
-Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
----
---- a/crypto/dh/dh_ameth.c
-+++ b/crypto/dh/dh_ameth.c
-@@ -139,6 +139,12 @@
- 	dh=pkey->pkey.dh;
- 
- 	str = ASN1_STRING_new();
-+	if (!str)
-+		{
-+		DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
-+		goto err;
-+		}
-+
- 	str->length = i2d_DHparams(dh, &str->data);
- 	if (str->length <= 0)
- 		{
---- a/crypto/dsa/dsa_ameth.c
-+++ b/crypto/dsa/dsa_ameth.c
-@@ -148,6 +148,11 @@
- 		{
- 		ASN1_STRING *str;
- 		str = ASN1_STRING_new();
-+		if (!str)
-+			{
-+			DSAerr(DSA_F_DSA_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
-+			goto err;
-+			}
- 		str->length = i2d_DSAparams(dsa, &str->data);
- 		if (str->length <= 0)
- 			{

meta/recipes-connectivity/openssl/openssl/openssl_fix_for_x32.patch

@@ -6,16 +6,19 @@ Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com> 2011/07/13
 
 ported the patch to the 1.0.0e version
 Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com> 2011/12/01
+
+ported the patch to the 1.0.0m version
+Signed-off-by: Brendan Le Foll <brendan.le.foll@intel.com> 2015/03/24
 Index: openssl-1.0.1e/Configure
 ===================================================================
 --- openssl-1.0.1e.orig/Configure
 +++ openssl-1.0.1e/Configure
 @@ -402,6 +402,7 @@ my %table=(
- "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-x32", "gcc:-mx32 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
- "linux64-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ "linux-ia64-ecc","ecc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "linux-x86_64",	"gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
+ "linux64-s390x",	"gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
  #### So called "highgprs" target for z/Architecture CPUs
  # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
 Index: openssl-1.0.1e/crypto/bn/asm/x86_64-gcc.c
@@ -26,65 +29,69 @@ Index: openssl-1.0.1e/crypto/bn/asm/x86_64-gcc.c
   *    machine.
   */
  
--#ifdef _WIN64
-+#if defined _WIN64 || !defined __LP64__
- #define BN_ULONG unsigned long long
- #else
- #define BN_ULONG unsigned long
-@@ -192,9 +192,9 @@ BN_ULONG bn_add_words (BN_ULONG *rp, con
- 	asm (
- 	"	subq	%2,%2		\n"
- 	".p2align 4			\n"
--	"1:	movq	(%4,%2,8),%0	\n"
--	"	adcq	(%5,%2,8),%0	\n"
--	"	movq	%0,(%3,%2,8)	\n"
-+	"1:	movq	(%q4,%2,8),%0	\n"
-+	"	adcq	(%q5,%2,8),%0	\n"
-+	"	movq	%0,(%q3,%2,8)	\n"
- 	"	leaq	1(%2),%2	\n"
- 	"	loop	1b		\n"
- 	"	sbbq	%0,%0		\n"
-@@ -215,9 +215,9 @@ BN_ULONG bn_sub_words (BN_ULONG *rp, con
- 	asm (
- 	"	subq	%2,%2		\n"
- 	".p2align 4			\n"
--	"1:	movq	(%4,%2,8),%0	\n"
--	"	sbbq	(%5,%2,8),%0	\n"
--	"	movq	%0,(%3,%2,8)	\n"
-+	"1:	movq	(%q4,%2,8),%0	\n"
-+	"	sbbq	(%q5,%2,8),%0	\n"
-+	"	movq	%0,(%q3,%2,8)	\n"
- 	"	leaq	1(%2),%2	\n"
- 	"	loop	1b		\n"
- 	"	sbbq	%0,%0		\n"
+-# ifdef _WIN64
++# if defined _WIN64 || !defined __LP64__
+ #  define BN_ULONG unsigned long long
+ # else
+ #  define BN_ULONG unsigned long
 Index: openssl-1.0.1e/crypto/bn/bn.h
 ===================================================================
 --- openssl-1.0.1e.orig/crypto/bn/bn.h
 +++ openssl-1.0.1e/crypto/bn/bn.h
-@@ -172,6 +172,13 @@ extern "C" {
+@@ -173,6 +173,13 @@ extern "C" {
+ #  endif
  # endif
- #endif
  
 +/* Address type.  */
-+#ifdef _WIN64
-+#define BN_ADDR unsigned long long
-+#else
-+#define BN_ADDR unsigned long
-+#endif
++# ifdef _WIN64
++#   define BN_ADDR unsigned long long
++# else
++#   define BN_ADDR unsigned long
++# endif
 +
- /* assuming long is 64bit - this is the DEC Alpha
-  * unsigned long long is only 64 bits :-(, don't define
-  * BN_LLONG for the DEC Alpha */
+ /*
+  * assuming long is 64bit - this is the DEC Alpha unsigned long long is only
+  * 64 bits :-(, don't define BN_LLONG for the DEC Alpha
+Index: openssl-1.0.1e/crypto/bn/asm/x86_64-gcc.c
+===================================================================
+--- openssl-1.0.1m/crypto/bn/asm/x86_64-gcc.c	2015-03-19 13:37:10.000000000 +0000
++++ openssl-1.0.1m-modif/crypto/bn/asm/x86_64-gcc.c	2015-04-14 17:09:11.876533194 +0100
+@@ -211,9 +211,9 @@
+
+     asm volatile ("       subq    %2,%2           \n"
+                   ".p2align 4                     \n"
+-                  "1:     movq    (%4,%2,8),%0    \n"
+-                  "       adcq    (%5,%2,8),%0    \n"
+-                  "       movq    %0,(%3,%2,8)    \n"
++                  "1:     movq    (%q4,%2,8),%0   \n"
++                  "       adcq    (%q5,%2,8),%0   \n"
++                  "       movq    %0,(%q3,%2,8)   \n"
+                   "       leaq    1(%2),%2        \n"
+                   "       loop    1b              \n"
+                   "       sbbq    %0,%0           \n":"=&a" (ret), "+c"(n),
+@@ -235,9 +235,9 @@
+
+     asm volatile ("       subq    %2,%2           \n"
+                   ".p2align 4                     \n"
+-                  "1:     movq    (%4,%2,8),%0    \n"
+-                  "       sbbq    (%5,%2,8),%0    \n"
+-                  "       movq    %0,(%3,%2,8)    \n"
++                  "1:     movq    (%q4,%2,8),%0   \n"
++                  "       sbbq    (%q5,%2,8),%0   \n"
++                  "       movq    %0,(%q3,%2,8)   \n"
+                   "       leaq    1(%2),%2        \n"
+                   "       loop    1b              \n"
+                   "       sbbq    %0,%0           \n":"=&a" (ret), "+c"(n)
 Index: openssl-1.0.1e/crypto/bn/bn_exp.c
 ===================================================================
 --- openssl-1.0.1e.orig/crypto/bn/bn_exp.c
 +++ openssl-1.0.1e/crypto/bn/bn_exp.c
-@@ -567,7 +567,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBU
- 
- /* Given a pointer value, compute the next address that is a cache line multiple. */
+@@ -572,7 +572,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
+  * multiple.
+  */
  #define MOD_EXP_CTIME_ALIGN(x_) \
--	((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((size_t)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK))))
-+	((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((BN_ADDR)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK))))
+-        ((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((size_t)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK))))
++        ((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((BN_ADDR)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK))))
  
- /* This variant of BN_mod_exp_mont() uses fixed windows and the special
-  * precomputation memory layout to limit data-dependency to a minimum
+ /*
+  * This variant of BN_mod_exp_mont() uses fixed windows and the special

meta/recipes-connectivity/openssl/openssl_1.0.1m.bb

@@ -29,7 +29,6 @@ SRC_URI += "file://configure-targets.patch \
             file://openssl_fix_for_x32.patch \
             file://fix-cipher-des-ede3-cfb1.patch \
             file://openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch \
-            file://openssl-avoid-NULL-pointer-dereference-in-dh_pub_encode.patch \
             file://initial-aarch64-bits.patch \
             file://find.pl \
             file://openssl-fix-des.pod-error.patch \
@@ -38,8 +37,8 @@ SRC_URI += "file://configure-targets.patch \
             file://run-ptest \
            "
 
-SRC_URI[md5sum] = "f7175c9cd3c39bb1907ac8bba9df8ed3"
-SRC_URI[sha256sum] = "1b60ca8789ba6f03e8ef20da2293b8dc131c39d83814e775069f02d26354edf3"
+SRC_URI[md5sum] = "d143d1555d842a069cb7cc34ba745a06"
+SRC_URI[sha256sum] = "095f0b7b09116c0c5526422088058dc7e6e000aa14d22acca6a4e2babcdfef74"
 
 PACKAGES =+ " \
 	${PN}-engines \

meta/recipes-connectivity/resolvconf/resolvconf/99_resolvconf

@@ -0,0 +1,4 @@
+d root root 0755 /var/run/resolvconf/interface none
+f root root 0644 /etc/resolvconf/run/resolv.conf none
+f root root 0644 /etc/resolvconf/run/enable-updates none
+l root root 0644 /etc/resolv.conf /etc/resolvconf/run/resolv.conf

meta/recipes-connectivity/resolvconf/resolvconf/fix-path-for-busybox.patch

@@ -0,0 +1,20 @@
+
+busybox installs readlink into /usr/bin, so ensure /usr/bin
+is in the path.
+
+Upstream-Status: Submitted
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+
+Index: resolvconf-1.76/etc/resolvconf/update.d/libc
+===================================================================
+--- resolvconf-1.76.orig/etc/resolvconf/update.d/libc
++++ resolvconf-1.76/etc/resolvconf/update.d/libc
+@@ -16,7 +16,7 @@
+ #
+ 
+ set -e
+-PATH=/sbin:/bin
++PATH=/sbin:/bin:/usr/bin
+ 
+ [ -x /lib/resolvconf/list-records ] || exit 1
+ 

meta/recipes-connectivity/resolvconf/resolvconf_1.74.bb

@@ -11,7 +11,11 @@ AUTHOR = "Thomas Hood"
 HOMEPAGE = "http://packages.debian.org/resolvconf"
 RDEPENDS_${PN} = "bash"
 
-SRC_URI = "${DEBIAN_MIRROR}/main/r/resolvconf/resolvconf_${PV}.tar.gz"
+SRC_URI = "${DEBIAN_MIRROR}/main/r/resolvconf/resolvconf_${PV}.tar.gz \
+           file://fix-path-for-busybox.patch \
+           file://99_resolvconf \
+          "
+
 
 SRC_URI[md5sum] = "2f190d3bb8960b69157f63590c262e93"
 SRC_URI[sha256sum] = "2e72e6884e9105cbf57101ab0f11e768717b6f76b7f5100c6a2a0cc69bb3d4a0"
@@ -24,13 +28,13 @@ do_compile () {
 
 do_install () {
 	install -d ${D}${sysconfdir}/default/volatiles
-	echo "d root root 0755 ${localstatedir}/run/${BPN}/interface none" \
-	     > ${D}${sysconfdir}/default/volatiles/99_resolvconf
-	if ${@base_contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+	install -m 0644 ${WORKDIR}/99_resolvconf ${D}${sysconfdir}/default/volatiles
+	if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
 		install -d ${D}${sysconfdir}/tmpfiles.d
 		echo "d /run/${BPN}/interface - - - -" \
 		     > ${D}${sysconfdir}/tmpfiles.d/resolvconf.conf
 	fi
+	install -d ${D}${base_libdir}/${BPN}
 	install -d ${D}${sysconfdir}/${BPN}
 	ln -snf ${localstatedir}/run/${BPN} ${D}${sysconfdir}/${BPN}/run
 	install -d ${D}${sysconfdir} ${D}${base_sbindir}
@@ -38,6 +42,11 @@ do_install () {
 	cp -pPR etc/* ${D}${sysconfdir}/
 	chown -R root:root ${D}${sysconfdir}/
 	install -m 0755 bin/resolvconf ${D}${base_sbindir}/
+	install -m 0755 bin/list-records ${D}${base_libdir}/${BPN}
+	install -d ${D}/${sysconfdir}/network/if-up.d
+	install -m 0755 debian/resolvconf.000resolvconf.if-up ${D}/${sysconfdir}/network/if-up.d/000resolvconf
+	install -d ${D}/${sysconfdir}/network/if-down.d
+	install -m 0755 debian/resolvconf.resolvconf.if-down ${D}/${sysconfdir}/network/if-down.d/resolvconf
 	install -m 0644 README ${D}${docdir}/${P}/
 	install -m 0644 man/resolvconf.8 ${D}${mandir}/man8/
 }
@@ -51,3 +60,5 @@ pkg_postinst_${PN} () {
 		fi
 	fi
 }
+
+FILES_${PN} += "${base_libdir}/${BPN}"

meta/recipes-core/coreutils/coreutils-8.22/parse-datetime-CVE-2014-9471.patch

@@ -0,0 +1,43 @@
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff -ruN a/ChangeLog b/ChangeLog
+--- a/ChangeLog	2013-12-13 16:20:00.000000000 +0100
++++ b/ChangeLog	2015-02-26 09:24:10.640577829 +0100
+@@ -1,3 +1,11 @@
++2014-02-25  Sona Sarmadi <sona.sarmadi@enea.com>
++
++       parse-datetime: fix crash or infloop in TZ="" parsing
++       * lib/parse-datetime.y (parse_datetime): Break out of the
++       TZ="" parsing loop once the second significant " is found.
++       Also skip over any subsequent whitespace to be consistent
++       with the non TZ= case (CVE-2014-9471)
++
+ 2013-12-13  Pádraig Brady  <P@draigBrady.com>
+ 
+ 	version 8.22
+diff -ruN a/lib/parse-datetime.y b/lib/parse-datetime.y
+--- a/lib/parse-datetime.y	2013-12-04 15:53:33.000000000 +0100
++++ b/lib/parse-datetime.y	2015-02-26 09:20:15.238528670 +0100
+@@ -1303,8 +1303,6 @@
+             char tz1buf[TZBUFSIZE];
+             bool large_tz = TZBUFSIZE < tzsize;
+             bool setenv_ok;
+-            /* Free tz0, in case this is the 2nd or subsequent time through. */
+-            free (tz0);
+             tz0 = get_tz (tz0buf);
+             z = tz1 = large_tz ? xmalloc (tzsize) : tz1buf;
+             for (s = tzbase; *s != '"'; s++)
+@@ -1316,7 +1314,12 @@
+             if (!setenv_ok)
+               goto fail;
+             tz_was_altered = true;
++
+             p = s + 1;
++            while (c = *p, c_isspace (c))
++              p++;
++
++            break;
+           }
+     }
+ 

meta/recipes-core/coreutils/coreutils_8.22.bb

@@ -16,6 +16,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
            file://remove-usr-local-lib-from-m4.patch \
            file://dummy_help2man.patch \
            file://fix-for-dummy-man-usage.patch \
+           file://parse-datetime-CVE-2014-9471.patch \
           "
 
 SRC_URI[md5sum] = "8fb0ae2267aa6e728958adc38f8163a2"

meta/recipes-core/eglibc/eglibc-2.19/CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch

@@ -0,0 +1,317 @@
+From a5357b7ce2a2982c5778435704bcdb55ce3667a0 Mon Sep 17 00:00:00 2001
+From: Jeff Law <law@redhat.com>
+Date: Mon, 15 Dec 2014 10:09:32 +0100
+Subject: [PATCH] CVE-2012-3406: Stack overflow in vfprintf [BZ #16617]
+
+A larger number of format specifiers coudld cause a stack overflow,
+potentially allowing to bypass _FORTIFY_SOURCE format string
+protection.
+---
+ ChangeLog               |  9 +++++++
+ NEWS                    | 13 +++++----
+ stdio-common/Makefile   |  2 +-
+ stdio-common/bug23-2.c  | 70 +++++++++++++++++++++++++++++++++++++++++++++++++
+ stdio-common/bug23-3.c  | 50 +++++++++++++++++++++++++++++++++++
+ stdio-common/bug23-4.c  | 31 ++++++++++++++++++++++
+ stdio-common/vfprintf.c | 40 ++++++++++++++++++++++++++--
+ 7 files changed, 207 insertions(+), 8 deletions(-)
+ create mode 100644 stdio-common/bug23-2.c
+ create mode 100644 stdio-common/bug23-3.c
+ create mode 100644 stdio-common/bug23-4.c
+
+Index: libc/ChangeLog
+===================================================================
+--- libc.orig/ChangeLog
++++ libc/ChangeLog
+@@ -1,3 +1,12 @@
++2014-12-15  Jeff Law  <law@redhat.com>
++
++   [BZ #16617]
++   * stdio-common/vfprintf.c (vfprintf): Allocate large specs array
++   on the heap.  (CVE-2012-3406)
++   * stdio-common/bug23-2.c, stdio-common/bug23-3.c: New file.
++   * stdio-common/bug23-4.c: New file.  Test case by Joseph Myers.
++   * stdio-common/Makefile (tests): Add bug23-2, bug23-3, bug23-4.
++
+ 2014-11-19  Carlos O'Donell  <carlos@redhat.com>
+        Florian Weimer  <fweimer@redhat.com>
+        Joseph Myers  <joseph@codesourcery.com>
+Index: libc/NEWS
+===================================================================
+--- libc.orig/NEWS
++++ libc/NEWS
+@@ -26,7 +26,7 @@ Version 2.19
+   16271, 16274, 16283, 16289, 16293, 16314, 16316, 16330, 16337, 16338,
+   16356, 16365, 16366, 16369, 16372, 16375, 16379, 16384, 16385, 16386,
+   16387, 16390, 16394, 16398, 16400, 16407, 16408, 16414, 16430, 16431,
+-  16453, 16474, 16506, 16510, 16529, 17187, 17625.
++  16453, 16474, 16506, 16510, 16529, 16619, 17187, 17625.
+ 
+ * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
+   under certain input conditions resulting in the execution of a shell for
+@@ -34,6 +34,9 @@ Version 2.19
+   implementation now checks WRDE_NOCMD immediately before executing the
+   shell and returns the error WRDE_CMDSUB as expected.
+ 
++* CVE-2012-3406 printf-style functions could run into a stack overflow when
++  processing format strings with a large number of format specifiers.
++
+ * Slovenian translations for glibc messages have been contributed by the
+   Translation Project's Slovenian team of translators.
+ 
+Index: libc/stdio-common/bug23-2.c
+===================================================================
+--- /dev/null
++++ libc/stdio-common/bug23-2.c
+@@ -0,0 +1,70 @@
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++
++static const char expected[] = "\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55%%%%%%%%%%%%%%%%%%%%%%%%%%\n";
++
++static int
++do_test (void)
++{
++  char *buf = malloc (strlen (expected) + 1);
++  snprintf (buf, strlen (expected) + 1,
++	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++	    "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n",
++	    "a", "b", "c", "d", 5);
++  return strcmp (buf, expected) != 0;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
+Index: libc/stdio-common/bug23-3.c
+===================================================================
+--- /dev/null
++++ libc/stdio-common/bug23-3.c
+@@ -0,0 +1,50 @@
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++
++int
++do_test (void)
++{
++  size_t instances = 16384;
++#define X0 "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++  const char *item = "\na\nabbcd55";
++#define X3 X0 X0 X0 X0 X0 X0 X0 X0
++#define X6 X3 X3 X3 X3 X3 X3 X3 X3
++#define X9 X6 X6 X6 X6 X6 X6 X6 X6
++#define X12 X9 X9 X9 X9 X9 X9 X9 X9
++#define X14 X12 X12 X12 X12
++#define TRAILER "%%%%%%%%%%%%%%%%%%%%%%%%%%"
++#define TRAILER2 TRAILER TRAILER
++  size_t length = instances * strlen (item) + strlen (TRAILER) + 1;
++
++  char *buf = malloc (length + 1);
++  snprintf (buf, length + 1,
++	    X14 TRAILER2 "\n",
++	    "a", "b", "c", "d", 5);
++
++  const char *p = buf;
++  size_t i;
++  for (i = 0; i < instances; ++i)
++    {
++      const char *expected;
++      for (expected = item; *expected; ++expected)
++	{
++	  if (*p != *expected)
++	    {
++	      printf ("mismatch at offset %zu (%zu): expected %d, got %d\n",
++		      (size_t) (p - buf), i, *expected & 0xFF, *p & 0xFF);
++	      return 1;
++	    }
++	  ++p;
++	}
++    }
++  if (strcmp (p, TRAILER "\n") != 0)
++    {
++      printf ("mismatch at trailer: [%s]\n", p);
++      return 1;
++    }
++  free (buf);
++  return 0;
++}
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
+Index: libc/stdio-common/bug23-4.c
+===================================================================
+--- /dev/null
++++ libc/stdio-common/bug23-4.c
+@@ -0,0 +1,31 @@
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <sys/resource.h>
++
++#define LIMIT 1000000
++
++int
++main (void)
++{
++  struct rlimit lim;
++  getrlimit (RLIMIT_STACK, &lim);
++  lim.rlim_cur = 1048576;
++  setrlimit (RLIMIT_STACK, &lim);
++  char *fmtstr = malloc (4 * LIMIT + 1);
++  if (fmtstr == NULL)
++    abort ();
++  char *output = malloc (LIMIT + 1);
++  if (output == NULL)
++    abort ();
++  for (size_t i = 0; i < LIMIT; i++)
++    memcpy (fmtstr + 4 * i, "%1$d", 4);
++  fmtstr[4 * LIMIT] = '\0';
++  int ret = snprintf (output, LIMIT + 1, fmtstr, 0);
++  if (ret != LIMIT)
++    abort ();
++  for (size_t i = 0; i < LIMIT; i++)
++    if (output[i] != '0')
++      abort ();
++  return 0;
++}
+Index: libc/stdio-common/vfprintf.c
+===================================================================
+--- libc.orig/stdio-common/vfprintf.c
++++ libc/stdio-common/vfprintf.c
+@@ -276,6 +276,12 @@ vfprintf (FILE *s, const CHAR_T *format,
+   /* For the argument descriptions, which may be allocated on the heap.  */
+   void *args_malloced = NULL;
+ 
++  /* For positional argument handling.  */
++  struct printf_spec *specs;
++
++  /* Track if we malloced the SPECS array and thus must free it.  */
++  bool specs_malloced = false;
++
+   /* This table maps a character into a number representing a
+      class.  In each step there is a destination label for each
+      class.  */
+@@ -1698,8 +1704,8 @@ do_positional:
+     size_t nspecs = 0;
+     /* A more or less arbitrary start value.  */
+     size_t nspecs_size = 32 * sizeof (struct printf_spec);
+-    struct printf_spec *specs = alloca (nspecs_size);
+ 
++    specs = alloca (nspecs_size);
+     /* The number of arguments the format string requests.  This will
+        determine the size of the array needed to store the argument
+        attributes.  */
+@@ -1742,11 +1748,39 @@ do_positional:
+ 	if (nspecs * sizeof (*specs) >= nspecs_size)
+ 	  {
+ 	    /* Extend the array of format specifiers.  */
++	    if (nspecs_size * 2 < nspecs_size)
++	      {
++		__set_errno (ENOMEM);
++		done = -1;
++		goto all_done;
++	      }
+ 	    struct printf_spec *old = specs;
+-	    specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size);
++	    if (__libc_use_alloca (2 * nspecs_size))
++	      specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size);
++	    else
++	      {
++		nspecs_size *= 2;
++		specs = malloc (nspecs_size);
++		if (specs == NULL)
++		  {
++		    __set_errno (ENOMEM);
++		    specs = old;
++		    done = -1;
++		    goto all_done;
++		  }
++	      }
+ 
+ 	    /* Copy the old array's elements to the new space.  */
+ 	    memmove (specs, old, nspecs * sizeof (*specs));
++
++	    /* If we had previously malloc'd space for SPECS, then
++	       release it after the copy is complete.  */
++	    if (specs_malloced)
++	      free (old);
++
++	    /* Now set SPECS_MALLOCED if needed.  */
++	    if (!__libc_use_alloca (nspecs_size))
++	      specs_malloced = true;
+ 	  }
+ 
+ 	/* Parse the format specifier.  */
+@@ -2067,6 +2101,8 @@ do_positional:
+   }
+ 
+ all_done:
++  if (specs_malloced)
++    free (specs);
+   if (__glibc_unlikely (args_malloced != NULL))
+     free (args_malloced);
+   if (__glibc_unlikely (workstart != NULL))
+Index: libc/stdio-common/Makefile
+===================================================================
+--- libc.orig/stdio-common/Makefile
++++ libc/stdio-common/Makefile
+@@ -64,7 +64,7 @@ tests := tstscanf test_rdwr test-popen t
+ 	 tst-fwrite bug16 bug17 tst-sprintf2 bug18 \
+ 	 bug19 tst-popen2 scanf14 scanf15 bug21 bug22 scanf16 scanf17 \
+ 	 tst-setvbuf1 bug23 bug24 bug-vfprintf-nargs tst-sprintf3 bug25 \
+-	 tst-printf-round bug26
++	 tst-printf-round bug23-2 bug23-3 bug23-4
+ tests-$(OPTION_EGLIBC_LOCALE_CODE) \
+       += tst-sscanf tst-swprintf test-vfprintf bug14 scanf13 tst-grouping
+ tests-$(OPTION_POSIX_WIDE_CHAR_DEVICE_IO) \

meta/recipes-core/eglibc/eglibc-2.19/CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch

@@ -0,0 +1,216 @@
+From a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c Mon Sep 17 00:00:00 2001
+From: Carlos O'Donell <carlos@redhat.com>
+Date: Wed, 19 Nov 2014 11:44:12 -0500
+Subject: [PATCH] CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
+
+The function wordexp() fails to properly handle the WRDE_NOCMD
+flag when processing arithmetic inputs in the form of "$((... ``))"
+where "..." can be anything valid. The backticks in the arithmetic
+epxression are evaluated by in a shell even if WRDE_NOCMD forbade
+command substitution. This allows an attacker to attempt to pass
+dangerous commands via constructs of the above form, and bypass
+the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
+in exec_comm(), the only place that can execute a shell. All other
+checks for WRDE_NOCMD are superfluous and removed.
+
+We expand the testsuite and add 3 new regression tests of roughly
+the same form but with a couple of nested levels.
+
+On top of the 3 new tests we add fork validation to the WRDE_NOCMD
+testing. If any forks are detected during the execution of a wordexp()
+call with WRDE_NOCMD, the test is marked as failed. This is slightly
+heuristic since vfork might be used in the future, but it provides a
+higher level of assurance that no shells were executed as part of
+command substitution with WRDE_NOCMD in effect. In addition it doesn't
+require libpthread or libdl, instead we use the public implementation
+namespace function __register_atfork (already part of the public ABI
+for libpthread).
+
+Tested on x86_64 with no regressions.
+---
+ ChangeLog            | 22 ++++++++++++++++++++++
+ NEWS                 |  8 +++++++-
+ posix/wordexp-test.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
+ posix/wordexp.c      | 16 ++++------------
+ 4 files changed, 77 insertions(+), 13 deletions(-)
+
+Index: libc/ChangeLog
+===================================================================
+--- libc.orig/ChangeLog
++++ libc/ChangeLog
+@@ -1,3 +1,25 @@
++2014-11-19  Carlos O'Donell  <carlos@redhat.com>
++       Florian Weimer  <fweimer@redhat.com>
++       Joseph Myers  <joseph@codesourcery.com>
++       Adam Conrad  <adconrad@0c3.net>
++       Andreas Schwab  <schwab@suse.de>
++       Brooks  <bmoses@google.com>
++
++   [BZ #17625]
++   * wordexp-test.c (__dso_handle): Add prototype.
++   (__register_atfork): Likewise.
++   (__app_register_atfork): New function.
++   (registered_forks): New global.
++   (register_fork): New function.
++   (test_case): Add 3 new tests for WRDE_CMDSUB.
++   (main): Call __app_register_atfork.
++   (testit): If WRDE_NOCMD set registered_forks to zero, run test, and if
++   fork count is non-zero fail the test.
++   * posix/wordexp.c (exec_comm): Return WRDE_CMDSUB if WRDE_NOCMD flag
++   is set.
++   (parse_dollars): Remove check for WRDE_NOCMD.
++   (parse_dquote): Likewise.
++
+ 2014-08-26  Florian Weimer  <fweimer@redhat.com>
+ 
+ 	[BZ #17187]
+Index: libc/posix/wordexp-test.c
+===================================================================
+--- libc.orig/posix/wordexp-test.c
++++ libc/posix/wordexp-test.c
+@@ -27,6 +27,25 @@
+ 
+ #define IFS " \n\t"
+ 
++extern void *__dso_handle __attribute__ ((__weak__, __visibility__ ("hidden")));
++extern int __register_atfork (void (*) (void), void (*) (void), void (*) (void), void *);
++
++static int __app_register_atfork (void (*prepare) (void), void (*parent) (void), void (*child) (void))
++{
++  return __register_atfork (prepare, parent, child,
++			    &__dso_handle == NULL ? NULL : __dso_handle);
++}
++
++/* Number of forks seen.  */
++static int registered_forks;
++
++/* For each fork increment the fork count.  */
++static void
++register_fork (void)
++{
++  registered_forks++;
++}
++
+ struct test_case_struct
+ {
+   int retval;
+@@ -206,6 +225,12 @@ struct test_case_struct
+     { WRDE_SYNTAX, NULL, "$((2+))", 0, 0, { NULL, }, IFS },
+     { WRDE_SYNTAX, NULL, "`", 0, 0, { NULL, }, IFS },
+     { WRDE_SYNTAX, NULL, "$((010+4+))", 0, 0, { NULL }, IFS },
++    /* Test for CVE-2014-7817. We test 3 combinations of command
++       substitution inside an arithmetic expression to make sure that
++       no commands are executed and error is returned.  */
++    { WRDE_CMDSUB, NULL, "$((`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
++    { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
++    { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS },
+ 
+     { -1, NULL, NULL, 0, 0, { NULL, }, IFS },
+   };
+@@ -258,6 +283,15 @@ main (int argc, char *argv[])
+ 	  return -1;
+     }
+ 
++  /* If we are not allowed to do command substitution, we install
++     fork handlers to verify that no forks happened.  No forks should
++     happen at all if command substitution is disabled.  */
++  if (__app_register_atfork (register_fork, NULL, NULL) != 0)
++    {
++      printf ("Failed to register fork handler.\n");
++      return -1;
++    }
++
+   for (test = 0; test_case[test].retval != -1; test++)
+     if (testit (&test_case[test]))
+       ++fail;
+@@ -367,6 +401,9 @@ testit (struct test_case_struct *tc)
+ 
+   printf ("Test %d (%s): ", ++tests, tc->words);
+ 
++  if (tc->flags & WRDE_NOCMD)
++    registered_forks = 0;
++
+   if (tc->flags & WRDE_APPEND)
+     {
+       /* initial wordexp() call, to be appended to */
+@@ -378,6 +415,13 @@ testit (struct test_case_struct *tc)
+     }
+   retval = wordexp (tc->words, &we, tc->flags);
+ 
++  if ((tc->flags & WRDE_NOCMD)
++      && (registered_forks > 0))
++    {
++	  printf ("FAILED fork called for WRDE_NOCMD\n");
++	  return 1;
++    }
++
+   if (tc->flags & WRDE_DOOFFS)
+       start_offs = sav_we.we_offs;
+ 
+Index: libc/posix/wordexp.c
+===================================================================
+--- libc.orig/posix/wordexp.c
++++ libc/posix/wordexp.c
+@@ -893,6 +893,10 @@ exec_comm (char *comm, char **word, size
+   pid_t pid;
+   int noexec = 0;
+ 
++  /* Do nothing if command substitution should not succeed.  */
++  if (flags & WRDE_NOCMD)
++    return WRDE_CMDSUB;
++
+   /* Don't fork() unless necessary */
+   if (!comm || !*comm)
+     return 0;
+@@ -2082,9 +2086,6 @@ parse_dollars (char **word, size_t *word
+ 	    }
+ 	}
+ 
+-      if (flags & WRDE_NOCMD)
+-	return WRDE_CMDSUB;
+-
+       (*offset) += 2;
+       return parse_comm (word, word_length, max_length, words, offset, flags,
+ 			 quoted? NULL : pwordexp, ifs, ifs_white);
+@@ -2196,9 +2197,6 @@ parse_dquote (char **word, size_t *word_
+ 	  break;
+ 
+ 	case '`':
+-	  if (flags & WRDE_NOCMD)
+-	    return WRDE_CMDSUB;
+-
+ 	  ++(*offset);
+ 	  error = parse_backtick (word, word_length, max_length, words,
+ 				  offset, flags, NULL, NULL, NULL);
+@@ -2357,12 +2355,6 @@ wordexp (const char *words, wordexp_t *p
+ 	break;
+ 
+       case '`':
+-	if (flags & WRDE_NOCMD)
+-	  {
+-	    error = WRDE_CMDSUB;
+-	    goto do_error;
+-	  }
+-
+ 	++words_offset;
+ 	error = parse_backtick (&word, &word_length, &max_length, words,
+ 				&words_offset, flags, pwordexp, ifs,
+Index: libc/NEWS
+===================================================================
+--- libc.orig/NEWS
++++ libc/NEWS
+@@ -26,7 +26,13 @@ Version 2.19
+   16271, 16274, 16283, 16289, 16293, 16314, 16316, 16330, 16337, 16338,
+   16356, 16365, 16366, 16369, 16372, 16375, 16379, 16384, 16385, 16386,
+   16387, 16390, 16394, 16398, 16400, 16407, 16408, 16414, 16430, 16431,
+-  16453, 16474, 16506, 16510, 16529, 17187
++  16453, 16474, 16506, 16510, 16529, 17187, 17625.
++
++* CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
++  under certain input conditions resulting in the execution of a shell for
++  command substitution when the applicaiton did not request it. The
++  implementation now checks WRDE_NOCMD immediately before executing the
++  shell and returns the error WRDE_CMDSUB as expected.
+ 
+ * Slovenian translations for glibc messages have been contributed by the
+   Translation Project's Slovenian team of translators.

meta/recipes-core/eglibc/eglibc_2.19.bb

@@ -27,6 +27,8 @@ SRC_URI = "http://downloads.yoctoproject.org/releases/eglibc/eglibc-${PV}-svnr25
            file://ppce6500-32b_slow_ieee754_sqrt.patch \
            file://grok_gold.patch \
            file://CVE-2014-5119.patch \
+           file://CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch \
+           file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \
           "
 SRC_URI[md5sum] = "197836c2ba42fb146e971222647198dd"
 SRC_URI[sha256sum] = "baaa030531fc308f7820c46acdf8e1b2f8e3c1f40bcd28b6e440d1c95d170d4c"

meta/recipes-core/images/build-appliance-image_8.0.bb

@@ -21,7 +21,7 @@ IMAGE_FSTYPES = "vmdk"
 
 inherit core-image
 
-SRCREV ?= "07a7905689f62e382c5640006dacb2c331ae454a"
+SRCREV ?= "56bd68e82c28528d9a99170611d02f5532599ef5"
 SRC_URI = "git://git.yoctoproject.org/poky;branch=daisy \
            file://Yocto_Build_Appliance.vmx \
            file://Yocto_Build_Appliance.vmxf \

meta/recipes-core/systemd/systemd/0001-journal-Fix-navigating-backwards-missing-entries.patch

@@ -0,0 +1,34 @@
+From 2173cbf847fc53ca24950e77958c902edecfc207 Mon Sep 17 00:00:00 2001
+From: Olivier Brunel <jjk@jjacky.com>
+Date: Fri, 5 Dec 2014 16:06:45 +0100
+Subject: [PATCH] journal: Fix navigating backwards missing entries
+
+With DIRECTION_UP (i.e. navigating backwards) in generic_array_bisect() when the
+needle was found as the last item in the array, it wasn't actually processed as
+match, resulting in entries being missed.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=86855
+
+Upstream-Status: Backport
+
+Signed-off-by: Jonathan Liu <net147@gmail.com>
+---
+ src/journal/journal-file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c
+index 7858435..c5d2d19 100644
+--- a/src/journal/journal-file.c
++++ b/src/journal/journal-file.c
+@@ -1657,7 +1657,7 @@ static int generic_array_bisect(
+                         }
+                 }
+ 
+-                if (k > n) {
++                if (k >= n) {
+                         if (direction == DIRECTION_UP) {
+                                 i = n;
+                                 subtract_one = true;
+-- 
+2.1.3
+

meta/recipes-core/systemd/systemd_211.bb

@@ -32,6 +32,7 @@ SRC_URI = "git://anongit.freedesktop.org/systemd/systemd;branch=master;protocol=
            file://uclibc-sysinfo_h.patch \
            file://uclibc-get-physmem.patch \
            file://sd-bus-don-t-use-assert_return-to-check-for-disconne.patch \
+           file://0001-journal-Fix-navigating-backwards-missing-entries.patch \
            \
            file://touchscreen.rules \
            file://00-create-volatile.conf \
@@ -123,6 +124,7 @@ do_install() {
 		sed -i s%@UDEVD@%${rootlibexecdir}/systemd/systemd-udevd% ${D}${sysconfdir}/init.d/systemd-udevd
 	fi
 
+        chown root:systemd-journal ${D}/${localstatedir}/log/journal
         # Delete journal README, as log can be symlinked inside volatile.
         rm -f ${D}/${localstatedir}/log/README
 }

meta/recipes-devtools/binutils/binutils-2.24.inc

@@ -32,6 +32,14 @@ SRC_URI = "\
      file://replace_macros_with_static_inline.patch \
      file://0001-Fix-MMIX-build-breakage-from-bfd_set_section_vma-cha.patch \
      file://binutils-uninitialised-warning.patch \
+     file://binutils_CVE-2014-8484.patch \
+     file://binutils_CVE-2014-8485.patch \
+     file://binutils_CVE-2014-8501.patch \
+     file://binutils_CVE-2014-8502_1.patch \
+     file://binutils_CVE-2014-8502.patch \
+     file://binutils_CVE-2014-8503.patch \
+     file://binutils_CVE-2014-8504.patch \
+     file://binutils_CVE-2014-8737.patch \
      "
 
 SRC_URI[md5sum] = "e0f71a7b2ddab0f8612336ac81d9636b"

meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8484.patch

@@ -0,0 +1,67 @@
+Upstream-Status: Backport
+
+CVE-2014-8484 fix.
+
+[YOCTO #7084]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+From bd25671c6f202c4a5108883caa2adb24ff6f361f Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 29 Aug 2014 10:36:29 +0930
+Subject: [PATCH] Report an error for S-records with less than the miniumum
+ size
+
+	* srec.c (srec_scan): Revert last change.  Report an error for
+	S-records with less than the miniumum byte count.
+---
+ bfd/ChangeLog |  5 +++++
+ bfd/srec.c    | 18 +++++++++++++++---
+ 2 files changed, 20 insertions(+), 3 deletions(-)
+
+Index: binutils-2.24/bfd/srec.c
+===================================================================
+--- binutils-2.24.orig/bfd/srec.c
++++ binutils-2.24/bfd/srec.c
+@@ -455,7 +455,7 @@ srec_scan (bfd *abfd)
+ 	  {
+ 	    file_ptr pos;
+ 	    char hdr[3];
+-	    unsigned int bytes;
++	    unsigned int bytes, min_bytes;
+ 	    bfd_vma address;
+ 	    bfd_byte *data;
+ 	    unsigned char check_sum;
+@@ -478,6 +478,19 @@ srec_scan (bfd *abfd)
+ 	      }
+ 
+ 	    check_sum = bytes = HEX (hdr + 1);
++	    min_bytes = 3;
++	    if (hdr[0] == '2' || hdr[0] == '8')
++	      min_bytes = 4;
++	    else if (hdr[0] == '3' || hdr[0] == '7')
++	      min_bytes = 5;
++	    if (bytes < min_bytes)
++	      {
++		(*_bfd_error_handler) (_("%B:%d: byte count %d too small\n"),
++				       abfd, lineno, bytes);
++		bfd_set_error (bfd_error_bad_value);
++		goto error_return;
++	      }
++
+ 	    if (bytes * 2 > bufsize)
+ 	      {
+ 		if (buf != NULL)
+Index: binutils-2.24/bfd/ChangeLog
+===================================================================
+--- binutils-2.24.orig/bfd/ChangeLog
++++ binutils-2.24/bfd/ChangeLog
+@@ -1,3 +1,8 @@
++2014-08-29  Alan Modra  <amodra@gmail.com>
++
++       * srec.c (srec_scan): Revert last change.  Report an error for
++       S-records with less than the miniumum byte count.
++
+ 2013-12-02  Tristan Gingold  <gingold@adacore.com>
+ 
+ 	* configure.in: Bump version to 2.24

meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8485.patch

@@ -0,0 +1,102 @@
+Upstream-Status: Backport
+
+CVE-2014-8485 fix.
+
+[YOCTO #7084]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+From 493a33860c71cac998f1a56d6d87d6faa801fbaa Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 27 Oct 2014 12:43:16 +0000
+Subject: [PATCH] This patch closes a potential security hole in applications
+ that use the bfd library to parse binaries containing maliciously corrupt
+ section group headers.
+
+	PR binutils/17510
+	* elf.c (setup_group): Improve handling of corrupt group
+	sections.
+---
+ bfd/ChangeLog |  6 ++++++
+ bfd/elf.c     | 34 ++++++++++++++++++++++++++++++----
+ 2 files changed, 36 insertions(+), 4 deletions(-)
+
+Index: binutils-2.24/bfd/elf.c
+===================================================================
+--- binutils-2.24.orig/bfd/elf.c
++++ binutils-2.24/bfd/elf.c
+@@ -608,9 +608,10 @@ setup_group (bfd *abfd, Elf_Internal_Shd
+ 		  if (shdr->contents == NULL)
+ 		    {
+ 		      _bfd_error_handler
+-			(_("%B: Corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size);
++			(_("%B: corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size);
+ 		      bfd_set_error (bfd_error_bad_value);
+-		      return FALSE;
++		      -- num_group;
++		      continue;
+ 		    }
+ 
+ 		  memset (shdr->contents, 0, amt);
+@@ -618,7 +619,16 @@ setup_group (bfd *abfd, Elf_Internal_Shd
+ 		  if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0
+ 		      || (bfd_bread (shdr->contents, shdr->sh_size, abfd)
+ 			  != shdr->sh_size))
+-		    return FALSE;
++		    {
++		      _bfd_error_handler
++			(_("%B: invalid size field in group section header: 0x%lx"), abfd, shdr->sh_size);
++		      bfd_set_error (bfd_error_bad_value);
++		      -- num_group;
++		      /* PR 17510: If the group contents are even partially
++			 corrupt, do not allow any of the contents to be used.  */
++		      memset (shdr->contents, 0, amt);
++		      continue;
++		    }
+ 
+ 		  /* Translate raw contents, a flag word followed by an
+ 		     array of elf section indices all in target byte order,
+@@ -651,6 +661,21 @@ setup_group (bfd *abfd, Elf_Internal_Shd
+ 		    }
+ 		}
+ 	    }
++
++	  /* PR 17510: Corrupt binaries might contain invalid groups.  */
++	  if (num_group != (unsigned) elf_tdata (abfd)->num_group)
++	    {
++	      elf_tdata (abfd)->num_group = num_group;
++
++	      /* If all groups are invalid then fail.  */
++	      if (num_group == 0)
++		{
++		  elf_tdata (abfd)->group_sect_ptr = NULL;
++		  elf_tdata (abfd)->num_group = num_group = -1;
++		  (*_bfd_error_handler) (_("%B: no valid group sections found"), abfd);
++		  bfd_set_error (bfd_error_bad_value);
++		}
++	    }
+ 	}
+     }
+ 
+@@ -716,6 +741,7 @@ setup_group (bfd *abfd, Elf_Internal_Shd
+     {
+       (*_bfd_error_handler) (_("%B: no group info for section %A"),
+ 			     abfd, newsect);
++      return FALSE;
+     }
+   return TRUE;
+ }
+Index: binutils-2.24/bfd/ChangeLog
+===================================================================
+--- binutils-2.24.orig/bfd/ChangeLog
++++ binutils-2.24/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2014-10-27  Nick Clifton  <nickc@redhat.com>
++
++       PR binutils/17510
++       * elf.c (setup_group): Improve handling of corrupt group
++       sections.
++
+ 2014-08-29  Alan Modra  <amodra@gmail.com>
+ 
+        * srec.c (srec_scan): Revert last change.  Report an error for

meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8501.patch

@@ -0,0 +1,60 @@
+Upstream-Status: Backport
+
+CVE-2014-8501 fix.
+
+[YOCTO #7084]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+From 7e1e19887abd24aeb15066b141cdff5541e0ec8e Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 27 Oct 2014 14:45:06 +0000
+Subject: [PATCH] Fix a seg-fault in strings and other binutuils when parsing a
+ corrupt PE executable with an invalid value in the NumberOfRvaAndSizes field
+ of the AOUT header.
+
+	PR binutils/17512
+	* peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries
+	with an invalid value for NumberOfRvaAndSizes.
+---
+ bfd/ChangeLog  |  4 ++++
+ bfd/peXXigen.c | 12 ++++++++++++
+ 2 files changed, 16 insertions(+)
+
+Index: binutils-2.24/bfd/peXXigen.c
+===================================================================
+--- binutils-2.24.orig/bfd/peXXigen.c
++++ binutils-2.24/bfd/peXXigen.c
+@@ -460,6 +460,18 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd,
+   {
+     int idx;
+ 
++    /* PR 17512: Corrupt PE binaries can cause seg-faults.  */
++    if (a->NumberOfRvaAndSizes > 16)
++      {
++	(*_bfd_error_handler)
++	  (_("%B: aout header specifies an invalid number of data-directory entries: %d"),
++	   abfd, a->NumberOfRvaAndSizes);
++	/* Paranoia: If the number is corrupt, then assume that the
++	   actual entries themselves might be corrupt as well.  */
++	a->NumberOfRvaAndSizes = 0;
++      }
++
++
+     for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++)
+       {
+         /* If data directory is empty, rva also should be 0.  */
+Index: binutils-2.24/bfd/ChangeLog
+===================================================================
+--- binutils-2.24.orig/bfd/ChangeLog
++++ binutils-2.24/bfd/ChangeLog
+@@ -1,5 +1,9 @@
+ 2014-10-27  Nick Clifton  <nickc@redhat.com>
+ 
++       PR binutils/17512
++       * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries
++       with an invalid value for NumberOfRvaAndSizes.
++
+        PR binutils/17510
+        * elf.c (setup_group): Improve handling of corrupt group
+        sections.

meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8502.patch

@@ -0,0 +1,89 @@
+Upstream-Status: Backport
+
+CVE-2014-8502 fix.
+
+[YOCTO #7084]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+From 5a4b0ccc20ba30caef53b01bee2c0aaa5b855339 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 28 Oct 2014 15:42:56 +0000
+Subject: [PATCH] More fixes for corrupt binaries crashing the binutils.
+
+	PR binutils/17512
+	* elf.c (bfd_section_from_shdr): Allocate and free the recursion
+	detection table on a per-bfd basis.
+	* peXXigen.c (pe_print_edata): Handle binaries with a truncated
+	export table.
+---
+ bfd/ChangeLog  |  8 ++++++++
+ bfd/elf.c      | 16 +++++++++++++---
+ bfd/peXXigen.c |  9 +++++++++
+ 3 files changed, 30 insertions(+), 3 deletions(-)
+
+Index: binutils-2.24/bfd/peXXigen.c
+===================================================================
+--- binutils-2.24.orig/bfd/peXXigen.c
++++ binutils-2.24/bfd/peXXigen.c
+@@ -1438,6 +1438,15 @@ pe_print_edata (bfd * abfd, void * vfile
+ 	}
+     }
+ 
++  /* PR 17512: Handle corrupt PE binaries.  */
++  if (datasize < 36)
++    {
++      fprintf (file,
++	       _("\nThere is an export table in %s, but it is too small (%d)\n"),
++	       section->name, (int) datasize);
++      return TRUE;
++    }
++
+   fprintf (file, _("\nThere is an export table in %s at 0x%lx\n"),
+ 	   section->name, (unsigned long) addr);
+ 
+Index: binutils-2.24/bfd/elf.c
+===================================================================
+--- binutils-2.24.orig/bfd/elf.c
++++ binutils-2.24/bfd/elf.c
+@@ -1576,6 +1576,7 @@ bfd_section_from_shdr (bfd *abfd, unsign
+   const char *name;
+   bfd_boolean ret = TRUE;
+   static bfd_boolean * sections_being_created = NULL;
++  static bfd * sections_being_created_abfd = NULL;
+   static unsigned int nesting = 0;
+ 
+   if (shindex >= elf_numsections (abfd))
+@@ -1588,13 +1589,20 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 	 loop.  Detect this here, by refusing to load a section that we are
+ 	 already in the process of loading.  We only trigger this test if
+ 	 we have nested at least three sections deep as normal ELF binaries
+-	 can expect to recurse at least once.  */
++	 can expect to recurse at least once.  
++     
++     FIXME: It would be better if this array was attached to the bfd,
++     rather than being held in a static pointer.  */
++     
++      if (sections_being_created_abfd != abfd)
++        sections_being_created = NULL;
+       
+       if (sections_being_created == NULL)
+ 	{
+ 	  /* FIXME: It would be more efficient to attach this array to the bfd somehow.  */
+ 	  sections_being_created = (bfd_boolean *)
+ 	    bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean));
++        sections_being_created_abfd = abfd;
+ 	}
+       if (sections_being_created [shindex])
+ 	{
+@@ -2098,7 +2106,10 @@ bfd_section_from_shdr (bfd *abfd, unsign
+   if (sections_being_created)
+     sections_being_created [shindex] = FALSE;
+   if (-- nesting == 0)
++  {
+     sections_being_created = NULL;
++    sections_being_created_abfd = abfd;
++  }
+   return ret;
+ }
+ 

meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8502_1.patch

@@ -0,0 +1,523 @@
+Upstream-Status: Backport
+
+CVE-2014-8502 supporting patch.
+
+[YOCTO #7084]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+From bf67003b4567600ed3022a439207ac8f26454f91 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 27 Oct 2014 18:05:37 +0000
+Subject: [PATCH] This fixes more seg-faults in tools like "strings" and
+ "objdump" when presented with corrupt binaries.
+
+	PR binutils/17512
+	* elf.c (bfd_section_from_shdr): Detect and warn about ELF
+	binaries with a group of sections linked by the string table
+	indicies.
+	* peXXigen.c (pe_print_edata): Detect out of range rvas and
+	entry counts for the Export Address table, Name Pointer table
+	 and Ordinal table.
+---
+ bfd/ChangeLog  |   5 ++
+ bfd/elf.c      | 194 ++++++++++++++++++++++++++++++++++++++-------------------
+ bfd/peXXigen.c |  18 +++++-
+ 3 files changed, 150 insertions(+), 67 deletions(-)
+
+Index: binutils-2.24/bfd/elf.c
+===================================================================
+--- binutils-2.24.orig/bfd/elf.c
++++ binutils-2.24/bfd/elf.c
+@@ -1574,38 +1574,67 @@ bfd_section_from_shdr (bfd *abfd, unsign
+   Elf_Internal_Ehdr *ehdr;
+   const struct elf_backend_data *bed;
+   const char *name;
++  bfd_boolean ret = TRUE;
++  static bfd_boolean * sections_being_created = NULL;
++  static unsigned int nesting = 0;
+ 
+   if (shindex >= elf_numsections (abfd))
+     return FALSE;
+ 
++  if (++ nesting > 3)
++    {
++      /* PR17512: A corrupt ELF binary might contain a recursive group of
++	 sections, each the string indicies pointing to the next in the
++	 loop.  Detect this here, by refusing to load a section that we are
++	 already in the process of loading.  We only trigger this test if
++	 we have nested at least three sections deep as normal ELF binaries
++	 can expect to recurse at least once.  */
++      
++      if (sections_being_created == NULL)
++	{
++	  /* FIXME: It would be more efficient to attach this array to the bfd somehow.  */
++	  sections_being_created = (bfd_boolean *)
++	    bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean));
++	}
++      if (sections_being_created [shindex])
++	{
++	  (*_bfd_error_handler)
++	    (_("%B: warning: loop in section dependencies detected"), abfd);
++	  return FALSE;
++	}
++      sections_being_created [shindex] = TRUE;
++    }
++
+   hdr = elf_elfsections (abfd)[shindex];
+   ehdr = elf_elfheader (abfd);
+   name = bfd_elf_string_from_elf_section (abfd, ehdr->e_shstrndx,
+ 					  hdr->sh_name);
+   if (name == NULL)
+-    return FALSE;
++    goto fail;
+ 
+   bed = get_elf_backend_data (abfd);
+   switch (hdr->sh_type)
+     {
+     case SHT_NULL:
+       /* Inactive section. Throw it away.  */
+-      return TRUE;
++      goto success;
+ 
+-    case SHT_PROGBITS:	/* Normal section with contents.  */
+-    case SHT_NOBITS:	/* .bss section.  */
+-    case SHT_HASH:	/* .hash section.  */
+-    case SHT_NOTE:	/* .note section.  */
++    case SHT_PROGBITS:		/* Normal section with contents.  */
++    case SHT_NOBITS:		/* .bss section.  */
++    case SHT_HASH:		/* .hash section.  */
++    case SHT_NOTE:		/* .note section.  */
+     case SHT_INIT_ARRAY:	/* .init_array section.  */
+     case SHT_FINI_ARRAY:	/* .fini_array section.  */
+     case SHT_PREINIT_ARRAY:	/* .preinit_array section.  */
+     case SHT_GNU_LIBLIST:	/* .gnu.liblist section.  */
+     case SHT_GNU_HASH:		/* .gnu.hash section.  */
+-      return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++      ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++      goto success;
+ 
+     case SHT_DYNAMIC:	/* Dynamic linking information.  */
+       if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex))
+-	return FALSE;
++	goto fail;
++
+       if (hdr->sh_link > elf_numsections (abfd))
+ 	{
+ 	  /* PR 10478: Accept Solaris binaries with a sh_link
+@@ -1619,11 +1648,11 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 		break;
+ 	      /* Otherwise fall through.  */
+ 	    default:
+-	      return FALSE;
++	      goto fail;
+ 	    }
+ 	}
+       else if (elf_elfsections (abfd)[hdr->sh_link] == NULL)
+-	return FALSE;
++	goto fail;
+       else if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB)
+ 	{
+ 	  Elf_Internal_Shdr *dynsymhdr;
+@@ -1652,24 +1681,26 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 		}
+ 	    }
+ 	}
+-      break;
++      goto success;
+ 
+-    case SHT_SYMTAB:		/* A symbol table */
++    case SHT_SYMTAB:		/* A symbol table.  */
+       if (elf_onesymtab (abfd) == shindex)
+-	return TRUE;
++	goto success;
+ 
+       if (hdr->sh_entsize != bed->s->sizeof_sym)
+-	return FALSE;
++	goto fail;
++
+       if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size)
+ 	{
+ 	  if (hdr->sh_size != 0)
+-	    return FALSE;
++	    goto fail;
+ 	  /* Some assemblers erroneously set sh_info to one with a
+ 	     zero sh_size.  ld sees this as a global symbol count
+ 	     of (unsigned) -1.  Fix it here.  */
+ 	  hdr->sh_info = 0;
+-	  return TRUE;
++	  goto success;
+ 	}
++
+       BFD_ASSERT (elf_onesymtab (abfd) == 0);
+       elf_onesymtab (abfd) = shindex;
+       elf_tdata (abfd)->symtab_hdr = *hdr;
+@@ -1686,7 +1717,7 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 	  && (abfd->flags & DYNAMIC) != 0
+ 	  && ! _bfd_elf_make_section_from_shdr (abfd, hdr, name,
+ 						shindex))
+-	return FALSE;
++	goto fail;
+ 
+       /* Go looking for SHT_SYMTAB_SHNDX too, since if there is one we
+ 	 can't read symbols without that section loaded as well.  It
+@@ -1712,26 +1743,29 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 		  break;
+ 	      }
+ 	  if (i != shindex)
+-	    return bfd_section_from_shdr (abfd, i);
++	    ret = bfd_section_from_shdr (abfd, i);
+ 	}
+-      return TRUE;
++      goto success;
+ 
+-    case SHT_DYNSYM:		/* A dynamic symbol table */
++    case SHT_DYNSYM:		/* A dynamic symbol table.  */
+       if (elf_dynsymtab (abfd) == shindex)
+-	return TRUE;
++	goto success;
+ 
+       if (hdr->sh_entsize != bed->s->sizeof_sym)
+-	return FALSE;
++	goto fail;
++
+       if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size)
+ 	{
+ 	  if (hdr->sh_size != 0)
+-	    return FALSE;
++	    goto fail;
++
+ 	  /* Some linkers erroneously set sh_info to one with a
+ 	     zero sh_size.  ld sees this as a global symbol count
+ 	     of (unsigned) -1.  Fix it here.  */
+ 	  hdr->sh_info = 0;
+-	  return TRUE;
++	  goto success;
+ 	}
++
+       BFD_ASSERT (elf_dynsymtab (abfd) == 0);
+       elf_dynsymtab (abfd) = shindex;
+       elf_tdata (abfd)->dynsymtab_hdr = *hdr;
+@@ -1740,34 +1774,38 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 
+       /* Besides being a symbol table, we also treat this as a regular
+ 	 section, so that objcopy can handle it.  */
+-      return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++      ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++      goto success;
+ 
+-    case SHT_SYMTAB_SHNDX:	/* Symbol section indices when >64k sections */
++    case SHT_SYMTAB_SHNDX:	/* Symbol section indices when >64k sections.  */
+       if (elf_symtab_shndx (abfd) == shindex)
+-	return TRUE;
++	goto success;
+ 
+       BFD_ASSERT (elf_symtab_shndx (abfd) == 0);
+       elf_symtab_shndx (abfd) = shindex;
+       elf_tdata (abfd)->symtab_shndx_hdr = *hdr;
+       elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->symtab_shndx_hdr;
+-      return TRUE;
++      goto success;
+ 
+-    case SHT_STRTAB:		/* A string table */
++    case SHT_STRTAB:		/* A string table.  */
+       if (hdr->bfd_section != NULL)
+-	return TRUE;
++	goto success;
++
+       if (ehdr->e_shstrndx == shindex)
+ 	{
+ 	  elf_tdata (abfd)->shstrtab_hdr = *hdr;
+ 	  elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->shstrtab_hdr;
+-	  return TRUE;
++	  goto success;
+ 	}
++
+       if (elf_elfsections (abfd)[elf_onesymtab (abfd)]->sh_link == shindex)
+ 	{
+ 	symtab_strtab:
+ 	  elf_tdata (abfd)->strtab_hdr = *hdr;
+ 	  elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->strtab_hdr;
+-	  return TRUE;
++	  goto success;
+ 	}
++
+       if (elf_elfsections (abfd)[elf_dynsymtab (abfd)]->sh_link == shindex)
+ 	{
+ 	dynsymtab_strtab:
+@@ -1776,8 +1814,9 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 	  elf_elfsections (abfd)[shindex] = hdr;
+ 	  /* We also treat this as a regular section, so that objcopy
+ 	     can handle it.  */
+-	  return _bfd_elf_make_section_from_shdr (abfd, hdr, name,
+-						  shindex);
++	  ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name,
++						 shindex);
++	  goto success;
+ 	}
+ 
+       /* If the string table isn't one of the above, then treat it as a
+@@ -1795,9 +1834,9 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 		{
+ 		  /* Prevent endless recursion on broken objects.  */
+ 		  if (i == shindex)
+-		    return FALSE;
++		    goto fail;
+ 		  if (! bfd_section_from_shdr (abfd, i))
+-		    return FALSE;
++		    goto fail;
+ 		  if (elf_onesymtab (abfd) == i)
+ 		    goto symtab_strtab;
+ 		  if (elf_dynsymtab (abfd) == i)
+@@ -1805,7 +1844,8 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 		}
+ 	    }
+ 	}
+-      return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++      ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++      goto success;
+ 
+     case SHT_REL:
+     case SHT_RELA:
+@@ -1820,7 +1860,7 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 	if (hdr->sh_entsize
+ 	    != (bfd_size_type) (hdr->sh_type == SHT_REL
+ 				? bed->s->sizeof_rel : bed->s->sizeof_rela))
+-	  return FALSE;
++	  goto fail;
+ 
+ 	/* Check for a bogus link to avoid crashing.  */
+ 	if (hdr->sh_link >= num_sec)
+@@ -1828,8 +1868,9 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 	    ((*_bfd_error_handler)
+ 	     (_("%B: invalid link %lu for reloc section %s (index %u)"),
+ 	      abfd, hdr->sh_link, name, shindex));
+-	    return _bfd_elf_make_section_from_shdr (abfd, hdr, name,
+-						    shindex);
++	    ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name,
++						   shindex);
++	    goto success;
+ 	  }
+ 
+ 	/* For some incomprehensible reason Oracle distributes
+@@ -1870,7 +1911,7 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 	if ((elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_SYMTAB
+ 	     || elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_DYNSYM)
+ 	    && ! bfd_section_from_shdr (abfd, hdr->sh_link))
+-	  return FALSE;
++	  goto fail;
+ 
+ 	/* If this reloc section does not use the main symbol table we
+ 	   don't treat it as a reloc section.  BFD can't adequately
+@@ -1885,14 +1926,18 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 	    || hdr->sh_info >= num_sec
+ 	    || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL
+ 	    || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA)
+-	  return _bfd_elf_make_section_from_shdr (abfd, hdr, name,
+-						  shindex);
++	  {
++	    ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name,
++						   shindex);
++	    goto success;
++	  }
+ 
+ 	if (! bfd_section_from_shdr (abfd, hdr->sh_info))
+-	  return FALSE;
++	  goto fail;
++
+ 	target_sect = bfd_section_from_elf_index (abfd, hdr->sh_info);
+ 	if (target_sect == NULL)
+-	  return FALSE;
++	  goto fail;
+ 
+ 	esdt = elf_section_data (target_sect);
+ 	if (hdr->sh_type == SHT_RELA)
+@@ -1904,7 +1949,7 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 	amt = sizeof (*hdr2);
+ 	hdr2 = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt);
+ 	if (hdr2 == NULL)
+-	  return FALSE;
++	  goto fail;
+ 	*hdr2 = *hdr;
+ 	*p_hdr = hdr2;
+ 	elf_elfsections (abfd)[shindex] = hdr2;
+@@ -1920,34 +1965,40 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 	      target_sect->use_rela_p = 1;
+ 	  }
+ 	abfd->flags |= HAS_RELOC;
+-	return TRUE;
++	goto success;
+       }
+ 
+     case SHT_GNU_verdef:
+       elf_dynverdef (abfd) = shindex;
+       elf_tdata (abfd)->dynverdef_hdr = *hdr;
+-      return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++      ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++      goto success;
+ 
+     case SHT_GNU_versym:
+       if (hdr->sh_entsize != sizeof (Elf_External_Versym))
+-	return FALSE;
++	goto fail;
++
+       elf_dynversym (abfd) = shindex;
+       elf_tdata (abfd)->dynversym_hdr = *hdr;
+-      return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++      ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++      goto success;
+ 
+     case SHT_GNU_verneed:
+       elf_dynverref (abfd) = shindex;
+       elf_tdata (abfd)->dynverref_hdr = *hdr;
+-      return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++      ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++      goto success;
+ 
+     case SHT_SHLIB:
+-      return TRUE;
++      goto success;
+ 
+     case SHT_GROUP:
+       if (! IS_VALID_GROUP_SECTION_HEADER (hdr, GRP_ENTRY_SIZE))
+-	return FALSE;
++	goto fail;
++
+       if (!_bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex))
+-	return FALSE;
++	goto fail;
++
+       if (hdr->contents != NULL)
+ 	{
+ 	  Elf_Internal_Group *idx = (Elf_Internal_Group *) hdr->contents;
+@@ -1973,7 +2024,7 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 		}
+ 	    }
+ 	}
+-      break;
++      goto success;
+ 
+     default:
+       /* Possibly an attributes section.  */
+@@ -1981,14 +2032,14 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 	  || hdr->sh_type == bed->obj_attrs_section_type)
+ 	{
+ 	  if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex))
+-	    return FALSE;
++	    goto fail;
+ 	  _bfd_elf_parse_attributes (abfd, hdr);
+-	  return TRUE;
++	  goto success;
+ 	}
+ 
+       /* Check for any processor-specific section types.  */
+       if (bed->elf_backend_section_from_shdr (abfd, hdr, name, shindex))
+-	return TRUE;
++	goto success;
+ 
+       if (hdr->sh_type >= SHT_LOUSER && hdr->sh_type <= SHT_HIUSER)
+ 	{
+@@ -2000,9 +2051,12 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 		 "specific section `%s' [0x%8x]"),
+ 	       abfd, name, hdr->sh_type);
+ 	  else
+-	    /* Allow sections reserved for applications.  */
+-	    return _bfd_elf_make_section_from_shdr (abfd, hdr, name,
+-						    shindex);
++	    {
++	      /* Allow sections reserved for applications.  */
++	      ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name,
++						     shindex);
++	      goto success;
++	    }
+ 	}
+       else if (hdr->sh_type >= SHT_LOPROC
+ 	       && hdr->sh_type <= SHT_HIPROC)
+@@ -2023,8 +2077,11 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 		 "`%s' [0x%8x]"),
+ 	       abfd, name, hdr->sh_type);
+ 	  else
+-	    /* Otherwise it should be processed.  */
+-	    return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++	    {
++	      /* Otherwise it should be processed.  */
++	      ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++	      goto success;
++	    }
+ 	}
+       else
+ 	/* FIXME: We should handle this section.  */
+@@ -2032,10 +2089,17 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 	  (_("%B: don't know how to handle section `%s' [0x%8x]"),
+ 	   abfd, name, hdr->sh_type);
+ 
+-      return FALSE;
++      goto fail;
+     }
+ 
+-  return TRUE;
++ fail:
++  ret = FALSE;
++ success:
++  if (sections_being_created)
++    sections_being_created [shindex] = FALSE;
++  if (-- nesting == 0)
++    sections_being_created = NULL;
++  return ret;
+ }
+ 
+ /* Return the local symbol specified by ABFD, R_SYMNDX.  */
+Index: binutils-2.24/bfd/peXXigen.c
+===================================================================
+--- binutils-2.24.orig/bfd/peXXigen.c
++++ binutils-2.24/bfd/peXXigen.c
+@@ -1528,7 +1528,12 @@ pe_print_edata (bfd * abfd, void * vfile
+ 	  _("\nExport Address Table -- Ordinal Base %ld\n"),
+ 	  edt.base);
+ 
+-  for (i = 0; i < edt.num_functions; ++i)
++  /* PR 17512: Handle corrupt PE binaries.  */
++  if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize)
++    fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"),
++	     (long) edt.eat_addr,
++	     (long) edt.num_functions);
++  else for (i = 0; i < edt.num_functions; ++i)
+     {
+       bfd_vma eat_member = bfd_get_32 (abfd,
+ 				       data + edt.eat_addr + (i * 4) - adj);
+@@ -1564,7 +1569,16 @@ pe_print_edata (bfd * abfd, void * vfile
+   fprintf (file,
+ 	   _("\n[Ordinal/Name Pointer] Table\n"));
+ 
+-  for (i = 0; i < edt.num_names; ++i)
++  /* PR 17512: Handle corrupt PE binaries.  */
++  if (edt.npt_addr + (edt.num_names * 4) - adj >= datasize)
++    fprintf (file, _("\tInvalid Name Pointer Table rva (0x%lx) or entry count (0x%lx)\n"),
++	     (long) edt.npt_addr,
++	     (long) edt.num_names);
++  else if (edt.ot_addr + (edt.num_names * 2) - adj >= datasize)
++    fprintf (file, _("\tInvalid Ordinal Table rva (0x%lx) or entry count (0x%lx)\n"),
++	     (long) edt.ot_addr,
++	     (long) edt.num_names);
++  else for (i = 0; i < edt.num_names; ++i)
+     {
+       bfd_vma name_ptr = bfd_get_32 (abfd,
+ 				    data +
+Index: binutils-2.24/bfd/ChangeLog
+===================================================================
+--- binutils-2.24.orig/bfd/ChangeLog
++++ binutils-2.24/bfd/ChangeLog
+@@ -1,8 +1,13 @@
+ 2014-10-27  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/17512
++       * elf.c (bfd_section_from_shdr): Detect and warn about ELF
++       binaries with a group of sections linked by the string table
++       indicies.
+        * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries
+        with an invalid value for NumberOfRvaAndSizes.
++       (pe_print_edata): Detect out of range rvas and entry counts for
++       the Export Address table, Name Pointer table and Ordinal table.
+ 
+        PR binutils/17510
+        * elf.c (setup_group): Improve handling of corrupt group

meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8503.patch

@@ -0,0 +1,47 @@
+Upstream-Status: Backport
+
+CVE-2014-8503 fix.
+
+[YOCTO #7084]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+From 0102ea8cec5fc509bba6c91df61b7ce23a799d32 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 30 Oct 2014 17:16:17 +0000
+Subject: [PATCH] Fixes a seg-fault in the ihex parser when it encounters a
+ malformed ihex file.
+
+	PR binutils/17512
+	* ihex.c (ihex_scan): Fix typo in invocation of ihex_bad_byte.
+---
+ bfd/ChangeLog | 1 +
+ bfd/ihex.c    | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+Index: binutils-2.24/bfd/ihex.c
+===================================================================
+--- binutils-2.24.orig/bfd/ihex.c
++++ binutils-2.24/bfd/ihex.c
+@@ -322,7 +322,7 @@ ihex_scan (bfd *abfd)
+ 	    {
+ 	      if (! ISHEX (buf[i]))
+ 		{
+-		  ihex_bad_byte (abfd, lineno, hdr[i], error);
++		  ihex_bad_byte (abfd, lineno, buf[i], error);
+ 		  goto error_return;
+ 		}
+ 	    }
+Index: binutils-2.24/bfd/ChangeLog
+===================================================================
+--- binutils-2.24.orig/bfd/ChangeLog
++++ binutils-2.24/bfd/ChangeLog
+@@ -1,3 +1,8 @@
++2014-10-30  Nick Clifton  <nickc@redhat.com>
++
++    PR binutils/17512
++    * ihex.c (ihex_scan): Fix typo in invocation of ihex_bad_byte.
++
+ 2014-10-27  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/17512

meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8504.patch

@@ -0,0 +1,75 @@
+Upstream-Status: Backport
+
+CVE-2014-8504 fix.
+
+[YOCTO #7084]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+From 708d7d0d11f0f2d776171979aa3479e8e12a38a0 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 28 Oct 2014 10:48:14 +0000
+Subject: [PATCH] This patch fixes a flaw in the SREC parser which could cause
+ a stack overflow and potential secuiryt breach.
+
+	PR binutils/17510
+	* srec.c (srec_bad_byte): Increase size of buf to allow for
+	negative values.
+	(srec_scan): Use an unsigned char buffer to hold header bytes.
+---
+ bfd/ChangeLog  | 8 ++++++++
+ bfd/elf.c      | 2 +-
+ bfd/peXXigen.c | 1 -
+ bfd/srec.c     | 4 ++--
+ 4 files changed, 11 insertions(+), 4 deletions(-)
+
+Index: binutils-2.24/bfd/ChangeLog
+===================================================================
+--- binutils-2.24.orig/bfd/ChangeLog
++++ binutils-2.24/bfd/ChangeLog
+@@ -1,3 +1,11 @@
++2014-10-28  Andreas Schwab  <schwab@suse.de>
++       Nick Clifton  <nickc@redhat.com>
++
++   PR binutils/17510
++   * srec.c (srec_bad_byte): Increase size of buf to allow for
++   negative values.
++   (srec_scan): Use an unsigned char buffer to hold header bytes.
++
+ 2014-10-30  Nick Clifton  <nickc@redhat.com>
+ 
+     PR binutils/17512
+Index: binutils-2.24/bfd/peXXigen.c
+===================================================================
+--- binutils-2.24.orig/bfd/peXXigen.c
++++ binutils-2.24/bfd/peXXigen.c
+@@ -471,7 +471,6 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd,
+ 	a->NumberOfRvaAndSizes = 0;
+       }
+ 
+-
+     for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++)
+       {
+         /* If data directory is empty, rva also should be 0.  */
+Index: binutils-2.24/bfd/srec.c
+===================================================================
+--- binutils-2.24.orig/bfd/srec.c
++++ binutils-2.24/bfd/srec.c
+@@ -248,7 +248,7 @@ srec_bad_byte (bfd *abfd,
+     }
+   else
+     {
+-      char buf[10];
++      char buf[40];
+ 
+       if (! ISPRINT (c))
+ 	sprintf (buf, "\\%03o", (unsigned int) c);
+@@ -454,7 +454,7 @@ srec_scan (bfd *abfd)
+ 	case 'S':
+ 	  {
+ 	    file_ptr pos;
+-	    char hdr[3];
++	    unsigned char hdr[3];
+ 	    unsigned int bytes, min_bytes;
+ 	    bfd_vma address;
+ 	    bfd_byte *data;

meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8737.patch

@@ -0,0 +1,177 @@
+Upstream-Status: Backport
+
+CVE-2014-8737 fix.
+
+[YOCTO #7084]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+From dd9b91de2149ee81d47f708e7b0bbf57da10ad42 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 6 Nov 2014 14:49:10 +0000
+Subject: [PATCH] Prevent archive memebers with illegal pathnames from being
+ extracted from an archive.
+
+	PR binutils/17552, binutils/17533
+	* bucomm.c (is_valid_archive_path): New function.  Returns false
+	for absolute pathnames and pathnames that include /../.
+	* bucomm.h (is_valid_archive_path): Add prototype.
+	* ar.c (extract_file): Use new function to check for valid
+	pathnames when extracting files from an archive.
+	* objcopy.c (copy_archive): Likewise.
+	* doc/binutils.texi: Update documentation to mention the
+	limitation on pathname of archive members.
+---
+ binutils/ChangeLog         | 16 ++++++++++++++--
+ binutils/ar.c              |  9 +++++++++
+ binutils/bucomm.c          | 26 ++++++++++++++++++++++++++
+ binutils/bucomm.h          | 12 ++++++++----
+ binutils/doc/binutils.texi |  3 ++-
+ binutils/objcopy.c         |  6 ++++++
+ 6 files changed, 65 insertions(+), 7 deletions(-)
+
+Index: binutils-2.24/binutils/ar.c
+===================================================================
+--- binutils-2.24.orig/binutils/ar.c
++++ binutils-2.24/binutils/ar.c
+@@ -1031,6 +1031,15 @@ extract_file (bfd *abfd)
+   bfd_size_type size;
+   struct stat buf;
+ 
++  /* PR binutils/17533: Do not allow directory traversal
++     outside of the current directory tree.  */
++  if (! is_valid_archive_path (bfd_get_filename (abfd)))
++    {
++      non_fatal (_("illegal pathname found in archive member: %s"),
++		 bfd_get_filename (abfd));
++      return;
++    }
++
+   if (bfd_stat_arch_elt (abfd, &buf) != 0)
+     /* xgettext:c-format */
+     fatal (_("internal stat error on %s"), bfd_get_filename (abfd));
+Index: binutils-2.24/binutils/bucomm.c
+===================================================================
+--- binutils-2.24.orig/binutils/bucomm.c
++++ binutils-2.24/binutils/bucomm.c
+@@ -624,3 +624,29 @@ bfd_get_archive_filename (const bfd *abf
+ 	   bfd_get_filename (abfd));
+   return buf;
+ }
++
++/* Returns TRUE iff PATHNAME, a filename of an archive member,
++   is valid for writing.  For security reasons absolute paths
++   and paths containing /../ are not allowed.  See PR 17533.  */
++
++bfd_boolean
++is_valid_archive_path (char const * pathname)
++{
++  const char * n = pathname;
++
++  if (IS_ABSOLUTE_PATH (n))
++    return FALSE;
++
++  while (*n)
++    {
++      if (*n == '.' && *++n == '.' && ( ! *++n || IS_DIR_SEPARATOR (*n)))
++	return FALSE;
++
++      while (*n && ! IS_DIR_SEPARATOR (*n))
++	n++;
++      while (IS_DIR_SEPARATOR (*n))
++	n++;
++    }
++
++  return TRUE;
++}
+Index: binutils-2.24/binutils/bucomm.h
+===================================================================
+--- binutils-2.24.orig/binutils/bucomm.h
++++ binutils-2.24/binutils/bucomm.h
+@@ -23,6 +23,8 @@
+ #ifndef _BUCOMM_H
+ #define _BUCOMM_H
+ 
++/* In bucomm.c.  */
++
+ /* Return the filename in a static buffer.  */
+ const char *bfd_get_archive_filename (const bfd *);
+ 
+@@ -58,20 +60,22 @@ bfd_vma parse_vma (const char *, const c
+ 
+ off_t get_file_size (const char *);
+ 
++bfd_boolean is_valid_archive_path (char const *);
++
+ extern char *program_name;
+ 
+-/* filemode.c */
++/* In filemode.c.  */
+ void mode_string (unsigned long, char *);
+ 
+-/* version.c */
++/* In version.c.  */
+ extern void print_version (const char *);
+ 
+-/* rename.c */
++/* In rename.c.  */
+ extern void set_times (const char *, const struct stat *);
+ 
+ extern int smart_rename (const char *, const char *, int);
+ 
+-/* libiberty.  */
++/* In libiberty.  */
+ void *xmalloc (size_t);
+ 
+ void *xrealloc (void *, size_t);
+Index: binutils-2.24/binutils/doc/binutils.texi
+===================================================================
+--- binutils-2.24.orig/binutils/doc/binutils.texi
++++ binutils-2.24/binutils/doc/binutils.texi
+@@ -234,7 +234,8 @@ a normal archive.  Instead the elements
+ individually to the second archive.
+ 
+ The paths to the elements of the archive are stored relative to the
+-archive itself.
++archive itself.  For security reasons absolute paths and paths with a
++@code{/../} component are not allowed.
+ 
+ @cindex compatibility, @command{ar}
+ @cindex @command{ar} compatibility
+Index: binutils-2.24/binutils/objcopy.c
+===================================================================
+--- binutils-2.24.orig/binutils/objcopy.c
++++ binutils-2.24/binutils/objcopy.c
+@@ -2206,6 +2206,12 @@ copy_archive (bfd *ibfd, bfd *obfd, cons
+       bfd_boolean del = TRUE;
+       bfd_boolean ok_object;
+ 
++      /* PR binutils/17533: Do not allow directory traversal
++	 outside of the current directory tree by archive members.  */
++      if (! is_valid_archive_path (bfd_get_filename (this_element)))
++	fatal (_("illegal pathname found in archive member: %s"),
++	       bfd_get_filename (this_element));
++
+       /* Create an output file for this member.  */
+       output_name = concat (dir, "/",
+ 			    bfd_get_filename (this_element), (char *) 0);
+Index: binutils-2.24/binutils/ChangeLog
+===================================================================
+--- binutils-2.24.orig/binutils/ChangeLog
++++ binutils-2.24/binutils/ChangeLog
+@@ -1,3 +1,15 @@
++2014-11-06  Nick Clifton  <nickc@redhat.com>
++
++       PR binutils/17552, binutils/17533
++       * bucomm.c (is_valid_archive_path): New function.  Returns false
++       for absolute pathnames and pathnames that include /../.
++       * bucomm.h (is_valid_archive_path): Add prototype.
++       * ar.c (extract_file): Use new function to check for valid
++       pathnames when extracting files from an archive.
++       * objcopy.c (copy_archive): Likewise.
++       * doc/binutils.texi: Update documentation to mention the
++       limitation on pathname of archive members.
++
+ 2013-11-22  Cory Fields  <cory@coryfields.com>
+ 
+ 	* windres.c (define_resource): Use zero for timestamp, making

meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2015-0247.patch

@@ -0,0 +1,58 @@
+From f66e6ce4446738c2c7f43d41988a3eb73347e2f5 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 9 Aug 2014 12:24:54 -0400
+Subject: libext2fs: avoid buffer overflow if s_first_meta_bg is too big
+
+If s_first_meta_bg is greater than the of number block group
+descriptor blocks, then reading or writing the block group descriptors
+will end up overruning the memory buffer allocated for the
+descriptors.  Fix this by limiting first_meta_bg to no more than
+fs->desc_blocks.  This doesn't correct the bad s_first_meta_bg value,
+but it avoids causing the e2fsprogs userspace programs from
+potentially crashing.
+
+Fixes CVE-2015-0247
+Upstream-Status: Backport
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c
+index 4599eef..1f99113 100644
+--- a/lib/ext2fs/closefs.c
++++ b/lib/ext2fs/closefs.c
+@@ -344,9 +344,11 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
+ 	 * superblocks and group descriptors.
+ 	 */
+ 	group_ptr = (char *) group_shadow;
+-	if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
++	if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
+ 		old_desc_blocks = fs->super->s_first_meta_bg;
+-	else
++		if (old_desc_blocks > fs->super->s_first_meta_bg)
++			old_desc_blocks = fs->desc_blocks;
++	} else
+ 		old_desc_blocks = fs->desc_blocks;
+ 
+ 	ext2fs_numeric_progress_init(fs, &progress, NULL,
+diff --git a/lib/ext2fs/openfs.c b/lib/ext2fs/openfs.c
+index a1a3517..ba501e6 100644
+--- a/lib/ext2fs/openfs.c
++++ b/lib/ext2fs/openfs.c
+@@ -378,9 +378,11 @@ errcode_t ext2fs_open2(const char *name, const char *io_options,
+ #ifdef WORDS_BIGENDIAN
+ 	groups_per_block = EXT2_DESC_PER_BLOCK(fs->super);
+ #endif
+-	if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
++	if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
+ 		first_meta_bg = fs->super->s_first_meta_bg;
+-	else
++		if (first_meta_bg > fs->desc_blocks)
++			first_meta_bg = fs->desc_blocks;
++	} else
+ 		first_meta_bg = fs->desc_blocks;
+ 	if (first_meta_bg) {
+ 		retval = io_channel_read_blk(fs->io, group_block +
+-- 
+cgit v0.10.2
+

meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb

@@ -18,6 +18,7 @@ SRC_URI += "file://acinclude.m4 \
             file://0011-mke2fs.8.in-update-the-manual-for-the-d-option.patch \
             file://0001-e2fsprogs-fix-cross-compilation-problem.patch \
             file://misc-mke2fs.c-return-error-when-failed-to-populate-fs.patch \
+            file://CVE-2015-0247.patch \
 "
 
 SRC_URI[md5sum] = "3f8e41e63b432ba114b33f58674563f7"

meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch

@@ -0,0 +1,50 @@
+libelf: Fix dir traversal vuln in ar extraction.
+
+read_long_names terminates names at the first '/' found but then skips one
+character without checking (it's supposed to be '\n'). Hence the next name could
+start with any character including '/'. This leads to a directory traversal
+vulnerability at the time the contents of the archive is extracted.
+
+The danger is mitigated by the fact that only one '/' is possible in a resulting
+filename
+and only in the leading position. Hence only files in the root directory can be
+written via this vuln and only when ar is executed as root. The fix for the vuln
+is to not skip any characters while looking for '/'.
+
+Upstream commit:
+https://git.fedorahosted.org/cgit/elfutils.git/commit/
+?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e
+
+Fixes CVE-2014-9447
+Upstream-Status: Backport
+
+Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff -ruN a/libelf/ChangeLog b/libelf/ChangeLog
+--- a/libelf/ChangeLog	2015-03-03 12:39:39.255277970 +0100
++++ b/libelf/ChangeLog	2015-03-03 12:43:44.700870042 +0100
+@@ -1,3 +1,8 @@
++2014-12-28  Alexander Cherepanov  <cherepan@mccme.ru>
++
++       * elf_begin.c (read_long_names): Don't miss '/' right after
++       another '/'. Fixes a dir traversal vuln in ar extraction.
++
+ 2012-08-16  Roland McGrath  <roland@hack.frob.com>
+ 
+ 	* elf.h: Update from glibc.
+diff -ruN a/libelf/elf_begin.c b/libelf/elf_begin.c
+--- a/libelf/elf_begin.c	2015-03-03 12:39:39.835253375 +0100
++++ b/libelf/elf_begin.c	2015-03-03 12:41:30.906543370 +0100
+@@ -744,10 +744,7 @@
+ 	    break;
+ 
+ 	  /* NUL-terminate the string.  */
+-	  *runp = '\0';
+-
+-	  /* Skip the NUL byte and the \012.  */
+-	  runp += 2;
++	  *runp++ = '\0';
+ 
+ 	  /* A sanity check.  Somebody might have generated invalid
+ 	     archive.  */

meta/recipes-devtools/elfutils/elfutils_0.155.bb

@@ -23,6 +23,7 @@ SRC_URI += "\
 	file://nm-Fix-size-passed-to-snprintf-for-invalid-sh_name-case.patch \
 	file://elfutils-ar-c-fix-num-passed-to-memset.patch \
 	file://fix-build-gcc-4.8.patch \
+        file://CVE-2014-9447.patch \
 "
 # Only apply when building uclibc based target recipe
 SRC_URI_append_libc-uclibc = " file://uclibc-support.patch"

meta/recipes-devtools/file/file_5.16.bb

@@ -12,6 +12,7 @@ DEPENDS = "zlib file-native"
 DEPENDS_class-native = "zlib-native"
 
 SRC_URI = "ftp://ftp.astron.com/pub/file/file-${PV}.tar.gz \
+           file://file-CVE-2014-9620-and-CVE-2014-9621.patch \
            file://dump \
            file://filesystems"
 
@@ -32,5 +33,9 @@ do_install_append_class-native() {
 		--magic-file ${datadir}/misc/magic.mgc
 }
 
+do_install_append_class-nativesdk() {
+	create_cmdline_wrapper ${D}/${bindir}/file \
+		--magic-file ${datadir}/misc/magic.mgc
+}
 
 BBCLASSEXTEND = "native nativesdk"

meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-7185.patch

@@ -0,0 +1,75 @@
+From 104eb318283dde5203aa6cf7384287bef181e308 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Wed, 12 Nov 2014 01:58:02 -0500
+Subject: [PATCH] python: fix CVE-2014-7185
+
+Reference: http://bugs.python.org/issue21831
+
+CVE-2014-7185: Integer overflow in bufferobject.c in Python before
+2.7.8 allows context-dependent attackers to obtain sensitive
+information from process memory via a large size and offset in a
+"buffer" function.
+
+Upstream-Status: Backport
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+---
+ Lib/test/test_buffer.py |    6 ++++++
+ Misc/NEWS               |    3 +++
+ Objects/bufferobject.c  |    2 +-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/test/test_buffer.py b/Lib/test/test_buffer.py
+index 6bdc34d..3ac1f8c 100644
+--- a/Lib/test/test_buffer.py
++++ b/Lib/test/test_buffer.py
+@@ -4,6 +4,7 @@ For now, tests just new or changed functionality.
+ 
+ """
+ 
++import sys
+ import unittest
+ from test import test_support
+ 
+@@ -21,6 +22,11 @@ class BufferTests(unittest.TestCase):
+                     self.assertEqual(b[start:stop:step],
+                                      s[start:stop:step])
+ 
++    def test_large_buffer_size_and_offset(self):
++        data = bytearray('hola mundo')
++        buf = buffer(data, sys.maxsize, sys.maxsize)
++        self.assertEqual(buf[:4096], "")
++
+ 
+ def test_main():
+     with test_support.check_py3k_warnings(("buffer.. not supported",
+diff --git a/Misc/NEWS b/Misc/NEWS
+index e8778ad..77396c5 100644
+--- a/Misc/NEWS
++++ b/Misc/NEWS
+@@ -1896,6 +1896,9 @@ What's New in Python 2.7 Release Candidate 1?
+ Core and Builtins
+ -----------------
+ 
++- Issue #21831: Avoid integer overflow when large sizes and offsets are given to
++  the buffer type. CVE-2014-7185.
++
+ - Issue #8271: during the decoding of an invalid UTF-8 byte sequence, only the
+   start byte and the continuation byte(s) are now considered invalid, instead
+   of the number of bytes specified by the start byte.
+diff --git a/Objects/bufferobject.c b/Objects/bufferobject.c
+index c52f0bc..c542506 100644
+--- a/Objects/bufferobject.c
++++ b/Objects/bufferobject.c
+@@ -88,7 +88,7 @@ get_buf(PyBufferObject *self, void **ptr, Py_ssize_t *size,
+             *size = count;
+         else
+             *size = self->b_size;
+-        if (offset + *size > count)
++        if (*size > count - offset)
+             *size = count - offset;
+     }
+     return 1;
+-- 
+1.7.9.5
+

meta/recipes-devtools/python/python/python2.7.3-nossl3.patch

@@ -0,0 +1,37 @@
+python: Building without SSLv3 support
+
+Building without SSLv3 support when openssl is built
+without any support for SSLv3
+
+Upstream-Status: Backport
+
+Reference:
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=76A8611#22
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff -ruN a/Modules/_ssl.c b/Modules/_ssl.c
+--- a/Modules/_ssl.c	2014-11-26 07:43:58.755679939 +0100
++++ b/Modules/_ssl.c	2014-11-26 07:49:10.454182400 +0100
+@@ -302,8 +302,10 @@
+     PySSL_BEGIN_ALLOW_THREADS
+     if (proto_version == PY_SSL_VERSION_TLS1)
+         self->ctx = SSL_CTX_new(TLSv1_method()); /* Set up context */
++#ifndef OPENSSL_NO_SSL3
+     else if (proto_version == PY_SSL_VERSION_SSL3)
+         self->ctx = SSL_CTX_new(SSLv3_method()); /* Set up context */
++#endif
+ #ifndef OPENSSL_NO_SSL2
+     else if (proto_version == PY_SSL_VERSION_SSL2)
+         self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */
+@@ -1777,8 +1779,10 @@
+     PyModule_AddIntConstant(m, "PROTOCOL_SSLv2",
+                             PY_SSL_VERSION_SSL2);
+ #endif
++#ifndef OPENSSL_NO_SSL3
+     PyModule_AddIntConstant(m, "PROTOCOL_SSLv3",
+                             PY_SSL_VERSION_SSL3);
++#endif
+     PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",
+                             PY_SSL_VERSION_SSL23);
+     PyModule_AddIntConstant(m, "PROTOCOL_TLSv1",

meta/recipes-devtools/python/python_2.7.3.bb

@@ -36,6 +36,8 @@ SRC_URI += "\
   file://python-2.7.3-CVE-2013-1752-smtplib-fix.patch \
   file://python-fix-build-error-with-Readline-6.3.patch \
   file://python-2.7.3-CVE-2014-1912.patch \
+  file://python2.7.3-nossl3.patch \
+  file://python-2.7.3-CVE-2014-7185.patch \
 "
 
 S = "${WORKDIR}/Python-${PV}"

meta/recipes-devtools/qemu/files/ide-CVE-2014-2894.patch

@@ -0,0 +1,46 @@
+From c5dae2f4c50ef848f224da718154af4438862cdb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Canet?= <benoit.canet@irqsave.net>
+Date: Sat, 12 Apr 2014 22:59:50 +0200
+Subject: [PATCH] ide: Correct improper smart self test counter reset in ide
+ core.
+
+The SMART self test counter was incorrectly being reset to zero,
+not 1. This had the effect that on every 21st SMART EXECUTE OFFLINE:
+ * We would write off the beginning of a dynamically allocated buffer
+ * We forgot the SMART history
+Fix this.
+
+Signed-off-by: Benoit Canet <benoit@irqsave.net>
+Message-id: 1397336390-24664-1-git-send-email-benoit.canet@irqsave.net
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+Cc: qemu-stable@nongnu.org
+Acked-by: Kevin Wolf <kwolf@redhat.com>
+[PMM: tweaked commit message as per suggestions from Markus]
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Fixes CVE-2014-2894
+Upstream-Status: Backport
+
+(cherry picked from commit 940973ae0b45c9b6817bab8e4cf4df99a9ef83d7)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ hw/ide/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index e1f4c33..6007f6f 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -1601,7 +1601,7 @@ static bool cmd_smart(IDEState *s, uint8_t cmd)
+         case 2: /* extended self test */
+             s->smart_selftest_count++;
+             if (s->smart_selftest_count > 21) {
+-                s->smart_selftest_count = 0;
++                s->smart_selftest_count = 1;
+             }
+             n = 2 + (s->smart_selftest_count - 1) * 24;
+             s->smart_selftest_data[n] = s->sector;
+-- 
+1.9.1
+

meta/recipes-devtools/qemu/qemu_1.7.0.bb

@@ -5,7 +5,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
 
 SRC_URI += "file://fxrstorssefix.patch \
             file://qemu-enlarge-env-entry-size.patch \
-            file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch"
+            file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
+            file://ide-CVE-2014-2894.patch"
 
 SRC_URI_prepend = "http://wiki.qemu.org/download/qemu-${PV}.tar.bz2"
 SRC_URI[md5sum] = "32893941d40d052a5e649efcf06aca06"

meta/recipes-extended/cpio/cpio-2.11/fix-memory-overrun.patch

@@ -0,0 +1,220 @@
+cpio: Fix memory overrun on reading improperly created link records
+
+Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
+
+http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=746f3ff670dcfcdd28fcc990e79cd6fccc7ae48d
+
+  * src/copyin.c (get_link_name): New function.
+  (list_file, copyin_link): use get_link_name
+
+  * tests/symlink-bad-length.at: New file.
+  * tests/symlink-long.at: New file.
+  * tests/Makefile.am: Add new files.
+  * tests/testsuite.at: Likewise.
+
+  See http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
+
+Upstream-Status: Backport
+
+Signed-off-by: Sergey Poznyakoff <gray@gnu.org.ua>
+
+diff -Nurp cpio-2.11.orig/src/copyin.c cpio-2.11/src/copyin.c
+--- cpio-2.11.orig/src/copyin.c	2010-02-15 18:02:23.000000000 +0800
++++ cpio-2.11/src/copyin.c	2014-12-08 13:14:04.355547508 +0800
+@@ -126,6 +126,28 @@ tape_skip_padding (int in_file_des, off_
+ }
+ 
+ 
++static char *
++get_link_name (struct cpio_file_stat *file_hdr, int in_file_des)
++{
++  off_t n = file_hdr->c_filesize + 1;
++  char *link_name;
++
++  if (n == 0 || n > SIZE_MAX)
++    {
++      error (0, 0, _("%s: stored filename length too big"), file_hdr->c_name);
++      link_name = NULL;
++    }
++  else
++    {
++      link_name = xmalloc (n);
++      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
++      link_name[file_hdr->c_filesize] = '\0';
++      tape_skip_padding (in_file_des, file_hdr->c_filesize);
++    }
++  return link_name;
++}
++
++
+ static void
+ list_file(struct cpio_file_stat* file_hdr, int in_file_des)
+ {
+@@ -136,21 +158,16 @@ list_file(struct cpio_file_stat* file_hd
+ 	{
+ 	  if (archive_format != arf_tar && archive_format != arf_ustar)
+ 	    {
+-	      char *link_name = NULL;	/* Name of hard and symbolic links.  */
+-
+-	      link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
+-	      link_name[file_hdr->c_filesize] = '\0';
+-	      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
+-	      long_format (file_hdr, link_name);
+-	      free (link_name);
+-	      tape_skip_padding (in_file_des, file_hdr->c_filesize);
+-	      return;
++	      char *link_name = get_link_name (file_hdr, in_file_des);
++	      if (link_name)
++		{
++		  long_format (file_hdr, link_name);
++		  free (link_name);
++		}
+ 	    }
+ 	  else
+-	    {
+ 	      long_format (file_hdr, file_hdr->c_tar_linkname);
+-	      return;
+-	    }
++	  return;
+ 	}
+       else
+ #endif
+@@ -650,10 +667,7 @@ copyin_link(struct cpio_file_stat *file_
+ 
+   if (archive_format != arf_tar && archive_format != arf_ustar)
+     {
+-      link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
+-      link_name[file_hdr->c_filesize] = '\0';
+-      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
+-      tape_skip_padding (in_file_des, file_hdr->c_filesize);
++      link_name = get_link_name (file_hdr, in_file_des);
+     }
+   else
+     {
+diff -Nurp cpio-2.11.orig/tests/Makefile.am cpio-2.11/tests/Makefile.am
+--- cpio-2.11.orig/tests/Makefile.am	2010-02-15 18:02:23.000000000 +0800
++++ cpio-2.11/tests/Makefile.am	2014-12-08 13:14:49.931545727 +0800
+@@ -52,6 +52,8 @@ TESTSUITE_AT = \
+  setstat04.at\
+  setstat05.at\
+  symlink.at\
++ symlink-bad-length.at\
++ symlink-long.at\
+  version.at
+ 
+ TESTSUITE = $(srcdir)/testsuite
+diff -Nurp cpio-2.11.orig/tests/symlink-bad-length.at cpio-2.11/tests/symlink-bad-length.at
+--- cpio-2.11.orig/tests/symlink-bad-length.at	1970-01-01 08:00:00.000000000 +0800
++++ cpio-2.11/tests/symlink-bad-length.at	2014-12-08 13:17:45.979538847 +0800
+@@ -0,0 +1,49 @@
++# Process this file with autom4te to create testsuite.  -*- Autotest -*-
++# Copyright (C) 2014 Free Software Foundation, Inc.
++
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3, or (at your option)
++# any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
++# 02110-1301 USA.
++
++# Cpio v2.11 did segfault with badly set symlink length.
++# References:
++# http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
++
++AT_SETUP([symlink-bad-length])
++AT_KEYWORDS([symlink-long copyout])
++
++AT_DATA([ARCHIVE.base64],
++[x3EjAIBAtIEtJy8nAQAAAHRUYW0FAAAADQBGSUxFAABzb21lIGNvbnRlbnQKAMdxIwBgQ/+hLScv
++JwEAAAB0VEhuBQD/////TElOSwAARklMRcdxAAAAAAAAAAAAAAEAAAAAAAAACwAAAAAAVFJBSUxF
++UiEhIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
++])
++
++AT_CHECK([
++base64 -d ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
++cpio -ntv < ARCHIVE
++test $? -eq 2
++],
++[0],
++[-rw-rw-r--   1 10029    10031          13 Nov 25 13:52 FILE
++],[cpio: LINK: stored filename length too big
++cpio: premature end of file
++])
++
++AT_CLEANUP
+diff -Nurp cpio-2.11.orig/tests/symlink-long.at cpio-2.11/tests/symlink-long.at
+--- cpio-2.11.orig/tests/symlink-long.at	1970-01-01 08:00:00.000000000 +0800
++++ cpio-2.11/tests/symlink-long.at	2014-12-08 13:17:57.219538408 +0800
+@@ -0,0 +1,46 @@
++# Process this file with autom4te to create testsuite.  -*- Autotest -*-
++# Copyright (C) 2014 Free Software Foundation, Inc.
++
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3, or (at your option)
++# any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
++# 02110-1301 USA.
++
++# Cpio v2.11.90 changed the way symlink name is read from archive.
++# References:
++# http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
++
++AT_SETUP([symlink-long])
++AT_KEYWORDS([symlink-long copyout])
++
++AT_CHECK([
++
++# len(dirname) > READBUFSIZE
++dirname=
++for i in {1..52}; do
++    dirname="xxxxxxxxx/$dirname"
++    mkdir "$dirname"
++done
++ln -s "$dirname" x || AT_SKIP_TEST
++
++echo x | cpio -o > ar
++list=`cpio -tv < ar | sed 's|.*-> ||'`
++test "$list" = "$dirname" && echo success || echo fail
++],
++[0],
++[success
++],[2 blocks
++2 blocks
++])
++
++AT_CLEANUP
+diff -Nurp cpio-2.11.orig/tests/testsuite.at cpio-2.11/tests/testsuite.at
+--- cpio-2.11.orig/tests/testsuite.at	2010-02-15 18:02:23.000000000 +0800
++++ cpio-2.11/tests/testsuite.at	2014-12-08 13:15:13.515544805 +0800
+@@ -31,6 +31,8 @@ m4_include([version.at])
+ 
+ m4_include([inout.at])
+ m4_include([symlink.at])
++m4_include([symlink-bad-length.at])
++m4_include([symlink-long.at])
+ m4_include([interdir.at])
+ 
+ m4_include([setstat01.at])

meta/recipes-extended/cpio/cpio-2.8/fix-memory-overrun.patch

@@ -0,0 +1,217 @@
+cpio: Fix memory overrun on reading improperly created link records
+
+Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
+
+http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=746f3ff670dcfcdd28fcc990e79cd6fccc7ae48d
+
+  * src/copyin.c (get_link_name): New function.
+  (list_file, copyin_link): use get_link_name
+
+  * tests/symlink-bad-length.at: New file.
+  * tests/symlink-long.at: New file.
+  * tests/Makefile.am: Add new files.
+  * tests/testsuite.at: Likewise.
+
+  See http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
+
+Upstream-Status: Backport
+
+Signed-off-by: Sergey Poznyakoff <gray@gnu.org.ua>
+
+diff -Nurp cpio-2.8.orig/src/copyin.c cpio-2.8/src/copyin.c
+--- cpio-2.8.orig/src/copyin.c	2007-06-07 19:58:03.000000000 +0800
++++ cpio-2.8/src/copyin.c	2014-12-08 11:30:01.159791484 +0800
+@@ -126,6 +126,28 @@ tape_skip_padding (int in_file_des, int
+ }
+ 
+ 
++static char *
++get_link_name (struct cpio_file_stat *file_hdr, int in_file_des)
++{
++  off_t n = file_hdr->c_filesize + 1;
++  char *link_name;
++
++  if (n == 0 || n > SIZE_MAX)
++    {
++      error (0, 0, _("%s: stored filename length too big"), file_hdr->c_name);
++      link_name = NULL;
++    }
++  else
++    {
++      link_name = xmalloc (n);
++      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
++      link_name[file_hdr->c_filesize] = '\0';
++      tape_skip_padding (in_file_des, file_hdr->c_filesize);
++    }
++  return link_name;
++}
++
++
+ static void
+ list_file(struct cpio_file_stat* file_hdr, int in_file_des)
+ {
+@@ -136,21 +158,16 @@ list_file(struct cpio_file_stat* file_hd
+ 	{
+ 	  if (archive_format != arf_tar && archive_format != arf_ustar)
+ 	    {
+-	      char *link_name = NULL;	/* Name of hard and symbolic links.  */
+-
+-	      link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
+-	      link_name[file_hdr->c_filesize] = '\0';
+-	      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
+-	      long_format (file_hdr, link_name);
+-	      free (link_name);
+-	      tape_skip_padding (in_file_des, file_hdr->c_filesize);
+-	      return;
++	      char *link_name = get_link_name (file_hdr, in_file_des);
++	      if (link_name)
++		{
++		  long_format (file_hdr, link_name);
++		  free (link_name);
++		}
+ 	    }
+ 	  else
+-	    {
+ 	      long_format (file_hdr, file_hdr->c_tar_linkname);
+-	      return;
+-	    }
++	  return;
+ 	}
+       else
+ #endif
+@@ -732,10 +749,7 @@ copyin_link(struct cpio_file_stat *file_
+ 
+   if (archive_format != arf_tar && archive_format != arf_ustar)
+     {
+-      link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
+-      link_name[file_hdr->c_filesize] = '\0';
+-      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
+-      tape_skip_padding (in_file_des, file_hdr->c_filesize);
++      link_name = get_link_name (file_hdr, in_file_des);
+     }
+   else
+     {
+diff -Nurp cpio-2.8.orig/tests/Makefile.am cpio-2.8/tests/Makefile.am
+--- cpio-2.8.orig/tests/Makefile.am	2006-10-24 18:32:13.000000000 +0800
++++ cpio-2.8/tests/Makefile.am	2014-12-08 11:30:52.387789482 +0800
+@@ -45,6 +45,8 @@ TESTSUITE_AT = \
+  testsuite.at\
+  inout.at\
+  symlink.at\
++ symlink-bad-length.at\
++ symlink-long.at\
+  version.at
+ 
+ TESTSUITE = $(srcdir)/testsuite
+diff -Nurp cpio-2.8.orig/tests/symlink-bad-length.at cpio-2.8/tests/symlink-bad-length.at
+--- cpio-2.8.orig/tests/symlink-bad-length.at	1970-01-01 08:00:00.000000000 +0800
++++ cpio-2.8/tests/symlink-bad-length.at	2014-12-08 11:33:25.283783507 +0800
+@@ -0,0 +1,49 @@
++# Process this file with autom4te to create testsuite.  -*- Autotest -*-
++# Copyright (C) 2014 Free Software Foundation, Inc.
++
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3, or (at your option)
++# any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
++# 02110-1301 USA.
++
++# Cpio v2.11 did segfault with badly set symlink length.
++# References:
++# http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
++
++AT_SETUP([symlink-bad-length])
++AT_KEYWORDS([symlink-long copyout])
++
++AT_DATA([ARCHIVE.base64],
++[x3EjAIBAtIEtJy8nAQAAAHRUYW0FAAAADQBGSUxFAABzb21lIGNvbnRlbnQKAMdxIwBgQ/+hLScv
++JwEAAAB0VEhuBQD/////TElOSwAARklMRcdxAAAAAAAAAAAAAAEAAAAAAAAACwAAAAAAVFJBSUxF
++UiEhIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
++])
++
++AT_CHECK([
++base64 -d ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
++cpio -ntv < ARCHIVE
++test $? -eq 2
++],
++[0],
++[-rw-rw-r--   1 10029    10031          13 Nov 25 13:52 FILE
++],[cpio: LINK: stored filename length too big
++cpio: premature end of file
++])
++
++AT_CLEANUP
+diff -Nurp cpio-2.8.orig/tests/symlink-long.at cpio-2.8/tests/symlink-long.at
+--- cpio-2.8.orig/tests/symlink-long.at	1970-01-01 08:00:00.000000000 +0800
++++ cpio-2.8/tests/symlink-long.at	2014-12-08 11:34:28.807781024 +0800
+@@ -0,0 +1,46 @@
++# Process this file with autom4te to create testsuite.  -*- Autotest -*-
++# Copyright (C) 2014 Free Software Foundation, Inc.
++
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3, or (at your option)
++# any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
++# 02110-1301 USA.
++
++# Cpio v2.11.90 changed the way symlink name is read from archive.
++# References:
++# http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
++
++AT_SETUP([symlink-long])
++AT_KEYWORDS([symlink-long copyout])
++
++AT_CHECK([
++
++# len(dirname) > READBUFSIZE
++dirname=
++for i in {1..52}; do
++    dirname="xxxxxxxxx/$dirname"
++    mkdir "$dirname"
++done
++ln -s "$dirname" x || AT_SKIP_TEST
++
++echo x | cpio -o > ar
++list=`cpio -tv < ar | sed 's|.*-> ||'`
++test "$list" = "$dirname" && echo success || echo fail
++],
++[0],
++[success
++],[2 blocks
++2 blocks
++])
++
++AT_CLEANUP
+diff -Nurp cpio-2.8.orig/tests/testsuite.at cpio-2.8/tests/testsuite.at
+--- cpio-2.8.orig/tests/testsuite.at	2006-10-24 18:32:13.000000000 +0800
++++ cpio-2.8/tests/testsuite.at	2014-12-08 11:34:56.515779942 +0800
+@@ -31,3 +31,5 @@ m4_include([version.at])
+ 
+ m4_include([inout.at])
+ m4_include([symlink.at])
++m4_include([symlink-bad-length.at])
++m4_include([symlink-long.at])

meta/recipes-extended/cpio/cpio_2.11.bb

@@ -3,9 +3,10 @@ include cpio_v2.inc
 LICENSE = "GPLv3"
 LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949"
 
-PR = "r4"
+PR = "r5"
 
 SRC_URI += "file://remove-gets.patch \
+	    file://fix-memory-overrun.patch \
            "
 
 SRC_URI[md5sum] = "1112bb6c45863468b5496ba128792f6c"

meta/recipes-extended/cpio/cpio_2.8.bb

@@ -3,11 +3,12 @@ require cpio_v2.inc
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b7f772ea3a2489231cb4872656cac34b"
 
-PR = "r3"
+PR = "r4"
 
 SRC_URI += "file://m4extensions.patch \
-    file://avoid_heap_overflow.patch \
-    "
+	    file://avoid_heap_overflow.patch \
+	    file://fix-memory-overrun.patch \
+	   "
 
 SRC_URI[md5sum] = "0caa356e69e149fb49b76bacc64615a1"
 SRC_URI[sha256sum] = "1b203248874c3b5a728b351f06513e5282f73e0170b7f207fbf8c39f28f6b4ad"

meta/recipes-kernel/linux/linux-yocto-rt_3.14.bb

@@ -3,13 +3,13 @@ require recipes-kernel/linux/linux-yocto.inc
 KBRANCH = "standard/preempt-rt/base"
 KBRANCH_qemuppc = "standard/preempt-rt/qemuppc"
 
-SRCREV_machine ?= "b5ed38affb23ff64a0382ee0dd116ffe74c4a379"
-SRCREV_machine_qemuppc ?= "79cb133d2d1b0b816cc1cd888f4ed4ef81570793"
-SRCREV_meta ?= "09424cee646626c04105f08455a58fabb27eff31"
+SRCREV_machine ?= "08229402523bdb153dceed0a7260180837396e7f"
+SRCREV_machine_qemuppc ?= "08229402523bdb153dceed0a7260180837396e7f"
+SRCREV_meta ?= "183622e8095545999a64bd72adedea2dffb6ec4b"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.14.git;bareclone=1;branch=${KBRANCH},meta;name=machine,meta"
 
-LINUX_VERSION ?= "3.14"
+LINUX_VERSION ?= "3.14.4"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 

meta/recipes-kernel/linux/linux-yocto-tiny_3.14.bb

@@ -4,12 +4,12 @@ KBRANCH = "standard/tiny/base"
 LINUX_KERNEL_TYPE = "tiny"
 KCONFIG_MODE = "--allnoconfig"
 
-LINUX_VERSION ?= "3.14"
+LINUX_VERSION ?= "3.14.4"
 
 KMETA = "meta"
 
-SRCREV_machine ?= "144595ef6215a0febfb8ee7d0c9e4eb2eaf93d61"
-SRCREV_meta ?= "09424cee646626c04105f08455a58fabb27eff31"
+SRCREV_machine ?= "cb22733185cd9db3e8945dadb899d9eb3831b9ad"
+SRCREV_meta ?= "183622e8095545999a64bd72adedea2dffb6ec4b"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 

meta/recipes-kernel/linux/linux-yocto_3.14.bb

@@ -10,18 +10,18 @@ KBRANCH_qemux86  = "standard/common-pc/base"
 KBRANCH_qemux86-64  = "standard/common-pc-64/base"
 KBRANCH_qemumips64 = "standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "d7a5330e50f78f63789b91cb9880b38633d33450"
-SRCREV_machine_qemumips ?= "38f344fcab8c0ee29f40edb92dd6612eff4579bf"
-SRCREV_machine_qemuppc ?= "b28241db34ab66f9e86718d8c94276d65d2457bb"
-SRCREV_machine_qemux86 ?= "f9048769cc178f2f64ed492a9a649827167d9a34"
-SRCREV_machine_qemux86-64 ?= "144595ef6215a0febfb8ee7d0c9e4eb2eaf93d61"
-SRCREV_machine_qemumips64 ?= "c4e08d47c5eb36ae056f2eab82a74c3638e72e06"
-SRCREV_machine ?= "144595ef6215a0febfb8ee7d0c9e4eb2eaf93d61"
-SRCREV_meta ?= "09424cee646626c04105f08455a58fabb27eff31"
+SRCREV_machine_qemuarm ?= "9882294294f307dc52c29e5dbb24d7f9a2f5a635"
+SRCREV_machine_qemumips ?= "94e2f8429bcc953cb0df499446b847ba67a0f334"
+SRCREV_machine_qemuppc ?= "2795a4d16724b41fbcd62c2f9f56c427d1ce3797"
+SRCREV_machine_qemux86 ?= "4aa41764bf8dba2044ff9fae806d61cac7cdd9de"
+SRCREV_machine_qemux86-64 ?= "cb22733185cd9db3e8945dadb899d9eb3831b9ad"
+SRCREV_machine_qemumips64 ?= "342ccacd4e28d1cc7e30277ee4ac6caa3086ff2f"
+SRCREV_machine ?= "cb22733185cd9db3e8945dadb899d9eb3831b9ad"
+SRCREV_meta ?= "183622e8095545999a64bd72adedea2dffb6ec4b"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.14.git;bareclone=1;branch=${KBRANCH},${KMETA};name=machine,meta"
 
-LINUX_VERSION ?= "3.14"
+LINUX_VERSION ?= "3.14.4"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 

meta/recipes-kernel/powertop/powertop_2.5.bb

@@ -14,8 +14,9 @@ SRC_URI[sha256sum] = "8b2c08a555d79e1c428863470c41cb023971d74ba4801d80a05e35adee
 inherit autotools gettext
 
 # we need to explicitly link with libintl in uClibc systems
-LDFLAGS += "${EXTRA_LDFLAGS}"
+EXTRA_LDFLAGS ?= ""
 EXTRA_LDFLAGS_libc-uclibc = "-lintl"
+LDFLAGS += "${EXTRA_LDFLAGS}"
 
 # we do not want libncursesw if we can
 do_configure_prepend() {

meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch

@@ -0,0 +1,47 @@
+libpng16: Fixed an overflow in png_combine_row with very wide interlaced
+
+Fixes CVE-2015-0973 (duplicate of CVE-2014-9495), a heap-based overflow 
+vulnerability in the png_combine_row() function of the libpng library, 
+when very large interlaced images were used. 
+
+Upstream patch:
+http://sourceforge.net/p/libpng/code/ci/dc294204b641373bc6eb603075a8b98f51a75dd8/
+
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff --git a/pngrutil.c b/pngrutil.c
+index e9fdd62..4c26be4 100644
+--- a/pngrutil.c
++++ b/pngrutil.c
+@@ -3003,7 +3003,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
+ {
+    unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
+    png_const_bytep sp = png_ptr->row_buf + 1;
+-   png_uint_32 row_width = png_ptr->width;
++   png_alloc_size_t row_width = png_ptr->width;
+    unsigned int pass = png_ptr->pass;
+    png_bytep end_ptr = 0;
+    png_byte end_byte = 0;
+@@ -3278,7 +3278,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
+ 
+             /* But don't allow this number to exceed the actual row width. */
+             if (bytes_to_copy > row_width)
+-               bytes_to_copy = row_width;
++               bytes_to_copy = (unsigned int)/*SAFE*/row_width;
+          }
+ 
+          else /* normal row; Adam7 only ever gives us one pixel to copy. */
+@@ -3458,7 +3458,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
+                   dp += bytes_to_jump;
+                   row_width -= bytes_to_jump;
+                   if (bytes_to_copy > row_width)
+-                     bytes_to_copy = row_width;
++                     bytes_to_copy = (unsigned int)/*SAFE*/row_width;
+                }
+          }
+ 
+-- 
+1.9.1
+

meta/recipes-multimedia/libpng/libpng_1.6.8.bb

@@ -10,6 +10,7 @@ LIBV = "16"
 
 SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/${PV}/libpng-${PV}.tar.xz \
            file://0001-configure-lower-automake-requirement.patch \
+           file://libpng16-CVE-2015-0973.patch \
           "
 
 SRC_URI[md5sum] = "51ce71a1642cdde1f4485a7ff82193c0"

meta/recipes-qt/qt4/qt4-4.8.5.inc

@@ -26,6 +26,7 @@ SRC_URI = "http://download.qt-project.org/archive/qt/4.8/${PV}/qt-everywhere-ope
            file://0024-Ensure-lastPixel.y-is-also-initalized-to-1-when-nece.patch \
            file://0025-Fix-misaligned-selection-region-with-text-when-cente.patch \
            file://0027-tools.pro-disable-qmeegographicssystemhelper.patch \
+           file://0028-Fix-a-division-by-zero-when-processing-malformed-BMP.patch \
            file://g++.conf \
            file://linux.conf \
            "

meta/recipes-qt/qt4/qt4-4.8.5/0028-Fix-a-division-by-zero-when-processing-malformed-BMP.patch

@@ -0,0 +1,44 @@
+From e50aa2252cdd5cb53eef7d8c4503c7edff634f68 Mon Sep 17 00:00:00 2001
+From: "Richard J. Moore" <rich@kde.org>
+Date: Tue, 24 Feb 2015 19:02:35 +0000
+Subject: [PATCH] Fix a division by zero when processing malformed BMP files.
+
+This fixes a division by 0 when processing a maliciously crafted BMP
+file. No impact beyond DoS.
+
+Backport of 661f6bfd032dacc62841037732816a583640e187
+
+Upstream-Status: Backport
+
+Task-number: QTBUG-44547
+Change-Id: I43f06e752b11cb50669101460902a82b885ae618
+Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
+Signed-off-by: Jonathan Liu <net147@gmail.com>
+---
+ src/gui/image/qbmphandler.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
+index b22e842..30fa9e0 100644
+--- a/src/gui/image/qbmphandler.cpp
++++ b/src/gui/image/qbmphandler.cpp
+@@ -319,10 +319,16 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+         }
+     } else if (comp == BMP_BITFIELDS && (nbits == 16 || nbits == 32)) {
+         red_shift = calc_shift(red_mask);
++        if (((red_mask >> red_shift) + 1) == 0)
++            return false;
+         red_scale = 256 / ((red_mask >> red_shift) + 1);
+         green_shift = calc_shift(green_mask);
++        if (((green_mask >> green_shift) + 1) == 0)
++            return false;
+         green_scale = 256 / ((green_mask >> green_shift) + 1);
+         blue_shift = calc_shift(blue_mask);
++        if (((blue_mask >> blue_shift) + 1) == 0)
++            return false;
+         blue_scale = 256 / ((blue_mask >> blue_shift) + 1);
+     } else if (comp == BMP_RGB && (nbits == 24 || nbits == 32)) {
+         blue_mask = 0x000000ff;
+-- 
+2.3.1
+

scripts/lib/bsp/substrate/target/arch/common/recipes-kernel/linux/{{ if kernel_choice == "custom": }} linux-yocto-custom.bb

@@ -31,9 +31,9 @@ inherit kernel
 require recipes-kernel/linux/linux-yocto.inc
 
 {{ if kernel_choice == "custom" and custom_kernel_remote == "y": }}
-SRC_URI = "{{=custom_kernel_remote_path}};protocol=git;bareclone=1"
+SRC_URI = "{{=custom_kernel_remote_path}};protocol=git;bareclone=1;branch=${KBRANCH}"
 {{ if kernel_choice == "custom" and custom_kernel_remote == "n": }}
-SRC_URI = "git://{{=custom_kernel_local_path}};protocol=file;bareclone=1"
+SRC_URI = "git://{{=custom_kernel_local_path}};protocol=file;bareclone=1;branch=${KBRANCH}"
 
 SRC_URI += "file://defconfig"
 

scripts/oe-pkgdata-util

@@ -28,7 +28,7 @@ import re
 import optparse
 from collections import defaultdict
 
-def glob(args, usage, debug=False):
+def glob(args, usage, debug=False, exclude=""):
     if len(args) < 3:
         usage()
         sys.exit(1)
@@ -45,7 +45,10 @@ def glob(args, usage, debug=False):
         print('ERROR: Unable to find package list file %s' % pkglist_file)
         sys.exit(1)
 
-    skipregex = re.compile("-locale-|^locale-base-|-dev$|-doc$|-dbg$|-staticdev$|^kernel-module-")
+    skipval = "-locale-|^locale-base-|-dev$|-doc$|-dbg$|-staticdev$|^kernel-module-"
+    if exclude:
+        skipval += "|" + exclude
+    skipregex = re.compile(skipval)
 
     mappedpkgs = set()
     with open(pkglist_file, 'r') as f:
@@ -305,6 +308,9 @@ Available commands:
     parser.add_option("-d", "--debug",
             help = "Report all SRCREV values, not just ones where AUTOREV has been used",
             action="store_true", dest="debug", default=False)
+    parser.add_option("-x", "--exclude",
+            help = "Exclude packages matching specified regex from the glob operation",
+            action="store", type="string", dest="exclude", default="")
 
     options, args = parser.parse_args(sys.argv)
     args = args[1:]
@@ -314,7 +320,7 @@ Available commands:
         sys.exit(1)
 
     if args[0] == "glob":
-        glob(args[1:], parser.print_help, options.debug)
+        glob(args[1:], parser.print_help, options.debug, options.exclude)
     elif args[0] == "lookup-pkg":
         lookup_pkg(args[1:], parser.print_help, options.debug)
     elif args[0] == "lookup-recipe":