build-appliance-image: Update to rocko head revision

(From OE-Core rev: 0d70ca998b3bdc18db6a5644f4ed8797fd0e7ddd)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

bitbake/lib/bb/providers.py

@@ -244,17 +244,17 @@ def _filterProviders(providers, item, cfgData, dataCache):
             pkg_pn[pn] = []
         pkg_pn[pn].append(p)
 
-    logger.debug(1, "providers for %s are: %s", item, list(pkg_pn.keys()))
+    logger.debug(1, "providers for %s are: %s", item, list(sorted(pkg_pn.keys())))
 
     # First add PREFERRED_VERSIONS
-    for pn in pkg_pn:
+    for pn in sorted(pkg_pn):
         sortpkg_pn[pn] = sortPriorities(pn, dataCache, pkg_pn)
         preferred_versions[pn] = findPreferredProvider(pn, cfgData, dataCache, sortpkg_pn[pn], item)
         if preferred_versions[pn][1]:
             eligible.append(preferred_versions[pn][1])
 
     # Now add latest versions
-    for pn in sortpkg_pn:
+    for pn in sorted(sortpkg_pn):
         if pn in preferred_versions and preferred_versions[pn][1]:
             continue
         preferred_versions[pn] = findLatestProvider(pn, cfgData, dataCache, sortpkg_pn[pn][0])

meta-poky/conf/distro/poky.conf

@@ -1,6 +1,6 @@
 DISTRO = "poky"
 DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
-DISTRO_VERSION = "2.4.2"
+DISTRO_VERSION = "2.4.3"
 DISTRO_CODENAME = "rocko"
 SDK_VENDOR = "-pokysdk"
 SDK_VERSION := "${@'${DISTRO_VERSION}'.replace('snapshot-${DATE}','snapshot')}"

meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.12.bbappend

@@ -7,11 +7,11 @@ KBRANCH_edgerouter = "standard/edgerouter"
 KBRANCH_beaglebone = "standard/beaglebone"
 KBRANCH_mpc8315e-rdb = "standard/fsl-mpc8315e-rdb"
 
-SRCREV_machine_genericx86    ?= "1c4ad569af3e23a77994235435040e322908687f"
-SRCREV_machine_genericx86-64 ?= "1c4ad569af3e23a77994235435040e322908687f"
-SRCREV_machine_edgerouter ?= "257f843ea367744620f1d92910afd2f454e31483"
-SRCREV_machine_beaglebone-yocto ?= "257f843ea367744620f1d92910afd2f454e31483"
-SRCREV_machine_mpc8315e-rdb ?= "014560874f9eb2a86138c9cc35046ff1720485e1"
+SRCREV_machine_genericx86    ?= "97e710ef0545c19d3c10bd81a61bdca9fe543b81"
+SRCREV_machine_genericx86-64 ?= "97e710ef0545c19d3c10bd81a61bdca9fe543b81"
+SRCREV_machine_edgerouter ?= "97e710ef0545c19d3c10bd81a61bdca9fe543b81"
+SRCREV_machine_beaglebone-yocto ?= "97e710ef0545c19d3c10bd81a61bdca9fe543b81"
+SRCREV_machine_mpc8315e-rdb ?= "55fcfbee2560f57a490c5724ac5b5cb49bacb01c"
 
 
 COMPATIBLE_MACHINE_genericx86 = "genericx86"
@@ -20,8 +20,8 @@ COMPATIBLE_MACHINE_edgerouter = "edgerouter"
 COMPATIBLE_MACHINE_beaglebone = "beaglebone"
 COMPATIBLE_MACHINE_mpc8315e-rdb = "mpc8315e-rdb"
 
-LINUX_VERSION_genericx86 = "4.12.20"
-LINUX_VERSION_genericx86-64 = "4.12.20"
-LINUX_VERSION_edgerouter = "4.12.19"
-LINUX_VERSION_beaglebone-yocto = "4.12.19"
-LINUX_VERSION_mpc8315e-rdb = "4.12.19"
+LINUX_VERSION_genericx86 = "4.12.21"
+LINUX_VERSION_genericx86-64 = "4.12.21"
+LINUX_VERSION_edgerouter = "4.12.21"
+LINUX_VERSION_beaglebone-yocto = "4.12.21"
+LINUX_VERSION_mpc8315e-rdb = "4.12.21"

meta-yocto-bsp/wic/beaglebone.wks

@@ -2,5 +2,5 @@
 # long-description: Creates a partitioned SD card image for Beaglebone.
 # Boot files are located in the first vfat partition.
 
-part /boot --source bootimg-partition --ondisk mmcblk --fstype=vfat --label boot --active --align 4 --size 16
+part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label boot --active --align 4 --size 16
 part / --source rootfs --ondisk mmcblk --fstype=ext4 --label root --align 4

meta/classes/gio-module-cache.bbclass

@@ -9,6 +9,7 @@ if [ "x$D" != "x" ]; then
             mlprefix=${MLPREFIX} \
             binprefix=${MLPREFIX} \
             libdir=${libdir} \
+            libexecdir=${libexecdir} \
             base_libdir=${base_libdir} \
             bindir=${bindir}
 else

meta/classes/kernel-arch.bbclass

@@ -25,6 +25,8 @@ def map_kernel_arch(a, d):
     elif re.match('armeb$', a):                 return 'arm'
     elif re.match('aarch64$', a):               return 'arm64'
     elif re.match('aarch64_be$', a):            return 'arm64'
+    elif re.match('aarch64_ilp32$', a):         return 'arm64'
+    elif re.match('aarch64_be_ilp32$', a):      return 'arm64'
     elif re.match('mips(isa|)(32|64|)(r6|)(el|)$', a):      return 'mips'
     elif re.match('p(pc|owerpc)(|64)', a):      return 'powerpc'
     elif re.match('sh(3|4)$', a):               return 'sh'

meta/classes/logging.bbclass

@@ -86,7 +86,7 @@ bbdebug() {
 	
 	# Strip off the debug level and ensure it is an integer
 	DBGLVL=$1; shift
-	NONDIGITS=$(echo "$DBGLVL" | tr -d [:digit:])
+	NONDIGITS=$(echo "$DBGLVL" | tr -d "[:digit:]")
 	if [ "$NONDIGITS" ]; then
 		bbfatal "$USAGE"
 	fi

meta/classes/mirrors.bbclass

@@ -67,7 +67,7 @@ ${CPAN_MIRROR}  http://search.cpan.org/CPAN/ \n \
 # where git native protocol fetches may fail due to local firewall rules, etc.
 
 MIRRORS += "\
-git://anonscm.debian.org/.*   git://anonscm.debian.org/git/PATH;protocol=https \n \
+git://salsa.debian.org/.*     git://salsa.debian.org/PATH;protocol=https \n \
 git://git.gnome.org/.*        git://git.gnome.org/browse/PATH;protocol=https \n \
 git://git.savannah.gnu.org/.* git://git.savannah.gnu.org/git/PATH;protocol=https \n \
 git://git.yoctoproject.org/.* git://git.yoctoproject.org/git/PATH;protocol=https \n \

meta/classes/package.bbclass

@@ -901,7 +901,7 @@ python split_and_strip_files () {
     # 16 - kernel module
     def isELF(path):
         type = 0
-        ret, result = oe.utils.getstatusoutput("file \"%s\"" % path.replace("\"", "\\\""))
+        ret, result = oe.utils.getstatusoutput("file -b '%s'" % path)
 
         if ret:
             msg = "split_and_strip_files: 'file %s' failed" % path

meta/classes/package_rpm.bbclass

@@ -665,7 +665,7 @@ python do_package_rpm () {
     cmd = rpmbuild
     cmd = cmd + " --noclean --nodeps --short-circuit --target " + pkgarch + " --buildroot " + pkgd
     cmd = cmd + " --define '_topdir " + workdir + "' --define '_rpmdir " + pkgwritedir + "'"
-    cmd = cmd + " --define '_builddir " + d.getVar('S') + "'"
+    cmd = cmd + " --define '_builddir " + d.getVar('B') + "'"
     cmd = cmd + " --define '_build_name_fmt %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm'"
     cmd = cmd + " --define '_use_internal_dependency_generator 0'"
     cmd = cmd + " --define '_binaries_in_noarch_packages_terminate_build 0'"

meta/classes/populate_sdk_base.bbclass

@@ -20,6 +20,9 @@ def complementary_globs(featurevar, d):
 SDKIMAGE_FEATURES ??= "dev-pkgs dbg-pkgs ${@bb.utils.contains('DISTRO_FEATURES', 'api-documentation', 'doc-pkgs', '', d)}"
 SDKIMAGE_INSTALL_COMPLEMENTARY = '${@complementary_globs("SDKIMAGE_FEATURES", d)}'
 
+# List of locales to install, or "all" for all of them, or unset for none.
+SDKIMAGE_LINGUAS ?= "all"
+
 inherit rootfs_${IMAGE_PKGTYPE}
 
 SDK_DIR = "${WORKDIR}/sdk"
@@ -39,7 +42,8 @@ TOOLCHAIN_TARGET_TASK_ATTEMPTONLY ?= ""
 TOOLCHAIN_OUTPUTNAME ?= "${SDK_NAME}-toolchain-${SDK_VERSION}"
 
 SDK_RDEPENDS = "${TOOLCHAIN_TARGET_TASK} ${TOOLCHAIN_HOST_TASK}"
-SDK_DEPENDS = "virtual/fakeroot-native pixz-native"
+SDK_DEPENDS = "virtual/fakeroot-native pixz-native cross-localedef-native"
+SDK_DEPENDS_append_libc-glibc = " nativesdk-glibc-locale"
 
 # We want the MULTIARCH_TARGET_SYS to point to the TUNE_PKGARCH, not PACKAGE_ARCH as it
 # could be set to the MACHINE_ARCH

meta/classes/populate_sdk_ext.bbclass

@@ -657,7 +657,8 @@ fakeroot python do_populate_sdk_ext() {
     d.setVar('SDK_REQUIRED_UTILITIES', get_sdk_required_utilities(buildtools_fn, d))
     d.setVar('SDK_BUILDTOOLS_INSTALLER', buildtools_fn)
     d.setVar('SDKDEPLOYDIR', '${SDKEXTDEPLOYDIR}')
-
+    # ESDKs have a libc from the buildtools so ensure we don't ship linguas twice
+    d.delVar('SDKIMAGE_LINGUAS')
     populate_sdk_common(d)
 }
 

meta/classes/uninative.bbclass

@@ -8,6 +8,9 @@ UNINATIVE_TARBALL ?= "${BUILD_ARCH}-nativesdk-libc.tar.bz2"
 #UNINATIVE_CHECKSUM[x86_64] = "dead"
 UNINATIVE_DLDIR ?= "${DL_DIR}/uninative/"
 
+# Enabling uninative will change the following variables so they need to go the parsing white list to prevent multiple recipe parsing
+BB_HASHCONFIG_WHITELIST += "NATIVELSBSTRING SSTATEPOSTUNPACKFUNCS BUILD_LDFLAGS"
+
 addhandler uninative_event_fetchloader
 uninative_event_fetchloader[eventmask] = "bb.event.BuildStarted"
 
@@ -77,6 +80,11 @@ python uninative_event_fetchloader() {
                 except FileExistsError:
                     pass
 
+        # ldd output is "ldd (Ubuntu GLIBC 2.23-0ubuntu10) 2.23", extract last option from first line
+        glibcver = subprocess.check_output(["ldd", "--version"]).decode('utf-8').split('\n')[0].split()[-1]
+        if bb.utils.vercmp_string(d.getVar("UNINATIVE_MAXGLIBCVERSION"), glibcver) < 0:
+            raise RuntimeError("Your host glibc verson (%s) is newer than that in uninative (%s). Disabling uninative so that sstate is not corrupted." % (glibcver, d.getVar("UNINATIVE_MAXGLIBCVERSION")))
+
         cmd = d.expand("\
 mkdir -p ${UNINATIVE_STAGING_DIR}-uninative; \
 cd ${UNINATIVE_STAGING_DIR}-uninative; \
@@ -94,6 +102,8 @@ ${UNINATIVE_STAGING_DIR}-uninative/relocate_sdk.py \
 
         enable_uninative(d)
 
+    except RuntimeError as e:
+        bb.warn(str(e))
     except bb.fetch2.BBFetchException as exc:
         bb.warn("Disabling uninative as unable to fetch uninative tarball: %s" % str(exc))
         bb.warn("To build your own uninative loader, please bitbake uninative-tarball and set UNINATIVE_TARBALL appropriately.")
@@ -119,6 +129,9 @@ def enable_uninative(d):
         d.setVar("NATIVELSBSTRING", "universal%s" % oe.utils.host_gcc_version(d))
         d.appendVar("SSTATEPOSTUNPACKFUNCS", " uninative_changeinterp")
         d.appendVarFlag("SSTATEPOSTUNPACKFUNCS", "vardepvalueexclude", "| uninative_changeinterp")
+        d.appendVar("BUILD_LDFLAGS", " -Wl,--allow-shlib-undefined -Wl,--dynamic-linker=${UNINATIVE_LOADER}")
+        d.appendVarFlag("BUILD_LDFLAGS", "vardepvalueexclude", "| -Wl,--allow-shlib-undefined -Wl,--dynamic-linker=${UNINATIVE_LOADER}")
+        d.appendVarFlag("BUILD_LDFLAGS", "vardepsexclude", "UNINATIVE_LOADER")
         d.prependVar("PATH", "${STAGING_DIR}-uninative/${BUILD_ARCH}-linux${bindir_native}:")
 
 python uninative_changeinterp () {

meta/classes/update-rc.d.bbclass

@@ -91,7 +91,8 @@ python populate_packages_updatercd () {
             return
         statement = "grep -q -w '/etc/init.d/functions' %s" % path
         if subprocess.call(statement, shell=True) == 0:
-            d.appendVar('RDEPENDS_' + pkg, ' initd-functions')
+            mlprefix = d.getVar('MLPREFIX') or ""
+            d.appendVar('RDEPENDS_' + pkg, ' %sinitd-functions' % (mlprefix))
 
     def update_rcd_package(pkg):
         bb.debug(1, 'adding update-rc.d calls to preinst/postinst/prerm/postrm for %s' % pkg)

meta/classes/waf.bbclass

@@ -25,23 +25,8 @@ def get_waf_parallel_make(d):
 
     return ""
 
-python waf_preconfigure() {
-    from distutils.version import StrictVersion
-    srcsubdir = d.getVar('S')
-    wafbin = os.path.join(srcsubdir, 'waf')
-    status, result = oe.utils.getstatusoutput(wafbin + " --version")
-    if status != 0:
-        bb.warn("Unable to execute waf --version, exit code %d. Assuming waf version without bindir/libdir support." % status)
-        return
-    version = result.split()[1]
-    if StrictVersion(version) >= StrictVersion("1.8.7"):
-        d.setVar("WAF_EXTRA_CONF", "--bindir=${bindir} --libdir=${libdir}")
-}
-
-do_configure[prefuncs] += "waf_preconfigure"
-
 waf_do_configure() {
-	${S}/waf configure --prefix=${prefix} ${WAF_EXTRA_CONF} ${EXTRA_OECONF}
+	${S}/waf configure --prefix=${prefix} ${EXTRA_OECONF}
 }
 
 waf_do_compile()  {

meta/conf/bitbake.conf

@@ -473,7 +473,7 @@ HOSTTOOLS_DIR = "${TMPDIR}/hosttools"
 
 # Tools needed to run builds with OE-Core
 HOSTTOOLS += " \
-    [ ar as awk basename bash bzip2 cat chgrp chmod chown chrpath cmp cp cpio \
+    [ ar as awk basename bash bzip2 cat chgrp chmod chown chrpath cmp comm cp cpio \
     cpp cut date dd diff diffstat dirname du echo egrep env expand expr false \
     fgrep file find flock g++ gawk gcc getconf getopt git grep gunzip gzip \
     head hostname id install ld ldd ln ls make makeinfo md5sum mkdir mknod \
@@ -536,6 +536,7 @@ export MAKE = "make"
 EXTRA_OEMAKE = ""
 EXTRA_OECONF = ""
 export LC_ALL = "en_US.UTF-8"
+export TZ = 'UTC'
 
 ##################################################################
 # Patch handling.

meta/conf/distro/include/default-distrovars.inc

@@ -8,6 +8,7 @@ IMAGE_LINGUAS ?= "en-us en-gb"
 ENABLE_BINARY_LOCALE_GENERATION ?= "1"
 LOCALE_UTF8_ONLY ?= "0"
 LOCALE_UTF8_IS_DEFAULT ?= "1"
+LOCALE_UTF8_IS_DEFAULT_class-nativesdk = "0"
 
 DISTRO_FEATURES_DEFAULT ?= "acl alsa argp bluetooth ext2 irda largefile pcmcia usbgadget usbhost wifi xattr nfs zeroconf pci 3g nfc x11"
 DISTRO_FEATURES_LIBC_DEFAULT ?= "ipv4 ipv6 libc-backtrace libc-big-macros libc-bsd libc-cxx-tests libc-catgets libc-charsets libc-crypt \

meta/conf/distro/include/maintainers.inc

@@ -88,6 +88,7 @@ RECIPE_MAINTAINER_pn-build-sysroots = "Richard Purdie <richard.purdie@linuxfound
 RECIPE_MAINTAINER_pn-builder = "Cristian Iorga <cristian.iorga@intel.com>"
 RECIPE_MAINTAINER_pn-buildtools-tarball = "Cristian Iorga <cristian.iorga@intel.com>"
 RECIPE_MAINTAINER_pn-busybox = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-busybox-inittab = "Denys Dmytriyenko <denys@ti.com>"
 RECIPE_MAINTAINER_pn-byacc = "Chen Qi <Qi.Chen@windriver.com>"
 RECIPE_MAINTAINER_pn-bzip2 = "Denys Dmytriyenko <denys@ti.com>"
 RECIPE_MAINTAINER_pn-ca-certificates = "Alexander Kanavin <alexander.kanavin@intel.com>"

meta/conf/distro/include/world-broken.inc

@@ -5,10 +5,6 @@
 # rt-tests needs PI mutex support in libc
 EXCLUDE_FROM_WORLD_pn-rt-tests_libc-musl = "1"
 
-# error: no member named 'sin_port' in 'struct sockaddr_in6'
-# this is due to libtirpc using ipv6 but portmap rpc expecting ipv4
-EXCLUDE_FROM_WORLD_pn-unfs3_libc-musl = "1"
-
 # error: use of undeclared identifier '_STAT_VER'
 EXCLUDE_FROM_WORLD_pn-pseudo_libc-musl = "1"
 

meta/conf/distro/include/yocto-uninative.inc

@@ -6,6 +6,8 @@
 # to the distro running on the build machine.
 #
 
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/1.7/"
-UNINATIVE_CHECKSUM[i686] ?= "d7c341460035936c19d63fe02f354ef1bc993c62d694ae3a31458d1c6997f0c5"
-UNINATIVE_CHECKSUM[x86_64] ?= "ed033c868b87852b07957a4400f3b744c00aef5d6470346ea1a59b6d3e03075e"
+UNINATIVE_MAXGLIBCVERSION = "2.27"
+
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/1.9/"
+UNINATIVE_CHECKSUM[i686] ?= "83a4f927da81d9889ef0cbe5c12cb782e21c6cc11e6155600b94ff0c99576dce"
+UNINATIVE_CHECKSUM[x86_64] ?= "c26622a1f27dbf5b25de986b11584b5c5b2f322d9eb367f705a744f58a5561ec"

meta/conf/layer.conf

@@ -21,6 +21,7 @@ COREBASE = '${@os.path.normpath("${LAYERDIR}/../")}'
 # opkg-utils is for update-alternatives :(
 SIGGEN_EXCLUDERECIPES_ABISAFE += " \
   sysvinit-inittab \
+  busybox-inittab \
   shadow-securetty \
   opkg-arch-config \
   netbase \

meta/lib/oe/package.py

@@ -72,8 +72,7 @@ def strip_execs(pn, dstdir, strip_cmd, libdir, base_libdir, qa_already_stripped=
     # 16 - kernel module
     def is_elf(path):
         exec_type = 0
-        ret, result = oe.utils.getstatusoutput(
-            "file \"%s\"" % path.replace("\"", "\\\""))
+        ret, result = oe.utils.getstatusoutput("file -b '%s'" % path)
 
         if ret:
             bb.error("split_and_strip_files: 'file %s' failed" % path)

meta/lib/oe/package_manager.py

@@ -370,6 +370,29 @@ class PackageManager(object, metaclass=ABCMeta):
     def insert_feeds_uris(self, feed_uris, feed_base_paths, feed_archs):
         pass
 
+    """
+    Install all packages that match a glob.
+    """
+    def install_glob(self, globs, sdk=False):
+        # TODO don't have sdk here but have a property on the superclass
+        # (and respect in install_complementary)
+        if sdk:
+            pkgdatadir = self.d.expand("${TMPDIR}/pkgdata/${SDK_SYS}")
+        else:
+            pkgdatadir = self.d.getVar("PKGDATA_DIR")
+
+        try:
+            bb.note("Installing globbed packages...")
+            cmd = ["oe-pkgdata-util", "-p", pkgdatadir, "list-pkgs", globs]
+            pkgs = subprocess.check_output(cmd, stderr=subprocess.STDOUT).decode("utf-8")
+            self.install(pkgs.split(), attempt_only=True)
+        except subprocess.CalledProcessError as e:
+            # Return code 1 means no packages matched
+            if e.returncode != 1:
+                bb.fatal("Could not compute globbed packages list. Command "
+                         "'%s' returned %d:\n%s" %
+                         (' '.join(cmd), e.returncode, e.output.decode("utf-8")))
+
     """
     Install complementary packages based upon the list of currently installed
     packages e.g. locales, *-dev, *-dbg, etc. This will only attempt to install
@@ -402,7 +425,7 @@ class PackageManager(object, metaclass=ABCMeta):
             installed_pkgs.write(output)
             installed_pkgs.flush()
 
-            cmd = [bb.utils.which(os.getenv('PATH'), "oe-pkgdata-util"),
+            cmd = ["oe-pkgdata-util",
                    "-p", self.d.getVar('PKGDATA_DIR'), "glob", installed_pkgs.name,
                    globs]
             exclude = self.d.getVar('PACKAGE_EXCLUDE_COMPLEMENTARY')
@@ -412,11 +435,11 @@ class PackageManager(object, metaclass=ABCMeta):
                 bb.note("Installing complementary packages ...")
                 bb.note('Running %s' % cmd)
                 complementary_pkgs = subprocess.check_output(cmd, stderr=subprocess.STDOUT).decode("utf-8")
+                self.install(complementary_pkgs.split(), attempt_only=True)
             except subprocess.CalledProcessError as e:
                 bb.fatal("Could not compute complementary packages list. Command "
                          "'%s' returned %d:\n%s" %
                          (' '.join(cmd), e.returncode, e.output.decode("utf-8")))
-            self.install(complementary_pkgs.split(), attempt_only=True)
 
     def deploy_dir_lock(self):
         if self.deploy_dir is None:
@@ -554,7 +577,7 @@ class RpmPM(PackageManager):
             gpg_opts += 'repo_gpgcheck=1\n'
             gpg_opts += 'gpgkey=file://%s/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-%s-%s\n' % (self.d.getVar('sysconfdir'), self.d.getVar('DISTRO'), self.d.getVar('DISTRO_CODENAME'))
 
-        if self.d.getVar('RPM_SIGN_PACKAGES') == '0':
+        if self.d.getVar('RPM_SIGN_PACKAGES') != '1':
             gpg_opts += 'gpgcheck=0\n'
 
         bb.utils.mkdirhier(oe.path.join(self.target_rootfs, "etc", "yum.repos.d"))
@@ -1066,7 +1089,7 @@ class OpkgPM(OpkgDpkgPM):
             output = subprocess.check_output(cmd.split(), stderr=subprocess.STDOUT).decode("utf-8")
             bb.note(output)
         except subprocess.CalledProcessError as e:
-            (bb.fatal, bb.note)[attempt_only]("Unable to install packages. "
+            (bb.fatal, bb.warn)[attempt_only]("Unable to install packages. "
                                               "Command '%s' returned %d:\n%s" %
                                               (cmd, e.returncode, e.output.decode("utf-8")))
 
@@ -1365,7 +1388,7 @@ class DpkgPM(OpkgDpkgPM):
             bb.note("Installing the following packages: %s" % ' '.join(pkgs))
             subprocess.check_output(cmd.split(), stderr=subprocess.STDOUT)
         except subprocess.CalledProcessError as e:
-            (bb.fatal, bb.note)[attempt_only]("Unable to install packages. "
+            (bb.fatal, bb.warn)[attempt_only]("Unable to install packages. "
                                               "Command '%s' returned %d:\n%s" %
                                               (cmd, e.returncode, e.output.decode("utf-8")))
 

meta/lib/oe/sdk.py

@@ -7,6 +7,51 @@ import shutil
 import glob
 import traceback
 
+def generate_locale_archive(d, rootfs):
+    # Pretty sure we don't need this for SDK archive generation but
+    # keeping it to be safe...
+    target_arch = d.getVar('SDK_ARCH')
+    locale_arch_options = { \
+        "arm": ["--uint32-align=4", "--little-endian"],
+        "armeb": ["--uint32-align=4", "--big-endian"],
+        "aarch64": ["--uint32-align=4", "--little-endian"],
+        "aarch64_be": ["--uint32-align=4", "--big-endian"],
+        "sh4": ["--uint32-align=4", "--big-endian"],
+        "powerpc": ["--uint32-align=4", "--big-endian"],
+        "powerpc64": ["--uint32-align=4", "--big-endian"],
+        "mips": ["--uint32-align=4", "--big-endian"],
+        "mipsisa32r6": ["--uint32-align=4", "--big-endian"],
+        "mips64": ["--uint32-align=4", "--big-endian"],
+        "mipsisa64r6": ["--uint32-align=4", "--big-endian"],
+        "mipsel": ["--uint32-align=4", "--little-endian"],
+        "mipsisa32r6el": ["--uint32-align=4", "--little-endian"],
+        "mips64el": ["--uint32-align=4", "--little-endian"],
+        "mipsisa64r6el": ["--uint32-align=4", "--little-endian"],
+        "i586": ["--uint32-align=4", "--little-endian"],
+        "i686": ["--uint32-align=4", "--little-endian"],
+        "x86_64": ["--uint32-align=4", "--little-endian"]
+    }
+    if target_arch in locale_arch_options:
+        arch_options = locale_arch_options[target_arch]
+    else:
+        bb.error("locale_arch_options not found for target_arch=" + target_arch)
+        bb.fatal("unknown arch:" + target_arch + " for locale_arch_options")
+
+    localedir = oe.path.join(rootfs, d.getVar("libdir_nativesdk"), "locale")
+    # Need to set this so cross-localedef knows where the archive is
+    env = dict(os.environ)
+    env["LOCALEARCHIVE"] = oe.path.join(localedir, "locale-archive")
+
+    for name in os.listdir(localedir):
+        path = os.path.join(localedir, name)
+        if os.path.isdir(path):
+            try:
+                cmd = ["cross-localedef", "--verbose"]
+                cmd += arch_options
+                cmd += ["--add-to-archive", path]
+                subprocess.check_output(cmd, env=env, stderr=subprocess.STDOUT)
+            except Exception as e:
+                bb.fatal("Cannot create locale archive: %s" % e.output)
 
 class Sdk(object, metaclass=ABCMeta):
     def __init__(self, d, manifest_dir):
@@ -84,6 +129,30 @@ class Sdk(object, metaclass=ABCMeta):
             bb.debug(1, "printing the stack trace\n %s" %traceback.format_exc())
             bb.warn("cannot remove SDK dir: %s" % path)
 
+    def install_locales(self, pm):
+        # This is only relevant for glibc
+        if self.d.getVar("TCLIBC") != "glibc":
+            return
+
+        linguas = self.d.getVar("SDKIMAGE_LINGUAS")
+        if linguas:
+            import fnmatch
+            # Install the binary locales
+            if linguas == "all":
+                pm.install_glob("nativesdk-glibc-binary-localedata-*.utf-8", sdk=True)
+            else:
+                for lang in linguas.split():
+                    pm.install("nativesdk-glibc-binary-localedata-%s.utf-8" % lang)
+            # Generate a locale archive of them
+            generate_locale_archive(self.d, oe.path.join(self.sdk_host_sysroot, self.sdk_native_path))
+            # And now delete the binary locales
+            pkgs = fnmatch.filter(pm.list_installed(), "nativesdk-glibc-binary-localedata-*.utf-8")
+            pm.remove(pkgs)
+        else:
+            # No linguas so do nothing
+            pass
+
+
 class RpmSdk(Sdk):
     def __init__(self, d, manifest_dir=None, rpm_workdir="oe-sdk-repo"):
         super(RpmSdk, self).__init__(d, manifest_dir)
@@ -166,6 +235,7 @@ class RpmSdk(Sdk):
 
         bb.note("Installing NATIVESDK packages")
         self._populate_sysroot(self.host_pm, self.host_manifest)
+        self.install_locales(self.host_pm)
 
         execute_pre_post_process(self.d, self.d.getVar("POPULATE_SDK_POST_HOST_COMMAND"))
 
@@ -249,6 +319,7 @@ class OpkgSdk(Sdk):
 
         bb.note("Installing NATIVESDK packages")
         self._populate_sysroot(self.host_pm, self.host_manifest)
+        self.install_locales(self.host_pm)
 
         execute_pre_post_process(self.d, self.d.getVar("POPULATE_SDK_POST_HOST_COMMAND"))
 
@@ -335,6 +406,7 @@ class DpkgSdk(Sdk):
 
         bb.note("Installing NATIVESDK packages")
         self._populate_sysroot(self.host_pm, self.host_manifest)
+        self.install_locales(self.host_pm)
 
         execute_pre_post_process(self.d, self.d.getVar("POPULATE_SDK_POST_HOST_COMMAND"))
 

meta/recipes-bsp/grub/grub-efi_2.02.bb

@@ -3,7 +3,7 @@ require grub2.inc
 GRUBPLATFORM = "efi"
 
 DEPENDS_append_class-target = " grub-efi-native"
-RDEPENDS_${PN}_class-target = "diffutils freetype"
+RDEPENDS_${PN}_class-target = "diffutils freetype grub-common"
 
 SRC_URI += " \
            file://cfg \
@@ -41,7 +41,9 @@ do_install_class-native() {
 	install -m 755 grub-mkimage ${D}${bindir}
 }
 
-do_install_append_class-target() {
+do_install_class-target() {
+    oe_runmake 'DESTDIR=${D}' -C grub-core install
+
     # Remove build host references...
     find "${D}" -name modinfo.sh -type f -exec \
         sed -i \
@@ -69,8 +71,7 @@ do_deploy_class-native() {
 
 addtask deploy after do_install before do_build
 
-FILES_${PN} += "${libdir}/grub/${GRUB_TARGET}-efi \
-                ${datadir}/grub \
+FILES_${PN} = "${libdir}/grub/${GRUB_TARGET}-efi \
                 "
 
 # 64-bit binaries are expected for the bootloader with an x32 userland

meta/recipes-bsp/grub/grub2.inc

@@ -67,12 +67,4 @@ do_configure_prepend() {
 	${S}/autogen.sh )
 }
 
-# grub and grub-efi's sysroot/${datadir}/grub/grub-mkconfig_lib are
-# conflicted, remove it since no one uses it.
-SYSROOT_DIRS_BLACKLIST += "${datadir}/grub/grub-mkconfig_lib"
-
-PACKAGES =+ "${PN}-editenv"
-
-FILES_${PN}-editenv = "${bindir}/grub-editenv"
-RDEPENDS_${PN} += "${PN}-editenv"
 RDEPENDS_${PN}_class-native = ""

meta/recipes-bsp/grub/grub_2.02.bb

@@ -1,6 +1,18 @@
 require grub2.inc
 
-RDEPENDS_${PN} += "diffutils freetype"
+RDEPENDS_${PN}-common += "${PN}-editenv"
+RDEPENDS_${PN} += "diffutils freetype ${PN}-common"
+
+RPROVIDES_${PN}-editenv += "${PN}-efi-editenv"
+
+PACKAGES =+ "${PN}-editenv ${PN}-common"
+FILES_${PN}-editenv = "${bindir}/grub-editenv"
+FILES_${PN}-common = " \
+    ${bindir} \
+    ${sysconfdir} \
+    ${sbindir} \
+    ${datadir}/grub \
+"
 
 do_install_append () {
     install -d ${D}${sysconfdir}/grub.d

meta/recipes-connectivity/dhcp/dhcp/CVE-2017-3144.patch

@@ -0,0 +1,74 @@
+From 8cfdedee369c26d2869b6ec4a64460b5f5a30934 Mon Sep 17 00:00:00 2001
+From: Thomas Markwalder <tmark@isc.org>
+Date: Thu, 7 Dec 2017 11:39:30 -0500
+Subject: [PATCH] [v4_3] Plugs a socket descriptor leak in OMAPI
+
+        Merges in rt46767.
+
+Upstream-Status: Backport
+[https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commitdiff;h=5097bc0559f592683faac1f67bf350e1bddf6ed4]
+
+CVE: CVE-2017-3144
+
+Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ RELNOTES         | 7 +++++++
+ omapip/buffer.c  | 9 +++++++++
+ omapip/message.c | 2 +-
+ 3 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/RELNOTES b/RELNOTES
+index dd40aaf..3741b80 100644
+--- a/RELNOTES
++++ b/RELNOTES
+@@ -66,6 +66,13 @@ We welcome comments from DHCP users, about this or anything else we do.
+ Email Vicky Risk, Product Manager at vicky@isc.org or discuss on 
+ dhcp-users@lists.isc.org.
+ 
++- Plugged a socket descriptor leak in OMAPI, that can occur when there is
++  data pending to be written to an OMAPI connection, when the connection
++  is closed by the reader.  Thanks to Pavel Zhukov at RedHat for bringing
++  this issue to our attention and whose patch helped guide us in the right
++  direction.
++  [ISc-Bugs #46767]
++
+ 			Changes since 4.3.6b1
+ 
+ - None
+diff --git a/omapip/buffer.c b/omapip/buffer.c
+index f7fdc32..809034d 100644
+--- a/omapip/buffer.c
++++ b/omapip/buffer.c
+@@ -566,6 +566,15 @@ isc_result_t omapi_connection_writer (omapi_object_t *h)
+ 			omapi_buffer_dereference (&buffer, MDL);
+ 		}
+ 	}
++
++	/* If we had data left to write when we're told to disconnect,
++	* we need recall disconnect, now that we're done writing.
++	* See rt46767. */
++	if (c->out_bytes == 0 && c->state == omapi_connection_disconnecting) {
++		omapi_disconnect (h, 1);
++		return ISC_R_SHUTTINGDOWN;
++	}
++
+ 	return ISC_R_SUCCESS;
+ }
+ 
+diff --git a/omapip/message.c b/omapip/message.c
+index 59ccdc2..21bcfc3 100644
+--- a/omapip/message.c
++++ b/omapip/message.c
+@@ -339,7 +339,7 @@ isc_result_t omapi_message_unregister (omapi_object_t *mo)
+ }
+ 
+ #ifdef DEBUG_PROTOCOL
+-static const char *omapi_message_op_name(int op) {
++const char *omapi_message_op_name(int op) {
+ 	switch (op) {
+ 	case OMAPI_OP_OPEN:    return "OMAPI_OP_OPEN";
+ 	case OMAPI_OP_REFRESH: return "OMAPI_OP_REFRESH";
+-- 
+2.7.4
+

meta/recipes-connectivity/dhcp/dhcp_4.3.6.bb

@@ -12,6 +12,7 @@ SRC_URI += "file://0001-define-macro-_PATH_DHCPD_CONF-and-_PATH_DHCLIENT_CON.pat
             file://0010-build-shared-libs.patch \
             file://0011-Moved-the-call-to-isc_app_ctxstart-to-not-get-signal.patch \
             file://0012-dhcp-correct-the-intention-for-xml2-lib-search.patch \
+            file://CVE-2017-3144.patch \
            "
 
 SRC_URI[md5sum] = "afa6e9b3eb7539ea048421a82c668adc"

meta/recipes-connectivity/openssl/openssl-1.0.2n/openssl-1.0.2a-x32-asm.patch

@@ -1,46 +0,0 @@
-https://rt.openssl.org/Ticket/Display.html?id=3759&user=guest&pass=guest
-
-From 6257d59b3a68d2feb9d64317a1c556dc3813ee61 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Sat, 21 Mar 2015 06:01:25 -0400
-Subject: [PATCH] crypto: use bigint in x86-64 perl
-
-Upstream-Status: Pending
-Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
-
-When building on x32 systems where the default type is 32bit, make sure
-we can transparently represent 64bit integers.  Otherwise we end up with
-build errors like:
-/usr/bin/perl asm/ghash-x86_64.pl elf > ghash-x86_64.s
-Integer overflow in hexadecimal number at asm/../../perlasm/x86_64-xlate.pl line 201, <> line 890.
-...
-ghash-x86_64.s: Assembler messages:
-ghash-x86_64.s:890: Error: junk '.15473355479995e+19' after expression
-
-We don't enable this globally as there are some cases where we'd get
-32bit values interpreted as unsigned when we need them as signed.
-
-Reported-by: Bertrand Jacquin <bertrand@jacquin.bzh>
-URL: https://bugs.gentoo.org/542618
----
- crypto/perlasm/x86_64-xlate.pl | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/crypto/perlasm/x86_64-xlate.pl b/crypto/perlasm/x86_64-xlate.pl
-index aae8288..0bf9774 100755
---- a/crypto/perlasm/x86_64-xlate.pl
-+++ b/crypto/perlasm/x86_64-xlate.pl
-@@ -195,6 +195,10 @@ my %globals;
-     sub out {
-     	my $self = shift;
- 
-+	# When building on x32 ABIs, the expanded hex value might be too
-+	# big to fit into 32bits.  Enable transparent 64bit support here
-+	# so we can safely print it out.
-+	use bigint;
- 	if ($gas) {
- 	    # Solaris /usr/ccs/bin/as can't handle multiplications
- 	    # in $self->{value}
--- 
-2.3.3
-

meta/recipes-connectivity/openssl/openssl-1.0.2o/debian/c_rehash-compat.patch

@@ -5,10 +5,10 @@ Subject: [PATCH] also create old hash for compatibility
 
 Upstream-Status: Backport [debian]
 
-diff --git a/tools/c_rehash.in b/tools/c_rehash.in
-index b086ff9..b777d79 100644
---- a/tools/c_rehash.in
-+++ b/tools/c_rehash.in
+Index: openssl-1.0.2n/tools/c_rehash.in
+===================================================================
+--- openssl-1.0.2n.orig/tools/c_rehash.in
++++ openssl-1.0.2n/tools/c_rehash.in
 @@ -8,8 +8,6 @@ my $prefix;
  
  my $openssl = $ENV{OPENSSL} || "openssl";
@@ -48,7 +48,7 @@ index b086ff9..b777d79 100644
  		$fname =~ s/'/'\\''/g;
  		my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
  		chomp $hash;
-@@ -176,11 +174,21 @@ sub link_hash_cert {
+@@ -177,10 +175,20 @@ sub link_hash_cert {
  		$hashlist{$hash} = $fprint;
  }
  

meta/recipes-connectivity/openssl/openssl-1.0.2o/debian/debian-targets.patch

@@ -1,12 +1,12 @@
 Upstream-Status: Backport [debian]
 
-Index: openssl-1.0.2/Configure
+Index: openssl-1.0.2n/Configure
 ===================================================================
---- openssl-1.0.2.orig/Configure
-+++ openssl-1.0.2/Configure
-@@ -107,6 +107,10 @@ my $gcc_devteam_warn = "-Wall -pedantic
- 
- my $clang_disabled_warnings = "-Wno-language-extension-token -Wno-extended-offsetof -Wno-padded -Wno-shorten-64-to-32 -Wno-format-nonliteral -Wno-missing-noreturn -Wno-unused-parameter -Wno-sign-conversion -Wno-unreachable-code -Wno-conversion -Wno-documentation -Wno-missing-variable-declarations -Wno-cast-align -Wno-incompatible-pointer-types-discards-qualifiers -Wno-missing-variable-declarations -Wno-missing-field-initializers -Wno-unused-macros -Wno-disabled-macro-expansion -Wno-conditional-uninitialized -Wno-switch-enum";
+--- openssl-1.0.2n.orig/Configure
++++ openssl-1.0.2n/Configure
+@@ -133,6 +133,10 @@ my $clang_devteam_warn = "-Wno-unused-pa
+ # Warn that "make depend" should be run?
+ my $warn_make_depend = 0;
  
 +# There are no separate CFLAGS/CPPFLAGS/LDFLAGS, set everything in CFLAGS
 +my $debian_cflags = `dpkg-buildflags --get CFLAGS` . `dpkg-buildflags --get CPPFLAGS` . `dpkg-buildflags --get LDFLAGS` . "-Wa,--noexecstack -Wall";
@@ -15,7 +15,7 @@ Index: openssl-1.0.2/Configure
  my $strict_warnings = 0;
  
  my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL";
-@@ -343,6 +347,55 @@ my %table=(
+@@ -369,6 +373,55 @@ my %table=(
  "osf1-alpha-cc",  "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so",
  "tru64-alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared::-msym:.so",
  

meta/recipes-connectivity/openssl/openssl-1.0.2o/reproducible-cflags.patch

@@ -0,0 +1,20 @@
+Allow passing custom c-flags to mkbuildinf.pl in order to pass
+flags without any build host references
+
+Upstream-Status: Inappropriate [OE specific]
+
+Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
+
+--- Makefile	2018-03-06 14:50:18.342138147 -0800
++++ Makefile	2018-03-06 15:24:04.794239071 -0800
+--- a/crypto/Makefile
++++ b/crypto/Makefile
+@@ -55,7 +55,7 @@
+ all: shared
+ 
+ buildinf.h: ../Makefile
+-	$(PERL) $(TOP)/util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)" >buildinf.h
++	$(PERL) $(TOP)/util/mkbuildinf.pl "$(CC_INFO)" "$(PLATFORM)" >buildinf.h
+ 
+ x86cpuid.s:	x86cpuid.pl perlasm/x86asm.pl
+ 	$(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@

meta/recipes-connectivity/openssl/openssl-1.0.2o/reproducible-mkbuildinf.patch

@@ -0,0 +1,21 @@
+If SOURCE_DATE_EPOCH is present in the environment, use it as build date.
+Also make sure to use UTC time.
+
+Upstream-Status: Backport [ https://github.com/openssl/openssl/blob/master/util/mkbuildinf.pl ]
+
+Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
+
+--- mkbuildinf.pl	2018-03-06 14:20:09.438048058 -0800
++++ mkbuildinf.pl	2018-03-06 14:19:20.722045632 -0800
+--- a/util/mkbuildinf.pl
++++ b/util/mkbuildinf.pl
+@@ -3,7 +3,8 @@
+ my ($cflags, $platform) = @ARGV;
+ 
+ $cflags = "compiler: $cflags";
+-$date = localtime();
++my $date = gmtime($ENV{'SOURCE_DATE_EPOCH'} || time()) . " UTC";
++
+ print <<"END_OUTPUT";
+ #ifndef MK1MF_BUILD
+     /* auto-generated by util/mkbuildinf.pl for crypto/cversion.c */

meta/recipes-connectivity/openssl/openssl/0001-Remove-test-that-requires-running-as-non-root.patch

@@ -1,49 +0,0 @@
-From 3fdb1e2a16ea405c6731447a8994f222808ef7e6 Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin <alex.kanavin@gmail.com>
-Date: Fri, 7 Apr 2017 18:01:52 +0300
-Subject: [PATCH] Remove test that requires running as non-root
-
-Upstream-Status: Inappropriate [oe-core specific]
-Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
----
- test/recipes/40-test_rehash.t | 17 +----------------
- 1 file changed, 1 insertion(+), 16 deletions(-)
-
-diff --git a/test/recipes/40-test_rehash.t b/test/recipes/40-test_rehash.t
-index f902c23..c7567c1 100644
---- a/test/recipes/40-test_rehash.t
-+++ b/test/recipes/40-test_rehash.t
-@@ -23,7 +23,7 @@ setup("test_rehash");
- plan skip_all => "test_rehash is not available on this platform"
-     unless run(app(["openssl", "rehash", "-help"]));
- 
--plan tests => 5;
-+plan tests => 3;
- 
- indir "rehash.$$" => sub {
-     prepare();
-@@ -42,21 +42,6 @@ indir "rehash.$$" => sub {
-        'Testing rehash operations on empty directory');
- }, create => 1, cleanup => 1;
- 
--indir "rehash.$$" => sub {
--    prepare();
--    chmod 0500, curdir();
--  SKIP: {
--      if (!ok(!open(FOO, ">unwritable.txt"),
--              "Testing that we aren't running as a privileged user, such as root")) {
--          close FOO;
--          skip "It's pointless to run the next test as root", 1;
--      }
--      isnt(run(app(["openssl", "rehash", curdir()])), 1,
--           'Testing rehash operations on readonly directory');
--    }
--    chmod 0700, curdir();       # make it writable again, so cleanup works
--}, create => 1, cleanup => 1;
--
- sub prepare {
-     my @pemsourcefiles = sort glob(srctop_file('test', "*.pem"));
-     my @destfiles = ();
--- 
-2.11.0
-

meta/recipes-connectivity/openssl/openssl/0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch

@@ -1,88 +0,0 @@
-From bcc096a50811bf0f0c4fd34b2993fed7a7015972 Mon Sep 17 00:00:00 2001
-From: Andy Polyakov <appro@openssl.org>
-Date: Fri, 3 Nov 2017 23:30:01 +0100
-Subject: [PATCH] aes/asm/{aes-armv4|bsaes-armv7}.pl: make it work with
- binutils-2.29.
-
-It's not clear if it's a feature or bug, but binutils-2.29[.1]
-interprets 'adr' instruction with Thumb2 code reference differently,
-in a way that affects calculation of addresses of constants' tables.
-
-Upstream-Status: Backport
-
-Reviewed-by: Tim Hudson <tjh@openssl.org>
-Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
-Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
-(Merged from https://github.com/openssl/openssl/pull/4669)
-
-(cherry picked from commit b82acc3c1a7f304c9df31841753a0fa76b5b3cda)
----
- crypto/aes/asm/aes-armv4.pl   | 6 +++---
- crypto/aes/asm/bsaes-armv7.pl | 6 +++---
- 2 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/crypto/aes/asm/aes-armv4.pl b/crypto/aes/asm/aes-armv4.pl
-index 16d79aae53..c6474b8aad 100644
---- a/crypto/aes/asm/aes-armv4.pl
-+++ b/crypto/aes/asm/aes-armv4.pl
-@@ -200,7 +200,7 @@ AES_encrypt:
- #ifndef	__thumb2__
- 	sub	r3,pc,#8		@ AES_encrypt
- #else
--	adr	r3,AES_encrypt
-+	adr	r3,.
- #endif
- 	stmdb   sp!,{r1,r4-r12,lr}
- #ifdef	__APPLE__
-@@ -450,7 +450,7 @@ _armv4_AES_set_encrypt_key:
- #ifndef	__thumb2__
- 	sub	r3,pc,#8		@ AES_set_encrypt_key
- #else
--	adr	r3,AES_set_encrypt_key
-+	adr	r3,.
- #endif
- 	teq	r0,#0
- #ifdef	__thumb2__
-@@ -976,7 +976,7 @@ AES_decrypt:
- #ifndef	__thumb2__
- 	sub	r3,pc,#8		@ AES_decrypt
- #else
--	adr	r3,AES_decrypt
-+	adr	r3,.
- #endif
- 	stmdb   sp!,{r1,r4-r12,lr}
- #ifdef	__APPLE__
-diff --git a/crypto/aes/asm/bsaes-armv7.pl b/crypto/aes/asm/bsaes-armv7.pl
-index 9f288660ef..a27bb4a179 100644
---- a/crypto/aes/asm/bsaes-armv7.pl
-+++ b/crypto/aes/asm/bsaes-armv7.pl
-@@ -744,7 +744,7 @@ $code.=<<___;
- .type	_bsaes_decrypt8,%function
- .align	4
- _bsaes_decrypt8:
--	adr	$const,_bsaes_decrypt8
-+	adr	$const,.
- 	vldmia	$key!, {@XMM[9]}		@ round 0 key
- #ifdef	__APPLE__
- 	adr	$const,.LM0ISR
-@@ -843,7 +843,7 @@ _bsaes_const:
- .type	_bsaes_encrypt8,%function
- .align	4
- _bsaes_encrypt8:
--	adr	$const,_bsaes_encrypt8
-+	adr	$const,.
- 	vldmia	$key!, {@XMM[9]}		@ round 0 key
- #ifdef	__APPLE__
- 	adr	$const,.LM0SR
-@@ -951,7 +951,7 @@ $code.=<<___;
- .type	_bsaes_key_convert,%function
- .align	4
- _bsaes_key_convert:
--	adr	$const,_bsaes_key_convert
-+	adr	$const,.
- 	vld1.8	{@XMM[7]},  [$inp]!		@ load round 0 key
- #ifdef	__APPLE__
- 	adr	$const,.LM0
--- 
-2.15.0
-

meta/recipes-connectivity/openssl/openssl10.inc

@@ -151,11 +151,15 @@ do_configure () {
         if [ "x$useprefix" = "x" ]; then
                 useprefix=/
         fi        
-	perl ./Configure ${EXTRA_OECONF} shared --prefix=$useprefix --openssldir=${libdir}/ssl --libdir=`basename ${libdir}` $target
+	libdirleaf="$(echo ${libdir} | sed s:$useprefix::)"
+	perl ./Configure ${EXTRA_OECONF} shared --prefix=$useprefix --openssldir=${libdir}/ssl --libdir=${libdirleaf} $target
 }
 
 do_compile_prepend_class-target () {
     sed -i 's/\((OPENSSL=\)".*"/\1"openssl"/' Makefile
+    oe_runmake depend
+	cc_sanitized=`echo "${CC} ${CFLAG}" | sed -e 's,--sysroot=${STAGING_DIR_TARGET},,g' -e 's|${DEBUG_PREFIX_MAP}||g'`
+	oe_runmake CC_INFO="${cc_sanitized}"
 }
 
 do_compile () {

meta/recipes-connectivity/openssl/openssl_1.0.2o.bb

@@ -6,7 +6,7 @@ require openssl10.inc
 CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS"
 CFLAG_append_class-native = " -fPIC"
 
-LIC_FILES_CHKSUM = "file://LICENSE;md5=057d9218c6180e1d9ee407572b2dd225"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=f475368924827d06d4b416111c8bdb77"
 
 export DIRS = "crypto ssl apps engines"
 export OE_LDFLAGS="${LDFLAGS}"
@@ -34,7 +34,6 @@ SRC_URI += "file://find.pl;subdir=openssl-${PV}/util/ \
            file://openssl-fix-des.pod-error.patch \
            file://Makefiles-ptest.patch \
            file://ptest-deps.patch \
-           file://openssl-1.0.2a-x32-asm.patch \
            file://ptest_makefile_deps.patch \
            file://configure-musl-target.patch \
            file://parallel.patch \
@@ -43,8 +42,13 @@ SRC_URI += "file://find.pl;subdir=openssl-${PV}/util/ \
            file://0001-Fix-build-with-clang-using-external-assembler.patch \
            file://0001-openssl-force-soft-link-to-avoid-rare-race.patch \
            "
-SRC_URI[md5sum] = "13bdc1b1d1ff39b6fd42a255e74676a4"
-SRC_URI[sha256sum] = "370babb75f278c39e0c50e8c4e7493bc0f18db6867478341a832a982fd15a8fe"
+
+SRC_URI_append_class-target = "\
+           file://reproducible-cflags.patch \
+           file://reproducible-mkbuildinf.patch \
+           "
+SRC_URI[md5sum] = "44279b8557c3247cbe324e2322ecd114"
+SRC_URI[sha256sum] = "ec3f5c9714ba0fd45cb4e087301eb1336c317e0d20b575a125050470e8089e4d"
 
 PACKAGES =+ "${PN}-engines"
 FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"

meta/recipes-connectivity/openssl/openssl_1.1.0h.bb

@@ -6,20 +6,18 @@ SECTION = "libs/network"
 
 # "openssl | SSLeay" dual license
 LICENSE = "openssl"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=cae6da10f4ffd9703214776d2aabce32"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=d57d511030c9d66ef5f5966bee5a7eff"
 
 BBCLASSEXTEND = "native nativesdk"
 
-SRC_URI[md5sum] = "ba5f1b8b835b88cadbce9b35ed9531a6"
-SRC_URI[sha256sum] = "de4d501267da39310905cb6dc8c6121f7a2cad45a7707f76df828fe1b85073af"
+SRC_URI[md5sum] = "5271477e4d93f4ea032b665ef095ff24"
+SRC_URI[sha256sum] = "5835626cde9e99656585fc7aaa2302a73a7e1340bf8c14fd635a62c66802a517"
 
 SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://run-ptest \
            file://openssl-c_rehash.sh \
            file://0001-Take-linking-flags-from-LDFLAGS-env-var.patch \
-           file://0001-Remove-test-that-requires-running-as-non-root.patch \
-           file://0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch \
-          "
+           "
 
 S = "${WORKDIR}/openssl-${PV}"
 
@@ -110,7 +108,8 @@ do_configure () {
         if [ "x$useprefix" = "x" ]; then
                 useprefix=/
         fi
-	perl ./Configure ${EXTRA_OECONF} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=`basename ${libdir}` $target
+	libdirleaf="$(echo ${libdir} | sed s:$useprefix::)"
+	perl ./Configure ${EXTRA_OECONF} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdirleaf} $target
 }
 
 #| engines/afalg/e_afalg.c: In function 'eventfd':

meta/recipes-core/busybox/busybox-inittab_1.24.1.bb

@@ -0,0 +1,32 @@
+SUMMARY = "inittab configuration for BusyBox"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+
+SRC_URI = "file://inittab"
+
+S = "${WORKDIR}"
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+do_compile() {
+	:
+}
+
+do_install() {
+    install -d ${D}${sysconfdir}
+    install -D -m 0644 ${WORKDIR}/inittab ${D}${sysconfdir}/inittab
+    tmp="${SERIAL_CONSOLES}"
+    for i in $tmp
+    do
+            j=`echo ${i} | sed s/\;/\ /g`
+            id=`echo ${i} | sed -e 's/^.*;//' -e 's/;.*//'`
+            echo "$id::respawn:${base_sbindir}/getty ${j}" >> ${D}${sysconfdir}/inittab
+    done
+}
+
+# SERIAL_CONSOLES is generally defined by the MACHINE .conf.
+# Set PACKAGE_ARCH appropriately.
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+FILES_${PN} = "${sysconfdir}/inittab"
+CONFFILES_${PN} = "${sysconfdir}/inittab"

meta/recipes-core/busybox/busybox.inc

@@ -48,6 +48,8 @@ CONFFILES_${PN}-mdev = "${sysconfdir}/mdev.conf"
 
 RRECOMMENDS_${PN} = "${PN}-syslog ${PN}-udhcpc"
 
+RDEPENDS_${PN} = "${@["", "busybox-inittab"][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'busybox')]}"
+
 inherit cml1 systemd update-rc.d ptest
 
 # internal helper
@@ -292,16 +294,6 @@ do_install () {
                 install -D -m 0777 ${WORKDIR}/rcS ${D}${sysconfdir}/init.d/rcS
                 install -D -m 0777 ${WORKDIR}/rcK ${D}${sysconfdir}/init.d/rcK
                 install -D -m 0755 ${WORKDIR}/runlevel ${D}${base_sbindir}/runlevel
-                if grep "CONFIG_FEATURE_USE_INITTAB=y" ${B}/.config; then
-                        install -D -m 0777 ${WORKDIR}/inittab ${D}${sysconfdir}/inittab
-                        tmp="${SERIAL_CONSOLES}"
-                        for i in $tmp
-                        do
-                                j=`echo ${i} | sed s/\;/\ /g`
-                                id=`echo ${i} | sed -e 's/^.*;//' -e 's/;.*//'`
-                                echo "$id::respawn:${base_sbindir}/getty ${j}" >> ${D}${sysconfdir}/inittab
-                        done
-                fi
         fi
 
     if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then

meta/recipes-core/expat/expat.inc

@@ -9,7 +9,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \
            file://libtool-tag.patch \
 	  "
 
-SRC_URI_append_class-native = " file://no_getrandom.patch"
+SRC_URI[md5sum] = "789e297f547980fc9ecc036f9a070d49"
+SRC_URI[sha256sum] = "d9dc32efba7e74f788fcc4f212a43216fc37cf5f23f4c2339664d473353aedf6"
 
 inherit autotools lib_package
 

meta/recipes-core/expat/expat/no_getrandom.patch

@@ -1,23 +0,0 @@
-The native version of expat may be used on older systems which dont have glibc 2.25
-and hence don't have getrandom() thanks to uninative. Disable the libc call and
-use the syscall instead to avoid a compatibility issue until we have 2.25 everywhere
-we support with uninative.
-
-RP
-2017/8/14
-
-Upstream-Status: Inappropriate
-
-Index: expat-2.2.3/configure.ac
-===================================================================
---- expat-2.2.3.orig/configure.ac
-+++ expat-2.2.3/configure.ac
-@@ -151,7 +151,7 @@ AC_LINK_IFELSE([AC_LANG_SOURCE([
-   #include <stdlib.h>  /* for NULL */
-   #include <sys/random.h>
-   int main() {
--    return getrandom(NULL, 0U, 0U);
-+    return getrandomBREAKME(NULL, 0U, 0U);
-   }
- ])], [
-     AC_DEFINE([HAVE_GETRANDOM], [1],

meta/recipes-core/glibc/cross-localedef-native_2.26.bb

@@ -21,7 +21,7 @@ SRCBRANCH ?= "release/${PV}/master"
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+(\.\d+)*)"
 
-SRCREV_glibc ?= "1c9a5c270d8b66f30dcfaf1cb2d6cf39d3e18369"
+SRCREV_glibc ?= "d300041c533a3d837c9f37a099bcc95466860e98"
 SRCREV_localedef ?= "dfb4afe551c6c6e94f9cc85417bd1f582168c843"
 
 SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
@@ -35,6 +35,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0021-eglibc-Install-PIC-archives.patch \
            file://0022-eglibc-Forward-port-cross-locale-generation-support.patch \
            file://0023-Define-DUMMY_LOCALE_T-if-not-defined.patch \
+           file://archive-path.patch \
 "
 # Makes for a rather long rev (22 characters), but...
 #

meta/recipes-core/glibc/glibc-package.inc

@@ -113,15 +113,15 @@ do_install_append () {
 }
 
 do_install_append_aarch64 () {
-	if [ "${base_libdir}" != "/lib" ] ; then
+	if [ "${base_libdir}" != "${nonarch_base_libdir}" ]; then
 		# The aarch64 ABI says the dynamic linker -must- be /lib/ld-linux-aarch64[_be].so.1
-		install -d ${D}/lib
+		install -d ${D}${nonarch_base_libdir}
 		if [ -e ${D}${base_libdir}/ld-linux-aarch64.so.1 ]; then
-			ln -s ${@base_path_relative('/lib', '${base_libdir}')}/ld-linux-aarch64.so.1 \
-				${D}/lib/ld-linux-aarch64.so.1
+			ln -s ${@base_path_relative('${nonarch_base_libdir}', '${base_libdir}')}/ld-linux-aarch64.so.1 \
+				${D}${nonarch_base_libdir}/ld-linux-aarch64.so.1
 		elif [ -e ${D}${base_libdir}/ld-linux-aarch64_be.so.1 ]; then
-			ln -s ${@base_path_relative('/lib', '${base_libdir}')}/ld-linux-aarch64_be.so.1 \
-				${D}/lib/ld-linux-aarch64_be.so.1
+			ln -s ${@base_path_relative('${nonarch_base_libdir}', '${base_libdir}')}/ld-linux-aarch64_be.so.1 \
+				${D}${nonarch_base_libdir}/ld-linux-aarch64_be.so.1
 		fi
 	fi
 	do_install_armmultilib

meta/recipes-core/glibc/glibc/0029-bits-siginfo-consts.h-enum-definition-for-TRAP_HWBKP.patch

@@ -0,0 +1,69 @@
+From af3054b3856379d353a779801678f330e1b58c9a Mon Sep 17 00:00:00 2001
+Message-Id: <af3054b3856379d353a779801678f330e1b58c9a.1490183611.git.panand@redhat.com>
+From: Pratyush Anand <panand@redhat.com>
+Date: Wed, 22 Mar 2017 17:02:38 +0530
+Subject: [PATCH] bits/siginfo-consts.h: enum definition for TRAP_HWBKPT is missing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Compile following linux kernel test code with latest glibc:
+
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/tools/testing/selftests/breakpoints/breakpoint_test_arm64.c
+
+and we get following error:
+breakpoint_test_arm64.c: In function ‘run_test’:
+breakpoint_test_arm64.c:171:25: error: ‘TRAP_HWBKPT’ undeclared (first use in this function)
+  if (siginfo.si_code != TRAP_HWBKPT) {
+                         ^
+I can compile test code by modifying my local
+/usr/include/bits/siginfo.h and test works great. Therefore, this patch
+will be needed in upstream glibc so that issue is fixed there as well.
+
+Signed-off-by: Pratyush Anand <panand@redhat.com>
+
+Upstream-Status: Submitted [https://sourceware.org/bugzilla/show_bug.cgi?id=21286]
+---
+ bits/siginfo-consts.h                         | 6 +++++-
+ sysdeps/unix/sysv/linux/bits/siginfo-consts.h | 6 +++++-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/bits/siginfo-consts.h b/bits/siginfo-consts.h
+index a58ac4b..8448fac 100644
+--- a/bits/siginfo-consts.h
++++ b/bits/siginfo-consts.h
+@@ -106,8 +106,12 @@ enum
+ {
+   TRAP_BRKPT = 1,		/* Process breakpoint.  */
+ #  define TRAP_BRKPT	TRAP_BRKPT
+-  TRAP_TRACE			/* Process trace trap.  */
++  TRAP_TRACE,			/* Process trace trap.  */
+ #  define TRAP_TRACE	TRAP_TRACE
++  TRAP_BRANCH,			/* Process branch trap. */
++# define TRAP_BRANCH	TRAP_BRANCH
++  TRAP_HWBKPT			/* hardware breakpoint/watchpoint  */
++# define TRAP_HWBKPT	TRAP_HWBKPT
+ };
+ # endif
+ 
+diff --git a/sysdeps/unix/sysv/linux/bits/siginfo-consts.h b/sysdeps/unix/sysv/linux/bits/siginfo-consts.h
+index 525840c..57a9edb 100644
+--- a/sysdeps/unix/sysv/linux/bits/siginfo-consts.h
++++ b/sysdeps/unix/sysv/linux/bits/siginfo-consts.h
+@@ -137,8 +137,12 @@ enum
+ {
+   TRAP_BRKPT = 1,		/* Process breakpoint.  */
+ #  define TRAP_BRKPT	TRAP_BRKPT
+-  TRAP_TRACE			/* Process trace trap.  */
++  TRAP_TRACE,			/* Process trace trap.  */
+ #  define TRAP_TRACE	TRAP_TRACE
++  TRAP_BRANCH,			/* Process branch trap. */
++# define TRAP_BRANCH	TRAP_BRANCH
++  TRAP_HWBKPT			/* hardware breakpoint/watchpoint  */
++# define TRAP_HWBKPT	TRAP_HWBKPT
+ };
+ # endif
+ 
+-- 
+2.7.4
+

meta/recipes-core/glibc/glibc/CVE-2017-15671.patch

@@ -1,66 +0,0 @@
-From f1cf98b583787cfb6278baea46e286a0ee7567fd Mon Sep 17 00:00:00 2001
-From: Paul Eggert <eggert@cs.ucla.edu>
-Date: Sun, 22 Oct 2017 10:00:57 +0200
-Subject: [PATCH] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ
- #22332]
-
-(cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)
-
-Upstream-Status: Backport
-CVE: CVE-2017-15671
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- ChangeLog    | 6 ++++++
- NEWS         | 4 ++++
- posix/glob.c | 4 ++--
- 3 files changed, 12 insertions(+), 2 deletions(-)
-
-Index: git/NEWS
-===================================================================
---- git.orig/NEWS
-+++ git/NEWS
-@@ -211,6 +211,10 @@ Security related changes:
-   on the stack or the heap, depending on the length of the user name).
-   Reported by Tim Rühsen.
- 
-+  The glob function, when invoked with GLOB_TILDE and without
-+  GLOB_NOESCAPE, could write past the end of a buffer while
-+  unescaping user names.  Reported by Tim Rühsen.
-+
- The following bugs are resolved with this release:
- 
-   [984] network: Respond to changed resolv.conf in gethostbyname
-Index: git/posix/glob.c
-===================================================================
---- git.orig/posix/glob.c
-+++ git/posix/glob.c
-@@ -823,11 +823,11 @@ glob (const char *pattern, int flags, in
- 		  char *p = mempcpy (newp, dirname + 1,
- 				     unescape - dirname - 1);
- 		  char *q = unescape;
--		  while (*q != '\0')
-+		  while (q != end_name)
- 		    {
- 		      if (*q == '\\')
- 			{
--			  if (q[1] == '\0')
-+			  if (q + 1 == end_name)
- 			    {
- 			      /* "~fo\\o\\" unescape to user_name "foo\\",
- 				 but "~fo\\o\\/" unescape to user_name
-Index: git/ChangeLog
-===================================================================
---- git.orig/ChangeLog
-+++ git/ChangeLog
-@@ -1,5 +1,10 @@
-+
- 2017-10-20  Paul Eggert <eggert@cs.ucla.edu>
- 
-+       [BZ #22332]
-+       * posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE
-+       unescaping.
-+
-        [BZ #22320]
-        CVE-2017-15670
-        * posix/glob.c (__glob): Fix one-byte overflow.

meta/recipes-core/glibc/glibc/CVE-2017-16997.patch

@@ -1,150 +0,0 @@
-From 4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb Mon Sep 17 00:00:00 2001
-From: Aurelien Jarno <aurelien@aurel32.net>
-Date: Sat, 30 Dec 2017 10:54:23 +0100
-Subject: [PATCH] elf: Check for empty tokens before dynamic string token
- expansion [BZ #22625]
-
-The fillin_rpath function in elf/dl-load.c loops over each RPATH or
-RUNPATH tokens and interprets empty tokens as the current directory
-("./"). In practice the check for empty token is done *after* the
-dynamic string token expansion. The expansion process can return an
-empty string for the $ORIGIN token if __libc_enable_secure is set
-or if the path of the binary can not be determined (/proc not mounted).
-
-Fix that by moving the check for empty tokens before the dynamic string
-token expansion. In addition, check for NULL pointer or empty strings
-return by expand_dynamic_string_token.
-
-The above changes highlighted a bug in decompose_rpath, an empty array
-is represented by the first element being NULL at the fillin_rpath
-level, but by using a -1 pointer in decompose_rpath and other functions.
-
-Changelog:
-	[BZ #22625]
-	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
-	string token expansion. Check for NULL pointer or empty string possibly
-	returned by expand_dynamic_string_token.
-	(decompose_rpath): Check for empty path after dynamic string
-	token expansion.
-(cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)
-
-Upstream-Status: Backport
-CVE: CVE-2017-16997
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- ChangeLog     | 10 ++++++++++
- NEWS          |  4 ++++
- elf/dl-load.c | 49 +++++++++++++++++++++++++++++++++----------------
- 3 files changed, 47 insertions(+), 16 deletions(-)
-
-Index: git/NEWS
-===================================================================
---- git.orig/NEWS
-+++ git/NEWS
-@@ -215,6 +215,10 @@ Security related changes:
-   GLOB_NOESCAPE, could write past the end of a buffer while
-   unescaping user names.  Reported by Tim Rühsen.
- 
-+  CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
-+  for AT_SECURE or SUID binaries could be used to load libraries from the
-+  current directory.
-+
- The following bugs are resolved with this release:
- 
-   [984] network: Respond to changed resolv.conf in gethostbyname
-Index: git/elf/dl-load.c
-===================================================================
---- git.orig/elf/dl-load.c
-+++ git/elf/dl-load.c
-@@ -433,32 +433,41 @@ fillin_rpath (char *rpath, struct r_sear
- {
-   char *cp;
-   size_t nelems = 0;
--  char *to_free;
- 
-   while ((cp = __strsep (&rpath, sep)) != NULL)
-     {
-       struct r_search_path_elem *dirp;
-+      char *to_free = NULL;
-+      size_t len = 0;
- 
--      to_free = cp = expand_dynamic_string_token (l, cp, 1);
-+      /* `strsep' can pass an empty string.  */
-+      if (*cp != '\0')
-+	{
-+	  to_free = cp = expand_dynamic_string_token (l, cp, 1);
- 
--      size_t len = strlen (cp);
-+	  /* expand_dynamic_string_token can return NULL in case of empty
-+	     path or memory allocation failure.  */
-+	  if (cp == NULL)
-+	    continue;
-+
-+	  /* Compute the length after dynamic string token expansion and
-+	     ignore empty paths.  */
-+	  len = strlen (cp);
-+	  if (len == 0)
-+	    {
-+	      free (to_free);
-+	      continue;
-+	    }
- 
--      /* `strsep' can pass an empty string.  This has to be
--	 interpreted as `use the current directory'. */
--      if (len == 0)
--	{
--	  static const char curwd[] = "./";
--	  cp = (char *) curwd;
-+	  /* Remove trailing slashes (except for "/").  */
-+	  while (len > 1 && cp[len - 1] == '/')
-+	    --len;
-+
-+	  /* Now add one if there is none so far.  */
-+	  if (len > 0 && cp[len - 1] != '/')
-+	    cp[len++] = '/';
- 	}
- 
--      /* Remove trailing slashes (except for "/").  */
--      while (len > 1 && cp[len - 1] == '/')
--	--len;
--
--      /* Now add one if there is none so far.  */
--      if (len > 0 && cp[len - 1] != '/')
--	cp[len++] = '/';
--
-       /* Make sure we don't use untrusted directories if we run SUID.  */
-       if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
- 	{
-@@ -621,6 +630,14 @@ decompose_rpath (struct r_search_path_st
-      necessary.  */
-   free (copy);
- 
-+  /* There is no path after expansion.  */
-+  if (result[0] == NULL)
-+    {
-+      free (result);
-+      sps->dirs = (struct r_search_path_elem **) -1;
-+      return false;
-+    }
-+
-   sps->dirs = result;
-   /* The caller will change this value if we haven't used a real malloc.  */
-   sps->malloced = 1;
-Index: git/ChangeLog
-===================================================================
---- git.orig/ChangeLog
-+++ git/ChangeLog
-@@ -1,3 +1,12 @@
-+2017-12-30  Aurelien Jarno  <aurelien@aurel32.net>
-+           Dmitry V. Levin  <ldv@altlinux.org>
-+
-+       [BZ #22625]
-+       * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
-+       string token expansion. Check for NULL pointer or empty string possibly
-+       returned by expand_dynamic_string_token.
-+       (decompose_rpath): Check for empty path after dynamic string
-+       token expansion.
- 
- 2017-10-20  Paul Eggert <eggert@cs.ucla.edu>
- 

meta/recipes-core/glibc/glibc/CVE-2017-17426.patch

@@ -1,80 +0,0 @@
-From df8c219cb987cfe85c550efa693a1383a11e38aa Mon Sep 17 00:00:00 2001
-From: Arjun Shankar <arjun@redhat.com>
-Date: Thu, 30 Nov 2017 13:31:45 +0100
-Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ
- #22375]
-
-When the per-thread cache is enabled, __libc_malloc uses request2size (which
-does not perform an overflow check) to calculate the chunk size from the
-requested allocation size. This leads to an integer overflow causing malloc
-to incorrectly return the last successfully allocated block when called with
-a very large size argument (close to SIZE_MAX).
-
-This commit uses checked_request2size instead, removing the overflow.
-
-(cherry picked from commit 34697694e8a93b325b18f25f7dcded55d6baeaf6)
-
-Upstream-Status: Backport
-CVE: CVE-2017-17426
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- ChangeLog       | 7 +++++++
- NEWS            | 6 ++++++
- malloc/malloc.c | 3 ++-
- 3 files changed, 15 insertions(+), 1 deletion(-)
-
-Index: git/NEWS
-===================================================================
---- git.orig/NEWS
-+++ git/NEWS
-@@ -4,6 +4,8 @@ See the end for copying conditions.
- 
- Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
- using `glibc' in the "product" field.
-+
-+[22375] malloc returns pointer from tcache instead of NULL (CVE-2017-17426)
- 
- Version 2.26
- 
-@@ -215,6 +217,11 @@ Security related changes:
-   for AT_SECURE or SUID binaries could be used to load libraries from the
-   current directory.
- 
-+  CVE-2017-17426: The malloc function, when called with an object size near
-+  the value SIZE_MAX, would return a pointer to a buffer which is too small,
-+  instead of NULL.  This was a regression introduced with the new malloc
-+  thread cache in glibc 2.26.  Reported by Iain Buclaw.
-+
- The following bugs are resolved with this release:
- 
-   [984] network: Respond to changed resolv.conf in gethostbyname
-Index: git/malloc/malloc.c
-===================================================================
---- git.orig/malloc/malloc.c
-+++ git/malloc/malloc.c
-@@ -3050,7 +3050,8 @@ __libc_malloc (size_t bytes)
-     return (*hook)(bytes, RETURN_ADDRESS (0));
- #if USE_TCACHE
-   /* int_free also calls request2size, be careful to not pad twice.  */
--  size_t tbytes = request2size (bytes);
-+  size_t tbytes;
-+  checked_request2size (bytes, tbytes);
-   size_t tc_idx = csize2tidx (tbytes);
- 
-   MAYBE_INIT_TCACHE ();
-Index: git/ChangeLog
-===================================================================
---- git.orig/ChangeLog
-+++ git/ChangeLog
-@@ -1,3 +1,10 @@
-+2017-11-30  Arjun Shankar  <arjun@redhat.com>
-+
-+       [BZ #22375]
-+       CVE-2017-17426
-+       * malloc/malloc.c (__libc_malloc): Use checked_request2size
-+       instead of request2size.
-+
- 2017-12-30  Aurelien Jarno  <aurelien@aurel32.net>
-            Dmitry V. Levin  <ldv@altlinux.org>
- 

meta/recipes-core/glibc/glibc/archive-path.patch

@@ -0,0 +1,39 @@
+localedef --add-to-archive uses a hard-coded locale path which doesn't exist in
+normal use, and there's no way to pass an alternative filename.
+
+Add a fallback of $LOCALEARCHIVE from the environment, and allow creation of new locale archives that are not the system archive.
+
+Upstream-Status: Inappropriate (OE-specific)
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+diff --git a/locale/programs/locarchive.c b/locale/programs/locarchive.c
+index ca332a34..6b7ba9b2 100644
+--- a/locale/programs/locarchive.c
++++ b/locale/programs/locarchive.c
+@@ -569,10 +569,13 @@ open_archive (struct locarhandle *ah, bool readonly)
+   /* If ah has a non-NULL fname open that otherwise open the default.  */
+   if (archivefname == NULL)
+     {
+-      archivefname = default_fname;
+-      if (output_prefix)
+-        memcpy (default_fname, output_prefix, prefix_len);
+-      strcpy (default_fname + prefix_len, ARCHIVE_NAME);
++      archivefname = getenv("LOCALEARCHIVE");
++      if (archivefname == NULL) {
++              archivefname = default_fname;
++              if (output_prefix)
++                memcpy (default_fname, output_prefix, prefix_len);
++              strcpy (default_fname + prefix_len, ARCHIVE_NAME);
++      }
+     }
+ 
+   while (1)
+@@ -585,7 +588,7 @@ open_archive (struct locarhandle *ah, bool readonly)
+ 	     the default locale archive we ignore the failure and
+ 	     list an empty archive, otherwise we print an error
+ 	     and exit.  */
+-	  if (errno == ENOENT && archivefname == default_fname)
++	  if (errno == ENOENT)
+ 	    {
+ 	      if (readonly)
+ 		{

meta/recipes-core/glibc/glibc/relocate-locales.patch

@@ -0,0 +1,55 @@
+The glibc locale path is hard-coded to the install prefix, but in SDKs we need
+to be able to relocate the binaries.  Expand the strings to 4K and put them in a
+magic segment that we can relocate at install time.
+
+Upstream-Status: Inappropriate (OE-specific)
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+diff --git a/locale/findlocale.c b/locale/findlocale.c
+index 872cadb5..da14fa39 100644
+--- a/locale/findlocale.c
++++ b/locale/findlocale.c
+@@ -56,7 +56,7 @@ struct __locale_data *const _nl_C[] attribute_hidden =
+    which are somehow addressed.  */
+ struct loaded_l10nfile *_nl_locale_file_list[__LC_LAST];
+ 
+-const char _nl_default_locale_path[] attribute_hidden = COMPLOCALEDIR;
++char _nl_default_locale_path[4096] attribute_hidden __attribute__ ((section (".gccrelocprefix"))) = COMPLOCALEDIR;
+ 
+ /* Checks if the name is actually present, that is, not NULL and not
+    empty.  */
+@@ -167,7 +167,7 @@ _nl_find_locale (const char *locale_path, size_t locale_path_len,
+ 
+       /* Nothing in the archive.  Set the default path to search below.  */
+       locale_path = _nl_default_locale_path;
+-      locale_path_len = sizeof _nl_default_locale_path;
++      locale_path_len = strlen(locale_path) + 1;
+     }
+   else
+     /* We really have to load some data.  First see whether the name is
+diff --git a/locale/localeinfo.h b/locale/localeinfo.h
+index 68822a63..537bc351 100644
+--- a/locale/localeinfo.h
++++ b/locale/localeinfo.h
+@@ -325,7 +325,7 @@ _nl_lookup_word (locale_t l, int category, int item)
+ }
+ 
+ /* Default search path if no LOCPATH environment variable.  */
+-extern const char _nl_default_locale_path[] attribute_hidden;
++extern char _nl_default_locale_path[4096] attribute_hidden;
+ 
+ /* Load the locale data for CATEGORY from the file specified by *NAME.
+    If *NAME is "", use environment variables as specified by POSIX, and
+diff --git a/locale/loadarchive.c b/locale/loadarchive.c
+index 516d30d8..792b37fb 100644
+--- a/locale/loadarchive.c
++++ b/locale/loadarchive.c
+@@ -42,7 +43,7 @@
+ 
+ 
+ /* Name of the locale archive file.  */
+-static const char archfname[] = COMPLOCALEDIR "/locale-archive";
++static const char archfname[4096] __attribute__ ((section (".gccrelocprefix"))) = COMPLOCALEDIR "/locale-archive";
+ 
+ /* Size of initial mapping window, optimal if large enough to
+    cover the header plus the initial locale.  */

meta/recipes-core/glibc/glibc_2.26.bb

@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
 
 DEPENDS += "gperf-native bison-native"
 
-SRCREV ?= "1c9a5c270d8b66f30dcfaf1cb2d6cf39d3e18369"
+SRCREV ?= "d300041c533a3d837c9f37a099bcc95466860e98"
 
 SRCBRANCH ?= "release/${PV}/master"
 
@@ -40,14 +40,9 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0023-Define-DUMMY_LOCALE_T-if-not-defined.patch \
            file://0024-elf-dl-deps.c-Make-_dl_build_local_scope-breadth-fir.patch \
            file://0025-locale-fix-hard-coded-reference-to-gcc-E.patch \
-           file://0026-assert-Suppress-pedantic-warning-caused-by-statement.patch \
            file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \
            file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
-           file://CVE-2017-15670.patch \
-           file://CVE-2017-15671.patch \
-           file://0029-assert-Support-types-without-operator-int-BZ-21972.patch \
-           file://CVE-2017-16997.patch \
-           file://CVE-2017-17426.patch \
+           file://0029-bits-siginfo-consts.h-enum-definition-for-TRAP_HWBKP.patch \
 "
 
 NATIVESDKFIXES ?= ""
@@ -56,6 +51,7 @@ NATIVESDKFIXES_class-nativesdk = "\
            file://0002-nativesdk-glibc-Fix-buffer-overrun-with-a-relocated-.patch \
            file://0003-nativesdk-glibc-Raise-the-size-of-arrays-containing-.patch \
            file://0004-nativesdk-glibc-Allow-64-bit-atomics-for-x86.patch \
+           file://relocate-locales.patch \
 "
 
 S = "${WORKDIR}/git"
@@ -143,12 +139,6 @@ do_compile () {
 
 }
 
-# Use the host locale archive when built for nativesdk so that we don't need to
-# ship a complete (100MB) locale set.
-do_compile_prepend_class-nativesdk() {
-    echo "complocaledir=/usr/lib/locale" >> ${S}/configparms
-}
-
 require glibc-package.inc
 
 BBCLASSEXTEND = "nativesdk"

meta/recipes-core/images/build-appliance-image_15.0.0.bb

@@ -22,7 +22,7 @@ IMAGE_FSTYPES = "wic.vmdk"
 
 inherit core-image module-base setuptools3
 
-SRCREV ?= "a9588646fcec17e53199e1ea7e7b8dccf140817e"
+SRCREV ?= "78b61238f2a3eb18d97d31ac5d27bce9566438d2"
 SRC_URI = "git://git.yoctoproject.org/poky;branch=rocko \
            file://Yocto_Build_Appliance.vmx \
            file://Yocto_Build_Appliance.vmxf \

meta/recipes-core/libxml/libxml2/libxml-m4-use-pkgconfig.patch

@@ -183,7 +183,7 @@ index 68cd824..5fa0a9b 100644
 -          echo "*** If you have an old version installed, it is best to remove it, although"
 -          echo "*** you may also be able to get things to work by modifying LD_LIBRARY_PATH" ],
 -        [ echo "*** The test program failed to compile or link. See the file config.log for the"
--          echo "*** exact error that occured. This usually means LIBXML was incorrectly installed"
+-          echo "*** exact error that occurred. This usually means LIBXML was incorrectly installed"
 -          echo "*** or that you have moved LIBXML since it was installed. In the latter case, you"
 -          echo "*** may want to edit the xml2-config script: $XML2_CONFIG" ])
 -          CPPFLAGS="$ac_save_CPPFLAGS"

meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-4658.patch

@@ -1,269 +0,0 @@
-libxml2-2.9.4: Fix CVE-2016-4658
-
-[No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4658
-
-xpointer: Disallow namespace nodes in XPointer points and ranges
-
-Namespace nodes must be copied to avoid use-after-free errors.
-But they don't necessarily have a physical representation in a
-document, so simply disallow them in XPointer ranges.
-
-Upstream-Status: Backport
- - [https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b]
- - [https://git.gnome.org/browse/libxml2/commit/?id=3f8a91036d338e51c059d54397a42d645f019c65]
-CVE: CVE-2016-4658
-Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
-Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
-
-diff --git a/xpointer.c b/xpointer.c
-index 676c510..911680d 100644
---- a/xpointer.c
-+++ b/xpointer.c
-@@ -320,6 +320,45 @@ xmlXPtrRangesEqual(xmlXPathObjectPtr range1, xmlXPathObjectPtr range2) {
- }
- 
- /**
-+ * xmlXPtrNewRangeInternal:
-+ * @start:  the starting node
-+ * @startindex:  the start index
-+ * @end:  the ending point
-+ * @endindex:  the ending index
-+ *
-+ * Internal function to create a new xmlXPathObjectPtr of type range
-+ *
-+ * Returns the newly created object.
-+ */
-+static xmlXPathObjectPtr
-+xmlXPtrNewRangeInternal(xmlNodePtr start, int startindex,
-+                        xmlNodePtr end, int endindex) {
-+    xmlXPathObjectPtr ret;
-+
-+    /*
-+     * Namespace nodes must be copied (see xmlXPathNodeSetDupNs).
-+     * Disallow them for now.
-+     */
-+    if ((start != NULL) && (start->type == XML_NAMESPACE_DECL))
-+	return(NULL);
-+    if ((end != NULL) && (end->type == XML_NAMESPACE_DECL))
-+	return(NULL);
-+
-+    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
-+    if (ret == NULL) {
-+        xmlXPtrErrMemory("allocating range");
-+	return(NULL);
-+    }
-+    memset(ret, 0, sizeof(xmlXPathObject));
-+    ret->type = XPATH_RANGE;
-+    ret->user = start;
-+    ret->index = startindex;
-+    ret->user2 = end;
-+    ret->index2 = endindex;
-+    return(ret);
-+}
-+
-+/**
-  * xmlXPtrNewRange:
-  * @start:  the starting node
-  * @startindex:  the start index
-@@ -344,17 +383,7 @@ xmlXPtrNewRange(xmlNodePtr start, int startindex,
-     if (endindex < 0)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start;
--    ret->index = startindex;
--    ret->user2 = end;
--    ret->index2 = endindex;
-+    ret = xmlXPtrNewRangeInternal(start, startindex, end, endindex);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
-@@ -381,17 +410,8 @@ xmlXPtrNewRangePoints(xmlXPathObjectPtr start, xmlXPathObjectPtr end) {
-     if (end->type != XPATH_POINT)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start->user;
--    ret->index = start->index;
--    ret->user2 = end->user;
--    ret->index2 = end->index;
-+    ret = xmlXPtrNewRangeInternal(start->user, start->index, end->user,
-+				  end->index);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
-@@ -416,17 +436,7 @@ xmlXPtrNewRangePointNode(xmlXPathObjectPtr start, xmlNodePtr end) {
-     if (start->type != XPATH_POINT)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start->user;
--    ret->index = start->index;
--    ret->user2 = end;
--    ret->index2 = -1;
-+    ret = xmlXPtrNewRangeInternal(start->user, start->index, end, -1);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
-@@ -453,17 +463,7 @@ xmlXPtrNewRangeNodePoint(xmlNodePtr start, xmlXPathObjectPtr end) {
-     if (end->type != XPATH_POINT)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start;
--    ret->index = -1;
--    ret->user2 = end->user;
--    ret->index2 = end->index;
-+    ret = xmlXPtrNewRangeInternal(start, -1, end->user, end->index);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
-@@ -486,17 +486,7 @@ xmlXPtrNewRangeNodes(xmlNodePtr start, xmlNodePtr end) {
-     if (end == NULL)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start;
--    ret->index = -1;
--    ret->user2 = end;
--    ret->index2 = -1;
-+    ret = xmlXPtrNewRangeInternal(start, -1, end, -1);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
-@@ -516,17 +506,7 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
-     if (start == NULL)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start;
--    ret->index = -1;
--    ret->user2 = NULL;
--    ret->index2 = -1;
-+    ret = xmlXPtrNewRangeInternal(start, -1, NULL, -1);
-     return(ret);
- }
- 
-@@ -541,6 +521,8 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
-  */
- xmlXPathObjectPtr
- xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
-+    xmlNodePtr endNode;
-+    int endIndex;
-     xmlXPathObjectPtr ret;
- 
-     if (start == NULL)
-@@ -549,7 +531,12 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
- 	return(NULL);
-     switch (end->type) {
- 	case XPATH_POINT:
-+	    endNode = end->user;
-+	    endIndex = end->index;
-+	    break;
- 	case XPATH_RANGE:
-+	    endNode = end->user2;
-+	    endIndex = end->index2;
- 	    break;
- 	case XPATH_NODESET:
- 	    /*
-@@ -557,39 +544,15 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
- 	     */
- 	    if (end->nodesetval->nodeNr <= 0)
- 		return(NULL);
-+	    endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
-+	    endIndex = -1;
- 	    break;
- 	default:
- 	    /* TODO */
- 	    return(NULL);
-     }
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start;
--    ret->index = -1;
--    switch (end->type) {
--	case XPATH_POINT:
--	    ret->user2 = end->user;
--	    ret->index2 = end->index;
--	    break;
--	case XPATH_RANGE:
--	    ret->user2 = end->user2;
--	    ret->index2 = end->index2;
--	    break;
--	case XPATH_NODESET: {
--	    ret->user2 = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
--	    ret->index2 = -1;
--	    break;
--	}
--	default:
--	    STRANGE
--	    return(NULL);
--    }
-+    ret = xmlXPtrNewRangeInternal(start, -1, endNode, endIndex);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
-@@ -1835,8 +1798,8 @@ xmlXPtrStartPointFunction(xmlXPathParserContextPtr ctxt, int nargs) {
- 		case XPATH_RANGE: {
- 		    xmlNodePtr node = tmp->user;
- 		    if (node != NULL) {
--			if (node->type == XML_ATTRIBUTE_NODE) {
--			    /* TODO: Namespace Nodes ??? */
-+			if ((node->type == XML_ATTRIBUTE_NODE) ||
-+			     (node->type == XML_NAMESPACE_DECL)) {
- 			    xmlXPathFreeObject(obj);
- 			    xmlXPtrFreeLocationSet(newset);
- 			    XP_ERROR(XPTR_SYNTAX_ERROR);
-@@ -1931,8 +1894,8 @@ xmlXPtrEndPointFunction(xmlXPathParserContextPtr ctxt, int nargs) {
- 		case XPATH_RANGE: {
- 		    xmlNodePtr node = tmp->user2;
- 		    if (node != NULL) {
--			if (node->type == XML_ATTRIBUTE_NODE) {
--			    /* TODO: Namespace Nodes ??? */
-+			if ((node->type == XML_ATTRIBUTE_NODE) ||
-+			     (node->type == XML_NAMESPACE_DECL)) {
- 			    xmlXPathFreeObject(obj);
- 			    xmlXPtrFreeLocationSet(newset);
- 			    XP_ERROR(XPTR_SYNTAX_ERROR);

meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-5131.patch

@@ -1,180 +0,0 @@
-From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 28 Jun 2016 14:22:23 +0200
-Subject: [PATCH] Fix XPointer paths beginning with range-to
-
-The old code would invoke the broken xmlXPtrRangeToFunction. range-to
-isn't really a function but a special kind of location step. Remove
-this function and always handle range-to in the XPath code.
-
-The old xmlXPtrRangeToFunction could also be abused to trigger a
-use-after-free error with the potential for remote code execution.
-
-Found with afl-fuzz.
-
-Fixes CVE-2016-5131.
-
-CVE: CVE-2016-5131
-Upstream-Status: Backport
-https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
-
-Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
----
- result/XPath/xptr/vidbase | 13 ++++++++
- test/XPath/xptr/vidbase   |  1 +
- xpath.c                   |  7 ++++-
- xpointer.c                | 76 ++++-------------------------------------------
- 4 files changed, 26 insertions(+), 71 deletions(-)
-
-diff --git a/result/XPath/xptr/vidbase b/result/XPath/xptr/vidbase
-index 8b9e92d..f19193e 100644
---- a/result/XPath/xptr/vidbase
-+++ b/result/XPath/xptr/vidbase
-@@ -17,3 +17,16 @@ Object is a Location Set:
-   To node
-     ELEMENT p
- 
-+
-+========================
-+Expression: xpointer(range-to(id('chapter2')))
-+Object is a Location Set:
-+1 :   Object is a range :
-+  From node
-+     /
-+  To node
-+    ELEMENT chapter
-+      ATTRIBUTE id
-+        TEXT
-+          content=chapter2
-+
-diff --git a/test/XPath/xptr/vidbase b/test/XPath/xptr/vidbase
-index b146383..884b106 100644
---- a/test/XPath/xptr/vidbase
-+++ b/test/XPath/xptr/vidbase
-@@ -1,2 +1,3 @@
- xpointer(id('chapter1')/p)
- xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2]))
-+xpointer(range-to(id('chapter2')))
-diff --git a/xpath.c b/xpath.c
-index d992841..5a01b1b 100644
---- a/xpath.c
-+++ b/xpath.c
-@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) {
- 		    lc = 1;
- 		    break;
- 		} else if ((NXT(len) == '(')) {
--		    /* Note Type or Function */
-+		    /* Node Type or Function */
- 		    if (xmlXPathIsNodeType(name)) {
- #ifdef DEBUG_STEP
- 		        xmlGenericError(xmlGenericErrorContext,
- 				"PathExpr: Type search\n");
- #endif
- 			lc = 1;
-+#ifdef LIBXML_XPTR_ENABLED
-+                    } else if (ctxt->xptr &&
-+                               xmlStrEqual(name, BAD_CAST "range-to")) {
-+                        lc = 1;
-+#endif
- 		    } else {
- #ifdef DEBUG_STEP
- 		        xmlGenericError(xmlGenericErrorContext,
-diff --git a/xpointer.c b/xpointer.c
-index 676c510..d74174a 100644
---- a/xpointer.c
-+++ b/xpointer.c
-@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) {
-     ret->here = here;
-     ret->origin = origin;
- 
--    xmlXPathRegisterFunc(ret, (xmlChar *)"range-to",
--	                 xmlXPtrRangeToFunction);
-     xmlXPathRegisterFunc(ret, (xmlChar *)"range",
- 	                 xmlXPtrRangeFunction);
-     xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside",
-@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) {
-  * @nargs:  the number of args
-  *
-  * Implement the range-to() XPointer function
-+ *
-+ * Obsolete. range-to is not a real function but a special type of location
-+ * step which is handled in xpath.c.
-  */
- void
--xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) {
--    xmlXPathObjectPtr range;
--    const xmlChar *cur;
--    xmlXPathObjectPtr res, obj;
--    xmlXPathObjectPtr tmp;
--    xmlLocationSetPtr newset = NULL;
--    xmlNodeSetPtr oldset;
--    int i;
--
--    if (ctxt == NULL) return;
--    CHECK_ARITY(1);
--    /*
--     * Save the expression pointer since we will have to evaluate
--     * it multiple times. Initialize the new set.
--     */
--    CHECK_TYPE(XPATH_NODESET);
--    obj = valuePop(ctxt);
--    oldset = obj->nodesetval;
--    ctxt->context->node = NULL;
--
--    cur = ctxt->cur;
--    newset = xmlXPtrLocationSetCreate(NULL);
--
--    for (i = 0; i < oldset->nodeNr; i++) {
--	ctxt->cur = cur;
--
--	/*
--	 * Run the evaluation with a node list made of a single item
--	 * in the nodeset.
--	 */
--	ctxt->context->node = oldset->nodeTab[i];
--	tmp = xmlXPathNewNodeSet(ctxt->context->node);
--	valuePush(ctxt, tmp);
--
--	xmlXPathEvalExpr(ctxt);
--	CHECK_ERROR;
--
--	/*
--	 * The result of the evaluation need to be tested to
--	 * decided whether the filter succeeded or not
--	 */
--	res = valuePop(ctxt);
--	range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res);
--	if (range != NULL) {
--	    xmlXPtrLocationSetAdd(newset, range);
--	}
--
--	/*
--	 * Cleanup
--	 */
--	if (res != NULL)
--	    xmlXPathFreeObject(res);
--	if (ctxt->value == tmp) {
--	    res = valuePop(ctxt);
--	    xmlXPathFreeObject(res);
--	}
--
--	ctxt->context->node = NULL;
--    }
--
--    /*
--     * The result is used as the new evaluation set.
--     */
--    xmlXPathFreeObject(obj);
--    ctxt->context->node = NULL;
--    ctxt->context->contextSize = -1;
--    ctxt->context->proximityPosition = -1;
--    valuePush(ctxt, xmlXPtrWrapLocationSet(newset));
-+xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt,
-+                       int nargs ATTRIBUTE_UNUSED) {
-+    XP_ERROR(XPATH_EXPR_ERROR);
- }
- 
- /**
--- 
-2.7.4
-

meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-0663.patch

@@ -1,40 +0,0 @@
-libxml2: Fix CVE-2017-0663
-
-[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=780228
-
-valid: Fix type confusion in xmlValidateOneNamespace
-
-Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types
-on namespace declarations make no practical sense anyway.
-
-Fixes bug 780228
-
-Upstream-Status: Backport [https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66]
-CVE: CVE-2017-0663
-Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
-
-diff --git a/valid.c b/valid.c
-index 19f84b8..e03d35e 100644
---- a/valid.c
-+++ b/valid.c
-@@ -4621,6 +4621,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
- 	}
-     }
- 
-+    /*
-+     * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
-+     * xmlAddID and xmlAddRef for namespace declarations, but it makes
-+     * no practical sense to use ID types anyway.
-+     */
-+#if 0
-     /* Validity Constraint: ID uniqueness */
-     if (attrDecl->atype == XML_ATTRIBUTE_ID) {
-         if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
-@@ -4632,6 +4638,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
-         if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
- 	    ret = 0;
-     }
-+#endif
- 
-     /* Validity Constraint: Notation Attributes */
-     if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {

meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch

@@ -1,62 +0,0 @@
-libxml2-2.9.4: Fix CVE-2017-5969
-
-[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=758422
-
-valid: Fix NULL pointer deref in xmlDumpElementContent
-
-Can only be triggered in recovery mode.
-
-Fixes bug 758422
-
-Upstream-Status: Backport - [https://git.gnome.org/browse/libxml2/commit/?id=94691dc884d1a8ada39f073408b4bb92fe7fe882]
-CVE: CVE-2017-5969
-Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
-
-diff --git a/valid.c b/valid.c
-index 19f84b8..0a8e58a 100644
---- a/valid.c
-+++ b/valid.c
-@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
- 	    xmlBufferWriteCHAR(buf, content->name);
- 	    break;
- 	case XML_ELEMENT_CONTENT_SEQ:
--	    if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
--	        (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
-+	    if ((content->c1 != NULL) &&
-+	        ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
-+	         (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
- 		xmlDumpElementContent(buf, content->c1, 1);
- 	    else
- 		xmlDumpElementContent(buf, content->c1, 0);
-             xmlBufferWriteChar(buf, " , ");
--	    if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
--	        ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
--		 (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
-+	    if ((content->c2 != NULL) &&
-+	        ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
-+	         ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
-+		  (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
- 		xmlDumpElementContent(buf, content->c2, 1);
- 	    else
- 		xmlDumpElementContent(buf, content->c2, 0);
- 	    break;
- 	case XML_ELEMENT_CONTENT_OR:
--	    if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
--	        (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
-+	    if ((content->c1 != NULL) &&
-+	        ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
-+	         (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
- 		xmlDumpElementContent(buf, content->c1, 1);
- 	    else
- 		xmlDumpElementContent(buf, content->c1, 0);
-             xmlBufferWriteChar(buf, " | ");
--	    if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
--	        ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
--		 (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
-+	    if ((content->c2 != NULL) &&
-+	        ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
-+	         ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
-+		  (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
- 		xmlDumpElementContent(buf, content->c2, 1);
- 	    else
- 		xmlDumpElementContent(buf, content->c2, 0);

meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-8872.patch

@@ -1,37 +0,0 @@
-From d2f873a541c72b0f67e15562819bf98b884b30b7 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Wed, 23 Aug 2017 16:04:49 +0800
-Subject: [PATCH] fix CVE-2017-8872
-
-this makes xmlHaltParser "empty" the buffer, as it resets cur and ava
-il too here.
-
-this seems to cure this specific issue, and also passes the testsuite
-
-Signed-off-by: Marcus Meissner <meissner@suse.de>
-
-https://bugzilla.gnome.org/show_bug.cgi?id=775200
-Upstream-Status: Backport [https://bugzilla.gnome.org/attachment.cgi?id=355527&action=diff]
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- parser.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/parser.c b/parser.c
-index 9506ead..6c07ffd 100644
---- a/parser.c
-+++ b/parser.c
-@@ -12664,6 +12664,10 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) {
- 	}
- 	ctxt->input->cur = BAD_CAST"";
- 	ctxt->input->base = ctxt->input->cur;
-+	if (ctxt->input->buf) {
-+		xmlBufEmpty (ctxt->input->buf->buffer);
-+	} else
-+		ctxt->input->length = 0;
-     }
- }
- 
--- 
-2.7.4
-

meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-9049_CVE-2017-9050.patch

@@ -1,291 +0,0 @@
-libxml2-2.9.4: Fix CVE-2017-9049 and CVE-2017-9050
-
-[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=781205
- -- https://bugzilla.gnome.org/show_bug.cgi?id=781361
-
-parser: Fix handling of parameter-entity references
-
-There were two bugs where parameter-entity references could lead to an
-unexpected change of the input buffer in xmlParseNameComplex and
-xmlDictLookup being called with an invalid pointer.
-
-Percent sign in DTD Names
-=========================
-
-The NEXTL macro used to call xmlParserHandlePEReference. When parsing
-"complex" names inside the DTD, this could result in entity expansion
-which created a new input buffer. The fix is to simply remove the call
-to xmlParserHandlePEReference from the NEXTL macro. This is safe because
-no users of the macro require expansion of parameter entities.
-
-- xmlParseNameComplex
-- xmlParseNCNameComplex
-- xmlParseNmtoken
-
-The percent sign is not allowed in names, which are grammatical tokens.
-
-- xmlParseEntityValue
-
-Parameter-entity references in entity values are expanded but this
-happens in a separate step in this function.
-
-- xmlParseSystemLiteral
-
-Parameter-entity references are ignored in the system literal.
-
-- xmlParseAttValueComplex
-- xmlParseCharDataComplex
-- xmlParseCommentComplex
-- xmlParsePI
-- xmlParseCDSect
-
-Parameter-entity references are ignored outside the DTD.
-
-- xmlLoadEntityContent
-
-This function is only called from xmlStringLenDecodeEntities and
-entities are replaced in a separate step immediately after the function
-call.
-
-This bug could also be triggered with an internal subset and double
-entity expansion.
-
-This fixes bug 766956 initially reported by Wei Lei and independently by
-Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
-involved.
-
-xmlParseNameComplex with XML_PARSE_OLD10
-========================================
-
-When parsing Names inside an expanded parameter entity with the
-XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the
-GROW macro if the input buffer was exhausted. At the end of the
-parameter entity's replacement text, this function would then call
-xmlPopInput which invalidated the input buffer.
-
-There should be no need to invoke GROW in this situation because the
-buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and,
-at least for UTF-8, in xmlCurrentChar. This also matches the code path
-executed when XML_PARSE_OLD10 is not set.
-
-This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
-Thanks to Marcel Böhme and Thuan Pham for the report.
-
-Additional hardening
-====================
-
-A separate check was added in xmlParseNameComplex to validate the
-buffer size.
-
-Fixes bug 781205 and bug 781361
-
-Upstream-Status: Backport [https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74]
-CVE: CVE-2017-9049 CVE-2017-9050
-Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
-
-diff --git a/Makefile.am b/Makefile.am
-index 9f988b0..dab15a4 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -422,6 +422,24 @@ Errtests : xmllint$(EXEEXT)
- 	      if [ -n "$$log" ] ; then echo $$name result ; echo $$log ; fi ; \
- 	      rm result.$$name error.$$name ; \
- 	  fi ; fi ; done)
-+	@echo "## Error cases regression tests (old 1.0)"
-+	-@(for i in $(srcdir)/test/errors10/*.xml ; do \
-+	  name=`basename $$i`; \
-+	  if [ ! -d $$i ] ; then \
-+	  if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \
-+	      echo New test file $$name ; \
-+	      $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \
-+	         2> $(srcdir)/result/errors10/$$name.err \
-+		 > $(srcdir)/result/errors10/$$name ; \
-+	      grep "MORY ALLO" .memdump  | grep -v "MEMORY ALLOCATED : 0"; \
-+	  else \
-+	      log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \
-+	      grep "MORY ALLO" .memdump  | grep -v "MEMORY ALLOCATED : 0"; \
-+	      diff $(srcdir)/result/errors10/$$name result.$$name ; \
-+	      diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \
-+	      if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
-+	      rm result.$$name error.$$name ; \
-+	  fi ; fi ; done)
- 	@echo "## Error cases stream regression tests"
- 	-@(for i in $(srcdir)/test/errors/*.xml ; do \
- 	  name=`basename $$i`; \
-diff --git a/parser.c b/parser.c
-index 609a270..8e11c12 100644
---- a/parser.c
-+++ b/parser.c
-@@ -2115,7 +2115,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
- 	ctxt->input->line++; ctxt->input->col = 1;			\
-     } else ctxt->input->col++;						\
-     ctxt->input->cur += l;				\
--    if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt);	\
-   } while (0)
- 
- #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
-@@ -3406,13 +3405,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
- 	    len += l;
- 	    NEXTL(l);
- 	    c = CUR_CHAR(l);
--	    if (c == 0) {
--		count = 0;
--		GROW;
--                if (ctxt->instate == XML_PARSER_EOF)
--                    return(NULL);
--		c = CUR_CHAR(l);
--	    }
- 	}
-     }
-     if ((len > XML_MAX_NAME_LENGTH) &&
-@@ -3420,6 +3412,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
-         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
-         return(NULL);
-     }
-+    if (ctxt->input->cur - ctxt->input->base < len) {
-+        /*
-+         * There were a couple of bugs where PERefs lead to to a change
-+         * of the buffer. Check the buffer size to avoid passing an invalid
-+         * pointer to xmlDictLookup.
-+         */
-+        xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
-+                    "unexpected change of input buffer");
-+        return (NULL);
-+    }
-     if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
-         return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
-     return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
-diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml
-new file mode 100644
-index 0000000..e69de29
-diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err
-new file mode 100644
-index 0000000..da15c3f
---- /dev/null
-+++ b/result/errors10/781205.xml.err
-@@ -0,0 +1,21 @@
-+Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
-+
-+ %a; 
-+    ^
-+Entity: line 1: 
-+<:0000
-+^
-+Entity: line 1: parser error : DOCTYPE improperly terminated
-+ %a; 
-+    ^
-+Entity: line 1: 
-+<:0000
-+^
-+namespace error : Failed to parse QName ':0000'
-+ %a; 
-+    ^
-+<:0000
-+      ^
-+./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1
-+
-+^
-diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml
-new file mode 100644
-index 0000000..e69de29
-diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err
-new file mode 100644
-index 0000000..655f41a
---- /dev/null
-+++ b/result/errors10/781361.xml.err
-@@ -0,0 +1,13 @@
-+./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected
-+
-+^
-+./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
-+
-+
-+^
-+./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated
-+
-+^
-+./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found
-+
-+^
-diff --git a/result/valid/766956.xml b/result/valid/766956.xml
-new file mode 100644
-index 0000000..e69de29
-diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err
-new file mode 100644
-index 0000000..34b1dae
---- /dev/null
-+++ b/result/valid/766956.xml.err
-@@ -0,0 +1,9 @@
-+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
-+%ä%ent;
-+   ^
-+Entity: line 1: parser error : Content error in the external subset
-+ %ent; 
-+      ^
-+Entity: line 1: 
-+value
-+^
-diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr
-new file mode 100644
-index 0000000..7760346
---- /dev/null
-+++ b/result/valid/766956.xml.err.rdr
-@@ -0,0 +1,10 @@
-+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
-+%ä%ent;
-+   ^
-+Entity: line 1: parser error : Content error in the external subset
-+ %ent; 
-+      ^
-+Entity: line 1: 
-+value
-+^
-+./test/valid/766956.xml : failed to parse
-diff --git a/runtest.c b/runtest.c
-index bb74d2a..63e8c20 100644
---- a/runtest.c
-+++ b/runtest.c
-@@ -4202,6 +4202,9 @@ testDesc testDescriptions[] = {
-     { "Error cases regression tests",
-       errParseTest, "./test/errors/*.xml", "result/errors/", "", ".err",
-       0 },
-+    { "Error cases regression tests (old 1.0)",
-+      errParseTest, "./test/errors10/*.xml", "result/errors10/", "", ".err",
-+      XML_PARSE_OLD10 },
- #ifdef LIBXML_READER_ENABLED
-     { "Error cases stream regression tests",
-       streamParseTest, "./test/errors/*.xml", "result/errors/", NULL, ".str",
-diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml
-new file mode 100644
-index 0000000..d9e9e83
---- /dev/null
-+++ b/test/errors10/781205.xml
-@@ -0,0 +1,3 @@
-+<!DOCTYPE D [
-+  <!ENTITY % a "<:0000">
-+  %a;
-diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml
-new file mode 100644
-index 0000000..67476bc
---- /dev/null
-+++ b/test/errors10/781361.xml
-@@ -0,0 +1,3 @@
-+<!DOCTYPE doc [
-+  <!ENTITY % elem "<!ELEMENT e0000000000">
-+  %elem;
-diff --git a/test/valid/766956.xml b/test/valid/766956.xml
-new file mode 100644
-index 0000000..19a95a0
---- /dev/null
-+++ b/test/valid/766956.xml
-@@ -0,0 +1,2 @@
-+<!DOCTYPE test SYSTEM "dtds/766956.dtd">
-+<test/>
-diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd
-new file mode 100644
-index 0000000..dddde68
---- /dev/null
-+++ b/test/valid/dtds/766956.dtd
-@@ -0,0 +1,2 @@
-+<!ENTITY % ent "value">
-+%ä%ent;

meta/recipes-core/libxml/libxml2/libxml2-fix_NULL_pointer_derefs.patch

@@ -1,45 +0,0 @@
-libxml2-2.9.4: Fix more NULL pointer derefs
-
-xpointer: Fix more NULL pointer derefs
-
-Upstream-Status: Backport [https://git.gnome.org/browse/libxml2/commit/?id=e905f08123e4a6e7731549e6f09dadff4cab65bd]
-Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
-Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
-
-diff --git a/xpointer.c b/xpointer.c
-index 676c510..074db24 100644
---- a/xpointer.c
-+++ b/xpointer.c
-@@ -555,7 +555,7 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
- 	    /*
- 	     * Empty set ...
- 	     */
--	    if (end->nodesetval->nodeNr <= 0)
-+	    if ((end->nodesetval == NULL) || (end->nodesetval->nodeNr <= 0))
- 		return(NULL);
- 	    break;
- 	default:
-@@ -1400,7 +1400,7 @@ xmlXPtrEval(const xmlChar *str, xmlXPathContextPtr ctx) {
- 		     */
- 		    xmlNodeSetPtr set;
- 		    set = tmp->nodesetval;
--		    if ((set->nodeNr != 1) ||
-+		    if ((set == NULL) || (set->nodeNr != 1) ||
- 			(set->nodeTab[0] != (xmlNodePtr) ctx->doc))
- 			stack++;
- 		} else
-@@ -2073,9 +2073,11 @@ xmlXPtrRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) {
- 	xmlXPathFreeObject(set);
-         XP_ERROR(XPATH_MEMORY_ERROR);
-     }
--    for (i = 0;i < oldset->locNr;i++) {
--	xmlXPtrLocationSetAdd(newset,
--		xmlXPtrCoveringRange(ctxt, oldset->locTab[i]));
-+    if (oldset != NULL) {
-+	for (i = 0;i < oldset->locNr;i++) {
-+	  xmlXPtrLocationSetAdd(newset,
-+		  xmlXPtrCoveringRange(ctxt, oldset->locTab[i]));
-+      }
-     }
- 
-     /*

meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch

@@ -1,67 +0,0 @@
-libxml2-2.9.4: Fix comparison with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer
-
-xpath:
- - Check for errors after evaluating first operand.
- - Add sanity check for empty stack.
- - Include comparation in changes from xmlXPathCmpNodesExt to xmlXPathCmpNodes
-
-Upstream-Status: Backport
- - [https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b]
- - [https://git.gnome.org/browse/libxml2/commit/?id=a005199330b86dada19d162cae15ef9bdcb6baa8]
-CVE: CVE-2016-5131
-Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
-Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
-
-diff --git a/result/XPath/xptr/viderror b/result/XPath/xptr/viderror
-new file mode 100644
-index 0000000..d589882
---- /dev/null
-+++ b/result/XPath/xptr/viderror
-@@ -0,0 +1,4 @@
-+
-+========================
-+Expression: xpointer(non-existing-fn()/range-to(id('chapter2')))
-+Object is empty (NULL)
-diff --git a/test/XPath/xptr/viderror b/test/XPath/xptr/viderror
-new file mode 100644
-index 0000000..da8c53b
---- /dev/null
-+++ b/test/XPath/xptr/viderror
-@@ -0,0 +1 @@
-+xpointer(non-existing-fn()/range-to(id('chapter2')))
-diff --git a/xpath.c b/xpath.c
-index 113bce6..d992841 100644
---- a/xpath.c
-+++ b/xpath.c
-@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) {
-      * compute depth to root
-      */
-     for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
--	if (cur == node1)
-+	if (cur->parent == node1)
- 	    return(1);
- 	depth2++;
-     }
-     root = cur;
-     for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
--	if (cur == node2)
-+	if (cur->parent == node2)
- 	    return(-1);
- 	depth1++;
-     }
-@@ -14005,9 +14005,14 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
-                 xmlNodeSetPtr oldset;
-                 int i, j;
- 
--                if (op->ch1 != -1)
-+                if (op->ch1 != -1) {
-                     total +=
-                         xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
-+                    CHECK_ERROR0;
-+                }
-+                if (ctxt->value == NULL) {
-+                    XP_ERROR0(XPATH_INVALID_OPERAND);
-+                }
-                 if (op->ch2 == -1)
-                     return (total);
- 

meta/recipes-core/libxml/libxml2/runtest.patch

@@ -2,47 +2,29 @@ Add 'install-ptest' rule.
 Print a standard result line for each test.
 
 Signed-off-by: Mihaela Sendrea <mihaela.sendrea@enea.com>
-Signed-off-by: Andrej Valek <andrej.valek@enea.com>
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
 Upstream-Status: Backport
 
 diff -uNr a/Makefile.am b/Makefile.am
---- a/Makefile.am	2016-05-22 03:49:02.000000000 +0200
-+++ b/Makefile.am	2017-06-14 10:38:43.381305385 +0200
-@@ -202,10 +202,24 @@
+--- a/Makefile.am	2017-08-28 15:01:14.000000000 +0200
++++ b/Makefile.am	2017-09-05 08:06:05.752287323 +0200
+@@ -202,6 +202,15 @@
  #testOOM_DEPENDENCIES = $(DEPS)
  #testOOM_LDADD= $(LDADDS)
  
 +install-ptest:
 +	@(if [ -d .libs ] ; then cd .libs; fi; \
-+	install $(noinst_PROGRAMS) $(DESTDIR))
++	install $(check_PROGRAMS) $(DESTDIR))
 +	cp -r $(srcdir)/test $(DESTDIR)
 +	cp -r $(srcdir)/result $(DESTDIR)
 +	cp -r $(srcdir)/python $(DESTDIR)
 +	cp Makefile $(DESTDIR)
 +	sed -i -e 's|^Makefile:|_Makefile:|' $(DESTDIR)/Makefile
 +
- runtests:
+ runtests: runtest$(EXEEXT) testrecurse$(EXEEXT) testapi$(EXEEXT) \
+           testchar$(EXEEXT) testdict$(EXEEXT) runxmlconf$(EXEEXT)
  	[ -d test   ] || $(LN_S) $(srcdir)/test   .
- 	[ -d result ] || $(LN_S) $(srcdir)/result .
--	$(CHECKER) ./runtest$(EXEEXT) && $(CHECKER) ./testrecurse$(EXEEXT) &&$(CHECKER) ./testapi$(EXEEXT) && $(CHECKER) ./testchar$(EXEEXT)&& $(CHECKER) ./testdict$(EXEEXT) && $(CHECKER) ./runxmlconf$(EXEEXT)
-+	$(CHECKER) ./runtest$(EXEEXT) && \
-+	    $(CHECKER) ./testrecurse$(EXEEXT) && \
-+	    ASAN_OPTIONS="$$ASAN_OPTIONS:detect_leaks=0" $(CHECKER) ./testapi$(EXEEXT) && \
-+	    $(CHECKER) ./testchar$(EXEEXT) && \
-+	    $(CHECKER) ./testdict$(EXEEXT) && \
-+	    $(CHECKER) ./runxmlconf$(EXEEXT)
- 	@(if [ "$(PYTHON_SUBDIR)" != "" ] ; then cd python ; \
- 	    $(MAKE) tests ; fi)
- 
-@@ -229,7 +243,7 @@
- 
- APItests: testapi$(EXEEXT)
- 	@echo "## Running the API regression tests this may take a little while"
--	-@($(CHECKER) $(top_builddir)/testapi -q)
-+	-@(ASAN_OPTIONS="$$ASAN_OPTIONS:detect_leaks=0" $(CHECKER) $(top_builddir)/testapi -q)
- 
- HTMLtests : testHTML$(EXEEXT)
- 	@(echo > .memdump)
+
 diff -uNr a/runsuite.c b/runsuite.c
 --- a/runsuite.c	2013-04-12 16:17:11.462823238 +0200
 +++ b/runsuite.c	2013-04-17 14:07:24.352693211 +0200

meta/recipes-core/libxml/libxml2_2.9.5.bb

@@ -19,21 +19,11 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
            file://run-ptest \
            file://python-sitepackages-dir.patch \
            file://libxml-m4-use-pkgconfig.patch \
-           file://libxml2-fix_node_comparison.patch \
-           file://libxml2-CVE-2016-5131.patch \
-           file://libxml2-CVE-2016-4658.patch \
-           file://libxml2-fix_NULL_pointer_derefs.patch \
-           file://libxml2-fix_and_simplify_xmlParseStartTag2.patch \
-           file://libxml2-CVE-2017-9047_CVE-2017-9048.patch \
-           file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \
-           file://libxml2-CVE-2017-5969.patch \
-           file://libxml2-CVE-2017-0663.patch \
-           file://libxml2-CVE-2017-8872.patch \
            file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
            "
 
-SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5"
-SRC_URI[libtar.sha256sum] = "ffb911191e509b966deb55de705387f14156e1a56b21824357cdf0053233633c"
+SRC_URI[libtar.md5sum] = "5ce0da9bdaa267b40c4ca36d35363b8b"
+SRC_URI[libtar.sha256sum] = "4031c1ecee9ce7ba4f313e91ef6284164885cdb69937a123f6a83bb6a72dcd38"
 SRC_URI[testtar.md5sum] = "ae3d1ebe000a3972afa104ca7f0e1b4a"
 SRC_URI[testtar.sha256sum] = "96151685cec997e1f9f3387e3626d61e6284d4d6e66e0e440c209286c03e9cc7"
 
@@ -81,6 +71,10 @@ do_configure_prepend () {
 	find ${WORKDIR}/xmlconf/ -type f -exec chmod -x {} \+
 }
 
+do_compile_ptest() {
+	oe_runmake check-am
+}
+
 do_install_ptest () {
 	cp -r ${WORKDIR}/xmlconf ${D}${PTEST_PATH}
 	if [ "${@bb.utils.filter('PACKAGECONFIG', 'python', d)}" ]; then

meta/recipes-core/meta/buildtools-tarball.bb

@@ -21,7 +21,6 @@ TOOLCHAIN_HOST_TASK ?= "\
     nativesdk-wget \
     nativesdk-ca-certificates \
     nativesdk-texinfo \
-    nativesdk-locale-base-en-us \
     "
 
 MULTIMACH_TARGET_SYS = "${SDK_ARCH}-nativesdk${SDK_VENDOR}-${SDK_OS}"

meta/recipes-core/ncurses/files/CVE-2017-13732-CVE-2017-13734-CVE-2017-13730-CVE-2017-13729-CVE-2017-13728-CVE-2017-13731.patch

@@ -1,541 +0,0 @@
-From 4bf72cb8f1d3aa5f33c31eb817a5f0338f4aaf6f Mon Sep 17 00:00:00 2001
-From: Ovidiu Panait <ovidiu.panait@windriver.com>
-Date: Wed, 20 Sep 2017 05:02:00 +0000
-Subject: [PATCH] Import upstream patch 20170826
-
-20170826
-	+ fixes for "iterm2" (report by Leonardo Brondani Schenkel) -TD
-	+ corrected a warning from tic about keys which are the same, to skip
-	  over missing/cancelled values.
-	+ add check in tic for unnecessary use of "2" to denote a shifted
-	  special key.
-	+ improve checks in trim_sgr0, comp_parse.c and parse_entry.c, for
-	  cancelled string capabilities.
-	+ add check in _nc_parse_entry() for invalid entry name, setting the
-	  name to "invalid" to avoid problems storing entries.
-	+ add/improve checks in tic's parser to address invalid input
-	  + add a check in comp_scan.c to handle the special case where a
-	    nontext file ending with a NUL rather than newline is given to tic
-	    as input (Redhat #1484274).
-	  + allow for cancelled capabilities in _nc_save_str (Redhat #1484276).
-	  + add validity checks for "use=" target in _nc_parse_entry (Redhat
-	    #1484284).
-	  + check for invalid strings in postprocess_termcap (Redhat #1484285)
-	  + reset secondary pointers on EOF in next_char() (Redhat #1484287).
-	  + guard _nc_safe_strcpy() and _nc_safe_strcat() against calls using
-	    cancelled strings (Redhat #1484291).
-	+ correct typo in curs_memleaks.3x (Sven Joachim).
-	+ improve test/configure checks for some curses variants not based on
-	  X/Open Curses.
-	+ add options for test/configure to disable checks for form, menu and
-	  panel libraries.
-
-Upstream-Status: Backport
-CVE: CVE-2017-13732, CVE-2017-13734, CVE-2017-13730, CVE-2017-13729, CVE-2017-13728, CVE-2017-13731
- 
-
-Author: Sven Joachim <svenjoac@gmx.de>
-Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
----
- dist.mk                     |  4 +-
- include/ncurses_defs        |  4 +-
- ncurses/tinfo/alloc_entry.c |  4 +-
- ncurses/tinfo/comp_parse.c  | 10 ++---
- ncurses/tinfo/comp_scan.c   |  6 ++-
- ncurses/tinfo/parse_entry.c | 91 ++++++++++++++++++++++++++++++---------------
- ncurses/tinfo/strings.c     |  9 +++--
- ncurses/tinfo/trim_sgr0.c   |  4 +-
- progs/tic.c                 | 75 ++++++++++++++++++++++++++++++++++++-
- 9 files changed, 157 insertions(+), 50 deletions(-)
-
-diff --git a/dist.mk b/dist.mk
-index 9af2699..2c70472 100644
---- a/dist.mk
-+++ b/dist.mk
-@@ -25,7 +25,7 @@
- # use or other dealings in this Software without prior written               #
- # authorization.                                                             #
- ##############################################################################
--# $Id: dist.mk,v 1.1172 2017/07/13 00:15:27 tom Exp $
-+# $Id: dist.mk,v 1.1179 2017/08/20 15:33:41 tom Exp $
- # Makefile for creating ncurses distributions.
- #
- # This only needs to be used directly as a makefile by developers, but
-@@ -37,7 +37,7 @@ SHELL = /bin/sh
- # These define the major/minor/patch versions of ncurses.
- NCURSES_MAJOR = 6
- NCURSES_MINOR = 0
--NCURSES_PATCH = 20170715
-+NCURSES_PATCH = 20170826
- 
- # We don't append the patch to the version, since this only applies to releases
- VERSION = $(NCURSES_MAJOR).$(NCURSES_MINOR)
-diff --git a/include/ncurses_defs b/include/ncurses_defs
-index e6611b7..d237db1 100644
---- a/include/ncurses_defs
-+++ b/include/ncurses_defs
-@@ -1,4 +1,4 @@
--# $Id: ncurses_defs,v 1.73 2017/06/24 14:20:57 tom Exp $
-+# $Id: ncurses_defs,v 1.75 2017/08/20 16:50:04 tom Exp $
- ##############################################################################
- # Copyright (c) 2000-2016,2017 Free Software Foundation, Inc.                #
- #                                                                            #
-@@ -50,7 +50,9 @@ HAVE_BSD_STRING_H
- HAVE_BTOWC 
- HAVE_BUILTIN_H
- HAVE_CHGAT	1
-+HAVE_COLOR_CONTENT	1
- HAVE_COLOR_SET	1
-+HAVE_CURSCR	1
- HAVE_DIRENT_H
- HAVE_ERRNO
- HAVE_FCNTL_H
-diff --git a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c
-index 5de09f1..09374d6 100644
---- a/ncurses/tinfo/alloc_entry.c
-+++ b/ncurses/tinfo/alloc_entry.c
-@@ -47,7 +47,7 @@
- 
- #include <tic.h>
- 
--MODULE_ID("$Id: alloc_entry.c,v 1.60 2017/06/27 23:48:55 tom Exp $")
-+MODULE_ID("$Id: alloc_entry.c,v 1.61 2017/08/25 09:09:08 tom Exp $")
- 
- #define ABSENT_OFFSET    -1
- #define CANCELLED_OFFSET -2
-@@ -98,7 +98,7 @@ _nc_save_str(const char *const string)
-     size_t old_next_free = next_free;
-     size_t len;
- 
--    if (string == 0)
-+    if (!VALID_STRING(string))
- 	return _nc_save_str("");
-     len = strlen(string) + 1;
- 
-diff --git a/ncurses/tinfo/comp_parse.c b/ncurses/tinfo/comp_parse.c
-index 34e6216..580d4df 100644
---- a/ncurses/tinfo/comp_parse.c
-+++ b/ncurses/tinfo/comp_parse.c
-@@ -47,7 +47,7 @@
- 
- #include <tic.h>
- 
--MODULE_ID("$Id: comp_parse.c,v 1.96 2017/04/15 15:36:58 tom Exp $")
-+MODULE_ID("$Id: comp_parse.c,v 1.99 2017/08/26 16:15:50 tom Exp $")
- 
- static void sanity_check2(TERMTYPE2 *, bool);
- NCURSES_IMPEXP void NCURSES_API(*_nc_check_termtype2) (TERMTYPE2 *, bool) = sanity_check2;
-@@ -510,9 +510,9 @@ static void
- fixup_acsc(TERMTYPE2 *tp, int literal)
- {
-     if (!literal) {
--	if (acs_chars == 0
--	    && enter_alt_charset_mode != 0
--	    && exit_alt_charset_mode != 0)
-+	if (acs_chars == ABSENT_STRING
-+	    && PRESENT(enter_alt_charset_mode)
-+	    && PRESENT(exit_alt_charset_mode))
- 	    acs_chars = strdup(VT_ACSC);
-     }
- }
-@@ -568,9 +568,7 @@ sanity_check2(TERMTYPE2 *tp, bool literal)
-     PAIRED(enter_xon_mode, exit_xon_mode);
-     PAIRED(enter_am_mode, exit_am_mode);
-     ANDMISSING(label_off, label_on);
--#ifdef remove_clock
-     PAIRED(display_clock, remove_clock);
--#endif
-     ANDMISSING(set_color_pair, initialize_pair);
- }
- 
-diff --git a/ncurses/tinfo/comp_scan.c b/ncurses/tinfo/comp_scan.c
-index 40d7f6a..b207257 100644
---- a/ncurses/tinfo/comp_scan.c
-+++ b/ncurses/tinfo/comp_scan.c
-@@ -50,7 +50,7 @@
- #include <ctype.h>
- #include <tic.h>
- 
--MODULE_ID("$Id: comp_scan.c,v 1.106 2017/04/22 11:41:12 tom Exp $")
-+MODULE_ID("$Id: comp_scan.c,v 1.108 2017/08/25 22:57:21 tom Exp $")
- 
- /*
-  * Maximum length of string capability we'll accept before raising an error.
-@@ -168,6 +168,8 @@ next_char(void)
- 	if (result != 0) {
- 	    FreeAndNull(result);
- 	    FreeAndNull(pushname);
-+	    bufptr = 0;
-+	    bufstart = 0;
- 	    allocated = 0;
- 	}
- 	/*
-@@ -222,6 +224,8 @@ next_char(void)
- 		}
- 		if ((bufptr = bufstart) != 0) {
- 		    used = strlen(bufptr);
-+		    if (used == 0)
-+			return (EOF);
- 		    while (iswhite(*bufptr)) {
- 			if (*bufptr == '\t') {
- 			    _nc_curr_col = (_nc_curr_col | 7) + 1;
-diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
-index 3fa2f25..bbbfcb2 100644
---- a/ncurses/tinfo/parse_entry.c
-+++ b/ncurses/tinfo/parse_entry.c
-@@ -47,7 +47,7 @@
- #include <ctype.h>
- #include <tic.h>
- 
--MODULE_ID("$Id: parse_entry.c,v 1.86 2017/06/28 00:53:12 tom Exp $")
-+MODULE_ID("$Id: parse_entry.c,v 1.91 2017/08/26 16:13:34 tom Exp $")
- 
- #ifdef LINT
- static short const parametrized[] =
-@@ -180,6 +180,20 @@ _nc_extend_names(ENTRY * entryp, char *name, int token_type)
- }
- #endif /* NCURSES_XNAMES */
- 
-+static bool
-+valid_entryname(const char *name)
-+{
-+    bool result = TRUE;
-+    int ch;
-+    while ((ch = UChar(*name++)) != '\0') {
-+	if (ch <= ' ' || ch > '~' || ch == '/') {
-+	    result = FALSE;
-+	    break;
-+	}
-+    }
-+    return result;
-+}
-+
- /*
-  *	int
-  *	_nc_parse_entry(entry, literal, silent)
-@@ -211,6 +225,7 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
-     int token_type;
-     struct name_table_entry const *entry_ptr;
-     char *ptr, *base;
-+    const char *name;
-     bool bad_tc_usage = FALSE;
- 
-     token_type = _nc_get_token(silent);
-@@ -261,7 +276,12 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
-      * results in the terminal type getting prematurely set to correspond
-      * to that of the next entry.
-      */
--    _nc_set_type(_nc_first_name(entryp->tterm.term_names));
-+    name = _nc_first_name(entryp->tterm.term_names);
-+    if (!valid_entryname(name)) {
-+	_nc_warning("invalid entry name \"%s\"", name);
-+	name = "invalid";
-+    }
-+    _nc_set_type(name);
- 
-     /* check for overly-long names and aliases */
-     for (base = entryp->tterm.term_names; (ptr = strchr(base, '|')) != 0;
-@@ -283,13 +303,24 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
- 	bool is_use = (strcmp(_nc_curr_token.tk_name, "use") == 0);
- 	bool is_tc = !is_use && (strcmp(_nc_curr_token.tk_name, "tc") == 0);
- 	if (is_use || is_tc) {
-+	    if (!VALID_STRING(_nc_curr_token.tk_valstring)
-+		|| _nc_curr_token.tk_valstring[0] == '\0') {
-+		_nc_warning("missing name for use-clause");
-+		continue;
-+	    } else if (!valid_entryname(_nc_curr_token.tk_valstring)) {
-+		_nc_warning("invalid name for use-clause \"%s\"",
-+			    _nc_curr_token.tk_valstring);
-+		continue;
-+	    } else if (entryp->nuses >= MAX_USES) {
-+		_nc_warning("too many use-clauses, ignored \"%s\"",
-+			    _nc_curr_token.tk_valstring);
-+		continue;
-+	    }
- 	    entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring);
- 	    entryp->uses[entryp->nuses].line = _nc_curr_line;
--	    if (VALID_STRING(entryp->uses[entryp->nuses].name)) {
--		entryp->nuses++;
--		if (entryp->nuses > 1 && is_tc) {
--		    BAD_TC_USAGE
--		}
-+	    entryp->nuses++;
-+	    if (entryp->nuses > 1 && is_tc) {
-+		BAD_TC_USAGE
- 	    }
- 	} else {
- 	    /* normal token lookup */
-@@ -641,13 +672,6 @@ static const char C_BS[] = "\b";
- static const char C_HT[] = "\t";
- 
- /*
-- * Note that WANTED and PRESENT are not simple inverses!  If a capability
-- * has been explicitly cancelled, it's not considered WANTED.
-- */
--#define WANTED(s)	((s) == ABSENT_STRING)
--#define PRESENT(s)	(((s) != ABSENT_STRING) && ((s) != CANCELLED_STRING))
--
--/*
-  * This bit of legerdemain turns all the terminfo variable names into
-  * references to locations in the arrays Booleans, Numbers, and Strings ---
-  * precisely what's needed.
-@@ -672,10 +696,10 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
- 
-     /* if there was a tc entry, assume we picked up defaults via that */
-     if (!has_base) {
--	if (WANTED(init_3string) && termcap_init2)
-+	if (WANTED(init_3string) && PRESENT(termcap_init2))
- 	    init_3string = _nc_save_str(termcap_init2);
- 
--	if (WANTED(reset_2string) && termcap_reset)
-+	if (WANTED(reset_2string) && PRESENT(termcap_reset))
- 	    reset_2string = _nc_save_str(termcap_reset);
- 
- 	if (WANTED(carriage_return)) {
-@@ -790,7 +814,7 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
- 	if (init_tabs != 8 && init_tabs != ABSENT_NUMERIC)
- 	    _nc_warning("hardware tabs with a width other than 8: %d", init_tabs);
- 	else {
--	    if (tab && _nc_capcmp(tab, C_HT))
-+	    if (PRESENT(tab) && _nc_capcmp(tab, C_HT))
- 		_nc_warning("hardware tabs with a non-^I tab string %s",
- 			    _nc_visbuf(tab));
- 	    else {
-@@ -867,17 +891,22 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
- 	     * The magic moment -- copy the mapped key string over,
- 	     * stripping out padding.
- 	     */
--	    for (dp = buf2, bp = tp->Strings[from_ptr->nte_index]; *bp; bp++) {
--		if (bp[0] == '$' && bp[1] == '<') {
--		    while (*bp && *bp != '>') {
--			++bp;
--		    }
--		} else
--		    *dp++ = *bp;
--	    }
--	    *dp = '\0';
-+	    bp = tp->Strings[from_ptr->nte_index];
-+	    if (VALID_STRING(bp)) {
-+		for (dp = buf2; *bp; bp++) {
-+		    if (bp[0] == '$' && bp[1] == '<') {
-+			while (*bp && *bp != '>') {
-+			    ++bp;
-+			}
-+		    } else
-+			*dp++ = *bp;
-+		}
-+		*dp = '\0';
- 
--	    tp->Strings[to_ptr->nte_index] = _nc_save_str(buf2);
-+		tp->Strings[to_ptr->nte_index] = _nc_save_str(buf2);
-+	    } else {
-+		tp->Strings[to_ptr->nte_index] = bp;
-+	    }
- 	}
- 
- 	/*
-@@ -886,7 +915,7 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
- 	 * got mapped to kich1 and im to kIC to avoid a collision.
- 	 * If the description has im but not ic, hack kIC back to kich1.
- 	 */
--	if (foundim && WANTED(key_ic) && key_sic) {
-+	if (foundim && WANTED(key_ic) && PRESENT(key_sic)) {
- 	    key_ic = key_sic;
- 	    key_sic = ABSENT_STRING;
- 	}
-@@ -938,9 +967,9 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
- 	    acs_chars = _nc_save_str(buf2);
- 	    _nc_warning("acsc string synthesized from XENIX capabilities");
- 	}
--    } else if (acs_chars == 0
--	       && enter_alt_charset_mode != 0
--	       && exit_alt_charset_mode != 0) {
-+    } else if (acs_chars == ABSENT_STRING
-+	       && PRESENT(enter_alt_charset_mode)
-+	       && PRESENT(exit_alt_charset_mode)) {
- 	acs_chars = _nc_save_str(VT_ACSC);
-     }
- }
-diff --git a/ncurses/tinfo/strings.c b/ncurses/tinfo/strings.c
-index 393d8e7..10ec6c8 100644
---- a/ncurses/tinfo/strings.c
-+++ b/ncurses/tinfo/strings.c
-@@ -1,5 +1,5 @@
- /****************************************************************************
-- * Copyright (c) 2000-2007,2012 Free Software Foundation, Inc.              *
-+ * Copyright (c) 2000-2012,2017 Free Software Foundation, Inc.              *
-  *                                                                          *
-  * Permission is hereby granted, free of charge, to any person obtaining a  *
-  * copy of this software and associated documentation files (the            *
-@@ -35,8 +35,9 @@
- **/
- 
- #include <curses.priv.h>
-+#include <tic.h>
- 
--MODULE_ID("$Id: strings.c,v 1.8 2012/02/22 22:34:31 tom Exp $")
-+MODULE_ID("$Id: strings.c,v 1.9 2017/08/26 13:16:11 tom Exp $")
- 
- /****************************************************************************
-  * Useful string functions (especially for mvcur)
-@@ -105,7 +106,7 @@ _nc_str_copy(string_desc * dst, string_desc * src)
- NCURSES_EXPORT(bool)
- _nc_safe_strcat(string_desc * dst, const char *src)
- {
--    if (src != 0) {
-+    if (PRESENT(src)) {
- 	size_t len = strlen(src);
- 
- 	if (len < dst->s_size) {
-@@ -126,7 +127,7 @@ _nc_safe_strcat(string_desc * dst, const char *src)
- NCURSES_EXPORT(bool)
- _nc_safe_strcpy(string_desc * dst, const char *src)
- {
--    if (src != 0) {
-+    if (PRESENT(src)) {
- 	size_t len = strlen(src);
- 
- 	if (len < dst->s_size) {
-diff --git a/ncurses/tinfo/trim_sgr0.c b/ncurses/tinfo/trim_sgr0.c
-index 4cbcb65..4d92d15 100644
---- a/ncurses/tinfo/trim_sgr0.c
-+++ b/ncurses/tinfo/trim_sgr0.c
-@@ -36,7 +36,7 @@
- 
- #include <tic.h>
- 
--MODULE_ID("$Id: trim_sgr0.c,v 1.16 2017/04/05 22:33:07 tom Exp $")
-+MODULE_ID("$Id: trim_sgr0.c,v 1.17 2017/08/26 14:54:16 tom Exp $")
- 
- #undef CUR
- #define CUR tp->
-@@ -263,7 +263,7 @@ _nc_trim_sgr0(TERMTYPE2 *tp)
- 	    /*
- 	     * If rmacs is a substring of sgr(0), remove that chunk.
- 	     */
--	    if (exit_alt_charset_mode != 0) {
-+	    if (PRESENT(exit_alt_charset_mode)) {
- 		TR(TRACE_DATABASE, ("scan for rmacs %s", _nc_visbuf(exit_alt_charset_mode)));
- 		j = strlen(off);
- 		k = strlen(exit_alt_charset_mode);
-diff --git a/progs/tic.c b/progs/tic.c
-index c5d78e5..6dd4678 100644
---- a/progs/tic.c
-+++ b/progs/tic.c
-@@ -48,7 +48,7 @@
- #include <parametrized.h>
- #include <transform.h>
- 
--MODULE_ID("$Id: tic.c,v 1.233 2017/07/15 17:40:19 tom Exp $")
-+MODULE_ID("$Id: tic.c,v 1.243 2017/08/26 20:56:55 tom Exp $")
- 
- #define STDIN_NAME "<stdin>"
- 
-@@ -62,6 +62,10 @@ static bool showsummary = FALSE;
- static char **namelst = 0;
- static const char *to_remove;
- 
-+#if NCURSES_XNAMES
-+static bool using_extensions = FALSE;
-+#endif
-+
- static void (*save_check_termtype) (TERMTYPE2 *, bool);
- static void check_termtype(TERMTYPE2 *tt, bool);
- 
-@@ -850,6 +854,7 @@ main(int argc, char *argv[])
- 	    /* FALLTHRU */
- 	case 'x':
- 	    use_extended_names(TRUE);
-+	    using_extensions = TRUE;
- 	    break;
- #endif
- 	default:
-@@ -2405,10 +2410,17 @@ check_conflict(TERMTYPE2 *tp)
- 	    const char *a = given[j].value;
- 	    bool first = TRUE;
- 
-+	    if (!VALID_STRING(a))
-+		continue;
-+
- 	    for (k = j + 1; given[k].keycode; k++) {
- 		const char *b = given[k].value;
-+
-+		if (!VALID_STRING(b))
-+		    continue;
- 		if (check[k])
- 		    continue;
-+
- 		if (!_nc_capcmp(a, b)) {
- 		    check[j] = 1;
- 		    check[k] = 1;
-@@ -2431,6 +2443,67 @@ check_conflict(TERMTYPE2 *tp)
- 	    if (!first)
- 		fprintf(stderr, "\n");
- 	}
-+#if NCURSES_XNAMES
-+	if (using_extensions) {
-+	    /* *INDENT-OFF* */
-+	    static struct {
-+		const char *xcurses;
-+		const char *shifted;
-+	    } table[] = {
-+		{ "kDC",  NULL },
-+		{ "kDN",  "kind" },
-+		{ "kEND", NULL },
-+		{ "kHOM", NULL },
-+		{ "kLFT", NULL },
-+		{ "kNXT", NULL },
-+		{ "kPRV", NULL },
-+		{ "kRIT", NULL },
-+		{ "kUP",  "kri" },
-+		{ NULL,   NULL },
-+	    };
-+	    /* *INDENT-ON* */
-+
-+	    /*
-+	     * SVr4 curses defines the "xcurses" names listed above except for
-+	     * the special cases in the "shifted" column.  When using these
-+	     * names for xterm's extensions, that was confusing, and resulted
-+	     * in adding extended capabilities with "2" (shift) suffix.  This
-+	     * check warns about unnecessary use of extensions for this quirk.
-+	     */
-+	    for (j = 0; given[j].keycode; ++j) {
-+		const char *find = given[j].name;
-+		int value;
-+		char ch;
-+
-+		if (!VALID_STRING(given[j].value))
-+		    continue;
-+
-+		for (k = 0; table[k].xcurses; ++k) {
-+		    const char *test = table[k].xcurses;
-+		    size_t size = strlen(test);
-+
-+		    if (!strncmp(find, test, size) && strcmp(find, test)) {
-+			switch (sscanf(find + size, "%d%c", &value, &ch)) {
-+			case 1:
-+			    if (value == 2) {
-+				_nc_warning("expected '%s' rather than '%s'",
-+					    (table[k].shifted
-+					     ? table[k].shifted
-+					     : test), find);
-+			    } else if (value < 2 || value > 15) {
-+				_nc_warning("expected numeric 2..15 '%s'", find);
-+			    }
-+			    break;
-+			default:
-+			    _nc_warning("expected numeric suffix for '%s'", find);
-+			    break;
-+			}
-+			break;
-+		    }
-+		}
-+	    }
-+	}
-+#endif
- 	free(given);
- 	free(check);
-     }
--- 
-2.10.2
-

meta/recipes-core/ncurses/ncurses.inc

@@ -13,7 +13,7 @@ BINCONFIG = "${bindir}/ncurses5-config ${bindir}/ncursesw5-config \
 inherit autotools binconfig-disabled multilib_header pkgconfig
 
 # Upstream has useful patches at times at ftp://invisible-island.net/ncurses/
-SRC_URI = "git://anonscm.debian.org/collab-maint/ncurses.git"
+SRC_URI = "git://salsa.debian.org/debian/ncurses.git;protocol=https"
 
 EXTRA_AUTORECONF = "-I m4"
 CONFIG_SITE =+ "${WORKDIR}/config.cache"
@@ -59,6 +59,7 @@ EX_TERMCAP_class-nativesdk = ":/etc/termcap:/usr/share/misc/termcap"
 EX_TERMINFO = ""
 EX_TERMINFO_class-native = ":/etc/terminfo:/usr/share/terminfo:/usr/share/misc/terminfo:/lib/terminfo"
 EX_TERMINFO_class-nativesdk = ":/etc/terminfo:/usr/share/terminfo:/usr/share/misc/terminfo:/lib/terminfo"
+EX_TERMLIB ?= "tinfo"
 
 # Helper function for do_configure to allow multiple configurations
 # $1 the directory to run configure in
@@ -80,7 +81,7 @@ ncurses_configure() {
 	        --disable-big-core \
 	        --program-prefix= \
 	        --with-ticlib \
-	        --with-termlib=tinfo \
+	        --with-termlib=${EX_TERMLIB} \
 	        --enable-sigwinch \
 	        --enable-pc-files \
 	        --disable-rpath-hack \
@@ -201,7 +202,10 @@ do_install() {
                 ln -sf xterm-color ${D}${sysconfdir}/terminfo/x/xterm
         fi
 
-        rm -f ${D}${libdir}/terminfo
+        # When changing ${libdir} to e.g. /usr/lib/myawesomelib/ ncurses 
+        # still installs '/usr/lib/terminfo', so try to rm both 
+        # the proper path and a slightly hardcoded one
+        rm -f ${D}${libdir}/terminfo ${D}${prefix}/lib/terminfo
 
         # create linker scripts for libcurses.so and libncurses to
         # link against -ltinfo when needed. Some builds might break
@@ -227,7 +231,7 @@ do_install() {
         if [ ! -d "${D}${base_libdir}" ]; then
             # Setting base_libdir to libdir as is done in the -native
             # case will skip this code
-            mkdir ${D}${base_libdir}
+            mkdir -p ${D}${base_libdir}
             mv ${D}${libdir}/libncurses.so.* ${D}${base_libdir}
             ! ${ENABLE_WIDEC} || \
                 mv ${D}${libdir}/libncursesw.so.* ${D}${base_libdir}

meta/recipes-core/ncurses/ncurses_6.0+20171125.bb

@@ -3,10 +3,9 @@ require ncurses.inc
 SRC_URI += "file://0001-tic-hang.patch \
             file://0002-configure-reproducible.patch \
             file://config.cache \
-            file://CVE-2017-13732-CVE-2017-13734-CVE-2017-13730-CVE-2017-13729-CVE-2017-13728-CVE-2017-13731.patch \
 "
 # commit id corresponds to the revision in package version
-SRCREV = "52681a6a1a18b4d6eb1a716512d0dd827bd71c87"
+SRCREV = "5d849e836052459901cfe0b85a0b2939ff8d2b2a"
 S = "${WORKDIR}/git"
 EXTRA_OECONF += "--with-abi-version=5"
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+(\+\d+)*)"

meta/recipes-core/util-linux/util-linux/no_getrandom.patch

@@ -1,21 +0,0 @@
-getrandom() is only available in glibc 2.25+ and uninative may relocate 
-binaries onto systems that don't have this function. For now, force the 
-code to the older codepath until we can come up with a better solution 
-for this kind of issue.
-
-Upstream-Status: Inappropriate
-RP
-2016/8/15
-
-Index: util-linux-2.30/configure.ac
-===================================================================
---- util-linux-2.30.orig/configure.ac
-+++ util-linux-2.30/configure.ac
-@@ -399,7 +399,6 @@ AC_CHECK_FUNCS([ \
- 	getdtablesize \
- 	getexecname \
- 	getmntinfo \
--	getrandom \
- 	getrlimit \
- 	getsgnam \
- 	inotify_init \