poky: sumo refresh 51872d3f99..3b8dc3a88e
Update poky to sumo HEAD.
Andrej Valek (1):
wpa-supplicant: fix CVE-2018-14526
Armin Kuster (2):
xserver-xorg: config: fix NULL value detection for ID_INPUT being unset
binutils: Change the ARM assembler's ADR and ADRl pseudo-ops so that they will only set the bottom bit of imported thumb function symbols if the -mthumb-interwork option is active.
Bruce Ashfield (3):
linux-yocto/4.12: update to v4.12.28
linux-yocto/4.14: update to v4.14.62
linux-yocto/4.14: update to v4.14.67
Changqing Li (6):
libexif: patch for CVE-2017-7544
squashfs-tools: patch for CVE-2015-4645(4646)
libcroco: patch for CVE-2017-7960
libid3tag: patch for CVE-2004-2779
libice: patch for CVE-2017-2626
apr-util: fix ptest fail problem
Chen Qi (2):
util-linux: upgrade 2.32 -> 2.32.1
busybox: move init related configs to init.cfg
Jagadeesh Krishnanjanappa (2):
libarchive: CVE-2017-14501
libcgroup: CVE-2018-14348
Jon Szymaniak (1):
cve-check.bbclass: detect CVE IDs listed on multiple lines
Joshua Lock (1):
os-release: fix to install in the expected location
Khem Raj (1):
serf: Fix Sconstruct build with python 3.7
Konstantin Shemyak (1):
cve-check.bbclass: do not download the CVE DB in package-specific tasks
Mike Looijmans (1):
busybox/mdev-mount.sh: Fix partition detect and cleanup mountpoint on fail
Ross Burton (1):
lrzsz: fix CVE-2018-10195
Sinan Kaya (3):
busybox: CVE-2017-15874
libpng: CVE-2018-13785
sqlite3: CVE-2018-8740
Yadi.hu (1):
busybox: handle syslog
Yi Zhao (2):
blktrace: Security fix CVE-2018-10689
taglib: Security fix CVE-2018-11439
Zheng Ruoqin (1):
glibc: fix CVE-2018-11237
Change-Id: I2eb1fe6574638de745e4bfc106b86fe797b977c8
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/poky/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch b/poky/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch
new file mode 100644
index 0000000..57e7453
--- /dev/null
+++ b/poky/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch
@@ -0,0 +1,135 @@
+From 6b638fa9afbeb54dfa19378e391465a5284ce1ad Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Wed, 12 Sep 2018 17:16:36 +0800
+Subject: [PATCH] Fix error handling in gdbm
+
+Only check for gdbm_errno if the return value of the called gdbm_*
+function says so. This fixes apr-util with gdbm 1.14, which does not
+seem to always reset gdbm_errno.
+
+Also make the gdbm driver return error codes starting with
+APR_OS_START_USEERR instead of always returning APR_EGENERAL. This is
+what the berkleydb driver already does.
+
+Also ensure that dsize is 0 if dptr == NULL.
+
+Upstream-Status: Backport[https://svn.apache.org/viewvc?
+view=revision&revision=1825311]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ dbm/apr_dbm_gdbm.c | 47 +++++++++++++++++++++++++++++------------------
+ 1 file changed, 29 insertions(+), 18 deletions(-)
+
+diff --git a/dbm/apr_dbm_gdbm.c b/dbm/apr_dbm_gdbm.c
+index 749447a..1c86327 100644
+--- a/dbm/apr_dbm_gdbm.c
++++ b/dbm/apr_dbm_gdbm.c
+@@ -36,13 +36,25 @@
+ static apr_status_t g2s(int gerr)
+ {
+ if (gerr == -1) {
+- /* ### need to fix this */
+- return APR_EGENERAL;
++ if (gdbm_errno == GDBM_NO_ERROR)
++ return APR_SUCCESS;
++ return APR_OS_START_USEERR + gdbm_errno;
+ }
+
+ return APR_SUCCESS;
+ }
+
++static apr_status_t gdat2s(datum d)
++{
++ if (d.dptr == NULL) {
++ if (gdbm_errno == GDBM_NO_ERROR || gdbm_errno == GDBM_ITEM_NOT_FOUND)
++ return APR_SUCCESS;
++ return APR_OS_START_USEERR + gdbm_errno;
++ }
++
++ return APR_SUCCESS;
++}
++
+ static apr_status_t datum_cleanup(void *dptr)
+ {
+ if (dptr)
+@@ -53,22 +65,15 @@ static apr_status_t datum_cleanup(void *dptr)
+
+ static apr_status_t set_error(apr_dbm_t *dbm, apr_status_t dbm_said)
+ {
+- apr_status_t rv = APR_SUCCESS;
+
+- /* ### ignore whatever the DBM said (dbm_said); ask it explicitly */
++ dbm->errcode = dbm_said;
+
+- if ((dbm->errcode = gdbm_errno) == GDBM_NO_ERROR) {
++ if (dbm_said == APR_SUCCESS)
+ dbm->errmsg = NULL;
+- }
+- else {
+- dbm->errmsg = gdbm_strerror(gdbm_errno);
+- rv = APR_EGENERAL; /* ### need something better */
+- }
+-
+- /* captured it. clear it now. */
+- gdbm_errno = GDBM_NO_ERROR;
++ else
++ dbm->errmsg = gdbm_strerror(dbm_said - APR_OS_START_USEERR);
+
+- return rv;
++ return dbm_said;
+ }
+
+ /* --------------------------------------------------------------------------
+@@ -107,7 +112,7 @@ static apr_status_t vt_gdbm_open(apr_dbm_t **pdb, const char *pathname,
+ NULL);
+
+ if (file == NULL)
+- return APR_EGENERAL; /* ### need a better error */
++ return APR_OS_START_USEERR + gdbm_errno; /* ### need a better error */
+
+ /* we have an open database... return it */
+ *pdb = apr_pcalloc(pool, sizeof(**pdb));
+@@ -141,10 +146,12 @@ static apr_status_t vt_gdbm_fetch(apr_dbm_t *dbm, apr_datum_t key,
+ if (pvalue->dptr)
+ apr_pool_cleanup_register(dbm->pool, pvalue->dptr, datum_cleanup,
+ apr_pool_cleanup_null);
++ else
++ pvalue->dsize = 0;
+
+ /* store the error info into DBM, and return a status code. Also, note
+ that *pvalue should have been cleared on error. */
+- return set_error(dbm, APR_SUCCESS);
++ return set_error(dbm, gdat2s(rd));
+ }
+
+ static apr_status_t vt_gdbm_store(apr_dbm_t *dbm, apr_datum_t key,
+@@ -201,9 +208,11 @@ static apr_status_t vt_gdbm_firstkey(apr_dbm_t *dbm, apr_datum_t *pkey)
+ if (pkey->dptr)
+ apr_pool_cleanup_register(dbm->pool, pkey->dptr, datum_cleanup,
+ apr_pool_cleanup_null);
++ else
++ pkey->dsize = 0;
+
+ /* store any error info into DBM, and return a status code. */
+- return set_error(dbm, APR_SUCCESS);
++ return set_error(dbm, gdat2s(rd));
+ }
+
+ static apr_status_t vt_gdbm_nextkey(apr_dbm_t *dbm, apr_datum_t *pkey)
+@@ -221,9 +230,11 @@ static apr_status_t vt_gdbm_nextkey(apr_dbm_t *dbm, apr_datum_t *pkey)
+ if (pkey->dptr)
+ apr_pool_cleanup_register(dbm->pool, pkey->dptr, datum_cleanup,
+ apr_pool_cleanup_null);
++ else
++ pkey->dsize = 0;
+
+ /* store any error info into DBM, and return a status code. */
+- return set_error(dbm, APR_SUCCESS);
++ return set_error(dbm, gdat2s(rd));
+ }
+
+ static void vt_gdbm_freedatum(apr_dbm_t *dbm, apr_datum_t data)
+--
+2.7.4
+
diff --git a/poky/meta/recipes-support/apr/apr-util_1.6.1.bb b/poky/meta/recipes-support/apr/apr-util_1.6.1.bb
index 88b4300..12d71cb 100644
--- a/poky/meta/recipes-support/apr/apr-util_1.6.1.bb
+++ b/poky/meta/recipes-support/apr/apr-util_1.6.1.bb
@@ -13,6 +13,7 @@
file://configfix.patch \
file://configure_fixes.patch \
file://run-ptest \
+ file://0001-Fix-error-handling-in-gdbm.patch \
"
SRC_URI[md5sum] = "bd502b9a8670a8012c4d90c31a84955f"
diff --git a/poky/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch b/poky/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch
new file mode 100644
index 0000000..f6f43c3
--- /dev/null
+++ b/poky/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch
@@ -0,0 +1,56 @@
+input: check end of input before reading a byte
+
+When reading bytes we weren't check that the index wasn't
+out of bound and this could produce an invalid read which
+could deal to a security bug.
+
+Upstream-Status: Backport[https://gitlab.gnome.org/GNOME/libcroco/
+ commit/898e3a8c8c0314d2e6b106809a8e3e93cf9d4394]
+
+CVE: CVE-2017-7960
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
+diff --git a/src/cr-input.c b/src/cr-input.c
+index 49000b1f5f07fe057135f1b8fc69bdcf9613e300..3b63a88ee3b1c56778e58172d147d958951bf099 100644
+--- a/src/cr-input.c
++++ b/src/cr-input.c
+@@ -256,7 +256,7 @@ cr_input_new_from_uri (const gchar * a_file_uri, enum CREncoding a_enc)
+ *we should free buf here because it's own by CRInput.
+ *(see the last parameter of cr_input_new_from_buf().
+ */
+- buf = NULL ;
++ buf = NULL;
+ }
+
+ cleanup:
+@@ -404,6 +404,8 @@ cr_input_get_nb_bytes_left (CRInput const * a_this)
+ enum CRStatus
+ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ {
++ gulong nb_bytes_left = 0;
++
+ g_return_val_if_fail (a_this && PRIVATE (a_this)
+ && a_byte, CR_BAD_PARAM_ERROR);
+
+@@ -413,6 +415,12 @@ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ if (PRIVATE (a_this)->end_of_input == TRUE)
+ return CR_END_OF_INPUT_ERROR;
+
++ nb_bytes_left = cr_input_get_nb_bytes_left (a_this);
++
++ if (nb_bytes_left < 1) {
++ return CR_END_OF_INPUT_ERROR;
++ }
++
+ *a_byte = PRIVATE (a_this)->in_buf[PRIVATE (a_this)->next_byte_index];
+
+ if (PRIVATE (a_this)->nb_bytes -
+@@ -477,7 +485,6 @@ cr_input_read_char (CRInput * a_this, guint32 * a_char)
+ if (*a_char == '\n') {
+ PRIVATE (a_this)->end_of_line = TRUE;
+ }
+-
+ }
+
+ return status;
diff --git a/poky/meta/recipes-support/libcroco/libcroco_0.6.12.bb b/poky/meta/recipes-support/libcroco/libcroco_0.6.12.bb
index d86ddd6..5b962ee 100644
--- a/poky/meta/recipes-support/libcroco/libcroco_0.6.12.bb
+++ b/poky/meta/recipes-support/libcroco/libcroco_0.6.12.bb
@@ -16,5 +16,7 @@
inherit gnomebase gtk-doc binconfig-disabled
+SRC_URI += "file://CVE-2017-7960.patch"
+
SRC_URI[archive.md5sum] = "bc0984fce078ba2ce29f9500c6b9ddce"
SRC_URI[archive.sha256sum] = "ddc4b5546c9fb4280a5017e2707fbd4839034ed1aba5b7d4372212f34f84f860"
diff --git a/poky/meta/recipes-support/libexif/libexif/CVE-2017-7544.patch b/poky/meta/recipes-support/libexif/libexif/CVE-2017-7544.patch
new file mode 100644
index 0000000..e49481f
--- /dev/null
+++ b/poky/meta/recipes-support/libexif/libexif/CVE-2017-7544.patch
@@ -0,0 +1,40 @@
+From 8a92f964a66d476ca8907234359e92a70fc1325b Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Tue, 28 Aug 2018 15:12:10 +0800
+Subject: [PATCH] On saving makernotes, make sure the makernote container tags
+ has a type with 1 byte components.
+
+Fixes (at least):
+ https://sourceforge.net/p/libexif/bugs/130
+ https://sourceforge.net/p/libexif/bugs/129
+
+Upstream-Status: Backport[https://github.com/libexif/libexif/commit/
+c39acd1692023b26290778a02a9232c873f9d71a#diff-830e348923810f00726700b083ec00cd]
+
+CVE: CVE-2017-7544
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libexif/exif-data.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index 67df4db..6bf89eb 100644
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e,
+ exif_mnote_data_set_offset (data->priv->md, *ds - 6);
+ exif_mnote_data_save (data->priv->md, &e->data, &e->size);
+ e->components = e->size;
++ if (exif_format_get_size (e->format) != 1) {
++ /* e->format is taken from input code,
++ * but we need to make sure it is a 1 byte
++ * entity due to the multiplication below. */
++ e->format = EXIF_FORMAT_UNDEFINED;
++ }
+ }
+ }
+
+--
+2.7.4
+
diff --git a/poky/meta/recipes-support/libexif/libexif_0.6.21.bb b/poky/meta/recipes-support/libexif/libexif_0.6.21.bb
index cff4cae..b550a11 100644
--- a/poky/meta/recipes-support/libexif/libexif_0.6.21.bb
+++ b/poky/meta/recipes-support/libexif/libexif_0.6.21.bb
@@ -4,7 +4,8 @@
LICENSE = "LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad"
-SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2"
+SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \
+ file://CVE-2017-7544.patch"
SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27"
SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a"
diff --git a/poky/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch b/poky/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch
new file mode 100644
index 0000000..4a5832a
--- /dev/null
+++ b/poky/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch
@@ -0,0 +1,29 @@
+From 99f6e1b0d68281b63218d6adfe68cd9e331ac5be Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 3 Sep 2018 10:50:08 -0700
+Subject: [PATCH] Fix syntax of a print() in the scons file to unbreak building
+ with most recent scons version.
+
+* SConstruct Use Python 3.0 valid syntax to make Scons 3.0.0 happy on both python
+ 3.0 and 2.7.
+
+Upstream-Status: Backport
+[https://svn.apache.org/viewvc/serf/trunk/SConstruct?r1=1809132&r2=1811083&diff_format=h]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ SConstruct | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SConstruct b/SConstruct
+index 1670459..18a45fa 100644
+--- a/SConstruct
++++ b/SConstruct
+@@ -184,7 +184,7 @@ CALLOUT_OKAY = not (env.GetOption('clean') or env.GetOption('help'))
+
+ unknown = opts.UnknownVariables()
+ if unknown:
+- print 'Warning: Used unknown variables:', ', '.join(unknown.keys())
++ print('Warning: Used unknown variables:', ', '.join(unknown.keys()))
+
+ apr = str(env['APR'])
+ apu = str(env['APU'])
diff --git a/poky/meta/recipes-support/serf/serf/0002-SConstruct-Fix-path-quoting-for-.def-generator.patch b/poky/meta/recipes-support/serf/serf/0002-SConstruct-Fix-path-quoting-for-.def-generator.patch
new file mode 100644
index 0000000..cec881e
--- /dev/null
+++ b/poky/meta/recipes-support/serf/serf/0002-SConstruct-Fix-path-quoting-for-.def-generator.patch
@@ -0,0 +1,27 @@
+From e51b4b37916dd20b13133cb7af16601b6bf3ace9 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 3 Sep 2018 10:54:54 -0700
+Subject: [PATCH] SConstruct: Fix path quoting for .def generator
+
+Patch by: Martin Keller <m.keller{_AT_}codesys.com>
+Upstream-Status: Backport
+[https://svn.apache.org/viewvc/serf/trunk/SConstruct?r1=1807594&r2=1809132]
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ SConstruct | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SConstruct b/SConstruct
+index 18a45fa..571bdce 100644
+--- a/SConstruct
++++ b/SConstruct
+@@ -160,7 +160,7 @@ env = Environment(variables=opts,
+
+ env.Append(BUILDERS = {
+ 'GenDef' :
+- Builder(action = sys.executable + ' build/gen_def.py $SOURCES > $TARGET',
++ Builder(action = '"%s" "%s" $SOURCES > $TARGET' % (sys.executable, gen_def_script,),
+ suffix='.def', src_suffix='.h')
+ })
+
diff --git a/poky/meta/recipes-support/serf/serf/0003-gen_def.patch b/poky/meta/recipes-support/serf/serf/0003-gen_def.patch
new file mode 100644
index 0000000..e37e903
--- /dev/null
+++ b/poky/meta/recipes-support/serf/serf/0003-gen_def.patch
@@ -0,0 +1,22 @@
+From 98e793d9f2250e7c1f9f1eb5dfd616a6a8829e9a Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 3 Sep 2018 11:12:27 -0700
+Subject: [PATCH] gen_def
+
+---
+ SConstruct | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/SConstruct b/SConstruct
+index 571bdce..877731e 100644
+--- a/SConstruct
++++ b/SConstruct
+@@ -158,6 +158,8 @@ env = Environment(variables=opts,
+ ENV = os.environ,
+ )
+
++gen_def_script = env.File('build/gen_def.py').rstr()
++
+ env.Append(BUILDERS = {
+ 'GenDef' :
+ Builder(action = '"%s" "%s" $SOURCES > $TARGET' % (sys.executable, gen_def_script,),
diff --git a/poky/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch b/poky/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch
new file mode 100644
index 0000000..02fa9e3
--- /dev/null
+++ b/poky/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch
@@ -0,0 +1,29 @@
+From 565211fd082ef653ca9c44a345350fc1451f5a0f Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 3 Sep 2018 11:12:38 -0700
+Subject: [PATCH] Follow-up to r1811083 fix building with scons 3.0.0 and
+ Python3
+
+* SConstruct: Append decode('utf-8) to FILE.get_contents() to avoid
+ TypeError: cannot use a string pattern on a bytes-like object
+
+Upstream-Status: Backport
+[https://svn.apache.org/viewvc/serf/trunk/SConstruct?r1=1811088&r2=1814604]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ SConstruct | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SConstruct b/SConstruct
+index 877731e..7678bb1 100644
+--- a/SConstruct
++++ b/SConstruct
+@@ -169,7 +169,7 @@ env.Append(BUILDERS = {
+ match = re.search('SERF_MAJOR_VERSION ([0-9]+).*'
+ 'SERF_MINOR_VERSION ([0-9]+).*'
+ 'SERF_PATCH_VERSION ([0-9]+)',
+- env.File('serf.h').get_contents(),
++ env.File('serf.h').get_contents().decode('utf-8'),
+ re.DOTALL)
+ MAJOR, MINOR, PATCH = [int(x) for x in match.groups()]
+ env.Append(MAJOR=str(MAJOR))
diff --git a/poky/meta/recipes-support/serf/serf_1.3.9.bb b/poky/meta/recipes-support/serf/serf_1.3.9.bb
index 2be5a06..65a8114 100644
--- a/poky/meta/recipes-support/serf/serf_1.3.9.bb
+++ b/poky/meta/recipes-support/serf/serf_1.3.9.bb
@@ -1,7 +1,12 @@
SUMMARY = "High-Performance Asynchronous HTTP Client Library"
SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
file://norpath.patch \
- file://env.patch"
+ file://env.patch \
+ file://0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch \
+ file://0002-SConstruct-Fix-path-quoting-for-.def-generator.patch \
+ file://0003-gen_def.patch \
+ file://0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch \
+ "
SRC_URI[md5sum] = "370a6340ff20366ab088012cd13f2b57"
SRC_URI[sha256sum] = "549c2d21c577a8a9c0450facb5cca809f26591f048e466552240947bdf7a87cc"
diff --git a/poky/meta/recipes-support/sqlite/files/CVE-2018-8740.patch b/poky/meta/recipes-support/sqlite/files/CVE-2018-8740.patch
new file mode 100644
index 0000000..5d95e37
--- /dev/null
+++ b/poky/meta/recipes-support/sqlite/files/CVE-2018-8740.patch
@@ -0,0 +1,47 @@
+From 19aed4d2be46c4516caf2bee31f79044bbd1d57d Mon Sep 17 00:00:00 2001
+From: Sinan Kaya <okaya@kernel.org>
+Date: Fri, 21 Sep 2018 16:22:01 +0000
+Subject: [PATCH] Detect databases whose schema is corrupted using a CREATE TABLE AS statement and issue an appropriate error message
+
+Upstream-Status: Backport [ https://www.sqlite.org/cgi/src/vdiff?from=1774f1c3baf0bc3d&to=d75e67654aa9620b&diff=1&w]
+Signed-off-by: Sinan Kaya <okaya@kernel.org>
+---
+ sqlite3.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 73c69ef..6863bc6 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -103474,8 +103474,6 @@ SQLITE_PRIVATE void sqlite3EndTable(
+ p = pParse->pNewTable;
+ if( p==0 ) return;
+
+- assert( !db->init.busy || !pSelect );
+-
+ /* If the db->init.busy is 1 it means we are reading the SQL off the
+ ** "sqlite_master" or "sqlite_temp_master" table on the disk.
+ ** So do not write to the disk again. Extract the root page number
+@@ -103486,6 +103484,10 @@ SQLITE_PRIVATE void sqlite3EndTable(
+ ** table itself. So mark it read-only.
+ */
+ if( db->init.busy ){
++ if( pSelect ){
++ sqlite3ErrorMsg(pParse, "");
++ return;
++ }
+ p->tnum = db->init.newTnum;
+ if( p->tnum==1 ) p->tabFlags |= TF_Readonly;
+ }
+@@ -117813,7 +117815,7 @@ static void corruptSchema(
+ char *z;
+ if( zObj==0 ) zObj = "?";
+ z = sqlite3MPrintf(db, "malformed database schema (%s)", zObj);
+- if( zExtra ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra);
++ if( zExtra && zExtra[0] ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra);
+ sqlite3DbFree(db, *pData->pzErrMsg);
+ *pData->pzErrMsg = z;
+ }
+--
+2.19.0
+
diff --git a/poky/meta/recipes-support/sqlite/sqlite3_3.22.0.bb b/poky/meta/recipes-support/sqlite/sqlite3_3.22.0.bb
index ef88659..b90f898 100644
--- a/poky/meta/recipes-support/sqlite/sqlite3_3.22.0.bb
+++ b/poky/meta/recipes-support/sqlite/sqlite3_3.22.0.bb
@@ -5,6 +5,7 @@
SRC_URI = "\
http://www.sqlite.org/2018/sqlite-autoconf-${SQLITE_PV}.tar.gz \
+ file://CVE-2018-8740.patch \
"
SRC_URI[md5sum] = "96b5648d542e8afa6ab7ffb8db8ddc3d"
SRC_URI[sha256sum] = "2824ab1238b706bc66127320afbdffb096361130e23291f26928a027b885c612"
diff --git a/poky/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch b/poky/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch
new file mode 100644
index 0000000..cdd66e6
--- /dev/null
+++ b/poky/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch
@@ -0,0 +1,51 @@
+From 272648ccfcccae30e002ccf34a22e075dd477278 Mon Sep 17 00:00:00 2001
+From: Scott Gayou <github.scott@gmail.com>
+Date: Mon, 4 Jun 2018 11:34:36 -0400
+Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868)
+
+This CVE is caused by a failure to check the minimum length
+of a ogg flac header. This header is detailed in full at:
+https://xiph.org/flac/ogg_mapping.html. Added more strict checking
+for entire header.
+
+Upstream-Status: Backport
+[https://github.com/taglib/taglib/pull/869/commits/272648ccfcccae30e002ccf34a22e075dd477278]
+
+CVE: CVE-2018-11439
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp
+index 53d0450..07ea9dc 100644
+--- a/taglib/ogg/flac/oggflacfile.cpp
++++ b/taglib/ogg/flac/oggflacfile.cpp
+@@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan()
+
+ if(!metadataHeader.startsWith("fLaC")) {
+ // FLAC 1.1.2+
++ // See https://xiph.org/flac/ogg_mapping.html for the header specification.
++ if(metadataHeader.size() < 13)
++ return;
++
++ if(metadataHeader[0] != 0x7f)
++ return;
++
+ if(metadataHeader.mid(1, 4) != "FLAC")
+ return;
+
+- if(metadataHeader[5] != 1)
+- return; // not version 1
++ if(metadataHeader[5] != 1 && metadataHeader[6] != 0)
++ return; // not version 1.0
++
++ if(metadataHeader.mid(9, 4) != "fLaC")
++ return;
+
+ metadataHeader = metadataHeader.mid(13);
+ }
+--
+2.7.4
+
diff --git a/poky/meta/recipes-support/taglib/taglib_1.11.1.bb b/poky/meta/recipes-support/taglib/taglib_1.11.1.bb
index 50439bc..01dcf66 100644
--- a/poky/meta/recipes-support/taglib/taglib_1.11.1.bb
+++ b/poky/meta/recipes-support/taglib/taglib_1.11.1.bb
@@ -10,6 +10,7 @@
SRC_URI = "http://taglib.github.io/releases/${BP}.tar.gz \
file://CVE-2017-12678.patch \
+ file://CVE-2018-11439.patch \
"
SRC_URI[md5sum] = "cee7be0ccfc892fa433d6c837df9522a"