33 files changed, 2289 insertions, 20 deletions

diff --git a/recipes-connectivity/openssl/openssl/CVE-2018-0732-reject-excessively-large-primes-in-DH-key-generation.patch b/recipes-connectivity/openssl/openssl/CVE-2018-0732-reject-excessively-large-primes-in-DH-key-generation.patch
new file mode 100644
index 0000000..e3da5f3
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/CVE-2018-0732-reject-excessively-large-primes-in-DH-key-generation.patch
@@ -0,0 +1,50 @@
+From: Guido Vranken <guidovranken@gmail.com>
+Date: Mon, 11 Jun 2018 17:38:54 +0000 (+0200)
+Subject: Reject excessively large primes in DH key generation.
+X-Git-Tag: OpenSSL_1_0_2p~40
+X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=3984ef0b72831da8b3ece4745cac4f8575b19098
+
+Reject excessively large primes in DH key generation.
+
+CVE-2018-0732
+
+Signed-off-by: Guido Vranken <guidovranken@gmail.com>
+
+(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/6457)
+
+CVE: CVE-2018-0732
+Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=3984ef0b72831da8b3ece4745cac4f8575b19098]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ crypto/dh/dh_key.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index 387558f..f235e0d 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -130,10 +130,15 @@ static int generate_key(DH *dh)
+     int ok = 0;
+     int generate_new_key = 0;
+     unsigned l;
+-    BN_CTX *ctx;
++    BN_CTX *ctx = NULL;
+     BN_MONT_CTX *mont = NULL;
+     BIGNUM *pub_key = NULL, *priv_key = NULL;
+ 
++    if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
++        DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
++        return 0;
++    }
++
+     ctx = BN_CTX_new();
+     if (ctx == NULL)
+         goto err;
+-- 
+2.7.4
+
diff --git a/recipes-connectivity/openssl/openssl/CVE-2018-0737-ensure-BN_mod_inverse-and-BN_mod_exp_mont-both-get-called.patch b/recipes-connectivity/openssl/openssl/CVE-2018-0737-ensure-BN_mod_inverse-and-BN_mod_exp_mont-both-get-called.patch
new file mode 100644
index 0000000..aa92d75
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/CVE-2018-0737-ensure-BN_mod_inverse-and-BN_mod_exp_mont-both-get-called.patch
@@ -0,0 +1,36 @@
+From 337da9779c4ef107a4b7bbaaa198824a489a10ed Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 12:43:16 +0200
+Subject: RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with...
+X-Git-Tag: OpenSSL_1_0_2p~87
+X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=349a41da1ad88ad87825414752a8ff5fdd6a6c3f
+
+RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set.
+
+CVE-2018-0737
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(cherry picked from commit 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787)
+
+CVE: CVE-2018-0737
+Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=349a41da1ad88ad87825414752a8ff5fdd6a6c3f]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ crypto/rsa/rsa_gen.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
+index a85493d..f5914c0 100644
+--- a/crypto/rsa/rsa_gen.c
++++ b/crypto/rsa/rsa_gen.c
+@@ -155,6 +155,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
+     if (BN_copy(rsa->e, e_value) == NULL)
+         goto err;
+ 
++    BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
++    BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
+     /* generate p and q */
+     for (;;) {
+         if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
diff --git a/recipes-connectivity/openssl/openssl/CVE-2018-0739-limit-ASN.1-constructed-types-recursive-definition-depth.patch b/recipes-connectivity/openssl/openssl/CVE-2018-0739-limit-ASN.1-constructed-types-recursive-definition-depth.patch
new file mode 100644
index 0000000..8062031
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/CVE-2018-0739-limit-ASN.1-constructed-types-recursive-definition-depth.patch
@@ -0,0 +1,237 @@
+From 9310d45087ae546e27e61ddf8f6367f29848220d Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Thu, 22 Mar 2018 10:05:40 +0000
+Subject: [PATCH] Limit ASN.1 constructed types recursive definition depth
+
+Constructed types with a recursive definition (such as can be found in
+PKCS7) could eventually exceed the stack given malicious input with
+excessive recursion. Therefore we limit the stack depth.
+
+CVE-2018-0739
+Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9310d45087ae546e27e61ddf8f6367f29848220d]
+
+Credit to OSSFuzz for finding this issue.
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ crypto/asn1/asn1.h     |  1 +
+ crypto/asn1/asn1_err.c |  3 ++-
+ crypto/asn1/tasn_dec.c | 62 +++++++++++++++++++++++++++++++++-----------------
+ 3 files changed, 44 insertions(+), 22 deletions(-)
+
+diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
+index 68e791f..35a2b2a 100644
+--- a/crypto/asn1/asn1.h
++++ b/crypto/asn1/asn1.h
+@@ -1365,6 +1365,7 @@ void ERR_load_ASN1_strings(void);
+ # define ASN1_R_MSTRING_NOT_UNIVERSAL                     139
+ # define ASN1_R_MSTRING_WRONG_TAG                         140
+ # define ASN1_R_NESTED_ASN1_STRING                        197
++# define ASN1_R_NESTED_TOO_DEEP                           219
+ # define ASN1_R_NON_HEX_CHARACTERS                        141
+ # define ASN1_R_NOT_ASCII_FORMAT                          190
+ # define ASN1_R_NOT_ENOUGH_DATA                           142
+diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
+index fd4ac8d..cfc1512 100644
+--- a/crypto/asn1/asn1_err.c
++++ b/crypto/asn1/asn1_err.c
+@@ -1,6 +1,6 @@
+ /* crypto/asn1/asn1_err.c */
+ /* ====================================================================
+- * Copyright (c) 1999-2014 The OpenSSL Project.  All rights reserved.
++ * Copyright (c) 1999-2018 The OpenSSL Project.  All rights reserved.
+  *
+  * Redistribution and use in source and binary forms, with or without
+  * modification, are permitted provided that the following conditions
+@@ -279,6 +279,7 @@ static ERR_STRING_DATA ASN1_str_reasons[] = {
+     {ERR_REASON(ASN1_R_MSTRING_NOT_UNIVERSAL), "mstring not universal"},
+     {ERR_REASON(ASN1_R_MSTRING_WRONG_TAG), "mstring wrong tag"},
+     {ERR_REASON(ASN1_R_NESTED_ASN1_STRING), "nested asn1 string"},
++    {ERR_REASON(ASN1_R_NESTED_TOO_DEEP), "nested too deep"},
+     {ERR_REASON(ASN1_R_NON_HEX_CHARACTERS), "non hex characters"},
+     {ERR_REASON(ASN1_R_NOT_ASCII_FORMAT), "not ascii format"},
+     {ERR_REASON(ASN1_R_NOT_ENOUGH_DATA), "not enough data"},
+diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
+index d49a5d5..78126e9 100644
+--- a/crypto/asn1/tasn_dec.c
++++ b/crypto/asn1/tasn_dec.c
+@@ -65,6 +65,14 @@
+ #include <openssl/buffer.h>
+ #include <openssl/err.h>
+ 
++/*
++ * Constructed types with a recursive definition (such as can be found in PKCS7)
++ * could eventually exceed the stack given malicious input with excessive
++ * recursion. Therefore we limit the stack depth. This is the maximum number of
++ * recursive invocations of asn1_item_embed_d2i().
++ */
++#define ASN1_MAX_CONSTRUCTED_NEST 30
++
+ static int asn1_check_eoc(const unsigned char **in, long len);
+ static int asn1_find_end(const unsigned char **in, long len, char inf);
+ 
+@@ -81,11 +89,11 @@ static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
+ static int asn1_template_ex_d2i(ASN1_VALUE **pval,
+                                 const unsigned char **in, long len,
+                                 const ASN1_TEMPLATE *tt, char opt,
+-                                ASN1_TLC *ctx);
++                                ASN1_TLC *ctx, int depth);
+ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+                                    const unsigned char **in, long len,
+                                    const ASN1_TEMPLATE *tt, char opt,
+-                                   ASN1_TLC *ctx);
++                                   ASN1_TLC *ctx, int depth);
+ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
+                                  const unsigned char **in, long len,
+                                  const ASN1_ITEM *it,
+@@ -154,17 +162,16 @@ int ASN1_template_d2i(ASN1_VALUE **pval,
+ {
+     ASN1_TLC c;
+     asn1_tlc_clear_nc(&c);
+-    return asn1_template_ex_d2i(pval, in, len, tt, 0, &c);
++    return asn1_template_ex_d2i(pval, in, len, tt, 0, &c, 0);
+ }
+ 
+ /*
+  * Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and
+  * tag mismatch return -1 to handle OPTIONAL
+  */
+-
+-int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+-                     const ASN1_ITEM *it,
+-                     int tag, int aclass, char opt, ASN1_TLC *ctx)
++static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in,
++                            long len, const ASN1_ITEM *it, int tag, int aclass,
++                            char opt, ASN1_TLC *ctx, int depth)
+ {
+     const ASN1_TEMPLATE *tt, *errtt = NULL;
+     const ASN1_COMPAT_FUNCS *cf;
+@@ -189,6 +196,11 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+     else
+         asn1_cb = 0;
+ 
++    if (++depth > ASN1_MAX_CONSTRUCTED_NEST) {
++        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_NESTED_TOO_DEEP);
++        goto err;
++    }
++
+     switch (it->itype) {
+     case ASN1_ITYPE_PRIMITIVE:
+         if (it->templates) {
+@@ -204,7 +216,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+                 goto err;
+             }
+             return asn1_template_ex_d2i(pval, in, len,
+-                                        it->templates, opt, ctx);
++                                        it->templates, opt, ctx, depth);
+         }
+         return asn1_d2i_ex_primitive(pval, in, len, it,
+                                      tag, aclass, opt, ctx);
+@@ -326,7 +338,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+             /*
+              * We mark field as OPTIONAL so its absence can be recognised.
+              */
+-            ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx);
++            ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, depth);
+             /* If field not present, try the next one */
+             if (ret == -1)
+                 continue;
+@@ -444,7 +456,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+              * attempt to read in field, allowing each to be OPTIONAL
+              */
+ 
+-            ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx);
++            ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx,
++                                       depth);
+             if (!ret) {
+                 errtt = seqtt;
+                 goto err;
+@@ -514,6 +527,13 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+     return 0;
+ }
+ 
++int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
++                     const ASN1_ITEM *it,
++                     int tag, int aclass, char opt, ASN1_TLC *ctx)
++{
++    return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx, 0);
++}
++
+ /*
+  * Templates are handled with two separate functions. One handles any
+  * EXPLICIT tag and the other handles the rest.
+@@ -522,7 +542,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+ static int asn1_template_ex_d2i(ASN1_VALUE **val,
+                                 const unsigned char **in, long inlen,
+                                 const ASN1_TEMPLATE *tt, char opt,
+-                                ASN1_TLC *ctx)
++                                ASN1_TLC *ctx, int depth)
+ {
+     int flags, aclass;
+     int ret;
+@@ -557,7 +577,7 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
+             return 0;
+         }
+         /* We've found the field so it can't be OPTIONAL now */
+-        ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx);
++        ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth);
+         if (!ret) {
+             ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+             return 0;
+@@ -581,7 +601,7 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
+             }
+         }
+     } else
+-        return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx);
++        return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx, depth);
+ 
+     *in = p;
+     return 1;
+@@ -594,7 +614,7 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
+ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+                                    const unsigned char **in, long len,
+                                    const ASN1_TEMPLATE *tt, char opt,
+-                                   ASN1_TLC *ctx)
++                                   ASN1_TLC *ctx, int depth)
+ {
+     int flags, aclass;
+     int ret;
+@@ -665,8 +685,8 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+                 break;
+             }
+             skfield = NULL;
+-            if (!ASN1_item_ex_d2i(&skfield, &p, len,
+-                                  ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) {
++            if (!asn1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item),
++                                  -1, 0, 0, ctx, depth)) {
+                 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
+                         ERR_R_NESTED_ASN1_ERROR);
+                 goto err;
+@@ -684,9 +704,8 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+         }
+     } else if (flags & ASN1_TFLG_IMPTAG) {
+         /* IMPLICIT tagging */
+-        ret = ASN1_item_ex_d2i(val, &p, len,
+-                               ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt,
+-                               ctx);
++        ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag,
++                               aclass, opt, ctx, depth);
+         if (!ret) {
+             ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
+             goto err;
+@@ -694,8 +713,9 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+             return -1;
+     } else {
+         /* Nothing special */
+-        ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
+-                               -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
++        ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
++                               -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx,
++                               depth);
+         if (!ret) {
+             ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
+             goto err;
+-- 
+1.9.1
+
diff --git a/recipes-connectivity/openssl/openssl_1.0.2n.bbappend b/recipes-connectivity/openssl/openssl_1.0.2n.bbappend
new file mode 100644
index 0000000..6f2625f
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl_1.0.2n.bbappend
@@ -0,0 +1,7 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+        file://CVE-2018-0732-reject-excessively-large-primes-in-DH-key-generation.patch \
+        file://CVE-2018-0737-ensure-BN_mod_inverse-and-BN_mod_exp_mont-both-get-called.patch \
+        file://CVE-2018-0739-limit-ASN.1-constructed-types-recursive-definition-depth.patch \
+        "
diff --git a/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch b/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch
new file mode 100644
index 0000000..c05c75b
--- /dev/null
+++ b/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch
@@ -0,0 +1,59 @@
+From 7935de14ce61f5a5c1c845925873379ae2e2f45a Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 13:13:07 +0200
+Subject: [PATCH] wget: check chunk length for overflowing off_t
+
+function                                             old     new   delta
+retrieve_file_data                                   428     465     +37
+wget_main                                           2386    2389      +3
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 2/0 up/down: 40/0)               Total: 40 bytes
+
+CVE: CVE-2018-1000517
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e]
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ networking/wget.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/networking/wget.c b/networking/wget.c
+index d4a9c0c..b525d6a 100644
+--- a/networking/wget.c
++++ b/networking/wget.c
+@@ -566,7 +566,7 @@ static FILE* prepare_ftp_session(FILE **dfpp, struct host_info *target, len_and_
+        if (ftpcmd("SIZE ", target->path, sfp) == 213) {
+                G.content_len = BB_STRTOOFF(G.wget_buf + 4, NULL, 10);
+                if (G.content_len < 0 || errno) {
+-                       bb_error_msg_and_die("SIZE value is garbage");
++                       bb_error_msg_and_die("bad SIZE value '%s'", G.wget_buf + 4);
+                }
+                G.got_clen = 1;
+        }
+@@ -821,12 +821,20 @@ static void NOINLINE retrieve_file_data(FILE *dfp)
+ #endif
+                if (!G.chunked)
+                        break;
+-
+-               fgets_and_trim(dfp); /* Eat empty line */
++               
++               /* Each chunk ends with "\r\n" - eat it */
++               fgets_and_trim(dfp);
+  get_clen:
++               /* chunk size format is "HEXNUM[;name[=val]]\r\n" */
+                fgets_and_trim(dfp);
++               errno = 0;
+                G.content_len = STRTOOFF(G.wget_buf, NULL, 16);
+-               /* FIXME: error check? */
++               /*
++                * Had a bug with inputs like "ffffffff0001f400"
++                * smashing the heap later. Ensure >= 0.
++                */
++               if (G.content_len < 0 || errno)
++                       bb_error_msg_and_die("bad chunk length '%s'", G.wget_buf);
+                if (G.content_len == 0)
+                        break; /* all done! */
+                G.got_clen = 1;
+
+
diff --git a/recipes-core/busybox/busybox_%.bbappend b/recipes-core/busybox/busybox_1.24.1.bbappend
index 7b61cf9..6be3e59 100644
--- a/recipes-core/busybox/busybox_%.bbappend
+++ b/recipes-core/busybox/busybox_1.24.1.bbappend
@@ -1,3 +1,10 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+        file://CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch \
+        "
+
 do_prepare_config_append () {
       sed -i -e 's/# CONFIG_CHRT is not set/CONFIG_CHRT=y/' .config
       sed -i -e 's/# CONFIG_TASKSET is not set/CONFIG_TASKSET=y/' .config
diff --git a/recipes-core/glibc/glibc/CVE-2017-12133-sunrpc-Avoid-use-after-free-read-access-in-clntudp_c.patch b/recipes-core/glibc/glibc/CVE-2017-12133-sunrpc-Avoid-use-after-free-read-access-in-clntudp_c.patch
new file mode 100644
index 0000000..8f88096
--- /dev/null
+++ b/recipes-core/glibc/glibc/CVE-2017-12133-sunrpc-Avoid-use-after-free-read-access-in-clntudp_c.patch
@@ -0,0 +1,164 @@
+From bd43c78956040a5d419d5034cdddd4b62c5dd53e Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 10:37:02 +0200
+Subject: [PATCH] sunrpc: Avoid use-after-free read access in clntudp_call [BZ #21115]
+
+After commit bc779a1a5b3035133024b21e2f339fe4219fb11c
+(CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call
+[BZ #20112]), ancillary data is stored on the heap,
+but it is accessed after it has been freed.
+
+The test case must be run under a heap debugger such as valgrind
+to observe the invalid access.  A malloc implementation which
+immediately calls munmap on free would catch this bug as well.
+
+This patch is for CVE-2017-12133.
+(cherry picked from commit d42eed4a044e5e10dfb885cf9891c2518a72a491)
+
+CVE: CVE-2017-12133
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d42eed4a044e5e10dfb885cf9891c2518a72a491]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ ChangeLog              |  8 +++++++
+ NEWS                   |  1 +
+ sunrpc/Makefile        |  3 ++-
+ sunrpc/clnt_udp.c      |  2 +-
+ sunrpc/tst-udp-error.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 74 insertions(+), 2 deletions(-)
+ create mode 100644 sunrpc/tst-udp-error.c
+
+diff --git a/ChangeLog b/ChangeLog
+index 48b095b..097ab5c 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,11 @@
++2017-02-27  Florian Weimer  <fweimer@redhat.com>
++
++       [BZ #21115]
++       * sunrpc/clnt_udp.c (clntudp_call): Free ancillary data later.
++       * sunrpc/Makefile (tests): Add tst-udp-error.
++       (tst-udp-error): Link against libc.so explicitly.
++       * sunrpc/tst-udp-error: New file.
++
+ 2018-01-18  Arjun Shankar  <arjun@redhat.com>
+ 
+        [BZ #22343]
+diff --git a/NEWS b/NEWS
+index 5134f34..4765e1b 100644
+--- a/NEWS
++++ b/NEWS
+@@ -376,6 +376,7 @@ The following bugs are resolved with this release:
+   [21081] string: Missing vzeroupper in memset-vec-unaligned-erms.S
+   [22343] malloc: Integer overflow in posix_memalign (CVE-2018-6485)
+   [22774] malloc: Integer overflow in malloc (CVE-2018-6551)
++  [21115] sunrpc: Use-after-free in error path in clntudp_call
+ 
+ Version 2.24
+ 
+diff --git a/sunrpc/Makefile b/sunrpc/Makefile
+index 12ec2e7..8b9f25f 100644
+--- a/sunrpc/Makefile
++++ b/sunrpc/Makefile
+@@ -93,7 +93,7 @@ rpcgen-objs = rpc_main.o rpc_hout.o rpc_cout.o rpc_parse.o \
+ extra-objs = $(rpcgen-objs) $(addprefix cross-,$(rpcgen-objs))
+ others += rpcgen
+ 
+-tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-xdrmem3
++tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-xdrmem3 tst-udp-error
+ xtests := tst-getmyaddr
+ 
+ tests-special += $(objpfx)mtrace-tst-xdrmem3.out
+@@ -163,6 +163,7 @@ $(objpfx)tst-getmyaddr: $(common-objpfx)linkobj/libc.so
+ $(objpfx)tst-xdrmem: $(common-objpfx)linkobj/libc.so
+ $(objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so
+ (objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so
++$(objpfx)tst-udp-error: $(common-objpfx)linkobj/libc.so
+ 
+ $(objpfx)rpcgen: $(addprefix $(objpfx),$(rpcgen-objs))
+ 
+diff --git a/sunrpc/clnt_udp.c b/sunrpc/clnt_udp.c
+index 4d9acb1..1de25cb 100644
+--- a/sunrpc/clnt_udp.c
++++ b/sunrpc/clnt_udp.c
+@@ -421,9 +421,9 @@ send_again:
+                 cmsg = CMSG_NXTHDR (&msg, cmsg))
+              if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
+                {
+-                 free (cbuf);
+                  e = (struct sock_extended_err *) CMSG_DATA(cmsg);
+                  cu->cu_error.re_errno = e->ee_errno;
++                 free (cbuf);
+                  return (cu->cu_error.re_status = RPC_CANTRECV);
+                }
+          free (cbuf);
+diff --git a/sunrpc/tst-udp-error.c b/sunrpc/tst-udp-error.c
+new file mode 100644
+index 0000000..1efc02f
+--- /dev/null
++++ b/sunrpc/tst-udp-error.c
+@@ -0,0 +1,62 @@
++/* Check for use-after-free in clntudp_call (bug 21115).
++   Copyright (C) 2017 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#include <netinet/in.h>
++#include <rpc/clnt.h>
++#include <rpc/svc.h>
++#include <support/check.h>
++#include <support/namespace.h>
++#include <support/xsocket.h>
++#include <unistd.h>
++
++static int
++do_test (void)
++{
++  support_become_root ();
++  support_enter_network_namespace ();
++
++  /* Obtain a likely-unused port number.  */
++  struct sockaddr_in sin =
++    {
++      .sin_family = AF_INET,
++      .sin_addr.s_addr = htonl (INADDR_LOOPBACK),
++    };
++  {
++    int fd = xsocket (AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
++    xbind (fd, (struct sockaddr *) &sin, sizeof (sin));
++    socklen_t sinlen = sizeof (sin);
++    xgetsockname (fd, (struct sockaddr *) &sin, &sinlen);
++    /* Close the socket, so that we will receive an error below.  */
++    close (fd);
++  }
++
++  int sock = RPC_ANYSOCK;
++  CLIENT *clnt = clntudp_create
++    (&sin, 1, 2, (struct timeval) { 1, 0 }, &sock);
++  TEST_VERIFY_EXIT (clnt != NULL);
++  TEST_VERIFY (clnt_call (clnt, 3,
++                          (xdrproc_t) xdr_void, NULL,
++                          (xdrproc_t) xdr_void, NULL,
++                          ((struct timeval) { 3, 0 }))
++               == RPC_CANTRECV);
++  clnt_destroy (clnt);
++
++  return 0;
++}
++
++#include <support/test-driver.c>
+
+
diff --git a/recipes-core/glibc/glibc/CVE-2017-16997-Check-for-empty-tokens-before-dynamic-string-tok.patch b/recipes-core/glibc/glibc/CVE-2017-16997-Check-for-empty-tokens-before-dynamic-string-tok.patch
new file mode 100644
index 0000000..6401734
--- /dev/null
+++ b/recipes-core/glibc/glibc/CVE-2017-16997-Check-for-empty-tokens-before-dynamic-string-tok.patch
@@ -0,0 +1,150 @@
+From 24ee2a5b63d15cf45c43ec598f11fe59878982a8 Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 11:17:18 +0200
+Subject: [PATCH] elf: Check for empty tokens before dynamic string token expansion [BZ #22625]
+
+The fillin_rpath function in elf/dl-load.c loops over each RPATH or
+RUNPATH tokens and interprets empty tokens as the current directory
+("./"). In practice the check for empty token is done *after* the
+dynamic string token expansion. The expansion process can return an
+empty string for the $ORIGIN token if __libc_enable_secure is set
+or if the path of the binary can not be determined (/proc not mounted).
+
+Fix that by moving the check for empty tokens before the dynamic string
+token expansion. In addition, check for NULL pointer or empty strings
+return by expand_dynamic_string_token.
+
+The above changes highlighted a bug in decompose_rpath, an empty array
+is represented by the first element being NULL at the fillin_rpath
+level, but by using a -1 pointer in decompose_rpath and other functions.
+
+Changelog:
+        [BZ #22625]
+        * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
+        string token expansion. Check for NULL pointer or empty string possibly
+        returned by expand_dynamic_string_token.
+        (decompose_rpath): Check for empty path after dynamic string
+        token expansion.
+(cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)
+
+CVE: CVE-2017-16997
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=21c5d14bfb4e08bee86f94fd815535d3be2c3869]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ ChangeLog     | 10 ++++++++++
+ NEWS          |  4 ++++
+ elf/dl-load.c | 49 +++++++++++++++++++++++++++++++++----------------
+ 3 files changed, 47 insertions(+), 16 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index a0c2f51..ad380fd 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,13 @@
++2017-12-30  Aurelien Jarno  <aurelien@aurel32.net>
++           Dmitry V. Levin  <ldv@altlinux.org>
++
++       [BZ #22625]
++       * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
++       string token expansion. Check for NULL pointer or empty string possibly
++       returned by expand_dynamic_string_token.
++       (decompose_rpath): Check for empty path after dynamic string
++       token expansion.
++
+ 2017-04-13  Florian Weimer  <fweimer@redhat.com>
+ 
+        [BZ #21361]
+diff --git a/NEWS b/NEWS
+index 29e795a..195c06d 100644
+--- a/NEWS
++++ b/NEWS
+@@ -214,6 +214,10 @@ Security related changes:
+ * The xdr_bytes and xdr_string routines free the internally allocated buffer
+   if deserialization of the buffer contents fails for any reason.
+ 
++  CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
++  for AT_SECURE or SUID binaries could be used to load libraries from the
++  current directory.
++
+ The following bugs are resolved with this release:
+ 
+   [4099] stdio: Overly agressive caching by stream i/o functions.
+diff --git a/elf/dl-load.c b/elf/dl-load.c
+index a5318f9..bdb4484 100644
+--- a/elf/dl-load.c
++++ b/elf/dl-load.c
+@@ -433,31 +433,40 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
+ {
+   char *cp;
+   size_t nelems = 0;
+-  char *to_free;
+ 
+   while ((cp = __strsep (&rpath, sep)) != NULL)
+     {
+       struct r_search_path_elem *dirp;
++      char *to_free = NULL;
++      size_t len = 0;
+ 
+-      to_free = cp = expand_dynamic_string_token (l, cp, 1);
++      /* `strsep' can pass an empty string.  */
++      if (*cp != '\0')
++       {
++         to_free = cp = expand_dynamic_string_token (l, cp, 1);
+ 
+-      size_t len = strlen (cp);
++         /* expand_dynamic_string_token can return NULL in case of empty
++            path or memory allocation failure.  */
++         if (cp == NULL)
++           continue;
+ 
+-      /* `strsep' can pass an empty string.  This has to be
+-        interpreted as `use the current directory'. */
+-      if (len == 0)
+-       {
+-         static const char curwd[] = "./";
+-         cp = (char *) curwd;
+-       }
++         /* Compute the length after dynamic string token expansion and
++            ignore empty paths.  */
++         len = strlen (cp);
++         if (len == 0)
++           {
++             free (to_free);
++             continue;
++           }
+ 
+-      /* Remove trailing slashes (except for "/").  */
+-      while (len > 1 && cp[len - 1] == '/')
+-       --len;
++         /* Remove trailing slashes (except for "/").  */
++         while (len > 1 && cp[len - 1] == '/')
++           --len;
+ 
+-      /* Now add one if there is none so far.  */
+-      if (len > 0 && cp[len - 1] != '/')
+-       cp[len++] = '/';
++         /* Now add one if there is none so far.  */
++         if (len > 0 && cp[len - 1] != '/')
++           cp[len++] = '/';
++       }
+ 
+       /* Make sure we don't use untrusted directories if we run SUID.  */
+       if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
+@@ -621,6 +630,14 @@ decompose_rpath (struct r_search_path_struct *sps,
+      necessary.  */
+   free (copy);
+ 
++  /* There is no path after expansion.  */
++  if (result[0] == NULL)
++    {
++      free (result);
++      sps->dirs = (struct r_search_path_elem **) -1;
++      return false;
++    }
++
+   sps->dirs = result;
+   /* The caller will change this value if we haven't used a real malloc.  */
+   sps->malloced = 1;
+
+
diff --git a/recipes-core/glibc/glibc/CVE-2018-6551-Fix-integer-overflows-in-internal-memalign-and-malloc-functions.patch b/recipes-core/glibc/glibc/CVE-2018-6551-Fix-integer-overflows-in-internal-memalign-and-malloc-functions.patch
new file mode 100644
index 0000000..cb766c4
--- /dev/null
+++ b/recipes-core/glibc/glibc/CVE-2018-6551-Fix-integer-overflows-in-internal-memalign-and-malloc-functions.patch
@@ -0,0 +1,401 @@
+From 5d7411e9ec03cae8e9bb5df4b515744e5065a64c Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 13:54:54 +0200
+Subject: [PATCH] Fix integer overflows in internal memalign and malloc [BZ #22343] [BZ #22774]
+
+When posix_memalign is called with an alignment less than MALLOC_ALIGNMENT
+and a requested size close to SIZE_MAX, it falls back to malloc code
+(because the alignment of a block returned by malloc is sufficient to
+satisfy the call).  In this case, an integer overflow in _int_malloc leads
+to posix_memalign incorrectly returning successfully.
+
+Upon fixing this and writing a somewhat thorough regression test, it was
+discovered that when posix_memalign is called with an alignment larger than
+MALLOC_ALIGNMENT (so it uses _int_memalign instead) and a requested size
+close to SIZE_MAX, a different integer overflow in _int_memalign leads to
+posix_memalign incorrectly returning successfully.
+
+Both integer overflows affect other memory allocation functions that use
+_int_malloc (one affected malloc in x86) or _int_memalign as well.
+
+This commit fixes both integer overflows.  In addition to this, it adds a
+regression test to guard against false successful allocations by the
+following memory allocation functions when called with too-large allocation
+sizes and, where relevant, various valid alignments:
+malloc, realloc, calloc, memalign, posix_memalign, aligned_alloc, valloc,
+and pvalloc.
+
+(cherry picked from commit 8e448310d74b283c5cd02b9ed7fb997b47bf9b22)
+
+CVE: CVE-2018-6551
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=8e448310d74b283c5cd02b9ed7fb997b47bf9b22]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ ChangeLog                     |  13 +++
+ NEWS                          |  11 ++
+ malloc/Makefile               |   1 +
+ malloc/malloc.c               |  30 ++++--
+ malloc/tst-malloc-too-large.c | 237 ++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 284 insertions(+), 8 deletions(-)
+ create mode 100644 malloc/tst-malloc-too-large.c
+
+diff --git a/ChangeLog b/ChangeLog
+index ad380fd..48b095b 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,16 @@
++2018-01-18  Arjun Shankar  <arjun@redhat.com>
++
++       [BZ #22343]
++       [BZ #22774]
++       CVE-2018-6485
++       CVE-2018-6551
++       * malloc/malloc.c (checked_request2size): call REQUEST_OUT_OF_RANGE
++       after padding.
++       (_int_memalign): check for integer overflow before calling
++       _int_malloc.
++       * malloc/tst-malloc-too-large.c: New test.
++       * malloc/Makefile: Add tst-malloc-too-large.
++
+ 2017-12-30  Aurelien Jarno  <aurelien@aurel32.net>
+            Dmitry V. Levin  <ldv@altlinux.org>
+ 
+diff --git a/NEWS b/NEWS
+index 195c06d..5134f34 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,3 +1,4 @@
++
+ GNU C Library NEWS -- history of user-visible changes.
+ Copyright (C) 1992-2017 Free Software Foundation, Inc.
+ See the end for copying conditions.
+@@ -218,6 +219,14 @@ Security related changes:
+   for AT_SECURE or SUID binaries could be used to load libraries from the
+   current directory.
+ 
++  CVE-2018-6485: The posix_memalign and memalign functions, when called with
++  an object size near the value of SIZE_MAX, would return a pointer to a
++  buffer which is too small, instead of NULL.  Reported by Jakub Wilk.
++
++  CVE-2018-6551: The malloc function, when called with an object size near
++  the value of SIZE_MAX, would return a pointer to a buffer which is too
++  small, instead of NULL.
++
+ The following bugs are resolved with this release:
+ 
+   [4099] stdio: Overly agressive caching by stream i/o functions.
+@@ -365,6 +374,8 @@ The following bugs are resolved with this release:
+   [21073] libc: tunables: insecure environment variables passed to
+     subprocesses with AT_SECURE
+   [21081] string: Missing vzeroupper in memset-vec-unaligned-erms.S
++  [22343] malloc: Integer overflow in posix_memalign (CVE-2018-6485)
++  [22774] malloc: Integer overflow in malloc (CVE-2018-6551)
+ 
+ Version 2.24
+ 
+diff --git a/malloc/Makefile b/malloc/Makefile
+index e93b83b..ab9e795 100644
+--- a/malloc/Makefile
++++ b/malloc/Makefile
+@@ -33,6 +33,7 @@ tests := mallocbug tst-malloc tst-valloc tst-calloc tst-obstack \
+         tst-mallocfork2 \
+         tst-interpose-nothread \
+         tst-interpose-thread \
++        tst-malloc-too-large \
+ 
+ tests-static := \
+         tst-interpose-static-nothread \
+diff --git a/malloc/malloc.c b/malloc/malloc.c
+index 4885793..a82555d 100644
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -1202,14 +1202,21 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    MINSIZE :                                                      \
+    ((req) + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK)
+ 
+-/*  Same, except also perform argument check */
+-
+-#define checked_request2size(req, sz)                             \
+-  if (REQUEST_OUT_OF_RANGE (req)) {                                          \
+-      __set_errno (ENOMEM);                                                  \
+-      return 0;                                                                      \
+-    }                                                                        \
+-  (sz) = request2size (req);
++/* Same, except also perform an argument and result check.  First, we check
++   that the padding done by request2size didn't result in an integer
++   overflow.  Then we check (using REQUEST_OUT_OF_RANGE) that the resulting
++   size isn't so large that a later alignment would lead to another integer
++   overflow.  */
++#define checked_request2size(req, sz) \
++({                                 \
++  (sz) = request2size (req);       \
++  if (((sz) < (req))               \
++      || REQUEST_OUT_OF_RANGE (sz)) \
++    {                              \
++      __set_errno (ENOMEM);        \
++      return 0;                            \
++    }                              \
++})
+ 
+ /*
+    --------------- Physical chunk operations ---------------
+@@ -4423,6 +4430,13 @@ _int_memalign (mstate av, size_t alignment, size_t bytes)
+    */
+ 
+ 
++  /* Check for overflow.  */
++  if (nb > SIZE_MAX - alignment - MINSIZE)
++    {
++      __set_errno (ENOMEM);
++      return 0;
++    }
++
+   /* Call malloc with worst case padding to hit alignment. */
+ 
+   m = (char *) (_int_malloc (av, nb + alignment + MINSIZE));
+diff --git a/malloc/tst-malloc-too-large.c b/malloc/tst-malloc-too-large.c
+new file mode 100644
+index 0000000..1f7bf29
+--- /dev/null
++++ b/malloc/tst-malloc-too-large.c
+@@ -0,0 +1,237 @@
++/* Test and verify that too-large memory allocations fail with ENOMEM.
++   Copyright (C) 2018 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++/* Bug 22375 reported a regression in malloc where if after malloc'ing then
++   free'ing a small block of memory, malloc is then called with a really
++   large size argument (close to SIZE_MAX): instead of returning NULL and
++   setting errno to ENOMEM, malloc incorrectly returns the previously
++   allocated block instead.  Bug 22343 reported a similar case where
++   posix_memalign incorrectly returns successfully when called with an with
++   a really large size argument.
++
++   Both of these were caused by integer overflows in the allocator when it
++   was trying to pad the requested size to allow for book-keeping or
++   alignment.  This test guards against such bugs by repeatedly allocating
++   and freeing small blocks of memory then trying to allocate various block
++   sizes larger than the memory bus width of 64-bit targets, or almost
++   as large as SIZE_MAX on 32-bit targets supported by glibc.  In each case,
++   it verifies that such impossibly large allocations correctly fail.  */
++
++
++#include <stdlib.h>
++#include <malloc.h>
++#include <errno.h>
++#include <stdint.h>
++#include <sys/resource.h>
++#include <libc-internal.h>
++#include <support/check.h>
++#include <unistd.h>
++#include <sys/param.h>
++
++
++/* This function prepares for each 'too-large memory allocation' test by
++   performing a small successful malloc/free and resetting errno prior to
++   the actual test.  */
++static void
++test_setup (void)
++{
++  void *volatile ptr = malloc (16);
++  TEST_VERIFY_EXIT (ptr != NULL);
++  free (ptr);
++  errno = 0;
++}
++
++
++/* This function tests each of:
++   - malloc (SIZE)
++   - realloc (PTR_FOR_REALLOC, SIZE)
++   - for various values of NMEMB:
++    - calloc (NMEMB, SIZE/NMEMB)
++    - calloc (SIZE/NMEMB, NMEMB)
++   and precedes each of these tests with a small malloc/free before it.  */
++static void
++test_large_allocations (size_t size)
++{
++  void * ptr_to_realloc;
++
++  test_setup ();
++  TEST_VERIFY (malloc (size) == NULL);
++  TEST_VERIFY (errno == ENOMEM);
++
++  ptr_to_realloc = malloc (16);
++  TEST_VERIFY_EXIT (ptr_to_realloc != NULL);
++  test_setup ();
++  TEST_VERIFY (realloc (ptr_to_realloc, size) == NULL);
++  TEST_VERIFY (errno == ENOMEM);
++  free (ptr_to_realloc);
++
++  for (size_t nmemb = 1; nmemb <= 8; nmemb *= 2)
++    if ((size % nmemb) == 0)
++      {
++        test_setup ();
++        TEST_VERIFY (calloc (nmemb, size / nmemb) == NULL);
++        TEST_VERIFY (errno == ENOMEM);
++
++        test_setup ();
++        TEST_VERIFY (calloc (size / nmemb, nmemb) == NULL);
++        TEST_VERIFY (errno == ENOMEM);
++      }
++    else
++      break;
++}
++
++
++static long pagesize;
++
++/* This function tests the following aligned memory allocation functions
++   using several valid alignments and precedes each allocation test with a
++   small malloc/free before it:
++   memalign, posix_memalign, aligned_alloc, valloc, pvalloc.  */
++static void
++test_large_aligned_allocations (size_t size)
++{
++  /* ptr stores the result of posix_memalign but since all those calls
++     should fail, posix_memalign should never change ptr.  We set it to
++     NULL here and later on we check that it remains NULL after each
++     posix_memalign call.  */
++  void * ptr = NULL;
++
++  size_t align;
++
++  /* All aligned memory allocation functions expect an alignment that is a
++     power of 2.  Given this, we test each of them with every valid
++     alignment from 1 thru PAGESIZE.  */
++  for (align = 1; align <= pagesize; align *= 2)
++    {
++      test_setup ();
++      TEST_VERIFY (memalign (align, size) == NULL);
++      TEST_VERIFY (errno == ENOMEM);
++
++      /* posix_memalign expects an alignment that is a power of 2 *and* a
++         multiple of sizeof (void *).  */
++      if ((align % sizeof (void *)) == 0)
++        {
++          test_setup ();
++          TEST_VERIFY (posix_memalign (&ptr, align, size) == ENOMEM);
++          TEST_VERIFY (ptr == NULL);
++        }
++
++      /* aligned_alloc expects a size that is a multiple of alignment.  */
++      if ((size % align) == 0)
++        {
++          test_setup ();
++          TEST_VERIFY (aligned_alloc (align, size) == NULL);
++          TEST_VERIFY (errno == ENOMEM);
++        }
++    }
++
++  /* Both valloc and pvalloc return page-aligned memory.  */
++
++  test_setup ();
++  TEST_VERIFY (valloc (size) == NULL);
++  TEST_VERIFY (errno == ENOMEM);
++
++  test_setup ();
++  TEST_VERIFY (pvalloc (size) == NULL);
++  TEST_VERIFY (errno == ENOMEM);
++}
++
++
++#define FOURTEEN_ON_BITS ((1UL << 14) - 1)
++#define FIFTY_ON_BITS ((1UL << 50) - 1)
++
++
++static int
++do_test (void)
++{
++
++#if __WORDSIZE >= 64
++
++  /* This test assumes that none of the supported targets have an address
++     bus wider than 50 bits, and that therefore allocations for sizes wider
++     than 50 bits will fail.  Here, we ensure that the assumption continues
++     to be true in the future when we might have address buses wider than 50
++     bits.  */
++
++  struct rlimit alloc_size_limit
++    = {
++        .rlim_cur = FIFTY_ON_BITS,
++        .rlim_max = FIFTY_ON_BITS
++      };
++
++  setrlimit (RLIMIT_AS, &alloc_size_limit);
++
++#endif /* __WORDSIZE >= 64 */
++
++  DIAG_PUSH_NEEDS_COMMENT;
++#if __GNUC_PREREQ (7, 0)
++  /* GCC 7 warns about too-large allocations; here we want to test
++     that they fail.  */
++  DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
++#endif
++
++  /* Aligned memory allocation functions need to be tested up to alignment
++     size equivalent to page size, which should be a power of 2.  */
++  pagesize = sysconf (_SC_PAGESIZE);
++  TEST_VERIFY_EXIT (powerof2 (pagesize));
++
++  /* Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e.
++     in the range (SIZE_MAX - 2^14, SIZE_MAX], fail.
++
++     We can expect that this range of allocation sizes will always lead to
++     an allocation failure on both 64 and 32 bit targets, because:
++
++     1. no currently supported 64-bit target has an address bus wider than
++     50 bits -- and (2^64 - 2^14) is much wider than that;
++
++     2. on 32-bit targets, even though 2^32 is only 4 GB and potentially
++     addressable, glibc itself is more than 2^14 bytes in size, and
++     therefore once glibc is loaded, less than (2^32 - 2^14) bytes remain
++     available.  */
++
++  for (size_t i = 0; i <= FOURTEEN_ON_BITS; i++)
++    {
++      test_large_allocations (SIZE_MAX - i);
++      test_large_aligned_allocations (SIZE_MAX - i);
++    }
++
++#if __WORDSIZE >= 64
++  /* On 64-bit targets, we need to test a much wider range of too-large
++     sizes, so we test at intervals of (1 << 50) that allocation sizes
++     ranging from SIZE_MAX down to (1 << 50) fail:
++     The 14 MSBs are decremented starting from "all ON" going down to 1,
++     the 50 LSBs are "all ON" and then "all OFF" during every iteration.  */
++  for (size_t msbs = FOURTEEN_ON_BITS; msbs >= 1; msbs--)
++    {
++      size_t size = (msbs << 50) | FIFTY_ON_BITS;
++      test_large_allocations (size);
++      test_large_aligned_allocations (size);
++
++      size = msbs << 50;
++      test_large_allocations (size);
++      test_large_aligned_allocations (size);
++    }
++#endif /* __WORDSIZE >= 64 */
++
++  DIAG_POP_NEEDS_COMMENT;
++
++  return 0;
++}
++
++
++#include <support/test-driver.c>
+
+
diff --git a/recipes-core/glibc/glibc_%.bbappend b/recipes-core/glibc/glibc_%.bbappend
deleted file mode 100644
index f2c9a31..0000000
--- a/recipes-core/glibc/glibc_%.bbappend
+++ /dev/null
@@ -1,8 +0,0 @@
-# look for files in the layer first
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-SRC_URI += "file://CVE-2017-1000366.patch \
-            file://CVE-2017-12132.patch \
-            file://CVE-2017-8804.patch \
-           "
-
diff --git a/recipes-core/glibc/glibc_2.25.bbappend b/recipes-core/glibc/glibc_2.25.bbappend
new file mode 100644
index 0000000..bbd2585
--- /dev/null
+++ b/recipes-core/glibc/glibc_2.25.bbappend
@@ -0,0 +1,11 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+        file://CVE-2017-1000366.patch \
+        file://CVE-2017-12132.patch \
+        file://CVE-2017-8804.patch \
+        file://CVE-2017-16997-Check-for-empty-tokens-before-dynamic-string-tok.patch \
+        file://CVE-2018-6551-Fix-integer-overflows-in-internal-memalign-and-malloc-functions.patch \
+        file://CVE-2017-12133-sunrpc-Avoid-use-after-free-read-access-in-clntudp_c.patch \
+        "
diff --git a/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch b/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch
new file mode 100644
index 0000000..9a94344
--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch
@@ -0,0 +1,106 @@
+From 899a5d9f0ed13b8e32449a08a361e0de127dd961 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 25 Jul 2017 14:59:49 +0200
+Subject: [PATCH] Detect infinite recursion in parameter entities
+
+When expanding a parameter entity in a DTD, infinite recursion could
+lead to an infinite loop or memory exhaustion.
+
+Thanks to Wei Lei for the first of many reports.
+
+Fixes bug 759579.
+
+CVE: CVE-2017-16932  
+Upstream-Status: Backport [https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ parser.c                     | 11 ++++++++++-
+ result/errors/759579.xml     |  0
+ result/errors/759579.xml.err |  6 ++++++
+ result/errors/759579.xml.str |  7 +++++++
+ test/errors/759579.xml       | 11 +++++++++++
+ 5 files changed, 34 insertions(+), 1 deletion(-)
+ create mode 100644 result/errors/759579.xml
+ create mode 100644 result/errors/759579.xml.err
+ create mode 100644 result/errors/759579.xml.str
+ create mode 100644 test/errors/759579.xml
+
+diff --git a/parser.c b/parser.c
+index 6286cad..51452a2 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2250,6 +2250,13 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlParserInputPtr input) {
+        xmlGenericError(xmlGenericErrorContext,
+                "Pushing input %d : %.30s\n", ctxt->inputNr+1, input->cur);
+     }
++    if (((ctxt->inputNr > 40) && ((ctxt->options & XML_PARSE_HUGE) == 0)) ||
++        (ctxt->inputNr > 1024)) {
++        xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++        while (ctxt->inputNr > 1)
++            xmlFreeInputStream(inputPop(ctxt));
++       return(-1);
++    }
+     ret = inputPush(ctxt, input);
+     if (ctxt->instate == XML_PARSER_EOF)
+         return(-1);
+@@ -7916,8 +7923,10 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+             * c.f. http://www.w3.org/TR/REC-xml#as-PE
+             */
+            input = xmlNewEntityInputStream(ctxt, entity);
+-           if (xmlPushInput(ctxt, input) < 0)
++           if (xmlPushInput(ctxt, input) < 0) {
++                xmlFreeInputStream(input);
+                return;
++            } 
+            if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+                (CMP5(CUR_PTR, '<', '?', 'x', 'm', 'l')) &&
+                (IS_BLANK_CH(NXT(5)))) {
+diff --git a/result/errors/759579.xml b/result/errors/759579.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors/759579.xml.err b/result/errors/759579.xml.err
+new file mode 100644
+index 0000000..288026e
+--- /dev/null
++++ b/result/errors/759579.xml.err
+@@ -0,0 +1,6 @@
++Entity: line 2: parser error : Detected an entity reference loop
++        %z; %z; %z; %z; %z;
++           ^
++Entity: line 2: 
++        %z; %z; %z; %z; %z;
++           ^
+diff --git a/result/errors/759579.xml.str b/result/errors/759579.xml.str
+new file mode 100644
+index 0000000..09408f5
+--- /dev/null
++++ b/result/errors/759579.xml.str
+@@ -0,0 +1,7 @@
++Entity: line 2: parser error : Detected an entity reference loop
++        %z; %z; %z; %z; %z;
++           ^
++Entity: line 2: 
++        %z; %z; %z; %z; %z;
++           ^
++./test/errors/759579.xml : failed to parse
+diff --git a/test/errors/759579.xml b/test/errors/759579.xml
+new file mode 100644
+index 0000000..7fadd70
+--- /dev/null
++++ b/test/errors/759579.xml
+@@ -0,0 +1,11 @@
++<!DOCTYPE doc [
++    <!ENTITY % z '
++        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
++        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
++        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
++        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
++        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
++    '>
++    %z;
++]>
++<doc/>
+-- 
+2.7.4
+
diff --git a/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch
new file mode 100644
index 0000000..e072ef1
--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch
@@ -0,0 +1,66 @@
+From 897dffbae322b46b83f99a607d527058a72c51ed Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 6 Jun 2017 13:21:14 +0200
+Subject: [PATCH] Check for integer overflow in memory debug code
+
+Fixes bug 783026.
+
+Thanks to Pranjal Jumde for the report.
+
+CVE: CVE-2017-5130
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/897dffbae322b46b83f99a607d527058a72c51ed]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ xmlmemory.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/xmlmemory.c b/xmlmemory.c
+index f08c8c3..c53141f 100644
+--- a/xmlmemory.c
++++ b/xmlmemory.c
+@@ -172,6 +172,13 @@ xmlMallocLoc(size_t size, const char * file, int line)
+ 
+     TEST_POINT
+ 
++    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
++       xmlGenericError(xmlGenericErrorContext,
++               "xmlMallocLoc : Unsigned overflow\n");
++       xmlMemoryDump();
++       return(NULL);
++    }
++
+     p = (MEMHDR *) malloc(RESERVE_SIZE+size);
+ 
+     if (!p) {
+@@ -352,6 +359,13 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line)
+ #endif
+     xmlMutexUnlock(xmlMemMutex);
+ 
++    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
++       xmlGenericError(xmlGenericErrorContext,
++               "xmlMallocLoc : Unsigned overflow\n");
++       xmlMemoryDump();
++       return(NULL);
++    }
++
+     tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
+     if (!tmp) {
+         free(p);
+@@ -499,6 +513,13 @@ xmlMemStrdupLoc(const char *str, const char *file, int line)
+     if (!xmlMemInitialized) xmlInitMemory();
+     TEST_POINT
+ 
++    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
++       xmlGenericError(xmlGenericErrorContext,
++               "xmlMallocLoc : Unsigned overflow\n");
++       xmlMemoryDump();
++       return(NULL);
++    }
++
+     p = (MEMHDR *) malloc(RESERVE_SIZE+size);
+     if (!p) {
+       goto error;
+-- 
+2.7.4
+
diff --git a/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch b/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch
new file mode 100644
index 0000000..252929c
--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch
@@ -0,0 +1,40 @@
+From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001
+From: Neel Mehta <nmehta@google.com>
+Date: Fri, 7 Apr 2017 17:43:02 +0200
+Subject: [PATCH] Prevent unwanted external entity reference
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=780691
+
+* parser.c: add a specific check to avoid PE reference
+
+CVE: CVE-2018-7375
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/90ccb58242866b0ba3edbef8fe44214a101c2b3e]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ parser.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 609a270..c2c812d 100644
+--- a/parser.c
++++ b/parser.c
+@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+            if (xmlPushInput(ctxt, input) < 0)
+                return;
+        } else {
++           if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
++               ((ctxt->options & XML_PARSE_NOENT) == 0) &&
++               ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++               ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
++               ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
++               (ctxt->replaceEntities == 0) &&
++               (ctxt->validate == 0))
++               return;
++
+            /*
+             * TODO !!!
+             * handle the extra spaces added before and after
+-- 
+2.7.4
+
diff --git a/recipes-core/libxml/libxml2/CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch b/recipes-core/libxml/libxml2/CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch
new file mode 100644
index 0000000..aae956d
--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch
@@ -0,0 +1,36 @@
+From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 7 Apr 2017 17:13:28 +0200
+Subject: [PATCH] Increase buffer space for port in HTTP redirect support
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=780690
+
+nanohttp.c: the code wrongly assumed a short int port value.
+
+CVE: CVE-2017-7376
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/5dca9eea1bd4263bfa4d037ab2443de1cd730f7e]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ nanohttp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/nanohttp.c b/nanohttp.c
+index e109ad7..373425d 100644
+--- a/nanohttp.c
++++ b/nanohttp.c
+@@ -1423,9 +1423,9 @@ retry:
+     if (ctxt->port != 80) {
+        /* reserve space for ':xxxxx', incl. potential proxy */
+        if (proxy)
+-           blen += 12;
++           blen += 17;
+        else
+-           blen += 6;
++           blen += 11;
+     }
+     bp = (char*)xmlMallocAtomic(blen);
+     if ( bp == NULL ) {
+-- 
+2.7.4
+
diff --git a/recipes-core/libxml/libxml2_2.9.4.bbappend b/recipes-core/libxml/libxml2_2.9.4.bbappend
new file mode 100644
index 0000000..dbf9709
--- /dev/null
+++ b/recipes-core/libxml/libxml2_2.9.4.bbappend
@@ -0,0 +1,9 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+        file://CVE-2017-7376-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch \
+        file://CVE-2017-7375-Prevent-unwanted-external-entity-reference.patch \
+        file://CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch \
+        file://CVE-2017-16932-detect-infinite-recursion-in-parameter-entities.patch \
+        "
diff --git a/recipes-devtools/perl/perl/CVE-2018-6913-perl-131844-fix-various-space-calculation-issues-in-.patch b/recipes-devtools/perl/perl/CVE-2018-6913-perl-131844-fix-various-space-calculation-issues-in-.patch
new file mode 100644
index 0000000..cb73e21
--- /dev/null
+++ b/recipes-devtools/perl/perl/CVE-2018-6913-perl-131844-fix-various-space-calculation-issues-in-.patch
@@ -0,0 +1,148 @@
+From a9d5c6e11891b48be06d4e06eeed18642bc98527 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Tue, 8 Aug 2017 09:32:58 +1000
+Subject: [PATCH] (perl #131844) fix various space calculation issues in
+ pp_pack.c
+
+- for the originally reported case, if the start/cur pointer is in the
+  top 75% of the address space the add (cur) + glen addition would
+  overflow, resulting in the condition failing incorrectly.
+
+- the addition of the existing space used to the space needed could
+  overflow, resulting in too small an allocation and a buffer overflow.
+
+- the scaling for UTF8 could overflow.
+
+- the multiply to calculate the space needed for many items could
+  overflow.
+
+For the first case, do a space calculation without making new pointers.
+
+For the other cases, detect the overflow and croak if there's an
+overflow.
+
+Originally this used Size_t_MAX as the maximum size of a memory
+allocation, but for -DDEBUGGING builds realloc() throws a panic for
+allocations over half the address space in size, changing the error
+reported for the allocation.
+
+For non-DEBUGGING builds the Size_t_MAX limit has the small chance
+of finding a system that has 3GB of contiguous space available, and
+allocating that space, which could be a denial of servce in some cases.
+
+Unfortunately changing the limit to half the address space means that
+the exact case with the original issue can no longer occur, so the
+test is no longer testing against the address + length issue that
+caused the original problem, since the allocation is failing earlier.
+
+One option would be to change the test so the size request by pack is
+just under 2GB, but this has a higher (but still low) probability that
+the system has the address space available, and will actually try to
+allocate the memory, so let's not do that.
+
+(cherry picked from commit f5506feddde8546eabb69d71569d856c7e9c615b)
+
+CVE: CVE-2018-131844
+Upstream-Status: Backport [https://rt.perl.org/Public/Ticket/Attachment/1480002/799836/0001-perl-131844-fix-various-space-calculation-issues-in-.patch]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ pp_pack.c   | 25 +++++++++++++++++++++----
+ t/op/pack.t | 24 +++++++++++++++++++++++-
+ 2 files changed, 44 insertions(+), 5 deletions(-)
+
+diff --git a/pp_pack.c b/pp_pack.c
+index f6964c3..c0de5ab 100644
+--- a/pp_pack.c
++++ b/pp_pack.c
+@@ -358,11 +358,28 @@ STMT_START {                                                      \
+     }                                                          \
+ } STMT_END
+ 
++#define SAFE_UTF8_EXPAND(var)  \
++STMT_START {                           \
++    if ((var) > SSize_t_MAX / UTF8_EXPAND) \
++        Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \
++    (var) = (var) * UTF8_EXPAND; \
++} STMT_END
++
++#define GROWING2(utf8, cat, start, cur, item_size, item_count) \
++STMT_START {                                                   \
++    if (SSize_t_MAX / (item_size) < (item_count))              \
++        Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \
++    GROWING((utf8), (cat), (start), (cur), (item_size) * (item_count)); \
++} STMT_END
++
+ #define GROWING(utf8, cat, start, cur, in_len) \
+ STMT_START {                                   \
+     STRLEN glen = (in_len);                    \
+-    if (utf8) glen *= UTF8_EXPAND;             \
+-    if ((cur) + glen >= (start) + SvLEN(cat)) {        \
++    STRLEN catcur = (STRLEN)((cur) - (start)); \
++    if (utf8) SAFE_UTF8_EXPAND(glen);          \
++    if (SSize_t_MAX - glen < catcur)           \
++        Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \
++    if (catcur + glen >= SvLEN(cat)) { \
+        (start) = sv_exp_grow(cat, glen);       \
+        (cur) = (start) + SvCUR(cat);           \
+     }                                          \
+@@ -372,7 +389,7 @@ STMT_START {                                        \
+ STMT_START {                                   \
+     const STRLEN glen = (in_len);              \
+     STRLEN gl = glen;                          \
+-    if (utf8) gl *= UTF8_EXPAND;               \
++    if (utf8) SAFE_UTF8_EXPAND(gl);            \
+     if ((cur) + gl >= (start) + SvLEN(cat)) {  \
+         *cur = '\0';                           \
+         SvCUR_set((cat), (cur) - (start));     \
+@@ -2126,7 +2143,7 @@ S_pack_rec(pTHX_ SV *cat, tempsym_t* symptr, SV **beglist, SV **endlist )
+            if (props && !(props & PACK_SIZE_UNPREDICTABLE)) {
+                /* We can process this letter. */
+                STRLEN size = props & PACK_SIZE_MASK;
+-               GROWING(utf8, cat, start, cur, (STRLEN) len * size);
++               GROWING2(utf8, cat, start, cur, size, (STRLEN)len);
+            }
+         }
+ 
+diff --git a/t/op/pack.t b/t/op/pack.t
+index a2da636..a480c3a 100644
+--- a/t/op/pack.t
++++ b/t/op/pack.t
+@@ -12,7 +12,7 @@ my $no_endianness = $] > 5.009 ? '' :
+ my $no_signedness = $] > 5.009 ? '' :
+   "Signed/unsigned pack modifiers not available on this perl";
+ 
+-plan tests => 14712;
++plan tests => 14716;
+ 
+ use strict;
+ use warnings qw(FATAL all);
+@@ -2044,3 +2044,25 @@ ok(1, "argument underflow did not crash");
+     is(pack("H40", $up_nul), $twenty_nuls,
+        "check pack H zero fills (utf8 source)");
+ }
++
++SKIP:
++{
++  # [perl #131844] pointer addition overflow
++    $Config{ptrsize} == 4
++      or skip "[perl #131844] need 32-bit build for this test", 4;
++    # prevent ASAN just crashing on the allocation failure
++    local $ENV{ASAN_OPTIONS} = $ENV{ASAN_OPTIONS};
++    $ENV{ASAN_OPTIONS} .= ",allocator_may_return_null=1";
++    fresh_perl_like('pack "f999999999"', qr/Out of memory during pack/, { stderr => 1 },
++                   "pointer addition overflow");
++
++    # integer (STRLEN) overflow from addition of glen to current length
++    fresh_perl_like('pack "c10f1073741823"', qr/Out of memory during pack/, { stderr => 1 },
++                   "integer overflow calculating allocation (addition)");
++
++    fresh_perl_like('pack "W10f536870913", 256', qr/Out of memory during pack/, { stderr => 1 },
++                   "integer overflow calculating allocation (utf8)");
++
++    fresh_perl_like('pack "c10f1073741824"', qr/Out of memory during pack/, { stderr => 1 },
++                   "integer overflow calculating allocation (multiply)");
++}
+-- 
+2.7.4
+
diff --git a/recipes-devtools/perl/perl_5.24.1.bbappend b/recipes-devtools/perl/perl_5.24.1.bbappend
new file mode 100644
index 0000000..10cfbca
--- /dev/null
+++ b/recipes-devtools/perl/perl_5.24.1.bbappend
@@ -0,0 +1,6 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+        file://CVE-2018-6913-perl-131844-fix-various-space-calculation-issues-in-.patch \
+        "
diff --git a/recipes-devtools/python/python/CVE-2017-1000158-2.7-bpo-30657-Check-prevent-integer-overflow-in-PySt.patch b/recipes-devtools/python/python/CVE-2017-1000158-2.7-bpo-30657-Check-prevent-integer-overflow-in-PySt.patch
new file mode 100644
index 0000000..b94ae06
--- /dev/null
+++ b/recipes-devtools/python/python/CVE-2017-1000158-2.7-bpo-30657-Check-prevent-integer-overflow-in-PySt.patch
@@ -0,0 +1,62 @@
+From cab6444ff39a91084bdac08d0ae66734cea943f6 Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 10:13:00 +0200
+Subject: [PATCH] [2.7] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (#2174)
+
+CVE: CVE-2017-1000158
+Upstream-Status: Backport [https://github.com/python/cpython/commit/c3c9db89273fabc62ea1b48389d9a3000c1c03ae]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ Misc/ACKS              | 1 +
+ Misc/NEWS              | 3 +++
+ Objects/stringobject.c | 8 +++++++-
+ 3 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/Misc/ACKS b/Misc/ACKS
+index 952d6dd..6ea6639 100644
+--- a/Misc/ACKS
++++ b/Misc/ACKS
+@@ -151,6 +151,7 @@ Gregory Bond
+ Matias Bordese
+ Jonas Borgström
+ Jurjen Bos
++Jay Bosamiya
+ Peter Bosch
+ Dan Boswell
+ Eric Bouck
+diff --git a/Misc/NEWS b/Misc/NEWS
+index b779e82..ab0b687 100644
+--- a/Misc/NEWS
++++ b/Misc/NEWS
+@@ -21,6 +21,9 @@ What's New in Python 2.7.13 release candidate 1?
+ Core and Builtins
+ -----------------
+ 
++- bpo-30657: Fixed possible integer overflow in PyString_DecodeEscape.
++  Patch by Jay Bosamiya.
++
+ - Issue #28847: dumbdbm no longer writes the index file in when it is not
+   changed and supports reading read-only files.
+ 
+diff --git a/Objects/stringobject.c b/Objects/stringobject.c
+index 4e38735..6c31c5b 100644
+--- a/Objects/stringobject.c
++++ b/Objects/stringobject.c
+@@ -612,7 +612,13 @@ PyObject *PyString_DecodeEscape(const char *s,
+     char *p, *buf;
+     const char *end;
+     PyObject *v;
+-    Py_ssize_t newlen = recode_encoding ? 4*len:len;
++    Py_ssize_t newlen;
++    /* Check for integer overflow */
++    if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
++        PyErr_SetString(PyExc_OverflowError, "string is too large");
++        return NULL;
++    }
++    newlen = recode_encoding ? 4*len:len;
+     v = PyString_FromStringAndSize((char *)NULL, newlen);
+     if (v == NULL)
+         return NULL;
+
+
diff --git a/recipes-devtools/python/python/CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch b/recipes-devtools/python/python/CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch
new file mode 100644
index 0000000..6239503
--- /dev/null
+++ b/recipes-devtools/python/python/CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch
@@ -0,0 +1,161 @@
+From fbfdc20005366facc079675ee7e217a0993ef2f9 Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 13:44:16 +0200
+Subject: [PATCH] [2.7] bpo-32981: Fix catastrophic backtracking vulns
+ (GH-5955)
+
+* Prevent low-grade poplib REDOS (CVE-2018-1060)
+
+The regex to test a mail server's timestamp is susceptible to
+catastrophic backtracking on long evil responses from the server.
+
+Happily, the maximum length of malicious inputs is 2K thanks
+to a limit introduced in the fix for CVE-2013-1752.
+
+A 2KB evil response from the mail server would result in small slowdowns
+(milliseconds vs. microseconds) accumulated over many apop calls.
+This is a potential DOS vector via accumulated slowdowns.
+
+Replace it with a similar non-vulnerable regex.
+
+The new regex is RFC compliant.
+The old regex was non-compliant in edge cases.
+
+* Prevent difflib REDOS (CVE-2018-1061)
+
+The default regex for IS_LINE_JUNK is susceptible to
+catastrophic backtracking.
+This is a potential DOS vector.
+
+Replace it with an equivalent non-vulnerable regex.
+
+Also introduce unit and REDOS tests for difflib.
+
+CVE: CVE-2018-1060
+CVE: CVE-2018-1061
+Upstream-Status: Backport [https://github.com/python/cpython/commit/937ac1fe069a4dc8471dff205f553d82e724015b]
+
+Co-authored-by: Tim Peters <tim.peters@gmail.com>
+Co-authored-by: Christian Heimes <christian@python.org>.
+(cherry picked from commit 0e6c8ee2358a2e23117501826c008842acb835ac)
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ Lib/difflib.py                                     |  2 +-
+ Lib/poplib.py                                      |  2 +-
+ Lib/test/test_difflib.py                           | 22 +++++++++++++++++++++-
+ Lib/test/test_poplib.py                            | 10 ++++++++++
+ Misc/ACKS                                          |  1 +
+ .../2018-03-02-10-24-52.bpo-32981.O_qDyj.rst       |  4 ++++
+ 6 files changed, 38 insertions(+), 3 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst
+
+diff --git a/Lib/difflib.py b/Lib/difflib.py
+index 1c6fbdb..788a92d 100644
+--- a/Lib/difflib.py
++++ b/Lib/difflib.py
+@@ -1103,7 +1103,7 @@ class Differ:
+ 
+ import re
+ 
+-def IS_LINE_JUNK(line, pat=re.compile(r"\s*#?\s*$").match):
++def IS_LINE_JUNK(line, pat=re.compile(r"\s*(?:#\s*)?$").match):
+     r"""
+     Return 1 for ignorable line: iff `line` is blank or contains a single '#'.
+ 
+diff --git a/Lib/poplib.py b/Lib/poplib.py
+index b91e5f7..a238510 100644
+--- a/Lib/poplib.py
++++ b/Lib/poplib.py
+@@ -274,7 +274,7 @@ class POP3:
+         return self._shortcmd('RPOP %s' % user)
+ 
+ 
+-    timestamp = re.compile(r'\+OK.*(<[^>]+>)')
++    timestamp = re.compile(br'\+OK.[^<]*(<.*>)')
+ 
+     def apop(self, user, secret):
+         """Authorisation
+diff --git a/Lib/test/test_difflib.py b/Lib/test/test_difflib.py
+index 35f2c36..d8277b7 100644
+--- a/Lib/test/test_difflib.py
++++ b/Lib/test/test_difflib.py
+@@ -269,13 +269,33 @@ class TestOutputFormat(unittest.TestCase):
+         self.assertEqual(fmt(3,6), '4,6')
+         self.assertEqual(fmt(0,0), '0')
+ 
++class TestJunkAPIs(unittest.TestCase):
++    def test_is_line_junk_true(self):
++        for line in ['#', '  ', ' #', '# ', ' # ', '']:
++            self.assertTrue(difflib.IS_LINE_JUNK(line), repr(line))
++
++    def test_is_line_junk_false(self):
++        for line in ['##', ' ##', '## ', 'abc ', 'abc #', 'Mr. Moose is up!']:
++            self.assertFalse(difflib.IS_LINE_JUNK(line), repr(line))
++
++    def test_is_line_junk_REDOS(self):
++        evil_input = ('\t' * 1000000) + '##'
++        self.assertFalse(difflib.IS_LINE_JUNK(evil_input))
++
++    def test_is_character_junk_true(self):
++        for char in [' ', '\t']:
++            self.assertTrue(difflib.IS_CHARACTER_JUNK(char), repr(char))
++
++    def test_is_character_junk_false(self):
++        for char in ['a', '#', '\n', '\f', '\r', '\v']:
++            self.assertFalse(difflib.IS_CHARACTER_JUNK(char), repr(char))
+ 
+ def test_main():
+     difflib.HtmlDiff._default_prefix = 0
+     Doctests = doctest.DocTestSuite(difflib)
+     run_unittest(
+         TestWithAscii, TestAutojunk, TestSFpatches, TestSFbugs,
+-        TestOutputFormat, Doctests)
++        TestOutputFormat, TestJunkAPIs)
+ 
+ if __name__ == '__main__':
+     test_main()
+diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
+index 23d6887..d214375 100644
+--- a/Lib/test/test_poplib.py
++++ b/Lib/test/test_poplib.py
+@@ -211,6 +211,16 @@ class TestPOP3Class(TestCase):
+     def test_rpop(self):
+         self.assertOK(self.client.rpop('foo'))
+ 
++    def test_apop_REDOS(self):
++        # Replace welcome with very long evil welcome.
++        # NB The upper bound on welcome length is currently 2048.
++        # At this length, evil input makes each apop call take
++        # on the order of milliseconds instead of microseconds.
++        evil_welcome = b'+OK' + (b'<' * 1000000)
++        with test_support.swap_attr(self.client, 'welcome', evil_welcome):
++            # The evil welcome is invalid, so apop should throw.
++            self.assertRaises(poplib.error_proto, self.client.apop, 'a', 'kb')
++
+     def test_top(self):
+         expected =  ('+OK 116 bytes',
+                      ['From: postmaster@python.org', 'Content-Type: text/plain',
+diff --git a/Misc/ACKS b/Misc/ACKS
+index 9cbc230..952d6dd 100644
+--- a/Misc/ACKS
++++ b/Misc/ACKS
+@@ -314,6 +314,7 @@ Kushal Das
+ Jonathan Dasteel
+ Pierre-Yves David
+ A. Jesse Jiryu Davis
++Jamie (James C.) Davis
+ Merlijn van Deen
+ John DeGood
+ Ned Deily
+diff --git a/Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst b/Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst
+new file mode 100644
+index 0000000..9ebabb4
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst
+@@ -0,0 +1,4 @@
++Regexes in difflib and poplib were vulnerable to catastrophic backtracking.
++These regexes formed potential DOS vectors (REDOS). They have been
++refactored. This resolves CVE-2018-1060 and CVE-2018-1061.
++Patch by Jamie Davis.
+
+
diff --git a/recipes-devtools/python/python_2.7.13.bbappend b/recipes-devtools/python/python_2.7.13.bbappend
new file mode 100644
index 0000000..d7ec5e2
--- /dev/null
+++ b/recipes-devtools/python/python_2.7.13.bbappend
@@ -0,0 +1,7 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+        file://CVE-2017-1000158-2.7-bpo-30657-Check-prevent-integer-overflow-in-PySt.patch \
+        file://CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch \
+        "
diff --git a/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2017-6311.patch b/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2017-6311.patch
new file mode 100644
index 0000000..25d55ad
--- /dev/null
+++ b/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2017-6311.patch
@@ -0,0 +1,109 @@
+From 725afb9a926553b664a1cb1270d38de133f659e1 Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 12:21:56 +0200
+Subject: [PATCH] ico: Return an error when the ICO didn't load
+
+If we don't even read enough data to fill the header, return an
+error. This doesn't cover everything that could go wrong with
+the ICO incremental loader, but this is a good first throw.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/commit/7586553]
+
+thumbnailer: Update skeleton to fix a possible crash
+
+If the loader returns a NULL pixbuf without returning an
+error, the skeleton would crash trying to print the error.
+Print that the thumbnailer is broken instead.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=778204
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/commit/57362ed]
+
+CVE: CVE-2017-6311
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ gdk-pixbuf/io-ico.c                      | 11 ++++++++++-
+ thumbnailer/gnome-thumbnailer-skeleton.c | 14 ++++++++++++--
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/gdk-pixbuf/io-ico.c b/gdk-pixbuf/io-ico.c
+index 2b0441f..68295a3 100644
+--- a/gdk-pixbuf/io-ico.c
++++ b/gdk-pixbuf/io-ico.c
+@@ -605,6 +605,7 @@ gdk_pixbuf__ico_image_stop_load(gpointer data,
+ {
+        struct ico_progressive_state *context =
+            (struct ico_progressive_state *) data;
++       gboolean ret = TRUE;
+ 
+         /* FIXME this thing needs to report errors if
+          * we have unused image data
+@@ -612,8 +613,16 @@ gdk_pixbuf__ico_image_stop_load(gpointer data,
+ 
+        g_return_val_if_fail(context != NULL, TRUE);
+ 
++       if (context->HeaderDone < context->HeaderSize) {
++               g_set_error_literal (error,
++                                    GDK_PIXBUF_ERROR,
++                                    GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++                                    _("ICO image was truncated or incomplete."));
++               ret = FALSE;
++       }
++
+        context_free (context);
+-        return TRUE;
++        return ret;
+ }
+ 
+ static void
+diff --git a/thumbnailer/gnome-thumbnailer-skeleton.c b/thumbnailer/gnome-thumbnailer-skeleton.c
+index d686432..73da53e 100644
+--- a/thumbnailer/gnome-thumbnailer-skeleton.c
++++ b/thumbnailer/gnome-thumbnailer-skeleton.c
+@@ -37,6 +37,7 @@ static int output_size = 256;
+ static gboolean g_fatal_warnings = FALSE;
+ static char **filenames = NULL;
+ 
++#if !GDK_PIXBUF_CHECK_VERSION(2,36,5)
+ /**
+  * gnome_desktop_thumbnail_scale_down_pixbuf:
+  * @pixbuf: a #GdkPixbuf
+@@ -178,6 +179,7 @@ gnome_desktop_thumbnail_scale_down_pixbuf (GdkPixbuf *pixbuf,
+        
+        return dest_pixbuf;
+ }
++#endif
+ 
+ static char *
+ get_target_uri (GFile *file)
+@@ -291,9 +293,16 @@ int main (int argc, char **argv)
+ 
+                        scale = (double)output_size / MAX (width, height);
+ 
++#if !GDK_PIXBUF_CHECK_VERSION(2,36,5)
+                        scaled = gnome_desktop_thumbnail_scale_down_pixbuf (pixbuf,
+                                                                            floor (width * scale + 0.5),
+                                                                            floor (height * scale + 0.5));
++#else
++                       scaled = gdk_pixbuf_scale_simple (pixbuf,
++                                                         floor (width * scale + 0.5),
++                                                         floor (height * scale + 0.5),
++                                                         GDK_INTERP_HYPER);
++#endif
+                        gdk_pixbuf_copy_options (pixbuf, scaled);
+                        g_object_unref (pixbuf);
+                        pixbuf = scaled;
+@@ -316,8 +325,9 @@ int main (int argc, char **argv)
+        g_free (input_filename);
+ 
+        if (!pixbuf) {
+-               g_warning ("Could not thumbnail '%s': %s", filenames[0], error->message);
+-               g_error_free (error);
++               g_warning ("Could not thumbnail '%s': %s", filenames[0],
++                          error ? error->message : "Thumbnailer failed without returning an error");
++               g_clear_error (&error);
+                g_strfreev (filenames);
+                return 1;
+        }
+
+
diff --git a/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.36.5.bbappend b/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.36.5.bbappend
new file mode 100644
index 0000000..370bb73
--- /dev/null
+++ b/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.36.5.bbappend
@@ -0,0 +1,6 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+        file://CVE-2017-6311.patch \
+        "
diff --git a/recipes-graphics/xorg-lib/libxcursor/CVE-2017-16612-Fix-heap-overflows-when-parsing-malicious-files.patch b/recipes-graphics/xorg-lib/libxcursor/CVE-2017-16612-Fix-heap-overflows-when-parsing-malicious-files.patch
new file mode 100644
index 0000000..9cad31e
--- /dev/null
+++ b/recipes-graphics/xorg-lib/libxcursor/CVE-2017-16612-Fix-heap-overflows-when-parsing-malicious-files.patch
@@ -0,0 +1,78 @@
+From 4794b5dd34688158fb51a2943032569d3780c4b8 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sat, 21 Oct 2017 23:47:52 +0200
+Subject: [PATCH] Fix heap overflows when parsing malicious files.
+ (CVE-2017-16612)
+
+It is possible to trigger heap overflows due to an integer overflow
+while parsing images and a signedness issue while parsing comments.
+
+The integer overflow occurs because the chosen limit 0x10000 for
+dimensions is too large for 32 bit systems, because each pixel takes
+4 bytes. Properly chosen values allow an overflow which in turn will
+lead to less allocated memory than needed for subsequent reads.
+
+The signedness bug is triggered by reading the length of a comment
+as unsigned int, but casting it to int when calling the function
+XcursorCommentCreate. Turning length into a negative value allows the
+check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
+addition of sizeof (XcursorComment) + 1 makes it possible to allocate
+less memory than needed for subsequent reads.
+
+CVE: CVE-2017-16612
+Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8]
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ src/file.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/file.c b/src/file.c
+index 43163c2..da16277 100644
+--- a/src/file.c
++++ b/src/file.c
+@@ -29,6 +29,11 @@ XcursorImageCreate (int width, int height)
+ {
+     XcursorImage    *image;
+ 
++    if (width < 0 || height < 0)
++       return NULL;
++    if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
++       return NULL;
++
+     image = malloc (sizeof (XcursorImage) +
+                    width * height * sizeof (XcursorPixel));
+     if (!image)
+@@ -101,7 +106,7 @@ XcursorCommentCreate (XcursorUInt comment_type, int length)
+ {
+     XcursorComment  *comment;
+ 
+-    if (length > XCURSOR_COMMENT_MAX_LEN)
++    if (length < 0 || length > XCURSOR_COMMENT_MAX_LEN)
+        return NULL;
+ 
+     comment = malloc (sizeof (XcursorComment) + length + 1);
+@@ -448,7 +453,8 @@ _XcursorReadImage (XcursorFile              *file,
+     if (!_XcursorReadUInt (file, &head.delay))
+        return NULL;
+     /* sanity check data */
+-    if (head.width >= 0x10000 || head.height > 0x10000)
++    if (head.width > XCURSOR_IMAGE_MAX_SIZE  ||
++       head.height > XCURSOR_IMAGE_MAX_SIZE)
+        return NULL;
+     if (head.width == 0 || head.height == 0)
+        return NULL;
+@@ -457,6 +463,8 @@ _XcursorReadImage (XcursorFile              *file,
+ 
+     /* Create the image and initialize it */
+     image = XcursorImageCreate (head.width, head.height);
++    if (image == NULL)
++       return NULL;
+     if (chunkHeader.version < image->version)
+        image->version = chunkHeader.version;
+     image->size = chunkHeader.subtype;
+-- 
+2.7.4
+
diff --git a/recipes-graphics/xorg-lib/libxcursor_1.1.14.bbappend b/recipes-graphics/xorg-lib/libxcursor_1.1.14.bbappend
new file mode 100644
index 0000000..0f67cec
--- /dev/null
+++ b/recipes-graphics/xorg-lib/libxcursor_1.1.14.bbappend
@@ -0,0 +1,6 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+        file://CVE-2017-16612-Fix-heap-overflows-when-parsing-malicious-files.patch \
+        "
diff --git a/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch b/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch
new file mode 100644
index 0000000..cd44efb
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch
@@ -0,0 +1,119 @@
+From 257f0d14893a491786bccb34ecc847f74edd47c6 Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 13:01:11 +0200
+Subject: [PATCH] FTP: reject path components with control codes
+
+Refuse to operate when given path components featuring byte values lower
+than 32.
+
+Previously, inserting a %00 sequence early in the directory part when
+using the 'singlecwd' ftp method could make curl write a zero byte
+outside of the allocated buffer.
+
+Test case 340 verifies.
+
+CVE-2018-1000120
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000120.patch]
+
+Reported-by: Duy Phan Thanh
+Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ lib/ftp.c               |  6 +++---
+ tests/data/Makefile.inc |  1 +
+ tests/data/test340      | 40 ++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 44 insertions(+), 3 deletions(-)
+ create mode 100644 tests/data/test340
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index cab3699..0e28059 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -3236,7 +3236,7 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status,
+ 
+   if(!result)
+     /* get the "raw" path */
+-    result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE);
++    result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE);
+   if(result) {
+     /* We can limp along anyway (and should try to since we may already be in
+      * the error path) */
+@@ -4242,7 +4242,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
+       result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/",
+                               slash_pos ? dirlen : 1,
+                               &ftpc->dirs[0], NULL,
+-                              FALSE);
++                              TRUE);
+       if(result) {
+         freedirs(ftpc);
+         return result;
+@@ -4350,7 +4350,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
+     size_t dlen;
+     char *path;
+     CURLcode result =
+-      Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE);
++      Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE);
+     if(result) {
+       freedirs(ftpc);
+       return result;
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 135ba06..31e026f 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -57,6 +57,7 @@ test298 test299 test300 test301 test302 test303 test304 test305 test306 \
+ test307 test308 test309 test310 test311 test312 test313                 \
+                                 test320 test321 test322 test323 test324 \
+ test325 \
++test340 \
+ test350 test351 test352 test353 test354 \
+ \
+ test400 test401 test402 test403 test404 test405 test406 test407 test408 \
+diff --git a/tests/data/test340 b/tests/data/test340
+new file mode 100644
+index 0000000..d834d76
+--- /dev/null
++++ b/tests/data/test340
+@@ -0,0 +1,40 @@
++<testcase>
++<info>
++<keywords>
++FTP
++PASV
++CWD
++--ftp-method
++singlecwd
++</keywords>
++</info>
++#
++# Server-side
++<reply>
++</reply>
++
++# Client-side
++<client>
++<server>
++ftp
++</server>
++ <name>
++FTP using %00 in path with singlecwd
++ </name>
++ <command>
++--ftp-method singlecwd ftp://%HOSTIP:%FTPPORT/%00first/second/third/340
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<protocol>
++USER anonymous

++PASS ftp@example.com

++PWD

++</protocol>
++<errorcode>
++3
++</errorcode>
++</verify>
++</testcase>
+
+
diff --git a/recipes-support/curl/curl/CVE-2018-1000121-openldap-check-ldap_get_attribute_ber-results-for-NU.patch b/recipes-support/curl/curl/CVE-2018-1000121-openldap-check-ldap_get_attribute_ber-results-for-NU.patch
new file mode 100644
index 0000000..488d457
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2018-1000121-openldap-check-ldap_get_attribute_ber-results-for-NU.patch
@@ -0,0 +1,47 @@
+From 9889db043393092e9d4b5a42720bba0b3d58deba Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 6 Mar 2018 23:02:16 +0100
+Subject: [PATCH] openldap: check ldap_get_attribute_ber() results for NULL
+ before using
+
+CVE-2018-1000121
+Reported-by: Dario Weisser
+Bug: https://curl.haxx.se/docs/adv_2018-97a2.html
+
+CVE: CVE-2018-1000121
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000121.patch]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ lib/openldap.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/openldap.c b/lib/openldap.c
+index f2ffdfe..6927275 100644
+--- a/lib/openldap.c
++++ b/lib/openldap.c
+@@ -473,7 +473,7 @@ static ssize_t ldap_recv(struct connectdata *conn, int sockindex, char *buf,
+ 
+   for(ent = ldap_first_message(li->ld, msg); ent;
+     ent = ldap_next_message(li->ld, ent)) {
+-    struct berval bv, *bvals, **bvp = &bvals;
++    struct berval bv, *bvals;
+     int binary = 0, msgtype;
+     CURLcode writeerr;
+ 
+@@ -535,9 +535,9 @@ static ssize_t ldap_recv(struct connectdata *conn, int sockindex, char *buf,
+     }
+     data->req.bytecount += bv.bv_len + 5;
+ 
+-    for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp);
+-      rc == LDAP_SUCCESS;
+-      rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp)) {
++    for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals);
++        (rc == LDAP_SUCCESS) && bvals;
++        rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals)) {
+       int i;
+ 
+       if(bv.bv_val == NULL) break;
+-- 
+2.7.4
+
diff --git a/recipes-support/curl/curl/CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch b/recipes-support/curl/curl/CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch
new file mode 100644
index 0000000..488d2fb
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch
@@ -0,0 +1,43 @@
+From d52dc4760f6d9ca1937eefa2093058a952465128 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 8 Mar 2018 10:33:16 +0100
+Subject: [PATCH] readwrite: make sure excess reads don't go beyond buffer end
+
+CVE-2018-1000122
+Bug: https://curl.haxx.se/docs/adv_2018-b047.html
+
+Detected by OSS-fuzz
+
+CVE: CVE-2018-1000122
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000122.patch]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ lib/transfer.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index c46ac25..fd9af31 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -808,10 +808,15 @@ static CURLcode readwrite_data(struct Curl_easy *data,
+ 
+     } /* if(!header and data to read) */
+ 
+-    if(conn->handler->readwrite &&
+-       (excess > 0 && !conn->bits.stream_was_rewound)) {
++    if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) {
+       /* Parse the excess data */
+       k->str += nread;
++
++      if(&k->str[excess] > &k->buf[data->set.buffer_size]) {
++        /* the excess amount was too excessive(!), make sure
++           it doesn't read out of buffer */
++        excess = &k->buf[data->set.buffer_size] - k->str;
++      }
+       nread = (ssize_t)excess;
+ 
+       result = conn->handler->readwrite(data, conn, &nread, &readmore);
+-- 
+2.7.4
+
diff --git a/recipes-support/curl/curl/CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch b/recipes-support/curl/curl/CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch
new file mode 100644
index 0000000..cf5a596
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch
@@ -0,0 +1,48 @@
+From 8c7b3737d29ed5c0575bf592063de8a51450812d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 24 Mar 2018 23:47:41 +0100
+Subject: [PATCH] http: restore buffer pointer when bad response-line is parsed
+
+... leaving the k->str could lead to buffer over-reads later on.
+  
+Assisted-by: Max Dymond
+
+Detected by OSS-Fuzz.
+Bug: https://curl.haxx.se/docs/adv_2018-b138.html
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
+
+CVE: CVE-2018-1000301
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000301.patch]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ lib/http.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 1a313b4..e080ae5 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -3014,6 +3014,8 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+ {
+   CURLcode result;
+   struct SingleRequest *k = &data->req;
++  ssize_t onread = *nread;
++  char *ostr = k->str;
+ 
+   /* header line within buffer loop */
+   do {
+@@ -3078,7 +3080,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+         else {
+           /* this was all we read so it's all a bad header */
+           k->badheader = HEADER_ALLBAD;
+-          *nread = (ssize_t)rest_length;
++          *nread = onread;
++          k->str = ostr;
++          return CURLE_OK;
+         }
+         break;
+       }
+-- 
+2.7.4
+
diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend
deleted file mode 100644
index 3727bea..0000000
--- a/recipes-support/curl/curl_%.bbappend
+++ /dev/null
@@ -1,12 +0,0 @@
-# look for files in the layer first
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-SRC_URI += "file://CVE-2017-7407.patch \
-            file://CVE-2017-7468.patch \
-            file://CVE-2017-9502.patch \
-            file://CVE-2017-1000254.patch \
-            file://CVE-2017-1000257.patch \
-            file://CVE-2017-8816.patch \
-            file://CVE-2017-8817.patch \
-            file://CVE-2018-1000005.patch \
-           "
diff --git a/recipes-support/curl/curl_7.53.1.bbappend b/recipes-support/curl/curl_7.53.1.bbappend
new file mode 100644
index 0000000..ad7241c
--- /dev/null
+++ b/recipes-support/curl/curl_7.53.1.bbappend
@@ -0,0 +1,17 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+        file://CVE-2017-7407.patch \
+        file://CVE-2017-7468.patch \
+        file://CVE-2017-9502.patch \
+        file://CVE-2017-1000254.patch \
+        file://CVE-2017-1000257.patch \
+        file://CVE-2017-8816.patch \
+        file://CVE-2017-8817.patch \
+        file://CVE-2018-1000005.patch \
+        file://CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch \
+        file://CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch \
+        file://CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch \
+        file://CVE-2018-1000121-openldap-check-ldap_get_attribute_ber-results-for-NU.patch \
+        "
diff --git a/recipes-support/libcroco/libcroco/CVE-2017-7961-tknzr-support-only-max-long-rgb-values.patch b/recipes-support/libcroco/libcroco/CVE-2017-7961-tknzr-support-only-max-long-rgb-values.patch
new file mode 100644
index 0000000..520a52d
--- /dev/null
+++ b/recipes-support/libcroco/libcroco/CVE-2017-7961-tknzr-support-only-max-long-rgb-values.patch
@@ -0,0 +1,47 @@
+From 9ad72875e9f08e4c519ef63d44cdbd94aa9504f7 Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
+Date: Sun, 16 Apr 2017 13:56:09 +0200
+Subject: [PATCH] tknzr: support only max long rgb values
+
+This fixes a possible out of bound when reading rgbs which
+are longer than the support MAXLONG
+
+CVE: CVE-2017-7961
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libcroco/commit/9ad72875e9f08e4c519ef63d44cdbd94aa9504f7]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ src/cr-tknzr.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/cr-tknzr.c b/src/cr-tknzr.c
+index 1a7cfeb..1548c35 100644
+--- a/src/cr-tknzr.c
++++ b/src/cr-tknzr.c
+@@ -1279,6 +1279,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
+         status = cr_tknzr_parse_num (a_this, &num);
+         ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
+ 
++        if (num->val > G_MAXLONG) {
++                status = CR_PARSING_ERROR;
++                goto error;
++        }
++
+         red = num->val;
+         cr_num_destroy (num);
+         num = NULL;
+@@ -1298,6 +1303,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
+                 status = cr_tknzr_parse_num (a_this, &num);
+                 ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
+ 
++                if (num->val > G_MAXLONG) {
++                        status = CR_PARSING_ERROR;
++                        goto error;
++                }
++
+                 PEEK_BYTE (a_this, 1, &next_bytes[0]);
+                 if (next_bytes[0] == '%') {
+                         SKIP_CHARS (a_this, 1);
+-- 
+2.7.4
+
diff --git a/recipes-support/libcroco/libcroco_0.6.11.bbappend b/recipes-support/libcroco/libcroco_0.6.11.bbappend
new file mode 100644
index 0000000..c1b3b6c
--- /dev/null
+++ b/recipes-support/libcroco/libcroco_0.6.11.bbappend
@@ -0,0 +1,6 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+        file://CVE-2017-7961-tknzr-support-only-max-long-rgb-values.patch \
+        "