10 files changed, 234 insertions, 412 deletions

diff --git a/meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch b/meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch
deleted file mode 100644
index 78dcc1b636..0000000000
--- a/meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch
+++ /dev/null
@@ -1,402 +0,0 @@
-From 951bdaad7a18cc0dc1036bba86b18b90874d39ff Mon Sep 17 00:00:00 2001
-From: Chet Ramey <chet.ramey@case.edu>
-Date: Mon, 1 Jul 2019 09:03:53 -0400
-Subject: [PATCH] commit bash-20190628 snapshot
-
-An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11.
-By default, if Bash is run with its effective UID not equal to its real UID,
-it will drop privileges by setting its effective UID to its real UID.
-However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality,
-the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for
-runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore
-regains privileges. However, binaries running with an effective UID of 0 are unaffected.
-
-Upstream-Status: Backport [https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff]
-CVE: CVE-2019-18276
-Signed-off-by: Chet Ramey <chet.ramey@case.edu>
-Signed-off-by: De Huo <De.Huo@windriver.com>
----
- MANIFEST          |  2 ++
- bashline.c        | 50 +-------------------------------------------------
- builtins/help.def |  2 +-
- config.h.in       | 10 +++++++++-
- configure         | 11 +++++++++++
- configure.ac      |  1 +
- doc/bash.1        |  3 ++-
- doc/bashref.texi  |  3 ++-
- lib/glob/glob.c   |  5 ++++-
- pathexp.c         | 16 ++++++++++++++--
- shell.c           |  8 ++++++++
- tests/glob.tests  |  2 ++
- tests/glob6.sub   | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
- tests/glob7.sub   | 11 +++++++++++
- 14 files changed, 122 insertions(+), 56 deletions(-)
- create mode 100644 tests/glob6.sub
- create mode 100644 tests/glob7.sub
-
-diff --git a/MANIFEST b/MANIFEST
-index 03de221..f9ccad7 100644
---- a/MANIFEST
-+++ b/MANIFEST
-@@ -1037,6 +1037,8 @@ tests/extglob3.tests      f
- tests/extglob3.right   f
- tests/extglob4.sub     f
- tests/extglob5.sub     f
-+tests/glob6.sub                f
-+tests/glob7.sub                f
- tests/func.tests       f
- tests/func.right       f
- tests/func1.sub                f
-diff --git a/bashline.c b/bashline.c
-index 824ea9d..d86b47d 100644
---- a/bashline.c
-+++ b/bashline.c
-@@ -3718,55 +3718,7 @@ static int
- completion_glob_pattern (string)
-      char *string;
- {
--  register int c;
--  char *send;
--  int open;
--
--  DECLARE_MBSTATE;
--
--  open = 0;
--  send = string + strlen (string);
--
--  while (c = *string++)
--    {
--      switch (c)
--       {
--       case '?':
--       case '*':
--         return (1);
--
--       case '[':
--         open++;
--         continue;
--
--       case ']':
--         if (open)
--           return (1);
--         continue;
--
--       case '+':
--       case '@':
--       case '!':
--         if (*string == '(')   /*)*/
--           return (1);
--         continue;
--
--       case '\\':
--         if (*string++ == 0)
--           return (0);           
--       }
--
--      /* Advance one fewer byte than an entire multibyte character to
--        account for the auto-increment in the loop above. */
--#ifdef HANDLE_MULTIBYTE
--      string--;
--      ADVANCE_CHAR_P (string, send - string);
--      string++;
--#else
--      ADVANCE_CHAR_P (string, send - string);
--#endif
--    }
--  return (0);
-+  return (glob_pattern_p (string) == 1);
- }
- 
- static char *globtext;
-diff --git a/builtins/help.def b/builtins/help.def
-index 006c4b5..92f9b38 100644
---- a/builtins/help.def
-+++ b/builtins/help.def
-@@ -128,7 +128,7 @@ help_builtin (list)
- 
-   /* We should consider making `help bash' do something. */
- 
--  if (glob_pattern_p (list->word->word))
-+  if (glob_pattern_p (list->word->word) == 1)
-     {
-       printf ("%s", ngettext ("Shell commands matching keyword `", "Shell commands matching keywords `", (list->next ? 2 : 1)));
-       print_word_list (list, ", ");
-diff --git a/config.h.in b/config.h.in
-index 8554aec..ad4b1e8 100644
---- a/config.h.in
-+++ b/config.h.in
-@@ -1,6 +1,6 @@
- /* config.h -- Configuration file for bash. */
- 
--/* Copyright (C) 1987-2009,2011-2012 Free Software Foundation, Inc.
-+/* Copyright (C) 1987-2009,2011-2012,2013-2019 Free Software Foundation, Inc.
- 
-    This file is part of GNU Bash, the Bourne Again SHell.
- 
-@@ -807,6 +807,14 @@
- #undef HAVE_SETREGID
- #undef HAVE_DECL_SETREGID
- 
-+/* Define if you have the setregid function.  */
-+#undef HAVE_SETRESGID
-+#undef HAVE_DECL_SETRESGID
-+
-+/* Define if you have the setresuid function.  */
-+#undef HAVE_SETRESUID
-+#undef HAVE_DECL_SETRESUID
-+
- /* Define if you have the setvbuf function.  */
- #undef HAVE_SETVBUF
- 
-diff --git a/configure b/configure
-index 2f62662..b3321c9 100755
---- a/configure
-+++ b/configure
-@@ -10281,6 +10281,17 @@ cat >>confdefs.h <<_ACEOF
- #define HAVE_DECL_SETREGID $ac_have_decl
- _ACEOF
- 
-+ac_fn_c_check_decl "$LINENO" "" "ac_cv_have_decl_" "$ac_includes_default"
-+if test "x$ac_cv_have_decl_" = xyes; then :
-+  ac_have_decl=1
-+else
-+  ac_have_decl=0
-+fi
-+
-+cat >>confdefs.h <<_ACEOF
-+#define HAVE_DECL_ $ac_have_decl
-+_ACEOF
-+(setresuid, setresgid)
- ac_fn_c_check_decl "$LINENO" "strcpy" "ac_cv_have_decl_strcpy" "$ac_includes_default"
- if test "x$ac_cv_have_decl_strcpy" = xyes; then :
-   ac_have_decl=1
-diff --git a/configure.ac b/configure.ac
-index 52b4cdb..549adef 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -810,6 +810,7 @@ AC_CHECK_DECLS([confstr])
- AC_CHECK_DECLS([printf])
- AC_CHECK_DECLS([sbrk])
- AC_CHECK_DECLS([setregid])
-+AC_CHECK_DECLS[(setresuid, setresgid])
- AC_CHECK_DECLS([strcpy])
- AC_CHECK_DECLS([strsignal])
- 
-diff --git a/doc/bash.1 b/doc/bash.1
-index e6cd08d..9e58a0b 100644
---- a/doc/bash.1
-+++ b/doc/bash.1
-@@ -4681,7 +4681,8 @@ above).
- .PD
- .SH "SIMPLE COMMAND EXPANSION"
- When a simple command is executed, the shell performs the following
--expansions, assignments, and redirections, from left to right.
-+expansions, assignments, and redirections, from left to right, in
-+the following order.
- .IP 1.
- The words that the parser has marked as variable assignments (those
- preceding the command name) and redirections are saved for later
-diff --git a/doc/bashref.texi b/doc/bashref.texi
-index d33cd57..3065126 100644
---- a/doc/bashref.texi
-+++ b/doc/bashref.texi
-@@ -2964,7 +2964,8 @@ is not specified.  If the file does not exist, it is created.
- @cindex command expansion
- 
- When a simple command is executed, the shell performs the following
--expansions, assignments, and redirections, from left to right.
-+expansions, assignments, and redirections, from left to right, in
-+the following order.
- 
- @enumerate
- @item
-diff --git a/lib/glob/glob.c b/lib/glob/glob.c
-index 398253b..2eaa33e 100644
---- a/lib/glob/glob.c
-+++ b/lib/glob/glob.c
-@@ -607,6 +607,7 @@ glob_vector (pat, dir, flags)
-   register unsigned int i;
-   int mflags;          /* Flags passed to strmatch (). */
-   int pflags;          /* flags passed to sh_makepath () */
-+  int hasglob;         /* return value from glob_pattern_p */
-   int nalloca;
-   struct globval *firstmalloc, *tmplink;
-   char *convfn;
-@@ -648,10 +649,12 @@ glob_vector (pat, dir, flags)
-   patlen = (pat && *pat) ? strlen (pat) : 0;
- 
-   /* If the filename pattern (PAT) does not contain any globbing characters,
-+     or contains a pattern with only backslash escapes (hasglob == 2),
-      we can dispense with reading the directory, and just see if there is
-      a filename `DIR/PAT'.  If there is, and we can access it, just make the
-      vector to return and bail immediately. */
--  if (skip == 0 && glob_pattern_p (pat) == 0)
-+  hasglob = 0;
-+  if (skip == 0 && (hasglob = glob_pattern_p (pat)) == 0 || hasglob == 2)
-     {
-       int dirlen;
-       struct stat finfo;
-diff --git a/pathexp.c b/pathexp.c
-index c1bf2d8..e6c5392 100644
---- a/pathexp.c
-+++ b/pathexp.c
-@@ -58,7 +58,10 @@ int extended_glob = EXTGLOB_DEFAULT;
- /* Control enabling special handling of `**' */
- int glob_star = 0;
- 
--/* Return nonzero if STRING has any unquoted special globbing chars in it.  */
-+/* Return nonzero if STRING has any unquoted special globbing chars in it.
-+   This is supposed to be called when pathname expansion is performed, so
-+   it implements the rules in Posix 2.13.3, specifically that an unquoted
-+   slash cannot appear in a bracket expression. */
- int
- unquoted_glob_pattern_p (string)
-      register char *string;
-@@ -85,10 +88,14 @@ unquoted_glob_pattern_p (string)
-          continue;
- 
-        case ']':
--         if (open)
-+         if (open)             /* XXX - if --open == 0? */
-            return (1);
-          continue;
- 
-+       case '/':
-+         if (open)
-+           open = 0;
-+
-        case '+':
-        case '@':
-        case '!':
-@@ -106,6 +113,11 @@ unquoted_glob_pattern_p (string)
-              string++;
-              continue;
-            }
-+         else if (open && *string == '/')
-+           {
-+             string++;         /* quoted slashes in bracket expressions are ok */
-+             continue;
-+           }
-          else if (*string == 0)
-            return (0);
-                  
-diff --git a/shell.c b/shell.c
-index a2b2a55..6adabc8 100644
---- a/shell.c
-+++ b/shell.c
-@@ -1293,7 +1293,11 @@ disable_priv_mode ()
- {
-   int e;
- 
-+#if HAVE_DECL_SETRESUID
-+  if (setresuid (current_user.uid, current_user.uid, current_user.uid) < 0)
-+#else
-   if (setuid (current_user.uid) < 0)
-+#endif
-     {
-       e = errno;
-       sys_error (_("cannot set uid to %d: effective uid %d"), current_user.uid, current_user.euid);
-@@ -1302,7 +1306,11 @@ disable_priv_mode ()
-        exit (e);
- #endif
-     }
-+#if HAVE_DECL_SETRESGID
-+  if (setresgid (current_user.gid, current_user.gid, current_user.gid) < 0)
-+#else
-   if (setgid (current_user.gid) < 0)
-+#endif
-     sys_error (_("cannot set gid to %d: effective gid %d"), current_user.gid, current_user.egid);
- 
-   current_user.euid = current_user.uid;
-diff --git a/tests/glob.tests b/tests/glob.tests
-index 01913bb..fb012f7 100644
---- a/tests/glob.tests
-+++ b/tests/glob.tests
-@@ -12,6 +12,8 @@ ${THIS_SH} ./glob1.sub
- ${THIS_SH} ./glob2.sub
- ${THIS_SH} ./glob3.sub
- ${THIS_SH} ./glob4.sub
-+${THIS_SH} ./glob6.sub
-+${THIS_SH} ./glob7.sub
- 
- MYDIR=$PWD     # save where we are
- 
-diff --git a/tests/glob6.sub b/tests/glob6.sub
-new file mode 100644
-index 0000000..b099811
---- /dev/null
-+++ b/tests/glob6.sub
-@@ -0,0 +1,54 @@
-+# tests of the backslash-in-glob-patterns discussion on the austin-group ML
-+
-+: ${TMPDIR:=/var/tmp}
-+
-+ORIG=$PWD
-+GLOBDIR=$TMPDIR/bash-glob-$$
-+mkdir $GLOBDIR && cd $GLOBDIR
-+
-+# does the pattern matcher allow backslashes as escape characters and remove
-+# them as part of matching?
-+touch abcdefg
-+pat='ab\cd*'
-+printf '<%s>\n' $pat
-+pat='\.'
-+printf '<%s>\n' $pat
-+rm abcdefg
-+
-+# how about when escaping pattern characters?
-+touch '*abc.c'
-+a='\**.c'
-+printf '%s\n' $a
-+rm -f '*abc.c'
-+
-+# how about when making the distinction between readable and searchable path
-+# components?
-+mkdir -m a=x searchable
-+mkdir -m a=r readable
-+
-+p='searchable/\.'
-+printf "%s\n" $p
-+
-+p='searchable/\./.'
-+printf "%s\n" $p
-+
-+p='readable/\.'
-+printf "%s\n" $p
-+
-+p='readable/\./.'
-+printf "%s\n" $p
-+
-+printf "%s\n" 'searchable/\.'
-+printf "%s\n" 'readable/\.'
-+
-+echo */.
-+
-+p='*/\.'
-+echo $p
-+
-+echo */'.'
-+
-+rmdir searchable readable
-+
-+cd $ORIG
-+rmdir $GLOBDIR
-diff --git a/tests/glob7.sub b/tests/glob7.sub
-new file mode 100644
-index 0000000..0212b8e
---- /dev/null
-+++ b/tests/glob7.sub
-@@ -0,0 +1,11 @@
-+# according to Posix 2.13.3, a slash in a bracket expression renders that
-+# bracket expression invalid
-+shopt -s nullglob
-+
-+echo 1: [qwe/qwe]
-+echo 2: [qwe/
-+echo 3: [qwe/]
-+
-+echo 4: [qwe\/qwe]
-+echo 5: [qwe\/
-+echo 6: [qwe\/]
--- 
-1.9.1
diff --git a/meta/recipes-extended/bash/bash_5.0.bb b/meta/recipes-extended/bash/bash_5.0.bb
index 1b7058746f..eadc82279d 100644
--- a/meta/recipes-extended/bash/bash_5.0.bb
+++ b/meta/recipes-extended/bash/bash_5.0.bb
@@ -19,7 +19,6 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \
            file://run-ptest \
            file://run-bash-ptests \
            file://fix-run-builtins.patch \
-           file://bash-CVE-2019-18276.patch \
            "
 
 SRC_URI[tarball.md5sum] = "2b44b47b905be16f45709648f671820b"
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-10216.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-10216.patch
new file mode 100644
index 0000000000..9bec7343f5
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-10216.patch
@@ -0,0 +1,53 @@
+From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 2 Aug 2019 15:18:26 +0100
+Subject: [PATCH] Bug 701394: protect use of .forceput with executeonly
+
+Upstream-Status: Backport [http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19] 
+CVE: CVE-2019-10216
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+---
+ Resource/Init/gs_type1.ps | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps
+index 6c7735bc0..a039ccee3 100644
+--- a/Resource/Init/gs_type1.ps
++++ b/Resource/Init/gs_type1.ps
+@@ -118,25 +118,25 @@
+                          ( to be the same as glyph: ) print 1 index //== exec } if
+                    3 index exch 3 index .forceput
+                                                                  % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+-                 }
++                 }executeonly
+                  {pop} ifelse
+-               } forall
++               } executeonly forall
+                pop pop
+-             }
++             } executeonly
+              {
+                pop pop pop
+              } ifelse
+-           }
++           } executeonly
+            {
+                                                                % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+              pop pop
+            } ifelse
+-         } forall
++         } executeonly forall
+          3 1 roll pop pop
+-     } if
++     } executeonly if
+      pop
+      dup /.AGLprocessed~GS //true .forceput
+-   } if
++   } executeonly if
+ 
+    %% We need to excute the C .buildfont1 in a stopped context so that, if there
+    %% are errors we can put the stack back sanely and exit. Otherwise callers won't
+-- 
+2.17.1
+
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.27.bb b/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
index 32f938f254..bbd17104e1 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
@@ -29,6 +29,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                 file://CVE-2019-14817-0001.patch \
                 file://CVE-2019-14817-0002.patch \
                 file://CVE-2019-14869-0001.patch \
+                file://CVE-2019-10216.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \
diff --git a/meta/recipes-extended/libarchive/libarchive/0001-RAR5-reader-reject-files-that-declare-invalid-header.patch b/meta/recipes-extended/libarchive/libarchive/0001-RAR5-reader-reject-files-that-declare-invalid-header.patch
new file mode 100644
index 0000000000..a84c1f1f76
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/0001-RAR5-reader-reject-files-that-declare-invalid-header.patch
@@ -0,0 +1,124 @@
+From c1fe0a8cc8dde8ba3eae3d17e34060d2d6e4eb96 Mon Sep 17 00:00:00 2001
+From: Grzegorz Antoniak <ga@anadoxin.org>
+Date: Sun, 2 Feb 2020 08:04:41 +0100
+Subject: [PATCH] RAR5 reader: reject files that declare invalid header flags
+
+One of the fields in RAR5's base block structure is the size of the
+header. Some invalid files declare a 0 header size setting, which can
+confuse the unpacker. Minimum header size for RAR5 base blocks is 7
+bytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0
+bytes should be rejected at header parsing stage.
+
+The fix adds an error condition if header size of 0 bytes is detected.
+In this case, the unpacker will not attempt to unpack the file, as the
+header is corrupted.
+
+The commit also adds OSSFuzz #20459 sample to test further regressions
+in this area.
+
+Upstream-Status: Backport[https://github.com/libarchive/libarchive/commit/94821008d6eea81e315c5881cdf739202961040a]
+CVE: CVE-2020-9308
+
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+---
+ Makefile.am                                     |  1 +
+ libarchive/archive_read_support_format_rar5.c   | 17 +++++++++++++++--
+ libarchive/test/test_read_format_rar5.c         | 15 +++++++++++++++
+ ...d_format_rar5_block_size_is_too_small.rar.uu |  8 ++++++++
+ 4 files changed, 39 insertions(+), 2 deletions(-)
+ create mode 100644 libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu
+
+diff --git a/Makefile.am b/Makefile.am
+index da78b24..01abf20 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -863,6 +863,7 @@ libarchive_test_EXTRA_DIST=\
+        libarchive/test/test_read_format_rar5_symlink.rar.uu \
+        libarchive/test/test_read_format_rar5_truncated_huff.rar.uu \
+        libarchive/test/test_read_format_rar5_win32.rar.uu \
++       libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
+        libarchive/test/test_read_format_raw.bufr.uu \
+        libarchive/test/test_read_format_raw.data.gz.uu \
+        libarchive/test/test_read_format_raw.data.Z.uu \
+diff --git a/libarchive/archive_read_support_format_rar5.c b/libarchive/archive_read_support_format_rar5.c
+index 7c24627..f73393c 100644
+--- a/libarchive/archive_read_support_format_rar5.c
++++ b/libarchive/archive_read_support_format_rar5.c
+@@ -2034,6 +2034,8 @@ static int scan_for_signature(struct archive_read* a);
+ static int process_base_block(struct archive_read* a,
+     struct archive_entry* entry)
+ {
++       const size_t SMALLEST_RAR5_BLOCK_SIZE = 3;
++
+        struct rar5* rar = get_context(a);
+        uint32_t hdr_crc, computed_crc;
+        size_t raw_hdr_size = 0, hdr_size_len, hdr_size;
+@@ -2057,15 +2059,26 @@ static int process_base_block(struct archive_read* a,
+                return ARCHIVE_EOF;
+        }
+ 
++       hdr_size = raw_hdr_size + hdr_size_len;
++
+        /* Sanity check, maximum header size for RAR5 is 2MB. */
+-       if(raw_hdr_size > (2 * 1024 * 1024)) {
++       if(hdr_size > (2 * 1024 * 1024)) {
+                archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+                    "Base block header is too large");
+ 
+                return ARCHIVE_FATAL;
+        }
+ 
+-       hdr_size = raw_hdr_size + hdr_size_len;
++       /* Additional sanity checks to weed out invalid files. */
++       if(raw_hdr_size == 0 || hdr_size_len == 0 ||
++               hdr_size < SMALLEST_RAR5_BLOCK_SIZE)
++       {
++               archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++                       "Too small block encountered (%ld bytes)",
++                       raw_hdr_size);
++
++               return ARCHIVE_FATAL;
++       }
+ 
+        /* Read the whole header data into memory, maximum memory use here is
+         * 2MB. */
+diff --git a/libarchive/test/test_read_format_rar5.c b/libarchive/test/test_read_format_rar5.c
+index 1408f37..32e7ed8 100644
+--- a/libarchive/test/test_read_format_rar5.c
++++ b/libarchive/test/test_read_format_rar5.c
+@@ -1194,3 +1194,18 @@ DEFINE_TEST(test_read_format_rar5_fileattr)
+ 
+        EPILOGUE();
+ }
++
++DEFINE_TEST(test_read_format_rar5_block_size_is_too_small)
++{
++       char buf[4096];
++       PROLOGUE("test_read_format_rar5_block_size_is_too_small.rar");
++
++       /* This file is damaged, so those functions should return failure.
++        * Additionally, SIGSEGV shouldn't be raised during execution
++        * of those functions. */
++
++       assertA(archive_read_next_header(a, &ae) != ARCHIVE_OK);
++       assertA(archive_read_data(a, buf, sizeof(buf)) <= 0);
++
++       EPILOGUE();
++}
+diff --git a/libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu b/libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu
+new file mode 100644
+index 0000000..5cad219
+--- /dev/null
++++ b/libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu
+@@ -0,0 +1,8 @@
++begin 644 test_read_format_rar5_block_size_is_too_small.rar
++M4F%R(1H'`0"-[P+2``+'(!P,("`@N`,!`B`@("`@("`@("`@("`@("#_("`@
++M("`@("`@("`@((:Q;2!4-'-^4B`!((WO`M(``O\@$/\@-R`@("`@("`@("`@
++M``X@("`@("`@____("`@("`@(/\@("`@("`@("`@("#_(+6U,2"UM;6UM[CU
++M)B`@*(0G(`!.`#D\3R``(/__(,+_````-0#_($&%*/HE=C+N`"```"```"`D
++J`)$#("#_("#__P`@__\@_R#_("`@("`@("#_("#__R`@(/__("#__R`"
++`
++end
+-- 
+2.23.0
+
diff --git a/meta/recipes-extended/libarchive/libarchive_3.4.0.bb b/meta/recipes-extended/libarchive/libarchive_3.4.0.bb
index c196382b07..db45ccf654 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.4.0.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.4.0.bb
@@ -33,6 +33,7 @@ EXTRA_OECONF += "--enable-largefile"
 
 SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
            file://CVE-2019-19221.patch \
+           file://0001-RAR5-reader-reject-files-that-declare-invalid-header.patch \
 "
 
 SRC_URI[md5sum] = "6046396255bd7cf6d0f6603a9bda39ac"
diff --git a/meta/recipes-extended/pam/libpam/pam.d/common-password b/meta/recipes-extended/pam/libpam/pam.d/common-password
index 3896057328..52478dae77 100644
--- a/meta/recipes-extended/pam/libpam/pam.d/common-password
+++ b/meta/recipes-extended/pam/libpam/pam.d/common-password
@@ -10,13 +10,10 @@
 # The "sha512" option enables salted SHA512 passwords.  Without this option,
 # the default is Unix crypt.  Prior releases used the option "md5".
 #
-# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
-# login.defs.
-#
 # See the pam_unix manpage for other options.
 
 # here are the per-package modules (the "Primary" block)
-password        [success=1 default=ignore]      pam_unix.so obscure sha512
+password        [success=1 default=ignore]      pam_unix.so sha512
 # here's the fallback if no module succeeds
 password        requisite                       pam_deny.so
 # prime the stack with a positive return value if there isn't one already;
diff --git a/meta/recipes-extended/screen/screen/CVE-2020-9366.patch b/meta/recipes-extended/screen/screen/CVE-2020-9366.patch
new file mode 100644
index 0000000000..a52b9e6e68
--- /dev/null
+++ b/meta/recipes-extended/screen/screen/CVE-2020-9366.patch
@@ -0,0 +1,48 @@
+From 8ce90c1d3d5bece150479d8bc9303fd9d9f45e03 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?= <amade@asmblr.net>
+Date: Thu, 30 Jan 2020 17:56:27 +0100
+Subject: [PATCH] Fix out of bounds access when setting w_xtermosc after OSC 49
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?= <amade@asmblr.net>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+echo -e "\e]49\e;                                    \n\ec"
+crashes screen.
+
+This happens because 49 is divided by 10 and used as table index
+resulting in access to w_xtermosc[4], which is out of bounds with table
+itself being size 4. Increase size of table by 1 to 5, which is enough
+for all current uses.
+
+As this overwrites memory based on user input it is potential security
+issue.
+
+Reported-by: pippin@gimp.org
+Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/screen.git/commit/?h=v.4.8.0&id=68386dfb1fa33471372a8cd2e74686758a2f527b]
+CVE: CVE-2020-9366
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+---
+ window.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/window.h b/window.h
+index bd10dcd..a8afa19 100644
+--- a/window.h
++++ b/window.h
+@@ -237,7 +237,7 @@ struct win
+   char  w_vbwait;
+   char  w_norefresh;           /* dont redisplay when switching to that win */
+ #ifdef RXVT_OSC
+-  char  w_xtermosc[4][MAXSTR]; /* special xterm/rxvt escapes */
++  char  w_xtermosc[5][MAXSTR]; /* special xterm/rxvt escapes */
+ #endif
+   int    w_mouse;              /* mouse mode 0,9,1000 */
+ #ifdef HAVE_BRAILLE
diff --git a/meta/recipes-extended/screen/screen_4.6.2.bb b/meta/recipes-extended/screen/screen_4.6.2.bb
index 21b476ddb0..d00b849021 100644
--- a/meta/recipes-extended/screen/screen_4.6.2.bb
+++ b/meta/recipes-extended/screen/screen_4.6.2.bb
@@ -25,6 +25,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
            file://0001-fix-for-multijob-build.patch \
            file://0001-configure.ac-fix-configure-failed-while-build-dir-ha.patch \
            file://0001-Remove-more-compatibility-stuff.patch \
+           file://CVE-2020-9366.patch \
           "
 
 SRC_URI[md5sum] = "a0f529d3333b128dfaa324d978ba73a8"
diff --git a/meta/recipes-extended/timezone/timezone.inc b/meta/recipes-extended/timezone/timezone.inc
index f6bab1acb4..e542290c3c 100644
--- a/meta/recipes-extended/timezone/timezone.inc
+++ b/meta/recipes-extended/timezone/timezone.inc
@@ -4,7 +4,7 @@ SECTION = "base"
 LICENSE = "PD & BSD & BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba"
 
-PV = "2019c"
+PV = "2020a"
 
 SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode \
            http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata \
@@ -12,7 +12,7 @@ SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz
 
 UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones"
 
-SRC_URI[tzcode.md5sum] = "195a17454c5db05cab96595380650391"
-SRC_URI[tzcode.sha256sum] = "f6ebd3668e02d5ed223d3b7b1947561bf2d2da2f4bd1db61efefd9e06c167ed4"
-SRC_URI[tzdata.md5sum] = "f6987e6dfdb2eb83a1b5076a50b80894"
-SRC_URI[tzdata.sha256sum] = "79c7806dab09072308da0e3d22c37d3b245015a591891ea147d3b133b60ffc7c"
+SRC_URI[tzcode.md5sum] = "f87c3477e85a5c4b00df0def6c6a0055"
+SRC_URI[tzcode.sha256sum] = "7d2af7120ee03df71fbca24031ccaf42404752e639196fe93c79a41b38a6d669"
+SRC_URI[tzdata.md5sum] = "96a985bb8eeab535fb8aa2132296763a"
+SRC_URI[tzdata.sha256sum] = "547161eca24d344e0b5f96aff6a76b454da295dc14ed4ca50c2355043fb899a2"