reset upstream subtrees to yocto 2.6

Reset the following subtrees on thud HEAD:

  poky: 87e3a9739d
  meta-openembedded: 6094ae18c8
  meta-security: 31dc4e7532
  meta-raspberrypi: a48743dc36
  meta-xilinx: c42016e2e6

Also re-apply backports that didn't make it into thud:
  poky:
    17726d0 systemd-systemctl-native: handle Install wildcards

  meta-openembedded:
    4321a5d libtinyxml2: update to 7.0.1
    042f0a3 libcereal: Add native and nativesdk classes
    e23284f libcereal: Allow empty package
    030e8d4 rsyslog: curl-less build with fmhttp PACKAGECONFIG
    179a1b9 gtest: update to 1.8.1

Squashed OpenBMC subtree compatibility updates:
  meta-aspeed:
    Brad Bishop (1):
          aspeed: add yocto 2.6 compatibility

  meta-ibm:
    Brad Bishop (1):
          ibm: prepare for yocto 2.6

  meta-ingrasys:
    Brad Bishop (1):
          ingrasys: set layer compatibility to yocto 2.6

  meta-openpower:
    Brad Bishop (1):
          openpower: set layer compatibility to yocto 2.6

  meta-phosphor:
    Brad Bishop (3):
          phosphor: set layer compatibility to thud
          phosphor: libgpg-error: drop patches
          phosphor: react to fitimage artifact rename

    Ed Tanous (4):
          Dropbear: upgrade options for latest upgrade
          yocto2.6: update openssl options
          busybox: remove upstream watchdog patch
          systemd: Rebase CONFIG_CGROUP_BPF patch

Change-Id: I7b1fe71cca880d0372a82d94b5fd785323e3a9e7
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>

1 files changed, 105 insertions, 0 deletions

diff --git a/poky/meta/recipes-extended/ghostscript/files/0004-For-hidden-operators-pass-a-name-object-to-error-han.patch b/poky/meta/recipes-extended/ghostscript/files/0004-For-hidden-operators-pass-a-name-object-to-error-han.patch
new file mode 100644
index 000000000..6c715ad43
--- /dev/null
+++ b/poky/meta/recipes-extended/ghostscript/files/0004-For-hidden-operators-pass-a-name-object-to-error-han.patch
@@ -0,0 +1,105 @@
+From 34a8c5aa987d4db5234172a62218b168371606b1 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Tue, 2 Oct 2018 16:02:58 +0100
+Subject: [PATCH 4/5] For hidden operators, pass a name object to error
+ handler.
+
+In normal operation, Postscript error handlers are passed the object which
+triggered the error: this is invariably an operator object.
+
+The issue arises when an error is triggered by an operator which is for internal
+use only, and that operator is then passed to the error handler, meaning it
+becomes visible to the error handler code.
+
+By converting to a name object, the error message is still valid, but we no
+longer expose internal use only operators.
+
+The change in gs_dps1.ps is related to the above: previously an error in
+scheck would throw an error against .gcheck, but as .gcheck is now a hidden
+operator, it resulted in a name object being passed to the error handler. As
+scheck is a 'real' operator, it's better to use the real operator, rather than
+the name of an internal, hidden one.
+
+CVE: CVE-2018-17961
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ Resource/Init/gs_dps1.ps |  2 +-
+ psi/interp.c             | 33 ++++++++++++++++++++++++---------
+ 2 files changed, 25 insertions(+), 10 deletions(-)
+
+diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps
+index 1182f53..ec5db61 100644
+--- a/Resource/Init/gs_dps1.ps
++++ b/Resource/Init/gs_dps1.ps
+@@ -21,7 +21,7 @@ level2dict begin
+ % ------ Virtual memory ------ %
+ 
+ /currentshared /.currentglobal load def
+-/scheck /.gcheck load def
++/scheck {.gcheck} bind odef
+ %****** FOLLOWING IS WRONG ******
+ /shareddict currentdict /globaldict .knownget not { 20 dict } if def
+ 
+diff --git a/psi/interp.c b/psi/interp.c
+index cd894f9..b70769d 100644
+--- a/psi/interp.c
++++ b/psi/interp.c
+@@ -678,6 +678,8 @@ again:
+     epref = &doref;
+     /* Push the error object on the operand stack if appropriate. */
+     if (!GS_ERROR_IS_INTERRUPT(code)) {
++        byte buf[260], *bufptr;
++        uint rlen;
+         /* Replace the error object if within an oparray or .errorexec. */
+         osp++;
+         if (osp >= ostop) {
+@@ -686,23 +688,36 @@ again:
+         }
+         *osp = *perror_object;
+         errorexec_find(i_ctx_p, osp);
+-        /* If using SAFER, hand a name object to the error handler, rather than the executable
+-         * object/operator itself.
+-         */
+-        if (i_ctx_p->LockFilePermissions) {
++
++        if (!r_has_type(osp, t_string) && !r_has_type(osp, t_name)) {
+             code = obj_cvs(imemory, osp, buf + 2, 256, &rlen, (const byte **)&bufptr);
+             if (code < 0) {
+                 const char *unknownstr = "--unknown--";
+                 rlen = strlen(unknownstr);
+                 memcpy(buf, unknownstr, rlen);
++                bufptr = buf;
+             }
+             else {
+-                buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-';
+-                rlen += 4;
++                ref *tobj;
++                bufptr[rlen] = '\0';
++                /* Only pass a name object if the operator doesn't exist in systemdict
++                 * i.e. it's an internal operator we have hidden
++                 */
++                code = dict_find_string(systemdict, (const char *)bufptr, &tobj);
++                if (code < 0) {
++                    buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-';
++                    rlen += 4;
++                    bufptr = buf;
++                }
++                else {
++                    bufptr = NULL;
++                }
++            }
++            if (bufptr) {
++                code = name_ref(imemory, buf, rlen, osp, 1);
++                if (code < 0)
++                    make_null(osp);
+             }
+-            code = name_ref(imemory, buf, rlen, osp, 1);
+-            if (code < 0)
+-                make_null(osp);
+         }
+     }
+     goto again;
+-- 
+2.7.4
+