Merge commit 'f1e5d6968976c2341c6d554bfcc8895f1b33c26b' from yocto-2.0.1

70 files changed, 5073 insertions, 29 deletions

diff --git a/yocto-poky/meta/recipes-core/busybox/busybox.inc b/yocto-poky/meta/recipes-core/busybox/busybox.inc
index ed8f9fe76..4d4709a48 100644
--- a/yocto-poky/meta/recipes-core/busybox/busybox.inc
+++ b/yocto-poky/meta/recipes-core/busybox/busybox.inc
@@ -103,9 +103,8 @@ python () {
 }
 
 do_prepare_config () {
-	sed -e 's#@DATADIR@#${datadir}#g' \
+	sed -e '/CONFIG_STATIC/d' \
 		< ${WORKDIR}/defconfig > ${S}/.config
-	sed -i -e '/CONFIG_STATIC/d' .config
 	echo "# CONFIG_STATIC is not set" >> .config
 	for i in 'CROSS' 'DISTRO FEATURES'; do echo "### $i"; done >> \
 		${S}/.config
diff --git a/yocto-poky/meta/recipes-core/busybox/busybox/0001-Switch-to-POSIX-utmpx-API.patch b/yocto-poky/meta/recipes-core/busybox/busybox/0001-Switch-to-POSIX-utmpx-API.patch
new file mode 100644
index 000000000..1d299eec9
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/busybox/busybox/0001-Switch-to-POSIX-utmpx-API.patch
@@ -0,0 +1,388 @@
+From 86a7f18f211af1abda5c855d2674b0fcb53de524 Mon Sep 17 00:00:00 2001
+From: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
+Date: Thu, 2 Apr 2015 23:03:46 +0200
+Subject: [PATCH] *: Switch to POSIX utmpx API
+
+UTMP is SVID legacy, UTMPX is mandated by POSIX.
+
+Glibc and uClibc have identical layout of UTMP and UTMPX, both of these
+libc treat _PATH_UTMPX as _PATH_UTMP so from a user-perspective nothing
+changes except the names of the API entrypoints.
+
+Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
+---
+Upstream-Status: Backport
+
+ coreutils/who.c        |  8 ++++----
+ include/libbb.h        |  2 +-
+ init/halt.c            |  4 ++--
+ libbb/utmp.c           | 44 ++++++++++++++++++++++----------------------
+ miscutils/last.c       |  8 ++++----
+ miscutils/last_fancy.c | 16 ++++++++++------
+ miscutils/runlevel.c   | 12 ++++++------
+ miscutils/wall.c       |  8 ++++----
+ procps/uptime.c        |  6 +++---
+ 9 files changed, 56 insertions(+), 52 deletions(-)
+
+diff --git a/coreutils/who.c b/coreutils/who.c
+index f955ce6..8337212 100644
+--- a/coreutils/who.c
++++ b/coreutils/who.c
+@@ -73,7 +73,7 @@ static void idle_string(char *str6, time_t t)
+ int who_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
+ int who_main(int argc UNUSED_PARAM, char **argv)
+ {
+-	struct utmp *ut;
++	struct utmpx *ut;
+ 	unsigned opt;
+ 	int do_users = (ENABLE_USERS && (!ENABLE_WHO || applet_name[0] == 'u'));
+ 	const char *fmt = "%s";
+@@ -83,8 +83,8 @@ int who_main(int argc UNUSED_PARAM, char **argv)
+ 	if (opt & 2) // -H
+ 		printf("USER\t\tTTY\t\tIDLE\tTIME\t\t HOST\n");
+ 
+-	setutent();
+-	while ((ut = getutent()) != NULL) {
++	setutxent();
++	while ((ut = getutxent()) != NULL) {
+ 		if (ut->ut_user[0]
+ 		 && ((opt & 1) || ut->ut_type == USER_PROCESS)
+ 		) {
+@@ -126,6 +126,6 @@ int who_main(int argc UNUSED_PARAM, char **argv)
+ 	if (do_users)
+ 		bb_putchar('\n');
+ 	if (ENABLE_FEATURE_CLEAN_UP)
+-		endutent();
++		endutxent();
+ 	return EXIT_SUCCESS;
+ }
+diff --git a/include/libbb.h b/include/libbb.h
+index 26b6868..0f8363b 100644
+--- a/include/libbb.h
++++ b/include/libbb.h
+@@ -84,7 +84,7 @@
+ # include <selinux/av_permissions.h>
+ #endif
+ #if ENABLE_FEATURE_UTMP
+-# include <utmp.h>
++# include <utmpx.h>
+ #endif
+ #if ENABLE_LOCALE_SUPPORT
+ # include <locale.h>
+diff --git a/init/halt.c b/init/halt.c
+index 7974adb..ad12d91 100644
+--- a/init/halt.c
++++ b/init/halt.c
+@@ -74,7 +74,7 @@
+ 
+ static void write_wtmp(void)
+ {
+-	struct utmp utmp;
++	struct utmpx utmp;
+ 	struct utsname uts;
+ 	/* "man utmp" says wtmp file should *not* be created automagically */
+ 	/*if (access(bb_path_wtmp_file, R_OK|W_OK) == -1) {
+@@ -88,7 +88,7 @@ static void write_wtmp(void)
+ 	utmp.ut_line[0] = '~'; utmp.ut_line[1] = '~'; /* = strcpy(utmp.ut_line, "~~"); */
+ 	uname(&uts);
+ 	safe_strncpy(utmp.ut_host, uts.release, sizeof(utmp.ut_host));
+-	updwtmp(bb_path_wtmp_file, &utmp);
++	updwtmpx(bb_path_wtmp_file, &utmp);
+ }
+ #else
+ #define write_wtmp() ((void)0)
+diff --git a/libbb/utmp.c b/libbb/utmp.c
+index 8ad9ba2..bd07670 100644
+--- a/libbb/utmp.c
++++ b/libbb/utmp.c
+@@ -16,7 +16,7 @@ static void touch(const char *filename)
+ 
+ void FAST_FUNC write_new_utmp(pid_t pid, int new_type, const char *tty_name, const char *username, const char *hostname)
+ {
+-	struct utmp utent;
++	struct utmpx utent;
+ 	char *id;
+ 	unsigned width;
+ 
+@@ -45,17 +45,17 @@ void FAST_FUNC write_new_utmp(pid_t pid, int new_type, const char *tty_name, con
+ 		tty_name += 3;
+ 	strncpy(id, tty_name, width);
+ 
+-	touch(_PATH_UTMP);
+-	//utmpname(_PATH_UTMP);
+-	setutent();
++	touch(_PATH_UTMPX);
++	//utmpxname(_PATH_UTMPX);
++	setutxent();
+ 	/* Append new one (hopefully, unless we collide on ut_id) */
+-	pututline(&utent);
+-	endutent();
++	pututxline(&utent);
++	endutxent();
+ 
+ #if ENABLE_FEATURE_WTMP
+ 	/* "man utmp" says wtmp file should *not* be created automagically */
+ 	/*touch(bb_path_wtmp_file);*/
+-	updwtmp(bb_path_wtmp_file, &utent);
++	updwtmpx(bb_path_wtmp_file, &utent);
+ #endif
+ }
+ 
+@@ -64,17 +64,17 @@ void FAST_FUNC write_new_utmp(pid_t pid, int new_type, const char *tty_name, con
+  */
+ void FAST_FUNC update_utmp(pid_t pid, int new_type, const char *tty_name, const char *username, const char *hostname)
+ {
+-	struct utmp utent;
+-	struct utmp *utp;
++	struct utmpx utent;
++	struct utmpx *utp;
+ 
+-	touch(_PATH_UTMP);
+-	//utmpname(_PATH_UTMP);
+-	setutent();
++	touch(_PATH_UTMPX);
++	//utmpxname(_PATH_UTMPX);
++	setutxent();
+ 
+ 	/* Did init/getty/telnetd/sshd/... create an entry for us?
+ 	 * It should be (new_type-1), but we'd also reuse
+ 	 * any other potentially stale xxx_PROCESS entry */
+-	while ((utp = getutent()) != NULL) {
++	while ((utp = getutxent()) != NULL) {
+ 		if (utp->ut_pid == pid
+ 		// && ut->ut_line[0]
+ 		 && utp->ut_id[0] /* must have nonzero id */
+@@ -88,25 +88,25 @@ void FAST_FUNC update_utmp(pid_t pid, int new_type, const char *tty_name, const
+ 				/* Stale record. Nuke hostname */
+ 				memset(utp->ut_host, 0, sizeof(utp->ut_host));
+ 			}
+-			/* NB: pututline (see later) searches for matching utent
+-			 * using getutid(utent) - we must not change ut_id
++			/* NB: pututxline (see later) searches for matching utxent
++			 * using getutxid(utent) - we must not change ut_id
+ 			 * if we want *exactly this* record to be overwritten!
+ 			 */
+ 			break;
+ 		}
+ 	}
+-	//endutent(); - no need, pututline can deal with (and actually likes)
++	//endutxent(); - no need, pututxline can deal with (and actually likes)
+ 	//the situation when utmp file is positioned on found record
+ 
+ 	if (!utp) {
+ 		if (new_type != DEAD_PROCESS)
+ 			write_new_utmp(pid, new_type, tty_name, username, hostname);
+ 		else
+-			endutent();
++			endutxent();
+ 		return;
+ 	}
+ 
+-	/* Make a copy. We can't use *utp, pututline's internal getutid
++	/* Make a copy. We can't use *utp, pututxline's internal getutxid
+ 	 * will overwrite it before it is used! */
+ 	utent = *utp;
+ 
+@@ -120,14 +120,14 @@ void FAST_FUNC update_utmp(pid_t pid, int new_type, const char *tty_name, const
+ 	utent.ut_tv.tv_sec = time(NULL);
+ 
+ 	/* Update, or append new one */
+-	//setutent();
+-	pututline(&utent);
+-	endutent();
++	//setutxent();
++	pututxline(&utent);
++	endutxent();
+ 
+ #if ENABLE_FEATURE_WTMP
+ 	/* "man utmp" says wtmp file should *not* be created automagically */
+ 	/*touch(bb_path_wtmp_file);*/
+-	updwtmp(bb_path_wtmp_file, &utent);
++	updwtmpx(bb_path_wtmp_file, &utent);
+ #endif
+ }
+ 
+diff --git a/miscutils/last.c b/miscutils/last.c
+index a144c7e..6d8b584 100644
+--- a/miscutils/last.c
++++ b/miscutils/last.c
+@@ -32,21 +32,21 @@
+ 
+ #if defined UT_LINESIZE \
+ 	&& ((UT_LINESIZE != 32) || (UT_NAMESIZE != 32) || (UT_HOSTSIZE != 256))
+-#error struct utmp member char[] size(s) have changed!
++#error struct utmpx member char[] size(s) have changed!
+ #elif defined __UT_LINESIZE \
+ 	&& ((__UT_LINESIZE != 32) || (__UT_NAMESIZE != 64) || (__UT_HOSTSIZE != 256))
+-#error struct utmp member char[] size(s) have changed!
++#error struct utmpx member char[] size(s) have changed!
+ #endif
+ 
+ #if EMPTY != 0 || RUN_LVL != 1 || BOOT_TIME != 2 || NEW_TIME != 3 || \
+ 	OLD_TIME != 4
+-#error Values for the ut_type field of struct utmp changed
++#error Values for the ut_type field of struct utmpx changed
+ #endif
+ 
+ int last_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
+ int last_main(int argc UNUSED_PARAM, char **argv UNUSED_PARAM)
+ {
+-	struct utmp ut;
++	struct utmpx ut;
+ 	int n, file = STDIN_FILENO;
+ 	time_t t_tmp;
+ 	off_t pos;
+diff --git a/miscutils/last_fancy.c b/miscutils/last_fancy.c
+index 16ed9e9..8194e31 100644
+--- a/miscutils/last_fancy.c
++++ b/miscutils/last_fancy.c
+@@ -22,6 +22,10 @@
+ #define HEADER_LINE_WIDE  "USER", "TTY", \
+ 	INET6_ADDRSTRLEN, INET6_ADDRSTRLEN, "HOST", "LOGIN", "  TIME", ""
+ 
++#if !defined __UT_LINESIZE && defined UT_LINESIZE
++# define __UT_LINESIZE UT_LINESIZE
++#endif
++
+ enum {
+ 	NORMAL,
+ 	LOGGED,
+@@ -39,7 +43,7 @@ enum {
+ 
+ #define show_wide (option_mask32 & LAST_OPT_W)
+ 
+-static void show_entry(struct utmp *ut, int state, time_t dur_secs)
++static void show_entry(struct utmpx *ut, int state, time_t dur_secs)
+ {
+ 	unsigned days, hours, mins;
+ 	char duration[sizeof("(%u+02:02)") + sizeof(int)*3];
+@@ -104,7 +108,7 @@ static void show_entry(struct utmp *ut, int state, time_t dur_secs)
+ 		duration_str);
+ }
+ 
+-static int get_ut_type(struct utmp *ut)
++static int get_ut_type(struct utmpx *ut)
+ {
+ 	if (ut->ut_line[0] == '~') {
+ 		if (strcmp(ut->ut_user, "shutdown") == 0) {
+@@ -142,7 +146,7 @@ static int get_ut_type(struct utmp *ut)
+ 	return ut->ut_type;
+ }
+ 
+-static int is_runlevel_shutdown(struct utmp *ut)
++static int is_runlevel_shutdown(struct utmpx *ut)
+ {
+ 	if (((ut->ut_pid & 255) == '0') || ((ut->ut_pid & 255) == '6')) {
+ 		return 1;
+@@ -154,7 +158,7 @@ static int is_runlevel_shutdown(struct utmp *ut)
+ int last_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
+ int last_main(int argc UNUSED_PARAM, char **argv)
+ {
+-	struct utmp ut;
++	struct utmpx ut;
+ 	const char *filename = _PATH_WTMP;
+ 	llist_t *zlist;
+ 	off_t pos;
+@@ -242,9 +246,9 @@ int last_main(int argc UNUSED_PARAM, char **argv)
+ 			{
+ 				llist_t *el, *next;
+ 				for (el = zlist; el; el = next) {
+-					struct utmp *up = (struct utmp *)el->data;
++					struct utmpx *up = (struct utmpx *)el->data;
+ 					next = el->link;
+-					if (strncmp(up->ut_line, ut.ut_line, UT_LINESIZE) == 0) {
++					if (strncmp(up->ut_line, ut.ut_line, __UT_LINESIZE) == 0) {
+ 						if (show) {
+ 							show_entry(&ut, NORMAL, up->ut_tv.tv_sec);
+ 							show = 0;
+diff --git a/miscutils/runlevel.c b/miscutils/runlevel.c
+index 76231df..8558db8 100644
+--- a/miscutils/runlevel.c
++++ b/miscutils/runlevel.c
+@@ -29,19 +29,19 @@
+ int runlevel_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
+ int runlevel_main(int argc UNUSED_PARAM, char **argv)
+ {
+-	struct utmp *ut;
++	struct utmpx *ut;
+ 	char prev;
+ 
+-	if (argv[1]) utmpname(argv[1]);
++	if (argv[1]) utmpxname(argv[1]);
+ 
+-	setutent();
+-	while ((ut = getutent()) != NULL) {
++	setutxent();
++	while ((ut = getutxent()) != NULL) {
+ 		if (ut->ut_type == RUN_LVL) {
+ 			prev = ut->ut_pid / 256;
+ 			if (prev == 0) prev = 'N';
+ 			printf("%c %c\n", prev, ut->ut_pid % 256);
+ 			if (ENABLE_FEATURE_CLEAN_UP)
+-				endutent();
++				endutxent();
+ 			return 0;
+ 		}
+ 	}
+@@ -49,6 +49,6 @@ int runlevel_main(int argc UNUSED_PARAM, char **argv)
+ 	puts("unknown");
+ 
+ 	if (ENABLE_FEATURE_CLEAN_UP)
+-		endutent();
++		endutxent();
+ 	return 1;
+ }
+diff --git a/miscutils/wall.c b/miscutils/wall.c
+index bb709ee..50658f4 100644
+--- a/miscutils/wall.c
++++ b/miscutils/wall.c
+@@ -32,7 +32,7 @@
+ int wall_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
+ int wall_main(int argc UNUSED_PARAM, char **argv)
+ {
+-	struct utmp *ut;
++	struct utmpx *ut;
+ 	char *msg;
+ 	int fd;
+ 
+@@ -46,8 +46,8 @@ int wall_main(int argc UNUSED_PARAM, char **argv)
+ 	msg = xmalloc_read(fd, NULL);
+ 	if (ENABLE_FEATURE_CLEAN_UP && argv[1])
+ 		close(fd);
+-	setutent();
+-	while ((ut = getutent()) != NULL) {
++	setutxent();
++	while ((ut = getutxent()) != NULL) {
+ 		char *line;
+ 		if (ut->ut_type != USER_PROCESS)
+ 			continue;
+@@ -56,7 +56,7 @@ int wall_main(int argc UNUSED_PARAM, char **argv)
+ 		free(line);
+ 	}
+ 	if (ENABLE_FEATURE_CLEAN_UP) {
+-		endutent();
++		endutxent();
+ 		free(msg);
+ 	}
+ 	return EXIT_SUCCESS;
+diff --git a/procps/uptime.c b/procps/uptime.c
+index 778812a..149bae6 100644
+--- a/procps/uptime.c
++++ b/procps/uptime.c
+@@ -81,10 +81,10 @@ int uptime_main(int argc UNUSED_PARAM, char **argv UNUSED_PARAM)
+ 
+ #if ENABLE_FEATURE_UPTIME_UTMP_SUPPORT
+ 	{
+-		struct utmp *ut;
++		struct utmpx *ut;
+ 		unsigned users = 0;
+-		while ((ut = getutent()) != NULL) {
+-			if ((ut->ut_type == USER_PROCESS) && (ut->ut_name[0] != '\0'))
++		while ((ut = getutxent()) != NULL) {
++			if ((ut->ut_type == USER_PROCESS) && (ut->ut_user[0] != '\0'))
+ 				users++;
+ 		}
+ 		printf(",  %u users", users);
+-- 
+2.5.1
+
diff --git a/yocto-poky/meta/recipes-core/busybox/busybox/0001-Use-CC-when-linking-instead-of-LD-and-use-CFLAGS-and.patch b/yocto-poky/meta/recipes-core/busybox/busybox/0001-Use-CC-when-linking-instead-of-LD-and-use-CFLAGS-and.patch
new file mode 100644
index 000000000..2bf2b91c7
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/busybox/busybox/0001-Use-CC-when-linking-instead-of-LD-and-use-CFLAGS-and.patch
@@ -0,0 +1,114 @@
+From a9333eb6a7b8dbda735947cd5bc981ff9352a2c9 Mon Sep 17 00:00:00 2001
+From: Nathan Phillip Brink <ohnobinki@ohnopublishing.net>
+Date: Thu, 10 Mar 2011 00:27:08 -0500
+Subject: [PATCH 1/2] Use $(CC) when linking instead of $(LD) and use $(CFLAGS)
+ and $(EXTRA_CFLAGS) when linking.
+
+This fixes the issue where LDFLAGS escaped with -Wl are ignored during
+compilation. It also simplifies using CFLAGS or EXTRA_CFLAGS (such as
+-m32 on x86_64 or -flto) which apply to both compilation and linking
+situations.
+
+Signed-off-by: Nathan Phillip Brink <ohnobinki@ohnopublishing.net>
+---
+Upstream-Status: Pending
+
+ Makefile               |  7 ++++---
+ scripts/Makefile.build |  8 ++++----
+ scripts/Makefile.lib   | 13 +++----------
+ 3 files changed, 11 insertions(+), 17 deletions(-)
+
+Index: busybox-1.23.2/Makefile
+===================================================================
+--- busybox-1.23.2.orig/Makefile
++++ busybox-1.23.2/Makefile
+@@ -309,7 +309,8 @@ CHECKFLAGS     := -D__linux__ -Dlinux -D
+ MODFLAGS	= -DMODULE
+ CFLAGS_MODULE   = $(MODFLAGS)
+ AFLAGS_MODULE   = $(MODFLAGS)
+-LDFLAGS_MODULE  = -r
++LDFLAGS_RELOCATABLE = -r -nostdlib
++LDFLAGS_MODULE  = $(LDFLAGS_RELOCATABLE)
+ CFLAGS_KERNEL	=
+ AFLAGS_KERNEL	=
+ 
+@@ -331,7 +332,7 @@ KERNELVERSION = $(VERSION).$(PATCHLEVEL)
+ export	VERSION PATCHLEVEL SUBLEVEL KERNELRELEASE KERNELVERSION \
+ 	ARCH CONFIG_SHELL HOSTCC HOSTCFLAGS CROSS_COMPILE AS LD CC \
+ 	CPP AR NM STRIP OBJCOPY OBJDUMP MAKE AWK GENKSYMS PERL UTS_MACHINE \
+-	HOSTCXX HOSTCXXFLAGS LDFLAGS_MODULE CHECK CHECKFLAGS
++	HOSTCXX HOSTCXXFLAGS LDFLAGS_RELOCATABLE LDFLAGS_MODULE CHECK CHECKFLAGS
+ 
+ export CPPFLAGS NOSTDINC_FLAGS LINUXINCLUDE OBJCOPYFLAGS LDFLAGS
+ export CFLAGS CFLAGS_KERNEL CFLAGS_MODULE
+@@ -610,7 +611,7 @@ quiet_cmd_busybox__ ?= LINK    $@
+       cmd_busybox__ ?= $(srctree)/scripts/trylink \
+       "$@" \
+       "$(CC)" \
+-      "$(CFLAGS) $(CFLAGS_busybox)" \
++      "$(CFLAGS) $(CFLAGS_busybox) $(EXTRA_CFLAGS)" \
+       "$(LDFLAGS) $(EXTRA_LDFLAGS)" \
+       "$(core-y)" \
+       "$(libs-y)" \
+Index: busybox-1.23.2/scripts/Makefile.build
+===================================================================
+--- busybox-1.23.2.orig/scripts/Makefile.build
++++ busybox-1.23.2/scripts/Makefile.build
+@@ -174,7 +174,7 @@ cmd_modversions =							\
+ 		| $(GENKSYMS) -a $(ARCH)				\
+ 		> $(@D)/.tmp_$(@F:.o=.ver);				\
+ 									\
+-		$(LD) $(LDFLAGS) -r -o $@ $(@D)/.tmp_$(@F) 		\
++               $(CC) $(ld_flags_partial) $(LDFLAGS_RELOCATABLE) -o $@ $(@D)/.tmp_$(@F)        \
+ 			-T $(@D)/.tmp_$(@F:.o=.ver);			\
+ 		rm -f $(@D)/.tmp_$(@F) $(@D)/.tmp_$(@F:.o=.ver);	\
+ 	else								\
+@@ -257,7 +257,7 @@ quiet_cmd_link_o_target = LD      $@
+ # If the list of objects to link is empty, just create an empty built-in.o
+ # -nostdlib is added to make "make LD=gcc ..." work (some people use that)
+ cmd_link_o_target = $(if $(strip $(obj-y)),\
+-		$(LD) -nostdlib $(ld_flags) -r -o $@ $(filter $(obj-y), $^),\
++		$(CC) $(ld_flags_partial) $(LDFLAGS_RELOCATABLE) -o $@ $(filter $(obj-y), $^),\
+ 		rm -f $@; $(AR) rcs $@)
+ 
+ $(builtin-target): $(obj-y) FORCE
+@@ -292,10 +292,10 @@ $($(subst $(obj)/,,$(@:.o=-objs)))    \
+ $($(subst $(obj)/,,$(@:.o=-y)))), $^)
+ 
+ quiet_cmd_link_multi-y = LD      $@
+-cmd_link_multi-y = $(LD) $(ld_flags) -r -o $@ $(link_multi_deps)
++cmd_link_multi-y = $(CC) $(ld_flags_partial) $(LDFLAGS_RELOCATABLE) -o $@ $(link_multi_deps)
+ 
+ quiet_cmd_link_multi-m = LD [M]  $@
+-cmd_link_multi-m = $(LD) $(ld_flags) $(LDFLAGS_MODULE) -o $@ $(link_multi_deps)
++cmd_link_multi-m = $(CC) $(ld_flags) $(LDFLAGS_MODULE) -o $@ $(link_multi_deps)
+ 
+ # We would rather have a list of rules like
+ # 	foo.o: $(foo-objs)
+Index: busybox-1.23.2/scripts/Makefile.lib
+===================================================================
+--- busybox-1.23.2.orig/scripts/Makefile.lib
++++ busybox-1.23.2/scripts/Makefile.lib
+@@ -121,7 +121,8 @@ cpp_flags      = -Wp,-MD,$(depfile) $(NO
+ # yet ld_flags is fed to ld.
+ #ld_flags       = $(LDFLAGS) $(EXTRA_LDFLAGS)
+ # Remove the -Wl, prefix from linker options normally passed through gcc
+-ld_flags       = $(filter-out -Wl$(comma)%,$(LDFLAGS) $(EXTRA_LDFLAGS))
++ld_flags       = $(filter-out -Wl$(comma)%,$(LDFLAGS) $(EXTRA_LDFLAGS) $(CFLAGS) $(EXTRA_CFLAGS))
++ld_flags_partial = $($(filter-out -shared%, $(filter-out -pie%,$(ld_flags))))
+ 
+ 
+ # Finds the multi-part object the current object will be linked into
+@@ -151,10 +152,8 @@ $(obj)/%:: $(src)/%_shipped
+ # Linking
+ # ---------------------------------------------------------------------------
+ 
+-# TODO: LDFLAGS usually is supposed to contain gcc's flags, not ld's.
+-# but here we feed them to ld!
+-quiet_cmd_ld = LD      $@
+-cmd_ld = $(LD) $(LDFLAGS) $(EXTRA_LDFLAGS) $(LDFLAGS_$(@F)) \
++quiet_cmd_ld = CC    $@
++cmd_ld = $(CC) $(ld_flags) $(LDFLAGS_$(@F)) \
+ 	       $(filter-out FORCE,$^) -o $@
+ 
+ # Objcopy
diff --git a/yocto-poky/meta/recipes-core/busybox/busybox/0001-randconfig-fix.patch b/yocto-poky/meta/recipes-core/busybox/busybox/0001-randconfig-fix.patch
new file mode 100644
index 000000000..415ec3409
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/busybox/busybox/0001-randconfig-fix.patch
@@ -0,0 +1,33 @@
+If CONFIG_FEATURE_LAST_SMALL is enabled the build fails because of a broken
+__UT_NAMESIZE test.
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 932302666b0354ede63504d1bef8393cab28db8b Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Sun, 11 Oct 2015 16:58:18 +0200
+Subject: [PATCH] randconfig fix
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ miscutils/last.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/miscutils/last.c b/miscutils/last.c
+index 6d8b584..f8f3437 100644
+--- a/miscutils/last.c
++++ b/miscutils/last.c
+@@ -34,7 +34,8 @@
+ 	&& ((UT_LINESIZE != 32) || (UT_NAMESIZE != 32) || (UT_HOSTSIZE != 256))
+ #error struct utmpx member char[] size(s) have changed!
+ #elif defined __UT_LINESIZE \
+-	&& ((__UT_LINESIZE != 32) || (__UT_NAMESIZE != 64) || (__UT_HOSTSIZE != 256))
++	&& ((__UT_LINESIZE != 32) || (__UT_NAMESIZE != 32) || (__UT_HOSTSIZE != 256))
++/* __UT_NAMESIZE was checked with 64 above, but glibc-2.11 definitely uses 32! */
+ #error struct utmpx member char[] size(s) have changed!
+ #endif
+ 
+-- 
+2.6.4
+
diff --git a/yocto-poky/meta/recipes-core/busybox/busybox/0002-Passthrough-r-to-linker.patch b/yocto-poky/meta/recipes-core/busybox/busybox/0002-Passthrough-r-to-linker.patch
new file mode 100644
index 000000000..de286fb74
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/busybox/busybox/0002-Passthrough-r-to-linker.patch
@@ -0,0 +1,32 @@
+From df2cc76cdebc4773361477f3db203790f6986e3b Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sat, 22 Aug 2015 23:42:40 -0700
+Subject: [PATCH 2/2] Passthrough -r to linker
+
+clang does not have -r switch and it does not pass it down to linker
+either, LDFLAGS_RELOCATABLE is used when CC is used for LD, so this
+should not cause side effects
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+Upstream-Status: Pending
+
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 9da02cb..10dd4a9 100644
+--- a/Makefile
++++ b/Makefile
+@@ -309,7 +309,7 @@ CHECKFLAGS     := -D__linux__ -Dlinux -D__STDC__ -Dunix -D__unix__ -Wbitwise $(C
+ MODFLAGS	= -DMODULE
+ CFLAGS_MODULE   = $(MODFLAGS)
+ AFLAGS_MODULE   = $(MODFLAGS)
+-LDFLAGS_RELOCATABLE = -r -nostdlib
++LDFLAGS_RELOCATABLE = -Xlinker -r -nostdlib
+ LDFLAGS_MODULE  = $(LDFLAGS_RELOCATABLE)
+ CFLAGS_KERNEL	=
+ AFLAGS_KERNEL	=
+-- 
+2.1.4
+
diff --git a/yocto-poky/meta/recipes-core/busybox/busybox_1.23.2.bb b/yocto-poky/meta/recipes-core/busybox/busybox_1.23.2.bb
index e4d9f9718..7258df022 100644
--- a/yocto-poky/meta/recipes-core/busybox/busybox_1.23.2.bb
+++ b/yocto-poky/meta/recipes-core/busybox/busybox_1.23.2.bb
@@ -30,8 +30,12 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://login-utilities.cfg \
            file://recognize_connmand.patch \
            file://busybox-cross-menuconfig.patch \
+           file://0001-Switch-to-POSIX-utmpx-API.patch \
            file://0001-ifconfig-fix-double-free-fatal-error-in-INET_sprint.patch \
            file://0001-chown-fix-help-text.patch \
+           file://0001-Use-CC-when-linking-instead-of-LD-and-use-CFLAGS-and.patch \
+           file://0002-Passthrough-r-to-linker.patch \
+           file://0001-randconfig-fix.patch \
            file://mount-via-label.cfg \
            file://sha1sum.cfg \
            file://sha256sum.cfg \
diff --git a/yocto-poky/meta/recipes-core/coreutils/coreutils-6.9/loadavg.patch b/yocto-poky/meta/recipes-core/coreutils/coreutils-6.9/loadavg.patch
new file mode 100644
index 000000000..c72efd4d3
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/coreutils/coreutils-6.9/loadavg.patch
@@ -0,0 +1,18 @@
+Remove hardcoded paths so OE's configure QA does not detect it and fail the builds
+For cross compilation is less interesting to look into host paths for target libraries anyway
+
+Upstream-Status: Inappropriate [OE Specific]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+Index: coreutils-6.9/m4/getloadavg.m4
+===================================================================
+--- coreutils-6.9.orig/m4/getloadavg.m4
++++ coreutils-6.9/m4/getloadavg.m4
+@@ -49,7 +49,6 @@ if test $gl_have_func = no; then
+   # There is a commonly available library for RS/6000 AIX.
+   # Since it is not a standard part of AIX, it might be installed locally.
+   gl_getloadavg_LIBS=$LIBS
+-  LIBS="-L/usr/local/lib $LIBS"
+   AC_CHECK_LIB(getloadavg, getloadavg,
+ 	       [LIBS="-lgetloadavg $LIBS"], [LIBS=$gl_getloadavg_LIBS])
+ fi
diff --git a/yocto-poky/meta/recipes-core/coreutils/coreutils_6.9.bb b/yocto-poky/meta/recipes-core/coreutils/coreutils_6.9.bb
index 4ff1d50bd..e9f82abc8 100644
--- a/yocto-poky/meta/recipes-core/coreutils/coreutils_6.9.bb
+++ b/yocto-poky/meta/recipes-core/coreutils/coreutils_6.9.bb
@@ -9,6 +9,7 @@ LICENSE = "GPLv2+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe \
                     file://src/ls.c;beginline=4;endline=16;md5=15ed60f67b1db5fedd5dbc37cf8a9543"
 PR = "r5"
+DEPENDS = "virtual/libiconv"
 
 inherit autotools gettext texinfo
 
@@ -25,6 +26,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.bz2 \
            file://coreutils-build-with-acl.patch \
            file://coreutils-fix-texinfo.patch \
            file://fix_for_manpage_building.patch \
+           file://loadavg.patch \
            "
 
 SRC_URI[md5sum] = "c9607d8495f16e98906e7ed2d9751a06"
diff --git a/yocto-poky/meta/recipes-core/coreutils/coreutils_8.24.bb b/yocto-poky/meta/recipes-core/coreutils/coreutils_8.24.bb
index 034ebcda9..f04234624 100644
--- a/yocto-poky/meta/recipes-core/coreutils/coreutils_8.24.bb
+++ b/yocto-poky/meta/recipes-core/coreutils/coreutils_8.24.bb
@@ -62,7 +62,7 @@ do_compile_prepend () {
 	mkdir -p ${B}/src
 }
 
-do_install_append() {
+do_install_append_class-target() {
 	for i in df mktemp base64; do mv ${D}${bindir}/$i ${D}${bindir}/$i.${BPN}; done
 
 	install -d ${D}${base_bindir}
diff --git a/yocto-poky/meta/recipes-core/dropbear/dropbear/dropbear@.service b/yocto-poky/meta/recipes-core/dropbear/dropbear/dropbear@.service
index 6fe994209..b420bcddc 100644
--- a/yocto-poky/meta/recipes-core/dropbear/dropbear/dropbear@.service
+++ b/yocto-poky/meta/recipes-core/dropbear/dropbear/dropbear@.service
@@ -4,8 +4,9 @@ Wants=dropbearkey.service
 After=syslog.target dropbearkey.service
 
 [Service]
+Environment="DROPBEAR_RSAKEY_DIR=/etc/dropbear"
 EnvironmentFile=-/etc/default/dropbear
-ExecStart=-@SBINDIR@/dropbear -i -r /etc/dropbear/dropbear_rsa_host_key $DROPBEAR_EXTRA_ARGS
+ExecStart=-@SBINDIR@/dropbear -i -r ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key $DROPBEAR_EXTRA_ARGS
 ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
 StandardInput=socket
 KillMode=process
diff --git a/yocto-poky/meta/recipes-core/dropbear/dropbear/dropbearkey.service b/yocto-poky/meta/recipes-core/dropbear/dropbear/dropbearkey.service
index ccc21d5cc..c49053d57 100644
--- a/yocto-poky/meta/recipes-core/dropbear/dropbear/dropbearkey.service
+++ b/yocto-poky/meta/recipes-core/dropbear/dropbear/dropbearkey.service
@@ -1,8 +1,13 @@
 [Unit]
 Description=SSH Key Generation
-ConditionPathExists=|!/etc/dropbear/dropbear_rsa_host_key
+RequiresMountsFor=/var /var/lib
+ConditionPathExists=!/etc/dropbear/dropbear_rsa_host_key
+ConditionPathExists=!/var/lib/dropbear/dropbear_rsa_host_key
 
 [Service]
+Environment="DROPBEAR_RSAKEY_DIR=/etc/dropbear"
+EnvironmentFile=-/etc/default/dropbear
 Type=oneshot
-ExecStart=@SBINDIR@/dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
+ExecStart=@BASE_BINDIR@/mkdir -p ${DROPBEAR_RSAKEY_DIR}
+ExecStart=@SBINDIR@/dropbearkey -t rsa -f ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key
 RemainAfterExit=yes
diff --git a/yocto-poky/meta/recipes-core/glibc/cross-localedef-native_2.22.bb b/yocto-poky/meta/recipes-core/glibc/cross-localedef-native_2.22.bb
index 2153ece0e..3aefe748f 100644
--- a/yocto-poky/meta/recipes-core/glibc/cross-localedef-native_2.22.bb
+++ b/yocto-poky/meta/recipes-core/glibc/cross-localedef-native_2.22.bb
@@ -14,12 +14,13 @@ inherit autotools
 
 FILESEXTRAPATHS =. "${FILE_DIRNAME}/${PN}:${FILE_DIRNAME}/glibc:"
 
-BRANCH ?= "release/${PV}/master"
+SRCBRANCH ?= "release/${PV}/master"
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
 
-SRC_URI = "${GLIBC_GIT_URI};branch=${BRANCH};name=glibc \
+SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            git://github.com/kraj/localedef;branch=master;name=localedef;destsuffix=git/localedef \
            file://fix_for_centos_5.8.patch \
+	   file://strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch \
            ${EGLIBCPATCHES} \
 "
 EGLIBCPATCHES = "\
diff --git a/yocto-poky/meta/recipes-core/glibc/glibc-locale.inc b/yocto-poky/meta/recipes-core/glibc/glibc-locale.inc
index df6d07343..2352bd029 100644
--- a/yocto-poky/meta/recipes-core/glibc/glibc-locale.inc
+++ b/yocto-poky/meta/recipes-core/glibc/glibc-locale.inc
@@ -87,7 +87,7 @@ do_install () {
 	if [ -e ${LOCALETREESRC}/${datadir}/locale ]; then
 		cp -fpPR ${LOCALETREESRC}/${datadir}/locale ${D}${datadir}
 	fi
-	chown root.root -R ${D}
+	chown root:root -R ${D}
 	cp -fpPR ${LOCALETREESRC}/SUPPORTED ${WORKDIR}
 }
 
diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/0028-Clear-ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA-for-prel.patch b/yocto-poky/meta/recipes-core/glibc/glibc/0028-Clear-ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA-for-prel.patch
new file mode 100644
index 000000000..3455df1cf
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/glibc/glibc/0028-Clear-ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA-for-prel.patch
@@ -0,0 +1,84 @@
+From cadaf1336332ca7bcdfe4a400776e5782a20e26d Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Wed, 28 Oct 2015 07:49:44 -0700
+Subject: [PATCH] Keep only ELF_RTYPE_CLASS_{PLT|COPY} bits for prelink
+
+prelink runs ld.so with the environment variable LD_TRACE_PRELINKING
+set to dump the relocation type class from _dl_debug_bindings.  prelink
+has the following relocation type classes:
+
+ #define RTYPE_CLASS_VALID       8
+ #define RTYPE_CLASS_PLT         (8|1)
+ #define RTYPE_CLASS_COPY        (8|2)
+ #define RTYPE_CLASS_TLS         (8|4)
+
+where ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA has a conflict with
+RTYPE_CLASS_TLS.
+
+Since prelink only uses ELF_RTYPE_CLASS_PLT and ELF_RTYPE_CLASS_COPY
+bits, we should clear the other bits when the DL_DEBUG_PRELINK bit is
+set.
+
+	[BZ #19178]
+	* elf/dl-lookup.c (RTYPE_CLASS_VALID): New.
+	(RTYPE_CLASS_PLT): Likewise.
+	(RTYPE_CLASS_COPY): Likewise.
+	(RTYPE_CLASS_TLS): Likewise.
+	(_dl_debug_bindings): Use RTYPE_CLASS_TLS and RTYPE_CLASS_VALID
+	to set relocation type class for DL_DEBUG_PRELINK.  Keep only
+	ELF_RTYPE_CLASS_PLT and ELF_RTYPE_CLASS_COPY bits for
+	DL_DEBUG_PRELINK.
+
+Upstream-Status: submitted (https://sourceware.org/bugzilla/show_bug.cgi?id=19178)
+
+Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
+---
+ elf/dl-lookup.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/elf/dl-lookup.c b/elf/dl-lookup.c
+index 581fb20..6ae6cc3 100644
+--- a/elf/dl-lookup.c
++++ b/elf/dl-lookup.c
+@@ -1016,6 +1016,18 @@ _dl_debug_bindings (const char *undef_name, struct link_map *undef_map,
+ #ifdef SHARED
+   if (GLRO(dl_debug_mask) & DL_DEBUG_PRELINK)
+     {
++/* ELF_RTYPE_CLASS_XXX must match RTYPE_CLASS_XXX used by prelink with
++   LD_TRACE_PRELINKING.  */
++#define RTYPE_CLASS_VALID	8
++#define RTYPE_CLASS_PLT		(8|1)
++#define RTYPE_CLASS_COPY	(8|2)
++#define RTYPE_CLASS_TLS		(8|4)
++#if ELF_RTYPE_CLASS_PLT != 0 && ELF_RTYPE_CLASS_PLT != 1
++# error ELF_RTYPE_CLASS_PLT must be 0 or 1!
++#endif
++#if ELF_RTYPE_CLASS_COPY != 0 && ELF_RTYPE_CLASS_COPY != 2
++# error ELF_RTYPE_CLASS_COPY must be 0 or 2!
++#endif
+       int conflict = 0;
+       struct sym_val val = { NULL, NULL };
+ 
+@@ -1071,12 +1083,17 @@ _dl_debug_bindings (const char *undef_name, struct link_map *undef_map,
+ 
+       if (value->s)
+ 	{
++	  /* Keep only ELF_RTYPE_CLASS_PLT and ELF_RTYPE_CLASS_COPY
++	     bits since since prelink only uses them.  */
++	  type_class &= ELF_RTYPE_CLASS_PLT | ELF_RTYPE_CLASS_COPY;
+ 	  if (__glibc_unlikely (ELFW(ST_TYPE) (value->s->st_info)
+ 				== STT_TLS))
+-	    type_class = 4;
++	    /* Clear the RTYPE_CLASS_VALID bit in RTYPE_CLASS_TLS.  */
++	    type_class = RTYPE_CLASS_TLS & ~RTYPE_CLASS_VALID;
+ 	  else if (__glibc_unlikely (ELFW(ST_TYPE) (value->s->st_info)
+ 				     == STT_GNU_IFUNC))
+-	    type_class |= 8;
++	    /* Set the RTYPE_CLASS_VALID bit.  */
++	    type_class |= RTYPE_CLASS_VALID;
+ 	}
+ 
+       if (conflict
+-- 
+1.9.3
+
diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-7547.patch b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-7547.patch
new file mode 100644
index 000000000..4e539f849
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-7547.patch
@@ -0,0 +1,642 @@
+From e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca Mon Sep 17 00:00:00 2001
+From: Carlos O'Donell <carlos@systemhalted.org>
+Date: Tue, 16 Feb 2016 21:26:37 -0500
+Subject: [PATCH] CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug
+ 18665).
+
+* A stack-based buffer overflow was found in libresolv when invoked from
+  libnss_dns, allowing specially crafted DNS responses to seize control
+  of execution flow in the DNS client.  The buffer overflow occurs in
+  the functions send_dg (send datagram) and send_vc (send TCP) for the
+  NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
+  family.  The use of AF_UNSPEC triggers the low-level resolver code to
+  send out two parallel queries for A and AAAA.  A mismanagement of the
+  buffers used for those queries could result in the response of a query
+  writing beyond the alloca allocated buffer created by
+  _nss_dns_gethostbyname4_r.  Buffer management is simplified to remove
+  the overflow.  Thanks to the Google Security Team and Red Hat for
+  reporting the security impact of this issue, and Robert Holiday of
+  Ciena for reporting the related bug 18665. (CVE-2015-7547)
+
+See also:
+https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
+https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html
+
+Upstream-Status: Backport
+CVE: CVE-2015-7547
+
+https://sourceware.org/git/?p=glibc.git;a=commit;h=e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca
+minor tweeking to apply to Changelog and res_send.c
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog                 |  17 ++-
+ NEWS                      |  14 +++
+ resolv/nss_dns/dns-host.c | 111 +++++++++++++++++++-
+ resolv/res_query.c        |   3 +
+ resolv/res_send.c         | 260 +++++++++++++++++++++++++++++++++++-----------
+ 5 files changed, 339 insertions(+), 66 deletions(-)
+
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -105,6 +105,20 @@ Security related changes:
+   depending on the length of the string passed as an argument to the
+   functions.  Reported by Joseph Myers.
+ 
++* A stack-based buffer overflow was found in libresolv when invoked from
++  libnss_dns, allowing specially crafted DNS responses to seize control
++  of execution flow in the DNS client.  The buffer overflow occurs in
++  the functions send_dg (send datagram) and send_vc (send TCP) for the
++  NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
++  family.  The use of AF_UNSPEC triggers the low-level resolver code to
++  send out two parallel queries for A and AAAA.  A mismanagement of the
++  buffers used for those queries could result in the response of a query
++  writing beyond the alloca allocated buffer created by
++  _nss_dns_gethostbyname4_r.  Buffer management is simplified to remove
++  the overflow.  Thanks to the Google Security Team and Red Hat for
++  reporting the security impact of this issue, and Robert Holiday of
++  Ciena for reporting the related bug 18665. (CVE-2015-7547)
++
+ * The following bugs are resolved with this release:
+ 
+   6652, 10672, 12674, 12847, 12926, 13862, 14132, 14138, 14171, 14498,
+Index: git/resolv/nss_dns/dns-host.c
+===================================================================
+--- git.orig/resolv/nss_dns/dns-host.c
++++ git/resolv/nss_dns/dns-host.c
+@@ -1031,7 +1031,10 @@ gaih_getanswer_slice (const querybuf *an
+   int h_namelen = 0;
+ 
+   if (ancount == 0)
+-    return NSS_STATUS_NOTFOUND;
++    {
++      *h_errnop = HOST_NOT_FOUND;
++      return NSS_STATUS_NOTFOUND;
++    }
+ 
+   while (ancount-- > 0 && cp < end_of_message && had_error == 0)
+     {
+@@ -1208,7 +1211,14 @@ gaih_getanswer_slice (const querybuf *an
+   /* Special case here: if the resolver sent a result but it only
+      contains a CNAME while we are looking for a T_A or T_AAAA record,
+      we fail with NOTFOUND instead of TRYAGAIN.  */
+-  return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
++  if (canon != NULL)
++    {
++      *h_errnop = HOST_NOT_FOUND;
++      return NSS_STATUS_NOTFOUND;
++    }
++
++  *h_errnop = NETDB_INTERNAL;
++  return NSS_STATUS_TRYAGAIN;
+ }
+ 
+ 
+@@ -1222,11 +1232,101 @@ gaih_getanswer (const querybuf *answer1,
+ 
+   enum nss_status status = NSS_STATUS_NOTFOUND;
+ 
++  /* Combining the NSS status of two distinct queries requires some
++     compromise and attention to symmetry (A or AAAA queries can be
++     returned in any order).  What follows is a breakdown of how this
++     code is expected to work and why. We discuss only SUCCESS,
++     TRYAGAIN, NOTFOUND and UNAVAIL, since they are the only returns
++     that apply (though RETURN and MERGE exist).  We make a distinction
++     between TRYAGAIN (recoverable) and TRYAGAIN' (not-recoverable).
++     A recoverable TRYAGAIN is almost always due to buffer size issues
++     and returns ERANGE in errno and the caller is expected to retry
++     with a larger buffer.
++
++     Lastly, you may be tempted to make significant changes to the
++     conditions in this code to bring about symmetry between responses.
++     Please don't change anything without due consideration for
++     expected application behaviour.  Some of the synthesized responses
++     aren't very well thought out and sometimes appear to imply that
++     IPv4 responses are always answer 1, and IPv6 responses are always
++     answer 2, but that's not true (see the implementation of send_dg
++     and send_vc to see response can arrive in any order, particularly
++     for UDP). However, we expect it holds roughly enough of the time
++     that this code works, but certainly needs to be fixed to make this
++     a more robust implementation.
++
++     ----------------------------------------------
++     | Answer 1 Status /   | Synthesized | Reason |
++     | Answer 2 Status     | Status      |        |
++     |--------------------------------------------|
++     | SUCCESS/SUCCESS     | SUCCESS     | [1]    |
++     | SUCCESS/TRYAGAIN    | TRYAGAIN    | [5]    |
++     | SUCCESS/TRYAGAIN'   | SUCCESS     | [1]    |
++     | SUCCESS/NOTFOUND    | SUCCESS     | [1]    |
++     | SUCCESS/UNAVAIL     | SUCCESS     | [1]    |
++     | TRYAGAIN/SUCCESS    | TRYAGAIN    | [2]    |
++     | TRYAGAIN/TRYAGAIN   | TRYAGAIN    | [2]    |
++     | TRYAGAIN/TRYAGAIN'  | TRYAGAIN    | [2]    |
++     | TRYAGAIN/NOTFOUND   | TRYAGAIN    | [2]    |
++     | TRYAGAIN/UNAVAIL    | TRYAGAIN    | [2]    |
++     | TRYAGAIN'/SUCCESS   | SUCCESS     | [3]    |
++     | TRYAGAIN'/TRYAGAIN  | TRYAGAIN    | [3]    |
++     | TRYAGAIN'/TRYAGAIN' | TRYAGAIN'   | [3]    |
++     | TRYAGAIN'/NOTFOUND  | TRYAGAIN'   | [3]    |
++     | TRYAGAIN'/UNAVAIL   | UNAVAIL     | [3]    |
++     | NOTFOUND/SUCCESS    | SUCCESS     | [3]    |
++     | NOTFOUND/TRYAGAIN   | TRYAGAIN    | [3]    |
++     | NOTFOUND/TRYAGAIN'  | TRYAGAIN'   | [3]    |
++     | NOTFOUND/NOTFOUND   | NOTFOUND    | [3]    |
++     | NOTFOUND/UNAVAIL    | UNAVAIL     | [3]    |
++     | UNAVAIL/SUCCESS     | UNAVAIL     | [4]    |
++     | UNAVAIL/TRYAGAIN    | UNAVAIL     | [4]    |
++     | UNAVAIL/TRYAGAIN'   | UNAVAIL     | [4]    |
++     | UNAVAIL/NOTFOUND    | UNAVAIL     | [4]    |
++     | UNAVAIL/UNAVAIL     | UNAVAIL     | [4]    |
++     ----------------------------------------------
++
++     [1] If the first response is a success we return success.
++	 This ignores the state of the second answer and in fact
++	 incorrectly sets errno and h_errno to that of the second
++	 answer.  However because the response is a success we ignore
++	 *errnop and *h_errnop (though that means you touched errno on
++	 success).  We are being conservative here and returning the
++	 likely IPv4 response in the first answer as a success.
++
++     [2] If the first response is a recoverable TRYAGAIN we return
++	 that instead of looking at the second response.  The
++	 expectation here is that we have failed to get an IPv4 response
++	 and should retry both queries.
++
++     [3] If the first response was not a SUCCESS and the second
++	 response is not NOTFOUND (had a SUCCESS, need to TRYAGAIN,
++	 or failed entirely e.g. TRYAGAIN' and UNAVAIL) then use the
++	 result from the second response, otherwise the first responses
++	 status is used.  Again we have some odd side-effects when the
++	 second response is NOTFOUND because we overwrite *errnop and
++	 *h_errnop that means that a first answer of NOTFOUND might see
++	 its *errnop and *h_errnop values altered.  Whether it matters
++	 in practice that a first response NOTFOUND has the wrong
++	 *errnop and *h_errnop is undecided.
++
++     [4] If the first response is UNAVAIL we return that instead of
++	 looking at the second response.  The expectation here is that
++	 it will have failed similarly e.g. configuration failure.
++
++     [5] Testing this code is complicated by the fact that truncated
++	 second response buffers might be returned as SUCCESS if the
++	 first answer is a SUCCESS.  To fix this we add symmetry to
++	 TRYAGAIN with the second response.  If the second response
++	 is a recoverable error we now return TRYAGIN even if the first
++	 response was SUCCESS.  */
++
+   if (anslen1 > 0)
+     status = gaih_getanswer_slice(answer1, anslen1, qname,
+ 				  &pat, &buffer, &buflen,
+ 				  errnop, h_errnop, ttlp,
+ 				  &first);
++
+   if ((status == NSS_STATUS_SUCCESS || status == NSS_STATUS_NOTFOUND
+        || (status == NSS_STATUS_TRYAGAIN
+ 	   /* We want to look at the second answer in case of an
+@@ -1242,8 +1342,15 @@ gaih_getanswer (const querybuf *answer1,
+ 						     &pat, &buffer, &buflen,
+ 						     errnop, h_errnop, ttlp,
+ 						     &first);
++      /* Use the second response status in some cases.  */
+       if (status != NSS_STATUS_SUCCESS && status2 != NSS_STATUS_NOTFOUND)
+ 	status = status2;
++      /* Do not return a truncated second response (unless it was
++	 unavoidable e.g. unrecoverable TRYAGAIN).  */
++      if (status == NSS_STATUS_SUCCESS
++	  && (status2 == NSS_STATUS_TRYAGAIN
++	      && *errnop == ERANGE && *h_errnop != NO_RECOVERY))
++	status = NSS_STATUS_TRYAGAIN;
+     }
+ 
+   return status;
+Index: git/resolv/res_query.c
+===================================================================
+--- git.orig/resolv/res_query.c
++++ git/resolv/res_query.c
+@@ -396,6 +396,7 @@ __libc_res_nsearch(res_state statp,
+ 		  {
+ 		    free (*answerp2);
+ 		    *answerp2 = NULL;
++		    *nanswerp2 = 0;
+ 		    *answerp2_malloced = 0;
+ 		  }
+ 	}
+@@ -447,6 +448,7 @@ __libc_res_nsearch(res_state statp,
+ 			  {
+ 			    free (*answerp2);
+ 			    *answerp2 = NULL;
++			    *nanswerp2 = 0;
+ 			    *answerp2_malloced = 0;
+ 			  }
+ 
+@@ -521,6 +523,7 @@ __libc_res_nsearch(res_state statp,
+ 	  {
+ 	    free (*answerp2);
+ 	    *answerp2 = NULL;
++	    *nanswerp2 = 0;
+ 	    *answerp2_malloced = 0;
+ 	  }
+ 	if (saved_herrno != -1)
+Index: git/resolv/res_send.c
+===================================================================
+--- git.orig/resolv/res_send.c
++++ git/resolv/res_send.c
+@@ -1,3 +1,20 @@
++/* Copyright (C) 2016 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
+ /*
+  * Copyright (c) 1985, 1989, 1993
+  *    The Regents of the University of California.  All rights reserved.
+@@ -363,6 +380,8 @@ __libc_res_nsend(res_state statp, const
+ #ifdef USE_HOOKS
+ 	if (__glibc_unlikely (statp->qhook || statp->rhook))       {
+ 		if (anssiz < MAXPACKET && ansp) {
++			/* Always allocate MAXPACKET, callers expect
++			   this specific size.  */
+ 			u_char *buf = malloc (MAXPACKET);
+ 			if (buf == NULL)
+ 				return (-1);
+@@ -638,6 +657,77 @@ get_nsaddr (res_state statp, int n)
+     return (struct sockaddr *) (void *) &statp->nsaddr_list[n];
+ }
+ 
++/* The send_vc function is responsible for sending a DNS query over TCP
++   to the nameserver numbered NS from the res_state STATP i.e.
++   EXT(statp).nssocks[ns].  The function supports sending both IPv4 and
++   IPv6 queries at the same serially on the same socket.
++
++   Please note that for TCP there is no way to disable sending both
++   queries, unlike UDP, which honours RES_SNGLKUP and RES_SNGLKUPREOP
++   and sends the queries serially and waits for the result after each
++   sent query.  This implemetnation should be corrected to honour these
++   options.
++
++   Please also note that for TCP we send both queries over the same
++   socket one after another.  This technically violates best practice
++   since the server is allowed to read the first query, respond, and
++   then close the socket (to service another client).  If the server
++   does this, then the remaining second query in the socket data buffer
++   will cause the server to send the client an RST which will arrive
++   asynchronously and the client's OS will likely tear down the socket
++   receive buffer resulting in a potentially short read and lost
++   response data.  This will force the client to retry the query again,
++   and this process may repeat until all servers and connection resets
++   are exhausted and then the query will fail.  It's not known if this
++   happens with any frequency in real DNS server implementations.  This
++   implementation should be corrected to use two sockets by default for
++   parallel queries.
++
++   The query stored in BUF of BUFLEN length is sent first followed by
++   the query stored in BUF2 of BUFLEN2 length.  Queries are sent
++   serially on the same socket.
++
++   Answers to the query are stored firstly in *ANSP up to a max of
++   *ANSSIZP bytes.  If more than *ANSSIZP bytes are needed and ANSCP
++   is non-NULL (to indicate that modifying the answer buffer is allowed)
++   then malloc is used to allocate a new response buffer and ANSCP and
++   ANSP will both point to the new buffer.  If more than *ANSSIZP bytes
++   are needed but ANSCP is NULL, then as much of the response as
++   possible is read into the buffer, but the results will be truncated.
++   When truncation happens because of a small answer buffer the DNS
++   packets header field TC will bet set to 1, indicating a truncated
++   message and the rest of the socket data will be read and discarded.
++
++   Answers to the query are stored secondly in *ANSP2 up to a max of
++   *ANSSIZP2 bytes, with the actual response length stored in
++   *RESPLEN2.  If more than *ANSSIZP bytes are needed and ANSP2
++   is non-NULL (required for a second query) then malloc is used to
++   allocate a new response buffer, *ANSSIZP2 is set to the new buffer
++   size and *ANSP2_MALLOCED is set to 1.
++
++   The ANSP2_MALLOCED argument will eventually be removed as the
++   change in buffer pointer can be used to detect the buffer has
++   changed and that the caller should use free on the new buffer.
++
++   Note that the answers may arrive in any order from the server and
++   therefore the first and second answer buffers may not correspond to
++   the first and second queries.
++
++   It is not supported to call this function with a non-NULL ANSP2
++   but a NULL ANSCP.  Put another way, you can call send_vc with a
++   single unmodifiable buffer or two modifiable buffers, but no other
++   combination is supported.
++
++   It is the caller's responsibility to free the malloc allocated
++   buffers by detecting that the pointers have changed from their
++   original values i.e. *ANSCP or *ANSP2 has changed.
++
++   If errors are encountered then *TERRNO is set to an appropriate
++   errno value and a zero result is returned for a recoverable error,
++   and a less-than zero result is returned for a non-recoverable error.
++
++   If no errors are encountered then *TERRNO is left unmodified and
++   a the length of the first response in bytes is returned.  */
+ static int
+ send_vc(res_state statp,
+ 	const u_char *buf, int buflen, const u_char *buf2, int buflen2,
+@@ -647,11 +737,7 @@ send_vc(res_state statp,
+ {
+ 	const HEADER *hp = (HEADER *) buf;
+ 	const HEADER *hp2 = (HEADER *) buf2;
+-	u_char *ans = *ansp;
+-	int orig_anssizp = *anssizp;
+-	// XXX REMOVE
+-	// int anssiz = *anssizp;
+-	HEADER *anhp = (HEADER *) ans;
++	HEADER *anhp = (HEADER *) *ansp;
+ 	struct sockaddr *nsap = get_nsaddr (statp, ns);
+ 	int truncating, connreset, n;
+ 	/* On some architectures compiler might emit a warning indicating
+@@ -743,6 +829,8 @@ send_vc(res_state statp,
+ 	 * Receive length & response
+ 	 */
+ 	int recvresp1 = 0;
++	/* Skip the second response if there is no second query.
++	   To do that we mark the second response as received.  */
+ 	int recvresp2 = buf2 == NULL;
+ 	uint16_t rlen16;
+  read_len:
+@@ -779,40 +867,14 @@ send_vc(res_state statp,
+ 	u_char **thisansp;
+ 	int *thisresplenp;
+ 	if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) {
++               /* We have not received any responses
++                  yet or we only have one response to
++                  receive.  */
+ 		thisanssizp = anssizp;
+ 		thisansp = anscp ?: ansp;
+ 		assert (anscp != NULL || ansp2 == NULL);
+ 		thisresplenp = &resplen;
+ 	} else {
+-		if (*anssizp != MAXPACKET) {
+-			/* No buffer allocated for the first
+-			   reply.  We can try to use the rest
+-			   of the user-provided buffer.  */
+-#if __GNUC_PREREQ (4, 7)
+-			DIAG_PUSH_NEEDS_COMMENT;
+-			DIAG_IGNORE_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
+-#endif
+-#if _STRING_ARCH_unaligned
+-			*anssizp2 = orig_anssizp - resplen;
+-			*ansp2 = *ansp + resplen;
+-#else
+-			int aligned_resplen
+-			  = ((resplen + __alignof__ (HEADER) - 1)
+-			     & ~(__alignof__ (HEADER) - 1));
+-			*anssizp2 = orig_anssizp - aligned_resplen;
+-			*ansp2 = *ansp + aligned_resplen;
+-#endif
+-#if __GNUC_PREREQ (4, 7)
+-			DIAG_POP_NEEDS_COMMENT;
+-#endif
+-		} else {
+-			/* The first reply did not fit into the
+-			   user-provided buffer.  Maybe the second
+-			   answer will.  */
+-			*anssizp2 = orig_anssizp;
+-			*ansp2 = *ansp;
+-		}
+-
+ 		thisanssizp = anssizp2;
+ 		thisansp = ansp2;
+ 		thisresplenp = resplen2;
+@@ -820,10 +882,14 @@ send_vc(res_state statp,
+ 	anhp = (HEADER *) *thisansp;
+ 
+ 	*thisresplenp = rlen;
+-	if (rlen > *thisanssizp) {
+-		/* Yes, we test ANSCP here.  If we have two buffers
+-		   both will be allocatable.  */
+-		if (__glibc_likely (anscp != NULL))       {
++	/* Is the answer buffer too small?  */
++	if (*thisanssizp < rlen) {
++		/* If the current buffer is not the the static
++		   user-supplied buffer then we can reallocate
++		   it.  */
++		if (thisansp != NULL && thisansp != ansp) {
++			/* Always allocate MAXPACKET, callers expect
++			   this specific size.  */
+ 			u_char *newp = malloc (MAXPACKET);
+ 			if (newp == NULL) {
+ 				*terrno = ENOMEM;
+@@ -835,6 +901,9 @@ send_vc(res_state statp,
+ 			if (thisansp == ansp2)
+ 			  *ansp2_malloced = 1;
+ 			anhp = (HEADER *) newp;
++			/* A uint16_t can't be larger than MAXPACKET
++			   thus it's safe to allocate MAXPACKET but
++			   read RLEN bytes instead.  */
+ 			len = rlen;
+ 		} else {
+ 			Dprint(statp->options & RES_DEBUG,
+@@ -997,6 +1066,66 @@ reopen (res_state statp, int *terrno, in
+ 	return 1;
+ }
+ 
++/* The send_dg function is responsible for sending a DNS query over UDP
++   to the nameserver numbered NS from the res_state STATP i.e.
++   EXT(statp).nssocks[ns].  The function supports IPv4 and IPv6 queries
++   along with the ability to send the query in parallel for both stacks
++   (default) or serially (RES_SINGLKUP).  It also supports serial lookup
++   with a close and reopen of the socket used to talk to the server
++   (RES_SNGLKUPREOP) to work around broken name servers.
++
++   The query stored in BUF of BUFLEN length is sent first followed by
++   the query stored in BUF2 of BUFLEN2 length.  Queries are sent
++   in parallel (default) or serially (RES_SINGLKUP or RES_SNGLKUPREOP).
++
++   Answers to the query are stored firstly in *ANSP up to a max of
++   *ANSSIZP bytes.  If more than *ANSSIZP bytes are needed and ANSCP
++   is non-NULL (to indicate that modifying the answer buffer is allowed)
++   then malloc is used to allocate a new response buffer and ANSCP and
++   ANSP will both point to the new buffer.  If more than *ANSSIZP bytes
++   are needed but ANSCP is NULL, then as much of the response as
++   possible is read into the buffer, but the results will be truncated.
++   When truncation happens because of a small answer buffer the DNS
++   packets header field TC will bet set to 1, indicating a truncated
++   message, while the rest of the UDP packet is discarded.
++
++   Answers to the query are stored secondly in *ANSP2 up to a max of
++   *ANSSIZP2 bytes, with the actual response length stored in
++   *RESPLEN2.  If more than *ANSSIZP bytes are needed and ANSP2
++   is non-NULL (required for a second query) then malloc is used to
++   allocate a new response buffer, *ANSSIZP2 is set to the new buffer
++   size and *ANSP2_MALLOCED is set to 1.
++
++   The ANSP2_MALLOCED argument will eventually be removed as the
++   change in buffer pointer can be used to detect the buffer has
++   changed and that the caller should use free on the new buffer.
++
++   Note that the answers may arrive in any order from the server and
++   therefore the first and second answer buffers may not correspond to
++   the first and second queries.
++
++   It is not supported to call this function with a non-NULL ANSP2
++   but a NULL ANSCP.  Put another way, you can call send_vc with a
++   single unmodifiable buffer or two modifiable buffers, but no other
++   combination is supported.
++
++   It is the caller's responsibility to free the malloc allocated
++   buffers by detecting that the pointers have changed from their
++   original values i.e. *ANSCP or *ANSP2 has changed.
++
++   If an answer is truncated because of UDP datagram DNS limits then
++   *V_CIRCUIT is set to 1 and the return value non-zero to indicate to
++   the caller to retry with TCP.  The value *GOTSOMEWHERE is set to 1
++   if any progress was made reading a response from the nameserver and
++   is used by the caller to distinguish between ECONNREFUSED and
++   ETIMEDOUT (the latter if *GOTSOMEWHERE is 1).
++
++   If errors are encountered then *TERRNO is set to an appropriate
++   errno value and a zero result is returned for a recoverable error,
++   and a less-than zero result is returned for a non-recoverable error.
++
++   If no errors are encountered then *TERRNO is left unmodified and
++   a the length of the first response in bytes is returned.  */
+ static int
+ send_dg(res_state statp,
+ 	const u_char *buf, int buflen, const u_char *buf2, int buflen2,
+@@ -1006,8 +1135,6 @@ send_dg(res_state statp,
+ {
+ 	const HEADER *hp = (HEADER *) buf;
+ 	const HEADER *hp2 = (HEADER *) buf2;
+-	u_char *ans = *ansp;
+-	int orig_anssizp = *anssizp;
+ 	struct timespec now, timeout, finish;
+ 	struct pollfd pfd[1];
+ 	int ptimeout;
+@@ -1040,6 +1167,8 @@ send_dg(res_state statp,
+ 	int need_recompute = 0;
+ 	int nwritten = 0;
+ 	int recvresp1 = 0;
++	/* Skip the second response if there is no second query.
++	   To do that we mark the second response as received.  */
+ 	int recvresp2 = buf2 == NULL;
+ 	pfd[0].fd = EXT(statp).nssocks[ns];
+ 	pfd[0].events = POLLOUT;
+@@ -1203,55 +1332,56 @@ send_dg(res_state statp,
+ 		int *thisresplenp;
+ 
+ 		if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) {
++			/* We have not received any responses
++			   yet or we only have one response to
++			   receive.  */
+ 			thisanssizp = anssizp;
+ 			thisansp = anscp ?: ansp;
+ 			assert (anscp != NULL || ansp2 == NULL);
+ 			thisresplenp = &resplen;
+ 		} else {
+-			if (*anssizp != MAXPACKET) {
+-				/* No buffer allocated for the first
+-				   reply.  We can try to use the rest
+-				   of the user-provided buffer.  */
+-#if _STRING_ARCH_unaligned
+-				*anssizp2 = orig_anssizp - resplen;
+-				*ansp2 = *ansp + resplen;
+-#else
+-				int aligned_resplen
+-				  = ((resplen + __alignof__ (HEADER) - 1)
+-				     & ~(__alignof__ (HEADER) - 1));
+-				*anssizp2 = orig_anssizp - aligned_resplen;
+-				*ansp2 = *ansp + aligned_resplen;
+-#endif
+-			} else {
+-				/* The first reply did not fit into the
+-				   user-provided buffer.  Maybe the second
+-				   answer will.  */
+-				*anssizp2 = orig_anssizp;
+-				*ansp2 = *ansp;
+-			}
+-
+ 			thisanssizp = anssizp2;
+ 			thisansp = ansp2;
+ 			thisresplenp = resplen2;
+ 		}
+ 
+ 		if (*thisanssizp < MAXPACKET
+-		    /* Yes, we test ANSCP here.  If we have two buffers
+-		       both will be allocatable.  */
+-		    && anscp
++		    /* If the current buffer is not the the static
++		       user-supplied buffer then we can reallocate
++		       it.  */
++		    && (thisansp != NULL && thisansp != ansp)
+ #ifdef FIONREAD
++		    /* Is the size too small?  */
+ 		    && (ioctl (pfd[0].fd, FIONREAD, thisresplenp) < 0
+ 			|| *thisanssizp < *thisresplenp)
+ #endif
+                     ) {
++			/* Always allocate MAXPACKET, callers expect
++			   this specific size.  */
+ 			u_char *newp = malloc (MAXPACKET);
+ 			if (newp != NULL) {
+-				*anssizp = MAXPACKET;
+-				*thisansp = ans = newp;
++				*thisanssizp = MAXPACKET;
++				*thisansp = newp;
+ 				if (thisansp == ansp2)
+ 				  *ansp2_malloced = 1;
+ 			}
+ 		}
++		/* We could end up with truncation if anscp was NULL
++		   (not allowed to change caller's buffer) and the
++		   response buffer size is too small.  This isn't a
++		   reliable way to detect truncation because the ioctl
++		   may be an inaccurate report of the UDP message size.
++		   Therefore we use this only to issue debug output.
++		   To do truncation accurately with UDP we need
++		   MSG_TRUNC which is only available on Linux.  We
++		   can abstract out the Linux-specific feature in the
++		   future to detect truncation.  */
++		if (__glibc_unlikely (*thisanssizp < *thisresplenp)) {
++			Dprint(statp->options & RES_DEBUG,
++			       (stdout, ";; response may be truncated (UDP)\n")
++			);
++		}
++
+ 		HEADER *anhp = (HEADER *) *thisansp;
+ 		socklen_t fromlen = sizeof(struct sockaddr_in6);
+ 		assert (sizeof(from) <= fromlen);
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,18 @@
++2016-02-15  Carlos O'Donell  <carlos@redhat.com>
++
++   [BZ #18665]
++   * resolv/nss_dns/dns-host.c (gaih_getanswer_slice): Always set
++   *herrno_p.
++   (gaih_getanswer): Document functional behviour. Return tryagain
++   if any result is tryagain.
++   * resolv/res_query.c (__libc_res_nsearch): Set buffer size to zero
++   when freed.
++   * resolv/res_send.c: Add copyright text.
++   (__libc_res_nsend): Document that MAXPACKET is expected.
++   (send_vc): Document. Remove buffer reuse.
++   (send_dg): Document. Remove buffer reuse. Set *thisanssizp to set the
++   size of the buffer. Add Dprint for truncated UDP buffer.
++
+ 2015-09-26  Paul Pluzhnikov  <ppluzhnikov@google.com>
+ 
+ 	[BZ #18985]
diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
new file mode 100644
index 000000000..684f34417
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
@@ -0,0 +1,155 @@
+From d36c75fc0d44deec29635dd239b0fbd206ca49b7 Mon Sep 17 00:00:00 2001
+From: Paul Pluzhnikov <ppluzhnikov@google.com>
+Date: Sat, 26 Sep 2015 13:27:48 -0700
+Subject: [PATCH] Fix BZ #18985 -- out of range data to strftime() causes a
+ segfault
+
+Upstream-Status: Backport
+CVE: CVE-2015-8776
+[Yocto # 8980]
+
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d36c75fc0d44deec29635dd239b0fbd206ca49b7
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog           |  8 ++++++++
+ NEWS                |  2 +-
+ time/strftime_l.c   | 20 +++++++++++++-------
+ time/tst-strftime.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 4 files changed, 73 insertions(+), 9 deletions(-)
+
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,11 @@
++2015-09-26  Paul Pluzhnikov  <ppluzhnikov@google.com>
++
++	[BZ #18985]
++	* time/strftime_l.c (a_wkday, f_wkday, a_month, f_month): Range check.
++	(__strftime_internal): Likewise.
++	* time/tst-strftime.c (do_bz18985): New test.
++	(do_test): Call it.
++
+ 2015-12-04  Joseph Myers  <joseph@codesourcery.com>
+ 
+ 	[BZ #16961]
+Index: git/time/strftime_l.c
+===================================================================
+--- git.orig/time/strftime_l.c
++++ git/time/strftime_l.c
+@@ -514,13 +514,17 @@ __strftime_internal (s, maxsize, format,
+      only a few elements.  Dereference the pointers only if the format
+      requires this.  Then it is ok to fail if the pointers are invalid.  */
+ # define a_wkday \
+-  ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday))
++  ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6			     \
++		     ? "?" : _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)))
+ # define f_wkday \
+-  ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday))
++  ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6			     \
++		     ? "?" : _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday)))
+ # define a_month \
+-  ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon))
++  ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11			     \
++		     ? "?" : _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon)))
+ # define f_month \
+-  ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon))
++  ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11			     \
++		     ? "?" : _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon)))
+ # define ampm \
+   ((const CHAR_T *) _NL_CURRENT (LC_TIME, tp->tm_hour > 11		      \
+ 				 ? NLW(PM_STR) : NLW(AM_STR)))
+@@ -530,8 +534,10 @@ __strftime_internal (s, maxsize, format,
+ # define ap_len STRLEN (ampm)
+ #else
+ # if !HAVE_STRFTIME
+-#  define f_wkday (weekday_name[tp->tm_wday])
+-#  define f_month (month_name[tp->tm_mon])
++#  define f_wkday (tp->tm_wday < 0 || tp->tm_wday > 6	\
++		   ? "?" : weekday_name[tp->tm_wday])
++#  define f_month (tp->tm_mon < 0 || tp->tm_mon > 11	\
++		   ? "?" : month_name[tp->tm_mon])
+ #  define a_wkday f_wkday
+ #  define a_month f_month
+ #  define ampm (L_("AMPM") + 2 * (tp->tm_hour > 11))
+@@ -1325,7 +1331,7 @@ __strftime_internal (s, maxsize, format,
+ 		  *tzset_called = true;
+ 		}
+ # endif
+-	      zone = tzname[tp->tm_isdst];
++	      zone = tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?";
+ 	    }
+ #endif
+ 	  if (! zone)
+Index: git/time/tst-strftime.c
+===================================================================
+--- git.orig/time/tst-strftime.c
++++ git/time/tst-strftime.c
+@@ -4,6 +4,56 @@
+ #include <time.h>
+ 
+ 
++static int
++do_bz18985 (void)
++{
++  char buf[1000];
++  struct tm ttm;
++  int rc, ret = 0;
++
++  memset (&ttm, 1, sizeof (ttm));
++  ttm.tm_zone = NULL;  /* Dereferenced directly if non-NULL.  */
++  rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
++
++  if (rc == 66)
++    {
++      const char expected[]
++	= "? ? ? ? ? ? 16843009 16843009:16843009:16843009 16844909 +467836 ?";
++      if (0 != strcmp (buf, expected))
++	{
++	  printf ("expected:\n  %s\ngot:\n  %s\n", expected, buf);
++	  ret += 1;
++	}
++    }
++  else
++    {
++      printf ("expected 66, got %d\n", rc);
++      ret += 1;
++    }
++
++  /* Check negative values as well.  */
++  memset (&ttm, 0xFF, sizeof (ttm));
++  ttm.tm_zone = NULL;  /* Dereferenced directly if non-NULL.  */
++  rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
++
++  if (rc == 30)
++    {
++      const char expected[] = "? ? ? ? ? ? -1 -1:-1:-1 1899  ";
++      if (0 != strcmp (buf, expected))
++	{
++	  printf ("expected:\n  %s\ngot:\n  %s\n", expected, buf);
++	  ret += 1;
++	}
++    }
++  else
++    {
++      printf ("expected 30, got %d\n", rc);
++      ret += 1;
++    }
++
++  return ret;
++}
++
+ static struct
+ {
+   const char *fmt;
+@@ -104,7 +154,7 @@ do_test (void)
+ 	}
+     }
+ 
+-  return result;
++  return result + do_bz18985 ();
+ }
+ 
+ #define TEST_FUNCTION do_test ()
diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
new file mode 100644
index 000000000..eeab72d65
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
@@ -0,0 +1,123 @@
+From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Thu, 15 Oct 2015 09:23:07 +0200
+Subject: [PATCH] Always enable pointer guard [BZ #18928]
+
+Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
+has security implications.  This commit enables pointer guard
+unconditionally, and the environment variable is now ignored.
+
+        [BZ #18928]
+        * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+        _dl_pointer_guard member.
+        * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+        initializer.
+        (security_init): Always set up pointer guard.
+        (process_envvars): Do not process LD_POINTER_GUARD.
+
+Upstream-Status: Backport
+CVE: CVE-2015-8777
+[Yocto # 8980]
+
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog                  | 10 ++++++++++
+ NEWS                       | 13 ++++++++-----
+ elf/rtld.c                 | 15 ++++-----------
+ sysdeps/generic/ldsodefs.h |  3 ---
+ 4 files changed, 22 insertions(+), 19 deletions(-)
+
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,14 @@
++2015-10-15  Florian Weimer  <fweimer@redhat.com>
++
++   [BZ #18928]
++   * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
++   _dl_pointer_guard member.
++   * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
++   initializer.
++   (security_init): Always set up pointer guard.
++   (process_envvars): Do not process LD_POINTER_GUARD.
++
++
+ 2015-08-10  Maxim Ostapenko  <m.ostapenko@partner.samsung.com>
+ 
+ 	[BZ #18778]
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -34,7 +34,10 @@ Version 2.22
+   18533, 18534, 18536, 18539, 18540, 18542, 18544, 18545, 18546, 18547,
+   18549, 18553, 18557, 18558, 18569, 18583, 18585, 18586, 18592, 18593,
+   18594, 18602, 18612, 18613, 18619, 18633, 18635, 18641, 18643, 18648,
+-  18657, 18676, 18694, 18696.
++  18657, 18676, 18694, 18696, 18928.
++
++* The LD_POINTER_GUARD environment variable can no longer be used to
++  disable the pointer guard feature.  It is always enabled.
+ 
+ * Cache information can be queried via sysconf() function on s390 e.g. with
+   _SC_LEVEL1_ICACHE_SIZE as argument.
+Index: git/elf/rtld.c
+===================================================================
+--- git.orig/elf/rtld.c
++++ git/elf/rtld.c
+@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
+     ._dl_hwcap_mask = HWCAP_IMPORTANT,
+     ._dl_lazy = 1,
+     ._dl_fpu_control = _FPU_DEFAULT,
+-    ._dl_pointer_guard = 1,
+     ._dl_pagesize = EXEC_PAGESIZE,
+     ._dl_inhibit_cache = 0,
+ 
+@@ -710,15 +709,12 @@ security_init (void)
+ #endif
+ 
+   /* Set up the pointer guard as well, if necessary.  */
+-  if (GLRO(dl_pointer_guard))
+-    {
+-      uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
+-							     stack_chk_guard);
++  uintptr_t pointer_chk_guard
++    = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
+ #ifdef THREAD_SET_POINTER_GUARD
+-      THREAD_SET_POINTER_GUARD (pointer_chk_guard);
++  THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+ #endif
+-      __pointer_chk_guard_local = pointer_chk_guard;
+-    }
++  __pointer_chk_guard_local = pointer_chk_guard;
+ 
+   /* We do not need the _dl_random value anymore.  The less
+      information we leave behind, the better, so clear the
+@@ -2478,9 +2474,6 @@ process_envvars (enum mode *modep)
+ 	      GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
+ 	      break;
+ 	    }
+-
+-	  if (memcmp (envline, "POINTER_GUARD", 13) == 0)
+-	    GLRO(dl_pointer_guard) = envline[14] != '0';
+ 	  break;
+ 
+ 	case 14:
+Index: git/sysdeps/generic/ldsodefs.h
+===================================================================
+--- git.orig/sysdeps/generic/ldsodefs.h
++++ git/sysdeps/generic/ldsodefs.h
+@@ -600,9 +600,6 @@ struct rtld_global_ro
+   /* List of auditing interfaces.  */
+   struct audit_ifaces *_dl_audit;
+   unsigned int _dl_naudit;
+-
+-  /* 0 if internal pointer values should not be guarded, 1 if they should.  */
+-  EXTERN int _dl_pointer_guard;
+ };
+ # define __rtld_global_attribute__
+ # if IS_IN (rtld)
diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
new file mode 100644
index 000000000..4dc93c769
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
@@ -0,0 +1,262 @@
+From 0f58539030e436449f79189b6edab17d7479796e Mon Sep 17 00:00:00 2001
+From: Paul Pluzhnikov <ppluzhnikov@google.com>
+Date: Sat, 8 Aug 2015 15:53:03 -0700
+Subject: [PATCH] Fix BZ #17905
+
+Upstream-Status: Backport
+CVE: CVE-2015-8779
+[Yocto # 8980]
+
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f58539030e436449f79189b6edab17d7479796e
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog              |  8 ++++++++
+ NEWS                   |  2 +-
+ catgets/Makefile       |  9 ++++++++-
+ catgets/catgets.c      | 19 ++++++++++++-------
+ catgets/open_catalog.c | 23 ++++++++++++++---------
+ catgets/tst-catgets.c  | 31 +++++++++++++++++++++++++++++++
+ 6 files changed, 74 insertions(+), 18 deletions(-)
+
+Index: git/catgets/Makefile
+===================================================================
+--- git.orig/catgets/Makefile
++++ git/catgets/Makefile
+@@ -37,6 +37,7 @@ ifeq (y,$(OPTION_EGLIBC_CATGETS))
+ ifeq ($(run-built-tests),yes)
+ tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \
+ 		 $(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out
++tests-special += $(objpfx)tst-catgets-mem.out
+ endif
+ endif
+ gencat-modules	= xmalloc
+@@ -53,9 +54,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcat
+ 
+ generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \
+ 	     test-gencat.h
++generated += tst-catgets.mtrace tst-catgets-mem.out
++
+ generated-dirs += de
+ 
+-tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de
++tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace
+ 
+ ifeq ($(run-built-tests),yes)
+ # This test just checks whether the program produces any error or not.
+@@ -89,4 +92,8 @@ $(objpfx)test-gencat.out: test-gencat.sh
+ $(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat
+ 	$(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \
+ 	$(evaluate-test)
++
++$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out
++	$(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \
++	$(evaluate-test)
+ endif
+Index: git/catgets/catgets.c
+===================================================================
+--- git.orig/catgets/catgets.c
++++ git/catgets/catgets.c
+@@ -16,7 +16,6 @@
+    License along with the GNU C Library; if not, see
+    <http://www.gnu.org/licenses/>.  */
+ 
+-#include <alloca.h>
+ #include <errno.h>
+ #include <locale.h>
+ #include <nl_types.h>
+@@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag)
+   __nl_catd result;
+   const char *env_var = NULL;
+   const char *nlspath = NULL;
++  char *tmp = NULL;
+ 
+   if (strchr (cat_name, '/') == NULL)
+     {
+@@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag)
+ 	{
+ 	  /* Append the system dependent directory.  */
+ 	  size_t len = strlen (nlspath) + 1 + sizeof NLSPATH;
+-	  char *tmp = alloca (len);
++	  tmp = malloc (len);
++
++	  if (__glibc_unlikely (tmp == NULL))
++	    return (nl_catd) -1;
+ 
+ 	  __stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH);
+ 	  nlspath = tmp;
+@@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag)
+ 
+   result = (__nl_catd) malloc (sizeof (*result));
+   if (result == NULL)
+-    /* We cannot get enough memory.  */
+-    return (nl_catd) -1;
+-
+-  if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
++    {
++      /* We cannot get enough memory.  */
++      result = (nl_catd) -1;
++    }
++  else if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
+     {
+       /* Couldn't open the file.  */
+       free ((void *) result);
+-      return (nl_catd) -1;
++      result = (nl_catd) -1;
+     }
+ 
++  free (tmp);
+   return (nl_catd) result;
+ }
+ 
+Index: git/catgets/open_catalog.c
+===================================================================
+--- git.orig/catgets/open_catalog.c
++++ git/catgets/open_catalog.c
+@@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, co
+   size_t tab_size;
+   const char *lastp;
+   int result = -1;
++  char *buf = NULL;
+ 
+   if (strchr (cat_name, '/') != NULL || nlspath == NULL)
+     fd = open_not_cancel_2 (cat_name, O_RDONLY);
+@@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, co
+   if (__glibc_unlikely (bufact + (n) >= bufmax))			      \
+     {									      \
+       char *old_buf = buf;						      \
+-      bufmax += 256 + (n);						      \
+-      buf = (char *) alloca (bufmax);					      \
+-      memcpy (buf, old_buf, bufact);					      \
++      bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax;		      \
++      buf = realloc (buf, bufmax);					      \
++      if (__glibc_unlikely (buf == NULL))				      \
++	{								      \
++	  free (old_buf);						      \
++	  return -1;							      \
++	}								      \
+     }
+ 
+       /* The RUN_NLSPATH variable contains a colon separated list of
+ 	 descriptions where we expect to find catalogs.  We have to
+ 	 recognize certain % substitutions and stop when we found the
+ 	 first existing file.  */
+-      char *buf;
+       size_t bufact;
+-      size_t bufmax;
++      size_t bufmax = 0;
+       size_t len;
+ 
+-      buf = NULL;
+-      bufmax = 0;
+-
+       fd = -1;
+       while (*run_nlspath != '\0')
+ 	{
+@@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, co
+ 
+   /* Avoid dealing with directories and block devices */
+   if (__builtin_expect (fd, 0) < 0)
+-    return -1;
++    {
++      free (buf);
++      return -1;
++    }
+ 
+   if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0)
+     goto close_unlock_return;
+@@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, co
+   /* Release the lock again.  */
+  close_unlock_return:
+   close_not_cancel_no_status (fd);
++  free (buf);
+ 
+   return result;
+ }
+Index: git/catgets/tst-catgets.c
+===================================================================
+--- git.orig/catgets/tst-catgets.c
++++ git/catgets/tst-catgets.c
+@@ -1,7 +1,10 @@
++#include <assert.h>
+ #include <mcheck.h>
+ #include <nl_types.h>
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <string.h>
++#include <sys/resource.h>
+ 
+ 
+ static const char *msgs[] =
+@@ -12,6 +15,33 @@ static const char *msgs[] =
+ };
+ #define nmsgs (sizeof (msgs) / sizeof (msgs[0]))
+ 
++
++/* Test for unbounded alloca.  */
++static int
++do_bz17905 (void)
++{
++  char *buf;
++  struct rlimit rl;
++  nl_catd result;
++
++  const int sz = 1024 * 1024;
++
++  getrlimit (RLIMIT_STACK, &rl);
++  rl.rlim_cur = sz;
++  setrlimit (RLIMIT_STACK, &rl);
++
++  buf = malloc (sz + 1); 
++  memset (buf, 'A', sz);
++  buf[sz] = '\0';
++  setenv ("NLSPATH", buf, 1);
++
++  result = catopen (buf, NL_CAT_LOCALE);
++  assert (result == (nl_catd) -1);
++
++  free (buf);
++  return 0;
++}
++
+ #define ROUNDS 5
+ 
+ static int
+@@ -62,6 +92,7 @@ do_test (void)
+ 	}
+     }
+ 
++  result += do_bz17905 ();
+   return result;
+ }
+ 
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,11 @@
++2015-08-08  Paul Pluzhnikov  <ppluzhnikov@google.com>
++
++   [BZ #17905]
++   * catgets/Makefile (tst-catgets-mem): New test.
++   * catgets/catgets.c (catopen): Don't use unbounded alloca.
++   * catgets/open_catalog.c (__open_catalog): Likewise.
++   * catgets/tst-catgets.c (do_bz17905): Test unbounded alloca.
++
+ 2015-10-15  Florian Weimer  <fweimer@redhat.com>
+ 
+    [BZ #18928]
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -9,7 +9,7 @@ Version 2.22.1
+ 
+ * The following bugs are resolved with this release:
+ 
+-  18778, 18781, 18787.
++  18778, 18781, 18787, 17905.
+ 
+ Version 2.22
+ 
diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch
new file mode 100644
index 000000000..3aca91331
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch
@@ -0,0 +1,1039 @@
+From e02cabecf0d025ec4f4ddee290bdf7aadb873bb3 Mon Sep 17 00:00:00 2001
+From: Joseph Myers <joseph@codesourcery.com>
+Date: Tue, 24 Nov 2015 22:24:52 +0000
+Subject: [PATCH] Refactor strtod parsing of NaN payloads.
+
+The nan* functions handle their string argument by constructing a
+NAN(...) string on the stack as a VLA and passing it to strtod
+functions.
+
+This approach has problems discussed in bug 16961 and bug 16962: the
+stack usage is unbounded, and it gives incorrect results in certain
+cases where the argument is not a valid n-char-sequence.
+
+The natural fix for both issues is to refactor the NaN payload parsing
+out of strtod into a separate function that the nan* functions can
+call directly, so that no temporary string needs constructing on the
+stack at all.  This patch does that refactoring in preparation for
+fixing those bugs (but without actually using the new functions from
+nan* - which will also require exporting them from libc at version
+GLIBC_PRIVATE).  This patch is not intended to change any user-visible
+behavior, so no tests are added (fixes for the above bugs will of
+course add tests for them).
+
+This patch builds on my recent fixes for strtol and strtod issues in
+Turkish locales.  Given those fixes, the parsing of NaN payloads is
+locale-independent; thus, the new functions do not need to take a
+locale_t argument.
+
+Tested for x86_64, x86, mips64 and powerpc.
+
+	* stdlib/strtod_nan.c: New file.
+	* stdlib/strtod_nan_double.h: Likewise.
+	* stdlib/strtod_nan_float.h: Likewise.
+	* stdlib/strtod_nan_main.c: Likewise.
+	* stdlib/strtod_nan_narrow.h: Likewise.
+	* stdlib/strtod_nan_wide.h: Likewise.
+	* stdlib/strtof_nan.c: Likewise.
+	* stdlib/strtold_nan.c: Likewise.
+	* sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h: Likewise.
+	* sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h: Likewise.
+	* sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h: Likewise.
+	* wcsmbs/wcstod_nan.c: Likewise.
+	* wcsmbs/wcstof_nan.c: Likewise.
+	* wcsmbs/wcstold_nan.c: Likewise.
+	* stdlib/Makefile (routines): Add strtof_nan, strtod_nan and
+	strtold_nan.
+	* wcsmbs/Makefile (routines): Add wcstod_nan, wcstold_nan and
+	wcstof_nan.
+	* include/stdlib.h (__strtof_nan): Declare and use
+	libc_hidden_proto.
+	(__strtod_nan): Likewise.
+	(__strtold_nan): Likewise.
+	(__wcstof_nan): Likewise.
+	(__wcstod_nan): Likewise.
+	(__wcstold_nan): Likewise.
+	* include/wchar.h (____wcstoull_l_internal): Declare.
+	* stdlib/strtod_l.c: Do not include <ieee754.h>.
+	(____strtoull_l_internal): Remove declaration.
+	(STRTOF_NAN): Define macro.
+	(SET_MANTISSA): Remove macro.
+	(STRTOULL): Likewise.
+	(____STRTOF_INTERNAL): Use STRTOF_NAN to parse NaN payload.
+	* stdlib/strtof_l.c (____strtoull_l_internal): Remove declaration.
+	(STRTOF_NAN): Define macro.
+	(SET_MANTISSA): Remove macro.
+	* sysdeps/ieee754/ldbl-128/strtold_l.c (STRTOF_NAN): Define macro.
+	(SET_MANTISSA): Remove macro.
+	* sysdeps/ieee754/ldbl-128ibm/strtold_l.c (STRTOF_NAN): Define
+	macro.
+	(SET_MANTISSA): Remove macro.
+	* sysdeps/ieee754/ldbl-64-128/strtold_l.c (STRTOF_NAN): Define
+	macro.
+	(SET_MANTISSA): Remove macro.
+	* sysdeps/ieee754/ldbl-96/strtold_l.c (STRTOF_NAN): Define macro.
+	(SET_MANTISSA): Remove macro.
+	* wcsmbs/wcstod_l.c (____wcstoull_l_internal): Remove declaration.
+	* wcsmbs/wcstof_l.c (____wcstoull_l_internal): Likewise.
+	* wcsmbs/wcstold_l.c (____wcstoull_l_internal): Likewise.
+
+Upstream-Status: Backport
+CVE: CVE-2015-9761 patch #1
+[Yocto # 8980]
+
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e02cabecf0d025ec4f4ddee290bdf7aadb873bb3
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog                                        | 49 ++++++++++++++++++
+ include/stdlib.h                                 | 18 +++++++
+ include/wchar.h                                  |  3 ++
+ stdlib/Makefile                                  |  1 +
+ stdlib/strtod_l.c                                | 48 ++++--------------
+ stdlib/strtod_nan.c                              | 24 +++++++++
+ stdlib/strtod_nan_double.h                       | 30 +++++++++++
+ stdlib/strtod_nan_float.h                        | 29 +++++++++++
+ stdlib/strtod_nan_main.c                         | 63 ++++++++++++++++++++++++
+ stdlib/strtod_nan_narrow.h                       | 22 +++++++++
+ stdlib/strtod_nan_wide.h                         | 22 +++++++++
+ stdlib/strtof_l.c                                | 11 +----
+ stdlib/strtof_nan.c                              | 24 +++++++++
+ stdlib/strtold_nan.c                             | 30 +++++++++++
+ sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h    | 33 +++++++++++++
+ sysdeps/ieee754/ldbl-128/strtold_l.c             | 13 +----
+ sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h | 30 +++++++++++
+ sysdeps/ieee754/ldbl-128ibm/strtold_l.c          | 10 +---
+ sysdeps/ieee754/ldbl-64-128/strtold_l.c          | 13 +----
+ sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h     | 30 +++++++++++
+ sysdeps/ieee754/ldbl-96/strtold_l.c              | 10 +---
+ wcsmbs/Makefile                                  |  1 +
+ wcsmbs/wcstod_l.c                                |  3 --
+ wcsmbs/wcstod_nan.c                              | 23 +++++++++
+ wcsmbs/wcstof_l.c                                |  3 --
+ wcsmbs/wcstof_nan.c                              | 23 +++++++++
+ wcsmbs/wcstold_l.c                               |  3 --
+ wcsmbs/wcstold_nan.c                             | 30 +++++++++++
+ 28 files changed, 504 insertions(+), 95 deletions(-)
+ create mode 100644 stdlib/strtod_nan.c
+ create mode 100644 stdlib/strtod_nan_double.h
+ create mode 100644 stdlib/strtod_nan_float.h
+ create mode 100644 stdlib/strtod_nan_main.c
+ create mode 100644 stdlib/strtod_nan_narrow.h
+ create mode 100644 stdlib/strtod_nan_wide.h
+ create mode 100644 stdlib/strtof_nan.c
+ create mode 100644 stdlib/strtold_nan.c
+ create mode 100644 sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h
+ create mode 100644 sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h
+ create mode 100644 sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h
+ create mode 100644 wcsmbs/wcstod_nan.c
+ create mode 100644 wcsmbs/wcstof_nan.c
+ create mode 100644 wcsmbs/wcstold_nan.c
+
+Index: git/include/stdlib.h
+===================================================================
+--- git.orig/include/stdlib.h
++++ git/include/stdlib.h
+@@ -203,6 +203,24 @@ libc_hidden_proto (strtoll)
+ libc_hidden_proto (strtoul)
+ libc_hidden_proto (strtoull)
+ 
++extern float __strtof_nan (const char *, char **, char) internal_function;
++extern double __strtod_nan (const char *, char **, char) internal_function;
++extern long double __strtold_nan (const char *, char **, char)
++     internal_function;
++extern float __wcstof_nan (const wchar_t *, wchar_t **, wchar_t)
++     internal_function;
++extern double __wcstod_nan (const wchar_t *, wchar_t **, wchar_t)
++     internal_function;
++extern long double __wcstold_nan (const wchar_t *, wchar_t **, wchar_t)
++     internal_function;
++
++libc_hidden_proto (__strtof_nan)
++libc_hidden_proto (__strtod_nan)
++libc_hidden_proto (__strtold_nan)
++libc_hidden_proto (__wcstof_nan)
++libc_hidden_proto (__wcstod_nan)
++libc_hidden_proto (__wcstold_nan)
++
+ extern char *__ecvt (double __value, int __ndigit, int *__restrict __decpt,
+ 		     int *__restrict __sign);
+ extern char *__fcvt (double __value, int __ndigit, int *__restrict __decpt,
+Index: git/include/wchar.h
+===================================================================
+--- git.orig/include/wchar.h
++++ git/include/wchar.h
+@@ -52,6 +52,9 @@ extern unsigned long long int __wcstoull
+ 						   __restrict __endptr,
+ 						   int __base,
+ 						   int __group) __THROW;
++extern unsigned long long int ____wcstoull_l_internal (const wchar_t *,
++						       wchar_t **, int, int,
++						       __locale_t);
+ libc_hidden_proto (__wcstof_internal)
+ libc_hidden_proto (__wcstod_internal)
+ libc_hidden_proto (__wcstold_internal)
+Index: git/stdlib/Makefile
+===================================================================
+--- git.orig/stdlib/Makefile
++++ git/stdlib/Makefile
+@@ -51,6 +51,7 @@ routines-y	:=							      \
+ 	strtol_l strtoul_l strtoll_l strtoull_l				      \
+ 	strtof strtod strtold						      \
+ 	strtof_l strtod_l strtold_l					      \
++	strtof_nan strtod_nan strtold_nan				      \
+ 	system canonicalize						      \
+ 	a64l l64a							      \
+ 	getsubopt xpg_basename						      \
+Index: git/stdlib/strtod_l.c
+===================================================================
+--- git.orig/stdlib/strtod_l.c
++++ git/stdlib/strtod_l.c
+@@ -21,8 +21,6 @@
+ #include <xlocale.h>
+ 
+ extern double ____strtod_l_internal (const char *, char **, int, __locale_t);
+-extern unsigned long long int ____strtoull_l_internal (const char *, char **,
+-						       int, int, __locale_t);
+ 
+ /* Configuration part.  These macros are defined by `strtold.c',
+    `strtof.c', `wcstod.c', `wcstold.c', and `wcstof.c' to produce the
+@@ -34,27 +32,20 @@ extern unsigned long long int ____strtou
+ # ifdef USE_WIDE_CHAR
+ #  define STRTOF	wcstod_l
+ #  define __STRTOF	__wcstod_l
++#  define STRTOF_NAN	__wcstod_nan
+ # else
+ #  define STRTOF	strtod_l
+ #  define __STRTOF	__strtod_l
++#  define STRTOF_NAN	__strtod_nan
+ # endif
+ # define MPN2FLOAT	__mpn_construct_double
+ # define FLOAT_HUGE_VAL	HUGE_VAL
+-# define SET_MANTISSA(flt, mant) \
+-  do { union ieee754_double u;						      \
+-       u.d = (flt);							      \
+-       u.ieee_nan.mantissa0 = (mant) >> 32;				      \
+-       u.ieee_nan.mantissa1 = (mant);					      \
+-       if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0)			      \
+-	 (flt) = u.d;							      \
+-  } while (0)
+ #endif
+ /* End of configuration part.  */
+ 
+ #include <ctype.h>
+ #include <errno.h>
+ #include <float.h>
+-#include <ieee754.h>
+ #include "../locale/localeinfo.h"
+ #include <locale.h>
+ #include <math.h>
+@@ -105,7 +96,6 @@ extern unsigned long long int ____strtou
+ # define TOLOWER_C(Ch) __towlower_l ((Ch), _nl_C_locobj_ptr)
+ # define STRNCASECMP(S1, S2, N) \
+   __wcsncasecmp_l ((S1), (S2), (N), _nl_C_locobj_ptr)
+-# define STRTOULL(S, E, B) ____wcstoull_l_internal ((S), (E), (B), 0, loc)
+ #else
+ # define STRING_TYPE char
+ # define CHAR_TYPE char
+@@ -117,7 +107,6 @@ extern unsigned long long int ____strtou
+ # define TOLOWER_C(Ch) __tolower_l ((Ch), _nl_C_locobj_ptr)
+ # define STRNCASECMP(S1, S2, N) \
+   __strncasecmp_l ((S1), (S2), (N), _nl_C_locobj_ptr)
+-# define STRTOULL(S, E, B) ____strtoull_l_internal ((S), (E), (B), 0, loc)
+ #endif
+ 
+ 
+@@ -668,33 +657,14 @@ ____STRTOF_INTERNAL (nptr, endptr, group
+ 	  if (*cp == L_('('))
+ 	    {
+ 	      const STRING_TYPE *startp = cp;
+-	      do
+-		++cp;
+-	      while ((*cp >= L_('0') && *cp <= L_('9'))
+-		     || ({ CHAR_TYPE lo = TOLOWER (*cp);
+-			   lo >= L_('a') && lo <= L_('z'); })
+-		     || *cp == L_('_'));
+-
+-	      if (*cp != L_(')'))
+-		/* The closing brace is missing.  Only match the NAN
+-		   part.  */
+-		cp = startp;
++          STRING_TYPE *endp;
++          retval = STRTOF_NAN (cp + 1, &endp, L_(')'));
++          if (*endp == L_(')'))
++            /* Consume the closing parenthesis.  */
++            cp = endp + 1;
+ 	      else
+-		{
+-		  /* This is a system-dependent way to specify the
+-		     bitmask used for the NaN.  We expect it to be
+-		     a number which is put in the mantissa of the
+-		     number.  */
+-		  STRING_TYPE *endp;
+-		  unsigned long long int mant;
+-
+-		  mant = STRTOULL (startp + 1, &endp, 0);
+-		  if (endp == cp)
+-		    SET_MANTISSA (retval, mant);
+-
+-		  /* Consume the closing brace.  */
+-		  ++cp;
+-		}
++               /* Only match the NAN part.  */
++               cp = startp;
+ 	    }
+ 
+ 	  if (endptr != NULL)
+Index: git/stdlib/strtod_nan.c
+===================================================================
+--- /dev/null
++++ git/stdlib/strtod_nan.c
+@@ -0,0 +1,24 @@
++/* Convert string for NaN payload to corresponding NaN.  Narrow
++   strings, double.
++   Copyright (C) 2015 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#include <strtod_nan_narrow.h>
++#include <strtod_nan_double.h>
++
++#define STRTOD_NAN __strtod_nan
++#include <strtod_nan_main.c>
+Index: git/stdlib/strtod_nan_double.h
+===================================================================
+--- /dev/null
++++ git/stdlib/strtod_nan_double.h
+@@ -0,0 +1,30 @@
++/* Convert string for NaN payload to corresponding NaN.  For double.
++   Copyright (C) 1997-2015 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#define FLOAT		double
++#define SET_MANTISSA(flt, mant)				\
++  do							\
++    {							\
++      union ieee754_double u;				\
++      u.d = (flt);					\
++      u.ieee_nan.mantissa0 = (mant) >> 32;		\
++      u.ieee_nan.mantissa1 = (mant);			\
++      if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0)	\
++	(flt) = u.d;					\
++    }							\
++  while (0)
+Index: git/stdlib/strtod_nan_float.h
+===================================================================
+--- /dev/null
++++ git/stdlib/strtod_nan_float.h
+@@ -0,0 +1,29 @@
++/* Convert string for NaN payload to corresponding NaN.  For float.
++   Copyright (C) 1997-2015 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#define	FLOAT		float
++#define SET_MANTISSA(flt, mant)			\
++  do						\
++    {						\
++      union ieee754_float u;			\
++      u.f = (flt);				\
++      u.ieee_nan.mantissa = (mant);		\
++      if (u.ieee.mantissa != 0)			\
++	(flt) = u.f;				\
++    }						\
++  while (0)
+Index: git/stdlib/strtod_nan_main.c
+===================================================================
+--- /dev/null
++++ git/stdlib/strtod_nan_main.c
+@@ -0,0 +1,63 @@
++/* Convert string for NaN payload to corresponding NaN.
++   Copyright (C) 1997-2015 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#include <ieee754.h>
++#include <locale.h>
++#include <math.h>
++#include <stdlib.h>
++#include <wchar.h>
++
++
++/* If STR starts with an optional n-char-sequence as defined by ISO C
++   (a sequence of ASCII letters, digits and underscores), followed by
++   ENDC, return a NaN whose payload is set based on STR.  Otherwise,
++   return a default NAN.  If ENDPTR is not NULL, set *ENDPTR to point
++   to the character after the initial n-char-sequence.  */
++
++internal_function
++FLOAT
++STRTOD_NAN (const STRING_TYPE *str, STRING_TYPE **endptr, STRING_TYPE endc)
++{
++  const STRING_TYPE *cp = str;
++
++  while ((*cp >= L_('0') && *cp <= L_('9'))
++	 || (*cp >= L_('A') && *cp <= L_('Z'))
++	 || (*cp >= L_('a') && *cp <= L_('z'))
++	 || *cp == L_('_'))
++    ++cp;
++
++  FLOAT retval = NAN;
++  if (*cp != endc)
++    goto out;
++
++  /* This is a system-dependent way to specify the bitmask used for
++     the NaN.  We expect it to be a number which is put in the
++     mantissa of the number.  */
++  STRING_TYPE *endp;
++  unsigned long long int mant;
++
++  mant = STRTOULL (str, &endp, 0);
++  if (endp == cp)
++    SET_MANTISSA (retval, mant);
++
++ out:
++  if (endptr != NULL)
++    *endptr = (STRING_TYPE *) cp;
++  return retval;
++}
++libc_hidden_def (STRTOD_NAN)
+Index: git/stdlib/strtod_nan_narrow.h
+===================================================================
+--- /dev/null
++++ git/stdlib/strtod_nan_narrow.h
+@@ -0,0 +1,22 @@
++/* Convert string for NaN payload to corresponding NaN.  Narrow strings.
++   Copyright (C) 1997-2015 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#define STRING_TYPE char
++#define L_(Ch) Ch
++#define STRTOULL(S, E, B) ____strtoull_l_internal ((S), (E), (B), 0,	\
++						   _nl_C_locobj_ptr)
+Index: git/stdlib/strtod_nan_wide.h
+===================================================================
+--- /dev/null
++++ git/stdlib/strtod_nan_wide.h
+@@ -0,0 +1,22 @@
++/* Convert string for NaN payload to corresponding NaN.  Wide strings.
++   Copyright (C) 1997-2015 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#define STRING_TYPE wchar_t
++#define L_(Ch) L##Ch
++#define STRTOULL(S, E, B) ____wcstoull_l_internal ((S), (E), (B), 0,	\
++						   _nl_C_locobj_ptr)
+Index: git/stdlib/strtof_l.c
+===================================================================
+--- git.orig/stdlib/strtof_l.c
++++ git/stdlib/strtof_l.c
+@@ -20,26 +20,19 @@
+ #include <xlocale.h>
+ 
+ extern float ____strtof_l_internal (const char *, char **, int, __locale_t);
+-extern unsigned long long int ____strtoull_l_internal (const char *, char **,
+-						       int, int, __locale_t);
+ 
+ #define	FLOAT		float
+ #define	FLT		FLT
+ #ifdef USE_WIDE_CHAR
+ # define STRTOF		wcstof_l
+ # define __STRTOF	__wcstof_l
++# define STRTOF_NAN	__wcstof_nan
+ #else
+ # define STRTOF		strtof_l
+ # define __STRTOF	__strtof_l
++# define STRTOF_NAN	__strtof_nan
+ #endif
+ #define	MPN2FLOAT	__mpn_construct_float
+ #define	FLOAT_HUGE_VAL	HUGE_VALF
+-#define SET_MANTISSA(flt, mant) \
+-  do { union ieee754_float u;						      \
+-       u.f = (flt);							      \
+-       u.ieee_nan.mantissa = (mant);					      \
+-       if (u.ieee.mantissa != 0)					      \
+-	 (flt) = u.f;							      \
+-  } while (0)
+ 
+ #include "strtod_l.c"
+Index: git/stdlib/strtof_nan.c
+===================================================================
+--- /dev/null
++++ git/stdlib/strtof_nan.c
+@@ -0,0 +1,24 @@
++/* Convert string for NaN payload to corresponding NaN.  Narrow
++   strings, float.
++   Copyright (C) 2015 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#include <strtod_nan_narrow.h>
++#include <strtod_nan_float.h>
++
++#define STRTOD_NAN __strtof_nan
++#include <strtod_nan_main.c>
+Index: git/stdlib/strtold_nan.c
+===================================================================
+--- /dev/null
++++ git/stdlib/strtold_nan.c
+@@ -0,0 +1,30 @@
++/* Convert string for NaN payload to corresponding NaN.  Narrow
++   strings, long double.
++   Copyright (C) 2015 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#include <math.h>
++
++/* This function is unused if long double and double have the same
++   representation.  */
++#ifndef __NO_LONG_DOUBLE_MATH
++# include <strtod_nan_narrow.h>
++# include <strtod_nan_ldouble.h>
++
++# define STRTOD_NAN __strtold_nan
++# include <strtod_nan_main.c>
++#endif
+Index: git/sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h
+===================================================================
+--- /dev/null
++++ git/sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h
+@@ -0,0 +1,33 @@
++/* Convert string for NaN payload to corresponding NaN.  For ldbl-128.
++   Copyright (C) 1997-2015 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#define FLOAT		long double
++#define SET_MANTISSA(flt, mant)				\
++  do							\
++    {							\
++      union ieee854_long_double u;			\
++      u.d = (flt);					\
++      u.ieee_nan.mantissa0 = 0;				\
++      u.ieee_nan.mantissa1 = 0;				\
++      u.ieee_nan.mantissa2 = (mant) >> 32;		\
++      u.ieee_nan.mantissa3 = (mant);			\
++      if ((u.ieee.mantissa0 | u.ieee.mantissa1		\
++	   | u.ieee.mantissa2 | u.ieee.mantissa3) != 0)	\
++	(flt) = u.d;					\
++    }							\
++  while (0)
+Index: git/sysdeps/ieee754/ldbl-128/strtold_l.c
+===================================================================
+--- git.orig/sysdeps/ieee754/ldbl-128/strtold_l.c
++++ git/sysdeps/ieee754/ldbl-128/strtold_l.c
+@@ -25,22 +25,13 @@
+ #ifdef USE_WIDE_CHAR
+ # define STRTOF		wcstold_l
+ # define __STRTOF	__wcstold_l
++# define STRTOF_NAN	__wcstold_nan
+ #else
+ # define STRTOF		strtold_l
+ # define __STRTOF	__strtold_l
++# define STRTOF_NAN	__strtold_nan
+ #endif
+ #define MPN2FLOAT	__mpn_construct_long_double
+ #define FLOAT_HUGE_VAL	HUGE_VALL
+-#define SET_MANTISSA(flt, mant) \
+-  do { union ieee854_long_double u;					      \
+-       u.d = (flt);							      \
+-       u.ieee_nan.mantissa0 = 0;					      \
+-       u.ieee_nan.mantissa1 = 0;					      \
+-       u.ieee_nan.mantissa2 = (mant) >> 32;				      \
+-       u.ieee_nan.mantissa3 = (mant);					      \
+-       if ((u.ieee.mantissa0 | u.ieee.mantissa1				      \
+-	    | u.ieee.mantissa2 | u.ieee.mantissa3) != 0)		      \
+-	 (flt) = u.d;							      \
+-  } while (0)
+ 
+ #include <strtod_l.c>
+Index: git/sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h
+===================================================================
+--- /dev/null
++++ git/sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h
+@@ -0,0 +1,30 @@
++/* Convert string for NaN payload to corresponding NaN.  For ldbl-128ibm.
++   Copyright (C) 1997-2015 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#define FLOAT		long double
++#define SET_MANTISSA(flt, mant)					\
++  do								\
++    {								\
++      union ibm_extended_long_double u;				\
++      u.ld = (flt);						\
++      u.d[0].ieee_nan.mantissa0 = (mant) >> 32;			\
++      u.d[0].ieee_nan.mantissa1 = (mant);			\
++      if ((u.d[0].ieee.mantissa0 | u.d[0].ieee.mantissa1) != 0)	\
++	(flt) = u.ld;						\
++    }								\
++  while (0)
+Index: git/sysdeps/ieee754/ldbl-128ibm/strtold_l.c
+===================================================================
+--- git.orig/sysdeps/ieee754/ldbl-128ibm/strtold_l.c
++++ git/sysdeps/ieee754/ldbl-128ibm/strtold_l.c
+@@ -30,25 +30,19 @@ extern long double ____new_wcstold_l (co
+ # define STRTOF		__new_wcstold_l
+ # define __STRTOF	____new_wcstold_l
+ # define ____STRTOF_INTERNAL ____wcstold_l_internal
++# define STRTOF_NAN	__wcstold_nan
+ #else
+ extern long double ____new_strtold_l (const char *, char **, __locale_t);
+ # define STRTOF		__new_strtold_l
+ # define __STRTOF	____new_strtold_l
+ # define ____STRTOF_INTERNAL ____strtold_l_internal
++# define STRTOF_NAN	__strtold_nan
+ #endif
+ extern __typeof (__STRTOF) STRTOF;
+ libc_hidden_proto (__STRTOF)
+ libc_hidden_proto (STRTOF)
+ #define MPN2FLOAT	__mpn_construct_long_double
+ #define FLOAT_HUGE_VAL	HUGE_VALL
+-# define SET_MANTISSA(flt, mant) \
+-  do { union ibm_extended_long_double u;				      \
+-       u.ld = (flt);							      \
+-       u.d[0].ieee_nan.mantissa0 = (mant) >> 32;			      \
+-       u.d[0].ieee_nan.mantissa1 = (mant);				      \
+-       if ((u.d[0].ieee.mantissa0 | u.d[0].ieee.mantissa1) != 0)	      \
+-	 (flt) = u.ld;							      \
+-  } while (0)
+ 
+ #include <strtod_l.c>
+ 
+Index: git/sysdeps/ieee754/ldbl-64-128/strtold_l.c
+===================================================================
+--- git.orig/sysdeps/ieee754/ldbl-64-128/strtold_l.c
++++ git/sysdeps/ieee754/ldbl-64-128/strtold_l.c
+@@ -30,28 +30,19 @@ extern long double ____new_wcstold_l (co
+ # define STRTOF		__new_wcstold_l
+ # define __STRTOF	____new_wcstold_l
+ # define ____STRTOF_INTERNAL ____wcstold_l_internal
++# define STRTOF_NAN	__wcstold_nan
+ #else
+ extern long double ____new_strtold_l (const char *, char **, __locale_t);
+ # define STRTOF		__new_strtold_l
+ # define __STRTOF	____new_strtold_l
+ # define ____STRTOF_INTERNAL ____strtold_l_internal
++# define STRTOF_NAN	__strtold_nan
+ #endif
+ extern __typeof (__STRTOF) STRTOF;
+ libc_hidden_proto (__STRTOF)
+ libc_hidden_proto (STRTOF)
+ #define MPN2FLOAT	__mpn_construct_long_double
+ #define FLOAT_HUGE_VAL	HUGE_VALL
+-#define SET_MANTISSA(flt, mant) \
+-  do { union ieee854_long_double u;					      \
+-       u.d = (flt);							      \
+-       u.ieee_nan.mantissa0 = 0;					      \
+-       u.ieee_nan.mantissa1 = 0;					      \
+-       u.ieee_nan.mantissa2 = (mant) >> 32;				      \
+-       u.ieee_nan.mantissa3 = (mant);					      \
+-       if ((u.ieee.mantissa0 | u.ieee.mantissa1				      \
+-	    | u.ieee.mantissa2 | u.ieee.mantissa3) != 0)		      \
+-	 (flt) = u.d;							      \
+-  } while (0)
+ 
+ #include <strtod_l.c>
+ 
+Index: git/sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h
+===================================================================
+--- /dev/null
++++ git/sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h
+@@ -0,0 +1,30 @@
++/* Convert string for NaN payload to corresponding NaN.  For ldbl-96.
++   Copyright (C) 1997-2015 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#define FLOAT		long double
++#define SET_MANTISSA(flt, mant)				\
++  do							\
++    {							\
++      union ieee854_long_double u;			\
++      u.d = (flt);					\
++      u.ieee_nan.mantissa0 = (mant) >> 32;		\
++      u.ieee_nan.mantissa1 = (mant);			\
++      if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0)	\
++	(flt) = u.d;					\
++    }							\
++  while (0)
+Index: git/sysdeps/ieee754/ldbl-96/strtold_l.c
+===================================================================
+--- git.orig/sysdeps/ieee754/ldbl-96/strtold_l.c
++++ git/sysdeps/ieee754/ldbl-96/strtold_l.c
+@@ -25,19 +25,13 @@
+ #ifdef USE_WIDE_CHAR
+ # define STRTOF		wcstold_l
+ # define __STRTOF	__wcstold_l
++# define STRTOF_NAN	__wcstold_nan
+ #else
+ # define STRTOF		strtold_l
+ # define __STRTOF	__strtold_l
++# define STRTOF_NAN	__strtold_nan
+ #endif
+ #define MPN2FLOAT	__mpn_construct_long_double
+ #define FLOAT_HUGE_VAL	HUGE_VALL
+-#define SET_MANTISSA(flt, mant) \
+-  do { union ieee854_long_double u;					      \
+-       u.d = (flt);							      \
+-       u.ieee_nan.mantissa0 = (mant) >> 32;				      \
+-       u.ieee_nan.mantissa1 = (mant);					      \
+-       if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0)			      \
+-	 (flt) = u.d;							      \
+-  } while (0)
+ 
+ #include <stdlib/strtod_l.c>
+Index: git/wcsmbs/Makefile
+===================================================================
+--- git.orig/wcsmbs/Makefile
++++ git/wcsmbs/Makefile
+@@ -39,6 +39,7 @@ routines-$(OPTION_POSIX_C_LANG_WIDE_CHAR
+ 	    wcstol wcstoul wcstoll wcstoull wcstod wcstold wcstof \
+ 	    wcstol_l wcstoul_l wcstoll_l wcstoull_l \
+ 	    wcstod_l wcstold_l wcstof_l \
++	    wcstod_nan wcstold_nan wcstof_nan \
+ 	    wcscoll wcsxfrm \
+ 	    wcwidth wcswidth \
+ 	    wcscoll_l wcsxfrm_l \
+Index: git/wcsmbs/wcstod_l.c
+===================================================================
+--- git.orig/wcsmbs/wcstod_l.c
++++ git/wcsmbs/wcstod_l.c
+@@ -23,9 +23,6 @@
+ 
+ extern double ____wcstod_l_internal (const wchar_t *, wchar_t **, int,
+ 				     __locale_t);
+-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *,
+-						       wchar_t **, int, int,
+-						       __locale_t);
+ 
+ #define	USE_WIDE_CHAR	1
+ 
+Index: git/wcsmbs/wcstod_nan.c
+===================================================================
+--- /dev/null
++++ git/wcsmbs/wcstod_nan.c
+@@ -0,0 +1,23 @@
++/* Convert string for NaN payload to corresponding NaN.  Wide strings, double.
++   Copyright (C) 2015 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#include "../stdlib/strtod_nan_wide.h"
++#include "../stdlib/strtod_nan_double.h"
++
++#define STRTOD_NAN __wcstod_nan
++#include "../stdlib/strtod_nan_main.c"
+Index: git/wcsmbs/wcstof_l.c
+===================================================================
+--- git.orig/wcsmbs/wcstof_l.c
++++ git/wcsmbs/wcstof_l.c
+@@ -25,8 +25,5 @@
+ 
+ extern float ____wcstof_l_internal (const wchar_t *, wchar_t **, int,
+ 				    __locale_t);
+-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *,
+-						       wchar_t **, int, int,
+-						       __locale_t);
+ 
+ #include <stdlib/strtof_l.c>
+Index: git/wcsmbs/wcstof_nan.c
+===================================================================
+--- /dev/null
++++ git/wcsmbs/wcstof_nan.c
+@@ -0,0 +1,23 @@
++/* Convert string for NaN payload to corresponding NaN.  Wide strings, float.
++   Copyright (C) 2015 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#include "../stdlib/strtod_nan_wide.h"
++#include "../stdlib/strtod_nan_float.h"
++
++#define STRTOD_NAN __wcstof_nan
++#include "../stdlib/strtod_nan_main.c"
+Index: git/wcsmbs/wcstold_l.c
+===================================================================
+--- git.orig/wcsmbs/wcstold_l.c
++++ git/wcsmbs/wcstold_l.c
+@@ -24,8 +24,5 @@
+ 
+ extern long double ____wcstold_l_internal (const wchar_t *, wchar_t **, int,
+ 					   __locale_t);
+-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *,
+-						       wchar_t **, int, int,
+-						       __locale_t);
+ 
+ #include <strtold_l.c>
+Index: git/wcsmbs/wcstold_nan.c
+===================================================================
+--- /dev/null
++++ git/wcsmbs/wcstold_nan.c
+@@ -0,0 +1,30 @@
++/* Convert string for NaN payload to corresponding NaN.  Wide strings,
++   long double.
++   Copyright (C) 2015 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#include <math.h>
++
++/* This function is unused if long double and double have the same
++   representation.  */
++#ifndef __NO_LONG_DOUBLE_MATH
++# include "../stdlib/strtod_nan_wide.h"
++# include <strtod_nan_ldouble.h>
++
++# define STRTOD_NAN __wcstold_nan
++# include "../stdlib/strtod_nan_main.c"
++#endif
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,57 @@
++2015-11-24  Joseph Myers  <joseph@codesourcery.com>
++ 
++	* stdlib/strtod_nan.c: New file.
++	* stdlib/strtod_nan_double.h: Likewise.
++	* stdlib/strtod_nan_float.h: Likewise.
++	* stdlib/strtod_nan_main.c: Likewise.
++	* stdlib/strtod_nan_narrow.h: Likewise.
++	* stdlib/strtod_nan_wide.h: Likewise.
++	* stdlib/strtof_nan.c: Likewise.
++	* stdlib/strtold_nan.c: Likewise.
++	* sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h: Likewise.
++	* sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h: Likewise.
++	* sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h: Likewise.
++	* wcsmbs/wcstod_nan.c: Likewise.
++	* wcsmbs/wcstof_nan.c: Likewise.
++	* wcsmbs/wcstold_nan.c: Likewise.
++	* stdlib/Makefile (routines): Add strtof_nan, strtod_nan and
++	strtold_nan.
++	* wcsmbs/Makefile (routines): Add wcstod_nan, wcstold_nan and
++	wcstof_nan.
++	* include/stdlib.h (__strtof_nan): Declare and use
++	libc_hidden_proto.
++	(__strtod_nan): Likewise.
++	(__strtold_nan): Likewise.
++	(__wcstof_nan): Likewise.
++	(__wcstod_nan): Likewise.
++	(__wcstold_nan): Likewise.
++	* include/wchar.h (____wcstoull_l_internal): Declare.
++	* stdlib/strtod_l.c: Do not include <ieee754.h>.
++	(____strtoull_l_internal): Remove declaration.
++	(STRTOF_NAN): Define macro.
++	(SET_MANTISSA): Remove macro.
++	(STRTOULL): Likewise.
++	(____STRTOF_INTERNAL): Use STRTOF_NAN to parse NaN payload.
++	* stdlib/strtof_l.c (____strtoull_l_internal): Remove declaration.
++	(STRTOF_NAN): Define macro.
++	(SET_MANTISSA): Remove macro.
++	* sysdeps/ieee754/ldbl-128/strtold_l.c (STRTOF_NAN): Define macro.
++	(SET_MANTISSA): Remove macro.
++	* sysdeps/ieee754/ldbl-128ibm/strtold_l.c (STRTOF_NAN): Define
++	macro.
++	(SET_MANTISSA): Remove macro.
++	* sysdeps/ieee754/ldbl-64-128/strtold_l.c (STRTOF_NAN): Define
++	macro.
++	(SET_MANTISSA): Remove macro.
++	* sysdeps/ieee754/ldbl-96/strtold_l.c (STRTOF_NAN): Define macro.
++	(SET_MANTISSA): Remove macro.
++	* wcsmbs/wcstod_l.c (____wcstoull_l_internal): Remove declaration.
++	* wcsmbs/wcstof_l.c (____wcstoull_l_internal): Likewise.
++	* wcsmbs/wcstold_l.c (____wcstoull_l_internal): Likewise.
++
++ 	[BZ #19266]
++ 	* stdlib/strtod_l.c (____STRTOF_INTERNAL): Check directly for
++ 	upper case and lower case letters inside NAN(), not using TOLOWER.
+ 2015-08-08  Paul Pluzhnikov  <ppluzhnikov@google.com>
+ 
+    [BZ #17905]
diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch
new file mode 100644
index 000000000..e30307fbc
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch
@@ -0,0 +1,385 @@
+From 8f5e8b01a1da2a207228f2072c934fa5918554b8 Mon Sep 17 00:00:00 2001
+From: Joseph Myers <joseph@codesourcery.com>
+Date: Fri, 4 Dec 2015 20:36:28 +0000
+Subject: [PATCH] Fix nan functions handling of payload strings (bug 16961, bug
+ 16962).
+
+The nan, nanf and nanl functions handle payload strings by doing e.g.:
+
+  if (tagp[0] != '\0')
+    {
+      char buf[6 + strlen (tagp)];
+      sprintf (buf, "NAN(%s)", tagp);
+      return strtod (buf, NULL);
+    }
+
+This is an unbounded stack allocation based on the length of the
+argument.  Furthermore, if the argument starts with an n-char-sequence
+followed by ')', that n-char-sequence is wrongly treated as
+significant for determining the payload of the resulting NaN, when ISO
+C says the call should be equivalent to strtod ("NAN", NULL), without
+being affected by that initial n-char-sequence.  This patch fixes both
+those problems by using the __strtod_nan etc. functions recently
+factored out of strtod etc. for that purpose, with those functions
+being exported from libc at version GLIBC_PRIVATE.
+
+Tested for x86_64, x86, mips64 and powerpc.
+
+	[BZ #16961]
+	[BZ #16962]
+	* math/s_nan.c (__nan): Use __strtod_nan instead of constructing a
+	string on the stack for strtod.
+	* math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing
+	a string on the stack for strtof.
+	* math/s_nanl.c (__nanl): Use __strtold_nan instead of
+	constructing a string on the stack for strtold.
+	* stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and
+	__strtold_nan to GLIBC_PRIVATE.
+	* math/test-nan-overflow.c: New file.
+	* math/test-nan-payload.c: Likewise.
+	* math/Makefile (tests): Add test-nan-overflow and
+	test-nan-payload.
+
+Upstream-Status: Backport
+CVE: CVE-2015-9761 patch #2
+[Yocto # 8980]
+
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8f5e8b01a1da2a207228f2072c934fa5918554b8
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog                |  17 +++++++
+ NEWS                     |   6 +++
+ math/Makefile            |   3 +-
+ math/s_nan.c             |   9 +---
+ math/s_nanf.c            |   9 +---
+ math/s_nanl.c            |   9 +---
+ math/test-nan-overflow.c |  66 +++++++++++++++++++++++++
+ math/test-nan-payload.c  | 122 +++++++++++++++++++++++++++++++++++++++++++++++
+ stdlib/Versions          |   1 +
+ 9 files changed, 217 insertions(+), 25 deletions(-)
+ create mode 100644 math/test-nan-overflow.c
+ create mode 100644 math/test-nan-payload.c
+
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,20 @@
++2015-12-04  Joseph Myers  <joseph@codesourcery.com>
++
++	[BZ #16961]
++	[BZ #16962]
++	* math/s_nan.c (__nan): Use __strtod_nan instead of constructing a
++	string on the stack for strtod.
++	* math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing
++	a string on the stack for strtof.
++	* math/s_nanl.c (__nanl): Use __strtold_nan instead of
++	constructing a string on the stack for strtold.
++	* stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and
++	__strtold_nan to GLIBC_PRIVATE.
++	* math/test-nan-overflow.c: New file.
++	* math/test-nan-payload.c: Likewise.
++	* math/Makefile (tests): Add test-nan-overflow and
++	test-nan-payload.
++
+ 2015-11-24  Joseph Myers  <joseph@codesourcery.com>
+  
+ 	* stdlib/strtod_nan.c: New file.
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -99,6 +99,12 @@ Version 2.22
+ 
+ Version 2.21
+ 
++Security related changes:
++
++* The nan, nanf and nanl functions no longer have unbounded stack usage
++  depending on the length of the string passed as an argument to the
++  functions.  Reported by Joseph Myers.
++
+ * The following bugs are resolved with this release:
+ 
+   6652, 10672, 12674, 12847, 12926, 13862, 14132, 14138, 14171, 14498,
+Index: git/math/Makefile
+===================================================================
+--- git.orig/math/Makefile
++++ git/math/Makefile
+@@ -110,6 +110,7 @@ tests = test-matherr test-fenv atest-exp
+ 	test-tgmath-ret bug-nextafter bug-nexttoward bug-tgmath1 \
+ 	test-tgmath-int test-tgmath2 test-powl tst-CMPLX tst-CMPLX2 test-snan \
+ 	test-fenv-tls test-fenv-preserve test-fenv-return test-fenvinline \
++    test-nan-overflow test-nan-payload \
+ 	$(tests-static)
+ tests-static = test-fpucw-static test-fpucw-ieee-static
+ # We do the `long double' tests only if this data type is available and
+Index: git/math/s_nan.c
+===================================================================
+--- git.orig/math/s_nan.c
++++ git/math/s_nan.c
+@@ -28,14 +28,7 @@
+ double
+ __nan (const char *tagp)
+ {
+-  if (tagp[0] != '\0')
+-    {
+-      char buf[6 + strlen (tagp)];
+-      sprintf (buf, "NAN(%s)", tagp);
+-      return strtod (buf, NULL);
+-    }
+-
+-  return NAN;
++  return __strtod_nan (tagp, NULL, 0);
+ }
+ weak_alias (__nan, nan)
+ #ifdef NO_LONG_DOUBLE
+Index: git/math/s_nanf.c
+===================================================================
+--- git.orig/math/s_nanf.c
++++ git/math/s_nanf.c
+@@ -28,13 +28,6 @@
+ float
+ __nanf (const char *tagp)
+ {
+-  if (tagp[0] != '\0')
+-    {
+-      char buf[6 + strlen (tagp)];
+-      sprintf (buf, "NAN(%s)", tagp);
+-      return strtof (buf, NULL);
+-    }
+-
+-  return NAN;
++  return __strtof_nan (tagp, NULL, 0);
+ }
+ weak_alias (__nanf, nanf)
+Index: git/math/s_nanl.c
+===================================================================
+--- git.orig/math/s_nanl.c
++++ git/math/s_nanl.c
+@@ -28,13 +28,6 @@
+ long double
+ __nanl (const char *tagp)
+ {
+-  if (tagp[0] != '\0')
+-    {
+-      char buf[6 + strlen (tagp)];
+-      sprintf (buf, "NAN(%s)", tagp);
+-      return strtold (buf, NULL);
+-    }
+-
+-  return NAN;
++  return __strtold_nan (tagp, NULL, 0);
+ }
+ weak_alias (__nanl, nanl)
+Index: git/math/test-nan-overflow.c
+===================================================================
+--- /dev/null
++++ git/math/test-nan-overflow.c
+@@ -0,0 +1,66 @@
++/* Test nan functions stack overflow (bug 16962).
++   Copyright (C) 2015 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#include <math.h>
++#include <stdio.h>
++#include <string.h>
++#include <sys/resource.h>
++
++#define STACK_LIM 1048576
++#define STRING_SIZE (2 * STACK_LIM)
++
++static int
++do_test (void)
++{
++  int result = 0;
++  struct rlimit lim;
++  getrlimit (RLIMIT_STACK, &lim);
++  lim.rlim_cur = STACK_LIM;
++  setrlimit (RLIMIT_STACK, &lim);
++  char *nanstr = malloc (STRING_SIZE);
++  if (nanstr == NULL)
++    {
++      puts ("malloc failed, cannot test");
++      return 77;
++    }
++  memset (nanstr, '0', STRING_SIZE - 1);
++  nanstr[STRING_SIZE - 1] = 0;
++#define NAN_TEST(TYPE, FUNC)			\
++  do						\
++    {						\
++      char *volatile p = nanstr;		\
++      volatile TYPE v = FUNC (p);		\
++      if (isnan (v))				\
++	puts ("PASS: " #FUNC);			\
++      else					\
++	{					\
++	  puts ("FAIL: " #FUNC);		\
++	  result = 1;				\
++	}					\
++    }						\
++  while (0)
++  NAN_TEST (float, nanf);
++  NAN_TEST (double, nan);
++#ifndef NO_LONG_DOUBLE
++  NAN_TEST (long double, nanl);
++#endif
++  return result;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
+Index: git/math/test-nan-payload.c
+===================================================================
+--- /dev/null
++++ git/math/test-nan-payload.c
+@@ -0,0 +1,122 @@
++/* Test nan functions payload handling (bug 16961).
++   Copyright (C) 2015 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#include <float.h>
++#include <math.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++
++/* Avoid built-in functions.  */
++#define WRAP_NAN(FUNC, STR) \
++  ({ const char *volatile wns = (STR); FUNC (wns); })
++#define WRAP_STRTO(FUNC, STR) \
++  ({ const char *volatile wss = (STR); FUNC (wss, NULL); })
++
++#define CHECK_IS_NAN(TYPE, A)			\
++  do						\
++    {						\
++      if (isnan (A))				\
++	puts ("PASS: " #TYPE " " #A);		\
++      else					\
++	{					\
++	  puts ("FAIL: " #TYPE " " #A);		\
++	  result = 1;				\
++	}					\
++    }						\
++  while (0)
++
++#define CHECK_SAME_NAN(TYPE, A, B)			\
++  do							\
++    {							\
++      if (memcmp (&(A), &(B), sizeof (A)) == 0)		\
++	puts ("PASS: " #TYPE " " #A " = " #B);		\
++      else						\
++	{						\
++	  puts ("FAIL: " #TYPE " " #A " = " #B);	\
++	  result = 1;					\
++	}						\
++    }							\
++  while (0)
++
++#define CHECK_DIFF_NAN(TYPE, A, B)			\
++  do							\
++    {							\
++      if (memcmp (&(A), &(B), sizeof (A)) != 0)		\
++	puts ("PASS: " #TYPE " " #A " != " #B);		\
++      else						\
++	{						\
++	  puts ("FAIL: " #TYPE " " #A " != " #B);	\
++	  result = 1;					\
++	}						\
++    }							\
++  while (0)
++
++/* Cannot test payloads by memcmp for formats where NaNs have padding
++   bits.  */
++#define CAN_TEST_EQ(MANT_DIG) ((MANT_DIG) != 64 && (MANT_DIG) != 106)
++
++#define RUN_TESTS(TYPE, SFUNC, FUNC, MANT_DIG)		\
++  do							\
++    {							\
++     TYPE n123 = WRAP_NAN (FUNC, "123");		\
++     CHECK_IS_NAN (TYPE, n123);				\
++     TYPE s123 = WRAP_STRTO (SFUNC, "NAN(123)");	\
++     CHECK_IS_NAN (TYPE, s123);				\
++     TYPE n456 = WRAP_NAN (FUNC, "456");		\
++     CHECK_IS_NAN (TYPE, n456);				\
++     TYPE s456 = WRAP_STRTO (SFUNC, "NAN(456)");	\
++     CHECK_IS_NAN (TYPE, s456);				\
++     TYPE n123x = WRAP_NAN (FUNC, "123)");		\
++     CHECK_IS_NAN (TYPE, n123x);			\
++     TYPE nemp = WRAP_NAN (FUNC, "");			\
++     CHECK_IS_NAN (TYPE, nemp);				\
++     TYPE semp = WRAP_STRTO (SFUNC, "NAN()");		\
++     CHECK_IS_NAN (TYPE, semp);				\
++     TYPE sx = WRAP_STRTO (SFUNC, "NAN");		\
++     CHECK_IS_NAN (TYPE, sx);				\
++     if (CAN_TEST_EQ (MANT_DIG))			\
++       CHECK_SAME_NAN (TYPE, n123, s123);		\
++     if (CAN_TEST_EQ (MANT_DIG))			\
++       CHECK_SAME_NAN (TYPE, n456, s456);		\
++     if (CAN_TEST_EQ (MANT_DIG))			\
++       CHECK_SAME_NAN (TYPE, nemp, semp);		\
++     if (CAN_TEST_EQ (MANT_DIG))			\
++       CHECK_SAME_NAN (TYPE, n123x, sx);		\
++     CHECK_DIFF_NAN (TYPE, n123, n456);			\
++     CHECK_DIFF_NAN (TYPE, n123, nemp);			\
++     CHECK_DIFF_NAN (TYPE, n123, n123x);		\
++     CHECK_DIFF_NAN (TYPE, n456, nemp);			\
++     CHECK_DIFF_NAN (TYPE, n456, n123x);		\
++    }							\
++  while (0)
++
++static int
++do_test (void)
++{
++  int result = 0;
++  RUN_TESTS (float, strtof, nanf, FLT_MANT_DIG);
++  RUN_TESTS (double, strtod, nan, DBL_MANT_DIG);
++#ifndef NO_LONG_DOUBLE
++  RUN_TESTS (long double, strtold, nanl, LDBL_MANT_DIG);
++#endif
++  return result;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
+Index: git/stdlib/Versions
+===================================================================
+--- git.orig/stdlib/Versions
++++ git/stdlib/Versions
+@@ -118,5 +118,6 @@ libc {
+     # Used from other libraries
+     __libc_secure_getenv;
+     __call_tls_dtors;
++    __strtof_nan; __strtod_nan; __strtold_nan;
+   }
+ }
diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch b/yocto-poky/meta/recipes-core/glibc/glibc/strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch
new file mode 100644
index 000000000..8ce255f11
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/glibc/glibc/strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch
@@ -0,0 +1,323 @@
+Upstream-Status: Backport
+
+Signed-off-by: Li Xin <lixin.fnst@cn.fujitsu.com>
+
+From https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6c84109cfa26f35c3dfed3acb97d347361bd5849
+Author: Carlos O'Donell <carlos@systemhalted.org>
+Date:   Thu Oct 8 16:34:53 2015 -0400
+
+    strcoll: Remove incorrect STRDIFF-based optimization (Bug 18589).
+
+    The optimization introduced in commit
+    f13c2a8dff2329c6692a80176262ceaaf8a6f74e, causes regressions in
+    sorting for languages that have digraphs that change sort order, like
+    cs_CZ which sorts ch between h and i.
+
+    My analysis shows the fast-forwarding optimization in STRCOLL advances
+    through a digraph while possibly stopping in the middle which results
+    in a subsequent skipping of the digraph and incorrect sorting. The
+    optimization is incorrect as implemented and because of that I'm
+    removing it for 2.23, and I will also commit this fix for 2.22 where
+    it was originally introduced.
+
+    This patch reverts the optimization, introduces a new bug-strcoll2.c
+    regression test that tests both cs_CZ.UTF-8 and da_DK.ISO-8859-1 and
+    ensures they sort one digraph each correctly. The optimization can't be
+    applied without regressing this test.
+
+    Checked on x86_64, bug-strcoll2.c fails without this patch and passes
+    after. This will also get a fix on 2.22 which has the same bug.
+
+    (cherry picked from commit 87701a58e291bd7ac3b407d10a829dac52c9c16e)
+---
+ locale/C-collate.c           |  4 +-
+ locale/categories.def        |  1 -
+ locale/langinfo.h            |  1 -
+ locale/localeinfo.h          |  7 ----
+ locale/programs/ld-collate.c |  9 -----
+ string/bug-strcoll2.c        | 95 ++++++++++++++++++++++++++++++++++++++++++++
+ string/strcoll_l.c           | 39 +-----------------
+ wcsmbs/wcscoll_l.c           |  1 -
+ 8 files changed, 98 insertions(+), 59 deletions(-)
+ create mode 100644 string/bug-strcoll2.c
+
+diff --git a/locale/C-collate.c b/locale/C-collate.c
+index d7f3c55..06dfdfa 100644
+--- a/locale/C-collate.c
++++ b/locale/C-collate.c
+@@ -144,8 +144,6 @@ const struct __locale_data _nl_C_LC_COLLATE attribute_hidden =
+     /* _NL_COLLATE_COLLSEQWC */
+     { .string = (const char *) collseqwc },
+     /* _NL_COLLATE_CODESET */
+-    { .string = _nl_C_codeset },
+-    /* _NL_COLLATE_ENCODING_TYPE */
+-    { .word = __cet_8bit }
++    { .string = _nl_C_codeset }
+   }
+ };
+diff --git a/locale/categories.def b/locale/categories.def
+index 045489d..a8dda53 100644
+--- a/locale/categories.def
++++ b/locale/categories.def
+@@ -58,7 +58,6 @@ DEFINE_CATEGORY
+   DEFINE_ELEMENT (_NL_COLLATE_COLLSEQMB,        "collate-collseqmb",        std, wstring)
+   DEFINE_ELEMENT (_NL_COLLATE_COLLSEQWC,        "collate-collseqwc",        std, wstring)
+   DEFINE_ELEMENT (_NL_COLLATE_CODESET,		"collate-codeset",	    std, string)
+-  DEFINE_ELEMENT (_NL_COLLATE_ENCODING_TYPE,   "collate-encoding-type",    std, word)
+   ), NO_POSTLOAD)
+ 
+ 
+diff --git a/locale/langinfo.h b/locale/langinfo.h
+index ffc5c7f..a565d9d 100644
+--- a/locale/langinfo.h
++++ b/locale/langinfo.h
+@@ -255,7 +255,6 @@ enum
+   _NL_COLLATE_COLLSEQMB,
+   _NL_COLLATE_COLLSEQWC,
+   _NL_COLLATE_CODESET,
+-  _NL_COLLATE_ENCODING_TYPE,
+   _NL_NUM_LC_COLLATE,
+ 
+   /* LC_CTYPE category: character classification.
+diff --git a/locale/localeinfo.h b/locale/localeinfo.h
+index a7516c0..c076d8e 100644
+--- a/locale/localeinfo.h
++++ b/locale/localeinfo.h
+@@ -110,13 +110,6 @@ enum coll_sort_rule
+   sort_mask
+ };
+ 
+-/* Collation encoding type.  */
+-enum collation_encoding_type
+-{
+-  __cet_other,
+-  __cet_8bit,
+-  __cet_utf8
+-};
+ 
+ /* We can map the types of the entries into a few categories.  */
+ enum value_type
+diff --git a/locale/programs/ld-collate.c b/locale/programs/ld-collate.c
+index 16e9039..3c88c6d 100644
+--- a/locale/programs/ld-collate.c
++++ b/locale/programs/ld-collate.c
+@@ -32,7 +32,6 @@
+ #include "linereader.h"
+ #include "locfile.h"
+ #include "elem-hash.h"
+-#include "../localeinfo.h"
+ 
+ /* Uncomment the following line in the production version.  */
+ /* #define NDEBUG 1 */
+@@ -2130,8 +2129,6 @@ collate_output (struct localedef_t *locale, const struct charmap_t *charmap,
+ 	  /* The words have to be handled specially.  */
+ 	  if (idx == _NL_ITEM_INDEX (_NL_COLLATE_SYMB_HASH_SIZEMB))
+ 	    add_locale_uint32 (&file, 0);
+-	  else if (idx == _NL_ITEM_INDEX (_NL_COLLATE_ENCODING_TYPE))
+-	    add_locale_uint32 (&file, __cet_other);
+ 	  else
+ 	    add_locale_empty (&file);
+ 	}
+@@ -2495,12 +2492,6 @@ collate_output (struct localedef_t *locale, const struct charmap_t *charmap,
+   add_locale_raw_data (&file, collate->mbseqorder, 256);
+   add_locale_collseq_table (&file, &collate->wcseqorder);
+   add_locale_string (&file, charmap->code_set_name);
+-  if (strcmp (charmap->code_set_name, "UTF-8") == 0)
+-    add_locale_uint32 (&file, __cet_utf8);
+-  else if (charmap->mb_cur_max == 1)
+-    add_locale_uint32 (&file, __cet_8bit);
+-  else
+-    add_locale_uint32 (&file, __cet_other);
+   write_locale_data (output_path, LC_COLLATE, "LC_COLLATE", &file);
+ 
+   obstack_free (&weightpool, NULL);
+diff --git a/string/bug-strcoll2.c b/string/bug-strcoll2.c
+new file mode 100644
+index 0000000..950b090
+--- /dev/null
++++ b/string/bug-strcoll2.c
+@@ -0,0 +1,95 @@
++/* Bug 18589: sort-test.sh fails at random.
++ * Copyright (C) 1998-2015 Free Software Foundation, Inc.
++ * This file is part of the GNU C Library.
++ * Contributed by Ulrich Drepper <drepper@cygnus.com>, 1998.
++ *
++ * The GNU C Library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++ *
++ * The GNU C Library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with the GNU C Library; if not, see
++ * <http://www.gnu.org/licenses/>.  */
++
++#include <stdio.h>
++#include <string.h>
++#include <locale.h>
++
++/* An incorrect strcoll optimization resulted in incorrect
++ *    results from strcoll for cs_CZ and da_DK.  */
++
++int
++test_cs_CZ (void)
++{
++  const char t1[] = "config";
++  const char t2[] = "choose";
++  if (setlocale (LC_ALL, "cs_CZ.UTF-8") == NULL)
++    {
++      perror ("setlocale");
++      return 1;
++    }
++  /* In Czech the digraph ch sorts after c, therefore we expect
++ *      config to sort before choose.  */
++  int a = strcoll (t1, t2);
++  int b = strcoll (t2, t1);
++  printf ("strcoll (\"%s\", \"%s\") = %d\n", t1, t2, a);
++  printf ("strcoll (\"%s\", \"%s\") = %d\n", t2, t1, b);
++  if (a < 0 && b > 0)
++    {
++      puts ("PASS: config < choose");
++      return 0;
++    }
++  else
++    {
++      puts ("FAIL: Wrong sorting in cz_CZ.UTF-8.");
++      return 1;
++    }
++}
++
++int
++test_da_DK (void)
++{
++  const char t1[] = "AS";
++  const char t2[] = "AA";
++  if (setlocale (LC_ALL, "da_DK.ISO-8859-1") == NULL)
++    {
++      perror ("setlocale");
++      return 1;
++    }
++  /* AA should be treated as the last letter of the Danish alphabet,
++ *      hence sorting after AS.  */
++  int a = strcoll (t1, t2);
++  int b = strcoll (t2, t1);
++  printf ("strcoll (\"%s\", \"%s\") = %d\n", t1, t2, a);
++  printf ("strcoll (\"%s\", \"%s\") = %d\n", t2, t1, b);
++  if (a < 0 && b > 0)
++    {
++      puts ("PASS: AS < AA");
++      return 0;
++    }
++  else
++    {
++      puts ("FAIL: Wrong sorting in da_DK.ISO-8859-1");
++      return 1;
++    }
++}
++
++static int
++do_test (void)
++{
++  int err = 0;
++  err |= test_cs_CZ ();
++  err |= test_da_DK ();
++  return err;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
++
++
+diff --git a/string/strcoll_l.c b/string/strcoll_l.c
+index b36b18c..a18b65e 100644
+--- a/string/strcoll_l.c
++++ b/string/strcoll_l.c
+@@ -30,7 +30,6 @@
+ # define STRING_TYPE char
+ # define USTRING_TYPE unsigned char
+ # define STRCOLL __strcoll_l
+-# define STRDIFF __strdiff
+ # define STRCMP strcmp
+ # define WEIGHT_H "../locale/weight.h"
+ # define SUFFIX	MB
+@@ -43,19 +42,6 @@
+ #include "../locale/localeinfo.h"
+ #include WEIGHT_H
+ 
+-#define MASK_UTF8_7BIT  (1 << 7)
+-#define MASK_UTF8_START (3 << 6)
+-
+-size_t
+-STRDIFF (const STRING_TYPE *s, const STRING_TYPE *t)
+-{
+-  size_t n;
+-
+-  for (n = 0; *s != '\0' && *s++ == *t++; ++n)
+-    continue;
+-
+-  return n;
+-}
+ 
+ /* Track status while looking for sequences in a string.  */
+ typedef struct
+@@ -274,29 +260,9 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l)
+   const USTRING_TYPE *extra;
+   const int32_t *indirect;
+ 
+-  /* In case there is no locale specific sort order (C / POSIX).  */
+   if (nrules == 0)
+     return STRCMP (s1, s2);
+ 
+-  /* Fast forward to the position of the first difference.  Needs to be
+-     encoding aware as the byte-by-byte comparison can stop in the middle
+-     of a char sequence for multibyte encodings like UTF-8.  */
+-  uint_fast32_t encoding =
+-    current->values[_NL_ITEM_INDEX (_NL_COLLATE_ENCODING_TYPE)].word;
+-  if (encoding != __cet_other)
+-    {
+-      size_t diff = STRDIFF (s1, s2);
+-      if (diff > 0)
+-	{
+-	  if (encoding == __cet_utf8 && (*(s1 + diff) & MASK_UTF8_7BIT) != 0)
+-	    do
+-	      diff--;
+-	    while (diff > 0 && (*(s1 + diff) & MASK_UTF8_START) != MASK_UTF8_START);
+-	  s1 += diff;
+-	  s2 += diff;
+-	}
+-    }
+-
+   /* Catch empty strings.  */
+   if (__glibc_unlikely (*s1 == '\0') || __glibc_unlikely (*s2 == '\0'))
+     return (*s1 != '\0') - (*s2 != '\0');
+@@ -363,9 +329,8 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l)
+ 		     byte-level comparison to ensure that we don't waste time
+ 		     going through multiple passes for totally equal strings
+ 		     before proceeding to subsequent passes.  */
+-		  if (pass == 0 && encoding == __cet_other &&
+-		      STRCMP (s1, s2) == 0)
+-		    return result;
++		  if (pass == 0 && STRCMP (s1, s2) == 0)
++                    return result;
+ 		  else
+ 		    break;
+ 	        }
+diff --git a/wcsmbs/wcscoll_l.c b/wcsmbs/wcscoll_l.c
+index 6d9384a..87f240d 100644
+--- a/wcsmbs/wcscoll_l.c
++++ b/wcsmbs/wcscoll_l.c
+@@ -23,7 +23,6 @@
+ #define STRING_TYPE wchar_t
+ #define USTRING_TYPE wint_t
+ #define STRCOLL __wcscoll_l
+-#define STRDIFF __wcsdiff
+ #define STRCMP __wcscmp
+ #define WEIGHT_H "../locale/weightwc.h"
+ #define SUFFIX	WC
+-- 
+1.8.4.2
+
diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/use_64bit_atomics.patch b/yocto-poky/meta/recipes-core/glibc/glibc/use_64bit_atomics.patch
new file mode 100644
index 000000000..eb7f2b29b
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/glibc/glibc/use_64bit_atomics.patch
@@ -0,0 +1,24 @@
+This patch alows using 64 bit atomic instructions on a
+32 bit platform. This is safe, providing x86 is Pentium or
+later (would not work on i386, i486). Using 64 bit atomic 
+instructions bypasses code containing a bug as documented in
+https://bugzilla.yoctoproject.org/show_bug.cgi?id=8140
+
+Upstream-Status: TBD
+
+Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
+
+
+Index: libc/sysdeps/i386/i486/bits/atomic.h
+===================================================================
+--- libc.orig/sysdeps/i386/i486/bits/atomic.h
++++ libc/sysdeps/i386/i486/bits/atomic.h
+@@ -54,7 +54,7 @@ typedef uintmax_t uatomic_max_t;
+ # endif
+ #endif
+ 
+-#define __HAVE_64B_ATOMICS 0
++#define __HAVE_64B_ATOMICS 1
+ #define USE_ATOMIC_COMPILER_BUILTINS 0
+ 
+ 
diff --git a/yocto-poky/meta/recipes-core/glibc/glibc_2.22.bb b/yocto-poky/meta/recipes-core/glibc/glibc_2.22.bb
index 09f0428ea..a13b7f94b 100644
--- a/yocto-poky/meta/recipes-core/glibc/glibc_2.22.bb
+++ b/yocto-poky/meta/recipes-core/glibc/glibc_2.22.bb
@@ -9,11 +9,11 @@ DEPENDS += "gperf-native kconfig-frontends-native"
 
 SRCREV ?= "a34d1c6afc86521d6ad17662a3b5362d8481514c"
 
-BRANCH ?= "release/${PV}/master"
+SRCBRANCH ?= "release/${PV}/master"
 
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
 
-SRC_URI = "${GLIBC_GIT_URI};branch=${BRANCH};name=glibc \
+SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0004-Backport-https-sourceware.org-ml-libc-ports-2007-12-.patch \
            file://0005-fsl-e500-e5500-e6500-603e-fsqrt-implementation.patch \
            file://0006-readlib-Add-OECORE_KNOWN_INTERPRETER_NAMES-to-known-.patch \
@@ -39,6 +39,14 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${BRANCH};name=glibc \
            file://0026-eglibc-dl_debug_mask-is-controlled-by-__OPTION_EGLIB.patch \
            file://0027-eglibc-use-option-groups-Conditionally-exclude-c-tes.patch \
            file://nscd-no-bash.patch \
+           file://strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch \
+           file://0028-Clear-ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA-for-prel.patch \
+           file://CVE-2015-8777.patch \
+           file://CVE-2015-8779.patch \
+           file://CVE-2015-9761_1.patch \
+           file://CVE-2015-9761_2.patch \
+           file://CVE-2015-8776.patch \
+           file://CVE-2015-7547.patch \
 "
 
 SRC_URI += "\
@@ -50,6 +58,7 @@ SRC_URI_append_class-nativesdk = "\
            file://0001-nativesdk-glibc-Look-for-host-system-ld.so.cache-as-.patch \
            file://0002-nativesdk-glibc-Fix-buffer-overrun-with-a-relocated-.patch \
            file://0003-nativesdk-glibc-Raise-the-size-of-arrays-containing-.patch \
+           file://use_64bit_atomics.patch \
 "
 
 S = "${WORKDIR}/git"
diff --git a/yocto-poky/meta/recipes-core/images/build-appliance-image_12.0.1.bb b/yocto-poky/meta/recipes-core/images/build-appliance-image_12.0.1.bb
index 0a86ba4b3..fdeadb63a 100644
--- a/yocto-poky/meta/recipes-core/images/build-appliance-image_12.0.1.bb
+++ b/yocto-poky/meta/recipes-core/images/build-appliance-image_12.0.1.bb
@@ -21,8 +21,8 @@ IMAGE_FSTYPES = "vmdk"
 
 inherit core-image
 
-SRCREV ?= "d01cd53429b1c20f01dac97f1b9b659cb9dc9812"
-SRC_URI = "git://git.yoctoproject.org/poky \
+SRCREV ?= "7fe17a2942ff03e2ec47d566fd5393f52b2eb736"
+SRC_URI = "git://git.yoctoproject.org/poky;branch=jethro \
            file://Yocto_Build_Appliance.vmx \
            file://Yocto_Build_Appliance.vmxf \
           "
diff --git a/yocto-poky/meta/recipes-core/initrdscripts/files/init-install-efi.sh b/yocto-poky/meta/recipes-core/initrdscripts/files/init-install-efi.sh
index fc4908ef9..0443a9d11 100644
--- a/yocto-poky/meta/recipes-core/initrdscripts/files/init-install-efi.sh
+++ b/yocto-poky/meta/recipes-core/initrdscripts/files/init-install-efi.sh
@@ -134,7 +134,7 @@ swap_start=$((rootfs_end))
 # 2) they are detected asynchronously (need rootwait)
 rootwait=""
 part_prefix=""
-if [ ! "${device#mmcblk}" = "${device}" ]; then
+if [ ! "${device#/dev/mmcblk}" = "${device}" ]; then
     part_prefix="p"
     rootwait="rootwait"
 fi
@@ -184,8 +184,8 @@ mount -o rw,loop,noatime,nodiratime /run/media/$1/$2 /src_root
 echo "Copying rootfs files..."
 cp -a /src_root/* /tgt_root
 if [ -d /tgt_root/etc/ ] ; then
-    boot_uuid=$(blkid -o value -s UUID ${device}1)
-    swap_part_uuid=$(blkid -o value -s PARTUUID ${device}3)
+    boot_uuid=$(blkid -o value -s UUID ${bootfs})
+    swap_part_uuid=$(blkid -o value -s PARTUUID ${swap})
     echo "/dev/disk/by-partuuid/$swap_part_uuid                swap             swap       defaults              0  0" >> /tgt_root/etc/fstab
     echo "UUID=$boot_uuid              /boot            vfat       defaults              1  2" >> /tgt_root/etc/fstab
     # We dont want udev to mount our root device while we're booting...
@@ -206,7 +206,7 @@ mkdir -p $EFIDIR
 cp /run/media/$1/EFI/BOOT/*.efi $EFIDIR
 
 if [ -f /run/media/$1/EFI/BOOT/grub.cfg ]; then
-    root_part_uuid=$(blkid -o value -s PARTUUID ${device}2)
+    root_part_uuid=$(blkid -o value -s PARTUUID ${rootfs})
     GRUBCFG="$EFIDIR/grub.cfg"
     cp /run/media/$1/EFI/BOOT/grub.cfg $GRUBCFG
     # Update grub config for the installed image
@@ -223,6 +223,7 @@ if [ -f /run/media/$1/EFI/BOOT/grub.cfg ]; then
 fi
 
 if [ -d /run/media/$1/loader ]; then
+    rootuuid=$(blkid -o value -s PARTUUID ${rootfs})
     GUMMIBOOT_CFGS="/boot/loader/entries/*.conf"
     # copy config files for gummiboot
     cp -dr /run/media/$1/loader /boot
diff --git a/yocto-poky/meta/recipes-core/initrdscripts/initramfs-framework/finish b/yocto-poky/meta/recipes-core/initrdscripts/initramfs-framework/finish
index e712ff03c..d09bbb8be 100755
--- a/yocto-poky/meta/recipes-core/initrdscripts/initramfs-framework/finish
+++ b/yocto-poky/meta/recipes-core/initrdscripts/initramfs-framework/finish
@@ -37,7 +37,7 @@ finish_run() {
 				fi
 				mount $flags $bootparam_root $ROOTFS_DIR
 			else
-				debug "root '$bootparam_root' doesn't exist."
+				msg "root '$bootparam_root' doesn't exist."
 			fi
 		fi
 
diff --git a/yocto-poky/meta/recipes-core/initrdscripts/initramfs-framework/init b/yocto-poky/meta/recipes-core/initrdscripts/initramfs-framework/init
index 9291ad5c2..204f2379a 100755
--- a/yocto-poky/meta/recipes-core/initrdscripts/initramfs-framework/init
+++ b/yocto-poky/meta/recipes-core/initrdscripts/initramfs-framework/init
@@ -58,7 +58,7 @@ fatal() {
     echo $1 >/dev/console
     echo >/dev/console
 
-    if [ -n "bootparam_init_fatal_sh" ]; then
+    if [ -n "$bootparam_init_fatal_sh" ]; then
         sh
     else
 	while [ "true" ]; do
diff --git a/yocto-poky/meta/recipes-core/initscripts/initscripts-1.0/sysfs.sh b/yocto-poky/meta/recipes-core/initscripts/initscripts-1.0/sysfs.sh
index 0cfe76e23..0a52c90da 100644
--- a/yocto-poky/meta/recipes-core/initscripts/initscripts-1.0/sysfs.sh
+++ b/yocto-poky/meta/recipes-core/initscripts/initscripts-1.0/sysfs.sh
@@ -21,3 +21,7 @@ fi
 if [ -e /sys/kernel/debug ] && grep -q debugfs /proc/filesystems; then
   mount -t debugfs debugfs /sys/kernel/debug
 fi
+
+if ! [ -e /dev/zero ] && [ -e /dev ] && grep -q devtmpfs /proc/filesystems; then
+  mount -n -t devtmpfs devtmpfs /dev
+fi
diff --git a/yocto-poky/meta/recipes-core/kbd/kbd_2.0.2.bb b/yocto-poky/meta/recipes-core/kbd/kbd_2.0.2.bb
index 136dc7ac0..49bb6c9a3 100644
--- a/yocto-poky/meta/recipes-core/kbd/kbd_2.0.2.bb
+++ b/yocto-poky/meta/recipes-core/kbd/kbd_2.0.2.bb
@@ -34,3 +34,4 @@ ALTERNATIVE_${PN} = "chvt deallocvt fgconsole openvt"
 ALTERNATIVE_PRIORITY = "100"
 
 BBCLASSEXTEND = "native"
+PARALLEL_MAKEINST = ""
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2.inc b/yocto-poky/meta/recipes-core/libxml/libxml2.inc
index 1c3c37d50..310d5bbc5 100644
--- a/yocto-poky/meta/recipes-core/libxml/libxml2.inc
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2.inc
@@ -21,6 +21,22 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
            file://libxml-m4-use-pkgconfig.patch \
            file://configure.ac-fix-cross-compiling-warning.patch \
            file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
+           file://CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch \
+           file://CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch \
+           file://CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch \
+           file://CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch \
+           file://CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch \
+           file://0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch \
+           file://CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch \
+           file://0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch \
+           file://CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch \
+           file://CVE-2015-7499-2-Detect-incoherency-on-GROW.patch \
+           file://0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch \
+           file://0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch \
+           file://0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch \
+           file://0001-CVE-2015-5312-Another-entity-expansion-issue.patch \
+           file://CVE-2015-8241.patch \
+           file://CVE-2015-8710.patch \
           "
 
 BINCONFIG = "${bindir}/xml2-config"
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-5312-Another-entity-expansion-issue.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-5312-Another-entity-expansion-issue.patch
new file mode 100644
index 000000000..979618d2c
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-5312-Another-entity-expansion-issue.patch
@@ -0,0 +1,39 @@
+From 69030714cde66d525a8884bda01b9e8f0abf8e1e Mon Sep 17 00:00:00 2001
+From: David Drysdale <drysdale@google.com>
+Date: Fri, 20 Nov 2015 11:13:45 +0800
+Subject: [PATCH] CVE-2015-5312 Another entity expansion issue
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756733
+It is one case where the code in place to detect entities expansions
+failed to exit when the situation was detected, leading to DoS
+Problem reported by Kostya Serebryany @ Google
+Patch provided by David Drysdale @ Google
+
+Upstream-Status: Backport
+
+CVE-2015-5312
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index b7b6668..da6e729 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2806,6 +2806,10 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ 			                      0, 0, 0);
+ 		ctxt->depth--;
+ 
++		if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) ||
++		    (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
++		    goto int_error;
++
+ 		if (rep != NULL) {
+ 		    current = rep;
+ 		    while (*current != 0) { /* non input consuming loop */
+-- 
+2.3.5
+
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch
new file mode 100644
index 000000000..955c96195
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch
@@ -0,0 +1,40 @@
+From 6360a31a84efe69d155ed96306b9a931a40beab9 Mon Sep 17 00:00:00 2001
+From: David Drysdale <drysdale@google.com>
+Date: Fri, 20 Nov 2015 10:47:12 +0800
+Subject: [PATCH] CVE-2015-7497 Avoid an heap buffer overflow in
+ xmlDictComputeFastQKey
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756528
+It was possible to hit a negative offset in the name indexing
+used to randomize the dictionary key generation
+Reported and fix provided by David Drysdale @ Google
+
+Upstream-Status: Backport
+
+CVE-2015-7497
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ dict.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/dict.c b/dict.c
+index 5f71d55..8c8f931 100644
+--- a/dict.c
++++ b/dict.c
+@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen,
+ 	value += 30 * (*prefix);
+ 
+     if (len > 10) {
+-        value += name[len - (plen + 1 + 1)];
++        int offset = len - (plen + 1 + 1);
++	if (offset < 0)
++	    offset = len - (10 + 1);
++	value += name[offset];
+         len = 10;
+ 	if (plen > 10)
+ 	    plen = 10;
+-- 
+2.3.5
+
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
new file mode 100644
index 000000000..b4860791b
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
@@ -0,0 +1,131 @@
+From f1063fdbe7fa66332bbb76874101c2a7b51b519f Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 16:06:59 +0800
+Subject: [PATCH] CVE-2015-7500 Fix memory access error due to incorrect
+ entities boundaries
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756525
+handle properly the case where we popped out of the current entity
+while processing a start tag
+Reported by Kostya Serebryany @ Google
+
+This slightly modifies the output of 754946 in regression tests
+
+Upstream-Status: Backport
+
+CVE-2015-7500
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c                     | 28 ++++++++++++++++++++++------
+ result/errors/754946.xml.err |  7 +++++--
+ 2 files changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index c7e4574..c5741e3 100644
+--- a/parser.c
++++ b/parser.c
+@@ -9348,7 +9348,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,
+     const xmlChar **atts = ctxt->atts;
+     int maxatts = ctxt->maxatts;
+     int nratts, nbatts, nbdef;
+-    int i, j, nbNs, attval, oldline, oldcol;
++    int i, j, nbNs, attval, oldline, oldcol, inputNr;
+     const xmlChar *base;
+     unsigned long cur;
+     int nsNr = ctxt->nsNr;
+@@ -9367,6 +9367,7 @@ reparse:
+     SHRINK;
+     base = ctxt->input->base;
+     cur = ctxt->input->cur - ctxt->input->base;
++    inputNr = ctxt->inputNr;
+     oldline = ctxt->input->line;
+     oldcol = ctxt->input->col;
+     nbatts = 0;
+@@ -9392,7 +9393,8 @@ reparse:
+      */
+     SKIP_BLANKS;
+     GROW;
+-    if (ctxt->input->base != base) goto base_changed;
++    if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++        goto base_changed;
+ 
+     while (((RAW != '>') &&
+ 	   ((RAW != '/') || (NXT(1) != '>')) &&
+@@ -9403,7 +9405,7 @@ reparse:
+ 
+ 	attname = xmlParseAttribute2(ctxt, prefix, localname,
+ 	                             &aprefix, &attvalue, &len, &alloc);
+-	if (ctxt->input->base != base) {
++	if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) {
+ 	    if ((attvalue != NULL) && (alloc != 0))
+ 	        xmlFree(attvalue);
+ 	    attvalue = NULL;
+@@ -9552,7 +9554,8 @@ skip_ns:
+ 		    break;
+ 		}
+ 		SKIP_BLANKS;
+-		if (ctxt->input->base != base) goto base_changed;
++		if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++		    goto base_changed;
+ 		continue;
+ 	    }
+ 
+@@ -9589,7 +9592,8 @@ failed:
+ 	GROW
+         if (ctxt->instate == XML_PARSER_EOF)
+             break;
+-	if (ctxt->input->base != base) goto base_changed;
++	if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++	    goto base_changed;
+ 	if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+ 	    break;
+ 	if (!IS_BLANK_CH(RAW)) {
+@@ -9605,7 +9609,8 @@ failed:
+ 	    break;
+ 	}
+         GROW;
+-	if (ctxt->input->base != base) goto base_changed;
++	if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++	    goto base_changed;
+     }
+ 
+     /*
+@@ -9772,6 +9777,17 @@ base_changed:
+ 	    if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL))
+ 	        xmlFree((xmlChar *) atts[i]);
+     }
++
++    /*
++     * We can't switch from one entity to another in the middle
++     * of a start tag
++     */
++    if (inputNr != ctxt->inputNr) {
++        xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
++		    "Start tag doesn't start and stop in the same entity\n");
++	return(NULL);
++    }
++
+     ctxt->input->cur = ctxt->input->base + cur;
+     ctxt->input->line = oldline;
+     ctxt->input->col = oldcol;
+diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
+index 423dff5..a75088b 100644
+--- a/result/errors/754946.xml.err
++++ b/result/errors/754946.xml.err
+@@ -11,6 +11,9 @@ Entity: line 1: parser error : DOCTYPE improperly terminated
+ Entity: line 1: 
+ A<lbbbbbbbbbbbbbbbbbbb_
+ ^
++./test/errors/754946.xml:1: parser error : Start tag doesn't start and stop in the same entity
++>%SYSTEM;<![
++         ^
+ ./test/errors/754946.xml:1: parser error : Extra content at the end of the document
+-<!DOCTYPEA[<!ENTITY %
+-  ^
++>%SYSTEM;<![
++         ^
+-- 
+2.3.5
+
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch
new file mode 100644
index 000000000..710735570
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch
@@ -0,0 +1,38 @@
+From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 3 Nov 2015 15:31:25 +0800
+Subject: [PATCH] CVE-2015-8035 Fix XZ compression support loop
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=757466
+DoS when parsing specially crafted XML document if XZ support
+is compiled in (which wasn't the case for 2.9.2 and master since
+Nov 2013, fixed in next commit !)
+
+Upstream-Status: Backport
+
+CVE-2015-8035
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ xzlib.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index 0dcb9f4..1fab546 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
+             xz_error(state, LZMA_DATA_ERROR, "compressed data error");
+             return -1;
+         }
++        if (ret == LZMA_PROG_ERROR) {
++            xz_error(state, LZMA_PROG_ERROR, "compression error");
++            return -1;
++        }
+     } while (strm->avail_out && ret != LZMA_STREAM_END);
+ 
+     /* update available output and crc check value */
+-- 
+2.3.5
+
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch
new file mode 100644
index 000000000..73531b3c1
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch
@@ -0,0 +1,49 @@
+From 8fb4a770075628d6441fb17a1e435100e2f3b1a2 Mon Sep 17 00:00:00 2001
+From: Hugh Davenport <hugh@allthethings.co.nz>
+Date: Fri, 20 Nov 2015 17:16:06 +0800
+Subject: [PATCH] CVE-2015-8242 Buffer overead with HTML parser in push mode
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756372
+Error in the code pointing to the codepoint in the stack for the
+current char value instead of the pointer in the input that the SAX
+callback expects
+Reported and fixed by Hugh Davenport
+
+Upstream-Status: Backport
+
+CVE-2015-8242
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ HTMLparser.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index bdf7807..b729197 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -5735,17 +5735,17 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
+ 				if (ctxt->keepBlanks) {
+ 				    if (ctxt->sax->characters != NULL)
+ 					ctxt->sax->characters(
+-						ctxt->userData, &cur, 1);
++						ctxt->userData, &in->cur[0], 1);
+ 				} else {
+ 				    if (ctxt->sax->ignorableWhitespace != NULL)
+ 					ctxt->sax->ignorableWhitespace(
+-						ctxt->userData, &cur, 1);
++						ctxt->userData, &in->cur[0], 1);
+ 				}
+ 			    } else {
+ 				htmlCheckParagraph(ctxt);
+ 				if (ctxt->sax->characters != NULL)
+ 				    ctxt->sax->characters(
+-					    ctxt->userData, &cur, 1);
++					    ctxt->userData, &in->cur[0], 1);
+ 			    }
+ 			}
+ 			ctxt->token = 0;
+-- 
+2.3.5
+
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch
new file mode 100644
index 000000000..a86b9ee86
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch
@@ -0,0 +1,138 @@
+From 51f02b0a03ea1fa6c65b3f9fd88cf60fb5803783 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 15 Sep 2015 16:50:32 +0800
+Subject: [PATCH] Fix a bug on name parsing at the end of current input buffer
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=754946
+
+When hitting the end of the current input buffer while parsing
+a name we could end up loosing the beginning of the name, which
+led to various issues.
+
+Upstream-Status: backport
+
+Depend patch for CVE-2015-7500
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ parser.c                     | 29 ++++++++++++++++++++---------
+ result/errors/754946.xml     |  0
+ result/errors/754946.xml.err | 16 ++++++++++++++++
+ result/errors/754946.xml.str |  4 ++++
+ test/errors/754946.xml       |  1 +
+ 5 files changed, 41 insertions(+), 9 deletions(-)
+ create mode 100644 result/errors/754946.xml
+ create mode 100644 result/errors/754946.xml.err
+ create mode 100644 result/errors/754946.xml.str
+ create mode 100644 test/errors/754946.xml
+
+diff --git a/parser.c b/parser.c
+index 0edd53b..fd29a39 100644
+--- a/parser.c
++++ b/parser.c
+@@ -3491,7 +3491,14 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ 	c = CUR_CHAR(l);
+ 	if (c == 0) {
+ 	    count = 0;
++	    /*
++	     * when shrinking to extend the buffer we really need to preserve
++	     * the part of the name we already parsed. Hence rolling back
++	     * by current lenght.
++	     */
++	    ctxt->input->cur -= l;
+ 	    GROW;
++	    ctxt->input->cur += l;
+             if (ctxt->instate == XML_PARSER_EOF)
+                 return(NULL);
+ 	    end = ctxt->input->cur;
+@@ -3523,7 +3530,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ 
+ static const xmlChar *
+ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+-    const xmlChar *in;
++    const xmlChar *in, *e;
+     const xmlChar *ret;
+     int count = 0;
+ 
+@@ -3535,16 +3542,19 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+      * Accelerator for simple ASCII names
+      */
+     in = ctxt->input->cur;
+-    if (((*in >= 0x61) && (*in <= 0x7A)) ||
+-	((*in >= 0x41) && (*in <= 0x5A)) ||
+-	(*in == '_')) {
++    e = ctxt->input->end;
++    if ((((*in >= 0x61) && (*in <= 0x7A)) ||
++	 ((*in >= 0x41) && (*in <= 0x5A)) ||
++	 (*in == '_')) && (in < e)) {
+ 	in++;
+-	while (((*in >= 0x61) && (*in <= 0x7A)) ||
+-	       ((*in >= 0x41) && (*in <= 0x5A)) ||
+-	       ((*in >= 0x30) && (*in <= 0x39)) ||
+-	       (*in == '_') || (*in == '-') ||
+-	       (*in == '.'))
++	while ((((*in >= 0x61) && (*in <= 0x7A)) ||
++	        ((*in >= 0x41) && (*in <= 0x5A)) ||
++	        ((*in >= 0x30) && (*in <= 0x39)) ||
++	        (*in == '_') || (*in == '-') ||
++	        (*in == '.')) && (in < e))
+ 	    in++;
++	if (in >= e)
++	    goto complex;
+ 	if ((*in > 0) && (*in < 0x80)) {
+ 	    count = in - ctxt->input->cur;
+             if ((count > XML_MAX_NAME_LENGTH) &&
+@@ -3562,6 +3572,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+ 	    return(ret);
+ 	}
+     }
++complex:
+     return(xmlParseNCNameComplex(ctxt));
+ }
+ 
+diff --git a/result/errors/754946.xml b/result/errors/754946.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
+new file mode 100644
+index 0000000..423dff5
+--- /dev/null
++++ b/result/errors/754946.xml.err
+@@ -0,0 +1,16 @@
++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++ %SYSTEM; 
++         ^
++Entity: line 1: 
++A<lbbbbbbbbbbbbbbbbbbb_
++^
++Entity: line 1: parser error : DOCTYPE improperly terminated
++ %SYSTEM; 
++         ^
++Entity: line 1: 
++A<lbbbbbbbbbbbbbbbbbbb_
++^
++./test/errors/754946.xml:1: parser error : Extra content at the end of the document
++<!DOCTYPEA[<!ENTITY %
++  ^
+diff --git a/result/errors/754946.xml.str b/result/errors/754946.xml.str
+new file mode 100644
+index 0000000..3b748cc
+--- /dev/null
++++ b/result/errors/754946.xml.str
+@@ -0,0 +1,4 @@
++./test/errors/754946.xml:1: parser error : Extra content at the end of the document
++<!DOCTYPEA[<!ENTITY %
++          ^
++./test/errors/754946.xml : failed to parse
+diff --git a/test/errors/754946.xml b/test/errors/754946.xml
+new file mode 100644
+index 0000000..6b5f9b0
+--- /dev/null
++++ b/test/errors/754946.xml
+@@ -0,0 +1 @@
++<!DOCTYPEA[<!ENTITY %

SYSTEM "A<lbbbbbbbbbbbbbbbbbbb_"
>%SYSTEM;<![
+\ No newline at end of file
+-- 
+2.3.5
+
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch
new file mode 100644
index 000000000..47ba8970e
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch
@@ -0,0 +1,89 @@
+From afd27c21f6b36e22682b7da20d726bce2dcb2f43 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 9 Nov 2015 18:07:18 +0800
+Subject: [PATCH] Avoid processing entities after encoding conversion failures
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756527
+and was also raised by Chromium team in the past
+
+When we hit a convwersion failure when switching encoding
+it is bestter to stop parsing there, this was treated as a
+fatal error but the parser was continuing to process to extract
+more errors, unfortunately that makes little sense as the data
+is obviously corrupt and can potentially lead to unexpected behaviour.
+
+Upstream-Status: Backport
+
+CVE-2015-7498
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c          |  7 +++++--
+ parserInternals.c | 11 ++++++++++-
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 134afe7..c79b4e8 100644
+--- a/parser.c
++++ b/parser.c
+@@ -10665,7 +10665,8 @@ xmlParseXMLDecl(xmlParserCtxtPtr ctxt) {
+ 	xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n");
+     }
+     xmlParseEncodingDecl(ctxt);
+-    if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
++    if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) ||
++         (ctxt->instate == XML_PARSER_EOF)) {
+ 	/*
+ 	 * The XML REC instructs us to stop parsing right here
+ 	 */
+@@ -10789,6 +10790,7 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
+ 
+     if (CUR == 0) {
+ 	xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
++	return(-1);
+     }
+ 
+     /*
+@@ -10806,7 +10808,8 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
+ 	 * Note that we will switch encoding on the fly.
+ 	 */
+ 	xmlParseXMLDecl(ctxt);
+-	if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
++	if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) ||
++	    (ctxt->instate == XML_PARSER_EOF)) {
+ 	    /*
+ 	     * The XML REC instructs us to stop parsing right here
+ 	     */
+diff --git a/parserInternals.c b/parserInternals.c
+index df204fd..c8230c1 100644
+--- a/parserInternals.c
++++ b/parserInternals.c
+@@ -937,6 +937,7 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
+ {
+     xmlCharEncodingHandlerPtr handler;
+     int len = -1;
++    int ret;
+ 
+     if (ctxt == NULL) return(-1);
+     switch (enc) {
+@@ -1097,7 +1098,15 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
+     if (handler == NULL)
+ 	return(-1);
+     ctxt->charset = XML_CHAR_ENCODING_UTF8;
+-    return(xmlSwitchToEncodingInt(ctxt, handler, len));
++    ret = xmlSwitchToEncodingInt(ctxt, handler, len);
++    if ((ret < 0) || (ctxt->errNo == XML_I18N_CONV_FAILED)) {
++        /*
++	 * on encoding conversion errors, stop the parser
++	 */
++        xmlStopParser(ctxt);
++	ctxt->errNo = XML_I18N_CONV_FAILED;
++    }
++    return(ret);
+ }
+ 
+ /**
+-- 
+2.3.5
+
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch
new file mode 100644
index 000000000..e39ec65cd
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch
@@ -0,0 +1,88 @@
+From 28cd9cb747a94483f4aea7f0968d202c20bb4cfc Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 14:55:30 +0800
+Subject: [PATCH] Add xmlHaltParser() to stop the parser
+
+The problem is doing it in a consistent and safe fashion
+It's more complex than just setting ctxt->instate = XML_PARSER_EOF
+Update the public function to reuse that new internal routine
+
+Upstream-Status: Backport
+
+CVE-2015-7499-1
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 34 +++++++++++++++++++++++++++++-----
+ 1 file changed, 29 insertions(+), 5 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index da6e729..b6e99b1 100644
+--- a/parser.c
++++ b/parser.c
+@@ -94,6 +94,8 @@ static xmlParserCtxtPtr
+ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
+ 	                  const xmlChar *base, xmlParserCtxtPtr pctx);
+ 
++static void xmlHaltParser(xmlParserCtxtPtr ctxt);
++
+ /************************************************************************
+  *									*
+  *	Arbitrary limits set in the parser. See XML_PARSE_HUGE		*
+@@ -12625,25 +12627,47 @@ xmlCreatePushParserCtxt(xmlSAXHandlerPtr sax, void *user_data,
+ #endif /* LIBXML_PUSH_ENABLED */
+ 
+ /**
+- * xmlStopParser:
++ * xmlHaltParser:
+  * @ctxt:  an XML parser context
+  *
+- * Blocks further parser processing
++ * Blocks further parser processing don't override error
++ * for internal use
+  */
+-void
+-xmlStopParser(xmlParserCtxtPtr ctxt) {
++static void
++xmlHaltParser(xmlParserCtxtPtr ctxt) {
+     if (ctxt == NULL)
+         return;
+     ctxt->instate = XML_PARSER_EOF;
+-    ctxt->errNo = XML_ERR_USER_STOP;
+     ctxt->disableSAX = 1;
+     if (ctxt->input != NULL) {
++        /*
++	 * in case there was a specific allocation deallocate before
++	 * overriding base
++	 */
++        if (ctxt->input->free != NULL) {
++	    ctxt->input->free((xmlChar *) ctxt->input->base);
++	    ctxt->input->free = NULL;
++	}
+ 	ctxt->input->cur = BAD_CAST"";
+ 	ctxt->input->base = ctxt->input->cur;
+     }
+ }
+ 
+ /**
++ * xmlStopParser:
++ * @ctxt:  an XML parser context
++ *
++ * Blocks further parser processing
++ */
++void
++xmlStopParser(xmlParserCtxtPtr ctxt) {
++    if (ctxt == NULL)
++        return;
++    xmlHaltParser(ctxt);
++    ctxt->errNo = XML_ERR_USER_STOP;
++}
++
++/**
+  * xmlCreateIOParserCtxt:
+  * @sax:  a SAX handler
+  * @user_data:  The user data returned on SAX callbacks
+-- 
+2.3.5
+
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch
new file mode 100644
index 000000000..aff392095
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch
@@ -0,0 +1,43 @@
+From 35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 15:04:09 +0800
+Subject: [PATCH] Detect incoherency on GROW
+
+the current pointer to the input has to be between the base and end
+if not stop everything we have an internal state error.
+
+Upstream-Status: Backport
+
+CVE-2015-7499-2
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 1810f99..ab007aa 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2075,9 +2075,16 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
+          ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) &&
+         ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+         xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup");
+-        ctxt->instate = XML_PARSER_EOF;
++        xmlHaltParser(ctxt);
++	return;
+     }
+     xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
++    if ((ctxt->input->cur > ctxt->input->end) ||
++        (ctxt->input->cur < ctxt->input->base)) {
++        xmlHaltParser(ctxt);
++        xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound");
++	return;
++    }
+     if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) &&
+         (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0))
+ 	    xmlPopInput(ctxt);
+-- 
+2.3.5
+
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch
new file mode 100644
index 000000000..11da9f9bd
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch
@@ -0,0 +1,39 @@
+From a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 Feb 2015 11:17:35 +0800
+Subject: [PATCH] Stop parsing on entities boundaries errors
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+There are times, like on unterminated entities that it's preferable to
+stop parsing, even if that means less error reporting. Entities are
+feeding the parser on further processing, and if they are ill defined
+then it's possible to get the parser to bug. Also do the same on
+Conditional Sections if the input is broken, as the structure of
+the document can't be guessed.
+
+Upstream-Status: Backport
+
+CVE-2015-7941-1
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/parser.c b/parser.c
+index a8d1b67..bbe97eb 100644
+--- a/parser.c
++++ b/parser.c
+@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
+ 	if (RAW != '>') {
+ 	    xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
+ 	            "xmlParseEntityDecl: entity %s not terminated\n", name);
++	    xmlStopParser(ctxt);
+ 	} else {
+ 	    if (input != ctxt->input) {
+ 		xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
+-- 
+2.3.5
+
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch
new file mode 100644
index 000000000..b7bd96053
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch
@@ -0,0 +1,56 @@
+From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 Feb 2015 11:29:20 +0800
+Subject: [PATCH] Cleanup conditional section error handling
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+The error handling of Conditional Section also need to be
+straightened as the structure of the document can't be
+guessed on a failure there and it's better to stop parsing
+as further errors are likely to be irrelevant.
+
+Upstream-Status: Backport
+
+CVE-2015-7941-2
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index bbe97eb..fe603ac 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	SKIP_BLANKS;
+ 	if (RAW != '[') {
+ 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++	    xmlStopParser(ctxt);
++	    return;
+ 	} else {
+ 	    if (ctxt->input->id != id) {
+ 		xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	SKIP_BLANKS;
+ 	if (RAW != '[') {
+ 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++	    xmlStopParser(ctxt);
++	    return;
+ 	} else {
+ 	    if (ctxt->input->id != id) {
+ 		xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 
+     } else {
+ 	xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
++	xmlStopParser(ctxt);
++	return;
+     }
+ 
+     if (RAW == 0)
+-- 
+2.3.5
+
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch
new file mode 100644
index 000000000..34b60362c
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch
@@ -0,0 +1,35 @@
+From 41ac9049a27f52e7a1f3b341f8714149fc88d450 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 27 Oct 2015 10:53:44 +0800
+Subject: [PATCH] Fix an error in previous Conditional section patch
+
+an off by one mistake in the change, led to error on correct
+document where the end of the included entity was exactly
+the end of the conditional section, leading to regtest failure
+
+Upstream-Status: Backport
+
+CVE-2015-7942-2
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index b9217ff..d67b300 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6916,7 +6916,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 				 NULL, NULL);
+ 	}
+ 	if ((ctxt-> instate != XML_PARSER_EOF) &&
+-	    ((ctxt->input->cur + 3) < ctxt->input->end))
++	    ((ctxt->input->cur + 3) <= ctxt->input->end))
+ 	    SKIP(3);
+     }
+ }
+-- 
+2.3.5
+
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch
new file mode 100644
index 000000000..40082ec07
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch
@@ -0,0 +1,39 @@
+From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 23 Oct 2015 19:02:28 +0800
+Subject: [PATCH] Another variation of overflow in Conditional sections
+
+Which happen after the previous fix to
+https://bugzilla.gnome.org/show_bug.cgi?id=756456
+
+But stopping the parser and exiting we didn't pop the intermediary entities
+and doing the SKIP there applies on an input which may be too small
+
+Upstream-Status: Backport
+
+CVE-2015-7942
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index a65e4cc..b9217ff 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	"All markup of the conditional section is not in the same entity\n",
+ 				 NULL, NULL);
+ 	}
+-        SKIP(3);
++	if ((ctxt-> instate != XML_PARSER_EOF) &&
++	    ((ctxt->input->cur + 3) < ctxt->input->end))
++	    SKIP(3);
+     }
+ }
+ 
+-- 
+2.3.5
+
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch
new file mode 100644
index 000000000..89a46ad17
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch
@@ -0,0 +1,40 @@
+From ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe Mon Sep 17 00:00:00 2001
+From: Hugh Davenport <hugh@allthethings.co.nz>
+Date: Tue, 3 Nov 2015 20:40:49 +0800
+Subject: [PATCH] Avoid extra processing of MarkupDecl when EOF
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756263
+
+One place where ctxt->instate == XML_PARSER_EOF whic was set up
+by entity detection issues doesn't get noticed, and even overrided
+
+Upstream-status: Backport
+
+https://git.gnome.org/browse/libxml2/commit/?id=ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe
+
+CVE: CVE-2015-8241
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -6999,6 +6999,14 @@ xmlParseMarkupDecl(xmlParserCtxtPtr ctxt
+ 	    xmlParsePI(ctxt);
+ 	}
+     }
++
++    /*
++     * detect requirement to exit there and act accordingly
++     * and avoid having instate overriden later on
++     */
++    if (ctxt->instate == XML_PARSER_EOF)
++        return;
++
+     /*
+      * This is only for internal subset. On external entities,
+      * the replacement is done before parsing stage
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch
new file mode 100644
index 000000000..59425cbfc
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch
@@ -0,0 +1,42 @@
+From 709a952110e98621c9b78c4f26462a9d8333102e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 29 Jun 2015 16:10:26 +0800
+Subject: [PATCH] Fail parsing early on if encoding conversion failed
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=751631
+
+If we fail conversing the current input stream while
+processing the encoding declaration of the XMLDecl
+then it's safer to just abort there and not try to
+report further errors.
+
+Upstream-Status: Backport
+
+CVE-2015-8317
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index a3a9568..0edd53b 100644
+--- a/parser.c
++++ b/parser.c
+@@ -10471,7 +10471,11 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) {
+ 
+             handler = xmlFindCharEncodingHandler((const char *) encoding);
+ 	    if (handler != NULL) {
+-		xmlSwitchToEncoding(ctxt, handler);
++		if (xmlSwitchToEncoding(ctxt, handler) < 0) {
++		    /* failed to convert */
++		    ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING;
++		    return(NULL);
++		}
+ 	    } else {
+ 		xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING,
+ 			"Unsupported encoding %s\n", encoding);
+-- 
+2.3.5
+
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch
new file mode 100644
index 000000000..be06cc22c
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch
@@ -0,0 +1,71 @@
+From e724879d964d774df9b7969fc846605aa1bac54c Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 30 Oct 2015 21:14:55 +0800
+Subject: [PATCH] Fix parsing short unclosed comment uninitialized access
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=746048
+The HTML parser was too optimistic when processing comments and
+didn't check for the end of the stream on the first 2 characters
+
+Upstream-Status: Backport
+
+https://git.gnome.org/browse/libxml2/commit/?id=e724879d964d774df9b7969fc846605aa1bac54c
+
+CVE: CVE-2015-8710
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ HTMLparser.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+Index: libxml2-2.9.2/HTMLparser.c
+===================================================================
+--- libxml2-2.9.2.orig/HTMLparser.c
++++ libxml2-2.9.2/HTMLparser.c
+@@ -3245,12 +3245,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt)
+ 	ctxt->instate = state;
+ 	return;
+     }
++    len = 0;
++    buf[len] = 0;
+     q = CUR_CHAR(ql);
++    if (!IS_CHAR(q))
++        goto unfinished;
+     NEXTL(ql);
+     r = CUR_CHAR(rl);
++    if (!IS_CHAR(r))
++        goto unfinished;
+     NEXTL(rl);
+     cur = CUR_CHAR(l);
+-    len = 0;
+     while (IS_CHAR(cur) &&
+            ((cur != '>') ||
+ 	    (r != '-') || (q != '-'))) {
+@@ -3281,18 +3286,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt)
+ 	}
+     }
+     buf[len] = 0;
+-    if (!IS_CHAR(cur)) {
+-	htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+-	             "Comment not terminated \n<!--%.50s\n", buf, NULL);
+-	xmlFree(buf);
+-    } else {
++    if (IS_CHAR(cur)) {
+         NEXT;
+ 	if ((ctxt->sax != NULL) && (ctxt->sax->comment != NULL) &&
+ 	    (!ctxt->disableSAX))
+ 	    ctxt->sax->comment(ctxt->userData, buf);
+ 	xmlFree(buf);
++	ctxt->instate = state;
++	return;
+     }
+-    ctxt->instate = state;
++
++unfinished:
++    htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
++		 "Comment not terminated \n<!--%.50s\n", buf, NULL);
++    xmlFree(buf);
+ }
+ 
+ /**
diff --git a/yocto-poky/meta/recipes-core/meta/meta-ide-support.bb b/yocto-poky/meta/recipes-core/meta/meta-ide-support.bb
index 2f9291281..86c57cda2 100644
--- a/yocto-poky/meta/recipes-core/meta/meta-ide-support.bb
+++ b/yocto-poky/meta/recipes-core/meta/meta-ide-support.bb
@@ -13,5 +13,4 @@ do_populate_ide_support () {
   toolchain_create_tree_env_script
 }
 
-do_populate_ide_support[nostamp] = "1"
 addtask populate_ide_support before do_build after do_install
diff --git a/yocto-poky/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb b/yocto-poky/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
index d971c3ca3..904173489 100644
--- a/yocto-poky/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
+++ b/yocto-poky/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
@@ -2,10 +2,17 @@ SUMMARY = "Dummy package which ensures perl is excluded from buildtools"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
 
-inherit nativesdk
+inherit allarch
 
-# Put it somewhere separate to ensure it's never used except when we want it
-PACKAGE_ARCH = "buildtools-dummy-${SDKPKGSUFFIX}"
+PR = "r1"
+
+python() {
+    # Put the package somewhere separate to ensure it's never used except
+    # when we want it
+    # (note that we have to do this in anonymous python here to avoid
+    # allarch.bbclass disabling itself)
+    d.setVar('PACKAGE_ARCH', 'buildtools-dummy-${SDKPKGSUFFIX}')
+}
 
 PERLPACKAGES = "nativesdk-perl \
                 nativesdk-perl-module-file-path"
diff --git a/yocto-poky/meta/recipes-core/meta/signing-keys.bb b/yocto-poky/meta/recipes-core/meta/signing-keys.bb
new file mode 100644
index 000000000..cc401f3b6
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/meta/signing-keys.bb
@@ -0,0 +1,45 @@
+# Copyright (C) 2015 Intel Corporation
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+DESCRIPTION = "Make public keys of the signing keys available"
+LICENSE = "MIT"
+PACKAGES = ""
+
+do_fetch[noexec] = "1"
+do_unpack[noexec] = "1"
+do_patch[noexec] = "1"
+do_configure[noexec] = "1"
+do_compile[noexec] = "1"
+do_install[noexec] = "1"
+do_package[noexec] = "1"
+do_packagedata[noexec] = "1"
+do_package_write_ipk[noexec] = "1"
+do_package_write_rpm[noexec] = "1"
+do_package_write_deb[noexec] = "1"
+do_populate_sysroot[noexec] = "1"
+
+EXCLUDE_FROM_WORLD = "1"
+
+def export_gpg_pubkey(d, keyid, path):
+    import bb
+    gpg_bin = d.getVar('GPG_BIN', True) or \
+              bb.utils.which(os.getenv('PATH'), "gpg")
+    cmd = '%s --batch --yes --export --armor -o %s %s' % \
+          (gpg_bin, path, keyid)
+    status, output = oe.utils.getstatusoutput(cmd)
+    if status:
+        raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' %
+                                  (keyid, output))
+
+python do_export_public_keys () {
+    if d.getVar("RPM_SIGN_PACKAGES", True):
+        # Export public key of the rpm signing key
+        export_gpg_pubkey(d, d.getVar("RPM_GPG_NAME", True),
+                          d.getVar('RPM_GPG_PUBKEY', True))
+
+    if d.getVar('PACKAGE_FEED_SIGN', True) == '1':
+        # Export public key of the feed signing key
+        export_gpg_pubkey(d, d.getVar("PACKAGE_FEED_GPG_NAME", True),
+                          d.getVar('PACKAGE_FEED_GPG_PUBKEY', True))
+}
+addtask do_export_public_keys before do_build
diff --git a/yocto-poky/meta/recipes-core/meta/uninative-tarball.bb b/yocto-poky/meta/recipes-core/meta/uninative-tarball.bb
index 41f7927e1..21f3bd985 100644
--- a/yocto-poky/meta/recipes-core/meta/uninative-tarball.bb
+++ b/yocto-poky/meta/recipes-core/meta/uninative-tarball.bb
@@ -7,6 +7,7 @@ TOOLCHAIN_TARGET_TASK = ""
 
 TOOLCHAIN_HOST_TASK = "\
     nativesdk-glibc \
+    nativesdk-glibc-gconv-ibm850 \
     nativesdk-patchelf \
     "
 
diff --git a/yocto-poky/meta/recipes-core/os-release/os-release.bb b/yocto-poky/meta/recipes-core/os-release/os-release.bb
index cc431d2cd..c690b82b2 100644
--- a/yocto-poky/meta/recipes-core/os-release/os-release.bb
+++ b/yocto-poky/meta/recipes-core/os-release/os-release.bb
@@ -32,11 +32,12 @@ python do_compile () {
                 f.write('{0}={1}\n'.format(field, value))
     if d.getVar('RPM_SIGN_PACKAGES', True) == '1':
         rpm_gpg_pubkey = d.getVar('RPM_GPG_PUBKEY', True)
-        os.mkdir('${B}/rpm-gpg')
-        distro_version = self.d.getVar('DISTRO_VERSION', True) or "oe.0"
+        bb.utils.mkdirhier('${B}/rpm-gpg')
+        distro_version = d.getVar('DISTRO_VERSION', True) or "oe.0"
         shutil.copy2(rpm_gpg_pubkey, d.expand('${B}/rpm-gpg/RPM-GPG-KEY-%s' % distro_version))
 }
 do_compile[vardeps] += "${OS_RELEASE_FIELDS}"
+do_compile[depends] += "signing-keys:do_export_public_keys"
 
 do_install () {
     install -d ${D}${sysconfdir}
diff --git a/yocto-poky/meta/recipes-core/packagegroups/packagegroup-core-standalone-sdk-target.bb b/yocto-poky/meta/recipes-core/packagegroups/packagegroup-core-standalone-sdk-target.bb
index 37f5e43a7..6997f396b 100644
--- a/yocto-poky/meta/recipes-core/packagegroups/packagegroup-core-standalone-sdk-target.bb
+++ b/yocto-poky/meta/recipes-core/packagegroups/packagegroup-core-standalone-sdk-target.bb
@@ -7,6 +7,8 @@ inherit packagegroup
 RDEPENDS_${PN} = "\
     libgcc \
     libgcc-dev \
+    libatomic \
+    libatomic-dev \
     libstdc++ \
     libstdc++-dev \
     ${LIBC_DEPENDENCIES} \
diff --git a/yocto-poky/meta/recipes-core/readline/readline-6.3/readline63-003 b/yocto-poky/meta/recipes-core/readline/readline-6.3/readline-cve-2014-2524.patch
index 98a9d810b..98a9d810b 100644
--- a/yocto-poky/meta/recipes-core/readline/readline-6.3/readline63-003
+++ b/yocto-poky/meta/recipes-core/readline/readline-6.3/readline-cve-2014-2524.patch
diff --git a/yocto-poky/meta/recipes-core/readline/readline_6.3.bb b/yocto-poky/meta/recipes-core/readline/readline_6.3.bb
index 55964a6cf..fc362ae5a 100644
--- a/yocto-poky/meta/recipes-core/readline/readline_6.3.bb
+++ b/yocto-poky/meta/recipes-core/readline/readline_6.3.bb
@@ -1,6 +1,6 @@
 require readline.inc
 
-SRC_URI += "file://readline63-003 \
+SRC_URI += "file://readline-cve-2014-2524.patch;striplevel=0 \
             file://readline-dispatch-multikey.patch"
 
 SRC_URI[archive.md5sum] = "33c8fb279e981274f485fd91da77e94a"
diff --git a/yocto-poky/meta/recipes-core/systemd/systemd/0001-fix-build-on-uClibc-exp10.patch b/yocto-poky/meta/recipes-core/systemd/systemd/0001-fix-build-on-uClibc-exp10.patch
new file mode 100644
index 000000000..76ce4b781
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/systemd/systemd/0001-fix-build-on-uClibc-exp10.patch
@@ -0,0 +1,22 @@
+Inspired by: http://peter.korsgaard.com/patches/alsa-utils/alsamixer-fix-build-on-uClibc-exp10.patch
+
+exp10 extension is not part of uClibc, so compute it.
+
+
+Signed-off-by: Samuel Martin <s.martin49@gmail.com>
+
+Upstream-Status: Pending
+
+Index: git/src/basic/missing.h
+===================================================================
+--- git.orig/src/basic/missing.h
++++ git/src/basic/missing.h
+@@ -1036,3 +1036,8 @@ static inline int kcmp(pid_t pid1, pid_t
+ #ifndef INPUT_PROP_ACCELEROMETER
+ #define INPUT_PROP_ACCELEROMETER  0x06
+ #endif
++
++#ifdef __UCLIBC__
++/* 10^x = 10^(log e^x) = (e^x)^log10 = e^(x * log 10) */
++#define exp10(x) (exp((x) * log(10)))
++#endif /* __UCLIBC__ */
diff --git a/yocto-poky/meta/recipes-core/systemd/systemd/0022-Use-getenv-when-secure-versions-are-not-available.patch b/yocto-poky/meta/recipes-core/systemd/systemd/0022-Use-getenv-when-secure-versions-are-not-available.patch
new file mode 100644
index 000000000..30e38173e
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/systemd/systemd/0022-Use-getenv-when-secure-versions-are-not-available.patch
@@ -0,0 +1,39 @@
+From cb71e4beea3b3b11e5951f95c829cd2eee9fcf7b Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sat, 12 Sep 2015 19:10:04 +0000
+Subject: [PATCH 22/31] Use getenv when secure versions are not available
+
+musl doesnt implement secure version, so we default
+to it if configure does not detect a secure imeplementation
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+Upstream-Status: Rejected
+
+ src/basic/missing.h | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/basic/missing.h b/src/basic/missing.h
+index bf9b490..d6dbc7d 100644
+--- a/src/basic/missing.h
++++ b/src/basic/missing.h
+@@ -584,13 +584,14 @@ static inline int name_to_handle_at(int fd, const char *name, struct file_handle
+         return syscall(__NR_name_to_handle_at, fd, name, handle, mnt_id, flags);
+ }
+ #endif
+-
+-#ifndef HAVE_SECURE_GETENV
++#ifdef HAVE_SECURE_GETENV
+ #  ifdef HAVE___SECURE_GETENV
+ #    define secure_getenv __secure_getenv
+ #  else
+ #    error "neither secure_getenv nor __secure_getenv are available"
+ #  endif
++#else
++#  define secure_getenv getenv
+ #endif
+ 
+ #ifndef CIFS_MAGIC_NUMBER
+-- 
+2.5.2
+
diff --git a/yocto-poky/meta/recipes-core/systemd/systemd/rules-whitelist-hd-devices.patch b/yocto-poky/meta/recipes-core/systemd/systemd/rules-whitelist-hd-devices.patch
new file mode 100644
index 000000000..8975b05e0
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/systemd/systemd/rules-whitelist-hd-devices.patch
@@ -0,0 +1,32 @@
+From f77b7e5626e70c3a775e993816a33af5a61dea42 Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Wed, 16 Sep 2015 13:55:58 +0200
+Subject: [PATCH] rules: whitelist hd* devices
+
+qemu by default emulates IDE and the linux-yocto kernel(s) use
+CONFIG_IDE instead of the more modern libsata, so disks appear as
+/dev/hd*. Patch rejected upstream because CONFIG_IDE is deprecated.
+
+Upstream-Status: Denied [https://github.com/systemd/systemd/pull/1276]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ rules/60-persistent-storage.rules | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rules/60-persistent-storage.rules b/rules/60-persistent-storage.rules
+index 0b14bb4..1c4d97a 100644
+--- a/rules/60-persistent-storage.rules
++++ b/rules/60-persistent-storage.rules
+@@ -6,7 +6,7 @@
+ ACTION=="remove", GOTO="persistent_storage_end"
+ 
+ SUBSYSTEM!="block", GOTO="persistent_storage_end"
+-KERNEL!="loop*|mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|nvme*|sd*|sr*|vd*|xvd*|bcache*|cciss*|dasd*|ubd*", GOTO="persistent_storage_end"
++KERNEL!="loop*|mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|nvme*|hd*|sd*|sr*|vd*|xvd*|bcache*|cciss*|dasd*|ubd*", GOTO="persistent_storage_end"
+ 
+ # ignore partitions that span the entire disk
+ TEST=="whole_disk", GOTO="persistent_storage_end"
+-- 
+2.1.4
+
diff --git a/yocto-poky/meta/recipes-core/systemd/systemd_225.bb b/yocto-poky/meta/recipes-core/systemd/systemd_225.bb
index f7d4c7df4..18c244812 100644
--- a/yocto-poky/meta/recipes-core/systemd/systemd_225.bb
+++ b/yocto-poky/meta/recipes-core/systemd/systemd_225.bb
@@ -18,7 +18,7 @@ PROVIDES = "udev"
 
 PE = "1"
 
-DEPENDS = "kmod docbook-sgml-dtd-4.1-native intltool-native gperf-native acl readline dbus libcap libcgroup glib-2.0 qemu-native util-linux"
+DEPENDS = "kmod docbook-sgml-dtd-4.1-native intltool-native gperf-native acl readline dbus libcap libcgroup qemu-native util-linux"
 
 SECTION = "base/shell"
 
@@ -45,6 +45,7 @@ SRC_URI = "git://github.com/systemd/systemd.git;protocol=git \
            file://00-create-volatile.conf \
            file://init \
            file://run-ptest \
+           file://rules-whitelist-hd-devices.patch \
           "
 SRC_URI_append_qemuall = " file://qemuall_io_latency-core-device.c-Change-the-default-device-timeout-to-2.patch"
 
@@ -52,6 +53,8 @@ S = "${WORKDIR}/git"
 
 SRC_URI_append_libc-uclibc = "\
             file://0001-units-Prefer-getty-to-agetty-in-console-setup-system.patch \
+            file://0022-Use-getenv-when-secure-versions-are-not-available.patch \
+            file://0001-fix-build-on-uClibc-exp10.patch \
            "
 LDFLAGS_append_libc-uclibc = " -lrt"
 
@@ -87,6 +90,7 @@ PACKAGECONFIG[iptc] = "--enable-libiptc,--disable-libiptc,iptables"
 PACKAGECONFIG[ldconfig] = "--enable-ldconfig,--disable-ldconfig,,"
 PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux"
 PACKAGECONFIG[valgrind] = "ac_cv_header_valgrind_memcheck_h=yes ac_cv_header_valgrind_valgrind_h=yes ,ac_cv_header_valgrind_memcheck_h=no ac_cv_header_valgrind_valgrind_h=no ,valgrind"
+PACKAGECONFIG[qrencode] = "--enable-qrencode,--disable-qrencode,qrencode"
 
 CACHED_CONFIGUREVARS += "ac_cv_path_KILL=${base_bindir}/kill"
 CACHED_CONFIGUREVARS += "ac_cv_path_KMOD=${base_bindir}/kmod"
@@ -123,6 +127,9 @@ EXTRA_OECONF = " --with-rootprefix=${rootprefix} \
 # uclibc does not have NSS
 EXTRA_OECONF_append_libc-uclibc = " --disable-myhostname "
 
+# disable problematic GCC 5.2 optimizations [YOCTO #8291]
+FULL_OPTIMIZATION_append_arm = " -fno-schedule-insns -fno-schedule-insns2"
+
 do_configure_prepend() {
 	export NM="${HOST_PREFIX}gcc-nm"
 	export AR="${HOST_PREFIX}gcc-ar"
@@ -186,8 +193,8 @@ do_install() {
 	sed -i -e 's/.*ForwardToSyslog.*/ForwardToSyslog=yes/' ${D}${sysconfdir}/systemd/journald.conf
 	# this file is needed to exist if networkd is disabled but timesyncd is still in use since timesyncd checks it
 	# for existence else it fails
-	if [ -s ${D}${libdir}/tmpfiles.d/systemd.conf ]; then
-		${@bb.utils.contains('PACKAGECONFIG', 'networkd', ':', 'sed -i -e "\$ad /run/systemd/netif/links 0755 root root -" ${D}${libdir}/tmpfiles.d/systemd.conf', d)}
+	if [ -s ${D}${exec_prefix}/lib/tmpfiles.d/systemd.conf ]; then
+		${@bb.utils.contains('PACKAGECONFIG', 'networkd', ':', 'sed -i -e "\$ad /run/systemd/netif/links 0755 root root -" ${D}${exec_prefix}/lib/tmpfiles.d/systemd.conf', d)}
 	fi
 	install -Dm 0755 ${S}/src/systemctl/systemd-sysv-install.SKELETON ${D}${systemd_unitdir}/systemd-sysv-install
 }
diff --git a/yocto-poky/meta/recipes-core/uclibc/uclibc-git.inc b/yocto-poky/meta/recipes-core/uclibc/uclibc-git.inc
index 14a577f43..b7184794d 100644
--- a/yocto-poky/meta/recipes-core/uclibc/uclibc-git.inc
+++ b/yocto-poky/meta/recipes-core/uclibc/uclibc-git.inc
@@ -16,5 +16,10 @@ SRC_URI = "git://uclibc.org/uClibc.git;branch=master \
         file://0005-Always-use-O2-for-compiling-fork.c.patch \
         file://0006-ldso-limited-support-for-ORIGIN-in-rpath.patch \
         file://0007-nptl-atfork-Hide-pthread_atfork-in-shared-versions.patch \
+        file://0001-gcc5-optimizes-away-the-write-only-static-functions-.patch \
+        file://0001-fcntl-Add-AT_EMPTY_PATH-for-all-and-O_PATH-for-arm.patch \
+        file://0001-wire-in-syncfs.patch \
+        file://CVE-2016-2224.patch \
+        file://CVE-2016-2225.patch \
 "
 S = "${WORKDIR}/git"
diff --git a/yocto-poky/meta/recipes-core/uclibc/uclibc-git/0001-fcntl-Add-AT_EMPTY_PATH-for-all-and-O_PATH-for-arm.patch b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/0001-fcntl-Add-AT_EMPTY_PATH-for-all-and-O_PATH-for-arm.patch
new file mode 100644
index 000000000..6942db462
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/0001-fcntl-Add-AT_EMPTY_PATH-for-all-and-O_PATH-for-arm.patch
@@ -0,0 +1,42 @@
+From 4c8f5fe7d41493e8e181941ae5a01713155f44d1 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Thu, 15 Oct 2015 15:34:39 +0000
+Subject: [PATCH] fcntl: Add AT_EMPTY_PATH for all and O_PATH for arm
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+Upstream-Status: Pending
+
+ include/fcntl.h                     | 3 +++
+ libc/sysdeps/linux/arm/bits/fcntl.h | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/include/fcntl.h b/include/fcntl.h
+index 11000dd..8a7ad9b 100644
+--- a/include/fcntl.h
++++ b/include/fcntl.h
+@@ -65,6 +65,9 @@ __BEGIN_DECLS
+ # define AT_SYMLINK_FOLLOW	0x400	/* Follow symbolic links.  */
+ # define AT_EACCESS		0x200	/* Test access permitted for
+ 					   effective IDs, not real IDs.  */
++# ifdef __USE_GNU
++#  define AT_EMPTY_PATH         0x1000  /* Allow empty relative pathname.  */
++# endif
+ #endif
+ 
+ /* Do the file control operation described by CMD on FD.
+diff --git a/libc/sysdeps/linux/arm/bits/fcntl.h b/libc/sysdeps/linux/arm/bits/fcntl.h
+index aedc154..c6ba958 100644
+--- a/libc/sysdeps/linux/arm/bits/fcntl.h
++++ b/libc/sysdeps/linux/arm/bits/fcntl.h
+@@ -50,6 +50,7 @@
+ # define O_DIRECT	0200000	/* Direct disk access.	*/
+ # define O_NOATIME     01000000 /* Do not set atime.  */
+ # define O_CLOEXEC     02000000 /* Set close_on_exec.  */
++# define O_PATH       010000000 /* Resolve pathname but do not open file.  */
+ #endif
+ 
+ /* For now Linux has synchronisity options for data and read operations.
+-- 
+2.6.1
+
diff --git a/yocto-poky/meta/recipes-core/uclibc/uclibc-git/0001-gcc5-optimizes-away-the-write-only-static-functions-.patch b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/0001-gcc5-optimizes-away-the-write-only-static-functions-.patch
new file mode 100644
index 000000000..e622f87ba
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/0001-gcc5-optimizes-away-the-write-only-static-functions-.patch
@@ -0,0 +1,51 @@
+From 2659fb25d32f4b29c1c96aa5730fe40e19d53ab0 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Wed, 14 Oct 2015 17:38:37 -0700
+Subject: [PATCH] gcc5 optimizes away the write only static functions and we
+ end up with
+
+  librt/librt_so.a(rt-unwind-resume.oS): In function `_Unwind_Resume':
+  rt-unwind-resume.c:(.text+0x3c): undefined reference to `libgcc_s_resume'
+  collect2: error: ld returned 1 exit status
+  make[2]: *** [lib/librt.so] Error 1
+
+marking these functions explicitly used with __attribute_used__ avoids
+that optimization.
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+Upstream-Status: Pending
+
+ libpthread/nptl/sysdeps/unix/sysv/linux/arm/unwind-forcedunwind.c | 2 +-
+ libpthread/nptl/sysdeps/unix/sysv/linux/arm/unwind-resume.c       | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libpthread/nptl/sysdeps/unix/sysv/linux/arm/unwind-forcedunwind.c b/libpthread/nptl/sysdeps/unix/sysv/linux/arm/unwind-forcedunwind.c
+index f4d6f41..0c2edd7 100644
+--- a/libpthread/nptl/sysdeps/unix/sysv/linux/arm/unwind-forcedunwind.c
++++ b/libpthread/nptl/sysdeps/unix/sysv/linux/arm/unwind-forcedunwind.c
+@@ -27,7 +27,7 @@
+ #define __libc_fatal(x)         {/*write(STDERR_FILENO, x, strlen(x));*/ abort();}
+ 
+ static void *libgcc_s_handle;
+-static void (*libgcc_s_resume) (struct _Unwind_Exception *exc);
++static void (*libgcc_s_resume) (struct _Unwind_Exception *exc) __attribute_used__;
+ static _Unwind_Reason_Code (*libgcc_s_personality)
+   (_Unwind_State, struct _Unwind_Exception *, struct _Unwind_Context *);
+ static _Unwind_Reason_Code (*libgcc_s_forcedunwind)
+diff --git a/libpthread/nptl/sysdeps/unix/sysv/linux/arm/unwind-resume.c b/libpthread/nptl/sysdeps/unix/sysv/linux/arm/unwind-resume.c
+index f9a4ffb..f0c3047 100644
+--- a/libpthread/nptl/sysdeps/unix/sysv/linux/arm/unwind-resume.c
++++ b/libpthread/nptl/sysdeps/unix/sysv/linux/arm/unwind-resume.c
+@@ -25,7 +25,7 @@
+ #define __libc_dlclose          dlclose
+ #define __libc_fatal(x)         {/*write(STDERR_FILENO, x, strlen(x));*/ abort();}
+ 
+-static void (*libgcc_s_resume) (struct _Unwind_Exception *exc);
++static void (*libgcc_s_resume) (struct _Unwind_Exception *exc) __attribute_used__;
+ static _Unwind_Reason_Code (*libgcc_s_personality)
+   (_Unwind_State, struct _Unwind_Exception *, struct _Unwind_Context *);
+ 
+-- 
+2.6.1
+
diff --git a/yocto-poky/meta/recipes-core/uclibc/uclibc-git/0001-wire-in-syncfs.patch b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/0001-wire-in-syncfs.patch
new file mode 100644
index 000000000..079ad6b3b
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/0001-wire-in-syncfs.patch
@@ -0,0 +1,49 @@
+From 4f2db1b46bda5e376245ec36198b137709f069e8 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Thu, 15 Oct 2015 17:03:37 +0000
+Subject: [PATCH] wire in syncfs
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+Upstream-Status: Pending
+
+ include/unistd.h                   |  2 +-
+ libc/sysdeps/linux/common/syncfs.c | 13 +++++++++++++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+ create mode 100644 libc/sysdeps/linux/common/syncfs.c
+
+diff --git a/include/unistd.h b/include/unistd.h
+index 3793d2d..d01bb08 100644
+--- a/include/unistd.h
++++ b/include/unistd.h
+@@ -1073,7 +1073,7 @@ extern char *getpass (const char *__prompt) __nonnull ((1));
+ extern int fsync (int __fd);
+ #endif /* Use BSD || X/Open || Unix98.  */
+ 
+-#if 0 /*def __USE_GNU */
++#ifdef __USE_GNU
+ /* Make all changes done to all files on the file system associated
+  *    with FD actually appear on disk.  */
+ extern int syncfs (int __fd) __THROW;
+diff --git a/libc/sysdeps/linux/common/syncfs.c b/libc/sysdeps/linux/common/syncfs.c
+new file mode 100644
+index 0000000..d2eed05
+--- /dev/null
++++ b/libc/sysdeps/linux/common/syncfs.c
+@@ -0,0 +1,13 @@
++/* vi: set sw=4 ts=4: */
++/*
++ * fsync() for uClibc
++ *
++ * Copyright (C) 2000-2006 Erik Andersen <andersen@uclibc.org>
++ *
++ * Licensed under the LGPL v2.1, see the file COPYING.LIB in this tarball.
++ */
++
++#include <sys/syscall.h>
++#include <unistd.h>
++
++_syscall1(int, syncfs, int, fd)
+-- 
+2.6.1
+
diff --git a/yocto-poky/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch
new file mode 100644
index 000000000..218b60a85
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch
@@ -0,0 +1,49 @@
+From 16719c1a7078421928e6d31dd1dec574825ef515 Mon Sep 17 00:00:00 2001
+From: Waldemar Brodkorb <wbx@openadk.org>
+Date: Sun, 17 Jan 2016 15:47:22 +0100
+Subject: [PATCH] Do not follow compressed items forever.
+
+It is possible to get stuck in an infinite loop when receiving a
+specially crafted DNS reply. Exit the loop after a number of iteration
+and consider the packet invalid.
+
+Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se>
+Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>
+
+Upstream-status: Backport
+http://repo.or.cz/uclibc-ng.git/commit/16719c1a7078421928e6d31dd1dec574825ef515
+
+CVE: CVE-2016-2224
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libc/inet/resolv.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+Index: git/libc/inet/resolv.c
+===================================================================
+--- git.orig/libc/inet/resolv.c
++++ git/libc/inet/resolv.c
+@@ -666,11 +666,12 @@ int __decode_dotted(const unsigned char
+ 	bool measure = 1;
+ 	unsigned total = 0;
+ 	unsigned used = 0;
++	unsigned maxiter = 256;
+ 
+ 	if (!packet)
+ 		return -1;
+ 
+-	while (1) {
++	while (--maxiter) {
+ 		if (offset >= packet_len)
+ 			return -1;
+ 		b = packet[offset++];
+@@ -707,6 +708,8 @@ int __decode_dotted(const unsigned char
+ 		else
+ 			dest[used++] = '\0';
+ 	}
++	if (!maxiter)
++		return -1;
+ 
+ 	/* The null byte must be counted too */
+ 	if (measure)
diff --git a/yocto-poky/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2225.patch b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2225.patch
new file mode 100644
index 000000000..0217e4bf5
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2225.patch
@@ -0,0 +1,32 @@
+From bb01edff0377f2585ce304ecbadcb7b6cde372ac Mon Sep 17 00:00:00 2001
+From: Waldemar Brodkorb <wbx@openadk.org>
+Date: Mon, 25 Jan 2016 21:11:34 +0100
+Subject: [PATCH] Make sure to always terminate decoded string
+
+Write a terminating '\0' to dest when the first byte of the encoded data
+is 0. This corner case was previously missed.
+
+Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se>
+Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>
+
+Upstream-Status: Backport
+http://repo.or.cz/uclibc-ng.git/commit/bb01edff0377f2585ce304ecbadcb7b6cde372ac
+CVE: CVE-2016-2225
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libc/inet/resolv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: git/libc/inet/resolv.c
+===================================================================
+--- git.orig/libc/inet/resolv.c
++++ git/libc/inet/resolv.c
+@@ -671,6 +671,7 @@ int __decode_dotted(const unsigned char
+ 	if (!packet)
+ 		return -1;
+ 
++	dest[0] = '\0';
+ 	while (--maxiter) {
+ 		if (offset >= packet_len)
+ 			return -1;
diff --git a/yocto-poky/meta/recipes-core/uclibc/uclibc-git/uClibc.distro b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/uClibc.distro
index 6575482b3..3827b66e9 100644
--- a/yocto-poky/meta/recipes-core/uclibc/uclibc-git/uClibc.distro
+++ b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/uClibc.distro
@@ -182,6 +182,8 @@ UCLIBC_HAS_FLOATS=y
 
 # COMPILE_IN_THUMB_MODE is not set
 
+# needed by shadow
+UCLIBC_HAS_UTMP=y
 # needed by systemd
 UCLIBC_HAS_UTMPX=y
 UCLIBC_LINUX_MODULE_26=y
diff --git a/yocto-poky/meta/recipes-core/udev/udev.inc b/yocto-poky/meta/recipes-core/udev/udev.inc
index a00dad5db..c378ae3cd 100644
--- a/yocto-poky/meta/recipes-core/udev/udev.inc
+++ b/yocto-poky/meta/recipes-core/udev/udev.inc
@@ -15,6 +15,8 @@ LDFLAGS += "-lrt"
 DEPENDS = "glib-2.0 libusb usbutils pciutils glib-2.0-native gperf-native libxslt-native util-linux"
 RPROVIDES_${PN} = "hotplug"
 
+PROVIDES = "libgudev"
+
 SRC_URI = "${KERNELORG_MIRROR}/linux/utils/kernel/hotplug/udev-${PV}.tar.gz \
            file://0001-Fixing-keyboard_force_release.sh-shell-script-path.patch \
            file://avoid-mouse-autosuspend.patch \
diff --git a/yocto-poky/meta/recipes-core/util-linux/util-linux.inc b/yocto-poky/meta/recipes-core/util-linux/util-linux.inc
index a4072bc6c..594108f68 100644
--- a/yocto-poky/meta/recipes-core/util-linux/util-linux.inc
+++ b/yocto-poky/meta/recipes-core/util-linux/util-linux.inc
@@ -163,6 +163,12 @@ do_install () {
 	echo 'MOUNTALL="-t nonfs,nosmbfs,noncpfs"' > ${D}${sysconfdir}/default/mountall
 
 	rm -f ${D}${bindir}/chkdupexe
+
+	if [ "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}" = "pam" ]; then
+		install -d ${D}${sysconfdir}/pam.d
+		install -m 0644 ${WORKDIR}/runuser.pamd ${D}${sysconfdir}/pam.d/runuser
+		install -m 0644 ${WORKDIR}/runuser-l.pamd ${D}${sysconfdir}/pam.d/runuser-l
+	fi
 }
 
 # reset and nologin causes a conflict with ncurses-native and shadow-native
diff --git a/yocto-poky/meta/recipes-core/util-linux/util-linux/runuser-l.pamd b/yocto-poky/meta/recipes-core/util-linux/util-linux/runuser-l.pamd
new file mode 100644
index 000000000..4b368ccf5
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/util-linux/util-linux/runuser-l.pamd
@@ -0,0 +1,3 @@
+auth	include		runuser
+session	optional	pam_keyinit.so force revoke
+session include		runuser
diff --git a/yocto-poky/meta/recipes-core/util-linux/util-linux/runuser.pamd b/yocto-poky/meta/recipes-core/util-linux/util-linux/runuser.pamd
new file mode 100644
index 000000000..48d133b9e
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/util-linux/util-linux/runuser.pamd
@@ -0,0 +1,4 @@
+auth	sufficient	pam_rootok.so
+session	optional	pam_keyinit.so revoke
+session	required	pam_limits.so
+session	required	pam_unix.so
diff --git a/yocto-poky/meta/recipes-core/util-linux/util-linux_2.26.2.bb b/yocto-poky/meta/recipes-core/util-linux/util-linux_2.26.2.bb
index fc7dc6e09..e09fdfaf5 100644
--- a/yocto-poky/meta/recipes-core/util-linux/util-linux_2.26.2.bb
+++ b/yocto-poky/meta/recipes-core/util-linux/util-linux_2.26.2.bb
@@ -13,6 +13,8 @@ SRC_URI += "file://util-linux-ng-replace-siginterrupt.patch \
             file://uclibc-__progname-conflict.patch \
             file://configure-sbindir.patch \
             file://fix-parallel-build.patch \
+            file://runuser.pamd \
+            file://runuser-l.pamd \
             ${OLDHOST} \
 "
 SRC_URI[md5sum] = "9bdf368c395f1b70325d0eb22c7f48fb"