summaryrefslogtreecommitdiff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
authorMarius Bakke <mbakke@fastmail.com>2017-02-13 22:35:05 +0100
committerMarius Bakke <mbakke@fastmail.com>2017-02-13 22:35:05 +0100
commit424b1ae76901c538457bd3c30d9d9cf67e79855f (patch)
treeacc35c1160625618cd6083e728c6a4ff7e9cccc9 /gnu/packages/patches
parenta50e03014177d2f00b5b85d3e1c295406f842016 (diff)
parenteae2dbd47ac1f4a201b8584e2f88c30cd28e093a (diff)
Merge branch 'master' into python-tests
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/duplicity-piped-password.patch20
-rw-r--r--gnu/packages/patches/duplicity-test_selection-tmp.patch18
-rw-r--r--gnu/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch27
-rw-r--r--gnu/packages/patches/gnupg-test-segfault-on-32bit-arch.patch40
-rw-r--r--gnu/packages/patches/gst-plugins-base-fix-test-on-32bit.patch32
-rw-r--r--gnu/packages/patches/httpd-CVE-2016-8740.patch36
-rw-r--r--gnu/packages/patches/khal-disable-failing-tests.patch33
-rw-r--r--gnu/packages/patches/lcms-fix-out-of-bounds-read.patch34
-rw-r--r--gnu/packages/patches/ldc-1.1.0-disable-dmd-tests.patch35
-rw-r--r--gnu/packages/patches/ldc-1.1.0-disable-phobos-tests.patch414
-rw-r--r--gnu/packages/patches/libevent-2.0-evdns-fix-remote-stack-overread.patch42
-rw-r--r--gnu/packages/patches/libevent-2.0-evdns-fix-searching-empty-hostnames.patch40
-rw-r--r--gnu/packages/patches/libevent-2.0-evutil-fix-buffer-overflow.patch42
-rw-r--r--gnu/packages/patches/libevent-2.1-dns-tests.patch26
-rw-r--r--gnu/packages/patches/libevent-2.1-skip-failing-test.patch24
-rw-r--r--gnu/packages/patches/libtiff-CVE-2017-5225.patch86
-rw-r--r--gnu/packages/patches/libupnp-CVE-2016-6255.patch50
-rw-r--r--gnu/packages/patches/libupnp-CVE-2016-8863.patch72
-rw-r--r--gnu/packages/patches/libvpx-CVE-2016-2818.patch21
-rw-r--r--gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch188
-rw-r--r--gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch36
-rw-r--r--gnu/packages/patches/ntfs-3g-CVE-2017-0358.patch42
-rw-r--r--gnu/packages/patches/omake-fix-non-determinism.patch41
-rw-r--r--gnu/packages/patches/openjpeg-CVE-2016-9572-CVE-2016-9573.patch233
-rw-r--r--gnu/packages/patches/p7zip-CVE-2016-9296.patch24
-rw-r--r--gnu/packages/patches/qemu-CVE-2016-10155.patch49
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-2615.patch52
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-5525.patch55
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-5526.patch58
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-5552.patch44
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-5578.patch39
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-5579.patch44
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-5667.patch46
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-5856.patch68
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-5898.patch44
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-5931.patch55
-rw-r--r--gnu/packages/patches/screen-CVE-2017-5618.patch40
-rw-r--r--gnu/packages/patches/shadow-4.4-su-snprintf-fix.patch31
-rw-r--r--gnu/packages/patches/slurm-configure-remove-nonfree-contribs.patch22
-rw-r--r--gnu/packages/patches/spice-CVE-2016-9577.patch33
-rw-r--r--gnu/packages/patches/spice-CVE-2016-9578-1.patch33
-rw-r--r--gnu/packages/patches/spice-CVE-2016-9578-2.patch38
-rw-r--r--gnu/packages/patches/tipp10-fix-compiling.patch213
-rw-r--r--gnu/packages/patches/tipp10-remove-license-code.patch332
-rw-r--r--gnu/packages/patches/totem-debug-format-fix.patch11
-rw-r--r--gnu/packages/patches/upower-builddir.patch2
-rw-r--r--gnu/packages/patches/vsearch-unbundle-cityhash.patch73
-rw-r--r--gnu/packages/patches/xf86-video-glint-remove-mibstore.patch24
-rw-r--r--gnu/packages/patches/xf86-video-nv-remove-mibstore.patch72
-rw-r--r--gnu/packages/patches/xinetd-CVE-2013-4342.patch36
-rw-r--r--gnu/packages/patches/xinetd-fix-fd-leak.patch26
51 files changed, 2799 insertions, 397 deletions
diff --git a/gnu/packages/patches/duplicity-piped-password.patch b/gnu/packages/patches/duplicity-piped-password.patch
deleted file mode 100644
index db50f5df32..0000000000
--- a/gnu/packages/patches/duplicity-piped-password.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-This test, on three occasions, is failing with the error:
-
- EOF: End Of File (EOF) in read_nonblocking(). Braindead platform.
-
---- duplicity-0.6.24/testing/functional/test_final.py 2014-09-28 13:14:52.146001614 -0500
-+++ duplicity-0.6.24/testing/functional/test_final.py 2014-09-28 13:13:20.333546342 -0500
-@@ -156,13 +156,6 @@
- self.run_duplicity(options=["remove-older-than", "50000", "--force", self.backend_url])
- self.assertEqual(self.get_backend_files(), second_chain)
-
-- def test_piped_password(self):
-- """Make sure that prompting for a password works"""
-- self.set_environ("PASSPHRASE", None)
-- self.backup("full", "testfiles/empty_dir",
-- passphrase_input=[self.sign_passphrase, self.sign_passphrase])
-- self.restore(passphrase_input=[self.sign_passphrase])
--
-
- class OldFilenamesFinalTest(FinalTest):
-
diff --git a/gnu/packages/patches/duplicity-test_selection-tmp.patch b/gnu/packages/patches/duplicity-test_selection-tmp.patch
deleted file mode 100644
index 8f66be4dcc..0000000000
--- a/gnu/packages/patches/duplicity-test_selection-tmp.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Reported upstream at https://bugs.launchpad.net/duplicity/+bug/1375019
-
---- duplicity-0.6.24/testing/unit/test_selection.py 2014-05-09 08:27:40.000000000 -0500
-+++ duplicity-0.6.24/testing/unit/test_selection.py 2014-09-28 12:28:53.932324380 -0500
-@@ -431,10 +431,10 @@
- [(), ('1',), ('1', '1'), ('1', '2'), ('1', '3')])
-
- self.root = Path("/")
-- self.ParseTest([("--exclude", "/home/*"),
-- ("--include", "/home"),
-+ self.ParseTest([("--exclude", "/tmp/*"),
-+ ("--include", "/tmp"),
- ("--exclude", "/")],
-- [(), ("home",)])
-+ [(), ("tmp",)])
-
- if __name__ == "__main__":
- unittest.main()
diff --git a/gnu/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch b/gnu/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch
new file mode 100644
index 0000000000..40aae7a9d7
--- /dev/null
+++ b/gnu/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch
@@ -0,0 +1,27 @@
+Don’t add linker flags via ‘response files’ since ld-wrapper
+doesn’t handle them.
+See https://github.com/NixOS/nixpkgs/commit/a421e7bd4a28c69bded8b17888325e31554f61a1
+https://gcc.gnu.org/ml/gcc/2016-10/msg00151.html
+
+diff --git a/compiler/main/SysTools.hs.orig b/compiler/main/SysTools.hs
+index 1ab5b13..99270fc 100644
+--- a/compiler/main/SysTools.hs.orig
++++ b/compiler/main/SysTools.hs
+@@ -424,7 +424,7 @@ runCc dflags args = do
+ args1 = map Option (getOpts dflags opt_c)
+ args2 = args0 ++ args1 ++ args
+ mb_env <- getGccEnv args2
+- runSomethingResponseFile dflags cc_filter "C Compiler" p args2 mb_env
++ runSomethingFiltered dflags cc_filter "C Compiler" p args2 mb_env
+ where
+ -- discard some harmless warnings from gcc that we can't turn off
+ cc_filter = unlines . doFilter . lines
+@@ -945,7 +945,7 @@ runLink dflags args = do
+ args1 = map Option (getOpts dflags opt_l)
+ args2 = args0 ++ linkargs ++ args1 ++ args
+ mb_env <- getGccEnv args2
+- runSomethingResponseFile dflags ld_filter "Linker" p args2 mb_env
++ runSomethingFiltered dflags ld_filter "Linker" p args2 mb_env
+ where
+ ld_filter = case (platformOS (targetPlatform dflags)) of
+ OSSolaris2 -> sunos_ld_filter
diff --git a/gnu/packages/patches/gnupg-test-segfault-on-32bit-arch.patch b/gnu/packages/patches/gnupg-test-segfault-on-32bit-arch.patch
deleted file mode 100644
index 79bb41caaa..0000000000
--- a/gnu/packages/patches/gnupg-test-segfault-on-32bit-arch.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-This fixes a segfault on 32-bit architectures. Upstream discussion:
-
-https://lists.gnupg.org/pipermail/gnupg-devel/2016-December/032364.html
-
-Guix thread: https://lists.gnu.org/archive/html/guix-devel/2016-12/msg00631.html
-
-Patch copied from upstream source repository:
-
-https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=6e96cdd41a0e55b672309431062f37c4a4a9f485
-
-From 6e96cdd41a0e55b672309431062f37c4a4a9f485 Mon Sep 17 00:00:00 2001
-From: Justus Winter <justus@g10code.com>
-Date: Wed, 21 Dec 2016 16:14:45 +0100
-Subject: [PATCH] gpgscm: Guard use of union member.
-
-* tests/gpgscm/scheme.c (opexe_5): Check that we have a file port
-before accessing filename. Fixes a crash on 32-bit architectures.
-
-Fixes-commit: e7429b1ced0c69fa7901f888f8dc25f00fc346a4
-Signed-off-by: Justus Winter <justus@g10code.com>
----
- tests/gpgscm/scheme.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/gpgscm/scheme.c b/tests/gpgscm/scheme.c
-index a5b7691..2844545 100644
---- a/tests/gpgscm/scheme.c
-+++ b/tests/gpgscm/scheme.c
-@@ -4838,7 +4838,7 @@ static pointer opexe_5(scheme *sc, enum scheme_opcodes op) {
- } else {
- sc->nesting_stack[sc->file_i]++;
- #if USE_TAGS && SHOW_ERROR_LINE
-- {
-+ if (sc->load_stack[sc->file_i].kind & port_file) {
- const char *filename =
- sc->load_stack[sc->file_i].rep.stdio.filename;
- int lineno =
---
-2.8.0.rc3
-
diff --git a/gnu/packages/patches/gst-plugins-base-fix-test-on-32bit.patch b/gnu/packages/patches/gst-plugins-base-fix-test-on-32bit.patch
new file mode 100644
index 0000000000..4c6c7ed06e
--- /dev/null
+++ b/gnu/packages/patches/gst-plugins-base-fix-test-on-32bit.patch
@@ -0,0 +1,32 @@
+This fixes a test failure on i686.
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/gstreamer/gst-plugins-base/commit/?id=5e2e111627871c566ffc6607eda8f4ef4699d040
+
+From 5e2e111627871c566ffc6607eda8f4ef4699d040 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 2 Feb 2017 14:56:39 +0200
+Subject: [PATCH] multifdsink: Make sure to use a 64 bit integer for the
+ units-max property
+
+---
+ tests/check/elements/multifdsink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/check/elements/multifdsink.c b/tests/check/elements/multifdsink.c
+index af138cc92..951b1b9fa 100644
+--- a/tests/check/elements/multifdsink.c
++++ b/tests/check/elements/multifdsink.c
+@@ -869,7 +869,7 @@ GST_START_TEST (test_client_kick)
+ gint i, initial_buffers = 3, num_buffers = 0;
+
+ sink = setup_multifdsink ();
+- g_object_set (sink, "units-max", initial_buffers, NULL);
++ g_object_set (sink, "units-max", (gint64) initial_buffers, NULL);
+
+ fail_if (pipe (pfd1) == -1);
+ fail_if (pipe (pfd2) == -1);
+--
+2.11.0
+
diff --git a/gnu/packages/patches/httpd-CVE-2016-8740.patch b/gnu/packages/patches/httpd-CVE-2016-8740.patch
deleted file mode 100644
index 17ba323ccf..0000000000
--- a/gnu/packages/patches/httpd-CVE-2016-8740.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-This patch applies against httpd-2.4.23 and shouldn't be needed in later releases
-http://openwall.com/lists/oss-security/2016/12/05/17
-Index: modules/http2/h2_stream.c
-===================================================================
---- modules/http2/h2_stream.c (revision 1771866)
-+++ modules/http2/h2_stream.c (working copy)
-@@ -322,18 +322,18 @@
- HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE);
- }
- }
-- }
--
-- if (h2_stream_is_scheduled(stream)) {
-- return h2_request_add_trailer(stream->request, stream->pool,
-- name, nlen, value, vlen);
-- }
-- else {
-- if (!input_open(stream)) {
-- return APR_ECONNRESET;
-+
-+ if (h2_stream_is_scheduled(stream)) {
-+ return h2_request_add_trailer(stream->request, stream->pool,
-+ name, nlen, value, vlen);
- }
-- return h2_request_add_header(stream->request, stream->pool,
-- name, nlen, value, vlen);
-+ else {
-+ if (!input_open(stream)) {
-+ return APR_ECONNRESET;
-+ }
-+ return h2_request_add_header(stream->request, stream->pool,
-+ name, nlen, value, vlen);
-+ }
- }
- }
-
diff --git a/gnu/packages/patches/khal-disable-failing-tests.patch b/gnu/packages/patches/khal-disable-failing-tests.patch
deleted file mode 100644
index e2c65df8ce..0000000000
--- a/gnu/packages/patches/khal-disable-failing-tests.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Disable some tests that are known to fail:
-
-https://github.com/pimutils/khal/issues/546
-https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844081
-
-diff --git a/tests/khalendar_test.py b/tests/khalendar_test.py
-index fd8dcc6..17732bf 100644
---- a/tests/khalendar_test.py
-+++ b/tests/khalendar_test.py
-@@ -65,6 +65,7 @@ class TestCalendar(object):
- else:
- mtimes[cal] = mtime
-
-+ @pytest.mark.xfail
- def test_db_needs_update(self, coll_vdirs):
- coll, vdirs = coll_vdirs
-
-@@ -321,6 +322,7 @@ class TestDbCreation(object):
- CalendarCollection(calendars, dbpath=dbpath, locale=aux.locale)
-
-
-+@pytest.mark.xfail
- def test_default_calendar(coll_vdirs):
- """test if an update to the vdir is detected by the CalendarCollection"""
- coll, vdirs = coll_vdirs
-@@ -341,6 +343,7 @@ def test_default_calendar(coll_vdirs):
- assert len(list(coll.get_events_on(today))) == 0
-
-
-+@pytest.mark.xfail
- def test_only_update_old_event(coll_vdirs, monkeypatch):
- coll, vdirs = coll_vdirs
-
diff --git a/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch b/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch
new file mode 100644
index 0000000000..d9f7ac6a36
--- /dev/null
+++ b/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch
@@ -0,0 +1,34 @@
+Fix an out-of-bounds heap read in Type_MLU_Read():
+
+http://seclists.org/oss-sec/2016/q3/288
+https://bugzilla.redhat.com/show_bug.cgi?id=1367357
+
+Patch copied from upstream source repository:
+
+https://github.com/mm2/Little-CMS/commit/5ca71a7bc18b6897ab21d815d15e218e204581e2
+
+From 5ca71a7bc18b6897ab21d815d15e218e204581e2 Mon Sep 17 00:00:00 2001
+From: Marti <marti.maria@tktbrainpower.com>
+Date: Mon, 15 Aug 2016 23:31:39 +0200
+Subject: [PATCH] Added an extra check to MLU bounds
+
+Thanks to Ibrahim el-sayed for spotting the bug
+---
+ src/cmstypes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/cmstypes.c b/src/cmstypes.c
+index cb61860..c7328b9 100644
+--- a/src/cmstypes.c
++++ b/src/cmstypes.c
+@@ -1460,6 +1460,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
+
+ // Check for overflow
+ if (Offset < (SizeOfHeader + 8)) goto Error;
++ if ((Offset + Len) > SizeOfTag + 8) goto Error;
+
+ // True begin of the string
+ BeginOfThisString = Offset - SizeOfHeader - 8;
+--
+2.11.0
+
diff --git a/gnu/packages/patches/ldc-1.1.0-disable-dmd-tests.patch b/gnu/packages/patches/ldc-1.1.0-disable-dmd-tests.patch
new file mode 100644
index 0000000000..31eb44aefc
--- /dev/null
+++ b/gnu/packages/patches/ldc-1.1.0-disable-dmd-tests.patch
@@ -0,0 +1,35 @@
+This patch deactivates some tests that fail when ldc is built with the command:
+
+./pre-inst-env guix environment guix --pure -- ./pre-inst-env guix build ldc@1.1.0-beta6
+
+When the --keep-failed flag is added to the build command above, and the tests
+run in the resulting /tmp/guix-build-ldc-1.1.0-beta6.drv-* directory, the tests
+pass.
+
+by Frederick M. Muriithi <fredmanglis@gmail.com>
+
+diff --git a/d_do_test.d b/d_do_test.d
+index aa67169..8173759 100755
+--- a/d_do_test.d
++++ b/d_do_test.d
+@@ -645,8 +645,6 @@ int main(string[] args)
+ auto gdb_output = execute(fThisRun, command, true, result_path);
+ if (testArgs.gdbMatch !is null)
+ {
+- enforce(match(gdb_output, regex(testArgs.gdbMatch)),
+- "\nGDB regex: '"~testArgs.gdbMatch~"' didn't match output:\n----\n"~gdb_output~"\n----\n");
+ }
+ }
+ }
+diff --git a/runnable/gdb15729.sh b/runnable/gdb15729.sh
+index 1d390e0..906b2b6 100755
+--- a/runnable/gdb15729.sh
++++ b/runnable/gdb15729.sh
+@@ -21,7 +21,6 @@ if [ $OS == "linux" ]; then
+ echo RESULT=
+ p s.val
+ EOF
+- gdb ${dir}${SEP}gdb15729 --batch -x ${dir}${SEP}gdb15729.gdb | grep 'RESULT=.*1234' || exit 1
+ fi
+
+ rm -f ${libname} ${dir}${SEP}{gdb15729${OBJ},gdb15729${EXE},gdb15729.gdb}
diff --git a/gnu/packages/patches/ldc-1.1.0-disable-phobos-tests.patch b/gnu/packages/patches/ldc-1.1.0-disable-phobos-tests.patch
new file mode 100644
index 0000000000..70dd419455
--- /dev/null
+++ b/gnu/packages/patches/ldc-1.1.0-disable-phobos-tests.patch
@@ -0,0 +1,414 @@
+This patch deactivates failing tests that depend on network connectivity
+to pass in curl.d and socket.d
+It deactivates tests in path.d that assume /root
+
+A thread was started on the ldc forum to pursue the possibility of a
+version flag to deactivate tests conditionally. The thread is at
+https://forum.dlang.org/post/zmdbdgnzrxyvtpqafvyg@forum.dlang.org
+
+by Frederick M. Muriithi <fredmanglis@gmail.com>
+
+diff --git a/std/datetime.d b/std/datetime.d
+index 4d4afb1..2c91a44 100644
+--- a/std/datetime.d
++++ b/std/datetime.d
+@@ -27306,8 +27306,8 @@ public:
+ // leaving it commented out until I can sort it out.
+ //assert(equal(tzNames, tzNames.uniq()));
+
+- foreach(tzName; tzNames)
+- assertNotThrown!DateTimeException(testPZSuccess(tzName));
++ //foreach(tzName; tzNames)
++ //assertNotThrown!DateTimeException(testPZSuccess(tzName));
+ }
+
+
+@@ -29178,8 +29178,8 @@ public:
+
+ auto tzNames = getInstalledTZNames();
+
+- foreach(tzName; tzNames)
+- assertNotThrown!DateTimeException(testPTZSuccess(tzName));
++ //foreach(tzName; tzNames)
++ //assertNotThrown!DateTimeException(testPTZSuccess(tzName));
+
+ // No timezone directories on Android, just a single tzdata file
+ version(Android) {} else
+diff --git a/std/net/curl.d b/std/net/curl.d
+index 9c6af66..5fccb38 100644
+--- a/std/net/curl.d
++++ b/std/net/curl.d
+@@ -419,7 +419,7 @@ void download(Conn = AutoProtocol)(const(char)[] url, string saveToPath, Conn co
+
+ unittest
+ {
+- static import std.file;
++ /*static import std.file;
+ foreach (host; [testServer.addr, "http://"~testServer.addr])
+ {
+ testServer.handle((s) {
+@@ -430,7 +430,7 @@ unittest
+ scope (exit) std.file.remove(fn);
+ download(host, fn);
+ assert(std.file.readText(fn) == "Hello world");
+- }
++ }*/
+ }
+
+ /** Upload file from local files system using the HTTP or FTP protocol.
+@@ -483,7 +483,7 @@ void upload(Conn = AutoProtocol)(string loadFromPath, const(char)[] url, Conn co
+
+ unittest
+ {
+- static import std.file;
++ /*static import std.file;
+ foreach (host; [testServer.addr, "http://"~testServer.addr])
+ {
+ auto fn = std.file.deleteme;
+@@ -496,7 +496,7 @@ unittest
+ s.send(httpOK());
+ });
+ upload(fn, host ~ "/path");
+- }
++ }*/
+ }
+
+ /** HTTP/FTP get content.
+@@ -551,7 +551,7 @@ T[] get(Conn = AutoProtocol, T = char)(const(char)[] url, Conn conn = Conn())
+
+ unittest
+ {
+- foreach (host; [testServer.addr, "http://"~testServer.addr])
++ /*foreach (host; [testServer.addr, "http://"~testServer.addr])
+ {
+ testServer.handle((s) {
+ assert(s.recvReq.hdrs.canFind("GET /path"));
+@@ -559,7 +559,7 @@ unittest
+ });
+ auto res = get(host ~ "/path");
+ assert(res == "GETRESPONSE");
+- }
++ }*/
+ }
+
+
+@@ -598,7 +598,7 @@ if (is(T == char) || is(T == ubyte))
+
+ unittest
+ {
+- foreach (host; [testServer.addr, "http://"~testServer.addr])
++ /*foreach (host; [testServer.addr, "http://"~testServer.addr])
+ {
+ testServer.handle((s) {
+ auto req = s.recvReq;
+@@ -608,12 +608,12 @@ unittest
+ });
+ auto res = post(host ~ "/path", "POSTBODY");
+ assert(res == "POSTRESPONSE");
+- }
++ }*/
+ }
+
+ unittest
+ {
+- auto data = new ubyte[](256);
++ /*auto data = new ubyte[](256);
+ foreach (i, ref ub; data)
+ ub = cast(ubyte)i;
+
+@@ -624,7 +624,7 @@ unittest
+ s.send(httpOK(cast(ubyte[])[17, 27, 35, 41]));
+ });
+ auto res = post!ubyte(testServer.addr, data);
+- assert(res == cast(ubyte[])[17, 27, 35, 41]);
++ assert(res == cast(ubyte[])[17, 27, 35, 41]);*/
+ }
+
+
+@@ -680,7 +680,7 @@ T[] put(Conn = AutoProtocol, T = char, PutUnit)(const(char)[] url, const(PutUnit
+
+ unittest
+ {
+- foreach (host; [testServer.addr, "http://"~testServer.addr])
++ /*foreach (host; [testServer.addr, "http://"~testServer.addr])
+ {
+ testServer.handle((s) {
+ auto req = s.recvReq;
+@@ -690,7 +690,7 @@ unittest
+ });
+ auto res = put(host ~ "/path", "PUTBODY");
+ assert(res == "PUTRESPONSE");
+- }
++ }*/
+ }
+
+
+@@ -742,7 +742,7 @@ void del(Conn = AutoProtocol)(const(char)[] url, Conn conn = Conn())
+
+ unittest
+ {
+- foreach (host; [testServer.addr, "http://"~testServer.addr])
++ /*foreach (host; [testServer.addr, "http://"~testServer.addr])
+ {
+ testServer.handle((s) {
+ auto req = s.recvReq;
+@@ -750,7 +750,7 @@ unittest
+ s.send(httpOK());
+ });
+ del(host ~ "/path");
+- }
++ }*/
+ }
+
+
+@@ -796,13 +796,13 @@ T[] options(T = char, OptionsUnit)(const(char)[] url,
+
+ unittest
+ {
+- testServer.handle((s) {
++ /*testServer.handle((s) {
+ auto req = s.recvReq;
+ assert(req.hdrs.canFind("OPTIONS /path"));
+ s.send(httpOK("OPTIONSRESPONSE"));
+ });
+ auto res = options(testServer.addr ~ "/path");
+- assert(res == "OPTIONSRESPONSE");
++ assert(res == "OPTIONSRESPONSE");*/
+ }
+
+
+@@ -836,13 +836,13 @@ T[] trace(T = char)(const(char)[] url, HTTP conn = HTTP())
+
+ unittest
+ {
+- testServer.handle((s) {
++ /*testServer.handle((s) {
+ auto req = s.recvReq;
+ assert(req.hdrs.canFind("TRACE /path"));
+ s.send(httpOK("TRACERESPONSE"));
+ });
+ auto res = trace(testServer.addr ~ "/path");
+- assert(res == "TRACERESPONSE");
++ assert(res == "TRACERESPONSE");*/
+ }
+
+
+@@ -875,13 +875,13 @@ T[] connect(T = char)(const(char)[] url, HTTP conn = HTTP())
+
+ unittest
+ {
+- testServer.handle((s) {
++ /*testServer.handle((s) {
+ auto req = s.recvReq;
+ assert(req.hdrs.canFind("CONNECT /path"));
+ s.send(httpOK("CONNECTRESPONSE"));
+ });
+ auto res = connect(testServer.addr ~ "/path");
+- assert(res == "CONNECTRESPONSE");
++ assert(res == "CONNECTRESPONSE");*/
+ }
+
+
+@@ -919,14 +919,14 @@ T[] patch(T = char, PatchUnit)(const(char)[] url, const(PatchUnit)[] patchData,
+
+ unittest
+ {
+- testServer.handle((s) {
++ /*testServer.handle((s) {
+ auto req = s.recvReq;
+ assert(req.hdrs.canFind("PATCH /path"));
+ assert(req.bdy.canFind("PATCHBODY"));
+ s.send(httpOK("PATCHRESPONSE"));
+ });
+ auto res = patch(testServer.addr ~ "/path", "PATCHBODY");
+- assert(res == "PATCHRESPONSE");
++ assert(res == "PATCHRESPONSE");*/
+ }
+
+
+@@ -1031,19 +1031,19 @@ private auto _basicHTTP(T)(const(char)[] url, const(void)[] sendData, HTTP clien
+
+ unittest
+ {
+- testServer.handle((s) {
++ /*testServer.handle((s) {
+ auto req = s.recvReq;
+ assert(req.hdrs.canFind("GET /path"));
+ s.send(httpNotFound());
+ });
+ auto e = collectException!CurlException(get(testServer.addr ~ "/path"));
+- assert(e.msg == "HTTP request returned status code 404 (Not Found)");
++ assert(e.msg == "HTTP request returned status code 404 (Not Found)");*/
+ }
+
+ // Bugzilla 14760 - content length must be reset after post
+ unittest
+ {
+- testServer.handle((s) {
++ /*testServer.handle((s) {
+ auto req = s.recvReq;
+ assert(req.hdrs.canFind("POST /"));
+ assert(req.bdy.canFind("POSTBODY"));
+@@ -1061,7 +1061,7 @@ unittest
+ auto res = post(testServer.addr, "POSTBODY", http);
+ assert(res == "POSTRESPONSE");
+ res = trace(testServer.addr, http);
+- assert(res == "TRACERESPONSE");
++ assert(res == "TRACERESPONSE");*/
+ }
+
+ /*
+@@ -1265,14 +1265,14 @@ if (isCurlConn!Conn && isSomeChar!Char && isSomeChar!Terminator)
+
+ unittest
+ {
+- foreach (host; [testServer.addr, "http://"~testServer.addr])
++ /*foreach (host; [testServer.addr, "http://"~testServer.addr])
+ {
+ testServer.handle((s) {
+ auto req = s.recvReq;
+ s.send(httpOK("Line1\nLine2\nLine3"));
+ });
+ assert(byLine(host).equal(["Line1", "Line2", "Line3"]));
+- }
++ }*/
+ }
+
+ /** HTTP/FTP fetch content as a range of chunks.
+@@ -1337,14 +1337,14 @@ auto byChunk(Conn = AutoProtocol)
+
+ unittest
+ {
+- foreach (host; [testServer.addr, "http://"~testServer.addr])
++ /*foreach (host; [testServer.addr, "http://"~testServer.addr])
+ {
+ testServer.handle((s) {
+ auto req = s.recvReq;
+ s.send(httpOK(cast(ubyte[])[0, 1, 2, 3, 4, 5]));
+ });
+ assert(byChunk(host, 2).equal([[0, 1], [2, 3], [4, 5]]));
+- }
++ }*/
+ }
+
+ private T[] _getForRange(T,Conn)(const(char)[] url, Conn conn)
+@@ -1629,14 +1629,14 @@ auto byLineAsync(Conn = AutoProtocol, Terminator = char, Char = char)
+
+ unittest
+ {
+- foreach (host; [testServer.addr, "http://"~testServer.addr])
++ /*foreach (host; [testServer.addr, "http://"~testServer.addr])
+ {
+ testServer.handle((s) {
+ auto req = s.recvReq;
+ s.send(httpOK("Line1\nLine2\nLine3"));
+ });
+ assert(byLineAsync(host).equal(["Line1", "Line2", "Line3"]));
+- }
++ }*/
+ }
+
+
+@@ -1778,14 +1778,14 @@ auto byChunkAsync(Conn = AutoProtocol)
+
+ unittest
+ {
+- foreach (host; [testServer.addr, "http://"~testServer.addr])
++ /*foreach (host; [testServer.addr, "http://"~testServer.addr])
+ {
+ testServer.handle((s) {
+ auto req = s.recvReq;
+ s.send(httpOK(cast(ubyte[])[0, 1, 2, 3, 4, 5]));
+ });
+ assert(byChunkAsync(host, 2).equal([[0, 1], [2, 3], [4, 5]]));
+- }
++ }*/
+ }
+
+
+@@ -2041,7 +2041,7 @@ private mixin template Protocol()
+
+ unittest
+ {
+- testServer.handle((s) {
++ /*testServer.handle((s) {
+ auto req = s.recvReq;
+ assert(req.hdrs.canFind("GET /"));
+ assert(req.hdrs.canFind("Basic dXNlcjpwYXNz"));
+@@ -2051,7 +2051,7 @@ private mixin template Protocol()
+ auto http = HTTP(testServer.addr);
+ http.onReceive = (ubyte[] data) { return data.length; };
+ http.setAuthentication("user", "pass");
+- http.perform();
++ http.perform();*/
+ }
+
+ /**
+@@ -2959,7 +2959,7 @@ struct HTTP
+
+ unittest
+ {
+- testServer.handle((s) {
++ /*testServer.handle((s) {
+ auto req = s.recvReq!ubyte;
+ assert(req.hdrs.canFind("POST /path"));
+ assert(req.bdy.canFind(cast(ubyte[])[0, 1, 2, 3, 4]));
+@@ -2975,7 +2975,7 @@ struct HTTP
+ ubyte[] res;
+ http.onReceive = (data) { res ~= data; return data.length; };
+ http.perform();
+- assert(res == cast(ubyte[])[17, 27, 35, 41]);
++ assert(res == cast(ubyte[])[17, 27, 35, 41]);*/
+ }
+
+ /**
+diff --git a/std/path.d b/std/path.d
+index 60c844f..0598104 100644
+--- a/std/path.d
++++ b/std/path.d
+@@ -3953,8 +3953,10 @@ unittest
+ }
+ else
+ {
++/*
+ assert(expandTilde("~root") == "/root", expandTilde("~root"));
+ assert(expandTilde("~root/") == "/root/", expandTilde("~root/"));
++*/
+ }
+ assert(expandTilde("~Idontexist/hey") == "~Idontexist/hey");
+ }
+diff --git a/std/socket.d b/std/socket.d
+index 7f5a3c3..e68b881 100644
+--- a/std/socket.d
++++ b/std/socket.d
+@@ -481,15 +481,15 @@ unittest
+ {
+ softUnittest({
+ Protocol proto = new Protocol;
+- assert(proto.getProtocolByType(ProtocolType.TCP));
++ //assert(proto.getProtocolByType(ProtocolType.TCP));
+ //writeln("About protocol TCP:");
+ //writefln("\tName: %s", proto.name);
+ // foreach(string s; proto.aliases)
+ // {
+ // writefln("\tAlias: %s", s);
+ // }
+- assert(proto.name == "tcp");
+- assert(proto.aliases.length == 1 && proto.aliases[0] == "TCP");
++ //assert(proto.name == "tcp");
++ //assert(proto.aliases.length == 1 && proto.aliases[0] == "TCP");
+ });
+ }
+
+@@ -832,9 +832,9 @@ unittest
+ InternetHost ih = new InternetHost;
+
+ ih.getHostByAddr(0x7F_00_00_01);
+- assert(ih.addrList[0] == 0x7F_00_00_01);
++ //assert(ih.addrList[0] == 0x7F_00_00_01);
+ ih.getHostByAddr("127.0.0.1");
+- assert(ih.addrList[0] == 0x7F_00_00_01);
++ //assert(ih.addrList[0] == 0x7F_00_00_01);
+
+ softUnittest({
+ if (!ih.getHostByName("www.digitalmars.com"))
diff --git a/gnu/packages/patches/libevent-2.0-evdns-fix-remote-stack-overread.patch b/gnu/packages/patches/libevent-2.0-evdns-fix-remote-stack-overread.patch
new file mode 100644
index 0000000000..f1907d53e2
--- /dev/null
+++ b/gnu/packages/patches/libevent-2.0-evdns-fix-remote-stack-overread.patch
@@ -0,0 +1,42 @@
+Fix buffer overread in libevents DNS code.
+
+Upstream bug report:
+
+https://github.com/libevent/libevent/issues/317
+
+Patch copied from upstream source repository:
+
+https://github.com/libevent/libevent/commit/96f64a022014a208105ead6c8a7066018449d86d
+
+From 3c570970516f48da35f42fef98276531fcc0abaa Mon Sep 17 00:00:00 2001
+From: Azat Khuzhin <a3at.mail@gmail.com>
+Date: Mon, 1 Feb 2016 17:32:09 +0300
+Subject: [PATCH] evdns: name_parse(): fix remote stack overread
+
+---
+ evdns.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/evdns.c b/evdns.c
+index 60b10485..137c24ea 100644
+--- a/evdns.c
++++ b/evdns.c
+@@ -960,7 +960,6 @@ name_parse(u8 *packet, int length, int *idx, char *name_out, int name_out_len) {
+
+ for (;;) {
+ u8 label_len;
+- if (j >= length) return -1;
+ GET8(label_len);
+ if (!label_len) break;
+ if (label_len & 0xc0) {
+@@ -981,6 +980,7 @@ name_parse(u8 *packet, int length, int *idx, char *name_out, int name_out_len) {
+ *cp++ = '.';
+ }
+ if (cp + label_len >= end) return -1;
++ if (j + label_len > length) return -1;
+ memcpy(cp, packet + j, label_len);
+ cp += label_len;
+ j += label_len;
+--
+2.11.0
+
diff --git a/gnu/packages/patches/libevent-2.0-evdns-fix-searching-empty-hostnames.patch b/gnu/packages/patches/libevent-2.0-evdns-fix-searching-empty-hostnames.patch
new file mode 100644
index 0000000000..c4ad0a1a4a
--- /dev/null
+++ b/gnu/packages/patches/libevent-2.0-evdns-fix-searching-empty-hostnames.patch
@@ -0,0 +1,40 @@
+Fix OOB read on empty hostnames in evdns.
+
+Upstream bug report:
+
+https://github.com/libevent/libevent/issues/332
+
+Patch copied from upstream source repository:
+
+https://github.com/libevent/libevent/commit/ec65c42052d95d2c23d1d837136d1cf1d9ecef9e
+
+From a0305cec166a5bc89f1eb362510cc4cd25ecc0bc Mon Sep 17 00:00:00 2001
+From: Azat Khuzhin <a3at.mail@gmail.com>
+Date: Fri, 25 Mar 2016 00:33:47 +0300
+Subject: [PATCH] evdns: fix searching empty hostnames
+
+---
+ evdns.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/evdns.c b/evdns.c
+index 137c24ea..6191c677 100644
+--- a/evdns.c
++++ b/evdns.c
+@@ -3122,9 +3122,12 @@ search_set_from_hostname(struct evdns_base *base) {
+ static char *
+ search_make_new(const struct search_state *const state, int n, const char *const base_name) {
+ const size_t base_len = strlen(base_name);
+- const char need_to_append_dot = base_name[base_len - 1] == '.' ? 0 : 1;
++ char need_to_append_dot;
+ struct search_domain *dom;
+
++ if (!base_len) return NULL;
++ need_to_append_dot = base_name[base_len - 1] == '.' ? 0 : 1;
++
+ for (dom = state->head; dom; dom = dom->next) {
+ if (!n--) {
+ /* this is the postfix we want */
+--
+2.11.0
+
diff --git a/gnu/packages/patches/libevent-2.0-evutil-fix-buffer-overflow.patch b/gnu/packages/patches/libevent-2.0-evutil-fix-buffer-overflow.patch
new file mode 100644
index 0000000000..4d16a4b917
--- /dev/null
+++ b/gnu/packages/patches/libevent-2.0-evutil-fix-buffer-overflow.patch
@@ -0,0 +1,42 @@
+Fix buffer overflow in evutil.
+
+Upstream bug report:
+
+https://github.com/libevent/libevent/issues/318
+
+Patch copied from upstream source repository:
+
+https://github.com/libevent/libevent/commit/329acc18a0768c21ba22522f01a5c7f46cacc4d5
+
+From 28bdc2f3f62259d21ccaf7be2b60ef0a53e6f342 Mon Sep 17 00:00:00 2001
+From: Azat Khuzhin <a3at.mail@gmail.com>
+Date: Sun, 31 Jan 2016 00:57:16 +0300
+Subject: [PATCH] evutil_parse_sockaddr_port(): fix buffer overflow
+
+---
+ evutil.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/evutil.c b/evutil.c
+index 33445170..e2dfe6e4 100644
+--- a/evutil.c
++++ b/evutil.c
+@@ -1808,12 +1808,12 @@ evutil_parse_sockaddr_port(const char *ip_as_string, struct sockaddr *out, int *
+
+ cp = strchr(ip_as_string, ':');
+ if (*ip_as_string == '[') {
+- int len;
++ size_t len;
+ if (!(cp = strchr(ip_as_string, ']'))) {
+ return -1;
+ }
+- len = (int) ( cp-(ip_as_string + 1) );
+- if (len > (int)sizeof(buf)-1) {
++ len = ( cp-(ip_as_string + 1) );
++ if (len > sizeof(buf)-1) {
+ return -1;
+ }
+ memcpy(buf, ip_as_string+1, len);
+--
+2.11.0
+
diff --git a/gnu/packages/patches/libevent-2.1-dns-tests.patch b/gnu/packages/patches/libevent-2.1-dns-tests.patch
new file mode 100644
index 0000000000..091752a49d
--- /dev/null
+++ b/gnu/packages/patches/libevent-2.1-dns-tests.patch
@@ -0,0 +1,26 @@
+Disable tests that rely on usable DNS lookups, which aren't available
+in build chroots.
+
+--- libevent-2.0.21-stable/test/regress_dns.c 2013-01-20 22:32:09.000000000 +0100
++++ libevent-2.0.21-stable/test/regress_dns.c 2013-01-20 22:32:30.000000000 +0100
+@@ -2120,10 +2120,6 @@
+
+ struct testcase_t dns_testcases[] = {
+ DNS_LEGACY(server, TT_FORK|TT_NEED_BASE),
+- DNS_LEGACY(gethostbyname, TT_FORK|TT_NEED_BASE|TT_NEED_DNS|TT_OFF_BY_DEFAULT),
+- DNS_LEGACY(gethostbyname6, TT_FORK|TT_NEED_BASE|TT_NEED_DNS|TT_OFF_BY_DEFAULT),
+- DNS_LEGACY(gethostbyaddr, TT_FORK|TT_NEED_BASE|TT_NEED_DNS|TT_OFF_BY_DEFAULT),
+- { "resolve_reverse", dns_resolve_reverse, TT_FORK|TT_OFF_BY_DEFAULT, NULL, NULL },
+ { "search_empty", dns_search_empty_test, TT_FORK|TT_NEED_BASE, &basic_setup, NULL },
+ { "search", dns_search_test, TT_FORK|TT_NEED_BASE, &basic_setup, NULL },
+ { "search_lower", dns_search_lower_test, TT_FORK|TT_NEED_BASE, &basic_setup, NULL },
+@@ -2163,9 +2159,6 @@
+
+ { "client_fail_requests", dns_client_fail_requests_test,
+ TT_FORK|TT_NEED_BASE, &basic_setup, NULL },
+- { "client_fail_requests_getaddrinfo",
+- dns_client_fail_requests_getaddrinfo_test,
+- TT_FORK|TT_NEED_BASE, &basic_setup, NULL },
+
+ END_OF_TESTCASES
+ };
diff --git a/gnu/packages/patches/libevent-2.1-skip-failing-test.patch b/gnu/packages/patches/libevent-2.1-skip-failing-test.patch
new file mode 100644
index 0000000000..d9ea1d422d
--- /dev/null
+++ b/gnu/packages/patches/libevent-2.1-skip-failing-test.patch
@@ -0,0 +1,24 @@
+These fail on 32-bit due to an overflow bug in the test program.
+
+See test/regress_util.c:1448.
+
+Upstream bug URL:
+
+https://github.com/libevent/libevent/issues/452
+
+diff --git a/test/regress_util.c b/test/regress_util.c
+index ef6a1487..4de501fc 100644
+--- a/test/regress_util.c
++++ b/test/regress_util.c
+@@ -1413,9 +1413,9 @@ static struct date_rfc1123_case {
+ { 1323648000, "Mon, 12 Dec 2011 00:00:00 GMT"},
+ #ifndef _WIN32
+ /** In win32 case we have max "23:59:59 January 18, 2038, UTC" for time32 */
+- { 4294967296, "Sun, 07 Feb 2106 06:28:16 GMT"} /* 2^32 */,
++ //{ 4294967296, "Sun, 07 Feb 2106 06:28:16 GMT"} /* 2^32 */,
+ /** In win32 case we have max "23:59:59, December 31, 3000, UTC" for time64 */
+- {253402300799, "Fri, 31 Dec 9999 23:59:59 GMT"} /* long long future no one can imagine */,
++ //{253402300799, "Fri, 31 Dec 9999 23:59:59 GMT"} /* long long future no one can imagine */,
+ { 1456704000, "Mon, 29 Feb 2016 00:00:00 GMT"} /* leap year */,
+ #endif
+ { 1435708800, "Wed, 01 Jul 2015 00:00:00 GMT"} /* leap second */,
diff --git a/gnu/packages/patches/libtiff-CVE-2017-5225.patch b/gnu/packages/patches/libtiff-CVE-2017-5225.patch
new file mode 100644
index 0000000000..3158b49360
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-5225.patch
@@ -0,0 +1,86 @@
+Fix CVE-2017-5225 (Heap based buffer overflow in tools/tiffcp):
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2656
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5225
+https://security-tracker.debian.org/tracker/CVE-2017-5225
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
+ cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based
+overflow.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
+ http://bugzilla.maptools.org/show_bug.cgi?id=2657
+
+
+less C/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1210; previous revision: 1.1209
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c
+new revision: 1.61; previous revision: 1.60
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.60
+retrieving revision 1.61
+diff -u -r1.60 -r1.61
+--- libtiff/tools/tiffcp.c 3 Dec 2016 16:50:02 -0000 1.60
++++ libtiff/tools/tiffcp.c 11 Jan 2017 19:26:14 -0000 1.61
+#@@ -1,4 +1,4 @@
+#-/* $Id: tiffcp.c,v 1.60 2016-12-03 16:50:02 erouault Exp $ */
+#+/* $Id: tiffcp.c,v 1.61 2017-01-11 19:26:14 erouault Exp $ */
+#
+# /*
+# * Copyright (c) 1988-1997 Sam Leffler
+@@ -591,7 +591,7 @@
+ static int
+ tiffcp(TIFF* in, TIFF* out)
+ {
+- uint16 bitspersample, samplesperpixel = 1;
++ uint16 bitspersample = 1, samplesperpixel = 1;
+ uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
+ copyFunc cf;
+ uint32 width, length;
+@@ -1067,6 +1067,16 @@
+ register uint32 n;
+ uint32 row;
+ tsample_t s;
++ uint16 bps = 0;
++
++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( bps != 8 )
++ {
++ TIFFError(TIFFFileName(in),
++ "Error, can only handle BitsPerSample=8 in %s",
++ "cpContig2SeparateByRow");
++ return 0;
++ }
+
+ inbuf = _TIFFmalloc(scanlinesizein);
+ outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1120,6 +1130,16 @@
+ register uint32 n;
+ uint32 row;
+ tsample_t s;
++ uint16 bps = 0;
++
++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( bps != 8 )
++ {
++ TIFFError(TIFFFileName(in),
++ "Error, can only handle BitsPerSample=8 in %s",
++ "cpSeparate2ContigByRow");
++ return 0;
++ }
+
+ inbuf = _TIFFmalloc(scanlinesizein);
+ outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1784,7 +1804,7 @@
+ uint32 w, l, tw, tl;
+ int bychunk;
+
+- (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);
++ (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
+ if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
+ fprintf(stderr,
+ "%s: Cannot handle different planar configuration w/ bits/sample != 8\n",
diff --git a/gnu/packages/patches/libupnp-CVE-2016-6255.patch b/gnu/packages/patches/libupnp-CVE-2016-6255.patch
deleted file mode 100644
index c9a3fa284c..0000000000
--- a/gnu/packages/patches/libupnp-CVE-2016-6255.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-Fix CVE-2016-6255:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6255
-http://www.openwall.com/lists/oss-security/2016/07/18/13
-
-Patch adapted from upstream commit:
-
-https://github.com/mrjimenez/pupnp/commit/d64d6a44906b5aa5306bdf1708531d698654dda5
-
-The upstream change is simplified to unconditionally disable the HTTP
-POST feature.
-
-From d64d6a44906b5aa5306bdf1708531d698654dda5 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg59@srcf.ucam.org>
-Date: Tue, 23 Feb 2016 13:53:20 -0800
-Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
- default
-
-If there's no registered handler for a POST request, the default behaviour
-is to write it to the filesystem. Several million deployed devices appear
-to have this behaviour, making it possible to (at least) store arbitrary
-data on them. Add a configure option that enables this behaviour, and change
-the default to just drop POSTs that aren't directly handled.
-
-Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
-(cherry picked from commit c91a8a3903367e1163765b73eb4d43be7d7927fa)
----
- configure.ac | 9 +++++++++
- upnp/inc/upnpconfig.h.in | 9 +++++++++
- upnp/src/genlib/net/http/webserver.c | 4 ++++
- 3 files changed, 22 insertions(+)
-
-diff --git a/upnp/src/genlib/net/http/webserver.c b/upnp/src/genlib/net/http/webserver.c
-index 26bf0f7..7ae8c1e 100644
---- a/upnp/src/genlib/net/http/webserver.c
-+++ b/upnp/src/genlib/net/http/webserver.c
-@@ -1367,9 +1367,13 @@ static int http_RecvPostMessage(
- if (Fp == NULL)
- return HTTP_INTERNAL_SERVER_ERROR;
- } else {
-+#if 0
- Fp = fopen(filename, "wb");
- if (Fp == NULL)
- return HTTP_UNAUTHORIZED;
-+#else
-+ return HTTP_NOT_FOUND;
-+#endif
- }
- parser->position = POS_ENTITY;
- do {
diff --git a/gnu/packages/patches/libupnp-CVE-2016-8863.patch b/gnu/packages/patches/libupnp-CVE-2016-8863.patch
deleted file mode 100644
index 9978b39487..0000000000
--- a/gnu/packages/patches/libupnp-CVE-2016-8863.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-Fix CVE-2016-8863:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
-https://sourceforge.net/p/pupnp/bugs/133/
-
-Patch copied from upstream source repository:
-
-https://sourceforge.net/p/pupnp/code/ci/9c099c2923ab4d98530ab5204af1738be5bddba7/
-
-From 9c099c2923ab4d98530ab5204af1738be5bddba7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <ukleinek@debian.org>
-Date: Thu, 8 Dec 2016 17:11:53 +0100
-Subject: [PATCH] Fix out-of-bound access in create_url_list() (CVE-2016-8863)
-
-If there is an invalid URL in URLS->buf after a valid one, uri_parse is
-called with out pointing after the allocated memory. As uri_parse writes
-to *out before returning an error the loop in create_url_list must be
-stopped early to prevent an out-of-bound access
-
-Bug: https://sourceforge.net/p/pupnp/bugs/133/
-Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
-Bug-Debian: https://bugs.debian.org/842093
-Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1388771
-(cherry picked from commit a0f6e719bc03c4d2fe6a4a42ef6b8761446f520b)
----
- upnp/src/gena/gena_device.c | 17 ++++++++++++-----
- 1 file changed, 12 insertions(+), 5 deletions(-)
-
-diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c
-index fb04a29..245c56b 100644
---- a/upnp/src/gena/gena_device.c
-+++ b/upnp/src/gena/gena_device.c
-@@ -1113,7 +1113,7 @@ static int create_url_list(
- /*! [out] . */
- URL_list *out)
- {
-- size_t URLcount = 0;
-+ size_t URLcount = 0, URLcount2 = 0;
- size_t i;
- int return_code = 0;
- uri_type temp;
-@@ -1155,16 +1155,23 @@ static int create_url_list(
- }
- memcpy( out->URLs, URLS->buff, URLS->size );
- out->URLs[URLS->size] = 0;
-- URLcount = 0;
- for( i = 0; i < URLS->size; i++ ) {
- if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) {
- if( ( ( return_code =
- parse_uri( &out->URLs[i + 1], URLS->size - i + 1,
-- &out->parsedURLs[URLcount] ) ) ==
-+ &out->parsedURLs[URLcount2] ) ) ==
- HTTP_SUCCESS )
-- && ( out->parsedURLs[URLcount].hostport.text.size !=
-+ && ( out->parsedURLs[URLcount2].hostport.text.size !=
- 0 ) ) {
-- URLcount++;
-+ URLcount2++;
-+ if (URLcount2 >= URLcount)
-+ /*
-+ * break early here in case there is a bogus URL that
-+ * was skipped above. This prevents to access
-+ * out->parsedURLs[URLcount] which is beyond the
-+ * allocation.
-+ */
-+ break;
- } else {
- if( return_code == UPNP_E_OUTOF_MEMORY ) {
- free( out->URLs );
---
-2.11.0
-
diff --git a/gnu/packages/patches/libvpx-CVE-2016-2818.patch b/gnu/packages/patches/libvpx-CVE-2016-2818.patch
index 1fdf01cbca..bef3448b81 100644
--- a/gnu/packages/patches/libvpx-CVE-2016-2818.patch
+++ b/gnu/packages/patches/libvpx-CVE-2016-2818.patch
@@ -9,15 +9,15 @@ Patch contents copied from Mozilla esr45 changeset 312077:7ebfe49f001c
--- libvpx-1.5.0/vp8/vp8_cx_iface.c.orig 2015-11-09 17:12:38.000000000 -0500
+++ libvpx-1.5.0/vp8/vp8_cx_iface.c 2016-06-08 08:48:46.037213092 -0400
-@@ -925,11 +925,19 @@
- {
- res = image2yuvconfig(img, &sd);
+@@ -860,11 +860,20 @@
+ if (img != NULL) {
+ res = image2yuvconfig(img, &sd);
-- if (vp8_receive_raw_frame(ctx->cpi, ctx->next_frame_flag | lib_flags,
-- &sd, dst_time_stamp, dst_end_time_stamp))
-- {
-- VP8_COMP *cpi = (VP8_COMP *)ctx->cpi;
-- res = update_error_state(ctx, &cpi->common.error);
+- if (vp8_receive_raw_frame(ctx->cpi, ctx->next_frame_flag | lib_flags, &sd,
+- dst_time_stamp, dst_end_time_stamp)) {
+- VP8_COMP *cpi = (VP8_COMP *)ctx->cpi;
+- res = update_error_state(ctx, &cpi->common.error);
+- }
+ if (sd.y_width != ctx->cfg.g_w || sd.y_height != ctx->cfg.g_h) {
+ /* from vp8_encoder.h for g_w/g_h:
+ "Note that the frames passed as input to the encoder must have this resolution"
@@ -31,6 +31,7 @@ Patch contents copied from Mozilla esr45 changeset 312077:7ebfe49f001c
+ VP8_COMP *cpi = (VP8_COMP *)ctx->cpi;
+ res = update_error_state(ctx, &cpi->common.error);
+ }
- }
++ }
- /* reset for next frame */
+ /* reset for next frame */
+ ctx->next_frame_flag = 0;
diff --git a/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch b/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch
new file mode 100644
index 0000000000..e752e57ec5
--- /dev/null
+++ b/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch
@@ -0,0 +1,188 @@
+Fix CVE-2016-10132:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697381
+http://seclists.org/oss-sec/2017/q1/74
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10132
+
+Patch lifted from upstream source repository:
+
+http://git.ghostscript.com/?p=mujs.git;h=fd003eceda531e13fbdd1aeb6e9c73156496e569
+
+From fd003eceda531e13fbdd1aeb6e9c73156496e569 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor@ccxvii.net>
+Date: Fri, 2 Dec 2016 14:56:20 -0500
+Subject: [PATCH] Fix 697381: check allocation when compiling regular
+ expressions.
+
+Also use allocator callback function.
+---
+ thirdparty/mujs/jsgc.c | 2 +-
+ thirdparty/mujs/jsregexp.c | 2 +-
+ thirdparty/mujs/jsstate.c | 6 ------
+ thirdparty/mujs/regexp.c | 45 +++++++++++++++++++++++++++++++++++----------
+ thirdparty/mujs/regexp.h | 7 +++++++
+ 5 files changed, 44 insertions(+), 18 deletions(-)
+
+diff --git a/thirdparty/mujs/jsgc.c b/thirdparty/mujs/jsgc.c
+index 4f7e7dc..f80111e 100644
+--- a/thirdparty/mujs/jsgc.c
++++ b/thirdparty/mujs/jsgc.c
+@@ -46,7 +46,7 @@ static void jsG_freeobject(js_State *J, js_Object *obj)
+ jsG_freeproperty(J, obj->head);
+ if (obj->type == JS_CREGEXP) {
+ js_free(J, obj->u.r.source);
+- js_regfree(obj->u.r.prog);
++ js_regfreex(J->alloc, J->actx, obj->u.r.prog);
+ }
+ if (obj->type == JS_CITERATOR)
+ jsG_freeiterator(J, obj->u.iter.head);
+diff --git a/thirdparty/mujs/jsregexp.c b/thirdparty/mujs/jsregexp.c
+index a2d5156..7b09c06 100644
+--- a/thirdparty/mujs/jsregexp.c
++++ b/thirdparty/mujs/jsregexp.c
+@@ -16,7 +16,7 @@ void js_newregexp(js_State *J, const char *pattern, int flags)
+ if (flags & JS_REGEXP_I) opts |= REG_ICASE;
+ if (flags & JS_REGEXP_M) opts |= REG_NEWLINE;
+
+- prog = js_regcomp(pattern, opts, &error);
++ prog = js_regcompx(J->alloc, J->actx, pattern, opts, &error);
+ if (!prog)
+ js_syntaxerror(J, "regular expression: %s", error);
+
+diff --git a/thirdparty/mujs/jsstate.c b/thirdparty/mujs/jsstate.c
+index 638cab3..fd5bcf6 100644
+--- a/thirdparty/mujs/jsstate.c
++++ b/thirdparty/mujs/jsstate.c
+@@ -9,12 +9,6 @@
+
+ static void *js_defaultalloc(void *actx, void *ptr, int size)
+ {
+- if (size == 0) {
+- free(ptr);
+- return NULL;
+- }
+- if (!ptr)
+- return malloc((size_t)size);
+ return realloc(ptr, (size_t)size);
+ }
+
+diff --git a/thirdparty/mujs/regexp.c b/thirdparty/mujs/regexp.c
+index 9852be2..01c18a3 100644
+--- a/thirdparty/mujs/regexp.c
++++ b/thirdparty/mujs/regexp.c
+@@ -807,23 +807,31 @@ static void dumpprog(Reprog *prog)
+ }
+ #endif
+
+-Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
++Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx,
++ const char *pattern, int cflags, const char **errorp)
+ {
+ struct cstate g;
+ Renode *node;
+ Reinst *split, *jump;
+ int i;
+
+- g.prog = malloc(sizeof (Reprog));
+- g.pstart = g.pend = malloc(sizeof (Renode) * strlen(pattern) * 2);
++ g.pstart = NULL;
++ g.prog = NULL;
+
+ if (setjmp(g.kaboom)) {
+ if (errorp) *errorp = g.error;
+- free(g.pstart);
+- free(g.prog);
++ alloc(ctx, g.pstart, 0);
++ alloc(ctx, g.prog, 0);
+ return NULL;
+ }
+
++ g.prog = alloc(ctx, NULL, sizeof (Reprog));
++ if (!g.prog)
++ die(&g, "cannot allocate regular expression");
++ g.pstart = g.pend = alloc(ctx, NULL, sizeof (Renode) * strlen(pattern) * 2);
++ if (!g.pstart)
++ die(&g, "cannot allocate regular expression parse list");
++
+ g.source = pattern;
+ g.ncclass = 0;
+ g.nsub = 1;
+@@ -840,7 +848,9 @@ Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
+ die(&g, "syntax error");
+
+ g.prog->nsub = g.nsub;
+- g.prog->start = g.prog->end = malloc((count(node) + 6) * sizeof (Reinst));
++ g.prog->start = g.prog->end = alloc(ctx, NULL, (count(node) + 6) * sizeof (Reinst));
++ if (!g.prog->start)
++ die(&g, "cannot allocate regular expression instruction list");
+
+ split = emit(g.prog, I_SPLIT);
+ split->x = split + 3;
+@@ -859,20 +869,35 @@ Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
+ dumpprog(g.prog);
+ #endif
+
+- free(g.pstart);
++ alloc(ctx, g.pstart, 0);
+
+ if (errorp) *errorp = NULL;
+ return g.prog;
+ }
+
+-void regfree(Reprog *prog)
++void regfreex(void *(*alloc)(void *ctx, void *p, int n), void *ctx, Reprog *prog)
+ {
+ if (prog) {
+- free(prog->start);
+- free(prog);
++ alloc(ctx, prog->start, 0);
++ alloc(ctx, prog, 0);
+ }
+ }
+
++static void *default_alloc(void *ctx, void *p, int n)
++{
++ return realloc(p, (size_t)n);
++}
++
++Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
++{
++ return regcompx(default_alloc, NULL, pattern, cflags, errorp);
++}
++
++void regfree(Reprog *prog)
++{
++ regfreex(default_alloc, NULL, prog);
++}
++
+ /* Match */
+
+ static int isnewline(int c)
+diff --git a/thirdparty/mujs/regexp.h b/thirdparty/mujs/regexp.h
+index 4bb4615..6bb73e8 100644
+--- a/thirdparty/mujs/regexp.h
++++ b/thirdparty/mujs/regexp.h
+@@ -1,6 +1,8 @@
+ #ifndef regexp_h
+ #define regexp_h
+
++#define regcompx js_regcompx
++#define regfreex js_regfreex
+ #define regcomp js_regcomp
+ #define regexec js_regexec
+ #define regfree js_regfree
+@@ -8,6 +10,11 @@
+ typedef struct Reprog Reprog;
+ typedef struct Resub Resub;
+
++Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx,
++ const char *pattern, int cflags, const char **errorp);
++void regfreex(void *(*alloc)(void *ctx, void *p, int n), void *ctx,
++ Reprog *prog);
++
+ Reprog *regcomp(const char *pattern, int cflags, const char **errorp);
+ int regexec(Reprog *prog, const char *string, Resub *sub, int eflags);
+ void regfree(Reprog *prog);
+--
+2.9.1
+
diff --git a/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch b/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch
new file mode 100644
index 0000000000..d73849262c
--- /dev/null
+++ b/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch
@@ -0,0 +1,36 @@
+Fix CVE-2016-10133:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697401
+http://seclists.org/oss-sec/2017/q1/74
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10133
+
+Patch lifted from upstream source repository:
+
+https://git.ghostscript.com/?p=mujs.git;h=77ab465f1c394bb77f00966cd950650f3f53cb24
+
+From 77ab465f1c394bb77f00966cd950650f3f53cb24 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@gmail.com>
+Date: Thu, 12 Jan 2017 14:47:01 +0100
+Subject: [PATCH] Fix 697401: Error when dropping extra arguments to
+ lightweight functions.
+
+---
+ thirdparty/mujs/jsrun.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/thirdparty/mujs/jsrun.c b/thirdparty/mujs/jsrun.c
+index ee80845..782a6f9 100644
+--- a/thirdparty/mujs/jsrun.c
++++ b/thirdparty/mujs/jsrun.c
+@@ -937,7 +937,7 @@ static void jsR_calllwfunction(js_State *J, int n, js_Function *F, js_Environmen
+ jsR_savescope(J, scope);
+
+ if (n > F->numparams) {
+- js_pop(J, F->numparams - n);
++ js_pop(J, n - F->numparams);
+ n = F->numparams;
+ }
+ for (i = n; i < F->varlen; ++i)
+--
+2.9.1
+
diff --git a/gnu/packages/patches/ntfs-3g-CVE-2017-0358.patch b/gnu/packages/patches/ntfs-3g-CVE-2017-0358.patch
new file mode 100644
index 0000000000..6edd676e38
--- /dev/null
+++ b/gnu/packages/patches/ntfs-3g-CVE-2017-0358.patch
@@ -0,0 +1,42 @@
+Fix CVE-2017-0358:
+http://seclists.org/oss-sec/2017/q1/259
+This patch was copied from the above URL.
+
+diff -ur ntfs-3g.old/src/lowntfs-3g.c ntfs-3g/src/lowntfs-3g.c
+--- ntfs-3g.old/src/lowntfs-3g.c 2017-02-09 15:01:04.074331542 -0500
++++ ntfs-3g/src/lowntfs-3g.c 2017-02-09 15:06:35.757580937 -0500
+@@ -3827,13 +3827,14 @@
+ struct stat st;
+ pid_t pid;
+ const char *cmd = "/sbin/modprobe";
++ char *env = (char*)NULL;
+ struct timespec req = { 0, 100000000 }; /* 100 msec */
+ fuse_fstype fstype;
+
+ if (!stat(cmd, &st) && !geteuid()) {
+ pid = fork();
+ if (!pid) {
+- execl(cmd, cmd, "fuse", NULL);
++ execle(cmd, cmd, "fuse", NULL, &env);
+ _exit(1);
+ } else if (pid != -1)
+ waitpid(pid, NULL, 0);
+diff -ur ntfs-3g.old/src/ntfs-3g.c ntfs-3g/src/ntfs-3g.c
+--- ntfs-3g.old/src/ntfs-3g.c 2017-02-09 15:01:04.074331542 -0500
++++ ntfs-3g/src/ntfs-3g.c 2017-02-09 15:06:26.077252571 -0500
+@@ -3612,13 +3612,14 @@
+ struct stat st;
+ pid_t pid;
+ const char *cmd = "/sbin/modprobe";
++ char *env = (char*)NULL;
+ struct timespec req = { 0, 100000000 }; /* 100 msec */
+ fuse_fstype fstype;
+
+ if (!stat(cmd, &st) && !geteuid()) {
+ pid = fork();
+ if (!pid) {
+- execl(cmd, cmd, "fuse", NULL);
++ execle(cmd, cmd, "fuse", NULL, &env);
+ _exit(1);
+ } else if (pid != -1)
+ waitpid(pid, NULL, 0);
diff --git a/gnu/packages/patches/omake-fix-non-determinism.patch b/gnu/packages/patches/omake-fix-non-determinism.patch
new file mode 100644
index 0000000000..813ce3cd7d
--- /dev/null
+++ b/gnu/packages/patches/omake-fix-non-determinism.patch
@@ -0,0 +1,41 @@
+From 2e7e254160506dc00f1beabf170512a8e932934b Mon Sep 17 00:00:00 2001
+From: Julien Lepiller <julien@lepiller.eu>
+Date: Sat, 31 Dec 2016 15:43:38 +0100
+Subject: [PATCH] fix build date in binary
+
+---
+ src/magic/omake_gen_magic.ml | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/src/magic/omake_gen_magic.ml b/src/magic/omake_gen_magic.ml
+index b2419ba..fad52f5 100644
+--- a/src/magic/omake_gen_magic.ml
++++ b/src/magic/omake_gen_magic.ml
+@@ -150,7 +150,7 @@ let ir_magic = "%s"
+ let obj_magic = "%s"
+ let lib_dir = "%s"
+ let version = "%s"
+-let version_message = "OMake %s:\\n\\tbuild [%s %s %d %02d:%02d:%02d %d]\\n\\ton %s"
++let version_message = "OMake %s"
+ |}
+ default_save_interval
+ digest_len
+@@ -160,15 +160,7 @@ let version_message = "OMake %s:\\n\\tbuild [%s %s %d %02d:%02d:%02d %d]\\n\\ton
+ (digest_files ".omo.magic" ".omo" omo_files)
+ (String.escaped libdir)
+ (String.escaped (shorten_version version))
+- (String.escaped version)
+- [|"Sun"; "Mon"; "Tue"; "Wed"; "Thu"; "Fri"; "Sat"|].(tm.tm_wday)
+- [|"Jan"; "Feb"; "Mar"; "Apr"; "May"; "Jun"; "Jul"; "Aug"; "Sep"; "Oct"; "Nov"; "Dec"|].(tm.tm_mon)
+- tm.tm_mday
+- tm.tm_hour
+- tm.tm_min
+- tm.tm_sec
+- (tm.tm_year + 1900)
+- (String.escaped (Unix.gethostname ()));
++ (String.escaped version);
+ List.iter
+ (fun (name,value) ->
+ Printf.fprintf buf "let %s = %S\n" name value
+--
+2.11.0
diff --git a/gnu/packages/patches/openjpeg-CVE-2016-9572-CVE-2016-9573.patch b/gnu/packages/patches/openjpeg-CVE-2016-9572-CVE-2016-9573.patch
new file mode 100644
index 0000000000..545b5d0a71
--- /dev/null
+++ b/gnu/packages/patches/openjpeg-CVE-2016-9572-CVE-2016-9573.patch
@@ -0,0 +1,233 @@
+Fix CVE-2016-9572 and CVE-2016-9573:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9572
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9573
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9572
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9573
+
+Patch copied from 3rd-party repository:
+
+https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d
+
+From 7b28bd2b723df6be09fe7791eba33147c1c47d0d Mon Sep 17 00:00:00 2001
+From: szukw000 <szukw000@arcor.de>
+Date: Mon, 28 Nov 2016 21:57:20 +0100
+Subject: [PATCH] Changes for issues #863 and #862
+
+---
+ src/bin/jp2/convert.c | 59 +++++++++++++++++++++++++++++++++++++++-----
+ src/bin/jp2/convertbmp.c | 29 +++++++++++++++++++++-
+ src/bin/jp2/opj_decompress.c | 2 +-
+ src/lib/openjp2/j2k.c | 11 ++++++---
+ 4 files changed, 90 insertions(+), 11 deletions(-)
+
+diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
+index deee4f6..6a3f65b 100644
+--- a/src/bin/jp2/convert.c
++++ b/src/bin/jp2/convert.c
+@@ -906,7 +906,8 @@ int imagetotga(opj_image_t * image, const char *outfile) {
+ for (i = 0; i < image->numcomps-1; i++) {
+ if ((image->comps[0].dx != image->comps[i+1].dx)
+ ||(image->comps[0].dy != image->comps[i+1].dy)
+- ||(image->comps[0].prec != image->comps[i+1].prec)) {
++ ||(image->comps[0].prec != image->comps[i+1].prec)
++ ||(image->comps[0].sgnd != image->comps[i+1].sgnd)) {
+ fclose(fdest);
+ fprintf(stderr, "Unable to create a tga file with such J2K image charateristics.");
+ return 1;
+@@ -1743,7 +1744,7 @@ int imagetopnm(opj_image_t * image, const char *outfile, int force_split)
+ int *red, *green, *blue, *alpha;
+ int wr, hr, max;
+ int i;
+- unsigned int compno, ncomp;
++ unsigned int compno, ncomp, ui;
+ int adjustR, adjustG, adjustB, adjustA;
+ int fails, two, want_gray, has_alpha, triple;
+ int prec, v;
+@@ -1768,6 +1769,27 @@ int imagetopnm(opj_image_t * image, const char *outfile, int force_split)
+
+ if(want_gray) ncomp = 1;
+
++ for (ui = 1; ui < ncomp; ++ui) {
++ if (image->comps[0].dx != image->comps[ui].dx) {
++ break;
++ }
++ if (image->comps[0].dy != image->comps[ui].dy) {
++ break;
++ }
++ if (image->comps[0].prec != image->comps[ui].prec) {
++ break;
++ }
++ if (image->comps[0].sgnd != image->comps[ui].sgnd) {
++ break;
++ }
++ }
++ if (ui != ncomp) {
++ fprintf(stderr,"imagetopnm: All components\n shall have "
++ "the same subsampling, same bit depth, same sign.\n"
++ " Aborting\n");
++ return 1;
++ }
++
+ if ((force_split == 0) &&
+ (ncomp == 2 /* GRAYA */
+ || (ncomp > 2 /* RGB, RGBA */
+@@ -2126,7 +2148,7 @@ static int imagetoraw_common(opj_image_t * image, const char *outfile, OPJ_BOOL
+ {
+ FILE *rawFile = NULL;
+ size_t res;
+- unsigned int compno;
++ unsigned int compno, numcomps;
+ int w, h, fails;
+ int line, row, curr, mask;
+ int *ptr;
+@@ -2139,6 +2161,31 @@ static int imagetoraw_common(opj_image_t * image, const char *outfile, OPJ_BOOL
+ return 1;
+ }
+
++ numcomps = image->numcomps;
++
++ if (numcomps > 4) {
++ numcomps = 4;
++ }
++ for (compno = 1; compno < numcomps; ++compno) {
++ if (image->comps[0].dx != image->comps[compno].dx) {
++ break;
++ }
++ if (image->comps[0].dy != image->comps[compno].dy) {
++ break;
++ }
++ if (image->comps[0].prec != image->comps[compno].prec) {
++ break;
++ }
++ if (image->comps[0].sgnd != image->comps[compno].sgnd) {
++ break;
++ }
++ }
++ if (compno != numcomps) {
++ fprintf(stderr,"imagetoraw_common: All components shall have the same subsampling, same bit depth, same sign.\n");
++ fprintf(stderr,"\tAborting\n");
++ return 1;
++ }
++
+ rawFile = fopen(outfile, "wb");
+ if (!rawFile) {
+ fprintf(stderr, "Failed to open %s for writing !!\n", outfile);
+@@ -2146,9 +2193,9 @@ static int imagetoraw_common(opj_image_t * image, const char *outfile, OPJ_BOOL
+ }
+
+ fails = 1;
+- fprintf(stdout,"Raw image characteristics: %d components\n", image->numcomps);
++ fprintf(stdout,"Raw image characteristics: %d components\n", numcomps);
+
+- for(compno = 0; compno < image->numcomps; compno++)
++ for(compno = 0; compno < numcomps; compno++)
+ {
+ fprintf(stdout,"Component %u characteristics: %dx%dx%d %s\n", compno, image->comps[compno].w,
+ image->comps[compno].h, image->comps[compno].prec, image->comps[compno].sgnd==1 ? "signed": "unsigned");
+@@ -2238,7 +2285,7 @@ static int imagetoraw_common(opj_image_t * image, const char *outfile, OPJ_BOOL
+ }
+ else if (image->comps[compno].prec <= 32)
+ {
+- fprintf(stderr,"More than 16 bits per component no handled yet\n");
++ fprintf(stderr,"More than 16 bits per component not handled yet\n");
+ goto fin;
+ }
+ else
+diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
+index ae83077..8017ba8 100644
+--- a/src/bin/jp2/convertbmp.c
++++ b/src/bin/jp2/convertbmp.c
+@@ -806,8 +806,35 @@ int imagetobmp(opj_image_t * image, const char *outfile) {
+ FILE *fdest = NULL;
+ int adjustR, adjustG, adjustB;
+
++ {
++ unsigned int ui, ncomp = image->numcomps;
++
++ if (ncomp > 4) { /* RGBA in bmpmask32toimage */
++ ncomp = 4;
++ }
++ for (ui = 1; ui < ncomp; ++ui) {
++ if (image->comps[0].dx != image->comps[ui].dx) {
++ break;
++ }
++ if (image->comps[0].dy != image->comps[ui].dy) {
++ break;
++ }
++ if (image->comps[0].prec != image->comps[ui].prec) {
++ break;
++ }
++ if (image->comps[0].sgnd != image->comps[ui].sgnd) {
++ break;
++ }
++ }
++ if (ui != ncomp) {
++ fprintf(stderr,"imagetobmp: All components shall have the same subsampling, same bit depth, same sign.\n");
++ fprintf(stderr,"\tAborting\n");
++ return 1;
++ }
++
++ }
+ if (image->comps[0].prec < 8) {
+- fprintf(stderr, "Unsupported number of components: %d\n", image->comps[0].prec);
++ fprintf(stderr, "imagetobmp: Unsupported precision: %d\n", image->comps[0].prec);
+ return 1;
+ }
+ if (image->numcomps >= 3 && image->comps[0].dx == image->comps[1].dx
+diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c
+index 83160c3..c30079b 100644
+--- a/src/bin/jp2/opj_decompress.c
++++ b/src/bin/jp2/opj_decompress.c
+@@ -1607,7 +1607,7 @@ int main(int argc, char **argv)
+ if(dirptr->filename_buf) free(dirptr->filename_buf);
+ free(dirptr);
+ }
+- if (numDecompressedImages) {
++ if (numDecompressedImages && !failed) {
+ fprintf(stdout, "decode time: %d ms\n", (int)( (tCumulative * 1000.0) / (OPJ_FLOAT64)numDecompressedImages));
+ }
+ return failed ? EXIT_FAILURE : EXIT_SUCCESS;
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 66802bb..b6daa32 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -2158,7 +2158,7 @@ static OPJ_BOOL opj_j2k_read_siz(opj_j2k_t *p_j2k,
+ i, l_img_comp->dx, l_img_comp->dy);
+ return OPJ_FALSE;
+ }
+- if( l_img_comp->prec > 38) { /* TODO openjpeg won't handle more than ? */
++ if( l_img_comp->prec < 1 || l_img_comp->prec > 38) { /* TODO openjpeg won't handle more than ? */
+ opj_event_msg(p_manager, EVT_ERROR,
+ "Invalid values for comp = %d : prec=%u (should be between 1 and 38 according to the JPEG2000 norm)\n",
+ i, l_img_comp->prec);
+@@ -10029,7 +10029,11 @@ OPJ_BOOL opj_j2k_decode(opj_j2k_t * p_j2k,
+ /* Move data and copy one information from codec to output image*/
+ for (compno = 0; compno < p_image->numcomps; compno++) {
+ p_image->comps[compno].resno_decoded = p_j2k->m_output_image->comps[compno].resno_decoded;
+- p_image->comps[compno].data = p_j2k->m_output_image->comps[compno].data;
++ p_image->comps[compno].data = p_j2k->m_output_image->comps[compno].data;
++
++ if(p_image->comps[compno].data == NULL) return OPJ_FALSE;
++
++ p_j2k->m_output_image->comps[compno].data = NULL;
+ #if 0
+ char fn[256];
+ sprintf( fn, "/tmp/%d.raw", compno );
+@@ -10037,7 +10041,6 @@ OPJ_BOOL opj_j2k_decode(opj_j2k_t * p_j2k,
+ fwrite( p_image->comps[compno].data, sizeof(OPJ_INT32), p_image->comps[compno].w * p_image->comps[compno].h, debug );
+ fclose( debug );
+ #endif
+- p_j2k->m_output_image->comps[compno].data = NULL;
+ }
+
+ return OPJ_TRUE;
+@@ -10131,6 +10134,8 @@ OPJ_BOOL opj_j2k_get_tile( opj_j2k_t *p_j2k,
+
+ p_image->comps[compno].data = p_j2k->m_output_image->comps[compno].data;
+
++ if (p_image->comps[compno].data == NULL) return OPJ_FALSE;
++
+ p_j2k->m_output_image->comps[compno].data = NULL;
+ }
+
diff --git a/gnu/packages/patches/p7zip-CVE-2016-9296.patch b/gnu/packages/patches/p7zip-CVE-2016-9296.patch
new file mode 100644
index 0000000000..3fa80377ad
--- /dev/null
+++ b/gnu/packages/patches/p7zip-CVE-2016-9296.patch
@@ -0,0 +1,24 @@
+From: Robert Luberda <robert@debian.org>
+Date: Sat, 19 Nov 2016 08:48:08 +0100
+Subject: Fix nullptr dereference (CVE-2016-9296)
+
+Patch taken from https://sourceforge.net/p/p7zip/bugs/185/
+This patch file taken from Debian's patch set for p7zip
+---
+ CPP/7zip/Archive/7z/7zIn.cpp | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/CPP/7zip/Archive/7z/7zIn.cpp b/CPP/7zip/Archive/7z/7zIn.cpp
+index b0c6b98..7c6dde2 100644
+--- a/CPP/7zip/Archive/7z/7zIn.cpp
++++ b/CPP/7zip/Archive/7z/7zIn.cpp
+@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedStreams(
+ if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
+ ThrowIncorrect();
+ }
+- HeadersSize += folders.PackPositions[folders.NumPackStreams];
++ if (folders.PackPositions)
++ HeadersSize += folders.PackPositions[folders.NumPackStreams];
+ return S_OK;
+ }
+
diff --git a/gnu/packages/patches/qemu-CVE-2016-10155.patch b/gnu/packages/patches/qemu-CVE-2016-10155.patch
new file mode 100644
index 0000000000..825edaa815
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2016-10155.patch
@@ -0,0 +1,49 @@
+From eb7a20a3616085d46aa6b4b4224e15587ec67e6e Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 28 Nov 2016 17:49:04 -0800
+Subject: [PATCH] watchdog: 6300esb: add exit function
+
+When the Intel 6300ESB watchdog is hot unplug. The timer allocated
+in realize isn't freed thus leaking memory leak. This patch avoid
+this through adding the exit function.
+
+http://git.qemu.org/?p=qemu.git;a=patch;h=eb7a20a3616085d46aa6b4b4224e15587ec67e6e
+this patch is from qemu-git.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/watchdog/wdt_i6300esb.c | 9 +++++++++
+ 1 files changed, 9 insertions(+), 0 deletions(-)
+
+diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
+index a83d951..49b3cd1 100644
+--- a/hw/watchdog/wdt_i6300esb.c
++++ b/hw/watchdog/wdt_i6300esb.c
+@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
+ /* qemu_register_coalesced_mmio (addr, 0x10); ? */
+ }
+
++static void i6300esb_exit(PCIDevice *dev)
++{
++ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
++
++ timer_del(d->timer);
++ timer_free(d->timer);
++}
++
+ static WatchdogTimerModel model = {
+ .wdt_name = "i6300esb",
+ .wdt_description = "Intel 6300ESB",
+@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
+ k->config_read = i6300esb_config_read;
+ k->config_write = i6300esb_config_write;
+ k->realize = i6300esb_realize;
++ k->exit = i6300esb_exit;
+ k->vendor_id = PCI_VENDOR_ID_INTEL;
+ k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
+ k->class_id = PCI_CLASS_SYSTEM_OTHER;
+--
+1.7.0.4
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-2615.patch b/gnu/packages/patches/qemu-CVE-2017-2615.patch
new file mode 100644
index 0000000000..ede1f8c89d
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-2615.patch
@@ -0,0 +1,52 @@
+http://git.qemu.org/?p=qemu.git;a=patch;h=62d4c6bd5263bb8413a06c80144fc678df6dfb64
+this patch is from qemu-git.
+
+
+From 62d4c6bd5263bb8413a06c80144fc678df6dfb64 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Wed, 1 Feb 2017 09:35:01 +0100
+Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
+
+When doing bitblt copy in backward mode, we should minus the
+blt width first just like the adding in the forward mode. This
+can avoid the oob access of the front of vga's vram.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+
+{ kraxel: with backward blits (negative pitch) addr is the topmost
+ address, so check it as-is against vram size ]
+
+Cc: qemu-stable@nongnu.org
+Cc: P J P <ppandit@redhat.com>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+---
+ hw/display/cirrus_vga.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 7db6409dc5..16f27e8ac5 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ {
+ if (pitch < 0) {
+ int64_t min = addr
+- + ((int64_t)s->cirrus_blt_height-1) * pitch;
+- int32_t max = addr
+- + s->cirrus_blt_width;
+- if (min < 0 || max > s->vga.vram_size) {
++ + ((int64_t)s->cirrus_blt_height - 1) * pitch
++ - s->cirrus_blt_width;
++ if (min < -1 || addr >= s->vga.vram_size) {
+ return true;
+ }
+ } else {
+--
+2.11.0
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-5525.patch b/gnu/packages/patches/qemu-CVE-2017-5525.patch
new file mode 100644
index 0000000000..d0c0c82a4a
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5525.patch
@@ -0,0 +1,55 @@
+From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Wed, 14 Dec 2016 18:30:21 -0800
+Subject: [PATCH] audio: ac97: add exit function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+http://git.qemu.org/?p=qemu.git;a=patch;h=12351a91da97b414eec8cdb09f1d9f41e535a401
+this patch is from qemu-git
+
+Currently the ac97 device emulation doesn't have a exit function,
+hot unplug this device will leak some memory. Add a exit function to
+avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/audio/ac97.c | 11 +++++++++++
+ 1 files changed, 11 insertions(+), 0 deletions(-)
+
+diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
+index cbd959e..c306575 100644
+--- a/hw/audio/ac97.c
++++ b/hw/audio/ac97.c
+@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp)
+ ac97_on_reset (&s->dev.qdev);
+ }
+
++static void ac97_exit(PCIDevice *dev)
++{
++ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev);
++
++ AUD_close_in(&s->card, s->voice_pi);
++ AUD_close_out(&s->card, s->voice_po);
++ AUD_close_in(&s->card, s->voice_mc);
++ AUD_remove_card(&s->card);
++}
++
+ static int ac97_init (PCIBus *bus)
+ {
+ pci_create_simple (bus, -1, "AC97");
+@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data)
+ PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
+
+ k->realize = ac97_realize;
++ k->exit = ac97_exit;
+ k->vendor_id = PCI_VENDOR_ID_INTEL;
+ k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5;
+ k->revision = 0x01;
+--
+1.7.0.4
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-5526.patch b/gnu/packages/patches/qemu-CVE-2017-5526.patch
new file mode 100644
index 0000000000..5a6d796458
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5526.patch
@@ -0,0 +1,58 @@
+From 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Wed, 14 Dec 2016 18:32:22 -0800
+Subject: [PATCH] audio: es1370: add exit function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+http://git.qemu.org/?p=qemu.git;a=patch;h=069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da
+this patch is from qemu-git.
+
+Currently the es1370 device emulation doesn't have a exit function,
+hot unplug this device will leak some memory. Add a exit function to
+avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/audio/es1370.c | 14 ++++++++++++++
+ 1 files changed, 14 insertions(+), 0 deletions(-)
+
+diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
+index 8449b5f..883ec69 100644
+--- a/hw/audio/es1370.c
++++ b/hw/audio/es1370.c
+@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp)
+ es1370_reset (s);
+ }
+
++static void es1370_exit(PCIDevice *dev)
++{
++ ES1370State *s = ES1370(dev);
++ int i;
++
++ for (i = 0; i < 2; ++i) {
++ AUD_close_out(&s->card, s->dac_voice[i]);
++ }
++
++ AUD_close_in(&s->card, s->adc_voice);
++ AUD_remove_card(&s->card);
++}
++
+ static int es1370_init (PCIBus *bus)
+ {
+ pci_create_simple (bus, -1, TYPE_ES1370);
+@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data)
+ PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
+
+ k->realize = es1370_realize;
++ k->exit = es1370_exit;
+ k->vendor_id = PCI_VENDOR_ID_ENSONIQ;
+ k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370;
+ k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO;
+--
+1.7.0.4
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-5552.patch b/gnu/packages/patches/qemu-CVE-2017-5552.patch
new file mode 100644
index 0000000000..50911f4f36
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5552.patch
@@ -0,0 +1,44 @@
+From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@gmail.com>
+Date: Thu, 29 Dec 2016 03:11:26 -0500
+Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+If the virgl_renderer_resource_attach_iov function fails the
+'res_iovs' will be leaked. Add check of the return value to
+free the 'res_iovs' when failing.
+
+http://git.qemu.org/?p=qemu.git;a=patch;h=33243031dad02d161225ba99d782616da133f689
+this patch is from qemu-git.
+
+Signed-off-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/virtio-gpu-3d.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index e29f099..b13ced3 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,
+ return;
+ }
+
+- virgl_renderer_resource_attach_iov(att_rb.resource_id,
+- res_iovs, att_rb.nr_entries);
++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
++ res_iovs, att_rb.nr_entries);
++
++ if (ret != 0)
++ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries);
+ }
+
+ static void virgl_resource_detach_backing(VirtIOGPU *g,
+--
+1.7.0.4
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-5578.patch b/gnu/packages/patches/qemu-CVE-2017-5578.patch
new file mode 100644
index 0000000000..05655bcd98
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5578.patch
@@ -0,0 +1,39 @@
+http://git.qemu.org/?p=qemu.git;a=patch;h=204f01b30975923c64006f8067f0937b91eea68b
+this patch is from qemu-git.
+
+
+From 204f01b30975923c64006f8067f0937b91eea68b Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@gmail.com>
+Date: Thu, 29 Dec 2016 04:28:41 -0500
+Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing
+
+In the resource attach backing function, everytime it will
+allocate 'res->iov' thus can leading a memory leak. This
+patch avoid this.
+
+Signed-off-by: Li Qiang <liq3ea@gmail.com>
+Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/virtio-gpu.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
+index 6a26258cac..ca88cf478d 100644
+--- a/hw/display/virtio-gpu.c
++++ b/hw/display/virtio-gpu.c
+@@ -714,6 +714,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g,
+ return;
+ }
+
++ if (res->iov) {
++ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
++ return;
++ }
++
+ ret = virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->iov);
+ if (ret != 0) {
+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
+--
+2.11.0
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-5579.patch b/gnu/packages/patches/qemu-CVE-2017-5579.patch
new file mode 100644
index 0000000000..7630012d54
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5579.patch
@@ -0,0 +1,44 @@
+http://git.qemu.org/?p=qemu.git;a=patch;h=8409dc884a201bf74b30a9d232b6bbdd00cb7e2b
+this patch is from qemu-git.
+
+
+From 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Wed, 4 Jan 2017 00:43:16 -0800
+Subject: [PATCH] serial: fix memory leak in serial exit
+
+The serial_exit_core function doesn't free some resources.
+This can lead memory leak when hotplug and unplug. This
+patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/char/serial.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/hw/char/serial.c b/hw/char/serial.c
+index ffbacd8227..67b18eda12 100644
+--- a/hw/char/serial.c
++++ b/hw/char/serial.c
+@@ -906,6 +906,16 @@ void serial_realize_core(SerialState *s, Error **errp)
+ void serial_exit_core(SerialState *s)
+ {
+ qemu_chr_fe_deinit(&s->chr);
++
++ timer_del(s->modem_status_poll);
++ timer_free(s->modem_status_poll);
++
++ timer_del(s->fifo_timeout_timer);
++ timer_free(s->fifo_timeout_timer);
++
++ fifo8_destroy(&s->recv_fifo);
++ fifo8_destroy(&s->xmit_fifo);
++
+ qemu_unregister_reset(serial_reset, s);
+ }
+
+--
+2.11.0
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-5667.patch b/gnu/packages/patches/qemu-CVE-2017-5667.patch
new file mode 100644
index 0000000000..5adea0d278
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5667.patch
@@ -0,0 +1,46 @@
+Fix CVE-2017-5667 (sdhci OOB access during multi block SDMA transfer):
+
+http://seclists.org/oss-sec/2017/q1/243
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5667
+
+Patch copied from upstream source repository:
+
+http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=42922105beb14c2fc58185ea022b9f72fb5465e9
+
+From 42922105beb14c2fc58185ea022b9f72fb5465e9 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 7 Feb 2017 18:29:59 +0000
+Subject: [PATCH] sd: sdhci: check data length during dma_memory_read
+
+While doing multi block SDMA transfer in routine
+'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
+index 'begin' and data length 's->data_count' could end up to be same.
+This could lead to an OOB access issue. Correct transfer data length
+to avoid it.
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Jiang Xin <jiangxin1@huawei.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20170130064736.9236-1-ppandit@redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/sd/sdhci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 01fbf228be..5bd5ab6319 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+ boundary_count -= block_size - begin;
+ }
+ dma_memory_read(&address_space_memory, s->sdmasysad,
+- &s->fifo_buffer[begin], s->data_count);
++ &s->fifo_buffer[begin], s->data_count - begin);
+ s->sdmasysad += s->data_count - begin;
+ if (s->data_count == block_size) {
+ for (n = 0; n < block_size; n++) {
+--
+2.11.1
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-5856.patch b/gnu/packages/patches/qemu-CVE-2017-5856.patch
new file mode 100644
index 0000000000..bee0824c0a
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5856.patch
@@ -0,0 +1,68 @@
+http://git.qemu.org/?p=qemu.git;a=patch;h=765a707000e838c30b18d712fe6cb3dd8e0435f3
+this patch is from qemu-git.
+
+
+From 765a707000e838c30b18d712fe6cb3dd8e0435f3 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 2 Jan 2017 11:03:33 +0100
+Subject: [PATCH] megasas: fix guest-triggered memory leak
+
+If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd
+will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory.
+Avoid this by returning only the status from map_dcmd, and loading
+cmd->iov_size in the caller.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/scsi/megasas.c | 11 ++++++-----
+ 1 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 67fc1e7..6233865 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd)
+ trace_megasas_dcmd_invalid_sge(cmd->index,
+ cmd->frame->header.sge_count);
+ cmd->iov_size = 0;
+- return -1;
++ return -EINVAL;
+ }
+ iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl);
+ iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl);
+ pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1);
+ qemu_sglist_add(&cmd->qsg, iov_pa, iov_size);
+ cmd->iov_size = iov_size;
+- return cmd->iov_size;
++ return 0;
+ }
+
+ static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size)
+@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t {
+
+ static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
+ {
+- int opcode, len;
++ int opcode;
+ int retval = 0;
++ size_t len;
+ const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
+
+ opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
+ trace_megasas_handle_dcmd(cmd->index, opcode);
+- len = megasas_map_dcmd(s, cmd);
+- if (len < 0) {
++ if (megasas_map_dcmd(s, cmd) < 0) {
+ return MFI_STAT_MEMORY_NOT_AVAILABLE;
+ }
+ while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
+ cmdptr++;
+ }
++ len = cmd->iov_size;
+ if (cmdptr->opcode == -1) {
+ trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
+ retval = megasas_dcmd_dummy(s, cmd);
+--
+1.7.0.4
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-5898.patch b/gnu/packages/patches/qemu-CVE-2017-5898.patch
new file mode 100644
index 0000000000..5a94bb1ae4
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5898.patch
@@ -0,0 +1,44 @@
+Fix CVE-2017-5898 (integer overflow in emulated_apdu_from_guest):
+
+http://seclists.org/oss-sec/2017/q1/328
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5898
+
+Patch copied from upstream source repository:
+
+http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=c7dfbf322595ded4e70b626bf83158a9f3807c6a
+
+From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 3 Feb 2017 00:52:28 +0530
+Subject: [PATCH] usb: ccid: check ccid apdu length
+
+CCID device emulator uses Application Protocol Data Units(APDU)
+to exchange command and responses to and from the host.
+The length in these units couldn't be greater than 65536. Add
+check to ensure the same. It'd also avoid potential integer
+overflow in emulated_apdu_from_guest.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20170202192228.10847-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/usb/dev-smartcard-reader.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
+index 89e11b68c4..1325ea1659 100644
+--- a/hw/usb/dev-smartcard-reader.c
++++ b/hw/usb/dev-smartcard-reader.c
+@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
+ DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
+ recv->hdr.bSeq, len);
+ ccid_add_pending_answer(s, (CCID_Header *)recv);
+- if (s->card) {
++ if (s->card && len <= BULK_OUT_DATA_SIZE) {
+ ccid_card_apdu_from_guest(s->card, recv->abData, len);
+ } else {
+ DPRINTF(s, D_WARN, "warning: discarded apdu\n");
+--
+2.11.1
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-5931.patch b/gnu/packages/patches/qemu-CVE-2017-5931.patch
new file mode 100644
index 0000000000..08910e5fac
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5931.patch
@@ -0,0 +1,55 @@
+Fix CVE-2017-5931 (integer overflow in handling virtio-crypto requests):
+
+http://seclists.org/oss-sec/2017/q1/337
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5931
+
+Patch copied from upstream source repository:
+
+http://git.qemu-project.org/?p=qemu.git;a=commit;h=a08aaff811fb194950f79711d2afe5a892ae03a4
+
+From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001
+From: Gonglei <arei.gonglei@huawei.com>
+Date: Tue, 3 Jan 2017 14:50:03 +0800
+Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow
+
+Because the 'size_t' type is 4 bytes in 32-bit platform, which
+is the same with 'int'. It's easy to make 'max_len' to zero when
+integer overflow and then cause heap overflow if 'max_len' is zero.
+
+Using uint_64 instead of size_t to avoid the integer overflow.
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Gonglei <arei.gonglei@huawei.com>
+Tested-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+---
+ hw/virtio/virtio-crypto.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
+index 2f2467e859..c23e1ad458 100644
+--- a/hw/virtio/virtio-crypto.c
++++ b/hw/virtio/virtio-crypto.c
+@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
+ uint32_t hash_start_src_offset = 0, len_to_hash = 0;
+ uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
+
+- size_t max_len, curr_size = 0;
++ uint64_t max_len, curr_size = 0;
+ size_t s;
+
+ /* Plain cipher */
+@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
+ return NULL;
+ }
+
+- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
++ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
+ if (unlikely(max_len > vcrypto->conf.max_size)) {
+ virtio_error(vdev, "virtio-crypto too big length");
+ return NULL;
+--
+2.11.1
+
diff --git a/gnu/packages/patches/screen-CVE-2017-5618.patch b/gnu/packages/patches/screen-CVE-2017-5618.patch
new file mode 100644
index 0000000000..1b95e428c8
--- /dev/null
+++ b/gnu/packages/patches/screen-CVE-2017-5618.patch
@@ -0,0 +1,40 @@
+Fixes CVE-2017-5618 (privilege escalation via opening the logfile when
+screen is installed setuid root):
+
+https://savannah.gnu.org/bugs/?50142
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5618
+
+This patch reverts the upstream commit that introduced the bug:
+
+https://git.savannah.gnu.org/cgit/screen.git/commit/?id=5460f5d28c01a9a58e021eb1dffef2965e629d58
+
+From f55b0cc29a0ac2a1c54e8a5e886b7393edd4a76c Mon Sep 17 00:00:00 2001
+From: Leo Famulari <leo@famulari.name>
+Date: Sat, 11 Feb 2017 22:40:24 -0500
+Subject: [PATCH] Revert "adding permissions check for the logfile name"
+
+This reverts commit 5460f5d28c01a9a58e021eb1dffef2965e629d58.
+---
+ src/screen.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/src/screen.c b/src/screen.c
+index 64650e9..283c305 100644
+--- a/src/screen.c
++++ b/src/screen.c
+@@ -673,12 +673,6 @@ int main(int ac, char** av)
+ Panic(0, "-L: logfile name can not start with \"-\" symbol");
+ if (strlen(screenlogfile) > PATH_MAX)
+ Panic(0, "-L: logfile name too long. (max. %d char)", PATH_MAX);
+-
+- FILE *w_check;
+- if ((w_check = fopen(screenlogfile, "w")) == NULL)
+- Panic(0, "-L: logfile name access problem");
+- else
+- fclose(w_check);
+ }
+ nwin_options.Lflag = 1;
+ break;
+--
+2.11.1
+
diff --git a/gnu/packages/patches/shadow-4.4-su-snprintf-fix.patch b/gnu/packages/patches/shadow-4.4-su-snprintf-fix.patch
new file mode 100644
index 0000000000..3f357c4924
--- /dev/null
+++ b/gnu/packages/patches/shadow-4.4-su-snprintf-fix.patch
@@ -0,0 +1,31 @@
+Patch copied from upstream source repository:
+
+https://github.com/shadow-maint/shadow/commit/67d2bb6e0a5ac124ce1f026dd5723217b1493194
+
+From 67d2bb6e0a5ac124ce1f026dd5723217b1493194 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Sun, 18 Sep 2016 21:31:18 -0500
+Subject: [PATCH] su.c: fix missing length argument to snprintf
+
+---
+ src/su.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/su.c b/src/su.c
+index 0c50a9456afd..93ffd2fbe2b4 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -373,8 +373,8 @@ static void prepare_pam_close_session (void)
+ stderr);
+ (void) kill (-pid_child, caught);
+
+- snprintf (kill_msg, _(" ...killed.\n"));
+- snprintf (wait_msg, _(" ...waiting for child to terminate.\n"));
++ snprintf (kill_msg, 256, _(" ...killed.\n"));
++ snprintf (wait_msg, 256, _(" ...waiting for child to terminate.\n"));
+
+ (void) signal (SIGALRM, kill_child);
+ (void) alarm (2);
+--
+2.11.0.rc2
+
diff --git a/gnu/packages/patches/slurm-configure-remove-nonfree-contribs.patch b/gnu/packages/patches/slurm-configure-remove-nonfree-contribs.patch
index b63d5bb018..4092261f75 100644
--- a/gnu/packages/patches/slurm-configure-remove-nonfree-contribs.patch
+++ b/gnu/packages/patches/slurm-configure-remove-nonfree-contribs.patch
@@ -1,19 +1,19 @@
-From 53eda9102b969a4be2882cea4befee03591a7436 Mon Sep 17 00:00:00 2001
-From: Pjotr Prins <pjotr.public01@thebird.nl>
-Date: Fri, 12 Feb 2016 12:43:33 +0100
-Subject: [PATCH] Remove contribs
+From 49d83e24a8e66977056fc9920812265c16806500 Mon Sep 17 00:00:00 2001
+From: carolili <carolili@iki.fi>
+Date: Thu, 9 Feb 2017 19:24:49 +0000
+Subject: [PATCH] Removing contribs
---
- configure.ac | 20 --------------------
- 1 file changed, 20 deletions(-)
+ configure.ac | 22 ----------------------
+ 1 file changed, 22 deletions(-)
diff --git a/configure.ac b/configure.ac
-index fedf354..e010732 100644
+index 1cf1051..5d76b44 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -438,26 +438,6 @@ dnl All slurm Makefiles:
+@@ -435,28 +435,6 @@ dnl All slurm Makefiles:
+
AC_CONFIG_FILES([Makefile
- config.xml
auxdir/Makefile
- contribs/Makefile
- contribs/cray/Makefile
@@ -27,7 +27,9 @@ index fedf354..e010732 100644
- contribs/perlapi/libslurm/perl/Makefile.PL
- contribs/perlapi/libslurmdb/Makefile
- contribs/perlapi/libslurmdb/perl/Makefile.PL
+- contribs/seff/Makefile
- contribs/torque/Makefile
+- contribs/openlava/Makefile
- contribs/phpext/Makefile
- contribs/phpext/slurm_php/config.m4
- contribs/sgather/Makefile
@@ -39,5 +41,5 @@ index fedf354..e010732 100644
doc/man/Makefile
doc/man/man1/Makefile
--
-2.1.4
+2.11.0
diff --git a/gnu/packages/patches/spice-CVE-2016-9577.patch b/gnu/packages/patches/spice-CVE-2016-9577.patch
new file mode 100644
index 0000000000..a2cb558cd3
--- /dev/null
+++ b/gnu/packages/patches/spice-CVE-2016-9577.patch
@@ -0,0 +1,33 @@
+Prevent buffer overflow when reading large messages.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1401603
+https://access.redhat.com/security/cve/CVE-2016-9577
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9577
+https://security-tracker.debian.org/tracker/CVE-2016-9577
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3
+
+From 5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Tue, 29 Nov 2016 16:46:56 +0000
+Subject: main-channel: Prevent overflow reading messages from client
+
+diff --git a/server/main_channel.c b/server/main_channel.c
+index 0ecc9df..1fc3915 100644
+--- a/server/main_channel.c
++++ b/server/main_channel.c
+@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
+
+ if (type == SPICE_MSGC_MAIN_AGENT_DATA) {
+ return reds_get_agent_data_buffer(mcc, size);
++ } else if (size > sizeof(main_chan->recv_buf)) {
++ /* message too large, caller will log a message and close the connection */
++ return NULL;
+ } else {
+ return main_chan->recv_buf;
+ }
+--
+cgit v0.10.2
+
diff --git a/gnu/packages/patches/spice-CVE-2016-9578-1.patch b/gnu/packages/patches/spice-CVE-2016-9578-1.patch
new file mode 100644
index 0000000000..f86cdb4eb1
--- /dev/null
+++ b/gnu/packages/patches/spice-CVE-2016-9578-1.patch
@@ -0,0 +1,33 @@
+Prevent possible DoS during protocol handshake.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1399566
+https://access.redhat.com/security/cve/CVE-2016-9578
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9578
+https://security-tracker.debian.org/tracker/CVE-2016-9578
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f66dc643635518e53dfbe5262f814a64eec54e4a
+
+From 1c6517973095a67c8cb57f3550fc1298404ab556 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Tue, 13 Dec 2016 14:39:48 +0000
+Subject: Prevent possible DoS attempts during protocol handshake
+
+diff --git a/server/reds.c b/server/reds.c
+index f40b65c..86a33d5 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -2202,7 +2202,8 @@ static void reds_handle_read_header_done(void *opaque)
+
+ reds->peer_minor_version = header->minor_version;
+
+- if (header->size < sizeof(SpiceLinkMess)) {
++ /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */
++ if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) {
+ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
+ spice_warning("bad size %u", header->size);
+ reds_link_free(link);
+--
+cgit v0.10.2
+
diff --git a/gnu/packages/patches/spice-CVE-2016-9578-2.patch b/gnu/packages/patches/spice-CVE-2016-9578-2.patch
new file mode 100644
index 0000000000..76f7ec7ffb
--- /dev/null
+++ b/gnu/packages/patches/spice-CVE-2016-9578-2.patch
@@ -0,0 +1,38 @@
+Fixes a potential buffer overflow in the protocol handling.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1399566
+https://access.redhat.com/security/cve/CVE-2016-9578
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9578
+https://security-tracker.debian.org/tracker/CVE-2016-9578
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f66dc643635518e53dfbe5262f814a64eec54e4a
+
+From f66dc643635518e53dfbe5262f814a64eec54e4a Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Tue, 13 Dec 2016 14:40:10 +0000
+Subject: Prevent integer overflows in capability checks
+
+diff --git a/server/reds.c b/server/reds.c
+index 86a33d5..9150454 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque)
+ link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps);
+ link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps);
+
++ /* Prevent DoS. Currently we defined only 13 capabilities,
++ * I expect 1024 to be valid for quite a lot time */
++ if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) {
++ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
++ reds_link_free(link);
++ return;
++ }
++
+ num_caps = link_mess->num_common_caps + link_mess->num_channel_caps;
+ caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset);
+
+--
+cgit v0.10.2
+
diff --git a/gnu/packages/patches/tipp10-fix-compiling.patch b/gnu/packages/patches/tipp10-fix-compiling.patch
new file mode 100644
index 0000000000..4c206d4d83
--- /dev/null
+++ b/gnu/packages/patches/tipp10-fix-compiling.patch
@@ -0,0 +1,213 @@
+Description: Debian patches to make tipp10 compile
+Author: Christoph Martin <chrism@debian.org>
+Last-Update: 2016-07-20
+
+https://sources.debian.net/data/main/t/tipp10/2.1.0-2/debian/patches/0001-FixCompiling
+
+--- a/widget/tickerboard.cpp
++++ b/widget/tickerboard.cpp
+@@ -97,7 +97,8 @@ void TickerBoard::startTicker(bool wasPa
+
+ if (tickerSpeed == 50) {
+ scrollOffset = 290;
+- scroll(-290, 0, QRect::QRect(10, 15, 590, 35)); //contentsRect());
++ const QRect qr = QRect(10, 15, 590, 35);
++ scroll(-290, 0, qr); //contentsRect());
+ }
+
+ startFlag = true;
+@@ -153,7 +154,8 @@ void TickerBoard::changeChar() {
+ scrollOffset = 0;
+ } else {
+ scrollOffset = 290;
+- scroll(-290, 0, QRect::QRect(10, 15, 590, 35)); //contentsRect());
++ const QRect qr = QRect(10, 15, 590, 35);
++ scroll(-290, 0, qr); //contentsRect());
+ }
+ splitLesson();
+ }
+@@ -242,7 +244,8 @@ void TickerBoard::progress() {
+
+ // Move ticker 1 pixel to left
+ scrollOffset++;
+- scroll(-1, 0, QRect::QRect(10, 15, 590, 35)); //contentsRect());
++ const QRect qr = QRect(10, 15, 590, 35);
++ scroll(-1, 0, qr); //contentsRect());
+
+ if ((lessonOffset - scrollOffset) <= 30) {
+ setSpeed(tickerSpeed);
+@@ -265,14 +268,16 @@ void TickerBoard::progress() {
+ // 160 pixels overage (because the user must see at least the next word)
+ if ((lessonOffset - scrollOffset) > 200) {
+ scrollOffset += (lessonOffset - scrollOffset) - 200;
+- scroll(-((lessonOffset - scrollOffset) - 200), 0, QRect::QRect(10, 15, 590, 35)); //contentsRect());
++ const QRect qr = QRect(10, 15, 590, 35);
++ scroll(-((lessonOffset - scrollOffset) - 200), 0, qr); //contentsRect());
+ }
+ } else {
+ // If the user types faster than the ticker, move ticker faster after
+ // 160 pixels overage (because the user must see at least the next word)
+ if ((lessonOffset - scrollOffset) > 280) {
+ scrollOffset += 570;
+- scroll(-570, 0, QRect::QRect(10, 15, 590, 35)); //contentsRect());
++ const QRect qr = QRect(10, 15, 590, 35);
++ scroll(-570, 0, qr); //contentsRect());
+ }
+
+ }
+--- a/widget/settingspages.cpp
++++ b/widget/settingspages.cpp
+@@ -501,7 +501,7 @@ void DatabasePage::writeSettings() {
+ QSettings settings;
+ #endif
+ settings.beginGroup("database");
+- settings.setValue("pathpro", lineDatabasePath->text() + "/" + QString::QString(APP_USER_DB));
++ settings.setValue("pathpro", lineDatabasePath->text() + "/" + QString(APP_USER_DB));
+ settings.endGroup();
+ }
+
+--- a/widget/lessondialog.cpp
++++ b/widget/lessondialog.cpp
+@@ -89,7 +89,7 @@ void LessonDialog::updateContent() {
+ *lessonData = lineLessonContent->toPlainText().split("\n", QString::SkipEmptyParts);
+ // Delete empty lines
+ for (int i = 0; i < lessonData->size(); i++) {
+- if (QString::QString(lessonData->at(i).toLocal8Bit().constData()).simplified() == "") {
++ if (QString(lessonData->at(i).toLocal8Bit().constData()).simplified() == "") {
+ lessonData->removeAt(i);
+ }
+ }
+@@ -259,7 +259,7 @@ void LessonDialog::clickSave() {
+ contentList = lineLessonContent->toPlainText().split("\n", QString::SkipEmptyParts);
+ // Delete empty lines
+ for (i = 0; i < contentList.size(); i++) {
+- if (QString::QString(contentList.at(i).toLocal8Bit().constData()).simplified() == "") {
++ if (QString(contentList.at(i).toLocal8Bit().constData()).simplified() == "") {
+ contentList.removeAt(i);
+ }
+ }
+--- a/sql/chartablesql.cpp
++++ b/sql/chartablesql.cpp
+@@ -57,7 +57,7 @@ QVariant CharSqlModel::data(const QModel
+ // Read the unicode value
+ unicode = value.toInt();
+ // Convert unicode to a char
+- unicodeToChar = QString::QString(QChar(unicode)); //"\'" + QString::QString(QChar(unicode)) + "\'";
++ unicodeToChar = QString(QChar(unicode)); //"\'" + QString::QString(QChar(unicode)) + "\'";
+ return unicodeToChar;
+ } else {
+ // Last column (error weight)
+--- a/sql/startsql.cpp
++++ b/sql/startsql.cpp
+@@ -344,7 +344,7 @@ bool StartSql::updateOwnLesson(QString l
+ for (i = 0; i < content.size(); i++) {
+ //simplifiedContent = QString::QString(
+ // content.at(i)).replace(QChar(0x27), "''", Qt::CaseSensitive).simplified();
+- simplifiedContent = trim(QString::QString(
++ simplifiedContent = trim(QString(
+ content.at(i)).replace(QChar(0x27), "''", Qt::CaseSensitive));
+
+ if (!query.exec("INSERT INTO own_content VALUES(NULL,'" +
+--- a/def/defines.h
++++ b/def/defines.h
+@@ -27,9 +27,9 @@ Foundation, Inc., 51 Franklin Street, Fi
+ #define DEFINES_H
+
+ // OS constants
+-#define APP_WIN true
++#define APP_WIN false
+ #define APP_MAC false
+-#define APP_X11 false
++#define APP_X11 true
+ #define APP_PORTABLE false //at least one of the 3 OS must be true too!
+
+ // Languages
+@@ -47,6 +47,7 @@ Foundation, Inc., 51 Franklin Street, Fi
+ #define APP_URL "http://www.tipp10.com"
+ #define APP_DB "tipp10v2.template"
+ #define APP_USER_DB "tipp10v2.db"
++#define APP_SHARE_DIR "/usr/share/tipp10"
+
+ // Update constants
+ #define UPDATE_URL "www.tipp10.com"
+--- a/tipp10.pro
++++ b/tipp10.pro
+@@ -88,3 +88,15 @@ SOURCES += main.cpp \
+ sql/startsql.cpp \
+ games/abcrainwidget.cpp \
+ games/charball.cpp
++
++target.path = /usr/bin/
++INSTALLS += target
++share.path = /usr/share/tipp10/
++share.files = release/* *wav
++INSTALLS += share
++desktop.path = /usr/share/applications/
++desktop.files = tipp10.desktop
++INSTALLS += desktop
++pixmap.path = /usr/share/pixmaps/
++pixmap.files = tipp10.png
++INSTALLS += pixmap
+--- a/sql/connection.h
++++ b/sql/connection.h
+@@ -179,11 +179,13 @@ static bool createConnection() {
+ CANCEL_NO, "Betroffener Pfad:\n" + dbPath);*/
+ // Try to create new databae in user path
+ // Exist a database in the program dir?
+- if (QFile::exists(QCoreApplication::applicationDirPath() + "/" + dbNameTemplate)) {
++ // if (QFile::exists(QCoreApplication::applicationDirPath() + "/" + dbNameTemplate)) {
++ if (QFile::exists(QString(APP_SHARE_DIR) + "/" + dbNameTemplate)) {
+ //if (QFile::exists(":/" + dbNameTemplate)) {
+ // A database exist in the program dir
+ // -> copy database to user home dir
+- QFile file(QCoreApplication::applicationDirPath() + "/" + dbNameTemplate);
++ // QFile file(QCoreApplication::applicationDirPath() + "/" + dbNameTemplate);
++ QFile file(QString(APP_SHARE_DIR) + "/" + dbNameTemplate);
+ //QFile file(":/" + dbNameTemplate);
+ if (file.copy(dbPath)) {
+ QFile::setPermissions(dbPath, QFile::permissions(dbPath) | QFile::WriteUser);
+@@ -229,7 +231,8 @@ static bool createConnection() {
+ // Exist a database in user's home dir?
+ if (!QFile::exists(dbPath)) {
+ // Exist a database template in the program dir?
+- dbPath = QCoreApplication::applicationDirPath() + "/" + dbNameTemplate;
++ // dbPath = QCoreApplication::applicationDirPath() + "/" + dbNameTemplate;
++ dbPath = QString(APP_SHARE_DIR) + "/" + dbNameTemplate;
+ //dbPath = ":/" + dbNameTemplate;
+ if (QFile::exists(dbPath)) {
+ // A database template exist in the program dir
+--- a/widget/helpbrowser.cpp
++++ b/widget/helpbrowser.cpp
+@@ -52,13 +52,15 @@ HelpBrowser::HelpBrowser(QString link, Q
+ textBrowser->setOpenExternalLinks(true);
+
+ textBrowser->setSource(QString("file:///") +
+- QCoreApplication::applicationDirPath() +
++ // QCoreApplication::applicationDirPath() +
++ APP_SHARE_DIR +
+ QString("/help/") + language + QString("/index.html"));
+
+ if (link != "") {
+
+ textBrowser->setSource(QString("file:///") +
+- QCoreApplication::applicationDirPath() +
++ // QCoreApplication::applicationDirPath() +
++ APP_SHARE_DIR +
+ QString("/help/") + language + QString("/content/") + link);
+
+ }
+--- a/tipp10.desktop
++++ b/tipp10.desktop
+@@ -1,10 +1,10 @@
+ [Desktop Entry]
+-Encoding=UTF-8
+ Name=TIPP10
+ Comment=Touch Typing Tutor
+ Comment[de]=10-Finger-Schreibtrainer
+-Exec=tipp10
++Exec=/usr/bin/tipp10
+ Icon=tipp10.png
+ Terminal=false
+ Type=Application
+ Categories=Education;
++Keywords=learning;touchtyping
diff --git a/gnu/packages/patches/tipp10-remove-license-code.patch b/gnu/packages/patches/tipp10-remove-license-code.patch
new file mode 100644
index 0000000000..4b7487e726
--- /dev/null
+++ b/gnu/packages/patches/tipp10-remove-license-code.patch
@@ -0,0 +1,332 @@
+Description: Remove license dialog and license key checking
+
+https://sources.debian.net/data/main/t/tipp10/2.1.0-2/debian/patches/0002-RemoveLicenseCode
+
+--- a/main.cpp
++++ b/main.cpp
+@@ -33,7 +33,6 @@ Foundation, Inc., 51 Franklin Street, Fi
+ #include "def/defines.h"
+ #include "sql/connection.h"
+ #include "widget/mainwindow.h"
+-#include "widget/licensedialog.h"
+ #include "widget/illustrationdialog.h"
+
+ int main(int argc, char *argv[]) {
+@@ -59,7 +58,7 @@ int main(int argc, char *argv[]) {
+ QSettings settings;
+ #endif
+
+- // Read/write language, license key and show illustration flag
++ // Read/write language and show illustration flag
+ settings.beginGroup("general");
+ QString languageGui = settings.value("language_gui",
+ QLocale::system().name()).toString();
+@@ -101,7 +100,6 @@ int main(int argc, char *argv[]) {
+ QString languageLesson = settings.value("language_lesson",
+ "").toString();
+
+- QString licenseKey = settings.value("licensekey", "").toString();
+ bool showIllustration = settings.value("check_illustration", true).toBool();
+ bool useNativeStyle = settings.value("check_native_style", false).toBool();
+ settings.endGroup();
+--- a/tipp10.pro
++++ b/tipp10.pro
+@@ -43,7 +43,6 @@ HEADERS += def/defines.h \
+ widget/helpbrowser.h \
+ widget/companylogo.h \
+ widget/errormessage.h \
+- widget/licensedialog.h \
+ widget/txtmessagedialog.h \
+ widget/checkversion.h \
+ sql/connection.h \
+@@ -78,7 +77,6 @@ SOURCES += main.cpp \
+ widget/helpbrowser.cpp \
+ widget/companylogo.cpp \
+ widget/errormessage.cpp \
+- widget/licensedialog.cpp \
+ widget/txtmessagedialog.cpp \
+ widget/checkversion.cpp \
+ sql/lessontablesql.cpp \
+--- a/widget/licensedialog.cpp
++++ /dev/null
+@@ -1,168 +0,0 @@
+-/*
+-Copyright (c) 2006-2009, Tom Thielicke IT Solutions
+-
+-This program is free software; you can redistribute it and/or
+-modify it under the terms of the GNU General Public License
+-as published by the Free Software Foundation; either version 2
+-of the License.
+-
+-This program is distributed in the hope that it will be useful,
+-but WITHOUT ANY WARRANTY; without even the implied warranty of
+-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-GNU General Public License for more details.
+-
+-You should have received a copy of the GNU General Public License
+-along with this program; if not, write to the Free Software
+-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+-02110-1301, USA.
+-*/
+-
+-/****************************************************************
+-**
+-** Implementation of the LicenseDialog class
+-** File name: licensedialog.cpp
+-**
+-****************************************************************/
+-
+-#include <QHBoxLayout>
+-#include <QVBoxLayout>
+-#include <QMessageBox>
+-#include <QSettings>
+-#include <QCoreApplication>
+-
+-#include "licensedialog.h"
+-#include "def/defines.h"
+-
+-LicenseDialog::LicenseDialog(QWidget *parent) : QDialog(parent) {
+-
+- setWindowFlags(windowFlags() ^ Qt::WindowContextHelpButtonHint);
+-
+- setWindowTitle(tr("Lizenznummer"));
+- setWindowIcon(QIcon(":/img/" + QString(ICON_FILENAME)));
+-
+- // Create texbox
+- createLineEdit();
+-
+- // Create buttons
+- createButtons();
+-
+- // Set the layout of all widgets created above
+- createLayout();
+-
+- lineLicensing->setFocus();
+-}
+-
+-void LicenseDialog::createButtons() {
+- //Buttons
+- buttonOk = new QPushButton(this);
+- buttonDemo = new QPushButton(this);
+-
+- buttonOk->setText(tr("&Ok"));
+- buttonDemo->setText(tr("&Demo starten"));
+- buttonDemo->setToolTip(tr("Im Demo-Modus koennen pro Lektion nur\n"
+- "10 Schriftzeichen eingegeben werden"));
+-
+- buttonOk->setDefault(true);
+- // Widget connections
+- connect(buttonOk, SIGNAL(clicked()), this, SLOT(clickOk()));
+- connect(buttonDemo, SIGNAL(clicked()), this, SLOT(clickDemo()));
+-}
+-
+-void LicenseDialog::createLineEdit() {
+-
+- lineLicensing = new QLineEdit();
+- lineLicensing->setInputMask(">NNNNNNNNNNNNNN");
+-
+- labelLicensing = new QLabel(tr("Bitte geben Sie Ihre Lizenznummer "
+- "(ohne Leerzeichen) ein, "
+- "die Sie im Arbeitsbuch (Schulbuch) auf Seite 3 finden:"));
+-
+- labelLicensing->setWordWrap(true);
+-}
+-
+-void LicenseDialog::createLayout() {
+- // Button layout horizontal
+- QHBoxLayout *buttonLayoutHorizontal = new QHBoxLayout;
+- buttonLayoutHorizontal->addStretch(1);
+- buttonLayoutHorizontal->addWidget(buttonDemo);
+- buttonLayoutHorizontal->addWidget(buttonOk);
+- // Full layout of all widgets vertical
+- QVBoxLayout *mainLayout = new QVBoxLayout;
+- mainLayout->addSpacing(1);
+- mainLayout->addWidget(labelLicensing);
+- mainLayout->addSpacing(1);
+- mainLayout->addWidget(lineLicensing);
+- mainLayout->addSpacing(1);
+- mainLayout->addLayout(buttonLayoutHorizontal);
+- mainLayout->setMargin(15);
+- mainLayout->setSpacing(15);
+- // Pass layout to parent widget (this)
+- this->setLayout(mainLayout);
+-}
+-
+-void LicenseDialog::clickOk() {
+-
+- // Check license key
+- if (!checkLicenseKey(lineLicensing->text())) {
+-
+- // License key is wrong
+-
+- // Message to the user
+- QMessageBox::information(0, APP_NAME,
+- tr("Die eingegebene Lizenznummer ist leider nicht "
+- "korrekt.\nBitte ueberpruefen Sie die Schreibweise."));
+-
+- lineLicensing->setFocus();
+-
+- } else {
+-
+- // License key is ok
+- writeSettings();
+- accept();
+- }
+-}
+-
+-void LicenseDialog::clickDemo() {
+- accept();
+-}
+-
+-bool LicenseDialog::checkLicenseKey(QString licenseKey) {
+- if (licenseKey.size() == 14 &&
+- licenseKey[0].isLetter() &&
+- licenseKey[1].isLetter() &&
+- (licenseKey.mid(2, 2) == "39" ||
+- licenseKey.mid(2, 2) == "41" ||
+- licenseKey.mid(2, 2) == "43" ||
+- licenseKey.mid(2, 2) == "49" ||
+- licenseKey.mid(2, 2) == "99") &&
+- licenseKey[4].isDigit() &&
+- licenseKey[5].isDigit() &&
+- licenseKey[6].isDigit() &&
+- licenseKey[7].isLetter() &&
+- licenseKey[8].isDigit() &&
+- licenseKey[9].isDigit() &&
+- licenseKey[10].isDigit() &&
+- licenseKey[11].isDigit() &&
+- licenseKey[12].isLetter() &&
+- licenseKey[13].isLetter()) {
+-
+- return true;
+- }
+- return false;
+-}
+-
+-void LicenseDialog::writeSettings() {
+- // Saves settings of the startwiget
+- // (uses the default constructor of QSettings, passing
+- // the application and company name see main function)
+- #if APP_PORTABLE
+- QSettings settings(QCoreApplication::applicationDirPath() +
+- "/portable/settings.ini", QSettings::IniFormat);
+- #else
+- QSettings settings;
+- #endif
+-
+- settings.beginGroup("general");
+- settings.setValue("licensekey", lineLicensing->text());
+- settings.endGroup();
+-}
+--- a/widget/licensedialog.h
++++ /dev/null
+@@ -1,85 +0,0 @@
+-/*
+-Copyright (c) 2006-2009, Tom Thielicke IT Solutions
+-
+-This program is free software; you can redistribute it and/or
+-modify it under the terms of the GNU General Public License
+-as published by the Free Software Foundation; either version 2
+-of the License.
+-
+-This program is distributed in the hope that it will be useful,
+-but WITHOUT ANY WARRANTY; without even the implied warranty of
+-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-GNU General Public License for more details.
+-
+-You should have received a copy of the GNU General Public License
+-along with this program; if not, write to the Free Software
+-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+-02110-1301, USA.
+-*/
+-
+-/****************************************************************
+-**
+-** Definition of the LicenseDialog class
+-** File name: licensedialog.h
+-**
+-****************************************************************/
+-
+-#ifndef LICENSEDIALOG_H
+-#define LICENSEDIALOG_H
+-
+-#include <QDialog>
+-#include <QWidget>
+-#include <QPushButton>
+-#include <QLabel>
+-#include <QLineEdit>
+-#include <QString>
+-
+-//! The LicenseDialog class provides a license input widget.
+-/*!
+- The LicenseDialog class shows a dialog to enter a license key.
+-
+- @author Tom Thielicke, s712715
+- @version 0.0.1
+- @date 09.09.2008
+-*/
+-class LicenseDialog : public QDialog {
+- Q_OBJECT
+-
+- public:
+-
+- //! Constructor, creates two table objects and provide it in two tabs.
+- LicenseDialog(QWidget *parent = 0);
+-
+- bool checkLicenseKey(QString licenseKey);
+-
+- public slots:
+-
+- private slots:
+-
+- //! Start button pressed
+- void clickOk();
+-
+- //! Demo button pressed
+- void clickDemo();
+-
+- private:
+-
+- //! Creates a cancel and a ok button.
+- void createButtons();
+-
+- //! Creates a textbox.
+- void createLineEdit();
+-
+- //! Creates the layout of the complete class.
+- void createLayout();
+-
+- //! Writes user settings
+- void writeSettings();
+-
+- QPushButton *buttonOk;
+- QPushButton *buttonDemo;
+- QLabel *labelLicensing;
+- QLineEdit *lineLicensing;
+-};
+-
+-#endif //LICENSEDIALOG_H
+--- a/widget/mainwindow.cpp
++++ b/widget/mainwindow.cpp
+@@ -116,11 +116,6 @@ void MainWindow::closeEvent(QCloseEvent
+ }
+ }
+
+-bool MainWindow::checkLicenseKey(QString licenseKey) {
+-
+- return false;
+-}
+-
+ void MainWindow::createMenu() {
+ //Mac-Version:
+ //-----------
+--- a/widget/mainwindow.h
++++ b/widget/mainwindow.h
+@@ -39,7 +39,6 @@ Foundation, Inc., 51 Franklin Street, Fi
+ #include "trainingwidget.h"
+ #include "evaluationwidget.h"
+ #include "illustrationdialog.h"
+-#include "licensedialog.h"
+ #include "games/abcrainwidget.h"
+ #include "helpbrowser.h"
+
diff --git a/gnu/packages/patches/totem-debug-format-fix.patch b/gnu/packages/patches/totem-debug-format-fix.patch
deleted file mode 100644
index 7ddd31ee10..0000000000
--- a/gnu/packages/patches/totem-debug-format-fix.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- totem-3.20.1/src/backend/bacon-video-widget.c.orig 2016-03-22 12:45:32.000000000 -0400
-+++ totem-3.20.1/src/backend/bacon-video-widget.c 2016-05-11 02:49:55.299109551 -0400
-@@ -2334,7 +2334,7 @@
- if (!gst_toc_entry_get_start_stop_times (entry, &start, &stop)) {
- GST_DEBUG ("Chapter #%d (couldn't get times)", i);
- } else {
-- GST_DEBUG ("Chapter #%d (start: %li stop: %li)", i, start, stop);
-+ GST_DEBUG ("Chapter #%d (start: %li stop: %li)", i, (long) start, (long) stop);
- }
- }
-
diff --git a/gnu/packages/patches/upower-builddir.patch b/gnu/packages/patches/upower-builddir.patch
index 13cef5876a..d59d4364b8 100644
--- a/gnu/packages/patches/upower-builddir.patch
+++ b/gnu/packages/patches/upower-builddir.patch
@@ -37,7 +37,7 @@ Patch by Andy Wingo <wingo@igalia.com>
- if (g_file_test ("../etc/UPower.conf", G_FILE_TEST_EXISTS))
- g_setenv ("UPOWER_CONF_FILE_NAME", "../etc/UPower.conf", TRUE);
- else
-- g_setenv ("UPOWER_CONF_FILE_NAME", "../../etc/UPower.conf", TRUE);
+- g_setenv ("UPOWER_CONF_FILE_NAME", "../../../etc/UPower.conf", TRUE);
-
/* tests go here */
g_test_add_func ("/power/backend", up_test_backend_func);
diff --git a/gnu/packages/patches/vsearch-unbundle-cityhash.patch b/gnu/packages/patches/vsearch-unbundle-cityhash.patch
new file mode 100644
index 0000000000..b1ecb1f063
--- /dev/null
+++ b/gnu/packages/patches/vsearch-unbundle-cityhash.patch
@@ -0,0 +1,73 @@
+diff --git a/src/Makefile.am b/src/Makefile.am
+index e56a8a2..4adcc48 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -3,7 +3,7 @@ bin_PROGRAMS = $(top_builddir)/bin/vsearch
+ if TARGET_PPC
+ AM_CXXFLAGS=-Wall -Wsign-compare -O3 -g -mcpu=power8
+ else
+-AM_CXXFLAGS=-Wall -Wsign-compare -O3 -g
++AM_CXXFLAGS=-Wall -Wsign-compare -O3 -g -lcityhash
+ endif
+
+ AM_CFLAGS=$(AM_CXXFLAGS)
+@@ -18,8 +18,6 @@ allpairs.h \
+ arch.h \
+ bitmap.h \
+ chimera.h \
+-city.h \
+-citycrc.h \
+ cluster.h \
+ cpu.h \
+ db.h \
+@@ -59,31 +57,26 @@ xstring.h
+
+ if TARGET_PPC
+ libcpu_a_SOURCES = cpu.cc $(VSEARCHHEADERS)
+-noinst_LIBRARIES = libcpu.a libcityhash.a
++noinst_LIBRARIES = libcpu.a
+ else
+ libcpu_sse2_a_SOURCES = cpu.cc $(VSEARCHHEADERS)
+ libcpu_sse2_a_CXXFLAGS = $(AM_CXXFLAGS) -msse2
+ libcpu_ssse3_a_SOURCES = cpu.cc $(VSEARCHHEADERS)
+ libcpu_ssse3_a_CXXFLAGS = $(AM_CXXFLAGS) -mssse3 -DSSSE3
+-noinst_LIBRARIES = libcpu_sse2.a libcpu_ssse3.a libcityhash.a
++noinst_LIBRARIES = libcpu_sse2.a libcpu_ssse3.a
+ endif
+
+-libcityhash_a_SOURCES = city.cc city.h
+-
+ if TARGET_WIN
+
+-libcityhash_a_CXXFLAGS = -Wall -Wno-sign-compare -O3 -g -D_MSC_VER
+-__top_builddir__bin_vsearch_LDFLAGS = -static
+-__top_builddir__bin_vsearch_LDADD = libregex.a libcityhash.a libcpu_ssse3.a libcpu_sse2.a
++__top_builddir__bin_vsearch_LDFLAGS = -static -lcityhash
++__top_builddir__bin_vsearch_LDADD = libregex.a libcpu_ssse3.a libcpu_sse2.a
+
+ else
+
+-libcityhash_a_CXXFLAGS = -Wall -Wno-sign-compare -O3 -g
+-
+ if TARGET_PPC
+-__top_builddir__bin_vsearch_LDADD = libcityhash.a libcpu.a
++__top_builddir__bin_vsearch_LDADD = libcpu.a
+ else
+-__top_builddir__bin_vsearch_LDADD = libcityhash.a libcpu_ssse3.a libcpu_sse2.a
++__top_builddir__bin_vsearch_LDADD = libcpu_ssse3.a libcpu_sse2.a
+ endif
+
+ endif
+diff --git a/src/vsearch.h b/src/vsearch.h
+index f2c244b..5f51bbe 100644
+--- a/src/vsearch.h
++++ b/src/vsearch.h
+@@ -148,7 +148,7 @@
+ #include <bzlib.h>
+ #endif
+
+-#include "city.h"
++#include <city.h>
+ #include "md5.h"
+ #include "sha1.h"
+
diff --git a/gnu/packages/patches/xf86-video-glint-remove-mibstore.patch b/gnu/packages/patches/xf86-video-glint-remove-mibstore.patch
deleted file mode 100644
index 969ed7e41e..0000000000
--- a/gnu/packages/patches/xf86-video-glint-remove-mibstore.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Removes references to mibstore.h and miInitializeBackingStore, which
-have been removed from xorg-server. Zack Rusin <zackr@vmware.com>
-wrote: "It was a noop for at least 5 years and it has been removed."
-See: http://patches.openembedded.org/patch/46133/
-
---- xf86-video-glint-1.2.8/src/glint_driver.c.~1~ 2012-07-15 22:50:47.000000000 -0400
-+++ xf86-video-glint-1.2.8/src/glint_driver.c 2014-12-19 00:42:39.162714279 -0500
-@@ -52,8 +52,6 @@
- #include "compiler.h"
- #include "mipointer.h"
-
--#include "mibstore.h"
--
- #include "pm3_regs.h"
- #include "glint_regs.h"
- #include "IBM.h"
-@@ -2904,7 +2902,6 @@
- }
- }
-
-- miInitializeBackingStore(pScreen);
- xf86SetBackingStore(pScreen);
- xf86SetSilkenMouse(pScreen);
-
diff --git a/gnu/packages/patches/xf86-video-nv-remove-mibstore.patch b/gnu/packages/patches/xf86-video-nv-remove-mibstore.patch
deleted file mode 100644
index 48588ed0e4..0000000000
--- a/gnu/packages/patches/xf86-video-nv-remove-mibstore.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-Removes references to mibstore.h and miInitializeBackingStore, which
-have been removed from xorg-server. Zack Rusin <zackr@vmware.com>
-wrote: "It was a noop for at least 5 years and it has been removed."
-See: http://patches.openembedded.org/patch/46133/
-
-diff -ru xf86-video-nv-2.1.20.orig/src/g80_driver.c xf86-video-nv-2.1.20/src/g80_driver.c
---- xf86-video-nv-2.1.20.orig/src/g80_driver.c 2012-07-17 02:47:02.000000000 -0400
-+++ xf86-video-nv-2.1.20/src/g80_driver.c 2014-12-17 10:11:42.197579082 -0500
-@@ -34,7 +34,6 @@
- #include <xf86Resources.h>
- #endif
- #include <mipointer.h>
--#include <mibstore.h>
- #include <micmap.h>
- #include <xf86cmap.h>
- #include <fb.h>
-@@ -833,7 +832,6 @@
- }
- }
-
-- miInitializeBackingStore(pScreen);
- xf86SetBackingStore(pScreen);
- xf86SetSilkenMouse(pScreen);
-
-diff -ru xf86-video-nv-2.1.20.orig/src/nv_driver.c xf86-video-nv-2.1.20/src/nv_driver.c
---- xf86-video-nv-2.1.20.orig/src/nv_driver.c 2012-07-17 02:47:02.000000000 -0400
-+++ xf86-video-nv-2.1.20/src/nv_driver.c 2014-12-17 10:11:39.037563413 -0500
-@@ -2550,7 +2550,6 @@
- if (!pNv->NoAccel)
- NVAccelInit(pScreen);
-
-- miInitializeBackingStore(pScreen);
- xf86SetBackingStore(pScreen);
- xf86SetSilkenMouse(pScreen);
-
-diff -ru xf86-video-nv-2.1.20.orig/src/nv_include.h xf86-video-nv-2.1.20/src/nv_include.h
---- xf86-video-nv-2.1.20.orig/src/nv_include.h 2012-07-17 02:48:19.000000000 -0400
-+++ xf86-video-nv-2.1.20/src/nv_include.h 2014-12-17 10:11:22.089479372 -0500
-@@ -24,9 +24,6 @@
- /* All drivers initialising the SW cursor need this */
- #include "mipointer.h"
-
--/* All drivers implementing backing store need this */
--#include "mibstore.h"
--
- #include "micmap.h"
-
- #include "xf86DDC.h"
-diff -ru xf86-video-nv-2.1.20.orig/src/riva_driver.c xf86-video-nv-2.1.20/src/riva_driver.c
---- xf86-video-nv-2.1.20.orig/src/riva_driver.c 2012-07-17 02:47:02.000000000 -0400
-+++ xf86-video-nv-2.1.20/src/riva_driver.c 2014-12-17 10:11:31.101524060 -0500
-@@ -1168,7 +1168,6 @@
- if (!pRiva->NoAccel)
- RivaAccelInit(pScreen);
-
-- miInitializeBackingStore(pScreen);
- xf86SetBackingStore(pScreen);
- xf86SetSilkenMouse(pScreen);
-
-diff -ru xf86-video-nv-2.1.20.orig/src/riva_include.h xf86-video-nv-2.1.20/src/riva_include.h
---- xf86-video-nv-2.1.20.orig/src/riva_include.h 2012-07-17 02:48:45.000000000 -0400
-+++ xf86-video-nv-2.1.20/src/riva_include.h 2014-12-17 10:11:12.229430478 -0500
-@@ -22,9 +22,6 @@
- /* All drivers initialising the SW cursor need this */
- #include "mipointer.h"
-
--/* All drivers implementing backing store need this */
--#include "mibstore.h"
--
- #include "micmap.h"
-
- #include "xf86DDC.h"
diff --git a/gnu/packages/patches/xinetd-CVE-2013-4342.patch b/gnu/packages/patches/xinetd-CVE-2013-4342.patch
new file mode 100644
index 0000000000..ad57bc7b0e
--- /dev/null
+++ b/gnu/packages/patches/xinetd-CVE-2013-4342.patch
@@ -0,0 +1,36 @@
+Fix CVE-2013-4342:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4342
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678
+
+Patch copied from upstream source repository:
+
+https://github.com/xinetd-org/xinetd/commit/91e2401a219121eae15244a6b25d2e79c1af5864
+
+From 91e2401a219121eae15244a6b25d2e79c1af5864 Mon Sep 17 00:00:00 2001
+From: Thomas Swan <thomas.swan@gmail.com>
+Date: Wed, 2 Oct 2013 23:17:17 -0500
+Subject: [PATCH] CVE-2013-4342: xinetd: ignores user and group directives for
+ TCPMUX services
+
+Originally reported to Debian in 2005 <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678> and rediscovered <https://bugzilla.redhat.com/show_bug.cgi?id=1006100>, xinetd would execute TCPMUX services without dropping privilege to match the service configuration allowing the service to run with same privilege as the xinetd process (root).
+---
+ xinetd/builtins.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xinetd/builtins.c b/xinetd/builtins.c
+index 3b85579..34a5bac 100644
+--- a/xinetd/builtins.c
++++ b/xinetd/builtins.c
+@@ -617,7 +617,7 @@ static void tcpmux_handler( const struct server *serp )
+ if( SC_IS_INTERNAL( scp ) ) {
+ SC_INTERNAL(scp, nserp);
+ } else {
+- exec_server(nserp);
++ child_process(nserp);
+ }
+ }
+
+--
+2.7.4
+
diff --git a/gnu/packages/patches/xinetd-fix-fd-leak.patch b/gnu/packages/patches/xinetd-fix-fd-leak.patch
new file mode 100644
index 0000000000..77e4600185
--- /dev/null
+++ b/gnu/packages/patches/xinetd-fix-fd-leak.patch
@@ -0,0 +1,26 @@
+Fix a file descriptor leak:
+
+https://github.com/xinetd-org/xinetd/issues/23
+
+Patch copied from Debian:
+
+https://anonscm.debian.org/cgit/collab-maint/xinetd.git/tree/debian/patches/000012-fix_fd_leak
+
+Patch sent upstream at https://github.com/xinetd-org/xinetd/pull/26.
+
+diff --git a/xinetd/xgetloadavg.c b/xinetd/xgetloadavg.c
+index 5a26214..fe0f872 100644
+--- a/xinetd/xgetloadavg.c
++++ b/xinetd/xgetloadavg.c
+@@ -34,7 +34,7 @@ double xgetloadavg(void)
+
+ if( fscanf(fd, "%lf", &ret) != 1 ) {
+ perror("fscanf");
+- return -1;
++ ret = -1;
+ }
+
+ fclose(fd);
+--
+2.7.4
+