authorMarius Bakke <mbakke@fastmail.com>2017-12-05 23:41:30 +0100
committerMarius Bakke <mbakke@fastmail.com>2017-12-05 23:41:30 +0100
commit77181815ae70cf573b6fa390a4400b718835aa8a (patch)
tree731ccaaccc7a69ddc90f04bb71a6a39aa5f3be5a /gnu/packages/patches
parente3f9406b7c4b3b1afe3dd6affb7f7898434d607a (diff)
parent35377cfa908340e51fd22af7369aef15499d4a36 (diff)
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/bazaar-CVE-2017-14176.patch166
-rw-r--r--gnu/packages/patches/clementine-use-openssl.patch67
-rw-r--r--gnu/packages/patches/dtc-32-bits-check.patch134
-rw-r--r--gnu/packages/patches/dtc-format-modifier.patch38
-rw-r--r--gnu/packages/patches/emacs-highlight-stages-add-gexp.patch26
-rw-r--r--gnu/packages/patches/exim-CVE-2017-1000369.patch59
-rw-r--r--gnu/packages/patches/gcc-6-source-date-epoch-1.patch187
-rw-r--r--gnu/packages/patches/gcc-6-source-date-epoch-2.patch346
-rw-r--r--gnu/packages/patches/glusterfs-use-PATH-instead-of-hardcodes.patch140
-rw-r--r--gnu/packages/patches/guile-emacs-fix-configure.patch211
-rw-r--r--gnu/packages/patches/higan-remove-march-native-flag.patch15
-rw-r--r--gnu/packages/patches/libmygpo-qt-fix-jsoncreatortest.patch41
-rw-r--r--gnu/packages/patches/libtorrent-rasterbar-boost-compat.patch27
-rw-r--r--gnu/packages/patches/libvirt-CVE-2017-1000256.patch84
-rw-r--r--gnu/packages/patches/node-test-http2-server-rst-stream.patch131
-rw-r--r--gnu/packages/patches/optipng-CVE-2017-1000229.patch22
-rw-r--r--gnu/packages/patches/pcmanfm-CVE-2017-8934.patch56
-rw-r--r--gnu/packages/patches/perl-text-markdown-discount-unbundle.patch (renamed from gnu/packages/patches/perl-text-markdown-discount-use-system-markdown.patch)0
-rw-r--r--gnu/packages/patches/procmail-CVE-2017-16844.patch25
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-15118.patch58
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-15119.patch68
-rw-r--r--gnu/packages/patches/shepherd-close-fds.patch36
-rw-r--r--gnu/packages/patches/spice-CVE-2016-9577.patch33
-rw-r--r--gnu/packages/patches/spice-CVE-2016-9578-1.patch33
-rw-r--r--gnu/packages/patches/spice-CVE-2016-9578-2.patch38
-rw-r--r--gnu/packages/patches/spice-CVE-2017-7506.patch158
-rw-r--r--gnu/packages/patches/supertuxkart-angelscript-ftbfs.patch42
-rw-r--r--gnu/packages/patches/vpnc-script.patch15
28 files changed, 1759 insertions, 497 deletions
diff --git a/gnu/packages/patches/bazaar-CVE-2017-14176.patch b/gnu/packages/patches/bazaar-CVE-2017-14176.patch
new file mode 100644
index 0000000000..0e9083b97d
--- /dev/null
+++ b/gnu/packages/patches/bazaar-CVE-2017-14176.patch
@@ -0,0 +1,166 @@
+Fix CVE-2017-14176:
+
+https://bugs.launchpad.net/bzr/+bug/1710979
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14176
+
+Patch copied from Debian's Bazaar package version bzr_2.7.0+bzr6619-7+deb9u1:
+
+https://alioth.debian.org/scm/loggerhead/pkg-bazaar/bzr/2.7/revision/4204
+
+Description: Prevent SSH command line options from being specified in bzr+ssh:// URLs
+Bug: https://bugs.launchpad.net/brz/+bug/1710979
+Bug-Debian: https://bugs.debian.org/874429
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14176
+Forwarded: no
+Author: Jelmer Vernooij <jelmer@jelmer.uk>
+Last-Update: 2017-11-26
+
+=== modified file 'bzrlib/tests/test_ssh_transport.py'
+--- old/bzrlib/tests/test_ssh_transport.py 2010-10-07 12:45:51 +0000
++++ new/bzrlib/tests/test_ssh_transport.py 2017-08-20 01:59:20 +0000
+@@ -22,6 +22,7 @@
+ SSHCorpSubprocessVendor,
+ LSHSubprocessVendor,
+ SSHVendorManager,
++ StrangeHostname,
+ )
+
+
+@@ -161,6 +162,19 @@
+
+ class SubprocessVendorsTests(TestCase):
+
++ def test_openssh_command_tricked(self):
++ vendor = OpenSSHSubprocessVendor()
++ self.assertEqual(
++ vendor._get_vendor_specific_argv(
++ "user", "-oProxyCommand=blah", 100, command=["bzr"]),
++ ["ssh", "-oForwardX11=no", "-oForwardAgent=no",
++ "-oClearAllForwardings=yes",
++ "-oNoHostAuthenticationForLocalhost=yes",
++ "-p", "100",
++ "-l", "user",
++ "--",
++ "-oProxyCommand=blah", "bzr"])
++
+ def test_openssh_command_arguments(self):
+ vendor = OpenSSHSubprocessVendor()
+ self.assertEqual(
+@@ -171,6 +185,7 @@
+ "-oNoHostAuthenticationForLocalhost=yes",
+ "-p", "100",
+ "-l", "user",
++ "--",
+ "host", "bzr"]
+ )
+
+@@ -184,9 +199,16 @@
+ "-oNoHostAuthenticationForLocalhost=yes",
+ "-p", "100",
+ "-l", "user",
+- "-s", "host", "sftp"]
++ "-s", "--", "host", "sftp"]
+ )
+
++ def test_openssh_command_tricked(self):
++ vendor = SSHCorpSubprocessVendor()
++ self.assertRaises(
++ StrangeHostname,
++ vendor._get_vendor_specific_argv,
++ "user", "-oProxyCommand=host", 100, command=["bzr"])
++
+ def test_sshcorp_command_arguments(self):
+ vendor = SSHCorpSubprocessVendor()
+ self.assertEqual(
+@@ -209,6 +231,13 @@
+ "-s", "sftp", "host"]
+ )
+
++ def test_lsh_command_tricked(self):
++ vendor = LSHSubprocessVendor()
++ self.assertRaises(
++ StrangeHostname,
++ vendor._get_vendor_specific_argv,
++ "user", "-oProxyCommand=host", 100, command=["bzr"])
++
+ def test_lsh_command_arguments(self):
+ vendor = LSHSubprocessVendor()
+ self.assertEqual(
+@@ -231,6 +260,13 @@
+ "--subsystem", "sftp", "host"]
+ )
+
++ def test_plink_command_tricked(self):
++ vendor = PLinkSubprocessVendor()
++ self.assertRaises(
++ StrangeHostname,
++ vendor._get_vendor_specific_argv,
++ "user", "-oProxyCommand=host", 100, command=["bzr"])
++
+ def test_plink_command_arguments(self):
+ vendor = PLinkSubprocessVendor()
+ self.assertEqual(
+
+=== modified file 'bzrlib/transport/ssh.py'
+--- old/bzrlib/transport/ssh.py 2015-07-31 01:04:41 +0000
++++ new/bzrlib/transport/ssh.py 2017-08-20 01:59:20 +0000
+@@ -46,6 +46,10 @@
+ from paramiko.sftp_client import SFTPClient
+
+
++class StrangeHostname(errors.BzrError):
++ _fmt = "Refusing to connect to strange SSH hostname %(hostname)s"
++
++
+ SYSTEM_HOSTKEYS = {}
+ BZR_HOSTKEYS = {}
+
+@@ -360,6 +364,11 @@
+ # tests, but beware of using PIPE which may hang due to not being read.
+ _stderr_target = None
+
++ @staticmethod
++ def _check_hostname(arg):
++ if arg.startswith('-'):
++ raise StrangeHostname(hostname=arg)
++
+ def _connect(self, argv):
+ # Attempt to make a socketpair to use as stdin/stdout for the SSH
+ # subprocess. We prefer sockets to pipes because they support
+@@ -424,9 +433,9 @@
+ if username is not None:
+ args.extend(['-l', username])
+ if subsystem is not None:
+- args.extend(['-s', host, subsystem])
++ args.extend(['-s', '--', host, subsystem])
+ else:
+- args.extend([host] + command)
++ args.extend(['--', host] + command)
+ return args
+
+ register_ssh_vendor('openssh', OpenSSHSubprocessVendor())
+@@ -439,6 +448,7 @@
+
+ def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
+ command=None):
++ self._check_hostname(host)
+ args = [self.executable_path, '-x']
+ if port is not None:
+ args.extend(['-p', str(port)])
+@@ -460,6 +470,7 @@
+
+ def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
+ command=None):
++ self._check_hostname(host)
+ args = [self.executable_path]
+ if port is not None:
+ args.extend(['-p', str(port)])
+@@ -481,6 +492,7 @@
+
+ def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
+ command=None):
++ self._check_hostname(host)
+ args = [self.executable_path, '-x', '-a', '-ssh', '-2', '-batch']
+ if port is not None:
+ args.extend(['-P', str(port)])
+
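Review bot: The second added `test_openssh_command_tricked` (the one that builds an `SSHCorpSubprocessVendor`, in the inner `@@ -184,9 +199,16 @@` hunk) reuses the name of the OpenSSH test added right after `class SubprocessVendorsTests(TestCase):`. If both sit in that class, as the hunk order suggests, the later definition replaces the earlier one, and the check that OpenSSH receives `--` before a host like `-oProxyCommand=blah` never runs. Renaming the second one to `def test_sshcorp_command_tricked(self):` keeps both regression tests for CVE-2017-14176 active. Since the patch is copied from Debian, the rename would be a local deviation that should be mentioned in the patch header. The indentation of the embedded Python is not visible on this page, so the class membership is inferred.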
diff --git a/gnu/packages/patches/clementine-use-openssl.patch b/gnu/packages/patches/clementine-use-openssl.patch
new file mode 100644
index 0000000000..1fbf3d2b8a
--- /dev/null
+++ b/gnu/packages/patches/clementine-use-openssl.patch
@@ -0,0 +1,67 @@
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 4022c383b..3202b8b69 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -83,6 +83,7 @@ pkg_check_modules(LIBPULSE libpulse)
+ pkg_check_modules(LIBXML libxml-2.0)
+ pkg_check_modules(SPOTIFY libspotify>=12.1.45)
+ pkg_check_modules(TAGLIB REQUIRED taglib>=1.6)
++pkg_check_modules(OPENSSL REQUIRED openssl)
+
+ if (WIN32)
+ find_package(ZLIB REQUIRED)
+@@ -381,20 +382,6 @@ if(GMOCK_INCLUDE_DIRS)
+ endif(GTEST_INCLUDE_DIRS)
+ endif(GMOCK_INCLUDE_DIRS)
+
+-# Use the system's sha2 if it's available.
+-find_path(SHA2_INCLUDE_DIRS sha2.h)
+-find_library(SHA2_LIBRARIES sha2)
+-if(SHA2_LIBRARIES AND SHA2_INCLUDE_DIRS)
+- message(STATUS "Using system sha2 library")
+- set(USE_SYSTEM_SHA2 ON)
+-else()
+- message(STATUS "Using builtin sha2 library")
+- set(USE_SYSTEM_SHA2 OFF)
+- add_subdirectory(3rdparty/sha2)
+- set(SHA2_INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/sha2)
+- set(SHA2_LIBRARIES sha2)
+-endif()
+-
+ # Use the system libmygpo-qt5 if a recent enough version was found
+ if(LIBMYGPO_QT5_FOUND)
+ set(MYGPOQT5_LIBRARIES ${LIBMYGPO_QT5_LIBRARIES})
+diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
+index 6e24c9726..104d044d9 100644
+--- a/src/CMakeLists.txt
++++ b/src/CMakeLists.txt
+@@ -29,7 +29,6 @@ include_directories(${LIBPROJECTM_INCLUDE_DIRS})
+ include_directories(${QTSINGLEAPPLICATION_INCLUDE_DIRS})
+ include_directories(${QTIOCOMPRESSOR_INCLUDE_DIRS})
+ include_directories(${QXT_INCLUDE_DIRS})
+-include_directories(${SHA2_INCLUDE_DIRS})
+ include_directories(${CHROMAPRINT_INCLUDE_DIRS})
+ include_directories(${MYGPOQT5_INCLUDE_DIRS})
+
+@@ -1223,7 +1222,7 @@ target_link_libraries(clementine_lib
+ libclementine-common
+ libclementine-tagreader
+ libclementine-remote
+- ${SHA2_LIBRARIES}
++ ${OPENSSL_LIBRARIES}
+ ${TAGLIB_LIBRARIES}
+ ${MYGPOQT5_LIBRARIES}
+ ${CHROMAPRINT_LIBRARIES}
+diff --git a/src/core/utilities.cpp b/src/core/utilities.cpp
+index ce76f22da..80bf623fb 100644
+--- a/src/core/utilities.cpp
++++ b/src/core/utilities.cpp
+@@ -52,7 +52,7 @@
+ #include "config.h"
+ #include "timeconstants.h"
+
+-#include "sha2.h"
++#include <openssl/sha.h>
+
+ #if defined(Q_OS_UNIX)
+ #include <sys/statvfs.h>
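Review bot: This patch file starts directly at `diff --git a/CMakeLists.txt` with no header, unlike the other patches added in this commit, so a later reader cannot tell where it came from or why the bundled `3rdparty/sha2` fallback is dropped. A lead-in such as `Use OpenSSL's SHA-2 implementation instead of the bundled sha2 library.`, followed by the upstream commit or bug reference, would fix that. Separately, the `src/CMakeLists.txt` hunk removes `include_directories(${SHA2_INCLUDE_DIRS})` without adding `include_directories(${OPENSSL_INCLUDE_DIRS})`. `#include <openssl/sha.h>` therefore resolves only when the OpenSSL headers are already on the compiler's default search path, which is presumably true in the Guix build environment but worth confirming.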
diff --git a/gnu/packages/patches/dtc-32-bits-check.patch b/gnu/packages/patches/dtc-32-bits-check.patch
new file mode 100644
index 0000000000..cf15be3404
--- /dev/null
+++ b/gnu/packages/patches/dtc-32-bits-check.patch
@@ -0,0 +1,134 @@
+This fixes tests on 32 bits platforms. Patch taken from upstream.
+
+commit f8872e29ce06d78d3db71b3ab26a7465fc8a9586
+Author: David Gibson <david@gibson.dropbear.id.au>
+Date: Fri Oct 6 23:07:30 2017 +1100
+
+ tests: Avoid 64-bit arithmetic in assembler
+
+ For testing we (ab)use the assembler to build us a sample dtb, independent
+ of the other tools (dtc and libfdt) that we're trying to test. In a few
+ places this uses 64-bit arithmetic to decompose 64-bit constants into
+ the individual bytes in the blob.
+
+ Unfortunately, it seems that some builds of GNU as don't support >32 bit
+ arithmetic, though it's not entirely clear to me which do and which don't
+ (Fedora i386 does support 64-bit, Debian arm32 doesn't).
+
+ Anyway, to be safe, this avoids 64-bit arithmetic in assembler at the cost
+ of some extra awkwardness because we have to define the values in 32-bit
+ halves.
+
+ Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+
+diff --git a/tests/testdata.h b/tests/testdata.h
+index 3588778..f6bbe1d 100644
+--- a/tests/testdata.h
++++ b/tests/testdata.h
+@@ -4,15 +4,25 @@
+ #define ASM_CONST_LL(x) (x##ULL)
+ #endif
+
+-#define TEST_ADDR_1 ASM_CONST_LL(0xdeadbeef00000000)
+-#define TEST_SIZE_1 ASM_CONST_LL(0x100000)
+-#define TEST_ADDR_2 ASM_CONST_LL(123456789)
+-#define TEST_SIZE_2 ASM_CONST_LL(010000)
++#define TEST_ADDR_1H ASM_CONST_LL(0xdeadbeef)
++#define TEST_ADDR_1L ASM_CONST_LL(0x00000000)
++#define TEST_ADDR_1 ((TEST_ADDR_1H << 32) | TEST_ADDR_1L)
++#define TEST_SIZE_1H ASM_CONST_LL(0x00000000)
++#define TEST_SIZE_1L ASM_CONST_LL(0x00100000)
++#define TEST_SIZE_1 ((TEST_SIZE_1H << 32) | TEST_SIZE_1L)
++#define TEST_ADDR_2H ASM_CONST_LL(0)
++#define TEST_ADDR_2L ASM_CONST_LL(123456789)
++#define TEST_ADDR_2 ((TEST_ADDR_2H << 32) | TEST_ADDR_2L)
++#define TEST_SIZE_2H ASM_CONST_LL(0)
++#define TEST_SIZE_2L ASM_CONST_LL(010000)
++#define TEST_SIZE_2 ((TEST_SIZE_2H << 32) | TEST_SIZE_2L)
+
+ #define TEST_VALUE_1 0xdeadbeef
+ #define TEST_VALUE_2 123456789
+
+-#define TEST_VALUE64_1 ASM_CONST_LL(0xdeadbeef01abcdef)
++#define TEST_VALUE64_1H ASM_CONST_LL(0xdeadbeef)
++#define TEST_VALUE64_1L ASM_CONST_LL(0x01abcdef)
++#define TEST_VALUE64_1 ((TEST_VALUE64_1H << 32) | TEST_VALUE64_1L)
+
+ #define PHANDLE_1 0x2000
+ #define PHANDLE_2 0x2001
+diff --git a/tests/trees.S b/tests/trees.S
+index 9854d1d..9859914 100644
+--- a/tests/trees.S
++++ b/tests/trees.S
+@@ -7,16 +7,6 @@
+ .byte ((val) >> 8) & 0xff ; \
+ .byte (val) & 0xff ;
+
+-#define FDTQUAD(val) \
+- .byte ((val) >> 56) & 0xff ; \
+- .byte ((val) >> 48) & 0xff ; \
+- .byte ((val) >> 40) & 0xff ; \
+- .byte ((val) >> 32) & 0xff ; \
+- .byte ((val) >> 24) & 0xff ; \
+- .byte ((val) >> 16) & 0xff ; \
+- .byte ((val) >> 8) & 0xff ; \
+- .byte (val) & 0xff ;
+-
+ #define TREE_HDR(tree) \
+ .balign 8 ; \
+ .globl _##tree ; \
+@@ -33,14 +23,16 @@ tree: \
+ FDTLONG(tree##_strings_end - tree##_strings) ; \
+ FDTLONG(tree##_struct_end - tree##_struct) ;
+
+-#define RSVMAP_ENTRY(addr, len) \
+- FDTQUAD(addr) ; \
+- FDTQUAD(len) ; \
++#define RSVMAP_ENTRY(addrh, addrl, lenh, lenl) \
++ FDTLONG(addrh) ; \
++ FDTLONG(addrl) ; \
++ FDTLONG(lenh) ; \
++ FDTLONG(lenl)
+
+ #define EMPTY_RSVMAP(tree) \
+ .balign 8 ; \
+ tree##_rsvmap: ; \
+- RSVMAP_ENTRY(0, 0) \
++ RSVMAP_ENTRY(0, 0, 0, 0) \
+ tree##_rsvmap_end: ;
+
+ #define PROPHDR(tree, name, len) \
+@@ -52,9 +44,10 @@ tree##_rsvmap_end: ;
+ PROPHDR(tree, name, 4) \
+ FDTLONG(val) ;
+
+-#define PROP_INT64(tree, name, val) \
++#define PROP_INT64(tree, name, valh, vall) \
+ PROPHDR(tree, name, 8) \
+- FDTQUAD(val) ;
++ FDTLONG(valh) ; \
++ FDTLONG(vall) ;
+
+ #define PROP_STR(tree, name, str) \
+ PROPHDR(tree, name, 55f - 54f) \
+@@ -81,16 +74,16 @@ tree##_##name: ; \
+
+ .balign 8
+ test_tree1_rsvmap:
+- RSVMAP_ENTRY(TEST_ADDR_1, TEST_SIZE_1)
+- RSVMAP_ENTRY(TEST_ADDR_2, TEST_SIZE_2)
+- RSVMAP_ENTRY(0, 0)
++ RSVMAP_ENTRY(TEST_ADDR_1H, TEST_ADDR_1L, TEST_SIZE_1H, TEST_SIZE_1L)
++ RSVMAP_ENTRY(TEST_ADDR_2H, TEST_ADDR_2L, TEST_SIZE_2H, TEST_SIZE_2L)
++ RSVMAP_ENTRY(0, 0, 0, 0)
+ test_tree1_rsvmap_end:
+
+ test_tree1_struct:
+ BEGIN_NODE("")
+ PROP_STR(test_tree1, compatible, "test_tree1")
+ PROP_INT(test_tree1, prop_int, TEST_VALUE_1)
+- PROP_INT64(test_tree1, prop_int64, TEST_VALUE64_1)
++ PROP_INT64(test_tree1, prop_int64, TEST_VALUE64_1H, TEST_VALUE64_1L)
+ PROP_STR(test_tree1, prop_str, TEST_STRING_1)
+ PROP_INT(test_tree1, address_cells, 1)
+ PROP_INT(test_tree1, size_cells, 0)
diff --git a/gnu/packages/patches/dtc-format-modifier.patch b/gnu/packages/patches/dtc-format-modifier.patch
new file mode 100644
index 0000000000..c33d16857f
--- /dev/null
+++ b/gnu/packages/patches/dtc-format-modifier.patch
@@ -0,0 +1,38 @@
+This fixes build on 32 bits platforms. This patch is taken from upstream.
+
+commit 497432fd2131967f349e69dc5d259072151cc4b4
+Author: Thierry Reding <treding@nvidia.com>
+Date: Wed Sep 27 15:04:09 2017 +0200
+
+ checks: Use proper format modifier for size_t
+
+ The size of size_t can vary between architectures, so using %ld isn't
+ going to work on 32-bit builds. Use the %zu modifier to make sure it is
+ always correct.
+
+ Signed-off-by: Thierry Reding <treding@nvidia.com>
+ Acked-by: Rob Herring <robh@kernel.org>
+ Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+
+diff --git a/checks.c b/checks.c
+index 902f2e3..08a3a29 100644
+--- a/checks.c
++++ b/checks.c
+@@ -972,7 +972,7 @@ static void check_property_phandle_args(struct check *c,
+ int cell, cellsize = 0;
+
+ if (prop->val.len % sizeof(cell_t)) {
+- FAIL(c, dti, "property '%s' size (%d) is invalid, expected multiple of %ld in node %s",
++ FAIL(c, dti, "property '%s' size (%d) is invalid, expected multiple of %zu in node %s",
+ prop->name, prop->val.len, sizeof(cell_t), node->fullpath);
+ return;
+ }
+@@ -1163,7 +1163,7 @@ static void check_interrupts_property(struct check *c,
+ return;
+
+ if (irq_prop->val.len % sizeof(cell_t))
+- FAIL(c, dti, "property '%s' size (%d) is invalid, expected multiple of %ld in node %s",
++ FAIL(c, dti, "property '%s' size (%d) is invalid, expected multiple of %zu in node %s",
+ irq_prop->name, irq_prop->val.len, sizeof(cell_t),
+ node->fullpath);
+
diff --git a/gnu/packages/patches/emacs-highlight-stages-add-gexp.patch b/gnu/packages/patches/emacs-highlight-stages-add-gexp.patch
new file mode 100644
index 0000000000..931355b4fe
--- /dev/null
+++ b/gnu/packages/patches/emacs-highlight-stages-add-gexp.patch
@@ -0,0 +1,26 @@
+Copyright © 2017 Oleg Pykhalov <go.wigust@gmail.com>
+Copyright © 2017 Ludovic Courtès <ludo@gnu.org>
+
+This patch adds highlighting for (guix) G-Expressions.
+
+diff --git a/highlight-stages.el b/highlight-stages.el
+index 3094c3c..e11260e 100644
+--- a/highlight-stages.el
++++ b/highlight-stages.el
+@@ -237,14 +237,14 @@ non-nil, (match-string 0) must be the expression matched."
+
+ (defun highlight-stages-lisp-quote-matcher (&optional limit)
+ (when (highlight-stages--search-forward-regexp
+- "\\(?:`\\|\\(#?'\\)\\)\\|([\s\t\n]*\\(?:backquote\\|\\(quote\\)\\)[\s\t\n]+" limit)
++ "\\(?:`\\|\\(#?'\\)\\)\\|([\s\t\n]*\\(?:backquote\\|\\(quote\\)\\)[\s\t\n]+\\|\\(?:#~\\)\\|([\s\t\n]*\\(?:gexp\\)[\s\t\n]+" limit)
+ (prog1 (if (or (match-beginning 1) (match-beginning 2)) 'real t)
+ (set-match-data
+ (list (point)
+ (progn (ignore-errors (forward-sexp 1)) (point)))))))
+
+ (defun highlight-stages-lisp-escape-matcher (&optional limit)
+- (when (highlight-stages--search-forward-regexp ",@?\\|([\s\t\n]*\\\\,@?+[\s\t\n]+" limit)
++ (when (highlight-stages--search-forward-regexp ",@?\\|([\s\t\n]*\\\\,@?+[\s\t\n]+\\|\\(unquote\\)\\|\\(unquote-splicing\\)\\|\\(ungexp-native\\)\\|\\(ungexp-splicing\\)\\|\\(ungexp-native-splicing\\)\\|\\(ungexp\\)\\|#\\$" limit)
+ (set-match-data
+ (list (point)
+ (progn (ignore-errors (forward-sexp 1)) (point))))
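Review bot: In `highlight-stages-lisp-escape-matcher` the new alternatives are bare words with no `(` prefix or symbol boundary, and `\\(unquote\\)` comes before `\\(unquote-splicing\\)` (likewise `\\(ungexp-native\\)` before `\\(ungexp-native-splicing\\)`). Assuming the helper wraps `re-search-forward`, which tries alternatives left to right, the match ends after the shorter word, and `forward-sexp` then starts in the middle of the symbol. The same words are also matched inside longer identifiers, strings and comments. Listing the longer forms first and anchoring them like the existing branch, e.g. `([\s\t\n]*\\(?:unquote-splicing\\|unquote\\)[\s\t\n]+`, would avoid both problems. The capture groups are not used in this function and could be shy groups. The function body continues past the end of the hunk.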
diff --git a/gnu/packages/patches/exim-CVE-2017-1000369.patch b/gnu/packages/patches/exim-CVE-2017-1000369.patch
deleted file mode 100644
index a67a8afb0e..0000000000
--- a/gnu/packages/patches/exim-CVE-2017-1000369.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-Fix CVE-2017-1000369:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000369
-https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
-
-Patch adapted from upstream source repository:
-
-https://git.exim.org/exim.git/commit/65e061b76867a9ea7aeeb535341b790b90ae6c21
-
-From 65e061b76867a9ea7aeeb535341b790b90ae6c21 Mon Sep 17 00:00:00 2001
-From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
-Date: Wed, 31 May 2017 23:08:56 +0200
-Subject: [PATCH] Cleanup (prevent repeated use of -p/-oMr to avoid mem leak)
-
----
- doc/doc-docbook/spec.xfpt | 3 ++-
- src/src/exim.c | 19 +++++++++++++++++--
- 2 files changed, 19 insertions(+), 3 deletions(-)
-
-diff --git a/src/src/exim.c b/src/src/exim.c
-index 67583e58..88e11977 100644
---- a/src/exim.c
-+++ b/src/exim.c
-@@ -3106,7 +3106,14 @@ for (i = 1; i < argc; i++)
-
- /* -oMr: Received protocol */
-
-- else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i];
-+ else if (Ustrcmp(argrest, "Mr") == 0)
-+
-+ if (received_protocol)
-+ {
-+ fprintf(stderr, "received_protocol is set already\n");
-+ exit(EXIT_FAILURE);
-+ }
-+ else received_protocol = argv[++i];
-
- /* -oMs: Set sender host name */
-
-@@ -3202,7 +3209,15 @@ for (i = 1; i < argc; i++)
-
- if (*argrest != 0)
- {
-- uschar *hn = Ustrchr(argrest, ':');
-+ uschar *hn;
-+
-+ if (received_protocol)
-+ {
-+ fprintf(stderr, "received_protocol is set already\n");
-+ exit(EXIT_FAILURE);
-+ }
-+
-+ hn = Ustrchr(argrest, ':');
- if (hn == NULL)
- {
- received_protocol = argrest;
---
-2.13.1
-
diff --git a/gnu/packages/patches/gcc-6-source-date-epoch-1.patch b/gnu/packages/patches/gcc-6-source-date-epoch-1.patch
new file mode 100644
index 0000000000..26f62bc9f1
--- /dev/null
+++ b/gnu/packages/patches/gcc-6-source-date-epoch-1.patch
@@ -0,0 +1,187 @@
+Make GCC respect SOURCE_DATE_EPOCH in __DATE__ and __TIME__ macros.
+
+Cherry-picked from upstream commit:
+
+https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=e3e8c48c4a494d9da741c1c8ea6c4c0b7c4ff934
+
+diff --git a/gcc/c-family/c-common.c b/gcc/c-family/c-common.c
+index 6cf8c610b4e..b5daea65ba7 100644
+--- a/gcc/c-family/c-common.c
++++ b/gcc/c-family/c-common.c
+@@ -12750,4 +12750,37 @@ valid_array_size_p (location_t loc, tree type, tree name)
+ return true;
+ }
+
++/* Read SOURCE_DATE_EPOCH from environment to have a deterministic
++ timestamp to replace embedded current dates to get reproducible
++ results. Returns -1 if SOURCE_DATE_EPOCH is not defined. */
++time_t
++get_source_date_epoch ()
++{
++ char *source_date_epoch;
++ long long epoch;
++ char *endptr;
++
++ source_date_epoch = getenv ("SOURCE_DATE_EPOCH");
++ if (!source_date_epoch)
++ return (time_t) -1;
++
++ errno = 0;
++ epoch = strtoll (source_date_epoch, &endptr, 10);
++ if ((errno == ERANGE && (epoch == LLONG_MAX || epoch == LLONG_MIN))
++ || (errno != 0 && epoch == 0))
++ fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
++ "strtoll: %s\n", xstrerror(errno));
++ if (endptr == source_date_epoch)
++ fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
++ "no digits were found: %s\n", endptr);
++ if (*endptr != '\0')
++ fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
++ "trailing garbage: %s\n", endptr);
++ if (epoch < 0)
++ fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
++ "value must be nonnegative: %lld \n", epoch);
++
++ return (time_t) epoch;
++}
++
+ #include "gt-c-family-c-common.h"
+diff --git a/gcc/c-family/c-common.h b/gcc/c-family/c-common.h
+index dd74d0dd62e..c6e0ed12b55 100644
+--- a/gcc/c-family/c-common.h
++++ b/gcc/c-family/c-common.h
+@@ -1467,4 +1467,9 @@ extern bool reject_gcc_builtin (const_tree, location_t = UNKNOWN_LOCATION);
+ extern void warn_duplicated_cond_add_or_warn (location_t, tree, vec<tree> **);
+ extern bool valid_array_size_p (location_t, tree, tree);
+
++/* Read SOURCE_DATE_EPOCH from environment to have a deterministic
++ timestamp to replace embedded current dates to get reproducible
++ results. Returns -1 if SOURCE_DATE_EPOCH is not defined. */
++extern time_t get_source_date_epoch (void);
++
+ #endif /* ! GCC_C_COMMON_H */
+diff --git a/gcc/c-family/c-lex.c b/gcc/c-family/c-lex.c
+index 96da4fc974e..bf1db6c0252 100644
+--- a/gcc/c-family/c-lex.c
++++ b/gcc/c-family/c-lex.c
+@@ -385,6 +385,9 @@ c_lex_with_flags (tree *value, location_t *loc, unsigned char *cpp_flags,
+ enum cpp_ttype type;
+ unsigned char add_flags = 0;
+ enum overflow_type overflow = OT_NONE;
++ time_t source_date_epoch = get_source_date_epoch ();
++
++ cpp_init_source_date_epoch (parse_in, source_date_epoch);
+
+ timevar_push (TV_CPP);
+ retry:
+diff --git a/gcc/doc/cppenv.texi b/gcc/doc/cppenv.texi
+index 22c8cb37624..e958e93e97e 100644
+--- a/gcc/doc/cppenv.texi
++++ b/gcc/doc/cppenv.texi
+@@ -79,4 +79,21 @@ main input file is omitted.
+ @ifclear cppmanual
+ @xref{Preprocessor Options}.
+ @end ifclear
++
++@item SOURCE_DATE_EPOCH
++
++If this variable is set, its value specifies a UNIX timestamp to be
++used in replacement of the current date and time in the @code{__DATE__}
++and @code{__TIME__} macros, so that the embedded timestamps become
++reproducible.
++
++The value of @env{SOURCE_DATE_EPOCH} must be a UNIX timestamp,
++defined as the number of seconds (excluding leap seconds) since
++01 Jan 1970 00:00:00 represented in ASCII, identical to the output of
++@samp{@command{date +%s}}.
++
++The value should be a known timestamp such as the last modification
++time of the source or package and it should be set by the build
++process.
++
+ @end vtable
+diff --git a/libcpp/include/cpplib.h b/libcpp/include/cpplib.h
+index 35b0375c09c..4998b3a8ab8 100644
+--- a/libcpp/include/cpplib.h
++++ b/libcpp/include/cpplib.h
+@@ -784,6 +784,9 @@ extern void cpp_init_special_builtins (cpp_reader *);
+ /* Set up built-ins like __FILE__. */
+ extern void cpp_init_builtins (cpp_reader *, int);
+
++/* Initialize the source_date_epoch value. */
++extern void cpp_init_source_date_epoch (cpp_reader *, time_t);
++
+ /* This is called after options have been parsed, and partially
+ processed. */
+ extern void cpp_post_options (cpp_reader *);
+diff --git a/libcpp/init.c b/libcpp/init.c
+index 4343075ba85..f5ff85b3bae 100644
+--- a/libcpp/init.c
++++ b/libcpp/init.c
+@@ -533,8 +533,15 @@ cpp_init_builtins (cpp_reader *pfile, int hosted)
+ _cpp_define_builtin (pfile, "__OBJC__ 1");
+ }
+
++/* Initialize the source_date_epoch value. */
++void
++cpp_init_source_date_epoch (cpp_reader *pfile, time_t source_date_epoch)
++{
++ pfile->source_date_epoch = source_date_epoch;
++}
++
+ /* Sanity-checks are dependent on command-line options, so it is
+- called as a subroutine of cpp_read_main_file (). */
++ called as a subroutine of cpp_read_main_file. */
+ #if CHECKING_P
+ static void sanity_checks (cpp_reader *);
+ static void sanity_checks (cpp_reader *pfile)
+diff --git a/libcpp/internal.h b/libcpp/internal.h
+index 9ce870738cc..e3eb26b1f27 100644
+--- a/libcpp/internal.h
++++ b/libcpp/internal.h
+@@ -502,6 +502,10 @@ struct cpp_reader
+ const unsigned char *date;
+ const unsigned char *time;
+
++ /* Externally set timestamp to replace current date and time useful for
++ reproducibility. */
++ time_t source_date_epoch;
++
+ /* EOF token, and a token forcing paste avoidance. */
+ cpp_token avoid_paste;
+ cpp_token eof;
+diff --git a/libcpp/macro.c b/libcpp/macro.c
+index c2515534504..c2a83764660 100644
+--- a/libcpp/macro.c
++++ b/libcpp/macro.c
+@@ -357,13 +357,20 @@ _cpp_builtin_macro_text (cpp_reader *pfile, cpp_hashnode *node,
+ time_t tt;
+ struct tm *tb = NULL;
+
+- /* (time_t) -1 is a legitimate value for "number of seconds
+- since the Epoch", so we have to do a little dance to
+- distinguish that from a genuine error. */
+- errno = 0;
+- tt = time(NULL);
+- if (tt != (time_t)-1 || errno == 0)
+- tb = localtime (&tt);
++ /* Set a reproducible timestamp for __DATE__ and __TIME__ macro
++ usage if SOURCE_DATE_EPOCH is defined. */
++ if (pfile->source_date_epoch != (time_t) -1)
++ tb = gmtime (&pfile->source_date_epoch);
++ else
++ {
++ /* (time_t) -1 is a legitimate value for "number of seconds
++ since the Epoch", so we have to do a little dance to
++ distinguish that from a genuine error. */
++ errno = 0;
++ tt = time (NULL);
++ if (tt != (time_t)-1 || errno == 0)
++ tb = localtime (&tt);
++ }
+
+ if (tb)
+ {
+--
+2.14.1
+
diff --git a/gnu/packages/patches/gcc-6-source-date-epoch-2.patch b/gnu/packages/patches/gcc-6-source-date-epoch-2.patch
new file mode 100644
index 0000000000..cd5b09867f
--- /dev/null
+++ b/gnu/packages/patches/gcc-6-source-date-epoch-2.patch
@@ -0,0 +1,346 @@
+Cherry-picked from upstream commit:
+
+https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=dfa5c0d3f3e23e4fdb14857a42de376d9ff8601c
+
+diff --git a/gcc/c-family/c-common.c b/gcc/c-family/c-common.c
+index b5daea65ba7..a4539da15ce 100644
+--- a/gcc/c-family/c-common.c
++++ b/gcc/c-family/c-common.c
+@@ -12753,8 +12753,9 @@ valid_array_size_p (location_t loc, tree type, tree name)
+ /* Read SOURCE_DATE_EPOCH from environment to have a deterministic
+ timestamp to replace embedded current dates to get reproducible
+ results. Returns -1 if SOURCE_DATE_EPOCH is not defined. */
++
+ time_t
+-get_source_date_epoch ()
++cb_get_source_date_epoch (cpp_reader *pfile ATTRIBUTE_UNUSED)
+ {
+ char *source_date_epoch;
+ long long epoch;
+@@ -12766,19 +12767,14 @@ get_source_date_epoch ()
+
+ errno = 0;
+ epoch = strtoll (source_date_epoch, &endptr, 10);
+- if ((errno == ERANGE && (epoch == LLONG_MAX || epoch == LLONG_MIN))
+- || (errno != 0 && epoch == 0))
+- fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
+- "strtoll: %s\n", xstrerror(errno));
+- if (endptr == source_date_epoch)
+- fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
+- "no digits were found: %s\n", endptr);
+- if (*endptr != '\0')
+- fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
+- "trailing garbage: %s\n", endptr);
+- if (epoch < 0)
+- fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
+- "value must be nonnegative: %lld \n", epoch);
++ if (errno != 0 || endptr == source_date_epoch || *endptr != '\0'
++ || epoch < 0 || epoch > MAX_SOURCE_DATE_EPOCH)
++ {
++ error_at (input_location, "environment variable SOURCE_DATE_EPOCH must "
++ "expand to a non-negative integer less than or equal to %wd",
++ MAX_SOURCE_DATE_EPOCH);
++ return (time_t) -1;
++ }
+
+ return (time_t) epoch;
+ }
+diff --git a/gcc/c-family/c-common.h b/gcc/c-family/c-common.h
+index c6e0ed12b55..44699f716e0 100644
+--- a/gcc/c-family/c-common.h
++++ b/gcc/c-family/c-common.h
+@@ -1084,6 +1084,16 @@ extern vec<tree, va_gc> *make_tree_vector_copy (const vec<tree, va_gc> *);
+ c_register_builtin_type. */
+ extern GTY(()) tree registered_builtin_types;
+
++/* Read SOURCE_DATE_EPOCH from environment to have a deterministic
++ timestamp to replace embedded current dates to get reproducible
++ results. Returns -1 if SOURCE_DATE_EPOCH is not defined. */
++extern time_t cb_get_source_date_epoch (cpp_reader *pfile);
++
++/* The value (as a unix timestamp) corresponds to date
++ "Dec 31 9999 23:59:59 UTC", which is the latest date that __DATE__ and
++ __TIME__ can store. */
++#define MAX_SOURCE_DATE_EPOCH HOST_WIDE_INT_C (253402300799)
++
+ /* In c-gimplify.c */
+ extern void c_genericize (tree);
+ extern int c_gimplify_expr (tree *, gimple_seq *, gimple_seq *);
+@@ -1467,9 +1477,4 @@ extern bool reject_gcc_builtin (const_tree, location_t = UNKNOWN_LOCATION);
+ extern void warn_duplicated_cond_add_or_warn (location_t, tree, vec<tree> **);
+ extern bool valid_array_size_p (location_t, tree, tree);
+
+-/* Read SOURCE_DATE_EPOCH from environment to have a deterministic
+- timestamp to replace embedded current dates to get reproducible
+- results. Returns -1 if SOURCE_DATE_EPOCH is not defined. */
+-extern time_t get_source_date_epoch (void);
+-
+ #endif /* ! GCC_C_COMMON_H */
+diff --git a/gcc/c-family/c-lex.c b/gcc/c-family/c-lex.c
+index bf1db6c0252..42a4135d339 100644
+--- a/gcc/c-family/c-lex.c
++++ b/gcc/c-family/c-lex.c
+@@ -80,6 +80,7 @@ init_c_lex (void)
+ cb->valid_pch = c_common_valid_pch;
+ cb->read_pch = c_common_read_pch;
+ cb->has_attribute = c_common_has_attribute;
++ cb->get_source_date_epoch = cb_get_source_date_epoch;
+
+ /* Set the debug callbacks if we can use them. */
+ if ((debug_info_level == DINFO_LEVEL_VERBOSE
+@@ -385,9 +386,6 @@ c_lex_with_flags (tree *value, location_t *loc, unsigned char *cpp_flags,
+ enum cpp_ttype type;
+ unsigned char add_flags = 0;
+ enum overflow_type overflow = OT_NONE;
+- time_t source_date_epoch = get_source_date_epoch ();
+-
+- cpp_init_source_date_epoch (parse_in, source_date_epoch);
+
+ timevar_push (TV_CPP);
+ retry:
+diff --git a/gcc/doc/cppenv.texi b/gcc/doc/cppenv.texi
+index e958e93e97e..8cefd529aa3 100644
+--- a/gcc/doc/cppenv.texi
++++ b/gcc/doc/cppenv.texi
+@@ -81,7 +81,6 @@ main input file is omitted.
+ @end ifclear
+
+ @item SOURCE_DATE_EPOCH
+-
+ If this variable is set, its value specifies a UNIX timestamp to be
+ used in replacement of the current date and time in the @code{__DATE__}
+ and @code{__TIME__} macros, so that the embedded timestamps become
+@@ -89,8 +88,9 @@ reproducible.
+
+ The value of @env{SOURCE_DATE_EPOCH} must be a UNIX timestamp,
+ defined as the number of seconds (excluding leap seconds) since
+-01 Jan 1970 00:00:00 represented in ASCII, identical to the output of
+-@samp{@command{date +%s}}.
++01 Jan 1970 00:00:00 represented in ASCII; identical to the output of
++@samp{@command{date +%s}} on GNU/Linux and other systems that support the
++@code{%s} extension in the @code{date} command.
+
+ The value should be a known timestamp such as the last modification
+ time of the source or package and it should be set by the build
+diff --git a/gcc/gcc.c b/gcc/gcc.c
+index cfa074d4e43..f88596219bc 100644
+--- a/gcc/gcc.c
++++ b/gcc/gcc.c
+@@ -3541,6 +3541,29 @@ save_switch (const char *opt, size_t n_args, const char *const *args,
+ n_switches++;
+ }
+
++/* Set the SOURCE_DATE_EPOCH environment variable to the current time if it is
++ not set already. */
++
++static void
++set_source_date_epoch_envvar ()
++{
++ /* Array size is 21 = ceil(log_10(2^64)) + 1 to hold string representations
++ of 64 bit integers. */
++ char source_date_epoch[21];
++ time_t tt;
++
++ errno = 0;
++ tt = time (NULL);
++ if (tt < (time_t) 0 || errno != 0)
++ tt = (time_t) 0;
++
++ snprintf (source_date_epoch, 21, "%llu", (unsigned long long) tt);
++ /* Using setenv instead of xputenv because we want the variable to remain
++ after finalizing so that it's still set in the second run when using
++ -fcompare-debug. */
++ setenv ("SOURCE_DATE_EPOCH", source_date_epoch, 0);
++}
++
+ /* Handle an option DECODED that is unknown to the option-processing
+ machinery. */
+
+@@ -3840,6 +3863,7 @@ driver_handle_option (struct gcc_options *opts,
+ else
+ compare_debug_opt = arg;
+ save_switch (compare_debug_replacement_opt, 0, NULL, validated, true);
++ set_source_date_epoch_envvar ();
+ return true;
+
+ case OPT_fdiagnostics_color_:
+diff --git a/gcc/testsuite/gcc.dg/cpp/source_date_epoch-1.c b/gcc/testsuite/gcc.dg/cpp/source_date_epoch-1.c
+new file mode 100644
+index 00000000000..f6aa1a360ff
+--- /dev/null
++++ b/gcc/testsuite/gcc.dg/cpp/source_date_epoch-1.c
+@@ -0,0 +1,11 @@
++/* { dg-do run } */
++/* { dg-set-compiler-env-var SOURCE_DATE_EPOCH "630333296" } */
++
++int
++main(void)
++{
++ __builtin_printf ("%s %s\n", __DATE__, __TIME__);
++ return 0;
++}
++
++/* { dg-output "^Dec 22 1989 12:34:56\n$" } */
+diff --git a/gcc/testsuite/gcc.dg/cpp/source_date_epoch-2.c b/gcc/testsuite/gcc.dg/cpp/source_date_epoch-2.c
+new file mode 100644
+index 00000000000..ae18362ae87
+--- /dev/null
++++ b/gcc/testsuite/gcc.dg/cpp/source_date_epoch-2.c
+@@ -0,0 +1,12 @@
++/* { dg-do compile } */
++/* { dg-set-compiler-env-var SOURCE_DATE_EPOCH "AAA" } */
++
++/* Make sure that SOURCE_DATE_EPOCH is only parsed once */
++
++int
++main(void)
++{
++ __builtin_printf ("%s %s\n", __DATE__, __TIME__); /* { dg-error "SOURCE_DATE_EPOCH must expand" } */
++ __builtin_printf ("%s %s\n", __DATE__, __TIME__);
++ return 0;
++}
+diff --git a/gcc/testsuite/lib/gcc-dg.exp b/gcc/testsuite/lib/gcc-dg.exp
+index 9dd909b0985..822d2fbb3b9 100644
+--- a/gcc/testsuite/lib/gcc-dg.exp
++++ b/gcc/testsuite/lib/gcc-dg.exp
+@@ -450,6 +450,38 @@ proc restore-target-env-var { } {
+ }
+ }
+
++proc dg-set-compiler-env-var { args } {
++ global set_compiler_env_var
++ global saved_compiler_env_var
++ if { [llength $args] != 3 } {
++ error "dg-set-compiler-env-var: need two arguments"
++ return
++ }
++ set var [lindex $args 1]
++ set value [lindex $args 2]
++ if [info exists ::env($var)] {
++ lappend saved_compiler_env_var [list $var 1 $::env($var)]
++ } else {
++ lappend saved_compiler_env_var [list $var 0]
++ }
++ setenv $var $value
++ lappend set_compiler_env_var [list $var $value]
++}
++
++proc restore-compiler-env-var { } {
++ global saved_compiler_env_var
++ for { set env_vari [llength $saved_compiler_env_var] } {
++ [incr env_vari -1] >= 0 } {} {
++ set env_var [lindex $saved_compiler_env_var $env_vari]
++ set var [lindex $env_var 0]
++ if [lindex $env_var 1] {
++ setenv $var [lindex $env_var 2]
++ } else {
++ unsetenv $var
++ }
++ }
++}
++
+ # Utility routines.
+
+ #
+@@ -873,6 +905,11 @@ if { [info procs saved-dg-test] == [list] } {
+ if [info exists set_target_env_var] {
+ unset set_target_env_var
+ }
++ if [info exists set_compiler_env_var] {
++ restore-compiler-env-var
++ unset set_compiler_env_var
++ unset saved_compiler_env_var
++ }
+ if [info exists keep_saved_temps_suffixes] {
+ unset keep_saved_temps_suffixes
+ }
+diff --git a/libcpp/include/cpplib.h b/libcpp/include/cpplib.h
+index 4998b3a8ab8..9d70cc856ef 100644
+--- a/libcpp/include/cpplib.h
++++ b/libcpp/include/cpplib.h
+@@ -594,6 +594,9 @@ struct cpp_callbacks
+
+ /* Callback that can change a user builtin into normal macro. */
+ bool (*user_builtin_macro) (cpp_reader *, cpp_hashnode *);
++
++ /* Callback to parse SOURCE_DATE_EPOCH from environment. */
++ time_t (*get_source_date_epoch) (cpp_reader *);
+ };
+
+ #ifdef VMS
+@@ -784,9 +787,6 @@ extern void cpp_init_special_builtins (cpp_reader *);
+ /* Set up built-ins like __FILE__. */
+ extern void cpp_init_builtins (cpp_reader *, int);
+
+-/* Initialize the source_date_epoch value. */
+-extern void cpp_init_source_date_epoch (cpp_reader *, time_t);
+-
+ /* This is called after options have been parsed, and partially
+ processed. */
+ extern void cpp_post_options (cpp_reader *);
+diff --git a/libcpp/init.c b/libcpp/init.c
+index f5ff85b3bae..e78b3206def 100644
+--- a/libcpp/init.c
++++ b/libcpp/init.c
+@@ -257,6 +257,9 @@ cpp_create_reader (enum c_lang lang, cpp_hash_table *table,
+ /* Do not force token locations by default. */
+ pfile->forced_token_location_p = NULL;
+
++ /* Initialize source_date_epoch to -2 (not yet set). */
++ pfile->source_date_epoch = (time_t) -2;
++
+ /* The expression parser stack. */
+ _cpp_expand_op_stack (pfile);
+
+@@ -533,13 +536,6 @@ cpp_init_builtins (cpp_reader *pfile, int hosted)
+ _cpp_define_builtin (pfile, "__OBJC__ 1");
+ }
+
+-/* Initialize the source_date_epoch value. */
+-void
+-cpp_init_source_date_epoch (cpp_reader *pfile, time_t source_date_epoch)
+-{
+- pfile->source_date_epoch = source_date_epoch;
+-}
+-
+ /* Sanity-checks are dependent on command-line options, so it is
+ called as a subroutine of cpp_read_main_file. */
+ #if CHECKING_P
+diff --git a/libcpp/internal.h b/libcpp/internal.h
+index e3eb26b1f27..cea32ec73c6 100644
+--- a/libcpp/internal.h
++++ b/libcpp/internal.h
+@@ -503,7 +503,8 @@ struct cpp_reader
+ const unsigned char *time;
+
+ /* Externally set timestamp to replace current date and time useful for
+- reproducibility. */
++ reproducibility. It should be initialized to -2 (not yet set) and
++ set to -1 to disable it or to a non-negative value to enable it. */
+ time_t source_date_epoch;
+
+ /* EOF token, and a token forcing paste avoidance. */
+diff --git a/libcpp/macro.c b/libcpp/macro.c
+index c2a83764660..a3b8348a23f 100644
+--- a/libcpp/macro.c
++++ b/libcpp/macro.c
+@@ -358,9 +358,13 @@ _cpp_builtin_macro_text (cpp_reader *pfile, cpp_hashnode *node,
+ struct tm *tb = NULL;
+
+ /* Set a reproducible timestamp for __DATE__ and __TIME__ macro
+- usage if SOURCE_DATE_EPOCH is defined. */
+- if (pfile->source_date_epoch != (time_t) -1)
+- tb = gmtime (&pfile->source_date_epoch);
++ if SOURCE_DATE_EPOCH is defined. */
++ if (pfile->source_date_epoch == (time_t) -2
++ && pfile->cb.get_source_date_epoch != NULL)
++ pfile->source_date_epoch = pfile->cb.get_source_date_epoch (pfile);
++
++ if (pfile->source_date_epoch >= (time_t) 0)
++ tb = gmtime (&pfile->source_date_epoch);
+ else
+ {
+ /* (time_t) -1 is a legitimate value for "number of seconds
+--
+2.14.1
+
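Review bot: In cb_get_source_date_epoch the validated `long long` is narrowed by `return (time_t) epoch;` after being compared only with MAX_SOURCE_DATE_EPOCH (253402300799), so on a host whose time_t is 32 bits a large value would presumably be truncated without any diagnostic. A result that wraps negative then fails the `pfile->source_date_epoch >= (time_t) 0` test in _cpp_builtin_macro_text and falls back to `time (NULL)`, which silently defeats the reproducibility this patch is meant to provide. I would add a round-trip test to the rejection condition, e.g. `|| (long long) (time_t) epoch != epoch`. The comment above the function still says it returns -1 only when the variable is not defined, while the new code also returns -1 for an invalid value. The part of the function that reads the environment lies outside the patch's hunks.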
diff --git a/gnu/packages/patches/glusterfs-use-PATH-instead-of-hardcodes.patch b/gnu/packages/patches/glusterfs-use-PATH-instead-of-hardcodes.patch
new file mode 100644
index 0000000000..d05b4351b3
--- /dev/null
+++ b/gnu/packages/patches/glusterfs-use-PATH-instead-of-hardcodes.patch
@@ -0,0 +1,140 @@
+This patch was taken from Nixpkgs.
+
+From 616381bc25b0e90198683fb049f994e82d467d96 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niklas=20Hamb=C3=BCchen?= <mail@nh2.me>
+Date: Sat, 13 May 2017 02:45:49 +0200
+Subject: [PATCH] Don't use hardcoded /sbin, /usr/bin etc. paths. Fixes
+ #1450546.
+
+Instead, rely on programs to be in PATH, as gluster already
+does in many places across its code base.
+
+Change-Id: Id21152fe42f5b67205d8f1571b0656c4d5f74246
+---
+ contrib/fuse-lib/mount-common.c | 8 ++++----
+ xlators/mgmt/glusterd/src/glusterd-ganesha.c | 6 +++---
+ xlators/mgmt/glusterd/src/glusterd-quota.c | 6 +++---
+ xlators/mgmt/glusterd/src/glusterd-snapshot.c | 4 ++--
+ xlators/mgmt/glusterd/src/glusterd-utils.c | 14 +-------------
+ 5 files changed, 13 insertions(+), 25 deletions(-)
+
+diff --git a/contrib/fuse-lib/mount-common.c b/contrib/fuse-lib/mount-common.c
+index e9f80fe81..6380dd867 100644
+--- a/contrib/fuse-lib/mount-common.c
++++ b/contrib/fuse-lib/mount-common.c
+@@ -255,16 +255,16 @@ fuse_mnt_umount (const char *progname, const char *abs_mnt,
+ exit (1);
+ }
+ #ifdef GF_LINUX_HOST_OS
+- execl ("/bin/umount", "/bin/umount", "-i", rel_mnt,
++ execl ("umount", "umount", "-i", rel_mnt,
+ lazy ? "-l" : NULL, NULL);
+- GFFUSE_LOGERR ("%s: failed to execute /bin/umount: %s",
++ GFFUSE_LOGERR ("%s: failed to execute umount: %s",
+ progname, strerror (errno));
+ #elif __NetBSD__
+ /* exitting the filesystem causes the umount */
+ exit (0);
+ #else
+- execl ("/sbin/umount", "/sbin/umount", "-f", rel_mnt, NULL);
+- GFFUSE_LOGERR ("%s: failed to execute /sbin/umount: %s",
++ execl ("umount", "umount", "-f", rel_mnt, NULL);
++ GFFUSE_LOGERR ("%s: failed to execute umount: %s",
+ progname, strerror (errno));
+ #endif /* GF_LINUX_HOST_OS */
+ exit (1);
+diff --git a/xlators/mgmt/glusterd/src/glusterd-quota.c b/xlators/mgmt/glusterd/src/glusterd-quota.c
+index 0e6629cf0..fcb4738b7 100644
+--- a/xlators/mgmt/glusterd/src/glusterd-quota.c
++++ b/xlators/mgmt/glusterd/src/glusterd-quota.c
+@@ -30,7 +30,7 @@
+
+ #ifndef _PATH_SETFATTR
+ # ifdef GF_LINUX_HOST_OS
+-# define _PATH_SETFATTR "/usr/bin/setfattr"
++# define _PATH_SETFATTR "setfattr"
+ # endif
+ # ifdef __NetBSD__
+ # define _PATH_SETFATTR "/usr/pkg/bin/setfattr"
+@@ -335,7 +335,7 @@ _glusterd_quota_initiate_fs_crawl (glusterd_conf_t *priv,
+
+ if (type == GF_QUOTA_OPTION_TYPE_ENABLE ||
+ type == GF_QUOTA_OPTION_TYPE_ENABLE_OBJECTS)
+- runner_add_args (&runner, "/usr/bin/find", ".", NULL);
++ runner_add_args (&runner, "find", ".", NULL);
+
+ else if (type == GF_QUOTA_OPTION_TYPE_DISABLE) {
+
+@@ -351,7 +351,7 @@ _glusterd_quota_initiate_fs_crawl (glusterd_conf_t *priv,
+ VIRTUAL_QUOTA_XATTR_CLEANUP_KEY, "1",
+ "{}", "\\", ";", NULL);
+ #else
+- runner_add_args (&runner, "/usr/bin/find", ".",
++ runner_add_args (&runner, "find", ".",
+ "-exec", _PATH_SETFATTR, "-n",
+ VIRTUAL_QUOTA_XATTR_CLEANUP_KEY, "-v",
+ "1", "{}", "\\", ";", NULL);
+diff --git a/xlators/mgmt/glusterd/src/glusterd-snapshot.c b/xlators/mgmt/glusterd/src/glusterd-snapshot.c
+index da0152366..f0d135350 100644
+--- a/xlators/mgmt/glusterd/src/glusterd-snapshot.c
++++ b/xlators/mgmt/glusterd/src/glusterd-snapshot.c
+@@ -121,7 +121,7 @@ glusterd_build_snap_device_path (char *device, char *snapname,
+ }
+
+ runinit (&runner);
+- runner_add_args (&runner, "/sbin/lvs", "--noheadings", "-o", "vg_name",
++ runner_add_args (&runner, "lvs", "--noheadings", "-o", "vg_name",
+ device, NULL);
+ runner_redir (&runner, STDOUT_FILENO, RUN_PIPE);
+ snprintf (msg, sizeof (msg), "Get volume group for device %s", device);
+@@ -1982,7 +1982,7 @@ glusterd_is_thinp_brick (char *device, uint32_t *op_errno)
+
+ runinit (&runner);
+
+- runner_add_args (&runner, "/sbin/lvs", "--noheadings", "-o", "pool_lv",
++ runner_add_args (&runner, "lvs", "--noheadings", "-o", "pool_lv",
+ device, NULL);
+ runner_redir (&runner, STDOUT_FILENO, RUN_PIPE);
+ runner_log (&runner, this->name, GF_LOG_DEBUG, msg);
+diff --git a/xlators/mgmt/glusterd/src/glusterd-utils.c b/xlators/mgmt/glusterd/src/glusterd-utils.c
+index 51db13df0..6fa7b92f9 100644
+--- a/xlators/mgmt/glusterd/src/glusterd-utils.c
++++ b/xlators/mgmt/glusterd/src/glusterd-utils.c
+@@ -6027,7 +6027,6 @@ static struct fs_info {
+ char *fs_tool_pattern;
+ char *fs_tool_pkg;
+ } glusterd_fs[] = {
+- /* some linux have these in /usr/sbin/and others in /sbin/? */
+ { "xfs", "xfs_info", NULL, "isize=", "xfsprogs" },
+ { "ext3", "tune2fs", "-l", "Inode size:", "e2fsprogs" },
+ { "ext4", "tune2fs", "-l", "Inode size:", "e2fsprogs" },
+@@ -6048,7 +6047,6 @@ glusterd_add_inode_size_to_dict (dict_t *dict, int count)
+ char *trail = NULL;
+ runner_t runner = {0, };
+ struct fs_info *fs = NULL;
+- char fs_tool_name[256] = {0, };
+ static dict_t *cached_fs = NULL;
+
+ memset (key, 0, sizeof (key));
+@@ -6085,17 +6083,7 @@ glusterd_add_inode_size_to_dict (dict_t *dict, int count)
+ cur_word = "N/A";
+ goto cached;
+ }
+-
+- snprintf (fs_tool_name, sizeof (fs_tool_name),
+- "/usr/sbin/%s", fs->fs_tool_name);
+- if (sys_access (fs_tool_name, R_OK|X_OK) == 0)
+- runner_add_arg (&runner, fs_tool_name);
+- else {
+- snprintf (fs_tool_name, sizeof (fs_tool_name),
+- "/sbin/%s", fs->fs_tool_name);
+- if (sys_access (fs_tool_name, R_OK|X_OK) == 0)
+- runner_add_arg (&runner, fs_tool_name);
+- }
++ runner_add_arg (&runner, fs->fs_tool_name);
+ break;
+ }
+ }
+--
+2.12.0
+
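Review bot: The two `execl ("umount", "umount", ...)` calls in fuse_mnt_umount do not get a PATH lookup, because execl() takes a pathname and a bare `umount` is resolved relative to the current working directory. The call therefore either fails or runs whatever file named `umount` is in that directory, in a helper that presumably runs with the privileges needed to unmount. Use `execlp ("umount", "umount", "-i", rel_mnt, lazy ? "-l" : NULL, NULL);` and the same for the `-f` branch, or have the package substitute the absolute path of the intended binary. Whether the `runner_add_args` call sites search PATH depends on how the runner executes its first argument, which is not visible here. The diffstat also lists glusterd-ganesha.c, for which no hunk is present in this patch.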
diff --git a/gnu/packages/patches/guile-emacs-fix-configure.patch b/gnu/packages/patches/guile-emacs-fix-configure.patch
new file mode 100644
index 0000000000..b1f7146d21
--- /dev/null
+++ b/gnu/packages/patches/guile-emacs-fix-configure.patch
@@ -0,0 +1,211 @@
+Two patches here backporting fixes from Emacs master.
+
+Upstream status: emailed first patch to latest committer, Robin Templeton
+<robin@igalia.com>, no response.
+
+From dfcb3b6ff318e47b84a28cfc43f50bec42fa3570 Mon Sep 17 00:00:00 2001
+From: Jan Nieuwenhuizen <janneke@gnu.org>
+Date: Tue, 7 Nov 2017 18:48:03 +0100
+Subject: [PATCH 1/2] backport: Port jpeg configuration to Solaris 10 with Sun
+ C.
+
+* configure.ac: Check for jpeglib 6b by trying to link it, instead
+of relying on cpp magic that has problems in practice. Check for
+both jpeglib.h and jerror.h features. Remove special case for
+mingw32, which should no longer be needed (and if it were needed,
+should now be addressable by hotwiring emacs_cv_jpeglib).
+Fixes: bug#20332
+
+ From fdf532b9c915ad9ba72155646d29d0f530fd72ec Mon Sep 17 00:00:00 2001
+ From: Paul Eggert <address@hidden>
+ Date: Wed, 15 Apr 2015 18:30:01 -0700
+ Subject: [PATCH] Port jpeg configuration to Solaris 10 with Sun C.
+
+ * configure.ac: Check for jpeglib 6b by trying to link it, instead
+ of relying on cpp magic that has problems in practice. Check for
+ both jpeglib.h and jerror.h features. Remove special case for
+ mingw32, which should no longer be needed (and if it were needed,
+ should now be addressable by hotwiring emacs_cv_jpeglib).
+ Fixes: bug#20332
+---
+ configure.ac | 72 ++++++++++++++++++++++++++++--------------------------------
+ 1 file changed, 34 insertions(+), 38 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 2445db4886..36fa8eb390 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -3014,44 +3014,40 @@ AC_SUBST(LIBXPM)
+ ### mingw32 doesn't use -ljpeg, since it loads the library dynamically.
+ HAVE_JPEG=no
+ LIBJPEG=
+-if test "${opsys}" = "mingw32"; then
+- if test "${with_jpeg}" != "no"; then
+- dnl Checking for jpeglib.h can lose because of a redefinition of
+- dnl HAVE_STDLIB_H.
+- AC_CHECK_HEADER(jerror.h, HAVE_JPEG=yes, HAVE_JPEG=no)
+- fi
+- AH_TEMPLATE(HAVE_JPEG, [Define to 1 if you have the jpeg library (-ljpeg).])dnl
+- if test "${HAVE_JPEG}" = "yes"; then
+- AC_DEFINE(HAVE_JPEG)
+- AC_EGREP_CPP([version= *(6[2-9]|[7-9][0-9])],
+- [#include <jpeglib.h>
+- version=JPEG_LIB_VERSION
+-],
+- [AC_DEFINE(HAVE_JPEG)],
+- [AC_MSG_WARN([libjpeg found, but not version 6b or later])
+- HAVE_JPEG=no])
+- fi
+-elif test "${HAVE_X11}" = "yes" || test "${HAVE_W32}" = "yes"; then
+- if test "${with_jpeg}" != "no"; then
+- dnl Checking for jpeglib.h can lose because of a redefinition of
+- dnl HAVE_STDLIB_H.
+- AC_CHECK_HEADER(jerror.h,
+- [AC_CHECK_LIB(jpeg, jpeg_destroy_compress, HAVE_JPEG=yes)])
+- fi
+-
+- AH_TEMPLATE(HAVE_JPEG, [Define to 1 if you have the jpeg library (-ljpeg).])dnl
+- if test "${HAVE_JPEG}" = "yes"; then
+- AC_DEFINE(HAVE_JPEG)
+- AC_EGREP_CPP([version= *(6[2-9]|[7-9][0-9])],
+- [#include <jpeglib.h>
+- version=JPEG_LIB_VERSION
+-],
+- [AC_DEFINE(HAVE_JPEG)],
+- [AC_MSG_WARN([libjpeg found, but not version 6b or later])
+- HAVE_JPEG=no])
+- fi
+- if test "${HAVE_JPEG}" = "yes"; then
+- LIBJPEG=-ljpeg
++if test "${with_jpeg}" != "no"; then
++ AC_CACHE_CHECK([for jpeglib 6b or later],
++ [emacs_cv_jpeglib],
++ [OLD_LIBS=$LIBS
++ for emacs_cv_jpeglib in yes -ljpeg no; do
++ case $emacs_cv_jpeglib in
++ yes) ;;
++ no) break;;
++ *) LIBS="$LIBS $emacs_cv_jpeglib";;
++ esac
++ AC_LINK_IFELSE(
++ [AC_LANG_PROGRAM(
++ [[#undef HAVE_STDLIB_H /* Avoid config.h/jpeglib.h collision. */
++ #include <stdio.h> /* jpeglib.h needs FILE and size_t. */
++ #include <jpeglib.h>
++ #include <jerror.h>
++ char verify[JPEG_LIB_VERSION < 62 ? -1 : 1];
++ struct jpeg_decompress_struct cinfo;
++ ]],
++ [[
++ jpeg_create_decompress (&cinfo);
++ WARNMS (&cinfo, JWRN_JPEG_EOF);
++ jpeg_destroy_decompress (&cinfo);
++ ]])],
++ [emacs_link_ok=yes],
++ [emacs_link_ok=no])
++ LIBS=$OLD_LIBS
++ test $emacs_link_ok = yes && break
++ done])
++ if test "$emacs_cv_jpeglib" != no; then
++ HAVE_JPEG=yes
++ AC_DEFINE([HAVE_JPEG], 1,
++ [Define to 1 if you have the jpeg library (typically -ljpeg).])
++ test "$emacs_cv_jpeglib" != yes && LIBJPEG=$emacs_cv_jpeglib
+ fi
+ fi
+ AC_SUBST(LIBJPEG)
+--
+Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
+Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com
+
+From f761b92d520b72954be28ad66eb82d1a96c785fb Mon Sep 17 00:00:00 2001
+From: Jan Nieuwenhuizen <janneke@gnu.org>
+Date: Wed, 8 Nov 2017 14:05:43 +0100
+Subject: [PATCH 2/2] backport fix for #24065: calloc loop when compiling with
+ -O2.
+
+This patch fixes
+
+ EMACSLOADPATH= '../src/bootstrap-emacs' -batch --no-site-file --no-site-lisp -l autoload \
+ --eval "(setq generate-autoload-cookie \";;;###cal-autoload\")" \
+ --eval "(setq generated-autoload-file (expand-file-name
+ (unmsys--file-name
+ \"../../git-checkout/lisp/calendar/cal-loaddefs.el\")))" \
+ -f batch-update-autoloads ../../git-checkout/lisp/calendar
+ make[2]: *** [Makefile:466: ../../git-checkout/lisp/calendar/cal-loaddefs.el] Segmentation fault
+
+in gdb seen as
+
+ in calloc (nmemb=<error reading variable: DWARF-2 expression error:Loop detected (257).>, size=size@entry=1) at gmalloc.c:1510
+
+I did not find malloc-fixing commits from emacs master to cleanly
+cherry-pick, so this patch replaces the relevant part in configure
+(emacs 53da55b8cc45e76b836ebaadd23f46e92d25abce).
+
+* configure.ac: backport system_malloc/hybrid_malloc detection.
+---
+ configure.ac | 29 ++++++++++++++++++++++++++++-
+ 1 file changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 36fa8eb390..3cc1794f37 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1966,7 +1966,25 @@ case "$opsys" in
+ darwin|mingw32|sol2-10) system_malloc=yes ;;
+ esac
+
++hybrid_malloc=
++system_malloc=yes
++
++test "$CANNOT_DUMP" = yes ||
++case "$opsys" in
++ ## darwin ld insists on the use of malloc routines in the System framework.
++ darwin | mingw32 | nacl | sol2-10) ;;
++ cygwin) hybrid_malloc=yes
++ system_malloc= ;;
++ *) test "$ac_cv_func_sbrk" = yes && system_malloc=$emacs_cv_sanitize_address;;
++esac
++
++if test "${system_malloc}" != yes && test "${doug_lea_malloc}" != yes \
++ && test "${UNEXEC_OBJ}" = unexelf.o; then
++ hybrid_malloc=yes
++fi
++
+ GMALLOC_OBJ=
++HYBRID_MALLOC=
+ if test "${system_malloc}" = "yes"; then
+ AC_DEFINE([SYSTEM_MALLOC], 1,
+ [Define to 1 to use the system memory allocator, even if it is not
+@@ -1975,6 +1993,14 @@ if test "${system_malloc}" = "yes"; then
+ GNU_MALLOC_reason="
+ (The GNU allocators don't work with this system configuration.)"
+ VMLIMIT_OBJ=
++elif test "$hybrid_malloc" = yes; then
++ AC_DEFINE(HYBRID_MALLOC, 1,
++ [Define to use gmalloc before dumping and the system malloc after.])
++ HYBRID_MALLOC=1
++ GNU_MALLOC=no
++ GNU_MALLOC_reason=" (only before dumping)"
++ GMALLOC_OBJ=gmalloc.o
++ VMLIMIT_OBJ=
+ else
+ test "$doug_lea_malloc" != "yes" && GMALLOC_OBJ=gmalloc.o
+ VMLIMIT_OBJ=vm-limit.o
+@@ -1993,10 +2019,11 @@ else
+ of the main data segment.])
+ fi
+ fi
++AC_SUBST([HYBRID_MALLOC])
+ AC_SUBST(GMALLOC_OBJ)
+ AC_SUBST(VMLIMIT_OBJ)
+
+-if test "$doug_lea_malloc" = "yes" ; then
++if test "$doug_lea_malloc" = "yes" && test "$hybrid_malloc" != yes; then
+ if test "$GNU_MALLOC" = yes ; then
+ GNU_MALLOC_reason="
+ (Using Doug Lea's new malloc from the GNU C Library.)"
+--
+Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
+Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com
+
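Review bot: In the second patch the added arm `*) test "$ac_cv_func_sbrk" = yes && system_malloc=$emacs_cv_sanitize_address;;` reads emacs_cv_sanitize_address, which none of the visible hunks set. If this older configure.ac does not define it, system_malloc is always empty on that path, so the address-sanitizer case the backported logic distinguishes can never select the system allocator. Either backport the check that sets the variable or write the value explicitly, e.g. `system_malloc=no`. The new block also assigns `system_malloc=yes` directly after the existing `case "$opsys"` that sets it, which leaves that earlier case as dead code; removing it in the same hunk would make the allocator selection easier to audit.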
diff --git a/gnu/packages/patches/higan-remove-march-native-flag.patch b/gnu/packages/patches/higan-remove-march-native-flag.patch
index 8f4a36dc35..30d4cdd061 100644
--- a/gnu/packages/patches/higan-remove-march-native-flag.patch
+++ b/gnu/packages/patches/higan-remove-march-native-flag.patch
@@ -2,12 +2,11 @@ Remove -march=native from build flags.
--- a/higan/GNUmakefile
+++ b/higan/GNUmakefile
-@@ -32,7 +32,7 @@ ifeq ($(platform),windows)
- else ifeq ($(platform),macosx)
- flags += -march=native
- else ifneq ($(filter $(platform),linux bsd),)
-- flags += -march=native -fopenmp
-+ flags += -fopenmp
+@@ -26,7 +26,6 @@
+ flags += -fopenmp
link += -fopenmp
- link += -Wl,-export-dynamic
- link += -lX11 -lXext
+ ifeq ($(binary),application)
+- flags += -march=native
+ link += -Wl,-export-dynamic
+ link += -lX11 -lXext
+ else ifeq ($(binary),library)
diff --git a/gnu/packages/patches/libmygpo-qt-fix-jsoncreatortest.patch b/gnu/packages/patches/libmygpo-qt-fix-jsoncreatortest.patch
new file mode 100644
index 0000000000..c457d592cc
--- /dev/null
+++ b/gnu/packages/patches/libmygpo-qt-fix-jsoncreatortest.patch
@@ -0,0 +1,41 @@
+From ebe2323727f8d646590245b0bf06dbc92b5808d6 Mon Sep 17 00:00:00 2001
+From: Golubev Alexander <fatzer2@gmail.com>
+Date: Tue, 20 Sep 2016 15:33:30 +0400
+Subject: [PATCH] JsonCreatorTest failed due to extra space
+
+JsonCreatorTest failed with next message:
+```
+********* Start testing of mygpo::JsonCreatorTest *********
+Config: Using QTest library 4.8.6, Qt 4.8.6
+PASS : mygpo::JsonCreatorTest::initTestCase()
+PASS : mygpo::JsonCreatorTest::testAddRemoveSubsToJSON()
+PASS : mygpo::JsonCreatorTest::testSaveSettingsToJSON()
+FAIL! : mygpo::JsonCreatorTest::testEpisodeActionListToJSON() Compared values are not the same
+ Actual (outString2): [{"action":"download","device":"device1","episode":"http://episode.url","podcast":"http://podcast.url","timestamp":"1998-01-01T00:01:02"},{"action":"delete","device":"device3","episode":"http://episode2.url","podcast":"http://podcast2.url","timestamp":"1920-01-01T12:01:02"},{"action":"new","device":"foodev","episode":"http://www.podtrac.com","podcast":"http://leo.am","timestamp":"1998-01-01T00:01:02"},{"action":"play","device":"foodev","episode":"http://www.podtrac.com","podcast":"http://leo.am","timestamp":"1920-01-01T12:01:02"},{"action":"play","device":"foodev","episode":"http://www.podtrac.com","podcast":"http://leo.am","position":123,"started":10,"timestamp":"1998-01-01T00:01:02","total":321},{"action":"play","device":"foodev","episode":"http://www.podtrac.com","podcast":"http://leo.am","position":10,"timestamp":"1998-01-01T00:01:02"}]
+ Expected (expected2): [{"action":"download","device":"device1","episode":"http://episode.url","podcast":"http:
+ Loc: [/var/tmp/portage/media-libs/libmygpo-qt-1.0.9-r1/work/libmygpo-qt-1.0.9/tests/JsonCreatorTest.cpp(138)]
+PASS : mygpo::JsonCreatorTest::testRenameDeviceStringToJSON()
+PASS : mygpo::JsonCreatorTest::testDeviceSynchronizationListsToJSON()
+PASS : mygpo::JsonCreatorTest::cleanupTestCase()
+Totals: 6 passed, 1 failed, 0 skipped
+********* Finished testing of mygpo::JsonCreatorTest *********
+```
+
+This was caused by extra space in the expected string.
+---
+ tests/JsonCreatorTest.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/JsonCreatorTest.cpp b/tests/JsonCreatorTest.cpp
+index b15b006..feb03d5 100644
+--- a/tests/JsonCreatorTest.cpp
++++ b/tests/JsonCreatorTest.cpp
+@@ -133,7 +133,7 @@ void JsonCreatorTest::testEpisodeActionListToJSON()
+
+ output = JsonCreator::episodeActionListToJSON(episodeActions);
+ QString outString2 = QString::fromLatin1( output ).replace( QLatin1String(" "), QLatin1String("") );
+- QString expected2( QLatin1String( "[{\"action\":\"download\",\"device\":\"device1\",\"episode\":\"http://episode.url\",\"podcast\":\"http://podcast.url\",\"timestamp\":\"1998-01-01T00:01:02\"},{\"action\":\"delete\",\"device\":\"device3\",\"episode\":\"http://episode2.url\",\"podcast\":\"http://podcast2.url\",\"timestamp\":\"1920-01-01T12:01:02\"},{\"action\":\"new\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"timestamp\":\"1998-01-01T00:01:02\"},{\"action\":\"play\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"timestamp\":\"1920-01-01T12:01:02\" },{\"action\":\"play\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"position\":123,\"started\":10,\"timestamp\":\"1998-01-01T00:01:02\",\"total\":321},{\"action\":\"play\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"position\":10,\"timestamp\":\"1998-01-01T00:01:02\"}]" ) );
++ QString expected2( QLatin1String( "[{\"action\":\"download\",\"device\":\"device1\",\"episode\":\"http://episode.url\",\"podcast\":\"http://podcast.url\",\"timestamp\":\"1998-01-01T00:01:02\"},{\"action\":\"delete\",\"device\":\"device3\",\"episode\":\"http://episode2.url\",\"podcast\":\"http://podcast2.url\",\"timestamp\":\"1920-01-01T12:01:02\"},{\"action\":\"new\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"timestamp\":\"1998-01-01T00:01:02\"},{\"action\":\"play\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"timestamp\":\"1920-01-01T12:01:02\"},{\"action\":\"play\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"position\":123,\"started\":10,\"timestamp\":\"1998-01-01T00:01:02\",\"total\":321},{\"action\":\"play\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"position\":10,\"timestamp\":\"1998-01-01T00:01:02\"}]" ) );
+
+ QCOMPARE(outString2, expected2 );
+ }
diff --git a/gnu/packages/patches/libtorrent-rasterbar-boost-compat.patch b/gnu/packages/patches/libtorrent-rasterbar-boost-compat.patch
deleted file mode 100644
index 85bea76efe..0000000000
--- a/gnu/packages/patches/libtorrent-rasterbar-boost-compat.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Fix compatibility with Boost 1.63.
-
-Patch copied from upstream source repository:
-
-https://github.com/arvidn/libtorrent/commit/6d2d736cecce0af274dd651dd1f562716b625d92
-
-From 6d2d736cecce0af274dd651dd1f562716b625d92 Mon Sep 17 00:00:00 2001
-From: arvidn <arvid@cs.umu.se>
-Date: Sun, 12 Mar 2017 13:03:26 -0400
-Subject: [PATCH] fix test_ssl.cpp build with newer versions of boost
-
----
- test/test_ssl.cpp | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/test/test_ssl.cpp b/test/test_ssl.cpp
-index 01c5bc7..2903332 100644
---- a/test/test_ssl.cpp
-+++ b/test/test_ssl.cpp
-@@ -51,7 +51,6 @@ POSSIBILITY OF SUCH DAMAGE.
- #include <boost/asio/connect.hpp>
-
- #ifdef TORRENT_USE_OPENSSL
--#include <boost/asio/ssl/error.hpp> // for asio::error::get_ssl_category()
- #include <boost/asio/ssl.hpp>
-
- #include "libtorrent/aux_/disable_warnings_pop.hpp"
diff --git a/gnu/packages/patches/libvirt-CVE-2017-1000256.patch b/gnu/packages/patches/libvirt-CVE-2017-1000256.patch
deleted file mode 100644
index d577e1eb50..0000000000
--- a/gnu/packages/patches/libvirt-CVE-2017-1000256.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-Fix CVE-2017-1000256:
-
-https://security.libvirt.org/2017/0002.html
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000256
-
-Patch copied from upstream source repository:
-
-https://libvirt.org/git/?p=libvirt.git;a=commit;h=dc6c41798d1eb5c52c75365ffa22f7672709dfa7
-
-From dc6c41798d1eb5c52c75365ffa22f7672709dfa7 Mon Sep 17 00:00:00 2001
-From: Daniel P. Berrange <berrange@redhat.com>
-Date: Thu, 5 Oct 2017 17:54:28 +0100
-Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate
-
-The default_tls_x509_verify (and related) parameters in qemu.conf
-control whether the QEMU TLS servers request & verify certificates
-from clients. This works as a simple access control system for
-servers by requiring the CA to issue certs to permitted clients.
-This use of client certificates is disabled by default, since it
-requires extra work to issue client certificates.
-
-Unfortunately the code was using this configuration parameter when
-setting up both TLS clients and servers in QEMU. The result was that
-TLS clients for character devices and disk devices had verification
-turned off, meaning they would ignore errors while validating the
-server certificate.
-
-This allows for trivial MITM attacks between client and server,
-as any certificate returned by the attacker will be accepted by
-the client.
-
-This is assigned CVE-2017-1000256 / LSN-2017-0002
-
-Reviewed-by: Eric Blake <eblake@redhat.com>
-Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-(cherry picked from commit 441d3eb6d1be940a67ce45a286602a967601b157)
----
- src/qemu/qemu_command.c | 2 +-
- .../qemuxml2argv-serial-tcp-tlsx509-chardev.args | 2 +-
- ...xml2argv-serial-tcp-tlsx509-secret-chardev.args | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
-index 9a27987..ae78cd1 100644
---- a/src/qemu/qemu_command.c
-+++ b/src/qemu/qemu_command.c
-@@ -718,7 +718,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
- if (virJSONValueObjectCreate(propsret,
- "s:dir", path,
- "s:endpoint", (isListen ? "server": "client"),
-- "b:verify-peer", verifypeer,
-+ "b:verify-peer", (isListen ? verifypeer : true),
- NULL) < 0)
- goto cleanup;
-
-diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
-index 5aff773..ab5f7e2 100644
---- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
-+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
-@@ -26,7 +26,7 @@ server,nowait \
- localport=1111 \
- -device isa-serial,chardev=charserial0,id=serial0 \
- -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
--endpoint=client,verify-peer=no \
-+endpoint=client,verify-peer=yes \
- -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
- tls-creds=objcharserial1_tls0 \
- -device isa-serial,chardev=charserial1,id=serial1 \
-diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
-index 91f1fe0..2567abb 100644
---- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
-+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
-@@ -31,7 +31,7 @@ localport=1111 \
- data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
- keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
- -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
--endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \
-+endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \
- -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
- tls-creds=objcharserial1_tls0 \
- -device isa-serial,chardev=charserial1,id=serial1 \
---
-1.7.1
-
diff --git a/gnu/packages/patches/node-test-http2-server-rst-stream.patch b/gnu/packages/patches/node-test-http2-server-rst-stream.patch
new file mode 100644
index 0000000000..c2f85010b1
--- /dev/null
+++ b/gnu/packages/patches/node-test-http2-server-rst-stream.patch
@@ -0,0 +1,131 @@
+From a41cc020fd6e40b358103425edfa50e6a10fc973 Mon Sep 17 00:00:00 2001
+From: Anatoli Papirovski <apapirovski@mac.com>
+Date: Thu, 2 Nov 2017 12:46:31 -0400
+Subject: [PATCH] test: fix flaky test-http2-server-rst-stream.js
+
+PR-URL: https://github.com/nodejs/node/pull/16690
+Fixes: https://github.com/nodejs/node/issues/16688
+Reviewed-By: James M Snell <jasnell@gmail.com>
+Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
+---
+ test/parallel/test-http2-server-rst-stream.js | 93 ++++++++++-----------------
+ 1 file changed, 35 insertions(+), 58 deletions(-)
+
+diff --git a/test/parallel/test-http2-server-rst-stream.js b/test/parallel/test-http2-server-rst-stream.js
+index b92217dc99..dd38efb42f 100644
+--- a/test/parallel/test-http2-server-rst-stream.js
++++ b/test/parallel/test-http2-server-rst-stream.js
+@@ -5,11 +5,9 @@ if (!common.hasCrypto)
+ common.skip('missing crypto');
+ const assert = require('assert');
+ const http2 = require('http2');
++const Countdown = require('../common/countdown');
+
+ const {
+- HTTP2_HEADER_METHOD,
+- HTTP2_HEADER_PATH,
+- HTTP2_METHOD_POST,
+ NGHTTP2_CANCEL,
+ NGHTTP2_NO_ERROR,
+ NGHTTP2_PROTOCOL_ERROR,
+@@ -17,63 +15,42 @@ const {
+ NGHTTP2_INTERNAL_ERROR
+ } = http2.constants;
+
+-const errCheck = common.expectsError({ code: 'ERR_HTTP2_STREAM_ERROR' }, 6);
++const tests = [
++ ['rstStream', NGHTTP2_NO_ERROR, false],
++ ['rstWithNoError', NGHTTP2_NO_ERROR, false],
++ ['rstWithProtocolError', NGHTTP2_PROTOCOL_ERROR, true],
++ ['rstWithCancel', NGHTTP2_CANCEL, false],
++ ['rstWithRefuse', NGHTTP2_REFUSED_STREAM, true],
++ ['rstWithInternalError', NGHTTP2_INTERNAL_ERROR, true]
++];
++
++const server = http2.createServer();
++server.on('stream', (stream, headers) => {
++ const method = headers['rstmethod'];
++ stream[method]();
++});
++
++server.listen(0, common.mustCall(() => {
++ const client = http2.connect(`http://localhost:${server.address().port}`);
++
++ const countdown = new Countdown(tests.length, common.mustCall(() => {
++ client.destroy();
++ server.close();
++ }));
+
+-function checkRstCode(rstMethod, expectRstCode) {
+- const server = http2.createServer();
+- server.on('stream', (stream, headers, flags) => {
+- stream.respond({
+- 'content-type': 'text/html',
+- ':status': 200
++ tests.forEach((test) => {
++ const req = client.request({
++ ':method': 'POST',
++ rstmethod: test[0]
+ });
+- stream.write('test');
+- if (rstMethod === 'rstStream')
+- stream[rstMethod](expectRstCode);
+- else
+- stream[rstMethod]();
+-
+- if (expectRstCode !== NGHTTP2_NO_ERROR &&
+- expectRstCode !== NGHTTP2_CANCEL) {
+- stream.on('error', common.mustCall(errCheck));
+- } else {
+- stream.on('error', common.mustNotCall());
+- }
+- });
+-
+- server.listen(0, common.mustCall(() => {
+- const port = server.address().port;
+- const client = http2.connect(`http://localhost:${port}`);
+-
+- const headers = {
+- [HTTP2_HEADER_PATH]: '/',
+- [HTTP2_HEADER_METHOD]: HTTP2_METHOD_POST
+- };
+- const req = client.request(headers);
+-
+- req.setEncoding('utf8');
+- req.on('streamClosed', common.mustCall((actualRstCode) => {
+- assert.strictEqual(
+- expectRstCode, actualRstCode, `${rstMethod} is not match rstCode`);
+- server.close();
+- client.destroy();
++ req.on('streamClosed', common.mustCall((code) => {
++ assert.strictEqual(code, test[1]);
++ countdown.dec();
+ }));
+- req.on('data', common.mustCall());
+ req.on('aborted', common.mustCall());
+- req.on('end', common.mustCall());
+-
+- if (expectRstCode !== NGHTTP2_NO_ERROR &&
+- expectRstCode !== NGHTTP2_CANCEL) {
+- req.on('error', common.mustCall(errCheck));
+- } else {
++ if (test[2])
++ req.on('error', common.mustCall());
++ else
+ req.on('error', common.mustNotCall());
+- }
+-
+- }));
+-}
+-
+-checkRstCode('rstStream', NGHTTP2_NO_ERROR);
+-checkRstCode('rstWithNoError', NGHTTP2_NO_ERROR);
+-checkRstCode('rstWithProtocolError', NGHTTP2_PROTOCOL_ERROR);
+-checkRstCode('rstWithCancel', NGHTTP2_CANCEL);
+-checkRstCode('rstWithRefuse', NGHTTP2_REFUSED_STREAM);
+-checkRstCode('rstWithInternalError', NGHTTP2_INTERNAL_ERROR);
++ });
++}));
+--
+2.15.0
+
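Review bot: The rewritten test no longer checks which error is raised: `req.on('error', common.mustCall())` accepts any error, where the removed code passed `errCheck`, which required the code `ERR_HTTP2_STREAM_ERROR`. The server-side `stream.on('error', ...)` expectations are dropped as well, and the `rstStream` case now calls the method without an argument. That trades assertion strength for stability. Because this upstream commit is carried only to fix a flaky test, the patch header should say so, e.g. `Fix a flaky test; patch copied from upstream source repository:` followed by the PR URL already present in the trailers.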
diff --git a/gnu/packages/patches/optipng-CVE-2017-1000229.patch b/gnu/packages/patches/optipng-CVE-2017-1000229.patch
new file mode 100644
index 0000000000..2cb3b2f21c
--- /dev/null
+++ b/gnu/packages/patches/optipng-CVE-2017-1000229.patch
@@ -0,0 +1,22 @@
+Fix CVE-2017-1000229:
+
+https://security-tracker.debian.org/tracker/CVE-2017-1000229
+https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000229.html
+https://nvd.nist.gov/vuln/detail/CVE-2017-1000229
+
+Patch copied from upstream bug tracker:
+https://sourceforge.net/p/optipng/bugs/65/
+
+diff --git a/src/minitiff/tiffread.c b/src/minitiff/tiffread.c
+index b4910ec..5f9b376 100644
+--- a/src/minitiff/tiffread.c
++++ b/src/minitiff/tiffread.c
+@@ -350,6 +350,8 @@ minitiff_read_info(struct minitiff_info *tiff_ptr, FILE *fp)
+ count = tiff_ptr->strip_offsets_count;
+ if (count == 0 || count > tiff_ptr->height)
+ goto err_invalid;
++ if (count > (size_t)-1 / sizeof(long))
++ goto err_memory;
+ tiff_ptr->strip_offsets = (long *)malloc(count * sizeof(long));
+ if (tiff_ptr->strip_offsets == NULL)
+ goto err_memory;
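Review bot: The provenance line `Patch copied from upstream bug tracker:` points at a ticket page rather than a fixed artifact, so the two added lines cannot be compared against a specific upstream attachment or commit. The header should name the attachment or comment the diff was taken from, and say whether an upstream release already contains it, so the patch can be dropped on the next update. The guard itself, `if (count > (size_t)-1 / sizeof(long)) goto err_memory;`, is the usual pre-multiplication overflow check and sits directly before the `malloc(count * sizeof(long))` it protects. minitiff_read_info() starts and ends outside the hunk.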
diff --git a/gnu/packages/patches/pcmanfm-CVE-2017-8934.patch b/gnu/packages/patches/pcmanfm-CVE-2017-8934.patch
new file mode 100644
index 0000000000..489d22c83b
--- /dev/null
+++ b/gnu/packages/patches/pcmanfm-CVE-2017-8934.patch
@@ -0,0 +1,56 @@
+From bc8c3d871e9ecc67c47ff002b68cf049793faf08 Mon Sep 17 00:00:00 2001
+From: Andriy Grytsenko <andrej@rep.kiev.ua>
+Date: Sun, 14 May 2017 21:35:40 +0300
+Subject: [PATCH] Fix potential access violation, use runtime user dir instead
+ of tmp dir.
+
+---
+ NEWS | 4 ++++
+ src/single-inst.c | 7 ++++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/NEWS b/NEWS
+index 8c2049a..876f7f3 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,3 +1,7 @@
++* Fixed potential access violation, use runtime user dir instead of tmp dir
++ for single instance socket.
++
++
+ Changes on 1.2.5 since 1.2.4:
+
+ * Removed options to Cut, Remove and Rename from context menu on mounted
+diff --git a/src/single-inst.c b/src/single-inst.c
+index 62c37b3..aaf84ab 100644
+--- a/src/single-inst.c
++++ b/src/single-inst.c
+@@ -2,7 +2,7 @@
+ * single-inst.c: simple IPC mechanism for single instance app
+ *
+ * Copyright 2010 Hong Jen Yee (PCMan) <pcman.tw@gmail.com>
+- * Copyright 2012 Andriy Grytsenko (LStranger) <andrej@rep.kiev.ua>
++ * Copyright 2012-2017 Andriy Grytsenko (LStranger) <andrej@rep.kiev.ua>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -404,11 +404,16 @@ static void get_socket_name(SingleInstData* data, char* buf, int len)
+ }
+ else
+ dpynum = 0;
++#if GLIB_CHECK_VERSION(2, 28, 0)
++ g_snprintf(buf, len, "%s/%s-socket-%s-%d", g_get_user_runtime_dir(),
++ data->prog_name, host ? host : "", dpynum);
++#else
+ g_snprintf(buf, len, "%s/.%s-socket-%s-%d-%s",
+ g_get_tmp_dir(),
+ data->prog_name,
+ host ? host : "",
+ dpynum,
+ g_get_user_name());
++#endif
+ }
+
+--
+2.1.4
+
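Review bot: The patch header never names CVE-2017-8934 or says where the commit was obtained; only the file name carries the CVE id. The other CVE patches added in this merge open with `Fix CVE-...:`, advisory links and a `Patch copied from ...` line, and this one should follow the same form. In the code, the `#else` branch still builds the socket path under `g_get_tmp_dir()`, so the fix only takes effect when building against GLib 2.28 or later. That is presumably always the case for this package, but it is worth stating in the header. get_socket_name() starts before the hunk.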
diff --git a/gnu/packages/patches/perl-text-markdown-discount-use-system-markdown.patch b/gnu/packages/patches/perl-text-markdown-discount-unbundle.patch
index e0df632a04..e0df632a04 100644
--- a/gnu/packages/patches/perl-text-markdown-discount-use-system-markdown.patch
+++ b/gnu/packages/patches/perl-text-markdown-discount-unbundle.patch
diff --git a/gnu/packages/patches/procmail-CVE-2017-16844.patch b/gnu/packages/patches/procmail-CVE-2017-16844.patch
new file mode 100644
index 0000000000..b96540c8cd
--- /dev/null
+++ b/gnu/packages/patches/procmail-CVE-2017-16844.patch
@@ -0,0 +1,25 @@
+Fix CVE-2017-16844:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16844
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876511
+
+Patch copied from Debian procmail package 3.22-26:
+
+http://http.debian.net/debian/pool/main/p/procmail/procmail_3.22-26.debian.tar.xz
+
+From: Santiago Vila <sanvila@debian.org>
+Subject: Fix heap-based buffer overflow in loadbuf()
+Bug-Debian: http://bugs.debian.org/876511
+X-Debian-version: 3.22-26
+
+--- a/src/formisc.c
++++ b/src/formisc.c
+@@ -103,7 +103,7 @@
+ }
+ /* append to buf */
+ void loadbuf(text,len)const char*const text;const size_t len;
+-{ if(buffilled+len>buflen) /* buf can't hold the text */
++{ while(buffilled+len>buflen) /* buf can't hold the text */
+ buf=realloc(buf,buflen+=Bsize);
+ tmemmove(buf+buffilled,text,len);buffilled+=len;
+ }
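Review bot: The result of `realloc` in the new `while` loop of loadbuf() is assigned straight to `buf` and never checked, so an allocation failure would hand a NULL-based pointer to the following `tmemmove`. This holds unless `realloc` is redefined elsewhere in procmail as a checking wrapper, which the hunk does not show. The loop also grows the buffer by one `Bsize` step per iteration, and the sum `buffilled+len` can itself wrap for a very large `len`. Since the hunk is copied verbatim from Debian, these limits are better recorded in the patch header or raised upstream than changed here. The source archive is also referenced over plain `http://`; an `https://` URL or a recorded checksum would make the provenance verifiable.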
diff --git a/gnu/packages/patches/qemu-CVE-2017-15118.patch b/gnu/packages/patches/qemu-CVE-2017-15118.patch
new file mode 100644
index 0000000000..d427317be9
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-15118.patch
@@ -0,0 +1,58 @@
+Fix CVE-2017-15118:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15118
+https://bugzilla.redhat.com/show_bug.cgi?id=1516922
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=51ae4f8455c9e32c54770c4ebc25bf86a8128183
+
+From 51ae4f8455c9e32c54770c4ebc25bf86a8128183 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Wed, 22 Nov 2017 15:07:22 -0600
+Subject: [PATCH] nbd/server: CVE-2017-15118 Stack smash on large export name
+
+Introduced in commit f37708f6b8 (2.10). The NBD spec says a client
+can request export names up to 4096 bytes in length, even though
+they should not expect success on names longer than 256. However,
+qemu hard-codes the limit of 256, and fails to filter out a client
+that probes for a longer name; the result is a stack smash that can
+potentially give an attacker arbitrary control over the qemu
+process.
+
+The smash can be easily demonstrated with this client:
+$ qemu-io f raw nbd://localhost:10809/$(printf %3000d 1 | tr ' ' a)
+
+If the qemu NBD server binary (whether the standalone qemu-nbd, or
+the builtin server of QMP nbd-server-start) was compiled with
+-fstack-protector-strong, the ability to exploit the stack smash
+into arbitrary execution is a lot more difficult (but still
+theoretically possible to a determined attacker, perhaps in
+combination with other CVEs). Still, crashing a running qemu (and
+losing the VM) is bad enough, even if the attacker did not obtain
+full execution control.
+
+CC: qemu-stable@nongnu.org
+Signed-off-by: Eric Blake <eblake@redhat.com>
+---
+ nbd/server.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/nbd/server.c b/nbd/server.c
+index a81801e3bc..92c0fdd03b 100644
+--- a/nbd/server.c
++++ b/nbd/server.c
+@@ -386,6 +386,10 @@ static int nbd_negotiate_handle_info(NBDClient *client, uint32_t length,
+ msg = "name length is incorrect";
+ goto invalid;
+ }
++ if (namelen >= sizeof(name)) {
++ msg = "name too long for qemu";
++ goto invalid;
++ }
+ if (nbd_read(client->ioc, name, namelen, errp) < 0) {
+ return -EIO;
+ }
+--
+2.15.0
+
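Review bot: The new bound `namelen >= sizeof(name)` is only correct while `name` is a fixed-size array in nbd_negotiate_handle_info(), and its declaration lies outside this hunk. If `name` ever became a pointer, the check would silently compare against the pointer size. The `>=` rather than `>` presumably reserves a byte for a terminating NUL written after the read, which is also not visible here. A one-line comment above the check, e.g. `/* name[] must hold namelen bytes plus the terminating NUL */`, would make both assumptions explicit.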
diff --git a/gnu/packages/patches/qemu-CVE-2017-15119.patch b/gnu/packages/patches/qemu-CVE-2017-15119.patch
new file mode 100644
index 0000000000..6265ecf8d6
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-15119.patch
@@ -0,0 +1,68 @@
+Fix CVE-2017-15119:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15119
+https://bugzilla.redhat.com/show_bug.cgi?id=1516925
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=fdad35ef6c5839d50dfc14073364ac893afebc30
+
+From fdad35ef6c5839d50dfc14073364ac893afebc30 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Wed, 22 Nov 2017 16:25:16 -0600
+Subject: [PATCH] nbd/server: CVE-2017-15119 Reject options larger than 32M
+
+The NBD spec gives us permission to abruptly disconnect on clients
+that send outrageously large option requests, rather than having
+to spend the time reading to the end of the option. No real
+option request requires that much data anyways; and meanwhile, we
+already have the practice of abruptly dropping the connection on
+any client that sends NBD_CMD_WRITE with a payload larger than 32M.
+
+For comparison, nbdkit drops the connection on any request with
+more than 4096 bytes; however, that limit is probably too low
+(as the NBD spec states an export name can theoretically be up
+to 4096 bytes, which means a valid NBD_OPT_INFO could be even
+longer) - even if qemu doesn't permit exports longer than 256
+bytes.
+
+It could be argued that a malicious client trying to get us to
+read nearly 4G of data on a bad request is a form of denial of
+service. In particular, if the server requires TLS, but a client
+that does not know the TLS credentials sends any option (other
+than NBD_OPT_STARTTLS or NBD_OPT_EXPORT_NAME) with a stated
+payload of nearly 4G, then the server was keeping the connection
+alive trying to read all the payload, tying up resources that it
+would rather be spending on a client that can get past the TLS
+handshake. Hence, this warranted a CVE.
+
+Present since at least 2.5 when handling known options, and made
+worse in 2.6 when fixing support for NBD_FLAG_C_FIXED_NEWSTYLE
+to handle unknown options.
+
+CC: qemu-stable@nongnu.org
+Signed-off-by: Eric Blake <eblake@redhat.com>
+---
+ nbd/server.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/nbd/server.c b/nbd/server.c
+index 7d6801b427..a81801e3bc 100644
+--- a/nbd/server.c
++++ b/nbd/server.c
+@@ -673,6 +673,12 @@ static int nbd_negotiate_options(NBDClient *client, uint16_t myflags,
+ }
+ length = be32_to_cpu(length);
+
++ if (length > NBD_MAX_BUFFER_SIZE) {
++ error_setg(errp, "len (%" PRIu32" ) is larger than max len (%u)",
++ length, NBD_MAX_BUFFER_SIZE);
++ return -EINVAL;
++ }
++
+ trace_nbd_negotiate_options_check_option(option,
+ nbd_opt_lookup(option));
+ if (client->tlscreds &&
+--
+2.15.0
+
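Review bot: The format string in the added `error_setg` call is written `"len (%" PRIu32" ) is larger than max len (%u)"`, which prints a stray space before the closing parenthesis; `"len (%" PRIu32 ") is larger than max len (%u)"` is the intended text. The `%u` conversion also assumes that NBD_MAX_BUFFER_SIZE has type unsigned int, which the hunk does not show. The check is placed ahead of the `client->tlscreds` test, which appears to be what lets the server reject an oversized option before reading payload from a client that has not completed TLS. nbd_negotiate_options() starts and ends outside the hunk.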
diff --git a/gnu/packages/patches/shepherd-close-fds.patch b/gnu/packages/patches/shepherd-close-fds.patch
new file mode 100644
index 0000000000..2078b15265
--- /dev/null
+++ b/gnu/packages/patches/shepherd-close-fds.patch
@@ -0,0 +1,36 @@
+commit 3e346a2a84b099766ea8a3a4a4549f6172483062
+Author: Ludovic Courtès <ludo@gnu.org>
+Date: Sun Dec 3 22:30:03 2017 +0100
+
+ service: In 'exec-command', close open ports before 'execl'.
+
+ This gets rid of annoying "Bad file descriptor" warnings from shepherd.
+
+ * modules/shepherd/service.scm (exec-command): In 'loop', invoke
+ 'close-port' and the ports returned by (fdes->ports i).
+
+diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scm
+index b2d8bc5..0ad28a0 100644
+--- a/modules/shepherd/service.scm
++++ b/modules/shepherd/service.scm
+@@ -1,5 +1,5 @@
+ ;; service.scm -- Representation of services.
+-;; Copyright (C) 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
++;; Copyright (C) 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
+ ;; Copyright (C) 2002, 2003 Wolfgang Järling <wolfgang@pro-linux.de>
+ ;; Copyright (C) 2014 Alex Sassmannshausen <alex.sassmannshausen@gmail.com>
+ ;; Copyright (C) 2016 Alex Kost <alezost@gmail.com>
+@@ -744,6 +744,14 @@ false."
+
+ (let loop ((i 3))
+ (when (< i max-fd)
++ ;; First try to close any ports associated with file descriptor I.
++ ;; Otherwise the finalization thread might get around to closing
++ ;; those ports eventually, which will raise an EBADF exception (on
++ ;; 2.2), leading to messages like "error in the finalization
++ ;; thread: Bad file descriptor".
++ (for-each (lambda (port)
++ (catch-system-error (close-port port)))
++ (fdes->ports i))
+ (catch-system-error (close-fdes i))
+ (loop (+ i 1)))))
diff --git a/gnu/packages/patches/spice-CVE-2016-9577.patch b/gnu/packages/patches/spice-CVE-2016-9577.patch
deleted file mode 100644
index a2cb558cd3..0000000000
--- a/gnu/packages/patches/spice-CVE-2016-9577.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Prevent buffer overflow when reading large messages.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1401603
-https://access.redhat.com/security/cve/CVE-2016-9577
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9577
-https://security-tracker.debian.org/tracker/CVE-2016-9577
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3
-
-From 5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3 Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio <fziglio@redhat.com>
-Date: Tue, 29 Nov 2016 16:46:56 +0000
-Subject: main-channel: Prevent overflow reading messages from client
-
-diff --git a/server/main_channel.c b/server/main_channel.c
-index 0ecc9df..1fc3915 100644
---- a/server/main_channel.c
-+++ b/server/main_channel.c
-@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
-
- if (type == SPICE_MSGC_MAIN_AGENT_DATA) {
- return reds_get_agent_data_buffer(mcc, size);
-+ } else if (size > sizeof(main_chan->recv_buf)) {
-+ /* message too large, caller will log a message and close the connection */
-+ return NULL;
- } else {
- return main_chan->recv_buf;
- }
---
-cgit v0.10.2
-
diff --git a/gnu/packages/patches/spice-CVE-2016-9578-1.patch b/gnu/packages/patches/spice-CVE-2016-9578-1.patch
deleted file mode 100644
index f86cdb4eb1..0000000000
--- a/gnu/packages/patches/spice-CVE-2016-9578-1.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Prevent possible DoS during protocol handshake.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1399566
-https://access.redhat.com/security/cve/CVE-2016-9578
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9578
-https://security-tracker.debian.org/tracker/CVE-2016-9578
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f66dc643635518e53dfbe5262f814a64eec54e4a
-
-From 1c6517973095a67c8cb57f3550fc1298404ab556 Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio <fziglio@redhat.com>
-Date: Tue, 13 Dec 2016 14:39:48 +0000
-Subject: Prevent possible DoS attempts during protocol handshake
-
-diff --git a/server/reds.c b/server/reds.c
-index f40b65c..86a33d5 100644
---- a/server/reds.c
-+++ b/server/reds.c
-@@ -2202,7 +2202,8 @@ static void reds_handle_read_header_done(void *opaque)
-
- reds->peer_minor_version = header->minor_version;
-
-- if (header->size < sizeof(SpiceLinkMess)) {
-+ /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */
-+ if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) {
- reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
- spice_warning("bad size %u", header->size);
- reds_link_free(link);
---
-cgit v0.10.2
-
diff --git a/gnu/packages/patches/spice-CVE-2016-9578-2.patch b/gnu/packages/patches/spice-CVE-2016-9578-2.patch
deleted file mode 100644
index 76f7ec7ffb..0000000000
--- a/gnu/packages/patches/spice-CVE-2016-9578-2.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Fixes a potential buffer overflow in the protocol handling.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1399566
-https://access.redhat.com/security/cve/CVE-2016-9578
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9578
-https://security-tracker.debian.org/tracker/CVE-2016-9578
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f66dc643635518e53dfbe5262f814a64eec54e4a
-
-From f66dc643635518e53dfbe5262f814a64eec54e4a Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio <fziglio@redhat.com>
-Date: Tue, 13 Dec 2016 14:40:10 +0000
-Subject: Prevent integer overflows in capability checks
-
-diff --git a/server/reds.c b/server/reds.c
-index 86a33d5..9150454 100644
---- a/server/reds.c
-+++ b/server/reds.c
-@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque)
- link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps);
- link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps);
-
-+ /* Prevent DoS. Currently we defined only 13 capabilities,
-+ * I expect 1024 to be valid for quite a lot time */
-+ if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) {
-+ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
-+ reds_link_free(link);
-+ return;
-+ }
-+
- num_caps = link_mess->num_common_caps + link_mess->num_channel_caps;
- caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset);
-
---
-cgit v0.10.2
-
diff --git a/gnu/packages/patches/spice-CVE-2017-7506.patch b/gnu/packages/patches/spice-CVE-2017-7506.patch
deleted file mode 100644
index 37d8f02831..0000000000
--- a/gnu/packages/patches/spice-CVE-2017-7506.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-Fix CVE-2017-7506:
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1452606
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7506
-
-Patches copied from Debian spice package version
-'spice_0.12.8-2.1+deb9u1.debian.tar.xz':
-http://security.debian.org/debian-security/pool/updates/main/s/spice/spice_0.12.8-2.1+deb9u1.debian.tar.xz
-
-The patches had to be adapted to apply to the latest spice tarball, and
-are based on these upstream commits:
-
-https://cgit.freedesktop.org/spice/spice/commit/?id=111ab38611cef5012f1565a65fa2d8a8a05cce37
-https://cgit.freedesktop.org/spice/spice/commit/?id=571cec91e71c2aae0d5f439ea2d8439d0c3d75eb
-https://cgit.freedesktop.org/spice/spice/commit/?id=fbbcdad773e2791cfb988f4748faa41943551ca6
-
-From 257f69d619fed407493156c8a7b952abc8a51314 Mon Sep 17 00:00:00 2001
-Date: Mon, 15 May 2017 15:57:28 +0100
-Subject: [spice-server 1/3] reds: Disconnect when receiving overly big
- ClientMonitorsConfig
-
-Total message size received from the client was unlimited. There is
-a 2kiB size check on individual agent messages, but the MonitorsConfig
-message can be split in multiple chunks, and the size of the
-non-chunked MonitorsConfig message was never checked. This could easily
-lead to memory exhaustion on the host.
-
----
- server/reds.c | 25 +++++++++++++++++++++++--
- 1 file changed, 23 insertions(+), 2 deletions(-)
-
-diff --git a/server/reds.c b/server/reds.c
-index f439a3668..7be85fdfc 100644
---- a/server/reds.c
-+++ b/server/reds.c
-@@ -993,19 +993,34 @@ static void reds_client_monitors_config_cleanup(void)
- static void reds_on_main_agent_monitors_config(
- MainChannelClient *mcc, void *message, size_t size)
- {
-+ const unsigned int MAX_MONITORS = 256;
-+ const unsigned int MAX_MONITOR_CONFIG_SIZE =
-+ sizeof(VDAgentMonitorsConfig) + MAX_MONITORS * sizeof(VDAgentMonConfig);
-+
- VDAgentMessage *msg_header;
- VDAgentMonitorsConfig *monitors_config;
- RedsClientMonitorsConfig *cmc = &reds->client_monitors_config;
-
-+ // limit size of message sent by the client as this can cause a DoS through
-+ // memory exhaustion, or potentially some integer overflows
-+ if (sizeof(VDAgentMessage) + MAX_MONITOR_CONFIG_SIZE - cmc->buffer_size < size) {
-+ goto overflow;
-+ }
- cmc->buffer_size += size;
- cmc->buffer = realloc(cmc->buffer, cmc->buffer_size);
- spice_assert(cmc->buffer);
- cmc->mcc = mcc;
- memcpy(cmc->buffer + cmc->buffer_pos, message, size);
- cmc->buffer_pos += size;
-+ if (sizeof(VDAgentMessage) > cmc->buffer_size) {
-+ spice_debug("not enough data yet. %d", cmc->buffer_size);
-+ return;
-+ }
- msg_header = (VDAgentMessage *)cmc->buffer;
-- if (sizeof(VDAgentMessage) > cmc->buffer_size ||
-- msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) {
-+ if (msg_header->size > MAX_MONITOR_CONFIG_SIZE) {
-+ goto overflow;
-+ }
-+ if (msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) {
- spice_debug("not enough data yet. %d", cmc->buffer_size);
- return;
- }
-@@ -1013,6 +1028,12 @@ static void reds_on_main_agent_monitors_config(
- spice_debug("%s: %d", __func__, monitors_config->num_of_monitors);
- red_dispatcher_client_monitors_config(monitors_config);
- reds_client_monitors_config_cleanup();
-+ return;
-+
-+overflow:
-+ spice_warning("received invalid MonitorsConfig request from client, disconnecting");
-+ red_channel_client_disconnect(main_channel_client_get_base(mcc));
-+ reds_client_monitors_config_cleanup();
- }
-
- void reds_on_main_agent_data(MainChannelClient *mcc, void *message, size_t size)
---
-2.13.0
-From ff2b4ef70181087d5abd50bad76d026ec5088a93 Mon Sep 17 00:00:00 2001
-Date: Mon, 15 May 2017 15:57:28 +0100
-Subject: [spice-server 2/3] reds: Avoid integer overflows handling monitor
- configuration
-
-Avoid VDAgentMessage::size integer overflows.
-
----
- server/reds.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/server/reds.c b/server/reds.c
-index 7be85fdfc..e1c8c1086 100644
---- a/server/reds.c
-+++ b/server/reds.c
-@@ -1024,6 +1024,9 @@ static void reds_on_main_agent_monitors_config(
- spice_debug("not enough data yet. %d", cmc->buffer_size);
- return;
- }
-+ if (msg_header->size < sizeof(VDAgentMonitorsConfig)) {
-+ goto overflow;
-+ }
- monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header));
- spice_debug("%s: %d", __func__, monitors_config->num_of_monitors);
- red_dispatcher_client_monitors_config(monitors_config);
---
-2.13.0
-From 8cc3d7df2792751939cc832f4110c57e2addfca5 Mon Sep 17 00:00:00 2001
-Date: Mon, 15 May 2017 15:57:28 +0100
-Subject: [spice-server 3/3] reds: Avoid buffer overflows handling monitor
- configuration
-
-It was also possible for a malicious client to set
-VDAgentMonitorsConfig::num_of_monitors to a number larger
-than the actual size of VDAgentMOnitorsConfig::monitors.
-This would lead to buffer overflows, which could allow the guest to
-read part of the host memory. This might cause write overflows in the
-host as well, but controlling the content of such buffers seems
-complicated.
-
----
- server/reds.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/server/reds.c b/server/reds.c
-index e1c8c1086..3a42c3755 100644
---- a/server/reds.c
-+++ b/server/reds.c
-@@ -1000,6 +1000,7 @@ static void reds_on_main_agent_monitors_config(
- VDAgentMessage *msg_header;
- VDAgentMonitorsConfig *monitors_config;
- RedsClientMonitorsConfig *cmc = &reds->client_monitors_config;
-+ uint32_t max_monitors;
-
- // limit size of message sent by the client as this can cause a DoS through
- // memory exhaustion, or potentially some integer overflows
-@@ -1028,6 +1029,12 @@ static void reds_on_main_agent_monitors_config(
- goto overflow;
- }
- monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header));
-+ // limit the monitor number to avoid buffer overflows
-+ max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) /
-+ sizeof(VDAgentMonConfig);
-+ if (monitors_config->num_of_monitors > max_monitors) {
-+ goto overflow;
-+ }
- spice_debug("%s: %d", __func__, monitors_config->num_of_monitors);
- red_dispatcher_client_monitors_config(monitors_config);
- reds_client_monitors_config_cleanup();
---
-2.13.0
diff --git a/gnu/packages/patches/supertuxkart-angelscript-ftbfs.patch b/gnu/packages/patches/supertuxkart-angelscript-ftbfs.patch
deleted file mode 100644
index db3c56861b..0000000000
--- a/gnu/packages/patches/supertuxkart-angelscript-ftbfs.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-https://github.com/supertuxkart/stk-code/commit/5e05f1178ce6bc5f3a653b55ab3dc6d016196341.patch
-
-From 5e05f1178ce6bc5f3a653b55ab3dc6d016196341 Mon Sep 17 00:00:00 2001
-From: Deve <deveee@gmail.com>
-Date: Mon, 3 Oct 2016 23:26:09 +0200
-Subject: [PATCH] Fixed compiler error on Linux with non-x86 64bit platforms,
- e.g. arm64, mips, and s390x architectures
-
-This modification is already applied in upstream angelscript repository:
-https://sourceforge.net/p/angelscript/code/2353/
-
-Thanks to Adrian Bunk and Andreas Jonsson
----
- lib/angelscript/projects/cmake/CMakeLists.txt | 1 +
- lib/angelscript/source/as_config.h | 2 +-
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/lib/angelscript/projects/cmake/CMakeLists.txt b/lib/angelscript/projects/cmake/CMakeLists.txt
-index e93971315e..755d8378c3 100644
---- a/lib/angelscript/projects/cmake/CMakeLists.txt
-+++ b/lib/angelscript/projects/cmake/CMakeLists.txt
-@@ -67,6 +67,7 @@ set(ANGELSCRIPT_SOURCE
- ../../source/as_builder.cpp
- ../../source/as_bytecode.cpp
- ../../source/as_callfunc.cpp
-+ ../../source/as_callfunc_mips.cpp
- ../../source/as_callfunc_x86.cpp
- ../../source/as_callfunc_x64_gcc.cpp
- ../../source/as_callfunc_x64_msvc.cpp
-diff --git a/lib/angelscript/source/as_config.h b/lib/angelscript/source/as_config.h
-index cb05bffbd5..5bb5b8e800 100644
---- a/lib/angelscript/source/as_config.h
-+++ b/lib/angelscript/source/as_config.h
-@@ -844,7 +844,7 @@
- #define THISCALL_PASS_OBJECT_POINTER_ON_THE_STACK
- #define AS_X86
- #undef AS_NO_THISCALL_FUNCTOR_METHOD
-- #elif defined(__LP64__) && !defined(__arm64__)
-+ #elif defined(__x86_64__)
- #define AS_X64_GCC
- #undef AS_NO_THISCALL_FUNCTOR_METHOD
- #define HAS_128_BIT_PRIMITIVES
diff --git a/gnu/packages/patches/vpnc-script.patch b/gnu/packages/patches/vpnc-script.patch
deleted file mode 100644
index a0d9481952..0000000000
--- a/gnu/packages/patches/vpnc-script.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-This patch adapts the vpnc script to newer kernel versions, see
- https://lkml.org/lkml/2011/3/24/645
-
-diff -u a/vpnc-script.in b/vpnc-script.in
---- a/vpnc-script.in 2013-03-03 13:55:16.000000000 +0100
-+++ b/vpnc-script.in 2013-03-03 13:56:11.000000000 +0100
-@@ -116,7 +116,7 @@
-
- if [ -n "$IPROUTE" ]; then
- fix_ip_get_output () {
-- sed 's/cache//;s/metric \?[0-9]\+ [0-9]\+//g;s/hoplimit [0-9]\+//g'
-+ sed 's/cache//;s/metric \?[0-9]\+ [0-9]\+//g;s/hoplimit [0-9]\+//g;s/ipid 0x....//g'
- }
-
- set_vpngateway_route() {