summary refs log tree commit diff
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2018-02-11 04:05:07 -0500
committerMark H Weaver <mhw@netris.org>2018-02-11 04:05:07 -0500
commita7fb29866520d5661e0ac8e47957c91a2a43e11e (patch)
tree50a169b022edbb31db49f09809d30dfe8597b862
parent6730d895d3992f37f35f5351332f51a4be2fda50 (diff)
parent31c7002b466c6d09400a95bc15774f232b51ce0b (diff)
downloadguix-a7fb29866520d5661e0ac8e47957c91a2a43e11e.tar.gz
Merge branch 'master' into core-updates
-rw-r--r--doc/guix.texi35
-rw-r--r--gnu/local.mk17
-rw-r--r--gnu/packages/admin.scm4
-rw-r--r--gnu/packages/avahi.scm27
-rw-r--r--gnu/packages/code.scm60
-rw-r--r--gnu/packages/compression.scm15
-rw-r--r--gnu/packages/emacs.scm2
-rw-r--r--gnu/packages/games.scm25
-rw-r--r--gnu/packages/glib.scm11
-rw-r--r--gnu/packages/guile.scm10
-rw-r--r--gnu/packages/image.scm12
-rw-r--r--gnu/packages/java.scm587
-rw-r--r--gnu/packages/linux.scm12
-rw-r--r--gnu/packages/mail.scm8
-rw-r--r--gnu/packages/mtools.scm5
-rw-r--r--gnu/packages/music.scm18
-rw-r--r--gnu/packages/networking.scm4
-rw-r--r--gnu/packages/package-management.scm6
-rw-r--r--gnu/packages/patches/clementine-remove-crypto++-dependency.patch19
-rw-r--r--gnu/packages/patches/emacs-browse-at-remote-cgit-gnu.patch59
-rw-r--r--gnu/packages/patches/java-xerces-bootclasspath.patch38
-rw-r--r--gnu/packages/patches/java-xerces-build_dont_unzip.patch44
-rw-r--r--gnu/packages/patches/java-xerces-xjavac_taskdef.patch45
-rw-r--r--gnu/packages/patches/libtasn1-CVE-2018-6003.patch73
-rw-r--r--gnu/packages/patches/libtiff-CVE-2017-18013.patch45
-rw-r--r--gnu/packages/patches/libtiff-CVE-2017-9935.patch162
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5974.patch28
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5975.patch32
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5976.patch61
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5978.patch37
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5979.patch19
-rw-r--r--gnu/packages/patches/zziplib-CVE-2017-5981.patch19
-rw-r--r--gnu/packages/qt.scm6
-rw-r--r--gnu/packages/ruby.scm2
-rw-r--r--gnu/packages/samba.scm4
-rw-r--r--gnu/packages/shells.scm6
-rw-r--r--gnu/packages/terminals.scm6
-rw-r--r--gnu/packages/tls.scm9
-rw-r--r--gnu/packages/video.scm4
-rw-r--r--gnu/packages/virtualization.scm7
-rw-r--r--gnu/packages/web.scm38
-rw-r--r--gnu/packages/xml.scm489
-rw-r--r--gnu/services/avahi.scm6
-rw-r--r--gnu/services/games.scm81
-rw-r--r--guix/licenses.scm6
-rw-r--r--guix/ssh.scm17
46 files changed, 1946 insertions, 274 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index 68f6c12294..13187f2e82 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -43,7 +43,7 @@ Copyright @copyright{} 2017 Maxim Cournoyer@*
 Copyright @copyright{} 2017, 2018 Tobias Geerinckx-Rice@*
 Copyright @copyright{} 2017 George Clemmer@*
 Copyright @copyright{} 2017 Andy Wingo@*
-Copyright @copyright{} 2017 Arun Isaac@*
+Copyright @copyright{} 2017, 2018 Arun Isaac@*
 Copyright @copyright{} 2017 nee@*
 Copyright @copyright{} 2018 Rutger Helling
 
@@ -249,6 +249,7 @@ Services
 * Audio Services::              The MPD.
 * Virtualization Services::     Virtualization services.
 * Version Control Services::    Providing remote access to Git repositories.
+* Game Services::                Game servers.
 * Miscellaneous Services::      Other services.
 
 Defining Services
@@ -9575,6 +9576,7 @@ declaration.
 * Audio Services::              The MPD.
 * Virtualization Services::     Virtualization services.
 * Version Control Services::    Providing remote access to Git repositories.
+* Game Services::                Game servers.
 * Miscellaneous Services::      Other services.
 @end menu
 
@@ -18201,6 +18203,37 @@ HTTPS.  You will also need to add an @code{fcgiwrap} proxy to your
 system services.  @xref{Web Services}.
 @end deffn
 
+@node Game Services
+@subsubsection Game Services
+
+@subsubheading The Battle for Wesnoth Service
+@cindex wesnothd
+@uref{https://wesnoth.org, The Battle for Wesnoth} is a fantasy, turn
+based tactical strategy game, with several single player campaigns, and
+multiplayer games (both networked and local).
+
+@defvar {Scheme Variable} wesnothd-service-type
+Service type for the wesnothd service.  Its value must be a
+@code{wesnothd-configuration} object.  To run wesnothd in the default
+configuration, instantiate it as:
+
+@example
+(service wesnothd-service-type)
+@end example
+@end defvar
+
+@deftp {Data Type} wesnothd-configuration
+Data type representing the configuration of @command{wesnothd}.
+
+@table @asis
+@item @code{package} (default: @code{wesnoth-server})
+The wesnoth server package to use.
+
+@item @code{port} (default: @code{15000})
+The port to bind the server to.
+@end table
+@end deftp
+
 @node Miscellaneous Services
 @subsubsection Miscellaneous Services
 
diff --git a/gnu/local.mk b/gnu/local.mk
index 0a7810df9d..030ea8397a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -459,6 +459,7 @@ GNU_SYSTEM_MODULES =				\
   %D%/services/desktop.scm			\
   %D%/services/dict.scm				\
   %D%/services/dns.scm				\
+  %D%/services/games.scm			\
   %D%/services/kerberos.scm			\
   %D%/services/lirc.scm				\
   %D%/services/virtualization.scm		\
@@ -581,6 +582,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/clang-3.8-libc-search-path.patch		\
   %D%/packages/patches/clang-runtime-asan-build-fixes.patch	\
   %D%/packages/patches/clang-runtime-esan-build-fixes.patch	\
+  %D%/packages/patches/clementine-remove-crypto++-dependency.patch	\
   %D%/packages/patches/clementine-use-openssl.patch		\
   %D%/packages/patches/clisp-glibc-2.26.patch			\
   %D%/packages/patches/clisp-remove-failing-test.patch		\
@@ -621,6 +623,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/elfutils-tests-ptrace.patch		\
   %D%/packages/patches/elixir-disable-failing-tests.patch	\
   %D%/packages/patches/einstein-build.patch			\
+  %D%/packages/patches/emacs-browse-at-remote-cgit-gnu.patch	\
   %D%/packages/patches/emacs-exec-path.patch			\
   %D%/packages/patches/emacs-fix-scheme-indent-function.patch	\
   %D%/packages/patches/emacs-json-reformat-fix-tests.patch	\
@@ -775,6 +778,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/isl-0.11.1-aarch64-support.patch	\
   %D%/packages/patches/jacal-fix-texinfo.patch			\
   %D%/packages/patches/java-powermock-fix-java-files.patch		\
+  %D%/packages/patches/java-xerces-bootclasspath.patch	\
+  %D%/packages/patches/java-xerces-build_dont_unzip.patch	\
+  %D%/packages/patches/java-xerces-xjavac_taskdef.patch	\
   %D%/packages/patches/jemalloc-arm-address-bits.patch		\
   %D%/packages/patches/jbig2dec-ignore-testtest.patch		\
   %D%/packages/patches/jq-CVE-2015-8863.patch			\
@@ -846,8 +852,11 @@ dist_patch_DATA =						\
   %D%/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch	\
   %D%/packages/patches/libtar-CVE-2013-4420.patch 		\
   %D%/packages/patches/libtasn1-CVE-2017-10790.patch		\
+  %D%/packages/patches/libtasn1-CVE-2018-6003.patch		\
   %D%/packages/patches/libtheora-config-guess.patch		\
   %D%/packages/patches/libtirpc-missing-headers.patch		\
+  %D%/packages/patches/libtiff-CVE-2017-9935.patch		\
+  %D%/packages/patches/libtiff-CVE-2017-18013.patch		\
   %D%/packages/patches/libtool-skip-tests2.patch		\
   %D%/packages/patches/libusb-0.1-disable-tests.patch		\
   %D%/packages/patches/libusb-for-axoloti.patch			\
@@ -1163,13 +1172,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/xinetd-CVE-2013-4342.patch		\
   %D%/packages/patches/xmodmap-asprintf.patch 			\
   %D%/packages/patches/libyaml-CVE-2014-9130.patch 		\
-  %D%/packages/patches/zathura-plugindir-environment-variable.patch	\
-  %D%/packages/patches/zziplib-CVE-2017-5974.patch		\
-  %D%/packages/patches/zziplib-CVE-2017-5975.patch		\
-  %D%/packages/patches/zziplib-CVE-2017-5976.patch		\
-  %D%/packages/patches/zziplib-CVE-2017-5978.patch		\
-  %D%/packages/patches/zziplib-CVE-2017-5979.patch		\
-  %D%/packages/patches/zziplib-CVE-2017-5981.patch
+  %D%/packages/patches/zathura-plugindir-environment-variable.patch
 
 MISC_DISTRO_FILES =				\
   %D%/packages/ld-wrapper.in
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 35e6b202b0..61ab9654f7 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -1198,7 +1198,7 @@ module slots, and the list of I/O ports (e.g. serial, parallel, USB).")
 (define-public acpica
   (package
     (name "acpica")
-    (version "20171110")
+    (version "20180209")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -1206,7 +1206,7 @@ module slots, and the list of I/O ports (e.g. serial, parallel, USB).")
                     version ".tar.gz"))
               (sha256
                (base32
-                "08g83qvhfx04vzb3f3pfpkp0w601v6csjzdv7z1vjzz1k71h7yml"))))
+                "04hyc5s9iiyiznvspx7q73r6ns98d51wrv8zfvqbqv52gqq8hzdh"))))
     (build-system gnu-build-system)
     (native-inputs `(("flex" ,flex)
                      ("bison" ,bison)))
diff --git a/gnu/packages/avahi.scm b/gnu/packages/avahi.scm
index 661214e23a..c8d7196d72 100644
--- a/gnu/packages/avahi.scm
+++ b/gnu/packages/avahi.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2017 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
@@ -100,3 +100,28 @@ DNS-SD (for \"DNS-Based Service Discovery\") protocols.")
 most often used in home and other small networks without a local name server,
 to resolve host names in the @samp{.local} top-level domain.")
     (license lgpl2.1+)))
+
+(define-public nss-mdns-0.10
+  ;; Kept here to work around in bug in 0.11: <https://bugs.gnu.org/30396> and
+  ;; <https://github.com/lathiat/nss-mdns/issues/26>.
+  (package
+    (inherit nss-mdns)
+    (version "0.10")
+    (source (origin
+              (method url-fetch)
+              (uri (list
+                    (string-append
+                     "mirror://debian/pool/main/n/nss-mdns/nss-mdns_"
+                     version ".orig.tar.gz")
+                    "http://pkgs.fedoraproject.org/repo/pkgs/nss-mdns/nss-mdns-0.10.tar.gz/03938f17646efbb50aa70ba5f99f51d7/nss-mdns-0.10.tar.gz"
+
+                    ;; This used to be the canonical URL but it vanished.
+                    ;; See <http://bugs.gnu.org/18704>.
+                    ;; (string-append
+                    ;;  "http://0pointer.de/lennart/projects/nss-mdns/nss-mdns-"
+                    ;;  version ".tar.gz")
+                    ))
+              (sha256
+               (base32
+                "0vgs6j0qsl0mwzh5a0m0bykr7x6bx79vnbyn0r3q289rghp3qs0y"))
+              (file-name (string-append "nss-mdns-" version ".tar.gz"))))))
diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 93723d1a01..2067067f20 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -29,6 +29,7 @@
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system cmake)
+  #:use-module (guix build-system trivial)
   #:use-module (gnu packages)
   #:use-module (gnu packages base)
   #:use-module (gnu packages compression)
@@ -105,14 +106,14 @@ highlighting your own code that seemed comprehensible when you wrote it.")
 (define-public global                             ; a global variable
   (package
     (name "global")
-    (version "6.6.1")
+    (version "6.6.2")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/global/global-"
                                  version ".tar.gz"))
              (sha256
               (base32
-               "1r2r6z41lmgbszzwx7h3jqhwnqb9jj32pndzhr3lb0id710c8gcl"))))
+               "0zvi5vxwiq0dy8mq2cgs64m8harxs0fvkmsnvi0ayb0w608lgij3"))))
     (build-system gnu-build-system)
     (inputs `(("ncurses" ,ncurses)
               ("libltdl" ,libltdl)
@@ -440,3 +441,58 @@ symbolnames etc.  There’s also limited support for ObjC/ObjC++.  It allows you
 to find symbols by name (including nested class and namespace scope).  Most
 importantly we give you proper follow-symbol and find-references support.")
     (license license:gpl3+)))
+
+(define-public colormake
+  (package
+    (name "colormake")
+    (version "0.9.20140503")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "https://github.com/pagekite/Colormake/archive/"
+                           version ".tar.gz"))
+       (file-name (string-append name "-" version ".tar.gz"))
+       (sha256
+        (base32
+         "08ldss9zd8ls6bjahvxhffpsjcysifr720yf3jz9db2mlklzmyd3"))))
+    (build-system trivial-build-system)
+    (native-inputs
+     `(("bash" ,bash)
+       ("gzip" ,gzip)
+       ("perl" ,perl)
+       ("tar" ,tar)))
+    (arguments
+     `(#:modules ((guix build utils))
+       #:builder
+       (begin
+         (use-modules (guix build utils))
+         ;; bootstrap
+         (setenv "PATH" (string-append
+                         (assoc-ref %build-inputs "tar") "/bin" ":"
+                         (assoc-ref %build-inputs "gzip") "/bin"))
+         (invoke "tar" "xvf" (assoc-ref %build-inputs "source"))
+         (chdir (string-append (string-capitalize ,name) "-" ,version))
+         (patch-shebang  "colormake.pl"
+                         (list (string-append (assoc-ref %build-inputs "perl")
+                                              "/bin")))
+         (let* ((out (assoc-ref %outputs "out"))
+                (bin (string-append out "/bin"))
+                (doc (string-append out "/share/doc"))
+                (install-files (lambda (files directory)
+                                 (for-each (lambda (file)
+                                             (install-file file directory))
+                                           files))))
+           (substitute* "colormake"
+             (("colormake\\.pl") (string-append bin "/colormake.pl"))
+             (("/bin/bash")
+              (string-append (assoc-ref %build-inputs "bash") "/bin/sh")))
+           (install-file "colormake.1" (string-append doc "/man/man1"))
+           (install-files '("AUTHORS" "BUGS" "ChangeLog" "README") doc)
+           (install-files '("colormake" "colormake-short" "clmake"
+                            "clmake-short" "colormake.pl")
+                          bin)))))
+    (home-page "http://bre.klaki.net/programs/colormake/")
+    (synopsis "Wrapper around @command{make} to produce colored output")
+    (description "This package provides a wrapper around @command{make} to
+produce colored output.")
+    (license license:gpl2+)))
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index cd98d525e5..86dc809adb 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -1781,22 +1781,16 @@ recreates the stored directory structure by default.")
 (define-public zziplib
   (package
     (name "zziplib")
-    (version "0.13.62")
+    (version "0.13.68")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "mirror://sourceforge/zziplib/zziplib13/"
                            version "/zziplib-"
                            version ".tar.bz2"))
-       (patches (search-patches "zziplib-CVE-2017-5974.patch"
-                                "zziplib-CVE-2017-5975.patch"
-                                "zziplib-CVE-2017-5976.patch"
-                                "zziplib-CVE-2017-5978.patch"
-                                "zziplib-CVE-2017-5979.patch"
-                                "zziplib-CVE-2017-5981.patch"))
        (sha256
         (base32
-         "0nsjqxw017hiyp524p9316283jlf5piixc1091gkimhz38zh7f51"))))
+         "1s0wz1hf2q4qxcp4lkg4rzpbz2814xagmvlyicqdj0ww0cvxv036"))))
     (build-system gnu-build-system)
     (inputs
      `(("zlib" ,zlib)))
@@ -1807,7 +1801,10 @@ recreates the stored directory structure by default.")
                      ("python" ,python-2)
                      ("zip" ,zip))) ; to create test files
     (arguments
-     `(#:parallel-tests? #f)) ; since test files are created on the fly
+     ;; XXX: "make check" is broken, and the alternative (test/zziptests.py)
+     ;; requires network access.  See <https://github.com/gdraheim/zziplib/issues/20>
+     ;; and <https://github.com/gdraheim/zziplib/issues/24>.
+     `(#:tests? #f))
     (home-page "http://zziplib.sourceforge.net/")
     (synopsis "Library for accessing zip files")
     (description
diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm
index 5478376bf0..d7effa4a87 100644
--- a/gnu/packages/emacs.scm
+++ b/gnu/packages/emacs.scm
@@ -6570,6 +6570,8 @@ Idris.")
                       (url "https://github.com/rmuslimov/browse-at-remote.git")
                       (commit commit)))
                 (file-name (string-append name "-" version "-checkout"))
+                (patches
+                 (search-patches "emacs-browse-at-remote-cgit-gnu.patch"))
                 (sha256
                  (base32
                   "017cb8lf7zbg0jmr7zxzd7d5kz2jy35cvw5vcpdmq1fdr3wqwkgj"))))
diff --git a/gnu/packages/games.scm b/gnu/packages/games.scm
index 5e146e93c3..71fce7f5d3 100644
--- a/gnu/packages/games.scm
+++ b/gnu/packages/games.scm
@@ -25,7 +25,7 @@
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2016 Steve Webber <webber.sl@gmail.com>
 ;;; Copyright © 2017 Adonay "adfeno" Felipe Nogueira <https://libreplanet.org/wiki/User:Adfeno> <adfeno@hyperbola.info>
-;;; Copyright © 2017 Arun Isaac <arunisaac@systemreboot.net>
+;;; Copyright © 2017, 2018 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2017 nee <nee-git@hidamari.blue>
 ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
@@ -1898,6 +1898,29 @@ experience and advance levels, and are carried over from one scenario to the
 next campaign.")
     (license license:gpl2+)))
 
+(define-public wesnoth-server
+  (package
+    (inherit wesnoth)
+    (name "wesnoth-server")
+    (inputs
+     `(("boost" ,boost)
+       ("sdl-net" ,sdl-net)))
+    (arguments
+     (append
+      (substitute-keyword-arguments (package-arguments wesnoth)
+        ((#:configure-flags configure-flags)
+         `(append ,configure-flags (list "-DENABLE_GAME=OFF"))))
+      `(#:phases
+        (modify-phases %standard-phases
+          ;; Delete game assets not required by the server.
+          (add-after 'install 'delete-data
+            (lambda* (#:key outputs #:allow-other-keys)
+              (delete-file-recursively (string-append (assoc-ref outputs "out")
+                                                      "/share/wesnoth"))))))))
+    (synopsis "Dedicated @emph{Battle for Wesnoth} server")
+    (description "This package contains a dedicated server for @emph{The
+Battle for Wesnoth}.")))
+
 (define-public dosbox
   (package
     (name "dosbox")
diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm
index 77b8bdbb67..d32472b85e 100644
--- a/gnu/packages/glib.scm
+++ b/gnu/packages/glib.scm
@@ -729,17 +729,18 @@ programming langauage.  It also contains the utility
      `(("gettext" ,gettext-minimal)
        ("glib:bin" ,glib "bin")         ; for glib-compile-resources
        ("pkg-config" ,pkg-config)))
+    (propagated-inputs
+     `(("gcab" ,gcab) ; for .pc file
+       ("gdk-pixbuf" ,gdk-pixbuf) ; for .pc file
+       ("util-linux" ,util-linux))) ; for .pc file
     (inputs
-     `(("gdk-pixbuf" ,gdk-pixbuf)
-       ("gcab" ,gcab)
-       ("glib" ,glib)
+     `(("glib" ,glib)
        ("gperf" ,gperf)
        ("gtk+" ,gtk+)
        ("json-glib" ,json-glib)
        ("libarchive" ,libarchive)
        ("libsoup" ,libsoup)
-       ("libyaml" ,libyaml)
-       ("util-linux" ,util-linux)))     ; for libuuid
+       ("libyaml" ,libyaml)))
     (arguments
      `(#:configure-flags
        (list "-Ddep11=false"
diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index 3283a675a0..3acb48a96d 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -706,7 +706,9 @@ format is also supported.")
              (lambda _
                (substitute* "configure.ac"
                  (("PKG_CHECK_MODULES\\(\\[GUILE\\],.*$")
-                  "PKG_CHECK_MODULES([GUILE], [guile-2.2])\n"))
+                  "PKG_CHECK_MODULES([GUILE], [guile-2.2])\n")
+                 (("guile/site/2.0")
+                  "guile/site/2.2"))
                #t))
            (add-after 'use-guile-2.2 'bootstrap
              (lambda _
@@ -1188,8 +1190,8 @@ Guile's foreign function interface.")
   (deprecated-package "guile2.2-gdbm-ffi" guile-gdbm-ffi))
 
 (define-public guile-sqlite3
-  (let ((commit "21f35ca87517194d8fcc7ac166b5e77f5f5348b0")
-        (revision "2"))
+  (let ((commit "1cd1dec96a9999db48c0ff45bab907efc637247f")
+        (revision "3"))
     (package
       (name "guile-sqlite3")
       (version (git-version "0.0" revision commit))
@@ -1205,7 +1207,7 @@ Guile's foreign function interface.")
                       (commit commit)))
                 (sha256
                  (base32
-                  "0m33di5gz0a6n6q380v1y8apm5hrynzyl4ri8ar4j202hwjqi1y2"))
+                  "0vvdgwcshrgl6dfz5cxf0l9bl44nkgah0ph3vv464d55nd8qh4b6"))
                 (file-name (string-append name "-" version "-checkout"))
                 (modules '((guix build utils)))
                 (snippet
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 9358b5a52c..9052a34e96 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -391,6 +391,7 @@ extracting icontainer icon files.")
   (package
    (name "libtiff")
    (version "4.0.9")
+   (replacement libtiff/fixed)
    (source
      (origin
        (method url-fetch)
@@ -420,6 +421,17 @@ collection of tools for doing simple manipulations of TIFF images.")
                                   "See COPYRIGHT in the distribution."))
    (home-page "http://www.simplesystems.org/libtiff/")))
 
+(define libtiff/fixed
+  (package
+    (inherit libtiff)
+    (source
+      (origin
+        (inherit (package-source libtiff))
+        (patches
+          (append (origin-patches (package-source libtiff))
+                  (search-patches "libtiff-CVE-2017-9935.patch"
+                                  "libtiff-CVE-2017-18013.patch")))))))
+
 (define-public leptonica
   (package
     (name "leptonica")
diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 46d920e285..19169f65e6 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -7768,3 +7768,590 @@ outputting XML data from Java code.")
     (description "Xbean-reflect provides very flexible ways to create objects
 and graphs of objects for dependency injection frameworks")
     (license license:asl2.0)))
+
+(define-public java-geronimo-xbean-bundleutils
+  (package
+    (inherit java-geronimo-xbean-reflect)
+    (name "java-geronimo-xbean-bundleutils")
+    (arguments
+     `(#:jar-name "geronimo-xbean-bundleutils.jar"
+       #:source-dir "xbean-bundleutils/src/main/java"
+       #:test-dir "xbean-bundleutils/src/test"
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'build 'fix-java
+           (lambda _
+             ;; We use a more recent version of osgi, so this file requires
+             ;; more interface method implementations.
+             (substitute* "xbean-bundleutils/src/main/java/org/apache/xbean/osgi/bundle/util/DelegatingBundleContext.java"
+               (("import org.osgi.framework.ServiceRegistration;")
+                "import org.osgi.framework.ServiceRegistration;
+import org.osgi.framework.ServiceFactory;
+import java.util.Collection;
+import org.osgi.framework.ServiceObjects;")
+               (("public Bundle getBundle\\(\\)")
+                "@Override
+public <S> ServiceObjects<S> getServiceObjects(ServiceReference<S> reference) {
+ throw new UnsupportedOperationException();
+}
+@Override
+public <S> ServiceRegistration<S> registerService(Class<S> clazz,
+        ServiceFactory<S> factory, Dictionary<String, ?> properties) {
+ throw new UnsupportedOperationException();
+}
+public Bundle getBundle()"))
+             #t)))))
+    (inputs
+     `(("java-slf4j" ,java-slf4j-api)
+       ("java-asm" ,java-asm)
+       ("java-osgi-framework" ,java-osgi-framework)
+       ("java-eclipse-osgi" ,java-eclipse-osgi)
+       ("java-osgi-service-packageadmin" ,java-osgi-service-packageadmin)))))
+ 
+(define-public java-geronimo-xbean-asm-util
+  (package
+    (inherit java-geronimo-xbean-reflect)
+    (name "java-geronimo-xbean-asm-util")
+    (arguments
+     `(#:jar-name "geronimo-xbean-asm-util.jar"
+       #:source-dir "xbean-asm-util/src/main/java"
+       #:tests? #f)); no tests
+    (inputs
+     `(("java-asm" ,java-asm)))
+    (native-inputs '())))
+ 
+(define-public java-geronimo-xbean-finder
+  (package
+    (inherit java-geronimo-xbean-reflect)
+    (name "java-geronimo-xbean-finder")
+    (arguments
+     `(#:jar-name "geronimo-xbean-finder.jar"
+       #:source-dir "xbean-finder/src/main/java"
+       #:test-dir "xbean-finder/src/test"))
+    (inputs
+     `(("java-slf4j-api" ,java-slf4j-api)
+       ("java-asm" ,java-asm)
+       ("java-geronimo-xbean-bundleutils" ,java-geronimo-xbean-bundleutils)
+       ("java-geronimo-xbean-asm-util" ,java-geronimo-xbean-asm-util)
+       ("java-osgi-service-packageadmin" ,java-osgi-service-packageadmin)
+       ("java-osgi-framework" ,java-osgi-framework)))
+    (native-inputs
+     `(("java-junit" ,java-junit)
+       ("java-hamcrest-core" ,java-hamcrest-core)))))
+
+(define-public java-gson
+  (package
+    (name "java-gson")
+    (version "2.8.2")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/google/gson/archive/"
+                                  "gson-parent-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1j4qnp7v046q0k48c4kyf69sxaasx2h949d3cqwsm3kzxms3x0f9"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:jar-name "gson.jar"
+       #:source-dir "gson/src/main/java"
+       #:test-dir "gson/src/test"))
+    (native-inputs
+     `(("java-junit" ,java-junit)
+       ("java-hamcrest-core" ,java-hamcrest-core)))
+    (home-page "https://github.com/google/gson")
+    (synopsis "Java serialization/deserialization library from/to JSON")
+    (description "Gson is a Java library that can be used to convert Java
+Objects into their JSON representation.  It can also be used to convert a JSON
+string to an equivalent Java object.  Gson can work with arbitrary Java objects
+including pre-existing objects that you do not have source-code of.")
+    (license license:asl2.0)))
+
+(define-public java-hawtjni
+  (package
+    (name "java-hawtjni")
+    (version "1.15")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/fusesource/hawtjni/archive/"
+                                  "hawtjni-project-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1bqfd732rmh6svyx17fpw9175gc9gzkcbyps2yyrf50c3zzjas6g"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:jar-name "hawtjni.jar"
+       #:source-dir "hawtjni-generator/src/main/java:hawtjni-runtime/src/main/java"
+       #:tests? #f; no tests
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'build 'build-native
+           (lambda* (#:key inputs #:allow-other-keys)
+             (with-directory-excursion "hawtjni-generator/src/main/resources/"
+               (and
+                 (system* "gcc" "-c" "hawtjni.c" "-o" "hawtjni.o"
+                          "-fPIC" "-O2"
+                          (string-append "-I" (assoc-ref inputs "jdk") "/include/linux"))
+                 (system* "gcc" "-c" "hawtjni-callback.c" "-o" "hawtjni-callback.o"
+                          "-fPIC" "-O2"
+                          (string-append "-I" (assoc-ref inputs "jdk") "/include/linux"))
+                 (system* "gcc" "-o" "libhawtjni.so" "-shared"
+                          "hawtjni.o" "hawtjni-callback.o")))))
+         (add-after 'install 'install-native
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let* ((out (assoc-ref outputs "out"))
+                    (lib (string-append out "/lib"))
+                    (inc (string-append out "/include")))
+               (mkdir-p lib)
+               (mkdir-p inc)
+               (with-directory-excursion "hawtjni-generator/src/main/resources/"
+                 (copy-file "libhawtjni.so" (string-append lib "/libhawtjni.so"))
+                 (copy-file "hawtjni.h" (string-append inc "/hawtjni.h"))))
+             #t)))))
+    (inputs
+     `(("java-commons-cli" ,java-commons-cli)
+       ("java-asm" ,java-asm)
+       ("java-geronimo-xbean-finder" ,java-geronimo-xbean-finder)))
+    (home-page "https://fusesource.github.io/hawtjni/")
+    (synopsis "JNI code generator")
+    (description "HawtJNI is a code generator that produces the JNI code needed
+to implement Java native methods.  It is based on the jnigen code generator
+that is part of the SWT Tools project.")
+    (license license:asl2.0)))
+
+(define-public java-jansi-native
+  (package
+    (name "java-jansi-native")
+    (version "1.7")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/fusesource/jansi-native/"
+                                  "archive/jansi-native-" version ".tar.gz"))
+              (sha256
+               (base32
+                "0j2ydlgxbzbgshqkwghbxxxnbnx1mmjgd6k5fw6xfvxw1z956yqf"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:jar-name "jansi-native.jar"
+       #:source-dir "src/main/java"
+       #:tests? #f; no tests
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'build 'build-native
+           (lambda* (#:key inputs #:allow-other-keys)
+             ;; there are more required files for windows in windows/
+             (with-directory-excursion "src/main/native-package/src"
+               (substitute* "jansi_ttyname.c"
+                 (("#include \"jansi_.*") ""))
+               (and
+                 (system* "gcc" "-c" "jansi_ttyname.c" "-o" "jansi_ttyname.o"
+                          (string-append "-I" (assoc-ref inputs "java-hawtjni")
+                                         "/include")
+                          (string-append "-I" (assoc-ref inputs "jdk")
+                                         "/include/linux")
+                          "-fPIC" "-O2")
+                 (system* "gcc" "-o" "libjansi.so" "-shared" "jansi_ttyname.o")))))
+         (add-before 'build 'install-native
+           (lambda _
+             (let ((dir (string-append "build/classes/META-INF/native/"
+                                       ,(match (%current-system)
+                                          ((or "i686-linux" "armhf-linux")
+                                           "linux32")
+                                          ((or "x86_64-linux" "aarch64-linux")
+                                           "linux64")))))
+               (install-file "src/main/native-package/src/libjansi.so" dir))
+             #t))
+         (add-after 'install 'install-native
+           (lambda* (#:key outputs #:allow-other-keys)
+             (mkdir-p (string-append (assoc-ref outputs "out") "/include"))
+             (install-file "src/main/native-package/src/jansi.h"
+                           (string-append (assoc-ref outputs "out") "/include"))
+             #t)))))
+    (inputs
+     `(("java-hawtjni" ,java-hawtjni)))
+    (home-page "https://fusesource.github.io/jansi/")
+    (synopsis "Native library for jansi")
+    (description "Java-jansi-native contains the native library for the jansi
+frobnication library/framework.")
+    (license license:asl2.0)))
+
+(define-public java-jansi
+  (package
+    (name "java-jansi")
+    (version "1.16")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/fusesource/jansi/archive/"
+                                  "jansi-project-" version ".tar.gz"))
+              (sha256
+               (base32
+                "11kh3144i3fzp21dpy8zg52mjmsr214k7km9p8ly0rqk2px0qq2z"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:jar-name "jansi.jar"
+       #:source-dir "jansi/src/main/java"
+       #:test-dir "jansi/src/test"
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'check 'clear-term
+           (lambda _
+             (zero? (system* "echo" "-e" "\\e[0m")))))))
+    (inputs
+     `(("java-jansi-native" ,java-jansi-native)))
+    (native-inputs
+     `(("java-junit" ,java-junit)
+       ("java-hamcrest-core" ,java-hamcrest-core)))
+    (home-page "https://fusesource.github.io/jansi/")
+    (synopsis "Portable ANSI escape sequences")
+    (description "Jansi is a Java library that allows you to use ANSI escape
+sequences to format your console output which works on every platform.")
+    (license license:asl2.0)))
+
+(define-public java-jboss-el-api-spec
+  (package
+    (name "java-jboss-el-api-spec")
+    (version "3.0")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/jboss/jboss-el-api_spec/"
+                                  "archive/jboss-el-api_" version
+                                  "_spec-1.0.7.Final.tar.gz"))
+              (sha256
+               (base32
+                "1j45ljxalwlibxl7g7iv952sjxkw275m8vyxxij8l6wdd5pf0pdh"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:jar-name "java-jboss-el-api_spec.jar"
+       #:jdk ,icedtea-8))
+    (inputs
+     `(("java-junit" ,java-junit)))
+    (home-page "https://github.com/jboss/jboss-el-api_spec")
+    (synopsis "JSR-341 expression language 3.0 API")
+    (description "This package contains an implementation of the JSR-341
+specification for the expression language 3.0.  It implements an expression
+language inspired by ECMAScript and XPath.  This language is used with
+JavaServer Pages (JSP).")
+    ;; Either GPL2 only or CDDL.
+    (license (list license:gpl2 license:cddl1.1))))
+
+(define-public java-jboss-interceptors-api-spec
+  (package
+    (name "java-jboss-interceptors-api-spec")
+    (version "1.2")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/jboss/jboss-interceptors-api_spec/"
+                                  "archive/jboss-interceptors-api_" version
+                                  "_spec-1.0.0.Final.tar.gz"))
+              (sha256
+               (base32
+                "0wv8x0jp9a5qxlrgkhb5jdk2gr6vi87b4j4kjb8ryxiy9gn8g51z"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:jar-name "java-jboss-interceptors-api_spec.jar"
+       #:jdk ,icedtea-8
+       #:source-dir "."
+       #:tests? #f)); no tests
+    (home-page "https://github.com/jboss/jboss-interceptors-api_spec")
+    (synopsis "Interceptors 1.2 API classes from JSR 318")
+    (description "Java-jboss-interceptors-api-spec implements the Interceptors
+API.  Interceptors are used to interpose on business method invocations and
+specific events.")
+    ;; Either GPL2 only or CDDL.
+    (license (list license:gpl2 license:cddl1.1))))
+
+(define-public java-cdi-api
+  (package
+    (name "java-cdi-api")
+    (version "2.0")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/cdi-spec/cdi/archive/"
+                                  version ".tar.gz"))
+              (file-name (string-append name "-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1iv8b8bp07c5kmqic14jsr868vycjv4qv02lf3pkgp9z21mnfg5y"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:source-dir "api/src/main/java"
+       #:jar-name "java-cdi-api.jar"
+       #:test-dir "api/src/test"
+       #:jdk ,icedtea-8
+       #:tests? #f)); Tests fail because we don't have a CDI provider yet
+    (inputs
+     `(("java-javax-inject" ,java-javax-inject)
+       ("java-jboss-el-api-spec" ,java-jboss-el-api-spec)
+       ("java-jboss-interceptors-api-spec" ,java-jboss-interceptors-api-spec)))
+    (native-inputs
+     `(("java-testng" ,java-testng)
+       ("java-hamcrest-core" ,java-hamcrest-core)))
+    (home-page "http://cdi-spec.org/")
+    (synopsis "Contexts and Dependency Injection APIs")
+    (description "Java-cdi-api contains the required APIs for Contexts and
+Dependency Injection (CDI).")
+    (license license:asl2.0)))
+
+(define-public java-joda-convert
+  (package
+    (name "java-joda-convert")
+    (version "1.9.2")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/JodaOrg/joda-convert/archive/v"
+                                  version ".tar.gz"))
+              (file-name (string-append name "-" version ".tar.gz"))
+              (sha256
+               (base32
+                "0vp346xz7dh9br4q7xazhc7hvzf76a6hf95fki9bg67q5jr0kjh7"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:jar-name (string-append ,name "-" ,version ".jar")
+       #:source-dir "src/main/java"
+       #:test-include (list "**/Test*.java")
+       ;; Contains only interfaces and base classes (no test)
+       #:test-exclude (list "**/test*/**.java")))
+    (inputs
+     `(("java-guava" ,java-guava)))
+    (native-inputs
+     `(("java-junit" ,java-junit)
+       ("java-hamcrest-core" ,java-hamcrest-core)))
+    (home-page "http://www.joda.org/joda-convert/")
+    (synopsis "Conversion between Objects and Strings")
+    (description "Joda-Convert provides a small set of classes to aid
+conversion between Objects and Strings.  It is not intended to tackle the
+wider problem of Object to Object transformation.")
+    (license license:asl2.0)))
+
+(define-public java-joda-time
+  (package
+    (name "java-joda-time")
+    (version "2.9.9")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/JodaOrg/joda-time/archive/v"
+                                  version ".tar.gz"))
+              (file-name (string-append name "-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1i9x91mi7yg2pasl0k3912f1pg46n37sps6rdb0v1gs8hj9ppwc1"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:jar-name "java-joda-time.jar"
+       #:source-dir "src/main/java"
+       #:test-include (list "**/Test*.java")
+       ;; There is no runnable test in these files
+       #:test-exclude (list "**/Test*Chronology.java" "**/Test*Field.java")
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'build 'build-resources
+           (lambda _
+             (mkdir-p "build/classes/org/joda/time/tz/data")
+             (mkdir-p "build/classes/org/joda/time/format")
+             ;; This will produce the following exception:
+             ;; java.io.IOException: Resource not found: "org/joda/time/tz/data/ZoneInfoMap"
+             ;; which is normal, because it doesn't exist yet. It still generates
+             ;; the same file as in the binary one can find on maven.
+             (invoke "java" "-cp"
+                     (string-append "build/classes:" (getenv "CLASSPATH"))
+                     "org.joda.time.tz.ZoneInfoCompiler"
+                     "-src" "src/main/java/org/joda/time/tz/src"
+                     "-dst" "build/classes/org/joda/time/tz/data"
+                     "africa" "antarctica" "asia" "australasia"
+                     "europe" "northamerica" "southamerica"
+                     "pacificnew" "etcetera" "backward" "systemv")
+             (for-each (lambda (f)
+                         (copy-file f (string-append
+                                        "build/classes/org/joda/time/format/"
+                                        (basename f))))
+               (find-files "src/main/java/org/joda/time/format" ".*.properties"))
+             #t))
+         (add-before 'install 'regenerate-jar
+           (lambda _
+             ;; We need to regenerate the jar file to add generated data.
+             (delete-file "build/jar/java-joda-time.jar")
+             (invoke "ant" "jar")))
+         (add-before 'check 'copy-test-resources
+           (lambda _
+             (mkdir-p "build/test-classes/org/joda/time/tz/data")
+             (copy-file "src/test/resources/tzdata/ZoneInfoMap"
+                        "build/test-classes/org/joda/time/tz/data/ZoneInfoMap")
+             (copy-recursively "src/test/resources" "build/test-classes")
+             #t)))))
+    (inputs
+     `(("java-joda-convert" ,java-joda-convert)))
+    (native-inputs
+     `(("java-junit" ,java-junit)
+       ("java-hamcrest-core" ,java-hamcrest-core)
+       ("tzdata" ,tzdata)))
+    (home-page "http://www.joda.org/joda-time/")
+    (synopsis "Replacement for the Java date and time classes")
+    (description "Joda-Time is a replacement for the Java date and time
+classes prior to Java SE 8.")
+    (license license:asl2.0)))
+
+(define-public java-xerces
+  (package
+    (name "java-xerces")
+    (version "2.11.0")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "mirror://apache/xerces/j/source/"
+                           "Xerces-J-src." version ".tar.gz"))
+       (sha256
+        (base32 "1006igwy2lqrmjvdk64v8dg6qbk9c29pm8xxx7r87n0vnpvmx6pm"))
+       (patches (search-patches
+                 "java-xerces-xjavac_taskdef.patch"
+                 "java-xerces-build_dont_unzip.patch"
+                 "java-xerces-bootclasspath.patch"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:tests? #f;; Test files are not present
+       #:test-target "test"
+       #:jdk ,icedtea-8
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'create-build.properties
+          (lambda* (#:key inputs #:allow-other-keys)
+            (let ((jaxp (assoc-ref inputs "java-jaxp"))
+                  (resolver (assoc-ref inputs "java-apache-xml-commons-resolver")))
+              (with-output-to-file "build.properties"
+                (lambda _
+                  (format #t
+                   "jar.jaxp = ~a/share/java/jaxp.jar~@
+                   jar.apis-ext = ~a/share/java/jaxp.jar~@
+                   jar.resolver = ~a/share/java/xml-resolver.jar~%"
+                   jaxp jaxp resolver)))
+              ;; Make xerces use our version of jaxp in tests
+              (substitute* "build.xml"
+                (("xml-apis.jar")
+                 (string-append jaxp "/share/java/jaxp.jar"))
+                (("\\$\\{tools.dir\\}/\\$\\{jar.apis\\}")
+                 "${jar.apis}")))
+            #t))
+         (replace 'install (install-jars "build")))))
+    (inputs
+     `(("java-apache-xml-commons-resolver" ,java-apache-xml-commons-resolver)
+       ("java-jaxp" ,java-jaxp)))
+    (home-page "https://xerces.apache.org/xerces2-j/")
+    (synopsis "Validating XML parser for Java with DOM level 3 support")
+    (description "The Xerces2 Java parser is the reference implementation of
+XNI, the Xerces Native Interface, and also a fully conforming XML Schema
+processor.
+
+Xerces2-J supports the following standards and APIs:
+
+@itemize
+@item eXtensible Markup Language (XML) 1.0 Second Edition Recommendation
+@item Namespaces in XML Recommendation
+@item Document Object Model (DOM) Level 2 Core, Events, and Traversal and
+      Range Recommendations
+@item Simple API for XML (SAX) 2.0.1 Core and Extension
+@item Java APIs for XML Processing (JAXP) 1.2.01
+@item XML Schema 1.0 Structures and Datatypes Recommendations
+@item Experimental implementation of the Document Object Model (DOM) Level 3
+      Core and Load/Save Working Drafts
+@item Provides a partial implementation of the XML Inclusions (XInclude) W3C
+      Candidate Recommendation
+@end itemize
+
+Xerces is now able to parse documents written according to the XML 1.1
+Candidate Recommendation, except that it does not yet provide an option to
+enable normalization checking as described in section 2.13 of this
+specification.  It also handles namespaces according to the XML Namespaces 1.1
+Candidate Recommendation, and will correctly serialize XML 1.1 documents if
+the DOM level 3 load/save API's are in use.")
+    (license license:asl2.0)))
+
+(define-public java-jline
+  (package
+    (name "java-jline")
+    (version "1.0")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/jline/jline1/archive/jline-"
+                                  version ".tar.gz"))
+              (sha256
+               (base32
+                "0bi3p6vrh7a6v0fbpb6rx9plpmx5zk3lr352xzdbz2jcxg499wir"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:jar-name "jline.jar"
+       #:source-dir "src/main/java"
+       #:test-dir "src/test"
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'build 'copy-resources
+           (lambda _
+             (copy-recursively "src/main/resources" "build/classes")
+             #t)))))
+    (native-inputs
+     `(("java-junit" ,java-junit)))
+    (home-page "https://jline.github.io")
+    (synopsis "Console input handling library")
+    (description "JLine is a Java library for handling console input.  It is
+similar in functionality to BSD editline and GNU readline but with additional
+features that bring it on par with the Z shell line editor.")
+    (license license:bsd-3)))
+
+(define-public java-xmlunit
+  (package
+    (name "java-xmlunit")
+    (version "2.5.1")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/xmlunit/xmlunit/archive/v"
+                                  version ".tar.gz"))
+              (file-name (string-append name "-" version ".tar.gz"))
+              (sha256
+               (base32
+                "035rivlnmwhfqj0fzviciv0bkh1h95ps1iwnh2kjcvdbk5nccm4z"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:jar-name "java-xmlunit.jar"
+       #:source-dir "xmlunit-core/src/main/java"
+       #:test-dir "xmlunit-core/src/test"
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'check 'copy-test-resources
+           (lambda* (#:key inputs #:allow-other-keys)
+             (copy-recursively (assoc-ref inputs "resources") "../test-resources")
+             #t)))))
+    (native-inputs
+     `(("java-junit" ,java-junit)
+       ("java-mockito-1" ,java-mockito-1)
+       ("java-hamcrest-all" ,java-hamcrest-all)
+       ("java-objenesis" ,java-objenesis)
+       ("java-asm" ,java-asm)
+       ("java-cglib" ,java-cglib)
+       ("resources"
+        ,(origin
+           (method git-fetch)
+           (uri (git-reference
+                  (url "https://github.com/xmlunit/test-resources.git")
+                  (commit "a590d2ae865c3e0455691d76ba8eefccc2215aec")))
+           (file-name "java-xmlunit-test-resources")
+           (sha256
+            (base32
+             "0r0glj37pg5l868yjz78gckr91cs8fysxxbp9p328dssssi91agr"))))))
+    (home-page "http://www.xmlunit.org/")
+    (synopsis "XML output testing")
+    (description "XMLUnit provides you with the tools to verify the XML you
+emit is the one you want to create.  It provides helpers to validate against
+an XML Schema, assert the values of XPath queries or compare XML documents
+against expected outcomes.")
+    (license license:asl2.0)))
+
+(define-public java-xmlunit-legacy
+  (package
+    (inherit java-xmlunit)
+    (name "java-xmlunit-legacy")
+    (arguments
+     `(#:jar-name "java-xmlunit-legacy.jar"
+       #:source-dir "xmlunit-legacy/src/main/java"
+       #:test-dir "xmlunit-legacy/src/test"))
+    (inputs
+     `(("java-xmlunit" ,java-xmlunit)
+       ("java-junit" ,java-junit)))
+    (native-inputs
+     `(("java-mockito-1" ,java-mockito-1)))))
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index b0cefeab75..a3a4737d59 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -11,7 +11,7 @@
 ;;; Copyright © 2016, 2017 Alex Kost <alezost@gmail.com>
 ;;; Copyright © 2016 Raymond Nicholson <rain1@openmailbox.org>
 ;;; Copyright © 2016 Mathieu Lirzin <mthl@gnu.org>
-;;; Copyright © 2016 Nicolas Goaziou <mail@nicolasgoaziou.fr>
+;;; Copyright © 2016, 2018 Nicolas Goaziou <mail@nicolasgoaziou.fr>
 ;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2016 David Craven <david@craven.ch>
 ;;; Copyright © 2016 John Darrington <jmd@gnu.org>
@@ -3944,7 +3944,7 @@ Light is the successor of lightscript.")
 (define-public tlp
   (package
     (name "tlp")
-    (version "1.0")
+    (version "1.1")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -3954,7 +3954,7 @@ Light is the successor of lightscript.")
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "1v3qpj9kp4rxwqapayd0i9419wwv4bikyrzjvqn0r9xkgnr1f9v4"))))
+                "068hzmh90x600saynbl7iwg1pm0ywldn4jazyxx5y1fixs8s1qbn"))))
     (inputs `(("bash" ,bash)
               ("dbus" ,dbus)
               ("ethtool" ,ethtool)
@@ -3989,7 +3989,8 @@ Light is the successor of lightscript.")
                (setenv "TLP_CONF" "/etc/tlp")
                (setenv "TLP_SHCPL"
                        (string-append out "/share/bash-completion/completions"))
-               (setenv "TLP_MAN" (string-append out "/share/man")))))
+               (setenv "TLP_MAN" (string-append out "/share/man"))
+               (setenv "TLP_META" (string-append out "/share/metainfo")))))
          (delete 'check)                ; no tests
          (add-before 'install 'fix-installation
            (lambda _
@@ -3997,7 +3998,8 @@ Light is the successor of lightscript.")
              (substitute* "Makefile" (("\\[ -f \\$\\(_CONF\\) \\]") "#"))))
          (replace 'install
            (lambda _
-             (zero? (system* "make" "install-tlp" "install-man"))))
+             (invoke "make" "install-tlp" "install-man")
+             #t))
          (add-after 'install 'wrap
            (lambda* (#:key inputs outputs #:allow-other-keys)
              (let* ((bin (string-append (assoc-ref outputs "out") "/bin"))
diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index e085c2dec6..f9c382c68e 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -1050,17 +1050,17 @@ delivery.")
 (define-public exim
   (package
     (name "exim")
-    (version "4.90")
+    (version "4.90.1")
     (source
      (origin
        (method url-fetch)
-       (uri (list (string-append "ftp://ftp.exim.org/pub/exim/exim4/exim-"
+       (uri (list (string-append "https://ftp.exim.org/pub/exim/exim4/exim-"
                                  version ".tar.bz2")
-                  (string-append "ftp://ftp.exim.org/pub/exim/exim4/old/exim-"
+                  (string-append "https://ftp.exim.org/pub/exim/exim4/old/exim-"
                                  version ".tar.bz2")))
        (sha256
         (base32
-         "1cmx2648zhpsc4pznky7qsqbjazd3wn4gpslbl30j56cv1m6rb3x"))))
+         "1w6blvvrd87c649j8xpag034md2w1ib0db9c4ijqbzc5dh2i1xfq"))))
     (build-system gnu-build-system)
     (inputs
      `(("bdb" ,bdb)
diff --git a/gnu/packages/mtools.scm b/gnu/packages/mtools.scm
index 2ac78c500a..3bfc4e76cf 100644
--- a/gnu/packages/mtools.scm
+++ b/gnu/packages/mtools.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013 John Darrington <jmd@gnu.org>
 ;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -48,7 +49,7 @@ FAT-specific file attributes.")
 (define-public exfat-utils
   (package
     (name "exfat-utils")
-    (version "1.2.7")
+    (version "1.2.8")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -56,7 +57,7 @@ FAT-specific file attributes.")
                     version "/" name "-" version ".tar.gz"))
               (sha256
                (base32
-                "1r7z3n1zxkvlqf1wv7pg0jwlr1144wznd0slfckpsb5rap8k4q9q"))))
+                "09yf41mgwp8wg0psq347d5razllilx1sd4ij9173nri47p9465jw"))))
     (build-system gnu-build-system)
     (home-page "https://github.com/relan/exfat")
     (synopsis "Utilities to manipulate exFAT file systems")
diff --git a/gnu/packages/music.scm b/gnu/packages/music.scm
index 2db8ffea30..3709f10d1d 100644
--- a/gnu/packages/music.scm
+++ b/gnu/packages/music.scm
@@ -226,18 +226,19 @@ score, keyboard, guitar, drum and controller views.")
                        "sha2" ;; Replaced by openssl.
                        "taglib"
                        "tinysvcmdns")))
-                (patches (search-patches "clementine-use-openssl.patch"))))
+                (patches (search-patches "clementine-use-openssl.patch"
+                                         "clementine-remove-crypto++-dependency.patch"))))
       (build-system cmake-build-system)
       (arguments
        '(#:test-target "clementine_test"
          #:configure-flags
-         (let ((crypto (assoc-ref %build-inputs "crypto++")))
-           (list "-DENABLE_VISUALISATIONS=OFF" ; requires unpackaged "projectm"
-                 "-DCRYPTOPP_FOUND=TRUE"
-                 (string-append "-DCRYPTOPP_INCLUDE_DIRS=" crypto "/include")
-                 (string-append "-DCRYPTOPP_LIBRARY_DIRS=" crypto "/lib")
-                 (string-append "-DCRYPTOPP_LIBRARIES=" crypto "/lib/libcryptopp.a")
-                 "-DUSE_SYSTEM_SHA2=TRUE"))
+         (list ;; Requires unpackaged "projectm"
+               "-DENABLE_VISUALISATIONS=OFF"
+               ;; Otherwise it may try to download a non-free library at run-time.
+               ;; TODO In an origin snippet, remove the code that performs the
+               ;; download.
+               "-DHAVE_SPOTIFY_DOWNLOADER=FALSE"
+               "-DUSE_SYSTEM_SHA2=TRUE")
          #:phases
          (modify-phases %standard-phases
            (add-after 'install 'wrap-program
@@ -254,7 +255,6 @@ score, keyboard, guitar, drum and controller views.")
       (inputs
        `(("boost" ,boost)
          ("chromaprint" ,chromaprint)
-         ("crypto++" ,crypto++)
          ("fftw" ,fftw)
          ("glib" ,glib)
          ("glu" ,glu)
diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 21b158b815..f227659238 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -719,7 +719,7 @@ allows for heavy scripting.")
 (define-public perl-net-dns
  (package
   (name "perl-net-dns")
-  (version "1.14")
+  (version "1.15")
   (source
     (origin
       (method url-fetch)
@@ -729,7 +729,7 @@ allows for heavy scripting.")
              ".tar.gz"))
       (sha256
         (base32
-          "1z4r092qv0ify033dld5jayk8gs0bc7pl130dvb8ab7b9rcqmhw3"))))
+          "1l31kqrgjzq8zgpr86z12x550px5zpn563gmnja6m14b8fk6pm0s"))))
   (build-system perl-build-system)
   (inputs
     `(("perl-digest-hmac" ,perl-digest-hmac)))
diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index b42f1c1e34..a84341e0df 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -92,8 +92,8 @@
   ;; Note: the 'update-guix-package.scm' script expects this definition to
   ;; start precisely like this.
   (let ((version "0.14.0")
-        (commit "33988f9b5876e4b44cabe1997a91eb604931c1ca")
-        (revision 7))
+        (commit "bc880f9d668448b95ae1c1d3761e61c4c514955b")
+        (revision 8))
     (package
       (name "guix")
 
@@ -109,7 +109,7 @@
                       (commit commit)))
                 (sha256
                  (base32
-                  "0sfr32yhkm87apgpp6mjr6r43sp4l0ih35q4pmhwzfnj2bimmzhk"))
+                  "0v4jr22cwajyndknfj0dy9brfvs6sgv0ansr76n4giybmsay28w4"))
                 (file-name (string-append "guix-" version "-checkout"))))
       (build-system gnu-build-system)
       (arguments
diff --git a/gnu/packages/patches/clementine-remove-crypto++-dependency.patch b/gnu/packages/patches/clementine-remove-crypto++-dependency.patch
new file mode 100644
index 0000000000..e7cf80ddee
--- /dev/null
+++ b/gnu/packages/patches/clementine-remove-crypto++-dependency.patch
@@ -0,0 +1,19 @@
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 3202b8b..473ecb9 100755
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -279,14 +279,6 @@ optional_component(LIBPULSE ON "Pulse audio integration"
+ 
+ optional_component(VISUALISATIONS ON "Visualisations")
+ 
+-if(NOT HAVE_SPOTIFY_BLOB AND NOT CRYPTOPP_FOUND)
+-  message(FATAL_ERROR "Either crypto++ must be available or the non-GPL Spotify "
+-          "code must be compiled in")
+-elseif(CRYPTOPP_FOUND)
+-  set(HAVE_CRYPTOPP ON)
+-  set(HAVE_SPOTIFY_DOWNLOADER ON)
+-endif()
+-
+ # Find DBus if it's enabled
+ if (HAVE_DBUS)
+   find_package(Qt5 COMPONENTS DBus)
diff --git a/gnu/packages/patches/emacs-browse-at-remote-cgit-gnu.patch b/gnu/packages/patches/emacs-browse-at-remote-cgit-gnu.patch
new file mode 100644
index 0000000000..b90017fdb4
--- /dev/null
+++ b/gnu/packages/patches/emacs-browse-at-remote-cgit-gnu.patch
@@ -0,0 +1,59 @@
+Copyright © 2018 Oleg Pykhalov <go.wigust@gmail.com>
+
+This patch adds a support for Git repositories hosted on git.savannah.gnu.org.
+
+Upstream bug URL:
+
+https://github.com/rmuslimov/browse-at-remote/pull/46
+
+From cd2ccdaef8b1d97337d790175f71cc3dbcfcff64 Mon Sep 17 00:00:00 2001
+From: Oleg Pykhalov <go.wigust@gmail.com>
+Date: Fri, 26 Jan 2018 00:05:30 +0300
+Subject: [PATCH] Add support for repositories that are hosted on gnu cgit
+
+---
+ browse-at-remote.el | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/browse-at-remote.el b/browse-at-remote.el
+index 66967b3..e210d18 100644
+--- a/browse-at-remote.el
++++ b/browse-at-remote.el
+@@ -44,7 +44,8 @@
+ (defcustom browse-at-remote-remote-type-domains
+   '(("bitbucket.org" ."bitbucket")
+     ("github.com" . "github")
+-    ("gitlab.com" . "gitlab"))
++    ("gitlab.com" . "gitlab")
++    ("git.savannah.gnu.org" . "gnu"))
+   "Alist of domain patterns to remote types."
+ 
+   :type '(alist :key-type (string :tag "Domain")
+@@ -199,6 +200,24 @@ If HEAD is detached, return nil."
+     (if (fboundp formatter)
+         formatter nil)))
+ 
++(defun browse-at-remote-gnu-format-url (repo-url)
++  "Get a gnu formatted URL."
++  (replace-regexp-in-string
++   (concat "https://" (car (rassoc "gnu" browse-at-remote-remote-type-domains))
++           "/\\(git\\).*\\'")
++   "cgit" repo-url nil nil 1))
++
++(defun browse-at-remote--format-region-url-as-gnu (repo-url location filename &optional linestart lineend)
++  "URL formatter for gnu."
++  (let ((repo-url (browse-at-remote-gnu-format-url repo-url)))
++    (cond
++     (linestart (format "%s.git/tree/%s?h=%s#n%d" repo-url filename location linestart))
++     (t (format "%s.git/tree/%s?h=%s" repo-url filename location)))))
++
++(defun browse-at-remote--format-commit-url-as-gnu (repo-url commithash)
++  "Commit URL formatted for gnu"
++  (format "%s.git/commit/?id=%s" (browse-at-remote-gnu-format-url repo-url) commithash))
++
+ (defun browse-at-remote--format-region-url-as-github (repo-url location filename &optional linestart lineend)
+   "URL formatted for github."
+   (cond
+-- 
+2.15.1
+
diff --git a/gnu/packages/patches/java-xerces-bootclasspath.patch b/gnu/packages/patches/java-xerces-bootclasspath.patch
new file mode 100644
index 0000000000..efaa548a62
--- /dev/null
+++ b/gnu/packages/patches/java-xerces-bootclasspath.patch
@@ -0,0 +1,38 @@
+Based on https://anonscm.debian.org/viewvc/pkg-java/trunk/libxerces2-java/debian/patches/03_bootclasspath.patch?revision=14509, adopted for guix
+
+--- xerces-2_11_0/build.xml.orig	2010-11-26 21:42:11.000000000 +0100
++++ xerces-2_11_0/build.xml	2017-03-28 14:04:41.946606996 +0200
+@@ -290,13 +290,14 @@
+            destdir="${build.dest}"

+            source="${javac.source}"

+            target="${javac.target}"

+-           classpath="${build.dir}/classes:${tools.dir}/${jar.apis}:${tools.dir}/${jar.resolver}:${tools.dir}/${jar.serializer}"

++           classpath="${build.dir}/classes:${jar.jaxp}:${jar.apis-ext}:${jar.resolver}"

+            debug="${debug}" nowarn="true"

+            debuglevel="${debuglevel}"

+            deprecation="${deprecation}"

+            optimize="${optimize}"

+            includeAntRuntime="false"

+-           includeJavaRuntime="false"

++           includeJavaRuntime="true"

++           bootclasspath="${jar.jaxp}:${jar.apis-ext}:${jar.resolver}"

+            excludes="org/xml/sax/** 

+                 javax/xml/**

+                 org/w3c/dom/*

+@@ -1451,13 +1452,14 @@
+                destdir="${build.dest}"

+                source="${javac.source}"

+                target="${javac.target}"

+-               classpath="${build.dir}/classes:${tools.dir}/${jar.apis}:${tools.dir}/${jar.resolver}:${tools.dir}/${jar.serializer}"

++               classpath="${build.dir}/classes:${jar.jaxp}:${jar.apis-ext}:${jar.resolver}"

+                debug="${debug}"

+                debuglevel="${debuglevel}"

+                deprecation="${deprecation}"

+                optimize="${optimize}"

+                includeAntRuntime="false"

+-               includeJavaRuntime="false"

++               includeJavaRuntime="true"

++               bootclasspath="${jar.jaxp}:${jar.apis-ext}:${jar.resolver}"

+                excludes="org/xml/sax/** 

+                     javax/xml/**

+                     org/w3c/dom/*

diff --git a/gnu/packages/patches/java-xerces-build_dont_unzip.patch b/gnu/packages/patches/java-xerces-build_dont_unzip.patch
new file mode 100644
index 0000000000..2ff5628865
--- /dev/null
+++ b/gnu/packages/patches/java-xerces-build_dont_unzip.patch
@@ -0,0 +1,44 @@
+Don't unzip the sources which were bundled originally. Guix strips them from
+the source and uses pre-build packages.
+
+Taken from https://anonscm.debian.org/viewvc/pkg-java/trunk/libxerces2-java/debian/patches/02_build_dont_unzip.patch?revision=14507
+
+Index: b/build.xml
+===================================================================
+--- a/build.xml
++++ b/build.xml
+@@ -247,7 +247,7 @@
+     <copy file="${src.dir}/org/apache/xerces/impl/xpath/regex/message.properties"

+       tofile="${build.src}/org/apache/xerces/impl/xpath/regex/message_en.properties"/>

+ 

+-    <!-- now deal with API's:  -->

++    <!-- not needed for Debian

+     <unzip src="${src.apis.zip}" dest="${build.src}">

+         <patternset

+             includes="org/xml/sax/** 

+@@ -270,6 +270,7 @@
+                 org/w3c/dom/xpath/**"

+         />

+     </unzip>

++    -->

+     

+     <!-- substitute tokens as needed -->

+     <replace file="${build.dir}/src/org/apache/xerces/impl/Version.java" 

+@@ -1232,7 +1233,7 @@
+     <replace file="${build.dir}/src/org/apache/xerces/parsers/AbstractSAXParser.java"

+              token="return (fConfiguration instanceof XML11Configurable);" value="return false;"/>

+  

+-    <!-- now deal with API's:  -->

++    <!-- not needed for Debian

+     <unzip src="${src.apis.zip}" dest="${build.src}">

+         <patternset

+             includes="org/xml/sax/** 

+@@ -1255,7 +1256,7 @@
+                 org/w3c/dom/xpath/**"

+         />

+     </unzip>

+-

++    -->

+ 

+     <!-- substitute tokens as needed -->

+     <replace file="${build.dir}/src/org/apache/xerces/impl/Version.java" 

diff --git a/gnu/packages/patches/java-xerces-xjavac_taskdef.patch b/gnu/packages/patches/java-xerces-xjavac_taskdef.patch
new file mode 100644
index 0000000000..4f5d008c28
--- /dev/null
+++ b/gnu/packages/patches/java-xerces-xjavac_taskdef.patch
@@ -0,0 +1,45 @@
+This patch eliminates the need for providing "xjavac", which saves building a
+package for the unmaintained "xerces-tools".
+
+Taken from https://anonscm.debian.org/viewvc/pkg-java/trunk/libxerces2-java/debian/patches/01_xjavac_taskdef.patch?revision=14507
+
+Index: b/build.xml
+===================================================================
+--- a/build.xml
++++ b/build.xml
+@@ -39,7 +39,7 @@
+   <property name="tools.dir" value="./tools"/>

+ 

+   <!-- enable compilation under JDK 1.4 and above -->

+-  <taskdef name="xjavac" classname="org.apache.xerces.util.XJavac">

++  <taskdef name="xjavac" classname="org.apache.tools.ant.taskdefs.Javac">

+     <classpath>

+       <pathelement location="${tools.dir}/bin/xjavac.jar"/>

+     </classpath>

+@@ -291,7 +291,7 @@
+            source="${javac.source}"

+            target="${javac.target}"

+            classpath="${build.dir}/classes:${tools.dir}/${jar.apis}:${tools.dir}/${jar.resolver}:${tools.dir}/${jar.serializer}"

+-           debug="${debug}"

++           debug="${debug}" nowarn="true"

+            debuglevel="${debuglevel}"

+            deprecation="${deprecation}"

+            optimize="${optimize}"

+@@ -359,7 +359,7 @@
+            source="${javac.source}"

+            target="${javac.target}"

+            classpath="${build.dir}/classes:${tools.dir}/${jar.apis}"

+-           debug="${debug}"

++           debug="${debug}" nowarn="true"

+            debuglevel="${debuglevel}"

+            includeAntRuntime="false"

+            includeJavaRuntime="true"/>

+@@ -379,7 +379,7 @@
+            source="${javac.source}"

+            target="${javac.target}"

+            classpath="${tools.dir}/${jar.apis}:${build.dir}/classes:./tools/junit.jar"

+-           debug="${debug}"

++           debug="${debug}" nowarn="true"

+            debuglevel="${debuglevel}"

+            includeAntRuntime="false"

+            includeJavaRuntime="true"/>

diff --git a/gnu/packages/patches/libtasn1-CVE-2018-6003.patch b/gnu/packages/patches/libtasn1-CVE-2018-6003.patch
new file mode 100644
index 0000000000..3e6140518d
--- /dev/null
+++ b/gnu/packages/patches/libtasn1-CVE-2018-6003.patch
@@ -0,0 +1,73 @@
+Fix CVE-2018-6003:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6003
+https://lists.gnu.org/archive/html/help-libtasn1/2018-01/msg00000.html
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/gnutls/libtasn1/commit/c593ae84cfcde8fea45787e53950e0ac71e9ca97
+
+From c593ae84cfcde8fea45787e53950e0ac71e9ca97 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Thu, 4 Jan 2018 10:52:05 +0100
+Subject: [PATCH] _asn1_decode_simple_ber: restrict the levels of recursion to 3
+
+On indefinite string decoding, setting a maximum level of recursions
+protects the BER decoder from a stack exhaustion due to large amounts
+of recursion.
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+---
+ lib/decoding.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/lib/decoding.c b/lib/decoding.c
+index 2240b09..0ee35d3 100644
+--- a/lib/decoding.c
++++ b/lib/decoding.c
+@@ -45,6 +45,13 @@
+ 
+ #define DECODE_FLAG_HAVE_TAG 1
+ #define DECODE_FLAG_INDEFINITE (1<<1)
++/* On indefinite string decoding, allow this maximum levels
++ * of recursion. Allowing infinite recursion, makes the BER
++ * decoder susceptible to stack exhaustion due to that recursion.
++ */
++#define DECODE_FLAG_LEVEL1 (1<<2)
++#define DECODE_FLAG_LEVEL2 (1<<3)
++#define DECODE_FLAG_LEVEL3 (1<<4)
+ 
+ #define DECR_LEN(l, s) do { \
+ 	  l -= s; \
+@@ -2216,7 +2223,8 @@ _asn1_decode_simple_ber (unsigned int etype, const unsigned char *der,
+     }
+ 
+   /* indefinite constructed */
+-  if (((dflags & DECODE_FLAG_INDEFINITE) || class == ASN1_CLASS_STRUCTURED) && ETYPE_IS_STRING(etype))
++  if ((((dflags & DECODE_FLAG_INDEFINITE) || class == ASN1_CLASS_STRUCTURED) && ETYPE_IS_STRING(etype)) &&
++      !(dflags & DECODE_FLAG_LEVEL3))
+     {
+       len_len = 1;
+ 
+@@ -2236,8 +2244,17 @@ _asn1_decode_simple_ber (unsigned int etype, const unsigned char *der,
+       do
+         {
+           unsigned tmp_len;
++          unsigned flags = DECODE_FLAG_HAVE_TAG;
++
++          if (dflags & DECODE_FLAG_LEVEL1)
++                flags |= DECODE_FLAG_LEVEL2;
++          else if (dflags & DECODE_FLAG_LEVEL2)
++		flags |= DECODE_FLAG_LEVEL3;
++	  else
++		flags |= DECODE_FLAG_LEVEL1;
+ 
+-          result = asn1_decode_simple_ber(etype, p, der_len, &out, &out_len, &tmp_len);
++          result = _asn1_decode_simple_ber(etype, p, der_len, &out, &out_len, &tmp_len,
++                                           flags);
+           if (result != ASN1_SUCCESS)
+             {
+               warn();
+--
+libgit2 0.26.0
+
diff --git a/gnu/packages/patches/libtiff-CVE-2017-18013.patch b/gnu/packages/patches/libtiff-CVE-2017-18013.patch
new file mode 100644
index 0000000000..ba03c83847
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-18013.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-18013:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2770
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18013
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01
+
+From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 31 Dec 2017 15:09:41 +0100
+Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer
+ dereference on corrupted file. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2770
+
+---
+ libtiff/tif_print.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
+index 9959d353..8deceb2b 100644
+--- a/libtiff/tif_print.c
++++ b/libtiff/tif_print.c
+@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ 			fprintf(fd, "    %3lu: [%8I64u, %8I64u]\n",
+ 			    (unsigned long) s,
+-			    (unsigned __int64) td->td_stripoffset[s],
+-			    (unsigned __int64) td->td_stripbytecount[s]);
++			    td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
++			    td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
+ #else
+ 			fprintf(fd, "    %3lu: [%8llu, %8llu]\n",
+ 			    (unsigned long) s,
+-			    (unsigned long long) td->td_stripoffset[s],
+-			    (unsigned long long) td->td_stripbytecount[s]);
++			    td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
++			    td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
+ #endif
+ 	}
+ }
+-- 
+2.16.1
+
diff --git a/gnu/packages/patches/libtiff-CVE-2017-9935.patch b/gnu/packages/patches/libtiff-CVE-2017-9935.patch
new file mode 100644
index 0000000000..5685d81f68
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-9935.patch
@@ -0,0 +1,162 @@
+Fix CVE-2017-9935
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9935
+http://bugzilla.maptools.org/show_bug.cgi?id=2704
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940
+
+From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001
+From: Brian May <brian@linuxpenguins.xyz>
+Date: Thu, 7 Dec 2017 07:46:47 +1100
+Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935
+
+Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
+
+This vulnerability - at least for the supplied test case - is because we
+assume that a tiff will only have one transfer function that is the same
+for all pages. This is not required by the TIFF standards.
+
+We than read the transfer function for every page.  Depending on the
+transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
+We allocate this memory after we read in the transfer function for the
+page.
+
+For the first exploit - POC1, this file has 3 pages. For the first page
+we allocate 2 extra extra XREF entries. Then for the next page 2 more
+entries. Then for the last page the transfer function changes and we
+allocate 4 more entries.
+
+When we read the file into memory, we assume we have 4 bytes extra for
+each and every page (as per the last transfer function we read). Which
+is not correct, we only have 2 bytes extra for the first 2 pages. As a
+result, we end up writing past the end of the buffer.
+
+There are also some related issues that this also fixes. For example,
+TIFFGetField can return uninitalized pointer values, and the logic to
+detect a N=3 vs N=1 transfer function seemed rather strange.
+
+It is also strange that we declare the transfer functions to be of type
+float, when the standard says they are unsigned 16 bit values. This is
+fixed in another patch.
+
+This patch will check to ensure that the N value for every transfer
+function is the same for every page. If this changes, we abort with an
+error. In theory, we should perhaps check that the transfer function
+itself is identical for every page, however we don't do that due to the
+confusion of the type of the data in the transfer function.
+---
+ libtiff/tif_dir.c |  3 +++
+ tools/tiff2pdf.c  | 65 +++++++++++++++++++++++++++++++++++++------------------
+ 2 files changed, 47 insertions(+), 21 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 2ccaf448..cbf2b693 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
+ 			if (td->td_samplesperpixel - td->td_extrasamples > 1) {
+ 				*va_arg(ap, uint16**) = td->td_transferfunction[1];
+ 				*va_arg(ap, uint16**) = td->td_transferfunction[2];
++			} else {
++				*va_arg(ap, uint16**) = NULL;
++				*va_arg(ap, uint16**) = NULL;
+ 			}
+ 			break;
+ 		case TIFFTAG_REFERENCEBLACKWHITE:
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index d1a9b095..c3ec0746 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ 	uint16 pagen=0;
+ 	uint16 paged=0;
+ 	uint16 xuint16=0;
++	uint16 tiff_transferfunctioncount=0;
++	float* tiff_transferfunction[3];
+ 
+ 	directorycount=TIFFNumberOfDirectories(input);
+ 	t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
+@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+                 }
+ #endif
+ 		if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
+-                                 &(t2p->tiff_transferfunction[0]),
+-                                 &(t2p->tiff_transferfunction[1]),
+-                                 &(t2p->tiff_transferfunction[2]))) {
+-			if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
+-                           (t2p->tiff_transferfunction[2] != (float*) NULL) &&
+-                           (t2p->tiff_transferfunction[1] !=
+-                            t2p->tiff_transferfunction[0])) {
+-				t2p->tiff_transferfunctioncount = 3;
+-				t2p->tiff_pages[i].page_extra += 4;
+-				t2p->pdf_xrefcount += 4;
+-			} else {
+-				t2p->tiff_transferfunctioncount = 1;
+-				t2p->tiff_pages[i].page_extra += 2;
+-				t2p->pdf_xrefcount += 2;
+-			}
+-			if(t2p->pdf_minorversion < 2)
+-				t2p->pdf_minorversion = 2;
++                                 &(tiff_transferfunction[0]),
++                                 &(tiff_transferfunction[1]),
++                                 &(tiff_transferfunction[2]))) {
++
++                        if((tiff_transferfunction[1] != (float*) NULL) &&
++                           (tiff_transferfunction[2] != (float*) NULL)
++                          ) {
++                            tiff_transferfunctioncount=3;
++                        } else {
++                            tiff_transferfunctioncount=1;
++                        }
+                 } else {
+-			t2p->tiff_transferfunctioncount=0;
++			tiff_transferfunctioncount=0;
+ 		}
++
++                if (i > 0){
++                    if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
++                        TIFFError(
++                            TIFF2PDF_MODULE,
++                            "Different transfer function on page %d",
++                            i);
++                        t2p->t2p_error = T2P_ERR_ERROR;
++                        return;
++                    }
++                }
++
++                t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
++                t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
++                t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
++                t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
++                if(tiff_transferfunctioncount == 3){
++                        t2p->tiff_pages[i].page_extra += 4;
++                        t2p->pdf_xrefcount += 4;
++                        if(t2p->pdf_minorversion < 2)
++                                t2p->pdf_minorversion = 2;
++                } else if (tiff_transferfunctioncount == 1){
++                        t2p->tiff_pages[i].page_extra += 2;
++                        t2p->pdf_xrefcount += 2;
++                        if(t2p->pdf_minorversion < 2)
++                                t2p->pdf_minorversion = 2;
++                }
++
+ 		if( TIFFGetField(
+ 			input, 
+ 			TIFFTAG_ICCPROFILE, 
+@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ 			 &(t2p->tiff_transferfunction[1]),
+ 			 &(t2p->tiff_transferfunction[2]))) {
+ 		if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
+-                   (t2p->tiff_transferfunction[2] != (float*) NULL) &&
+-                   (t2p->tiff_transferfunction[1] !=
+-                    t2p->tiff_transferfunction[0])) {
++                   (t2p->tiff_transferfunction[2] != (float*) NULL)
++                  ) {
+ 			t2p->tiff_transferfunctioncount=3;
+ 		} else {
+ 			t2p->tiff_transferfunctioncount=1;
+-- 
+2.16.1
+
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5974.patch b/gnu/packages/patches/zziplib-CVE-2017-5974.patch
deleted file mode 100644
index 9ae02103e7..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5974.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Fix CVE-2017-5974:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5974
-
-Patch copied from Debian.
-
-Index: zziplib-0.13.62/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/memdisk.c
-+++ zziplib-0.13.62/zzip/memdisk.c
-@@ -216,12 +216,12 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-         /* override sizes/offsets with zip64 values for largefile support */
-         zzip_extra_zip64 *block = (zzip_extra_zip64 *)
-             zzip_mem_entry_extra_block(item, ZZIP_EXTRA_zip64);
--        if (block)
-+        if (block && ZZIP_GET16(block->z_datasize) >= (8 + 8 + 8 + 4))
-         {
--            item->zz_usize = __zzip_get64(block->z_usize);
--            item->zz_csize = __zzip_get64(block->z_csize);
--            item->zz_offset = __zzip_get64(block->z_offset);
--            item->zz_diskstart = __zzip_get32(block->z_diskstart);
-+            item->zz_usize = ZZIP_GET64(block->z_usize);
-+            item->zz_csize = ZZIP_GET64(block->z_csize);
-+            item->zz_offset = ZZIP_GET64(block->z_offset);
-+            item->zz_diskstart = ZZIP_GET32(block->z_diskstart);
-         }
-     }
-     /* NOTE:
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5975.patch b/gnu/packages/patches/zziplib-CVE-2017-5975.patch
deleted file mode 100644
index fad174b056..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5975.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Fix CVE-2017-5975:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5975
-
-Patch copied from Debian.
-
-Index: zziplib-0.13.62/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/memdisk.c
-+++ zziplib-0.13.62/zzip/memdisk.c
-@@ -173,6 +173,8 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-         return 0;               /* errno=ENOMEM; */
-     ___ struct zzip_file_header *header =
-         zzip_disk_entry_to_file_header(disk, entry);
-+    if (!header)
-+	{ free(item); return 0; }
-     /*  there is a number of duplicated information in the file header
-      *  or the disk entry block. Theoretically some part may be missing
-      *  that exists in the other, ... but we will prefer the disk entry.
-Index: zziplib-0.13.62/zzip/mmapped.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/mmapped.c
-+++ zziplib-0.13.62/zzip/mmapped.c
-@@ -289,6 +289,8 @@ zzip_disk_entry_to_file_header(ZZIP_DISK
-         (disk->buffer + zzip_disk_entry_fileoffset(entry));
-     if (disk->buffer > file_header || file_header >= disk->endbuf)
-         return 0;
-+    if (ZZIP_GET32(file_header) != ZZIP_FILE_HEADER_MAGIC)
-+        return 0;
-     return (struct zzip_file_header *) file_header;
- }
- 
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5976.patch b/gnu/packages/patches/zziplib-CVE-2017-5976.patch
deleted file mode 100644
index 17fc30e302..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5976.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-Fix CVE-2017-5976:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5976
-
-Patch copied from Debian.
-
-Index: zziplib-0.13.62/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/memdisk.c
-+++ zziplib-0.13.62/zzip/memdisk.c
-@@ -201,6 +201,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-         {
-             void *mem = malloc(ext1 + 2);
-             item->zz_ext[1] = mem;
-+	    item->zz_extlen[1] = ext1 + 2;
-             memcpy(mem, ptr1, ext1);
-             ((char *) (mem))[ext1 + 0] = 0;
-             ((char *) (mem))[ext1 + 1] = 0;
-@@ -209,6 +210,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-         {
-             void *mem = malloc(ext2 + 2);
-             item->zz_ext[2] = mem;
-+	    item->zz_extlen[2] = ext2 + 2;
-             memcpy(mem, ptr2, ext2);
-             ((char *) (mem))[ext2 + 0] = 0;
-             ((char *) (mem))[ext2 + 1] = 0;
-@@ -245,8 +247,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
-     while (1)
-     {
-         ZZIP_EXTRA_BLOCK *ext = entry->zz_ext[i];
--        if (ext)
-+        if (ext && (entry->zz_extlen[i] >= zzip_extra_block_headerlength))
-         {
-+	    char *endblock = (char *)ext + entry->zz_extlen[i];
-+
-             while (*(short *) (ext->z_datatype))
-             {
-                 if (datatype == zzip_extra_block_get_datatype(ext))
-@@ -257,6 +261,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
-                 e += zzip_extra_block_headerlength;
-                 e += zzip_extra_block_get_datasize(ext);
-                 ext = (void *) e;
-+		if (e >= endblock)
-+		{
-+		    break;
-+		}
-                 ____;
-             }
-         }
-Index: zziplib-0.13.62/zzip/memdisk.h
-===================================================================
---- zziplib-0.13.62.orig/zzip/memdisk.h
-+++ zziplib-0.13.62/zzip/memdisk.h
-@@ -66,6 +66,7 @@ struct _zzip_mem_entry {
-     int              zz_filetype;  /* (from "z_filetype") */
-     char*            zz_comment;   /* zero-terminated (from "comment") */
-     ZZIP_EXTRA_BLOCK* zz_ext[3];   /* terminated by null in z_datatype */
-+    int              zz_extlen[3]; /* length of zz_ext[i] in bytes */
- };                                 /* the extra blocks are NOT converted */
- 
- #define _zzip_mem_disk_findfirst(_d_) ((_d_)->list)
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5978.patch b/gnu/packages/patches/zziplib-CVE-2017-5978.patch
deleted file mode 100644
index 452b14f804..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5978.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Fix CVE-2017-5978:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5978
-
-Patch copied from Debian.
-
-Index: zziplib-0.13.62/zzip/memdisk.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/memdisk.c
-+++ zziplib-0.13.62/zzip/memdisk.c
-@@ -180,7 +180,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-      *  that exists in the other, ... but we will prefer the disk entry.
-      */
-     item->zz_comment = zzip_disk_entry_strdup_comment(disk, entry);
--    item->zz_name = zzip_disk_entry_strdup_name(disk, entry);
-+    item->zz_name = zzip_disk_entry_strdup_name(disk, entry) ?: strdup("");
-     item->zz_data = zzip_file_header_to_data(header);
-     item->zz_flags = zzip_disk_entry_get_flags(entry);
-     item->zz_compr = zzip_disk_entry_get_compr(entry);
-@@ -197,7 +197,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-         int /*            */ ext2 = zzip_file_header_get_extras(header);
-         char *_zzip_restrict ptr2 = zzip_file_header_to_extras(header);
- 
--        if (ext1)
-+        if (ext1 && ((ptr1 + ext1) < disk->endbuf))
-         {
-             void *mem = malloc(ext1 + 2);
-             item->zz_ext[1] = mem;
-@@ -206,7 +206,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
-             ((char *) (mem))[ext1 + 0] = 0;
-             ((char *) (mem))[ext1 + 1] = 0;
-         }
--        if (ext2)
-+        if (ext2 && ((ptr2 + ext2) < disk->endbuf))
-         {
-             void *mem = malloc(ext2 + 2);
-             item->zz_ext[2] = mem;
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5979.patch b/gnu/packages/patches/zziplib-CVE-2017-5979.patch
deleted file mode 100644
index b38f50b172..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5979.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Fix CVE-2017-5979:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5979
-
-Patch copied from Debian.
-
-Index: zziplib-0.13.62/zzip/fseeko.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/fseeko.c
-+++ zziplib-0.13.62/zzip/fseeko.c
-@@ -255,7 +255,7 @@ zzip_entry_findfirst(FILE * disk)
-         return 0;
-     /* we read out chunks of 8 KiB in the hope to match disk granularity */
-     ___ zzip_off_t pagesize = PAGESIZE; /* getpagesize() */
--    ___ ZZIP_ENTRY *entry = malloc(sizeof(*entry));
-+    ___ ZZIP_ENTRY *entry = calloc(1, sizeof(*entry));
-     if (! entry)
-         return 0;
-     ___ unsigned char *buffer = malloc(pagesize);
diff --git a/gnu/packages/patches/zziplib-CVE-2017-5981.patch b/gnu/packages/patches/zziplib-CVE-2017-5981.patch
deleted file mode 100644
index ed82cb3b91..0000000000
--- a/gnu/packages/patches/zziplib-CVE-2017-5981.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Fix CVE-2017-5981:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5981
-
-Patch copied from Debian.
-Index: zziplib-0.13.62/zzip/fseeko.c
-===================================================================
---- zziplib-0.13.62.orig/zzip/fseeko.c
-+++ zziplib-0.13.62/zzip/fseeko.c
-@@ -311,7 +311,8 @@ zzip_entry_findfirst(FILE * disk)
-             } else
-                 continue;
- 
--            assert(0 <= root && root < mapsize);
-+	    if (root < 0 || root >= mapsize)
-+	        goto error;
-             if (fseeko(disk, root, SEEK_SET) == -1)
-                 goto error;
-             if (fread(disk_(entry), 1, sizeof(*disk_(entry)), disk)
diff --git a/gnu/packages/qt.scm b/gnu/packages/qt.scm
index 8bd51ae663..c663489e48 100644
--- a/gnu/packages/qt.scm
+++ b/gnu/packages/qt.scm
@@ -8,6 +8,7 @@
 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2017 Quiliro <quiliro@fsfla.org>
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2018 Nicolas Goaziou <mail@nicolasgoaziou.fr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -832,10 +833,11 @@ consume data received from the server, or both.")))
        ((#:parallel-tests? _ #f) #f) ; can lead to race condition
        ((#:phases phases)
         `(modify-phases ,phases
-           (add-after 'unpack 'lengthen-test-timeout
+           (add-after 'unpack 'fix-tests
              (lambda _
                (substitute* "tests/auto/qsensorgestures_gestures/tst_sensorgestures_gestures.cpp"
-                 (("2000") "5000"))
+                 (("2000") "5000")      ;lengthen test timeout
+                 (("QTest::newRow(\"twist\") << \"twist\"") "")) ;failing test
                #t))))))
     (native-inputs
      `(("perl" ,perl)
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 5d77d5f97b..4f8b76cffb 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -2862,7 +2862,7 @@ alternative to Marshal for Object serialization. ")
        ("ruby-hoe" ,ruby-hoe)
        ("ruby-rspec" ,ruby-rspec)))
     (inputs
-     `(("postgresql" ,postgresql)))
+     `(("postgresql" ,postgresql-9.6)))
     (synopsis "Ruby interface to PostgreSQL")
     (description "Pg is the Ruby interface to the PostgreSQL RDBMS.  It works
 with PostgreSQL 8.4 and later.")
diff --git a/gnu/packages/samba.scm b/gnu/packages/samba.scm
index a03736ed51..396006b27a 100644
--- a/gnu/packages/samba.scm
+++ b/gnu/packages/samba.scm
@@ -148,14 +148,14 @@ anywhere.")
 (define-public samba
   (package
     (name "samba")
-    (version "4.7.4")
+    (version "4.7.5")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://download.samba.org/pub/samba/stable/"
                                  "samba-" version ".tar.gz"))
              (sha256
               (base32
-               "0iw290n0q4l5s92d0f9yz27yp3rdfr6bvsmvg1xvd19g8p2d04pv"))))
+               "13gyr0sk9vx6mccr2h35ca3g92kp50cqxrlzfgrddfmskzx08v9i"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
diff --git a/gnu/packages/shells.scm b/gnu/packages/shells.scm
index 80202e6814..f4a38b8779 100644
--- a/gnu/packages/shells.scm
+++ b/gnu/packages/shells.scm
@@ -3,7 +3,7 @@
 ;;; Copyright © 2014, 2015 David Thompson <davet@gnu.org>
 ;;; Copyright © 2014 Kevin Lemonnier <lemonnierk@ulrar.net>
 ;;; Copyright © 2015 Jeff Mickey <j@codemac.net>
-;;; Copyright © 2016, 2017 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2016 Stefan Reichör <stefan@xsteve.at>
 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2017, 2018 ng0 <ng0@n0.is>
@@ -573,7 +573,7 @@ The OpenBSD Korn Shell is a cleaned up and enhanced ksh.")
 (define-public loksh
   (package
     (name "loksh")
-    (version "6.1")
+    (version "6.2")
     (source
      (origin
        (method url-fetch)
@@ -582,7 +582,7 @@ The OpenBSD Korn Shell is a cleaned up and enhanced ksh.")
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "1wg7ds56yr8fgg1m149bi53bvrwccwiashmwknggza1sqgj9m2lq"))))
+         "16mgxby77wgjg1ybp4fb9cvi7a4a387xmfivdxnhphg0vhyr8qd3"))))
     (build-system gnu-build-system)
     (inputs
      `(("libbsd" ,libbsd)))
diff --git a/gnu/packages/terminals.scm b/gnu/packages/terminals.scm
index 13d162e1ad..f296235b7b 100644
--- a/gnu/packages/terminals.scm
+++ b/gnu/packages/terminals.scm
@@ -5,7 +5,7 @@
 ;;; Copyright © 2016 David Craven <david@craven.ch>
 ;;; Copyright © 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016, 2017 José Miguel Sánchez García <jmi2k@openmailbox.org>
-;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2017 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2017 Petter <petter@mykolab.ch>
@@ -374,7 +374,7 @@ has no notion of what's interesing, but it's very good at that notifying part.")
 (define-public unibilium
   (package
     (name "unibilium")
-    (version "1.2.0")
+    (version "1.2.1")
     (source
      (origin
        (method url-fetch)
@@ -383,7 +383,7 @@ has no notion of what's interesing, but it's very good at that notifying part.")
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "1n7a0jrlwhn9nnkna76sbnjrr808m0pmzbiwznmp7rhmjl4z2fk2"))))
+         "1hbf011d8nzsp7c96fidjiq8yw8zlxf6f1s050ii2yyampvb8ib0"))))
     (build-system gnu-build-system)
     (arguments
      `(#:make-flags
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 58e8bbf0f7..ee316c2289 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -66,6 +66,7 @@
   (package
     (name "libtasn1")
     (version "4.12")
+    (replacement libtasn1/fixed)
     (source
      (origin
       (method url-fetch)
@@ -86,6 +87,14 @@ networking, allowing for formal validation of data according to some
 specifications.")
     (license license:lgpl2.0+)))
 
+(define libtasn1/fixed
+  (package
+    (inherit libtasn1)
+    (source (origin
+              (inherit (package-source libtasn1))
+              (patches (search-patches "libtasn1-CVE-2017-10790.patch"
+                                       "libtasn1-CVE-2018-6003.patch"))))))
+
 (define-public asn1c
   (package
     (name "asn1c")
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 931e6390c4..e550d19bad 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -1157,7 +1157,7 @@ access to mpv's powerful playback capabilities.")
 (define-public youtube-dl
   (package
     (name "youtube-dl")
-    (version "2018.01.27")
+    (version "2018.02.08")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://yt-dl.org/downloads/"
@@ -1165,7 +1165,7 @@ access to mpv's powerful playback capabilities.")
                                   version ".tar.gz"))
               (sha256
                (base32
-                "14vbm8pr6xdrdbk8j9k4v82rnalbdpk2lcm7n9wj6z6d441ymji9"))))
+                "0iq5mav782gz0gm00rry3v7gdxkkx4y1k0p20pvz32ga4id5k1mg"))))
     (build-system python-build-system)
     (arguments
      ;; The problem here is that the directory for the man page and completion
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index f4fd4c336a..d49cdc208a 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -52,6 +52,7 @@
   #:use-module (gnu packages protobuf)
   #:use-module (gnu packages python)
   #:use-module (gnu packages python-web)
+  #:use-module (gnu packages pulseaudio)
   #:use-module (gnu packages selinux)
   #:use-module (gnu packages sdl)
   #:use-module (gnu packages spice)
@@ -99,7 +100,8 @@
        #:configure-flags (list "--enable-usb-redir" "--enable-opengl"
                                (string-append "--smbd="
                                               (assoc-ref %outputs "out")
-                                              "/libexec/samba-wrapper"))
+                                              "/libexec/samba-wrapper")
+                               "--audio-drv-list=alsa,pa,sdl")
        #:phases
        (modify-phases %standard-phases
          (replace 'configure
@@ -181,6 +183,7 @@ exec smbd $@")))
        ("ncurses" ,ncurses)
        ;; ("pciutils" ,pciutils)
        ("pixman" ,pixman)
+       ("pulseaudio" ,pulseaudio)
        ("sdl" ,sdl)
        ("spice" ,spice)
        ("usbredir" ,usbredir)
@@ -228,7 +231,7 @@ server and embedded PowerPC, and S390 guests.")
     ;; Remove dependencies on optional libraries, notably GUI libraries.
     (inputs (fold alist-delete (package-inputs qemu)
                   '("libusb" "mesa" "sdl" "spice" "virglrenderer"
-                    "usbredir" "libdrm" "libepoxy")))))
+                    "usbredir" "libdrm" "libepoxy" "pulseaudio")))))
 
 (define-public libosinfo
   (package
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 65fc9e40e6..24bbbd347d 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -6119,6 +6119,44 @@ container.")))
        ("server" ,java-eclipse-jetty-server-9.2)
        ,@(package-inputs java-eclipse-jetty-util-9.2)))))
 
+(define-public java-jsoup
+  (package
+    (name "java-jsoup")
+    (version "1.10.3")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/jhy/jsoup/archive/jsoup-"
+                                  version ".tar.gz"))
+              (sha256
+               (base32
+                "0xbzw7rjv7s4nz1xk9b2cnin6zkpaldmc3svk71waa7hhjgp0a20"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:jar-name "jsoup.jar"
+       #:source-dir "src/main/java"
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'build 'copy-resources
+           (lambda _
+             (let ((classes-dir (string-append (getcwd) "/build/classes")))
+               (with-directory-excursion "src/main/java"
+                 (for-each (lambda (file)
+                             (let ((dist (string-append classes-dir "/" file)))
+                               (mkdir-p (dirname dist))
+                               (copy-file file dist)))
+                   (find-files "." ".*.properties"))))
+             #t)))))
+    (native-inputs
+     `(("java-junit" ,java-junit)
+       ("java-hamcrest-core" ,java-hamcrest-core)
+       ("java-gson" ,java-gson)))
+    (home-page "https://jsoup.org")
+    (synopsis "HTML parser")
+    (description "Jsoup is a Java library for working with real-world HTML.  It
+provides a very convenient API for extracting and manipulating data, using the
+best of DOM, CSS, and jQuery-like methods.")
+    (license l:expat)))
+
 (define-public tidyp
   (package
     (name "tidyp")
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 57bf8b1fa6..12a68abae3 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -40,6 +40,7 @@
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages gnupg)
+  #:use-module (gnu packages java)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages perl-check)
   #:use-module (gnu packages python)
@@ -1469,3 +1470,491 @@ What it doesn't offer: full SAX support (it can export SAX, but only reads
 XML), full XPath support (unless you use @code{XML::Twig::XPath}), nor DOM
 support.")
     (license license:perl-license)))
+
+;; TODO: Debian builds several jars out of this: jaxp-1.4.jar,
+;; xml-apis.jar and xml-apis-1.4.01.jar.
+(define-public java-jaxp
+  (package
+    (name "java-jaxp")
+    (version "1.4.01")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "mirror://apache/xerces/xml-commons/source/"
+                           "xml-commons-external-" version "-src.tar.gz"))
+       (sha256
+        (base32 "0rhq32a7dl9yik7zx9h0naz2iz068qgcdiayak91wp4wr26xhjyk"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:jar-name "jaxp.jar"
+       #:jdk ,icedtea-8
+       #:source-dir ".."
+       #:tests? #f)); no tests
+    (home-page "http://xerces.apache.org/xml-commons/")
+    (synopsis "Java XML parser and transformer APIs (DOM, SAX, JAXP, TrAX)")
+    (description "Jaxp from the Apache XML Commons project is used by
+the Xerces-J XML parser and Xalan-J XSLT processor and specifies these APIs:
+
+@itemize
+@item Document Object Model (DOM)
+@item Simple API for XML (SAX)
+@item Java APIs for XML Processing (JAXP)
+@item Transformation API for XML (TrAX)
+@item Document Object Model (DOM) Load and Save
+@item JSR 206 Java API for XML Processing
+@end itemize")
+    (license (list license:asl2.0
+                   license:w3c ;; Files under org.w3c
+                   license:public-domain)))) ;; org.xml.sax
+
+(define-public java-apache-xml-commons-resolver
+  (package
+    (name "java-apache-xml-commons-resolver")
+    (version "1.2")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "mirror://apache/xerces/xml-commons/"
+                           "xml-commons-resolver-" version ".tar.gz"))
+       (sha256
+        (base32 "1zhy4anc3fg9f8y348bj88vmab15aavrg6nf419ifb25asyygnsm"))
+       (modules '((guix build utils)))
+       (snippet
+        '(begin
+           (for-each delete-file (find-files "." ".*\\.(jar|zip)"))
+           #t))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:jar-name (string-append "xml-resolver.jar")
+       #:tests? #f)); no tests
+    (inputs
+     `(("java-junit" ,java-junit)))
+    (home-page "http://xerces.apache.org/xml-commons/")
+    (synopsis "Catalog-based entity and URI resolution")
+    (description "The resolver class implements the full semantics of OASIS Technical
+Resolution 9401:1997 (Amendment 2 to TR 9401) catalogs and the 06 Aug
+2001 Committee Specification of OASIS XML Catalogs.
+
+It also includes a framework of classes designed to read catalog files
+in a number of formats:
+
+@itemize
+@item The plain-text flavor described by TR9401.
+@item The XCatalog XML format defined by John Cowan
+@item The XML Catalog format defined by the OASIS Entity Resolution
+      Technical Committee.
+@end itemize")
+    (license license:asl2.0)))
+
+;; Jaxen requires java-dom4j and java-xom that in turn require jaxen.
+;; This package is a bootstrap version without dependencies on dom4j and xom.
+(define java-jaxen-bootstrap
+  (package
+    (name "java-jaxen-bootstrap")
+    (version "1.1.6")
+    (source (origin
+              (method url-fetch)
+              ;; No release on github
+              (uri (string-append "https://repo1.maven.org/maven2/jaxen/jaxen/"
+                                  version "/jaxen-" version "-sources.jar"))
+              (sha256
+               (base32
+                "18pa8mks3gfhazmkyil8wsp6j1g1x7rggqxfv4k2mnixkrj5x1kx"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:jar-name "jaxen.jar"
+       #:source-dir "src"
+       #:tests? #f; no tests
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'build 'remove-dom4j
+           (lambda _
+             (delete-file-recursively "src/org/jaxen/dom4j")
+             (delete-file-recursively "src/org/jaxen/xom")
+             #t)))))
+    (inputs
+     `(("java-jdom" ,java-jdom)))
+    (home-page "https://github.com/jaxen-xpath/jaxen")
+    (synopsis "XPath library")
+    (description "Jaxen is an XPath library written in Java.  It is adaptable
+to many different object models, including DOM, XOM, dom4j, and JDOM.  It is
+also possible to write adapters that treat non-XML trees such as compiled
+Java byte code or Java beans as XML, thus enabling you to query these trees
+with XPath too.")
+    (license license:bsd-3)))
+
+(define-public java-jaxen
+  (package
+    (inherit java-jaxen-bootstrap)
+    (name "java-jaxen")
+    (inputs
+     `(("java-jdom" ,java-jdom)
+       ("java-xom" ,java-xom)
+       ("java-dom4j" ,java-dom4j)))))
+
+(define-public java-xom
+  (package
+    (name "java-xom")
+    (version "127")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/elharo/xom/archive/XOM_"
+                                  version ".tar.gz"))
+              (sha256
+               (base32
+                "04m69db1irqja12a9rfxrac8cbn9psqa1k136wh4ls4pxfsdr5wg"))
+              (modules '((guix build utils)))
+              (snippet
+               '(begin
+                  (for-each delete-file
+                            (find-files "." "\\.jar$"))
+                  #t))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:jar-name "xom.jar"
+       #:jdk ,icedtea-8
+       #:tests? #f; no tests
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'configure 'fix-tagsoup-dep
+           (lambda _
+             ;; FIXME: Where is tagsoup source?
+             (delete-file "src/nu/xom/tools/XHTMLJavaDoc.java")
+             #t)))))
+    (inputs
+     `(("java-jdom" ,java-jdom)
+       ("java-junit" ,java-junit)
+       ("java-classpathx-servletapi" ,java-classpathx-servletapi)
+       ("java-jaxen-bootstrap" ,java-jaxen-bootstrap)
+       ("java-xerces" ,java-xerces)))
+    (home-page "https://xom.nu/")
+    (synopsis "XML Object Model")
+    (description "XOM is a new XML Object Model for processing XML with Java 
+that strives for correctness and simplicity.")
+    ;; 2.1 only
+    (license license:lgpl2.1)))
+
+(define-public java-xsdlib
+  (package
+    (name "java-xsdlib")
+    (version "2013.2")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "http://central.maven.org/maven2/com/sun/msv/"
+                                  "datatype/xsd/xsdlib/" version "/xsdlib-"
+                                  version "-sources.jar"))
+              (sha256
+               (base32
+                "185i48p1xp09wbq03i9zgfl701qa262rq46yf4cajzmk3336kqim"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:tests? #f; no tests
+       #:jar-name "xsdlib.jar"
+       #:jdk ,icedtea-8))
+    (inputs
+     `(("java-xerces" ,java-xerces)))
+    (home-page "http://central.maven.org/maven2/com/sun/msv/datatype/xsd/xsdlib/")
+    (synopsis "Sun Multi-Schema Validator")
+    (description "Xsdlib contains an implementation of sun.com.msv, an XML
+validator.")
+    (license license:bsd-2)))
+
+(define-public java-xpp3
+  (package
+    (name "java-xpp3")
+    (version "1.1.4")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "http://www.extreme.indiana.edu/dist/"
+                                  "java-repository/xpp3/distributions/xpp3-"
+                                  version "_src.tgz"))
+              (sha256
+               (base32
+                "1b99zrhyij5qwyhilyjdl1ykxvhk902vsvflh6gx4fir8hfvdl5p"))
+              (modules '((guix build utils)))
+              (snippet
+                '(begin ;; Delete bundled jar archives.
+                   (for-each delete-file (find-files "." ".*\\.jar"))
+                   #t))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:tests? #f; no tests
+       #:build-target "jar"
+       #:phases
+       (modify-phases %standard-phases
+         (replace 'install (install-jars "build")))))
+    (home-page "http://www.extreme.indiana.edu/xgws/xsoap/xpp/")
+    (synopsis "Streaming pull XML parser")
+    (description "Xml Pull Parser (in short XPP) is a streaming pull XML
+parser and should be used when there is a need to process quickly and
+efficiently all input elements (for example in SOAP processors). This
+package is a stable XmlPull parsing engine that is based on ideas from XPP
+and in particular XPP2 but completely revised and rewritten to take the best
+advantage of JIT JVMs.")
+    (license (license:non-copyleft "file://LICENSE.txt"))))
+
+(define-public java-xmlpull2
+  (package
+    (name "java-xmlpull2")
+    (version "2.1.10")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "http://www.extreme.indiana.edu/xgws/xsoap/"
+                                  "PullParser/PullParser" version ".tgz"))
+              (sha256
+               (base32
+                "1kw9nhyqb7bzhn2zjbwlpi5vp5rzj89amzi3hadw2acyh2dmd0md"))
+              (modules '((guix build utils)))
+              (snippet
+                '(begin ;; Delete bundled jar archives.
+                   (for-each delete-file (find-files "." ".*\\.jar"))
+                   #t))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:tests? #f; no tests
+       #:build-target "impl"
+       #:phases
+       (modify-phases %standard-phases
+         (replace 'install (install-jars "build/lib")))))
+    (home-page "http://www.extreme.indiana.edu/xgws/xsoap/xpp/")
+    (synopsis "Streaming pull XML parser")
+    (description "Xml Pull Parser (in short XPP) is a streaming pull XML
+parser and should be used when there is a need to process quickly and
+efficiently all input elements (for example in SOAP processors).  This
+package is in maintenance mode.")
+    (license (license:non-copyleft "file:///LICENSE.txt"))))
+
+(define-public java-dom4j
+  (package
+    (name "java-dom4j")
+    (version "2.1.0")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/dom4j/dom4j/archive/"
+                                  "version-" version ".tar.gz"))
+              (file-name (string-append name "-" version ".tar.gz"))
+              (sha256
+               (base32
+                "101drpnw6agmcvsi1jrfi0kn97r7liazrh5jbrip9vx26axn2fx9"))
+              (modules '((guix build utils)))
+              (snippet
+                '(begin ;; Delete bundled jar archives.
+                   (for-each delete-file (find-files "." ".*\\.jar"))
+                   #t))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:jar-name "dom4j.jar"
+       #:jdk ,icedtea-8
+       #:source-dir "src/main/java"
+       ;; FIXME: Requires xalan, but xalan depends on java-cup which has a
+       ;; dependency on itself through jflex.
+       #:tests? #f
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'build 'copy-jaxen-sources
+           ;; java-jaxen-bootstrap is not enough. These files have a circular
+           ;; dependency and there is no subset of dom4j that would allow
+           ;; breaking the circle.
+           (lambda* (#:key inputs #:allow-other-keys)
+             (mkdir-p "jaxen-sources")
+             (with-directory-excursion "jaxen-sources"
+               (system* "jar" "xf" (assoc-ref inputs "java-jaxen-sources")))
+             (mkdir-p "src/main/java/org/jaxen/dom4j")
+             (copy-file "jaxen-sources/org/jaxen/dom4j/DocumentNavigator.java"
+                        "src/main/java/org/jaxen/dom4j/DocumentNavigator.java")
+             (copy-file "jaxen-sources/org/jaxen/dom4j/Dom4jXPath.java"
+                        "src/main/java/org/jaxen/dom4j/Dom4jXPath.java")
+             #t))
+         (add-before 'build 'fix-old-xpp2
+           (lambda _
+             ;; This package normally depends on xpp2 2.0, but version 2.1.10
+             ;; is the only version whose source code is published.
+             (substitute* "src/main/java/org/dom4j/xpp/ProxyXmlStartTag.java"
+               (("public void resetStartTag")
+                "public boolean removeAttributeByRawName(String name) {\n
+  return false;\n
+}\n
+public boolean removeAttributeByName(String name, String name2) {\n
+  return false;\n
+}\n\npublic void resetStartTag")
+               (("Atttribute") "Attribute"))
+             #t)))))
+    (inputs
+     `(("java-jaxen-bootstrap" ,java-jaxen-bootstrap)
+       ("java-jaxen-sources" ,(package-source java-jaxen-bootstrap))
+       ("java-xmlpull2" ,java-xmlpull2)
+       ("java-xpp3" ,java-xpp3)
+       ("java-xsdlib" ,java-xsdlib)))
+    (native-inputs
+     `(("java-testng" ,java-testng)
+       ("java-xerces" ,java-xerces)))
+    (home-page "https://dom4j.github.io/")
+    (synopsis "Flexible XML framework for Java")
+    (description "Dom4j is a flexible XML framework for Java.  DOM4J works
+with DOM, SAX, XPath, and XSLT.  It can parse large XML documents with very
+low memory footprint.")
+    ;; some BSD-like 5-clause license
+    (license (license:non-copyleft "file://LICENSE"))))
+
+(define-public java-kxml2
+  (package
+    (name "java-kxml2")
+    (version "2.4.2")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/stefanhaustein/kxml2/archive/v"
+                                  version ".tar.gz"))
+              (file-name (string-append name "-" version ".tar.gz"))
+              (sha256
+               (base32
+                "17kh04qf3vll1xx6sv06xlazw2hxa8qdmzyday9r6z2191jlj74w"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:jar-name "kxml2.jar"
+       #:source-dir "src/main/java"
+       #:test-include (list "TestWb.java")
+       ;; Test failure: it was expected to get an XML entity but got the
+       ;; equivalent Unicode character instead.
+       #:tests? #f
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'build 'copy-resources
+           (lambda _
+             (copy-recursively "src/main/resources" "build/classes"))))))
+    (inputs
+     `(("java-xpp3" ,java-xpp3)))
+    (native-inputs
+     `(("java-junit" ,java-junit)))
+    (home-page "http://kxml.org")
+    (synopsis "XML pull parser")
+    (description "kXML is a small XML pull parser, specially designed for
+constrained environments such as Applets, Personal Java or devices compliant
+with the Mobile Information Device Profile (MIDP).")
+    (license license:expat)))
+
+(define-public java-stax
+  (package
+    (name "java-stax")
+    (version "1.2.0")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://repo1.maven.org/maven2/stax/stax/"
+                                  version "/stax-" version "-sources.jar"))
+              (sha256
+               (base32
+                "04ba4qvbrps45j8bldbakxq31k7gjlsay9pppa9yn13fr00q586z"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:jar-name "stax.jar"
+       #:tests? #f; no tests
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'configure 'fix-utf8
+           (lambda _
+             ;; This file is ISO-8859-1 but java expects UTF-8.
+             ;; Remove special characters in comments.
+             (with-fluids ((%default-port-encoding "ISO-8859-1"))
+               (substitute* "src/com/wutka/dtd/Scanner.java"
+                 (("//.*") "\n")))
+             #t)))))
+    (home-page "https://repo1.maven.org/maven2/stax/stax/")
+    (synopsis "Streaming API for XML")
+    (description "This package provides the reference implementation of the
+@dfn{Streaming API for XML} (StAX).  It is used for streaming XML data to
+and from a Java application.  It provides a standard pull parser interface.")
+    (license license:asl2.0)))
+
+(define-public java-jettison
+  (package
+    (name "java-jettison")
+    (version "1.3.7")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/codehaus/jettison/archive/"
+                                  "jettison-" version ".tar.gz"))
+              (sha256
+               (base32
+                "0rdhfyxywvga5wiwasc04iqnxyixn3rd8wj01c9ymhvwc3h6dpqg"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:jar-name "jettison.jar"
+       #:source-dir "src/main/java"
+       #:test-exclude (list "**/Abstract*.java"
+                            ;; Abstract classes
+                            "**/DOMTest.java"
+                            "**/BadgerFishDOMTest.java"
+                            "**/MappedDOMTest.java")))
+    (native-inputs
+     `(("java-junit" ,java-junit)))
+    (home-page "https://github.com/codehaus/jettison")
+    (synopsis "StAX implementation for JSON")
+    (description "Jettison is a Java library for converting XML to JSON and
+vice-versa with the help of the @dfn{Streaming API for XML} (StAX).  It
+implements @code{XMLStreamWriter} and @code{XMLStreamReader} and supports
+@code{Mapped} and @code{BadgerFish} conventions.")
+    (license license:asl2.0)))
+
+(define-public java-jdom2
+  (package
+    (name "java-jdom")
+    (version "2.0.6")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/hunterhacker/jdom/archive/JDOM-"
+                                  version ".tar.gz"))
+              (sha256
+               (base32
+                "0p8n7inqq2a25wk9ljinl3ixlx1x2la9qaman8ngd75xxjb02yc1"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:build-target "package"
+       #:tests? #f; tests are run as part of the build process
+       #:phases
+       (modify-phases %standard-phases
+         (replace 'install
+           (install-jars "build")))))
+    (home-page "http://jdom.org/")
+    (synopsis "Access, manipulate, and output XML data")
+    (description "Jdom is a Java-based solution for accessing, manipulating, and
+outputting XML data from Java code.")
+    (license license:bsd-4)))
+
+(define-public java-xstream
+  (package
+    (name "java-xstream")
+    (version "1.4.10")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                     "https://github.com/x-stream/xstream/archive/XSTREAM_"
+                     (string-map (lambda (x) (if (eq? x #\.) #\_ x)) version)
+                     ".tar.gz"))
+              (file-name (string-append name "-" version ".tar.gz"))
+              (sha256
+               (base32
+                "10zbkam05wirxipvgrjimdwsyqrwl4a0n7lhvxbsssqpv727469g"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:jar-name "xstream.jar"
+       ;; FIXME: Tests are not in a java subdirectory as assumed by ant-build-system
+       #:tests? #f
+       #:jdk ,icedtea-8
+       #:source-dir "xstream/src/java"))
+    (inputs
+     `(("java-jdom" ,java-jdom)
+       ("java-jdom2" ,java-jdom2)
+       ("java-cglib" ,java-cglib)
+       ("java-joda-time" ,java-joda-time)
+       ("java-jettison" ,java-jettison)
+       ("java-xom" ,java-xom)
+       ("java-xpp3" ,java-xpp3)
+       ("java-dom4j" ,java-dom4j)
+       ("java-stax2-api" ,java-stax2-api)
+       ("java-woodstox-core" ,java-woodstox-core)
+       ("java-kxml2" ,java-kxml2)
+       ("java-stax" ,java-stax)))
+    (home-page "https://x-stream.github.io")
+    (synopsis "XML serialization library")
+    (description "XStream is a simple library to serialize Java objects to XML
+and back again.")
+    (license license:bsd-3)))
diff --git a/gnu/services/avahi.scm b/gnu/services/avahi.scm
index d69c89f751..b4f89c4abf 100644
--- a/gnu/services/avahi.scm
+++ b/gnu/services/avahi.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2014, 2015, 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -131,8 +131,10 @@ service switch (NSS) with support for @code{.local} host name resolution.")
                                             (const %avahi-accounts))
                          (service-extension activation-service-type
                                             (const %avahi-activation))
+
+                         ;; Use 0.10 due to <https://bugs.gnu.org/30396>.
                          (service-extension nscd-service-type
-                                            (const (list nss-mdns)))
+                                            (const (list nss-mdns-0.10)))
 
                          ;; Provide 'avahi-browse', 'avahi-resolve', etc. in
                          ;; the system profile.
diff --git a/gnu/services/games.scm b/gnu/services/games.scm
new file mode 100644
index 0000000000..b146696237
--- /dev/null
+++ b/gnu/services/games.scm
@@ -0,0 +1,81 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2018 Arun Isaac <arunisaac@systemreboot.net>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu services games)
+  #:use-module (gnu services)
+  #:use-module (gnu services shepherd)
+  #:use-module (gnu packages admin)
+  #:use-module (gnu packages games)
+  #:use-module (gnu system shadow)
+  #:use-module (guix gexp)
+  #:use-module (guix modules)
+  #:use-module (guix records)
+  #:use-module (ice-9 match)
+  #:export (wesnothd-configuration
+            wesnoth-configuration?
+            wesnothd-service-type))
+
+;;;
+;;; The Battle for Wesnoth server
+;;;
+
+(define-record-type* <wesnothd-configuration>
+  wesnothd-configuration make-wesnothd-configuration wesnothd-configuration?
+  (package wesnothd-configuration-package
+           (default wesnoth-server))
+  (port wesnothd-configuration-port
+        (default 15000)))
+
+(define %wesnothd-accounts
+  (list (user-account
+         (name "wesnothd")
+         (group "wesnothd")
+         (system? #t)
+         (comment "Wesnoth daemon user")
+         (home-directory "/var/empty")
+         (shell (file-append shadow "/sbin/nologin")))
+        (user-group
+         (name "wesnothd")
+         (system? #t))))
+
+(define wesnothd-shepherd-service
+  (match-lambda
+    (($ <wesnothd-configuration> package port)
+     (with-imported-modules (source-module-closure
+                             '((gnu build shepherd)))
+       (shepherd-service
+        (documentation "The Battle for Wesnoth server")
+        (provision '(wesnoth-daemon))
+        (requirement '(networking))
+        (modules '((gnu build shepherd)))
+        (start #~(make-forkexec-constructor/container
+                  (list #$(file-append package "/bin/wesnothd")
+                        "-p" #$(number->string port))))
+        (stop #~(make-kill-destructor)))))))
+
+(define wesnothd-service-type
+  (service-type
+   (name 'wesnothd)
+   (description
+    "Run The Battle for Wesnoth server @command{wesnothd}.")
+   (extensions
+    (list (service-extension account-service-type
+                             (const %wesnothd-accounts))
+          (service-extension shepherd-root-service-type
+                             (compose list wesnothd-shepherd-service))))
+   (default-value (wesnothd-configuration))))
diff --git a/guix/licenses.scm b/guix/licenses.scm
index 269d97c723..700fa7f03a 100644
--- a/guix/licenses.scm
+++ b/guix/licenses.scm
@@ -87,6 +87,7 @@
             tcl/tk
             unlicense
             vim
+            w3c
             x11 x11-style
             zpl2.1
             zlib
@@ -578,6 +579,11 @@ at URI, which may be a file:// URI pointing the package's tree."
            "https://unlicense.org/"
            "https://www.gnu.org/licenses/license-list.html#Unlicense"))
 
+(define w3c
+  (license "W3C Software Notice and License"
+           "https://directory.fsf.org/wiki/License:W3C_31Dec2002"
+           "https://www.gnu.org/licenses/license-list.en.html#W3C"))
+
 (define wtfpl2
   (license "WTFPL 2"
            "http://www.wtfpl.net"
diff --git a/guix/ssh.scm b/guix/ssh.scm
index 5e442024bc..9e90216a2d 100644
--- a/guix/ssh.scm
+++ b/guix/ssh.scm
@@ -108,9 +108,18 @@ Throw an error on failure."
        (use-modules (ice-9 match) (rnrs io ports)
                     (rnrs bytevectors))
 
-       (let ((sock   (socket AF_UNIX SOCK_STREAM 0))
-             (stdin  (current-input-port))
-             (stdout (current-output-port)))
+       (let ((sock    (socket AF_UNIX SOCK_STREAM 0))
+             (stdin   (current-input-port))
+             (stdout  (current-output-port))
+             (select* (lambda (read write except)
+                        ;; This is a workaround for
+                        ;; <https://bugs.gnu.org/30365> in Guile < 2.2.4:
+                        ;; since 'select' sometimes returns non-empty sets for
+                        ;; no good reason, call 'select' a second time with a
+                        ;; zero timeout to filter out incorrect replies.
+                        (match (select read write except)
+                          ((read write except)
+                           (select read write except 0))))))
          (setvbuf stdout _IONBF)
 
          ;; Use buffered ports so that 'get-bytevector-some' returns up to the
@@ -121,7 +130,7 @@ Throw an error on failure."
          (connect sock AF_UNIX ,socket-name)
 
          (let loop ()
-           (match (select (list stdin sock) '() '())
+           (match (select* (list stdin sock) '() '())
              ((reads () ())
               (when (memq stdin reads)
                 (match (get-bytevector-some stdin)